McAfee Firewall Enterprise® Control Center (CommandCenter™)
Administration Guide
version 4.0.0.04
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD,
MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS,
PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL
PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other
countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the
sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE
ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE
AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN
THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A
FULL REFUND.

License Attributions
This product includes software developed by Inferno Nettverk A/S, Norway. Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002 Inferno Nettverk A/S,
Norway. All rights reserved.
This product includes software developed by Todd C. Miller. Copyright (c) 1996 Todd C. Miller <Todd.Miller@courtesan.com> All rights reserved.
This product includes software developed by the University of California, Berkeley and its contributors. Copyright (c) 1983, 1988, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
This product includes software developed by Red Hat, Inc. Copyright Red Hat, Inc., 1998, 1999, 2001, 2002.
This product includes software developed by Julianne F. Haugh. Copyright 1988 - 1997, Julianne F. Haugh. All rights reserved.
This product includes software developed by Info-ZIP. Copyright (c) 1990-2004 Info-ZIP. All rights reserved.
This product includes software developed by the Apache Software Foundation http://www.apache.org. Copyright (c) 1999, 2000 The Apache Software
Foundation. All rights reserved.
This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/). Copyright (c) 2000
Carnegie Mellon University. All rights reserved.
This product includes software developed by Ian F. Darwin and others. Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995.
This product includes software developed by Silicon Graphics, Inc. Copyright (c) 1991-1997. Portions by Sam Leffler. Copyright (c) 1988-1997.
This product includes software developed by Purdue Research Foundation, West Lafayette, Indiana 47907. Copyright 2002. All rights reserved. Portions
by Victor A. Abell
This product includes software developed by Thomas E. Dickey <dickey@invisible-island.net>. Copyright 1997-2002, 2003. All Rights Reserved.
This product includes software developed by David L. Mills. Copyright (c) David L. Mills 1992-2001.
This product includes software developed by University of Cambridge. Copyright (c) 1997-2001 University of Cambridge;
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
This product contains db4 software - Portions distributed by Sleepycat Software. Copyright (c) 1990-2001 Sleepycat Software, and by The President and
Fellows of Harvard University, copyright (c) 1995, 1996. All rights reserved.
This product includes software developed by Keith Packard. Copyright © 2001,2003.
This product includes krb5 software developed by the Massachusetts Institute of Technology, Copyright (c) 1985-2001.
This product includes libjpeg software developed by Thomas G. Lane, Copyright (C) 1991-1998. All Rights Reserved. This software is based in part on the
work of the Independent JPEG Group.
This product includes libradius software developed by Juniper Networks, Inc., Copyright 1998. All rights reserved.
This product includes LInux LOader (LILO) software developed in part by Werner Almesberger, Copyright 1992-1998. Portions by John Coffman, Copyright
1999-2005. All rights reserved.
This product includes software developed by The OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org) Copyright © 1998-2006. The
toolkit includes cryptographic software written by Eric Young (eay@cryptsoft.com). Copyright (c) 1995-1998. This product includes software written by Tim
Hudson (tjh@cryptsoft.com) Copyright (c) 1993-2001 Spread Concepts LLC. All rights reserved.
This product includes software developed by The XFree86 Project, Inc. (http://www.xfree86.org/) and its contributors. Copyright (C) 1994-2004 The
XFree86 Project, Inc. All rights reserved.
Part of the software embedded in this product is gSOAP software. Portions created by gSOAP are Copyright (C) 2001-2004 Robert A. van Engelen, Genivia
Inc. All Rights Reserved.
This product includes software developed by Internet Systems Consortium, Inc. Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC").
Copyright © 1996-2003 Internet Software Consortium.
This product includes software developed by Jython Developers. Copyright © 2000-2007 Jython Developers. All rights reserved.
This product contains certain other third party software which include the following additional terms:
Redistribution and use in source and binary forms of the above listed software, with or without modification, are permitted provided that the following
conditions are met:
1 Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2 Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.
3 Neither the name of the author may be used to endorse or promote products derived from this software without specific prior written permission.




Issued April 2009 / McAfee Firewall Enterprise® Control Center (CommandCenter™) software version 4.0.0.04
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LICENSORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes or may include some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL)
or other similar software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and
have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary
format that the source code also be made available to those users. For any such software, the source code is made available in a designated directory
created by installation of the Software or designated internet page. If any Free Software licenses require that McAfee provide rights to use, copy or modify
a software program that are broader than the rights granted in the McAfee End User License Agreement, then such rights shall take precedence over the
rights and restrictions herein.




Contents


About this Document ........ 11

1  Introduction ........ 13
   About the McAfee Firewall Enterprise Control Center (CommandCenter) ........ 13
      Features of the Control Center ........ 14
   About the Client Suite ........ 15
      Administration Tool ........ 15
      Configuration Tool ........ 16
      Reporting and Monitoring Tool ........ 17
      Software Updates Tool ........ 17

2  Administrator Basics ........ 19
   Managing the McAfee Firewall Enterprise Control Center (CommandCenter) Management Server ........ 19
      Configuring the Management Server ........ 20
      Logging into the Management Server ........ 21
   Managing configuration data for the Management Server ........ 23
      Backing up configuration data for the Management Server ........ 24
      Restoring configuration data to the Management Server ........ 29
   Disaster recovery restoration for Management Servers ........ 33
      Restoring a standalone Management Server that has failed completely ........ 34
      Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair ........ 35
      Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair ........ 36
      Restoring both Management Servers in a high availability (HA) pair that have failed completely ........ 37
   Adding firewalls ........ 38
      Adding firewalls by using rapid deployment registration ........ 38
      Adding firewalls by using manual registration ........ 39
   Managing firewall interfaces ........ 41
      Routed mode ........ 41
      Transparent (bridged) mode ........ 41
   Navigating the Control Center user interface ........ 42
      Administration Tool main window ........ 44
      Configuration Tool main window ........ 45
      Reporting and Monitoring Tool main window ........ 48
      Software Updates Tool main window ........ 49
      Administration Tool menus ........ 50
      Configuration Tool menus ........ 56
      Reporting and Monitoring Tool menus ........ 62
      Software Updates Tool menus ........ 66
      Customizing a toolbar ........ 70
      Administration Tool toolbars ........ 70
      Configuration Tool toolbars ........ 70
      Reporting and Monitoring Tool toolbars ........ 73
      Software Updates Tool toolbars ........ 76

3  Administration Tool ........ 79
   Administration Tool ........ 79
   Control Center users ........ 81
      Configuring Control Center users ........ 82
      Changing user passwords ........ 88
   Control Center roles ........ 89
      Managing roles for Control Center users ........ 90
   Configuration domains ........ 92
      Activating configuration domains ........ 93




    McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                                                                                                                                                             5
      Configuring configuration domains ........ 95
      Moving a firewall or cluster from one configuration domain to another ........ 96
      Changing from one configuration domain to another ........ 96
   Configuration domain version management ........ 97
      Configuration domain version management ........ 97
      Managing versions of configuration domains ........ 99
   Audit data management ........ 100
      Managing audit trail information ........ 101
      Configuring change tickets ........ 103
   Control Center Management Server licensing ........ 104
      Managing Control Center licenses ........ 106
      Configuring common license information for the Control Center ........ 111
      Configuring Control Center network settings ........ 115
   System settings ........ 120
      Configuring system settings ........ 121
      Viewing the status of your backup Management Servers ........ 122
      Creating backup files of your Management Server data by using the GUI ........ 123
      Restoring the Management Server configuration files from a backup file ........ 126
      Uploading a backup configuration file from the Client to the Management Server ........ 128
      Changing login information for remote system backups ........ 129
      Setting the date and time on the Management Server ........ 131
      Restarting the Management Server ........ 131
   ePolicy Orchestrator settings ........ 132
      Configuring access to the ePolicy Orchestrator server ........ 132
      Viewing ePolicy Orchestrator host data ........ 135
   High Availability (HA) ........ 136
      How High Availability (HA) works ........ 137
      HA configuration and status support ........ 140
      Configuring the High Availability (HA) feature ........ 140
      Removing the High Availability (HA) configuration feature ........ 143
   Authentication ........ 145
      Configuring Control Center user authentication ........ 146
      Control Center Authentication Configuration window: Authentication Servers tab ........ 150
      Configuring external authentication servers ........ 151

4  Configuration Tool Overview ........ 153
   Configuration Tool ........ 153
      Configuration Tool operations ........ 153
      Configurable objects ........ 154
      Viewing details about objects ........ 160

5  Configuration Tool - Firewalls ........ 163
   Firewall objects ........ 163
   McAfee Firewall Enterprise (Sidewinder) ........ 164
      Registering your firewalls by using the rapid deployment option ........ 164
      Registering a firewall manually ........ 166
      Retrieving firewall components ........ 168
      Configuring settings for a standalone firewall ........ 169
      Configuring the firewall ........ 170
      Firewall window-related tasks ........ 204
      Converting network objects in rules for the IPv6 protocol ........ 204
      Deleting firewall objects ........ 213
   McAfee Firewall Enterprise (Sidewinder) clusters ........ 215
      Managing clusters ........ 215
      Configuring, promoting and demoting cluster objects and cluster nodes ........ 216
               Overview of configuring a cluster on the McAfee Firewall Enterprise Admin Console . .                                                                                     ..      ..      ...         .   .   .   . 225
               Adding a cluster that was created on the McAfee Firewall Enterprise Admin Console . .                                                                                     ..      ..      ...         .   .   .   . 226
               Configuring configuration information for a cluster . . . . . . . . . . . . . . . . . . . . . . . . .                                                                     ..      ..      ...         .   .   .   . 228
               Modifying cluster interface properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                                ..      ..      ...         .   .   .   . 253
               Configuring configuration data for a cluster member . . . . . . . . . . . . . . . . . . . . . . . .                                                                       ..      ..      ...         .   .   .   . 255
           Device groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                       ..      ..      ...         .   .   .   . 261
               Configuring groups of related device objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                                    ..      ..      ...         .   .   .   . 261




6   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
6  Configuration Tool - Firewall Settings .... 263
    Firewall settings .... 263
    Common (global) settings .... 264
        Configuring common (global) settings .... 264
    Audit export .... 268
        Configuring audit archive settings for a firewall .... 268
    McAfee Firewall Profiler .... 272
        Configuring McAfee Firewall Profiler settings .... 272
    Firewall Reporter / Syslog settings .... 273
        Configuring the exportation of audit data to a McAfee Firewall Reporter or to designated syslog servers .... 274
    Network defenses .... 278
        Configuring network defense audit reports .... 279
    Managing servers and service configurations .... 291
    Viewing and managing IPS signatures by using the IPS Signature Browser .... 302
    TrustedSource .... 304
        Configuring TrustedSource settings for rules and mail filtering .... 305
    Virus scanning .... 308
        Configuring virus scanning properties .... 308
    Quality of Service .... 310
        Creating Quality of Service profiles .... 311
    DNS zones .... 312
        Configuring DNS zones .... 315
    Scheduled jobs .... 322
        Scheduling jobs .... 322
    Third-party updates .... 326
        Configuring third-party update schedules .... 326
    Software update package status .... 331
        Establishing a schedule to check for software updates .... 331

7  Configuration Tool - Policy .... 333
    Policy objects .... 333
    Network objects .... 336
        Configuring endpoints (network objects) .... 337
        Creating adaptive endpoints .... 339
        Creating Geo-Location objects .... 340
        Configuring burbs .... 341
        Configuring groups of burb objects .... 343
        Configuring groups of endpoint objects .... 344
        Importing network objects .... 345
    Services .... 346
        Configuring proxy services .... 348
        Configuring filter services .... 350
        Configuring service groups .... 353
    Application defenses .... 355
        Configuring HTTP application defenses .... 355
        Configuring HTTPS application defenses .... 370
        Configuring Mail (Sendmail) application defenses .... 382
        Configuring Mail (SMTP proxy) application defenses .... 388
        Configuring Citrix application defenses .... 395
        Configuring FTP application defenses .... 396
        Configuring IIOP application defenses .... 400
        Configuring T120 application defenses .... 401
        Configuring H.323 application defenses .... 402
        Configuring Oracle application defenses .... 403
        Configuring MS SQL application defenses .... 404
        Configuring SOCKS application defenses .... 405
        Configuring SNMP application defenses .... 406
        Configuring SIP application defenses .... 408
        Configuring SSH application defenses .... 409
        Configuring Packet Filter application defenses .... 415
        Configuring application defense groups .... 418
    IPS inspection .... 419
        Configuring IPS response mappings .... 420
        Configuring IPS signature groups .... 421
    Authentication services .... 424
        Configuring password authenticators .... 426
        Configuring passport authenticators .... 428
        Configuring RADIUS authenticators .... 431
        Configuring Safeword authenticators .... 435
        Configuring Windows Domain authenticators .... 438
        Configuring iPlanet authenticators .... 440
        Configuring Active Directory authenticators .... 445
        Configuring OpenLDAP authenticators .... 450
        Configuring custom LDAP authenticators .... 455
        Configuring CAC authenticators .... 459
    Firewall users .... 461
        Firewall administrators, users, user groups, and external groups .... 461
        Configuring firewall users .... 462
        Configuring firewall administrators .... 464
        Configuring firewall user groups .... 468
        Configuring external firewall groups .... 469
    Time periods .... 470
        Managing time periods .... 470
    VPN .... 471
        Configuration features .... 472
        Components and considerations .... 474
        Client configurations and XAUTH .... 475
        Creating VPN channels .... 475
        Managing firewall certificates for VPN gateways .... 481
        Configuring VPN gateways .... 482
        Configuring VPN peer objects .... 484
        Building Star, Mesh, and remote access VPN communities .... 491
        Creating a network configuration for a VPN client .... 507
        Defining fixed addresses for VPN clients .... 510
        Adding a VPN client configuration .... 511
        CA certificates .... 512
        Managing certificate names .... 514
        Creating certificates or importing them into the certificate database .... 515
        Importing certificates into the known certificates database .... 518
        Exporting certificates .... 519
        Loading certificates .... 522
        Managing remote certificates .... 523
        Bypassing IPsec policy evaluation .... 525
    Rules .... 527
        How rules work .... 527
        Rule management .... 528
        Creating, viewing, or modifying rules .... 528
        Configuring columns to display on the Rules page .... 532
        Configuring rules .... 533
        Configuring default settings for creating rules .... 540
        Replacing objects in rules .... 541
        Verifying the objects to be replaced in your rules .... 543
        Filtering rules to display on the Rules page .... 545
        Loading and managing previously saved rule filters .... 549
        Displaying filtered rules on the Rules page .... 550
        Configuring groups of rules .... 551
        Merging rules with common elements .... 552
        Deleting duplicate rules .... 556
        Viewing configuration information for duplicate rules .... 558
    URL translation rules .... 559
        Viewing your URL translation rules .... 559
        Configuring URL translation rules .... 560
    Alert processing rules .... 563
        Viewing alert processing rules .... 564
        Modifying pre-defined alert processing rules .... 565
        Assigning priority levels to alerts .... 567
    SSH known hosts .... 568
        Configuring strong known host associations .... 569
        Creating strong SSH known host keys .... 570
        Configuring host associations .... 571

8  Configuration Tool - Monitor .... 573
    Monitoring .... 573
    Firewall configuration management .... 574
        Viewing the overall status of your firewalls .... 574
        Viewing the status of a specific firewall .... 577
        Configuring settings for the Firewall Status page .... 579
        Viewing configuration information about each firewall .... 584
        Validating firewall configurations .... 586
        Troubleshooting validation configuration warnings .... 587
        Applying firewall configurations .... 589
        Troubleshooting apply configuration warnings .... 591
        Viewing the status of Apply Configurations .... 593
        Reviewing your configured firewalls .... 594
        Comparing impacts of proposed configuration changes for a firewall .... 595
        Configuring compliance report settings .... 596
        Viewing the compliance status of the current firewall configuration .... 597
        Viewing your firewall enrollment (deployment) status .... 598
        Configuring the firewall for usage inside the Control Center Client .... 599
        Viewing real-time Web data for your network .... 600
        Viewing services and managing service agents .... 601
        Viewing details about a firewall service .... 604
    Responses .... 605
        Configuring alert notification for e-mail accounts .... 606
        Configuring blackholes for suspected hosts .... 607
        Viewing IPS attack responses .... 608
        Configuring IPS attack responses .... 609
        Viewing system responses .... 612
        Configuring system responses .... 613
    Audit trail .... 615
        Viewing audit trail information .... 615
        Configuring a custom audit trail filter .... 617
    Audit archives .... 618
    Reporting .... 619
        Firewall reports .... 619
        Viewing firewall report data .... 620
           Generating firewall reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                               .   .   .   . 623
       Firewall audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                            .   .   .   . 624
           Configuring and generating audit reports for one or more firewalls . . . . . . . . . . . . . . . . . . . . .                                                                .   .   .   . 625
           Configuring filters for audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                 .   .   .   . 632
           Viewing event-specific audit information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                      .   .   .   . 635
           Configuring on-screen color schemes for the audit records . . . . . . . . . . . . . . . . . . . . . . . . . .                                                               .   .   .   . 636
           Displaying system information for the Control Center Management Server . . . . . . . . . . . . . . .                                                                        .   .   .   . 638
           Selecting the criteria for the firewall policy report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                     .   .   .   . 640
           Viewing information about the security policy for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                           .   .   .   . 643
       Firewall license reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                            .   .   .   . 644
           Selecting the firewall for the license report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                     .   .   .   . 644
           Viewing the status of all of the licenses for a firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                      .   .   .   . 645

9      Configuration Tool - Maintenance                                                                                                                                                            647
       Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .        ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 647
       Firewall maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .           ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 648
           Viewing object usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .             ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 648
           Locking configuration objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .              ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 649
           Managing unused objects on the Control Center Management Server                                    ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 651
           Merging objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .          ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 652
           Setting the date and time on a firewall . . . . . . . . . . . . . . . . . . . . .                  ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 655



McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                                                                                                                    9
           Managing firewall shutdown and suspension states and other maintenance settings . . . . . . 656
           Viewing and managing firewall licenses . . . . . . 658
       Control Center maintenance . . . . . . 662
           Viewing Management Server logs . . . . . . 663
           Configuring Management Server properties . . . . . . 664
           Exporting firewall audit files that are stored on the Control Center . . . . . . 667
           Customizing the Configuration Tool . . . . . . 669

10     Reporting and Monitoring Tool                                                      671
       Reporting and Monitoring Tool . . . . . . 671
           Viewing the properties of a firewall . . . . . . 672
           Investigating alerts . . . . . . 673
           Column data . . . . . . 674
           Mapping sound files to alarms . . . . . . 676
       Alerts . . . . . . 677
           Managing alerts . . . . . . 678
           Viewing events for a specific alert . . . . . . 682
           Configuring the columns on the Event Browser window . . . . . . 683
           Viewing additional event information . . . . . . 684
           Configuring columns for the Alert Browser page . . . . . . 685
           Filtering the alerts to be displayed in the Alert Browser . . . . . . 686
       Secure Alerts Server . . . . . . 686
           Functionality of the Secure Alerts Server . . . . . . 687
           Viewing Secure Alerts Server status information . . . . . . 687
       Firewall reports in the Reporting and Monitoring Tool . . . . . . 689

11     Software Updates Tool                                                              691
       Software Updates Tool . . . . . . 691
           Automatically identify updates . . . . . . 691
           Configuring update download settings . . . . . . 692
           Downloading and applying Management Server updates . . . . . . 693
           Installing software and firmware updates . . . . . . 697
           Managing updates for a firewall . . . . . . 699
           Scheduling device software updates . . . . . . 703
           Backing up and restoring firewall configurations . . . . . . 704
           Confirming a configuration backup of one or more firewalls . . . . . . 708
           Storing software and firmware updates . . . . . . 709
           Manually downloading software updates . . . . . . 711

            Index                                                                                                                                                                         715




About this Document


This Administration Guide leads you through planning and configuration of your initial Firewall Enterprise
Control Center (CommandCenter) Management Server. It also covers basic post-installation tasks for
integrating a new firewall into your network. While problems are not anticipated, this guide also includes
troubleshooting tips.
This guide is for anyone assigned to initially set up a McAfee Firewall Enterprise Control Center Management
Server. It assumes that you are familiar with McAfee Firewall Enterprise (Sidewinder) devices. It also
assumes you are familiar with networks and network terminology.
You can find additional information at the following locations:
• Online help — Online help is built into the Control Center. Press F1.
• Manuals — View product manuals at mysupport.mcafee.com.

• Knowledge Base — Visit the Knowledge Base at mysupport.mcafee.com. You’ll find helpful articles,
  troubleshooting tips and commands, and the latest documentation.

The following table lists the various documentation resources for Control Center administrators:

Table 1 Summary of Control Center documentation
Document — Description
Firewall Enterprise Control Center (CommandCenter) Setup Guide — Leads you through your initial firewall configuration. Includes instructions for configuring and installing the High Availability (HA) Management Server and registering firewalls.
Firewall Enterprise Control Center (CommandCenter) Administration Guide — Provides an introduction to Control Center and includes reference information and procedures for using the Control Center Client Suite to centrally define and manage the enterprise security policies for the firewall.
McAfee Firewall Enterprise (Sidewinder) Administration Guide — Complete administration information on all of the firewall functions and features. You should read this guide if your Control Center enterprise includes firewalls.
Online help — Online help is built into Control Center Client Suite programs and the Control Center Initialization tool.
Knowledge Base — Supplemental information for all other Control Center documentation. Articles include helpful troubleshooting tips and commands. All manuals and application notes are also posted here. The Knowledge Base is located at mysupport.mcafee.com.


Any reference to a “firewall” in this document means the McAfee Firewall Enterprise. Additionally,
refer to Table 2 for a list of the text conventions that are used in this document.

Table 2 Conventions
Convention — Description
Courier bold — Indicates commands and key words that you specify at a system prompt. Note: A backslash (\) indicates a command that does not fit on the same line. Specify the command as shown, ignoring the backslash.
Courier italic — Indicates a placeholder for text that you specify.
<Courier italic> — When enclosed in angle brackets (< >), this indicates optional text.
nnn.nnn.nnn.nnn — Indicates a placeholder for an IP address that you specify.
Courier plain — Indicates text that is displayed on a computer screen.
Plain text italics — Indicates the names of files and directories. Also used for emphasis (for example, when introducing a new term).
Plain text bold — Identifies buttons, field names, and tabs that require user interaction.
[ ] — Indicates conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration).
Caution — Indicates that you must be careful. In this situation, you might do something that could result in the loss of data or in an unpredictable outcome.
Note — Indicates a helpful suggestion or a reference to material that is not covered elsewhere in this documentation.
Security Alert — Indicates information that is critical for maintaining product integrity or security.
Tip — Indicates time-saving actions. It also might help you solve a problem.

     Note: The IP addresses, screen captures, and graphics that are used within this document are for illustration
     purposes only. They are not intended to represent a complete or appropriate configuration for your specific
     needs. Features might be configured in screen captures because of contingency displays. However, not all
     features are appropriate or desirable for your setup.

     Additionally, many of the windows and pages in the Client tools have tables that can be edited. The first
     column of a table that can be edited can display different symbols, depending on the action being taken. In
     the help files, this is listed as the Edit column. The following example shows the symbols, along with their
     descriptions. For the remainder of the help files, only a verbal description of the symbol will be used.
     • Edit — This column identifies the edit status of the row in the table. The following icons can be displayed:
        • [blank] — Indicates an existing line with associated values that is not the currently selected line.
        • [icon] (Pencil) — Indicates that this row is the one that is being edited.
        • [icon] — Indicates that you are creating a new row or entry.
        • [icon] — Indicates that this row is currently selected and it contains previously specified values.




1      Introduction


       Contents
       About the McAfee Firewall Enterprise Control Center (CommandCenter)
       About the Client Suite



About the McAfee Firewall Enterprise Control Center (CommandCenter)
       The Control Center is an enterprise-class management tool for creating and applying security policies
       across multiple firewalls. Network administrators can remotely manage, maintain, and monitor firewalls for
       one or more domains.
       The Control Center consists of the following entities:
       • Control Center Client Suite — a set of tools that resides on a desktop computer that is running a
         Windows® operating system. The tools provide the graphical user interfaces (GUIs) to configure, manage,
         and monitor supported firewalls and to perform Control Center administrative tasks. For more
         information, see About the Client Suite on page 15.

       • Control Center Management Server — a hardened Linux® platform that provides the firewall
         management and monitoring capabilities that are required to centrally implement security policy. It
         manages the framework for secure communication between the server, Client Suite, and supported
         firewalls. The Control Center Management Server requires at least one installation of the Control Center
         Client Suite.

       • At least one firewall in a heterogeneous network of security devices that exist in a single domain.

       • One or more domains that represent a complete, inclusive network security policy.
       Figure 1 Basic Control Center Management Server environment
       [Figure: the Control Center Client Suite (Windows) connects to the Control Center Management Server,
       which in turn connects to each managed firewall.]
       Client application: Client Suite tools connect to the Control Center Management Server to create, edit,
       and deploy policy to the managed firewalls.
       Control Center Management Server: All firewall management is accomplished through a connection to
       the Control Center.
       Managed firewalls: The configuration and initialization is similar to standalone firewalls. Then push
       policy from the Control Center Management Server to each firewall.



       The Client Suite and tiers of firewalls securely communicate with the Management Server by using SOAP
       over HTTPS. SSL, using Client Certificates generated by the built-in Certificate Authority, is used to encrypt
       and authenticate the client/server communication.








     You can also implement Control Center Management Servers in a High Availability (HA) configuration, in
     which one Management Server actively manages the registered firewalls, while another Management
     Server acts as a standby or backup. If the active Management Server fails, the management responsibilities
     can be switched to the standby or backup Management Server. For more information about this, see High
     Availability (HA) on page 136.


     Features of the Control Center
     The Control Center is the central security appliance management solution from McAfee. It provides the
     foundation for a suite of products that is used to:
     • Define and distribute rules to hundreds of firewalls.

     • Share configuration data among firewalls.

     • Configure Virtual Private Network (VPN) connectivity.

     • Implement and selectively activate multiple security policies.

     • Manage software releases on all of your firewalls.

     • Simplify routine administrative tasks.

     • Manage ongoing changes to your security policies.

     The Control Center supports the following features and functionality:
     • Object-based design — Using an object-based configuration technique, objects can be defined once and
       can be reused anywhere that the object is needed. Network objects represent one example of this
       implementation. Network objects include firewalls and device groups, hosts, networks, address ranges,
       interfaces, and endpoint groups. These objects are used when you define rules. Over time, hundreds of
       rules can be defined by using these objects. If the properties of a network object must be changed, you
       have to update the object once. The resulting changes will propagate wherever that object is used.

     • Auditing of object management events and archiving of audit tracking data — The Control Center
       has an audit tracking and archive management feature that can be configured to monitor object changes
       and purge or archive audit tracking data. The auditing data contains information about the requested
       operation performed, time, date and user name. This information can be displayed or printed using the
       Audit Trail report. Because the audit tracking table grows without bounds and consumes disk space, you
       also have the option to periodically remove the data from the database or archive it to another location.
       This is true for both Control Center audit data and audit data that is currently stored on the Management
       Server that was retrieved from one or more firewalls.
     • Configuration domains — Use configuration domains to partition your managed firewalls into separate
       collections of objects and configuration data. Each collection is independent of any other collection, and
       changes to one collection do not affect the others. For more information, see Configuration domains on
       page 92.

     • Rule set queries — Because firewall configurations often require numerous rules, the Control Center can
       produce filtered views that show only a subset of the rules. This added convenience helps to manage and
       validate the many rules that are stored in the Control Center database.

     • Firewall configuration retrieval — After a firewall has been added to the list of managed firewalls, you
       can use the Firewall Retrieval Options window to choose the configuration components to be retrieved and
       stored as Control Center objects. You can select all components or limit your selection to specific
       components. This feature saves time and effort when you are performing the initial setup to manage a
       firewall.

     • Policy validation and reports — After making configuration changes and before applying them, you can
       determine whether firewall configurations in the Control Center database are valid. You can view a report
       that shows the status of the validation process and a report that details the differences between the
       current and proposed firewall configurations.








       • Configuration status report — After the configuration has been propagated to one or more firewalls, a
         status report is produced to list warnings or errors that may have occurred.

       • Certificate Authority (CA) framework — A built-in CA framework lets you quickly issue certificates for
         the various architectural components. A built-in CA saves time when using SSL with client certificates.

       • Simultaneous, multiple users — The Control Center provides a locking mechanism that accommodates
         simultaneous use of the Control Center Client Tools by multiple users. Administrators have the option of
         locking entire object trees or allowing the system to lock individual objects on a first-come, first-served
         basis. This approach allows single-user environments to function without explicit locking.

       • High Availability (HA) feature — You can configure redundant Management Servers by using the High
         Availability Server Configuration (HA) feature. The HA feature uses a multi-server configuration to
         continue Control Center Management Server functions if the active Management Server fails. For more
         information, see High Availability (HA) on page 136.

       • Apply Configuration enhancements — The Apply Configuration window includes a checkbox that
         determines whether the network is automatically re-initialized when configuration changes are applied to
         a firewall. If the network is not re-initialized automatically, the Client displays all of the firewalls that need
         to be re-initialized in the Configuration Status report. In addition, the apply mechanism on the firewall
         supports running a script after the apply operation has been completed. The apply process also
         supports listing the files that are to be excluded from management.



About the Client Suite
       The McAfee Firewall Enterprise Control Center Client Suite is the suite of tools that provides the user
       interfaces for task-grouped operations of the Control Center. Each tool encapsulates related operations to
       deliver the functionality required by Control Center users.


       Administration Tool
       The Administration Tool aggregates the McAfee Firewall Enterprise Control Center administrative functions
       into a single tool.
       You can accomplish the following tasks by using the features and functions of the Administration Tool:
       • Control Center users — You can create and manage the unique Control Center user names and
         passwords that are used to authenticate user access to the Control Center Management Server. For more
         information, see Control Center users on page 81.
       • Control Center roles — After a user is defined, he or she is assigned a role that determines the tasks
         that he or she is allowed to perform. Although a default set of roles has been pre-defined, you can create
         additional user-defined roles that can be assigned to Control Center users. For more information, see
         Control Center roles on page 89.

       • Configuration domains — Activate the configuration domains option to segregate configuration data
         views and management into multiple domains. The operation and configuration data associated with a
         configuration domain is accessible only when the specific domain is selected during the login process. All
         other configuration data is obscured and cannot be acted upon or seen. If configuration domains are
         activated, configuration domain versions and version management can be accessed from the
         Administration Tool, as well as from the Configuration tool. For more information about configuring and
         managing configuration domains, see Configuration domains on page 92. For more information about
         versions and version management for configuration domains, see Configuration domain version
         management on page 97.








     • Audit Trail — The Control Center can track when firewalls, endpoints, services, rules, alert processing
       rules, and many other objects are updated, added, or removed by Control Center users. You can define
       the actions that are to be tracked, the objects that are to be tracked, the archiving (or not) of the tracked
       data, and a way to view and filter the tracked data. For more information, see Audit data management
       on page 100.
        Note: Do not confuse the Control Center Audit Trail, which provides a record of actions performed by Control
        Center users, with the firewall-specific security audit reports.

     • Control Center license — You can manage the Control Center license by selecting License from the
       System menu. For more information, see Control Center Management Server licensing on page 104.

     • System settings — You can manage specific Control Center system settings in the Administration Tool.
       These settings include: defining the default login disclaimer information that is posted in the login window
       for each tool in the Client Suite, the failed login lockout settings, and the default application time-out
       period. For more information, see Configuring system settings on page 121.

     • Alternate authentication — Use the Administration Tool to configure the way that Control Center users
       authenticate with the Management Server. The Control Center supports an internal authentication
       mechanism, as well as LDAP and RADIUS for off-box authentication. For more information, see
       Authentication on page 145.

     • Management Server backup and restore operations — Use the Administration Tool (and the
       Configuration Tool under certain circumstances) to manage the backup and restoration of the Control
       Center configuration and the operational data. A full system backup can be requested and an FTP off-box
       location can be specified. For more information, see Managing configuration data for the Management
       Server on page 23.

     • Backup server status — If the High Availability (HA) Management Server Configuration option is used,
       you can view the status condition of the backup Management Servers in the Backup Server Status page.
       For more information, see Viewing the status of your backup Management Servers on page 122.


     Configuration Tool
     Use the Configuration Tool to define, configure, and maintain multiple firewalls and security policies for a
     distributed homogeneous or heterogeneous configuration of firewalls.
     You can accomplish the following tasks by using the features and functions of the Configuration Tool:
     • Create configurable objects — The components that comprise a security policy include a set of
       configurable objects that defines the characteristics of the building blocks that are used to implement the
       security policy. Use this object model of defined objects to share characteristics, options, and
       functionality, instead of having to provide raw configuration information for each aspect of an
       implemented security policy. Use the Configuration Tool to retrieve, create, and manage configurable
       object characteristics. For more information, see Configurable objects on page 154.

     • Manage configurable objects — After configurable objects have been defined or retrieved, you can
       edit, validate, and apply changes to the configured object. You can manage the implemented security
       policy across all of the supported firewalls in your configuration. For more information, see Firewall
       configuration management on page 574.

     • Create and manage rules — Rules provide the network security mechanism that controls the flow of
       data into and out of the internal network. They specify the network communications protocols that can
       be used to transfer packets, the hosts and networks to and from which packets can travel, and the time
       periods during which the rules can be applied. Rules are created by the system administrator and should
       reflect the internal network site's security policy. You can retrieve, create, and manage rules in the
       Configuration Tool. For more information, see Creating, viewing, or modifying rules on page 528.

Reporting and Monitoring Tool
The Reporting and Monitoring Tool aggregates all of the McAfee Firewall Enterprise Control Center security
firewall monitoring and reporting functions into a single tool. Use the Reporting and Monitoring Tool to
centrally manage multiple firewalls in a homogeneous or heterogeneous device configuration that is
employed in an implemented security policy.
You can accomplish the following tasks by using the features, functions, and reports in the Reporting and
Monitoring Tool:
• View Secure Alerts for the firewall — An integrated Secure Alerts Server collects the alerts and
  activities that are generated by the supported firewalls. This server also normalizes the data and stores
  it in the Secure Alerts Server database. This data is the source of information that is presented in the Alert
  Browser and the Event Browser. Use the Secure Alerts Server Status page to view the status of the
  associated server. For more information, see Functionality of the Secure Alerts Server on page 687.

• Determine firewall status — A comprehensive visual display of the operational status for all of the
  supported firewalls is provided. The Firewall Status page lists firewall-specific status reports based on the
  audit log data that is sent to the Management Server by each configured firewall. For more information,
  see Firewall audit reports on page 624.

• Manage audit reports — You can generate user-defined, firewall-specific audit reports based on the
  audit log data that is sent to the Management Server by each configured firewall. For more information,
  see Firewall audit reports on page 624.

• Generate and view firewall-specific reports — You can generate and display a variety of
  firewall-specific reports. For those reports that require it, you provide the report-specific parameters or
  options for the specific report that is being generated through the provided interface. For more
  information, see Firewall reports in the Reporting and Monitoring Tool on page 689.


Software Updates Tool
Use the Software Updates tool to apply software and firmware updates to supported firewalls, and to store
and manage the updates on the Management Server.
You can accomplish the following tasks by using the features and functions of the Software Updates Tool:
• Install updates — Determine the current version of software or firmware that is installed on each
  firewall; install, uninstall, or roll back an update; schedule an update action for a particular date and time;
  view the status of an update action; and view the history of previously completed update actions. For
  more information, see Installing software and firmware updates on page 697.

• Back up firewall configuration — Back up and restore configurations for selected firewalls. You can do
  this both here, in the Software Updates Tool, and in the Configuration Tool. Use the saved configuration
  files to restore a default firewall configuration, to maintain a version of a working configuration before you
  make any configuration changes, or to recover from an unexpected loss of firewall configuration data.
  When you are installing software updates, this feature is a convenience and a precaution. For more
  information, see Backing up and restoring firewall configurations on page 704.

• Store updates — Download, manage, and store firewall software and firmware updates on the
  Management Server. Use the interface to identify the name of the update, the type of firewall to which
  the update applies, the release date, and its download status. You can also view an associated Readme
  file. For more information, see Installing software and firmware updates on page 697.

• Update settings — Enable the downloading of files by using a proxy server, configure auto-discovery
  settings for software updates, and control whether update packages that have been removed from the
  Management Server are displayed on the Store Updates page. For more information, see Configuring
  update download settings on page 692.

• Update Control Center — Upload software updates to the Control Center Management Server and then
  install them. For more information, see Downloading and applying Management Server updates on
  page 693.

2 Administrator Basics


       Contents
       Managing the McAfee Firewall Enterprise Control Center (CommandCenter) Management Server
       Managing configuration data for the Management Server
       Disaster recovery restoration for Management Servers
       Adding firewalls
       Managing firewall interfaces
       Navigating the Control Center user interface



Managing the McAfee Firewall Enterprise Control Center (CommandCenter)
Management Server
       The Control Center Management Server provides the firewall management and monitoring capabilities
       required to centrally implement security policy. This section explains how to log onto, add, delete, and back
       up Management Servers.
       • Configuring the Management Server on page 20

       • Adding primary or backup (standby) Management Servers on page 21

       • Removing (deleting) primary or backup (standby) Management Servers on page 21

       • Logging into the Management Server on page 21

       • Backing up configuration data for the Management Server on page 24

       • Restoring configuration data to the Management Server on page 29

       • Restoring a standalone Management Server that has failed completely on page 34

       • Restoring a primary Management Server that has failed completely and that is part of a high availability
         (HA) pair on page 35

       • Restoring a backup Management Server that has failed completely and that is part of a high availability
         (HA) pair on page 36

       • Restoring both Management Servers in a high availability (HA) pair that have failed completely on page 37

     Configuring the Management Server
     The first time that you log onto the Management Server by using any of the Client Tools (except the Control
     Center Initialization Tool), you must configure a new Management Server.
     Use the Add New Server window to configure the Management Server that you are going to access by using
     the Control Center Client tools. During subsequent logins, you can configure additional primary or backup
     (standby) servers. You can also remove Management Servers in this window.
     Figure 2 Add New Server window




     Accessing this window
     1 From the Start menu, select All Programs > McAfee > McAfee Firewall Enterprise Control Center >
       any tool except for the Initialization tool. The Login window displays.

     2 Specify the user name and password in their respective fields.

     3 In the Service field, make sure that <Add New Server> is displayed and click the button beside the field.
        The Add New Server window is displayed.

     Fields and buttons
     This window has the following fields and buttons:
     • Name — Specify a name that quickly identifies this Management Server.

     • Server address — Specify the node name or IP address of this Management Server.

     • Server Type — Use the fields in this area to determine whether this server will be a primary server or a
       backup (standby) server. The following fields are available:

        • Primary server — Indicates that this Management Server will perform as a primary server. This is the
          default value. This does not imply that high availability or failover clustering is configured. The
          following additional fields must be completed if this value is selected:

            • User name — Specify the name of the user who has access to this Management Server. This value
              will be required in future logins.
            • Password — Specify the password for the user name that was specified in the User name field.

        • Backup server — Indicates that this Management Server will perform as a backup or standby server.
          In addition to selecting the primary server in the next field, you must perform additional tasks to
          implement the high availability or clustering environment. For more information about this, see
          Configuring, promoting and demoting cluster objects and cluster nodes on page 216.

            • Primary server — Specify the Management Server that will act as the primary server for this
              Management Server in a high availability or cluster environment.
• OK — Continue with the configuration and login process. For more information, see Adding primary or
  backup (standby) Management Servers on page 21.

• Cancel — Close this window without configuring a new server. If this is your first time after installation,
  you must access this window again to configure your primary server.

• Remove — Delete the Management Server that is displayed in the Server field. To use this Management
  Server in the future, you must re-configure it in this window. For more information about the removal
  process, see Removing (deleting) primary or backup (standby) Management Servers on page 21.

Adding primary or backup (standby) Management Servers
1 From the Start menu, select All Programs > McAfee > McAfee Firewall Enterprise Control Center >
   and then any tool except for the Initialization tool. The Login window displays.

2 Specify the user name and password in their respective fields.

3 In the Service field, make sure that <Add New Server> is displayed and click the button beside the field.
   The Add New Server window is displayed.

4 Configure the fields in this window, specifying whether you are adding a primary or a backup (standby)
   server and then specifying the related field information. For more information, see Configuring the
   Management Server on page 20.

5 Click OK. The Certificate Problem message is displayed because the Management Server imports a
   non-Certificate Authority (CA) certificate before it imports the CA certificate from the Control Center. Click
   Yes. Another message is displayed. Click Yes.

   The login window is displayed.

6 In the Server list, select the server to which you want to log in. Then specify the user name and password
   for that server and click Connect.

Removing (deleting) primary or backup (standby) Management Servers
1 From the Start menu, select All Programs > McAfee > McAfee Firewall Enterprise Control Center >
   and then any tool except for the Initialization tool. The Login window displays.

2 Specify the user name and password in their respective fields.

3 In the Service field, select the server to be removed and click the button beside the field. The Add New
   Server window is displayed.

4 Click Remove. The Management Server is removed from the list of available Management Servers.


Logging into the Management Server
Use any of the Client Suite tools (except for the Control Center Initialization Tool) to log into the
Management Server. Each of these tools in the Client Suite supports a similar login interface.
The Control Center supports a user-configurable lock-out mechanism for logins. It is initially set to lock out
a user after three unsuccessful attempts to authenticate. After the user is locked out, he or she will not be
able to successfully authenticate until a pre-configured amount of time has elapsed. (The default value is
30 minutes.) For more information about configuring these settings, see Configuring system settings on
page 121.
     To log into the Management Server by using the Administration Tool, Configuration Tool, Reporting and
     Monitoring Tool, or the Software Updates Tool:
     1 From the Start menu, select McAfee > McAfee Firewall Enterprise Control Center, and then select the
        appropriate tool. The Login window is displayed.

        Note: If this is the first time that you are logging into the Management Server, see Configuring the
        Management Server on page 20.

     2 Specify a valid Control Center user name in the User Name field. After the initial installation of the
        Management Server, the default user name is the value that is specified in the ccinit.txt file.

     3 [Optional] Select the Remember User Name checkbox to preserve the specified user name in the field
        or the default user value that is specified in the ccinit.txt file.

     4 Specify the corresponding password in the Password field. After the initial installation of the
        Management Server, the default password is the value that is specified in the ccinit.txt file.

     5 Select a previously defined Management Server connection from the Server list.

     6 Click Connect. A certificate validation message is displayed.

     7 Click Yes.

     You are now logged into the Control Center Management Server. You can start multiple Client Suite tools
     from the Tools menu in any tool without logging in again.
     Note: If you attempt to log into a Management Server by using a Client Suite Tool from an earlier version (that is,
     earlier than the Management Server version), you will be prompted to update the Client Suite Tools before
     proceeding.

     Use the Login window to log into the Administration Tool, Configuration Tool, Reporting and Monitoring
     Tool, or the Software Updates Tool. Each of these tools supports a similar login window.
     Figure 3 Login window

       Fields and buttons
       This window has the following fields and buttons:
       • User Name — Specify the name of the Control Center user. The user name must have been previously
         defined. The default value is the name of the user who last logged in to the tool. After you have initially
         installed the Control Center Management Server, the default value for the User Name field is the value
         that is specified in the ccinit.txt file.

       • Remember User Name — Determines whether to save the value that was specified in the User Name
         field so that it can be displayed in the User Name field on subsequent login attempts.

       • Password — Specify the password that is associated with the user that was specified in the User Name
         field. After you have initially installed the Control Center Management Server, the default value is the
         value that is specified in the ccinit.txt file.

       • Server — Specify the name of a Control Center Management Server to which to log on.

          To create a new connection name or to connect to a different Management Server, select <Add New
          Server>. The Add New Server window is displayed. Specify values in the following fields as needed
          and click OK: Name, Server Address, either Primary Server or Backup Server and related fields. The
          Certificate Problem message is displayed because a new connection is being defined. Click OK. The
          Root Certificate Store message is displayed. Click Yes. The main login window is now displayed and
          the newly created server is selected.

          To delete a connection name, select the name to be deleted in the list and click the button beside the
          list. The Modify Server window is displayed. Click Remove. A confirmation window is displayed. Click Yes.

       • Domain — [Not available on the Administration Tool] Specify the configuration domain to log into if
         configuration domains have been activated.

          To refresh the list of configuration domains to ensure that all of the recently configured domains are
          displayed in the list, click the refresh button. A valid user name and password must be supplied to refresh
          the list. A user can log into only a domain for which he or she has been given access.

          If configuration domains have not been activated, ignore this field. For general information about
          configuration domains, see Configuration domains on page 92. For specific information about activating
          configuration domains, see Configuring configuration domains on page 95.

       • Connect — Displays a certificate problem message as part of the connection process. Click Yes. If the
         client tool software is the same version as the Management Server, the tool is displayed. If the client tool
         software is older than the Management Server, you are prompted to update the Client Suite Tools before
         proceeding.

       • Exit — Close this window without attempting to log into the Management Server.



Managing configuration data for the Management Server
       The Control Center Management Server contains all of the configuration information for one or more
       security policies that have been implemented for the enterprise, or, as in the case where configuration
       domains have been configured, multiple enterprise class domains.
       The data that is stored on the Management Server is, therefore, critical to the management of the firewalls
       and their implemented security policies. Establishing a security practice to ensure the ability to restore this
       critical data in case of catastrophic failure is fundamental to the operation of the enterprise.
       This section contains the following topics:
       • Backing up configuration data for the Management Server on page 24

       • Restoring configuration data to the Management Server on page 29

                Backing up configuration data for the Management Server
                You can back up your data in three different ways:
                • Automatic nightly backups — For more information, see Automatic nightly backups on page 24.

                • By using the GUI (the Backup Control Center System window) — For more information, see
                  Backing up the Management Server by using the GUI on page 25.

                • By using the command line — For more information, see Backing up the Management Server files by
                  using the command line on page 26.
                   Note: Before you continue with the command line procedures, make sure that you read dbadmin and root
                   user accounts and using the command line on page 25.

                The following table provides information about the types of files that are backed up by each of these
                methods.
Table 3 Backed up files by backup method
Columns: Nightly = automatic nightly backup; GUI full = Backup Control Center System window with the Full
system backup checkbox selected; GUI partial = Backup Control Center System window with the Full system
backup checkbox cleared; backuptool = backuptool command.

Type of files                                                Nightly  GUI full  GUI partial  backuptool
Configuration database (cg_configuration)                    Yes      Yes       Yes          Yes
System database (cg_system)                                  Yes      Yes       No           Yes
Events database (cg_events)                                  Yes      Yes       No           Yes
CA and SSL certificates and private keys                     No       Yes       No           Yes
Firewall and Control Center Management Server                No       Yes       No           Yes
  software updates
Secure Alerts Server configuration files and                 No       Yes       No           Yes
  miscellaneous other files
Firewall audit log files and configuration backups           No       Yes (1)   No           Yes (3)
Backup files contained in                                    No       Yes (2)   No           Yes (4)
  /opt/security/var/gccserver/cfgbackups and
  /opt/security/var/gccserver/nightlybackups (this
  includes the nightly backups and the backups that
  were created by using the GUI)

(1) Yes if the checkbox for the backups.auditlogs setting is selected in the Server Property Editor window.
(2) Yes if the checkbox for the backups.dbbackups setting is selected in the Server Property Editor window.
(3) Yes, unless the -L option is specified.
(4) Yes, unless the -D option is specified.


                Automatic nightly backups
                By default, backup files of the configuration (cg_configuration), system (cg_system), and events
                (cg_events) database data occur at midnight each night.

                Note: These files are stored locally on the Control Center Management Server. It is recommended that you also
                back up these files to an off-box location.

                • cg_system – This database includes information about the Control Center system, software update data,
                  backup information, deployment information, version and licensing information, and similar data.

                • cg_configuration – This database includes all of the firewall configuration data, configurable objects data,
                  certificates, and similar data.

                • cg_events – This database includes all of the information that the reporting and monitoring tool extracts
                  from the syslog files that are used to monitor firewall activity and to generate various reports.

Seven revisions of this data are stored in the /opt/security/var/gccserver/nightlybackups directory. Each
revision is identified by a date and a numeric identifier. The dbadmin Linux account has the necessary
privileges to modify the characteristics of this cron job, as required, and to restore individual configuration,
system, and events database data. For more information, see Restoring a single database on page 31.
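As an added example (not from the guide or the product), the following POSIX shell script verifies that last night's backup actually landed in the nightlybackups directory named above and stages the newest revision for the off-box copy that the note recommends. The 24-hour freshness window, the staging destination and the selection of the newest file by modification time are assumptions made here, because the guide does not describe the backup file names.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): sanity-check the automatic
# nightly backups and stage the newest one for an off-box copy.
# The directory is the one the guide names; the freshness window and the
# destination directory are assumptions for this example.

NIGHTLY_DIR="${NIGHTLY_DIR:-/opt/security/var/gccserver/nightlybackups}"

# newest_backup DIR: print the name of the most recently modified regular
# file in DIR. Returns 1 when DIR holds no files (ls -p marks directories
# with a trailing slash so they can be filtered out).
newest_backup() {
    name=$(ls -tp "$1" 2>/dev/null | grep -v '/$' | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# check_nightly_backups DIR: return 0 when DIR contains a file written
# within the last 24 hours (the cron job runs at midnight), 1 otherwise.
# Also warn when fewer than the seven expected revisions are present,
# which indicates that the rotation or the cron job is not behaving.
check_nightly_backups() {
    dir="$1"
    total=$(find "$dir" -type f 2>/dev/null | wc -l | tr -d ' ')
    fresh=$(find "$dir" -type f -mtime -1 2>/dev/null | wc -l | tr -d ' ')
    if [ "$total" -lt 7 ]; then
        echo "warning: $total revision(s) in $dir, expected 7" >&2
    fi
    if [ "$fresh" -eq 0 ]; then
        echo "error: no backup written in the last 24 hours in $dir" >&2
        return 1
    fi
    return 0
}

# copy_latest_offbox DIR DEST: copy the newest backup in DIR to DEST
# (for example a mounted staging area that is shipped off the box),
# preserving timestamps so the revision date survives the copy.
copy_latest_offbox() {
    dir="$1"
    dest="$2"
    name=$(newest_backup "$dir") || {
        echo "error: no backup file found in $dir" >&2
        return 1
    }
    mkdir -p "$dest" && cp -p "$dir/$name" "$dest/$name"
}

# Typical use from a cron job (assumed destination path):
#   check_nightly_backups "$NIGHTLY_DIR" && \
#       copy_latest_offbox "$NIGHTLY_DIR" /mnt/offbox/cc-nightly
```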

Backing up the Management Server by using the GUI
You can perform backups of your Control Center Management Server by using the Backup Control Center
System window. By using this window, you can perform the following tasks:
• Save your configuration files immediately (either locally or off-box)

• Create a schedule on which to save your configuration files (either locally or off-box)

If configuration domains are active, you can access the Backup System and Restore System menu
options from the System menu only in the Administration Tool. If configuration domains are not active, you
can access these options from the System menu in either the Administration Tool or the Configuration Tool.
Additionally, if domains are active, you can create versions of domains that can serve as backups. These
are separate from system backups, but they do provide an additional backup option. For more information,
see Configuration domain version management on page 97. To access this functionality, in the
Administration Tool, from the Configuration Domains menu, select Manage Versions.

Backing up your configuration files
1 If configuration domains are activated, you must access the Backup Control Center System window from
   the Administration Tool. From the System menu, select Backup System…. The Backup Control Center
   System window is displayed.
   or
   If configuration domains are not activated, in either the Configuration Tool or the Administration Tool,
   from the System menu, select Backup System…. The Backup Control Center System window is
   displayed.
   Note: If configuration domains are activated, you can also manage different versions of domains. In the
   Administration Tool, from the Configuration Domains menu, select Manage Versions.

2 Configure the fields on this window, depending on whether you are saving the configuration locally or
   sending it off-box and whether you are scheduling the backup or performing it immediately. If you save
   the configuration files locally, they are saved into the following directory:

   /opt/security/var/gccserver/cfgbackups

3 To create a full system backup, make sure that the Full system backup checkbox is selected. If you do
   not select this checkbox, only the cg_configuration database will be included in this backup file. The full
   system backup file includes all of the firewall configuration data, configurable objects, certificates, and
   similar data.

4 Click OK to save your configuration information.

For more information about this window, see Creating backup files of your Management Server data by
using the GUI on page 123.

dbadmin and root user accounts and using the command line
Some of the following commands can be run only by the dbadmin user. If you have not already configured
the dbadmin user account (and you can always do this again if it has already been configured), you must
follow the procedure that is specified in Configuring the dbadmin user account on page 26. After you have
configured this account, you can log into the Management Server as mgradmin and switch to the dbadmin
user by using the su command. You may be prompted for the root password during certain phases of the
command line backup and restore process.
Additionally, if you did not configure a password for the root user during the initial setup of the Control
Center, you must do so before continuing with the command line backup and restore processes. For
information about how to configure the root password, see the “Tips and Troubleshooting” appendix of the
McAfee Firewall Enterprise Control Center Startup Guide.
     Backing up the Management Server files by using the command line
     As the mgradmin user, you can manage the configuration, system, and events database data by using the
     backuptool command. To back up databases only, use the backupdb command. For more information
     about these commands and the related procedures that use them, see the following topics:
     • Backuptool command overview on page 26

     • Creating backup files for all databases on page 28

     • Creating backup files for a single database on page 28

     • Creating a backup file for a full system restoration on page 29

     Configuring the dbadmin user account
     After the initial configuration, the dbadmin account is locked and does not have an assigned password. You
     must unlock this account to perform database-related operations, including certain backup and restore
     operations, from the command line.
     To unlock the dbadmin account and assign a password to it:
     1 Log into the console or through SSH by using the mgradmin account. A prompt is displayed.

     2 Switch to the sso account by specifying the following command:

            su - sso
     3 Specify the sso account password.

     4 Assign a password to the dbadmin account by specifying the following command:

            /usr/sbin/cg_usermod -s /bin/bash -p newpassword dbadmin
        where newpassword is the password that you are assigning to the account. The password should be at
        least seven alphanumeric characters long.
        Note: The password is passed as a command line argument, so it is visible in the process list while the
        command runs and may be saved in the sso account's shell history. Remove that history entry afterwards.

     5 Exit the sso account by specifying the following command:

        exit
     To switch to the dbadmin user, run the following command:
        su dbadmin

     Backuptool command overview
     Use the backuptool command to create or restore full backups of your Management Server configuration.
     The command is in the /usr/sbin/ directory and runs as the backup user; invoke it by using sudo as follows:
        sudo -u backup /usr/sbin/backuptool <options>
     Run this command without arguments to view all of the available options. The following listing shows the
     backup, restore, extract, download, and upload forms of the backuptool command and all of their
     parameters. To view the procedures that use these forms, see Creating backup files for all databases on
     page 28, Creating backup files for a single database on page 28, or Creating a backup file for a full system
     restoration on page 29.
It is important that you review these procedures because there are some important prerequisites that are
included in them.
   sudo -u backup /usr/sbin/backuptool
   backuptool backup   -f filename[.des3] [-k passphrase] [-L] [-D]
   backuptool restore  -f filename[.des3] [-k passphrase] [-L] [-D] [-b] [-i]
   backuptool extract  -f filename
   backuptool download -f filename -s scheme -h hostname -d remote-directory -u username -p password
   backuptool upload   -f filename -s scheme -h hostname -d remote-directory -u username -p password
where:
   [.des3]          = Optionally use to encrypt file during backup and decrypt during restore
   [-k]             = Encryption passphrase is the next argument in the command. The filename
                      must have a .des3 extension.
   [-L]             = Excludes files in /opt/security/var/gccserver/auditlogs from the backup or
                      restore operation
   [-D]             = Excludes files in /opt/security/var/gccserver/cfgbackups and in
                      /opt/security/var/gccserver/nightlybackups from the backup or restore operation
   [-b]             = Treats the backup file as having been created on a CC HA system
   [-i]             = Ignore the release level of the backup file
   filename         = filename of archive file
   passphrase       = encryption passphrase
   scheme           = one of FTP,FTPS,SCP
   hostname         = host name [:port(optional)] (When using FTPS, port is either 21 or 990.
                      Consult your FTP server documentation.)
   remote-directory = directory on remote host
   username         = username on remote host
   password         = password on remote host
   %GCC: REASON     = The first argument passed to backuptool was incorrect.
   %GCC: STATUS     = ERROR
   %GCC: CODE       = 1
The lines prefixed by %GCC indicate the result of the backuptool command. Here, the output indicates a
problem with the arguments that were passed. Therefore, the command prints usage information, as well
as the summarized result.
If the backuptool command fails, it returns STATUS=ERROR and CODE=<a non-zero error code>. It might
optionally return a REASON=<the cause of the error>.
The -k option requires a passphrase argument and the filename must have a .des3 extension. The
passphrase that you provide will be used to encrypt backup files for backup operations and decrypt backup
files for restore operations. The restore will fail if the passphrase that is used for restoring backups does not
match the passphrase that was used to create the backup. Because the passphrase is passed as a command
line argument, it is visible in the process list while backuptool runs and may be recorded in the shell history.
Tip: When you specify a passphrase from the command line, shell quoting rules apply. In particular, a single
quote inside a single-quoted string must be written as '\'' (close the quote, escape a literal quote, reopen).

The following command is an example of the command to create a backup file by using hello'world as the
passphrase:
   sudo -u backup /usr/sbin/backuptool backup -f test.bak.des3 -k 'hello'\''world'
The -L option omits the audit log files. Audit log files can get very large and can significantly increase the
amount of time that it takes to back up or restore the system. However, if you do not back up audit log files,
the historical information that the reporting functions use for all managed firewalls is lost when a
Management Server is restored from that backup.
     The -D option omits the backup files in the /opt/security/var/gccserver/cfgbackups and
     /opt/security/var/gccserver/nightlybackups directories. The current database configuration is still preserved.
     However, the daily backup files that are automatically created each night (a total of seven files) and the
     user-created backup files that were created by using the GUI are not included in the backup. Including
     these files can significantly increase the amount of time it takes to back up or restore the system; omitting
     them means that they cannot be restored after a Management Server is restored from this backup.
     The -f option requires a path argument. The path identifies the complete path and filename of the archive
     file that is being created or restored. The filename must be identical to the name of the file on the remote
     host. (The directory part does not need to match.)
     If the path argument for the -f option ends in .des3, the backup file is encrypted during a backup operation
     and decrypted during a restore operation.
     The -i option ignores the release version of the backup file. The backup file will be restored even if it was
     created while running a different release of the Management Server. This is not usually recommended,
     because the archive may contain data in a layout that the running release does not expect.
     The hostname argument that is supplied with the -h option must be resolvable by the Management
     Server; alternatively, the administrator can specify an IP address. An optional port value can be specified if
     it is required by the host.

     Creating backup files for all databases
     Use this procedure to back up all of the database files. Before you begin, make sure that no users are
     accessing any of the databases.
     1 Log in to the Management Server and switch to the dbadmin user. Database backup files are written to
        the current directory. Ensure that the current directory is the one that will be written to by the dbadmin
        user (for example: /home/dbadmin).

     2 Run the following command:

            /usr/sbin/backupdb all
        Backup files are created for each of the three databases in the current working directory.

     Creating backup files for a single database
     Use this procedure to back up any one of the database files.
     1 Ensure that no other users are accessing the database.

     2 Log in as the mgradmin user and then switch to the dbadmin account. Database backup files are written
        to the current directory. Ensure that the current directory is the one that will be written to by the dbadmin
        user (for example, /home/dbadmin).

     3 Run the following command:

            /usr/sbin/backupdb [-k passphrase] <database-name> <backup-file>[.des3]
        where <database-name> is cg_system for the system database, cg_configuration for the configuration
        database, or cg_events for the events database data collected by the Secure Alerts server. To create an
        encrypted backup file, append the optional .des3 file extension to the backup file name. You can specify a
        customized encryption passphrase for encrypted backup files by using the optional -k parameter. Standard
        shell quoting rules apply. (See the Tip in Backuptool command overview on page 26.)

        For example: /usr/sbin/backupdb -k 'secret' cg_events cg_events.bak.des3
Creating a backup file for a full system restoration
Designate a specially named directory on the remote server (FTP, FTPS, or SCP) to store the backup so that
it can be easily located during the restore process.
You can view the progress of a backup on the Restore System from Backup window. For more
information about this window, see Restoring the Management Server configuration files from a backup file
on page 126.
Use the following procedure to create a full system backup that will include:
• Backup files in the /opt/security/var/gccserver/cfgbackups and
  /opt/security/var/gccserver/nightlybackups directories

• Firewall audit log files

1 Log in as the mgradmin user.

2 Make sure that the backup user has access to the current directory (for example, /tmp). The archive file is
   written to the current directory unless the -f argument specifies a complete path.

3 As mgradmin, create the backup file:

       sudo -u backup /usr/sbin/backuptool backup -f filename[.des3] [-k passphrase]
   where:

       filename         = filename of archive file
       [.des3]          = Optionally use to encrypt file during backup and
       decrypt during restore
       [-k passphrase] = Optionally encrypt the file by using a custom encryption
       passphrase. The filename must use the .des3 extension. A default passphrase will
       be used if no passphrase is specified.
4 Move this backup file to a safe, off-box location by running the following command as mgradmin:

       sudo -u backup /usr/sbin/backuptool upload -f filename -s scheme -h hostname -d remote-directory -u username -p password
   where:

       filename         = filename of archive file
       scheme           = one of FTP,FTPS,SCP
       hostname         = host name [:port(optional)] (When using FTPS, port is either 21 or
       990. Consult your FTP server documentation.)
       remote-directory = directory on remote host
       username         = username on remote host
       password         = password on remote host
   Prefer SCP or FTPS: plain FTP sends the remote password and the archive in cleartext. The remote password
   is also passed as a command line argument and is visible in the process list while the upload runs, so use
   an account on the remote host that is dedicated to receiving backups.
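The passphrase quoting tip, the %GCC result lines from the overview, and the upload step above can be wrapped in a few shell functions. The following is an added example written for this page, not code from the McAfee guide or the Control Center product. It assumes that backuptool prints %GCC: STATUS and %GCC: CODE lines in the form shown in the overview; the sample output it parses is constructed, and the function names and the DRY_RUN and ALLOW_FTP variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): a thin wrapper around the
# backuptool commands. Assumptions: backuptool reports its result in
# "%GCC: STATUS = ..." and "%GCC: CODE = n" lines as the guide shows; the
# sample output used in the test is constructed; DRY_RUN, ALLOW_FTP and all
# function names belong to this example.

# shell_quote STRING: single-quote STRING for the shell, turning an embedded
# ' into '\''. A passphrase such as hello'world then reaches backuptool intact.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# backuptool_code: read backuptool output on stdin and print the %GCC CODE
# value (0 when STATUS is not ERROR and no CODE line was printed).
backuptool_code() {
    awk '/^%GCC: STATUS/ { sub(/.*= */, ""); status = $0 }
         /^%GCC: CODE/   { sub(/.*= */, ""); code = $0 }
         END { if (code == "") code = (status == "ERROR") ? 1 : 0; print code }'
}

# upload_scheme_ok SCHEME: accept SCP and FTPS; allow plain FTP only when
# ALLOW_FTP=1, because FTP sends the remote password and the archive in clear.
upload_scheme_ok() {
    case $1 in
        SCP|FTPS) return 0 ;;
        FTP)      [ "${ALLOW_FTP-0}" = 1 ] ;;
        *)        echo "unknown scheme: $1 (use FTP, FTPS or SCP)" >&2; return 2 ;;
    esac
}

# cc_backup FILE [PASSPHRASE]: build and run the backup command. A passphrase
# without a .des3 filename is rejected up front instead of failing inside
# backuptool. With DRY_RUN=1 the command line is printed instead of run.
cc_backup() {
    file=$1; pass=${2-}
    if [ -n "$pass" ]; then
        case $file in
            *.des3) ;;
            *) echo "cc_backup: -k needs a .des3 filename, got $file" >&2; return 2 ;;
        esac
    fi
    cmd="sudo -u backup /usr/sbin/backuptool backup -f $(shell_quote "$file")"
    if [ -n "$pass" ]; then
        cmd="$cmd -k $(shell_quote "$pass")"
    fi
    if [ "${DRY_RUN-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    out=$(eval "$cmd" 2>&1)
    printf '%s\n' "$out"
    # Trust the %GCC result line rather than the process exit status alone.
    [ "$(printf '%s\n' "$out" | backuptool_code)" = 0 ]
}
```

shell_quote turns hello'world into 'hello'\''world', which is the form a single-quoted passphrase containing a quote must take; cc_backup refuses a -k passphrase without a .des3 filename rather than letting backuptool fail, and upload_scheme_ok makes cleartext FTP an explicit opt-in before the upload step is run.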


Restoring configuration data to the Management Server
You can restore configuration data to a Control Center Management Server by using the GUI (the Restore
System from Backup window), or by using the command line interface. For procedural information, see the
following topics:
• Restoring configuration data by using the GUI on page 30

• Restoring data by using the command line on page 30

For information about restoring data when a complete failure has occurred to a standalone Management
Server or one or more servers in a high availability (HA) configuration, see Disaster recovery restoration for
Management Servers on page 33.
If you want to restore configuration backup files from Management Servers in an HA configuration, you
should use the command line tools. For more information, see Restoring data by using the command line on
page 30. However, you can restore full backup files for HA Management Servers by using the GUI. See
Restoring configuration data by using the GUI on page 30.
     Restoring configuration data by using the GUI
     Use the Restore System from Backup window to restore a user-defined configuration file that is stored
     locally or off-box or to restore a system-generated configuration file that was automatically generated
     before a retrieve was performed. The system-generated backups that are displayed on this window contain
     the cg_configuration database data only, which includes all of the firewall configuration data, configurable
     objects data, certificates, and similar data. For more information about this window, see Restoring the
     Management Server configuration files from a backup file on page 126.
     1 If configuration domains are activated, you must access the Restore System from Backup window from
        the Administration Tool. From the System menu, select Restore System…. The Restore System from
        Backup window is displayed.
        or
        If configuration domains are not activated, in either the Configuration Tool or the Administration Tool,
        from the System menu, select Restore System…. The Restore System from Backup window is displayed.
        Tip: If the backup file that you want to restore is stored on the Client system, you can upload the file to the
        Control Center Management Server by clicking Upload and then following the instructions on the window.
        After the file has been uploaded, the backup file should be displayed in the list of available backups.

     2 Select the backup file to use and click Restore.

     3 If this is a local backup, go to step 4.
        or
        If this backup file is located on a remote server, the Remote Username and Password window is displayed.
        Specify the credentials for the remote server and then continue with step 4.

     4 Click Yes to proceed. The following results can occur:

        • Successful restore of full backup — You will be logged off of the tool and the Management Server
          will be restarted. You will not be allowed to log back in until the restore has finished.

        • Successful restore of configuration backup — A message is displayed, indicating that the
          restoration was successful and advising you to log out and to restart the Management Server. Click OK
          and take the recommended actions—log out, restart the Management Server, and then log in again.

        • Failed to restore — If the errors cannot be resolved, contact Technical Support for additional
          assistance.

     Restoring data by using the command line
     The following procedures address restoration of various components of configuration data by using the
     command line interface:
     Note: Before you continue with the command line procedures, make sure that you have read dbadmin and root
     user accounts and using the command line on page 25 and Backuptool command overview on page 26.

     • Restore all of the databases for a Management Server (restoredb all command) — See Restoring all of
       the databases for a Management Server on page 31.

     • Restore a single database for a Management Server (restoredb command) — See Restoring a single
       database on page 31.

     • Restore the full Management Server configuration (backuptool restore command) — See Restoring the
       Management Server configuration files from the command line on page 33.
Restoring all of the databases for a Management Server
1 Ensure that no other users are accessing the database.

2 Log in as the mgradmin user.

3 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the
   restore process.

   To stop Tomcat:

       su root
       /etc/init.d/tomcat stop
   To stop Secure Alerts:

       su root
       /etc/init.d/dcserver stop
4 Switch to the dbadmin user. Change the directory to the location where the backup files are located.
   Ensure that the current directory contains all of the databases that were previously saved by using the
   /usr/sbin/backupdb all command.
   Note: When you have configured the Control Center HA Management Server feature, you must remove this
   functionality before you restore any data. For more information, see Removing the High Availability (HA)
   configuration feature on page 143.

5 Run the following command:

       /usr/sbin/restoredb [-d] [-b] all
   The optional [-d] parameter is used primarily by Technical Support. Use this parameter only if
   instructed to do so by Technical Support. The [-b] parameter must be specified when the backup
   being restored was created while the HA feature was operational.
   Note: During this restoredb session, you will be prompted to specify the password for the root user account
   several times. You must provide it for the restoration to continue.

6 After successfully restoring the backup file, you should start Tomcat and the Secure Alerts server:

   To start Tomcat:

       su root
       /etc/init.d/tomcat start
   To start the Secure Alerts server:

       su root
       /etc/init.d/dcserver start

Restoring a single database
1 Ensure that no other users are currently accessing the database.

2 Log in as the mgradmin user.

3 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the
   restore process.

   To stop Tomcat:

       su root
       /etc/init.d/tomcat stop
   To stop Secure Alerts:

       su root
       /etc/init.d/dcserver stop
   To switch to the dbadmin user, run the following command:

       su dbadmin
     4 Change directories to the location where the backup is located (for example: /home/dbadmin). If you are
        restoring a database file from the nightly backups, change the current directory to the nightly backup
        directory (/opt/security/var/gccserver/nightlybackups).
        Note: When you have configured the Control Center HA Management Server feature, you must remove this
        functionality before you restore any data. For more information, see Removing the High Availability (HA)
        configuration feature on page 143.

     5 Run the following command:

             /usr/sbin/restoredb [-d] [-b] [-k passphrase] <database-name> <backup-file>[.des3]
         where <database-name> is cg_system for the system database, cg_configuration is the name for the
        configuration database, or cg_events is the name for the events database data that is collected by the
        Secure Alerts server. The optional [-d] parameter is used primarily by Technical Support. Use this
        parameter only if instructed to do so by Technical Support. The [-b] parameter must be specified
        when the backup being restored was created while the HA feature was operational. The optional .des3
        file extension indicates that the file will be automatically decrypted. Use the optional [-k] parameter to
        decrypt the backup file with a custom encryption passphrase if a custom passphrase was specified
        when the backup file was created.

        The following example restores an encrypted cg_events database file to the cg_events database on
        the current Management Server:

            /usr/sbin/restoredb cg_events cg_events.bak.des3
        Note: During this restoredb session, you will be prompted to specify the password for the root user account
        several times. You must provide it for the restoration to continue.

        This next example restores a cg_configuration database file that was encrypted with a custom
        passphrase:

            /usr/sbin/restoredb -k 'secret' cg_configuration cg_configuration.bak.des3
     6 After successfully restoring the backup file, you should start Tomcat and the Secure Alerts server:

        To start Tomcat:

            su root
            /etc/init.d/tomcat start
        To start the Secure Alerts server:

            su root
            /etc/init.d/dcserver start
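Both restoredb procedures above (all databases, and a single database) share one sequence: stop Tomcat and Secure Alerts, run restoredb as dbadmin from the directory that holds the backup files, then start the services again. The following is an added example written for this page, not part of the McAfee guide, that wraps that sequence and restarts the services even when restoredb fails, so a failed restore does not leave the Management Server down. It is meant to be run from a root shell (the guide uses su root for the init scripts); the INITD variable and the function names are this example's own, and restoredb still prompts for the root password as the guide describes.

```shell
#!/bin/sh
# Added example, not from the McAfee guide. Run from a root shell in the
# directory that contains the backupdb output. INITD and the function names
# are assumptions of this example; the init script paths are the guide's.

# service_action ACTION SERVICE: run /etc/init.d/SERVICE ACTION (stop|start).
service_action() {
    "${INITD:-/etc/init.d}/$2" "$1"
}

# run_as_dbadmin CMDLINE: run one command line as the dbadmin user. su without
# "-" keeps the current directory, which is where restoredb looks for the
# backup files. CMDLINE is a single string, quoted as you would type it.
run_as_dbadmin() {
    su dbadmin -c "$1"
}

# restore_with_services CMDLINE: stop Tomcat and Secure Alerts (open database
# connections interfere with the restore), run CMDLINE as dbadmin, restart
# both services whatever the outcome, and return the restore's exit status.
restore_with_services() {
    if ! service_action stop tomcat || ! service_action stop dcserver; then
        echo "restore aborted: could not stop Tomcat / Secure Alerts" >&2
        return 1
    fi
    run_as_dbadmin "$1"
    rc=$?
    # Always bring the services back, even after a failed restore.
    service_action start tomcat   || echo "warning: tomcat did not start" >&2
    service_action start dcserver || echo "warning: dcserver did not start" >&2
    if [ "$rc" -ne 0 ]; then
        echo "restore failed with status $rc; check the database before use" >&2
    fi
    return "$rc"
}

# Example invocations, taken from the guide's restoredb forms:
#   restore_with_services '/usr/sbin/restoredb all'
#   restore_with_services '/usr/sbin/restoredb -b all'
#   restore_with_services "/usr/sbin/restoredb -k 'secret' cg_configuration cg_configuration.bak.des3"
```

If either service cannot be stopped the restore is not attempted at all, because restoring under open connections is exactly the condition the guide warns about; a restore that fails still ends with both services started and a non-zero status that a calling script can act on.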
        Restoring the Management Server configuration files from the command line
        Use the mgradmin user account to access the backuptool restore command in the /usr/sbin/ directory by
        using the sudo command. The following command is an example of the restore command of the
        backuptool and all of the available parameters. This command restores the full archive that was created by
        backuptool backup; for the database-only procedures, see Restoring all of the databases for a Management
        Server on page 31 and Restoring a single database on page 31. For the full recovery procedures that use
        this command, see Disaster recovery restoration for Management Servers on page 33.
        It is important that you review these procedures because there are some important prerequisites that are
        included in them.
           sudo -u backup /usr/sbin/backuptool restore -f filename[.des3] [-k passphrase] [-L] [-D] [-b] [-i]
        where:
           filename                 = filename of archive file
           [.des3]                  = The archive is decrypted during the restore (it was encrypted when
                                      it was created with a .des3 filename)
           [-k passphrase]          = Decrypt the archive with the custom passphrase that was used when
                                      it was created
           [-L]                     = Do not restore the audit log files
           [-D]                     = Do not restore the files from the cfgbackups and nightlybackups
                                      directories
           [-b]                     = This argument must be specified if the file was created when CC HA
                                      was active
           [-i]                     = Ignore the release level of the backup file
        For more information about these options, see Backuptool command overview on page 26.



Disaster recovery restoration for Management Servers
       If you have a standalone Management Server or one or both servers in a high availability (HA)
       configuration that has or have failed completely, the following topics provide procedural information for
       restoring the Management Server (or Servers):
       • Restoring a standalone Management Server that has failed completely on page 34

       • Restoring a primary Management Server that has failed completely and that is part of a high availability
         (HA) pair on page 35

       • Restoring a backup Management Server that has failed completely and that is part of a high availability
         (HA) pair on page 36

       • Restoring both Management Servers in a high availability (HA) pair that have failed completely on page 37
     Restoring a standalone Management Server that has failed completely
     If a Control Center Management Server experiences a total system failure and it must be recovered from
     backup, perform the following steps:
     1 Perform a complete installation of the Control Center Management Server on the new server by using the
        USB flash drive that was included with the Control Center. Follow the installation instructions.

     2 Log into the Management Server console as the mgradmin user.

     3 Make sure that the backup user has access to the current directory (for example, /tmp). Then run the
        backuptool command as listed below to move the backup file to be restored into the current directory
        location.

            cd /tmp
            sudo -u backup /usr/sbin/backuptool download -f filename -s scheme -h hostname -d remote-directory -u username -p password
        where:

            filename          = path and filename of archive file
            scheme            = one of FTP,FTPS,SCP
            hostname          = host name [:port (optional)] (When using FTPS, port is either 21
            or 990. Consult your FTP server documentation.)
            remote-directory = directory on remote host
            username          = username on remote host
            password          = password on remote host
     4 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the
        restore process.

        To stop Tomcat:

            su root
            /etc/init.d/tomcat stop
        To stop Secure Alerts:

            su root
            /etc/init.d/dcserver stop
     5 The backup file can now be restored.

        When the backup is restored, the backuptool will check to make sure that the release level of the
        backup file matches the release that is currently running on the Control Center Management Server. If
        the release levels do not match, the backup will not be restored.

        If the backup file was created by using the command line process, any components that were excluded
        from the backup (such as database backups or audit log files) should be indicated during the restore
        process by using the [-L] and [-D] parameters.

        As mgradmin, issue the command line restore command:

            sudo -u backup /usr/sbin/backuptool restore -f filename[.des3] [-k passphrase] [-L] [-D] [-b] [-i]
        where:

            filename                 = filename of archive file
            [.des3]                  = The archive is decrypted during the restore (it was encrypted when
                                       it was created with a .des3 filename)
            [-k passphrase]          = Decrypt the archive with the custom passphrase that was used when
                                       it was created
            [-L]                     = Do not restore the audit log files
            [-D]                     = Do not restore the files from the cfgbackups and nightlybackups
                                       directories
            [-b]                     = This argument must be specified if the file was created when CC HA
                                       was active
            [-i]                     = Ignore the release level of the backup file
6 After successfully restoring the backup file, you should start Tomcat and the Secure Alerts server:

   To start Tomcat:

       su root
       /etc/init.d/tomcat start
   To start the Secure Alerts server:

       su root
       /etc/init.d/dcserver start
7 After Tomcat and the Secure Alerts server have been restarted, you can log into the Management Server
   by using any of the client tools in the Client Suite to continue managing your firewalls. No
   certificates need to be re-issued because they have been restored from the backup.


Restoring a primary Management Server that has failed completely and that is
part of a high availability (HA) pair
If you have two Management Servers that are configured as an HA pair and the primary Management
Server has a complete failure, refer to the following high-level steps to recover from this event:
1 Using the GUI, log into the backup Management Server. You are prompted to switch this backup server
   to be the primary server. If you select to do so, the backup server is promoted to the primary server and,
   after a brief period of time, you are logged into the Client tool. If you choose not to change the role, you
   cannot proceed.

2 Remove the High Availability (HA) feature from the backup server by running the High Availability
   Removal Wizard. (From the System menu, select High Availability Removal Wizard…. The wizard
   starts.) The HA feature will be removed from this server. At this point, you no longer have a primary
   server. You have a standalone server that was your original backup server. From this point forward in this
   procedure, this server will be referred to as the old server.

   Verify that the removal wizard successfully removed the HA feature:

   a Go to the Administration Tool and open the Backup Server Status page. (From the System menu,
       select Backup Server Status….) If the removal wizard was successful, this page will be blank.
       Continue on to step b.

        However, if any data is displayed on this page (for example, the backup Management Server displays a
        status of FAILED), the removal was not successful. Continue on to step b and then to step c.

   b The removal wizard generates an haStop.log log file. View the contents of this log file in the Server
       Logs window. (From the Administration Tool System menu, select Server Logs…. Then select the High
       Availability Setup node and then the haStop.log node.) If you see information at the end of this log
       that indicates something other than the configuration completed, the removal wizard was not
       successful.

   c   If either step a or b or both steps were unsuccessful, you must troubleshoot this problem. Go back to
       the Configuration Tool for the old backup server and try to run the High Availability Removal wizard
       again. If it is not available to you (that is, you see the High Availability Setup menu option as opposed
       to the High Availability Removal menu option), you must contact Technical Support.

3 Create a new Management Server (hereafter referred to as the replacement server) to replace the failed
   primary server by re-installing the Control Center Management Server software and ensuring that
   licensing and any applicable patches are in place.
     4 On the old server, run the High Availability Setup wizard and specify the replacement Management Server
        as the backup server. (From the System menu, select High Availability Setup Wizard….)

         You must run the High Availability Setup wizard from the old server and not from the replacement
         server because the old server has the current management data. If you run the High Availability Setup
         wizard from the replacement server, the old server's data will be lost. At that point, you will need to
         restore your data from a full backup. See Restoring both Management Servers in a high availability (HA)
         pair that have failed completely on page 37.

     5 The last step depends on whether you want to make the replacement Management Server the new
        primary server or keep the old server as the new primary server.

        • To switch server roles and make the replacement Management Server the primary server, log out of
          the old server and log into the replacement server. You are asked whether to make this server the new
          primary server. Click OK. You now have a new primary server with your old server resuming its backup
          role.

        or

        • To maintain the current backup role of the replacement server as it has been configured by the High
          Availability Setup wizard, no additional steps are required.


     Restoring a backup Management Server that has failed completely and that is
     part of a high availability (HA) pair
     In this scenario, the primary Management Server in an HA pair is running. However, the backup
     Management Server has failed completely. You want to add a new backup Management Server to your HA
     pair.
     1 On the primary Management Server, log into the Administration Tool and run the High Availability
        Removal wizard.

        Verify that the removal wizard successfully removed the HA feature:

        a Go to the Administration Tool and open the Backup Server Status page. (From the System menu,
             select Backup Server Status….) If the removal wizard was successful, this page will be blank.
             Continue on to step b.

              However, if any data is displayed on this page (for example, the backup Management Server displays a
              status of FAILED), the removal was not successful. Continue on to step b and then to step c.

        b The removal wizard generates an haStop.log log file. View the contents of this log file in the Server
             Logs window. (From the Administration Tool System menu, select Server Logs…. Then select the High
             Availability Setup node and then the haStop.log node.) If you see information at the end of this log
             that indicates something other than the configuration completed, the removal wizard was not
             successful.

        c    If step a, step b, or both were unsuccessful, you must troubleshoot this problem. Go back to
             the Configuration Tool for the old backup server and try to run the High Availability Removal wizard
             again. If it is not available to you (that is, you see the High Availability Setup menu option as opposed
             to the High Availability Removal menu option), you must contact Technical Support.

     2 Create a new backup Management Server (hereafter referred to as the replacement server) to replace
        the failed backup server by re-installing the Control Center Management Server software and ensuring
        that licensing and any applicable patches are in place.

     3 Go back to the primary Management Server and run the High Availability Setup wizard, specifying the
        replacement server as the backup server.




36   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Disaster recovery restoration for Management Servers




Restoring both Management Servers in a high availability (HA) pair that have
failed completely
In this scenario, both of the Management Servers in your HA pair have failed completely. You can restore a
full backup by using the Upload Backup Wizard from the Restore System from Backup window. For more
information, see Uploading a backup configuration file from the Client to the Management Server on
page 128.
The following procedure is a combination of GUI and command line steps.
1 On the new primary Management Server, install the Control Center Management Server software on the
   device, including all of the license and patch information.

2 On the new backup Management Server, install the Control Center Management Server software on the
   device, including all of the license and patch information.

3 On the primary Management Server, retrieve the backup data. From the command line, log into the new
   primary Management Server as mgradmin and specify the following commands:

       cd /tmp
       sudo -u backup /usr/sbin/backuptool download -f filename -s scheme -h hostname -d remote-directory -u username -p password
   where

       filename            = Filename of archive file
       scheme              = one of FTP, FTPS, SCP
       hostname            = host name [:port (optional)] (When using FTPS, port is either 21 or 990. Consult your FTP server documentation.)
       remote-directory    = Directory on the host
       username            = Username on the host
       password            = Password on the host
4 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the
   restore process.

   To stop Tomcat:

       su root
       /etc/init.d/tomcat stop
   To stop Secure Alerts:

       su root
       /etc/init.d/dcserver stop
5 Restore the retrieved backup data to the primary Management Server by specifying the following
   commands:

       sudo -u backup /usr/sbin/backuptool restore -f filename[.des3] [-k passphrase] [-L] [-D] -b
   where

       [.des3]          = Optionally use to encrypt file during backup and decrypt during restore
       [-k passphrase]  = Optionally use the specified passphrase to encrypt the backup file
       [-L]             = Excludes files in /opt/security/var/gccserver/auditlogs from the backup or restore operation
       [-D]             = Excludes files in /opt/security/var/gccserver/cfgbackups and in /opt/security/var/gccserver/nightlybackups from the backup or restore operation
       -b               = Treats the backup file as having been created on a CC HA system




       6 After successfully restoring the backup file, you should start Tomcat and the Secure Alerts server:

          To start Tomcat:

              su root
              /etc/init.d/tomcat start
          To start the Secure Alerts server:

              su root
              /etc/init.d/dcserver start
       7 On the primary Management Server, log into the Administration Tool and run the High Availability
          Removal Wizard. (From the System menu, select High Availability Removal Wizard…. The wizard
          starts.) When the wizard has completed, the Control Center Management Server will be ready to
          re-establish HA.

       8 On the same (primary) Management Server, run the High Availability Setup Wizard. (From the System
          menu, select High Availability Setup Wizard…. The wizard starts.) When the wizard has completed, the
          HA feature will have been configured on your two Management Servers.
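The command-line part of this procedure (steps 3 to 6), wrapped in a POSIX shell script as an added example that is not from the guide or the product: it validates the download scheme and FTPS port as described in step 3, always passes -b to the restore because the archive came from an HA system, and keeps the download, stop, restore, start order fixed. The host name, directory and credentials it uses are constructed placeholders, and it only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): runs the command-line steps of
# "Restoring both Management Servers in an HA pair" (steps 3 to 6) in the
# documented order: download the archive, stop Tomcat and Secure Alerts,
# restore, start them again. Paths and flags are those listed in the guide;
# host names and credentials are constructed placeholders.
# DRY_RUN=1 (the default) only prints each command. Set DRY_RUN=0 to execute
# them as root on the new primary Management Server, after closing all GUI
# clients, which the script cannot do for you.

DRY_RUN=${DRY_RUN:-1}

# Print a command line, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $*"
    else
        eval "$*"
    fi
}

# Build the backuptool download command and enforce the guide's constraints:
# scheme must be FTP, FTPS or SCP, and an explicit FTPS port must be 21 or 990.
# Usage: build_download_cmd filename scheme host[:port] remote-dir user password
build_download_cmd() {
    filename=$1 scheme=$2 host=$3 dir=$4 user=$5 pass=$6
    case "$scheme" in
        FTP|FTPS|SCP) ;;
        *) echo "scheme must be FTP, FTPS or SCP, not '$scheme'" >&2; return 1 ;;
    esac
    port=${host##*:}        # equals $host when no :port suffix was given
    if [ "$scheme" = "FTPS" ] && [ "$port" != "$host" ]; then
        case "$port" in
            21|990) ;;
            *) echo "FTPS port must be 21 or 990, not '$port'" >&2; return 1 ;;
        esac
    fi
    # The password is passed on the command line, as the guide shows, so it is
    # visible in the process list while the download runs and in shell history.
    printf 'sudo -u backup /usr/sbin/backuptool download -f %s -s %s -h %s -d %s -u %s -p %s\n' \
        "$filename" "$scheme" "$host" "$dir" "$user" "$pass"
}

# Build the backuptool restore command. -b is always present because the
# archive was created on a Control Center HA system; -k, -L and -D are added
# only when requested.
# Usage: build_restore_cmd filename[.des3] [passphrase] [skip-auditlogs yes|no] [skip-cfgbackups yes|no]
build_restore_cmd() {
    cmd="sudo -u backup /usr/sbin/backuptool restore -f $1"
    [ -n "$2" ] && cmd="$cmd -k $2"
    [ "$3" = "yes" ] && cmd="$cmd -L"
    [ "$4" = "yes" ] && cmd="$cmd -D"
    echo "$cmd -b"
}

# Steps 3 to 6 in order. Stops at the first failing step so that the services
# are never restarted over a half-restored database.
# Usage: restore_ha_primary filename scheme host[:port] remote-dir user password [passphrase]
restore_ha_primary() {
    download=$(build_download_cmd "$1" "$2" "$3" "$4" "$5" "$6") || return 1
    run "cd /tmp && $download"          || return 1   # step 3: retrieve the archive
    run /etc/init.d/tomcat stop         || return 1   # step 4: close DB connections
    run /etc/init.d/dcserver stop       || return 1
    run "$(build_restore_cmd "$1" "${7:-}" no no)" || return 1   # step 5
    run /etc/init.d/tomcat start        || return 1   # step 6: bring services back
    run /etc/init.d/dcserver start
}

# Demo with constructed values; prints the six commands it would run.
if [ "${1:-}" = "--demo" ]; then
    restore_ha_primary cc-backup.tgz SCP backuphost.example.com /backups mgradmin 'PLACEHOLDER-PASSWORD'
fi
```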



Adding firewalls
       A firewall must be configured and enrolled before it can be managed by the Control Center.
       • If you have a new, unconfigured firewall, you can use the rapid deployment option. See Adding firewalls
         by using rapid deployment registration on page 38.

       • If you have a standalone firewall that already has a configured policy, or if you have an HA cluster, use
         the manual registration procedure. See Adding firewalls by using manual registration on page 39.
       Note: To simultaneously manage groups of related objects, see Overview of configuring a cluster on the McAfee
       Firewall Enterprise Admin Console on page 225.


       Adding firewalls by using rapid deployment registration
       Use the rapid deployment method if you have a new, unconfigured firewall.
       Do not use this method if you want to use the firewall in a managed High Availability (HA) cluster.
       To register your firewall during its initial configuration:
       1 Begin the McAfee Firewall Enterprise Quick Start Wizard.

          On the Control Center Registration window, select the Auto-register to Control Center checkbox.
          Complete these fields:
          • Primary Server host name — Specify the fully qualified domain name (FQDN) of the Control Center
            Management Server. If you are using a High Availability Management Server configuration, specify the
            node name of the active Management Server.

          • Primary Server IP address — Specify the IP address of the Control Center Management Server.

          • Sign Up password — Specify a password that will be used when you enroll this firewall by using the
            Control Center Configuration Tool. The password must be a minimum of eight characters and a
            maximum of 256 characters.

          You can use a default password for all of your firewalls or specify unique passwords for each firewall.

       2 Complete the initial configuration.

       3 In the Control Center Configuration Tool, select the Firewalls group bar. Right-click the Firewalls node
          and select Sign Up Firewalls…. The Sign Up Firewalls window is displayed.

       4 [Conditional] If you used the same password when registering each firewall, specify that password in the
          Default Sign Up Password field.



5 Provide the FQDN, IP address, and password for each firewall that has been configured by using the rapid
   deployment option by performing either of the following steps:

   • In the table, specify registration information for each firewall.

        Starting with the Host Name field, specify the FQDN, IP address, and password for a firewall that
        was registered by using the rapid deployment option. Repeat this step for each firewall that is ready
        to be registered.

   • Import registration information for multiple firewalls from a file.
         a Create a space-delimited text file that contains a host name and IP address for each firewall that
              has been prepared for enrollment. The following list is an example:

             fw1.company.net 172.26.113.171
             fw2.company.net 198.115.56.121
             fw3.company.net 191.21.115.101
         b Click Import and then browse to the file that you created in step a. The Sign Up Firewalls window
              is populated with information from the text file.

        c    In the Password field, specify the sign up password for each firewall.

        Tip: If a password is not specified for a particular firewall, the value in the Default Sign Up Password field
        is used.

6 Click OK and then confirm that you want to register these firewalls. The Deployment Status Report is
   displayed.

    • If the status value is Operation successful, the Control Center successfully connected to that firewall.

    • If the status value is Operation failed, double-click Details and address the issue that is described there.

    After the Control Center successfully connects to a firewall, you must retrieve its policy. This must be
    done on a firewall-by-firewall basis.

7 In the Configuration Tool, make sure that the Firewalls group bar is selected.

8 Select the Firewalls node to display the list of firewalls.

9 Perform the following steps to retrieve the necessary objects:

   a Right-click the firewall that you have just added and select Retrieve Security Device Objects. The
        Firewall Retrieval Options window is displayed.

   b In the Retrieval Item Description column heading, right-click and select Select All.

        Note: If you have previously retrieved items from this firewall, consider clearing some of the checkboxes,
        such as rules, to avoid creating duplicates of those items.

   c    Click OK. The Control Center initiates a connection with the firewall and retrieves the selected items.
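A small checker for the space-delimited import file described in step 5, added here as an example that is not part of the guide or the product: it flags lines that are not a host name and IPv4 address pair, names that are not fully qualified, and duplicate hosts or addresses, so that a malformed entry is caught before you click Import rather than surfacing as an Operation failed entry in the Deployment Status Report. The sample host names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): validates a Sign Up Firewalls
# import file, one "hostname ip" pair per line, space-delimited, as in step 5.
# Sample host names and addresses below are constructed.

# Validate the file given as $1. Prints one message per problem line and a
# summary; returns 0 only when every line is a well-formed, unique entry.
validate_signup_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        # True when ip is a dotted quad with every octet in 0..255.
        function valid_ip(ip,    n, p, i) {
            n = split(ip, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*$/ { next }                       # ignore blank lines
        NF != 2 {
            printf "line %d: expected \"hostname ip\", found %d field(s)\n", NR, NF
            bad++; next
        }
        # Fully qualified name: labels of letters, digits and hyphens, at least
        # one dot, no leading or trailing hyphen in a label.
        $1 !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/ {
            printf "line %d: %s is not a fully qualified host name\n", NR, $1
            bad++; next
        }
        !valid_ip($2) {
            printf "line %d: %s is not a valid IPv4 address\n", NR, $2
            bad++; next
        }
        ($1 in host_line) {
            printf "line %d: host %s already listed on line %d\n", NR, $1, host_line[$1]
            bad++; next
        }
        ($2 in ip_line) {
            printf "line %d: address %s already listed on line %d\n", NR, $2, ip_line[$2]
            bad++; next
        }
        { host_line[$1] = NR; ip_line[$2] = NR; ok++ }
        END {
            printf "%d firewall(s) ready to register, %d problem line(s)\n", ok, bad
            exit (bad > 0)
        }
    ' "$1"
}

# Demo: write a constructed sample file and validate it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' 'fw1.company.net 172.26.113.171' 'fw2.company.net 198.115.56.121' > "$tmp"
    validate_signup_file "$tmp"
    rm -f "$tmp"
fi
```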


Adding firewalls by using manual registration
Use this procedure if you are registering:
• A standalone firewall that already has a configured policy.

• An existing HA cluster.

To register a firewall to your Control Center Management Server after the firewall is fully operational:
1 In the McAfee Firewall Enterprise Admin Console, register the target firewall or cluster to the Control
   Center Management Server:

   a Select Maintenance > Control Center Registration.

   b Specify the hostname and IP address of the Control Center Management Server.




        c    [Optional] If you are using a High Availability Control Center Management Server configuration, select
             the Configure backup server checkbox.

             • In the Backup Server Name field, specify the host name of the Management Server that is acting
               as a backup to the active Management Server.

             • In the IP Address field, specify the IP address of the Management Server that is acting as a backup
               to the active Management Server.

        d Click Register with the Control Center Now. An authentication window is displayed.

        e Specify the Control Center administrator user name and password and click OK.

     2 In the Control Center Configuration Tool, make sure that the Firewalls group bar is selected and perform
        one of the following steps:

         • If you are registering a standalone firewall, right-click the Firewalls node and select Add Object.
           The Add New Firewall window is displayed. Specify the required information about the firewall. For
           more information about this window, see Registering a firewall manually on page 166.

         • If you are registering a cluster, right-click the Clusters node and select Add Object. The Add Cluster
           window is displayed. Specify the following information about the cluster:
             • In the Cluster Name field, specify any name that quickly identifies the cluster. Do not use the fully
               qualified domain name (FQDN) of either cluster member node.

             • In the Cluster Mgmt Address field, specify the management address for the cluster node.

             • In the Version field, specify the software version of the cluster.

     3 In the Retrieval Items tab, right-click the column heading and select Unselect All. This instructs the
        Control Center to establish connectivity without passing policy information. This saves time during an
        initial firewall registration if the firewall is unreachable for some reason.

     4 Click OK. The Control Center attempts to connect to the firewall.

     5 Verify communication between the firewall and the Management Server. From the Reports menu, select
        Firewall Status and verify that a green light appears next to the firewall.

     6 After a connection has been established, go back to the Firewalls group bar and select the Firewalls
        node or the Clusters node, depending on the object that you are configuring.

     7 Perform the following steps to retrieve the necessary objects:

        a Right-click the firewall that you just added and select Retrieve Firewall Objects. The Firewall Retrieval
             Options window is displayed.

        b In the Retrieval Item Description column heading, right-click and select Select All.

             Note: If you have previously retrieved items from this firewall, consider clearing some of the checkboxes,
             such as rules, to avoid creating duplicates of those items. Performing multiple retrievals of the same objects
             is not recommended.

        c    Click OK. A system update message is displayed.

        d Click Yes. The Control Center initiates a connection with the firewall and retrieves the selected items.

        After the Control Center has successfully connected to the firewall and has retrieved the selected
        items, you can begin managing policy information for that firewall.




Managing firewall interfaces
       The internal and external network interfaces of the firewall are defined during initial configuration.
       However, you can configure additional interfaces to suit the needs of your network infrastructure. The
       firewall can be used in any or all of the following ways:
       • As a gateway between your internal network and the Internet.

       • As a gateway between any networks with different security needs.

       • As a transparent firewall inside of a single network.

       Traffic is passed through the firewall by arriving on one interface and leaving on a different interface. The
       relationship between configured interfaces can be classified in the following ways:
       • Routed – A firewall interface is connected to each unique network, and the firewall allows traffic to pass
         between the networks like a router, which enforces your security policy.

          For more information, see Routed mode on page 41.

       • Transparent (bridged) – Two firewall interfaces are connected inside of a single network and are bridged
         to form one transparent interface. Traffic passes through the firewall like a switch, allowing you to enforce
         security policy inside the network without having to re-address the network. In other words, this firewall
         can be placed anywhere inside of your network without having to reconfigure your network.

          For more information, see Transparent (bridged) mode on page 41.
          Note: You can configure only one transparent interface (bridge) on each firewall.

       The routed and transparent modes are not exclusive; your firewall can be simultaneously configured with a
       single bridged interface and additional routed interfaces. This is called hybrid mode.


       Routed mode
       In routed mode, your firewall is deployed at the intersection of multiple networks.
       • The firewall is connected to each network by a network interface.

       • Each firewall interface must be assigned a unique IP address in the connected subnet.

       • The protected networks must be unique—each network must be a different subnet.

       • Hosts in a protected network communicate with other networks by using the firewall’s IP address as their
         gateway.

       • Each firewall interface is assigned to a unique burb. When traffic attempts to cross from one burb to
         another, the configured security policy is enforced.

       For examples of deploying a firewall in single or multiple networks, see McAfee Firewall Enterprise
       (Sidewinder) Administration Guide.


       Transparent (bridged) mode
       In transparent (bridged) mode, your firewall is deployed inside of a single network.
       A transparent interface consists of two interfaces that are connected inside of the same network and that
       are assigned to unique burbs.
       The following table shows the default firewall interface configuration. These interfaces, or any other two
       interfaces, can be used to configure a transparent interface.
       Table 4 Standard interfaces
       User defined interface name       NIC or NIC Group      Burb name
       external_network                  em0                   external
       internal_network                  em1                   internal




            The following table shows a transparent interface that is configured by using the default interfaces. Note
            that bridge0 consists of em0 and em1.
            Table 5 Transparent interface
             User defined transparent interface name        NIC or NIC Group
             bridged_network                                bridge0 (em0, em1)


            When traffic attempts to cross the transparent interface (from one burb to the other), a rule check is
            performed to enforce security policy. Because hosts inside of the network are not aware that the firewall is
            deployed, they communicate with each other as though they were directly connected by a switch.
            • If two hosts reside in the same burb (that is, on the same side of the transparent interface), they
              communicate directly over the network and no security policy is enforced.

            • If two hosts reside in different burbs (that is, on different sides of the transparent interface), they
              communicate through the firewall and security policy is enforced.

            For examples of transparently enforcing security policy inside of a single subnet or transparently protecting
            a single network, see McAfee Firewall Enterprise (Sidewinder) Administration Guide.
            For information about how to configure a transparent interface, see Creating a transparent (bridged)
            interface on page 179.



Navigating the Control Center user interface
            The Control Center Client Suite has four tools that have a similar design and navigation, although the
            functionality of each tool is mostly unique. (You can access some features from more than one tool and, in
            some situations, from all of the tools.)
            The following figure is an example of the Configuration Tool main window, which is the most complex of all
            of the tool main windows.
Figure 4 Example of the Control Center Client Suite main window (callouts: Menu bar, Toolbars, Object Configuration area, Page area, Docking pin, Work area, Group bars, Status bar)


Each tool consists of the following graphical interface areas:
• Main window — The main window is displayed after you have successfully logged into one of the Control
  Center tools. For information about the main window for each tool, see the following:

   • Administration Tool main window on page 44

   • Configuration Tool main window on page 45

   • Reporting and Monitoring Tool main window on page 48

   • Software Updates Tool main window on page 49

• Menus — Each Control Center tool has menus that are shared with other tools, that are unique to that
  tool, and that are unique to a specific feature of that tool. For information about the tool menu for each
  tool, see the following:

   • Administration Tool menus on page 50

   • Configuration Tool menus on page 56

   • Reporting and Monitoring Tool menus on page 62

   • Software Updates Tool menus on page 66

• Toolbars — Each Control Center tool has various toolbars that can be displayed, depending on the page
  that is displayed in the work area. You can also customize any toolbar. For information about the toolbar
  for each tool, see the following:

   • Administration Tool toolbars on page 70

   • Configuration Tool toolbars on page 70

   • Reporting and Monitoring Tool toolbars on page 73

   • Software Updates Tool toolbars on page 76

• Page area — Each Control Center tool has a page area to display the associated page that is displayed
  in the work area. Any page that is currently active in the work area can be closed and removed from the
  tab area by selecting the close icon in the right corner of the page area. There are many different pages,
  depending on your toolbar and menu selections. For example, every tool has a Start page.

• Docking pin — Each Control Center tool has a docking pin to manage the Object Configuration area and
  Group bars. This feature allows for more visible area in the main screen when viewing pages in the work
  area. Use the appropriate options on the View menu to reveal or hide the data that is displayed in the
  Object Configuration area and in the Group bars.

• Work area — This portion of the GUI is where the data that is associated with the pages is displayed
  when the associated tab for the page is selected.

• Group Bars — [Available only in the Configuration Tool and the Reporting and Monitoring Tool] These
  two tools have group bars that assist in accessing object trees. Select the group bar and then select the
  node in the tree with which you want to work.

• Status Bar — Each Control Center tool has a status bar in which different information is displayed. For
  information about the status bar for each tool, see the following information:

   • Administration Tool: Status bar on page 45

   • Configuration Tool: Status bar on page 47

   • Reporting and Monitoring Tool: Status bar on page 49

   • Software Updates Tool: Status bar on page 50




     In addition to the window- and page-specific descriptions, there is additional functionality that is provided
     in the Control Center Client Suite to help you configure and manage the security policy for your firewalls.
     • Shortcut keys — Each menu bar has a keyboard shortcut to allow faster selection if you prefer to access
       these items by keyboard as opposed to the mouse. As is the Windows standard, the keyboard shortcut is
       indicated by an underscore (_) beneath the letter in the menu or menu option name. Press this character
       on the keyboard to select the menu option.

     • Right-click menus — Right-click menus are available for the objects that appear in the Object
       Configuration area of the Administration Tool, Configuration Tool, and the Reporting and Monitoring Tool.
       You can also use the right-click menu in the pages that appear in the work area of the various tools.

        Many of these menu options are also accessible through another way in the Tool, such as a menu
        option, a tool on the toolbar, or a button on the interface itself.

     • Edit status column — Many tables include an Edit column that identifies the edit status of a row in a
       table. The following icons can be displayed:

         • [blank] — Indicates an existing line with associated values that is not the currently selected line.

         • [icon] — Indicates that this row is the one that is being edited.

         • [icon] — Indicates that you are creating a new row or entry.

         • [icon] — Indicates that this row is currently selected and it contains previously specified values.


     Administration Tool main window
     Use the following areas of the Administration Tool main window to manage the administrative functions
     that are associated with operating the Control Center. For more information, see Administration Tool on
     page 79.

     Administration Tool: Menu bar
     The Menu bar on the Administration Tool includes all of the menus and menu options for the Administration
     Tool. There are some menu options that are shared by all of the Client Suite tools and there are others that
     are unique. To view the Administration Tool menu information, see Administration Tool menus on page 50.

     Administration Tool: Users and Roles toolbar
     Use the Users and Roles toolbar to manage the Control Center users and their assigned roles. You can
     access all of the defined users and all of the defined roles in this area. For more information, see Control
     Center users on page 81 and Control Center roles on page 89.

     Administration Tool: Page area
     Use the tab area to display or close tool-specific pages. For the Administration Tool, the following pages can
     be displayed:
     • Start Page

     • Audit Trail

     • Backup Server Status

     Administration Tool: Work area
     Use this area to view the data that is associated with tabs or pages.

     Administration Tool: Docking pin
     Use the docking pin to hide the Users and Roles toolbar. By hiding the toolbar, you can have more visible
     area in the main screen when you are viewing one of the tabs. When the pin is undocked, you can access
     the Users and Roles toolbar by moving the mouse over the Object Configuration tab on the upper left side
     of the main window.




Administration Tool: Status bar
Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management
  Server.

• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged
  into for each user who is currently logged into this domain of the Management Server.

   A message is displayed to all other users who are currently running a specific tool when another user
   logs in or out of the Management Server. The status bar will be updated accordingly.

• Date/Time — [Read-only] Displays the current date and time.

• License Status — [Read-only] Displays the license status of the Management Server.

   To view your license configuration from any tool in the Client Suite, move the pointer over the license
   icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the
   shortest license and the accumulated licenses for each firewall in your configuration. For more
   complete information about the status of the licensing, open the Administration Tool and select
   License… from the System menu.

   One of the following icons will be displayed:

   • Valid license — Indicates that the program is fully licensed. For more information, see Licensing
     the Control Center Management Server on page 104.

   • Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.

   • Evaluation version — Indicates that this program is an evaluation license. The evaluation license
     may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the
     evaluation license is within five (5) days of its expiration, the number of days that remain in the
     evaluation are displayed in the current status area, which is located in the lower right corner of the
     status bar in each tool of the Client Suite.


Configuration Tool main window
Use the following commands, windows, and options in the user interface for the Control Center
Configuration Tool to configure and manage multiple security policies and firewalls. For more information,
see Configuration Tool on page 153.

Configuration Tool: Menu Bar
Each tool in the Control Center Suite has a different set of menu bar menus to correspond to the features
and functions of the individual tool. Each menu bar menu has a keyboard shortcut to allow faster selection
for users who are more comfortable using the keyboard. These keyboard shortcuts are denoted by an
underscore designation on the menu option. These are the menus for the Configuration Tool, along with the
functionality that is available in each menu:
• File — Load a previously saved configuration from the file system into the Control Center database, save
  the entire Control Center configuration to a file, or exit the Configuration Tool.

• View — Access the Start page, Rules page, and Alert Processing Rules page in the work area, access the
  various configurable objects in the Objects toolbar, and access options to hide or display the various
  toolbars that accompany the user interface.

• Configuration — Validate and apply configuration changes to supported firewalls, lock objects to prevent
  multiple users from making simultaneous changes to the same objects, back up an individual firewall
  configuration, and apply user-defined sorting views to simplify the management of multiple firewalls.

• System — Access the Device Control window. Use the Device Control window to manage firewalls. You
  can initiate various shutdown or suspend states on selected firewalls.




• Reports — Access firewall status information, view configuration and validation reports, or access the
  Control Center audit trail report.

• Tools — Start the other tools in the Control Center Client Suite. You can initiate only one instance of each
  tool on a single system. If the selected tool is already displayed, no action occurs. The tools that appear
  in the menu differ, depending on the tool that is in use when the Tools menu is accessed.

• Rules — [Available only when either the Rules page or the URL Translation Rules page is the active page
  in the work area] Access the information that is used to manage individual rules. The options that are
  displayed on the menu vary, depending on the specific page that is displayed when the Rules menu is
  accessed.

• Window — The Window menu is universally available on all of the tools in the Control Center Client Suite.
  Use the options on this menu to control the layout of objects and components in the Control Center Client
  Suite.

• Help — The Help menu is universally available on all of the tools in the Control Center Client Suite. Use
  the options on this menu to obtain context-sensitive help for using the features and fields that are
  associated with each window, to obtain additional information about the services and features that are
  associated with each tool, and to obtain background information about specific concepts that are
  associated with using or operating the Control Center.

Configuration Tool: Toolbars
The Configuration Tool Toolbar has an Actions toolbar, a Rule Options toolbar, an Alert Processing Rules
Options toolbar, a System/Attack Responses toolbar, and a URL Rules Options toolbar that provide options
to access the various fields, buttons, and commands that are associated with the Configuration Tool.
Right-click in the toolbar area to manage individual toolbars.

Configuration Tool: Page area
Use the tab area to display the associated tab for a page that is displayed in the work area. Any page that
is currently active in the work area can be closed and removed from the tab area by clicking the close icon
in the right corner of the tab area. To the left of this icon is a second icon, which allows you to select any
available page to view from the displayed list. There are many different tabs, depending on your toolbar
and menu selections. The following list is an example of some of these pages:
• Start page — This page provides introductory information.

• Firewall Status page — View a status summary of the firewalls that are configured for your operation. You
  can also use this page to quickly determine the status information about the operation of each firewall in
  your configuration. For more information, see Viewing the overall status of your firewalls on page 574.

• Rules page — View a complete list of the rules that have been defined on your system. You can also use
  this page to view, add, insert, change, delete, or prioritize rules. For more information about the Rules
  page, see Creating, viewing, or modifying rules on page 528.

• Object Details page — View data that is related to all of the objects for the object type node that was
  selected in the tree. For more information, see Viewing details about objects on page 160.

• Alert Processing Rules page — View a complete list of the alert processing rules that are available. For
  more information, see Viewing alert processing rules on page 564.

• Configuration Status Report page — Use this page to view information about the propagation of
  configuration data from the Control Center database to each selected firewall. When the Configuration
  Status Report window is displayed, the propagation status is refreshed every 15 seconds. For more
  information, see Viewing configuration information about each firewall on page 584.

• Validation Status Report page — Use this page to view the status of the validation process for each of the
  firewall configurations in the Control Center database and to view the differences between the current
  configuration and the proposed configuration of a firewall. For more information, see Viewing the status
  of Apply Configurations on page 593.




Configuration Tool: Docking pin
Use the docking pin to manage the Object Configuration area and the Object Details page. You can use
this docking pin to hide or display toolbars so that you can have more visible area in the main screen when
you are viewing one of the tabs. Use the appropriate options on the View menu to display or hide the data
that is displayed in the Object Configuration area or to show or hide the Object Details page.

Configuration Tool: Work area
Use this area to view the data that is associated with tabs or pages.

Configuration Tool: Object Configuration area
Use this area to view, create, modify, and manage the configurable objects that form the foundation data
that is used to manage a security policy. Use the docking pin controls or the appropriate options on the
View menu to display or hide the data that is displayed in the Object Configuration area.

Configuration Tool: Group bars
Use the Group bars to access object trees, which, in turn, allow you to work with the objects. The
Configuration Tool has the following group bars:
• Firewalls — The object tree in this group bar includes firewalls, clusters, cluster members, and device
  groups. For more information, see Configuration Tool - Firewalls on page 163.

• Firewall Settings — The object tree in this group bar includes all of the objects that can be configured
  for firewalls, including such objects as network defenses and global settings. For more information, see
  Configuration Tool - Firewall Settings on page 263.

• Policy — The object tree in this group bar includes objects that are used to determine the policy for your
  firewalls, such as rules, application defenses, and authenticators. For more information, see Configuration
  Tool - Policy on page 333.

• Monitor — The object tree in this group bar includes objects that are used to monitor different types of
  data for firewalls, such as IPS attack and system responses, audit events, and so on, plus several reports.
  For more information, see Configuration Tool - Monitor on page 573.

• Maintenance — The object tree in this group bar includes objects that are used to maintain the firewall,
  such as licensing, and to maintain the Control Center Management Server, such as backing up and
  restoring the Management Server. For more information, see Configuration Tool - Maintenance on
  page 647.

Configuration Tool: Status bar
Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management
  Server.

• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged
  into for each user who is currently logged into this domain of the Management Server.

   A message is displayed to all other users who are currently running a specific tool when another user
   logs in or out of the Management Server. The status bar will be updated accordingly.

• Date/Time — [Read-only] Displays the current date and time.

• License Status — [Read-only] Displays the license status of the Management Server.

   To view your license configuration from any tool in the Client Suite, move the pointer over the license
   icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the
   shortest license and the accumulated licenses for each firewall in your configuration. For more
   complete information about the status of the licensing, open the Administration Tool and select
   License… from the System menu.




   One of the following icons will be displayed:

   • Valid license — Indicates that the program is fully licensed. For more information, see Licensing
     the Control Center Management Server on page 104.

   • Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.

   • Evaluation version — Indicates that this program is an evaluation license. The evaluation license
     may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the
     evaluation license is within five (5) days of its expiration, the number of days that remain in the
     evaluation are displayed in the current status area, which is located in the lower right corner of the
     status bar in each tool of the Client Suite.


Reporting and Monitoring Tool main window
Use the following areas of the Reporting and Monitoring Tool to monitor and manage alerts, select and
investigate chronological activities that are recorded by firewalls, generate and view standard and custom
reports, and observe overall firewall status. For more information, see Reporting and Monitoring Tool on
page 671.

Reporting and Monitoring Tool: Menu bar
The Menu bar on the Reporting and Monitoring Tool includes all of the menus and menu options for the
Reporting and Monitoring Tool. There are some menu options that are shared by all of the Client Suite tools
and there are others that are unique. To view the Reporting and Monitoring Tool menu information, see
Reporting and Monitoring Tool menus on page 62.

Reporting and Monitoring Tool: Toolbar
The Reporting and Monitoring Tool has a Firewalls and Reports toolbar that provides options to access the
tabs, fields, buttons, and windows that you use to manage alerts and generate firewall-specific and audit
log reports. For more information, see Reporting and Monitoring Tool toolbars on page 73.

Reporting and Monitoring Tool: Page area
Use the page area to display or close tool-specific pages. For the Reporting and Monitoring Tool, the
following pages can be displayed:
• Start Page

• Firewall Status

• Alert Browser

• Audit Trail

• Secure Alerts Server Status

Reporting and Monitoring Tool: Work area
Use this area to view the data that is associated with tabs or pages.

Reporting and Monitoring Tool: Docking pin
Use the docking pin to hide the toolbar. By hiding the toolbar, you can have more visible area in the main
screen when you are viewing one of the tabs. When the pin is undocked, you can access the toolbar by
moving the mouse over the Object Configuration tab on the upper left side of the main window.




Reporting and Monitoring Tool: Status bar
Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management
  Server.

• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged
  into for each user who is currently logged into this domain of the Management Server.

   A message is displayed to all other users who are currently running a specific tool when another user
   logs in or out of the Management Server. The status bar will be updated accordingly.

• Date/Time — [Read-only] Displays the current date and time.

• License Status — [Read-only] Displays the license status of the Management Server.

   To view your license configuration from any tool in the Client Suite, move the pointer over the license
   icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the
   shortest license and the accumulated licenses for each firewall in your configuration. For more
   complete information about the status of the licensing, open the Administration Tool and select
   License… from the System menu.

   One of the following icons will be displayed:

   •      Valid license — Indicates that the program is fully licensed. For more information, see Licensing
       the Control Center Management Server on page 104.

   •        Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.

   •      Evaluation version — Indicates that this program is an evaluation license. The evaluation license
       may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the
       evaluation license is within five (5) days of its expiration, the number of days that remain in the
       evaluation are displayed in the current status area, which is located in the lower right corner of the
       status bar in each tool of the Client Suite.


Software Updates Tool main window
Use the following areas of the Software Updates Tool to manage the software updates functions associated
with operating the Control Center. For more information, see Software Updates Tool on page 691.

Software Updates Tool: Menu bar
The Menu bar on the Software Updates Tool includes all of the menus and menu options for the Software
Updates Tool. There are some menu options that are shared by all of the Client Suite tools and there are
others that are unique. To view the Software Updates Tool menu information, see Reporting and Monitoring
Tool menus on page 62.

Software Updates Tool: Toolbar
The Software Updates Tool has the Action toolbar that is used to access the main page options that are
available in the work area and an options toolbar that is associated with each main page. For more
information, see Customizing a toolbar on page 70.

Software Updates Tool: Page area
Use the page area to display or close tool-specific pages. For the Software Updates Tool, the following
pages can be displayed:
• Start Page

• Install Updates page

• Store Updates page

• Firewall Configuration Backup page




Software Updates Tool: Work area
Use this area to view the data that is associated with tabs or pages.

Software Updates Tool: Status bar
Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management
  Server.

• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged
  into for each user who is currently logged into this domain of the Management Server.

   A message is displayed to all other users who are currently running a specific tool when another user
   logs in or out of the Management Server. The status bar will be updated accordingly.

• Date/Time — [Read-only] Displays the current date and time.

• License Status — [Read-only] Displays the license status of the Management Server.

   To view your license configuration from any tool in the Client Suite, move the pointer over the license
   icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the
   shortest license and the accumulated licenses for each firewall in your configuration. For more
   complete information about the status of the licensing, open the Administration Tool and select
   License… from the System menu.

   One of the following icons will be displayed:

   • Valid license — Indicates that the program is fully licensed. For more information, see Licensing
     the Control Center Management Server on page 104.

   • Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.

   • Evaluation version — Indicates that this program is an evaluation license. The evaluation license
     may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the
     evaluation license is within five (5) days of its expiration, the number of days that remain in the
     evaluation are displayed in the current status area, which is located in the lower right corner of the
     status bar in each tool of the Client Suite.


Administration Tool menus
The following menus are available in the Administration Tool:
• File — Administration Tool: File menu on page 50

• View — Administration Tool: View menu on page 51

• Users — Administration Tool: Users menu on page 51

• Roles — Administration Tool: Roles menu on page 51

• Configuration Domains — Administration Tool: Configuration Domains menu on page 52

• Audit Trail — Administration Tool: Audit Trail menu on page 52

• System — Administration Tool: System menu on page 53

• Tools — Administration Tool: Tools menu on page 54

• Window — Administration Tool: Window menu on page 55

• Help — Administration Tool: Help menu on page 55

Administration Tool: File menu
Select Exit in the File menu to close the Administration Tool.




Administration Tool: View menu
Use the View menu options on the Administration Tool to manage the areas that are displayed (or hidden)
on the main window. To show each area, make sure that the menu option is selected. To close or hide the
area, clear the checkbox or click X on the page or area to close it.
This menu has the following options:
• Users and Roles — Displays or closes the Users and Roles Object Configuration area. This area displays
  user, role, and configuration domain objects in a tree.

• Start Page — Displays the Start Page (the McAfee Firewall Enterprise Control Center home page) if it has
  been previously closed.

Administration Tool: Users menu
Use the Users menu options on the Administration Tool to manage Control Center users. Control Center
users are defined as the users who are permitted to log into the various tools in the Control Center Client
Suite. For more information, see Control Center users on page 81. To edit, copy, or delete a user, highlight
the user in the tree and then select the respective menu option.
Note: Control Center users should not be confused with the users who are configured to access firewalls. Control
Center users are the users who have access to the tools in the Control Center Client Suite.

This menu has the following options:
• Add User… — Displays the Control Center User Manager window, in which you can add a Control Center
  user. For more information, see Configuring Control Center users on page 82.

• Modify User… — Displays the Control Center User Manager window, in which you can modify the
  attributes of an existing user. Highlight the user in the tree and select this menu option. Edit the
  information and click OK.

• Copy User… — Displays the Control Center User Manager window, in which you can use an existing user
  as the basis of a new user definition. Highlight the user in the tree and select this menu option. Edit the
  attributes of this copy that you want to be unique and click OK.

• Change Password… — [Available only if internal authentication is being used, which is configured on
  the Control Center Authentication Configuration window] Displays the Change User Password window, in
  which you can change the current user’s password. For more information, see Changing user passwords
  on page 88.

• Remove User(s) — Delete the highlighted user or users.

Administration Tool: Roles menu
Use the Roles menu options on the Administration Tool to manage the roles that are assigned to Control
Center users. Roles are created to limit or allow users to perform specific actions or administration-specific
activities for specified objects. For more information, see Control Center roles on page 89. To edit, copy, or
delete a role, highlight the role in the tree and then select the respective menu option.
This menu has the following options:
• Add Role… — Displays the Control Center Role Manager window, in which you can add a Control Center
  role. For more information, see Managing roles for Control Center users on page 90.

• Modify Role… — Displays the Control Center Role Manager window, in which you can modify the
  attributes of an existing role. Highlight the role in the tree and select this menu option. Edit the
  information and click OK.

• Copy Role… — Displays the Control Center Role Manager window, in which you can use an existing role
  as the basis of a new role definition. Highlight the role in the tree and select this menu option. Edit the
  attributes of this copy that you want to be unique and click OK.

• Remove Role(s) — Delete the highlighted role or roles.




Administration Tool: Configuration Domains menu
Use the Configuration Domains menu on the Administration Tool to activate and manage configuration
domains, and to create and manage configuration versions for configuration domains. For more information
about configuration domains, see Configuration domains on page 92. For more information about
configuration domain versions and version management, see Configuration domain version management
on page 97. To edit, copy, or delete a configuration domain, highlight the configuration domain in the tree
and then select the respective menu option.
This menu has the following options:
• Add Domain… — Displays the Configuration Domain Manager window, in which you can add a Control
  Center configuration domain. For more information, see Configuring configuration domains on page 95.

   If configuration domains have not been previously activated, adding a second configuration domain (in
   addition to the pre-defined Default domain) will activate the configuration domain option. To better
   understand the implications of activating configuration domains, see Configuration domains on
   page 92.

• Modify Domain… — Displays the Configuration Domain Manager window, in which you can modify the
  attributes of an existing configuration domain. Highlight the configuration domain in the tree and select
  this menu option. Edit the information and click OK.

• Remove Domain — Delete the highlighted domain and all associated data from the database for this
  domain.
   Caution: Deleting a configuration domain cannot be undone. If a configuration domain is deleted, only a
   previously saved backup of the entire Management Server configuration data can restore the data. This action
   restores the configuration data for all of the configuration domains to the conditions that existed when the
   backup was made.

• Manage Versions — [Available only when configuration domains have been activated] Displays the
  Manage Configuration Domain Versions window, in which you can add, edit, delete, or activate a
  configuration version. Highlight the configuration domain in the tree (or the Default configuration domain
  if configuration domains have not been activated) and select this menu option. Edit the information and
  click OK. For more information about version management, see Configuration domain version
  management on page 97.

Administration Tool: Audit Trail menu
Use the Audit Trail menu on the Administration Tool to manage the content of the McAfee Firewall
Enterprise Control Center user audit report and view the resulting report. For more information, see Audit
data management on page 100.
This menu has the following options:
• Manage Audit Trail — Displays the Audit Tracking and Archive Management window, in which you can
  select the settings to be updated in, added to, or removed from the audit trail report. Additionally, you
  can determine whether this data is to be archived and the way in which it is formatted. For more
  information, see Managing audit trail information on page 101.

• View Audit Trail — Displays the Audit Trail page in the work area, in which you can view the audit report
  information that is recorded according to the settings that were defined in the Audit Tracking and Archive
  Management window. For more information, see Viewing audit trail information on page 615.




Administration Tool: System menu
Use the System menu on the Administration Tool to manage various options for the Control Center. You can
manage the following entities:
• Control Center licenses (License option)

• Universal system settings (System Settings option) by accessing the options that are used to set these
  settings

• Authentication strategy (Authentication option)

• Status of all of the Management Servers when you are using the Control Center High Availability (HA)
  Management Server option (Backup Server Status option)

• System backup and restore commands (Backup System option and Restore System option).

This menu has the following options:
• License… — Displays the License Management window, in which you can manage the Control Center
  license. For more information, see Control Center Management Server licensing on page 104.

   The current status of the license is displayed in the status bar at the lower-right corner of each tool in
   the Client Suite. Hold the mouse over the license to view a ToolTip that displays the license
   information. The following versions are available:

   • Valid license — Indicates that the program is fully licensed. For more information about licensing, see
     Licensing the Control Center Management Server on page 104.

   • Demo version — Indicates that the program is a demo version and it will not be able to connect to a
     firewall.

   • Evaluation version — Indicates that this program is an evaluation license. The evaluation license may
     be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the evaluation
     license is within five (5) days of its expiration, the number of days that remain in the evaluation are
     displayed in the current status area, which is located in the lower right corner of the status bar in each
     tool of the Client Suite.

• Network Settings… — Displays the Network Settings window, in which you can view and edit Control
  Center settings, such as host name, servers (NTP, DNS, and mail), network interfaces (IP address,
  netmask, broadcast, and gateway) and static routes. For more information, see Configuring Control
  Center network settings on page 115.

• System Settings… — Displays the System Settings window, in which you can set system-wide settings
  for the disclaimer, user lockout, and default application lockout options. For more information, see
  Configuring system settings on page 121.

• ePolicy Orchestrator settings… — Displays the ePolicy Orchestrator Settings window, in which you can
  configure the Control Center to communicate with the ePolicy Orchestrator (ePO) server. Use this
  communication to share data about host objects (displayed on the Control Center), firewalls (displayed
  on ePO), and the Control Center Management Server (displayed on ePO). To use this communication, you
  must also configure an ePO user in this window. For more information, see Configuring access to the
  ePolicy Orchestrator server on page 132.

• Server Property Editor… — Displays the Server Property Editor window, in which you can display and
  edit Control Center Management Server properties and add new properties. For more information, see
  Configuring Management Server properties on page 664.

• Start Ticket… or Stop Ticket… — The menu option that you see depends on whether a ticket has been
  started. If no ticket has been started, the Start Ticket menu option is displayed. If a ticket has already
  been started, the Stop Ticket menu option is displayed.

   When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the
   ticket. A ticket is used to identify specific changes that have been made to the firewall. For more
   information, see Configuring change tickets on page 103.



• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center
  Management Server logs. For more information, see Viewing Management Server logs on page 663.

• Authentication… — Displays the Control Center Authentication Configuration window, in which you can
  define your authentication strategy. For more information, see Authentication on page 145.

• Common License Information… — Displays the Common License Information window, in which you
  can manage Control Center common license information. For more information, see Managing Control
  Center licenses on page 106.

• Backup Server Status… — Displays the Backup Server Status page in the work area, in which you can
  view the current status of each Management Server that is installed in your configuration if the High
  Availability (HA) Management Server Configuration is configured for your organization. For more
  information about HA, see High Availability (HA) on page 136. For more information about this window,
  see Viewing the status of your backup Management Servers on page 122.

• Backup System… — Displays the Backup Control Center System window, in which you can save a
  backup file of the Management Server. For more information, see Creating backup files of your
  Management Server data by using the GUI on page 123.

• Restore System… — Displays the Restore System from Backup window, in which you can restore the
  system from a backup file of the Management Server. For more information, see Restoring the
  Management Server configuration files from a backup file on page 126.

• Set Server Date and Time… — Displays the Set Server Date and Time window, in which you can set
  the Management Server date and time. For more information, see Setting the date and time on the
  Management Server on page 131.

• Change Password… — [Available only if internal authentication is being used, which is configured on
  the Control Center Authentication Configuration window] Displays the Change User Password window, in
  which you can change the current user’s password. For more information, see Changing user passwords
  on page 88.

• Restart Server… — Displays the Restart Server window, in which you can restart the Management
  Server. For more information, see Restarting the Management Server on page 131.
   Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request.

• Halt Server… — Stop the Management Server and exit the application. Then click Yes to confirm or No
  to cancel the action.

• High Availability Setup Wizard… or High Availability Removal Wizard… — Displays either the High
  Availability Setup Wizard or Removal Wizard, depending on your menu selection. Use these wizards to
  establish or remove the High Availability (HA) Management Server configuration. For more information
  about these wizards, see Configuring the High Availability (HA) feature on page 140 and Removing the
  High Availability (HA) configuration feature on page 143.

Administration Tool: Tools menu
Use the menu options on the Tools menu of any tool to launch another tool using the same user name,
password, and Management Server that you are currently using. You cannot log into the same tool more
than once from a single client.
This menu has the following options:
• Configuration Tool… — Displays the Configuration Tool, in which you can configure the firewall, manage
  multiple firewalls, and implement and enforce security policies across those firewalls. For more
  information, see Configuration Tool on page 153.

• Reporting and Monitoring Tool… — Displays the Reporting and Monitoring Tool, in which you can
  centrally monitor the status of supported firewalls and generate a wide range of firewall-specific reports.
  For more information, see Reporting and Monitoring Tool on page 671.



• Software Updates Tool… — Displays the Software Updates Tool, in which you can store, manage, and
  install software and firmware updates for all deployed firewalls and install Management Server software
  updates. For more information, see Software Updates Tool on page 691.

Administration Tool: Window menu
Use the menu options on the Window menu to control the layout of objects and components in the Control
Center user interface.
This menu has the following options:
• Refresh — Refresh the window.

• Restore Docking State — Restore the default docking state of the toolbar and the Object Details page
  (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.

• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.

• Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is cleared.

• Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is cleared.

• MDI Tabbed — Determines whether pages are displayed as windows or as tabs that are docked in the rules
  pane. This option is selected by default. When you clear this checkbox, rules pages appear as undocked
  document windows that you can arrange by using the Cascade, Tile Horizontal, and Tile Vertical menu
  options.

The Window menu also lists the open pages; select one to display it in the work area.

Administration Tool: Help menu
Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons
that are associated with each window. You can also obtain additional information about the services and
features options that are associated with each tool, and background information for specific concepts that
are associated with using or operating the Control Center.
This menu has the following options:
• Contents — Displays a complete list of the main topics of the Control Center help system. Click a main
  help topic to display the complete subtopic list.

• Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular
  entry in the index.

• Search — Searches the Control Center help system for a topic or matching words that you provide.

• About — Displays the licensing text, versions, and timestamp of the date and time at which the Client
  Suite, Management Server, and database were built.

     Configuration Tool menus
     The following menus are available in the Configuration Tool:
     • File — Configuration Tool: File menu on page 56

     • View — Configuration Tool: View menu on page 56

     • Configuration — Configuration Tool: Configuration menu on page 57

     • System — Configuration Tool: System menu on page 58

     • Reports — Configuration Tool: Reports menu on page 59

     • Tools — Configuration Tool: Tools menu on page 60

     • Rules — Configuration Tool: Rules menu on page 60

     • Window — Configuration Tool: Window menu on page 61

     • Help — Configuration Tool: Help menu on page 62

     Configuration Tool: File menu
     As in all of the other tools, you can select Exit in the File menu to close the Configuration Tool. The File
     menu also has the following options, some of which are available only when the Rules page is displayed:
     • Switch Domain… — [Available only when configuration domains are enabled] Displays the Switch
       Domain window, in which you can select the domain that you want to access without having to log out
       and then back in again.

     • Export — [Available only when the Rules page is displayed] Displays the Export Rules File window, in
       which you can specify a name and path for the tab-delimited rules file that you want to save.

     • Print Preview — [Available only when the Rules page is displayed] Displays the Print Preview window,
       in which you can view the rules in a preview state, ready to be printed. You can also change the print
       review format to display one, two, three, four, or six pages on one print-ready page.

     • Print — [Available only when the Rules page is displayed] Print the rules on the Rules page.
        Note: To change the format of the printed pages, first go to the Print Preview window and change the display
        before selecting this option.

     Configuration Tool: View menu
     Use the View menu options on the Configuration Tool to access pages in the work area, to access the
     various configurable objects in the Objects toolbar, and to hide or display the toolbars that accompany
     the user interface. To show an area, make sure that its menu option is selected. To close or hide an
     area, clear the checkbox or click X on the page or area.
     This menu has the following options:
     • Rules — Displays the Rules page in the work area, in which you can view a complete list of the rules that
       have been defined on your system. For more information, see Creating, viewing, or modifying rules on
       page 528.

     • IPS Attack Responses — Displays the IPS Attack Responses page in the work area, in which you can
       view a complete list of the IPS attack responses that have been defined on your system. For more
       information, see Viewing IPS attack responses on page 608.

     • System Responses — Displays the System Responses page in the work area, in which you can view a
       complete list of the system responses that have been defined on your system. For more information, see
       Viewing system responses on page 612.

     • Alert Processing Rules — Displays the Alert Processing Rules page in the work area, in which you can
       view all of the alert processing rules that are currently available. For more information, see Viewing alert
       processing rules on page 564.

• URL Translation Rules — Displays the URL Translation Rules page in the work area, in which you can
  view a complete list of the URL translation rules that have been defined on your system.

• Start Page — Displays the Start Page (the Control Center home page) if it has been previously closed.

• Remote Certificates — Displays the Remote Certificates page, in which you can manage remote
  certificates. For more information, see Managing remote certificates on page 523.

• Objects — Either hide or display the Object Configuration area.

• Object Details — Either hide or display the Object Details page.

• Toolbars — Either hide or display the page-specific toolbars in the toolbar.

Configuration Tool: Configuration menu
Use the Configuration menu on the Configuration Tool to consolidate duplicate or overlapping rules and
objects, validate and apply configuration changes to supported firewalls, lock object types to prevent
multiple operators from making simultaneous changes to the same objects, assign priority levels to alerts,
create VPN channels, and manage SSH known host keys.
This menu has the following options:
• Duplicate Rules Wizard — Start the Duplicate Rules Wizard, in which you can analyze your rule set and
  delete duplicate rules. For more information, see Deleting duplicate rules on page 556.

• Merge Rules Wizard — Start the Merge Rules Wizard, in which you can analyze your rule set and
  combine rules that have common elements. For more information, see Merging rules with common
  elements on page 552.

• Merge Objects Wizard — Start the Merge Objects Wizard, in which you can analyze your network
  objects and services and combine those objects that have common elements. For more information,
  see Merging objects on page 652.

• Apply Configurations... — Displays the Apply Configurations window, in which you can propagate
  configurations from the Control Center database to the managed firewalls. When you apply the
  configuration, configuration information is sent to the selected target firewalls. The following events can
  then occur:

   • Data on the firewall is transformed and implemented.

   • Firewall components are restarted as needed.

   • The results of this “apply” are reported back to the Control Center.

   For more information, see Applying firewall configurations on page 589.

• Validate Configurations... — Displays the Validate Configuration window, in which you can ensure that
  the firewall configurations that are stored on the Management Server are valid. You can also use this
  window to view the differences between the current configuration and the proposed configuration of a
  firewall. For more information, see Policy objects on page 333.

• Locking Manager... — Displays the Locking Manager window, in which you can lock selected object types
  (for example, address ranges, networks, or rules) so that other Control Center users cannot
  simultaneously add, modify, or delete objects of those types. Multiple Control Center users can be logged
  on to the same Management Server by using multiple Client Suite clients, which means that, at any given
  time, multiple users can be making simultaneous changes. A lock covers all existing objects of the type,
  as well as new objects that you create. For example, to lock network objects, select the Networks
  checkbox in this window. For more information, see Locking configuration objects on page 649.

• Priority Mappings... — Displays the Priority Mappings window, in which you can define the alert priority
  that is associated with predefined and custom alerts. For more information, see Assigning priority levels
  to alerts on page 567.

     • VPN Wizard... — Starts the VPN Wizard, in which you can create mesh, star, and remote (road warrior)
       VPN channels. For more information, see Creating VPN channels on page 475.

     • SSH Known Hosts... — Displays the SSH Known Hosts window, in which you can manage the database
       of SSH known host keys. For more information, see Configuring strong known host associations on
       page 569.
        Note: Confirm a firewall's host key fingerprint through a trusted channel before adding it. A known host
        entry only protects against a spoofed firewall if the key it records was actually verified.
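
The Export option on the File menu writes the rule set as a tab-delimited file, and the Duplicate Rules and Merge Rules wizards above analyze that rule set for identical and overlapping rules. The following Python script is an added example, not Control Center code, that performs the same kind of analysis offline on an exported file: it groups exact duplicates, lists pairs that differ in exactly one match field (candidates for merging), and flags pairs that match the same traffic with different actions, which should be reviewed rather than merged because rule order decides which one applies. The column names (name, action, source, destination, service) and the sample export are assumptions; the page does not specify the export layout, so adapt MATCH_FIELDS to a real export.

```python
"""Find duplicate, mergeable, and conflicting rules in a tab-delimited rules export.

Added example; not part of the Control Center product. The column layout
(name, action, source, destination, service) is an assumption: the export
format is not specified in the guide, so adapt MATCH_FIELDS to a real file.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export with assumed columns; a real export may differ.
SAMPLE_EXPORT = (
    "name\taction\tsource\tdestination\tservice\n"
    "allow_web\tallow\tinternal\tdmz_web\thttp\n"
    "allow_web_2\tallow\tinternal\tdmz_web\thttp\n"      # exact duplicate of allow_web
    "allow_https\tallow\tinternal\tdmz_web\thttps\n"     # differs from allow_web only in service
    "deny_web\tdeny\tinternal\tdmz_web\thttp\n"          # same traffic as allow_web, opposite action
    "deny_telnet\tdeny\tany\tany\ttelnet\n"
)

# Fields that define what a rule matches and does (assumed names).
MATCH_FIELDS = ("action", "source", "destination", "service")
TRAFFIC_FIELDS = ("source", "destination", "service")


def parse_export(text):
    """Parse a tab-delimited export into a list of dict rows, in file order."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [dict(row) for row in reader]


def find_duplicates(rules):
    """Group rule names whose match fields are identical (only the name differs).

    Returns one list of names per duplicate group, in file order; deleting all
    but one rule in a group does not change what the firewall enforces."""
    groups = defaultdict(list)
    for rule in rules:
        groups[tuple(rule[f] for f in MATCH_FIELDS)].append(rule["name"])
    return [names for names in groups.values() if len(names) > 1]


def find_mergeable(rules):
    """Find pairs of rules that differ in exactly one traffic field.

    Such a pair can be combined into one rule whose differing field holds both
    values. Pairs that differ only in action are deliberately excluded; they
    are conflicts, not merge candidates. Returns (name_a, name_b, field)."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            diff = [f for f in MATCH_FIELDS if a[f] != b[f]]
            if len(diff) == 1 and diff[0] != "action":
                pairs.append((a["name"], b["name"], diff[0]))
    return pairs


def find_conflicts(rules):
    """Find pairs that match the same traffic but take different actions.

    Which rule wins depends on its position on the Rules page, so these
    deserve review before any delete or merge. Returns (name_a, name_b)."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_traffic = all(a[f] == b[f] for f in TRAFFIC_FIELDS)
            if same_traffic and a["action"] != b["action"]:
                pairs.append((a["name"], b["name"]))
    return pairs


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    print("duplicates:", find_duplicates(rules))
    print("mergeable: ", find_mergeable(rules))
    print("conflicts: ", find_conflicts(rules))
```

Run the script directly to print the three lists for the constructed sample, or pass the contents of a real Export file to parse_export to analyze a live rule set. Conflicts are reported separately from mergeable pairs because combining two rules that differ only in their action would change what the firewall enforces.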

     Configuration Tool: System menu
     Use the System menu on the Configuration Tool to access the following options:
     • Firewall Sorting... — Displays the Firewall Sorting Manager window, in which you can provide a
       user-defined view of the firewalls that are configured for your operation. You can select the firewall
       characteristics and the order of consideration for those characteristics to determine the way in which the
       firewalls are displayed.

        The sort characteristics that are available include: Type (type of firewall), Location (uses the
        user-defined location information), Contact (uses the user-defined contact information associated with
        a firewall), and any user-defined category/value pair. For more information, see Reviewing your
        configured firewalls on page 594.

     • Startup Options... — Displays the Startup Options window, in which you can configure the appearance
       of the Configuration Tool when it is opened. You can select the windows that are loaded when the tool is
       opened. There is also an optional setting to open the tool with the layout that existed when the tool
       was last closed.

     • Start Ticket or Stop Ticket — The menu option that you see depends on whether a ticket has been
       started. If no ticket has been started, the Start Ticket menu option is displayed. If a ticket has already
       been started, the Stop Ticket menu option is displayed.

        When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the
        ticket. A ticket is used to identify the specific changes that are made to the firewall while it is open. For
        more information, see Configuring change tickets on page 103.

        When you select Stop Ticket, the change ticket is closed; no window is displayed.

     • Device Control... — Displays the Device Control window, in which you can manage firewalls. You can
       initiate various shutdown or suspend states for selected firewalls. For more information, see Managing
       firewall shutdown and suspension states and other maintenance settings on page 656.

     • Compliance Report Settings... — Displays the Compliance Report Settings window, in which you can
       enable and configure compliance reports. Compliance Reports are viewed and managed on the
       Compliance Report page. For more information, see Configuring compliance report settings on page 596.

     • Firewall Configuration Backup... — Displays the Firewall Configuration Backup page, in which you can
       create and restore configuration backups for selected firewalls in your configuration. You can also
       access this page from the Software Updates Tool. For more information, see Backing up and restoring
       firewall configurations on page 704.

     • License Firewall... — Displays the Firewall License window, in which you can specify and manage firewall
       product licenses. For more information, see Viewing and managing firewall licenses on page 658.
     • Backup System... — Displays the Backup Control Center System window, in which you can create a new
       backup file of the Control Center Management Server data or replace an existing backup file. For more
       information, see Creating backup files of your Management Server data by using the GUI on page 123.

     • Restore System... — Displays the Restore System from Backup window, in which you can restore a
       previously saved system backup file to the Management Server. For more information, see Restoring the
       Management Server configuration files from a backup file on page 126.

     • Server Property Editor… — Displays the Server Property Editor window, in which you can modify
       properties that are associated with the Management Server. For more information, see Configuring
       Management Server properties on page 664.

• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center
  Management Server logs. For more information, see Viewing Management Server logs on page 663.

• Set Server Date and Time… — Displays the Set Server Date and Time window, in which you can set
  the date and time on the Management Server. For more information, see Setting the date and time on
  the Management Server on page 131.

• Change Password… — [Available only if internal authentication is being used, which is configured on
  the Control Center Authentication Configuration window] Displays the Change User Password window, in
  which you can change the current user’s password. For more information, see Changing user passwords
  on page 88.

• Restart Server… — Displays the Restart Server window, in which you can restart the Management
  Server. For more information, see Restarting the Management Server on page 131.

• Halt Server… — Displays a warning message, asking whether you want to continue with this action to
  stop the Management Server. Click Yes to stop the server or No to cancel this action.

Configuration Tool: Reports menu
Use the Reports menu on the Configuration Tool to view firewall status, configuration, validation,
compliance, and deployment status information, the Control Center audit trail, McAfee Firewall Reporter,
Management Server system information, and unused objects.
This menu has the following options:
• Firewall Status — Displays the Firewall Status page, in which you can view a status summary of the
  firewalls that are configured for your operation. You can also use this page to quickly determine the status
  information about the operation of each firewall in your configuration. For more information, see Viewing
  the overall status of your firewalls on page 574.

• Configuration Status — Displays the Configuration Status Report page, in which you can view
  information about the propagation of configuration data from the Control Center database to each
  selected firewall. When the Configuration Status Report page is displayed, the propagation status is
  refreshed every 15 seconds. For more information, see Firewall configuration management on page 574.

• Validation Status — Displays the Validation Status Report page, in which you can view the status of the
  validation process for each of the firewall configurations in the Control Center database. You can also view
  the differences between the current configuration and the proposed configuration of a firewall. When this
  report is displayed, the validation status is refreshed every 15 seconds. For more information, see Firewall
  configuration management on page 574.

• Compliance Status — Displays the Compliance Report page, in which you can view compliance status
  information for all of the firewalls that are managed with the Control Center. For more information, see
  Configuring compliance report settings on page 596.

• Audit Trail... — Displays the Audit Trail page, in which you can list, filter, preview, and print the audit
  trail data. This page is read-only. For more information, see Viewing audit trail information on page 615.

• Deployment Status — Displays the Deployment Status Report page, in which you can view the status
  of the enrollment for a specific firewall. For more information, see Viewing your firewall enrollment
  (deployment) status on page 598.

• McAfee Firewall Reporter — Displays the McAfee Firewall Reporter application, in which you can view,
  analyze, and manage raw data from a firewall.
   Note: When you select this menu option the first time, the McAfee Firewall Reporter Settings window is
   displayed, in which you specify the McAfee Firewall Reporter server address and management port. After you
   configure these settings, the application displays on the McAfee Firewall Reporter page.

   For more information, see Viewing real-time Web data for your network on page 600.

     • System Information — Displays the System Information page, in which you can categorize
       Management Server information and associated values. Information categories include: IP address,
       memory capacities, software release, machine type, operating system, processor information, and the
       current system time. For more information, see Displaying system information for the Control Center
       Management Server on page 638.

     • Unused Objects — Displays the Unused Objects page, in which you can retrieve a list of all of the unused
       objects to which you have access in this configuration domain. You can double-click an object to edit
       it, or delete it. For more information, see Managing unused objects on the Control Center
       Management Server on page 651.

     Configuration Tool: Tools menu
     Use the menu options on the Tools menu of any tool to launch another tool using the same user name,
     password, and Management Server that you are currently using. You cannot log into the same tool more
     than once from a single client.
     This menu has the following options:
     • Administration Tool — Displays the Administration Tool, in which you can manage McAfee Firewall
       Enterprise Control Center users and roles, configuration domains, audit trail, licensing, and backup and
       restore operations. For more information, see Administration Tool on page 79.

     • Reporting and Monitoring Tool — Displays the Reporting and Monitoring Tool, in which you can
       centrally monitor the status of supported firewalls and generate a wide range of firewall-specific reports.
       For more information, see Reporting and Monitoring Tool on page 671.

     • Software Updates Tool — Displays the Software Updates Tool, in which you can store, manage, and
       install software and firmware updates for all deployed firewalls and install Management Server software
       updates. For more information, see Software Updates Tool on page 691.

     Configuration Tool: Rules menu
     Use the Rules menu on the Configuration Tool to access the controls used to manage individual rules when
     the Rules page or the URL Translation Rules page is displayed in the work area. The menu that is displayed
     depends on the page that is currently displayed.
     • Rules page menu options

     • URL Translation Rules page options

     Rules page menu options
     This menu has the following options when the Rules page is displayed:
     • Add New Rule — Displays the Rule Editor window, in which you can create a new rule. For more
       information, see Configuring rules on page 533.

     • Edit Rule — Displays the Rule Editor window, in which you can edit an existing rule. For more information,
       see Configuring rules on page 533.

     • Delete Rule — Delete the highlighted rule.

     • Delete Rules… — Displays the Rules Removal window, in which you can specify multiple rules and ranges
       of rules to be deleted. Specify a range as the beginning and ending rule numbers, separated by a hyphen
       (-). Separate each range or individual rule with a comma (,).

     • Cut Rule — Cut the highlighted rule so that you can paste it at another position (a move).

     • Paste Rule — Paste a rule in the location of the insertion point.

     • Copy Rule — Create a copy of the highlighted rule.

     • Replace Rule Objects… — Displays the Replace Rule Objects window, in which you can specify an object
       type that is currently in a rule to be replaced by another type.

     • Move To Top — Move the highlighted rule to the top of the page.

• Move Up — Move the highlighted rule up one position on the page.

• Move Down — Move the highlighted rule down one position on the page.

• Move To Bottom — Move the highlighted rule to the bottom of the page.

• Move Above Rule… — Move the highlighted rule above a specific rule.

• Move Below Rule... — Move the highlighted rule below a specific rule.

• Filter Rules — Displays the Rules Filter Selection window, in which you can specify the filter criteria that
  are used to display subsets of rules. After you define your filter criteria and click OK, the rules that match
  the filter requirements are displayed on the Rules page. Additionally, Filter Off is available as a menu
  option on the Rules menu of the Configuration Tool. Select it to cancel the filtered view and return to a
  view of all of the rules on the Rules page. For more information, see Filtering rules to display on the Rules
  page on page 545.

• Manage Filters — Displays the Manage Filters window, in which you can load and manage previously
  named filters that are used to display only those rules that meet the filter requirements. For more
  information, see Loading and managing previously saved rule filters on page 549.
• Quick Filter — Displays the Quick Filter window, in which you can view only those rules that have been
  defined for the selected firewalls on the Rules page. For more information, see Displaying filtered rules
  on the Rules page on page 550.

• Default Rule Settings… — Displays the Default Rule Settings window, in which you can define some of
  the default settings when new rules are created. For more information, see Configuring default settings
  for creating rules on page 540.

• Create Group — Displays the Rules Group window, in which you can create groups of rules. For more
  information, see Configuring groups of rules on page 551.

• Configure Columns — Displays the Rules Display Columns window, in which you can specify the columns
  to display on the Rules page. For more information, see Configuring columns to display on the Rules page
  on page 532.
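
The Delete Rules window above accepts a list of rule numbers and hyphenated ranges separated by commas. The following Python function is an added example, not Control Center code, that parses that syntax the way a careful implementation should: it rejects malformed tokens, reversed ranges, and numbers outside the rule set rather than silently widening or narrowing a bulk delete, and it returns the exact rule numbers that would be removed so that they can be previewed first. It assumes rule numbers are 1-based positions on the Rules page and that the caller knows how many rules are currently displayed; both are assumptions, as is the sample rule list.

```python
"""Parse the rule-selection syntax used by Delete Rules (for example "3, 7-9, 12").

Added example; not Control Center code. Assumes rule numbers are 1-based
positions on the Rules page and that rule_count is the number of rules
currently displayed (both assumptions).
"""
import re

# One token: a number, or a number-number range, with optional whitespace.
_TOKEN = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+)\s*)?$")


def parse_rule_selection(text, rule_count):
    """Return a sorted list of the unique rule numbers selected by text.

    Accepts single numbers and hyphenated ranges separated by commas.
    Raises ValueError for an empty selection, malformed tokens, rule number
    zero, reversed ranges, and numbers beyond rule_count, so that a typo
    cannot silently change which rules a bulk delete removes."""
    if not text.strip():
        raise ValueError("empty selection")
    selected = set()
    for token in text.split(","):
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed token: {token.strip()!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if start == 0 or end > rule_count:
            raise ValueError(
                f"rule number out of range in {token.strip()!r} (1-{rule_count})"
            )
        if end < start:
            raise ValueError(f"reversed range: {token.strip()!r}")
        selected.update(range(start, end + 1))
    return sorted(selected)


def selection_error(text, rule_count):
    """Return the validation message for text, or None when it is valid."""
    try:
        parse_rule_selection(text, rule_count)
    except ValueError as exc:
        return str(exc)
    return None


def preview_deletion(rule_names, selection):
    """Return (kept, deleted) name lists for a selection over rule_names.

    rule_names is the Rules page in display order (assumed 1-based numbering),
    so the operator can confirm what will go before committing the delete."""
    numbers = set(parse_rule_selection(selection, len(rule_names)))
    deleted = [n for i, n in enumerate(rule_names, start=1) if i in numbers]
    kept = [n for i, n in enumerate(rule_names, start=1) if i not in numbers]
    return kept, deleted


if __name__ == "__main__":
    # Constructed sample rule list; names are placeholders.
    rules = ["allow_web", "allow_dns", "deny_telnet", "allow_ssh_admin", "deny_all"]
    kept, deleted = preview_deletion(rules, "2, 4-5")
    print("would delete:", deleted)
    print("would keep:  ", kept)
    print("error for '9-7':", selection_error("9-7", len(rules)))
```

Overlapping tokens such as "2-4,3" collapse to a single set, and every error names the offending token, which is what an operator needs when a long selection is rejected.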

URL Translation Rules page options
This menu has the following options when the URL Translation Rules page is displayed in the work area:
• Add New Rule — Displays the URL Translation Rules Editor window, in which you can define a new URL
  translation rule. For more information, see Configuring URL translation rules on page 560.

• Edit Rule — Displays the URL Translation Rules Editor window, in which you can edit the highlighted URL
  translation rule. For more information, see Configuring URL translation rules on page 560.

• Copy Rule — Create a copy of the highlighted rule.

• Delete Rule — Delete the highlighted rule.

• Move Up — Move the highlighted rule up one position on the page.

• Move Down — Move the highlighted rule down one position on the page.

Configuration Tool: Window menu
Use the menu options on the Window menu to control the layout of objects and components in the Control
Center user interface.
This menu has the following options:
• Refresh — Refresh the window.

• Restore Docking State — Restore the default docking state of the toolbar and the Object Details page
  (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.

• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.

     • Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is cleared.

     • Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is cleared.

     • MDI Tabbed — Determines whether pages are displayed as windows or as tabs that are docked in the rules
       pane. This option is selected by default. When you clear this checkbox, rules pages appear as undocked
       document windows that you can arrange by using the Cascade, Tile Horizontal, and Tile Vertical menu
       options.

     The Window menu also lists the open pages; select one to display it in the work area.

     Configuration Tool: Help menu
     Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons
     that are associated with each window. You can also obtain additional information about the services and
     features options that are associated with each tool, and background information for specific concepts that
     are associated with using or operating the Control Center.
     This menu has the following options:
     • Contents — Displays a complete list of the main topics of the Control Center help system. Click a main
       help topic to display the complete subtopic list.

     • Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular
       entry in the index.

     • Search — Searches the Control Center help system for a topic or matching words that you provide.

     • About — Displays the licensing text, versions, and timestamp of the date and time at which the Client
       Suite, Management Server, and database were built.


     Reporting and Monitoring Tool menus
     The following menus are available in the Reporting and Monitoring Tool:
     • File — Reporting and Monitoring Tool: File menu on page 62

     • System — Reporting and Monitoring Tool: System menu on page 63

     • View — Reporting and Monitoring Tool: View menu on page 63

     • Reports — Reporting and Monitoring Tool: Reports menu on page 64

     • Tools — Reporting and Monitoring Tool: Tools menu on page 64

     • Options — Reporting and Monitoring Tool: Options menu on page 64

     • Window — Reporting and Monitoring Tool: Window menu on page 65

     • Help — Reporting and Monitoring Tool: Help menu on page 66

     Reporting and Monitoring Tool: File menu
     Select Exit in the File menu to close the Reporting and Monitoring Tool.
     This menu also has the following option:
     • Switch Domain… — [Available only when configuration domains are enabled] Displays the Switch
       Domain window, in which you can select the domain that you want to access without having to log out
       and then back in again.

Reporting and Monitoring Tool: System menu
Use the System menu on the Reporting and Monitoring Tool to manage server logs, set the server date and
time, change your password and, if necessary, restart or stop the Management Server.
This menu has the following options:
• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center
  Management Server logs. For more information, see Viewing Management Server logs on page 663.

• Set Server Date and Time… — Displays the Set Server Date and Time window, in which you can set
  the Management Server date and time. For more information, see Setting the date and time on the
  Management Server on page 131.

• Change Password… — [Available only if internal authentication is being used, which is configured on
  the Control Center Authentication Configuration window] Displays the Change User Password window, in
  which you can change the current user’s password. For more information, see Changing user passwords
  on page 88.

• Restart Server… — Displays the Restart Server window, in which you can restart the Management
  Server. For more information, see Restarting the Management Server on page 131.
   Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request.

• Halt Server… — Displays a confirmation message. Click Yes to stop the Management Server and exit the
  application, or No to cancel the action.

Reporting and Monitoring Tool: View menu
Use the View menu on the Reporting and Monitoring Tool to open the pages for managing alerts, mapping
sounds to alarms, viewing Secure Alerts Server and firewall status, and showing or hiding the Firewalls and
Reports area.
This menu has the following options:
• Alert Browser — Displays the Alert Browser page, in which you can view a summary of the alerts that
  have been generated by the configured firewalls. For more information, see Managing alerts on page 678.

   Use the Alert Browser page to quickly identify the alerts that are being generated by the configured
   firewalls, to acknowledge the alert, to annotate the corrective actions that are taken, to resolve the
   problem, and to clear the alert.

• Alarm Sound Mapping — Displays the Alarm Sound Mappings window, in which you can specify and
  map specific sound files to specific alarms. For more information, see Mapping sound files to alarms on
  page 676.
• Secure Alerts Servers — Displays the Secure Alerts Server page, in which you can view current and
  historical Secure Alerts Server status information. For more information, see Viewing Secure Alerts Server
  status information on page 687.

   This page is divided into the following panes:

   • Secure Alerts Server Status table on page 688

       The upper pane displays the current status of the Secure Alerts Servers.

   • Secure Alerts Service History table on page 689

       The lower pane displays the historical status of when the server was started and stopped.

• Start Page — Displays the Start Page (the Control Center home page) if it has been previously closed.

• Firewall Status — Displays the Firewall Status page, in which you can view a status summary of the
  firewalls that are configured for your operation. You can also use this page to quickly determine the status
  information about the operation of each firewall in your configuration. For more information, see Viewing
  the overall status of your firewalls on page 574.

• Firewalls and Reports — Displays or closes the Firewalls and Reports Object Configuration area. This
  area includes defined firewall objects and any report objects that have been generated during the current
  session.

Reporting and Monitoring Tool: Reports menu
Use the Reports menu on the Reporting and Monitoring Tool to select and run various reports that provide
information about the Management Server (System Information), audit data (Audit Trail), and security
policy (Policy). You can also access the McAfee Firewall Reporter.
This menu has the following options:
• System Information — Displays the System Information page, in which you can categorize
  Management Server information and associated values. Information categories include: IP address,
  memory capacities, software release, machine type, operating system, processor information, and the
  current system time. For more information, see Displaying system information for the Control Center
  Management Server on page 638.

• Audit Trail — Displays the Audit Trail page, in which you can list, filter, preview, and print audit trail data
  that is displayed on this page in the work area. No information is changed when you use this page. For
  more information, see Audit trail on page 615.

• Policy — Displays the Policy Report window, in which you can view the security policy that is defined on
  a firewall. You can also schedule a firewall-dependent policy report on a one-time or recurrent basis. For
  more information, see Selecting the criteria for the firewall policy report on page 640.

• McAfee Firewall Reporter — Displays the McAfee Firewall Reporter page, in which you can view
  real-time Web data for your network. For more information, see Viewing real-time Web data for your
  network on page 600.

Reporting and Monitoring Tool: Tools menu
Use the menu options on the Tools menu of any tool to launch another tool using the same user name,
password, and Management Server that you are currently using. You cannot log into the same tool more
than once from a single client.
This menu has the following options:
• Administration Tool — Displays the Administration Tool, in which you can manage Control Center users
  and roles, configuration domains, audit trail, licensing, and backup and restore operations. For more
  information, see Administration Tool on page 79.

• Configuration Tool — Displays the Configuration Tool, in which you can configure the firewall, manage
  multiple firewalls, and implement and enforce security policies across those firewalls. For more
  information, see Configuration Tool on page 153.

• Software Updates Tool — Displays the Software Updates Tool, in which you can store, manage, and
  install software and firmware updates for all deployed firewalls and install Management Server software
  updates. For more information, see Software Updates Tool on page 691.

Reporting and Monitoring Tool: Options menu
[Available only when the Alert Browser page is displayed in the work area] Use the menu options on the
Options menu to manage and filter the displayed alerts, change the status condition of an alert
(acknowledge or clear), and display and filter the events that are associated with one or more selected
alerts.
This menu has the following options:
• Columns — Displays the Column Selector window, in which you can specify the columns of alert data to
  be displayed on the Alert Browser page. For more information, see Configuring columns for the Alert
  Browser page on page 685.

• Filters — Displays the Alert Filter window, in which you can specify the alerts to be displayed on the Alert
  Browser. For more information, see Filtering the alerts to be displayed in the Alert Browser on page 686.
• Export Data — Displays the Export Alerts File window, in which you specify the destination for the
  exported data and the file name that is used for the exported data. The selected data is exported, in plain
  text format, to a local platform.

• Print — Displays the Print window, in which you can specify the printer name, the print range, and the
  number of copies of the selected alert data.

• Display Ack — Displays the alerts that have been acknowledged. By selecting this option, the
  Acknowledged checkbox is automatically selected in the Alert Filter window.

• Display Cleared — Displays the alerts that have been cleared. By selecting this option, the Cleared
  checkbox is automatically selected in the Alert Filter window.

• Display Open — Displays the alerts that have not been acknowledged. By selecting this option, the Open
  checkbox is automatically selected in the Alert Filter window.

• Annotate — Displays the Annotate window, in which you can record any comments about the associated
  alert.

• Ack — Displays the Annotate window, in which you can record any comments about the associated alert.
  By selecting this menu option, the acknowledgement checkbox for each selected alert is also selected.
  This is a one-time activity for each alert. If you select this option, you cannot clear the option. To view
  alerts that have been acknowledged, click Display Ack on the toolbar or select Display Ack from the
  Options menu.

   If an alert is acknowledged and more alerts of the same type on the same firewall occur, the alert
   count is incremented and the Acknowledge Alert icon is displayed in the Alert Browser page.

• Clear — Clear the selected alerts. To view alerts that have been cleared, click Display Cleared on
  the toolbar or select Display Cleared from the Options menu. Cleared alerts remain visible until they
  are removed from the system. A script is automatically run each night to remove the cleared alerts. You
  can configure the time at which this script runs.

• Jump — Displays the Jump To window, in which you can display the selected row number.

• Events — Displays the events that are associated with the selected alerts when one or more alerts are
  highlighted. To view the events that are associated with one alert, click the Row Number column (far-left
  column) to highlight the alert; to highlight more than one alert, use Ctrl+click or Shift+click. Then
  display the Event Browser window by clicking Events on the toolbar or selecting Events from the Options menu.

• Preview Pane — Horizontally split the view display in half. The top half displays the detailed description
  of the selected alert and the bottom half displays the list of alerts.

• Alarm for Open — Display all of the events for Alarm Open only.

• Alarm for Ack — Display all of the events for Alarm Acknowledged only.

• Alert Update Summary — Display the Alert Update Summary for the selected event.
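The Ack, Clear and Display options above describe an alert life cycle (open, acknowledged, cleared, then purged overnight) in which a repeat of an acknowledged alert on the same firewall only raises its count. The following model is an added example, not Control Center code; the field names, the `raise_alert`/`nightly_purge` functions and the one-purge-per-night policy are assumptions made here to show the behaviour the text describes.

```python
"""Model of the Alert Browser life cycle: Open -> Acknowledged -> Cleared
-> removed by the nightly purge. Added example, not product code; all
names and the purge policy are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    firewall: str
    alert_type: str
    count: int = 1                     # incremented by repeats of this alert
    acknowledged: bool = False         # one-way: no "un-acknowledge" option
    cleared: bool = False
    annotations: list[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        """Status as the Display Open / Ack / Cleared filters see it."""
        if self.cleared:
            return "Cleared"
        return "Acknowledged" if self.acknowledged else "Open"


class AlertBrowser:
    """Alerts kept in arrival order; (firewall, alert_type) identifies a
    row while it is not cleared, so repeats fold into the existing row."""

    def __init__(self) -> None:
        self._alerts: list[Alert] = []

    def raise_alert(self, firewall: str, alert_type: str) -> Alert:
        for alert in self._alerts:
            if (alert.firewall, alert.alert_type) == (firewall, alert_type) \
                    and not alert.cleared:
                alert.count += 1       # same type, same firewall: bump count
                return alert
        alert = Alert(firewall, alert_type)   # cleared rows are not reopened
        self._alerts.append(alert)
        return alert

    def acknowledge(self, alert: Alert, note: str = "") -> None:
        """Ack opens the Annotate window, so a note may accompany it."""
        alert.acknowledged = True
        if note:
            alert.annotations.append(note)

    def annotate(self, alert: Alert, note: str) -> None:
        alert.annotations.append(note)

    def clear(self, alert: Alert) -> None:
        alert.cleared = True           # stays visible until the nightly purge

    def display(self, *, show_open: bool = False, show_ack: bool = False,
                show_cleared: bool = False) -> list[Alert]:
        """Equivalent of ticking Open / Acknowledged / Cleared in the filter."""
        wanted = set()
        if show_open:
            wanted.add("Open")
        if show_ack:
            wanted.add("Acknowledged")
        if show_cleared:
            wanted.add("Cleared")
        return [a for a in self._alerts if a.status in wanted]

    def nightly_purge(self) -> int:
        """Drop cleared alerts, as the scheduled script does; returns count."""
        before = len(self._alerts)
        self._alerts = [a for a in self._alerts if not a.cleared]
        return before - len(self._alerts)


if __name__ == "__main__":
    browser = AlertBrowser()                       # constructed sample run
    first = browser.raise_alert("fw-edge-1", "disk usage high")
    browser.acknowledge(first, "ticket opened, rotating audit logs")
    browser.raise_alert("fw-edge-1", "disk usage high")   # repeat -> count 2
    for row in browser.display(show_open=True, show_ack=True):
        print(row.firewall, row.alert_type, row.status, row.count)
```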

Reporting and Monitoring Tool: Window menu
Use the menu options on the Window menu to control the layout of objects and components in the Control
Center user interface.
This menu has the following options:
• Refresh — Refresh the window.

• Restore Docking State — Restore the default docking state of the toolbar and the Objects Details page
  (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.

• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.

• Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is selected.

• Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is selected.

• MDI Tabbed — Determines whether pages are displayed as windows or tabs that are docked in the rules
  pane. The default value is selected. When you clear this checkbox, rules pages appear as undocked
  document windows; they can be cascaded or tiled by using the Cascade, Tile Horizontal, and Tile
  Vertical menu options, respectively.

You can also select the page that is displayed in the work area.

Reporting and Monitoring Tool: Help menu
Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons
that are associated with each window. You can also obtain additional information about the services and
features options that are associated with each tool, and background information for specific concepts that
are associated with using or operating the Control Center.
This menu has the following options:
• Contents — Displays a complete list of the main topics of the Control Center help system. Click a main
  help topic to display the complete subtopic list.

• Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular
  entry in the index.

• Search — Searches the Control Center help system for a topic or matching words that you provide.

• About — Displays the licensing text, versions, and timestamp of the date and time at which the Client
  Suite, Management Server, and database were built.


Software Updates Tool menus
The following menus are available in the Software Updates Tool:
• File — Software Updates Tool: File menu on page 66

• System — Software Updates Tool: System menu on page 67

• View — Software Updates Tool: View menu on page 67

• Operations — Software Updates Tool: Operations menu on page 68

• Tools — Software Updates Tool: Tools menu on page 69

• Window — Software Updates Tool: Window menu on page 69

• Help — Software Updates Tool: Help menu on page 69

Software Updates Tool: File menu
Select Exit in the File menu to close the Reporting and Monitoring Tool.
This menu also has the following option:
• Switch Domain… — [Available only when configuration domains are enabled] Displays the Switch
  Domain window, in which you can select the domain that you want to access without having to log out
  and then back in again.

Software Updates Tool: System menu
Use the System menu on the Software Updates Tool to manage server logs and, if necessary, to restart or
stop the Management Server.
This menu has the following options:
• Start Ticket… or Stop Ticket… — The menu option that you see depends on whether a ticket has been
  started. If no ticket has been started, the Start Ticket menu option is displayed. If a ticket has already
  been started, the Stop Ticket menu option is displayed.

   When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the
   ticket. A ticket is used to identify specific changes that have been made to the firewall. For more
   information, see Configuring change tickets on page 103.

   When you select Stop Ticket, no window is displayed. However, the change ticket is closed.

• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center
  Management Server logs. For more information, see Viewing Management Server logs on page 663.

• Change Password… — [Available only if internal authentication is being used, which is configured on
  the Control Center Authentication Configuration window] Displays the Change User Password window, in
  which you can change the current user’s password. For more information, see Changing user passwords
  on page 88.

• Restart Server… — Displays the Restart Server window, in which you can restart the Management
  Server. For more information, see Restarting the Management Server on page 131.
   Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request.

• Halt Server… — Stop the Management Server and exit the application. Then click Yes to confirm or No
  to cancel the action.

Software Updates Tool: View menu
Use the View menu on the Software Updates Tool to manage the McAfee Firewall Enterprise Control Center
software and firmware updates for supported firewalls.
This menu has the following options:
• Start Page — Displays the Start Page (the Control Center home page) if it has been previously closed.

• Install Updates — Displays the Install Updates page, in which you can manage and install software
  updates on each supported firewall that is installed in your configuration. For more information, see
  Installing software and firmware updates on page 697.
• Firewall Configuration Backup — Displays the Firewall Configuration Backup page, in which you can
  create and restore configuration backups for selected firewalls that are installed in your configuration. For
  more information, see Backing up and restoring firewall configurations on page 704.

• Store Updates — Displays the Store Updates page, in which you can identify, store, and manage firewall
  software and firmware updates on the Management Server. For more information, see Installing software
  and firmware updates on page 697.

• Control Center Update — Displays the Control Center Update window, in which you can manage and
  install McAfee Firewall Enterprise Control Center Management Server software updates. For more
  information, see Downloading and applying Management Server updates on page 693.

• Update Settings — Displays the Update Settings window. You can configure the following functionality
  in this window:

   • Use a proxy server to download updates.

   • Use an auto-discovery process to identify and download available updates.

   For more information, see Configuring update download settings on page 692.

Software Updates Tool: Operations menu
[Available only when the Install Updates page or Store Updates page is active in the work area. Only the
options that apply to the visible tab are displayed.] Use the Operations menu on the Software Updates Tool
to access page-specific options and functions for the tab page that is currently displayed in the work area.
When the Install Updates page is displayed, use the options on the Operations menu to update the selected
firewalls, schedule firewalls for updates, clear the last update, and update the firewall status.
When the Store Updates page is displayed, use the options on the Operations menu to check for new
updates, download selected updates, restart the download process, manually download updates, and
remove updates.

Operations menu for the Install Updates page
This menu has the following options when the Install Updates page is displayed in the work area:
• Update Firewalls — Perform the actions that you have specified on the firewalls that you have selected.
  You must have already selected an update action for all of the selected firewalls before you can select this
  tool or menu option. If you try to update a firewall with an update that has not been downloaded to the
  Management Server, the update will first be downloaded and saved on the Management Server. Then it
  will automatically be installed on the applicable selected firewalls.
   Note: You cannot initiate a new update on a firewall while it has an update in the “In Progress” state.

• Schedule Firewalls — Displays the Schedule Firewall Actions window, in which you can set a date and
  time to perform actions that are related to one or more firewalls. You can also remove a schedule. For
  more information, see Scheduling device software updates on page 703.

• Clear Last Update — Clear the values of the Last Update and Update Status fields from the table.
  However, this information is not cleared from the Update History data. Use this tool or menu option to
  clear field values when an update is stuck in the “In Progress” state.

• Update Firewall Status — Send a firewall status request to the selected firewalls. The resulting firewall
  status is displayed in a column on the left as an icon.

• Refresh Grid — Refresh the contents of the table on this page.

Operations menu for the Store Updates page
This menu has the following options when the Store Updates page is displayed in the work area:
• Check For Updates — Check for new updates from the defined auto-discovery location. For more
  information about configuring the auto-discovery settings, see Configuring update download settings on
  page 692.

• Download Updates — Download the associated update for each highlighted row from the location that
  is specified in the auto-discovery settings. For more information about configuring the auto-discovery
  settings, see Configuring update download settings on page 692.

• Restart Download — Restart the download process if a problem or failure occurs when an update
  package is being transferred from the location at which updates are stored to the Management Server.

• Remove Updates — Remove the associated update for each highlighted row from the Management
  Server. After an update has been removed from the Management Server, it will no longer be displayed in
  the Store Updates table unless you have selected the Show removed updates checkbox in the Update
  Settings window.

• Manual Download — Specify the way in which and the location to which an update is to be downloaded
  from a location other than the one that was specified in the auto-discovery settings. Use this option to
  acquire an update and store it on the Management Server when there is no access to the Secure
  Computing FTP location. For information about how to configure this option, see Manually downloading
  software updates on page 711.

• Refresh Grid — Refresh the contents of this page.

Software Updates Tool: Tools menu
Use the menu options on the Tools menu of any tool to launch another tool using the same user name,
password, and Management Server that you are currently using. You cannot log into the same tool more
than once from a single client.
This menu has the following options:
• Administration Tool — Displays the Administration Tool, in which you can manage Control Center users
  and roles, configuration domains, audit trail, licensing, and backup and restore operations. For more
  information, see Administration Tool on page 79.

• Configuration Tool — Displays the Configuration Tool, in which you can configure the firewall, manage
  multiple firewalls, and implement and enforce security policies across those firewalls. For more
  information, see Configuration Tool on page 153.

• Reporting and Monitoring Tool — Displays the Reporting and Monitoring Tool, in which you can
  centrally monitor the status of supported firewalls and generate a wide range of firewall-specific reports.
  For more information, see Reporting and Monitoring Tool on page 671.

Software Updates Tool: Window menu
Use the menu options on the Window menu to control the layout of objects and components in the Control
Center user interface.
This menu has the following options:
• Refresh — Refresh the window.

• Restore Docking State — Restore the default docking state of the toolbar and the Objects Details page
  (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.

• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.

• Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is selected.

• Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is selected.

• MDI Tabbed — Determines whether pages are displayed as windows or tabs that are docked in the rules
  pane. The default value is selected. When you clear this checkbox, rules pages appear as undocked
  document windows; they can be cascaded or tiled by using the Cascade, Tile Horizontal, and Tile
  Vertical menu options, respectively.

You can also select the page that is displayed in the work area.

Software Updates Tool: Help menu
Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons
that are associated with each window. You can also obtain additional information about the services and
features options that are associated with each tool, and background information for specific concepts that
are associated with using or operating the Control Center.
This menu has the following options:
• Contents — Displays a complete list of the main topics of the Control Center help system. Click a main
  help topic to display the complete subtopic list.

• Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular
  entry in the index.

• Search — Searches the Control Center help system for a topic or matching words that you provide.

• About — Displays the licensing text, versions, and timestamp of the date and time at which the Client
  Suite, Management Server, and database were built.

Customizing a toolbar
Use the Customize window to customize toolbars. To access the Customize window, right-click anywhere on
the toolbar or on the Menu bar.
You can add and remove buttons, create your own custom toolbars, hide or display toolbars, and move
toolbars.

Create a custom toolbar
1 Right-click anywhere on a toolbar or on the Menu bar. A submenu is displayed. The content of the
   submenu varies according to the page that is displayed in the work area and the options that are
   associated with that page.

2 Select Customize. The Customize window is displayed.

3 Click New.

4 In the New Toolbar Name field, specify a name for the toolbar and click OK.

5 Click the Commands tab.

6 Do one of the following:

   To add a button to the toolbar:

   a Click a category in the Categories tree.

   b Drag the command that you want from the Commands list to the displayed toolbar.

   or

   To add a custom menu to the toolbar:

   a In the Categories tree, click Custom Menus.

   b Drag the menu that you want from the Commands list to the displayed toolbar.

7 When you have added all of the buttons and menus that you want to the new toolbar, click Close.


Administration Tool toolbars
The Administration Tool does not have a context-sensitive toolbar.


Configuration Tool toolbars
The Configuration Tool has several different toolbars, depending on the page that is displayed in the work
area. However, the default toolbar is the Actions toolbar. These toolbars provide options to access the
pages, controls, and windows used to manage features associated with the Configuration Tool.
The following toolbars are available in the Configuration Tool:
• Actions toolbar

• Rule Options toolbar on page 72

• Alert Processing Rules Options toolbar on page 72

• System/Attack Responses toolbar on page 72

• URL Rules Options toolbar on page 73

Actions toolbar
The Actions toolbar has the basic set of tools for all of the pages that are displayed in the Configuration
Tool. The following tools are displayed:
• Apply Configurations… — Displays the Apply Configurations window, in which you can apply or
  schedule an apply to one or more firewalls. For more information, see Applying firewall configurations on
  page 589.

• Validate Configurations… — Displays the Validate Configuration window, in which you can assure
  that proposed configuration changes can be successfully applied to one or more firewalls. For more
  information, see Validating firewall configurations on page 586.

• Configuration Status — Displays the Configuration Status Report page, in which you can view
  information about the propagation of configuration data from the Control Center database to each
  selected firewall. For more information, see Firewall configuration management on page 574.

• Validation Status — Displays the Validation Status Report page, in which you can view the status of
  the validation process for each of the firewall configurations in the Control Center database and view the
  differences between the current configuration and the proposed configuration of a firewall. For more
  information, see Firewall configuration management on page 574.

• Rules — Displays the Rules page, in which you can view a complete list of the rules that have been
  defined on your system. For more information, see Creating, viewing, or modifying rules on page 528.

• IPS Attack Responses — Displays the IPS Attack Responses page, in which you can view a complete
  list of the IPS attack responses that have been defined on your system. For more information, see Viewing
  IPS attack responses on page 608.

• System Responses — Displays the System Responses page, in which you can view a complete list
  of the system responses that have been defined on your system. For more information, see Viewing
  system responses on page 612.

• Audit Trail… — Displays the Audit Trail page, in which you can view and analyze the McAfee Firewall
  Enterprise Control Center user activity that is stored in the audit trail tables in the Management Server
  Database. For more information, see Viewing audit trail information on page 615.

• Firewall Status — Displays the Firewall Status page, in which you can view a status summary of the
  firewalls that are configured for your operation. You can also use this page to quickly determine the status
  information about the operation of each firewall in your configuration. For more information, see Viewing
  the overall status of your firewalls on page 574.

• Firewall Configuration Backup… — Displays the Firewall Configuration Backup page, in which you
  can create or restore backup configuration files for one or more firewalls. For more information, see
  Backing up and restoring firewall configurations on page 704.

• Device Control… — Displays the Device Control window, in which you can manage firewalls. You can
  initiate various shutdown or suspend states for selected firewalls. For more information, see Managing
  firewall shutdown and suspension states and other maintenance settings on page 656.

• Locking Manager… — Displays the Locking Manager window, in which you can lock or unlock objects
  of a particular type to prevent multiple users from accessing or changing the same objects. For more
  information, see Locking configuration objects on page 649.

• Start Ticket or Stop Ticket — The tool that you see depends on whether a ticket has been
  started. If no ticket has been started, the Start Ticket tool is displayed. If a ticket has already been
  started, the Stop Ticket tool is displayed.

  When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the ticket. A
  ticket is used to identify specific changes that have been made to the firewall. For more information,
  see Configuring change tickets on page 103.

  When you select Stop Ticket, no window is displayed. However, the change ticket is closed.

Rule Options toolbar
The Rule Options toolbar is displayed when the Rules page is displayed in the work area of the
Configuration Tool. In addition to the tools in the Actions toolbar, this toolbar has the following tools:
• Add New Rule — Displays the Rule Editor window, in which you can create a new rule. For more
  information, see Creating, viewing, or modifying rules on page 528.

• Edit Rule — Displays the Rule Editor window, in which you can edit an existing rule. For more
  information, see Configuring rules on page 533.

• Delete Rule — Delete the highlighted rule.

• Delete Rules… — Displays the Rules Removal window, in which you can specify multiple rules and
  sets of rules to be deleted. Specify a range as the beginning and ending rule, separated by a hyphen (-).
  Separate each range of rules or individual rules with a comma (,).

• Cut Rule — Cut (or move) the highlighted rule.

• Paste Rule — Paste a rule in the location of the insertion point.

• Copy Rule — Create a copy of the highlighted rule.

• Move To Top — Move the highlighted rule to the top of the page.

• Move Up — Move the highlighted rule up one position on the page.

• Move Down — Move the highlighted rule down one position on the page.

• Move To Bottom — Move the highlighted rule to the bottom of the page.

• Manage Filters — Displays the Manage Filters window, in which you can load and manage previously
  named filters that are used to display only those rules that meet the filter requirements. For more
  information, see Loading and managing previously saved rule filters on page 549.

• Create Group — Displays the Rules Group window, in which you can create groups of rules. For more
  information, see Configuring groups of rules on page 551.

• Configure Columns — Displays the Rules Display Columns window, in which you can specify the
  columns to display on the Rules page. For more information, see Configuring columns to display on the
  Rules page on page 532.

Alert Processing Rules Options toolbar
The Alert Processing Rules Options toolbar is displayed when the Alert Processing Rules page is displayed in
the work area of the Configuration Tool. This toolbar has the following tools:
• Activate New Alert Policy — Send the alert rule set to the Control Center Management Server, which
  will momentarily reload the new rule set.

• Edit Rule — Displays the Alert Processing Rule window, in which you can edit an existing rule. For
  more information, see Modifying pre-defined alert processing rules on page 565.

System/Attack Responses toolbar
The System/Attack Responses toolbar is displayed when either the System Responses page or the IPS
Attack Responses page is displayed in the work area. This toolbar has the following tools:
• Save Pending Changes — Save changes that were made to the highlighted response during an
  editing session.

• Clear Pending Changes — Undo changes that were made to the highlighted response during an
  editing session.

• Add New — Displays the System Response window or the IPS Attack Response window, depending
  on the response page that is open in the work area. Select this option to create a new response. For more
  information, see Configuring system responses on page 613 or Configuring IPS attack responses on
  page 609.



72   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Navigating the Control Center user interface




•       (Edit) — Displays the System Response window or the IPS Attack Response window, depending on
    the response page that is open in the work area. Select this option to edit the highlighted response. For
    more information, see Configuring system responses on page 613 or Configuring IPS attack responses on
    page 609.

•        (Delete Rule) — Delete the highlighted response (rule).

•       (Delete Rules…) — Displays the Rules Removal window, in which you can specify multiple responses
    (rules) and sets of rules to be deleted. Specify a range as the beginning and ending rule, separated by a
    hyphen (-). Separate each range of rules or individual rules with a comma (,).

URL Rules Options toolbar
The URL Rules Options toolbar is displayed when the URL Translation Rules page is displayed in the work
area. This toolbar has the following tools:
•      (Add New Rule) — Displays the URL Translation Rules Editor window, in which you can create a new
    URL translation rule. For more information, see Configuring URL translation rules on page 560.

•       (Edit Rule) — Displays the URL Translation Rules Editor window, in which you can edit an existing URL
    translation rule. For more information, see Configuring URL translation rules on page 560.

•        (Delete Rule) — Delete the highlighted rule.

•       (Delete Rules…) — Displays the Rules Removal window, in which you can specify multiple rules and
    sets of rules to be deleted. Specify a range as the beginning and ending rule, separated by a hyphen (-).
    Separate each range of rules or individual rules with a comma (,).

•        (Copy Rule) — Create a copy of the highlighted rule.

•        (Move Up) — Move the highlighted rule up one position on the page.

•        (Move Down) — Move the highlighted rule down one position on the page.
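The Rules Removal window (reached through Delete Rules… on both the System/Attack Responses and the URL Rules Options toolbars) accepts a small selection syntax: a range is written as the first and last rule number separated by a hyphen, and ranges or single rules are separated by commas. Because a mistyped selection deletes policy rather than data, the following Python is an added example (not Control Center code) of validating such a specification and listing exactly which rules it selects before anything is removed. The function names and the sample rule names are this example's own.

```python
"""Parser for the Rules Removal specification syntax ("1-3,5,8-10").

Added example, not Control Center code. It models the syntax the Rules
Removal window describes (a range is "start-end", items are separated by
commas) so that the exact set of rules can be validated and listed before
anything is deleted. Function names and the sample rule names are this
example's own.
"""
import re

# One item: a single number or "start-end", with optional surrounding spaces.
_ITEM_RE = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+)\s*)?$")


def parse_rule_spec(spec: str, rule_count: int) -> list[int]:
    """Return the sorted, de-duplicated rule numbers selected by `spec`.

    Every malformed, reversed or out-of-range item raises ValueError, so a
    typo in the specification cannot silently remove the wrong rules.
    """
    if rule_count < 0:
        raise ValueError("rule_count must be non-negative")
    selected: set[int] = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty item in specification {spec!r}")
        match = _ITEM_RE.match(item)
        if match is None:
            raise ValueError(f"malformed item {item!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) is not None else start
        if start < 1:
            raise ValueError(f"rule numbers start at 1: {item!r}")
        if end < start:
            raise ValueError(f"range end is before its start: {item!r}")
        if end > rule_count:
            raise ValueError(f"rule {end} does not exist; only {rule_count} rules")
        selected.update(range(start, end + 1))
    return sorted(selected)


def remove_rules(rules: list[str], spec: str) -> tuple[list[str], list[str]]:
    """Apply `spec` to an ordered rule list; return (removed, remaining).

    Both lists are produced from a single pass over the original numbering.
    Deleting in one operation matters: once a rule is gone, the rules below it
    move up one position, so numbers read from the old display would point at
    the wrong rules in a second operation.
    """
    doomed = set(parse_rule_spec(spec, len(rules)))
    removed = [name for i, name in enumerate(rules, start=1) if i in doomed]
    remaining = [name for i, name in enumerate(rules, start=1) if i not in doomed]
    return removed, remaining


if __name__ == "__main__":
    # Constructed sample rule set; positions are the numbers shown on the page.
    sample = ["allow-dns", "allow-web", "deny-all-inbound",
              "allow-admin-ssh", "log-and-drop"]
    gone, kept = remove_rules(sample, "2, 4-5")
    print("would remove:", gone)   # ['allow-web', 'allow-admin-ssh', 'log-and-drop']
    print("remaining   :", kept)   # ['allow-dns', 'deny-all-inbound']
```

The parser is strict on purpose: an open-ended range such as `3-`, a reversed range, a rule number of 0, or a number beyond the current rule count all raise rather than being silently clamped, and the caller gets the full list of rule names to confirm before the deletion is committed.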

Object Configuration area trees of the Configuration Tool
The Object Configuration area is displayed on the left side of the main GUI interface of the Configuration
Tool. Select any of the following group bars to display the configurable objects in a tree that are associated
with the specific group bar.
• Firewalls — Displays a tree that includes firewall, cluster, and device group objects.

• Firewall Settings — Displays a tree that includes all of the objects that are related to a firewall
  configuration.

• Policy — Displays a tree that includes all of the objects that help you define policy for your network
  configuration. Objects include: rules, network objects, and application defenses.

• Monitor — Displays a tree that includes objects that assist you with monitoring your firewalls. Objects
  include: audit filters, responses, IPS attack responses, system responses, and the audit report.

• Maintenance — Displays a tree that includes objects that assist you in maintaining your firewalls and the
  McAfee Firewall Enterprise Control Center Management Server.


Reporting and Monitoring Tool toolbars
The Reporting and Monitoring Tool has the Firewalls and Reports toolbar and an Alert Browser toolbar that
provide options to access the tab pages and windows that you use to manage alerts and generate
firewall-specific and audit log reports.




     Firewalls and Reports tools
     The Firewalls and Reports toolbar has the following tools:
     •        (Alert Browser) — Displays the Alert Browser page, in which you can view a summary of the alerts
         that have been generated by the configured firewalls. For more information, see Alerts on page 677.

         Use the Alert Browser to quickly identify the alerts that are being generated by the configured
         firewalls, to acknowledge an alert, to annotate the corrective actions that are taken, to resolve the
         problem, and to clear the alert.

     •       (Secure Alerts Servers) — Displays the Secure Alerts Server page, in which you can view current and
         historical Secure Alerts Server status information. For more information, see Secure Alerts Server on
         page 686.

         This page is divided into two panes:

         • Secure Alerts Server Status table on page 688

            The upper pane displays the current status of the Secure Alerts Servers.

         • Secure Alerts Service History table on page 689

            The lower pane displays the historical status of when the server was started and stopped.

     •        (Start Page) — Displays the Start Page (the McAfee Firewall Enterprise Control Center home page) if
         it has been previously closed.

     •       (Firewall Status) — Displays the Firewall Status page, in which you can view a status summary of the
         firewalls that are configured for your operation. You can also use this page to quickly determine the status
         information about the operation of each firewall in your configuration. For more information, see Viewing
         the overall status of your firewalls on page 574.

     Alert Browser
     When the Alert Browser page is displayed in the work area, the following tools are available on the Alert
     Browser toolbar in addition to those tools from the Firewalls and Reports toolbar:
     •       (Columns) — Displays the Column Selector window, in which you can specify the columns of alert data
         to be displayed on the Alert Browser page. For more information, see Configuring columns for the Alert
         Browser page on page 685.

     •       (Filters) — Displays the Alert Filter window, in which you can specify the alerts to be displayed on the
         Alert Browser. For more information, see Filtering the alerts to be displayed in the Alert Browser on
         page 686.

     •       (Export Data) — Displays the Export Alerts File window, in which you specify the destination for the
         exported data and the file name that is used for the exported data. The selected data is exported, in plain
         text format, to a local platform.

     •       (Print) — Displays the Print window, in which you can specify the printer name, the print range, and
         the number of copies of the selected alert data.

     •      (Display Ack) — Displays the alerts that have been acknowledged. By selecting this tool, the
         Acknowledged checkbox is automatically selected in the Alert Filter window.

     •      (Display Cleared) — Displays the alerts that have been cleared. By selecting this tool, the Cleared
         checkbox is automatically selected in the Alert Filter window.

     •      (Display Open) — Displays the alerts that have not been acknowledged. By selecting this tool, the
         Open checkbox is automatically selected in the Alert Filter window.
     •      (Annotate) — Displays the Annotate window, in which you can record any comments about the
         associated alert.




•       (Ack) — Displays the Annotate window, in which you can record any comments about the associated
    alert. By selecting this menu option, the acknowledgement checkbox for each selected alert is also
    selected. This is a one-time activity for each alert. If you select this option, you cannot clear the option.
    To view alerts that have been acknowledged, click         (Display Ack) on the toolbar or select Display Ack
    from the Options menu.

    If an alert is acknowledged and more alerts of the same type on the same firewall occur, the alert
    count is incremented and      (Acknowledge Alert) is displayed in the Alert Browser page.

•       (Clear) — Clear the selected alerts. To view alerts that have been cleared, click (Display Cleared)
    on the toolbar or select Display Cleared from the Options menu. Cleared alerts will remain visible until
    they are removed from the system. A script is automatically run each night to remove the cleared alerts.
    You can configure the time at which this script runs.

•        (Jump) — Displays the Jump To window, in which you can display the selected row number.

•       (Events) — Displays the events that are associated with the selected alerts when one or more alerts
    are highlighted. To highlight one alert, click its Row Number column (the far-left column); to highlight
    more than one alert, use Ctrl+click or Shift+click. Then display the Event Browser window by clicking
    (Events) or selecting Events from the Options menu.

•      (Preview Pane) — Horizontally split the view display in half. The top half displays the detailed
    description of the selected alert and the bottom half displays the list of alerts.

Devices and Reports area trees of the Reporting and Monitoring Tool
The Devices and Reports area is displayed on the left side of the main GUI interface of the Reporting and
Monitoring Tool. Select any of the following group bars to display the configurable objects in a tree that are
associated with the specific group bar.
• Firewalls — This node displays all of the firewalls that have been configured for your system. The
  firewalls are organized by firewall type and then by groups of devices.

    Right-click a firewall object to display a firewall-specific menu to perform specific actions, depending
    on the selected firewall.

    Firewall objects have the following options that can be accessed by right-clicking a firewall object:

    • Alert Browser — Display the audit events for the selected object.

    • Audit Report — Generate an audit report for the selected object.
    • Policy Report — Generate a policy report for the selected object.

    • License Report — Generate a license report for the selected object.

    • Properties — Display the selected firewall's properties.

    • Additional Firewall Reports — Identify a firewall-specific report to generate for the selected firewall.
      For more information about generating firewall-specific reports, see Firewall report results on
      page 619.

• Reports — [Available only if a firewall-specific report has been successfully generated] For more
  information about generating firewall-specific reports, see Firewall report results on page 619. These
  reports are available only until the current session is stopped.

    Right-click a firewall report object to select options to arrange and sort the generated reports. The
    following options are available:

    • Sort by Report Type — Groups all of the generated reports by the type of report that was generated.

    • Sort by Firewall — Groups all of the reports that were generated for a specific firewall by the firewall
      name.




     Software Updates Tool toolbars
     The Software Updates Tool has an Action toolbar that is used to access the main page options that are
     available in the work area and options toolbars that are associated with the Store Updates and Install
     Updates pages.

     Action Toolbar tools
     The Action toolbar has the following tools:
     •       (Install Updates) — Displays the Install Updates page, in which you can manage and install software
         updates on each supported firewall that is installed in your configuration. For more information, see
         Installing software and firmware updates on page 697.

     •       (Firewall Configuration Backup) — Displays the Firewall Configuration Backup page, in which you can
         create and restore configuration backups for selected firewalls that are installed in your configuration. For
         more information, see Backing up and restoring firewall configurations on page 704.

     •       (Store Updates) — Displays the Store Updates page, in which you can identify, store, and manage
         firewall software and firmware updates on the Management Server. For more information, see Storing
         software and firmware updates on page 709.

     •       (Start Ticket) or     (Stop Ticket) — The tool that you see depends on whether a ticket has been
         started. If no ticket has been started, the Start Ticket tool is displayed. If a ticket has already been
         started, the Stop Ticket tool is displayed.

         When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the
         ticket. A ticket is used to identify specific changes that have been made to the firewall. For more
         information, see Configuring change tickets on page 103.

         When you select Stop Ticket, no window is displayed. However, the change ticket is closed.

     Install Updates page tools
     When the Install Updates page is displayed in the work area, the following tools are available:
     •       Update Firewalls — Perform the actions that you have specified on the firewalls that you have
         selected. You must have already selected an update action for all of the selected firewalls before you can
         select this tool or menu option. If you try to update a firewall with an update that has not been
         downloaded to the Management Server, the update will first be downloaded and saved on the
         Management Server. Then it will automatically be installed on the applicable selected firewalls.
         Note: You cannot initiate a new update on a firewall while it has an update in the “In Progress” state.

     •       Schedule Firewalls — Displays the Schedule Firewall Actions window, in which you can set a date
         and time to perform actions that are related to one or more firewalls. You can also remove a schedule.
         For more information, see Scheduling device software updates on page 703.

     •       Clear Last Update — Clear the values of the Last Update and Update Status fields from the table.
         However, this information is not cleared from the Update History data. Use this tool or menu option to
         clear field values when an update is stuck in the “In Progress” state.

     •       Update Firewall Status — Send a firewall status request to the selected firewalls. The resulting
         firewall status is displayed in a column on the left as an icon.

     •        Refresh Grid — Refresh the contents of the table on this page.




Store Updates page tools
When the Store Updates page is displayed in the work area, the following tools are available:
•       Check for Updates — Check for new updates from the defined, auto-discovery location. For more
    information about configuring the auto-discovery settings, see Configuring update download settings on
    page 692.

•       Download Updates — Download the associated update for each highlighted row from the location
    that is specified in the auto-discovery settings. For more information about configuring the auto-discovery
    settings, see Configuring update download settings on page 692.

•      Restart Download — Restart the download process if a problem or failure occurs when an update
    package is being transferred from the location at which updates are stored to the Management Server.

•       Remove Updates — Remove the associated update for each highlighted row from the Management
    Server. After an update has been removed from the Management Server, it will no longer be displayed in
    the Store Updates table unless you have selected the Show removed updates checkbox in the Update
    Settings window.

•       Manual Download — Specify the way in which and the location to which an update is to be
    downloaded from a location other than the one that was specified in the auto-discovery settings. Use this
    option to acquire an update and store it on the Management Server when there is no access to the Secure
    Computing FTP location. For information about how to configure this option, see Manually downloading
    software updates on page 711.

•        Refresh Grid — Refresh the contents of this page.




3      Administration Tool


       Contents
       Administration Tool
       Control Center users
       Control Center roles
       Configuration domains
       Configuration domain version management
       Audit data management
       Control Center Management Server licensing
       System settings
       ePolicy Orchestrator settings
       High Availability (HA)
       Authentication



Administration Tool
       The Administration Tool aggregates the McAfee Firewall Enterprise Control Center (CommandCenter)
       administrative functions into a single tool.
       You can accomplish the following tasks by using the features and functions of the Administration Tool:
       • Control Center users — You can create and manage the unique Control Center user names and
         passwords that are used to authenticate user access to the Control Center Management Server. For more
         information, see Control Center users on page 81.

       • Control Center roles — After a user is specified, he or she is assigned a role that determines the tasks
         that he or she is allowed to perform. Although a default set of roles has been pre-defined, you can create
         additional user-defined roles that can be assigned to Control Center users. For more information, see
         Control Center roles on page 89.

       • Configuration domains — Activate the configuration domains option to segregate configuration data
         views and management into multiple domains. The operation and configuration data associated with a
         configuration domain is accessible only when the specific domain is selected during the login process. All
         other configuration data is obscured and cannot be acted upon or seen. If configuration domains are
         activated, configuration domain versions and version management can be accessed from the
         Administration Tool, as well as from the Configuration tool. For more information about configuring and
         managing configuration domains, see Configuration domains on page 92. For more information about
         versions and version management for configuration domains, see Configuration domain version
         management on page 97.
       • Audit management — The Control Center can track when firewalls, endpoints, services, rules, alert
         processing rules, and many other objects are updated, added, or removed by Control Center users. You
         can specify the actions that are to be tracked, the objects that are to be tracked, the archiving (or not)
         of the tracked data, and a way to view and filter the tracked data. For more information, see Audit data
         management on page 100.
          Note: Do not confuse the Control Center Audit Trail that provides a record of actions performed by Control
          Center users with security firewall-specific audit reports.




     • Control Center license — You can manage the Control Center license by selecting License from the
       System menu. For more information, see Control Center Management Server licensing on page 104.

     • Network Settings — You can view and edit Control Center settings, such as host name, servers (NTP,
       DNS, and mail), network interfaces (IP address, net mask, broadcast, and gateway) and static routes. For
       more information, see Configuring Control Center network settings on page 115.

     • System settings — You can manage specific Control Center system settings in the Administration Tool.
       These settings include: specifying the default login disclaimer information that is posted in the login
       window for each tool in the Client Suite, the failed login lockout settings, and the default application
       time-out period. For more information, see Configuring system settings on page 121.

     • ePolicy Orchestrator settings — You can configure the Control Center Management Server to
       communicate with the ePolicy Orchestrator server to share information about host objects, firewalls, and
       the Control Center Management Server. To use this communication, you must also configure an ePO user
       in this window. For more information, see Configuring access to the ePolicy Orchestrator server on
       page 132.

     • Management Server property management — You can display and edit Control Center Management
       Server properties and add new properties. For more information, see Configuring Management Server
       properties on page 664.

     • Ticket management — You can use the Start Ticket and Stop Ticket menu options to manage a ticket,
       which is used to identify specific changes that have been made to the firewall. For more information, see
       Configuring change tickets on page 103.

     • Management Server log file management — You can manage the Control Center Management Server
       log files by using the Server Logs window. For more information, see Viewing Management Server logs
       on page 663.

     • Alternate authentication — You can configure the way that Control Center users authenticate with the
       Management Server. The Control Center supports an internal authentication mechanism, as well as LDAP
       and RADIUS for off-box authentication. For more information, see Authentication on page 145.

     • View the backup Management Server status — If the High Availability (HA) Management Server
       Configuration option is used, you can view the status condition of the backup Management Servers in the
       Backup Server Status page. For more information, see Viewing the status of your backup Management
       Servers on page 122.

     • Restore or back up the Management Server — Use the Administration Tool (and the Configuration
       Tool under certain circumstances) to manage the backup and restoration of the Control Center
       configuration and the operational data. A full system backup can be requested and an off-box location can
       be specified. For more information, see Managing configuration data for the Management Server on
       page 23.

     • Set the Management Server date and time — You can set the Management Server date and time in
       the Set Server Date and Time window. For more information, see Setting the date and time on the
       Management Server on page 131.

     • Change user passwords — [Available only if internal authentication is being used, which is configured
       on the Control Center Authentication Configuration window] You can change a user’s password in the
       Change User Password window. For more information, see Changing user passwords on page 88.

     • Restart the Management Server — You can restart the Management Server. For more information, see
       Restarting the Management Server on page 131.
        Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request.

     • Stop the Management Server — Stop the Management Server and exit the application. Then click Yes
       to confirm or No to cancel the action.




       • High Availability (HA) configuration on the Management Server — You can use these wizards to
         establish or remove the High Availability (HA) Management Server configuration. For more information
         about these wizards, see Configuring the High Availability (HA) feature on page 140 and Removing the
         High Availability (HA) configuration feature on page 143.



Control Center users
       Each user who can log into the Control Center must be identified and authenticated. This is accomplished
       by specifying a unique user name and password for each user. The tasks that can be performed by users
       are determined by the assigned role and the specific firewalls over which a user can have authority.
       Use the Control Center User Manager window on the Administration Tool to specify Control Center users.
       This window is used to perform the following tasks:
       • Create and manage the Control Center users.

       • Assign previously defined roles to a user.

       • Specify the firewalls that can be accessed by the named user.

       • Restrict the time of day and days of the week that users can log into the Control Center.

       • Specify when a user's access to the Control Center expires.

       • Specify if and when a user is required to re-authenticate after a specified amount of inactivity (lack of
         mouse movement).
       Use the Role Manager window to specify the roles that are assigned to Control Center users.
       If configuration domains are activated, the Domain Access tab is displayed, in which you can specify the
       domains that the user can log into and the privileges that he or she has for configuring and managing the
       domain. For more information about configuration domains, see Configuration domains on page 92.
       If external, off-box authentication is selected, you can select a failover internal authentication method for a
       user. If you select the Allow authentication fallback checkbox, credentials that have been submitted to
       log into the Management Server from any of the tools in the Client Suite are presented to the internal
       authentication system if there is a communication failure between the Management Server and the off-box
       authentication server (LDAP or RADIUS). Configure the type of authentication to be used by selecting
       Authentication from the System menu of the Administration Tool. For more information, see
       Authentication on page 145.
       Note: The Control Center User Manager window is not used to configure users who are authorized to directly
       manage security devices, such as firewalls, or to pass data through a firewall. For more information, see
       Configuring Control Center users on page 82.




     Configuring Control Center users
     Use the Control Center User Manager window to manage Control Center users. For more information about
     users, see Control Center users on page 81.
     When you add users in this window, they are able to log into the Control Center Client Suite tools to
     manage objects from a central location. You cannot use this window to configure or manage users that
     have access to specific firewalls. For more information about configuring firewall-specific users, see Firewall
     users on page 461.
     Figure 5 Control Center User Manager window




     Accessing this window
     In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User.

     Fields and buttons
     This window has the following fields and buttons:
     • User Name — [Required] Specify a login name that is recognized by the Control Center.

     • Password — [Required] Specify the password that is used to authenticate the user to the Control Center.
       Passwords must be a minimum of eight characters in length.

        If a new user is being added or the password value for an existing user changes, you will be prompted
        to confirm the password when you save the user information. You must re-specify the password
        exactly as it was specified in the Password field to save the changes.

        You can also change a user password by using the Change User Password window if internal
        authentication was set in the Control Center Authentication Configuration window. For more
        information, see Changing user passwords on page 88.

     • Full Name — [Optional] Specify the first and last name of the user.

     • Email Address — [Optional] Specify the e-mail address of the user.




• Account Locked — [Available only if this user account is locked] Determines whether this user account
  remains locked. The account could be locked because of reaching the number of failed login attempts. To
  unlock this account, clear this checkbox. The default lockout time period is 30 minutes.

• Allow authentication failback — Determines whether the user can authenticate into the Management
  Server by presenting the external authentication credentials to the internal authentication system so that
  he or she can log into the Control Center Management Server if all identified external authentication
  servers are unreachable.

• OK — Save the changes that were made on all of the tabs.

• Cancel — Close this window without saving any changes.
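The Control Center users section and the fields above describe several independent checks that gate a login: the account lockout that follows repeated failed attempts (30 minutes by default), time-of-day and day-of-week restrictions, account expiry, and external LDAP or RADIUS authentication with an optional fallback to the internal credential. The point that is easy to get wrong is the scope of the fallback: it applies only when the external server cannot be reached, not when the external server rejects the credentials. The following Python is an added example (not product code) that models these checks in one decision function. The User record, the function names, the check order and the failed-login threshold of five are this example's own assumptions; the lockout period is the documented default.

```python
"""Login-decision model for a Control Center user.

Added example, not product code. It strings together the checks the guide
describes: account lockout with the 30-minute default period, time-of-day
and day-of-week restrictions, account expiry, and external (LDAP/RADIUS)
authentication with internal fallback. Field names, function names, the
failed-login threshold and the check order are assumptions of this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

LOCKOUT_PERIOD = timedelta(minutes=30)  # documented default lockout time period
MAX_FAILED_LOGINS = 5                   # assumed threshold (configured under System settings)


class ExternalAuthUnreachable(Exception):
    """Raised when the off-box LDAP/RADIUS server cannot be contacted."""


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the internally stored credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes                                 # internal credential
    allowed_weekdays: frozenset = frozenset(range(7))    # 0 = Monday ... 6 = Sunday
    login_hours: tuple = (0, 24)                         # [start, end) hour of day
    expires: Optional[datetime] = None                   # account expiry date
    allow_fallback: bool = False                         # "Allow authentication fallback"
    failed_logins: int = 0
    locked_at: Optional[datetime] = None


def new_user(name: str, password: str, **kw) -> User:
    salt = os.urandom(16)
    return User(name=name, salt=salt, password_hash=hash_password(password, salt), **kw)


def is_locked(user: User, now: datetime) -> bool:
    """A lock expires after LOCKOUT_PERIOD (an administrator may also clear it)."""
    if user.locked_at is None:
        return False
    if now - user.locked_at >= LOCKOUT_PERIOD:
        user.locked_at, user.failed_logins = None, 0
        return False
    return True


def within_time_restrictions(user: User, now: datetime) -> bool:
    start, end = user.login_hours
    return now.weekday() in user.allowed_weekdays and start <= now.hour < end


def authenticate(user: User, password: str, now: datetime,
                 external: Optional[Callable[[str, str], bool]] = None) -> tuple[bool, str]:
    """Return (allowed, reason).

    `external(name, password)` stands in for the LDAP/RADIUS check: it returns
    True or False, or raises ExternalAuthUnreachable on a communication failure.
    """
    if is_locked(user, now):
        return False, "account locked"
    if user.expires is not None and now >= user.expires:
        return False, "account expired"
    if not within_time_restrictions(user, now):
        return False, "outside permitted login times"

    source = "internal"
    if external is None:
        ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
    else:
        try:
            ok = external(user.name, password)
            source = "external"
        except ExternalAuthUnreachable:
            # Fallback covers only a communication failure. An explicit
            # rejection by the external server (ok == False above) is final.
            if not user.allow_fallback:
                return False, "external authentication server unreachable"
            ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
            source = "internal fallback"

    if not ok:
        user.failed_logins += 1
        if user.failed_logins >= MAX_FAILED_LOGINS:
            user.locked_at = now
            return False, "bad credentials; account locked"
        return False, f"bad credentials ({source})"
    user.failed_logins = 0
    return True, f"authenticated ({source})"


if __name__ == "__main__":
    # Constructed demonstration: the external server is down, fallback is allowed.
    def server_down(_name: str, _password: str) -> bool:
        raise ExternalAuthUnreachable

    admin = new_user("admin", "constructed-example-password", allow_fallback=True)
    print(authenticate(admin, "constructed-example-password",
                       datetime(2024, 3, 13, 10, 0), server_down))
```

Two behaviours are worth noticing when reading the model. A user whose external server rejects the password is counted as a failed login and is not retried internally, even with fallback enabled; and the lockout, time-restriction and expiry checks run before any credential is examined, so a locked or expired account reveals nothing about whether the password was right.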

Tabs
This window has the following tabs:
• Domain Access — [Available only if configuration domains have been activated] Identify the
  configuration domains that a user can log into and the privileges that he or she can exercise. For more
  information, see Control Center User Manager window: Domain Access tab.

• Roles — Assign one or more roles to a user. This assignment controls the level of access that a user has
  to Control Center objects and the actions that they can perform. This tab is available only if configuration
  domains have not been activated. For more information, see Control Center User Manager window: Roles
  tab.

• Firewall Access List — Specify the firewalls that the user can configure. For more information, see
  Control Center User Manager window: Firewall Access List tab.

• Time Restrictions — Control the time frame in which the user can log into the Control Center, and
  specify a date when the account will expire. For more information, see Control Center User Manager
  window: Time Restrictions tab.

• Application Timeout — [Not available for the ePO user] Specify whether or when a user is required to
  re-authenticate after a specified amount of inactivity (lack of mouse movement). For more information,
  see Control Center User Manager window: Application Timeout tab.

Control Center User Manager window: Domain Access tab
Use the Domain Access tab of the Control Center User Manager window to specify access to configuration
domains and the privileges that can be exercised for the specified user. This tab has a current list of the
configuration domains and roles that have been previously defined.
Note: You can access this tab only if you have activated configuration domains. For more information, see
Configuration domains on page 92.

Figure 6 Control Center User Manager window: Domain Access tab




     Accessing this tab
     1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The
       Control Center User Manager window is displayed.

     2 Select the Domain Access tab. The Domain Access tab of the Control Center User Manager window is
        displayed.

     Fields and buttons
     Select the checkbox that is associated with each previously defined configuration domain that the user can
     log into and each role that specifies the privileges that he or she can exercise.
     There are two special configuration domains that are displayed in the list of configuration domains:
     • Administrator domain

     • Shared domain

     Administrator domain
     Select the Administrator domain checkbox to grant configuration domain administrator privileges to the
     user. The user can then access the Administration Tool and can create and delete configuration domains,
     along with other super-user privileges. For more information, see Configuration domains on page 92.

     Shared domain
     Select the Shared domain checkbox to grant those privileges for common objects that are shared across
     all of the configuration domains to the user. For more information, see Configuration domains on page 92.

     Control Center User Manager window: Roles tab
     Use the Roles tab of the Control Center User Manager window to specify the level of access that a user has
     to Control Center objects and the actions that he or she can perform. This tab contains a complete list of
     Control Center roles that have been previously defined. For more information about users and roles, see
     Control Center users on page 81 and Control Center roles on page 89.
     Note: This tab is available only if configuration domains have not been activated. For more information, see
     Configuration domains on page 92.

     Figure 7 Control Center User Manager window: Roles tab




     Accessing this tab
     1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The
       Control Center User Manager window is displayed.

     2 Select the Roles tab. The Roles tab of the Control Center User Manager window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Role — Select the checkbox to indicate the role or roles that are assigned to a Control Center user. By
  default, a user has no roles assigned to him or her. Any number of defined roles can be assigned to a
  single user.

• Description — [Read-only] Displays the descriptive information that was entered when the role was defined.
Note: Any changes that are made to users who are currently logged into the Control Center Client application do
not take effect until those users log out and log back in.

Control Center User Manager window: Firewall Access List tab
Use the Firewall Access List tab of the Control Center User Manager window to specify the firewalls to which
a user can apply configuration information. This tab contains the current list of the firewalls that have been
defined. For more information, see Control Center users on page 81.
Figure 8 Control Center User Manager window: Firewall Access List tab




Accessing this tab
1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The
  Control Center User Manager window is displayed.

2 Click the Firewall Access List tab. The Firewall Access List tab of the Control Center User Manager
   window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Firewalls — Specify the firewall or firewalls to which the user will be allowed to apply configuration
  information. By default, no firewalls are selected. If the user is given access to all firewalls (ALL
  FIREWALLS), he or she is automatically, without any further action, given access to all future firewalls
  that are configured for the system. Otherwise, the user is able to apply configuration information only for
  the firewalls that are specified on this tab.

• Description — [Read-only] Displays the descriptive information that was specified when the firewall was
  defined during its configuration.

     Control Center User Manager window: Time Restrictions tab
     Use the Time Restrictions tab of the Control Center User Manager window to specify when a user has the
     ability to log into the Control Center, and to identify the date when the user account will expire. For more
     information, see Control Center users on page 81.
     Figure 9 Control Center User Manager window: Time Restrictions tab




     Accessing this tab
     1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The
       Control Center User Manager window is displayed.

     2 Select the Time Restrictions tab. The Time Restrictions tab of the Control Center User Manager window
        is displayed.

     Fields and buttons
     This tab has the following fields and buttons:
     • Login Restriction — Use the fields in this area to determine any time constraints on user logins.

        • Restrict User Login by Time — Determines whether there is a time constraint on the time that a
          user can log in. This checkbox is cleared by default. If you select this checkbox, the following field is
          available:

             • Time Period — Select a time period from the list of previously defined time periods, or click the
               icon beside the list to display the Time Period Manager window, in which you can define a new time
               period object. Time period objects are managed by using the Configuration Tool. For more information
               about time period objects, see Managing time periods on page 470.

     • Expiration Settings — Use the fields in this area to determine whether the user account will expire on
       a specific date. The following fields are available:

        • Expire Account — Determines whether the user account will expire on a specific date. This date is the
          date on which the user will no longer be able to log into the Control Center Client application. This
          checkbox is cleared by default. You can edit the value in the list directly or you can click the down arrow
           to access a calendar, in which you can select the month, date, and year.

Control Center User Manager window: Application Timeout tab
Use the Application Timeout tab on the Control Center User Manager window to specify the number of
minutes of inactivity that must elapse before the user is required to re-authenticate. Inactivity is defined as
the absence of mouse movement. As opposed to the System Settings window, in which you can set a
default application time-out period, use this tab to specify the user-specific time-out value. For more
information, see Control Center users on page 81.
Note: This tab is not available for the ePO user.

Figure 10 Control Center User Manager window: Application Timeout tab




Accessing this tab
1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The
  Control Center User Manager window is displayed.

2 Click the Application Timeout tab. The Application Timeout tab of the Control Center User Manager
   window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Use Default Application Timeout — Select this option to specify that the setting for this user will use
  the default application time-out period that was set by using the System Settings window.

• No Application Timeout — Select this option to specify that this user will never require
  re-authentication.

• Select Application Timeout — Select this option to specify the number of minutes of inactivity for this
  user. Use this field, along with the Timeout (min) field, to specify a custom configuration to apply to each
  user.

• Timeout (min) — [Available only if you have selected the Select Application Timeout option] Specify
  the number of minutes of inactivity for this user.

     Changing user passwords
     Use this window as an alternate way to change your user password. This window is available only if your
     user profile has been configured to use internal authentication to access the Control Center (as opposed to
     external authentication). For more information about authentication, see Authentication on page 145.
     If you have administrator privileges and you want to change the password of a different user, use the
     Control Center User Manager window in the Administration Tool. For more information, see Configuring
     Control Center users on page 82.
     Figure 11 Change User Password window




     Accessing this window
     From the System menu of any of the tools, select Change Password…. The Change User Password
     window is displayed.
     If you receive a Policy Violation message, indicating that your password has expired and you decide to
     change your password, click Yes. The Change User Password window is displayed.

     Fields and buttons
     This window has the following fields and buttons:
     • User name — [Read-only] Displays the user name with which you logged into the Control Center. This
       is also the name of the user whose password you are changing.

     • Current password — Specify the password that you are currently using and that you used to log into
       the Control Center.

     • New password — Specify a new password according to the policy that is specified in this window. This
       policy is established by an administrator user in the Control Center Authentication Configuration window.
       For more information about this window, see Configuring Control Center user authentication on page 146.

     • Confirm new password — Specify the same value as you specified in the Current password field to
       verify the value that you specified.

     • OK — Saves the password change.

     • Cancel — Closes the window without saving any changes.

Control Center roles
       A role defines the activities that a user is permitted to perform on each type of object in the Control Center,
       and the actions that the user is allowed to perform across the various tools.
       The objects include, but are not limited to, endpoints, services, firewall users, time objects, VPNs, and
       certificates. The activities are defined as:
       • View — The user can view objects.

       • Update — The user can update existing objects.

       • Add — The user can add new objects.

       • Remove — The user can remove objects.

       You can use roles in many different ways to add strong security when you are configuring firewalls. For
       example, your organization can require that the action of two or more users must be involved to
       administrate a firewall. Each user would need to contribute his or her part of the configuration before a
       complete configuration can be created and applied. For example, you can create a role that allows a user to
       have full access to all objects, except for those that are used for VPN. You can create another role to allow
       a user to have access only to the objects that are used for VPN (for example, VPN peers, communities, and
       certificates). To create a firewall configuration that employs VPN, the actions of both users would be
       required.
       You can also configure an environment that uses permitted actions by specifying a role in which one user
       could specify and validate configurations, and by specifying another role to allow a different user to apply
       configurations.
       You can create any number of roles and you can assign any number of roles to a user. If you have assigned
       a role to a current user, the role cannot be deleted.
       Use the Role Manager window to create roles that can be assigned to Control Center users.
       The following roles are defined by default. However, you can delete any of these roles except for the
       Administrator role (again, if it is not assigned to a current user):
       • Administrator — This is an administrator with full access to all object types. This is the only pre-defined
         role that cannot be deleted.
       • VPN Administrator — This is an administrator who can manage VPN access.

       • Audit and Alert Administrator — This is an administrator who can manage audits and alerts.

       • Audit and Alert Monitor — This is a user who can view and manage firewall alerts and activities, and
         who can also view reports from firewalls.

        Use the Control Center User Manager window to assign these roles to users.

     Managing roles for Control Center users
     Use the Role Manager window to manage roles that can be assigned to Control Center users. The role or
     roles assigned to a user will determine the actions that the user can perform on the selected objects. For
     more information, see Control Center roles on page 89.
     Figure 12 Role Manager window




     Accessing this window
     In the Administration Tool, from the Roles menu, select Add Role, Modify Role, or Copy Role. The Role
     Manager window is displayed.

     Fields and buttons
     This window has the following fields:
     • Role Name — [Required] Specify a unique name for this Control Center role.

     • Description — Provide a description for the role that is being specified.

     Tabs
     This window has the following tabs:
     • Objects — Specify the activities that can be performed on the selected objects for users who are assigned
       this role. For more information, see Role Manager window: Objects tab on page 91.

     • Actions — Specify the actions that can be performed by users who are assigned this role. For more
        information, see Role Manager window: Actions tab on page 92.

Role Manager window: Objects tab
Use the Objects tab of the Role Manager window to specify the activities that can be performed on the
selected objects by users who are assigned to the role that is being specified. For more information, see
Control Center roles on page 89. To view the fields on this tab, see Figure 12 on page 90.

Accessing this tab
1 In the Administration Tool, from the Roles menu, select Add Role, Modify Role, or Copy Role.

2 Click the Objects tab. The Objects tab of the Role Manager window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Object — [Read-only] Displays the names of the available objects (for example, Network Objects,
  Services, VPN).

   The first item in the list (All Objects) has special significance. If the View, Update, Add, or Remove box
   for this All Objects object is selected, the same checkbox for all of the other objects (both currently
   defined and for those in the future) will also be selected.

• Description — [Read-only] Displays information about the object.

• View — Determines whether a user with this role is allowed to view objects of this type. This checkbox is
  cleared by default.

• Update — Determines whether a user with this role is allowed to modify objects of this type. This
  checkbox is cleared by default.

• Add — Determines whether a user with this role is allowed to create objects of this type. This checkbox
  is cleared by default.

• Remove — Determines whether a user with this role is allowed to delete objects of this type. This
  checkbox is cleared by default.
   Note: If you select the Update, Add, or Remove checkbox for a particular type of object, the View checkbox
   for that object is automatically selected.

   Right-click anywhere in the object list to display a shortcut menu that you can use to select or clear the
   associated View, Update, Add, or Remove checkbox for the object that is currently selected or to apply the
   changes to all of the objects in the list.

       Role Manager window: Actions tab
       Use the Actions tab of the Role Manager window to specify the actions that can be performed by users who
       are assigned the role that is currently being specified.
       Figure 13 Role Manager window: Actions tab




       Accessing this tab
       1 In the Administration Tool, from the Roles menu, select Add Role, Modify Role, or Copy Role.

       2 Click the Actions tab. The Actions tab of the Role Manager window is displayed.

       Fields and buttons
       This tab has the following fields and buttons:
       • Action — [Read-only] Displays the names of the actions that have been specified (for example, Apply,
         Validate, Alerting).

       • Description — [Read-only] Displays information about the action.

       • Enable — Determines whether a user with this role is allowed to perform this action. The default value
         is cleared.
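The checkboxes on the Objects and Actions tabs above, together with the Firewall Access List and Time Restrictions tabs of the Control Center User Manager window, add up to an authorization model that can be written down and checked. The following Python is an added example, not code from this guide or from the product: it encodes those rules as the guide states them (Update, Add or Remove implies View; All Objects covers current and future object types; a user's roles are combined; ALL FIREWALLS includes future firewalls; an expired account or a login outside the time period is refused) and runs the two-person VPN scenario from the introduction to this section. The role names, object types, firewall names and the TimePeriod class are assumptions made for the example.

```python
"""Model of the user and role rules described in this guide (added example).

Roles tick View/Update/Add/Remove per object type (Update, Add or Remove
implies View; the All Objects row covers every type, current and future) and
enable actions on the Actions tab.  A user holds any number of roles (their
union applies), a Firewall Access List where ALL FIREWALLS includes future
firewalls, an optional expiry date and an optional login time period.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, datetime, time

ACTIVITIES = ("View", "Update", "Add", "Remove")
ALL_OBJECTS = "All Objects"        # first row on the Objects tab
ALL_FIREWALLS = "ALL FIREWALLS"    # wildcard on the Firewall Access List tab


@dataclass
class Role:
    name: str
    objects: dict[str, set[str]] = field(default_factory=dict)  # type -> activities
    actions: set[str] = field(default_factory=set)              # enabled actions

    def grant(self, obj: str, *activities: str) -> Role:
        acts = set(activities)
        if acts & {"Update", "Add", "Remove"}:
            acts.add("View")        # the View box is selected automatically
        self.objects.setdefault(obj, set()).update(acts)
        return self

    def allows(self, obj: str, activity: str) -> bool:
        return (activity in self.objects.get(ALL_OBJECTS, set())
                or activity in self.objects.get(obj, set()))


@dataclass
class TimePeriod:                  # constructed stand-in for a time period object
    start: time
    end: time

    def contains(self, at: datetime) -> bool:
        return self.start <= at.time() <= self.end


@dataclass
class User:
    name: str
    roles: list[Role] = field(default_factory=list)    # no roles by default
    firewalls: set[str] = field(default_factory=set)   # no firewalls by default
    expires: date | None = None                        # Expire Account date
    login_window: TimePeriod | None = None             # Restrict User Login by Time

    def may_log_in(self, at: datetime) -> bool:
        if self.expires is not None and at.date() >= self.expires:
            return False   # from the expiry date on, logins are refused
        if self.login_window is not None and not self.login_window.contains(at):
            return False
        return True

    def can(self, obj: str, activity: str) -> bool:
        return any(r.allows(obj, activity) for r in self.roles)

    def can_act(self, action: str) -> bool:
        return any(action in r.actions for r in self.roles)

    def can_configure(self, firewall: str) -> bool:
        return ALL_FIREWALLS in self.firewalls or firewall in self.firewalls


def separation_of_duties_demo() -> dict[str, bool]:
    """Two-person VPN setup from the guide: neither user alone can build a
    VPN-bearing configuration; an Administrator covers future object types."""
    non_vpn = Role("Non-VPN Administrator")
    for obj in ("Network Objects", "Services", "Firewall Users", "Time Periods"):
        non_vpn.grant(obj, "Update", "Add", "Remove")
    non_vpn.actions.add("Validate")
    vpn = Role("VPN Administrator")
    for obj in ("VPN Peers", "VPN Communities", "Certificates"):
        vpn.grant(obj, "Update", "Add", "Remove")
    vpn.actions.add("Apply")
    admin = Role("Administrator").grant(ALL_OBJECTS, *ACTIVITIES)
    alice = User("alice", [non_vpn], {ALL_FIREWALLS})
    bob = User("bob", [vpn], {"fw-branch-1"})
    carol = User("carol", [admin], set(), expires=date(2010, 1, 1),
                 login_window=TimePeriod(time(8, 0), time(18, 0)))
    return {
        "alice_edits_vpn_peer": alice.can("VPN Peers", "Update"),     # False
        "bob_edits_service": bob.can("Services", "Update"),           # False
        "alice_view_implied": alice.can("Services", "View"),          # True
        "only_bob_applies": bob.can_act("Apply") and not alice.can_act("Apply"),
        "alice_future_firewall": alice.can_configure("fw-new"),       # True
        "bob_future_firewall": bob.can_configure("fw-new"),           # False
        "carol_future_object_type": carol.can("New Object Type", "Remove"),
        "carol_in_hours": carol.may_log_in(datetime(2009, 6, 1, 9, 0)),   # True
        "carol_after_hours": carol.may_log_in(datetime(2009, 6, 1, 22, 0)),
        "carol_expired": carol.may_log_in(datetime(2010, 1, 1, 9, 0)),    # False
    }
```

The point of the model is the least-privilege check it makes explicit: a user's effective permissions are the union of the roles assigned, so reviewing a user means reviewing every role on the Roles tab, and a role that ticks All Objects or a user granted ALL FIREWALLS silently gains access to objects and firewalls created later.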



Configuration domains
       Use configuration domains to partition managed firewalls into separate collections of objects and
       configuration data so that each collection is independent of every other collection, and changes to one
       collection do not affect others.
        The main advantages of creating configuration domains are the following:
       • By using multiple configuration domains, administrator responsibilities can be segregated to allow each
         administrator (or group of administrators) to have control of the firewalls and their related objects for a
         single domain.

       • When a configuration domain administrator logs into the Control Center, he or she sees and acts on only
         those objects that are related to the configuration domain that he or she is currently logged into.
         Information about other domains is not visible.

        Using configuration domains is comparable to having multiple installations of the Control Center, with
        each installation having independent control over a domain and all of the associated, domain-specific
        data. The main difference is that all of the data for all of the domains is managed by a single Control Center
        Management Server.

When you log into the Configuration Tool, the Reporting and Monitoring Tool, or the Software Updates Tool,
a specific configuration domain is selected. Only those objects that belong to the selected domain are
visible for the duration of that tool session.
Configuration domains define the firewall and object operations that an administrator can manage,
configure, report on, and monitor when he or she is logged into that configuration domain. Additionally, the
administrator functionality is further defined according to the privileges (roles) that he or she has been
assigned for that domain.
A single Control Center installation can support multiple domains by keeping separate from all of the other
domains those firewalls, objects, and configuration data that are associated with each domain.
Administrators can switch from domain to domain by selecting a different domain at the login page.
Figure 14 Single Control Center supporting multiple domains




For customers who are not interested in segmenting responsibilities into separate domains, the Control
Center supports all of the management features, configurations, and functionality in a single domain
environment that is completely transparent to the administrator.
Most environments that the Control Center supports will not need the additional user and role management
that configuration domains require, because they manage firewalls that belong to a single, enterprise-class
domain.


Activating configuration domains
After you install the Control Center Management Server and Client Suite for the first time, a single domain
configuration is configured. The mechanisms and conventions that are associated with having multiple
configuration domains are transparent when you are in this mode.
You must use the functions that are in the Administration Tool to create additional configuration domains.
To activate the configuration domain option, you must configure a second configuration domain.
After the second domain has been created, the creator of this domain is notified that from that point going
forward, only those Control Center users who have administrative privileges for that configuration domain
can access the Administration Tool.

     By activating a configuration domain, a new class of Control Center user called the configuration domain
     administrator is created. Each Control Center user who is a member of the Administration Domain is a
     configuration domain administrator. Only those Control Center users with this privilege can:
     • Log into the Administration Tool.

     • Create and destroy configuration domains.

     • Create, modify, and delete Control Center users and manage their associated roles for each domain.

     • Manage Control Center licensing.

     • Manage system-wide settings.

     • Configure and manage external authentication.

     By default, the creator of a configuration domain is granted administrative privileges for the configuration
     domain and is a member of the administration domain.
     For all other Control Center users, you must configure the following:
     • The domains to which they have access.

     • The roles that determine the objects that they can manage and the actions that they can take.

     • Whether they have administrative privileges for the configuration domain so that they can log into the
       Administration Tool.

     After initially activating configuration domains, the appearance of the Control Center User Manager window
     changes to accommodate the new functionality that is required to manage user access to specific domains.
     Specifically, the Domain Access tab is now displayed in this window.
     The following domains are displayed on the Domain Access tab of the Control Center User Manager window:
     • Shared

     • Default

     • Administrator

     • <User-created domain>

     where the User-created domain is the newly created configuration domain that activated the configuration
     domain option.
     In addition to the standard default and user-created domain, two special-purpose domains are created:
     • Administrator domain

     • Shared domain

     Administrator domain
     Use the administrator domain to identify those users who have administrator privileges for the
     configuration domain. All users who will be allowed to access the Administration Tool need to be activated
     in the administrator domain.

     Shared domain
     The shared domain contains all of the common objects that are shared across all of the configuration
     domains. This includes a set of default, generic configuration objects that are used to perform a variety of
     functions that are configured when the Control Center was initially installed.
     To work with objects in the shared domain, an administrator must be explicitly permitted access to log into
     the shared domain. If you add an object to the shared domain, this object is universally available to all of
     the configuration domains that are defined in the Management Server.

Conversely, if you change the characteristics of an object in the shared domain, the object characteristics
are changed in all configuration domains. Make sure that you carefully consider this when you decide to
change the characteristics of any object in the shared domain. Otherwise, this change can cause problems
across multiple domains that use this same object. A good practice is to copy an existing object in the
shared domain, rename it, change the specific characteristic or characteristics and save the change. This
new object can be accessed by all users.
The shared domain has special limitations. Firewall objects may not appear in the shared domain. Objects
in the shared domain may not reference objects in a non-shared domain.
Certain objects contain “apply on” attributes that reference firewalls. The shared domain can support those
objects with empty “apply on” associations.
Although objects in the shared domain are visible when you edit a configuration domain (shared objects are
green) and it is possible to reference the shared object from within the configuration domain, you cannot
change the characteristics of the shared object while you are editing object data in a configuration domain.
However, you can copy the shared object. The copy will reside in the configuration domain and it can then
be fully characterized.
Objects cannot be moved from a shared domain to a configuration domain, or moved or copied from a
configuration domain to the shared domain.
Because the shared domain does not exist unless configuration domains have been activated, sites that do
not activate configuration domains will not have a shared domain.


Configuring configuration domains
Use the Configuration Domain Manager window to create new or edit existing versions of configuration
domains. For more information about activating and creating configuration domains, see Configuration
domains on page 92.
Figure 15 Configuration Domain Manager window




Accessing this window
In the Administration Tool, from the Configuration Domains menu, select Add Domain or Edit Domain.
The Configuration Domain Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name that identifies the configuration domain. If configuration domains have not been
  activated, the configuration domains option is activated when you create a configuration domain.

• Description — Provide a useful description of the use or purpose of the configuration domain that you
  are creating.

     Moving a firewall or cluster from one configuration domain to another
     You can move a firewall or cluster from one configuration domain to another domain as long as you have
     administrative privileges in both domains.
     The following procedure is a high-level overview of the steps that are required to move a firewall or a
     cluster from one configuration domain to another configuration domain.
     1 In the Configuration Tool, log into the source domain (for example, Domain A). (This is the domain from
        which you want to move the firewall or cluster.)

     2 Make sure that the Firewalls group bar is selected.

     3 Select the Firewalls node or Clusters node, depending on the object that you are moving.

     4 Right-click the firewall or cluster node to be moved and select Remove Object.

     5 If there are no other versions of this configuration domain (Domain A), skip to step 6. Otherwise, repeat
        steps 1–4 until the firewall or cluster is removed from all of the Domain A versions.

     6 Log into the target configuration domain (for example, Domain B).

     7 Right-click on either the Firewalls or the Clusters node (depending on the object that you are moving)
        and select Add Object. The Add new firewall window or the Add Cluster window is displayed, depending
        on the node that you selected.

     8 Specify the information necessary for the object that you are moving and click OK. The object is added
        to the respective node.


     Changing from one configuration domain to another
     Use the Switch Domain window to change between configuration domains, provided that you have access
     to each of these domains. You can switch domains without having to log off and on again or re-specifying
     your user name or password.
     Note: This window is available only if configuration domains have been configured.

     Figure 16 Switch Domain window




     Accessing this window
     In the Configuration Tool, Reporting and Monitoring Tool, and Software Updates Tool, from the File menu,
     select Switch Domain…. The Switch Domain window is displayed.

     Fields and buttons
     This window has the following fields and buttons:
     • Select the domain that you wish to switch to — Specify the configuration domain that you want to
       switch to. This list displays only those domains for which you have access.

     • OK — A confirmation message is displayed, indicating that you have connected to the new configuration
       domain. Click OK to close this message.

     • Cancel — Close this window without switching domains.

Configuration domain version management
      With the advent of configuration domains comes the concept of saving a version of a configuration domain
      that is separate from and distinctly different than a backup configuration of the Management Server. (For
      more information, see Managing configuration data for the Management Server on page 23.) Multiple
      versions of a domain can be captured. While only one domain version may be active at any time, any
      previously saved version can be activated at any time. The active domain is the domain that currently
      governs the security policy for the specific domain. When changes are made to a domain configuration, the
      changes are saved for the currently active domain. By default, when a user logs into any tool, he or she
      logs into the active version of the domain.
      By supporting multiple domain versions, you can have the flexibility to change a security policy to a
      pre-configured (and previously saved) version. By creating a saved version of a current configuration, you
      can make configuration changes to the active version without worrying about how to recover if the policy is
      flawed or if the backup does not proceed as planned. To recover, you can activate the previously working
      configuration.
      To create a domain version, name the version and save the configuration. Note that saving a domain
      version does not activate it. Activating a domain version is a separate process. When a new domain version
      is activated, you, and any other administrators who are logged into any tools that use the current domain,
      will be logged off and all of you will be required to log back into the McAfee Firewall Enterprise Control
      Center.
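The shared-domain rules given earlier in this chapter (no firewall objects in the shared domain, no references from shared to non-shared objects, shared objects visible but read-only from a configuration domain, copy rather than edit) and the version rules just described (a saved version is separate from a Management Server backup, only one version is active, activating a version logs off the domain's users) can be modelled as a small in-memory store. The following Python is an added example, not code from this guide or from the product; the ManagementServer class, the object names and kinds, and the notion that a version holds only the domain's own data (stated in the next section) are assumptions made for the example.

```python
"""Model of the shared-domain and domain-version rules in this guide (added example).

Encoded rules: no firewall objects in the shared domain; shared objects may not
reference non-shared objects; a shared object is visible (green) from a
configuration domain but cannot be edited there, only copied, and the copy is
domain-local; a saved version holds the domain's own data, never shared data;
activating a version logs off every session in that domain.
"""
from __future__ import annotations
import copy
from dataclasses import dataclass, field

SHARED = "Shared"


@dataclass
class Obj:
    name: str
    kind: str                                    # e.g. "Network Object", "Firewall"
    attrs: dict = field(default_factory=dict)
    refs: set[str] = field(default_factory=set)  # names of objects this one references


class ManagementServer:
    def __init__(self) -> None:
        self.shared: dict[str, Obj] = {}
        self.domains: dict[str, dict[str, Obj]] = {}              # active data per domain
        self.versions: dict[str, dict[str, dict[str, Obj]]] = {}  # saved versions per domain
        self.sessions: dict[str, set[str]] = {}                   # domain -> logged-in users

    def add_domain(self, name: str) -> None:
        self.domains[name], self.versions[name], self.sessions[name] = {}, {}, set()

    def add_object(self, domain: str, obj: Obj) -> None:
        if domain != SHARED:
            self.domains[domain][obj.name] = obj
            return
        if obj.kind == "Firewall":
            raise ValueError("firewall objects may not appear in the shared domain")
        if any(ref not in self.shared for ref in obj.refs):
            raise ValueError("shared objects may not reference non-shared objects")
        self.shared[obj.name] = obj

    def visible(self, domain: str) -> dict[str, bool]:
        # names an editor sees in `domain`; True marks a (green) shared object
        seen = {name: True for name in self.shared}
        seen.update({name: False for name in self.domains[domain]})
        return seen

    def update(self, domain: str, name: str, **attrs) -> None:
        if domain == SHARED:
            self.shared[name].attrs.update(attrs)   # changes every domain's view at once
        elif name in self.domains[domain]:
            self.domains[domain][name].attrs.update(attrs)
        elif name in self.shared:   # visible but read-only from a configuration domain
            raise PermissionError("copy the shared object into the domain to edit it")
        else:
            raise KeyError(name)

    def copy_shared_into(self, domain: str, name: str, new_name: str) -> Obj:
        self.domains[domain][new_name] = dup = copy.deepcopy(self.shared[name])
        dup.name = new_name   # domain-local copy, fully editable
        return dup

    def save_version(self, domain: str, label: str) -> None:
        self.versions[domain][label] = copy.deepcopy(self.domains[domain])  # no shared data

    def activate_version(self, domain: str, label: str) -> set[str]:
        self.domains[domain] = copy.deepcopy(self.versions[domain][label])
        logged_off, self.sessions[domain] = self.sessions[domain], set()
        return logged_off   # these users must log back in


def _refused(fn, exc) -> bool:
    """True if calling fn raises exc."""
    try:
        fn()
    except exc:
        return True
    return False


def demo() -> dict:
    ms = ManagementServer()
    ms.add_domain("Domain A")
    ms.add_object(SHARED, Obj("dns-servers", "Network Object", {"hosts": ["10.0.0.53"]}))
    ms.add_object("Domain A", Obj("fw-a1", "Firewall"))
    ms.sessions["Domain A"].add("alice")
    ms.save_version("Domain A", "known-good")          # snapshot before a risky change
    ms.add_object("Domain A", Obj("risky-rule", "Access Control Rule", refs={"dns-servers"}))
    out = {"shared_visible_green": ms.visible("Domain A")["dns-servers"]}
    out["firewall_in_shared_refused"] = _refused(
        lambda: ms.add_object(SHARED, Obj("fw-x", "Firewall")), ValueError)
    out["edit_shared_refused"] = _refused(
        lambda: ms.update("Domain A", "dns-servers", hosts=["10.0.0.54"]), PermissionError)
    ms.copy_shared_into("Domain A", "dns-servers", "dns-servers-a")
    ms.update("Domain A", "dns-servers-a", hosts=["10.0.0.54"])
    out["copy_is_local"] = ms.visible("Domain A")["dns-servers-a"] is False
    out["shared_unchanged"] = ms.shared["dns-servers"].attrs["hosts"] == ["10.0.0.53"]
    out["logged_off"] = ms.activate_version("Domain A", "known-good")
    out["rollback_dropped_risky_rule"] = "risky-rule" not in ms.domains["Domain A"]
    out["version_has_no_shared"] = "dns-servers" not in ms.versions["Domain A"]["known-good"]
    return out
```

Two things the run makes concrete: a version is a rollback point for the domain's own policy only, so a shared object edited after the version was saved is not restored by activating it; and activation is disruptive, since every administrator logged into that domain is logged off.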


      Configuration domain version management
      If configuration domains are activated, use configuration domain version management to save and activate
      configuration data that is associated with each individual configuration domain.
      Saving a version of a configuration domain is separate from and distinct from saving a backup
      configuration of the Management Server. In many ways, a domain version accomplishes the same goals as a
      system backup. However, it differs in a few key areas that are important to understand.
      The first difference is that there is no mechanism, and none is required, to FTP a version of a configuration
      domain to an off-box location. All versions of all defined configuration domains are included in a normal
      Control Center Management Server backup, and that backup can be stored off-box to support
      worst-case failure recovery.
      The next major difference is that only the configurable data that belongs to the specific configuration
      domain is preserved. No shared domain data is preserved. Judicious management of shared objects should
      prevent a shared object from being altered in a way that breaks a domain configuration that uses it, but be
      aware that shared object settings are not captured with the domain version: activating an older domain
      version does not roll back changes to shared objects.
      Multiple versions of a domain can be saved. Although only one domain version can be active at any time,
      any previously saved version can be activated at any time. The active version is the one that currently
      governs the security policy for the domain. When you make changes to a domain configuration, the
      changes are saved in the currently active version. By default, when you log into any tool, you log into the
      active version of the domain.
      Multiple domain versions give you the flexibility to revert a security policy to a previously saved, known
      good configuration. If you save a version of the current configuration before you change it, you can make
      changes to the active version without worrying about how to recover if the new policy is flawed or if the
      change does not go as planned: activate the previously working version and apply it.
      By saving different versions of a configuration domain, you can also maintain alternate security policies
      that can be activated quickly when needed.

     To create a domain version, use the Manage Configuration Domain Versions window in the Administration
     Tool to assign a name that identifies the version and save the configuration. Note that saving a domain
     version does not activate it. Activating a domain version is a separate process. To activate a previously
     saved version of a configuration domain, use the Manage Configuration Domain Versions window to
     highlight the version and click Activate. When a new domain version is activated, you and any other
     administrators who are logged into any tools that use the current domain are logged off and must log back
     into the Control Center.
     Managing versions of a configuration domain is easy, provided that you follow good configuration change
     practices. For example, when configuration changes are about to be made to a configuration domain, use
     the following practice so that you can recover whether or not the changes succeed:
     • Before you make major changes to the objects in a configuration domain, save the current configuration.
       If you are not certain that the configuration in the Management Server database matches the
       configuration of the managed firewalls, generate a compliance report to verify that the configuration on
       the managed firewalls corresponds to the configuration data that is stored in the Management Server.
       When you are satisfied that the Management Server data is correct, save a version of the configuration
       data. Remember that saving a version of the current configuration does not activate the newly saved
       version. This newly saved version is a known good configuration that can be activated if the changes
       that are about to be made do not have the desired effect or need to be backed out.

     • Make your configuration changes by using the features and functions of the Configuration Tool.
       Remember that all of the changes are being saved in the currently active version of the configuration data.
       It is always good policy to validate changes before applying them by running the Validation Status Report.
       When you are satisfied with the validation data, apply the changes.
     • To see information about the status of the propagation to the firewalls, access the Configuration Status
       Report from the Reports menu.

     Observe and test the operation of the newly applied configuration data. If all has gone well, the saved
     version is no longer required; it can be kept or deleted. If the configuration changes do not operate as
     expected, activate the saved version and apply it to restore the known good configuration. Activation
     alone changes only the Management Server; the firewalls continue to run the last applied policy until you
     apply the reactivated version.

        Managing versions of configuration domains
        Use the Manage Configuration Domain Versions window to create, modify, and activate versions of a
        configuration domain. For more information about creating and activating configuration domains, see
        Configuring configuration domains on page 95.
Figure 17 Manage Configuration Domain Versions window




        Accessing this window
        In the Administration Tool, from the Configuration Domains menu, select Manage Versions. The Manage
        Configuration Domain Versions window is displayed.

        Fields and buttons
        This window has the following fields and buttons:
        • Configuration Domain — Displays all of the defined configuration domains in this list. Select the
          configuration domain on which you want to act.

        • Table — Lists the saved versions of the selected configuration domain. Highlight a row to act on it
          with the Edit and Activate buttons.

           • Name — [Read-only] Displays the name that is assigned to the version when it was created.

           • Description — [Read-only] Displays the description that is assigned to the version when it was
             created.

           • Created Time — [Read-only] Displays the date on which and the time at which the associated version
             was created.

           • Deactivated Time — [Read-only] Displays the date and time at which the version was deactivated,
             that is, when it stopped being the active version because another version was activated. The value is
             set only for a version that was activated and later deactivated.

           • Active — [Read-only] Displays the status of the version. Yes is displayed for the currently active
             version. All other versions display No.


      • Add — Specify that a new version of the configuration domain will be created. When you click this option,
        the Add New Configuration Domain Version window is displayed, in which you can add a new version of
        the configuration domain.

      • Edit — Highlight a version of a configuration domain and select this option to display the Edit
        Configuration Domain Version window. Use this window to edit the name or description that is associated
        with the selected version.

      • Activate — Highlight a version of a configuration domain and select this option to activate the selection.
        Activation changes only which version the Management Server treats as current; the activated version
        must then be applied to the firewalls to become effective.



Audit data management
      The Control Center can record, view, and archive specific actions that are performed by Control Center
      users on selected objects. The objects include, but are not limited to, firewalls, endpoints, services, rules,
      and alert processing rules.
      You specify the audit trail data that is recorded by using the Audit Tracking and Archive Management
      window. For more information, see Managing audit trail information on page 101.
      The resulting audit data can be viewed, filtered, and printed by using the Audit Trail page.
      The auditing facility is not meant to maintain a full historical record of all of the tracked data. Instead, it
      records which user performed a specific action on a specific object, and when.
      Although tracking the changes made by Control Center users is good practice, it can use a great deal of
      disk space. The audit data is stored in the audit tracking table in the Management Server database. This
      table grows without bound, so you should regularly archive or discard this data by using the options in the
      Audit Tracking and Archive Management window.
      Note: Do not confuse the Control Center audit trail, which records actions that are performed by Control Center
      users, with the firewall-specific audit reports. For more information about firewall-specific audit data, see Audit
      trail on page 615.

      You can collect the information about specific actions that are performed on specific objects by Control
      Center users for a specified number of days, and then store or purge it.
      All collected audit trail information is saved in tables in the Management Server database. You configure
      the kind of data that is collected and its disposition.
      Use the Audit Tracking and Archive Management window to specify the types of audit data that are
      recorded. Use the Audit Settings tab on this window to identify the actions to be recorded (Update, Add, or
      Remove) for the selected objects (either all objects or a user-selected list of objects).
      On the Archive Settings tab, specify the number of days to keep the audit tracking data in the database on
      the Management Server before archiving it to another location or removing it. Two different defaults are
      stated in this guide for Days to Keep (zero, meaning no audit data is archived, in this section, and 1 in the
      description of the Archive Settings tab); verify the value on your Management Server rather than relying
      on either. If you want to keep audit data, start with a value of 1 day and adjust it as necessary.
      After the number of days to keep the data has expired, the data is purged (erased from the Management
      Server database), archived to a local path on the Management Server, or sent to another location by
      using FTP, according to the option you select.
      Archive files are created in zip format. The data is stored in a comma-separated values (CSV) file that can
      be imported into a database or spreadsheet. The default file name format is AuditArchivemm_dd_yy.zip,
      where mm is the month, dd the day, and yy the two-digit year.
      If you archive audit tracking data, note that the archiving process runs once a day, at some time after
      midnight. Any changes that you make do not take effect until that run.
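
      The archive format described above (a zip containing a CSV, named AuditArchivemm_dd_yy.zip, written
      once a day) lends itself to offline review. The following Python script is an added example, not part of this
      guide or of the Control Center product. It builds a constructed archive of the kind the daily job would
      leave in the archive directory, reads it back, flags Remove actions that were not recorded under a change
      ticket, and works out which archive files are older than a retention window from the date in the file name.
      The CSV column layout (Time, User, Ticket, Object, Action, Name), the CSV member name inside the zip,
      and the 20yy reading of the two-digit year are assumptions made for the example; the guide does not
      document the columns.

```python
import csv
import io
import zipfile
from collections import Counter
from datetime import date, datetime

# Constructed sample rows, standing in for the CSV that the daily archive job
# writes. The column layout is an ASSUMPTION for this example; the guide only
# says the trail records who did what (Update/Add/Remove) to which object, when.
SAMPLE_CSV = """Time,User,Ticket,Object,Action,Name
2009-03-02 09:14:05,jsmith,CHG-1041,Rules,Update,allow_dns_out
2009-03-02 09:15:41,jsmith,CHG-1041,Rules,Add,allow_ntp_out
2009-03-02 11:02:13,rlee,,Firewalls,Remove,fw-branch-07
2009-03-02 11:04:50,rlee,,Rules,Remove,deny_all_inbound
2009-03-02 16:30:00,svc_backup,,Services,Update,https
"""


def build_archive(csv_text: str, archived_on: date) -> tuple[str, bytes]:
    """Produce an in-memory archive shaped like the job's output: one CSV inside
    a zip named AuditArchivemm_dd_yy.zip. Returns (file name, zip bytes)."""
    name = f"AuditArchive{archived_on:%m_%d_%y}.zip"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AuditArchive.csv", csv_text)  # member name is an assumption
    return name, buf.getvalue()


def archive_date(file_name: str) -> date:
    """Recover the archive date from AuditArchivemm_dd_yy.zip. strptime's %y
    maps a two-digit year to 1969-2068, so archives from these years resolve
    to 20yy, which is what this example assumes."""
    stem = file_name.removeprefix("AuditArchive").removesuffix(".zip")
    return datetime.strptime(stem, "%m_%d_%y").date()


def read_archive(zip_bytes: bytes) -> list[dict[str, str]]:
    """Unpack every CSV member of the archive into a list of row dicts."""
    rows: list[dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.lower().endswith(".csv"):
                text = zf.read(member).decode("utf-8")
                rows.extend(csv.DictReader(io.StringIO(text)))
    return rows


def unticketed_changes(rows, actions=("Add", "Update", "Remove")):
    """Tracked actions that were recorded with no change ticket attached.
    Removals of firewalls and rules are the ones a reviewer most wants justified."""
    return [r for r in rows if r["Action"] in actions and not r["Ticket"].strip()]


def removals_by_user(rows) -> Counter:
    """How many Remove actions each user performed in this archive."""
    return Counter(r["User"] for r in rows if r["Action"] == "Remove")


def expired_archives(file_names, today: date, keep_days: int) -> list[str]:
    """Archive files whose embedded date is more than keep_days old. This is
    the off-box counterpart of Days to Keep, which only governs rows that are
    still in the Management Server database."""
    return [f for f in file_names if (today - archive_date(f)).days > keep_days]


if __name__ == "__main__":
    fname, data = build_archive(SAMPLE_CSV, date(2009, 3, 3))
    rows = read_archive(data)
    print(f"{fname}: {len(rows)} audit rows")
    for r in unticketed_changes(rows, actions=("Remove",)):
        print("unticketed removal:", r["Time"], r["User"], r["Object"], r["Name"])
    print("removals by user:", dict(removals_by_user(rows)))
    old = expired_archives([fname, "AuditArchive02_01_09.zip"], date(2009, 3, 10), 30)
    print("archives past retention:", old)
```

      To run the same checks on real data, pass the bytes of an archive fetched from the FTP server or the local
      archive path to read_archive and adjust the column names to match the header row of your export.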

Managing audit trail information
Use the Audit Tracking and Archive Management window to configure the specific actions that are tracked
for the identified objects. For more information, see Audit data management on page 100.
Figure 18 Audit Tracking and Archive Management window




Accessing this window
In the Administration Tool, from the Audit Trail menu, select Manage Audit Trail. The Audit Tracking and
Archive Management window is displayed.

Fields and buttons
This window has the following field and buttons:
• Archive Audit Data — Select this checkbox to enable archiving and display the Archive Settings tab, which
  is used to identify and manage the archive settings.

• OK — Save the changes that have been made in all of the tabs on this window.

• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• Audit Settings — Specify the actions to be tracked for the selected objects. For more information, see
  Audit Tracking and Archive Management window: Audit Settings tab on page 101.

• Archive Settings — Specify and manage the archive settings. For more information, see Audit Tracking
  and Archive Management window: Archive Settings tab on page 102.

Audit Tracking and Archive Management window: Audit Settings tab
Use the Audit Settings tab on the Audit Tracking and Archive Management window to identify the actions to
track for the specified objects. For more information, see Audit data management on page 100. To view the
fields on this tab, see Figure 18 on page 101.

Accessing this tab
In the Administration Tool, from the Audit Trail menu, select Manage Audit Trail. The Audit Settings tab
on the Audit Tracking and Archive Management window is displayed.

      Fields and buttons
      This tab has the following fields and buttons:
      • Object — [Read-only] Displays the names of the objects that are available for audit tracking (for
        example, Network Objects, Services, VPN).

      • Description — [Read-only] Displays information about the object.

      • Update — Determines whether to track when objects of this type are changed. This checkbox is selected
        by default.

      • Add — Determines whether to track when objects of this type are added. This checkbox is selected by
        default.

      • Remove — Determines whether to track when objects of this type are deleted. This checkbox is selected
        by default.
         Note: To display audit tracking data, from the Audit Trail menu on the Administration Tool main menu, select
         View Audit Trail.

      Audit Tracking and Archive Management window: Archive Settings tab
      Use the Archive Settings tab of the Audit Tracking and Archive Management window to periodically archive
      audit tracking data to an FTP server or to a directory on the Control Center Management Server, or to
      periodically remove audit tracking data from the database. For more information, see Audit data
      management on page 100.
      Archive files are created in zip format. The data is stored in a comma-separated values (CSV) file that can
      be imported into a database or spreadsheet. The default file name format is
      AuditArchivemm_dd_yy.zip, where mm indicates the month, dd the day, and yy the two-digit year.
      If you decide to archive audit tracking data, note that the archiving process runs once a day, at some time
      after midnight. Any changes that you make do not take effect until that run.
      Figure 19 Audit Tracking and Archive Management window: Archive Settings tab




      Accessing this tab
      1 In the Administration Tool, from the Audit Trail menu, select Manage Audit Trail.

      2 Make sure that the Archive Audit Data checkbox is selected and click Archive Settings. The Archive
         Settings tab of the Audit Tracking and Archive Management window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Days to Keep — Specify the number of days to keep the audit tracking data in the database on the
  Management Server before archiving it to another location or removing it. This tab description gives the
  default as 1 (archiving enabled), whereas the chapter overview gives it as zero; verify the value on your
  Management Server. Adjust this value as necessary to meet the needs of your site.

• Archive Data to FTP Server — Extract audit tracking data from the database on the Management Server
  and archive it to a specified FTP server on the local network. The database is purged after the data has
  been archived to the FTP server. FTP transmits the user name, password, and archive contents
  unencrypted, so place the FTP server on a trusted management network and give the account write
  access to the archive directory only. If this option is selected, the following fields are available in the
  FTP Settings area:

   • Server Address — Specify the IP address of the local FTP server where the data is to be stored.

   • User Name — Specify the FTP server login name.

   • Password — Specify the password that is associated with the user name value.

   • Server File Path — Specify the path name to the directory on the FTP server where audit tracking
     data will be archived. The path name is relative to the login directory that is associated with the user
     name. Note that this directory must already exist, and the user who is specified by the User Name field
     value must have write access to this directory.

• Purge Archive Data — Remove the audit tracking data from the database on the Management Server after
  the number of days that is specified in the Days to Keep field. This option is selected by default. Select this
  option only if you do not need to preserve the audit trail data; the audit tracking table grows without bound
  if it is neither purged nor archived.

• Archive to Local Path — Audit tracking data will be archived to the directory that is specified on the
  Management Server. The database is purged after the data has been archived.


Configuring change tickets
Use the Ticket window to name the change ticket that you are starting. Audit data that is recorded after
you click OK is tracked under this ticket name.
Figure 20 Ticket window




Accessing this window
In the Administration Tool, Configuration Tool or Software Updates Tool, from the System menu, select
Start Ticket….
or
In the Configuration Tool or in the Software Updates Tool, in the Action toolbar, click Start Ticket.
The Ticket window is displayed.

Fields and buttons
This window has the following field and buttons:
• Ticket — Specify a name for this ticket, up to 32 characters.

• OK — Save this name and start tracking the audit data under it.

• Cancel — Close this window without saving this name or starting the audit data tracking.

Control Center Management Server licensing
       The functions and capabilities of the Control Center are controlled by the installed license key. Use the
       License Management window to view and manage the Control Center license key.
       Note: Control Center licenses are not additive. The Control Center initially ships with one license, and any
       subsequent change to that license requires re-licensing.

       The Control Center has three licensing options:
       • Demo — All features of the Control Center that do not require a connection to any firewall are permitted.
         The Control Center initially ships with this license. Demo appears in the License Management window
         heading while only this initial license is installed.

       • Evaluation — The evaluation license might be restricted to managing a limited number of firewalls for
         30, 60, or 90 days. When the evaluation license is within five (5) days of expiring, the number of
         days that remain is displayed in the current status area, in the lower right corner of the status bar in
         each tool of the Client Suite.

       • Permanent — After you purchase the Control Center, you must obtain a permanent license from the
         McAfee corporate web site (www.mcafee.com). This license might be restricted to managing a limited
         number of firewalls.

       Licensing the Control Center Management Server
       This procedure describes how to obtain a Control Center license, either automatically using the Internet
       (remote process) or if necessary, manually using a local activation key (local process).
       • Licensing with Internet connectivity

       • Licensing on an isolated network

       Licensing with Internet connectivity
       For automatic license activation, using the Internet, perform the following steps:
       Note: To reach the license servers, outbound access on TCP port 443 (HTTPS) to the activation server must be
       permitted through any intervening firewall.

       1 Using the Administration Tool, log into the Control Center Management Server.

       2 From the System menu, select License. The License Management window is displayed.

       3 On the Server tab, in the Serial Number field, specify the 16-character serial number that is located on
          the Activation Certificate or on your hardware platform. Leave the default values for all of the other fields
          on this tab.

       4 On the Contact tab, specify the requested information. Refer to the administrator of this particular
          Management Server.

       5 On the Company tab, specify the requested information about the company that has purchased this
          particular Control Center Management Server:

          a On the Company Address tab, specify the requested address information.

          b On the Billing Address tab, specify information as requested. If this information is the same as the
              company address information, click Copy From Company Address.

       6 Submit this information to McAfee by selecting Activate License. A window is displayed, indicating that
          all of the information is transmitted over a secure connection.

       7 Click OK to continue. The licensing information is sent to the activation server that is located at the URL
          that is specified in the Activation URL field. The activation server verifies the serial number and returns
          an activation key, which is displayed in the Activation Key field.

       8 Click OK to save the licensing information and close this window.

       The license is now activated.

Licensing on an isolated network
To activate a license without Internet connectivity, using the activation key, perform the following steps:
1 Using the Administration Tool, log into the Control Center Management Server.

2 From the System menu, select License. The License Management window is displayed.

3 On the Server tab, in the Serial Number field, specify the 16-character serial number that is located on
   the Activation Certificate or on your hardware platform. Leave the default values for all of the other fields
   on this tab.

4 Write down the serial number and the server ID values.

5 Move to a computer that has Internet access.

6 In a web browser, navigate to the Secure Computing activation web page:

   www.securecomputing.com/goto/activation

7 In the list of forms, select Secure Firewall CommandCenter. The activation form is displayed.

8 Complete the form as directed on the web site and click Submit. A confirmation window is displayed.

9 Verify that the information that you have specified is correct. If it is not correct, click Back to return to
   the form and to correct the information.

10 Click Submit. After approximately one minute, a new web page is displayed with the activation key.

11 Using the on-screen instructions, save the activation key to removable media.

12 Return to the computer on which the Client Suite is installed.

13 Insert the removable media into the computer.

14 In the Administration Tool, from the System menu, select License. The License Management window is
   displayed.

15 On the Server tab, click Import Key. The Import Key window is displayed.

16 Navigate to the location of the activation key file and select it.

17 Click Open. The activation key is extracted from the file and is displayed in the Activation Key field.

18 Complete the required fields on the Contact and Company tabs:

   a On the Contact tab, specify the requested information. Refer to the administrator of this particular
       Management Server.

   b On the Company tab, specify the requested information about the company that has purchased this
       particular Control Center Management Server:

       • On the Company Address tab, specify the requested address information.

       • On the Billing Address tab, specify information as requested. If this information is the same as the
         company address information, click Copy From Company Address.

19 Click OK. The license is now activated and the License Management window will reflect any associated
   features.


      Managing Control Center licenses
      Use the License Management window to manage Control Center licenses. For more information about
      licensing, see Control Center Management Server licensing on page 104.
      Figure 21 License Management window




      Accessing this window
      In the Administration Tool, from the System menu, select License…. The License Management window is
      displayed.

      Fields and buttons
      This window has the following buttons:
      • Copy From Default — Automatically populate the Activation URL field in the Server tab of the License
        Management window and all of the required information fields on the Contact and Company tabs.

      • OK — Save your license information. You must click OK to license your Management Server after you
        have imported the license key or activated the license to retrieve a new key from the license server.

      • Activate License — Submit the license information to the Secure Computing Corporation licensing web
        site that is specified in the Activation URL field by using an encrypted HTTPS session.

         Note: After you have retrieved your activation key for this Control Center Management Server, you must click
         OK to save all of this information. Only then is the Management Server licensed.

      • Import Key — Import a Control Center Management Server activation key from a file on a local or
        remote source. As in the note above, the imported key takes effect only after you click OK.


Tabs
This window has the following tabs:
• Server — Specify the Control Center Management Server details. For more information, see License
  Management window: Server tab on page 107.

• Contact — Specify the contact details. For more information, see License Management window: Contact
  tab on page 108.

• Company — Specify the company's corporate and/or billing address. For more information, see License
  Management window: Company tab on page 109.

License Management window: Server tab
Use the Server tab of the License Management window to manage the Control Center Management Server
information. To view the fields on this tab, see Figure 21 on page 106.

Accessing this tab
1 In the Administration Tool, from the System menu, select License…. The License Management window
  is displayed.

2 Click the Server tab. The Server tab of the License Management window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Serial Number — Specify the alphanumeric serial number of the Control Center Management Server.
  Include the dashes (-) in the serial number.
   Note: The serial number is located on the Control Center activation certificate.

• Server Version — [Read-only] Displays the version of the Control Center Management Server.

• Server ID — Specify the unique server identification of the Control Center Management Server.

• Activation URL — Specify the URL to be used for activation of the Control Center Management Server
  license. This entails a remote, automatic activation process.
   Note: If this activation process is used, ignore the Activation Key field.

• Restore Default URL — If, for any reason, the activation URL becomes corrupted, click this button to
  restore the URL's original default value.

• Activation Key — Specify a file-based activation key to be imported and used to activate the Control
  Center Management Server license. This entails a local activation process to use if the server is currently
  isolated from the local network or if it cannot access the activation URL, thus precluding a remote,
  automatic, activation process.
   Note: If this activation process is used, ignore the Activation URL field.

• Feature — [Read-only] After the license has been acquired, displays the features that apply to the
  Control Center:

   • SecureOS

   • Support

   • McAfee Firewall Enterprise

• License State — [Read-only] After the license has been acquired, displays the current state or status of
  the current Control Center Management Server license.

• Expiration — [Read-only] After the license has been acquired, displays the expiration date of the current
  Control Center Management Server license.


      License Management window: Contact tab
      Use the Contact tab of the License Management window to specify contact information for the administrator
      of this Control Center. This information is needed to receive important customer bulletins and renewable
      support licenses.
      Figure 22 License Management window: Contact tab




      Accessing this tab
      1 In the Administration Tool, from the System menu, select License…. The License Management window
        is displayed.

      2 Click the Contact tab. The Contact tab of the License Management window is displayed.

      Fields and buttons
      This tab has the following fields and buttons:
      Note: A field name that is enclosed in parentheses () indicates that the field is optional.

      • First Name — Specify the first name of the Control Center administrator.

      • Last Name — Specify the last name of the Control Center administrator.

      • Email — Specify the e-mail address of the Control Center administrator.

      • Primary Phone — Specify the primary phone number of the Control Center administrator.

      • (Alternate Phone) — Specify the alternate (secondary) phone number of the Control Center
        administrator.

      • (Fax) — Specify the fax number of the Control Center administrator.

      • (Job Title) — Specify the job title of the Control Center administrator.

      • (Purchased From) — Specify the name of the supplier or company that sold the Control Center to you.

      • (Comment) — Specify miscellaneous information about your site.


License Management window: Company tab
Use the Company tab of the License Management window to specify information about the company that
bought this Control Center, including the corporate and/or billing address.
Figure 23 License Management window: Company tab




Accessing this tab
1 In the Administration Tool, from the System menu, select License…. The License Management window
  is displayed.

2 Click the Company tab. The Company tab of the License Management window is displayed.

Fields and buttons
This tab has the following fields. Unless otherwise indicated, each field is required:
• Company Name — Specify the name of the company that is purchasing the Control Center.

• Industry Classification — Specify the company's industry sector. From the list, select the classification
  that most closely matches the industry.

The page also has the following tabs:
• Company Address — Specify the address for the company. For more information, see Company Address
  tab.

• Billing Address — Specify the billing address for the company. For more information, see Billing Address
  tab.

Company Address tab
The Company Address tab has the following fields and buttons:
• Address — Specify the street address at which the company is based, including any suite number or
  department information, and so on.

• City — Specify the name of the city in which the company is based.




      • State / Province — Specify the name of the state in which the US company is based.
         Note: All predefined state names apply to US companies. For non-US companies, select Other... and complete
         the State / Province (Non-US) field.

      • State / Province (Non-US) — Specify the name of the state or province in which the non-US company
        is based.

      • Postal (zip) Code — Specify the five-digit ZIP code of the US company or the alphanumeric postal code
        of the non-US company.

      • Country — Specify the name of the country in which the company is based.

      Billing Address tab
      The Billing Address tab has the following fields and buttons:
      • Copy From Company Address — If the company address and the billing address are identical, click this
        button to copy all of the information from the Company Address tab to this tab. You can also use this
        button if the two addresses differ only slightly: copy the company address into this tab and then make
        the minor changes.

      • Address — Specify the billing address number and street name, including any suite number or
        department information, and so on.

      • City — Specify the name of the city for the billing address.

      • State / Province — Specify the name of the state for the US billing address.
         Note: All predefined state names apply to US companies. For non-US companies, select Other... and complete
         the State / Province (Non-US) field.

      • State / Province (Non-US) — Specify the name of the state or province for the non-US billing address.

      • Postal (zip) Code — Specify the five-digit ZIP code of the US billing address or the alphanumeric postal
        code of the non-US billing address.

      • Country — Specify the name of the country for the billing address.

      • Clear — Clear all of the fields on the Billing Address tab.




Configuring common license information for the Control Center
Use the Common License Information window to manage Control Center common license information. For
more information about licensing, see Control Center Management Server licensing on page 104.
Figure 24 Common License Information window




Accessing this window
In the Administration Tool, from the System menu, select Common License Information…. The Common
License Information window is displayed.

Fields and buttons
This window has the following fields and buttons:
• SW Device — [Read-only] Displays -Default-.

Tabs
This window has the following tabs:
• Firewall — Displays the activation URL. For more information, see Common License Information window:
  Firewall tab on page 112.

• Contact — Specify the contact details. For more information, see Common License Information window:
  Contact tab on page 113.
• Company — Specify the company's corporate and/or billing address. For more information, see Common
  License Information window: Company tab on page 114.




      Common License Information window: Firewall tab
      Use the Firewall tab on the Common License Information window to manage the licensing information.
      Specifically, the Firewall tab contains the activation URL for the firewall.
      Figure 25 Common License Information window: Firewall tab




      Accessing this tab
      1 In the Administration Tool, from the System menu, select Common License Information…. The
        Common License Information window is displayed.

      2 Click the Firewall tab. The Firewall tab of the Common License Information window is displayed.

      Fields and buttons
      This tab has the following field:
      • Activation URL — Specify the URL that is used to activate this firewall. The license information is
        submitted to this URL.




Common License Information window: Contact tab
Use the Contact tab on the Common License Information window to manage the contact information.
Figure 26 Common License Information window: Contact tab




Accessing this tab
1 In the Administration Tool, from the System menu, select Common License Information…. The
  Common License Information window is displayed.

2 Click the Contact tab. The Contact tab of the Common License Information window is displayed.

Fields and buttons
This tab has the following fields:
Note: If a field name is enclosed in parentheses (), the field is optional.

• First Name — Specify the contact's first name.

• Last Name — Specify the contact's last name.

• Email — Specify the contact's e-mail address.

• Primary Phone — Specify the contact's primary phone number.

• (Alternate Phone) — Specify the contact's alternate (secondary) phone number.

• (Fax) — Specify the contact's fax number.

• (Job Title) — Specify the contact's job title.

• (Purchased From) — Specify the name of the supplier.

• (Comment) — Specify any pertinent, concise comment.




      Common License Information window: Company tab
      Use the Company tab on the Common License Information window to specify the company corporate
      address and/or its billing address.
      Figure 27 Common License Information window: Company tab




      Accessing this tab
      1 In the Administration Tool, from the System menu, select Common License Information…. The
        Common License Information window is displayed.

      2 Click the Company tab. The Company tab on the Common License Information window is displayed.

      Fields and buttons
      This tab has the following fields and buttons:
      • Company Name — Specify the name of the company purchasing the Control Center.
      • Industry Classification — Specify the company's industry sector. From the list, select the classification
        that most closely matches the industry.

      Tabs
      This tab also has the following tabs:
      • Company Address — Specify the company address information. For more information, see Company
        Address tab.

      • Billing Address — Specify the billing address for the company. For more information, see Billing Address
        tab.

      Company Address tab
      The Company Address tab has the following fields and buttons. Unless otherwise indicated, you must
      specify a value in each field.
      • Address — Specify the street address at which the company is based, including any suite number or
        department information, and so on.

      • City — Specify the name of the city in which the company is based.




• State / Province — Specify the name of the state in which the US company is based.
   Note: All predefined state names apply to US companies. For non-US companies, select Other… and complete
   the State / Province (Non-US) field.

• State / Province (Non-US) — Specify the name of the state or province in which the non-US company
  is based.

• Postal (zip) Code — Specify the five-digit ZIP code of the US company or the alphanumeric postal code
  of the non-US company.

• Country — Specify the name of the country in which the company is based.

Billing Address tab
The Billing Address tab has the following fields and buttons. Unless otherwise indicated, you must specify a
value in each field.
• Copy From Company Address — If the company address and the billing address are identical, click this
  button to copy all of the information from the Company Address tab to this tab. You can also use this
  button if the two addresses differ only slightly: copy the company address into this tab and then make
  the minor changes.

• Address — Specify the billing address number and street name, including any suite number or
  department information, and so on.

• City — Specify the name of the city for the billing address.

• State / Province — Specify the name of the state for the US billing address.
   Note: All predefined state names apply to US companies. For non-US companies, select Other... and complete
   the State / Province (Non-US) field.

• State / Province (Non-US) — Specify the name of the state or province for the non-US billing address.

• Postal (zip) Code — Specify the five-digit ZIP code of the US billing address or the alphanumeric postal
  code of the non-US billing address.

• Country — Specify the name of the country for the billing address.

• Clear — Clear all of the fields on the Billing Address tab.


Configuring Control Center network settings
Use the Network Settings window to view and change Control Center settings such as:
• Host name

• Servers:

   • Network Time Protocol (NTP)

   • Domain Name System (DNS)

   • Mail

• Network interfaces:

   • IP address

   • Net mask

   • Broadcast

   • Gateway

• Static Routes




      Figure 28 Network Settings window




      Accessing this window
      In the Administration Tool, from the System menu, select Network Settings. The Network Settings
      window is displayed.

      Tabs
      This window has the following tabs:
      • General — Specify general settings for this network node. For more information, see Network Settings
        window: General tab on page 116.

      • Interfaces — Specify settings for the interfaces on this node. For more information, see Network Settings
        window: Interfaces tab on page 118.

      • Static Routes — Specify settings for the static routes on this node. For more information, see Network
        Settings window: Static Routes tab on page 119.

      Network Settings window: General tab
      Use the General tab on the Network Settings window to specify general settings for this network node. To
      view the fields on this tab, see Figure 28 on page 116.

      Accessing this tab
      1 In the Administration Tool, from the System menu, select Network Settings. The Network Settings
        window is displayed.

      2 Click the General tab. The General tab of the Network Settings window is displayed.




Fields and buttons
This tab has the following fields and buttons:
• Node name — Specify the fully qualified domain name (FQDN) for this node (for example,
  mgmtServer.companyname.com).

   If you change the node name:

   • Each firewall that was connected to the Control Center Management Server with the previous FQDN
     must be re-registered.

   • The web server (Tomcat) will restart, the client connection will be lost, and you will be prompted to log
     in again.

   • If you are using the High Availability (HA) feature, before you modify the node name, you must remove
     HA by running the High Availability Removal Wizard. Then you can change the node name and then
     run the High Availability Setup Wizard to resume HA operations.

• NTP configuration — Use the fields in this area to configure the Control Center Management Server as
  a client of up to three NTP servers. The following fields are available:
   • Use NTP to synchronize system clock — Determines whether to use NTP to synchronize the system
     clock. The default value is cleared.

   • NTP Server — [Read-only unless the Use NTP to synchronize system clock checkbox is selected]
     Specify the IP address for each NTP server. (Up to three servers are allowed.)

• DNS configuration — Use the fields in this area to configure DNS servers. Use the Control Center local
  domain name to specify a single domain that is searched when a host name (not an FQDN) is given in a DNS
  lookup. A maximum of three DNS servers can be configured. The following fields are available:

   • Domain name — Specify the Control Center local domain name (such as example.net).

   • DNS Server — Specify the IP address for each DNS server.

• Mail configuration — Use the field in this area to configure the mail server.

   • Mail server — Specify the full name (for example, mailhost.example.com) or IP address of the mail
     server.
       Note: If you change the mail server name, the web server (Tomcat) will restart, the client connection will
       be lost, and you will be prompted to log in again.




      Network Settings window: Interfaces tab
      Use the Interfaces tab on the Network Settings window to configure the interfaces on this node.
      Figure 29 Network Settings window: Interfaces tab




      Accessing this tab
      1 In the Administration Tool, from the System menu, select Network Settings. The Network Settings
        window is displayed.

      2 Click the Interfaces tab. The Interfaces tab on the Network Settings window is displayed.

      Fields and buttons
      This tab has the following fields:
      • Enabled — Determines whether, after you click OK, the selected network interface is brought up or down.
        If this checkbox is selected, whenever the Control Center Management Server reboots, the selected
        network interface is brought up. If this checkbox is cleared, whenever the Control Center Management
        Server reboots, the selected network interface is not brought up.

      • Name — [Read-only] Displays the name of the network device.

      • IP Address — Specify the IP address for the interface.

      • Netmask — Specify the network mask for the interface.

      • Broadcast — Specify the broadcast IP address for the interface.

      • Speed/Duplex — Select the speed and duplex setting for the interface.




Network Settings window: Static Routes tab
Use the Static Routes tab on the Network Settings window to configure the static routes for this node.
Figure 30 Network Settings window: Static Routes tab




Accessing this tab
1 In the Administration Tool, from the System menu, select Network Settings. The Network Settings
  window is displayed.

2 Click the Static Routes tab. The Static Routes tab of the Network Settings window is displayed.

Fields and buttons
This tab has the following fields:
• Default gateway — Specify the IP address for the default gateway.
• Type — Select the type of route (Host or Network).

• Destination — Specify the destination IP address for the route.

• Netmask — Specify the network mask for the route. If Host is selected in the Type field, this field is
  automatically set to 255.255.255.255. If Network is selected in the Type field, specify the network mask
  for the route.

• Gateway — Specify the gateway IP address for the route.
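
The Interfaces and Static Routes settings above can be sanity-checked before they are applied. The following Python is an added example, not part of the Control Center: the Interface and StaticRoute records and the validate function are assumptions, and the rule that a gateway must lie on the subnet of an enabled interface is a standard routing check that this guide does not itself state.

```python
"""Sanity checks for the Network Settings fields: Interfaces tab (IP Address,
Netmask, Broadcast, Enabled) and Static Routes tab (Type, Destination,
Netmask, Gateway, Default gateway).  Added example, not product code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional

HOST_MASK = "255.255.255.255"      # page: forced into the Netmask field when Type is Host


@dataclass
class Interface:
    name: str                      # read-only device name in the GUI
    ip: str
    netmask: str
    broadcast: str
    enabled: bool = True           # the Enabled checkbox


@dataclass
class StaticRoute:
    route_type: str                # "Host" or "Network", as in the Type field
    destination: str
    gateway: str
    netmask: Optional[str] = None  # ignored for Host routes

    def effective_netmask(self) -> str:
        """Host routes always get a /32 mask; Network routes must supply one."""
        if self.route_type == "Host":
            return HOST_MASK
        if self.netmask is None:
            raise ValueError("a Network route requires a netmask")
        return self.netmask

    def network(self) -> IPv4Network:
        # strict=True rejects a destination that has host bits set under the mask
        return IPv4Network(f"{self.destination}/{self.effective_netmask()}", strict=True)


def validate(interfaces: List[Interface], default_gateway: str,
             routes: List[StaticRoute]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    onlink: List[IPv4Network] = []         # subnets of enabled interfaces
    for intf in interfaces:
        try:
            iface = IPv4Interface(f"{intf.ip}/{intf.netmask}")
        except ValueError as exc:
            findings.append(f"{intf.name}: {exc}")
            continue
        expected = str(iface.network.broadcast_address)
        if intf.broadcast != expected:
            findings.append(f"{intf.name}: broadcast {intf.broadcast} does not match {expected}")
        if intf.enabled:
            onlink.append(iface.network)

    def reachable(gateway: str) -> bool:
        # assumption (not stated by the guide): a gateway must be on a directly connected subnet
        addr = IPv4Address(gateway)
        return any(addr in net for net in onlink)

    if not reachable(default_gateway):
        findings.append(f"default gateway {default_gateway} is not on any enabled interface subnet")
    for route in routes:
        try:
            net = route.network()
        except ValueError as exc:
            findings.append(f"route to {route.destination}: {exc}")
            continue
        if not reachable(route.gateway):
            findings.append(f"route to {net}: gateway {route.gateway} is not on any enabled interface subnet")
    return findings
```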




System settings
       Several important system-wide configuration settings are managed from the System menu of the
       Administration Tool. This menu provides access to the following:
       • Access to the Control Center License Management window. (For more information, see Control Center
         Management Server licensing on page 104.)

       • Access to the System Settings window.

       • Access to the Backup Server Status page that is used to view the status condition of the backup
         Management Servers if the High Availability (HA) Management Server option is configured for your
         operation. For more information, see Viewing the status of your backup Management Servers on
         page 122.

       You can also use the System Settings window on this menu to configure the following:
       • Specify the disclaimer information that is displayed when users log in to any of the tools in the Control
         Center Client Suite.

       • Specify the number of times that a user can fail to authenticate before being locked out.

       • Specify the length of time that a user is locked out after failing to authenticate.

       • Specify the default, system-wide number of minutes that a user can be inactive (no keyboard activity
         or mouse movement) before he or she must re-authenticate to access the system.

       Disclaimer information
       The Control Center can display custom disclaimer information on the login page of each tool in the
       Control Center Client Suite. You can use this information for any purpose. For example, you can post
       general information of interest to users on other shifts about Control Center operations or configuration
       changes. The same information is displayed on the login page of every tool in the Client Suite.
       You can specify information directly on the System Settings window or you can browse for a previously
       created ASCII flat file to use.
       Caution: When you are writing the disclaimer information, if you press Enter for a line feed (advancement to the
       next line), the disclaimer will close. To insert line feeds, press Ctrl+Enter.

       Locking out users
       To control firewall administration, most organizations tightly control the number of failed login
       authentication attempts that are allowed before the user is temporarily locked out. You can also control the
       length of time during which the user is prevented from authenticating. You can configure the default
       amount of time that a user can be idle (that is, with no mouse movement) before having to
       re-authenticate.
       Each of these settings is managed in the System Settings window. Your system operators can impose the
       level of security that is appropriate for your organization.




Configuring system settings
Use the System Settings window to configure several system-wide settings that are applicable across all of
the tools in the Client Suite.
Figure 31 System Settings window




Accessing this window
In the Administration Tool, from the System menu, select System Settings. The System Settings window
is displayed.

Fields and buttons
This window has the following fields and buttons:
• Control Center client disclaimer — Specify the disclaimer information in the provided text area. This
  field supports only flat ASCII text; HTML is not supported.
   Caution: When you are composing the disclaimer, pressing Enter does not produce a line feed; it closes the
   disclaimer. Press Ctrl+Enter to insert a line feed instead.

• Force disclaimer popup each login — Determines how often new disclaimer text is shown when a user logs
  in to the Management Server from any Client Suite application. If this checkbox is cleared, the next user to
  open a login window sees a New Disclaimer Warning window that displays the new or changed disclaimer; all
  subsequent users see the new disclaimer on the login window of every tool in the Client Suite. If this
  checkbox is selected, the new disclaimer is displayed on the login page every time a user logs in to the
  Management Server from any tool.

   To use a previously created text file as the disclaimer notice, click the browse button.

• Force ticket value — Determine whether to force the user to start a ticket when a change is made. The
  default value is cleared.

• Create backup at start of ticket — Determine whether to create a configuration backup when a ticket
  is started. The default value is cleared.

• Failed Attempts Before Locking Out Accounts — Specify the number of times that a Control Center
  user can fail to authenticate before being locked out of the system. The user is locked out for the number
  of minutes that is set in the Minutes Account Locked Out field. A value of 0 allows an unlimited number
  of failed attempts; the user is never locked out in that case. The default value is 3.




      • Minutes Account Locked Out — Specify the number of minutes that a user is locked out after failing to
        authenticate the number of times that is specified in the Failed Attempts Before Locking Out Accounts
        field. Set a reasonable number of minutes: the locked-out user cannot re-authenticate for the stated
        period, and the only way to shorten it is for the administrator to delete and re-create the user. The
        default value is 30 minutes.

      • Default Application Timeout — Specify the number of minutes of inactivity (that is, with no mouse
        movement) that will be tolerated before requiring the user to re-authenticate. This is the default,
        system-wide setting. Each user can be assigned to this value or to a custom-created application timeout
        period that is created by using the Timeout tab of the Control Center User Manager window. The default
        value is 120 minutes. For more information, see Control Center User Manager window: Application
        Timeout tab on page 87.
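
To make the interaction of these three settings concrete, the following Python models the lockout and idle-timeout behaviour as described above, including the 0 = unlimited case and the fact that a lockout can only be ended early by deleting and re-creating the user. It is an added example, not product code: the class names, the clock passed in as minutes, the per-user timeout override and the audit event list are assumptions.

```python
"""Account lockout and idle-timeout policy modelled on the System Settings
fields Failed Attempts Before Locking Out Accounts, Minutes Account Locked
Out and Default Application Timeout.  Added example, not product code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNLIMITED = 0   # page semantics: 0 failed attempts means the user is never locked out


@dataclass
class LockoutPolicy:
    failed_attempts_before_lockout: int = 3    # page default
    minutes_account_locked_out: int = 30       # page default
    default_application_timeout: int = 120     # page default, minutes of inactivity


@dataclass
class Account:
    failed_attempts: int = 0
    locked_until: Optional[float] = None       # clock value in minutes; None = not locked
    last_activity: Optional[float] = None      # last keyboard or mouse event
    timeout_override: Optional[int] = None     # custom application timeout, if one is assigned


@dataclass
class AuthService:
    policy: LockoutPolicy
    passwords: Dict[str, str]                  # constructed credentials for the example only
    accounts: Dict[str, Account] = field(default_factory=dict)
    events: List[Tuple[str, str, float]] = field(default_factory=list)   # (event, user, when)

    def _account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def is_locked(self, user: str, now: float) -> bool:
        acct = self._account(user)
        if acct.locked_until is None:
            return False
        if now >= acct.locked_until:
            # the lockout period has elapsed: the failure counter starts again from zero
            acct.locked_until = None
            acct.failed_attempts = 0
            return False
        return True

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'locked' or 'bad_password'."""
        acct = self._account(user)
        if self.is_locked(user, now):
            return "locked"                    # the correct password is also rejected while locked
        if self.passwords.get(user) == password:
            acct.failed_attempts = 0
            acct.last_activity = now
            return "ok"
        acct.failed_attempts += 1
        limit = self.policy.failed_attempts_before_lockout
        if limit != UNLIMITED and acct.failed_attempts >= limit:
            acct.locked_until = now + self.policy.minutes_account_locked_out
            self.events.append(("lockout", user, now))   # an event worth forwarding to a SIEM
            return "locked"
        return "bad_password"

    def activity(self, user: str, now: float) -> None:
        """Record keyboard or mouse activity for the idle-timeout check."""
        self._account(user).last_activity = now

    def needs_reauth(self, user: str, now: float) -> bool:
        """True once the user has been idle for the applicable application timeout."""
        acct = self._account(user)
        if acct.last_activity is None:
            return True
        timeout = acct.timeout_override
        if timeout is None:
            timeout = self.policy.default_application_timeout
        return now - acct.last_activity >= timeout

    def delete_and_recreate(self, user: str) -> None:
        """The guide's only way to end a lockout early: delete and re-create the user."""
        self.accounts[user] = Account()
```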


      Viewing the status of your backup Management Servers
      Use the Backup Server Status page to view a visual indication of the status condition that is associated with
      each Management Server in your current configuration. This page displays only the condition of the backup
      Management Servers, and only if the High Availability (HA) Management Server option for the Control
      Center Management Servers was configured and installed. For more information, see High Availability (HA)
      on page 136.
      Figure 32 Backup Server Status page (without a backup server configured)




      Accessing this page
      In the Administration Tool, from the System menu, select Backup Server Status. The Backup Server
      Status page is displayed.

      Fields and buttons
      This page has the following fields and buttons:
      • Name — [Read-only] Displays the node name of the associated backup Management Server.

      • Status — [Read-only] Displays the status condition of the associated backup Management Server as of
        the last time that this page display was refreshed.

      • Replication Status — [Read-only] Displays the status of the synchronization attempt for this backup
        server with the primary server.



• Last Replication Time — [Read-only] Displays the timestamp for the last time that this synchronization
  occurred.

• Refresh — Refresh the displayed status.


Creating backup files of your Management Server data by using the GUI
Use the Backup Control Center System window to create a new backup file of the Control Center
Management Server data or to replace an existing backup file. Use the fields and buttons on this window to
specify the scope of the backup and (optionally) the off-box backup location.
You can create a new backup or replace an existing backup. If an existing backup file or a scheduled backup
file is highlighted in the Existing Backups table and you click Replace, you can specify a new backup name
and description and the new backup will replace the previously saved backup.
The resulting backup file can be restored by using the Restore System from Backup window. For more
information, see Managing configuration data for the Management Server on page 23.
Figure 33 Backup Control Center System window




      Accessing this window
      If configuration domains have been activated (for more information, see Configuration domains on
      page 92):
         In the Administration Tool, from the System menu, select Backup System. The Backup Control Center
         System window is displayed. Note that only those users with configuration domain administrative
         privileges have access.

      If configuration domains have not been activated:
         In the Administration Tool, from the System menu, select Backup System.
         or
         In the Configuration Tool, from the System menu, select Backup System.

         The Backup Control Center System window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Backup Name — Specify a name for the backup configuration that is being generated.

      • Full system backup — Determines whether the backup that is being performed is a full system backup.
        A full system backup file can be used to restore a failed system. The full system backup that is
        generated by this window does not contain the backup files from /opt/security/var/gccserver/cfgbackups
        or /opt/security/var/gccserver/nightlybackups, nor the firewall audit logs from
        /opt/security/var/gccserver/auditlogs. To back up these files, see Managing configuration data for the
        Management Server on page 23.

         If you do not select this checkbox, only the cg_configuration database is included in this backup file,
         which includes all of the firewall configuration data, configurable objects, certificates, and similar data.
         For more information, see Managing configuration data for the Management Server on page 23.

      • Description — Provide a meaningful description of the reason that this backup was created.

      • Backup Encryption — Use the fields in this area to provide the custom passphrase that is assigned to
        this backup file for encryption purposes. The following fields are available:

         • Use the following custom passphrase — Determines whether a passphrase is assigned to this
           backup file. The default value is cleared. However, if this checkbox is selected, you must also specify
           values in the following two fields:

             • (passphrase) — Specify the passphrase for this file.

             • Confirm — Specify the same passphrase again (that you specified in the previous field) in this field.

      • Schedule Backup — Use the fields in this area to determine whether a backup will be scheduled and the
        frequency at which it will run if it is scheduled.

         • Schedule — Determines whether you will configure a schedule for a backup.

         • Run at — Specify the time (in hh:mm:ss AM/PM format) at which the backup will run on the day or
           days that you specify.

         • Frequency — Use the field in this area to determine the frequency at which the backup will be run.

             • Perform this backup — Specify the frequency at which the backup will be run. The default value
               is One time. The value that you select in this field determines the fields that are displayed in the
               Schedule area.

      • Schedule — The fields that are displayed in this area depend on the value that you select in the Perform
        this backup list. Use the fields in this area to configure the details of the frequency at which the backup
        will run.




   • Run on date — [Available only if One time is the value that is selected in the Perform this backup
     field] Click the down arrow to display a calendar in which you can select the day and date on which the
     backup will run.

   • Every n day(s) — [Available only if Daily is the value that is selected in the Perform this backup
     field] Select the frequency (in days) at which the backup will run.

   • Every n week(s) — [Available only if Weekly is the value that is selected in the Perform this backup
     field] Select the frequency (in weeks) at which the backup will run. You can then select one or more
     days of each week at which the backup will run.

   • Day n of the month — [Available only if Monthly is the value that is selected in the Perform this
     backup field] Select the day of the month on which the backup will run. Use this field to select a specific
     day and then select or clear the individual months as needed.

       To select a day by its position in the month (for example, the second Tuesday of the month), select
       The ordinal day_of_the_week field instead. Then select the months.

   • The ordinal day_of_the_week — [Available only if Monthly is the value that is selected in the
     Perform this backup field] Select a day and day of the week on which the backup will run. Use this
     field to select the day of the week and then select or clear the individual months as needed.

       To select a specific day of the month, select Day n of the month instead.
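
The Monthly options above (Day n of the month versus The ordinal day_of_the_week, each restricted to selected months) are the easiest to misread when checking whether a scheduled backup will actually fire: day 31 never runs in a 30-day month, and a fifth Tuesday does not exist every month. The following Python computes the next run for those options. It is an added example, not product code; the function names, the weekday numbering (0 = Monday) and the LAST encoding for the last occurrence of a weekday are assumptions.

```python
"""Next-run computation for the Monthly options of the Schedule area: Day n of
the month, or The ordinal day_of_the_week, each restricted to selected months.
Added example, not product code."""
import calendar
from datetime import date, datetime, time
from typing import Iterable, Optional

LAST = -1   # assumption: "last <weekday> of the month" is encoded as ordinal -1


def day_of_month(year: int, month: int, day: int) -> Optional[date]:
    """'Day n of the month'; None when the month is too short (day 31 in April)."""
    if day > calendar.monthrange(year, month)[1]:
        return None
    return date(year, month, day)


def ordinal_weekday(year: int, month: int, ordinal: int, weekday: int) -> Optional[date]:
    """'The <ordinal> <day_of_the_week>': ordinal 1..5 or LAST, weekday 0 = Monday .. 6 = Sunday."""
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [date(year, month, d) for d in range(1, days_in_month + 1)
               if date(year, month, d).weekday() == weekday]
    if ordinal == LAST:
        return matches[-1]
    return matches[ordinal - 1] if 1 <= ordinal <= len(matches) else None   # no fifth Tuesday


def next_monthly_run(after: datetime, run_at: time, months: Iterable[int],
                     day: Optional[int] = None, ordinal: Optional[int] = None,
                     weekday: Optional[int] = None) -> Optional[datetime]:
    """First run strictly after `after`, or None if nothing falls within two years."""
    if (day is None) == (ordinal is None):
        raise ValueError("choose either Day n of the month or an ordinal weekday")
    if ordinal is not None and weekday is None:
        raise ValueError("an ordinal schedule needs a day of the week")
    selected = set(months)
    year, month = after.year, after.month
    for _ in range(24):                       # 24 months visits every selected month twice
        if month in selected:
            if day is not None:
                candidate_day = day_of_month(year, month, day)
            else:
                candidate_day = ordinal_weekday(year, month, ordinal, weekday)
            if candidate_day is not None:
                candidate = datetime.combine(candidate_day, run_at)
                if candidate > after:
                    return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1
    return None


def next_monthly_run_iso(after_iso: str, run_at_iso: str, months: Iterable[int],
                         **options) -> Optional[str]:
    """String front end for next_monthly_run: ISO 8601 in, ISO 8601 out."""
    result = next_monthly_run(datetime.fromisoformat(after_iso),
                              time.fromisoformat(run_at_iso), months, **options)
    return None if result is None else result.isoformat()
```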

• Backup Destination — Use the fields in this area to specify the location where the backup file is stored.

   • Control Center server — Select this option to specify that the backup will be stored on this Control
     Center Management Server in the /opt/security/var/gccserver/cfgbackups directory.

   • Remote location — Select this option to store the backup in a remote, off-box location. If you select
     this checkbox, you must also select a location. As part of this backup process, the backup file is first
     stored locally on the Management Server in the following directory:

       /opt/security/var/gccserver/cfgbackups

       It is then transferred to the location that is specified in the other fields in this area. The dbadmin
       Linux account (if enabled) has access privileges to this directory.

       If <New> is displayed, you have either just selected the Remote location option or you have not yet
       created a remote location. Use the remaining fields in this area to configure the information for the
       remote location.

   • Export using — Specify the protocol to use for this exportation. The following values are available:

       • SCP — Indicates that Secure Copy over SSH will be used for this transfer.

       • FTP — Indicates that the File Transfer Protocol will be used for this transfer.

       • FTPS — Indicates that FTP Secure (FTP over SSL/TLS) will be used for this transfer.

       The secure ftp user account has the permissions required to write to the Management Server
       directories. The protocol that is used to export the archives to the Management Server is SCP.
   • Host name — Specify the host name or IP address of the remote location that will be used for this
     transfer.
   • Port — Specify the port for the remote location that will be used for this transfer. The default value
     varies, depending on the value that is selected in the Export using field. If SCP is selected, the default
     value is 22. If FTP is selected, the default value is 21. If FTPS is selected, the default value is 990.

   • Directory — Specify the directory on the remote system where the configuration files are stored. If
     the remote system is a firewall, the administrator’s home directory is the default.

   • User Name — Specify the user name of a user on the remote system. If this is a firewall, this user is
     a firewall administrator.




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                     125
System settings




         • Password — Specify the password that is used to authenticate the user on the remote system.

         • Confirm — Specify the same password value that was specified in the Password field for confirmation.

      • Existing Backups — Use the fields in this table to view the previously saved backup configurations.

         • Backup Name — [Read-only] Displays the name of the backup configuration that was generated.

         • Date Created — [Read-only] Displays a time stamp when the associated backup was created.

         • Created By — [Read-only] Displays the Control Center user who created the backup.

         • Active — [Read-only] Displays the status of the configuration. The following values are available:

             • Y — Indicates that this configuration is currently being used by the McAfee Firewall Enterprise
               Control Center.

             • N — Indicates that the configuration is not the currently active one.

             • R — Temporarily indicates that a restoration of this configuration is currently in progress.
         • Full — [Read-only] Displays the scope of the backup at the time that it was created. If this value is Y
           (Yes), the backup is a full system backup.

         • Status — [Read-only] Displays the status of the backup.

         • Frequency — [Read-only] Displays the frequency at which this backup was run.

         • Remote Location — [Read-only] Displays the URL of the remote location where the backup was
           stored off-box.
         • Description — [Read-only] Displays the description text that was created when the backup was
           created.

      • Add — Save the backup configuration information. You are prompted to specify the password of the
        remote server again. If there are any validation issues, the appropriate validation window is displayed.

         If you have created a schedule for this backup, it will be started when the scheduled date and time is
         reached. If you have not scheduled this backup, it will start immediately.
      • Replace — Replace the failed or scheduled backup with the backup configuration that you have just
        configured.

      • Cancel — Cancel the backup and close this window.
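The recurrence options described above (Every n day(s), Every n week(s), Day n of the month and The ordinal day_of_the_week, each limited to the months you select) can be modelled to compute when the next backup is due and to flag a schedule whose newest Date Created in the Existing Backups table is older than the last run that should have happened. This is an added example, not part of the guide or of the Control Center product; the Schedule fields, the decision to skip a month that lacks the selected day, and the sample dates are assumptions.

```python
"""Next-run and missed-run calculation for a backup schedule (added example)."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set


def parse_day(text: str) -> date:
    """Parse an ISO date such as the day part of a Date Created time stamp."""
    return date.fromisoformat(text)


@dataclass
class Schedule:
    """Assumed model of the schedule fields; names mirror the window's labels."""
    mode: str                              # "daily", "weekly" or "monthly" (Perform this backup)
    start: date                            # anchor date the recurrence is counted from
    interval: int = 1                      # n in "Every n day(s)" / "Every n week(s)"
    weekdays: Set[int] = field(default_factory=set)  # weekly: 0=Mon .. 6=Sun
    months: Set[int] = field(default_factory=lambda: set(range(1, 13)))  # selected months
    day_of_month: Optional[int] = None     # "Day n of the month"
    ordinal: Optional[int] = None          # "The ordinal day_of_the_week": 1..5, -1 = last
    ordinal_weekday: Optional[int] = None  # 0=Mon .. 6=Sun for the ordinal form


def nth_weekday(year: int, month: int, ordinal: int, weekday: int) -> Optional[date]:
    """The ordinal-th weekday of a month (e.g. second Tuesday), or the last one
    when ordinal == -1.  None when the month has no such day (a fifth Tuesday)."""
    last = calendar.monthrange(year, month)[1]
    days = [date(year, month, d) for d in range(1, last + 1)
            if date(year, month, d).weekday() == weekday]
    if ordinal == -1:
        return days[-1]
    return days[ordinal - 1] if 1 <= ordinal <= len(days) else None


def _week_index(d: date, anchor: date) -> int:
    """Whole weeks between the Monday of the anchor's week and the Monday of d's week."""
    def monday(x: date) -> date:
        return x - timedelta(days=x.weekday())
    return (monday(d) - monday(anchor)).days // 7


def runs_on(s: Schedule, d: date) -> bool:
    """True if the schedule fires on calendar day d."""
    if d < s.start:
        return False
    if s.mode == "daily":
        return (d - s.start).days % s.interval == 0
    if s.mode == "weekly":
        return d.weekday() in s.weekdays and _week_index(d, s.start) % s.interval == 0
    if s.mode == "monthly":
        if d.month not in s.months:
            return False
        if s.day_of_month is not None:
            # Assumption: a month without that day (day 31 in February) is skipped.
            return d.day == s.day_of_month
        if s.ordinal is None or s.ordinal_weekday is None:
            raise ValueError("monthly schedule needs day_of_month or an ordinal weekday")
        return d == nth_weekday(d.year, d.month, s.ordinal, s.ordinal_weekday)
    raise ValueError(f"unknown mode {s.mode!r}")


def next_run(s: Schedule, after: date, horizon_days: int = 800) -> Optional[date]:
    """First scheduled day strictly after `after`, searched within the horizon."""
    for i in range(1, horizon_days + 1):
        d = after + timedelta(days=i)
        if runs_on(s, d):
            return d
    return None


def last_scheduled_run(s: Schedule, on_or_before: date) -> Optional[date]:
    """Most recent scheduled day on or before the given date (None if none yet)."""
    d = on_or_before
    while d >= s.start:
        if runs_on(s, d):
            return d
        d -= timedelta(days=1)
    return None


def backup_overdue(s: Schedule, last_backup_created: date, today: date) -> bool:
    """A run was due after the newest backup's Date Created: the backup is missing."""
    due = last_scheduled_run(s, today)
    return due is not None and due > last_backup_created


if __name__ == "__main__":
    # Constructed sample: second Tuesday of every month, anchored on 2009-01-01.
    second_tuesday = Schedule(mode="monthly", start=parse_day("2009-01-01"),
                              ordinal=2, ordinal_weekday=1)
    print("next run:", next_run(second_tuesday, parse_day("2009-01-01")))
    print("overdue:", backup_overdue(second_tuesday, parse_day("2009-01-13"),
                                     parse_day("2009-02-15")))
```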


      Restoring the Management Server configuration files from a backup file
      Use the Restore System from Backup window to:
      • Restore a previously-saved system backup file to the Control Center Management Server.

      • Modify a system backup name or description.

      • Delete a system backup file.

      This action restores the operation of the Control Center Management Server to the configuration that was in
      effect when the backup file was created. For more information, see Managing configuration data for the
      Management Server on page 23.
      Caution: Restoring a configuration will completely overwrite the current Control Center configuration. Exercise
      caution when requesting this action. Ensure that no other users are logged into the Management
      Server when you are restoring a previously saved configuration. This action forces all users that are
      currently logged into the Management Server to log off.








Figure 34 Restore System from Backup window




Accessing this window
In the Administration Tool or in the Configuration Tool, from the System menu, select Restore System.
The Restore System from Backup window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Select the backup to be restored from the following list — Select the backup file from the list of files
  in this tab. This list includes all of the backup system configurations that can be restored.

   • Name — Displays the name that is associated with the backup configuration. You can edit this value.
     Two types of backup configuration file are displayed in this window: user-defined and
     system-generated. The user-defined files are stored either locally or off-box. (The off-box
     locations are indicated by the value in the URL field.) The system-generated configuration files
     were automatically generated before a retrieve was performed. They contain only the cg_configuration
     database data, which includes all of the firewall configuration data, configurable objects data,
     certificates, and similar data.

   • Description — Displays the description that is associated with the backup. You can edit this value.

   • Status — [Read-only] Displays the latest status of any restorations.

   • Full — [Read-only] Specifies whether this backup was a full system backup (Y for Yes) or a partial
     backup (N for No).

   • HA — [Read-only] Displays whether this backup was created on a high availability system (Y for Yes)
     or a standalone system (N for No).

   • Date — [Read-only] Displays a time stamp of the time and date that the backup system configuration
     was created.
   • URL — [Read-only] Displays the URL of the off-box location of the remote backup file.

• Modify — Displays the Backup Details window, in which you can edit the name of the file and its
  description.
• Delete — Delete the selected backup file.

• Upload — Displays the Upload Backup Wizard, in which you can upload a backup file from your Client
  system to the Management Server. Note that this file must have a .bak.des3 filename extension.

• Download — Displays the Save As window, in which you can specify a new name for the configuration
  backup file. Note that you cannot download backup files that have been saved to remote locations.

• Close — Close this window.






      Restoring a configuration backup file
      To restore a backup configuration file:
      1 Click anywhere in the row of the backup file that you want to restore and click Restore.

      2 If this is a local backup, skip to the next step.
         or
         If this backup file is located on a remote server, the Remote Username and Password window is
         displayed.

      3 If you need to change the login information (that is, it has changed since this configuration backup file
         was saved), do so now. Otherwise, click OK. A verification message is displayed.

      4 Click OK. A message is displayed, indicating whether the restoration was successful or unsuccessful.

      5 Click OK. If this was a successful restoration, a warning message is displayed, indicating that all users
         who were previously logged into this Control Center Client tool will be logged off, including you. You will
         need to log into the Control Center again. If this was an unsuccessful restoration, resolve the errors and
         then try this procedure again.

      Editing a system backup file
      To edit a backup configuration file:
      1 In the Restore System from Backup window, double-click the file that you want to edit. The Backup Details
         window is displayed.

      2 Make your changes.

      3 To save your changes, click OK.

      4 Repeat steps 1–3 as needed.

      5 When you have finished, click Close.


      Deleting a system backup file
      To delete a system backup file:
      Note: The Initial Configuration backup file cannot be deleted.

      1 Click the row to be deleted and click Delete.

      2 A confirmation message is displayed. To continue with the deletion, click Yes. Otherwise, click No to
         cancel the deletion.


      Uploading a backup configuration file from the Client to the Management Server
      Use the Upload Backup Wizard to identify a Management Server configuration file that is stored locally on
      the Client machine and make it available to use in a restore operation.

      Accessing this wizard
      1 In the Administration Tool or in the Configuration Tool, from the System menu, select Restore System.
        The Restore System from Backup window is displayed.

      2 Click Upload. The Upload Backup Wizard is displayed.

      Pages and fields

      Step 1 of 2 - Welcome to the Upload Backup Wizard page
      Use this page to specify the local configuration file that you want to upload to your Management Server.
      Note: This filename must have a .bak.des3 filename extension.

      Click Next>>.








Step 2 of 2 - Backup Information page
Use this page to add information about this configuration file and to establish an encryption passphrase if
needed.
This page has the following fields:
• Name — Specify the name for this backup configuration file.

• Description — Specify a description for this configuration file.

• Backup type — Specify the type of backup that this file contains. The following values are available:

   • Configuration — Indicates that only the cg_configuration database will be included in this backup file.

   • Full — Indicates that this will be a full configuration backup that includes all of the firewall configuration
     data, configurable objects, certificates, and similar data.

   • Full backup was created on a high availability system — [Available only if Full is selected in the
     Backup type field] Determines whether the backup file that is being uploaded was created on a high
     availability system. It is very important that you select this checkbox if you are restoring a full
     configuration backup of an HA Management Server. Otherwise, database issues can occur.
• Backup uses custom encryption passphrase — Determines whether to provide a passphrase for this
  backup file. Select this checkbox if a passphrase was specified when this configuration file was created.
  If you select this checkbox, the following two fields are required:

   • Passphrase — Specify the phrase that was used to encrypt this backup file when it was created. After
     you enter this passphrase the first time, it is saved. Therefore, you will not need to specify it again.

   • Confirm — Specify again the same value that you specified in the Passphrase field to confirm this
     passphrase.

Specify values for these fields as needed. If you need to change the filename, click <<Back to go to the
previous page. To continue with the actual upload, click Upload. A transferring message is displayed while
the file is being uploaded. When the upload has completed, a confirmation message is displayed that
includes the checksum for the file if you want to further verify this file on the Management Server. Click OK
and the Wizard closes. Now you can go to the Restore System from Backup window and restore this
configuration to the Management Server.


Changing login information for remote system backups
Use the Remote Username and Password window when you are attempting to restore a configuration file
for the Control Center Management Server that is stored on a remote server and the login information for
that server has changed since this file was saved. When this window is displayed as part of the restoration
process, you can change the information to match the current login information for the remote server.
Figure 35 Remote Username and Password window








      Accessing this window
      This procedure assumes that you have already created a remote backup configuration file. For more
      information about how to do that, see Creating backup files of your Management Server data by using the
      GUI on page 123.
      If configuration domains have been activated (for more information, see Configuration domains on
      page 92):
      1 In the Administration Tool, from the System menu, select Backup System. Note that only those users
         with configuration domain administrative privileges have access. Go to step 3.

      If configuration domains have not been activated:
      In the Administration Tool, from the System menu, select Backup System. Go to step 3.
      or
      In the Configuration Tool, from the System menu, select Backup System. Go to step 3.
      or
      1 In the Configuration Tool, make sure that the Maintenance group bar is selected.

      2 In the Control Center Maintenance tree, double-click Restore Configuration. The Restore System from
         Backup window is displayed.

      3 Highlight the remote backup file (that is, a file that has a URL in the URL field) and click Restore. The
         Remote Username and Password window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Username — Displays the username with which this backup file was saved on the remote server. If this
        name has changed on the remote server since this file was backed up, you must specify the current
        username for this remote server account.

      • Password — Displays the password with which this backup file was saved on the remote server. If this
        password has changed on the remote server since this file was backed up, you must specify the current
        password for this remote server account.

      • Confirm Password — Displays the confirmation password with which this backup file was saved on the
        remote server. If the confirmation password has changed on the remote server since this file was backed
        up, you must specify the current confirmation password for this remote server account.

      • OK — Save any changes that you have made and continue with the restoration process.

      • Cancel — Close this window without continuing with the restoration process.








Setting the date and time on the Management Server
Use the Set Server Date and Time window to modify the date and time on the Control Center Management
Server.
Figure 36 Set Server Date and Time window




Accessing this window
In the Administration Tool, Configuration Tool, and Reporting and Monitoring Tool, from the System menu,
select Set Server Date and Time.... The Set Server Date and Time window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Update Server Date and Time — Determines whether the server date and time are being edited
  according to a specified date and time. The following fields are available:

   • Server Date — Click the down arrow to display a calendar in which you can select the day and date
     for the server date.

   • Server Time (24-hr) — Specify the time of day at which to set the server time. You must use a
     24-hour clock format for this value.

• Update Server Time Zone — Determines whether the server time zone is being edited according to a
  time zone. The following field is available:

   • Time Zone — Select the time zone in which the Control Center Management Server is located.


Restarting the Management Server
You can restart the entire Control Center Management Server. When the restart begins, the Client
application will exit and all pending connections will be closed.
Note: If you perform a restart to invoke new server properties, only the Management Server application will be
affected, not the entire server.

To restart the Management Server:
1 In any Client tool, from the System menu, select Restart Server….

2 Click Yes to restart the server.

   Caution: If you click Yes, the server will be immediately restarted. There is no second confirmation request.

If you had several of the Client tools running when you requested the restart and any of them did not
register the lost connection during the restart, the next time that you send a request from this tool to this
newly restarted server, you will be asked to re-authenticate.








ePolicy Orchestrator settings
       ePolicy Orchestrator® (ePO) provides a scalable platform for centralized policy management and
       enforcement of your security products and the systems on which they reside. It also provides
       comprehensive reporting and product deployment capabilities, all through a single point of control.
       The Control Center and the ePolicy Orchestrator can share data about host objects and firewalls. The
       Control Center can display information that it has obtained from the ePO server about hosts that are
       referenced in a policy or hosts that are passing traffic through the firewall. The ePolicy Orchestrator can
       display health and status information about firewalls and the Control Center Management Server that it has
       obtained from the Control Center.
       To be able to view the data on either the Control Center or on ePO, you must install the McAfee Firewall
       Enterprise ePO Extension on the ePO server. For more information about this, see McAfee Firewall
       Enterprise Control Center 4.0.0.04 Integration Guide for use with McAfee ePolicy Orchestrator 4.0.

       Prerequisites for communicating with the ePolicy Orchestrator server
       To be able to view data from the ePolicy Orchestrator server about hosts on the firewalls, the following
       prerequisites must be met:
       1 The McAfee Firewall Enterprise ePO Extension must be installed on the ePO server that you will configure
          in the ePolicy Orchestrator Settings window.

       2 You must configure settings for the ePO server in the ePolicy Orchestrator Settings window. This is to
          allow the Control Center to communicate with the ePO server. For the ePO server to communicate with
          the Control Center, an ePO user must also be defined on the Control Center.

       3 On this same window, you must have selected the Allow Control Center to retrieve reports from
          the ePO server checkbox.

       After these prerequisites have been met, you can view ePolicy Orchestrator data for individual hosts from
       the host object in the Policy group bar (by right-clicking a host object and selecting Show ePO Data) or
       from the McAfee Firewall Enterprise Audit Report window (by right-clicking the Source IP or the
       Destination IP row value in the report and selecting Show ePO Data). For more information about the
       ePO Host Data report, see Viewing ePolicy Orchestrator host data on page 135.


       Configuring access to the ePolicy Orchestrator server
       Use the ePolicy Orchestrator Settings window to configure the Control Center Management Server to
       communicate with the ePO server. Data can be shared about hosts, firewalls, and the Control Center
       Management Server. The Control Center displays information about hosts, whereas ePO displays health and
       status information about the firewalls and the Control Center Management Server.
       In addition to configuring the Control Center to communicate with the ePO server in this window, you also
       must specify an ePO user (on the Control Center User tab).








Figure 37 ePolicy Orchestrator Settings window




Accessing this window
In the Administration Tool, from the System menu, select ePolicy Orchestrator Settings. The ePolicy
Orchestrator Settings window is displayed.

Tabs and buttons
This window has the following tabs and buttons:
• ePO Reports — Use this tab to configure information about the ePO server so that the Control Center
  can communicate with it. For more information, see ePolicy Orchestrator Settings window: ePO Reports
  tab on page 133.

• Control Center User — Use this tab to create a user who has the ePolicy Orchestrator role. ePO can then
  obtain and display health and status information from the Control Center about firewalls and the Control
  Center Management Server. For more information, see ePolicy Orchestrator Settings window: Control
  Center User tab on page 134.

• OK — Save the changes that have been made on all of the tabs on this window.

• Cancel — Close this window without saving any changes.

ePolicy Orchestrator Settings window: ePO Reports tab
Use the ePO Reports tab of the ePolicy Orchestrator Settings window to identify an ePO server and to
configure settings for the Control Center so that it can obtain and display information from ePO about host
objects that are referenced in the policy or that are passing traffic through the firewall. To view the fields on
this tab, see Figure 37 on page 133.

Accessing this window
1 In the Administration Tool, from the System menu, select ePolicy Orchestrator Settings. The ePolicy
  Orchestrator Settings window is displayed.

2 Make sure that the ePO Reports tab is selected.








      Fields and buttons
      This tab has the following fields and buttons:
      • Allow Control Center to retrieve reports from the ePO server — Determines whether the Control
        Center will be able to retrieve reports from the ePO server. The default value is cleared.

      • ePO Server Information — Use the fields in this area to configure the settings that are required to
        access the ePO server. All of the fields in this area are required if the checkbox is selected. The following
        fields are available:

         • Hostname — Specify the IP address or hostname of the ePO server with which you want the Control
           Center to communicate.

         • Port — Specify the port that will be used to communicate with the ePO Server. The default value is
           8443.

         • Username — Specify the ePO username that is required to access the ePO server.

         • Password — Specify the password for the ePO username.

         • Confirm Password — Specify the same value that you specified in the Password field to confirm this
           password.

      ePolicy Orchestrator Settings window: Control Center User tab
      Use the Control Center User tab of the ePolicy Orchestrator Settings window to create and edit the ePO user
      object in the Control Center User Manager window. You can create only one user with the ePolicy
      Orchestrator role. For more information, see Control Center users on page 81.
      The ePO requires a Control Center user with privileges to obtain and display health and status information
      from the Control Center about firewalls and the Control Center Management Server. When you create the
      ePO user, the user is automatically assigned the ePolicy Orchestrator role, which is available only to one
      ePO user. Additionally, the ePO user will be allowed to access only the ePolicy Orchestrator configuration
      domain, in which read-only access to all firewall objects is allowed, but in which all other object access is
      denied. By default, this user has access to all of the firewalls. However, you can restrict this access on the
      Firewall Access List tab of the Control Center User Manager window.
      Figure 38 ePolicy Orchestrator Settings window: Control Center User tab for first-time user




      Accessing this window
      1 In the Administration Tool, from the System menu, select ePolicy Orchestrator Settings. The ePolicy
        Orchestrator Settings window is displayed.

      2 Select the Control Center User tab.








Fields and buttons
This tab has the following fields and buttons:
• Create User — [Available only if the ePO user has not yet been created] Displays the Control Center User
  Manager window, in which you can create a new user with ePolicy Orchestrator server access. You can
  create only one user with the ePolicy Orchestrator role.

• Username — [Displays only if you have created the ePO user] [Read-only] Displays the name of the ePO
  user.

   • (Edit) — Displays the Control Center User Manager window, in which you can edit information
     about this user.

   • (Delete) — Deletes this user from the Control Center. A confirmation message is displayed. Click
     OK. You will need to create another ePO user to be able to use the ePO functionality.


Viewing ePolicy Orchestrator host data
The ePO Host Data page is a report that displays data about the selected host object. This data is
maintained on the ePolicy Orchestrator server. To display data about a particular host, the host object must
be managed by the ePolicy Orchestrator.

Prerequisites for accessing this report
To be able to view this report, the following prerequisites must be met:
1 The McAfee Firewall Enterprise ePO Extension must be installed on the ePO server that you will configure
   in the ePolicy Orchestrator Settings window.

2 You must configure settings for the ePO server in the ePolicy Orchestrator Settings window. This is to
   allow the Control Center to communicate with the ePO server.

3 On this same window, you must have selected the Allow Control Center to retrieve reports from
   the ePO server checkbox.

Accessing this page
1 In the Configuration Tool, click the Policy group bar.

2 Select the Network Objects node. The subnodes are displayed.

3 Select the Hosts subnode. All of the defined host objects are displayed.

4 Right-click the object for which you want to view ePO data and select Show ePO Data. The ePO Host Data
   page is displayed.

   Note that this option is available only if you have selected the Allow Control Center to retrieve
   reports from the ePO server checkbox on the ePolicy Orchestrator Settings window. You can also
   access this report by generating the audit report and from the McAfee Firewall Enterprise Audit Report
   window, right-clicking the Source IP value or the Dest IP value in any row and selecting Show ePO
   Data.

Fields and buttons
The following fields are available on this page:
• ePO Host Data for host_name — [Read-only] Displays the host name of the object for which this data
  was retrieved.

• Name — [Read-only] Displays the name of the host parameter for which a value is being displayed.

• Value — [Read-only] Displays the value of the host parameter.

• Save — Save the report as an .html file.

• Refresh — Retrieve updated data from the ePO server for this report.








High Availability (HA)
       For the Control Center, the high availability (HA) feature refers to two Control Center Management Servers
       that are configured to work together to provide redundancy and continuity. You will designate one server as
       the primary Management Server and the other as the backup Management Server. The primary and backup
       server roles can be reversed at any time.
       Note: High availability on the firewall refers to firewall cluster configurations. On the Control Center, high
       availability refers to Management Server configurations. For more information on clusters, see McAfee Firewall
       Enterprise (Sidewinder) clusters on page 215.

       The High Availability (HA) Management Server uses this dual-server configuration to continue operations of
       the Control Center Management Server functions if one Management Server becomes unavailable for any
       reason. Although the HA Management configuration provides an effective way to maintain operation if a
       server fails, it is not an automated failover solution. The following diagram illustrates the difference
       between a single-server configuration and an HA configuration.
       Figure 39 High Availability Management Server configuration








            How High Availability (HA) works
            When you configure HA by using the High Availability Setup Wizard, you are prompted to designate the
            primary Management Server. The other server will become the backup server. Subsequently, if you log
            onto the backup server, you are prompted to switch this server to be the primary server. If you agree that
            this is what you want, the backup server is then designated as the primary Management Server.
            The primary Management Server manages your security policy in its database. After HA is configured, the
            database of the backup Management Server is automatically synchronized with the data that is stored in
            the primary Management Server database. This process is referred to as data replication.

            Processing with an active primary Management Server
            The following diagram illustrates the processing that occurs in an HA configuration when the primary is
            active.
Figure 40 High Availability process flow with primary Management Server








      The following legend describes the HA process in this figure:
      1 All of the managed firewalls are communicating with the primary Management Server only.

      2 A user uses one of the Client Tools to access the primary Management Server and to make changes to
          the configuration of one of the managed firewalls.

      3 The backup Management Server can be co-located with the primary server or it can be in a completely
          different location (although a reasonably fast and reliable connection is needed between the two servers).

      4 All changes that are made to the database of the primary server are immediately replicated to the
          database of the backup server.

      Signing into a backup Management Server
      When a user logs into a backup Management Server by using the Client Suite, the next operation depends
      on the current state of the primary Management Server. If the primary Management Server is fully
      operational, a switchover is performed. If the primary Management Server is not operational, a failover is
      performed.

      Switchover versus failover
      A switchover is an orderly transfer of the master database designation from the primary Management
      Server to a backup Management Server. During a switchover, the two nodes are constantly communicating
      to make sure that no transactions are lost. This is the preferred operation.
      In a failover, the transfer of the master database designation still occurs. However, the backup
      Management Server does not wait for acknowledgment from the primary Management Server.
      If a user attempts to log into a backup Management Server, a warning is displayed, indicating that the user
      is attempting to log into the backup Management Server. If the user decides to continue, this server
      becomes the primary Management Server. The previously designated primary Management Server is
      automatically notified about the change and automatically becomes designated as the backup Management
      Server.
      Replication occurs whenever the database of the primary Management Server is updated. Information is
      written to the database of the primary server from the Control Center application. The replication
      subsystem adds these changes to the queue for replication to the database of the backup server. The
      replication typically happens within seconds of any database change. However, if a failure occurs, the
      transactions are queued and are then re-sent as needed.




Processing in a failover HA scenario
The following diagram illustrates the processing that occurs in an HA configuration when the primary
Management Server fails over to the backup Management Server.
Figure 41 High Availability process flow when the primary Management Server fails over to the backup server




The following legend describes the HA process in this figure:
1 A user logs into the backup Management Server and receives a warning that the backup server will
    perform a switchover that will make the backup server the new primary Management Server.

2 The new primary server notifies the other server that it now has the master database.

3 The new primary server starts replicating data from its database to the new backup server after this
    point in time.

4 The new primary server will also notify all of the managed firewalls that it is now the new primary
    server.

5 All changes that are made to the database of the new primary server are immediately replicated to the
    database of the new backup server.




      HA configuration and status support
      The following table provides additional information about configuring and working with HA Management
      Servers.
      Table 6 HA configuration and status support
      Task                                                            Topics
      Configuring HA Management Servers                               Configuring the High Availability (HA) feature on page 140
      Viewing the operational status of the backup Management Server  Viewing the status of your backup Management Servers on page 122
      Removing the HA feature                                         Removing the High Availability (HA) configuration feature on page 143
      Restoring a failed primary HA server                            Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair on page 35
      Restoring a failed backup HA server                             Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair on page 36
      Restoring both failed servers (primary and backup)              Restoring both Management Servers in a high availability (HA) pair that have failed completely on page 37



      Configuring the High Availability (HA) feature
      Use the Control Center High Availability Setup wizard to configure the High Availability (HA) feature on two
      different Management Servers that you designate as a primary and a backup Management Server. The
      purpose of the HA feature is to continue the Management Server processes if the primary Management
      Server is suddenly unavailable for any reason.
      For an overview about the HA feature, see High Availability (HA) on page 136.

      Prerequisites
      Before you begin this configuration process, make sure that the following requirements have been met for
      the two Management Servers that you want to use:
      1 Both Management Servers must be installed and have proper network communication.

      2 Refer to the following table for a list of TCP ports that are required for successful network communication
          for High Availability.
          Table 7 List of TCP port configurations that are required for High Availability
           Port                Description
           Control Center HA Server-to-Control Center HA Server TCP ports
           Port 22             SSH
           Port 5432           Control Center Management Server database
           Port 9005           Control Center Management Server HTTPS/SSL port
           HA Server-to-Firewall TCP ports
           Port 9005           Firewall SSL port for the Control Center
           Firewall-to-Control Center HA Server TCP ports
           Port 7080           Control Center Management Server HTTP port
           Port 9005           Control Center Management Server HTTPS/SSL port
           Port 9006           Control Center utt_server (program for receiving Secure Alerts)
           Control Center Client-to-Control Center Management Server TCP ports
           Note: These ports are required for all client-to-server connections and are not specific to HA.
           Port 9005           Control Center Management Server HTTPS/SSL port
           Port 5432           Control Center Management Server database




3 The backup Management Server must be installed with a ccinit.txt file that is equivalent to the file that
    was installed on the primary Management Server. To configure the backup Management Server:

    a Using the Control Center Initialization Tool (that is started from the Start menu at Start > McAfee >
        McAfee Firewall Enterprise Control Center > Control Center Initialization Tool), load a copy of the
        ccinit.txt file that was used on the primary Management Server.

    b Make any changes that are necessary for the backup Management Server EXCEPT on the User
        Configuration page. That page must be exactly the same on both Management Servers.

    c   Save the modified ccinit.txt file.

        The new ccinit.txt file can now be used to initialize the backup Management Server during
        installation.

4 Both Management Servers must be configured with the same user names and passwords for the following
    accounts:

    • Control Center administrator

    • Management Server administrator (mgradmin)

5 Both Management Servers must be properly licensed. For more information about licensing, see Licensing
    the Control Center Management Server on page 104.

6 Both Management Servers should have the correct server date and time. Use the Set Server Date and
    Time window to set these values. For more information, see Setting the date and time on the Management
    Server on page 131.
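The following script is an added example, not part of this guide or of the Control Center product. It checks that the TCP ports listed in Table 7 answer from the server you run it on, so that a missing firewall rule between the two Management Servers is found before the wizard's replication step fails rather than during it. The host name primary.example is a placeholder for a real Management Server address; demo() exercises the same check against a throwaway listener on the loopback interface so that the script can be tried offline.

```python
"""TCP reachability check for the Control Center HA port list (Table 7).

Added example; not part of the McAfee guide. Host names are placeholders.
"""
import socket
import threading

# Port list taken from Table 7 of the guide, grouped by connection direction.
HA_PORTS = {
    "server-to-server": {22: "SSH", 5432: "Management Server database",
                         9005: "Management Server HTTPS/SSL"},
    "server-to-firewall": {9005: "Firewall SSL port for the Control Center"},
    "firewall-to-server": {7080: "Management Server HTTP",
                           9005: "Management Server HTTPS/SSL",
                           9006: "utt_server (Secure Alerts)"},
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unroutable, or name lookup failed
        return False


def check_ports(host, ports, timeout=2.0):
    """Check each port in `ports` (dict port -> description) against host.

    Returns a dict port -> bool so the caller can report exactly which
    prerequisite connections are missing before running the HA wizard.
    """
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def missing_ports(results, ports):
    """Human-readable list of the ports that did not answer."""
    return [f"{p} ({ports[p]})" for p, ok in sorted(results.items()) if not ok]


def _local_listener():
    """Start a throwaway listener on 127.0.0.1 so the check can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by demo()
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def _closed_port():
    """Find a loopback port that nothing listens on (bind, read the number, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Self-check against loopback: one open port, one closed port.

    Returns (open_port_result, closed_port_result) so the behaviour can be asserted.
    """
    srv, open_port = _local_listener()
    closed = _closed_port()
    try:
        res = check_ports("127.0.0.1", {open_port: "demo listener", closed: "nothing"})
        return res[open_port], res[closed]
    finally:
        srv.close()


if __name__ == "__main__":
    # "primary.example" is a placeholder; substitute the address of the peer server.
    for direction, ports in HA_PORTS.items():
        results = check_ports("primary.example", ports, timeout=1.0)
        print(direction, "missing:", missing_ports(results, ports) or "none")
```

Run it once from each Management Server against the other, and once from a managed firewall toward the Management Servers, because the table lists different ports for each direction; a port that answers from the primary but not from the backup will only show up after a switchover.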

Accessing this wizard
In the Administration Tool, from the System menu, select High Availability Setup Wizard….

Pages and fields

Step 1 of 7 - Welcome page
If you have properly licensed the Management Servers, click Next>>.

Step 2 of 7 - Server Configuration page
Specify the following IP addresses and click Next>>.
Note: These IP addresses must not be the same.

• Primary Management Server IP address — Specify the IP address for the primary Management
  Server to which the backup Management Server connects.
• Backup Management Server IP address — Specify the IP address for the backup Management Server
  to which the primary Management Server connects.

Step 3 of 7 - Verification page
Confirm that the certificate information is valid for the Management Server that is being configured as the
backup Management Server. If it is valid, click Next>>.
To troubleshoot this page if it is not correct:
1 Click <<Previous to go back to the previous page.

2 Make sure that the IP address is correct.

3 If it is correct, contact your network administrator to make sure that you are communicating with the
    expected Management Server.

4 When you have resolved the problem, click Next>>.




      Step 4 of 7 - User Configuration page
      Specify the administrator and Management Server administrator (mgradmin) information for the backup
      Management Server.
      To configure these settings:
      1 To use the same administrator information as you used to log into the Administration Tool, click Use
          current name and password.

      2 Specify the password for the mgradmin account and then re-specify it to verify it.

      3 Click Next>>.

      Step 5 of 7 - Confirmation page
      Preparations for the HA feature configuration are complete. The Create system recovery information
      checkbox is selected as the default value. This will create a backup of your existing configuration. Accept
      this default and click Next>>.

      Step 6 of 7 - Processing page
      The status of the configuration is displayed during the replication process. This process can take a
      considerable amount of time, depending on the amount of data that is stored in the primary Management
      Server database.
      If the HA feature is successfully configured on both of the Management Servers, the Complete page is
      automatically displayed.
      If the configuration is unsuccessful, an error message is displayed. Depending on the progress of the
      wizard, a removal might be automatically performed. The Failure page is displayed.
      Note: If you click Close, this wizard page closes. However, the processing will still continue.

      Step 7 of 7 - Complete page or Failed page
      Depending on the success (Complete page) or failure (Failure page) of the HA feature configuration, one of
      the following pages is displayed.
      • Complete page — If the HA feature configuration is successful, this page is displayed. To view the status
        of your newly configured backup Management Server, see the Backup Server Status page by selecting
        Backup Server Status from the System menu. For information about additional HA feature log files, see
        Viewing additional HA log files on page 142.

          For an unsuccessful configuration, the configuration and removal logs are displayed. There are no
          backup server logs to view.

      • Failed page — If the HA feature configuration was unsuccessful, this page is displayed, along with the
        configuration logs.

          If you still want to configure the HA feature, see Troubleshooting tips after a successful removal on
          page 143.

      Viewing additional HA log files
      If the backup Management Server was successfully configured with the HA feature, there are two different
      types of logs that are generated:
      • Configuration logs that are displayed on the Server Logs page in the High Availability Setup folder. (From
        the System menu, select Server Logs.)

      • Transaction logs that are displayed on the Server Logs page in the High Availability folder. (From the
        System menu, select Server Logs.)

      For more information about the server logs, see Viewing Management Server logs on page 663.




Troubleshooting tips after a successful removal
If your first attempt to configure the HA feature was unsuccessful, but the configuration was successfully
removed, you can use the setup wizard to re-configure it again.
To re-configure the HA feature:
1 Go through the Prerequisites section above. Make sure that both of the Management Servers meet all of
    these requirements.

2 Start the setup wizard again. (From the Tools menu, select High Availability Setup Wizard.)


Removing the High Availability (HA) configuration feature
Use the Control Center High Availability Removal wizard to remove the HA feature on the primary and
backup Management Servers. If you have a failover state, in which the primary Management Server cannot
communicate with the backup Management Server, restore the backup server before removing HA.
However, if this is not possible, you can still remove HA, although an error is reported. For more
information about this and other failover scenarios, see Disaster recovery restoration for Management
Servers on page 33.

Accessing this wizard
In the Administration Tool, from the System menu, select High Availability Removal Wizard….
Note: This menu option is available only if you have previously configured the High Availability (HA) feature on
two of your Management Servers—that is, one primary and one backup Management Server.

Pages and fields

Step 1 of 3 - Welcome page
This page confirms that you want to remove the HA feature. Confirm by clicking Next>.

Step 2 of 3 - Processing page
The status of the configuration is displayed.
If this step is successfully completed, the Complete page is displayed. If this step is not successfully
completed and the HA feature is not successfully removed, the Failed page is displayed.
Note: If you press Close and the processing has not yet completed, the wizard page closes. However, the
processing will continue.

Step 3 of 3 - Complete page or Failed page
One of the following pages is displayed.
• Complete page — The HA feature was successfully removed.

    There are no longer any backup servers displayed on the Backup Server Status page. You can view
    this page by selecting Backup Server Status… from the System menu.

• Failed page — If the HA feature configuration was not successfully removed, this page is displayed.

Verifying the removal
If the removal wizard does not report a successful removal, but you think that it was successfully removed,
use this procedure to verify the removal. This situation can occur if you ran the removal wizard while the
backup server was not running.
To verify that the removal wizard successfully removed the HA feature:
1 Go to the Administration Tool and open the Backup Server Status page. (From the System menu, select
    Backup Server Status….) This window displays the replication status of the backup Management Server.
    If the removal wizard was successful, this page will be blank. Continue on to step 2.

    However, if any data is displayed on this page (for example, the backup Management Server displays a
    status of FAILED), the removal was not successful. Continue on to step 2 and then to step 3.




      2 The removal wizard generates an haStop.log log file. View the contents of this log file in the Server Logs
          window. (From the Administration Tool System menu, select Server Logs…. Then select the High
          Availability Setup node and then the haStop.log node.) If the information at the end of this log indicates
          anything other than that the configuration completed, the removal wizard was not successful.

      3 If either step 1 or 2 or both steps were unsuccessful, you must troubleshoot this problem. Go back to the
          Configuration Tool for the old backup server and try to run the High Availability Removal wizard again. If
          it is not available to you (that is, you see the High Availability Setup menu option as opposed to the High
          Availability Removal menu option), you must contact Technical Support.

      Final note
      After you have successfully run the High Availability Removal Wizard on the primary Management Server,
      there are additional steps that you can take regarding the control of firewalls. See Completing the HA
      removal on a standalone Management Server or on one or two Management Servers of an HA pair on
      page 144.

      Completing the HA removal on a standalone Management Server or on one or two Management
      Servers of an HA pair
      After you have successfully run the High Availability Removal Wizard, there are several additional steps to
      complete, depending on the way in which you want to control the firewalls for those Management Servers.
      The following scenarios are described:
      • Keep firewalls with the former primary server on page 144

      • Keep firewalls with the former backup server on page 144

      • Split firewalls between the two servers on page 144

      Keep firewalls with the former primary server
      To keep management control of all of the firewalls with the former primary server:
      1 Use the Configuration Tool to log into the former primary server.

      2 Apply the configuration to all of the firewalls.

      Keep firewalls with the former backup server
      To keep management control of all of the firewalls with the former backup server:
      1 Use the Configuration Tool to log into the former backup server.

      2 From the System menu, select Device Control…. The Device Control window is displayed.

      3 Select all of the firewalls in the Select Firewalls to control list. In the Control Actions list, select
          Request management control.

      4 Apply the configuration to all of the firewalls.

      Split firewalls between the two servers
      To split management control of the firewalls between the two servers:
      1 Use the Configuration Tool to log into the former primary server.

      2 Apply the configuration to those firewalls that are going to remain under the control of this server.

      3 [Optional — still on the former primary server] Delete the firewalls that are no longer needed (that is,
          that are not going to be managed by this Management Server).

      4 Use the Configuration Tool to log into the former backup server.

      5 Open the Device Control window (by selecting Device Control… from the System menu).

      6 Select all of the firewalls and then select Request management control. Only those firewalls that were
          not applied to in step 2 above will respond to this request.




       7 Remaining on the former backup server, apply the configuration to all of the firewalls. Again, only those
          firewalls that were not applied to in step 2 will succeed.

       8 [Optional — still on the former backup server] Delete the firewalls that are no longer needed (that is, that
          are not going to be managed by this Management Server).



Authentication
       The Control Center supports using an external authentication mechanism, such as a POSIX-compatible
       LDAP or RADIUS server, to provide off-box authentication support for Control Center users.
       This feature currently supports the use of external servers to manage authentication (by password
       management). It does not support Control Center role-based, authorization management. This means that
       Control Center users and their associated passwords can be assigned and managed by using the
       mechanisms that are associated with the selected external servers. However, the Control Center internal
       authentication and authorization database for each Control Center user must be updated and managed for
       each user to support the internal, role-based authorization mechanism.
       The Control Center role-based authorization features are not managed by using the external authentication
       system. This provides a greatly simplified and effective means to centrally manage passwords without
       needing to export a potentially complex role management interface that would be required by the Control
       Center user role and domain configuration management. IT systems management can globally suspend a
       user by using commonly used, centralized password management systems (that are available through the
       use of LDAP or RADIUS servers), without having to manage the role-based authorization management and
       configuration domain access management by using the same mechanism.
       When you use external authentication, you can configure multiple external servers (LDAP or RADIUS) to
       manage the Control Center user passwords. Each identified server is queried in the order that you specify
       (from top to bottom), as displayed in the Control Center User Authentication window.
       Note: When the Control Center Management Server contacts the LDAP server, it does so anonymously.

       Use the Control Center User Authentication window to select the authentication method. If either LDAP or
       RADIUS are selected, identify one or more external servers to use to authenticate Control Center users.
       You can use this window to configure additional server-specific configuration parameters for LDAP and
       RADIUS servers, as well as configurable port information.
       To support the Control Center user role and configuration domain configurations, each Control Center user
       must be defined in the internal and any external LDAP or RADIUS server to support external authentication
       and internal user role authorization requirements. All Management Server users will also require that their
       UNIX user names and passwords are defined in the RADIUS or LDAP servers.
       The Control Center authentication management scheme has an additional failsafe feature: the ability to
       selectively allow designated Control Center users to authenticate into the Management Server by
       presenting the external authentication credentials to the internal authentication system so that they can log
       into the Control Center Management Server if all identified external authentication servers are unreachable.
       You can enable this feature for any number of users by selecting the Allow authentication failback
       checkbox on the Control Center User Manager window.
       To work properly, the values that are specified for the user name and password combination that are held
       in the external authentication servers must be synchronized with the same values that are specified in the
       internal authentication system.
       If none of the specified external authentication servers can be reached to authenticate a Control Center
       client user, a user who is configured with this designation can still authenticate with the Management
       Server by using his or her internal credentials.
       The user name and password synchronization requirement also applies to all Management Server users
       who must have their UNIX user name and password accounts specified in and synchronized with the
       external authentication servers. For Management Server user accounts, all defined UNIX user accounts are
       automatically configured to have alternate internal authentication failover.
       If a Control Center user or Management Server UNIX user account is forced to fail over to internal
       authentication, he or she will automatically switch back to external authentication the next time that he or
       she logs in to a Client Suite client, a shell, or console account.
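The decision logic described above (servers queried in the configured order, role data always taken from the internal record, and internal failback only for users who have the Allow authentication failback checkbox selected and only when every external server is unreachable) is shown below as an added example; it is not the Control Center's own code. The FakeExternalServer and InternalUser classes, the account names and the passwords are constructed for illustration, and one point is an assumption because the guide states only the query order: the first server that answers is treated as final, so a definite rejection is not retried against the next server or against the internal password. That distinction is the security-relevant part: a wrong password must never turn into a failback.

```python
"""Ordered external authentication with selective internal failback.

Added example, not the Control Center's own code. The server and user classes,
the account data and the passwords are constructed for illustration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


class ServerUnreachable(Exception):
    """The external server could not be contacted (network failure or timeout)."""


@dataclass
class FakeExternalServer:
    """Stand-in for an LDAP or RADIUS server; a real one is queried over the network."""
    name: str
    accounts: dict              # user name -> password (constructed test data)
    reachable: bool = True

    def check(self, user, password):
        if not self.reachable:
            raise ServerUnreachable(self.name)
        return self.accounts.get(user) == password


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class InternalUser:
    """Internal record: the role for authorization plus a password hash that is
    kept in sync with the external password so that failback can work."""
    name: str
    role: str
    allow_failback: bool        # the "Allow authentication failback" checkbox
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

    def set_password(self, password):
        self.pw_hash = _pbkdf2(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(self.pw_hash, _pbkdf2(password, self.salt))


def authenticate(user, password, servers, internal_users):
    """Return (accepted, reason).

    Servers are tried top to bottom. Assumption (the guide only gives the
    order): the first server that answers decides, so a definite rejection is
    final and is never retried internally. Failback to the internal password
    happens only when every server is unreachable and the user's record has
    allow_failback set. The role always comes from the internal record.
    """
    record = internal_users.get(user)
    if record is None:
        return False, "no internal record; role-based authorization needs one"
    unreachable = []
    for srv in servers:
        try:
            ok = srv.check(user, password)
        except ServerUnreachable:
            unreachable.append(srv.name)
            continue
        if ok:
            return True, f"accepted by {srv.name}; role={record.role}"
        return False, f"rejected by {srv.name}"
    # Reaching here means every server raised ServerUnreachable.
    if not record.allow_failback:
        return False, f"all servers unreachable {unreachable}; failback not allowed"
    if record.verify(password):
        return True, f"internal failback; role={record.role}"
    return False, "internal failback: password does not match the internal record"


def demo():
    """Constructed scenario: first server down, then both down. Returns the decisions."""
    ldap1 = FakeExternalServer("ldap1", {"alice": "pw-a"}, reachable=False)
    radius1 = FakeExternalServer("radius1", {"alice": "pw-a", "bob": "pw-b"})
    users = {"alice": InternalUser("alice", "admin", allow_failback=True),
             "bob": InternalUser("bob", "viewer", allow_failback=False)}
    users["alice"].set_password("pw-a")   # kept in sync with the external password
    users["bob"].set_password("pw-b")
    order = [ldap1, radius1]
    r1 = authenticate("alice", "pw-a", order, users)[0]   # ldap1 down, radius1 accepts
    r2 = authenticate("bob", "wrong", order, users)[0]    # radius1 rejects; no failback
    radius1.reachable = False
    r3 = authenticate("alice", "pw-a", order, users)[0]   # both down, failback allowed
    r4 = authenticate("bob", "pw-b", order, users)[0]     # both down, failback not allowed
    r5 = authenticate("carol", "x", order, users)[0]      # no internal record at all
    return r1, r2, r3, r4, r5
```

The synchronization requirement from the text is visible in demo(): alice's failback succeeds only because her internal hash was set from the same password the external servers hold. If the two drift apart, the failback path silently stops working and is discovered exactly when it is needed.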


      Configuring Control Center user authentication
      Use the Control Center Authentication Configuration window to identity the type of authentication to be
      used for Control Center users. You can choose between an internal authentication management option or
      an external authentication option, by using either LDAP or RADIUS servers. If you select external
      authentication, additional features to identify and configure one or more RADIUS or LDAP servers are
      available. For information about authentication options for Control Center users, see Authentication on
      page 145.
      Figure 42 Control Center Authentication Configuration window




      Accessing this window
      In the Administration Tool, from the System menu, select Authentication. The Control Center
      Authentication Configuration window is displayed.

      Buttons
      This window has the following buttons:
      • OK — Save the authentication configuration settings.

      • Cancel — Close this window without saving any changes.




Tabs
This window has the following tabs:
• Settings — Specify the authentication method and authentication settings. For more information, see
  Control Center Authentication Configuration window: Settings tab on page 147.

• Authentication Servers — Specify the authentication servers. You can add, edit, or delete servers on
  this tab. For more information, see Control Center Authentication Configuration window: Authentication
  Servers tab on page 150.

Control Center Authentication Configuration window: Settings tab
Use the Settings tab on the Control Center Authentication Configuration window to specify the
authentication method and authentication settings. To view the fields on this tab, see Figure 42 on
page 146.

Accessing this tab
In the Administration Tool, from the System menu, select Authentication. The Settings tab of the Control
Center Authentication Configuration window is displayed.

Fields and buttons
The fields on this tab depend on the value that is selected in the Select Authentication Method field:
• Configuring internal authentication on page 147 — The Control Center Management Server database will
  be used to manage user passwords.

• Configuring LDAP authentication or RADIUS authentication on page 148 — For LDAP authentication, one
  or more Lightweight Directory Access Protocol (LDAP) directory servers will be used to manage Control
  Center user authentication. For RADIUS authentication, one or more Remote Authentication Dial-In User
  Service (RADIUS) servers will be used to manage Control Center user authentication.

Configuring internal authentication
When Internal is selected as the value of the Select Authentication Method field, the following fields and
buttons are displayed:
• User Account Password Policy — Use the fields in this area to specify the password policy that applies
  to users of this Control Center Management Server. The following fields are available:

   • Minimum password length (characters) — Specify the minimum number of characters that are
     required for user passwords. Passwords must contain at least four characters. The default value is 8.

   • Number of passwords in password history — Determines whether a password history will be
     enforced for this user account. Password history prevents users from reusing old passwords for the
     number of password changes that you specify in this field. If you select this checkbox, you must
     specify the number of unique new passwords that must be associated with this user account before an
     old password can be reused. For example, if you specify 3 in this field, the user is not allowed to
     reuse a password until he or she has used three different passwords. Then he or she can reuse the
     original password.

   • Password age (days) — Determines whether the Control Center Management Server will consider
     the number of days since a password has been set to determine whether a password change is
     permitted or required. Use this field to prevent a user from changing his or her password and then
     immediately changing it again. If you select this checkbox, you must also configure a minimum and
     maximum number of days.
       Note: If you select 0 as the value in the Minimum field, the user is not restricted in terms of password age
       or history. He or she can recycle through all of his or her old passwords so that he or she can re-use the
       same password as he or she is currently using. Therefore, to enforce password history and age, you must
       select a value greater than 0 in this field.




         • Require complex passwords — Determines whether users will be required to create complex
           passwords by using the parameters that are specified in the subfields. This configuration is based on
           the following character categories: uppercase, lowercase, numeric, and non-alphanumeric. If you
           select this checkbox, configure the following subfields:

             • Required number of character categories — Specify the number of character categories that
               are required for each user password. For example, if you select 2, the user password can contain
               combinations of any two of categories. The default value is 2.

             • Required number of characters per character category — Specify the number of required
               characters in each character category. The default value is 1.

         • Example of a valid password — [Read-only] Displays an example of a valid password that reflects
           all of the parameters that have been configured and selected on this window.

         • Restore defaults — Overwrite the selected values on this tab with the system default values.
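The following checker is an added example, not the Control Center's own code, written to make the interaction between the fields above concrete. The field names are the guide's; the PasswordPolicy structure, the sample history and the passwords are constructed. It implements the note above literally: with a minimum password age of 0, neither the age nor the history rule is enforced. The example_password() function plays the role of the read-only "Example of a valid password" field, and the history is held in plaintext only to keep the example short.

```python
"""Password policy checker mirroring the Internal authentication fields.

Added example; not the Control Center's own code. Data below is constructed.
"""
from dataclasses import dataclass
import secrets
import string


@dataclass
class PasswordPolicy:
    min_length: int = 8            # Minimum password length (characters); never below 4
    history_size: int = 0          # Number of passwords in password history (0 = off)
    min_age_days: int = 0          # Password age: minimum days before a change is allowed
    max_age_days: int = 0          # Password age: maximum days before a change is required (0 = off)
    require_complex: bool = False  # Require complex passwords
    categories_required: int = 2   # Required number of character categories
    chars_per_category: int = 1    # Required number of characters per character category


# The four character categories named in the guide.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numeric": set(string.digits),
    "non-alphanumeric": set(string.punctuation),
}


def category_counts(password):
    """How many characters of the password fall into each category."""
    return {name: sum(ch in chars for ch in password) for name, chars in CATEGORIES.items()}


def check_new_password(policy, password, history, days_since_last_change):
    """Return a list of violations; an empty list means the password is acceptable.

    `history` holds the user's previous passwords, most recent first.
    """
    problems = []
    floor = max(policy.min_length, 4)          # the field never goes below four characters
    if len(password) < floor:
        problems.append(f"shorter than {floor} characters")
    # Per the guide's note: with a minimum age of 0 neither age nor history is enforced,
    # because the user could cycle through old passwords in a single sitting.
    if policy.min_age_days > 0:
        if days_since_last_change < policy.min_age_days:
            problems.append(f"changed {days_since_last_change} days ago; "
                            f"minimum age is {policy.min_age_days}")
        if policy.history_size > 0 and password in history[:policy.history_size]:
            problems.append(f"matches one of the last {policy.history_size} passwords")
    if policy.require_complex:
        counts = category_counts(password)
        satisfied = sum(1 for n in counts.values() if n >= policy.chars_per_category)
        if satisfied < policy.categories_required:
            problems.append(f"only {satisfied} of {policy.categories_required} character categories "
                            f"have at least {policy.chars_per_category} character(s)")
    return problems


def change_required(policy, days_since_last_change):
    """True once the maximum age has elapsed and the user must pick a new password."""
    return policy.max_age_days > 0 and days_since_last_change >= policy.max_age_days


def example_password(policy):
    """Build a password that satisfies the policy, like the read-only example field."""
    names = list(CATEGORIES)[:policy.categories_required] if policy.require_complex else ["lowercase"]
    chars = [secrets.choice(sorted(CATEGORIES[n])) for n in names
             for _ in range(policy.chars_per_category)]
    while len(chars) < max(policy.min_length, 4):       # pad up to the minimum length
        chars.append(secrets.choice(string.ascii_lowercase))
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```

Note what the minimum age of 0 buys an attacker who already holds a user's old password: the user can be told to rotate, and the rotation can immediately cycle back to the compromised value. Setting the minimum age to at least 1 day is what makes the history count meaningful.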

      Configuring LDAP authentication or RADIUS authentication
      Standalone LDAP directory servers have become popular in enterprises because they remove the need to
      deploy an OSI network stack: LDAP runs directly over TCP/IP.
      Note: When the Control Center Management Server contacts the LDAP server, it does so anonymously.

      When the RADIUS server is used for user authentication, the values that were specified in the Control
      Center user name and password fields in the login window are passed to a RADIUS server over the RADIUS
      protocol. The RADIUS server checks that the information is correct. If the server accepts the information, it
      will then authorize access to the Control Center Management Server.
      When you select LDAP or RADIUS as the value in the Select authentication method field, the following
      fields are available on this tab:
      • Select Authentication Servers — Use the lists in this area to identify the defined servers (LDAP or
        RADIUS, depending on the selected authentication method) and the order in which to use them to
        authenticate the Control Center user. The servers are specified by using the fields on the Authentication
        Servers tab.

         • Selected Servers — Displays the list of servers to use and the order in which to use them (from top
           to bottom).

         • Available Servers — Displays those servers that have been specified, but not selected, to use to
           authenticate the Control Center users.

             To add, remove, and order the list of the servers that will be used to authenticate Control Center
             users, use the arrow buttons. Highlight the server object and select the appropriate button to
             move the object: left, right, up, or down.

      • LDAP Options — [Available only if LDAP is selected in the Select Authentication Method field] Use the
        fields in this area to further specify the directory location that contains the supplied user name and
        password. A directory is a tree of directory entries. Each entry is a set of attributes. Each entry also has
        a unique identifier, which is its Distinguished Name (DN).

         • Suffix (Base) — Specify the Distinguished Name (DN) of the directory entry at which to start the
           search. The following text is an example:

                 dc=sales,dc=example,dc=com
             where dc is the domain component.

         • LDAP Filter — Specify the way to examine each entry in the scope. The following filter is an example
           of a search for persons who have either a given name of “John” or an e-mail address that starts with
           “john”:

                 (&(objectClass=person)(|(givenName=John)(mail=john*)))



   • Login Attribute — Select the LDAP attribute in which the authenticator expects the username to be
     stored. The following values are available:

       • uid — Identifies the LDAP-standard unique identifier for a user. This is the default value.

       • sAMAccountName — Identifies the name that is used in Microsoft environments to store the Active
         Directory account name.

       • msSFUName — Identifies the name that is used by environments that are running Microsoft
         Services for UNIX 2.0.

       • msSFU30Name — Identifies the name that is used by environments that are running Microsoft
         Services for UNIX 3.0.

   • LDAP Scope — Specify the depth at which to search, starting with the DN. Typically, the deeper the
     search, the longer that it takes to perform. However, this is fully dependent on the schema of the LDAP
     server that is being used. The following values are available:

       • Base — Searches on the named entry only. Use this value to read one entry at the top level.

       • One Level — Searches entries immediately below the base DN.

       • Sub Tree — Searches the entire subtree, starting at the base DN.

   • SSL Encryption — Determines whether the communication between the Control Center Management
     Server and the LDAP server is secured. If you select Use TLS, Transport Layer Security (TLS, the
     successor to SSL) is established on the connection. Select this value to encrypt the LDAP connection
     between the Control Center Management Server and the LDAP server.

   • Bind using specified credentials — Determines whether to use authentication when binding to the
     configured LDAP server. If this checkbox is selected, simple authentication will be used to bind to the
     LDAP server by using the specified distinguished name (DN) and password. The default value is
     cleared. The following fields are available when this checkbox is selected:

       • Bind as (distinguished name) — Specify the distinguished name (DN) to use for binding to the
         configured LDAP server.

       • Password — Specify the password to use for authenticating the distinguished name that is used to
         bind to the configured LDAP server.

       • Confirm password — Specify the same value that was entered in the Password field to ensure
         that the password has been entered correctly.
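To make the interplay of the Suffix, LDAP Scope, LDAP Filter, and Login Attribute fields concrete, here is an added Python example (not Control Center code) that evaluates those settings against a constructed in-memory directory, and shows why a user-supplied login name has to be escaped before it is spliced into the filter. How the authenticator combines the Login Attribute with the LDAP Filter, and treating DNs as plain comma-separated RDNs, are this example's assumptions.

```python
"""Model the LDAP Options fields (Suffix, LDAP Scope, LDAP Filter, Login
Attribute) against a constructed in-memory directory.  Added example, not
Control Center code; combining Login Attribute and LDAP Filter is assumed."""
import re

# Constructed directory: DN -> attributes.  Two entries have uid=john, but
# only one of them lives under the Suffix dc=sales,dc=example,dc=com.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "uid=john,dc=example,dc=com": {"objectClass": ["person"], "uid": ["john"],
                                   "givenName": ["John"], "mail": ["john@example.com"]},
    "dc=sales,dc=example,dc=com": {"objectClass": ["domain"]},
    "uid=john,dc=sales,dc=example,dc=com": {"objectClass": ["person"], "uid": ["john"],
                                            "givenName": ["John"], "mail": ["john.smith@example.com"]},
    "ou=people,dc=sales,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=jane,ou=people,dc=sales,dc=example,dc=com": {"objectClass": ["person"], "uid": ["jane"],
                                                      "givenName": ["Jane"], "mail": ["jane@example.com"]},
}


def in_scope(entry_dn, suffix, scope):
    """LDAP Scope: 'base' = the Suffix entry only, 'one' = entries directly
    below it, 'sub' = the whole subtree.  DNs are plain comma-separated RDNs."""
    entry = [rdn.strip().lower() for rdn in entry_dn.split(",")]
    base = [rdn.strip().lower() for rdn in suffix.split(",")]
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                           # not under the Suffix at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, !, equality, '*' wildcard)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":                        # compound: (&(..)(..)), (|..), (!(..))
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:                                  # simple: (attr=value)
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            result, pos = ("=", attr, value), end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry; attribute names and values
    are compared case-insensitively, as with caseIgnoreMatch."""
    op = tree[0]
    if op == "&":
        return all(matches(kid, attrs) for kid in tree[1])
    if op == "|":
        return any(matches(kid, attrs) for kid in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, pattern = tree
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    if pattern == "*":                         # presence test, e.g. (mail=*)
        return bool(values)

    def unescape(piece):                       # undo RFC 4515 \XX hex escapes
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

    # Only an unescaped '*' is a wildcard; escaped text is matched literally.
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def escape_filter_value(value):
    """RFC 4515 escaping, so a user name such as '*' or 'x)(uid=*' cannot
    change the meaning of the filter it is spliced into (LDAP injection)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def search(suffix, scope, filter_text):
    """DNs of entries inside the Suffix/Scope that satisfy the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, suffix, scope) and matches(tree, attrs))


def find_login_entry(username, suffix, scope, login_attr, ldap_filter):
    """Assumed authenticator behaviour: AND an equality test on the Login
    Attribute (user name escaped, so matched literally) with the LDAP Filter."""
    combined = f"(&({login_attr}={escape_filter_value(username)}){ldap_filter})"
    return search(suffix, scope, combined)
```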




      Control Center Authentication Configuration window: Authentication Servers tab
      Use the Authentication Servers tab on the Control Center Authentication Configuration window to specify
      the authentication servers. You can add, edit, or delete servers on this tab.
      Figure 43 Control Center Authentication Configuration window: Authentication Servers tab




      Accessing this tab
      1 In the Administration Tool, from the System menu, select Authentication. The Control Center
        Authentication Configuration window is displayed.

      2 Select the Authentication Servers tab. The Authentication Servers tab of the Control Center
         Authentication Configuration window is displayed.

      Fields and buttons
      This tab has the following fields and buttons:
      • Filter by Type — Specify the external authentication servers to display. The following values are
        available:

         • ALL — Displays all of the defined external authentication servers.

         • LDAP — Displays only the defined LDAP servers.

         • RADIUS — Displays only the defined RADIUS servers.

      • Name — [Read-only] Displays the name of the server. A server that you add on this tab by clicking
        Add does not become a manageable object in the Configuration Tool. Conversely, RADIUS or LDAP
        server objects that are defined in the Configuration Tool are separate from the servers that are being
        defined here.

      • Type — [Read-only] Displays the type of server. The available values are: RADIUS or LDAP.

      • IP Address / FQDN — [Read-only] Displays the IP address or the fully qualified domain name (FQDN)
        of the server.

      • Port — [Read-only] Displays the user-defined port number of the server.

      • Add — Display the Control Center Authentication Server window, in which you can add a new server.

      • Edit — Display the Control Center Authentication Server window, in which you can edit the settings of the
        highlighted server.

      • Delete — Delete the highlighted server. Make sure that you want to do this because there is no
        confirmation message.




Configuring external authentication servers
Use the Control Center Authentication Server window to specify attributes that are associated with an
external authentication server. For more information about the root configuration window or about using
external authentication for Control Center users, see Authentication on page 145.
Figure 44 Control Center Authentication Server window




Accessing this window
1 In the Administration Tool, from the System menu, select Authentication. The Control Center User
  Authentication window is displayed.

2 Click the Authentication Servers tab.

3 Click Add or Edit. The Control Center Authentication Server window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — [Required] Specify the name of the authentication server object that you are creating, or edit
  the displayed value.

• Description — Provide or edit a useful description about the reason that this object was created.

• Type — Determines whether this authentication server type is LDAP or RADIUS.

• IP Address/FQDN — Specify the IP address or the fully qualified domain name (FQDN) of the
  authentication server being specified or edited.

• Port — Specify the port number to associate with the server being specified or edited. The default port
  for LDAP is 389 and the default port for RADIUS is 1812. The default port values may vary, depending on
  the way that the servers were configured.

• RADIUS Options — [Available only if RADIUS was selected as the value of the Type field] Use the fields
  in this area to specify additional RADIUS options for the RADIUS authentication server. The following fields
  are available:

   • Server Secret — Specify (or edit) the value of the shared secret that is configured on the RADIUS
     server.

   • Timeout — Specify (or edit) the length of time (in seconds) to wait for a response from the server
     before attempting to authenticate against the next server in the list.




4 Configuration Tool Overview


       Contents
       Configuration Tool



Configuration Tool
       Use the Configuration Tool of the McAfee Firewall Enterprise Control Center (CommandCenter) to define,
       configure, and maintain multiple firewalls and security policies for a distributed homogeneous or
       heterogeneous configuration of McAfee Firewall Enterprise (Sidewinder) devices.
       You can accomplish the following tasks by using the features and functions of the Configuration Tool:
       • Create configurable objects — The components that comprise a security policy include a set of
         configurable objects that defines the characteristics of the building blocks that are used to implement the
         security policy. Use this object model of defined objects to share characteristics, options, and
         functionality, instead of having to provide raw configuration information for each aspect of an
         implemented security policy. Use the Configuration Tool to retrieve, create, and manage configurable
         object characteristics. For more information, see Configurable objects on page 154.

       • Manage configurable objects — After configurable objects have been defined or retrieved, you can
         edit, validate, and apply changes to the configured object. You can manage the implemented security
         policy across all of the supported firewalls in your configuration. For more information, see Firewall
         configuration management on page 574.

       • Create and manage rules — Rules provide the network security mechanism that controls the flow of
         data into and out of the internal network. They specify the network communications protocols that can
         be used to transfer packets, the hosts and networks to and from which packets can travel, and the time
         periods during which the rules can be applied. Rules are created by the system administrator and should
         reflect the internal network site's security policy. You can retrieve, create, and manage rules in the
         Configuration Tool. For more information, see Viewing and managing firewall licenses on page 658.


       Configuration Tool operations
       The Configuration Tool hosts the following operations in the work area of the interface. (For more
       information about the interface, see Configuration Tool on page 16.)
       • Rules — Firewall rules control the flow of data into and out of the network by defining the conditions that
         must be present to allow or disallow movement of packets. These rules are cumulative and
         sequence-sensitive. Depending on the requirements of your configuration, there could be from hundreds to
         tens of thousands of rules to manage. The Rules tab provides the interface to view and manage these rules.
         For more information, see Viewing and managing firewall licenses on page 658.

       • Firewall configuration backup — Access this feature through either the Software Updates Tool or the
         Configuration Tool. Use the Firewall Configuration Backup tab to retrieve a backup firewall configuration
         file based on the current configuration of the selected firewalls and store it on the Management Server.
         The same interface can be used to restore this configuration. Use this feature to return a firewall to a
         default configuration, maintain a version of a working configuration before making configuration changes,
         or to recover from an unexpected loss of firewall configuration data. For information, see Backing up and
         restoring firewall configurations on page 704.




      • Firewall Status — This page provides a comprehensive visual display of the operational status of
        all the supported firewalls. You can access this feature on both the Configuration Tool and on the
        Reporting and Monitoring Tool. The Firewall Status page lists firewall-specific status information for each
        supported firewall that is configured in your system. For more information, see Viewing the overall status
        of your firewalls on page 574.

      • Configuration Validation Status Report — When changes are made to a firewall configuration by using
        the Control Center Client Suite, they are made to the data that is stored on the Management Server.
        These changes can then be viewed and validated against the previously applied configuration by using
        the features of the Configuration Validation Status Report page. For information about the validation
        report, see Viewing the status of Apply Configurations on page 593. For information about the validation
        process, see Firewall configuration management on page 574.

      • Configuration Status Report — After configuration changes have been made to a firewall, they must
        be applied to the appropriate firewall. This process is initiated by clicking Apply Configuration on the
        Configuration menu. The Configuration Status Report page is displayed, in which you can view the
        various status conditions for configuration changes that are being applied to firewalls. For information
        about configuration application status, see Viewing the status of Apply Configurations on page 593. For
        information about the validation process, see Firewall configuration management on page 574.

      In addition to the operations that are hosted in the work area of the Configuration Tool, you can access
      several other features and functions by using this tool:
      • You can access and manage all of the supported firewalls by using the Object area on the left side of the
        main window and the tools on the Action toolbar. (For more information, see Configuration Tool toolbars
        on page 70.) You can also access firewalls by making sure that Objects is selected in the View menu.
        (This is selected by default.)

      • You can protect selected operations from being simultaneously performed by multiple users. Access the
        Locking Manager window by clicking Locking Manager on the Configuration menu.

      • You can manage the way in which firewalls are displayed on the client. Access the Firewall Sorting
        Manager window by clicking Firewall Sorting on the Configuration menu.

      • You can re-initialize, reboot, and provide an orderly shutdown of selected firewalls. You can also terminate
        active sessions and security associations for user-selected firewalls. Access the Device Control window by
        clicking Device Control on the System menu.

      • You can view audit information for the Control Center. Manage the information that is contained in the
        audit trail by using the Administration Tool. Access the Audit Trail in the Configuration Tool by clicking
        Audit Trail on the Reports menu. You can also access this information from the Audit Trail menu in the
        Reporting and Monitoring Tool and in the Administration Tool.


      Configurable objects
      Use the Configuration Tool to define various components that are used to implement a security policy. The
      components consist of a set of configurable objects that encapsulate the characteristics of each of the
      individual building blocks.
      Using this object model, the defined objects are used to share characteristics, options, and functionality
      instead of having to provide raw configuration information each time an individual component is created.
      You can define objects and apply them in various situations, such as rules, while retaining the ability to
      change the characteristic of an object without having to locate and change every instance.




For example, an address object can be defined that identifies a fixed set of addresses that use a base
address and an address mask. This object can represent a group, division, or some other organizational
characteristic that is associated with an enterprise. An entire set of rules can then be defined that use this
object as a source or destination for a specific type of packet traffic. Eventually, dozens or even hundreds of
rules that manage proxies and other services can be defined that use this network object as a source or
destination address. When you need to change the addressing because the organization made a move, or
for any other network-related reason, the base address and mask characteristics of the network object can
be changed and automatically applied to all of the associated rules.
The basic set of configurable objects consists of the following objects:
• Firewalls — Identifies all of the physical firewalls that are defined in your configuration to support the
  implemented security policy. For more information, see Configuration Tool - Firewalls on page 163. These
  objects include firewalls and content management system devices:

   • Firewalls

   • Clusters

   • Device groups

• Firewall settings — Identifies all of the objects that can be configured on a firewall. For more information
  about these objects, see Configuration Tool - Firewall Settings on page 263. The following objects can be
  configured:

   • Global settings — Specify a common group of features that can be applied to a number of firewalls.
     Features include a default application defense group, password and passport authenticators, burbs,
     server and service settings, and virus scanning properties. See Configuring common (global) settings
     on page 264.

   • Audit export — Configure audit archive settings for a firewall by using the Audit Export window.

   • Network defenses — Configure and maintain the audit data that the firewall generates for each of
     the specified protocols and the frequency with which to generate that audit.

   • Servers and service settings — Specify a network service that is associated with a server agent, or
     daemon, that is running on the firewall. Server services are created during the initial configuration of
     the firewall. They include services that are used for the following purposes:
       • Management of the firewall (for example, Admin Console)

       • Access to a networked service (for example, SNMP Agent)

       • Routing services (for example, gated, routed)

       • VPN connections (for example, ISAKMP server)

       • Firewall-specific functions (for example, cluster registration server)

       You can modify basic properties that are associated with these services. However, additional server
       services cannot be created. See Managing servers and service configurations on page 291.

   • IPS Signature Browser — Specify the Intrusion Prevention System (IPS) signatures that have been
     installed. Use the IPS Signature Browser window to view and manage these signatures. You can also
     separately manage the signature settings and the signatures.

   • TrustedSource™ — Specify global TrustedSource technology settings for rules.

   • Virus Scan — Specify virus scanning properties. These properties include parameters for distributing
     scanner processes for incoming and outgoing traffic, controlling buffer sizes, handling archives, and
     scanning encrypted files.

   • Quality of Service — Specify Quality of Service (QoS) profiles that contain one or more queues that
     you can use to prioritize network performance based on network traffic type. See Creating Quality of
     Service profiles on page 311.




         • DNS zones — Specify Domain Name System (DNS) zone objects that can be created and managed
           by a firewall.

         • Scheduled jobs — Specify jobs that can be scheduled to perform routine maintenance tasks on a
           firewall.

         • Package load — Specify a schedule that can be used to check for the availability of packages on the
           Secure Computing Corporation download site. You can then download them to a firewall.

      • Policy — Identifies all of the objects that can be configured to define the security policy for a firewall. For
        more information about these objects, see Configuration Tool - Policy on page 333. The following objects
        can be configured:

         • Network objects — Specify source or destination conditions in rules. For more information, see
           Network objects on page 336. The following categories of endpoint objects are defined on the firewall:

             • Hosts — Specify a fully qualified host name or an IP address.

             • Networks — Specify an entire sub-network to use as an endpoint.

             • Address ranges — Specify an inclusive series of IP addresses. You can specify a portion of a
               sub-network to use as an endpoint.

             • Domains — Specify a domain to use as an endpoint.

             • Adaptive — Specify an adaptive endpoint, which is a single endpoint that can be used in different
               ways by multiple security firewalls.

             • Geo-Location — Specify a list of countries that are defined in a Geo-Location object to use as an
               endpoint.

             • Burbs — Specify a burb to use as an endpoint.

             • Burb groups — Specify a burb group to use as an endpoint.

             • Net groups — Specify and name groups of endpoints by using previously configured endpoint
               objects and a set of system-wide interface controls.

         • Services — Specify a network communications protocol. Services are used as conditions in rules. For
           more information, see Firewall objects on page 163. The firewall supports the following categories of
           network services:

             • Proxy services — Specify a network service that is associated with a proxy agent that is running
               on the firewall. The proxy agent controls communication between clients on one side of the firewall
               and servers on the other side. The user's client program communicates with the proxy agent instead
               of communicating directly with the server. The proxy agent evaluates requests from the client and
               determines the requests to permit and to deny, based on your security policy. If a request is
               approved, the proxy agent forwards the client's requests to the server and forwards the server's
               responses back to the client. The proxy agent is application aware (for example, it understands the
               application layer protocol and can interpret its commands).

                 Proxy agents are used to create proxy services. Proxy services may be TCP-based or UDP-based.
                 Many are defined by default for such TCP-based services as HTTP, FTP, and Telnet and for such UDP
                 protocols as SNMP and NTP. Use the Service Manager window to create additional proxy services.




        • Filter services — Specify a network service that is associated with a filter agent that is running on
          the firewall. Filter agents provide another way for clients and servers to communicate. The filter
          agent inspects and passes traffic at the network layer or at the transport layer. The following types
          of filter agents are provided:

           • TCP/UDP — Transmission Control Protocol (TCP) is a transport layer protocol that is defined by a
             specified port number or range of port numbers. User Datagram Protocol (UDP) is a transport
             layer protocol that is defined by a specified port number or range of port numbers.

          • ICMP — Internet Control Message Protocol (ICMP) is a network layer protocol that supports
            packets that contain error, control, and informational messages.

          • IP — Internet Protocol (IP) is a network layer protocol that is defined by a protocol number.

       • Service groups — Specify a collection of network services that are defined on the firewall. See
         Configuring service groups on page 353.

   • Application Defenses — Specify the settings for inspecting advanced application-level content, such
     as headers, commands, and filters. They also enable add-on modules such as virus scanning, spam
     filtering, and Web filtering. They can be used with filter services, most proxy services, and the sendmail
     server service.

    • IPS — Specify IPS response mappings so that you can create and maintain IPS signature groups. You
      can also use the IPS Signature Browser to view and manage IPS signatures.

   • Authenticators — Specify authentication services that contain the authenticators that are used by the
     firewall. For more information, see Authentication services on page 424. The following types of
     authenticators are available:

       • Password

       • Passport

       • RADIUS

       • Safeword

       • Windows Domain

       • iPlanet

       • Active Directory

       • OpenLDAP

       • Custom LDAP

       • CAC

   • Users — Specify users who can access the Control Center and the way in which they can access it.
     User identification and authentication is a critical aspect of security. To access a firewall, a user must
     have a login ID and a method of authentication. Users can be configured to have one authentication
     method for inbound connections and another method for outbound connections.

       The firewall supports multiple methods of identification and authentication. These methods are
       explained in Authentication services on page 424.

       You can use the Control Center to create two classes of users: firewall users (who are defined by
       using the user objects on the Configuration Tool) and Control Center users. For information about
       defining and maintaining Control Center users, see Control Center users on page 81.

       The various firewalls support one or more of the following types of users:

       • Administrators — Identifies firewall administrator accounts. A firewall administrator is someone
         who logs directly into the firewall to perform administrative activities.

       • Users — Identifies user accounts to be stored on the firewall.



             • User groups — Identifies internal groups that are used to restrict access to services through the
               firewall.

             • External groups — Identifies external groups that are used in rules to restrict access to services
               through the firewall.

         • Time periods — Specify time periods that represent named periods of time. These named time
           periods are used for various functions, such as limiting the time that a user has the ability to log into
           the Control Center or determining the time during which rules apply to the assigned firewall. For more
           information, see Managing time periods on page 470.

          • VPN — Specify a Virtual Private Network (VPN) that securely connects networks and nodes to form a
            single, protected network. The data is protected as it tunnels through unsecured networks, such as the
            Internet or intranets. The VPN ensures data origin authentication, data integrity, data confidentiality,
            and anti-replay protection. A VPN works by encapsulating packets to or from the network with which
            you want to communicate (the remote network) and by sending them (usually encrypted) as data in
            packets to or from the network to which you are connected.

             The VPN is a security gateway between trusted and non-trusted networks that protects network
             access, network visibility (NAT), and network data (VPN). The two types of supported VPN
             connections are gateway-to-gateway and VPN host-to-gateway. For more information, see VPN on
             page 471.

             • VPN wizard — Create VPN channels, including configuration of peers, cryptographic parameters,
               and the authentication method.

             • VPN peers — Create peer objects that will participate in gateway-to-gateway VPN communities by
               using the VPN Peer window.

              • VPN communities — Configure VPN communities for a firewall by using the VPN Community
                window.

             • VPN client configurations — Establish a network configuration for the VPN client to operate on
               the private side of a firewall by using the VPN Client Configuration window.

             • VPN bypass — Select certain traffic to bypass IPsec policy evaluation and to be sent outside of the
               encrypted tunnel by using the VPN Bypass window.

              • CA certificates — Import Certification Authority (CA) certificates. A public key certificate is an
                electronic document that binds a host’s identity to its public key. The purpose of a certificate is
                to provide proof of a host’s identity. This enables a secure means of encrypting the data
                communication between one host and another. In digitally signing the certificate, the Certification
                Authority (CA) vouches for the host's identification, and is then able to issue a secure certificate that
                will be used to create a digital signature for the data that is being sent. Use the sender’s digital
                signature, along with the sender’s certificate, to verify that (a) the data originated from the sender,
                and (b) that the data was not tampered with in transit.

              • Remote certificates — Manage remote certificates by using the Remote Certificate page. You can
                also request, load, retrieve, view, export, and delete certificates in this page.

          • Rules — Specify the network security mechanism that controls the flow of data into and out of the
            internal network by using the Rules page.

         • URL translation rules — Specify the redirection of inbound HTTP connections, based on application
           layer data, rather than on transport layer data that is used for the conventional redirect rules.

         • SSH known hosts — Specify strong known host associations. You can manage this database that
           includes only those SSH known host keys with strong trust levels across all firewalls.




158   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Configuration Tool




• Monitor — Specify the customized actions that occur when specific conditions occur on an associated
  firewall. Monitoring firewall activity is important so that you can detect and respond to threats and critical
  conditions. You can configure the firewall to recognize unusual or abnormal occurrences and customize
  your response to these events. For more information, see Configuration Tool - Monitor on page 573.

   • Audit filters — Specify parameters for filtering the audit data so that you can respond to audit events
     of particular interest to your site in an effective way by using the Audit Filters window.

   • Responses — Specify e-mail accounts that will receive alerts during an IPS attack response and
     specify hosts from which suspect traffic is to be blackholed, or ignored.

   • IPS attack responses — Configure and modify Intrusion Prevention System (IPS) attack responses
     by using the IPS Attack Responses window. IPS attack responses define the way that the firewall
     responds when it detects audit events that indicate such possible attacks as Type Enforcement
     violations and proxy floods.

   • System responses — Configure and modify system responses in the System Response window.
     System responses define the way that the firewall responds when it detects audit events that indicate
     such significant system events as license failures and log overflow issues.
   • Audit report — Configure the parameters for an audit report and generate the report for a single
     firewall or multiple firewalls.

• Maintenance — Specify general maintenance settings for a specific firewall or for the Control Center
  Management Server. For more information, see Configuration Tool - Maintenance on page 647.

   • Firewall maintenance — Specify the following parameters for the individual firewall:

       • Device control — Re-initialize, reboot, and provide an orderly shutdown of selected firewalls in the
         Device Control window. You can also terminate active sessions and security associations for
         user-selected firewalls.

       • License firewall — Specify and manage firewall licenses by using the Firewall License window.

   • Control Center maintenance — Specify the following parameters for the Control Center Management
     Server:

       • Server logs — View various types of server logs in the Server Logs window.

       • Server properties editor — View and edit Control Center Management Server properties and add
         new properties in the Server Property Editor window.

       • Backup configuration — Create a backup file of the Control Center Management Server data or
         replace an existing backup file in the Backup Control Center System window.

       • Restore configuration — Restore a previously saved system backup file to the Management
         Server, modify an existing backup name or description, or delete a system backup file in the Restore
         System from Backup window.
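The CA certificates item above describes how a CA-signed certificate and the sender's digital signature together show that data came from a particular host and was not altered in transit. The following Go program is an added illustration of that flow, not code from this guide or from the Control Center product: a constructed in-memory CA signs a certificate that binds a host name to the host's public key, the host signs a message, and the receiver checks first that the certificate chains to the trusted CA and names the expected host, then that the signature verifies over the received bytes. The CA name, the message text, the reuse of the guide's sample host name fw1.company.net, and the use of ECDSA P-256 with SHA-256 are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with the parent's key and returns the parsed certificate.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed Certification Authority (constructed, demo only).
func NewCA(name string) (caCert *x509.Certificate, caKey *ecdsa.PrivateKey, err error) {
	if caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err = makeCert(tmpl, tmpl, &caKey.PublicKey, caKey)
	return caCert, caKey, err
}

// IssueHostCert is the CA vouching for a host: the signed certificate binds
// hostName to the host's public key; only the host holds the private key.
func IssueHostCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, hostName string, hostPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostName},
		DNSNames:  []string{hostName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	return makeCert(tmpl, caCert, hostPub, caKey)
}

// SignData produces the sender's digital signature over the SHA-256 digest of data.
func SignData(senderKey *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, senderKey, digest[:])
}

// VerifySignedData makes the two checks the guide describes: (a) the sender's
// certificate chains to the trusted CA and names the expected host, so the data
// came from that sender; (b) the signature verifies over the received bytes.
func VerifySignedData(trustedCA, senderCert *x509.Certificate, expectedHost string, data, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, DNSName: expectedHost, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := senderCert.Verify(opts); err != nil {
		return fmt.Errorf("sender certificate not trusted: %w", err)
	}
	pub, ok := senderCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("sender certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify: data altered or not from this sender")
	}
	return nil
}

func main() {
	caCert, caKey, err := NewCA("Example Corp Root CA") // constructed CA name
	if err != nil {
		panic(err)
	}
	hostKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const host = "fw1.company.net" // sample name reused from the guide's import-file example
	cert, err := IssueHostCert(caCert, caKey, host, &hostKey.PublicKey)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed message: rule change applied")
	sig, err := SignData(hostKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", VerifySignedData(caCert, cert, host, msg, sig))
	msg[0] ^= 0x01 // one bit altered in transit
	fmt.Println("tampered:", VerifySignedData(caCert, cert, host, msg, sig))
}
```

The receiver never needs the host's private key; it trusts the CA certificate it already holds, and everything else (the host certificate, the signature, the data) arrives with the message. A certificate issued by a CA the receiver does not trust, a certificate for a different host name, and a single flipped bit in the data all fail the same check.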




      Viewing details about objects
      Use the Object Details page to browse data in the Control Center database that is related to the object type
      that has been selected in one of the trees of the Configuration Tool. For example, if you selected the Burbs
      sub-node under Network Objects in the Policy group to view the Burbs window, this page then displays data
      about all of the burbs that have been defined.
      You can also edit an object that is displayed on this page by double-clicking it to display the window for that
      object (for example, the Burbs window if this page displays a list of burbs). You can also export the
      data to a file in comma-separated values (CSV) format.
      Figure 45 One example of the Object Details page




      Accessing this page
      Note: There is only one Object Details page for the Configuration Tool. Every time that you select a different
      object type, the data that is displayed on this page is overwritten with the data for the newly selected object type.

      1 To view a list of objects, click that object node in one of the trees of the Configuration Tool.

      2 Select the Object Details page in the work area of the main window to view a list of these objects.

      Fields and buttons
      The column names in the table are unique to the object type that has been selected. However, the
      navigational fields and buttons at the top of this page are the same for all object types.
      Because your list of objects (where objects refers to the entity for which you are searching) could
      potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by
      using the Find filtering mechanism.
      1 In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.

      2 Click the down arrow to select the display for the search results (Highlight matching <objects> [where
         <objects> is the entity for which you are searching] or Only display matching <objects> [where
         <objects> is the entity for which you are searching]).

      3 Click Find or press Enter. The results are displayed. If you had selected the highlight option, all objects
         that match the value in the Search field are highlighted in yellow. If you selected the other value, you
         will see only those objects that matched your search criteria.

      Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view
      all of the objects again, click the Clear Find Results button.




• Export — Displays the Save as window, in which you can save the data as comma-separated values
  (CSV) in a file that can be opened as a spreadsheet. Specify the name and destination of the .csv file in
  the Save As window and click OK.

Editing the object data from this page
Double-click anywhere in the row of the object to be edited. The window for that object is displayed. For
example, if you had the object details for all of your firewalls displayed on this page, double-click a
particular firewall and the Firewall window is displayed with the data for that firewall. You can then change
any of the data as required.
You can also right-click on this object and you can select options to either add a new object, edit this
object, copy this object, remove this object, or show all of the references to this object (Show Usage…).




5      Configuration Tool - Firewalls


       Contents
       Firewall objects
       McAfee Firewall Enterprise (Sidewinder)
       McAfee Firewall Enterprise (Sidewinder) clusters
       Device groups



Firewall objects
       Firewall objects represent the physical devices that are used to implement a security policy for an
       organization. They are designed to protect the organization's IT infrastructure by keeping out unauthorized
       users, code, and applications, whether they originate internally or externally.
       In the McAfee Firewall Enterprise Control Center (CommandCenter), firewall objects represent the
       configuration data and characteristics that are specific to a single firewall.
       Creating firewall objects is a two-part process:
       1 All types of firewall objects that represent physical devices in your configuration must be identified by
          providing basic information. Use the Add New Firewall window or the Sign Up Firewalls window to
          accomplish this task.

       2 All of the object-specific configuration information must be created for or retrieved from each firewall. Use
          the Firewall window to manage firewall configuration information.

       Use the Configuration Tool to obtain the configuration information directly from previously configured
       firewalls. You can select the specific configuration components to retrieve from a particular firewall. The
       information that has been retrieved is converted into Control Center objects and is then displayed in the
       associated areas of the Firewall window.
       The Configuration Tool has two ways to read configuration information directly from the firewall, to
       normalize the data, and to store this information in the database:
       • When the firewall is initially created, you can identify and retrieve a user-selected set of retrieval objects
         by using the Retrieval Item tab on the Add New Firewall window.

       • After a firewall has been created, you can identify and retrieve a user-selected set of retrieval objects by
         right-clicking the firewall object and selecting Retrieve Firewall Objects. The Firewall Retrieval Options
         window is displayed.

       The configuration data that is associated with a firewall depends on the specific firewall from which data is
       being retrieved.




McAfee Firewall Enterprise (Sidewinder)
       Use the firewall to connect your organization to the Internet while protecting your network from
       unauthorized users and attackers, and to protect internal users as they access the Internet. It
       combines an application-layer firewall, IPsec VPN capabilities, Web filtering (McAfee SmartFilter),
       global-reputation-based filtering (McAfee TrustedSource), an anti-virus/anti-spyware filtering engine, and SSL
       decryption in one Unified Threat Management (UTM) security appliance that is designed to provide centralized
       perimeter security.
       You can use the Control Center to manage your firewalls in several ways:
       • as standalone firewalls

       • as members of device groups

       • as members of a cluster

       However, before you can start managing firewalls in any of these ways, you must add them as objects in
       the Configuration Tool. The following information is presented in this section:
       • Registering your firewalls by using the rapid deployment option on page 164

       • Registering a firewall manually on page 166

       • Retrieving firewall components on page 168

       • Configuring the firewall on page 170


       Registering your firewalls by using the rapid deployment option
       Use the Sign Up Firewalls window to initiate the rapid deployment option. The rapid deployment option is
       used to sign up one or more firewalls by initiating the process from the Control Center Management Server,
       rather than from the firewall. This process can be initiated only under specific conditions and only for
       specific firewalls that have been prepared to employ this option. For more information, see Adding firewalls
       by using rapid deployment registration on page 38.
       You can also import a prepared file of multiple firewalls to avoid having to manually specify the details that
       are required to support this option.
       After identifying the firewalls to sign up, click OK to start the process. View the progress of the firewall
       enrollment process on the Deployment Status Report page.
       To delete a row in this table, highlight the row and press Delete.




Figure 46 Sign Up Firewalls window




Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.

2 Right-click the Firewalls node and select Sign Up Firewalls…. The Sign Up Firewalls window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Enter the IP addresses of the firewalls to be signed up. — Use the fields in this area to define the
  firewall to sign up:

   • Host Name — Specify the fully qualified domain name (FQDN) of the firewall (for example,
     hostname.company.com). The firewall must respond to a ping from the Control Center that is sent to
     the firewall FQDN, and the Control Center must respond to a ping from the firewall that is sent to
     the Control Center FQDN.

   • IP Address — Specify the IP address that is used to access the firewall.

   • Password — Specify the value of the password that is used to access the firewall.

       Although the deployment passwords can be any length, to safely use the rapid deployment option,
       passwords should contain at least eight characters and no more than 256 characters.

       If the same password has been assigned to all of the firewalls that are being defined for rapid
       deployment, use the Default Sign Up Password field to specify the common password and leave
       this field blank.

• Default Sign Up Password — If all of the firewalls that have been identified in the list use the same
  password, you can specify that password in this field and it will be used to sign up all of the identified
  firewalls.

• OK — Save the changes on this window.

• Cancel — Close this window without saving any changes.




      • Import — Import a space-delimited text file that contains the individual firewall host names, IP addresses,
        and passwords. The import file must contain the host name and IP address of one or more
        firewalls that have been prepared for enrollment. All of the firewalls that are identified in an import
        file must use the same password. The following list is an example:

         fw1.company.net 172.26.113.171
         fw2.company.net 198.115.56.121
         fw3.company.net 191.21.115.101
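A validating reader for the import file described under Import, written in Go as an added example; it is not part of the guide or of the Control Center product. It applies the rules this section states (a host name and an IP address per line, deployment passwords of 8 to 256 characters, and one common password per file) before anything is submitted, so a malformed line is reported by line number rather than failing silently during sign-up. The sample file reuses the guide's three example lines; the optional third field for a per-line password, the FQDN pattern, comment lines starting with "#", and the duplicate-host check are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Entry is one firewall prepared for rapid deployment sign-up.
type Entry struct {
	HostName string
	IP       string
	Password string // empty when the Default Sign Up Password is to be used
}

// sampleImport is a constructed import file in the space-delimited form the
// guide shows; the host names and addresses are the guide's own sample values.
const sampleImport = `fw1.company.net 172.26.113.171
fw2.company.net 198.115.56.121
fw3.company.net 191.21.115.101
`

// fqdnRe accepts dotted labels of letters, digits and hyphens ending in an
// alphabetic top-level label (assumed rule; the guide only says "FQDN").
var fqdnRe = regexp.MustCompile(`^([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$`)

// ParseImportFile validates an import file against the rules in this section:
// host name and IP address are required, a password (if present as a third
// field) must be 8 to 256 characters, and every entry in one file must use the
// same password. The first violation is returned with its line number.
func ParseImportFile(contents string) ([]Entry, error) {
	var entries []Entry
	seen := map[string]int{} // host name -> line it first appeared on
	var filePassword string
	sc := bufio.NewScanner(strings.NewReader(contents))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank or comment line (comment support is an assumption)
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || len(fields) > 3 {
			return nil, fmt.Errorf("line %d: expected 'host ip [password]', got %d fields", lineNo, len(fields))
		}
		e := Entry{HostName: fields[0], IP: fields[1]}
		if !fqdnRe.MatchString(e.HostName) {
			return nil, fmt.Errorf("line %d: %q is not a fully qualified domain name", lineNo, e.HostName)
		}
		if net.ParseIP(e.IP) == nil {
			return nil, fmt.Errorf("line %d: %q is not a valid IP address", lineNo, e.IP)
		}
		if prev, dup := seen[e.HostName]; dup {
			return nil, fmt.Errorf("line %d: host %s already listed on line %d", lineNo, e.HostName, prev)
		}
		seen[e.HostName] = lineNo
		if len(fields) == 3 {
			e.Password = fields[2]
			if n := len(e.Password); n < 8 || n > 256 {
				return nil, fmt.Errorf("line %d: password must be 8 to 256 characters", lineNo)
			}
			if filePassword == "" {
				filePassword = e.Password
			} else if e.Password != filePassword {
				return nil, fmt.Errorf("line %d: all firewalls in an import file must use the same password", lineNo)
			}
		}
		entries = append(entries, e)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	entries, err := ParseImportFile(sampleImport)
	fmt.Println(len(entries), "entries parsed, error:", err)
}
```

Because the file carries credentials, keep it readable only by the administrator who runs the sign-up and delete it once the Deployment Status Report shows the firewalls enrolled.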


      Registering a firewall manually
      After the Control Center Management Server has been installed and the firewall-specific, Control Center
      enabling configurations have been made, you can begin to add new firewall objects and their associated
      configuration objects to the Control Center Management Server database.
      Creating firewall objects is a two-part process. Initially, all types of firewall objects that represent physical
      devices in your configuration must be identified by providing basic information. This task is accomplished
      by using this window.
      Next, all of the firewall-specific configuration information must be created or retrieved for each firewall.
      Firewall configuration information is managed by using the Firewall window.
      For more information, see Firewall objects on page 163.
      Figure 47 Add New Firewall window




      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Double-click the Firewalls node.
         or
         Right-click the Firewalls node and select Add Object.




Fields and buttons
This window has the following fields and buttons:
• Name — Specify the name of the node or host. This is either the DNS name of the node or a user-specified
  name, and it can be expressed in multiple parts. Node names can be any sequence of letters and numbers,
  but they cannot begin with a number and cannot contain most punctuation characters.

• Location — Specify the description of the location.

• Mgmt Address — Specify the management IP address to associate with the firewall.

• Version — Specify the version of the software or firmware that is installed on the firewall.

• Description — Specify any additional description to associate with the firewall.

• Retrieval Items — Use the list on this tab to specify configuration components that are to be retrieved
  from the firewall. Each firewall has its own set of configuration objects that can be retrieved from the
  firewall and populated in the Management Server database. For more information about retrieval items
  and to learn more about an alternate method of retrieving configuration information from individual
  firewalls, see Retrieving firewall components on page 168.

   To select or clear all of the item checkboxes in this list, right-click the Retrieval Items column
   heading and click the respective option.

   You can access and edit retrieved objects by using the Firewall window.

• Categories — Use the table on this tab to define objects for developing a classification hierarchy for the
  firewalls that are installed in your configuration. By using this category/value pair construction, you can
  sort firewalls by using your own sorting scheme. After you create a user-defined category, it appears in
  the category list. By carefully defining a sorting scheme and identifying each firewall by specifying one or
  more categories, you can use this powerful sorting scheme to obtain views of firewalls by using the
  Firewall Sorting Manager window, which is accessible from the System menu.




      Retrieving firewall components
      Use the Firewall Retrieval Options window to select the components that you want to retrieve from the
      associated firewall and store them in the Control Center database.
      This list of the components that can be retrieved is firewall-specific. Each component has an associated
      checkbox. Select the checkbox to retrieve the associated components. If you select certain components,
      other related or subordinate components will automatically be selected. For example, if the Firewall window
      Information component is selected, the Firewall Interfaces, Firewall Certificates, CA Certificates, and
      Authentication Services components are also selected for the firewall.
      Figure 48 Firewall Retrieval Options window




      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Right-click a supported firewall object and select Retrieve Firewall Objects. The Firewall Retrieval
         Options window is displayed.

      To select or clear all of the item checkboxes in this list, right-click the Retrieval Item Description column
      heading and click the respective option.
      After selecting the associated checkbox for each of the components to retrieve, click OK to start the
      retrieval process.
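The rule above, that selecting one component automatically selects its related or subordinate components, is a transitive dependency expansion. The following Go program is an added illustration and not the Control Center's code: it encodes the guide's own example (Firewall Dialog Information pulling in Firewall Interfaces, Firewall Certificates, CA Certificates and Authentication Services), adds one constructed chained entry for VPN to show that implications follow through more than one level, and computes both the full set a retrieval would fetch and the components the operator did not check explicitly. The component names beyond the guide's example, and the VPN dependency, are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
)

// impliedBy maps a retrieval component to the components that are selected
// automatically with it. The Firewall Dialog Information entry is the guide's
// own example; the VPN entry is constructed here to show chained implications.
var impliedBy = map[string][]string{
	"Firewall Dialog Information": {"Firewall Interfaces", "Firewall Certificates", "CA Certificates", "Authentication Services"},
	"VPN":                         {"Firewall Dialog Information"}, // constructed, not from the guide
}

// EffectiveSelection expands the components the user checked into the full set
// that will be retrieved, following implied selections transitively; the visited
// set keeps it terminating even if the map contained a cycle. Output is sorted.
func EffectiveSelection(checked []string) []string {
	selected := map[string]bool{}
	queue := append([]string(nil), checked...)
	for len(queue) > 0 {
		c := queue[0]
		queue = queue[1:]
		if selected[c] {
			continue
		}
		selected[c] = true
		queue = append(queue, impliedBy[c]...)
	}
	out := make([]string, 0, len(selected))
	for c := range selected {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// ImpliedOnly returns the components added by dependency rules rather than
// checked explicitly, so an operator can see what extra data the retrieval pulls.
func ImpliedOnly(checked []string) []string {
	explicit := map[string]bool{}
	for _, c := range checked {
		explicit[c] = true
	}
	var extra []string
	for _, c := range EffectiveSelection(checked) {
		if !explicit[c] {
			extra = append(extra, c)
		}
	}
	return extra
}

func main() {
	checked := []string{"Firewall Dialog Information"}
	fmt.Println("retrieved:", EffectiveSelection(checked))
	fmt.Println("implied  :", ImpliedOnly(checked))
}
```

Reviewing the implied list before clicking OK matters because each implied component overwrites the corresponding objects in the Control Center database with what the firewall currently holds.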




For more information about the components in the list, including the information that is retrieved for each
object and the location at which the information is managed in the Control Center Client application, see
the following table.
Table 8 Firewall retrieval options and information
Component                                 Information                                  Placement in Client Interface
Firewall Interfaces                       Endpoints, Services, NAT, Interfaces,        Network Objects (Network Object Manager window),
                                          Cluster Interfaces (HA), Quality of Service  Services (Service Manager window), Firewalls,
                                                                                       Miscellaneous (Quality of Service window)
Firewall Dialog Information                                                            Network Objects (Network Objects Manager window),
                                                                                       Services (Service Manager window), Environment
                                                                                       Objects (DNS Zones), Firewalls
Firewall License
Firewall Certificates
CA Certificates
Network Objects                           Endpoints                                    Network Objects
Services                                  Services                                     Services
Users                                     Users                                        Users (User Types)
Miscellaneous                             Time Periods, DNS Zones
Application Defenses
Content Scanning
IPS Signature Categories and Class Types
TrustedSource                             TrustedSource                                Content Security (TrustedSource window)
IPS Objects
VPN                                       Endpoints, Services, NAT, CA Certificates,   VPN
                                          Certificates, VPN Clients, VPN Peers,
                                          VPN Communities
Audits and Alerts                         Audit Export objects, Audit Filters          Audits and Alerts
Authentication Services                   RADIUS, LDAP                                 Authentication Services
Rules                                     Endpoints, Services, Rules                   Network Objects, Services, Content Security, Rules



Configuring settings for a standalone firewall
The following topics provide more detailed information about configuring the settings on a standalone
firewall:
• Configuring the firewall on page 170 — Provides information about the Firewall window and all of the areas
  on this window.

• Firewall window-related tasks on page 204 — Provides information about the various windows that can
  be accessed from the areas on the Firewall window.




            Configuring the firewall
            Use the Firewall window to add or change configuration object data for the selected firewall. This window
            consists of a tree with nodes. Each node is an area with unique fields and buttons. For more information
            about firewall objects, see Firewall objects on page 163.
            In addition to the areas on this window, there is additional information about related tasks. For more
            information, see Firewall window-related tasks on page 204.
            Note: For information about firewall High Availability clusters, see McAfee Firewall Enterprise (Sidewinder)
            clusters on page 215.

  Figure 49 Firewall window for a version 7.0.1.02 firewall




            Accessing this window
            1 In the Configuration Tool, select the Firewalls group bar.

            2 Select the Firewalls node to display the list of firewalls.

            3 Double-click the firewall object to be edited. The Firewall window is displayed.

            Buttons
            • OK — Save the changes that have been made on any of the areas and close this window.

               Note: Changes that you make on any individual area in this window are not saved until you click OK for the
               entire window.

            • Cancel — Close this window without saving any changes.




Tree nodes
This window has the following nodes in the tree:
• General Settings — Select to display firewall identification and common configuration information. See
  Firewall window: General Settings area on page 172.

• Offbox Settings — Configure audit export settings and for versions 7.0.1.02 and later of the cluster, you
  can also configure McAfee Profiler and McAfee Firewall Reporter settings. See Firewall window: Offbox
  Settings area on page 174.

• Interfaces node — Select to configure interfaces for this firewall. See Firewall window: Interfaces area.

• Static Routing — Specify the default gateway and entries in the static routing table of the firewall. There
  are different Static Routing areas, depending on the version of firewall that you have selected and whether
  you have enabled IPv6:

   • For the 7.0.1 version and later versions of the firewall when you have enabled IPv6 — See Firewall
     window: Static Routing area (for versions 7.0.1 and later with IPv6 enabled) on page 180.

   • For the 7.0.1 or later versions of the firewall without IPv6 enabled or the 7.0.0.06 or 7.0.0.07 versions
     of the firewall — See Firewall window: Static Routing area (for versions 7.0.1 or later without IPv6
     enabled or for versions 7.0.0.06 or 7.0.0.07 only) on page 184.

• Dynamic Routing — Modify configuration files that are associated with dynamic routing. See Firewall
  window: Dynamic Routing area on page 187.

• Sendmail — Modify sendmail configuration files. See Firewall window: Sendmail area on page 189.

• DNS — Manage and modify the DNS configuration. See Firewall window: DNS area on page 190.

• Certificates — Generate certificate requests and manage firewall certificates. See Firewall window:
  Certificates area on page 196.

• Miscellaneous node — Select or configure a group of features, or global settings, to be applied to the
  firewall. Additionally, you can configure firewall settings objects, policy objects, reputation threshold
  settings, lockout threshold settings, and additional settings in this area. See Firewall window:
  Miscellaneous area on page 201.
   Note: To read specific information directly from the firewall, use the Firewall Retrieval Options window. The
   Configuration Tool has two ways to read configuration information directly from the firewall, to normalize the
   data, and to store this information in the database:

   •   When the firewall is initially created, identify and retrieve a user-selected set of retrieval objects by using the
       Retrieval Items tab on the Add New Firewall window.
   •   After a firewall has been created, identify and retrieve a user-selected set of retrieval objects by right-clicking the
       firewall object and selecting Retrieve Firewall Objects. The Firewall Retrieval Options window is displayed.




           Firewall window: General Settings area
           Use the General Settings area of the Firewall window to specify firewall parameters such as the node name,
           management IP address, management port, and software version. For more information about defining
           firewall objects, see Firewall objects on page 163.
  Figure 50 Firewall window: General Settings area




           Accessing this area
           1 In the Configuration Tool, select the Firewalls group bar.

           2 Select the Firewalls node to display the list of firewalls.

           3 Double-click a supported firewall object. The Firewall window is displayed.

           4 Make sure that the General Settings node is selected.

           Fields and buttons
           This area has the following fields and buttons:
           • Name — Displays the name of the firewall object as it appears in the list of firewalls in the Firewalls group
             bar. You can edit this value.

           • Description — Specify comments and information about the firewall and its configuration.

           • Node Name — [Read-only] Displays the host name by which the system identifies itself during network
             and login connections.

           • Configuration — Use the fields in this area to specify information about the firewall and its location. The
             following fields are available:

              • Firewall Mgmt Address — Specify the IP address of the network interface on the firewall that the
                Control Center uses to manage the firewall.




   • Firewall Mgmt Port — Specify the port number that the firewall uses to communicate with the Control
     Center Management Server. The default management port is 9005. The value that is selected or
     specified in this field must match the value that is specified on the firewall by using its native GUI. If
     you change the value on this window and apply the change, it does not change the value on the firewall.

   • Version — [Read-only] Displays the version of software installed on the firewall. This information is
     necessary so that the Control Center can produce the correct format of data that is sent to the firewall
     when the configurations are applied.

   • Time Zone — Specify the time zone in which the firewall is located.

   • Location — Specify user-defined location information. Use this information to provide your own
     alternate view of the way in which the firewalls are organized and displayed in the Firewalls group bar
     of the Configuration Tool tree. For more information, see Reviewing your configured firewalls on
     page 594.

   • Contact — Specify contact information for this firewall. The Administrator e-mail address will be
     displayed in this field. This is the e-mail address that was configured on and retrieved from the firewall.

   • Enable IPv6 — [Available for the 7.0.1 version and later versions of the firewall only] Determine
     whether to enable IPv6 for this firewall. If this is the first time that you are enabling IPv6 for any firewall
     in this domain, the IPv6 Rule Conversion window is displayed. For more information about this window,
     see Converting network objects in rules for the IPv6 protocol on page 204.

• Management Servers — Use the table in this area to specify information about the Control Center
  Management Servers. If you are using the High Availability Management Server configuration option,
  specify the active and the standby server or servers. The following columns are in this area:

   • Host Name — Specify the fully qualified host name of the Management Server.

   • IP address — Specify the IP address of the Management Server.
       Note: Specify the IP address that the firewall uses to reach the Management Server. It may be different
       from the IP address configured for the server if there is a NAT device between the firewall and the server.

• Firewall Properties — Use the table in this area to specify user-defined category/value pairs. Use these
  pairs to sort firewalls by using a user-defined sorting scheme (in addition to the built-in
  Location and Contact categories). By carefully defining a sorting scheme and identifying each firewall by using
  one or more categories, you can apply a powerful sorting scheme to obtain views of firewalls by using
  the Firewall Sorting Manager window. The following columns are in this area:

   • Category — Specify a name of the grouping that you want to define.

   • Value — Specify a value for the category.

• Mail Configuration — Use the fields in this area to specify a firewall mail configuration.

   • SMTP Mode — The following options are available:

       • Secure Split SMTP — Use the firewall-hosted sendmail servers. Select this option to take
         advantage of such sendmail features as header stripping, spam and fraud control, and mail routing.

       • Transparent — Pass mail by proxy through the firewall. Select this option to ensure that only the
         files that are necessary to send administrative messages will be configured. These include
         firewall-generated alerts, messages, and logs.

   • Internal SMTP Burb — Specify the burb in which your site's SMTP server resides.




      Firewall window: Offbox Settings area
      Use the Offbox Settings area of the Firewall window to specify configuration information for exporting audit
      data, settings for the McAfee Firewall Profiler, and for the McAfee Firewall Reporter.
      Figure 51 Firewall window: Offbox Settings area




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click a supported firewall object. The Firewall window is displayed.

      4 In the tree on the left, select the Offbox Settings node. The Offbox Settings area is displayed.

      Fields and buttons
      This area has the following fields and buttons:
      • Audit Export — Use the fields in this area to specify an audit export configuration.

         • Configuration — Specify an audit export configuration that has been defined on the Audit Export
           window. Access this window by selecting the Firewall Settings group bar in the Object area of the
           Configuration Tool and double-clicking Audit Export. You can select or edit an existing configuration
           or add a new one. See Audit export on page 268.

             To edit an existing object:

             First, select the object in the list.

             Next, click          (Edit selected). The respective object window is displayed.

             To add a new object:

             Click        . The respective object window is displayed.

         • Certificate — Specify a certificate to use when transferring the firewall's archived audit files to the
           Control Center Management Server. This list includes the certificates that have been specified in the
           Certificates area of the Firewall window.

         • Attach Signature — [Available only if a value is selected in the Configuration field] Determines
           whether a signature is attached. This checkbox is cleared by default.




   • Delete logs after export — Determines whether to delete the audit export log file that resides on this
     firewall after it has been successfully exported to all of its specified locations. If you do not select this
     checkbox, the audit export log files will remain on the local firewall after they have been exported. The
     default value is cleared.

• McAfee Firewall Profiler — [Available only for firewall versions 7.0.1.02 or later] Use the fields in this
  area to configure this firewall to send audit and policy data to the McAfee Firewall Profiler that you specify.
  You can create a new McAfee Firewall Profiler object in the Profiler window. See McAfee Firewall Profiler
  on page 272. The following fields are available:

   • Archive verbose audit — [Available only if a McAfee Firewall Profiler has been configured]
     Determines whether the audit data that is being archived is at the verbose level, which means the
     highest level of detail and larger file sizes. The default value is cleared.

   • Certificate — Specify the certificate for the McAfee Firewall Profiler.

• McAfee Firewall Reporter — [Available only for firewall versions 7.0.1.02 or later] Use the field in this
  area to configure this firewall to enable real-time transmission of its audit data to the McAfee Firewall
  Reporter. The McAfee Firewall Reporter has advanced reporting functionality. The following field is
  available:

   • Configuration — Specify the Firewall Reporter / Syslog configuration that will be used by this firewall
     to transmit its audit data to the McAfee Firewall Reporter. You can also edit and add configurations
     from this field in the Firewall Reporter / Syslog window. For more information, see Firewall Reporter /
     Syslog settings on page 273.

       To edit an existing object:

       First, select the object in the list.

       Next, click          (Edit selected). The respective object window is displayed.

       To add a new object:

       Click        . The respective object window is displayed.

Firewall window: Interfaces area
Use the Interfaces area of the Firewall window to perform the following tasks:
• Assign all of the network link elements to the interface, such as IP address, network mask, burb, NIC, and
  MTU size for outgoing packets.

• Select Quality of Service (QoS) profiles and define alias addresses for an interface.

• Create Standard, VLAN, DHCP, or transparent interfaces.

The internal and external network interfaces of the firewall are defined during the initial configuration. You
can create an unlimited number of interfaces. Up to 63 interfaces can be enabled at one time, in a
combination of standard and VLAN interfaces. However, you can configure only one of these interfaces to
be a transparent (bridged) interface.
For more information about defining firewall objects, see Firewall objects on page 163. For more
information about creating a transparent interface, see Creating a transparent (bridged) interface on
page 179.




      Figure 52 Firewall window: Interfaces area




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click a supported firewall object. The Firewall window is displayed.

      4 In the tree on the left, select the Interfaces node. The Interfaces area is displayed.

      Tabs
      This area has the following tabs:
      • Firewall Interfaces — Specify interfaces for this firewall. See Firewall Interfaces tab on page 176.

      • NICs/NIC Groups — Configure the physical NIC and create NIC groups for redundant NICs. See
        NICS/NIC Groups tab on page 177.

      Firewall Interfaces tab
      The Firewall Interfaces tab has the following fields and buttons:
      • Enabled — Determines whether the associated interface is enabled. Select or clear the checkbox to
        enable or disable the interface.

      • Name — Specify the name of a network, Virtual LAN (VLAN), or transparent (for firewall versions 7.0.1.02
        and later) interface. This name can contain alphanumeric characters, dashes (-), underscores (_), and
        spaces ( ).

      • IP address — Specify the unique IP address of the network interface. This value must be a valid IPv4
        address in dotted quad format. If you are configuring this interface to connect to a Dynamic Host
        Configuration Protocol (DHCP) server, leave this field blank and select DHCP in the Type field. This field
        will then display DHCP as its value.

         If you are using this interface as part of a transparent (bridged) interface, after you select
         Transparent as the value in the Type field, you can specify the IP address for the bridge parent.
         However, if this interface is a bridge member, the value in this field is changed to Bridge member and
         it is read-only.

      • Mask — Specify the length of the significant portion of the netmask. If you do not specify this value, the
        value will default to 24, which corresponds to a netmask of 255.255.255.0. If you are configuring this
        interface to connect to a DHCP server, leave this field blank and select DHCP in the Type field. This field
        will then display DHCP as its value.

      • Type — Specify the type of interface that you are configuring. The following values are available:

         • Standard — Indicates a single network that is attached to one NIC or NIC group.

         • DHCP — Indicates network settings that are governed by a DHCP server within the same physical
           network that is attached to the NIC.



    • Transparent — [Available only for firewall versions 7.0.1.02 and later] Indicates that two interfaces
      are joined together to form one transparent or bridged interface.

    • VLAN — Indicates that one of the virtual networks is managed by the NIC.

• VLAN ID — Specify the VLAN identifier for this interface. Within the set of VLANs on one NIC, each
  VLAN ID must be unique. This field is not available unless the value of the Type field is set to VLAN. Valid
  values are from 1 to 4094.

• Burb — Specify the burb that is attached to this network interface.

• NIC/NIC Group — Specify the NIC or the NIC group that is currently attached to this network interface.

• Bridged Interfaces — [Available only if Transparent was selected as the value in the Type field] Specify
  the two interfaces that will be used to form this transparent (bridged) interface.

• Advanced... — Display the Firewall Interface window, in which you can configure additional features for
  this interface. See Configuring a network interface (for firewalls and cluster members) or a transparent
  interface (for firewalls) on page 206.

• Delete — Click x (Delete) in the row to be deleted. The interface is deleted from the firewall.

• (Information area) — [Read-only] Displays information about the highlighted interface in the list.

•        (Add) — Adds a new firewall interface to the bottom of the list.

NICS/NIC Groups tab
Use the NICs/NIC Group tab to configure the physical NIC and to create NIC groups for redundant NICs. A
primary reason for NIC groups is to provide redundant NIC functionality. If a primary NIC in a group stops
working or is disconnected, the standby NIC starts passing the traffic. To configure a new NIC group with a
primary and a secondary NIC, click Add to display the NIC Group window.
A maximum of 26 NICs can be installed in a firewall at one time, including the two onboard NICs. A
dual-port NIC counts as two NICs, a quad-port NIC counts as four NICs, and so on.
Figure 53 NICs/NIC Groups tab on the Firewall window: Interfaces area




      Fields and buttons
      This tab has the following fields and buttons:
      • NICs — Use the fields in this table to configure the settings for each NIC.

         • Name — [Read-only] Displays the name of the NIC.

         • MAC Address — [Read-only] Displays the MAC address of the NIC. The MAC address is used for
           communication at the data-link layer.

         • Speed Mode — Specify the speed for packet delivery. If you select autoselect, the NIC communicates
           with the network to determine this value. The none option is used for NICs that do not have any speed.
           An example of this is a virtualized firewall. Otherwise, you can select an exact value from this list.

         • Capabilities — Specify the media capabilities of the NIC.

             To select the values for this list:

             First, click the down arrow. The list of values is displayed, along with a Find field and button.

             Second, if you do not need to filter the list, go to the next step. To filter the list of values, in the
             Find field, specify a value or a partial value or an internal value (as in part of an IP address if you
             are working with objects that reference them) and click Find. Only those values that match your
             find criteria are displayed.

             Third, select the checkbox of each value that you want to add to this field and click the down arrow
             to close the drop-down display. If you have selected more than one value, they are displayed in a
             comma-delimited list in this field.

             The following values are available:

             • rxcsum — Enables hardware checksum verification for incoming IPv4 packets.

             • txcsum — Enables hardware checksum generation for outgoing IPv4 packets.

             • jumbo_mtu — Configures the network interface to receive jumbo frames. This value is available
               only on NICs that support jumbo frames.

         • Description — Specify a description for this NIC.

      • NIC Groups — Use the fields in this table to modify an existing NIC group or click Add to add a new one.

         • Name — [Read-only] Displays the name of the NIC group.

         • NICs — [Read-only] Displays the list of NICs that are attached to this NIC group.

         • Description — Specify a description for the NIC group.

         • Modify — Display the NIC Group window, in which you can edit the settings for this NIC group.

         • Delete — Click x (Delete) in the row to be deleted. The NIC group is deleted from the firewall.

         • Add — Display the NIC Group window, in which you can add a new NIC group.




Creating a transparent (bridged) interface
This functionality is available only for firewalls version 7.0.1.02 and later. It is not available for High
Availability clusters.
A transparent interface consists of two bridge member interfaces. You can use a transparent interface to
separate a single network into two burbs. This allows you to enforce security policy on traffic that passes
through your firewall’s transparent interface without having to re-address the network around the firewall.
For more information, see Managing firewall interfaces on page 41.
The following table shows the default firewall interface configuration. These interfaces, or any other two
interfaces, can be used to configure one transparent interface.
Table 9 Standard interfaces
User defined interface name          NIC or NIC Group   Burb name
external_network                     em0                external
internal_network                     em1                internal


The following table shows a transparent interface that has been configured by using the default interfaces.
Note that bridge0 consists of two bridge member interfaces—em0 and em1.
Table 10 Transparent interface
User defined transparent interface name         NIC or NIC Group
bridged_network                                 bridge0 (em0, em1)


If you configure a transparent interface, you cannot enable or configure:
• Split DNS

• High Availability clusters

• Sendmail

• Dynamic routing

• DHCP on the transparent interface

• DHCP Relay agent

• VPN termination in a transparent burb

• IPv6 addresses on the transparent interface

To create a transparent interface:
1 If the Firewall window is already displayed, skip to step 4.
   or
   In the Configuration Tool, make sure that the Firewalls group bar is selected.

2 Click the Firewalls node to display the list of configured firewalls.

3 Double-click the firewall for which you want to configure the transparent interface. The Firewall window
   is displayed.

4 In the tree, click Interfaces. The Interfaces area is displayed.

5 Click          at the far right of this area to add a new interface row to the table.

6 Specify values in the Name, IP address, and Mask fields. In the Type field, select Transparent. For more
   information about the fields in this area, see Firewall window: Interfaces area on page 175.

   Note that as soon as you do this, the following changes occur in the table:

   a The value in the Burb field is changed to <None> and is read-only.

   b The value in the NIC/NIC Group field is changed to bridge0 and is read-only.




         c   A new Bridged Interfaces column is displayed, in which you can select two interfaces from the
             available list of configured interfaces to use for this transparent interface.

      7 In the Bridged Interfaces field, select the two interfaces to use for this transparent interface. After you
         select the bridge members, their IP address values are changed to Bridge Member.

      8 Click Advanced… to display the Firewall Interface window, in which you can configure additional settings.

      9 In this window, you can configure alias addresses, MTU size, and ARP table cache size. For more
         information about these fields, see Configuring a network interface (for firewalls and cluster members) or
         a transparent interface (for firewalls) on page 206.

      10 Click OK to save your changes.


      Firewall window: Static Routing area (for versions 7.0.1 and later with IPv6 enabled)
      Use the Static Routing area to modify the default route or to configure an alternate route to be used for the
      default route failover.
      The default route is the network route that is used by a router when no other known route exists for a
      packet’s destination address. The alternate default route is a redundant route. If your primary default route
      becomes inaccessible, the alternate default route will start to forward traffic.
      Note: If you are viewing this window for the 7.0.1 or later version of the firewall without IPv6 enabled or for
      versions 7.0.0.06 or 7.0.0.07 of the firewall, go to Firewall window: Static Routing area (for versions 7.0.1 or
      later without IPv6 enabled or for versions 7.0.0.06 or 7.0.0.07 only) on page 184.

      Figure 54 Firewall window: Static Routing area (for firewall versions 7.0.1 and later, IPv6 enabled)




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Firewalls node to display the list of firewalls.

3 Double-click a supported firewall object. The Firewall window is displayed.

4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.

Tabs and buttons
This area has the following tabs and buttons:
• IPv4 — Configure static routes for your IPv4 addresses. For more information, see IPv4 tab on page 181.

• IPv6 — [Available only when IPv6 is enabled] Configure static routes for your IPv6 addresses. For more
  information, see IPv6 tab on page 183.

• OK — Save all of the information on the entire Firewall window.

• Cancel — Close this window without saving any changes.

IPv4 tab
Use the fields on this tab to configure static routes for your IPv4 network traffic. To view the fields on this
tab, see Figure 54 on page 180.

Accessing this tab
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Firewalls node to display the list of firewalls.

3 Double-click a supported firewall object. The Firewall window is displayed.

4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.

5 Make sure that the IPv4 tab is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Configure default route failover — Determines whether you are going to configure an alternate default
  route. The default value is cleared. If you select this checkbox, the fields in the Alternate Default Route
  area are available.

• Default Route — Use the fields in this area to configure the IP address for the default IPv4 route and, if
  you are configuring route failover, one or more IP addresses to ping to confirm primary default route
  availability. The following fields are available:

   • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its
     destination address. This is usually the IP address of a router that forwards packets to your Internet
     Service Provider (ISP). You can also configure a DHCP route by specifying dhcp as the value in this
     field. However, you also must have a DHCP interface already configured.

   • Description — Provide information to assist in identifying this route.

   • Ping addresses — [Available only if Configure default route failover is selected] Use the fields in
     this table to manage the IP addresses that the firewall will ping to confirm that the primary default
     route is accessible.

       The primary default route IP address is automatically displayed. However, you can configure
       additional ping addresses.

       • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click
         anywhere in a blank row.

       • Delete — Click x (Delete) in the row of an IP address that you want to delete from this table.



             • Ping interval (s) — Specify the amount of time (in seconds) in between each ping that the firewall
               will send to the configured IP addresses to ensure that the path is accessible. Valid values are from
               2 to and including 60.

             • Failures allowed — Specify the number of failed ping attempts that must occur before the
               alternate default route assumes the role of the default (primary) route.

                 Failures are counted in increments and decrements rather than successively. This means that a
                 failed ping adds to the failure total, and a successful ping subtracts from the failure total. The failure
                 total is never less than zero and it is never more than the configured failures allowed.

                 For example, if you set the allowed number of failures to 3, the following table demonstrates the
                 way that successful and failed pings are counted to determine the failover.


            Ping result:     failure  success  success  failure  failure  success  failure  failure
            Failure total:   1        0        0        1        2        1        2        3 (failover event occurs)

      • Alternate Default Route — [Available only if Configure default route failover is selected] Use the
        fields in this area to configure the IP address for the alternate default route and one or more IP addresses
        to ping to confirm alternate default route availability. The following fields are available:

         • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its
           destination address. This should be a different route than the primary default route or it can also be a
           different ISP.

         • Description — Provide information to assist in identifying this route.

         • Ping addresses — Use this table to manage the IP addresses that the firewall will ping to confirm that
           the primary default route is accessible.

             • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click
               anywhere in a blank row.

             • Delete — Click x (Delete) in the row of an IP address that you want to delete from this table.

             • Ping interval (s) — Specify the amount of time (in seconds) in between each ping that the firewall
               will send to the configured IP addresses to ensure that the path is accessible. Valid values are from
               2 to and including 60.

             • Failures allowed — Specify the number of failed ping attempts that must occur before the
               alternate default route is considered to be inaccessible.

                 Failures are counted in increments and decrements rather than successively. This means that a
                 failed ping adds to the failure total, and a successful ping subtracts from the failure total. The failure
                 total is never less than zero and it is never more than the configured failures allowed. Valid values
                 are from 2 to and including 20.
                 For example, if you set the allowed number of failures to 3, the following table demonstrates the
                 way that successful and failed pings are counted to determine the failover.


            Ping result:     failure  success  success  failure  failure  success  failure  failure
            Failure total:   1        0        0        1        2        1        2        3 (failover event occurs)
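The counting rule above applies equally to the primary and the alternate default route. The following Python script is an added example, not McAfee code, that replays the rule over the ping sequence from the table so the running totals can be checked; the function names and sample sequences are constructed for illustration, and the accepted ranges are the ones the Ping interval (s) and Failures allowed fields state.

```python
"""Added example, not McAfee code: the failure-total counter that the
Failures allowed field describes, replayed over the ping sequence from the
table above. Names and the sample sequences are constructed for illustration."""
from typing import List, Tuple

# Ranges stated on the page for the two failover fields.
PING_INTERVAL_RANGE = (2, 60)      # Ping interval (s): 2 to 60 inclusive
FAILURES_ALLOWED_RANGE = (2, 20)   # Failures allowed: 2 to 20 inclusive


def validate_failover_settings(ping_interval_s: int, failures_allowed: int) -> None:
    """Reject values outside the ranges the fields accept."""
    lo, hi = PING_INTERVAL_RANGE
    if not lo <= ping_interval_s <= hi:
        raise ValueError(f"ping interval must be {lo}-{hi} s, got {ping_interval_s}")
    lo, hi = FAILURES_ALLOWED_RANGE
    if not lo <= failures_allowed <= hi:
        raise ValueError(f"failures allowed must be {lo}-{hi}, got {failures_allowed}")


def failure_totals(results: List[str], failures_allowed: int) -> Tuple[List[int], int]:
    """Replay a sequence of ping results ("failure" / "success").

    A failed ping adds one to the running total, a successful ping subtracts
    one, and the total is clamped to [0, failures_allowed]. Returns the running
    totals and the index of the first ping at which the total reached the
    limit (the failover event), or -1 if the limit was never reached.
    """
    total = 0
    totals: List[int] = []
    failover_at = -1
    for index, result in enumerate(results):
        if result == "failure":
            total = min(total + 1, failures_allowed)
        elif result == "success":
            total = max(total - 1, 0)
        else:
            raise ValueError(f"unexpected ping result: {result!r}")
        totals.append(total)
        if failover_at == -1 and total >= failures_allowed:
            failover_at = index
    return totals, failover_at


# Constructed sample: the sequence shown in the table, with failures allowed = 3.
SAMPLE_RESULTS = ["failure", "success", "success", "failure",
                  "failure", "success", "failure", "failure"]

# Constructed sample of a flapping path: the total oscillates between 1 and 0,
# so the limit is never reached and no failover occurs.
FLAPPING_RESULTS = ["failure", "success"] * 5

if __name__ == "__main__":
    validate_failover_settings(ping_interval_s=5, failures_allowed=3)
    totals, at = failure_totals(SAMPLE_RESULTS, 3)
    print(totals, at)                               # [1, 0, 0, 1, 2, 1, 2, 3] 7
    print(failure_totals(FLAPPING_RESULTS, 3)[1])   # -1
```

The second sample shows a property of the rule worth keeping in mind when tuning: because every successful ping subtracts one, a path that alternates between success and failure never reaches the limit, so the ping interval and the number of failures allowed together determine how much sustained loss is needed before the alternate route takes over.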




    • Static routes — Use this table to display, edit, or add static routes that are not specified as the primary
      default route and the alternate default route in the fields at the top of this area. The following fields are
      available:

        • Destination — Specify the IP address for the route destination. This value must be a valid IPv4
          address in dotted quad format.

           You can specify a slash-format netmask length (for example, x.x.x.x/y where x is a number
           between 0 and 255 and y is a number between 0 and 31). After you move the mouse to another
           field, the mask length is removed from this field and the appropriate netmask is displayed in the
           Netmask field. For example, if you specified 24, the value will be 255.255.255.0. If you do not
           specify an IP address value, the default Netmask value, which is 255.255.255.255, is provided.

        • Netmask — Specify the netmask that is assigned to the route destination. This value must be a valid
          IPv4 address in dotted quad format and it must also be a contiguous netmask.

        • Gateway — Specify the IP address of the gateway to use in the route to the specified destination. This
          value must be a valid IPv4 address in dotted quad format.

        • Description — Provide information to assist in identifying this route.

        • Delete — Click x (Delete) in the row of a static route that you want to delete from this table.

    IPv6 tab
    Use the fields on this tab to configure static routes for your IPv6 network traffic. The IPv6 routes are saved
    in a compressed format with lowercase letters. For example, if you specify FFAB:0000:9::, the value is
    saved as ffab:0:9::.
    Note: This tab is available only if IPv6 is enabled.

Figure 55 Firewall window for version 7.0.1 and later firewalls with IPv6 enabled: Static Routing area: IPv6 tab




    Accessing this tab
    1 In the Configuration Tool, select the Firewalls group bar.

    2 Select the Firewalls node to display the list of firewalls.

    3 Double-click a supported firewall object. The Firewall window is displayed.

    4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.

    5 Select the IPv6 tab. The IPv6 tab is displayed.




      Fields and buttons
      This tab has the following fields and buttons:
      • Default Route — Use the fields in this area to configure the IP address for the default IPv6 route.

         • IP address — Specify the IP address of the device that forwards traffic with no known route to its
           destination address. This is usually the IP address of a router that forwards packets to your Internet
           Service Provider (ISP). If you are configuring a link-local route (whereby your address begins with
           fe80), you must also specify an interface in the Interface column for this route.

         • Description — Provide information to assist in identifying this route.

      • Destination — Specify the host IP address or subnet address of your end target. This value must be an
        IPv6 address. You can also specify the prefix value at the end of this address by specifying slash (/) and
        then the prefix value (for example, 5::/128).

      • Prefix — Specify the mask length for this IP address. Valid values are 0–128.

      • Gateway — Specify the gateway address that the route will use to pass traffic onto the destination. The
        gateway address must be reachable by the firewall. If the IPv6 static route is a link-local address (that is,
        the address value begins with fe80), you must specify a valid interface in the Interface column.

      • Description — Provide information to assist in identifying this route.

      • Interface — [Available only if this IPv6 static route is a link-local address] Specify the interface for this
        route.

      • Delete — Click x (Delete) in the row of a static route that you want to delete from this table.
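The rules for the Static routes table on the IPv4 tab (slash-format mask lengths expanded to a dotted-quad netmask, contiguous netmasks only) and for the IPv6 tab (routes stored compressed and lowercase, link-local routes requiring an interface) can be checked before a route is entered. The following Python script is an added example, not McAfee code; it uses the standard ipaddress module, the function names are constructed, and the one assumption not taken from the page is that an IPv6 destination given without any prefix is treated as a host route (/128).

```python
"""Added example, not McAfee code: validation and normalisation of static
route entries, following the rules the Destination, Netmask, Gateway, Prefix
and Interface fields describe. Function names are constructed for illustration."""
import ipaddress
from typing import Dict, Optional, Tuple

DEFAULT_IPV4_NETMASK = "255.255.255.255"   # default the Netmask field supplies


def prefix_to_netmask(prefix_len: int) -> str:
    """Expand a mask length into dotted-quad form, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"mask length out of range: {prefix_len}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def is_contiguous_netmask(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed only by 0 bits.

    ipaddress would also accept a host mask such as 0.0.0.255, so the check is
    done on the bits directly: inverting a contiguous mask gives a value of the
    form 2**n - 1, which has no bit in common with its successor.
    """
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def parse_ipv4_destination(value: str) -> Tuple[str, str]:
    """Split a Destination value into (address, netmask).

    'x.x.x.x/y' with y from 0 to 31 becomes the address plus the expanded
    netmask; a bare address gets the default 255.255.255.255 netmask.
    """
    address, slash, length = value.partition("/")
    if slash:
        prefix_len = int(length)
        if not 0 <= prefix_len <= 31:
            raise ValueError(f"mask length must be 0-31, got {length}")
        netmask = prefix_to_netmask(prefix_len)
    else:
        netmask = DEFAULT_IPV4_NETMASK
    ipaddress.IPv4Address(address)   # raises ValueError unless a valid dotted quad
    return address, netmask


def validate_ipv4_route(destination: str, netmask: str, gateway: str) -> Dict[str, str]:
    """Check an explicit Destination/Netmask/Gateway row before it is saved."""
    ipaddress.IPv4Address(destination)
    if not is_contiguous_netmask(netmask):
        raise ValueError(f"netmask is not contiguous: {netmask}")
    ipaddress.IPv4Address(gateway)
    return {"destination": destination, "netmask": netmask, "gateway": gateway}


def normalize_ipv6_route(destination: str, gateway: str,
                         prefix: Optional[int] = None,
                         interface: Optional[str] = None) -> Dict[str, object]:
    """Store an IPv6 route the way the IPv6 tab does: compressed, lowercase.

    The prefix may be given in the destination ('5::/128') or separately
    (0-128). A link-local address (fe80::/10) requires an interface.
    Assumption in this example: a destination with no prefix at all is
    treated as a host route (/128).
    """
    address, slash, length = destination.partition("/")
    if slash:
        prefix = int(length)
    if prefix is None:
        prefix = 128
    if not 0 <= prefix <= 128:
        raise ValueError(f"prefix must be 0-128, got {prefix}")
    network = ipaddress.IPv6Network(f"{address}/{prefix}", strict=False)
    gw = ipaddress.IPv6Address(gateway)
    if (network.network_address.is_link_local or gw.is_link_local) and not interface:
        raise ValueError("link-local route requires an interface")
    return {
        "destination": network.network_address.compressed,
        "prefix": prefix,
        "gateway": gw.compressed,
        "interface": interface,
    }


if __name__ == "__main__":
    print(parse_ipv4_destination("10.1.2.0/24"))    # ('10.1.2.0', '255.255.255.0')
    print(is_contiguous_netmask("255.0.255.0"))     # False
    print(normalize_ipv6_route("FFAB:0000:9::", "2001:DB8::1", prefix=48))
```

The same mask-length expansion is what the Mask field in the Interfaces area performs when it defaults to 24 and shows 255.255.255.0; the IPv6 normalisation reproduces the FFAB:0000:9:: to ffab:0:9:: example from the IPv6 tab description.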

      Firewall window: Static Routing area (for versions 7.0.1 or later without IPv6 enabled or for
      versions 7.0.0.06 or 7.0.0.07 only)
      Use the Static Routing area to modify the default route or to configure an alternate route to be used for the
      default route failover.
      Note: If you are viewing this window for the 7.0.0.06 version or later versions of the firewall without IPv6
      enabled, go to Firewall window: Static Routing area (for versions 7.0.1 or later without IPv6 enabled or for
      versions 7.0.0.06 or 7.0.0.07 only) on page 184. If you are viewing this window for the 7.0.1 or later version of
      the firewall with IPv6 enabled, see Firewall window: Static Routing area (for versions 7.0.1 and later with IPv6
      enabled) on page 180.

      The default route is the network route that is used by a router when no other known route exists for a
      packet’s destination address. The alternate default route is a redundant route. If your primary default route
      becomes inaccessible, the alternate default route will start to forward traffic.
      With redundant default routes, use the fields in this area to define an alternate default route and ping
      addresses for the default routes.
      • The firewall continuously pings the default route IP address and any other ping addresses that you define
        in this area.

      • If all of the configured ping addresses fail, the alternate default route becomes the acting default route.

      • Reset the primary default route when it is active again by selecting the Revert default gateway to the
        primary default gateway option in the Control Actions field in the Device Control window.




Figure 56 Firewall window: Static Routing area (for firewall versions 7.0.1 or later without IPv6 enabled or for 7.0.0.06
and 7.0.0.07 only)




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Firewalls node to display the list of firewalls.

3 Double-click a supported firewall object. The Firewall window is displayed.

4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.

Fields and buttons
This area has the following fields and buttons:
• Configure default route failover — Determines whether you are going to configure an alternate default
  route. The default value is cleared. If you select this checkbox, the fields in the Alternate Default Route
  area are available.

• Default Route — Use the fields in this area to configure the IP address for the default route and, if you
  are configuring route failover, one or more IP addresses to ping to confirm primary default route
  availability. The following fields are available:

   • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its
     destination address. This is usually the IP address of a router that forwards packets to your Internet
     Service Provider (ISP). You can also configure a DHCP route by specifying dhcp as the value in this
     field. However, you also must have a DHCP interface already configured.

   • Description — Provide information to assist in identifying this route.

   • Ping addresses — [Available only if Configure default route failover is selected] Use the fields in
     this table to manage the IP addresses that the firewall will ping to confirm that the primary default
     route is accessible.

       The primary default route IP address is automatically displayed. However, you can configure
       additional ping addresses.

       • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click
         anywhere in a blank row.

       • Delete — Click x in the row of an IP address that you want to delete from this table.




             • Ping interval (s) — Specify the amount of time (in seconds) between each ping that the firewall
               sends to the configured IP addresses to confirm that the path is accessible. Valid values are 2
               through 60, inclusive.

             • Failures allowed — Specify the number of failed ping attempts that must occur before the
               alternate default route assumes the role of the default (primary) route.

                 Failures are counted as a running total rather than as consecutive failures: a failed ping adds
                 one to the failure total and a successful ping subtracts one from it. The failure total is never
                 less than zero and never more than the configured failures allowed. Valid values are 2 through
                 20, inclusive.

                 For example, if you set the allowed number of failures to 3, the following table shows how
                 successful and failed pings are counted to determine the failover.

                 Ping result:     failure  success  success  failure  failure  success  failure  failure
                 Failure total:   1        0        0        1        2        1        2        3
                                                                                                 (failover event occurs)

      • Alternate Default Route — [Available only if Configure default route failover is selected] Use the
        fields in this area to configure the IP address for the alternate default route and one or more IP addresses
        to ping to confirm alternate default route availability. The following fields are available:

         • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its
           destination address. This should be a different route than the primary default route or it can also be a
           different ISP.

         • Description — Provide information to assist in identifying this route.

         • Ping addresses — Use the fields in this table to manage the IP addresses that the firewall will ping
           to confirm that the primary default route is accessible.

             • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click
               anywhere in a blank row.

             • Delete — Click x in the row of an IP address that you want to delete from this table.

             • Ping interval (s) — Specify the amount of time (in seconds) between each ping that the firewall
               sends to the configured IP addresses to confirm that the path is accessible. Valid values are 2
               through 60, inclusive.

             • Failures allowed — Specify the number of failed ping attempts that must occur before the
               alternate default route is considered to be inaccessible.

                 Failures are counted as a running total rather than as consecutive failures: a failed ping adds
                 one to the failure total and a successful ping subtracts one from it. The failure total is never
                 less than zero and never more than the configured failures allowed.

                 For example, if you set the allowed number of failures to 3, the following table shows how
                 successful and failed pings are counted to determine the failover.

                 Ping result:     failure  success  success  failure  failure  success  failure  failure
                 Failure total:   1        0        0        1        2        1        2        3
                                                                                                 (failover event occurs)




• Static routes — Use this table to display, edit, or add static routes that are not specified as the primary
  default route and the alternate default route in the fields at the top of this area. The following fields are
  available:

   • Destination — Specify the IP address for the route destination. This value must be a valid IPv4
     address in dotted quad format.

       You can specify a slash-format netmask length (for example, x.x.x.x/y where x is a number
       between 0 and 255 and y is a number between 0 and 31). After you move the mouse to another
       field, the mask length is removed from this field and the appropriate netmask is displayed in the
       Netmask field. For example, if you specified 24, the value will be 255.255.255.0. If you do not
       specify an IP address value, the default Netmask value, which is 255.255.255.255, is provided.

   • Netmask — Specify the netmask that is assigned to the route destination. This value must be a valid
     IPv4 address in dotted quad format and it must also be a contiguous netmask.

   • Gateway — Specify the IP address of the gateway to use in the route to the specified destination. This
     value must be a valid IPv4 address in dotted quad format.

   • Description — Provide information to assist in identifying this route.

   • Delete — Click x in the row of a static route that you want to delete from this table.
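The failover counter described for the Failures allowed field, replayed in Python as an added example (this is not Control Center's or the firewall's own code). The rules are the ones the text above gives: a failed ping cycle adds one to the failure total, a successful cycle subtracts one, the total is clamped between zero and the configured Failures allowed, a cycle counts as failed only when every configured ping address fails, and the switch back to the primary route is the manual Revert default gateway action rather than an automatic fallback. The class and function names (FailoverMonitor, ping_round, simulate) are the example's own.

```python
"""Default route failover counter for the Static Routing area (added example,
not Control Center code).  Rules taken from the guide: a failed ping cycle adds
one to the failure total, a successful cycle subtracts one, the total stays
within 0..failures allowed, a cycle fails only when every configured ping
address fails, and the switch back to the primary route is a manual action
(Revert default gateway).  Class and function names are the example's own."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PING_INTERVAL_RANGE = (2, 60)     # seconds, as the guide states
FAILURES_ALLOWED_RANGE = (2, 20)  # as the guide states


@dataclass
class FailoverMonitor:
    failures_allowed: int
    ping_interval_s: int = 10
    failure_total: int = 0
    failed_over: bool = False

    def __post_init__(self) -> None:
        lo, hi = FAILURES_ALLOWED_RANGE
        if not lo <= self.failures_allowed <= hi:
            raise ValueError(f"Failures allowed must be {lo}..{hi}")
        lo, hi = PING_INTERVAL_RANGE
        if not lo <= self.ping_interval_s <= hi:
            raise ValueError(f"Ping interval must be {lo}..{hi} seconds")

    def ping_round(self, results: Dict[str, bool]) -> bool:
        """Apply one ping cycle (address -> answered?).  Returns True on the
        cycle that raises the failover event (the alternate route takes over)."""
        if not results:
            raise ValueError("at least the default route address must be pinged")
        # One reachable address is enough for the cycle to count as a success.
        if any(results.values()):
            self.failure_total = max(0, self.failure_total - 1)
        else:
            self.failure_total = min(self.failures_allowed, self.failure_total + 1)
        if self.failure_total >= self.failures_allowed and not self.failed_over:
            self.failed_over = True
            return True
        return False

    def revert_to_primary(self) -> None:
        """Models the Revert default gateway control action: the operator, not
        a successful ping, puts the primary route back in service."""
        self.failed_over = False
        self.failure_total = 0


def simulate(sequence: List[str], failures_allowed: int) -> Tuple[List[int], Optional[int]]:
    """Replay 'failure'/'success' cycle outcomes, as in the guide's table, using
    only the default route address.  Returns the failure total after each cycle
    and the 1-based cycle number of the failover event (None if it never fires)."""
    monitor = FailoverMonitor(failures_allowed=failures_allowed)
    totals: List[int] = []
    event_at: Optional[int] = None
    for n, outcome in enumerate(sequence, start=1):
        fired = monitor.ping_round({"default-route": outcome == "success"})
        totals.append(monitor.failure_total)
        if fired and event_at is None:
            event_at = n
    return totals, event_at


if __name__ == "__main__":
    table = ["failure", "success", "success", "failure",
             "failure", "success", "failure", "failure"]
    totals, at = simulate(table, failures_allowed=3)
    print("failure totals:", totals)       # [1, 0, 0, 1, 2, 1, 2, 3]
    print("failover event at cycle:", at)  # 8
```

Because a successful cycle only subtracts one, a link that flaps (alternating failures and successes) never reaches the threshold; the event fires only when failures outpace successes by the configured count, which is the point of the running total.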
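A second added example, again not product code, covering the Destination, Netmask and Gateway rules listed for the Static routes table: converting a slash-format mask length to the dotted-quad Netmask the window displays, applying the guide's 255.255.255.255 default when no length is given, and checking that a netmask is contiguous and that addresses are valid dotted-quad IPv4. The 0 to 31 length range is the one the guide states; the function names are the example's own.

```python
"""Static-route field checks for the Static Routing area (added example, not
Control Center code).  Turns a slash-format Destination (x.x.x.x/y, y in 0..31
as the guide states) into the dotted-quad Netmask shown in the Netmask field,
and verifies the netmask and gateway rules the guide lists."""

import ipaddress
from typing import List, Tuple

HOST_MASK = "255.255.255.255"   # the guide's default Netmask when no length is given


def prefix_to_netmask(length: int) -> str:
    """/24 -> 255.255.255.0.  The guide allows lengths 0 through 31."""
    if not 0 <= length <= 31:
        raise ValueError("mask length must be between 0 and 31")
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def is_dotted_quad(text: str) -> bool:
    """True for a valid IPv4 address written as four dotted octets."""
    try:
        ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return False
    return True


def is_contiguous_netmask(mask: str) -> bool:
    """A contiguous netmask is a run of 1 bits followed by a run of 0 bits."""
    if not is_dotted_quad(mask):
        return False
    value = int(ipaddress.IPv4Address(mask))
    inverted = (~value) & 0xFFFFFFFF
    # For 1...10...0 the inverted value is 0...01...1, and n & (n + 1) == 0 exactly then.
    return inverted & (inverted + 1) == 0


def parse_destination(text: str) -> Tuple[str, str]:
    """Split the Destination field into (destination, netmask), as the window does
    when focus leaves the field.  No '/length' means the guide's default host mask."""
    text = text.strip()
    if "/" in text:
        addr, length = text.split("/", 1)
        if not length.isdigit():
            raise ValueError("mask length must be a number")
        netmask = prefix_to_netmask(int(length))
    else:
        addr, netmask = text, HOST_MASK
    if not is_dotted_quad(addr):
        raise ValueError(f"{addr!r} is not a dotted-quad IPv4 address")
    return addr, netmask


def check_static_route(destination: str, netmask: str, gateway: str) -> List[str]:
    """Return the rule violations for one Static routes row (empty list = acceptable)."""
    problems: List[str] = []
    if not is_dotted_quad(destination):
        problems.append("Destination must be a valid IPv4 address in dotted quad format")
    if not is_contiguous_netmask(netmask):
        problems.append("Netmask must be a valid, contiguous IPv4 netmask")
    if not is_dotted_quad(gateway):
        problems.append("Gateway must be a valid IPv4 address in dotted quad format")
    return problems


if __name__ == "__main__":
    # Constructed sample rows, not values from the guide.
    dest, mask = parse_destination("10.1.0.0/16")
    print(dest, mask)                                          # 10.1.0.0 255.255.0.0
    print(check_static_route(dest, mask, "192.0.2.1"))         # []
    print(check_static_route("10.1.0.0", "255.0.255.0", "gw"))  # two problems
```

The contiguity test matters because a non-contiguous mask such as 255.0.255.0 is a valid dotted quad but does not describe a prefix, and the guide rejects it for the Netmask field.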

Firewall window: Dynamic Routing area
Use the Dynamic Routing area of the Firewall window to modify configuration files that are associated with
dynamic routing. Dynamic routing is performed by using a dynamic routing application along with a routing
protocol such as the following protocols:
• BGP (Border Gateway Protocol)

• OSPF (Open Shortest Path First Protocol)

• RIP (Routing Information Protocol)

• PIM-SM (Protocol-Independent Multicast - Sparse Mode)

The firewall implementation of the BGP, OSPF, and RIP protocols and corresponding server processes is
based on the Quagga implementation. The firewall implementation of PIM-SM is based on the XORP
(eXtensible Open Router Platform) implementation.
Each routing application is associated with a configuration file that contains all of the information required
for configuring dynamic routing. Use the Dynamic Routing area to select a configuration and to edit the
associated configuration file. For more information about routing and the various protocols, see the
“Routing” chapter of the McAfee Firewall Enterprise (Sidewinder) Administration Guide.
Note: Editing configuration files associated with dynamic routing protocols and applications requires advanced
knowledge.

If you edit one of the Quagga configuration files that is accessible from this area and apply the configuration to
the firewall, the modified configuration will be validated before the information from the Control Center can be
applied to the firewall.

If you edit the XORP configuration file, the modified file will be validated before the XORP implementation is
modified. If the configuration is invalid, the XORP implementation will continue to use its older configuration.

For the Quagga implementations, consult the documentation available at www.quagga.net.




      Figure 57 Firewall window: Dynamic Routing area




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click a supported firewall object. The Firewall window is displayed.

      4 Select the Dynamic Routing node. The Dynamic Routing area is displayed.

      Fields and buttons
      This area has the following button and an associated field.
      • --Select Configuration — Determines the configuration file that is associated with the firewall server
        process. The following values are available:

         • BGP configuration — Display the configuration file that is associated with the firewall server process
           that implements BGP processing (bgpd).

         • OSPF configuration — Display the configuration file that is associated with the firewall server process
           that implements OSPF processing (ospfd).

         • zebra configuration — Display the configuration file that is associated with the kernel routing table
           manager server process, zebra.

         • XORP configuration — Display the configuration file that is associated with the XORP implementation
           of PIM-SM routing.

         • rip configuration - external — Display the configuration file that is associated with the external burb
           and the firewall server process that implements RIP processing (ripd). The RIP configuration is on a
           per-burb basis. There is an RIP configuration file for each burb registered to the firewall.

         • rip configuration - internal — Display the configuration file that is associated with the internal burb
           and the firewall server process that implements RIP processing (ripd). The RIP configuration is on a
           per-burb basis. There is an RIP configuration file for each burb registered to the firewall.
         • rip configuration - unbound — Display the configuration file that is associated with the Control Center
           Management Server process that implements RIP processing across burbs (ripd-unbound).




Firewall window: Sendmail area
Use the Sendmail area of the Firewall window to edit the sendmail configuration files. These files contain
such information as the delivery agents to use and the way to format message headers.
Caution: Do not change your sendmail configuration options unless you are an experienced sendmail user and
want to customize the files for your site.

Be sure to make a backup copy of a sendmail configuration file prior to editing the file.

Figure 58 Firewall window: Sendmail area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Firewalls node to display the list of firewalls.

3 Double-click a supported firewall object. The Firewall window is displayed.

4 Select the Sendmail node. The Sendmail area is displayed.

Fields and buttons
This area has the following fields and buttons:
• Manage Sendmail files via Control Center — Determines whether the Sendmail files will be updated
  by the Control Center Management Server or by the firewall. The default value is selected.

• File Set — Determines whether the files you want to modify are in the internal burb or the external burb.

• Configuration File — Specify the configuration file to be modified. The following values are available for
  each file set:

   • Access Table — Define anti-relaying and anti-spamming policies for the SMTP server.

   • Aliases File (available only in the Internal burb) — Define the mail aliases that are used to redirect
     E-mail to another person or location.

   • Alternative Host Names — Identify alternate host names by which the firewall is known. E-mail
     addressed to any of the alternate names is treated as local mail by the firewall.

   • Domain Table — Provide a mapping from an old domain name to a new domain name. You might
     modify this file if your organization's external domain name changes.

   • M4 Config File — Define the initial sendmail configuration. Modify this file as needed to account for
     site-specific requirements.
   • Mailer Table — Map a domain to a mail relay that is responsible for mail delivery in that domain.

       The selected configuration file is available for edit in the associated text box.


      • Save — Save your changes to the edited configuration file.

      Firewall window: DNS area
      Use the DNS area of the Firewall window to manage and modify the DNS configuration for the firewall. The
      firewall supports the following DNS configurations:
      • Transparent DNS

      • Hosted Single Server DNS

      • Hosted Split Server DNS
      Figure 59 Firewall window: DNS area (Transparent Configuration)




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click a supported firewall object. The Firewall window is displayed.

      4 Select the DNS node. The DNS area is displayed.

      Fields and buttons
      This area has one field that affects the composition of the area and the fields and buttons that are available
      for configuration of DNS:
      • DNS Configuration — Specify the type of DNS configuration. The following values are available:

         • Transparent — In this configuration, DNS requests are proxied through the firewall to one or more
           remote DNS servers. See Transparent DNS Configuration on page 191.

         • Hosted Single Server — In this configuration, one DNS server is hosted on the firewall. That server
           handles all DNS queries. The server is protected by the hardened operating system on the firewall. See
           Hosted Single Server Configuration on page 191.

         • Hosted Split Server — In this configuration, two DNS servers are hosted on the firewall: one server
           is bound to the Internet burb (the Internet name server) and the other server (the unbound name
           server) is available for use by all other burbs. Both servers are protected by the hardened operating
           system on the firewall. See Hosted Split Server Configuration on page 193.
             Note: For firewall versions 7.0.1.00 and later, if IPv6 is enabled, you cannot use this configuration.




   Transparent DNS Configuration
   The following fields are available in this area:
   • Burb — [Read-only] Displays the burbs to which transparent name servers are assigned.

   • DNS Servers — [Read-only] Displays the name servers for transparent DNS services.

   • Add — Displays the Transparent DNS Servers window, in which you can configure a new transparent DNS
     server. For more information, see Configuring transparent DNS server objects on page 211.

   • Edit — Displays the Transparent DNS Servers window for the highlighted value in the table. You can edit
     the values and click OK to save the change to the area. Note that you must click OK in the Firewall window
     to save the changes to the firewall.

   • Delete — Delete the highlighted server from this table.

   Hosted Single Server Configuration
Figure 60 Firewall window: DNS area (Hosted Single Server configuration)




   The following fields are available in this area:
   • Manage DNS files via Control Center — Determines whether DNS files are managed by using the
     Control Center. This checkbox is selected by default. If a DNS configuration that is not supported by
     Control Center is encountered during retrieve, then this checkbox will be cleared. If you clear this
     checkbox, the only field on the window that remains active is Enable server.

   • Generate loopback and multicast failover zones on apply — Determines whether loopback zones
     (0.x.127.in-addr.arpa, where x denotes the burb index) and the failover multicast zone
     (0.255.239.in-addr.arpa) are automatically generated by the Control Center when you apply the
     configuration.

      These zones are added to the Control Center database when DNS components are retrieved from the
      firewall (see Retrieving firewall components on page 168), and this checkbox is cleared.




         Select this checkbox to ensure that the loopback zones and the failover multicast zone files are
         generated automatically when you apply, or propagate, a configuration from the Control Center
         database to the firewall. Otherwise, you will be responsible for adding the loopback and multicast zone
         files.

      • DNS Zones — Use the fields in this area to specify the zones that are associated with the name server.
        The following fields are available:

         • Create a new DNS Zone — Click        to display the DNS Zone Manager window, in which you can
           create a new DNS zone. For more information, see Configuring DNS zones on page 315.

         • DNS Zone — Specify the DNS zone to associate with the name server.

         • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS
           zone.

      • Server Configuration — Use the fields on this tab to specify configuration settings for the name server.
        The following fields are available:

         • Enable server — Determines whether the name server is enabled. This checkbox is selected by
           default. If you disable the name server by clearing the checkbox, only connections that use IP
           addresses will continue to work; connections that use host names will not.

         • Enable notify — Determines whether the master name server will notify all slave servers when the
           zone file changes. The notification indicates to the slaves that the contents of the master have changed
           and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox,
           the following fields are available:

             • Yes — Indicates that the slave servers will be notified about zone file changes.
             • No — Indicates that slave servers will not be notified about zone file changes.

         • Forwarders — Specify external name servers to which to forward queries that cannot be answered
           on the firewall. You can reposition a row in this table by highlighting the row and clicking either the
           (move up) or       (move down) buttons.

         • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether
           the name server will attempt to contact the root server if the Forwarders cannot answer the query.
           This checkbox is selected by default. This indicates that queries will be directed only to the selected
           forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders.
           If they cannot answer the query, the name server then attempts to contact the root server.

         • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all
           requesters are authorized.

         • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only
           for master zones. If this field is left blank, updates are not allowed from any host.


         • Dump-File — Specify the path name of the file to which the name server dumps the database when
           instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db.
           (rndc is the remote name daemon control program.)

         • Statistics File — Specify the path name of the file to which the name server appends statistics when
           instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is
           located in the current directory of the name server.




  Hosted Split Server Configuration
Figure 61 Firewall window: DNS area (Hosted Split Server configuration)




  The following fields are available in this area:
  • Manage DNS files via Control Center — Determines whether DNS files are managed by using Control
    Center. This checkbox is selected by default. If you clear this checkbox, the only field on the window that
    remains active is Enable server.

  • Generate loopback and multicast failover zones on apply — Determines whether loopback zones
    (0.x.127.in-addr.arpa, where x denotes the burb index) and the failover multicast zone
    (0.255.239.in-addr.arpa) are automatically generated by the Control Center when you apply the
    configuration.

     These zones are added to the Control Center database when DNS components are retrieved from the
     firewall (see Retrieving firewall components on page 168), and this checkbox is cleared.

     Select this checkbox to ensure that the loopback zones and the failover multicast zone files are
     generated automatically when you apply, or propagate, a configuration from the Control Center
     database to the firewall. Otherwise, you will be responsible for adding the loopback and multicast zone
     files.

  • DNS Zones — Use the fields in this area to specify the zones that are associated with the name server.
    The following fields are available:

     • Create a new DNS Zone — Click        to display the DNS Zone Manager window, in which you can
       create a new DNS zone. For more information, see Configuring DNS zones on page 315.

     • Type — Specify the location to which this zone is added. The following values are available:

         • Internet — Indicates that the zone is added only to the Internet Server Configuration.

         • Unbound — Indicates that the zone is added only to the Unbound Server Configuration.

         • Both — Indicates that the zone is added to the Internet Server Configuration and to the Unbound
           Server Configuration.



         • DNS Zone — Specify the DNS zone to associate with the name server.

         • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS
           zone.

      • Unbound Server Configuration — Use this tab to specify configuration settings for the unbound name
        server. The unbound name server is available for use by all internal burbs. The following fields and buttons
        are available on this tab:

         • Enable server — Determines whether the unbound name server is enabled. This checkbox is selected
           by default. If you disable the name server by clearing the checkbox, only connections that use IP
           addresses will continue to work; connections that use host names will not.
             Caution: If you disable both the unbound server and the Internet server, connections will work only if
             they use IP addresses rather than host names. Mail will not work, and other errors will occur as other parts
             of the system attempt to access the network by name.

         • Enable notify — Determines whether the master name server will notify all slave servers when the
           zone file changes. The notification indicates to the slaves that the contents of the master have changed
           and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox,
           the following fields are available:

             • Yes — Indicates that the slave servers will be notified about zone file changes.

             • No — Indicates that the slave servers will not be notified about zone file changes.

         • Forwarders — Specify external name servers to which to forward queries that cannot be answered
           on the firewall. You can reposition a row in this table by highlighting the row and clicking either the
           (move up) or       (move down) buttons.

         • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether
           the name server will attempt to contact the root server if the Forwarders cannot answer the query.
           This checkbox is selected by default. This indicates that queries will be directed only to the selected
           forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders.
           If they cannot answer the query, the name server then attempts to contact the root server.

         • Forward to Internet Server first — Determines whether queries that cannot be answered on the
           firewall are forwarded to the Internet server before they are forwarded to selected forwarders. This
           checkbox is cleared by default. If this checkbox is selected, queries will be forwarded first to the
           Internet server.

         • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all
           requesters are authorized.

             If you do not specify any values in this field, on apply, the following values are added to the
             named.conf.u file:

             • allow-recursion (any; ); — For firewall versions 7.0.0.08 and later and versions 7.0.1.02 and later

             • allow-query-cache (any; ); — For firewall versions 7.0.1.02 and later

         • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only
           for master zones. If this field is left blank, updates are not allowed from any host.

         • Dump-File — Specify the path name of the file to which the name server dumps the database when
           instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db.
           (rndc is the remote name daemon control program.)

         • Statistics File — Specify the path name of the file to which the name server appends statistics when
           instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is
           located in the current directory of the name server.




• Internet Server Configuration — Use the fields on this tab to specify configuration settings for the
  Internet name server. The Internet name server is bound to the Internet burb. The following fields and
  buttons are available on this tab:

   • Enable server — Determines whether the Internet name server is enabled. This checkbox is selected
     by default. If you disable the Internet name server by clearing the checkbox, external connections that
     require host names will not work unless the name is already cached in the database of the unbound
     name server. Connections that use IP addresses will work. E-mail will be placed in a queue because IP
     addresses cannot be resolved.
       Caution: If you disable both the unbound server and the Internet server, connections will work only if
       they use IP addresses rather than host names. Mail will not work, and other errors will occur as other parts
       of the system attempt to access the network by name.

   • Enable notify — Determines whether the master name server will notify all slave servers when the
     zone file changes. The notification indicates to the slaves that the contents of the master have changed
     and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox,
     the following fields are available:

       • Yes — Indicates that the slave servers will be notified about zone file changes.

       • No — Indicates that the slave servers will not be notified about zone file changes.

   • Forwarders — Specify external name servers to which to forward queries that cannot be answered
     on the firewall. You can reposition a row in this table by highlighting the row and clicking either the
     (move up) or       (move down) buttons.

   • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether
     the name server will attempt to contact the root server if the Forwarders cannot answer the query.
     This checkbox is selected by default. This indicates that queries will be directed only to the selected
     forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders.
     If they cannot answer the query, the name server then attempts to contact the root server.

   • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all
     requesters are authorized.

   • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only
     for master zones. If this field is left blank, updates are not allowed from any host.

   • Dump-File — Specify the path name of the file to which the name server dumps the database when
     instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db.
     (rndc is the remote name daemon control program.)
   • Statistics File — Specify the path name of the file to which the name server appends statistics when
     instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is
     located in the current directory of the name server.
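The Server Configuration settings described for the hosted single server and for both servers of the hosted split configuration map onto BIND-style named.conf statements. The added Python example below (not Control Center's own generator, and not the exact file it writes) renders those statements from the tab's settings and lists the settings that widen exposure. What it takes from the guide: a blank allow-query authorizes every requester and, for the unbound server on the listed firewall versions, adds allow-recursion (any; ) on apply; a blank allow-transfer allows no host; a cleared Forward only sends unanswered queries on to the root servers; and the named_dump.db and named.stats defaults. The class name NameServerSettings and the function names are the example's own, and the internet_facing flag is the example's way of distinguishing the Internet server from the unbound server.

```python
"""Render the DNS Server Configuration tab as BIND-style named.conf statements
and audit the settings for exposure.  Added example, not Control Center code;
the output is an illustration of the settings' meaning, not the product's file."""

from dataclasses import dataclass, field
from typing import List


@dataclass
class NameServerSettings:
    enable_notify: bool = False            # Enable notify checkbox (cleared by default)
    forwarders: List[str] = field(default_factory=list)
    forward_only: bool = True              # Forward only checkbox (selected by default)
    allow_query: List[str] = field(default_factory=list)
    allow_transfer: List[str] = field(default_factory=list)
    dump_file: str = "named_dump.db"       # default named in the guide
    statistics_file: str = "named.stats"   # default named in the guide


def _acl(entries: List[str], empty_means: str) -> str:
    """Format an address-match list; `empty_means` is what a blank field stands for."""
    return "{ " + "; ".join(entries or [empty_means]) + "; }"


def render_options(s: NameServerSettings, add_recursion_any: bool = True) -> str:
    """named.conf options block for one server.  add_recursion_any mirrors the
    guide's note that allow-recursion (any; ) is added when allow-query is blank."""
    lines = ["options {"]
    if s.forwarders:
        lines.append("    forwarders { " + "; ".join(s.forwarders) + "; };")
        # Forward only selected: never fall back to the root servers.
        lines.append("    forward only;" if s.forward_only else "    forward first;")
    lines.append(f"    notify {'yes' if s.enable_notify else 'no'};")
    lines.append(f"    allow-query {_acl(s.allow_query, 'any')};")
    if not s.allow_query and add_recursion_any:
        lines.append("    allow-recursion { any; };")
    lines.append(f"    allow-transfer {_acl(s.allow_transfer, 'none')};")
    lines.append(f'    dump-file "{s.dump_file}";')
    lines.append(f'    statistics-file "{s.statistics_file}";')
    lines.append("};")
    return "\n".join(lines)


def audit(s: NameServerSettings, internet_facing: bool) -> List[str]:
    """Review findings for one server's tab; an empty list means nothing to report."""
    findings: List[str] = []
    if not s.allow_query:
        findings.append("allow-query is blank: all requesters are authorized and "
                        "allow-recursion { any; } is added on apply")
        if internet_facing:
            findings.append("blank allow-query on the Internet server lets any Internet "
                            "host use the resolver; list only the hosts that need it")
    if s.forwarders and not s.forward_only:
        findings.append("Forward only is cleared: queries the forwarders cannot answer go "
                        "to the root servers, so outbound DNS is not confined to the forwarders")
    if "any" in s.allow_transfer:
        findings.append("allow-transfer contains 'any': every host can pull the whole zone")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not values from the guide.
    defaults = NameServerSettings()
    restricted = NameServerSettings(enable_notify=True, forwarders=["192.0.2.53"],
                                    allow_query=["10.0.0.0/8"], allow_transfer=["10.0.0.2"])
    for name, cfg, facing in (("defaults", defaults, True), ("restricted", restricted, False)):
        print(f"--- {name} ---")
        print(render_options(cfg))
        for finding in audit(cfg, internet_facing=facing):
            print("finding:", finding)
```

Run against the tab defaults (all lists blank) the audit reports the open allow-query; with explicit query and transfer lists and Forward only left selected it reports nothing, which is the configuration to aim for on the Internet server.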

       To read specific information directly from the firewall, use the Firewall Retrieval Options window.
       The Configuration Tool has two ways to read configuration information directly from the firewall, to
       normalize the data, and to store this information in the database:
       • When the firewall is initially created, identify and retrieve a user-selected set of retrieval objects by
         using the Retrieval Item tab on the Add New Firewall window.
       • After a firewall has been created, identify and retrieve a user-selected set of retrieval objects.
         Right-click the firewall object and click Retrieve Firewall Objects, which displays the Firewall
         Retrieval Options window.




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                        195
Firewall window: Certificates area
      Use the Certificates area on the Firewall window to configure certificate server settings, view available
      firewall certificates, assign certificates to server services, and manage Secure Shell (SSH) keys. Also use
      this page to perform such actions as creating, importing, exporting, and deleting certificates and SSH keys.
      Figure 62 Firewall window: Certificates area




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click a supported firewall object. The Firewall window is displayed.

      4 Select the Certificates node. The Certificates area is displayed.

      Tabs
      This area has the following tabs:
      • Firewall Certificates — View the status of the firewall certificates. For more information, see Firewall
        Certificates tab on page 196.

      • SSH Keys — Manage the SSH keys for this firewall. For more information, see SSH Keys tab on page 197.

      • Settings — Configure certificate server settings and assign certificates to server services. For more
        information, see Settings tab on page 199.

      Firewall Certificates tab
      The Firewall Certificates tab displays the list of firewall certificate names and the status of those certificates.
      You can filter this list by selecting the appropriate value in the Status list at the bottom left corner of this
      tab. To view the fields on this tab, see Figure 62 on page 196.
      This tab has the following fields:
      • Name — [Read-only] Displays the names of firewall certificates in the table.

      • Status — [Read-only] Displays the status of the associated firewall certificates in the table.

      • Status — Specify the status by which the list of firewall certificates is filtered for display. Select one of
        the following values:

         • ALL — Displays all firewall certificates.

         • Pending — Displays requested certificates by using the Manual PKCS10 signing mechanism. This
           status can occur in the following circumstances:

            • PKCS10 is used and a certificate has not been provided.

            • A Certificate Authority (CA) signed certificate is used and the certificate has not yet been retrieved
              from the Certificate Authority.

         • Completed — Displays certificates that have been received from the certificate server.

         • Revoked — Displays certificates for which a request has been rejected by Netscape CAs or CAs that
           support Simple Certificate Enrollment Protocol (SCEP).

Use the buttons on the right side of the Certificates area to perform the following actions:
• Add Certificate — Displays the Certificate Request Wizard, with which you can create a new certificate
  or import an existing certificate. The certificate will be added to the list of firewall certificates that are
  displayed on this page. For more information, see Creating certificates or importing them into the
  certificate database on page 515.

• Load Certificate — [For Manual PKCS10 certificate requests only] Displays the Load Certificate wizard,
  in which you can import a certificate. For more information, see Loading certificates on page 522.

• Retrieve Certificate — For a certificate request that has been submitted to be signed by a CA, start a
  query of the CA to determine whether the certificate has been approved.

• Certificate Details — Displays the Certificate Manager window, in which you can view information about
  a selected certificate. Information includes such details as the certificate name, distinguished name,
  domain name, signature type (for example, RSA), and status (for example, Completed, CA Signed).

• Export Certificate — Displays the Export Certificate wizard, in which you can export a certificate and
  private key to a file. For more information, see Exporting certificates on page 519.

• Delete Certificate — Delete a certificate from the list of firewall certificates.
   Note: If the selected certificate is being used by VPN, an application defense, or other firewall component, it
   cannot be deleted.

SSH Keys tab
Use the SSH Keys tab to manage the SSH keys for this firewall.
Figure 63 Firewall window: Certificates area: SSH Keys tab

Accessing this tab
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click a supported firewall object. The Firewall window is displayed.

      4 Select the Certificates node. The Certificates area is displayed.

      5 Select the SSH Keys tab.

      Fields and buttons
      This tab has the following fields:
      • Name — [Read-only] Displays the name of the SSH key. Note that Default_RSA_Key and
        Default_DSA_Key are reserved words for the firewall. You cannot add or delete these keys. However, you
        will see these keys in this tab when you retrieve from the firewall for the first time.

      • SSH Fingerprint — [Read-only] Displays the SSH fingerprint of the public key that is associated with this
        SSH key. The fingerprint is a hashed (shortened) version of the host key to make it easier for you to
        compare keys.

      • Signature Type — [Read-only] Displays the type of standard digital signature that is used when this SSH
        key is generated or verified. Valid values are:

         • RSA — Indicates an RSA public key and private key pair.

         • DSA — Indicates a Digital Signature Algorithm (DSA) key pair.
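The SSH Fingerprint column is a hash of the key's binary (wire-format) blob, not of the text line. The following added example, which is not code from the guide or from the firewall, shows how an administrator can compute the legacy MD5 and the OpenSSH SHA256 fingerprint of a public key in order to compare it against what the tab displays. The RSA key it builds is constructed inline from small parameters and is not a real host key; parse and fingerprint work for DSA keys as well.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (extra 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> [comment]' line from RSA parameters.
    Constructed test data only; a real host key has a 2048-bit or larger modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_public_key_line(line: str):
    """Return (key_type, blob) from an OpenSSH public-key line (RSA or DSA).
    The type name stored inside the blob must match the prefix on the line;
    otherwise the line has been corrupted or edited."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line prefix")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint: MD5 of the blob as 16 colon-separated hex bytes.
    Shown only for comparison with older clients; hashlib.md5 may be unavailable
    on a host that runs with FIPS 140-2 enforcement enabled."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 6.8+ fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints_match(presented: str, expected: str) -> bool:
    """Case-insensitive comparison of the fingerprint a client shows against the
    one recorded from the SSH Keys tab; a mismatch means a different key."""
    return presented.strip().lower() == expected.strip().lower()


if __name__ == "__main__":
    # Constructed sample key (small modulus for readability, not a real key).
    sample = build_rsa_public_key_line(65537, (1 << 255) | 0x1234567, "firewall-host-key")
    key_type, blob = parse_public_key_line(sample)
    print(key_type, md5_fingerprint(blob), sha256_fingerprint(blob))
```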

      Use the buttons on the right side of the SSH Keys tab to perform the following actions:
      • Add — Displays the Add SSH Key window, in which you can add a new SSH key.

      • Import — Displays the Import SSH Key window, in which you can import the SSH key directly from a file
        or from pasted text.

      • Export — Displays the Export SSH Key window in which you can export the highlighted SSH key directly
        to a file or display it on the SSH Keys window.

      • Delete — Delete the highlighted SSH key from the list of SSH keys.

Settings tab
 Use the Settings tab to configure certificate server settings and assign certificates to server services.
Figure 64 Firewall window: Certificates area: Settings tab




 This tab has the following fields:
 • Certificate Server Options — Use the fields in this area to configure settings that are associated with
   the certificate server. The following fields are available:

    • LDAP — Use the fields in this area to configure LDAP settings. The following fields are available:

        • Use LDAP to search for Certificates — Determines whether the firewall cluster will attempt to
          retrieve certificates and CRLs (certificate revocation lists) from an LDAP server. This checkbox is
          cleared by default. When this option is selected, the following fields are available:

        • Server Address — Specify the IP address of the LDAP server.

           To search for objects, use the filter field to control the number of objects that are displayed. To limit
           the search to exact matches of a specified sequence of characters that appears anywhere in the
           object name, specify one or more characters and press Enter. To perform an advanced search for
           an object, click (Advanced search).

           To view a list of objects that you can add, click (Add).

        • Server Port — Specify the port number on which the LDAP server listens. The port number is 389
          by default; however, the server can be configured to listen on other ports.

        • Timeout (sec.) — Specify the maximum amount of time (in seconds) that the certificate
          management daemon will wait while performing an LDAP search. Acceptable values range from 0
          to 3600. The default value is 60.
         • Key Server — Use the fields in this area to configure settings associated with keys.

             • Maximum Validated Cache Size — Specify the maximum number of validated keys that will be
               stored in cache memory. Caching validated keys can increase system performance. Acceptable
               values range from 0 to 500. A value of 0 indicates that keys will not be cached. The default value is
               100.

             • Certificate Key Cache Lifetime (min.) — Specify the maximum amount of time that a certificate
               can remain in the validated key cache before it must be re-validated. Acceptable values range from
               0 to 360. A value of 0 indicates that certificate keys must be re-validated with each use.
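How the two Key Server settings interact (a size bound, a lifetime, and the special meaning of 0 for either) can be seen in a small model. This is an added example, not the firewall's own code; the validate callback it takes is a stand-in for the real certificate check, and only successful validations are cached so that a key that failed is checked again on its next use.

```python
import time
from collections import OrderedDict
from typing import Callable, Optional


class ValidatedKeyCache:
    """Model of the Key Server settings on the Settings tab.

    max_size     -> 'Maximum Validated Cache Size' (0-500; 0 = keys are never cached)
    lifetime_min -> 'Certificate Key Cache Lifetime (min.)' (0-360; 0 = re-validate
                    on every use)
    """

    MAX_SIZE_LIMIT = 500
    MAX_LIFETIME_LIMIT = 360

    def __init__(self, max_size: int = 100, lifetime_min: int = 0,
                 clock: Optional[Callable[[], float]] = None) -> None:
        if not 0 <= max_size <= self.MAX_SIZE_LIMIT:
            raise ValueError("max_size must be between 0 and 500")
        if not 0 <= lifetime_min <= self.MAX_LIFETIME_LIMIT:
            raise ValueError("lifetime_min must be between 0 and 360")
        self.max_size = max_size
        self.lifetime_sec = lifetime_min * 60
        self._clock = clock or time.monotonic      # injectable for testing
        self._entries = OrderedDict()              # key id -> time it was validated
        self.validations = 0                       # how often the full check ran

    @property
    def caching_enabled(self) -> bool:
        # Either setting at 0 means every use goes through full validation.
        return self.max_size > 0 and self.lifetime_sec > 0

    def is_valid(self, key_id: str, validate: Callable[[str], bool]) -> bool:
        """Return the validation result for key_id, using the cache when allowed."""
        now = self._clock()
        if self.caching_enabled:
            validated_at = self._entries.get(key_id)
            if validated_at is not None:
                if now - validated_at < self.lifetime_sec:
                    self._entries.move_to_end(key_id)   # mark as most recently used
                    return True
                del self._entries[key_id]               # lifetime exceeded: re-validate
        ok = validate(key_id)
        self.validations += 1
        if ok and self.caching_enabled:                 # negative results are not cached
            self._entries[key_id] = now
            self._entries.move_to_end(key_id)
            while len(self._entries) > self.max_size:
                self._entries.popitem(last=False)       # evict least recently used
        return ok
```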

         • CRL — Use the fields in this area to configure settings associated with Certificate Revocation Lists
           (CRLs). The following fields are available:

             • Perform CRL Checking — Determines whether CRL checking is enabled. This checkbox is selected
               by default. If this checkbox is cleared, CRL lists will not be consulted when validating certificates.

             • CRL Retrieval Interval: — Specify the frequency at which a Certificate Authority (CA) is queried
               to retrieve a new CRL.

         • Audit Level — Specify the level of auditing to be performed on the specified certificate server. The
           following values are available:

             • Error — Log major errors only.

             • Normal — Log major errors and informational messages. This is the default value.

             • Verbose — Log information that is useful in detecting configuration issues.

             • Debug — Log all errors and informational messages and also logs debugging information.

      • Application Defense Settings — Use the field in this area to specify HTTPS application defense settings
        for this certificate. The following field is available:

         • Default HTTPS Certificate — Specify the SSL certificate that will be used to decrypt HTTPS traffic.
           This certificate will be used by default for the HTTPS application defense. For more information, see
           HTTPS Application Defense window: General tab on page 371.

      • Common Access Card Configuration — [Available only for firewall version 7.0.1.02 and later] Use the
        fields in this area to specify the Common Access Card (CAC) authenticator and CAC Webserver certificate
        that are used to authenticate users when using a CAC to access the firewall. The following fields are
        available:

         • CAC Authenticator — Specify the CAC authenticator for this firewall. The default value is <None>.
           You can also edit an existing authenticator or add a new one by following these instructions.

             To edit an existing object, first select the object in the list, and then click (Edit selected). The
             respective object window is displayed.

             To add a new object, click (Add). The respective object window is displayed.

         • Webserver SSL Certificate — Specify the certificate that the CAC Webserver will present to a CAC
           user’s Web browser for the SSL session. If you select a CAC authenticator, you must specify the SSL
           certificate.

      • SSL Certificates — Use the fields in this area to specify the list of server services and their currently
        assigned SSL certificates.

         • Server — [Read-only] Displays the server services to which you can assign new SSL certificates.

         • SSL Certificate — Displays the name of the certificate currently assigned to the associated server
           service. This certificate is the default certificate or a self-signed, RSA/DSA firewall certificate. You can
           select a different SSL certificate from the list.

Firewall window: Miscellaneous area
Use the Miscellaneous area to define a common group of features that can be applied to this firewall. As an
alternative, you can use the settings from the Global Settings object that were defined in the Global
Settings window by selecting Apply Global Settings.
Figure 65 Firewall window: Miscellaneous area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Firewalls node to display the list of firewalls.

3 Double-click a supported firewall object. The Firewall window is displayed.

4 Select the Miscellaneous node. The Miscellaneous area is displayed.

Fields and buttons
The Global Settings, Firewall Settings Objects, and Policy Objects areas have the following buttons:
• (Edit) — After you select a value in the list, click this button to edit the value in the respective
    window. Each field description below includes the name of the window that is displayed when this button
    is clicked.

• (Add) — Click this button to the right of the object that you want to create. The window for this
    object is displayed, in which you can configure the new object. Each field description below includes the
    name of the window that is displayed when this button is clicked.
      • Global Settings — Use the fields in this area to select the global setting to apply to this firewall.

         • Apply Global Settings — Determines whether global settings are applied to the selected firewall. This
           checkbox is selected by default. If you have previously defined a Global Settings object in the Global
           Settings window, you can select it from the list. Clear the Apply Global Settings checkbox to use the
           other fields and buttons in the Miscellaneous area to define global settings to be associated with the
           selected firewall.

      • Firewall Settings Objects — Use the fields in this area to select a variety of previously defined
        configuration objects. You can view these objects in the Firewall Settings group bar of the Configuration
        Tool. The following fields are available:

         • Network Defense — Display the network defenses that have been defined on the system. Specify the
           network defense to apply to a firewall. (See Configuring network defense audit reports on page 279.)

         • Server and Service Settings — Display the server and service settings that have been defined on
           the system. Specify the server and service configuration to apply to a firewall. (See Managing servers
           and service configurations on page 291.)

         • IPS Signature Browser — Display the IPS Signature Browser objects that have been defined on this
           system. Specify the IPS signature object to apply to a firewall. (See Viewing and managing IPS
           signatures by using the IPS Signature Browser on page 302.)

         • Virus Scan — Display the virus scanning properties that have been defined on the system. Specify the
           virus scan configuration to apply to a firewall. (See Virus scanning on page 308.)

         • TrustedSource — Display the TrustedSource configurations that have been defined on this system.
           Specify the TrustedSource configuration to apply to a firewall. (See Configuring TrustedSource settings
           for rules and mail filtering on page 305.)

         • Third-Party Updates — Display the defined update schedules for downloading and installing IPS
           signature updates, anti-virus signature files, and Geo-Location updates that have been defined on the
           system. Specify the update schedule to apply to a firewall. (See Configuring third-party update
           schedules on page 326.)

         • Scheduled Jobs — Display the Scheduled Jobs window, in which you can view the scheduled jobs that
           have been defined on the system and apply them to a firewall. (See Scheduling jobs on page 322.)

         • Package Load — Display the package load configurations that have been defined on the system.
           Specify the configuration to use to check for and load packages to install on a firewall. (See Establishing
           a schedule to check for software updates on page 331.)

      • Policy Objects — Use the fields in this area to select a variety of previously defined configuration objects.
        You can view these objects in the Policy group bar of the Configuration Tool. The following fields are
        available:

         • Internet burb — Display the burbs that have been defined on the system. Specify the single burb that
           communicates directly with the Internet. (See Configuring burbs on page 341.)

         • Default application defense group — Display the application defense groups that have been defined
           on the system. Specify the application defense group to apply, by default, in new rules for a firewall.
           (See Configuring application defense groups on page 418.)

         • Password Authenticator — Display the password authenticators that have been defined on the
           system. Specify the password authenticator to apply to a firewall. (See Configuring password
           authenticators on page 426.)

         • Passport Authenticator — Display the passport authenticators that have been defined on the
           system. Specifies the passport authenticator to apply to a firewall. (See Configuring passport
           authenticators on page 428.)

• Reputation Threshold — Use the fields in this area to perform TrustedSource™ reputation service
  filtering and specify an associated setting.

   • Perform TrustedSource filtering on inbound mail — Determines whether TrustedSource is used
     to reduce the amount of spam that reaches an organization's in-boxes. This value is cleared by default.
     If you select this checkbox, use the associated field to specify a value that is used to distinguish
     legitimate senders of e-mail from untrustworthy ones. Values range from 0 to 120. The default value
     is 80. Messages from senders with reputation scores above the selected reputation threshold value are
     rejected. Trustworthy senders receive low scores, and untrustworthy senders receive high scores.
     Values are associated with TrustedSource reputation classes. See the help topic for the Global Settings
     window for information about the reputation classes.

• Lockout Threshold — Use the fields in this area to enable lockout and specify an associated setting.

   • Enable lockout — Determines whether a user whose account reaches a specified authentication
     attempt threshold is locked out until the lock is cleared by an administrator. This value is cleared by
     default. If you select this checkbox, you can specify the number of failed login attempts that can occur
     for a single user account before the user is locked out of the firewall.

• Uninterruptible Power Supply (UPS) — [Available for all firewall versions except 7.0.1.00 and
  7.0.1.01] Use the fields in this area to enable UPS and specify associated settings. The following fields are
  available:

   • Enable UPS — Determines whether a UPS device is enabled for a firewall. This checkbox is cleared by
     default. If you select this checkbox, the following fields are available:

       • Serial Port — Specify the serial port that is connected to the UPS. Available values are COM1 and
         COM2. The default value is COM1.

       • Battery Time (sec) — Specify the number of seconds that the UPS battery will last before its power
         is considered to be low. The default value is 900.

          If UPS is enabled and a power outage occurs, the firewall monitors the UPS and performs an orderly
          shutdown when the power of the UPS battery begins to be low.

• Other Settings — Use the fields in this area to specify the following settings:

   • Enforce U.S. Federal Information Processing Standard 140-2 — Determines whether the
     requirements of the FIPS 140-2 standard are applied to a firewall. This standard specifies security
     requirements for cryptographic modules. This value is cleared by default.

   • Delete home directory upon deletion of user — Determines whether a user's home directory is
     deleted automatically when the user account is deleted. This value is cleared by default.

   • Blackhole source IP if attack IP cannot be confirmed (responses) — Determines whether a
     source IP address is blackholed when the related audit message does not have an Attack IP field. This
     value is cleared by default. If you select this checkbox, connections from the IP address originating the
     attack will not be accepted.

   • Enforce health monitor auditing — Determines whether audit data on the system's health status
     are generated and statistics about network and system utilization are recorded. This checkbox is
     selected by default.

   • Allow Secure Alerts to be sent to Control Center — Determines whether Secure Alerts are allowed
     to be sent by this firewall to the Control Center Management Server.

       To configure the alerts, you must also go to the IPS Attack Response window or the System
       Response window and select the Send Secure Alert checkbox.

Firewall window-related tasks
      By selecting buttons on various areas of the Firewall window, you can access other windows, in which you
      can configure related information. The following tasks are available in this section:
      • General Settings area

         • Converting network objects in rules for the IPv6 protocol on page 204 (on a 7.0.1 or later version
           of the firewall)

      • Interfaces area

         • Configuring a network interface (for firewalls and cluster members) or a transparent interface (for
           firewalls) on page 206

         • Configuring NIC groups on page 210

      • DNS area

         • Configuring transparent DNS server objects on page 211


      Converting network objects in rules for the IPv6 protocol
      Use the IPv4 Rule Conversion window to convert ANYWHERE network objects in existing IPv4 rules to
      ANY_IPv4 network objects. You can also choose not to change the ANYWHERE objects.

      Note: This window is displayed only the first time that you enable IPv6 on any firewall in a configuration
      domain—that is, it is a global, configuration domain-wide change. If you decide not to convert the ANYWHERE
      objects in this window and change your mind about this later, use the Search and Replace window to replace
      these objects or other network or service objects. For more information, see Replacing objects in rules on
      page 541.

      To convert the ANYWHERE object, you must have the following user permissions:
      • Access to all firewalls

      • Ability to update rules

      • Ability to update system objects

      • Ability to access privileged objects
      Figure 66 IPv4 Rule Conversion window
Accessing this window
1 In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node.

2 Double-click a firewall in the tree. The Firewall window for the selected firewall is displayed.

3 Make sure that the General Settings area is displayed. Select Enable IPv6. If you have the correct user
   permissions, the IPv4 Rule Conversion window is displayed. Otherwise, an error message is displayed,
   indicating that you do not have the correct permissions. Contact your system administrator to obtain
   these permissions.

Fields and buttons
This window has the following fields and buttons:
• Convert ANYWHERE rules to ANY_IPv4 — Indicates that the ANYWHERE network objects in your
  existing IPv4 rules will be converted to ANY_IPv4. Select this option to perform the conversion. Only IPv4
  traffic can be sent to or received from ANY_IPv4 network objects.

   After this conversion is performed and you apply a rule to a firewall that either does not support IPv6
   or that does not have it enabled, the ANY_IPv4 object will be applied as an ANYWHERE object.
   Note: After you go forward with this selection, if you change your mind and decide that you would rather have
   ANYWHERE objects, use the Search and Replace window to change the network objects.

• Leave ANYWHERE rules as they are — Indicates that the ANYWHERE network objects in your existing
  rules will not be converted to ANY_IPv4. This means that ANYWHERE will apply to both IPv4 and IPv6
  objects.

• OK — Save the changes. If you selected to convert ANYWHERE to ANY_IPv4, your rule conversion will not
  occur until you click OK in the Firewall window.

• Cancel — Close this window without enabling IPv6. If you change your mind about enabling IPv6, you
  should also clear the Enable IPv6 checkbox on the General Settings area of the Firewall window.
  Otherwise, the IPv4 Rule Conversion window will be displayed again when you click OK in the Firewall
  window.

      Configuring a network interface (for firewalls and cluster members) or a transparent
      interface (for firewalls)
      Use the Firewall Interface window to create or modify configuration information for a network interface on a
      firewall or on a cluster member.
      Figure 67 Firewall Interface window for a non-transparent interface




      Accessing this window
      1 In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node.

      2 For firewalls, select the Firewalls node.
         or
         For cluster members, select the Clusters node, and then select a cluster node.

      3 Double-click a firewall or cluster member in the tree or right-click the object and select Edit Object. For
         firewalls, the Firewall window for the selected firewall is displayed.
         or
         For cluster members, the Firewall Cluster Member window is displayed.

      4 Select the Interfaces node. The Interfaces area is displayed.

      5 Click Advanced.... The Firewall Interface window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify the name of the network interface. You can use alphanumeric characters, dashes (-),
  and underscores (_).

• Enable interface — Determines whether the network interface is enabled on the firewall.

• Description — Specify a description for this interface.

• Interface type — Use the fields in this area to specify the type of network interface and an ID if VLAN
  is selected. The following fields are available:

   • (Interface type) — Specify the type of network interface. The following values are available:

       • Standard — Indicates a standard interface.

       • DHCP — (Dynamic Host Configuration Protocol) Indicates that this interface will centrally manage
         IP addresses within your network. You cannot specify DHCP for an interface that is being used in a
         high availability (HA) cluster.

       • Transparent — [Available only for firewall versions 7.0.1.02 and later] Indicates a transparent
         interface.

       • VLAN ID — (Virtual Local Area Network) Indicates a virtual interface that allows administrators to
         segment a LAN into different broadcast domains regardless of the physical location.

   • ID — [Available only if VLAN is selected in the Interface Type field] Specify the ID for the VLAN
     interface. Valid values are between 1 and 4094.

• Address — Use the fields in this area to define information about the address for this network interface.
  The fields in this area are not available if DHCP is selected as the Interface Type value.

   • Burb — Specify the burb for the network interface.

       To edit an existing object, first select the object in the list, and then click (Edit selected). The
       respective object window is displayed.

       To add a new object, click (Add). The respective object window is displayed.

   • IP address — Specify the unique IP address of the interface. This value must be a valid IPv4 address
     in dotted quad format.

   • Mask — Specify the netmask length for this IP address.

   • Alias addresses — Use the fields in this area to add, edit, or delete alias addresses. Alias addresses
     are used in Multiple Address Translation (MAT). You can add alias addresses to a network interface for
     the following purposes:

       • To consistently map specific IP aliases on another interface to specific logical networks connected
         to this interface when you want to hide addresses.

       • To accept connection requests for any defined alias.

       • To communicate with more than one logical network without a router.

       • To allow DNS to resolve different domains to each host address when you have more than one
         address on the same network.

       The fields in this area are not available if DHCP is selected as the Interface Type field value.

       • Alias address — Specify the unique IP address of the alias to be associated with this network
         interface. This value must be a valid IPv4 address in dotted quad format.

        • Mask — Specify the netmask length for this IP address.

        • Delete — Click x (Delete) in the row to be deleted. The alias address is deleted from the firewall.

      • Quality of Service profile — [Available for Standard and DHCP interface types only] Specify the Quality
        of Service (QoS) profile to associate with this network interface. Each QoS profile contains one or more
        queues that allow you to prioritize network performance based on network traffic type. You can define
        QoS profiles in the Quality of Service window. The default value is <None>.
         Note: For the 7.0.1 version and later versions of the firewall, you cannot select a profile that contains any of
         the following characters: dash (-), period (.), or underscore (_).

         To edit an existing object, first select the object in the list, and then click (Edit selected). The
         respective object window is displayed.

         To add a new object, click (Add). The respective object window is displayed.

         QoS profiles are not supported on VLANs.

      • NIC or NIC Group — [Not available for transparent interfaces] Specify the list of NICs and NIC groups
        that are currently managed by this firewall. Select a name or select <None>, which indicates that this
        interface is not part of a NIC group.

      • Bridged interfaces — [Available only if this is a transparent interface] Use the fields in this area to add
        new bridge members to this bridge. A bridge can have only two members. The following fields are
        available:

         • (Add icon) — Displays the Firewall Interface window, in which you can add a new bridged (member)
             interface. Note that you cannot make address or MTU changes in this window. These changes must be
             made at the bridge (parent) level.

         • Use — Determines whether the bridge member is used in this bridge. Select or clear the checkbox to
           enable or disable the interface. Only two members can be selected.

         • Interface — [Read-only] Displays the name of the network, Virtual LAN (VLAN), or transparent (for
           firewall versions 7.0.1.02 and later) interface for this bridge member.

         • Burb — [Read-only] Displays the burb that is attached to this bridge member.
         • VLAN ID — [Read-only] Displays the VLAN identifier for this bridge member.

         • NIC/NIC Group — [Read-only] Displays the NIC or the NIC group for this bridge member.

      • MTU size (Bytes) — Specify the size of the Maximum Transfer Unit (MTU) for outgoing packets. The
        standard MTU is 1500 and the range is 576-1500. However, the upper limit of this range changes to 9000
        if the selected NIC has jumbo frame capability enabled.

      • ARP table cache size — [Available only for transparent interfaces] Specify the size of the address
        resolution protocol (ARP) bridge table. This table contains a list of MAC addresses so that the firewall can
        determine the NIC on which traffic is entering. Because of traffic, the table can potentially reach its
        capacity, which means that subsequent traffic will be dropped. Use this field to set the size high enough
        so that traffic will not be dropped. The range of values is 100–2048. The default value is 100.

      • Failover IP address — [Available for cluster interfaces only] [Read-only] Displays the common address for
        the cluster that is shared between all of the nodes in the cluster.




• Enable IPv6 on this interface — [Available only for firewall versions 7.0.1 and later and not available
  for cluster members or transparent interfaces] Determines whether IPv6 is enabled for this interface. A
  message is displayed, asking whether you want to continue with this configuration. Click Yes. The IPv4
  Rule Conversion window is displayed, in which you can indicate whether you want to convert your
  ANYWHERE network objects in rules. Make your selection and click OK. You are returned to the Firewall
  Interface window and the remaining IPv6-related fields are now available. For more information about the
  IPv4 Rule Conversion window, see Converting network objects in rules for the IPv6 protocol on page 204.

• IPv6 stateless auto address configuration — [Available only if Enable IPv6 on this interface is
  selected] Select a stateless auto-address configuration. The following selections are available:

   • Static — Indicates that the interface is assigned the link-local address plus any static addresses that
     you specify. The link-local address is automatically created whenever an interface becomes enabled.
     This is the default value.

   • Host mode — Indicates that the interface is assigned the link-local address plus any static addresses
     that you specify. It is also assigned auto-configured addresses derived by combining any prefixes that
     are received in router advertisements with the interface ID.

   • Router mode — Indicates that the interface is assigned the link-local address plus any static
     addresses that you specify. The firewall sends out router advertisements, either with prefixes in the
     rtadvd.conf file or with prefixes derived from the static addresses on the interface.
        Caution: Host mode and router mode should be used only if you want to use auto-configuration. If you use
        these modes, unexpected results can occur, such as the following examples:

        • A firewall with an interface that is configured in host mode can automatically add new IPv6 addresses to the
          interface that the user might not expect.

        • A firewall with an interface that is configured in router mode with static IPv6 addresses can, if the rtadvd.conf
          file is not modified, advertise prefixes derived from the static IPv6 addresses. This can result in unexpected
          addresses being added to IPv6 devices in the same network operating in host mode.

        Static configuration is the most suitable configuration for most firewalls. You should clearly understand the
        consequences of using host mode and router mode.

• IPv6 addresses — Use the fields in this area to specify and configure the order of IPv6 addresses. The
  following fields are available:

   • IPv6 Address — Specify an IP address to be associated with this interface. If you have more than one
     address in this table, use the up and down arrows to change the order of addresses.

   • Prefix — Specify the mask length for this IP address. Valid values are 0–128.
   • Delete — Click x (Delete) in the row of the IP address to be deleted.

   • Move up — Move the highlighted row up one row.

   • Move down — Move the highlighted row down one row.

• Interface ID — Use the field in this area to override the interface ID that has been automatically
  generated. The following field is available:

   • Manually override the default interface id — Determines whether to override the interface ID. The
     displayed 16-digit hexadecimal ID is derived from the NIC or NIC group’s MAC address and is used to
     generate the link-local address for the interface. Edit this ID as needed.

• OK — Save the information on this window, close this window, and return to the Interfaces area of the
  Firewall window.

• Cancel — Close this window without saving any changes.
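The Interface ID field above says the 16-digit ID is derived from the MAC address and is combined with the link-local prefix. The page does not name the derivation; the added example below (not McAfee code) assumes the conventional modified EUI-64 procedure of RFC 4291, Appendix A, shows how the link-local address is formed from either a derived or a manually overridden ID, and includes a helper that recovers the MAC an EUI-64 ID exposes, which is the usual reason for overriding it. The MAC address used is constructed.

```python
"""Derive an IPv6 interface ID and link-local address from a NIC's MAC address.

Assumption (not stated on the page): the ID is built with the modified EUI-64
procedure of RFC 4291, Appendix A. Sample MAC addresses are constructed.
"""
import ipaddress
from typing import Optional

HEX_DIGITS = set("0123456789abcdef")


def mac_to_interface_id(mac: str) -> str:
    """Return the 16-hex-digit modified EUI-64 interface ID for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    # Split the MAC after the OUI and insert 0xFFFE in the middle ...
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ... then invert the universal/local bit (0x02 of the first octet).
    eui64[0] ^= 0x02
    return eui64.hex()


def validate_interface_id(interface_id: str) -> str:
    """Check that a (possibly manually overridden) ID is exactly 16 hex digits."""
    iid = interface_id.lower()
    if len(iid) != 16 or set(iid) - HEX_DIGITS:
        raise ValueError("interface ID must be exactly 16 hexadecimal digits")
    return iid


def link_local_address(interface_id: str) -> str:
    """Combine the fe80::/64 prefix with the interface ID."""
    iid = validate_interface_id(interface_id)
    return str(ipaddress.IPv6Address(int("fe80" + "0" * 12 + iid, 16)))


def embedded_mac(interface_id: str) -> Optional[str]:
    """If the ID is in EUI-64 form, recover the MAC it exposes; otherwise None.

    Useful for inventory and for deciding whether to override the ID: an
    EUI-64-derived address reveals the hardware address to every IPv6 peer.
    """
    raw = bytearray.fromhex(validate_interface_id(interface_id))
    if raw[3:5] != b"\xff\xfe":
        return None
    raw[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in raw[:3] + raw[5:])


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"  # constructed sample MAC
    iid = mac_to_interface_id(mac)
    print(iid, link_local_address(iid), embedded_mac(iid))
```

An overridden ID such as 0000000000000001 yields fe80::1 and reveals nothing about the hardware; the derived form can be mapped straight back to the MAC, which is why asset inventories and address-exposure reviews should note which interfaces keep the automatic ID.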




Configuring NIC groups
      Use the NIC Group window to modify an existing NIC group or to add a new one. You can designate a
      primary and a standby NIC so that you can implement the redundant NIC functionality. If the link to the
      primary NIC in the NIC group is not active, the redundant NIC functionality is used.
      • The firewall verifies a link at the physical layer (layer 1). The firewall inspects the carrier detect status on
        the primary NIC in the NIC group. If the link is active, the primary NIC is used to pass traffic. If the link
        is not active, a failover event occurs and the standby NIC starts passing traffic.

         When the link for the primary NIC is active again, a failback event automatically occurs and the
         primary NIC starts passing traffic.

      • The firewall does not verify communication at the network layer with the next firewall. A failure in this
        part of the connection does not trigger a failover event.

      • There can be a delay before the standby NIC starts passing traffic while the switch or router recognizes
        the change and selects the appropriate port.

      • The NIC group uses the MAC address of the primary NIC no matter which NIC is actively passing traffic.
        The MAC address is used for communication at the data-link layer.
      Figure 68 NIC Group window
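The bullets above define the NIC-group behaviour precisely: failover and failback are driven only by carrier detect on the primary NIC, the group keeps the primary NIC's MAC address whichever NIC is active, and a layer-3 failure never triggers a failover. The following added model (not McAfee code; NIC names and MAC addresses are constructed) replays those rules over a link-loss scenario so the resulting event sequence can be checked, including the case where Standby NIC is left at <None>.

```python
"""Model of NIC-group redundancy as described for the NIC Group window.

Added illustration, not McAfee code. NIC names and MACs are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Nic:
    name: str
    mac: str
    link_up: bool = True  # carrier detect status (layer 1)


@dataclass
class NicGroup:
    name: str
    primary: Nic
    standby: Optional[Nic] = None  # <None>: redundancy not implemented
    events: List[str] = field(default_factory=list)

    @property
    def active(self) -> Nic:
        """NIC currently passing traffic."""
        if self.primary.link_up or self.standby is None:
            return self.primary
        return self.standby

    @property
    def mac(self) -> str:
        """The group always presents the primary NIC's MAC at the data-link layer."""
        return self.primary.mac

    def set_link(self, nic: Nic, up: bool) -> None:
        """Apply a carrier change and record any failover/failback it causes."""
        before = self.active.name
        nic.link_up = up
        after = self.active.name
        if before != after:
            kind = "failback" if after == self.primary.name else "failover"
            self.events.append(f"{kind}: {before} -> {after}")

    def next_hop_unreachable(self, nic: Nic) -> None:
        """A layer-3 failure leaves carrier up, so the active NIC does not change."""
        self.events.append(
            f"layer-3 failure on {nic.name} ignored; active stays {self.active.name}"
        )


def run_scenario(with_standby: bool = True) -> Tuple[List[str], str]:
    """Replay: primary carrier lost, next hop lost, primary carrier restored.

    Returns the recorded events and the group MAC observed during the outage.
    """
    em0 = Nic("em0", "00:1b:21:3c:4d:5e")  # constructed
    em1 = Nic("em1", "00:1b:21:3c:4d:5f")  # constructed
    grp0 = NicGroup("grp0", primary=em0, standby=em1 if with_standby else None)
    grp0.set_link(em0, False)
    mac_during_outage = grp0.mac
    grp0.next_hop_unreachable(grp0.active)
    grp0.set_link(em0, True)
    return grp0.events, mac_during_outage


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

Because the switch learns the same MAC on a different port after a failover, the only layer-2 evidence of the event is a MAC move; monitoring for that move on the switch side is a practical way to detect failovers that the firewall audit alone may not surface.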




      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click a firewall. The Firewall window is displayed.

      4 Select the Interfaces node in the tree and then select NICs/NIC Groups. The NICs/NIC Groups tab is
         displayed.

      5 Click Add. The NIC Groups window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — [Read-only] Displays the name of the NIC group that you are adding or modifying. This name
        is automatically generated and you cannot change it. A format of grpn is used, where n is 0 for the first
        group and then it is incremented for each subsequent group (for example, grp1, grp2, and so on).

      • Description — Specify a description for this NIC group.

      • Primary NIC — Specify the primary NIC in the NIC group. This list contains all of the firewall-specific
        NICs, plus <None>. If you select <None>, the Standby NIC field is disabled.

      • Standby NIC — Specify the standby NIC in the NIC group. This list contains all of the firewall-specific
        NICs except for the value selected for the Primary NIC, plus <None>. If you select <None>, the
        redundant NIC functionality will not be implemented.

      • OK — Save the changes in this window. Note that this group is not saved until you click OK in the Firewall
        window.



• Cancel — Close this window without saving any changes.

Configuring transparent DNS server objects
Use the Transparent DNS Servers window to add one or more transparent name servers.
Figure 69 Transparent DNS Servers window




Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.

2 For firewall configurations, select the Firewalls node to display the list of firewalls.
   or
   For cluster configurations, select the Clusters node to display the list of clusters.

3 For firewall configurations, double-click the firewall for which you are creating this object. The Firewall
   window is displayed.
   or
   For cluster configurations, double-click the cluster node for which you are creating this object. The Cluster
   window is displayed.

4 Select the DNS node in the tree on the left. The DNS area is displayed.

5 Make sure that Transparent is the value selected in the DNS Configuration field and click Add. The
   Transparent DNS Servers window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Burb — Specify the burb to which the name servers will be assigned.

• DNS Servers — Specify the name of a transparent name server. Servers can be ordered by using the
  move up and move down arrows.

• OK — Save the changes in this window. Note that this object will not be saved until you click OK in the
  Firewall window.

• Cancel — Close this window without saving any changes.




Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.

      4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is
         displayed with the SSH keys tab selected.

      5 Click Add. The Add SSH Key window is displayed.

      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.

      4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is
         displayed with the SSH keys tab selected.

      5 Click Import. The Import SSH Key window is displayed.

      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.

      4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is
         displayed with the SSH keys tab selected.

      5 Click Export. The Export SSH Key window is displayed.

      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.

      4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is
         displayed with the SSH keys tab selected.

      5 Click Export. The Export SSH Key window is displayed.

      6 Select the Export this key to the screen option and click OK. The SSH Key window is displayed.




Deleting firewall objects
Use the Delete Firewall window to remove a particular firewall object and all of the objects that reference
that firewall. No firewall object can be deleted before all of its dependencies are removed. If an object is
referenced by another firewall, it cannot be removed.
Figure 70 Delete Firewall window




Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node to display the list of firewalls.

      3 Right-click a supported firewall object and select Remove Object(s).
         or
         Press Delete. A confirmation message is displayed. Click Yes to continue.

         The Delete Firewall window is displayed only if there are dependent objects that are associated with
         this firewall object.

      Fields and buttons
      This window displays a tree hierarchy of dependent objects that are associated with the selected firewall
      object. This window has the following fields and buttons:
      • Delete firewall configuration backups — Determines whether the configuration backup files for this
        firewall will also be deleted when the firewall is deleted. The default value is cleared.

      • Delete all referencing objects — Determines whether to delete all of the objects that reference this
        firewall and that are not referenced by any other firewall. If an object is not referenced by any other
        firewall, this value is selected by default. If the object is referenced by another firewall, this checkbox is
        cleared by default and the firewall cannot be deleted. Referencing objects include the following values that
        are represented as nodes in the list of referencing objects: SW Firewall License, Packet Filter Rules, and
        SW Responses.

         To preserve an object that is currently marked for removal (that is, its checkbox is selected), clear its
         checkbox. If a checkbox is cleared and you cannot edit it, this indicates that this object is referenced
         by another firewall and it will automatically be preserved.

      • Details — Use the columns in this table to view the details of the object that is selected in the tree. The
        following columns are displayed:

         • Property — Displays the name of the property for the selected object.

         • Value — Displays the value of the property for the selected object.

      • Delete Firewall — Delete the firewall and all of the selected objects. Then click Close to close the
        window.

      • Close — Close this window. If you have not already clicked Delete Firewall, the selected firewall object
        will not be deleted.




McAfee Firewall Enterprise (Sidewinder) clusters




McAfee Firewall Enterprise (Sidewinder) clusters
       Control Center provides a straightforward, easy-to-use interface for managing McAfee Firewall Enterprise
       High Availability (HA) clusters. A firewall HA cluster consists of two firewalls that are configured in a
       particular way for high availability. Firewall HA clusters can be configured in one of the following modes:
       • Primary/Standby — In this configuration, one firewall, the primary, actively processes traffic. The
         standby acts as a "hot backup." If the primary becomes unavailable, the standby takes over and assumes
         the role of the primary only until the primary becomes available again. When the primary does become
         available, a takeover event occurs.

          Use this mode if you have firewalls that do not share the same hardware configuration.

       • Load-Sharing — In this active-active HA configuration, two firewalls actively process traffic in a
         load-sharing capacity. Both firewall network interfaces maintain their unique IP address, the shared
         cluster address, and any aliases assigned to the cluster. The firewalls are able to coordinate traffic
         processing on a single shared IP address by using a multicast Ethernet address. Each connection is
         handled by the same firewall. The communication to coordinate load-sharing passes between firewalls on
         the heartbeat burb.
          Use this mode only if both firewalls have the same hardware configuration (for example, CPU speed,
          memory, active NICs). This mode is the recommended configuration.

       • Peer-to-Peer HA — In this configuration, two firewalls are configured as standbys with the same
         takeover time. The first firewall to come online becomes the primary. Only the primary passes traffic. If
         the primary becomes unavailable, the peer, which is currently acting as the standby, takes over as the
         primary and remains the primary until it becomes unavailable. At that time, the other peer takes over
         again as the acting primary.

       The Control Center provides support for managing all of these modes.
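The three modes differ in who passes traffic and in what happens when a failed node returns: Primary/Standby hands the role back to the designated primary (a takeover event), Peer-to-Peer leaves it with whichever node currently holds it, and Load-Sharing keeps both nodes active. The added example below (not McAfee code; node names and the event sequence are constructed) replays one availability sequence through each mode so the difference is visible as data rather than prose.

```python
"""Which node (or nodes) passes traffic in each HA cluster mode, replayed
over a sequence of node availability events.

Added illustration, not McAfee code; node names and events are constructed.
"""
from typing import List, Optional, Tuple

PRIMARY_STANDBY = "Primary/Standby"
LOAD_SHARING = "Load-Sharing"
PEER_TO_PEER = "Peer-to-Peer HA"


def replay(mode: str, designated_primary: str,
           events: List[Tuple[str, str]]) -> List[List[str]]:
    """Return, after each (node, "up"|"down") event, the nodes passing traffic.

    Both nodes start unavailable, so the first "up" is the first node to come
    online. designated_primary only matters in Primary/Standby mode.
    """
    available: List[str] = []       # nodes currently up, in the order they came up
    acting: Optional[str] = None    # acting primary in the single-active modes
    history: List[List[str]] = []
    for node, state in events:
        if state == "up" and node not in available:
            available.append(node)
        elif state == "down" and node in available:
            available.remove(node)

        if mode == LOAD_SHARING:
            # Active-active: every available node processes traffic.
            history.append(list(available))
            continue
        if mode == PRIMARY_STANDBY:
            # The designated primary resumes the role as soon as it is back
            # (a takeover event); the standby only covers while it is down.
            if designated_primary in available:
                acting = designated_primary
            else:
                acting = available[0] if available else None
        elif mode == PEER_TO_PEER:
            # The first node online becomes primary and keeps the role until it
            # goes down; the peer then takes over and keeps it even after the
            # first node returns.
            if acting not in available:
                acting = available[0] if available else None
        else:
            raise ValueError(f"unknown HA mode {mode!r}")
        history.append([acting] if acting else [])
    return history


# Constructed scenario: fw1 boots first, fw2 joins, fw1 fails, fw1 returns.
SCENARIO = [("fw1", "up"), ("fw2", "up"), ("fw1", "down"), ("fw1", "up")]

if __name__ == "__main__":
    for mode in (PRIMARY_STANDBY, PEER_TO_PEER, LOAD_SHARING):
        print(mode, replay(mode, "fw1", SCENARIO))
```

The last step of the scenario is the one that matters operationally: after the original primary comes back, Primary/Standby moves traffic a second time while Peer-to-Peer does not, so the mode determines how many takeover events a single outage produces and therefore how many state-synchronisation windows an operator should expect to see in the audit.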


       Managing clusters
       Use the Control Center Configuration Tool to manage firewall HA clusters. The Configuration Tool
       accommodates management of the entire cluster and management of the particular nodes that are in the
       cluster. This allows a firewall security officer to perform such node-specific monitoring and control functions
       as running reports, shutting down the firewall, setting date and time, and licensing.
       In the Control Center, an HA cluster can be viewed as a single firewall. The reason is that for most
       configurations, one cluster node's configuration data is a replica of the other node's configuration data. A
       cluster object is created for every HA cluster in the Clusters group in the Firewalls group bar in the Object
       area. A cluster object expands to list all individual nodes that are part of the cluster. Individual nodes are
       called cluster node objects. You can view cluster configuration object data by double-clicking a cluster
       object to display the Cluster window. You can view cluster node object configuration data by double-clicking
       a node to display the Cluster Member window.
       Certain firewall features are associated with the cluster object and are synchronized within all nodes in a
       cluster. Other firewall features are associated with the cluster node objects and are specific to each node.

       Features that are synchronized within a cluster
       The following features are synchronized within all nodes in an HA cluster. Configuration support for these
       features is associated with the cluster object.
       • Policy Configuration (Rules)
       • Authentication
       • Groups
       • Proxies
       • Certificate Management
       • Services
       • System Responses
       • User Interface Access Control
       • Time Periods
       • Routing
       • Configuration Backup
       • SmartFilter
       • Network Defenses
       • VPN
       • Firewall Accounts
       • Servers
       • IPS Attack Responses
       • Interface Alias IP Addresses
       • UPS
       • High Availability
       • DNS
       • Virus Scanner
       • Burb Configuration
       • Reconfigure Mail (sendmail)

      All cluster-related information is available in one location: the cluster object.
      The following functions are performed only on the cluster object:
      • Apply Configuration

      • Validate Configuration

      • Retrieve Firewall Objects

      After a node has been added to a cluster, these functions cannot be performed on the node.
      The following report can be generated only on the cluster object: Policy Report. This is the only report
      that can be generated for a cluster.

      Features that are configured individually for each node
      The following features are specific to each node in a cluster. Configuration support for these features is
      associated with the cluster node object.
      • Firewall License
      • Date and Time
      • System Shutdown
      • Audit
      • High Availability (Local Parameters)
      • Reports
      • Interface Configuration
      • Certificate Management
      • Reconfigure DNS
      • Software Updates

      As indicated here, such control functions as licensing, shutting down, setting date and time, and displaying
      firewall status can be performed only on each node.


      Configuring, promoting and demoting cluster objects and cluster nodes
      Use the McAfee Firewall Enterprise Cluster Wizard to create a new cluster with one node, add a firewall to
      an existing cluster, or create a new two-node cluster. You can also use the same cluster wizard to demote
      one node of a cluster or to demote both nodes of a cluster to standalone firewalls.

      Cluster creation prerequisites
      Before you begin this process, make sure that the following requirements have been met:
      • Version — Both firewall objects must be the same version. Also, if the firewall is joining a single-node
        cluster, the version of the firewall must match the version of the existing node in the cluster object.

      • Interfaces — The firewall object that you are working with must have at least three enabled
        interfaces—internal, external, and heartbeat.

         • The number of and types of interfaces must be exactly the same.

      • Burbs — The number of and names of burbs must be exactly the same. Note that burb names are
        case-sensitive.

         • For any cluster configuration, a minimum of three burbs must exist in this configuration domain.

         • The burb creation order must be exactly the same.

         • A dedicated heartbeat burb and interface must be configured on each firewall.



• The IPv6 protocol is not currently supported for clusters.

Additional requirements for load-sharing clusters
The following additional requirements are for configuring load-sharing clusters:
• The firewalls must have identical hardware configurations.

• The interface that is used for the heartbeat burb must be at least as fast as the fastest load-sharing
  interface on your firewall.

• [For firewall versions 7.0.1 and later] The Unicast - mirrored and the Unicast - flooded layer 2 modes are
  only supported on em NICs.

• [For firewall versions 7.0.1 and later] If VLAN interfaces that share the same parent NIC or NIC group are
  configured to use either the Unicast - mirrored or the Unicast - flooded layer 2 modes, they must meet
  the following requirements:

   • They must share the same cluster MAC address.

   • They must use the same layer 2 mode (either Unicast - mirror or Unicast - flooded).

Accessing this wizard
To create a cluster with a single firewall or two firewalls or to join a node to an existing cluster:
1 In the Configuration Tool, make sure that the Firewalls group bar is displayed.

2 Select the Firewalls node.

3 Right-click a firewall and select Create/Join Cluster. The McAfee Firewall Enterprise Cluster Wizard
   window is displayed.

To demote an entire cluster:
1 In the Configuration Tool, make sure that the Firewalls group bar is displayed.

2 Select the Clusters node.

3 Right-click the cluster and select Demote Cluster. The McAfee Firewall Enterprise Cluster Wizard window
   is displayed.

To demote one node from an existing cluster:
1 In the Configuration Tool, make sure that the Firewalls group bar is displayed.

2 Select the Clusters node.

3 Select the cluster node that contains the cluster member to be demoted.

4 Right-click the cluster member and select Demote to Standalone. The McAfee Firewall Enterprise Cluster
   Wizard window is displayed.








      Functionality of the McAfee Firewall Enterprise Cluster Wizard
      Refer to the following links to view information about the McAfee Firewall Enterprise Cluster Wizard for
      different procedures:
      • Creating a cluster from within the Control Center on page 218

      • Joining a cluster on page 220

      • Creating a cluster from two firewalls from within the Control Center on page 221

      • Demoting one cluster member (node) to a standalone firewall on page 223

      • Demoting all of the cluster members to standalone firewalls on page 224

      Creating a cluster from within the Control Center
      With the McAfee Firewall Enterprise Cluster Wizard, you can configure clusters completely within the
      Control Center Client.

      Step 1 of 10 - Welcome page
      If you have met all of the prerequisites listed above, click Next >>.

      Step 2 of 10 - Cluster State page
      1 Select the action that you want to take with the selected firewall or firewalls. The following options are
         available:

         • Create new cluster — Promote the selected firewall to a one-node cluster that is managed by the
           Control Center. This is the default option.

         • Join existing cluster — Add the selected firewall to an existing one-node cluster in the Control
           Center.

         • Create cluster with 2 nodes — Create a cluster with two nodes—one of them being the selected
           firewall.

         For this procedure, select Create new cluster.

      2 Click Next >>.

      Step 3 of 10 - Create Cluster page
      1 Specify the name for the cluster object that you are creating. Do not use the fully qualified domain name
         (FQDN) or the object name of any firewall that currently exists in the McAfee Firewall Enterprise Control
         Center. The following characters are available, up to a limit of 63 total characters:

         a-z, A-Z, 0-9, dash (-) through underscore (_)
         Note: You cannot use any of the special characters as the first character in the cluster name.

      2 Click Next >>.

      Step 4 of 10 - High Availability (HA) Mode page
      1 Select the desired mode of the cluster. The following options are available:

         • Peer-to-peer HA — Both firewalls are configured as standbys. The firewall that is booted first
           becomes the primary node; the other node becomes the standby.

         • Load-sharing HA — Both the primary and the secondary nodes share traffic-related duties. This is
           the default selection.

         • Primary/Standby HA — One node is configured as the primary and the other is the standby. The
           standby node will become the primary node only if the current primary node is unavailable. After the
           original primary node is restarted, the original primary node will resume as the primary node, taking
           over from the standby node that was serving temporarily as the primary node.

      2 Click Next >>.








Step 5 of 10 - Takeover Time page
Note: This page is not available if you selected Primary/Standby HA on the previous page. Skip to the next
page.

1 Specify the length of time (in seconds) that the primary node must be unavailable before the standby
   node will begin the takeover process. This value is an integer between 2 and 257. The value of this field
   varies, depending on the type of high availability configuration that you are using in your cluster. For
   load-sharing HA nodes and peer-to-peer nodes, this value will be the same for each node in the cluster.

2 Click Next >>.

Step 6 of 10 - High Availability (HA) Layer 2 Mode page
Note: This page is displayed only for version 7.0.1 or later of the McAfee Firewall Enterprise (Sidewinder) when
you are configuring load-sharing clusters.

1 Select the default L2 mode to be used for this node. Refer to the descriptions on this page for each option.
   Only network devices that are “em” devices will support unicast modes. The default value is Multicast.

2 Click Next >>.

Step 7 of 10 - High Availability (HA) Shared Cluster Addresses page
1 Specify a shared cluster IP address for each network. Note that you must configure at least three cluster
   interfaces. The following fields are available in this table:

   • Shared Cluster IP Address — Specify the cluster address for this interface. At least three interfaces
     must be defined. The following restrictions apply to this cluster address:

       • This must be a valid IP address.

       • This cannot be the broadcast address of the network of this cluster.

       • This cannot be an address that is outside of the selected network.

       • This cannot be the same address as the network address or any other address that the firewall is
         currently using.

   • Network Address — [Read-only] Displays the network address that is calculated from the IP address
     and subnet mask for the interface.

   • Burb — [Read-only] Displays the burb that is associated with this address.

   • Heartbeat burb — Specify the burb that is used for intra-cluster communication. The list includes all
     of the existing, non-virtual, non-Internet burbs. A cluster address should also have been specified for
     the heartbeat burb. Otherwise, the burb cannot be used as the heartbeat burb.

2 Click Next >>.

Step 8 of 10 - Cluster Management Address page
This page is displayed only if the IP management address of the cluster cannot be automatically determined.
This can occur when the firewall is behind NAT.
1 Specify the management IP address of the cluster in the Specify the cluster management address field.
   The following rules apply to this value:

   • This must be a valid IP address.

   • This address must be different from all of the cluster and cluster member IP addresses.

2 In the Cluster Member Management Address field, view the IP address or IP addresses of the cluster
   member or members that you are promoting to this cluster. Make a note of these values if you need to
   create a new NAT rule for this cluster.

3 Click Next >>.




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                      219
McAfee Firewall Enterprise (Sidewinder) clusters




Step 9 of 10 - High Availability (HA) Advanced General Properties page
1 Specify the values for IPSec authentication. The following fields are available in this area:

   • Authentication type — Select the type of IPSec authentication that will be used for this node.
     Available values are SHA1 (the default value) or MD5.

   • Password — Specify the password that will be used to generate the authentication key for IPSec. This
     password must be the same value for both nodes in this cluster because they share the same virtual
     firewall ID.

2 Specify the high availability identification information. The following fields are available in this area:

   • Cluster ID — Specify the identification number that you are assigning to the cluster. This must be a
     value between 1 and 255. The default value is the last octet of the heartbeat cluster address.

   • Multicast group address — Specify the address of the multicast group that is used for high availability
     purposes on the heartbeat burb. The address that you specify must be within the range 239.192.0.0 to
     239.255.255.255. The default address is 239.255.0.1.

3 Click Next >>.

Step 10 of 10 - Cluster Wizard Summary page
The status of the cluster node configuration is displayed. If this information is correct, click Finish >> to
create the cluster. If this information is not correct, click << Previous to go back to the page or pages that
you need to edit. When you have finished editing the information, click Next >> until you return to this
summary page. Then click Finish >> to create the cluster.
If this node was created successfully, the Apply Configuration window is displayed. Configure the settings
to either schedule this apply process or to perform it now. For more information about the Apply
Configuration window, see Applying firewall configurations on page 589.
After the node configuration is applied, the firewall (cluster node) is restarted, except for version 7.0.1.01
and later firewalls, where only some of the services will be restarted. This node should now be displayed in
the Clusters node in the Firewalls group bar of the Configuration Tool. Click the Clusters node and then click
the cluster to which this node belongs. You should now see it beneath the cluster.

Joining a cluster
With the McAfee Firewall Enterprise Cluster Wizard, you can configure a standalone firewall to join an
existing cluster. If you have not accessed the McAfee Firewall Enterprise Cluster Wizard, go to Configuring,
promoting and demoting cluster objects and cluster nodes on page 216.
The firewall that you are promoting in this procedure cannot join the selected cluster if any of the following
conditions applies:
• The cluster already has two member nodes.

• The cluster that you selected does not have any member nodes.

• The version number of the existing cluster member does not match the version of the firewall that you
  are about to promote.

Step 1 of 4 - Welcome page
If you have met all of the prerequisites (see Cluster creation prerequisites on page 216), click Next >>.

Step 2 of 4 - Cluster State page
1 Select the action that you want to take with the selected firewall or firewalls. The following options are
   available:

   • Create new cluster — Promote the selected firewall to a one-node cluster that is managed by the
     Control Center. This is the default option.

   • Join existing cluster — Add the selected firewall to an existing one-node cluster in the Control
     Center.




   • Create cluster with 2 nodes — Create a cluster with two nodes—one of them being the selected
     firewall.

   For this procedure, select Join existing cluster.

2 Click Next >>.

Step 3 of 4 - Join Cluster page
1 Specify the name for the cluster object that you want to join with this firewall. This list contains all of the
   firewall cluster objects. Do not use the fully qualified domain name (FQDN) or the object name of any
   firewall that currently exists in the Control Center. The following characters are available, up to a limit of
   63 total characters:

   a-z, A-Z, 0-9, dash (-), underscore (_)

   Note: You cannot use any of the special characters as the first character in the cluster name.

2 The partner member’s fully qualified domain name (FQDN) field displays the FQDN of the other node in
   this cluster.

3 Click Next >>.

Step 4 of 4 - Cluster Wizard Summary page
The status of the cluster node configuration is displayed. If this information is correct, click Finish >> to
add this firewall as a cluster node to the selected cluster. If this information is not correct, click
<< Previous to go back to the page or pages that you need to edit. When you have finished editing the
information, click Next >> until you return to this summary page. Then click Finish >> to join this node to
the cluster.
If this node was added to the cluster successfully, the Apply Configuration window is displayed. Configure
the settings to either schedule this apply process or to perform it now. For more information about the
Apply Configuration window, see Applying firewall configurations on page 589.
After the node configuration is applied, the firewall (cluster node) is restarted, except for version 7.0.1.01
and later firewalls, where only some of the services will be restarted. The original primary node will also be
restarted in the same manner as the new node. This node should now be displayed in the Clusters node in
the Firewalls group bar of the Configuration Tool. Click the Clusters node and then click the cluster to which
this node belongs. You should now see this new cluster node beneath the cluster.

Creating a cluster from two firewalls from within the Control Center
With the McAfee Firewall Enterprise Cluster Wizard, you can configure clusters completely within the
Control Center Client. In this usage of the wizard, you can create a cluster from two firewalls.

Step 1 of 9 - Welcome page
If you have met all of the prerequisites listed above, click Next >>.

Step 2 of 9 - Cluster State page
1 Select the action that you want to take with the selected firewall or firewalls. The following options are
   available:

   • Create new cluster — Promote the selected firewall to a one-node cluster that is managed by the
     Control Center. This is the default option.

   • Join existing cluster — Add the selected firewall to an existing one-node cluster in the Control
     Center.

   • Create cluster with 2 nodes — Create a cluster with two nodes—one of them being the selected
     firewall.

   For this procedure, select Create cluster with 2 nodes.

2 Click Next >>.




Step 3 of 9 - Create Cluster page
1 Configure the following fields on this page:

   • Specify a name for the cluster object — Specify the name for the cluster object that you are
     creating. Do not use the fully qualified domain name (FQDN) of any of the cluster member nodes.
     However, any other string is acceptable.

   • Choose the second node — Specify the second firewall that will be a part of this new cluster. This
     list consists of all of the firewalls. Note that the version of the firewall that you select must be the same
     version as the firewall that you are using to create the cluster.

   • FQDN of the partner member — [Read-only] Displays the FQDN of the selected (second) node.

2 Click Next >>.

Step 4 of 9 - High Availability (HA) Mode page
1 Select the desired mode of the cluster. The following options are available:

   • Peer-to-peer HA — Both firewalls are configured as standbys. The firewall that is booted first
     becomes the primary node; the other node becomes the standby.

   • Load-sharing HA — Both the primary and the secondary nodes share traffic-related duties. This is
     the default selection.

   • Primary/Standby HA — One node is configured as the primary and the other is the standby. The
     standby node will become the primary node only if the current primary node is unavailable. After the
     original primary node is restarted, the original primary node will resume as the primary node, taking
     over from the standby node that was serving temporarily as the primary node.

2 Click Next >>.

Step 5 of 9 - Takeover Time page
Note: This page is not available if you selected Primary/Standby HA on the previous page. Skip to the next
page.

1 Specify the length of time (in seconds) that the primary node must be unavailable before the standby
   node will begin the takeover process. This value is an integer between 2 and 257. The value of this field
   varies, depending on the type of high availability configuration that you are using in your cluster. For
   load-sharing HA nodes and peer-to-peer nodes, this value will be the same for each node in the cluster.

2 Click Next >>.

Step 6 of 9 - High Availability (HA) Layer 2 Mode page
Note: This page is displayed only for version 7.0.1 or later of the firewall when you are configuring load-sharing
clusters.

1 Select the default L2 mode to be used for this node. Refer to the descriptions on this page for each option.
   Only network devices that are “em” devices will support unicast modes (mirrored or flooded). The default
   value is Multicast.

2 Click Next >>.

Step 7 of 9 - High Availability (HA) Shared Cluster Addresses page
1 Specify a shared cluster IP address for each network. Note that you must configure at least three cluster
   interfaces. The following fields are available in this table:

   • Shared Cluster IP Address — Specify the cluster address for this interface. At least three interfaces
     must be defined. The following restrictions apply to this cluster address:

       • This must be a valid IP address.

       • This cannot be the broadcast address of the network of this cluster.

       • This cannot be an address that is outside of the selected network.



       • This cannot be the same address as the network address or any other address that the firewall is
         currently using.

   • Network Address — [Read-only] Displays the network address that is calculated from the IP address
     and subnet mask for the interface.

   • Burb — [Read-only] Displays the burb that is associated with this address.

   • Heartbeat burb — Specify the burb that is used for intra-cluster communication. The list includes all
     of the existing, non-virtual, non-Internet burbs. A cluster address should also have been specified for
     the heartbeat burb. Otherwise, the burb cannot be used as the heartbeat burb.

2 Click Next >>.

Step 8 of 9 - High Availability (HA) Advanced General Properties page
1 Specify the values for IPSec authentication. The following fields are available in this area:

   • Authentication type — Select the type of IPSec authentication that will be used for this node.
     Available values are SHA1 (the default value) or MD5.

   • Password — Specify the password that will be used to generate the authentication key for IPSec. This
     password must be the same value for both nodes in this cluster because they share the same virtual
     firewall ID.

2 Specify the high availability identification information. The following fields are available in this area:

   • Cluster ID — Specify the identification number that you are assigning to the cluster. This must be a
     value between 1 and 255. The default value is the last octet of the heartbeat cluster address.

   • Multicast group address — Specify the address of the multicast group that is used for high availability
     purposes on the heartbeat burb. The address that you specify must be within the range 239.192.0.0 to
     239.255.255.255. The default address is 239.255.0.1.

3 Click Next >>.

Step 9 of 9 - Cluster Wizard Summary page
The status of the cluster and cluster member configuration is displayed. If this information is correct, click
Finish >> to create the cluster and its two members. If this information is not correct, click << Previous
to go back to the page or pages that you need to edit. When you have finished editing the information, click
Next >> until you return to this summary page. Then click Finish >> to create the cluster and its two
members.
If everything was created successfully, the Apply Configuration window is displayed. Configure the settings
to either schedule this apply process or to perform it now. For more information about the Apply
Configuration window, see Applying firewall configurations on page 589.
After the configurations are applied, each firewall is restarted, except for version 7.0.1.01 and later
firewalls, where only some of the services will be restarted on each firewall. You should now see the cluster
and its two member nodes. In the Firewalls group bar of the Configuration tool, click the Clusters node and
then click the newly created cluster. You should now see the two members beneath the cluster node.
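The address, identifier and naming rules stated on the wizard pages above (Shared Cluster Addresses, Advanced General Properties, Takeover Time and the Join Cluster page) can be pre-checked offline before a planned configuration is entered. The following is an added example, not McAfee code; the function names, the constructed sample networks in the comments and the case-insensitive name comparison are assumptions.

```python
# Checks for the Cluster Wizard input rules quoted in this guide.
# Added example, not McAfee code; function names are assumptions.
import ipaddress
import re

# Limits as stated on the wizard pages.
CLUSTER_ID_RANGE = (1, 255)            # Advanced General Properties: Cluster ID
TAKEOVER_TIME_RANGE = (2, 257)         # Takeover Time page (seconds)
NAME_MAX_LEN = 63                      # Join Cluster page: cluster name length
MCAST_LOW = ipaddress.IPv4Address("239.192.0.0")
MCAST_HIGH = ipaddress.IPv4Address("239.255.255.255")
_NAME_CHARS = re.compile(r"^[A-Za-z0-9_-]+$")   # a-z, A-Z, 0-9, dash, underscore


def check_shared_cluster_address(addr, network, addresses_in_use=()):
    """Shared Cluster IP Address restrictions for one interface.
    network is the interface network in CIDR form (e.g. a constructed
    '10.1.0.0/24'); addresses_in_use holds addresses the firewall already uses.
    Returns the list of violated rules; an empty list means the address is acceptable."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return ["not a valid IP address"]
    net = ipaddress.IPv4Network(network, strict=False)
    problems = []
    if ip not in net:
        problems.append("outside the selected network")
    elif ip == net.broadcast_address:
        problems.append("is the broadcast address of the network")
    elif ip == net.network_address:
        problems.append("is the network address")
    if any(ip == ipaddress.IPv4Address(a) for a in addresses_in_use):
        problems.append("already in use by the firewall")
    return problems


def check_shared_cluster_table(rows, addresses_in_use=()):
    """Check a whole Shared Cluster Addresses table; rows are (address, network).
    Returns {address: [problems]} plus a "<table>" entry if fewer than three interfaces are defined."""
    result = {}
    for addr, network in rows:
        problems = check_shared_cluster_address(addr, network, addresses_in_use)
        if problems:
            result[addr] = problems
    if len(rows) < 3:
        result["<table>"] = ["at least three cluster interfaces must be defined"]
    return result


def default_cluster_id(heartbeat_cluster_address):
    """Wizard default for Cluster ID: the last octet of the heartbeat cluster address."""
    return int(ipaddress.IPv4Address(heartbeat_cluster_address)) & 0xFF


def check_cluster_id(value):
    lo, hi = CLUSTER_ID_RANGE
    return [] if lo <= value <= hi else [f"Cluster ID must be between {lo} and {hi}"]


def check_multicast_group(addr):
    """Multicast group address must lie within 239.192.0.0 to 239.255.255.255."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return ["not a valid IP address"]
    if not MCAST_LOW <= ip <= MCAST_HIGH:
        return [f"must be within {MCAST_LOW} to {MCAST_HIGH}"]
    return []


def check_takeover_time(seconds):
    """Takeover time is an integer number of seconds between 2 and 257."""
    lo, hi = TAKEOVER_TIME_RANGE
    if isinstance(seconds, bool) or not isinstance(seconds, int) or not lo <= seconds <= hi:
        return [f"takeover time must be an integer between {lo} and {hi}"]
    return []


def check_cluster_name(name, existing_firewall_names=(), existing_fqdns=()):
    """Join Cluster page naming rules for the cluster object name.
    Names are compared case-insensitively (an assumption; the guide does not
    say how Control Center compares them)."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > NAME_MAX_LEN:
        problems.append(f"longer than {NAME_MAX_LEN} characters")
    if not _NAME_CHARS.match(name):
        problems.append("contains characters other than a-z, A-Z, 0-9, - and _")
    if name[0] in "-_":
        problems.append("starts with a special character")
    taken = {n.lower() for n in (*existing_firewall_names, *existing_fqdns)}
    if name.lower() in taken:
        problems.append("matches the FQDN or object name of an existing firewall")
    return problems
```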

Demoting one cluster member (node) to a standalone firewall
This section refers to the scenario in which you want to demote one member of a two-member cluster to a
standalone firewall, or in which the cluster has only one member and you want to demote that member.




Demotion prerequisite
Before you access the McAfee Firewall Enterprise Cluster Wizard to perform a demotion, the cluster must
have been retrieved. The following actions take place when a single cluster member of a multi-member
cluster is demoted:
• Any object that is referenced by the cluster will be copied to the new standalone firewall.

• The following objects are excluded: they remain with the cluster and are not associated with the new
  standalone firewall:

   • Interface aliases

   • VPN peers with cluster or alias gateway addresses

   • VPN bypasses

Step 1 of 2 - Welcome page
If you have met the prerequisite listed above, click Next >>.

Step 2 of 2 - Cluster Wizard Summary page
The status of the cluster member changes is displayed. Click Finish >> to demote the cluster member to a
standalone firewall or click Cancel to exit the wizard.
If the member was demoted successfully, the Apply Configuration window is displayed with the selected
cluster node and the targeted firewall. Configure the settings to either schedule this apply process or to
perform it now. For more information about the Apply Configuration window, see Applying firewall
configurations on page 589.
After the configurations are applied, you should see the cluster member that you just demoted now listed
under the Firewalls node, not under the Clusters node.

Demoting all of the cluster members to standalone firewalls
This section refers to the scenario in which you want to demote all of the cluster members in a cluster to
standalone firewalls.

Demotion prerequisite
Before you access the McAfee Firewall Enterprise Cluster Wizard to perform this type of a demotion, the
cluster must have been retrieved—that is, its members and interface information.

Step 1 of 4 - Welcome page
If you have met the prerequisite listed above, click Next >>.

Step 2 of 4 - Resolve Interface Aliases page
This page is available only if the following conditions are met:
• The entire cluster is being demoted—that is, the cluster node and its member nodes.

• There is more than one cluster member in this cluster node.

• The cluster node has at least one configured interface alias.

1 Specify the following fields and values on this page:

   • Associate these addresses with the selected firewall — Specify the firewall that will be demoted
     and that will accept the alias address associations. This list contains the names of all of the firewalls
     (that is, cluster members) that are being demoted. Select the one firewall for these alias associations.

   • IP Address — [Read-only] Displays the alias IP addresses that will be associated with the selected
     firewall.

   • Mask — [Read-only] Displays the subnet masks that are part of the alias addresses that will be
     associated with the selected firewall.

2 Click Next >>.




Step 3 of 4 - Resolve VPN Objects page
This page is available only if the following conditions are met:
• The entire cluster is being demoted—that is, the cluster node and its member nodes.

• There is more than one cluster member in this cluster node.

• The cluster node has at least one configured VPN object that cannot be automatically resolved. This
  includes VPN peer objects that have a cluster (non-alias) gateway address and VPN bypass objects.

1 Specify the following fields and values on this page:

   • Associate these VPN objects with the selected firewall — Specify the cluster member (firewall)
     that will be demoted and that will accept the VPN object associations. This list contains the names of
     all of the firewalls (that is, cluster members) that are being demoted. Select the one firewall for these
     VPN object associations.

   • Type — [Read-only] Displays the type of VPN object that is being affected by this wizard. Valid values
     are Peer and Bypass.

   • Name — [Read-only] Displays the name of the VPN object.
   • New Gateway IP Address — [Read-only] Displays the gateway IP address for the VPN object. This
     address changes for peer objects when the firewall selection is changed in the first field.

   • Description — [Read-only] Displays a description of the VPN object.

2 Click Next >>.

Step 4 of 4 - Cluster Wizard Summary page
The status of all of the changes is displayed. If this information is correct, click Finish >> to demote the
cluster members to standalone firewalls and to demote the cluster node. If this information is not correct,
click << Previous to go back to the page that you need to edit or click Cancel to exit the wizard. Start the
wizard again when you are ready to proceed and click Next >> to return to this summary page. Then click
Finish >> to demote the cluster members and the cluster node.
If the members were demoted and the cluster node was removed successfully, the Apply Configuration
window is displayed with the firewall objects selected. Configure the settings to either schedule this apply
process or to perform it now.
After the configurations are applied, you should see the cluster members that you demoted listed under
the Firewalls node, not under the Clusters node, and the cluster node should be removed.


Overview of configuring a cluster on the McAfee Firewall Enterprise Admin Console
If you decide to configure a cluster on the McAfee Firewall Enterprise Admin Console and not on the Control
Center Client, you must first perform some tasks on the Admin Console and then move to the Configuration
Tool of the Control Center Client. The following procedures define this process at a high level.

McAfee Firewall Enterprise Admin Console
1 Define the High Availability (HA) configuration and the cluster nodes and cluster interfaces.

2 Register the firewall cluster that is to be managed by the Control Center.




Control Center Configuration Tool
1 In the Configuration Tool, select the Firewalls group bar.

2 Add a new cluster object by right-clicking the Clusters node and selecting Add Object.

   The Add Cluster window is displayed. For more information about this window, see Adding a cluster
   that was created on the McAfee Firewall Enterprise Admin Console on page 226.

3 Retrieve all of the configuration items from the firewall cluster. The cluster node objects are created and
   their names are displayed under the cluster object node.

4 Double-click the cluster object to display the Cluster window.

   All of the common objects that are handled by the HA cluster are represented in the window. The High
   Availability area has the common parameters of the cluster object. For more information about this
   window, see Configuring configuration information for a cluster on page 228.

5 Double-click a cluster node object to display the Cluster Member window.

   Configuration parameters that are specific to the cluster member node are represented in this window.
   The High Availability area has the HA settings that are unique to the selected cluster member node.
   For more information about this window, see Configuring configuration data for a cluster member on
   page 255.


Adding a cluster that was created on the McAfee Firewall Enterprise Admin Console
Use the Add Cluster window to add a cluster object that was created in the McAfee Firewall Enterprise
Admin Console and its associated configuration objects to the Control Center Management Server
database. The cluster object represents the configuration data and characteristics that are specific to a
firewall High Availability (HA) cluster.
Figure 71 Add Cluster window




Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.

2 Double-click the Clusters node, or right-click this node and select Add Object. The Add Cluster window
   is displayed.

Fields and buttons
This window has the following fields and buttons:
• Cluster Name — Specify the name of the cluster. You can use any string of characters, except for the
  fully qualified domain name (FQDN) of one of the cluster member nodes.

• Cluster Mgmt Address — Specify the management interface IP address that is associated with the
  cluster.

• Version — Specify the version of the software that is installed on the cluster. This information is
  necessary so that the Control Center can produce the correct format of data that is sent to the firewalls
  when the configurations are applied.

• Location — Specify a description of the location of this cluster node.

• Description — Specify any comments or information about the cluster and its configuration.

• OK — Save the information on this window and create a cluster.

• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• Retrieval Items — Select this tab to identify the configuration components that are to be retrieved from
  the cluster.

   If you right-click on the Retrieval Items heading, you can select or cancel the selection of all items.

   When the cluster node object is created and the configuration components are retrieved, member
   node objects for each of the firewalls in the cluster are created. Configuration objects that are
   retrieved include those that are common to the cluster and those that are unique to each member
   node.

   Retrieved objects that are common to the cluster can be accessed and edited by using the
   cluster-specific Cluster window. Retrieval objects that are unique to a node in the cluster can be
   accessed and edited by using the node-specific Cluster Member window.

   For specific information about common and unique retrieval objects, see McAfee Firewall Enterprise
   (Sidewinder) clusters on page 215.

• Categories — Select this tab to develop a classification hierarchy for firewalls that are installed in your
  configuration. This category/value pair can be used to sort firewalls by using a user-defined sorting
  scheme. As you create user-defined categories, they appear in the Category list. By carefully defining a
  sorting scheme and identifying each firewall by using one or more categories, a powerful sorting scheme
  can be applied to obtain views of firewalls in the Firewall Sorting Manager window.




Configuring configuration information for a cluster
Use the Cluster window to add or change configuration object data for the selected firewall cluster object.
Figure 72 Cluster window

Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

Buttons
This window has the following areas and buttons.
• OK — Save the changes that have been made on any of the areas and close this window.

   Note: Changes that you make on any individual area in this window are not saved until you click OK for the
   entire window.

• Cancel — Close this window without saving any changes.

Tree nodes
This window has the following nodes in the tree:
• General Settings — Select to display cluster identification and common configuration information. See
  Cluster window: General Settings area on page 229.

• Offbox Settings — Configure audit export settings and, for versions 7.0.1.02 and later of the firewall,
  McAfee Profiler and McAfee Firewall Reporter settings. See Cluster window: Offbox Settings area on
  page 231.

• Cluster Interfaces — Configure interfaces for clusters. See Cluster window: Cluster Interfaces area on
  page 232.

• High Availability — Define the cluster-specific, high-availability configuration options for firewalls that
  are installed in a high-availability cluster. See Cluster window: High Availability area on page 233.



• Static Routing — Specify the default gateway and entries in the static routing table of the firewall. See
  Cluster window: Static Routing area on page 235.

• Dynamic Routing — Modify configuration files associated with dynamic routing. See Cluster window:
  Dynamic Routing area on page 238.

• Sendmail — Modify sendmail configuration files. See Cluster window: Sendmail area on page 239.

• DNS — Manage and modify the DNS configuration for the cluster. See Cluster window: DNS area on
  page 240.

• Certificates — Generate certificate requests and manage firewall certificates. See Cluster window:
  Certificates area on page 245.

• Miscellaneous — Select or configure a group of features, or global settings, to be applied to the firewall
  cluster. Global settings include default application defense group, password and passport authenticators,
  Internet burb, server and service settings, virus scanning properties, and UPS settings. See Cluster
  window: Miscellaneous area on page 250.

   To read specific information directly from the cluster, use the Firewall Retrieval Options window. The
   Configuration Tool has two ways to read configuration information directly from the firewall, to
   normalize the data, and to store this information in the database:

   • When the cluster is initially created, identify and retrieve a user-selected set of retrieval objects by
     using the Retrieval Items tab on the Add Cluster window.

   • After a cluster has been created, identify and retrieve a user-selected set of retrieval objects by
     right-clicking the firewall object and clicking Retrieve Firewall Objects. The Firewall Retrieval Options
     window is displayed.

• OK — Save changes that were made on any of the areas to the cluster.

• Cancel — Closes this window without saving any of the changes that were made on any of the areas.

Cluster window: General Settings area
Use the General Settings area of the Cluster window to specify such cluster parameters as the cluster
name, management IP addresses, management port, software version, Management Servers, firewall
properties, mail configuration, and audit export. To view the fields on this window, see Figure 72 on
page 228.

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

4 Make sure that the General Settings node is selected in the tree on the left.

Fields and buttons
This area contains the following fields and buttons:
• Cluster Name — Specify a name for the cluster. The name may be any string, but it must not be the
  fully qualified domain name (FQDN) of any of the member nodes.

• Description — Provide comments and information about the cluster and its configuration.

• Configuration — Use the fields in this area to specify information about the cluster and its location. The
  following fields are available:

   • Cluster Mgmt Address — Specify the management interface IP address that is associated with this
     cluster.




         • Firewall Mgmt Port — Specify the port number that the firewall uses to communicate with the Control
           Center Management Server. The default management port is 9005. The value that you specify in this
           field must match the value that is specified on the firewall by using its native GUI. Changing this value
           and applying the change does not change the value on the firewall.

         • Version — [Read-only] Displays the version of software installed in the cluster. This information is
           necessary so that the Control Center can produce the correct format of data sent to the firewall when
           the configurations are applied.

         • Time Zone — Specify the time zone in which the cluster exists.

         • Location — Specify user-defined location information. This information can be used to provide a
           user-defined alternate view of the way that the firewalls are organized and displayed in the Object area
           in the Firewalls group. For more information, see Viewing configuration information about each firewall
           on page 584.

         • Contact — Specify an administrator name to associate with the cluster. This information can be used
           to provide a user-defined alternate view of the way that the firewalls are organized and displayed in
           the Object area in the Firewalls group. For more information, see Viewing configuration information
           about each firewall on page 584.

      • Management Servers — Use the fields in this area to specify information about the Control Center
        Management Servers.

         • Host Name — [Read-only] Displays the fully qualified host name of the Management Server.

         • IP address — Specify the IP address of the Management Server.

      • Firewall Properties — Specify a user-defined category/value. Use the Categories tab to develop a
        classification hierarchy for firewalls that are installed in your configuration. Use this category/value pair
        to sort firewalls by using a user-defined sorting scheme (in addition to the built-in Location and Contact
        categories). As you create user-defined categories, they are displayed in the Category list. By carefully
        defining a sorting scheme and identifying each firewall by using one or more categories, a powerful sorting
        scheme can be applied to obtain views of firewalls by using the Firewall Sorting Manager window.

      • Mail Configuration — Use the fields in this area to specify a firewall mail configuration.

         • SMTP Mode — The following values are available:

             • Secure Split SMTP — Uses the firewall-hosted sendmail servers. Select this value to take
               advantage of such sendmail features as header stripping, spam and fraud control, and mail routing.

             • Transparent — Passes mail by proxy through the firewall. Select this value to ensure that only the
               files that are necessary to send administrative messages will be configured. These include
               firewall-generated alerts, messages, and logs.

         • Internal SMTP Burb — Specify the burb in which your site's internal SMTP server resides.




Cluster window: Offbox Settings area
Use the Offbox Settings area of the Cluster window to specify configuration information for exporting audit
data, settings for the McAfee Firewall Profiler, and for the McAfee Firewall Reporter.
Figure 73 Cluster window: Offbox Settings area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

4 Select the Offbox Settings node in the tree on the left.

Fields and buttons
This area contains the following fields and buttons:
• Audit Export — Use the fields in this area to specify an audit export configuration.

   • Configuration — Specify an audit export configuration that has been defined on the Audit Export
     window. Access this window by selecting the Firewall Settings group bar in the Object area of the
     Configuration Tool and double-clicking Audit Export. You can select or edit an existing configuration
     or add a new one. See Audit export on page 268.

       To edit an existing object, select it in the list, then click the edit button (Edit selected). The
       respective object window is displayed.

       To add a new object, click the add button. The respective object window is displayed.

   • Certificate — Specify a certificate to use when transferring the cluster's archived audit files to the
     Control Center Management Server. This list includes the certificates that have been specified in the
     Certificates area of the Cluster window.

   • Attach Signature — [Available only if a value is selected in the Configuration field] Determines
     whether a signature is attached. This checkbox is cleared by default.




         • Delete logs after export — Determines whether to delete the audit export log file that resides on this
           cluster after it has been successfully exported to all of its specified locations. If you do not select this
           checkbox, the audit export log files will remain on the local firewall after they have been exported. The
           default value is cleared.

      • McAfee Firewall Profiler — [Available only for firewall versions 7.0.1.02 or later] Use the fields in this
        area to configure this cluster to send audit and policy data to the McAfee Firewall Profiler that you specify.
        You can create a new McAfee Firewall Profiler object in the Profiler window. See McAfee Firewall Profiler
        on page 272. The following fields are available:

         • Archive verbose audit — [Available only if a McAfee Firewall Profiler has been configured]
           Determines whether the audit data that is being archived is at the verbose level, which means the
           highest level of detail and larger file sizes. This is data that is not usually archived on the firewall, but
           that will be sent to the McAfee Firewall Profiler if this checkbox is selected. The default value is cleared.

         • Certificate — Specify the certificate for the McAfee Firewall Profiler.

      • McAfee Firewall Reporter — [Available only for firewall versions 7.0.1.02 or later] Use the field in this
        area to configure this firewall to enable real-time transmission of its audit data to the McAfee Firewall
        Reporter. The McAfee Firewall Reporter has advanced reporting functionality. The following field is
        available:

         • Configuration — Specify the Firewall Reporter / Syslog configuration that will be used by this cluster
           to transmit its audit data to the McAfee Firewall Reporter. You can also edit and add configurations
           from this field in the Firewall Reporter / Syslog window. For more information, see Firewall Reporter /
           Syslog settings on page 273.

             To edit an existing object, select it in the list, then click the edit button (Edit selected). The
             respective object window is displayed.

             To add a new object, click the add button. The respective object window is displayed.

      Cluster window: Cluster Interfaces area
      Use the Cluster Interfaces area of the Cluster window to specify cluster interface parameters.
      Figure 74 Cluster window: Cluster Interfaces area




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Clusters node to expand the list of currently defined cluster nodes.

      3 Double-click one of the cluster nodes. The Cluster window is displayed.

      4 Select the Cluster Interfaces node in the tree on the left. The Cluster Interfaces area is
         displayed.




Fields and buttons
This area has the following fields and buttons:
• Cluster IP address — Specify the IP address of the cluster interface. This address should be in the same
  network as the burb of the interface. This value must be a valid IPv4 address in dotted quad format.
  However, a value is not required.

   You can also modify the cluster IP address on the Cluster Interface Properties window. If you modify
   the cluster IP address in one window, it is automatically updated in the other window.

   To delete a cluster IP address, click in the row of the address to be deleted and delete the value.

• Network Address — [Read-only] Displays the network address for the burb in which this cluster
  interface resides.

• Burb — [Read-only] Displays the name of the burb in which this cluster interface resides.

• Advanced... — The Cluster Interface Properties window is displayed, in which you can configure
  additional features for this cluster interface. See Modifying cluster interface properties on page 253.

Cluster window: High Availability area
Use the High Availability area of the Cluster window to configure the common parameters of the High
Availability cluster object.
Figure 75 Cluster window: High Availability area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

4 Select the High Availability node in the tree on the left. The High Availability area is displayed.




      Fields and buttons
      This area has the following fields and buttons:
      • High Availability Identification — Use the fields in this area to set the following High Availability
        parameters. The following fields are available.

         • Cluster ID — Specify an identifier that is assigned to the cluster. Use this ID to distinguish among and
           manage multiple HA clusters. This value must be an integer between 1 and 255.

         • Multicast Group Address — Specify the address of the multicast group that is used for HA purposes
           on the heartbeat burb.
             Note: This address must be within the range from 239.192.0.0 to 239.255.255.255.

         • HeartBeat Burb — Specify the burb that HA will use to send or receive heartbeats. A heartbeat is a
           short message that is sent out at specific intervals to verify whether a firewall is operational. This must
           be a dedicated burb.

         • HeartBeat Verification Burb — Specify the burb that HA will use to send or receive a mini-heartbeat.
           Select a burb that regularly passes traffic (for example, the internal burb).

      • HA Status — Use the fields in this area to view the nodes in the HA cluster and their status.

         • HA Node — [Read-only] Displays the nodes in the cluster.

         • Status — [Read-only] Indicates whether a node is peer or primary.

      • Refresh — Retrieve the updated status of the cluster members. The status bar displays the latest
        information.

      • IPSec Authentication — Use the fields in this area to specify parameters associated with IPSec
        authentication.

         • Authentication Type — Specify the type of IPSec authentication to use for HA. The following values
           are available:

             • SHA1

             • MD5

           Select SHA1 unless a peer requires MD5; HMAC-MD5 is deprecated for IPSec authentication.

         • Password — Specify the password to be used to generate the authentication key for IPSec. This is a
           shared secret: every cluster member derives the same key from it, so protect it like any other
           credential.

      • Interface Test — Use the fields in this area to specify parameters that are associated with determining
        whether an interface is operational.

         • Time Between Tests — Specify the frequency (in seconds) with which the HA cluster will ping the
           remote address to ensure that an interface and path are operational. The value specified must be an
           integer between 2 and 60.

         • Consecutive Failures — Specify the number of failed ping attempts that must occur before a
           secondary (or standby) node takes over as the primary. The value specified must be an integer
           between 2 and 20.

      • Auto-Recover on Reconnect — Determines whether to automatically rejoin a firewall to an HA cluster
        if a monitored interface or a heartbeat interface fails and recovers. The recovered cluster member is
        restored to the appropriate state:

         • In a primary/secondary cluster, the recovered firewall becomes the primary of the cluster.

         • In a peer-to-peer cluster, the recovered firewall remains a standby member of the cluster.

         • In a load-sharing cluster, the recovered firewall becomes a participating member of the cluster and
           passes traffic.




   If you do not select this checkbox, you must reboot the firewall to enable it to rejoin the cluster.
   Note: If the remote host becomes unavailable immediately after a ping attempt has been issued, the time that
   it takes for a secondary/standby to take over will be slightly longer. This is because it will take almost an entire
   test interval before the first failure is detected.

Cluster window: Static Routing area
Use the Static Routing area to modify the default route or to configure an alternate route to be used for the
default route failover.
The default route is the network route that is used by a router when no other known route exists for a
packet’s destination address. The alternate default route is a redundant route. If your primary default route
becomes inaccessible, the alternate default route will start to forward traffic.
With redundant default routes, use the fields in this area to define an alternate default route and ping
addresses for the default routes.
• The firewall continuously pings the default route IP address and any other ping addresses that you define
  in this area.

• If all of the configured ping addresses fail, the alternate default route becomes the acting default route.

• Reset the primary default route when it is active again by selecting the Revert default gateway to the
  primary default gateway option in the Control Actions field in the Device Control window.

Figure 76 Cluster window: Static Routing area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to display the list of clusters.

3 Double-click a supported cluster object. The Cluster window is displayed.

4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.




      Fields and buttons
      This area has the following fields and buttons:
      • Configure default route failover — Determines whether you are going to configure an alternate default
        route. The default value is cleared. If you select this checkbox, the fields in the Alternate Default Route
        area are available.

      • Default Route — Use the fields in this area to configure the IP address for the default route and, if you
        are configuring route failover, one or more IP addresses to ping to confirm primary default route
        availability. The following fields are available:

         • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its
           destination address. This is usually the IP address of a router that forwards packets to your Internet
           Service Provider (ISP). You can also configure a DHCP route by specifying dhcp as the value in this
           field. However, you also must have a DHCP interface already configured.

         • Description — Provide information to assist in identifying this route.

         • Ping addresses — [Available only if Configure default route failover is selected] Use the fields in
           this table to manage the IP addresses that the firewall will ping to confirm that the primary default
           route is accessible.

             The primary default route IP address is automatically displayed. However, you can configure
             additional ping addresses.

             • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click
               anywhere in a blank row.

             • Delete — Click x in the row of an IP address that you want to delete from this table.

             • Ping interval (s) — Specify the amount of time (in seconds) in between each ping that the firewall
               will send to the configured IP addresses to ensure that the path is accessible. Valid values are from
               2 to and including 60.

             • Failures allowed — Specify the number of failed ping attempts that must occur before the
               alternate default route assumes the role of the default (primary) route.

                 Failures are counted in increments and decrements rather than successively: a failed ping
                 adds one to the failure total, and a successful ping subtracts one from it. The failure total
                 is never less than zero and never more than the configured failures allowed. Valid values
                 are from 2 to and including 20.

                 For example, if you set the allowed number of failures to 3, the following table shows
                 how successful and failed pings are counted to determine the failover:

                 Ping result:    failure  success  success  failure  failure  success  failure  failure
                 Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)

      • Alternate Default Route — [Available only if Configure default route failover is selected] Use the
        fields in this area to configure the IP address for the alternate default route and one or more IP addresses
        to ping to confirm alternate default route availability. The following fields are available:

         • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its
           destination address. This should be a different route than the primary default route or it can also be a
           different ISP.

         • Description — Provide information to assist in identifying this route.

         • Ping addresses — Use the fields in this table to manage the IP addresses that the firewall will ping
           to confirm that the alternate default route is accessible.




       • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click
         anywhere in a blank row.

       • Delete — Click x in the row of an IP address that you want to delete from this table.

       • Ping interval (s) — Specify the amount of time (in seconds) in between each ping that the firewall
         will send to the configured IP addresses to ensure that the path is accessible. Valid values are from
         2 to and including 60.

       • Failures allowed — Specify the number of failed ping attempts that must occur before the
         alternate default route is considered to be inaccessible.

           Failures are counted in increments and decrements rather than successively: a failed ping
           adds one to the failure total, and a successful ping subtracts one from it. The failure total
           is never less than zero and never more than the configured failures allowed.

           For example, if you set the allowed number of failures to 3, the following table shows
           how successful and failed pings are counted to determine the failover:

           Ping result:    failure  success  success  failure  failure  success  failure  failure
           Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)

• Static routes — Use this table to display, edit, or add static routes that are not specified as the primary
  default route and the alternate default route in the fields at the top of this area. The following fields are
  available:

   • Destination — Specify the IP address for the route destination. This value must be a valid IPv4
     address in dotted quad format.

       You can specify a slash-format netmask length (for example, x.x.x.x/y where x is a number
       between 0 and 255 and y is a number between 0 and 31). After you move the mouse to another
       field, the mask length is removed from this field and the corresponding netmask is displayed in the
       Netmask field. For example, if you specified 24, the Netmask value will be 255.255.255.0. If you do
       not specify a mask length, the default Netmask value, 255.255.255.255, is provided.

   • Netmask — Specify the netmask that is assigned to the route destination. This value must be a valid
     IPv4 address in dotted quad format and it must also be a contiguous netmask.

   • Gateway — Specify the IP address of the gateway to use in the route to the specified destination. This
     value must be a valid IPv4 address in dotted quad format.

   • Description — Provide information to assist in identifying this route.

   • Delete — Click x in the row of a static route that you want to delete from this table.
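The "Failures allowed" counter described above for the primary and alternate default routes is a hysteresis counter, not a run of consecutive failures, and that difference decides when a degraded path fails over. The following Python simulation is an added example (not Control Center code): it models the counting rule the guide gives (failed ping +1, successful ping -1, clamped between 0 and the configured limit, failover when the total reaches the limit), replays the guide's own sequence, and contrasts it with a plain "N successive failures" rule. The ping sequences are constructed inputs, and the worst-case timing helper assumes each probe is answered or times out before the next one is sent.

```python
"""Simulate the 'Failures allowed' counter used for default-route failover.
Added example, not Control Center code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RouteMonitor:
    """Ping-failure counter for one default route (primary or alternate)."""

    failures_allowed: int          # the 'Failures allowed' field, 2..20
    ping_interval: int = 2         # the 'Ping interval (s)' field, 2..60
    failure_total: int = 0
    failed_over: bool = False

    def __post_init__(self) -> None:
        # Reject values outside the ranges the Control Center accepts.
        if not 2 <= self.failures_allowed <= 20:
            raise ValueError("Failures allowed must be an integer from 2 to 20")
        if not 2 <= self.ping_interval <= 60:
            raise ValueError("Ping interval must be an integer from 2 to 60 seconds")

    def record(self, ping_succeeded: bool) -> bool:
        """Apply one ping result; return True if this result triggers failover."""
        if ping_succeeded:
            self.failure_total = max(0, self.failure_total - 1)        # never below zero
        else:
            self.failure_total = min(self.failures_allowed,
                                     self.failure_total + 1)          # never above the limit
        if self.failure_total == self.failures_allowed and not self.failed_over:
            self.failed_over = True
            return True
        return False

    def worst_case_detection_seconds(self) -> int:
        """Upper bound on the time from a hard outage to failover.

        failures_allowed probes must fail, one per interval, plus up to one extra
        interval when the outage begins just after a probe was answered
        (assumption: each probe is answered or timed out before the next is sent).
        """
        return (self.failures_allowed + 1) * self.ping_interval


def simulate(results: List[bool], failures_allowed: int) -> Tuple[List[int], Optional[int]]:
    """Replay a sequence of ping results (True = success).

    Returns the failure total after each ping and the zero-based index of the
    ping that caused failover, or None if the sequence never reached the limit.
    """
    monitor = RouteMonitor(failures_allowed)
    totals: List[int] = []
    failover_at: Optional[int] = None
    for index, ok in enumerate(results):
        if monitor.record(ok) and failover_at is None:
            failover_at = index
        totals.append(monitor.failure_total)
    return totals, failover_at


def consecutive_rule(results: List[bool], failures_allowed: int) -> Optional[int]:
    """Contrast: a plain 'N successive failures' rule, where any success resets the run."""
    run = 0
    for index, ok in enumerate(results):
        run = 0 if ok else run + 1
        if run == failures_allowed:
            return index
    return None


if __name__ == "__main__":
    # The guide's worked sequence with Failures allowed = 3 (constructed input).
    guide_sequence = [False, True, True, False, False, True, False, False]
    totals, at = simulate(guide_sequence, 3)
    print("failure totals:", totals, "failover at ping index", at)      # [1,0,0,1,2,1,2,3], 7
    print("successive rule fails over at", consecutive_rule(guide_sequence, 3))   # None
    # A lossy but not dead path: two failures out of every three pings.
    lossy = [False, False, True] * 3
    print("lossy path fails over at ping index", simulate(lossy, 3)[1])  # 4
    print("worst case with a 10 s interval:",
          RouteMonitor(3, 10).worst_case_detection_seconds(), "s")        # 40
```

Two things the table alone does not make obvious: the guide's sequence never contains three failures in a row, so a successive-failure rule would not fail over at all, and a path that is merely lossy (here two of every three pings lost) does trigger failover because successes only subtract one. Size "Failures allowed" and the ping interval with that in mind, and pick ping addresses beyond the next-hop router so a healthy gateway with a dead upstream is still detected.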




      Cluster window: Dynamic Routing area
      Use the Dynamic Routing area of the Cluster window to modify configuration files associated with dynamic
      routing. Dynamic routing is performed using a dynamic routing application along with a routing protocol
      such as the following:
      • BGP (Border Gateway Protocol)

      • OSPF (Open Shortest Path First Protocol)

      • RIP (Routing Information Protocol)

      • PIM-SM (Protocol-Independent Multicast - Sparse Mode)

      The firewall implementation of the BGP, OSPF, and RIP protocols and corresponding server processes is
      based on the Quagga implementation. The firewall implementation of PIM-SM is based on the XORP
      (eXtensible Open Router Platform) implementation.
      Each routing application is associated with a configuration file that contains all of the information required
      for configuring dynamic routing. Use the Dynamic Routing area to select a configuration and to edit the
      associated configuration file. For more information about routing and the various protocols, see the
      “Routing” chapter of the McAfee Firewall Enterprise (Sidewinder) Administration Guide.
      Caution: Editing configuration files associated with dynamic routing protocols and applications requires advanced
      knowledge.

      If you edit one of the Quagga configuration files accessible from this area and apply the configuration to the
      firewall, the modified configuration will be validated before the information from the Control Center can be
      applied to the firewall.

      If you edit the XORP configuration file, the modified file will be validated before the XORP implementation is
      modified. If the configuration is invalid, the XORP implementation will continue to use its older configuration.

      For the Quagga implementations, you are advised to consult the documentation available at www.quagga.net.

      Figure 77 Cluster window: Dynamic Routing area




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Clusters node to expand the list of currently defined cluster nodes.

      3 Double-click one of the cluster nodes. The Cluster window is displayed.

      4 Select the Dynamic Routing node in the tree on the left. The Dynamic Routing area is
         displayed.




Fields and buttons
This area has the following button and an associated field.
• Select Configuration — Specify the configuration file for this dynamic route. The following values are
  available:

   • BGP configuration — Display the configuration file that is associated with the firewall server process
     that implements BGP processing (bgpd).

   • OSPF configuration — Display the configuration file that is associated with the firewall server process
     that implements OSPF processing (ospfd).

   • zebra configuration — Display the configuration file that is associated with the kernel routing table
     manager server process (zebra).

   • XORP configuration — Display the configuration file that is associated with the XORP implementation
     of PIM-SM routing.

   • rip configuration - external — Display the configuration file that is associated with the external burb
     and the firewall server process that implements RIP processing (ripd). The RIP configuration is on a
     per-burb basis. There is an RIP configuration file for each burb registered to the firewall.

   • rip configuration - internal — Display the configuration file associated with the internal burb and the
     firewall server process that implements RIP processing (ripd). The RIP configuration is on a per-burb
     basis. There is an RIP configuration file for each burb registered to the firewall.

   • rip configuration - unbound — Display the configuration file that is associated with the firewall server
     process that implements RIP processing across burbs (ripd-unbound).
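As an added example (not from the guide or from the Quagga documentation), the following is the kind of OSPF configuration file that might be entered in this area for a cluster whose internal burb interface is em1 and whose external burb interface is em0. The interface names, addresses and key are assumptions. It confines OSPF to the internal network and requires message-digest authentication on every OSPF packet, so a host on an unauthenticated segment cannot inject routes into the firewall's routing table:

```text
! ospfd configuration (added example; interface names, addresses and key are assumptions)
hostname fw-cluster-ospfd
!
interface em1
 ! internal burb: every OSPF packet must carry a valid MD5 digest
 ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_SECRET
!
router ospf
 ospf router-id 10.1.0.1
 ! form adjacencies and advertise only on the internal network
 network 10.1.0.0/24 area 0.0.0.0
 area 0.0.0.0 authentication message-digest
 ! never speak OSPF toward the external burb
 passive-interface em0
!
```

The validation performed before apply catches syntax the daemon cannot parse; it does not catch a policy mistake such as a network statement that covers the external burb or an area left without authentication, so review those lines by hand before applying.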

Cluster window: Sendmail area
Use the Sendmail area of the Cluster window to edit the sendmail configuration files. These files contain
such information as the delivery agents to use and the way to format message headers.
Caution: Do not change your sendmail configuration options unless you are an experienced sendmail user and
want to customize the files for your site.

Be sure to make a backup copy of a sendmail configuration file prior to editing the file.

Figure 78 Cluster window: Sendmail area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

4 Select the Sendmail node in the tree on the left. The Sendmail area is displayed.




      Fields and buttons
      This area has the following fields and buttons:
      • Manage Sendmail files via the Control Center — Determines whether the Sendmail files will be
        updated by the Control Center Management Server. The default value is selected.

      • File Set — Determines whether the files you want to modify are in the internal burb or the external burb.

      • Configuration File — Specify the configuration file to be modified. For each file set, the following values
        are available:

         • Access Table — Defines anti-relaying and anti-spamming policies for the SMTP server.

         • Aliases File (available only in the Internal burb) — Defines the mail aliases that are used to
           redirect e-mail to another person or location.

         • Alternative Host Names — Identifies alternate host names by which the firewall is known. E-mail
           addressed to any of the alternate names is treated as local mail by the firewall.

         • Domain Table — Provides a mapping from an old domain name to a new domain name. You should
           modify this file if the external domain name of your organization changes.

         • M4 Config File — Defines the initial sendmail configuration. Modify this file as needed to account for
           site-specific requirements.

         • Mailer Table — Maps a domain to a mail relay that is responsible for mail delivery in that domain.

             The selected configuration file is displayed and available for editing in the associated text box.

      • Save — Save your changes to the edited configuration file.
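As an added example (not from the guide), the following is an Access Table for the external file set of a split SMTP configuration. It assumes the organization's domain is example.com and its internal network is 10.0.0.0/24 (both assumptions), and that the M4 config file enables sendmail's access_db feature, which it must for this table to be consulted. The table accepts inbound mail for the domain, permits relaying only from the internal network, and refuses two listed sources with explicit SMTP replies:

```text
# Sendmail access table (added example). Left column: key; right column: action.
# Accept mail addressed to our own domain and its subdomains.
To:example.com                RELAY
# Permit relaying (outbound mail) only from the internal network.
Connect:10.0.0                RELAY
# Refuse a known bad sender domain outright, with a permanent (5xx) reply.
From:spam.example.net         ERROR:"550 Mail from this domain is not accepted"
# Defer a host that is flooding us with a temporary (4xx) reply so it retries later.
Connect:192.0.2.7             ERROR:"450 Try again later"
```

RELAY on a Connect: line authorizes every host matching the prefix to send mail anywhere through the firewall, so the prefix must cover only trusted networks; a RELAY entry for a broad or external range turns the firewall into an open relay. Take the backup the caution above calls for before editing, because a malformed table can stop the SMTP server from accepting mail at all.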

      Cluster window: DNS area
      Use the DNS area of the Cluster window to manage and modify the DNS configuration for the cluster. The
      firewall supports the following DNS configurations:
      • Transparent DNS

      • Hosted Single Server DNS

      • Hosted Split Server DNS
      Figure 79 Cluster window: DNS area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

4 Select the DNS node in the tree on the left. The DNS area is displayed.

Fields and buttons
This area has one field that affects the composition of the area and the fields and buttons that are available
for configuration of DNS:
• DNS Configuration — Specify the type of DNS configuration. The following values are available:

   • Transparent — In this configuration, DNS requests are proxied through the firewall to one or more
     remote DNS servers. See Transparent DNS configuration on page 241.

   • Hosted Single Server — In this configuration, one DNS server is hosted on the firewall. That server
     handles all DNS queries. The server is protected by the hardened operating system of the firewall. See
     Hosted single server DNS configuration on page 241.
   • Hosted Split Server — In this configuration, two DNS servers are hosted on the firewall: one server
     is bound to the Internet burb (the Internet name server) and the other server (the unbound name
     server) is available for use by all internal burbs. Both servers are protected by the hardened operating
     system of the firewall. See Hosted split server DNS configuration on page 243.

Transparent DNS configuration
The following fields are available in this area:
• Burb — Specify the burbs to which transparent name servers are assigned.

• DNS Servers — Specify the name servers for transparent DNS services.

• Add — Displays the Transparent DNS Servers window, in which you can add a transparent name server.

• Edit — Displays the Transparent DNS Servers window for the highlighted value in the table. You can edit
  the values and click OK to save the change to the area. Note that you must click OK in the Cluster window
  to save the changes to the firewall.

• Delete — Delete the highlighted server from this table.

Hosted single server DNS configuration
The following fields are available in this area:
• Manage DNS files via Control Center — Determines whether DNS files are managed by using the
  Control Center. This checkbox is selected by default. If a DNS configuration that is not supported by
  Control Center is encountered during retrieve, then this checkbox will be cleared. If you clear this
  checkbox, the only field on the window that remains active is Enable server.

• Generate loopback and multicast failover zones on apply — Determines whether loopback zones
  (0.x.127.in-addr.arpa, where x denotes the burb index) and the failover multicast zone
  (0.255.239.in-addr.arpa) are automatically generated by the Control Center when you apply the
  configuration.

   These zones are added to the Control Center database when DNS components are retrieved from the
   firewall (see Retrieving firewall components on page 168), and this checkbox is cleared.
   Select this checkbox to ensure that the loopback zones and the failover multicast zone files are
   generated automatically when you apply, or propagate, a configuration from the Control Center
   database to the firewall. Otherwise, you will be responsible for adding the loopback and multicast zone
   files.




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                   241
McAfee Firewall Enterprise (Sidewinder) clusters




• DNS Zones — Use the fields in this area to specify the zones that are associated with the name server.
  The following fields are available:

   • Create a new DNS Zone — Click (Add) to display the DNS Zone Manager window, in which you can
     create a new DNS zone. For more information, see Configuring DNS zones on page 315.

   • DNS Zone — Specify the DNS zone to associate with the name server.

   • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS
     zone.

• Server Configuration — Use the fields on this tab to specify configuration settings for the name server.
  The following fields are available:

   • Enable server — Determines whether the name server is enabled. This checkbox is selected by
     default. If you disable the name server by clearing the checkbox, only connections that use IP
     addresses will continue to work; connections that use host names will not.

   • Enable notify — Determines whether the master name server will notify all slave servers when the
     zone file changes. The notification indicates to the slaves that the contents of the master have changed
     and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox,
     the following fields are available:

       • Yes — Indicates that the slave servers will be notified about zone file changes.

       • No — Indicates that the slave servers will not be notified about zone file changes.

   • Forwarders — Specify external name servers to which to forward queries that cannot be answered
     on the firewall. You can reposition a row in this table by highlighting the row and clicking either the
     (move up) or (move down) button.

   • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether
     the name server will attempt to contact the root server if the Forwarders cannot answer the query.
     This checkbox is selected by default. This indicates that queries will be directed only to the selected
     forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders.
     If they cannot answer the query, the name server then attempts to contact the root server.

   • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all
     requesters are authorized.

   • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only
     for master zones. If this field is left blank, updates are not allowed from any host.

   • Dump-File — Specify the path name of the file to which the name server dumps the database when
     instructed to do so with rndc dumpdb. If a path is not specified, the default is
     named_dump.db. (rndc is the remote name daemon control program.)

   • Statistics File — Specify the path name of the file to which the name server appends statistics when
     instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is
     located in the current directory of the name server.

Hosted split server DNS configuration
The following fields are available in this area:
• Manage DNS files via Control Center — Determines whether DNS files are managed by using the
  Control Center. This checkbox is selected by default. If you clear this checkbox, the only field on the
  window that remains active is Enable server.

• Generate loopback and multicast failover zones on apply — Determines whether loopback zones
  (0.x.127.in-addr.arpa, where x denotes the burb index) and the failover multicast zone
  (0.255.239.in-addr.arpa) are automatically generated by the Control Center when you apply the
  configuration.

   These zones are added to the Control Center database when DNS components are retrieved from the
   firewall (see Retrieving firewall components on page 168), and this checkbox is cleared.

   Select this checkbox to ensure that the loopback zones and the failover multicast zone files are
   generated automatically when you apply, or propagate, a configuration from the Control Center
   database to the firewall. Otherwise, you will be responsible for adding the loopback and multicast zone
   files.
• DNS Zones — Use the fields in this area to specify the zones that are associated with the name server.
  The following fields are available:

   • Create a new DNS Zone — Click (Add) to display the DNS Zone Manager window, in which you can
     create a new DNS zone. For more information, see Configuring DNS zones on page 315.

   • Type — Specify the location to which this zone is added. The following values are available:

       • Internet — Indicates that the zone is added only to the Internet Server Configuration.

       • Unbound — Indicates that the zone is added only to the Unbound Server Configuration.

       • Both — Indicates that the zone is added to the Internet Server Configuration and to the Unbound
         Server Configuration.

   • DNS Zone — Specify the DNS zone to associate with the name server.

   • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS
     zone.

• Unbound Server Configuration — Use this tab to specify configuration settings for the unbound name
  server. The unbound name server is available for use by all internal burbs. The following fields and buttons
  are available on this tab:

   • Enable server — Determines whether the unbound name server is enabled. This checkbox is selected
     by default. If you disable the name server by clearing the checkbox, only connections that use IP
     addresses will continue to work; connections that use host names will not.
       Caution: If you disable both the unbound server and the Internet server, connections will work only if
       they use IP addresses rather than host names. Mail will not work, and other errors will occur as other parts
       of the system attempt to access the network by name.

   • Enable notify — Determines whether the master name server will notify all slave servers when the
     zone file changes. The notification indicates to the slaves that the contents of the master have changed
     and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox,
     the following fields are available:

       • Yes — Indicates that the slave servers will be notified about zone file changes.

       • No — Indicates that the slave servers will not be notified about zone file changes.

   • Forwarders — Specify external name servers to which to forward queries that cannot be answered
     on the firewall. You can reposition a row in this table by highlighting the row and clicking either the
     (move up) or (move down) button.

   • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether
     the name server will attempt to contact the root server if the Forwarders cannot answer the query.
     This checkbox is selected by default. This indicates that queries will be directed only to the selected
     forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders.
     If they cannot answer the query, the name server then attempts to contact the root server.

   • Forward to Internet Server first — Determines whether queries that cannot be answered on the
     firewall are forwarded to the Internet server before they are forwarded to selected forwarders. This
     checkbox is cleared by default. If this checkbox is selected, queries will be forwarded first to the
     Internet server.

   • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all
     requesters are authorized.

       If you do not specify any values in this field, on apply, the following values are added to the
       named.conf.u file:

       • allow-recursion (any; ); — For firewall versions 7.0.0.08 and later and versions 7.0.1.02 and later

       • allow-query-cache (any; ); — For firewall versions 7.0.1.02 and later

   • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only
     for master zones. If this field is left blank, updates are not allowed from any host.

   • Dump-File — Specify the path name of the file to which the name server dumps the database when
     instructed to do so with rndc dumpdb. If a path is not specified, the default is
     named_dump.db. (rndc is the remote name daemon control program.)

   • Statistics File — Specify the path name of the file to which the name server appends statistics when
     instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is
     located in the current directory of the name server.

• Internet Server Configuration — Use the fields on this tab to specify configuration settings for the
  Internet name server. The Internet name server is bound to the Internet burb. The following fields and
  buttons are available on this tab:

   • Enable server — Determines whether the Internet name server is enabled. This checkbox is selected
     by default. If you disable the Internet name server by clearing the checkbox, external connections that
     require host names will not work unless the name is already cached in the database of the unbound
     name server. Connections that use IP addresses will work. E-mail will be placed in a queue because IP
     addresses cannot be resolved.
       Caution: If you disable both the unbound server and the Internet server, connections will work only if
       they use IP addresses rather than host names. Mail will not work, and other errors will occur as other parts
       of the system attempt to access the network by name.

   • Enable notify — Determines whether the master name server will notify all slave servers when the
     zone file changes. The notification indicates to the slaves that the contents of the master have changed
     and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox,
     the following fields are available:

       • Yes — Indicates that the slave servers will be notified about zone file changes.

       • No — Indicates that the slave servers will not be notified about zone file changes.

   • Forwarders — Specify external name servers to which to forward queries that cannot be answered
     on the firewall. You can reposition a row in this table by highlighting the row and clicking either the
     (move up) or (move down) button.

   • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether
     the name server will attempt to contact the root server if the Forwarders cannot answer the query.
     This checkbox is selected by default. This indicates that queries will be directed only to the selected
     forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders.
     If they cannot answer the query, the name server then attempts to contact the root server.

   • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all
     requesters are authorized.

   • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only
     for master zones. If this field is left blank, updates are not allowed from any host.

   • Dump-File — Specify the path name of the file to which the name server dumps the database when
     instructed to do so with rndc dumpdb. If a path is not specified, the default is
     named_dump.db. (rndc is the remote name daemon control program.)

   • Statistics File — Specify the path name of the file to which the name server appends statistics when
     instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is
     located in the current directory of the name server.
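The Server Configuration fields described above for the single-server and split-server cases (Forwarders, Forward only, allow-query, allow-transfer, and the allow-recursion and allow-query-cache entries that are written when allow-query is left blank) end up as directives in the name server's named.conf-style file. The following Python script is an added example, not part of this guide or of the Control Center product: it parses those directives from such a file and reports the settings that matter for an Internet-facing server versus the internal unbound server. BIND's brace syntax and the sample configurations are assumptions constructed for the example.

```python
"""Audit the BIND options written for a hosted DNS server.

Added example, not code from the McAfee guide or the Control Center product.
It reads the top-level ``options { ... }`` block of a named.conf-style file
(such as the named.conf.u the guide mentions) and reports the settings a
reviewer cares about. BIND's brace syntax and the sample configurations
below are assumptions constructed for this example.
"""
import re

# Access-list directives the Control Center fields map to, including the two
# the guide says are written automatically when allow-query is left blank.
ACL_DIRECTIVES = ("allow-query", "allow-recursion", "allow-query-cache",
                  "allow-transfer", "forwarders")


def extract_block(conf, keyword):
    """Return the text inside the first top-level ``keyword { ... }`` block."""
    start = re.search(r"\b%s\s*\{" % re.escape(keyword), conf)
    if not start:
        raise ValueError("no %s block found" % keyword)
    depth, i = 1, start.end()
    while i < len(conf) and depth:
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %s block" % keyword)
    return conf[start.end():i - 1]


def parse_options(conf):
    """Return {directive: [values]} for the ACL directives present, plus the
    'forward' mode ('only', 'first' or None when not set)."""
    body = extract_block(conf, "options")
    opts = {}
    for name in ACL_DIRECTIVES:
        m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
        if m:
            opts[name] = [v.strip() for v in m.group(1).split(";") if v.strip()]
    m = re.search(r"\bforward\s+(only|first)\s*;", body)
    opts["forward"] = m.group(1) if m else None
    return opts


def audit_options(conf, role):
    """Return findings as 'severity: message' strings.

    role is 'internet' for the server bound to the Internet burb or 'unbound'
    for the server that only the internal burbs can reach.
    """
    opts = parse_options(conf)
    findings = []

    def open_to_any(name):
        return any(v.lower() == "any" for v in opts.get(name, []))

    # A blank allow-query field yields allow-recursion { any; } and
    # allow-query-cache { any; }: an open resolver if untrusted hosts can reach it.
    if open_to_any("allow-recursion") or open_to_any("allow-query-cache"):
        if role == "internet":
            findings.append("high: recursion and cache open to any host on the "
                            "Internet-facing server (open resolver)")
        else:
            findings.append("info: recursion open to any host; acceptable only "
                            "because the unbound server serves internal burbs")
    if role == "internet" and "allow-query" not in opts:
        findings.append("medium: allow-query unset, so all requesters are authorized")
    # A blank allow-transfer means no host may transfer, so only 'any' is flagged.
    if open_to_any("allow-transfer"):
        findings.append("high: allow-transfer open to any host (zone contents exposed)")
    if opts.get("forwarders") and opts["forward"] != "only":
        findings.append("info: forwarders set without 'forward only', so the root "
                        "servers are contacted when the forwarders cannot answer")
    return findings


# Constructed named.conf.u as the guide describes it when allow-query is blank.
UNBOUND_BLANK_ALLOW_QUERY = """\
options {
    forwarders { 203.0.113.53; };
    forward only;
    allow-recursion { any; };
    allow-query-cache { any; };
    dump-file "named_dump.db";
    statistics-file "named.stats";
};
zone "corp.example" { type master; file "db.corp.example"; };
"""

# Constructed configuration with the allow-query and allow-transfer fields set.
RESTRICTED_OPTIONS = """\
options {
    forwarders { 203.0.113.53; };
    forward only;
    allow-query { 10.0.0.0/8; 192.168.0.0/16; };
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };
    allow-transfer { 10.0.0.5; };
};
"""
```

Run `audit_options(conf, "internet")` against the Internet server's file and `audit_options(conf, "unbound")` against named.conf.u after each apply to confirm the generated access lists match what you intended.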

Cluster window: Certificates area
Use the Certificates area on the Cluster window to configure certificate server settings, view available
firewall certificates, assign certificates to server services, and manage Secure Shell (SSH) keys. Also use
this page to perform such actions as creating, importing, exporting, and deleting certificates and SSH keys.
Figure 80 Cluster window: Certificates area




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

4 Select the Certificates node in the tree on the left. The Certificates area is displayed.

Tabs
This area has the following tabs:
• Firewall Certificates — View the status of the firewall certificates for the cluster. For more information,
  see Firewall Certificates tab on page 246.

• SSH Keys — Manage the SSH keys for this cluster. For more information, see SSH Keys tab on page 247.

• Settings — Configure certificate server settings and assign certificates to server services. For more
  information, see Settings tab on page 248.

Firewall Certificates tab
Use the Firewall Certificates tab to view the list of firewall certificate names and the status of those
certificates. You can filter this list by selecting the appropriate value in the Status list at the bottom left
corner of this tab. To view the fields on this tab, see Figure 80 on page 245.

Fields and buttons
The Firewall Certificates tab has the following fields:
• Name — [Read-only] Displays the names of firewall certificates.

• Status — [Read-only] Displays the status of the associated firewall certificates.

• Status — (at the bottom of the tab) Specify the status by which the list of firewall certificates is filtered
  for display. The following values are available:

   • ALL — Displays all firewall certificates.

   • Pending — Displays certificates that were requested (for example, by using the Manual PKCS10 signing
     mechanism) and are not yet complete. This status can occur in the following circumstances:

       • PKCS10 is used and a certificate has not been provided.

       • A CA-signed certificate is used and the certificate has not yet been retrieved from the Certificate
         Authority.

   • Completed — Displays certificates that have been received from the certificate server.

   • Revoked — Displays certificates for which a request has been rejected by Netscape CAs or CAs that
     support Simple Certificate Enrollment Protocol (SCEP).

• Add Certificate — Start the Certificate Request Wizard, with which you can create a new certificate or
  import an existing certificate. The certificate will be added to the list of firewall certificates that are
  displayed on this page. For more information, see Creating certificates or importing them into the
  certificate database on page 515.

• Load Certificate — For Manual PKCS10 certificate requests, start the Load Certificate wizard, in which
  you can import a certificate. For more information, see Loading certificates on page 522.

• Retrieve Certificate — For a certificate request that has been submitted to be signed by a CA, start a
  query of the CA to determine whether the certificate has been approved.

• Certificate Details — Displays the Certificate Manager window, in which you can view information about
  a selected certificate. Information includes such details as the certificate name, distinguished name,
  domain name, signature type (for example, RSA), and status (for example, Completed, CA Signed).

• Export Certificate — Start the Export Certificate wizard, in which you can export a certificate and private
  key to a file. For more information, see Exporting certificates on page 519.

• Delete Certificate — Delete a certificate from the list of firewall certificates.
   Note: If the selected certificate is being used by VPN, an application defense, or other firewall component, it
   cannot be deleted.

SSH Keys tab
Use the SSH Keys tab to manage the SSH keys for this firewall.
Figure 81 Cluster window: Certificates area: SSH Keys tab




Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to expand the list of currently defined cluster nodes.

3 Double-click one of the cluster nodes. The Cluster window is displayed.

4 Select the Certificates node in the tree on the left. The Certificates area is displayed.

5 Select the SSH Keys tab.

Fields and buttons
This tab has the following fields and buttons:
• Name — [Read-only] Displays the name of the SSH key. Note that Default_RSA_Key and
  Default_DSA_Key are reserved words for the firewall. You cannot add or delete these keys. However, you
  will see these keys in this tab when you retrieve from the firewall for the first time.

• SSH Fingerprint — [Read-only] Displays the SSH fingerprint of the public key that is associated with this
  SSH key. The fingerprint is a hashed (shortened) version of the host key to make it easier for you to
  compare keys.

• Signature Type — [Read-only] Displays the type of standard digital signature that is used when this SSH
  key is generated or verified. The following values are available:

   • RSA — Public key and private key combination

   • DSA — Digital Signature Algorithm

• Add — Display the Add SSH Key window, in which you can add a new SSH key.

• Import — Display the Import SSH Key window, in which you can import the SSH key directly from a file
  or from pasted text.

• Export — Display the Export SSH Key window, in which you can export the SSH key directly to a file or
  display it on the SSH Keys window.

• Delete — Delete the highlighted SSH key from the list of SSH keys.
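The SSH Fingerprint column shows a hash of the public key rather than the key itself. As an added example (not code from this guide or from the product), the following Python script computes the OpenSSH-style MD5 and SHA256 fingerprints of a public key line, which is the kind of value you compare against the key held on the firewall itself (for instance the output of ssh-keygen -l). The RSA key is constructed from small numbers and is not a real key; the ssh-rsa blob layout used is the standard OpenSSH wire format.

```python
"""Compute OpenSSH-style fingerprints for an SSH public key.

Added example, not code from the McAfee guide or the Control Center product.
It derives the fingerprint of a public key line so the value can be compared
with the one shown for the key on the firewall. The RSA key below is
constructed from small numbers and is not a real key.
"""
import base64
import hashlib
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """Encode a positive integer as an SSH wire 'mpint' (two's complement,
    so a leading zero byte is added when the top bit would otherwise be set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_blob(e, n):
    """Build the ssh-rsa key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_public_key_line(line):
    """Return (key_type, blob) from an 'ssh-rsa AAAA... comment' line.

    Raises ValueError when the type named in the line does not match the type
    embedded in the blob, which catches a mislabelled or edited key.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type in blob does not match %r" % key_type)
    return key_type, blob


def line_is_consistent(line):
    """True when the line parses and its type label matches the blob."""
    try:
        parse_public_key_line(line)
        return True
    except ValueError:
        return False


def md5_fingerprint(blob):
    """Legacy colon-separated hex form, as printed by ssh-keygen -l -E md5."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """Current form: unpadded base64 of the SHA-256 digest of the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed key material: not a real key, only shaped like one.
SAMPLE_BLOB = build_rsa_blob(65537, 0xD9B71F2C3A4E5B6D7F8091A2B3C4D5E7)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-key"

if __name__ == "__main__":
    key_type, blob = parse_public_key_line(SAMPLE_LINE)
    print(key_type, md5_fingerprint(blob))
    print(key_type, sha256_fingerprint(blob))
```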

Settings tab
Use the Settings tab to configure certificate server settings and assign certificates to server services.
Figure 82 Cluster window: Certificates area: Settings tab

Fields and buttons
This tab has the following fields and buttons:
• Certificate Server Options — Use the fields in this area to configure settings that are associated with
  the certificate server. The following fields are available:

   • Use LDAP to search for Certificates — Determines whether the firewall cluster will attempt to
     retrieve certificates and CRLs (Certificate Revocation Lists) from an LDAP server. This checkbox is
     cleared by default. When this checkbox is selected, the following fields are available:

       • Server Address — Specify the IP address of the LDAP server.

         To search for objects, use the filter field to control the number of objects that are displayed. To limit
         the search to exact matches of a specified sequence of characters that appears anywhere in the
         object name, specify one or more characters and press Enter. To perform an advanced search for
         an object, click (Advanced search).

         To view a list of objects that you can add, click (Add).

       • Server Port — Specify the port number on which the LDAP server listens. The port number is 389
         by default. However, the server can be configured to listen on other ports.

       • Timeout (sec.) — Specify the maximum amount of time (in seconds) that the certificate
         management daemon will wait while performing an LDAP search. Acceptable values range from 0
         to 3600. The default value is 60.

• Key Server — Use the fields in this area to configure settings that are associated with keys. The following
  fields are available:

   • Maximum Validated Cache Size — Specify the maximum number of validated keys that will be
     stored in cache memory. Caching validated keys can increase system performance. Acceptable values
     range from 0 to 500. A value of 0 indicates that keys will not be cached. The default value is 100.

   • Certificate Key Cache Lifetime (min.) — Specify the maximum amount of time that a certificate
     can remain in the validated key cache before it must be re-validated. Acceptable values range from 0
     to 360. A value of 0 indicates that certificate keys must be re-validated with each use.

• CRL — Use the fields in this area to configure settings that are associated with Certificate Revocation Lists
  (CRLs). The following fields are available:

   • Perform CRL Checking — Determines whether CRL checking is enabled. This checkbox is selected by
     default. If this checkbox is cleared, CRL lists will not be consulted when certificates are being validated.

   • CRL Retrieval Interval — Specify the frequency with which a Certificate Authority (CA) is queried to
     retrieve a new CRL.

• Audit Level — Specify the level of auditing to be performed on the specified certificate server. The
  following values are available:

   • Error — Logs major errors only.

   • Normal — Logs major errors and informational messages. This is the default value.

   • Verbose — Logs information that is useful in detecting configuration issues.

   • Debug — Logs all errors and informational messages and also logs debugging information.

• Application Defense Settings — Use the field in this area to specify the HTTPS certificate that will be
  used to decrypt HTTPS traffic. The following field is available:

   • Default HTTPS Certificate — Specify the SSL certificate that will be used to decrypt HTTPS traffic.
     This certificate will be used, by default, for the HTTPS application defense. For more information, see
     HTTPS Application Defense window: General tab on page 371.

• Common Access Card Configuration — [Available only for firewall version 7.0.1.02 and later] Use the
  fields in this area to specify the Common Access Card (CAC) authenticator and CAC Webserver certificate
  that are used to authenticate users when using a CAC to access the firewall. The following fields are
  available:

   • CAC Certificate — Specify the CAC remote certificate for this administrator. This list displays all of the
     remote certificates. The default value is <None>. You can also edit an existing certificate or add a new
     one by following these instructions.

       To edit an existing object:

       First, select the object in the list.

       Next, click (Edit selected). The respective object window is displayed.

       To add a new object:

       Click (Add). The respective object window is displayed.

   • Webserver SSL Certificate — Specify the certificate that the CAC Webserver will present to your Web
     browser for the SSL session. If you select a CAC authenticator, you must specify the SSL certificate.

• SSL Certificates — Use this table to specify the list of server services and their currently assigned SSL
  certificate.

   • Server — Displays the server services to which you can assign new SSL certificates.

   • SSL Certificate — Displays the name of the certificate that is currently assigned to the associated
     server service. This certificate is the default certificate or a self-signed, RSA/DSA firewall certificate.

Cluster window: Miscellaneous area
Use the Miscellaneous area to define a common group of features that can be applied to this cluster. As an
alternative, you can use the settings from the Global Settings object that were defined in the Global
Settings window by selecting Apply Global Settings.
Figure 83 Cluster window: Miscellaneous area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Clusters node to display the list of clusters.

3 Double-click a supported cluster object. The Cluster window is displayed.

4 In the tree on the left, click Miscellaneous. The Miscellaneous area is displayed.

Fields and buttons
The Global Settings, Firewall Settings Objects, and Policy Objects areas have the following buttons:
• (Edit) — After you select a value in the list, click this button to edit the value in the respective
  window. Each field description below includes the name of the window that is displayed when this button
  is clicked.

• (Add) — Click this button to the right of the object that you want to create. The window for this
  object is displayed, in which you can configure the new object. Each field description below includes the
  name of the window that is displayed when this button is clicked.

• Global Settings — Use the fields in this area to select the global setting to apply to this cluster.

   • Apply Global Settings — Determines whether global settings are applied to the selected cluster. This
     checkbox is selected by default. If you have previously defined a Global Settings object in the Global
     Settings window, you can select it from the list. Clear the Apply Global Settings checkbox to use the
     other fields and buttons in the Miscellaneous area to define global settings to be associated with the
     selected cluster.

• Firewall Settings Objects — Use the fields in this area to select a variety of previously defined
  configuration objects. You can view these objects in the Firewall Settings group bar of the Configuration
  Tool. The following fields are available:

   • Network Defense — Display the network defenses that have been defined on the system. Specify the
     network defense to apply to a cluster. (See Configuring network defense audit reports on page 279.)

   • Server and Service Settings — Display the server and service settings that have been defined on
     the system. Specify the server and service configuration to apply to a cluster. (See Managing servers
     and service configurations on page 291.)

   • IPS Signature Browser — Display the IPS Signature Browser objects that have been defined on this
     system. Specify the IPS signature object to apply to a cluster. (See Viewing and managing IPS
     signatures by using the IPS Signature Browser on page 302.)

   • Virus Scan — Display the virus scanning properties that have been defined on the system. Specify the
     virus scan configuration to apply to a cluster. (See Virus scanning on page 308.)

   • TrustedSource — Display the TrustedSource configurations that have been defined on this system.
     Specify the TrustedSource configuration to apply to a cluster. (See Configuring TrustedSource settings
     for rules and mail filtering on page 305.)

   • Third-Party Updates — Display the defined update schedules for downloading and installing IPS
     signature updates, anti-virus signature files, and Geo-Location updates that have been defined on the
     system. Specify the update schedule to apply to a cluster. (See Configuring third-party update
     schedules.)

   • Scheduled Jobs — Display the Scheduled Jobs window, in which you can view the scheduled jobs that
     have been defined on the system and apply them to a cluster. (See Scheduling jobs on page 322.)

   • Package Load — Display the package load configurations that have been defined on the system.
     Specify the configuration to use to check for and load packages to install on a cluster. (See Establishing
     a schedule to check for software updates on page 331.)

• Policy Objects — Use the fields in this area to select a variety of previously defined configuration objects.
  You can view these objects in the Policy group bar of the Configuration Tool. The following fields are
  available:

   • Internet burb — Display the burbs that have been defined on the system. Specify the single burb that
     communicates directly with the Internet. (See Configuring burbs on page 341.)

   • Default application defense group — Display the application defense groups that have been defined
     on the system. Specify the application defense group to apply, by default, in new rules for a cluster.
     (See Configuring application defense groups on page 418.)

   • Password Authenticator — Display the password authenticators that have been defined on the
     system. Specify the password authenticator to apply to a cluster. (See Configuring password
     authenticators on page 426.)

   • Passport Authenticator — Display the passport authenticators that have been defined on the
     system. Specify the passport authenticator to apply to a cluster. (See Configuring passport
     authenticators on page 428.)

• Reputation Threshold — Use the fields in this area to perform TrustedSource™ reputation service
  filtering and specify an associated setting.

   • Perform TrustedSource filtering on inbound mail — Determines whether TrustedSource is used
     to reduce the amount of spam that reaches an organization's in-boxes. This checkbox is cleared by default.
     If you select this checkbox, use the associated field to specify a value that is used to distinguish
     legitimate senders of e-mail from untrustworthy ones. Values range from 0 to 120. The default value
     is 80. Messages from senders with reputation scores above the selected reputation threshold value are
     rejected. Trustworthy senders receive low scores, and untrustworthy senders receive high scores.
     Values are associated with TrustedSource reputation classes. See the help topic for the Global Settings
     window for information about the reputation classes.

• Lockout Threshold — Use the fields in this area to enable lockout and specify an associated setting.

   • Enable lockout — Determines whether a user whose account reaches a specified authentication
     attempt threshold is locked out until the lock is cleared by an administrator. This checkbox is cleared by
     default. If you select this checkbox, you can specify the number of failed login attempts that can occur
     for a single user account before the user is locked out of the cluster.

• Uninterruptible Power Supply (UPS) — Use the fields in this area to enable UPS and specify associated
  settings. The following fields are available:

   • Enable UPS — Determines whether a UPS device is enabled for a firewall. This checkbox is cleared by
     default. If you select this checkbox, the following fields are available:

       • Serial Port — Specify the serial port that is connected to the UPS. Available values are COM1 and
         COM2. The default value is COM1.

       • Battery Time (sec) — Specify the number of seconds that the UPS battery will last before its power
         is considered to be low. The default value is 900.

         If UPS is enabled and a power outage occurs, the firewall monitors the UPS and performs an orderly
                 shutdown when the power of the UPS battery begins to be low.

      • Other Settings — Use the fields in this area to specify the following settings:

         • Enforce U.S. Federal Information Processing Standard 140-2 — Determines whether the
           requirements of the FIPS 140-2 standard are applied to a cluster. This standard specifies security
           requirements for cryptographic modules. This value is cleared by default.

         • Delete home directory upon deletion of user — Determines whether a user's home directory is
           deleted automatically when the user account is deleted. This value is cleared by default.

         • Blackhole source IP if attack IP cannot be confirmed (responses) — Determines whether a
           source IP address is blackholed when the related audit message does not have an Attack IP field. This
           value is cleared by default. If you select this checkbox, connections from the IP address originating the
           attack will not be accepted.

         • Enforce health monitor auditing — Determines whether audit data on the system's health status
           are generated and statistics about network and system utilization are recorded. This checkbox is
           selected by default.

         • Allow Secure Alerts to be sent to Control Center — Determines whether Secure Alerts are allowed
           to be sent by this cluster to the Control Center Management Server.
             To configure the alerts, you must also go to the IPS Attack Response window or the System
             Response window and select the Send Secure Alert checkbox.

Modifying cluster interface properties
Use the Cluster Interface Properties window to modify cluster IP addresses, to create, modify, or delete
remote test IP addresses, and to create, modify, or delete force ARP reset IP addresses for this cluster
interface on the firewall.
Figure 84 Cluster Interface Properties window




Accessing this window
1 In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Clusters node.

2 Double-click a cluster in the tree. The Cluster window for the selected node is displayed.

3 Select the Cluster Interfaces node. The Cluster Interfaces area is displayed.

4 Click Advanced.... The Cluster Interface Properties window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Cluster IP Address — Specify the unique IP address of the network interface brought forward from the
  row in which you clicked Advanced.... You can edit the address in this window and the changes will be
  propagated back to the Cluster Interfaces page of the Cluster window. You can use alphanumeric
  characters, dashes (-), and underscores (_).

• Network Address — [Read-only] Displays the network interface for the burb that is displayed on the
  Cluster Interfaces page.

• Burb — [Read-only for firewall versions earlier than 7.0.1] Specify the burb name for the cluster IP
  address.

      • Quality of Service — Specify the Quality of Service profile that contains one or more queues that allow
        you to prioritize network performance based on network traffic type.
         Note: Only standard interfaces can use Quality of Service profiles, even if that interface is part of a cluster.

         Note: For the 7.0.1 version and later versions of the firewall, you cannot select a profile that contains any of
         the following characters: dash (-), period (.), or underscore (_).

      • MTU — [Available only for version 7.0.1 and later firewalls] Specify the size of the Maximum Transmission
        Unit (MTU) for outgoing packets.

      • Shared addresses — Use the fields in this area to add, edit, or delete shared addresses. The following
        fields are available:

         • IP Address — Specify the unique IP address to be associated with this network interface. This value
           must be a valid IPv4 address in dotted quad format.

             You can specify a slash-format netmask length (for example, x.x.x.x/y where x is a number
             between 0 and 255 and y is a number between 0 and 31). For example, if you specified 24, the
             value will be 255.255.255.0. If you do not specify an IP address value, the default mask value,
             which is 255.255.255.0, is provided.

         • Mask — Specify the netmask to be associated with this network interface. This value must be a valid
           IPv4 address in dotted quad format and it must also be a contiguous netmask.

         • Delete — Click x (Delete) in the row to be deleted. The address is deleted from the interface after you
           click OK.

      • Force Arp Reset — [Not available if this cluster interface is in load-sharing mode] In this table, configure
        hosts that are known to ignore gratuitous ARPs, but that need to know the new cluster alias.

         • IP address — Specify the unique IP address of the network interface that will not accept gratuitous
           requests. This value must be a valid IPv4 address in dotted quad format.

             You can specify a slash-format netmask length (for example, x.x.x.x/y where x is a number
             between 0 and 255 and y is a number between 0 and 31). After you move the mouse to another
             field, the mask length is removed from this field and the appropriate netmask is displayed in the
             Mask field. For example, if you specified 24, the value will be 255.255.255.0. If you do not specify
             an IP address value, the default mask value, which is 255.255.255.0, is provided.

         • Delete — Click x (Delete) in the row to be deleted. The IP address is deleted from the interface.

      • Interface test — Use the fields in this area to configure remote test IP addresses for networks that you
        want to periodically ping.

         • Monitor link status — Determines whether the interface link is active. This method checks only
           whether the interface is disconnected or the NIC stops working. It does not verify that other devices
           can be contacted by the firewall.

         • IP address — Specify the IP address to ping.

         • Delete — Click x (Delete) in the row to be deleted. The IP address is deleted from the interface.

         • Ping interval — Specify the length of time (in seconds) that the firewall will ping the remote address
           to ensure that an interface and path are operational.

         • Failures allowed — Specify the number of failed ping attempts that must occur before the standby
           interface takes over as the primary.

             Failures are counted in increments and decrements rather than successively. This means that a
             failed ping adds to the failure total, and a successful ping subtracts from the failure total. The
             failure total is never less than zero and it is never more than the configured failures allowed.
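The increment/decrement rule above behaves differently from a plain consecutive-failure counter on a flapping link. The following simulation is an added example, not McAfee code; it models only the counting rule the guide states (class and function names are my own, the ping results are constructed sample data, and one ping per Ping interval is assumed):

```python
"""Simulation of the "Failures allowed" counter described above.

Added example, not McAfee code: it models only the counting rule the guide
states (a failed ping adds one, a successful ping subtracts one, the total
never drops below zero or rises above the configured limit, and the standby
takes over once the limit is reached). Names are my own; the ping results
used below are constructed sample data.
"""
from typing import List, Optional


class InterfaceTest:
    """Tracks the failure total for one remote test IP address."""

    def __init__(self, failures_allowed: int, ping_interval: int) -> None:
        if failures_allowed < 1 or ping_interval < 1:
            raise ValueError("failures_allowed and ping_interval must be positive")
        self.failures_allowed = failures_allowed
        self.ping_interval = ping_interval  # seconds between pings (assumption)
        self.failure_total = 0

    def record(self, ping_succeeded: bool) -> int:
        """Apply one ping result and return the new failure total."""
        if ping_succeeded:
            # A success subtracts one, but the total never goes below zero.
            self.failure_total = max(0, self.failure_total - 1)
        else:
            # A failure adds one, but the total never exceeds failures allowed.
            self.failure_total = min(self.failures_allowed, self.failure_total + 1)
        return self.failure_total

    def takeover_triggered(self) -> bool:
        """True once the total reaches the configured limit."""
        return self.failure_total >= self.failures_allowed


def takeover_index(results: List[bool], failures_allowed: int) -> Optional[int]:
    """Index of the ping after which the standby takes over (None if never)."""
    test = InterfaceTest(failures_allowed, ping_interval=1)
    for i, ok in enumerate(results):
        test.record(ok)
        if test.takeover_triggered():
            return i
    return None


def consecutive_takeover_index(results: List[bool],
                               failures_allowed: int) -> Optional[int]:
    """Same question for a plain consecutive-failure counter, for contrast.

    This is NOT the firewall's rule; it is here only to show how the two
    rules differ on a flapping path.
    """
    run = 0
    for i, ok in enumerate(results):
        run = 0 if ok else run + 1
        if run >= failures_allowed:
            return i
    return None


def seconds_until_takeover(results: List[bool], failures_allowed: int,
                           ping_interval: int) -> Optional[int]:
    """Elapsed seconds until takeover, assuming one ping every ping_interval seconds."""
    idx = takeover_index(results, failures_allowed)
    return None if idx is None else (idx + 1) * ping_interval


if __name__ == "__main__":
    # Constructed sample: a flapping path (False = failed ping, True = success).
    flapping = [False, False, True, False, False, False]
    print("guide rule takes over after ping", takeover_index(flapping, 3))  # 4
    print("consecutive rule would wait until", consecutive_takeover_index(flapping, 3))  # 5
```

With Failures allowed set to 3, the sample sequence triggers takeover one ping earlier under the guide's rule than under a consecutive counter, because a single good ping only subtracts one from the total rather than resetting it.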

          • Load sharing parameters — [Available only for version 7.0.1 and later clusters that are configured
            in load sharing mode] Use the fields in this area to specify Layer 2 and cluster MAC address
            information. The following fields are available:

              • L2 Mode — Specify the layer 2 mode for this interface. The following values are available:
                  • Unicast - mirrored — Select this value if the switches that are connected to your firewalls can
                    be configured to send out, on multiple ports, traffic that is destined for single unicast MAC
                    addresses.

                  • Multicast — Select this value if the switches that are connected to your firewalls do not support
                    Unicast - mirrored mode, but do support multicast MAC addresses. This is the default value.

                  • Multicast no IGMP — Select this value if the switch that is connected to this interface supports
                    multicast MAC addresses and you do not want this interface to send IGMP messages that
                    advertise the cluster MAC address.

                  • Unicast - flooded — Select this value if the switches that are connected to your firewalls do not
                    support Multicast mode or Unicast - mirrored mode.

                      This mode does increase network overhead for every device that is connected to the switch.

              • Cluster MAC — Specify the cluster MAC address that will be shared by both firewalls in the cluster.

                  Do not modify the cluster MAC address unless this address conflicts with another device that is
                  attached to the same network. If you need to edit the value, do not change the first three octets
                  (xx.xx.xx.yy.yy.yy) of the address.
       • OK — Save the changes on this window.

       • Cancel — Close this window without saving any changes.


       Configuring configuration data for a cluster member
       Use the Cluster Member window to add or change configuration object data for the selected firewall cluster
       node object. This window has three nodes.
Figure 85 Cluster Member window

      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Clusters node to expand the list of clusters.

      3 Select a cluster to expand the list of nodes.

      4 Double-click the cluster node (member). The Cluster Member window is displayed.

      Buttons
      • OK — Save the changes that have been made on any of the areas and close this window.

         Note: Changes that you make on any individual area in this window are not saved until you click OK for the
         entire window.

      • Cancel — Close this window without saving any changes.

      Tree nodes
      This window has the following nodes in the tree:
      • General Settings — Provide node identification and configuration information. For more information, see
        Cluster Member window: General Settings area on page 256.

      • Interfaces — Displays the interface configuration information for each network interface on the firewall
        cluster node. See Cluster Member window: Interfaces area on page 257.

      • High Availability — Defines the node-specific high-availability configuration options for firewalls that are
        installed in a high-availability cluster. For more information, see Cluster Member window: High Availability
        area on page 260.

      Cluster Member window: General Settings area
      Use the General Settings area of the Cluster Member window to specify such node parameters as the node
      name, management IP address, management port, and software version. For more information about
      defining firewall objects, see Firewall objects on page 163. To view the fields in this area, see Figure 85 on
      page 255.

      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Clusters node to expand the list of clusters.

      3 Select a cluster to expand the list of nodes.

      4 Double-click the cluster node (member). The Cluster Member window is displayed.

      5 Make sure that the General Settings node in the tree is selected.

      Fields and buttons
      This area contains the following fields and buttons:
      • Name — [Read-only] Displays the host name by which the system identifies itself during network and
        login connections. The name may contain alphanumeric characters, hyphens, or periods. It cannot be
        totally numeric.

      • Description — Specify user-defined comments and information about the firewall and its configuration.

      • Configuration — Use the fields in this area to configure various parameters for the cluster member. The
        following fields are available:

         • Firewall Mgmt Address — Specify the IP address of the network interface on the firewall that the
           Control Center Management Server uses to manage the firewall.

   • Firewall Mgmt Port — Specify the port number that the firewall uses to communicate with the Control
     Center Management Server. The default management port is 9005. The value that you specify in this
     field must match the value that is specified on the firewall by using its native GUI. Changing this value
     and applying the change does not change the value on the firewall.

   • Version — [Read-only] Displays the version of software installed in the firewall. This information is
     necessary so that the Control Center can produce the correct format of data sent to the firewall when
     the configurations are applied.

   • Time Zone — [Read-only] Displays the time zone in which the firewall is located.

   • Location — Specify user-defined location information. This information can be used to provide a
     user-defined alternate view of the way that the firewalls are organized and displayed in the Firewalls
     group bar of the Object Configuration area. For more information, see Reviewing your configured
     firewalls on page 594.

   • Contact — Specify user-defined contact information. This information can be used to provide a
     user-defined alternate view of the way that the firewalls are organized and displayed in the Firewalls
     group bar of the Object Configuration area. For more information, see Reviewing your configured
     firewalls on page 594.

• Firewall Properties — Use the fields in this table to specify a user-defined category/value. Use the
  categories to develop a classification hierarchy for firewalls that are installed in your configuration. This
  category/value pair can be used to sort firewalls by using a user-defined sorting scheme (in addition to
  the built-in Location and Contact categories). As user-defined categories are created, they are displayed
  in the Category list. By carefully defining a sorting scheme and identifying each firewall by using one or
  more categories, a powerful sorting scheme can be applied to obtain views of firewalls by using the
  Firewall Sorting Manager window.

Cluster Member window: Interfaces area
Use the Interfaces area of the Cluster Member window to perform the following tasks:
• Assign all of the network link elements to the interface, such as IP address, network mask, burb, and NIC
  for outgoing packets.

• Select Quality of Service (QoS) profiles and define shared addresses for an interface.

• Create standard or VLAN interfaces.

The internal and external network interfaces of the firewall are defined during the initial configuration. You
can create an unlimited number of interfaces. Up to 63 interfaces can be enabled at one time, in a
combination of standard and VLAN interfaces.
For more information about defining firewall objects, see Firewall objects on page 163.
Figure 86 Cluster Member window: Interfaces area

      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Clusters node to expand the list of clusters.

      3 Select a cluster to expand the list of nodes.

      4 Double-click the cluster node (member). The Cluster Member window is displayed.

      5 Select the Interfaces node in the tree. The Interfaces area is displayed.

      Tabs
      This area has the following tabs:
      • Firewall Interfaces — Specify interfaces for this firewall. See Firewall Interfaces tab on page 258.

      • NICs/NIC Groups — Configure the physical NIC and create NIC groups for redundant NICs. See
        NICs/NIC Groups tab on page 259.

      Firewall Interfaces tab
      The Firewall Interfaces tab has the following fields and buttons:
      • Enabled — Determines whether the associated interface is enabled. Select or clear the checkbox to
        enable or disable the interface.

      • Name — Specify the name of a network interface or a Virtual LAN (VLAN) interface.

      • IP Address — Specify the unique IP address of the network interface. This value must be a valid IPv4
        address in dotted quad format. If you want to configure this interface to connect to a Dynamic Host
        Configuration Protocol (DHCP) server, leave this field blank and select DHCP in the Type field. This field
        will then display DHCP as its value.

          You can specify a slash-format netmask length (for example, x.x.x.x/y where x is a number between 0
          and 255 and y is a number between 0 and 31). After you move the mouse to another field, the mask
          length is removed from this field and the appropriate netmask is displayed in the Mask field. For
          example, if you specified 24, the value will be 255.255.255.0. If you do not specify an IP address
          value, the default Mask value, which is 255.255.255.0, is provided.

      • Mask — Specify the subnet mask assigned to a network interface. This value must be a valid IPv4 address
        in dotted quad format and it must also be a contiguous subnet mask. If you are configuring this interface
        to connect to a DHCP server, leave this field blank and select DHCP in the Type field. This field will then
        display DHCP as its value.
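The IP Address and Mask rules above (and the same slash-format rule for the Shared addresses and Force Arp Reset tables of the Cluster Interface Properties window) can be checked before a configuration is applied. The following validator is an added example, not Control Center code; it implements only the rules the guide states, and the function names are my own:

```python
"""Validation of the IP Address / Mask field rules described above.

Added example, not Control Center code: it implements only the rules the
guide gives for these fields (dotted-quad IPv4, optional /y suffix with y in
0..31 that replaces the Mask field, default mask 255.255.255.0, Mask must be
a contiguous netmask, blank IP with Type DHCP displays DHCP). Names are my own.
"""
import re
from typing import Tuple

DEFAULT_MASK = "255.255.255.0"
_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_dotted_quad(text: str) -> int:
    """Return the 32-bit value of a dotted-quad string; ValueError if malformed."""
    match = _DOTTED_QUAD.match(text.strip())
    if not match:
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = [int(g) for g in match.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted_quad(value: int) -> str:
    """Render a 32-bit value as a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(length: int) -> str:
    """Expand a slash-format length (0..31, as the guide states) to a dotted netmask."""
    if not 0 <= length <= 31:
        raise ValueError(f"mask length {length} outside 0..31")
    return to_dotted_quad((0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF)


def is_contiguous_mask(mask: str) -> bool:
    """True when the mask is all ones followed by all zeros (e.g. 255.255.255.0)."""
    inverted = (~parse_dotted_quad(mask)) & 0xFFFFFFFF
    # The inverted host part of a contiguous mask is 2**k - 1, so inv & (inv + 1) == 0.
    return inverted & (inverted + 1) == 0


def parse_address_field(ip_field: str, mask_field: str = "",
                        iface_type: str = "Standard") -> Tuple[str, str]:
    """Return (ip, mask) as the window would display them, or raise ValueError."""
    ip_field, mask_field = ip_field.strip(), mask_field.strip()
    if not ip_field:
        # Blank IP is only meaningful for a DHCP interface; the field then shows DHCP.
        if iface_type.upper() == "DHCP":
            return "DHCP", "DHCP"
        raise ValueError("IP address is required unless Type is DHCP")
    if "/" in ip_field:
        ip_text, length_text = ip_field.split("/", 1)
        # A /y suffix is stripped and its netmask replaces whatever was in Mask.
        mask = prefix_to_mask(int(length_text))
    else:
        ip_text, mask = ip_field, (mask_field or DEFAULT_MASK)
    ip = to_dotted_quad(parse_dotted_quad(ip_text))
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ip, mask
```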

      • Type — Specify the type of interface that you are configuring. The following values are available:

          • Standard — Indicates a single network that is attached to one NIC or NIC group.

          • VLAN — Indicates that one of the virtual networks is managed by the NIC.

      • VLAN ID — Specify the VLAN identifier for this interface. For each NIC set of VLANs, each number must
        be unique. This field is not available if the value of the Type field is not set to VLAN. Valid values are from
        1 to 4094.

      • Burb — Specify the burb that is attached to this network interface.

      • NIC/NIC Group — Specify the NIC or the NIC group that is currently attached to this network interface.

      • Advanced... — Display the McAfee Firewall Enterprise Interface window, in which you can configure
        additional features for this interface.

      • Delete — Click x (Delete) in the row to be deleted. The interface is deleted from the firewall after you
        click OK in this window.

      • (Information area) — [Read-only] Displays information about the highlighted interface in the list.

      • (Add) — Adds a new firewall interface to the bottom of the list.

NICs/NIC Groups tab
Use the NICs/NIC Group tab to configure the physical NIC and to create NIC groups for redundant NICs. A
primary reason for NIC groups is to provide redundant NIC functionality. If a primary NIC in a group stops
working or is disconnected, the standby NIC starts passing the traffic. To configure a new NIC group with a
primary and a secondary NIC, click Add to display the NIC Group window.
A maximum of 26 NICs can be installed in a firewall at one time, including the two onboard NICs. A
dual-port NIC counts as two NICs, a quad-port NIC counts as four NICs, and so on.
Figure 87 NICs/NIC Groups tab on the Cluster Member window: Interfaces area




Fields and buttons
This tab has the following fields and buttons:
• NICs — Use the fields in this table to configure the settings for each NIC.

   • Name — [Read-only] Displays the name of the NIC.

   • MAC Address — [Read-only] Displays the MAC address of the NIC. The MAC address is used for
     communication at the data-link layer.

   • Speed Mode — Specify the speed for packet delivery. If you select autoselect, the NIC communicates
     with the network to determine this value. The none option is used for NICs that do not have any speed.
     An example of this is a virtualized firewall. Otherwise, you can select an exact value from this list.

   • Capabilities — Specify the media capabilities of the NIC.

       To select the values for this list:

       First, click the down arrow. The list of values is displayed, along with a Find field and button.

       Second, if you do not need to filter the list, go to the next step. To filter the list of values, in the
       Find field, specify a value or a partial value or an internal value (as in part of an IP address if you
       are working with objects that reference them) and click Find. Only those values that match your
       find criteria are displayed.

       Third, select the checkbox of each value that you want to add to this field and click the down arrow
       to close the drop-down display. If you have selected more than one value, they are displayed in a
       comma-delimited list in this field.

             The following values are available:

             • rxcsum — Enables hardware checksum verification for incoming IPv4 packets.

             • txcsum — Enables hardware checksum generation for outgoing IPv4 packets.

             • jumbo_mtu — Configures the network interface to receive jumbo frames. This value is available
               only on NICs that support jumbo frames.

         • Description — Specify a description for this NIC.

      • NIC Groups — Use the fields in this table to modify an existing NIC group or click Add to add a new one.

         • Name — [Read-only] Displays the name of the NIC group.

         • NICs — [Read-only] Displays the list of NICs that are attached to this NIC group.

         • Description — Specify a description for the NIC group.

         • Modify — Click Modify NICs... to display the NIC Group window, in which you can edit the settings
           for this NIC group.

         • Delete — Click x (Delete) in the row to be deleted. The NIC group is deleted from the firewall after
           you click OK in the Cluster Member window.

         • Add — Displays the NIC Group window, in which you can add a new NIC group.

      Cluster Member window: High Availability area
      Use the High Availability area of the Cluster Member window to configure HA settings that are unique to the
      selected cluster node. You can designate a cluster mode, enable HA for the node, and specify a takeover
      time.
      Figure 88 Cluster Member window: High Availability area




      Accessing this area
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Clusters node to expand the list of clusters.

      3 Select a cluster to expand the list of nodes.

      4 Double-click the cluster node (member). The Cluster Member window is displayed.

      5 Select the High Availability node in the tree. The High Availability area is displayed.

       Fields and buttons
       This window has the following fields and buttons:
       • ClusterMode — Use the field in this area to specify the mode of the cluster to which this member (node)
         belongs. The following values are available:

          • Primary — Indicates that the node is primary in a primary/standby HA cluster.

          • Load Sharing — Indicates that the node is part of a load-sharing HA cluster.

          • Standby — Indicates that the node is standby in a primary/standby HA cluster or is part of a
            peer-to-peer HA cluster.

       • Control — Use the fields in this area to indicate whether HA is enabled for the selected cluster node.

          • Enabled — Select this option to enable the node.

          • Disabled — Select this option to disable the node.

       • Takeover Time — Use the field in this area to specify the number of seconds that the primary node must
         be unavailable before the standby node will begin the takeover process.



Device groups
       In the Firewalls group bar of the Configuration Tool, besides firewalls and clusters, you can add device
       groups to the list of firewall objects that can be managed by the Control Center.


       Configuring groups of related device objects
       Use the Device Groups Manager window to define groups of related objects that will be simultaneously
       managed. The purpose of a group is object-specific; however, the act of creating groups is the same. Two
       or more related objects are associated under an aggregated object name to simplify management of
       multiple objects.
       There are different ways to access the Device Groups Manager window, depending on the type of group
       that you want to create. The name of the window changes to match the group that is being created.
       Figure 89 Device Groups Manager window

      Accessing this window
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Double-click Device groups in the tree. The Device Groups Manager window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Group Name — Specify a user-defined name for the firewall group that you are creating.

      • Description — Provide a meaningful description about the reason that this firewall group has been
        defined.

      • Members — Use the fields in this area to determine the firewalls that will be members of this group.

         • Find — Specify a value in this field and click Find to filter the display of firewalls so that only those
           that match the criteria that you have specified are displayed in the table.

         • Firewalls — Select one or more firewalls to include in this group.

      • OK — Save the firewall (device) group under the Device Groups node in the tree.

      • Cancel — Close this window without saving any changes.

6 Configuration Tool - Firewall Settings


       Contents
       Firewall settings
       Common (global) settings
       Audit export
       McAfee Firewall Profiler
       Firewall Reporter / Syslog settings
       Network defenses
       Viewing and managing IPS signatures by using the IPS Signature Browser
       TrustedSource
       Virus scanning
       Quality of Service
       DNS zones
       Scheduled jobs
       Third-party updates
       Software update package status



Firewall settings
       The Firewall Settings group bar of the Configuration Tool contains a tree that displays all of the objects that
       can be configured on a firewall.
       The following objects can be configured:
       • Global settings — Specify a common group of features that can be applied to a number of McAfee
         Firewall Enterprises. Features include a default application defense group, password and passport
         authenticators, burbs, server and service settings, and virus scanning properties. See Common (global)
         settings on page 264.

       • Audit export — Configure audit archive settings for a firewall by using the Audit Export window. See
         Audit export on page 268.

       • Profiler — Configure the McAfee Firewall Profiler object that you can assign to a firewall (version 7.0.1.02
         and later) in the Offbox Settings area of the Firewall window. See McAfee Firewall Profiler on page 272.

       • Firewall Reporter / Syslog — Configure the export of audit data to the syslog server of a McAfee
         Firewall Reporter or to designated syslog servers. See Firewall Reporter / Syslog settings on page 273.

       • Network defenses — Configure and maintain the audit data that the firewall generates for each of the
         specified protocols and the frequency with which to generate that audit. See Network defenses on
         page 278.

       • Servers and service settings — Specify a network service that is associated with a server agent, or
         daemon, that is running on the firewall. Server services are created during the initial configuration of the
         firewall. They include services that are used for the following purposes:

          • Management of the firewall (for example, Admin Console)

          • Access to a networked service (for example, SNMP Agent)

          • Routing services (for example, gated, routed)

          • VPN connections (for example, ISAKMP server)

          • Firewall-specific functions (for example, cluster registration server)

              You can modify basic properties that are associated with these services. However, additional server
              services cannot be created. See Managing servers and service configurations on page 291.

       • IPS Signature Browser — Specify the Intrusion Prevention System (IPS) signatures that have been
         installed. Use the IPS Signature Browser window to view and manage these signatures. You can also
         separately manage the signature settings and the signatures. See Viewing and managing IPS signatures
         by using the IPS Signature Browser on page 302.

       • TrustedSource — Specify global TrustedSource technology settings for rules. See TrustedSource on
         page 304.

       • Virus Scan — Specify virus scanning properties. These properties include parameters for distributing
         scanner processes for incoming and outgoing traffic, controlling buffer sizes, handling archives, and
         scanning encrypted files. See Virus scanning on page 308.
       • Quality of Service — Specify Quality of Service (QoS) profiles that contain one or more queues that you
         can use to prioritize network performance based on network traffic type. See Quality of Service on
         page 310.

       • DNS zones — Specify Domain Name System (DNS) zone objects that can be created and managed by a
         firewall. See DNS zones on page 312.

       • Scheduled jobs — Specify jobs that can be scheduled to perform routine maintenance tasks on a firewall.
         See Scheduled jobs on page 322.

       • Third-party updates — Specify a schedule on which the entities for the following content inspection
         methods are updated: virus scan updates, IPS signature updates, and Geo-Location updates. See
         Third-party updates on page 326.

       • Package load — Specify a schedule that can be used to check for the availability of packages on the
         download site. You can then download them to a firewall. See Software update package status on
         page 331.



Common (global) settings
       There are a group of features that can be applied to multiple firewalls, such as a default application defense
       group, password and passport authenticators, burbs, and so on. You can configure all of these settings from
       one window in the Configuration Tool—the Global Settings window.


       Configuring common (global) settings
       Use the Global Settings window to define a common group of features that can be applied to a number of
       firewalls. Such features include a default application defense group, password and passport authenticators,
       burbs, server and service settings, virus scanning properties, and other settings.
       After you have created a global setting, you can apply it to a particular firewall by using the Miscellaneous
       area of the Firewall window.
       Note: You can also define unique settings in that same Miscellaneous area instead of using these global settings.








Figure 90 Global Settings window




          Accessing this window
          1 In the Configuration Tool, click the Firewall Settings group bar. The Firewall Settings tree of objects is
            displayed.

          2 Double-click the Global Settings node.

          Fields and buttons
          This window has the following fields and buttons:
          • Name — Specify a name for this group of global settings.

          • Description — Provide information about the global settings.

          • Firewall Settings Objects — Use the fields in this area to select, edit, or add objects that are located
            on the tree in the Firewall Settings group.

             You can create a new object or edit an existing object for every field in this area.

             To edit an existing object:

             First, select the object in the list.

             Next, click         (Edit selected). The respective object window is displayed.

             To add a new object:

             Click       . The respective object window is displayed.








         The following fields are available in this area:

         • Network Defense — Specify the network defense to use in this global setting. (See Configuring
           network defense audit reports on page 279.)

         • Server and Service Settings — Specify the server and service setting configuration to use in this
           global setting. (See Managing servers and service configurations on page 291.)

         • IPS Signature Browser — Specify the IPS Signature Browser objects to use in this global setting.
           (See Viewing and managing IPS signatures by using the IPS Signature Browser on page 302.)

         • Virus Scan — Specify the virus scan configuration to use in this global setting. (See Virus scanning on
           page 308.)

         • TrustedSource — Specify the TrustedSource configuration to apply to a firewall. (See Configuring
           TrustedSource settings for rules and mail filtering on page 305.)

         • Third-Party Updates — Specify the update schedule to apply to a firewall. (See Configuring
           third-party update schedules on page 326.)

         • Scheduled Jobs — Specify the scheduled job set to apply to a firewall. (See Scheduling jobs on
           page 322.)

         • Package Load — Specify the configuration to use to check for and load packages to install on a
           firewall. (See Establishing a schedule to check for software updates on page 331.)

      • Policy Objects — Use the fields in this area to configure the policy objects.

         To edit an existing object:

         First, select the object in the list.
         Next, click         (Edit selected). The respective object window is displayed.

         To add a new object:

         Click       . The respective object window is displayed.

         The following fields are available in this area:

         • Internet burb — Specify the single burb that communicates directly with the Internet. (See
           Configuring burbs on page 341.)

         • Default application defense group — Specify the application defense group to apply, by default, in
           new rules for a firewall. (See Configuring application defense groups on page 418.)

         • Password Authenticator — Specify the password authenticator to apply to a firewall. (See
           Configuring password authenticators on page 426.)
         • Passport Authenticator — Specify the passport authenticator to apply to a firewall. (See Configuring
           passport authenticators on page 428.)

      • Reputation Threshold — Use the field in this area to configure your TrustedSource filtering and to
        specify an associated setting.

         • Perform TrustedSource filtering on inbound mail — Determines whether the TrustedSource™
           reputation service is used to reduce the amount of spam that reaches an organization's in-boxes. This
           option is cleared by default. If you select this option, the associated control allows you to specify a
           value that is used to distinguish legitimate senders of e-mail from untrustworthy ones. Values range
           from 0 to 120. The default value is 80. Messages from senders with reputation scores above the
           selected Reputation Threshold are rejected. Trustworthy senders receive low scores, and
           untrustworthy senders receive high scores. Values are associated with TrustedSource reputation
           classes.








        TrustedSource reputation classes are defined as follows:
         Table 11 TrustedSource reputation classes
         Value    Class        Definition
         <0       Trusted      The IP address is a legitimate sender or a source of substantial amounts of legitimate e-mail.
         0-14     Neutral      The IP address is probably a legitimate sender. However, the IP address could send small amounts of e-mail requiring further inspection.
         15-29    Unverified   The IP address may be a legitimate sender. However, the IP address displays a few properties indicating that there should be further content inspection of e-mails that are received from that address.
         30-49    Suspicious   The IP address shows many spam sender characteristics, and e-mail that is received from that address requires special scrutiny.
         50+      Malicious    The IP address has been used to send spam or phishing, or should not send any e-mail messages in general.


• Lockout Threshold — Use the field in this area to enable lockout and to specify an associated setting.

   • Enable Lockout — Determines whether a user whose account reaches a specified authentication
     attempt threshold is locked out until the lock is cleared by an administrator. This option is cleared by
     default. If you select this option, you can specify the number of failed login attempts that can occur for
     a single user account before the user is locked out of the firewall.

• Uninterruptible Power Supply (UPS) — Use the fields in this area to enable UPS and specify associated
  settings. The following fields are available:
   • Enable UPS — Determines whether a UPS device is enabled for a firewall. This checkbox is cleared by
     default. If you select this checkbox, the following fields are available:

       • Serial Port — Specify the serial port that is connected to the UPS. Available values are COM1 and
         COM2. The default value is COM1.

       • Battery Time (sec) — Specify the number of seconds that the UPS battery will last before its power
         is considered to be low. The default value is 900.
          If UPS is enabled and a power outage occurs, the firewall monitors the UPS and performs an orderly
          shutdown when the power of the UPS battery begins to be low.

• Other Settings — Use the fields in this area to specify other settings.

   • Enforce U.S. Federal Information Processing Standard 140-2 — Determines whether the
     requirements of the FIPS 140-2 standard are applied to a firewall. This standard specifies security
     requirements for cryptographic modules. This checkbox is cleared by default.

   • Delete home directory upon deletion of user — Determines whether a user's home directory is
     deleted automatically when the user account is deleted. This option is cleared by default.

   • Blackhole source IP if attack IP cannot be confirmed (responses) — Determines whether a
     source IP address is blackholed when the related audit message does not have an Attack IP field. This
     option is cleared by default. If this option is selected, connections from the IP address originating the
     attack will not be accepted.

   • Enforce health monitor auditing — Determines whether audit data on the system's health status
     are generated and statistics about network and system utilization are recorded. This option is selected
     by default.

   • Allow Secure Alerts to be sent to Control Center — Determines whether Secure Alerts are allowed
     to be sent by any firewall to the Control Center Management Server.

       To configure the alerts, you must also go to the IPS Attack Response window or the System
       Response window and select Send Secure Alert.








Audit export
            You can export audit reports to another location, where they can be printed, viewed directly, or opened in a
            reporting or editing tool.


            Configuring audit archive settings for a firewall
            Use the Audit Export window to configure audit archive settings for a firewall. Use this window to create an
            audit export configuration that specifies the information needed to export audit archives to a remote
            location (for example, location, protocol, format, target directory), and to set up a schedule for exporting
            them. You can also configure settings to export the audit archives to the Control Center Management
            Server.
            After you configure audit export settings using this window, you can use other features of the Configuration
            Tool and the Reporting and Monitoring Tool to select an audit export configuration for a particular firewall,
            export the audit archives for that firewall to the Management Server, and generate and view an audit report
            from the exported audit data. Use the following general procedures:

            Configuration Tool
            1 Use the General Settings area of the Firewall window to select an audit export configuration for a firewall
              and to select a certificate for signing the archives.

            2 Use the Device Control window to initiate export of audit archives for a particular firewall.

            Configuration Tool or Reporting and Monitoring Tool
            Use the McAfee Firewall Enterprise Audit Report window to generate an audit report from the exported
            audit archives.
Figure 91 Audit Export window








Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Audit Export node. The Audit Export window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for this audit export configuration.

• Enable Audit Export — Determines whether the audit export configuration is enabled. This checkbox is
  selected by default.

• Description — Provide information about the audit export configuration.

• OK — Save all of the changes on all of the tabs of this window.

• Cancel — Close this window without saving any changes.

Tabs
This window also has the following tabs:
• Export Locations — Specify settings required to transfer firewall audit archives to remote locations and
  export audit archives to the Control Center Management Server. For more information, see Audit Export
  window: Export Locations tab on page 269.

• Frequency — Specify a schedule for transferring the audit logs to a remote location. For more
  information, see Audit Export window: Frequency tab on page 270.

Audit Export window: Export Locations tab
Use the Export Locations tab on the Audit Export window to specify the remote locations to which to
transfer firewall audit archives, select the transfer protocol, and choose the format for exporting the audit
data. To view the fields on this tab, see Figure 91 on page 268.

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Audit Export node. The Audit Export window is displayed.

3 Make sure that the Export Locations tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Name — Specify a name that identifies a remote location.

• Protocol — Specify the protocol to use for transferring archives to the remote location. The following
  values are available:

   • FTP — File Transfer Protocol

   • SCP — Secure Copy

• Format — Specify the format to use when exporting the audit data. The following values are available:

   • ASCII — Converts audit data to ASCII and exports it to a text file.

   • Binary — Exports audit data in a binary format.

   • HTTP (W3C Extended Log) — Converts audit data to the W3C extended log file format, an improved
     format for Web server log files, and exports it for use by third-party reporting tools.

   • SEF — Converts audit data to ASCII text and exports it in the format used by the McAfee Firewall
     Reporter.








              • WebTrends® Extended Logging — Converts audit data to the WebTrends Extended Log File format
                (WELF) and exports it for use by commercial software packages.

              • Verbose ASCII — Converts audit data to ASCII with additional information. It can be displayed with
                any text-viewing program.

              • XML — Converts audit data to standard XML, which can be viewed with any Web browser.

           • Host — Specify the host name or IP address of the remote system to which to export audit archives. You
             can specify one or more letters at the top of the list to filter your search.

           • User Name — Specify the login name to be used on the remote system.

           • Password — Specify the password that is associated with the login name specified in the User Name field.

           • Target Directory — Specify the path name of the directory on the remote system that can be used for
             audit archives.
           • Export to Control Center — Determines whether audit archives are exported to the Control Center
             Management Server. This checkbox is cleared by default. If you select this checkbox, you must manually
             unlock the ftp user account on the Management Server. The following fields are also available:

              • User Name — [Read-only] Displays ftp, which denotes the secure ftp user account on the
                Management Server. The secure ftp user account has the permissions required to write to the
                Management Server directories. The protocol that is used to export the archives to the Management
                Server is SCP.

              • Password — Specify the password that is assigned to the secure ftp user on the Control Center
                Management Server.

              • Confirm Password — Specify the password that you specified in the Password field.

           Audit Export window: Frequency tab
           Use the Frequency tab of the Audit Export window to specify a schedule for transferring the audit logs to a
           remote location.
  Figure 92 Audit Export window: Frequency tab








Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Audit Export node. The Audit Export window is displayed.

3 Click the Frequency tab.

Fields and buttons
This tab has the following fields and buttons:
• Frequency — Specify the frequency with which the audit logs are to be exported. The following values
  are available:

   • Bimonthly

   • Monthly

   • Weekly

   • Daily

   • Hourly (default value)

   • Custom

   If you select Custom, the Custom Frequency area is available.

• Custom Frequency — Use the fields in this area to configure a schedule for exporting audit logs with a
  frequency that is tailored to meet the needs of your site.

   • Job begins daily at — Select this option to specify a daily schedule that begins at a particular time.
     Time is expressed in hours and minutes. If you select this option, the other fields in this area are
     disabled.

   • Custom Schedule — Select this option to specify a custom schedule. This option is selected by
     default. If this option is selected, use the other controls on this panel to specify the schedule.
   • Perform job every month — Determines whether the audit export is performed every month. This
     checkbox is selected by default. If you clear this checkbox, you may select one or more months in
     which to perform the job.

   • Perform job on every day of the month — Determines whether the audit export is performed on
     every day of the specified month(s). This checkbox is selected by default. Clear this checkbox to select
     one or more days on which to perform the job.
   • Perform job on every day of the week — Determines whether the audit export is performed on
     every day of the week. This checkbox is selected by default. Clear this checkbox to select one or more
     days of the week on which to perform the job.

   • Perform job on each hour — Determines whether the audit export is performed on each hour of the
     specified day. This checkbox is selected by default. Clear this checkbox to specify the hour or hours
     during which to perform the job in the Perform job at the following hours field. Hours must be
     separated with commas or specified as a range (for example, 1, 3, 5, 11-12). Hours are expressed
     using a 24-hour clock.

   • Perform job on every minute — Determines whether the audit export is performed every minute of
     the specified day. This checkbox is selected by default. Clear this checkbox to specify the minute or
     minutes during which to perform the job in the Perform job at the following minutes field. Minutes
     must be separated with commas or specified as a range (for example, 0-2, 4, 7).
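As an added example (not part of the guide or the product), the following Python parses the hour and minute syntax described above ("1, 3, 5, 11-12", "0-2, 4, 7"), rejects out-of-range values, and evaluates a Custom Schedule against a timestamp. Treating a cleared checkbox as an explicit set of allowed values and a selected one as "every", and numbering the days of the week Monday=0 through Sunday=6, are assumptions.

```python
"""Evaluate the Custom Frequency settings of an audit export schedule.

Added example, not Control Center code.  Assumptions: a cleared "Perform job
..." checkbox becomes an explicit set of allowed values, a selected checkbox
means "every" (None here); days of the week are numbered Monday=0 .. Sunday=6.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, Optional


def parse_field(spec: str, lo: int, hi: int) -> FrozenSet[int]:
    """Parse the hours/minutes syntax: comma-separated values and ranges,
    e.g. "1, 3, 5, 11-12".  Values outside [lo, hi] raise rather than being
    clamped, so a typo cannot silently widen the export window."""
    values = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty item in {spec!r}")
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start, end = int(start_s), int(end_s)
            if start > end:
                raise ValueError(f"descending range {item!r}")
        else:
            start = end = int(item)
        if start < lo or end > hi:
            raise ValueError(f"{item!r} outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return frozenset(values)


def _as_set(values: Optional[Iterable[int]]) -> Optional[FrozenSet[int]]:
    return None if values is None else frozenset(values)


@dataclass(frozen=True)
class CustomSchedule:
    months: Optional[FrozenSet[int]] = None          # 1-12
    days_of_month: Optional[FrozenSet[int]] = None   # 1-31
    days_of_week: Optional[FrozenSet[int]] = None    # 0=Monday .. 6=Sunday (assumed)
    hours: Optional[FrozenSet[int]] = None           # 0-23, 24-hour clock
    minutes: Optional[FrozenSet[int]] = None         # 0-59

    @classmethod
    def from_fields(cls, hours: Optional[str] = None, minutes: Optional[str] = None,
                    months=None, days_of_month=None, days_of_week=None) -> "CustomSchedule":
        """Build from the window's fields; None keeps the "every" default."""
        return cls(
            months=_as_set(months),
            days_of_month=_as_set(days_of_month),
            days_of_week=_as_set(days_of_week),
            hours=None if hours is None else parse_field(hours, 0, 23),
            minutes=None if minutes is None else parse_field(minutes, 0, 59),
        )

    def fires_at(self, when: datetime) -> bool:
        """All five dimensions must match, like a cron line."""
        checks = (
            (self.months, when.month),
            (self.days_of_month, when.day),
            (self.days_of_week, when.weekday()),
            (self.hours, when.hour),
            (self.minutes, when.minute),
        )
        return all(allowed is None or value in allowed for allowed, value in checks)

    def fires_on(self, year: int, month: int, day: int, hour: int, minute: int) -> bool:
        return self.fires_at(datetime(year, month, day, hour, minute))

    def runs_per_day(self) -> int:
        """Exports per matching day.  With every checkbox left selected (the
        defaults described above) this is 24 * 60 = 1440: the job runs every minute."""
        hours = 24 if self.hours is None else len(self.hours)
        minutes = 60 if self.minutes is None else len(self.minutes)
        return hours * minutes
```

With every checkbox left selected, as the defaults above describe, the custom schedule fires 1440 times a day; runs_per_day() makes that visible before the configuration is applied to a firewall.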








McAfee Firewall Profiler
       You can use McAfee Firewall Profiler to monitor your firewall by investigating support issues or assessing
       the impact of firewall policy changes. For McAfee Firewall Profiler information, see the McAfee Firewall
       Profiler Product Guide.


       Configuring McAfee Firewall Profiler settings
       Use the Profiler window to create an object for the McAfee Firewall Profiler. You can then assign this object
       to a firewall (version 7.0.1.02 and later).
       If the firewall loses connection to the McAfee Firewall Profiler for some reason, after the connection has
       been reestablished, you can resynchronize the firewall policy with the McAfee Firewall Profiler by
       configuring the Resynchronize policy to McAfee Firewall Profiler option in the Device Control window.
       For more information, see Managing firewall shutdown and suspension states and other maintenance
       settings on page 656.
       Figure 93 Profiler window




       Accessing this window
       1 In the Configuration Tool, select the Firewall Settings group bar.

       2 Double-click the Profiler node. The Profiler window is displayed.

       Fields and buttons
       This window has the following fields and buttons:
       • Name — Specify a name for this McAfee Firewall Profiler object.

       • Description — Specify a description for this object.

       • Profiler IP address — Specify the IP address for this McAfee Firewall Profiler object.

       • Port — Specify the port on which the Control Center will communicate with the McAfee Firewall Profiler.
         The default value is 7775.

       • Profiler common name (CN) — Specify the common name from the certificate that the McAfee Firewall
         Profiler uses to communicate with the firewall.

       • Profiler CA certificate — Specify the CA certificate that is used to validate the McAfee Firewall Profiler
         certificate that is used for communication. When you click either    (Edit selected) or      (Add), the CA
         Certificate Import Wizard is displayed. For more information, see Creating certificates or importing them
         into the certificate database on page 515.








           To edit an existing object:

           First, select the object in the list.

           Next, click           (Edit selected). The respective object window is displayed.

           To add a new object:

           Click       . The respective object window is displayed.

       • SCP connection — Use the fields in this area to specify the username and password values that are used
         to validate policy transfers to the McAfee Firewall Profiler. The following fields are available:

           • Username — Specify the username that is used to validate policy transfers to the McAfee Firewall
             Profiler. The default value is swcfg.

           • Password — Specify the password for the username that is specified in the Username field.

       • OK — Save the changes that were made on this window.

       • Cancel — Close this window without saving any changes.



Firewall Reporter / Syslog settings
       The McAfee Firewall Enterprise uses the UNIX syslog facility to log messages that are sent by programs that
       are running on the firewall. These messages can be useful in tracking down unauthorized system users or in
       analyzing hardware or software problems. All syslog data is stored in the audit log files.
       Listed below are some basic points about syslog and how it works on the firewall:
       • syslog runs as a daemon process called syslogd.

       • Each application determines whether it will use syslog and also the types of messages that will be
         generated. Normally, applications generate messages of different severity levels, such as informational
         and critical.

       • Malicious users will often try to edit syslog files to hide any evidence of their break-ins. The firewall uses
         Type Enforcement to protect the syslog files from being modified by unauthorized users.

       • A copy of the syslog data is sent to the firewall’s audit log files.

       • The log files that have been generated by syslogd can grow large in size and can start using large amounts
         of hard disk space. To solve this problem, the log files are periodically rotated.

       To send audit data from your firewall to a McAfee Firewall Reporter or to designated syslog servers, use the
       Firewall Reporter / Syslog Settings window.
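As an added example (not from the guide or the product), the following Python builds and parses the RFC 3164 syslog envelope ("<PRI>message") that carries an exported audit record, using the facility names, the default facility local1 and the default maximum message length of 1024 that the Syslog Server window fields later in this section describe. The audit record text is constructed, and cutting the datagram at the configured maximum is an assumption about what the truncate option does.

```python
"""Encode and decode the syslog envelope used when audit data is exported to a
syslog server.  Added example, not Control Center code: the audit record text
is constructed, the facility table is RFC 3164's, and "truncate" is assumed to
mean cutting the datagram at the configured maximum length.
"""
from typing import Dict, Tuple

# RFC 3164 facility codes for the names the Remote facility field accepts.
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY_INFO = 6
DEFAULT_FACILITY = "local1"   # default of the Remote facility field
DEFAULT_MAX_LEN = 1024        # default of the Maximum message length field

# Constructed sample audit record (not real firewall output).
SAMPLE_RECORD = "auditid=constructed-0001 event=ACL_DENY src=192.0.2.10 dst=198.51.100.7"


def encode_pri(facility: str, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0-7")
    return FACILITIES[facility] * 8 + severity


def decode_pri(pri: int) -> Tuple[str, int]:
    """Invert encode_pri; a collector uses this to route records by facility."""
    facility_code, severity = divmod(pri, 8)
    names = {code: name for name, code in FACILITIES.items()}
    if facility_code not in names:
        raise ValueError(f"facility code {facility_code} is not a configurable facility")
    return names[facility_code], severity


def build_datagram(audit_record: str, facility: str = DEFAULT_FACILITY,
                   severity: int = SEVERITY_INFO, max_len: int = DEFAULT_MAX_LEN,
                   truncate: bool = True) -> bytes:
    """Return "<PRI>audit_record" as bytes, applying the maximum-length policy.

    With truncate=True the whole datagram (PRI included, since that is what the
    wire carries) is cut at max_len bytes; with truncate=False an oversize record
    is rejected so the caller sees the problem instead of losing the tail silently.
    """
    header = f"<{encode_pri(facility, severity)}>".encode("ascii")
    payload = header + audit_record.encode("utf-8")
    if len(payload) <= max_len:
        return payload
    if not truncate:
        raise ValueError(f"record of {len(payload)} bytes exceeds maximum {max_len}")
    return payload[:max_len]


def parse_datagram(data: bytes) -> Tuple[str, int, str]:
    """Split a received datagram into (facility name, severity, message text).

    errors="replace" keeps a record readable even when truncation split a
    multi-byte UTF-8 sequence at the cut point.
    """
    if not data.startswith(b"<") or b">" not in data[:6]:
        raise ValueError("missing PRI part")
    close = data.index(b">")
    facility, severity = decode_pri(int(data[1:close]))
    return facility, severity, data[close + 1:].decode("utf-8", errors="replace")
```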








      Configuring the exportation of audit data to a McAfee Firewall Reporter or to
      designated syslog servers
      Use the Firewall Reporter / Syslog window to configure the export of audit data to the syslog server of a
      McAfee Firewall Reporter or to designated syslog servers.
      Figure 94 Firewall Reporter / Syslog window




      Accessing this window
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the Firewall Reporter / Syslog node. The Firewall Reporter / Syslog window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a name for this Firewall Reporter / Syslog object.

      • Description — Specify a description for this object.

      • Firewall Reporter — Use the fields in this area to determine whether audit data will be exported to the
        syslog server of a McAfee Firewall Reporter and to configure the settings for that server. The following
        fields are available:

          • Export audit to McAfee Firewall Reporter — Determines whether the firewall will export audit data
            to the syslog server of a McAfee Firewall Reporter. The default value is cleared. If you select this
            checkbox, specify the settings for this McAfee Firewall Reporter in the following fields:

              • IP address — Specify a valid IP address for the syslog server of the McAfee Firewall Reporter. This
                is the IP address to which the audit data will be sent.






        • Port — Specify the port on which the firewall will communicate with the syslog server of the McAfee
          Firewall Reporter. The default value is 514.

        • Remote facility — Specify a syslog facility on the syslog server of the McAfee Firewall Reporter to
          help identify the audit export.

        • Audit filter — Specify a filter to include or exclude certain types of audit records from your export
          file. For more information about audit filters, see Configuring and generating audit reports for one
          or more firewalls on page 625.

• Export audit syslog servers — Use the fields in this table to specify, delete, or add syslog servers to
  which the firewall will export audit data. Depending on whether you are adding a syslog server or viewing
  an existing syslog server configuration, you can either specify information or view information in these
  columns. The following columns are available in this table:

    • Enabled — Determines whether this syslog server is going to receive audit data from the firewall.

    • IP Address — Specify (or view) the IP address of the syslog server.

    • Remote Facility — Specify (or view) the syslog facility to help identify the audit export.

    • Description — Specify (or view) a description for the syslog server.

    • Advanced — Displays the Syslog Server window, in which you can specify basic and advanced settings
      for the syslog server. For more information, see Configuring settings for a Syslog Server on page 276.

    • Delete — Click x (Delete) in the row to be deleted. The syslog server is deleted from the list after you
      click OK. You must also click OK in this window to save this deletion.

•        (Add) — Displays the Syslog Server window, in which you can specify a new syslog server to add to
    the bottom of the table on this window. For more information, see Configuring settings for a Syslog Server
    on page 276.

• OK — Save the changes that were made in this window.

• Cancel — Close this window without saving any changes.

• Versions — Click this button to view a display of all of the fields on this window that have version-specific
  availability. You can also view this same information at the field level by holding your mouse over the
  version level icon     and viewing the ToolTip.








      Configuring settings for a Syslog Server
      Use the Syslog Server window to specify the basic and advanced settings for the syslog server to which
      audit data is being sent from the firewall.
      Figure 95 Syslog Server window




      Accessing this window
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the Firewall Reporter / Syslog node. The Firewall Reporter / Syslog window is displayed.

      3 In the Export audit to syslog servers table, click Advanced in the row of the syslog server for which
          you want to configure these additional settings. The Syslog Server window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Basic Settings — Use the fields in this area to configure basic settings for the syslog server. The following
        fields are available:

          • Send audit data to syslog server — Determines whether audit data will be sent to this syslog server.
            The default value is selected.

          • Server address — Specify the IP address for the syslog server to which the audit data will be sent.

          • Remote facility — Specify the remote facility for the syslog server to which the audit data will be sent.
            Valid values include the following values: auth, daemon, kern, lpr, mail, news, syslog, user, uucp,
            and local0 through local7. The default value is local1.

          • Description — Specify a description for this syslog server.

      • Advanced Settings — Use the fields in this area to configure advanced settings for the syslog server.
        The following fields are available:

          • Server port — Specify the port of the syslog server to which the audit data will be sent. The default
            value is 514.


    • Send data that matches the following filter — Specify the audit filter that will be used to filter the
      audit data that will be sent to the syslog server. Only the audit data that matches the specified filter
      will be sent to the syslog server. The default value is <All audit data>. For more information about
      audit filters, see Configuring and generating audit reports for one or more firewalls on page 625.

    • Output data in the following format — Specify the format that will be used on the audit data for
      output. The following values are available:

        • sef — SEF output. This is the default value.
        • binary — Binary audit format. This is not recommended for syslog output.

        • ascii — ASCII formatted output.

        • vascii — Verbose ASCII formatted output.

        • wt — WebTrends Extended Log File format (WELF) formatted output.

        • xml — Extensible Markup Language (XML) formatted output.

        • http — Hypertext Transfer Protocol (HTTP requests) formatted output.

    • Maximum message length — Specify the maximum length of a single syslog message that will be sent to the
      syslog server. The default value is 1024, which matches the traditional BSD syslog (RFC 3164) message
      size limit. What happens to an audit record that is longer than this value is controlled by the Truncate
      messages that exceed maximum length checkbox.

    • Truncate messages that exceed maximum length — Determines how audit records that are longer than the
      Maximum message length are handled. If this checkbox is selected, any data beyond the maximum length
      is discarded and only the first part of the record reaches the syslog server. If this checkbox is cleared,
      the record is instead split into consecutive pieces, each no longer than the maximum length, and every
      piece is sent as its own syslog message until the entire record has been sent. The default value is selected.

    • Enable relaxed syslog — Determines whether to uphold the maximum length value that has been
      specified in the Maximum message length field and to include the hostname in the message. The
      default value is cleared.

• OK — Save the changes that were made in this window.

• Cancel — Close this window without saving any changes.
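The following Python snippet is an added example and is not part of the original guide or McAfee's implementation. It shows how a syslog exporter combines the Remote facility, Maximum message length and Truncate settings described above into the messages a syslog server actually receives. The facility codes are the standard RFC 3164 values for the facility names this window accepts; the severity value (info), the hostname, the tag and the sample record are assumptions made for the example.

```python
"""Added example (not McAfee's implementation): how a syslog exporter turns
one audit record into syslog message(s) under the Remote facility,
Maximum message length and Truncate settings described above."""
import socket
from typing import List

# RFC 3164 facility codes for the facility names this window accepts.
FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY_INFO = 6  # assumption: audit records are sent at severity 'info'


def pri(facility: str, severity: int = SEVERITY_INFO) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITY[facility] * 8 + severity


def frame(facility: str, hostname: str, tag: str, record: str,
          max_len: int = 1024, truncate: bool = True) -> List[str]:
    """Return the syslog message(s) that carry one audit record.

    truncate=True : anything past max_len is dropped; one message is sent
                    and the tail of a long record is lost.
    truncate=False: the record is cut into consecutive pieces so that every
                    message fits in max_len; the receiver must reassemble
                    them to see the whole record.
    """
    header = f"<{pri(facility)}>{hostname} {tag}: "
    room = max_len - len(header)
    if room <= 0:
        raise ValueError("Maximum message length leaves no room for data")
    if truncate or len(record) <= room:
        return [header + record[:room]]
    return [header + record[i:i + room] for i in range(0, len(record), room)]


def send_udp(server: str, port: int, messages: List[str]) -> int:
    """Send each message as one UDP datagram (port 514 is the default here).
    UDP transport is an assumption for the example."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (server, port))
            sent += 1
    return sent


# Constructed sample: a 2995-character audit record, longer than the default
# Maximum message length of 1024 (addresses are documentation ranges).
SAMPLE_RECORD = "srcip=198.51.100.7 dstip=203.0.113.9 payload=" + "a" * 2950


if __name__ == "__main__":
    # Default settings: local1, 1024, truncate selected -> one message,
    # the last ~2000 characters of the record never leave the firewall.
    for m in frame("local1", "fw-edge-1", "audit", SAMPLE_RECORD):
        print(len(m), m[:60])
    # Truncate cleared -> three messages that together carry the record.
    for m in frame("local1", "fw-edge-1", "audit", SAMPLE_RECORD, truncate=False):
        print(len(m), m[:60])
```

The practical point for a detection team: with the default (truncate selected) a long record silently loses whatever fields sit at its end, while with truncate cleared the record arrives as several syslog lines that the collector or SIEM parser must stitch back together. Whichever you choose, confirm that the receiving collector's own limit is not smaller than the value configured here.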



Network defenses
      Network defenses control the audit output for suspicious traffic at the data link, network, and transport
      layers that is detected by the firewall. Some traffic is stopped because a packet, or sequence of packets,
      resembles a known attack. Other traffic is stopped because a packet does not comply with its protocol’s
      standards. If network defenses are enabled, the audit reports provide detailed information on the denied
      traffic as shown below.




      If network defenses are not enabled, the firewall still stops suspicious traffic but does not generate audit, as
      shown in the following diagram:




      After you decide that you want to view these denied packets’ audit, you can configure the following options:
      • Audit packets that the firewall determines to be part of an identifiable attack based on attack description
        (incorrect header length, incorrect redirect, and so on).

      • Audit packets that are not specifically identified as a potential attack yet are not compliant with their
        protocol standards at the following levels:

         • All packets that do not comply with their protocol’s standards.

         • Packets that do not comply with their protocol’s standards and have been identified as a severe or
           moderate risk to your network.

         • Packets that do not comply with their protocol’s standards and have been identified as a severe risk to
           your network.

         • Do not generate audit when the firewall stops a packet because it does not comply with its protocol’s
           standard.



Configuring network defense audit reports
Use the Network Defenses Configuration window to configure and maintain the audit that the firewall
generates for each of the specified protocols and the frequency at which to generate that audit. A Network
Defense object is automatically created for every registered firewall. Expand the Network Defenses node to
access those objects.
All tabs on this window are similar in function and allow you to control the audit output for the given
protocol.
Note: The Restore Defaults option is not available when you are using the Control Center Client Suite.

Figure 96 Network Defenses Configuration window (with IPv6 enabled)




Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label for this network defenses configuration.

• Description — Provide information about this network defenses configuration.

• OK — Save the changes in this window. Changes on any tab are not saved until you click OK.

• Cancel — Close this window without saving any changes.



      Tabs
      This window has the following tabs:
      • TCP — Customize audit output for TCP packets. For more information, see Network Defenses
        Configuration window: TCP tab on page 280.

      • IP — Customize audit output for IP packets. For more information, see Network Defenses Configuration
        window: IP tab on page 281.

      • UDP — Customize audit output for UDP packets. For more information, see Network Defenses Configuration
        window: UDP tab on page 283.

      • ICMP — Customize audit output for ICMP packets. For more information, see Network Defenses
        Configuration window: ICMP tab on page 284.

      • ARP — Configure the audit data to be generated for ARP compliance issues that are stopped by the
        firewall. For more information, see Network Defenses Configuration window: ARP tab on page 286.

      • IPsec — Customize audit output for IPsec packets. For more information, see Network Defenses
        Configuration window: IPsec tab on page 287.
      • IPv6 — [Available only for version 7.0.1 or later firewalls with IPv6 enabled] Configure the audit data to
        be generated for IPv6 attacks and compliance issues. For more information, see Network Defenses
        Configuration window: IPv6 tab on page 289.

      Network Defenses Configuration window: TCP tab
      Use the TCP tab of the Network Defenses Configuration window to customize audit output for TCP packets
      that the firewall determines to be part of an identifiable attack based on attack description (for example,
      invalid offset or SYN flood) and non-protocol-compliant packets stopped by the firewall. If no attacks are
      selected and no compliance issues are selected, the firewall still stops suspicious traffic but does not
      generate audit. For the fields on this tab, see Figure 96 on page 279.

      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

      3 Select the TCP tab if it is not already displayed.

      Fields and buttons
      This tab has the following fields and buttons:
      • TCP Audits — Use the fields in this area to specify the TCP attacks for which you want to generate audit.
        The following fields are available:

         • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header
           to either select all checkboxes or to clear (unselect) all selected checkboxes.

         • Audit the selected TCP compliance issues — Select the way in which you want to audit packets
           that are not known attacks, but are also not compliant with the TCP standards. The following options
           are available:

             • All TCP compliance issues — Audits all TCP compliance issues

             • Severe and moderate TCP compliance issues — Audits severe and moderate TCP compliance
               issues

             • Severe TCP compliance issues — Audits severe TCP compliance issues only (This is the default.)

             • No TCP compliance issues — Does not audit TCP compliance issues



   • TCP Audit Frequency — Use the fields in this area to determine the frequency of generating audit for
     TCP issues. The following options are available:

       • Always audit — Indicates that an audit record will be generated for each audit event. With
         unlimited auditing, the log partition can overflow, thus creating problems for the firewall.

       • Limit auditing (recommended) — Specify parameters for limiting the number of records that are
         generated and the frequency at which they are generated. Generate an audit record for the first x
         occurrences at each y second interval. Multiple occurrences of the same audit event will not be
         recorded. An additional audit event will be generated to record the number of audit events that were
         suppressed.

          For example, the audit is limited to generating an audit event for the first three (3) occurrences at
          every 60 second interval. If the firewall stopped 100 SYN-ACK probes in 60 seconds, it generates
          three records for the first three denials, and then generates another audit record, stating that 97
          occurrences were suppressed in that 60-second timeframe.

          If you limit your audits in this manner, system load is reduced.
           • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the
             beginning of each timeframe.
           • every y seconds — Specify the timeframe at which to begin auditing the records.

Network Defenses Configuration window: IP tab
Use the IP tab of the Network Defenses Configuration window to customize audit output for IP packets that
the firewall determines to be part of an identifiable attack based on attack description (for example,
incorrect header length or bad options) and non-protocol-compliant packets stopped by the firewall. If no
attacks are selected and no compliance issues are selected, the firewall still stops suspicious traffic but
does not generate audit.
Figure 97 Network Defenses Configuration window: IP tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

3 Select the IP tab.



      Fields and buttons
      This tab has the following fields and buttons:
      • IP Audits — Use the fields in this area to specify the IP attacks for which you want to generate audit.
        The following fields are available:

         • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header
           to either select all checkboxes or to clear (unselect) all selected checkboxes.

         • Audit the selected IP compliance issues — Select the way in which you want to audit packets that
           are not known attacks, but are also not compliant with the IP standards. The following options are
           available:

             • All IP compliance issues — Audits all IP compliance issues

             • Severe and moderate IP compliance issues — Audits severe and moderate IP compliance issues

             • Severe IP compliance issues — Audits severe IP compliance issues only (This is the default.)

             • No IP compliance issues — Does not audit IP compliance issues

         • IP Audit Frequency — Use the fields in this area to determine the frequency of generating audit for
           IP issues. The following options are available:

             • Always audit — Indicates that an audit record will be generated for each audit event. Note that,
               with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.

             • Limit auditing (recommended) — Specify parameters for limiting the number of records that are
               generated and the frequency at which they are generated. Generate an audit record for the first x
               occurrences at each y second interval. Multiple occurrences of the same audit event will not be
               recorded. An additional audit event will be generated to record the number of audit events that were
               suppressed.

                For example, the audit is limited to generating an audit event for the first three (3) occurrences at
                every 60 second interval. If the firewall stopped 100 source-routed packets in 60 seconds, it
                generates three records for the first three denials, and then generates another audit record, stating
                that 97 occurrences were suppressed in that 60-second timeframe.

                If you limit your audits in this manner, system load is reduced.
                 • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the
                   beginning of each timeframe.

                 • every y seconds — Specify the timeframe at which to begin auditing the records.



Network Defenses Configuration window: UDP tab
Use the UDP tab of the Network Defenses Configuration window to customize audit output for UDP packets
that the firewall determines to be part of an identifiable attack based on attack description (for example,
zero source port) and non-protocol-compliant packets stopped by the firewall. If no attacks are selected
and no compliance issues are selected, the firewall still stops suspicious traffic, but does not generate
audit.
Figure 98 Network Defenses Configuration window: UDP tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

3 Select the UDP tab.

Fields and buttons
This tab has the following fields and buttons:
• UDP Audits — Use the fields in this area to specify the UDP attacks for which you want to generate audit.
  The following fields are available:

   • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header
     to either select all checkboxes or to clear (unselect) all selected checkboxes.

   • Audit the selected UDP compliance issues — Select the way in which you want to audit packets
     that are not known attacks, but are also not compliant with the UDP standards. The following options
     are available:

       • All UDP compliance issues — Audits all UDP compliance issues

       • Severe and moderate UDP compliance issues — Audits severe and moderate UDP compliance
         issues

       • Severe UDP compliance issues — Audits severe UDP compliance issues only (This is the default.)

       • No UDP compliance issues — Does not audit UDP compliance issues



         • UDP Audit Frequency — Use the fields in this area to determine the frequency of generating audit
           for UDP issues. The following options are available:

             • Always audit — Indicates that an audit record will be generated for each audit event. Note that,
               with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.

             • Limit auditing (recommended) — Specify parameters for limiting the number of records that are
               generated and the frequency at which they are generated. Generate an audit record for the first x
               occurrences at each y second interval. Multiple occurrences of the same audit event will not be
               recorded. An additional audit event will be generated to record the number of audit events that were
               suppressed.

                For example, the audit is limited to generating an audit event for the first three (3) occurrences at
                every 60 second interval. If the firewall stopped 100 zero source port UDP attacks in 60 seconds, it
                generates three records for the first three denials, and then generates another audit record, stating
                that 97 occurrences were suppressed in that 60-second timeframe.

                If you limit your audits in this manner, system load is reduced.
                 • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the
                   beginning of each timeframe.

                 • every y seconds — Specify the timeframe at which to begin auditing the records.

      Network Defenses Configuration window: ICMP tab
      Use the ICMP tab of the Network Defenses Configuration window to customize audit output for ICMP
      packets that the firewall determines to be part of an identifiable attack based on attack description (for
      example, invalid redirect) and non-protocol-compliant packets stopped by the firewall. If no attacks are
      selected and no compliance issues are selected, the firewall still stops suspicious traffic, but does not
      generate audit.
      Figure 99 Network Defenses Configuration window: ICMP tab




      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

      3 Select the ICMP tab.



Fields and buttons
This tab has the following fields and buttons:
• ICMP Audits — Use the fields in this area to specify the ICMP attacks for which you want to generate
  audit. The following fields are available:

   • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header
     to either select all checkboxes or to clear (unselect) all selected checkboxes.

   • Audit the selected ICMP compliance issues — Select the way in which you want to audit packets
     that are not known attacks, but are also not compliant with the ICMP standards. The following options
     are available:

       • All ICMP compliance issues — Audits all ICMP compliance issues

       • Severe and moderate ICMP compliance issues — Audits severe and moderate ICMP compliance
         issues

       • Severe ICMP compliance issues — Audits severe ICMP compliance issues only (This is the
         default.)

       • No ICMP compliance issues — Does not audit ICMP compliance issues

   • ICMP Audit Frequency — Use the fields in this area to determine the frequency of generating audit
     for ICMP issues. The following options are available:

       • Always audit — Indicates that an audit record will be generated for each audit event. Note that,
         with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.

       • Limit auditing (recommended) — Specify parameters for limiting the number of records that are
         generated and the frequency at which they are generated. Generate an audit record for the first x
         occurrences at each y second interval. Multiple occurrences of the same audit event will not be
         recorded. An additional audit event will be generated to record the number of audit events that were
         suppressed.

          For example, the audit is limited to generating an audit event for the first three (3) occurrences at
          every 60 second interval. If the firewall stopped 100 invalid redirect ICMP attacks in 60 seconds, it
          generates three records for the first three denials, and then generates another audit record, stating
          that 97 occurrences were suppressed in that 60-second timeframe.

          If you limit your audits in this manner, system load is reduced.
           • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the
             beginning of each timeframe.

           • every y seconds — Specify the timeframe at which to begin auditing the records.



      Network Defenses Configuration window: ARP tab
      Use the ARP tab of the Network Defenses Configuration window to configure what audit to generate for ARP
      compliance issues stopped by the firewall. If the No ARP compliance issues option is selected, the
      firewall still stops suspicious traffic, but does not generate audit.
      Note that unlike other Network Defense types, ARP does not have any listed protocol-specific attacks.
      Figure 100 Network Defenses Configuration window: ARP tab




      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

      3 Select the ARP tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • ARP Audits — Use the fields in this area to specify the level of ARP attacks for which you want to generate
        audit. The following fields are available:

         • Audit the selected ARP compliance issues — Select the way in which you want to audit packets
           that are not known attacks, but are also not compliant with the ARP standards. The following options
           are available:

             • All ARP compliance issues — Audits all ARP compliance issues

             • Severe and moderate ARP compliance issues — Audits severe and moderate ARP compliance
               issues

             • Severe ARP compliance issues — Audits severe ARP compliance issues only (This is the default.)

             • No ARP compliance issues — Does not audit ARP compliance issues

         • ARP Audit Frequency — Use the fields in this area to determine the frequency of generating audit
           for ARP issues. The following options are available:

             • Always audit — Indicates that an audit record will be generated for each audit event. Note that,
               with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.



       • Limit auditing (recommended) — Specify parameters for limiting the number of records that are
         generated and the frequency at which they are generated. Generate an audit record for the first x
         occurrences at each y second interval. Multiple occurrences of the same audit event will not be
         recorded. An additional audit event will be generated to record the number of audit events that were
         suppressed.

          For example, the audit is limited to generating an audit event for the first three (3) occurrences at
          every 60 second interval. If the firewall stopped 100 ARP attacks in 60 seconds, it generates three
          records for the first three denials, and then generates another audit record, stating that 97
          occurrences were suppressed in that 60-second timeframe.

          If you limit your audits in this manner, system load is reduced.
           • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the
             beginning of each timeframe.
           • every y seconds — Specify the timeframe at which to begin auditing the records.

Network Defenses Configuration window: IPsec tab
Use the IPsec tab of the Network Defenses Configuration window to customize audit output for IPsec
packets that the firewall determines to be part of an identifiable attack based on attack description (for
example, replay attack or decryption failure) and non-protocol-compliant packets stopped by the firewall.
Unlike the other network defenses, the IPsec network defense also allows you to control non-malicious
failure audits. If no attacks are selected and no compliance issues are selected, the firewall still stops
suspicious traffic, but does not generate audit.
Note: You can use the IPsec network defense to directly control audit output for some non-malicious failures
because IPsec tends to have more of these types of failures than other protocols.

Figure 101 Network Defenses Configuration window: IPsec tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

3 Select the IPsec tab.



      Fields and buttons
      This tab has the following fields and buttons:
      • IPsec Audits — Use the fields in this area to specify the IPsec attacks for which you want to generate
        audit. The following fields are available:

         • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header
           to either select all checkboxes or to clear (unselect) all selected checkboxes.

         • Audit the selected IPsec compliance issues — Select the way in which you want to audit packets
           that are not known attacks, but are also not compliant with the IPsec standards. The following options
           are available:

             • All IPsec compliance issues — Audits all IPsec compliance issues

             • Severe and moderate IPsec compliance issues — Audits severe and moderate IPsec
               compliance issues

             • Severe IPsec compliance issues — Audits severe IPsec compliance issues only (This is the
               default.)

             • No IPsec compliance issues — Does not audit IPsec compliance issues

         • IPsec Audit Frequency — Use the fields in this area to determine the frequency of generating audit
           for IPsec issues. The following options are available:

             • Always audit — Indicates that an audit record will be generated for each audit event. Note that,
               with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.

             • Limit auditing (recommended) — Specify parameters for limiting the number of records that are
               generated and the frequency at which they are generated. Generate an audit record for the first x
               occurrences at each y second interval. Multiple occurrences of the same audit event will not be
               recorded. An additional audit event will be generated to record the number of audit events that were
               suppressed.

                For example, the audit is limited to generating an audit event for the first three (3) occurrences at
                every 60 second interval. If the firewall stopped 100 IPsec replay-attack packets in 60 seconds, it
                generates three records for the first three denials, and then generates another audit record, stating
                that 97 occurrences were suppressed in that 60-second timeframe.

                If you limit your audits in this manner, system load is reduced.
                 • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the
                   beginning of each timeframe.

                 • every y seconds — Specify the timeframe at which to begin auditing the records.



Network Defenses Configuration window: IPv6 tab
Use the IPv6 tab of the Network Defenses Configuration window to configure the audit data to generate for
IPv6 attacks that were stopped by this firewall. The firewall automatically stops all of the listed attacks. By
selecting or clearing checkboxes, you determine only whether the stopped behavior is audited.
Note: This tab is available only if this is a version 7.0.1 or later firewall and IPv6 is configured.

Figure 102 Network Defenses Configuration window: IPv6 tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

3 Select the IPv6 tab.

Fields and buttons
This tab has the following fields and buttons:
• IPv6 Audits — Use the fields in this area to select the attacks for which you want to generate audit data.
  The following fields are available:

   • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header
     to either select all checkboxes or to clear (unselect) all selected checkboxes.

   • Audit the selected IPv6 compliance issues — Select the way in which you want to audit packets
     that are not known attacks, but are also not compliant with the IPv6 standards. The following options
     are available:

       • All IPv6 compliance issues — Audits all IPv6 compliance issues.

       • Severe and moderate IPv6 compliance issues — Audits severe and moderate IPv6 compliance
         issues.

       • Severe IPv6 compliance issues — Audits severe IPv6 compliance issues only. (This is the
         default.)

       • No IPv6 compliance issues — Does not audit IPv6 compliance issues.



         • IPv6 Audit Frequency — Use the fields in this area to determine the frequency of generating audit
           for IPv6 issues. The following options are available:

             • Always audit — Indicates that an audit record will be generated for each audit event. Note that,
               with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.

             • Limit auditing (recommended) — Specify parameters for limiting the number of records that are
               generated and the frequency at which they are generated. Generate an audit record for the first x
               occurrences at each y second interval. Multiple occurrences of the same audit event will not be
               recorded. An additional audit event will be generated to record the number of audit events that were
               suppressed.

                For example, the audit is limited to generating an audit event for the first three (3) occurrences at
                every 60 second interval. If the firewall stopped 100 IPv6 attack packets in 60 seconds, it generates
                three records for the first three denials, and then generates another audit record, stating that 97
                occurrences were suppressed in that 60-second timeframe.

                If you limit your audits in this manner, system load is reduced.
                 • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the
                   beginning of each timeframe.

                 • every y seconds — Specify the timeframe at which to begin auditing the records.
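The limiting scheme described above, modelled as an added example in Python (this is not code from the guide or from the Control Center product). It assumes one suppression window per audit event type, kept in memory, with the summary record written when the window ends; the "decryption failure" events are constructed sample input matching the guide's three-per-60-seconds example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LimitedAuditor:
    """Rate-limits audit records the way the 'Limit auditing' option describes:
    for each audit event type, only the first `first_x` occurrences in each
    `every_y`-second window produce a record; further occurrences are counted
    and reported in one summary record when the window ends."""
    first_x: int = 3
    every_y: int = 60
    records: List[str] = field(default_factory=list)
    # per-event-type window state: (window_start, recorded, suppressed)
    _windows: Dict[str, Tuple[float, int, int]] = field(default_factory=dict)

    def _summarize(self, event: str, suppressed: int) -> None:
        # The extra record that reports how many occurrences were not written
        if suppressed:
            self.records.append(
                f"{event}: {suppressed} occurrences suppressed in a {self.every_y}-second window"
            )

    def observe(self, event: str, ts: float) -> bool:
        """Feed one occurrence at time `ts` (seconds). Returns True if a record was written."""
        start, recorded, suppressed = self._windows.get(event, (ts, 0, 0))
        if ts - start >= self.every_y:
            # Window elapsed: emit the suppression summary, then start a fresh window
            self._summarize(event, suppressed)
            start, recorded, suppressed = ts, 0, 0
        if recorded < self.first_x:
            recorded += 1
            self.records.append(f"{event} at t={ts:g}s")
            written = True
        else:
            suppressed += 1
            written = False
        self._windows[event] = (start, recorded, suppressed)
        return written

    def close(self) -> List[str]:
        """Close all open windows (for example at shutdown) and return the record list."""
        for event, (_, _, suppressed) in self._windows.items():
            self._summarize(event, suppressed)
        self._windows.clear()
        return self.records


def unlimited_count(n_events: int) -> int:
    """'Always audit': one record per occurrence, so the log partition grows linearly."""
    return n_events


def simulate_burst(n_events: int = 100, first_x: int = 3, every_y: int = 60) -> List[str]:
    """Constructed sample: n_events identical 'decryption failure' events spread
    evenly across one every_y-second window, as in the guide's example."""
    auditor = LimitedAuditor(first_x=first_x, every_y=every_y)
    for i in range(n_events):
        auditor.observe("decryption failure", ts=i * (every_y / n_events))
    return auditor.close()


if __name__ == "__main__":
    for line in simulate_burst():
        print(line)
```

With the defaults, 100 failures in one window produce four records (three denials plus the summary reporting 97 suppressed) instead of 100, which is the load reduction the text refers to; the per-event-type state is what keeps one noisy event from hiding records for a different one.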

Managing servers and service configurations
       Use the Servers and Service Setting window to change the properties that are associated with server and
       service configurations. For information about the different types of services that are supported by security
       firewalls, see Services on page 346.
       Figure 103 Servers and Service Setting window




       Accessing this window
       1 In the Configuration Tool, select the Firewall Settings group bar.

       2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
          displayed.

       Fields and buttons
       This window has the following fields and buttons that apply to all of the tabs on this window:
       • Name — Specify a label that is used to refer to the servers and service configuration.

       • Description — Provide information about the servers and service configuration.

       • OK — Save the changes on all of the tabs for this window.

       • Cancel — Close this window without saving any changes.

       • Versions — Click this button to view a display of all of the fields on this window that have version-specific
         availability. You can also view this same information at the field level by holding your mouse over the
         version level icon and viewing the ToolTip.

      Tabs
      This window has the following tabs:
      • Service Configuration — Modify global properties that are associated with proxy and filter agents and
        basic properties that are associated with TCP and UDP services. For more information, see
        Servers and Service Setting window: Service Configuration tab on page 292.

      • SNMP Agent — Configure advanced properties for the SNMP agent on the firewall. For more information,
        see Servers and Service Setting window: SNMP Agent tab on page 294.

      • ISAKMP Server — Modify advanced properties for the ISAKMP server. For more information, see Servers
        and Service Setting window: ISAKMP Server tab on page 297.

      • NTP Server — Enable the Network Time Protocol (NTP) service in a particular burb and configure one
        or more NTP servers. For more information, see Servers and Service Setting window: NTP Server tab on
        page 299.

      • Admin Console — Configure advanced properties for the Admin Console of the firewall and the SSH
        server. For more information, see Servers and Service Setting window: Admin Console tab on page 300.

      • DHCP Relay — Allow clients to obtain IP addresses from a DHCP server in a different burb. For more
        information, see Servers and Service Setting window: DHCP Relay tab on page 301.

      Servers and Service Setting window: Service Configuration tab
      Use the Service Configuration tab of the Servers and Service Setting window to modify global properties
      that are associated with proxy and filter agents and to modify basic properties that are associated with TCP
      and UDP services. To view the fields on this tab, see Figure 103 on page 291.
      To modify properties associated with selected servers, refer to the other tabs on this window:
      • SNMP Agent

      • ISAKMP Server

      • NTP Server

      • Admin Console

      • DHCP Relay

      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
         displayed.

      3 Select the Service Configuration tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Proxy Configuration — Use the fields in this area to change the number of connections for the proxy
        agents on the firewall. You can configure these proxy agents to enable additional instances when traffic
        volume is high. By distributing the load across multiple instances, you can improve performance.

         • Proxy — [Read-only] Displays the name of a proxy agent.

         • Expected Connections — Specify the total number of connections that are expected for the proxy
           agent. The following options are available:

             • 1000 — Opens a single instance of a proxy agent.

             • 2000 — Opens a single instance of a proxy agent.

             • 4000 — Opens two instances of a proxy agent.

             • 8000 — Opens four instances of a proxy agent. This is the default value.

             • 16000 — Opens eight instances of a proxy agent.

             • 32000 — Opens sixteen instances of a proxy agent.

            Global properties are shared by all services that use a particular agent. If you create a new service
            based on the FTP proxy agent, for example, and change the value of this global property, all of the
            services that are based on the FTP proxy agent are affected.

• Generic Filter — Use the fields in this area to set the global properties associated with services that are
  using the TCP/UDP Packet Filter agent on the firewall.

   • Maximum TCP Sessions — Specify the maximum number of TCP sessions that are allowed to use the
     TCP/UDP Packet Filter agent at one time.

   • Maximum UDP Sessions — Specify the maximum number of UDP sessions that are allowed to use
     the TCP/UDP Packet Filter agent at one time.

   • Minimum Reserved Port — Specify the lowest port number in the range of ports that are reserved
     for use by the TCP/UDP Packet Filter agent.

   • Maximum Reserved Port — Specify the highest port number in the range of ports that is reserved
     for use by the TCP/UDP Packet Filter agent.

   • Allow Intra-Burb Forwarding — Determines whether traffic is forwarded between network
     interfaces located within a burb. This checkbox is cleared by default. You should clear this checkbox if
     you have a burb that has only one network interface. If it is cleared and a burb has two or more network
     interfaces, the interfaces are separated. Select this checkbox to ensure that packets are forwarded in
     burbs with more than one interface.

• TCP Servers — Use the fields in this area to configure the basic properties for the listed TCP daemon
  servers.

   • Daemon Server — [Read-only] Displays the name of the TCP daemon server.

   • TCP Ports — Specify the TCP port number or port numbers that are used by the TCP daemon server.

   • Idle Timeout — Specify the total number of seconds that an established connection can remain idle
     before the daemon server closes the connection.

• UDP Servers — Use the fields in this area to configure the basic properties for the listed UDP daemon
  servers.

   • Daemon Server — [Read-only] Displays the name of the UDP daemon server.

   • UDP Ports — Specify the UDP port number or port numbers that are used by the UDP daemon server.

      Servers and Service Setting window: SNMP Agent tab
      Use the SNMP Agent tab of the Servers and Service Setting window to configure properties associated with
      the Simple Network Management Protocol (SNMP) agent on the firewall. Such properties include the
      following information:
      • Location, contact information, allowed protocols and users for the firewall

      • Community names that are used by the SNMP agent and management stations to validate identity

      • Versions, destinations, and access information for traps that are being sent by the SNMP agent
      Figure 104 Servers and Service Setting window: SNMP Agent tab




      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
         displayed.

      3 Select the SNMP Agent tab.

      Tabs
      This tab has the following tabs:
      • Get Settings — Configure physical information about your SNMP agent. For more information, see Get
        Settings tab on page 295.

      • Trap Settings — Configure additional SNMP trap settings. For more information, see Trap Settings tab
        on page 296.

Get Settings tab
Use the Get Settings tab on the SNMP Agent tab of the Servers and Service Setting window to configure
physical information about your SNMP agent, to specify the versions of SNMP that incoming SNMP requests
are allowed to use, and to configure and manage the list of SNMP v3 users who can issue requests to the
firewall SNMP agent. (Authentication failure traps are enabled on the Trap Settings tab.)

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
   displayed.

3 Select the SNMP Agent tab.

4 Make sure that the Get Settings tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Location — Specify the physical location of the firewall.

• Contact — Specify the user name or e-mail address of the administrator for the firewall.

• Allowed Protocols — Specify the versions of SNMP that incoming SNMP requests are allowed to use.
  SNMP messages with versions that are not allowed are ignored.

• Allowed Get Communities — Specify the community names that are allowed to retrieve management
  information base (MIB) information. The community name is part of the authentication header in SNMP
  messages. The firewall SNMP agent checks the community name in all of the v1 and v2c SNMP messages
  that it receives to verify the identity of a management station.

   The SNMP agent will not start unless a community name is specified. If you do not specify a name in
   this field, the default community is "public".
   Note: Communities are ignored in SNMP v3.

   The following field is available:

   • Community — Specify the name that is assigned to a management station.

• SNMP v3 Users — Use the fields in this area to view, create and manage SNMP v3 users who can issue
  requests to the firewall SNMP agent. The following fields are available:

   • Username — Specify the user name that was established on the SNMP management station.

   • Password — Specify the password for this user that was established on the SNMP management
     station. This password must contain at least eight characters.

   • Security Level — Determines whether authentication and encryption should be used when issuing
     requests. The following options are available:

       • NoAuth — Any security level can be used.

       • AuthNoPriv — A password is required. Payload encryption is optional.

       • AuthPriv — A password and payload encryption are required.

   • Description — Specify a description that can easily identify this user.

      Trap Settings tab
      Use the fields on the Trap Settings tab of the SNMP Agent tab of the Servers and Service Setting window to
      configure more specific settings for SNMP traps.
      Figure 105 Servers and Service Setting window: SNMP Agent tab: Trap Settings tab




      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
         displayed.

      3 Select the SNMP Agent tab.

      4 Select the Trap Settings tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Trap Version — Specify the SNMP version that the firewall should use when sending traps.
         Note: This is a global setting that will affect all components that originate traps.

      • Enable Authentication Failure Trap — Determines whether authentication failure traps are enabled.
        This checkbox is cleared by default. If you select this checkbox, the firewall sends authentication failure
        traps to configured management stations if it detects an unauthenticated Get command.

      • Trap Destinations — Use the fields in this area to specify the hosts that will receive traps that are
        generated by the SNMP agent on the firewall. The following fields are available:

         • Host — Specify the name of a host that will receive an SNMP trap. Click in this field and then select a
           value from the list.

         • Community — Specify the name of the community to which this host belongs. If you do not specify a
           name in this field, the default community is "public".
             Note: Communities are ignored in SNMP v3.

• v3 Trap Settings — Use the fields in this area to configure the security settings to use when sending
  traps. The following fields are available:
   Note: The fields in this area are available only if v3 was selected as the value in the Trap Version field.

   • Username — Specify the user name to use when sending traps. All trap destinations will use the same
     SNMP user name when using SNMP v3.

   • Password — Specify the password for the user name specified in the Username field.

   • Security level — Determines whether authentication and encryption should be used when issuing
     requests. The following options are available:

       • NoAuth — Any security level can be used.

       • AuthNoPriv — A password is required. Payload encryption is optional.

       • AuthPriv — A password and payload encryption are required.

Servers and Service Setting window: ISAKMP Server tab
Use the ISAKMP Server tab of the Servers and Service Setting window to change the following advanced
properties associated with the Internet Security Association and Key Management Protocol (ISAKMP)
server:
• Audit level for the server's traffic

• Internet Key Exchange (IKE) phase 1 negotiation parameters

• Extended authentication (XAUTH) negotiation parameters
Figure 106 Servers and Service Setting window: ISAKMP Server tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
   displayed.

3 Select the ISAKMP Server tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Audit Level — Specify the type of audit output for the ISAKMP server. The following values are available:

         • Error — Logs only major errors.

         • Normal — Logs only major errors and informational messages. This is the default value.

         • Verbose — Logs all errors and informational messages. This level is useful for detecting configuration
           issues.

         • Debug — Logs errors, informational messages, and debug information.

         • Trace — Logs errors, informational messages, and debug and function trace information.

      • IKE Phase One Negotiation Properties — Use the fields in this area to configure properties associated
        with IKE phase 1 negotiations. The following fields are available:

         • Allow Certificate Negotiation — Determines whether certificate negotiation is permitted. This
           checkbox is selected by default. If this checkbox is cleared, all of the certificates that are used to
           authenticate remote peers must be in the local certificate database or they must be accessible using
           Lightweight Directory Access Protocol (LDAP).

         • Negotiation Timeout (sec) — Specify the length of time (in seconds) that the ISAKMP server will
           wait for a response to its request to a remote peer before it resends a packet.

         • Maximum Retry Attempts — Specify the maximum number of times that the ISAKMP server will
           attempt to resend a packet if it does not receive a response.

         • Number of New Connections Allowed At Once — Use the fields in this area to determine the
           number of connections that are allowed to establish a connection to the ISAKMP server at one time.
           Select one of the following options:

             • Unlimited Connections — Indicates that the number of remote peers that are allowed to establish
               a connection to the ISAKMP server at one time is unlimited. This option is selected by default.

             • Maximum Connections — Indicates the maximum number of remote peers allowed to establish a
               connection to the ISAKMP server at one time. You must select or specify a value.

      • XAUTH Negotiation Properties — Use the fields in this area to configure properties that are associated
        with Extended Authentication. The following fields are available:

         • Only Allow One Active SA Per Authenticated User — Determines whether only one security
           association (SA) is permitted for each authenticated user. This checkbox is selected by default.

         • Negotiation Timeout (sec) — Specify the length of time (in seconds) that the ISAKMP server will
           wait for a response to its request to an authenticator before it resends a packet.
         • Maximum Negotiation Attempts — Specify the maximum number of times that the ISAKMP server
           will attempt to resend a packet if it does not receive a response.

         • XAUTH Authenticators — Specify the XAUTH authenticator or authenticators that can be used for
           extended authentication.

         • Default Authenticator — [Available only if more than one authenticator is selected in the XAUTH
           Authenticators table] Specify the authenticator that is used by default.

Servers and Service Setting window: NTP Server tab
Use the NTP Server tab of the Servers and Service Setting window to enable the Network Time Protocol
(NTP) service in an appropriate burb and to configure one or more NTP servers to be used for network time
synchronization.
The Network Time Protocol (NTP) is an Internet standard protocol that enables client computers to maintain
system time synchronization that is relative to master clocks. The firewall is compatible with NTP versions
2, 3, and 4. NTP version 4 is preferred and is used by default on the firewall.
The firewall can be configured as an NTP client or an NTP server. An NTP client receives time updates from
another system; an NTP server supplies time updates to other systems. Typically, a firewall is configured as
an NTP client that receives time updates from an internal NTP server. Configuring a firewall to receive time
updates from both an internal and an external NTP server is not recommended.
You can also configure peers and restricted addresses for NTP.
Figure 107 Servers and Service Setting window: NTP Server tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
   displayed.

3 Select the NTP Server tab.

Fields and buttons
This tab has the following fields and buttons:
• Enable NTP on burbs — Specify the firewall burb that is used to communicate with an NTP server. The
  following values are available, as well as all other configured burbs:

   • external — Indicates that the firewall receives time updates from an NTP server on an external
     network.

   • internal — Indicates that the firewall receives time updates from an NTP server on an internal
     network.

• NTP Configuration — Use the fields in this area to configure one or more NTP servers to be used for
  synchronizing system clocks in your network. You can configure peers and restricted addresses for NTP
  in this table. The following fields and buttons are available:
   • Burb — [Read-only] Displays the firewall burb that is used to communicate with the NTP server. This
     enables the NTP service in the appropriate burb.
   • Servers — [Read-only] Displays the IP address or the host name of the NTP server that is used to
     synchronize clocks in your network.

   • Peers — [Read-only] Displays the peer for this NTP server configuration.

   • Restricted — [Read-only] Displays the restrictions that have been configured for this NTP server.

         • Add — Displays the Burb NTP Configuration window, in which you can configure a new NTP
           configuration for a burb.

         • Edit — Displays the Burb NTP Configuration window, in which you can edit the selected NTP
           configuration.

         • Delete — Delete the NTP burb configuration.

      Servers and Service Setting window: Admin Console tab
      Use the Admin Console tab of the Servers and Service Setting window to configure advanced properties
      that are associated with the Admin Console of the firewall. The Admin Console is the primary management
      tool for the firewall. It provides a graphical user interface for the configuration of firewall features.
      Figure 108 Servers and Service Setting window: Admin Console tab




      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
         displayed.

      3 Select the Admin Console tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Admin Console — Use the fields in this area to configure properties that are associated with the Admin
        Console of the firewall.

         • Require Login Greeting to be Displayed on Every Login — Determines whether a login greeting
           message is displayed each time that a user tries to connect to the firewall from the Admin Console.
           This checkbox is cleared by default. If you select this checkbox, the message is displayed on every
           login.

         • Greeting Message — Specify the text for the login greeting message.

Servers and Service Setting window: DHCP Relay tab
Use the DHCP Relay tab of the Servers and Service Setting window to allow clients to obtain IP addresses
from a DHCP server in a different burb.
Figure 109 Servers and Service Setting window: DHCP Relay tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Server and Service Settings node. The Servers and Service Setting window is
   displayed.

3 Select the DHCP Relay tab.

Fields and buttons
This tab has the following fields and controls:
• DHCP Servers — Specify a list of DHCP servers to which DHCP requests should be forwarded. Select the
  server or servers from this list.

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click the Advanced search icon.

   To view a list of objects that you can add, click the Add icon.

• Advanced — Use the fields in this area to configure additional DHCP Relay options. The following fields
  are available:

   • Reforwarding option — Use the fields in this area to determine the action to take when a packet is
     received that already contains an agent option field and giaddr (the gateway IP address set by a
     previous relay) is set. Select one of the following options:

       • Append to existing agent option field — Indicates that the DHCP relay agent option data for the
         firewall is appended to DHCP requests. Then the requests are forwarded to the specified DHCP
         server or servers that were selected in the DHCP Servers list.

              • Replace existing agent option field — Indicates that the agent option data that was added to
                DHCP requests by other DHCP relays is replaced with the DHCP relay information from the firewall.
                Then the requests are forwarded to the specified DHCP server or servers that were selected in the
                DHCP Servers list.

              • Forward the packet unchanged — Indicates that the DHCP requests are forwarded to the
                specified DHCP servers without modifying the agent option data that was added by other DHCP
                relays. This is the default value.

              • Discard the packet — Indicates that any DHCP requests that have been forwarded by other DHCP
                relays are discarded.

          • Discard threshold — Specify the maximum number of DHCP relays that DHCP request packets can
            pass through before being dropped by the firewall. Valid values are between 1 and 255 hops. The
            default value is 2 hops.

          • Maximum packet size — Specify the maximum size of DHCP request packets that the DHCP Relay
            agent can create after appending its agent option information. Valid values are between 576 and 9000
            bytes or between 1 and 8 kilobytes. The default size is 576 bytes.
          • Drop all packets received from a DHCP server that do not contain any relay agent options
            that refer to one of this relay agent's IP — Determines whether to drop packets from DHCP servers
            that do not correspond to requests that have been forwarded by this firewall. This field is selected by
            default.

          • Append agent option field — Determines whether to append additional DHCP Relay agent
            information to the agent option field of DHCP request packets, including the printable name of the
            firewall network interface on which the request was received. This field is cleared by default.
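As an added example (not code from the guide or from the Control Center product), the DHCP Relay decisions described on this tab modelled in Python: the Reforwarding option for requests that already carry an agent option field, the Discard threshold as a hop-count check, the Maximum packet size check when the relay appends its own option, and the server-side drop of replies that do not name this relay. The packet layout, the text encoding of agent option entries (each costing its text plus an assumed 2-byte sub-option header), the choice to forward without the option when it would exceed the size limit, and the relay address 10.0.1.1 are constructed assumptions, not the firewall's implementation.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Reforwarding choices named on the DHCP Relay tab
APPEND, REPLACE, FORWARD, DISCARD = "append", "replace", "forward", "discard"


@dataclass
class DhcpRequest:
    """Constructed, minimal view of a DHCP request as a relay sees it."""
    hops: int                    # BOOTP 'hops' field, incremented by every relay on the path
    giaddr: Optional[str]        # gateway address set by the first relay; None means 0.0.0.0
    agent_options: List[str]     # Option 82 (relay agent information) entries already present
    size: int                    # current packet size in bytes


@dataclass
class RelayPolicy:
    """The Advanced settings of the tab, with the guide's defaults."""
    reforwarding: str = FORWARD
    discard_threshold: int = 2           # relays a request may pass through (1..255)
    max_packet_size: int = 576           # bytes (576..9000)
    append_agent_option: bool = False    # 'Append agent option field'
    drop_unrelated_replies: bool = True  # 'Drop all packets received from a DHCP server that ...'


def _option_len(entry: str) -> int:
    # Assumed encoding: each entry costs its text plus a 2-byte sub-option header.
    return len(entry) + 2


def relay_request(pkt: DhcpRequest, policy: RelayPolicy,
                  relay_ip: str, interface: str) -> Optional[DhcpRequest]:
    """Return the request to forward to the selected DHCP servers, or None if it is dropped."""
    # Loop protection: a request that has already crossed the threshold number of relays is dropped.
    if pkt.hops >= policy.discard_threshold:
        return None
    out = replace(pkt, hops=pkt.hops + 1, agent_options=list(pkt.agent_options))
    ours = f"relay={relay_ip};circuit={interface}"   # this relay's agent option entry

    if pkt.giaddr is not None and pkt.agent_options:
        # Already relayed and already tagged: the Reforwarding option decides.
        if policy.reforwarding == DISCARD:
            return None
        if policy.reforwarding == REPLACE:
            out.size -= sum(_option_len(o) for o in out.agent_options)
            out.agent_options = []
        add_ours = policy.reforwarding in (APPEND, REPLACE)
    else:
        # First relay on the path: set giaddr so the server answers us; tag only if enabled.
        if out.giaddr is None:
            out.giaddr = relay_ip
        add_ours = policy.append_agent_option

    if add_ours:
        grown = out.size + _option_len(ours)
        if grown <= policy.max_packet_size:
            out.agent_options.append(ours)
            out.size = grown
        # Otherwise the entry is left off rather than exceed the configured size (assumption).
    return out


def accept_server_reply(reply_agent_options: List[str], relay_ip: str, policy: RelayPolicy) -> bool:
    """Server-to-client direction: accept only replies whose agent options name this relay."""
    if not policy.drop_unrelated_replies:
        return True
    return any(o.startswith(f"relay={relay_ip};") for o in reply_agent_options)


if __name__ == "__main__":
    policy = RelayPolicy(append_agent_option=True)
    fresh = DhcpRequest(hops=0, giaddr=None, agent_options=[], size=300)
    print(relay_request(fresh, policy, "10.0.1.1", "eth1"))
    tagged = DhcpRequest(hops=1, giaddr="10.0.2.1",
                         agent_options=["relay=10.0.2.1;circuit=eth0"], size=329)
    print(relay_request(tagged, RelayPolicy(reforwarding=DISCARD), "10.0.1.1", "eth1"))
```

The two checks worth noting from a defensive standpoint are the hop threshold, which bounds relay loops and stops requests that have already passed through more relays than the topology should have, and the reply filter, which discards server answers that were not solicited through this relay.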



Viewing and managing IPS signatures by using the IPS Signature Browser
       Use the IPS Signature Browser window to view and manage available signatures.
       You can perform the following actions:
       • Filter signatures for easier viewing.

       • Globally enable or disable signatures.

       • View signature vulnerabilities on the Common Vulnerabilities and Exposures (CVE®) web site.

       There are two objects beneath the Signature Browser object in the Object Configuration area:
       • IPS Signature Settings — This is the default signature object that is shipped with the Control Center.

       • IPS Signatures — This is the name of the object that is created when a retrieve from a firewall is
         performed. This object can contain user-defined signatures.

       Because your list of installed signatures could potentially be very long, you can quickly retrieve only those
       signatures that meet certain filter constraints using the Find filtering mechanism.
       1 In the Search field, specify a term that matches a selection for any value displayed in the browser.

       2 Click the down arrow to select the display for the search results (Highlight Matching Rules or Only
          Display Matching Signatures).

       3 Click Find or press Enter. The results are displayed. If you had selected the Highlight Matching Rules
          option, all signatures that match the value in the Search field are highlighted in yellow. If you selected
          the other option, you will see only those signatures that matched your search criteria.

       4 Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view
          all of the objects again, select the Clear Find Results icon.

Figure 110 IPS Signature Browser window




Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the IPS Signature Browser node. The IPS Signature Browser window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name that describes the purpose of the signature. For example, if you wanted a
  signature category that searches HTTP and FTP attack signature files, you could specify HTTP_FTP for
  the value.

   Valid values include: alphanumeric characters, dashes (-), underscores (_), and spaces ( ). However,
   the first and last character of the name must be alphanumeric. The name cannot exceed 256
   characters. You can rename the mapping later.

• Description — Specify useful information about the signature.

• Search — Provides a filtering mechanism for viewing signatures in this list. For more information about
  how to perform a search, see the procedure earlier in this window description.

• Find — See the description of this functionality earlier in this window description.

• Enabled — Determines whether this signature will be used by a rule to scan traffic. All of the Enabled
  checkboxes are selected by default. If the checkbox is cleared, the signature will not be used when
  scanning traffic, even if it is part of a signature group that is referenced in a rule. By disabling the
  signature, you can possibly avoid false positives based on signature (for example, when a certain
  signature is identifying legitimate traffic as an attack).

   You can select multiple signatures by pressing and holding the Ctrl key while selecting the appropriate
   signatures.

   You can select a range of signatures by selecting the first signature in the range, pressing and holding
   the Shift key, and then selecting the last signature in the range.

      • Name — [Read-only] Displays the name of the signature.

      • Category — [Read-only] Displays the signature category for this signature. A signature category is a
        category of signatures that all involve the same type of attack. The signature category is classified by the
        network service targeted for attack, and it consists of a main category and a subcategory. One or more
        categories can be added to a signature group.

      • Class Type — [Read-only] Displays the class type for the signature. The class type identifies the intended
        purpose of the attack, such as Root Level Exploit or Discovery.

      • Type — [Read-only] Displays the threat level attribute for the signature. This threat level indicates a
        relationship between confidence level and severity. The following types can be displayed:

         • IPS — Detects attacks that are considered dangerous.

         • IDS — Detects attacks that are either considered minor (such as probe or discovery activity) or they
           are suspected attacks, meaning that the signature will possibly incorrectly identify legitimate traffic as
           an attack.

         • Policy — Identifies network traffic that you want to control based on your organization’s security
           policy, such as instant messaging or P2P communication.

      • Date Added — [Read-only] Displays the date that this signature was added or last updated.

      • Vulnerability — [Read-only] Displays the number that was assigned by Common Vulnerabilities and
        Exposures (CVE). Two types of identifiers can appear for a signature:

         • If CVE precedes the number, the vulnerability has been reviewed and accepted by CVE and is an official
           entry in the CVE list.

         • If CAN or nothing precedes the number, the vulnerability is under review by CVE and is not yet an
           official entry in the CVE list.
         • If NONE is displayed, CVE has not reviewed this signature.

         To view the CVE Web page associated with this number in a Web browser, click the link.

      • SID — [Read-only] Displays the signature ID (SID) for the signature that was automatically generated
        by the originator of the signature.

      • Description — [Read-only] Displays the description for the signature.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving any changes.



TrustedSource
      TrustedSource is a reputation service that assigns a reputation score to an IP address based on the
      behavior attributes of the traffic it generates. A reputation score is like a credit score that indicates the
      trustworthiness of an IP address.
      TrustedSource uses servers around the world to gather and analyze billions of packets dynamically to
      determine reputation scores. For each IP address on the internet, TrustedSource calculates a reputation
      value based on such attributes as sending behavior, blacklist and whitelist information, and spam trap
      information.
      Note: For more information about the service, see the TrustedSource web site at www.trustedsource.org.

Implement TrustedSource on your firewall to:
• block spam e-mail from botnets.

• help prevent hosts on your network from being infected with botnet agents.

• identify hosts on your network that have been compromised in botnet or pharming attacks.

• protect critical servers from access by authorized users who are inadvertently using external machines
  that are compromised.

For more information, see the TrustedSource application note at mysupport.mcafee.com.


Configuring TrustedSource settings for rules and mail filtering
Use the TrustedSource window to more accurately filter network traffic passing through all of the firewalls
that you specify in this window. TrustedSource inspects network traffic and assigns a reputation score to it.
To enable TrustedSource settings for rules and mail filtering in this window, you will perform the following
tasks:
• Create a TrustedSource whitelist and configure reputation boundaries on the TrustedSource window.

• Enable TrustedSource for individual rules in the Rule Editor window.
Figure 111 TrustedSource window




Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the TrustedSource node. The TrustedSource window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify the name for the TrustedSource object.

      • Description — Provide a description of the TrustedSource object.

      • Whitelist — Use the fields in this area to select objects to be included in the TrustedSource whitelist.
        Selected objects will not be examined for TrustedSource reputation scores and will be exempt from the
        TrustedSource matching requirements for a rule.

         • Do not perform TrustedSource filtering on — Specifies the types of objects to be included in the
           whitelist. These objects are selected by default because your security policy will probably define the
           "allow" and "deny" rules for these objects. If you clear a checkbox, all objects of that type will be
           included in TrustedSource queries and will be subject to the TrustedSource matching requirements for
           a rule.

             You can specify specific burbs to exclude. See the Burbs except the following field description.

             • IP address objects — Determines whether IP address objects are included in the whitelist, which
               means that they are excluded from TrustedSource examination. The default value is selected.

             • IP Range objects — Determines whether IP range objects are included in the whitelist, which
               means that they are excluded from TrustedSource examination. The default value is selected.

             • Subnet objects — Determines whether subnet objects are included in the whitelist, which means
               that they are excluded from TrustedSource examination. The default value is selected.

             • Host objects — Determines whether host objects are included in the whitelist, which means that
               they are excluded from TrustedSource examination. The default value is selected.

             • Burbs except the following — Determines whether specific burbs are excluded from the
               TrustedSource whitelist. This means that the selected burbs will be included in TrustedSource
               queries. If a selected burb is in a rule that has TrustedSource enabled, the IP address of that burb
               will be examined for reputation score and will be subject to the rule's TrustedSource matching
               requirement. The default value is cleared.

                To specify one or more burbs:
                1 Select the checkbox for this field. The default value for this list is <None>.

                2 Click the down arrow.

                3 Select the individual burb or burbs.

                      Note: Private IP addresses are not evaluated by TrustedSource nor are they examined in rules (for
                      example, 10.x.x.x, 172.16.x.x, 192.168.x.x).

         • Do not perform TrustedSource filtering on these objects — Use the fields in this area to specify
           network objects for a specific burb to add to the whitelist.
             Note: If you specify one or more burbs in the Burbs except the following field, you cannot use the fields
             in this area. Conversely, if you want to include the entire burb and not specific network objects from it in
             the whitelist, use the Burbs except the following checkbox and list instead of these fields.

             • Burbs — Specify one or more burbs for which you are identifying specific network objects to be
               added to the whitelist. The default value is <None>.

             • Network Objects — Specify the network objects that will be added to the whitelist. Double-click
               any object in this list (except generic objects such as ANYWHERE) to open it.

                To search for objects, use the filter field to control the number of objects that are displayed. To limit
                the search to exact matches of a specified sequence of characters that appears anywhere in the
                object name, specify one or more characters and press Enter. To perform an advanced search for
                an object, click the Advanced search icon.

                To view a list of objects that you can add, click the Add icon.

• Advanced Settings — Use the fields in this area to adjust the reputation boundaries and to include
  reputation scores in the audit log.

   • Adjust reputation boundaries — Use these fields to change the range of values for any reputation
     class. You should not have to change these settings from their default values. The range of scores
     spans from -255 to 255, with the lowest score (-255) indicating the most trusted reputation and the
     highest score (255) indicating the least trusted reputation.

       Adjust each value as needed.

       The following table describes each class and its range of scores:
       Table 12 Class values and score ranges
        Value             Class               Class Description
        -255 to -1        Trusted             The IP address is a source of substantial amounts of legitimate traffic.
        0 to 14           Neutral             The IP address is a source of legitimate traffic. However, it might send small
                                              amounts of unusual traffic or traffic that requires further inspection.
        15 to 29          Unverified          The IP address might be a legitimate sender. However, the data that has been
                                              gathered up until now has been either inconclusive or insufficient to make a
                                              firm reputation decision. Further inspection is required.
        30 to 49          Suspicious          The IP address has exhibited substantial suspicious behavior in the past.
                                              Connections should be treated with caution that is appropriate for the
                                              application protocol in question.
        50 to 255         Malicious           The IP address has a history of malicious behavior.


   • Default reputation if TrustedSource servers are unavailable — Specify the reputation score for
     an IP address if the TrustedSource servers are unavailable to verify the reputation. The default value
     is 30.

   • Audit traffic allowed by TrustedSource — Determines whether reputation scores for the IP address
     of an allowed connection are included in the audit log. If this checkbox is selected and TrustedSource
     is used to look up the reputation of the source and/or destination IP address of a connection that is
     allowed, the audit log entry is displayed in this format:

          dest_reputation: 20
       An allow audit message appears in the audit log only if TrustedSource was used in the rule
       matching process. It will not appear in the audit log for allowed connections under these conditions:

       • The source and the destination IP addresses are on the TrustedSource whitelist.

       • The connection is allowed by a rule that is processed before the rule that uses TrustedSource.

       • The connection does not match another element in the rule that uses TrustedSource (for example,
         the destination burb did not match). However, the connection is allowed by a subsequent rule that
         does not use TrustedSource.

• OK — Save the changes that you made on this window.

• Cancel — Close this window without saving any changes.

Virus scanning
       Use the anti-virus service, which is a licensed, add-on module that uses a firewall-hosted virus scanner, to
       configure rule-based MIME, virus, and spyware scanning. Use scanning services on HTTP and HTTPS traffic,
       FTP files, and mail messages. When using scanning services, you can specify the number of server
       processes to be dedicated to various data sizes, allowing the firewall to process data more efficiently. You
       can also configure how often to update the signature files.


       Configuring virus scanning properties
       Use the Virus Scan window to configure virus scanning properties. These properties include parameters for
       distributing scanner processes for incoming and outgoing traffic, controlling buffer sizes, handling archives,
       and scanning encrypted files.
       Note: You must have licensed the Anti-Virus feature to be able to perform virus scanning.

       Support for updating the anti-virus engine and signature files is provided in the Updates window. Support
       for scanning particular types of traffic (for example, HTTP, FTP, Sendmail) is provided in the application
       defense windows that are associated with those services:
       • FTP Application Defense window - Virus/Spyware tab

       • HTTP Application Defense window - MIME/Virus/Spyware tab

       • HTTPS Application Defense window - MIME/Virus/Spyware tab

       • Mail (Sendmail) Application Defense window - MIME/Virus/Spyware tab
       Figure 112 Virus Scan window




       Accessing this window
       1 In the Configuration Tool, select the Firewall Settings group bar.

       2 Double-click the Virus Scan node. The Virus Scan window is displayed.

       Fields and buttons
       This window has the following fields and buttons:
       • Name — Specify a label used to refer to the Virus Scan configuration.

       • Description — Provide information about the Virus Scan configuration.

• Scanning Distribution — Use the fields in this area to specify the number of scanners to use for files of
  selected sizes. The following fields are available:

   • File Size Range — [Read-only] Displays one of the following options:

       • Up to 40K

       • Up to 100K
       • Up to 1M

       • Unlimited
       Note: A file is handled by the first file size range that is larger than the file's size; for example, a file of size
       40K will be handled by scanners assigned to the Up to 100K file size range.

   • Scanners — Specify the number of scanners to use in distributing and servicing files in the associated
     range of file sizes. Acceptable values range from 1 to 10.
       Note: To ensure optimum performance, the total number of scanner processes across all ranges should not
       exceed 20. If you decrease the number of scanners, the virus scanner must be restarted.

• Advanced — Use the fields in this area to configure properties for controlling buffer sizes, handling
  archives, and scanning encrypted files.

   • Scan Buffer Size (KB) — Specify the size (in kilobytes) of the memory buffer used for storing data
     until a temporary backup file is created. Acceptable values range from 8 KB to 64 KB. The default value
     is 64.

   • Archive Scan Buffer Size (MB) — Specify the size in megabytes of the memory buffer used for
     storing the contents of archive files until the anti-virus engine temporarily writes the contents to disk
     to perform the scan. The default value is 128. The maximum is 512 MB.

   • Maximum Number of Files to Scan in an Archive — Specify the largest number of files in an
     archive to be scanned. If an archive contains more files than the specified maximum, scanning will not
     be performed. The default value is 2000.

   • Scan Encrypted Files — Determines the way in which the scanner handles password-protected files
     (for example, .xls or .zip files). This checkbox is cleared by default. In this case, the scanner will
     generate an error and reject password-protected files. If this checkbox is selected, the scanner scans
     unencrypted parts of the files. If a virus is not detected, the file is allowed.

• OK — Save the changes that were made on this window.

• Cancel — Close this window without saving any changes.
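The size-range rule in the note above (a file goes to the first range strictly larger than it, so a 40K file is scanned by the Up to 100K scanners), the 1 to 10 scanners per range and 20 total, and the Scan Encrypted Files behaviour can be checked with the following added example. It is written for this guide and is not product code; the order in which the archive file limit and the password check are applied is an assumption.

```python
KB = 1024
MB = 1024 * KB

# File Size Range rows of the Scanning Distribution area, in the order the
# window lists them. None stands for Unlimited.
SIZE_RANGES = [
    ("Up to 40K", 40 * KB),
    ("Up to 100K", 100 * KB),
    ("Up to 1M", 1 * MB),
    ("Unlimited", None),
]

SCANNERS_PER_RANGE = (1, 10)   # acceptable values for the Scanners field
RECOMMENDED_TOTAL = 20         # scanner processes across all ranges
SCAN_BUFFER_KB = (8, 64)       # Scan Buffer Size (KB)
ARCHIVE_BUFFER_MB_MAX = 512    # Archive Scan Buffer Size (MB)


def select_range(file_size):
    """Return the label of the range that handles a file of file_size bytes.

    A file goes to the first range whose limit is strictly larger than the
    file, so a file of exactly 40K lands in Up to 100K, not Up to 40K."""
    for label, limit in SIZE_RANGES:
        if limit is None or file_size < limit:
            return label
    raise AssertionError("Unlimited should catch every size")


def validate_distribution(scanners):
    """scanners maps a range label to its Scanners value. Returns a list of
    problems; an empty list means the distribution is acceptable."""
    problems = []
    low, high = SCANNERS_PER_RANGE
    for label, _ in SIZE_RANGES:
        n = scanners.get(label)
        if n is None:
            problems.append(f"{label}: no scanner count")
        elif not low <= n <= high:
            problems.append(f"{label}: {n} scanners, allowed {low}..{high}")
    total = sum(v for v in scanners.values() if isinstance(v, int))
    if total > RECOMMENDED_TOTAL:
        problems.append(f"total {total} scanners exceeds recommended {RECOMMENDED_TOTAL}")
    return problems


def validate_advanced(scan_buffer_kb=64, archive_buffer_mb=128):
    """Check the Advanced area against the limits the window documents."""
    problems = []
    if not SCAN_BUFFER_KB[0] <= scan_buffer_kb <= SCAN_BUFFER_KB[1]:
        problems.append(f"Scan Buffer Size {scan_buffer_kb} KB outside 8..64")
    if archive_buffer_mb > ARCHIVE_BUFFER_MB_MAX:
        problems.append(f"Archive Scan Buffer Size {archive_buffer_mb} MB exceeds 512")
    return problems


def archive_outcome(file_count, password_protected, scan_encrypted,
                    max_files=2000, virus_in_clear_parts=False):
    """Outcome the window describes for one archive.

    Returns 'not scanned' when the archive has more files than the maximum
    (the window does not say what the firewall then does with the file),
    'rejected' or 'allowed'. Checking the file limit first is an assumption."""
    if file_count > max_files:
        return "not scanned"
    if password_protected and not scan_encrypted:
        return "rejected"              # scanner errors on the protected file
    # Unprotected file, or protected file with only its unencrypted parts scanned
    return "rejected" if virus_in_clear_parts else "allowed"
```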

Quality of Service
       Quality of Service (QoS) guarantees a certain level of performance for a data flow by using different
       priorities and queuing mechanisms to allocate available bandwidth. QoS is beneficial for networks with
       limited bandwidth that must pass latency-sensitive or bandwidth-intensive traffic.
       Using the Quality of Service window, you can create QoS profiles that can be applied to the network
       interfaces of the firewall. Each QoS profile contains one or more queues that allow you to prioritize network
       performance based on network traffic type. Each queue is assigned a priority value, is allocated a
       percentage of available bandwidth, and can be allowed to borrow bandwidth from other queues. When a
       queue is full, any additional packets that match that queue are dropped. Queues are applied to network
       traffic based on the services that are selected.
       When QoS policy is applied to a network interface, only outgoing traffic on that interface is controlled by
       QoS; packets arriving on that interface are not affected. If you want traffic for a particular service to be
       controlled in both directions, that service must be present in the QoS policy of both of the interfaces where
       traffic for that service leaves the firewall. The following QoS configurations are described to illustrate their
       effect on a connection between an internal client and external web server:
       • The QoS profile for the external interface includes HTTP. Traffic that is sent from the internal client to the
         external web server is affected by QoS.

       • The QoS profile for the internal interface includes HTTP. Traffic that is sent from the web server to the
         internal client is affected by QoS.
       • Both the internal and the external interface QoS profiles include HTTP. All traffic between the client and
         web server is affected by QoS.

       QoS is applied to network traffic at the IP and transport layers based on the service or services that are
       selected in each queue. Protocols that use dynamic ports that are negotiated at the application layer (for
       example, FTP or VoIP) will not match QoS queues that use those services because QoS does not examine
       the application layer when it processes packets.
       If you have a QoS queue that has been created with the FTP filter service selected, QoS is applied to the
       control connection (tcp port 21), but it is not applied to the data connection (high random tcp port or tcp
       port 20). Because the control connection is made on the port that is defined in the service, QoS policy is
       applied to it. However, QoS is not applied to the data connection because it is made on a port that is
       negotiated at the application layer between the client and server.
       To apply QoS to protocols that employ dynamic ports, create a service that includes the range of dynamic
       ports, and select this service on the QoS queue.

       Applying a QoS profile to a network interface
       The following high-level steps describe how to apply a QoS profile to a network interface:
       1 Create a QoS profile (Quality of Service window).

       2 Add QoS queues to the profile (Quality of Service window).

       3 Apply the QoS profile to a network interface (McAfee Firewall Enterprise Interface window from the
           Firewall window).
           Note: QoS cannot be configured on VLANs.

Creating Quality of Service profiles
Use the Quality of Service window to identify Quality of Service (QoS) profiles that contain one or more
queues that you can use to prioritize network performance based on network traffic type.
Figure 113 Quality of Service window




Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Quality of Service node. The Quality of Service window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Object Name — Specify the name of this Quality of Service network object.

• Remaining bandwidth — [Read-only] Displays the percentage of bandwidth that is potentially available
  for this profile. This amount is automatically calculated from a total of all of the percentages listed in the
  Allocated Bandwidth column.

• Profile Name — Specify the unique name of this QoS profile. You can specify up to seven characters.
  This value is automatically populated with the value that you specified in the Object Name field as soon
  as you move out of that field. However, if the Object Name value is longer than seven characters, you
  must edit the value in this (Profile Name) field.
    Note: For version 7.0.1 and later firewalls, you cannot use the following characters in your profile name: dash
    (-), period (.), and underscore (_).

• Description — Specify a more detailed description of the profile.

• Queue Name — Specify the name of this queue. This queue name cannot be longer than seven
  characters.

    For version 7.0.1 and later firewalls, only alphanumeric characters can be used.

      • Priority — Specify the priority value for this queue. The range is between 0 and 7, with 0 representing
        the lowest priority and 7 representing the highest priority. This value determines the order in which the
        queue is processed, relative to the other queues in the profile. Higher-priority queues are processed first, which
        results in lower latency for those queues.

      • Allocated Bandwidth — Specify the percentage of available bandwidth that is to be dedicated to the
        queue. The available bandwidth for a QoS profile is determined by the link speed of the network interface
        with which it is associated. The range is between 0 and 100. The combined sum of this column for all of
        the queues cannot exceed 100.

      • Services — Specify the types of traffic to which this queue applies. Note that queues cannot share
        services. In other words, each service can be selected only once among all of the queues in this profile.

         You cannot specify values directly in this field. You must select them from the services list by clicking
         the down arrow. You can then either use the Find field (see description below) to filter your search
         criteria or you can scroll through the list manually and select one or more services. You must click
         outside of this field to close the list when you have completed your selection or selections.

         • Find — Use the Find field to search for specific values. Specify part or all of the service name for which
           you want to search and click Find. Any values matching the search text are highlighted. Select one or
           more services.

      • Can Borrow — Determines whether the queue can borrow bandwidth from the other queues in this profile
        after it exhausts its own allocated bandwidth.

      • Description — Specify additional information about this queue.

      • Delete — Click x (Delete) in the row to be deleted. The Quality of Service queue is deleted after you click
        OK.

         Note: Each profile contains a default queue that cannot be deleted or renamed. The default queue processes
         all packets that do not match any queues that you have explicitly defined. However, you can modify the values
         in the Priority, Allocated Bandwidth, and Can Borrow fields for this default queue to control how QoS
         allocates bandwidth for services that are not included in the custom queues.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving any changes.

      • Versions — Click this button to view a display of all of the fields on this window that have version-specific
        availability. You can also view this same information at the field level by holding your mouse over the
        version level icon and viewing the ToolTip.
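The profile and queue rules above (seven-character names, the 7.0.1 character restrictions, priority 0 to 7, allocated bandwidth totalling at most 100, no service shared between queues) and the earlier point that QoS matches at the transport layer, so an FTP data connection on a negotiated port never matches an FTP queue, are both shown in the following added example. It is written for this guide, not Control Center code: the Queue and Profile classes, the name "default" for the default queue and the service-to-port table are constructed for the example.

```python
from dataclasses import dataclass, field

PRIORITY_RANGE = (0, 7)
NAME_MAX = 7
# Characters the window disallows in a profile name on 7.0.1 and later firewalls
PROFILE_NAME_FORBIDDEN_701 = set("-._")

# Constructed service table: the fixed (protocol, port) pairs QoS can match on.
# Real services are Control Center service objects; this table is an assumption.
SERVICE_PORTS = {
    "http": {("tcp", 80)},
    "https": {("tcp", 443)},
    "ftp": {("tcp", 21)},                                         # control connection only
    "ftpdata": {("tcp", p) for p in range(49152, 65536)},         # custom dynamic-port service
}


@dataclass
class Queue:
    name: str
    priority: int
    allocated: int                     # percent of the interface bandwidth
    services: list = field(default_factory=list)
    can_borrow: bool = False


@dataclass
class Profile:
    name: str
    queues: list                       # custom queues; the default queue is separate
    default_queue: Queue = field(default_factory=lambda: Queue("default", 0, 0))


def remaining_bandwidth(profile):
    """Remaining bandwidth column: 100 minus the Allocated Bandwidth total."""
    used = sum(q.allocated for q in profile.queues) + profile.default_queue.allocated
    return 100 - used


def validate_profile(profile, firewall_version="7.0.1"):
    """Return the problems found against the rules the window documents."""
    problems = []
    new_rules = tuple(int(x) for x in firewall_version.split(".")) >= (7, 0, 1)
    if len(profile.name) > NAME_MAX:
        problems.append(f"profile name '{profile.name}' longer than {NAME_MAX}")
    if new_rules and set(profile.name) & PROFILE_NAME_FORBIDDEN_701:
        problems.append(f"profile name '{profile.name}' uses - . or _")
    seen = {}                          # service -> queue that already selected it
    for q in profile.queues + [profile.default_queue]:
        if len(q.name) > NAME_MAX:
            problems.append(f"queue '{q.name}' name longer than {NAME_MAX}")
        if new_rules and not q.name.isalnum():
            problems.append(f"queue '{q.name}' name must be alphanumeric")
        if not PRIORITY_RANGE[0] <= q.priority <= PRIORITY_RANGE[1]:
            problems.append(f"queue '{q.name}' priority {q.priority} outside 0..7")
        if not 0 <= q.allocated <= 100:
            problems.append(f"queue '{q.name}' bandwidth {q.allocated} outside 0..100")
        for s in q.services:
            if s in seen:
                problems.append(f"service '{s}' in both '{seen[s]}' and '{q.name}'")
            seen[s] = q.name
    if remaining_bandwidth(profile) < 0:
        problems.append("allocated bandwidth total exceeds 100")
    return problems


def match_queue(profile, proto, port):
    """Queue an outgoing packet falls into, judged at the transport layer only.

    Services are unique across queues, so at most one queue matches; anything
    else goes to the default queue. An FTP data connection on port 20 or a
    negotiated high port does not match an 'ftp' queue, because only port 21
    is in that service; a custom range service is needed for that traffic."""
    for q in sorted(profile.queues, key=lambda x: x.priority, reverse=True):
        if any((proto, port) in SERVICE_PORTS.get(s, set()) for s in q.services):
            return q.name
    return profile.default_queue.name
```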



DNS zones
      A typical IPv4 address looks something like the following: 192.168.237.114. This dotted decimal address is
      good for computing machines whose language is numbers. For humans, however, remembering numeric
      addresses for every computer to which they wish to connect is very cumbersome, if not impossible. What is
      needed is a system in which human-recognizable patterns can be used to represent IP addresses. This is
      where a Domain Name System comes in.

      Domains, nodes, hosts, and the name space
      For the purpose of administration, an IP network can be organized into logical partitions called domains.
      With the Internet, for example, there are separate domains for government information (.gov), educational
      information (.edu), and commercial information (.com) to name just a few.
      The partitioning starts at what is called the root domain. All domains under the root domain (i.e., as
      children of the root) are called top-level domains. Top-level domains can be partitioned into subdomains:
      second-level domains; second-level domains can also be partitioned into subdomains: third-level domains;
      and so on.

The Name part of Domain Name comes from the original need to create a mnemonic for IP addresses. Each
domain and subdomain in the tree has a name assigned to it. Putting these concepts together results in
something that looks like the following diagram:
Figure 114 Sample of the DNS name space of the Internet




In this figure (Figure 114), the following characteristics can be pointed out:
• com, edu, and gov are top-level domains. yahoo.com, microsoft.com, berkeley.edu, mit.edu, nasa.gov,
  and irs.gov are second-level domains. ssl.berkeley.edu is a third-level domain.

• A node is any dot in the figure above.

• A domain includes the node that defines the domain and all subdomains under that node. For instance,
  yahoo.com and microsoft.com are part of the com domain even though yahoo.com and microsoft.com are
  domains themselves.

• The nodes with circles are host names. www is a host name in the yahoo.com, berkeley.edu, and nasa.gov
  domains. setiathome is a host name in the ssl.berkeley.edu domain.

• A fully qualified domain name (FQDN) can be obtained by adding the host name to the domain name. This
  is seen with www.yahoo.com for instance. In fact, to truly be an FQDN, a name must also specify the root
  domain as a dot (.) on the end—for instance, www.yahoo.com.

Domain Name System (DNS)
After the logical structure and its rules were defined, a mechanism to manage the name-to-address
mapping was created. For this purpose, a distributed database that is indexed by the domain names exists.
This distributed database maps a host name to an IP address using all the components of the appropriate
domain name.
The computers that contain portions of the database are called name servers. The name servers can
contain the actual name-to-address mapping of some hosts. They can also contain pointers to other name
servers that contain the name-to-address mapping of other hosts.

      Domains versus zones
      Each domain or subdomain can be divided into appropriate pieces to administrate that part of the name
      space. To illustrate this, look at the edu domain in the figure above.
      The organization that is responsible for the edu domain has broken it up into subdomains berkeley.edu and
      mit.edu. The administrators at Berkeley and MIT are now able to administer the name space for those
      universities as needed. Although this is true, the edu organization is still responsible for the part of the
      distributed database that maps the edu domain. Rather than loading the whole edu name space into the
      name servers of the edu organization, the edu organization can create zones. It might create an edu zone,
      a berkeley.edu zone, and an mit.edu zone. In this case, the edu zone does not contain any of the
      name-to-address mapping for Berkeley or MIT, only pointers to the name servers at Berkeley and MIT that
      contain the needed mapping.
      Now, suppose that the administrators at Berkeley do not wish to hold the name-to-address mapping of the
      ssl.berkeley.edu domain on the main berkeley.edu name servers. They can, in turn, create another zone
      within their organization: the ssl.berkeley.edu zone. With this zone created, the main berkeley.edu name
      servers are free to contain only pointers to the ssl.berkeley.edu name servers for that part of the name
      space.
      These ideas are shown in the next figure (Figure 115).
      Figure 115 Possible zones of the sample edu domain




      Notice that the ssl.berkeley.edu zone is in the berkeley.edu domain but is separate from the berkeley.edu
      zone.
      The DNS name servers for a particular part of the name space can manage one or more zones.
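The name-space rules above (the trailing root dot of a true FQDN, domain levels, a domain including all of its subdomains) and the difference between a domain and a zone can be made concrete with the following added example, which uses the edu, berkeley.edu, mit.edu and ssl.berkeley.edu zones of Figure 115. It is written for this guide and is not firewall or Control Center code; the functions and the ZONES list are constructed for the example.

```python
def fqdn(name):
    """Normalize a name to a true FQDN: lower-case, with the root written as a
    trailing dot (www.yahoo.com -> www.yahoo.com.)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def labels(name):
    """Labels from the root outward, e.g. www.yahoo.com. -> [com, yahoo, www]."""
    return [lab for lab in fqdn(name).split(".") if lab][::-1]


def level(name):
    """Top-level domains are level 1; ssl.berkeley.edu is a third-level domain."""
    return len(labels(name))


def in_domain(name, domain):
    """A domain includes its own node and every subdomain, so yahoo.com is in com."""
    n, d = labels(name), labels(domain)
    return n[:len(d)] == d


def parent_name(name):
    """Name of the node one level closer to the root ('.' for a top-level domain)."""
    lab = labels(name)
    return ".".join(reversed(lab[:-1])) + "." if len(lab) > 1 else "."


def zone_for(name, zones):
    """Zone whose name servers hold the name-to-address mapping for name: the
    most specific configured zone that encloses it, or None if no zone does.

    With zones edu, berkeley.edu and ssl.berkeley.edu, www.berkeley.edu is in
    the berkeley.edu zone, while setiathome.ssl.berkeley.edu is served by the
    ssl.berkeley.edu zone even though it is also inside the berkeley.edu domain."""
    best = None
    for z in zones:
        if in_domain(name, z) and (best is None or level(z) > level(best)):
            best = z
    return best


def delegations(zone, zones):
    """Child zones for which this zone holds only pointers to other name
    servers. The edu zone delegates berkeley.edu and mit.edu; ssl.berkeley.edu
    is delegated by berkeley.edu, not by edu."""
    out = []
    for z in zones:
        if fqdn(z) == fqdn(zone):
            continue
        parent_zone = zone_for(parent_name(z), zones)
        if parent_zone is not None and fqdn(parent_zone) == fqdn(zone):
            out.append(z)
    return sorted(out)


# Constructed zone list matching Figure 115.
ZONES = ["edu", "berkeley.edu", "mit.edu", "ssl.berkeley.edu"]

if __name__ == "__main__":
    for host in ("www.berkeley.edu", "setiathome.ssl.berkeley.edu", "www.mit.edu"):
        print(fqdn(host), "->", zone_for(host, ZONES))
    print("edu delegates:", delegations("edu", ZONES))
```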

Configuring DNS zones
Use the DNS Zone Manager window to configure the DNS zone objects. These objects can be identified
when selecting the Hosted Single Server or Hosted Split Server DNS configuration for use with a firewall in
the DNS area of the Firewall window. For general information about DNS, see DNS zones on page 312.
Figure 116 DNS Zone Manager window




Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Object Name — Specify the name of the DNS zone.

• Domain Name — Specify the domain name of the new zone for which the firewall is authoritative. For
  the purposes of this field, the zone name is the same as the domain name although the zone does not
  always incorporate the entire domain.

• Description — Provide information about the DNS Zone object being created.

• OK — Save the changes that were made on all of the tabs in this window.

• Cancel — Close this window without saving any changes.

      Tabs
      This window has the following tabs:
      • Configuration — Specify the zone type and configure properties particular to each type. For more
        information, see DNS Zone Manager window: Configuration tab on page 316.

      • Advanced Configuration — [Available only if the value of the Zone Type field is Master or Slave]
        Specify properties that affect the name server's interaction with other devices (for example, enabling
        notification of zone changes and identifying the hosts allowed to query the name server or request zone
        transfers). For more information, see DNS Zone Manager window: Advanced Configuration tab on
        page 318.

      • Resource Records — [Available only if the value of the Zone Type field is Master] Specify the resource
        record types that are most commonly used on the firewall. For more information, see DNS Zone Manager
        window: Resource Records tab on page 319.

      DNS Zone Manager window: Configuration tab
      Use the Configuration tab of the DNS Zone Manager window to specify the type of zone and configure
      properties associated with the selected zone type. To view the fields on the Configuration tab, see
      Figure 116 on page 315.

      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.

      3 Make sure that the Configuration tab is selected.

      Fields and buttons
      This tab has the following fields and buttons:
      • Zone Type — Allows you to indicate whether the zone is configured as Master, Slave, or Forward. Fields
        and controls vary according to the selected zone type.

      • Master — Indicates that the name server is the master of the zone (authoritative). When this option is
        selected, the following fields are available:

         • Notify other servers — Use this field to specify other name servers that should be notified when the
           zone information is updated. This is to ensure that zone changes on the master are propagated to the
           slaves.

             This field is not visible in the McAfee Firewall Enterprise Admin Console. Values specified here will
             be lost if you subsequently use the Admin Console to modify the configuration.

         • Allow Transfer — Use this field to specify any hosts and/or networks that are permitted to make zone
           transfers.

         • Name server advertisement — Use this field to specify the host name or fully qualified domain name
           under which the firewall is advertised as a name server for this domain (the firewall uses it when it
           generates the zone's SOA record).

         • Contact person — Use this field to specify the E-mail address of the person responsible for managing
           the zone. Use the following format to specify the address: admin_name.domain_name. As in the SOA
           RNAME field, the @ of the address is written as a period (for example, hostmaster@example.com is
           entered as hostmaster.example.com).

         • Serial Number — [Read-only] Displays a number that is used by slave name servers to keep their
           zone data up to date. This number is generated and maintained by the master name server.

         • Reverse Zone — Determines whether the zone is a reverse lookup zone. This checkbox is cleared by
           default. If you select this option, you may use the Resource Records tab of this window to add PTR
           resource records.








   • Generate PTR Records — Determines whether PTR resource records are generated automatically.
     This checkbox is cleared by default. Selecting this option enables the following fields:

       • Network — Use this field to specify the networks that are contained by this zone. Networks are
         specified using the Classless Inter-Domain Routing (CIDR) notation. This consists of the network
         part of the IP address, followed by a forward slash, followed by the number of bits in the mask (for
         example, 10.0.0.0/8).

       • Reverse Zone Name — Use this field to indicate the host name portion of the in-addr.arpa domain
         name, that is, the octets of the network in the Network field in reverse order (for example, 1.10 for
         the network 10.1.0.0/16, giving the domain 1.10.in-addr.arpa). This field is filled in automatically
         when you change and then leave the Network field. You must check the value to ensure that it is
         correct.

            The firewall uses the information in this field to create PTR resource records.

            Note: The following fields require a time period. Specify data in these fields in the form of a
            number followed by a letter (for example, 4d). The letter has the following significance:
            s = seconds (default), m = minutes, h = hours, d = days.

       • Default time-to-live — Use this field to specify the amount of time that resource records may
         remain cached on non-authoritative servers. The default value is four days (4d).

            When a query is answered by this name server, the external name server that initiated the query
            caches the resource records that resolved the query. External name servers are not authoritative
            for this zone, however, and must not keep the resource records forever.

            This value is overridden by any time-to-live value specified in the resource record.

            This field is not visible in the McAfee Firewall Enterprise Admin Console. The value specified here
            will be lost if you subsequently use the Admin Console to modify the configuration.

       • SOA time-to-live — Use this field to specify the amount of time that a Start Of Authority resource
         record may remain cached on non-authoritative servers. The default value is three hours (3h).

            External name servers send queries to obtain the name of the authoritative name server in a zone.
            When the firewall answers the query, the external name server that initiated the query caches the
            SOA resource record. External name servers are not authoritative for this zone, however, and must
            not keep the SOA resource record forever.

            This field is not visible in the Admin Console. The value specified here will be lost if you subsequently
            use the Admin Console to modify the configuration.

       • Negative response time-to-live — Use this field to specify the amount of time that a negative
         response may remain cached on non-authoritative servers. The default value is one day (1d).

            If the firewall responds negatively to a query from an external name server (for example, the
            sought-after host does not exist), the external name server caches this information for future
            reference. External name servers are not authoritative for this zone, however, and must not keep
            the negative response forever.

       • Expiration — Use this field to specify how long a slave name server keeps serving its copy of the
         zone while it is unable to reach the master to refresh it. The default value is 15 days (15d).
            If this expiration point is reached, the slave name server no longer answers queries for this zone.

       • Refresh interval — Use this field to specify the amount of time between refreshes. The default
         value is 12 hours (12h).
            A slave name server will check at this time to determine if it needs to refresh its zone data from the
            master name server.








             • Retry interval — Use this field to specify the time interval between retries in a failed connection
               situation. The default value is two hours (2h).

                  If a slave name server is unable to reach the master name server to refresh its zone data, it waits
                  this amount of time before it tries again.

      • Slave — Indicates that the name server is a slave in the zone. When this option is selected, the following
        fields are available:

         • Other authoritative servers — Specify the name servers from which this slave can obtain the zone
           by zone transfer. If more than one name server is listed, the first in the list has the highest
           priority.

         • Reverse Zone — Determines whether the zone is a reverse lookup zone. This checkbox is cleared by
           default. If you select this option, you may use the Resource Records tab of this window to add PTR
           resource records.

         • Generate PTR Records — Determines whether PTR resource records are generated automatically.
           This checkbox is cleared by default. Selecting this option enables the following fields:

             • Network — Use this field to specify the networks that are contained by this zone. Networks are
               specified using the Classless Inter-Domain Routing (CIDR) notation. This consists of the network
               part of the IP address, followed by a forward slash, followed by the number of bits in the mask (for
               example, 10.0.0.0/8).

             • Reverse Zone Name — Use this field to indicate the host name portion of the in-addr.arpa domain
               name, that is, the octets of the network in the Network field in reverse order (for example, 1.10
               for the network 10.1.0.0/16, giving the domain 1.10.in-addr.arpa). This field is filled in
               automatically when you change and then leave the Network field. You must check the value to
               ensure that it is correct.

                  The firewall uses the information in this field to create PTR resource records.

      • Forward — Indicates that queries for names in the zone are forwarded to another name server. When
        this option is selected, the following field is available:

         • Forwarders — Specify one or more forwarders for the zone.
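The time-period format, the SOA timer fields and the Reverse Zone Name derivation described above, worked through as an added example. This is not code from the Control Center product or from this guide: it parses the number-plus-letter format the tab uses, applies the usual consistency rules to the SOA timers (using the tab's default values as defaults), and derives the in-addr.arpa name for a Network value so the automatically filled field can be checked. The network 10.1.0.0/16 and the address-to-name mapping passed to ptr_records are constructed inputs.

```python
"""Checks for the Configuration tab's time periods and reverse zone name.

Added example; this is not code from the Control Center product or this
guide. It parses the number-plus-letter time format the tab uses, applies
the usual consistency rules to the SOA timers, and derives the in-addr.arpa
name that the Reverse Zone Name field should contain for a given Network.
"""
import ipaddress

# Unit letters the time-period fields accept; a bare number means seconds.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_period(value):
    """Convert '4d', '3h', '900' and the like to seconds."""
    text = value.strip().lower()
    if text and text[-1] in UNITS:
        number, factor = text[:-1], UNITS[text[-1]]
    else:
        number, factor = text, 1
    if not number.isdigit():
        raise ValueError("bad time period: %r" % value)
    return int(number) * factor


def check_soa_timers(refresh="12h", retry="2h", expire="15d"):
    """Return the problems found with the SOA timers (an empty list means OK).

    The defaults are the tab's defaults. The rules are the operational ones
    from RFC 1912 section 2.2: a slave must retry more often than it
    refreshes, and must not expire the zone before at least one
    refresh-plus-retry cycle has had a chance to succeed.
    """
    r, t, e = (parse_period(v) for v in (refresh, retry, expire))
    problems = []
    if t >= r:
        problems.append("retry %s must be shorter than refresh %s" % (retry, refresh))
    if e <= r + t:
        problems.append("expire %s must exceed refresh + retry" % expire)
    return problems


def reverse_zone_name(network):
    """in-addr.arpa zone name for an octet-aligned IPv4 network.

    Only /8, /16 and /24 networks map to a single in-addr.arpa zone; other
    prefix lengths need classless delegation (RFC 2317), so they are refused
    here and left for the administrator to enter by hand.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("%s is not an octet-aligned IPv4 network" % network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_records(network, hosts):
    """Build (owner, target) PTR pairs for the hosts inside the network.

    hosts maps IPv4 address strings to fully qualified names (constructed
    input). Addresses outside the network are returned separately instead
    of being dropped silently.
    """
    net = ipaddress.ip_network(network, strict=True)
    zone = reverse_zone_name(network)
    kept = net.prefixlen // 8
    records, outside = [], []
    for addr in sorted(hosts, key=ipaddress.ip_address):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            outside.append(addr)
            continue
        host_part = ".".join(reversed(str(ip).split(".")[kept:]))
        target = hosts[addr] if hosts[addr].endswith(".") else hosts[addr] + "."
        records.append(("%s.%s." % (host_part, zone), target))
    return records, outside
```

Calling check_soa_timers() with no arguments checks the tab's defaults and returns an empty list; reverse_zone_name("10.1.0.0/16") returns 1.10.in-addr.arpa, which is the domain the Reverse Zone Name field should correspond to for that network.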

      DNS Zone Manager window: Advanced Configuration tab
      Use the Advanced Configuration tab of the DNS Zone Manager window to configure properties that affect
      the name server's interaction with other devices.
      Note: This tab is accessible only if the value of the Zone Type field that is selected on the Configuration tab of
      the DNS Zone Manager window is Master or Slave.

      Figure 117 DNS Zone Manager window: Advanced Configuration tab








Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.

3 Make sure that the value for the Zone Type field on the Configuration tab is set to either Master or
   Slave.

4 Select the Advanced Configuration tab. The Advanced Configuration tab of the DNS Zone Manager
   window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Enable notify — Determines whether the master server notifies all slave servers when the zone changes.
  This checkbox is selected by default.

• allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all
  requesters are authorized.

• allow-update — Specify particular hosts that are allowed to update the zone. This field is valid only for
  master zones. If this field is left blank, updates are not allowed from any host.
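The meaning of the three settings above, rendered as a BIND 9 zone statement as an added example. This is not code from the Control Center product or this guide, and it does not claim to show the configuration the firewall writes; the field names on this tab are the BIND option names, so the BIND syntax is the clearest way to spell out the defaults: an empty allow-query list permits any host, an empty allow-update list permits none, and allow-update exists only for master zones. Treating an empty Allow Transfer list as none, the forward only directive and the zone file naming are assumptions made here.

```python
"""Render a DNS Zone Manager object as a BIND 9 zone statement.

Added example, not code from the Control Center product or this guide. It
spells out what the Advanced Configuration tab's empty lists mean: an empty
allow-query list permits any host, an empty allow-update list permits none,
and allow-update exists only for master zones. Treating an empty Allow
Transfer list as "none" and the file naming are assumptions made here, not
statements about the firewall's own defaults.
"""


def _match_list(hosts, when_empty):
    """Format a BIND address-match list, substituting any/none when empty."""
    if hosts:
        return "{ %s; }" % "; ".join(hosts)
    return "{ %s; }" % when_empty


def zone_statement(domain, zone_type, allow_query=(), allow_update=(),
                   allow_transfer=(), notify=True, masters=(), forwarders=()):
    """Return the named.conf zone clause for one zone object."""
    kind = zone_type.lower()
    if kind not in ("master", "slave", "forward"):
        raise ValueError("zone type must be Master, Slave or Forward")
    if kind != "master" and allow_update:
        raise ValueError("allow-update is valid only for master zones")
    lines = ['zone "%s" {' % domain, "    type %s;" % kind]
    if kind == "forward":
        if not forwarders:
            raise ValueError("a forward zone needs at least one forwarder")
        lines.append("    forward only;")  # assumed: every query is forwarded
        lines.append("    forwarders { %s; };" % "; ".join(forwarders))
    else:
        if kind == "slave":
            if not masters:
                raise ValueError("a slave zone needs at least one master")
            lines.append("    masters { %s; };" % "; ".join(masters))
        lines.append('    file "%s.%s";' % (domain, kind))  # assumed file naming
        lines.append("    notify %s;" % ("yes" if notify else "no"))
        # Empty allow-query means any host; empty allow-transfer is assumed
        # to mean none here; empty allow-update means none (master only).
        lines.append("    allow-query %s;" % _match_list(allow_query, "any"))
        lines.append("    allow-transfer %s;" % _match_list(allow_transfer, "none"))
        if kind == "master":
            lines.append("    allow-update %s;" % _match_list(allow_update, "none"))
    lines.append("};")
    return "\n".join(lines)
```

For a master zone created with only Allow Transfer filled in, the result contains allow-query { any; }, allow-transfer { 192.0.2.10; } and allow-update { none; }, which is the combination the tab's defaults describe.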

DNS Zone Manager window: Resource Records tab
Use the Resource Records tab of the DNS Zone Manager window to specify the resource record types that
are most commonly used on the firewall. For more information about record types, see Resource record
types on page 320.
Note: This tab is accessible only if the value for the Zone Type field on the Configuration tab of the DNS Zone
Manager window is set to Master.

Figure 118 DNS Zone Manager window: Resource Records tab




Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.

3 Make sure that the value for the Zone Type field on the Configuration tab is set to Master.

4 Select the Resource Records tab. The Resource Records tab is displayed.








      Fields and buttons
      This tab has the following fields and buttons:
      • Type — Specify the type of a resource record.

      • Name — Specify name information for a resource record. A resource record without a value in its Name
        field takes the name of the preceding record. The NS (Name Server) record that is created automatically
        by the firewall is at the top of the list but has no name; consequently, it takes the name of the SOA (Start
        of Authority) record that is also created automatically by the firewall but not shown on the DNS Zone
        Manager - Resource Records page.

          For an example of resource records, see Resource record types on page 320.

          If you change the order of the resource records in the table, you must ensure that unnamed records
          are placed in a position that gives them the desired name.

      • Time to Live — Specify the time to live (TTL) encoded in a resource record, if any.

      • Data — Specify the data encoded in a resource record.

      • Enabled — Determines whether the resource record is enabled.

      • Navigation arrows — Use the move up and move down arrows to change the order of a resource record in
        this table.

      Resource record types
      Resource Record Types are used when configuring zone records associated with a particular zone using the
      DNS Zone Manager window.
      The following table provides a list of resource record types that are most commonly used on the firewall.
      Note: The following resource record types defined in the table are not supported by the McAfee Firewall Enterprise
      Admin Console:

      • AAAA

      • LOC

      • RP

      • SRV

      Resource records follow the general format:
          owner TTL class type data
          or

          owner class TTL type data
      In both forms, class is always IN for Internet; TTL, or time-to-live, is optional; owner is also sometimes
      called name.
      Table 13 Resource record types

      PTR (pointer)*
         Owner (Name): The reverse zone name.
         Data: The zone's domain name or the fully qualified domain name of a host.
         Purpose: Address-to-name mapping; this record is needed to find a host name given an IP address.

      SOA (Start of Authority)*
         Owner (Name): The zone's domain name.
         Data: Master name server information.
         Purpose: Indicates to other name servers that this name server is authoritative for the zone.

      A (Address)
         Owner (Name): The fully qualified domain name of a host.
         Data: IP address.
         Purpose: Maps a fully qualified domain name to an IP address.

      AAAA (IPv6 Address)
         Owner (Name): The fully qualified domain name of a host.
         Data: IPv6 address.
         Purpose: Maps a fully qualified domain name to an IPv6 address.

      CNAME (Canonical Name)
         Owner (Name): An alias fully qualified domain name.
         Data: The real fully qualified domain name.
         Purpose: Creates an alias for a particular host.

      HINFO (Host Information)
         Owner (Name): The fully qualified domain name of a host.
         Data: A pair of strings identifying the host's hardware type and operating system.
         Purpose: Specifies the machine (hardware) type and operating system name for a host.

      LOC (Location)
         Owner (Name): The fully qualified domain name of a host.
         Data: Latitude, longitude, and altitude.
         Purpose: Specifies the physical location of a host on the planet.

      MX (Mail Exchanger)
         Owner (Name): The zone's domain name.
         Data: A preference number and the fully qualified domain name of the mail server.
         Purpose: Specifies the mail exchange servers that are available for a zone.

      NS (Name Server)
         Owner (Name): The zone's domain name.
         Data: The fully qualified domain name of the name server.
         Purpose: Specifies an authoritative name server for the zone.

      RP (Responsible Person)
         Owner (Name): The zone's domain name or the fully qualified domain name of a host.
         Data: The E-mail address (in domain name format) and the fully qualified domain name of a host with
         additional information (in TXT records).
         Purpose: Indicates who is responsible for a host or zone.

      SRV (Service)
         Owner (Name): The service and protocol name followed by the domain name (in the form
         _service._protocol.name).
         Data: Priority, weight, port number, and the fully qualified domain name of the host that carries the
         service.
         Purpose: Maps a service like FTP or HTTP to one or more hosts. The hosts can be given priority and weight
         to facilitate load distribution.

      TXT (Text)
         Owner (Name): The fully qualified domain name of a host.
         Data: Text strings.
         Purpose: Presents textual information about a host.

      * SOA records are generated automatically by the firewall. PTR records are generated if you select the Generate
        PTR Records checkbox on the Configuration tab of the DNS Zone Manager window, or they are allowed if you select
        the Reverse Zone checkbox on that tab.

Resource record example
The following example should be used as a guide when creating or defining resource records.
Caution: A resource record without a value in its Name field takes the name of the preceding record. The NS
(Name Server) record that is created automatically by the firewall is at the top of the list but has no name;
consequently, it takes the name of the SOA (Start of Authority) record that is also created automatically by the
firewall but not shown on the Resource Records tab of the DNS Zone Manager window. The name of the SOA
record is obtained from the Domain Name and Name server advertisement parameters that are set on the
Configuration tab of the DNS Zone Manager window.

The following table shows an example of resource records.
Table 14 Resource records example

Order   Name          Type    Data             TTL   Enabled

1                     NS      nameserver

2                     MX      10 mailserver1

3       nameserver    A       10.1.0.2

4       mailserver1   A       10.1.0.3

5       www           A       10.1.0.3

6       mail          CNAME   mailserver1

7       ftp           CNAME   www

           Notice that the NS record in Entry 1 does not have a name; therefore, it takes the name of the SOA record
           that is created by the firewall. The MX record in Entry 2 takes the name of the NS record in Entry 1.
           If you change the order of the resource records in the table, you must ensure that unnamed records are
           placed in a position that gives them the desired name.
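The naming rule in the caution above, applied to Table 14 as an added example that is not part of this guide or of the product. The zone name example.com is assumed, and the rows are the guide's example table entered as constructed data. resolve_owners fills in the blank names the way the tab does (the hidden SOA record sits above row 1), owner_changes shows what a reorder would do to the unnamed MX record before you move it, and cname_conflicts catches an alias that shares its owner with another record, which a zone must not contain.

```python
"""Work out the owner names of a Resource Records table (added example).

The Resource Records tab stores a name only when one is typed: a record with
a blank Name takes the name of the record above it, and a blank name at the
top of the table takes the SOA name, which is the zone's domain name. This
code reproduces that rule so the effect of reordering rows can be checked
before the zone is saved. The zone name example.com is assumed.
"""

# Table 14 as (name, type, data), constructed from the guide's example.
TABLE_14 = [
    ("",            "NS",    "nameserver"),
    ("",            "MX",    "10 mailserver1"),
    ("nameserver",  "A",     "10.1.0.2"),
    ("mailserver1", "A",     "10.1.0.3"),
    ("www",         "A",     "10.1.0.3"),
    ("mail",        "CNAME", "mailserver1"),
    ("ftp",         "CNAME", "www"),
]


def absolute(name, zone):
    """Qualify a relative owner with the zone; names ending in '.' are left alone."""
    if name.endswith("."):
        return name
    return zone + "." if name in ("", "@", zone) else "%s.%s." % (name, zone)


def resolve_owners(rows, zone):
    """Return [(owner, type, data)] with blank names filled in from the row above."""
    resolved = []
    previous = zone  # the SOA record the tab does not show sits above row 1
    for name, rtype, data in rows:
        owner = name.strip() or previous
        resolved.append((absolute(owner, zone), rtype, data))
        previous = owner
    return resolved


def owner_changes(rows, zone, new_order):
    """Owners that would change if the rows were reordered to new_order (1-based)."""
    before = resolve_owners(rows, zone)
    after = resolve_owners([rows[i - 1] for i in new_order], zone)
    moved = {i - 1: pos for pos, i in enumerate(new_order)}  # old index -> new position
    changes = []
    for old_index, (owner, rtype, data) in enumerate(before):
        new_owner = after[moved[old_index]][0]
        if new_owner != owner:
            changes.append((rtype, data, owner, new_owner))
    return changes


def cname_conflicts(rows, zone):
    """Owners that carry a CNAME together with any other record (not allowed)."""
    by_owner = {}
    for owner, rtype, _ in resolve_owners(rows, zone):
        by_owner.setdefault(owner, set()).add(rtype)
    return sorted(o for o, types in by_owner.items() if "CNAME" in types and len(types) > 1)


def zone_lines(rows, zone):
    """Render the rows as zone-file lines in the 'owner class type data' form."""
    lines = ["$ORIGIN %s." % zone]
    for owner, rtype, data in resolve_owners(rows, zone):
        lines.append("%-28s IN %-6s %s" % (owner, rtype, data))
    return lines
```

Moving the MX record from row 2 to below the www record (new order 1, 3, 4, 5, 2, 6, 7) is reported by owner_changes as a change of the MX owner from example.com. to www.example.com., which is exactly the silent renaming the caution warns about.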



Scheduled jobs
           You can schedule jobs to perform routine maintenance tasks on a firewall. These tasks include exporting
           audit log files, installing or rolling back software updates, downloading available patches, checking status of
           licenses, and updating Virus Scan and IPS (Intrusion Prevention System) signature files. Scheduled jobs
           are run by the cron daemon.


           Scheduling jobs
           Use the Scheduled Jobs window to schedule jobs that perform routine maintenance tasks on a firewall. Use
           the Scheduled Jobs window to identify the tasks, the commands to run, and the schedule for running them.
           You may select the frequency with which jobs are run (for example, hourly, daily, weekly), or you may
           create a custom schedule for running them (for example, check system audit partition use at five minutes
           past every hour of every day).
      Figure 119 Scheduled Jobs window




           Accessing this window
           1 In the Configuration Tool, select the Firewall Settings group bar.

           2 Double-click the Scheduled Jobs node. The Scheduled Jobs window is displayed.








Fields and buttons
• Name — Specify the name of the individual job.

• Description — Provide a description of the individual job.

• OK — Save the changes that have been made on all of the tabs in this window.

• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• Firewall Crontab — Select the jobs to be scheduled and the frequency at which they will be run. See
  Scheduled Jobs window: Firewall Crontab tab on page 323.

• Scheduled Backup — Schedule automatic configuration backups. See Scheduled Jobs window:
  Scheduled Backup tab on page 324.

Scheduled Jobs window: Firewall Crontab tab
Use the Firewall Crontab tab of the Scheduled Jobs window to select the jobs to be scheduled and the
frequency at which they will be run. Every job is recurring: its schedule must describe multiple, discrete
times throughout the year. One-time tasks cannot be scheduled. To view the fields on this tab, see
Figure 119 on page 322.

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Scheduled Jobs node. The Scheduled Jobs window is displayed.

3 Make sure that the Firewall Crontab tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Enabled — Determines whether the job is enabled. This checkbox is cleared by default. To enable the
  job, select this checkbox. You can also double-click any row to display the Custom Job Schedule window,
  in which you can specify a unique schedule.
   Note: You cannot delete default cron jobs. If you clear this checkbox, the job will not be run on the firewall.

• Name — [Read-only for default cron jobs] Displays a label for the scheduled job.

• Command — Specify the command to be run.

• Frequency — Specify the frequency with which the job is to be run. The following options are available:

   • Bimonthly

   • Monthly

   • Weekly

   • Daily

   • Hourly

   • Custom — If you select this value, you can double-click this row to display the Custom Job Schedule
     window, in which you can specify a schedule that is particular to the needs of your site.

• Custom Frequency — Displays a frequency that you have defined on the Custom Job Schedule window.

• Description — Specifies a description for the job.








         Scheduled Jobs window: Scheduled Backup tab
         Use the Scheduled Backup tab of the Scheduled Jobs window to schedule automatic configuration backups.
         You can back up configuration files to the firewall, a USB flash drive, a remote system, or a remote Control
         Center Management Server.
      Figure 120 Scheduled Jobs window: Scheduled Backup tab




         Accessing this tab
         1 In the Configuration Tool, select the Firewall Settings group bar.

         2 Double-click the Scheduled Jobs node. The Scheduled Jobs window is displayed.

         3 Select the Scheduled Backup tab.

         Fields and buttons
         This tab has the following fields and buttons:
         • Backup Destination — Use the fields in this area to specify the destination for the backup files. The
           following fields are available:

            • Local McAfee Firewall Enterprise — Select this option to save the files on the firewall. The following
              fields are available for this selection:

                • Location — Select the option that specifies the location where the backup files will be saved. The
                  following options are available:
                   • Disk — Select this option to save the file on the firewall.

                   • USB flash drive — Select this option to save the backup file on a flash drive that is inserted into
                     the USB port on the firewall.







       • Maintain local configuration backups — Select the option to determine the number of backup
         files to maintain. The following options are available:
          • Keep all backups — Select this option to keep all of the backup files.

          • Keep the last n backups — [Available only if remote backups are not enabled] Select this option
            to only keep the last number of backups that you specify. If this limit is reached, the latest backup
            will overwrite the oldest backup file.

   • Remote backup (SCP) — Select this option to save the files on a remote system. The following fields
     are available for this selection:

       • Username — Specify the user name of a user on the remote system. If the remote system is a
         firewall, this is a firewall administrator.

       • Password — Specify the password that is used to authenticate the user to the remote system. (The
         firewall does not save the password.)

       • Hostname — Specify the host name or IP address of the remote system.

       • Port — Specify the port on the remote system. The default value is 22.

       • Directory — Specify the directory on the remote system where the configuration files are stored.
         If the remote system is a firewall, the home directory of the administrator is the default value.
   • Control Center Management Server — Select this option to save the files on the Control Center
     Management Server. The following fields are available for this selection:

       • Username — Specify the user name of an administrator on the Control Center Management Server.

       • Keep the last n backups — Select this option to only keep the last number of backups that you
         specify. If this limit is reached, the latest backup will overwrite the oldest backup file.

       • Password — Specify the password that is used to authenticate the administrator to the Control
         Center Management Server.

• Backup Schedule — Use the fields in this area to configure the schedule for the backups. The following
  fields are available:
   • Frequency — Specify the frequency for exporting the file. The rest of the fields in this area are
     contingent on the value that you select. The following values are available:

       • Hourly — Indicates that the backup will be run once an hour.
          • n minutes after the hour — Specify the minute past the hour at which the backup is run.

       • Daily — Indicates that the backup will be run every day at the hour that you specify.
          • Randomize by up to n minutes — Offsets the start time by a random number of minutes, up to n,
            chosen anew each day.

       • Weekly — Indicates that the backup will be run at the selected time on the selected days of the
         week. You can select multiple days.
          • Randomize by up to n minutes — Offsets the start time by a random number of minutes, up to n,
            chosen anew on each selected day.

       • Monthly — Indicates that the backup will be run at the selected time on the selected days of the
         month. You can select multiple days.
          • Randomize by up to n minutes — Offsets the start time by a random number of minutes, up to n,
            chosen anew on each selected day.








              • Custom — Indicates that the backup will be run according to a schedule that you configure. Use
                the values in these fields in accordance with the standard UNIX crontab syntax. The following fields
                are available:
                 • Minute — Specify the minute at which the backup will be run.

                 • Hour — Specify the hour at which the backup will be run.

                 • Day of month — Specify the day of the month on which the backup will be run.

                 • Month — Specify the month in which the backup will be run.

                  • Day of week — Specify the day of the week on which the backup will be run.
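The five Custom fields above, evaluated as an added example that is not code from the Control Center product or this guide. It parses each field in standard crontab syntax, rejects out-of-range values, finds the next time a schedule fires, and applies a random delay of the kind the Randomize by up to n minutes setting describes. The five-past-every-hour schedule from the Scheduled jobs introduction and the weekly and either-or schedules are constructed inputs; the either-or treatment of day of month and day of week (when both are restricted the job runs when either matches) is classic cron behaviour, assumed here to apply to the firewall's cron as well.

```python
"""Evaluate a Custom backup schedule written in UNIX crontab syntax.

Added example, not code from the Control Center product or this guide. It
parses the five Custom fields (minute, hour, day of month, month, day of
week), reports values that are out of range, finds the next time the
schedule fires, and applies the same kind of random delay as the
"Randomize by up to n minutes" setting. Day of month and day of week are
treated as in classic cron: when both are restricted, either one fires
the job (assumed to match the firewall's cron).
"""
import datetime
import random

# (field name, lowest value, highest value) in crontab order.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("day_of_week", 0, 7))


def when(text):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (helper for callers)."""
    return datetime.datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_field(spec, low, high):
    """Expand one field ('*', '5', '1-5', '*/15', '1,15') into a set of integers."""
    values = set()
    for part in spec.replace(" ", "").split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = low, high
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if step < 1 or not (low <= start <= end <= high):
            raise ValueError("%r is outside %d-%d" % (part, low, high))
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(minute, hour, day_of_month, month, day_of_week):
    """Turn the five Custom fields into a schedule; Sunday may be 0 or 7."""
    specs = (minute, hour, day_of_month, month, day_of_week)
    sched = {name: parse_field(spec, low, high)
             for (name, low, high), spec in zip(FIELDS, specs)}
    if 7 in sched["day_of_week"]:
        sched["day_of_week"].discard(7)
        sched["day_of_week"].add(0)
    sched["dom_any"] = day_of_month.strip() == "*"
    sched["dow_any"] = day_of_week.strip() == "*"
    return sched


def _day_matches(sched, t):
    """Month and day test, with cron's either-or rule for the two day fields."""
    cron_dow = (t.weekday() + 1) % 7      # Python: Monday = 0; cron: Sunday = 0
    dom_hit = t.day in sched["day_of_month"]
    dow_hit = cron_dow in sched["day_of_week"]
    if sched["dom_any"] or sched["dow_any"]:
        day_hit = dom_hit and dow_hit
    else:
        day_hit = dom_hit or dow_hit
    return t.month in sched["month"] and day_hit


def matches(sched, t):
    """True if the schedule fires at the given minute."""
    return (_day_matches(sched, t) and t.hour in sched["hour"]
            and t.minute in sched["minute"])


def next_run(sched, after, jitter_minutes=0, rng=random):
    """First firing strictly after `after`, delayed by 0..jitter_minutes minutes."""
    t = after.replace(second=0, microsecond=0) + datetime.timedelta(minutes=1)
    limit = t + datetime.timedelta(days=366 * 4)   # long enough for 29 February
    while t < limit:
        if not _day_matches(sched, t):
            t = (t + datetime.timedelta(days=1)).replace(hour=0, minute=0)
        elif t.hour not in sched["hour"]:
            t = (t + datetime.timedelta(hours=1)).replace(minute=0)
        elif t.minute not in sched["minute"]:
            t += datetime.timedelta(minutes=1)
        else:
            delay = rng.randint(0, jitter_minutes) if jitter_minutes > 0 else 0
            return t + datetime.timedelta(minutes=delay)
    raise ValueError("schedule never fires (for example, month 2 with day 31)")
```

parse_schedule("5", "*", "*", "*", "*") is the five-past-every-hour schedule from the introduction; next_run on it from 2009-01-01 10:30 returns 11:05 the same day, and with jitter_minutes set the result lands somewhere in the following n minutes, as the Randomize setting does for the fixed frequencies.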



Third-party updates
        The firewall examines the content of a connection after it has matched a rule as a way of providing
        additional security. In the Third-Party Updates window, you can specify a schedule on which the signature
        files and databases used by the following content inspection methods are updated:
       • Virus Scan — Schedule and download virus scan signature packages.

       • Intrusion Prevention System (IPS) — Schedule and download IPS signature packages.

       • Geo-Location — Schedule and download Geo-Location database updates.


       Configuring third-party update schedules
       Use the Third-Party Updates window to configure a schedule for updating Virus Scan signature files, IPS
       (Intrusion Prevention System) signature files, and Geo-Location network objects.
       Figure 121 Third-Party Updates window




       Accessing this window
       1 In the Configuration Tool, select the Firewall Settings group bar.

       2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed.








Fields and buttons
This window has the following fields and buttons:
• Name — [Required] Specifies a label used to refer to the update configuration.

• Description — Specifies information about the update configuration.

• OK — Save the changes that have been made on all of the tabs on this window.

• Cancel — Close this window without saving any changes.

Tabs
This window also has the following tabs:
• Virus Scan Signature Updates — Configure a schedule for updating Virus Scan signature files. See
  Third-Party Updates window: Virus Scan Signature Updates tab on page 327.

• IPS Signature Updates — Configure a schedule for updating IPS signature files. See Third-Party
  Updates window: IPS Signature Updates tab on page 328.

• Geo-Location Updates — Configure a schedule for updating the Geo-Location database that maps
  countries to IP addresses. See Third-Party Updates window: Geo-Location Updates tab on page 330.

Third-Party Updates window: Virus Scan Signature Updates tab
Use the Virus Scan Signature Updates tab of the Third-Party Updates window to establish a schedule for
automatically downloading and installing updated anti-virus signature files.
To download and install updated anti-virus signatures immediately, use the Device Control window. This
window is accessible by selecting the Device Control option on the System menu of the Configuration
Tool.
To check the version number of the currently installed anti-virus signature file, use the Antivirus Patch
Version Information report. This report is available by selecting Firewall Reports on the Reports menu of
the Configuration Tool or the Reporting and Monitoring Tool. To view the fields on this tab, see Figure 121
on page 326.

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed.

3 Make sure that the Virus Scan Signature Updates tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Details — Use the fields in this area to configure information about the virus scan signature updates.
  The following fields are available:

   • Download Site — Specify the Web site from which to download and install the anti-virus signature
     files. The default site is downloads.securecomputing.com.

   • Directory — Specify the path name of the directory on the download site from which to download and
     install the anti-virus signature files. The default directory is cgi-bin/avupdate.

   • Enable Automated Scanner Engine Updates — Determines whether updates to the anti-virus
     engine are automatically installed. This checkbox is cleared by default. If this checkbox is selected and
     an uninstalled anti-virus engine update is available, the engine update will be installed the next time
     that updated anti-virus signature files are installed.

         • Enable Email Notification — Determines whether the administrator is notified about anti-virus
           signature updates. This checkbox is cleared by default. Selecting this checkbox enables the following
           field:

             • Recipient — Specify the e-mail address of the administrator to be notified when anti-virus
               signature updates have been installed (for example, admin@domain.com).

      • Enable Automated Download and Install — Use the fields in this area to specify the frequency at
        which anti-virus signature files are downloaded and installed. The following fields are available:

         • Frequency — Specify whether updated anti-virus signature files are downloaded and installed
           automatically. By default, N/A is selected. In this case, updated signature files are not automatically
           downloaded and installed. The following options are available:

              • Hourly — Indicates that signature files are updated every hour. If this option is selected, use the
                Time field to set the desired time of day.

             • Daily — Indicates that signature files are updated every day. If this option is selected, use the Time
               field to set the desired time of day.

             • Weekly — Indicates that signature files are updated once a week. If this option is selected, use the
               Day and Time fields to set the desired day of the week and time.

         • Day — Specify the day of the week when anti-virus signature files are updated.

         • Time — Specify the time of day when anti-virus signature files are updated. This value is expressed
           in a 24-hour (official time) format, where hh:mm denotes hours:minutes.

      Third-Party Updates window: IPS Signature Updates tab
      Use the IPS Signature Updates tab of the Third-Party Updates window to establish a schedule for
      automatically downloading and installing updated IPS signatures.
      To download and install updated IPS signatures immediately, use the Device Control window. This window
      is accessible by selecting the Device Control option on the System menu of the Configuration Tool.
      To check the version number of the currently installed IPS signature file, use the IPS Signature Version
      report. This report is available by selecting Firewall Reports on the Reports menu of the Configuration
      Tool or Reporting and Monitoring Tool.
      Figure 122 Third-Party Updates window: IPS Signature Updates tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.

2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed.

3 Select the IPS Signature Updates tab.

Fields and buttons
This tab has the following fields and buttons:
• Details — Use the fields in this area to configure information about the IPS signature updates. The
  following fields are available:

   • Download Site — Specify the site from which to download the updated IPS signatures. The default
     site is downloads.securecomputing.com.

   • Directory — Specify the path name of the directory from which to download the updated IPS
     signatures. The default directory is cgi-bin/sigupdate.py.

   • Enable Email Notification — Determines whether the administrator is notified about IPS signature
     updates. This checkbox is cleared by default. Selecting this checkbox enables the following field:

       • Recipient — Specifies the e-mail address of the administrator to be notified when updated IPS
         signatures have been installed (for example, admin@domain.com).

• Enable Automated Download and Install — Use the fields in this area to specify the frequency at
  which IPS signature files are downloaded and installed. The following fields are available:

   • Frequency — Specify whether updated IPS signature files are downloaded and installed automatically.
     By default, N/A is selected. In this case, updated signature files are not automatically downloaded and
     installed. The following options are available:

        • Hourly — Indicates that signature files are updated every hour. If this option is selected, use the
          Time field to set the desired time of day.

       • Daily — Indicates that signature files are updated every day. If this option is selected, use the Time
         field to set the desired time of day.

       • Weekly — Indicates that signature files are updated once a week. If this option is selected, use the
         Day and Time fields to set the desired day of the week and time.

   • Day — Specify the day of the week when IPS signature files are updated.

   • Time — Specify the time of day when IPS signature files are updated. This value is expressed in a
     24-hour (official time) format, where hh:mm denotes hours:minutes.

      Third-Party Updates window: Geo-Location Updates tab
      Use the Geo-Location Updates tab of the Third-Party Updates window to update the Geo-Location database
      with the latest country IP information. You can also schedule automatic updates and configure e-mail to
      notify you when updates are downloaded and installed.
      To download and install Geo-Location database updates immediately, use the Device Control window. This
      window is accessible by selecting the Device Control option on the System menu of the Configuration Tool.
      To check the version number of the currently installed Geo-Location file, use the Geo-Location Version
      report. This report is available by selecting Firewall Reports on the Reports menu of the Configuration
      Tool or Reporting and Monitoring Tool.
      Figure 123 Third-Party Updates window: Geo-Location Updates tab




      Accessing this tab
      1 In the Configuration Tool, select the Firewall Settings group bar.

      2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed.

      3 Select the Geo-Location Updates tab.

      Fields and buttons
      This tab has the following fields and buttons:
       • Details — Use the fields in this area to configure information about the Geo-Location updates. The
         following fields are available:

         • Download Site — Specify the Web site from which to download and install the Geo-Location files. The
           default site is downloads.securecomputing.com.

         • Directory — Specify the path name of the directory on the download site from which to download and
           install the Geo-Location files. The default directory is cgi-bin/geoupdate.py.

         • Enable Email Notification — Determines whether the administrator is notified about Geo-Location
           updates. This checkbox is cleared by default. Selecting this checkbox enables the following field:

             • Recipient — Specifies the e-mail address of the administrator to be notified when Geo-Location
               updates have been installed (for example, admin@domain.com).

       • Enable Automated Download and Install — Use the fields in this area to specify the frequency at
         which Geo-Location files are downloaded and installed. The following fields are available:

           • Frequency — Specify whether updated Geo-Location files are downloaded and installed automatically.
             By default, N/A is selected. In this case, updated Geo-Location files are not automatically downloaded
             and installed. The following options are available:

               • Hourly — Indicates that Geo-Location files are updated every hour. If this option is selected, use
                 the Time field to set the desired time of day.

               • Daily — Indicates that Geo-Location files are updated every day. If this option is selected, use the
                 Time field to set the desired time of day.

               • Weekly — Indicates that Geo-Location files are updated once a week. If this option is selected, use
                 the Day and Time fields to set the desired day of the week and time.

           • Day — Specify the day of the week when Geo-Location files are updated.

           • Time — Specify the time of day when Geo-Location files are updated. This value is expressed in a
             24-hour (official time) format, where hh:mm denotes hours:minutes.
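The Frequency, Day and Time fields behave the same way on the Virus Scan, IPS and Geo-Location tabs. The following added Python model (example code, not part of the product) validates those three fields and computes the next download-and-install time for each update type; the weekday names used for Day, and the reading that an Hourly schedule fires at the Time field's minute every hour, are assumptions.

```python
"""Constructed model of the Third-Party Updates schedule fields (Frequency, Day, Time).
Example code, not the product's own; Day names and the Hourly reading are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

FREQUENCIES = ("N/A", "Hourly", "Daily", "Weekly")
# Assumption: the Day field offers the seven weekday names, Monday first.
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
# 24-hour hh:mm, as the Time field describes it.
TIME_RE = re.compile(r"^([01]\d|2[0-3]):([0-5]\d)$")


@dataclass
class UpdateSchedule:
    frequency: str = "N/A"   # N/A: no automated download and install
    day: str | None = None   # used only when frequency is Weekly
    time: str | None = None  # hh:mm, 24-hour


def parse_time(value: str | None) -> tuple[int, int] | None:
    """Return (hour, minute) for a valid hh:mm string, else None."""
    if value is None:
        return None
    m = TIME_RE.match(value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def validate(s: UpdateSchedule) -> list[str]:
    """Return the list of field problems; an empty list means the schedule is usable."""
    problems: list[str] = []
    if s.frequency not in FREQUENCIES:
        return [f"unknown frequency {s.frequency!r}"]
    if s.frequency == "N/A":
        return problems
    if parse_time(s.time) is None:
        problems.append(f"Time must be hh:mm in 24-hour format, got {s.time!r}")
    if s.frequency == "Weekly" and s.day not in DAYS:
        problems.append(f"Weekly schedule needs a Day from {DAYS}, got {s.day!r}")
    return problems


def next_run(s: UpdateSchedule, now: datetime) -> datetime | None:
    """First download-and-install time strictly after `now`, or None for an N/A schedule."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    if s.frequency == "N/A":
        return None
    hour, minute = parse_time(s.time)
    if s.frequency == "Hourly":
        # Assumption: fires at the Time field's minute of every hour.
        candidate = now.replace(minute=minute, second=0, microsecond=0)
        if candidate <= now:
            candidate += timedelta(hours=1)
        return candidate
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if s.frequency == "Daily":
        if candidate <= now:
            candidate += timedelta(days=1)
        return candidate
    # Weekly: move forward to the configured weekday, then past `now` if needed.
    candidate += timedelta(days=(DAYS.index(s.day) - now.weekday()) % 7)
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def next_run_iso(s: UpdateSchedule, now_iso: str) -> str | None:
    """Same as next_run, with ISO 8601 text in and out (convenient for scripting)."""
    result = next_run(s, datetime.fromisoformat(now_iso))
    return None if result is None else result.isoformat()


def unscheduled(schedules: dict[str, UpdateSchedule]) -> list[str]:
    """Update types still at N/A, i.e. signatures or Geo-Location data never auto-updated."""
    return [name for name, s in schedules.items() if s.frequency == "N/A"]


if __name__ == "__main__":
    now = datetime(2009, 6, 3, 10, 30)  # constructed: a Wednesday
    plan = {
        "Virus Scan": UpdateSchedule("Hourly", time="00:45"),
        "IPS": UpdateSchedule("Weekly", day="Friday", time="23:15"),
        "Geo-Location": UpdateSchedule(),
    }
    for name, sched in plan.items():
        print(f"{name:12} next run: {next_run(sched, now)}")
    print("never auto-updated:", unscheduled(plan))
```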



Software update package status
       You can create a schedule on the Control Center to check for the availability of packages on the Secure
       Computing Corporation download site by using the Package Load Configuration window.


       Establishing a schedule to check for software updates
       Use the Package Load Configuration window to establish a schedule to check for the availability of packages
       on the Secure Computing Corporation download site and to download them to a firewall. You can then use
       the Software Updates Tool to schedule downloaded packages for installation on the firewall.
       Figure 124 Package Load Configuration window




       Accessing this window
       1 In the Configuration Tool, select the Firewall Settings group bar.

       2 Double-click the Package Load node in the tree. The Package Load Configuration window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
       • Name — [Required] Specify a label used to identify the package load configuration.

      • Description — Provide information about the package load configuration.

      • Automatically check for and load packages — Determines whether to automatically check for
        available packages and download them to the firewall. This checkbox is cleared by default.

      • Automatically check for available packages — Determines whether to automatically check for
        available packages. This checkbox is cleared by default. If you select this option, a list of packages with
        Status of Available is displayed in the Manage Packages table on the firewall. (This table is accessible
        from the McAfee Firewall Enterprise Admin Console by selecting Maintenance -> Software
        Management.)

      • Restore Defaults — Restore the default settings for the remaining fields in this window.

      • Load Using — Specify the protocol to use for downloading a package to the firewall. The following values
        are available:

         • FTP — Indicates that File Transfer Protocol (FTP) will be used to download a package.

         • HTTPS — Indicates that Secure Hypertext Transfer Protocol (HTTPS) will be used to download a
           package.

      • Directory — Specify the path name of the directory from which to download a package (for example,
        packages/sidewinder/7.0).

      • Host — Specify the host name of the site from which to download a package (for example,
        downloads.securecomputing.com).

      • Port — Specify the port number to use to connect to the specified host. The default value is 21 for FTP
        and 443 for HTTPS.

      • User Name — Specify the user account to use to connect to the specified host. The default value is
        anonymous.

      • Password — Specify the password associated with the specified user name.

      • Confirm Password — Re-specify the password associated with the specified user name.

      • Frequency — Specify the frequency at which to check for the availability of packages. The following
        values are available:

          • Hourly

          • Daily

         • Weekly

         • Monthly

         • Bimonthly

         A time of day will be randomly generated when Frequency is changed.

       • Enable e-mail notifications for install, uninstall, automatic load and rollback — Determines
         whether e-mail is used to notify the firewall administrator of such software management activities as
         installation, uninstallation, automatic loading of packages, and rollback of the firewall to a previous state.
         This checkbox is not selected by default. If you select this option, the E-mail User field is enabled.

       • E-mail User — Specify the name of the firewall administrator to be notified by e-mail about software
         management activities.

7      Configuration Tool - Policy


       Contents
       Policy objects
       Network objects
       Services
       Application defenses
       IPS inspection
       Authentication services
       Firewall users
       VPN
       Rules
       URL translation rules
       Alert processing rules
       SSH known hosts



Policy objects
       Internet applications, such as e-mail, Web browsing, and instant messaging have become essential
       methods of communicating with your customers, suppliers, and partners. But you must balance the uses of
       these vital applications with the associated risks of unwanted content, malware, and unauthorized usage.
       While security is a top priority for most corporations, many consider it sufficient to simply set up a firewall
       to protect against unauthorized access. However, as threats and legal environments change, companies
       must struggle to stay ahead of direct attacks on critical business content and resources. Protecting
       corporate content while it is stored and transported must become a priority. The issues behind content
       security, the development of direct attacks against e-mail, content, and messaging are real and must be
       considered as part of the entire security policy that is deployed to protect corporate assets.
       To this end, an array of content security tools is supported through the firewall.
       The following content security objects can be managed through the Control Center in the Policy group bar
       of the Configuration Tool:
       • Network objects — Specify source or destination conditions in rules. For more information, see Network
         objects on page 336. The following categories of endpoint objects are defined on the firewall:

           • Hosts — Specify a fully qualified host name or an IP address.

          • Networks — Specify an entire sub-network to use as an endpoint.

          • Address ranges — Specify an inclusive series of IP addresses. You can specify a portion of a
            sub-network to use as an endpoint.

          • Domains — Specify a domain to use as an endpoint.

          • Adaptive — Specify an adaptive endpoint, which is a single endpoint that can be used in different ways
            by multiple security firewalls.

          • Geo-Location — Specify a list of countries that are defined in a Geo-Location object to use as an
            endpoint.

          • Burbs — Specify a burb to use as an endpoint.

          • Burb groups — Specify a burb group to use as an endpoint.

          • Net groups — Specify and name groups of endpoints by using previously configured endpoint objects
            and a set of system-wide interface controls.

          You can specify these objects individually or you can import IP address, hostname, network, and
          address range objects that are defined in a file. For more information, see Importing network objects
          on page 345.

      • Services — Specify a network communications protocol. Services are used as conditions in rules. For
        more information, see Firewall objects on page 163. The firewall supports the following categories of
        network services:

          • Proxy services — Specify a network service that is associated with a proxy agent that is running on
            the firewall. The proxy agent controls communication between clients on one side of the firewall and
            servers on the other side. The user's client program communicates with the proxy agent instead of
            communicating directly with the server. The proxy agent evaluates requests from the client and
            determines the requests to permit and to deny, based on your security policy. If a request is approved,
            the proxy agent forwards the client's requests to the server and forwards the server's responses back
            to the client. The proxy agent is application aware (for example, it understands the application layer
             protocol and can interpret its commands). Proxy agents are used to create proxy services. Proxy
            services may be TCP-based or UDP-based. Many are defined by default for such TCP-based services as
            HTTP, FTP, and Telnet and for such UDP protocols as SNMP and NTP. Use the Service Manager window
            to create additional proxy services.

          • Filter services — Specify a network service that is associated with a filter agent that is running on
            the firewall. Filter agents provide another way for clients and servers to communicate. The filter agent
            inspects and passes traffic at the network layer or at the transport layer. The following types of filter
            agents are provided:

               • TCP/UDP — Transmission Control Protocol (TCP) is a transport layer protocol that is defined by a
                 specified port number or range of port numbers. User Datagram Protocol (UDP) is a transport layer
                 protocol that is defined by a specified port number or range of port numbers.

              • ICMP — Internet Control Message Protocol (ICMP) is a network layer protocol that supports packets
                that contain error, control, and informational messages.

              • IP — Internet Protocol (IP) is a network layer protocol that is defined by a protocol number.

          • Service groups — Specify a collection of network services that are defined on the firewall. See
            Configuring service groups on page 353.

      • Application Defenses — Specify the settings for inspecting advanced application-level content, such as
        headers, commands, and filters. They also enable add-on modules such as virus scanning, spam filtering,
        and Web filtering. They can be used with filter services, most proxy services, and the sendmail server
        service. See Application defenses on page 355.
      • IPS — Specify IPS response mappings so that you can create and maintain IPS signature groups. You can
        also use the IPS Signature Browser to view and manage IPS signatures. See IPS inspection on page 419.
      • Authenticators — Specify authentication services that contain the authenticators that are used by the
        firewall. For more information, see Authentication services on page 424. The following types of
        authenticators are available:

          • Password

          • Passport

          • RADIUS

          • Safeword

          • Windows Domain

    • iPlanet

    • Active Directory

    • OpenLDAP

    • Custom LDAP

    • CAC

• Users — Specify users who can access the Control Center and the way in which they can access it. User
  identification and authentication is a critical aspect of security. To access a firewall, a user must have a
  login ID and a method of authentication. Users can be configured to have one authentication method for
  inbound connections and another method for outbound connections.

    The firewall supports multiple methods of identification and authentication. These methods are
    explained in Authentication services on page 424.
    You can use the Control Center to create two classes of users: firewall users (who are defined by using
    the user objects on the Configuration Tool) and Control Center users. For information about defining
    and maintaining Control Center users, see Control Center users on page 81.

    The various firewalls support one or more of the following types of users:

    • Administrators — Identifies firewall administrator accounts. A firewall administrator is someone who
      logs directly into the firewall to perform administrative activities.
    • Users — Identifies user accounts to be stored on the firewall.

    • User groups — Identifies internal groups that are used to restrict access to services through the
      firewall.

    • External groups — Identifies external groups that are used in rules to restrict access to services
      through the firewall.

• Time periods — Specify time periods that represent named periods of time. These named time periods
  are used for various functions, such as limiting the time that a user has the ability to log into the Control
  Center or determining the time during which rules apply to the assigned firewall. For more information,
  see Managing time periods on page 470.

• VPN — Specify a Virtual Private Network (VPN) that securely connects networks and nodes to form a
  single, protected network. The data is protected as it tunnels through unsecured networks, such as the
  Internet or intranets. The VPN ensures data origin authentication, data integrity, data confidentiality, and
  anti-replay protection. A VPN works by encapsulating packets to or from the network with which you want
  to communicate (the remote network) and by sending them (usually encrypted) as data in packets to or
  from the network to which you are connected.

    The VPN is a security gateway between trusted and non-trusted networks that protects network
    access, network visibility (NAT), and network data (VPN). The two types of supported VPN connections
    are gateway-to-gateway and VPN host-to-gateway. For more information, see VPN on page 471.

    • VPN wizard — Create VPN channels, including configuration of peers, cryptographic parameters, and
      the authentication method.

    • VPN peers — Create peer objects that will participate in gateway-to-gateway VPN communities by
      using the VPN Peer window.

    • VPN communities — Configure VPN communities for a firewall by using the VPN Community window.

    • VPN client configurations — Establish a network configuration for the VPN client to operate on the
      private side of a firewall by using the VPN Client Configuration window.

    • VPN bypass — Select certain traffic to bypass IPsec policy evaluation and to be sent outside of the
      encrypted tunnel by using the VPN Bypass window.

          • CA certificates — Import Certification Authority (CA) certificates. A public key certificate is an
            electronic document that binds a host’s identity with its public key. The purpose of a certificate is to
            provide proof of a host’s identity. This enables a secure means of encrypting the data communication
            between one host and another. In digitally signing the certificate, the Certification Authority (CA)
            vouches for the host's identification, and is then able to issue a secure certificate that will be used to
            create a digital signature for the data that is being sent. Use the sender’s digital signature, along with
            the sender’s certificate, to verify that (a) the data originated from the sender, and (b) the data
            was not tampered with in transit.

         • Remote certificates — Manage remote certificates by using the Remote Certificate page. You can also
           request, load, retrieve, view, export, and delete certificates in this page.

      • Rules — Specify the network security mechanism that controls the flow of data into and out of the internal
        network by using the Rules page. For more information, see Rules on page 527.

      • URL translation rules — Specify the redirection of inbound HTTP connections, based on application layer
        data, rather than on transport layer data that is used for the conventional redirect rules. For more
        information, see URL translation rules on page 559.

      • SSH known hosts — Specify strong known host associations. You can manage this database that
        includes only those SSH known host keys with strong trust levels across all firewalls. For more
        information, see SSH known hosts on page 568.



Network objects
      Network objects represent source or destination conditions used in rules. The following categories of
      network objects can be defined.
       • Hosts — Specify a fully qualified host name or an IP address. To create a host object, see Configuring
         endpoints (network objects) on page 337. If you have configured the ePolicy Orchestrator to
         communicate with the Control Center, you can also view ePO data for a specific host. For more
         information about the ePO Host Data report, see Viewing ePolicy Orchestrator host data on page 135.

      • Networks — Specify an entire subnetwork to use as an endpoint. To create a network object, see
        Configuring endpoints (network objects) on page 337.

      • Address Ranges — Specify an inclusive series of IP addresses. You can specify a portion of a subnetwork
        to use as an endpoint. To create an address range object, see Configuring endpoints (network objects)
        on page 337.
      • Domains — Specify a domain to use as an endpoint. To create a domain object, see Configuring
        endpoints (network objects) on page 337.

      • Adaptive — Specify an adaptive endpoint. An adaptive endpoint is a single endpoint that can be used in
        different ways by multiple firewalls. For information about creating adaptive endpoints, see Creating
        adaptive endpoints on page 339.

      • Geo-Location — Specify a Geo-Location network object, which is a specified group of country IP
        addresses. For information about creating a Geo-Location object, see Creating Geo-Location objects on
        page 340.
      • Burbs — Specify a burb. For information about creating burbs, see Configuring burbs on page 341.

      • Burb Groups — Specify burb groups. To create burb groups, see Configuring groups of related device
        objects on page 261.

      • Net Groups — Specify and name groups of endpoints using previously configured endpoint objects and
        a set of system-wide interface controls. To create groups of endpoints, see Configuring groups of related
        device objects on page 261.

• Import Network Objects — Displays the Import Network Objects Wizard, in which you can specify a
  file from which you can import network objects that are defined in that file. To import network objects,
  see Importing network objects on page 345.
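As an added example (not the product's own code), the following Python models hosts with alternate addresses, networks, address ranges and net groups as the rule endpoint conditions described above, reports which objects a given address matches, and applies the Address field rule from the Network Objects Manager window that an IPv6 address is accepted only when at least one IPv6-enabled firewall is managed. The class and function names, and the sample objects, are constructed for this example.

```python
"""Constructed model of network objects used as rule endpoints. Example code, not the
product's own; names are assumptions, sample objects are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def to_ip(value: Union[str, IPAddr]) -> IPAddr:
    """Accept either address text or an already parsed address."""
    if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return value
    return ipaddress.ip_address(value.strip())


def validate_address(text: str, ipv6_firewall_present: bool) -> str | None:
    """Address field rule: IPv6 only if an IPv6-enabled firewall exists, else IPv4 is
    required. Returns an error message, or None when the address is acceptable."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return f"{text!r} is not a valid IP address"
    if ip.version == 6 and not ipv6_firewall_present:
        return f"{text!r} is IPv6 but no IPv6-enabled firewall is managed"
    return None


@dataclass
class Host:
    name: str
    address: str
    alternate_addresses: str = ""  # comma-separated, like the Alternate Addresses field

    def addresses(self) -> list[IPAddr]:
        raw = [self.address] + self.alternate_addresses.split(",")
        return [to_ip(a) for a in raw if a.strip()]

    def contains(self, ip: Union[str, IPAddr]) -> bool:
        return to_ip(ip) in self.addresses()


@dataclass
class Network:
    name: str
    cidr: str  # an entire subnetwork, e.g. 10.1.2.0/24

    def contains(self, ip: Union[str, IPAddr]) -> bool:
        addr, net = to_ip(ip), ipaddress.ip_network(self.cidr, strict=False)
        return addr.version == net.version and addr in net


@dataclass
class AddressRange:
    name: str
    start: str
    end: str  # inclusive, as the page describes address ranges

    def contains(self, ip: Union[str, IPAddr]) -> bool:
        addr, lo, hi = to_ip(ip), to_ip(self.start), to_ip(self.end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"range {self.name}: {self.start}-{self.end} is not valid")
        return addr.version == lo.version and lo <= addr <= hi


@dataclass
class NetGroup:
    name: str
    members: list = field(default_factory=list)  # previously configured endpoint objects

    def contains(self, ip: Union[str, IPAddr]) -> bool:
        return any(m.contains(ip) for m in self.members)


def matching_objects(objects, ip: Union[str, IPAddr]) -> list[str]:
    """Names of every object whose endpoint condition the address satisfies, in order."""
    return [o.name for o in objects if o.contains(ip)]


if __name__ == "__main__":
    # Constructed sample objects.
    web1 = Host("web1", "10.1.2.3", "10.1.2.4, 10.1.2.5")
    dmz = Network("dmz", "10.1.2.0/24")
    pool = AddressRange("dhcp-pool", "10.1.2.10", "10.1.2.20")
    dmz_v6 = Network("dmz-v6", "2001:db8:1::/64")
    servers = NetGroup("servers", [web1, pool])
    for probe in ("10.1.2.4", "10.1.2.15", "2001:db8:1::7", "192.0.2.9"):
        print(f"{probe:16} -> {matching_objects([web1, dmz, pool, dmz_v6, servers], probe)}")
    print(validate_address("2001:db8::1", ipv6_firewall_present=False))
```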


Configuring endpoints (network objects)
Use the Network Objects Manager window to add or modify the following types of endpoints: hosts,
networks, address ranges, and domains.
The fields that are displayed on the window depend on the value selected in the Type field. You can also
change the type and thus change the fields. For example, if you accessed this window to create a host and
you decided instead to create a network object, you can change the value in the Type field and see all of
the appropriate fields for this new object type.
For additional information about network objects, see Network objects on page 336. For more information
about configurable objects, see Firewall configuration management on page 574.
Figure 125 Network Object Manager window for host objects




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Network Objects node in the tree.

3 Double-click Hosts, Networks, Address Ranges, or Domains, depending on the type of object that you
   want to create. The respective fields are displayed in the Network Object Manager window.

Fields and buttons
This window has the following fields and buttons:
Note: Several of the fields on this window are type-specific as indicated.

• Name — [Required] Specify a unique name for the object.

• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared
  by default. To create a privileged object, the user must be assigned a role that allows access to privileged
  objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the
  Administration Tool to assign the privileged object action to a role.

• Description — Specify information about the configured endpoint.




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                    337
Network objects




      • Type — [Required] Initially displays the value that matches the node that you double-clicked to access
        this window. The value of this field determines the remaining fields that are displayed on this window. The
        following values are available:

         • Hosts — Configure a single host. When this value is selected, the following fields are displayed:

             • Address — Specify the Internet Protocol (IP) address.

                 If at least one firewall has IPv6 enabled, you can specify an IPv6 address: eight groups of
                 hexadecimal digits separated by colons (:). An example of this format is:
                 nnaa:an:n:nana:naa:aa:aann:nana.

                 If no firewall has IPv6 enabled, you must specify an IPv4 address: four decimal numbers
                 separated by periods (dot notation). An example of an IPv4 address is: nnn.nn.nnn.nnn.

             • Hostname — Specify the fully qualified host name.

             • Use DNS lookups to resolve the hostname — [Available only if a hostname value has been
               specified in the Hostname field] Determines whether a DNS lookup is used to find the IP address
               associated with a specified hostname. If this checkbox is selected, the Override Default TTL (s)
               checkbox is available.

             • Alternate Addresses — [Available only if a hostname and address value has been specified in the
               Hostname and Address fields] Specify any alternate addresses that are used to reference the host.
               Multiple addresses can be specified by using a comma to separate entries.

             • Override Default TTL (s) — Determines whether the default Time to Live (TTL) period for caching
               DNS records is overridden by a specified value. The default value is 86400 seconds (one day). To
               override the default, select this checkbox and select a different value.

         • Networks — Configure a subnet. When this value is selected, the following fields are displayed:

             • Address — [Required] Specify the unique IP address of the subnet.

                 If at least one firewall has IPv6 enabled, you can specify an IPv6 address: eight groups of
                 hexadecimal digits separated by colons (:). An example of this format is:
                 nnaa:an:n:nana:naa:aa:aann:nana.

                 If no firewall has IPv6 enabled, you must specify an IPv4 address: four decimal numbers
                 separated by periods (dot notation). An example of an IPv4 address is: nnn.nn.nnn.nnn.

             • Mask Length — [Required] Specify the length of the subnet mask in bits. If an IPv6 address is
               specified in the Address field, this length should be between 0 and 128. Otherwise, the length should
               be between 0 and 32. The default value is 24.

         • Address Ranges — Configure a range of IP addresses. When this value is selected, the following fields
           are displayed:

             • Begin Address — [Required] Specify the first matching IP address.

             • End Address — [Required] Specify the last matching IP address.

             Note: The range that is specified in the Begin Address and End Address fields is inclusive. The value that
             is specified in the Begin Address field must be less than or equal to the value that is specified in the End
             Address field.

         • Domains — Configure all of the hosts in a particular domain. The firewall performs a reverse DNS
           lookup to determine whether a host belongs to a particular domain. When this value is selected, the
           following field is displayed:

             • Domain Name — Specify the name of the domain.

             Note: The match depends on the PTR record published for the connecting address, which is controlled
             by whoever administers that reverse zone, not by you. Treat a domain object as a weak basis for an
             allow rule.

      • OK — Save this object and, if new, insert it in the list of objects below the respective object type node.

      • Cancel — Close this window without saving any changes.




Creating adaptive endpoints
Use the Adaptive window to create an adaptive endpoint. An adaptive endpoint is a single endpoint object
that can be used differently by multiple firewalls.
Figure 126 Adaptive window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Network Objects node.

3 Double-click the Adaptive node.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label that identifies the adaptive object.

• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared
  by default. To create a privileged object, the user must be assigned a role that allows access to privileged
  objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the
  Administration Tool to assign the privileged object action to a role.

• Description — Provide information about the adaptive object.

• Firewall — Specify the name of the firewall on which the object is being used.

• Address — Specify the IP address or addresses that are used to reference this endpoint object. Specify
  multiple values by using a comma to separate them. Specify IP addresses in any of the following ways:

   • IP address in dot notation (four decimal numbers separated by periods)

   • Host name

   • Network address/subnet mask length in bits (for example, 192.168/16)

   • Address range (beginning_IP_address - ending_IP_address)

• Delete — Click x (Delete) in the row to be deleted.

• Default — Specify the default address to be used for firewalls that are not specified in the Firewall field.

• OK — Save this object.

• Cancel — Close this window without saving the object.




      Creating Geo-Location objects
      Use the Geo-Location window to define a Geo-Location object, which is a list of countries. Each
      Geo-Location object that you define is a network object. Geo-Location identifies the IP address for the
      country of origin. Use a Geo-Location object in a rule to allow or deny a network connection based on the
      source or destination country.
      Figure 127 Geo-Location window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Double-click the Geo-Location node.
         or
         Right-click the Geo-Location node and select Add object. The Geo-Location window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify the name of this Geo-Location object. This name cannot exceed 100 characters. You can
        use the following characters: alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces
        ( ). This name is the only value that you will see for this object in the Apply On list when you create a
        rule, so make sure that it describes the object.

      • Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared
        by default. To create a privileged object, the user must be assigned a role that allows access to privileged
        objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the
        Administration Tool to assign the privileged object action to a role.

      • Description — Specify any useful information about this Geo-Location object.

      • Countries — Specify the countries to be included in this Geo-Location object. Specify part or all of the
        country name on which you want to search and click Find. Any values that match the search text are
        highlighted.



• OK — Save this Geo-Location object.

• Cancel — Close this window without saving any changes.

Adding a Geo-Location object
1 In the Configuration Tool, select the Policy group bar.

2 Double-click the Geo-Location node.
   or
   Right-click the Geo-Location node and select Add object.

Editing an existing Geo-Location object
1 In the Configuration Tool, select the Policy group bar.

2 Select the Geo-Location node.

3 Double-click the object to be edited in the tree.
   or
   Right-click the object and select Edit object.

Deleting an existing Geo-Location object
1 In the Configuration Tool, select the Policy group bar.

2 Select the Geo-Location node.

3 Right-click the object and select Delete object.


Configuring burbs
Use the Burbs window to create and maintain burbs. A burb is a type-enforced network area used to isolate
network interfaces from each other. An internal burb and an external burb are defined on the firewall
during installation. The external burb is the Internet burb; it is the only burb that communicates directly
with the outside world, and it cannot be removed.
Use the table to specify a set of burb options for a particular firewall. For each burb, the table contains a
-Default Options- entry, which specifies a default set of options that will be applied on each firewall. You
can create a new entry in the table so that you can use a different set of options. The new entry will
override the -Default Options- entry.
Figure 128 Burbs window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Network Objects node.

      3 Double-click the Burbs node. The Burbs window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the burb. This name cannot be changed after the burb object
        has been created. Do not use Firewall or firewall for the Name value; these names are used elsewhere
        in the firewall. Case is significant.

      • Description — Specify information about the burb.

      • Firewall — Specify the name of the firewall to which the burb options apply.

      • Hide Port Unreachables — Determines whether the burb hides information about port unreachable
        error messages. This checkbox is cleared by default. If you select this checkbox, the firewall will not
        respond if a node on the network tries to connect to a port on which the firewall is not listening.

      • Respond to ICMP Echo and Timestamp — Determines whether the burb responds to ICMP echo and
        timestamp messages. The ping utility uses these messages to determine whether a host or IP address is
        accessible. This checkbox is cleared by default. If you select this checkbox, the firewall is allowed to
        respond to these messages.

      • Accept Routing Changes From ICMP Redirects — Determines whether the burb accepts routing
        changes from ICMP redirect messages. ICMP redirect messages are used to optimize the routes for
        directing IP traffic to the correct destination. On a trusted network, you can use ICMP redirect messages
        to improve throughput. On an untrusted network, honoring them lets an attacker on that network
        reroute the firewall's traffic through a host of their choosing and examine it. This checkbox is cleared
        by default. If you select this checkbox, the firewall is allowed to honor ICMP redirect messages.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving the changes.




Configuring groups of burb objects
Use the Burb Groups Manager window to define groups of burb objects that will be simultaneously
managed. The purpose of a group is object-specific; however, the act of creating groups is the same. Two
or more related objects are associated under an aggregated object name to simplify management of
multiple objects.
Figure 129 Burb Groups Manager window




Accessing this window
In the Policy group bar of the Configuration Tool, select Network Objects and then double-click Burb
Groups. The Burb Groups Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Group Name — Specify a user-defined name for the burb group that you are creating.

• Description — Provide a meaningful description about the reason that this burb group has been defined.

• Members — Use the fields in this area to determine the burbs that will be members of this group.

   • Find — Specify a value in this field and click Find to filter the display of burbs so that only those that
     match the criteria that you have specified are displayed in the table.

   • Burbs — Select one or more burbs to include in this group.

• OK — Save the burb group under the Network Objects node in the tree.

• Cancel — Close this window without saving any changes.




      Configuring groups of endpoint objects
      Use the Net Groups Manager window to define groups of endpoint objects that will be simultaneously
      managed. The purpose of a group is object-specific; however, the act of creating groups is the same. Two
      or more related objects are associated under an aggregated object name to simplify management of
      multiple objects.
      Figure 130 Net Groups Manager window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select Network Objects and then double-click Net Groups. The Net Groups Manager window is
         displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Group Name — Specify a user-defined name for the endpoint group that you are creating.

      • Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared
        by default. To create a privileged object, the user must be assigned a role that allows access to privileged
        objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the
        Administration Tool to assign the privileged object action to a role.

      • Description — Provide a meaningful description about the reason that this endpoint group has been
        defined.

      • Members — Use the fields in this area to determine the endpoints that will be members of this group.

         • Find — Specify a value in this field and click Find to filter the display of endpoints so that only those
           that match the criteria that you have specified are displayed in the table.

         • Endpoints — Select one or more endpoints to include in this group.

      • OK — Save the endpoint group under the Network Objects node in the tree.

      • Cancel — Close this window without saving any changes.




Importing network objects
Use the Import Network Objects Wizard to import the following types of network objects from a file: IP
addresses, hostnames for host objects, network objects, and address range objects.

Prerequisites for the imported file
To create a valid file to use with this wizard, the following prerequisites must be met:
• The file must be in either .txt or .csv (comma-delimited) format.

• You can mix object types in one file. However, every entry must use the format for the file type:
   Table 15 Imported file formats
     .txt    [Address] [Name] #[Description]
             The address and name are required; the # and the description are optional.
     .csv    [Address],[Name],[Description]
             The address and name are required; the last comma (,) and the description are optional.

• A network object entry must include the mask length (for example, 1.1.1.1/24).

• An address range entry must include the start address and the end address, separated by a hyphen
  (-) (for example, 1.1.1.1-2.2.2.2).

If there are any errors in your imported file, a message will be displayed and you can view your errors. For
more about this, see the wizard steps that follow.
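The wizard only reports errors after you have loaded the file. The following script, an added example that is not part of this guide or of the Control Center product, applies the same rules up front: the Table 15 line formats, the endpoint constraints from Configuring endpoints (mask length 0-32 for IPv4 and 0-128 for IPv6, inclusive ranges with the begin address not greater than the end address), and the requirement that IPv6 addresses are usable only when some firewall has IPv6 enabled. The sample file contents and the ipv6_enabled flag are constructed for the example; an address with no "/" or "-" is treated as a host.

```python
"""Validate a Control Center network-object import file before loading it.

Added example; not code from the McAfee guide or product. Rules applied:
  host    = address [+ name], optional description
  network = address/mask-length (0-32 for IPv4, 0-128 for IPv6)
  range   = begin-end, inclusive, begin <= end
  IPv6 addresses only when at least one firewall has IPv6 enabled.
The sample file contents and the ipv6_enabled flag are constructed here.
"""
import csv
import ipaddress


def parse_line(fmt, line):
    """Split one line into (address, name, description) per Table 15."""
    if fmt == "csv":
        # [Address],[Name],[Description]; trailing comma and description are optional
        fields = [f.strip() for f in next(csv.reader([line]))]
        fields += [""] * (3 - len(fields))
        return tuple(fields[:3])
    # .txt: [Address] [Name] #[Description]; '#' and description are optional
    body, _, description = line.partition("#")
    parts = body.split()
    address = parts[0] if parts else ""
    name = parts[1] if len(parts) > 1 else ""
    return address, name, description.strip()


def classify(address, ipv6_enabled):
    """Return (object_type, error); error is None when the address is valid."""
    try:
        if "/" in address:
            # strict=False accepts host bits in the address, as in the guide's 1.1.1.1/24 example;
            # ip_network still rejects a mask length outside 0-32 (IPv4) or 0-128 (IPv6)
            obj, version = "network", ipaddress.ip_network(address, strict=False).version
        elif "-" in address:
            obj = "range"
            lo, hi = (ipaddress.ip_address(p.strip()) for p in address.split("-", 1))
            if lo.version != hi.version:
                return obj, "begin and end address use different IP versions"
            if lo > hi:
                return obj, "begin address must be less than or equal to end address"
            version = lo.version
        else:
            obj, version = "host", ipaddress.ip_address(address).version
    except ValueError as exc:
        return "unknown", str(exc)
    if version == 6 and not ipv6_enabled:
        return obj, "IPv6 address but no IPv6-enabled firewall"
    return obj, None


def validate_file(text, fmt, ipv6_enabled=False):
    """Return one row per non-blank line, shaped like the wizard's step 2 table."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        address, name, description = parse_line(fmt, line)
        errors = []
        if not address:
            errors.append("address is required")
        if not name:
            errors.append("name is required")
        obj_type, err = classify(address, ipv6_enabled) if address else ("unknown", None)
        if err:
            errors.append(err)
        rows.append({"line": lineno, "type": obj_type, "name": name, "address": address,
                     "description": description, "errors": errors, "import": not errors})
    return rows


# Constructed sample files (not from the guide); one entry per line.
SAMPLE_TXT = """\
10.1.2.3 web-01 #primary web server
10.1.2.0/24 dmz-net
10.1.2.10-10.1.2.20 dmz-pool #inclusive range
10.1.2.30-10.1.2.25 bad-range #begin > end
2001:db8::1 v6-host
192.168.1.256 bad-host #octet out of range
10.9.9.9
"""
SAMPLE_CSV = """\
10.2.0.0/16,corp-net,all corporate space
10.2.0.5,dns-01
10.2.0.0/40,bad-mask,prefix too long
"""

if __name__ == "__main__":
    for row in validate_file(SAMPLE_TXT, "txt") + validate_file(SAMPLE_CSV, "csv"):
        status = "ok" if row["import"] else "; ".join(row["errors"])
        print(f"{row['type']:8} {row['address']:24} {row['name']:10} {status}")
```

Run it against a file before opening the wizard; rows whose "import" flag is False are the ones the wizard would highlight, and the "errors" list tells you which rule each one breaks. Set ipv6_enabled=True only if one of your managed firewalls actually has IPv6 enabled, since the wizard will otherwise reject every IPv6 entry.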

Accessing this wizard
1 In the Configuration Tool, select the Policy group bar.

2 Select the Network Objects node to expand the list of subnodes.

3 Double-click the Import Network Objects subnode. The Import Network Objects Wizard is displayed.

Wizard steps
This wizard has two steps.

Step 1 of 2
This page introduces you to the wizard. Before you import your file, you can view the required formats for
each network object type that are displayed in the display area.
To load the text file that contains your network object definitions, click Load File. After you locate the file to
use and click Open, the contents of this file are displayed on this first page.
Click Next >> to continue or Cancel to close the wizard.

Step 2 of 2
Use this page to determine the objects in the file that you want to import and also to fix any errors in the
file that are now displayed in the table. Then, you can import the objects by clicking Finish.
The list of network objects is now displayed in the table on this page. If there are any errors in the imported
file, each row that contains an error is highlighted and a message is displayed at the bottom of this page,
along with a View Errors button.
To troubleshoot the errors:
1 Click View Errors to display the Import Errors window, in which you can view a description of the errors.

2 Click x to close this window.

3 Click in the field in the table that contains the error. Edit the value so that it is correct for the type of
   object in this row. Note that these changes will not be propagated back to the file itself.

4 Repeat step 3 for each row that contains an error.




       5 When you have completed your edits, click Finish. The values will be checked again for validity and will
           be imported if they are correct.

       The following fields and buttons are available on this page:
       • Import — Determines whether this object will be imported when you click Finish. The default value is
         selected for each valid row. If a row is not valid, the checkbox will not be selected. After you correct the
         invalid data, you must still select the checkboxes for the objects that you want to import. Clear the
         checkbox for any object that you do not want to import now.

       • Type — [Read-only] Displays the type of object.

       • Name — Displays the name of the object as it was retrieved from the imported file. You can edit this
         value.

       • Address — Displays the address (and mask, if applicable) of the object as it was retrieved from the
         imported file. You can edit this value.

       • Description — Displays a description for the object as it was retrieved from the imported file. You can
         edit this value.

       • View Errors — Displays the Import Errors window, in which you can view a description of the errors that
         were found in the imported file. For information about how to use this window, see the troubleshooting
         section above.

       • <<Previous — Changes the display to the previous page of the wizard.

       • Finish — The objects are imported. Afterwards, an Import Complete message is displayed, indicating the
         number of network objects that have been successfully imported. Click OK and the wizard is closed.

       • Cancel — Closes the wizard without importing any objects.



Services
       A service is a description of a network communications protocol. Computers can send information packets
       to each other by agreeing on a protocol and, for TCP and UDP, a port. Protocol and port numbers have
       well-established meanings; for example, IP protocol 89 is used for Open Shortest Path First (OSPF) routing
       traffic, and TCP (protocol 6) port number 23 is used for the Telnet remote login application. Control Center
       service objects specify the type of traffic that a rule should match. Occasionally, they are also used
       to specify a TCP or UDP port number that a firewall service (for example, a content inspection
       agent or remote authorization agent) should use to communicate with a remote computer. Therefore, the
       firewall manager should create service objects that describe the type of traffic that will be recognized by the
       firewall.
       The firewalls support the following categories of services.
       • Proxy services — A network service that is associated with a proxy agent that is running on the firewall.
         The proxy agent controls communication between clients on one side of the firewall and servers on the
         other side. The user's client program communicates with the proxy agent instead of communicating
         directly with the server. The proxy agent evaluates requests from the client and decides whether to permit
         or deny those requests, based on your security policy. If a request is approved, the proxy agent forwards
         the client's requests to the server and forwards the server's responses back to the client. The proxy agent
         is application-aware; that is, it understands the application layer protocol and can interpret its
         commands. Proxy agents are used to create proxy services. Proxy services may be TCP-based or
         UDP-based. Many are defined by default for such TCP-based services as HTTP, FTP, and Telnet and for
         such UDP protocols as SNMP and NTP. Use the Proxy Service window to create additional proxy services.




• Filter services — Each service is a network service that is associated with a filter agent running on the
  firewall. Filter agents provide another method for clients and servers to communicate. The filter agent
  inspects and passes traffic at the network layer or the transport layer. The following types of filter agents
  are provided:

   • FTP Packet Filter — File Transfer Protocol (FTP) is a file transfer protocol that is defined by specified
     port numbers. This agent supports both active and passive FTP by monitoring the control connection
     and dynamically opening a port for the data connection. To allow FTP over IPv6, you must use this
     agent; the FTP proxy agent does not support IPv6.

   • Generic Filter — This is a network service that is associated with the generic filter agent that is running
     on the firewall. The agent passes TCP or UDP traffic at the transport layer without interpreting the
     application protocol. Generic filter services may be TCP-based or UDP-based.

   • ICMP Filter — Internet Control Message Protocol (ICMP) is a network layer protocol that supports
     packets that contain error, control, and informational messages. A message type and code further
     qualify the service.

   • Protocol Filter — This is a network layer protocol that is defined by a protocol number.

   Filter agents are used to create filter services. A wide range of filter services is defined by default. Use
   the Filter Service window to create additional filter services.

• Server services — A server service is a network service that is associated with a server agent, or
  daemon, running on the firewall. Server services are created during initial configuration of the firewall.
  They include services that are used for the following purposes:

   • Management of the firewall (for example, Admin Console)

   • Access to a networked service (for example, SNMP Agent)

   • Routing services (for example, gated, routed)

   • VPN connections (for example, ISAKMP server)

   • Firewall-specific functions (for example, cluster registration server)

   Basic properties that are associated with these services can be modified; however, additional server
   services cannot be created. See Managing servers and service configurations on page 291.

• Service Group — A service group represents a collection of network services that are defined on the
  firewall. See Configuring service groups on page 353.

By default, proxy services, filter services, and server services are disabled. If you use a proxy, filter, or
server service in an enabled rule, the firewall automatically enables that service in the corresponding
source burb or burbs. When all of the rules that use a particular service are disabled or deleted, the
service is automatically disabled.
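Because a service's enabled state is derived from the rules that reference it, the set of services listening in a burb is not something you configure directly; it is the union over every enabled rule whose source burbs include that burb, with service groups expanded to their members. The following script, an added example that is not part of this guide or of the Control Center product, reproduces that derivation on a constructed rule set so you can answer two audit questions offline: which services a given burb ends up with, and which services would be switched off in which burb if a particular rule were disabled or deleted. The rule and group data, field names, and nesting of groups are assumptions for the example.

```python
"""Derive enabled services per burb from a rule set.

Added example; not code from the McAfee guide or product. It models the
guide's statement that a service is disabled by default, is enabled in a
rule's source burb(s) while an enabled rule uses it, and is disabled again
once every rule that uses it is disabled or deleted. Service groups are
expanded to their members. All rule and group data below are constructed.
"""
from collections import defaultdict


def expand_service(name, service_groups):
    """Return the concrete services behind a service or service group (nested groups allowed)."""
    seen, stack, result = set(), [name], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue  # tolerate a group that (wrongly) contains itself
        seen.add(cur)
        if cur in service_groups:
            stack.extend(service_groups[cur])
        else:
            result.add(cur)
    return result


def enabled_services_by_burb(rules, service_groups):
    """Map each source burb to the set of services that at least one enabled rule uses there."""
    enabled = defaultdict(set)
    for rule in rules:
        if not rule["enabled"]:
            continue  # a disabled rule contributes nothing, exactly like a deleted one
        services = expand_service(rule["service"], service_groups)
        for burb in rule["source_burbs"]:
            enabled[burb] |= services
    return dict(enabled)


def services_disabled_by(rule_name, rules, service_groups):
    """Per burb, the services the firewall would disable if rule_name were disabled or deleted."""
    before = enabled_services_by_burb(rules, service_groups)
    remaining = [r for r in rules if r["name"] != rule_name]
    after = enabled_services_by_burb(remaining, service_groups)
    diff = {burb: svcs - after.get(burb, set()) for burb, svcs in before.items()}
    return {burb: svcs for burb, svcs in diff.items() if svcs}


# Constructed data (assumed shape, not the product's export format).
SERVICE_GROUPS = {
    "web": ["HTTP Proxy", "HTTPS Proxy"],
    "admin-tools": ["SSH Proxy", "web"],  # nested group
}
RULES = [
    {"name": "allow-web-out", "enabled": True, "service": "web", "source_burbs": ["internal"]},
    {"name": "allow-ssh-dmz", "enabled": True, "service": "SSH Proxy", "source_burbs": ["internal", "dmz"]},
    {"name": "admin-from-dmz", "enabled": True, "service": "admin-tools", "source_burbs": ["dmz"]},
    {"name": "old-telnet", "enabled": False, "service": "Telnet Proxy", "source_burbs": ["internal"]},
]

if __name__ == "__main__":
    for burb, svcs in sorted(enabled_services_by_burb(RULES, SERVICE_GROUPS).items()):
        print(f"{burb}: {sorted(svcs)}")
    print("disabling admin-from-dmz turns off:", services_disabled_by("admin-from-dmz", RULES, SERVICE_GROUPS))
```

Note that old-telnet contributes nothing while it is disabled: the Telnet proxy is not listening in the internal burb even though a rule for it still exists. Conversely, removing allow-ssh-dmz does not disable SSH in the dmz burb, because admin-from-dmz still pulls it in through the admin-tools group; the script makes that dependency visible before you touch the rule.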




      Configuring proxy services
      Use the Proxy Service window to add or change a proxy service. For more information about the types of
      services that are supported by the firewalls, see Services on page 346.
      Figure 131 Proxy Service window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 In the Policy tree, select the Services node.

      3 Double-click Proxy Services. The Proxy Service window is displayed.

      Fields and buttons
      The fields that are displayed in this window will change, depending on the value that you select in the
      Agent list. The following fields are common to all service types:
      • Name — [Required] Specify a name for the service.

      • Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared
        by default. To create a privileged object, the user must be assigned a role that allows access to privileged
        objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the
        Administration Tool to assign the privileged object action to a role.

      • Agent — Specify the type of traffic that will use this service. This field is synonymous with selecting the
        Agent value in the McAfee Firewall Enterprise Admin Console. Most of the agents in this list use the
        standard TCP fields described below.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving the changes.

         The following Agent values are available; the remaining fields that are displayed depend on the value
         that you select:

         • Citrix Proxy — Allows remote clients to access applications within a Citrix server farm by using the
           Citrix Independent Computing Architecture (ICA) protocol.

         • DNS Proxy — Allows DNS query traffic and DNS zone file transfers.

         • FTP Proxy — Allows access to File Transfer Protocol (FTP) servers. The FTP Proxy agent does not
           support IPv6; to allow FTP over IPv6, you must use the FTP Packet Filter agent instead. For more
           information, see Configuring filter services on page 350.

         • Generic Proxy — Transport-layer proxy that processes both TCP and UDP. This proxy agent is not
           application-aware.

         • H323 Proxy — Allows audio and video features for H.323 applications.

         • HTTP Proxy — Allows connections to Web servers by using the Hypertext Transfer Protocol (HTTP).




   • HTTPS Proxy — Allows connections to Web servers by using the SSL-encrypted HTTP.

   • IIOP Proxy — Allows the Internet Inter-ORB Protocol (IIOP), which is the wire protocol that is used
     by Common Object Request Broker Architecture (CORBA) applications for interoperability in a
     heterogeneous environment.

   • Mail Proxy — Allows Simple Mail Transfer Protocol (SMTP) messages through the firewall.

   • MS-SQL Proxy — Allows Microsoft servers and clients to pass SQL traffic.

   • Oracle Proxy — Allows Structured Query Language (SQL) traffic between Oracle servers and clients.

   • Ping Proxy — Allows ICMP echo (ping) requests and ICMP echo responses through the firewall.

   • RealMedia Proxy — Allows RealMedia audio and video data packet connections.

   • Registration — Allows the firewall to join a High Availability cluster.

   • RSH Proxy — Allows remote file copy protocol (RCP) and remote shell (RSH) login.

   • RTSP Proxy — Allows the Real Time Streaming Protocol (RTSP), used by RealMedia Player and QuickTime Player.

   • SIP Proxy — Allows Session Initiation Protocol (SIP), a protocol that is commonly used by VoIP
     applications.

   • SNMP Proxy — Supports remote management by using the Simple Network Management Protocol
     (SNMP).

   • SOCKS Proxy — Allows the SOCKSv5 protocol.

   • SSH Proxy — Allows Secure Copy protocol (SCP), Secure FTP protocol (SFTP), and Secure Shell login.

   • Sun RPC Proxy — Relays requests between RPC clients and remote servers.

   • T120 Proxy — Allows T.120 applications.

   • Telnet Proxy — Allows access to Telnet servers.

• Description — Specify information about the configured service.

• TCP ports — Specify the TCP port or ports on which the service will accept traffic. Specify multiple ports
  by using a comma to separate entries. Do not use ports 9000-9010; these ports are reserved by the
  firewall for administrative purposes.

• Gatekeeper ports — [Available for H323 Proxy only] Specify the gatekeeper port or ports on which the
  service will accept traffic. Specify multiple ports by using a comma to separate entries. Do not use ports
  9000-9010; these ports are reserved by the firewall for administrative purposes.

• UDP ports — [Available only for Citrix Proxy and Generic Proxy] Specify the UDP port or ports on which
  the service will accept traffic. Specify multiple ports by using a comma to separate entries. Do not use
  ports 9000-9010; these ports are reserved by the firewall for administrative purposes.

• TCP idle timeout (sec) — Specify the number of seconds that the connection can remain idle before it
  is terminated. The default is 7200 seconds. A value of 0 maintains idle sessions indefinitely. To set a data
  time-out, click the up or down arrow or specify a value in the field.

• UDP idle timeout (sec) — [Available only for Citrix Proxy, Generic Proxy, and H323 Proxy] Specify the
  number of seconds that the connection can remain idle before it is terminated. The default is 300 seconds.
  A value of 0 maintains idle sessions indefinitely. To set a data time-out, click the up or down arrow or
  specify a value in the field.

• Allow fast path sessions — [Not available for H323 Proxy] Specify whether fast path proxy sessions
  will be allowed on the firewall. A fast path session improves system performance by lessening the load
  that is placed on the system kernel when passing proxy data through the firewall. For more information
  about fast path sessions, see the "Services" chapter in the McAfee Firewall Enterprise (Sidewinder)
  Administration Guide.

      • Allowed connection types — [Available only for FTP Proxy, HTTP Proxy, and HTTPS Proxy] Specify the
        types of connections that will be allowed. The following values are available:

         • Transparent — Indicates that the client appears to connect directly to the server without connecting
           to the firewall first.

         • Non-Transparent — Indicates that the client connects to the firewall and then connects to the server.

         • Both — Indicates that either transparent or non-transparent connections are allowed.


      Configuring filter services
      Use the Filter Service window to add or change a filter service. For more information about the types of
      services that are supported by the firewalls, see Services on page 346.
      Figure 132 Filter Service window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 In the Policy tree, select the Services node.

      3 Double-click Filter Services. The Filter Service window is displayed.

      Fields and buttons
      The fields that are displayed in this window will change, depending on the value that you select in the
      Agent list. The following fields are common to all service types:
      • Name — [Required] Specify a name for the service.

      • Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared
        by default. To create a privileged object, the user must be assigned a role that allows access to privileged
        objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the
        Administration Tool to assign the privileged object action to a role.

• Agent — [Required] Specify the type of traffic that will use this service. This field is synonymous with
  selecting the Agent value in the McAfee Firewall Enterprise Admin Console. The following values are
  available:

   • FTP Packet Filter — [Available for firewall versions 7.0.1 and later] Indicates a file transfer protocol
     (FTP) that is defined by specified port numbers. When you select this service type, see the service
     type-specific fields that are described in the Agent: FTP Packet Filter on page 351.

   • Generic Filter — Indicates a service that handles TCP or UDP traffic through the kernel. When you
     select this service type, see the service type-specific fields that are described in Agent: Generic Filter
     on page 352. This is the default value.

   • ICMP Filter — Indicates the Internet Control Message Protocol (ICMP), a network layer protocol that
     supports packets that contain error, control, and informational messages. A message type and code
     further qualify the service. When you select this service type, see the service type-specific fields that
     are described in Agent: ICMP Filter on page 352. You can use this filter with any firewall version.
     However, the ipv6_echo and ipv6_info messages are available only for versions 7.0.1 and later with the
     IPv6 protocol enabled.

   • Protocol Filter — Indicates a network layer protocol that is defined by a protocol number. When you
     select this service type, see the service type-specific fields that are described in Agent: Protocol Filter
     on page 353.

• Description — Specify information about the configured service.

• OK — Save the changes that were made in this window.

• Cancel — Close this window without saving the changes.

Agent: FTP Packet Filter
• TCP source ports — Specify a range of valid source ports. By default, all source ports are specified. Do
  not use ports 9000-9010. These ports are reserved by the firewall for administrative purposes.

• TCP destination ports — Specify the TCP port or ports on which the service will accept traffic. Specify
  multiple ports by using a comma to separate entries. Do not use ports 9000-9010. These ports are
  reserved by the firewall for administrative purposes.

• Enable stateful packet inspection — Determines whether stateful packet inspection will occur for this
  service when it is used as an IP filter service on the firewall. Stateful packet inspection tracks the state of
  network connections traversing the firewall. Only packets that match a known connection state are
  allowed by the firewall; all others are rejected.

• Enable stateful session failover — Determines whether existing filter sessions will be transferred to
  the secondary node of a High Availability cluster during a failover event. This checkbox is selected by
  default.

       Tip: You might want to clear this checkbox for short-lived connections.

• Bi-directional — Determines whether the firewall will allow traffic that is associated with this service
  to flow from either the source or the destination addresses. Select this checkbox only if your source
  port and destination port have the same value. This checkbox is cleared by default. NAT and
  redirection are not allowed for bi-directional rules with stateful packet inspection enabled.

• Reset TCP connections after connection timeout — Specify whether a TCP Reset packet will be
  sent to the client and server after the specified connection timeout. This checkbox is selected by
  default.

• TCP idle timeout (sec) — Specify the number of seconds that the connection can remain idle before
  it is closed. Valid values are between 0 and 2147483647. The default is 7200 seconds. A value of 0
  maintains idle sessions indefinitely. To set a time-out, click the up or down arrow or specify a value in
  the field.

      • TCP connection timeout (sec) — Specify the number of seconds that are allowed to occur when
        establishing the TCP connection between the client and the server. The default is 15 seconds.

      Agent: Generic Filter
      • TCP source ports — Specify a range of valid source ports. By default, all source ports are specified.

      • TCP destination ports — Specify the TCP port or ports on which the service will accept traffic. Specify
        multiple ports by using a comma to separate entries.

      • UDP source ports — Specify a range of valid source ports. By default, all source ports are specified.

      • UDP destination ports — Specify the UDP port or ports on which the service will accept traffic. Specify
        multiple ports by using a comma to separate entries.

      • Require UDP checksums — Determines whether checksums of UDP packets will be required.

      • Bi-directional — Determines whether the firewall will allow traffic that is associated with this service
        to flow from either the source or the destination addresses. Select this checkbox only if your source
        port and destination port have the same value. This checkbox is cleared by default. NAT and
        redirection are not allowed for bi-directional rules with stateful packet inspection enabled.

      • Enable stateful packet inspection — Determines whether stateful packet inspection will occur for this
        service when it is used as an IP filter service on the firewall. Stateful packet inspection tracks the state of
        network connections traversing the firewall. Only packets that match a known connection state are
        allowed by the firewall; all others are rejected.

      • Enable stateful session failover — Determines whether existing filter sessions will be transferred to
        the secondary node of a High Availability cluster during a failover event. This checkbox is selected by
        default.

              Tip: You might want to clear this checkbox for short-lived connections.

      • Reset TCP connections after connection timeout — Specify whether a TCP Reset packet will be
        sent to the client and server after the specified connection timeout. This checkbox is selected by
        default.

      • TCP idle timeout (sec) — Specify the number of seconds that the connection can remain idle before
        it is closed. Valid values are between 0 and 2147483647. The default is 7200 seconds. A value of 0
        maintains idle sessions indefinitely. To set a time-out, click the up or down arrow or specify a value in
        the field.

      • TCP connection timeout (sec) — Specify the number of seconds that are allowed to occur when
        establishing the TCP connection between the client and the server. The default is 15 seconds.

      • UDP idle timeout (sec) — Specify the number of seconds that the connection can remain idle before
        it is closed. Valid values are between 0 and 2147483647. The default is 300 seconds. A value of 0
        maintains idle sessions indefinitely. To set a time-out, click the up or down arrow or specify a value in
        the field.

      Agent: ICMP Filter
      • Enable stateful packet inspection — Determines whether stateful packet inspection will occur for this
        service when it is used as an IP filter service on the firewall. Stateful packet inspection tracks the state of
        network connections that are traversing the firewall. Only those packets that match a known connection
        state are allowed by the firewall; all others are rejected.

      • Response timeout (sec) — Specify the number of seconds that are permitted to receive a response
        from the server.

      • Message types — Specify one or more types of ICMP messages that will be used for this filter. The
        following types are available:

         • echo — Indicates that echo requests and responses that are used by ping will be used.

         • info — Indicates that ICMP information requests and responses will be used.

   • timestamp — Indicates that timestamp requests and responses will be used.

   • ipv6_echo — [Available for firewall versions 7.0.1 and later when the IPv6 protocol is enabled]
     Indicates that echo requests and responses that are used by ping and that are transmitted as IPv6
     traffic will be used.

   • ipv6_info — [Available for firewall versions 7.0.1 and later when the IPv6 protocol is enabled]
     Indicates that ICMP information requests and responses that are transmitted as IPv6 traffic will be
     used.

• Enable stateful session failover — Determines whether existing filter sessions will be transferred
  to the secondary node of a High Availability cluster during a failover event.

  Note: ICMP control and error messages that are generated by TCP/UDP traffic are managed by using the
  TCP/UDP rules, as opposed to ICMP rules. For example, to pass “host unreachable” error messages for
  undelivered TCP packets for a specific rule through the firewall, configure this value on the Packet Filter
  application defenses, instead of by using the ICMP service.

• Bi-directional — Determines whether the firewall will allow traffic that is associated with this service
  to flow from either the source or the destination addresses. Select this checkbox only if your source
  port and destination port have the same value. This checkbox is cleared by default. NAT and
  redirection are not allowed for bi-directional rules with stateful packet inspection enabled.

Agent: Protocol Filter
• Protocol number — Specify the first IP protocol supported by this service. A protocol number must be
  an integer between 0 and 255.

• Bi-directional — Determines whether the firewall will allow traffic that is associated with this service
  to flow from either the source or the destination addresses. Select this checkbox only if your source
  port and destination port have the same value. This checkbox is cleared by default. NAT and
  redirection are not allowed for bi-directional rules with stateful packet inspection enabled.


Configuring service groups
Use the Service Groups Manager window to define groups of related services that will be simultaneously
managed. The purpose of a group is specific to the type of service. However, the procedure to create
groups is the same. Two or more related objects are associated under an aggregated object name to
simplify the management of multiple service objects.
Figure 133 Service Groups Manager window

      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Services node and then double-click Service Groups. The Service Groups Manager window is
         displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Group name — Specify a user-defined name for the service group that is being defined.

      • Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared
        by default. To create a privileged object, the user must be assigned a role that allows access to privileged
        objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the
        Administration Tool to assign the privileged object action to a role.

      • Description — Provide a meaningful description of the reason that this service group has been defined.

      • Type — Specify the kind of services that this group will contain. For more information about each of these
        types, see Services on page 346. The following values are available:

         • Proxy Services — Indicates a network service that is associated with a proxy agent that is running
           on the firewall.

         • Filter Services — Indicates a network service that is associated with a filter agent that is running on
           the firewall.

         • Server Services — Indicates a network service that is associated with a server agent, or daemon,
           that is running on the firewall.

      • Members — Select the checkbox for each service object to include in the group. Use the Find field to
        search for specific values. Specify part or all of the member name for which you want to search and click
        Find. Any values that match the search text are highlighted. Select one or more members.

      • OK — Save this service group.

      • Cancel — Close this window without saving any changes.

Application defenses
        Use application defenses to configure advanced properties for rules. You can refine rules for specific
        applications that use proxies and filter agents. You can also configure key services such as
        anti-virus/anti-spyware, SSL decryption, and web services management.
        The Control Center provides the following application defenses for configuration:
       • HTTP — Configuring HTTP application defenses on page 355

       • HTTPS — Configuring HTTPS application defenses on page 370

       • Mail (Sendmail) — Configuring Mail (Sendmail) application defenses on page 382

       • Mail (SMTP proxy) — Configuring Mail (SMTP proxy) application defenses on page 388

       • Citrix — Configuring Citrix application defenses on page 395

       • FTP — Configuring FTP application defenses on page 396

       • IIOP — Configuring IIOP application defenses on page 400

       • T.120 — Configuring T120 application defenses on page 401

       • H.323 — Configuring H.323 application defenses on page 402

       • Oracle — Configuring Oracle application defenses on page 403

       • MS SQL — Configuring MS SQL application defenses on page 404

       • SOCKS — Configuring SOCKS application defenses on page 405

       • SNMP — Configuring SNMP application defenses on page 406

       • SIP — Configuring SIP application defenses on page 408

       • SSH — Configuring SSH application defenses on page 409

       • Packet Filter — Configuring Packet Filter application defenses on page 415

       • Application defense groups — Configuring application defense groups on page 418


       Configuring HTTP application defenses
       Use the HTTP Application Defense window to create and maintain HTTP application defenses. An HTTP
       application defense specifies advanced properties for HTTP. These properties include: connection
       parameters, URL control properties, header filtering for HTTP requests and replies, content filtering using
       SmartFilter, and resource scanning for MIME, viruses, and spyware.
       Figure 134 HTTP Application Defense window

      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click HTTP. The HTTP Application Defense window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the HTTP application defense.

      • Description — Provide information about the HTTP application defense.

      • Type — Specify whether the application defense is used to protect the client, the server, or both
        applications. The following options are available:

         • Client — Protect a client that is located behind the firewall.

         • Server — Protect a server that is located behind the firewall.

         • Combined — Protect both an HTTP client and an HTTP server that are located behind the firewall.
           This is the default value.

      • OK — Save all of the changes on this window, including all of the tabs.

      • Cancel — Close this window without saving any changes.

      • Versions — Click this button to view a display of all of the fields on this window that have version-specific
        availability. You can also view this same information at the field level by holding your mouse over the
        version level icon and viewing the ToolTip.

      Tabs
      This window contains a series of tabs. As shown in the following table, the value that you select in the Type
      field determines the tabs that are displayed. A link and a brief description of each tab follows the table.
      Table 16 HTTP Application Defense: type selection and tabs
      Tab                               Client        Server          Combined

      General                           X             X               X
      HTTP URL                          X             X               X
      FTP URL                           X                             X
      HTTP Request                                    X               X
      HTTP Reply                        X             X               X
      MIME/Virus/Spyware                X                             X
      Content Scanning                  X             X               X
      Connection                        X                             X


      • General — Relax RFC requirements for HTTP. For more information, see HTTP Application Defense
        window: General tab on page 357.
      • HTTP URL — Configure HTTP URL control properties. For more information, see HTTP Application Defense
        window: HTTP URL tab on page 358.
      • FTP URL — Configure FTP URL control properties. For more information, see HTTP Application Defense
        window: FTP URL tab on page 360.

      • HTTP Request — Configure header filtering for HTTP requests. For more information, see HTTP
        Application Defense window: HTTP Request tab on page 361.

      • HTTP Reply — Configure header filtering for HTTP replies. For more information, see HTTP Application
        Defense window: HTTP Reply tab on page 363.

• MIME/Virus/Spyware — Enable MIME, virus, and spyware scanning services. For more information,
  see HTTP Application Defense window: MIME/Virus/Spyware tab on page 365.

• Content Scanning — Enable filtering of Web traffic using SmartFilter and enable filtering of particular
  types of content. For more information, see HTTP Application Defense window: Content Scanning tab on
  page 367.

• Connection — Specify connection properties for the HTTP application defense. For more information, see
  HTTP Application Defense window: Connection tab on page 368.

HTTP Application Defense window: General tab
Use the General tab of the HTTP Application Defense window to relax Request for Comments (RFC)
requirements for HTTP on traffic from clients, servers, or both. To view the fields on this tab, see Figure 134
on page 355.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTP. The HTTP Application Defense window is displayed.

4 Make sure that the General tab is selected.

Fields and buttons
This tab has the following field:
• Relax Protocol Enforcements — Determines whether RFC requirements for HTTP are relaxed. This
  checkbox is cleared by default. If this checkbox is selected, the following options are available:
   Note: If you select the Relax Protocol Enforcements checkbox, RFC infractions such as the following are
   allowed:

   • Media types in Content-Type headers in a relaxed form, in which the subtype attribute is not required
   • Empty headers
   • Duplicated responses from the server when the response is the same, but the version is different
   • Query strings containing arbitrary data
   Caution: Each of these infractions introduces an element of risk into your security policy, particularly if enabled
   on server-side rules. Use this mode only when necessary, and implement on a rule-by-rule basis.

   • Client — Relaxes requirements only on HTTP traffic received from clients. This allows you to create an
     application defense that protects a client behind the firewall. As a result of this selection, you will not
     be able to configure options that are not applicable to client protection (such as HTTP requests).

   • Server — Relaxes requirements only on HTTP traffic received from servers. This allows you to create
     an application defense that protects a server behind the firewall. As a result of this selection, you will
     not be able to configure options that are not applicable to server protection (such as content scanning
     options for other than SOAP objects).

   • Both — Relaxes requirements on HTTP traffic received from both clients and servers. This allows you
     to create an application defense that can protect both an HTTP client (outbound) and an HTTP server
     (inbound) behind the firewall. As a result of this selection, you will be able to configure all of the options
     for this defense. However, some of the options that you configure will apply only to the client or only
     to the server. (For example, HTTP request properties do not apply to the client. Therefore, if you select
     Both, HTTP request properties that you configure will apply only to the server.)

      HTTP Application Defense window: HTTP URL tab
      Use the HTTP URL tab of the HTTP Application Defense window to configure HTTP URL control properties.
      These properties determine the way that the URL that is contained in an HTTP request is filtered. The
      properties include allowed commands, disallowed URLs, maximum length of a URL, and other options.
      Figure 135 HTTP Application Defense window: HTTP URL tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click HTTP. The HTTP Application Defense window is displayed.

      4 Select the HTTP URL tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Enforce URL Control configuration — Determines whether URL control properties are configured. This
        checkbox is cleared by default. If this checkbox is selected, you can configure specific properties.

      • Allowed Commands — Specify the HTTP commands that are allowed by the proxy. A description for each
        command is included in this list. Select the checkbox associated with each command to include it in the
        permitted commands list. Right-click the column heading to access options to quickly select or clear fields.
        The following options are available:

         • Select All — Selects all of the HTTP commands in this list.

         • Unselect All — Clears all of the HTTP commands in this list.

      • (Deny Specified URL Matches) — Use the fields in this area to specify a list of URLs to be denied or
        allowed. The following fields are available:

      • (List below table) — Specify whether the strings that you list will be denied or allowed when matched to
        parts of the URL. The following options are available:
         Note: URLs that do not contain a string that is listed in this table are denied.

         • Deny — Indicates that if the string is found in a particular URL, the request is explicitly denied. The
           table lists the match strings that are currently denied.

   • Allow specified URL matches — Indicates that if the string is found in a particular URL, the request
     is allowed. The table lists the match strings that are currently allowed.

• Match Type — Specify the part of the URL that will be matched against the string value and be denied
  or allowed, depending on the value in the Deny Specified URL Matches field. The following options are
  available:

   • Contains — Indicates that a match is considered to be anything that contains the specified string.

   • Begins with — Indicates that a match is considered to be anything that begins with the same
     characters as the specified string.

   • Ends with — Indicates that a match is considered to be anything that ends with the same characters
     as the specified string.

• Match Parameter — Specify the portion of the URL to be matched against the specified string. The
  following options are available:

   • Host — Indicates that the host component of the request URL will be matched with the specified string.

   • Path — Indicates that the path component of the request URL will be matched with the specified string.

   • All — Indicates that the entire request URL will be matched with the specified string.

• String — Specifies the string that is matched against the selected part of the URL and then denied or
  allowed.

  For an example of how this works, consider the following URL:

      http://www.mycompany.com/resources/logos.html

  You specify "logos" as the value in the String field, with Deny as the action and Contains as the Match
  Type. This URL will be allowed if the Match Parameter value is set to Host (the host name does not contain
  "logos"); it will be denied if the Match Parameter value is set to Path or All.

• Options — Use the fields in this area to configure additional requirements.

   • Enforce Strict URLs — Determines whether URLs containing special characters are denied. If this
     checkbox is selected, URLs with certain special characters will be disallowed under certain
     circumstances (such as RFC violation). For example, the following special characters will not be
     permitted: angle brackets (<>), braces ({}), brackets ([]), quote ("), back quote (`), back slash (\),
     caret (^), and pipe (|).

   • Allow Unicode — Determines whether international multi-byte characters are allowed in a query. If
     this checkbox is selected, international multi-byte characters are allowed.

   • Require HTTP Version in Request — Determines whether the HTTP version is required in HTTP
     requests. If this checkbox is selected, the checkboxes associated with the acceptable versions, 1.0 and
     1.1, are selected:

       • 1.0 — Indicates that HTTP version 1.0 is allowed.

       • 1.1 — Indicates that HTTP version 1.1 is allowed.

   • Max URL Length — Specify the maximum number of characters allowed in a URL. The default value
     is 1024. Acceptable values range from 1 to 10000.
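To make the interaction of the HTTP URL tab fields concrete, the following added example (not McAfee code; all class, function and variable names are invented for illustration) models the Deny/Allow match list with its Match Type and Match Parameter, the Enforce Strict URLs character check, and the Max URL Length limit as plain Python, and runs the page's own "logos" example through all three Match Parameter values. The order in which the checks are applied, and the treatment of the Path component as excluding the query string, are assumptions of the model, not statements about the firewall.

```python
"""Model of the HTTP URL tab decision logic (added example, not McAfee code)."""
from urllib.parse import urlsplit

# Characters the Enforce Strict URLs option rejects, as listed on the page.
STRICT_URL_FORBIDDEN = frozenset('<>{}[]"`\\^|')

MATCH_TYPES = ("Contains", "Begins with", "Ends with")
MATCH_PARAMETERS = ("Host", "Path", "All")


def string_matches(subject: str, pattern: str, match_type: str) -> bool:
    """Apply one Match Type value to one URL component."""
    if match_type == "Contains":
        return pattern in subject
    if match_type == "Begins with":
        return subject.startswith(pattern)
    if match_type == "Ends with":
        return subject.endswith(pattern)
    raise ValueError(f"unknown Match Type: {match_type!r}")


def url_component(url: str, match_parameter: str) -> str:
    """Return the part of the URL that the Match Parameter selects (All = whole URL).

    Assumption: Path means the path only, without the query string.
    """
    if match_parameter == "All":
        return url
    parts = urlsplit(url)  # raises ValueError on a malformed authority, e.g. "[" without "]"
    if match_parameter == "Host":
        return parts.hostname or ""
    if match_parameter == "Path":
        return parts.path
    raise ValueError(f"unknown Match Parameter: {match_parameter!r}")


class UrlControl:
    """Hypothetical in-memory form of one HTTP URL tab configuration."""

    def __init__(self, mode="Deny", match_type="Contains", match_parameter="Path",
                 strings=(), enforce_strict_urls=False, max_url_length=1024):
        if mode not in ("Deny", "Allow"):
            raise ValueError("mode must be 'Deny' or 'Allow'")
        if match_type not in MATCH_TYPES or match_parameter not in MATCH_PARAMETERS:
            raise ValueError("unsupported Match Type or Match Parameter")
        self.mode = mode
        self.match_type = match_type
        self.match_parameter = match_parameter
        self.strings = list(strings)
        self.enforce_strict_urls = enforce_strict_urls
        self.max_url_length = max_url_length

    def evaluate(self, url: str):
        """Return (allowed, reason). Check order (length, strict, match list) is an assumption."""
        if len(url) > self.max_url_length:
            return False, f"URL exceeds Max URL Length of {self.max_url_length}"
        if self.enforce_strict_urls:
            bad = sorted(set(url) & STRICT_URL_FORBIDDEN)
            if bad:
                return False, "Enforce Strict URLs rejected characters: " + "".join(bad)
        try:
            subject = url_component(url, self.match_parameter)
        except ValueError as exc:
            return False, f"unparseable URL: {exc}"
        hit = next((s for s in self.strings
                    if string_matches(subject, s, self.match_type)), None)
        if self.mode == "Deny":
            if hit is not None:
                return False, f"Deny string {hit!r} matched {self.match_parameter}"
            return True, "no Deny string matched"
        # Allow mode: per the tab's note, a URL that matches no listed string is denied.
        if hit is not None:
            return True, f"Allow string {hit!r} matched {self.match_parameter}"
        return False, "no Allow string matched"


if __name__ == "__main__":
    # Constructed input: the page's example URL with "logos" as the String value.
    example = "http://www.mycompany.com/resources/logos.html"
    for parameter in MATCH_PARAMETERS:
        control = UrlControl(mode="Deny", match_type="Contains",
                             match_parameter=parameter, strings=["logos"])
        print(f"{parameter:<5}", control.evaluate(example))
```

Running the script shows the page's result: Host allows the URL, while Path and All deny it.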

      HTTP Application Defense window: FTP URL tab
      Use the FTP URL tab of the HTTP Application Defense window to configure FTP URL control properties.
      These properties control access to FTP servers through HTTP proxies. Access to FTP servers is allowed by
      default.
      Note: The FTP URL tab is available only if you selected Client or Combined as the value in the Type field on this
      window.

      Figure 136 HTTP Application Defense window: FTP URL tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click HTTP. The HTTP Application Defense window is displayed.

      4 Select the FTP URL tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Enforce FTP URL Control — Determines whether URL control properties are configured. This checkbox
        is cleared by default. If this checkbox is selected, use the other fields on this tab to configure specific
        properties.

      • Server Mode — Specify the mode to be used for FTP connections. The following options are available:

         • Active — Indicates that the FTP client will tell the server the port number that will be used for the data
           connection. In this normal mode of operation, the FTP client issues the PORT command.

         • Passive — Indicates that the FTP server will tell the FTP client the port number of the port that will be
           used for the data connection. In this mode, the FTP client issues the PASV command.

         • Both — Indicates that both modes are available. The passive mode is tried first. This is the default
           value.


• Allowed FTP Commands — Specify the FTP commands that are allowed by the proxy. The checkboxes
  associated with these commands are cleared by default. Select the checkbox associated with each
  command to include it in the list of permitted commands. Right-click the column heading to access options
  to quickly select (Select All) or clear (None) all fields. The following fields are available:

   • GET - Get file from server — Determines whether files are allowed to be downloaded from an FTP
     server. If this checkbox is cleared, all downloaded files are denied.

   • PUT - Put file on server — Determines whether files are allowed to be uploaded to an FTP server. If
     this checkbox is cleared, all uploaded files are denied.

HTTP Application Defense window: HTTP Request tab
Use the HTTP Request tab of the HTTP Application Defense window to configure header filtering on HTTP
requests.
Note: The HTTP Request tab is available only if you selected Server or Combined as the Type field value in this
window.

Figure 137 HTTP Application Defense window: HTTP Request tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTP. The HTTP Application Defense window is displayed.

4 Select the HTTP Request tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Request configuration — Determines whether filtering properties for HTTP request
  headers are configured. This checkbox is cleared by default. If this checkbox is selected, use the other
  fields on this tab to configure specific properties for request headers.

• Filter Option — Determines whether selected HTTP request header types are allowed. The following
  options are available:

   • Allow — Permits all selected HTTP request header filter types. If this option is selected, all other HTTP
     request header types are denied.



   • Deny — Denies all selected HTTP request header filter types. If this option is selected, all other HTTP
     request header types are allowed.

• HTTP Request Header Filter Types — Specify the types of HTTP request headers to be allowed or
  denied. Select the checkbox associated with each type to include it in the list.
  Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx request headers (often found in
  user-defined headers). If you are creating a list of allowed headers (that is, the Filter Option field value is
  Allow) and you do not include the X-* filter type, most HTTP traffic will be denied.

  Right-click the column heading to select from the following options to quickly select or clear portions or
  all of the checkboxes in this list. The following options are available:
  Note: Header types that do not appear in this list are handled the same way as if they were not selected.

   • None — Clear all HTTP request header filter types in the list.

   • Standard — Select all of the HTTP request header filter types in the list. (This is the same as Select
     All.)

   • Paranoid — Select only those HTTP request header filter types that are defined in the RFC. All other
     header types are excluded.

   • Custom — Manually select the HTTP request header filter types to include in the list.

   • Select All — Select all of the HTTP request header filter types.

• Denied Header Action — Determines whether a page containing a denied header is displayed. The
  following options are available:

   • Allow Page Without Denied Header — Masks the denied HTTP request header, but allows the page
     to be displayed. (A denied HTTP request header will be overwritten with Xs.)

   • Block Entire Page — Blocks the entire page when an HTTP request header is denied.

• Denied header values — Use the fields in this area to create a list of headers and matching values that
  you want to block. If a specified header appears in a request or in a response, and it contains the specified
  value, it is dropped from the message.

   • Full header names must be used.

   • Regular expressions are not supported.

   • Values are matched in a case-insensitive manner, and are used exactly as specified.

  For more information on HTTP message headers, refer to RFC 2616 which can be found at
  www.ietf.org/rfc.html.

   • Header — Specify the header to be blocked.

   • Value — Specify the value of the header to be blocked.

• Deny binary data — Determines whether to block headers that contain binary data. Every header will
  be scanned to detect binary data. This prevents attacks that put binary data in requests. However,
  performance on your firewall will be reduced.

   • Binary data means ASCII codes 0x00 to 0x1f and 0x7f hexadecimal.

   • This does not affect escaped characters that convert to legal ASCII characters. For example, %41 in a
     header would convert to the letter A in ASCII.




HTTP Application Defense window: HTTP Reply tab
Use the HTTP Reply tab of the HTTP Application Defense window to configure header filtering on HTTP
replies.
Figure 138 HTTP Application Defense window: HTTP Reply tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTP. The HTTP Application Defense window is displayed.

4 Select the HTTP Reply tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Reply configuration — Determines whether filtering properties for HTTP reply headers
  are configured. This checkbox is cleared by default. If this checkbox is selected, use the other fields on
  this tab to configure specific properties for reply headers.

• Filter Option — Specify whether selected HTTP reply header types are allowed. The following options are
  available:

   • Allow — Permits all selected HTTP reply header filter types. If this option is selected, all other HTTP
     reply header types are denied.

   • Deny — Denies all selected HTTP reply header filter types. If this option is selected, all other HTTP
     reply header types are allowed.

• HTTP Reply Header Filter Types — Specify the types of HTTP reply headers to be allowed or denied.
  Select the checkbox associated with each type to include it in the list.
  Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx reply headers (often found in
  user-defined headers). If you are creating a list of allowed headers (that is, the Filter Option field value is
  Allow) and you do not include the X-* filter type, most HTTP traffic will be denied.

  Right-click the column heading to select from the following options to quickly select or clear portions or
  all of the checkboxes in this list. The following options are available:
  Note: Header types that do not appear in this list are handled the same way as if they were not selected.




   • None — Clear all HTTP reply header filter types in the list.

   • Standard — Select all of the HTTP reply header filter types in the list. (This is the same as Select All.)

   • Paranoid — Select only those HTTP reply header filter types that are defined in the RFC. All other
     header types are excluded.

   • Custom — Manually select the HTTP reply header filter types to include in the list.

   • Select All — Select all of the HTTP reply header filter types.

• Denied Header Action — Determines whether a page containing a denied header is displayed. The
  following options are available:

   • Allow Page Without Denied Header — Masks the denied HTTP reply header, but allows the page to
     be displayed. (A denied HTTP reply header will be scrubbed.)

   • Block Entire Page — Blocks the entire page when an HTTP reply header is denied.

• Denied header values — Use the fields in this area to create a list of headers and matching values that
  you want to block. If a specified header appears in a request or in a response, and it contains the specified
  value, it is dropped from the message.

   • Full header names must be used.

   • Regular expressions are not supported.

   • Values are matched in a case-insensitive manner, and are used exactly as specified.

  For more information on HTTP message headers, refer to RFC 2616 which can be found at
  www.ietf.org/rfc.html.

   • Header — Specify the header to be blocked.

   • Value — Specify the value of the header to be blocked.

• Deny binary data — Determines whether to block headers that contain binary data. Every header will
  be scanned to detect binary data. This prevents attacks that put binary data in requests. However,
  performance on your firewall will be reduced.

   • Binary data means ASCII codes 0x00 to 0x1f and 0x7f hexadecimal.

   • This does not affect escaped characters that convert to legal ASCII characters. For example, %41 in a
     header would convert to the letter A in ASCII.
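The header-filtering rules on the HTTP Request tab and the HTTP Reply tab follow the same logic, so the following Python model (an added example, not Control Center or McAfee code) implements them once: Filter Option against the selected filter types with the X-* wildcard, the two Denied Header Action choices, the exact case-insensitive Denied header values match, and the Deny binary data check on raw (undecoded) header values. The sample headers, the policy values, and the rule that a header failing the binary-data check is handled like any other denied header are constructed assumptions for illustration.

```python
"""Header-filter model for the HTTP Request and HTTP Reply tabs.

Added example, not Control Center code. It models Filter Option with the
selected filter types (including the X-* wildcard), Denied Header Action,
Denied header values and Deny binary data on constructed headers.
"""
from dataclasses import dataclass, field

# Binary data as the page defines it: ASCII 0x00-0x1f and 0x7f.
BINARY_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}


@dataclass
class HeaderPolicy:
    filter_option: str = "Allow"                          # "Allow" or "Deny"
    filter_types: set = field(default_factory=set)        # selected names, may include "X-*"
    denied_header_action: str = "Allow Page Without Denied Header"  # or "Block Entire Page"
    denied_values: list = field(default_factory=list)     # [(header, value), ...]
    deny_binary_data: bool = False


def type_selected(name: str, filter_types: set) -> bool:
    """X-* stands for every X-xxx (user-defined) header; other names match exactly."""
    selected = {t.lower() for t in filter_types}
    lowered = name.lower()
    return lowered in selected or ("x-*" in selected and lowered.startswith("x-"))


def header_permitted(name: str, policy: HeaderPolicy) -> bool:
    """Allow mode permits only selected types; Deny mode permits everything else."""
    selected = type_selected(name, policy.filter_types)
    return selected if policy.filter_option == "Allow" else not selected


def has_binary_data(value: str) -> bool:
    """Raw control characters only: %41-style escapes are not decoded first."""
    return any(ch in BINARY_CHARS for ch in value)


def value_denied(name: str, value: str, policy: HeaderPolicy) -> bool:
    """Full header name, no regular expressions, case-insensitive whole-value match."""
    return any(name.lower() == h.lower() and value.lower() == v.lower()
               for h, v in policy.denied_values)


def apply_policy(headers: list, policy: HeaderPolicy) -> tuple:
    """Return ("block", None) or ("allow", filtered header list).

    Assumption not stated on the page: a header failing the binary-data check
    is handled like any other denied header, so Denied Header Action applies.
    """
    kept = []
    for name, value in headers:
        if value_denied(name, value, policy):
            continue                                   # dropped from the message
        denied = ((policy.deny_binary_data and has_binary_data(value))
                  or not header_permitted(name, policy))
        if not denied:
            kept.append((name, value))
        elif policy.denied_header_action == "Block Entire Page":
            return "block", None
        else:
            kept.append((name, "X" * len(value)))      # request tab: overwritten with Xs
    return "allow", kept


# Constructed sample headers (not from the page).
SAMPLE_HEADERS = [
    ("Host", "intranet.example.test"),
    ("User-Agent", "Mozilla/5.0"),
    ("Referer", "http://a"),
    ("X-Requested-With", "XMLHttpRequest"),
    ("X-Debug", "true"),
]


def demo() -> dict:
    """Run the samples through an allow-list, a block-page and a binary-data policy."""
    allow_list = HeaderPolicy("Allow", {"Host", "User-Agent", "X-*"},
                              denied_values=[("x-debug", "TRUE")])
    block_page = HeaderPolicy("Allow", {"Host", "User-Agent", "X-*"}, "Block Entire Page")
    binary = HeaderPolicy("Deny", set(), "Block Entire Page", deny_binary_data=True)
    return {
        "masked": apply_policy(SAMPLE_HEADERS, allow_list),
        "blocked": apply_policy(SAMPLE_HEADERS, block_page),
        "binary": apply_policy([("X-Trace", "ab\x01c")], binary),
        "escaped": apply_policy([("X-Trace", "%41%01")], binary),
    }
```

In the allow-list run, Referer is not a selected type, so it is overwritten with Xs while the X-* wildcard lets X-Requested-With through; X-Debug is dropped by the Denied header values match even though its type is allowed. The escaped sample shows why the binary-data check leaves %41-style escapes alone: the value is examined as received, not after decoding.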




HTTP Application Defense window: MIME/Virus/Spyware tab
Use the MIME/Virus/Spyware tab of the HTTP Application Defense window to configure settings required for
the scanning of resources for Multipurpose Internet Mail Extensions (MIME) types, viruses, and spyware.
Use these settings to enable scanning, to control scanner behavior, and to specify the actions to be taken
with different types of resources.
Note: The MIME/Virus/Spyware tab is available only if you selected Server or Combined as the Type field value
on this window.

Figure 139 HTTP Application Defense window: MIME/Virus/Spyware tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTP. The HTTP Application Defense window is displayed.

4 Select the MIME/Virus/Spyware tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce Virus/Spyware Scanning — Determines whether file scanning for MIME types, viruses, and
  spyware is enabled. This checkbox is cleared by default. If you select this checkbox, you can configure
  parameters that control file content scanning and infected file handling.

• Virus/Spyware Extensions — Use the fields in this area to specify the types of resources that will be
  scanned and the action that will be taken for each type. To change the order of a row in this list, highlight
  the row and click the up or down arrow button. The following fields are available:

   • Default Action — Specify the action to be taken, by default, for resources that are not specified in the
     table below this field.

     The following options are available:

      • Allow — Indicates that all resources are allowed, except those that are defined as being denied in
        the table. This is the default value.

        If you select this option, you must specify the resources that you want to scan or deny in the table.

      • Scan — Indicates that all resources are to be scanned for MIME types, viruses, and spyware, except
        those that are defined as being denied in the table.

      • Deny — Indicates that all resources are to be denied, except those that are defined as being allowed
        in the table.

        If you select this option, you must specify the resources that you want to scan or allow in the table.



   • Action — Specify the action to be taken for each resource that is specified in this table. The following
     options are available:

      • Allow — Permit files with the specified extensions to be transferred. Note that this option excludes
        scanning for viruses and spyware.

      • Scan — Require files with the specified extensions to be scanned for viruses and spyware. If
        scanning does not detect viruses or spyware, the files are allowed to be transferred.

      • Deny — Prohibit files with the specified extensions from being transferred. Note that this option
        excludes scanning for viruses and spyware.

   • MIME Type — Specify the MIME type that you want to filter. If you select asterisk (*), the filter rule
     will ignore this field when it determines a match.

   • MIME Subtype — Specify the MIME subtype associated with the selected value in the MIME Type
     column. If you select asterisk (*), the filter rule will ignore this field when it determines a match.

   • Extension Type — Specify the types of file name extensions to be filtered. The following options are
     available:

      • All File Extensions — Indicates file name extensions of all types (*). Extensions are ignored
        when the filter rule determines a match.

      • Archive File Types — Indicates usage of the list of predefined file name extensions that are
        displayed in the Extensions column (such as tar and zip, for example).

      • Mime Specific Types — Displays the file name extensions that are associated with the selected
        Mime Type and Mime Subtype field values. If you have selected a Mime Type of text and a Mime
        Subtype of html, for example, this field displays html and htm.

      • Custom List — You can specify text in the Extensions field to create a customized list of file name
        extensions.

   • Extensions — Specify the file name extensions to be included. If you selected Archive File Types or
     Mime Specific Types for the value of the Extension Type field, the associated extensions are
     displayed in this field. If you selected Custom List for the Extension Type field value, specify your file
     extensions in this list. Use the following guidance for your values:

      • Do not specify the leading period for each extension value.

      • If you have more than one file extension value to specify, use commas (,), not spaces, to delimit
        your values.

   • Up and down buttons — Use the buttons to move the selected row up or down one row in the table,
     respectively.

• Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields
  are available:

   • Reject all files if scanning is unavailable — Determines whether file transfer using HTTP is
     prevented if the proxy cannot communicate with the scanners. This checkbox is cleared by default. If
     you select this option, the connection will be dropped if scanning is unavailable (for example, due to
     out-of-date virus data, an expired license, or a configuration error).

   • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions
     7.0.0.08 and later and 7.0.1.02 and later] Determines whether to enable scanning for unknown
     viruses. This checkbox is cleared by default.

   • Infected File Handling — Use the fields in this area to specify the way that infected files are handled.
     The following options are available:

      • Discard infected files — Indicates that infected files will be discarded.



      • Repair infected files — Indicates that infected files will be disinfected prior to processing. If an
        infected file cannot be disinfected, it will be discarded.

   • Maximum Scan Size — Use the fields in this area to specify file size parameters for scanning. The
     following fields are available:
     Note: The “allow” and “reject” options are available only for firewall versions 7.0.0.08 and later and
     versions 7.0.1.02 and later.

      • Scan File Size Limit (KB) — Specify the maximum file size (in kilobytes) that will be allowed. The
        default value is 32768.

      • Files over the scan limit will be allowed through unscanned — Indicates that, even though a
        file exceeds the specified limit, it will be allowed to pass through without being scanned.

      • Files over the scan limit will be rejected — Indicates that if a file exceeds the specified limit,
        scanning will not be performed and the file will be denied. This is the default selection.
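The fields on this tab combine into one decision per resource: Default Action applies unless a row of the extension table matches, and a Scan outcome is then subject to Maximum Scan Size, scanner availability, and Infected File Handling. The Python model below is an added example, not Control Center code. The sample rules, the first-match ordering of the table, the short archive and MIME-specific extension lists (the page names only tar, zip, html and htm), and the behaviour when the reject-if-unavailable option is cleared are assumptions made for illustration.

```python
"""Decision model for the MIME/Virus/Spyware tab.

Added example, not Control Center code: combines Default Action, the ordered
extension table, Scanner Behavior and Maximum Scan Size into one decision.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumption: the page names only tar/zip and text/html -> html, htm; the
# product's built-in lists are longer.
ARCHIVE_EXTENSIONS = {"tar", "zip"}
MIME_SPECIFIC_EXTENSIONS = {("text", "html"): {"html", "htm"}}


@dataclass
class ExtensionRule:
    action: str                                   # "Allow", "Scan" or "Deny"
    mime_type: str = "*"                          # "*" means the field is ignored
    mime_subtype: str = "*"
    extension_type: str = "All File Extensions"
    extensions: str = ""                          # Custom List: comma-separated, no leading periods

    def extension_set(self) -> Optional[set]:
        # None means any extension matches (All File Extensions).
        if self.extension_type == "Archive File Types":
            return ARCHIVE_EXTENSIONS
        if self.extension_type == "Mime Specific Types":
            key = (self.mime_type.lower(), self.mime_subtype.lower())
            return MIME_SPECIFIC_EXTENSIONS.get(key, set())
        if self.extension_type == "Custom List":
            # Commas delimit; a stray leading period or space is tolerated.
            return {e.strip().lstrip(".").lower()
                    for e in self.extensions.split(",") if e.strip()}
        return None

    def matches(self, mime_type: str, mime_subtype: str, extension: str) -> bool:
        if self.mime_type != "*" and self.mime_type.lower() != mime_type.lower():
            return False
        if self.mime_subtype != "*" and self.mime_subtype.lower() != mime_subtype.lower():
            return False
        allowed = self.extension_set()
        return allowed is None or extension.lower() in allowed


@dataclass
class ScanPolicy:
    default_action: str = "Allow"              # Allow, Scan or Deny
    rules: list = field(default_factory=list)  # ordered table; first match wins (assumption)
    reject_if_scanner_unavailable: bool = False
    heuristic_scanning: bool = False
    repair_infected: bool = False              # False = Discard infected files
    scan_size_limit_kb: int = 32768
    over_limit_allowed: bool = False           # False = over-limit files are rejected (default)


def decide(policy: ScanPolicy, mime_type: str, mime_subtype: str, extension: str,
           size_kb: int, scanner: Optional[Callable[[bool], str]]) -> str:
    """Return 'allow', 'allow-unscanned', 'allow-repaired' or 'deny'.
    scanner is None when the scanners cannot be reached; otherwise it takes the
    heuristic flag and returns 'clean', 'infected' or 'repairable'."""
    action = policy.default_action
    for rule in policy.rules:
        if rule.matches(mime_type, mime_subtype, extension):
            action = rule.action
            break
    if action == "Allow":
        return "allow"            # transferred without virus/spyware scanning
    if action == "Deny":
        return "deny"
    if size_kb > policy.scan_size_limit_kb:
        return "allow-unscanned" if policy.over_limit_allowed else "deny"
    if scanner is None:
        # Assumption: with the reject option cleared, the file passes unscanned.
        return "deny" if policy.reject_if_scanner_unavailable else "allow-unscanned"
    verdict = scanner(policy.heuristic_scanning)
    if verdict == "clean":
        return "allow"
    if verdict == "repairable" and policy.repair_infected:
        return "allow-repaired"
    return "deny"                 # infected file discarded


# Constructed policy: allow by default, deny executables, scan archives and HTML.
SAMPLE_POLICY = ScanPolicy(
    rules=[ExtensionRule("Deny", "*", "*", "Custom List", "exe, dll, msi"),
           ExtensionRule("Scan", "*", "*", "Archive File Types"),
           ExtensionRule("Scan", "text", "html", "Mime Specific Types")],
    reject_if_scanner_unavailable=True, repair_infected=True)


def demo() -> dict:
    clean = lambda heuristic: "clean"
    repairable = lambda heuristic: "repairable"
    return {
        "exe": decide(SAMPLE_POLICY, "application", "octet-stream", "exe", 2, clean),
        "zip_clean": decide(SAMPLE_POLICY, "application", "zip", "zip", 512, clean),
        "zip_big": decide(SAMPLE_POLICY, "application", "zip", "zip", 40000, clean),
        "zip_no_scanner": decide(SAMPLE_POLICY, "application", "zip", "zip", 512, None),
        "html_repaired": decide(SAMPLE_POLICY, "text", "html", "htm", 8, repairable),
        "pdf_default": decide(SAMPLE_POLICY, "application", "pdf", "pdf", 8, clean),
    }
```

The sample policy shows the two consequences the tab warns about: a Default Action of Allow means anything not listed (the PDF here) is transferred without scanning, and with the default reject-over-limit setting a 40000 KB archive is denied rather than scanned, so the 32768 KB limit needs to be chosen with the organisation's legitimate downloads in mind.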

HTTP Application Defense window: Content Scanning tab
Use the Content Scanning tab of the HTTP Application Defense window to configure settings associated with
filtering Web content and denying embedded objects and scripting. McAfee SmartFilter, a content
management solution that controls users' access to Web resources, can be configured to work with the
firewall to filter Web traffic. Use this tab to enable filtering of HTTP requests by using McAfee SmartFilter.
Figure 140 HTTP Application Defense window: Content Scanning tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTP. The HTTP Application Defense window is displayed.

4 Select the Content Scanning tab.




Fields and buttons
This tab has the following fields and buttons:
• Enforce McAfee SmartFilter — Determines whether McAfee SmartFilter is used to filter Web traffic. This
  checkbox is cleared by default. If this checkbox is selected, the following field is available:

   • Reject all requests if McAfee SmartFilter is unavailable — Determines whether HTTP requests
     are denied if the McAfee SmartFilter server on the firewall is unavailable.

• Enforce Content Control — Determines whether certain types of content are denied. This checkbox is
  cleared by default. If this checkbox is selected, use the following fields to specify the denial of particular
  types of content from Web documents.
  Note: The Deny SOAP field is not available if the selected value of the Type field is Client.

  The Deny ActiveX, Deny Scripting, and Deny Java Applets fields are not available if the selected value of
  the Type field is Server.

   • Deny SOAP — Determines whether to deny the entire page if it contains SOAP-embedded objects. If
     this checkbox is selected, the SOAP embedded objects are scrubbed from the Web content.

   • Deny ActiveX — Determines whether to deny the entire page if it contains ActiveX®-embedded
     objects. If this checkbox is selected, the ActiveX embedded objects are scrubbed from the Web
     content.

   • Deny Scripting — Determines whether to deny the entire page if it contains scripting languages. If
     this checkbox is selected, the scripting languages are scrubbed from the Web content.

   • Deny Java Applets — Determines whether to deny the entire page if it contains Java™ applet objects.
     If this checkbox is selected, the Java applet objects are scrubbed from the Web content.

HTTP Application Defense window: Connection tab
Use the Connection tab of the HTTP Application Defense window to configure connection properties for the
HTTP application defense. These properties include enabling traffic to an upstream proxy and identifying
ports for traffic from non-transparent proxies.
Note: The Connection tab is available only if you selected Client or Combined as the Type in this window.

Figure 141 HTTP Application Defense window: Connection tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTP. The HTTP Application Defense window is displayed.

4 Select the Connection tab.

Fields and buttons
This tab has the following fields and buttons:
• Upstream proxies — Use the fields in this area to configure whether the HTTP proxy can communicate
  with a non-transparent proxy. The following fields are available:

   • Enabled — Determines whether the defined scheme can be forwarded.

   • Scheme — Specify the scheme of the requests to be forwarded. A scheme is the protocol identifier in
     the URI naming structure (for example, gopher).

   • IP address — Specify the IP address of the upstream proxy where the request is being sent. The list
     of addresses from which you can select is for existing network objects.

   • Port — Specify the port number to use for communication with the upstream proxy.

• Destination ports allowed through non-transparent HTTP proxy — Use the fields in this area to
  configure the range of ports to which the non-transparent proxy can send traffic. Pre-defined ports are:
  80, 443, and 1024 through 65535.

   • Start Port — Specify the first port in the range.

   • End Port — Specify the last port in the range.

   • Allow non-transparent HTTPS traffic through the HTTP proxy — Determines whether
     non-transparent secure HTTP (that is, HTTPS) traffic is allowed through the HTTP proxy. This checkbox
     is cleared by default.

• Destination ports allowed through non-transparent HTTP proxy using FTP — Use the fields in this
  area to configure the range of ports to which the non-transparent proxy can send traffic by using FTP.
  The pre-defined port is 21.

   • Start Port — Specify the first port in the range.

   • End Port — Specify the last port in the range.




Configuring HTTPS application defenses
Use the HTTPS Application Defense window to create and maintain HTTPS application defenses. An HTTPS
application defense specifies advanced properties for HTTPS proxy rules. Such properties include
connection parameters, SSL decryption, URL control properties, header filtering for HTTP requests and
replies, filtering of content by using McAfee SmartFilter, and scanning of resources for MIME, virus, and
spyware.
Figure 142 HTTPS Application Defense window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

Fields and buttons
This window contains the following fields and buttons:
• Name — Specify a label used to refer to the HTTPS application defense.

• Description — Provide information about the HTTPS application defense.

• Type — Specify whether the application defense is used to protect a client or a server. The following values
  are available:

   • Client — Protects a client behind the firewall.

   • Server — Protects a server behind the firewall.

• OK — Save the changes that were made on any of the tabs in this window.

• Cancel — Close this window without saving any changes that were made on any tabs of this window.

• Versions — Click this button to view a display of all of the fields on this window that have version-specific
  availability. You can also view this same information at the field level by holding your mouse over the
  version level icon and viewing the ToolTip.




Tabs
This window contains a number of tabs. As shown in the following table, the Type selection determines the
tabs that are displayed and the fields on those tabs.
Table 17 HTTPS Application Defense: type selection and tabs
Tab                                              Client              Server

Content Scanning                                 X                   X
Connection                                       X                   X
General                                                              X


• Content Scanning — Enable filtering of Web traffic using SmartFilter and enable filtering of SOAP
  objects. See HTTPS Application Defense window: Content Scanning tab on page 373.

• Connection — Specify connection properties for the HTTPS application defense. See HTTPS Application
  Defense window: Connection tab on page 374.

• General — Determine whether to enable SSL decryption for Web traffic. See HTTPS Application Defense
  window: General tab on page 371.

   If you select the Decrypt Web Traffic checkbox on this tab, the following additional tabs are
   displayed.
   Table 18 Additional tabs for Decrypt Web Traffic
    Tab                                                 Client            Server

    HTTP URL                                                              X
    HTTP Request                                                          X
    HTTP Reply                                                            X
    MIME/Virus/Spyware                                                    X


• HTTP URL — Configure HTTP URL control properties. See HTTPS Application Defense window: HTTP URL
  tab on page 375.

• HTTP Request — Configure header filtering for HTTP requests. See HTTPS Application Defense window:
  HTTP Request tab on page 377.

• HTTP Reply — Configure header filtering for HTTP replies. See HTTPS Application Defense window: HTTP
  Reply tab on page 378.

• MIME/Virus/Spyware — Enable MIME, virus, and spyware scanning services. See HTTPS Application
  Defense window: MIME/Virus/Spyware tab on page 380.

HTTPS Application Defense window: General tab
Use the General tab of the HTTPS Application Defense window to configure SSL decryption and select other
options for the HTTPS application defense.
Note: The General tab is available only if you selected Server as the Type on this window.

To use SSL decryption services on the firewall, you must have licensed the following features:
• Strong Cryptography — This feature is included with the basic firewall Security Appliance license.

• SSL Decryption — This feature is an add-on module. If you purchase it after the initial activation of the
  firewall, you must re-license the firewall to activate this feature.




Figure 143 HTTPS Application Defense window: General tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

4 Select Server as the value for the Type field.

5 Make sure that the General tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Decrypt Web Traffic — Determines whether SSL decryption is enabled. This checkbox is cleared by
  default. In this case, Web traffic passes through without encryption. If this checkbox is selected, the other
  controls on this page may be used to configure SSL settings and enable other options.
  Note: Proxy rules that use HTTPS application defenses with this checkbox selected must have redirection
  configured.

• Relax Protocol Enforcements — Determines whether RFC requirements for HTTP are relaxed. This
  checkbox is cleared by default. If this checkbox is selected, select one of the following options from the
  list:

   • Client — Relaxes requirements only on HTTP traffic received from clients.

   • Server — Relaxes requirements only on HTTP traffic received from servers.

   • Both — Relaxes requirements on HTTP traffic received from both clients and servers.

  Note: If you select the Relax Protocol Enforcements checkbox, RFC infractions are allowed as stated in
  the following list:

   • Media types in Content-Type headers do not require the subtype attribute
   • Empty headers
   • Duplicated responses from the server where the response is the same but the version is different
   • Query strings containing arbitrary data

  Select Relax Protocol Enforcements only if these types of infractions are acceptable or required in your
  network.




• Rewrite Microsoft OWA HTTP (Outlook Web Access) — Determines whether clientless VPN sessions are
  allowed to access a Microsoft® Exchange Server. This checkbox is cleared by default.

• SSL Settings — Use the fields in this area to configure your SSL settings. The following fields are
  available:

   • Allow Selected SSL/TLS Versions — Specify the SSL/TLS versions that will be accepted for secure
     Web connections. The following checkboxes are available:

       • SSL2 — If selected, indicates that the SSL Version 2 protocol will be accepted.
         SSL2 is not recommended. It is provided only to allow compatibility with older Web browsers and
         SSL applications.

       • SSL3 — If selected, indicates that the SSL Version 3 protocol will be accepted.

       • TLS1 — If selected, indicates that the TLS Version 1 protocol will be accepted.

   • Require Diffie-Hellman Key Exchange — Determines whether Diffie-Hellman Key Exchange is
     required.

       This checkbox is enabled only if you have selected the SSL3 or TLS1 checkbox in the Allow
       Selected SSL/TLS Versions field. This checkbox is cleared by default.

   • Minimum Crypto Strength — Specify the minimum level of cryptography desired. Allowed values are
     40 bit, 56 bit, 128 bit, and 168 bit.

• Firewall Certificates — Use the table in this area to configure the SSL certificates that will be used to
  decrypt HTTPS traffic. Unless you specify overrides here, the certificate that is specified in the Firewall
  window will be used.

   • Firewall — Select the firewall that has the certificate that you want to use as an override.

   • Certificate — Specify the certificate that is used to authenticate the firewall to the remote HTTPS/SSL
     client.
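As an added example (not Control Center code), the following Python check evaluates a negotiated session against the three SSL Settings described above: the accepted protocol versions, Require Diffie-Hellman Key Exchange, and Minimum Crypto Strength. The mapping from OpenSSL-style cipher-suite names to a key-exchange method and a symmetric key size is an assumed lookup written for this example, and the sessions in demo() are constructed, not taken from the page.

```python
"""SSL Settings check for the HTTPS General tab.

Added example, not Control Center code. It maps OpenSSL-style cipher-suite
names to a key-exchange method and a symmetric key size, then checks a
negotiated session against Allow Selected SSL/TLS Versions, Require
Diffie-Hellman Key Exchange and Minimum Crypto Strength.
"""
from dataclasses import dataclass, field


@dataclass
class SslSettings:
    allowed_versions: set = field(default_factory=lambda: {"SSL3", "TLS1"})
    require_dh: bool = False
    minimum_crypto_strength: int = 128        # 40, 56, 128 or 168 bit


def key_exchange(cipher: str) -> str:
    """DHE/EDH and ECDHE prefixes mark ephemeral Diffie-Hellman; otherwise plain RSA."""
    name = cipher.upper()
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "RSA"


def cipher_strength(cipher: str) -> int:
    """Symmetric key bits; assumed lookup covering the strengths the tab offers."""
    name = cipher.upper()
    if name.startswith("EXP-"):
        return 40                 # export-grade suite
    if "NULL" in name:
        return 0
    if "AES256" in name:
        return 256
    if "AES128" in name:
        return 128
    if "DES-CBC3" in name:
        return 168                # triple DES
    if "DES-CBC" in name:
        return 56                 # single DES
    if "RC4" in name:
        return 128
    return 0                      # unknown suite: fail closed


def check_session(settings: SslSettings, version: str, cipher: str) -> list:
    """Return the policy violations; an empty list means the session is acceptable."""
    problems = []
    if version not in settings.allowed_versions:
        problems.append(f"protocol {version} not in allowed versions")
    if settings.require_dh and "DH" not in key_exchange(cipher):
        problems.append("Diffie-Hellman key exchange required")
    bits = cipher_strength(cipher)
    if bits < settings.minimum_crypto_strength:
        problems.append(f"{bits}-bit cipher below minimum of "
                        f"{settings.minimum_crypto_strength} bits")
    return problems


def demo() -> dict:
    """Constructed sessions (not from the page) checked against a strict server policy."""
    strict = SslSettings(allowed_versions={"TLS1"}, require_dh=True,
                         minimum_crypto_strength=128)
    return {
        "dhe_aes256": check_session(strict, "TLS1", "DHE-RSA-AES256-SHA"),
        "rsa_aes128": check_session(strict, "TLS1", "AES128-SHA"),
        "ssl2_export": check_session(strict, "SSL2", "EXP-RC4-MD5"),
    }
```

Unknown suite names deliberately evaluate to 0 bits so that the Minimum Crypto Strength check fails closed rather than waving through a cipher the lookup does not recognise; the SSL2 export session in demo() trips all three checks, which is the combination the tab's note about SSL2 warns against.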

HTTPS Application Defense window: Content Scanning tab
Use the Content Scanning tab of the HTTPS Application Defense window to configure settings associated
with filtering Web content and denying SOAP objects.
Figure 144 HTTPS Application Defense window: Content Scanning tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

4 Select Server as the value for the Type field.

5 Select the Content Scanning tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce McAfee SmartFilter — Determines whether the McAfee SmartFilter is used to filter HTTPS
  traffic. This checkbox is cleared by default. If this checkbox is selected, the following field can be used:

   • Reject all requests if McAfee SmartFilter unavailable — Determines whether HTTPS requests are
     denied if the McAfee SmartFilter server on the firewall is unavailable.

• Enforce Content Control — [Available only if you select Server as the Type field value on this window]
  Determines whether certain types of content are denied. This checkbox is cleared by default. If this
  checkbox is selected, the following field can be used to deny particular types of content from Web
  documents:

   • Deny SOAP — Deny SOAP objects.

HTTPS Application Defense window: Connection tab
Use the Connection tab of the HTTPS Application Defense window to configure connection properties for the
HTTPS application defense.
Figure 145 HTTPS Application Defense window: Connection tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

      4 Select Server as the value for the Type field.

      5 Select the Connection tab.








Fields and buttons
This tab has the following fields and buttons:
• Upstream proxies — Use the fields in this table to specify the upstream proxies. The following fields
  are available:

   • Enabled — Determines whether the HTTP proxy can communicate with a non-transparent proxy. This
     checkbox is cleared by default.

   • Scheme — Specify the scheme of the requests to be forwarded. A scheme is the protocol identifier in
     the URI naming structure (for example, gopher).

   • IP address — Specify the IP address of the upstream proxy where the request is being sent. The
     default value is <None>.

   • Port — Specify the port of the upstream proxy where the request is being sent. The default value is
     <None>. Valid values are integers between 1 and 65535.

• Destination ports allowed through non-transparent HTTP proxy — Use the fields in this area to
  specify the range of allowable destination ports for non-transparent proxies. The following fields are
  available:

   • Start Port — Specify the first port in the range.

   • End Port — Specify the last port in the range.

HTTPS Application Defense window: HTTP URL tab
Use the HTTP URL tab of the HTTPS Application Defense window to configure HTTP URL control properties.
These properties include allowed commands, disallowed URLs, maximum length of a URL, and other
options.
Figure 146 HTTPS Application Defense window: HTTP URL tab








Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

4 Select Server as the value for the Type field.

5 Make sure that you select Decrypt Web Traffic on the General tab.

6 Select the HTTP URL tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce URL Control configuration — Determines whether URL control properties are configured. This
  checkbox is cleared by default. If this checkbox is selected, the remaining fields on this tab are available.

• Allowed Commands — Specify the HTTP commands that are allowed by the proxy.

• Deny specified URL matches / Allow specified URL matches — Specify whether the URL match strings
  listed in the table are to be denied or allowed.

   • Deny specified URL matches — Indicates that, if a listed string is found in a URL, the request is
     explicitly denied. The table lists the match strings that are currently denied.

   • Allow specified URL matches — Indicates that the URLs that match the strings you have specified
     will be allowed.

• Match Type — Specify the way that the value specified in the Match Parameter field will match with the
  value in the String field.

   • Contains

   • Begins with

   • Ends with

• Match Parameter — Specify the portion of the URL to be matched against the value that is specified in
  the String field. The following values are available:

   • Host — Indicates that the host component of the request URL will be matched with the value in the
     String field.

   • Path — Indicates that the path component of the request URL will be matched with the value in the
     String field.

   • All — Indicates that the entire request URL will be matched with the value in the String field.

• String — Specify the string to be denied.

   Consider the following URL

       http://www.mycompany.com/resources/logos.html

   and the String "logos". This URL will be allowed if the Match Parameter value is Host; it will be
   denied if the Match Parameter value is Path or All.

• Options — Use the fields in this area to specify additional options. The checkboxes associated with these
  options are cleared by default.

   • Enforce Strict URLs — Determines whether URLs containing special characters are denied. If this
     checkbox is selected, special characters that the URL RFC excludes from URL syntax will not be
     permitted. This includes angle brackets (<>), braces ({}), brackets ([]), double quotation mark ("),
     back quote (`), back slash (\), caret (^), and pipe (|).

   • Allow Unicode — Determines whether international multibyte characters are allowed in a query. If
     this checkbox is selected, international multibyte characters are allowed.






   • Require HTTP Version in Request — Determines whether the HTTP version is required in HTTP
     requests. If this checkbox is selected, the checkboxes associated with the acceptable versions, 1.0 and
     1.1, are selected.

       • 1.0 — Indicates that HTTP version 1.0 is allowed.

       • 1.1 — Indicates that HTTP version 1.1 is allowed.

   • Max URL Length — Specify the maximum number of characters allowed in a URL. The default is 1024.
     Acceptable values range from 1 to 10000.
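The way the Match Type, Match Parameter and String fields combine is easiest to see in code. The following Python simulation is an added example written for this section; it is not McAfee code, and the function names, parameter names and the order in which it applies the checks are assumptions of the example. It evaluates the guide's own case, URL http://www.mycompany.com/resources/logos.html with the String "logos", under each Match Parameter value, and also applies the Allowed Commands, Enforce Strict URLs and Max URL Length settings. The Match Type is assumed to be Contains, the only type under which the guide's example behaves as described.

```python
from urllib.parse import urlsplit

# Characters the HTTP URL tab lists as not permitted when Enforce Strict URLs is selected:
# angle brackets, braces, brackets, double quote, back quote, backslash, caret, pipe.
STRICT_URL_FORBIDDEN = frozenset('<>{}[]"`\\^|')


def url_component(url: str, match_parameter: str) -> str:
    """Return the part of the URL a table row is matched against: Host, Path or All."""
    parts = urlsplit(url)
    if match_parameter == "Host":
        return parts.hostname or ""
    if match_parameter == "Path":
        return parts.path
    if match_parameter == "All":
        return url
    raise ValueError(f"unknown Match Parameter: {match_parameter!r}")


def rule_matches(url: str, match_type: str, match_parameter: str, string: str) -> bool:
    """One row of the URL match table: Match Type x Match Parameter x String."""
    subject = url_component(url, match_parameter)
    if match_type == "Contains":
        return string in subject
    if match_type == "Begins with":
        return subject.startswith(string)
    if match_type == "Ends with":
        return subject.endswith(string)
    raise ValueError(f"unknown Match Type: {match_type!r}")


def evaluate_request(method, url, rules, *, deny_listed=True, allowed_commands=("GET", "POST"),
                     enforce_strict_urls=False, max_url_length=1024):
    """Apply the tab's settings to one request and return (decision, reason).

    rules:        list of (match_type, match_parameter, string) rows from the table.
    deny_listed:  True  = "Deny specified URL matches" (a listed match is denied),
                  False = "Allow specified URL matches" (only a listed match is allowed).
    The order of the checks below is an assumption of this example; the guide states none.
    """
    if method.upper() not in {c.upper() for c in allowed_commands}:
        return "deny", f"command {method} is not in Allowed Commands"
    if len(url) > max_url_length:
        return "deny", f"URL is longer than Max URL Length ({max_url_length})"
    if enforce_strict_urls:
        bad = sorted(set(url) & STRICT_URL_FORBIDDEN)
        if bad:
            return "deny", f"Enforce Strict URLs: forbidden characters {bad}"
    matched = any(rule_matches(url, *row) for row in rules)
    if deny_listed:
        return ("deny", "URL matched a denied string") if matched else ("allow", "no denied string matched")
    return ("allow", "URL matched an allowed string") if matched else ("deny", "no allowed string matched")


# The guide's example URL and String; Match Type assumed to be Contains.
EXAMPLE_URL = "http://www.mycompany.com/resources/logos.html"


def guide_example() -> dict:
    """Decision for the guide's example under each Match Parameter value."""
    return {p: evaluate_request("GET", EXAMPLE_URL, [("Contains", p, "logos")])[0]
            for p in ("Host", "Path", "All")}


if __name__ == "__main__":
    print(guide_example())  # Host is allowed; Path and All are denied
    print(evaluate_request("GET", "http://www.mycompany.com/a<b>", [], enforce_strict_urls=True))
```

Note that with Host the string "logos" never appears in www.mycompany.com, so the request passes, while Path and All both contain it; a rule meant to block a path must therefore not be written against Host.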

HTTPS Application Defense window: HTTP Request tab
Use the HTTP Request tab of the HTTPS Application Defense window to configure filtering of headers on
HTTP requests.
Note: The HTTP Request tab is available only if you selected Server or Combined as the value of the Type field
on this window.

Figure 147 HTTPS Application Defense window: HTTP Request tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

4 Select Server as the value for the Type field.

5 Make sure that you select Decrypt Web Traffic on the General tab.

6 Select the HTTP Request tab.








Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Request Configuration — Determines whether HTTP request header filtering properties
  are configured. This checkbox is cleared by default. If this checkbox is selected, the other controls on this
  page may be used to configure specific request header properties.

• Filter Option — Determines whether selected HTTP request header types are allowed or denied. The
  following values are available:

   • Allow — Permits all selected HTTP Request Header Filter Types. If this option is selected, all other
     HTTP request header types are denied.

   • Deny — Denies all selected HTTP Request Header Filter Types. If this option is selected, all other
     HTTP request header types are allowed.

• Denied Header Action — Determines whether a page containing a denied header is displayed. The
  following values are available:

   • Allow Page Without Denied Header — Masks the denied header but allows the page to be
     displayed.

   • Block Entire Page — If the HTTP header is denied, prevents the whole page from being displayed.

• HTTP Request Header Filter Types — Specify the types of HTTP request headers to be allowed or
  denied. Select the checkbox associated with each type to include. Right-click on the column heading to
  access options to quickly select or clear fields. The following values are available:

   • None — Clears all HTTP request header types.

   • Standard — Selects all HTTP request header types.

   • Paranoid — Selects only the HTTP request header types defined in RFCs.

   • Custom — Allows you to manually select desired HTTP request header types.

   • Select All — Selects all HTTP request header types.

HTTPS Application Defense window: HTTP Reply tab
Use the HTTP Reply tab of the HTTPS Application Defense window to configure filtering of headers on HTTP
replies.
Figure 148 HTTPS Application Defense window: HTTP Reply tab








Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

4 Select Server as the value for the Type field.

5 Make sure that you select Decrypt Web Traffic on the General tab.

6 Select the HTTP Reply tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Reply Configuration — Determines whether HTTP reply header filtering properties are
  configured. This checkbox is cleared by default. If this checkbox is selected, the other controls on this
  page may be used to configure specific request header properties.

• Filter Option — Determines whether selected HTTP reply header types are allowed or denied. The
  following values are available:

   • Allow — Permits all selected HTTP Reply Header Filter Types. If this option is selected, all other HTTP
     reply header types are denied.

   • Deny — Denies all selected HTTP Reply Header Filter Types. If this option is selected, all other HTTP
     reply header types are allowed.

• HTTP Reply Header Filter Types — Specify the types of HTTP reply headers to be allowed or denied.
  Select the checkbox associated with each type to include. Right-click on the column heading to access
  options to quickly select or clear fields. The following values are available:

   • None — Clears all HTTP reply header types.

   • Standard — Selects all HTTP reply header types.

   • Paranoid — Selects only the HTTP reply header types defined in RFCs.

   • Custom — Allows you to manually select desired HTTP reply header types.

   • Select All — Selects all HTTP reply header types.

• Denied Header Action — Determines whether a page containing a denied header is displayed. The
  following values are available:

   • Allow Page Without Denied Header — Masks the denied header but allows the page to be
     displayed.

   • Block Entire Page — If the HTTP header is denied, prevents the whole page from being displayed.

• Denied header values — Use the fields in this area to create a list of headers and matching values that
  you want to block. If a specified header appears in a request or in a response, and it contains the specified
  value, it is dropped from the message.

   • Full header names must be used.

   • Regular expressions are not supported.

   • Values are matched in a case-insensitive manner, and are used exactly as specified.

   For more information on HTTP message headers, refer to RFC 2616, which can be found at
   www.ietf.org/rfc.html.

   • Header — Specify the header to be blocked.

   • Value — Specify the value of the header to be blocked.
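The Filter Option, Denied Header Action and Denied header values settings interact in a way that is worth walking through on real headers. The following Python function is an added example for this section and the preceding HTTP Request tab, which uses the same Filter Option and Denied Header Action semantics; it is not McAfee code, and its function name, the decision strings it returns and the sample reply headers (constructed for the demonstration, not captured traffic) are assumptions of the example. It implements the rules the tab states: with Allow, every header type not selected is denied and with Deny, every selected type is denied; a Denied header values row drops a header whose whole value equals the specified value, compared case-insensitively; and Denied Header Action decides whether the denied headers are masked or the entire page is blocked.

```python
from typing import Iterable, List, Sequence, Tuple

Header = Tuple[str, str]

# Constructed sample HTTP reply headers for the demonstration (not captured traffic).
SAMPLE_REPLY_HEADERS: List[Header] = [
    ("Server", "Apache/2.2.3"),
    ("Content-Type", "text/html"),
    ("X-Powered-By", "PHP/5.2.6"),
    ("Cache-Control", "no-cache"),
]


def filter_headers(headers: Sequence[Header], selected_types: Iterable[str], filter_option: str,
                   denied_header_action: str, denied_values: Iterable[Header] = ()):
    """Apply the HTTP Request/Reply tab settings to one message's headers.

    filter_option:        "Allow" -> the selected types pass, every other type is denied;
                          "Deny"  -> the selected types are denied, every other type passes.
    denied_values:        (Header, Value) rows; a header whose whole value equals the specified
                          value, compared case-insensitively, is dropped from the message.
    denied_header_action: "Allow Page Without Denied Header" masks (drops) the denied headers;
                          "Block Entire Page" rejects the whole message instead.
    Returns (decision, remaining_headers, denied_header_names).
    """
    if filter_option not in ("Allow", "Deny"):
        raise ValueError(f"unknown Filter Option: {filter_option!r}")
    if denied_header_action not in ("Allow Page Without Denied Header", "Block Entire Page"):
        raise ValueError(f"unknown Denied Header Action: {denied_header_action!r}")
    selected = {t.lower() for t in selected_types}
    denied_pairs = {(h.lower(), v.lower()) for h, v in denied_values}
    kept: List[Header] = []
    denied: List[str] = []
    for name, value in headers:
        is_selected = name.lower() in selected
        # Allow: deny what is not selected. Deny: deny what is selected.
        denied_by_type = (not is_selected) if filter_option == "Allow" else is_selected
        denied_by_value = (name.lower(), value.lower()) in denied_pairs
        if denied_by_type or denied_by_value:
            denied.append(name)
        else:
            kept.append((name, value))
    if denied and denied_header_action == "Block Entire Page":
        return "block", [], denied
    return "allow", kept, denied


if __name__ == "__main__":
    # Deny the two server-identifying headers but let the page through without them.
    print(filter_headers(SAMPLE_REPLY_HEADERS, ["Server", "X-Powered-By"], "Deny",
                         "Allow Page Without Denied Header"))
    # Allow only Content-Type and Cache-Control; anything else blocks the entire page.
    print(filter_headers(SAMPLE_REPLY_HEADERS, ["Content-Type", "Cache-Control"], "Allow",
                         "Block Entire Page"))
```

The second call shows the practical difference between the two Filter Option values: an Allow list is closed, so a header type you forgot to select is denied and, with Block Entire Page, takes the whole response down with it.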








HTTPS Application Defense window: MIME/Virus/Spyware tab
Use the MIME/Virus/Spyware tab of the HTTPS Application Defense window to configure settings required
for scanning of resources for MIME (Multipurpose Internet Mail Extensions) types, viruses, and spyware.
These settings allow you to enable scanning, control scanner behavior, and specify the actions to be taken
with different types of resources.
Note: The MIME/Virus/Spyware tab is available only if you selected Server as the value of the Type field in this
window and selected Decrypt Web Traffic on the General tab in this window.

Figure 149 HTTPS Application Defense window: MIME/Virus/Spyware tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

4 Select Server as the value for the Type field.

5 Make sure that you select Decrypt Web Traffic on the General tab.

6 Select the MIME/Virus/Spyware tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce Virus/Spyware Scanning — Determines whether scanning of files for MIME types, viruses,
  and spyware is enabled. This checkbox is cleared by default. If you select this checkbox, the other controls
  on this page may be used to configure parameters that control scanning of file content and handling of
  infected files.

• Virus/Spyware Extensions — Use the fields in this area to specify the types of resources to be scanned
  and the action to be taken for each type. The following fields are available:

   • Default Action — Specify the action to be taken by default for resources that are not specified in the
     table below this field. The following values are available:

       • Allow — [Default] Indicates that all resources other than those explicitly denied by MIME Type,
         MIME Subtype, Extension Type and Action are allowed.
          Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and
          Extension Type fields to specify the resources that you want to scan or deny.

       • Scan — Indicates that all resources are to be scanned for MIME types, viruses and spyware, except
         those that are defined as being denied in the table.








       • Deny — Indicates that all resources are to be denied, except for those that are defined as being
         allowed in the table.
          Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and Extension
          Type fields to specify the resources that you want to allow or scan.

   • Action — Specify the action to be taken for resources with extensions of the type specified by
     Extension Type. The following values are available:

       • Allow — Permit files with the specified extensions to be transferred. Note that this option excludes
         scanning for viruses and spyware.

       • Scan — Require files with the specified extensions to be scanned for viruses and spyware. If
         scanning does not detect viruses or spyware, the files are allowed to be transferred.

       • Deny — Prohibit files with the specified extensions from being transferred. Note that this option
         excludes scanning for viruses and spyware.

   • MIME Type — Specify the MIME type that you want to filter. If you select the asterisk (*), the filter
     rule will ignore this field when it determines a match.

   • MIME Subtype — Specify the MIME subtype associated with the selected value in the MIME Type
     column. If you select the asterisk (*), the filter rule will ignore this field when it determines a match.

   • Extension Type — Specify the types of file name extensions to be filtered. The following values are
     available:

       • All File Extensions — Indicates file name extensions of all types (*). Extensions are ignored when
         the filter rule determines a match.

       • Archive File Types — Indicates usage of the list of predefined file name extensions that are
         displayed in the Extensions column (for example, tar, zip).

       • Mime Specific Types — Displays the file name extensions that are associated with the selected
         MIME Type and MIME Subtype field values. If you have selected a MIME Type of text and a
         MIME Subtype of html, for example, this field displays html and htm.

       • Custom List — You can specify text in the Extensions field to create a customized list of file name
         extensions.

   • Extensions — Specify the file name extensions to be included. If you selected Archive File Types or
     Mime Specific Types for the value of the Extension Type field, the associated extensions are
     displayed in this field. If you selected Custom List for the Extension Type field value, specify your file
     extensions in this list. Use the following guidance for your values:

       • Do not specify the leading period for each extension value.

       • If you have more than one file extension value to specify, use commas (,), not spaces, to delimit
         your values.

   • Up and down buttons — Use the buttons to move the selected row up or down one row in the table,
     respectively.

• Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields
  are available:

   • Reject all files if scanning is unavailable — Determines whether file transfer using HTTP is
     prevented if the proxy cannot communicate with the scanners. This checkbox is cleared by default. If
     you select this option, the connection will be dropped if scanning is unavailable (for example, due to
     out-of-date virus data, an expired license, or a configuration error).

   • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions
     7.0.0.08 and later and 7.0.1.02 and later] Determines whether to enable scanning for unknown
     viruses. This checkbox is cleared by default.








• Infected File Handling — Use the fields in this area to specify the way that infected files are handled.
  The following options are available:

   • Discard infected files — Indicates that infected files will be discarded.

   • Repair infected files — Indicates that infected files will be disinfected prior to processing. If an
     infected file cannot be disinfected, it will be discarded.

• Maximum Scan Size — Use the fields in this area to specify file size parameters for scanning. The
  following fields are available:

   Note: The “allow” and “reject” options are available only for firewall versions 7.0.0.08 and later and
   versions 7.0.1.02 and later.

   • Scan File Size Limit (KB) — Specify the maximum file size (in kilobytes) that will be allowed. The
     default value is 32768.

   • Files over the scan limit will be allowed through unscanned — Indicates that, even though a
     file exceeds the specified limit, it will be allowed to pass through without being scanned.

   • Files over the scan limit will be rejected — Indicates that if a file exceeds the specified limit,
     scanning will not be performed and the file will be denied. This is the default selection.
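Because the Default Action, the table rows, the Scanner Behavior settings and the Maximum Scan Size settings all feed into one decision per resource, it helps to see that decision written out. The following Python model is an added example for this tab and for the Mail (Sendmail) MIME/Virus/Spyware tab later in this chapter, which has the same Virus/Spyware Extensions, Scanner Behavior, Infected File Handling and Maximum Scan Size fields; it is not McAfee code. Its class and function names, the disposition strings it returns, the assumption that the first matching table row wins (the Up and Down buttons order the rows, but the guide does not state the precedence), the assumption that a file passes unscanned when the scanner is unavailable and "Reject all files if scanning is unavailable" is cleared, and the small archive and MIME-specific extension lists (the guide gives only tar, zip and text/html as examples) are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Sequence, Tuple

# The guide names tar and zip as examples of the predefined Archive File Types list and
# html/htm as the Mime Specific Types for text/html; the product's lists are longer.
ARCHIVE_FILE_TYPES: Tuple[str, ...] = ("tar", "zip")
MIME_SPECIFIC_TYPES = {("text", "html"): ("html", "htm")}


def mime_specific_extensions(mime_type: str, mime_subtype: str) -> Tuple[str, ...]:
    """Extensions the Mime Specific Types choice displays for a MIME type/subtype pair."""
    return MIME_SPECIFIC_TYPES.get((mime_type.lower(), mime_subtype.lower()), ())


def parse_extensions(text: str) -> Tuple[str, ...]:
    """Parse a Custom List entry following the guide's guidance: comma-delimited, no
    leading periods, no spaces used as delimiters."""
    exts = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("."):
            raise ValueError(f"do not specify the leading period: {item!r}")
        if " " in item:
            raise ValueError(f"use commas, not spaces, to delimit values: {item!r}")
        exts.append(item.lower())
    return tuple(exts)


@dataclass(frozen=True)
class ExtensionRule:
    """One row of the Virus/Spyware Extensions table."""
    action: str                        # Allow, Scan or Deny
    mime_type: str = "*"               # "*" ignores this field when matching
    mime_subtype: str = "*"            # "*" ignores this field when matching
    extensions: Tuple[str, ...] = ()   # () stands for All File Extensions (*)

    def matches(self, mime_type: str, mime_subtype: str, extension: str) -> bool:
        if self.mime_type != "*" and self.mime_type.lower() != mime_type.lower():
            return False
        if self.mime_subtype != "*" and self.mime_subtype.lower() != mime_subtype.lower():
            return False
        if self.extensions and extension.lower() not in self.extensions:
            return False
        return True


def resolve_action(default_action: str, rules: Sequence[ExtensionRule],
                   mime_type: str, mime_subtype: str, extension: str) -> str:
    """Table lookup: first matching row wins (assumed precedence), else Default Action."""
    for rule in rules:
        if rule.matches(mime_type, mime_subtype, extension):
            return rule.action
    return default_action


def disposition(action: str, size_kb: int, *, scan_file_size_limit_kb: int = 32768,
                over_limit: str = "reject", scanner_available: bool = True,
                reject_if_unavailable: bool = False, infected: bool = False,
                repair_infected: bool = False, repairable: bool = False) -> str:
    """Scanner Behavior, Maximum Scan Size and Infected File Handling for one file."""
    if action == "Allow":
        return "allowed unscanned"           # Allow excludes virus/spyware scanning
    if action == "Deny":
        return "denied"
    if action != "Scan":
        raise ValueError(f"unknown Action: {action!r}")
    if not scanner_available:
        # Reject all files if scanning is unavailable; the pass-through when it is cleared
        # is an assumption of this example (the guide describes only the rejecting case).
        return "denied (scanner unavailable)" if reject_if_unavailable else "allowed unscanned"
    if size_kb > scan_file_size_limit_kb:
        # "allow" = allowed through unscanned; "reject" (the default) = denied.
        return "allowed unscanned" if over_limit == "allow" else "denied (over scan limit)"
    if not infected:
        return "allowed after scan"
    if repair_infected and repairable:
        return "repaired"
    return "discarded"   # Discard infected files, or Repair chosen but repair not possible


if __name__ == "__main__":
    rules = [ExtensionRule("Deny", extensions=parse_extensions("exe, com, bat")),
             ExtensionRule("Scan", "application", "*", ARCHIVE_FILE_TYPES),
             ExtensionRule("Allow", "image", "*")]
    action = resolve_action("Scan", rules, "application", "zip", "zip")
    print(action, disposition(action, 40000))  # Scan, denied (over scan limit)
```

A row with Action Allow is the one to review most carefully: it is the only value that lets a matching file through without any virus or spyware scanning, whatever the Default Action says.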


Configuring Mail (Sendmail) application defenses
Use the Sendmail Application Defense window to create and maintain Sendmail application defenses. A
Sendmail application defense is used in Sendmail rules.
Figure 150 Mail (Sendmail) Application Defense window








Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the Mail (Sendmail) node. The Mail (Sendmail) Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Sendmail application defense.

• Description — Provide information about the Sendmail application defense.

• OK — Saves the changes that have been made on all of the tabs on this window and closes the window.

• Cancel — Closes the window without saving any changes that were made on any tab.

Tabs
This window has the following tabs:
• General — Configure certain types of filters for sendmail services (for example, size, keyword search,
  and spam/fraud). See Mail (Sendmail) Application Defense window: General tab on page 383.

• MIME/Virus/Spyware — Enable MIME and virus and spyware scanning services. See Mail (Sendmail)
  Application Defense window: MIME/Virus/Spyware tab on page 385.

Mail (Sendmail) Application Defense window: General tab
Use the General tab of the Mail (Sendmail) Application Defense window to configure filters for sendmail
services. These filters include size, keyword search, and spam/fraud. The size filter allows you to specify a
maximum size for messages allowed through the firewall. The keyword search filter allows you to screen
mail messages according to specified keywords and character sequences. The spam/fraud filter allows you
to screen mail messages for spam, fraud, and identity theft. Requirements for use of this filter are as
follows:
• The Anti-Spam feature must be licensed on the firewall.

• The firewall must be configured for hosted sendmail.

• The rules governing traffic to be filtered must use the sendmail server and must specify a Mail (Sendmail)
  application defense that enables the spam/fraud filter.

To view the fields on the General tab, see Figure 150 on page 382.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the Mail (Sendmail) node. The Mail (Sendmail) Application Defense window is displayed.

4 Make sure that the General tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Rejected Mail Handling — Specify the way that rejected mail messages are handled. The following
  values are available:

   • Discard — Indicates that rejected mail messages are discarded without notifying the sender.

   • Return to Sender — Indicates that notification is sent to the sender of a rejected mail message.

• Enforce Keyword Search Filtering — Determines whether to allow phrases or character strings on which
  to filter mail messages. The default value is cleared.








• Keyword Search — Use the fields in this area to specify filter parameters and a list of phrases. The
  following fields are available:

   • Minimum Number of Phrase Matches Required for Rejection of Message — Specify the lowest
     number of matches required to reject a mail message.

   • Total Number of Phrase Matches to verify Before Rejection — Specify the extent of the search
     for a specified phrase. The following values are available:

       • Minimum — Indicates that the search stops when the number of matches specified by the value in
         the Minimum Number of Phrase Matches Required for Rejection of Message field is reached. If
         this minimum is reached, the message is rejected; if not, the message is transmitted to the next
         filter or the intended recipient.

       • All — Indicates that the search stops only when the entire message has been scanned.

   • Phrase List — Use this table to specify one or more phrases for which to search.

       • Phrase Text — Specify a character string of at least two and no more than 255 characters. The
         string can contain any printable character and spaces.

       • Space (Before/After) — Specify the spacing around the value in the Phrase Text field that is
         required for a match. The following values are available:

          • N/A — Indicates that spaces do not occur before or after the specified text.

          • Before — Indicates that a space must occur immediately before the specified text to be a match.

          • After — Indicates that a space must occur immediately after the specified text to be a match.

          • Before and After — Indicates that a space must occur both immediately before and immediately
            after the specified text to be a match.

• Enforce Message Size Filtering — Determines whether to use the size of a mail message as a filtering
  mechanism.

   • Maximum Message Size (KB) — Specify the size (in kilobytes) of the largest mail message, including
     the mail header, that is allowed through the firewall. A mail message whose size is equal to or greater
     than this value is rejected. The default value is 1024.
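The keyword search fields are easier to reason about when the counting rule is spelled out. The following Python model is an added example for this tab, not McAfee code; the function names, the sample message (constructed for the demonstration), case-insensitive phrase matching, and the reading of N/A as "no spacing requirement" are assumptions of the example. It enforces the Phrase Text length rule, counts matches per phrase honoring the Space (Before/After) requirement, stops early when the extent is Minimum and scans everything when it is All, and applies the Maximum Message Size rule, under which a message whose size, header included, is equal to or greater than the limit is rejected.

```python
from typing import Optional, Sequence, Tuple

SPACING_VALUES = ("N/A", "Before", "After", "Before and After")

# Constructed sample message for the demonstration (not real mail).
SAMPLE_MESSAGE = ("From: promo@example.invalid\r\nSubject: limited offer\r\n\r\n"
                  "Get free money today. Act now before the offer ends. act now!")
PHRASES = [("free money", "Before and After"), ("act now", "Before and After")]


def validate_phrase(phrase: str) -> None:
    """Phrase Text: at least two and no more than 255 printable characters (spaces allowed)."""
    if not 2 <= len(phrase) <= 255:
        raise ValueError("phrase must be between 2 and 255 characters")
    if not all(c.isprintable() for c in phrase):
        raise ValueError("phrase may contain only printable characters")


def count_phrase(text: str, phrase: str, spacing: str = "N/A", limit: Optional[int] = None) -> int:
    """Count occurrences of phrase satisfying the Space (Before/After) requirement.
    Stops counting at `limit` when given (used for the Minimum extent).
    Case-insensitive matching and N/A meaning 'no requirement' are assumptions."""
    validate_phrase(phrase)
    if spacing not in SPACING_VALUES:
        raise ValueError(f"unknown Space (Before/After) value: {spacing!r}")
    need_before = spacing in ("Before", "Before and After")
    need_after = spacing in ("After", "Before and After")
    hay, needle = text.lower(), phrase.lower()
    count, start = 0, 0
    while limit is None or count < limit:
        i = hay.find(needle, start)
        if i < 0:
            break
        end = i + len(needle)
        before_ok = i > 0 and hay[i - 1] == " "
        after_ok = end < len(hay) and hay[end] == " "
        if (before_ok or not need_before) and (after_ok or not need_after):
            count += 1
        start = i + 1
    return count


def keyword_filter(message: str, phrases: Sequence[Tuple[str, str]], minimum_matches: int,
                   extent: str = "Minimum") -> Tuple[bool, int]:
    """Return (rejected, matches_counted) for the Keyword Search settings.
    extent "Minimum": stop as soon as minimum_matches is reached (message rejected);
    extent "All": scan every phrase over the entire message before deciding."""
    if extent not in ("Minimum", "All"):
        raise ValueError(f"unknown extent: {extent!r}")
    if minimum_matches < 1:
        raise ValueError("minimum number of phrase matches must be at least 1")
    total = 0
    for phrase, spacing in phrases:
        limit = minimum_matches - total if extent == "Minimum" else None
        total += count_phrase(message, phrase, spacing, limit)
        if extent == "Minimum" and total >= minimum_matches:
            return True, total
    return total >= minimum_matches, total


def size_filter_rejects(raw_message: bytes, maximum_message_size_kb: int = 1024) -> bool:
    """Message size includes the header; a size equal to or greater than the limit is rejected."""
    return len(raw_message) >= maximum_message_size_kb * 1024


if __name__ == "__main__":
    print(keyword_filter(SAMPLE_MESSAGE, PHRASES, 2))          # (True, 2)
    print(keyword_filter(SAMPLE_MESSAGE, PHRASES, 3, "All"))   # (False, 2)
    print(size_filter_rejects(SAMPLE_MESSAGE.encode(), 1))     # False
```

The second "act now!" in the sample is followed by an exclamation mark, so it counts under Before but not under Before and After; that is the kind of boundary the Space (Before/After) field exists to control.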








Mail (Sendmail) Application Defense window: MIME/Virus/Spyware tab
Use the MIME/Virus/Spyware tab of the Mail (Sendmail) Application Defense window to configure settings
required for scanning mail messages for MIME (Multipurpose Internet Mail Extensions) type, viruses, and
spyware. Use these settings to enable scanning, to control scanner behavior, and to specify the actions to
be taken with different types of resources.
Figure 151 Mail (Sendmail) Application Defense window: MIME/Virus/Spyware tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the Mail (Sendmail) node. The Mail (Sendmail) Application Defense window is displayed.

4 Select the MIME/Virus/Spyware tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce Virus/Spyware Scanning — Determines whether scanning of files for MIME types, viruses,
  and spyware is enabled. This checkbox is cleared by default. If you select this checkbox, the other controls
  on this page may be used to configure parameters that control file content scanning and infected file
  handling.

• Virus/Spyware Extensions — Use the fields in this area to specify the types of resources to be scanned
  and the action to be taken for each type. The following fields are available:

   • Default Action — Specify the action to be taken by default for resources that are not specified in the
     table below this field. The following values are available:

       • Allow — [Default] Indicates that all resources other than those explicitly denied by MIME Type,
         MIME Subtype, Extension Type and Action are allowed.
          Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and
          Extension Type fields to specify the resources that you want to scan or deny.

       • Scan — Indicates that all resources are to be scanned for MIME types, viruses and spyware, except
         those that are defined as being denied in the table.








       • Deny — Indicates that all resources are to be denied, except for those that are defined as being
         allowed in the table.
          Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and Extension
          Type fields to specify the resources that you want to allow or scan.

   • Action — Specify the action to be taken for resources with extensions of the type specified by
     Extension Type. The following values are available:

       • Allow — Permit files with the specified extensions to be transferred. Note that this option excludes
         scanning for viruses and spyware.

       • Scan — Require files with the specified extensions to be scanned for viruses and spyware. If
         scanning does not detect viruses or spyware, the files are allowed to be transferred.

       • Deny — Prohibit files with the specified extensions from being transferred. Note that this option
         excludes scanning for viruses and spyware.

   • MIME Type — Specify the MIME type that you want to filter. If you select the asterisk (*), the filter
     rule will ignore this field when it determines a match.

   • MIME Subtype — Specify the MIME subtype associated with the selected value in the MIME Type
     column. If you select the asterisk (*), the filter rule will ignore this field when it determines a match.

   • Extension Type — Specify the types of file name extensions to be filtered. The following values are
     available:

       • All File Extensions — Indicates file name extensions of all types (*). Extensions are ignored when
         the filter rule determines a match.

       • Archive File Types — Indicates usage of the list of predefined file name extensions that are
         displayed in the Extensions column (for example, tar, zip).

       • Mime Specific Types — Displays the file name extensions that are associated with the selected
         MIME Type and MIME Subtype field values. If you have selected a MIME Type of text and a
         MIME Subtype of html, for example, this field displays html and htm.

       • Custom List — You can specify text in the Extensions field to create a customized list of file name
         extensions.

   • Extensions — Specify the file name extensions to be included. If you selected Archive File Types or
     Mime Specific Types for the value of the Extension Type field, the associated extensions are
     displayed in this field. If you selected Custom List for the Extension Type field value, specify your file
     extensions in this list. Use the following guidance for your values:

       • Do not specify the leading period for each extension value.

       • If you have more than one file extension value to specify, use commas (,), not spaces, to delimit
         your values.

   • Up and down buttons — Use the buttons to move the selected row up or down one row in the table,
     respectively.

• Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields
  are available:

   • Reject all files if scanning is unavailable — Determines whether transfer of files via sendmail is
     prevented if scanning is not available. This checkbox is cleared by default. If you select this option,
     files will be rejected or discarded as specified by the field settings on the General tab.

   • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions
     7.0.0.08 and later and 7.0.1.02 and later] Determines whether to enable scanning for unknown
     viruses. This checkbox is cleared by default.








   • Infected File Handling — Use the fields in this area to specify the way that infected files are handled.
     The following options are available:

       • Discard infected files — Indicates that infected files will be discarded.

       • Repair infected files — Indicates that infected files will be disinfected prior to processing. If an
         infected file cannot be disinfected, it will be discarded.

   • Maximum Scan Size — Use the fields in this area to specify file size parameters for scanning. The
     following fields are available:

       Note: The “allow” and “reject” options are available only for firewall versions 7.0.0.08 and later and
       versions 7.0.1.02 and later.

       • Scan File Size Limit (KB) — Specify the maximum file size (in kilobytes) that will be allowed. The
         default value is 32768.

       • Files over the scan limit will be allowed through unscanned — Indicates that, even though a
         file exceeds the specified limit, it will be allowed to pass through without being scanned.

       • Files over the scan limit will be rejected — Indicates that if a file exceeds the specified limit,
         scanning will not be performed and the file will be denied. This is the default selection.

   • SMTP Scanning — Use the fields in this area to determine the SMTP scanning settings for messages.
     The following fields are available:

       • Full scan of entire mail message — Determines whether the entire mail message (for example,
         the message and all of its MIME types) is scanned.
       • Discard entire message if denied or infected files are found — Determines whether the entire
         message is discarded if it contains a denied or infected attachment. This checkbox is cleared by
         default. If you select this option, files will be discarded without notifying the sender, or they will be
         returned to the sender as specified by the selections for the Rejected Mail Handling field on the
         General tab.


      Configuring Mail (SMTP proxy) application defenses
      Use the Mail (SMTP proxy) Application Defense window to create and maintain Mail (SMTP proxy)
      application defenses. The Mail (SMTP Proxy) application defense is used to filter mail by using the SMTP
      proxy rules and is used to conceal your internal mail infrastructure.
      Figure 152 Mail (SMTP proxy) Application Defense window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node to display the tree.

      3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.

Fields and buttons
This window has the following fields and controls:
• Name — Specify a label used to refer to the Mail (SMTP proxy) application defense.

• Description — Provide information about the Mail (SMTP proxy) application defense.

• Disable application defense filtering — Determines whether mail is filtered according to destination
  address. This checkbox is cleared by default. If this checkbox is selected, all of the settings in this window
  are ignored and the SMTP proxy behaves as if it were a transport-layer relay.

• OK — Save the changes that were made on any of the tabs in this window.

• Cancel — Close this window without saving any changes that were made on any tabs of this window.

Tabs
This window has the following tabs:
• General — Hide your internal mail infrastructure and configure message destination and size options. For
  more information, see Mail (SMTP proxy) Application Defense window: General tab on page 389.

• Commands — Specify the SMTP commands that are allowed. For more information, see Mail (SMTP
  proxy) Application Defense window: Commands tab on page 391.

• Header Filters — Configure the mail headers that are allowed. For more information, see Mail (SMTP
  proxy) Application Defense window: Header Filters tab on page 393.

Mail (SMTP proxy) Application Defense window: General tab
Use the General tab of the Mail (SMTP Proxy) Application Defense window to specify a replacement greeting
for the server, to specify the SMTP commands that are permitted, to limit the length of replies received
from mail servers, and to configure various other settings. To view the fields on the General tab, see
Figure 152 on page 388.

Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node to display the tree.

3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.

4 Make sure that the General tab is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Replace server's greeting with — Determines whether the server greeting will be replaced with a value
  that you specify in this field. If you select this checkbox, specify the name of a replacement greeting (of
  up to 128 characters) or leave the field blank to remove the server's greeting. The default is to replace
  the greeting text with Service ready. Valid values include: alphanumeric characters, dash (-),
  underscore (_), period (.), space ( ), apostrophe ('), and ampersand (@).

Use the following fields in this group to replace the fully qualified domain name (FQDN) of an internal mail
transfer agent (MTA):
Note: In SMTP connections, the MTA that is sending the message is considered to be the client, while the MTA
that is receiving the message is considered to be the server.

• Replace server's FQDN with — Determines whether you will replace the FQDN of the SMTP server with
  a value that you specify. If you select this checkbox, specify an FQDN (of up to 250 characters) to replace
  the FQDN of the SMTP server. This feature is commonly used with inbound redirect rules to hide an
  internal e-mail server’s domain name. Valid values include: alphanumeric characters, dash (-),
  underscore (_), and period (.).


      • Replace client's FQDN with — Determines whether you will replace the FQDN of the SMTP client with
        a value that you specify. If you select this checkbox, specify an FQDN (of up to 250 characters) to replace
        the SMTP client’s FQDN. This feature is commonly used with outbound NAT rules to hide an internal e-mail
        server’s domain name. Valid values include: alphanumeric characters, dash (-), underscore (_), and
        period (.).

      • Verify client's FQDN — Determines whether the client’s IP address must match the domain specified in
        the client’s HELO or EHLO command. If this is selected and the client's domain and IP address do not
        match, a 554 reply code is sent to the client.

      • Pass server's reply text — Determines whether to allow human-readable reply text to pass from the
        server to the client.
         Note: If you select this checkbox to enable this feature on outbound SMTP rules, private network information
         can be revealed.

      • Max PDU size — Specify the allowed length of SMTP commands and responses for the Protocol Data Unit
        (PDU). Allowed values are 512 bytes to 64 kilobytes. This limit does not apply to data or authorization
        commands.
      • Mail Messages — Use the fields in this area to configure destination-based mail filtering.

         The SMTP proxy blocks messages that contain source routing information by default. To configure the
         proxy to allow these messages while stripping the source routing information, use the destination
         table.

         • Allow mail to — [Available only if Enforce Destination Address Filtering is selected] Specify the
           destinations to which mail is allowed. The following options are available:

             • Allow mail to any destination — Indicates that mail will be allowed at any destination.

             • Only allow mail to defined destinations — Indicates that you can specify the destinations to
               which the firewall will forward mail. The firewall allows mail based on the contents of its RCPT TO:
               field. If the domain name portion of the RCPT TO: field matches a character string in the domain
               address list, the mail is allowed to pass. To configure the destinations, use the destination table
               below.

         • Destination Type — Specify the format of the destination for this row.

             To add a destination, click the Destination Type field when it has no value. Select a value from the
             list and continue with the other fields in the destination table.

             The following options are available:

             • Domains — Indicates that this destination is a fully qualified domain name (FQDN).

             • IP address — Indicates that this destination is a single IP address.

             • IP Range — Indicates that this destination is an address range.

         • Destination — Specify the value of the destination, depending on the value in the Destination Type
           column.

             • Domains — Specify a fully qualified domain name (FQDN).

             • IP address — Specify a valid IP address.

             • IP Range — Specify an address range, with beginning and ending IP addresses.

         • Include Subdomains — Determines whether the subdomains for an FQDN are included in this
           destination. For example, if you allow mail to be sent to example.com and select this option, messages
           sent to mail.example.com are also allowed.

             This is the most reliable option to use with the Domains value in the Destination Type field, because
             most destinations in the RCPT TO: field are formatted as a domain name.


• Limit message size — Determines whether to restrict the allowed size for mail messages. Mail that
  exceeds the specified limit is rejected. Allowed values are 1 byte up to (but not including) 2 gigabytes.

• Limit number of recipients — Determines whether to limit the number of recipients allowed per mail
  message. Allowed values are 1–100000 recipients.

• Banned mailbox characters — Specify the banned non-printable or potentially dangerous characters
  in mailbox addresses. Specify the characters with no delimiters. Specify up to 255 characters.
   Note: You should not add often-used characters in this field. For example, specifying the character "o" blocks
   mail to all .com domains.

• Add received header — Determines whether to configure the SMTP proxy to add an informational
  header to the beginning of messages that it receives. This header advertises that the firewall handled the
  message. For firewall version 7.0.0.06, the default value was selected. However, for versions 7.0.0.07
  and later, the default value is cleared.
   Note: This field should be used for troubleshooting or internal auditing purposes only. You should not select
   this checkbox on outbound SMTP rules because private network information can be revealed.
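The destination-based filtering and the Banned mailbox characters field described on this tab can be modelled as a short policy check. The following Python example is added here for illustration and is not McAfee code; the row model (Destination Type, Destination, Include Subdomains), the treatment of an IP literal in the RCPT TO: domain, and the constructed table values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of one row of the destination table (Destination Type,
# Destination, Include Subdomains). Illustrative code, not McAfee's.
@dataclass
class Destination:
    dest_type: str                  # "Domains", "IP address" or "IP Range"
    value: str                      # FQDN, one IP address, or "first-last" range
    include_subdomains: bool = False


def rcpt_domain(rcpt_arg: str) -> Optional[str]:
    """Return the lower-cased domain part of an RCPT TO: argument such as
    '<alice@mail.example.com>' or '<bob@[192.0.2.10]>'; None if there is no '@'."""
    addr = rcpt_arg.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip()
    return domain.strip("[]").lower()       # IP literals arrive as [a.b.c.d]


def row_matches(dest: Destination, domain: str) -> bool:
    """True if the RCPT TO: domain matches this destination-table row."""
    if dest.dest_type == "Domains":
        allowed = dest.value.lower()
        if domain == allowed:
            return True
        # Include Subdomains: mail.example.com is accepted for example.com,
        # but notexample.com is not (the match is on a dot-separated label).
        return dest.include_subdomains and domain.endswith("." + allowed)
    # For the IP forms the RCPT TO: domain must itself be an IP literal (assumption).
    try:
        ip = ipaddress.ip_address(domain)
    except ValueError:
        return False
    if dest.dest_type == "IP address":
        return ip == ipaddress.ip_address(dest.value)
    if dest.dest_type == "IP Range":
        first, last = (ipaddress.ip_address(p.strip()) for p in dest.value.split("-", 1))
        return ip.version == first.version and first <= ip <= last
    raise ValueError(f"unknown Destination Type: {dest.dest_type}")


def rcpt_allowed(rcpt_arg: str, destinations: List[Destination],
                 any_destination: bool = False) -> bool:
    """Decision for one RCPT TO: under 'Allow mail to any destination' or
    'Only allow mail to defined destinations'."""
    if any_destination:
        return True
    domain = rcpt_domain(rcpt_arg)
    if domain is None:
        return False
    return any(row_matches(d, domain) for d in destinations)


def banned_char_in_mailbox(rcpt_arg: str, banned_chars: str) -> Optional[str]:
    """Return the first Banned mailbox characters entry found in the mailbox
    address, or None. The whole address is checked, which is why the page warns
    that banning an everyday letter such as 'o' blocks every .com recipient."""
    addr = rcpt_arg.strip().strip("<>")
    for ch in addr:
        if ch in banned_chars:
            return ch
    return None


if __name__ == "__main__":
    # Constructed destination table for the demonstration.
    table = [
        Destination("Domains", "example.com", include_subdomains=True),
        Destination("IP address", "192.0.2.10"),
        Destination("IP Range", "198.51.100.1-198.51.100.20"),
    ]
    for rcpt in ("<alice@mail.example.com>", "<eve@notexample.com>",
                 "<bob@[198.51.100.7]>", "<bob@[198.51.100.21]>"):
        print(rcpt, "allowed" if rcpt_allowed(rcpt, table) else "rejected")
    print("banned char:", banned_char_in_mailbox("<alice@example.com>", "o"))
```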

Mail (SMTP proxy) Application Defense window: Commands tab
Use the Commands tab of the Mail (SMTP proxy) Application Defense window to specify the SMTP
commands that are allowed.
Figure 153 Mail (SMTP proxy) Application Defense window: Commands tab


      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node to display the tree.

      3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.

      4 Select the Commands tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Allowed Extensions — Specify the SMTP extensions to allow.
         Note: If you allow STARTTLS and a session includes that command, the firewall will no longer perform any
         command filtering for the rest of that session.

      • Relayed Commands — Use the fields in this area to specify the SMTP commands to relay.

         To add a command, scroll down to a blank row and specify the information. Any entry that you add to
         this list, within this SMTP object, will be available to other SMTP objects.

         To delete an existing command, click x (Delete) in that row. The default commands (onex, x-exps,
         x-link2state, and xexch50) cannot be deleted.
         Note: When a command selected in this list is encountered in a session, the firewall will no longer perform any
         command filtering for the rest of that session.

         • Use — Determines whether this command will be relayed.

         • Command — Displays the name of the command. If you are adding a relayed command, specify the
           value.

         • Extension — Displays the SMTP extension. If you are adding a command and it is defined by an SMTP
           extension, you must specify the extension name or SMTP clients will be unaware that the extension is
           supported. If the command that you are adding is not defined by an extension, leave this field blank.

         • Description — Displays a description for the relay command. If you are adding a command, you can
           specify a value for this column.

         • Delete — Delete the command in this row of the table.


Mail (SMTP proxy) Application Defense window: Header Filters tab
Use the Header Filters tab of the Mail (SMTP proxy) Application Defense window to configure the mail
headers that are allowed. The SMTP proxy allows a maximum of 1000 headers per mail message.
Figure 154 Mail (SMTP proxy) Application Defense window: Header Filters tab




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node to display the tree.

3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.

4 Select the Header Filters tab.

Fields and buttons
This tab has the following fields and buttons:
• Header Names — Use the fields in this area to specify the way in which the headers are filtered. If you
  select an option that requires specific headers, select each header by selecting its Use checkbox. The
  following values are available in this area:

   • Allow all headers — Indicates that no header filtering will be used. This selection also disables the
     table.

   • Allow selected headers only — Indicates that only the headers that are selected in this table will be
     allowed.

   • Strip selected headers — Indicates that the headers that are selected in this table will be removed
     from messages.


         To add a header, scroll down to a blank row and specify the information. Any entry that you add to this
         list, within this SMTP object, will be available to other SMTP objects. However, after you add this
         header, you cannot edit the header name or its description.

         To delete an existing header from this list, click x (Delete) in that row. Note that default headers in
         this table cannot be deleted. You can delete only those headers that have been added to the default
         list.

         • Use — Determines whether this header is allowed or stripped, depending on the value that you
           selected in the Header Names field.

         • Header — Specify the name of the header that you are adding. For an existing header, this column
           displays its name.

         • Description — Provide a description for the header that you are adding. For an existing header,
           this column displays its description.

         • Delete — Delete this row. This row is not actually deleted until you click OK to save the changes in
           this window.

      • Header Values — Use the fields in this area to specify the way in which messages are blocked based on
        header-value pairs. If you select an option that requires specific header values, select each header
        value by selecting its Use checkbox.

         The following values are available in this area:

         • Allow all header values — Indicates that no message blocking will be used. This selection also
           disables the table.

         • Block messages with selected header-value pairs — Indicates that messages with specific header
           values will be blocked. Header values are not case-sensitive.

         To add a header value, scroll down to a blank row and specify the information. Any entry that you add
         to this list, within this SMTP object, will be available to other SMTP objects.

         To delete an existing header value from this list, click x (Delete) in that row.

         • Use — Determines whether message blocking will be used for this header.

         • Header — Specify the name of the header that you are adding. For an existing header, this column
           displays its name.

         • Value — Specify the value for the header. Note that matches that are made on this value are not
           case-sensitive. Also, partial matches are allowed. For example, specifying example in this field would
           match testexampledomain.net.

         • Delete — Delete this row. This row is not actually deleted until you click OK to save the changes in
           this window.
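The three Header Names modes, the header-value blocking with its case-insensitive partial match, and the 1000-header limit described on this tab can be exercised against a sample message. The following Python example is added here for illustration and is not McAfee code; the message is constructed, and evaluating value blocking before header stripping is an assumption the page does not state.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# From the page: the SMTP proxy allows at most 1000 headers per message.
MAX_HEADERS = 1000


def parse_headers(raw_message: str) -> List[Header]:
    """Split the header block of a message into (name, value) pairs, unfolding
    continuation lines. Parsing stops at the first blank line."""
    headers: List[Header] = []
    for line in raw_message.splitlines():
        if not line.strip():
            break                                   # end of the header block
        if line[0] in " \t" and headers:            # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def filter_header_names(headers: List[Header], mode: str,
                        selected: List[str]) -> List[Header]:
    """Header Names area: 'allow_all', 'allow_selected' (Allow selected headers
    only) or 'strip_selected'. `selected` holds the rows whose Use box is checked."""
    chosen = {n.lower() for n in selected}
    if mode == "allow_all":
        return list(headers)
    if mode == "allow_selected":
        return [(n, v) for n, v in headers if n.lower() in chosen]
    if mode == "strip_selected":
        return [(n, v) for n, v in headers if n.lower() not in chosen]
    raise ValueError(f"unknown Header Names mode: {mode}")


def blocked_by_header_value(headers: List[Header],
                            pairs: List[Header]) -> Optional[Header]:
    """Header Values area: return the first (header, value) rule that matches.
    As the page notes, the value match is case-insensitive and partial, so a
    rule value of 'example' also matches 'TestExampleDomain'."""
    for name, value in headers:
        for rule_name, rule_value in pairs:
            if name.lower() == rule_name.lower() and rule_value.lower() in value.lower():
                return (rule_name, rule_value)
    return None


def apply_header_filters(raw_message: str, name_mode: str, selected_names: List[str],
                         block_pairs: Optional[List[Header]]) -> Tuple[str, object]:
    """Combine both areas. `block_pairs` is None for 'Allow all header values'.
    Assumption (not stated on the page): value blocking is evaluated before
    header stripping, so a header that would be stripped can still block."""
    headers = parse_headers(raw_message)
    if len(headers) > MAX_HEADERS:
        return ("reject", f"{len(headers)} headers exceeds {MAX_HEADERS}")
    if block_pairs:
        rule = blocked_by_header_value(headers, block_pairs)
        if rule is not None:
            return ("block", rule)
    return ("pass", filter_header_names(headers, name_mode, selected_names))


# Constructed sample message (not captured traffic).
SAMPLE = (
    "Received: from mta.example.net (mta.example.net [192.0.2.5])\n"
    "\tby relay.example.com with ESMTP; Mon, 1 Jan 2009 10:00:00 +0000\n"
    "From: Alice <alice@example.net>\n"
    "To: bob@example.com\n"
    "Subject: quarterly report\n"
    "X-Mailer: TestExampleDomain Mailer 1.0\n"
    "Content-Type: text/plain\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    print(apply_header_filters(SAMPLE, "strip_selected", ["Received", "X-Mailer"], None))
    print(apply_header_filters(SAMPLE, "allow_all", [], [("X-Mailer", "example")]))
```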


Configuring Citrix application defenses
Use the Citrix Application Defense window to create and maintain Citrix application defenses. A Citrix®
application defense allows you to configure advanced properties for the Citrix ICA (Independent Computing
Architecture) proxy. This proxy allows users to locate and connect to a Citrix server farm within a private
address space. By configuring a Citrix application defense, you can control access to resources by enabling
filtering of certain types of Citrix ICA application and communication channels (for example, drive mapping,
clipboard operations, and printers).
Figure 155 Citrix Application Defense window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the Citrix node. The Citrix Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons.
• Name — Specify a label used to refer to the Citrix application defense.

• Description — Provide information about the application defense.

• Enforce Citrix Filters — Determines whether Citrix filtering is enabled. This checkbox is cleared by
  default. If this checkbox is selected, use the Denied Filters list to select items to be denied.

• Denied Filters — Specify the Citrix-supported application or communication channel types that are to be
  denied. Select the checkbox that is associated with each type to include it in the denied list. Right-click
  on the column heading to access options to quickly select or clear fields. The following options are available:

   • Select All — Select all filters, thereby denying all types of channels.

         • Unselect All — Clear all filters, thereby allowing all types of channels.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving the changes.


      Configuring FTP application defenses
      Use the FTP Application Defense window to create and maintain FTP application defenses. An FTP
      application defense configures advanced properties for FTP. Such properties include the types of FTP
      commands allowed and the parameters to use in scanning files transferred by using FTP.
      Figure 156 FTP Application Defense window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the FTP node. The FTP Defense window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the FTP application defense.

      • Description — Provide information about the FTP application defense.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving the changes.


Tabs
This window has the following tabs:
• General — Ensure that only specified FTP commands are allowed for a particular connection. For more
  information, see FTP Application Defense window: General tab on page 397.

• Virus/Spyware — Ensure that files transferred via FTP are scanned for viruses and spyware. It also
  allows you to specify criteria to use for scanning and handling the files. For more information, see FTP
  Application Defense window: Virus/Spyware tab on page 398.

FTP Application Defense window: General tab
Use the General tab of the FTP Application Defense window to indicate whether FTP commands may be
used for a particular connection and to specify the allowed commands. To view the fields on this tab, see
Figure 156 on page 396.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the FTP node. The FTP Defense window is displayed.

4 Make sure that the General tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Enforce Command Filtering — Determines whether FTP commands are allowed. This checkbox is
  cleared by default. If you select this checkbox, use the Allowed Commands list to specify the commands
  that are permitted.

• Allowed Commands — Specify the FTP commands that are permitted. Select the checkbox that is
  associated with each command to include it in the permitted commands list. Right-click on the column
  heading to access options to quickly select or clear fields. The following options are available:

   • Select All — Selects all commands.

   • Unselect All — Clears all commands.


      FTP Application Defense window: Virus/Spyware tab
      Use the Virus/Spyware tab of the FTP Application Defense window to ensure that files transferred via FTP
      are scanned for viruses and spyware and to specify the criteria for scanning and handling the files.
      Note: You must have licensed and configured scanning services to be able to use the features of this tab. Use the
      Virus Scan window to configure scanning services. These services include updating the scanner engine and
      signature files and distributing scanner processes for incoming and outgoing traffic.

      Figure 157 FTP Application Defense window: Virus/Spyware tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the FTP node. The FTP Defense window is displayed.

      4 Select the Virus/Spyware tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Enforce Virus/Spyware Scanning — Determines whether scanning of files for viruses and spyware is
        enabled. This checkbox is cleared by default. If you select this checkbox, you can configure parameters
        that control the scanning of file content and the handling of infected files by using the fields in the
        Virus/Spyware Extensions and Scanner Behavior areas.

      • Virus/Spyware Extensions — Use the fields in this area to specify the types of files to be scanned and
        the action to be taken for each type. The following fields are available:

         • Default Action — Specify the action to be taken by default for file types other than those specified
           and handled by the values specified in the Extension Type and Action column. The following values
           are available:

             • Allow — Indicates that all file types other than those explicitly denied by the values specified in the
               Extension Type and Action column are allowed. This is the default value.
                Note: If you select this value, you must use the Action and Extension Type controls to specify the file
                types that you want to scan or deny.
             • Scan — Indicates that file types other than those specified by the values specified in the Extension
               Type and Action columns are scanned for viruses and spyware.

       • Deny — Indicates that all file types other than those explicitly allowed by the values specified in the
         Extension Type and Action column are denied.
          Note: If you select this option, you must use the Action and Extension Type controls to specify the file
          types that you want to allow or scan.
   • Action — Specify the action to be taken for files with extensions of the type that is specified in the
     Extension Type column. The following values are available:

       • Allow — Permits files with the specified extensions to be transferred. Note that this option excludes
         scanning for viruses and spyware.

       • Scan — Requires files with the specified extensions to be scanned for viruses and spyware. If
         scanning does not detect viruses or spyware, the files are allowed to be transferred.

       • Deny — Prohibits files with the specified extensions from being transferred. Note that this option
         excludes scanning for viruses and spyware.

   • Extension Type — Specify the types of file name extensions to be subjected to the action that is
     specified in the Action column. The following values are available:

       • All File Extensions — Includes file name extensions of all types.

       • Predefined list — Select file name extensions from a predefined list that is displayed in the
         Extensions field.

       • Custom List — Create a list of extensions by specifying text in the Extensions column.

   • Extensions — Specify the file name extensions to be included. If the value that is specified in the
     Extension Type column is Predefined list, select values for Category (for example, application,
     image, text) and their associated file extensions. (For example, if you select application as your
     category, you can select doc, bin, and exe for your file extensions.)

   • Navigation arrows — Use the move up and move down arrows to change the order of a selected action
     in this table.

• Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields
  are available:

   • Reject all files if scanning is unavailable — Determines whether file transfer using FTP is prevented
     if the proxy cannot communicate with the scanners. This checkbox is cleared by default. If you select
     this option, the connection will be dropped if scanning is unavailable (for example, due to out-of-date
     virus data, an expired license, or a configuration error).

   • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions
     7.0.0.08 and later and 7.0.1.02 and later] Determines whether to enable scanning for unknown
     viruses. This checkbox is cleared by default.

   • Infected File Handling — Use the fields in this area to specify the way that infected files are handled.
     The following options are available:

       • Discard infected files — Indicates that infected files will be discarded.

       • Repair infected files — Indicates that infected files will be disinfected prior to processing. If an
         infected file cannot be disinfected, it will be discarded.

   • Maximum Scan Size — [Available only for firewall versions 7.0.0.08 and later and 7.0.1.02 and later]
     Use the fields in this area to specify file size parameters for scanning. The following fields are available:
       • Scan File Size Limit (KB) — Specify the maximum file size (in kilobytes) that will be allowed. The
         default value is 32768.

       • Files over the scan limit will be allowed through unscanned — Indicates that, even though a
         file exceeds the specified limit, it will be allowed to pass through without being scanned.


             • Files over the scan limit will be rejected — Indicates that, if a file exceeds the specified limit,
               scanning will not be performed and the file will be denied. This is the default selection.

         • Apply Filter Rules to FTP — Use the fields in this area to specify the FTP command or commands to
           which the actions that were specified in the Virus/Spyware Extensions area are applied. The
           following options are available:

             • Uploads (PUT) — Apply rules only on PUT commands (upload files to a server).

             • Downloads (GET) — Apply rules only on GET commands (download files from a server).

             • Uploads, Downloads (PUT, GET) — Apply rules on both PUT and GET commands.
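The Virus/Spyware settings on this tab, and the corresponding Extension Type, Extensions, Scanner Behavior, Infected File Handling and Maximum Scan Size fields in the Mail virus-scanning area earlier, together form a small per-file policy. The following Python example is added here for illustration and is not McAfee code: the row model, the first-matching-row evaluation order, the `verdict` stand-in for the scanner, and passing a file unscanned when the reject option is cleared are all assumptions; the Custom List parser enforces the page's guidance (no leading period, comma-delimited).

```python
from dataclasses import dataclass, field
from typing import List, Optional


def parse_extension_list(text: str) -> set:
    """Apply the page's guidance for Custom List values: comma-delimited, no
    leading period. Raises ValueError on either mistake so a misconfigured row
    fails loudly instead of silently matching nothing."""
    exts = set()
    for item in text.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if item.startswith("."):
            raise ValueError(f"leading period not allowed: {item!r}")
        if " " in item:
            raise ValueError(f"use commas, not spaces, to delimit values: {item!r}")
        exts.add(item)
    return exts


@dataclass
class ExtensionRule:
    action: str            # "Allow", "Scan" or "Deny"
    ext_type: str          # "All File Extensions", "Predefined list" or "Custom List"
    extensions: str = ""   # comma-delimited; for a predefined list, the category's extensions

    def covers(self, ext: str) -> bool:
        if self.ext_type == "All File Extensions":
            return True
        return ext in parse_extension_list(self.extensions)


@dataclass
class ScanPolicy:
    default_action: str = "Allow"                      # page default
    rules: List[ExtensionRule] = field(default_factory=list)  # table order
    scan_limit_kb: int = 32768                         # page default
    over_limit_allowed: bool = False                   # default: over-limit files rejected
    reject_if_scanner_unavailable: bool = False        # checkbox cleared by default
    repair_infected: bool = False                      # False = Discard infected files


def file_extension(filename: str) -> str:
    """Lower-cased extension after the last period; '' when there is none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def decide(policy: ScanPolicy, filename: str, size_kb: int,
           verdict: Optional[str]) -> str:
    """Outcome for one transferred file. `verdict` stands in for the scanner:
    'clean', 'infected', 'repairable', or None when scanning is unavailable.
    Assumption: the first table row that covers the extension wins, which is
    why the page provides up/down controls to order the rows."""
    ext = file_extension(filename)
    action = policy.default_action
    for rule in policy.rules:
        if rule.covers(ext):
            action = rule.action
            break
    if action == "Allow":
        return "allow"                    # Allow excludes scanning entirely
    if action == "Deny":
        return "deny"
    if action != "Scan":
        raise ValueError(f"unknown action: {action}")
    # Scan path: size limit first, then scanner availability, then verdict.
    if size_kb > policy.scan_limit_kb:
        return "allow-unscanned" if policy.over_limit_allowed else "deny"
    if verdict is None:
        # Assumption: with the reject option cleared the file passes unscanned.
        return "deny" if policy.reject_if_scanner_unavailable else "allow-unscanned"
    if verdict == "clean":
        return "allow"
    if verdict == "repairable" and policy.repair_infected:
        return "allow-repaired"
    return "discard"                      # infected and not repaired


if __name__ == "__main__":
    # Constructed policy: scan by default, deny executables, pass text untouched.
    policy = ScanPolicy(
        default_action="Scan",
        rules=[ExtensionRule("Deny", "Custom List", "exe,scr"),
               ExtensionRule("Allow", "Custom List", "txt")],
        scan_limit_kb=1024, reject_if_scanner_unavailable=True, repair_infected=True)
    for f, kb, v in [("setup.exe", 10, "clean"), ("notes.txt", 10, "infected"),
                     ("report.pdf", 2048, "clean"), ("report.pdf", 10, "repairable")]:
        print(f, kb, v, "->", decide(policy, f, kb, v))
```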


      Configuring IIOP application defenses
      Use the IIOP Application Defense window to create and maintain Internet Inter-ORB Protocol (IIOP)
      application defenses. An IIOP application defense specifies such properties as those controlling bidirectional
      GIOP, validation of content, and maximum message size.
      IIOP is the General Inter-ORB Protocol (GIOP) operating over TCP/IP. The IIOP proxy provides
      transparent GIOP access through the firewall, which allows Common Object Request Broker Architecture
      (CORBA) applications to access CORBA resources on configured networks as permitted by the site
      security policy.
      Figure 158 IIOP Application Defense window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the IIOP node. The IIOP Application Defense window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the IIOP application defense.

      • Description — Provide information about the application defense.

      • Allow Bi-directional GIOP — Determines whether bidirectional GIOP is allowed. This checkbox is
        cleared by default.

      • Validate Content Format — Determines whether the format of data in the GIOP PDU (protocol data
        unit) is validated. This checkbox is cleared by default. If you select this checkbox, the message contained
        in the PDU is examined to ensure that header content, message direction, and message length are valid
        for the GIOP message type identified in the GIOP message header.



400   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Application defenses




• Maximum message size (PDU) — Specify the largest message that is allowed through the proxy. The
  default value is 72000.

• OK — Save the changes in this window.

• Cancel — Close this window without saving any changes.
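The Validate Content Format and Maximum message size (PDU) checks above can be illustrated with a small GIOP header validator. The code below is an added example, not code from the guide or from the McAfee proxy; it follows the public GIOP 1.0/1.1/1.2 header layout (magic, version, flags, message type, message size) and uses the guide's default PDU limit of 72000. The direction table, the treatment of CloseConnection as server-originated, and the way `allow_bidir` relaxes the direction rule are this example's own assumptions.

```python
import struct

GIOP_MAGIC = b"GIOP"
DEFAULT_MAX_PDU = 72000  # the guide's default "Maximum message size (PDU)"

# GIOP message types and the direction each may travel when bidirectional GIOP
# is disabled ("to_server" = client -> server, "to_client" = server -> client).
# Assumption: CloseConnection is treated as server-originated; MessageError and
# Fragment may travel either way.
MSG_TYPES = {
    0: ("Request", "to_server"),
    1: ("Reply", "to_client"),
    2: ("CancelRequest", "to_server"),
    3: ("LocateRequest", "to_server"),
    4: ("LocateReply", "to_client"),
    5: ("CloseConnection", "to_client"),
    6: ("MessageError", "either"),
    7: ("Fragment", "either"),
}


def validate_giop(pdu, direction, allow_bidir=False, max_pdu=DEFAULT_MAX_PDU):
    """Check one complete GIOP PDU: header content, message direction and message
    length must all be valid for the message type. Returns (ok, reason, info)."""
    if len(pdu) < 12:
        return False, "header shorter than 12 bytes", None
    magic, major, minor, flags, mtype = struct.unpack("!4sBBBB", pdu[:8])
    if magic != GIOP_MAGIC:
        return False, "bad magic", None
    if major != 1 or minor > 2:
        return False, f"unsupported GIOP version {major}.{minor}", None
    # GIOP 1.0 carries a boolean byte_order at offset 6; 1.1+ carries flags:
    # bit 0 = little-endian, bit 1 = more fragments follow, other bits reserved.
    if minor == 0 and flags not in (0, 1):
        return False, "GIOP 1.0 byte_order must be 0 or 1", None
    if minor >= 1 and flags & ~0x03:
        return False, "reserved flag bits set", None
    little_endian = bool(flags & 0x01)
    if mtype not in MSG_TYPES or (mtype == 7 and minor == 0):
        return False, f"message type {mtype} invalid for GIOP 1.{minor}", None
    name, allowed_dir = MSG_TYPES[mtype]
    if allowed_dir != "either" and allowed_dir != direction and not allow_bidir:
        return False, f"{name} not permitted {direction} without bidirectional GIOP", None
    # message_size is encoded in the byte order announced by the header itself
    size = struct.unpack("<I" if little_endian else ">I", pdu[8:12])[0]
    if size > max_pdu:
        return False, f"message_size {size} exceeds maximum PDU {max_pdu}", None
    if len(pdu) - 12 != size:
        return False, f"message_size {size} does not match {len(pdu) - 12} body bytes", None
    info = {"type": name, "version": f"1.{minor}", "little_endian": little_endian, "size": size}
    return True, "ok", info


def build_giop(mtype, body, minor=2, little_endian=False):
    """Construct a sample PDU for testing (constructed data, not captured traffic)."""
    flags = 0x01 if little_endian else 0x00
    size = struct.pack("<I" if little_endian else ">I", len(body))
    return GIOP_MAGIC + bytes([1, minor, flags, mtype]) + size + body
```

With bidirectional GIOP disabled, a Request arriving from the server side is rejected on direction alone, before the size or body length is considered; enabling `allow_bidir` is the equivalent of selecting the Allow Bi-directional GIOP checkbox.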


Configuring T120 application defenses
Use the T120 Application Defense window to create and maintain T120 application defenses. Use this
window to ensure that permissions are checked to determine whether a connection is allowed and to ensure
that only specified T.120 services are permitted over that connection.
The T.120 standard produced by the International Telecommunication Union (ITU) is composed of a suite of
communication and application protocols for real-time data connections and multimedia conferencing.
These protocols are used to support whiteboarding, file transfer, application sharing, and text chat.
The T.120 proxy facilitates the control of T.120 services. It can control the T.120 nodes that are allowed to
initiate a connection to other nodes and mediate the services that are allowed during a session over an
allowed connection between nodes.
Figure 159 T120 Application Defense window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the T.120 node. The T120 Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label to refer to the T.120 application defense.

• Description — Provide information about the T.120 application defense.

• Enforce permission checking for T120 — Determines whether permissions are checked for an allowed
  connection between nodes. This checkbox is cleared by default. If you select this checkbox, use the
  checkboxes in the Allowed Service list to specify the T.120 services that are permitted.








      • Allowed Service — Specify the T.120 services that are allowed. Select the checkbox associated with
        each service to include it in the list. Right-click on the column heading to access options to quickly select
        or clear fields. The following options are available:

         • Select All — Selects all services.

         • Unselect All — Clears all services.

      • OK — Save the changes in this window.

      • Cancel — Close this window without saving any changes.


      Configuring H.323 application defenses
      Use the H323 Application Defense window to create and maintain H.323 application defenses.
      H.323 is an International Telecommunication Union (ITU) standard that specifies how multimedia
      terminals, equipment, and services communicate over networks that do not provide a guaranteed quality of
      service (such as the Internet). H.323 allows users to participate in the same video conference even if they
      are using different video conferencing applications.
      Use the H323 Application Defense window to ensure that permissions are checked and that only specified
      audio and video codecs are allowed. Codecs define the format for transmitting audio and video information.
      Figure 160 H323 Application Defense window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the H.323 node. The H323 Application Defense window is displayed.








Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label to refer to the H.323 application defense.

• Description — Provide information about the H.323 application defense.

• Maximum call duration (sec) — Specify the maximum call duration. The default value is 86400
  seconds.

• Enforce permission checking for H323 — Determines whether permissions are checked for allowed
  audio and video codecs. This checkbox is cleared by default. If you select this checkbox, use the fields in
  the Allowed Common Codecs list to specify the codecs that are permitted.

• Allowed Common Codecs — Specify the audio and video codecs that are allowed within the H.323
  protocol. Select the checkbox associated with each codec to include it in the permissions list. Right-click
  on the column heading to access options to quickly select or clear fields. The following values are available
  when you right-click anywhere in this list:

   • Required — Selects the codecs required by the H.323 standard.
   • Required + Low Bandwidth Audio — Selects the codecs required by the H.323 standard and low
     bandwidth audio codecs.

   • Required + All Audio — Selects the codecs required by the H.323 standard and all audio codecs.

   • Required + All Audio + Video — Selects the codecs required by the H.323 standard and all audio
     and video codecs.

   • Custom — Manually select desired codecs.

   • Select All — Selects all codecs.

   • Unselect All — Clears all codecs.

• OK — Save the changes in this window.

• Cancel — Close this window without saving any changes.


Configuring Oracle application defenses
Use the Oracle Application Defense window to create and maintain Oracle application defenses. Use this
window to indicate whether Oracle service name checking is enabled and to configure the service names
that are allowed access to the SQL server.
Figure 161 Oracle Application Defense window








      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the Oracle node. The Oracle Application Defense window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the Oracle application defense.

      • Description — Provide information about the application defense.

      • Enforce Service Name Checking — Determines whether Oracle service name checking is enabled. This
        checkbox is cleared by default. If this checkbox is selected, the Service Name field is enabled.

      • Service Name — If the Enforce Service Name Checking checkbox is selected, specify the Oracle
        service names that are allowed access to the SQL server. Only sessions that match the service name or
        names that are specified in this field are allowed.

      • OK — Save the changes in this window.

      • Cancel — Close this window without saving any changes.


      Configuring MS SQL application defenses
      Use the MS SQL Application Defense window to create and maintain MS SQL application defenses.
      Note: The MS SQL application defense is not currently available. It is reserved for future features.

      Figure 162 MS SQL Application Defense window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the MS SQL node. The MS SQL Application Defense window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label to refer to the MS SQL application defense.

      • Description — Provide information about the MS SQL application defense.

      • OK — Save the changes in this window.

      • Cancel — Close this window without saving any changes.








Configuring SOCKS application defenses
Use the SOCKS Application Defense window to create and maintain SOCKS application defenses. Use this
window to indicate whether SOCKSv4 is supported, indicate the types of traffic allowed, and specify the
destination ports of the application server.
Figure 163 SOCKS Application Defense window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the SOCKS node. The SOCKS Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the SOCKS application defense.

• Description — Provide information about the application defense.

• Enable SOCKS 4 filtering — Determines whether SOCKS Version 4 is supported. This checkbox is
  cleared by default. If you select this checkbox, only SOCKSv4 will be supported; it will not be possible to
  pass SOCKSv5 traffic.

• SOCKS Traffic Option — Specify the type of traffic that is allowed if the SOCKS5 proxy is being used.
  The following checkboxes are available:

   • Allow TCP — Permits TCP traffic.

   • Allow UDP — Permits UDP traffic.

       These checkboxes are cleared by default. You may select one or both checkboxes.








      • Ports open through SOCKS Proxy — Configure a range of destination ports of the connection from the
        SOCKS proxy on the firewall to the application server. The following fields are available:

         • Begin Port — Specify the first port in the range.

         • End Port — Specify the last port in the range.

      • OK — Save the changes in this window.
      • Cancel — Close this window without saving any changes.
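The SOCKS settings above (SOCKS 4 filtering, the TCP/UDP traffic options, and the destination port range) can be exercised against real request bytes. The following is an added example, not code from the guide or the McAfee proxy: it decodes a SOCKS4/4a request or the SOCKS5 request that follows method negotiation, using the public wire formats, and then applies a policy object whose fields mirror the window. It assumes that when SOCKS 4 filtering is off the proxy accepts only SOCKSv5 requests (the guide says the traffic options apply "if the SOCKS5 proxy is being used"), and it does not model the per-datagram destination checks a UDP relay would need.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class SocksPolicy:
    socks4_only: bool = False   # "Enable SOCKS 4 filtering"
    allow_tcp: bool = False     # "Allow TCP"  (SOCKS5 CONNECT / BIND)
    allow_udp: bool = False     # "Allow UDP"  (SOCKS5 UDP ASSOCIATE)
    begin_port: int = 1         # "Ports open through SOCKS Proxy": Begin Port
    end_port: int = 65535       # End Port


def parse_socks_request(data):
    """Decode a SOCKS4/4a request or a SOCKS5 request. Returns (request, error)."""
    if not data:
        return None, "empty request"
    ver = data[0]
    if ver == 4:
        if len(data) < 9:
            return None, "short SOCKS4 request"
        cmd, port = struct.unpack("!BH", data[1:4])
        host = str(ipaddress.IPv4Address(data[4:8]))
        end = data.find(b"\x00", 8)                # USERID is NUL-terminated
        if end < 0:
            return None, "unterminated USERID"
        if host.startswith("0.0.0.") and host != "0.0.0.0":   # SOCKS4a: hostname follows
            dend = data.find(b"\x00", end + 1)
            if dend < 0:
                return None, "unterminated SOCKS4a hostname"
            host = data[end + 1:dend].decode("ascii", "replace")
        cmds = {1: "CONNECT", 2: "BIND"}
    elif ver == 5:
        if len(data) < 4 or data[2] != 0:
            return None, "short SOCKS5 request or RSV not zero"
        cmd, atyp = data[1], data[3]
        if atyp == 1 and len(data) >= 10:                              # IPv4
            host, pos = str(ipaddress.IPv4Address(data[4:8])), 8
        elif atyp == 3 and len(data) > 4 and len(data) >= 7 + data[4]:  # domain name
            n = data[4]
            host, pos = data[5:5 + n].decode("ascii", "replace"), 5 + n
        elif atyp == 4 and len(data) >= 22:                            # IPv6
            host, pos = str(ipaddress.IPv6Address(data[4:20])), 20
        else:
            return None, f"bad or truncated address (ATYP {atyp})"
        port = struct.unpack("!H", data[pos:pos + 2])[0]
        cmds = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
    else:
        return None, f"unknown SOCKS version {ver}"
    if cmd not in cmds:
        return None, f"unknown SOCKS{ver} command {cmd}"
    return {"version": ver, "cmd": cmds[cmd], "host": host, "port": port}, None


def check_socks_request(data, policy):
    """Apply the application-defense settings to one request: (allowed, reason)."""
    req, err = parse_socks_request(data)
    if err:
        return False, err
    if policy.socks4_only and req["version"] != 4:
        return False, "only SOCKSv4 is permitted by this defense"
    if not policy.socks4_only and req["version"] != 5:
        return False, "SOCKSv5 proxy in use; SOCKSv4 request refused"  # assumption
    if req["version"] == 5:
        if req["cmd"] == "UDP_ASSOCIATE":
            # DST.PORT here is the client's own UDP port; the real destination
            # ports travel inside each relayed datagram and are not modelled.
            return (True, "UDP relay") if policy.allow_udp else (False, "UDP not allowed")
        if not policy.allow_tcp:
            return False, "TCP not allowed"
    if not policy.begin_port <= req["port"] <= policy.end_port:
        return False, f"destination port {req['port']} outside {policy.begin_port}-{policy.end_port}"
    return True, f"{req['cmd']} to {req['host']}:{req['port']}"
```

The parser returns an error for every truncated or malformed message rather than raising, so the policy check fails closed on bad input; the sample requests used in testing are constructed by hand, not captured.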


      Configuring SNMP application defenses
      Use the SNMP Application Defense window to create and maintain Simple Network Management Protocol
      (SNMP) application defenses.
      SNMP is used to manage and monitor network devices such as routers, servers, switches, hubs, and hosts.
      It accesses hierarchical databases called management information bases (MIBs) to manage the devices in a
      network. Entries in the MIB are addressed by a unique object identifier, or OID. An OID is a unique numeric
      representation of a device in the SNMP network. For an understanding of OIDs, MIBs, and SNMP, review the
      following RFCs:
      • RFC 2578, "Structure of Management Information Version 2 (SMIv2)"

      • RFC 1155, "Structure and Identification of Management Information for TCP/IP-based Internets"

      • RFC 1157, "A Simple Network Management Protocol (SNMP)"

      For assistance in obtaining OIDs, consult the Internet Assigned Numbers Authority (IANA) Web site at
      www.iana.org/assignments/enterprise-numbers.
      Use the SNMP Application Defense window to configure advanced properties for the SNMP proxy. Such
      properties include the type of SNMP traffic to allow, the types of requests and events to filter, and for SNMP
      version 1 traffic, the object identifiers to allow or deny.
      Figure 164 SNMP Application Defense window








Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the SNMP node. The SNMP Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the SNMP application defense.

• Description — Provide information about the SNMP application defense.

• Maximum message size (PDU) — Specify the maximum protocol data unit (PDU) size allowed for a
  message. The default value is 535. Valid values are integers from 120 to 1450, inclusive.

• Allowed SNMP Versions — Specify the SNMP version. The following values are available:

   • Allow v1 filtration — Permits SNMP version 1 traffic and allows configuration of object ID (OID)
     filtering. If this option is selected, the list of actions in the SNMP V1 Settings area is available.
   • Allow v2c traffic — Permits SNMP v2c (Community-Based SNMP version 2) traffic.

   • Allow v1 and v2c traffic — Permits both SNMP version 1 and SNMP v2c traffic.

• SNMP V1 Settings — Use this area to configure SNMP filtering properties. The following fields are
  available:

   • Allowed Actions — Specify the types of requests and events that the SNMP proxy will filter. The
     following values are available:

       • Allow get requests — Allows Get and Get Next requests.

       • Allow set requests — Allows Set requests.

       • Allow trap requests — Allows v1 traps.

           The checkboxes that are associated with these options are cleared by default. Select the checkbox
           that is associated with each option to include it in the list of permitted actions.
          Note: If you selected SNMP v2c, all of these options are automatically allowed.
   • OID Filtering — Use the fields in this area to configure properties that are associated with filtering of
     object IDs (OIDs). The following fields are available:

       • Action — Determines whether OID filtering is enabled and whether specified OIDs are allowed or
         denied. The following values are available:
          • Off — Indicates that OID filtering is disabled.

          • Allow — Enables OID filtering and indicates that the specified OIDs are permitted.

          • Deny — Enables OID filtering and indicates that the specified OIDs are denied.
           If Allow or Deny is selected, use the OID Options and OIDS fields to specify the types of OIDs to
           be filtered.

       • OID Options — The following values are available:
          • Standard — Allows you to select an OID from the OIDS list.

          • Custom — Allows you to create a list of desired OIDs by specifying text in the OIDS field.
       • OIDS — Specify the Standard or Custom OIDs to be included.

• OK — Save the changes that were made in this window.

• Cancel — Close this window without saving the changes.
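The SNMP settings above combine four decisions: the PDU size limit, which versions are allowed, which v1 actions are allowed, and the v1 OID filter. The following is an added example, not the guide's or the McAfee proxy's code: it includes just enough BER to build and read SNMPv1/v2c messages (SEQUENCE, INTEGER, OCTET STRING, OID and the context-tagged PDUs), then applies a policy whose fields mirror the window. OID matching is by dotted prefix, v2c messages bypass the v1 action and OID checks as the note above states, and treating GetResponse as permitted whenever get or set is permitted is this example's own assumption.

```python
from dataclasses import dataclass


@dataclass
class SnmpPolicy:
    max_pdu: int = 535          # "Maximum message size (PDU)", valid 120..1450
    allow_v1: bool = False      # "Allow v1 filtration"
    allow_v2c: bool = False     # "Allow v2c traffic"
    allow_get: bool = False     # v1 "Allow get requests" (Get and Get Next)
    allow_set: bool = False     # v1 "Allow set requests"
    allow_trap: bool = False    # v1 "Allow trap requests"
    oid_action: str = "Off"     # "Off" | "Allow" | "Deny"
    oids: tuple = ()            # dotted OID prefixes for Allow/Deny


# --- minimal BER, enough for SNMPv1/v2c (added here, not a library) ---
def tlv(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content


def read_tlv(b, pos=0):
    tag, ln, pos = b[pos], b[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(b[pos:pos + n], "big"), pos + n
    if pos + ln > len(b):
        raise ValueError("length runs past end of message")
    return tag, b[pos:pos + ln], pos + ln


def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                              # base-128, high bit = more
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


PDU_NAMES = {0xA0: "get", 0xA1: "get-next", 0xA2: "response", 0xA3: "set",
             0xA4: "trap", 0xA5: "get-bulk", 0xA6: "inform", 0xA7: "trap"}


def parse_snmp(msg):
    """Return version (0 = v1, 1 = v2c), PDU name and the varbind OIDs."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    (_, ver), (_, community), (pdu_tag, pdu) = children(body)
    fields = children(pdu)
    # whatever the PDU type (including v1 Trap), its last field is the VarBindList
    oids = [decode_oid(children(vb)[0][1]) for _, vb in children(fields[-1][1])]
    return {"version": int.from_bytes(ver, "big", signed=True),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def check_snmp(msg, p):
    """Apply the application-defense policy to one message: (allowed, reason)."""
    if len(msg) > p.max_pdu:
        return False, f"{len(msg)} bytes exceeds maximum PDU {p.max_pdu}"
    try:
        m = parse_snmp(msg)
    except (ValueError, IndexError) as e:
        return False, f"malformed message: {e}"
    if m["version"] not in (0, 1):
        return False, f"unsupported SNMP version {m['version']}"
    if m["version"] == 1:   # v2c: all actions allowed, OID filtering not applied
        return (True, "v2c " + m["pdu"]) if p.allow_v2c else (False, "SNMPv2c not allowed")
    if not p.allow_v1:
        return False, "SNMPv1 not allowed"
    actions = {"get": p.allow_get, "get-next": p.allow_get, "set": p.allow_set,
               "trap": p.allow_trap, "response": p.allow_get or p.allow_set}  # response: assumption
    if not actions.get(m["pdu"], False):
        return False, f"v1 {m['pdu']} is not a permitted action"
    if p.oid_action in ("Allow", "Deny"):
        listed = [o for o in m["oids"] if any(o == x or o.startswith(x + ".") for x in p.oids)]
        if p.oid_action == "Allow" and len(listed) != len(m["oids"]):
            return False, "varbind OID outside the allowed OIDs"
        if p.oid_action == "Deny" and listed:
            return False, f"denied OID {listed[0]}"
    return True, "v1 " + m["pdu"]


def build_snmp(oid, pdu_tag=0xA0, version=0, community=b"public"):
    """Construct a Get/GetNext/Set-style message with one null varbind (sample data)."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))
    ints = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")   # request-id, error-status, error-index
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + tlv(pdu_tag, ints + varbinds))
```

The size check runs before any parsing, so an oversized message is refused without touching the decoder, and a Deny list built from an enterprise prefix such as 1.3.6.1.4.1 blocks every varbind under that subtree while leaving the standard MIB-2 tree alone.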








      Configuring SIP application defenses
      Use the SIP Application Defense window to create and maintain SIP application defenses.
      As described in RFC 3261, SIP (Session Initiation Protocol) is "an application-layer control (signaling)
      protocol for creating, modifying, and terminating sessions with one or more participants. These sessions
      include Internet telephone calls, multimedia distribution, and multimedia conferences."
      The SIP proxy provides transparent VoIP access through the firewall, allowing users to talk through SIP
      devices on configured networks according to the site security policy. SIP is used to establish multimedia
      sessions between endpoints. The SIP proxy transfers the SIP traffic that negotiates the multimedia
      sessions, as well as the multimedia traffic itself.
      Use the SIP Application Defense window to configure general properties and media filters for the SIP
      application defense.
      Figure 165 SIP Application Defense window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the SIP node. The SIP Application Defense window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label for the SIP application defense.

      • Description — Provide information about the SIP application defense.

      • Enforce Media filters — Determines whether media filters are enabled. This checkbox is cleared by
        default. If you select this checkbox, the following fields are enabled in the Media Filters list:

         • Audio — Determines whether SIP agents in the call can negotiate audio connections. If this checkbox
           is cleared, negotiation of audio connections is prohibited.








   • Video — Determines whether SIP agents in the call can negotiate video connections. If this checkbox
     is cleared, negotiation of video connections is prohibited.

• Maximum call duration (sec) — Specify the maximum length of a call in seconds. After this period of
  time elapses, the call is automatically terminated. The default is 86400 seconds. Valid values are integers
  between 60 and 86400, inclusively.

• Peer Types — Use the fields in this area to determine user agents. The following options are available:

   • Only allow SIP user agents — Requires that all calls must be negotiated by the SIP user agents of
     a call. The source and destination of each SIP message must be the SIP user agents (for example, SIP
     phones). Some SIP routers and gateways can masquerade as SIP user agents.

   • Allow SIP user agents and routers — Allows SIP devices to negotiate calls on behalf of the SIP user
     agents. In this case, the source and destination of SIP messages that are processed by the proxy may
     differ from the SIP user agents that are participating in the call.

• OK — Save the changes that were made in this window.

• Cancel — Close this window without saving the changes.
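The media filters and the maximum call duration above act on the SDP offer or answer that SIP carries and on the clock, respectively. The code below is an added example, not the guide's or the McAfee proxy's code: it splits a SIP message into start line, headers and body, reads the media types from the SDP `m=` lines, and applies a policy whose fields mirror the window (Enforce Media filters, Audio, Video, Maximum call duration). The sample INVITE is constructed for the example, and rejecting a prohibited stream by rewriting its port to 0 (the SDP convention from RFC 3264) is one possible treatment chosen here, not a behaviour the guide describes.

```python
from dataclasses import dataclass


@dataclass
class SipPolicy:
    enforce_media_filters: bool = False  # "Enforce Media filters"
    allow_audio: bool = True             # "Audio" checkbox in the Media Filters list
    allow_video: bool = True             # "Video" checkbox in the Media Filters list
    max_call_seconds: int = 86400        # "Maximum call duration (sec)", 60..86400


def duration_valid(seconds):
    """The guide limits the call-duration setting to integers from 60 to 86400."""
    return isinstance(seconds, int) and 60 <= seconds <= 86400


def parse_sip(raw):
    """Split a SIP message into start line, header dict (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media_types(sdp):
    """Media types announced by m= lines, e.g. ['audio', 'video']."""
    return [line.split()[0][2:] for line in sdp.splitlines() if line.startswith("m=")]


def check_sip_message(raw, policy):
    """Apply the media filters to any SIP message carrying SDP. Returns (allowed, reason)."""
    start, headers, body = parse_sip(raw)
    if not policy.enforce_media_filters:
        return True, "media filters not enforced"
    if "application/sdp" not in headers.get("content-type", "").lower():
        return True, f"{start.split()[0]}: no SDP body"
    for media in sdp_media_types(body):
        if media == "audio" and not policy.allow_audio:
            return False, "audio negotiation prohibited"
        if media == "video" and not policy.allow_video:
            return False, "video negotiation prohibited"
    return True, "SDP media permitted"


def reject_media_lines(sdp, policy):
    """Alternative to dropping the message: set the port of each prohibited m= line
    to 0, which RFC 3264 defines as rejecting that media stream (example's choice)."""
    out = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            parts = line.split()
            media = parts[0][2:]
            if (media == "audio" and not policy.allow_audio) or \
               (media == "video" and not policy.allow_video):
                parts[1] = "0"
                line = " ".join(parts)
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def call_expired(started_at, now, policy):
    """True once a call has run longer than the configured maximum duration."""
    return now - started_at > policy.max_call_seconds


# Constructed sample INVITE with an SDP offer for audio and video (not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
```

Because SDP can appear in a 200 OK answer as well as in the INVITE, the check keys on the Content-Type header rather than on the request method.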


Configuring SSH application defenses
Use the SSH Application Defense window to configure advanced properties for SSH proxy rules.
Figure 166 SSH Application Defense window








      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the SSH node. The SSH Application Defense window is displayed.

      Fields and buttons
      This window contains the following fields and buttons:
      • Name — Specify a label for the SSH application defense.

      • Description — Provide information about the SSH application defense.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving the changes.

      Tabs
      This window also has the following tabs:
      • Channels — Configure channel filtering for SSH connections. For more information, see SSH Application
        Defense window: Channels tab on page 410.

      • Client Authentication — Configure client authentication methods and the client greeting banner. For
        more information, see SSH Application Defense window: Client Authentication tab on page 411.

      • Client Advanced — Configure advanced options for client connections. For more information, see SSH
        Application Defense window: Client Advanced tab on page 412.
      • Server Advanced — Configure advanced options for server connections. For more information, see SSH
        Application Defense window: Server Advanced tab on page 414.

      SSH Application Defense window: Channels tab
      Use the Channels tab to configure channel filtering for SSH connections. For information about the fields on
      this tab, see Figure 166 on page 409.

      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the SSH node. The SSH Application Defense window is displayed.

      4 Make sure that the Channels tab is selected.

      Fields and buttons
      This tab has the following fields and buttons:
      • Allow remote shell execution — Determines whether to allow terminal access to remote hosts.

      • Allow remote command execution (includes SCP) — Determines whether to allow commands to be
        sent to remote hosts.
         Note: Select this option to allow Secure Copy (SCP) file transfers. Because SCP uses remote command
         execution to transfer files, it cannot function without remote command execution.

      • Allow X11 forwarding — Determines whether to allow UNIX-based X Window System traffic.

      • Port forwarding (tunneling) — Use the fields in this area to determine the way that port forwarding is
        controlled. Port forwarding allows the TCP/IP connection of another application to be redirected through
        an SSH tunnel. The following fields are available:

         • Allow local port forwarding — Determines whether to allow hosts to initiate port forwarding.








   • Allow remote port forwarding — Determines whether to allow hosts to request that the remote host
     initiate port forwarding.

• Allowed SFTP operations — Use the fields in this area to determine the SSH File Transfer Protocol
  (SFTP) operations that you want to allow. Select one of the following options:

   • None — Denies all SFTP operations.

   • Any — Allows all SFTP operations.

   • Selected from list — Specify the SFTP operations to allow. Manually select the operations in the
     Operation list.

• Allowed non-SFTP subsystems — Use the fields in this area to determine the non-SFTP subsystems
  that you want to allow. Select one of the following options:

   • None — Denies all non-SFTP subsystems.

   • Any — Allows all non-SFTP subsystems.

   • Selected from list — Specify the non-SFTP subsystems to allow. For each subsystem that you want
     to allow, specify the name of the subsystem in the Allowed Subsystems field.

       To delete a subsystem from this list, highlight the subsystem and click x (Delete).

SSH Application Defense window: Client Authentication tab
Use the Client Authentication tab of the SSH Application Defense window to configure client authentication
methods and the client greeting banner.
Figure 167 SSH Application Defense window: Client Authentication tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the SSH node. The SSH Application Defense window is displayed.

4 Select the Client Authentication tab.








      Fields and buttons
      This tab has the following fields and buttons:
      • Allowed client authentication methods — Use the fields in this area to determine the authentication
        methods to allow. The following fields are available:

         • Any — Select this option to allow any authentication method on which the client and server agree.

         • Selected from list — Select this option to specify that only the selected authentication methods are
           allowed.

             To add a new, custom authentication method to this list, click New. The Client Authentication - New
             Method window is displayed. Specify a value in the Method field and click OK. Only custom methods
             that are created in this way can be deleted.
             Note: The publickey and hostbased authentication methods are not supported.

             To delete a custom authentication method, highlight the method in the list and click Delete.

             • Enabled — Determines whether this authentication method is allowed.

             • Authentication Method — [Read-only] Displays the names of the authentication methods. The
               following values are provided by default:
                • keyboard-interactive — Indicates that authentication methods that are based on the
                  keyboard-interactive method that is defined in RFC 4252 are allowed.

                • password — Indicates that password authentication is allowed.

      • Client greeting — Specify the text for a message that is sent to the client immediately after a secure
        connection is established. Clear this field if you do not want to use a client greeting.

      SSH Application Defense window: Client Advanced tab
      Use the Client Advanced tab of the SSH Application Defense window to configure advanced options for
      client connections.
      Figure 168 SSH Application Defense window: Client Advanced tab








Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the SSH node. The SSH Application Defense window is displayed.

4 Select the Client Advanced tab.

Fields and buttons
This tab has the following fields and buttons:
• Encryption — Use the fields in this area to configure the rekey options for the client connection. When
  a rekey is triggered, the firewall and the client renegotiate the shared key that is used to encrypt the
  session. Configure the following options:
   Note: If you select both options, the first threshold that is reached triggers a rekey. When a rekey occurs, both
   counters are reset.

   • Rekey after specified bytes — Determines whether to specify a data threshold. The client connection
     is rekeyed when the data threshold is reached.

   • Rekey after specified time — Determines whether to specify a time threshold. The client connection
     is rekeyed when the specified time elapses.

   Also in this Encryption area are several other fields. Select the down arrow to configure each set of
   allowed algorithms and the order in which they are presented.

   • Cipher algorithms — Cipher algorithms are used to encrypt the client connection.

   • MAC algorithms — Message Authentication Code (MAC) algorithms are used to verify the integrity of
     the client connection.

   • Key exchange methods — Key exchange methods are used to establish the shared session keys between
     the SSH proxy and the client.

• Proxy host keys — Use the fields in this area to select the SSH host keys that the SSH proxy presents
  to clients. You can also specify firewall keys that are used to override the default keys. By default, this
  application defense will use the Default_RSA_Key value and the Default_DSA_Key value specified on the
  SSH Keys tab in the Certificates area on the Firewall window. To use a key other than one of the default
  keys mentioned above for a specific firewall, you must select it in the respective key field in this area.

   • Preferred type — Specify the type of key that the proxy presents to clients by default. Valid values
     are DSA and RSA.
   • Firewall — Specify the name of the firewall to which you are adding a firewall key.

   • DSA Key — Specify the DSA key that the proxy presents to clients. If this field is left blank, the default
     DSA key will not be used.

   • RSA Key — Specify the RSA key that the proxy presents to clients. If this field is left blank, the default
     RSA key will not be used.

   • Delete — Click x (Delete) in the row to delete the firewall key.

• Known bugs handling — Use the fields in this area to configure the way that the SSH proxy handles
  bugs in the client connection:

   • Software version — Specify the server name that the SSH proxy uses to represent itself to clients.
     Clients use this information to work around known bugs in SSH servers. The default value is
     OpenSSH_4.6.

   • Inability to rekey — Determines whether connections from clients that do not have the ability to
     rekey are rejected.








      SSH Application Defense window: Server Advanced tab
      Use the Server Advanced tab of the SSH Application Defense window to configure advanced options for
      server connections.
      Figure 169 SSH Application Defense window: Server Advanced tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the SSH node. The SSH Application Defense window is displayed.

      4 Select the Server Advanced tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Encryption — Use the fields in this area to configure the rekey options for the server connection. When
        a rekey is triggered, the firewall and the server renegotiate the shared key that is used to encrypt the
        session. The following fields are available:
         Note: If you select both options, the first threshold that is reached triggers a rekey. When a rekey occurs, both
         counters are reset.

         • Rekey after specified bytes — Determines whether to specify a data threshold. The server
           connection is rekeyed when the data threshold is reached.

         • Rekey after specified time — Determines whether to specify a time threshold. The server connection
           is rekeyed when the specified time elapses.

             Also in this Encryption area are several other fields. Click the down arrow to configure each set of
             allowed algorithms and the order in which they are presented.

         • Cipher algorithms — Cipher algorithms are used to encrypt the server connection.

         • MAC algorithms — Message Authentication Code (MAC) algorithms are used to verify the integrity of
           the server connection.








   • Key exchange methods — Key exchange methods are used to establish the shared session keys between
     the SSH proxy and the server.

• Allowed server key types — Use the fields in this area to determine the types of host keys that the SSH
  proxy accepts from servers.
   Note: You cannot select the same value for both allowed server key types. If you do not want to configure a
   secondary key type, select <None>.

   • Primary key — Specify the preferred server key type.

   • Secondary key — Specify the type of server key to accept if the primary server key type is not
     available.

• Key checking policy — Specify the level of inspection that is applied to server host keys. If a server’s
  host key does not meet the requirements set by the selected value, the connection is denied. To view
  descriptions of these levels, select the level and view the text on the window.

   • Strict

   • Medium

   • Relaxed

• Known bugs handling — Use the fields in this area to configure the way that the SSH proxy handles
  bugs in the server connection:

   • Software version — Specify the client name that the SSH proxy uses to represent itself to servers.
     Servers use this information to work around known bugs in SSH clients. The default value is
     OpenSSH_4.6.

   • Inability to rekey — Determines whether connections to servers that do not have the ability to rekey
     are rejected.


Configuring Packet Filter application defenses
Use the Packet Filter Application Defense window to configure advanced properties for rules that use filter
agents. To use a Packet Filter application defense, you must first configure a service that uses a filter
agent and then apply that service to a rule. A filter agent is responsible for handling a service's traffic.
The following filter agents may be used to create services:
• TCP/UDP Packet Filter — Used to create services for the UDP and TCP protocols

• ICMP Packet Filter — Used to create services for the ICMP protocol

• FTP Packet Filter — Used to create services for the FTP protocol

• Other Protocol Packet Filter — Used to create services for such protocols as AH, ESP, and GRE

Filter services inspect traffic at the network (IP) and transport (TCP/UDP) layers. They inspect a packet's
source and destination IP address, protocol, and if applicable, port. They are not application aware and
cannot enforce traffic based on the application protocol. Filter application defenses can be used to control
request and response rates, error and control messages, and the audit rate for denied filter rules.




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                    415
Application defenses




      Figure 170 Packet Filter Application Defense window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Application Defenses node.

      3 Double-click the Packet Filter node. The Packet Filter Application Defense window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — [Required] Specify a label for the Packet Filter application defense.

      • Description — Provide information about the Packet Filter application defense.

      • OK — Save the changes made on this window.

      • Cancel — Close this window without saving any changes.

      • Versions — Click this button to view a display of all of the fields on this window that have version-specific
        availability. You can also view this same information at the field level by holding your mouse over the
        version level icon and viewing the ToolTip.
         Note: This button is displayed only if a version 7.0.1 or later firewall has IPv6 enabled.

      Tabs
      This window also has the following tabs:
      • General — Determine whether to limit the request rate and to configure audit parameters. For more
        information, see Packet Filter Application Defense window: General tab on page 417.

      • Advanced — Control the types of ICMP and IPv6 messages (if IPv6 is enabled) that can be generated by
        a rule's TCP/UDP traffic. For more information, see Packet Filter Application Defense window: Advanced
        tab on page 417.








Packet Filter Application Defense window: General tab
Use the General tab of the Packet Filter Application Defense window to limit the request rate to a particular
number of packets per second and to configure audit parameters. To view the fields on this tab, see
Figure 170 on page 416.

Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the Packet Filter node. The Packet Filter Application Defense window is displayed.

4 Make sure that the General tab is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Limit request rate to n requests/second — Determines whether the number of packets that are
  allowed per second is limited. This checkbox is cleared by default. If this checkbox is selected, you can
  select the number of packets (n) per second.
• Auditing — Use the fields in this area to determine frequencies for audits. The following fields are
  available:

   • Audit the first n denied requests every n second — Specify the number of denied requests to audit
     in a specified number of seconds. An audit record will be generated for the first n occurrences every n
     seconds.

   • Provide informational audits every n requests — Determines whether informational audits are
     provided at a specified frequency. This checkbox is cleared by default. If this checkbox is selected, you
     can select an appropriate number of requests (n).
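The two General tab controls interact over time: the request-rate limit turns surplus packets into denials, and the auditing fields then decide which of those denials produce an audit record. The following Python is an added example, not code from the guide or the product; the class and field names, the one-second bucket and the choice to count every packet toward the informational audit are assumptions made here to show the behaviour on a constructed packet trace.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PacketFilterDefense:
    """Settings from the General tab. Field names follow the page; the types,
    defaults and Python names are assumptions of this example."""
    limit_requests_per_second: Optional[int] = None  # None: checkbox cleared
    audit_first_n_denied: int = 5                    # "Audit the first n denied requests ..."
    audit_window_seconds: float = 60.0               # "... every n seconds"
    informational_every_n: Optional[int] = None      # None: checkbox cleared


@dataclass
class PacketFilterState:
    """Per-rule counters needed to apply the defense over time."""
    defense: PacketFilterDefense
    second_start: float = 0.0
    packets_this_second: int = 0
    window_start: float = 0.0
    denied_audited_in_window: int = 0
    requests_seen: int = 0

    def handle(self, ts: float, rule_allows: bool) -> Tuple[str, List[str]]:
        """Return ('allow' | 'deny', audit kinds raised) for one packet seen at time ts."""
        d = self.defense
        audits: List[str] = []
        self.requests_seen += 1
        decision = "allow" if rule_allows else "deny"

        # Request-rate limit: packets beyond n inside the current one-second bucket are denied.
        if decision == "allow" and d.limit_requests_per_second is not None:
            if ts - self.second_start >= 1.0:
                self.second_start, self.packets_this_second = ts, 0
            self.packets_this_second += 1
            if self.packets_this_second > d.limit_requests_per_second:
                decision = "deny"

        # Denied-request auditing: only the first n denials in each window get a record,
        # so a flood of denied packets cannot itself flood the audit log.
        if decision == "deny":
            if ts - self.window_start >= d.audit_window_seconds:
                self.window_start, self.denied_audited_in_window = ts, 0
            if self.denied_audited_in_window < d.audit_first_n_denied:
                self.denied_audited_in_window += 1
                audits.append("denied")

        # Informational audit every n requests (assumed here to count every packet seen).
        if d.informational_every_n and self.requests_seen % d.informational_every_n == 0:
            audits.append("info")
        return decision, audits


def simulate(defense: PacketFilterDefense,
             packets: List[Tuple[float, bool]]) -> List[Tuple[str, List[str]]]:
    """Run a constructed trace of (timestamp, rule_allows) packets through the defense."""
    state = PacketFilterState(defense)
    return [state.handle(ts, ok) for ts, ok in packets]


if __name__ == "__main__":
    # Constructed configuration: at most 2 packets/second, audit 1 denial per 10-second window.
    cfg = PacketFilterDefense(limit_requests_per_second=2, audit_first_n_denied=1,
                              audit_window_seconds=10.0)
    trace = [(0.0, True), (0.2, True), (0.4, True), (0.6, True), (1.5, True), (12.0, False)]
    for (ts, _), (decision, audits) in zip(trace, simulate(cfg, trace)):
        print(f"t={ts:5.1f} {decision:5} audits={audits}")
```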

Packet Filter Application Defense window: Advanced tab
Use the Advanced tab of the Packet Filter Application Defense window to specify the types of ICMP and IPv6
messages (if IPv6 is enabled) that can be generated by a rule's TCP/UDP traffic.
Figure 171 Packet Filter Application Defense window with IPv6 enabled




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Application Defenses node.

3 Double-click the Packet Filter node. The Packet Filter Application Defense window is displayed.

4 Select the Advanced tab. The Advanced tab of the Packet Filter Application Defense window is displayed.








      Fields and buttons
      This tab has the following fields and buttons:
      • Allowed control and error responses — Specify the types of responses that are allowed. The
        checkboxes that are associated with these responses are cleared by default. Select the checkbox that is
        associated with each response to include it in the list of allowed responses. Right-click on the column
        heading to access options to quickly select or clear fields. The following options are available:

         • Select All — Select all responses.

         • Unselect All — Clear all responses.

      • Allowed IPv6 control and error responses — [Available only for version 7.0.1 firewalls and later with
        IPv6 enabled] Specify the types of IPv6 responses that are allowed. The checkboxes that are associated
        with these responses are cleared by default. Select the checkbox that is associated with each response to
        include it in the list of allowed responses. Right-click on the column heading to access options to quickly
        select or clear fields. The following options are available:

         • Select All — Select all responses.

         • Unselect All — Clear all responses.


      Configuring application defense groups
      Use the Application Defense Groups window to create and maintain application defense groups. An
      application defense group consists of one application defense for each existing type of application defense.
      Application defense groups are used in rules to specify advanced properties for service groups. One
      application defense group is set as the default and is selected by default when a new rule that uses an
      application defense is created. Only application defenses that apply to the services that are specified on the
      rule are implemented in the rule. For more information, see Configuring rules on page 533.
      Figure 172 Application Defense Groups window








       Accessing this window
       1 In the Configuration Tool, select the Policy group bar.

       2 Select the Application Defenses node.

       3 Double-click the Group node. The Application Defense Groups window is displayed.

       Fields and buttons
       This window has the following fields and buttons:
       • Name — Specify a label to refer to the group application defense.

       • Description — Provide information about the group application defense.

       • Mapping List — Use the fields in this table to associate a particular application defense with each type
         of application defense that is available. The following columns are available:

          • Type — [Read-only] Displays the types of application defenses available.

          • Name — [Read-only] Displays all of the application defenses that have previously been defined for the
            value that you have selected in the Type field. Specify the application defense to be associated with
            the selected type.

          • Add — Displays the window for the selected application defense type, in which you can create a new
            application defense. When you have saved the application defense (by clicking OK), the newly created
            application defense is added to the list of application defenses in the Name column and it is selected.

       • OK — Save the changes that you made on this window.

       • Cancel — Close this window without saving any changes.



IPS inspection
       Use the IPS object to configure IPS response mappings and signature groups.
       • A response mapping contains a list of class types, their threat level, and their response settings. Each
         class type refers to a set of known network-based attacks. Class types classified as IPS detect confirmed
         attacks that are also considered dangerous. Class types classified as IDS detect either suspected attacks
         or traffic that is considered less dangerous, such as probe or discovery activity. Class types classified as
         Policy identify traffic based on organizational security practices. For more information, see Configuring
         IPS response mappings on page 420.

       • A signature group can contain one or more signature categories. A signature category is a category of
         signatures that all involve the same type of attack. The IPS engine provides the categories and may
         update them occasionally.

          You can also add individual signatures to a signature group. This gives you finer control in creating a
          signature group, and it allows you to add Policy signatures, which are not included in the default
          signature categories because they are specific to an organization. For more information, see
          Configuring IPS signature groups on page 421.








      Configuring IPS response mappings
      Use the IPS Response Mapping window to create and maintain IPS response mappings. A response
      mapping associates a class type with an action. A class type defines the nature and severity of attack (for
      example, backdoor activity, root-level exploit, worms, and viruses). You can specify a wide variety of
      responses—from allowing, but auditing, suspicious traffic to prohibiting the traffic. You can also prohibit (or
      blackhole) the traffic for a specified period of time.
      A response mapping describes the response that should be taken for traffic that matches signatures of
      specified class types.
      Figure 173 IPS Response Mapping window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the IPS node.

      3 Double-click the Response Mappings node. The IPS Response Mapping window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — [Required] Specify a unique label that is used to refer to the response mapping. You can specify
        up to 100 characters.

      • Description — Provide information about the response mapping.

      • Name — [Read-only] Displays the names of the class types.

      • Type — [Read-only] Displays the associated signature type, which also more specifically defines the type
        of traffic to match. The following options can be displayed:

         • IPS — Indicates a prevention signature. This indicates a higher probability of a real attack and implies
           a stronger response (for example, prohibit the traffic and generate an audit event).

         • IDS — Indicates a detection signature. This indicates a suspected attack or activity that is considered
           less dangerous, such as a probe or a discovery activity. It also implies a more lenient response (for
           example, allow the traffic, but generate an audit event).

         • POLICY — Indicates traffic based on organizational security practices.







• Response — Specify the action to take for the values specified in the Name and Type fields. The following
  values are available:

   • Allow no Audit — Allow the anomalous traffic to pass, but do not generate an IPS audit event.

   • Allow — Allow the anomalous traffic to pass and generate an IPS audit event.

   • Blackhole — Prohibit traffic from an offending host for a period of time specified by the value in the
     Duration(s) field and generate an IPS audit event.

   • Deny — Prohibit traffic, send a TCP Reset to the originating host, indicating that the connection has
     been closed, and generate an IPS audit event.

   • Drop — Prohibit anomalous traffic and generate an IPS audit event.

   • Drop no Audit — Prohibit anomalous traffic, but do not generate an IPS audit event.

• Duration(s) — [Available only if the Response field value is Blackhole] Specify the length of time (in
  seconds) during which traffic from an offending host is prohibited. Valid values range from 0 through
  100000. A value of 0 indicates that the offending host is blackholed for an indefinite amount of time. The
  default value is 0.

• Description — [Read-only] Displays information about the associated class type.

• OK — Save the changes that you have made on this window.

• Cancel — Close this window without saving any changes.
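The Response and Duration(s) values above define a small state machine: each match of a class type yields pass/block, an optional TCP reset, an optional audit event, and for Blackhole a per-host block that expires after the duration (or never, when the duration is 0). The Python below is an added example, not the guide's or the firewall's code; the class type names, hosts (192.0.2.x documentation addresses) and the assumption that an already blackholed host is silently discarded and that unmapped class types fall back to Allow no Audit are constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The six Response values from the page, as (traffic passes?, TCP reset sent?, audit event?).
RESPONSES: Dict[str, Tuple[bool, bool, bool]] = {
    "Allow no Audit": (True, False, False),
    "Allow":          (True, False, True),
    "Blackhole":      (False, False, True),
    "Deny":           (False, True, True),
    "Drop":           (False, False, True),
    "Drop no Audit":  (False, False, False),
}
MAX_DURATION = 100000  # Duration(s) valid range is 0 through 100000; 0 means indefinite


@dataclass
class Verdict:
    action: str      # allow / deny / drop / blackhole / blackholed (existing block still active)
    tcp_reset: bool
    audit: bool


@dataclass
class ResponseMapping:
    """class type -> (Response, Duration(s)). Duration only matters for Blackhole."""
    name: str
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def set(self, class_type: str, response: str, duration: int = 0) -> None:
        if response not in RESPONSES:
            raise ValueError(f"unknown response {response!r}")
        if not 0 <= duration <= MAX_DURATION:
            raise ValueError("Duration(s) must be 0 through 100000")
        self.entries[class_type] = (response, duration)


class IpsEngine:
    def __init__(self, mapping: ResponseMapping) -> None:
        self.mapping = mapping
        self.blackholed: Dict[str, Optional[float]] = {}  # host -> expiry time, None = indefinite

    def is_blackholed(self, host: str, now: float) -> bool:
        """True while a blackhole entry is active; expired entries are dropped on lookup."""
        if host not in self.blackholed:
            return False
        expiry = self.blackholed[host]
        if expiry is None:            # Duration(s) of 0: blocked until manually cleared
            return True
        if now >= expiry:
            del self.blackholed[host]
            return False
        return True

    def evaluate(self, now: float, src_host: str, class_type: str) -> Verdict:
        """Decide what happens to one signature match from src_host at time now."""
        if self.is_blackholed(src_host, now):
            # Assumption: traffic inside an active blackhole period is discarded without a new audit.
            return Verdict("blackholed", False, False)
        # Assumption: class types absent from the mapping get no IPS response.
        response, duration = self.mapping.entries.get(class_type, ("Allow no Audit", 0))
        passes, reset, audit = RESPONSES[response]
        if response == "Blackhole":
            self.blackholed[src_host] = None if duration == 0 else now + duration
            return Verdict("blackhole", False, audit)
        if passes:
            return Verdict("allow", False, audit)
        return Verdict("deny" if reset else "drop", reset, audit)


def build_constructed_mapping() -> ResponseMapping:
    """Constructed sample mapping; the class type names are illustrative only."""
    m = ResponseMapping("constructed-example")
    m.set("backdoor", "Blackhole", 60)
    m.set("discovery", "Allow")
    m.set("worm", "Deny")
    m.set("rootkit", "Blackhole", 0)
    return m


if __name__ == "__main__":
    engine = IpsEngine(build_constructed_mapping())
    for now, host, cls in [(0.0, "192.0.2.10", "backdoor"), (10.0, "192.0.2.10", "discovery"),
                           (70.0, "192.0.2.10", "discovery"), (0.0, "192.0.2.20", "worm")]:
        print(now, host, cls, engine.evaluate(now, host, cls))
```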


Configuring IPS signature groups
Use the IPS Signature Group window to create and maintain IPS signature groups. Use signatures to detect
particular types of network attacks (for example, back-door activity, root user exploit, worms, and viruses).
They are contained in signature categories such as BROWSER - IE, DB - MSSQL, and FTP - LOGIN, and
those signature categories can be grouped. Many signature groups are defined for you by default. However,
you can also create your own groups by using this window.
Figure 174 IPS Signature Group window








      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the IPS node.

      3 Double-click the Signature Groups node. The IPS Signature Group window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — [Required] Specify a unique label used to refer to the signature group.

      • Description — Provide information about the signature group.

      • OK — Save the changes made on this window.

      • Cancel — Close this window without saving any changes.

      Tabs
      This window also has the following tabs:
      • Categories — View a list of all of the available signature categories from which you can build a signature
        group. For more information, see IPS Signature Group window: Categories tab on page 422.

      • Signatures — View a list of all of the available signatures from which you can build a signature group.
        For more information, see IPS Signature Group window: Signatures tab on page 423.

      IPS Signature Group window: Categories tab
      Use the Categories tab of the IPS Signature Group window to select the categories to be used in an IPS
      signature group. To view the fields on this tab, see Figure 174 on page 421.

      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the IPS node.

      3 Double-click the Signature Groups node. The IPS Signature Group window is displayed.

      4 Make sure that the Categories tab is selected.

      Fields and buttons
      This tab has the following fields and buttons:
      • Enable — Determines whether the signature category is included in the signature group. This checkbox
        is cleared by default. If this checkbox is selected, the IPS and IDS checkboxes are enabled, and at least
        one of them (IPS, IDS, or both) must be selected.

      • Category — [Read-only] Lists all of the available signature categories.

      • IPS — Determines whether the IPS signatures in the associated category are enabled. IPS signatures are
        used to identify attacks that are an exact match to a signature file. This checkbox is selected by default.
        However, only if you select Enable is this signature enabled.

      • IDS — Determines whether the IDS signatures in the associated category are enabled. IDS signatures
        are used to identify attacks that are considered minor, such as probe or discovery activity, or they are
        suspected attacks, meaning that the signature might incorrectly identify legitimate traffic as an attack.
        This checkbox is selected by default. However, only if you select Enable is this signature enabled.

      • Description — [Read-only] Displays useful information about the signature.








IPS Signature Group window: Signatures tab
Use the Signatures tab of the IPS Signature Group window to select the signatures to be used in an IPS
signature group.
Note: If you have selected one or more categories on the Categories tab, the signatures in this list that are part
of those categories will automatically be selected and will be displayed with a grey background.

Figure 175 IPS Signature Group window: Signatures tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the IPS node.

3 Double-click the Signature Groups node. The IPS Signature Group window is displayed.

4 Select the Signatures tab.

Fields and buttons
This tab has the following fields and buttons:
Because your list of objects (where objects refers to the entity for which you are searching) could
potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by
using the Find filtering mechanism.
1 In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.

2 Click the down arrow to select the display for the search results (Highlight matching <objects> [where
   <objects> is the entity for which you are searching] or Only display matching <objects> [where
   <objects> is the entity for which you are searching]).

3 Click Find or press Enter. The results are displayed. If you had selected the highlight option, all objects
   that match the value in the Search field are highlighted in yellow. If you selected the other value, you
   will see only those objects that matched your search criteria.

4 Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view
   all of the objects again, click Clear Find Results.

• Search — Provides a filtering mechanism for viewing signatures in this list. See the procedure above for
  more information about how to perform a search.

• Enabled — Determines whether this signature will be added to the signature group.

• Name — [Read-only] Displays the name of the signature.

• Category — [Read-only] Displays the signature category for this signature. A signature category is a
  category of signatures that all involve the same type of attack. The signature category is classified by the
  network service targeted for attack, and it consists of a main category and a subcategory.








       • Class Type — [Read-only] Displays the class type for the signature. The class type identifies the intended
         purpose of the attack, such as Root Level Exploit or Discovery.

       • Type — [Read-only] Displays the threat level attribute for the signature. This threat level indicates a
         relationship between confidence level and severity. The following types can be displayed:

          • IPS — Detects attacks that are considered dangerous.

          • IDS — Detects attacks that are either considered minor (such as probe or discovery activity) or they
            are suspected attacks, meaning that the signature will possibly incorrectly identify legitimate traffic as
            an attack.

          • Policy — Identifies network traffic that you want to control based on your organization’s security
            policy, such as instant messaging or P2P communication.

       • Date Added — [Read-only] Displays the date that this signature was added or last updated.

       • Vulnerability — Displays the number that was assigned by Common Vulnerabilities and Exposures
         (CVE). Two types of identifiers can appear for a signature:

          • If CVE precedes the number, the vulnerability has been reviewed and accepted by CVE and is an official
            entry in the CVE list.

          • If CAN or nothing precedes the number, the vulnerability is under review by CVE and is not yet an
            official entry in the CVE list.

          • If NONE is displayed, CVE has not reviewed this signature.

          To view the CVE Web page associated with this number in a Web browser, click the link.

       • SID — [Read-only] Displays the signature ID (SID) for the signature that was automatically generated
         by the originator of the signature.

       • Description — [Read-only] Displays the description for the signature.



Authentication services
       Authentication refers to a process that validates a person’s identity before he or she is allowed to pass
       traffic through the firewall.
       The firewall authenticates two types of users:
       • Administrators who are connecting to the firewall

       • Proxy users who are connecting through the firewall

       The supported firewalls use similar, but different, objects to support different configuration options for
       authentication services and rules. When assigning an authenticator to a rule, you have the option of
       restricting proxy connections to specific external user groups, which are configured by using the External
       Group window in the User area. This area provides an overview of the authenticators and their use:
       • Password authenticators — Standard password authentication requires a user to specify the same
         password each time he or she logs in.

          Standard password authentication is typically used for internal-to-external SOCKS 5, Telnet, FTP, and
          HTTP connections through the firewall, and for administrators logging into the firewall from the
          internal (trusted) network.

          See Configuring password authenticators on page 426.








• Passport authenticators — Passport (also known as single sign-on) works in conjunction with a
  specified authentication method to allow access to multiple services with a single successful
  authentication to the firewall. Passport also allows authentication for encrypted services and services that
  do not handle authentication.

   A successful passport authentication caches the source IP address for a specified time. All further
   proxy connections that require Passport authentication will check that cache for a successfully
   authenticated user. If the source IP address exists in the cache, and Passport is the authentication
   method for the rule, the connection is allowed without being prompted for authentication.

   You can configure the firewall to revoke the passport after a specified time period has passed (for
   example, you may choose to require each user to re-authenticate every two hours). You can require a
   user to re-authenticate after a specified period of idle time (for example, a user must re-authenticate
   if the passport has not been accessed for one hour or more). You can also manually revoke a Passport
   for a specific user or for all users at any time.

   See Configuring passport authenticators on page 428.

• RADIUS authenticators — The Remote Authentication Dial In User Service (RADIUS) is a client/server
  protocol described in RFC 2138, 2865, and 2866. RADIUS enables remote access servers to communicate
  with a central server to authenticate users and authorize their access to the requested system or service.
  RADIUS allows a company to maintain user profiles in a central database that all remote servers can
  share. It provides better security, allowing a company to set up a policy that can be applied at a single
  administered network point. Having a central service also means that it's easier to track usage and easier
  to keep network statistics.

   If your organization operates a RADIUS server, you can use it to provide strong authentication for
   SOCKS 5, Telnet, FTP, and HTTP sessions through the firewall. It can also be used to authenticate
   logins and SSH logins to the firewall. SafeWord RemoteAccess and SafeWord PremierAccess are
   RADIUS servers that have been certified for full interoperability with the firewall.

   See Configuring RADIUS authenticators on page 431.

• Safeword authenticators — The SafeWord family of authentication servers that interoperate with the
  firewall includes SafeWord RemoteAccess and SafeWord PremierAccess.

   With SafeWord PremierAccess, you can use fixed passwords or passcode authentication for Telnet and
   FTP sessions through the firewall, and for administrator login attempts directly to the firewall or
   through an SSH session. You can authenticate HTTP (Not all tokens support this option.)

• Windows Domain authenticators — If your organization operates a Windows primary domain
  controller (PDC) or backup domain controller (BDC), you can use it to provide authentication for login,
  SOCKS 5, Telnet, FTP, HTTP, and SSH sessions to the firewall. The PDC or BDC can be used to provide
  password authentication. Be sure the domain controller does not allow blank or default logins that can be
  easily guessed by outsiders.
   You can also use transparent browser authentication. For more information about configuring your
   organization’s PDC or BDC to use transparent browser authentication on the firewall, see the related
   application note located in the Application Notes area of the McAfee Knowledge Base.
   Note: Transparent browser authentication is also known as NT LAN Management (NTLM) or integrated
   Windows authentication.

   See Configuring Windows Domain authenticators on page 438.








      • LDAP authenticators — Lightweight Directory Access Protocol (LDAP) is a protocol used by many
        different authentication servers. You can use the LDAP authentication servers, listed here, to provide fixed
        password authentication for SOCKS 5, Telnet, FTP, and HTTP sessions through the firewall. It can also be
        used to authenticate logins and SSH logins to the firewall.

         You can set up an LDAP directory server containing users and passwords. Use any valid combination of
         LDAP attributes and values as an optional filter string to distinguish authorized firewall users. The
         following LDAP servers are supported:

         • Active Directory authenticators — Lightweight Directory Access Protocol (LDAP) server owned by
           Microsoft.

         • iPlanet authenticators — Lightweight Directory Access Protocol (LDAP) server owned by iPlanet, Inc.

         • Open LDAP authenticators — OpenLDAP Software is a free, open source implementation of LDAP
           developed by the OpenLDAP Project.

         • Custom LDAP authenticators — Use Custom LDAP to customize the directory user identifier and
           directory member identifier, the attributes used in the LDAP server searches.

         See Configuring OpenLDAP authenticators on page 450 or Configuring custom LDAP authenticators on
         page 455.

      • Common Access Card (CAC) authenticators — [Available only for firewall versions 7.0.1.02 and later]
        Use the CAC authenticator to log into a firewall by using a U.S. Department of Defense Common Access
        Card (CAC). You can log into a firewall by using the McAfee Firewall Enterprise Admin Console, Telnet, or
        SSH. Generate a one-time password on a secure web page on the firewall and specify that password in
        the appropriate login field.

         See Configuring CAC authenticators on page 459.
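The Passport bullet above describes a cache keyed by source IP address with three ways for an entry to end: an absolute revocation period, an idle timeout, and manual revocation. The Python below is an added example of that cache, not code from the guide or the firewall; the class names, the 10.0.0.x addresses and user names are constructed, and the limits use the page's own illustrative values (two hours absolute, one hour idle).

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PassportAuthenticator:
    """Session settings from the Passport overview. Values are the page's examples
    (re-authenticate every two hours, idle limit one hour); None disables a limit."""
    revoke_after_seconds: Optional[float] = 2 * 3600
    idle_timeout_seconds: Optional[float] = 3600


@dataclass
class PassportEntry:
    user: str
    issued_at: float   # when the underlying authentication succeeded
    last_used: float   # last time a rule consulted this passport


class PassportCache:
    """Cache of source IP addresses that completed a Passport authentication."""

    def __init__(self, config: PassportAuthenticator) -> None:
        self.config = config
        self.entries: Dict[str, PassportEntry] = {}

    def grant(self, now: float, src_ip: str, user: str) -> None:
        """Record a successful authentication with the configured method for src_ip."""
        self.entries[src_ip] = PassportEntry(user, now, now)

    def lookup(self, now: float, src_ip: str) -> Optional[str]:
        """Return the cached user if the passport is still valid, else None.
        A valid lookup refreshes the idle timer; an expired passport is removed, so the
        next connection from that address is prompted to authenticate again."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return None
        cfg = self.config
        too_old = (cfg.revoke_after_seconds is not None
                   and now - entry.issued_at >= cfg.revoke_after_seconds)
        too_idle = (cfg.idle_timeout_seconds is not None
                    and now - entry.last_used >= cfg.idle_timeout_seconds)
        if too_old or too_idle:
            del self.entries[src_ip]
            return None
        entry.last_used = now
        return entry.user

    def revoke(self, src_ip: Optional[str] = None, user: Optional[str] = None) -> int:
        """Manual revocation: one source IP, every passport held by a user, or (no arguments)
        all users. Returns the number of passports removed."""
        victims = [ip for ip, e in self.entries.items()
                   if (src_ip is None or ip == src_ip) and (user is None or e.user == user)]
        for ip in victims:
            del self.entries[ip]
        return len(victims)


if __name__ == "__main__":
    cache = PassportCache(PassportAuthenticator())
    cache.grant(0.0, "10.0.0.5", "alice")          # constructed address and user
    for t in (1000.0, 4000.0, 7500.0):
        print(t, cache.lookup(t, "10.0.0.5"))       # alice, alice, None (two hours passed)
```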


      Configuring password authenticators
      Use the Password Authenticator window to create and maintain standard password authenticators.
      Authenticators are used in rules to require users to authenticate before their request is allowed through the
      firewall. Standard password authentication is typically used for internal-to-external SOCKS 5, Telnet, FTP,
      and HTTP connections, and for administrators logging into the firewall from the internal (trusted) network.
      Using the Control Center Configuration Tool, you can create multiple Password authenticators. (Using the
      McAfee Firewall Enterprise Admin Console, you cannot rename the default Password authenticator nor
      create additional Password authenticators.) To assign a specific Password authenticator to a firewall, go to
      the Miscellaneous Settings area of the Firewall window. In the Password Authenticator field, select the
      appropriate authenticator. When creating rules, set the Authenticator field value to Password, which is a
      placeholder. When the policy is applied, that placeholder is replaced with the authenticator that is specified
      in the Password field. For more information, see Firewall window: Miscellaneous area on page 201.








Figure 176 Password Authenticator window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click the Password node. The Password Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label for the Password authenticator. Only alphanumeric characters, dashes (-),
  underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.

• Login prompt — Specify the text to appear asking for user identification. The default is Username:.

• Password prompt — Specify the text to appear asking for a password. The default is Password:.

• Expiration message — Specify the text to appear when a password has expired. The default value is
  Password has expired.

• Maximum login attempts — Specify the maximum number of login attempts allowed before the
  connection is dropped. The default is 8 attempts.
• Expiration period (days) — Specify the number of days a password remains valid. The default is 1 day.

• Minimum password length — Specify the minimum number of characters a password must contain.
  The default is 6 characters.
• Example of a valid password — [Read-only] Displays a valid password according to the values that you
  have specified in the other fields on this window.








      • Require complex passwords — Determines whether the firewall requires complex password
        parameters. This checkbox is cleared by default, indicating that complex passwords are not required.

         When this checkbox is selected, the firewall enforces the values that are specified in the following
         fields:

         • Required number of character groups — Specify the number of character groups that are required
           for passwords. The character groups are:

             • lowercase

             • uppercase

             • numbers

             • special characters (all printable characters that can be typed from the keyboard, such as ^ % $ @
               !, and so on.)
                 For example, if you specify two character groups, passwords must use characters from any two of
                 the four character groups.

         • Required number of characters per character group — Specify the number of characters that are
           required from each character group.

             For example, if you specify three characters from each group, and two character groups are
             required, passwords must contain three characters from two different groups, such as a13c7b.
      • OK — Save the changes that you have made on this window.

      • Cancel — Close this window without saving any changes.
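As an added illustration (not code from the guide or from the firewall), the following Python models the Minimum password length, Required number of character groups and Required number of characters per character group settings as a checker. The rule that a group counts toward the quota only when it contributes at least the per-group number of characters is this example's reading of the text, and defining special characters as ASCII punctuation is an assumption.

```python
import string

# The four character groups named in the guide; the classification is this example's own.
SPECIAL_CHARACTERS = set(string.punctuation)  # assumption: ASCII punctuation only
GROUPS = ("lowercase", "uppercase", "numbers", "special characters")


def character_group(ch):
    """Map one character to its group, or None if it belongs to no group."""
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.digits:
        return "numbers"
    if ch in SPECIAL_CHARACTERS:
        return "special characters"
    return None


def check_password(password, min_length=6, require_complex=False,
                   required_groups=2, chars_per_group=1):
    """Return a list of policy violations; an empty list means the password passes.

    Defaults mirror the window: a 6-character minimum and complexity off.
    A group counts toward required_groups only when it supplies at least
    chars_per_group characters (this example's reading of the guide).
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"length {len(password)} is below the minimum of {min_length}")
    if not require_complex:
        return violations

    counts = dict.fromkeys(GROUPS, 0)
    for ch in password:
        group = character_group(ch)
        if group is None:
            violations.append(f"character {ch!r} belongs to no character group")
        else:
            counts[group] += 1

    satisfied = [g for g in GROUPS if counts[g] >= chars_per_group]
    if len(satisfied) < required_groups:
        violations.append(
            f"only {len(satisfied)} group(s) supply {chars_per_group} or more characters; "
            f"{required_groups} required")
    return violations


def is_valid(password, **policy):
    """Convenience wrapper: True when check_password reports no violations."""
    return not check_password(password, **policy)


if __name__ == "__main__":
    # The guide's own example: three characters from each of two groups.
    policy = dict(require_complex=True, required_groups=2, chars_per_group=3)
    for candidate in ("a13c7b", "abc123!", "Abcdef", "short"):
        print(f"{candidate!r:12} -> {check_password(candidate, **policy) or 'valid'}")
```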


      Configuring passport authenticators
      Use the Passport Authenticator window to create and maintain your Passport authenticators. You can also
      use this window to automatically and manually manage session duration. Passport (also known as single
      sign-on) works in conjunction with a specified authentication method to cache a user’s initial
      authentication, thereby allowing access to multiple services with a single successful authentication.
      Passport also allows authentication for encrypted services and services that do not handle authentication.
      This is possible because a successful Passport authentication caches the source IP address for a specified
      time. All further proxy connections that require Passport authentication check that cache for a successfully
      authenticated user. If the source IP address exists in the cache, and Passport is the authentication method
      for the rule, the connection is allowed without prompting the user to authenticate.

      When configuring a Passport authenticator, you have the option of selecting multiple authenticators to be
      used for establishing Passport credentials. You then select one of those authenticators to be the default
      authenticator. When an end user first tries to access a service managed by a rule using that Passport
      authenticator, the user is prompted to authenticate. To authenticate using the default method, the user
      only specifies his or her username and password for the default method. To authenticate using a different
      authenticator enabled in the Passport authenticator, the user must use the username:authenticatorname
      syntax.

      An end user cannot use more than one authenticator for a single authentication event. If a user fails
      authentication using one authenticator, the user must start a new authentication process. The user can try
      again with the same authenticator, or use the username:authenticatorname syntax to select another
      authenticator.




        Use the Control Center Configuration Tool to create multiple passport authenticators. (In the McAfee
        Firewall Enterprise Admin Console, you cannot rename the default passport authenticator, nor can you
        create additional passport authenticators.) To assign a specific passport authenticator to a firewall, go to
        the Miscellaneous Settings area of the Firewall window. In the Passport Authenticator field, select the
        appropriate authenticator. When creating rules in the Rule Editor window, set the Authenticator field value
        to Passport, which is a placeholder. When the policy is applied, that placeholder is replaced with the
        authenticator that you have specified in the Passport field. For more information, see Firewall window:
        Miscellaneous area on page 201.
        Note: You can manage cached Passport users by using the Current Passport Users report. To view this report, in
        either the Configuration Tool or the Reporting and Monitoring Tool, right-click the Firewall node or a specific
        firewall. Then select Firewall Reports > Current Passport Users.

Figure 177 Passport Authenticator window




        Accessing this window
        1 In the Configuration Tool, select the Policy group bar.

        2 Select the Authenticators node.

        3 Double-click Passport Authenticators. The Passport Authenticator window is displayed.

        Fields and buttons
        This window has the following fields and buttons:
        • Name — Specify a label for the Passport authenticator. Only alphanumeric characters, dashes (-),
          underscores (_), and a dot (.) are supported.

        • Description — Provide information about the authenticator.




      • Authenticators to establish passport credentials — Specify the authenticators that can be used to
        authenticate users when they encounter a rule using this Passport authenticator. The table includes all of
        the configured authenticators. By default, only the default Password authenticator is selected.
         Note: The CAC Authenticator is available for firewall versions 7.0.1.02 and later only. It is one of the
         authenticators that can be used to establish Passport credentials for the Passport authenticator. If you want to
         use CAC authentication, you must select this checkbox.

         • (checkbox) — Indicates the authenticator to be used to establish credentials. The default authenticator
           (that is the value that is specified in the Default authenticator to establish Passport credentials
           field) is selected in this table.

         • Name — [Read-only] Displays the name of the authenticator.

         • Type — [Read-only] Displays the type of authentication that is used for this authenticator (that is, the
           value that is displayed in the Name column).

         • Description — [Read-only] Displays a description of this authenticator.

      • Default authenticator to establish Passport credentials — Specify the authenticator to use in rules
        that have Passport as the authenticator. The default authenticator should be the authentication method
        that is most commonly used by users.

      • Web Login — Use the fields in this area to configure whether web login is required and whether active
        session mode is also used. The following fields are available:

         • Require web Login — Determines whether users are required to acquire a Passport for an HTTP
           connection.

             Users are redirected from a web request to an authentication login page. Passport authentication
             for other connection times is denied. After a user has been authenticated, a “Successful Login”
             browser window is displayed. The user is then redirected to the requested web page. This checkbox
             is cleared by default.

             To configure the Web login page and logout page banners, you must connect directly to the firewall.

         • Active session mode — [Available only for firewall versions 7.0.1.00 and later] Use the fields in this
           area to determine whether to require the Passport holder to maintain an open network connection to
           the firewall. This increases security when multiple users share the same IP address.

             When active session mode is enabled, the “Successful Login” browser must remain open during the
             life of the passport. The following fields are available:

             • Refresh period (sec) — [Available only for firewall versions 7.0.1.00 and later] Specify the time
               at which a heartbeat message is sent to the “Successful Login” web page. A heartbeat message
               periodically tests the HTTPS connection and refreshes the page. If the connection is broken, the
               Passport is revoked and all of the sessions that were authorized by that passport are closed.
                 Note: Time-outs vary for each web browser. A high refresh period could result in revoked Passports for
                 some browsers because the HTTPS connection has timed out.
             • Grace period (sec) — [Available only for firewall versions 7.0.1.00 and later] Specify the number
               of seconds that the HTTPS connection can be broken before the Passport is revoked.

         • Redirect delay (sec) — [Available only for firewall versions 7.0.1.00 and later] Specify the number of
           seconds that a web redirect page remains open after a successful Passport login.
             If a user makes a web request and has not yet been authenticated for Passport, the user is
             redirected to the authentication login page. After successful authentication, the “Successful Login”
             browser window is displayed, including information that the user will be redirected to the requested
             page in a new browser window.




• Timeouts — Use the fields in this area to configure re-authentication timeframes. The following fields
  are available:

   • Idle timeout — Specify the length of time that a user can be inactive before he or she must log into
     Passport again. The default is 36000 seconds. Select the value and the measurement value, which can
     be seconds, minutes, hours, days, weeks, or years.

   • Session timeout — Specify the length of time that a session can last before the user is required to
     log in again. This setting applies even if a user is currently active. The default is 36000 seconds. Select
     the value and the measurement value, which can be seconds, minutes, hours, days, weeks, or years.

• OK — Save the changes on this window.

• Cancel — Close this window without saving any changes.

• Versions — Click this button to view a display of all of the fields on this window that have version-specific
  availability. You can also view this same information at the field level by holding your mouse over the
  version level icon and viewing the ToolTip.
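To make the caching behaviour described for Passport concrete, here is an added Python model (not the firewall's implementation) of a Passport cache keyed by source IP that applies the Idle timeout, Session timeout, Refresh period and Grace period settings from this window. The rule that a Passport is revoked once the last heartbeat is older than the refresh period plus the grace period is this example's reading of the field descriptions; the IP addresses and user names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Passport:
    user: str
    issued: float          # time of the successful authentication
    last_active: float     # last proxy connection that used this Passport
    last_heartbeat: float  # last heartbeat from the "Successful Login" page


class PassportCache:
    """Model of the per-source-IP Passport cache described in the guide.

    Defaults mirror the window (36000-second timeouts, active session mode off).
    The heartbeat rule (revoke once a heartbeat is older than refresh_period +
    grace_period) is this example's reading of the Refresh/Grace descriptions.
    """

    def __init__(self, idle_timeout=36000, session_timeout=36000,
                 active_session=False, refresh_period=60, grace_period=30):
        self.idle_timeout = idle_timeout
        self.session_timeout = session_timeout
        self.active_session = active_session
        self.refresh_period = refresh_period
        self.grace_period = grace_period
        self._by_ip = {}

    def login(self, ip, user, now):
        """Record a successful authentication for the client's source IP."""
        self._by_ip[ip] = Passport(user, now, now, now)

    def heartbeat(self, ip, now):
        """Heartbeat from the login page; a no-op if no Passport exists for ip."""
        if ip in self._by_ip:
            self._by_ip[ip].last_heartbeat = now

    def revoke(self, ip):
        """Drop the Passport; returns True if one existed."""
        return self._by_ip.pop(ip, None) is not None

    def check(self, ip, now):
        """Decide whether a new proxy connection from ip may pass without a prompt.

        Returns (allowed, reason). The decision keys on the source IP alone,
        which is why the guide recommends active session mode for shared addresses.
        """
        p = self._by_ip.get(ip)
        if p is None:
            return False, "no Passport for source IP; prompt for authentication"
        if now - p.issued >= self.session_timeout:
            self.revoke(ip)
            return False, "session timeout; re-authentication required"
        if now - p.last_active >= self.idle_timeout:
            self.revoke(ip)
            return False, "idle timeout; re-authentication required"
        if self.active_session and now - p.last_heartbeat > self.refresh_period + self.grace_period:
            self.revoke(ip)
            return False, "login page connection lost; Passport revoked"
        p.last_active = now
        return True, f"cached Passport for {p.user}"


if __name__ == "__main__":
    cache = PassportCache(idle_timeout=600, session_timeout=3600,
                          active_session=True, refresh_period=60, grace_period=30)
    cache.login("192.0.2.10", "alice", now=0)     # constructed source IP and user
    print(cache.check("192.0.2.10", now=30))       # allowed without a prompt
    cache.heartbeat("192.0.2.10", now=60)
    print(cache.check("192.0.2.10", now=120))      # heartbeat 60 s old: within refresh + grace
    print(cache.check("192.0.2.10", now=200))      # heartbeat 140 s old: revoked
    print(cache.check("192.0.2.10", now=201))      # treated as an unauthenticated client
```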


Configuring RADIUS authenticators
Use the RADIUS Authenticator window to create and maintain your RADIUS authenticators. SafeWord®
RemoteAccess™ and SafeWord® PremierAccess™ are RADIUS servers that have been certified for full
interoperability with the firewall. If your organization operates a RADIUS server, you can use it to provide
strong authentication for SOCKS 5, Telnet, FTP, and HTTP sessions through the firewall. It can also be used
to authenticate logins and SSH logins to the firewall.
Authenticators are used in rules to require users to authenticate to the specified server before their request
is allowed through the firewall. When you use a RADIUS authenticator in a rule, you also have the option of
only allowing users from a specified internal user group. For more information about creating internal user
groups, see Configuring firewall user groups on page 468.
Note: Create all host objects for authentication servers and external groups before configuring this authenticator.
Host objects must have an IP address or they will not appear in the Host list on the Servers tab.




      Figure 178 RADIUS Authenticator window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click RADIUS Authenticators. The RADIUS Authenticator window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the RADIUS authenticator. Only alphanumeric characters, dashes
        (-), underscores (_), and a dot (.) are supported.

      • Description — Provide information about the authenticator.

      • OK — Save the changes made on the main window and on any of the tabs in this window.

      • Cancel — Close this window without saving any changes.

      Tabs
      This window also has the following tabs:
      • Servers — Define and rank the RADIUS servers that are used with this authenticator and specify the way
        in which the firewall authenticates to those servers. For more information, see RADIUS Authenticator
        window: Servers tab on page 433.
      • Groups — Specify external or internal groups that are used to restrict proxy connections to specific
        RADIUS users. For more information, see RADIUS Authenticator window: Groups tab on page 434.




RADIUS Authenticator window: Servers tab
Use the Servers tab on the RADIUS Authenticator window to create and maintain the list of RADIUS servers
that the firewall can query to authenticate users. Also use this tab to specify connection information
between the firewall and the RADIUS server. To view the fields on the Servers tab, see Figure 178 on
page 432.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click RADIUS Authenticators. The RADIUS Authenticator window is displayed.

4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• RADIUS servers — Specify the RADIUS server for the firewall to query when a user attempts to pass
  traffic matching a rule that references this authenticator. If needed, specify additional hosts for the
  firewall to try if the first host is unavailable. This list contains all host objects with an associated IP
  address, which are created in the Network Objects area. See Network objects on page 336.

   To change the order, or rank, of the listed servers, select a server and use the up or down arrow to
   change its position. The firewall tries to connect to the servers in the order shown here.
   Note: If you intend to use more than one RADIUS server as a primary server, create multiple RADIUS
   authenticators. The additional servers listed here are queried only when the top-ranked server does not
   respond.

   The following columns are available:

   • Host — Specify the host IP address for each server entry.

   • Port — Specify the port number for each server entry. The default is port 1812.

   • Shared Secret — Specify the text string or phrase that matches the shared secret of the listed RADIUS
     server.

   • Delete — Click x to delete the server.

   • (add icon) — Displays the Network Object Manager window, in which you can add a host.

   • Navigation arrows — Use the move up and move down arrows to change the order of a selected action
     in this table.

• Login prompt — Specify the login prompt you want to appear during the user's login process. The default
  value is Username:.

• Password prompt — Specify the password prompt you want to appear during the user's login
  process. The default value is Password:.

• Failed authentication message — Specify the message to display if a user's authentication attempt
  fails. The default value is Login incorrect.




      RADIUS Authenticator window: Groups tab
      Use the Groups tab of the RADIUS Authenticator window to create a list of external user groups that are
      available when adding this authenticator to a rule. Only select external groups that are valid for this
      RADIUS authentication server. When creating a rule, select the external group or groups that will be
      required to authenticate when those users attempt to pass traffic that matches that rule. For information
      about configuring external user groups, see Configuring external firewall groups on page 469.
      Figure 179 RADIUS Authenticator window: Groups tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click RADIUS Authenticators. The RADIUS Authenticator window is displayed.

      4 Select the Groups tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Group source — Use the options in this area to determine whether this is an internal or external group
        that is allowed in proxy connections. The following options are available:

         • Internal — Indicates that this is an internally managed group.

         • External — Indicates that this is an externally created group.

      • External groups — Use the fields in this table to specify one or more external user groups to associate
        with this authenticator.

         • External Group — [Read-only] Displays the name of the external group.

         • Delete — Click x to delete the group.

         • (add icon) — Displays the External Group window, in which you can add an external group.




   • RADIUS group options — Use the fields in this area to specify the attributes that are defined in the
     dictionary files on the RADIUS server. The firewall searches for these attributes in the response of the
     RADIUS server. The following fields are available:

       • Group type — Specify the attribute type for this server. The default value is 26, which is a
         vendor-specific attribute.

       • Vendor ID — [Available only if the value of the Group type field is 26] Specify a vendor ID from
         the dictionary files of the RADIUS server.

       • Vendor type — [Available only if the value of the Group type field is 26] Specify a vendor type
         from the dictionary files of the RADIUS server.

       • Group delimiters — Specify the character or characters that separate groups in a string. This is
         needed only if the RADIUS server sends attributes in a single string. You can specify multiple
         delimiter characters consecutively—that is, without any spaces or separators between them.
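As an added example, not the firewall's own code, the following Python encodes and parses the RADIUS attribute layout from RFC 2865 (type, length, value; Vendor-Specific attribute 26 carrying a Vendor-Id and vendor sub-attributes) and applies the Group type, Vendor ID, Vendor type and Group delimiters settings to a constructed Access-Accept. Vendor ID 4242 and vendor type 7 are placeholders, not values from any server's dictionary files.

```python
import re
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific, the window's default Group type


def attribute(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def vendor_specific(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attributes(data):
    """Walk the attribute section of a RADIUS packet; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def extract_groups(data, group_type=26, vendor_id=None, vendor_type=None, delimiters=""):
    """Return the group names the server sent, per the Groups tab settings.

    group_type 26 selects the Vendor-Specific attribute and needs vendor_id and
    vendor_type; any other type reads the attribute value directly. delimiters
    lists the separator characters consecutively, as in the window.
    """
    values = []
    for attr_type, value in parse_attributes(data):
        if attr_type != group_type:
            continue
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                continue  # too short to hold Vendor-Id plus a sub-attribute header
            if struct.unpack("!I", value[:4])[0] != vendor_id:
                continue
            j = 4  # one VSA may carry several vendor sub-attributes
            while j + 2 <= len(value):
                sub_type, sub_len = value[j], value[j + 1]
                if sub_len < 2 or j + sub_len > len(value):
                    break  # malformed sub-attribute; stop rather than misparse
                if sub_type == vendor_type:
                    values.append(value[j + 2:j + sub_len])
                j += sub_len
        else:
            values.append(value)

    groups = []
    splitter = re.compile("[" + re.escape(delimiters) + "]") if delimiters else None
    for raw in values:
        text = raw.decode("utf-8", errors="replace")
        parts = splitter.split(text) if splitter else [text]
        groups.extend(p.strip() for p in parts if p.strip())
    return groups


def rule_permits(server_groups, rule_groups):
    """True when the user is in at least one external group named on the rule."""
    return bool(set(server_groups) & set(rule_groups))


# Constructed Access-Accept attribute section: User-Name (1), a VSA with a
# placeholder vendor ID 4242 / vendor type 7, and a Class (25) attribute.
SAMPLE_REPLY = (attribute(1, b"alice")
                + vendor_specific(4242, 7, b"vpn-users;admins,finance")
                + attribute(25, b"contractors"))

if __name__ == "__main__":
    print(extract_groups(SAMPLE_REPLY, 26, 4242, 7, ";,"))   # groups split on ';' and ','
    print(extract_groups(SAMPLE_REPLY, group_type=25))       # a non-VSA group attribute
    print(rule_permits(extract_groups(SAMPLE_REPLY, 26, 4242, 7, ";,"), ["admins"]))
```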


Configuring Safeword authenticators
Use the Safeword Authenticator window to create and maintain your SafeWord authenticators.
Authenticators are used in rules to require users to authenticate to the specified server before their request
is allowed through the firewall. The SafeWord family of remote authentication servers includes SafeWord
RemoteAccess and SafeWord PremierAccess. With SafeWord PremierAccess, you can use fixed passwords
or passcode authentication for Telnet and FTP sessions through the firewall, and for administrator login
attempts directly to the firewall or through an SSH session. You can authenticate HTTP sessions by using
either fixed passwords or passcodes without the challenge or response option. (Not all tokens support this
option.)
When creating a rule, you can also select the external group or groups that will be required to authenticate
when those users attempt to pass traffic that matches that rule. For more information about configuring
external groups, see Configuring external firewall groups on page 469.
Figure 180 Safeword Authenticator window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Safeword Authenticators. The Safeword Authenticator window is displayed.




      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the Safeword authenticator. Only alphanumeric characters,
        dashes (-), underscores (_), and a dot (.) are supported.

      • Description — Provide information about the authenticator.

      • OK — Save the changes made on the main window and on any of the tabs in this window.

      • Cancel — Close this window without saving any changes.

      Tabs
      This window also has the following tabs:
      • Servers — Define and rank the SafeWord servers that are used with this authenticator and specify the
        way in which the firewall authenticates to those servers. For more information, see Safeword
        Authenticator window: Servers tab on page 436.

      • Groups — Specify external or internal groups that are used to restrict proxy connections to specific
        SafeWord users. For more information, see Safeword Authenticator window: Groups tab on page 437.

      Safeword Authenticator window: Servers tab
      Use the Servers tab on the Safeword Authenticator window to create and maintain the list of SafeWord
      servers that the firewall can query to authenticate users. Also use this tab to specify connection information
      between the firewall and the SafeWord server. To view the fields on the Servers tab, see Figure 180 on
      page 435.

      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click Safeword Authenticators. The Safeword Authenticator window is displayed.

      4 Make sure that the Servers tab is selected.

      Fields and buttons
      This tab has the following fields and buttons:
      • SafeWord servers — Specify the SafeWord server for the firewall to query when a user attempts to pass
        traffic matching a rule that references this authenticator. If needed, specify additional hosts for the
        firewall to try if the first host is unavailable. This list contains all of the host objects with an associated
        IP address, which are created in the Network Objects area. See Network objects on page 336.

         To change the order, or rank, of the listed servers, select a server and use the up or down arrow to
         change its position. The firewall tries to connect to the servers in the order shown here.
         Note: To use more than one SafeWord server as a primary server, create multiple SafeWord authenticators.
         The additional servers listed here are queried only when the top-ranked server does not respond.

         The following columns are available:

         • Host — Specify the host IP address for each server entry.

         • Port — Specify the port number for each server entry. The default is port 5030.

         • Delete — Click x to delete the server.

         • (add icon) — Displays the Network Object Manager window, in which you can add a host.

         • Navigation arrows — Use the move up and move down arrows to change the order of a selected action
           in this table.




Safeword Authenticator window: Groups tab
Use the Groups tab of the Safeword Authenticator window to create a list of external user groups that are
available when adding this authenticator to a rule. Only select external groups that are valid for this
SafeWord authentication server. When creating a rule, select the external group or groups that will be
required to authenticate when those users attempt to pass traffic that matches that rule. For information
about configuring external user groups, see Configuring external firewall groups on page 469.
Figure 181 Safeword Authenticator window: Groups tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Safeword Authenticators. The Safeword Authenticator window is displayed.

4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether this is an internal or external group
  that is allowed in proxy connections. The following options are available:

   • Internal — Indicates that this is an internally managed group.

   • External — Indicates that this is an externally created group.

• External groups — Use the fields in this table to specify one or more external user groups to associate
  with this authenticator.

   • External Group — [Read-only] Displays the name of the external group.

   • Delete — Click x to delete the group.

   • (add icon) — Displays the External Group window, in which you can add an external group.




      Configuring Windows Domain authenticators
      Use the Windows Domain Authenticator window to create and maintain your Windows Domain
      authenticators. A Windows Domain authenticator consists of a list of Windows primary domain controllers
      (PDC) and backup domain controllers (BDC) that the firewall can query to authenticate users. This
      authentication method can be used to provide authentication for login, SOCKS 5, Telnet, FTP, and HTTP, as
      well as SSH sessions to the firewall. Use this window to specify the prompts and messages that are
      displayed to users, as well as to determine whether prompted or transparent authentication is to be used.
      (Transparent browser authentication is also known as NTLM or integrated Windows authentication.)
      Authenticators are used in rules to require users to authenticate to the specified server before their request
      is allowed through the firewall. When you use a Windows Domain authenticator in a rule, you also have the
      option of only allowing users from a specified internal user group. For more information about creating
      internal user groups, see Configuring firewall user groups on page 468.
      Note: Make sure that the domain controller does not allow blank or default logins that can be easily guessed by
      outsiders.

      Figure 182 Windows Domain Authenticator window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click Windows Domain Authenticators. The Windows Domain Authenticator window is
         displayed.




Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Windows Domain authenticator. Only alphanumeric
  characters, dashes (-), underscores (_), and a dot (.) are supported.

• Description — Provide information about the authenticator.

• Host — Specify the Windows Domain Primary Domain Controller (PDC) or Backup Domain Controller
  (BDC) for the firewall to query when a user attempts to pass traffic matching a rule that references this
  authenticator. If needed, specify additional hosts for the firewall to try if the first host is unavailable. This
  list contains all host objects that have an associated IP address, which are created in the Network Objects
  area. See Network objects on page 336.

    To change the order, or rank, of the listed controllers, select a controller and use the up or down arrow
    to change its position. The firewall attempts to connect to the controllers in the order shown here.
    Note: If you intend to use more than one Windows Domain controller as a primary host, create multiple
    Windows Domain authenticators. The additional hosts listed here are queried only when the top-ranked host
    does not respond.

• Port — Specify the port used by the Windows Domain controller. The default is 139.

• Name — Specify the name of the Windows Domain controller.

• Delete — Click x to delete the controller.

• (add icon) — Displays the Network Object Manager window, in which you can add a host.

• Navigation arrows — Use the move up and move down arrows to change the order of a selected action in
  this table.

• Login prompt — Specify the login prompt you want to appear during the user's login process. The default
  is Username:.

• Password prompt — Specify the password prompt you want to appear during the user's login process.
  The default is Password:.

• Failed authentication message — Specify the message to display if a user's authentication attempt
  fails. The default is Login incorrect.

• Windows NTLM authentication — Use the fields in this area to determine whether the users are to be
  prompted repeatedly or authenticated transparently. Select Both if your user population uses browsers
  at various versions. The following options are available:

    • Domain (MSNT) — Indicates to use domain authentication, which prompts users for a user name and
      password. This is typically used for older browsers that do not support transparent authentication.
       Caution: The user password is not encrypted in this method.
    • Transparent (NTLM) — Indicates to use transparent browser authentication. If a user has already
      been authenticated by the Windows domain, the user is not prompted for a user name and password
      when using a rule that requires this authenticator.

       If this option is selected and the user’s browser does not support transparent authentication, the
       authentication will fail. No further rule matching is attempted.

    • Both — Indicates to attempt both authentication methods. Transparent authentication is attempted
      first. If it is not supported, domain authentication is used.

• OK — Save the changes that have been made on the main window.

• Cancel — Close this window without saving any changes.




      Configuring iPlanet authenticators
      Use the iPlanet Authenticator window to create and maintain your iPlanet Authenticators. An iPlanet server
      is an LDAP server owned by iPlanet, Inc. Authenticators are used in rules to require users to authenticate to
      the specified server before their request is allowed through the firewall.
      Figure 183 iPlanet Authenticator window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the iPlanet authenticator. Only alphanumeric characters, dashes
        (-), underscores (_), and a dot (.) are supported.

      • Description — Provide information about the authenticator.

      • OK — Save the changes made on the main window and on any of the tabs in this window.

      • Cancel — Close this window without saving any changes.




Tabs
This window has the following tabs:
• Servers — Define and rank the iPlanet servers used with this firewall authenticator and specify the way
  that the firewall authenticates to those servers. For more information, see iPlanet Authenticator window:
  Servers tab on page 441.

• Search — Manage the search parameters for filtering and searching the iPlanet containers and
  sub-containers. For more information, see iPlanet Authenticator window: Search tab on page 442.

• Logins — Manage the prompts displayed to users authenticating by using iPlanet, and set the maximum
  number of login attempts. For more information, see iPlanet Authenticator window: Logins tab on
  page 443.

• Groups — Select an external group that is used to restrict proxy connections to specific iPlanet users. For
  more information, see iPlanet Authenticator window: Groups tab on page 444.
    Note: Create all host objects for authentication servers and external groups before configuring this
    authenticator. Host objects must have an IP address or they will not appear in the Host lists.

iPlanet Authenticator window: Servers tab
Use the Servers tab of the iPlanet Authenticator window to create and maintain the list of iPlanet servers
that the firewall can query to authenticate users. Also use this window to specify connection information
between the firewall and the iPlanet server. To view the fields on this tab, see Figure 183 on page 440.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.

4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Host — Specify the iPlanet server for the firewall to query when a user attempts to pass traffic matching
  a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the
  first host is unavailable. This list contains all host objects that have been created in the Network Objects
  area of the Policy group bar tree. See Network objects on page 336.

    To change the order, or rank, of the listed servers, select a server and use the up or down arrow to
    change its position. The firewall attempts to connect to the servers in the order shown here.
    Note: If you intend to use more than one iPlanet server as a primary server, create multiple iPlanet
    authenticators. The additional servers listed here are queried only when the top-ranked server does not
    respond.

• Port — Specify the port used by the iPlanet server. The default is port 389.

• Delete — Click x to delete the server.

      • [button icon] — Displays the Network Object Manager window, in which you can add a host.

• Navigation arrows — Use the move up and move down arrows to change the order of a selected
  action in this table.

• Connection timeout (seconds) — Specify the number of seconds that the firewall will wait before the
  connection to the iPlanet server is closed as a timeout. The default is 60 seconds.








      • Use anonymous connections — Determines whether the firewall uses anonymous authentication to
        authenticate to the iPlanet server.

         When this checkbox is cleared, the firewall requires the following information to authenticate to the
         iPlanet server:

         • User name — Specify the login name that is required by the iPlanet server.

         • Password — Specify the password that is required by the iPlanet server.

         • Confirm password — Confirm the password.

      iPlanet Authenticator window: Search tab
      Use the Search tab of the iPlanet Authenticator window to manage the search parameters for filtering and
      searching the iPlanet containers and sub-containers.
      Figure 184 iPlanet Authenticator window: Search tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.

      4 Select the Search tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Search containers — Use the fields in this table to specify container names. The following fields are
        available:

         • Search Container — Specify the container name. If needed, specify additional containers. Specify
           either a single container name or a concatenated container name (for example,
           dc=sales,dc=example,dc=com).

         • Delete — Click x to delete the server.

         • [button icon] — Displays the Network Object Manager window, in which you can add a host.







   • Navigation arrows — Use the move up and move down arrows to change the order of a
     selected action in this table.

• Search options — Use the fields in this area to specify the search options. The following fields are
  available:

   • Search scope — Specify the levels of the containers that will be searched. The following values are
     available:

       • Base — Search only in the containers defined here. When this option is selected, the valid search
         container format is an LDAP Distinguished Name, such as cn=My Name, sn=Name, o=Bizco, c=US.

       • Sub-Tree — Search in the defined containers and their sub-containers. When this option is
         selected, the valid search container format is the same as when Base is selected.

   • Apply search filter — Determines whether the filter search is to be based on a profile filter. This
     checkbox is cleared by default. If it is selected, you must specify the filter to use (for example,
     objectclass=person).

• LDAP directory identifiers — Use the fields in this area to view the directory identifiers. The following
  fields are available:

   • Directory user identifier — [Read-only] Displays the directory user identifier for iPlanet, which is uid.

   • Directory member identifier — [Read-only] Displays the directory member identifier, which is
     uniquemember.

iPlanet Authenticator window: Logins tab
Use the Logins tab of the iPlanet Authenticator window to define the prompts displayed to users when
prompted to log into the iPlanet server and the maximum number of allowed login attempts.
Figure 185 iPlanet Authenticator window: Logins tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.

4 Select the Logins tab.

Fields and buttons
This tab has the following fields and buttons:
• Login prompt — Specify the login prompt you want to appear during the user's login process. The default
  is Username:.

• Password prompt — Specify the password prompt you want to appear during the user's login
  process. The default is Password:.

• Maximum login attempts — Specify the maximum number of login attempts that are allowed.







      iPlanet Authenticator window: Groups tab
      Use the Groups tab of the iPlanet Authenticator window to create a list of external user groups that are
      available when adding this authenticator to a rule. Select only those external groups that are valid for this
      iPlanet authentication server. When creating a rule, select the external group or groups that will be required
      to authenticate when those users attempt to pass traffic that matches that rule. For information about
      configuring external user groups, see Configuring external firewall groups on page 469.
      Figure 186 iPlanet Authenticator window: Groups tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.

      4 Select the Groups tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Group source — Use the options in this area to determine whether this is an internal or external group
        that is allowed in proxy connections. The following options are available:

         • Internal — Indicates that this is an internally managed group.

         • External — Indicates that this is an externally created group.

      • External groups — Use the fields in this table to specify one or more external user groups to associate
        with this authenticator.

         • External Group — [Read-only] Displays the name of the external group.

         • Delete — Click x to delete the server.

         • [button icon] — Displays the External Group window, in which you can add an external group.








Configuring Active Directory authenticators
Use the Active Directory Authenticator window to create and maintain your Active Directory authenticators.
Authenticators are used in rules to require users to authenticate to the specified server before their request
is allowed through the firewall. An Active Directory server is a Lightweight Directory Access Protocol (LDAP)
server owned by Microsoft.
Figure 187 Active Directory Authenticator window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label that is used to refer to the Active Directory authenticator. Only alphanumeric
  characters, dashes (-), underscores (_), and a dot (.) are supported.

• Description — Provide information about the authenticator.

• OK — Save the changes made on the main window and on any of the tabs in this window.

• Cancel — Close this window without saving any changes.








      Tabs
      This window also has the following tabs:
      • Servers — Define and rank the Active Directory servers that are used with this firewall authenticator and
        specify the way in which the firewall authenticates to those servers. For more information, see Active
        Directory Authenticator window: Servers tab on page 446.

      • Search — Manage the search parameters for filtering and searching the Active Directory containers and
        domains. For more information, see Active Directory Authenticator window: Search tab on page 447.

      • Logins — Manage the prompts that are displayed to users who are authenticating by using Active
        Directory, and set the maximum number of login attempts. For more information, see Active Directory
        Authenticator window: Logins tab on page 448.

      • Groups — Select an external group that is used to restrict proxy connections to specific Active Directory
        users. For more information, see Active Directory Authenticator window: Groups tab on page 449.
          Note: Create all host objects for authentication servers and external groups before you configure this
          authenticator. Host objects must have an IP address or they will not appear in the Host lists.

      Active Directory Authenticator window: Servers tab
      Use the Servers tab of the Active Directory Authenticator window to create and maintain the list of Active
      Directory servers that the firewall can query to authenticate users. Also use this window to specify
      connection information between the firewall and the Active Directory server. To view the fields on this tab,
      see Figure 187 on page 445.

      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.

      4 Make sure that the Servers tab is selected.

      Fields and buttons
      This tab has the following fields and buttons:
      • Host — Specify the Active Directory server for the firewall to query when a user attempts to pass traffic
        that matches a rule that references this authenticator. If needed, specify additional hosts for the firewall
        to try if the first host is unavailable. This list contains all host objects that have been created in the
        Network Objects area of the Policy group bar tree. See Network objects on page 336.

          To change the order or rank of the listed servers, select a server and use the up or down arrow to
          change its position. The firewall will attempt to connect to the servers in the order that is displayed
          here.
          Note: To use more than one Active Directory server as a primary server, create multiple Active Directory
          authenticators. The additional servers that are listed here are queried only when the top-ranked server does
          not respond.

      • Port — Specify the port that is used by the Active Directory server. The default is port 389.

      • Delete — Click x to delete the server.

      • [button icon] — Displays the Network Object Manager window, in which you can add a host.

      • Navigation arrows — Use the move up and move down arrows to change the order of a selected
        action in this table.

      • Connection timeout (seconds) — Specify the number of seconds for the firewall to wait before the
        connection to the Active Directory server is closed due to timeout. The default is 60 seconds.








• Use anonymous connections — Determine whether the firewall uses anonymous authentication to
  authenticate to the Active Directory server. This option is selected by default.

   When this checkbox is cleared, the firewall requires the following information to authenticate to the
   Active Directory server:

   • User Name — Specify the login name that is required by the Active Directory server.

   • Password — Specify the password that is required by the Active Directory server.

   • Confirm password — Confirm the password.

Active Directory Authenticator window: Search tab
Use the Search tab of the Active Directory Authenticator window to manage the search parameters for
filtering and searching the Active Directory containers, sub-containers, and domains.
Figure 188 Active Directory Authenticator window: Search tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.

4 Select the Search tab.

Fields and buttons
This tab has the following fields and buttons:
• Search containers — Use the fields in this table to specify container names. The following fields are
  available:

   • Search Container — Specify the container name. If needed, specify additional containers. Specify
     either a single container name or a concatenated container name (for example,
     dc=sales,dc=example,dc=com).

   • Delete — Click x to delete the server.

   • [button icon] — Displays the Network Object Manager window, in which you can add a host.







         • Navigation arrows — Use the move up and move down arrows to change the order of a
           selected action in this table.

      • Search options — Use the fields in this area to specify the search options. The following fields are
        available:

         • Search scope — Specify the levels of the containers that will be searched. The following values are
           available:

             • Base — Search only in the containers defined here. When this option is selected, the valid search
               container format is an LDAP Distinguished Name, such as cn=My Name, sn=Name, o=Bizco, c=US.

             • Sub-Tree — Search in the defined containers and their sub-containers. When this option is
               selected, the valid search container format is the same as when Base is selected.

         • Apply search filter — Determines whether the filter search is to be based on a profile filter. This
           checkbox is cleared by default. If it is selected, you must specify the filter to use (for example,
           objectclass=person).

      • LDAP directory identifiers — Use the fields in this area to view the directory identifiers. The following
        fields are available:

         • Directory user identifier — [Read-only] Displays the directory user identifier for Active Directory,
           which is sameaccountname.

         • Directory member identifier — [Read-only] Displays the directory member identifier, which is
           memberof.

      Active Directory Authenticator window: Logins tab
      Use the Logins tab of the Active Directory Authenticator window to define the prompts displayed to users
      when prompted to log into the Active Directory server and the maximum number of allowed login attempts.
      Figure 189 Active Directory Authenticator window: Logins tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.

      4 Select the Logins tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Login prompt — Specify the login prompt you want to appear during the user's login process. The default
        is Username:.

      • Password prompt — Specify the password prompt you want to appear during the user's login
        process. The default is Password:.








• Maximum login attempts — Specify the maximum number of allowed login attempts.

Active Directory Authenticator window: Groups tab
Use the Groups tab of the Active Directory Authenticator window to create a list of external user groups
that are available when adding this authenticator to a rule. Only select external groups that are valid for
this Active Directory authentication server. When creating a rule, select the external group or groups that
will be required to authenticate when those users attempt to pass traffic that matches that rule. For more
information about configuring external groups, see Configuring external firewall groups on page 469.
Figure 190 Active Directory Authenticator window: Groups tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.

4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether this is an internal or external group
  that is allowed in proxy connections. The following options are available:

   • Internal — Indicates that this is an internally managed group.

   • External — Indicates that this is an externally created group.

• External groups — Use the fields in this table to specify one or more external user groups to associate
  with this authenticator.

   • External Group — [Read-only] Displays the name of the external group.

   • Delete — Click x to delete the server.

   • [button icon] — Displays the External Group window, in which you can add an external group.








      Configuring OpenLDAP authenticators
      Use the OpenLDAP Authenticator window to create and maintain your OpenLDAP authenticators.
      Authenticators are used in rules to require users to authenticate to the specified server before their request
      is allowed through the firewall. OpenLDAP Software is a free, open source implementation of LDAP
      developed by the OpenLDAP Project.
      Figure 191 OpenLDAP Authenticator window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specifies a label used to refer to the OpenLDAP authenticator. Only alphanumeric characters,
        dashes (-), and underscores (_) are supported.

      • Description — Provides information about the authenticator.

      • OK — Save the changes made on the main window and on any of the tabs in this window.

      • Cancel — Close this window without saving any changes.








Tabs
This window also has the following tabs:
• Servers — Define and rank the OpenLDAP servers used with this firewall authenticator and specify how
  the firewall authenticates to those servers. For more information, see OpenLDAP Authenticator window:
  Servers tab on page 451.

• Search — Manage the search parameters for filtering and searching the OpenLDAP containers and
  domains. For more information, see OpenLDAP Authenticator window: Search tab on page 452.

• Logins — Manage the prompts displayed to users authenticating by using OpenLDAP, and set the
  maximum number of login attempts. For more information, see OpenLDAP Authenticator window: Logins
  tab on page 453.

• Groups — Select an external group that is used to restrict proxy connections to specific OpenLDAP users.
  For more information, see OpenLDAP Authenticator window: Groups tab on page 454.
    Note: Create all host objects for authentication servers and external groups before configuring this
    authenticator. Host objects must have an IP address, or they will not appear in the Host lists.

OpenLDAP Authenticator window: Servers tab
Use the Servers tab of the OpenLDAP Authenticator window to create and maintain the list of OpenLDAP
servers the firewall can query to authenticate users. Also use this window to specify connection information
between the firewall and the OpenLDAP server. To view the fields on this tab, see Figure 191 on page 450.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.

4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Host — Specify the OpenLDAP server for the firewall to query when a user attempts to pass traffic
  matching a rule that references this authenticator. If needed, specify additional hosts for the firewall to
  try if the first host is unavailable. This list contains all host objects that have been created in the Network
  Objects area of the Policy group bar tree. See Network objects on page 336.

    To change the order, or rank, of the listed servers, select a server and use the up or down arrow to
    change its position. The firewall tries to connect to the servers in the order shown here.
    Note: To use more than one OpenLDAP server as a primary server, create multiple OpenLDAP authenticators.
    The additional servers listed here are queried only when the top-ranked server does not respond.

• Port — Specify the port that will be used by the OpenLDAP server. The default is port 389.

• Delete — Click x to delete the server.

• [button icon] — Displays the Network Object Manager window, in which you can add a host.

• Navigation arrows — Use the move up and move down arrows to change the order of a selected
  action in this table.

• Connection timeout (seconds) — Specify the number of seconds for the firewall to wait before the
  connection to the OpenLDAP server is closed due to timeout. The default is 60 seconds.








      • Use anonymous connections — Determines whether the firewall uses anonymous authentication to
        authenticate to the OpenLDAP server.

         When this checkbox is cleared, the firewall requires the following information to authenticate to the
         OpenLDAP server:

         • User Name — Specify the login name that is required by the OpenLDAP server.

         • Password — Specify the password that is required by the OpenLDAP server.

         • Confirm password — Confirm the password.

      OpenLDAP Authenticator window: Search tab
      Use the Search tab of the OpenLDAP Authenticator window to manage the search parameters for filtering
      and searching the OpenLDAP containers and sub-containers.
      Figure 192 OpenLDAP Authenticator window: Search tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.

      4 Select the Search tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Search containers — Use the fields in this table to specify container names. The following fields are
        available:

         • Search Container — Specify the container name. If needed, specify additional containers. Specify
           either a single container name or a concatenated container name (for example,
           dc=sales,dc=example,dc=com).

         • Delete — Click x to delete the server.

         • [button icon] — Displays the Network Object Manager window, in which you can add a host.







   • Navigation arrows — Use the move up and move down arrows to change the order of a
     selected action in this table.

• Search options — Use the fields in this area to specify the search options. The following fields are
  available:

   • Search scope — Specify the levels of the containers that will be searched. The following values are
     available:

       • Base — Search only in the containers defined here. When this option is selected, the valid search
         container format is an LDAP Distinguished Name, such as cn=My Name, sn=Name, o=Bizco, c=US.

       • Sub-Tree — Search in the defined containers and their sub-containers. When this option is
         selected, the valid search container format is the same as when Base is selected.

   • Apply search filter — Determines whether the filter search is to be based on a profile filter. This
     checkbox is cleared by default. If it is selected, you must specify the filter to use (for example,
     objectclass=person).

• LDAP directory identifiers — Use the fields in this area to view the directory identifiers. The following
  fields are available:

   • Directory user identifier — [Read-only] Displays the directory user identifier, which is cn.

   • Directory member identifier — [Read-only] Displays the directory member identifier, which is
     uniquemember.
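The Servers tab settings (ranked hosts, connection timeout, anonymous or credentialed bind) and the Search tab settings (scope, profile filter, directory user and member identifiers) described above for the iPlanet, Active Directory and OpenLDAP authenticators, modelled as an added example in Python; this is not McAfee code and does not use any Control Center API. The host names, service account, group names and the `simulated_connect` stand-in for a real LDAP connection are constructed for the example.

```python
"""Added example, not McAfee code: a stdlib-only model of how a Control Center
LDAP authenticator resolves a login from the settings documented on this page."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (user identifier, member identifier) as shown read-only on each Search tab. The
# guide prints the AD user identifier in lower case; canonically it is sAMAccountName.
DIRECTORY_IDENTIFIERS: Dict[str, Tuple[str, str]] = {
    "iplanet": ("uid", "uniquemember"),
    "active_directory": ("sAMAccountName", "memberOf"),
    "openldap": ("cn", "uniquemember"),
}
# LDAP protocol scope codes for the two choices the Search tab offers.
SCOPE_CODES = {"base": 0, "sub": 2}  # baseObject, wholeSubtree

@dataclass
class Server:
    host: str        # a host object; it must carry an IP address to be listed
    port: int = 389  # the documented default

@dataclass
class AuthenticatorConfig:
    directory_type: str
    servers: List[Server]                 # rank order: index 0 is the primary
    search_containers: List[str]
    scope: str = "sub"
    profile_filter: Optional[str] = None  # set when "Apply search filter" is checked
    anonymous: bool = True
    bind_user: Optional[str] = None
    bind_password: Optional[str] = None
    timeout_seconds: int = 60             # the documented default

class DirectoryUnavailable(Exception):
    """No ranked server answered within the connection timeout."""

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the typed login is matched literally and cannot add
    clauses of its own to the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(cfg: AuthenticatorConfig, login: str) -> str:
    """AND the profile filter (if any) with '<user identifier>=<login>'."""
    user_attr = DIRECTORY_IDENTIFIERS[cfg.directory_type][0]
    user_term = "(%s=%s)" % (user_attr, escape_filter_value(login))
    if not cfg.profile_filter:
        return user_term
    pf = cfg.profile_filter.strip()
    if not pf.startswith("("):
        pf = "(%s)" % pf
    return "(&%s%s)" % (pf, user_term)

def bind_parameters(cfg: AuthenticatorConfig) -> Tuple[str, Optional[str], Optional[str]]:
    """How the firewall itself authenticates to the directory before searching."""
    if cfg.anonymous:
        return ("anonymous", None, None)
    if not cfg.bind_user or not cfg.bind_password:
        raise ValueError("User name and Password are required when anonymous is cleared")
    return ("simple", cfg.bind_user, cfg.bind_password)

def connect_ranked(cfg: AuthenticatorConfig, connect: Callable[[str, int, int], object]):
    """Try servers in rank order; a lower-ranked server is used only when the one
    above it does not respond. Returns (rank, connection)."""
    for rank, srv in enumerate(cfg.servers):
        try:
            return rank, connect(srv.host, srv.port, cfg.timeout_seconds)
        except TimeoutError:
            continue
    raise DirectoryUnavailable("no %s server responded" % cfg.directory_type)

def is_member(cfg, user_dn, user_attrs, group_dn, group_attrs) -> bool:
    """Membership via the member identifier: AD stores it on the user entry
    (memberOf); iPlanet and OpenLDAP store it on the group entry (uniqueMember).
    Attribute names and DNs are compared case-insensitively (simplified DN matching)."""
    member_attr = DIRECTORY_IDENTIFIERS[cfg.directory_type][1].lower()

    def values(attrs, name):
        return {v.lower() for k, vs in attrs.items() if k.lower() == name for v in vs}

    if member_attr == "memberof":
        return group_dn.lower() in values(user_attrs, "memberof")
    return user_dn.lower() in values(group_attrs, "uniquemember")

# Constructed sample configuration and connection stand-in, not a real deployment.
AD_CONFIG = AuthenticatorConfig(
    "active_directory", [Server("dc1.example.com"), Server("dc2.example.com")],
    ["dc=sales,dc=example,dc=com"], profile_filter="objectclass=person",
    anonymous=False, bind_user="svc-firewall", bind_password="example-only")

def simulated_connect(host, port, timeout):
    """Stand-in for a real LDAP connect: dc1 never answers, dc2 does."""
    if host == "dc1.example.com":
        raise TimeoutError("%s:%d silent for %ds" % (host, port, timeout))
    return "session:%s:%d" % (host, port)
```

The escaping in `escape_filter_value` is the point a defender should check on any authenticator that interpolates a login name into a search filter: the name is data, never filter syntax.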

OpenLDAP Authenticator window: Logins tab
Use the Logins tab of the OpenLDAP Authenticator window to define the prompts displayed to users when
prompted to log into the OpenLDAP server and the maximum number of allowed login attempts.
Figure 193 OpenLDAP Authenticator window: Logins tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.

4 Select the Logins tab.

Fields and buttons
This tab has the following fields and buttons:
• Login prompt — Specify the login prompt you want to appear during the user's login process. The default
  is Username:.

• Password prompt — Specify the password prompt you want to appear during the user's login
  process. The default is Password:.

• Maximum login attempts — Specify the maximum number of allowed login attempts.







      OpenLDAP Authenticator window: Groups tab
      Use the Groups tab of the OpenLDAP Authenticator window to create a list of external user groups that are
      available when adding this authenticator to a rule. Only select external groups that are valid for this
      OpenLDAP authentication server. When creating a rule, select the external group or groups that will be
      required to authenticate when those users attempt to pass traffic that matches that rule. For more
      information about configuring external groups, see Configuring external firewall groups on page 469.
      Figure 194 OpenLDAP Authenticator window: Groups tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.

      4 Select the Groups tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Group source — Use the options in this area to determine whether this is an internal or external group
        that is allowed in proxy connections. The following options are available:

         • Internal — Indicates that this is an internally managed group.

         • External — Indicates that this is an externally created group.

      • External groups — Use the fields in this table to specify one or more external user groups to associate
        with this authenticator.

         • External Group — [Read-only] Displays the name of the external group.

         • Delete — Click x to delete the server.

         • [button icon] — Displays the External Group window, in which you can add an external group.








Configuring custom LDAP authenticators
Use the Custom LDAP Authenticator window to create and maintain your Custom LDAP authenticators.
Authenticators are used in rules to require users to authenticate to the specified server before their request
is allowed through the firewall. The primary difference between a Custom LDAP Authenticator and the other
LDAP-based authenticators is that you can customize the directory user identifier and the directory member
identifier.
Figure 195 Custom LDAP Authenticator window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Custom LDAP authenticator. Only alphanumeric characters,
  dashes (-), underscores (_), and a dot (.) are supported.

• Description — Provide information about the authenticator.

• OK — Save the changes made on the main window and on any of the tabs in this window.

• Cancel — Close this window without saving any changes.








      Tabs
      This window also has the following tabs:
      • Servers — Define and rank the Custom LDAP servers used with this firewall authenticator and specify
        how the firewall authenticates to those servers. For more information, see Custom LDAP Authenticator
        window: Servers tab on page 456.

      • Search — Manage the search parameters for filtering and searching the containers and domains for the
        specified LDAP server. For more information, see Custom LDAP Authenticator window: Search tab on
        page 457.

      • Logins — Manage the prompts displayed to users authenticating via the specified LDAP server, and set
        the maximum number of login attempts. For more information, see Custom LDAP Authenticator window:
        Logins tab on page 458.

      • Groups — Select the external groups that are used to restrict proxy connections to specific LDAP users.
        For more information, see Custom LDAP Authenticator window: Groups tab on page 459.
          Note: Create the host objects for the authentication servers, and the external groups, before configuring
          this authenticator. Host objects must have an IP address or they will not appear in the Host lists.

      Custom LDAP Authenticator window: Servers tab
      Use the Servers tab of the Custom LDAP Authenticator window to create and maintain the ranked list of LDAP
      servers that the firewall can query to authenticate users, and to specify how the firewall connects and
      authenticates to those servers. To view the fields on this tab, see Figure 195 on page 455.

      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.

      4 Make sure that the Servers tab is selected.

      Fields and buttons
      This tab has the following fields and buttons:
      • Host — Specify the LDAP server for the firewall to query when a user attempts to pass traffic matching
        a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the
        first host is unavailable. This list contains all host objects that have been created in the Network Objects
        area of the Policy group bar tree. See Network objects on page 336.

          To change the order, or rank, of the listed servers, select a server and use the up or down arrow to
          change its position. The firewall will attempt to connect to the servers in the order shown here.
          Note: To use more than one customized LDAP server as a primary server, create multiple Custom LDAP
          authenticators. The additional servers listed here are queried only when the top-ranked server does not
          respond.

      • Port — Specify the port on which the LDAP server listens. The default is port 389, which carries LDAP
        without transport encryption: simple-bind credentials (the firewall's own, and any user password that the
        firewall verifies by binding) cross the network in clear text unless the connection is protected by other
        means, so keep the path between the firewall and the directory on a trusted network segment.

      • Delete — Click x to delete the server.

      • [Add icon] — Displays the Network Object Manager window, in which you can add a host.

      • Navigation arrows — Use the move up and move down arrows to change the rank of the selected server in
        this table.

      • Connection timeout (seconds) — Specify the number of seconds for the firewall to wait before the
        connection to the LDAP server is closed due to timeout. The default is 60 seconds.








• Use anonymous connections — Determines whether the firewall binds to the LDAP server anonymously when it
  searches for users. An anonymous bind works only if the directory permits anonymous searches of the
  containers listed on the Search tab; if it does not, every authentication attempt through this
  authenticator fails.

   When this checkbox is cleared, the firewall binds with the following credentials. This account is the
   firewall's own identity on the directory: give it read access to the search containers and nothing more.

   • User Name — Specify the bind name (for most directories, a full distinguished name) that the LDAP
     server requires.

   • Password — Specify the password that the LDAP server requires for that account.

   • Confirm password — Confirm the password.

Custom LDAP Authenticator window: Search tab
Use the Search tab of the Custom LDAP Authenticator window to manage the search parameters for
filtering and searching the containers and sub-containers of the specified LDAP server.
Figure 196 Custom LDAP Authenticator window: Search tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.

4 Select the Search tab.

Fields and buttons
This tab has the following fields and buttons:
• Search containers — Use the fields in this table to specify container names. The following fields are
  available:

   • Search Container — Specify the container name. If needed, specify additional containers; they are
     searched in the order listed. Specify either a single container name or a concatenated container name
     (for example, dc=sales,dc=example,dc=com).

   • Delete — Click x to delete the search container.








         • [Add icon] — Adds an entry to the search container table.

         • Navigation arrows — Use the move up and move down arrows to change the order of the selected search
           container in this table.

      • Search options — Use the fields in this area to specify the search options. The following fields are
        available:

         • Search scope — Specify how far beneath each container the search extends. The following values are
           available:

             • Base — Search only the entry that each container name identifies, not the entries beneath it.
               When this option is selected, the container must be the full LDAP Distinguished Name of the
               entry to be searched, such as cn=My Name, sn=Name, o=Bizco, c=US.

             • Sub-Tree — Search each container entry and every entry beneath it. The container format is the
               same as when Base is selected.

         • Apply search filter — Determines whether an LDAP search filter is applied when the containers are
           searched for the user. This checkbox is cleared by default. If it is selected, you must specify the
           filter to use (for example, objectclass=person). The filter narrows which entries can authenticate:
           an entry that the filter excludes is never found, even if the user's password is correct.
      • LDAP directory identifiers — Use the fields in this area to name the attributes that the firewall reads
        from the directory. These two values are what distinguish a Custom LDAP authenticator from the other
        LDAP-based authenticators. The following fields are available:

         • Directory User Identifier — Specify the attribute whose value is matched against the login name that
           the user enters; the entry found this way is the one whose password is checked. Typical values are
           uid for OpenLDAP-style directories and sAMAccountName for Active Directory.

         • Directory Member Identifier — Specify the attribute of a group entry that lists the group's
           members; the firewall reads it when it checks the external groups selected on the Groups tab.
           Typical values are member for groupOfNames and uniqueMember for groupOfUniqueNames.

      Custom LDAP Authenticator window: Logins tab
      Use the Logins tab of the Custom LDAP Authenticator window to define the prompts displayed to users
      when prompted to log into the specified LDAP server and the maximum number of allowed login attempts.
      Figure 197 Custom LDAP Authenticator window: Logins tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.

      4 Select the Logins tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Login prompt — Specify the login prompt you want to appear during the user's login process. The default
        is Username:.

      • Password prompt — Specify the password prompt you want to appear during the user's login
        process. The default is Password:.

      • Maximum login attempts — Specify the maximum number of allowed login attempts.







Custom LDAP Authenticator window: Groups tab
Use the Groups tab of the Custom LDAP Authenticator window to create the list of external user groups that
are available when adding this authenticator to a rule. Select only external groups that exist on the
authentication servers listed on the Servers tab. When creating a rule, select the external group or groups
whose members are allowed to authenticate when they attempt to pass traffic that matches that rule. For
more information about configuring external groups, see Configuring external firewall groups on page 469.
Figure 198 Custom LDAP Authenticator window: Groups tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Authenticators node.

3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.

4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether this is an internal or external group
  that is allowed in proxy connections. The following options are available:

   • Internal — Indicates that this is an internally managed group.

   • External — Indicates that this is an externally created group.

• External groups — Use the fields in this table to specify one or more external user groups to associate
  with this authenticator.
   • External Group — [Read-only] Displays the name of the external group.

   • Delete — Click x to remove the external group from this list.

   • [Add icon] — Displays the External Group window, in which you can add an external group.
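
The flow that the Servers, Search, and Groups tabs together configure, as an added example that is not Control Center or Firewall Enterprise code: a ranked server list with failover, search containers with Base or Sub-Tree scope and an optional filter, the user identifier matched against the login name, a bind with the user's own password, and then a membership check through the member identifier of each selected external group. The directory contents, DNs, passwords, and helper names (norm_dn, in_scope, LdapServer, CustomLdapAuthenticator, AUTH) are this example's own constructions. How the real firewall treats a login name that matches more than one entry, and how it locates an external group in the directory, are not described on this page, so rejecting ambiguous matches and looking the group up by cn are choices made here.

```python
"""Search-then-bind flow of a Custom LDAP authenticator, modelled offline (added example, not product code)."""
from dataclasses import dataclass, field, replace  # replace() derives variants of AUTH with one setting changed
import hmac

def norm_dn(dn):  # lower-case and strip spaces around commas so that DNs compare reliably
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(entry_dn, base_dn, scope):  # Base: the container entry only; Sub-Tree: it and everything beneath it
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or (scope == "subtree" and e.endswith("," + b))

def has_value(entry, attr, value):  # case-insensitive test that an attribute holds a value
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def matches_filter(entry, ldap_filter):  # attr=value equality filter, as on the Search tab; None matches all
    attr, _, value = (ldap_filter or "=").strip("()").partition("=")
    return not ldap_filter or has_value(entry, attr, value)

@dataclass
class LdapServer:
    name: str
    entries: dict            # DN -> {attribute: [values]}; constructed stand-in for a real server
    available: bool = True   # False simulates a server that does not respond
    allow_anonymous: bool = True

    def __post_init__(self):  # normalise DNs and fold attribute names to lower case
        self.entries = {norm_dn(dn): {a.lower(): v for a, v in e.items()} for dn, e in self.entries.items()}

    def bind(self, dn, password):  # simple bind: dn=None is anonymous, otherwise userPassword must match
        if not self.available:
            raise ConnectionError(self.name)
        if dn is None:
            return self.allow_anonymous
        entry = self.entries.get(norm_dn(dn), {})
        return any(hmac.compare_digest(p, password) for p in entry.get("userpassword", []))

    def search(self, base, scope, ldap_filter):
        if not self.available:
            raise ConnectionError(self.name)
        return [(dn, e) for dn, e in self.entries.items()
                if in_scope(dn, base, scope) and matches_filter(e, ldap_filter)]

@dataclass
class CustomLdapAuthenticator:
    servers: list                      # Servers tab, in rank order
    containers: list                   # Search containers, in order
    scope: str = "subtree"             # Search scope: "base" or "subtree"
    search_filter: str = None          # Apply search filter
    user_identifier: str = "uid"       # Directory User Identifier
    member_identifier: str = "member"  # Directory Member Identifier
    anonymous: bool = True             # Use anonymous connections
    bind_dn: str = None
    bind_password: str = None
    external_groups: list = field(default_factory=list)  # Groups tab; located by cn (this example's choice)

    def _connect(self):  # lower-ranked servers are tried only when the higher-ranked ones do not respond
        for srv in self.servers:
            try:
                ok = srv.bind(None, None) if self.anonymous else srv.bind(self.bind_dn, self.bind_password)
            except ConnectionError:
                continue
            return srv, ok
        return None, False

    def _find(self, srv, attr, value, ldap_filter):  # entries in the search containers with attr=value
        return [(dn, e) for c in self.containers for dn, e in srv.search(c, self.scope, ldap_filter)
                if has_value(e, attr, value)]

    def authenticate(self, username, password):
        srv, bound = self._connect()
        if srv is None:
            return False, "no server responded"
        if not bound:
            return False, "firewall bind refused"
        users = self._find(srv, self.user_identifier, username, self.search_filter)
        if len(users) != 1:  # none, or more than one match: this example rejects both
            return False, "ambiguous user" if users else "user not found"
        user_dn = users[0][0]
        if not srv.bind(user_dn, password):
            return False, "bad password"
        for name in self.external_groups:  # membership is read from the member identifier attribute
            for _, group in self._find(srv, "cn", name, None):
                if norm_dn(user_dn) in [norm_dn(m) for m in group.get(self.member_identifier.lower(), [])]:
                    return True, user_dn
        return (False, "not in a selected external group") if self.external_groups else (True, user_dn)

DIRECTORY = {  # constructed sample data; a real directory never discloses userPassword like this
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["alice"], "userPassword": ["correct-horse"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["bob"], "userPassword": ["battery-staple"]},
    "uid=alice,ou=contractors,dc=example,dc=com": {"objectClass": ["person"], "uid": ["alice"], "userPassword": ["x"]},
    "cn=fw-bind,ou=service,dc=example,dc=com": {"objectClass": ["applicationProcess"], "userPassword": ["bind-secret"]},
    "cn=vpn-users,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": ["vpn-users"],
                                                 "member": ["uid=alice,ou=people,dc=example,dc=com"]},
}
AUTH = CustomLdapAuthenticator(  # ranked servers: the top one is down, so the second answers
    servers=[LdapServer("ldap1", DIRECTORY, available=False), LdapServer("ldap2", DIRECTORY, allow_anonymous=False)],
    containers=["ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"],
    search_filter="objectclass=person", anonymous=False,
    bind_dn="cn=fw-bind,ou=service,dc=example,dc=com", bind_password="bind-secret", external_groups=["vpn-users"])
```

AUTH.authenticate("alice", "correct-horse") succeeds; the same call against replace(AUTH, containers=["dc=example,dc=com"]) is rejected as ambiguous because a second alice exists under ou=contractors, and against replace(AUTH, scope="base") it fails with "user not found" because Base scope never looks beneath the container. That last case is worth remembering when troubleshooting: a wrong search container or scope produces the same symptom as a mistyped username, so verify the Search tab before suspecting the directory.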


Configuring CAC authenticators
Use the CAC Authenticator window to create and maintain your Common Access Card (CAC) authenticators.
CAC authenticators are used in rules to require users who are using CACs for authentication to authenticate
to the CAC Webserver on the firewall before their request is allowed through the firewall.
Use the Control Center Configuration Tool to create multiple CAC authenticators. To assign a specific CAC
authenticator to a firewall, go to the Settings tab of the Certificates area of the Firewall window. In the CAC
Authenticator field, select the appropriate authenticator. You must also specify a certificate on this tab to
be used by the CAC Webserver on the firewall. When creating rules in the Rule Editor window, set the
Authenticator field value to CAC, which is a placeholder. When the policy is applied, that placeholder is
replaced with the authenticator that you have specified in the CAC Authenticator field. For more
information, see Firewall window: Certificates area on page 196.
Note: This authenticator is available only for firewall versions 7.0.1.02 and later.








      For additional instructions about configuring and using a CAC authenticator, see the application note
      entitled Using the McAfee Firewall Enterprise Control Center to Configure Department of Defense Common
      Access Card Authentication on the McAfee Firewall Enterprise (Sidewinder) at mysupport.mcafee.com.
      Figure 199 CAC Authenticator window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Authenticators node.

      3 Double-click CAC Authenticators. The CAC Authenticator window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label for the CAC authenticator. Only alphanumeric characters, dashes (-),
        underscores (_), and a dot (.) are supported.

      • Description — Provide information about the authenticator.

      • Password generation — Use the fields in this area to control the one-time password that the CAC
        Webserver issues to a user and that the user then enters in the McAfee Firewall Enterprise Admin
        Console, Telnet client, or SSH client to complete the login. The following fields are available:

         • Expire one-time password after n second(s) — Specify the length of time (in seconds) that a
           one-time password is valid. Valid values are between 10 and 300 seconds. The default value is 120.

         • One-time password size: n character(s) — Specify the length of or the number of characters for
           the one-time password that is generated. Valid values are between 8 and 128. The default value is 12.

      • Webserver configuration — Use the field in this area to specify the TCP port on which the CAC
        Webserver will listen. The following field is available:

         • Port (1 - 65535) — Specify the TCP port on which the CAC Webserver will listen. Valid values are
           between 1 and 65535. The default port is 9006.

      • OK — Save the changes made on this window.

      • Cancel — Close this window without saving any changes.
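
The two Password generation settings, exercised in an added example that is not Firewall Enterprise code: a store that validates the expiry (10 to 300 seconds) and size (8 to 128 characters) ranges, issues a random one-time password, keeps only a hash of it, and refuses it after expiry or after one successful use. That the password is issued only after the card's certificate has been accepted, and that a wrong entry leaves the issued password valid until its deadline, are assumptions of this example, not statements from the guide; the OneTimePasswordStore and FakeClock names are this example's own, and FakeClock exists only to exercise expiry without waiting.

```python
"""Time-limited, single-use one-time passwords of the kind a CAC authenticator issues (added example, not product code)."""
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits

class OneTimePasswordStore:
    """Issues and redeems one-time passwords under the CAC Authenticator window's two settings."""

    def __init__(self, expire_seconds=120, size=12, clock=time.monotonic):
        if not 10 <= expire_seconds <= 300:
            raise ValueError("expiry must be between 10 and 300 seconds")
        if not 8 <= size <= 128:
            raise ValueError("size must be between 8 and 128 characters")
        self.expire, self.size, self.clock = expire_seconds, size, clock
        # user -> (sha256 digest, deadline); the password itself is never stored, and with 62^size
        # possibilities it is too random for an unsalted digest to be reversed by guessing
        self._issued = {}

    def issue(self, user):
        """Issue a fresh password for a user whose card was accepted (assumption); replaces any earlier one."""
        pw = "".join(secrets.choice(ALPHABET) for _ in range(self.size))
        self._issued[user] = (hashlib.sha256(pw.encode()).digest(), self.clock() + self.expire)
        return pw

    def redeem(self, user, candidate):
        """True exactly once per issued password, and only before it expires."""
        record = self._issued.get(user)
        if record is None:
            return False
        digest, deadline = record
        if self.clock() > deadline:
            del self._issued[user]  # expired: discard it so that it can never be used
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(candidate.encode()).digest()):
            return False  # wrong entry: the issued password stays valid until its deadline (assumption)
        del self._issued[user]  # correct: consume it so that a replayed password is refused
        return True

class FakeClock:
    """Adjustable clock for exercising expiry without waiting (test aid, not part of the design)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now
```

With a clock that can be advanced, the three failure modes a reviewer would check are easy to drive: a password redeemed twice, a password presented after its deadline, and settings outside the ranges the window accepts.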








Firewall users
       The Control Center provides interfaces to manage two types of firewall users:
       • Control Center users — These are users of the Control Center tools and interfaces. These administrative
         users are managed by using the Administration Tool. For more information, see Control Center users on
         page 81.

       • Firewall administrators and users — These are users, often with administrative privileges, who can
         authenticate to, or through, the firewall. The privileges and definition requirements vary by firewall type.
         For information about defining the different user types, see Configuring firewall users on page 462 and
         Configuring firewall administrators on page 464. For information about user groups, see Configuring
         firewall user groups on page 468 and Configuring external firewall groups on page 469.


       Firewall administrators, users, user groups, and external groups
       On the firewall, administrators are people who have accounts on the firewall and who can be granted
       permission to log directly into the firewall. Most administrators also have a home directory on the firewall.
       Users are also people who have accounts on the firewall. However, they can be granted permission to
       access network services only through the firewall. Access is controlled using rules; accounts must be
       assigned to a group before the accounts can be assigned to a rule.
       The differences in the two types of accounts are described here:
       • Administrators — An administrator is someone who logs directly into the firewall to perform
         administrative activities. Each administrator account has a home directory and a password stored on the
         firewall. This is the password information that is used if administrators are required to authenticate using
         the Password authentication service.

           The administrator accounts can be added to a user group and then can be added to rules that require
           authentication to manage access to services.

       • Users — A user is someone who uses the networking services provided by the firewall. User accounts can
         be added to user groups and then can be used in rules that require authentication to manage access to
         services.

           • Users for Windows and RADIUS are maintained on their respective remote servers. However, the user
             groups for Windows and RADIUS must also be maintained on the firewall by using the User Groups
             window.

           • Users and user groups for other authentication methods are created and maintained on the respective
             remote servers.

       The differences in the two types of groups are described here:
       • User groups — A user group is a logical grouping of one or more users. A user group can be assigned to
         a rule to restrict access to services on and through the firewall. User groups are selected in the
         Internal User Groups list on the Rules page. In general, a single user group contains either
         administrator accounts or user accounts, not both.








      • External groups — An external group is a logical grouping of one or more users whose user database
        is stored on a remote authentication server. Authenticators that support external groups are:

          • SafeWord

          • iPlanet

          • Active Directory

          • OpenLDAP

          • Custom LDAP

          An external group must first be assigned to an authenticator. When that authenticator is used in a
          rule, you can then select that external group.


      Configuring firewall users
      Use the Firewall User Manager - Users window to create and maintain user accounts to be stored on the
      firewall. To grant or deny a user access to a network resource, first add the user to a user group. Then
      create a rule that specifies the desired authenticator, and then select the appropriate user group in the
      Internal User Groups list.
      Figure 200 Firewall User Manager - Users window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Users node to expand the tree and then double-click Users. The Firewall User Manager - Users
          window is displayed.








Fields and buttons
This window has the following fields and buttons:
• Object Name — Specify a unique object name for the user account. The name that is specified in this
  field is displayed in the Username field. However, if you use uppercase letters in this field, they display
  as lowercase letters in the Username field.

• Description — Provide information about the user account.

• Type — Specify the type of account to be defined for a firewall. The following values are available:

    • Users — A network user who uses the networking services provided by the firewall. This is the default
      value.

    • Administrators — An administrator who can connect directly to the firewall to perform administrative
      functions.
        Note: If you select Administrators as the Type, the window changes to the Firewall User Manager -
        Administrators window. Refer to the help topics associated with that window to configure administrators.

• Username — Specify the username the user must provide when he or she logs in. Only alphanumeric
  characters are supported, and there is a maximum of 16 characters. The username must begin with a
  letter. Generally, this is the same as the Object Name.

• Employee ID — Specify the user's employee ID.

• Organization — Specify the user's organization.

• User Field 1-4 — Specify any additional information that your organization requires. For example, if you
  will be generating chargeback reports for authenticated FTP, Telnet, or HTTP connections, you might
  specify account numbers in these fields.

• Password Options — Use the fields in this area to specify password information for this user. The
  following fields are available:

    • Password — Specify the password associated with this user account. The password can be created
      manually or automatically.

        To create a password manually, type a password in the Password field. The characters appear as
        asterisks (*). There is an 8-character minimum. Use these guidelines to create a strong password:

        • Use passwords that are at least eight characters in length.

        • Use a mix of upper- and lowercase letters, and non-alphabetic characters such as symbols and
          numbers.

        • Do not use any easily guessed words or words found in a dictionary, including foreign languages.

        After you click OK, you are asked to verify the password.

        To automatically create a password, click Generate. The generated password displays in clear text in
        the Password field, so generate it only when no one else can see the screen.
        Note: This password will not be visible after you click OK. If the user forgets the password, you will need to
        create a new password for this account.

    • Discard Password Info — Determines whether to delete the user’s password account from the
      database. You might want to do this if you are changing a user’s authentication method from password
      to SafeWord, for example, and you need to remove the previous password information.

• OK — Save the changes in this window.

• Cancel — Close this window without saving any changes.

• Versions — Click this button to view a display of all of the fields on this window that have version-specific
  availability. You can also view this same information at the field level by holding your mouse over the
  version level icon and viewing the ToolTip.







      Configuring firewall administrators
      Use the Firewall User Manager - Administrators window to create and maintain firewall administrator
      accounts. A firewall administrator is someone who logs directly into the firewall to perform administrative
      activities. Each account also has a /home/username directory on the firewall. You must assign each firewall
      administrator to a firewall before he or she can log directly into that firewall. You must also assign each
      administrator a role that indicates the privileges that he or she has on the selected firewalls.
      Access to the firewall is controlled using rules. By default, firewall access is controlled by the Login
      Console, Admin Console, and Secure Shell Server rules, which allow access from anywhere on the internal
      burb to the firewall's internal burb and require password authentication. These rules are needed only when
      an administrator connects directly to the firewall instead of using the Control Center Client Suite; where
      all administration is done through the Control Center, they are not required.
      Figure 201 Firewall User Manager - Administrators window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Users node to expand the tree and then double-click Administrators. The Firewall User
          Manager - Administrators window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Object Name — Specify a unique object name for the administrative account. Generally, this is the same
        as the username.

          The name that you specify in this field is displayed in the Username field. However, if you use
          uppercase letters in this field, they display as lowercase letters in the Username field.








• Description — Provide information about the configured administrative account.

• Type — Specify the type of account to be defined for a firewall. The following values are available:

    • Administrators — An administrator who can connect directly to the firewall to perform administrative
      functions. This is the default value.

    • Users — A network user who uses the networking services provided by the firewall.
        Note: If you select Users as the value for the Type field, the window changes to the Firewall User
        Manager - Users window. Refer to the help topics associated with that window to configure users.

• OK — Save the changes in this window and on all tabs on this window.

• Cancel — Close this window without saving any changes.

• Versions — Click this button to view a display of all of the fields on this window that have version-specific
  availability. You can also view this same information at the field level by holding your mouse over the
  version level icon and viewing the ToolTip.

Tabs
This window has the following tabs:
• Account Information — Specify the login ID and password and provide administrator identification
  information. For more information, see Firewall User Manager - Administrators window: Account
  Information tab on page 465.

• Firewalls — Associate this account with one or more firewalls in your enterprise network. For more
  information, see Firewall User Manager - Administrators window: Firewalls tab on page 467.

Firewall User Manager - Administrators window: Account Information tab
Use the Account Information tab to create and maintain firewall login, identification, and password
information for this administrator account. The administrator's level of privilege and default login shell are
also configured on this tab. To view the fields on this window, see Figure 201 on page 464.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Users node to expand the tree and then double-click Administrators. The Firewall User
    Manager - Administrators window is displayed.

3 Make sure that the Account Information tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Username — Specify the username that the administrator must provide at login time. Only alphanumeric
  characters are supported, and there is a maximum of 16 characters. The username must begin with a
  letter. Generally, this is the same as the value of the Object Name field.
    Caution: Do not use uppercase characters in the username, because sendmail converts the user name to
    lowercase before mail is delivered. Any mail addressed to a user name that contains uppercase characters
    will therefore not be forwarded.

• Employee ID — Specify the administrator's employee ID.

• Organization — Specify the administrator's organization.

• User Field 1-4 — Specify any additional information that your organization requires. For example, if you
  will be generating chargeback reports for authenticated FTP, Telnet, or HTTP connections, you might
  specify account numbers in these fields.

• Full Name — Specify the administrator's full name.








      • Office — Specify the administrator's office address.

      • Office Phone — Specify the administrator's office phone number.

      • Home Phone — Specify the administrator's home phone number.

      • Home Directory — Specify the home directory for this administrator. The default value for this field is
        /home/username.

      • Login Shell — Specify the UNIX shell that will be used when this administrator logs in.

      • Role — Specify the authorized roles for this administrator. This role determines the level of access this
        administrator account is allowed on the firewall or firewalls selected on the Firewalls tab of the Firewall
        User Manager - Administrators window. The following values are available:

          • Admin — Grants administrator privileges for all areas. This is the default.

          • Admin Read Only — Grants read privileges only. This role allows an administrator to view all system
            information, as well as create and run audit reports. An administrator with read-only privileges cannot
            commit changes to any area of the firewall.

          • Admin no privileges — Limits access to the firewall. An administrator with no admin privileges cannot
            log into the firewall. This role is generally used to temporarily disable an administrator account.

      • CAC Certificate — [Available only for firewall version 7.0.1.02 and later] Specify the Common Access
        Card (CAC) remote certificate for this administrator. This list displays all of the remote certificates. The
        default value is <None>.

      • Password Options — Use the fields in this area to specify password information for this user. The
        following fields are available:

          • Password — Specify the password associated with this user account. The password can be created
            manually or automatically.

              To create a password manually, type a password in the Password field. The characters appear as
              asterisks (*). There is an 8-character minimum. Use these guidelines to create a strong password:

              • Use passwords that are at least eight characters in length.

              • Use a mix of upper- and lowercase letters, and non-alphabetic characters such as symbols and
                numbers.

              • Do not use any easily guessed words or words found in a dictionary, including foreign languages.

              After you click OK, you are asked to verify the password.

              To automatically create a password, click Generate. The generated password displays in clear text in
              the Password field, so generate it only when no one else can see the screen.
              Note: This password will not be visible after you click OK. If the user forgets the password, you will need to
              create a new password for this account.

          • Discard Password Info — Determines whether to delete the user’s password account from the
            database. You might want to do this if you are changing a user’s authentication method from password
            to SafeWord, for example, and you need to remove the previous password information.
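
The username rule and caution above, and the password guidelines that appear on both this tab and the Firewall User Manager - Users window, written as checks in an added example that is not Control Center code: a username must be letters and digits only, at most 16 characters, start with a letter, and be lower case; a password needs at least eight characters, a mix of upper- and lowercase letters with digits or symbols, and must not be a dictionary word. A Generate-style random password that satisfies those checks is included. The word list is a constructed sample, and the firewall's own validation may differ from these checks, so treat them as a pre-check before entering values, not as the product's rules.

```python
"""Username and password rules from the Firewall User Manager windows, as checks (added example, not product code)."""
import re
import secrets
import string

USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,15}")  # letters and digits, at most 16 chars, starts with a letter
SAMPLE_DICTIONARY = {"password", "welcome", "firewall", "qwerty", "letmein"}  # constructed; use a real word list
SYMBOLS = "!@#$%^&*-_+=?"

def check_username(name):
    """Return the rule violations for a username; an empty list means it is acceptable."""
    problems = []
    if not USERNAME_RE.fullmatch(name):
        problems.append("must be 1-16 letters or digits and start with a letter")
    if name != name.lower():  # the firewall folds it to lower case and sendmail will not deliver to the mixed-case form
        problems.append("must be lower case")
    return problems

def check_password(pw, dictionary=SAMPLE_DICTIONARY):
    """Return the guideline violations for a password; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("needs a digit or a symbol")
    # Compare the alphabetic core, so that 'Password1!' is still recognised as a dictionary word
    if "".join(c for c in pw if c.isalpha()).lower() in dictionary:
        problems.append("based on a dictionary word")
    return problems

def generate_password(length=12):
    """Like the Generate button: a random password that satisfies check_password. It is shown once; record it securely."""
    if length < 8:
        raise ValueError("minimum length is 8")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:  # rejection sampling: draw uniformly, keep only passwords that pass the checks
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```

check_password("Password1!") reports a dictionary word even though the string satisfies the length and character-mix rules, which is the case the third guideline exists for; the eight-character minimum is the floor the window enforces, not a target.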








Firewall User Manager - Administrators window: Firewalls tab
Use the Firewalls tab of the Firewall User Manager window to associate an administrator account with one
or more firewalls. Each administrator is given a home directory on the assigned firewalls.
You can choose to automatically delete the administrator's home directory when deleting an account or
when removing an account from a particular firewall. See the Delete home directory upon deletion of
user checkbox in the Miscellaneous area of the Firewall window.
Figure 202 Firewall User Manager - Administrators window: Firewalls tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the Users node to expand the tree and then double-click Administrators. The Firewall User
    Manager - Administrators window is displayed.

3 Select the Firewalls tab.

Fields and buttons
This tab has the following field:
• Firewall — Specify the firewalls on which this account will be created. To create this administrator
  account on all firewalls, select ALL FIREWALLS.








      Configuring firewall user groups
      Use the Firewall User Manager - User Groups window to create and maintain user groups. A user group is a
      logical grouping of one or more users, identified by a single name. You can nest one or more groups inside
      of another group. User groups are used in rules with Passport, Password, Windows, or RADIUS
      authenticators, and are listed in the Internal User Groups list.
      You can lock out users who fail a specified number of consecutive authentication attempts. Lockout settings
      are managed in the Miscellaneous area of the Firewall window. There is also a report that lists users who
      are currently locked out of the firewall due to exceeded authentication failures. To view the report, in either
      the Configuration Tool or in the Reporting and Monitoring Tool, right-click the Firewall node or a specific
      firewall, and then select Firewall Reports > Authentication- Locked Out Users.
      Figure 203 Firewall User Manager - User Groups window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the Users node to expand the tree and then double-click User Groups. The Firewall User Manager -
          User Groups window is displayed.

      Fields and buttons
      This window has the following fields and controls:
      • Object Name — Specify the name of the group. A group name can contain a maximum of 100 characters.
        Numbers, uppercase letters, lowercase letters, periods (.), underscores (_), and spaces ( ) are allowed.
        The name must begin with a letter.

      • Description — Provide information about the user group.

      • Group Members — Specify the group members to be included in this group from the list of all of the
        available group members.

          A group's members can also be viewed by expanding the specific group in the User Group subnode
          beneath the Users node.

          The icons that precede the group member name indicate the member type:

          • [Users icon] Users

          • [Administrators icon] Administrators

          • [User groups icon] User groups (also known as internal user groups)

          In general, a user group contains only users or only administrators. Because groups can be added to
          other user groups, they are also listed as group members.


468   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Firewall users




• OK — Save the changes in this window.

• Cancel — Close this window without saving any changes.


Configuring external firewall groups
Use the External Group window to create external groups that are used in rules to restrict access to
services through the firewall. Create external groups that correspond to specific user groups on remote
authentication servers. Then assign the external groups to the appropriate authenticator server by using
the authenticator windows. To use an external group in a rule, you must assign the group to an
authenticator and then select that authenticator and the group when creating the rule.
Figure 204 External Group window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the Users node to expand the tree and then double-click External Groups. The External Group
    window is displayed.

Fields and buttons
This window has the following fields and controls:
• Name — Specify a label for the external group. This name must exactly match the corresponding group
  name on an external authentication server.

• Description — Provide information about the external group.

• OK — Save the changes in this window.

• Cancel — Close this window without saving any changes.








Time periods
       You can specify periods of time when a rule is in effect. Use the Time Period Manager window to create
       these time periods. See Managing time periods on page 470.


       Managing time periods
       Use the Time Period Manager window to create and maintain time periods. Time periods are used in rules to
       indicate when a rule is in effect. For more information, see Configuring rules on page 533.
       Figure 205 Time Period Manager window




       Accessing this window
       1 In the Configuration Tool, select the Policy group bar.

       2 Double-click the Time Periods node. The Time Period Manager window is displayed.

       Fields and buttons
       This window has the following fields and buttons:
       • Name — [Required] Specify a label for this time period.

       • Description — Provide information about this time period.
       • Type — Specify the type of time period to use. The following values are available:

          • Continuous — Indicates that a rule is active for a single continuous span of time once per week. If this
            option is selected, the Start and End controls are enabled.

          • Recurring — Indicates that a rule is active on particular days and times every week. If this option is
            selected, the Days of Week and Times fields are enabled. This is the default value.

       • Days of Week — [Displayed only if the selected Type value is Recurring] Specify the days of the week
         on which a rule is active. The following options are available:

          • Every Day of the Week — Indicates that the rule is active every day of the week. This checkbox is
            selected by default.

          • S M T W Th F Sa — Indicates that the rule is active on the selected days of the week. When the Every
            Day of the Week checkbox is cleared, you can click the toggle button representing the day of the week
            to include or exclude. When the field is blue, its value is included in the time period.








      • Times — [Displayed only if the selected Type value is Recurring] Specify the times during which a rule
        is active. The following options are available:

         • All Day — Determines whether the rule is active 24 hours of the selected days in the Days of Week
           field. This checkbox is selected by default.

         • Start — Specify a starting time for the rule to become active on each selected day of the week. When
           the All day checkbox is cleared, you can type or select the start time.

         • End — Specify an ending time for the rule to be active on each selected day of the week. When the
           All day checkbox is cleared, you can type or select the end time.

      • Start — [Displayed only if the selected Type value is Continuous] Specify the day of the week and the
        time when the rule becomes active each week.

      • End — [Displayed only if the selected Type value is Continuous] Specify the day of the week and the time
        when the rule becomes inactive until the following week.

      • OK — Save the changes in this window.

      • Cancel — Close this window without saving any changes.
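The Recurring and Continuous types above differ in how a rule's active window is evaluated: a recurring period is checked day by day against a daily Start/End, while a continuous period is one span per week that may wrap past Sunday midnight. The following Python is an added example (not part of the product or this guide) that models both types and answers "is a rule bound to this time period in effect now?"; the dictionary layout, the `recurring`/`continuous` constructors and the `is_active` function are assumptions made for the illustration, and it assumes a recurring Start is earlier than End on the same day, which is the only case the guide describes.

```python
from datetime import datetime

# Day names indexed the same way as datetime.weekday(): Monday = 0 ... Sunday = 6.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _minutes(hhmm):
    """'HH:MM' -> minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def recurring(days=None, start=None, end=None):
    """Recurring type (the default in the guide).

    days:  names from DAYS, or None for 'Every Day of the Week'.
    start: 'HH:MM' on each selected day; start and end both None means 'All Day'.
    Assumption: start is earlier than end on the same day (no overnight spans).
    """
    if (start is None) != (end is None):
        raise ValueError("start and end must be given together")
    if start is not None and _minutes(start) >= _minutes(end):
        raise ValueError("start must be earlier than end")
    return {
        "type": "recurring",
        "days": None if days is None else {DAYS.index(d) for d in days},
        "start": None if start is None else _minutes(start),
        "end": None if end is None else _minutes(end),
    }


def continuous(start_day, start, end_day, end):
    """Continuous type: one span per week, from start_day/start until end_day/end.

    Positions are minutes from Monday 00:00; a span whose end position is
    smaller than its start wraps across the week boundary.
    """
    return {
        "type": "continuous",
        "start": DAYS.index(start_day) * 1440 + _minutes(start),
        "end": DAYS.index(end_day) * 1440 + _minutes(end),
    }


def is_active(period, when):
    """True if a rule bound to `period` is in effect at `when` ('YYYY-MM-DD HH:MM')."""
    moment = datetime.fromisoformat(when)
    day, minute = moment.weekday(), moment.hour * 60 + moment.minute

    if period["type"] == "recurring":
        if period["days"] is not None and day not in period["days"]:
            return False
        if period["start"] is None:                 # All Day on the selected days
            return True
        return period["start"] <= minute < period["end"]

    # Continuous: compare positions within the week.
    position = day * 1440 + minute
    start, end = period["start"], period["end"]
    if start <= end:
        return start <= position < end
    return position >= start or position < end      # span wraps past Sunday midnight


if __name__ == "__main__":
    office_hours = recurring(["Mon", "Tue", "Wed", "Thu", "Fri"], "08:00", "17:00")
    weekend_window = continuous("Fri", "18:00", "Mon", "06:00")
    print(is_active(office_hours, "2009-06-03 09:30"))    # Wednesday morning
    print(is_active(weekend_window, "2009-06-08 05:00"))  # early Monday, still inside
```

End times are treated as exclusive, so a rule with End 17:00 is no longer in effect at exactly 17:00; an operator who needs the rule to cover the 17:00 minute should set End to 17:01.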



VPN
      A Virtual Private Network (VPN) securely connects networks and nodes to form a single, protected network.
      The data is protected as it tunnels through unsecured networks, such as the Internet or intranets. The VPN
      ensures data origin authentication, data integrity, data confidentiality, and anti-replay protection. A VPN
      works by encapsulating packets and sending them to a VPN peer for decapsulation. The encapsulated
      packets can be sent in the clear on the unsecured network between the VPN peers.
      The VPN is a security gateway between trusted and non-trusted networks that protects network access,
      network visibility, and network data.
      The two types of supported VPN connections are gateway-to-gateway and host-to-gateway.
      A gateway-to-gateway VPN is often used when passing traffic from firewall to firewall between offices located in
      different cities. In this configuration, each gateway is identified by its IP address. Any end of the VPN can
      initiate and respond to a VPN connection. In the following illustration, the gateway-to-gateway tunnel
      connects networks A and B via Security Gateway A and Security Gateway B to form a VPN.




      In a host-to-gateway connection, one or more single remote hosts (also known as road warriors) connect to
      a protected network. This type of VPN access is often used to provide access to protected business-related
      services for external users, such as telecommuters, a company’s mobile sales force, and extranet partners.
      VPN hosts are typically end-user (personal) computers equipped with IPsec-based VPN client software. The
      client software is invoked to establish a secure connection with the VPN. Unlike a gateway-to-gateway VPN
      which automatically allows either node to initiate or respond to a connection, a host-to-gateway VPN must
      be configured to allow a secure connection initiated by the VPN client software. These connections are








      different from gateway-to-gateway connections because the physical IP address of the host is not always
      known in advance. In the above illustration, the host-to-gateway tunnel connects the remote host running
      a VPN client to Security Gateway B. If the remote host authenticates successfully, it can access resources in
      Network B. The administrator of Security Gateway B is responsible for setting up a security policy for the
      remote hosts.
      VPN hosts initiate the negotiation with the Internet Key Exchange (IKE) service on the firewall. After the
      host is authenticated by IKE, the IPsec parameters are negotiated, and a secure tunnel to the firewall is
      established.
      Client software for VPN hosts often has the capability of configuring a virtual IP address to use after
      communication with the security gateway is established. The virtual IP address is assigned to the VPN host
      user. This enables remote users to appear as internal users on a private network. When a virtual address is
      used, the source address of traffic originating from the VPN host is different from its physical address.
      Note: Virtual addresses (addresses located on the host end of a VPN tunnel) do not need to be routable; however,
      packet filter parsing generates warning messages for non-routable addresses that it encounters. To avoid these
      warning messages, it is strongly recommended that you configure a default route.

      For more information on understanding the basics of VPNs, see the first section of the VPN chapter in the
      McAfee Firewall Enterprise (Sidewinder) Administration Guide.


      Configuration features

      Configuration sequence
      As a guide, define a VPN configuration in the following order:
      1 Certificates

      2 Global information in the device-specific firewall manager window

      3 Client Configuration objects

      4 VPN Peer objects (can be created by using the VPN Wizard)

      5 VPN Community objects (can be created by using the VPN Wizard)

      More detailed descriptions of each step are found below.

      Certificates
      If your organization uses certificates to authenticate peers in its VPNs, configure those certificates before
      running the VPN Wizard or creating the necessary peers and community. While you can occasionally
      request a certificate directly from an authentication window, the best practice is to have all certificates
      available before configuring the VPN components.
      For more information, see CA certificates on page 512.

      Device-specific firewall
      Each device-specific firewall window supports some global configuration information for all VPN
      configurations.
      For each firewall, the firewall certificate management is handled in the Certificates area of the
      firewall-specific window. Server settings are also managed in this area. You can configure settings for the
      firewall Certificate server and assign certificates to various firewall-hosted servers that they then use to
      present when clients request a secure, authenticated connection. For more information, see Configuring the
      firewall on page 170.








Client configuration objects
A VPN Client Configuration is used to establish a network configuration for a VPN client so that it can
operate on the private side of a firewall.
When a remote host connects to the firewall using a VPN client, you may want the host to appear as if it is
located on an internal network (for example, a network behind the firewall). To provide this capability, you
create one or more virtual subnets of IP addresses which can be assigned to remote clients as they
successfully connect using a VPN. You can use host and subnet network objects to create the virtual
subnet. You can also map fixed addresses to specified remote clients from the pool of virtual addresses. A
fixed IP mapping enables a remote client to initiate a VPN, present identifying information, and then be
assigned the fixed address. The fixed addresses that you specify must be within the range of available IP
address as defined by the client configuration. Once an address is assigned, the remote client appears to be
part of the protected network. The client configuration can also make specific DNS and/or WINS servers
available to the client.
If you are creating a host-to-gateway VPN, create the necessary client configuration object before running
the VPN Wizard or creating the necessary peers and community. You can then associate the communities
with the appropriate firewall while you are using the VPN Wizard or creating the individual peers.

Wizard
The simplest way to create a VPN channel is to use the VPN Wizard. This wizard takes you through creating
the necessary peers, setting the required cryptographic parameters, and selecting the authentication
method. When the wizard completes, it adds a new community object and any new peer objects to the
appropriate VPN areas. These objects can then be tweaked individually, without running the wizard again.
(For firewalls, this process is the equivalent of creating a new VPN definition.)

Peer objects
Each VPN node and all or part of its protected domain is configured as a VPN peer by using the VPN Peer
window. These defined VPN peers participate in VPN Communities.
A gateway peer is that gateway that is described by its IP address, a set of protected networks behind it,
and identities and certificates it presents during authentication. Gateway peers can consist of a managed
firewall or an unmanaged gateway with a static IP address.
A Road Warrior peer (a set of VPN clients) is described by a set of protected networks, and the identities
and certificates it presents during authentication. A Road Warrior peer may connect only to a gateway peer.

Community objects
VPN Communities provide a mechanism for sharing VPN properties between two or more VPN peers. These
properties include authentication methods, such as certificates and pre-shared keys; and cryptographic
properties, such as IKE version and modes, encryption and hash strength, and other advanced options.
A community is a set of tunnels that share the same authentication and behavioral attributes. A community
is described as a set of peers and a topology. The tunnel definitions are created automatically by combining
pairs of peers according to the topology. These topologies correspond to the three types of VPN
communities:
• Mesh — A mesh community is a type of gateway-to-gateway VPN in which a secure channel is defined
  between all participating gateways. The mesh topology establishes a tunnel between each pair of peers.

• Star — A star community is a type of gateway-to-gateway VPN in which a secure channel is defined
  between the central gateway and each satellite gateway. The star topology uses a specified central peer
  and establishes a tunnel between it and each of the other peers. A star topology with only two peers is
  indistinguishable from a mesh topology. Secure channels are not defined between satellite gateways.

• Remote Access — A remote access community is a host-to-gateway VPN. A secure channel is defined
  based on a specific interface of a particular firewall. The remote access topology requires exactly one
  gateway peer and one remote access peer. It is the only topology in which a remote host can participate.
  This model uses a peer object for the remote road warrior peer, but uses the community object to store
  information about the local gateway peer—which allows connections from the remote peer by opening an
  interface for the tunnel rather than knowing a remote peer address.








      As a configuration convenience, a community can exist with fewer than two peers. This allows the operator to
      pre-configure specific future-use scenarios.


      Components and considerations
      Several firewall components must be taken into account when you configure a VPN, including:
      • Rules

      • Network Address Translation (NAT)

      • Proxies

      • Remote Hosts

      Rules
      In general, all packets that enter or leave the firewall by way of a VPN must pass through a rule. On the
      firewall, if the packets that are coming into the firewall are to cross a burb boundary, you must create a
      rule to allow that traffic from its termination burb to its destination burb. A termination burb is where the
      traffic arrives from the VPN channel and is decapsulated. It is recommended that you use a virtual burb as
      the termination burb and then configure policy to move the unencrypted traffic from that burb to its
      appropriate destination. Because the default behavior of any firewall is to drop IP packets that do not match
      a configured rule, it is necessary to ensure that any tunneled traffic from remote gateways or hosts is
      covered by a corresponding rule. Configure rules by using the Rule Editor window.

      Network Address Translation (NAT)
      The basic premise behind NAT is that the IP addresses of internal hosts either cannot be or should not be
      exposed to the external network. NAT changes an outbound IP packet's header, replacing the actual source
      IP address with an alias IP address. For inbound packets, the destination IP address specifies the alias
      address. NAT replaces this address with an internal host's IP address before passing the packet on to the
      internal network.
      If NAT has not been enabled for a particular VPN tunnel, the VPN rules that are associated with the tunnel
      can be defined normally, specifying the internal network or hosts as the local endpoints. If, however, NAT
      has been enabled for a particular VPN tunnel, the VPN rules that are associated with the tunnel must
      specify the appropriate alias as the local endpoint.
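The Rules and NAT passages above describe two decisions the firewall makes on every decapsulated packet: it must match a rule from the termination burb to its destination burb or be dropped, and, when NAT is enabled on the tunnel, the rule must name the alias rather than the internal host because the inbound packet still carries the alias as its destination when the rule is evaluated. The following Python is an added example (not the product's rule engine) that simulates both decisions on constructed packets; the `ROUTES` table, the `NAT_MAP`, the rule and packet layouts and all addresses are assumptions made for the illustration.

```python
import ipaddress

ALLOW, DROP = "allow", "drop"

# Constructed routing view: which burb owns each destination network.
# 172.16.5.0/24 is the alias range a NAT-enabled tunnel exposes for 10.10.5.0/24.
ROUTES = {
    "10.10.0.0/16": "internal",
    "172.16.5.0/24": "internal",
    "192.0.2.0/24": "dmz",
}

# Constructed NAT mapping for the tunnel: alias address -> real internal host.
NAT_MAP = {"172.16.5.10": "10.10.5.10"}


def burb_for(address):
    """Burb that a destination address routes to; anything unknown is external."""
    addr = ipaddress.ip_address(address)
    for network, burb in ROUTES.items():
        if addr in ipaddress.ip_network(network):
            return burb
    return "external"


class Rule:
    def __init__(self, name, src_burb, dst_burb, src_net, dst_net):
        self.name = name
        self.src_burb, self.dst_burb = src_burb, dst_burb
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)

    def matches(self, pkt):
        return (pkt["src_burb"] == self.src_burb
                and burb_for(pkt["dst"]) == self.dst_burb
                and ipaddress.ip_address(pkt["src"]) in self.src_net
                and ipaddress.ip_address(pkt["dst"]) in self.dst_net)


def evaluate(rules, pkt, nat_map=None):
    """First matching rule wins; traffic that matches no rule is dropped.

    NAT translation of the alias happens only after a rule has allowed the
    packet, so the rule itself has to be written against the alias.
    Returns (decision, rule name, destination after translation)."""
    for rule in rules:
        if rule.matches(pkt):
            translated = (nat_map or {}).get(pkt["dst"], pkt["dst"])
            return ALLOW, rule.name, translated
    return DROP, None, None


def decapsulated(src, dst, termination_burb="vpn_virtual"):
    """A packet as it appears after leaving the tunnel in the termination burb."""
    return {"src": src, "dst": dst, "src_burb": termination_burb}


# Tunnel without NAT: the real internal network is the local endpoint.
RULES_PLAIN = [Rule("vpn-to-internal", "vpn_virtual", "internal", "10.20.0.0/16", "10.10.0.0/16")]
# NAT-enabled tunnel: the alias range is the local endpoint.
RULES_NAT = [Rule("vpn-to-alias", "vpn_virtual", "internal", "10.20.0.0/16", "172.16.5.0/24")]


def scenarios():
    """Decisions for a few constructed packets from remote network 10.20.0.0/16."""
    return {
        "plain_allowed":  evaluate(RULES_PLAIN, decapsulated("10.20.1.5", "10.10.5.10")),
        "dmz_no_rule":    evaluate(RULES_PLAIN, decapsulated("10.20.1.5", "192.0.2.7")),
        "nat_wrong_rule": evaluate(RULES_PLAIN, decapsulated("10.20.1.5", "172.16.5.10"), NAT_MAP),
        "nat_alias_rule": evaluate(RULES_NAT, decapsulated("10.20.1.5", "172.16.5.10"), NAT_MAP),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:16} {decision}")
```

The `nat_wrong_rule` case is the one that surprises operators: the rule looks correct because it names the internal host, yet every packet from the NAT-enabled tunnel is dropped because the address on the wire is the alias.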

      Remote hosts and extended authentication (XAUTH)
      When a remote host is being used by an individual who is traveling or working from home, there is typically
      no way to know the IP address of the remote host's gateway or the IP address of the remote host itself.
      Special consideration may need to be given to VPN tunnels and rules for remote hosts.
      VPN tunnel configurations for remote hosts specify a firewall interface as the peer. This allows phase 1
      negotiations through the interface, regardless of the remote host's gateway IP address. However, the
      corresponding VPN rule must specify the IP address of the remote host or the range of IP addresses in
      which the remote host can be found. To solve this problem, the VPN client software on the remote host
      must allow the user to specify a virtual IP address or must be able to accept an IP address that is
      dynamically assigned by the firewall.
      To further enhance security, it is important that a user authenticates separately with the firewall. When
      possible, configure the VPN to use Extended Authentication (XAUTH). In addition to the normal
      authentication checks that are inherent during the negotiation process at the start of every VPN
      association, Extended Authentication goes one step further by requiring the person who is requesting the
      VPN connection to validate his or her identity. The Extended Authentication option is most useful if you
      have traveling employees who remotely connect to your network by using laptop computers. If a laptop
      computer is stolen, without Extended Authentication, it might be possible for an outsider to illegally access
      your network. This is because the information that is needed to establish the VPN connection (the
      self-signed certificate, and so on) is saved within the VPN client software. When Extended Authentication is
      used, however, a connection will not be established until the user specifies an additional piece of
      authentication information that is not saved on the computer—either a one-time password, passcode, or
      PIN. This additional level of authentication renders the VPN capabilities of the laptop useless when in the
      hands of a thief.







Client configurations and XAUTH

Client configurations
VPN Client Configuration objects are used to simplify the management of VPN clients. They do so by having
the firewall manage certain configuration details on behalf of the client. All that the client needs is the
following information:
• Client software that supports ISAKMP mode-config exchange

• Authorization information (for example, a client certificate or a password)

• The address of the firewall

Here is how it works: you create a list of virtual subnets that will be used by remote peers when they
attempt to make a VPN connection. When a client attempts a connection, the firewall assigns it one of the
IP addresses that is available in the list. The firewall also negotiates with the client to determine other VPN
requirements, such as the internal DNS and/or WINS servers that will be made available to the client. If the
negotiation is successful, the client is connected and the VPN connection is established.
Not all VPN client software supports the negotiation of every client address pool parameter. Make sure that
you verify that your client or clients support the necessary features.
You define the list of IP addresses available to the VPN client configuration. Even though the client might
have a fixed IP address, the address that is used within the VPN tunnel is the address that has been
assigned to it from the virtual subnet list. A client configuration can be used for fixed and dynamic clients.
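Both the Client configuration objects section earlier and the passage above describe the same mechanism: a list of virtual subnets, optional fixed mappings for identified clients, dynamic assignment from whatever remains, and DNS/WINS servers handed to the client after authentication. The following Python is an added example (not the product's implementation) of that address pool, including the constraint that a fixed address must lie within the configured virtual subnets and the exhaustion case; the `ClientConfiguration` class, its method names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress


class ClientConfiguration:
    """Virtual address pool offered to remote VPN clients via mode-config."""

    def __init__(self, name, virtual_subnets, dns=(), wins=()):
        self.name = name
        self.pool = [ipaddress.ip_network(n) for n in virtual_subnets]
        self.dns, self.wins = list(dns), list(wins)
        self.fixed = {}    # client identity -> reserved virtual address
        self.leases = {}   # client identity -> address in use for the current tunnel

    def _in_pool(self, addr):
        return any(addr in network for network in self.pool)

    def map_fixed(self, identity, address):
        """Reserve a fixed virtual address for a client that presents `identity`."""
        addr = ipaddress.ip_address(address)
        if not self._in_pool(addr):
            raise ValueError(f"{addr} is outside the virtual subnets of {self.name}")
        if addr in self.fixed.values():
            raise ValueError(f"{addr} is already mapped to another client")
        self.fixed[identity] = addr

    def _free_addresses(self):
        reserved = set(self.fixed.values()) | set(self.leases.values())
        for network in self.pool:
            for host in network.hosts():
                if host not in reserved:
                    yield host

    def connect(self, identity):
        """Called after the client has authenticated. Returns the attributes the
        client applies inside the tunnel: its virtual address and DNS/WINS servers."""
        if identity in self.leases:
            addr = self.leases[identity]
        elif identity in self.fixed:
            addr = self.fixed[identity]
        else:
            addr = next(self._free_addresses(), None)
            if addr is None:
                raise RuntimeError(f"virtual address pool of {self.name} is exhausted")
        self.leases[identity] = addr
        return {"address": str(addr), "dns": self.dns, "wins": self.wins}

    def disconnect(self, identity):
        """Release a dynamic lease; a fixed mapping stays reserved for its owner."""
        self.leases.pop(identity, None)


if __name__ == "__main__":
    cfg = ClientConfiguration("road-warriors", ["10.99.0.0/29"], dns=["10.10.0.53"])
    cfg.map_fixed("alice", "10.99.0.3")
    print(cfg.connect("carol"))   # first free dynamic address
    print(cfg.connect("alice"))   # her reserved address
```

Whether the client physically sits behind a static or a dynamic public address makes no difference here: the address that traffic carries inside the tunnel is always the one assigned from the pool, which is what lets a single rule on the firewall cover every remote client.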

Extended authentication (XAUTH)
The Extended Authentication (XAUTH) option provides an additional level of security for remote access VPN
clients. In addition to the normal authentication checks that are inherent during the negotiation process at
the start of every VPN association, Extended Authentication goes one step further by requiring the person
who is requesting the VPN connection to validate his or her identity. The Extended Authentication option is
most useful if you have traveling employees who connect remotely to your network by using laptop
computers. If a laptop computer is stolen, without Extended Authentication, it might be possible for an
outsider to illegally access your network. This is because the information that is needed to establish the
VPN connection (the self-signed certificate, and so on) is saved within the VPN client software. When
Extended Authentication is used, however, a connection will not be established until the user specifies an
additional piece of authentication information that is not saved on the computer—either a one-time
password, passcode, or PIN. This additional level of authentication renders the VPN capabilities of the
laptop useless when in the hands of a thief.
On Control Center, XAUTH can be configured in two areas: in VPN communities that are configured for
remote access and in VPN client configurations as a way of authenticating remote clients that are
configured to use a fixed IP.


Creating VPN channels
Use the VPN Wizard to create mesh, star, and remote (road warrior) VPN channels. This wizard steps
through the basic VPN configuration considerations without having to understand the more intricate details
associated with configuring VPN channels using the VPN object model. The resulting VPN channel
configuration object can be viewed by inspecting the VPN Peers objects, VPN Communities objects, and VPN
Client Configurations objects that are created as a result of using the wizard.
Note: Create all network objects and client configurations that are to be used in this VPN channel before you start
the wizard. You might need objects to identify gateways, hosts, and endpoints. Because a firewall can be defined
only once for each VPN channel configuration, identifying protected resources that are being made available
might require pre-defining an endpoint group.

Accessing this wizard
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node to expand the tree and then double-click VPN Wizard. The VPN Wizard window is
   displayed.








      Step 1 of 7
      Select the type of VPN channel being configured.
      • Select the type of VPN channel to be configured — Specify the type of VPN channel being created.
        The following options are available:

         • Mesh — Form VPN tunnels so that all defined gateways can access the protected resources for all other
           gateway participants in the configuration.

         • Star — Allow all defined gateways to access the protected resources of a central gateway.

         • Remote — Specify a configuration that will allow one or more remote clients to access the protected
           resources of the associated gateway.

      • Enter a Name to identify the VPN Channel — Specify the name used to identify the VPN channel.

      • Enter a Description for the VPN Channel (optional) — Provide information on the VPN channel being
        defined.

      Click Next >> to proceed to the next page.

      Step 2 of 7 - Mesh VPN Channel
      For a mesh configuration, identify the gateways that will participate in the mesh VPN channel configuration.
      At least two gateways must be configured. The list displays the gateway information after the gateway has
      been added by clicking Add Gateway.
      • Name — Displays the name of the VPN peer object that defines the gateway's addressing and its associated
        protected networks.

      • Address — Displays the access address to the gateway.

      • Protected Resources — Displays the protected resources of the gateway that each other gateway in the
        mesh configuration can access. This can be an endpoint group that defines an array of resources.

      Click Next >> to proceed to the next page.

      Step 2 of 7 - Star VPN Channel
      For a star configuration, a single central gateway must be defined to act as the hub of the VPN channel
      configuration. All other participating gateways are defined in the lower portion of this page. The lists display
      the gateway information after the gateway has been added by clicking Configure Gateway or Add
      Gateway.
      • Configure the Central Gateway for the VPN Channel — This table contains the following information:

         • Name — [Read-only] Displays the name of the VPN peer object that serves as the central gateway of
           the star configuration. To select a previously defined VPN peer object or to define a new one, click
           Configure Gateway.

         • Address — [Read-only] Displays the address associated with the selected VPN Peer object.

         • Protected Resources — [Read-only] Displays the protected resources that have been defined for the
           central gateway. These resources are made available to all other gateways in the configuration.

      • Configure the VPN Gateways that will connect to the Central Gateway — This table contains the
        following information:

         • Name — [Read-only] Displays the name of the VPN peer object that serves as participating gateway
           of the star configuration. To select a previously defined VPN peer object or to define a new one, click
           Add Gateway.

         • Address — [Read-only] Displays the address associated with the selected VPN peer object.

         • Protected Resources — [Read-only] Displays the protected resources that have been defined for the
           gateway. These resources are made available to the central gateway in the configuration.

      Click Next >> to proceed to the next page.







Step 2 of 7 - Remote Clients VPN Channel
For a remote configuration, identify the remote client configuration, the range of addresses that will be used
by the VPN clients for communication to the protected resources of the VPN gateways, and the gateway
VPN peer.
• Select the Client Configuration that will be given to the Remote Clients — Specify a previously
  defined remote client configuration object. If the appropriate client configuration option is not listed, click
  Add Configuration to create a new one.

• Select the address range to be used by the Remote Clients — Displays the addresses and address
  ranges from which the firewall can assign internal IP addresses to remote access VPN clients. Each
  endpoint can be associated with only one VPN client configuration.

   If the resource does not appear in the list, you can create a new network object by clicking Add. For
   more information, see Configuring endpoints (network objects) on page 337.

   The address range to be used by remote clients can contain up to 65535 (64K – 1) host addresses.

   Selecting an address range endpoint in this field requires special consideration. To be useful, the
   virtual IP addresses specified here must also be selected for the remote client configuration object.

   The virtual IP addresses can be specified as host, subnet, or address range endpoints; however, the
   protected resources in a VPN tunnel configuration allows only host and subnet endpoints. If the virtual
   IP addresses are specified as an address range endpoint, you must create a subnet endpoint, several
   host endpoints, or a group of host endpoints that represent the virtual IP addresses.

• Configure the VPN Gateway that the Remote Clients will connect to — This table contains the
  following information:

   • Name — [Read-only] Displays the name of the VPN peer object that serves as the participating
     gateway of the star configuration. To select a previously defined VPN peer object or to define a new
     one, click Configure Gateway.

   • Firewall — [Read-only] Displays the name associated with the selected firewall object.

   • Protected Resources — [Read-only] Displays the protected resources that have been defined for the
     gateway. These resources will be made available to the remote client in the configuration.

Click Next >> to proceed to the next page.

Step 3 of 7 Cryptographic (IKE) Configuration
Use this page to define the Cryptographic configuration parameters for the VPN channel being created.
• Select the Mode to establish a VPN tunnel — Specify the mode that is used to establish an IKE phase
  1 tunnel. The following options are available:

   • Main — Six packets must be exchanged to establish the phase 1 tunnel. This is the default value.

   • Aggressive — [Optional] Three packets must be exchanged to establish the phase 1 tunnel.

   Although the phase 1 tunnel is established more quickly in Aggressive mode, Main mode provides
   greater protection against denial of service attacks.

• Select the Encryption Algorithms to use — Specify one or more algorithms to protect IKE phase 1 and
  phase 2 (IPSec) traffic. The following values are available:

   • aes256 — Denotes the Advanced Encryption Standard using a 256-bit key.

   • aes192 — Denotes the Advanced Encryption Standard using a 192-bit key.

   • aes128 — Denotes the Advanced Encryption Standard using a 128-bit key. This is the default value.

   • cast128 — Denotes the CAST design procedure that uses a 128-bit key.

   • 3des — Denotes the Triple Data Encryption Standard. It uses three stages of DES, giving an effective
     keying strength of 168 bits.







   • des — Denotes the Data Encryption Standard. It uses a 56-bit key.
     Note: The None option is not available in the VPN Wizard. If your security policy requires that the
     encryption algorithm is set to None, make this change by using the VPN Community - Cryptography Phase 2
     Properties page for the appropriate VPN community object.

   • Preferred — Select the preferred encryption algorithm to receive from the VPN channel.

   • Alternates — [Optional] Select one or more alternative algorithms that will be accepted when
     received from the VPN channel.

• Select the Hash Algorithms to use — Specify one or more algorithms to authenticate IKE phase 1 and
  phase 2 traffic. The following options are available:

   • md5 — Denotes a Hash Message Authentication Code that uses the MD5 hash algorithm.

   • sha1 — Denotes a Hash Message Authentication Code that uses the SHA1 hash algorithm. This is the
     default value.
     Note: The None option is not available in the VPN Wizard. If your security policy requires that the
     encryption algorithm is set to None, make this change by using the VPN Community - Cryptography Phase
     2 Properties page for the appropriate VPN community object.

   • Preferred — Select the preferred hash algorithm to receive from the VPN channel.

   • Alternates — [Optional] Select one or more alternative algorithms that will be accepted when
     received from the VPN channel.

• Select the Diffie-Hellman Groups to use — Specify the group that determines the length of the base
  prime numbers that are used during the key exchange process. The following values are available:

   • 1 — Provides 768 bits of keying strength.

   • 2 — Provides 1024 bits of keying strength.

   • 5 — Provides 2048 bits of keying strength. This is the default value. When this value is selected, the
     following fields are available:

       • Preferred — Select the preferred Diffie-Hellman group to receive from the VPN channel.

       • Alternates — [Optional] Select one or more alternative groups that will be accepted when
         received from the VPN channel.

• Use Perfect Forward Secrecy — Determines whether the key material associated with each IPsec
  security association is derived from the key material that is used to authenticate the remote peer during
  the ISAKMP negotiation. If this checkbox is selected, the key material for each IPsec security
  association cannot be derived from the phase 1 key material.
Click Next >> to proceed to the next page.
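The Preferred and Alternates selections on this page decide what a gateway will accept, not only what it asks for. The following Python model is added here as an illustration; it is not code from Control Center or from McAfee, which exchange ISAKMP SA payloads for this purpose. It plays the selection through for two constructed policies: for each attribute the initiator offers its preferred value followed by its alternates, the responder settles on the first offered value it also accepts, and an attribute with no overlap fails phase 1. The class and function names, the two policies and the ranking tables are assumptions; the algorithm labels and the Diffie-Hellman keying strengths are the ones listed on this page.

```python
"""Model of how Preferred/Alternates choices combine into an IKE phase 1 agreement.

Added example, not Control Center code: only the selection logic is reproduced.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Union

Value = Union[str, int]

# Labels as named on the wizard page, strongest first; used only for ranking.
ENCRYPTION_RANK = ("aes256", "aes192", "aes128", "cast128", "3des", "des")
HASH_RANK = ("sha1", "md5")
# Diffie-Hellman group -> keying strength in bits, as listed on the page.
DH_STRENGTH_BITS = {1: 768, 2: 1024, 5: 2048}


@dataclass(frozen=True)
class Choice:
    """Preferred value plus the alternates this side will also accept."""
    preferred: Value
    alternates: Sequence[Value] = ()

    def accepted(self) -> List[Value]:
        """Everything this side accepts, preferred first, duplicates dropped."""
        out: List[Value] = []
        for value in (self.preferred, *self.alternates):
            if value not in out:
                out.append(value)
        return out


@dataclass(frozen=True)
class Phase1Policy:
    encryption: Choice
    hash_alg: Choice
    dh_group: Choice


def negotiate(initiator: Phase1Policy, responder: Phase1Policy) -> Optional[Dict[str, Value]]:
    """Return the agreed transform, or None when any attribute has no overlap."""
    agreed: Dict[str, Value] = {}
    for attr in ("encryption", "hash_alg", "dh_group"):
        offered = getattr(initiator, attr).accepted()        # initiator's order
        acceptable = set(getattr(responder, attr).accepted())
        match = next((v for v in offered if v in acceptable), None)
        if match is None:
            return None        # proposal rejected: phase 1 never completes
        agreed[attr] = match
    return agreed


def weakest_accepted(policy: Phase1Policy) -> Dict[str, Value]:
    """The weakest values a peer can drive this side down to. Every alternate
    widens what is accepted, so review this list, not just the preferred value.
    (Values outside the ranking tables above raise ValueError.)"""
    enc = max(policy.encryption.accepted(), key=ENCRYPTION_RANK.index)
    hsh = max(policy.hash_alg.accepted(), key=HASH_RANK.index)
    dh = min(policy.dh_group.accepted(), key=DH_STRENGTH_BITS.__getitem__)
    return {"encryption": enc, "hash_alg": hsh, "dh_group": dh,
            "dh_bits": DH_STRENGTH_BITS[dh]}


# Constructed policies for three gateways (assumptions, not from the guide).
LOCAL = Phase1Policy(
    encryption=Choice("aes256", ("aes128", "3des")),
    hash_alg=Choice("sha1"),
    dh_group=Choice(5, (2,)),
)
REMOTE = Phase1Policy(
    encryption=Choice("aes128", ("3des",)),
    hash_alg=Choice("md5", ("sha1",)),
    dh_group=Choice(2),
)
LEGACY = Phase1Policy(
    encryption=Choice("des"),
    hash_alg=Choice("md5"),
    dh_group=Choice(1),
)

if __name__ == "__main__":
    print("LOCAL <-> REMOTE:", negotiate(LOCAL, REMOTE))
    print("LOCAL <-> LEGACY:", negotiate(LOCAL, LEGACY))
    print("weakest LOCAL accepts:", weakest_accepted(LOCAL))
```

weakest_accepted is the check worth running before saving the wizard: a gateway that prefers aes256 but lists 3des as an alternate will negotiate 3des with any peer that prefers it, and the tunnel still reports success.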

Step 4 of 7 Authentication Configuration (Pre-Shared Keys)
At least one authentication method must be specified: pre-shared keys, certificates, or both. Use this page
to indicate whether pre-shared keys are going to be used, and if so, the passphrase to use. If you are going
to be using certificates only, click Next >> without doing anything on this page. Otherwise, configure the
fields on this page as needed.
• Authenticate using Pre-Shared Key — Determines whether pre-shared keys can be used to
  authenticate the VPN channel.

• Enter a Passphrase — Specify the passphrase, or key. The key can be a maximum of 128 ASCII
  characters or 256 hexadecimal characters excluding the 0x. The key must be at least eight characters
  long and can consist of any valid characters. If hexadecimal representation is used, remember that an
  eight-bit value is represented by two hexadecimal characters.

• Confirm Passphrase — Confirm the passphrase.

Click Next >> to proceed to the next page.
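The passphrase rules above are easy to get wrong when keys are generated or distributed by script rather than typed into the wizard. The following Python checker is an added example, not Control Center code; it applies the limits stated on this page (at least 8 characters; at most 128 ASCII characters, or at most 256 hexadecimal digits not counting the 0x; two hex digits per byte) and produces a key that satisfies them. Two points are assumptions: that a value beginning with 0x is read as hexadecimal, and that "valid characters" means printable ASCII. The function names are assumptions as well.

```python
"""Pre-shared key checks for the Enter a Passphrase field.

Added example, not Control Center code. The limits come from the guide; the
0x convention and the printable-ASCII reading are assumptions.
"""
import re
import secrets
from typing import Optional

MIN_CHARS = 8
MAX_ASCII_CHARS = 128
MAX_HEX_DIGITS = 256          # excluding the 0x prefix

_HEX_KEY = re.compile(r"^0[xX][0-9A-Fa-f]+$")


def parse_pre_shared_key(passphrase: str) -> bytes:
    """Return the raw key bytes the passphrase represents.

    Raises ValueError naming the rule that was violated.
    """
    if passphrase[:2].lower() == "0x":
        if not _HEX_KEY.match(passphrase):
            raise ValueError("hexadecimal key contains a non-hex character")
        digits = passphrase[2:]
        if len(digits) < MIN_CHARS:
            raise ValueError(f"key must be at least {MIN_CHARS} characters long")
        if len(digits) > MAX_HEX_DIGITS:
            raise ValueError(f"hexadecimal key may have at most {MAX_HEX_DIGITS} digits")
        if len(digits) % 2:
            raise ValueError("each byte needs two hexadecimal digits; odd length")
        return bytes.fromhex(digits)

    if len(passphrase) < MIN_CHARS:
        raise ValueError(f"key must be at least {MIN_CHARS} characters long")
    if len(passphrase) > MAX_ASCII_CHARS:
        raise ValueError(f"ASCII key may have at most {MAX_ASCII_CHARS} characters")
    if not (passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("ASCII key may contain only printable ASCII characters")
    return passphrase.encode("ascii")


def check_pre_shared_key(passphrase: str) -> Optional[str]:
    """None if the passphrase is acceptable, otherwise the rule it breaks."""
    try:
        parse_pre_shared_key(passphrase)
    except ValueError as exc:
        return str(exc)
    return None


def key_length_bits(passphrase: str) -> int:
    """Bits of key material actually entered. The 8-character minimum admits a
    4-byte hexadecimal key: that minimum is a format floor, not a strength target."""
    return len(parse_pre_shared_key(passphrase)) * 8


def generate_pre_shared_key(num_bytes: int = 32) -> str:
    """Random key in hexadecimal form (32 bytes -> 64 digits, inside the
    256-digit limit). The identical string must be entered on every peer."""
    if not 4 <= num_bytes <= MAX_HEX_DIGITS // 2:
        raise ValueError("num_bytes must be between 4 and 128")
    return "0x" + secrets.token_hex(num_bytes)


if __name__ == "__main__":
    for candidate in ("short", "0x123456789", "correct horse battery", generate_pre_shared_key()):
        problem = check_pre_shared_key(candidate)
        print(f"{candidate[:20]!r:24} -> {problem or f'ok, {key_length_bits(candidate)} bits'}")
```

Use generate_pre_shared_key to produce keys for both gateways and check_pre_shared_key on anything received from a peer's administrator before it is pasted into the wizard; a rejected key costs far less to find here than in a failed phase 1 negotiation.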



Step 5 of 7 Authentication Configuration (Certificates)
At least one authentication method must be specified: pre-shared keys, certificates, or both. Use this page
to indicate whether certificates are going to be used, and if so, the certificates to use. If both pre-shared
keys and certificates are specified, certificates are preferred over pre-shared keys.
• Authenticate using Certificates — Specify that certificates can be used to authenticate the VPN
  channel. Select one of the following options to specify the allowed verification type:

   • Certificate Authority verification — Displays all the CA certificates that have been imported into the
     Control Center Management Server. Select one or more CA certificates to be trusted by the VPN
     channel. The certificate(s) that are identified here must be coordinated with the certificates that are
     identified with each firewall that participates in the VPN channel.

       To import a new certificate, click Add CA Certificate. The CA Certificate Import Wizard is displayed.

   • Single Certificate verification — Requires one certificate per peer. Assign certificates in the table
     below.

• Select the Certificate that will be presented by each VPN Gateway — Use this table to identify the
  firewall certificate that is installed on each gateway that is participating in the VPN channel. The certificate
  identified here must be coordinated with the CA certificate that is trusted by the VPN channel. The
  Certificate and Manage Certificates fields are interactive.

   • VPN Gateway — [Read-only] Displays the gateways to be used in this VPN channel.

   • Firewall — [Read-only] Displays the fully qualified domain name of the gateway object. If the object
     is not a managed firewall, this field is blank.

   • Certificate — Specify the CA certificate to be trusted by the VPN channel. The list includes all of the
     relevant certificates that have been imported into the Management Server. The certificate that you
     select must be coordinated with the certificates that are identified with each firewall that participates
     in the VPN channel.

   • Manage Certificates — Click Manage… to display the Certificates window, in which all of the
     available certificates for the selected gateway are displayed. In the Certificates window, to import a
     new certificate, click Add Certificate.

       • For managed firewalls, this displays the Certificate Request Wizard.

       • For unmanaged gateways, this displays the Remote Certificates Wizard.

Click Next >> to proceed to the next page.

Step 6 of 7 Remote Identities
Note: This page is available only when configuring remote identities.

Use this page to specify the list of identities that will be provided by the remote clients for identification
purposes. Remote identities are used to identify the authorized users who participate in a VPN definition
and either have been issued a certificate from a particular CA or they use a VPN client that is configured
with a pre-shared password.
• Identity Type — Specify the type for this identity. This value determines the format of the value that
  you specify in the Identity field. The following types are available:

   • Email — Restrict access based on e-mail address. Specify one e-mail address per identity or use a
     wildcard to indicate all e-mail addresses (for example, @example.com).

   • Distinguished Name — Restrict access based on Distinguished Name.
       Note: The order of distinguished names in this table must match the order in which they are listed in the
       certificate.

   • Domain Name — Restrict access by domain name. Specify one fully qualified domain name (FQDN)
     per identity or use a wildcard to indicate all domain names (such as *.example.com).




   • IP address — Restrict access by a unique IP address or by a group of IP addresses. For example,
     182.19.0.0/16 indicates that only users with IP addresses beginning with 182.19 (as contained in the
     certificate) will be authorized to use this VPN.

• Identity — Specify the value for the identity type that was specified in the previous column.

Click Next >> to proceed to the next page.
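The four identity types above each carry their own matching rule, and the wildcard forms are where an over-broad entry slips in. The following Python matcher is an added example, not Control Center code; it implements the rules as this page states them: exact or wildcard e-mail (@example.com), exact or wildcard domain name (*.example.com), a single IP address or CIDR block (182.19.0.0/16), and distinguished names compared component by component in order, per the note above. The class and function names and the constructed identity list are assumptions.

```python
"""Matching presented remote identities against a Step 6 identity list.

Added example, not Control Center code. Matching rules follow the guide's
description of each identity type; names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RemoteIdentity:
    identity_type: str   # "Email", "Distinguished Name", "Domain Name" or "IP address"
    value: str           # pattern as entered in the Identity column


def _match_email(pattern: str, presented: str) -> bool:
    pattern, presented = pattern.lower(), presented.lower()
    if pattern.startswith("@"):
        # Wildcard: any mailbox in exactly this domain. The '@' must be the
        # separator, so "@example.com" does not admit "x@evil.example.com".
        local, sep, domain = presented.partition("@")
        return sep == "@" and local != "" and "@" + domain == pattern
    return presented == pattern


def _match_domain(pattern: str, presented: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    presented = presented.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # "*.example.com" -> ".example.com"
        # Hosts under the domain only: neither the bare domain nor
        # "evilexample.com" ends with ".example.com".
        return presented.endswith(suffix) and len(presented) > len(suffix)
    return presented == pattern


def _match_ip(pattern: str, presented: str) -> bool:
    # A bare address becomes a /32 (or /128) network; a CIDR block covers a range.
    network = ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(presented) in network


def _match_dn(pattern: str, presented: str) -> bool:
    # Component order is significant (the guide's note), so the lists are
    # compared in order. Only whitespace around commas is normalised; escaped
    # commas inside a value are not handled here.
    def components(dn: str) -> List[str]:
        return [c.strip() for c in dn.split(",")]
    return components(pattern) == components(presented)


_MATCHERS = {
    "Email": _match_email,
    "Domain Name": _match_domain,
    "IP address": _match_ip,
    "Distinguished Name": _match_dn,
}


def identity_matches(entry: RemoteIdentity, presented_type: str, presented: str) -> bool:
    """True if a presented identity of the given type satisfies one entry."""
    matcher = _MATCHERS.get(entry.identity_type)
    if matcher is None or entry.identity_type != presented_type:
        return False
    try:
        return matcher(entry.value, presented)
    except ValueError:
        return False          # malformed address or block never authorises


def is_authorized(entries: Iterable[RemoteIdentity], presented_type: str, presented: str) -> bool:
    """A client is accepted if any configured identity of the same type matches."""
    return any(identity_matches(e, presented_type, presented) for e in entries)


# Constructed identity list in the shape of the wizard's Step 6 table (assumption).
CONSTRUCTED_IDENTITIES = (
    RemoteIdentity("Email", "@example.com"),
    RemoteIdentity("Domain Name", "*.example.com"),
    RemoteIdentity("IP address", "182.19.0.0/16"),
    RemoteIdentity("Distinguished Name", "CN=alice, OU=Sales, O=Example"),
)

if __name__ == "__main__":
    for kind, value in (("Email", "alice@example.com"), ("Email", "alice@evil.example.com"),
                        ("Domain Name", "vpn.example.com"), ("IP address", "182.20.0.1")):
        print(f"{kind:18} {value:26} -> {is_authorized(CONSTRUCTED_IDENTITIES, kind, value)}")
```

The two negative cases in the e-mail and domain matchers are the ones to test on a real identity list: a suffix comparison that ignores the separator turns @example.com into a match for every subdomain an attacker can register a certificate under.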

Step 7 of 7 Summary
This page provides a summary of the VPN channel information for the VPN channel that you are defining.
The top portion of this page shows the configurable objects that are created as a result of the configuration
decisions that you made when progressing through the VPN wizard.
• Type — [Read-only] Displays the VPN objects that were created. The following object types are possible:

   • VPN Peers — These objects define the participating VPN Channel gateways.

   • VPN Communities — These objects define the VPN Channel configuration.

   • VPN Client Configurations — These objects define the VPN remote (road warrior) hosts.

   • IKE Strategies — These objects define the Internet Key Exchange (IKE) strategy that is used by the
     VPN feature of the firewall to establish a secure tunnel between hosts.

   • IPSEC Strategies — These objects define the IPsec Strategy that identifies groups of cryptographic
     properties to use as an IPsec strategy. For the negotiation to be successful, one of the groupings will
     be agreed on, and its parameters will be used. The successful negotiation of an IPsec Strategy results
     in an IPsec Security Association (SA) between the managed VPN and the peer.

• Name — [Read-only] Displays the associated object name that you defined during the wizard
  configuration process.
The bottom portion of the page displays a VPN Channel Overview area. To export this configuration as a
text file, click Save As….
If you agree to the contents and want to save the VPN, click Finish. Otherwise, you can click << Back to
return to a previous page to make adjustments or you can click Cancel to exit the wizard without saving
any changes.




Managing firewall certificates for VPN gateways
Use the firewall_name Certificates window to manage the certificates for the selected firewall that will be
presented by each VPN gateway.
Figure 206 firewall_name Certificates window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node to expand the tree and then double-click VPN Wizard. The VPN Wizard window is
   displayed.

3 Proceed through the wizard until you get to step 5, which is the Authentication Configuration (Certificates)
   page. In the list of certificates at the bottom of this page, click Manage… for the VPN gateway that you
   want to manage. The firewall_name Certificates window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — [Read-only] Displays the name of the certificate. Select the certificate that you want to work
  with and then select the button for the action that you want to perform.

• Status — [Read-only] Displays the status of the selected certificate.

• Close — Close this window.

• Add Certificate — The Certificate Request Wizard starts. Run this wizard to create a new certificate or
  to import an existing certificate.

• Load Certificate — The Load Certificate Wizard starts. Run this wizard to load a certificate from a file or
  from an LDAP server.

• Retrieve Certificate — Retrieve a certificate from the URL address.

• Certificate Details — Displays the certificate's status, signature type, and identifying information, such
  as distinguished name, e-mail address, domain name, or IP address.
• Export Certificate — The Export Certificate Wizard starts. Run this wizard to export a stored certificate.

• Delete Certificate — Delete the selected certificate.




• Status — Specify the certificates to display in the table based on their selected certificate status. The
  following options are available:

   • ALL (the default value)

   • Pending

   • Completed

   • Revoked


Configuring VPN gateways
Use the VPN Gateway window to define the participating local or remote gateways and their protected
resources. The gateway usage depends on the type of VPN channel that you are configuring:
• Mesh — VPN gateways that will participate in the VPN channel

• Star — Central gateway for the VPN channel and the VPN gateways that connect to the central gateway

• Remote clients — VPN gateway to which the remote clients will connect
Figure 207 VPN Gateway window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node to expand the tree and then double-click VPN Wizard. The VPN Wizard window is
   displayed.

3 For Mesh or Star VPN channels, proceed through the wizard until you get to step 2 for configuring Mesh
   or Star VPN channels. This is either the Mesh VPN Channel page or the Star VPN Channel page. Click Add
   Gateway. The VPN Gateway window is displayed.
   or
   For Remote VPN channels, proceed through the wizard until you get to step 2. The Remote Clients VPN
   Channel page is displayed. Click Configure Gateway. The VPN Gateway window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Configure a new VPN Gateway to connect to the VPN Channel — Specify a new VPN gateway and
  the associated protected resources.

   If an existing VPN gateway has been defined with identical protected resources, select Add an existing
   VPN Gateway (VPN Peer object) to the VPN Channel at the bottom of the page and then select the
   appropriate object.

   • Enter a name to identify the VPN Gateway — Specify a unique name to identify the combination
     of the gateway addressing information and the associated protected resources that is being created.
     This VPN peer object can be used in other configurations.

   • Select the Managed Firewall to use for this VPN Gateway — Specify a firewall object that is
     managed by the Control Center. If the gateway is not managed by the Control Center, select <None>.

       Each firewall and the associated protected resources can be identified only once per configuration.

   • Enter the IP address that other VPN gateways will use to connect to this gateway — Specify
     the address that other hosts in this VPN channel will use to connect to this gateway.

       The following information refers to specific options in this list:

       • If a managed firewall is selected, this list contains only the defined interfaces for that firewall.
          Note: For clustered interfaces, only the cluster name and IP address of each available clustered interface
          associated with the clustered configuration are identified.

       • If the managed firewall value is set to <None> and the IP Address option is selected, this list
         contains only the endpoints that contain an IP address.

       • If the managed firewall value is set to <None> and the DNS Host Name option is selected, this list
         contains only the endpoints that contain a host name.

   • Select the Burb that VPN Traffic will be terminated on — Specify the burb in which VPN traffic
     transitions between plain-text and encrypted data.

       If the resource does not appear in the list, click (Add) to create a new burb. For more
       information, see Configuring burbs on page 341.

   • Select the interface on which Remote Clients will connect to this VPN Gateway — [Available
     only for remote client configurations] Specify the interface that the remote client will use to connect to
     the selected VPN gateway.




   • Select the resources that will be protected by the VPN Gateway — Specify the resources that
     are protected by this VPN gateway. This list contains all of the host and network objects that are
     configured on the Control Center.

       To search for objects, use the filter field to control the number of objects that are displayed. To limit
       the search to exact matches of a specified sequence of characters that appears anywhere in the
       object name, specify one or more characters and press Enter. To perform an advanced search for
       an object, click (Advanced search).

       To view a list of objects that you can add, click (Add).

       For more information, see Configuring endpoints (network objects) on page 337.

       You can also use the Find button to perform a user-defined, partial search on specific characters.
       Note: Because a firewall can be defined only once for each VPN channel configuration, you can use an
       endpoint group to explicitly identify the appropriate protected resources.

• Add an existing VPN Gateway (VPN Peer object) to the VPN Channel — Specify a previously
  defined VPN peer object that identifies a combination of the gateway addressing information and the
  associated protected resources.

• OK — Save the changes in this window.

• Cancel — Close this window without saving any changes.


Configuring VPN peer objects
Use the VPN Peer window to create peer objects that will participate in gateway-to-gateway and
gateway-to-host VPN communities. For more information, see VPN on page 471.
Figure 208 VPN Peer window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is
   displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a unique name for the VPN peer object being created. This is the name that appears in
  the Participating Gateways list when you are configuring star and mesh VPN communities.

• Description — Provide a user-defined description of the VPN peer object being created.

• Peer Type — Specify the type for this VPN peer object. The following options are available:

   • Gateway — Select this option if this peer object is a firewall/gateway used in a gateway-to-gateway
     configuration.

   • Road warrior — Select this option if this peer object is a road warrior (remote client) used in a
     host-to-gateway configuration.

• Enabled — Determines whether this VPN peer object is enabled. When selected, the VPN peer object can
  participate in the VPN tunnel configurations of all the VPN communities to which it belongs. By default,
  this checkbox is selected, indicating that the peer is available for use in a VPN tunnel.
   Note: If this peer is identified as the central gateway in a Star type of community and it is disabled, the entire
   community is disabled.

• OK — Save the changes in this window, including all of the tab changes.

• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• Address — Define the firewall and its identifying network information for this VPN peer object. For more
  information, see VPN Peer window: Address tab on page 485.

• Authentication — Define how this peer will authenticate. For more information, see VPN Peer window:
  Authentication tab on page 488.

• Road Warrior Identities — Specify the remote certificates from a CA that can be used to authenticate
  this peer to a VPN. For more information, see VPN Peer window: Road Warrior Identities tab on page 490.

VPN Peer window: Address tab
Use the Address tab of the VPN Peer window to configure network information for this peer object. The
fields that are active depend on both the peer type and firewall that are selected. See the section that is
appropriate for the VPN peer type that you are configuring:
• Adding a VPN gateway based on a firewall on page 486

• Adding a VPN gateway based on an unmanaged firewall on page 487

• Adding a VPN road warrior on page 488
Note: You must create the needed network objects and client configurations before you configure this page.

To view the fields on this tab, see Figure 208 on page 484.




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is
   displayed.

4 Make sure that the Address tab is selected.

Adding a VPN gateway based on a firewall
The following fields are displayed if the option selected for Peer Type is Gateway and the value of the
Firewall field is set to a firewall:
• Firewall — Specify the firewall to use as the gateway in this peer object. This list includes all of the
  registered firewalls and an <Unmanaged Device> option.

• Only accept connections on the specified address — Determines whether to allow the firewall to
  listen for connections on a specific address, instead of listening on all interfaces. To configure the firewall
  to listen for connections on an address other than one of its interfaces (such as an alias address), you
  must select this checkbox.

• IP address — Specify the address to use when communicating with the selected firewall. The default
  value is <Enter gateway IP address>.

• Protected networks — Specify the endpoints that are protected by this VPN peer object. This feature
  identifies the network resources to the other peers. This list contains all of the host and network objects
  that are configured on the Control Center. You must specify at least one protected network.

   Although multiple VPN peer objects can be created for each gateway, the protected networks defined
   for a VPN peer can be defined only once per gateway.

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click (Advanced search).

   To view a list of objects that you can add, click (Add).

   You can also use the Find button to search for a partial match of network names.

• Burb — Specify the burb on the firewall where the VPN will terminate. The firewall terminates each VPN
  in a burb so that access rules can be applied to the VPN.

   To edit an existing object, first select the object in the list and then click (Edit selected). The
   respective object window is displayed.

   To add a new object, click the add icon. The respective object window is displayed.

• Client configuration — Specify the client configuration to be associated with this VPN peer. This list
  includes all existing client configuration objects. This area is similar in function to the firewall client
  address pools.

   To edit an existing object, first select the object in the list and then click (Edit selected). The
   respective object window is displayed.

   To add a new object, click the add icon. The respective object window is displayed.


• Enable initial contact — Determines whether the firewall can send and receive initial contact notify
  messages when it first connects with a VPN peer. This setting causes the peer to reload any previous
  state. This is useful for resynching state after a firewall reboot. This option is selected by default.

• Use NAT traversal — Determines whether NAT traversal is negotiated with the remote VPN peer. NAT
  traversal is needed if either VPN peer is behind a NAT device. If you use NAT Traversal, the changes that
  are made by NAT are circumvented and the free usage of AH, ESP, and IPComp in tunnel and transport
  modes is allowed, regardless of NAT usage on the network route between IPsec endpoints. A UDP header
  is added to IPsec traffic and port 500 is changed to port 4500 to allow traffic across a NAT device.

   For NAT Traversal to work properly, it must be able to detect one or more NATs between IPsec hosts.
   Then, it must negotiate the usage of UDP encapsulation of the IPsec packets through the NAT devices.

   During IKE phase one (for example, Main Mode), IPsec devices first determine whether they both
   support NAT Traversal. Next, the devices determine whether NAT occurs anywhere on the
   communications path between them by sending NAT Discovery (NAT-D) packets. NAT-D packets send
   information about source and destination IP addresses and ports. If the IP address and ports are not
   the same, the VPN devices know that a NAT device exists somewhere in between them.

   During the IKE phase two (Quick Mode) exchange, if a NAT device was detected, the VPN policy
   manager negotiates the usage of UDP-encapsulated tunnel mode for the IPsec security association
   (SA).

   Usually, NAT assignments last for a short period of time and are then released. For IPsec to work
   properly, the same NAT assignment needs to remain intact for the duration of the VPN tunnel. NAT-T
   accomplishes this by requiring any end point communicating through a NAT device to send a
   “keepalive” packet to prevent NAT end points from being remapped during the session.

   All NAT Traversal communications begin over UDP port 500, which is already open for Internet Key
   Exchange (IKE) communications in IPsec VPNs. After a NAT device is discovered, all subsequent IKE
   exchanges occur on UDP port 4500.

   NAT Traversal (UDP-tunnel mode) of the AH protocol is not supported. If NAT Traversal is enabled in
   the Secure Channel associated with the AH-enabled packet-filtering rule, it is silently ignored.

   Note the following restrictions:

   • Both sides of the VPN tunnel must have NAT Traversal capability.

   • This feature is intended only for dynamic IP policies.

   • This function works only in Tunnel mode; it does not work in Transport mode VPNs.

   By default, this option is cleared, meaning that NAT-T is not allowed.
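The NAT-D step described above is a comparison of hashes, which is why a gateway can tell not only that a NAT is present but on which side it sits. The following Python model is an added example, not firewall or Control Center code; it reproduces the NAT-D check in the layout RFC 3947 gives (each payload is HASH(CKY-I | CKY-R | IP | Port), the first covering the address the sender believes its peer has and the next its own address), then has the receiver recompute both from the addresses it actually observes and decide whether to float to UDP port 4500 with UDP encapsulation. SHA-1 is used as the phase 1 hash (the default on the cryptography page); the cookies, the TEST-NET addresses and all names are constructed assumptions.

```python
"""NAT discovery (NAT-D) for the Use NAT traversal option.

Added example, not Control Center code. RFC 3947 NAT-D layout with SHA-1;
cookies, addresses and names are constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

IKE_PORT = 500       # all IKE and NAT-T exchanges begin here
NAT_T_PORT = 4500    # IKE and UDP-encapsulated ESP move here once a NAT is found

Address = Tuple[str, int]


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP packed, port 2 bytes."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + port.to_bytes(2, "big")).digest()


@dataclass(frozen=True)
class NatDPayloads:
    """The two NAT-D payloads as sent: the peer's address as the sender believes
    it to be, then the sender's own address as configured on the sender."""
    destination: bytes
    source: bytes


def build_nat_d(cky_i: bytes, cky_r: bytes, own: Address, peer: Address) -> NatDPayloads:
    """Sender side: hash both addresses as the sender knows them."""
    return NatDPayloads(
        destination=nat_d_hash(cky_i, cky_r, *peer),
        source=nat_d_hash(cky_i, cky_r, *own),
    )


def detect_nat(cky_i: bytes, cky_r: bytes, own: Address, packet_src: Address,
               received: NatDPayloads) -> Dict[str, object]:
    """Receiver side: compare the peer's hashes with what the packet shows.

    Source hash != hash of the packet's source IP/port: the peer's address was
    rewritten on the way, so the peer is behind a NAT. Destination hash != hash
    of our own address: our address was rewritten, so we are behind a NAT.
    Either finding requires UDP encapsulation and the move to port 4500.
    """
    peer_behind_nat = received.source != nat_d_hash(cky_i, cky_r, *packet_src)
    self_behind_nat = received.destination != nat_d_hash(cky_i, cky_r, *own)
    nat_present = peer_behind_nat or self_behind_nat
    return {
        "peer_behind_nat": peer_behind_nat,
        "self_behind_nat": self_behind_nat,
        "udp_encapsulation": nat_present,
        "ike_port": NAT_T_PORT if nat_present else IKE_PORT,
    }


# Constructed scenario (assumption, not from the guide): gateway A is directly
# reachable on 198.51.100.1; gateway B sits on private 10.1.1.2 behind a NAT
# that rewrites its packets to 203.0.113.5 and a high source port.
CKY_I = bytes.fromhex("0011223344556677")   # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
GATEWAY_A: Address = ("198.51.100.1", IKE_PORT)
GATEWAY_B_PRIVATE: Address = ("10.1.1.2", IKE_PORT)
GATEWAY_B_AS_SEEN_BY_A: Address = ("203.0.113.5", 41000)


def run_with_nat() -> Dict[str, object]:
    """B (behind NAT) initiates toward A; A evaluates the NAT-D payloads."""
    payloads = build_nat_d(CKY_I, CKY_R, own=GATEWAY_B_PRIVATE, peer=GATEWAY_A)
    return detect_nat(CKY_I, CKY_R, own=GATEWAY_A,
                      packet_src=GATEWAY_B_AS_SEEN_BY_A, received=payloads)


def run_without_nat() -> Dict[str, object]:
    """Same exchange with B on a public address and nothing rewriting in the path."""
    b_public: Address = ("203.0.113.5", IKE_PORT)
    payloads = build_nat_d(CKY_I, CKY_R, own=b_public, peer=GATEWAY_A)
    return detect_nat(CKY_I, CKY_R, own=GATEWAY_A,
                      packet_src=b_public, received=payloads)


if __name__ == "__main__":
    print("NAT in path:   ", run_with_nat())
    print("no NAT in path:", run_without_nat())
```

When a tunnel to a peer behind a NAT stays stuck in phase 1, the values in run_with_nat are what to look for in the IKE logs and packet captures: the NAT-D mismatch on the responder, followed by the move of both sides to UDP 4500, which must be permitted through every filter on the path alongside UDP 500.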

Adding a VPN gateway based on an unmanaged firewall
The following fields are displayed if the Peer Type option is set to Gateway and the Firewall field value is
set to <Unmanaged Device>:
• Firewall — Specify the firewall to use as the gateway in this peer object. This list includes all of the
  registered firewalls and an <Unmanaged Device> option.

• IP address — Specify the gateway IP address to use when communicating with this peer object.

• Protected networks — Specify the endpoints that are protected by this VPN peer object. This feature
  identifies the network resources to the other peers. This list contains all of the host and network objects
  that are configured on the Control Center. You must specify at least one protected network.

   Although multiple VPN peer objects can be created for each gateway, the protected networks defined
   for a VPN peer can be defined only once per gateway.




   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click (Advanced search).

   To view a list of objects that you can add, click (Add).

   You can also use the Find button to search for a partial match of protected network names.

Adding a VPN road warrior
The following fields are displayed if the Peer Type option is set to Road Warrior:
• Protected networks — Specify the endpoints that are protected by this VPN peer object. This feature
  identifies the network resources to the other peers. This list contains all of the host and network objects
  that are configured on the Control Center. You must specify at least one protected network.

   Although multiple VPN peer objects can be created for each gateway, the protected networks defined
   for a VPN peer can be defined only once per gateway.

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click (Advanced search).

   To view a list of objects that you can add, click (Add).

   You can also use the Find button to search for a partial match of protected network names.

VPN Peer window: Authentication tab
Use the Authentication tab of the VPN Peer window to define the way that this peer will authenticate. VPN
nodes can be configured to present one or more local identities and permit or deny peers based on their
presented identities. In Control Center, authentication can be accomplished using pre-shared keys or
certificates. At least one of the authentication methods (pre-shared keys or certificates) must be used. If
both pre-shared keys and certificates are specified, certificates are preferred over pre-shared keys.
Figure 209 VPN Peer window: Authentication tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is
   displayed.

4 Select the Authentication tab.

Fields and buttons
This tab has the following fields and buttons:
• Pre-shared Keys — Use the field in this area to determine whether pre-shared keys can be used as an
  authentication method for IKE phase 1 negotiations.

   • Allow authentication using preshared secrets — Determines whether pre-shared keys can be
     used as an authentication method for IKE phase 1 negotiations. By default, pre-shared keys are not
     allowed.

• Certificates — Use the fields in this area to determine whether certificates can be used as an
  authentication method. The following fields are available:

   • Allow authentication using certificates — Determines whether certificates can be used as an
     authentication method for IKE phase 1 negotiations.

       If the peer is a managed firewall, a firewall certificate is required. In these cases, the list of values
       in the Certificate to present list includes all of the certificates that are installed on the associated
       firewall. Select the certificate to use.

       For remote clients (for example, for Road Warrior when the Firewall type is specified as <None> or
       for unmanaged gateways), you can select <None> or a remote certificate.

       When certificates are used as an authentication method, the certificates of the firewall and peer are
       exchanged, and the identity of each is verified. In addition to initial verification, constraints can be
       defined that must also be satisfied to begin IKE negotiations. The type of constraint is defined on
       the Authentication page of the VPN Community window.

• Gateway Local Identity — Specify the identifiers that the gateway presents to the remote peer. Ensure
  that the identifying information matches the information that the peer is expecting. The following options
  are available in the Present identity as field:

   • Use gateway IP address as identity

   • Distinguished Name

   • Email

   • Domain Name

   • IP address




      VPN Peer window: Road Warrior Identities tab
      Use the Road Warrior Identities tab of the VPN Peer window to specify the identification information that the
      remote peer must provide.
      Note: This tab is available only if you have selected Road warrior as the Peer Type value at the top of the main
      window.

      To delete an entry, select the first column of the entry to be deleted and then press Delete.
      Figure 210 VPN Peer window: Road Warrior Identities tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is
         displayed.

      4 Select the Road Warrior Identities tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Type — Specify the type of identification that must be provided by this peer to successfully authenticate
        and connect to the VPN. The following options are available:

         • Distinguished Name

         • Email

         • Domain Name

         • IP address

      • Identity — Specify a value to identify this peer.
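
The following is an added example (not Control Center code) of how a peer's presented identity can be checked against the Type and Identity values configured on this tab; the normalisation rules it applies (case-insensitive domain names, DN splitting on unescaped commas, textual IPv4/IPv6 comparison) are this example's own assumptions, not the product's documented behaviour.

```python
"""Match the identity a remote peer presents against the Type/Identity pair
configured on the Road Warrior Identities tab. Added example, not Control
Center code: the normalisation rules (case-insensitive domains, RFC 4514
style DN splitting, textual IPv4/IPv6 comparison) are this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

IDENTITY_TYPES = ("Distinguished Name", "Email", "Domain Name", "IP address")


@dataclass(frozen=True)
class Identity:
    kind: str    # one of IDENTITY_TYPES, as shown in the Type field
    value: str   # the Identity field


def _split_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a DN on unescaped commas into (attribute, value) pairs.
    Attribute types are lower-cased; values keep their case but lose
    surrounding whitespace, so "CN=Alice, O=Example" == "cn=Alice,o=Example"."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), val.strip()))
    return tuple(rdns)


def normalise(identity: Identity):
    """Return a canonical, comparable form of an identity, or raise ValueError."""
    value = identity.value.strip()
    if identity.kind == "Distinguished Name":
        return _split_dn(value)
    if identity.kind == "Email":
        local, at, domain = value.rpartition("@")
        if not at or not local or not domain:
            raise ValueError(f"malformed e-mail identity: {value!r}")
        # the mailbox domain is case-insensitive; the local part is compared as entered
        return (local, domain.lower().rstrip("."))
    if identity.kind == "Domain Name":
        return value.lower().rstrip(".")
    if identity.kind == "IP address":
        return ipaddress.ip_address(value)   # "2001:DB8::1" == "2001:db8:0::1"
    raise ValueError(f"unknown identity type: {identity.kind!r}")


def identity_matches(expected: Identity, presented: Identity) -> bool:
    """Strict matching: the peer must present the configured identity type and
    the normalised values must be equal. A malformed value never matches."""
    if expected.kind != presented.kind:
        return False
    try:
        return normalise(expected) == normalise(presented)
    except ValueError:
        return False
```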




Building Star, Mesh, and remote access VPN communities
Use the VPN Community General page to build Star, Mesh, and Remote Access VPN communities of
previously defined VPN peers. For more information, see VPN on page 471.
Figure 211 VPN Community window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
   window is displayed.

Buttons
This window has the following buttons:
• OK — Save the changes made to all of the tabs on this window.

• Cancel — Close this window without saving any changes.

• Analyze — Analyze the community components and then display the analysis results on the Analysis
  Results tab. Review these results to see whether you need to modify your current community configuration
  or whether there are any notes on the current configuration. You are automatically prompted to analyze your
  VPN community before saving it.

Tabs
This window has the following tabs:
• General — Specify the type of community (Network Topology) and participating gateways, or the
  gateway and remote host. For more information, see VPN Community window: General tab on page 492.

• Authentication — Specify the authentication parameters. For more information, see VPN Community
  window: Authentication tab on page 493.

• Cryptography — Specify cryptographic properties, such as IKE version and mode; preferred encryption
  algorithm, hash, and Diffie-Hellman configurations; and Security Association lifetimes. For more
  information, see VPN Community window: Cryptography tab on page 494.



      VPN Community window: General tab
      Use the General tab on the VPN Community window to build Star, Mesh, and Remote Access VPN
      communities of previously defined VPN peers. VPN communities are also created as a result of running the
      VPN Wizard. After a VPN community is created, you must create rules to manage the traffic sent between
      the specified protected endpoints. To view the fields on this tab, see Figure 211 on page 491.

      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
         window is displayed.

      4 Make sure that the General tab is selected.

      Fields and buttons
      This tab has the following fields and buttons:
      • Name — Specify a user-defined name for the VPN Community object being created.
      • Description — Provide a user-defined description of the purpose of the VPN Community object being
        created.

      • Community Type — Specify the type of community that is being defined. The following values are
        available:

         • Mesh — Configure a mesh community. A Mesh community is a type of gateway-to-gateway VPN
           community in which a secure channel is defined between all participating gateways.

         • Star — Configure a star community. A Star community is a type of gateway-to-gateway VPN in which
           a secure channel is defined between the central gateway and each satellite gateway. Secure channels
           are NOT defined between satellite gateways.

             • Central Gateway — [Available only if Star is selected as the value of the Community Type field]
               Select the hub of the star community from the list that contains all of the previously-defined firewall
               VPN peer objects that have been defined by using the VPN Peers window.

         • Remote Access — Define a gateway to host community. This option is used to support road warrior
           peer types. A remote access community is a host-to-gateway VPN community.

             • Remote Peer — [Available only if Remote Access is selected as the value of the Community Type
               field] Select the remote host VPN peer object from the list that contains all of the previously defined
               remote host VPN Peer objects that have been defined by using the VPN Peers window.

      • Participating Gateways — Select the gateways that will participate in this VPN Community object. This
        list includes all of the previously defined gateways that have been configured in the Control Center.




VPN Community window: Authentication tab
Use the Authentication tab of the VPN Community window to configure the way that the VPN peers
authenticate each other.
Figure 212 VPN Community window: Authentication tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
   window is displayed.

4 Select the Authentication tab.

Fields and buttons
This tab has the following fields and buttons.
• Certificates — Use the fields in this area to specify information about certificates that will be used for
  authentication.

   • Support Certificates — Determines whether certificates are used as the authentication method for
     IKE Phase 1 negotiations. When certificates are used as an authentication method, the certificates of
     the firewall and peer are exchanged to verify each side's identity. In addition to initial verification,
     constraints that must also be satisfied to begin IKE negotiations can be put on the peer's certificate.

       By default, this checkbox is cleared, indicating that certificates are not supported for this VPN
       community.

       • CA Signed Certificates — Determines whether the certificates that are used are signed by a certificate
         authority (CA). Select the CA certificates that are trusted in the Trusted CA Certificates area.

          This area lists all of the CA certificates that have been imported into the registered firewalls. Select
          the checkbox associated with each certification authority (CA) that is trusted as an issuer of the peer's
          certificate. If the peer's certificate has been issued by a CA whose certificate is selected, the peer's
          certificate is accepted as authentic (pending checks against any client identifiers). If the issuer of
          the peer's certificate is not found among the selected CA certificates, the peer's certificate is rejected.
          Note: To view a list of the CA certificates stored in the firewall Management Server, expand the CA
          Certificates node in the Policy tree. To view a certificate, double-click it in the tree.




             • Single Certificate — If the community includes a firewall, you can choose to use a single firewall
               certificate instead of using CA certificates.

      • Use Extended Authentication (XAuth) — [Available only when a Remote Access community object is
        being defined] Indicates that extended authentication can be used for remote client authentication. If one
        or more gateways have been defined for the remote access community, XAuth authentication is only
        applied between the client and associated gateway if the gateway has a VPN Client Configuration object
        defined in its VPN Peer object definition.

      • Pre-Shared Keys — Use the fields in this area to determine whether pre-shared keys are to be used for
        authentication. The following fields are available:

         • Use A-B Keys — Determines whether A-B pre-shared keys are used as an authentication method for
           IKE phase 1 negotiations. The first portion of the A-B key (A Key) is specified in the Pre-shared Key
           field by the first user. The second portion of the A-B Key (B Key) is specified by having a second user
           log in and navigate to this object to specify the second key.

             Until the second key has been specified and the change has been applied to each managed firewall
             in the community, a warning message is displayed for the object to indicate that the A-B key pair is
             not complete.

         • Pre-Shared Key — The key can be up to 128 ASCII characters or 256 hexadecimal characters, excluding
           the 0x prefix. It must be at least eight characters long and can consist of any valid characters. If
           hexadecimal representation is used, remember that an eight-bit value is represented by two hexadecimal
           characters. You are required to confirm this key after you analyze the configuration and select OK. If
           the Use A-B Keys checkbox has been selected, this is the field that is used to specify the respective
           keys. The B key is specified by having another user log in and add the B key portion in this field.
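
The following is an added example (not Control Center code) that applies the Pre-Shared Key limits described above and tracks the two-administrator A-B key workflow. It assumes that a key beginning with 0x is the hexadecimal form, that the eight-character minimum counts the characters as entered, and that "valid characters" for the ASCII form means printable ASCII; how the firewall combines the two halves is not described in this guide, so only completeness is tracked.

```python
"""Validate a community Pre-Shared Key against the limits stated for that
field, and track the two-administrator A-B key workflow. Added example, not
Control Center code. Assumptions: a key beginning with 0x is the hexadecimal
form; the eight-character minimum applies to the characters as entered;
"valid characters" for the ASCII form means printable ASCII."""
import string
from dataclasses import dataclass
from typing import Optional, Set

MAX_ASCII_CHARS = 128   # ASCII form
MAX_HEX_CHARS = 256     # hexadecimal form, the 0x prefix excluded
MIN_CHARS = 8


def validate_preshared_key(key: str) -> bytes:
    """Return the key material as bytes, or raise ValueError explaining why."""
    if key[:2].lower() == "0x":
        hex_part = key[2:]
        if len(hex_part) < MIN_CHARS:
            raise ValueError("hexadecimal key must have at least 8 hex characters")
        if len(hex_part) > MAX_HEX_CHARS:
            raise ValueError("hexadecimal key exceeds 256 characters (0x excluded)")
        if len(hex_part) % 2:
            # an eight-bit value is two hex characters, so an odd count is incomplete
            raise ValueError("hexadecimal key needs two characters per 8-bit value")
        if any(c not in string.hexdigits for c in hex_part):
            raise ValueError("hexadecimal key contains non-hex characters")
        return bytes.fromhex(hex_part)
    if len(key) < MIN_CHARS:
        raise ValueError("key must be at least 8 characters long")
    if len(key) > MAX_ASCII_CHARS:
        raise ValueError("ASCII key exceeds 128 characters")
    if not (key.isascii() and key.isprintable()):
        raise ValueError("ASCII key may contain only printable ASCII characters")
    return key.encode("ascii")


def is_valid_preshared_key(key: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_preshared_key(key)
        return True
    except ValueError:
        return False


@dataclass
class ABKey:
    """Split-knowledge key: one administrator enters the A half, a different
    administrator later enters the B half in the same field."""
    a_key: Optional[bytes] = None
    a_user: Optional[str] = None
    b_key: Optional[bytes] = None
    b_user: Optional[str] = None

    def enter_a(self, key: str, user: str) -> None:
        self.a_key, self.a_user = validate_preshared_key(key), user

    def enter_b(self, key: str, user: str) -> None:
        if self.a_user is None:
            raise ValueError("the A key must be entered first")
        if user == self.a_user:
            raise ValueError("the B key must be entered by a second administrator")
        self.b_key, self.b_user = validate_preshared_key(key), user

    def status(self, community_firewalls: Set[str], applied_to: Set[str]) -> str:
        """Mirror the warning shown until both halves exist and the change has
        been applied to every managed firewall in the community."""
        if self.a_key is None or self.b_key is None:
            return "WARNING: A-B key pair is not complete"
        missing = sorted(community_firewalls - applied_to)
        if missing:
            return "WARNING: A-B key not yet applied to " + ", ".join(missing)
        return "OK"
```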

      VPN Community window: Cryptography tab
      Use the Cryptography tab of the VPN Community window to define and manage the allowed cryptographic
      settings for this VPN Community.
      Figure 213 VPN Community window: Cryptography tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
         window is displayed.

      4 Select the Cryptography tab.




Tabs
This tab has the following tabs:
• General — Specify the IKE version and mode. You also determine if the Phase 1 and Phase 2
  cryptographic properties are to be configured identically or individually. For more information, see VPN
  Community window: Cryptography General tab on page 495.

• Cryptographic Properties — Configure the encryption, hash, and Diffie-Hellman Group settings. You
  can also enable perfect forward secrecy on this page. For more information, see VPN Community window:
  Cryptography Cryptographic Properties tab on page 499.

• Phase 1 Properties — [Available only if you select the Configure Phase 1 and Phase 2 Cryptographic
  Properties Individually option on the General tab] Specify the IPsec cryptographic properties to use
  during the phase 1 key exchange. For more information, see VPN Community window: Cryptography
  Phase 1 Properties tab on page 496.

• Phase 2 Properties — [Available only if you select the Configure Phase 1 and Phase 2 Cryptographic
  Properties Individually option on the General tab] Specify the IPsec cryptographic properties to use
  during the phase 2 key exchange. For more information, see VPN Community window: Cryptography
  Phase 2 Properties tab on page 498.
• SA Lifetimes — Configure the Phase 1 and Phase 2 lifetime settings. For more information, see VPN
  Community window: Cryptography SA Lifetimes tab on page 501.

VPN Community window: Cryptography General tab
Use the Cryptography General tab of the VPN Community window to set the Internet Key Exchange (IKE)
version and mode, and to determine if phase 1 and phase 2 are to be configured identically or individually.
To view the fields on this tab, see Figure 213 on page 494.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
   window is displayed.

4 Select the Cryptography tab.

5 Make sure that the General tab is displayed.

Fields and buttons
This tab has the following fields and buttons:
• IKE Version — Specify the IKE version to use. Options are IKE v1 and IKE v2. Here are some
  characteristics of each version:

   • IKEv2 is simpler, more robust, and more reliable. However, not many products currently support the
     newer IKEv2. Check your product documentation.

   • IKEv1 is not compatible with IKEv2. Both sides of a VPN connection must use the same version of IKE.

   • When using IKEv2, each side of a VPN connection can use a different authentication method. With
     IKEv1, both sides must agree on an authentication method.

   • In IKEv2, extended authentication (XAUTH) can be used as a standalone authentication method. In
     IKEv1, extended authentication must be used in conjunction with password/certificate authentication.

• IKE Mode — [Available only if you are using IKE v1] Specify the mode to be used for key exchange. The
  following values are available:

   • Main — This mode has three exchanges between the initiator and the receiver. It is slower, but secure.
     It cannot be used with dynamic IP clients with password authentication.




         • Aggressive — This mode has fewer exchanges between the initiator and the receiver. It is faster than
           Main mode, but it is less secure.

      • Configure Identical Phase 1 and Phase 2 Cryptographic Properties — Select this option to specify
        one set of cryptographic properties to be used by both the phase 1 and phase 2 key exchanges.

         If your security policy requires Perfect Forward Secrecy and you select this option, you enable PFS on
         the Cryptographic Properties page. If you select the Use Perfect Forward Secrecy option, PFS uses the
         settings in the DH Groups area.

      • Configure Phase 1 and Phase 2 Cryptographic Properties Individually — Select this option to configure
        separate cryptographic properties for the phase 1 and phase 2 key exchanges.

         If your security policy requires Perfect Forward Secrecy and you select this option, you enable PFS by
         specifying a PFS group other than None on the Phase 2 Properties page.

      VPN Community window: Cryptography Phase 1 Properties tab
      Use the Cryptography Phase 1 tab of the VPN Community window to define the IPsec cryptographic
      properties to use during the phase 1 key exchange. These properties must match the cryptographic
      properties configured on the remote peer.
      Note: This tab is available only if you selected the Configure Phase 1 and Phase 2 Cryptographic
      Properties Individually option on the General tab.

      Figure 214 VPN Community window: Cryptography tab: Phase 1 Properties tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
         window is displayed.

      4 Select the Cryptography tab.

      5 In the General tab, make sure that you have selected Configure Phase 1 and Phase 2 Cryptographic
         Properties Individually.

      6 Select the Phase 1 Properties tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Encryption — Specify the type of encryption that you and the remote peer have chosen to use to protect
        IKE phase 1 traffic. The following values are available:

             • aes256 — Indicates the Advanced Encryption Standard using a 256-bit key.
             • aes192 — Indicates the Advanced Encryption Standard using a 192-bit key.




       • aes128 — Indicates the Advanced Encryption Standard using a 128-bit key. This is the default
         value.

       • 3des — Indicates the Triple Data Encryption Standard. It uses three stages of DES, giving an
         effective keying strength of 168 bits.

       • des — Indicates the Data Encryption Standard. It uses a 56-bit key.

   • Preferred — Specify the preferred encryption algorithm to receive from the remote peer.

   • Alternates — [Optional] Select one or more alternative algorithms that will be accepted when received
     from the remote peer.

• Hash — Specify the algorithm that will be used to authenticate IKE phase 1 traffic. The list contains the
  available hash algorithms. The following values are available:

       • md5 — Indicates a Hash Message Authentication Code that uses the MD5 hash algorithm.
       • sha1 — Indicates a Hash Message Authentication Code that uses the SHA1 hash algorithm. This is
         the default value.

   • Preferred — Specify the preferred hash algorithm to receive from the remote peer.

   • Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when
     received from the remote peer.

• DH Groups — Specify the group that determines the length of the base prime numbers that will be used
  during the key exchange process. The list contains the available Diffie-Hellman groups. The following
  values are available:

        • 1 — Provides 768 bits of keying strength.

        • 2 — Provides 1024 bits of keying strength. This is the default value.

        • 5 — Provides 2048 bits of keying strength.

        • None — The key length is 0.

   • Preferred — Specify the preferred DH group to receive from the remote peer.

   • Alternates — [Optional] Specify one or more alternative groups that will be accepted when received
     from the remote peer.

• PRF — Specify the PRF algorithm to use during Phase 1 (IKEv2 only). The following values are available:

       • sha1 — Indicates a Hash Message Authentication Code that uses the SHA1 hash algorithm. This is
         the default value.

       • md5 — Indicates a Hash Message Authentication Code that uses the MD5 hash algorithm.

   • Preferred — Specify the preferred PRF algorithm to receive from the remote peer.

   • Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when
     received from the remote peer.




      VPN Community window: Cryptography Phase 2 Properties tab
      Use the Cryptography Phase 2 tab of the VPN Community window to define the IPsec cryptographic
      properties to use during the phase 2 key exchange. These properties must match the cryptographic
      properties configured on the remote peer.
      Note: This tab is available only if you selected Configure Phase 1 and Phase 2 Cryptographic Properties
      Individually on the General tab.

      Figure 215 VPN Community window: Cryptography tab: Phase 2 Properties tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
         window is displayed.

      4 Select the Cryptography tab.

      5 In the General tab, make sure that you have selected Configure Phase 1 and Phase 2 Cryptographic
         Properties Individually.

      6 Select the Phase 2 Properties tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Encryption — Specify the type of encryption that you and the remote peer have chosen to use to protect
        IKE phase 2 (IPsec) traffic. The following values are available:

             • aes256 — Indicates the Advanced Encryption Standard using a 256-bit key.

             • aes192 — Indicates the Advanced Encryption Standard using a 192-bit key.

             • aes128 — Indicates the Advanced Encryption Standard using a 128-bit key. This is the default
               value.

             • 3des — Indicates the Triple Data Encryption Standard. It uses three stages of DES, giving an
               effective keying strength of 168 bits.

             • des — Indicates the Data Encryption Standard. It uses a 56-bit key.

             • none — Contains an encryption header but does not specify an encryption algorithm. It is generally
               only used during testing.
                Note: This option applies only to phase 2 traffic. If None is selected, an algorithm is negotiated by the
                VPN peers for phase 1 traffic. md5 is the preferred algorithm and sha1 is the fallback.

         • Preferred — Specify the preferred encryption algorithm to receive from the remote peer.

         • Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when
           received from the remote peer.



• Hash — Specify the algorithm used to authenticate IKE phase 2 traffic. The list contains the available
  hash algorithms. The following values are available:

       • md5 — Indicates a Hash Message Authentication Code that uses the MD5 hash algorithm.

       • sha1 — Indicates a Hash Message Authentication Code that uses the SHA1 hash algorithm. This is
         the default value.

   • Preferred — Specify the preferred hash algorithm to receive from the remote peer.

   • Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when
     received from the remote peer.

• PFS Group — [Available only if the PFS option is enabled] Specify the Diffie-Hellman group to use for the
  PFS derivation of IPsec keys. (This corresponds to the PFS Oakley group in the firewall VPN definition
  area.) The following values are available:

   • 1 — Provides 768 bits of keying strength.

   • 2 — Provides 1024 bits of keying strength. This is the default value.

   • 5 — Provides 2048 bits of keying strength.

   • None — The key length is 0.

VPN Community window: Cryptography Cryptographic Properties tab
Use the Cryptographic Properties tab of the VPN Community window to define the IPsec cryptographic
properties. These properties must match the cryptographic properties configured on the remote peer.
Note: This tab is available only if you selected Configure Identical Phase 1 and Phase 2 Cryptographic
Properties on the General tab.

Figure 216 VPN Community window: Cryptography tab: Cryptographic Properties tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
   window is displayed.

4 Select the Cryptography tab.

5 In the General tab, make sure that you have selected Configure Identical Phase 1 and Phase 2
   Cryptographic Properties.

6 Select the Cryptographic Properties tab.



      Fields and buttons
      This tab has the following fields and buttons:
      • Encryption — Specify the type of encryption that you and the remote peer have chosen to use to protect
        IKE phase 1 and phase 2 (IPsec) traffic. The following values are available:

             • aes256 — Indicates the Advanced Encryption Standard using a 256-bit key.

             • aes192 — Indicates the Advanced Encryption Standard using a 192-bit key.

             • aes128 — Indicates the Advanced Encryption Standard using a 128-bit key. This is the default
               value.

             • 3des — Indicates the Triple Data Encryption Standard. It uses three stages of DES, giving an
               effective keying strength of 168 bits.

             • des — Indicates the Data Encryption Standard. It uses a 56-bit key.

             • none — Contains an encryption header but does not specify an encryption algorithm. It is generally
               only used during testing.

         • Preferred — Specify the preferred encryption algorithm to receive from the remote peer.

         • Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when
           received from the remote peer.

      • Hash — Specify the algorithm that will be used to authenticate IKE phase 1 and phase 2 traffic. The list
        contains the available hash algorithms. The following values are available:

             • sha1 — Indicates a Hash Message Authentication Code that uses the SHA1 hash algorithm. This is
               the default value.

             • md5 — Indicates a Hash Message Authentication Code that uses the MD5 hash algorithm.

         • Preferred — Specify the preferred hash algorithm to receive from the remote peer.

         • Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when
           received from the remote peer.

      • DH Groups — Specify the group that determines the length of the base prime numbers that will be used
        during the key exchange process. The list contains the available Diffie-Hellman groups. The following
        values are available:

             • 1 — Provides 768 bits of keying strength.

             • 2 — Provides 1024 bits of keying strength. This is the default value.

             • 5 — Provides 2048 bits of keying strength.

             • None — The key length is 0.

         • Preferred — Specify the preferred DH group to receive from the remote peer.

         • Alternates — [Optional] Specify another group that will be accepted when received from the remote
           peer.

      • PRF — Specify the PRF algorithm to use during Phase 1 (IKEv2 only). The following values are available:

             • sha1 — Indicates a Hash Message Authentication Code that uses the SHA1 hash algorithm. This is
               the default value.

             • md5 — Indicates a Hash Message Authentication Code that uses the MD5 hash algorithm.

         • Preferred — Specify the preferred PRF algorithm to receive from the remote peer.

         • Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when
           received from the remote peer.




• Use Perfect Forward Secrecy — Determines whether the key material that is associated with each
  IPsec security association can be derived from the key material used to authenticate the remote peer
  during the ISAKMP negotiation. If this checkbox is selected, the key material that is associated with each
  IPsec security association cannot be derived.

   When establishing a VPN tunnel, it is possible to re-use existing keying material. This is done to make
   the creation of new keys more efficient, but it also creates a mathematical relationship between new
   keys and existing keys. If any of the existing keys have been compromised, it is possible that the new
   keys can also be compromised. For some applications, it is important to ensure that a tunnel's keys
   have no relationship to any other keys. A tunnel operating under these conditions is said to have
   Perfect Forward Secrecy. The firewall's VPN feature can be configured to have perfect forward secrecy
   at the IKE phase 1 level. In this case, the IKE SA is deleted after the IPsec SA is created. The firewall's
   VPN feature can also be configured to have perfect forward secrecy at the IKE phase 2 level. In this
   case, new keying material is generated each time a new IPsec SA is needed. If your VPN will be
   passing applications that require PFS, select this option.
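
The following is an added example (not Control Center or firewall code) of how the Preferred and Alternates fields on the Phase 1 Properties, Phase 2 Properties, and Cryptographic Properties tabs constrain what is accepted from a remote peer, together with an audit of weak values an administrator has allowed. It assumes a selection rule of "take the Preferred value if the peer offers it, otherwise the first Alternate in listed order"; the actual negotiation order used by the firewall is not documented here.

```python
"""Model the Preferred/Alternates fields of the Cryptography Phase 1, Phase 2
and Cryptographic Properties tabs: what the firewall will accept from a peer,
and an audit of what an administrator has allowed. Added example, not Control
Center or firewall code. Assumed selection rule: take our Preferred value if
the peer offers it, otherwise the first Alternate in our listed order."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values offered on the tabs described above
VALID = {
    "encryption": ("aes256", "aes192", "aes128", "3des", "des", "none"),
    "hash": ("sha1", "md5"),
    "dh_group": ("1", "2", "5", "None"),
    "prf": ("sha1", "md5"),          # IKEv2 only
}
# Choices a reviewer would flag, with the reason
WEAK_REASON = {
    "des": "56-bit key",
    "none": "no encryption; testing only",
    "md5": "MD5-based",
    "1": "768-bit modulus",
    "None": "no Diffie-Hellman exchange",
}
PROPERTIES = ("encryption", "hash", "dh_group", "prf")


@dataclass(frozen=True)
class Property:
    preferred: str
    alternates: Tuple[str, ...] = ()    # [Optional] on the tab

    def acceptable(self) -> Tuple[str, ...]:
        """Everything accepted from the peer, Preferred first."""
        return (self.preferred,) + tuple(a for a in self.alternates if a != self.preferred)


@dataclass(frozen=True)
class CryptoProfile:
    encryption: Property
    hash: Property
    dh_group: Property
    prf: Optional[Property] = None      # only meaningful for IKEv2


def negotiate(local: CryptoProfile, peer_offer: Dict[str, List[str]],
              ike_version: int = 1) -> Optional[Dict[str, str]]:
    """Return the agreed value per property, or None when the peer offers
    nothing we accept for some property (the phase fails to negotiate)."""
    chosen: Dict[str, str] = {}
    for name in PROPERTIES:
        prop = getattr(local, name)
        if name == "prf":
            if ike_version == 1:
                continue                 # PRF is an IKEv2 property only
            if prop is None:
                return None              # IKEv2 needs a PRF setting
        offered = peer_offer.get(name, [])
        match = next((v for v in prop.acceptable() if v in offered), None)
        if match is None:
            return None
        chosen[name] = match
    return chosen


def audit(local: CryptoProfile, phase: int) -> List[Tuple[str, str, str]]:
    """List (property, value, reason) for every allowed value that is unknown,
    weak, or not valid for this phase ("none" encryption is phase 2 only)."""
    findings = []
    for name in PROPERTIES:
        prop = getattr(local, name)
        if prop is None:
            continue
        for value in prop.acceptable():
            if value not in VALID[name]:
                findings.append((name, value, "not an option on this tab"))
            elif value in WEAK_REASON:
                findings.append((name, value, WEAK_REASON[value]))
            if name == "encryption" and value == "none" and phase == 1:
                findings.append((name, value, "phase 2 only"))
    return findings
```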

VPN Community window: Cryptography SA Lifetimes tab
Use the Cryptography SA Lifetimes tab of the VPN Community window to indicate how often the system
must negotiate for new IPsec keys and how much traffic it can encrypt. To begin negotiating for new keys
in advance of the lifetime limits, configure a soft percentage on the Advanced Options tab.
Figure 217 VPN Community window: Cryptography tab: SA Lifetimes tab




Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
   window is displayed.

4 Select the Cryptography tab.

5 Select the SA Lifetimes tab.

Fields and buttons
This tab has the following fields and buttons:
• Phase 1 Lifetimes — Specify the Phase 1 SA lifetime (in seconds and KB) before the firewall must
  negotiate for new IKE keys.

   To leave a value unspecified, select the Unspecified checkbox next to that value.

   • Security Association Lifetime (sec) — Specify the length of time that the firewall waits before
     requiring new phase 1 IKE keys. The default is 3600 seconds (one hour).




         • Security Association Lifetime (KB) — Specify the amount of traffic that can be encrypted before
           the firewall requires new phase 1 IKE keys. The default is to leave this value unspecified, which means
           there is no limit.

      • Phase 2 Lifetimes — Specify the Phase 2 SA lifetime (in seconds and KB) before the firewall must
        negotiate for new IPsec keys.

         To leave a value unspecified, select the Unspecified checkbox next to that value.

         • Security Association Lifetime (sec) — Specify the length of time that the firewall waits before
           requiring new phase 2 IPsec keys. The default is 700 seconds.

         • Security Association Lifetime (KB) — Specify the amount of traffic that can be encrypted before
           the firewall requires new phase 2 IPsec keys. The default is to leave this value unspecified, which
           means there is no limit.
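
The following is an added example (not Control Center or firewall code) that turns the SA Lifetimes values above (seconds and KB, with Unspecified meaning no limit) and the Phase 1/Phase 2 Soft (%) values described on the Advanced Options tab into rekey decisions. The treatment of an idle SA that reaches its hard limit without Force Rekeying (it lapses rather than being rekeyed) is this example's reading of that option's description.

```python
"""Translate the SA Lifetimes tab values (seconds and KB, Unspecified = no
limit) and the Phase 1/Phase 2 Soft (%) values from the Advanced Options tab
into rekey decisions. Added example, not Control Center or firewall code; the
handling of an idle SA without Force Rekeying (torn down rather than rekeyed)
is this example's reading of that option's description."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SALifetime:
    seconds: Optional[int]       # Security Association Lifetime (sec); None = Unspecified
    kilobytes: Optional[int]     # Security Association Lifetime (KB);  None = Unspecified
    soft_percent: int = 85       # Phase n Soft (%): the guide's default is 85

    def __post_init__(self) -> None:
        if not 1 <= self.soft_percent <= 99:
            raise ValueError("soft percentage must leave room before the hard limit")

    def soft_seconds(self) -> Optional[int]:
        return None if self.seconds is None else self.seconds * self.soft_percent // 100

    def soft_kilobytes(self) -> Optional[int]:
        return None if self.kilobytes is None else self.kilobytes * self.soft_percent // 100


# Defaults stated in the guide: 3600 s for phase 1, 700 s for phase 2, KB unspecified
PHASE1_DEFAULT = SALifetime(seconds=3600, kilobytes=None)
PHASE2_DEFAULT = SALifetime(seconds=700, kilobytes=None)


def _reached(limit: Optional[int], used: int) -> bool:
    """An Unspecified (None) limit is never reached."""
    return limit is not None and used >= limit


def sa_state(lifetime: SALifetime, age_seconds: int, kb_protected: int,
             traffic_since_rekey: bool, force_rekeying: bool) -> str:
    """Classify an SA:
      'active'       below every soft threshold, nothing to do
      'soft-rekey'   a soft threshold is reached: negotiate replacement keys now
                     so they are on hand before the hard limit expires
      'hard-rekey'   a hard limit is reached and the SA is rekeyed
      'expired-idle' a hard limit is reached on an SA that carried no traffic;
                     without Force Rekeying it lapses instead of being rekeyed"""
    hard = _reached(lifetime.seconds, age_seconds) or _reached(lifetime.kilobytes, kb_protected)
    soft = _reached(lifetime.soft_seconds(), age_seconds) or _reached(lifetime.soft_kilobytes(), kb_protected)
    worth_rekeying = traffic_since_rekey or force_rekeying
    if hard:
        return "hard-rekey" if worth_rekeying else "expired-idle"
    if soft and worth_rekeying:
        return "soft-rekey"
    return "active"
```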

      VPN Community window: Cryptography Advanced Options tab
      Use the Cryptography Advanced Options tab of the VPN Community window to configure the more
      advanced settings of a VPN community. This tab appears only when one of the peers in the community is a
      firewall.
      • As a general rule, only administrators who are VPN experts should modify the information on this tab.

      • The information on this tab is used only with automatic key exchange.

      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community
         window is displayed.

      4 Select the Cryptography tab.

      5 Select the Advanced Options tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Force Rekeying — Determines whether the firewall forces the connection to rekey when the Security
        Association (SA) lifetime limits are reached, even if no traffic has passed through the VPN since the last
        rekey. Set the SA lifetime values on the Cryptography SA Lifetimes tab.
         Caution: Do not select the Forced Rekey option if you have High Availability/Load Sharing configured and are
         using static IP addresses for your VPNs. Doing so will cause both of the firewalls in the cluster to attempt to
         instantiate the VPN at the same time, resulting in failure.

         • Phase 1 Soft (%) — Indicates how far in advance of the hard limit to begin negotiating for new
           Phase 1 keys. This makes sure you have some new keys on hand by the time the hard limit expires.
           The default is 85%.

         • Phase 2 Soft (%) — Indicates how far in advance of the hard limit to begin negotiating for new
           Phase 2 keys. This makes sure you have some new keys on hand by the time the hard limit expires.
           The default is 85%.

      • Encrypt Final Aggressive Mode Packet — Determines whether the firewall encrypts the final
        aggressive mode packet in the exchange for aggressive mode IKEv1 exchanges. Select this checkbox if
        you are experiencing interoperability issues with your VPN peer using aggressive mode. By default, this
        checkbox is cleared, indicating the final aggressive mode packet is not encrypted.




• Enable Extended Sequence Numbers — Determines whether to double the IPsec sequence number to
  a 64-bit number. This checkbox is useful if you expect extremely heavy traffic, ensuring that you can pass
  traffic over a VPN without running out of sequence numbers. By default, this checkbox is cleared,
  indicating that the sequence numbers are a 32-bit number.

• Relax Strict Identity Matching — Determines whether the identity matching restrictions are relaxed.
  If you are experiencing issues associated with identity processing with the remote VPN peer, selecting this
  checkbox can improve interoperability, but it would decrease security. By default, this checkbox is
  cleared, indicating that identity processing occurs at the standard level.

• Encapsulation — Specify the way that the packets in the VPN are encrypted. The following values are
  available:

   • Tunnel — The more common form of VPN encapsulation. Both the data and the source and destination
     IP addresses are encrypted within the encapsulated payload. This is the default.

   • Transport — Transport mode encrypts the data but the source and destination IP addresses are not
     concealed.
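To make the interaction between the SA lifetime limits (SA Lifetimes tab), the Soft (%) values and Force Rekeying concrete, here is an added Python model that is not Control Center or firewall code. It assumes that a limit is reached when either the time or the KB threshold is hit, and that an idle SA with Force Rekeying off simply lapses at its hard limit instead of being renegotiated.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SaLifetime:
    """Hard limits from the SA Lifetimes tab plus the Soft (%) value from the Advanced Options tab.
    kilobytes=None models the Unspecified checkbox (no traffic-volume limit)."""
    seconds: int
    kilobytes: Optional[int] = None
    soft_percent: int = 85  # Phase 1 / Phase 2 Soft (%) default

    def soft_seconds(self) -> float:
        return self.seconds * self.soft_percent / 100.0

    def soft_kilobytes(self) -> Optional[float]:
        if self.kilobytes is None:
            return None
        return self.kilobytes * self.soft_percent / 100.0


# Defaults quoted on the SA Lifetimes tab: 3600 s for phase 1 IKE keys, 700 s for phase 2 IPsec keys.
PHASE1_DEFAULT = SaLifetime(seconds=3600)
PHASE2_DEFAULT = SaLifetime(seconds=700)


def lifetime_state(lt: SaLifetime, age_seconds: float, kb_encrypted: float) -> str:
    """'fresh' (inside the soft limit), 'soft' (soft limit crossed) or 'hard' (hard limit reached).
    Either the time threshold or the traffic-volume threshold is enough to reach a limit (assumption)."""
    if age_seconds >= lt.seconds or (lt.kilobytes is not None and kb_encrypted >= lt.kilobytes):
        return "hard"
    soft_kb = lt.soft_kilobytes()
    if age_seconds >= lt.soft_seconds() or (soft_kb is not None and kb_encrypted >= soft_kb):
        return "soft"
    return "fresh"


def rekey_action(lt: SaLifetime, age_seconds: float, kb_encrypted: float,
                 traffic_since_rekey: bool, force_rekey: bool) -> str:
    """Decide what the modelled firewall does with the SA right now:
      keep         inside the soft limit, or idle with Force Rekeying off
      negotiate    soft limit crossed on an active SA: start negotiating replacement keys so they
                   are on hand before the hard limit expires
      rekey        hard limit reached on an active SA: new keys are required immediately
      expire-idle  hard limit reached, no traffic since the last rekey, Force Rekeying off:
                   the SA lapses and is renegotiated when traffic returns (assumption)
    """
    state = lifetime_state(lt, age_seconds, kb_encrypted)
    active = traffic_since_rekey or force_rekey  # Force Rekeying treats an idle SA as active
    if state == "fresh":
        return "keep"
    if state == "soft":
        return "negotiate" if active else "keep"
    return "rekey" if active else "expire-idle"


def config_warnings(force_rekey: bool, ha_load_sharing: bool, static_vpn_addresses: bool) -> List[str]:
    """The caution printed on the Advanced Options tab, as a check to run before applying a policy."""
    warnings: List[str] = []
    if force_rekey and ha_load_sharing and static_vpn_addresses:
        warnings.append("Force Rekeying with HA/Load Sharing and static VPN addresses: both cluster "
                        "members would try to instantiate the VPN at the same time and fail")
    return warnings


if __name__ == "__main__":
    # Phase 1 at the defaults: soft limit at 3060 s, hard limit at 3600 s.
    for age in (1000, 3100, 3700):
        print(age, lifetime_state(PHASE1_DEFAULT, age, 0),
              rekey_action(PHASE1_DEFAULT, age, 0, traffic_since_rekey=False, force_rekey=True))
```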

Adding a VPN community
Use the VPN Community window in the Configuration Tool to add a VPN community object.
Note: Prior to adding a VPN community, ensure that the necessary VPN peers, hosts, and networks objects have
been created.

To add a VPN community:
1 Select VPN in the Object Configuration area of the Configuration Tool.

2 Double-click VPN Communities to open the VPN Community window. You can also right-click and select
   Add Object from the menu.

To complete the General tab:
1 Click the General tab.

2 In the Name field, specify a unique, user-defined name for the VPN community object that is being
   created.

3 [Optional] In the Description field, specify a user-defined description of the purpose of the VPN
   community object being created.

4 Select the Community Type value from the list:

   • If you select Mesh:
      a Select the associated checkbox for two or more participating gateways.

      b Continue with the To complete the Authentication tab: section.

   • If you select Star:
      a Select a central gateway from the list to be used as the center of the star network topology.

      b Select the associated checkbox for one or more participating gateways.

      c   Continue with the To complete the Authentication tab: section.
   • If you select Remote Access:
      a Select one of the remote peers from the list.

      b Select the associated checkbox for one or more participating gateways.

      c   Continue with the To complete the Authentication tab: section.




      To complete the Authentication tab:
      Use the Authentication tab to set the allowed authentication method for this VPN community. You can
      configure the community to use pre-shared keys or certificates, or both.
      1 Select the Support Certificates checkbox to use certificates as the authentication method for IKE phase 1
         negotiations. When certificates are used as an authentication method, the certificates of the firewall and
         peer are exchanged, and the identity of each is verified. In addition to initial verification, constraints that
         must also be satisfied in order to begin IKE negotiations can be put on the peer's certificate.

      2 In the Trusted CA Certificates area, select the certificates from the certification authorities (CAs) that are
         trusted as issuers of the peer's certificate. This field contains all of the CA certificates that have been
         imported into the firewalls. If the peer's certificate has been issued by a CA whose certificate is selected,
         the peer's certificate is accepted as authentic. If the issuer of the peer's certificate is not found among
         the selected CA certificates, the peer's certificate is rejected.

      3 Use the Pre-Shared Key field to specify the key that has been shared between the firewall and the peer.
         The key can be a maximum of 128 ASCII characters or 256 hexadecimal characters, excluding the 0x. It
         must be at least eight characters long and can consist of any valid characters. If hexadecimal
         representation is used, remember that an eight-bit value is represented by two hexadecimal characters.
         You are required to confirm this key after you analyze the configuration and click OK.

      4 Select the Use A-B Keys checkbox to use A-B pre-shared keys as an authentication method for IKE
         phase 1 negotiations.

         If the Use A-B Keys checkbox is selected, use the Pre-Shared Key field to specify the respective keys.
         The first portion of the A-B key (A Key) is specified into the Pre-shared Key field by the first
         administrator. The second portion of the A-B Key (B Key) is specified by having a second administrator
         log in and specify the second key in this field. Until the second key has been specified and the change
         has been applied to each managed firewall in the community, a warning message is displayed for the
         object to indicate that the A-B key pair is not complete.

      5 Continue with the To complete the Cryptography tab: section.
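An added example, not part of the guide or the product, that checks a candidate key against the limits given in step 3 and reports whether a Use A-B Keys pair (step 4) is complete. It assumes a key is hexadecimal when it begins with 0x and that "valid characters" for an ASCII key means printable ASCII.

```python
import string
from typing import Dict, List, Optional, Tuple

MAX_ASCII_CHARS = 128  # maximum length of an ASCII key
MAX_HEX_CHARS = 256    # maximum length of a hexadecimal key, not counting the 0x prefix
MIN_CHARS = 8          # minimum length in either form


def validate_psk(key: str) -> Tuple[str, List[str]]:
    """Check a candidate pre-shared key against the Pre-Shared Key field rules.

    Returns (kind, problems): kind is 'hex' or 'ascii', and an empty problem list means the key is
    acceptable. Assumption: a key is hexadecimal when it starts with 0x, and 'valid characters'
    for an ASCII key means printable ASCII.
    """
    problems: List[str] = []
    if key[:2].lower() == "0x":
        kind, body = "hex", key[2:]
        if not body or any(c not in string.hexdigits for c in body):
            problems.append("characters after 0x must all be hexadecimal digits")
        if len(body) % 2:
            # an eight-bit value is represented by two hexadecimal characters
            problems.append("hexadecimal keys need two characters per byte, so the length must be even")
        if len(body) > MAX_HEX_CHARS:
            problems.append(f"hexadecimal key longer than {MAX_HEX_CHARS} characters")
    else:
        kind, body = "ascii", key
        if any(not (32 <= ord(c) <= 126) for c in body):
            problems.append("key contains characters that are not printable ASCII")
        if len(body) > MAX_ASCII_CHARS:
            problems.append(f"ASCII key longer than {MAX_ASCII_CHARS} characters")
    if len(body) < MIN_CHARS:
        problems.append(f"key must be at least {MIN_CHARS} characters long")
    return kind, problems


def ab_key_status(a_key: Optional[str], b_key: Optional[str], applied_to: Dict[str, bool]) -> str:
    """Status of a Use A-B Keys pair. The pair is complete only once both administrators have entered
    their half and the change has been applied to every managed firewall in the community
    (applied_to maps firewall name -> applied?)."""
    if not a_key:
        return "incomplete: A Key not yet entered"
    if not b_key:
        return "incomplete: waiting for the second administrator to enter the B Key"
    pending = sorted(fw for fw, done in applied_to.items() if not done)
    if pending:
        return "incomplete: not yet applied to " + ", ".join(pending)
    return "complete"


if __name__ == "__main__":
    # Constructed sample keys; none of them is a real secret.
    for candidate in ("0xDEADBEEF1234", "0xABC", "short", "correct horse battery"):
        print(candidate, validate_psk(candidate))
    print(ab_key_status("half-a", None, {"fw-east": False, "fw-west": False}))
```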

      To complete the Cryptography tab:
      Use the VPN Community Key Exchange tab to configure the key exchange properties that will be used for
      the VPN community.
      1 Select the IKE version. Available values are IKEv1 and IKEv2.

      2 Select the mode used to establish an IKE phase 1 tunnel. In Main mode (the default), six packets must
         be exchanged to establish the phase 1 tunnel. In Aggressive mode, only three packets are required.
         Aggressive mode establishes the phase 1 tunnel faster, but Main mode provides greater protection
         against denial of service attacks.

      3 Determine whether you want to use the same or distinct cryptographic properties for phase 1 and phase 2
         key exchange by selecting one of the following values:

         • To configure the same cryptographic properties for both phases, select Configure Identical Phase 1
           and Phase 2 Cryptographic Properties. Continue with the To complete the Cryptographic Properties
           tab: section.

         • To configure different cryptographic properties for each phase, select Configure Phase 1 and Phase
           2 Cryptographic Properties Individually. Continue with the To complete the Phase 1 and Phase 2
           Properties tabs: section.




To complete the Cryptographic Properties tab:
1 In the Encryption area, select one preferred type of encryption, and one or more alternative types of
   encryption, to be used in this VPN community. The following values are available:

   • aes256

   • aes192

   • aes128

   • cast128

   • 3des

   • des

   • none

2 In the Hash area, select one preferred type of authentication hash, and one or more alternative hash
   types, to be used in this VPN community. The following values are available:

   • sha1

   • md5

   • none

3 In the DH Groups area, select one preferred Diffie-Hellman group, and one or more alternative
   Diffie-Hellman groups, to be used in this VPN community. The following values are available:

   • 5

   • 2

   • 1

4 Select the Use Perfect Forward Secrecy checkbox to ensure that the key material associated with each
   IPsec security association cannot be derived from the key material used to authenticate the remote peer
   during the ISAKMP negotiation.

5 Continue with the To complete the SA Lifetimes tab: section.

To complete the Phase 1 and Phase 2 Properties tabs:
1 On the Phase 1 Properties page in the Encryption area, select one preferred type of encryption, and one
   or more alternative types of encryption, to be used in this VPN community. The following values are
   available:

   • aes256

   • aes192

   • aes128

   • cast128

   • 3des

   • des

   • none

2 In the Hash area, select one preferred type of authentication hash, and one or more alternative hash
   types, to be used in this VPN community. The following values are available:

   • sha1

   • md5

   • none



      3 In the DH Groups area, select one preferred Diffie-Hellman group, and one or more alternative
         Diffie-Hellman groups, to be used in this VPN community. The following values are available:

         • 5

         • 2

         • 1

      4 Select the Use Perfect Forward Secrecy option to ensure that the key material that is associated with
         each IPsec security association cannot be derived from the key material used to authenticate the remote
         peer during the ISAKMP negotiation.

      5 On the Phase 2 Properties page in the Encryption area, select one preferred type of encryption and one
         or more alternative types of encryption to be used in this VPN community. The following values are
         available:

         • aes256

         • aes192

         • aes128

         • cast128

         • 3des

         • des

         • none

      6 In the Hash area, select one preferred type of authentication hash, and one or more alternative hash
         types, to be used in this VPN community. The following values are available:

         • sha1

         • md5

         • none

      7 In the PFS Group area, if you are configuring IKEv2, select the Diffie-Hellman group to use for the PFS
         derivation of IPsec keys. This is available only if the PFS option is enabled. (This corresponds to the PFS
         Oakley group in the Firewall VPN definition area.) The following values are available:

         • 1 — Provides 768 bits of keying strength

         • 2 — [Default] Provides 1024 bits of keying strength

         • 5 — Provides 2048 bits of keying strength

         • None — The key length is 0.

      8 Continue with the To complete the SA Lifetimes tab: section.

      To complete the SA Lifetimes tab:
      1 Select the Phase 1 SA lifetime (in seconds and KB) before the firewall must negotiate for new IKE keys.
         To leave a value unspecified, select Unspecified in the appropriate checkbox.

      2 Select the Phase 2 SA lifetime (in seconds and KB) before the firewall must negotiate for new IPsec keys.
         To leave a value unspecified, select Unspecified in the appropriate checkbox.

      3 Continue with the To complete the Firewall Options tab: section.




To complete the Firewall Options tab:
1 To force the connection to rekey when the SA lifetimes limits are reached, even if no traffic has passed
   through the VPN since the last rekey, select the Forced Rekey option.

2 [Conditional] If Force Rekeying is selected, set the phase 1 and phase 2 soft rekey percentages. These
   indicate how far in advance of the SA Lifetime limit to begin negotiating new keys. This makes sure you
   have some new keys on hand by the time that the hard limit expires.

3 [Optional] If your policy uses aggressive mode IKEv1 exchanges, the Encrypt Final Aggressive Mode
   Packet option causes the firewall to encrypt the final aggressive mode packet in the exchange. You might
   need to enable this option if you are experiencing interoperability issues with your VPN peer when using
   aggressive mode.

4 [Optional] Select Enable Extended Sequence Numbers if you need to double the IPsec sequence
   number to a 64-bit number. This option is useful if you expect extremely heavy traffic, ensuring that you
   can pass traffic over a VPN without running out of sequence numbers.

5 [Optional] Select Relax Strict Identity Matching to relax the identity matching restrictions. If you are
   experiencing issues associated with identity processing with the remote VPN peer, selecting this option
   can improve interoperability. However, it does decrease security.

6 Select the encapsulation method. Options are Tunnel and Transport. The most common option is Tunnel.

7 Continue with the To complete the VPN Community configuration: section.

To complete the VPN Community configuration:
Click Analyze to validate your configuration. If you are satisfied with the analysis, click OK to save the VPN
community object.
Note: Some data validation will be applied to ensure that all of the required and conditionally required information
has been specified. If you do not properly complete the VPN community configuration, an error message is
generated.


Creating a network configuration for a VPN client
Use the VPN Client Configuration window to establish a network configuration for the VPN client to operate
on the private side of a firewall.
When a remote host connects to the firewall using a VPN client, you might want the host to appear as
though it is located on an internal network (for example, a network behind the firewall). To provide this
capability, you create one or more virtual subnets of IP addresses that will be used by remote peers when
they attempt to make a VPN connection. When a client attempts a connection, the firewall assigns it one of
the IP addresses that are available in the virtual subnet. The firewall also negotiates with the client to
determine other VPN requirements, such as the DNS and/or WINS servers that will be made available to
the client. If the negotiation is successful, the client is connected and the VPN connection is established.
Note: Not all VPN client software supports the negotiation of every client address pool parameter. Make sure to
verify that your client or clients support the necessary features.

You define the number and size of the available virtual subnets. Even though the client might have a fixed
IP address, the address that is used within the VPN definition is the address that has been assigned to it
from the specified virtual subnet. The virtual subnet works for both fixed and dynamic clients.
You can also create multiple client configurations. You can group VPN clients into distinct virtual subnets to
limit the resources that the clients in each group can access. In some cases, VPN client configuration
objects can be used by more than one peer.




      Figure 218 VPN Client Configuration window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client
         Configuration window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a unique name for this VPN Client Configuration object.

      • Description — Provide a user-defined description for this object.

      • OK — Save the changes that were made on all of the tabs in this window.

      • Cancel — Close this window without saving any changes.

      Tabs
      This window has the following tabs:
      • General — Configure a pool of virtual addresses to be used by remote peers when they attempt to make
        a VPN connection. On this page you can also determine which DNS and/or WINS servers will be made
        available to the remote client. For more information, see VPN Client Configuration window: General tab
        on page 509.

      • Fixed IP Mappings — Assign fixed addresses to selected clients from the pool of available options
        specified on the General page. For more information, see VPN Client Configuration window: Fixed IP
        Mappings tab on page 509.




VPN Client Configuration window: General tab
Use the General tab on the VPN Client Configuration window to configure a pool of virtual addresses to be
used by remote peers when they attempt to make a VPN connection. You can also determine the DNS
and/or WINS servers that will be made available to the remote client. For more information, see the
Creating a network configuration for a VPN client on page 507.
To change the order, or rank, of the listed servers, select an entry and use the up or down arrow to change
its position. The firewall will attempt to connect to the servers in the order that is shown here.
To delete an entry, select that entry's far left column and then press Delete. To view the fields on this tab,
see Figure 218 on page 508.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client
   Configuration window is displayed.

4 Make sure that the General tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Navigation arrows — Use the move up and move down arrows to change the position of an object in
  any of these three tables.

• Virtual Subnets — Specify the objects that define the range of virtual IP addresses that can be assigned
  to the VPN clients to appear as a private address for the client. This list contains all of the previously
  defined host and subnet network objects.

• DNS Servers — [Optional] Specify the DNS servers to be used to provide DNS services to the VPN clients
  that are using this client configuration.

• NBNS/WINS Servers — [Optional] Specify the WINS servers to be used to provide NBNS/WINS services
  to the VPN clients that are using this client configuration.

VPN Client Configuration window: Fixed IP Mappings tab
Use the Fixed IP Mappings tab of the VPN Client Configuration window to assign fixed addresses to selected
clients from the pool of available options that are specified on the General tab and to configure client
identification strings for this object. For more information, see Creating a network configuration for a VPN
client on page 507.
Figure 219 VPN Client Configuration window: Fixed IP Mappings tab




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client
         Configuration window is displayed.

      4 Select the Fixed IP Mappings tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Address — Specify the address to use in the fixed IP mapping. This address must be part of a virtual
        subnet that was selected on the General tab.

      • Client Identifier(s) — [Read-only] Displays the client identifier or identifiers that are associated with
        the displayed address.

      • Add — Displays the VPN Client Fixed Mapping window, in which you can add a client identifier.

      • Edit — Displays the VPN Client Fixed Mapping window, in which you can edit a client identifier. Make sure
        that you have highlighted the identifier that you want to edit before clicking this button.

      • Delete — Deletes the selected fixed IP mapping, but only after you click OK.


      Defining fixed addresses for VPN clients
      Use the VPN Client Fixed Mapping window to define fixed addresses for selected clients. One of the benefits
      of assigning fixed IP addresses to selected clients is that it allows you to govern what each client can do.
      For example, you might restrict access to certain clients, and you might grant additional privileges to other
      clients. You do this by creating a network object for a selected IP address and then using the network
      object within a rule.
      Each unique IP address can appear in the fixed IP mappings table only once. Multiple identities representing
      a single client, however, can be mapped to one IP address.
      Figure 220 VPN Client Fixed Mapping window




      Accessing this tab
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client
         Configuration window is displayed.

      4 Select the Fixed IP Mappings tab.

      5 Click Add or Edit. The VPN Client Fixed Mapping window is displayed.




Fields and buttons
This window has the following fields and buttons:
• Address — Specify the address to be assigned to the client that is specified in the Client Identifiers area
  below.

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click Advanced search.

   To view a list of objects that you can add, click Add.

• Description — Provide a user-defined description of this fixed mapping.

• Client Identifiers — Use the fields in this area to specify the client identification strings for this entry.
  All entries listed in this area will be mapped to the associated IP address. Because a client can use one of
  several different IDs (a distinguished name, an e-mail address, and so on) when negotiating a session,
  you can map multiple IDs to one IP address. However, you cannot map two separate clients to the same
  address.

   If you define all of the possible IDs for a client, you will be ready, regardless of the ID that is presented
   during the negotiation. The following fields are available:
   Note: If a user will be using extended authentication, that user name will override any other ID.

   • Type — Specify the type of client identifier or identifiers to be accepted for this client configuration.
     The following values are available:

       • XAUTH Username

       • E-mail Address

       • Domain Name

       • IP address

       • Distinguished Name

   • Identifier — Specify a string that must be provided by the client to be allowed to establish a VPN
     connection. Follow the standard conventions for the selected type.

• OK — Save the changes that have been made in this window.

• Cancel — Close the window without saving any changes.
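The address assignment rules from this section and from Creating a network configuration for a VPN client, as an added Python model that is not the firewall's own code: a connecting client's presented identifiers are matched against the fixed mappings, an XAUTH user name overrides every other ID, each address may appear in the table only once, and unmatched clients receive the next free address from the virtual subnets. The subnet, addresses and identifiers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Client identifier types offered on the VPN Client Fixed Mapping window.
ID_TYPES = ("XAUTH Username", "E-mail Address", "Domain Name", "IP address", "Distinguished Name")

IdKey = Tuple[str, str]  # (identifier type, identifier string)


@dataclass
class FixedMapping:
    """One row of the Fixed IP Mappings tab: one address for one client, which may present several IDs."""
    address: str
    identifiers: Dict[str, str] = field(default_factory=dict)


class ClientAddressPool:
    """Model of the virtual-subnet pool plus fixed mappings (added example, not firewall code)."""

    def __init__(self, virtual_subnets: List[str], fixed_mappings: List[FixedMapping]):
        self.networks = [ipaddress.ip_network(s, strict=False) for s in virtual_subnets]
        self.fixed: Dict[IdKey, ipaddress.IPv4Address] = {}
        self.reserved = set()  # addresses held by fixed mappings, never handed out dynamically
        self.leases: Dict[ipaddress.IPv4Address, IdKey] = {}
        for m in fixed_mappings:
            addr = ipaddress.ip_address(m.address)
            if not any(addr in net for net in self.networks):
                raise ValueError(f"{addr} is not in any selected virtual subnet")
            if addr in self.reserved:
                # each unique IP address can appear in the fixed IP mappings table only once
                raise ValueError(f"{addr} appears more than once in the fixed IP mappings")
            self.reserved.add(addr)
            for id_type, value in m.identifiers.items():
                if id_type not in ID_TYPES:
                    raise ValueError(f"unknown identifier type {id_type!r}")
                key = (id_type, value)
                if key in self.fixed:
                    # two separate clients cannot be mapped to the same address, and one ID cannot name two clients
                    raise ValueError(f"{key} is already mapped to {self.fixed[key]}")
                self.fixed[key] = addr

    def assign(self, presented: Dict[str, str], xauth_user: Optional[str] = None) -> str:
        """Address for a connecting client. With extended authentication the user name overrides every
        other ID; otherwise any presented ID that has a fixed mapping wins. Unmatched clients get the
        next free address from the virtual subnets, in order."""
        if xauth_user is not None:
            candidates: List[IdKey] = [("XAUTH Username", xauth_user)]
        else:
            candidates = list(presented.items())
        for key in candidates:
            if key in self.fixed:
                return str(self.fixed[key])
        for net in self.networks:
            for host in net.hosts():
                if host not in self.reserved and host not in self.leases:
                    self.leases[host] = candidates[0] if candidates else ("", "")
                    return str(host)
        raise RuntimeError("all virtual subnet addresses are in use")


def mapping_error(virtual_subnets: List[str], fixed_mappings: List[FixedMapping]) -> Optional[str]:
    """Validation helper: the rejection reason for a set of fixed mappings, or None when they are consistent."""
    try:
        ClientAddressPool(virtual_subnets, fixed_mappings)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: one /29 virtual subnet, alice pinned to .2 under two IDs, carol pinned to .5
    pool = ClientAddressPool(
        ["10.99.0.0/29"],
        [FixedMapping("10.99.0.2", {"E-mail Address": "alice@example.com", "Distinguished Name": "CN=alice"}),
         FixedMapping("10.99.0.5", {"XAUTH Username": "carol"})],
    )
    print(pool.assign({"Distinguished Name": "CN=alice"}))                           # 10.99.0.2
    print(pool.assign({"E-mail Address": "bob@example.com"}))                        # 10.99.0.1 (first free)
    print(pool.assign({"E-mail Address": "alice@example.com"}, xauth_user="carol"))  # 10.99.0.5
```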


Adding a VPN client configuration
Use the VPN Client Configuration window in the Configuration Tool to add a VPN client configuration object.
This object can be used when you create VPN Peer objects for a firewall and when you create VPN remote
gateway objects.
When a remote host connects to the firewall using a VPN client, you may want the host to appear as if it is
located on an internal network (for example, a network behind the firewall). To provide this capability, you
create one or more virtual subnets of IP addresses that will be used by remote peers when they attempt to
make a VPN connection. When a client attempts a connection, the firewall assigns it one of the IP addresses
available in the virtual subnet. The firewall also negotiates with the client to determine other VPN
requirements, such as which DNS and/or WINS servers will be made available to the client. If the
negotiation is successful, the client is connected and the VPN connection is established.
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click VPN Client Configurations. The VPN Client Configuration window is displayed.

4 In the Name field, specify a unique name for the VPN client configuration object being created.



      5 In the Description field, specify an appropriate user-defined description of the object being created.

      6 On the General tab, specify the following information:

         a In the Virtual Subnets list, select a previously defined interface, network, or address range that
             identifies the address range of possible addresses to be assigned to the clients that use this
             configuration.

         b [Optional] In the DNS Server field, select the previously defined network object to serve as the DNS
             server for this configuration.

         c   [Optional] In the NBNS/WINS Server field, select the previously defined network object to serve as
             the NetBIOS Name Server or WINS server for this configuration.

      7 On the Fixed IP Mappings tab, click Add and select an IP address and the client identifier(s) to be used
         to identify a client connecting from the specified address. Repeat as necessary for this client configuration.

      8 On the main VPN Client Configuration window, click OK to save the data.


      CA certificates
      On the firewall, certificates play an important role in allowing the use of automatic key generation in
      Internet Key Exchange (IKE) VPNs. With automatic key generation, after you gather the initial information
      for the remote end of the VPN, there is no further direct contact between you and the remote end of the
      VPN. Session keys are automatically and continually generated and updated based on this initial identifying
      information. As a result, the firewall requires a way to assure that the machine with which you are
      negotiating session keys is actually whom it claims to be—a way to authenticate the other end of the VPN.
      To allow automatic key generation, the firewall can use pre-shared keys or certificates as the authentication
      method. Certificates are generally more reliable and tougher to spoof, and, therefore, are favored over
      shared passphrases (keys). The firewall can use the following certificate trust sources:
      • Single certificate — Single certificate authentication requires that the firewall generates a certificate and
        private key to be kept on the firewall and a certificate and private key to be exported and installed on a
        client. Each certificate, after it has been installed on its end of a VPN connection, acts as a trust point. A
        single certificate (also referred to as a “self-signed certificate”) differs from Certificate Authority (CA)
        based certificates in that no root certificate is necessary.

      • Certificate Authority policy — The firewall can be configured to trust certificates from a particular
        certificate authority (CA). Thus, it will trust any certificate that is signed by a particular CA that meets
        certain administrator-configured requirements for the identity contained within the certificate. Because of
        the nature of this type of policy, only locally administered Certificate Authorities should be used in this
        type of policy.

      Certificate Revocation List (CRL)
      The CRL is a list of subscribers who are paired with their digital certificate status. The list enumerates
      revoked certificates along with the reason or reasons for revocation. The dates of certificate issue and the
      authorities that issued them are also included. In addition, each list contains a proposed date for the next
      release. When a potential user attempts to access a server, the server allows or denies access based on the
      CRL entry for that particular user. Both certificates and CRLs are stored in repositories to make them
      accessible to users. LDAP servers, Web servers, and FTP servers are examples of repositories.
      You can configure the firewall Certificate server to query a specified LDAP server for retrieving certificates
      and CRLs that are needed for certificate verification.
      Use the Certificates area on the Firewall window to manage the CRL.

      Certificate file formats
      The Control Center supports the importation and exportation of certificates as binary or PEM-encoded X.509
      files or as part of a PKCS-12 file. (A PKCS-12 file contains both a certificate and a private key and is
      normally protected with a password.) The private key that is associated with a certificate can also be
      imported or exported, either as part of a PKCS-12 file or as a separate PKCS-1 or PKCS-8 file. The PKCS-10
      format is also supported for requesting a certificate from a CA.



Firewall certificate server
The firewall Certificate server performs several functions, including providing support for the certificate
management daemon (CMD) and for an optional, external LDAP server. If the LDAP function is configured,
it can be used to automatically retrieve certificates and Certificate Revocation Lists (CRLs) from a Version 2
or Version 3 Lightweight Directory Access Protocol (LDAP) server. The firewall will attempt to retrieve any
certificates and (optionally) any CRLs that it needs to validate certificates in a CA-based VPN. Note that the
LDAP functionality is used only for non-Netscape Certificate Authorities (for example, Entrust). You can also
control the level of audit that is generated by the certificate server.
The Certificate server is managed in the Certificates area of the Firewall window.

CA certificate management
For a firewall, when a VPN configuration is retrieved from the firewall, the content of the certificate, as well
as the certificate name, is retrieved. This means that this CA certificate can be used in other firewall
configurations without having to implicitly import the certificate into the firewalls. When managing
certificates by using the Control Center Configuration Tool, certificates are added and stored based on their
function. These functional areas are:
• Firewall certificates — A firewall certificate is used to identify the firewall to a potential peer in a VPN
  connection, or to a client requesting a secure (SSL or HTTPS) connection. These certificates are created
  on a per-firewall basis by using the Certificates area in the Firewall window for each firewall. When
  creating a certificate for the firewall, you have the option to submit the certificate to a CA for signing, or
  have the firewall generate a self-signed certificate. The available actions in the firewall certificate area
  include requesting, loading, retrieving, viewing, exporting, and deleting certificates. You can also assign
  certificates to specific servers, such as the McAfee Firewall Enterprise Admin Console server and the
  Cluster Registration server, and to the HTTP application defense.

• Remote certificates — A remote certificate identifies one or more peers that can be involved in a VPN
  connection with a firewall. These certificates are created by using the Remote Certificates page. The
  available actions in the remote certificate area include requesting, loading, retrieving, viewing, exporting,
  and deleting certificates. You are most likely to export a remote certificate if your users use a VPN client
  to establish a VPN connection between their machines and the firewall. The VPN client requires the use of
  a certificate to identify itself during the VPN connection negotiations. It is possible to use the firewall to
  create a self-signed certificate for the VPN client. After it is created, it can be converted to a new file
  format and then exported. From there, it is imported to the VPN client program.

• CA certificates — A Certificate Authority certificate is generally a root certificate that has been imported
  from a local or trusted CA server. These certificates are imported by using the CA Certificate Import
  Wizard. After the certificate has been imported, you can use the Certificate Manager window to change a
  CA certificate's name and some of its information, such as its SCEP URL and CA ID. The identifier, such
  as its Distinguished Name, cannot be modified. CA certificates can also be exported for use as trust
  sources on clients.
Note: For more information about how a firewall uses certificates, see the VPN chapter of the McAfee Firewall
Enterprise (Sidewinder) Administration Guide.

For firewalls, certificates are used by the following features:
• VPNs

• HTTPS Application Defense

• McAfee Firewall Enterprise Admin Console

• Cluster Registration Server

• Control Center Control

• Control Center Status

      Use the Certificate Request Wizard, Import Wizard, and Export Wizard to create and manage firewall and
      remote certificates. Use the CA Certificate Import Wizard and the CA Certificates right-click menu to import
      and manage CA certificates. Use the Certificate Manager window to view details of, and to make minor
      modifications to, existing certificates.


      Managing certificate names
      Use the Certificate Manager window to assign certificate names to actual certificate files and store this data
      in the database of the Control Center. After a certificate has been imported to the Control Center, the only
      fields that may be modified are the name, URL, and CA ID fields.
      Note: To view and manage certificate server settings, see Managing firewall certificates for VPN gateways on
      page 481.

      Figure 221 Certificate Manager window




      Accessing this window
      To access remote certificates:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.

      4 Click Certificate Details. The Certificate Manager window is displayed.

      To view a certificate for a specific firewall:
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node.

      3 Double-click the firewall for which you want to view the certificate. The Firewall window is displayed.

      4 Select the Certificates node. The Certificates area is displayed.

      5 Click Certificate Details. The Certificate Manager window is displayed.

      To view a CA certificate:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the CA Certificates node. The CA Certificates page is displayed.

      4 Double-click a CA certificate. The Certificate Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Certificate Name — Specify the unique name of the certificate that is used by the Control Center to
  reference the certificate.

• Distinguished Name — [Read-only] Displays the distinguished name, e-mail address, domain name,
  and/or IP address that is associated with the certificate.

• Signature Type — [Read-only] Displays whether the signature that is associated with the certificate is
  RSA or DSA.

• Status — [Read-only] Displays whether the certificate is complete or pending.

• SCEP URL — [CA certificates only] Specify the URL of the SCEP server that issued the CA certificate.

• SCEP CA ID — [CA certificates only—optional] Specify the value that is used to identify this specific CA.


Creating certificates or importing them into the certificate database
Use the Certificate Request Wizard to add or import a certificate into the Control Center certificate
database. The wizard has two paths: one for creating a new certificate and one for importing an existing
certificate. For information about how to add a certificate, see the appropriate section.

Accessing this wizard
To create certificates:
1 In the Configuration Tool, select the Firewalls group bar.

2 Select the Firewalls node.

3 Double-click a firewall. The Firewall window is displayed.

4 Select the Certificates node. The Certificates area is displayed.

5 Click Add Certificate. The Certificate Request wizard is displayed.

To import remote certificates:
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.

4 Click Add Certificate. The Certificate Request Wizard is displayed.


Create a new certificate

Step 1 of 8
Select Create a new certificate.
Click Next >.

Step 2 of 8
Specify a unique name for the certificate. This name will be given to the certificate and will be used when
importing the certificate into the Control Center.
Click Next >.

      Step 3 of 8
      Specify the subject name attributes listed on this page. Required attributes are marked with an asterisk
      (*). Certain attributes (such as organizational unit) can have multiple values. Separate multiple values with
      a comma (,).
      Note: For more information about distinguished name syntax, see the VPN chapter of the McAfee Firewall
      Enterprise (Sidewinder) Administration Guide.

      • *Common Name — Specify the name. The valid character string type is DirectoryString. The maximum
        number of allowed characters is 64.

      • *Country — Specify the country of origin. The valid character string type is PrintableString. The
        maximum number of allowed characters is 2.

      • Organization — Specify the organization for this certificate. The valid character string type is
        DirectoryString. The maximum number of allowed characters is 64.

      • Organizational Unit — Specify the organizational unit for this certificate. The valid character string type
        is DirectoryString. The maximum number of allowed characters is 64.

      • City or Locality — Specify the city or locality for this organization. The valid character string type is
        DirectoryString. The maximum number of allowed characters is 128.

      • State or Province — Specify the state or province for this organization. The valid character string type
        is DirectoryString. The maximum number of allowed characters is 128.

      • Domain Component — Specify the domain name for this certificate. Use standard domain name
        notation, such as example.com.

      • Email Address — Specify the e-mail address for this certificate. Use standard e-mail notation, such as
        a@example.com.

      Click Next >.
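The attribute limits in Step 3 (64 characters for a DirectoryString Common Name, a two-character PrintableString Country, comma-separated multiple values) are easy to get wrong when a request is prepared by script. The added example below (not part of the wizard or of Control Center) validates a set of subject attributes against the limits stated above and assembles an RFC 4514 subject string with the reserved characters escaped. Which attributes accept multiple values, the expansion of a domain name into DC components, and the RDN ordering are assumptions made here.

```python
import re

# (wizard field, RDN attribute type, required, string type, max chars, multi-valued)
# String types and limits are those listed in Step 3. Treating only
# Organizational Unit as multi-valued is an assumption (the wizard says
# "certain attributes, such as organizational unit").
SUBJECT_SPEC = [
    ("common_name",         "CN",           True,  "DirectoryString", 64,  False),
    ("organizational_unit", "OU",           False, "DirectoryString", 64,  True),
    ("organization",        "O",            False, "DirectoryString", 64,  False),
    ("locality",            "L",            False, "DirectoryString", 128, False),
    ("state",               "ST",           False, "DirectoryString", 128, False),
    ("country",             "C",            True,  "PrintableString", 2,   False),
    ("domain_component",    "DC",           False, "DomainName",      253, False),
    ("email",               "emailAddress", False, "IA5String",       255, False),
]

# X.680 PrintableString alphabet.
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+[A-Za-z]{{2,63}}$")
EMAIL_RE = re.compile(rf"^[A-Za-z0-9._%+-]+@(?:{LABEL}\.)+[A-Za-z]{{2,63}}$")


def _check_value(stype: str, value: str):
    """Return a problem description for value under string type stype, or None."""
    if stype == "PrintableString" and not PRINTABLE_RE.match(value):
        return "contains characters outside PrintableString"
    if stype == "DirectoryString" and any(ord(c) < 32 or ord(c) == 127 for c in value):
        return "contains control characters"
    if stype == "DomainName" and not DOMAIN_RE.match(value):
        return "is not a valid domain name"
    if stype == "IA5String" and not (value.isascii() and EMAIL_RE.match(value)):
        return "is not a valid e-mail address"
    return None


def _values(raw, multi: bool):
    """Split a multi-valued field on commas; keep single-valued fields whole."""
    if raw is None:
        return []
    parts = [p.strip() for p in raw.split(",")] if multi else [raw.strip()]
    return [p for p in parts if p]


def validate_subject(fields: dict) -> list:
    """Return a list of error strings; an empty list means the subject is acceptable."""
    errors = []
    for field, _rdn, required, stype, maxlen, multi in SUBJECT_SPEC:
        values = _values(fields.get(field), multi)
        if required and not values:
            errors.append(f"{field}: required")
            continue
        for v in values:
            if len(v) > maxlen:
                errors.append(f"{field}: {len(v)} characters exceeds the limit of {maxlen}")
            problem = _check_value(stype, v)
            if problem:
                errors.append(f"{field}: {problem}")
    for unknown in sorted(set(fields) - {spec[0] for spec in SUBJECT_SPEC}):
        errors.append(f"{unknown}: unknown attribute")
    return errors


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside an attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_subject(fields: dict) -> str:
    """Validate fields and return the subject as an RFC 4514 string."""
    errors = validate_subject(fields)
    if errors:
        raise ValueError("; ".join(errors))
    rdns = []
    for field, rdn, _req, _st, _max, multi in SUBJECT_SPEC:
        for v in _values(fields.get(field), multi):
            if rdn == "DC":   # example.com -> DC=example,DC=com (assumption)
                rdns.extend(f"DC={escape_rdn_value(p)}" for p in v.split("."))
            else:
                rdns.append(f"{rdn}={escape_rdn_value(v)}")
    return ",".join(rdns)


# Constructed sample input for a firewall certificate request.
SAMPLE_FIELDS = {
    "common_name": "fw1.example.com",
    "organizational_unit": "Network Ops, Security",
    "organization": "Example, Inc.",
    "country": "US",
    "domain_component": "example.com",
    "email": "pki@example.com",
}

if __name__ == "__main__":
    print(build_subject(SAMPLE_FIELDS))
```

Note the difference between the comma in Organizational Unit, which the wizard treats as a value separator, and the comma in "Example, Inc.", which is part of a single Organization value and must be escaped in the resulting DN.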

      Step 4 of 8
      Specify any additional identities to be bound to the subject of the certificate. Options are:
      • E-mail address (optional)

      • DNS name (optional)

      • IP address (optional)

      Click Next >.

      Step 5 of 8
      Select a public key encryption algorithm and key size.
      • Encryption Algorithm — Specify the encryption algorithm to use for this certificate's public key. Options
        are RSA and DSA. The default is RSA.

         • RSA is faster at signature verification. It is the most commonly used encryption and authentication
           algorithm.

         • DSA is faster at signature generation. DSA provides only digital signatures.

      • Public Key Length (bits) — Specify the length of the public key in bits. Options are 768, 1024, and
        2048. The default is 1024.

      Click Next >.

Step 6 of 8
Specify the mechanism to be used to sign the certificate.
• Signature Mechanism — Specify the enrollment method to which the certificate will be submitted for
  signing. The following values are available:

   • Manual PKCS10 — Indicates that the certificate enrollment request will need to be submitted to a CA.

   • Self Signed — Indicates that the new certificate will be signed by the Control Center, rather than by
     a CA. If you select this option, the wizard automatically imports the certificate after you have
     reviewed and accepted it.

   • CA Certificate — Indicates that the new certificate will be signed by a CA certificate that is currently
     stored in the Control Center certificate database. You must also select the name of the CA to which the
     certificate is submitted for signing. The CA can be either private (one that you own and manage) or
     public (a trusted CA that is administered elsewhere).

   • Control Center CA — Indicates that the new certificate will be signed by the default Control Center
     CA. For more information on Control Center CA certificates, see Importing certificates into the known
     certificates database on page 518.

Click Next >.

Step 7 of 8
Review your selections. To create the certificate request, click Next >.

Step 8 of 8
Review the final summary.
If you selected Manual PKCS10 as the signature mechanism, either copy and paste the displayed text into
an online CA form or click Save as to save the certificate file.
If the certificate was successfully created or saved and no further action is necessary, click Finish.

Import an existing certificate

Step 1 of 5
Select Import an existing certificate.
Click Next >.

Step 2 of 5
Specify a unique name for the certificate. This name will be used when importing the certificate into the
Control Center.
Click Next >.

Step 3 of 5
Select the way in which to import the certificate.
• Import Mechanism — Specify the method by which the certificate will be imported. The following values
  are available:

   • File — Imports an unencrypted file.

   • Encrypted File (PKCS12) — Imports a certificate and its key file. This method requires that you
     specify the password.

   • LDAP — Imports a certificate directly from an online LDAP server.

Click Next >.

      Step 4 of 5
      Specify the appropriate information for retrieving the certificate. The fields on this page vary, depending on
      the import method that you selected on the previous page.
      • If you selected File — Specify the certificate location and format.

         • Certificate Path — Specify the path or browse to the certificate file.

         • Certificate Format — Specify the format of the certificate. The following values are available:

             • X.509-PEM

             • X.509-DER

      • If you selected Encrypted File (PKCS12) — Specify the certificate location and the password that is
        required to decrypt the certificate.

         • File Path — Specify the path or browse to the certificate file.

         • Password — Specify the password that was specified when the certificate was encrypted.

         • Confirm Password — Re-specify the password.

         • Hide Password Characters — Determines whether password characters appear as asterisks (*) or
           as human-readable characters. By default, this checkbox is selected, indicating that the password
           characters appear as asterisks.

      • If you selected LDAP — Specify the IP address and port of the LDAP server where the certificate is saved.
        Also provide the distinguished name that will be used to identify the certificate.

         • LDAP Server Address — Specify the IP address for the Control Center to use to contact the server.

         • LDAP Server Port — Specify the port on which the Control Center will contact the server. The default
           is 389.

         • Distinguished Name — Specify the distinguished name that was specified when the certificate was
           created.

      Click Next >.

      Step 5 of 5
      Read the final summary. If the certificate was successfully created, click Finish.


      Importing certificates into the known certificates database
      Use the Certificate Import Wizard to import certificates into the database of known certificates. These
      certificates can be used for VPN authentication and as certificate authorities for certificates that are stored
      in the Remote Certificates subnode beneath the VPN node in the Policy tree.

      Accessing this wizard
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the CA Certificates node. The CA Certificate Import wizard is displayed.


      Step 1 of 5
      The first page is an introduction.
      Click Next >.

      Step 2 of 5
      Specify a unique name for the certificate you are importing. This name will help you to quickly identify the
      certificate when you assign it for other uses.
      Click Next >.

Step 3 of 5
Select the method to use to import the CA certificate.
• Import Mechanism — Specify the method by which the CA certificate will be imported. The following
  values are available:

   • File — Imports an unencrypted file.

   • SCEP — Imports a certificate directly from a Simple Certificate Enrollment Protocol server. This method
     requires you to specify the CA ID.

   • Netscape 4.2 — Imports a certificate directly from a Netscape certificate server.

Click Next >.

Step 4 of 5
Specify the appropriate information for importing the certificate. The fields on this page vary, depending on
the import method that you selected on the previous page.
• If you selected File — Specify the path or browse to the certificate file.

• If you selected SCEP — Specify the certificate server values for the URL and CA ID fields. Certificates
  that need to be signed by the CA are sent to this URL. The CA ID is the value that is used to identify this
  specific CA. Check with your CA administrator to determine the identifier to use. Many administrators use
  the fully qualified domain name of the CA as the identifier.

• If you selected Netscape 4.2 — Specify the certificate server URL in the URL field. Certificates that need
  to be signed by the CA are sent to this URL.

Click Next >.

Step 5 of 5
Read the final summary. If the certificate was successfully imported, click Finish.


Exporting certificates
Use the Export Certificate Wizard to export a certificate. The wizard guides you through exporting the
certificate only, or combining the certificate with a private key.
Note: When you use the Control Center Client Suite, you cannot export the certificate to the screen as you can
when using the McAfee Firewall Enterprise Admin Console. To view the details about a certificate, use the
Certificate Manager window.

You can export certificates from the Remote Certificates page, from the Certificates area of the Firewall
window, or from the CA Certificates subnode beneath the VPN node in the Policy tree. The procedure is
the same from each of these locations; the reasons for exporting a certificate from one area rather than
another, however, are quite different, as described below.
• Exporting a remote certificate — You are most likely to export a remote certificate if your users use a
  VPN client to establish a VPN connection between their machines and the firewall. The VPN client requires
  the use of a certificate to identify itself during the VPN connection negotiations. It is possible to use the
  firewall to create a self-signed certificate for the VPN client. After it has been created, it can be converted
  to a new file format and then exported. From there, it is imported to the VPN client program.

• Exporting a firewall certificate — This is used to export the firewall certificate to a remote peer. This
  allows the remote peer to recognize the firewall. On the remote peer, the firewall certificate is imported
  as a remote certificate.

• Exporting a CA certificate — Similar to a firewall certificate, this is used to export the CA certificate to a
  remote peer. This allows the remote peer to recognize the firewall. On the remote peer, the certificate is
  imported as a root CA certificate.

      Accessing this wizard
      To export a remote certificate:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.

      4 Click Export Certificate. The Export Certificate wizard is displayed.

      To export a firewall certificate for a specific firewall:
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node.

      3 Double-click the firewall for which you want to view the certificate. The Firewall window is displayed.

      4 Select the Certificates node. The Certificates area is displayed.

      5 Click Export Certificates. The Export Certificate wizard is displayed.

      To view a remote certificate:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.

      4 Click Certificate Details. The Export Certificate wizard is displayed.

      To export a CA certificate:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the CA Certificates node. The CA Certificates page is displayed.

      4 Click Export CA Certificate. The Export Certificate wizard is displayed.


      Export the certificate without a private key

      Step 1 of 4
      Select Export Certificate.
      Click Next >.

      Step 2 of 4
      Specify the location where you want to save the certificate and the format in which it will be saved.
      • Path — Specify a path or browse to a location to save the certificate file.

      • Format — Specify the format for the certificate. The following values are available:

         • X.509

         • X.509(PEM)

      Click Next >.

      Step 3 of 4
      Confirm your selection against the path and file name displayed here.
      Click Next >.

      Step 4 of 4
      Read the final summary. If the certificate was successfully exported, click Finish.

Export the certificate and its private key as one file

Step 1 of 4
Select Export Certificate and Private Key as one file.
Click Next >.

Step 2 of 4
Specify the location where you want to save the certificate and the key to use to encrypt it.
• Path — Specify a path or browse to a location to save the certificate file.

• Password — Specify a password with which to encrypt the file.

• Confirm Password — Specify the same password again.

• Hide Password Characters — Determines whether to display the characters in the Password field as
  you type them in clear text or as asterisks (*). By default, this checkbox is cleared, indicating that the
  password characters appear as asterisks.

Click Next >.

Step 3 of 4
Confirm your selection against the path and file name displayed here.
Click Next >.

Step 4 of 4
Read the final summary. If the certificate was successfully exported, click Finish.

Export the certificate and its private key as multiple files

Step 1 of 5
Select Export Certificate and Private Key as multiple files.
Click Next >.

Step 2 of 5
Specify the location where you want to save the certificate and the format in which it will be saved.
• Path — Specify a path or browse to a location to save the certificate file.

• Format — Specify the format of the certificate. The following values are available:

   • X.509

   • X.509(PEM)

Click Next >.

Step 3 of 5
Specify the location where you want to save the private key file and the format in which it will be saved.
• Path — Specify a path or browse to a location to save the certificate file.

• Format — The following values are available:

   • PKCS1

   • PKCS1(PEM)

   • PKCS8

   • PKCS8(PEM)

Click Next >.

      Step 4 of 5
      Confirm your selections against the paths and file names displayed here.
      Click Next >.

      Step 5 of 5
      Read the final summary. If the certificate was successfully exported, click Finish.


      Loading certificates
      Use the Load Certificate Wizard to load a certificate with a status of Pending. The wizard guides you through
      loading the certificate from a file or from an LDAP server.

      Accessing this wizard
      To load a remote certificate:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.

      4 Click Load Certificate. The Load Certificate wizard is displayed.

      To load a firewall certificate for a specific firewall:
      1 In the Configuration Tool, select the Firewalls group bar.

      2 Select the Firewalls node.

      3 Double-click the firewall for which you want to view the certificate. The Firewall window is displayed.

      4 Select the Certificates node. The Certificates area is displayed.

      5 Click Load Certificates. The Load Certificate wizard is displayed.

      To view a remote certificate:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.

      4 Click Certificate Details. The Export Certificate wizard is displayed.

      To load a CA certificate:
      1 In the Configuration Tool, select the Policy group bar.

      2 Select the VPN node.

      3 Double-click the CA Certificates node. The CA Certificates page is displayed.

      4 Click Load CA Certificate. The Load Certificate wizard is displayed.


      Load the certificate from a file

      Step 1 of 3
      Select Load From File.
      Click Next >.

      Step 2 of 3
      Specify or browse to the location of the certificate file that you want to load.
      Click Next >.

Step 3 of 3
Read the final summary. If the certificate was successfully loaded, click Finish.

Load the certificate from an LDAP server

Step 1 of 3
Select Load From File.
Click Next >.

Step 2 of 3
Specify the IP address and port of the LDAP server that is hosting the certificate that you want to load. Also
provide the Distinguished Name that is used to identify the certificate. When you click Next >, the Control
Center server issues a query command for your requested certificate.
• LDAP Server Address — Specify the IP address for the Control Center to use to contact the server.

• LDAP Server Port — Specify the port on which the Control Center will contact the server. The default is
  389.

• Distinguished Name — Specify the distinguished name that was specified when the certificate was
  created.

Click Next >.

Step 3 of 3
Read the final summary. If the certificate was successfully loaded, click Finish.


Managing remote certificates
Use the Remote Certificate page to manage remote certificates. Actions include requesting, loading,
retrieving, viewing, exporting, and deleting certificates. Most of the fields on this page start a wizard that
guides you through the desired action.
Note: This information is displayed as a standalone window when accessed from the Authentication (Certificates)
page of the VPN Wizard.

Accessing this page
1 In the Configuration Tool, from the View menu, select Remote Certificates. The Remote Certificates
  page is displayed.
  or
  In the Configuration Tool, select the Policy group bar.

2 Select the VPN node to expand the tree.

3 Double-click Remote Certificates. The Remote Certificates page is displayed.

      Fields and buttons
      This page has the following fields and buttons:
      • Name — [Read-only] Displays the name of the remote certificate.

      • Status — [Read-only] Displays the current status of the remote certificate.

      • Status — Specify the certificates that will be displayed in the table, based on their certificate status. The
        following values are available:

         • ALL

         • Pending

         • Completed

         • Revoked

      • Add Certificate — Displays the Certificate Request Wizard. Run this wizard to create a new certificate or
        to import an existing certificate.

      • Load Certificate — Displays the Load Certificate Wizard. Run this wizard to load a certificate from a file
        or from an LDAP server.

      • Retrieve Certificate — Retrieve a certificate from the URL address.

      • Certificate Details — Displays the Certificate Manager window, in which the following information is
        displayed: certificate status, signature type, and identifying information, such as Distinguished Name,
        E-mail address, domain name, or IP address.

      • Export Certificate — Displays the Export Certificate Wizard. Run this wizard to export a stored
        certificate.

      • Delete Certificate — Delete the selected certificate.

Bypassing IPsec policy evaluation
Use the VPN Bypass window to select certain traffic to bypass IPsec policy evaluation and to be sent outside
of the encrypted tunnel. This traffic is defined based on its source and destination endpoints, which are
represented as subnets. Other non-VPN security policy rules will apply to this traffic.
Example: Traffic between two networks at two different sites is encrypted; however, you want traffic to and
from the web server to be sent outside of the encrypted tunnel. You would configure a VPN bypass and
place it in front of a more general definition in the VPN Definitions list.
Note: Unlike when you directly manage a firewall, you do not rank order the VPN definitions (channels) and
bypasses. All VPN bypass objects are automatically processed before processing any VPN Channels.

Figure 222 VPN Bypass window




Accessing this window
1 In the Configuration Tool, select the Policy group bar.

2 Select the VPN node.

3 Double-click the VPN Bypass node. The VPN Bypass window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label to use to identify this traffic.

• Description — Provide information about this traffic.

• Firewall — Specify the firewall on which this bypass is to be used.

• Enabled — Determines whether this VPN bypass is enabled. By default, this checkbox is selected, which
  means that the bypass is enabled.

• Burb — Specify the burb to which this VPN bypass is assigned. Similar to VPN definitions, the firewall
  terminates each VPN bypass in a burb so that access rules can be applied to the designated traffic.

• Networks — The Local list displays the network names or IP addresses that the firewall can use in a VPN
  bypass. The addresses in this list and the addresses in the Remote list together identify the allowed and
  reachable addresses for this VPN bypass.

         To search for objects, use the filter field to control the number of objects that are displayed. To limit
         the search to exact matches of a specified sequence of characters that appears anywhere in the object
         name, specify one or more characters and press Enter. To perform an advanced search for an object,
         click the (Advanced search) icon.

         To view a list of objects that you can add, click the (Add) icon.

      • Local — Select the IP addresses of the local peer. This address is generally located within the burb that
        was selected in the Burb field.

      • Remote — Select the IP addresses of the remote peer. This address is generally external to the firewall
        that was selected in the Firewall field.

      • OK — Save the changes on this window.

      • Cancel — Close this window without saving any changes.

Rules
        Rules provide the network security mechanism that controls the flow of data into and out of the internal
        network. The order of rules is significant. When a packet arrives, the network packet-filtering software
        scans the rules list from top to bottom looking for a rule match. The first rule that matches the defined
        packet criteria is applied. All subsequent rules are ignored. If no rule matches, the packet is denied.
        Rules specify the network communications protocols that can be used to transfer packets, the hosts and
        networks to and from which packets can travel, and the time periods during which the rules can be applied.
        Rules are created by the system administrator and should reflect the internal network site's security policy.
        The Rules page displays the complete list of the packet-filtering rules that have been defined on your
        system in the sequence that they are to be applied based on the order of the rules from top to bottom.
        An important concept to remember is that any traffic that is not specifically allowed is prohibited.
        Use the Rules page to view, add, insert, change, delete, or prioritize rules. Some rule settings (for example,
        Apply On, Services, Sources) can be controlled directly from this page. Use the Rule Editor window to
        change other rule settings (for example, Options) or to create new rules.
        Because many rules can be created when managing enterprise-class firewalls, a filtering mechanism is
        provided to allow operators to quickly retrieve only those rules that meet certain filter constraints. Use the
        Rules Filter Selection window to specify filter criteria to display subsets of rules.
        Generally speaking, rules determine whether the types of packets or datagrams that are used by specific
        services are permitted, denied, or proxied between specified sources and destinations. The individual rules
        can be specifically applied to one or more homogeneous firewalls or generally applied to heterogeneous
        groups of firewalls.
        Rules are session-level rules. A network session is a traffic stream between two endpoints. It is made up of
        many datagrams and is identified by a signature that includes the following components: source address,
        destination address, protocol, source port, and destination port. The packet filter maintains a record of all
        of the sessions that it has seen and maintains the state that is associated with a session.


        How rules work
        When a datagram arrives at the firewall, the firewall tries to find a packet filter session whose signature
        matches that of the datagram. If it finds a matching session, it handles the datagram; it does not search
        the rules list. If it does not find a matching session, it searches the rules list from top (Rule 1) to bottom
        looking for a rule that matches the datagram's signature, applies the first rule that matches, and ignores
        subsequent rules. Using information from the datagram and the rule, a new session is created so that a rule
        lookup is not required for subsequent datagrams that are part of the session. If no rules match, the
        datagram is dropped.
        ICMP error messages are managed differently. A host or router that is unable to deliver a datagram
        (hereinafter called the offending datagram) often notifies the sender using an ICMP error message. The
        error message contains a copy of the initial part of the offending datagram. When it sees an ICMP error
        message, the firewall attempts to find the session for the offending datagram. If no session grants passage
        to the offending datagram, the firewall drops the error message. If a session grants passage to the
        offending datagram, the firewall also consults the rules list. An ICMP error message will pass through the
        firewall only if a session grants passage to the offending datagram and the packet-filtering rules list grants
        passage to the error message.
        A traffic stream matches a rule only if it matches the rule's service, source, destination, and time
        categories. For the firewall, it must also match the application defense settings, if applicable, burb settings,
        authentication requirements, and IPS (Intrusion Protection Services) settings, if applicable. A traffic stream
        matches a category if it matches any of the objects in the category. The way in which a traffic stream
        matches an object in a category varies with the type of object. Generally, if an object specifies several
        criteria, a traffic stream must match all of those criteria. To match on a service object named FTP, for
        example, a traffic stream must match all of the following criteria: source port range, destination port range.
        As explained, a datagram's signature contains components that can be matched against a rule's service,
        source, and destination condition categories. Time and user components are not contained in the
        datagram, however. A datagram's arrival time, which is found in the system clock, is matched against a
        rule's time condition category.






      Other kinds of actions that are taken for a matching network session are specified by the SYN flood defense
      and Audit Level settings on a rule. If the SYN flood defense is enabled, TCP connection attempts are
      discarded if they are not acknowledged within a specified number of seconds. Audit Level controls the
      generation of audit data for a network session matching the rule. Audit events with a level higher than or
      equal to the selected level are recorded; audit events with a lower level are not recorded.
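The lookup sequence described above (existing session first, then a top-to-bottom first-match scan of the rules list, an implicit drop when nothing matches, the two-part check for ICMP error messages, and the audit-level threshold), as an added example written for this guide and not Control Center code. Rules are reduced to a protocol, endpoint strings and a destination port range, the traffic is constructed, and the numeric audit levels are an assumed encoding chosen so that "higher than or equal to the selected level" records the right events.

```python
# Added example (not Control Center code): a model of the first-match,
# session-based lookup, the ICMP error rule and the audit-level threshold.
# Rule categories are simplified; endpoints are plain strings (constructed).
from dataclasses import dataclass

ANYWHERE = "ANYWHERE"
# Assumed encoding: Verbose events are the lowest level, errors the highest,
# so selecting Errors Only on a rule records only error events.
AUDIT_VERBOSE, AUDIT_STANDARD, AUDIT_ERRORS_ONLY = 1, 2, 3


@dataclass(frozen=True)
class Signature:
    """Session signature: source, destination, protocol, source port, destination port."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    name: str
    action: str                        # "Allow", "Deny" or "Drop"
    proto: str = ANYWHERE
    sources: tuple = (ANYWHERE,)
    destinations: tuple = (ANYWHERE,)
    dports: tuple = (0, 65535)         # inclusive destination port range

    def matches(self, sig: Signature) -> bool:
        """A datagram matches only if it matches every category of the rule."""
        return (self.proto in (ANYWHERE, sig.proto)
                and (ANYWHERE in self.sources or sig.src in self.sources)
                and (ANYWHERE in self.destinations or sig.dst in self.destinations)
                and self.dports[0] <= sig.dport <= self.dports[1])


class PacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)       # ordered: Rule 1 is rules[0]
        self.sessions = {}             # Signature -> (action, rule name)

    def handle(self, sig: Signature):
        """Return (action, rule_name, from_session) for one datagram."""
        if sig in self.sessions:       # existing session: no rule lookup
            action, name = self.sessions[sig]
            return action, name, True
        for rule in self.rules:        # top to bottom, first match wins
            if rule.matches(sig):
                self.sessions[sig] = (rule.action, rule.name)
                return rule.action, rule.name, False
        return "Drop", None, False     # no rule matches: datagram dropped

    def handle_icmp_error(self, error: Signature, offending: Signature) -> str:
        """An ICMP error passes only if a session grants the offending
        datagram AND the rules list grants the error message itself."""
        session = self.sessions.get(offending)
        if session is None or session[0] != "Allow":
            return "Drop"
        for rule in self.rules:
            if rule.matches(error):
                return rule.action
        return "Drop"


def should_record(event_level: int, rule_audit_level: int) -> bool:
    """Audit events at or above the level selected on the rule are recorded."""
    return event_level >= rule_audit_level


def demo():
    """Constructed rule set and traffic; returns each outcome for inspection."""
    rules = [
        Rule("Internal web", "Allow", proto="tcp", sources=("10.1.1.5",),
             destinations=("192.0.2.10",), dports=(80, 80)),
        Rule("ICMP errors", "Allow", proto="icmp"),
        Rule("Block telnet", "Drop", proto="tcp", dports=(23, 23)),
    ]
    pf = PacketFilter(rules)
    web = Signature("10.1.1.5", "192.0.2.10", "tcp", 40001, 80)
    telnet = Signature("10.1.1.5", "192.0.2.10", "tcp", 40002, 23)
    dns = Signature("10.1.1.5", "192.0.2.10", "udp", 40003, 53)
    icmp_err = Signature("192.0.2.10", "10.1.1.5", "icmp", 0, 0)
    return {
        "web_first": pf.handle(web),       # rule lookup, session created
        "web_second": pf.handle(web),      # served from the session
        "telnet": pf.handle(telnet),       # explicit Drop rule
        "dns": pf.handle(dns),             # no match: implicit drop
        "err_for_web": pf.handle_icmp_error(icmp_err, web),
        "err_for_dns": pf.handle_icmp_error(icmp_err, dns),
        # Rule order matters: a broad Allow placed first shadows the Drop.
        "shadowed": PacketFilter([Rule("Any tcp", "Allow", proto="tcp"),
                                  rules[2]]).handle(telnet),
        "error_at_standard": should_record(AUDIT_ERRORS_ONLY, AUDIT_STANDARD),
        "verbose_at_standard": should_record(AUDIT_VERBOSE, AUDIT_STANDARD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "shadowed" entry is the point the section makes about ordering: the same Drop rule that blocks telnet in the first rule set never fires once a broader Allow sits above it, and because the session created by the first matching datagram is reused, later datagrams of that stream never reach the rules list at all.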


      Rule management
      Because large numbers of rules can be created over time, the Configuration Tool provides some tools to
      help the administrator manage rules.
      • Default Rule Settings window — Specify default settings for new rules. See Configuring default
        settings for creating rules on page 540.

      • Rules Filter Selection window — Specify filter criteria to display subsets of rules. This is to enable an
        operator to locate and manage a smaller subset of a potentially large set of rules that can be developed
        to meet the criteria of an implemented security policy. See Filtering rules to display on the Rules page on
        page 545.
      • Quick Filter window — Displays (in the Rules page) only those rules that have been defined for the
        selected firewalls. See Displaying filtered rules on the Rules page on page 550.

      • Manage Filters window — Load and manage previously named filters used to display only those rules
        that meet the filter requirements that were defined when using the Rules Filter Selection window. See
        Loading and managing previously saved rule filters on page 549.

         Highlight the filter and select the action to perform (Apply, Edit, or Delete). The rules that meet the
         requirements that are defined in the filter are displayed on the Rules page, and the Filter Off menu
         option is displayed in the Rules menu of the Configuration Tool. Select that menu option to cancel the
         filtered view.

      • Rules Group window — Organize sequences of rules into groups that can be expanded and collapsed.
        The purpose is to allow administrators to manage large numbers of rules. See Configuring groups of rules
        on page 551.

      • Reveal or conceal selected groups of rules — After the rules have been formed into groups by using the
        Rules Group window, use the expand and contract buttons at the left end of the Rule Description table
        (shown when the Rules page is displayed in the work area of the Configuration Tool) to reveal or conceal
        selected groups of rules.

      • Right-click menu — Any time that the cursor is in the work area of the Configuration Tool when the Rules
        page is open, the administrator can right-click to display a menu. The selections on the menu vary
        according to the options that are currently available. One notable feature is the ability to insert a new rule
        at the current insertion point in the displayed rules. You can also do this by pressing Ins (Insert) on the
        keyboard.


      Creating, viewing, or modifying rules
      Use the Rules page to view, add, insert, change, delete, or prioritize rules. Certain rule settings can be
      changed directly from this page (such as enabling or disabling a rule, or renaming a rule). You can move a
      firewall into the Apply On column by using the drag-and-drop feature; you can also add the associated
      objects for services, sources, destinations, and time periods directly from the column using drag-and-drop;
      and you can move burb objects using drag-and-drop into the Source Burbs or Destination Burbs
      columns. Changes made from the Rules page are automatically saved. (Drag-and-drop changes generate a
      confirmation pop-up message.) You can change other rule settings in the Rule Editor window.








Because many rules can be created when managing enterprise-class firewalls, a filtering mechanism is
provided so that you can quickly retrieve only those rules that meet certain filter constraints.
• Use the Quick Filter option to identify rules associated with one or more selected firewalls.

• Use the Rules Filter Selection window to specify filter criteria to display subsets of rules by using a more
  complex filtering mechanism.

• Use the Manage Filters option to quickly retrieve a previously defined filter.
From the Rules page, use the Filter list to filter the rules for display. You can perform the following tasks:
• Select a firewall to display all rules for that firewall, or select a device group to display the rules for all of
  the firewalls in that group.

• Create a custom filter. When Custom Filter is selected, the Rules Filter Selection window displays,
  allowing the creation of a dynamic filter.

• Select a saved filter.

• Select Clear Find Results to clear a filter and display all of the rules on the Rules page.

Use Find to search for rules.
1 In the Search field, specify a term that matches a selection for any value displayed in the table.

2 Click the down arrow to select the display for the search results (Highlight Matching Rules or Only
   Display Matching Signatures).

3 Click Find or press Enter. The results are displayed.

4 Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view
   all of the objects again, click Clear Find Results.

When the cursor is in the work area of the Configuration Tool and the Rules page is open, you can
right-click to display a pop-up menu. The selections on the menu vary, according to the options that are
currently available. One notable feature is the ability to insert a new rule at the current insertion point in
the displayed rules. This action can also be accomplished by pressing the Insert key (Ins) on the keyboard.
The following capabilities make it easier to manage rules:
• Move rules using drag-and-drop.

• Select multiple rules on the page.

   • Delete multiple selected rules.

   • Apply drag-and-drop to all selected rules.

• View multiple instances of the Rules page.

• Manage rule groups.

   • Select the first and last rules in a series, then right-click to create a group for that series, or right-click
     somewhere on the Rules page and select Create Group in the window.

   • Right-click on a group in the table to:

        • Edit or remove the rule group.

        • Delete, enable, or disable all rules in a rule group.

        • Move rule groups up or down, to the top or bottom, and above the rule or below it.

   • Move rule groups using drag-and-drop.

   • Expand a group of rules. Then add an existing rule by dragging and dropping it into the group.

• Move burb objects into the Source Burbs or Destination Burbs columns by using drag-and-drop.

   • The drag-and-drop option is not allowed when Any Burb or All Burbs is selected.








         • If a burb object is dragged to a cell with an existing burb object, the new burb is added to the list.

         • If a burb object is dragged to a cell with burb groups, or a burb group is dragged to a cell with burb
           objects, the burb is not added to the list.
              Figure 223 Rules page




      Accessing this page
      This page is displayed by default when you log into the Configuration Tool. Select the Rules tab. The Rules
      page is displayed in the work area.

      Columns
      The following columns appear by default. To select the columns you want to display on this page, see
      Configuring columns to display on the Rules page on page 532.
      • Enabled — Determines whether the rule is enabled. This checkbox is selected by default. If this box is
        cleared, the firewall behaves as though the rule was not present.

      • Rule Name — [Read-only] Displays the name of the rule.

      • Action — [Read-only] Displays the way in which packets matching the rule are handled. The following
        values are possible:

         • Allow — Indicates that packets matching this rule pass through the firewall without intervention.

         • Deny — Indicates that packets matching this rule are prohibited from passing through the firewall.

         • Drop — Indicates that packets matching this rule are silently dropped.

      • Apply On (firewalls) — [Read-only] Displays the firewalls to which the rule applies.

      • Services — [Read-only] Displays the network services to which the rule applies.

      • Source Burbs — [Read-only] Displays the burbs from which traffic that matches the rule can come.

      • Sources — [Read-only] Displays the network sources to which the rule applies.

      • Destination Burbs — [Read-only] Displays the burbs to which traffic matching the rule can go.

      • Destinations — [Read-only] Displays the network destinations to which the rule applies.
      • Time Periods — [Read-only] Displays the time periods when the rule is in effect.







• Application Defense — [Read-only] Displays the application defense for the rule.

• Authenticator — [Read-only] Displays the authenticator for the rule.

• Rule Description — [Read-only] Displays information about the rule.

Use the options accessed on the Rule Options toolbar or from the Rules menu to manage rules. The
following options are provided:
• Add New Rule — Displays the Rule Editor window, in which you can create a new rule.

• Edit Rule — Displays the Rule Editor window, in which you can edit the highlighted rule.

• Delete Rule — Delete the highlighted rule.

• Delete Rules — Displays a window in which you can specify groups, sequences, and single rules to
  delete.

• Cut Rule — Cut or move the highlighted rule.

• Paste Rule — Paste a rule in the position of the insertion point.

• Copy Rule — Create a copy of the highlighted rule.

• Move to Top — Move the highlighted rule to the top of the page. If you move a General Rule, it is moved
  to the top of the General Rules.
• Move Up — Move the highlighted rule up one position on the page.

• Move Down — Move the highlighted rule down one position on the page.

• Move to Bottom — Move the highlighted rule to the bottom of the page. If you move a Priority Rule, it
  is moved to the bottom of the Priority Rules.

• Move Above Rule — Move the highlighted rule above a specific rule.

• Move Below Rule — Move the highlighted rule below a specific rule.

• Filter Rules — Displays the Rules Filter Selection window, in which you can specify the filter criteria that
  are used to display subsets of rules. The rules that meet the requirements that have been defined in the
  filter are displayed in the Rules page. Also as a result of configuring the filter, the Filter Off menu option
  becomes available on the Rules menu of the Configuration Tool. Select the Filter Off menu option to
  cancel the filtered view.

• Manage Filters — Load and manage filters that have been defined by using the Rules Filter Selection
  window. These filters are used to limit the rules display to those rules that meet the requirements defined
  in the filter selection window. Also as a result of configuring the filter, the Filter Off menu option becomes
  available on the Rules menu of the Configuration Tool. Select the Filter Off menu option to cancel the
  filtered view.

• Quick Filter — Display only those rules that have been defined for selected firewalls. This action opens
  the Quick Filter window. When you complete the window and click OK, the list of rules is filtered to show
  only the rules that meet the requirements defined in the quick filter. The Filter Off menu option is now
  available on the Rules menu of the Configuration Tool. Select Filter Off from the Rules menu to cancel
  the filtered view.

• Default Rule Settings — Displays the Default Rule Settings window, in which you can specify default
  parameters for new rules that are created. For more information, see Configuring default settings for
  creating rules on page 540.

• Create Groups — Create or delete groups of rules. For more information, see Configuring groups of rules
  on page 551.








      • Configure Columns — Displays the Rules Display Columns window, in which you can specify the columns
        to display on the Rules page.
         Note: Move options have the following constraints:
         • Move options cannot be used to move a rule into or out of a group.
         • Moving a Privileged General rule to Priority moves it to the top of the General rules.
         • Moving a Privileged Priority rule to Bottom moves it to the bottom of the Priority rules.
         • Neither a Privileged General rule nor a non-Privileged rule can be moved above a Privileged Priority Rule.

      For information about defining Privileged Rules and identifying their location in the rule set, see Configuring
      rules on page 533.


      Configuring columns to display on the Rules page
      Use the Rules Display Columns window to select the columns to display on the Rules page.
      Figure 224 Rules Display Columns window




      Accessing this window
      1 In the Configuration Tool, select the Rules tab. The Rules page is displayed in the work area.

      2 From the Rules menu, select Configure Columns. The Rules Display Columns window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Column — Select the checkboxes to the left of each column that you want to display on the Rules page.

      • Row Height — Select the value to adjust the height of each row in the Rules page display. Adjusting this
        value affects the number of rules that are displayed in the viewing area on the Rules page (that is, without
        scrolling); the smaller the value, the more rules are displayed.








         Configuring rules
         Use the Rule Editor window to define a rule. In this window, you can enable or disable a rule, specify the
         action to take on packets that match the rule, and configure the firewalls, services, and sources and
         destinations to which the rule applies. For more information, see Rules on page 527.
Figure 225 Rule Editor window




         Accessing this window
         1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.

         2 From the Rules menu, select Add New Rule or Edit Rule. The Rule Editor window is displayed.

         Fields and buttons
         This window has the following fields and buttons.
         • General — Use the fields in this area to define general attributes of this rule. The following fields are
           available:

            • Name — Specify a name that indicates the purpose of this rule. For example, the pre-configured rule
              that allows typical Internet services is called “Internet Services.”

                 Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces
                 ( ). However, the first and last character of the name must be alphanumeric. The name cannot
                 exceed 256 characters. You can rename the rule later.







              If you do not provide a name, a name in one of the following formats will be assigned to the rule:
              Table 19 Rule formats
              Default Prefix Defined?   Name Field Left Blank?   Saved Rule Name Value
              No                        Yes                      RuleID_internal_ID, where internal_ID refers to a
                                                                 Control Center internal identifier (for example,
                                                                 RuleID_110013).
              Yes                       Yes                      <Rule_name_prefix><internal_ID>, where internal_ID
                                                                 refers to a Control Center internal identifier (for
                                                                 example, myprefix110013).
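The name constraints stated for the Name field (allowed characters, alphanumeric first and last character, 256-character limit) together with the default naming in Table 19, as an added example written for this guide rather than Control Center code. The internal ID used below is the constructed value from the table's own example, and the prefix is a constructed placeholder.

```python
# Added example (not Control Center code): validates a rule name against the
# stated constraints and derives the saved name when the Name field is blank.
import re
from typing import Optional

MAX_NAME_LENGTH = 256
# Alphanumerics, periods, dashes, underscores and spaces; the first and last
# character must be alphanumeric (a single alphanumeric character is allowed).
NAME_PATTERN = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._ -]*[A-Za-z0-9])?")


def validate_rule_name(name: str) -> bool:
    """True if the name satisfies the character, boundary and length rules."""
    return len(name) <= MAX_NAME_LENGTH and NAME_PATTERN.fullmatch(name) is not None


def saved_rule_name(name: str, default_prefix: Optional[str], internal_id: int) -> str:
    """Name stored for the rule: the given name if it is valid, otherwise the
    Table 19 default built from the prefix (when one is defined) and the
    Control Center internal identifier."""
    if name == "":
        if default_prefix:
            return f"{default_prefix}{internal_id}"
        return f"RuleID_{internal_id}"
    if not validate_rule_name(name):
        raise ValueError(f"invalid rule name: {name!r}")
    return name


if __name__ == "__main__":
    # 110013 is the identifier used in the table's example; "myprefix" likewise.
    print(saved_rule_name("", None, 110013))          # RuleID_110013
    print(saved_rule_name("", "myprefix", 110013))    # myprefix110013
    print(saved_rule_name("Internet Services", "myprefix", 110013))
```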


         • Enable rule — Determines whether this rule is enabled. All new rules are enabled by default. If this
           checkbox is cleared, the firewall identifies and manages traffic as if this rule did not exist.

         • Description — Provide a basic description for the rule. You can use this value when you are creating
           a filtered view of the rules as part of your filtering strategy.
         • Rule Type — Specify the service type for this rule. The following values are available:

              • Proxy — Indicates that packets (datagrams) that match this rule are intercepted and passed to a
                proxy that performs specific actions. This setting offers the highest level of security; however,
                performance can be reduced. Select this option for potentially threatening or revealing packet
                transmissions.
                Proxy services inspect traffic at the application layer. Proxy rules determine whether traffic will be
                allowed or denied using basic criteria such as protocol, port, source and destination address.
                However, they can also inspect the traffic to make sure that it complies with the standards of its
                protocol. Many proxy services also allow for advanced filtering and scanning services. Advanced
                application-specific properties, or application defenses, can be configured for each proxy.

              • Filter — Indicates that packets that match this rule are handled by filter services.

                Filter services inspect traffic at the network and transport layers. Filters operate directly on the IP
                packets, allowing the firewall to securely forward IP packets between networks. Filter rules
                determine whether traffic will be allowed or denied using basic criteria such as protocol, port, source
                and destination address. Very little protocol and content inspection is available when using filter
                services. Because filters are inherently less secure than proxies, filter services should be used only
                when necessary.

              • Server — Indicates that packets (datagrams) that match this rule are handled by daemon servers.
                If this option is selected, only daemon servers appear in the Services column.

                Use server services to control access to firewall-hosted servers. Servers are typically used in
                management traffic rules when an administrator or another system needs to communicate directly
                with the firewall. Many of the server rules are created and enabled automatically. A few servers,
                such as the Sendmail® server, allow for extensive configuration of their server properties. However,
                most servers do not require changes to their default settings.

              • Comment — Indicates that explanatory information will be provided for a single rule or a group of
                rules.

         • Allow — Specify that traffic will pass through without intervention. This setting offers the best
           performance, but compromises security. It is usually used with trusted transmissions (for example,
           from the firewall to an internal server). Because all traffic is denied by default, you will mostly create
           this type of rule. This is the default value.

         • Deny — Specify that traffic that matches this rule is denied. An audit message is generated and the
           initiator is notified that the packets have been denied.








   • Drop — Specify that traffic that matches this rule is silently dropped. (No notification is sent to the
     initiator.)

        Note: Do not use a rule where the action is Drop and the Service, Source, and Destination are all set to
        ANYWHERE. Such a rule will block traffic for servers on the firewall (such as DNS, NTP, or Admin Console).

        If you do use Drop with ANYWHERE for the Service, Source or Destination values, do not use
        ANYWHERE for at least one of the remaining Service, Source, or Destination values.
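A check for the Drop pattern the note warns about, as an added example written for this guide and not Control Center code. Rules are represented as dicts with lists of object names, and the rule data is constructed; a category that contains ANYWHERE is treated as set to ANYWHERE, because a traffic stream matches a category if it matches any object in it.

```python
# Added example (not Control Center code): flags rules whose action is Drop
# while Service, Source and Destination are all ANYWHERE. Such a rule also
# blocks traffic for servers hosted on the firewall (DNS, NTP, Admin Console).
ANYWHERE = "ANYWHERE"
CATEGORIES = ("services", "sources", "destinations")


def is_blanket_drop(rule: dict) -> bool:
    """True when action is Drop and every category matches ANYWHERE."""
    return (rule["action"] == "Drop"
            and all(ANYWHERE in rule[category] for category in CATEGORIES))


def blanket_drop_findings(rules) -> list:
    """(rule name, remedy) for each offending rule. The remedy follows the
    note: keep ANYWHERE out of at least one of Service, Source or Destination."""
    return [(rule["name"],
             "set at least one of Service, Source or Destination to a specific object")
            for rule in rules if is_blanket_drop(rule)]


# Constructed rule set for the example.
SAMPLE_RULES = [
    {"name": "Drop everything", "action": "Drop",
     "services": [ANYWHERE], "sources": [ANYWHERE], "destinations": [ANYWHERE]},
    {"name": "Drop from quarantine", "action": "Drop",
     "services": [ANYWHERE], "sources": ["quarantine_net"], "destinations": [ANYWHERE]},
    {"name": "Allow all", "action": "Allow",
     "services": [ANYWHERE], "sources": [ANYWHERE], "destinations": [ANYWHERE]},
]

if __name__ == "__main__":
    for name, remedy in blanket_drop_findings(SAMPLE_RULES):
        print(f"{name}: {remedy}")
```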

   • Audit level — Specify the generation of audit data for a network session that matches the rule. The
     following values are available:

        • Errors Only — Generates errors only.

        • Standard — Generates major errors and informational messages. This level is selected by default.

        • Verbose — Generates information that helps to detect configuration issues.

• Apply On — Specify firewalls, clusters, or device groups to which the rule applies. Double-click any object
  in this list (except generic objects such as ALL FIREWALLS) to open it. To search for objects, use the filter
  field to control the number of objects that are displayed. To limit the search to exact matches of a specified
  sequence of characters that appears anywhere in the object name, specify one or more characters and
  press Enter. To perform an advanced search for an object, click Advanced search.

   Use the Find button to filter the objects in the column to display only those objects that match the
   character or sequence of characters that you have specified in this field.

• Services — Specify the network services or service groups that this rule will allow or deny. Double-click
  any object in this list to open it.

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click Advanced search.

   To view a list of objects that you can add, click Add.

   Use the Find button to filter the objects in the column to display only those objects that match the
   character or sequence of characters that you have specified in this field.

   If you change your service selection, review your other selections because the new service can use
   different options.

• Effective Times — Use the fields in this area to specify the start and end time in which this rule is
  enforced.

   • Time periods — Specify the time period during which this rule will be active. Click the down arrow
     and then select each checkbox for the time periods that you want. You can also right-click in this list
     to select all values or clear all values. By default, all rules are always active (that is, the ANYTIME
     value is selected).

   • Start on — Specify a specific date and time at which to start enforcing this rule. There are several
     different ways to edit this value:

        • Click the down arrow to select the month and day from the calendar.

        • Click in the month, day, year, hour, or minute values and specify a new value or use the spin control
          to select a new value.

   • Expire on — Specify a specific date and time at which to stop enforcing this rule. There are several
     different ways to edit this value:

        • Click the down arrow to select the month and day from the calendar.

        • Click in the month, day, year, hour, or minute values and specify a new value or use the spin control
          to select a new value.







      • Sources — Use the fields in this area to determine the location from which the traffic for this rule can
        begin.

         • (Sources list) — Specify the network source or sources (for example, IP address, domain, netmap, and
           so on) to which the rule applies. Double-click any object in this list to open it.

              Source and destination endpoints must have the same type of address—an IPv4 source can connect
              only to an IPv4 destination, and an IPv6 source can connect only to an IPv6 destination.
              Note: If you want this rule to match all endpoints in the selected source burb(s), select one of the following
              network objects:
              • ANYWHERE – This network object matches both IPv4 and IPv6 addresses.
              • Any_IPv4 – This network object matches IPv4 addresses only. If IPv6 is not enabled on your firewall,
                selecting this endpoint ensures that this rule will not allow any traffic from IPv6 addresses if you choose
                to enable IPv6 in the future.
              • Any_IPv6 – [Available only if IPv6 is enabled] This network object matches IPv6 addresses only.

              To search for objects, use the filter field to control the number of objects that are displayed. To limit
              the search to exact matches of a specified sequence of characters that appears anywhere in the
              object name, specify one or more characters and press Enter. To perform an advanced search for
              an object, click Advanced search.

              To view a list of objects that you can add, click Add.

              To perform a filtered search, specify the first few characters of the object and click Find. The list of
              objects is limited to those objects that match the text that you specified.

         • Burbs — Specify the burb or burb groups in which the source endpoint is located. You can select one
           or more burbs or one or more burb groups. Click the down arrow. Select one of the following options
           and then select one or more burbs or burb groups:

              • Any burb — Permits matching traffic from any burb.

              • Selected burbs — Permits matching traffic from one or more burbs selected from associated list.

              • Selected burb groups — Permits matching traffic from one or more burb groups selected from
                associated list.

         • NAT — Specify the network object that will replace the original source address as the traffic leaves the
           firewall. By default, NAT is enabled and it uses the IP address of the firewall interface that matches the
           destination burb (localhost). NAT allows you to rewrite a packet's source address. For example, if the
           internal network uses private addresses, replace the actual source address with the publicly routable
           external address of the firewall.

              Click the down arrow. The following options are available:

              • NONE — Indicates that NAT is disabled.

              • Host — Indicates that you must select the addresses of the network sources that are mapped to a
                single address.

              • Netmap — Indicates that you must select the addresses of the selected network sources that are
                mapped to different objects. If this option is selected, you must specify the mapping of sources to
                objects in the table that contains the following columns:
                • Original — Lists the selected network source or sources.

                • Mapped — Lists the host or network endpoints that are defined on the system. Specifies the host
                  or network endpoint to which the corresponding original network source is to be mapped.
                Note: By default, all source objects displayed in the Original column are mapped to themselves in the
                Mapped column.




536   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Rules




   • Preserve source port — Determines whether the source port is preserved after the source address
     has been translated. This checkbox is cleared by default. Select this option only when required by the
     application protocol.

• Destinations — Use the fields in this area to specify the network destinations to which the rule applies.

   • (Destinations list) — Specify the network destination or destinations (for example, IP address, domain,
     netmap, and so on) to which the rule applies. Double-click any object in this list to open it.

        Destination and source endpoints must have the same type of address—an IPv4 source can connect
        only to an IPv4 destination, and an IPv6 source can connect only to an IPv6 destination.
        Note: If you want this rule to match all endpoints in the selected source burb(s), select one of the following
        network objects:

        • ANYWHERE – This network object matches both IPv4 and IPv6 addresses.
        • Any_IPv4 – This network object matches IPv4 addresses only. If IPv6 is not enabled on your firewall,
          selecting this endpoint ensures that this rule will not allow any traffic from IPv6 addresses if you choose
          to enable IPv6 in the future.
        • Any_IPv6 – [Available only if IPv6 is enabled] This network object matches IPv6 addresses only.

        To search for objects, use the filter field to control the number of objects that are displayed. To limit
        the search to exact matches of a specified sequence of characters that appears anywhere in the
        object name, specify one or more characters and press Enter. To perform an advanced search for
        an object, click the Advanced search icon.

        To view a list of objects that you can add, click the Add icon.

        To perform a filtered search, specify the first few characters of the object and click Find. The list of
        objects is limited to those objects that match the text that you specified.

   • Burbs — Specify the burb or burb groups in which the destination endpoint is located.
        Note: If you are using redirection, match the destination burb to the destination endpoint, even if the
        redirect endpoint is in another burb.

        You can select one or more burbs or one or more burb groups. Click the down arrow. Select one of
        the following options and then select one or more burbs or burb groups:

        • Any burb — Permits matching traffic from any burb.

        • Selected burbs — Permits matching traffic from one or more burbs selected from the associated
          list.

        • Selected burb groups — Permits matching traffic from one or more burb groups selected from the
          associated list.

   • Redirect — Specify settings for redirection. Use redirection to rewrite a packet's destination address.
     If the traffic needs to be redirected to a different endpoint, the original destination redirects to the
     network object that you select in this field. Click the down arrow. The following options are available:

        • NONE — Indicates that redirection is disabled.

        • Host — Indicates that the addresses of all of the selected destinations are mapped to a single
          address.




              • Netmap — Indicates that the addresses of the selected network destinations are mapped to
                different objects. If this option is selected, you must specify the mapping of destinations to objects
                in the table that contains the following columns.
                • Original — Lists the selected network destination or destinations.

                • Mapped — Lists the host or network endpoints that are defined on the system. Specifies the host
                  or network endpoint to which the corresponding original destination address is to be mapped.
                Note: By default, all destination objects displayed in the Original column are mapped to themselves in the
                Mapped column.

         • Translate destination port — Determines whether the destination ports of all traffic that matches
           the rule are translated to a specified port number. This checkbox is cleared by default.

      • Privileged Rules — Use the fields in this area to determine whether this rule is enabled as a privileged
        rule.

         • Privileged rule — Determines whether the rule is enabled as a privileged rule. To be able to create a
           privileged rule, you must have a user role that has access to the Control Center Rules object (View,
           Update, Add, Remove) and that can enable the Privileged Rules action, which allows creation and
           modification of privileged rules. (To update your user role, use the User Manager window of the
           Administrator Tool; to define a user role, use the Role Manager window.)

              This checkbox is cleared by default.
              Note: When you subsequently see this privileged rule on the Rules page, it is displayed in a pink color to
              distinguish it from other rules.

         • Location — Determines the location of the privileged rule in the rule set. The following options are
           available:

              • Priority — Indicates that the privileged rule is placed at the top of the rule set.

              • General — Indicates that the privileged rule is interspersed with other rules in the rule set. This
                option is selected by default.

      • Content Inspection — Use the fields in this area to configure the application defense and IPS options to
        be used for the rule.

         • Application defense — Specify a particular application defense or application defense group that is
           defined on the Control Center.

              This field is accessible only under the following circumstances:

              • The value for Rule type is Proxy and the proxy uses an application defense.

              • The value for Rule type is Server and the selected service is sendmail.

              • The selected action is Allow.

              • Multiple services are selected in the Services list.

         • Inspection level — Specify the level of inspection to be performed by the selected application
           defense. The following options are available:

              • Full — Indicates that all of the application defense's settings are enforced. This is the default value.

              • Minimal — Indicates that filtering and scanning, such as header filtering and virus scanning, are
                not performed. Some protocol inspection is still used, as necessary, to allow traffic to pass.

              • <None> — Indicates that defense inspection is disabled. This selection severely limits how deeply
                the traffic is inspected. Disable defense inspection only for troubleshooting purposes, or in very
                narrowly defined rules that have been created to allow non-standards-compliant traffic into
                your site.
              Note: With this selection, services act like a packet filter and some may stop passing traffic that is
              typical for their protocol.


   • IPS signature group — Specify the IPS signature groups that have been defined on the firewall.
     Indicates the type of attack to be handled by the rule. The default value is <None>. For more
     information, see the Configuring IPS signature groups on page 421.

   • IPS response mapping — Specify the IPS response mappings that have been defined on the firewall.
     Indicates the response mapping that will be used by the firewall to determine the action to take against
     an attack identified by the IPS signature group selected in the IPS signature group field. For more
     information, see Configuring IPS response mappings on page 420.

• Authentication — Use the fields in this area to specify the way in which the identities of proxy users are
  verified on connection attempts.

   • Authenticator — Specify the authenticators that have been defined on the system. Selections vary
     according to selected action (Allow, Deny, or Drop) and the values that were selected in the Services
     list. The following default options can be available, in addition to other authenticators:

        • <None> — Indicates that authentication is not required. This is the default value.

        • CAC — Indicates that the user must use a U.S. Department of Defense Common Access Card (CAC)
          to log in. For detailed instructions about configuring and using a CAC authenticator, see the
          application note entitled Configuring Department of Defense Common Access Card Authentication
          on the Control Center at mysupport.mcafee.com.

        • Passport — Indicates that access to multiple services is possible with a single successful
          authentication to the firewall. This is because another authentication method works with this
          selection to cache a user's initial authentication.

        • Password — Indicates that the user is required to specify the same password at each login.

   • Allow all authenticated users — Select this option to specify that all users who authenticate
     successfully have access.

   • Only allow users in the following groups — Select this option to specify that access is limited to
     those users who authenticate successfully and who are members of the selected group or groups.

        • Internal user groups — Specify the user groups for whom all of the application defense's settings
          are enforced. Click the down arrow and then select the groups that you want.

        • External user groups — Specify the user groups for whom the security context filtering aspects
          of the application defense are not enforced. Application layer data is examined to the minimum
          extent that is necessary to perform proxy activities as defined by the associated protocol. Click the
          down arrow and then select the groups that you want.

• TrustedSource — Use the fields in this area to enable TrustedSource for this rule and to specify the traffic
  that will match this rule.

   • Enable Trusted Source — Determines whether TrustedSource is used for this rule. The firewall
     queries a TrustedSource server to obtain a reputation score for all of the IP addresses that are involved
     in the connection.
        Note: You can whitelist objects to exempt them from TrustedSource queries. For more information, see
        Configuring TrustedSource settings for rules and mail filtering on page 305.

        You can accept the default value for the TrustedSource slider or you can change it.




         • (Slider) — Specify the traffic that will match the rule. The categories of traffic are Trusted, Neutral,
           Unverified, Suspicious, and Malicious. Move the slider to the threshold that you want. For more
           information about changing default scores for reputation boundaries, see Configuring TrustedSource
           settings for rules and mail filtering on page 305.

              Traffic is not explicitly allowed or denied based on a TrustedSource score. The score is one of the
              elements in the rule that is examined for a match.

              • In an allow rule (when you have selected Allow as the action), traffic with reputation scores to the
                right of the threshold value (towards the Trusted end of the scale), where the IP addresses have
                good reputations, will match this rule.

              • In a deny or drop rule (when you have selected Deny or Drop as the action), traffic with reputation
                scores to the left of the threshold value (towards the Malicious end of the scale), where IP
                addresses have bad reputations, will match this rule.

      • OK — Save the changes on this window.

      • Cancel — Close this window without saving any changes.
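The Sources, Destinations and TrustedSource fields described above combine into a single match decision per rule. The following example is added here and is not code from the guide or from the Control Center product; it models three of those elements in Python: the address-family constraint on endpoints (ANYWHERE matches both families, Any_IPv4 and Any_IPv6 one each), the source burb selection, and the slider semantics (an Allow rule matches scores at or towards the Trusted end of the threshold, a Deny or Drop rule matches scores at or towards the Malicious end). The network objects, rule names, burb names and the ordinal reputation scale are constructed for the example; treating the threshold category itself as matching, the default threshold, and first-match evaluation over an ordered rule set are assumptions, not statements from the guide.

```python
import ipaddress
from dataclasses import dataclass

# Reputation categories in slider order, from the Malicious (left) end to the
# Trusted (right) end, as named in the guide. Ordinal positions are an
# assumption of this example; the guide configures numeric boundaries elsewhere.
REPUTATION_SCALE = ["Malicious", "Suspicious", "Unverified", "Neutral", "Trusted"]

# Constructed network objects (not from the guide). ANYWHERE spans both
# families, Any_IPv4 and Any_IPv6 one family each; internal_net is a sample.
NETWORK_OBJECTS = {
    "ANYWHERE": ("0.0.0.0/0", "::/0"),
    "Any_IPv4": ("0.0.0.0/0",),
    "Any_IPv6": ("::/0",),
    "internal_net": ("10.0.0.0/8",),
}


def endpoint_matches(object_name: str, address: str) -> bool:
    """True if the address falls inside one of the object's networks.

    ipaddress never places an IPv6 address inside an IPv4 network (or vice
    versa), which reproduces the guide's rule that an IPv4 source can match
    only an IPv4 endpoint and an IPv6 source only an IPv6 endpoint.
    """
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n) for n in NETWORK_OBJECTS[object_name])


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "Allow", "Deny" or "Drop"
    sources: tuple              # network object names from the Sources list
    source_burbs: frozenset     # burb names, or {"Any burb"}
    trustedsource: bool = False
    threshold: str = "Neutral"  # slider position; this default is an assumption


def reputation_matches(action: str, threshold: str, category: str) -> bool:
    """Slider semantics: Allow matches at/right of the threshold (towards
    Trusted); Deny and Drop match at/left of it (towards Malicious)."""
    t = REPUTATION_SCALE.index(threshold)
    c = REPUTATION_SCALE.index(category)
    return c >= t if action == "Allow" else c <= t


def rule_matches(rule: Rule, src_addr: str, src_burb: str, category: str) -> bool:
    """Check the source burb, the source endpoint and, if enabled, the reputation."""
    if "Any burb" not in rule.source_burbs and src_burb not in rule.source_burbs:
        return False
    if not any(endpoint_matches(obj, src_addr) for obj in rule.sources):
        return False
    if rule.trustedsource and not reputation_matches(rule.action, rule.threshold, category):
        return False
    return True


def first_matching_rule(rules, src_addr: str, src_burb: str, category: str):
    """Name of the first matching rule, or None (first-match order is assumed)."""
    for rule in rules:
        if rule_matches(rule, src_addr, src_burb, category):
            return rule.name
    return None


# Constructed sample rule set: a reputation-based deny first, then two allows.
SAMPLE_RULES = (
    Rule("deny_bad_reputation", "Deny", ("ANYWHERE",), frozenset({"Any burb"}),
         trustedsource=True, threshold="Suspicious"),
    Rule("allow_internal_good", "Allow", ("internal_net",), frozenset({"internal"}),
         trustedsource=True, threshold="Neutral"),
    Rule("allow_external_v4", "Allow", ("Any_IPv4",), frozenset({"external"})),
)

if __name__ == "__main__":
    for addr, burb, cat in [("10.1.2.3", "internal", "Trusted"),
                            ("10.1.2.3", "internal", "Malicious"),
                            ("2001:db8::1", "external", "Trusted")]:
        print(addr, burb, cat, "->", first_matching_rule(SAMPLE_RULES, addr, burb, cat))
```

The third sample connection illustrates the guide's advice on Any_IPv4: the IPv6 source reaches the allow rule but does not match it, so enabling IPv6 later would not silently widen that rule.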


      Configuring default settings for creating rules
      Use the Default Rule Settings window to define default settings for creating rules. For example, if you want
      all of your rule names to begin with the same prefix, you can set that in this window, along with any of the
      settings that are available in this window.
      By default, all new rules that are created in the Control Center have the following settings that are defined
      in the Rule Editor window:
      • The value of the Rule Type field is set to Proxy.
      • The value of the NAT field is set to host mode (that is, the Host option is selected in the list and localhost
        is selected in the Host list).

      • The user must manually select a source and destination burb for each rule.

      This window lets you establish all of those values as defaults, which makes it easier to create rules.
      However, be aware of the following implications of establishing these defaults:
      • These settings will be shared among all of the users in this configuration domain. You can and must
        configure default settings for each configuration domain separately.

      • Although you can set the default name prefix in this window, the user is not required to use this prefix
        when he or she is creating a new rule.
      Figure 226 Default Rule Settings window




Accessing this window
In the Configuration Tool, from the Rules menu, select Default Rule Settings…. The Default Rule Settings
window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Configure default name prefix — Determines whether to configure a prefix that will be prepended to
  each new rule (that is, the value in the Name field on the Rule Editor window). If you select this checkbox,
  specify the prefix value. The default value for this checkbox is cleared.

• Default rule type — Specify the type of the rule that you want to display in the Rule Editor window as
  the default rule type. The values are either Proxy or Filter. The default value is Proxy. For more
  information about the Rule Type field and the other related fields on the Rule Editor window, see
  Configuring rules on page 533.

• Configure default source burb — Determines whether a default setting for one or more source burbs
  is defined here that will be displayed in the Burbs field in the Sources area of the Rule Editor window. If
  you select this checkbox, select the values in the list. The default value for this checkbox is cleared.

• Configure default destination burb — Determines whether a default setting for one or more
  destination burbs is defined here that will be displayed in the Burbs field in the Destinations area of the
  Rule Editor window. If you select this checkbox, select the values in the list. The default value for this
  checkbox is cleared.

• Default NAT — Determines whether NAT is enabled and a value used for the NAT field in the Rule Editor
  window. The default value is Host and localhost for the destination burb. You cannot configure Netmap as
  a default setting.

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click the Advanced search icon.

   To view a list of objects that you can add, click the Add icon.

• OK — Save the default settings and close this window. These values will now be displayed in the Rule
  Editor window every time that you add a new rule.

• Cancel — Closes this window without saving any changes.


Replacing objects in rules
Use the Search and Replace window to replace network objects, service objects, or firewalls in your rules.
For example, suppose you need to change a server that is used in your rules. With this window, you can
make the change in all affected rules at one time, instead of editing each rule individually.
To use this window, you must have the following administrative permissions:
• Access to the ALL FIREWALLS object (that is displayed in the Apply On list in the Rule Editor window)

• Ability to update rules in this configuration domain

• Ability to update privileged rules

If you do not have all of these permissions, an error message is displayed when you click OK.




      Guidelines
      Review the following guidelines for using this window:
      • Domain objects. You can replace domain objects only with domain objects.

         You cannot replace a domain object with a network object of another type (such as a host, network,
         and so on). To view all of the network object types, see the Network Objects tree in the Policy group
         bar.

      • Network protocols. You cannot replace an IPv4 network object with an IPv6 network object.

         You can replace objects only of the same protocol type. (For example, replace one IPv6 object with
         another IPv6 object). You can also replace ANY_IPv4 with ANYWHERE because these objects have the
         same behavior in rules.

      • Services. You can replace one service with another service only if they both are the same service type
        and have the same agent. This also means that you cannot replace a single service with a service group.

      • Firewalls. The following guidelines apply to firewalls:

         • Versions. Both firewalls must be the same version. Additionally, if you are working with version 7.0.1
           or later firewall objects, they both must have the same IPv6 enabled state. (This state is defined on
           the Firewall window.)

         • Replacing a firewall with a device group. Each firewall in the group must comply with the version
           criteria mentioned above.

         • Replacing a device group with a single firewall. At least one firewall in the device group must match
           the version and IPv6 enabled state of the target single firewall.

         • Replacing a single firewall with ALL FIREWALLS. You can perform this replacement only if all of the
           firewalls in this configuration domain are the same version.

         • Replacing ALL FIREWALLS. You can replace this object with any firewall, regardless of firewall version
           or IPv6-enabled states.

         • Replacing one device group with another device group. This is not allowed.
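The guidelines above amount to a compatibility check that the window applies before it lets a replacement proceed. The following Python example is added here and is not code from the guide or from the Control Center; it encodes the guidelines as three functions (network objects, services, firewalls) that return whether a replacement is permitted and, if not, which guideline rejects it. The object model (NetworkObject, Service, Firewall, DeviceGroup, the ALL_FIREWALLS string) and the sample values are constructed for the example; the guide does not describe replacements involving service groups other than single-to-group, or ALL FIREWALLS to a device group, so those combinations are reported as not covered rather than guessed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NetworkObject:
    name: str
    kind: str              # "domain", "host", "network", ... (constructed model)
    family: Optional[str]  # "IPv4", "IPv6", "both" (ANYWHERE) or None for domain objects


@dataclass(frozen=True)
class Service:
    name: str
    service_type: str
    agent: str
    is_group: bool = False


@dataclass(frozen=True)
class Firewall:
    name: str
    version: str           # e.g. "7.0.1"
    ipv6_enabled: bool     # the IPv6 enabled state defined on the Firewall window


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    members: tuple         # Firewall objects


ALL_FIREWALLS = "ALL FIREWALLS"   # the special object from the Apply On list


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def _same_firewall_criteria(a: Firewall, b: Firewall) -> bool:
    """Same version; from 7.0.1 on, the IPv6 enabled state must match as well."""
    if _version(a.version) != _version(b.version):
        return False
    return _version(a.version) < (7, 0, 1) or a.ipv6_enabled == b.ipv6_enabled


def can_replace_network_object(old: NetworkObject, new: NetworkObject) -> Tuple[bool, str]:
    if old.kind == "domain":
        if new.kind != "domain":
            return False, "domain objects can be replaced only with domain objects"
        return True, ""
    if old.name == "ANY_IPv4" and new.name == "ANYWHERE":
        return True, ""    # explicitly allowed: both behave the same in rules
    if old.family != new.family:
        return False, "objects must be of the same protocol type"
    return True, ""


def can_replace_service(old: Service, new: Service) -> Tuple[bool, str]:
    if new.is_group:
        return False, "a single service cannot be replaced with a service group"
    if old.service_type != new.service_type or old.agent != new.agent:
        return False, "services must have the same service type and agent"
    return True, ""


def can_replace_firewall(old, new, domain_firewalls=()) -> Tuple[bool, str]:
    """old and new are Firewall, DeviceGroup or the ALL_FIREWALLS string;
    domain_firewalls lists every firewall in the configuration domain."""
    if old == ALL_FIREWALLS and isinstance(new, Firewall):
        return True, ""    # ALL FIREWALLS may be replaced by any firewall
    if isinstance(old, Firewall) and new == ALL_FIREWALLS:
        if len({_version(fw.version) for fw in domain_firewalls}) > 1:
            return False, "all firewalls in the configuration domain must be the same version"
        return True, ""
    if isinstance(old, Firewall) and isinstance(new, Firewall):
        ok = _same_firewall_criteria(old, new)
        return ok, "" if ok else "version or IPv6 enabled state differs"
    if isinstance(old, Firewall) and isinstance(new, DeviceGroup):
        ok = all(_same_firewall_criteria(old, m) for m in new.members)
        return ok, "" if ok else "every firewall in the group must match the version criteria"
    if isinstance(old, DeviceGroup) and isinstance(new, Firewall):
        ok = any(_same_firewall_criteria(m, new) for m in old.members)
        return ok, "" if ok else "no firewall in the group matches the target firewall"
    if isinstance(old, DeviceGroup) and isinstance(new, DeviceGroup):
        return False, "replacing one device group with another is not allowed"
    return False, "combination not described in the guidelines"
```

Running the check before the substitution, rather than letting individual rules fail afterwards, is what keeps a bulk replacement from leaving the rule set half-converted.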
      Figure 227 Search and Replace window




      Accessing this window
      1 In the Configuration Tool, the Rules page must be displayed. If it is not, select the Rules tab.

      2 From the Rules menu, select Search and Replace…. The Search and Replace window is displayed.




Fields and buttons
• Network objects — Select this option to specify that you are identifying the names of network objects
   as the source and target replacement values. You can also specify whether these objects are sources,
   destinations, or both sources and destinations by selecting the appropriate checkbox. The default value
   is for all of these fields to be selected.

• Services — Select this option to specify that you are identifying the names of service objects as the
  source and target replacement values.

• Firewalls — Select this option to specify that you are identifying the names of firewalls as the source and
  target replacement values.

• Select the object in a rule to be replaced — Select the object from the list or click the Search icon to
  filter your list of objects.

• (Search) — Displays the Search window, in which you can search for one or more objects that match
  specific criteria that you specify.

• Select the replacement object for the object that you have selected above — Select the object
  from the list or click the Search icon to filter your list of objects.

• (Search) — Displays the Search window, in which you can search for one or more objects that match
  specific criteria that you specify.

• OK — Displays the Replace Rule Objects Verification window, in which you can view the list of rules that
  will be impacted by this process.

• Cancel — Close this window without replacing any objects.


Verifying the objects to be replaced in your rules
Use the Search and Replace Verification window to view a list of rules that are impacted by the proposed
substitution that you have defined in the Search and Replace window. Additionally, you can view a specific
rule in this list in read-only mode in the Rule Editor window.
Figure 228 Search and Replace Verification window




      Accessing this window
      1 In the Configuration Tool, the Rules page must be displayed. If it is not, select the Rules tab.

      2 From the Rules menu, select Search and Replace…. The Search and Replace window is displayed.

      3 Select the types of objects and the object values that you want to search for and replace.

      4 Click OK. The Search and Replace Verification window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Edit — This column identifies the row that is being edited. The following icons can be displayed:

         • [blank] — Indicates that this row is not currently selected.

         • [icon] — Indicates that this row is currently selected. You can double-click this row to see a read-only
           version of this rule in the Rule Editor window.

      • Rules name — [Read-only] Displays the name of each rule that is affected by this object substitution.
        You can double-click a highlighted rule to view it in the Rule Editor window. You can also double-click the
        up and down arrow to the right of this column name to change the alphabetical order in which the rules
        are displayed (either top to bottom or bottom to top).

      • OK — Proceed to make all of the object substitutions in your rules.

      • Cancel — Close this window and cancel the substitution process. However, the Search and Replace
        window is again displayed, in which you can change the parameters for this process and click OK again
        or click Cancel to stop the substitution process.




         Filtering rules to display on the Rules page
         Use the Rules Filter Selection window to specify filter criteria to display subsets of rules. You can locate and
         manage a smaller subset of a potentially large set of rules that can be developed to meet the criteria of an
         implemented security policy.
Figure 229 Rules Filter Selection window




         Accessing this window
         1 In the Configuration Tool, select the Rules page. The Rules page is displayed in the work area.

         2 From the Rules menu, select Filter Rules. The Rules Filter Selection window is displayed.

         Fields and buttons
         This window has the following fields and buttons:
         • Matching Type — Select by using the list:

            • Include rules that match ALL fields — Include rules that match all of the characteristics defined in
              the filter window.

            • Include rules that match ANY field — Include rules that match any of the characteristics defined in
              the filter window.




         • Include Related Objects — Determines whether to recursively search each group and nested group
           for the identified search criteria (if any have been defined). Depending on the number of groups defined
           and the depth of group nesting, this search can take a significant amount of time to return the results.
           A warning message is initially displayed to inform the user of this condition.

      • General — Use the fields in this area to define general settings for this filter. This area includes the
        following fields:

         • Enabled Rules — Select the rules to include in the filtered view of rules. The following values are
           available:

              • All — Consider all enabled and disabled rules.

              • Enabled — Only consider rules that have been enabled.

              • Disabled — Only consider rules that have been disabled.

         • Rule Types — Select the checkbox next to all of the rule types to consider in the subsequent filtered
           view. Select any combination of rule types:

              • Proxy — Indicates that packets (datagrams) matching the rule are intercepted and then passed to
                a proxy that performs specific actions. Consider all Proxy rules.
              • Filter — Indicates that packets matching the rule are handled by filter services. Consider all Filter
                rules.

              • Server — Indicates that packets (datagrams) matching the rule are handled by daemon servers. If
                this option is selected, only daemon servers appear in the Services column. Consider all Server
                rules.

              • Comment — Provides explanatory information for a single rule or a group of rules. Consider all
                Comment rules.
         • Actions — Select the checkbox next to all of the actions to consider in the subsequent filtered view.
           Select any combination of actions:

              • Allow — Indicates that packets matching the rule pass through the firewall without intervention.

              • Deny — Indicates that packets matching the rule are prohibited from passing through the firewall.

              • Drop — Indicates that packets matching the rule are silently dropped.

         • Audit Level — Include audit data for a network session matching the rule. The following values are
           available:

              • Errors Only — Generates errors.

              • Standard — Generates major errors and informational messages.

              • Verbose — Generates information that helps detect configuration issues.

         • Description — Only consider rules with any or all of this case-insensitive description text.

      • Select Firewalls to include — Select the checkbox next to the firewalls to consider in the subsequent
        filtered view.

         To search for objects, use the filter field to control the number of objects that are displayed. To limit
         the search to exact matches of a specified sequence of characters that appears anywhere in the object
         name, specify one or more characters and press Enter. To perform an advanced search for an object,
         click the Advanced search icon.

         Use the Find button to filter the objects in the column to display only those objects that match the
         character or sequence of characters that you have specified in this field.




• Select Services to include — Select the checkbox next to the services to consider in the subsequent
  filtered view.

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click the Advanced search icon.

   Use the Find button to filter the objects in the column to display only those objects that match the
   character or sequence of characters that you have specified in this field.

• Select Sources to include — Select the checkbox next to the sources to consider in the subsequent
  filtered view. Additional source considerations include the following fields:

   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click the Advanced search icon.

   Use the Find button to filter the objects in the column to display only those objects that match the
   character or sequence of characters that you have specified in this field.

   • Burbs — Select the checkbox for each burb to consider in the filtered view.

   • NAT Type — Select from the following considerations:

        • None — NAT is disabled.

        • Host — Addresses of all selected network sources are mapped to a single address.

        • Netmap — Addresses of all selected network sources are mapped to different objects.

   • Hosts — If NAT Type is set to Host, select the source hosts for consideration.

   • Preserve Source Port — The following values are available:

        • All
        • Enabled

        • Disabled

• Select Destinations to include — Select the checkbox next to the destinations to consider in the
  subsequent filtered view. Additional destination considerations include the following fields:
   To search for objects, use the filter field to control the number of objects that are displayed. To limit
   the search to exact matches of a specified sequence of characters that appears anywhere in the object
   name, specify one or more characters and press Enter. To perform an advanced search for an object,
   click the Advanced search icon.

   Use the Find button to filter the objects in the column to display only those objects that match the
   character or sequence of characters that you have specified in this field.

   • Burbs — Select the checkbox for each burb to consider in the filtered view.

   • Redirect Type — Select from the following values:

        • None — Redirection is disabled.

        • Host — Addresses of all selected network destinations are mapped to a single address.
        • Netmap — Addresses of all selected network destinations are mapped to different objects.

   • Hosts — If Redirect Type is set to Host, select the destination host for consideration.




         • Translate Destination Port — Determines whether to filter on whether the destination ports of all
           traffic matching the rule are translated to a specified port number. In the number field, specify the
           port number to which this traffic is redirected. (The valid range is 0–65535.)

      • Content Inspection — Use the fields in this area to configure content inspection parameters. The
        following fields are available:

         • Application Defense — Select the application defenses to consider in the filter.
         • Inspection Level — Select the inspection levels to consider.

         • IPS Signature Group — Select the IPS signature groups to consider.

         • IPS Response Mapping — Select the IPS response mappings to consider.

      • Authentication — Use the fields in this area to configure the authentication parameters. The following
        fields are available:

         • Authenticator — The following authenticators are always available:

              • <None>

              • Passport

              • Password

              If the Control Center has any non-Password or non-Passport authenticators defined (such as
              RADIUS or Safeword), the following options will be displayed.

         • Allow all authenticated users — Determines whether to allow all authenticated users.

         • Internal User Groups — When the Allow all authenticated users checkbox is cleared, select the
           internal user groups for consideration in the filter.

         • External User Groups — When the Allow all authenticated users checkbox is cleared, select the
           external user groups for consideration in the filter.

      • Misc — Use the fields in this area to configure miscellaneous parameters for this filter. The following fields
        are available:

         • Time Periods — Specify the time periods for consideration.

         • Privileged Rule — Selections include all, enabled (enabled as a Privilege Rule), and disabled (disabled
           as a Privilege Rule).

         • Location — Specify the area where a rule may be found. The following values are available:

              • All — All rules in the Priority and General areas.

              • Priority — All rules placed at the top of the rule set.

              • General — All rules that are not flagged as Priority.

      • Save Filter… — Use the fields in this area to specify the name of this filter and add a description. The
        following fields are available:

         • Filter Name — Specify a name for the filter you are creating if you want to preserve the ability to
           recall the filtered view in the future by using the Manage Filters window.

         • Description — Specify a description for the filter you are creating that will appear in the Manage
           Filters window that is associated with the value in the Filter Name field.

      • OK — Save the changes on this window. Filter the set of rules and display a subset of rules based on the
        selected filter criteria.

      • Cancel — Close this window without saving any changes.

Loading and managing previously saved rule filters
Use the Manage Filters window to load and manage previously saved filters. Saved filters store previous
settings specified in the Rules Filter Selection window. They can be used later to display only those rules
that currently meet the previously defined filter requirements.
Note: This window is available only if filters have been saved.

Figure 230 Manage Filters window




Accessing this window
1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.

2 In the toolbar, select the Manage Filters button.
   or
   From the Rules menu, select Manage Filters. The Manage Filters window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Filter Name — [Read-only] Displays the name that was applied to the filter when it was defined by using
  the Rules Filter Selection window.

• Description — [Read-only] Displays the description that was applied to the filter when it was defined by
  using the Rules Filter Selection window.

• Apply — Apply the selected filter to the rules that will be displayed on the Rules page.

• Edit — Display the Rules Filter Selection window for the selected filter so that you can edit the
  information.

• Delete — Delete the selected filter.

• Cancel — Close this window without making any changes.

      Displaying filtered rules on the Rules page
      Use the Quick Filter window to display (in the Rules page) only those rules that have been defined for the
      selected firewalls.
      Figure 231 Quick Filter window




      Accessing this window
      1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.

      2 From the Rules menu, select Quick Filter. The Quick Filter window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Include Related Objects — Determines whether to recursively search each group and nested group for
        the identified firewalls. Depending on the number of groups defined and the depth of group nesting, this
        search can take a significant amount of time to return the results. A warning message is initially displayed
        to inform the user of this condition.

      • Find — Use this field to filter the objects in the column to display only those objects that match the
        character or sequence of characters that you have specified in this field.

      • Firewalls — This column contains a list of all of the firewalls that have been added to the Management
        Server database by using the Add New Firewall window. Select the firewall or firewalls to be included in
        this filter.

      • OK — Save the changes in this window and filter the rules that are displayed on the Rules page.

      • Cancel — Close this window without filtering any of the rules.

Configuring groups of rules
Use the Rules Group window to help organize sequences of rules into groups that can be saved. For more
information see Rules on page 527.
After the rules are formed into groups, use the expand and contract buttons on the left end of the Rule
Description table (when the Rules page is displayed in the work area of the Configuration Tool) to reveal or
conceal selected groups of rules:
Figure 232 Expand and contract buttons




Figure 233 Rules Group window




Accessing this window
1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.

2 From the Rules menu, select Create Group. The Rules Group window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for the new group of rules that is being created, or the name of an existing
  group of rules to ungroup.

• Description — Provide information about the rules group.

• Start Rule — Specify the starting number of a sequence of numbers that are to be formed into a group.
  Only rule numbers that are not assigned to other groups can be selected.

• End Rule — Specify the ending number of a sequence of numbers that are to be formed into a group.
  Only rule numbers that are not assigned to other groups can be selected.

• OK — Save the changes in this window.

• Cancel — Close this window without filtering any of the rules.

      Merging rules with common elements
      Use the Merge Rules Wizard to analyze your rule set and combine rules that have common elements.
      Elements include Apply On, Services, Sources, Source Burbs, Destinations, Destination Burbs, and
      Time Periods. The wizard will scan your rule set and identify the rules that have common elements. You
      can then combine those rules to form a single rule.

      Accessing this wizard
      In the Configuration Tool, from the Configuration menu, select Merge Rules Wizard. The Merge Rules
      Wizard is displayed.

      Wizard steps
      This wizard has five steps.

      Step 1 of 5 - Description
      This page introduces you to the Merge Rules Wizard and identifies the users who are currently logged in.
      To analyze your existing rules, click Next >.

      Step 2 of 5 - Description
      The rules have been analyzed for common elements. The number of rules that contain common elements
      is displayed on this page.
      Click Next >.

      Step 3 of 5 - Setting Criteria for Merging Rules
      Use this page to set the criteria for merging rules. Criteria for merging rules with common elements are set
      by choosing an action for each element. Actions are defined as follows:
      • Merge — Combine all values for the associated element when merging a rule with other rules.

      • Compare — Compare values for the associated element across all rules and merge rules only if values
        for the element are identical.

      • Ignore — Disregard values for the associated element in determining whether or not a rule can be
        merged with other rules.

      Any of these actions may be selected for the condition elements. Only Compare or Ignore can be selected
      for other elements.
      • Condition Elements — Use the fields in this area to define the criteria for each element type that is
        listed. The following elements are available:

         • Apply On

         • Services

         • Sources

         • Destinations

         • Source burbs

         • Destination burbs

         • Time periods

      • Firewalls — Use the fields in this area to determine the firewalls to which the merge instructions will
        apply. The following options are available:

         • Merge rules that are applicable to all firewalls — Indicates that the merge instructions will be
           applied to all of the firewalls. This is the default selection.

   • Merge rules that are applicable to the following firewalls — Indicates that the merge instructions
     will be applied only to the firewalls that you select in the table.

        To search for objects, use the filter field to control the number of objects that are displayed. To limit
        the search to exact matches of a specified sequence of characters that appears anywhere in the
        object name, specify one or more characters and press Enter. To perform an advanced search for
         an object, click the Advanced search button.

        Use the Find button to filter the objects in the column to display only those objects that match the
        character or sequence of characters that you have specified in this field.

• Other Elements — Use the fields in this area to determine the way that merge instructions will be applied
  to elements that are selected in the tree. The following fields are available in this area:

   • Denotes ignore — Determines whether the elements that are selected in the tree are ignored during
     the merge.

   • Denotes compare — Determines whether the elements that are selected in the tree are compared
     during the merge.
   • Ignore All — Select the checkboxes of all of the other elements in this area.

   • Compare All — Clear the checkboxes of all of the other elements in this area.

   • (Element tree) — Displays the elements and sub-elements of each rule in the tree. Select an element
     or a sub-element to ignore it during merge processing. The following categories of elements are
     included in this tree:

        • Basic Elements — This checkbox includes the following sub-elements:
          Table 20 Merge Rules Wizard: Basic Elements
           Basic Elements          Firewall-Specific Elements
           Enable Rule             General (including Content Inspection and Authentication)
           Audit Level             NAT
           Privileged Rules        Redirect
                                   Duration


        • Content Inspection — This checkbox includes the following sub-elements:
          • Application Defense

          • Inspection Level

          • IPS Settings
        • Authentication — This checkbox includes the following sub-element:
          • Authentication Settings
        • NAT — This checkbox includes the following sub-element:
          • NAT Settings
        • Redirect — This checkbox includes the following sub-element:
          • Redirect Settings
        • Duration — This checkbox includes the following sub-elements:
          • Initiation

          • Expiration

              • TrustedSource — This checkbox includes the following sub-elements:
                • TrustedSource Enabled

                • TrustedSource Reputation

      For more information about condition elements and other elements, see Configuring rules on page 533.
      After you have made your selections, click Next > to begin analyzing and combining rules with common
      elements.

      Step 4 of 5 - Merge Rules
      If there are candidates for merging rules in your rule set, the following tables are displayed on this page:
      • Merge Rule Groups — Use this table to view and configure the usage of individual rules in a merge rule
        group. A merge rule group includes the individual rules that are candidates for being merged to form the
        merge result rule that is displayed at the top of the group.

         Every merge rule group has a group header that contains information about the group: whether it is
         used, the number of the group, and the number of rules that belong to the group. If the color of the
         header is green or red, the merge rule group is used; if the color of the header is gray, it is not used.
         The color red indicates that the merge can possibly cause a policy change in the rule set. This can
         occur if services, sources, destinations, or time periods were selected to merge or ignore in Step 3 of 5
         - Setting Criteria for Merging Rules on page 552.

         Use the navigation controls at the top of the Merge Rules table to move among the merge groups.

         This table contains all of the information that the All Rules table contains, plus the following additional
         column:

         • Use — Determines whether to make changes to the merge rule groups. This column contains a
           checkbox that is selected for all of the merge rule groups and the rules that they contain. If you accept
           the merge result rule (by selecting this checkbox), the component rules will be deleted as indicated by
           strike-through text in the rules. If you clear the checkbox associated with a rule in a merge rule group,
           that rule will not be part of the merge and will not be deleted. The merge result rule will be
           re-generated, and the All Rules table will be updated.

              Rule numbers are the same in both of the tables so that you can easily locate a rule.
              Note: The only column in this table that can be modified is the Use column. All of the other columns are
              read-only.

              You can double-click a rule in the Merge Rule Groups table to display the Rule Details window, in
              which all of the information about this rule is displayed. This can be helpful because the tables in
              the Merge Rules Wizard do not display all of the configuration information for a rule. In this Rule
              Details window, you can make changes only to a merge result rule. The window will display existing
              rules in read-only mode.

      • All Rules — Use this table to view all of the rules in the rule set. Merge rule sets and merged rules that
        are targeted for merging have strike-through text and color to distinguish them from the other rules in
        the set. This table has the following columns:

         • Number — [Read-only] Displays the number of this rule in the rule set. You can change the sort order
           on this column.

         • Enabled — [Read-only] Displays the status of the Enabled rule checkbox for this rule, which indicates
           whether the rule is enabled. (This checkbox is located on the Rule Editor window or the Rule Details
           window.)

         • Name — [Read-only] Displays the label that is associated with the rule.

         • Apply On — [Read-only] Displays the firewalls to which the rule applies.

         • Last Updated — [Read-only] Displays the date on which the associated firewall was last updated.

   • Action — [Read-only] Indicates the way that packets that match the rule are handled. The following
     options are possible:

        • Allow — Indicates that packets that match this rule pass through the firewall without intervention.

        • Deny — Indicates that packets that match this rule are prohibited from passing through the firewall.

        • Drop — Indicates that packets that match this rule are silently dropped.
   • Services — [Read-only] Displays the network services to which the rule applies.

   • Sources — [Read-only] Displays the network sources to which the rule applies.

   • Destinations — [Read-only] Displays the network destinations to which the rule applies.

   • Time Periods — [Read-only] Displays the time periods during which the rule is in effect.

   • Source Burbs — [Read-only] Displays the source burbs to which the rule applies.

• Destination Burbs — [Read-only] Displays the destination burbs to which the rule applies.

After you have finished configuring the rules in all of the merge rule groups, click Next >.

Step 5 of 5 - Results
This page displays a summary of the merge settings. The following fields are available:
• Summary — Use the fields in this area to determine whether to back up the Control Center configuration
  before you proceed with the merge. This area also displays the results of the changes that you made in
  Step 3 of 5 - Setting Criteria for Merging Rules and Step 4 of 5 - Merge Rules.

   • Backup Control Center System before merging the rules — Determines whether to make a
     backup of the Control Center configuration before you actually perform the merge processing. The
     default value is cleared.

   • Number of Merges — [Read-only] Displays the number of merges that you have selected to perform.

   • Number of Deleted Rules — [Read-only] Displays the number of rules that you have selected for
     deletion.

   • Number of Rules — [Read-only] Displays the number of rules that have been defined on this
     Management Server.

   • New Rule Set — [Read-only] Displays the projected results of the merge process—that is, all of the
     rules that would exist after the wizard has merged the specified rules.

Review the rule set and decide whether you want to proceed with deleting the selected rules.
If there are no rules to be merged, click Close.
To commit your changes to the Control Center Management Server, click Finish. To close the wizard
without committing any changes, click Cancel.

      Deleting duplicate rules
      Use the Duplicate Rule Wizard to analyze your rule set and delete duplicate rules.

      Accessing this wizard
      In the Configuration Tool, from the Configuration menu, select Duplicate Rules Wizard. The Duplicate
      Rule Wizard is displayed.

      Steps
      This wizard has the following steps.
      • Step 1 of 4 - Description on page 556

      • Step 2 of 4 - Description on page 556

      • Step 3 of 4 - Delete Duplicate Rules on page 556

      • Step 4 of 4 - Results on page 557

      Step 1 of 4 - Description
      This page introduces you to the Duplicate Rules Wizard and identifies the users who are currently logged in.
      To analyze your existing rules, click Next >.

      Step 2 of 4 - Description
      The rules have been analyzed for duplication. The number of rules that contain duplicates is displayed on
      this page.
      If there are no duplicate rules, click Close to close this wizard.
      If there are duplicate rules, click Next > to continue with the wizard.

      Step 3 of 4 - Delete Duplicate Rules
      If there are duplicate rules in your rule set, this page displays the following tables:
      • Duplicate Rules — Use the table in this area to navigate through all of the duplicate rule groups by using
        the navigation buttons at the top of the table.

         For each duplicate rule group, each rule is displayed in this table. Rule numbers are the same in both
         tables so that you can easily locate a rule. The following columns are available:
              Note: The only column in this table that can be modified is the Delete column. All of the other columns are
              read-only.

         • Delete — Determines whether the rule is to be deleted. In each duplicate rule group, the checkbox
           that is associated with the first rule is cleared. By default, the checkbox that is associated with each of
           the other rules in the duplicate group is selected. Select all of the rules that you want to delete by
           selecting the associated Delete checkbox. When you select a row in the Duplicate Rules table, note
           that the same row is also selected in the All Rules table.

         • Enabled — Determines whether the rule is enabled.

         • Name — Displays the label associated with the rule.

         • Apply On — Displays the firewalls to which the rule applies.

         • Last Updated — Displays the date on which the associated firewall was last updated.

         • Action — Indicates the way in which packets matching the rule are handled. The following values are
           available:

              • Allow — Indicates that packets matching this rule pass through the firewall without intervention.

              • Deny — Indicates that packets matching this rule are prohibited from passing through the firewall.

               • Drop — Indicates that packets matching this rule are silently dropped.

   • Services — Displays the network services to which the rule applies.

   • Sources — Displays the network sources to which the rule applies.

   • Destinations — Displays the network destinations to which the rule applies.

   • Time Periods — Displays the time periods during which the rule is in effect.

• All Rules — Use the table in this area to view all of the rules in the rule set. Rules that contain
  strike-through text and color have been designated for deletion. Except for the Delete column, all of the
  other columns in this table are the same as those that are displayed in the Duplicate Rules area.

In either area, you can double-click a row in the table to display the Rule Details window, in which all of the
information about this rule is displayed. This can be helpful because the tables in the Duplicate Rule Wizard
do not display all of the configuration information for a rule.
Note: The Rule Details window is read-only.

Click Next > to continue with the wizard.

Step 4 of 4 - Results
This page displays a summary of the duplicate rule settings. The following fields are available:
• Summary — Use the fields in this area to determine whether to go ahead and commit the changes that
  you made in Step 3 of 4 - Delete Duplicate Rules on page 556 to the Control Center Management Server.

   • Old Number of Rules — [Read-only] Displays the original number of rules that existed before you
     ran this wizard.

   • Deleted Rules — [Read-only] Displays the number of rules that you have selected for deletion.

   • New Number of Rules — [Read-only] Displays the number of rules that are the result of committing
     this change to the Management Server.

   • New Rule Set — [Read-only] Displays the projected results of the duplicate rule deletion
     process—that is, all of the rules that would exist after the wizard has deleted the specified duplicate
     rules.

Review the rule set and decide whether you want to proceed with deleting the selected rules.
If there are no rules to be deleted, click Close. This is probably because you have cleared all of the Delete
checkbox selections that were made by default.
To commit your changes to the Control Center Management Server, click Finish. To close the wizard
without committing any changes, click Cancel.
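The Merge/Compare/Ignore criteria from Step 3 of the Merge Rules Wizard, the policy-change warning behind its red group header, and the default deletion selection of the Duplicate Rules Wizard, modelled in Python as an added example (not Control Center code). The rule set, object names, and the grouping and union semantics are constructed assumptions; the wizards' own algorithms are not published.

```python
"""Merge criteria (Merge / Compare / Ignore per condition element) and the policy
change check behind the Merge Rules Wizard's red group header, with duplicate rule
detection as the all-Compare special case. Added example with constructed rules;
the wizard's own algorithm is not published, so this is an interpretation."""
from dataclasses import dataclass
from itertools import product

# Condition elements listed in Step 3 of 5; each holds a frozenset of object names.
CONDITION_ELEMENTS = ("apply_on", "services", "sources", "destinations",
                      "source_burbs", "destination_burbs", "time_periods")

@dataclass
class Rule:
    number: int
    name: str
    action: str      # Allow, Deny or Drop
    elements: dict   # element name -> frozenset of object names

def make_rule(number, name, action, **elements):
    """Build a Rule, defaulting every unmentioned condition element to the empty set."""
    return Rule(number, name, action,
                {e: frozenset(elements.get(e, ())) for e in CONDITION_ELEMENTS})

def merge_groups(rules, criteria):
    """Group rules that may be merged under the criteria: identical action
    (assumption: Allow and Deny rules are never merged) and identical values for
    every element set to Compare. Merge and Ignore elements do not affect grouping."""
    groups = {}
    for rule in sorted(rules, key=lambda r: r.number):
        key = (rule.action,) + tuple(rule.elements[e] for e in CONDITION_ELEMENTS
                                     if criteria[e] == "Compare")
        groups.setdefault(key, []).append(rule)
    return [g for g in groups.values() if len(g) > 1]

def merge_result(group, criteria):
    """Merge result rule shown at the top of a merge rule group: Merge elements are
    the union of all values, Compare elements keep the shared value, Ignore
    elements take the first rule's value (assumption)."""
    merged = {e: (frozenset().union(*(r.elements[e] for r in group))
                  if criteria[e] == "Merge" else group[0].elements[e])
              for e in CONDITION_ELEMENTS}
    return Rule(group[0].number, "merge:" + ",".join(str(r.number) for r in group),
                group[0].action, merged)

def flows(rule):
    """Every (source, destination, service, time period) combination the rule matches."""
    return set(product(rule.elements["sources"], rule.elements["destinations"],
                       rule.elements["services"], rule.elements["time_periods"]))

def policy_change(group, merged):
    """Flows the merge result rule matches that no component rule matched. Non-empty
    means the merge widens policy, which is what the wizard warns about (red header)
    when sources, destinations, services or time periods are Merged or Ignored."""
    before = set().union(*(flows(r) for r in group))
    return flows(merged) - before

def assess(rules, criteria):
    """For each merge group: (component rule numbers, sorted list of flows added)."""
    report = []
    for group in merge_groups(rules, criteria):
        added = policy_change(group, merge_result(group, criteria))
        report.append(([r.number for r in group], sorted(added)))
    return report

def duplicates(rules):
    """Duplicate Rules Wizard view: a duplicate group is a merge group with every
    element Compared, so deleting all but the first rule never changes policy.
    Returns the rule numbers the wizard would select for deletion by default."""
    all_compare = {e: "Compare" for e in CONDITION_ELEMENTS}
    return [r.number for g in merge_groups(rules, all_compare) for r in g[1:]]

def make_criteria(**overrides):
    """Criteria dict with every element set to Compare except the given overrides."""
    return {**{e: "Compare" for e in CONDITION_ELEMENTS}, **overrides}

# Constructed rule set: four Allow rules for HTTP from the external to the internal burb.
COMMON = dict(apply_on=["fw1"], services=["HTTP"], source_burbs=["external"],
              destination_burbs=["internal"], time_periods=["always"])
RULES = [
    make_rule(1, "admin-to-web1", "Allow", sources=["admin_net"], destinations=["web1"], **COMMON),
    make_rule(2, "partner-to-web2", "Allow", sources=["partner_net"], destinations=["web2"], **COMMON),
    make_rule(3, "ops-to-web1", "Allow", sources=["ops_net"], destinations=["web1"], **COMMON),
    make_rule(4, "admin-to-web1-dup", "Allow", sources=["admin_net"], destinations=["web1"], **COMMON),
]

if __name__ == "__main__":
    for label, crit in (("merge sources+destinations", make_criteria(sources="Merge", destinations="Merge")),
                        ("merge sources only", make_criteria(sources="Merge"))):
        for numbers, added in assess(RULES, crit):
            print(f"{label}: group {numbers} -> {'red' if added else 'green'}; new flows: {added}")
    print("duplicate rules selected for deletion:", duplicates(RULES))
```

Merging sources and destinations of rules 1 to 4 admits three source/destination pairs that no original rule allowed (the red case), while merging sources alone keeps the flow set unchanged (the green case).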








           Viewing configuration information for duplicate rules
           Use the Rule Details window to view all configuration information for rules when you are using the Duplicate
           Rule Wizard.
  Figure 234 Rule Details window




           Accessing this window
           1 In the Configuration Tool, from the Configuration menu, select Duplicate Rules Wizard or the Merge
             Rules Wizard. The Duplicate Rule Wizard or the Merge Rules Wizard is displayed.

           2 For the Duplicate Rules Wizard, click Next > twice. The Delete Duplicate Rules page (Step 3 of 4) is
              displayed.
              or
               For the Merge Rules Wizard, click Next > three times. The Merge Rules page (Step 4 of 5) is displayed.

            3 Double-click a row in the All Rules table or the Duplicate Rules or Merge Rule Groups table, depending
               on the wizard that you are currently using. The Rule Details window is displayed.

       Fields and buttons
       The Rule Details window is almost exactly the same as the Rule Editor window, with the following
       exceptions:
       • Buttons. The Rule Details window has only the Close button as opposed to the OK and Cancel buttons
         on the Rule Editor window. Click Close to return to the Duplicate Rules Wizard or to the Merge Rules
         Wizard.

       • Editable fields. You cannot edit any of the fields on the Rule Details window.

       Therefore, to view more information about the fields on this window, see Configuring rules on page 533.



URL translation rules
       Use URL translation to configure your firewall to redirect inbound HTTP connections based on application
       layer data, rather than on transport layer data like conventional redirect rules. By examining the HTTP
       application layer data, the firewall determines the internal web server for which inbound requests are
       destined—even if multiple servers share the same external IP address.
       Use URL translation if your network environment matches one or more of the following scenarios:
       • You have multiple web sites that resolve by using DNS to a single IP on your firewall.

       • You have one or more web sites that contain resources that are hosted on different physical servers
         behind your firewall.


       Viewing your URL translation rules
       Use the URL Translation Rules page to view a complete list of the URL translation rules that have been
       defined on your system.
       To work with rules, right-click a rule or, from the Rules menu, select one of the following options:
       • Add New — Displays the URL Translation Rules Editor window, in which you can create a new URL
         translation rule.

       • Edit — Displays the URL Translation Rules Editor window, in which you can edit the highlighted URL
         translation rule.

       • Copy Rule — Create a copy of the highlighted URL translation rule.

       • Delete Rule — Delete the highlighted translation rule.
       • Move Up — Move the highlighted URL translation rule up one position on the page.

       • Move Down — Move the highlighted URL translation rule down one position on the page.
       Figure 235 URL Translation Rules page




       Accessing this page
       In the Configuration Tool, from the View menu, select URL Translation Rules.
       or
       Select the Policy group bar and double-click the URL Translation Rules node. The URL Translation Rules
       page is displayed.

      Columns
      The following columns appear on this page by default:
      • Rank — [Read-only] Displays the position of the URL translation rule in the rule set. You can change the
        position of this rule by highlighting the rule and clicking Move Up or Move Down on the toolbar (or from
        the Rules menu).

      • Name — [Read-only] Displays the name of this rule.

      • Apply On — [Read-only] Displays a comma-delimited list of firewalls to which this rule is mapped.

      • Burbs — [Read-only] Displays a comma-delimited list of burbs or burb groups to which this rule is
        mapped.

      • Original URL — [Read-only] Displays the URL to which inbound HTTP requests are sent for this rule. This
        is the value that is specified in the Matching URL field in the URL Translation Rules window.

      • Ports — [Read-only] Displays a comma-delimited list of custom ports that have been specified for the
        URL in the Original URL field.

      • Server — [Read-only] Displays the name of the server that corresponds to the internal web server to
        which connections that match this rule should be directed. This is the value that was specified in the
        Server Address field in the URL Translation Rules Editor window.

      • New URL — [Read-only] Displays the name of the URL that should replace the destination URL that is
        displayed in the Original URL field on this page.

      • Description — [Read-only] Displays the user-defined description of this rule.


      Configuring URL translation rules
      Use the URL Translation Rules Editor window to configure your firewall to redirect inbound HTTP
      connections based on application layer data, rather than on transport layer data as conventional
      redirect rules do. By examining the HTTP application layer data, the firewall determines the internal web
      server for which inbound requests are destined, even when multiple servers share the same external
      IP address.
      Use URL translation if your network environment matches one or more of the following scenarios:
      • You have multiple web sites that resolve to a single IP address on your firewall by using DNS.
      • You have one or more web sites that contain resources that are hosted on different physical servers
        behind your firewall.

      If URL translation is enabled on an internet-facing burb, inbound HTTP requests are handled as follows:
      1 An inbound HTTP request reaches the firewall. The TCP connection must be destined for an IP address
         that is assigned to the firewall.

      2 The firewall examines the HTTP request’s application layer data and compares it to the defined URL
         translation rules to determine the internal web server to which the request should be sent.

      3 If you select the Rewrite URL checkbox, the firewall rewrites the application data in the HTTP request as
         configured, so that it conforms to the requirements of the internal web server.

      4 Based on the IP address of the destination web server that was determined in step 2, a policy rule match
         is performed.

      5 If a policy rule is matched, the connection is redirected to the internal web server.
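The five-step handling of an inbound HTTP request described above, modelled in Python as an added example (not the firewall's code). The host, path prefix and port matching, the first-match ordering by rank, and every address, rule name and request are constructed assumptions.

```python
"""Inbound HTTP handling under URL translation (steps 1 to 5), modelled as an added
example. Rules, addresses and requests are constructed for illustration and are not
Control Center data; the product's own matching logic is not published."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class URLTranslationRule:
    rank: int                  # position in the rule set; lower rank is tried first
    name: str
    matching_host: str         # host part of the Matching URL (Original URL column)
    matching_path: str         # path prefix of the Matching URL; "/" matches every path
    ports: frozenset           # custom ports for the Original URL; empty means 80 (assumption)
    server_address: str        # internal web server the connection is directed to
    rewrite_url: bool          # state of the Rewrite URL checkbox
    new_path: Optional[str]    # replaces matching_path in the request when rewrite_url is set

@dataclass(frozen=True)
class PolicyRule:
    name: str
    action: str                # "Allow", "Deny" or "Drop"
    services: frozenset
    destinations: frozenset    # internal server addresses

@dataclass(frozen=True)
class InboundRequest:
    dst_ip: str                # address the client's TCP connection was made to
    dst_port: int
    host_header: str           # Host header exactly as the client sent it
    path: str

@dataclass(frozen=True)
class Outcome:
    translation_rule: Optional[str]
    server_address: Optional[str]
    path: str                  # path as forwarded to the server (rewritten if requested)
    policy_rule: Optional[str]
    action: str                # "Redirect", "Deny", "Drop" or "NoMatch"

FIREWALL_ADDRESSES = frozenset({"203.0.113.10"})   # constructed external firewall address

def host_only(host_header: str) -> str:
    """Normalise a Host header: lower-case and strip an explicit ':port' suffix."""
    host = host_header.strip().lower()
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def match_translation(request, rules):
    """Step 2: try rules in rank order; the first whose host, path prefix and port all
    match decides the internal server. Rank matters: a catch-all "/" rule ranked above
    a more specific path would capture every request for that host."""
    host = host_only(request.host_header)
    for rule in sorted(rules, key=lambda r: r.rank):
        ports = rule.ports or frozenset({80})
        if (host == rule.matching_host.lower()
                and request.path.startswith(rule.matching_path)
                and request.dst_port in ports):
            return rule
    return None

def match_policy(server_address, policy_rules):
    """Step 4: first policy rule whose destinations include the chosen server and
    whose services include HTTP (first-match semantics are an assumption)."""
    for rule in policy_rules:
        if server_address in rule.destinations and "HTTP" in rule.services:
            return rule
    return None

def handle_inbound(request, translation_rules, policy_rules):
    # Step 1: only connections to an address assigned to the firewall are considered.
    if request.dst_ip not in FIREWALL_ADDRESSES:
        return Outcome(None, None, request.path, None, "NoMatch")
    rule = match_translation(request, translation_rules)                # step 2
    if rule is None:
        return Outcome(None, None, request.path, None, "NoMatch")
    path = request.path
    if rule.rewrite_url and rule.new_path is not None:                   # step 3
        path = rule.new_path + request.path[len(rule.matching_path):]
    policy = match_policy(rule.server_address, policy_rules)             # step 4
    if policy is None:
        return Outcome(rule.name, rule.server_address, path, None, "NoMatch")
    action = "Redirect" if policy.action == "Allow" else policy.action   # step 5
    return Outcome(rule.name, rule.server_address, path, policy.name, action)

# Constructed rule set: two sites behind one external address, one resource path hosted
# on a separate server (with a rewrite), and an intranet host that policy denies.
TRANSLATION_RULES = [
    URLTranslationRule(1, "www-images", "www.example.com", "/images/", frozenset(),
                       "10.0.0.12", True, "/static/"),
    URLTranslationRule(2, "www-main", "www.example.com", "/", frozenset(),
                       "10.0.0.11", False, None),
    URLTranslationRule(3, "intranet", "intranet.example.com", "/", frozenset({8080}),
                       "10.0.0.13", False, None),
]
POLICY_RULES = [
    PolicyRule("allow-web", "Allow", frozenset({"HTTP"}), frozenset({"10.0.0.11", "10.0.0.12"})),
    PolicyRule("deny-intranet", "Deny", frozenset({"HTTP"}), frozenset({"10.0.0.13"})),
]
```

A request for /images/logo.png on www.example.com is sent to 10.0.0.12 as /static/logo.png, while a request to an address that is not assigned to the firewall, or on a port the rule does not list, is not translated at all.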








     Figure 236 URL Translation Rule Editor window with the advanced fields displayed (after clicking Advanced >>)




            Accessing this window
            1 In the Configuration Tool, from the View menu, select URL Translation Rules.
              or
              Select the Policy group bar and double-click the URL Translation Rules node. The URL Translation Rules
              page is displayed.

            2 Select either     (Add New Rule) or      (Edit Rule) in the toolbar or from the Rules menu. The URL
               Translation Rule Editor window is displayed.

            Fields and buttons
            This window has the following fields and buttons:
            • Name — Specify a descriptive name for this rule.

               Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ).
               However, the first and last character of the name must be alphanumeric. The name cannot exceed 256
               characters. You can rename the rule later.

            • Description — Specify any useful information about this rule.

            • Apply on — Specify firewalls, clusters, or device groups to which the URL translation rule applies.
              Double-click any object in this list (except generic objects such as ALL FIREWALLS) to open it in the
              respective object window. (For example, if you double-clicked a firewall, the Firewall window is displayed.)

               To search for objects, use the filter field to control the number of objects that are displayed. To limit
               the search to exact matches of a specified sequence of characters that appears anywhere in the object
               name, specify one or more characters and press Enter. To perform an advanced search for an object,
               click    (Advanced search).




      • Source — Use the fields in this area to select burbs or burb groups where the clients that generate the
        inbound HTTP requests are located and to configure HTTP matching parameters. You can either specify
        the entire URL in the Matching URL field or you can build the URL from its attributes by using the fields
        in the Matching URL attributes area.

         • Burbs — Specify the burb or burb groups where the clients that generate the inbound HTTP requests
           are located. You can select one or more burbs or one or more burb groups. Click the down arrow. The
           following options are available:

             • Selected Burbs — Specify one or more burbs selected from associated list.

             • Selected Burb Groups — Specify one or more burb groups selected from associated list.

         • Matching URL — Select this option to configure the URL that this rule should match. This URL contains
           all of the attributes and it must be a valid URL format.

              To specify a custom port, add the port to the end of the URL (for example, http://example.net:3128
              where 3128 is the port number). To specify multiple ports to match, use the Port field in the
              Matching URL attributes area on the advanced page.

              You can also add a path prefix that will be added after the port (for example,
              http://example.net:3128/myDirectory where /myDirectory is the path prefix).

             The values in the Host, Port, and Path Prefix fields in the Matching URL attributes area will
             automatically match the value that you are specifying in this field.

         • Matching URL attributes — [Available only if you have clicked the Advanced >> button at the
           bottom of this window] Select this option to build the URL by specifying the values in attributes for the
           URL.

             • Host — Specify the host to be used to match inbound HTTP requests.

             • Port — Specify the port or ports to be used to match inbound HTTP requests. Specify multiple ports
               in a comma-delimited list.

             • Path prefix — Specify the path prefix to be used to match inbound HTTP requests.

      • Destination — Use the fields in this area to select or create an IP address object that corresponds to the
        internal web server to which connections matching this rule should be redirected. You can either specify
        the entire URL in the New URL field or you can build the URL from its attributes by using the fields in the
        New URL attributes area.

         • Server address — Specify the IP address object that corresponds to the internal web server to which
           connections that match this rule should be redirected.

             To search for objects, use the filter field to control the number of objects that are displayed. To limit
             the search to exact matches of a specified sequence of characters that appears anywhere in the
             object name, specify one or more characters and press Enter. To perform an advanced search for
             an object, click     (Advanced search).

              To view a list of objects that you can add, click (Add).

             To add an object, click     (Add) to display the Network Object Manager window for the type of
             object that you are adding.

         • Rewrite URL — Determines whether the inbound HTTP request is translated so that it matches the
           host name and path structure of the internal Web server. This checkbox applies to the values that were
           specified in either the Matching URL field or in the Matching URL attributes fields. If you clear this
           checkbox, the New URL and New URL attributes fields are not available.
             Note: Path information beyond the matching URL path prefix in the HTTP request is not affected by
             selecting this checkbox.




           • New URL — Select this option to configure the URL that will replace the value that was specified in
             the Matching URL field. This URL contains all of the attributes and it must be a valid URL format.

               To keep the other attributes and to change only the port from the value that was specified in the
               Matching URL field, clear the Maintain original port checkbox. This also changes the value of the
               destination Port field in the New URL attributes area to <Maintain original port> and it cannot be
               edited while this checkbox is selected.
                Note: The firewall does not modify hyperlinks in HTML files. Therefore, whenever possible, the Web
                servers behind the firewall that performs the URL translation should use relative links. The firewall
                does translate the Location header in 3xx redirection server status codes.

           • New URL attributes — [Available only if you have clicked the Advanced >> button at the bottom of
             this window] Select this option to build the URL by specifying the values in attributes for the URL.

               • Host — Specify the host to be used to rewrite the URL.

               • Port — Specify the port to be used to rewrite the URL.

               • Path prefix — Specify the path prefix to be used to rewrite the URL.

       • Advanced >> — Click this button to view the Matching URL attributes and New URL attributes fields.
         If you are using the Matching URL or New URL fields, you do not need to click this button. However, to
         specify multiple ports, you must click Advanced >> to be able to specify the values in the Port field in
         the Matching URL attributes area.

       • Collapse << — [This button is available only after you have clicked the Advanced >> button.] Click this
         button to hide the Matching URL attributes and New URL attributes fields.

       • OK — Save the changes in this window.

       • Cancel — Close this window without saving any changes.
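The matching and rewriting behaviour described in the processing steps and in the Matching URL, New URL, Maintain original port and Rewrite URL fields above, as an added Python example. It is not Control Center or firewall code: the `UrlTranslationRule` class, the sample rules, the internal server addresses and host names are constructed for illustration, and it assumes that an omitted port means 80, that rules are tried in list order, and that a path prefix matches only on a "/" boundary.

```python
"""Added example (not McAfee code): how URL translation rules select an internal
web server from HTTP application-layer data and rewrite the request/response.
Rule fields mirror the Rule Editor: Matching URL (host, port(s), path prefix),
Destination server address, Rewrite URL, New URL and Maintain original port.
Assumptions: an omitted port means 80; rules are tried in list order; a path
prefix matches only on a '/' boundary ('/docs' matches '/docs/x', not '/docsX')."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple
from urllib.parse import urlsplit, urlunsplit

DEFAULT_HTTP_PORT = 80


def parse_url_parts(url: str) -> Tuple[str, int, str]:
    """Split a Matching URL or New URL into (host, port, path prefix)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError(f"not a valid http URL: {url!r}")
    return parts.hostname, parts.port or DEFAULT_HTTP_PORT, parts.path.rstrip("/")


def split_host_header(host_header: str) -> Tuple[str, int]:
    """'www.example.net:3128' -> ('www.example.net', 3128); urlsplit handles IPv6 literals."""
    parts = urlsplit("//" + host_header)
    if not parts.hostname:
        raise ValueError(f"bad Host header: {host_header!r}")
    return parts.hostname, parts.port or DEFAULT_HTTP_PORT


def _prefix_matches(path: str, prefix: str) -> bool:
    return not prefix or path == prefix or path.startswith(prefix + "/")


@dataclass(frozen=True)
class UrlTranslationRule:
    name: str
    matching_url: str                            # Matching URL field
    server_address: str                          # Destination > Server address (internal web server)
    match_ports: Optional[Sequence[int]] = None  # Port field (comma-delimited list) on the advanced page
    rewrite_url: bool = False                    # Rewrite URL checkbox
    new_url: Optional[str] = None                # New URL field (used only when rewrite_url is set)
    maintain_original_port: bool = True          # Maintain original port checkbox

    def matching_parts(self) -> Tuple[str, Tuple[int, ...], str]:
        host, port, prefix = parse_url_parts(self.matching_url)
        ports = tuple(self.match_ports) if self.match_ports else (port,)
        return host, ports, prefix

    def new_parts(self) -> Tuple[str, int, str]:
        if not self.new_url:
            raise ValueError(f"rule {self.name!r}: Rewrite URL is set but New URL is empty")
        return parse_url_parts(self.new_url)


def select_rule(rules, host_header, request_path):
    """Step 2: first rule (list order, assumed) whose host, port and path prefix match."""
    host, port = split_host_header(host_header)
    for rule in rules:
        m_host, m_ports, m_prefix = rule.matching_parts()
        if host == m_host and port in m_ports and _prefix_matches(request_path, m_prefix):
            return rule
    return None


def translate_request(rule, host_header, request_path):
    """Step 3: return (internal server address, Host header, path) to forward.
    Only the matched prefix is replaced; path information beyond it is left as is."""
    if not rule.rewrite_url:
        return rule.server_address, host_header, request_path
    _, port = split_host_header(host_header)
    _, _, m_prefix = rule.matching_parts()
    n_host, n_port, n_prefix = rule.new_parts()
    if rule.maintain_original_port:
        n_port = port
    new_path = n_prefix + request_path[len(m_prefix):] or "/"
    new_host = n_host if n_port == DEFAULT_HTTP_PORT else f"{n_host}:{n_port}"
    return rule.server_address, new_host, new_path


def translate_location(rule, location):
    """Translate an absolute Location header of a 3xx response back to the external
    form. Hyperlinks inside HTML bodies are not touched, as the note above says."""
    if not rule.rewrite_url:
        return location
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        return location                       # relative redirect: nothing to translate
    m_host, m_ports, m_prefix = rule.matching_parts()
    n_host, _, n_prefix = rule.new_parts()
    if parts.hostname != n_host or not _prefix_matches(parts.path, n_prefix):
        return location
    port = (parts.port or DEFAULT_HTTP_PORT) if rule.maintain_original_port else m_ports[0]
    netloc = m_host if port == DEFAULT_HTTP_PORT else f"{m_host}:{port}"
    path = m_prefix + parts.path[len(n_prefix):] or "/"
    return urlunsplit(("http", netloc, path, parts.query, parts.fragment))


# Constructed sample rules, most specific first; addresses and names are not real.
SAMPLE_RULES = (
    UrlTranslationRule("docs", "http://www.example.net/docs", "10.1.1.20",
                       rewrite_url=True, new_url="http://docs.internal/"),
    UrlTranslationRule("www", "http://www.example.net", "10.1.1.10", match_ports=(80, 3128)),
)


def handle_request(rules, host_header, request_path):
    """Steps 2 and 3 for one inbound request; None when no rule matches."""
    rule = select_rule(rules, host_header, request_path)
    return None if rule is None else translate_request(rule, host_header, request_path)


if __name__ == "__main__":
    print(handle_request(SAMPLE_RULES, "www.example.net", "/docs/index.html"))
    print(handle_request(SAMPLE_RULES, "www.example.net:3128", "/products"))
    print(translate_location(SAMPLE_RULES[0], "http://docs.internal/guide/"))
```

The "docs" rule shows the rewrite path: the matched prefix /docs is dropped, the Host header becomes the internal name, and a redirect issued by the internal server is mapped back to the external name and prefix. The "www" rule shows a plain redirect that matches on two ports and leaves the request untouched.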



Alert processing rules
       When you are managing multiple firewalls, similar alerts that are generated from different firewalls can be
       difficult to distinguish. Alert processing rules are used to evaluate every firewall alert that is being sent to
       the Management Server to determine the way that the alert will be reported in the Reporting and
       Monitoring Tool. Additionally, several different types of Management Server alerts are also captured and
       displayed.
       Similar to other processing rules, the alerts that are being sent to the Management Server from the
       firewalls are evaluated by the alert processing rules from top to bottom. The first processing rule that
       matches the characteristic and condition requirements for the incoming alert is reported in the way in which
       it has been defined by the rule.
       To ensure that all alerts are reported, the last processing rule in the list of rules is generic enough to catch
       and report any alerts that are not characterized by any of the preceding processing rules.
       The following main alert processing rule management components are available to assist you:
       • Alert Processing Rules page — The table on this page displays all of the alert processing rules that are
         currently defined. For more information, see Viewing alert processing rules on page 564.

       • Alert Processing Rule window — Each processing rule defines alert actions, such as triggering an
         e-mail message, to associate with the alert. For more information, see Modifying pre-defined alert
         processing rules on page 565.
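The top-to-bottom, first-match evaluation and the catch-all last rule described above, as an added Python example; it is not Control Center code. The rule condition (an alert type plus a shell-style pattern on the alert name), the `check_rule_list` ordering check, and the sample rules, addresses and alert names are constructed for illustration.

```python
"""Added example (not McAfee code): top-to-bottom, first-match evaluation of alert
processing rules, with a check that the last rule is a catch-all. Rule matching is
simplified to an alert type ('Firewall' / 'ManagementServer', or None for any) plus
a glob on the alert name; sample rules, addresses and alert names are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    source_type: str   # value of the Type column: 'Firewall' or 'ManagementServer'
    source: str        # firewall name, or the Management Server
    name: str          # alert name as it is displayed


@dataclass(frozen=True)
class AlertProcessingRule:
    name: str
    source_type: Optional[str] = None   # None matches any type
    name_pattern: str = "*"             # shell-style glob on the alert name
    alarm: bool = False                 # alarm action
    sendmail: Optional[Dict] = None     # mail action: receivers and supplemental message
    snmp_trap: Optional[Dict] = None    # SNMP trap action: host, version, trap type

    def matches(self, alert: Alert) -> bool:
        return (self.source_type in (None, alert.source_type)
                and fnmatchcase(alert.name, self.name_pattern))

    def is_catch_all(self) -> bool:
        return self.source_type is None and self.name_pattern == "*"

    def covers(self, other: "AlertProcessingRule") -> bool:
        """True when every alert matched by `other` is also matched by this rule
        (conservative: only the obvious 'any type' / '*' generalisations are detected)."""
        type_ok = self.source_type is None or self.source_type == other.source_type
        name_ok = self.name_pattern == "*" or self.name_pattern == other.name_pattern
        return type_ok and name_ok

    def actions(self) -> List[str]:
        """Contents of the Alert Actions column for this rule."""
        return [label for label, on in (("alarm", self.alarm), ("sendmail", self.sendmail),
                                        ("snmp trap", self.snmp_trap)) if on]


def evaluate(rules, alert):
    """Return the first rule, top to bottom, that matches the alert."""
    for rule in rules:
        if rule.matches(alert):
            return rule
    raise LookupError(f"no rule matched {alert.name!r}; the last rule should be a catch-all")


def check_rule_list(rules):
    """Report ordering problems: a rule shadowed by an earlier, more general one, and
    a missing catch-all at the end (alerts would otherwise go unreported)."""
    problems = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                problems.append(f"{later.name!r} can never match: shadowed by {earlier.name!r}")
                break
    if not rules or not rules[-1].is_catch_all():
        problems.append("last rule is not a catch-all; some alerts would not be reported")
    return problems


# Constructed sample rule list: specific rules first, generic catch-all last.
SAMPLE_RULES = (
    AlertProcessingRule("License failure", "Firewall", "License*",
                        sendmail={"receivers": ["fw-admins@example.com"],
                                  "message": "check the firewall license"}),
    AlertProcessingRule("Management Server", "ManagementServer",
                        snmp_trap={"host": "192.0.2.10", "version": "v3",
                                   "trap": "Enterprise Specific"}),
    AlertProcessingRule("Default", alarm=True),   # catch-all: any type, any name
)


if __name__ == "__main__":
    for alert in (Alert("Firewall", "fw-east", "License expired"),
                  Alert("ManagementServer", "cc", "Backup failed"),
                  Alert("Firewall", "fw-west", "Disk full")):
        rule = evaluate(SAMPLE_RULES, alert)
        print(f"{alert.name!r:20} -> {rule.name!r}: {', '.join(rule.actions())}")
    print(check_rule_list(tuple(reversed(SAMPLE_RULES))))
```

Running `check_rule_list` on a reversed list shows why order matters: with the catch-all first, every later rule is shadowed and the list no longer ends in a catch-all.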




      Viewing alert processing rules
      Use the Alert Processing Rules page to view all of the alert processing rules that are available. For more
      information about alert processing rules, see Alert processing rules on page 563.
      The alert actions are defined by using the Alert Processing Rule window.
      Figure 237 Alert Processing Rules page




      Accessing this page
      In the Configuration Tool, from the View menu, select Alert Processing Rules. The Alert Processing Rules
      page is displayed.

      Columns
      This page has the following columns that are all read-only:
      • Name — Displays the administrator-defined name associated with the alert processing rule.

      • Alert Actions — If an event satisfies the condition, this column value displays the actions that are to be
        performed. There are three types of actions:

          • alarm — Indicates whether an alarm is sounded when the alert is generated.

          • sendmail — Indicates whether an e-mail is sent from the defined sender to the defined receivers using
            the defined subject and message.

          • snmp trap — Indicates whether a Simple Network Management Protocol (SNMP) trap is sent when the
            alert is generated.




• Type — Displays the type of alert that is specified in the Name field. The following values are available:
  Firewall and ManagementServer.


Modifying pre-defined alert processing rules
Use the Alert Processing Rule window to edit the pre-defined alert processing rules that manage the way in
which alerts that are sent from the managed firewalls or from the Management Server are reported by the
Reporting and Monitoring Tool. For more information about processing alerts, see Alert processing rules on
page 563.
Figure 238 Alert Processing Rule window




Accessing this window
1 In the Configuration Tool, from the View menu, select Alert Processing Rules. The Alert Processing
  Rules page is displayed.

2 Double-click a specific rule.
    or
    In the toolbar, click  (Edit Rule).
    The Alert Processing Rule window is displayed.




      Fields and buttons
      This window has the following fields and buttons:
      • Name — Displays the name that is associated with the alert processing rule.

      • SNMP Trap Action — Use the fields in this area to enable and configure an SNMP trap action to associate
        with this alert processing rule.

          • Enabled — Determines whether to enable the SNMP trap action. The default value is cleared. If you
            select this checkbox, you must also select the SNMP Version in the SNMP Version field.

          • SNMP Version — Specify the version of SNMP that you are using for this rule.

          • Host IP address — Specify the IP address of the host to which the SNMP Trap message will be sent.

          • Community — [Available only if SNMP Trap v1 or SNMP Trap v2c is selected in the SNMP Version
            field] Specify the name of the community that is authorized to retrieve information. This is the
            management station (manager) and the nodes that it will manage.

          • Security Name — [Available only if SNMP Trap v3 is selected in the SNMP Version field] Specify the
            name of the user.

          • Trap — Specify the type of trap that will be used if this SNMP Trap action is enabled (that is, the
            Enabled checkbox is selected). The following values are available:

              • Cold Start (the default value)

              • Warm Start

              • Link Down

              • Link Up

              • Authentication Failure

              • EGP Neighbor Loss

              • Enterprise Specific

              • Specific — If you select this value, you must also set the value.

          • Use Default Message — Determines whether the server will send the default message as the
            message attribute (Alert body) of the Trap. If this is cleared, the Message field is available so that you
            can provide your own message text.

          • Message — Specify the message that will be sent as the message attribute of this trap.

          • Authentication Protocol — [Available for SNMP Trap v3 only] Specify the authentication protocol to
            use for this rule. Valid values are MD5 and SHA, where MD5 is the default value.

          • Authentication Key — [Available for SNMP Trap v3 only] Specify the authentication key that is
            required to authenticate the user. To copy the contents of a file into this field, click to navigate to
            the file and then click Open. The contents are copied into this field.

          • Privacy Protocol — [Available for SNMP Trap v3 only] Specify the encrypted privacy protocol to use
            for this rule. Valid values are DES, AES128, AES192, and AES256, where DES is the default value.

          • Private Key — [Available for SNMP Trap v3 only] Specify the encrypted private key that is required
            to authenticate the user. To copy the contents of a file into this field, click to navigate to the file
            and then click Open. The contents are copied into this field.




• Mail Action — Use the fields in this area to configure an e-mail notice that can be sent to one or more
  recipients. This e-mail provides notification that an alert has occurred that matches the processing
  requirements stated in this rule.

    • Enabled — Determines whether to enable the mail action, which also enables the remaining fields in
      this area.

    • Receiver Email(s) — Specify one or more receiver e-mail addresses in the following format:
      recipient@domain.tld.

        Use a space ( ) to separate multiple address recipients.

    • Supplemental Message — Specify the content of the message.

    • Include alert event details in message — Determines whether to include details about the alert
      event in the e-mail message. This checkbox is selected by default.

• Alarm Action — Use the fields in this area to configure the alarm that sounds when the alert is generated.

    • Enabled — Determines whether to enable the alarm action.

    • Alarm Sound — Specify the sound of an alarm that has been defined in the Alarm Sound Mapping
      window.

• OK — Save the changes in this window.

• Cancel — Close this window without saving any changes.


Assigning priority levels to alerts
Use the Priority Mappings window to set the reported priority level of the associated alert. All predefined
alerts have an assigned alert priority that can be changed by using this window.
Figure 239 Priority Mappings window




Accessing this window
In the Configuration Tool, from the Configuration menu, select Priority Mappings…. The Priority
Mappings window is displayed.




      Fields and buttons
      This window has the following fields and buttons:
      • New Mapping — Use the fields in this area to specify a new mapping and priority level. The following
        fields are available:

         • Name — Specify the name of the new priority mapping. This is the alert name that is assigned to the
           alert when a custom alert is defined. The content of Name field must match exactly the displayed
           content of the alert or the priority setting will have no effect on the displayed priority for the associated
           alert.

         • Priority — Specify the priority of the alert when it is displayed in the Reporting and Monitoring Tool.
           The following table lists the priorities.
             Table 21 Alert priorities
              Priority            Alert Color
              Critical
              High
              Low
              Warning
              Information         <transparent>


      • Name — Displays the displayed alert content that is associated with this mapping.

      • Priority — Specify the priority to be assigned to the alert when it is displayed in the Reporting and
        Monitoring Tool. You can select a new value.

      • Add — Add the new mapping to the list.

      • OK — Save the changes made on this window.

      • Cancel — Close this window without saving any changes.



SSH known hosts
      You can configure the SSH proxy to decrypt SSH traffic, perform content inspection, and then re-encrypt
      the traffic before sending it to its destination.
      To decrypt and re-encrypt the SSH traffic, the proxy acts like a server when it communicates with the
      client, and acts like a client when it communicates with the server. Therefore, the proxy must maintain two
      databases:
      • A known hosts database to store SSH server keys

      • A database of SSH server keys to present to clients

      The known hosts database and the server keys are both managed on the SSH proxy agent.
      For more information, see “Services” chapter of the McAfee Firewall Enterprise (Sidewinder) Administration
      Guide.




       Configuring strong known host associations
       Use the SSH Known Hosts window to manage the database of strong known host associations. This list
       includes only those SSH known host keys with strong trust levels across all firewalls.
Figure 240 SSH Known Hosts window




       Accessing this window
       1 In the Configuration Tool, select the Policy group bar.

       2 Double-click the SSH Known Hosts node. The SSH Known Hosts window is displayed.

       Fields and buttons
       This window has the following fields and buttons:
       • Apply On — [Read-only] Displays the name of a specific firewall or ALL FIREWALLS to indicate the
         firewall or firewalls on which this known host key is to be applied.
       • IP Address — [Read-only] Displays the IP address of the SSH server.

       • Port — [Read-only] Displays the port on which the SSH server is listening.

       • Retrieved From — [Read-only] Displays the firewall from or through which the key was obtained. If a
         key was manually specified, a blank value is displayed.

       • Key Type — [Read-only] Displays the type of SSH key that the SSH server presents. Valid values are
         RSA or DSA.

       • Fingerprint — [Read-only] Displays the fingerprint that the SSH server presents. A fingerprint is a
         hashed (shortened) version of the host key.

       • Delete — Delete the known host association in the row in which you click x (Delete).

       • OK — Saves the changes that were made in this window.

       • Cancel — Close this window without saving any changes.

       • Add Known Host — Displays the Add SSH Known Host window, in which you can add known host keys.
         All known host keys that you add in that window will have strong trust levels.




      • Manage Known Hosts — Displays the Manage Known Hosts window, in which you can view known host
        keys with weak trust levels for a specific firewall.


      Creating strong SSH known host keys
      Use the Add SSH Known Host window to add strong SSH known host keys.
      Figure 241 Add Known Hosts window




      Accessing this window
      1 In the Configuration Tool, select the Policy group bar.

      2 Double-click the SSH Known Hosts node. The SSH Known Hosts window is displayed.

      3 Click Add Known Host. The Add SSH Known Host window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • IP address — Specify the IP address of the SSH server for which you are defining this known host key.

      • Port — Specify the port on which the SSH server is listening.

      • Key type — Specify the encryption format to be used when signing the certificate.

         • RSA — This format is faster when verifying signatures. It is the most commonly used encryption and
           authentication algorithm.

         • DSA — This format is faster when generating signatures.

      • Apply on — Specify the firewall on which you want to apply this SSH known host key. You can also select
        ALL FIREWALLS to apply this key to all firewalls.

      • Retrieve the SSH Key via a request from a firewall — Determines whether to retrieve the key from
        the server by using a firewall request.

         • Firewall — Specify the name of the firewall to use for this retrieval.



      • Retrieve key — Perform the retrieval. If the retrieval is successful, the data is displayed in the Key
        field and the fingerprint is displayed in the Fingerprint field. Click OK. The new SSH known host key
        is added to the list on the SSH Known Hosts window.

   • Manually enter the SSH Key — Determines whether to manually paste the host key data from another
     source or to specify it manually. You can also generate a fingerprint for this SSH key.

      • Key — Specify the host key value. If you have specified a new SSH key or edited a retrieved one, click
        Calculate to create or update the fingerprint and then click OK to add this key to the list on the SSH
        Known Hosts window.

      • Fingerprint — [Read-only] Displays the fingerprint of the SSH key.

   • OK — Save the changes in this window.

   • Cancel — Close this window without saving any changes.


   Configuring host associations
   Use this window to delete weak associations from the firewall or to promote weak associations to strong
   associations.
Figure 242 Manage Known Hosts window




   Accessing this window
   1 In the Configuration Tool, select the Policy group bar.

   2 Double-click the SSH Known Hosts node. The SSH Known Hosts window is displayed.

   3 Click Manage Known Hosts. The Manage SSH Known Hosts window is displayed.

   Fields and buttons
   This window has the following fields and buttons:
   • Firewall — Specify the name of the firewall from which to retrieve weak associations and click Retrieve
     Weak Associations. You can then either promote the weak associations to strong ones or you can delete
     them.

   • Promote to Strong — Determines whether to promote a weak association to a strong one. If this is
     selected, when you click OK, this association will be displayed on the SSH Known Hosts window, along
     with the other strong associations.

   • Address — [Read-only] Displays the SSH server IP address that is stored on the firewall.

   • Port — [Read-only] Displays the port on which the SSH server is listening.

   • Key type — [Read-only] Displays the type of SSH key that the SSH server presents. Values are RSA and
     DSA.

   • Fingerprint — [Read-only] Displays the fingerprint that the SSH server presents.




      • Delete — Click x (Delete) in the row that you want to delete. The weak association is deleted from the
        firewall.

      • Apply promoted associations to all firewalls — Determines whether the promoted associations
        selected are applied to all firewalls or only to the one selected in the Firewall field above.

      • OK — Save the changes in this window.

      • Cancel — Close this window without saving any changes.
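The fingerprint calculation behind the Calculate button in the Add SSH Known Host window, and the strong and weak known host associations with promotion described in this section, as an added Python example; it is not firewall or Control Center code. The RSA parameters, addresses and firewall names are constructed, the OpenSSH-style SHA256 and MD5 fingerprint formats are an assumption about what the Fingerprint field shows, and the match/weak/unknown/mismatch verdicts of `check_presented_key` are an assumed policy, not the proxy's documented behaviour.

```python
"""Added example (not McAfee code): computing an SSH host-key fingerprint from an
OpenSSH public-key line and keeping a known-hosts database with strong and weak
trust levels, including promotion of a weak association to a strong one.
The sample RSA key below is constructed for illustration and is not a real key;
the 'match / weak / unknown / mismatch' verdicts are an assumed policy."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRONG, WEAK = "strong", "weak"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # Big-endian two's complement: a leading zero byte keeps a positive value positive.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_host_key_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key (RFC 4253, section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_openssh_public_key(line: str) -> Tuple[str, bytes]:
    """Parse '<type> <base64 blob> [comment]' as it would be pasted into the Key field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key type> <base64 key data>'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type prefix does not match the type inside the key data")
    return key_type, blob


def is_well_formed_key_line(line: str) -> bool:
    try:
        parse_openssh_public_key(line)
        return True
    except (ValueError, struct.error):
        return False


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Older colon-separated hex MD5 fingerprint, still shown by many tools."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


@dataclass
class KnownHost:
    address: str
    port: int
    key_type: str
    fingerprint: str
    trust: str                   # STRONG or WEAK
    retrieved_from: str = ""     # blank when the key was entered manually


class KnownHostsDatabase:
    """Known host associations keyed by (SSH server address, port)."""

    def __init__(self) -> None:
        self._hosts: Dict[Tuple[str, int], KnownHost] = {}

    def add(self, host: KnownHost) -> None:
        self._hosts[(host.address, host.port)] = host

    def delete(self, address: str, port: int) -> None:
        self._hosts.pop((address, port), None)

    def promote_to_strong(self, address: str, port: int) -> None:
        self._hosts[(address, port)].trust = STRONG

    def with_trust(self, trust: str) -> List[KnownHost]:
        return [h for h in self._hosts.values() if h.trust == trust]

    def check_presented_key(self, address, port, key_type, blob) -> str:
        """Compare the key a server presents with the stored association. A 'mismatch'
        (changed key) should be verified out of band before the association is updated."""
        known = self._hosts.get((address, port))
        if known is None:
            return "unknown"
        if known.key_type != key_type or known.fingerprint != fingerprint_sha256(blob):
            return "mismatch"
        return "match" if known.trust == STRONG else "weak"


# Constructed sample key (not a real host key): small RSA parameters for illustration.
SAMPLE_E, SAMPLE_N = 65537, (1 << 127) | 0x1234567890ABCDEF
SAMPLE_KEY_LINE = ("ssh-rsa " + base64.b64encode(build_rsa_host_key_blob(SAMPLE_E, SAMPLE_N)).decode()
                   + " constructed-sample")
```

A typical flow mirrors the windows above: a key retrieved through a firewall is stored as a weak association, reviewed, and promoted; afterwards a server presenting a different key for the same address and port is reported as a mismatch rather than silently accepted.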




8      Configuration Tool - Monitor


       Contents
       Monitoring
       Firewall configuration management
       Responses
       Audit trail
       Audit archives
       Reporting
       Firewall audit reports
       Firewall license reports



Monitoring
       The nodes and objects that are displayed in the Monitor tree of the Configuration Tool represent customized
       actions that occur when specific conditions occur on an associated firewall. Monitoring firewall activity is
       important so that you can detect and respond to threats and critical conditions. You can configure the
       firewall to recognize unusual or abnormal occurrences and customize your response to these events. The
       following nodes are displayed in the Monitor tree of the Configuration Tool.
       • Audit Filters — Select this node to view a list of user-defined or pre-defined filter objects. Each
         object contains parameters that are used for filtering audit data in the McAfee Firewall Enterprise Audit
         Report window. By filtering the audit data, you can respond to audit events of particular interest to your
         site in an effective way. For more information, see Configuring filters for audit reports on page 632.

       • Responses — Select this node to view the following sub-nodes: E-mail Accounts and Host Blackhole.
         Select the E-mail Accounts node to view e-mail accounts that will receive alerts during an IPS attack
         response. Select the Host Blackhole sub-node to view hosts from which suspect traffic will be blackholed,
         or ignored. For more information, see Configuring alert notification for e-mail accounts on page 606 and
         Configuring blackholes for suspected hosts on page 607.
       • IPS Attack Responses — Select this node to view Intrusion Prevention System (IPS) attack responses.
         These attack responses define the way that the firewall responds when it detects audit events that
         indicate such possible attacks as Type Enforcement violations and proxy floods. Configure and modify IPS
         attack responses by using the IPS Attack Responses window. For more information, see Configuring IPS
         attack responses on page 609.

       • System Responses — Select this node to view system responses. These system responses define the
         way that the firewall responds when it detects audit events that indicate such significant system events
         as license failures and log overflow issues. Configure and modify system responses in the System
         Response window. For more information, see Configuring system responses on page 613.

       • Audit Report — Select this node to view the McAfee Firewall Enterprise Audit Report window, in which
         you can select parameters to generate a report of all of the audit events for one or more firewalls. For
         more information, see Configuring and generating audit reports for one or more firewalls on page 625.

       • License Report — Select this node to view the License Report Manager window, in which you can select
         the firewall against which to run this report. The License Report page displays the status of various
         licenses for the selected firewall. For more information, see Viewing the status of all of the licenses for a
         firewall on page 645.




       • Policy Report — Select this node to view the Policy Report window, in which you can select parameters
         to generate a report about the security policy that has been defined and implemented on the selected
         firewall. For more information, see Selecting the criteria for the firewall policy report on page 640.



Firewall configuration management
       You can remotely manage components of the firewall by using the Configuration Tool. To that end, several
       windows and pages are available including:
       • Updating the status of one or more apply configurations by using the Validation Configuration window
         (Validating firewall configurations on page 586)

          • Correcting any potential issues with the validation configuration as displayed in the Validation Warnings
            window ()

       • Viewing the status of firewall apply configurations by using the Validation Status Report page (Viewing
         the status of Apply Configurations on page 593)

       • Applying a configuration by using the Apply Configuration window (Applying firewall configurations on
         page 589)

          • Correcting any potential issues with the apply configuration as displayed in the Apply Warnings window
            (Troubleshooting apply configuration warnings on page 591)

       • Viewing configuration information by using the Configuration Status Report page (Viewing configuration
         information about each firewall on page 584)


       Viewing the overall status of your firewalls
Use the Firewall Status page to view a summary of the status of all of the firewalls that are configured for
your operation. You can quickly determine operational information about each firewall, such as its
current operational status, the version of the installed software, the health of the firewall, and additional
information. In the dashboard section at the bottom of this page, you can also view charts that display
information about other characteristics, such as CPU utilization and disk utilization. For more specific
information about the data that is displayed on this page, see Table fields and buttons on page 575 and
Dashboard fields and buttons on page 577.
Although this information can help you determine operational information about the individual firewalls
that are distributed throughout your system, it is only one of several windows and pages that you can
use to evaluate the status of your security system against the requirements of your security policy.

574    McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Firewall configuration management

Figure 243 Firewall Status page

Accessing this page
In the Reporting and Monitoring Tool, select the Firewall Status button in the toolbar or, from the View menu,
select Firewall Status.
or
In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed.
Select this tab.
or
If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall
Status or select the Firewall Status button in the toolbar.
The Firewall Status page is displayed.

Table fields and buttons
Click a column heading in the data table to sort the column data in ascending or descending order. The
Firewall column sorts by firewall status (red or green) or by firewall name. Double-click a row in this table to
display the Firewall Dashboard window for that firewall.
• Current firewall status as of — [Read-only] Displays the timestamp of the last update to the data on
  this page.

• Update Status — Force an update of the status for the selected firewall. To use this feature, highlight
  one or more firewalls and click Update Status. A message is sent to each firewall to return its current
  status information.

• Settings… — Displays the Firewall Status Settings window, in which you can configure the columns to
  be displayed in this table, the thresholds for various columns, and the charts to be displayed in the
  dashboard part of this page. For more information, see Configuring settings for the Firewall Status page
  on page 579.

• Status — [Read-only] Displays the status of the associated firewall the last time that the page data was
  refreshed. Red indicates a status of not running. Green indicates a status of running. Amber indicates
  that the firewall is running, but that it is in a policy mismatch state. A question mark indicates that the
  state of the firewall is unknown.

• Firewall — [Read-only] Displays the firewall icon and the name that was assigned to the firewall when it
  was configured.

• Cluster — [Read-only] Displays the name of the cluster of which this firewall is a member.

• Version — [Read-only] Displays the current version of the software or firmware that is running on the
  associated firewall. This value is also displayed in the data fields on the left side of the dashboard.

• Policy Status — [Read-only] Displays whether the configuration policy has been applied from the Control
  Center to the firewall. This value is also displayed in the data fields on the left side of the dashboard. The
  following values are available:

   • POLICY MISMATCH — Indicates that the policy on the Control Center for the specified firewall does
     NOT match the policy on the firewall.

   • Policy in sync — Indicates that the policy on the Control Center for the specified firewall matches the
     policy on the firewall.

   • Never applied — Indicates that the policy for the firewall has never been applied from the Control
     Center.

   • Unknown — Indicates that the Control Center cannot verify the state of the policy on the firewall.

• Health — [Read-only] Displays the health status of the firewall, as determined by the warning and
  critical threshold values that are configured in the Firewall Status Settings window. These thresholds
  are for CPU utilization, physical memory utilization, virtual memory utilization, and disk utilization.
  Red indicates that one of these values has exceeded its critical threshold on this firewall. Green
  indicates that none of the warning or critical thresholds have been exceeded on this firewall. Amber
  indicates that one of these values has exceeded its warning threshold on this firewall. Unknown
  indicates that the thresholds for this firewall cannot be determined.

      • CPU — [Read-only] Displays the percentage of existing CPU that is being used in this firewall. This value
        is also graphically displayed and charted in the CPU Utilization chart in the dashboard. This value is also
        one of the values that is monitored for the Health column indicator.

      • Memory — [Read-only] Displays the percentage of existing memory that is being used in this firewall.
        This value is also graphically displayed and charted in the Memory Utilization chart in the dashboard.
        This value is also one of the values that is monitored for the Health column indicator.

      • Swap — [Read-only] Displays the percentage of existing swap space that is being used in this firewall.
        This value is also one of the values that is monitored for the Health column indicator.

      • Disk — [Read-only] Displays the percentage of existing disk space that is being used in this firewall. This
        value is also graphically displayed and charted in the Disk Utilization chart in the dashboard. This value
        is also one of the values that is monitored for the Health column indicator.

      • Proxy Sessions — [Read-only] Displays the number of proxy sessions that are currently running on this
        firewall.

      • Filter Sessions — [Read-only] Displays the number of filter sessions that are currently running on this
        firewall.

• Boot Time — [Read-only] Displays the timestamp for the date and time at which the associated firewall
  was last started.

• Last Apply — [Read-only] Displays a timestamp for the last time that a successful change was applied
  to the associated firewall. This value is also displayed in the data fields on the left side of the dashboard.

• Last Status Change — [Read-only] Displays the timestamp at which the firewall status was last updated
  by the Control Center.

• Location — [Read-only] Displays the location data that was assigned to the associated firewall when it
  was configured. This value is also displayed in the data fields on the left side of the dashboard.

• Contact — [Read-only] Displays the contact data that was assigned to the associated firewall when it was
  configured. This value is also displayed in the data fields on the left side of the dashboard.

Dashboard fields and buttons
The dashboard part of this window is split into two different sections that are read-only. The section on the
left contains data about the firewall. There are a few fields that are not displayed elsewhere on this page,
either in the table at the top of the page or in the charts. This includes information such as inbound and
outbound data and the status of the interface or interfaces on this firewall.
The section on the right contains charts. The following charts are available on this window (again, as
controlled in the Firewall Status Settings window):
• Unacknowledged Alerts (available only if this firewall is configured to send Secure Alerts to the Control
  Center)

• CPU Utilization

• Memory Utilization

• Disk Utilization

• Active Sessions

• Data Rate (bytes / sec)

• VPN Sessions

The data for all of these charts is updated periodically as the information is received. Note that, for the
Unacknowledged Alerts chart, this is information that the firewall has sent to the Control Center.


Viewing the status of a specific firewall
Use the Firewall Dashboard window to view a summary of the status for one firewall in your configuration
domain. Or you can display additional windows for other firewalls and monitor them all at the same time
while you are working in the Control Center Client Suite.
The data in this window is the same data that is displayed at the bottom of the Firewall Status page.
However, your view in this window is for one firewall only.
The charts that are displayed in this window can be changed in the Charts tab of the Firewall Status
Settings window. For more information, see Configuring settings for the Firewall Status page on page 579.

Figure 244 Firewall Dashboard window

Accessing this window
1 In the Reporting and Monitoring Tool, select the Firewall Status button in the toolbar or, from the View menu,
  select Firewall Status.
  or
  In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed.
  Select this tab.
  or
  If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall
  Status or select the Firewall Status button in the toolbar.

  The Firewall Status page is displayed.
2 Double-click the firewall for which you want to view the dashboard information. The Firewall Dashboard
  window is displayed.

           Fields and buttons
           This window is split into two different sections that are read-only. The section on the left contains data
           about the firewall. There are a few fields that are not displayed elsewhere on this page, either in the table
           at the top of the page or in the charts. This includes information such as inbound and outbound data and
the status of the interface or interfaces on this firewall.

Charts
The section on the right contains charts. The following charts are available on this window (again, as
controlled in the Firewall Status Settings window):
• Unacknowledged Alerts (available only if this firewall is configured to send Secure Alerts to the Control
  Center)

• CPU Utilization

• Memory Utilization

• Disk Utilization

• Active Sessions

• Data Rate

• VPN Sessions

The data for all of these charts is updated periodically as the information is received. Note that, for the
Unacknowledged Alerts chart, this is information that the firewall has sent to the Control Center.
Click the Close button to close this window and return to the Firewall Status page.


Configuring settings for the Firewall Status page
Use the Firewall Status Settings window to specify the following information:
• Columns to be displayed in the Firewall Status page

• Warning and critical thresholds for various fields in the Firewall Status page that determine the displayed
  health status of the firewall

• Charts to display in the dashboard section of the Firewall Status page or the Firewall Dashboard window

Figure 245 Firewall Status Settings window

Accessing this window
1 In the Reporting and Monitoring Tool, select the Firewall Status button in the toolbar or, from the View menu,
  select Firewall Status.
  or
  In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed.
  Select this tab.
  or
  If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall
  Status or select the Firewall Status button in the toolbar.

  The Firewall Status page is displayed.

2 Click Settings…. The Firewall Status Settings window is displayed.

      Buttons
      This window has the following buttons:
      • OK — Save the setting changes. The Firewall Status page will be updated to reflect these changes.

      • Cancel — Close this window without saving any setting changes.

      • Defaults — Reset all of the settings on all of the tabs to their default settings.

      Tabs
      This window has the following tabs:
      • Display Columns — Specify the columns to display or hide in the Firewall Status page. For more
        information, see Firewall Status Settings window: Display Columns tab on page 580.

      • Health Thresholds — Specify the warning and critical threshold percentages for various fields in the
        Firewall Status page. For more information, see Firewall Status Settings window: Health Thresholds tab
        on page 581.

      • Charts — Specify the charts to display in the Firewall Status page or on the Firewall Dashboard window.
        For more information, see Firewall Status Settings window: Charts tab on page 583.

      Firewall Status Settings window: Display Columns tab
      Use the Display Columns tab on the Firewall Status Settings window to define the columns that are to be
      displayed on the Firewall Status page and the order in which they will be displayed. To view the fields on
      this tab, see Figure 245 on page 579.

      Accessing this tab
      1 If the Firewall Status Settings window is not displayed, go to step 2.
         or
         If the Firewall Status Settings window is displayed, make sure that the Display Columns tab is displayed.

2 In the Reporting and Monitoring Tool, select the Firewall Status button in the toolbar or, from the View menu,
  select Firewall Status.
  or
  In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed.
  Select this tab.
  or
  If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall
  Status or select the Firewall Status button in the toolbar.

         The Firewall Status page is displayed.

      3 Click Settings…. The Firewall Status Settings window is displayed.

4 Make sure that the Display Columns tab is displayed.

Fields and buttons
Remember that you can always revert back to the default settings for all of the tabs by clicking Defaults.
This tab has the following fields and buttons:
• Fields to display — Displays a list of the available columns that are currently selected to be displayed
  on the Firewall Status page.

   To move a column from this display list to the hidden list (so that it will not appear in the Firewall
   Status page table), highlight the column and click the right arrow button. The column is then moved to
   the hidden list. To change the order of columns that are displayed, highlight the column to be moved
   and then click the up arrow or down arrow to move it into the appropriate position. When you click OK,
   the Firewall Status page will display the columns in the order that you have them in this list, from left
   to right in the table.

• Fields to hide — Displays a list of the available columns that are currently selected to be hidden from
  the Firewall Status page. These columns will not display in the table on that page.

   To move a hidden column in this list to the displayed columns list, highlight the column and click the
   left arrow button. The column is then moved to the display list. Use the up and down arrows to change
   the displayed order of this column as needed. When you click OK, the Firewall Status page will hide the
   columns that you have moved to this list.

Firewall Status Settings window: Health Thresholds tab
Use the Health Thresholds tab of the Firewall Status Settings window to configure the percentages of
several fields for a warning indication or for a critical indication in the Health column of the Firewall Status
page. For example, if you set a warning threshold of 75% for CPU utilization, any firewall that uses more
than 75% of the CPU at any moment will trigger the Health column indicator to change from green (no
thresholds have been reached) to amber (at least one warning threshold has been exceeded).

Figure 246 Firewall Status Settings window: Health Thresholds tab

Accessing this tab
1 If the Firewall Status Settings window is not displayed, go to step 2.
  or
  If the Firewall Status Settings window is displayed, make sure that the Health Thresholds tab is displayed.

2 In the Reporting and Monitoring Tool, select the Firewall Status button in the toolbar or, from the View menu,
  select Firewall Status.
  or
  In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed.
  Select this tab.
  or
  If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall
  Status or select the Firewall Status button in the toolbar.

  The Firewall Status page is displayed.

3 Click Settings…. The Firewall Status Settings window is displayed.

4 Select the Health Thresholds tab. The Health Thresholds tab is displayed.

      Fields and buttons
      Remember that you can always revert back to the default settings for all of the tabs by clicking Defaults.
      This tab has the following fields and buttons:
• Warning threshold — Specify the percentage above which a warning indicator (amber) is triggered to
  display in the Health field on the Firewall Status page. The default value for all of the warning thresholds
  is 75.

• Critical threshold — Specify the percentage above which a critical indicator (red) is triggered to display
  in the Health field on the Firewall Status page. The default value for all of the critical thresholds is 90.

• CPU — Specify the warning and critical threshold percentages for CPU utilization. When a firewall exceeds
  this threshold, the Health field in the Firewall Status page displays the appropriate indicator.

• Physical memory — Specify the warning and critical threshold percentages for physical memory
  utilization. When a firewall exceeds this threshold, the Health field in the Firewall Status page displays
  the appropriate indicator.

• Swap usage — Specify the warning and critical threshold percentages for swap utilization. When a
  firewall exceeds this threshold, the Health field in the Firewall Status page displays the appropriate
  indicator.

• Hard disk — Specify the warning and critical threshold percentages for hard disk utilization. When a
  firewall exceeds this threshold, the Health field in the Firewall Status page displays the appropriate
  indicator.
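The following Python is an added example, not code from this guide or from Control Center. It models how the Health column described under Table fields and buttons combines the four metrics with the warning and critical percentages configured on this tab: any metric above its critical threshold gives red, otherwise any metric above its warning threshold gives amber, otherwise green, with "exceeds" read strictly (a reading of exactly 75 against a warning threshold of 75 stays green). Two points are assumptions rather than statements of the guide: a metric missing from a status sample is treated as the "thresholds cannot be determined" (unknown) case, and a warning threshold at or above its critical threshold is flagged as a configuration problem because amber could then never precede red. The metric names, the Thresholds class and the sample readings are constructed for the example.

```python
"""Health indicator evaluation modelled on the Health Thresholds tab and the
Health column of the Firewall Status page (added example, not Control Center code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The four metrics the Health column evaluates, with the default thresholds
# stated in the guide (warning 75 %, critical 90 %). Metric names are ours.
METRICS = ("cpu", "physical_memory", "swap", "hard_disk")
DEFAULT_WARNING = 75
DEFAULT_CRITICAL = 90


@dataclass
class Thresholds:
    """Per-metric warning and critical percentages."""
    warning: Dict[str, float] = field(
        default_factory=lambda: {m: DEFAULT_WARNING for m in METRICS})
    critical: Dict[str, float] = field(
        default_factory=lambda: {m: DEFAULT_CRITICAL for m in METRICS})

    @classmethod
    def uniform(cls, warning: float, critical: float) -> "Thresholds":
        """Same warning/critical pair for every metric (like typing the same
        values into each row of the tab)."""
        return cls({m: warning for m in METRICS}, {m: critical for m in METRICS})


def validate_thresholds(t: Thresholds) -> List[str]:
    """Return a list of configuration problems (empty if the thresholds are sane).

    Assumption (not stated by the guide): a warning threshold at or above the
    critical threshold is treated as a mistake, because the amber state could
    then never be shown before red.
    """
    problems = []
    for m in METRICS:
        w, c = t.warning[m], t.critical[m]
        if not (0 <= w <= 100 and 0 <= c <= 100):
            problems.append(f"{m}: thresholds must be percentages (0-100)")
        if w >= c:
            problems.append(f"{m}: warning {w} is not below critical {c}")
    return problems


def health_status(sample: Dict[str, Optional[float]],
                  thresholds: Optional[Thresholds] = None) -> str:
    """Return 'red', 'amber', 'green' or 'unknown' for one status sample.

    Precedence follows the Health column: a value above its critical threshold
    gives red; otherwise a value above its warning threshold gives amber;
    otherwise green. 'Exceeds' is strict, so a reading equal to the threshold
    does not trigger it. A metric missing from the sample makes the result
    unknown (assumption: that is the 'thresholds cannot be determined' case).
    """
    t = thresholds or Thresholds()
    if any(sample.get(m) is None for m in METRICS):
        return "unknown"
    if any(sample[m] > t.critical[m] for m in METRICS):
        return "red"
    if any(sample[m] > t.warning[m] for m in METRICS):
        return "amber"
    return "green"


def summarize(samples: Dict[str, Dict[str, Optional[float]]],
              thresholds: Optional[Thresholds] = None) -> Dict[str, str]:
    """Evaluate every firewall in a {name: sample} mapping."""
    return {name: health_status(s, thresholds) for name, s in samples.items()}


# Constructed sample readings (percent); not data from any real firewall.
SAMPLE_READINGS = {
    "fw-edge-1": {"cpu": 42, "physical_memory": 61, "swap": 3, "hard_disk": 55},
    "fw-edge-2": {"cpu": 78, "physical_memory": 60, "swap": 5, "hard_disk": 70},
    "fw-dmz-1": {"cpu": 30, "physical_memory": 52, "swap": 2, "hard_disk": 93},
    "fw-lab-1": {"cpu": None, "physical_memory": 40, "swap": 1, "hard_disk": 20},
}

if __name__ == "__main__":
    for problem in validate_thresholds(Thresholds()):
        print("threshold problem:", problem)
    for name, status in summarize(SAMPLE_READINGS).items():
        print(f"{name}: {status}")
```

Running the block prints one line per constructed firewall; with the default thresholds fw-edge-2 is amber on CPU alone, fw-dmz-1 is red on disk even though every other metric is low, and fw-lab-1 is unknown because its CPU reading is absent. The same precedence is what an external monitor should reproduce if it mirrors the Health column, so that a single critical metric is never masked by an otherwise healthy firewall.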




Firewall Status Settings window: Charts tab
Use the fields on the Charts tab of the Firewall Status Settings window to configure the charts that are
displayed on the Firewall Status page and in the Firewall Dashboard window and the way in which they are
displayed.
Figure 247 Firewall Status Settings window: Charts tab

Accessing this tab
1 If the Firewall Status Settings window is not displayed, go to step 2.
  or
  If the Firewall Status Settings window is displayed, make sure that the Charts tab is displayed.

2 In the Reporting and Monitoring Tool, select the Firewall Status button in the toolbar or, from the View menu,
  select Firewall Status.
  or
  In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed.
  Select this tab.
  or
  If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall
  Status or select the Firewall Status button in the toolbar.

  The Firewall Status page is displayed.

3 Click Settings…. The Firewall Status Settings window is displayed.

4 Select the Charts tab. The Charts tab is displayed.

Fields and buttons
Remember that you can always revert back to the default settings for all of the tabs by clicking Defaults.
This tab has the following fields and buttons:
• Charts to display — Displays a list of charts that are currently displayed on the Firewall Status page and
  in the Firewall Dashboard window. All of the charts are displayed by default. You can change the order of
  the charts being displayed by highlighting the chart to be moved and clicking the up or down arrow. You
  can also remove (hide) a chart from being displayed by highlighting the chart and clicking the right arrow
  to move the chart to the Charts to hide list.

• Charts to hide — Displays a list of charts that are currently hidden from view on the Firewall Status page
  and in the Firewall Dashboard window. All of the charts are displayed by default. You can move a chart
  from being hidden to being displayed by highlighting the chart and clicking the left arrow to move the
  chart to the Charts to display list. You can then change the order of this chart in the display by
  highlighting the chart to be moved and clicking the up arrow.

      • Number of minutes of data to display — Specify the number of minutes to display in each chart.
        Subdivisions of this time period are automatically generated in each chart so that you can view segments
        of the time. The default value is 30.

      • Show chart data in 3-D — Determines whether to display the chart data in a three-dimensional view or
        a one-dimensional view. The default value is selected.


      Viewing configuration information about each firewall
      Use the Configuration Status Report page to view information about the propagation of configuration data
      from the Control Center Management Server database to each selected firewall. When the Configuration
      Status Report page is displayed, the propagation status is refreshed every 15 seconds. For more
      information, see Firewall configuration management on page 574.
Figure 248 Configuration Status Report page

Accessing this page
In the Configuration Tool, select the Configuration Status Report button in the toolbar.
or
From the Report menu, select Configuration Status Report. The Configuration Status Report page is
displayed.

      Fields and buttons
      The data displayed on this report is determined by the value that is selected in the Display Configurations
      area that is located in the lower right corner of the page.
      When Current is selected as the value in the Display Configurations area, the following buttons and field
      data are displayed:
      • Last Refreshed — [Read-only] Displays the time at which this page was last refreshed (by clicking the
        Refresh button) or when this page was opened, if the Refresh button has not been clicked yet.

      • Firewall (name and icon) — [Read-only] Displays the name of the firewall and its associated icon. As of
        the time displayed in the Last Refreshed field at the top of the page, the current communication status
        of the associated firewall is indicated by an icon preceding this field. The following values are possible:

   • Green — Responding

   • Red — Not Responding

• Groups — [Read-only] Displays the names of the device groups to which the firewall belongs or none.

• Last Update — [Read-only] Displays the date and time that the firewall was last updated.

• Pending Update — [Read-only] Displays the date and time that a pending update was created.

• Pending Status — [Read-only] Displays the status of the pending propagation request. The following
  values can be displayed:

   • Notified — Indicates that the server has notified the firewall that an update is available and it (the
     server) is waiting for a reply from the firewall.

   • Notify Failed — Indicates that the server was not able to notify the firewall about a new update
     because of a communication failure.

   • Requested — Indicates that the firewall has requested an update, and that the server is preparing to
     send it.

   • Sent — Indicates that the server has sent new configuration data to the firewall.

   • Send Failed — Indicates that the server was unable to send the new configuration data to the firewall
     because of a communication failure.

   • ! - Apply failed — Indicates that the apply for this configuration failed. Double-click the row to view
     an explanatory message about the failure.

   • Completed — Indicates that the new configuration has been applied, and that the firewall has reported
     success.

   • Rejected — Indicates that the new configuration was not applied, and that the firewall has reported
     a failure.

   • Unknown — Indicates that there is no record of ever having sent a configuration update to the firewall.

• Refresh — Immediately refresh the status information.

• Re-init All — Immediately re-initialize all of the firewalls that have a pending re-initialize status. This
  does not affect firewalls that do not have a pending re-initialization status.

• Reinitialize Select — Immediately re-initialize the one or more selected firewalls that have a pending
  re-initialize status. This does not affect firewalls that do not have a pending re-initialization status.

• Display Configurations — The selected option determines whether to display the firewalls with a
  completed configuration update (select Current) or those firewalls that are scheduled to perform a
  configuration update (select Scheduled).

When Scheduled is the value that is selected for the Display Configurations area, the following buttons and
field data are displayed:
• Firewall (name and icon) — [Read-only] Displays the name of the firewall and its associated icon. As of
  the time displayed in the Last Refreshed field at the top of the page, the current communication status
  of the associated firewall is indicated by an icon preceding this field. The following values are possible:
   • Green — Responding

   • Red — Not Responding

• Configuration Created — [Read-only] Displays a time/date stamp of the time at which the pending
  configuration was created.

• Pending Update — [Read-only] Displays a time/date stamp of the time at which the pending
  configuration is to be applied.

• Pending Status — [Read-only] Displays the status of the pending propagation request. The following
  values may be displayed:

   • Pending — Indicates that the update is waiting for the propagation time to occur.

   • Notified — Indicates that the server has notified the firewall that an update is available and it (the
     server) is waiting for a reply from the firewall.

   • Notified Failed — Indicates that the server was unable to notify the firewall about a new update
     because of a communication failure.

         • Requested — Indicates that the firewall has requested an update, and that the server is preparing to
           send it.

         • Sent — Indicates that the server has sent new configuration data to the firewall.

   • Send Failed — Indicates that the server was unable to send the new configuration data to the firewall
     because of a communication failure.

   • Completed — Indicates that the new configuration has been applied, and that the firewall has reported
     success.

   • Rejected — Indicates that the new configuration could not be applied, and that the firewall has
     reported a failure.

   • Unknown — Indicates that there is no record of ever having sent a configuration update to the firewall.

• Refresh — Immediately refresh the status information.

• Cancel Selected — Cancel the propagation request for the selected firewall.

      • Re-Schedule Selected — Reschedule the propagation request to another time. A new window is
        displayed, in which you can configure a new date and time.

      • Display Configurations — The selected option determines whether to display the firewalls with a
        completed configuration update (select Current) or those firewalls that are scheduled to perform a
        configuration update (select Scheduled).


      Validating firewall configurations
      Use the Validate Configuration window to ensure that firewall configurations stored on the Control Center
      Management Server are valid. You can also use this window to view the differences between the current
      configuration and the proposed configuration of a firewall. For more information, see Firewall configuration
      management on page 574.
      The configuration validation process transfers all of the related rules and configuration data from the
      Control Center database to the selected firewalls. The receiving firewalls attempt to validate the
      configuration. But they do not actually apply any changes.
      The results of the validation process are recorded in the Validation Status Report, which can be opened by
      selecting the Validation Status Report option from the View menu. If the configuration of a particular
      firewall is reported to be valid, select the Apply Configurations option on the Configuration menu to
      apply the configuration to the firewall.
Figure 249 Validate Configuration window

Accessing this window
1 In the Configuration Tool, click the Validate Configurations… button in the toolbar. The Validate Configuration
  window is displayed.
  or
  From the Configuration menu, select Validate Configurations…. The Validate Configuration window is
  displayed.
  or
  In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node
  to display the tree.

2 Right-click the firewall whose configuration you want to validate and select Validate Configuration.
  The Validate Configuration window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Ticket — Specify the active ticket value. If there is a global ticket being used, the global ticket value is
  displayed in this field and cannot be edited. However, to use a ticket for each apply or validate, specify a
  value in this field. The ticket value is then added to the audit trail for the apply/validate functionality.

• Firewall — Displays a list of the firewalls that are being managed by this Control Center. Select one or
  more firewalls to validate.

• OK — Continue with the validation. If there are no warnings, the Validation Status Report page is
  displayed. If there are warnings, the Validation Warnings window is displayed.

• Cancel — Close this window and cancel the validation.


Troubleshooting configuration validation warnings
Use the Validation Warnings window to learn about any validation issues and to configure whether warning
messages will be displayed in the future for specific issues. A validation process now runs before the apply
configuration process continues. If there are any issues that could cause the apply process to fail, this
window is displayed and the specific issues are identified. You have the following options in this window:
• Proceed with the validation process, ignoring these issues.
  The result of this selection is that some of the values that you have configured may not be applicable to
  the firewall. As a result, the firewall may behave differently than your configuration would suggest.

• Cancel the validation process.
  This window closes. You can then fix the identified issues and re-validate.
   Note: This action cancels the validation for all of your selected firewalls, including for those firewalls that had
   no potential issues.

• Identify a particular type of issue as one that you do not want to see warnings for in the future.
  The validation process will proceed. When you select this checkbox, the next time that a validation process
  is started and a scenario occurs in which a warning would otherwise be displayed, no warning will be issued.




      Figure 250 Validation Warnings window




      Accessing this window
      In the Configuration Tool, highlight the firewall or firewalls in the tree that you want to update and click the
      Validate Configurations button in the toolbar. If there are any issues with the validation, this window is
      displayed. Otherwise, the validation will proceed and you will not see this window.

      Fields and buttons
      This window has the following fields and buttons:
      • Firewall — [Read-only] Displays the name of the firewall that has the apply or validation issue.
         Note: If this apply or validation includes multiple firewalls, firewalls that do not have issues will not be
         displayed in this table.

      • Issue — [Read-only] Displays a brief description of the apply or validation issue for the firewall.

      • Proceed with the apply or validation process. — Determines whether to continue with the apply or
        validation process. If you select this option, you are ignoring the issues that are displayed in this
        window, and your apply might fail as a result. Click OK and the apply or validation process continues
        despite the issues that have been identified here.

         • Never warn me about these issues for any firewall again. — Suppresses future warnings for every
           type of issue that is listed in the table; this checkbox applies to all of the issues shown, not only to
           a selected row. For example, if you see a warning for a version issue and you do not care about those
           warnings, select this checkbox and you will not receive any version warnings in this window in the
           future. Those types of warnings will be skipped by this pre-validation check. However, the issue still
           exists and might still cause the apply to fail.
             Note: If there are multiple issues in this window and you want to hide only one of them, select the
             cancel option, fix the other issues, and then re-apply or re-validate. When only the one issue remains,
             select this checkbox.

      • Cancel the apply or validation process, resolve the issues, and then re-apply or re-validate the
        configuration. — Determines whether the apply or validation process is cancelled for all of the firewalls
        that were selected, even if they have no issues. Click OK and this window is closed without making any
        changes. Then you can fix the issues and re-apply or re-validate all of the firewalls again.

      • OK — Perform the selected action for this apply or validation process. The Configuration Status Report is
        displayed for applies and the Validation Status Report is displayed for validations.




Validating the configuration of one or more firewalls
Use the Validate Configuration window in the Configuration Tool to validate configuration data for the
selected firewall or firewalls.
1 In the Configuration Tool, from the Configuration menu, select Validate Configurations…. The Validate
   Configuration window is displayed.

2 Select the checkbox for each firewall to be validated. When managing an HA pair, only the served firewall
   will be validated against the cluster configuration information.

3 Click OK to validate the configuration of the selected firewall or firewalls.

4 If there are no validation warnings or errors, the Validation Status Report is displayed.
   or
   If there are validation warnings or errors, the Validation Warnings window is displayed. Make a decision
   about how you want to proceed and click OK.

5 If you decided to proceed with the validation process, go to the apply process now.
   or
   If you decided to cancel the validation process, fix the warning issues and then re-validate the
   configuration or configurations (for multiple firewalls). Then go to the apply process.


Applying firewall configurations
Use the Apply Configuration window to propagate configurations from the Control Center database to the
managed firewalls—to select the target firewalls and, optionally, to schedule the time at which the
configuration should be applied.
When a configuration is scheduled to occur at a future date and time, the current configuration that is
stored in the Management Server when the schedule is defined is preserved, along with the status of the
checkbox that is used to determine whether the target firewall(s) should be re-initialized.
The Apply Configuration task sends configuration information to the selected target firewalls, transforming
and implementing the data on the firewall, restarting firewall components as necessary, and reporting the
results of the task back to the Control Center. The configuration status and any problems that occur while
connecting to the firewalls are reported on the Configuration Status Report page. When this page is
displayed, the propagation status is refreshed every 15 seconds.
Configurations can be applied only to firewalls that are currently in communication with the Management
Server. Therefore, verify the firewall status before applying your changes.
For more information, see Viewing configuration information about each firewall on page 584.




      Figure 251 Apply Configuration window




      Accessing this window
      1 In the Configuration Tool, click the Apply Configurations… button in the toolbar. The Apply Configuration
        window is displayed.
        or
        From the Configuration menu, select Apply Configurations…. The Apply Configuration window is
        displayed.
        or
        In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node
        to display the tree.

      2 Right-click a firewall for which you want to apply its configuration and select Apply Configuration. The
         Apply Configuration window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Schedule Apply Configuration — Determines whether to schedule the Apply Configuration task for a
        future time. When selected, use the down arrow to access the calendar and select a date, or add the date
        and time manually or by scrolling.
         Note: A new Apply Configuration task will replace an earlier version that is pending.

      • Ticket — [Optional] Associate a change tracking ticket and description with each apply task.

      • Firewalls — Specify the firewalls that are included in the Apply Configuration task. Select the checkbox
        for each firewall to be included.

      • OK — Start the Apply Configuration task or save a scheduled task. If the configuration deployment starts
        successfully, the message Propagation to Firewall(s) is in progress, please check the Status Report is
        displayed.

      • Cancel — Close the window without further action.

      For details about what can be configured for each type of supported firewall, see Registering your
      firewalls by using the rapid deployment option on page 164.




Applying a configuration to one or more firewalls
1 In the Configuration Tool, from the Configuration menu, select Apply Configurations. The Apply
   Configuration window is displayed.

2 Select the checkbox associated with each firewall to be configured.

3 [Optional] Select the Schedule Apply Configuration checkbox to define a future date and time to apply
   the configuration. A special date/time window is displayed, in which you can select a date and time when
   the current configuration is to be applied.
   Note: When you are scheduling a configuration to be applied at a future date and time, the current
   configuration is preserved and applied at the scheduled time, regardless of configuration changes that have
   occurred between the time that the apply was scheduled and when the apply occurs.

4 Click OK to apply the configuration to the selected firewall or firewalls.
   Note: When managing an HA pair, only the served firewall receives configuration information during the
   configuration propagation. The standby system's configuration is synchronized automatically after the
   served firewall's configuration has changed.

To view information about the status of the propagation in the Configuration Status Report, select
Configuration Status Report from the Reports menu.


Troubleshooting apply configuration warnings
Use the Apply Warnings window to learn about any apply (configuration) issues and to configure whether
warning messages will be displayed in the future for specific issues. A validation process now runs before
your changes are applied to the selected firewalls. If there are any issues that could cause the apply
process to fail, this window is displayed and the specific issues are identified. You have the following
options in this window:
• Proceed with the apply process, ignoring these issues.
  The result of this selection is that some of the values that you have configured may not be applicable to
  the firewall. As a result, the firewall may behave differently than your configuration would suggest.

• Cancel the apply process.
  This window closes. You can then fix the identified issues and re-apply.
   Note: This action cancels the apply for all of your selected firewalls, including for those firewalls that had no
   potential issues.

• Proceed with the apply process and do not show any warnings in the future.
  The apply configuration process will proceed. When you select this checkbox, the next time that an apply
  process is started and a scenario occurs (in which a warning would be displayed), no warning will be
  issued.




      Figure 252 Apply Warnings window




      Accessing this window
      In the Configuration Tool, highlight the firewall or firewalls in the tree that you want to update and click the
      Apply Configurations button in the toolbar. If there are any issues with the apply, this window is displayed.
      Otherwise, the apply will be processed on the selected firewall or firewalls.

      Fields and buttons
      This window has the following fields and buttons:
      • Firewall — [Read-only] Displays the name of the firewall that has the apply or validation issue.
         Note: If this apply or validation includes multiple firewalls, firewalls that do not have issues will not be
         displayed in this table.

      • Issue — [Read-only] Displays a brief description of the apply or validation issue for the firewall.

      • Proceed with the apply or validation process. — Determines whether to continue with the apply or
        validation process. If you select this option, you are ignoring the issues that are displayed in this
        window, and your apply might fail as a result. Click OK and the apply or validation process continues
        despite the issues that have been identified here.

         • Never warn me about these issues for any firewall again. — Suppresses future warnings for every
           type of issue that is listed in the table; this checkbox applies to all of the issues shown, not only to
           a selected row. For example, if you see a warning for a version issue and you do not care about those
           warnings, select this checkbox and you will not receive any version warnings in this window in the
           future. Those types of warnings will be skipped by this pre-validation check. However, the issue still
           exists and might still cause the apply to fail.
             Note: If there are multiple issues in this window and you want to hide only one of them, select the
             cancel option, fix the other issues, and then re-apply or re-validate. When only the one issue remains,
             select this checkbox.

      • Cancel the apply or validation process, resolve the issues, and then re-apply or re-validate the
        configuration. — Determines whether the apply or validation process is cancelled for all of the firewalls
        that were selected, even if they have no issues. Click OK and this window is closed without making any
        changes. Then you can fix the issues and re-apply or re-validate all of the firewalls again.

      • OK — Perform the selected action for this apply or validation process. The Configuration Status Report is
        displayed for applies and the Validation Status Report is displayed for validations.




Viewing the validation status of firewall configurations
Use the Validation Status Report to view the status of the validation process for each of the firewall
configurations in the Control Center database and to view the differences between the current configuration
and the proposed configuration of a firewall. When this report is displayed, the validation status is refreshed
every 15 seconds. For more information, see Firewall configuration management on page 574.
Figure 253 Validation Status Report page




Accessing this page
In the Configuration Tool, click the Validation Status button in the toolbar.
or
In the Configuration Tool, from the Reports menu, select Validation Status.
The Validation Status Report page is displayed.

Fields and buttons
This page has the following fields and buttons:
• Last Refresh — [Read-only] Displays the time at which the data on this page was last refreshed.

• Apply Selected — Perform an apply configuration on one or more firewalls that are displayed in this
  table.

• Refresh — Perform an immediate refresh of the data on this page. Although this page is automatically
  refreshed every 15 seconds, you can click this button for an immediate refresh.

• Firewall — [Read-only] Displays the name assigned to the firewall. The communication status of the
  firewall is indicated by an icon preceding this field. The color indicates the communication status as of the
  time displayed in the Last Refresh field at the top of the page:

   • Green — Responding

   • Red — Not Responding

• Last Update — [Read-only] Displays the time when the validation process was started for a firewall.

• Status — [Read-only] Displays the status of the validation process for a firewall. The following values can
  be displayed:

   • Started — Indicates that the validation process has been started for the firewall.

   • Notified — Indicates that the Control Center has notified the firewall that configuration information is
     available. The Control Center is waiting for a reply from the firewall.

   • Notify failed — Indicates that the Control Center could not notify the firewall about the configuration
     information because of a communication failure.

   • Requested — Indicates that the firewall has responded to the Control Center's notification by
     requesting the configuration information. The Control Center is preparing to send the information.

   • Sent — Indicates that the Control Center has sent the configuration information to the firewall.




         • Send failed — Indicates that the Control Center could not send the configuration information to the
           firewall because of a communication failure.

         • Completed — Indicates that the firewall has processed the configuration information and has reported
           that the proposed configuration is valid.

         • Validation failed — Indicates that the firewall has processed the configuration information and has
           reported that the proposed configuration is invalid.

      • Errors — [Read-only] Displays any errors that occurred during validation.

      • Differences — View the differences between the current configuration and the proposed configuration of
        a firewall. If the Status field displays Completed and there are differences between the configuration on
        the firewall and the configuration that the Control Center currently holds for that firewall, a View button
        is displayed. Click this button to display the Configuration Changes Details window, in which you can
        view the differences between the proposed and the current configuration.
         Note: If the values in the Last Update and Status fields are empty for a particular firewall, the configuration
         for that firewall has never been validated.


      Reviewing your configured firewalls
      Use the Firewall Sorting Manager window to provide a user-defined view of the firewalls that have been
      configured for your operation. You can select the firewall characteristics and the order of consideration of
      those characteristics to determine how the firewalls are to be displayed using a standard selection list.
      The available sort characteristics are: type (type of firewall), location (uses the user-defined location
      information), contact (uses the user-defined contact information associated with a firewall), and any
      user-defined category/value pair.
      By careful management of the location information, contact information, and user-defined categories
      associated with each firewall, an organization can create a powerful and effective firewall-sorting plan to
      help make managing large numbers of firewalls easier.
      One or more user-defined categories and values are assigned to a firewall by using the Add New Firewalls
      window when you define the firewall, or by using the firewall-specific manager window after the firewall
      has been defined. The manager window for the firewall is the Firewall window.
      Figure 254 Firewall Sorting Manager window




Accessing this window
In the Configuration Tool, from the System menu, select Firewall Sorting…. The Firewall Sorting Manager
window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Use Default Firewall Sorting — Determines whether to use the default sorting. Default sorting is by
  firewall type, location, and contact in that sequence.

• (Left list) — Displays the unused characteristics that can be used to sort the view.

• (Right list) — Displays the characteristics used to sort the list in the sequence that each characteristic is
  considered.

• Add — Move the highlighted characteristic in the left list to the right list.

• Remove — Move the highlighted characteristic in the right list to left list.

• Move Up — Move the highlighted characteristic in the right list up one position.

• Move Down —Move the highlighted characteristic in the right list down one position.

• OK — Apply the selected sort characteristics to the firewall list.

• Cancel — Close the window without making any changes.


Comparing impacts of proposed configuration changes for a firewall
Use the Configuration Changes Details window to examine the differences between the current
configuration and the proposed configuration of a firewall.
Figure 255 Configuration Changes Details window example data




Accessing this window
1 In the Configuration Tool, from the Reports menu, select Validation Status. The Validation Status Report
  page is displayed.

2 If a firewall has configuration differences, a View button is displayed in the Differences column. Click
   View in the row of the firewall for which you want to view these differences. The Configuration Changes
   Details window is displayed.

Fields and buttons
This window has comparison information that is arranged in the following manner:
• (Details area)— Displays the details of the changes that will take place in each file when these changes
  in the configuration file are applied to the firewall.

• Close — Close the window without saving the displayed text.

• Save As… — Displays the Save Validation Report As… window, in which you can specify a destination, file
  name, and format (either HTML or text file [.txt]) for the information on this window.




      Configuring compliance report settings
      Use the Compliance Report Settings window to automatically run compliance reports at a specified time and
      e-mail the results to an identified list of recipients. For more information, see Viewing the compliance status
      of the current firewall configuration on page 597.
      Figure 256 Compliance Report Settings window




      Accessing this window
      In the Configuration Tool, from the System menu, select Compliance Report Settings. The Compliance
      Report Settings window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Enable Compliance Report — Determines whether to generate the compliance report at the specified
        time.

      • Daily Run — Specify the time of day (by using a 24-hour clock) that an enabled compliance report would
        be generated.

      • Timeout (min) — Specify the number of minutes to wait for the validation to complete on a firewall
        before it is assumed that a time-out has occurred. This value defaults to 30 minutes.

         When the compliance report is generated, a validation of each firewall's configuration is performed.
         For large configurations this can take a long time. Set the time-out value to at least the amount of
         time that it typically takes to apply a configuration to your largest firewall.

      • Send Results To — Specify the e-mail addresses of the intended recipients of the compliance report. The
        report is a listing of the node name of the managed firewall and the reported compliance report status
        condition. The following compliance status values are possible on the Compliance Report page:
         • Unknown — Validation between the managed firewall and the Management Server has not been
           performed.
         • Compliant — Validation between the managed firewall and the Management Server has been
           performed and the configurations match.

         • Not Compliant — Validation between the managed firewall and the Management Server has been
           performed and the configurations do not match.




Search window
Use the Search window to locate a configurable object from a potentially large list of objects that meet the
general criteria. Often, the name that is associated with an object is not enough information to identify the
object that you need to find. By using the Search window, you can specify any character or string of
characters to search through all the presented data columns to locate the item that you seek.

Accessing this window
From various locations in windows and pages, click the Search button. The Search window is displayed.

Fields and buttons
This window has the following fields and controls:
• (filter) — Specify any character or string that is associated with any column of relevant search data in this
  field.

• Filter — Display the data that meets the character or string in any field of the associated field data in the
  original window or page.

• Results — The result candidates are displayed in the list. Highlight the sought-after object and click OK,
  or specify a new character or string of characters in the Filter field and click Filter again to refine the
  search.


Viewing the compliance status of the current firewall configuration
Use the Compliance Report page to quickly determine whether the current configuration that is installed on
the managed firewalls matches the configuration that is stored in the Control Center Management Server.
This page also provides a quick overview of the communication status between the managed firewall and
the Management Server, a time stamp of the last time that an update was applied, any error conditions
that were reported on the last update, and a listing of the differences between the configuration that is
stored on the Management Server and the current configuration on the managed firewall.
Click Refresh to ensure that you are viewing the most recent information.
A compliance report summary can be configured to run at a specified time and the results can be sent to a
defined list of e-mail addresses. For more information, see Configuring compliance report settings on
page 596.
Figure 257 Compliance Report page




Accessing this page
In the Configuration Tool, from the Reports menu, select Compliance Status. The Compliance Report
page is displayed.




      Fields and buttons
      This page has the following fields and buttons:
      • Last Refresh — [Read-only] Displays the last time the data being shown was updated.

      • Refresh — Refresh the data being displayed.

      • (Status) — [Read-only] Displays the current status of the communication between the associated firewall
        and the Management Server. The following indications are possible:

         • Green — The Management Server is in communication with the managed firewall.

         • Yellow — The Management Server is negotiating communication with the managed firewall.

         • Red — The Management Server is not in communication with the managed firewall.

      • (Firewall Type) — [Read-only] Displays the icon that represents the managed firewall.

      • Firewall — [Read-only] Displays the node name that is associated with the managed firewall.

      • Last Update — [Read-only] Displays a time stamp that indicates the last time the data being viewed was
        refreshed.

      • Compliance Status — [Read-only] Displays the compliance status. The following values are possible:

         • Unknown — Validation between the managed firewall and the Management Server has not been
           performed.

         • Compliant — Validation between the managed firewall and the Management Server has been
           performed and the configurations match.

         • Not Compliant — Validation between the managed firewall and the Management Server has been
           performed and the configurations do not match.

      • Errors — [Read-only] Displays any error conditions that were detected during the last update.

      • Differences — A View button is displayed for those firewalls whose configurations that are stored on the
        firewall are different from the configuration that is stored on the Management Server. Click this button to
        view the differences in the Configuration Changes Detail window. For more information, see Comparing
        impacts of proposed configuration changes for a firewall on page 595.
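      The following is an added example that is not part of this guide or of the Control Center product. It models in
      Python the comparison that the Compliance Report page and the daily compliance e-mail (see Configuring
      compliance report settings) perform: for each managed firewall, the configuration held by the Management
      Server is compared with the configuration the firewall reported at its last validation, the firewall is classed
      as Compliant, Not Compliant or Unknown, and a unified diff stands in for the Configuration Changes Details
      window. The FirewallRecord fields, the timeout handling and the sample firewall data are assumptions made
      for the example; the Control Center's own data model is not documented on this page.

```python
import difflib
from dataclasses import dataclass, field
from typing import List, Optional

# Compliance status values as they appear on the Compliance Report page
UNKNOWN = "Unknown"
COMPLIANT = "Compliant"
NOT_COMPLIANT = "Not Compliant"


@dataclass
class FirewallRecord:
    """Hypothetical model of what the Management Server knows about one firewall."""
    node_name: str
    stored_config: str                          # configuration held in the Control Center database
    firewall_config: Optional[str] = None       # configuration reported at the last validation; None if never validated
    responding: bool = True                     # communication status at the last refresh
    validation_minutes: Optional[float] = None  # how long the last validation ran, if one ran


@dataclass
class ComplianceRow:
    """One row of the report: node name, status, error text and configuration differences."""
    node_name: str
    status: str
    errors: str = ""
    differences: List[str] = field(default_factory=list)


def config_differences(current: str, proposed: str, node_name: str) -> List[str]:
    """Unified diff of the firewall's current configuration against the proposed one."""
    return list(difflib.unified_diff(
        current.splitlines(), proposed.splitlines(),
        fromfile=f"{node_name} (current)", tofile=f"{node_name} (proposed)",
        lineterm=""))


def compliance_status(rec: FirewallRecord, timeout_min: float = 30) -> ComplianceRow:
    """Derive the row the Compliance Report page would show for one firewall."""
    errors = "" if rec.responding else "Not Responding"
    if rec.firewall_config is None:
        # No validation has ever completed, so there is nothing to compare against.
        return ComplianceRow(rec.node_name, UNKNOWN, errors=errors)
    if rec.validation_minutes is not None and rec.validation_minutes > timeout_min:
        # The validation exceeded the configured Timeout (min); its result cannot be trusted.
        msg = f"Validation timed out after {timeout_min} min"
        return ComplianceRow(rec.node_name, UNKNOWN, errors="; ".join(e for e in (errors, msg) if e))
    diff = config_differences(rec.firewall_config, rec.stored_config, rec.node_name)
    if diff:
        return ComplianceRow(rec.node_name, NOT_COMPLIANT, errors=errors, differences=diff)
    return ComplianceRow(rec.node_name, COMPLIANT, errors=errors)


def compliance_report(records: List[FirewallRecord], timeout_min: float = 30) -> List[ComplianceRow]:
    return [compliance_status(r, timeout_min) for r in records]


def report_summary(rows: List[ComplianceRow]) -> str:
    """Node name and status per line: the listing the daily compliance e-mail carries."""
    return "\n".join(f"{r.node_name}\t{r.status}" for r in rows)


# Constructed sample data for the example; not taken from any real Control Center.
BASE_CONFIG = (
    "interface external 203.0.113.1/24\n"
    "rule allow internal -> external tcp/443\n"
    "rule deny any -> any\n"
)
SAMPLE_FIREWALLS = [
    # matches the stored configuration
    FirewallRecord("fw-edge-01", BASE_CONFIG, BASE_CONFIG),
    # Management Server holds an extra SSH rule the firewall has not received yet
    FirewallRecord("fw-edge-02",
                   BASE_CONFIG.replace("rule deny any", "rule allow internal -> external tcp/22\nrule deny any"),
                   BASE_CONFIG),
    # never validated and currently unreachable
    FirewallRecord("fw-branch-07", BASE_CONFIG, None, responding=False),
    # validation ran longer than the 30-minute default timeout
    FirewallRecord("fw-dc-03", BASE_CONFIG, BASE_CONFIG, validation_minutes=45),
]

if __name__ == "__main__":
    rows = compliance_report(SAMPLE_FIREWALLS)
    print(report_summary(rows))
    for row in rows:
        for line in row.differences:
            print(line)
```

      Raising timeout_min above the longest validation you observe turns the time-out row into a real result, which
      is the practical reason the Timeout (min) setting should track how long an apply takes on your largest firewall.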


      Viewing your firewall enrollment (deployment) status
      Use the Deployment Status Report page to view the status of the enrollment process when the rapid
      deployment option is used to initiate enrolling one or more firewalls from the Control Center Management
      Server. The enrollment process is initiated by using the Sign Up Firewalls - Firewall window. For more
      information, see Adding firewalls by using rapid deployment registration on page 38.
      Figure 258 Deployment Status Report page




      Accessing this page
      In the Configuration Tool, from the Reports menu, select Deployment Status. The Deployment Status
      Report page is displayed.



Fields and buttons
This page has the following fields and buttons:
• Status — This column indicates the status of the enrollment process. When the enrollment is successful,
  this column displays Operation completed. The following values are possible:

   • Retrieving status — Displayed when the server has not yet begun working on the sign up task for
     this particular firewall.

   • Initializing — Displayed when the server has started working on this particular firewall.

   • Authenticating — Displayed when the Control Center Management Server and firewall are
     authenticating each other using the sign-up password.

   • Sending Request — Displayed when the Control Center Management Server is requesting the firewall
     to initialize itself. The server sends some data to the firewall that the firewall can use to initialize itself.

   • Operation started — Displayed when the firewall has notified the Control Center Management Server
     that it has received the initialization request.

   • Operation in progress — Displayed when the firewall is in the process of initializing itself. At this
     stage, it is running cmsetup.

   • Operation completed — Displayed when the firewall has notified the Control Center Management
     Server of successful completion of the initialization task.

   • Operation failed — Displayed when the firewall has notified the Control Center Management Server
     of initialization failure. The details field may include the content of the error with more useful error
     information.

• Device Type — [Read-only] Displays the type of firewall.

• Device Name — [Read-only] Displays the supplied firewall name.

• IP Address — [Read-only] Displays the supplied firewall IP address.

• Last Updated — [Read-only] Displays a time stamp for the status of the row.

• Details — [Read-only] Displays any error conditions that occurred during the enrollment process.

• Clear Completed — Clear all rows that display Operation completed in the Status column.


Configuring McAfee Firewall Reporter for use inside the Control Center Client
Use the McAfee Firewall Reporter Settings window to configure the settings that the Control Center
Management Server will use to connect for the first time with the McAfee Firewall Reporter server. (After
you have configured these settings, you will not see this window again.) Note that this connection is made
by using the Internet options that are specified on your client machine.
Figure 259 McAfee Firewall Reporter Settings window




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                         599
Firewall configuration management




      Accessing this window
      In the Configuration Tool or in the Reporting and Monitoring Tool, from the Reports menu, select McAfee
      Firewall Reporter. If this is the first time that you have accessed this option, the McAfee Firewall Reporter
      Settings window is displayed.

      Fields and buttons
      • Use SSL connection (HTTPS) — Determines whether the connection to the McAfee Firewall Reporter
         server uses HTTPS instead of plain HTTP. The default value is cleared (plain HTTP). Because the
         McAfee Firewall Reporter login sends a user name and password over this connection, select this
         option unless the Reporter server is reached only over a network that you trust.

      • McAfee Firewall Reporter server address — Specify the IP address of the McAfee Firewall Reporter
        server.

      • McAfee Firewall Reporter management port — Specify the port for the McAfee Firewall Reporter
        server connection. For Apache, the default port is 9216; for Microsoft Internet Information Services
        (IIS), the default port is 8216.

      • OK — Save these settings and display the McAfee Firewall Reporter page.

      • Cancel — Close this window without saving the settings. You will be prompted with this window again the
        next time that you select the McAfee Firewall Reporter menu option, until you configure these settings.
        You can also access this window again to change settings by clicking Update Settings on the McAfee
        Firewall Reporter page.


      Viewing real-time Web data for your network
      Use the McAfee Firewall Reporter page to view more detailed reporting and monitoring information about
      the status of the firewalls that are being managed by the Control Center. This page provides:
      • Reports for multiple firewalls on this one page

      • Reports that are displayed with color and in graphics for easier readability

      • Reports that are available in multiple languages

      • Reports that are available without having to log into a firewall

      For information about how to configure a firewall to send its log files to the McAfee Firewall Reporter, refer
      to the McAfee Firewall Enterprise (Sidewinder) Administration Guide. For more information about the
      McAfee Firewall Reporter documentation, go to mysupport.mcafee.com.

      Accessing this page
      In the Configuration Tool or in the Reporting and Monitoring Tool, from the Reports menu, select McAfee
      Firewall Reporter.
      1 If you have already configured the settings on the McAfee Firewall Reporter Settings window, the McAfee
         Firewall Reporter page is displayed.
         or
         If this is your first attempt to view this report, the McAfee Firewall Reporter Settings window is displayed.
         Configure the settings on this window and click OK. The login window is displayed.

      2 Specify your user name and password values and click OK. An information message is displayed. Ignore
         this message and click OK. The McAfee Firewall Reporter page is displayed.




Fields and buttons
Note: All of the fields, tabs, and buttons on this page are described in the McAfee Firewall Reporter help,
except for the Update Settings button, which is described below. To access help for this page, click Help.

• Update Settings — Displays the McAfee Firewall Reporter Settings window, in which you can change the
  settings that are used to connect to the McAfee Firewall Reporter server.


Viewing services and managing service agents
Use the Service Status page to view the service status report, which contains configuration and status
information for all of the services that are enabled on the selected firewall. This report provides the
following information:
• Status of the service

• Burbs on which the service is listening

• Ports on which the service is accepting connections

• Rules that have been configured to use the service

In addition to this view, you can also:
• View additional information about the highlighted service (Service Information button)

• View audit data for this service (Audit Data button)

• Restart the service (Restart Agent button) — This is helpful when you have made configuration changes
  or when you want to troubleshoot this service.

• Temporarily disable one or more services




      Figure 260 Service Status page




      Accessing this page
      1 In the Configuration Tool or the Reporting and Monitoring Tool, in the Firewalls group bar, click the
        Firewalls node to display the list of available firewalls.

      2 Right-click the firewall for which you want to run the report. Select Firewall Reports > Service Status.
         The Service Status window is displayed. For more information about this window, see Generating firewall
         reports on page 623.

      3 Make your selections on this window and then click Request Report. If the Wait For Report checkbox
         was selected (in either tool), the report is displayed in a new tab in the work area. If you chose not
         to wait for the report (Reporting and Monitoring Tool only), a Reports group is created with a folder
         for this report, and the individual report is listed below that folder.

      4 If you did not wait for the report in the Reporting and Monitoring Tool, double-click the report in the
         Reports group area and the report is displayed as a page (tab) in the work area.

      Fields and buttons
      • Filter row (first row in the table) — For each column, you can specify the filter that you want to apply to
         the data for this column. The following options are available for each column:

         • (All) — Indicates that no filtering is to be performed on this column. All records are displayed, unless
           a particular record is filtered out by the criteria set in a different column.

         • (Empty) — Indicates that column filtering is performed on records that do not have data in this
           column. The records that have data in this column are not displayed, regardless of the settings in any
           other column.



   • Displayed_column_value — Indicates that column filtering is performed on records that match the
     value or values in this column. The data in the list for each column is different, depending on the values
     that are displayed for that column. There is one entry in this list for each unique value that is displayed
     in this column.

   • Report-specific column names — The following columns are displayed in this report:

       • Status — [Read-only] Visually indicates the status of the service. The following values are
         available:
           • Running — The service is processing traffic as expected.

           • Running with errors — The service is processing traffic. However, it is also generating errors.
               The service could be temporarily disabled or there could be an issue that you need to
               troubleshoot.

           • Not running — Either the service is not running or there is no available information about
               the status of this service. You must investigate this status.
       • Service — [Read-only] Displays the name of the service.

       • Agent — [Read-only] Displays the agent for the service. This information can be useful when you
         are considering restarting or disabling a particular service.

       • Burbs — [Read-only] Displays the burbs in which this service is enabled.

           When a service is used in a rule, the service is enabled in the source burb for that rule. All source
           burbs for rules that use this service are listed on this page.
          Note: Some services display the Firewall burb in the Burbs column. This burb is used for internal firewall
          processing and it cannot be modified.

          Also, the Sendmail service runs only in two burbs, even if the source burb is set to <Any>.

       • Ports — [Read-only] Displays the ports that have been configured for this service.

       • Active Rules — [Read-only] Displays the enabled rules that use this service.

• Service Information — Displays the Service Information window, in which more specific information
  about this service is displayed. This button is available only after you have selected a row in the report.
  For more information about this window, see Viewing details about a firewall service on page 604.

• Audit Data — Displays the McAfee Firewall Enterprise Audit Report window and generates a report of the
  audit data for the last 24 hours for this service. Use this button when the service is not running the way
  that it was configured. For more information about this window, see Configuring and generating audit
  reports for one or more firewalls on page 625.

• Restart Agent — Restart or re-enable the selected service. The service is disabled and the agent for this
  service is immediately re-enabled. All current connections are dropped and any audit counts are reset.

   Do not restart an agent unless it is part of a procedure, you have completed other troubleshooting
   measures, or you have been instructed to do so by McAfee Technical Support.
   Caution: An agent can serve more than one service. If you restart a service, all current connections
   handled by its agent are dropped, not only the connections of the selected service.

• Temporarily Disable Agent — Temporarily disable the selected service. This stops the agent for this
  service. The agent is then restarted as soon as any policy configuration changes are saved.

   Do not temporarily disable an agent unless it is part of a procedure, you have completed other
   troubleshooting measures, or you have been instructed to do so by McAfee Technical Support.
   Tip: A quick way to safely re-enable all of the stopped agents is to change a rule or the description of a service
   and then save the changes.

• Refresh — Update the service information for the selected firewall.



      Viewing details about a firewall service
      Use the Service Information window to view the burbs and ports on which the service should be listening,
      along with the current status of the service. From this window you can also perform some of the same
      actions that are available from the Service Status page:
      • Display audit data for this service (Audit Data button)

      • Restart this service (Restart button)

      • Temporarily disable this service (Temporarily Disable button)
      Figure 261 Service Information window




      Accessing this window
      If the Service Status page is already displayed, skip to step 5.
      1 In the Configuration Tool or the Reporting and Monitoring Tool, in the Firewalls group bar, click the
         Firewalls node to display the list of available firewalls.

      2 Right-click the firewall for which you want to run the report. Select Firewall Reports > Service Status.
         The Service Status window is displayed. For more information about this window, see Generating firewall
         reports on page 623.

      3 Make your selections on this window and then click Request Report. If the Wait For Report checkbox
         was selected (in either tool), the Service Status report is displayed in a new tab in the work area. If
         you chose not to wait for the report (Reporting and Monitoring Tool only), a Reports group is created
         with a folder for this report, and the individual report is listed below that folder.

      4 If you did not wait for the report in the Reporting and Monitoring Tool, double-click the report in the
         Reports group area. The Service Status page is displayed as a page (tab) in the work area.

      5 Select a service in the report and click Service Information. The Service Information window is
         displayed.

      Fields and buttons
      • Service information as of — [Read-only] Displays the timestamp of the date and time at which this
         report was last run or refreshed (by clicking Refresh).

      • Agent_name agent is service_status — [Read-only] Displays the name of the agent (Agent_name)
        and its current status (service_status). The following service status values are available:

         • running — The service is processing traffic as expected.



         • running with errors — The service is processing traffic. However, it is also generating errors. The
           service could be temporarily disabled or there could be an issue that you need to troubleshoot.

         • not running — Either the service is not running or there is no available information about the status
           of this service. You must investigate this status.

      • Configured Burb — [Read-only] Displays the source burb in a rule where this service was used. All of
        the source burbs for rules that use this service are listed in this column.

      • Configured Port — [Read-only] Displays all of the ports that are configured for this service.

      • Listening or Running — [Read-only] Indicates whether the service is listening (accepting connections)
        on a port. However, if this is a special service that does not listen on any ports, this column heading will
        be “Running”, indicating the status of this service.

      • Audit Data — Displays the McAfee Firewall Enterprise Audit Report window and generates a report of the
        audit data for the last 24 hours for this service. Use this button when the service is not running the
        way that it was configured. For more information about this window, see Configuring and generating audit
        reports for one or more firewalls on page 625.

      • Restart — Restart or re-enable the selected service. The service is disabled and the agent for this
        service is immediately re-enabled. All current connections are dropped and any audit counts are reset.

         Do not restart an agent unless it is part of a procedure, you have completed other troubleshooting
         measures, or you have been instructed to do so by McAfee Technical Support.
         Caution: An agent can serve more than one service. If you restart a service, all current connections
         handled by its agent are dropped, not only the connections of the selected service.

      • Temporarily Disable — Temporarily disable the selected service. This stops the agent for this service.
        The agent is then restarted as soon as any policy configuration changes are saved. This button is not
        available if this is a service that is used for firewall internal processing.

         Do not temporarily disable an agent unless it is part of a procedure, you have completed other
         troubleshooting measures, or you have been instructed to do so by McAfee Technical Support.
         Tip: A quick way to safely re-enable all of the stopped agents is to change a rule or the description of a service
         and then save the changes.

      • Refresh — Update the service information for the selected firewall.

      • Close — Close this window and return to the Service Status page.



Responses
      Use firewall IPS attack responses and system event responses to monitor your network for abnormal and
      potentially threatening activities that range from an attempted attack to an audit overflow. You can
      configure the number of times that a particular event must occur within a specified time frame before it
      triggers a response.
      When the firewall encounters audit activity that matches the specified type and frequency criteria, the
      response that you configured for that system event or attack type determines how the firewall reacts.
      The firewall can be configured to alert an administrator about the event by e-mail or SNMP trap, and to
      ignore (blackhole) packets from particular hosts for a specified period of time.
      Some default attack and system event responses are automatically created on the firewall during its initial
      configuration. The additional configuration options you select will depend mainly on your site’s security
      policy and, to some extent, on your own experience with these features. You might want to start with the
      default options and adjust them as necessary to meet your site’s needs.




      For more about this feature, see the following topics:
      • Configuring alert notification for e-mail accounts on page 606

      • Configuring blackholes for suspected hosts on page 607

      • Viewing IPS attack responses on page 608

      • Configuring IPS attack responses on page 609

      • Viewing system responses on page 612

      • Configuring system responses on page 613


      Configuring alert notification for e-mail accounts
      Use the Responses - E-mail Accounts window to specify the e-mail accounts that receive alerts when an
      IPS attack response or system response is triggered.
      Figure 262 Responses - E-mail Accounts window




      Accessing this window
      1 In the Configuration Tool, select the Monitor group bar.

      2 In the tree, click the Responses node and then double-click E-mail Accounts. The Responses - E-Mail
         Accounts window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a unique label to refer to the e-mail account.

      • Description — Provide information about the e-mail account.

      • Mail Recipients (separated by comma) — Specify one or more e-mail addresses. Separate multiple
        addresses with commas (,).

      • OK — Save the changes that have been made.

      • Cancel — Close the window without making any changes.




Configuring blackholes for suspected hosts
Use the Responses - Host Blackhole window to define a response that blackholes (silently discards) traffic
from suspect hosts. The firewall blackholes traffic by source address rather than by type of traffic: if a
host is blackholed, all traffic from that host is ignored for the configured period.
Figure 263 Responses - Host Blackhole window




Accessing this window
1 In the Configuration Tool, select the Monitor group bar.

2 In the tree, select the Responses node and then double-click Host Blackhole.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a unique label to refer to the host blackhole response.

• Description — Provide information about the host blackhole.

• Blackhole host packets for n seconds — Specify how long (from 1 to 100000 seconds) the firewall ignores
  traffic from the blackholed host or hosts before it again accepts and responds to traffic from them.

• Blackhole — Specify which hosts to blackhole when the response is triggered. The following selections
  are available:

   • All attacking hosts — Blackhole every host that was involved in triggering the response.

   • Each host responsible for n % of attacks — Blackhole only the hosts that are responsible for n percent
     or more of the attacks that triggered the response, where n is a value from 1 to 100. This avoids
     blackholing hosts that contributed only a few of the events.

• OK — Save the changes that have been made.
• Cancel — Close the window without making any changes.
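The host selection and expiry behaviour of a Host Blackhole response, as an added Python example; it is not code from the product or from this guide. It assumes that "Each host responsible for n % of attacks" means hosts whose share of the triggering events is at least n percent, and that a repeated hit extends an existing blackhole entry rather than shortening it. The attack source addresses are constructed sample data.

```python
from collections import Counter
from typing import Dict, Iterable, Set

# Constructed sample (not real data): source addresses of the audit events that
# triggered one response; eight events from the first host, two from the second.
ATTACK_SOURCES = ["10.0.0.5"] * 8 + ["10.0.0.6"] * 2


def select_blackhole_hosts(sources: Iterable[str], mode: str, percent: int = 100) -> Set[str]:
    """Choose the hosts to blackhole for one triggered response.

    mode "all":     "All attacking hosts" - every source that was involved.
    mode "percent": "Each host responsible for n % of attacks" - assumed here to
                    mean hosts whose share of the triggering events is at least
                    n percent (n from 1 to 100).
    """
    counts = Counter(sources)
    if not counts:
        return set()
    if mode == "all":
        return set(counts)
    if mode == "percent":
        if not 1 <= percent <= 100:
            raise ValueError("n must be between 1 and 100")
        total = sum(counts.values())
        return {host for host, c in counts.items() if 100 * c / total >= percent}
    raise ValueError(f"unknown mode {mode!r}")


class BlackholeTable:
    """Source-address blackhole list with a per-host expiry time.

    Blackholing is keyed on source address only: every packet from a listed host
    is ignored until the entry expires, whatever the type of traffic.
    """

    def __init__(self) -> None:
        self._expires: Dict[str, float] = {}

    def add(self, host: str, now: float, seconds: int) -> None:
        """Blackhole host for `seconds` (1 to 100000) starting at `now`."""
        if not 1 <= seconds <= 100000:
            raise ValueError("seconds must be between 1 and 100000")
        # Design choice (assumption): a repeated hit extends an existing entry
        # rather than shortening it.
        self._expires[host] = max(self._expires.get(host, 0.0), now + seconds)

    def is_blackholed(self, host: str, now: float) -> bool:
        """True while the entry is live; expired entries are dropped on lookup."""
        expiry = self._expires.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expires[host]   # traffic is accepted again after n seconds
            return False
        return True

    def active(self, now: float) -> Set[str]:
        return {h for h in list(self._expires) if self.is_blackholed(h, now)}


def apply_response(sources: Iterable[str], mode: str, percent: int,
                   now: float, seconds: int) -> BlackholeTable:
    """Run one Host Blackhole response and return the resulting table."""
    table = BlackholeTable()
    for host in select_blackhole_hosts(sources, mode, percent):
        table.add(host, now, seconds)
    return table


if __name__ == "__main__":
    table = apply_response(ATTACK_SOURCES, "percent", 50, now=1000.0, seconds=300)
    print("blackholed now:", sorted(table.active(1000.0)))        # ['10.0.0.5']
    print("blackholed at +300 s:", sorted(table.active(1300.0)))  # []
```

With the sample data, the 50 % threshold blackholes only the host that produced eight of the ten events; dropping the threshold to 10 % catches both hosts, which is the same result as "All attacking hosts" here. Whichever host is chosen, its traffic is accepted again exactly n seconds after the response fired.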




      Viewing IPS attack responses
      Use the IPS Attack Responses page to view a complete list of the IPS attack responses that have been
      defined on your system. To modify attack response settings, double-click the specific response. The IPS
      Attack Response window is displayed, in which you can configure these settings. For more information, see
      Configuring IPS attack responses on page 609.
      Figure 264 IPS Attack Responses page




      Accessing this page
      1 In the Configuration Tool, select the Monitor group bar.

      2 Double-click the IPS Attack Responses node. The IPS Attack Responses page is displayed.

      Fields and buttons
      The following fields and buttons are displayed.
      • Filter — Specify the firewall for which you want to display IPS attack responses or select ALL RESPONSES
        to view them for all firewalls. To remove the filter, click Clear Filter results.

      • Find — Because the list of responses can be very long, use Find to retrieve only the responses that
        match a search term:

         a In the Find (or Search) field, specify a term that matches any value displayed in the list.

         b Click the down arrow to choose how the results are shown: Highlight matching <objects> or Only
            display matching <objects>, where <objects> is the type of object that you are searching for.

         c Click Find or press Enter. If you selected the highlight option, all objects that match the search
            term are highlighted in yellow; otherwise only the matching objects are displayed.

         d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and
            view all of the objects again, click Clear Find Results.

      • Enabled — Determines whether the IPS Attack Response is enabled.

      • Name — [Read-only] Displays the name assigned to the IPS attack response.

      • Audit Filter — [Read-only] Displays the audit filter associated with the IPS Attack Response. Audit filters
        are defined on the Audit Filter window.

      • Apply On — [Read-only] Displays the firewalls to which the IPS Attack Response applies.




• Attack Responses — [Read-only] Displays the IPS attack response(s) associated with the IPS attack.
  Responses are defined on the Responses window.

• Frequency — [Read-only] Displays the frequency parameters associated with the IPS attack response.
  Frequency parameters are defined on the IPS Attack Response window.

• Description — Specify information about the IPS attack response.


Configuring IPS attack responses
Use the IPS Attack Response window to configure and modify Intrusion Prevention System (IPS) attack
responses. IPS attack responses define the way that the firewall responds when it detects audit events that
indicate such possible attacks as Type Enforcement violations and proxy floods.
Figure 265 IPS Attack Response window




Accessing this window
1 If the IPS Attack Responses page is already displayed, skip to step 4.

2 In the Configuration Tool, select the Monitor group bar.

3 Double-click the IPS Attack Responses node. The IPS Attack Responses page is displayed.

4 Double-click an attack response on the IPS Attack Responses page. The IPS Attack Response window is
   displayed.




      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label used to refer to the IPS attack response.

      • Description — Provide information about the IPS attack response.

      • Characteristics — Use the fields in this area to specify the characteristics for this attack response. The
        following fields are available:

         • Filter — Specify the audit filter to use. For a list of the audit filters and descriptions of the event types
           that they audit, see Pre-defined audit filters for IPS attacks on page 611.

         • Enabled — Determines whether the response is enabled. This is selected by default.

      • Attack Frequency — Use the fields in this area to determine the attack frequency. The following fields
        are available:

         • Frequency — Specify the frequency at which the response is to be generated. The following values
           are available:

             • Always Respond — Indicates that a response is generated every time the attack occurs.

             • Limit Responses — Indicates that a response is generated when the pattern of attack matches the
               following settings:

         • Respond if n Attacks in — Specify the number of attacks to occur before a response is generated,
           where n ranges from 2 to 100000. The firewall will respond when the nth attack occurs.

         • y seconds — Specify the number of seconds within which the specified number of attacks must occur
           before a response is generated, where y ranges from 1 to 100000.

         • Reset attack count to zero after responding — Determines whether the firewall zeroes out its
           attack counter after responding and waits until another n attacks occur in y seconds before sending
           out the next response. If this checkbox is not selected, the same attacks may be used to generate
           additional alerts.

      • Attack Response Alerts (E-mail/SNMP Trap) — Use the fields in this area to specify the frequency at
        which alerts that use e-mail and SNMP traps are triggered. The following fields are available:

         • Wait n seconds between alerts — Specify the number of seconds for the firewall to wait before
           sending the next e-mail or SNMP trap for the same type of attack.
             Caution: Be careful when setting the wait time between alerts. If the Frequency is set to Always
             Respond and the wait time between alerts is zero, an e-mail or SNMP trap could be sent every second.

         • Find — Use this field and the associated controls described above to find matching firewalls in the
           Apply On list or to filter or search for matching responses in the Attack Responses list.

         • Apply On — Use this column to select the firewalls on which to apply the IPS attack responses.

         • Attack Responses — Select the responses that the firewall generates when the attack pattern matches
           the Frequency settings. This list contains the responses that have been defined on the system (for
           example, e-mail accounts, Host Blackhole, SNMP Trap, and Secure Alert).
             Note: You must select Send Secure Alert if you want IPS attack responses to generate a Secure Alert.

      • OK — Save the changes to this attack response.

      • Cancel — Close this window without saving any changes.
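The Attack Frequency and alert-spacing settings described above, as an added Python example; it is not code from the product or from this guide. It models "Respond if n Attacks in y seconds" as a sliding window over event timestamps (in seconds, assumed to arrive in order), and the event times are constructed sample data. It shows what the Reset attack count checkbox changes: without the reset, the attacks that already triggered a response stay in the window and trigger again on the next event, exactly the repeated alerts the setting's description warns about. It also shows why Always Respond with a zero wait time alerts on every event.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

# Constructed sample (not real data): times, in seconds, of five audit events
# that match one attack response's audit filter. Assumed to be in order.
AUDIT_EVENTS = [0.0, 10.0, 20.0, 30.0, 40.0]


@dataclass
class IPSAttackResponse:
    """Frequency and alert-spacing logic of one IPS attack response.

    always_respond       : "Always Respond" - respond to every matching event.
    attacks, seconds     : "Respond if n Attacks in y seconds" (n 2..100000, y 1..100000).
    reset_after_response : "Reset attack count to zero after responding".
    alert_wait           : "Wait n seconds between alerts" for e-mail / SNMP trap.
    """
    always_respond: bool = False
    attacks: int = 2
    seconds: float = 60.0
    reset_after_response: bool = True
    alert_wait: float = 0.0
    _window: Deque[float] = field(default_factory=deque, repr=False)
    _last_alert: Optional[float] = field(default=None, repr=False)

    def __post_init__(self) -> None:
        if not self.always_respond:
            if not 2 <= self.attacks <= 100000:
                raise ValueError("n must be between 2 and 100000")
            if not 1 <= self.seconds <= 100000:
                raise ValueError("y must be between 1 and 100000")

    def observe(self, ts: float) -> Tuple[bool, bool]:
        """Feed one matching audit event; return (responded, alerted)."""
        if self.always_respond:
            responded = True
        else:
            self._window.append(ts)
            # Sliding window: keep only the attacks within the last y seconds.
            while ts - self._window[0] > self.seconds:
                self._window.popleft()
            responded = len(self._window) >= self.attacks
            if responded and self.reset_after_response:
                self._window.clear()   # wait for another n attacks in y seconds
            # Without the reset, the attacks that just triggered a response
            # stay in the window and can trigger again on the next event.
        alerted = False
        if responded and (self._last_alert is None
                          or ts - self._last_alert >= self.alert_wait):
            alerted = True          # an e-mail / SNMP trap would be sent here
            self._last_alert = ts
        return responded, alerted


def run(response: IPSAttackResponse,
        event_times: List[float]) -> Tuple[List[float], List[float]]:
    """Replay events through a response; return (response times, alert times)."""
    responded, alerted = [], []
    for t in event_times:
        r, a = response.observe(t)
        if r:
            responded.append(t)
        if a:
            alerted.append(t)
    return responded, alerted


if __name__ == "__main__":
    print("reset:   ", run(IPSAttackResponse(attacks=3, seconds=25.0), AUDIT_EVENTS))
    print("no reset:", run(IPSAttackResponse(attacks=3, seconds=25.0,
                                             reset_after_response=False,
                                             alert_wait=15.0), AUDIT_EVENTS))
    print("always:  ", run(IPSAttackResponse(always_respond=True), AUDIT_EVENTS))
```

With n = 3 and y = 25 the sample produces one response (at t = 20) when the count is reset, but three responses (t = 20, 30, 40) when it is not, because the events at 10 and 20 are counted a second and third time. A 15-second wait between alerts then suppresses the e-mail or trap at t = 30 while still recording the response itself.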




Pre-defined audit filters for IPS attacks
The following pre-defined audit filters are for IPS attacks:
• ACL Deny — Detects when a connection is denied by a rule in the active policy.

• denied authentication — Detects when a user attempts to authenticate and specifies invalid data. For
  example, if a user is required to specify a password and specified it incorrectly, the denied auth event
  would log the event.

• IPFilter Deny — Detects when a connection is denied by the active filter policy.

• IPS — Detects severe attacks, including application defense violations, buffer overflow attacks, general
  attacks, denial-of-service (DoS) attacks, policy violations, protocol violations, virus attacks, and spam
  attacks. A severe attack indicates activity that an administrator should know about.

• keyword filter failure — Detects when an SMTP mail message is rejected due to a configured keyword
  filter.

• network probe — Detects network probe attacks, which occur any time a user attempts to connect or
  send a message to a TCP or UDP port that is not configured.

• proxy flood — Detects potential connection attack attempts. A connection attack is defined as one or
  more addresses launching numerous proxy connection attempts to try to flood the system. When NSS
  (network service sentry) receives more connection attempts than it can handle for a proxy, new
  connections to that proxy are briefly delayed (to allow the proxy to catch up) and the attack is audited.

• signature IPS intrusion all — Detects all attacks identified by the signature-based IPS. This category
  detects attacks that were denied, dropped, or rejected, as well as suspected attacks that were allowed,
  but were audited by IPS.

• signature IPS intrusion blackholed — Detects attacks identified by the signature-based IPS, where
  the attacker was blackholed.

• signature IPS intrusion deny — Detects attacks identified by the signature-based IPS, where the
  offending network session was dropped or rejected, or the attacker was blackholed.

• spam filter failure — Detects attacks of all severities that are spam.

• TCP SYN attack — Detects a possible attempt to overrun the firewall with connection attempts.

• TrustedSource — Detects attacks identified as spam by TrustedSource.

• Type Enforcement — Detects when there is a TE violation due to an unauthorized user or process
  attempting to perform an illegal operation.

• virus filter failure — Detects attacks of all severities that are viruses.




      Viewing system responses
      Use the System Responses page to view a complete list of the system responses that have been defined on
      your system. To modify system response settings, double-click the specific response. The System Response
      window is displayed, in which you can configure these settings. For more information, see Configuring
      system responses on page 613.
      Figure 266 System Responses page




      Accessing this page
      1 In the Configuration Tool, select the Monitor group bar.

      2 Double-click the System Responses node. The System Responses page is displayed.

      Fields and buttons
      The following fields and buttons are displayed.
      • Filter — Specify the firewall for which you want to display system responses or select ALL RESPONSES
        to view them for all firewalls. To remove the filter, click Clear Filter results.

      • Find — Because your list of objects (where objects refers to the entity for which you are searching) could
        potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by
        using the Find filtering mechanism.

         a In the Find or Search field, specify a term that matches a selection for any value displayed in the
             browser.

         b Click the down arrow to select the display for the search results (Highlight matching <objects>
             [where <objects> is the entity for which you are searching] or Only display matching <objects>
             [where <objects> is the entity for which you are searching]).

         c   Click Find or press Enter. The results are displayed. If you had selected the highlight option, all objects
             that match the value in the Search field are highlighted in yellow. If you selected the other value, you
             will see only those objects that matched your search criteria.

         d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and
             view all of the objects again, click the Clear Find Results icon.

      • Enabled — Determines whether the system response is enabled.

      • Name — [Read-only] Displays the name assigned to the system response.

      • Audit Filter — [Read-only] Displays the audit filter associated with the system response. Audit filters are
        defined on the Audit Filter window.




• Apply On — [Read-only] Displays the firewalls to which the system response applies.

• System Responses — [Read-only] Displays the system response(s) associated with the system event.
  Responses are defined on the Responses window.

• Frequency — [Read-only] Displays the frequency parameters associated with the system response.
  Frequency parameters are defined on the System Response window.

• Description — [Read-only] Displays the description that was entered for the system response.


Configuring system responses
Use the System Response window to configure and modify system responses. System responses define the
way that the firewall responds when it detects audit events that indicate such significant system events as
license failures and log overflow issues.
Figure 267 System Response window




Accessing this window
1 If the System Responses page is already displayed, skip to step 4.

2 In the Configuration Tool, select the Monitor group bar.

3 Double-click the System Responses node. The System Responses page is displayed.

4 Double-click a system response on the System Responses page. The System Response window is
   displayed.




      Fields and buttons
      This window has the following fields and buttons:
      • Name — Specify a label that is used to refer to the system response.

      • Description — Provide information about the system response.

      • Characteristics — Use the fields in this area to specify the characteristics for this system response. The
        following fields are available:

         • Filter — Specify the audit filter to use. For a list of the audit filters and descriptions of the event types
           that they audit, see Pre-defined audit filters for system events on page 615.

         • Enabled — Determines whether the response is enabled. This is selected by default.

      • Event Frequency — Use the fields in this area to determine the response frequency. The following fields
        are available:

         • Frequency — Specify the frequency at which the response is to be generated. The following values
           are available:

             • Always Respond — Indicates that a response is generated every time the system event occurs.

             • Limit Responses — Indicates that a response is generated only when the pattern of system events
               matches the Respond if n Events in y seconds setting.

         • Respond if n Events in y seconds — Specify the number of system events (n, from 2 to 100000) that
           must occur within a number of seconds (y, from 1 to 100000) before a response is generated. The
           firewall responds when the nth event occurs inside that window.

         • Reset event count to zero after responding — Determines whether the firewall zeroes out its event
           counter after responding and waits until another n events occur in y seconds before sending out the
           next response. If this option is not selected, events that already triggered a response can be counted
           again and generate additional responses.

      • Event Response Alerts (Email/SNMP Trap) — Use the fields in this area to specify the frequency at
        which alerts using e-mail and SNMP traps are triggered. Includes the following setting:
         • Wait n seconds between alerts — Specify the number of seconds for the firewall to wait before
           sending the next e-mail or SNMP trap for the same system event.
             Caution: Be careful when setting the wait time between alerts. If the Frequency is set to Always
             Respond and the wait time between alerts is zero, an e-mail or SNMP trap could be sent every second.

      • Find — Use this field and the associated controls described in Viewing system responses to find
        matching firewalls in the Apply On list or matching responses in the System Responses list.

      • Apply On — Select the firewalls on which to apply this system response.

      • System Responses — Specify the way that the firewall will respond when the pattern of system events
        matches the Event Frequency settings. This list contains the responses that have been defined on the
        system (for example, E-mail, Host Blackhole, SNMP Trap, and Secure Alert).
           Note: You must select Send Secure Alert if you want this system response to generate a Secure Alert.

      • OK — Save the changes to this system response.

      • Cancel — Close this window without saving any changes.
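      The interaction between Respond if n Events in y seconds, Reset event count to zero after responding,
      and Wait n seconds between alerts is easier to judge with a concrete event stream than from the field
      descriptions. The following added example is not Control Center code; it is a small model of those three
      settings, fed with constructed event timestamps (seconds), so that you can see before deploying a response
      how often it will fire and how many e-mails or SNMP traps it will actually send.

```python
# Added example (not Control Center code): a model of the System Response
# "Event Frequency" and "Event Response Alerts" settings, driven by constructed
# event timestamps so the effect of each setting can be seen without a firewall.
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass
class ResponseConfig:
    always_respond: bool = False         # Frequency: Always Respond (else Limit Responses)
    n_events: int = 2                    # Respond if n Events in ...   (2..100000)
    y_seconds: int = 60                  # ... y seconds                (1..100000)
    reset_after_response: bool = True    # Reset event count to zero after responding
    alert_wait_seconds: int = 0          # Wait n seconds between alerts (e-mail/SNMP trap)

    def __post_init__(self) -> None:
        # Same bounds the System Response window enforces for n and y.
        if not 2 <= self.n_events <= 100000:
            raise ValueError("n must be between 2 and 100000")
        if not 1 <= self.y_seconds <= 100000:
            raise ValueError("y must be between 1 and 100000")
        if self.alert_wait_seconds < 0:
            raise ValueError("alert wait must not be negative")


class ResponseEngine:
    """Tracks matching audit events for one system response and decides when
    the response fires and when an e-mail/SNMP alert is actually sent."""

    def __init__(self, cfg: ResponseConfig) -> None:
        self.cfg = cfg
        self._window: Deque[float] = deque()    # event times inside the y-second window
        self._last_alert: Optional[float] = None
        self.responses: List[float] = []        # times the response fired
        self.alerts: List[float] = []           # times an alert was sent

    def _respond(self, t: float) -> None:
        self.responses.append(t)
        # Alert suppression: at most one e-mail/trap per alert_wait_seconds.
        if self._last_alert is None or t - self._last_alert >= self.cfg.alert_wait_seconds:
            self.alerts.append(t)
            self._last_alert = t

    def event(self, t: float) -> None:
        """Feed one matching audit event observed at time t (seconds)."""
        if self.cfg.always_respond:
            self._respond(t)
            return
        self._window.append(t)
        # Keep only events from the last y seconds (sliding window).
        while self._window and t - self._window[0] > self.cfg.y_seconds:
            self._window.popleft()
        if len(self._window) >= self.cfg.n_events:
            self._respond(t)
            if self.cfg.reset_after_response:
                # Start from zero: the events already used cannot trigger again.
                self._window.clear()


def simulate(cfg: ResponseConfig, times: List[float]) -> Tuple[List[float], List[float]]:
    """Return (response times, alert times) for a constructed event stream."""
    eng = ResponseEngine(cfg)
    for t in times:
        eng.event(t)
    return eng.responses, eng.alerts


if __name__ == "__main__":
    burst = [0, 10, 20, 30, 40]   # constructed: five matching events, 10 s apart
    print(simulate(ResponseConfig(n_events=3, y_seconds=60), burst))
    print(simulate(ResponseConfig(n_events=3, y_seconds=60,
                                  reset_after_response=False, alert_wait_seconds=15), burst))
```

      With the reset option selected, the five-event burst produces one response (at the third event). With it
      cleared, the same burst produces three responses, because the first three events stay in the window and are
      counted again; only the alert wait time keeps that from becoming three e-mails.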




        Pre-defined audit filters for system events
        The following pre-defined audit filters are for system events:
        • HA failover — Detects when a failover IP address changes because a High Availability (HA) cluster failed
          over to its secondary/standby.

        • hardware software failure — Detects when a hardware or software component fails.

        • host license exceeded — Detects when the number of hosts protected by the firewall exceeds the
          number of licensed hosts.

        • IPsec error — Detects when traffic generates IPsec errors.

        • license expiration — Detects when a licensed feature is about to expire.

        • log overflow — Detects when the log partition is close to filling up.

        • network traffic — Detects all connections that successfully pass through the firewall.

        • power failure — Detects when an Uninterruptible Power Supply (UPS) device detects a power failure and
          the firewall is running on UPS battery power.

        • UPS system shutdown — Detects when a UPS is running out of battery power or has been on battery
          power for the estimated battery time.



Audit trail
        The auditing subsystem creates a chronological record of system events. These records are used to:
        • Reconstruct system events

        • Deter improper system use

        • Assign accountability for system activities

        • Assess damage and allow efficient damage recovery

        • Monitor problem areas of the system

        • Produce reports and statistics about various system events


        Viewing audit trail information
        Use the Audit Trail page to view and analyze the Control Center user activity that is stored in the audit trail
        tables in the database of the Management Server.
        You can use this data in a variety of ways: review the activities that were performed by a specific user,
        track the activities that were performed on a specific firewall, or audit all of the activities that
        occurred in a specific time frame. These, and many other, audit trail filtering and presentation features are
        possible.
        Use the Audit Tracking and Archive Management window to configure the audit data that is stored in the
        database of the Management Server.
        The saved data can then be sorted (in ascending or descending order) by a specific column, and filtered by
        using existing column content or by using user-defined custom filters on one or more columns to provide
        precise control over the data that is presented in any view.
        You can view or print the resulting data.
        Use the Audit Trail page to list, filter, preview, and print the audit trail data. No previously-recorded
        information is changed when using this window. By default, all of the data is recorded until individual audit
        settings have been selected using the Audit Tracking and Archive Management window. For more
        information, see Audit data management on page 100.




      Figure 268 Audit Trail page




      Accessing this page
      In the Configuration Tool, select the Audit Trail tool from the Actions toolbar or from the Reports menu,
      select Audit Trail.
      or
      In the Administration Tool, from the Audit Trail menu, select View Audit Trail.
      or
      In the Reporting and Monitoring Tool, from the Reports menu, select Audit Trail.
      The Audit Trail page is displayed.

      Fields and buttons
      This page has the following fields and buttons:
      • Export — Save the data as comma-separated values (CSV) in a separate file that can be opened as a
        spreadsheet. Specify the name and destination of the .csv file in the Export to CSV file window.

      • Print Preview — View a print preview of the currently displayed data. A printer must be defined to use
        this option.

      • Print — Print the current view of the audit data. You must define a printer to be able to use this option.
        The printed report includes the data in the Object Name, Row ID, Action, Date/Time, Action By,
        Ticket, Formatted Data, and Raw Data columns.

      • Refresh — Retrieve the latest audit data from the audit tables in the Management Server database.

      • Filter — Select a time range within which to view the audit data. If you have selected a filter and you
        want to revert to the default value, click the Clear Filter icon.

      • Find — Search for audit trail data. Because your list of objects (where objects refers to the entity for which
        you are searching) could potentially be very long, you can quickly retrieve only those objects that meet
        certain filter constraints by using the Find filtering mechanism.

          a In the Find or Search field, specify a term that matches a selection for any value displayed in the
              browser.

          b Click the down arrow to select the display for the search results (Highlight matching <objects>
              [where <objects> is the entity for which you are searching] or Only display matching <objects>
              [where <objects> is the entity for which you are searching]).

          c   Click Find or press Enter. The results are displayed. If you had selected the highlight option, all objects
              that match the value in the Search field are highlighted in yellow. If you selected the other value, you
              will see only those objects that matched your search criteria.

          d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and
              view all of the objects again, click the Clear Find Results icon.

      • (Right-click) Copy — Copy the contents of any cell in the table to the clipboard. Right click in any cell and
        select Copy.




• Domain — [Read-only] Displays the domain type that is associated with the audit trail row. The rows to
  be displayed can be controlled by specifying the domain preference.

• Object Name — [Read-only] Displays the list of object names that were captured by the audit tracking
  configuration.

• Row ID — [Read-only] Displays the list of object row IDs. This field is unique for each object in the
  Control Center.

• Action — [Read-only] Displays the operation (Insert, Update, Delete) that was performed.

• Date/Time — [Read-only] Displays the date and time of the object change.

• Action By — [Read-only] Displays the Control Center user ID of the person who was responsible for the
  object change. When the value listed in this column is set to Unknown, look to the object's parent for the
  correct user ID value.

• Ticket — [Read-only] Displays the name of the ticket that is associated with the listed change.

• Formatted Data — [Read-only] Displays the details of an audit entry in common language.

• Raw Data — [Read-only] Displays the command that was sent to the Management Server in XML format.

• (Details area) — [Read-only] Displays additional details about the highlighted row of data in this area
  below the table.


Configuring a custom audit trail filter
Use the Audit Trail Filter window to configure a customized range of time that will be used to display the
audit data on the Audit Trail page. You can specify various types of ranges or milestones as identified in the
Select time range field description.
Figure 269 Audit Trail Filter window




Accessing this window
1 If the Audit Trail page is already displayed, skip to step 3.

2 In the Configuration Tool, select the Audit Trail tool from the Actions toolbar or from the Reports menu,
    select Audit Trail.
    or
    In the Administration Tool, from the Audit Trail menu, select View Audit Trail.
    or
    In the Reporting and Monitoring Tool, from the Reports menu, select Audit Trail.

    The Audit Trail page is displayed.

3 In the Audit Trail page, in the Filter list, select Custom Time Range. The Audit Trail Filter window is
    displayed.




       Fields and buttons
       This window has the following fields and buttons:
       • Select time range — Use the fields in this area to configure the custom time for the audit trail report.
         The following fields are available:

          • (condition) — Specify the conditional setting for this time range. The value in this field determines the
            other fields that are displayed in this window. The following values are available:

              • between … — Indicates that the Start time and End time field values will be used to create a range
                for this filter.

              • since … — Indicates that the Start time field value will be used to create a filter. Any data that has
                been generated since the Start time field value will be included in the report.

              • before … — Indicates that the Start time field value will be used to create a filter. Any data that
                has been generated before the Start time field value will be included in the report.

              • In the last 15 minutes, 1 hour, 6 hours, 12 hours, 1 day, 2 days, 7 days, 15 days, or 30
                days — Indicates that the data that has been generated between now and the last value selected
                will be included in the report.
                  Note: You can also change any of these time-specific values directly in the Filter list at the top of the
                  Audit Trail page.

          • Start time — Select the start day for this time range. When you click in this field, a calendar is
            displayed, in which you can select a day for this value.

          • End time — Select the end day for this time range. When you click in this field, a calendar is displayed,
            in which you can select a day for this value.

       • OK — Filter the audit trail report according to the parameters that you have selected in this window.

       • Cancel — Close this window without filtering the audit trail data.
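       An audit trail export is most useful once it leaves the Control Center, where it can be checked against
       change control and correlated with events elsewhere. The following added example is not Control Center
       code; it reads an exported CSV, applies the same four time-range conditions the Audit Trail Filter window
       offers (between, since, before, in the last n), and then asks the questions a reviewer of administrator
       activity usually starts with: which changes have no ticket, which rows show Action By as Unknown (and so
       must be attributed via the parent object), and how many changes each user made. It assumes that the
       exported CSV carries the same columns as the printed report and that Date/Time is formatted
       YYYY-MM-DD HH:MM:SS; the SAMPLE_CSV rows are constructed for the example.

```python
# Added example (not Control Center code): offline review of an Audit Trail CSV
# export. Assumed: the export has the printed report's columns and Date/Time is
# "YYYY-MM-DD HH:MM:SS". SAMPLE_CSV is constructed, not a real export.
import csv
import io
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DATE_FMT = "%Y-%m-%d %H:%M:%S"

SAMPLE_CSV = """Object Name,Row ID,Action,Date/Time,Action By,Ticket,Formatted Data,Raw Data
Rule,1021,Update,2009-06-01 09:12:44,jsmith,CHG-1042,Rule Allow_HTTP updated,<update id='1021'/>
Rule,1022,Insert,2009-06-01 09:15:02,jsmith,CHG-1042,Rule Allow_DNS created,<insert id='1022'/>
Firewall,7,Update,2009-06-01 17:40:10,adavis,,Firewall fw-east retrieved,<update id='7'/>
RuleMember,5531,Insert,2009-06-01 17:40:11,Unknown,,Member added to rule group,<insert id='5531'/>
Administrator,3,Delete,2009-06-02 08:05:30,adavis,CHG-1050,Administrator bwong removed,<delete id='3'/>
Rule,1021,Delete,2009-06-03 22:59:00,jsmith,,Rule Allow_HTTP deleted,<delete id='1021'/>
"""

Row = Dict[str, object]


def ts(s: str) -> datetime:
    return datetime.strptime(s, DATE_FMT)


def parse_audit_csv(text: str) -> List[Row]:
    """Read the export; convert Date/Time to datetime so ranges can be compared."""
    rows: List[Row] = []
    for r in csv.DictReader(io.StringIO(text)):
        r["Date/Time"] = ts(r["Date/Time"])
        rows.append(r)
    return rows


def filter_time(rows: List[Row], condition: str, start: Optional[str] = None,
                end: Optional[str] = None, last_seconds: Optional[int] = None,
                now: Optional[str] = None) -> List[Row]:
    """The Audit Trail Filter conditions: 'between', 'since', 'before', 'last'."""
    if condition == "between":
        lo, hi = ts(start), ts(end)
        keep = lambda t: lo <= t <= hi
    elif condition == "since":
        lo = ts(start)
        keep = lambda t: t >= lo
    elif condition == "before":
        hi = ts(start)
        keep = lambda t: t < hi
    elif condition == "last":
        hi = ts(now) if now else datetime.now()
        lo = hi - timedelta(seconds=last_seconds)
        keep = lambda t: lo <= t <= hi
    else:
        raise ValueError("unknown condition: " + condition)
    return [r for r in rows if keep(r["Date/Time"])]


def untracked_changes(rows: List[Row]) -> List[Row]:
    """Changes with no Ticket: the first thing to look at in a change-control review."""
    return [r for r in rows if not str(r["Ticket"]).strip()]


def unattributed_changes(rows: List[Row]) -> List[Row]:
    """Rows whose Action By is Unknown; the guide says to look to the parent object."""
    return [r for r in rows if r["Action By"] == "Unknown"]


def changes_by_user(rows: List[Row]) -> Dict[str, int]:
    return dict(Counter(str(r["Action By"]) for r in rows))


def row_ids(rows: List[Row]) -> List[str]:
    return [str(r["Row ID"]) for r in rows]


if __name__ == "__main__":
    audit = parse_audit_csv(SAMPLE_CSV)
    print("no ticket:", row_ids(untracked_changes(audit)))
    print("unknown user:", row_ids(unattributed_changes(audit)))
    print("per user:", changes_by_user(audit))
    print("last 24h:", row_ids(filter_time(audit, "last", last_seconds=86400,
                                           now="2009-06-03 23:00:00")))
```

       The "last" condition takes an explicit now so that results are reproducible when the script is run against
       an archived export; omit it to use the current clock, as the Audit Trail page does.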



Audit archives
       Audit Archives are log files that contain a historical record of all suspicious and monitored network activity.
       Since these log files can grow very large over time, they need to be managed to prevent the hard disk from
       becoming full.
       Caution: Care is required when configuring frequent or numerous audit archives since this may result in possible
       system performance issues.

       For the firewall, use the controls and other features of the Audit Export window to create an audit export
       configuration that specifies the information needed to export audit archives to a remote location (for
       example, location, protocol, format, target directory) and set up a schedule for exporting them. It also
       allows you to configure settings needed to export the audit archives to the Control Center Management
       Server.

       Alerts
       Monitoring firewall activity is important so that you can detect and respond to threats and critical
       conditions. The firewall can be configured to recognize unusual or abnormal occurrences, and the response
       to these events can be customized. These types of events are referred to as alerts.
       Alerting is the process of detecting, recording, and notifying firewall administrative personnel of unusual or
       abnormal events observed during real-time monitoring of the firewall audit trail. Alerts help administrators
       to:
       • Monitor problem areas of the system

       • Fix small problems before they become large problems

       • Counter security attacks




      Alerts operate by monitoring the auditing logs for the occurrence of specific, abnormal conditions and
      building a customized response. If, for example, a virus is detected, the firewall can send an e-mail to the
      administrator and run a command to stop the virus.
      Audit filters are used to configure IPS attack responses and system responses. Firewall IPS attack
      responses and system event responses allow you to monitor your network for abnormal and potentially
      threatening activities. They define criteria that determine how the firewall will react when audit events
      matching the filter expression occur (for example, defining the number of times that an event must occur
      within a specified time frame before a response is triggered). When the firewall encounters audit activity
      that matches the criteria, it can respond by triggering alerts by E-mail and SNMP traps or by blackholing, or
      ignoring, traffic from suspect hosts for a specified period of time. Refer to the following topics to configure
      audit filters and responses:
      • Configuring IPS attack responses on page 609

      • Configuring system responses on page 613



Reporting
      There are several different ways that you can generate a report:
      • From the Reports menu, select a report.

      • From the toolbar, select a report.

      • Right-click a firewall object and select a specific report or a report from the Firewall Reports menu
        option.

      You can generate and view reports from within the Configuration Tool and also within the Reporting and
      Monitoring Tool. There are currently more than 70 different reports that can be generated.


      Firewall reports
      The Control Center Reporting and Monitoring Tool has an interface to request a wide variety of
      firewall-specific reports. These reports can also be accessed from the Configuration Tool. Although some
      firewalls share similar reports, each firewall can generate unique reports that provide insight into its
      operation and configuration.

      Firewall report results
      You can initiate a firewall-specific report in the Firewalls group bar by right-clicking a specific firewall and
      selecting a report. Only the available reports for the selected firewall are displayed.
      After selecting the report to generate, the window for the specific report is displayed. Depending on the
      report, this window can contain several fields. You can also choose between waiting for the report to be
      generated or you can initiate the report for asynchronous viewing (whereby you can request the report and
      view the results at some other time). In either scenario, the report results are temporarily stored in the
      Reports group bar in the object area.
      If you select the option to not wait for the report to be generated, the Reports group bar immediately
      indicates that the report has been requested by displaying the report object in the tree. You will not see the
      Reports group bar until the first report object has been generated during your current session. The icon
      associated with the report object changes from the report pending icon to the report ready icon when the
      report is available for viewing. Click the icon to display the report.
      All of the reports that you have requested during the current session are retained and displayed in the
      Reports group bar. Right-click any report object to display the available sorting options that you can select
      to organize the way in which the reports are displayed.
      You can generate multiple reports of the same type for the same firewall or device group. Each requested
      report object is displayed in descending order, based on the time at which it was generated. A date and
      time stamp is recorded at the bottom of each report to help you distinguish between subsequent iterations
      of the same report.




      All firewall-specific reports are transient. They are saved only for the current session. When you close the
      Reporting and Monitoring Tool, all report objects and reports are discarded.

      Generating aggregate reports
      If you are generating an aggregate report for a device group (when you right-click a device group object
      and select Aggregate Reports), the subsequent report combines the firewall-specific reports for each
      firewall in the device group into one report. This can be convenient when you are generating reports for
      many firewalls.
      You can also generate aggregate reports by selecting a report that allows you to select multiple firewall
      objects or device groups from the report generation window. An example of this type of report, which is
      accessed from the right-click Firewall Reports menu option of a firewall is the Blackholed IPs report.
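      An aggregate report is more than a convenience when the report is Blackholed IPs: merged across a device
      group, it shows which source addresses every firewall in the group is blackholing, which a per-firewall report
      cannot. The following added example is not Control Center code; it combines per-firewall Blackholed IPs rows
      (IP, Burb, Expire Time) into one view tagged by firewall, drops entries whose Expire Time has passed, and lists
      the addresses blackholed on more than one firewall. The per-firewall rows are constructed and the Expire Time
      format is an assumption.

```python
# Added example (not Control Center code): merge per-firewall Blackholed IPs
# report rows as an aggregate report does, then find addresses blackholed on
# more than one firewall. Sample rows are constructed; EXPIRE_FMT is assumed.
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

EXPIRE_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: one Blackholed IPs report per firewall, rows as (IP, Burb, Expire Time).
SAMPLE_REPORTS: Dict[str, List[Tuple[str, str, str]]] = {
    "fw-east": [
        ("198.51.100.7", "external", "2009-06-01 10:30:00"),
        ("203.0.113.25", "external", "2009-06-01 11:00:00"),
        ("192.0.2.99", "dmz", "2009-06-01 08:00:00"),      # expired before the 'now' used below
    ],
    "fw-west": [
        ("198.51.100.7", "external", "2009-06-01 10:45:00"),
        ("203.0.113.60", "external", "2009-06-01 12:00:00"),
    ],
}


def aggregate_blackholed(reports: Dict[str, List[Tuple[str, str, str]]],
                         now: str) -> List[Dict[str, str]]:
    """Combine every firewall's rows into one table with a Firewall column,
    drop rows whose Expire Time is not after 'now', sort by IP then firewall."""
    cutoff = datetime.strptime(now, EXPIRE_FMT)
    rows: List[Dict[str, str]] = []
    for fw, entries in reports.items():
        for ip, burb, expire in entries:
            if datetime.strptime(expire, EXPIRE_FMT) > cutoff:
                rows.append({"Firewall": fw, "IP": ip, "Burb": burb, "Expire Time": expire})
    return sorted(rows, key=lambda r: (r["IP"], r["Firewall"]))


def ips_on_multiple_firewalls(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Addresses present in the aggregate on more than one firewall."""
    seen: Dict[str, set] = defaultdict(set)
    for r in rows:
        seen[r["IP"]].add(r["Firewall"])
    return {ip: sorted(fws) for ip, fws in seen.items() if len(fws) > 1}


if __name__ == "__main__":
    agg = aggregate_blackholed(SAMPLE_REPORTS, now="2009-06-01 09:00:00")
    for r in agg:
        print(r["Firewall"], r["IP"], r["Burb"], r["Expire Time"])
    print("on multiple firewalls:", ips_on_multiple_firewalls(agg))
```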


      Viewing firewall report data
      Some reports have report-specific parameters and options that can be specified when you request a report.
      The name of this page will be the name of the menu option that you select from the Firewall Reports
      right-click menu. For example, if you select the Running Processes menu option, the Running Processes window is
      displayed, in which you specify your report parameters. When the report is generated, the Running
      Processes page is displayed. For more information about each of these reports and the information that
      they display, see Table 22 on page 621.

      Accessing this page
      1 In the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar. For ePO
        host data reports only, select the Policy group bar.

      2 Depending on the object for which you want to generate the report, select the Firewalls node, the
         Clusters node, or the Device Groups node. The list of available firewalls, clusters, and device groups are
         displayed, respectively.

      3 [For cluster member reports only] Select the cluster node that contains the cluster member for which you
         want to generate a report.

      4 Right-click the object for which you want to generate the report.

         For firewall reports, select Firewall Reports and then the name of the report that you want to
         generate. The report window is displayed.

      5 For firewall objects, specify the options on the report window. For some reports, you can schedule the
         report to be generated at a later time; most reports, however, are generated immediately. Click
         Generate Report. If you did not schedule the report, the report page is displayed. If you scheduled
         the report, it will appear in the Reports group bar after it has been generated.
         Note: The generated reports are saved only for the current session. When you log out, the reports will not be
         saved.




             Reports
             Use the following summary description of the reports and their associated report parameters (if any) to
             determine the report or reports that you want to generate.
Table 22 Reports and associated parameters
Report Name              Description and Optional Parameters
Active Internet          This report displays information about active Internet connections, including the protocol, the receive and send
Connections              queue size (in bytes), the local and foreign address, and the internal state of the protocol.
                         Report presentation is by Protocol, Recv-Q, Send-Q, Bu, Local Address, Foreign Address, and State.
                         Parameter Name           Parameter Value          Use
                         Include Servers          Checkbox                 Select this checkbox to display the state of all sockets, including
                                                                           those that are used by server processes.
                         Do not resolve           Checkbox                 Creates a report that displays IP addresses, rather than host
                         names                                             and domain names. Name resolution can be time-consuming. If
                                                                           there are network problems (for example, if the DNS server is
                                                                           unavailable), name resolution can take a long time.
Antivirus Patch          This report displays information about the current anti-virus engine version number for the selected firewall.
Version Information      Report presentation is by Name and Value.
ARP Table                The Address Resolution Protocol (ARP) is a TCP/IP protocol that is used to convert an IP address into a physical
                         address. To obtain a physical address, a host broadcasts an ARP request onto the TCP/IP network. The host on
                         the network that has the IP address in the request then replies with its physical hardware address. This report
                         displays the system's Internet-to-Ethernet address translation table that is used by ARP.
                         Report presentation is by Name and Value.
                         Parameter Name           Parameter Value          Use
                         Do Not Resolve           Checkbox                 Creates a report that displays IP addresses, rather than host
                         Names                                             and domain names. Name resolution can be time-consuming. If
                                                                           there are network problems (for example, if the DNS server is
                                                                           unavailable), name resolution can take a long time.
Authentication -         This report displays information about the current authentication failures by user name and by the number of
Locked Out Users         failures for the selected firewall.
                         Report Presentation is by User Name and Number of Failures.
                         Options include:
                         •   Flushing all of the authentication failures
                         •   Flushing those failures for selected multiple users
                         •   Flushing only those failures for a selected individual user
Blackholed IPs           This report displays information about the suspect or untrustworthy IP addresses that have attempted to
                         access and infiltrate the selected firewall. These IP addresses are segregated and quarantined.
                         Report presentation is by IP, Burb and Expire Time.
Cluster Status           This report displays information about the network cluster for the selected firewall.
                         Report presentation is by Node, HA Mode, IP Address, State, and Status.
Current Passport         This report displays information about the current users that are logged into the selected firewall by using
Users                    Passport, which provides the user authentication process.
                         Report presentation is by Name, External Group, Authenticator, IP Address, Issued, and Last Used.
                         Options include:
                         •   Revoking all passports
                         •   Revoking passports for individual users
Disk Utilization                 This report displays information about the disk space consumption for each file system for the selected firewall.
                                 Report presentation is by File System, Total Size, Used, Available, Percent Used, and Mounted On.
Enrolled Hosts                   This report displays information about the current enrolled hosts for the selected firewall. The information
                                 includes the associated license type (either Limited or Unlimited) and the IP Address.
                                 Report presentation is by IP Address.
                                 Options include:
                                 •   Removing the IP host from the enrolled list
Geo-Location Version             This report displays information about the Geo-Location object for the selected firewall.
                                 Report presentation is by Version.
Interface NIC Status             This report displays information about the status of each NIC or NIC group for the selected firewall.
                                 Report presentation is by Interface Name, IP Address, Burb, Active NIC, Active Speed, Enabled, Up, and
                                 Connected.
IPS Signature Version            This report displays information about the current IPS (Intrusion Prevention System) Signature file version
                                 number for the selected firewall.
                                 Report presentation is by Version.
License Status                   This report displays license information about one or more firewalls.
                                 Report presentation is by SecureOS, Support, VPN, Failover, Strong Crypto (Cryptography), Anti-Virus,
                                 Anti-Spam, IPS, SSL Decryption, IPS Signature, and Promotion.
Network Interface Configuration  This report displays information about all of the initialized network interfaces for the selected firewall.
                                 Report presentation is by interface.
Network Interface Statistics     This report displays a summary of the activity on each network interface for the selected firewall. Information
                                 includes local and remote addresses, send and receive queue sizes (in bytes), protocol, and the internal state
                                 of the protocol.
                                 Report presentation is by Name, Mtu, Network, Address, Ipkts, Ierrs, Opkts, Oerrs, and Collisions.
Network Protocol Statistics      This report displays information about the network traffic that is organized by the various protocols (TCP, UDP,
                                 IP, ICMP, IGMP, and TCP Extensions) that are used by the network packets. This report also displays routing
                                 statistics. The protocol determines the following information:
                                 •   The type of error checking to be used
                                 •   The data compression method, if any
                                 •   The way that the sending firewall will indicate that it has finished sending a message
                                 •   The way that the receiving firewall will indicate that it has received a message
Quality of Service Status        This report displays information about the Quality of Service profiles and queues that are assigned to
                                 interfaces. In the Profiles section, presentation is by Name and Queues. In the Queues section, presentation is
                                 by Name, Bandwidth, Priority, and Profile.
Routing Statistics               This report displays a summary of the routing activity for the selected firewall.
                                 See Network Protocol Statistics above.
Routing Table                    This report displays the system routing table, including cloned routes for the Internet Protocol Version 4 (IPv4).
                                 The routing table displays the available routes and indicates the associated status. Each route consists of a
                                 destination host or network and a gateway to use for forwarding packets. This table displays the way that the
                                 packets are being routed. Packets that are being sent to the IP address that is named in the Destination column
                                 are actually being sent to the IP address that is displayed in the Gateway column.
                                 Report presentation is by Destination, Gateway, Flags, Refs, Use, Burb, Netif, and Expire.
                                 Parameter Name          Parameter Value   Use
                                 Do Not Resolve Names    Checkbox          Select the checkbox to suppress resolving destination and
                                                                           gateway names. Name resolution can be time-consuming. If
                                                                           there are network problems (for example, if the DNS server is
                                                                           unavailable), name resolution can take a long time.
Running Processes                This report displays the processes that are currently running and the system resources that they are consuming
                                 for the selected firewall.
                                 Report presentation is by Process, CPU%, Process Size, and Resident Memory.
Service Status                   This report displays configuration and status information for all of the services that are enabled on a specific
                                 firewall. For more information about this report, see Displaying system information for the Control Center
                                 Management Server on page 638.
                                 Report presentation is by Status, Service, Agent, Burbs, Ports, and Active Rules.
SSH Known Host Associations      This report displays a list of the strong and weak trust associations that are present on the selected firewall.
                                 Report presentation is by Trust Level, IP Address, Port, Key Type, Fingerprint, Last Modified, and Key Value.
Static Routing Status            This report displays the active status of all of the IPv4 and IPv6 (if enabled on a 7.0.1 version or later firewall)
                                 routes for the selected firewall and also the failover routes if failover routes have been configured.
                                 Report presentation information varies, depending on the status (for example, a route failover has occurred).
                                 For IPv4 or IPv6 firewall routes, presentation is by Internet Destination, Gateway, Flags, Burb, and Netif. For
                                 failover routes, presentation is by Route, Gateway, Burb, Netif, and Status.
System Vital Statistics          This report displays the system resources and the load factor placed on them by the current system processes
                                 for the selected firewall. The Load Average information is presented by CPU, Real Memory, Virtual Memory,
                                 Disk Use, and Load Average for the last minute, 5 minutes or 15 minutes.
                                 Report presentation is by Name and Value.
VPN Status                       This report displays the active status of all of the VPNs for a selected firewall.
                                 Report presentation is by Name and Status.



               Generating firewall reports
               Use this report window to request a firewall-specific report. Note that the title of this window changes,
               depending on the name of the report that you are requesting by right-clicking a firewall, cluster, cluster
               member, or device group object and then selecting the report from the Firewall Reports menu.
               For example, if you select Running Processes from the Firewall Reports right-click menu, the Running
               Processes window is displayed.
               There are currently more than 70 different reports that can be generated. For more information about
               reports, report options, and reporting in general, see Firewall reports on page 619.
               The following example is the Service Status window because Service Status was selected from the menu.
               Figure 270 Service Status window (because the Service Status menu option was selected)




               Accessing this window
               1 In the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar.

               2 Depending on the object for which you want to generate the report, select the Firewalls node, the
                  Clusters node, or the Device Groups node. The list of available firewalls, clusters, or device groups,
                  respectively, is displayed.

               3 [For cluster member reports only] Select the cluster node that contains the cluster member for which you
                  want to generate a report.

               4 Right-click the object for which you want to generate the report. Select Firewall Reports and then the
                  name of the report that you want to generate. The report window is displayed.

       Fields and buttons
       • Firewall — Specify the firewall about which the report will be generated. For reports that provide
          aggregate information, the report window lets you select several firewalls. The default value is the
          firewall that you right-clicked in the Firewalls group.

           To select the values for this list:

           a Click the down arrow.

               The list of values is displayed, along with a Find field and button.

           b If you do not need to filter the list, go to the next step.

                To filter the list of values, in the Find field, specify a full value, a partial value, or an internal value
                (such as part of an IP address, if you are working with objects that reference IP addresses) and click
                Find. Only those values that match your find criteria are displayed.

           c   Select the checkbox of each value that you want to add to this field and click the down arrow to close
               the drop-down display. If you have selected more than one value, they are displayed in a
               comma-delimited list in this field.
       • Wait for Report — [Available for reports that are being generated in the Reporting and Monitoring Tool
         only] Determines whether to wait until the resulting report has been generated and displayed before any
         other actions can occur. Reports can be viewed synchronously (whereby no other operations can occur
         until the report is generated and displayed) or asynchronously (whereby you request the report and view
         the results at some other time). The default value is selected.

       • Parameter Name — Specify the name of any additional parameter that can alter the scope of the report.
         Some reports require an input parameter to complete the request, while other reports use parameters as
         optional reporting criteria. For more information about any required or optional parameters that are
         associated with a specific report, see Firewall reports on page 619.

       • Parameter Value — Specify the parameter value that might be required, depending on the specific
         report that is being requested. Parameters can take several forms, depending on the report. A parameter
         can be a checkbox that you can optionally select, or it can be a data field entry. For more information
         about any required or optional parameters that are associated with a specific report, see Firewall reports
         on page 619.

       • Request Report — Submit the report request based on the supplied parameters (if any) and options.

       • Close — Close the window without generating the report.



Firewall audit reports
       Audit reports are generated from the data that is collected in the audit log files for each firewall in your
       configuration. To enable audit reports to be generated by using the Reporting and Monitoring Tool, the
       audit archive files or encrypted audit archive files from each firewall must be placed in defined locations on
       the Control Center Management Server.
       The Management Server contains a base directory in which all audit data is stored. Within this base
       directory, a directory is created for each firewall that is being managed by the Control Center. The audit
       archive files are placed in the directory that corresponds to the Control Center on which they were
       generated. Information about enabling the firewalls to place audit log data on the Management Server is
       provided in the Offbox Settings area on the Firewall window in the Configuration Tool.
       Caution: Log files grow very quickly and can consume vast amounts of disk space on the Management Server.
       Ensure that you manage your system resources by archiving or purging your audit log files on a regular basis.
       The base directory that is created on the Management Server for the log files is
       /opt/security/var/gccserver/auditlogs. A separate sub-directory is created for each firewall object that is
       created in your configuration.
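As an added example (not from this guide or the product), the following POSIX shell script performs the housekeeping that the caution above calls for: it reports disk usage for each per-firewall sub-directory under the base directory, and lists (or, on request, removes) archive files older than a retention period. The base directory is the one named above; the retention period, the `delete` mode, and the directory names used in testing are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Control Center product): housekeeping for the
# audit archives that managed firewalls place on the Management Server.
# AUDIT_BASE is the base directory named in the guide; each firewall object has
# its own sub-directory beneath it. The retention period is an assumption.
AUDIT_BASE="${AUDIT_BASE:-/opt/security/var/gccserver/auditlogs}"

# audit_usage_report BASE
# Prints "<kilobytes><TAB><firewall-directory>" for each per-firewall
# sub-directory, largest first, so the firewalls filling the disk stand out.
audit_usage_report() {
    base="$1"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        # du -sk is POSIX; the directory name (not the full path) is reported
        du -sk "$d" | awk -v name="$(basename "$d")" '{ printf "%s\t%s\n", $1, name }'
    done | sort -rn
}

# prune_audit_archives BASE DAYS [list|delete]
# Prints every regular file below a per-firewall sub-directory whose last
# modification is more than DAYS days ago. Files are removed only when the
# third argument is "delete"; the default is a dry run so the list can be
# reviewed (or archived elsewhere) before anything is purged.
prune_audit_archives() {
    base="$1"; days="$2"; mode="${3:-list}"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        if [ "$mode" = delete ]; then
            find "$d" -type f -mtime +"$days" -print -exec rm -f {} +
        else
            find "$d" -type f -mtime +"$days" -print
        fi
    done
}

# When executed directly: sh audit_housekeeping.sh DAYS [delete]
if [ $# -ge 1 ]; then
    audit_usage_report "$AUDIT_BASE"
    prune_audit_archives "$AUDIT_BASE" "$1" "${2:-list}"
fi
```

Run it first without `delete` to review what would be removed; the dry-run list is also a convenient input for copying archives to long-term storage before purging.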

McAfee Firewall Enterprise Audit Report content
Each audit report consists of a chronologically ordered sequence of audit records for a single firewall or
multiple firewalls over a user-specified period of time. (For information, see Configuring and generating
audit reports for one or more firewalls on page 625.) Each audit record is a standardized representation of
an audit event. Audit events are notable occurrences in network traffic and system activity on the
appliance. For example, an audit event records when a network session is terminated, an infected file is
discovered, or a new process is created.
The audit reports that are created from the log files are highly configurable and offer the flexibility to be
customized to obtain reports that provide the most useful information for your organization and network
configuration.
To view details about a particular event in the audit report, you can double-click that event in the McAfee
Firewall Enterprise Audit Report window. The Audit Report Event Viewer window is displayed, in which you
view the details of this event and you can also view other events by using the Previous and Next buttons.
For more information about this window, see Viewing event-specific audit information on page 635.
Although audit reports differ from firewall reports, and the underlying data from which each type of report is
derived differs, both are useful tools that can be used to perform many different functions.


Configuring and generating audit reports for one or more firewalls
Use the McAfee Firewall Enterprise Audit Report window to configure the parameters for an audit report and
to generate the report for a single firewall or multiple firewalls. In addition to viewing all of the audit events
for the configured parameters, from this window, you can view detailed information about a specific audit
event by double-clicking the event in the report to display the data in the Audit Report Event Viewer
window. For more information, see Viewing event-specific audit information on page 635.
Figure 271 McAfee Firewall Enterprise Audit Report window for report generation

      Accessing this window
      1 In the Configuration Tool or in the Reporting and Monitoring Tool, select the Firewalls group bar.

      2 You can run this report for firewalls or cluster members. For firewalls, select the Firewalls node to expand
          the list of firewalls.
          or
          For cluster members, select the Clusters node to expand the list of clusters. Then select the cluster that
          contains the member for which you want to run this report.

      3 Right-click the firewall or cluster member for which to run this report and select Audit Report. The McAfee
          Firewall Enterprise Audit Report window is displayed.

      Alternately, you can perform the following steps to access this window:
      1 In the Configuration Tool, select the Monitor group bar.

      2 Double-click Audit Report. The McAfee Firewall Enterprise Audit Report window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Select time range — Use the fields in this area to configure the start and stop times of the period that
        this report covers, as measured by the clock on the client.

          A best practice is to use a network time source to synchronize the time on all firewalls. Without this
          synchronization, the time on individual firewalls may vary beyond time zone differences (for example,
          one firewall might be at 9:30, another at 9:37, and another at 9:25). For an archived audit report, such
          a variance affects the amount of data that is included.

          The following fields are available:

          • (Select time range) — Specify the start and end time. If you select Custom Time Range as the value,
            you can specify your own start time and end time. Otherwise, select a predetermined period of time
            from this list.

          • Start time — [Available only if Custom Time Range was the value selected in the Select time range
            list] Specify the firewall start date and time for the audit archive. Click the down arrow and then select
            the day from the calendar.

          • End time — [Available only if Custom Time Range was the value that was selected in the Select time
            range list] Specify the firewall end date and time for the audit archive. Click the down arrow and then
            select the day from the calendar.

      • Select audit source — Use the fields in this area to specify the information that this report will access.
        The following fields are available:

          • Managed firewall — Select this option to specify that the report will be generated for a single firewall.
            The Control Center Management Server connects directly to the firewall and generates the report by
            using the audit archives that are available on the firewall.
              Note: This audit report retrieves a maximum of 24 megabytes of data, which is approximately 20,000
              events.

          • Imported audit — Select this option to specify that the report will be generated based on an existing
            archived audit for the selected firewall or firewalls.
              Note: You must have already configured audit files to be exported from the firewall or firewalls to the
              Control Center. Configure this in the Audit Export area of the Offbox Settings area in the Firewall
              window for each individual firewall. See Firewall window: Offbox Settings area on page 174.

              When you select this option, a graph is displayed at the bottom of the report, visually indicating the
              following information:

              • The segments of time are displayed horizontally for the time range that you specified.

        • A color-coded bar graph is displayed for each selected firewall that indicates the number of events
          that have occurred across the time range. If you selected multiple firewalls, each firewall is
          displayed in a different color in the graph.

        • The total number of audit events in this time range for each firewall is listed in the key for each
          firewall.
           Note: This audit report retrieves a maximum of 24 megabytes of data, which is approximately 20,000
           events. Also, data for up to six firewalls can be displayed at one time. If you select more than six
           firewalls, the data for the firewalls is not displayed in graph format.

    • Import new audit — Issue a request to the selected firewall or firewalls to send new imported audit
      information. Click OK on the informational message.

    • Audit — The following options are available from the Audit menu option at the top of this window:

        • Close — Close this window.

        • Generate — Generate an audit report with the information that has been configured on this
          window. This is the same as the Generate Audit button on the toolbar.

        • Import new audit — Issue a request to the Control Center Management Server to import all of the
          log files that have not already been imported for the selected firewall or firewalls only. Click OK on
          the informational message. This is the same as the Import new audit button at the bottom of this
          window.

    • Create filter — Displays the Audit Filter window, in which you can define parameters for filtering the
      audit data so that you can respond to audit events of particular interest to your site in an effective way.
      For more information, see Configuring filters for audit reports on page 632.

    • Filters: User-generated — Select a user-defined filter by clicking the down arrow and selecting one
      from the list. This populates the filter (blank) field in the middle of the toolbar with the actual filter
      syntax and generates the report.

    • Pre-generated — Select a pre-defined filter by clicking the down arrow and selecting one from the
      list. This populates the filter (blank) field in the middle of the toolbar with the actual filter syntax and
      generates the report.

        Use the following tables to view lists of predefined filters and descriptions of the event types that
        each filter audits. For the most commonly used audit filters, see Table 23 on page 627. For the more
        advanced filters, see Table 24 on page 628.


        Table 23 Common predefined audit filters
         Audit types                   Description
         All Audit                     Detects all attack and system events, regardless of type.
         Attack All                    Detects attack events of all severities. This option also detects all severities of
                                       application defense violation attacks, buffer overflow attacks, DOS attacks, general
                                       attacks, policy violation attacks, protocol violation attacks, virus attacks, and spam
                                       attacks.
         Attack Severe                 Detects severe attacks. This option also detects severe application defense violation
                                       attacks, buffer overflow attacks, DOS attacks, general attacks, policy violation
                                       attacks, protocol violation attacks, virus attacks, and spam attacks.
         Config Change                 Detects when the configuration of the firewall changes.
         System All                    Detects the system events of all severities, including power failures, hardware and
                                       software failures, failover events, license expiration, host license exceeded, log
                                       overflows, and IPsec errors.
         TrustedSource                 Detects attacks identified as spam by TrustedSource.
         VPN                           Detects VPN audit events.

        Table 24 Advanced predefined audit filters
         Audit types                           Description
         Access Control List                   Detects all ACL audit events.
         ACL Allow                             Detects when a connection is allowed by a rule in the active policy.
         ACL Deny                              Detects when a connection is denied by a rule in the active policy.
         Application Defense Violation All     Detects attacks of all severities that violate active policy defined by application
                                               defenses. This attack category includes mime and keyword filter failure attacks.
         Application Defense Violation Severe  Detects when severe attacks violate active policy defined by application defenses,
                                               including mime and keyword filter reject audits. Severe attacks indicate that
                                               something is occurring that an administrator should know.
         Buffer Overflow Attack                Detects attempted buffer overflow attacks targeted at systems protected by the
                                               firewall.
         Denied Authentication                 Detects when a user attempts to authenticate and specifies invalid data. For
                                               example, if a user is required to specify a password and specified it incorrectly, the
                                               denied auth event would log the event.
         DOS All                               Detects Denial of Service attacks of all severities. This attack category also detects
                                               all severities of TCP SYN attacks and proxy flood attacks.
         DOS Severe                            Detects severe Denial of Service attacks. This attack category also detects TCP SYN
                                               attacks and proxy flood attacks. Severe attacks indicate that something is occurring
                                               about which an administrator should know.
         Error                                 Detects all system events identified as AUDIT_T_ERROR in the audit stream.
         General Attack All                    Detects general attacks of all severities that do not fall into the predefined
                                               categories.
         General Attack Severe                 Detects severe general attacks that do not fall into the predefined categories. Severe
                                               attacks indicate that something is occurring about which an administrator should
                                               know.
         HA Failover                           Detects when a failover IP address changes because a High Availability cluster failed
                                               over to its secondary/standby.
         Hardware Software Failure             Detects some hardware failures, such as RAID, hard drive, and AMIR monitor
                                               failures.
         Host License Exceeded                 Detects when the number of hosts protected by the firewall exceeds the number of
                                               licensed hosts.
         IPFilter Deny                         Detects when a connection is denied by the active IP filter policy.
         IPsec Error                           Detects when traffic generates IPsec errors.
         Keyword Filter Failure                Detects when an SMTP mail message is rejected due to a configured keyword filter.
         License Expiration                    Detects when a licensed feature is about to expire.
         Log Overflow                          Detects when the log partition is close to filling up.
         Network Probe                         Detects network probe attacks, which occur any time that a user attempts to connect
                                               or send a message to a TCP or UDP port when the security policy does not include a
                                               service that is expecting to receive traffic on that port.
                                               Note: The firewall does not blackhole netprobe attacks because they are likely
                                               to be Denial of Service attacks from spoofed source addresses.
         Network Traffic                       Detects all connections that successfully pass through the firewall.
         Not Config Change                     Detects all attack and system events that are not configuration changes.
         Policy Violation All                  Detects attacks of all severities that violate the active policy. This attack category
                                               also detects all severities of failed authentication attacks, ACL and IP filter deny
                                               attacks, and Type Enforcement error attacks.
         Policy Violation Severe               Detects severe attacks that violate the active policy. This attack category also
                                               detects failed authentication attacks, ACL and IP filter deny attacks, and Type
                                               Enforcement error attacks. Severe attacks indicate that something is occurring about
                                               which an administrator should know.
         Power Failure                         Detects that a UPS power failure occurred.
         Profiler Update Failure               Detects a failure to send a policy update to the McAfee Firewall Profiler.
         Protocol Violation All                Detects attacks of all severities that violate protocol compliance.
         Protocol Violation Severe             Detects severe attacks that violate proxy protocols (HTTP, Telnet, FTP, and so on).
                                               Severe attacks indicate that something is occurring about which an administrator
                                               should know.
         Proxy Flood                           Detects potential connection attack attempts. A connection attack is defined as one
                                               or more addresses that launch numerous proxy connection attempts to try and flood
                                               the system. When NSS receives more connection attempts than it can handle for a
                                               proxy, new connections to that proxy are briefly delayed (to allow the proxy to “catch
                                               up”), and the attack is audited.
         Signature IPS Intrusion All           Detects all attacks that are identified by the signature-based IPS. This category
                                               detects attacks that were denied, dropped, or rejected, as well as suspected attacks
                                               that were allowed, but were audited by IPS.
         Signature IPS Intrusion Blackholed    Detects attacks that are identified by the signature-based IPS where the attacker
                                               was blackholed.
         Signature IPS Intrusion deny          Detects attacks that are identified by the signature-based IPS where the offending
                                               network session was dropped or rejected, or the attacker was blackholed.
         Spam                                  Detects attacks of all severities that are spam.
         Spam Severe                           Detects severe attacks that are spam.
         Syslog                                Detects all audit attacks and system events that were created via syslog.
         System Critical                       Detects all critical system events, including power failures, hardware failures, critical
                                               software failures, and failover events. Critical system events indicate a component
                                               or subsystem stopped working, that the system is going down (expectedly or
                                               unexpectedly), or that the system is not expected to work again without
                                               intervention.
         System Critical And Severe            Detects critical and severe system events including power failures, hardware failures,
                                               critical and severe software failures, failover events, license expiration, log
                                               overflows, and IPsec errors. Critical system events indicate a component or
                                               subsystem stopped working, that the system is going down (expectedly or
                                               unexpectedly), or that the system is not expected to work again without
                                               intervention. Severe attacks indicate that something is occurring about which an
                                               administrator should know.
         TCP SYN Attack                        Detects a possible attempt to overrun the firewall with connection attempts.
         Type Enforcement                      Detects when there is a Type Enforcement violation because an unauthorized user or
                                               process attempted to perform an illegal operation.
         UPS System Shutdown                   Detects when UPS has directed the firewall to shut itself down.
         Virus                                 Detects attacks of all severities that are viruses.
         Virus severe                          Detects severe attacks that are viruses.

    • (filter area) — This area is used in several different ways. It displays the expression if you selected a
      pre-generated filter or defined a new filter in the Audit Filter window. You can also edit the expression
      in this area.

    • Generate Audit — Select this toolbar tool to generate the audit data. A status bar to the right of the
      Save filter tool indicates the progress of the report generation.
        Note: Your report will be truncated if there is more than 24 megabytes of data. However, you will be
        notified with a message if this occurs. Adjust your filter so that you can view all of the data that you want to
        see and click this tool again.

    • Save filter — Displays the Audit Filter window, in which you can save the filter that you specified in
      the (filter area) field in the toolbar as a user-generated filter.




McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                                      629
Firewall audit reports




            Audit report results
            After you generate the audit report, the report data is displayed and additional fields and buttons are
            available. The following graphic illustrates a generated audit report.
Figure 272 McAfee Firewall Enterprise Audit Report window after report generation




            Fields and buttons after report generation
            This window now has the following fields and buttons after a report has been generated:
            • Find functionality (and the buttons and fields that comprise this functionality) — Because your list of
              objects (where objects refers to the entity for which you are searching) could potentially be very long,
              you can quickly retrieve only those objects that meet certain filter constraints by using the Find
              filtering mechanism.

                a In the Find or Search field, specify a term that matches a selection for any value displayed in the
                    browser.

                b Click the down arrow to select the display for the search results (Highlight matching <objects>
                    [where <objects> is the entity for which you are searching] or Only display matching <objects>
                    [where <objects> is the entity for which you are searching]).

                c   Click Find or press Enter. The results are displayed. If you had selected the highlight option, all objects
                    that match the value in the Search field are highlighted in yellow. If you selected the other value, you
                    will see only those objects that matched your search criteria.

                d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and
                    view all of the objects again, click (Clear Find Results).

            • Hide details — Displays a summary of the selected audit event at the bottom of this window. Conversely,
              click Show details to hide this display so that you can view more events on the window.

            • Export… — Displays the Save Audit Output File window, in which you can save this audit event data in
              any of the three following formats to a location that you choose:

                • XML (.xml)

                • Text (.txt)

                • SEF (.sef)


• Settings — Displays the McAfee Firewall Enterprise Audit Report: Color Settings window, in which you
  can configure the colors that are used on the McAfee Firewall Enterprise Audit Report window. For more
  information, see Configuring on-screen color schemes for the audit records on page 636.

• Time — [Read-only] Displays the date and time on the client at which this audit event occurred.
    Note: You can view detailed information about a specific audit event by double-clicking it in the report. The
    Audit Report Event Viewer window is displayed. For more information, see Viewing event-specific audit
    information on page 635.

• Firewall — [Read-only] Displays the fully qualified domain name (FQDN) of the firewall against which
  this event occurred.

• Syslog — [Read-only] Displays the number that represents the priority of the audit event. The following
  values are available:

    • 0 — Emergencies

    • 1 — Alerts

    • 2 — Critical

    • 3 — Errors

    • 4 — Warnings

    • 5 — Notifications

    • 6 — Informational

    • 7 — Debugging

• Type — [Read-only] Displays the type code that identifies the type of problem to which this event can be
  associated.

• Command — [Read-only] Displays the process name to which this event is attached (for example, acld
  or monitord).

• Source IP — [Read-only] Displays the IP address of the source of the audit event. This information can
  originate from any IP-attached source (for example, the Control Center Management Server that is using
  a firewall as a proxy or the firewall that is sending information to itself by using a localhost).

    If the firewall for which you have generated data is version 7.0.1.02 or later and you have configured
    the McAfee Firewall Enterprise ePO Extension, you can right-click in this field and retrieve host data
    from the ePolicy Orchestrator server. For more information, see ePolicy Orchestrator settings on
    page 132.
• Source Burb — [Read-only] Displays the name of the burb for the device that is identified in the Source
  IP column.

• Source Port — [Read-only] Displays the port that was used to send the audit event by the device that
  is specified in the Source IP column.

• Dest IP — [Read-only] Displays the IP address of the destination device of the audit event.

    If the firewall for which you have generated data is version 7.0.1.02 or later and you have configured
    the McAfee Firewall Enterprise ePO Extension, you can right-click in this field and retrieve host data
    from the ePolicy Orchestrator server. For more information, see ePolicy Orchestrator settings on
    page 132.

• Dest Burb — [Read-only] Displays the name of the burb for the device that is identified in the Dest IP
  column.

• Dest Port — [Read-only] Displays the port that was used to receive the audit event.

• Information — [Read-only] Displays additional information about the audit event. Sometimes, this can
  be the filter that was used to generate the event.



             • (text area at the bottom of this window) — [Read-only] Displays the data for the column of a selected
               row in the report results table.


             Configuring filters for audit reports
             Use the Audit Filter window to define parameters for filtering the audit data so that you can respond to
             audit events of particular interest to your site in an effective way. You can select from a list of available
             filters for IPS attack responses and system responses or define a custom audit filter.
             Filters are used to configure IPS attack responses and system responses. Firewall IPS attack responses and
             system event responses allow you to monitor your network for abnormal and potentially threatening
             activities. They define criteria that determine how the firewall will react when audit events matching the
             filter expression occur (for example, the number of times that an event must occur within a specified
             time frame before a response is triggered). When the firewall encounters audit activity that matches the
             criteria, it can respond by triggering alerts through E-mail and SNMP traps or by blackholing (ignoring)
             traffic from suspect hosts for a specified period of time.
             For additional information, refer to the following related topics:
             • Viewing IPS attack responses on page 608
             • Configuring system responses on page 613
      Figure 273 Audit Filter window




             Accessing this window
             1 In the Configuration Tool, select the Monitor group bar.

             2 Double-click the Audit Filters node in the tree. The Audit Filter window is displayed.




Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for the audit filter.

• Description — Provide information about the function of the audit filter.

• Characteristics — Use the fields in this area to define the type of filter and the SNMP trap number. The
  following fields are available:

    • Filter Type — Specify the type of audit event to filter. The following values are available:

        • IPS Attack Responses — Indicates that the audit filter is for responses to audit events that
          indicate a possible attack (for example, Type Enforcement violations, proxy floods).

        • System Responses — Indicates that the audit filter is for responses to audit events that indicate
          significant system events (for example, license failures, log overflow issues).

    • SNMP Trap Number — Specify the SNMP trap number to be associated with the audit filter. Use this
      field when you want to send an alert message when an audit event occurs. If this value is 0, no trap
      is sent. The default value is 0.

• Search Available Filters — Search the list of available filters in the Available Filters list for a particular
  type of attack or event (for example, attack or license event). Only those filters that match the search
  criteria that you specify will be displayed in this list.

• Available Filters — Specify one or more of the pre-defined audit filters. Select the checkbox associated
  with the audit filter(s) of interest. Right-click the Available Filters heading to access an option to select
  or unselect all filters. A filter expression based on your selections will be visible in the Filter Expression
  text area at the bottom of this window.

• Source — Use the fields in this area to refine the filter by specifying particular source burbs and IP
  addresses. The following fields are available:

    • Burb — Filter audit events to include events that are generated by the selected source burb(s). Select
      the checkbox for the burb or burbs that you want to include. The default value is <None>.

    • IP address(es) — Filter audit events to include events that are generated by the source IP addresses
      and subnets that you specify.

• Destination — Use the fields in this area to refine the filter by specifying particular destination burbs and
  IP addresses. The following fields are available:

    • Burb — Filter audit events to include events that are generated by the selected destination burb(s).
      Select the checkbox for the burb or burbs that you want to include. The default value is <None>.

    • IP address(es) — Filter audit events to include events that are generated by the destination IP
      addresses and subnets that you specify.

• Others — Use the field in this area to specify the service or services that you want to include. The
  following field is available:

    • Service — Refine the filter by selecting particular services. Select the checkbox associated with the
      service(s) of interest. The default value is <None>.
• Extra Criteria — Use the fields in this area to specify additional criteria for filtering audit data. The
  following fields are available:

    • Expression Type — Specify the type of expression (for example, an event facility, type, or category;
      a SACAP expression; or data fields). The default value is <None>.

    • Expression — Specify an expression associated with the selected type. The default value is <None>.

    • Value — Specify a value associated with a selected data field expression (for example, Lloyd for
      username).




              To build an expression to filter all login records for a user named Lloyd, for example, specify the
              following criteria:
              Table 25 Sample filter expression
               Expression Type               Expression                         Value
               Facility Codes                AUDIT_F_LOGIN
               Data Fields                   username                           Lloyd


              The expression that you build will be visible in the Filter Expression text area.

      • Filter Expression — Select this checkbox to edit the filter expression that you have created through your
        selections on the window. This checkbox is cleared by default. Only when you select this checkbox is your
        expression displayed in this area.

      • OK — Save the changes to this attack response.

      • Cancel — Close this window without saving any changes.

      Filter syntax
      Use the following syntax when building expressions:
      • Identify a filter by using either single quotes (') or double quotes ("). All examples shown below use single
        quotes.

      • Express “and” using either and or &&.

      • Express “or” using either or or ||.

      • Express "not" using either not or !.

      A filter should include the following components:
      • The type or facility that you want to search for, using one of these formats:

          • The Name format (AUDIT_T_TYPE as in AUDIT_T_ATTACK, AUDIT_F_FACILITY as in AUDIT_F_LOGIN)

          • The Short Message format (attack, login)

          • The Short Message format prepended with classification indicator (t_attack, f_login)
              Note: This last format appears in audit records and is useful when copying or pasting directly from audit
              output.

      • Additional fields to further specify the audit results; fields can be separated by Boolean operators (and,
        or, not) and grouped by parentheses

      Example
      This filter expression:
          dest_burb external and (src_ip 10.69.101.34 or src_ip 10.69.101.36)

      returns this audit record:
              Aug 22 02:02:20 2008 CDT f_ping_proxy a_proxy t_nettraffic p_major
              pid: 3728 ruid: 0 euid: 0 pgid: 3728 logid: 0 cmd: 'pingp'
              domain: Ping edomain: Ping hostname: mixer.ext.b.test
              event: proxy traffic end service_name: ping netsessid: 48ad640e000e0151
              srcip: 10.69.101.34 srcburb: internal protocol: 1 dstip: 10.66.6.22
              dstburb: external bytes_written_to_client: 83079240
              bytes_written_to_server: 83087396 acl_id: Internet Services cache_hit: 1
              request_status: 0 start_time: Thu Aug 21 07:48:14 2008



A source IP address of 10.69.101.34 and an external destination burb match the filter expression.


Viewing event-specific audit information
Use the Audit Report Event Viewer window to view detailed information about a specific event from the
McAfee Firewall Enterprise Audit Report window. You can also display this information in either a grid or
text format and you can copy this data to the Clipboard.
Figure 274 Audit Report Event Viewer window




Accessing this window
1 In the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar.

2 In the tree, select the Firewalls node to expand the list of firewalls.

3 Right-click the firewall for which to run this report and click Audit Report. The McAfee Firewall Enterprise
    Audit Report window is displayed.

4 Select your report parameters and filters and click Generate Audit. The report data is generated.

5 Double-click the row of the audit event for which you want to view more information. The Audit Report
    Event Viewer is displayed for this event.

Fields and buttons
This window has the following fields and buttons:
• Field — [Read-only] Displays the name of a field in this audit event record.

• Value — [Read-only] Displays the value for this field in the audit event record.

• Show Details — Display additional fields in this audit event record. To hide these details after you have
  shown them, click Hide Details.

• Copy — Save a copy of this audit event record to the Clipboard.

• Show ASCII — Change the display of this information to a text format. To revert to the table format,
  click Show Grid.




      • Previous — Display information about the previous audit event record in the McAfee Firewall Enterprise
        Audit Report window. You can click through the earlier audit event records in this way, without having to
        go back to McAfee Firewall Enterprise Audit Report window.

      • Next — Display information about the next audit event record in the McAfee Firewall Enterprise Audit
        Report window. You can click through the later audit event records in this way, without having to go back
        to McAfee Firewall Enterprise Audit Report window.

      • Close — Close this window and return to the McAfee Firewall Enterprise Audit Report window.


      Configuring on-screen color schemes for the audit records
      Use the McAfee Firewall Enterprise Audit Report: Color Settings window to adjust the on-screen color
      settings for your McAfee Firewall Enterprise Audit Report display. You can do this to make certain types of
      records more easily recognized or for other organizational reasons. You can adjust the colors for each event
      severity level.
      Figure 275 McAfee Firewall Enterprise Audit Report: Color Settings window




      Accessing this window
      1 If you have already generated a McAfee Firewall Enterprise audit report, skip to step 5.
        or
        In the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar.

      2 In the tree, select Firewalls to expand the list of firewalls.

      3 Right-click the firewall for which to run this report and click Audit Report. The McAfee Firewall Enterprise
          Audit Report window is displayed.

      4 Select your report parameters and filters and click Generate. The report data is generated.

      5 Click Settings. The McAfee Firewall Enterprise Audit Report: Color Settings window is displayed for this
          event.




Fields and buttons
This window has the following fields and buttons:
• Color Settings — Use the fields in this area to specify the color to be used for the various levels of audit
  data severity. Select one of the following fields.

    • System — [Read-only] Indicates the system colors as they pertain to the severity levels. You cannot
      edit these settings on this window. You can change your system settings in the Control Panel.

    • Minimal — [Read-only] Indicates the color that will be used for the text only in the McAfee Firewall
      Enterprise Audit Report window. You cannot edit these settings.

    • Fully defined — [Read-only] Indicates the combination of colors that will be used for the background
      of the row and the text in that row. You cannot edit these settings. If you want to use different
      combinations, select the Custom option.

    • Custom — Indicates the combination of colors that will be used for the background of the row and the
      text in that row. Initially, the Color settings values are used as the basis for the Custom settings.
      However, you can edit these settings to create your own custom combinations.

    • Severity — [Read-only] Displays the severity levels for the types of alerts that are displayed in the
      McAfee Firewall Enterprise Audit Report window, along with a severity number. The lower the number,
      the higher the severity.

    • Background Color — [Read-only] Displays the colors that are used for the background of each
      severity level for each color setting.

    • Text Color — [Read-only] Displays the colors that are used for the text in each severity level for each
      color setting.

    • Example — [Read-only] Displays a preview of the color combination as displayed or defined in the
      Background Color and Text Color columns.

• OK — Save the settings on this window and, on closing, implement the changes in the McAfee Firewall
  Enterprise Audit Report window.

• Cancel — Close this window without saving or implementing any changes in the McAfee Firewall
  Enterprise Audit Report window.

Creating customized color settings for the data in the McAfee Firewall Enterprise Audit Report
window
This procedure assumes that you have already generated audit data in the McAfee Firewall Enterprise Audit
Report window. If you have not yet done this, see Configuring and generating audit reports for one or more
firewalls on page 625.
1 In the McAfee Firewall Enterprise Audit Report window, click Settings. The McAfee Firewall Enterprise
    Audit Report: Color Settings window is displayed.

2 Select Custom.

3 Click the table cell for the background color or text color for the severity type that you want to modify.
    The Color window is displayed.

4 Select a basic color or click Define Custom Colors >> to create a custom color.

5 If you are selecting a basic color, go to the next step.
    or
    For a custom color, click in the color display on the right for the color that you want to add. You can also
    move the slider up or down to adjust the settings of this selection. When you see that the color that you
    want is displayed in the Color|Solid box, click Add to Custom Colors.

6 Click OK.

7 Repeat steps 3–6 for each table cell that you want to edit.




      8 When you have finished, click OK to update the McAfee Firewall Enterprise Audit Report with these color
          settings changes.


      Displaying system information for the Control Center Management Server
      Use the System Information page to display information about the Control Center Management Server.
      Figure 276 System Information page




      Accessing this page
      In the Configuration Tool or in the Reporting and Monitoring Tool, from the Reports menu, select System
      Information. The System Information page is displayed.

      Fields and buttons
      This page has the following fields and buttons:
      • (Expand Default) — Revert to the default display on this report.

      • (Expand All) — Expand all of the nodes on this report. For this report, there is only one (Interface)
        node.

      • (Collapse All) — Close all of the nodes on this report. For this report, there is only one (Interface)
        node.

      • Interface — [Read-only] Displays the interface IP address.

      • broadcast — [Read-only] Displays the broadcast IP address.
      • mac — [Read-only] Displays the manufacturer-assigned Media Access Control (MAC) address of the
        network interface card.

      • mask — [Read-only] Displays the subnet mask.

      • name — [Read-only] Displays the system-assigned name of the network interface.



• type — [Read-only] Displays the type of network.

• host name — [Read-only] Displays the name of the host.

• Control Center version — [Read-only] Displays the Control Center version that is currently installed.

• high availability — [Read-only] Displays whether the High Availability (HA) feature is configured on this
  interface.

• HA stand-by — [Read-only] [Available only if high availability is set to yes] Displays the host name of
  the standby or backup Management Server in an HA configuration.

• logging level — [Read-only] Displays the logging level that has been set for the Management Server.
  One of the following levels is displayed, listed from the least inclusive (no logging) to the most
  inclusive: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, and ALL. FINE is the default
  value. You can set this level in the Server Property Editor window.

• configured administrators — [Read-only] Displays the number of administrators who are currently
  configured to access this Control Center Management Server.

• logged in administrators — [Read-only] Displays the name and IP address of the administrators who
  are currently logged into the Control Center.

• operating system — [Read-only] Displays the operating system on the Management Server.

• machine type — [Read-only] Displays information about the hardware architecture and microprocessor.

• number of processors — [Read-only] Displays the number of processors on the Management Server.

• processor type — [Read-only] Displays the type of processor on the Management Server.

• processor speed — [Read-only] Displays the speed of the processor on the machine.

• total memory — [Read-only] Displays the total amount of system memory in kilobytes.

• available memory — [Read-only] Displays the amount of free system memory in kilobytes.

• total swap — [Read-only] Displays the total amount of swap space in kilobytes.

• available swap — [Read-only] Displays the amount of available swap space in kilobytes.

• total disk space for logs — [Read-only] Displays the total amount of disk space that is available for log
  files in kilobytes.

• available disk space for logs — [Read-only] Displays the amount of available disk space for log files in
  kilobytes.

• available disk space for backups — [Read-only] Displays the amount of available disk space for backup
  configuration files in kilobytes.

• total disk space for audit data — [Read-only] Displays the total amount of disk space that is available
  for audit data files in kilobytes.

• available disk space for audit data — [Read-only] Displays the amount of available disk space for audit
  data files in kilobytes.

• total disk space for database — [Read-only] Displays the total amount of disk space that is available
  for the Management Server database in kilobytes.

• available disk space for database — [Read-only] Displays the amount of available disk space for the
  Management Server database in kilobytes.
• character encoding — [Read-only] Displays the name of the character encoding, that is, the mapping of
  character values to a graphical character set.

• locale — [Read-only] Displays the name of a set of parameters that define the language and regional
  preferences for the user interface.




      • time zone — [Read-only] Displays the name of the time zone in which the Control Center Management
        Server operates.

      • current time (local) — [Read-only] Displays the current time as represented in the local time zone.

      • current time (GMT) — [Read-only] Displays the current time as represented in Greenwich Mean Time
        (GMT).

      • last boot time — [Read-only] Displays the time at which the Management Server was last started.

      • system up time — [Read-only] Displays the length of the time that the Management Server has been
        running since the last start.

      • Save — Save a copy of the report to a file in HTML format.

      • Print — Print a copy of the report.


      Selecting the criteria for the firewall policy report
      Use the Policy Report window to select the firewall for which you want to run this report about the security
      policy that has been defined and implemented. You can generate a firewall-dependent policy report now or
      you can schedule the report at a later time as a one-time event or on a recurring basis.
      Note: If you want to view the policy report in HTML format, you must wait for it. You cannot schedule an HTML
      version of this report.

      Figure 277 Policy Report window




      Accessing this window
      In the Reporting and Monitoring Tool, from the Reports menu, select Policy.
      or
      In the Configuration Tool, select the Monitor group bar and double-click Policy Report.
      or
      1 In the Configuration Tool, select the Firewalls group bar. Select the Firewalls, Clusters, or Device
          Groups node.

      2 Right-click a firewall, cluster, or device group object, respectively, and select Policy Report. The Policy
          Report window is displayed.




Fields and buttons
This window has the following fields and buttons:
• Device — Specify the subject firewall. Select the pre-defined value from the list.

• Wait for Report — Determines whether to wait for the report to be run. The default value is cleared,
  which indicates that the report will be generated in the background.

    If you select this checkbox, configure the other settings and then click Request Report. This window
    remains open while the report is generated. You cannot do anything else in this application until the
    report has been completed.

    If you clear this checkbox, configure the other settings and then click Request Report. This window is
    closed while the report runs. You can then continue to perform other tasks in this application.

• (Progress Bar) — Displays a graphic progress representation of the Policy report generation process.

• Schedule Policy Report — Determines whether the Policy report is to be immediately generated or
  whether it will be generated according to the schedule that is defined in the Schedule Report or Schedule
  areas of this window. The default value is selected, which indicates that the report will be generated
  immediately.
• Schedule Report — Use the fields in this area to schedule the Policy report to be generated at a specific
  time, possibly more than once, and in a specific format for the output.

    • Run at — Specify the start time of the Policy report generation process in hours and minutes (hh:mm).

    • Timeout (min) — Specify the maximum amount of time (in minutes) that the report may take to be
      generated. The time frame starts at the time that is specified in the Run at field and ends that many
      minutes later; if the report has not completed by then, it is stopped.

    • Report type — Specify the output format of the file that is generated for the Policy report. The
      following values are available:

        • HTML — Indicates that the report will be generated to a HyperText Markup Language (HTML) file.
          This is the default value. Also, HTML will always be selected because it is the format that is used to
          view the report in the Reporting and Monitoring Tool.

        • XML — Indicates that the report will be generated to an XML file.

        • TAB — Indicates that the report will be generated to a tab-delimited file.

    • Send Results To — Use the field in this area to specify one or more e-mail addresses to which the
      generated Policy report will be sent.

        • Email Address — Specify one or more e-mail addresses to which the generated report will be sent.
          If you schedule the report, you must specify at least one e-mail address.




    • Frequency — Use the field in this area to specify the frequency at which the policy report should be
      generated. The following field is available:

        • Perform this report — Specify the frequency at which the policy report should be generated. The
          following values are available:

            • One time — Indicates that the report should be generated only on the date (Run on date field
              value) and at the time (Run at field value) that is specified. This is the default value.

            • Daily — Indicates that the report should be generated on a daily basis at an interval that you
              specify in the Every n days field.

            • Weekly — Indicates that the report should be generated on a weekly basis at an interval that
              you specify in the Every n weeks field. You can also specify the day or days of the week on which
              the report should be generated.

            • Monthly — Indicates that the report should be generated on a monthly basis at an interval that
              you specify in the Schedule area.

    • Schedule — The fields in this area change, depending on the selection that you make in the Perform
      this report field. One of the following fields is displayed:

        • Run on date — [Available only when One time is the value in the Perform this report field] Specify
          the specific date on which the report should be generated. This date is in day, month, date, year
          format. Click the down arrow to select the date from the calendar.

        • Every n days — [Available only when Daily is the value in the Perform this report field] Specify
          the daily interval at which this report is generated.

          For example, if you select 3 for the days, the report will be generated every three days at the time
          that you specified in the Run at field.

        • Every n weeks — [Available only when Weekly is the value in the Perform this report field]
          Specify the weekly interval at which this report is generated. You can further define the frequency
          by selecting the day or days of the week on which the report will be generated.

          For example, if you select 2 for the weeks and Tuesday and Wednesday for the days, this report
          is generated every two weeks on Tuesday and Wednesday of that week.

        • Day n of the month — [Available only when Monthly is the value in the Perform this report field]
          Specify the monthly interval at which this report is generated by specifying a specific date in the
          month in this field. If you want to specify a specific week and day of the month instead, use the
          The week day field. The checkboxes that indicate the specific months also apply to this field.

          For example, if you select 12 for this value and leave all of the months selected, this report will be
          generated on the 12th day of each month.

        • The week day — [Available only when Monthly is the value in the Perform this report field]
          Specify the week of the month and the day of the week on which this report is generated. The
          checkboxes that indicate the specific months also apply to this field.

          For example, if you select second for the week and Wednesday for the day and clear all of the
          month checkboxes except for July and August, this report will be generated on the second
          Wednesday of July and August only.

        • Months — [Available only when Monthly is the value in the Perform this report field] Specify the
          month or months in which this report will be generated. All of the months are selected by default.

• Request Report or Schedule Report — The name on this button changes, depending on whether you
  are waiting for the report to be generated (Request Report) or you are scheduling the report (Schedule
  Report). If you are waiting for the report, the report is immediately generated when you click this button.
  If you are scheduling this report for a later time, the report is scheduled and the window is closed.

• Close — Close this window without generating a report or scheduling a report.
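The schedule semantics described above (Run at, Timeout, and the One time / Daily / Weekly / Monthly options), as an added example that is not Control Center code: it computes the next run time and the timeout cutoff for a configured schedule. The anchor date that fixes the origin of an "every n days/weeks" interval is an assumption, because the guide does not say how that origin is chosen.

```python
# Added example (not Control Center code): a model of the Policy report schedule
# fields. Field names mirror the GUI; "anchor" (the origin of the every-n
# interval) is an assumption, defaulting to the day the schedule is evaluated.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta
from typing import Optional

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


@dataclass
class ReportSchedule:
    run_at: time                                  # Run at (hh:mm)
    timeout_min: int                              # Timeout (min)
    frequency: str                                # One time | Daily | Weekly | Monthly
    run_on_date: Optional[date] = None            # One time: Run on date
    every_n: int = 1                              # Every n days / Every n weeks
    weekdays: set = field(default_factory=set)    # Weekly: day names, e.g. {"Tuesday"}
    day_of_month: Optional[int] = None            # Monthly: Day n of the month
    week_ordinal: Optional[int] = None            # Monthly: The week day (1 = first ... 4 = fourth)
    week_day: Optional[str] = None                # Monthly: weekday name for The week day
    months: set = field(default_factory=lambda: set(range(1, 13)))  # Monthly: all selected by default
    anchor: Optional[date] = None                 # assumed interval origin

    def _matches(self, d: date, anchor: date) -> bool:
        """True if the schedule fires on calendar day d."""
        if self.frequency == "One time":
            return d == self.run_on_date
        if self.frequency == "Daily":
            return d >= anchor and (d - anchor).days % self.every_n == 0
        if self.frequency == "Weekly":
            # Weeks are counted from the Monday of the anchor week; the report
            # runs on each selected weekday of every n-th week.
            anchor_monday = anchor - timedelta(days=anchor.weekday())
            weeks = (d - anchor_monday).days // 7
            return (d >= anchor_monday and weeks % self.every_n == 0
                    and WEEKDAYS[d.weekday()] in self.weekdays)
        if self.frequency == "Monthly":
            if d.month not in self.months:
                return False
            if self.day_of_month is not None:
                # A day the month lacks (e.g. 31 in February) simply never fires.
                return d.day == self.day_of_month
            if self.week_ordinal is not None and self.week_day is not None:
                return (WEEKDAYS[d.weekday()] == self.week_day
                        and (d.day - 1) // 7 + 1 == self.week_ordinal)
            return False
        raise ValueError(f"unknown frequency {self.frequency!r}")

    def next_run(self, now: datetime, horizon_days: int = 3660) -> Optional[datetime]:
        """First run strictly after `now`, or None if nothing fires within the horizon."""
        anchor = self.anchor or now.date()
        for offset in range(horizon_days):
            d = now.date() + timedelta(days=offset)
            if self._matches(d, anchor):
                candidate = datetime.combine(d, self.run_at)
                if candidate > now:
                    return candidate
        return None

    def deadline(self, run: datetime) -> datetime:
        """Cutoff for a run that started at `run`: Run at plus Timeout (min)."""
        return run + timedelta(minutes=self.timeout_min)

    def timed_out(self, run: datetime, now: datetime) -> bool:
        """True once a run that started at `run` has exceeded its timeout."""
        return now >= self.deadline(run)


if __name__ == "__main__":
    # The guide's own examples: every 2 weeks on Tuesday and Wednesday, and the
    # second Wednesday of July and August only.
    biweekly = ReportSchedule(time(2, 30), 30, "Weekly", every_n=2,
                              weekdays={"Tuesday", "Wednesday"}, anchor=date(2009, 7, 1))
    print(biweekly.next_run(datetime(2009, 7, 1, 3, 0)))
    summer = ReportSchedule(time(2, 30), 30, "Monthly", week_ordinal=2,
                            week_day="Wednesday", months={7, 8})
    print(summer.next_run(datetime(2009, 7, 9)))
```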



Viewing information about the security policy for firewalls
Use the Policy Report page to view the security policy that has been defined and implemented.
Figure 278 Policy Report page




Accessing this page
In the Reporting and Monitoring Tool, from the Reports menu, select Policy.
or
In the Configuration Tool, select the Monitor group bar and double-click Policy Report.
or
1 In the Configuration Tool, select the Firewalls group bar. Select the Firewalls, Clusters, or Device
    Groups node.

2 Right-click a firewall, cluster, or device group object, respectively, and select Policy Report. The Policy
    Report window is displayed.

3 Configure the settings and click Request Report or Schedule Report if you are not immediately generating
    the report.

4 If you selected the Wait for Report checkbox, the report is displayed in the work area.
    or
    If you selected the Schedule Policy Report checkbox, when the report is generated, it is displayed in the
    Reports group bar. Double-click the report node in the tree. The Policy Report page is displayed.

Navigational buttons
The Policy Report page has the following buttons:
• (Expand All) — Expand all of the collapsed sections and headings in the report.

• (Collapse All) — Close all of the expanded sections and headings in the report.

• Save — Save this report as an HTML page with the destination path and file name that you specify.

• Print — Immediately send this report to the printer. Note that the report that is sent to the printer is
  exactly the view that you currently have on your report. If sections or headings are collapsed, the
  sub-headings will not be printed. You must open the sections and headings for the details that you want
  to print.


Content summary
The report provides information regarding configuration of the following entities:
• Policy

• Network

• Monitor

• Maintenance

Policy
Use the Policy section of the report to view a table of all of the rules that are defined on the firewall. It also
includes a section for the elements that comprise these rules: services, network objects, authenticators,
and time periods. Also defined here are the application defenses and the network defenses, IPS
translation rules, the IPS definitions for response mappings, signature groups, and signature updates.
In several sections, you can click objects that are displayed in blue to go directly to the location in this
report that contains more information about those objects.

Network
Use the Network section of the report to view a table of the defined interfaces, burb configurations, VPN
definitions and client address pools for the VPN configuration, DNS definitions, Quality of Service profiles
and queues, and static route definitions.

Monitor
Use the Monitor section of the report to view a table of the defined audit management exports, audit
settings, audit filters, audit e-mails, IPS attack responses, and system responses.

Maintenance
Use the Maintenance section of the report to view tables of the defined administrator accounts, certificates
and key management, Control Center, date and time, FIPS, hardware acceleration, license, software
management, and server settings. The Servers section includes the defined server population and definition
entries for daemond, servers, cron, and acld.



Firewall license reports
The functions and capabilities of each firewall are controlled by the installed licenses. Use the License
Report page to view the status of each license for the selected firewall.


Selecting the firewall for the license report
Use the License Report Manager window to select the firewall for which you will generate the report.
Figure 279 License Report Manager window




Accessing this window
1 In the Configuration Tool, select the Monitor group bar and double-click License Report. The License
  Report Manager window is displayed.
  or
  In the Reporting and Monitoring Tool, select the Firewalls group bar and select the Firewalls node to
  display the tree.
  or
  In the Configuration Tool, select the Firewalls group bar and then select the Firewalls, Clusters, or
  Device Groups node to display the tree.

2 Right-click the firewall, cluster, or device group for which you want to generate this report and select
    License Report. The License Report Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Firewall — Specify the firewall for which you want to generate this report. Click the down arrow to display
  the list of available firewalls. Use the Find field or button to limit your list of displayed firewalls. Then
  select one or more firewalls against which to generate this report.

• Generate Report — Generate the report for the selected firewall or firewalls. The report page is
  displayed.

• Cancel — Close this window without generating the report.


Viewing the status of all of the licenses for a firewall
Use the License Report page to view license information about one or more firewalls. You also can configure
the report to display only those licenses that will expire in a certain timeframe.
You can filter the data that is displayed in this report at the column level. The first row in the table consists
of lists in which you select the filter criteria.
Figure 280 License Report page




Accessing this page
1 In the Configuration Tool, select the Monitor group bar and double-click License Report. The License
  Report Manager window is displayed.
  or
  In the Reporting and Monitoring Tool, select the Firewalls group bar and select the Firewalls node to
  display the tree.
  or
  In the Configuration Tool, select the Firewalls group bar and then select the Firewalls, Clusters, or
  Device Groups node to display the tree.

2 Right-click the firewall, cluster, or device group for which you want to generate this report and select
    License Report. The License Report Manager window is displayed.



3 In the Firewalls field, click the down arrow to select one or more firewalls for which you want to generate
    this report. You can also use the Find field to narrow the list of displayed firewalls that are available for
    selection.

4 Click Generate Report. If you selected only one firewall, the License Report page for the selected firewall
    is displayed. If you selected multiple firewalls, the License Report for Multiple Firewalls page is displayed.
    Each firewall is displayed on a separate row in the report.

Fields and buttons
This page has the following fields and buttons:
• Expires in — Specify a timeframe within which to view potential license expirations for one or more
  firewalls. For example, if you select the next 15 days and none of the licenses for the selected firewall
  or firewalls expires within the next 15 days, no data is displayed on this report. The default value is
  <Show all>.

• (Clear Find Results) — Click this button to revert to the <Show All> condition so that you can view
  all of the license information again. Use this after you have filtered your report data by selecting a
  timeframe in the Expires in list.

• Filter row (first row in the table) — For each column, you can specify the filter that you want to apply to
  the data for this column. The following options are available for each column:

    • (All) — Indicates that no filtering is to be performed on this column. All records are displayed, unless
      a particular record is filtered out by the criteria set in a different column.

    • (Empty) — Indicates that column filtering is performed on records that do not have data in this
      column. The records that have data are not displayed, regardless of the settings in any other column.

    • Displayed_column_value — Indicates that column filtering is performed on records that match the
      value or values in this column. The data in the list for each column is different, depending on the values
      that are displayed for that column. There is one entry in this list for each unique value that is displayed
      in this column.

    • Report-specific column names — Except for the Firewall column, which displays the name or names
      of the firewalls that have been selected for this report, the following columns display license status
      information in this table:

        • SecureOS

        • Support

        • VPN

        • Failover

        • Strong Crypto (Cryptography)

        • Anti-Virus

        • Anti-Spam

        • IPS

        • SSL Decryption

        • IPS Signature

        • Promotion

• Generated on — [Read-only] Displays the date and time at which this report was generated.

• Refresh — Update this report with the latest information and clear any applied filters.

• Print — The Print window is displayed, in which you configure the settings to print this report.

• Print Preview — The Print preview window is displayed, in which you can view the report before printing.
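The Expires in window and the per-column filter row ((All), (Empty), or one displayed value) described above, as an added example that is not Control Center code: it applies those filters to constructed sample rows and lists which licenses lapse in the window. The assumption that a license column displays an expiry date is mine; the guide only says the columns show license status.

```python
# Added example (not Control Center code): the License Report column filter row
# and "Expires in" window, run over constructed sample rows. Assumes each
# licence column holds an expiry date (or no data); firewall names are made up.
from __future__ import annotations

from datetime import date, timedelta
from typing import Optional

ALL = "(All)"      # no filtering on this column
EMPTY = "(Empty)"  # keep only rows with no data in this column
SHOW_ALL = None    # <Show all> in the Expires in list

LICENSE_COLUMNS = ["SecureOS", "Support", "VPN", "Failover", "Strong Crypto",
                   "Anti-Virus", "Anti-Spam", "IPS", "SSL Decryption",
                   "IPS Signature", "Promotion"]

# Constructed sample: one row per firewall; a missing column means no data.
SAMPLE_ROWS = [
    {"Firewall": "fw-edge-1", "SecureOS": date(2010, 1, 15), "Support": date(2009, 8, 1),
     "IPS": date(2009, 7, 20)},
    {"Firewall": "fw-dmz-2", "SecureOS": date(2010, 1, 15), "Support": date(2009, 12, 31),
     "IPS": date(2009, 7, 25), "IPS Signature": date(2009, 7, 10)},
    {"Firewall": "fw-lab-3", "SecureOS": date(2009, 7, 5)},
]


def column_choices(rows, column):
    """Entries offered by one column's filter list: (All), (Empty), then one
    entry per unique displayed value."""
    values = sorted({r[column] for r in rows if r.get(column) is not None})
    return [ALL, EMPTY] + values


def expiring_licenses(row, today, within_days):
    """(column, expiry) pairs for licences expiring in [today, today + within_days]."""
    cutoff = today + timedelta(days=within_days)
    return [(c, row[c]) for c in LICENSE_COLUMNS
            if row.get(c) is not None and today <= row[c] <= cutoff]


def apply_filters(rows, filters=None, expires_in: Optional[int] = SHOW_ALL, today=None):
    """Rows that satisfy every column filter and, when Expires in is set, have at
    least one licence expiring in the window (otherwise nothing is shown)."""
    filters = filters or {}
    today = today or date.today()
    kept = []
    for row in rows:
        ok = True
        for column, wanted in filters.items():
            value = row.get(column)
            if wanted == ALL:
                continue
            ok = value is None if wanted == EMPTY else value == wanted
            if not ok:
                break
        if ok and expires_in is not SHOW_ALL:
            ok = bool(expiring_licenses(row, today, expires_in))
        if ok:
            kept.append(row)
    return kept


def firewall_names(rows):
    return [r["Firewall"] for r in rows]


if __name__ == "__main__":
    today = date(2009, 7, 1)
    # Licences lapsing in the next 15 days: a lapsed IPS Signature or Anti-Virus
    # licence means the firewall stops receiving updates for that protection.
    for row in apply_filters(SAMPLE_ROWS, expires_in=15, today=today):
        print(row["Firewall"], expiring_licenses(row, today, 15))
```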



9     Configuration Tool - Maintenance


      Contents
      Maintenance
      Firewall maintenance
      Control Center maintenance



Maintenance
Use the options in the Maintenance group bar section of the Configuration Tool to maintain multiple
firewalls and security policies for a distributed homogeneous or heterogeneous configuration.
• Firewall maintenance — Specify the following parameters for the individual McAfee Firewall Enterprise:

    • Device control — Re-initialize, reboot, and provide an orderly shutdown of selected firewalls in the
      Device Control window. You can also terminate active sessions and security associations for
      user-selected firewalls. For more information, see Managing firewall shutdown and suspension states
      and other maintenance settings on page 656.

    • License firewall — Specify and manage firewall licenses by using the Firewall License window. For
      more information, see Viewing and managing firewall licenses on page 658.

• Control Center maintenance — Specify the following parameters for the McAfee Firewall Enterprise
  Control Center Management Server:

    • Server logs — View various types of server logs in the Server Logs window. For more information,
      see Viewing Management Server logs on page 663.

    • Server properties editor — View and edit Control Center Management Server properties and add
      new properties in the Server Property Editor window. For more information, see Configuring
      Management Server properties on page 664.

    • Firewall audit export settings — Export firewall audit log files that were written to the Control
      Center Management Server to a remote location. For more information, see Exporting firewall audit
      files that are stored on the Control Center on page 667.

    • Backup configuration — Create a backup file of the Control Center Management Server data or
      replace an existing backup file in the Backup Control Center System window. For more information,
      see Creating backup files of your Management Server data by using the GUI on page 123.

    • Restore configuration — Restore a previously saved system backup file to the Management Server,
      modify an existing backup name or description, or delete a system backup file in the Restore System
      from Backup window. For more information, see Restoring the Management Server configuration files
      from a backup file on page 126.
      or
      Manage Versions — [Available only if you have enabled configuration domains] Create, modify,
      delete, and activate versions of a configuration domain. For more information, see Managing versions
      of configuration domains on page 99.




Firewall maintenance
The Control Center Client Suite includes several interfaces that allow you to manage objects and settings at
the firewall level in the Control Center. The following topics are provided:
• Viewing object usage on page 648

• Locking configuration objects on page 649

• Managing unused objects on the Control Center Management Server on page 651

• Merging objects on page 652

• Setting the date and time on a firewall on page 655

• Managing firewall shutdown and suspension states and other maintenance settings on page 656

• Viewing and managing firewall licenses on page 658


Viewing object usage
Use the Usage of object_name Object window to display all of the other objects in which this object is either
used or referenced. This is extremely helpful when you attempt to delete an object, only to receive a
message that it is being referenced by another object. When you view the references in this window, you
can go directly to those objects and edit them accordingly by double-clicking the object in the tree on the
left. After you have edited all of these references, you can then delete this object. You can also export this
data to a file in comma-delimited (CSV) format.
Figure 281 Usage of object_name Object window (where, in this example, the storm firewall usage is displayed)




Accessing this window
In the Configuration Tool, right-click any object and select Show Usage. The Usage of object_name Object
window is displayed, where object_name is the actual name of the object on which you right-clicked.

Fields and buttons
This window has the following fields and buttons:
• (Object tree) — This tree on the left side of this window displays the object types as nodes, along with
  the number of objects that are referenced. The subnodes are the names of the objects that are
  referenced. Click an object name to view the properties and values for that object in the right side of this
  window. You can edit this object by double-clicking it to display the object window that contains
  information about the selected object. For example, if you double-clicked an administrator in the tree, the
  Firewall User Manager - Administrators window is displayed.


• Property — [Read-only] Displays the name of the properties in the table for the selected object in the
  tree. These properties are representative fields from the object window.

• Value — [Read-only] Displays the values that are defined for the properties in the table. These values
  are the values of the fields in the object window for the respective properties.

• Export — Export the data in this window to a comma-delimited (CSV) file.

• Close — Close this window.


Locking configuration objects
Use the Locking Manager to lock all objects of a particular type or to unlock objects. The lock includes all
existing objects as well as new objects that you create. You can, for example, lock objects that are of the
type Networks, which means that you are locking the set of Networks objects.
Multiple Control Center users can be logged onto the same Management Server by using multiple Client
Suite clients. This means that, at any given time, multiple users can be making simultaneous changes. To
alleviate the possibility of contention, the Control Center provides a mechanism to lock selected objects (for
example, address ranges, networks, rules) so that other Control Center users cannot simultaneously add,
modify, or delete those types of objects.
When you or another user locks a set of objects, the lock status is indicated in the Objects toolbar by
highlighting the name of the object type using a red or blue color. If you have locked a set of objects,
the name of the object type is highlighted in green (for example, Networks). If another user has locked
a set of objects, the name of the object type is highlighted in red (for example, Networks).
The lock that you obtain for a set of objects is temporary; you can activate or unlock the lock at any time.
If you do not remove the lock, the lock will be removed automatically when you log out of all client GUIs
that you have logged onto or when all of your server sessions expire.
Note: Locks are assigned based on a user name; locks are not assigned based on the server session to which you
have logged on.

This means that explicit locking and unlocking status is reflected in all clients that a user is logged onto. If a user
is logged into more than one client, any active locking status is retained until he logs out of every client (or until
all sessions expire).

Figure 282 Locking Manager window




Accessing this window
In the Configuration Tool, from the Configuration menu, select Locking Manager…. The Locking Manager
window is displayed.




Fields and buttons
This window has the following fields and buttons:
• Lock all objects — Determines whether all objects are locked. If you select this checkbox, you are the
  only user who can add, modify, or delete Control Center objects. If you want to control object locking for
  select objects, but not all object types, do not select this checkbox. Instead, select the individual object
  types in the Object Type column.

• Object Type — Determines whether a particular set of objects is locked by a Control Center user. This
  list contains all of the object types that can be locked. Select the object types whose locking you want
  to control.

  If an object name is selected, that set of objects has already been locked by the user who is listed in
  the Locked By field. If an object name is not selected, that set of objects is not locked.

• Locked By — [Read-only] Displays the name of the Control Center user who has locked the set of objects
  identified by Object Type.
  Note: During certain operations, individual objects or sets of objects may be automatically locked by the
  Control Center. These operations include saving an object's configuration, retrieving a firewall's configuration,
  and applying a configuration to one or more firewalls. When the operation finishes, the Control Center removes
  the locks.

• OK — Save the changes that were made in this window.

• Cancel — Close this window without saving any changes.

Locking objects
Use the Locking Manager window to lock one or more sets of Control Center objects to prevent multiple
users from accessing and changing the same objects. Locking a set of objects ensures that no other Control
Center user can add, modify, or delete objects of that type. For more information, see Firewall maintenance
on page 648.
1 In the Configuration Tool, from the Configuration menu, select Locking Manager. The Locking Manager
   window is displayed.

2 Select the checkbox next to all of the objects to be locked.

3 [Optional] Select the Lock all objects checkbox to lock all objects.

4 Click OK to obtain the locks.




Managing unused objects on the Control Center Management Server
Use the Unused Objects page to display a list of objects that are not currently used in the Control Center.
This list contains only those objects to which you have access; system objects are not included.
You can edit an object in the list by double-clicking it to display it in its respective object window. You can
also delete the object by right-clicking it in the list and selecting Remove Object.
Figure 283 Unused Objects page for filter services objects




Accessing this page
1 In the Configuration Tool, from the Reports menu, select Unused Objects. The Unused Objects page is
  displayed.

2 To display the objects, click Generate. The retrieval process might take some time. The report is then
   displayed with the list of unused objects. Note that the more objects you include in the filter, the longer
   the report will take to generate.

Fields and buttons
This page has the following fields and buttons:
• The total number of unused objects is — [Read-only and is displayed after you have clicked
  Generate] Displays the number of unused objects that are listed in this report. There are potentially two
  different totals that can be displayed on this page:

   • The total number of unused objects for the configuration domain to which you are currently logged in

   • [Only if you do not have access to view all of the objects in the current domain] The total number of
     unused objects to which you have access. (This would be a subset of the other total.)

• Export — Save this report data to a comma-delimited (CSV) file.

• Filter — Specify the object type on which you want to filter the displayed results. The following values
  are available:

   • All Objects — Include all objects in the display.

   • Filter Services — Include only filter service objects in the display.




   • Proxy Services — Include only proxy service objects in the display.

   • Hosts — Include only host objects in the display.

   • Signature Groups — Include only signature group objects in the display.

   • Time Periods — Include only time period objects in the display.

   • All other objects — Include only those object types that are not listed above in the display.

• Find — Because your list of objects (where objects refers to the entity for which you are searching) could
  potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by
  using the Find filtering mechanism.

   a In the Find or Search field, specify a term that matches a selection for any value displayed in the
     browser.

   b Click the down arrow to select the display for the search results (Highlight matching <objects>
     [where <objects> is the entity for which you are searching] or Only display matching <objects>
     [where <objects> is the entity for which you are searching]).

   c Click Find or press Enter. The results are displayed. If you selected the highlight option, all objects
     that match the value in the Search field are highlighted in yellow. If you selected the other value, you
     will see only those objects that matched your search criteria.

   d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and
     view all of the objects again, click (Clear Find Results).

• Delete selected rows — Delete the rows in the table that you have selected. Press Ctrl+click to
  highlight multiple rows. If you have accidentally highlighted an object that you do not want to delete, click
  (Clear Find Results) to clear the selection highlight from all of the matching objects and start your
  selection process again. When you are ready to delete these objects, click the Delete selected rows
  button. You can also delete individual rows by clicking x (Delete) at the end of the row to be deleted.

• Type — [Read-only] Displays the type of object for this row. You can edit this object by double-clicking
  it. This object data is displayed in the appropriate object window. For example, if you double-clicked an
  administrator object, the Firewall User Manager - Administrators window is displayed.

• Name — [Read-only] Displays the name of this object.

• Description — [Read-only] Displays the description for this object.

• Delete — Click x (Delete) in the row to be deleted.


Merging objects
Use the Merge Objects wizard to analyze and combine your network objects, services, system responses,
IPS responses, and HTTP, HTTPS, SMTP, and group application defenses that share elements. The wizard
scans your list of objects and identifies the objects with common elements. You can then combine them into
a single object. Only objects within the same configuration domain can be merged, unless they are in the
shared domain. The shared domain object will always become the master object and the other objects will
be deleted after the merge completes.
The common elements that are used to identify these objects are the same elements that are used in the
retrieve process to identify similar objects that are distinguished by name only.

Requirements for using this wizard
To use this wizard, you must have the following permissions:
1 You must be assigned a role that includes View, Update, and Remove access for the Merge Objects wizard.

2 You must also be assigned a role that includes View, Update, and Remove access for all objects.




3 To merge privileged objects, you must also be assigned a role that includes View, Update, and Remove
   access for privileged objects.

Accessing this wizard
In the Configuration Tool, from the Configuration menu, select Merge Objects Wizard. The Merge Objects
Wizard is displayed.

Step 1 of 3 - Description
1 View the users who are currently logged into this Management Server in the Logged in users field.

2 Select an object type to be scanned in the Choose an object type field:

   • <None>

   • Hosts

   • Networks

   • Address Ranges

   • Net Groups

   • Proxy Services

   • Filter Services

   • IPS Attack Responses

   • System Responses

   • SMTP Application Defenses

   • HTTP Application Defenses

   • HTTPS Application Defenses

   • Application Defense Groups

3 Click Next > to begin the analysis of the selected object type. If there are no objects that could be
   merged, a message displays and you cannot advance in the wizard unless you select another object type
   that does have objects that could be merged. If there are objects that could be merged, the next page is
   displayed.

Step 2 of 3 - Merge objects page
1 Select the groups to be merged in the table at the top of the page. The following fields are available on
   this page:

   • Merge objects — This table contains the merge object groups. A merge object group includes the
     individual objects that are candidates for being merged to form the merge object that is displayed at
     the top of the group.

       The following options are available on the right-click menu for any row in this table: Merge all
       (automatically selects all of the checkboxes in this table) and Clear all (clears all of the checkboxes
       in this table). The following fields are available in this table:

       • Find — Because your list of objects could potentially be very long, you can quickly highlight only
         those objects that meet certain filter constraints by using the Find filtering mechanism. This
         functionality searches the properties in the first table (List of duplicate entries) and also searches
         by object name (the Name column) in the second table (List of objects to merge for duplicate
         entry (n)).
           a In the Find field, specify a term that matches a selection for any value displayed in the list.

           b Click Find or press Enter. The results are highlighted in yellow in the table.




                 Click Find Next to move through the matches. To remove the yellow highlight from the selected
                 values, click Clear Find Results.

             • List of duplicate entries — Use the rows in this table to determine the duplicate objects to be
               merged. The following fields are available:
                • (Numbers) — [Read-only] Displays the number for this row. When this row is highlighted, the List
                  of objects to merge for duplicate entry area displays this row number in parentheses ().

                • Use — Determines whether the object group will be merged. This checkbox is cleared by default.
                  If you select the checkbox, the objects in this object group will be merged.

                • (Remaining fields) — [Read-only] The remaining fields are object type-specific. For example, if
                  you were searching for duplicate hosts, you will see the Address and Hostname fields.

      2 Use the List of objects to merge for duplicate entry (n) area (where n is the number of the row
         selected in the List of duplicate entries table) to determine the action to perform on each object in the
         selected group. The following columns are available in this table:
         Note: Objects that are shared are indicated with a pink highlight. These objects must always be the
         master object; they cannot be merged into any other objects.

         • Action — Specify the action to perform on each member of the group. You must select one master
           object (Keep) to which the other selected objects (Delete) will be merged and subsequently deleted
           after the merge has completed. You can also specify individual objects that will not be included in the
           merge process (Do not merge).

             In addition to these actions, the following options are available from the right-click menu from any
             row in this table:

             • View — Displays the object editor window for this object type. For example, if you select a Host
               object, the Network Object Manager window is displayed.

             • Show usage — Displays the Usage of object_name Object window, in which you can view all of the
               other objects in which this object is either used or referenced.

         • Name — [Read-only] Displays the name of the merge object.

      3 After you have made your selections in both tables, click Next > to continue to the next page.

      Step 3 of 3 - Summary page
      The Summary page displays the following lists: the master objects to be preserved are displayed in bold
      text on the left, the objects to be deleted as a result of the merger are displayed in bold text in the middle,
      and the objects to be ignored are displayed on the right.
      The following actions are available:
      • Click Export summary to export this information to a comma-delimited (.csv) file.

      • Click < Back if the information on this page is not acceptable. Make changes and then click Next > again
        to return to the Summary page.

      • Click Cancel to exit the wizard without making any merges.

      • Click Finish if the information is acceptable and you want to continue with the merge. A confirmation
        message is displayed, indicating that the Management Server updates have been completed and that the
        system will refresh all of the data.

      • Click OK. The objects are merged and the Merge Objects wizard is closed.
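As an added illustration of how the wizard's grouping and merge rules fit together (this is example code, not Control Center code), the following Python groups host objects that differ by name only, forces a shared-domain object to be the master, honors Do not merge, retargets references to the deleted objects, and writes the same kind of comma-delimited summary that Export summary produces. The NetObject fields, the "shared" domain label, the sample objects, and the assumption that references held by other objects (the ones Show usage lists) move to the master are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
import csv
import io


@dataclass(frozen=True)
class NetObject:
    """A host object reduced to what the wizard compares.  The field names and
    the 'shared' domain label are assumptions made for this example."""
    name: str
    domain: str        # a configuration domain, or "shared"
    address: str
    hostname: str

    @property
    def shared(self):
        return self.domain == "shared"

    @property
    def key(self):
        # The elements that make two hosts "the same object under different names".
        return (self.address, self.hostname.lower())


def find_duplicate_groups(objects):
    """Group objects whose defining elements match.  Objects from two different
    configuration domains are never grouped together, but a shared object is
    grouped with the duplicates found in each domain."""
    by_key = defaultdict(list)
    for obj in objects:
        by_key[obj.key].append(obj)
    groups = []
    for members in by_key.values():
        shared = [o for o in members if o.shared]
        by_domain = defaultdict(list)
        for o in members:
            if not o.shared:
                by_domain[o.domain].append(o)
        candidates = [shared + dom for dom in by_domain.values()] or [shared]
        groups.extend(g for g in candidates if len(g) > 1)
    return groups


def plan_merge(group, do_not_merge=frozenset()):
    """Assign Keep / Delete / Do not merge to each member.  A shared object must
    be the master; otherwise the alphabetically first object that was not
    excluded is kept, and everything else is merged into it and deleted."""
    shared = [o for o in group if o.shared]
    if len(shared) > 1:
        raise ValueError("more than one shared object: %s" % [o.name for o in shared])
    eligible = [o for o in group if o.name not in do_not_merge]
    if shared:
        master = shared[0]
    elif eligible:
        master = min(eligible, key=lambda o: o.name)
    else:
        master = None
    plan = {}
    for o in group:
        if o is master:
            plan[o.name] = "Keep"
        elif master is None or o.name in do_not_merge:
            plan[o.name] = "Do not merge"
        else:
            plan[o.name] = "Delete"
    return plan


def retarget_references(references, plan):
    """Point every reference to a deleted object at the master instead.
    (Assumption: this is what the merge does for the users listed by Show usage.)"""
    masters = [n for n, a in plan.items() if a == "Keep"]
    if not masters:
        return dict(references)
    master = masters[0]
    deleted = {n for n, a in plan.items() if a == "Delete"}
    return {user: sorted({master if r in deleted else r for r in refs})
            for user, refs in references.items()}


def export_summary(plans):
    """Comma-delimited summary in the spirit of Export summary: one row per object."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["group", "object", "action"])
    for number, plan in enumerate(plans, 1):
        for name, action in plan.items():
            writer.writerow([number, name, action])
    return buf.getvalue()


# Constructed sample data: one shared DNS host duplicated in two domains, a
# pair of duplicate web hosts, and a mail host with no duplicate.
SAMPLE = [
    NetObject("dns-primary", "shared", "10.0.0.53", "ns1.example.test"),
    NetObject("ns1_copy", "corp", "10.0.0.53", "NS1.example.test"),
    NetObject("dns1-old", "corp", "10.0.0.53", "ns1.example.test"),
    NetObject("dns1-lab", "lab", "10.0.0.53", "ns1.example.test"),
    NetObject("web-a", "corp", "10.0.1.10", "www.example.test"),
    NetObject("web-b", "corp", "10.0.1.10", "www.example.test"),
    NetObject("mail", "corp", "10.0.2.25", "mx.example.test"),
]

if __name__ == "__main__":
    groups = find_duplicate_groups(SAMPLE)
    plans = [plan_merge(g, do_not_merge={"web-b"}) for g in groups]
    print(export_summary(plans))
```

Note that the shared object appears in one group per domain in which it has duplicates, and is the master each time, which is the behaviour the wizard describes: objects from two different domains are never merged into each other, but each domain's copies collapse into the shared one.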




Setting the date and time on a firewall
Use the Set Date and Time window to set the date and time on the firewalls that are selected on the Device
Control window.
Figure 284 Set Date and Time window




Accessing this window
1 In the Configuration Tool, select the Maintenance group bar.

2 In the Firewall Maintenance tree, double-click the Device Control node. The Device Control window is
   displayed.

3 Select at least one of the firewalls in the Firewalls list.

4 In the Control Actions list, select Set date and time and then click Proceed. A warning message is
   displayed, indicating that the selected device or devices are about to have their date and time values
   reset.

5 Click OK. The Set Date and Time window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Date — Use the field features to open a calendar so that you can select a date to assign to the firewalls
  that were selected on the Device Control window. The date can also be manually specified.

• Time (24-hour) — Use the field features to assign a time to the firewalls that were selected on the Device
  Control window. The time can also be manually specified.
   Note: This feature does not set the time zone of a firewall. The time that you enter is applied in each
   firewall's own time zone, the one configured on the firewall during installation, so the same entry produces
   different absolute times on firewalls in different zones. Before applying any changes, make sure that all of
   the firewalls selected on the Device Control window reside in the same time zone and are on the same date.
   Also, you must use the 24-hour clock format.

• OK — Save the changes that were made in this window.

• Cancel — Close this window without saving any changes.




      Managing firewall shutdown and suspension states and other maintenance settings
      Use the Device Control window to manage firewalls. Use this interface to initiate various shutdown or
      suspend states to the selected firewalls and to manage other areas, such as resetting default gateways or
      requesting management control of a firewall, and so on. Some of these options are not applicable to all
      supported firewall versions.
      For several of these actions, you can generate a report after you click Proceed. The name of the report is
      included in the description of the control action option. To view how to generate these reports, see
      Generating firewall reports on page 623.
      Figure 285 Device Control window




      Accessing this window
      1 In the Configuration Tool, select the Maintenance group bar.

      2 Beneath the Firewall Maintenance node, double-click the Device Control sub-node. The Device Control
         window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Firewalls — Displays all of the configured firewalls. Select one or more firewalls on which the subsequent
        operation will be performed.

      • Control Actions — Specify the action to be taken on the selected firewalls. The following options are
        available:

         • System shutdown/reboot — Reboot the selected firewalls.

         • Halt system for power down — Stop the selected firewalls so that they can be powered down.

         • Set date and time — Displays the Set Date and Time window, in which you can modify the system
           clock on the selected firewalls. For more information about this window, see Setting the date and time
           on a firewall on page 655.

         • Export latest audit files — Initiate an audit export of the latest audit files, in accordance with the
           export configuration of the selected firewalls. “Latest” indicates those audit files that have been saved,
           but have not yet been sent from the firewall to the Management Server.

         • Export all audit files — Initiate an audit export of all of the audit files, including those files that might
           have already been exported, in accordance with the audit export configuration of the selected firewalls.


   • Export most recent audit events to Control Center — Initiate an audit export of the most recent
     audit events, in accordance with the audit export configuration of the selected firewalls. “Most recent”
     indicates those audit events that have occurred since the last audit file was saved.

   • Cleanup audit report — Remove any created files that still remain from a failed audit report.

   • Revert default gateway to the primary default gateway — Change the default gateway back to
     the primary default route settings as configured. This attempts a route failover to the original default
     route.

   • Download and install most recent Geo-Location updates — Initiate a download and installation
     of the most recent Geo-Location updates to the selected firewalls. To view the latest information after
     you have taken this action, refer to the Geo-Location Version report.

   • Download and install most recent IPS signatures — Initiate a download and installation of the
     most recent IPS Signatures to the selected firewalls. To view the latest information after you have
     taken this action, refer to the IPS Signature Version report.

   • Download and install most recent antivirus signatures — Initiate a download and installation of
     the most recent antivirus signatures to the selected firewalls. To view the latest information after you
     have taken this action, refer to the Antivirus Patch Version Information report.

   • Request management control — Request that management control for the selected firewalls be
     granted to this Management Server.

       Note: For this action to be successful, this Management Server must be registered on the selected firewalls.

   • Resynchronize policy to McAfee Firewall Profiler — Initiate a command to the firewall to send its
     policy configuration file to the McAfee Firewall Profiler. This is for those situations in which the
     connection between the firewall and the McAfee Firewall Profiler has been lost for a period of time.

• Proceed — Initiate the action that you have selected in the Control Actions field on the selected
  firewalls.

• Close — Close this window without saving any changes.




      Viewing and managing firewall licenses
      Use the Firewall License window to view and manage firewall licenses.
      Figure 286 Firewall License window




      Accessing this window
      In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License window
      is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Firewall — Specify the name of the firewall as defined when the firewall was configured.

      • Copy From Default — Copy the contact and company information that was specified in the Common
        License Information window of the Administration Tool into the tabs of this window.

      • OK — Save changes that are made on all of the tabs on this window.

      • Cancel — Close this window without saving any changes.

      Tabs
      This window has the following tabs:
      • Firewall — Specify information about the firewall that you want to license. For more information, see
        Firewall License window: Firewall tab on page 659.

      • Contact — Specify information about the administrator for the specified firewall. For more information,
        see Firewall License window: Contact tab on page 660.

      • Company — Specify information about the company that has purchased the specified firewall. For more
        information, see Firewall License window: Company tab on page 661.




Firewall License window: Firewall tab
Use the Firewall tab of the Firewall License window to specify the information about the firewall that is
required to obtain a license. To view the fields on this tab, see Figure 286 on page 658.

Accessing this tab
1 In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License
  window is displayed.

2 Make sure that the Firewall tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Firewall ID — [Read-only] Displays the Firewall ID for the firewall.

• Firewall version — [Read-only] Displays the version and patch level of the firewall (for example, McAfee
  Firewall Enterprise 7.0.1.00).

• Serial number — Specify the 16-digit alphanumeric serial number for the specified firewall. The serial
  number is located on the firewall Activation Certificate. You must include the dashes when specifying the
  serial number in this field.

• Activation URL — Displays the URL for the McAfee Web site to which the licensing information is
  submitted.

• Import Key — If you do not have access to the Internet from the firewall or your local network, you
  cannot use the URL displayed in the Activation URL field to submit your data. Use this button to import an
  activation key that you have obtained by another method and have saved to a file.

• Activate Firewall — Submit the information required to obtain an activation key from the McAfee
  licensing Web site.

Tabs
The Firewall tab has the following tabs:
• Activation Key

• Features

Activation Key tab
The Activation Key tab displays the activation key that has been obtained from McAfee Corporation for the
specified firewall.

Features tab
The Features tab displays the features that are available for the specified firewall and the licensing status of
each feature.
This tab has the following field and buttons:
• Feature Name — Displays the features that are available for the firewall.

• License Status — Displays the current licensing status associated with each feature.

• Expiration — Displays the expiration date for the feature.

• Refresh — Update the table display.




      Firewall License window: Contact tab
      Use the Contact tab of the Firewall License window to provide information that is needed to communicate
      with the administrator of the specified firewall.
      Note: If you have used the Common License Information window of the Administration Tool to specify contact
      and company information applicable to the specified firewall, click Copy from Default to specify the information
      that is required to complete this tab.

      Figure 287 Firewall License window: Contact tab




      Accessing this tab
      1 In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License
        window is displayed.

      2 Select the Contact tab.

      Fields and buttons
      This tab has the following fields and buttons. Field names that are enclosed in parentheses are optional.
      • First Name — Specify the first name of the administrator.

      • Last Name — Specify the last name of the administrator.

      • Email — Specify the E-mail address of the administrator.

      • Primary Phone — Specify the telephone number for contacting the administrator. The area code must
        be included.

      • (Alternate Phone) — Specify a secondary telephone number for contacting the administrator.

      • (Fax) — Specify a fax number for communicating with the administrator.

      • (Job Title) — Specify the administrator's job title.

      • (Purchased From) — Specify the name of the company from which the firewall has been purchased.

      • (Comment) — Provide miscellaneous information about the site.




Firewall License window: Company tab
Use the Company tab of the Firewall License window to provide information about the company that has
purchased the specified firewall.
Note: If you have used the Common License Information window of the Administration Tool to specify contact
and company information applicable to the specified firewall, click Copy from Default to specify the information
that is required to complete this tab.

Figure 288 Firewall License window: Company tab




Accessing this tab
1 In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License
  window is displayed.

2 Select the Company tab.

Fields and buttons
This tab has the following fields and buttons:
• Company Name — Specify the name of the company that has purchased the firewall.

• Industry Classification — Select the classification that most closely matches the industry in which your
  company is involved (for example, Government, Manufacturing, Transportation).

Tabs
This tab has the following tabs:
• Company Address

• Billing Address

Company Address tab
The Company Address tab has the following fields:
• Address — Specify the company's street address.

• City — Specify the city in which the company is located.




       • State/Province — Specify a state in the US, Washington D.C., or the keyword Other.... If Other... is
         selected, the following field is displayed:

          • State/Province (Non-US) — Specify the name of a state or province outside the US.

       • Postal (zip) Code — Specify the ZIP code for a US company or the alpha-numeric postal code for a
         company outside the US.

       • Country — Specify the country in which the company is located.

       Billing Address tab
       The Billing Address tab has the following fields and buttons.
       Note: If the information for the billing address is the same as that provided for the company address, click Copy
       From Company Address to specify the information that is required to complete this tab.

       • Address — Specify the street address for the company's billing.

       • City — Specify the city for the company's billing.

       • State/Province — Specify a state in the US, Washington D.C., or the keyword Other... for the
         company's billing. If Other... is selected, the following field is displayed:

          • State/Province (Non-US) — Specify the name of a state or province outside the US.

       • Postal (zip) Code — Specify the ZIP code for a US company or the alpha-numeric postal code for a
         company outside the US for the company's billing.

       • Country — Specify the country for the company's billing.

       • Clear — Clear the displayed values.



Control Center maintenance
       You can manage the following Control Center Management Server objects from the Maintenance group bar
       of the Configuration Tool:
       • Server logs — See Viewing Management Server logs on page 663.

       • Server properties — See Configuring Management Server properties on page 664.

       • Firewall audit export settings — See Exporting firewall audit files that are stored on the Control Center on
         page 667.

       • Backing up configuration files — See Creating backup files of your Management Server data by using the
         GUI on page 123.

       • Restoring configuration files — See Restoring the Management Server configuration files from a backup
         file on page 126.




 Viewing Management Server logs
 Use the Server Logs window to view various types of server logs. The tree displayed to the left shows the
 log groups and the associated logs, while the content window displays the selected log information.
Figure 289 Server Logs window




 Accessing this window
 In the Configuration Tool, Administration Tool, Reporting and Monitoring Tool and the Software Updates
 Tool, from the System menu, select Server Logs. The Server Logs window is displayed.
 Additionally, in the Configuration Tool, you can access this window by performing the following steps:
 1 Select the Maintenance group bar.

 2 Beneath the Control Center Maintenance node, double-click the Server Logs sub-node. The Server Logs
    window is displayed.

 Fields and buttons
 This window has the following fields and buttons:
 • Refresh — Reload the Server Log list that is displayed in the tree on the left.

 • Find — Find matches in the log content area for the text that you have specified. The previous search
   strings are kept for as long as the Server Logs window remains open.

 • Export — Export the displayed log content, in plain text format, to a local platform.

 • Close — Close this window.

 • Show all lines — Specify the number of lines to be displayed at one time. Some of these values are
   pre-set (for example, Show all lines, Show last 50 lines, or Show last 100 lines) or you can select
   Select number of lines to define a number of your choice. When specifying the latter, click Show to
   display the result.




      Configuring Management Server properties
      Use the Server Property Editor window to display and edit Control Center Management Server properties
      and add new properties. After editing any existing value or introducing a new property, the Control Center
      Management server must be restarted for these changes to take effect.
      Note: When you restart the server to invoke any change made to the server properties, only the server
      application (Tomcat) will be restarted, not the server device hardware.

      Figure 290 Server Property Editor window




      Accessing this window
      1 In the Configuration Tool, select the Maintenance group bar.

      2 Beneath the Control Center Maintenance node, double-click the Server Properties Editor sub-node.
           The Server Property Editor window is displayed.

      or
      In the Configuration Tool and in the Administration Tool, from the System menu, select Server Property
      Editor. The Server Property Editor window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Property — [Read-only] Displays the property name. The following properties are displayed:

           • management.server.version — [Read-only] Displays the version of the Management Server.

           • logging.level — Specify how much log information the Management Server writes. Values range from
             the least verbose level (INFO) to the most verbose level (ALL). The default value is FINE. The
             following values are available:

             • INFO

             • CONFIG

             • FINE (This is the default value.)

             • FINER

             • FINEST

             • ALL



   • logging.console — Determines whether logging data should be sent to the console. The default value
     is selected.

   • compliance.grace.period — Specify the maximum number of minutes after the scheduled time of
     the compliance report to actually run the compliance report. This is used if the Management Server is
     down when a compliance report is scheduled to be run and the server comes back up within this
     specified timeframe. The default value is 20 minutes.

   • compliance.stored.days — Specify the number of days of stored compliance reports to keep. All
     reports that are older than this value will be deleted. The default value is 30.

   • compliance.report.path — Specify the location at which saved compliance reports are stored.

   • apply.allEndpoints — Determines whether all network objects in the Control Center will be applied
     to a firewall. If this checkbox is selected, all objects will be applied. If this checkbox is cleared, only
     those network objects that are used in the firewall’s configuration will be applied. The default value is
     cleared.

   • apply.allServices — Determines whether all proxy and filter services will be applied. If this checkbox
     is cleared, only those proxy and filter services that are used in this firewall’s configuration will be
     applied, plus the pre-defined proxy services. If this checkbox is selected, all defined services will be
     applied. The default value is cleared.

   • apply.allTimePeriods — Determines whether all time period objects in the Control Center will be
     applied to a firewall. If this checkbox is selected, all time period objects will be applied. If this checkbox
     is cleared, only those time period objects that are used in the firewall’s configuration will be applied.
     The default value is selected.

   • apply.restart — Determines whether, after a restart of the firewall, the Management Server will
     attempt to re-apply a firewall's configuration if the last attempt to apply the configuration failed
     because the firewall was down. The default value is selected.

   • apply.ipsDefaults — Determines whether the default IPS signature groups and response mappings
     should be applied to a firewall, even if they are not being used. The default value is selected.

   • ips.UpdateSignatureCategories — Determines whether, when the Management Server receives a
     new IPS update package from the firewall, in addition to updating the list of IPS signatures, the
     Management Server will also update the configuration of the default IPS signature groups. The default
     value is selected.

   • processing.rules.file.path — Specify the location at which the alert processing rules configuration
     file is stored. The default value is /usr/local/common/dcserver/conf/rules_template.xml.

   • processing.rules.email.sender — Specify the e-mail account from which the alert e-mail messages
     will be sent. The default value is alerter.

   • priority.mappings.file.path — Specify the location of the file in which the Control Center priority
     mappings are stored. The default value is
     /usr/local/common/dcserver/conf/priorityMapping.properties.

   • update.history.file.path — Specify the location of the file in which the Management Server stores
     the history of updates that have been applied. The default value is
     /usr/local/tomcat/webapps/cm/WEB-INF/updates/update_history.txt.

   • update.package.path — Specify the directory in which the Control Center updates are stored. The
     default value is /usr/local/tomcat/webapps/cm/WEB-INF/updates/.

   • update.auto — Determines whether the Management Server will automatically update the firewall
     ccmd packages if they are determined to be out of date. The default value is selected.
   • installed.updates.path — Specify the location of the file in which the Management Server stores the
     list of updates that have been installed for this release. The default value is
     /usr/local/tomcat/webapps/cm/WEB-INF/updates/installed_updates.txt.



         • backup.auditlogs — Determines whether the audit log files will be backed up when a backup is
           performed. The default value is cleared.

         • backup.dbbackups — Determines whether the database files will be backed up when a backup is
           performed. The default value is cleared.

         • ccqsize — Specify the number of concurrent configurations that the Management Server will build
           during an apply or validate. The default value is 15.

         • msqsize — Specify the number of concurrent messages that the Management Server will send out to
           managed firewalls. The default value is 15.

         • firewall.sweep — Specify the frequency (in minutes) that the Management Server will check for
           unresponsive firewalls. Firewalls that have not sent an updated status in the specified number of
           minutes will be considered to be down. The default value is 5.

         • session.timeout — Specify the number of minutes to wait before the Management Server will clear
           out an inactive client session. The default value is 15.

         • debug.retainRetrieveXml — Determines whether the Management Server should retain
           configuration bundles that have been obtained from a firewall during a retrieve. The default value is
           selected.

         • license.url.cc — Specify the default URL that is used to obtain a Control Center license. The default
           value is https://ssl.securecomputing.com/cgi-bin/cc-activation.cgi.

         • license.url.sw — Specify the default URL that is used to obtain a firewall license. The default value is
           https://ssl.securecomputing.com/cgi-bin/sidewinder-activation.cgi.

         • license.backupurl.cc — Specify the backup URL to use to obtain a Control Center license if the
           primary URL is unresponsive. The default value is https://66.45.10.76/cgi-bin/cc-activation.cgi.

         • license.backupurl.sw — Specify the backup URL to use to obtain a firewall license if the primary URL
           is unresponsive. The default value is https://66.45.10.76/cgi-bin/sidewinder-activation.cgi.

         • hdd.size.threshold — Specify the threshold of the percentage of used hard drive space before an
           alert is generated based on Management Server disk space. The default value is 80.

         • update.nodename.interval — Specify the frequency (in hours) that a task is run to ensure that the
           firewall status table has the correct nodename information for each firewall. The default value is 6.

         • audit.export.cron — Specify the time at which the audit export will occur. By default, it occurs nightly
           at 2:30 AM. However, you can use this property to override that setting. For more information about
           the values for this property, see Exporting firewall audit files that are stored on the Control Center on
           page 667. The default value is 0 30 2 * * ? *.

      • Value — [Read-only] Displays the value of the associated property name.

      • OK — Save the changes that were made on this window.

      • Cancel — Close this window without saving any changes.

      • Add — Displays the Add New Property window, in which new properties can be defined.




666   McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Control Center maintenance




Exporting firewall audit files that are stored on the Control Center
Use the Export Settings for Control Center Firewall Audit Files window to export firewall audit log files that
were written to the Control Center Management Server to a remote location. With this window, you can
also configure a different export setting for each configuration domain.
Although you configure the events that trigger the exportation in this window, the actual default
exportation of this information occurs at 2:30 AM, Management Server time, unless you have edited the
audit.export.cron property in the Server Property Editor window. If you edit this property value, the
exportation will occur at the time that you specify.
Refer to the following table for the components of the audit.export.cron property. It consists of the
following fields, separated by spaces. The asterisk (*) wildcard character can be used in any field; the
question mark (?) character, which is an inclusive character, can be used in the Day Of Month and Day Of
Week fields only.
Table 26 Fields for the audit.export.cron property
Field number        Field name                            Allowed values
1                   Seconds                               0–59
2                   Minutes                               0–59
3                   Hours                                 0–23
4                   Day Of Month                          1–319
5                   Month                                 1–12
6                   Day Of Week                           1–7
7                   Year (optional)                       empty or 1970–2099


For example, the following string indicates that the export would occur at 2:30 AM every day of the week:
    0 30 2 * * ? *
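As an added illustration (not code from this guide or from Control Center), the following Python validates an audit.export.cron value against the field layout in Table 26 and computes the next export time after a given instant. It assumes the Quartz convention for Day Of Week (1 = Sunday through 7 = Saturday), which the guide does not state, and treats the Day Of Month upper bound as 31.

```python
"""Validate the audit.export.cron property and compute the next export time.

Added example; the field layout follows Table 26 of the guide.
"""
from datetime import datetime, timedelta

# (field name, minimum, maximum) for the seven space-separated fields.
# Table 26 prints the Day Of Month range as 1-319; a calendar day of the
# month cannot exceed 31, so 31 is used here.
FIELDS = [
    ("Seconds", 0, 59),
    ("Minutes", 0, 59),
    ("Hours", 0, 23),
    ("Day Of Month", 1, 31),
    ("Month", 1, 12),
    ("Day Of Week", 1, 7),
    ("Year", 1970, 2099),
]
ANY = None  # marker for '*' or '?': the field matches every value


def _parse_field(text, name, lo, hi):
    """Parse one field into a sorted list of allowed integers, or ANY."""
    if text == "*":
        return ANY
    if text == "?":
        # The guide allows '?' only in the two day fields.
        if name not in ("Day Of Month", "Day Of Week"):
            raise ValueError(f"'?' is only allowed in Day Of Month and Day Of Week, not {name}")
        return ANY
    values = set()
    for part in text.split(","):          # comma lists such as 1,15 or 1-5,7
        lo_s, _, hi_s = part.partition("-")
        try:
            start = int(lo_s)
            end = int(hi_s) if hi_s else start
        except ValueError:
            raise ValueError(f"{name}: cannot parse '{part}'") from None
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{name}: '{part}' is outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return sorted(values)


def parse_cron(expr):
    """Split the property into its fields and validate each one.

    Returns a list of 7 entries (ANY or a sorted list of ints). The optional
    Year field is treated as ANY when it is omitted.
    """
    parts = expr.split()
    if len(parts) == 6:
        parts.append("*")
    if len(parts) != 7:
        raise ValueError(f"expected 6 or 7 space-separated fields, got {len(parts)}")
    return [_parse_field(p, *spec) for p, spec in zip(parts, FIELDS)]


def _matches(allowed, value):
    return allowed is ANY or value in allowed


def next_export(expr, after):
    """Return the first datetime strictly after `after` at which the export fires.

    Day Of Week uses the Quartz numbering 1 = Sunday .. 7 = Saturday; this is
    an assumption of this example, the guide only gives the range 1-7.
    """
    sec, minute, hour, dom, month, dow, year = parse_cron(expr)
    secs = range(60) if sec is ANY else sec
    mins = range(60) if minute is ANY else minute
    hours = range(24) if hour is ANY else hour
    day = after.date()
    for _ in range(366 * 2):              # search at most two years ahead
        quartz_dow = (day.weekday() + 1) % 7 + 1   # Python: Monday=0, Sunday=6
        if (_matches(year, day.year) and _matches(month, day.month)
                and _matches(dom, day.day) and _matches(dow, quartz_dow)):
            for h in hours:
                for m in mins:
                    for s in secs:
                        candidate = datetime(day.year, day.month, day.day, h, m, s)
                        if candidate > after:
                            return candidate
        day += timedelta(days=1)
    raise ValueError("no matching time within two years")


if __name__ == "__main__":
    # The guide's default value: 2:30 AM every day.
    print(next_export("0 30 2 * * ? *", datetime(2009, 3, 10, 2, 30, 0)))
```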
Figure 291 Export Settings for Control Center Audit Files window








      Accessing this window
      1 In the Configuration Tool, select the Maintenance group bar.

      2 Beneath the Control Center Maintenance node, double-click the Firewall Audit Export Settings
         sub-node. The Export Settings for Control Center Firewall Audit Files window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Enable export of Firewall audit files from Control Center to a remote location. — Determines
        whether to establish the parameters in this window to trigger an export of existing firewall audit files to
        a remote location. The default value is cleared. If you select this checkbox and the criteria are met and the
        files are exported, the audit files are deleted from the Control Center Management Server after the export
        is successful.

      • Retention Settings — Use the fields in this area to determine the conditions for exporting the audit files.
        The following fields are available:

         • Export audit files that are older than n days — Determines whether to set a date condition for
           exportation, that is, files are exported after they have been stored on the Control Center Management
           Server for a certain number of days. If you select this checkbox, you must also configure the number of
           days for this condition. The default value is cleared.

         • Limit the combined size of all of the audit files — Determines whether to set a file size condition
           for exportation, that is, files are exported after a certain combined file size limit is reached.
           If you select this checkbox, you must also configure the other fields in this group to define this
           condition:

             • Size limit — Indicates the number for the combined size of all of the audit files from firewalls that
               are stored on the Management Server. The default value is 0.

             • Unit — Indicates the measurement unit for the value that was specified in the Size Limit field. The
               available values are MB and GB. The default value is MB.

         • Current Partition Usage — [Read-only] Use the fields in this area to view existing information about
           the size of the partition on the Management Server that contains all of the firewall audit log files. The
           three fields indicate the amount of space that is currently used by audit log files (Used), the amount
           of space that is available for additional log files (Available), and the percentage of space in the
           partition that is currently being used (Percentage Used). In the Used and Available fields, the
           following abbreviations are used: M = MB, K = KB, G = GB, and B = bytes.

      • Remote Location — Use the fields in this area to specify information about the target remote location
        so that the audit log files can be successfully exported. The following fields are available:

         • Export using — Specify the type of file transfer to be used for this export. The following values are
           available:

             • SCP — Indicates that Secure Copy (SCP) is used for the transfer. This is the default value.

             • FTP — Indicates that File Transfer Protocol (FTP) is used for the file transfer.

             • FTPS — Indicates that File Transfer Protocol Secure (FTPS) is used for the file transfer.

         • Username — Specify the user name that will be used to authenticate with the remote location for this
           file transfer.

         • Password — Specify the password that will be used to authenticate with the remote location for this
           file transfer.

         • Hostname — Specify the hostname of the remote location for this file transfer.








   • Port — Specify the port that will be used for this file transfer. The default value for this field is
     determined by the value that you have selected in the Export using field. The following default values
     are displayed, according to protocol:

       • For SCP, the default value is 22.

       • For FTP, the default value is 21.

       • For FTPS, the default value is 990.

   • Directory — Specify the remote directory that will be used for this file transfer.

• (Informational message) — [Read-only] The text in this message changes, depending on whether you
  have selected the first checkbox in this window. If you select the first checkbox, make sure that you read
  this message.

• OK — Save the export settings that you have configured. Note again that the actual export will not occur
  until 2:30 AM or the time that is specified in the audit.export.cron property of the Server Property Editor
  window. Audit files will be deleted after they have been successfully transferred.

• Cancel — Close this window without saving any export settings. No export will occur.


Customizing the Configuration Tool
Use the Configuration Tool Startup Options window to configure the appearance of the Configuration Tool
when it is started. It allows the administrator to configure which windows to load initially when the tool is
opened and has an optional feature to open the tool with the configuration that existed when the tool was closed.
Figure 292 Configuration Tool Startup Options window




Accessing this window
In the Configuration Tool, from the System menu, select Startup Options. The Configuration Tool Startup
Options window is displayed.








      Fields and buttons
      This window has the following fields and buttons:
      • Save layout on exit — Determine whether to open the Configuration Tool in the same configuration that
        it was in when it was closed. The docking state is not preserved. Selecting this option disables the
        Windows loaded at startup list.

      • Windows loaded at startup — Displays the windows that are open and the order in which they are
        opened and are presented in the work area of the Configuration Tool when it is initially started.

      • Windows Available at startup — Displays the windows that are not opened or displayed in the work
        area of the Configuration Tool when it is initially started.

      • (Navigational buttons) — Use these buttons to add, remove, and order the windows that are opened
        at startup.

         •       — Move selected items in Windows Available at startup column to the Windows loaded at
             startup column.

         •       — Move selected items in Windows loaded at startup column to the Windows Available at
             startup column.

         •       — Move selected items in Windows loaded at startup column up one row.

         •       — Move selected items in Windows loaded at startup column down one row.

      • Object Details settings — Use the options in this area to determine whether the Object Details
        information will be displayed as a tab page (Launch as a tab page) or in a docked state (Launch in
        docked state). Select the startup option for this information.

      • OK — Save changes that were made in this window.

      • Cancel — Close this window without saving any changes.

      • Restore Default — Determines whether to restore the default configuration.




10 Reporting and Monitoring Tool
       Contents
       Reporting and Monitoring Tool
       Alerts
       Secure Alerts Server
       Firewall reports in the Reporting and Monitoring Tool



Reporting and Monitoring Tool
       The Reporting and Monitoring Tool aggregates all of the McAfee Firewall Enterprise (Sidewinder) monitoring
       and reporting functions of the McAfee Firewall Enterprise Control Center into a single tool. The main
       purpose of the Reporting and Monitoring Tool is to provide a way to centrally monitor alert activity and to
       generate reports for multiple firewalls.
       Use the features and functions of the Reporting and Monitoring Tool to monitor the operational status of the
       supported firewalls, generate a wide range of reports, and manage a user-configurable set of alerts that are
       generated by the firewalls. Alert processing rules are managed by using the Configuration Tool. For more
       information, see Configuring IPS attack responses on page 609.
       The alert management functions and operations form the foundation of this tool. The primary focus of this
       tool is to identify alerts and use various interfaces and reports to investigate the causes and to correct the
       conditions of multiple firewalls from a central location.








      Viewing the properties of a firewall
      Use the McAfee Firewall Enterprise Properties window to view configuration parameters that are associated
      with the selected firewall. These parameters are configured on the Firewall window in the Configuration
      Tool. For more information, see Configuring the firewall on page 170.
      Figure 293 McAfee Firewall Enterprise Properties window




      Accessing this window
      1 In the Reporting and Monitoring Tool, select the Firewalls group bar.

      2 Click the Firewalls node in the tree to expand the view of firewalls.

      3 Right-click one of the defined firewall objects and select Properties. The McAfee Firewall Enterprise
         Properties window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Name — [Read-only] Displays the name of the firewall object as it appears in the list of firewalls in the
        Firewalls group bar.

      • Description — [Read-only] Displays information about the firewall and its configuration.

      • Node Name — [Read-only] Displays the host name by which the system identifies itself during network
        and login connections.

      • Configuration — [Read-only] Use the fields in this area to view information about the firewall and its
        location. The following fields are available:

         • Firewall Mgmt Address — [Read-only] Displays the IP address of the network interface on the
           firewall that the Control Center uses to manage the firewall.

         • Firewall Mgmt Port — [Read-only] Displays the port number that the firewall uses to communicate
           with the Control Center Management Server.

         • Version — [Read-only] Displays the version of software installed on the firewall.








   • Time Zone — [Read-only] Displays the time zone in which the firewall is located.

   • Location — [Read-only] Displays user-defined location information.

   • Contact — [Read-only] Displays the contact information for this firewall. The Administrator e-mail
     address will be displayed in this field. This is the e-mail address that was configured on and retrieved
     from the firewall.

   • Enable IPv6 — Not available on this window.

• Management Servers — [Read-only] Use the fields in this area to view the Management Servers that
  manage this firewall. The following fields are available:

   • Host Name — [Read-only] Displays the fully qualified host name of the Management Server.

   • IP address — [Read-only] Displays the IP address that this firewall uses to reach the server.

• Firewall Properties — [Read-only] Use this table to view user-defined category and value pairs.

• Mail Configuration — Use the fields in this area to view information about the mail configuration for this
  firewall. The following fields are available:
   • SMTP Mode — [Read-only] The following values can be displayed:

        • Secure Split SMTP — Indicates that the firewall-hosted sendmail servers are used. Select this option to
          take advantage of such sendmail features as header stripping, spam and fraud control, and mail
          routing.

        • Transparent — Indicates that mail is passed by proxy through the firewall. Select this option to ensure
          that only the files that are necessary to send administrative messages will be configured. These
          include firewall-generated alerts, messages, and logs.

   • Internal SMTP Burb — [Read-only] Displays the burb in which your site's SMTP server resides.

• Close — Close this window without saving any changes.


Investigating alerts
Often, the root cause of an alert is obvious as indicated by the content of the associated message.
However, for those alerts that have been generated when the root cause or the corrective action is not
self-evident, you can use the other resources in the Reporting and Monitoring Tool to investigate the cause
and to correct the condition that generated the alert.
You can accomplish the following tasks by using the features, functions, and reports in the Reporting and
Monitoring Tool:
• Browse alerts — The Alert Browser page provides a summary of firewall-generated alerts. Use this page
  to:

   • Visually examine a summary of each alert.

   • Sort and manage how the alerts are displayed.

   • Acknowledge alerts.

   • Clear, annotate, and review the actions that were taken for each alert.

   • Review alert messages.

   • Determine the time at which an alert occurred so that you can investigate the activities that were
     logged when the alert occurred.

   For more information, see Alerts on page 677.








             • Evaluate the status of the Secure Alerts Server — An integrated Secure Alerts Server collects the
               alerts, activities, and events that are generated by the supported firewalls, it normalizes the data, and it
               stores the data in the Secure Alerts Server database. This data becomes the source for the information
               that is displayed in the Alert Browser and in the Event Browser. Use the Secure Alerts Server Status page
               to view the status of the associated server. For more information, see Secure Alerts Server on page 686.

             • Determine firewall status — A comprehensive visual display of the operational status for all the
               supported firewalls is provided. The Firewall Status page lists firewall-specific status information for each
               supported firewall that is configured in your system. For more information, see Viewing the overall status
               of your firewalls on page 574.

             • Manage audit reports — Use the Reporting and Monitoring Tool to generate user-defined,
               firewall-specific audit reports based on the audit log data that is sent to the Management Server by each
               configured firewall. For more information, see Firewall audit reports on page 624.

             • Generate and view firewall-specific reports — Use the Reporting and Monitoring Tool to generate
               and display a variety of firewall-specific reports. For those reports that require it, you provide the
               report-specific parameters or options for the specific report that is being generated through the provided
               interface. For more information, see Firewall reports in the Reporting and Monitoring Tool on page 689.


             Column data
             This table lists the definitions for the various column headings when you are viewing alerts and events in
             the Reporting and Monitoring Tool. Each row in this table specifies the name that is used for the column
             heading, the view of the data that supports the heading entry, and a definition of the heading content.
Table 27 Column heading definitions
Column Heading            View               Description
Name
Ack                       Alert Browser      Select this checkbox to acknowledge the associated alert. After an alert is acknowledged,
                                             you cannot revert its status. When an alert is acknowledged, you must annotate the alert
                                             record by using the Alert Browser page.
Id                        Alert Browser      Unique alert identifier assigned by the Secure Alerts Server.
ID                        Event Browser
Status                    Alert Browser      Current status of the alert. The available values are: Open or Closed.
Priority                  Alert Browser      Priority that is assigned to the alert. There are five levels of priority, listed below from the
                                             highest value to the lowest value, with the color used for the alert:
                                               1  Critical      Red
                                               2  High          Orange
                                               3  Low           Yellow
                                               4  Warning       Green
                                               5  Information   <transparent>
Name                      Alert Browser      Name of the alert as defined by the sending firewall.
                          Event Browser
Event Type                Alert Browser      Type of event as defined by the sending firewall.
Event                     Event Browser
Count                     Alert Browser      Number of alerts of this class for a specific firewall.
Processing Rule           Alert Browser      Name of the alert processing rule.
Alarm                     Alert Browser      Name of the alert alarm.
Alarm Sound               Alert Browser      Name of the alarm sound.
Device Id                 Alert Browser      Identification of the firewall.








Table 27 Column heading definitions (continued)
Column Heading             View               Description
Name
Type                       Event Browser      Type of the alert as defined by the Secure Alerts Server. All alerts from each supported
                                              firewall are classified by using a class/type relationship. The class and type relationship
                                              information that is displayed as column data in the Alert Browser page and in the Event
                                              Browser window can be determined by using the hierarchy of class/type data relationships
                                              that are displayed in the Alert Filter window.
Device Name                Alert Browser      Name that was assigned to the specific firewall when the firewall was configured or Local
                                              CC Server to represent the Management Server.
Device Address             Alert Browser      Dotted decimal IP address for the firewall.
Device Type                Alert Browser      Type of the firewall.
Acknowledge Count          Alert Browser      Number of alerts that were acknowledged.
Annotation                 Alert Browser      Annotation message for that alert.
Reason                     Alert Browser      Information in the reason field for the alert.
                           Event Browser
Source Address             Alert Browser      Dotted decimal IP address of the originating node for the specific alert (if known).
                           Event Browser
Source Burb                Alert Browser      Associated source burb that is in use for the specific alert (if known).
                           Event Browser
Source Port                Alert Browser      Associated source port number that is in use for the specific alert (if known).
                           Event Browser
Destination Address        Alert Browser      Dotted decimal IP address of the destination node for the specific alert (if known).
                           Event Browser
Destination Burb           Alert Browser      Associated destination burb that is in use for the specific alert (if known).
                           Event Browser
Destination Port           Alert Browser      Associated destination port number that is in use for the specific alert (if known).
                           Event Browser
Attack Address             Event Browser      Dotted decimal IP address of the attack node for the specified alert (if known).
Protocol                   Alert Browser      Associated protocol that is in use for the specific alert (if known).
                           Event Browser
Interface                  Event Browser      Associated interface that is in use for the specified alert (if known).
User                       Alert Browser      Associated user name for the specific alert (if known).
                           Event Browser
Message                    Alert Browser      Associated message for the specific alert (if known).
                           Event Browser
Description                Alert Browser      Description of the alert.
Duration                   Alert Browser      Time, in milliseconds, between the First Time and Last Time.
Start Time                 Alert Browser      Time stamp for the first time that the alert was generated from the perspective of the local
                                              clock for the Secure Alerts Server.
Stop Time                  Alert Browser      Time stamp for the last time that the alert was generated from the perspective of the local
                                              clock for the Secure Alerts Server.
Acknowledge Time           Alert Browser      Time stamp of the time that the alert was acknowledged from the perspective of the local
                                              clock for the Secure Alerts Server.
Closed Time                Alert Browser      Time stamp that reflects the time at which the alert was closed.
Last Update Time           Alert Browser      Time stamp that reflects the time at which the alert was last updated.
Time                       Event Browser      Time that the event occurred.








      Mapping sound files to alarms
      Use the Alarm Sound Mappings window to select the sound that is mapped to the specified alarm sound.
      You can specify up to five different alarm sound options (1-5) and each one can be loaded with a sound file
      of your choice.
      Figure 294 Alarm Sound Mappings window




      Accessing this window
      In the Reporting and Monitoring Tool, from the View menu, click Alarm Sound Mapping. The Alarm Sound
      Mappings window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Alarm Sound 1 - 5 — One area for each of the five alarm sounds that can be mapped.

      • Use Default — Specify the default sound file for the associated alarm sound.

      • Specify — Specify an alternate sound file to the file that is currently assigned to the associated alarm
        sound.

      • Browse — The Open window is displayed, in which you can search for the file that you want to use.

      • OK — Save the changes that were made on this window.

      • Cancel — Close this window without saving any changes.

      Mapping a sound to a given alarm sound
      1 In the area for the alarm sound that you are mapping, click Use Default or Specify.

      2 If you selected Use Default, skip to step 4.
         or
         If you selected Specify, specify the name of the alternate sound file. Go to step 4.
         or
         Click Browse to locate the desired sound file.

      3 When you find the file, double-click it to insert the value into the Specify field.

      4 Click OK to save your changes.







Alerts
         The Alert Browser page provides a summary of firewall-generated alerts that have been configured to send
         alerts to the Secure Alerts Server. (For more information, see Secure Alerts Server on page 686.)
         Use the Alert Browser page to visually examine a summary of each alert, sort and manage how the alerts
         are displayed, acknowledge and clear alerts, annotate and review actions taken for each alert, review alert
         messages, and determine the time at which an alert occurred so that you can investigate the activities that
         were logged during the same period of time.
         Each alert that is displayed in the Alert Browser represents a summary of similar events that are generated
         by the same firewall. The number of similar events is displayed in the Count field. (For more information
         about the content of the columns, see Column data on page 674.)
         The individual events that are associated with an alert can be viewed by using the Event Browser window.
         There are several different ways to access the individual events that are associated with an alert:
         • Highlight an alert and select (Events)

         • From the Options menu, select Events to display the Event Browser window
         • Click the Events button in the middle of the Event Browser page.
         You can then view the associated events.
         The main objective of the Alert Browser page is to allow you to quickly identify the alerts that are being
         generated by the configured firewalls, acknowledge them, annotate the corrective actions that are taken,
         resolve the problem, and clear the alert.
         Several interfaces are available to investigate and clear alerts. To help you understand how to manage
         alerts, you must first understand that alerts have three states:
         • Open — These are new alerts that have been identified for which no action has been taken. This is the
           initial state of all alerts as they are generated.

         • Acknowledged — These are alerts that have been acknowledged and that are in the process of being
           investigated and corrected. An alert can be acknowledged in any of the following ways:

             • Select the Ack checkbox on the Alert Browser page

             • Highlight one or more alerts and click (Ack)
               or
               From the Options menu, select Ack.

             • Select the Acknowledge checkbox on the Alert Browser page.

         • Cleared — These alerts have been acknowledged and corrected. An alert can be cleared by selecting the
           Clear button on the Alert Browser page, or by highlighting one or more alerts and clicking        (Clear) or
           clicking Clear from the Options menu. If an open alert is cleared, the alert is automatically acknowledged.
           When an alert is cleared, a message is sent to the associated firewall to set the alert count to zero. This
           occurs only if the firewall is currently communicating with the Management Server.
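The three alert states and the transitions described above, as an added Python model that is not Control Center code: similar events from one firewall fold into a single alert whose Count grows, acknowledging is one-way and must be annotated, clearing an Open alert acknowledges it first, and the count-to-zero message is sent only when the firewall is currently communicating with the Management Server. The firewall names, alert names and the set of reachable firewalls are constructed sample values.

```python
"""Model of the Alert Browser alert life cycle (added illustration)."""
from dataclasses import dataclass

OPEN, ACKNOWLEDGED, CLEARED = "Open", "Acknowledged", "Cleared"

# The five priority levels of Table 27, highest (1) to lowest (5), with the row color.
PRIORITY_COLORS = {
    1: ("Critical", "Red"),
    2: ("High", "Orange"),
    3: ("Low", "Yellow"),
    4: ("Warning", "Green"),
    5: ("Information", "<transparent>"),
}


@dataclass
class Alert:
    device_name: str      # firewall that sent the events
    name: str             # alert name as defined by the sending firewall
    priority: int
    count: int = 1        # number of similar events folded into this alert
    status: str = OPEN
    annotation: str = ""


class AlertBrowser:
    """Tracks alerts for a set of firewalls. `reachable` (constructed input) names
    the firewalls currently communicating with the Management Server."""

    def __init__(self, reachable):
        self.reachable = set(reachable)
        self.alerts = {}           # (device_name, name) -> Alert
        self.reset_messages = []   # keys for which a count-to-zero message was sent

    def receive_event(self, device_name, name, priority):
        """Similar events from the same firewall fold into one alert; Count grows."""
        key = (device_name, name)
        alert = self.alerts.get(key)
        if alert is None or alert.status == CLEARED:
            alert = Alert(device_name, name, priority)   # a new summary row
            self.alerts[key] = alert
        else:
            alert.count += 1
        return alert

    def acknowledge(self, key, annotation):
        """Open -> Acknowledged. Cannot be reverted; the record must be annotated."""
        alert = self.alerts[key]
        if alert.status != OPEN:
            raise ValueError(f"alert is {alert.status}; only Open alerts can be acknowledged")
        if not annotation:
            raise ValueError("an acknowledged alert must be annotated")
        alert.status = ACKNOWLEDGED
        alert.annotation = annotation
        return alert

    def clear(self, key, annotation="cleared without investigation"):
        """-> Cleared. An Open alert is acknowledged automatically first (the default
        annotation is an assumption of this model). Returns True when the
        count-to-zero message was sent to the firewall, which happens only if the
        firewall is currently communicating with the Management Server."""
        alert = self.alerts[key]
        if alert.status == CLEARED:
            return False
        if alert.status == OPEN:
            self.acknowledge(key, annotation)
        alert.status = CLEARED
        if alert.device_name in self.reachable:
            self.reset_messages.append(key)
            return True
        return False

    def view(self, show_open=True, show_ack=True, show_cleared=False):
        """Rows shown for a combination of the Display Open / Ack / Cleared options,
        each with the color its priority row is drawn in."""
        wanted = {s for s, on in ((OPEN, show_open), (ACKNOWLEDGED, show_ack),
                                  (CLEARED, show_cleared)) if on}
        return [(a.device_name, a.name, a.status, a.count, PRIORITY_COLORS[a.priority][1])
                for a in self.alerts.values() if a.status in wanted]
```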

         To manage alerts, you can activate any combination of the (Display Ack), (Display Open), or
         (Display Cleared) icons or options (from the Options menu) to view any combination of open,
         acknowledged, or cleared alerts at any time.
         Use (Columns) or click Columns from the Options menu to display the Column Selector window. Use
         this window to select the columns to display in the Alert Browser. (For more information about the
         displayed data, see Column data on page 674.)
         To further refine the alerts that are displayed on the Alert Browser page, use (Filters) or click Filter from
         the Options menu to display the Alert Filter window. Use this window to identify the firewalls, alert
         priorities, and/or alert status conditions to include in the subsequent display of alerts in the Alert Browser.








      Because each alert that is displayed in the Alert Browser represents a summary of similar alerts that are
      generated by the same firewall, you might have to view all of the related events that are associated with an
      alert to determine the root cause. That is the purpose of the Event Browser window. To view the events
      associated with an alert, highlight one or more alerts in the Alert Browser and click (Events) in the
      toolbar, or select Events from the Options menu.
      To investigate the cause of an alert, you can review the chronological activities that were recorded by the
      affected firewalls during a range of time around the time that the alert occurred. This is accomplished by
      noting specific information about the alert or selected alerts, such as:
      • Associated firewall

      • Date and time

      • Source and/or destination IP address


      Managing alerts
      Use the Alert Browser page to display a summary of the alerts that have been generated by the configured
      firewalls. (For more information, see Alerts on page 677.)
      The main objective is to allow you to quickly identify the alerts that are being generated by the configured
      firewalls, acknowledge each alert, annotate the corrective actions that are taken, resolve the condition, and
      clear the alert.
      Each line in the Alert Browser page represents a summary of all of the similar alert events for that firewall.
      The number of similar alert events is indicated in the Count column. To view the associated events,
      highlight one or more alerts and click Events in the middle of the page, click Events in the Options menu,
      or click (Events) in the toolbar. (For more information, see Viewing events for a specific alert on
      page 682.)
      To sort the displayed alerts in ascending or descending order by any column, click that column heading.
      Each row that is associated with an alert is color-coded to provide a visual indication of the priority of the
      alert. Refer to the following table of the alert priority colors:
      Table 28 Alert priorities
      Level   Priority       Row color
      1       Critical       Red
      2       High           Orange
      3       Low            Yellow
      4       Warning        Green
      5       Information    None (transparent)



      The first column in the table is the Row Number column. Click this column to highlight an alert. To highlight
      more than one alert, Ctrl+click each additional alert, or Shift+click to select a range of alerts.
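The alert life cycle that this page describes (one Alert Browser row per firewall and alert type with a Count; Ack as a one-time action that cannot be undone, after which further events of the same type increment the count and set an indicator; Clear implying Ack and sending a count reset to the firewall only when it is communicating; nightly removal of cleared alerts; and the status, firewall, and priority selections of the Alert Filter window) is modeled in the following Python. This is an added example, not Control Center code. The device and alert names are constructed, the updated_since_ack flag name is assumed, and how a new event is treated after its alert has been cleared is not stated in the guide, so the model's choice (start a fresh row) is an assumption.

```python
"""Model of the Alert Browser alert life cycle (open -> acknowledged -> cleared).

Added example, not Control Center code. Device and alert names used by
callers are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Priority levels from Table 28; 1 is the highest.
PRIORITY = {1: "Critical", 2: "High", 3: "Low", 4: "Warning", 5: "Information"}


@dataclass
class Alert:
    """One Alert Browser row: a summary of similar events from one firewall."""
    device_name: str
    name: str
    priority: int
    start_time: datetime                   # first occurrence (Secure Alerts Server clock)
    last_update_time: datetime
    count: int = 1                         # similar events rolled into this row
    status: str = "open"                   # open | acknowledged | cleared
    stop_time: Optional[datetime] = None   # set when the alert is acknowledged
    updated_since_ack: bool = False        # more events arrived after Ack (assumed flag name)
    annotations: List[str] = field(default_factory=list)


class AlertBrowser:
    def __init__(self) -> None:
        self.rows: List[Alert] = []                          # everything still on the page
        self._active: Dict[Tuple[str, str], Alert] = {}     # (firewall, name) -> row not yet cleared
        self.firewall_messages: List[Tuple[str, str]] = []  # count-reset messages sent to firewalls

    def ingest(self, device_name: str, name: str, priority: int, when: datetime) -> Alert:
        """Roll a new firewall event into its summary row, or open a new row."""
        key = (device_name, name)
        row = self._active.get(key)
        if row is None:
            # No open or acknowledged row for this firewall and alert type. Assumption:
            # an event that arrives after Clear starts a fresh row; the guide does not say.
            row = Alert(device_name, name, priority, when, when)
            self.rows.append(row)
            self._active[key] = row
            return row
        row.count += 1
        row.last_update_time = when
        if row.status == "acknowledged":
            row.updated_since_ack = True   # the Alert Browser shows an indicator for this
        return row

    def ack(self, row: Alert, when: datetime, note: str = "") -> None:
        """Acknowledge: a one-time action that cannot be undone."""
        if row.status == "cleared":
            raise ValueError("a cleared alert is already acknowledged")
        if row.status == "acknowledged":
            return
        row.status = "acknowledged"
        row.stop_time = when               # Stop Time is the acknowledgement time
        if note:
            row.annotations.append(note)

    def clear(self, row: Alert, when: datetime, firewall_online: bool) -> None:
        """Clear: implies Ack; resets the firewall's count only if it is communicating."""
        if row.status == "open":
            self.ack(row, when)
        row.status = "cleared"
        row.last_update_time = when
        self._active.pop((row.device_name, row.name), None)
        if firewall_online:
            self.firewall_messages.append((row.device_name, f"reset count: {row.name}"))

    def nightly_purge(self) -> int:
        """The nightly script removes cleared alerts; returns how many were removed."""
        before = len(self.rows)
        self.rows = [r for r in self.rows if r.status != "cleared"]
        return before - len(self.rows)

    def view(self, show_open: bool = True, show_ack: bool = False, show_cleared: bool = False,
             firewalls: Optional[Iterable[str]] = None,
             priorities: Optional[Iterable[int]] = None) -> List[Alert]:
        """Apply the Alert Filter window's status, firewall, and priority selections."""
        wanted: Set[str] = set()
        if show_open:
            wanted.add("open")
        if show_ack:
            wanted.add("acknowledged")
        if show_cleared:
            wanted.add("cleared")
        fw = set(firewalls) if firewalls is not None else None
        pr = set(priorities) if priorities is not None else None
        out = [r for r in self.rows
               if r.status in wanted
               and (fw is None or r.device_name in fw)
               and (pr is None or r.priority in pr)]
        return sorted(out, key=lambda r: (r.priority, r.start_time))
```

Because Ack is irreversible and Clear implies Ack, a row never moves backwards; the updated_since_ack flag is what tells an operator that an alert they already acknowledged is still firing, which is the case that deserves a second look before it is cleared.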








Figure 295 Alert Browser page




Accessing this page
In the toolbar of the Reporting and Monitoring Tool, click (Alert Browser)
or
From the View menu, select Alert Browser.

Tools and menu options
This page has the following options that can be accessed as tools from the toolbar, as menu options from
the Options menu, or as buttons directly on the page:
•      Columns — Select the columns of alert data that are to be displayed in the Alert Browser. The Column
    Selector window is displayed. For more information, see Configuring columns for the Alert Browser page
    on page 685.

•      Filters — Specify the alerts to be displayed in the Alert Browser. The Alert Filter window is displayed.
    For more information, see Filtering the alerts to be displayed in the Alert Browser on page 686.

•       Export Data — Export the selected alert data, in plain text format, to a file on the local platform. The
    Export Alerts File window is displayed, in which you specify the location and file name for the exported
    data.

•       Print — Print the selected alert data. The Print window is displayed, in which you can specify the
    printer name, the print range, and the number of copies.

•      Display Ack — Display the alerts that have been acknowledged. As a result of this selection, the
    associated checkbox is also selected in the Alert Filter window.








      •      Display Cleared — Display the alerts that have been cleared. As a result of this selection, the
          associated checkbox is also selected in the Alert Filter window.

      •      Display Open — Display the alerts that have not been acknowledged. As a result of this selection, the
          associated checkbox is also selected in the Alert Filter window.

      •      Annotate — Determines whether to enable annotations. The Annotate window is displayed, in which
          you can record any comments about the associated alert.

      •       Ack — Select the acknowledgement checkbox for this alert. This is a one-time activity for each alert
          and this action cannot be undone. The Annotate window is displayed, in which you can record any operator
          information to associate with the alert. To view alerts that have been acknowledged, click    (Display
          Ack) on the toolbar or click Display Ack in the Options menu.

          If an alert is acknowledged and more alerts of the same type on the same firewall occur, the alert
          count is incremented and an indicator icon is displayed for that alert in the Alert Browser.

      •      Clear — Clear the selected alerts. To view alerts that have been cleared, click   (Display Cleared) on
          the toolbar or click Display Cleared in the Options menu. Cleared alerts will remain visible until they are
          removed from the system. A script is automatically run each night to remove the cleared alerts. The time
          that this script runs is user configurable.

      •     Jump — Jump to a specified row number. The Jump To window is displayed, in which the selected row
          number is displayed.

      •       Events — Display the events that are associated with the selected alerts. To view the events that are
          associated with an alert, click the row number column (first column) to highlight the alert (or to highlight
          more than one alert, press Ctrl and click or press Shift and click). Then click   (Events) or click Events
          in the Options menu to display the Event Browser window.

      •      Preview Pane — Horizontally split the view display in half. This results in the top half of the display
          showing the detailed description of the selected alert and the bottom half showing the list of alerts.

      •        Alarm for Open — Display all events for Alarm Open only.

      •        Alarm for Ack — Display all events for Alarm Acknowledge only.

      •      Alert Update Summary — Select this checkbox to display the Alert Update Summary for the selected
          event.

      Fields and buttons
      This page has the following fields and buttons:
      • Columns at the top of the page — The columns that are displayed at any time are dependent on the
        columns that you select in the Column Selector window. For more information about the content of the
        columns, see Column data on page 674.

      • Alert Details tab — Use the fields on this tab to view more detailed information about the selected alert.

          • Alarm — [Read-only] Displays the name of the alert alarm.

          • Alarm Sound — [Read-only] Displays the name of the alarm sound.

          • Count — [Read-only] Displays the total count of the alerts of a particular kind.

          • Device Address — [Read-only] Displays the IP address of the firewall.

          • Device Id — [Read-only] Displays the identification of the firewall.

          • Device Name — [Read-only] Displays the name of the firewall.

          • Device Type — [Read-only] Displays the type of the firewall.

          • Duration — [Read-only] Displays the time, in milliseconds, between the start time and the stop time
            values.

          • Event Type — [Read-only] Displays the type of event as defined by the sending firewall.






    • Id — [Read-only] Displays the unique identification that is assigned to this alert by the Secure Alerts
      Server.

    • Last Update Time — [Read-only] Displays the time stamp of the time at which the alert information was
      last updated.

    • Message — [Read-only] Displays the associated message for the specific alert (if known).

    • Name — [Read-only] Displays the name of the activity as it is defined by the sending firewall.

    • Priority — [Read-only] Displays the priority that is assigned to the alert. There are five levels of
      priority, listed from highest to lowest:
         Table 29 Alert priorities
         Level   Priority       Row color
         1       Critical       Red
         2       High           Orange
         3       Low            Yellow
         4       Warning        Green
         5       Information    None (transparent)



    • Processing Rule — [Read-only] Displays the name of the alert processing rule.

    • Start Time — [Read-only] Displays the time stamp for the first time that the alert was generated from
      the perspective of the local clock for the Secure Alerts Server. Because this value comes from the Secure
      Alerts Server clock, allow for any clock difference between that server and the firewall when you
      correlate it with the firewall's own audit records.

    • Status — [Read-only] Displays the status of the alert.

    • Stop Time — [Read-only] Displays the time stamp of the time at which the alert was acknowledged
      from the perspective of the local clock for the Secure Alerts Server.

    • User — [Read-only] Displays the integer that represents the user who caused the alert.

• Event Details tab — Use the fields on this tab to view more detailed information about the events that
  are associated with the selected alert.

    • Category — Indicates a grouping of events as defined by the firewall, such as CCAlerts for the McAfee
      Firewall Enterprise Control Center Management Server and SystemInfo and Authentication for the
      firewalls.

    • Event — [Read-only] Displays the short description of the event.

    • ID — [Read-only] Displays the unique alert identifier that is assigned by the Secure Alerts Server.

    • Last Update Time — [Read-only] Displays the time stamp of the time at which the alert information
      was last updated.

    • Message — [Read-only] Displays the associated message for the specific alert (if known).

    • Name — [Read-only] Displays the name of the alert as it is defined by the sending firewall.

    • Reason — [Read-only] Displays the description of the reason that caused this event.

    • Time — [Read-only] Displays the time at which the event was generated that produced this alert.

Accessing this window
In the Reporting and Monitoring Tool, from the Options menu, select Ack, Clear, or Annotate.
or
When the Alert Browser page is displayed and an alert is highlighted, click (Ack), (Clear), or (Annotate)
in the toolbar.








      Viewing events for a specific alert
      Use the Event Browser window to view all of the specified events that occurred on a firewall that are related
      to the class of the highlighted alert. (For more information, see Alerts on page 677.)
      Figure 296 Event Browser window




      Accessing this window
      In the Reporting and Monitoring Tool, from the Options menu, select Events.
      or
      When the Alert Browser page is displayed and an alert is highlighted, click (Events) in the toolbar.
      or
      Click Events in the middle of the Alert Browser page.

      Fields and buttons
      This window has the following fields and buttons:
      • Columns — Select the columns to be displayed in the Event Columns window. For information about the
        column content, see Column data on page 674.

      • Jump To — Move to a specified row in the current page of events. The Jump To window is displayed, in
        which you enter the row number. By default, 1,000 events are displayed on each page.

      • Navigation buttons — Use any of these buttons to quickly move between the pages of activities that have
        been delivered based on the specified activity filters. By default, each page displays 1,000 events.

      • Export — Export this data to a file in comma-delimited (CSV) format. The Save as window is displayed,
        in which you define the name of and destination for this file.

      • Print — Print the displayed list of events.

      • Close — Close the Event Browser window.

      • Column headings in the table — Sort the column data in ascending or descending order by clicking any
        column heading in this list. The results of this sort include only the events in the current page (1,000
        entries by default).

      • Numbered column — View the event-specific information that is associated with the event by
        double-clicking the first column, which is the row number that is associated with each event that is
        displayed in the Event Browser window. The Event Message window is displayed, in which you can view
        this information.

      • Column data — Only those columns for which there are data will be displayed. For more information, see
        Column data on page 674.








Configuring the columns on the Event Browser window
Use the Event Columns window to change the selection of columns that are currently displayed in the Event
Browser window. Note that, unlike the selections in the Column Selector window for alert columns, these
selections are not preserved for later Event Browser views.
Figure 297 Event Columns window




Accessing this window
In the Reporting and Monitoring Tool, in the Event Browser window, click Columns.

Fields and buttons
This window has the following fields and buttons:
• Column name — Specify the column or columns that you want to appear in the subsequent display of
  events. Select the respective checkbox or checkboxes. For more information about the displayed data,
  see Column data on page 674.

• OK — Confirm your changes and display the subsequent view of the Event Browser window.

• Cancel — Close the window without saving any changes.








      Viewing additional event information
      Use the Event Message window to view any additional information that is known about the selected event.
      Figure 298 Event Message window




      Accessing this window
      In the Reporting and Monitoring Tool, double-click a specific row number of an event that is displayed in the
      Event Browser window. The Event Message window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Event Name — [Read-only] Displays the name of the event that was selected in the Event Browser
        window.

      • Event Type — [Read-only] Displays the type of the alert as defined by the Secure Alerts Server. All alerts
        from each supported firewall are classified by using a class/type relationship. For more information about
        event types, see Column data on page 674.

      • Attribute — [Read-only] Displays a list of the event-specific attributes. You can change the sort order of
        this column by clicking the arrow at the end of the column heading.

      • Value — [Read-only] Displays the value associated with each event attribute.

      • Close — Close this window.

      Accessing this window
       In the Reporting and Monitoring Tool, when the Alert Browser page is displayed, click Jump in the
       Options menu or click (Jump) in the toolbar.
       or
       Click Jump To in the Event Browser window.








Configuring columns for the Alert Browser page
Use the Column Selector window to select the columns to be displayed in the subsequent view of the alerts
that are displayed in the Alert Browser. For more information, see Alerts on page 677.
Figure 299 Column Selector window




Accessing this window
In the Reporting and Monitoring Tool, click (Columns) in the toolbar.
or
When the Alert Browser page is displayed, from the Options menu, select Columns.

Fields and buttons
This window has the following fields and buttons:
• Column Name — Select the checkbox for each column that you want to be displayed in the subsequent
  display of the alerts. For more information about the displayed data, see Column data on page 674.

• OK — Confirm your changes and display the subsequent view of the Alert Browser window.

• Cancel — Close the window without saving any changes.








       Filtering the alerts to be displayed in the Alert Browser
       Use the Alert Filter window to select the types of alerts to display in the Alert Browser.
       Figure 300 Alert Filter window




       Accessing this window
       In the Reporting and Monitoring Tool, when the Alert Browser page is displayed, click (Filters) in the
       toolbar.
       or
       From the Options menu, select Filters.

       Fields and buttons
       The Acknowledged, Cleared, and Open checkboxes on the Alert Filter window are directly tied to the
       state of the (Display Ack), (Display Cleared), and (Display Open) tools in the Alert Browser toolbar,
       and to the state of the Display Ack, Display Cleared, and Display Open options in the Options menu
       when the Alert Browser is displayed. Selecting a checkbox here selects the associated tool and menu
       option, and selecting the tool or menu option selects the checkbox.
       Select any combination of checkboxes to define the alerts that will be displayed in the subsequent Alert
       Browser page.



Secure Alerts Server
       The Secure Alerts Server collects the configured alert and event activity that is recorded by each supported
       firewall, normalizes the data, and inserts it into the database that serves as the data resource for the
       Reporting and Monitoring Tool. This data becomes the foundation of the alerts, events, and activities that
       are accessed and viewed by using the various windows and pages in the Reporting and Monitoring Tool:
       • Alert Browser page — For more information, see Alerts on page 677.

       • Event Browser window — For more information, see Viewing events for a specific alert on page 682.

       This data is used to perform the following tasks:
       • Reconstruct system events.

       • Deter improper system use.

       • Assess and recover from damage.

       • Monitor problem areas.

       • Capture relevant information about system events.

       • Assign accountability.








In the initial release of the Secure Alerts Server, you can view the status of the server and its service
history.


Functionality of the Secure Alerts Server
The following steps describe the basic operation of the Secure Alerts Server.
1 To begin, the firewall must be added to the Control Center configuration by using the Configuration Tool.

2 Each supported firewall must be individually configured to log events and activities to the Secure Alerts
   Server. For more information, see Configuring IPS attack responses on page 609.

   You can configure the events that are logged so that you can tune your environment to report only
   those security events that make the most sense for your configuration.

3 The configured events and activities are sent to the Secure Alerts Server. The Secure Alerts Server
   normalizes the data and stores it in the Secure Alerts Server database. This database provides the storage
   foundation for all firewall events and activities collected from all the respective firewalls that are supported
   by the Secure Alerts Server.

4 After the normalized data is inserted into the database, it becomes immediately available to the
   Management Server and the Reporting and Monitoring Tool.

5 The Reporting and Monitoring Tool retrieves the security events from the Management Server.

6 The Reporting and Monitoring Tool interfaces are used to manage the subsequent data. These interfaces
   include:

   • Alert Browser page — For more information, see Alerts on page 677.

   • Event Browser window — For more information, see Viewing events for a specific alert on page 682.


Viewing Secure Alerts Server status information
Use the Secure Alerts Server Status page to view current and historical Secure Alerts Server status
information. For more information, see Secure Alerts Server on page 686.
Figure 301 Secure Alerts Server Status page




Accessing this page
In the Reporting and Monitoring Tool, click (Secure Alerts Servers) in the toolbar.
or
From the View menu, select Secure Alerts Servers.







      Tables
      This page is divided into two tables:
      • Secure Alerts Server Status table
        The upper table displays the current status of the Secure Alerts Servers.

      • Secure Alerts Service History table
        The lower table displays the historical status of when the server was started and stopped.

      Fields and buttons
      This page has the following fields and buttons:
      • View — Use this right-click menu to select the way in which the Secure Alerts Server Status data is
        displayed. Right-click in the Secure Alerts Server Status table to display this option and click it. The
        following options are available:

         • Large Icons — Display the supported Secure Alerts Server data by using large icons.

         • Small Icons — Display the supported Secure Alerts Server data by using small icons.

         • List — Display the supported Secure Alerts Server data in list format.

         • Details — Display the supported Secure Alerts Server data in a detailed list format. This is the default
           value.

      Secure Alerts Server Status table
      This table has the following fields and buttons:
      Note: The field data is displayed only when Details is selected from the View right-click menu.

      • MM/DD/YYYY HH:MM:SS — [Read-only] Displays the time stamp that indicates the last time that the
        page data was refreshed. To force a refresh, click Refresh.

      • Status icon (first column) — [Read-only] Displays the status of the Secure Alerts Server the last time that
        the page data was refreshed: (red) indicates stopped; (green) indicates running.

         When the Secure Alerts Server is stopped, none of the alert and event activity that is sent by the
         firewalls is processed.

      • Refresh — Force a refresh of the page.

      • Name — [Read-only] Displays the status icon and the name that is assigned to the Secure Alerts Server.

         The status icon displays the status of the Secure Alerts Server the last time that the page data was
         refreshed: (red) indicates stopped; (green) indicates running. When the Secure Alerts Server is
         stopped, none of the alert and event activity that is sent by the firewalls is processed.

         The server name currently cannot be changed. The default name is Secure Alerts Server.

      • Location — [Read-only] Displays the location of the Secure Alerts Server.

      • Start Time — [Read-only] Displays a time stamp that indicates the time at which the Secure Alerts Server
        was started.

      • Last Update — [Read-only] Displays a time stamp that indicates the last time that the Secure Alerts
        Server sent its status message to the Management Server.

      • Status — [Read-only] Displays the current status of the Secure Alerts Server.








       Secure Alerts Service History table
       This table has the following fields and buttons:
       Note: No history data is displayed if the Secure Alerts Server has never been stopped.

       • Name — [Read-only] Displays the name that is assigned to the Secure Alerts Server.

       • Location — [Read-only] Displays the location of the Secure Alerts Server.

       • Start Time — [Read-only] Displays a time stamp that indicates the time at which the Secure Alerts Server
         was started.

       • Stop Time — [Read-only] Displays a time stamp that indicates the last time that the Secure Alerts Server
         wrote to the database.
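A stopped Secure Alerts Server processes nothing the firewalls send, so every Start Time/Stop Time pair in the Service History table bounds a period that the Control Center data cannot account for. The following Python, an added example and not Control Center code, turns those rows plus the Status table's current Start Time and status into the intervals during which no alert or event activity was collected, and checks whether a time window of interest falls into one of them. It also flags a stale Last Update value; the ten-minute threshold is an assumed local policy, not a product setting. The time stamps in demo() are constructed.

```python
"""Coverage gaps from the Secure Alerts Server Status and Service History tables.

Added example, not Control Center code. The sample time stamps in demo() are
constructed; the staleness threshold is an assumed local policy.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Interval = Tuple[datetime, datetime]   # (start, end)


def coverage_gaps(history: List[Interval], current_start: Optional[datetime],
                  running: bool, now: datetime) -> List[Interval]:
    """Intervals during which the Secure Alerts Server was not writing to its database.

    history       -- Service History rows as (Start Time, Stop Time)
    current_start -- Start Time from the Status table, or None if unknown
    running       -- True if the status icon is green
    """
    runs = sorted(history)
    if running and current_start is not None:
        runs.append((current_start, now))       # the run that is still in progress
    gaps: List[Interval] = []
    for (_, stop), (next_start, _) in zip(runs, runs[1:]):
        if next_start > stop:
            gaps.append((stop, next_start))
    if not running and runs:
        gaps.append((runs[-1][1], now))         # stopped: blind from the last DB write until now
    return gaps


def uncovered_part(window: Interval, gaps: List[Interval]) -> List[Interval]:
    """The parts of an investigation window for which no events were collected."""
    w_start, w_end = window
    out: List[Interval] = []
    for g_start, g_end in gaps:
        lo, hi = max(w_start, g_start), min(w_end, g_end)
        if lo < hi:
            out.append((lo, hi))
    return out


def status_is_stale(last_update: datetime, now: datetime,
                    max_age: timedelta = timedelta(minutes=10)) -> bool:
    """True if Last Update (the server's last status message) is older than max_age (assumed policy)."""
    return now - last_update > max_age


def demo() -> List[Interval]:
    """Constructed sample: two history rows and a server that has since been restarted."""
    history = [(datetime(2009, 6, 1, 0, 0), datetime(2009, 6, 1, 3, 0)),
               (datetime(2009, 6, 1, 3, 30), datetime(2009, 6, 1, 18, 0))]
    now = datetime(2009, 6, 2, 12, 0)
    return coverage_gaps(history, datetime(2009, 6, 2, 8, 0), True, now)


if __name__ == "__main__":
    for start, end in demo():
        print(f"no collection from {start} to {end}")
```

To use it against a real deployment, copy the Start Time and Stop Time values from the Service History table and the Start Time, status icon, and Last Update from the Status table. Any interval returned by uncovered_part is a period the Secure Alerts Server data cannot speak for, so consult the firewall's own audit records for it.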



Firewall reports in the Reporting and Monitoring Tool
       The Control Center Reporting and Monitoring Tool has an interface to request a wide variety of
       firewall-specific reports. Although some firewalls share similar reports, each firewall can generate unique
       reports that provide insight into its operation and configuration.
       There are currently more than 70 different reports that can be generated. Most of these reports are
       presented in Reporting on page 619.








11 Software Updates Tool
       Contents
       Software Updates Tool



Software Updates Tool
       Use the Software Updates tool to apply software and firmware updates to supported firewalls, and to store
       and manage the updates on the McAfee Firewall Enterprise Control Center Management Server.
       You can accomplish the following tasks by using the features and functions of the Software Updates Tool:
       • Install updates — Determine the current version of software or firmware that is installed on each
         firewall; install, uninstall, or roll back an update; schedule an update action for a particular date and time;
         view the status of an update action; and view the history of previously completed update actions. For
         more information, see Installing software and firmware updates on page 697.

       • Store updates — Download, manage, and store firewall software and firmware updates on the
         Management Server. Use the interface to identify the name of the update, the type of firewall to which
         the update applies, the release date, and its download status. You can also view an associated Readme
         file. For more information, see Storing software and firmware updates on page 709.

       • Back up firewall configuration — Back up and restore configurations for selected firewalls. You can do
         this both here, in the Software Updates Tool, and in the Configuration Tool. Use the saved configuration
         files to restore a default firewall configuration, to maintain a version of a working configuration before you
         make any configuration changes, or to recover from an unexpected loss of firewall configuration data.
          When you are installing software updates, this feature is both a convenience and a precaution. For more
         information, see Backing up and restoring firewall configurations on page 704.

       • Update settings — Enable the downloading of files by using a proxy server, configure auto-discovery
         settings for software updates, and control whether update packages that have been removed from the
         Management Server are displayed on the Store Updates page. For more information, see Configuring
         update download settings on page 692.
       • Update Control Center — Upload software updates to the Control Center Management Server and then
         install them. For more information, see Downloading and applying Management Server updates on
         page 693.


       Automatically identify updates
       The Software Updates Tool can automatically check for new updates to the supported firewalls. Use the
       Update Settings window to configure the Software Updates Tool to automatically check for new updates
       each time that the tool is started. In addition, an option to manually download updates is available when
       the Store Updates page is displayed.

       Supported firewalls
       Currently, the Software Updates Tool provides software management support for McAfee Firewall
       Enterprise (Sidewinder) devices that are configured with software version 7.0.0.6 or later.








      Configuring update download settings
      Use the Update Settings window to configure settings to download software and firmware updates for
      supported firewalls. You may specify settings for the following features:
      • Using a proxy server to download updates

      • Using an auto-discovery process to identify and download available updates

      • Displaying removed updates
      Figure 302 Update Settings window




      Accessing this window
      In the Software Updates Tool, from the View menu, select Update Settings.

      Fields and buttons
      This window has the following fields and buttons:
      • Proxy Server Settings — Use the fields in this area to determine whether a proxy server is used to
        connect to a specified download site.

         • Download Files Through a Proxy Server — Determines whether to connect to a download site
           through a proxy server. This checkbox is cleared by default. If you select this checkbox, the following
           fields are available:

             • Host — Specify the IP address or host name of the proxy server.

             • Port — Specify the port number of the proxy server.








• Auto-Discovery Settings — Use the fields in this area to identify the FTP or HTTP location from which
  the software and firmware updates are downloaded. If the FTP or HTTP auto-discovery site is not available
  to your Management Server and you want to configure an alternate location to use for the auto-discovery
  process, an auto-discovery file must be created by using a specific format. For more information, see
  Setting up an auto-discovery site on page 712. Note that both FTP and HTTP transfer the user name,
  password, and downloaded files in cleartext.

   • Download Protocol — Specify the protocol that is used to transfer the updates from the
     auto-discovery location to the Management Server. The available values are FTP (default) and HTTP.

   • Download Site — Specify the host location from which the software and firmware updates are
     downloaded. Specify an IP address in dotted decimal format (for example, 168.26.232.1) or a fully
     qualified domain name (for example, the default value of ccupdate.securecomputing.com). If a
     non-standard port for the selected transfer protocol is used, annotate this entry with the port number
     in the following format: host:port.

   • Discovery File Path — Specify the path name to the auto-discovery file in the following format:
     dir/auto_discovery_file. The default value is: pub/commandcenter/autoDiscovery.xml

   • User Name — Specify the user name that is required to authenticate on the auto-discovery server.
     The default value for this field is anonymous.

   • Password — Specify the password that is required to authenticate on the auto-discovery server. The
     default value for this field is anonymous.

   • Auto-Discover New Updates on Startup — Determines whether to automatically check for new
     updates when the client application is started. This checkbox is selected by default.

• Store Update Settings — Use the fields in this area to determine whether updates that have been
  removed from the Management Server are displayed on the Store Updates page.

   • Show removed updates — Determines whether to display updates that have been removed from the
     Management Server. This checkbox is cleared by default.


Downloading and applying Management Server updates
Use the Control Center Update window to obtain and apply a signed software update to the Control Center
Management Server. Software updates include signed ePatches, hot fixes, and patches. An ePatch is an
update that is provided directly by engineering to a specific customer. A hot fix is a customer-driven update
to the Management Server software between releases.
Note: If your Control Center Management Servers are running in High Availability (HA) mode, you must first stop
the High Availability servers, then install the updates to the Control Center Management Server, and then re-start
the High Availability servers.

Updates are located at www.securecomputing.com/goto/updates. Update files can be downloaded directly
to the Management Server by using FTP or HTTP, or they can be downloaded to the Microsoft Windows
platform on which the Control Center Client Suite is installed and then uploaded to the Management Server.





      Figure 303 Control Center Update window




      Accessing this window
      In the Software Updates tool, from the View menu, select Control Center Update. The Control Center
      Update window is displayed.

      Tabs
      This window has the following tabs:
      • Upload to Server — Upload a software update to the Management Server directly from the Client Suite
        platform or upload a software update from a remote location by using FTP or HTTP. For more information,
        see Control Center Update window: Upload to Server tab on page 694.

      • Uploaded Packages — View the software updates that have been uploaded to the Control Center
        Management Server and apply the selected updates. For more information, see Control Center Update
        window: Uploaded Packages tab on page 696.

      Control Center Update window: Upload to Server tab
      Use the Upload to Server tab on the Control Center Update window to upload a software update to the
      Control Center Management Server directly from the Client Suite platform or upload a software update
      from a remote location by using FTP or HTTP. To view the fields on this tab, see Figure 303 on page 694.

      Accessing this tab
      1 In the Software Updates Tool, from the View menu, select Control Center Update. The Control Center
         Update window is displayed.

      2 Make sure that the Upload to Server tab is selected.





Fields and buttons
This tab has the following fields and buttons:
• Upload to Server from Client — Determines whether to upload a software update file from the Client
  Suite platform to the Management Server. When you select this option, the following field and button are
  available:

   • Upload file — Specify the name of the software update file to be uploaded.

   • Browse — Perform a search on the current platform for the software update file.

• Upload to Server using FTP/HTTP — Determines whether to upload a specific software update file to
  the Management Server from a remote location.

• Upload — [Available only if Upload to Server using FTP/HTTP is selected] Use the fields in this area to
  specify the remote location from which to upload a specific software update file.

   • Protocol — [Required] Specify the protocol to use for transferring the software update file from the
     corporate site to the Management Server. The following values are available:

       • FTP — File Transfer Protocol

       • HTTP — Hypertext Transfer Protocol

       The default value is FTP.

   • Server — Specify the host name of the server from which the update is to be uploaded.

   • Port — Specify the port on the remote server to use for this upload.

   • Directory — Specify the path for the update file. You must define this path relative to the home
     directory of the Management Server user that is identified in the User name field. For example, if a
     user with a home directory of /home/username wants to download a file that is located on the
     Management Server at /var/tmp, the path is ../../var/tmp.

   • File — Specify the name of the software update file to be uploaded.

   • User name — [Applicable only if the value of the Protocol field is FTP] Specify the login name that
     was used to access the specified Management Server.

   • Password — [Applicable only if the value of the Protocol field is FTP] Specify the password that is
     associated with the login name that was used to access the specified Management Server. Data in this
     field is masked as it is specified.

• Upload — Upload the software update and close this window.

• Cancel — Close this window without saving any changes and without performing any upload.





      Control Center Update window: Uploaded Packages tab
      Use the Uploaded Packages tab on the Control Center Update window to view the software updates that
      have been uploaded and to select one of them to apply.
      Figure 304 Control Center Update window: Uploaded Packages tab




      Accessing this tab
      1 In the Software Updates Tool, from the View menu, select Control Center Update. The Control Center
        Update window is displayed.

      2 Select the Uploaded Packages tab.

      Fields and buttons
      This tab has the following fields and buttons:
      • Patch — Displays the names of the software update packages that have been uploaded to the
        Management Server. The packages are sorted by the date on which they were added. Select the radio
        button that is associated with the patch that you want to apply. Only one patch can be selected.

      • Build Number — [Read-only] Displays the build number of the software update package.

      • Status — [Read-only] Displays the status of the associated software update packages. The following
        values can be displayed:

         • Pending — Indicates that there is an update that has been uploaded that needs to be applied.

         • Applied — Indicates that the update was successfully applied.

         • Failed — Indicates that the apply operation was started but did not complete. You can re-apply the update.

         • Invalid — Indicates that the selected update cannot be installed over the current applied hot fix,
           ePatch, or patch.

         • DependsOn — Indicates that the selected update has a dependency on another patch. It can be
           applied only after that patch has been applied.

         • Obsolete — Indicates that the selected update will make obsolete one of the components of the
           Control Center. This patch can be applied only from the command line by using the force (-f) command.
           Note: If the selected update makes more than one component obsolete, the status will be Invalid, not
           Obsolete.

      • Date of last modification — [Read-only] Displays the date that the status of the patch was last updated.





• Log — If the value of the Status column is Applied or Failed, click Display Log to view the related log
  file. The Server Logs window is displayed, in which you can view the entire log file or a selected number
  of lines. For more information about this window, see Viewing Management Server logs on page 663.

• Apply — Apply the selected software update to the Management Server. If you select a package that has
  a Status value of Pending and click this button, the Management Server starts the selected software
  update and either logs you off of the client or reboots the machine. After the update has been applied,
  the value of the Status field is changed.
   Note: A software update whose version number is higher than the current version of the Management Server
   cannot be selected or applied. The Uploaded Packages tab verifies that the new update has a sequence
   number that is greater than the last update that was added. This ensures that an update is not installed if it is
   older than updates that are already on the machine.

   The patch file names use the following formats:
   Table 30 Tar file formats
    Tar file name                                                   File type   Example
    [release version - 5 digits]                                    Patch       40003.tar
    [release version - 5 digits] [E] [sequence number - 2 digits]   ePatch      40003E01.tar
    [release version - 5 digits] [H] [sequence number - 2 digits]   Hot fix     40003H01.tar


• Current server version — [Read-only] Displays the currently installed version of the Control Center
  Management Server software.

• Revalidate — Update the status of the package.
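The file-name formats in Table 30 and the sequence-number check described in the note under Apply can be expressed as a small parser. The following Python is an added example written for this guide's reader; it is not code from the guide or from the Control Center product. The class and function names (UpdatePackage, parse_package_name, may_apply_over, classify_uploads) are assumptions, and so is the treatment of two packages from different release versions, which the guide does not describe.

```python
"""Parse Control Center update package names (Table 30) and apply the
sequence-number check described for the Uploaded Packages tab.

Added example; not code from the guide or from the Control Center product.
Class and function names are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# File-name shapes from Table 30:
#   NNNNN.tar      patch     (five-digit release version only)
#   NNNNNEss.tar   ePatch    (E + two-digit sequence number)
#   NNNNNHss.tar   hot fix   (H + two-digit sequence number)
_NAME_RE = re.compile(r"^(?P<release>\d{5})(?:(?P<kind>[EH])(?P<seq>\d{2}))?\.tar$")
_FILE_TYPES = {None: "Patch", "E": "ePatch", "H": "Hot fix"}


@dataclass(frozen=True)
class UpdatePackage:
    filename: str
    release: str      # five-digit release version, e.g. "40003"
    file_type: str    # "Patch", "ePatch" or "Hot fix"
    sequence: int     # two-digit sequence number; 0 for a plain patch


def parse_package_name(filename: str) -> UpdatePackage:
    """Return the UpdatePackage for a Table 30 file name, or raise ValueError.

    Anything that does not match one of the three documented shapes exactly is
    rejected: 40003E1.tar (one-digit sequence) and 40003X01.tar (unknown type
    letter) are not valid package names.
    """
    match = _NAME_RE.match(filename)
    if match is None:
        raise ValueError(f"not a recognised update package name: {filename!r}")
    kind = match.group("kind")
    sequence = int(match.group("seq")) if kind else 0
    return UpdatePackage(filename, match.group("release"), _FILE_TYPES[kind], sequence)


def is_valid_package_name(filename: str) -> bool:
    """True if the name matches one of the Table 30 formats."""
    return _NAME_RE.match(filename) is not None


def may_apply_over(candidate: UpdatePackage, last_applied: Optional[UpdatePackage]) -> bool:
    """Sequence check from the Uploaded Packages note: the new update must carry a
    sequence number greater than that of the last update applied, so an older
    ePatch or hot fix is never installed over a newer one.

    Assumptions not stated in the guide: sequence numbers are compared within a
    release regardless of the E/H type letter, and when the release versions
    differ the higher five-digit release version counts as newer.
    """
    if last_applied is None:
        return True
    if candidate.release != last_applied.release:
        return int(candidate.release) > int(last_applied.release)
    return candidate.sequence > last_applied.sequence


def classify_uploads(filenames: Iterable[str], last_applied_name: Optional[str]) -> Dict[str, str]:
    """Constructed helper: label each uploaded file name 'selectable', 'too old'
    or 'unrecognised', the way an operator would triage the Uploaded Packages list."""
    last_applied = parse_package_name(last_applied_name) if last_applied_name else None
    verdicts: Dict[str, str] = {}
    for name in filenames:
        try:
            pkg = parse_package_name(name)
        except ValueError:
            verdicts[name] = "unrecognised"
            continue
        verdicts[name] = "selectable" if may_apply_over(pkg, last_applied) else "too old"
    return verdicts


if __name__ == "__main__":
    # Constructed sample listing: the Table 30 examples plus two variants.
    uploads = ["40003.tar", "40003E01.tar", "40003H01.tar", "40003H03.tar", "40003H2.tar"]
    for name, verdict in classify_uploads(uploads, "40003H02.tar").items():
        print(f"{name:16} {verdict}")
```

Run the module directly to see the triage of the constructed listing against a last-applied hot fix of 40003H02.tar: only 40003H03.tar is selectable, the lower-numbered packages are reported as too old, and the malformed 40003H2.tar is rejected by the parser rather than silently compared.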


Installing software and firmware updates
Maintaining software and firmware updates to multiple firewalls in a heterogeneous environment can be a
complex task. To provide the enterprise-class protection that is required by your security policies, installing
and managing software and firmware updates to firewalls is not optional.
To help simplify the process, use the Control Center Software Updates Tool to manage software and
firmware updates for supported firewalls that are being managed by the Control Center.
Before you begin to install the updates, you should back up the current configuration of the firewall that is
going to be updated. To perform this activity, click (Firewall Configuration Backup) on the toolbar of the
Software Updates Tool. For more information about this activity, see Backing up a firewall configuration on
page 706 or Restoring a firewall configuration on page 707.
Use the table on the Install Updates page to:
• Determine the current software version that is installed on each supported firewall in the configuration.

• Identify firewalls that require updates.

• Select an update action to perform on selected firewalls. These actions include install, uninstall, and
  rollback.

• Select an available software or firmware update.

• Determine the status of the last applied update.

• View and select the update packages to be installed, uninstalled, or rolled back and view the historical
  data that is associated with previous update actions.





 Figure 305 Install Updates page




            Accessing this page
            In the Software Updates Tool, from the View menu, select Install Updates.
            or
            In the Software Updates Tool, click (Install Updates) on the toolbar.

            Fields and buttons
            This page has the following table columns and buttons:
            • (Selection checkbox) — Determines whether a row in the table is selected. When you select this checkbox,
                the Operations menu and related toolbar options are displayed for the selected firewall.

            • (Status icon) — Identifies the current status of the associated firewall:

                • (Not Running) — This firewall is not currently running.

                • (Running) — This firewall is currently running.

                • (Unknown) — The operational status of this firewall is currently unknown.

                • (Waiting) — The firewall is starting or performing a task.

            • Firewall type icon — Identifies the type of firewall that is associated with the row:

                • (McAfee Firewall Enterprise) — The firewall is a McAfee Firewall Enterprise.

            • Firewall — [Read-only] Displays the name of the firewall as defined when the firewall was configured.
            • Version — [Read-only] Displays the software version that is currently installed on the associated firewall.

            • Schedule Status — [Read-only] Displays the date and time for an action that has been scheduled. If a
              schedule is just being created, the field displays the status of the scheduling operation.

            • Action — [Read-only] Displays the type of action to be performed. The following values are available:

                • Install — Indicates that a single software update is to be installed.

                • Install Multiple — Indicates that multiple software updates are to be installed.

                • Uninstall — Indicates that a single software update is to be uninstalled.

                • Uninstall Multiple — Indicates that multiple software updates are to be uninstalled.

                • Rollback — Indicates that the firewall is to be restored to a previous state. A rollback reverts the
                  firewall to the state just prior to installation of the software update. This value is available only after
                  installation of a package that cannot be uninstalled.

            • Update — Specify the software update to install, uninstall, or roll back on the associated firewall. Click
              the down arrow to display all of the available updates. The following columns are displayed in this list:

                • Name — Displays the name of the software or firmware update and an icon to indicate the status of
                  the update. The following icons are available:

                    • (Not Downloaded) — This update has not been downloaded to the Management Server. If an
                        update with this status is identified to be installed on one or more firewalls, it is downloaded onto
                        the Management Server first and then installed.

                    • (Downloaded) — This update has already been downloaded to the Management Server.




       • (In Progress) — This update is currently being downloaded to the Management Server.

   • Description — Displays a brief description of the software update.
        Note: If multiple firewalls are selected (that is, multiple rows are highlighted), when you select an update
        from the Update field, the update is selected for all applicable firewalls. If you click the Update
        Firewalls tool or click (Update Firewalls), the update is applied to all of the highlighted firewalls
        to which it applies.

• Last Update — [Read-only] Displays the name of the last software update that has been applied to the
  firewall by the Control Center.

• Update Status — [Read-only] Displays the status of the last update applied to the associated firewall by
  the Control Center. The following values are available:

   • In Progress — Indicates that the update is in the process of being installed.

   • Completed — Indicates that the update has been successfully installed.

   • Failed — Indicates that the update operation failed.

• Manage Firewall — Displays the Manage Firewall window, in which you can view and select the packages
  to be installed, uninstalled, or rolled back. You can also view a history of the update actions and status
  messages that have been performed on the associated firewall by the Control Center.

When the Install Updates page is displayed, the following tools are available on the toolbar. They are also
options on the Operations menu. To perform some of the following actions, you must select the row or
rows to identify the firewalls to which the action applies. To select a firewall, select the checkbox in the first
column. Then select the tool or menu option.
• Update Firewalls — Perform the actions that you have specified on the firewalls that you have selected.
  You must have already selected an update action for all of the selected firewalls before you can click this
  tool or menu option. If you try to update a firewall with an update that has not been downloaded to the
  Management Server, the update will first be downloaded and saved on the Management Server. Then it
  will be installed on the applicable selected firewalls without you needing to take any additional action.
   Note: You cannot initiate a new update on a firewall while it has an update in the “In Progress” state.

• Schedule Firewalls — Displays the Schedule Firewall Actions window. Use this window to set a date and
  time to perform actions that are related to one or more firewalls. You can also remove a schedule.

• Clear Last Update — Clear the values of the Last Update and Update Status fields from the table. This
  information is not cleared from the Update History data. Use this tool or menu option to clear field values
  when an update is stuck in the “In Progress” state.

• Update Firewall Status — Send a firewall status request to the selected firewalls. The resulting firewall
  status is displayed in a column on the left as an icon.

• Refresh Grid — Refresh the contents of this table.


Managing updates for a firewall
Use the Manage Firewall window to perform the following functions:
• View packages that are available for installation.

• View and select packages that can be uninstalled.

• Select rollback action and view package list after a rollback is done.

• View a history of update operations and status messages that have been performed on the associated
  firewall.





      Figure 306 Manage Firewall window




            Accessing this window
            1 In the Software Updates Tool, from the View menu, select Install Updates.
              or
              In the Software Updates Tool, click (Install Updates) on the toolbar.

            2 Click Manage Firewall in the row of the firewall to be managed. The Manage Firewall window is displayed.

            Buttons
            This window has the following buttons:
            • Save — Save your changes, perform the selected actions, and close this window.

            • Cancel — Close this window without saving your changes or performing any actions.

            Tabs
            This window has the following tabs:
            • Packages — View and select software update packages that can be installed, uninstalled, or rolled back.
              For more information, see Manage Firewall window: Packages tab on page 701.

            • History — View a historical listing of all of the update actions and status messages that have been
              applied to the associated firewall by the Control Center. For more information, see Manage Firewall
              window: History tab on page 702.





Manage Firewall window: Packages tab
Use the Packages tab on the Manage Firewall window to view and select software update packages that can
be installed, uninstalled, or rolled back. To view the files on this tab, see Figure 306 on page 700.

Accessing this tab
1 In the Software Updates Tool, from the View menu, select Install Updates.
  or
  In the Software Updates Tool, click (Install Updates) on the toolbar.

2 Click Manage Firewall in the row of the firewall to be managed. The Manage Firewall window is displayed.

3 Make sure that the Packages tab is selected.

Fields and buttons
This tab has the following fields and buttons.
• Action — Specify the type of action to take for a selected update package. Information displayed on this
  tab varies according to the selected action. The following values are available:

   • Install — Select an associated update package for installation on the firewall.

       • Package Name — Displays the name of an update package.

       • Reboot — Indicates whether installation of the associated update package requires the firewall to
         be rebooted.

       • Dependencies — Displays the names of packages that must have been installed previously or that
         must be installed with the update package.

       • Obsoletes — Displays the names of packages that are rendered obsolete by the update package.

       • Uninstallable — Indicates whether the update package can be uninstalled.

       • Release Date — Displays the date when the update package was released.

       • Readme — Click View to display the Readme file that is associated with the update package.

   • Uninstall — Select an associated update package to be uninstalled from the firewall.

       • Package Name — Displays the name of an update package.

       • Required By — Displays the names of packages that require the update package to be installed.

       • Reboot — Indicates whether uninstalling the associated update package requires the firewall to be
         rebooted.

       • Uninstallable — Indicates whether the update package can be uninstalled.

       • Description — Provides information about the update package.

• Rollback — Restore a firewall to a previous state. The fields and buttons that are associated with this
  action are available only if a rollback is possible. A rollback can be performed only when a package that
  is not removable has been installed. You are advised to consider the following information before you
  perform a rollback:
       • A rollback reverts the firewall to its state just prior to installation of the update package.

       • Changes that have been made to the firewall's configuration after the update package was installed
         will be lost.
       • A rollback is a recommended recovery option only for a short period of time after package
         installation.

       • A rollback always requires that the firewall is rebooted.

   • Perform Rollback — [Available only if a rollback is possible] Determines whether a rollback operation
     is performed. This checkbox is cleared by default. Select the checkbox to select a rollback operation.




              • Package Name — [Read-only] Displays the names of the packages to which the firewall system will
                be rolled back.

              • Status — [Read-only] Displays the date and time when the packages were installed or loaded on the
                firewall.

           Manage Firewall window: History tab
           Use the History tab on the Manage Firewall window to view a historical listing of all of the update actions
           and status messages that have been applied to the associated firewall by the Control Center.
      Figure 307 Manage Firewall window: History tab




           Accessing this tab
           1 In the Software Updates Tool, from the View menu, select Install Updates.
             or
              In the Software Updates Tool, click (Install Updates) on the toolbar.

           2 Click Manage Firewall in the row of the firewall to be managed. The Manage Firewall window is displayed.

           3 Select the History tab.

           Fields and buttons
           This tab has the following columns and buttons:
           • Update Entry — [Read-only] Displays a description of the operation that has been performed (for
             example, downloading of an update package, scheduling of a firewall action, installation of an update
             package, or rollback completed).

            • Last Update Time — [Read-only] Displays the date and time at which the associated update operation
              was performed.

           • Initiating User — [Read-only] Displays the name of the Control Center user who initiated the update
             operation.





• Status — [Read-only] Displays the status of the last update operation that was applied to the associated
  firewall by the Control Center. The following values are available:

   • In Progress — Indicates that the update operation is in the process of being completed.

   • Completed — Indicates that the update operation has been successfully completed.

   • Failed — Indicates that the update operation failed.

• Details — Displays a window that contains the details of the update operation, for example the contents
  of an update installation log file or similar data.


Scheduling device software updates
Use the Schedule Device Actions window to set a date and time for performing the following update actions
on supported firewalls:
• Install

• Uninstall

• Rollback

In addition to scheduling updates, you can also perform these actions immediately. You also can
unschedule previously scheduled actions.
Note: You can access this window only if you have selected at least one row in the table on the Install Updates
page and each selected row must have an update selected for it.

Figure 308 Schedule Device Actions window




Accessing this window
1 In the Software Updates Tool, from the View menu, select Install Updates.
  or
  In the Software Updates Tool, click (Install Updates) on the toolbar.

2 Make sure that you have selected at least one firewall and an action for it.

3 From the Operations menu, select Schedule Firewalls.
   or
   Click (Schedule Firewalls) in the toolbar. The Schedule Device Actions window is displayed.





      Fields and buttons
      This window has the following fields and buttons:
      • Schedule for — Specify the date and time at which to perform an install, uninstall, or rollback action on
        a firewall.

      • Unschedule All — Determines whether to unschedule all of the actions that have been scheduled. By
        default, this checkbox is not selected.

      • Perform Actions Now — Determines whether to perform the update actions immediately. If you select
        this checkbox, actions are performed as soon as you click OK.

      • Devices and Actions — Use this table to identify the firewalls and the types of actions to be performed
        on each one. The following columns are displayed:

         • (Firewall type icon) — [Read-only] Denotes a McAfee Firewall Enterprise (Sidewinder), as indicated by the
           value of the Device Name field.

         • Device Name — [Read-only] Displays the fully qualified domain name (FQDN) of the firewall as it was
           configured on the Firewall window.

         • Version — [Read-only] Displays the version of the software that is currently installed on the associated
           firewall.

         • Action — [Read-only] Displays the action to be performed on the associated firewall.

         • Packages — [Read-only] Displays the names of the packages to which the associated action applies.

         • Current Schedule — [Read-only] Displays the date for any existing schedule that will be unscheduled.
           There is no value in this field if a schedule does not exist.

      • OK — Save the changes that were made in this window.

      • Cancel — Close this window without saving any changes.


      Backing up and restoring firewall configurations
      Use the Firewall Configuration Backup page to perform the following actions on the configuration file for a
      specified firewall:
      • Retrieve a backup firewall configuration file based on the current configuration of the selected firewall or
        firewalls and store it on the Management Server.

      • Restore a backup firewall configuration file.

      You can also use this page to maintain a version of a working configuration before you make any
      configuration changes or to recover from an unexpected loss of firewall configuration data.
      For more specific information about how to perform these actions, see the following procedures:
      • Backing up a firewall configuration on page 706

      • Restoring a firewall configuration on page 707
         Note: Save the current configuration of all firewalls before upgrading the software or firmware and before
         making changes to the configuration.





Figure 309 Firewall Configuration Backup page




Accessing this page
In the Software Updates Tool, click (Firewall Configuration Backup) on the toolbar.
or
In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Firewall Configuration Backup page is displayed.

Fields and buttons
The Firewall Configuration Backup page has the following tabs:
• Backup — Select one or more firewalls for which to create configuration backup files. For more
  information, see Firewall Configuration Backup page: Backup tab on page 705.

• Restore — Select a firewall and a specific backup configuration file to use to restore on that firewall. For
  more information, see Firewall Configuration Backup page: Restore tab.

Firewall Configuration Backup page: Backup tab
Use the fields on the Backup tab of the Firewall Configuration Backup page to select one or more firewalls
for which to create configuration backup files. To view the fields on this tab, see Figure 309 on page 705.

Accessing this tab
If the Firewall Configuration Backup page is already displayed, make sure that the Backup tab is selected.
or
In the Software Updates Tool, click (Firewall Configuration Backup) on the toolbar.
or
In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Backup tab is displayed on the Firewall Configuration Backup page.





      Fields and buttons
      • Firewall — Select one or more firewalls whose configuration is to be backed up.

      • Description — [Read-only] Displays the description of the backup that was last performed on this
        firewall. For manual backups, this is the value that is specified on the Confirm Backup window. For more
        information, see Confirming a configuration backup of one or more firewalls on page 708.

      • Last Backup Date — [Read-only] Displays the timestamp that indicates the last time that the firewall
        was backed up.

      • Last Backup By — [Read-only] For manual backups, displays the name of the Control Center user who
        initiated the backup. For other backups, this field is left blank.

      • Create Backup(s) — Begin the backup process by displaying the Confirm Backup window, in which you
        can confirm your selections on the Backup tab. For more information about the Confirm Backup window,
        see Confirming a configuration backup of one or more firewalls on page 708.

      Backing up a firewall configuration
      1 In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
         or
         In the Configuration Tool, from the System menu, select Firewall Configuration Backup.

         The Firewall Configuration Backup page is displayed in the work area.

      2 To create a backup of the configuration data for selected firewalls, select the checkbox that is associated
         with each firewall.

      3 Click Create Backup(s) to store a backup copy of the firewall configuration for the selected firewalls on
         the Management Server. The Confirm Backup window is displayed.

      4 You can edit the description or accept the default value. Then click OK to confirm this backup. A message
         is displayed, indicating that this request has been sent to the firewall.

         After the backup is complete, the Description, Last Backup Date, and Last Backup By column values
         are updated on this tab.

      Firewall Configuration Backup page: Restore tab
      Use the Restore tab of the Firewall Configuration Backup page to select the firewall whose configuration
      you want to restore. This tab lists all of the backups that have been saved for the selected firewall, whether
      they were created by a scheduled job or manually on the Backup tab of this page.
      Any firewall configuration backup can be deleted from this tab.
      Note: Although manual backups (for example, backups created in the Backup tab on this window) can be deleted
      only on the Restore tab, scheduled backups or other backups are subject to the retention policies that are
      configured in the Scheduled Backup tab of the scheduled job that is associated with each firewall.

      Figure 310 Firewall Configuration Backup page: Restore tab








Accessing this tab
1 In the Software Updates Tool, click the Firewall Configuration Backup icon on the toolbar.
  or
  In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
  or
  In the Configuration Tool, from the System menu, select Firewall Configuration Backup.

   The Backup tab is displayed on the Firewall Configuration Backup page.

2 Select the Restore tab. The Restore tab on the Firewall Configuration Backup page is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Firewall — Specify the firewall that you want to restore from the list of available firewalls.

• Restore Backup — Restore a configuration backup for the selected firewall.

• Type — [Read-only] Displays the nature of the backup file. The following values are possible:

   • Manual — Indicates that the configuration backup was performed on the Backup tab of the Firewall
     Configuration Backup page.

   • Scheduled — Indicates that the configuration backup was performed as a scheduled job that was
     originally configured on the Scheduled Jobs window.

• Backup Date — [Read-only] Displays the date and time that this backup was completed.

• Backup By — [Read-only] Displays the name of the user who created this backup. If this backup was
  created by a scheduled job, there is no value for this field.

• Restore Date — [Read-only] Displays the timestamp that indicates the last time that the backup was
  restored to the firewall.

• Description — [Read-only] Displays the description for this configuration backup file.

• Delete — Click x (Delete) in the row to be deleted. This configuration backup file is deleted from the
  Management Server.

Restoring a firewall configuration
1 In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
   or
   In the Configuration Tool, from the System menu, select Firewall Configuration Backup.

   The Firewall Configuration Backup page is displayed in the work area.

2 Select the Restore tab.

3 In the Firewall field, select the firewall to be restored.

4 In the table, select the row of the backup that you want to use for this restoration and click Restore
   Backup. A system warning is displayed, indicating that the restoration is about to occur, that the firewall
   will be rebooted as a result, and that a policy mismatch can occur afterwards.

5 Click OK. An information message is displayed, indicating that the restore request has been sent to the
   firewall. After the restore is complete, the Restore Date column value is updated with the current
   information.








      Confirming a configuration backup of one or more firewalls
      Use the Confirm Backup window to add a description for the manual configuration backup file or files
      (depending on the number of firewalls that you select) that you are about to create. This window also
      serves as an additional confirmation that you want to continue with the backup process.
      Figure 311 Confirm Backup window




      Accessing this window
      1 In the Software Updates Tool, click the Firewall Configuration Backup icon on the toolbar.
        or
        In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
        or
        In the Configuration Tool, from the System menu, select Firewall Configuration Backup.

         The Firewall Configuration Backup page is displayed.

      2 On the Backup tab, select the firewall or firewalls for which you want to create configuration backup files
         and click Create Backup(s). The Confirm Backup window is displayed.

      Fields and buttons
      This window has the following fields and buttons:
      • Firewall — [Read-only] Displays, one per row, the name of each firewall that you selected on the
        Backup tab.
      • Description — Specify a description for this backup file. The default value is Manual backup. However,
        you can edit this value as needed.

      • OK — Displays a message, indicating that this request has been sent to the firewall.
        or
        If this message is suppressed (see Note below), the window is closed.
         Note: You can choose to hide this confirmation message by selecting Never display this warning again.

      • Cancel — Close this window and cancel the backup process.








         Storing software and firmware updates
         Use the Store Updates page to identify, store, and manage firewall software and firmware updates on the
         Management Server.
         As updates become available for the firewalls that are configured in your environment, they can be
         downloaded from the FTP or HTTP auto-discovery location and stored on the Management Server. Use the
         Store Updates page to manage the download status and availability of the software and firmware updates.
         There are two ways to identify when new updates are available:
         • Automatically — Use the auto-discovery process when the Software Updates Tool is started. This feature
           is enabled by default on installation. However, it can also be configured in the Update Settings window.
           For more information, see Configuring update download settings on page 692.

         • Manually — In the Software Updates Tool toolbar, click Check For Updates or from the Operations menu,
           select Check For Updates when the Store Updates page is displayed.

         The Store Updates page displays all of the identified updates for firewalls that have been previously defined
         in your configuration, along with the status of the update. The Status column displays the disposition of the
         update on the Management Server. You can:
         • Determine whether the update is available on the Management Server.

         • Download an update and store it on the Management Server.

         • Check whether a download operation is still in progress or has failed.

         • Check whether a previously downloaded update has been deleted from the Management Server.

         If the status indicates that the update has not been downloaded, you can click Download Updates (from
         the toolbar or from the Operations menu) and store the update on the Management Server. The
         auto-discovery updates are downloaded from the FTP server to the Management Server by using
         parameters that are configured in the Update Settings window. You can also use the Manual Download
         window to download individual software and firmware updates manually to the Management Server from an
         alternate, user-defined location.
         If an FTP or HTTP auto-discovery site is not available to your Management Server, an alternate location to
         use for the auto-discovery process can be created. For more information, see Setting up an auto-discovery
         site on page 712.
         After the initial installation of the Control Center, the Software Updates Tool is automatically configured to
         use the auto-discovery process to check for new software and firmware updates each time that this tool is
         started. (For more information about automatically searching for new updates on startup, see Configuring
         update download settings on page 692.) You can also check for updates at any time by clicking Check For
         Updates (in the toolbar or from the Operations menu).
Figure 312 Store Updates page




         Accessing this page
         In the Software Updates Tool, click the Store Updates icon in the toolbar.
         or
         In the Software Updates Tool, from the View menu, select Store Updates.
         The Store Updates page is displayed.







      Fields and buttons
      This page has the following table columns:
      • Name — [Read-only] Displays the name of the software or firmware update.

      • Description — [Read-only] Displays a brief description of the software update.

      • Type — [Read-only] Displays the firewall to which the update applies.

      • Release Date — [Read-only] Displays the date on which the update was released.

      • Status — [Read-only] Displays the status of the update on the Management Server. The following values
        are available:

          • Not Downloaded — The update has been identified, but not downloaded.

          • Downloading onto Mgmt. Server — The update is currently being downloaded from the source
            location to the Management Server.

          • Available on Mgmt. Server — The update has already been downloaded to the Management Server.

          • Download Failed — The download failed.

          • Unavailable — The update has been removed from the Management Server.

      • Readme — Click this button to display the readme file that is associated with the selected stored update
        in a default text reader.
      The following options are available as tools on the Software Updates Tool or as menu options from the
      Operations menu when the Store Updates page is displayed. To perform some of the following options,
      you must select one or more rows in the table to identify the firewalls to which the action applies. To select
      a row, click the far-left column to highlight the row. To highlight several rows at once, press Ctrl+click.
      • Check for Updates — Check for new updates from the defined auto-discovery location. For more
        information about configuring the auto-discovery settings, see Configuring update download settings on
        page 692.

      • Download Updates — Download the associated update for each highlighted row from the location
        that is specified in the auto-discovery settings. For more information about configuring the auto-discovery
        settings, see Configuring update download settings on page 692.

      • Restart Download — Restart the download process if a problem or failure occurs when an update
        package is being transferred from the location at which updates are stored to the Management Server.

      • Remove Updates — Remove the associated update for each highlighted row from the Management
        Server. After an update has been removed from the Management Server, it will no longer be displayed in
        the Store Updates table unless you have selected the Show removed updates checkbox in the Update
        Settings window.

      • Manual Download — Specify how and where an update is to be downloaded from a location other
        than the one that was specified in the auto-discovery settings. Use this option to acquire an update and
        store it on the Management Server when there is no access to the McAfee FTP location. For information
        about how to configure this option, see Manually downloading software updates on page 711.








Manually downloading software updates
Use the Manual Download window to specify a location from which a specific update should be downloaded.
Figure 313 Manual Download window




Accessing this window
In the Software Updates Tool, when the Store Updates page is displayed, click the Manual Download icon in
the toolbar.
or
In the Software Updates Tool, from the Operations menu when the Store Updates page is displayed, select
Manual Download.
The Manual Download window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Firewall Type — Specify the appropriate firewall type for the associated update.

• Protocol — Specify the appropriate protocol to be used to download the software or firmware update
  from the file server that you specify in the Server field.

• Server — Specify the file server from which the update is to be downloaded.
   Note: If the source file server is using a non-standard port for the selected download protocol (FTP or HTTP),
   specify the port to use in the following format: server:port, where server specifies the fully qualified domain
   name (FQDN) or IP address of the server and port specifies the non-standard port number for the selected
   protocol.

• Directory — Specify the directory in which the update file is stored on the file server that you specified
  in the Server field.
   Note: If you have selected FTP in the Protocol field and your directory begins with a slash (/), the value is
   interpreted as an absolute path on the file server.

• File — Specify the name of the file to be downloaded.

• User Name — Specify the user name to be used for authentication.

• Password — Specify the password to be used for authentication.

• OK — Save these changes and download the identified update to the Management Server.

• Cancel — Close this window without downloading any data to the Management Server.








      Setting up an auto-discovery site
      If the FTP auto-discovery site is not available to your Management Server and you want to configure an
      alternate location to use for the auto-discovery process, an auto-discovery file must be created. This file
      must be in a specific XML format.
      The auto-discovery file is an XML file that describes the update packages. The following example displays
      the structure and content of an XML file for a firewall:
         <?xml version="1.0" encoding="UTF-8" ?>
         <CCAutoDiscovery>
            <packageSidewinder name="70000t01">
               <Description>Install new OPS kernels</Description>
               <FilePath>SW/70000t01</FilePath>
               <ReleaseDate>02/27/2007</ReleaseDate>
               <Time>1172608996</Time>
               <OS>Sidewinder</OS>
               <Revision>7.0</Revision>
               <Version>7.0.0.00</Version>
               <Type>E-Patch</Type>
               <Flags>active uninstallable</Flags>
               <Requires>70000</Requires>
               <Readme>Install new OPS kernels and reboot</Readme>
            </packageSidewinder>
            <packageSidewinder name="70000t02">
               <Description>Depends on 70000t01; installs new OPS kernels</Description>
               <FilePath>SW/70000t02</FilePath>
               <ReleaseDate>02/27/2007</ReleaseDate>
               <Time>1172609006</Time>
               <OS>Sidewinder</OS>
               <Revision>7.0</Revision>
               <Version>7.0.0.00</Version>
               <Type>E-Patch</Type>
               <Flags>inactive</Flags>
               <Requires>70000t01</Requires>
               <Readme>Depends on 70000t01; installs new kernel</Readme>
            </packageSidewinder>
            ...
         </CCAutoDiscovery>
      The tags that appear in the example file are described below:
      • <Description> — Contains information about the update package.

      • <FilePath> — Contains the relative path name of the update package.

      • <ReleaseDate> — Contains the release date of the update package in MM/DD/YYYY format, where MM
        denotes the month, DD the day, and YYYY the year.
      • <Time> — Contains the UNIX operating system time stamp for the update package's build date.




• <OS> — Contains the name of the operating system for the firewall.

• <Revision> — Contains the release number for the main release (for example, 7.0).

• <Version> — Contains the firewall version to which the update package is applicable (for example,
  7.0.1).

• <Type> — Contains the type of update package (for example, Patch, Hotfix, or E-Patch).
• <Flags> — Contains one of the following values that indicates the status: active, active uninstallable,
  inactive.

• <Requires> — Contains the names of other update packages on which this update package depends and
  that must be installed before this package or with this package.

• <Readme> — Contains the text for the readme file.

• <Obsoletes> — [Optional tag] Contains a wildcard value that is used to match the names of the
  packages that this update package will make obsolete.
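As an added example, not code from this guide or from the product, the following Python parses and validates an auto-discovery file in the format shown above, orders the packages by their <Requires> dependencies, and evaluates <Obsoletes> wildcards. It assumes that <Requires> may list several whitespace-separated package names, that a required name which is not itself a package in the file is an already-installed base release, and that <Obsoletes> uses shell-style wildcards; the sample file is constructed from the guide's two packages plus a hypothetical third.

```python
"""Parser and validator for a Control Center auto-discovery file (CCAutoDiscovery
XML). Constructed example, not code from the guide or the product."""
import fnmatch
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

REQUIRED_TAGS = ("Description", "FilePath", "ReleaseDate", "Time", "OS",
                 "Revision", "Version", "Type", "Flags", "Requires", "Readme")
ALLOWED_FLAGS = {"active", "active uninstallable", "inactive"}
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")   # MM/DD/YYYY, as the guide states

@dataclass
class Package:
    name: str
    file_path: str
    release_date: datetime
    build_time: int
    flags: str
    requires: list        # assumption: whitespace-separated package names
    obsoletes: str = None
    text: dict = None     # Description, OS, Revision, Version, Type, Readme as text

def parse_package(elem):
    """Validate one <packageSidewinder> element and return it as a Package."""
    name = elem.get("name")
    if not name:
        raise ValueError("packageSidewinder element has no name attribute")
    missing = [t for t in REQUIRED_TAGS if elem.find(t) is None]
    if missing:
        raise ValueError(f"{name}: missing tags {missing}")
    text = lambda tag: (elem.findtext(tag) or "").strip()
    path = text("FilePath")
    # <FilePath> is documented as relative: an absolute path or a '..' segment
    # could place the download outside the update tree, so reject it.
    if path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"{name}: FilePath must be a relative path: {path!r}")
    flags = " ".join(text("Flags").split())
    if flags not in ALLOWED_FLAGS:
        raise ValueError(f"{name}: unknown Flags value {flags!r}")
    if not DATE_RE.match(text("ReleaseDate")):
        raise ValueError(f"{name}: ReleaseDate must be MM/DD/YYYY")
    return Package(
        name, path, datetime.strptime(text("ReleaseDate"), "%m/%d/%Y"),
        int(text("Time")), flags, text("Requires").split(), text("Obsoletes") or None,
        {t: text(t) for t in ("Description", "OS", "Revision", "Version", "Type", "Readme")})

def parse_autodiscovery(xml_text):
    """Parse the whole file; an unexpected root or duplicate package names are rejected."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "CCAutoDiscovery":
        raise ValueError(f"unexpected root element <{root.tag}>")
    packages = [parse_package(e) for e in root.findall("packageSidewinder")]
    if len({p.name for p in packages}) != len(packages):
        raise ValueError("duplicate package names")
    return packages

def install_order(packages):
    """Package names ordered so that every in-file <Requires> dependency precedes
    the package that needs it (depth-first topological sort; a cycle is an error)."""
    by_name = {p.name: p for p in packages}
    state, order = {}, []

    def visit(name):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError(f"dependency cycle involving {name}")
        state[name] = "visiting"
        for dep in by_name[name].requires:
            if dep in by_name:   # a name not in the file is assumed already installed
                visit(dep)
        state[name] = "done"
        order.append(name)

    for p in packages:
        visit(p.name)
    return order

def obsoleted(packages):
    """Names of in-file packages matched by another package's <Obsoletes> wildcard."""
    return {q.name for p in packages if p.obsoletes
            for q in packages if q is not p and fnmatch.fnmatch(q.name, p.obsoletes)}

# Constructed sample: the guide's two packages plus a hypothetical third one that
# depends on both and obsoletes the "70000t0*" packages released before it.
_COMMON = ("<Description>Install new OPS kernels</Description><FilePath>SW/{n}</FilePath>"
           "<ReleaseDate>02/27/2007</ReleaseDate><Time>1172608996</Time><OS>Sidewinder"
           "</OS><Revision>7.0</Revision><Version>7.0.0.00</Version><Type>E-Patch</Type>")
SAMPLE_XML = '<?xml version="1.0" encoding="UTF-8"?><CCAutoDiscovery>' + "".join(
    f'<packageSidewinder name="{n}">{_COMMON.format(n=n)}<Flags>{f}</Flags>'
    f"<Requires>{r}</Requires><Readme>Install and reboot</Readme>{o}</packageSidewinder>"
    for n, f, r, o in [("70000t01", "active uninstallable", "70000", ""),
                       ("70000t02", "inactive", "70000t01", ""),
                       ("70000t03", "active", "70000t01 70000t02",
                        "<Obsoletes>70000t0*</Obsoletes>")]) + "</CCAutoDiscovery>"
```

Running parse_autodiscovery over a file fetched from an alternate auto-discovery site before it is offered to the Management Server gives a cheap check that the file is well formed, that every package stays inside the update directory, and that the dependency graph can actually be installed in some order.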




Index


A
actions
    configuring for user roles 92
Active Internet Connections report 621
adaptive endpoints
    creating 339
address range objects
    creating 337
address ranges
    importing from a file 345
addresses
    configuring for VPN peers 485
Admin Console
    configuring settings for 300
administration guides 11
Administration Tool 15
administrator domains 84
administrators
    configuring 464
    displaying e-mail addresses 173
alarms
    mapping sounds 676
Alert Browser page 678
alert processing rules 563
    modifying 565
    viewing 564
alerts
    assigning priority levels 567
    filtering 686
    managing 678
    selecting columns for browser 685
    viewing events 682
ALL FIREWALLS 541
alternate default routes
    configuring 184
        for clusters 235
        for firewalls 180
analysis
    see McAfee Firewall Reporter
anti-virus
    configuring scanning properties for 308
    scheduling signature updates 327
Antivirus Patch Version Information report 621
ANY_IPv4 network objects 204
ANYWHERE network objects
    converting 204
application defenses 355
    Citrix 395
    configuring groups 418
    FTP 396
    H.323 402
    HTTP 355
    HTTPS 370
    IIOP 400
    Mail (Sendmail) 382
    Mail (SMTP proxy) 388
    MS SQL 404
    Oracle 403
    packet filter 415
    SIP 408
    SNMP 406
    SOCKS 405
    SSH 409
    T120 401
application timeout
    configuring settings for users 87
apply configurations 589
    configuring warning messages 591
archives
    exporting audit settings 268
ARP audit data
    configuring output 286
ARP Table report 621
associations
    managing strong and weak 571
audit
    exporting archive settings 268
    McAfee Firewall Reporter 273
    reports for firewalls 624
audit data
    filtering 617, 634
    viewing 615
audit events
    viewing 625, 635
audit export settings
    configuring for clusters 231
audit file backup time
    customizing 667
audit files
    exporting for firewalls to a remote location 667
audit filters
    configuring 632
    pre-defined
        advanced 628
        common 627
        for IPS attack responses 611
        for system events 615
    syntax 634

audit parameters
    configuring for Packet Filter application defenses 417
audit report 625
    configuring color settings 636
audit trail data 100
    configuring
        actions to track 101
        archiving parameters 102
    managing 101
audit.export.cron property
    configuring 667
authentication
    configuring
        authentication servers for users 150
        for users 146, 147
        for VPN peers 488, 493
        internal for users 147
        LDAP for users 148
        RADIUS for users 148
    services 424
Authentication - Locked Out Users report 621
authentication servers
    configuring external 151
    configuring for users 150
authenticators 424
    CAC 459
    configuring password 426
    custom LDAP 455
    iPlanet 440
    OpenLDAP 450
    passport 428
    RADIUS 431
    Safeword 435
    Windows domain 438
auto-discovery site 712

B
backup configuration files
    creating by using the GUI 123
    deleting 128
    editing 128
    restoring 128
    retrieving from a remote server 129
backup files
    creating
        for a single database 28
        for all databases 28
        for full system restoration by using -k passphrase 29
    managing versions for configuration domains 97
    saving different versions for configuration domains 97
backup server
    role of 138
backup servers
    viewing the status 122
backups
    confirming manual 708
    database
        command line 26
    Management Servers 23
        automatic nightly 24
        GUI 25
backuptool command 26
blackhole 420
Blackholed IPs report 621
blackholes 607
bridged interfaces
    see transparent interfaces 179
bridged mode 41
burb groups
    configuring 343
burbs
    configuring 341
    configuring groups 343

C
CA certificates 512, 513
    exporting 519
    importing 518
    loading 522
    managing names 514
CAC authenticators
    configuring 459
categories
    configuring for IPS signature groups 422
Certificate Revocation List
    see CRL 512
certificate server settings
    configuring
        for clusters 245
        for firewalls 196
certificates
    CA 513
    creating 515
    exporting 519
    firewall 513
    firewall server 513
    importing 515
    importing CA 518
    loading 522
    managing 481
    managing names 514
    remote 513
        configuring 523
    supported file formats 512
change tickets
    see tickets 103
channel filtering
    configuring for SSH application defenses 410
charts
    displaying for firewall status 583
Citrix application defenses
    configuring 395

client authentication                                                            promoting firewalls to 216
  configuring for SSH application defenses 411
Client Suite 13
cluster members
  adding to a cluster node created on the McAfee Firewall Enterprise Admin Console 225
  configuring 255
    general settings 256
    high availability parameters 260
    interfaces 257
    NICs and NIC groups 259
  creating to join a cluster 220
  demoting
    all in a cluster to a standalone firewall 224
    one to a standalone firewall 223
Cluster Status report 621
cluster wizard
  see McAfee Firewall Enterprise Cluster Wizard 216
clusters 215
  adding
    prerequisites for existing firewalls 216
  adding clusters created on McAfee Firewall Enterprise Admin Console 226
  burb requirement for 216
  configuring
    audit export settings 231
    certificate server settings 245
    cluster member nodes 255
    configuration information 228
    DNS configuration for 240
    dynamic routes 238
    general settings 229
    high availability parameters 233
    interfaces 232
    McAfee Firewall Profiler 231
    McAfee Firewall Reporter 231
    miscellaneous settings 250
    network interfaces 253
    sendmail configuration files 239
    synchronized features 215
    unique features 216
  creating
    on the McAfee Firewall Enterprise Admin Console 225
    prerequisites for nodes from within Control Center 216
    prerequisites from within Control Center 216
    single-node 216
    two-node 216, 221
  heartbeat burb requirements 216
  interface requirement for 216
  joining a firewall to an existing 220
  load-sharing 215
  managing 215
  moving from one configuration domain to another 96
  no current IPv6 support 217
  peer-to-peer (High Availability) 215
  primary and backup 215
  supported layer 2 modes 217
  version requirements for 216
  VLAN interface requirements 217
color settings
  configuring for McAfee Firewall Enterprise Audit Report 636
compliance report
  configuring settings 596
configurable objects 154
configuration domain access
  configuring users 83
configuration domains 92
  activating 93
  administrator 84
  configuring 95
  configuring user access 83
  managing backup file versions 97
  moving objects between 96
  saving versions of backup files 97
  shared 84
  switching between 96
configuration files
  backing up for firewalls 704
  creating by using the GUI 123
  editing sendmail for clusters 239
  restoring
    by using the GUI 30
    for firewalls 704
    from a backup 126
Configuration Tool 16, 153
  configuring display options 669
configurations
  applying for firewalls 589
  comparing for a firewall 595
  configuring for clusters 228
  validating for firewalls 586
  viewing for firewalls 584
configuring download settings 692
content scanning
  configuring for HTTP application defenses 367
Control Center 13
  Client Suite 13
  Management Servers 13
countries
  grouping into Geo-Location objects 340
CRL 512
Current Passport Users report 621
Custom LDAP authenticators
  configuring 455

D
dashboard 577
  charts 577
data replication 137
databases
  backing up from the command line 26, 28

McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 717
  restoring a single
    by using the command line 31
  restoring all
    by using the command line 31
date and time
  configuring for the Management Server 131
  setting for firewalls 655
default route failover
  configuring 184
  configuring for clusters 235
device groups
  configuring 261
DHCP servers
  configuring relays 301
disaster recovery
  Management Servers 33
disclaimer information
  customizing content 120
Disk Utilization report 621
DNS 312
  configuring
    for clusters 240
    for firewalls 190
  configuring transparent server objects 211
DNS servers
  configuring 116
DNS zones 312
  configuring 315
  configuring zone types 316
docking pin 47, 48
domain name system
  see DNS 313
domain objects
  creating 337
domains 314
  administrator 94
  configuration 92
  shared 94
downloads
  configuring settings 692
  performing manual 711
dynamic routes
  configuring
    for clusters 238
    for firewalls 187

E
e-mail addresses
  administrator
    displaying 173
embedded script filtering
  configuring for HTTP application defenses 367
encryption
  using on backup and restore configuration files 29
endpoint groups
  configuring 344
endpoints
  adaptive, creating 339
  creating 337
Enrolled Hosts report 621
epatches
  uploading to the Control Center 693
ePO
  see ePolicy Orchestrator 132
ePO Host Data report 135
ePolicy Orchestrator 132
  configuring
    the ePO server settings 132
    users for 132
  user 134
event analysis
  see also McAfee Firewall Reporter
Event Browser window 682
events
  configuring columns in the browser 683
  viewing 625, 635
    for alerts 682
export settings for audit
  configuring for clusters 231
external authentication servers
  configuring 151
external groups
  configuring 469

F
failover 138
filter services
  configuring 350
filters
  FTP packet filter 351
  generic 351
  ICMP 351
  managing for rules 549
  protocol 351
  quick 550
firewall
  exporting audit files to a remote location 667
firewall certificates 513
  exporting 519
  loading 522
Firewall Enterprise Control Center (CommandCenter)
  see Control Center 13
Firewall Reporter
  see McAfee Firewall Reporter 273
firewall status
  charts 578
firewalls 163
  adding
    by manual registration 39
    by rapid deployment registration 38
  applying configurations 589
  backing up configuration files 704
  charts 577
  comparing proposed configuration changes 595
  configuring 170
    activation URL license information 112
    apply warning messages 591
    audit export 174
    certificate server settings 196
    company information for licenses 114
    contact information for licenses 113
    cryptographic settings for VPN communities 502
    DNS 190
    dynamic routes 187
    general settings 172
    global settings 264
    interfaces 175
    license information 111
    McAfee Firewall Profiler 174
    McAfee Firewall Reporter 174
    miscellaneous settings 201
    network interfaces 206
    NICs and NIC groups 177
    sendmail configuration files 189
    status 579
    status chart display 583
    status display columns 580
    status for health thresholds 581
    user access 85
    validation warning messages 587
    view options by sorting 594
  dashboard 577
  deleting 213
  exporting certificates 519
  generating reports 623
  loading certificates 522
  managing 656
    certificate names 514
    licenses 658
  moving from one configuration domain to another 96
  registering
    by rapid deployment 164
    manually 166
  replacing in rules 541
  reports 619
  restoring configuration files 704
  retrieving components of 168
  setting date and time 655
  specifying report generation options 620
  validating configurations 586
  verifying rule replacement 543
  viewing
    configurations 584
    dashboard 577
    license reports 645
    properties 672
    status of many 574
    status of one 577
fixed addresses
  assigning to VPN clients 509
  configuring for VPN clients 510
FTP application defenses
  configuring 396
    FTP command usage 397
    scanning of transferred files 398
FTP command usage
  configuring for the FTP application defense 397
FTP URLs
  configuring for HTTP application defenses 360
full system backup 29

G
gateway peers 473
Geo-Location
  configuring 340
  scheduling updates 330
  Version report 621
global settings
  configuring 264
groups
  configuring
    application defense 418
    for burbs 343
    for endpoint objects 344
    for NICs 210
    services 353
  creating for rules 551
  device objects 261
  external, configuring 469
  users, configuring 468
GUI navigation
  shortcut keys 44

H
H.323 application defenses
  configuring 402
HA
  see High Availability (HA) feature 136
health thresholds
  configuring for firewalls 581
heartbeat burbs
  interface requirements 216
High Availability (HA) feature
  configuring
    on Management Servers 136
    parameters for cluster members 260
    parameters for clusters 233
  determining the primary server 137
  failing over 138
  for clusters 215
  High Availability Removal Wizard 143
  High Availability Setup Wizard 140
  recovering
    backup Management Server 36
    both Management Servers 37
    primary Management Server 35
  removing from single server of an HA pair 144
  replication services for failing over 138
  switching over 138
High Availability Removal Wizard 143
High Availability Setup Wizard 140
host objects
  creating 337
hostnames
  importing from a file 345
hot fixes
  uploading to the Control Center 693
HTTP application defenses
  configuring 355
    connection properties 368
    content scanning 367
    embedded script filtering 367
    FTP URLs 360
    HTTP replies 363
    HTTP requests 361
    HTTP URLs 358
    MIME types, viruses, and spyware 365
    protocol enforcements 357
    Web content filtering 367
HTTP connection properties
  configuring for HTTP application defenses 368
HTTP replies
  configuring for HTTP application defenses 363
HTTP requests
  configuring for HTTP application defenses 361
HTTP URLs
  configuring for HTTP application defenses 358
HTTPS application defenses
  configuring 370
hybrid mode 41

I
ICMP audit data
  configuring output 284
ICMP messages
  configuring for Packet Filter application defenses 417
IIOP application defenses
  configuring 400
Import Network Objects Wizard 345
Interface NIC Status report 622
interfaces
  cluster 232
  configuring
    for cluster members on firewalls 257
    for clusters 232, 253
    for firewalls 175, 206
  IPv6
    configuring for versions 7.0.1 and later with IPv6 enabled 206
  requirements for clusters 216
  routed 41
  transparent 41
internal user authentication
  configuring 147
IP addresses
  configuring
    for cluster members 256
    for clusters 229
    for firewalls 172
  importing from a file 345
IP audit data
  configuring output 281
iPlanet authenticators
  configuring 440
IPS
  configuring signature groups 421
  inspection 419
  scheduling signature updates 328
IPS attack responses
  configuring individual 609
  pre-defined audit filters for 611
  viewing 608
IPS response mappings
  configuring 420
IPS Signature Browser 302
IPS signature groups
  configuring 421
    categories 422
    signatures 423
IPS Signature Version report 622
IPsec
  bypassing policy evaluation for VPNs 525
  configuring audit data output 287
  cryptographic properties 499
IPv4
  configuring objects in rules 542
  converting network objects in rules for IPv6 204
IPv6
  configuring
    audit data for attacks 289
    interfaces for (versions 7.0.1 and later with IPv6 enabled) 206
    messages for Packet Filter application defenses 417
    objects in rules 542
    static routes for firewalls 180
  converting network objects in rules 204
ISAKMP servers
  configuring settings 297
J
jobs
  scheduling 322

K
keys
  adding for SSH known hosts 570
Knowledge Base 11

L
LDAP user authentication
  configuring 148
License Report 645
License Status report 622
licenses
  configuring
    activation URL information for firewalls 112
    administrator contact information for the Management Server 108
    company information for firewalls 114
    company information for the Management Server 109
    contact information for firewalls 113
    for firewalls 111
    for Management Servers 106
    server information for the Management Server 107
  managing firewall 658
  selecting firewalls for reports 644
  viewing status of one or more firewalls 645
licensing
  Management Servers
    license types 104
locked objects 649
lockout
  configuring for users 120
log files
  viewing Management Server 663
log in 21
login information
  remote server
    retrieving backup configuration files from a remote server 129

M
Mail (Sendmail) application defenses
  configuring 382
Mail (SMTP proxy) application defenses
  configuring 388
    general settings 389
    mail headers 393
    SMTP commands 391
mail headers
  configuring in the application defense 393
Mail servers
  configuring 116
maintenance
  scheduling 322
Management Servers 13
  adding
    backup (standby) 21
    primary 21
  backing up
    automatic nightly 24
    configuration data 23
    GUI 25
  configuring
    administrator contact information for licenses 108
    backup (standby) servers 20
    company information for licenses 109
    for HA 136
    licenses 106
    network settings 115
    network settings for interfaces 118
    network settings for NTP, DNS, and mail servers 116
    new primary or backup 20
    properties 664
    server date and time 131
    server information for licenses 107
    static routes for network settings 119
  creating backup configuration files by using the GUI 123
  deleting
    backup (standby) 21
    primary 21
  licensing 104
    automatic 104
    manual 104
  logging into 21
  recovering
    backup of HA pair 36
    both servers of HA pair 37
    primary of HA pair 35
    standalone 34
  removing 20
  restarting 131
  restoring a backup
    by using the command line 33
  restoring configuration files 126
  restoring data 23
  viewing
    log files 663
    system information 638
    the status of backup servers 122
manual registration
  using to register firewalls 39
McAfee Firewall Enterprise Admin Console
  see Admin Console 300
McAfee Firewall Enterprise Audit Report 625
  configuring color settings 636
McAfee Firewall Enterprise Cluster Wizard
  see also clusters 216
  demoting
    all cluster members to standalone firewalls 224
    one cluster member to a standalone firewall 223
  using
    to create a cluster with two firewalls 221
    to create clusters 218
    to create two-node clusters 221
    to join a firewall to a cluster 220
    to promote firewalls to clusters 218
McAfee Firewall Enterprise Control Center
  see Control Center 13
McAfee Firewall Profiler
  configuring 272
    for a cluster 231
    on a firewall 174
McAfee Firewall Reporter 273
  configuring
    communication settings for the server 599
    for a cluster 231
    on a firewall 174
  viewing Web data 600
mesh communities 473
Mesh VPN
  configuring
    channels 475
    communities 491
MIME types
  configuring for HTTP application defenses 365
monitoring
  using McAfee Firewall Reporter 273
MS SQL application defenses
  configuring 404

N
NAT 474
navigation
  right-click menus 44
Network Address Translation
  see NAT 474
network defenses 278
  configuring 279
    ARP audit output 286
    audit data for IPv6 attacks 289
    ICMP audit output 284
    IP audit output 281
    IPsec audit output 287
    TCP audit output 280
    UDP audit output 283
Network Interface Configuration report 622
Network Interface Statistics report 622
network interfaces
  applying Quality of Service profiles 310
network objects 336
  creating 337
  importing from a file 345
  replacing in rules 541
  verifying rule replacement 543
Network Protocol Statistics report 622
network settings
  configuring
    for NTP, DNS, and mail servers for the Management Server 116
    for the Management Server 115
    interfaces for the Management Server 118
    static routes for the Management Server 119
networks
  importing from a file 345
NIC groups
  configuring 210
    for cluster members 259
    for firewalls 177
NICs
  configuring
    for cluster members 259
    for firewalls 177
  configuring groups 210
node names
  configuring
    for cluster members 256
    for clusters 229
    for firewalls 172
NTP burbs
  configuring 300
NTP servers
  configuring 116
    burbs 300
    settings 299

O
object details 160
objects
  assigning
    to clusters 250
    to firewalls 201
  configuring user access 91
  deleting unused 651
  locking and unlocking 649
  managing unused 651
  merging entities with common elements 652
  network 336
  viewing usage of referenced 648
offbox settings
  configuring
    for a cluster 231
    for a firewall 174
OpenLDAP authenticators
  configuring 450
Oracle application defenses
  configuring 403

P
packages
  monitoring availability 331
Packet Filter application defenses
    configuring 415
        request rates and audit parameters 417
        types of ICMP and IPv6 messages 417
passport authenticators
    configuring 428
password authenticators
    configuring 426
passwords
    changing 88
peers
    configuring for VPN 484
Phase 1 cryptographic settings 496
Phase 2 cryptographic settings 498
policies
    viewing for the firewall 640, 643
policy objects 333
Policy report 640, 643
ports
    configuring
        for cluster members 256
        for clusters 229
        for firewalls 172
prefixes
    configuring for rules 540
primary server
    determining in High Availability 137
    role of 137
primary servers
    configuring 20
    removing 20
priority levels
    assigning to alerts 567
profiles
    creating Quality of Service 311
protocol enforcements
    relaxing for HTTP application defenses 357
proxy services
    configuring 348

Q
QoS
    see Quality of Service 310
Quality of Service 310
    applying a profile to a network interface 310
    creating profiles 311
Quality of Service Status report 622

R
RADIUS authenticators
    configuring 431
RADIUS user authentication
    configuring 148
rapid deployment 164
    using to register firewalls 38
recovery
    backup Management Server of HA pair 36
    both Management Servers of HA pair 37
    primary Management Server of HA pair 35
    standalone Management Servers 34
redundant default routes
    see alternate default routes 184, 235
redundant routes
    see alternate default routes 180
referenced objects
    showing usage of 648
registration
    using manual to register firewalls 39
    using rapid deployment to register firewalls 38
remote access communities 473
Remote access VPN communities
    configuring 491
remote certificates 513
    configuring 523
    exporting 519
    loading 522
    managing names 514
remote server
    retrieving backup configuration files 129
Remote VPN channels
    configuring 475
reporting
    McAfee Firewall Reporter 273
Reporting and Monitoring Tool 17
reports
    Active Internet Connections 621
    aggregate 620
    Antivirus Patch Version Information 621
    ARP Table 621
    Authentication - Locked Out Users 621
    Blackholed IPs 621
    Cluster Status 621
    configuration compliance 597
    configuring schedules for compliance report 596
    Current Passport Users 621
    deployment status 598
    Disk Utilization 621
    displaying firewall-specific 620
    electing firewalls for the license report 644
    Enrolled Hosts 621
    ePO Host Data 135
    firewall audit 624
    firewalls 619
    generating firewall-specific 623
    Geo-Location Version 621
    Interface NIC Status 622
    IPS Signature Version 622
    License 645
    License Status 622
    Network Interface Configuration 622
    Network Interface Statistics 622
    Network Protocol Statistics 622
    Policy 640, 643
    Quality of Service Status 622
    Routing Statistics 622
    Routing Table 622
    Running Processes 622
    Service Status 622
    SSH Known Host Associations 622
    Static Routing Status 622
    System Information 638
    System Vital Statistics 623
    viewing firewall status 574
    viewing service status 601
    viewing Web data by using McAfee Firewall Reporter 600
    VPN Status 623
request rates
    configuring for Packet Filter application defenses 417
response mappings
    configuring IPS 420
responses
    configuring blackholes 607
    IPS attack
        configuring individual 609
        viewing 608
    system
        configuring individual 613
        viewing 612
restart
    Management Server 131
restorations
    configuration files
        by using the GUI 30
    databases
        by using the command line 31
    Management Server backups
        by using the command line 33
    single database
        by using the command line 31
retrieve
    firewall components 168
right-click menus 44
Road Warrior identities
    configuring for VPN peers 490
Road Warrior peers 473
roles 89
    assigning object access for users 91
    configuring
        actions for 92
        for users 84
    managing for users 90
rotating files 273
routed mode 41
routes
    static 184
        for clusters 235
        for firewalls 180
Routing Statistics report 622
Routing Table report 622
rule objects
    replacing 541
    verifying replacement 543
rules 527
    alert processing 563
    configuring
        columns to display 532
        default settings 540
        prefixes 540
        time periods for 470
        URL translation 560
    creating 528, 533
        groups 551
    deleting duplicate 556
    disabling 533
    editing 533
    filtering 545
        display on the Rules page 550
    functionality 527
    IPv4 objects 542
    IPv6 objects 542
    managing 528
        filters 549
    merging 552
    modifying 528
        alert processing 565
    replacing objects in 541
    verifying objects to be replaced 543
    viewing 528
        alert processing 564
        URL translation 559
Running Processes report 622

S
SA lifetime 501
Safeword authenticators
    configuring 435
search 597
Secure Alerts Server 686
    using 687
    viewing status 687
sendmail configuration files
    configuring for firewalls 189
    editing for clusters 239
servers
    configuring
        for transparent DNS servers 211
        ISAKMP settings 297
        NTP settings 299
        properties of 291
        DHCP 301
service agents
    managing 601
service groups
    configuring 353
service objects
    replacing in rules 541
    verifying rule replacement 543
service status
    viewing details about 604
Service Status report 622
services 346
    authentication 424
    burb, port, and listening information 604
    configuring
        filter 350
        properties of 291
        proxy 348
    viewing information 601
shared domains 84
shortcut keys 44
signature groups
    configuring for IPS 422
signatures
    configuring for IPS signature groups 423
    managing IPS 302
    scheduling
        anti-virus updates 327
        IPS updates 328
SIP application defenses
    configuring 408
SMTP commands
    configuring in the application defense 391
SNMP application defenses
    configuring 406
SOCKS application defenses
    configuring 405
software updates 692
    downloading 711
    installing 697
    managing 699
    monitoring package availability 331
    scheduling 703
    storing 709
Software Updates Tool 17
sound files
    mapping to alarms 676
spyware
    configuring for HTTP application defenses 365
SSH application defenses
    configuring 409
        advanced client options 412
        channel filtering 410
        client authentication 411
        server connections 414
SSH Known Host Associations report 622
SSH known hosts 568
    adding keys 570
    configuring 569
    managing associations 571
SSH server connections
    configuring for the SSH application defenses 414
standby servers
    configuring 20
    removing 20
star communities 473
Star VPN
    configuring
        channels 475
        communities 491
static routes
    configuring
        for clusters 235
        for the Management Server network settings 119
        for version 7.0.1 and later firewalls with IPv6 enabled 180
        for version 7.0.1 firewalls without IPv6 enabled or 7.0.0.6 and 7.0.0.07 firewalls 184
Static Routing Status report 622
status
    configuring
        for firewalls 579
        health thresholds for firewalls 581
    displaying
        charts for firewalls 583
        columns for firewalls 580
strong associations 571
switchover 138
syntax
    filtering for audit data 634
syslog server
    configuring 276
syslogd 273
system events
    pre-defined audit filters for 615
System Information report 638
system responses
    configuring individual 613
    viewing 612
System Vital Statistics report 623

T
T120 application defenses
    configuring 401
TCP audit data
    configuring output 280
Third-party updates 326
    scheduling
        for anti-virus signatures 327
        for Geo-Location databases 330
        for IPS signatures 328
thresholds
    configuring health for firewalls 581
tickets
    starting and stopping 103
time periods
    configuring 470
time restrictions
    configuring for user access 86
timeout settings
    configuring for users 87
toolbars
    customizing 70
transparent DNS servers
    configuring server objects for 211
transparent interfaces
    creating 179
    restrictions 179
transparent mode 41
TrustedSource 304
    configuring settings 305

U
UDP audit data
    configuring output 283
unused objects
    managing 651
updates
    uploading to the Control Center 693
    viewing downloaded 693
URL translation rules 559
    configuring 560
    viewing 559
user authentication
    configuring
        authentication servers 150
        internal 147
        LDAP 148
        RADIUS 148
        server options for users 147
    Control Center 146
user groups
    configuring 468
users 81
    assigning object access by roles 91
    configuring 82
        accounts for 462
        actions by using roles 92
        configuration domain access 83
        firewall access 85
        groups of 468
        inactivity timeout settings 87
        roles 84
        time restrictions for access 86
    locking out 120
    roles for 89

V
validation
    configuring
        for firewalls 586
        warning messages 587
virus and spyware scanning
    configuring for the FTP application defense 398
virus scan 308
    configuring properties 308
viruses
    configuring for HTTP application defenses 365
VLANs
    interface requirements for clustering 217
VPN
    adding communities 503
    assigning fixed addresses to clients 509
    bypassing IPsec policy evaluation 525
    configuring
        channels for 475
        clients 507
        community cryptographic settings 494
        community firewall cryptographic settings 502
        community IPsec cryptographic settings 499
        community peer authentication 493
        community Phase 1 cryptographic settings 496
        community Phase 2 cryptographic settings 498
        community SA lifetime cryptographic settings 501
        fixed addresses for clients 510
        Mesh communities 491
        peers 484
        remote access communities 491
        Star communities 491
    gateways 482
VPN clients
    assigning fixed addresses 509
    configuring 507
        fixed addresses 510
VPN Communities 473
    mesh 473
    remote access 473
    star 473
VPN community
    adding 503
    configuring
        cryptographic settings 494
        firewall cryptographic settings 502
        IPsec cryptographic settings 499
        Mesh 491
        peer authentication 493
        Phase 1 cryptographic settings 496
        Phase 2 cryptographic settings 498
        remote access 491
        SA lifetime cryptographic settings 501
        Star 491
VPN gateways
    configuring 482
    managing certificates for 481
VPN peers
    configuring 484
      addresses 485
      authentication 488
      Road Warrior identities 490
VPN Status report 623
VPN wizard 475

W
warning messages
    configuring
      for apply configurations 591
      for validation 587
weak associations 571
Web content filtering
    configuring for HTTP application defenses 367
Windows Domain
    configuring authenticators 438
Windows Domain authenticators
    configuring 438




700-1929-00A

  • 3. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes or may include some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format that the source code also be made available to those users. For any such software, the source code is made available in a designated directory created by installation of the Software or designated internet page. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in the McAfee End User License Agreement, then such rights shall take precedence over the rights and restrictions herein. Issued April 2009 / McAfee Firewall Enterprise Control Center (CommandCenter ) software version 4.0.0.04 ® ™
Contents

About this Document  11

1 Introduction  13
  About the McAfee Firewall Enterprise Control Center (CommandCenter)  13
  Features of the Control Center  14
  About the Client Suite  15
    Administration Tool  15
    Configuration Tool  16
    Reporting and Monitoring Tool  17
    Software Updates Tool  17

2 Administrator Basics  19
  Managing the McAfee Firewall Enterprise Control Center (CommandCenter) Management Server  19
    Configuring the Management Server  20
    Logging into the Management Server  21
  Managing configuration data for the Management Server  23
    Backing up configuration data for the Management Server  24
    Restoring configuration data to the Management Server  29
  Disaster recovery restoration for Management Servers  33
    Restoring a standalone Management Server that has failed completely  34
    Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair  35
    Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair  36
    Restoring both Management Servers in a high availability (HA) pair that have failed completely  37
  Adding firewalls  38
    Adding firewalls by using rapid deployment registration  38
    Adding firewalls by using manual registration  39
  Managing firewall interfaces  41
    Routed mode  41
    Transparent (bridged) mode  41
  Navigating the Control Center user interface  42
    Administration Tool main window  44
    Configuration Tool main window  45
    Reporting and Monitoring Tool main window  48
    Software Updates Tool main window  49
    Administration Tool menus  50
    Configuration Tool menus  56
    Reporting and Monitoring Tool menus  62
    Software Updates Tool menus  66
    Customizing a toolbar  70
    Administration Tool toolbars  70
    Configuration Tool toolbars  70
    Reporting and Monitoring Tool toolbars  73
    Software Updates Tool toolbars  76

3 Administration Tool  79
  Administration Tool  79
  Control Center users  81
    Configuring Control Center users  82
    Changing user passwords  88
  Control Center roles  89
    Managing roles for Control Center users  90
  Configuration domains  92
    Activating configuration domains  93

McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 5

    Configuring configuration domains  95
    Moving a firewall or cluster from one configuration domain to another  96
    Changing from one configuration domain to another  96
  Configuration domain version management  97
    Configuration domain version management  97
    Managing versions of configuration domains  99
  Audit data management  100
    Managing audit trail information  101
    Configuring change tickets  103
  Control Center Management Server licensing  104
    Managing Control Center licenses  106
    Configuring common license information for the Control Center  111
    Configuring Control Center network settings  115
  System settings  120
    Configuring system settings  121
    Viewing the status of your backup Management Servers  122
    Creating backup files of your Management Server data by using the GUI  123
    Restoring the Management Server configuration files from a backup file  126
    Uploading a backup configuration file from the Client to the Management Server  128
    Changing login information for remote system backups  129
    Setting the date and time on the Management Server  131
    Restarting the Management Server  131
  ePolicy Orchestrator settings  132
    Configuring access to the ePolicy Orchestrator server  132
    Viewing ePolicy Orchestrator host data  135
  High Availability (HA)  136
    How High Availability (HA) works  137
    HA configuration and status support  140
    Configuring the High Availability (HA) feature  140
    Removing the High Availability (HA) configuration feature  143
  Authentication  145
    Configuring Control Center user authentication  146
    Control Center Authentication Configuration window: Authentication Servers tab  150
    Configuring external authentication servers  151

4 Configuration Tool Overview  153
  Configuration Tool  153
  Configuration Tool operations  153
  Configurable objects  154
  Viewing details about objects  160

5 Configuration Tool - Firewalls  163
  Firewall objects  163
  McAfee Firewall Enterprise (Sidewinder)  164
    Registering your firewalls by using the rapid deployment option  164
    Registering a firewall manually  166
    Retrieving firewall components  168
    Configuring settings for a standalone firewall  169
    Configuring the firewall  170
    Firewall window-related tasks  204
    Converting network objects in rules for the IPv6 protocol  204
    Deleting firewall objects  213
  McAfee Firewall Enterprise (Sidewinder) clusters  215
    Managing clusters  215
    Configuring, promoting and demoting cluster objects and cluster nodes  216
    Overview of configuring a cluster on the McAfee Firewall Enterprise Admin Console  225
    Adding a cluster that was created on the McAfee Firewall Enterprise Admin Console  226
    Configuring configuration information for a cluster  228
    Modifying cluster interface properties  253
    Configuring configuration data for a cluster member  255
  Device groups  261
    Configuring groups of related device objects  261

6 Configuration Tool - Firewall Settings  263
  Firewall settings  263
  Common (global) settings  264
    Configuring common (global) settings  264
  Audit export  268
    Configuring audit archive settings for a firewall  268
  McAfee Firewall Profiler  272
    Configuring McAfee Firewall Profiler settings  272
  Firewall Reporter / Syslog settings  273
    Configuring the exportation of audit data to a McAfee Firewall Reporter or to designated syslog servers  274
  Network defenses  278
    Configuring network defense audit reports  279
  Managing servers and service configurations  291
  Viewing and managing IPS signatures by using the IPS Signature Browser  302
  TrustedSource  304
    Configuring TrustedSource settings for rules and mail filtering  305
  Virus scanning  308
    Configuring virus scanning properties  308
  Quality of Service  310
    Creating Quality of Service profiles  311
  DNS zones  312
    Configuring DNS zones  315
  Scheduled jobs  322
    Scheduling jobs  322
  Third-party updates  326
    Configuring third-party update schedules  326
  Software update package status  331
    Establishing a schedule to check for software updates  331

7 Configuration Tool - Policy  333
  Policy objects  333
  Network objects  336
    Configuring endpoints (network objects)  337
    Creating adaptive endpoints  339
    Creating Geo-Location objects  340
    Configuring burbs  341
    Configuring groups of burb objects  343
    Configuring groups of endpoint objects  344
    Importing network objects  345
  Services  346
    Configuring proxy services  348
    Configuring filter services  350
    Configuring service groups  353
  Application defenses  355
    Configuring HTTP application defenses  355
    Configuring HTTPS application defenses  370
    Configuring Mail (Sendmail) application defenses  382
    Configuring Mail (SMTP proxy) application defenses  388
    Configuring Citrix application defenses  395
    Configuring FTP application defenses  396
    Configuring IIOP application defenses  400
    Configuring T120 application defenses  401
    Configuring H.323 application defenses  402
    Configuring Oracle application defenses  403
    Configuring MS SQL application defenses  404
    Configuring SOCKS application defenses  405
    Configuring SNMP application defenses  406
    Configuring SIP application defenses  408
    Configuring SSH application defenses  409
    Configuring Packet Filter application defenses  415
    Configuring application defense groups  418
  IPS inspection  419
    Configuring IPS response mappings  420
    Configuring IPS signature groups  421
  Authentication services  424
    Configuring password authenticators  426
    Configuring passport authenticators  428
    Configuring RADIUS authenticators  431
    Configuring Safeword authenticators  435
    Configuring Windows Domain authenticators  438
    Configuring iPlanet authenticators  440
    Configuring Active Directory authenticators  445
    Configuring OpenLDAP authenticators  450
    Configuring custom LDAP authenticators  455
    Configuring CAC authenticators  459
  Firewall users  461
    Firewall administrators, users, user groups, and external groups  461
    Configuring firewall users  462
    Configuring firewall administrators  464
    Configuring firewall user groups  468
    Configuring external firewall groups  469
  Time periods  470
    Managing time periods  470
  VPN  471
    Configuration features  472
    Components and considerations  474
    Client configurations and XAUTH  475
    Creating VPN channels  475
    Managing firewall certificates for VPN gateways  481
    Configuring VPN gateways  482
    Configuring VPN peer objects  484
    Building Star, Mesh, and remote access VPN communities  491
    Creating a network configuration for a VPN client  507
    Defining fixed addresses for VPN clients  510
    Adding a VPN client configuration  511
    CA certificates  512
    Managing certificate names  514
    Creating certificates or importing them into the certificate database  515
    Importing certificates into the known certificates database  518
    Exporting certificates  519
    Loading certificates  522
    Managing remote certificates  523
    Bypassing IPsec policy evaluation  525
  Rules  527
    How rules work  527
    Rule management  528
    Creating, viewing, or modifying rules  528
    Configuring columns to display on the Rules page  532
    Configuring rules  533
    Configuring default settings for creating rules  540
    Replacing objects in rules  541
    Verifying the objects to be replaced in your rules  543
    Filtering rules to display on the Rules page  545
    Loading and managing previously saved rule filters  549
    Displaying filtered rules on the Rules page  550
    Configuring groups of rules  551
    Merging rules with common elements  552
    Deleting duplicate rules  556
    Viewing configuration information for duplicate rules  558
  URL translation rules  559
    Viewing your URL translation rules  559
    Configuring URL translation rules  560
  Alert processing rules  563
    Viewing alert processing rules  564
  • 9. Modifying pre-defined alert processing rules ....... .. ... .. ... .. . . . . . . . . . . . . . . . . . . . . . 565 Assigning priority levels to alerts . . . . . . . . ....... .. ... .. ... .. . . . . . . . . . . . . . . . . . . . . . 567 SSH known hosts . . . . . . . . . . . . . . . . . . . . . . ....... .. ... .. ... .. . . . . . . . . . . . . . . . . . . . . . 568 Configuring strong known host associations . ....... .. ... .. ... .. . . . . . . . . . . . . . . . . . . . . . 569 Creating strong SSH known host keys . . . . . ....... .. ... .. ... .. . . . . . . . . . . . . . . . . . . . . . 570 Configuring host associations . . . . . . . . . . . ....... .. ... .. ... .. . . . . . . . . . . . . . . . . . . . . . 571 8 Configuration Tool - Monitor 573 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 Firewall configuration management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 Viewing the overall status of your firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 Viewing the status of a specific firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Configuring settings for the Firewall Status page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579 Viewing configuration information about each firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584 Validating firewall configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586 Troubleshooting validation configuration warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587 Applying firewall configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
589 Troubleshooting apply configuration warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591 Viewing the status of Apply Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593 Reviewing your configured firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594 Comparing impacts of proposed configuration changes for a firewall . . . . . . . . . . . . . . . . . . . . . . . . 595 Configuring compliance report settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596 Viewing the compliance status of the current firewall configuration . . . . . . . . . . . . . . . . . . . . . . . . . 597 Viewing your firewall enrollment (deployment) status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 Configuring the firewall for usage inside the Control Center Client . . . . . . . . . . . . . . . . . . . . . . . . . 599 Viewing real-time Web data for your network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600 Viewing services and managing service agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601 Viewing details about a firewall service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604 Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Configuring alert notification for e-mail accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606 Configuring blackholes for suspected hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 Viewing IPS attack responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608 Configuring IPS attack responses . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609 Viewing system responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 Configuring system responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613 Audit trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615 Viewing audit trail information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615 Configuring a custom audit trail filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617 Audit archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619 Firewall reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619 Viewing firewall report data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620 Generating firewall reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623 Firewall audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624 Configuring and generating audit reports for one or more firewalls . . . . . . . . . . . . . . . . . . . . . . . . . 625 Configuring filters for audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632 Viewing event-specific audit information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. 635 Configuring on-screen color schemes for the audit records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636 Displaying system information for the Control Center Management Server . . . . . . . . . . . . . . . . . . . 638 Selecting the criteria for the firewall policy report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640 Viewing information about the security policy for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643 Firewall license reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 Selecting the firewall for the license report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 Viewing the status of all of the licenses for a firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645 9 Configuration Tool - Maintenance 647 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. .. . . . . . . . . . . . . . . . . . 647 Firewall maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. .. . . . . . . . . . . . . . . . . . 648 Viewing object usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. .. . . . . . . . . . . . . . . . . . 648 Locking configuration objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. .. . . . . . . . . . . . . . . . . . 649 Managing unused objects on the Control Center Management Server .. .. .. . . . . . . . . . . . . . . . . . 651 Merging objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. .. . . . . . . . . . . . . . . . . . 652 Setting the date and time on a firewall . . . . . . . . . . . . . . . . . . . . . .. .. .. . . . . . . . . . . . . . . . . . 655 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 9
  • 10. Managing firewall shutdown and suspension states and other maintenance settings . . . . . . . . . . . . . 656 Viewing and managing firewall licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 Control Center maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662 Viewing Management Server logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663 Configuring Management Server properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664 Exporting firewall audit files that are stored on the Control Center . . . . . . . . . . . . . . . . . . . . . . . . . 667 Customizing the Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669 10 Reporting and Monitoring Tool 671 Reporting and Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 671 Viewing the properties of a firewall . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 672 Investigating alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 673 Column data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 674 Mapping sound files to alarms . . . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 676 Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 677 Managing alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 678 Viewing events for a specific alert . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 
682 Configuring the columns on the Event Browser window . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 683 Viewing additional event information . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 684 Configuring columns for the Alert Browser page . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 685 Filtering the alerts to be displayed in the Alert Browser . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 686 Secure Alerts Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 686 Functionality of the Secure Alerts Server . . . . . . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 687 Viewing Secure Alerts Server status information . . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 687 Firewall reports in the Reporting and Monitoring Tool . . . . . . . . . .. ... .. .. ... .. ... . . . . . . . . . . . 689 11 Software Updates Tool 691 Software Updates Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 691 Automatically identify updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 691 Configuring update download settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 692 Downloading and applying Management Server updates . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 693 Installing software and firmware updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 697 Managing updates for a firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 699 Scheduling device software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 703 Backing up and restoring firewall configurations . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . 
. . 704 Confirming a configuration backup of one or more firewalls . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 708 Storing software and firmware updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 709 Manually downloading software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. .. .. . . . . . 711 Index 715 10 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
About this Document

This Administration Guide leads you through planning and configuration of your initial Firewall Enterprise Control Center (CommandCenter) Management Server. It also covers basic post-installation tasks for integrating a new firewall into your network. While problems are not anticipated, this guide also includes troubleshooting tips.

This guide is for anyone assigned to initially set up a McAfee Firewall Enterprise Control Center Management Server. It assumes that you are familiar with McAfee Firewall Enterprise (Sidewinder) devices. It also assumes you are familiar with networks and network terminology.

You can find additional information at the following locations:
• Online help — Online help is built into the Control Center. Click F1.
• Manuals — View product manuals at mysupport.mcafee.com.
• Knowledge Base — Visit the Knowledge Base at mysupport.mcafee.com. You’ll find helpful articles, troubleshooting tips and commands, and the latest documentation.

The following table lists the various documentation resources for Control Center administrators:

Table 1 Summary of Control Center documentation

Document: Firewall Enterprise Control Center (CommandCenter) Setup Guide
    Description: Leads you through your initial firewall configuration. Includes instructions for configuring and installing the High Availability (HA) Management Server and registering firewalls.

Document: Firewall Enterprise Control Center (CommandCenter) Administration Guide
    Description: Provides an introduction to Control Center and includes reference information and procedures for using the Control Center Client Suite to centrally define and manage the enterprise security policies for the firewall.

Document: McAfee Firewall Enterprise (Sidewinder) Administration Guide
    Description: Complete administration information on all of the firewall functions and features. You should read this guide if your Control Center enterprise includes firewalls.

Document: Online help
    Description: Online help is built into Control Center Client Suite programs and the Control Center Initialization tool.

Document: Knowledge Base
    Description: Supplemental information for all other Control Center documentation. Articles include helpful troubleshooting tips and commands. All manuals and application notes are also posted here. The Knowledge Base is located at mysupport.mcafee.com.

Any time that there is a reference to a “firewall”, this is always the McAfee Firewall Enterprise. Additionally, refer to Table 2 for a list of the text conventions that are used in this document.

Table 2 Conventions

Convention: Courier bold
    Description: Indicates commands and key words that you specify at a system prompt. Note: A backslash (\) indicates a command that does not fit on the same line. Specify the command as shown, ignoring the backslash.

Convention: Courier italic
    Description: Indicates a placeholder for text that you specify.

Convention: <Courier italic>
    Description: When enclosed in angle brackets (< >), this indicates optional text.

Convention: nnn.nnn.nnn.nnn
    Description: Indicates a placeholder for an IP address that you specify.

Convention: Courier plain
    Description: Indicates text that is displayed on a computer screen.

Convention: Plain text italics
    Description: Indicates the names of files and directories. Also used for emphasis (for example, when introducing a new term).

Convention: Plain text bold
    Description: Identifies buttons, field names, and tabs that require user interaction.

Convention: [ ]
    Description: Indicates conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration).

Convention: Caution
    Description: Indicates that you must be careful. In this situation, you might do something that could result in the loss of data or in an unpredictable outcome.

Convention: Note
    Description: Indicates a helpful suggestion or a reference to material that is not covered elsewhere in this documentation.

Convention: Security Alert
    Description: Indicates information that is critical for maintaining product integrity or security.

Convention: Tip
    Description: Indicates time-saving actions. It also might help you solve a problem.

Note: The IP addresses, screen captures, and graphics that are used within this document are for illustration purposes only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features might be configured in screen captures because of contingency displays. However, not all features are appropriate or desirable for your setup.

Additionally, many of the windows and pages in the Client tools have tables that can be edited. The first column of a table that can be edited can display different symbols, depending on the action being taken. In the help files, this is listed as the Edit column. The following example shows the symbols, along with their descriptions. For the remainder of the help files, only a verbal description of the symbol will be used.

• Edit — This column identifies the edit status of the row in the table. The following icons can be displayed:
    • [blank] — Indicates an existing line with associated values that is not the currently selected line.
    • [pencil icon] — Indicates that this row is the one that is being edited.
    • [icon] — Indicates that you are creating a new row or entry.
    • [icon] — Indicates that this row is currently selected and it contains previously specified values.
1 Introduction

Contents
About the McAfee Firewall Enterprise Control Center (CommandCenter)
About the Client Suite

About the McAfee Firewall Enterprise Control Center (CommandCenter)

The Control Center is an enterprise-class management tool for creating and applying security policies across multiple firewalls. Network administrators can remotely manage, maintain, and monitor firewalls for one or more domains. The Control Center consists of the following entities:
• Control Center Client Suite — a set of tools that resides on a desktop computer that is running a Windows® operating system. The tools provide the graphical user interfaces (GUIs) to configure, manage, and monitor supported firewalls and to perform Control Center administrative tasks. For more information, see About the Client Suite on page 15.
• Control Center Management Server — a hardened Linux® platform that provides the firewall management and monitoring capabilities that are required to centrally implement security policy. It manages the framework for secure communication between the server, Client Suite, and supported firewalls. The Control Center Management Server requires at least one installation of the Control Center Client Suite.
• At least one firewall in a heterogeneous network of security devices that exist in a single domain.
• One or more domains that represent a complete, inclusive network security policy.

Figure 1 Basic Control Center Management Server environment
[Figure: the Control Center Client Suite (Windows) connects to the Control Center Management Server, which connects to several managed firewalls. Figure captions:]
Client application: Client Suite tools connect to the Control Center Management Server to create, edit, and deploy policy to the managed firewalls.
Control Center Management Server: All firewall management is accomplished through a connection to the Control Center.
Managed firewalls: The configuration and initialization is similar to standalone firewalls. Then push policy from the Control Center Management Server to each firewall.

The Client Suite and tiers of firewalls securely communicate with the Management Server by using SOAP over HTTPS. SSL, using Client Certificates generated by the built-in Certificate Authority, is used to encrypt and authenticate the client/server communication.
You can also implement Control Center Management Servers in a High Availability (HA) configuration, in which one Management Server actively manages the registered firewalls, while another Management Server acts as a standby or backup. If the active Management Server fails, the management responsibilities can be switched to the standby or backup Management Server. For more information about this, see High Availability (HA) on page 136.

Features of the Control Center

The Control Center is the central security appliance management solution from McAfee. It provides the foundation for a suite of products that is used to:
• Define and distribute rules to hundreds of firewalls.
• Share configuration data among firewalls.
• Configure Virtual Private Network (VPN) connectivity.
• Implement and selectively activate multiple security policies.
• Manage software releases on all of your firewalls.
• Simplify routine administrative tasks.
• Manage ongoing changes to your security policies.

The Control Center supports the following features and functionality:
• Object-based design — Using an object-based configuration technique, objects can be defined once and can be reused anywhere that the object is needed. Network objects represent one example of this implementation. Network objects include firewalls and device groups, hosts, networks, address ranges, interfaces, and endpoint groups. These objects are used when you define rules. Over time, hundreds of rules can be defined by using these objects. If the properties of a network object must be changed, you have to update the object once. The resulting changes will propagate wherever that object is used.
• Auditing of object management events and archiving of audit tracking data — The Control Center has an audit tracking and archive management feature that can be configured to monitor object changes and purge or archive audit tracking data. The auditing data contains information about the requested operation performed, time, date and user name. This information can be displayed or printed using the Audit Trail report. Because the audit tracking table grows without bounds and consumes disk space, you also have the option to periodically remove the data from the database or archive it to another location. This is true for both Control Center audit data and audit data that is currently stored on the Management Server that was retrieved from one or more firewalls.
• Configuration domains — Use configuration domains to partition your managed firewalls into separate collections of objects and configuration data. Each collection is independent of any other collection, and changes to one collection do not affect the others. For more information, see Configuration domains on page 92.
• Rule set queries — Because firewall configurations often require numerous rules, the Control Center can produce views of these rules as a subset of the rules. This added convenience helps to manage and validate the many rules that are stored in the Control Center database.
• Firewall configuration retrieval — After a firewall has been added to the list of managed firewalls, you can use the Firewall Retrieval Options window to choose the configuration components to be retrieved and stored as Control Center objects. You can select all components or limit your selection to specific components. This feature saves time and effort when you are performing the initial setup to manage a firewall.
• Policy validation and reports — After making configuration changes and before applying them, you can determine whether firewall configurations in the Control Center database are valid. You can view a report that shows the status of the validation process and a report that details the differences between the current and proposed firewall configurations.
• Configuration status report — After the configuration has been propagated to one or more firewalls, a status report is produced to list warnings or errors that may have occurred.
• Certificate Authority (CA) framework — A built-in CA framework lets you quickly issue certificates for the various architectural components. A built-in CA saves time when using SSL with client certificates.
• Simultaneous, multiple users — The Control Center provides a locking mechanism that accommodates simultaneous use of the Control Center Client Tools by multiple users. Administrators have the option of locking entire object trees or allowing the system to lock individual objects on a first-come, first-served basis. This approach allows single-user environments to function without explicit locking.
• High Availability (HA) feature — You can configure redundant Management Servers by using the High Availability Server Configuration (HA) feature. The HA feature uses a multi-server configuration to continue Control Center Management Server functions if the active Management Server fails. For more information, see High Availability (HA) on page 136.
• Apply Configuration enhancements — The Apply Configuration window includes a checkbox that determines whether the network is automatically re-initialized when configuration changes are applied to a firewall. If the network is not re-initialized automatically, the Client displays all of the firewalls that need to be re-initialized in the Configuration Status report. In addition, the apply mechanism on the firewall supports the running of a script after the apply operation has been completed. The apply process also supports listing the files that are to be excluded from management.

About the Client Suite

The McAfee Firewall Enterprise Control Center Client Suite is the suite of tools that provides the user interfaces for task-grouped operations of the Control Center. Each tool encapsulates related operations to deliver the functionality required by Control Center users.

Administration Tool

The Administration Tool aggregates the McAfee Firewall Enterprise Control Center administrative functions into a single tool. You can accomplish the following tasks by using the features and functions of the Administration Tool:
• Control Center users — You can create and manage the unique Control Center user names and passwords that are used to authenticate user access to the Control Center Management Server. For more information, see Control Center users on page 81.
• Control Center roles — After a user is defined, he or she is assigned a role that determines the tasks that he or she is allowed to perform. Although a default set of roles has been pre-defined, you can create additional user-defined roles that can be assigned to Control Center users. For more information, see Control Center roles on page 89.
• Configuration domains — Activate the configuration domains option to segregate configuration data views and management into multiple domains. The operation and configuration data associated with a configuration domain is accessible only when the specific domain is selected during the login process. All other configuration data is obscured and cannot be acted upon or seen. If configuration domains are activated, configuration domain versions and version management can be accessed from the Administration Tool, as well as from the Configuration tool. For more information about configuring and managing configuration domains, see Configuration domains on page 92. For more information about versions and version management for configuration domains, see Configuration domain version management on page 97.
  • 16. About the Client Suite • Audit Trail — The Control Center can track when firewalls, endpoints, services, rules, alert processing rules, and many other objects are updated, added, or removed by Control Center users. You can define the actions that are to be tracked, the objects that are to be tracked, the archiving (or not) of the tracked data, and a way to view and filter the tracked data. For more information, see Audit data management on page 100. Note: Do not confuse the Control Center Audit Trail that provides a record of actions performed by Control Center users with security firewall-specific audit reports. • Control Center license — You can manage the Control Center license by selecting License from the System menu. For more information, see Control Center Management Server licensing on page 104. • System settings — You can manage specific Control Center system settings in the Administration Tool. These settings include: defining the default login disclaimer information that is posted in the login window for each tool in the Client Suite, the failed login lockout settings, and the default application time-out period. For more information, see Configuring system settings on page 121. • Alternate authentication — Use the Administration Tool to configure the way that Control Center users authenticate with the Management Server. The Control Center supports an internal authentication mechanism, as well as LDAP and RADIUS for off-box authentication. For more information, see Authentication on page 145. • Management Server backup and restore operations — Use the Administration Tool (and the Configuration Tool under certain circumstances) to manage the backup and restoration of the Control Center configuration and the operational data. A full system backup can be requested and an FTP off-box location can be specified. For more information, see Managing configuration data for the Management Server on page 23. 
• Backup server status — If the High Availability (HA) Management Server Configuration option is used, you can view the status of the backup Management Servers in the Backup Server Status page. For more information, see Viewing the status of your backup Management Servers on page 122.

Configuration Tool

Use the Configuration Tool to define, configure, and maintain multiple firewalls and security policies for a distributed homogeneous or heterogeneous configuration of firewalls. You can accomplish the following tasks by using the features and functions of the Configuration Tool:
• Create configurable objects — The components that comprise a security policy include a set of configurable objects that define the characteristics of the building blocks used to implement the security policy. Use this object model of defined objects to share characteristics, options, and functionality, instead of having to provide raw configuration information for each aspect of an implemented security policy. Use the Configuration Tool to retrieve, create, and manage configurable object characteristics. For more information, see Configurable objects on page 154.
• Manage configurable objects — After configurable objects have been defined or retrieved, you can edit, validate, and apply changes to the configured object. You can manage the implemented security policy across all of the supported firewalls in your configuration. For more information, see Firewall configuration management on page 574.
• Create and manage rules — Rules provide the network security mechanism that controls the flow of data into and out of the internal network. They specify the network communications protocols that can be used to transfer packets, the hosts and networks to and from which packets can travel, and the time periods during which the rules apply. Rules are created by the system administrator and should reflect the internal network site's security policy.
You can retrieve, create, and manage rules in the Configuration Tool. For more information, see Creating, viewing, or modifying rules on page 528.
Reporting and Monitoring Tool

The Reporting and Monitoring Tool aggregates all of the McAfee Firewall Enterprise Control Center firewall monitoring and reporting functions into a single tool. Use the Reporting and Monitoring Tool to centrally manage multiple firewalls in a homogeneous or heterogeneous device configuration that is employed in an implemented security policy. You can accomplish the following tasks by using the features, functions, and reports in the Reporting and Monitoring Tool:
• View Secure Alerts for the firewall — An integrated Secure Alerts Server collects the alerts and activities that are generated by the supported firewalls. This server also normalizes the data and stores it in the Secure Alerts Server database. This data is the source of the information that is presented in the Alert Browser and the Event Browser. Use the Secure Alerts Server Status page to view the status of the associated server. For more information, see Functionality of the Secure Alerts Server on page 687.
• Determine firewall status — A comprehensive visual display of the operational status for all of the supported firewalls is provided. The Firewall Status page lists firewall-specific status reports based on the audit log data that is sent to the Management Server by each configured firewall. For more information, see Firewall audit reports on page 624.
• Manage audit reports — You can generate user-defined, firewall-specific audit reports based on the audit log data that is sent to the Management Server by each configured firewall. For more information, see Firewall audit reports on page 624.
• Generate and view firewall-specific reports — You can generate and display a variety of firewall-specific reports. For those reports that require it, you provide the report-specific parameters or options through the provided interface.
For more information, see Firewall reports in the Reporting and Monitoring Tool on page 689.

Software Updates Tool

Use the Software Updates Tool to apply software and firmware updates to supported firewalls, and to store and manage the updates on the Management Server. You can accomplish the following tasks by using the features and functions of the Software Updates Tool:
• Install updates — Determine the current version of software or firmware that is installed on each firewall; install, uninstall, or roll back an update; schedule an update action for a particular date and time; view the status of an update action; and view the history of previously completed update actions. For more information, see Installing software and firmware updates on page 697.
• Back up firewall configuration — Back up and restore configurations for selected firewalls. You can do this both here, in the Software Updates Tool, and in the Configuration Tool. Use the saved configuration files to restore a default firewall configuration, to keep a version of a working configuration before you make any configuration changes, or to recover from an unexpected loss of firewall configuration data. When you are installing software updates, this feature is both a convenience and a precaution. For more information, see Backing up and restoring firewall configurations on page 704.
• Store updates — Download, manage, and store firewall software and firmware updates on the Management Server. Use the interface to identify the name of the update, the type of firewall to which the update applies, the release date, and its download status. You can also view an associated Readme file. For more information, see Installing software and firmware updates on page 697.
• Update settings — Enable the downloading of files through a proxy server, configure auto-discovery settings for software updates, and control whether update packages that have been removed from the Management Server are displayed on the Store Updates page. For more information, see Configuring update download settings on page 692.
• Update Control Center — Upload software updates to the Control Center Management Server and then install them. For more information, see Downloading and applying Management Server updates on page 693.
2 Administrator Basics

Contents
Managing the McAfee Firewall Enterprise Control Center (CommandCenter) Management Server
Managing configuration data for the Management Server
Disaster recovery restoration for Management Servers
Adding firewalls
Managing firewall interfaces
Navigating the Control Center user interface

Managing the McAfee Firewall Enterprise Control Center (CommandCenter) Management Server

The Control Center Management Server provides the firewall management and monitoring capabilities required to centrally implement security policy. This section explains how to log onto, add, delete, and back up Management Servers.
• Configuring the Management Server on page 20
• Adding primary or backup (standby) Management Servers on page 21
• Removing (deleting) primary or backup (standby) Management Servers on page 21
• Logging into the Management Server on page 21
• Backing up configuration data for the Management Server on page 24
• Restoring configuration data to the Management Server on page 29
• Restoring a standalone Management Server that has failed completely on page 34
• Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair on page 35
• Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair on page 36
• Restoring both Management Servers in a high availability (HA) pair that have failed completely on page 37
Configuring the Management Server

The first time that you log onto the Management Server by using any of the Client Tools (except the Control Center Initialization Tool), you must configure a new Management Server. Use the Add New Server window to configure the Management Server that you are going to access by using the Control Center Client tools. During subsequent logins, you can configure additional primary or backup (standby) servers. You can also remove Management Servers in this window.
Figure 2 Add New Server window
Accessing this window
1 From the Start menu, select All Programs > McAfee > McAfee Firewall Enterprise Control Center > any tool except for the Initialization tool. The Login window is displayed.
2 Specify the user name and password in their respective fields.
3 In the Service field, make sure that <Add New Server> is displayed and click the button next to the field. The Add New Server window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name that quickly identifies this Management Server.
• Server address — Specify the node name or IP address of this Management Server.
• Server Type — Use the fields in this area to determine whether this server will be a primary server or a backup (standby) server. The following fields are available:
  • Primary server — Indicates that this Management Server will perform as a primary server. This is the default value. It does not imply that high availability or failover clustering is configured. The following additional fields must be completed if this value is selected:
    • User name — Specify the name of the user who has access to this Management Server. This value will be required in future logins.
    • Password — Specify the password for the user name that was specified in the User name field.
  • Backup server — Indicates that this Management Server will perform as a backup or standby server.
In addition to selecting the primary server in the next field, you must perform additional tasks to implement the high availability or clustering environment. For more information, see Configuring, promoting and demoting cluster objects and cluster nodes on page 216.
    • Primary server — Specify the Management Server that will act as the primary server for this Management Server in a high availability or cluster environment.
• OK — Continue with the configuration and login process. For more information, see Adding primary or backup (standby) Management Servers on page 21.
• Cancel — Close this window without configuring a new server. If this is your first login after installation, you must access this window again to configure your primary server.
• Remove — Delete the Management Server that is displayed in the Server field. To use this Management Server in the future, you must re-configure it in this window. For more information about the removal process, see Removing (deleting) primary or backup (standby) Management Servers on page 21.

Adding primary or backup (standby) Management Servers

1 From the Start menu, select All Programs > McAfee > McAfee Firewall Enterprise Control Center > and then any tool except for the Initialization tool. The Login window is displayed.
2 Specify the user name and password in their respective fields.
3 In the Service field, make sure that <Add New Server> is displayed and click the button next to the field. The Add New Server window is displayed.
4 Configure the fields in this window, specifying whether you are adding a primary or a backup (standby) server and then specifying the related field information. For more information, see Configuring the Management Server on page 20.
5 Click OK. The Certificate Problem message is displayed because the Management Server imports a non-Certificate Authority (CA) certificate before it imports the CA certificate from the Control Center. Before you accept, confirm that the certificate details shown belong to your Management Server: the certificate you accept here is the one the client trusts from then on, so accepting an unverified certificate at this step is exactly what a man-in-the-middle would need. Click Yes. Another message is displayed. Click Yes. The login window is displayed.
6 In the Server list, select the server to which you want to log in. Then specify the user name and password for that server and click Connect.
Removing (deleting) primary or backup (standby) Management Servers

1 From the Start menu, select All Programs > McAfee > McAfee Firewall Enterprise Control Center > and then any tool except for the Initialization tool. The Login window is displayed.
2 Specify the user name and password in their respective fields.
3 In the Service field, select the server to be removed and click the button next to the field. The Add New Server window is displayed.
4 Click Remove. The Management Server is removed from the list of available Management Servers.

Logging into the Management Server

Use any of the Client Suite tools (except for the Control Center Initialization Tool) to log into the Management Server. Each of these tools supports a similar login interface.
The Control Center supports a user-configurable lock-out mechanism for logins. It is initially set to lock out a user after three unsuccessful attempts to authenticate. After the user is locked out, he or she cannot authenticate until a pre-configured amount of time has elapsed (the default is 30 minutes). For more information about configuring these settings, see Configuring system settings on page 121.
To log into the Management Server by using the Administration Tool, Configuration Tool, Reporting and Monitoring Tool, or the Software Updates Tool:
1 From the Start menu, select McAfee > McAfee Firewall Enterprise Control Center > and then select the appropriate tool. The Login window is displayed.
Note: If this is the first time that you are logging into the Management Server, see Configuring the Management Server on page 20.
2 Specify a valid Control Center user name in the User Name field. After the initial installation of the Management Server, the default user name is the value that is specified in the ccinit.txt file.
3 [Optional] Select the Remember User Name checkbox so that the specified user name (or, after initial installation, the default user name from the ccinit.txt file) is displayed on subsequent logins.
4 Specify the corresponding password in the Password field. After the initial installation of the Management Server, the default password is the value that is specified in the ccinit.txt file. Because that initial password is stored in a file, change it as soon as your first login succeeds.
5 Select a previously defined Management Server connection from the Server list.
6 Click Connect. A certificate validation message is displayed.
7 Click Yes. You are now logged into the Control Center Management Server. You can start multiple Client Suite tools from the Tools menu in any tool without logging in again.
Note: If you attempt to log into a Management Server by using a Client Suite Tool from an earlier version (that is, earlier than the Management Server version), you will be prompted to update the Client Suite Tools before proceeding.
Use the Login window to log into the Administration Tool, Configuration Tool, Reporting and Monitoring Tool, or the Software Updates Tool. Each of these tools supports a similar login window.
Figure 3 Login window
Fields and buttons
This window has the following fields and buttons:
• User Name — Specify the name of the Control Center user. The user name must have been previously defined. The default value is the name of the user who last logged in to the tool. After you have initially installed the Control Center Management Server, the default value for the User Name field is the value that is specified in the ccinit.txt file.
• Remember User Name — Determines whether to save the value that was specified in the User Name field so that it is displayed in the User Name field on subsequent login attempts.
• Password — Specify the password that is associated with the user that was specified in the User Name field. After you have initially installed the Control Center Management Server, the default value is the value that is specified in the ccinit.txt file.
• Server — Specify the name of the Control Center Management Server to which to log on. To create a new connection name or to connect to a different Management Server, select <Add New Server>. The Add New Server window is displayed. Specify values in the following fields as needed and click OK: Name, Server Address, either Primary Server or Backup Server, and the related fields. The Certificate Problem message is displayed because a new connection is being defined. Click OK. The Root Certificate Store message is displayed. Click Yes. The main login window is now displayed and the newly created server is selected. To delete a connection name, select the name to be deleted in the list and click the button next to the list. The Modify Server window is displayed. Click Remove. A confirmation window is displayed. Click Yes.
• Domain — [Not available on the Administration Tool] Specify the configuration domain to log into if configuration domains have been activated. To refresh the list of configuration domains so that all recently configured domains are displayed, click the refresh button next to the list.
A valid user name and password must be supplied to refresh the list. A user can log into only those domains to which he or she has been given access. If configuration domains have not been activated, ignore this field. For general information about configuration domains, see Configuration domains on page 92. For specific information about activating configuration domains, see Configuring configuration domains on page 95.
• Connect — Displays a certificate problem message as part of the connection process. Click Yes. If the client tool software is the same version as the Management Server, the tool is displayed. If the client tool software is older than the Management Server, you are prompted to update the Client Suite Tools before proceeding.
• Exit — Close this window without attempting to log into the Management Server.

Managing configuration data for the Management Server

The Control Center Management Server contains all of the configuration information for one or more security policies that have been implemented for the enterprise or, where configuration domains have been configured, for multiple enterprise-class domains. The data that is stored on the Management Server is therefore critical to the management of the firewalls and their implemented security policies. Establishing a practice that ensures this critical data can be restored after a catastrophic failure is fundamental to the operation of the enterprise.
This section contains the following topics:
• Backing up configuration data for the Management Server on page 24
• Restoring configuration data to the Management Server on page 29
Backing up configuration data for the Management Server

You can back up your data in three different ways:
• Automatic nightly backups — For more information, see Automatic nightly backups on page 24.
• By using the GUI (the Backup Control Center System window) — For more information, see Backing up the Management Server by using the GUI on page 25.
• By using the command line — For more information, see Backing up the Management Server files by using the command line on page 26.
Note: Before you continue with the command line procedures, make sure that you read dbadmin and root user accounts and using the command line on page 25.
The following table provides information about the types of files that are backed up by each of these methods.
Table 3 Backed up files by backup method
Each entry lists a file type and whether it is included by (a) the automatic nightly backup, (b) the GUI Backup Control Center System window with the Full system backup checkbox selected, (c) the same window with the Full system backup checkbox cleared, and (d) the backuptool command.
• Configuration database (cg_configuration) — nightly: Yes; GUI, full system: Yes; GUI, not full system: Yes; backuptool: Yes
• System database (cg_system) — nightly: Yes; GUI, full system: Yes; GUI, not full system: No; backuptool: Yes
• Events database (cg_events) — nightly: Yes; GUI, full system: Yes; GUI, not full system: No; backuptool: Yes
• CA and SSL certificates and private keys — nightly: No; GUI, full system: Yes; GUI, not full system: No; backuptool: Yes
• Firewall and Control Center Management Server software updates — nightly: No; GUI, full system: Yes; GUI, not full system: No; backuptool: Yes
• Secure Alerts Server configuration files and miscellaneous other files — nightly: No; GUI, full system: Yes; GUI, not full system: No; backuptool: Yes
• Firewall audit log files and configuration backups — nightly: No; GUI, full system: Yes if the checkbox for the backups.auditlogs setting is selected in the Server Property Editor window; GUI, not full system: No; backuptool: Yes, unless the -L option is specified
• Backup files contained in /opt/security/var/gccserver/cfgbackups and /opt/security/var/gccserver/nightlybackups (this includes the nightly backups and the backups that were created by using the GUI) — nightly: No; GUI, full system: Yes if the checkbox for the backups.dbbackups setting is selected in the Server Property Editor window; GUI, not full system: No; backuptool: Yes, unless the -D option is specified
Automatic nightly backups

By default, backup files of the configuration (cg_configuration), system (cg_system), and events (cg_events) database data are created at midnight each night.
Note: These files are stored locally on the Control Center Management Server. It is recommended that you also back up these files to an off-box location.
• cg_system – This database includes information about the Control Center system, software update data, backup information, deployment information, version and licensing information, and similar data.
• cg_configuration – This database includes all of the firewall configuration data, configurable objects data, certificates, and similar data.
• cg_events – This database includes all of the information that the Reporting and Monitoring Tool extracts from the syslog files that are used to monitor firewall activity and to generate various reports.
Seven revisions of this data are stored in the /opt/security/var/gccserver/nightlybackups directory. Each revision is identified by a date and a numeric identifier. The dbadmin Linux account has the necessary privileges to modify the characteristics of this cron job, as required, and to restore individual configuration, system, and events database data. For more information, see Restoring a single database on page 31.

Backing up the Management Server by using the GUI

You can perform backups of your Control Center Management Server by using the Backup Control Center System window. By using this window, you can perform the following tasks:
• Save your configuration files immediately (either locally or off-box)
• Create a schedule on which to save your configuration files (either locally or off-box)
If configuration domains are active, you can access the Backup System and Restore System menu options from the System menu only in the Administration Tool. If configuration domains are not active, you can access these options from the System menu in either the Administration Tool or the Configuration Tool.
Additionally, if domains are active, you can create versions of domains that can serve as backups. These are separate from system backups, but they do provide an additional backup option. For more information, see Configuration domain version management on page 97. To access this functionality, in the Administration Tool, from the Configuration Domains menu, select Manage Versions.
Backing up your configuration files
1 If configuration domains are activated, you must access the Backup Control Center System window from the Administration Tool. From the System menu, select Backup System…. The Backup Control Center System window is displayed.
or
If configuration domains are not activated, in either the Configuration Tool or the Administration Tool, from the System menu, select Backup System….
The Backup Control Center System window is displayed.
Note: If configuration domains are activated, you can also manage different versions of domains. In the Administration Tool, from the Configuration Domains menu, select Manage Versions.
2 Configure the fields on this window, depending on whether you are saving the configuration locally or sending it off-box and whether you are scheduling the backup or performing it immediately. If you save the configuration files locally, they are saved into the following directory: /opt/security/var/gccserver/cfgbackups
3 To create a full system backup, make sure that the Full system backup checkbox is selected. If you do not select this checkbox, only the cg_configuration database is included in the backup file. The full system backup file includes all of the firewall configuration data, configurable objects, certificates, and similar data.
4 Click OK to save your configuration information.
For more information about this window, see Creating backup files of your Management Server data by using the GUI on page 123.

dbadmin and root user accounts and using the command line

Some of the following commands can be run only by the dbadmin user. If you have not already configured the dbadmin user account (and you can always do this again if it has already been configured), you must follow the procedure that is specified in Configuring the dbadmin user account on page 26. After you have configured this account, you can log into the Management Server as mgradmin and switch to the dbadmin user by using the su command.
You may be prompted for the root password during certain phases of the command line backup and restore process. Additionally, if you did not configure a password for the root user during the initial setup of the Control Center, you must do so before continuing with the command line backup and restore processes.
For information about how to configure the root password, see the “Tips and Troubleshooting” appendix of the McAfee Firewall Enterprise Control Center Startup Guide.
Backing up the Management Server files by using the command line

As the mgradmin user, you can manage the configuration, system, and events database data by using the backuptool command. To back up databases only, use the backupdb command. For more information about these commands and the related procedures that use them, see the following topics:
• Backuptool command overview on page 26
• Creating backup files for all databases on page 28
• Creating backup files for a single database on page 28
• Creating a backup file for a full system restoration on page 29

Configuring the dbadmin user account

After the initial configuration, the dbadmin account is locked and does not have an assigned password. You must unlock this account to perform database-related operations, including certain backup and restore operations, from the command line.
To unlock the dbadmin account and assign a password to it:
1 Log into the console or through SSH by using the mgradmin account. A prompt is displayed.
2 Switch to the sso account by specifying the following command:
   su - sso
3 Specify the sso account password.
4 Assign a password to the dbadmin account by specifying the following command:
   /usr/sbin/cg_usermod -s /bin/bash -p newpassword dbadmin
   where newpassword is the password that you are assigning to the account. The password should be at least seven alphanumeric characters long. As with any password given on a command line, it is visible in the process list while the command runs and may be saved in the shell history, so clear the history entry afterward.
5 Exit the sso account by specifying the following command:
   exit
To switch to the dbadmin user, run the following command:
   su dbadmin

Backuptool command overview

Use the backuptool command to back up or restore full backups of your Management Server configuration. Access the backuptool command in the /usr/sbin/ directory by using the sudo command as follows:
   sudo -u backup /usr/sbin/backuptool <options>
Run this command without arguments to view all of the available options.
The following commands are examples of the backup command of the backuptool and all of the available parameters. To view the procedures that you need to perform for this command, see Creating backup files for all databases on page 28, Creating backup files for a single database on page 28, or Creating a backup file for a full system restoration on page 29.
It is important that you review these procedures because they include some important prerequisites.
   sudo -u backup /usr/sbin/backuptool

   backuptool backup -f filename[.des3] [-k passphrase] [-L] [-D]
   backuptool restore -f filename[.des3] [-k passphrase] [-L] [-D] [-b] [-i]
   backuptool extract -f filename
   backuptool download -f filename -s scheme -h hostname -d remote-directory -u username -p password
   backuptool upload -f filename -s scheme -h hostname -d remote-directory -u username -p password

   where:
   [.des3] = Optionally use to encrypt file during backup and decrypt during restore
   [-k] = Encryption passphrase is the next argument in the command. The filename must have a .des3 extension.
   [-L] = Excludes files in /opt/security/var/gccserver/auditlogs from the backup or restore operation
   [-D] = Excludes files in /opt/security/var/gccserver/cfgbackups and in /opt/security/var/gccserver/nightlybackups from the backup or restore operation
   [-b] = Treats the backup file as having been created on a CC HA system
   [-i] = Ignore the release level of the backup file
   filename = filename of archive file
   passphrase = encryption passphrase
   scheme = one of FTP,FTPS,SCP
   host = host name [:port(optional)] (When using FTPS, port is either 21 or 990. Consult your FTP server documentation.)
   remote-directory = directory on remote host
   username = username on remote host
   password = password on remote host

   %GCC: REASON = The first argument passed to backuptool was incorrect.
   %GCC: STATUS = ERROR
   %GCC: CODE = 1
The lines prefixed by %GCC indicate the result of the backuptool command. Here, the output indicates a problem with the arguments that were passed, so the command prints usage information as well as the summarized result. If the backuptool command fails, it returns STATUS=ERROR and CODE=<a non-zero error code>. It might optionally return REASON=<the cause of the error>.
The -k option requires a passphrase argument, and the filename must have a .des3 extension. The passphrase that you provide is used to encrypt backup files for backup operations and to decrypt backup files for restore operations. The restore fails if the passphrase used for the restore does not match the passphrase that was used to create the backup.
Tip: When you specify a passphrase on the command line, shell quoting rules apply. The following command creates a backup file by using hello'world as the passphrase (the single quote inside the passphrase is written as '\'' so that the shell does not treat it as a closing quote):
   /usr/sbin/backuptool backup -f test.bak.des3 -k 'hello'\''world'
A passphrase (or the -p password for upload and download) given on the command line is visible to other local users in the process list while the command runs and may be recorded in the shell history.
The -L option omits the audit log files. Audit log files can get very large and can significantly increase the amount of time that it takes to back up or restore the system. If you do not back up audit log files, the historical information that is used in reporting functions for all managed firewalls is lost when a Management Server is restored from the backup.
The -D option omits the backup files in the /opt/security/var/gccserver/cfgbackups and /opt/security/var/gccserver/nightlybackups directories. The current database configuration is preserved. However, the daily backup files that are automatically created each night (a total of seven files) and the user-created backup files that are created by using the GUI are not included in the backup. If you include these files in the backup, the amount of time it takes to back up or restore the system can increase significantly. If you do not back up these database backup files, you lose the ability to restore them when a Management Server is restored from a backup.
The -f option requires a path argument. The path identifies the complete path and filename of the archive file that is being created or restored. The filename must be identical to the name of the file on the remote host. (The directory part does not need to match.) If the path argument for the -f option ends in .des3, the backup file is encrypted or decrypted, respectively, for the backup and restore operations.
The -i option ignores the release version of the backup file. The backup file is restored even if it was created while running a different release of the Management Server. This is not usually recommended.
The hostname argument that is supplied with the -h option must be resolvable by the Management Server; alternatively, the administrator can specify an IP address. An optional port value can be specified if it is required by the host.

Creating backup files for all databases

Use this procedure to back up all of the database files. Before you begin, make sure that no users are accessing any of the databases.
1 Log in to the Management Server and switch to the dbadmin user. Database backup files are written to the current directory.
Ensure that the current directory is one that the dbadmin user can write to (for example, /home/dbadmin).

2 Run the following command:

  /usr/sbin/backupdb all

Backup files are created for each of the three databases in the current working directory.

Creating backup files for a single database

Use this procedure to back up any one of the database files.

1 Ensure that no other users are accessing the database.

2 Log in as the mgradmin user and then switch to the dbadmin account. Database backup files are written to the current directory. Ensure that the current directory is one that the dbadmin user can write to (for example, /home/dbadmin).

3 Run the following command:

  /usr/sbin/backupdb [-k passphrase] <database-name> <backup-file>[.des3]

where <database-name> is cg_system for the system database, cg_configuration for the configuration database, or cg_events for the events database (the data collected by the Secure Alerts server). To create an encrypted backup file, append the optional .des3 file extension to the backup file name. You can specify a customized encryption passphrase for encrypted backup files by using the optional -k parameter. Note that standard shell quoting rules apply. (See the Tip in Backuptool command overview on page 26.) For example:

  /usr/sbin/backupdb -k 'secret' cg_events cg_events.bak.des3
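The shell quoting rule from the Tip in Backuptool command overview, and the rule that -k is only valid for a .des3 file, are easy to get wrong when backups are scripted. The shell functions below are an added example and are not part of the McAfee guide or of the backupdb and backuptool programs: they quote an arbitrary passphrase safely for the shell and assemble the backupdb and backuptool backup command lines from this chapter, refusing the combinations the guide disallows. The function names, and the choice to print the command line for review rather than execute it, are this example's own; the paths, database names and option syntax are the ones the guide documents.

```shell
#!/bin/sh
# Added example, not code from the McAfee guide. Builds backupdb / backuptool
# backup command lines with a shell-safe passphrase and enforces the rule
# that -k requires a .des3 filename. Commands are printed, not executed,
# so the result can be reviewed (or handed to eval) before it runs.

# shell_quote STRING
# Wrap STRING in single quotes so the shell passes it through unchanged.
# An embedded single quote becomes '\'' (close, escaped quote, reopen),
# which is how the passphrase hello'world is written as 'hello'\''world'.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# check_des3 FILE PASSPHRASE
# Returns 0 when FILE and PASSPHRASE may be combined: a passphrase is only
# allowed when the backup file name ends in .des3.
check_des3() {
    if [ -z "$2" ]; then
        return 0
    fi
    case $1 in
        *.des3) return 0 ;;
        *) echo "error: -k requires a .des3 filename, got: $1" >&2; return 1 ;;
    esac
}

# backupdb_cmd DATABASE FILE [PASSPHRASE]
# DATABASE is cg_system, cg_configuration or cg_events (the three databases
# named in the guide). Prints the backupdb command line, or returns 1.
backupdb_cmd() {
    case $1 in
        cg_system|cg_configuration|cg_events) ;;
        *) echo "error: unknown database: $1" >&2; return 1 ;;
    esac
    check_des3 "$2" "$3" || return 1
    if [ -n "$3" ]; then
        printf '/usr/sbin/backupdb -k %s %s %s\n' "$(shell_quote "$3")" "$1" "$2"
    else
        printf '/usr/sbin/backupdb %s %s\n' "$1" "$2"
    fi
}

# backuptool_backup_cmd FILE [PASSPHRASE]
# Prints the full-system backup command line that mgradmin runs via sudo.
backuptool_backup_cmd() {
    check_des3 "$1" "$2" || return 1
    cmd="sudo -u backup /usr/sbin/backuptool backup -f $1"
    if [ -n "$2" ]; then
        cmd="$cmd -k $(shell_quote "$2")"
    fi
    printf '%s\n' "$cmd"
}

# Usage (prints the two command lines used as examples in the guide):
#   backupdb_cmd cg_events cg_events.bak.des3 secret
#   backuptool_backup_cmd test.bak.des3 "hello'world"
```

Because the passphrase is single-quoted by shell_quote, the printed command line can be pasted into an interactive shell or passed to eval without the shell interpreting spaces, dollar signs or quotes inside the passphrase.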
Creating a backup file for a full system restoration

You should designate a specially named directory on the remote FTP server to store the backup so that it can be easily located during the restore process. You can view the progress of a backup on the Restore System from Backup window. For more information about this window, see Restoring the Management Server configuration files from a backup file on page 126.

Use the following procedure to create a full system backup that includes:
• Backup files in the /opt/security/var/gccserver/cfgbackups and /opt/security/var/gccserver/nightlybackups directories
• Firewall audit log files

1 Log in as the mgradmin user.

2 Make sure that the backup user has access to the current directory (for example, /tmp). Database backup files are written to the current directory.

3 As mgradmin, create the backup file:

  sudo -u backup /usr/sbin/backuptool backup -f filename[.des3] [-k passphrase]

where:
  filename = filename of archive file
  [.des3] = Optionally use to encrypt the file during backup and decrypt it during restore
  [-k passphrase] = Optionally encrypt the file by using a custom encryption passphrase. The filename must use the .des3 extension. A default passphrase is used if no passphrase is specified.

4 Move this backup file to a safe, off-box location by running the following command as mgradmin:

  sudo -u backup /usr/sbin/backuptool upload -f filename -s scheme -h hostname -d remote-directory -u username -p password

where:
  filename = filename of archive file
  scheme = one of FTP, FTPS, SCP
  hostname = host name [:port (optional)] (When using FTPS, the port is either 21 or 990. Consult your FTP server documentation.)
  remote-directory = directory on remote host
  username = username on remote host
  password = password on remote host

Restoring configuration data to the Management Server

You can restore configuration data to a Control Center Management Server by using the GUI (the Restore System from Backup window) or by using the command line interface. For procedural information, see the following topics:
• Restoring configuration data by using the GUI on page 30
• Restoring data by using the command line on page 30

For information about restoring data when a complete failure has occurred to a standalone Management Server or to one or more servers in a high availability (HA) configuration, see Disaster recovery restoration for Management Servers on page 33.

If you want to restore configuration backup files from Management Servers in an HA configuration, you should use the command line tools. For more information, see Restoring data by using the command line on page 30. However, you can restore full backup files for HA Management Servers by using the GUI. See Restoring configuration data by using the GUI on page 30.
Restoring configuration data by using the GUI

Use the Restore System from Backup window to restore a user-defined configuration file that is stored locally or off-box, or to restore a system-generated configuration file that was automatically generated before a retrieve was performed. The system-generated backups that are displayed on this window contain the cg_configuration database data only, which includes all of the firewall configuration data, configurable objects data, certificates, and similar data. For more information about this window, see Restoring the Management Server configuration files from a backup file on page 126.

1 If configuration domains are activated, you must access the Restore System from Backup window from the Administration Tool. From the System menu, select Restore System…. The Restore System from Backup window is displayed.
or
If configuration domains are not activated, in either the Configuration Tool or the Administration Tool, from the System menu, select Restore System…. The Restore System from Backup window is displayed.

Tip: If the backup file that you want to restore is stored on the Client system, you can upload the file to the Control Center Management Server by clicking Upload and then following the instructions on the window. After the file has been uploaded, the backup file is displayed in the list of available backups.

2 Select the backup file to use and click Restore.

3 If this is a local backup, go to step 5.
or
If this backup file is located on a remote server, the Remote Username and Password window is displayed.

4 Click Yes to proceed. The following results can occur:
• Successful restore of full backup — You are logged off of the tool and the Management Server is restarted. You cannot log back in until the restore has finished.
• Successful restore of configuration backup — A message is displayed, indicating that the restoration was successful and advising you to log out and restart the Management Server. Click OK and take the recommended actions—log out, restart the Management Server, and then log in again.
• Failed to restore — If the errors cannot be resolved, contact Technical Support for additional assistance.

Restoring data by using the command line

The following procedures address restoration of various components of configuration data by using the command line interface.

Note: Before you continue with the command line procedures, make sure that you read dbadmin and root user accounts and using the command line on page 25 and Backuptool command overview on page 26.

• Restore all of the databases for a Management Server (restoredb all command) — See Restoring all of the databases for a Management Server on page 31.
• Restore a single database for a Management Server (restoredb command) — See Restoring a single database on page 31.
• Restore the full Management Server configuration (backuptool restore command) — See Restoring the Management Server configuration files from the command line on page 33.
Restoring all of the databases for a Management Server

1 Ensure that no other users are accessing the database.

2 Log in as the mgradmin user.

3 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the restore process.
To stop Tomcat:
  su root /etc/init.d/tomcat stop
To stop Secure Alerts:
  su root /etc/init.d/dcserver stop

4 Switch to the dbadmin user. Change the directory to the location where the backup files are located. Ensure that the current directory contains all of the databases that were previously saved by using the /usr/sbin/backupdb all command.

Note: When you have configured the Control Center HA Management Server feature, you must remove this functionality before you restore any data. For more information, see Removing the High Availability (HA) configuration feature on page 143.

5 Run the following command:

  /usr/sbin/restoredb [-d] [-b] all

The optional [-d] parameter is used primarily by Technical Support. Use this parameter only if instructed to do so by Technical Support. The [-b] parameter must be specified when the backup being restored was created while the HA feature was operational.

Note: During this restoredb session, you are prompted to specify the password for the root user account several times. You must provide it for the restoration to continue.

6 After successfully restoring the backup file, start Tomcat and the Secure Alerts server:
To start Tomcat:
  su root /etc/init.d/tomcat start
To start the Secure Alerts server:
  su root /etc/init.d/dcserver start

Restoring a single database

1 Ensure that no other users are currently accessing the database.

2 Log in as the mgradmin user.

3 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the restore process.
To stop Tomcat:
  su root /etc/init.d/tomcat stop
To stop Secure Alerts:
  su root /etc/init.d/dcserver stop
To switch to the dbadmin user, run the following command:
  su dbadmin
4 Change directories to the location where the backup is located (for example, /home/dbadmin). If you are restoring a database file from the nightly backups, change the current directory to the nightly backup directory (/opt/security/var/gccserver/nightlybackups).

Note: When you have configured the Control Center HA Management Server feature, you must remove this functionality before you restore any data. For more information, see Removing the High Availability (HA) configuration feature on page 143.

5 Run the following command:

  /usr/sbin/restoredb [-d] [-b] [-k passphrase] database-name backup-file[.des3]

where database-name is cg_system for the system database, cg_configuration for the configuration database, or cg_events for the events database (the data collected by the Secure Alerts server).

The optional [-d] parameter is used primarily by Technical Support. Use this parameter only if instructed to do so by Technical Support. The [-b] parameter must be specified when the backup being restored was created while the HA feature was operational. The optional .des3 file extension indicates that the file is automatically decrypted. Use the optional [-k] parameter to decrypt the backup file with a custom encryption passphrase if a custom passphrase was specified when the backup file was created.

The following example restores an encrypted cg_events database file to the cg_events database on the current Management Server:

  /usr/sbin/restoredb cg_events cg_events.bak.des3

Note: During this restoredb session, you are prompted to specify the password for the root user account several times. You must provide it for the restoration to continue.
The next example restores a cg_configuration database file that was encrypted with a custom passphrase:

  /usr/sbin/restoredb -k 'secret' cg_configuration cg_configuration.bak.des3

6 After successfully restoring the backup file, start Tomcat and the Secure Alerts server:
To start Tomcat:
  su root /etc/init.d/tomcat start
To start the Secure Alerts server:
  su root /etc/init.d/dcserver start
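The restore procedures above (and the backuptool restore steps in the disaster recovery procedures later in this chapter) all share the same shape: stop Tomcat and the Secure Alerts server so that no open database connections interfere, run the restore, then start both services again. The script below is an added example, not code from the McAfee guide, that wraps a restoredb run in exactly that sequence and restarts the services even when the restore fails, so an administrator is not left with a Management Server whose services are down after an error. The paths, database names and option order are the ones the guide documents; ROOT_CMD is this example's own assumption about how root-level commands are run on the server (the guide shows su root followed by the command), and it is a variable so the wrapper can be exercised with stub commands.

```shell
#!/bin/sh
# Added example, not code from the McAfee guide. Runs a restoredb command
# with Tomcat and the Secure Alerts server (dcserver) stopped, as the guide
# requires, and starts them again afterwards even when the restore fails.
# Paths are the ones the guide gives. ROOT_CMD is an assumption: it is how
# root-level commands are run (the guide shows "su root <command>"); it is
# overridable so the wrapper can be exercised with stubs.

ROOT_CMD=${ROOT_CMD:-"su root -c"}
RESTOREDB=${RESTOREDB:-/usr/sbin/restoredb}
TOMCAT_INIT=${TOMCAT_INIT:-/etc/init.d/tomcat}
DCSERVER_INIT=${DCSERVER_INIT:-/etc/init.d/dcserver}

stop_services() {
    $ROOT_CMD "$TOMCAT_INIT stop" && $ROOT_CMD "$DCSERVER_INIT stop"
}

start_services() {
    $ROOT_CMD "$TOMCAT_INIT start" && $ROOT_CMD "$DCSERVER_INIT start"
}

# with_services_stopped COMMAND [ARG...]
# Stops Tomcat and dcserver, runs COMMAND, restarts both services whatever
# COMMAND returned, and returns COMMAND's exit status. The same wrapper
# serves a "sudo -u backup /usr/sbin/backuptool restore ..." command.
with_services_stopped() {
    if ! stop_services; then
        echo "error: could not stop Tomcat/dcserver; not restoring" >&2
        return 2
    fi
    "$@"
    rc=$?
    if ! start_services; then
        echo "warning: Tomcat/dcserver did not restart cleanly" >&2
    fi
    return $rc
}

# restore_database DATABASE FILE [PASSPHRASE] [ha]
# DATABASE is cg_system, cg_configuration or cg_events. Pass "ha" as the
# fourth argument when the backup was created while CC HA was active (-b).
# The passphrase is handed to restoredb as a separate argument, so the
# interactive shell quoting rules from the backup Tip do not apply here.
restore_database() {
    db=$1; file=$2; pass=$3; ha=$4
    case $db in
        cg_system|cg_configuration|cg_events) ;;
        *) echo "error: unknown database: $db" >&2; return 2 ;;
    esac
    if [ ! -r "$file" ]; then
        echo "error: backup file not readable: $file" >&2
        return 2
    fi
    if [ -n "$pass" ]; then
        case $file in
            *.des3) ;;
            *) echo "error: -k is only valid for a .des3 backup: $file" >&2; return 2 ;;
        esac
    fi
    # Assemble "restoredb [-b] [-k passphrase] DATABASE FILE" in the order
    # the guide documents.
    set -- "$db" "$file"
    if [ -n "$pass" ]; then
        set -- -k "$pass" "$@"
    fi
    if [ "$ha" = ha ]; then
        set -- -b "$@"
    fi
    with_services_stopped "$RESTOREDB" "$@"
}

# Usage, as dbadmin in the directory that holds the backup file:
#   restore_database cg_configuration cg_configuration.bak.des3 secret
#   restore_database cg_events cg_events.bak.des3 "" ha
```

The wrapper deliberately refuses to run restoredb when the services could not be stopped, and it reports (rather than hides) a restart failure so that the next step in the procedure, logging in through the client tools, is not attempted against a half-started server.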
Restoring the Management Server configuration files from the command line

Use the mgradmin user account to run the backuptool restore command in the /usr/sbin/ directory by using the sudo command. The following command shows the restore command of the backuptool with all of the available parameters. To view the procedures that you need to perform for this command, see Restoring all of the databases for a Management Server on page 31, Restoring a single database on page 31, or Restoring the Management Server configuration files from the command line on page 33. It is important that you review these procedures because they include some important prerequisites.

  sudo -u backup /usr/sbin/backuptool restore -f filename[.des3] [-k passphrase] [-L] [-D] [-b] [-i]

where:
  filename = filename of archive file
  [.des3] = Optionally use to encrypt the file during backup and decrypt it during restore
  [-k passphrase] = Optionally use the specified passphrase to decrypt the backup file (it must match the passphrase that was used to create the backup)
  [-L] = Do not include audit log files
  [-D] = Do not include database files
  [-b] = This argument must be specified if the file was created when CC HA was active
  [-i] = Ignore the release level of the backup file

For more information about these options, see Backuptool command overview on page 26.
Disaster recovery restoration for Management Servers

If a standalone Management Server, or one or both servers in a high availability (HA) configuration, has failed completely, the following topics provide procedural information for restoring the Management Server (or Servers):
• Restoring a standalone Management Server that has failed completely on page 34
• Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair on page 35
• Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair on page 36
• Restoring both Management Servers in a high availability (HA) pair that have failed completely on page 37
Restoring a standalone Management Server that has failed completely

If a Control Center Management Server experiences a total system failure and it must be recovered from backup, perform the following steps:

1 Perform a complete installation of the Control Center Management Server on the new server by using the USB flash drive that was included with the Control Center. Follow the installation instructions.

2 Log in to the Management Server console as the mgradmin user.

3 Make sure that the backup user has access to the current directory (for example, /tmp). Then run the backuptool command as listed below to move the backup file that is to be restored into the current directory:

  cd /tmp
  sudo -u backup /usr/sbin/backuptool download -f filename -s scheme -h hostname -d remote-directory -u username -p password

where:
  filename = path and filename of archive file
  scheme = one of FTP, FTPS, SCP
  hostname = host name [:port (optional)] (When using FTPS, the port is either 21 or 990. Consult your FTP server documentation.)
  remote-directory = directory on remote host
  username = username on remote host
  password = password on remote host

4 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the restore process.
To stop Tomcat:
  su root /etc/init.d/tomcat stop
To stop Secure Alerts:
  su root /etc/init.d/dcserver stop

5 The backup file can now be restored. When the backup is restored, the backuptool checks that the release level of the backup file matches the release that is currently running on the Control Center Management Server. If the release levels do not match, the backup is not restored. If the backup file was created by using the command line process, any components that were excluded from the backup (such as database backups or audit log files) must be indicated during the restore process by using the [-L] and [-D] parameters.
As mgradmin, issue the command line restore command:

  sudo -u backup /usr/sbin/backuptool restore -f filename[.des3] [-k passphrase] [-L] [-D] [-b] [-i]

where:
  filename = filename of archive file
  [.des3] = Optionally use to encrypt the file during backup and decrypt it during restore
  [-k passphrase] = Optionally use the specified passphrase to decrypt the backup file (it must match the passphrase that was used to create the backup)
  [-L] = Do not include audit log files
  [-D] = Do not include database files
  [-b] = This argument must be specified if the file was created when CC HA was active
  [-i] = Ignore the release level of the backup file
6 After successfully restoring the backup file, start Tomcat and the Secure Alerts server:
To start Tomcat:
  su root /etc/init.d/tomcat start
To start the Secure Alerts server:
  su root /etc/init.d/dcserver start

7 After Tomcat and the Secure Alerts server have been restarted, you can log in to the Management Server by using any of the client tools in the Client Suite to continue managing your firewalls. No certificates need to be re-issued because they have been restored from the backup.

Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair

If you have two Management Servers that are configured as an HA pair and the primary Management Server has a complete failure, refer to the following high-level steps to recover from this event:

1 Using the GUI, log in to the backup Management Server. You are prompted to switch this backup server to be the primary server. If you choose to do so, the backup server is promoted to the primary server and, after a brief period of time, you are logged in to the Client tool. If you choose not to change the role, you cannot proceed.

2 Remove the High Availability (HA) feature from the backup server by running the High Availability Removal Wizard. (From the System menu, select High Availability Removal Wizard…. The wizard starts.) The HA feature is removed from this server. At this point, you no longer have a primary server. You have a standalone server that was your original backup server. From this point forward in this procedure, this server is referred to as the old server.

Verify that the removal wizard successfully removed the HA feature:

a Go to the Administration Tool and open the Backup Server Status page. (From the System menu, select Backup Server Status….) If the removal wizard was successful, this page is blank. Continue to step b.
However, if any data is displayed on this page (for example, the backup Management Server displays a status of FAILED), the removal was not successful. Continue to step b and then to step c.

b The removal wizard generates an haStop.log log file. View the contents of this log file in the Server Logs window. (From the Administration Tool System menu, select Server Logs…. Then select the High Availability Setup node and then the haStop.log node.) If the information at the end of this log indicates something other than that the configuration completed, the removal wizard was not successful.

c If step a, step b, or both were unsuccessful, you must troubleshoot this problem. Go back to the Configuration Tool for the old backup server and try to run the High Availability Removal wizard again. If it is not available to you (that is, you see the High Availability Setup menu option instead of the High Availability Removal menu option), you must contact Technical Support.

3 Create a new Management Server (hereafter referred to as the replacement server) to replace the failed primary server by re-installing the Control Center Management Server software and ensuring that licensing and any applicable patches are in place.
4 On the old server, run the High Availability Setup wizard and specify the replacement Management Server as the backup server. (From the System menu, select High Availability Setup Wizard….) You must run the High Availability Setup wizard from the old server and not from the replacement server, because the old server has the current management data. If you run the High Availability Setup wizard from the replacement server, the old server's data is lost. At that point, you need to restore your data from a full backup. See Restoring both Management Servers in a high availability (HA) pair that have failed completely on page 37.

5 The last step depends on whether you want to make the replacement Management Server the new primary server or keep the old server as the new primary server.
• To switch server roles and make the replacement Management Server the primary server, log out of the old server and log in to the replacement server. You are asked whether to make this server the new primary server. Click OK. You now have a new primary server, with your old server resuming its backup role.
or
• To maintain the current backup role of the replacement server as it has been configured by the High Availability Setup wizard, no additional steps are required.

Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair

In this scenario, the primary Management Server in an HA pair is running. However, the backup Management Server has failed completely. You want to add a new backup Management Server to your HA pair.

1 On the primary Management Server, log in to the Administration Tool and run the High Availability Removal wizard.

Verify that the removal wizard successfully removed the HA feature:

a Go to the Administration Tool and open the Backup Server Status page. (From the System menu, select Backup Server Status….)
If the removal wizard was successful, this page is blank. Continue to step b. However, if any data is displayed on this page (for example, the backup Management Server displays a status of FAILED), the removal was not successful. Continue to step b and then to step c.

b The removal wizard generates an haStop.log log file. View the contents of this log file in the Server Logs window. (From the Administration Tool System menu, select Server Logs…. Then select the High Availability Setup node and then the haStop.log node.) If the information at the end of this log indicates something other than that the configuration completed, the removal wizard was not successful.

c If step a, step b, or both were unsuccessful, you must troubleshoot this problem. Go back to the Configuration Tool for the old backup server and try to run the High Availability Removal wizard again. If it is not available to you (that is, you see the High Availability Setup menu option instead of the High Availability Removal menu option), you must contact Technical Support.

2 Create a new backup Management Server (hereafter referred to as the replacement server) to replace the failed backup server by re-installing the Control Center Management Server software and ensuring that licensing and any applicable patches are in place.

3 Go back to the primary Management Server and run the High Availability Setup wizard, specifying the replacement server as the backup server.
Restoring both Management Servers in a high availability (HA) pair that have failed completely

In this scenario, both of the Management Servers in your HA pair have failed completely. You can restore a full backup by using the Upload Backup Wizard from the Restore System from Backup window. For more information, see Uploading a backup configuration file from the Client to the Management Server on page 128. The following procedure is a combination of GUI and command line steps.

1 On the new primary Management Server, install the Control Center Management Server software on the device, including all of the license and patch information.

2 On the new backup Management Server, install the Control Center Management Server software on the device, including all of the license and patch information.

3 On the primary Management Server, retrieve the backup data. From the command line, log in to the new primary Management Server as mgradmin and run the following commands:

  cd /tmp
  sudo -u backup /usr/sbin/backuptool download -f filename -s scheme -h hostname -d remote-directory -u username -p password

where:
  filename = filename of archive file
  scheme = one of FTP, FTPS, SCP
  hostname = host name [:port (optional)] (When using FTPS, the port is either 21 or 990. Consult your FTP server documentation.)
  remote-directory = directory on the host
  username = username on the host
  password = password on the host

4 Stop all GUI clients, Tomcat, and Secure Alerts because open database connections will interfere with the restore process.
To stop Tomcat:
  su root /etc/init.d/tomcat stop
To stop Secure Alerts:
  su root /etc/init.d/dcserver stop

5 Restore the retrieved backup data to the primary Management Server by running the following command:

  sudo -u backup /usr/sbin/backuptool restore -f filename[.des3] [-k passphrase] [-L] [-D] -b

where:
  [.des3] = Optionally use to encrypt the file during backup and decrypt it during restore
  [-k passphrase] = Optionally use the specified passphrase to decrypt the backup file (it must match the passphrase that was used to create the backup)
  [-L] = Excludes files in /opt/security/var/gccserver/auditlogs from the backup or restore operation
  [-D] = Excludes files in /opt/security/var/gccserver/cfgbackups and in /opt/security/var/gccserver/nightlybackups from the backup or restore operation
  -b = Treats the backup file as having been created on a CC HA system
6 After successfully restoring the backup file, start Tomcat and the Secure Alerts server:
To start Tomcat:
  su root /etc/init.d/tomcat start
To start the Secure Alerts server:
  su root /etc/init.d/dcserver start

7 On the primary Management Server, log in to the Administration Tool and run the High Availability Removal Wizard. (From the System menu, select High Availability Removal Wizard…. The wizard starts.) When the wizard has completed, the Control Center Management Server is ready to re-establish HA.

8 On the same (primary) Management Server, run the High Availability Setup Wizard. (From the System menu, select High Availability Setup Wizard…. The wizard starts.) When the wizard has completed, the HA feature has been configured on your two Management Servers.

Adding firewalls

A firewall must be configured and enrolled before it can be managed by the Control Center.
• If you have a new, unconfigured firewall, you can use the rapid deployment option. See Adding firewalls by using rapid deployment registration on page 38.
• If you have a standalone firewall that already has a configured policy, or if you have an HA cluster, use the manual registration procedure. See Adding firewalls by using manual registration on page 39.

Note: To simultaneously manage groups of related objects, see Overview of configuring a cluster on the McAfee Firewall Enterprise Admin Console on page 225.

Adding firewalls by using rapid deployment registration

Use the rapid deployment method if you have a new, unconfigured firewall. Do not use this method if you want to use the firewall in a managed High Availability (HA) cluster.

To register your firewall during its initial configuration:

1 Begin the McAfee Firewall Enterprise Quick Start Wizard. On the Control Center Registration window, select the Auto-register to Control Center checkbox.
Complete these fields:
• Primary Server host name — Specify the fully qualified domain name (FQDN) of the Control Center Management Server. If you are using a High Availability Management Server configuration, specify the node name of the active Management Server.
• Primary Server IP address — Specify the IP address of the Control Center Management Server.
• Sign Up password — Specify a password that is used when you enroll this firewall by using the Control Center Configuration Tool. The password must be a minimum of eight characters and a maximum of 256 characters. You can use a default password for all of your firewalls or specify unique passwords for each firewall.

2 Complete the initial configuration.

3 In the Control Center Configuration Tool, select the Firewalls group bar. Right-click the Firewalls node and select Sign Up Firewalls…. The Sign Up Firewalls window is displayed.

4 [Conditional] If you used the same password when registering each firewall, specify that password in the Default Sign Up Password field.
5 Provide the FQDN, IP address, and password for each firewall that has been configured by using the rapid deployment option, by performing either of the following steps:
• In the table, specify registration information for each firewall. Starting with the Host Name field, specify the FQDN, IP address, and password for a firewall that was registered by using the rapid deployment option. Repeat this step for each firewall that is ready to be registered.
• Import registration information for multiple firewalls from a file.
  a Create a space-delimited text file that contains a host name and IP address for each firewall that has been prepared for enrollment. The following list is an example:
    fw1.company.net 172.26.113.171
    fw2.company.net 198.115.56.121
    fw3.company.net 191.21.115.101
  b Click Import and then browse to the file that you created in step a. The Sign Up Firewalls window is populated with information from the text file.
  c In the Password field, specify the sign up password for each firewall.
  Tip: If a password is not specified for a particular firewall, the value in the Default Sign Up Password field is used.

6 Click OK and then confirm that you want to register these firewalls. The Deployment Status Report is displayed.
• If the status value is Operation successful, the Control Center successfully connected to that firewall.
• If the status value is Operation failed, double-click Details and address the issue that is described there.

After the Control Center successfully connects to a firewall, you must retrieve its policy. This must be done on a firewall-by-firewall basis.

7 In the Configuration Tool, make sure that the Firewalls group bar is selected.

8 Select the Firewalls node to display the list of firewalls.

9 Perform the following steps to retrieve the necessary objects:
a Right-click the firewall that you have just added and select Retrieve Security Device Objects. The Firewall Retrieval Options window is displayed.
b In the Retrieval Item Description column heading, right-click and select Select All.
Note: If you have previously retrieved items from this firewall, consider clearing some of the checkboxes, such as rules, to avoid creating duplicates of those items.
c Click OK. The Control Center initiates a connection with the firewall and retrieves the selected items.

Adding firewalls by using manual registration

Use this procedure if you are registering:
• A standalone firewall that already has a configured policy.
• An existing HA cluster.

To register a firewall to your Control Center Management Server after the firewall is fully operational:

1 In the McAfee Firewall Enterprise Admin Console, register the target firewall or cluster to the Control Center Management Server:
a Select Maintenance > Control Center Registration.
b Specify the hostname and IP address of the Control Center Management Server.
c [Optional] If you are using a High Availability Control Center Management Server configuration, select the Configure backup server checkbox.
  • In the Backup Server Name field, specify the host name of the Management Server that is acting as a backup to the active Management Server.
  • In the IP Address field, specify the IP address of the Management Server that is acting as a backup to the active Management Server.
d Click Register with the Control Center Now. An authentication window is displayed.
e Specify the Control Center administrator user name and password and click OK.

2 In the Control Center Configuration Tool, make sure that the Firewalls group bar is selected and perform one of the following steps:
• If you are registering a standalone firewall, right-click the Firewalls node and select Add Object. The Add New Firewall window is displayed. Specify the required information about the firewall. For more information about this window, see Registering a firewall manually on page 166.
• If you are registering a cluster, right-click the Clusters node and select Add Object. The Add Cluster window is displayed. Specify the following information about the cluster:
  • In the Cluster Name field, specify any name that quickly identifies the cluster. Do not use the fully qualified domain name (FQDN) of either cluster member node.
  • In the Cluster Mgmt Address field, specify the management address for the cluster node.
  • In the Version field, specify the software version of the cluster.

3 In the Retrieval Items tab, right-click the column heading and select Unselect All. This instructs the Control Center to establish connectivity without passing policy information, which saves time during an initial firewall registration if the firewall is unreachable for some reason.

4 Click OK. The Control Center attempts to connect to the firewall.

5 Verify communication between the firewall and the Management Server.
  From the Reports menu, select Firewall Status and verify that a green light appears next to the firewall.
6 After a connection has been established, go back to the Firewalls group bar and select the Firewalls node or the Clusters node, depending on the object that you are configuring.
7 Perform the following steps to retrieve the necessary objects:
  a Right-click the firewall that you just added and select Retrieve Firewall Objects. The Firewall Retrieval Options window is displayed.
  b In the Retrieval Item Description column heading, right-click and select Select All.
    Note: If you have previously retrieved items from this firewall, consider clearing some of the checkboxes, such as rules, to avoid creating duplicates of those items. Performing multiple retrievals of the same objects is not recommended.
  c Click OK. A system update message is displayed.
  d Click Yes. The Control Center initiates a connection with the firewall and retrieves the selected items.

After the Control Center has successfully connected to the firewall and has retrieved the selected items, you can begin managing policy information for that firewall.
Managing firewall interfaces

The internal and external network interfaces of the firewall are defined during initial configuration. However, you can configure additional interfaces to suit the needs of your network infrastructure. The firewall can be used in any or all of the following ways:
• As a gateway between your internal network and the Internet.
• As a gateway between any networks with different security needs.
• As a transparent firewall inside of a single network.

Traffic is passed through the firewall by arriving on one interface and leaving on a different interface. The relationship between configured interfaces can be classified in the following ways:
• Routed – A firewall interface is connected to each unique network, and the firewall allows traffic to pass between the networks like a router, which enforces your security policy. For more information, see Routed mode on page 41.
• Transparent (bridged) – Two firewall interfaces are connected inside of a single network and are bridged to form one transparent interface. Traffic passes through the firewall like a switch, allowing you to enforce security policy inside the network without having to re-address the network. In other words, this firewall can be placed anywhere inside of your network without having to reconfigure your network. For more information, see Transparent (bridged) mode on page 41.
  Note: You can configure only one transparent interface (bridge) on each firewall.

The routed and transparent modes are not exclusive; your firewall can be simultaneously configured with a single bridged interface and additional routed interfaces. This is called hybrid mode.

Routed mode

In routed mode, your firewall is deployed at the intersection of multiple networks.
• The firewall is connected to each network by a network interface.
• Each firewall interface must be assigned a unique IP address in the connected subnet.
• The protected networks must be unique—each network must be a different subnet.
• Hosts in a protected network communicate with other networks by using the firewall’s IP address as their gateway.
• Each firewall interface is assigned to a unique burb. When traffic attempts to cross from one burb to another, the configured security policy is enforced.

For examples of deploying a firewall in single or multiple networks, see McAfee Firewall Enterprise (Sidewinder) Administration Guide.

Transparent (bridged) mode

In transparent (bridged) mode, your firewall is deployed inside of a single network. A transparent interface consists of two interfaces that are connected inside of the same network and that are assigned to unique burbs. The following table shows the default firewall interface configuration. These interfaces, or any other two interfaces, can be used to configure a transparent interface.

Table 4 Standard interfaces

  User defined interface name   NIC or NIC Group   Burb name
  external_network              em0                external
  internal_network              em1                internal
The following table shows a transparent interface that is configured by using the default interfaces. Note that bridge0 consists of em0 and em1.

Table 5 Transparent interface

  User defined transparent interface name   NIC or NIC Group
  bridged_network                           bridge0 (em0, em1)

When traffic attempts to cross the transparent interface (from one burb to the other), a rule check is performed to enforce security policy. Because hosts inside of the network are not aware that the firewall is deployed, they communicate with each other as though they were directly connected by a switch.
• If two hosts reside in the same burb (that is, on the same side of the transparent interface), they communicate directly over the network and no security policy is enforced.
• If two hosts reside in different burbs (that is, on different sides of the transparent interface), they communicate through the firewall and security policy is enforced.

For examples of transparently enforcing security policy inside of a single subnet or transparently protecting a single network, see McAfee Firewall Enterprise (Sidewinder) Administration Guide. For information about how to configure a transparent interface, see Creating a transparent (bridged) interface on page 179.

Navigating the Control Center user interface

The Control Center Client Suite has four tools that have a similar design and navigation, although the functionality of each tool is mostly unique. (You can access some features from more than one tool and, in some situations, from all of the tools.) The following figure is an example of the Configuration Tool main window, which is the most complex of all of the tool main windows.

Figure 4 Example of the Control Center Client Suite main window
[Figure callouts: Menu bar, Toolbars, Object Configuration area, Page area, Docking pin, Work area, Group bars, Status bar]
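The routed and transparent (bridged) mode rules in the preceding "Managing firewall interfaces" section (a unique IP address and a different subnet for each routed interface, a unique burb per interface, at most one bridge per firewall, bridge members in different burbs, and a rule check only when traffic crosses from one burb to another) can be checked mechanically before a layout is applied. The following Python script is an added example written for this guide's text; it is not part of the original guide and is not McAfee Control Center code. The Interface, Bridge and FirewallConfig classes, the validate, burb_of, rule_check_required and deployment_mode functions, and the sample layouts (with addresses taken from the RFC 5737 documentation ranges) are assumptions made for illustration; only the default interface names, NICs and burbs follow Tables 4 and 5.

```python
# Added example for this section; not Control Center code. Classes, functions and sample layouts are illustrative.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Interface:
    name: str                      # user-defined interface name, e.g. "external_network"
    nic: str                       # NIC or NIC group, e.g. "em0"
    burb: str                      # burb the interface is assigned to
    address: Optional[str] = None  # "ip/prefix"; required for a routed interface

@dataclass(frozen=True)
class Bridge:
    name: str            # user-defined transparent interface name, e.g. "bridged_network"
    nic: str             # bridge device, e.g. "bridge0"
    member_a: Interface  # the two member interfaces, each assigned to its own burb
    member_b: Interface

@dataclass
class FirewallConfig:
    routed: List[Interface]
    bridges: List[Bridge]

def _claim(owner: Dict[str, str], key: str, name: str, what: str, problems: List[str]) -> None:
    """Record that `name` uses `key`; report a violation if something else already does."""
    if key in owner:
        problems.append(f"{name}: {what} {key} is already used by {owner[key]}")
    owner.setdefault(key, name)

def validate(cfg: FirewallConfig) -> List[str]:
    """Return the list of rule violations; an empty list means the layout is valid."""
    problems: List[str] = []
    burbs: Dict[str, str] = {}
    nics: Dict[str, str] = {}
    networks = {}
    # Routed mode: an IP in the connected subnet, a different subnet per network, a unique burb per interface.
    for itf in cfg.routed:
        if itf.address is None:
            problems.append(f"{itf.name}: routed interface needs an IP address in its connected subnet")
            continue
        net = ipaddress.ip_interface(itf.address).network
        for other, other_net in networks.items():
            if net.overlaps(other_net):
                problems.append(f"{itf.name}: subnet {net} overlaps {other} ({other_net})")
        networks[itf.name] = net
        _claim(burbs, itf.burb, itf.name, "burb", problems)
        _claim(nics, itf.nic, itf.name, "NIC", problems)
    # Transparent mode: at most one bridge per firewall, members in different burbs, NICs not reused.
    if len(cfg.bridges) > 1:
        problems.append(f"{len(cfg.bridges)} bridges configured; only one transparent interface is allowed")
    for br in cfg.bridges:
        if br.member_a.burb == br.member_b.burb:
            problems.append(f"{br.name}: both members are in burb {br.member_a.burb}")
        for member in (br.member_a, br.member_b):
            _claim(nics, member.nic, br.name, "NIC", problems)
    return problems

def burb_of(cfg: FirewallConfig, nic: str) -> str:
    """Burb that traffic arriving on (or leaving by) the given NIC belongs to."""
    members = [m for br in cfg.bridges for m in (br.member_a, br.member_b)]
    for itf in cfg.routed + members:
        if itf.nic == nic:
            return itf.burb
    raise KeyError(f"no interface is configured on NIC {nic}")

def rule_check_required(cfg: FirewallConfig, ingress_nic: str, egress_nic: str) -> bool:
    """Security policy is enforced only when traffic crosses from one burb to another."""
    return burb_of(cfg, ingress_nic) != burb_of(cfg, egress_nic)

def deployment_mode(cfg: FirewallConfig) -> str:
    if cfg.bridges and cfg.routed:
        return "hybrid"
    return "transparent" if cfg.bridges else "routed"

# Constructed sample layouts; addresses come from the RFC 5737 documentation ranges.
ROUTED = FirewallConfig(
    routed=[Interface("external_network", "em0", "external", "203.0.113.1/24"),
            Interface("internal_network", "em1", "internal", "192.0.2.1/24")],
    bridges=[])
# Table 5: bridge0 built from the two default interfaces em0 and em1.
TRANSPARENT = FirewallConfig(
    routed=[],
    bridges=[Bridge("bridged_network", "bridge0",
                    Interface("external_network", "em0", "external"),
                    Interface("internal_network", "em1", "internal"))])
# Hybrid mode: the single bridge plus one additional routed interface on its own burb.
HYBRID = FirewallConfig(
    routed=[Interface("dmz_network", "em2", "dmz", "198.51.100.1/24")], bridges=TRANSPARENT.bridges)
# Invalid: overlapping subnets, and the external burb reused by a second routed interface.
BROKEN = FirewallConfig(
    routed=[Interface("external_network", "em0", "external", "203.0.113.1/24"),
            Interface("internal_network", "em1", "external", "203.0.113.129/25")],
    bridges=[])

if __name__ == "__main__":
    for label, cfg in (("routed", ROUTED), ("transparent", TRANSPARENT), ("hybrid", HYBRID), ("broken", BROKEN)):
        print(f"{label} ({deployment_mode(cfg)}):", validate(cfg) or "OK")
    print("em0 -> em1 across bridge0 needs a rule check:", rule_check_required(TRANSPARENT, "em0", "em1"))
```

Running the script prints the violations found in each sample layout (the BROKEN layout reports the subnet overlap and the reused burb). Because validate returns the violations as a list rather than printing them, it can be called from a change-control script to reject an interface layout before it is applied to a firewall.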
Each tool consists of the following graphical interface areas:
• Main window — The main window is displayed after you have successfully logged into one of the Control Center tools. For information about the main window for each tool, see the following:
  • Administration Tool main window on page 44
  • Configuration Tool main window on page 45
  • Reporting and Monitoring Tool main window on page 48
  • Software Updates Tool main window on page 49
• Menus — Each Control Center tool has menus that are shared with other tools, that are unique to that tool, and that are unique to a specific feature of that tool. For information about the tool menu for each tool, see the following:
  • Administration Tool menus on page 50
  • Configuration Tool menus on page 56
  • Reporting and Monitoring Tool menus on page 62
  • Software Updates Tool menus on page 66
• Toolbars — Each Control Center tool has various toolbars that can be displayed, depending on the page that is displayed in the work area. You can also customize any toolbar. For information about the toolbar for each tool, see the following:
  • Administration Tool toolbars on page 70
  • Configuration Tool toolbars on page 70
  • Reporting and Monitoring Tool toolbars on page 73
  • Software Updates Tool toolbars on page 76
• Page area — Each Control Center tool has a page area to display the associated page that is displayed in the work area. Any page that is currently active in the work area can be closed and removed from the tab area by selecting the icon on the right corner of the page area. There are many different pages, depending on your toolbar and menu selections. For example, every tool has a Start page.
• Docking pin — Each Control Center tool has a docking pin to manage the Object Configuration area and Group bars. This feature allows for more visible area in the main screen when viewing pages in the work area.
  Use the appropriate options on the View menu to reveal or hide the data that is displayed in the Object Configuration area and in the Group bars.
• Work area — This portion of the GUI is where the data that is associated with the pages is displayed when the associated tab for the page is selected.
• Group Bars — [Available only in the Configuration Tool and the Reporting and Monitoring Tool] These two tools have group bars that assist in accessing object trees. Select the group bar and then select the node in the tree with which you want to work.
• Status Bar — Each Control Center tool has a status bar in which different information is displayed. For information about the status bar for each tool, see the following:
  • Administration Tool: Status bar on page 45
  • Configuration Tool: Status bar on page 47
  • Reporting and Monitoring Tool: Status bar on page 49
  • Software Updates Tool: Status bar on page 50
In addition to the window- and page-specific descriptions, there is additional functionality that is provided in the Control Center Client Suite to help you configure and manage the security policy for your firewalls.
• Shortcut keys — Each menu bar has a keyboard shortcut to allow faster selection if you prefer to access these items by keyboard as opposed to the mouse. As is the Windows standard, the keyboard shortcut is indicated by an underscore (_) beneath the letter in the menu or menu option name. Press this character on the keyboard to select the menu option.
• Right-click menus — Right-click menus are available for the objects that appear in the Object Configuration area of the Administration Tool, Configuration Tool, and the Reporting and Monitoring Tool. You can also use the right-click menu in the pages that appear in the work area of the various tools. Many of these menu options are also accessible in another way in the tool, such as a menu option, a tool on the toolbar, or a button on the interface itself.
• Edit status column — Many tables include an Edit column that identifies the edit status of a row in a table. The following icons can be displayed:
  • [blank] — Indicates an existing line with associated values that is not the currently selected line.
  • [icon] — Indicates that this row is the one that is being edited.
  • [icon] — Indicates that you are creating a new row or entry.
  • [icon] — Indicates that this row is currently selected and it contains previously specified values.

Administration Tool main window

Use the following areas of the Administration Tool main window to manage the administrative functions that are associated with operating the Control Center. For more information, see Administration Tool on page 79.

Administration Tool: Menu bar

The Menu bar on the Administration Tool includes all of the menus and menu options for the Administration Tool.
There are some menu options that are shared by all of the Client Suite tools and there are others that are unique. To view the Administration Tool menu information, see Administration Tool menus on page 50.

Administration Tool: Users and Roles toolbar

Use the Users and Roles toolbar to manage the Control Center users and their assigned roles. You can access all of the defined users and all of the defined roles in this area. For more information, see Control Center users on page 81 and Control Center roles on page 89.

Administration Tool: Page area

Use the tab area to display or close tool-specific pages. For the Administration Tool, the following pages can be displayed:
• Start Page
• Audit Trail
• Backup Server Status

Administration Tool: Work area

Use this area to view the data that is associated with tabs or pages.

Administration Tool: Docking pin

Use the docking pin to hide the Users and Roles toolbar. By hiding the toolbar, you can have more visible area in the main screen when you are viewing one of the tabs. When the pin is undocked, you can access the Users and Roles toolbar by moving the mouse over the Object Configuration tab on the upper left side of the main window.
Administration Tool: Status bar

Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management Server.
• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged into for each user who is currently logged into this domain of the Management Server. A message is displayed to all other users who are currently running a specific tool when another user logs in or out of the Management Server. The status bar will be updated accordingly.
• Date/Time — [Read-only] Displays the current date and time.
• License Status — [Read-only] Displays the license status of the Management Server. To view your license configuration from any tool in the Client Suite, move the pointer over the license icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the shortest license and the accumulated licenses for each firewall in your configuration. For more complete information about the status of the licensing, open the Administration Tool and select License… from the System menu. One of the following icons will be displayed:
  • Valid license — Indicates that the program is fully licensed. For more information, see Licensing the Control Center Management Server on page 104.
  • Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.
  • Evaluation version — Indicates that this program is an evaluation license. The evaluation license may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the evaluation license is within five (5) days of its expiration, the number of days that remain in the evaluation is displayed in the current status area, which is located in the lower right corner of the status bar in each tool of the Client Suite.
Configuration Tool main window

Use the following commands, windows, and options in the user interface for the Control Center Configuration Tool to configure and manage multiple security policies and firewalls. For more information, see Configuration Tool on page 153.

Configuration Tool: Menu Bar

Each tool in the Control Center Suite has a different set of menu bar menus to correspond to the features and functions of the individual tool. Each menu bar menu has a keyboard shortcut to allow faster selection for users who are more comfortable using the keyboard. These keyboard shortcuts are denoted by an underscore designation on the menu option. These are the menus for the Configuration Tool, along with the functionality that is available in each menu:
• File — Load a previously saved configuration from the file system into the Control Center database, save the entire Control Center configuration to a file, or exit the Configuration Tool.
• View — Access the Start page, Rules page, and Alert Processing Rules page in the work area, access the various configurable objects in the Objects toolbar, and access options to hide or display the various toolbars that accompany the user interface.
• Configuration — Validate and apply configuration changes to supported firewalls, lock objects to prevent multiple users from making simultaneous changes to the same objects, back up an individual firewall configuration, and apply user-defined sorting views to simplify the management of multiple firewalls.
• System — Access the Device Control window. Use the Device Control window to manage firewalls. You can initiate various shutdown or suspend states on selected firewalls.
• Reports — Access firewall status information, view configuration and validation reports, or access the Control Center audit trail report.
• Tools — Start the other tools in the Control Center Client Suite. You can initiate only one instance of each tool on a single system. If the selected tool is already displayed, no action occurs. The tools that appear in the menu differ, depending on the tool that is in use when the Tools menu is accessed.
• Rules — [Available only when either the Rules page or the URL Translation Rules page is the active page in the work area] Access the information that is used to manage individual rules. The options that are displayed on the menu vary, depending on the specific page that is displayed when the Rules menu is accessed.
• Window — The Window menu is universally available on all of the tools in the Control Center Client Suite. Use the options on this menu to control the layout of objects and components in the Control Center Client Suite.
• Help — The Help menu is universally available on all of the tools in the Control Center Client Suite. Use the options on this menu to obtain context-sensitive help for using the features and fields that are associated with each window, to obtain additional information about the services and features that are associated with each tool, and to obtain background information about specific concepts that are associated with using or operating the Control Center.

Configuration Tool: Toolbars

The Configuration Tool has an Actions toolbar, a Rule Options toolbar, an Alert Processing Rules Options toolbar, a System/Attack Responses toolbar, and a URL Rules Options toolbar that provide options to access the various fields, buttons, and commands that are associated with the Configuration Tool. Right-click in the toolbar area to manage individual toolbars.
Configuration Tool: Page area

Use the tab area to display the associated tab for a page that is displayed in the work area. Any page that is currently active in the work area can be closed and removed from the tab area by clicking the [icon] in the right corner of the tab area. To the left of this icon is [icon], which allows you to select any available page to view from the displayed list. There are many different tabs, depending on your toolbar and menu selections. The following list is an example of some of these pages:
• Start page — This page provides introductory information.
• Firewall Status page — View a status summary of the firewalls that are configured for your operation. You can also use this page to quickly determine the status information about the operation of each firewall in your configuration. For more information, see Viewing the overall status of your firewalls on page 574.
• Rules page — View a complete list of the rules that have been defined on your system. You can also use this page to view, add, insert, change, delete, or prioritize rules. For more information about the Rules page, see Creating, viewing, or modifying rules on page 528.
• Object Details page — View data that is related to all of the objects for the object type node that was selected in the tree. For more information, see Viewing details about objects on page 160.
• Alert Processing Rules page — View a complete list of the alert processing rules that are available. For more information, see Viewing alert processing rules on page 564.
• Configuration Status Report page — Use this page to view information about the propagation of configuration data from the Control Center database to each selected firewall. When the Configuration Status Report window is displayed, the propagation status is refreshed every 15 seconds. For more information, see Viewing configuration information about each firewall on page 584.
• Validation Status Report page — Use this page to view the status of the validation process for each of the firewall configurations in the Control Center database and to view the differences between the current configuration and the proposed configuration of a firewall. For more information, see Viewing the status of Apply Configurations on page 593.
Configuration Tool: Docking pin

Use the docking pin to manage the Object Configuration area and the Object Details page. You can use this docking pin to hide or display toolbars so that you can have more visible area in the main screen when you are viewing one of the tabs. Use the appropriate options on the View menu to display or hide the data that is displayed in the Object Configuration area or to show or hide the Object Details page.

Configuration Tool: Work area

Use this area to view the data that is associated with tabs or pages.

Configuration Tool: Object Configuration area

Use this area to view, create, modify, and manage the configurable objects that form the foundation data that is used to manage a security policy. Use the docking pin controls or the appropriate options on the View menu to display or hide the data that is displayed in the Object Configuration area.

Configuration Tool: Group bars

Use the Group bars to access object trees, which, in turn, allow you to work with the objects. The Configuration Tool has the following group bars:
• Firewalls — The object tree in this group bar includes firewalls, clusters, cluster members, and device groups. For more information, see Configuration Tool - Firewalls on page 163.
• Firewall Settings — The object tree in this group bar includes all of the objects that can be configured for firewalls, including such objects as network defenses and global settings. For more information, see Configuration Tool - Firewall Settings on page 263.
• Policy — The object tree in this group bar includes objects that are used to determine the policy for your firewalls, such as rules, application defenses, and authenticators. For more information, see Configuration Tool - Policy on page 333.
• Monitor — The object tree in this group bar includes objects that are used to monitor different types of data for firewalls, such as IPS attack and system responses, audit events, and so on, plus several reports. For more information, see Configuration Tool - Monitor on page 573.
• Maintenance — The object tree in this group bar includes objects that are used to maintain the firewall, such as licensing, and to maintain the Control Center Management Server, such as backing up and restoring the Management Server. For more information, see Configuration Tool - Maintenance on page 647.

Configuration Tool: Status bar

Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management Server.
• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged into for each user who is currently logged into this domain of the Management Server. A message is displayed to all other users who are currently running a specific tool when another user logs in or out of the Management Server. The status bar will be updated accordingly.
• Date/Time — [Read-only] Displays the current date and time.
• License Status — [Read-only] Displays the license status of the Management Server. To view your license configuration from any tool in the Client Suite, move the pointer over the license icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the shortest license and the accumulated licenses for each firewall in your configuration. For more complete information about the status of the licensing, open the Administration Tool and select License… from the System menu.
  One of the following icons will be displayed:
  • Valid license — Indicates that the program is fully licensed. For more information, see Licensing the Control Center Management Server on page 104.
  • Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.
  • Evaluation version — Indicates that this program is an evaluation license. The evaluation license may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the evaluation license is within five (5) days of its expiration, the number of days that remain in the evaluation is displayed in the current status area, which is located in the lower right corner of the status bar in each tool of the Client Suite.

Reporting and Monitoring Tool main window

Use the following areas of the Reporting and Monitoring Tool to monitor and manage alerts, select and investigate chronological activities that are recorded by firewalls, generate and view standard and custom reports, and observe overall firewall status. For more information, see Reporting and Monitoring Tool on page 671.

Reporting and Monitoring Tool: Menu bar

The Menu bar on the Reporting and Monitoring Tool includes all of the menus and menu options for the Reporting and Monitoring Tool. There are some menu options that are shared by all of the Client Suite tools and there are others that are unique. To view the Reporting and Monitoring Tool menu information, see Reporting and Monitoring Tool menus on page 62.

Reporting and Monitoring Tool: Toolbar

The Reporting and Monitoring Tool has a Firewalls and Reports toolbar that provides options to access the tabs, fields, buttons, and windows that you use to manage alerts and generate firewall-specific and audit log reports. For more information, see Reporting and Monitoring Tool toolbars on page 73.

Reporting and Monitoring Tool: Page area

Use the page area to display or close tool-specific pages.
For the Reporting and Monitoring Tool, the following pages can be displayed:
• Start Page
• Firewall Status
• Alert Browser
• Audit Trail
• Secure Alerts Server Status

Reporting and Monitoring Tool: Work area

Use this area to view the data that is associated with tabs or pages.

Reporting and Monitoring Tool: Docking pin

Use the docking pin to hide the toolbar. By hiding the toolbar, you can have more visible area in the main screen when you are viewing one of the tabs. When the pin is undocked, you can access the toolbar by moving the mouse over the Object Configuration tab on the upper left side of the main window.
Reporting and Monitoring Tool: Status bar

Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management Server.
• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged into for each user who is currently logged into this domain of the Management Server. A message is displayed to all other users who are currently running a specific tool when another user logs in or out of the Management Server. The status bar will be updated accordingly.
• Date/Time — [Read-only] Displays the current date and time.
• License Status — [Read-only] Displays the license status of the Management Server. To view your license configuration from any tool in the Client Suite, move the pointer over the license icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the shortest license and the accumulated licenses for each firewall in your configuration. For more complete information about the status of the licensing, open the Administration Tool and select License… from the System menu. One of the following icons will be displayed:
  • Valid license — Indicates that the program is fully licensed. For more information, see Licensing the Control Center Management Server on page 104.
  • Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.
  • Evaluation version — Indicates that this program is an evaluation license. The evaluation license may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the evaluation license is within five (5) days of its expiration, the number of days that remain in the evaluation is displayed in the current status area, which is located in the lower right corner of the status bar in each tool of the Client Suite.
Software Updates Tool main window

Use the following areas of the Software Updates Tool to manage the software updates functions associated with operating the Control Center. For more information, see Software Updates Tool on page 691.

Software Updates Tool: Menu bar

The Menu bar on the Software Updates Tool includes all of the menus and menu options for the Software Updates Tool. There are some menu options that are shared by all of the Client Suite tools and there are others that are unique. To view the Software Updates Tool menu information, see Software Updates Tool menus on page 66.

Software Updates Tool: Toolbar

The Software Updates Tool has the Action toolbar that is used to access the main page options that are available in the work area and an options toolbar that is associated with each main page. For more information, see Customizing a toolbar on page 70.

Software Updates Tool: Page area

Use the page area to display or close tool-specific pages. For the Software Updates Tool, the following pages can be displayed:
• Start Page
• Install Updates page
• Store Updates page
• Firewall Configuration Backup page
Software Updates Tool: Work area

Use this area to view the data that is associated with tabs or pages.

Software Updates Tool: Status bar

Use the status bar to view the following information:
• Management Server — [Read-only] Displays the name and connection status of the Management Server.
• Users — [Read-only] Displays the name, IP address, and number of tools that the user is currently logged into for each user who is currently logged into this domain of the Management Server. A message is displayed to all other users who are currently running a specific tool when another user logs in or out of the Management Server. The status bar will be updated accordingly.
• Date/Time — [Read-only] Displays the current date and time.
• License Status — [Read-only] Displays the license status of the Management Server. To view your license configuration from any tool in the Client Suite, move the pointer over the license icon that is located in the lower right corner of the status line. A ToolTip displays the duration of the shortest license and the accumulated licenses for each firewall in your configuration. For more complete information about the status of the licensing, open the Administration Tool and select License… from the System menu. One of the following icons will be displayed:
  • Valid license — Indicates that the program is fully licensed. For more information, see Licensing the Control Center Management Server on page 104.
  • Demo version — Indicates that the program is a demo version and it cannot connect to a firewall.
  • Evaluation version — Indicates that this program is an evaluation license. The evaluation license may be restricted to managing a limited number of firewalls for 30, 60, or 90 days.
    When the evaluation license is within five (5) days of its expiration, the number of days that remain in the evaluation is displayed in the current status area, which is located in the lower right corner of the status bar in each tool of the Client Suite.

Administration Tool menus

The following menus are available in the Administration Tool:
• File — Administration Tool: File menu on page 50
• View — Administration Tool: View menu on page 51
• Users — Administration Tool: Users menu on page 51
• Roles — Administration Tool: Roles menu on page 51
• Configuration Domains — Administration Tool: Configuration Domains menu on page 52
• Audit Trail — Administration Tool: Audit Trail menu on page 52
• System — Administration Tool: System menu on page 53
• Tools — Administration Tool: Tools menu on page 54
• Window — Administration Tool: Window menu on page 55
• Help — Administration Tool: Help menu on page 55

Administration Tool: File menu

Select Exit in the File menu to close the Administration Tool.
Administration Tool: View menu

Use the View menu options on the Administration Tool to manage the areas that are displayed (or hidden) on the main window. To show each area, make sure that the menu option is selected. To close or hide the area, clear the checkbox or click X on the page or area to close it. This menu has the following options:

• Users and Roles — Displays or closes the Users and Roles Object Configuration area. This area displays user, role, and configuration domain objects in a tree.
• Start Page — Displays the Start Page (the McAfee Firewall Enterprise Control Center home page) if it has been previously closed.

Administration Tool: Users menu

Use the Users menu options on the Administration Tool to manage Control Center users. Control Center users are defined as the users who are permitted to log into the various tools in the Control Center Client Suite. For more information, see Control Center users on page 81. To edit, copy, or delete a user, highlight the user in the tree and then select the respective menu option.

Note: Control Center users should not be confused with the users who are configured to access firewalls. Control Center users are the users who have access to the tools in the Control Center Client Suite.

This menu has the following options:

• Add User… — Displays the Control Center User Manager window, in which you can add a Control Center user. For more information, see Configuring Control Center users on page 82.
• Modify User… — Displays the Control Center User Manager window, in which you can modify the attributes of an existing user. Highlight the user in the tree and select this menu option. Edit the information and click OK.
• Copy User… — Displays the Control Center User Manager window, in which you can use an existing user as the basis of a new user definition. Highlight the user in the tree and select this menu option. Edit the attributes of this copy that you want to be unique and click OK.
• Change Password… — [Available only if internal authentication is being used, which is configured on the Control Center Authentication Configuration window] Displays the Change User Password window, in which you can change the current user’s password. For more information, see Changing user passwords on page 88.
• Remove User(s) — Delete the highlighted user or users.

Administration Tool: Roles menu

Use the Roles menu options on the Administration Tool to manage the roles that are assigned to Control Center users. Roles are created to limit or allow users to perform specific actions or administration-specific activities for specified objects. For more information, see Control Center roles on page 89. To edit, copy, or delete a role, highlight the role in the tree and then select the respective menu option. This menu has the following options:

• Add Role… — Displays the Control Center Role Manager window, in which you can add a Control Center role. For more information, see Managing roles for Control Center users on page 90.
• Modify Role… — Displays the Control Center Role Manager window, in which you can modify the attributes of an existing role. Highlight the role in the tree and select this menu option. Edit the information and click OK.
• Copy Role… — Displays the Control Center Role Manager window, in which you can use an existing role as the basis of a new role definition. Highlight the role in the tree and select this menu option. Edit the attributes of this copy that you want to be unique and click OK.
• Remove Role(s) — Delete the highlighted role or roles.
Administration Tool: Configuration Domains menu

Use the Configuration Domains menu on the Administration Tool to activate and manage configuration domains, and to create and manage configuration versions for configuration domains. For more information about configuration domains, see Configuration domains on page 92. For more information about configuration domain versions and version management, see Configuration domain version management on page 97. To edit, copy, or delete a configuration domain, highlight the configuration domain in the tree and then select the respective menu option. This menu has the following options:

• Add Domain… — Displays the Configuration Domain Manager window, in which you can add a Control Center configuration domain. For more information, see Configuring configuration domains on page 95. If configuration domains have not been previously activated, adding a second configuration domain (in addition to the pre-defined Default domain) will activate the configuration domain option. To better understand the implications of activating configuration domains, see Configuration domains on page 92.
• Modify Domain… — Displays the Configuration Domain Manager window, in which you can modify the attributes of an existing configuration domain. Highlight the configuration domain in the tree and select this menu option. Edit the information and click OK.
• Remove Domain — Delete the highlighted domain and all associated data from the database for this domain.

  Caution: Deleting a configuration domain cannot be undone. If a configuration domain is deleted, only a previously saved backup of the entire Management Server configuration data can restore the data. This action restores the configuration data for all of the configuration domains to the conditions that existed when the backup was made.
• Manage Versions — [Available only when configuration domains have been activated] Displays the Manage Configuration Domain Versions window, in which you can add, edit, delete, or activate a configuration version. Highlight the configuration domain in the tree (or the Default configuration domain if configuration domains have not been activated) and select this menu option. Edit the information and click OK. For more information about version management, see Configuration domain version management on page 97.

Administration Tool: Audit Trail menu

Use the Audit Trail menu on the Administration Tool to manage the content of the McAfee Firewall Enterprise Control Center user audit report and view the resulting report. For more information, see Audit data management on page 100. This menu has the following options:

• Manage Audit Trail — Displays the Audit Tracking and Archive Management window, in which you can select the settings to be updated in, added to, or removed from the audit trail report. Additionally, you can determine whether this data is to be archived and the way in which it is formatted. For more information, see Managing audit trail information on page 101.
• View Audit Trail — Displays the Audit Trail page in the work area, in which you can view the audit report information that is recorded according to the settings that were defined in the Audit Tracking and Archive Management window. For more information, see Viewing audit trail information on page 615.
Administration Tool: System menu

Use the System menu on the Administration Tool to manage various options for the Control Center. You can manage the following entities:

• Control Center licenses (License option)
• Universal system settings (System Settings option) by accessing the options that are used to set these settings
• Authentication strategy (Authentication option)
• Status of all of the Management Servers when you are using the Control Center High Availability (HA) Management Server option (Backup Server Status option)
• System backup and restore commands (Backup System option and Restore System option)

This menu has the following options:

• License… — Displays the License Management window, in which you can manage the Control Center license. For more information, see Control Center Management Server licensing on page 104. The current status of the license is displayed in the status bar at the lower-right corner of each tool in the Client Suite. Hold the mouse over the license to view a ToolTip that displays the license information. The following versions are available:
  • Valid license — Indicates that the program is fully licensed. For more information about licensing, see Licensing the Control Center Management Server on page 104.
  • Demo version — Indicates that the program is a demo version and it will not be able to connect to a firewall.
  • Evaluation version — Indicates that this program is an evaluation license. The evaluation license may be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the evaluation license is within five (5) days of its expiration, the number of days that remain in the evaluation are displayed in the current status area, which is located in the lower right corner of the status bar in each tool of the Client Suite.
• Network Settings… — Displays the Network Settings window, in which you can view and edit Control Center settings, such as host name, servers (NTP, DNS, and mail), network interfaces (IP address, netmask, broadcast, and gateway) and static routes. For more information, see Configuring Control Center network settings on page 115.
• System Settings… — Displays the System Settings window, in which you can set system-wide settings for the disclaimer, user lockout, and default application lockout options. For more information, see Configuring system settings on page 121.
• ePolicy Orchestrator settings… — Displays the ePolicy Orchestrator Settings window, in which you can configure the Control Center to communicate with the ePolicy Orchestrator (ePO) server. Use this communication to share data about host objects (displayed on the Control Center), firewalls (displayed on ePO), and the Control Center Management Server (displayed on ePO). To use this communication, you must also configure an ePO user in this window. For more information, see Configuring access to the ePolicy Orchestrator server on page 132.
• Server Property Editor… — Displays the Server Property Editor window, in which you can display and edit Control Center Management Server properties and add new properties. For more information, see Configuring Management Server properties on page 664.
• Start Ticket… or Stop Ticket… — The menu option that you see depends on whether a ticket has been started. If no ticket has been started, the Start Ticket menu option is displayed. If a ticket has already been started, the Stop Ticket menu option is displayed. When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the ticket. A ticket is used to identify specific changes that have been made to the firewall. For more information, see Configuring change tickets on page 103.
• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center Management Server logs. For more information, see Viewing Management Server logs on page 663.
• Authentication… — Displays the Control Center Authentication Configuration window, in which you can define your authentication strategy. For more information, see Authentication on page 145.
• Common License Information… — Displays the Common License Information window, in which you can manage Control Center common license information. For more information, see Managing Control Center licenses on page 106.
• Backup Server Status… — Displays the Backup Server Status page in the work area, in which you can view the current status of each Management Server that is installed in your configuration if the High Availability (HA) Management Server Configuration is configured for your organization. For more information about HA, see High Availability (HA) on page 136. For more information about this window, see Viewing the status of your backup Management Servers on page 122.
• Backup System… — Displays the Backup Control Center System window, in which you can save a backup file of the Management Server. For more information, see Creating backup files of your Management Server data by using the GUI on page 123.
• Restore System… — Displays the Restore System from Backup window, in which you can restore the system from a backup file of the Management Server. For more information, see Restoring the Management Server configuration files from a backup file on page 126.
• Set Server Date and Time… — Displays the Set Server Date and Time window, in which you can set the Management Server date and time. For more information, see Setting the date and time on the Management Server on page 131.
• Change Password… — [Available only if internal authentication is being used, which is configured on the Control Center Authentication Configuration window] Displays the Change User Password window, in which you can change the current user’s password. For more information, see Changing user passwords on page 88.
• Restart Server… — Displays the Restart Server window, in which you can restart the Management Server. For more information, see Restarting the Management Server on page 131.

  Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request.

• Halt Server… — Stops the Management Server and exits the application. Click Yes to confirm or No to cancel the action.
• High Availability Setup Wizard… or High Availability Removal Wizard… — Displays either the High Availability Setup Wizard or the High Availability Removal Wizard, depending on your menu selection. Use these wizards to establish or remove the High Availability (HA) Management Server configuration. For more information about these wizards, see Configuring the High Availability (HA) feature on page 140 and Removing the High Availability (HA) configuration feature on page 143.

Administration Tool: Tools menu

Use the menu options on the Tools menu of any tool to launch another tool using the same user name, password, and Management Server that you are currently using. You cannot log into the same tool more than once from a single client. This menu has the following options:

• Configuration Tool… — Displays the Configuration Tool, in which you can configure the firewall, manage multiple firewalls, and implement and enforce security policies across those firewalls. For more information, see Configuration Tool on page 153.
• Reporting and Monitoring Tool… — Displays the Reporting and Monitoring Tool, in which you can centrally monitor the status of supported firewalls and generate a wide range of firewall-specific reports. For more information, see Reporting and Monitoring Tool on page 671.
• Software Updates Tool… — Displays the Software Updates Tool, in which you can store, manage, and install software and firmware updates for all deployed firewalls and install Management Server software updates. For more information, see Software Updates Tool on page 691.

Administration Tool: Window menu

Use the menu options on the Window menu to control the layout of objects and components in the Control Center user interface. This menu has the following options:

• Refresh — Refresh the window.
• Restore Docking State — Restore the default docking state of the toolbar and the Objects Details page (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.
• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.
• Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is selected.
• Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is selected.
• MDI Tabbed — Determines whether pages are displayed as windows or tabs that are docked in the rules pane. The default value is selected. When you clear this checkbox, rules pages appear as undocked document windows; they can be cascaded or tiled by using the Cascade, Tile Horizontal, and Tile Vertical menu options, respectively. You can also select the page that is displayed in the work area.

Administration Tool: Help menu

Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons that are associated with each window. You can also obtain additional information about the services and features options that are associated with each tool, and background information for specific concepts that are associated with using or operating the Control Center. This menu has the following options:

• Contents — Displays a complete list of the main topics of the Control Center help system. Click a main help topic to display the complete subtopic list.
• Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular entry in the index.
• Search — Searches the Control Center help system for a topic or matching words that you provide.
• About — Displays the licensing text, versions, and timestamp of the date and time at which the Client Suite, Management Server, and database were built.
Configuration Tool menus

The following menus are available in the Configuration Tool:

• File — Configuration Tool: File menu on page 56
• View — Configuration Tool: View menu on page 56
• Configuration — Configuration Tool: Configuration menu on page 57
• System — Configuration Tool: System menu on page 58
• Reports — Configuration Tool: Reports menu on page 59
• Tools — Configuration Tool: Tools menu on page 60
• Rules — Configuration Tool: Rules menu on page 60
• Window — Configuration Tool: Window menu on page 61
• Help — Configuration Tool: Help menu on page 62

Configuration Tool: File menu

As in all of the other tools, you can select Exit in the File menu to close the Configuration Tool. However, when the Rules page is displayed, the following additional options are available:

• Switch Domain… — [Available only when configuration domains are enabled] Displays the Switch Domain window, in which you can select the domain that you want to access without having to log out and then back in again.
• Export — [Available only when the Rules page is displayed] Displays the Export Rules File window, in which you can specify a name and path for the tab-delimited rules file that you want to save.
• Print Preview — [Available only when the Rules page is displayed] Displays the Print Preview window, in which you can view the rules in a preview state, ready to be printed. You can also change the print preview format to display one, two, three, four, or six pages on one print-ready page.
• Print — [Available only when the Rules page is displayed] Print the rules on the Rules page.

  Note: To change the format of the printed pages, first go to the Print Preview window and change the display before selecting this option.
Configuration Tool: View menu

Use the View menu options on the Configuration Tool to access pages in the work area, to access the various configurable objects in the Objects toolbar, and to hide or display various toolbars that accompany the user interface. To show each area, make sure that the menu option is selected. To close or hide the area, clear the checkbox or click X on the page or area to close it. This menu has the following options:

• Rules — Displays the Rules page in the work area, in which you can view a complete list of the rules that have been defined on your system. For more information, see Creating, viewing, or modifying rules on page 528.
• IPS Attack Responses — Displays the IPS Attack Responses page in the work area, in which you can view a complete list of the IPS attack responses that have been defined on your system. For more information, see Viewing IPS attack responses on page 608.
• System Responses — Displays the System Responses page in the work area, in which you can view a complete list of the system responses that have been defined on your system. For more information, see Viewing system responses on page 612.
• Alert Processing Rules — Displays the Alert Processing Rules page in the work area, in which you can view all of the alert processing rules that are currently available. For more information, see Viewing alert processing rules on page 564.
• URL Translation Rules — Displays the URL Translation Rules page in the work area, in which you can view a complete list of the URL translation rules that have been defined on your system.
• Start Page — Displays the Start Page (the Control Center home page) if it has been previously closed.
• Remote Certificates — Displays the Remote Certificates page, in which you can manage remote certificates. For more information, see Managing remote certificates on page 523.
• Objects — Either hide or display the Object Configuration area.
• Object Details — Either hide or display the Object Details page.
• Toolbars — Either hide or display the page-specific toolbars in the toolbar.

Configuration Tool: Configuration menu

Use the Configuration menu on the Configuration Tool to validate and apply configuration changes to supported firewalls, lock objects to prevent multiple operators from making simultaneous changes to the same objects, back up an individual firewall configuration, and apply user-defined sorting views to simplify managing multiple firewalls. This menu has the following options:

• Duplicate Rules Wizard — Start the Duplicate Rule Wizard, in which you can analyze your rule set and delete duplicate rules. For more information, see Deleting duplicate rules on page 556.
• Merge Rules Wizard — Start the Merge Rules Wizard, in which you can analyze your rule set and combine rules that have common elements. For more information, see Merging rules with common elements on page 552.
• Merge Objects Wizard — Start the Merge Objects Wizard, in which you can analyze your network objects and services and combine those objects that have common elements. For more information, see Merging objects on page 652.
• Apply Configurations... — Displays the Apply Configurations window, in which you can propagate configurations from the Control Center database to the managed firewalls. When you apply the configuration, configuration information is sent to the selected target firewalls. The following events can then occur:
  • Data on the firewall is transformed and implemented.
  • Firewall components are restarted as needed.
  • The results of this “apply” are reported back to the Control Center.
  For more information, see Applying firewall configurations on page 589.
• Validate Configurations... — Displays the Validate Configuration window, in which you can ensure that the firewall configurations that are stored on the Management Server are valid. You can also use this window to view the differences between the current configuration and the proposed configuration of a firewall. For more information, see Policy objects on page 333.
• Locking Manager... — Displays the Locking Manager window, in which you can lock selected objects of a given type (for example, address ranges, networks, rules) so that other Control Center users cannot simultaneously add, modify, or delete those types of objects. Multiple Control Center users can be logged onto the same Management Server by using multiple Client Suite clients. This means that, at any given time, multiple users can be making simultaneous changes. The lock includes all existing objects, as well as new objects that you create. You can, for example, specify to lock network objects, which is defined by selecting the Networks checkbox in this window. For more information, see Locking configuration objects on page 649.
• Priority Mappings... — Displays the Priority Mappings window, in which you can define the alert priority that is associated with predefined and custom alerts. For more information, see Assigning priority levels to alerts on page 567.
• VPN Wizard... — Starts the VPN Wizard, in which you can create mesh, star, and remote (road warrior) VPN channels. For more information, see Creating VPN channels on page 475.
• SSH Known Hosts... — Displays the SSH Known Hosts window, in which you can manage the database of SSH known host keys. For more information, see Configuring strong known host associations on page 569.

Configuration Tool: System menu

Use the System menu on the Configuration Tool to access the following options:

• Firewall Sorting... — Displays the Firewall Sorting Manager window, in which you can provide a user-defined view of the firewalls that are configured for your operation. You can select the firewall characteristics and the order of consideration for those characteristics to determine the way in which the firewalls are displayed. The sort characteristics that are available include: Type (type of firewall), Location (uses the user-defined location information), Contact (uses the user-defined contact information associated with a firewall), and any user-defined category/value pair. For more information, see Reviewing your configured firewalls on page 594.
• Startup Options... — Displays the Startup Options window, in which you can configure the appearance of the Configuration Tool when it is opened. You can configure the windows to initially load when the tool is opened. There is also an optional feature to open the tool with the configuration that existed when the tool was closed.
• Start Ticket or Stop Ticket — The menu option that you see depends on whether a ticket has been started. If no ticket has been started, the Start Ticket menu option is displayed. If a ticket has already been started, the Stop Ticket menu option is displayed. When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the ticket. A ticket is used to identify specific changes that have been made to the firewall. For more information, see Configuring change tickets on page 103. When you select Stop Ticket, no window is displayed. However, the change ticket is closed.
• Device Control... — Displays the Device Control window, in which you can manage firewalls. You can initiate various shutdown or suspend states for selected firewalls. For more information, see Managing firewall shutdown and suspension states and other maintenance settings on page 656.
• Compliance Report Settings... — Displays the Compliance Report Settings window, in which you can enable and configure compliance reports. Compliance Reports are viewed and managed on the Compliance Report page. For more information, see Configuring compliance report settings on page 596.
• Firewall Configuration Backup... — Displays the Firewall Configuration Backup page, in which you can create and restore configuration backups for selected firewalls installed in your configuration. You can also access this page from the Software Updates Tool and from the Configuration Tool. For more information, see Backing up and restoring firewall configurations on page 704.
• License Firewall... — Displays the Firewall License window, in which you can specify and manage firewall product licenses. For more information, see Viewing and managing firewall licenses on page 658.
• Backup System... — Displays the Backup Control Center System window, in which you can create a new backup file of the Control Center Management Server data or replace an existing backup file. For more information, see Creating backup files of your Management Server data by using the GUI on page 123.
• Restore System... — Displays the Restore System from Backup window, in which you can restore a previously saved system backup file to the Management Server. For more information, see Restoring the Management Server configuration files from a backup file on page 126.
• Server Property Editor… — Displays the Server Property Editor window, in which you can modify properties that are associated with the Management Server. For more information, see Configuring Management Server properties on page 664.
• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center Management Server logs. For more information, see Viewing Management Server logs on page 663.
• Set Server Date and Time… — Displays the Set Server Date and Time window, in which you can set the date and time on the Management Server. For more information, see Setting the date and time on the Management Server on page 131.
• Change Password… — [Available only if internal authentication is being used, which is configured on the Control Center Authentication Configuration window] Displays the Change User Password window, in which you can change the current user’s password. For more information, see Changing user passwords on page 88.
• Restart Server… — Displays the Restart Server window, in which you can restart the Management Server. For more information, see Restarting the Management Server on page 131.
• Halt Server… — Displays a warning message, asking whether you want to continue with this action to stop the Management Server. Click Yes to continue with the restart or No to cancel this action.

Configuration Tool: Reports menu

Use the Reports menu on the Configuration Tool to access firewall status information, view configuration and validation reports, and access the Control Center audit trail report. This menu has the following options:

• Firewall Status — Displays the Firewall Status page, in which you can view a status summary of the firewalls that are configured for your operation. You can also use this page to quickly determine the status information about the operation of each firewall in your configuration. For more information, see Viewing the overall status of your firewalls on page 574.
• Configuration Status — Displays the Configuration Status Report page, in which you can view information about the propagation of configuration data from the Control Center database to each selected firewall. When the Configuration Status Report page is displayed, the propagation status is refreshed every 15 seconds. For more information, see Firewall configuration management on page 574.
• Validation Status — Displays the Validation Status Report page, in which you can view the status of the validation process for each of the firewall configurations in the Control Center database. You can also view the differences between the current configuration and the proposed configuration of a firewall. When this report is displayed, the validation status is refreshed every 15 seconds. For more information, see Firewall configuration management on page 574.
• Compliance Status — Displays the Compliance Report page, in which you can view all of the managed firewalls and status information for all of the firewalls in your configuration that are managed with the Control Center. For more information, see Configuring compliance report settings on page 596.
• Audit Trail... — Displays the Audit Trail page, in which you can list, filter, preview, and print the audit trail data. This page is read-only. For more information, see Viewing audit trail information on page 615.
• Deployment Status — Displays the Deployment Status Report page, in which you can view the status of the enrollment for a specific firewall. For more information, see Viewing your firewall enrollment (deployment) status on page 598.
• McAfee Firewall Reporter — Displays the McAfee Firewall Reporter application, in which you can view, analyze, and manage raw data from a firewall.

  Note: When you select this menu option the first time, the McAfee Firewall Reporter Settings window is displayed, in which you specify the McAfee Firewall Reporter server address and management port. After you configure these settings, the application displays on the McAfee Firewall Reporter page. For more information, see Viewing real-time Web data for your network on page 600.
McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 59
• System Information — Displays the System Information page, in which you can categorize Management Server information and associated values. Information categories include: IP address, memory capacities, software release, machine type, operating system, processor information, and the current system time. For more information, see Displaying system information for the Control Center Management Server on page 638.
• Unused Objects — Displays the Unused Objects page, in which you can retrieve a list of all of the unused objects to which you have access in this configuration domain. You can also double-click an object to edit it or you can delete it. For more information, see Managing unused objects on the Control Center Management Server on page 651.

Configuration Tool: Tools menu

Use the menu options on the Tools menu of any tool to launch another tool using the same user name, password, and Management Server that you are currently using. You cannot log into the same tool more than once from a single client. This menu has the following options:
• Administration Tool — Displays the Administration Tool, in which you can manage McAfee Firewall Enterprise Control Center users and roles, configuration domains, audit trail, licensing, and backup and restore operations. For more information, see Administration Tool on page 79.
• Reporting and Monitoring Tool — Displays the Reporting and Monitoring Tool, in which you can centrally monitor the status of supported firewalls and generate a wide range of firewall-specific reports. For more information, see Reporting and Monitoring Tool on page 671.
• Software Updates Tool — Displays the Software Updates Tool, in which you can store, manage, and install software and firmware updates for all deployed firewalls and install Management Server software updates. For more information, see Software Updates Tool on page 691.

Configuration Tool: Rules menu

Use the Rules menu on the Configuration Tool to access the controls used to manage individual rules when the Rules page or the URL Translation Rules page is displayed in the work area. The menu that is displayed depends on the page that is currently displayed.
• Rules page menu options
• URL Translation Rules page options

Rules page menu options

This menu has the following options when the Rules page is displayed:
• Add New Rule — Displays the Rule Editor window, in which you can create a new rule. For more information, see Configuring rules on page 533.
• Edit Rule — Displays the Rule Editor window, in which you can edit an existing rule. For more information, see Configuring rules on page 533.
• Delete Rule — Delete the highlighted rule.
• Delete Rules… — Displays the Rules Removal window, in which you can specify multiple rules and sets of rules to be deleted. Specify a range as the beginning and ending rule, separated by a hyphen (-). Separate each range of rules or individual rules with a comma (,).
• Cut Rule — Cut (or move) the highlighted rule.
• Paste Rule — Paste a rule in the location of the insertion point.
• Copy Rule — Create a copy of the highlighted rule.
• Replace Rule Objects… — Displays the Replace Rule Objects window, in which you can specify an object type that is currently in a rule to be replaced by another type.
• Move To Top — Move the highlighted rule to the top of the page.
• Move Up — Move the highlighted rule up one position on the page.
• Move Down — Move the highlighted rule down one position on the page.
• Move To Bottom — Move the highlighted rule to the bottom of the page.
• Move Above Rule… — Move the highlighted rule above a specific rule.
• Move Below Rule… — Move the highlighted rule below a specific rule.
• Filter Rules — Displays the Rules Filter Selection window, in which you can specify the filter criteria that are used to display subsets of rules. After you define your filter criteria and click OK, the rules that match the filter requirements are displayed in the Rules page. Additionally, (Filter Off) is available as a menu option on the Rules menu of the Configuration Tool. Select the menu option to cancel the filtered view and to return to a view of all of the rules on the Rules page. For more information, see Filtering rules to display on the Rules page on page 545.
• Manage Filters — Displays the Manage Filters window, in which you can load and manage previously named filters that are used to display only those rules that meet the filter requirements. For more information, see Loading and managing previously saved rule filters on page 549.
• Quick Filter — Displays the Quick Filter window, in which you can view only those rules that have been defined for the selected firewalls on the Rules page. For more information, see Displaying filtered rules on the Rules page on page 550.
• Default Rule Settings… — Displays the Default Rule Settings window, in which you can define some of the default settings when new rules are created. For more information, see Configuring default settings for creating rules on page 540.
• Create Group — Displays the Rules Group window, in which you can create groups of rules. For more information, see Configuring groups of rules on page 551.
• Configure Columns — Displays the Rules Display Columns window, in which you can specify the columns to display on the Rules page. For more information, see Configuring columns to display on the Rules page on page 532.

URL Translation Rules page options

This menu has the following options when the URL Translation Rules page is displayed in the work area:
• Add New Rule — Displays the URL Translation Rules Editor window, in which you can define a new URL translation rule. For more information, see Configuring URL translation rules on page 560.
• Edit Rule — Displays the URL Translation Rules Editor window, in which you can edit the highlighted URL translation rule. For more information, see Configuring URL translation rules on page 560.
• Copy Rule — Create a copy of the highlighted rule.
• Delete Rule — Delete the highlighted rule.
• Move Up — Move the highlighted rule up one position on the page.
• Move Down — Move the highlighted rule down one position on the page.

Configuration Tool: Window menu

Use the menu options on the Window menu to control the layout of objects and components in the Control Center user interface. This menu has the following options:
• Refresh — Refresh the window.
• Restore Docking State — Restore the default docking state of the toolbar and the Objects Details page (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.
• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.
• Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is selected.
• Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is selected.
• MDI Tabbed — Determines whether pages are displayed as windows or tabs that are docked in the rules pane. The default value is selected. When you clear this checkbox, rules pages appear as undocked document windows; they can be cascaded or tiled by using the Cascade, Tile Horizontal, and Tile Vertical menu options, respectively. You can also select the page that is displayed in the work area.

Configuration Tool: Help menu

Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons that are associated with each window. You can also obtain additional information about the services and features options that are associated with each tool, and background information for specific concepts that are associated with using or operating the Control Center. This menu has the following options:
• Contents — Displays a complete list of the main topics of the Control Center help system. Click a main help topic to display the complete subtopic list.
• Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular entry in the index.
• Search — Searches the Control Center help system for a topic or matching words that you provide.
• About — Displays the licensing text, versions, and timestamp of the date and time at which the Client Suite, Management Server, and database were built.
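The Rules Removal window in the Configuration Tool's Rules menu (described above) accepts a selection written as hyphenated ranges separated by commas, for example "1-3, 7, 10-12". Bulk deletion of firewall rules is an operation worth double-checking before it runs, so the following added example (not code from the guide or from the Control Center product) parses that selection syntax, rejects malformed, reversed or out-of-range items rather than silently deleting the wrong rules, and collapses the resulting rule numbers back into the same syntax for a confirmation prompt. The function names and the upper bound `max_rule` are assumptions of this example.

```python
import re
from typing import Iterable, List

# One item of a Rules Removal selection: a single rule number ("7")
# or an inclusive range ("10-12"). Whitespace around items is tolerated.
_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_rule_selection(spec: str, max_rule: int) -> List[int]:
    """Return the sorted, de-duplicated rule numbers named by `spec`.

    `max_rule` is the highest rule number on the Rules page (assumed to be
    known by the caller). Any item that is empty, malformed, reversed
    (end < start), zero, or beyond `max_rule` raises ValueError so that a
    typo never turns into an unintended deletion.
    """
    selected = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise ValueError(f"empty item in selection {spec!r}")
        match = _ITEM_RE.match(token)
        if not match:
            raise ValueError(f"malformed item {token!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if start < 1:
            raise ValueError(f"rule numbers start at 1, got {token!r}")
        if end < start:
            raise ValueError(f"reversed range {token!r}")
        if end > max_rule:
            raise ValueError(f"{token!r} exceeds last rule {max_rule}")
        selected.update(range(start, end + 1))
    return sorted(selected)


def _fmt_run(start: int, end: int) -> str:
    return str(start) if start == end else f"{start}-{end}"


def summarize_selection(rules: Iterable[int]) -> str:
    """Collapse rule numbers into 'a-b, c, d-e' form for a confirmation prompt."""
    parts = []
    start = prev = None
    for n in sorted(set(rules)):
        if start is None:
            start = prev = n
        elif n == prev + 1:
            prev = n
        else:
            parts.append(_fmt_run(start, prev))
            start = prev = n
    if start is not None:
        parts.append(_fmt_run(start, prev))
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed sample input: a Rules page with 20 rules and an operator
    # selection that overlaps and is out of order.
    rules = parse_rule_selection("10-12, 1-3, 7, 2", max_rule=20)
    print("Delete rules:", summarize_selection(rules))
```

The summary string is what an administrator should be shown (and asked to confirm) before the delete is submitted; because overlapping and duplicate items are merged, the prompt reflects exactly which rules will go.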
Reporting and Monitoring Tool menus

The following menus are available in the Reporting and Monitoring Tool:
• File — Reporting and Monitoring Tool: File menu on page 62
• System — Reporting and Monitoring Tool: System menu on page 63
• View — Reporting and Monitoring Tool: View menu on page 63
• Reports — Reporting and Monitoring Tool: Reports menu on page 64
• Tools — Reporting and Monitoring Tool: Tools menu on page 64
• Options — Reporting and Monitoring Tool: Options menu on page 64
• Window — Reporting and Monitoring Tool: Window menu on page 65
• Help — Reporting and Monitoring Tool: Help menu on page 66

Reporting and Monitoring Tool: File menu

Select Exit in the File menu to close the Reporting and Monitoring Tool. This menu also has the following option:
• Switch Domain… — [Available only when configuration domains are enabled] Displays the Switch Domain window, in which you can select the domain that you want to access without having to log out and then back in again.
Reporting and Monitoring Tool: System menu

Use the System menu on the Reporting and Monitoring Tool to manage server logs, set the server date and time and, if necessary, restart or stop the Management Server. This menu has the following options:
• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center Management Server logs. For more information, see Viewing Management Server logs on page 663.
• Set Server Date and Time… — Displays the Set Server Date and Time window, in which you can set the Management Server date and time. For more information, see Setting the date and time on the Management Server on page 131.
• Change Password… — [Available only if internal authentication is being used, which is configured on the Control Center Authentication Configuration window] Displays the Change User Password window, in which you can change the current user’s password. For more information, see Changing user passwords on page 88.
• Restart Server… — Displays the Restart Server window, in which you can restart the Management Server. For more information, see Restarting the Management Server on page 131.
  Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request.
• Halt Server… — Stop the Management Server and exit the application. Then click Yes to confirm or No to cancel the action.

Reporting and Monitoring Tool: View menu

Use the View menu on the Reporting and Monitoring Tool to manage the reporting options, management options, and features that are associated with managing alerts and generating firewall-specific reports and audit log reports. This menu has the following options:
• Alert Browser — Displays the Alert Browser page, in which you can view a summary of the alerts that have been generated by the configured firewalls. For more information, see Managing alerts on page 678. Use the Alert Browser page to quickly identify the alerts that are being generated by the configured firewalls, to acknowledge the alert, to annotate the corrective actions that are taken, to resolve the problem, and to clear the alert.
• Alarm Sound Mapping — Displays the Alarm Sound Mappings window, in which you can specify and map specific sound files to specific alarms. For more information, see Mapping sound files to alarms on page 676.
• Secure Alerts Servers — Displays the Secure Alerts Server page, in which you can view current and historical Secure Alerts Server status information. For more information, see Viewing Secure Alerts Server status information on page 687. This page is divided into the following panes:
  • Secure Alerts Server Status table on page 688 — The upper pane displays the current status of the Secure Alerts Servers.
  • Secure Alerts Service History table on page 689 — The lower pane displays the historical status of when the server was started and stopped.
• Start Page — Displays the Start Page (the Control Center home page) if it has been previously closed.
• Firewall Status — Displays the Firewall Status page, in which you can view a status summary of the firewalls that are configured for your operation. You can also use this page to quickly determine the status information about the operation of each firewall in your configuration. For more information, see Viewing the overall status of your firewalls on page 574.
• Firewalls and Reports — Displays or closes the Firewalls and Reports Object Configuration area. This area includes defined firewall objects and any report objects that have been generated during the current session.

Reporting and Monitoring Tool: Reports menu

Use the Reports menu on the Reporting and Monitoring Tool to select and run various reports that provide information about the Management Server (System Information), audit data (Audit Trail), and security policy (Policy). You can also access the McAfee Firewall Reporter. This menu has the following options:
• System Information — Displays the System Information page, in which you can categorize Management Server information and associated values. Information categories include: IP address, memory capacities, software release, machine type, operating system, processor information, and the current system time. For more information, see Displaying system information for the Control Center Management Server on page 638.
• Audit Trail — Displays the Audit Trail page, in which you can list, filter, preview, and print audit trail data that is displayed on this page in the work area. No information is changed when you use this page. For more information, see Audit trail on page 615.
• Policy — Displays the Policy Report window, in which you can view the security policy that is defined on a firewall. You can also schedule a firewall-dependent policy report on a one-time or recurrent basis. For more information, see Selecting the criteria for the firewall policy report on page 640.
• McAfee Firewall Reporter — Displays the McAfee Firewall Reporter page, in which you can view real-time Web data for your network. For more information, see Viewing real-time Web data for your network on page 600.

Reporting and Monitoring Tool: Tools menu

Use the menu options on the Tools menu of any tool to launch another tool using the same user name, password, and Management Server that you are currently using. You cannot log into the same tool more than once from a single client. This menu has the following options:
• Administration Tool — Displays the Administration Tool, in which you can manage Control Center users and roles, configuration domains, audit trail, licensing, and backup and restore operations. For more information, see Administration Tool on page 79.
• Configuration Tool — Displays the Configuration Tool, in which you can configure the firewall, manage multiple firewalls, and implement and enforce security policies across those firewalls. For more information, see Configuration Tool on page 153.
• Software Updates Tool — Displays the Software Updates Tool, in which you can store, manage, and install software and firmware updates for all deployed firewalls and install Management Server software updates. For more information, see Software Updates Tool on page 691.

Reporting and Monitoring Tool: Options menu

[Available only when the Alert Browser page is displayed in the work area] Use the menu options on the Options menu to manage and filter the displayed alerts, change the status condition of an alert (acknowledge or clear), and display and filter the events that are associated with one or more selected alerts. This menu has the following options:
• Columns — Displays the Column Selector window, in which you can specify the columns of alert data to be displayed on the Alert Browser page. For more information, see Configuring columns for the Alert Browser page on page 685.
• Filters — Displays the Alert Filter window, in which you can specify the alerts to be displayed on the Alert Browser. For more information, see Filtering the alerts to be displayed in the Alert Browser on page 686.
• Export Data — Displays the Export Alerts File window, in which you specify the destination for the exported data and the file name that is used for the exported data. The selected data is exported, in plain text format, to a local platform.
• Print — Displays the Print window, in which you can specify the printer name, the print range, and the number of copies of the selected alert data.
• Display Ack — Displays the alerts that have been acknowledged. By selecting this option, the Acknowledged checkbox is automatically selected in the Alert Filter window.
• Display Cleared — Displays the alerts that have been cleared. By selecting this option, the Cleared checkbox is automatically selected in the Alert Filter window.
• Display Open — Displays the alerts that have not been acknowledged. By selecting this option, the Open checkbox is automatically selected in the Alert Filter window.
• Annotate — Displays the Annotate window, in which you can record any comments about the associated alert.
• Ack — Displays the Annotate window, in which you can record any comments about the associated alert. By selecting this menu option, the acknowledgement checkbox for each selected alert is also selected. This is a one-time activity for each alert. If you select this option, you cannot clear the option. To view alerts that have been acknowledged, click (Display Ack) on the toolbar or select Display Ack from the Options menu. If an alert is acknowledged and more alerts of the same type on the same firewall occur, the alert count is incremented and (Acknowledge Alert) is displayed in the Alert Browser page.
• Clear — Clear the selected alerts. To view alerts that have been cleared, click (Display Cleared) on the toolbar or select Display Cleared from the Options menu. Cleared alerts will remain visible until they are removed from the system. A script is automatically run each night to remove the cleared alerts. You can configure the time at which this script runs.
• Jump — Displays the Jump To window, in which you can display the selected row number.
• Events — Displays the events that are associated with the selected alerts when one or more alerts is highlighted. To view the events that are associated with one alert, click the Row Number column (far-left column) to highlight the alert; to highlight more than one alert, press Ctrl+click or Shift+click. Then, display the Event Browser window by clicking (Events) or selecting Events from the Options menu.
• Preview Pane — Horizontally split the view display in half. The top half displays the detailed description of the selected alert and the bottom half displays the list of alerts.
• Alarm for Open — Display all of the events for Alarm Open only.
• Alarm for Ack — Display all of the events for Alarm Acknowledged only.
• Alert Update Summary — Display the Alert Update Summary for the selected event.

Reporting and Monitoring Tool: Window menu

Use the menu options on the Window menu to control the layout of objects and components in the Control Center user interface. This menu has the following options:
• Refresh — Refresh the window.
• Restore Docking State — Restore the default docking state of the toolbar and the Objects Details page (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.
• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.
• Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is selected.
• Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is selected.
• MDI Tabbed — Determines whether pages are displayed as windows or tabs that are docked in the rules pane. The default value is selected. When you clear this checkbox, rules pages appear as undocked document windows; they can be cascaded or tiled by using the Cascade, Tile Horizontal, and Tile Vertical menu options, respectively. You can also select the page that is displayed in the work area.

Reporting and Monitoring Tool: Help menu

Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons that are associated with each window. You can also obtain additional information about the services and features options that are associated with each tool, and background information for specific concepts that are associated with using or operating the Control Center. This menu has the following options:
• Contents — Displays a complete list of the main topics of the Control Center help system. Click a main help topic to display the complete subtopic list.
• Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular entry in the index.
• Search — Searches the Control Center help system for a topic or matching words that you provide.
• About — Displays the licensing text, versions, and timestamp of the date and time at which the Client Suite, Management Server, and database were built.

Software Updates Tool menus

The following menus are available in the Software Updates Tool:
• File — Software Updates Tool: File menu on page 66
• System — Software Updates Tool: System menu on page 67
• View — Software Updates Tool: View menu on page 67
• Operations — Software Updates Tool: Operations menu on page 68
• Tools — Software Updates Tool: Tools menu on page 69
• Window — Software Updates Tool: Window menu on page 69
• Help — Software Updates Tool: Help menu on page 69

Software Updates Tool: File menu

Select Exit in the File menu to close the Software Updates Tool. This menu also has the following option:
• Switch Domain… — [Available only when configuration domains are enabled] Displays the Switch Domain window, in which you can select the domain that you want to access without having to log out and then back in again.
Software Updates Tool: System menu

Use the System menu on the Software Updates Tool to manage server logs and, if necessary, to restart or stop the Management Server. This menu has the following options:
• Start Ticket… or Stop Ticket… — The menu option that you see depends on whether a ticket has been started. If no ticket has been started, the Start Ticket menu option is displayed. If a ticket has already been started, the Stop Ticket menu option is displayed. When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the ticket. A ticket is used to identify specific changes that have been made to the firewall. For more information, see Configuring change tickets on page 103. When you select Stop Ticket, no window is displayed. However, the change ticket is closed.
• Server Logs… — Displays the Server Logs window, in which you can manage the Control Center Management Server logs. For more information, see Viewing Management Server logs on page 663.
• Change Password… — [Available only if internal authentication is being used, which is configured on the Control Center Authentication Configuration window] Displays the Change User Password window, in which you can change the current user’s password. For more information, see Changing user passwords on page 88.
• Restart Server… — Displays the Restart Server window, in which you can restart the Management Server. For more information, see Restarting the Management Server on page 131.
  Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request.
• Halt Server… — Stop the Management Server and exit the application. Then click Yes to confirm or No to cancel the action.

Software Updates Tool: View menu

Use the View menu on the Software Updates Tool to manage the McAfee Firewall Enterprise Control Center software and firmware updates for supported firewalls. This menu has the following options:
• Start Page — Displays the Start Page (the Control Center home page) if it has been previously closed.
• Install Updates — Displays the Install Updates page, in which you can manage and install software updates on each supported firewall that is installed in your configuration. For more information, see Installing software and firmware updates on page 697.
• Firewall Configuration Backup — Displays the Firewall Configuration Backup page, in which you can create and restore configuration backups for selected firewalls that are installed in your configuration. For more information, see Backing up and restoring firewall configurations on page 704.
• Store Updates — Displays the Store Updates page, in which you can identify, store, and manage firewall software and firmware updates on the Management Server. For more information, see Installing software and firmware updates on page 697.
• Control Center Update — Displays the Control Center Update window, in which you can manage and install McAfee Firewall Enterprise Control Center Management Server software updates. For more information, see Downloading and applying Management Server updates on page 693.
• Update Settings — Displays the Update Settings window. You can configure the following functionality in this window:
  • Use a proxy server to download updates.
  • Use an auto-discovery process to identify and download available updates.
  For more information, see Configuring update download settings on page 692.
Software Updates Tool: Operations menu

[Available only when the Install Updates page or Store Updates page is active in the work area. Only the options that apply to the visible tab are displayed.] Use the Operations menu on the Software Updates Tool to access page-specific options and functions for the tab page that is currently displayed in the work area. When the Install Updates page is displayed, use the options on the Operations menu to update the selected firewalls, schedule firewalls for updates, clear the last update, and update the firewall status. When the Store Updates page is displayed, use the options on the Operations menu to check for new updates, download selected updates, restart the download process, manually download updates, and remove updates.

Operations menu for the Install Updates page

This menu has the following options when the Install Updates page is displayed in the work area:
• Update Firewalls — Perform the actions that you have specified on the firewalls that you have selected. You must have already selected an update action for all of the selected firewalls before you can select this tool or menu option. If you try to update a firewall with an update that has not been downloaded to the Management Server, the update will first be downloaded and saved on the Management Server. Then it will automatically be installed on the applicable selected firewalls.
  Note: You cannot initiate a new update on a firewall while it has an update in the “In Progress” state.
• Schedule Firewalls — Displays the Schedule Firewall Actions window, in which you can set a date and time to perform actions that are related to one or more firewalls. You can also remove a schedule. For more information, see Scheduling device software updates on page 703.
• Clear Last Update — Clear the values of the Last Update and Update Status fields from the table. However, this information is not cleared from the Update History data. Use this tool or menu option to clear field values when an update is stuck in the “In Progress” state.
• Update Firewall Status — Send a firewall status request to the selected firewalls. The resulting firewall status is displayed in a column on the left as an icon.
• Refresh Grid — Refresh the contents of the table on this page.

Operations menu for the Store Updates page

This menu has the following options when the Store Updates page is displayed in the work area:
• Check For Updates — Check for new updates from the defined auto-discovery location. For more information about configuring the auto-discovery settings, see Configuring update download settings on page 692.
• Download Updates — Download the associated update for each highlighted row from the location that is specified in the auto-discovery settings. For more information about configuring the auto-discovery settings, see Configuring update download settings on page 692.
• Restart Download — Restart the download process if a problem or failure occurs when an update package is being transferred from the location at which updates are stored to the Management Server.
• Remove Updates — Remove the associated update for each highlighted row from the Management Server. After an update has been removed from the Management Server, it will no longer be displayed in the Store Updates table unless you have selected the Show removed updates checkbox in the Update Settings window.
• Manual Download — Specify the way in which and the location to which an update is to be downloaded from a location other than the one that was specified in the auto-discovery settings. Use this option to acquire an update and store it on the Management Server when there is no access to the Secure Computing FTP location. For information about how to configure this option, see Manually downloading software updates on page 711.
• Refresh Grid — Refresh the contents of this page.
Software Updates Tool: Tools menu

Use the menu options on the Tools menu of any tool to launch another tool using the same user name, password, and Management Server that you are currently using. You cannot log into the same tool more than once from a single client. This menu has the following options:
• Administration Tool — Displays the Administration Tool, in which you can manage Control Center users and roles, configuration domains, audit trail, licensing, and backup and restore operations. For more information, see Administration Tool on page 79.
• Configuration Tool — Displays the Configuration Tool, in which you can configure the firewall, manage multiple firewalls, and implement and enforce security policies across those firewalls. For more information, see Configuration Tool on page 153.
• Reporting and Monitoring Tool — Displays the Reporting and Monitoring Tool, in which you can centrally monitor the status of supported firewalls and generate a wide range of firewall-specific reports. For more information, see Reporting and Monitoring Tool on page 671.

Software Updates Tool: Window menu

Use the menu options on the Window menu to control the layout of objects and components in the Control Center user interface. This menu has the following options:
• Refresh — Refresh the window.
• Restore Docking State — Restore the default docking state of the toolbar and the Objects Details page (if applicable for the specific tool). The layout of any open rules tab groups is unaffected by this command.
• Cascade — Cascade multiple document windows when MDI Tabbed is cleared.
• Tile Horizontal — Horizontally tile multiple document windows when MDI Tabbed is selected.
• Tile Vertical — Vertically tile multiple document windows when MDI Tabbed is selected.
• MDI Tabbed — Determines whether pages are displayed as windows or tabs that are docked in the rules pane. The default value is selected. When you clear this checkbox, rules pages appear as undocked document windows; they can be cascaded or tiled by using the Cascade, Tile Horizontal, and Tile Vertical menu options, respectively. You can also select the page that is displayed in the work area.

Software Updates Tool: Help menu

Use the menu options on the Help menu to obtain context-sensitive help for using the features and buttons that are associated with each window. You can also obtain additional information about the services and features options that are associated with each tool, and background information for specific concepts that are associated with using or operating the Control Center. This menu has the following options:
• Contents — Displays a complete list of the main topics of the Control Center help system. Click a main help topic to display the complete subtopic list.
• Index — Displays the full index for the Control Center help system. Specify a keyword to find a particular entry in the index.
• Search — Searches the Control Center help system for a topic or matching words that you provide.
• About — Displays the licensing text, versions, and timestamp of the date and time at which the Client Suite, Management Server, and database were built.
Customizing a toolbar

Use the Customize window to customize toolbars. To access the Customize window, right-click anywhere on the toolbar or on the Menu bar. You can add and remove buttons, create your own custom toolbars, hide or display toolbars, and move toolbars.

Create a custom toolbar

1 Right-click anywhere on a toolbar or on the Menu bar. A submenu is displayed. The content of the submenu varies according to the page that is displayed in the work area and the options that are associated with that page.
2 Select Customize. The Customize window is displayed.
3 Click New.
4 In the New Toolbar Name field, specify a name for the toolbar and click OK.
5 Click the Commands tab.
6 Do one of the following:
  To add a button to the toolbar:
  a Click a category in the Categories tree.
  b Drag the command that you want from the Commands list to the displayed toolbar.
  or
  To add a custom menu to the toolbar:
  a In the Categories tree, click Custom Menus.
  b Drag the menu that you want from the Commands list to the displayed toolbar.
7 When you have added all of the buttons and menus that you want to the new toolbar, click Close.

Administration Tool toolbars

The Administration Tool does not have a context-sensitive toolbar.

Configuration Tool toolbars

The Configuration Tool has several different toolbars, depending on the page that is displayed in the work area. However, the default toolbar is the Actions toolbar. These toolbars provide options to access the pages, controls, and windows that are used to manage features associated with the Configuration Tool. The following toolbars are available in the Configuration Tool:

• Actions toolbar
• Rule Options toolbar on page 72
• Alert Processing Rules Options toolbar on page 72
• System/Attack Responses toolbar on page 72
• URL Rules Options toolbar on page 73
Actions toolbar

The Actions toolbar has the basic set of tools for all of the pages that are displayed in the Configuration Tool. The following tools are displayed:

• (Apply Configurations…) — Displays the Apply Configurations window, in which you can apply configurations, or schedule an apply, to one or more firewalls. For more information, see Applying firewall configurations on page 589.
• (Validate Configurations…) — Displays the Validate Configuration window, in which you can verify that proposed configuration changes can be successfully applied to one or more firewalls. For more information, see Validating firewall configurations on page 586.
• (Configuration Status) — Displays the Configuration Status Report page, in which you can view information about the propagation of configuration data from the Control Center database to each selected firewall. For more information, see Firewall configuration management on page 574.
• (Validation Status) — Displays the Validation Status Report page, in which you can view the status of the validation process for each of the firewall configurations in the Control Center database and view the differences between the current configuration and the proposed configuration of a firewall. For more information, see Firewall configuration management on page 574.
• (Rules) — Displays the Rules page, in which you can view a complete list of the rules that have been defined on your system. For more information, see Creating, viewing, or modifying rules on page 528.
• (IPS Attack Responses) — Displays the IPS Attack Responses page, in which you can view a complete list of the IPS attack responses that have been defined on your system. For more information, see Viewing IPS attack responses on page 608.
• (System Responses) — Displays the System Responses page, in which you can view a complete list of the system responses that have been defined on your system. For more information, see Viewing system responses on page 612.
• (Audit Trail…) — Displays the Audit Trail page, in which you can view and analyze the McAfee Firewall Enterprise Control Center user activity that is stored in the audit trail tables in the Management Server database. For more information, see Viewing audit trail information on page 615.
• (Firewall Status) — Displays the Firewall Status page, in which you can view a status summary of the firewalls that are configured for your operation and quickly determine the operational status of each firewall in your configuration. For more information, see Viewing the overall status of your firewalls on page 574.
• (Firewall Configuration Backup…) — Displays the Firewall Configuration Backup page, in which you can create or restore backup configuration files for one or more firewalls. For more information, see Backing up and restoring firewall configurations on page 704.
• (Device Control…) — Displays the Device Control window, in which you can manage firewalls. You can initiate various shutdown or suspend states for selected firewalls. For more information, see Managing firewall shutdown and suspension states and other maintenance settings on page 656.
• (Locking Manager…) — Displays the Locking Manager window, in which you can lock or unlock objects of a particular type to prevent multiple users from accessing or changing the same objects. For more information, see Locking configuration objects on page 649.
• (Start Ticket) or (Stop Ticket) — The tool that you see depends on whether a ticket has been started: if no ticket has been started, the Start Ticket tool is displayed; if a ticket has already been started, the Stop Ticket tool is displayed. When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the ticket. A ticket is used to identify specific changes that have been made to the firewall. For more information, see Configuring change tickets on page 103. When you select Stop Ticket, no window is displayed, but the change ticket is closed.
Rule Options toolbar

The Rule Options toolbar is displayed when the Rules page is displayed in the work area of the Configuration Tool. In addition to the tools in the Actions toolbar, this toolbar has the following tools:

• (Add New Rule) — Displays the Rule Editor window, in which you can create a new rule. For more information, see Creating, viewing, or modifying rules on page 528.
• (Edit Rule) — Displays the Rule Editor window, in which you can edit an existing rule. For more information, see Configuring rules on page 533.
• (Delete Rule) — Delete the highlighted rule.
• (Delete Rules…) — Displays the Rules Removal window, in which you can specify multiple rules and sets of rules to be deleted. Specify a range as the beginning and ending rule numbers, separated by a hyphen (-). Separate each range of rules or individual rule with a comma (,).
• (Cut Rule) — Cut (or move) the highlighted rule.
• (Paste Rule) — Paste a rule at the location of the insertion point.
• (Copy Rule) — Create a copy of the highlighted rule.
• (Move To Top) — Move the highlighted rule to the top of the page.
• (Move Up) — Move the highlighted rule up one position on the page.
• (Move Down) — Move the highlighted rule down one position on the page.
• (Move To Bottom) — Move the highlighted rule to the bottom of the page.
• (Manage Filters) — Displays the Manage Filters window, in which you can load and manage previously named filters that are used to display only those rules that meet the filter requirements. For more information, see Loading and managing previously saved rule filters on page 549.
• (Create Group) — Displays the Rules Group window, in which you can create groups of rules. For more information, see Configuring groups of rules on page 551.
• (Configure Columns) — Displays the Rules Display Columns window, in which you can specify the columns to display on the Rules page. For more information, see Configuring columns to display on the Rules page on page 532.

Alert Processing Rules Options toolbar

The Alert Processing Rules Options toolbar is displayed when the Alert Processing Rules page is displayed in the work area of the Configuration Tool. This toolbar has the following tools:

• (Activate New Alert Policy) — Send the alert rule set to the Control Center Management Server, which will momentarily reload the new rule set.
• (Edit Rule) — Displays the Alert Processing Rule window, in which you can edit an existing rule. For more information, see Modifying pre-defined alert processing rules on page 565.

System/Attack Responses toolbar

The System/Attack Responses toolbar is displayed when either the System Responses page or the IPS Attack Responses page is displayed in the work area. This toolbar has the following tools:

• (Save Pending Changes) — Save changes that were made to the highlighted response during an editing session.
• (Clear Pending Changes) — Undo changes that were made to the highlighted response during an editing session.
• (Add New) — Displays the System Response window or the IPS Attack Response window, depending on the response page that is open in the work area. Select this option to create a new response. For more information, see Configuring system responses on page 613 or Configuring IPS attack responses on page 609.
• (Edit) — Displays the System Response window or the IPS Attack Response window, depending on the response page that is open in the work area. Select this option to edit the highlighted response. For more information, see Configuring system responses on page 613 or Configuring IPS attack responses on page 609.
• (Delete Rule) — Delete the highlighted response (rule).
• (Delete Rules…) — Displays the Rules Removal window, in which you can specify multiple responses (rules) and sets of rules to be deleted. Specify a range as the beginning and ending rule numbers, separated by a hyphen (-). Separate each range of rules or individual rule with a comma (,).

URL Rules Options toolbar

The URL Rules Options toolbar is displayed when the URL Translation Rules page is displayed in the work area. This toolbar has the following tools:

• (Add New Rule) — Displays the URL Translation Rules Editor window, in which you can create a new URL translation rule. For more information, see Configuring URL translation rules on page 560.
• (Edit Rule) — Displays the URL Translation Rules Editor window, in which you can edit an existing URL translation rule. For more information, see Configuring URL translation rules on page 560.
• (Delete Rule) — Delete the highlighted rule.
• (Delete Rules…) — Displays the Rules Removal window, in which you can specify multiple rules and sets of rules to be deleted. Specify a range as the beginning and ending rule numbers, separated by a hyphen (-). Separate each range of rules or individual rule with a comma (,).
• (Copy Rule) — Create a copy of the highlighted rule.
• (Move Up) — Move the highlighted rule up one position on the page.
• (Move Down) — Move the highlighted rule down one position on the page.

Object Configuration area trees of the Configuration Tool

The Object Configuration area is displayed on the left side of the main GUI of the Configuration Tool. Select any of the following group bars to display, in a tree, the configurable objects that are associated with that group bar.

• Firewalls — Displays a tree that includes firewall, cluster, and device group objects.
• Firewall Settings — Displays a tree that includes all of the objects that are related to a firewall configuration.
• Policy — Displays a tree that includes all of the objects that help you define policy for your network configuration. Objects include rules, network objects, and application defenses.
• Monitor — Displays a tree that includes objects that assist you with monitoring your firewalls. Objects include audit filters, responses, IPS attack responses, system responses, and the audit report.
• Maintenance — Displays a tree that includes objects that assist you in maintaining your firewalls and the McAfee Firewall Enterprise Control Center Management Server.

Reporting and Monitoring Tool toolbars

The Reporting and Monitoring Tool has the Firewalls and Reports toolbar and an Alert Browser toolbar, which provide options to access the tab pages and windows that you use to manage alerts and generate firewall-specific and audit log reports.
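The Rules Removal window described under the Delete Rules… tool above takes a comma-separated list of rule numbers and hyphenated ranges. The following parser is an added example (not code from the guide or from McAfee) of how to expand that syntax strictly, so that a malformed, reversed or out-of-range item is refused instead of silently deleting the wrong rules; the rule names in the sample are constructed.

```python
import re
from typing import List, Optional, Set

# One item of a Rules Removal specification: "7" or "7-9" (whitespace around the
# hyphen is tolerated; any other character makes the item invalid).
_ITEM = re.compile(r"(\d+)\s*(?:-\s*(\d+))?")


def parse_rule_selection(spec: str, rule_count: int) -> List[int]:
    """Expand a specification such as "3, 7-9, 12" into the sorted, de-duplicated
    list of rule numbers it names.

    rule_count is the number of rules currently on the page (rules are numbered
    from 1). Any item that is malformed, reversed, or outside 1..rule_count raises
    ValueError, so a typo can never widen a deletion."""
    if rule_count < 0:
        raise ValueError("rule_count must not be negative")
    selected: Set[int] = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty item in {spec!r}")
        match = _ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"malformed item {item!r}")
        lo = int(match.group(1))
        hi = int(match.group(2)) if match.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"range {item!r} must be given as beginning-ending")
        if lo < 1 or hi > rule_count:
            raise ValueError(f"{item!r} is outside the valid range 1-{rule_count}")
        selected.update(range(lo, hi + 1))
    return sorted(selected)


def selection_error(spec: str, rule_count: int) -> Optional[str]:
    """Return the validation message for spec, or None when it is acceptable."""
    try:
        parse_rule_selection(spec, rule_count)
    except ValueError as exc:
        return str(exc)
    return None


def remaining_rules(rules: List[str], spec: str) -> List[str]:
    """Return the rules that survive the removal, in their original order.
    Rule numbers are positions on the page, so the survivors are renumbered from 1
    after the deletion; a second specification must use the new numbers."""
    doomed = set(parse_rule_selection(spec, len(rules)))
    return [name for pos, name in enumerate(rules, start=1) if pos not in doomed]


if __name__ == "__main__":
    # Constructed sample rule list; the names are made up for the demonstration.
    sample = [f"rule_{i}" for i in range(1, 11)]
    print(parse_rule_selection("3, 7-9, 12", 20))   # [3, 7, 8, 9, 12]
    print(remaining_rules(sample, "2-4, 10"))
    print(selection_error("9-7", 10))
```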
Firewalls and Reports tools

The Firewalls and Reports toolbar has the following tools:

• (Alert Browser) — Displays the Alert Browser page, in which you can view a summary of the alerts that have been generated by the configured firewalls. For more information, see Alerts on page 677. Use the Alert Browser to quickly identify the alerts that are being generated by the configured firewalls, to acknowledge an alert, to annotate the corrective actions that are taken, to resolve the problem, and to clear the alert.
• (Secure Alerts Servers) — Displays the Secure Alerts Server page, in which you can view current and historical Secure Alerts Server status information. For more information, see Secure Alerts Server on page 686. This page is divided into two panes:
  • Secure Alerts Server Status table on page 688 — The upper pane displays the current status of the Secure Alerts Servers.
  • Secure Alerts Service History table on page 689 — The lower pane displays the historical record of when the server was started and stopped.
• (Start Page) — Displays the Start Page (the McAfee Firewall Enterprise Control Center home page) if it has previously been closed.
• (Firewall Status) — Displays the Firewall Status page, in which you can view a status summary of the firewalls that are configured for your operation and quickly determine the operational status of each firewall in your configuration. For more information, see Viewing the overall status of your firewalls on page 574.

Alert Browser

When the Alert Browser page is displayed in the work area, the following tools are available on the Alert Browser toolbar in addition to the tools from the Firewalls and Reports toolbar:

• (Columns) — Displays the Column Selector window, in which you can specify the columns of alert data to be displayed on the Alert Browser page. For more information, see Configuring columns for the Alert Browser page on page 685.
• (Filters) — Displays the Alert Filter window, in which you can specify the alerts to be displayed in the Alert Browser. For more information, see Filtering the alerts to be displayed in the Alert Browser on page 686.
• (Export Data) — Displays the Export Alerts File window, in which you specify the destination for the exported data and the file name that is used for it. The selected data is exported, in plain text format, to a local platform.
• (Print) — Displays the Print window, in which you can specify the printer name, the print range, and the number of copies of the selected alert data.
• (Display Ack) — Displays the alerts that have been acknowledged. Selecting this tool automatically selects the Acknowledged checkbox in the Alert Filter window.
• (Display Cleared) — Displays the alerts that have been cleared. Selecting this tool automatically selects the Cleared checkbox in the Alert Filter window.
• (Display Open) — Displays the alerts that have not been acknowledged. Selecting this tool automatically selects the Open checkbox in the Alert Filter window.
• (Annotate) — Displays the Annotate window, in which you can record any comments about the associated alert.
• (Ack) — Displays the Annotate window, in which you can record any comments about the associated alert. Selecting this menu option also selects the acknowledgement checkbox for each selected alert. This is a one-time activity for each alert: after you select this option, you cannot clear it. To view alerts that have been acknowledged, click (Display Ack) on the toolbar or select Display Ack from the Options menu. If an alert is acknowledged and more alerts of the same type occur on the same firewall, the alert count is incremented and (Acknowledge Alert) is displayed in the Alert Browser page.
• (Clear) — Clear the selected alerts. To view alerts that have been cleared, click (Display Cleared) on the toolbar or select Display Cleared from the Options menu. Cleared alerts remain visible until they are removed from the system. A script is automatically run each night to remove the cleared alerts; you can configure the time at which this script runs.
• (Jump) — Displays the Jump To window, in which you can specify the row number to display.
• (Events) — Displays the events that are associated with the selected alerts when one or more alerts are highlighted. To view the events that are associated with one alert, click the Row Number column (the far-left column) to highlight the alert; to highlight more than one alert, use Ctrl+click or Shift+click. Then display the Event Browser window by clicking (Events) or selecting Events from the Options menu.
• (Preview Pane) — Horizontally split the view in half. The top half displays the detailed description of the selected alert and the bottom half displays the list of alerts.

Devices and Reports area trees of the Reporting and Monitoring Tool

The Devices and Reports area is displayed on the left side of the main GUI of the Reporting and Monitoring Tool. Select any of the following group bars to display, in a tree, the configurable objects that are associated with that group bar.

• Firewalls — This node displays all of the firewalls that have been configured for your system. The firewalls are organized by firewall type and then by groups of devices. Right-click a firewall object to display a firewall-specific menu of actions, which depend on the selected firewall. Firewall objects have the following options, accessed by right-clicking a firewall object:
  • Alert Browser — Display the audit events for the selected object.
  • Audit Report — Generate an audit report for the selected object.
  • Policy Report — Generate a policy report for the selected object.
  • License Report — Generate a license report for the selected object.
  • Properties — Display the selected firewall's properties.
  • Additional Firewall Reports — Identify a firewall-specific report to generate for the selected firewall. For more information about generating firewall-specific reports, see Firewall report results on page 619.
• Reports — [Available only if a firewall-specific report has been successfully generated] For more information about generating firewall-specific reports, see Firewall report results on page 619. These reports are available only until the current session is stopped. Right-click a firewall report object to select options to arrange and sort the generated reports. The following options are available:
  • Sort by Report Type — Groups all of the generated reports by the type of report that was generated.
  • Sort by Firewall — Groups all of the reports that were generated for a specific firewall by the firewall name.
Software Updates Tool toolbars

The Software Updates Tool has an Action toolbar that is used to access the main page options that are available in the work area, and options toolbars that are associated with the Store Updates and Install Updates pages.

Action Toolbar tools

The Action toolbar has the following tools:

• (Install Updates) — Displays the Install Updates page, in which you can manage and install software updates on each supported firewall that is installed in your configuration. For more information, see Installing software and firmware updates on page 697.
• (Firewall Configuration Backup) — Displays the Firewall Configuration Backup page, in which you can create and restore configuration backups for selected firewalls that are installed in your configuration. For more information, see Backing up and restoring firewall configurations on page 704.
• (Store Updates) — Displays the Store Updates page, in which you can identify, store, and manage firewall software and firmware updates on the Management Server. For more information, see Storing software and firmware updates on page 709.
• (Start Ticket) or (Stop Ticket) — The tool that you see depends on whether a ticket has been started: if no ticket has been started, the Start Ticket tool is displayed; if a ticket has already been started, the Stop Ticket tool is displayed. When you select Start Ticket, the Ticket window is displayed, in which you can specify the name of the ticket. A ticket is used to identify specific changes that have been made to the firewall. For more information, see Configuring change tickets on page 103. When you select Stop Ticket, no window is displayed, but the change ticket is closed.

Install Updates page tools

When the Install Updates page is displayed in the work area, the following tools are available:

• Update Firewalls — Perform the actions that you have specified on the firewalls that you have selected. You must have already selected an update action for all of the selected firewalls before you can select this tool or menu option. If you try to update a firewall with an update that has not been downloaded to the Management Server, the update is first downloaded and saved on the Management Server, and then automatically installed on the applicable selected firewalls.
  Note: You cannot initiate a new update on a firewall while it has an update in the “In Progress” state.
• Schedule Firewalls — Displays the Schedule Firewall Actions window, in which you can set a date and time to perform actions that are related to one or more firewalls. You can also remove a schedule. For more information, see Scheduling device software updates on page 703.
• Clear Last Update — Clear the values of the Last Update and Update Status fields from the table. This information is not cleared from the Update History data. Use this tool or menu option to clear field values when an update is stuck in the “In Progress” state.
• Update Firewall Status — Send a firewall status request to the selected firewalls. The resulting firewall status is displayed as an icon in a column on the left.
• Refresh Grid — Refresh the contents of the table on this page.

Store Updates page tools

When the Store Updates page is displayed in the work area, the following tools are available:

• Check for Updates — Check for new updates at the defined auto-discovery location. For more information about configuring the auto-discovery settings, see Configuring update download settings on page 692.
• Download Updates — Download the associated update for each highlighted row from the location that is specified in the auto-discovery settings. For more information about configuring the auto-discovery settings, see Configuring update download settings on page 692.
• Restart Download — Restart the download process if a problem or failure occurs while an update package is being transferred from the location at which updates are stored to the Management Server.
• Remove Updates — Remove the associated update for each highlighted row from the Management Server. After an update has been removed from the Management Server, it is no longer displayed in the Store Updates table unless you have selected the Show removed updates checkbox in the Update Settings window.
• Manual Download — Specify how, and to which location, an update is to be downloaded from a location other than the one that was specified in the auto-discovery settings. Use this option to acquire an update and store it on the Management Server when there is no access to the Secure Computing FTP location. For information about how to configure this option, see Manually downloading software updates on page 711.
• Refresh Grid — Refresh the contents of this page.
  • 79. 3 Administration Tool Contents Administration Tool Control Center users Control Center roles Configuration domains Configuration domain version management Audit data management Control Center Management Server licensing System settings ePolicy Orchestrator settings High Availability (HA) Authentication Administration Tool The Administration Tool aggregates the McAfee Firewall Enterprise Control Center (CommandCenter) administrative functions into a single tool. You can accomplish the following tasks by using the features and functions of the Administration Tool: • Control Center users — You can create and manage the unique Control Center user names and passwords that are used to authenticate user access to the Control Center Management Server. For more information, see Control Center users on page 81. • Control Center roles — After a user is specified, he or she is assigned a role that determines the tasks that he or she is allowed to perform. Although a default set of roles has been pre-defined, you can create additional user-defined roles that can be assigned to Control Center users. For more information, see Control Center roles on page 89. • Configuration domains — Activate the configuration domains option to segregate configuration data views and management into multiple domains. The operation and configuration data associated with a configuration domain is accessible only when the specific domain is selected during the login process. All other configuration data is obscured and cannot be acted upon or seen. If configuration domains are activated, configuration domain versions and version management can be accessed from the Administration Tool, as well as from the Configuration tool. For more information about configuring and managing configuration domains, see Configuration domains on page 92. For more information about versions and version management for configuration domains, see Configuration domain version management on page 97. 
• Audit management — The Control Center can track when firewalls, endpoints, services, rules, alert processing rules, and many other objects are updated, added, or removed by Control Center users. You can specify the actions that are to be tracked, the objects that are to be tracked, the archiving (or not) of the tracked data, and a way to view and filter the tracked data. For more information, see Audit data management on page 100. Note: Do not confuse the Control Center Audit Trail that provides a record of actions performed by Control Center users with security firewall-specific audit reports. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 79
  • 80. Administration Tool • Control Center license — You can manage the Control Center license by selecting License from the System menu. For more information, see Control Center Management Server licensing on page 104. • Network Settings — You can view and edit Control Center settings, such as host name, servers (NTP, DNS, and mail), network interfaces (IP address, net mask, broadcast, and gateway) and static routes. For more information, see Configuring Control Center network settings on page 115. • System settings — You can manage specific Control Center system settings in the Administration Tool. These settings include: specifying the default login disclaimer information that is posted in the login window for each tool in the Client Suite, the failed login lockout settings, and the default application time-out period. For more information, see Configuring system settings on page 121. • ePolicy Orchestrator settings — You can configure the Control Center Management Server to communicate with the ePolicy Orchestrator server to share information about host objects, firewalls, and the Control Center Management Server. To use this communication, you must also configure an ePO user in this window. For more information, see Configuring access to the ePolicy Orchestrator server on page 132. • Management Server property management — You can display and edit Control Center Management Server properties and add new properties. For more information, see Configuring Management Server properties on page 664. • Ticket management — You can use the Start Ticket and Stop Ticket menu options to manage a ticket, which is used to identify specific changes that have been made to the firewall. For more information, see Configuring change tickets on page 103. • Management Server log file management — You can manage the Control Center Management Server log files by using the Server Logs window. For more information, see Viewing Management Server logs on page 663. 
• Alternate authentication — You can configure the way that Control Center users authenticate with the Management Server. The Control Center supports an internal authentication mechanism, as well as LDAP and RADIUS for off-box authentication. For more information, see Authentication on page 145. • View the backup Management Server status — If the High Availability (HA) Management Server Configuration option is used, you can view the status condition of the backup Management Servers in the Backup Server Status page. For more information, see Viewing the status of your backup Management Servers on page 122. • Restore or backup the Management Server — Use the Administration Tool (and the Configuration Tool under certain circumstances) to manage the backup and restoration of the Control Center configuration and the operational data. A full system backup can be requested and an off-box location can be specified. For more information, see Managing configuration data for the Management Server on page 23. • Set the Management Server date and time — You can set the Management Server date and time in the Set Server Date and Time window. For more information, see Setting the date and time on the Management Server on page 131. • Change user passwords — [Available only if internal authentication is being used, which is configured on the Control Center Authentication Configuration window] You can change a user’s password in the Change User Password window. For more information, see Changing user passwords on page 88. • Restart the Management Server — You can restart the Management Server. For more information, see Restarting the Management Server on page 131. Caution: If you select Yes, the server will be restarted immediately. There is no second confirmation request. • Stop the Management Server — Stop the Management Server and exit the application. Then click Yes to confirm or No to cancel the action. 80 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
• High Availability (HA) configuration on the Management Server — You can use these wizards to establish or remove the High Availability (HA) Management Server configuration. For more information about these wizards, see Configuring the High Availability (HA) feature on page 140 and Removing the High Availability (HA) configuration feature on page 143.

Control Center users

Each user who can log into the Control Center must be identified and authenticated. This is accomplished by specifying a unique user name and password for each user. The tasks that can be performed by users are determined by the assigned role and the specific firewalls over which a user can have authority.

Use the Control Center User Manager window on the Administration Tool to specify Control Center users. This window is used to perform the following tasks:

• Create and manage the Control Center users.
• Assign previously defined roles to a user.
• Specify the firewalls that can be accessed by the named user.
• Restrict the time of day and days of the week that users can log into the Control Center.
• Specify when a user's access to the Control Center expires.
• Specify if and when a user is required to re-authenticate after a specified amount of inactivity (lack of mouse movement).

Use the Role Manager window to specify the roles that are assigned to Control Center users.

If configuration domains are activated, the Domain Access tab is displayed, in which you can specify the domains that the user can log into and the privileges that he or she has for configuring and managing the domain. For more information about configuration domains, see Configuration domains on page 92.

If external, off-box authentication is selected, you can select a failover internal authentication method for a user. If you select the Allow authentication fallback checkbox, credentials that have been submitted to log into the Management Server from any of the tools in the Client Suite are presented to the internal authentication system if there is a communication failure between the Management Server and the off-box authentication server (LDAP or RADIUS).

Configure the type of authentication to be used by selecting Authentication from the System menu of the Administration Tool. For more information, see Authentication on page 145.

Note: The Control Center User Manager window is not used to configure users who are authorized to directly manage security devices, such as firewalls, or to pass data through a firewall.

For more information, see Configuring Control Center users on page 82.
Configuring Control Center users

Use the Control Center User Manager window to manage Control Center users. For more information about users, see Control Center users on page 81.

When you add users in this window, they are able to log into the Control Center Client Suite tools to manage objects from a central location. You cannot use this window to configure or manage users that have access to specific firewalls. For more information about configuring firewall-specific users, see Firewall users on page 461.

Figure 5 Control Center User Manager window

Accessing this window

In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User.

Fields and buttons

This window has the following fields and buttons:

• User Name — [Required] Specify a login name that is recognized by the Control Center.

• Password — [Required] Specify the password that is used to authenticate the user to the Control Center. Passwords must be a minimum of eight characters in length. If a new user is being added or the password value for an existing user changes, you will be prompted to confirm the password when you save the user information. You must re-specify the password exactly as it was specified in the Password field to save the changes. You can also change a user password by using the Change User Password window if internal authentication was set in the Control Center Authentication Configuration window. For more information, see Changing user passwords on page 88.

• Full Name — [Optional] Specify the first and last name of the user.

• Email Address — [Optional] Specify the e-mail address of the user.
• Account Locked — [Available only if this user account is locked] Determines whether this user account remains locked. The account could be locked because of reaching the number of failed login attempts. To unlock this account, clear this checkbox. The default lockout time period is 30 minutes.

• Allow authentication fallback — Determines whether the user can authenticate into the Management Server by presenting the external authentication credentials to the internal authentication system so that he or she can log into the Control Center Management Server if all identified external authentication servers are unreachable.

• OK — Save the changes that were made on all of the tabs.

• Cancel — Close this window without saving any changes.

Tabs

This window has the following tabs:

• Domain Access — [Available only if configuration domains have been activated] Identify the configuration domains that a user can log into and the privileges that he or she can exercise. For more information, see Control Center User Manager window: Domain Access tab.

• Roles — Assign one or more roles to a user. This assignment controls the level of access that a user has to Control Center objects and the actions that they can perform. This tab is available only if configuration domains have not been activated. For more information, see Control Center User Manager window: Roles tab.

• Firewall Access List — Specify the firewalls that the user can configure. For more information, see Control Center User Manager window: Firewall Access List tab.

• Time Restrictions — Control the time frame in which the user can log into the Control Center, and specify a date when the account will expire. For more information, see Control Center User Manager window: Time Restrictions tab.

• Application Timeout — [Not available for the ePO user] Specify whether or when a user is required to re-authenticate after a specified amount of inactivity (lack of mouse movement). For more information, see Control Center User Manager window: Application Timeout tab.

Control Center User Manager window: Domain Access tab

Use the Domain Access tab of the Control Center User Manager window to specify access to configuration domains and the privileges that can be exercised for the specified user. This tab has a current list of the configuration domains and roles that have been previously defined.

Note: You can access this tab only if you have activated configuration domains. For more information, see Configuration domains on page 92.

Figure 6 Control Center User Manager window: Domain Access tab
Accessing this tab

1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The Control Center User Manager window is displayed.
2 Select the Domain Access tab. The Domain Access tab of the Control Center User Manager window is displayed.

Fields and buttons

Select the checkbox that is associated with each previously defined configuration domain that the user can log into and each role that specifies the privileges that he or she can exercise. There are two special configuration domains that are displayed in the list of configuration domains:

• Administrator domain
• Shared domain

Administrator domain

Select the Administrator domain checkbox to grant configuration domain administrator privileges to the user. The user can then access the Administration Tool and can create and delete configuration domains, along with other super-user privileges. For more information, see Configuration domains on page 92.

Shared domain

Select the Shared domain checkbox to grant those privileges for common objects that are shared across all of the configuration domains to the user. For more information, see Configuration domains on page 92.

Control Center User Manager window: Roles tab

Use the Roles tab of the Control Center User Manager window to specify the level of access that a user has to Control Center objects and the actions that he or she can perform. This tab contains a complete list of Control Center roles that have been previously defined. For more information about users and roles, see Control Center users on page 81 and Control Center roles on page 89.

Note: This tab is available only if configuration domains have not been activated. For more information, see Configuration domains on page 92.

Figure 7 Control Center User Manager window: Roles tab

Accessing this tab

1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The Control Center User Manager window is displayed.
2 Select the Roles tab. The Roles tab of the Control Center User Manager window is displayed.
Fields and buttons

This tab has the following fields and buttons:

• Role — Select the checkbox to indicate the role or roles that are assigned to a Control Center user. By default, a user has no roles assigned to him or her. Any number of defined roles can be assigned to a single user.

• Description — [Read-only] Displays descriptive information about the role when the role was defined.

Note: Any changes that are made to users who are currently logged into the Control Center Client application do not take effect until those users log out and log back in.

Control Center User Manager window: Firewall Access List tab

Use the Firewall Access List tab of the Control Center User Manager window to specify the firewalls to which a user can apply configuration information. This tab contains the current list of the firewalls that have been defined. For more information, see Control Center users on page 81.

Figure 8 Control Center User Manager window: Firewall Access List tab

Accessing this tab

1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The Control Center User Manager window is displayed.
2 Click the Firewall Access List tab. The Firewall Access List tab of the Control Center User Manager window is displayed.

Fields and buttons

This tab has the following fields and buttons:

• Firewalls — Specify the firewall or firewalls to which the user will be allowed to apply configuration information. By default, no firewalls are selected. If the user is given access to all firewalls (ALL FIREWALLS), he or she is automatically, without any further action, given access to all future firewalls that are configured for the system. Otherwise, the user is able to apply configuration information only for the firewalls that are specified on this tab.

• Description — [Read-only] Displays the descriptive information that was specified when the firewall was defined during its configuration.
Control Center User Manager window: Time Restrictions tab

Use the Time Restrictions tab of the Control Center User Manager window to specify when a user has the ability to log into the Control Center, and to identify the date when the user account will expire. For more information, see Control Center users on page 81.

Figure 9 Control Center User Manager window: Time Restrictions tab

Accessing this tab

1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The Control Center User Manager window is displayed.
2 Select the Time Restrictions tab. The Time Restrictions tab of the Control Center User Manager window is displayed.

Fields and buttons

This tab has the following fields and buttons:

• Login Restriction — Use the fields in this area to determine any time constraints on user logins.
  • Restrict User Login by Time — Determines whether there is a time constraint on the time that a user can log in. This checkbox is cleared by default. If you select this checkbox, the following field is available:
  • Time Period — Specify the time period from the list of previously defined time periods, or click to display the Time Period Manager window, in which you can specify a new time object. These time period objects are managed by using the Configuration Tool. For more information about time period objects, see Managing time periods on page 470.

• Expiration Settings — Use the fields in this area to determine whether the user account will expire on a specific date. The following fields are available:
  • Expire Account — Determines whether the user account will expire on a specific date. This date is the date on which the user will no longer be able to log into the Control Center Client application. This checkbox is cleared by default. You can edit the value in the list directly or you can click the down arrow to access a calendar, in which you can select the month, date, and year.
Control Center User Manager window: Application Timeout tab

Use the Application Timeout tab on the Control Center User Manager window to specify the number of minutes of inactivity that must elapse before the user is required to re-authenticate. Inactivity is defined as the absence of mouse movement. As opposed to the System Settings window, in which you can set a default application time-out period, use this tab to specify the user-specific time-out value. For more information, see Control Center users on page 81.

Note: This tab is not available for the ePO user.

Figure 10 Control Center User Manager window: Application Timeout tab

Accessing this tab

1 In the Administration Tool, from the Users menu, select Add User, Modify User, or Copy User. The Control Center User Manager window is displayed.
2 Click the Application Timeout tab. The Application Timeout tab of the Control Center User Manager window is displayed.

Fields and buttons

This tab has the following fields and buttons:

• Use Default Application Timeout — Select this option to specify that the setting for this user will use the default application time-out period that was set by using the System Settings window.

• No Application Timeout — Select this option to specify that this user will never require re-authentication.

• Select Application Timeout — Select this option to specify the number of minutes of inactivity for this user. Use this field, along with the Timeout (min) field, to specify a custom configuration to apply to each user.

• Timeout (min) — [Available only if you have selected the Select Application Timeout option] Specify the number of minutes of inactivity for this user.
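The per-user login controls described on the User Manager tabs (account lockout, authentication fallback, login time periods, account expiration and application time-out) interact in ways that matter to a defender, in particular that fallback to internal credentials happens only when the off-box server cannot be reached, never when it rejects the credentials. The following Python model is an added illustration of those documented rules and is not McAfee code; the failed-login threshold, the sample accounts, the time period and the clock values are assumptions made for the example, while the 30-minute default lockout period is the value the guide states.

```python
"""Model of the Control Center User Manager login controls (added example,
not McAfee code). MAX_FAILED, the sample accounts and the clock values are
assumptions; LOCKOUT_PERIOD is the guide's stated default."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional, Set, Union

LOCKOUT_PERIOD = timedelta(minutes=30)   # default lockout period stated in the guide
MAX_FAILED = 3                           # assumed threshold (set in System Settings)
DEFAULT_TIMEOUT = "default"              # "Use Default Application Timeout" option

# Constructed sample clock values: 15 June 2009 is a Monday, 14 June a Sunday.
SAMPLE_NOW = datetime(2009, 6, 15, 10, 0)
SAMPLE_SUNDAY = datetime(2009, 6, 14, 10, 0)
AFTER_LOCKOUT = SAMPLE_NOW + LOCKOUT_PERIOD + timedelta(minutes=1)
EXPIRED_DATE = datetime(2009, 6, 1)


class ExternalServerUnreachable(Exception):
    """Communication failure with the LDAP/RADIUS server (not a rejection)."""


@dataclass
class TimePeriod:
    """Simplified time period object: allowed weekdays (0 = Monday) and hours."""
    days: Set[int]
    start_hour: int
    end_hour: int

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class Account:
    name: str
    internal_password: str
    external_auth: bool = False                  # user authenticates via LDAP/RADIUS
    allow_fallback: bool = False                 # "Allow authentication fallback" checkbox
    login_period: Optional[TimePeriod] = None    # "Restrict User Login by Time"
    expires: Optional[datetime] = None           # "Expire Account" date
    timeout: Union[str, int, None] = DEFAULT_TIMEOUT  # None = "No Application Timeout"
    failed: int = 0
    locked_until: Optional[datetime] = None      # set while "Account Locked" is selected


def login(account: Account, password: str, now: datetime,
          server: Optional[Callable[[str, str], bool]] = None):
    """Return (ok, reason). `server(user, password)` models the off-box server."""
    if account.locked_until and now < account.locked_until:
        return False, "locked"
    if account.expires and now >= account.expires:
        return False, "expired"
    if account.login_period and not account.login_period.contains(now):
        return False, "outside login time period"

    if account.external_auth:
        try:
            ok = server(account.name, password)
        except ExternalServerUnreachable:
            # Fallback covers only a communication failure; a rejection by the
            # external server is never retried against the internal password.
            if not account.allow_fallback:
                return False, "external server unreachable"
            ok = password == account.internal_password
    else:
        ok = password == account.internal_password

    if not ok:
        account.failed += 1
        if account.failed >= MAX_FAILED:
            account.locked_until = now + LOCKOUT_PERIOD   # admin may clear the checkbox earlier
            account.failed = 0
            return False, "locked"
        return False, "bad credentials"
    account.failed = 0
    return True, "ok"


def unlock(account: Account) -> None:
    """Administrator clears the Account Locked checkbox."""
    account.locked_until = None
    account.failed = 0


def needs_reauth(account: Account, idle_minutes: int, default_timeout: int) -> bool:
    """Application Timeout tab: use the default, never time out, or a per-user value."""
    if account.timeout is None:
        return False
    limit = default_timeout if account.timeout == DEFAULT_TIMEOUT else account.timeout
    return idle_minutes >= limit
```

The order of checks is deliberate: a locked or expired account is refused before any credential is examined, so neither path leaks whether the password was right, and an unreachable external server without fallback refuses the login without counting a failed attempt against the user.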
Changing user passwords

Use this window as an alternate way to change your user password. This window is available only if your user profile has been configured to use internal authentication to access the Control Center (as opposed to external authentication). For more information about authentication, see Authentication on page 145.

If you have administrator privileges and you want to change the password of a different user, use the Control Center User Manager window in the Administration Tool. For more information, see Configuring Control Center users on page 82.

Figure 11 Change User Password window

Accessing this window

From the System menu of any of the tools, select Change Password…. The Change User Password window is displayed.

If you receive a Policy Violation message, indicating that your password has expired and you decide to change your password, click Yes. The Change User Password window is displayed.

Fields and buttons

This window has the following fields and buttons:

• User name — [Read-only] Displays the user name with which you logged into the Control Center. This is also the name of the user whose password you are changing.

• Current password — Specify the password that you are currently using and that you used to log into the Control Center.

• New password — Specify a new password according to the policy that is specified in this window. This policy is established by an administrator user in the Control Center Authentication Configuration window. For more information about this window, see Configuring Control Center user authentication on page 146.

• Confirm new password — Specify the same value as you specified in the New password field to verify the value that you specified.

• OK — Saves the password change.

• Cancel — Closes the window without saving any changes.
Control Center roles

A role defines the activities that a user is permitted to perform on each type of object in the Control Center, and the actions that the user is allowed to perform across the various tools. The objects include, but are not limited to, endpoints, services, firewall users, time objects, VPNs, and certificates. The activities are defined as:

• View — The user can view objects.
• Update — The user can update existing objects.
• Add — The user can add new objects.
• Remove — The user can remove objects.

You can use roles in many different ways to add strong security when you are configuring firewalls. For example, your organization can require that the action of two or more users must be involved to administrate a firewall. Each user would need to contribute his or her part of the configuration before a complete configuration can be created and applied.

For example, you can create a role that allows a user to have full access to all objects, except for those that are used for VPN. You can create another role to allow a user to have access only to the objects that are used for VPN (for example, VPN peers, communities, and certificates). To create a firewall configuration that employs VPN, the actions of both users would be required.

You can also configure an environment that uses permitted actions by specifying a role in which one user could specify and validate configurations, and by specifying another role to allow a different user to apply configurations.

You can create any number of roles and you can assign any number of roles to a user. If you have assigned a role to a current user, the role cannot be deleted.

Use the Role Manager window to create roles that can be assigned to Control Center users. The following roles are defined by default. However, you can delete any of these roles except for the Administrator role (again, if it is not assigned to a current user):

• Administrator — This is an administrator with full access to all object types. This is the only pre-defined role that cannot be deleted.
• VPN Administrator — This is an administrator who can manage VPN access.
• Audit and Alert Administrator — This is an administrator who can manage audits and alerts.
• Audit and Alert Monitor — This is a user who can view and manage firewall alerts and activities, and who can also view reports from firewalls.

Use the Control Center User Manager window to assign these roles to users.
Managing roles for Control Center users

Use the Role Manager window to manage roles that can be assigned to Control Center users. The role or roles assigned to a user will determine the actions that the user can perform on the selected objects. For more information, see Control Center roles on page 89.

Figure 12 Role Manager window

Accessing this window

In the Administration Tool, from the Roles menu, select Add Role, Modify Role, or Copy Role. The Role Manager window is displayed.

Fields and buttons

This window has the following fields:

• Role Name — [Required] Specify a unique name for this Control Center role.
• Description — Provide a description for the role that is being specified.

Tabs

This window has the following tabs:

• Objects — Specify the activities that can be performed on the selected objects for users who are assigned this role. For more information, see Role Manager window: Objects tab on page 91.
• Actions — Specify the actions that can be performed by users who are assigned this role. For more information, see Role Manager window: Actions tab on page 92.
Role Manager window: Objects tab

Use the Objects tab of the Role Manager window to specify the activities that can be performed on the selected objects by users who are assigned to the role that is being specified. For more information, see Control Center roles on page 89. To view the fields on this tab, see Figure 12 on page 90.

Accessing this tab

1 In the Administration Tool, from the Roles menu, select Add Role, Modify Role, or Copy Role.
2 Click the Objects tab. The Objects tab of the Role Manager window is displayed.

Fields and buttons

This tab has the following fields and buttons:

• Object — [Read-only] Displays the names of the available objects (for example, Network Objects, Services, VPN). The first item in the list (All Objects) has special significance. If the View, Update, Add, or Remove box for this All Objects object is selected, the same checkbox for all of the other objects (both currently defined and for those in the future) will also be selected.

• Description — [Read-only] Displays information about the object.

• View — Determines whether a user with this role is allowed to view objects of this type. This checkbox is cleared by default.

• Update — Determines whether a user with this role is allowed to modify objects of this type. This checkbox is cleared by default.

• Add — Determines whether a user with this role is allowed to create objects of this type. This checkbox is cleared by default.

• Remove — Determines whether a user with this role is allowed to delete objects of this type. This checkbox is cleared by default.

Note: If you select the Update, Add, or Remove checkbox for a particular type of object, the View checkbox for that object is automatically selected.

Right-click anywhere in the object list to display a shortcut menu that you can use to select or clear the associated View, Update, Add, or Remove checkbox for the object that is currently selected or to apply the changes to all of the objects in the list.
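The roles section and the Objects tab together describe a small access-control model: View/Update/Add/Remove per object type, an All Objects row that covers every type including types defined later, View implied by any of the other three, roles unioned across a user, the ALL FIREWALLS access entry, the Validate/Apply split, and the rule that an assigned role cannot be deleted. The following Python model is an added example of those documented rules, not McAfee code, and it also shows the two-person VPN configuration sketched in the roles section; the object type names, role names, firewall names and users are sample values chosen for the illustration.

```python
"""Model of Control Center role semantics (added example, not McAfee code).
Object types, role names, firewall names and users are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ACTIVITIES = ("View", "Update", "Add", "Remove")
ALL_OBJECTS = "All Objects"       # first row of the Role Manager Objects tab
ALL_FIREWALLS = "ALL FIREWALLS"   # special entry on the Firewall Access List tab


@dataclass
class Role:
    name: str
    objects: Dict[str, Set[str]] = field(default_factory=dict)  # object type -> activities
    actions: Set[str] = field(default_factory=set)              # Actions tab, e.g. Validate, Apply

    def grant(self, obj_type: str, *activities: str) -> "Role":
        acts = set(activities)
        if acts & {"Update", "Add", "Remove"}:   # selecting these auto-selects View
            acts.add("View")
        self.objects.setdefault(obj_type, set()).update(acts)
        return self


@dataclass
class User:
    name: str
    roles: List[Role]
    firewalls: Set[str]               # Firewall Access List tab

    def may(self, activity: str, obj_type: str) -> bool:
        """Any assigned role grants it; All Objects covers every type, present or future."""
        return any(activity in r.objects.get(ALL_OBJECTS, set())
                   or activity in r.objects.get(obj_type, set())
                   for r in self.roles)

    def may_act(self, action: str) -> bool:
        return any(action in r.actions for r in self.roles)

    def may_configure(self, firewall: str) -> bool:
        # ALL FIREWALLS also covers firewalls added after the user was defined
        return ALL_FIREWALLS in self.firewalls or firewall in self.firewalls


def deletable(role: Role, users: List[User]) -> bool:
    """Administrator can never be deleted; other roles only while unassigned."""
    if role.name == "Administrator":
        return False
    return not any(role is r for u in users for r in u.roles)


# Separation of duties as sketched in the roles section (constructed sample).
OBJECT_TYPES = {"Network Objects", "Services", "Time Periods",
                "VPN Peers", "VPN Communities", "Certificates"}
VPN_TYPES = {"VPN Peers", "VPN Communities", "Certificates"}

non_vpn_admin = Role("Non-VPN Administrator")
for t in OBJECT_TYPES - VPN_TYPES:          # per-type grants, so All Objects is not used
    non_vpn_admin.grant(t, "Update", "Add", "Remove")

vpn_admin = Role("VPN Administrator")
for t in VPN_TYPES:
    vpn_admin.grant(t, "Update", "Add", "Remove")

validator = Role("Validator", actions={"Validate"})
applier = Role("Applier", actions={"Apply"})
administrator = Role("Administrator").grant(ALL_OBJECTS, *ACTIVITIES)

alice = User("alice", [non_vpn_admin, validator], {"fw-east"})
bob = User("bob", [vpn_admin, applier], {ALL_FIREWALLS})
USERS = [alice, bob]


def vpn_config_contributors(users: List[User]) -> Set[str]:
    """Users whose participation is needed to build and apply a VPN-bearing
    configuration: edit non-VPN objects, edit VPN objects, Validate, Apply."""
    steps = (lambda u: u.may("Update", "Services"),
             lambda u: u.may("Update", "VPN Peers"),
             lambda u: u.may_act("Validate"),
             lambda u: u.may_act("Apply"))
    needed = set()
    for step in steps:
        able = {u.name for u in users if step(u)}
        if not able:
            raise ValueError("no user can perform a required step")
        needed |= able
    return needed
```

With these two sample users neither can complete a VPN-bearing configuration alone: alice can edit the non-VPN objects and validate, bob can edit the VPN objects and apply, which is the two-person arrangement the roles section describes.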
Role Manager window: Actions tab

Use the Actions tab of the Role Manager window to specify the actions that can be performed by users who are assigned the role that is currently being specified.

Figure 13 Role Manager window: Actions tab

Accessing this tab

1 In the Administration Tool, from the Roles menu, select Add Role, Modify Role, or Copy Role.
2 Click the Actions tab. The Actions tab of the Role Manager window is displayed.

Fields and buttons

This tab has the following fields and buttons:

• Action — [Read-only] Displays the names of the actions that have been specified (for example, Apply, Validate, Alerting).
• Description — [Read-only] Displays information about the action.
• Enable — Determines whether a user with this role is allowed to perform this action. The default value is cleared.

Configuration domains

Use configuration domains to partition managed firewalls into separate collections of objects and configuration data so that each collection is independent of every other collection, and changes to one collection do not affect others. The main advantages for creating configuration domains include the following reasons:

• By using multiple configuration domains, administrator responsibilities can be segregated to allow each administrator (or group of administrators) to have control of the firewalls and their related objects for a single domain.
• When a configuration domain administrator logs into the Control Center, he or she sees and acts on only those objects that are related to the configuration domain that he or she is currently logged into. Information about other domains is not visible.

If you use configuration domains, you can compare it to having multiple installations of the Control Center, with each installation having independent control over a domain and all of the associated, domain-specific data. The main difference is that all of the data for all of the domains is managed by a single Control Center Management Server.
When you log into the Configuration Tool, the Reporting and Monitoring Tool, or the Software Updates Tool, a specific configuration domain is selected. Only those objects that belong to the selected domain are visible for the duration of that tool session.

Configuration domains define the firewall and object operations that an administrator can manage, configure, report on, and monitor when he or she is logged into that configuration domain. Additionally, the administrator functionality is further defined according to the privileges (roles) that he or she has been assigned for that domain.

A single Control Center installation can support multiple domains by keeping separate from all of the other domains those firewalls, objects, and configuration data that are associated with each domain. Administrators can switch from domain to domain by selecting a different domain at the login page.

Figure 14 Single Control Center supporting multiple domains

For customers who are not interested in segmenting responsibilities into separate domains, the Control Center supports all of the management features, configurations, and functionality in a single domain environment that is completely transparent to the administrator. Most of your environments that are supported by the Control Center will not require the additional support and user/role management that is required to support configuration domains because you are managing firewalls that are associated with a single, enterprise-class domain.

Activating configuration domains

After you install the Control Center Management Server and Client Suite for the first time, a single domain configuration is configured. The mechanisms and conventions that are associated with having multiple configuration domains are transparent when you are in this mode. You must use the functions that are in the Administration Tool to create additional configuration domains.

To activate the configuration domain option, you must configure a second configuration domain. After the second domain has been created, the creator of this domain is notified that from that point going forward, only those Control Center users who have administrative privileges for that configuration domain can access the Administration Tool.
By activating a configuration domain, a new class of Control Center user called the configuration domain administrator is created. Each Control Center user who is a member of the Administration Domain is a configuration domain administrator. Only those Control Center users with this privilege can:

• Log into the Administration Tool.
• Create and destroy configuration domains.
• Create, modify, and delete Control Center users and manage their associated roles for each domain.
• Manage Control Center licensing.
• Manage system-wide settings.
• Configure and manage external authentication.

By default, the creator of a configuration domain is granted administrative privileges for the configuration domain and is a member of the administration domain. All other Control Center users must be configured to determine the following actions:

• The domains to which they have access
• The roles that determine the objects that they can manage and the actions that they can take.
• Whether they have administrative privileges for the configuration domain so that they can log into the Administration Tool.

After initially activating configuration domains, the appearance of the Control Center User Manager window changes to accommodate the new functionality that is required to manage user access to specific domains. Specifically, the Domain Access tab is now displayed in this window. The following domains are displayed on the Domain Access tab of the Control Center User Manager window:

• Shared
• Default
• Administrator
• <User-created domain>

where the User-created domain is the newly created configuration domain that activated the configuration domain option. In addition to the standard default and user-created domain, two special-purpose domains are created:

• Administrator domain
• Shared domain

Administrator domain

Use the administrator domain to identify those users who have administrator privileges for the configuration domain. All users who will be allowed to access the Administration Tool need to be activated in the administrator domain.

Shared domain

The shared domain contains all of the common objects that are shared across all of the configuration domains. This includes a set of default, generic configuration objects that are used to perform a variety of functions that are configured when the Control Center was initially installed. To work with objects in the shared domain, an administrator must be explicitly permitted access to log into the shared domain.

If you add an object to the shared domain, this object is universally available to all of the configuration domains that are defined in the Management Server.
  • 95. Configuration domains Conversely, if you change the characteristics of an object in the shared domain, the object characteristics are changed in all configuration domains. Make sure that you carefully consider this when you decide to change the characteristics of any object in the shared domain. Otherwise, this change can cause problems across multiple domains that use this same object. A good practice is to copy an existing object in the shared domain, rename it, change the specific characteristic or characteristics and save the change. This new object can be accessed by all users. The shared domain has special limitations. Firewall objects may not appear in the shared domain. Objects in the shared domain may not reference objects in a non-shared domain. Certain objects contain “apply on” attributes that reference firewalls. The shared domain can support those objects with empty “apply on” associations. Although objects in the shared domain are visible when you edit a configuration domain (shared object are green) and it is possible to reference the shared object from within the configuration domain, you cannot change the characteristics of the shared object while you are editing object data in a configuration domain. However, you can copy the shared object. The copy will reside in the configuration domain and it can then be fully characterized. Objects cannot be moved from a shared domain to a configuration domain, or moved or copied from a configuration domain to the shared domain. Because the shared domain does not exist unless configuration domains have been activated, sites that do not use activate configuration domains will not have a shared domain. Configuring configuration domains Use the Configuration Domain Manager window to create new or edit existing versions of configuration domains. For more information about activating and creating configuration domains, see Configuration domains on page 92. 
Figure 15 Configuration Domain Manager window

Accessing this window
In the Administration Tool, from the Configuration Domains menu, select Add Domain or Edit Domain. The Configuration Domain Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name that identifies the configuration domain. If configuration domains have not yet been activated, creating a configuration domain activates the configuration domains option.
• Description — Provide a useful description of the use or purpose of the configuration domain that you are creating.
Moving a firewall or cluster from one configuration domain to another

You can move a firewall or cluster from one configuration domain to another as long as you have administrative privileges in both domains. The following procedure is a high-level overview of the steps that are required.
1 In the Configuration Tool, log into the source domain (for example, Domain A). This is the domain from which you want to move the firewall or cluster.
2 Make sure that the Firewalls group bar is selected.
3 Select the Firewalls node or the Clusters node, depending on the object that you are moving.
4 Right-click the firewall or cluster node to be moved and select Remove Object.
5 If there are other versions of this configuration domain (Domain A), repeat steps 1–4 for each version until the firewall or cluster is removed from all of the Domain A versions. If there are no other versions, continue with step 6.
6 Log into the target configuration domain (for example, Domain B).
7 Right-click either the Firewalls node or the Clusters node (depending on the object that you are moving) and select Add Object. The Add new firewall window or the Add Cluster window is displayed, depending on the node that you selected.
8 Specify the information necessary for the object that you are moving and click OK. The object is added to the respective node.

Changing from one configuration domain to another

Use the Switch Domain window to change between configuration domains, provided that you have access to each of those domains. You can switch domains without logging off and on again or re-specifying your user name or password.

Note: This window is available only if configuration domains have been configured.
Figure 16 Switch Domain window

Accessing this window
In the Configuration Tool, Reporting and Monitoring Tool, and Software Updates Tool, from the File menu, select Switch Domain…. The Switch Domain window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Select the domain that you wish to switch to — Specify the configuration domain that you want to switch to. This list displays only those domains to which you have access.
• OK — A confirmation message is displayed, indicating that you have connected to the new configuration domain. Click OK to close this message.
• Cancel — Close this window without switching domains.
Configuration domain version management

With the advent of configuration domains comes the concept of saving a version of a configuration domain, which is separate from and distinctly different from a backup configuration of the Management Server. (For more information, see Managing configuration data for the Management Server on page 23.)

Multiple versions of a domain can be captured. Although only one version of a domain can be active at any time, any previously saved version can be activated at any time. The active version is the version that currently governs the security policy for that domain. When changes are made to a domain configuration, the changes are saved in the currently active version. By default, when a user logs into any tool, he or she logs into the active version of the domain.

By supporting multiple domain versions, you have the flexibility to change a security policy to a pre-configured (and previously saved) version. By saving a version of the current configuration, you can make configuration changes to the active version without worrying about how to recover if the policy is flawed or the change does not proceed as planned. To recover, you activate the previously working configuration.

To create a domain version, name the version and save the configuration. Note that saving a domain version does not activate it. Activating a domain version is a separate process. When a new domain version is activated, you, and any other administrators who are logged into any tools that use the current domain, are logged off, and all of you are required to log back into the McAfee Firewall Enterprise Control Center.

Configuration domain version management

If configuration domains are activated, use configuration domain version management to save and activate backup configuration data that is associated with each individual configuration domain.
Saving a version of a configuration domain is separate from and distinctly different from saving a backup configuration of the Management Server. In many ways, this process accomplishes the same goals as a system backup. However, it differs in a few key areas that are important to understand.

The first difference is that there is no mechanism, and none is required, to FTP a version of a configuration domain to an off-box location. All of the versions of all defined configuration domains are saved during a normal Control Center Management Server backup, which can be stored in an off-box location to support worst-case failure recovery scenarios.

The next major difference is that only the configurable data that is associated with the specific configuration domain is preserved. No shared domain data is preserved. Although judicious management of shared objects should prevent shared object characteristics from being altered in any way that could cause problems when used with a configuration domain, shared object characteristics are not preserved with the configuration domain version. Activating a saved version therefore does not revert any changes that were made to shared objects in the meantime.
By saving different versions of a configuration domain, you can configure alternate security policies that can be activated quickly when needed; to recover from a change that did not work, activate and apply the previously working version.
To create a domain version, use the Manage Configuration Domain Versions window in the Administration Tool to assign a name that identifies the version and save the configuration. Note that saving a domain version does not activate it. Activating a domain version is a separate process. To activate a previously saved version of a configuration domain, use the Manage Configuration Domain Versions window to highlight the version and click Activate. When a new domain version is activated, you and any other administrators who are logged into any tools that use the current domain are logged off, and all of you are required to log back into the Control Center.

Managing versions of a configuration domain is easy, provided that you follow good configuration change practices. For example, before you implement configuration changes in a configuration domain, use the following practices so that you can recover cleanly whether or not the changes succeed:
• Before you make major changes to the objects in a configuration domain, save the current configuration. If you are not certain that the configuration in the Management Server database matches the configuration of the managed firewalls, generate a compliance report to verify that the configuration on the managed firewalls corresponds to the configuration data that is stored in the Management Server. When you are satisfied that the Management Server data is correct, save a version of the configuration data. Remember that saving a version of the current configuration does not activate the newly saved version. The newly saved version represents a known good configuration that can be activated if the changes that you are about to make do not have the desired effect or need to be backed out.
• Make your configuration changes by using the features and functions of the Configuration Tool.
Remember that all of the changes are saved in the currently active version of the configuration data. It is always good policy to validate changes before applying them by running the Validation Status Report. When you are satisfied with the validation data, apply the changes.
• To see information about the status of the propagation, select Configuration Status Report on the Reports menu. Observe and test the operation of the newly applied configuration data. If all has gone well, the saved version is no longer required; you can keep it or delete it. If the configuration changes do not operate as expected, activate and apply the saved version to restore the known good configuration.
Managing versions of configuration domains

Use the Manage Configuration Domain Versions window to create, modify, and activate versions of a configuration domain. For more information about activating and creating configuration domains, see Configuring configuration domains on page 95.

Figure 17 Manage Configuration Domain Versions window

Accessing this window
In the Administration Tool, from the Configuration Domains menu, select Manage Versions. The Manage Configuration Domain Versions window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Configuration Domain — Displays all of the defined configuration domains. Select the configuration domain on which you want to act.
• Table — Use the fields in this table to view and manage the versions of the selected configuration domain.
• Name — [Read-only] Displays the name that was assigned to the version when it was created.
• Description — [Read-only] Displays the description that was assigned to the version when it was created.
• Created Time — [Read-only] Displays the date and time at which the version was created.
• Deactivated Time — [Read-only] Displays the date and time at which the version was last deactivated. This value is set only when a version that was activated is subsequently deactivated.
• Active — [Read-only] Displays the status of the version. Yes is displayed for the currently active version. All other versions display No.
• Add — Create a new version of the configuration domain. When you click this button, the Add New Configuration Domain Version window is displayed, in which you can add a new version of the configuration domain.
• Edit — Highlight a version of a configuration domain and click this button to display the Edit Configuration Domain Version window. Use this window to edit the name or description that is associated with the selected version.
• Activate — Highlight a version of a configuration domain and click this button to activate it. After the version is activated, it must be applied to the firewalls to become effective.

Audit data management

The Control Center can save, view, and archive a record of specific actions that are performed by Control Center users on selected objects. The objects include, but are not limited to, firewalls, endpoints, services, rules, and alert processing rules. You specify the audit trail data that is recorded by using the Audit Tracking and Archive Management window. For more information, see Managing audit trail information on page 101. The resulting audit data can be viewed, filtered, and printed by using the Audit Trail page.

The auditing facility is not meant to maintain a full historical record of all of the tracked data. Instead, it records which user performed a specific action on a specific object, and the time at which the action occurred. Although tracking the changes that Control Center users make is a good practice, it can use a great deal of disk space. The audit data is stored in the audit tracking table in the Management Server database. This table grows without bound, so you should regularly archive or discard this data by using the options in the Audit Tracking and Archive Management window.
Note: Do not confuse the Control Center audit trail, which records actions that are performed by Control Center users, with firewall-specific audit reports. For more information about firewall-specific audit data, see Audit trail on page 615.

You can collect information about specific actions that are performed on specific objects by Control Center users for a specific number of days, and then store or purge the information. All of the collected audit trail information is saved in tables in the Management Server database. You can configure the kind of data that is collected and the disposition of the data.

Use the Audit Tracking and Archive Management window to specify the types of audit data that are recorded. Use the Audit Settings tab of this window to identify the actions to be recorded (Update, Add, or Remove) for the selected objects (either all of the objects or a user-selected list of objects).

You can specify the number of days to keep the audit tracking data in the database on the Management Server before archiving it to another location or removing it. By default, the number of days to keep the data is set to zero, which indicates that no audit data is archived. If you want to keep audit data, initially set the value to 1 day and adjust this value as necessary. After the number of days to keep the data has expired, you can purge it (erase it from the Management Server database), archive it to a local path on the Management Server, or send it to another location by using FTP.

Archive files are created in zip format. The data is stored in a comma-separated values (CSV) file that can be imported into a database or spreadsheet. The default file name format is AuditArchivemm_dd_yy.zip, where mm indicates the month, dd the day, and yy the year. If you want to archive audit tracking data, note that the archiving process runs once a day, after midnight.
Any changes that you make will not take effect until that time.
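The archive format and retention behavior described above (and restated under the Archive Settings tab) can be modeled offline. The following is an added example written for this guide, not Control Center product code. The guide documents the zip-of-CSV format, the AuditArchivemm_dd_yy.zip file name, the Update/Add/Remove actions, the once-a-day run after midnight, and that a Days to Keep value of zero archives nothing; everything else in the block is an assumption: the CSV column layout (time, user, action, object_type, object_name), the inner file name audit.csv, and the constructed sample rows.

```python
"""Offline model of the Control Center audit archive described in this section.
Added example, not product code. Assumptions (not documented by the guide):
the CSV column layout in FIELDS, the inner file name audit.csv, and the
constructed sample rows and run date."""
import csv
import io
import os
import tempfile
import zipfile
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed column layout: the guide only says a row records who did what to
# which object and when.
FIELDS = ["time", "user", "action", "object_type", "object_name"]
ACTIONS = {"Update", "Add", "Remove"}   # the three trackable actions

# Constructed sample rows (stand-ins for what the Management Server records).
SAMPLE_ROWS = [
    {"time": "2009-03-01T09:12:00", "user": "alice", "action": "Add",
     "object_type": "Rules", "object_name": "allow_dns"},
    {"time": "2009-03-02T11:40:00", "user": "bob", "action": "Update",
     "object_type": "Network Objects", "object_name": "dmz_web"},
    {"time": "2009-03-09T08:05:00", "user": "bob", "action": "Remove",
     "object_type": "Services", "object_name": "telnet"},
    {"time": "2009-03-10T17:30:00", "user": "alice", "action": "Update",
     "object_type": "Rules", "object_name": "allow_dns"},
]
RUN_DATE = datetime(2009, 3, 11, 0, 5)   # constructed: just after midnight


def archive_name(run_date):
    """Default file name: AuditArchivemm_dd_yy.zip (month, day, two-digit year)."""
    return run_date.strftime("AuditArchive%m_%d_%y.zip")


def split_by_retention(rows, run_date, days_to_keep):
    """Partition rows into (due, keep). Rows older than days_to_keep are due
    for archive or purge; newer rows stay in the database table. A value of
    0 disables archiving, as the guide states, so everything is kept."""
    if days_to_keep <= 0:
        return [], list(rows)
    cutoff = run_date - timedelta(days=days_to_keep)
    due, keep = [], []
    for row in rows:
        (due if datetime.fromisoformat(row["time"]) < cutoff else keep).append(row)
    return due, keep


def write_archive(rows, out_dir, run_date):
    """Write the due rows as one CSV inside a zip (the documented format).
    Returns the archive path, or None when nothing is due (no empty archive)."""
    if not rows:
        return None
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    path = os.path.join(out_dir, archive_name(run_date))
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.csv", buf.getvalue())   # inner name is an assumption
    return path


def read_archive(path):
    """Read every CSV member of an archive back into row dicts, e.g. for review
    or for import into a database or spreadsheet."""
    rows = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".csv"):
                rows.extend(csv.DictReader(io.StringIO(zf.read(name).decode("utf-8"))))
    return rows


def summarize(rows):
    """Who did what: {user: {action: count}}; rows with an unknown action
    value are ignored rather than trusted."""
    counts = defaultdict(Counter)
    for row in rows:
        if row["action"] in ACTIONS:
            counts[row["user"]][row["action"]] += 1
    return {user: dict(c) for user, c in counts.items()}


def roundtrip(days_to_keep, run_date=RUN_DATE, rows=SAMPLE_ROWS):
    """One after-midnight run: archive what is due, then read it back."""
    due, keep = split_by_retention(rows, run_date, days_to_keep)
    with tempfile.TemporaryDirectory() as out_dir:
        path = write_archive(due, out_dir, run_date)
        archived = read_archive(path) if path else []
        name = os.path.basename(path) if path else None
    return {"archive": name, "archived": archived, "kept": len(keep),
            "summary": summarize(archived)}


if __name__ == "__main__":
    print(roundtrip(7))
```

With Days to Keep set to 7 and a run on 2009-03-11, the two rows from 1 and 2 March are written to AuditArchive03_11_09.zip and the two newer rows remain in the table; with the value at 0 nothing is archived. The read side is what an auditor would run against archives pulled from the FTP server or the local path to answer "who changed which rule, and when" without the Management Server.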
Managing audit trail information

Use the Audit Tracking and Archive Management window to configure the specific actions that are tracked for the identified objects. For more information, see Audit data management on page 100.

Figure 18 Audit Tracking and Archive Management window

Accessing this window
In the Administration Tool, from the Audit Trail menu, select Manage Audit Trail. The Audit Tracking and Archive Management window is displayed.

Fields and buttons
This window has the following field and buttons:
• Archive Audit Data — Determines whether to display the Archive Settings tab, which is used to identify and manage the archive settings.
• OK — Save the changes that have been made on all of the tabs of this window.
• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• Audit Settings — Specify the actions to be tracked for the selected objects. For more information, see Audit Tracking and Archive Management window: Audit Settings tab on page 101.
• Archive Settings — Specify and manage the archive settings. For more information, see Audit Tracking and Archive Management window: Archive Settings tab on page 102.

Audit Tracking and Archive Management window: Audit Settings tab

Use the Audit Settings tab of the Audit Tracking and Archive Management window to identify the actions to track for the specified objects. For more information, see Audit data management on page 100. To view the fields on this tab, see Figure 18 on page 101.

Accessing this tab
In the Administration Tool, from the Audit Trail menu, select Manage Audit Trail. The Audit Settings tab of the Audit Tracking and Archive Management window is displayed.
Fields and buttons
This tab has the following fields and buttons:
• Object — [Read-only] Displays the names of the objects that are available for audit tracking (for example, Network Objects, Services, VPN).
• Description — [Read-only] Displays information about the object.
• Update — Determines whether to track when objects of this type are changed. This checkbox is selected by default.
• Add — Determines whether to track when objects of this type are added. This checkbox is selected by default.
• Remove — Determines whether to track when objects of this type are deleted. This checkbox is selected by default.

Note: To display audit tracking data, from the Audit Trail menu of the Administration Tool, select View Audit Trail.

Audit Tracking and Archive Management window: Archive Settings tab

Use the Archive Settings tab of the Audit Tracking and Archive Management window to periodically archive audit tracking data to an FTP server or to a directory on the Control Center Management Server, or to periodically remove audit tracking data from the database. For more information, see Audit data management on page 100.

Archive files are created in zip format. The data is stored in a comma-separated values (CSV) file that can be imported into a database or spreadsheet. The default file name format is AuditArchivemm_dd_yy.zip, where mm indicates the month, dd the day, and yy the year. If you decide to archive audit tracking data, note that the archiving process runs once a day, at some time after midnight. Any changes that you make do not take effect until that time.

Figure 19 Audit Tracking and Archive Management window: Archive Settings tab

Accessing this tab
1 In the Administration Tool, from the Audit Trail menu, select Manage Audit Trail.
2 Make sure that the Archive Audit Data checkbox is selected and click Archive Settings. The Archive Settings tab of the Audit Tracking and Archive Management window is displayed.
Fields and buttons
This tab has the following fields and buttons:
• Days to Keep — Specify the number of days to keep the audit tracking data in the database on the Management Server before archiving it to another location or removing it. By default, this value is set to 1, which indicates that archiving is enabled. Adjust this value as necessary to meet the needs of your site.
• Archive Data to FTP Server — Extract audit tracking data from the database on the Management Server and archive it to a specified FTP server on the local network. The database is purged after the data has been archived to the FTP server. Because FTP transmits the login credentials and the archive contents in clear text, use an FTP server that is reachable only from the management network. If this option is selected, the following fields are available in the FTP Settings area:
• Server Address — Specify the IP address of the local FTP server where the data is to be stored.
• User Name — Specify the FTP server login name.
• Password — Specify the password that is associated with the user name.
• Server File Path — Specify the path to the directory on the FTP server where the audit tracking data will be archived. The path is relative to the login directory that is associated with the user name. This directory must already exist, and the user who is specified in the User Name field must have write access to it.
• Purge Archive Data — Remove the audit tracking data from the database on the Management Server after the number of days that is specified in the Days to Keep field. This option is selected by default. Select this option if you do not want to preserve the audit trail data. Note that the audit trail data grows without bound, so you might not want to save it.
• Archive to Local Path — Archive the audit tracking data to the specified directory on the Management Server. The database is purged after the data has been archived.

Configuring change tickets

Use the Ticket window to provide a name for the change ticket that you are starting.
Figure 20 Ticket window

Accessing this window
In the Administration Tool, Configuration Tool, or Software Updates Tool, from the System menu, select Start Ticket…. Alternatively, in the Configuration Tool or the Software Updates Tool, in the Action toolbar, select (Start Ticket). The Ticket window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Ticket — Specify a name for this ticket, up to 32 characters.
• OK — Save this name and start tracking the audit data under this ticket.
• Cancel — Close this window without saving the name or starting audit data tracking.
Control Center Management Server licensing

The functions and capabilities of the Control Center are controlled by the installed license key. Use the License Management window to view and manage the Control Center license key.

Note: Licensing for the Control Center is not additive. The Control Center is initially shipped with one license, and any subsequent change to that license requires re-licensing.

The Control Center has three licensing options:
• Demo — All features of the Control Center that do not require a connection to any firewalls are permitted. The Control Center initially ships with this license. Note also that Demo appears in the License Manager heading while only the initial license is installed.
• Evaluation — The evaluation license might be restricted to managing a limited number of firewalls for 30, 60, or 90 days. When the evaluation license is within five (5) days of its expiration, the number of days that remain in the evaluation is displayed in the current status area, which is located in the lower right corner of the status bar in each tool of the Client Suite.
• Permanent — After you purchase the Control Center, you must obtain a permanent license from the McAfee corporate web site (www.mcafee.com). This license might be restricted to managing a limited number of firewalls.

Licensing the Control Center Management Server

This procedure describes how to obtain a Control Center license, either automatically over the Internet (remote process) or, if necessary, manually by using a local activation key (local process).
• Licensing with Internet connectivity
• Licensing on an isolated network

Licensing with Internet connectivity

To activate the license automatically over the Internet, perform the following steps:

Note: To reach the license servers, the Management Server needs outbound Internet access through any intervening firewall on SSL port 443 (HTTPS).
1 Using the Administration Tool, log into the Control Center Management Server.
2 From the System menu, select License. The License Management window is displayed.
3 On the Server tab, in the Serial Number field, specify the 16-character serial number that is located on the Activation Certificate or on your hardware platform. Leave the default values for all of the other fields on this tab.
4 On the Contact tab, specify the requested information for the administrator of this particular Management Server.
5 On the Company tab, specify the requested information about the company that has purchased this particular Control Center Management Server:
a On the Company Address tab, specify the requested address information.
b On the Billing Address tab, specify the information as requested. If this information is the same as the company address information, click Copy From Company Address.
6 Submit this information to McAfee by clicking Activate License. A window is displayed, indicating that all of the information is transmitted over a secure connection.
7 Click OK to continue. The licensing information is sent to the activation server at the URL that is specified in the Activation URL field. The activation server verifies the serial number and returns an activation key, which is displayed in the Activation Key field.
8 Click OK to save the licensing information and close the window. The license is now activated.
Licensing on an isolated network

To activate a license without Internet connectivity, by using an activation key file, perform the following steps:
1 Using the Administration Tool, log into the Control Center Management Server.
2 From the System menu, select License. The License Management window is displayed.
3 On the Server tab, in the Serial Number field, specify the 16-character serial number that is located on the Activation Certificate or on your hardware platform. Leave the default values for all of the other fields on this tab.
4 Write down the serial number and the server ID values.
5 Move to a computer that has Internet access.
6 In a web browser, navigate to the Secure Computing activation web page: www.securecomputing.com/goto/activation
7 In the list of forms, select Secure Firewall CommandCenter. The activation form is displayed.
8 Complete the form as directed on the web site and click Submit. A confirmation window is displayed.
9 Verify that the information that you have specified is correct. If it is not correct, click Back to return to the form and correct the information.
10 Click Submit. After approximately one minute, a new web page is displayed with the activation key.
11 Using the on-screen instructions, save the activation key to removable media.
12 Return to the computer on which the Client Suite is installed.
13 Insert the removable media into the computer.
14 In the Administration Tool, from the System menu, select License. The License Management window is displayed.
15 On the Server tab, click Import Key. The Import Key window is displayed.
16 Navigate to the location of the activation key file and select it.
17 Click Open. The activation key is extracted from the file and displayed in the Activation Key field.
18 Complete the required fields on the Contact and Company tabs:
a On the Contact tab, specify the requested information.
Refer to the administrator of this particular Management Server.
b On the Company tab, specify the requested information about the company that has purchased this particular Control Center Management Server:
• On the Company Address tab, specify the requested address information.
• On the Billing Address tab, specify the information as requested. If this information is the same as the company address information, click Copy From Company Address.
19 Click OK. The license is now activated, and the License Management window reflects any associated features.
Managing Control Center licenses

Use the License Management window to manage Control Center licenses. For more information about licensing, see Control Center Management Server licensing on page 104.

Figure 21 License Management window

Accessing this window
In the Administration Tool, from the System menu, select License…. The License Management window is displayed.

Fields and buttons
This window has the following buttons:
• Copy From Default — Automatically populate the Activation URL field on the Server tab of the License Management window and all of the required information fields on the Contact and Company tabs.
• OK — Save your license information. You must click OK to license your Management Server after you have imported the license key or activated the license to retrieve a new key from the license server.
• Activate License — Submit the license information to the Secure Computing Corporation licensing web site that is specified in the Activation URL field, by using an encrypted HTTPS session.
Note: After you have retrieved the activation key for this Control Center Management Server, you must click OK to save all of this information. Only then is the Management Server licensed.
• Import Key — Import a different Control Center Management Server activation key from a local or remote source. See the note above; the same requirement applies after importing a key.
Tabs
This window has the following tabs:
• Server — Specify the Control Center Management Server details. For more information, see License Management window: Server tab on page 107.
• Contact — Specify the contact details. For more information, see License Management window: Contact tab on page 108.
• Company — Specify the company's corporate and/or billing address. For more information, see License Management window: Company tab on page 109.

License Management window: Server tab

Use the Server tab of the License Management window to manage the Control Center Management Server information. To view the fields on this tab, see Figure 21 on page 106.

Accessing this tab
1 In the Administration Tool, from the System menu, select License…. The License Management window is displayed.
2 Click the Server tab. The Server tab of the License Management window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Serial Number — Specify the alphanumeric serial number of the Control Center Management Server. Include the dashes (-) in the serial number.
Note: The serial number is located on the Control Center activation certificate.
• Server Version — [Read-only] Displays the version of the Control Center Management Server.
• Server ID — Specify the unique server identification of the Control Center Management Server.
• Activation URL — Specify the URL to be used for activation of the Control Center Management Server license. This is the remote, automatic activation process.
Note: If this activation process is used, ignore the Activation Key field.
• Restore Default URL — If, for any reason, the activation URL becomes corrupted, click this button to restore the URL's original default value.
• Activation Key — Specify a file-based activation key to be imported and used to activate the Control Center Management Server license.
This entails a local activation process to use if the server is currently isolated from the local network or if it cannot access the activation URL, thus precluding a remote, automatic, activation process. Note: If this activation process is used, ignore the Activation URL field. • Feature — [Read-only] After the license has been acquired, displays the features that apply to the Control Center: • SecureOS • Support • McAfee Firewall Enterprise • License State — [Read-only] After the license has been acquired, displays the current state or status of the current Control Center Management Server license. • Expiration — [Read-only] After the license has been acquired, displays the expiration date of the current Control Center Management Server license. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 107
License Management window: Contact tab

Use the Contact tab of the License Management window to specify contact information for the administrator of this Control Center. This information is needed to receive important customer bulletins and renewable support licenses.

Figure 22 License Management window: Contact tab

Accessing this tab
1 In the Administration Tool, from the System menu, select License…. The License Management window is displayed.
2 Click the Contact tab. The Contact tab of the License Management window is displayed.

Fields and buttons
This tab has the following fields and buttons:
Note: A field name enclosed in parentheses () indicates that the field is optional.
• First Name — Specify the first name of the Control Center administrator.
• Last Name — Specify the last name of the Control Center administrator.
• Email — Specify the e-mail address of the Control Center administrator.
• Primary Phone — Specify the primary phone number of the Control Center administrator.
• (Alternate Phone) — Specify the alternate (secondary) phone number of the Control Center administrator.
• (Fax) — Specify the fax number of the Control Center administrator.
• (Job Title) — Specify the job title of the Control Center administrator.
• (Purchased From) — Specify the name of the supplier or company that sold the Control Center to you.
• (Comment) — Specify miscellaneous information about your site.
License Management window: Company tab

Use the Company tab of the License Management window to specify information about the company that bought this Control Center, including the corporate and/or billing address.

Figure 23 License Management window: Company tab

Accessing this tab
1 In the Administration Tool, from the System menu, select License…. The License Management window is displayed.
2 Click the Company tab. The Company tab of the License Management window is displayed.

Fields and buttons
This tab has the following fields, all of which are mandatory unless otherwise indicated:
• Company Name — Specify the name of the company that is purchasing the Control Center.
• Industry Classification — Specify the company's industry sector. From the list, select the classification that most closely matches the industry.

The tab also has the following tabs:
• Company Address — Specify the address for the company. For more information, see Company Address tab.
• Billing Address — Specify the billing address for the company. For more information, see Billing Address tab.

Company Address tab
The Company Address tab has the following fields and buttons:
• Address — Specify the street address at which the company is based, including any suite number, department information, and so on.
• City — Specify the name of the city in which the company is based.
• State / Province — Specify the name of the state in which the US company is based.
  Note: All predefined state names apply to US companies. For non-US companies, select Other... and complete the State / Province (Non-US) field.
• State / Province (Non-US) — Specify the name of the state or province in which the non-US company is based.
• Postal (zip) Code — Specify the five-digit ZIP code of the US company or the alphanumeric postal code of the non-US company.
• Country — Specify the name of the country in which the company is based.

Billing Address tab
The Billing Address tab has the following fields and buttons:
• Copy From Company Address — If your company address and your company's billing address are the same, click this button to copy all of the information from the Company Address tab to this tab. You can also use this button if there are only minor differences between the two addresses: import the company address information into this tab and then make your minor changes.
• Address — Specify the billing address number and street name, including any suite number, department information, and so on.
• City — Specify the name of the city for the billing address.
• State / Province — Specify the name of the state for the US billing address.
  Note: All predefined state names apply to US companies. For non-US companies, select Other... and complete the State / Province (Non-US) field.
• State / Province (Non-US) — Specify the name of the state or province for the non-US billing address.
• Postal (zip) Code — Specify the five-digit ZIP code of the US billing address or the alphanumeric postal code of the non-US billing address.
• Country — Specify the name of the country for the billing address.
• Clear — Clear all of the fields on the Billing Address tab.
Configuring common license information for the Control Center

Use the Common License Information window to manage Control Center common license information. For more information about licensing, see Control Center Management Server licensing on page 104.

Figure 24 Common License Information window

Accessing this window
In the Administration Tool, from the System menu, select Common License Information…. The Common License Information window is displayed.

Fields and buttons
This window has the following field:
• SW Device — [Read-only] Displays -Default-.

Tabs
This window has the following tabs:
• Firewall — Displays the activation URL. For more information, see Common License Information window: Firewall tab on page 112.
• Contact — Specify the contact details. For more information, see Common License Information window: Contact tab on page 113.
• Company — Specify the company's corporate and/or billing address. For more information, see Common License Information window: Company tab on page 114.
Common License Information window: Firewall tab

Use the Firewall tab on the Common License Information window to manage the licensing information. Specifically, the Firewall tab contains the activation URL for the firewall.

Figure 25 Common License Information window: Firewall tab

Accessing this tab
1 In the Administration Tool, from the System menu, select Common License Information…. The Common License Information window is displayed.
2 Click the Firewall tab. The Firewall tab of the Common License Information window is displayed.

Fields and buttons
This tab has the following field:
• Activation URL — Specify the URL to be used for this firewall activation. This URL enables the submission of the license information.
Common License Information window: Contact tab

Use the Contact tab on the Common License Information window to manage the contact information.

Figure 26 Common License Information window: Contact tab

Accessing this tab
1 In the Administration Tool, from the System menu, select Common License Information…. The Common License Information window is displayed.
2 Click the Contact tab. The Contact tab of the Common License Information window is displayed.

Fields and buttons
This tab has the following fields:
Note: A field name enclosed in parentheses () indicates that the field is optional.
• First Name — Specify the contact's first name.
• Last Name — Specify the contact's last name.
• Email — Specify the contact's e-mail address.
• Primary Phone — Specify the contact's primary phone number.
• (Alternate Phone) — Specify the contact's alternate (secondary) phone number.
• (Fax) — Specify the contact's fax number.
• (Job Title) — Specify the contact's job title.
• (Purchased From) — Specify the name of the supplier.
• (Comment) — Specify any pertinent, concise comment.
Common License Information window: Company tab

Use the Company tab on the Common License Information window to specify the company's corporate address and/or its billing address.

Figure 27 Common License Information window: Company tab

Accessing this tab
1 In the Administration Tool, from the System menu, select Common License Information…. The Common License Information window is displayed.
2 Click the Company tab. The Company tab on the Common License Information window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Company Name — Specify the name of the company purchasing the Control Center.
• Industry Classification — Specify the company's industry sector. From the list, select the classification that most closely matches the industry.

Tabs
This tab also has the following tabs:
• Company Address — Specify the company address information. For more information, see Company Address tab.
• Billing Address — Specify the billing address for the company. For more information, see Billing Address tab.

Company Address tab
The Company Address tab has the following fields and buttons. Unless otherwise indicated, you must specify a value in each field.
• Address — Specify the street address at which the company is based, including any suite number, department information, and so on.
• City — Specify the name of the city in which the company is based.
• State / Province — Specify the name of the state in which the US company is based.
  Note: All predefined state names apply to US companies. For non-US companies, select Other… and select a value in the State / Province (Non-US) field.
• State / Province (Non-US) — Specify the name of the state or province in which the non-US company is based.
• Postal (zip) Code — Specify the five-digit ZIP code of the US company or the alphanumeric postal code of the non-US company.
• Country — Specify the name of the country in which the company is based.

Billing Address tab
The Billing Address tab has the following fields and buttons. Unless otherwise indicated, you must specify a value in each field.
• Copy From Company Address — If your company address and your company's billing address are the same, click this button to copy all of the information from the Company Address tab to this tab. You can also use this button if there are only minor differences between the two addresses: import the company address information into this tab and then make your minor changes.
• Address — Specify the billing address number and street name, including any suite number, department information, and so on.
• City — Specify the name of the city for the billing address.
• State / Province — Specify the name of the state for the US billing address.
  Note: All predefined state names apply to US companies. For non-US companies, select Other... and complete the State / Province (Non-US) field.
• State / Province (Non-US) — Specify the name of the state or province for the non-US billing address.
• Postal (zip) Code — Specify the five-digit ZIP code of the US billing address or the alphanumeric postal code of the non-US billing address.
• Country — Specify the name of the country for the billing address.
• Clear — Clear all of the fields on the Billing Address tab.

Configuring Control Center network settings

Use the Network Settings window to view and change Control Center settings such as:
• Host name
• Servers:
  • Network Time Protocol (NTP)
  • Domain Name System (DNS)
  • Mail
• Network interfaces:
  • IP address
  • Net mask
  • Broadcast
  • Gateway
• Static Routes
Figure 28 Network Settings window

Accessing this window
In the Administration Tool, from the System menu, select Network Settings. The Network Settings window is displayed.

Tabs
This window has the following tabs:
• General — Specify general settings for this network node. For more information, see Network Settings window: General tab on page 116.
• Interfaces — Specify settings for the interfaces on this node. For more information, see Network Settings window: Interfaces tab on page 118.
• Static Routes — Specify settings for the static routes on this node. For more information, see Network Settings window: Static Routes tab on page 119.

Network Settings window: General tab

Use the General tab on the Network Settings window to specify general settings for this network node. To view the fields on this tab, see Figure 28 on page 116.

Accessing this tab
1 In the Administration Tool, from the System menu, select Network Settings. The Network Settings window is displayed.
2 Click the General tab. The General tab of the Network Settings window is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Node name — Specify the fully qualified domain name (FQDN) for this node (for example, mgmtServer.companyname.com). If you change the node name:
  • Each firewall that was connected to the Control Center Management Server with the previous FQDN must be re-registered.
  • The web server (Tomcat) will restart, the client connection will be lost, and you will be prompted to log in again.
  • If you are using the High Availability (HA) feature, you must remove HA by running the High Availability Removal Wizard before you modify the node name. Then change the node name and run the High Availability Setup Wizard to resume HA operations.
• NTP configuration — Use the fields in this area to configure the Control Center Management Server as a client of up to three NTP servers. The following fields are available:
  • Use NTP to synchronize system clock — Determines whether NTP is used to synchronize the system clock. The default value is cleared.
  • NTP Server — [Read-only unless the Use NTP to synchronize system clock checkbox is selected] Specify the IP address for each NTP server. (Up to three servers are allowed.)
• DNS configuration — Use the fields in this area to configure DNS servers. Use the Control Center local domain name to specify a single domain to check when a host name (not an FQDN) is specified in a DNS lookup. A maximum of three DNS servers can be configured. The following fields are available:
  • Domain name — Specify the Control Center local domain name (such as example.net).
  • DNS Server — Specify the IP address for each DNS server.
• Mail configuration — Use the field in this area to configure the mail server.
  • Mail server — Specify the full name (for example, mailhost.example.com) or IP address of the mail server.
  Note: If you change the mail server name, the web server (Tomcat) will restart, the client connection will be lost, and you will be prompted to log in again.
Network Settings window: Interfaces tab

Use the Interfaces tab on the Network Settings window to configure the interfaces on this node.

Figure 29 Network Settings window: Interfaces tab

Accessing this tab
1 In the Administration Tool, from the System menu, select Network Settings. The Network Settings window is displayed.
2 Click the Interfaces tab. The Interfaces tab on the Network Settings window is displayed.

Fields and buttons
This tab has the following fields:
• Enabled — Determines whether the selected network interface is brought up or down after you click OK. If this checkbox is selected, the selected network interface is brought up whenever the Control Center Management Server reboots; if it is cleared, the interface is not brought up on reboot.
• Name — [Read-only] Displays the name of the network device.
• IP Address — Specify the IP address for the interface.
• Netmask — Specify the net mask for the interface, in dotted IP address form.
• Broadcast — Specify the broadcast IP address for the interface.
• Speed/Duplex — Select the speed and duplex setting for the interface.
Network Settings window: Static Routes tab

Use the Static Routes tab on the Network Settings window to configure the static routes for this node.

Figure 30 Network Settings window: Static Routes tab

Accessing this tab
1 In the Administration Tool, from the System menu, select Network Settings. The Network Settings window is displayed.
2 Click the Static Routes tab. The Static Routes tab of the Network Settings window is displayed.

Fields and buttons
This tab has the following fields:
• Default gateway — Specify the IP address for the default gateway.
• Type — Select the type of route (Host or Network).
• Destination — Specify the destination IP address for the route.
• Netmask — Specify the net mask for the route. If you have selected Host as the value of the Type field, the value 255.255.255.255 is displayed automatically in this field. If you have selected Network in the Type field, specify the net mask for the route in dotted IP address form.
• Gateway — Specify the gateway IP address for the route.
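The Interfaces and Static Routes tabs take IP address, net mask, broadcast address and gateway as separate free-form fields, so an administrator can enter values that are individually well-formed but mutually inconsistent (a broadcast address that does not belong to the interface's subnet, a Network route whose destination has host bits set, or a gateway that no interface can reach). The following Python is an added example, not code from this guide or from McAfee, of the consistency checks a practitioner might run over such values before entering them; the guide does not describe how the server itself validates them. The function names check_interface, normalize_route and route_error are hypothetical, and the sample values are constructed.

```python
"""Consistency checks for values entered on the Network Settings window's
Interfaces and Static Routes tabs. Added example, not Control Center code;
the guide says nothing about how the server validates these fields.
Assumption: each field value is the plain string as typed into the GUI.
"""
import ipaddress

# Value the Static Routes tab fills in automatically for a Host route.
HOST_NETMASK = "255.255.255.255"


def check_interface(ip, netmask, broadcast):
    """Return a list of problems with one Interfaces-tab row (empty if consistent).

    The tab asks for IP Address, Netmask and Broadcast separately, so the
    three can disagree. The broadcast address is derived from IP + netmask
    and compared with the one entered; an IP that is itself the network or
    broadcast address of its subnet is flagged as well.
    """
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"invalid IP address or netmask: {exc}"]
    net = iface.network
    problems = []
    if net.prefixlen < 31:  # /31 and /32 have no separate network/broadcast address
        if iface.ip == net.network_address:
            problems.append(f"{ip} is the network address of {net}")
        if iface.ip == net.broadcast_address:
            problems.append(f"{ip} is the broadcast address of {net}")
    try:
        entered = ipaddress.IPv4Address(broadcast)
    except ValueError:
        problems.append(f"invalid broadcast address {broadcast!r}")
        return problems
    if entered != net.broadcast_address:
        problems.append(f"broadcast {broadcast} does not match "
                        f"{net.broadcast_address} derived from {ip}/{netmask}")
    return problems


def normalize_route(route_type, destination, netmask, gateway, interfaces):
    """Validate one Static Routes-tab row and return it in canonical form.

    route_type is the Type field ("Host" or "Network"); for Host routes the
    tab displays 255.255.255.255 itself, so the netmask argument is ignored.
    interfaces is a list of (ip, netmask) pairs from the Interfaces tab: the
    gateway must lie on one of those subnets, or the route can never be used.
    Raises ValueError with the reason when the row is unusable.
    """
    if route_type == "Host":
        netmask = HOST_NETMASK
    elif route_type != "Network":
        raise ValueError(f"unknown route type {route_type!r}")
    try:
        # strict=True rejects a Network destination with host bits set,
        # e.g. 10.1.2.3 with netmask 255.255.255.0
        net = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"bad destination/netmask: {exc}") from exc
    gw = ipaddress.IPv4Address(gateway)
    if not any(gw in ipaddress.IPv4Interface(f"{ip}/{mask}").network
               for ip, mask in interfaces):
        raise ValueError(f"gateway {gateway} is not on any configured interface subnet")
    return {"type": route_type, "destination": str(net.network_address),
            "netmask": str(net.netmask), "gateway": str(gw)}


def route_error(*args):
    """Same check as normalize_route, but returns the error text or None."""
    try:
        normalize_route(*args)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values, as they might be typed into the two tabs.
    ifaces = [("192.0.2.10", "255.255.255.0")]
    print(check_interface("192.0.2.10", "255.255.255.0", "192.0.2.255"))
    print(check_interface("192.0.2.10", "255.255.255.0", "192.0.2.0"))
    print(normalize_route("Host", "10.9.8.7", "", "192.0.2.1", ifaces))
    print(route_error("Network", "10.1.2.3", "255.255.255.0", "192.0.2.1", ifaces))
```

The gateway reachability check is the one most often missed when routes are typed by hand: the window accepts any syntactically valid gateway, but a route through a gateway that is not on a directly connected subnet is silently unusable.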
System settings

Several important system-wide configuration settings are managed by using the System menu on the Administration Tool. This menu currently provides the following points of access:
• Access to the Control Center License Management window. (For more information, see Control Center Management Server licensing on page 104.)
• Access to the System Settings window.
• Access to the Backup Server Status page, which is used to view the status condition of the backup Management Servers if the High Availability (HA) Management Server option is configured for your operation. For more information, see Viewing the status of your backup Management Servers on page 122.

Additionally, you can use the System Settings window from this System menu to configure additional information:
• Specify the disclaimer information that is displayed when users log in to any of the tools in the Control Center Client Suite.
• Specify the number of times that a user can unsuccessfully attempt to authenticate before being locked out.
• Specify the length of time that a user is locked out after failing to authenticate properly.
• Specify the default, system-wide number of minutes that a user can be inactive (no keyboard activity or mouse movement) before he or she must re-authenticate to access the system.

Disclaimer information
One of the features of the Control Center is the ability to place custom disclaimer information on the login page of each tool in the Control Center Client Suite. You can use this information for any purpose. For example, you can post general information of interest to users on other shifts about general Control Center operations or configuration changes. The same information is displayed on the login page of every tool in the Client Suite. You can specify the information directly in the System Settings window, or you can browse for a previously created ASCII flat file to use.
Caution: When you are writing the disclaimer information, if you press Enter for a line feed (advancement to the next line), the disclaimer will close. To insert line feeds, press Ctrl+Enter.

Locking out users
To control firewall administration, most organizations tightly control the number of failed login authentication attempts that are allowed before the user is temporarily locked out. You can also control the length of time during which the user is prevented from authenticating. You can configure the default amount of time that a user can be idle (that is, with no mouse movement) before having to re-authenticate. Each of these settings is managed in the System Settings window. Your system operators can impose the level of security that is appropriate for your organization.
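The three settings just described (failed attempts before lockout, minutes locked out, and the default application timeout) interact in ways that are worth seeing concretely: a locked-out user is refused even with the correct password until the lockout period ends, a value of 0 for the attempt limit means the account is never locked, and the idle timeout is measured from the last activity rather than from login. The following Python is an added example, not code from this guide or from McAfee, that models those rules as the guide states them; how the Management Server itself counts attempts is not documented here and is an assumption. The class name LockoutPolicy, the helper minutes_after and the reference time EPOCH are hypothetical; the default argument values are the ones the guide gives for the System Settings window.

```python
"""Model of the lockout and idle-timeout rules set in the System Settings
window. Added example, not Control Center code: how the server itself
counts attempts is not described in the guide. What is modelled are the
documented rules: a user who fails N consecutive times is locked out for
M minutes (during which even a correct password is refused), N = 0 means
never lock out, and an idle session must re-authenticate after T minutes.
Defaults match the values the guide lists for the window.
"""
from datetime import datetime, timedelta

# Constructed reference time for the scenario below (not from the guide).
EPOCH = datetime(2009, 1, 1, 9, 0, 0)


def minutes_after(n):
    return EPOCH + timedelta(minutes=n)


class LockoutPolicy:
    def __init__(self, failed_attempts_before_lockout=3,
                 minutes_account_locked_out=30, default_application_timeout=120):
        self.max_failures = failed_attempts_before_lockout
        self.lock_for = timedelta(minutes=minutes_account_locked_out)
        self.idle_limit = timedelta(minutes=default_application_timeout)
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> time the lockout ends
        self._last_activity = {}  # user -> last keyboard/mouse activity

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_login(self, user, password_ok, now):
        """Apply one authentication attempt; return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            # Refused regardless of the password; the guide's only remedy for
            # shortening the period is to delete and re-create the user.
            return "locked"
        if password_ok:
            self._failures[user] = 0
            self._last_activity[user] = now
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if self.max_failures and failures >= self.max_failures:  # 0 = unlimited attempts
            self._locked_until[user] = now + self.lock_for
            self._failures[user] = 0
            return "locked"
        return "denied"

    def touch(self, user, now):
        """Record keyboard or mouse activity for a logged-in user."""
        self._last_activity[user] = now

    def session_expired(self, user, now):
        """True when the user has been idle longer than the application timeout."""
        last = self._last_activity.get(user)
        return last is None or now - last > self.idle_limit


if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed scenario: three failures, a correct password during the
    # lockout, then a correct password after it has expired.
    for minute, ok in [(0, False), (1, False), (2, False), (10, True), (33, True)]:
        print(minute, policy.record_login("alice", ok, minutes_after(minute)))
```

Because the failure counter resets when the lockout is applied, a single bad password after the lockout expires starts a fresh count; that matches the guide's description of a per-lockout attempt limit rather than a lifetime one.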
Configuring system settings

Use the System Settings window to configure several system-wide settings that apply across all of the tools in the Client Suite.

Figure 31 System Settings window

Accessing this window
In the Administration Tool, from the System menu, select System Settings. The System Settings window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Control Center client disclaimer — Specify the disclaimer information in the provided text area. This field supports only flat ASCII text data; no HTML coding is supported.
  Caution: When composing the disclaimer information, pressing Enter to produce a line feed (next line) will NOT work; it results in closure of the disclaimer process. Instead, press Ctrl+Enter to obtain the line feed.
• Force disclaimer popup each login — Determines how often new disclaimer data is displayed in the login window when a user logs in to the Management Server from any Client Suite application. If this checkbox is cleared, the next user to access a login window sees a New Disclaimer Warning window that displays the new or changed disclaimer information; all subsequent users see the new disclaimer information on the login window of every tool in the Client Suite. If this checkbox is selected, the new disclaimer is displayed on the login page each time that a user logs in to the Management Server from any tool. To locate and use an optional text file as the disclaimer notice, click the browse button.
• Force ticket value — Determines whether the user is forced to start a ticket when a change is made. The default value is cleared.
• Create backup at start of ticket — Determines whether a configuration backup is created when a ticket is started. The default value is cleared.
• Failed Attempts Before Locking Out Accounts — Specify the number of times that a Control Center user can fail to authenticate properly before being locked out of the system. He or she will be locked out for the number of minutes that is set in the Minutes Account Locked Out field. If you select 0, an unlimited number of failed attempts is allowed and the user is never locked out. The default value is 3 minutes.
• Minutes Account Locked Out — Specify the number of minutes that a user is locked out after failing to authenticate the number of times that is specified in the Failed Attempts Before Locking Out Accounts field. Be careful to set a reasonable number of minutes: the locked-out user will not be able to re-authenticate for the stated period of time, and to shorten it the administrator must delete and re-create the user. The default value is 30 minutes.
• Default Application Timeout — Specify the number of minutes of inactivity (that is, with no mouse movement) that is tolerated before the user is required to re-authenticate. This is the default, system-wide setting. Each user can be assigned this value or a custom application timeout period that is created by using the Timeout tab of the Control Center User Manager window. The default value is 120 minutes. For more information, see Control Center User Manager window: Application Timeout tab on page 87.

Viewing the status of your backup Management Servers

Use the Backup Server Status page to view a visual indication of the status condition that is associated with each Management Server in your current configuration. This page displays only the condition of the backup Management Servers, and only if the High Availability (HA) Management Server option for the Control Center Management Servers was configured and installed. For more information, see High Availability (HA) on page 136.

Figure 32 Backup Server Status page (without a backup server configured)

Accessing this page
In the Administration Tool, from the System menu, select Backup Server Status. The Backup Server Status page is displayed.

Fields and buttons
This page has the following fields and buttons:
• Name — [Read-only] Displays the node name of the associated backup Management Server.
• Status — [Read-only] Displays the status condition of the associated backup Management Server as of the last time that this page was refreshed.
• Replication Status — [Read-only] Displays the status of the synchronization attempt for this backup server with the primary server.
• Last Replication Time — [Read-only] Displays the timestamp of the last time that this synchronization occurred.
• Refresh — Refresh the displayed status.

Creating backup files of your Management Server data by using the GUI

Use the Backup Control Center System window to create a new backup file of the Control Center Management Server data or to replace an existing backup file. Use the fields and buttons on this window to specify the scope of the backup and (optionally) the off-box backup location.

You can create a new backup or replace an existing backup. If an existing backup file or a scheduled backup file is highlighted in the Existing Backups table and you click Replace, you can specify a new backup name and description, and the new backup will replace the previously saved backup.

The resulting backup file can be restored by using the Restore System from Backup window. For more information, see Managing configuration data for the Management Server on page 23.

Figure 33 Backup Control Center System window
  • 124. System settings Accessing this window If configuration domains have been activated (for more information, see Configuration domains on page 92): In the Administration Tool, from the System menu, select Backup System. The Backup Control Center System window is displayed. Note that only those users with configuration domain administrative privileges have access. If configuration domains have not been activated: In the Administration Tool, from the System menu, select Backup System. or In the Configuration Tool, from the System menu, select Backup System. The Backup Control Center System window is displayed. Fields and buttons This window has the following fields and buttons: • Backup Name — Specify a name for the backup configuration that is being generated. • Full system backup — Determines whether the backup that is being performed is a full system backup. A full system backup creates a full system backup file that can be used to resurrect a failed system. The full system backup that is generated by this window will not contain the backup files from /opt/security/var/gccserver/cfgbackups nor from /opt/security/var/gccserver/nightlybackups. It will also not contain the firewall audit logs from /opt/security/var/gccserver/auditlogs. To back up these files, see Managing configuration data for the Management Server on page 23. If you do not select this checkbox, only the cg_configuration database is included in this backup file, which includes all of the firewall configuration data, configurable objects, certificates, and similar data. For more information, see Managing configuration data for the Management Server on page 23. • Description — Provide a meaningful description of the reason that this backup was created. • Backup Encryption — Use the fields in this area to provide the custom passphrase that is assigned to this backup file for encryption purposes. 
The following fields are available: • Use the following custom passphrase — Determines whether a passphrase is assigned to this backup file. The default value is cleared. However, if this checkbox is selected, you must also specify values in the following two fields: • (passphrase) — Specify the passphrase for this file. • Confirm — Specify the same passphrase again (that you specified in the previous field) in this field. • Schedule Backup — Use the fields in this area to determine whether a backup will be scheduled and the frequency at which it will run if it is scheduled. • Schedule — Determines whether you will configure a schedule for a backup. • Run at — Specify the time (in hh:mm:ss::AM/PM format) at which the backup will run on the day or days that you specify. • Frequency — Use the field in this area to determine the frequency at which the backup will be run. • Perform this backup — Specify the frequency at which the backup will be run. The default value is One time. The value that you select in this field determines the fields that are displayed in the Schedule area. • Schedule — The fields that are displayed in this area depend on the value that you select in the Perform this backup list. Use the fields in this area to configure the details of the frequency at which the backup will run. 124 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 125. System settings • Run on date — [Available only if One time is the value that is selected in the Perform this backup field] Click the down arrow to display a calendar in which you can select the day and date on which the backup will run. • Every n day(s) — [Available only if Daily is the value that is selected in the Perform this backup field] Select the frequency (in days) at which the backup will run. • Every n week(s) — [Available only if Weekly is the value that is selected in the Perform this backup field] Select the frequency (in weeks) at which the backup will run. You can then select one or more days of each week at which the backup will run. • Day n of the month— [Available only if Monthly is the value that is selected in the Perform this backup field] Select the day of the month on which the backup will run. Use this field to select a specific day and then select or clear the individual months as needed. To select a day by its position in the month (for example, the second Tuesday of the month), select the The ordinal day_of_the_week field instead. Then select the months. • The ordinal day_of_the_week — [Available only if Monthly is the value that is selected in the Perform this backup field] Select a day and day of the week on which the backup will run. Use this field to select the day of the week and then select or clear the individual months as needed. To select a specific day of the month, select Day n of the month instead. • Backup Destination — Use the fields in this area to specify the location where the backup file is stored. • Control Center server — Select this option to specify that the backup will be stored on this Control Center Management Server in the /opt/security/var/gccserver/cfgbackups directory. • Remote location — Select this option to store the backup in a remote, off-box location. If you select this checkbox, you must also select a location. 
    As part of this backup process, the backup file is first stored locally on the Management Server in the following directory:
    /opt/security/var/gccserver/cfgbackups
    It is then transferred to the location that is specified in the other fields in this area. The dbadmin Linux account (if enabled) has access privileges to this directory.
    If <New> is displayed, you have either just selected the Remote location option or you have not yet created a remote location. Use the remaining fields in this area to configure the information for the remote location.
  • Export using — Specify the protocol to use for this export. The following values are available:
    • SCP — Indicates that the SSH-enabled protocol will be used for this transfer.
    • FTP — Indicates that the File Transfer Protocol will be used for this transfer.
    • FTPS — Indicates that the Secure File Transfer Protocol will be used for this transfer.
    The secure ftp user account has the permissions required to write to the Management Server directories. The protocol that is used to export the archives to the Management Server is SCP.
  • Host name — Specify the host name or IP address of the remote location that will be used for this transfer.
  • Port — Specify the port for the remote location that will be used for this transfer. The default value varies, depending on the value that is selected in the Export using field. If SCP is selected, the default value is 22. If FTP is selected, the default value is 21. If FTPS is selected, the default value is 990.
  • Directory — Specify the directory on the remote system where the configuration files are stored. If the remote system is a firewall, the administrator’s home directory is the default.
  • User Name — Specify the user name of a user on the remote system. If this is a firewall, this user is a firewall administrator.
  • Password — Specify the password that is used to authenticate the user on the remote system.
  • Confirm — Specify the same password value that was specified in the Password field for confirmation.
• Existing Backups — Use the fields in this table to view the previously saved backup configurations.
  • Backup Name — [Read-only] Displays the name of the backup configuration that was generated.
  • Date Created — [Read-only] Displays a time stamp of when the associated backup was created.
  • Created By — [Read-only] Displays the Control Center user who created the backup.
  • Active — [Read-only] Displays the status of the configuration. The following values are available:
    • Y — Indicates that this configuration is currently being used by the McAfee Firewall Enterprise Control Center.
    • N — Indicates that the configuration is not the currently active one.
    • R — Temporarily indicates that a restoration of this configuration is currently in progress.
  • Full — [Read-only] Displays the scope of the backup at the time that it was created. If this value is Y (Yes), the backup is a full system backup.
  • Status — [Read-only] Displays the status of the backup.
  • Frequency — [Read-only] Displays the frequency at which this backup was run.
  • Remote Location — [Read-only] Displays the URL of the remote location where the backup was stored off-box.
  • Description — [Read-only] Displays the description text that was entered when the backup was created.
• Add — Save the backup configuration information. You are prompted to specify the password of the remote server again. If there are any validation issues, the appropriate validation window is displayed. If you have created a schedule for this backup, it will be started when the scheduled date and time is reached. If you have not scheduled this backup, it will start immediately.
• Replace — Replace the failed or scheduled backup with the backup configuration that you have just configured.
• Cancel — Cancel the backup and close this window.

Restoring the Management Server configuration files from a backup file
Use the Restore System from Backup window to:
• Restore a previously-saved system backup file to the Control Center Management Server.
• Modify a system backup name or description.
• Delete a system backup file.
This action restores the operation of the Control Center Management Server to the configuration that was in effect when the backup file was created. For more information, see Managing configuration data for the Management Server on page 23.
Caution: Restoring a configuration will completely overwrite the current Control Center configuration. Exercise caution when requesting this action. Ensure that no other users are logged into the Management Server when you are restoring a previously saved configuration. This action forces all users that are currently logged into the Management Server to log off.
Figure 34 Restore System from Backup window
Accessing this window
In the Administration Tool or in the Configuration Tool, from the System menu, select Restore System. The Restore System from Backup window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Select the backup to be restored from the following list — Select the backup file from the list of files in this tab. This list includes all of the backup system configurations that can be restored.
  • Name — Displays the name that is associated with the backup configuration. You can edit this value. Two types of backup configuration files are displayed in this window: user-defined and system-generated. The user-defined files are stored either locally or off-box. (The off-box locations are indicated by the value in the URL field.) The system-generated configuration files were automatically generated before a retrieve was performed. They contain only the cg_configuration database data, which includes all of the firewall configuration data, configurable objects data, certificates, and similar data.
  • Description — Displays the description that is associated with the backup. You can edit this value.
  • Status — [Read-only] Displays the latest status of any restorations.
  • Full — [Read-only] Specifies whether this backup was a full system backup (Y for Yes) or a partial backup (N for No).
  • HA — [Read-only] Displays whether this backup was created on a high availability system (Y for Yes) or a standalone system (N for No).
  • Date — [Read-only] Displays a time stamp of the time and date that the backup system configuration was created.
  • URL — [Read-only] Displays the URL of the off-box location of the remote backup file.
• Modify — Displays the Backup Details window, in which you can edit the name of the file and its description.
• Delete — Delete the selected backup file.
• Upload — Displays the Upload Backup Wizard, in which you can upload a backup file from your Client system to the Management Server. Note that this file must have a .bak.des3 filename extension.
• Download — Displays the Save As window, in which you can specify a new name for the configuration backup file. Note that you cannot download backup files that have been saved to remote locations.
• Close — Close this window.
Restoring a configuration backup file
To restore a backup configuration file:
1 Click anywhere in the row of the backup file that you want to restore and click Restore.
2 If this is a local backup, skip to the next step.
  or
  If this backup file is located on a remote server, the Remote Username and Password window is displayed.
3 If you need to change the login information (that is, it has changed since this configuration backup file was saved), do so now. Otherwise, click OK. A verification message is displayed.
4 Click OK. A message is displayed, indicating whether the restoration was successful or unsuccessful.
5 Click OK. If this was a successful restoration, a warning message is displayed, indicating that all users who were previously logged into this Control Center Client tool will be logged off, including you. You will need to log into the Control Center again. If this was an unsuccessful restoration, resolve the errors and then try this procedure again.

Editing a system backup file
To edit a backup configuration file:
1 In the Restore System from Backup window, double-click the file that you want to edit. The Backup Details window is displayed.
2 Make your changes.
3 To save your changes, click OK.
4 Repeat steps 1–3 as needed.
5 When you have finished, click Close.

Deleting a system backup file
To delete a system backup file:
Note: The Initial Configuration backup file cannot be deleted.
1 Click the row to be deleted and click Delete.
2 A confirmation message is displayed. To continue with the deletion, click Yes. Otherwise, click No to cancel the deletion.

Uploading a backup configuration file from the Client to the Management Server
Use the Upload Backup Wizard to identify a Management Server configuration file that is stored locally on the Client machine and make it available to use in a restore operation.
Accessing this wizard
1 In the Administration Tool or in the Configuration Tool, from the System menu, select Restore System. The Restore System from Backup window is displayed.
2 Click Upload. The Upload Backup Wizard is displayed.
Pages and fields
Step 1 of 2 - Welcome to the Upload Backup Wizard page
Use this page to specify the local configuration file that you want to upload to your Management Server.
Note: This filename must have a .bak.des3 filename extension.
Click Next>>.
Step 2 of 2 - Backup Information page
Use this page to add information about this configuration file and to establish an encryption passphrase if needed. This page has the following fields:
• Name — Specify the name for this backup configuration file.
• Description — Specify a description for this configuration file.
• Backup type — Specify the type of backup that this file contains. The following values are available:
  • Configuration — Indicates that only the cg_configuration database will be included in this backup file.
  • Full — Indicates that this will be a full configuration backup that includes all of the firewall configuration data, configurable objects, certificates, and similar data.
• Full backup was created on a high availability system — [Available only if Full is selected in the Backup type field] Determines whether the backup file that is being uploaded was created on a high availability system. It is very important that you select this checkbox if you are restoring a full configuration backup of an HA Management Server. Otherwise, database issues can occur.
• Backup uses custom encryption passphrase — Determines whether to provide a passphrase for this backup file. Select this checkbox if a passphrase was specified when this configuration file was created. If you select this checkbox, the following two fields are required:
  • Passphrase — Specify the phrase that was used to encrypt this backup file when it was created. After you enter this passphrase the first time, it is saved. Therefore, you will not need to specify it again.
  • Confirm — Specify again the same value that you specified in the Passphrase field to confirm this passphrase.
Specify values for these fields as needed. If you need to change the filename, click <<Back to go to the previous page. To continue with the actual upload, click Upload. A transferring message is displayed while the file is being uploaded.
When the upload has completed, a confirmation message is displayed that includes the checksum for the file if you want to further verify this file on the Management Server. Click OK and the Wizard closes. Now you can go to the Restore System from Backup window and restore this configuration to the Management Server.

Changing login information for remote system backups
Use the Remote Username and Password window when you are attempting to restore a configuration file for the Control Center Management Server that is stored on a remote server and the login information for that server has changed since this file was saved. When this window is displayed as part of the restoration process, you can change the information to match the current login information for the remote server.
Figure 35 Remote Username and Password window
Accessing this window
This procedure assumes that you have already created a remote backup configuration file. For more information about how to do that, see Creating backup files of your Management Server data by using the GUI on page 123.
If configuration domains have been activated (for more information, see Configuration domains on page 92):
1 In the Administration Tool, from the System menu, select Backup System. Note that only those users with configuration domain administrative privileges have access. Go to step 3.
If configuration domains have not been activated:
  In the Administration Tool, from the System menu, select Backup System. Go to step 3.
  or
  In the Configuration Tool, from the System menu, select Backup System. Go to step 3.
  or
1 In the Configuration Tool, make sure that the Maintenance group bar is selected.
2 In the Control Center Maintenance tree, double-click Restore Configuration. The Restore System from Backup window is displayed.
3 Highlight the remote backup file (that is, a file that has a URL in the URL field) and click Restore. The Remote Username and Password window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Username — Displays the username with which this backup file was saved on the remote server. If this name has changed on the remote server since this file was backed up, you must specify the current username for this remote server account.
• Password — Displays the password with which this backup file was saved on the remote server. If this password has changed on the remote server since this file was backed up, you must specify the current password for this remote server account.
• Confirm Password — Displays the confirmation password with which this backup file was saved on the remote server. If the confirmation password has changed on the remote server since this file was backed up, you must specify the current confirmation password for this remote server account.
• OK — Save any changes that you have made and continue with the restoration process.
• Cancel — Close this window without continuing with the restoration process.
Setting the date and time on the Management Server
Use the Set Server Date and Time window to modify the date and time on the Control Center Management Server.
Figure 36 Set Server Date and Time window
Accessing this window
In the Administration Tool, Configuration Tool, and Reporting and Monitoring Tool, from the System menu, select Set Server Date and Time.... The Set Server Date and Time window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Update Server Date and Time — Determines whether the server date and time are being edited according to a specified date and time. The following fields are available:
  • Server Date — Click the down arrow to display a calendar in which you can select the day and date for the server date.
  • Server Time (24-hr) — Specify the time of day at which to set the server time. You must use a 24-hour clock format for this value.
• Update Server Time Zone — Determines whether the server time zone is being edited according to a time zone. The following field is available:
  • Time Zone — Select the time zone in which the Control Center Management Server is located.

Restarting the Management Server
You can restart the entire Control Center Management Server. When the restart begins, the Client application will exit and all pending connections will be closed.
Note: If you perform a restart to invoke new server properties, only the Management Server application will be affected, not the entire server.
To restart the Management Server:
1 In any Client tool, from the System menu, select Restart Server….
2 Click Yes to restart the server.
Caution: If you click Yes, the server will be immediately restarted. There is no second confirmation request.
If you had several of the Client tools running when you requested the restart and any of them did not register the lost connection during the restart, the next time that you send a request from this tool to this newly restarted server, you will be asked to re-authenticate.
ePolicy Orchestrator settings
ePolicy Orchestrator® (ePO) provides a scalable platform for centralized policy management and enforcement of your security products and the systems on which they reside. It also provides comprehensive reporting and product deployment capabilities, all through a single point of control.
The Control Center and the ePolicy Orchestrator can share data about host objects and firewalls. The Control Center can display information that it has obtained from the ePO server about hosts that are referenced in a policy or hosts that are passing traffic through the firewall. The ePolicy Orchestrator can display health and status information about firewalls and the Control Center Management Server that it has obtained from the Control Center.
To be able to view the data on either the Control Center or on ePO, you must install the McAfee Firewall Enterprise ePO Extension on the ePO server. For more information about this, see McAfee Firewall Enterprise Control Center 4.0.0.04 Integration Guide for use with McAfee ePolicy Orchestrator 4.0.
Prerequisites for communicating with the ePolicy Orchestrator server
To be able to view data from the ePolicy Orchestrator server about hosts on the firewalls, the following prerequisites must be met:
1 The McAfee Firewall Enterprise ePO Extension must be installed on the ePO server that you will configure in the ePolicy Orchestrator Settings window.
2 You must configure settings for the ePO server in the ePolicy Orchestrator Settings window. This is to allow the Control Center to communicate with the ePO server. For the ePO server to communicate with the Control Center, an ePO user must also be defined on the Control Center.
3 On this same window, you must have selected the Allow Control Center to retrieve reports from the ePO server checkbox.
After these prerequisites have been met, you can view ePolicy Orchestrator data for individual hosts from the host object in the Policy group bar (by right-clicking a host object and selecting Show ePO Data) or from the McAfee Firewall Enterprise Audit Report window (by right-clicking the Source IP or the Destination IP row value in the report and selecting Show ePO Data). For more information about the ePO Host Data report, see Viewing ePolicy Orchestrator host data on page 135.

Configuring access to the ePolicy Orchestrator server
Use the ePolicy Orchestrator Settings window to configure the Control Center Management Server to communicate with the ePO server. Data can be shared about hosts, firewalls, and the Control Center Management Server. The Control Center displays information about hosts, whereas ePO displays health and status information about the firewalls and the Control Center Management Server.
In addition to configuring the Control Center to communicate with the ePO server in this window, you also must specify an ePO user (on the Control Center User tab).
Figure 37 ePolicy Orchestrator Settings window
Accessing this window
In the Administration Tool, from the System menu, select ePolicy Orchestrator Settings. The ePolicy Orchestrator Settings window is displayed.
Tabs and buttons
This window has the following tabs and buttons:
• ePO Reports — Use this tab to configure information about the ePO server so that the Control Center can communicate with it. For more information, see ePolicy Orchestrator Settings window: ePO Reports tab on page 133.
• Control Center User — Use this tab to create a user who has the ePolicy Orchestrator role. ePO can then obtain and display health and status information from the Control Center about firewalls and the Control Center Management Server. For more information, see ePolicy Orchestrator Settings window: Control Center User tab on page 134.
• OK — Save the changes that have been made on all of the tabs on this window.
• Cancel — Close this window without saving any changes.

ePolicy Orchestrator Settings window: ePO Reports tab
Use the ePO Reports tab of the ePolicy Orchestrator Settings window to identify an ePO server and to configure settings for the Control Center so that it can obtain and display information from ePO about host objects that are referenced in the policy or that are passing traffic through the firewall. To view the fields on this tab, see Figure 37 on page 133.
Accessing this window
1 In the Administration Tool, from the System menu, select ePolicy Orchestrator Settings. The ePolicy Orchestrator Settings window is displayed.
2 Make sure that the ePO Reports tab is selected.
Fields and buttons
This tab has the following fields and buttons:
• Allow Control Center to retrieve reports from the ePO server — Determines whether the Control Center will be able to retrieve reports from the ePO server. The default value is cleared.
• ePO Server Information — Use the fields in this area to configure the settings that are required to access the ePO server. All of the fields in this area are required if the checkbox is selected. The following fields are available:
  • Hostname — Specify the IP address or hostname of the ePO server with which you want the Control Center to communicate.
  • Port — Specify the port that will be used to communicate with the ePO Server. The default value is 8443.
  • Username — Specify the ePO username that is required to access the ePO server.
  • Password — Specify the password for the ePO username.
  • Confirm Password — Specify the same value that you specified in the Password field to confirm this password.

ePolicy Orchestrator Settings window: Control Center User tab
Use the Control Center User tab of the ePolicy Orchestrator Settings window to create and edit the ePO user object in the Control Center User Manager window. You can create only one user with the ePolicy Orchestrator role. For more information, see Control Center users on page 81.
The ePO requires a Control Center user with privileges to obtain and display health and status information from the Control Center about firewalls and the Control Center Management Server. When you create the ePO user, the user is automatically assigned the ePolicy Orchestrator role, which is available only to one ePO user. Additionally, the ePO user will be allowed to access only the ePolicy Orchestrator configuration domain, in which read-only access to all firewall objects is allowed, but in which all other object access is denied. By default, this user has access to all of the firewalls.
However, you can restrict this access on the Firewall Access List tab of the Control Center User Manager window.
Figure 38 ePolicy Orchestrator Settings window: Control Center User tab for first-time user
Accessing this window
1 In the Administration Tool, from the System menu, select ePolicy Orchestrator Settings. The ePolicy Orchestrator Settings window is displayed.
2 Select the Control Center User tab.
Fields and buttons
This tab has the following fields and buttons:
• Create User — [Available only if the ePO user has not yet been created] Displays the Control Center User Manager window, in which you can create a new user with ePolicy Orchestrator server access. You can create only one user with the ePolicy Orchestrator role.
• Username — [Displays only if you have created the ePO user] [Read-only] Displays the name of the ePO user.
• (Edit) — Displays the Control Center User Manager window, in which you can edit information about this user.
• (Delete) — Deletes this user from the Control Center. A confirmation message is displayed. Click OK. You will need to create another ePO user to be able to use the ePO functionality.

Viewing ePolicy Orchestrator host data
The ePO Host Data page is a report that displays data about the selected host object. This data is maintained on the ePolicy Orchestrator server. To display data about a particular host, the host object must be managed by the ePolicy Orchestrator.
Prerequisites for accessing this report
To be able to view this report, the following prerequisites must be met:
1 The McAfee Firewall Enterprise ePO Extension must be installed on the ePO server that you will configure in the ePolicy Orchestrator Settings window.
2 You must configure settings for the ePO server in the ePolicy Orchestrator Settings window. This is to allow the Control Center to communicate with the ePO server.
3 On this same window, you must have selected the Allow Control Center to retrieve reports from the ePO server checkbox.
Accessing this page
1 In the Configuration Tool, click the Policy group bar.
2 Select the Network Objects node. The subnodes are displayed.
3 Select the Hosts subnode. All of the defined host objects are displayed.
4 Right-click the object for which you want to view ePO data and select Show ePO Data. The ePO Host Data page is displayed.
Note that this option is available only if you have selected the Allow Control Center to retrieve reports from the ePO server checkbox on the ePolicy Orchestrator Settings window.
You can also access this report by generating the audit report and then, in the McAfee Firewall Enterprise Audit Report window, right-clicking the Source IP value or the Dest IP value in any row and selecting Show ePO Data.
Fields and buttons
The following fields are available on this page:
• ePO Host Data for host_name — [Read-only] Displays the host name of the object for which this data was retrieved.
• Name — [Read-only] Displays the name of the host parameter for which a value is being displayed.
• Value — [Read-only] Displays the value of the host parameter.
• Save — Save the report as an .html file.
• Refresh — Retrieve updated data from the ePO server for this report.
High Availability (HA)
For the Control Center, the high availability (HA) feature refers to two Control Center Management Servers that are configured to work together to provide redundancy and continuity. You will designate one server as the primary Management Server and the other as the backup Management Server. The primary and backup server roles can be reversed at any time.
Note: High availability on the firewall refers to firewall cluster configurations. On the Control Center, high availability refers to Management Server configurations. For more information on clusters, see McAfee Firewall Enterprise (Sidewinder) clusters on page 215.
The High Availability (HA) Management Server uses this dual-server configuration to continue operations of the Control Center Management Server functions if one Management Server becomes unavailable for any reason. Although the HA Management configuration provides an effective way to maintain operation if a server fails, it is not an automated failover solution.
The following diagram illustrates the difference between a single-server configuration and an HA configuration.
Figure 39 High Availability Management Server configuration
How High Availability (HA) works
When you configure HA by using the High Availability Setup Wizard, you are prompted to designate the primary Management Server. The other server will become the backup server. Subsequently, if you log onto the backup server, you are prompted to switch this server to be the primary server. If you agree that this is what you want, the backup server is then designated as the primary Management Server.
The primary Management Server manages your security policy in its database. After HA is configured, the database of the backup Management Server is automatically synchronized with the data that is stored in the primary Management Server database. This process is referred to as data replication.
Processing with an active primary Management Server
The following diagram illustrates the processing that occurs in an HA configuration when the primary is active.
Figure 40 High Availability process flow with primary Management Server
The following legend describes the HA process in this figure:
1 All of the managed firewalls are communicating with the primary Management Server only.
2 A user uses one of the Client Tools to access the primary Management Server and to make changes to the configuration of one of the managed firewalls.
3 The backup Management Server can be co-located with the primary server or it can be in a completely different location (although a reasonably fast and reliable connection is needed between the two servers).
4 All changes that are made to the database of the primary server are immediately replicated to the database of the backup server.
Signing into a backup Management Server
When a user logs into a backup Management Server by using the Client Suite, the next operation depends on the current state of the primary Management Server. If the primary Management Server is fully operational, a switchover is performed. If the primary Management Server is not operational, a failover is performed.
Switchover versus failover
A switchover is an orderly transfer of the master database designation from the primary Management Server to a backup Management Server. During a switchover, the two nodes are constantly communicating to make sure that no transactions are lost. This is the preferred operation.
In a failover, the transfer of the master database designation still occurs. However, the backup Management Server does not wait for acknowledgment from the primary Management Server.
If a user attempts to log into a backup Management Server, a warning is displayed, indicating that the user is attempting to log into the backup Management Server. If the user decides to continue, this server becomes the primary Management Server. The previously designated primary Management Server is automatically notified about the change and automatically becomes designated as the backup Management Server.
Replication occurs whenever the database of the primary Management Server is updated. Information is written to the database of the primary server from the Control Center application. The replication subsystem adds these changes to the queue for replication to the database of the backup server. The replication typically happens within seconds of any database change. However, if a failure occurs, the transactions are queued and are then re-sent as needed.
Processing in a failover HA scenario
The following diagram illustrates the processing that occurs in an HA configuration when the primary Management Server fails over to the backup Management Server.
Figure 41 High Availability process flow when the primary Management Server fails over to the backup server
The following legend describes the HA process in this figure:
1 A user logs into the backup Management Server and receives a warning that the backup server will perform a switchover that will make the backup server the new primary Management Server.
2 The new primary server notifies the other server that it now has the master database. The new primary server starts replicating data from its database to the new backup server after this point in time. The new primary server will also notify all of the managed firewalls that it is now the new primary server. All changes that are made to the database of the new primary server are immediately replicated to the database of the new backup server.
HA configuration and status support

The following table provides additional information about configuring and working with HA Management Servers.

Table 6 HA configuration and status support

Task | Topics
Configuring HA Management Servers | Configuring the High Availability (HA) feature on page 140
Viewing the operational status of the backup Management Server | Viewing the status of your backup Management Servers on page 122
Removing the HA feature | Removing the High Availability (HA) configuration feature on page 143
Restoring a failed primary HA server | Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair on page 35
Restoring a failed backup HA server | Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair on page 36
Restoring both failed servers (primary and backup) | Restoring both Management Servers in a high availability (HA) pair that have failed completely on page 37

Configuring the High Availability (HA) feature

Use the Control Center High Availability Setup wizard to configure the High Availability (HA) feature on two different Management Servers that you designate as a primary and a backup Management Server. The purpose of the HA feature is to continue the Management Server processes if the primary Management Server is suddenly unavailable for any reason. For an overview about the HA feature, see High Availability (HA) on page 136.

Prerequisites

Before you begin this configuration process, make sure that the following requirements have been met for the two Management Servers that you want to use:

1 Both Management Servers must be installed and have proper network communication.
2 Refer to the following table for a list of TCP ports that are required for successful network communication for High Availability.
Table 7 List of TCP port configurations that are required for High Availability

Port | Description

Control Center HA Server-to-Control Center HA Server TCP Ports
Port 22 | SSH
Port 5432 | Control Center Management Server database
Port 9005 | Control Center Management Server HTTPS/SSL port

HA Server-to-Firewall TCP Ports
Port 9005 | Firewall SSL port for the Control Center

Firewall-to-Control Center HA Server
Port 7080 | Control Center Management Server HTTP port
Port 9005 | Control Center Management Server HTTPS/SSL port
Port 9006 | Control Center utt_server (program for receiving Secure Alerts)

Control Center Client-to-Control Center Management Server
Note: These ports are required for all client-to-server connections and are not specific to HA.
Port 9005 | Control Center Management Server HTTPS/SSL port
Port 5432 | Control Center Management Server database
3 The backup Management Server must be installed with a ccinit.txt file that is equivalent to the file that was installed on the primary Management Server. To configure the backup Management Server:
  a Using the Control Center Initialization Tool (started from the Start menu at Start > McAfee > McAfee Firewall Enterprise Control Center > Control Center Initialization Tool), load a copy of the ccinit.txt file that was used on the primary Management Server.
  b Make any changes that are necessary for the backup Management Server EXCEPT on the User Configuration page. That page must be exactly the same on both Management Servers.
  c Save the modified ccinit.txt file. The new ccinit.txt file can now be used to initialize the backup Management Server during installation.
4 Both Management Servers must be configured with the same user names and passwords for the following accounts:
  • Control Center administrator
  • Management Server administrator (mgradmin)
5 Both Management Servers must be properly licensed. For more information about licensing, see Licensing the Control Center Management Server on page 104.
6 Both Management Servers should have the correct server date and time. Use the Set Server Date and Time window to set these values. For more information, see Setting the date and time on the Management Server on page 131.

Accessing this wizard

In the Administration Tool, from the System menu, select High Availability Setup Wizard….

Pages and fields

Step 1 of 7 - Welcome page

If you have properly licensed the Management Servers, click Next>>.

Step 2 of 7 - Server Configuration page

Specify the following IP addresses and click Next>>.

Note: These IP addresses must not be the same.

• Primary Management Server IP address — Specify the IP address for the primary Management Server to which the backup Management Server connects.
• Backup Management Server IP address — Specify the IP address for the backup Management Server to which the primary Management Server connects.

Step 3 of 7 - Verification page

Confirm that the certificate information is valid for the Management Server that is being configured as the backup Management Server. If it is valid, click Next>>.

To troubleshoot this page if it is not correct:

1 Click <<Previous to go back to the previous page.
2 Make sure that the IP address is correct.
3 If it is correct, contact your network administrator to make sure that you are communicating with the expected Management Server.
4 When you have resolved the problem, click Next>>.
Step 4 of 7 - User Configuration page

Specify the administrator and Management Server administrator (mgradmin) information for the backup Management Server. To configure these settings:

1 To use the same administrator information as you used to log into the Administration Tool, click Use current name and password.
2 Specify the password for the mgradmin account and then re-specify it to verify it.
3 Click Next>>.

Step 5 of 7 - Confirmation page

Preparations for the HA feature configuration are complete. The Create system recovery information checkbox is selected as the default value. This will create a backup of your existing configuration. Accept this default and click Next>>.

Step 6 of 7 - Processing page

The status of the configuration is displayed during the replication process. This process can take a considerable amount of time, depending on the amount of data that is stored in the primary Management Server database. If the HA feature is successfully configured on both of the Management Servers, the Complete page is automatically displayed. If the configuration is unsuccessful, an error message is displayed. Depending on the progress of the wizard, a removal might be automatically performed. The Failure page is displayed.

Note: If you click Close, this wizard page closes. However, the processing will still continue.

Step 7 of 7 - Complete page or Failed page

Depending on the success (Complete page) or failure (Failure page) of the HA feature configuration, one of the following pages is displayed.

• Complete page — If the HA feature configuration is successful, this page is displayed. To view the status of your newly configured backup Management Server, see the Backup Server Status page by selecting Backup Server Status from the System menu. For information about additional HA feature log files, see Viewing additional HA log files on page 142. For an unsuccessful configuration, the configuration and removal logs are displayed.
There are no backup server logs to view.
• Failed page — If the HA feature configuration was unsuccessful, this page is displayed, along with the configuration logs. If you still want to configure the HA feature, see Troubleshooting tips after a successful removal on page 143.

Viewing additional HA log files

If the backup Management Server was successfully configured with the HA feature, two different types of logs are generated:

• Configuration logs that are displayed on the Server Logs page in the High Availability Setup folder. (From the System menu, select Server Logs.)
• Transaction logs that are displayed on the Server Logs page in the High Availability folder. (From the System menu, select Server Logs.)

For more information about the server logs, see Viewing Management Server logs on page 663.
Troubleshooting tips after a successful removal

If your first attempt to configure the HA feature was unsuccessful, but the configuration was successfully removed, you can use the setup wizard to reconfigure it. To reconfigure the HA feature:

1 Go through the Prerequisites section above. Make sure that both of the Management Servers meet all of these requirements.
2 Start the setup wizard again. (From the Tools menu, select High Availability Setup Wizard.)

Removing the High Availability (HA) configuration feature

Use the Control Center High Availability Removal wizard to remove the HA feature on the primary and backup Management Servers. If you have a failover state, in which the primary Management Server cannot communicate with the backup Management Server, restore the backup server before removing HA. However, if this is not possible, you can still remove HA, although an error is reported. For more information about this and other failover scenarios, see Disaster recovery restoration for Management Servers on page 33.

Accessing this wizard

In the Administration Tool, from the System menu, select High Availability Removal Wizard….

Note: This menu option is available only if you have previously configured the High Availability (HA) feature on two of your Management Servers—that is, one primary and one backup Management Server.

Pages and fields

Step 1 of 3 - Welcome page

This page confirms that you want to remove the HA feature. Confirm by clicking Next>.

Step 2 of 3 - Processing page

The status of the configuration is displayed. If this step is successfully completed, the Complete page is displayed. If this step is not successfully completed and the HA feature is not successfully removed, the Failed page is displayed.

Note: If you press Close and the processing has not yet completed, the wizard page closes. However, the processing will continue.
Step 3 of 3 - Complete page or Failed page

One of the following pages is displayed.

• Complete page — The HA feature was successfully removed. There are no longer any backup servers displayed on the Backup Server Status page. You can view this page by selecting Backup Server Status… from the System menu.
• Failed page — If the HA feature configuration was not successfully removed, this page is displayed.

Verifying the removal

If the removal wizard does not report a successful removal, but you think that it was successfully removed, use this procedure to verify the removal. This situation can occur if you ran the removal wizard while the backup server was not running.

To verify that the removal wizard successfully removed the HA feature:

1 Go to the Administration Tool and open the Backup Server Status page. (From the System menu, select Backup Server Status….) This window displays the replication status of the backup Management Server. If the removal wizard was successful, this page will be blank. Continue on to step 2. However, if any data is displayed on this page (for example, the backup Management Server displays a status of FAILED), the removal was not successful. Continue on to step 2 and then to step 3.
2 The removal wizard generates an haStop.log log file. View the contents of this log file in the Server Logs window. (From the Administration Tool System menu, select Server Logs…. Then select the High Availability Setup node and then the haStop.log node.) If you see information at the end of this log that indicates something other than the configuration completed, the removal wizard was not successful.
3 If either step 1 or 2 or both steps were unsuccessful, you must troubleshoot this problem. Go back to the Configuration Tool for the old backup server and try to run the High Availability Removal wizard again. If it is not available to you (that is, you see the High Availability Setup menu option as opposed to the High Availability Removal menu option), you must contact Technical Support.

Final note

After you have successfully run the High Availability Removal Wizard on the primary Management Server, there are additional steps that you can take regarding the control of firewalls. See Completing the HA removal on a standalone Management Server or on one or two Management Servers of an HA pair on page 144.

Completing the HA removal on a standalone Management Server or on one or two Management Servers of an HA pair

After you have successfully run the High Availability Removal Wizard, there are several additional steps to complete, depending on the way in which you want to control the firewalls for those Management Servers. The following scenarios are described:

• Keep firewalls with the former primary server on page 144
• Keep firewalls with the former backup server on page 144
• Split firewalls between the two servers on page 144

Keep firewalls with the former primary server

To keep management control of all of the firewalls with the former primary server:

1 Use the Configuration Tool to log into the former primary server.
2 Apply the configuration to all of the firewalls.
Keep firewalls with the former backup server

To keep management control of all of the firewalls with the former backup server:

1 Use the Configuration Tool to log into the former backup server.
2 From the System menu, select Device Control…. The Device Control window is displayed.
3 Select all of the firewalls in the Select Firewalls to control list. In the Control Actions list, select Request management control.
4 Apply the configuration to all of the firewalls.

Split firewalls between the two servers

To split management control of the firewalls between the two servers:

1 Use the Configuration Tool to log into the former primary server.
2 Apply the configuration to those firewalls that are going to remain under the control of this server.
3 [Optional — still on the former primary server] Delete the firewalls that are no longer needed (that is, that are not going to be managed by this Management Server).
4 Use the Configuration Tool to log into the former backup server.
5 Open the Device Control window (by selecting Device Control… from the System menu).
6 Select all of the firewalls and then select Request management control. Only those firewalls that were not applied to in step 2 above will respond to this request.
7 Remaining on the former backup server, apply the configuration to all of the firewalls. Again, only those firewalls that were not applied to in step 2 will succeed.
8 [Optional — still on the former backup server] Delete the firewalls that are no longer needed (that is, that are not going to be managed by this Management Server).

Authentication

The Control Center supports using an external authentication mechanism, such as a POSIX-compatible LDAP or RADIUS server, to provide off-box authentication support for Control Center users. This feature currently supports the use of external servers to manage authentication (by password management). It does not support Control Center role-based authorization management. This means that Control Center users and their associated passwords can be assigned and managed by using the mechanisms that are associated with the selected external servers. However, the Control Center internal authentication and authorization database must still be updated and managed for each Control Center user to support the internal, role-based authorization mechanism. The Control Center role-based authorization features are not managed by using the external authentication system.

This provides a greatly simplified and effective means to centrally manage passwords without needing to export the potentially complex role management interface that the Control Center user role and domain configuration management would require. IT systems management can globally suspend a user by using commonly used, centralized password management systems (available through LDAP or RADIUS servers), without having to manage role-based authorization and configuration domain access by using the same mechanism.

When you use external authentication, you can configure multiple external servers (LDAP or RADIUS) to manage the Control Center user passwords.
Each identified server is queried in the order that you specify (from top to bottom), as displayed in the Control Center User Authentication window.

Note: When the Control Center Management Server contacts the LDAP server, it does so anonymously.

Use the Control Center User Authentication window to select the authentication method. If either LDAP or RADIUS is selected, identify one or more external servers to use to authenticate Control Center users. You can use this window to configure additional server-specific configuration parameters for LDAP and RADIUS servers, as well as configurable port information.

To support the Control Center user role and configuration domain configurations, each Control Center user must be defined both internally and in any external LDAP or RADIUS server, to satisfy the external authentication and internal user role authorization requirements. All Management Server users will also require that their UNIX user names and passwords are defined in the RADIUS or LDAP servers.

The Control Center authentication management scheme has an additional failsafe feature: the ability to selectively allow designated Control Center users to authenticate into the Management Server by presenting the external authentication credentials to the internal authentication system, so that they can log into the Control Center Management Server if all identified external authentication servers are unreachable. You can enable this feature for any number of users by selecting the Allow authentication failback checkbox on the Control Center User Manager window. To work properly, the user name and password combination that is held in the external authentication servers must be synchronized with the same values that are specified in the internal authentication system.
If none of the specified external authentication servers can be reached to authenticate a Control Center client user, a user who is configured with this designation can still authenticate with the Management Server by using his or her internal credentials. The user name and password synchronization requirement also applies to all Management Server users, who must have their UNIX user name and password accounts specified in and synchronized with the external authentication servers. For Management Server user accounts, all defined UNIX user accounts are automatically configured to have alternate internal authentication failover. If a Control Center user or Management Server UNIX user account is forced to fail over to internal authentication, he or she will automatically switch back to external authentication the next time that he or she logs in to a Client Suite client, a shell, or a console account.
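The ordered query of the external servers, the difference between a server that answers "no" and one that does not answer at all, and the Allow authentication failback rule described above, modelled in Python as an added example. This is not Control Center code: the class and record names are assumptions made here, the server "probe" is a constructed stand-in for the network exchange, and treating a definite rejection as final (rather than moving on to the next server) is this example's own choice, which the guide does not spell out.

```python
"""Added example (not Control Center code): models the documented order of
operations for external authentication with selective failback.

Everything named here (AuthServer, Result, ExternalAuthenticator, the user
and server records) is an assumption made for this illustration; the guide
describes the behaviour, not an API.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"            # server verified the credentials
    REJECT = "reject"            # server answered, credentials wrong
    UNREACHABLE = "unreachable"  # no answer within the configured timeout


@dataclass
class AuthServer:
    name: str
    kind: str  # "LDAP" or "RADIUS"
    probe: Callable[[str, str], Result]  # stand-in for the network exchange


@dataclass
class User:
    name: str
    internal_password: str        # must be kept in sync with the external server
    allow_failback: bool = False  # the "Allow authentication failback" checkbox


class ExternalAuthenticator:
    def __init__(self, servers: List[AuthServer], users: Dict[str, User]):
        self.servers = servers  # queried top to bottom, as in Selected Servers
        self.users = users      # internal database (role data lives here too)

    def authenticate(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (granted, reason). Reason strings are constructed here."""
        user = self.users.get(username)
        if user is None:
            # No internal record means no role data, so external success alone
            # could never be enough: do not even contact the servers.
            return False, "unknown user"
        for server in self.servers:
            result = server.probe(username, password)
            if result is Result.ACCEPT:
                return True, f"accepted by {server.name}"
            if result is Result.REJECT:
                # A reachable server rejected the credentials. Stopping here is
                # this example's choice: a definite "no" must never turn into a
                # retry against the next replica or into internal failback.
                return False, f"rejected by {server.name}"
            # UNREACHABLE: fall through to the next server in the list
        # Every external server timed out: only users with failback enabled may
        # authenticate against the synchronized internal credentials.
        if user.allow_failback and hmac.compare_digest(
                password.encode(), user.internal_password.encode()):
            return True, "failback to internal credentials"
        return False, "all external servers unreachable"


def make_probe(directory: Dict[str, str], reachable: bool = True):
    """Constructed stand-in for an LDAP/RADIUS server holding `directory`."""
    def probe(username: str, password: str) -> Result:
        if not reachable:
            return Result.UNREACHABLE
        if username in directory and hmac.compare_digest(
                directory[username].encode(), password.encode()):
            return Result.ACCEPT
        return Result.REJECT
    return probe


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed data: one directory, one server down, one server up."""
    directory = {"alice": "S3cret!pw", "bob": "S3cret!pw"}
    users = {
        "alice": User("alice", "S3cret!pw", allow_failback=True),
        "bob": User("bob", "S3cret!pw", allow_failback=False),
    }
    down = AuthServer("ldap-primary", "LDAP", make_probe(directory, reachable=False))
    up = AuthServer("ldap-secondary", "LDAP", make_probe(directory))
    return {
        "second_server_answers":
            ExternalAuthenticator([down, up], users).authenticate("alice", "S3cret!pw"),
        "all_down_failback":
            ExternalAuthenticator([down, down], users).authenticate("alice", "S3cret!pw"),
        "all_down_no_failback":
            ExternalAuthenticator([down, down], users).authenticate("bob", "S3cret!pw"),
        "rejected_no_failback":
            ExternalAuthenticator([down, up], users).authenticate("alice", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point to check in any such implementation is the last scenario: a wrong password against a reachable server must not be turned into a second chance against the internal database, even for a user who has failback enabled. Failback is for the unreachable case only.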
Configuring Control Center user authentication

Use the Control Center Authentication Configuration window to identify the type of authentication to be used for Control Center users. You can choose between an internal authentication management option or an external authentication option, by using either LDAP or RADIUS servers. If you select external authentication, additional features to identify and configure one or more RADIUS or LDAP servers are available. For information about authentication options for Control Center users, see Authentication on page 145.

Figure 42 Control Center Authentication Configuration window

Accessing this window

In the Administration Tool, from the System menu, select Authentication. The Control Center Authentication Configuration window is displayed.

Buttons

This window has the following buttons:

• OK — Save the authentication configuration settings.
• Cancel — Close this window without saving any changes.
Tabs

This window has the following tabs:

• Settings — Specify the authentication method and authentication settings. For more information, see Control Center Authentication Configuration window: Settings tab on page 147.
• Authentication Servers — Specify the authentication servers. You can add, edit, or delete servers on this tab. For more information, see Control Center Authentication Configuration window: Authentication Servers tab on page 150.

Control Center Authentication Configuration window: Settings tab

Use the Settings tab on the Control Center Authentication Configuration window to specify the authentication method and authentication settings. To view the fields on this tab, see Figure 42 on page 146.

Accessing this tab

In the Administration Tool, from the System menu, select Authentication. The Settings tab of the Control Center Authentication Configuration window is displayed.

Fields and buttons

The fields on this tab depend on the value that is selected in the Select Authentication Method field:

• Configuring internal authentication on page 147 — The Control Center Management Server database will be used to manage user passwords.
• Configuring LDAP authentication or RADIUS authentication on page 148 — For LDAP authentication, one or more Lightweight Directory Access Protocol (LDAP) directory servers will be used to manage Control Center user authentication. For RADIUS authentication, one or more Remote Authentication Dial-In User Service (RADIUS) servers will be used to manage Control Center user authentication.

Configuring internal authentication

When Internal is selected as the value of the Select Authentication Method field, the following fields and buttons are displayed:

• User Account Password Policy — Use the fields in this area to specify the password policy that will be enforced for users of this Control Center Management Server.
The following fields are available:

  • Minimum password length (characters) — Specify the minimum number of characters that are required for user passwords. Passwords must contain at least four characters. The default value is 8.
  • Number of passwords in password history — Determines whether a password history will be enforced for this user account. Password history prevents users from reusing old passwords for the number of password changes that you specify in this field. If you select this checkbox, you must specify the number of unique new passwords that must be associated with this user account before an old password can be reused. For example, if you specify 3 in this field, the user would not be allowed to use the same password until he or she has used three different passwords. Then he or she could reuse the original password.
  • Password age (days) — Determines whether the Control Center Management Server will consider the number of days since a password was set to determine whether a password change is permitted or required. Use this field to prevent a user from changing his or her password and then immediately changing it again. If you select this checkbox, you must also configure a minimum and maximum number of days.

Note: If you select 0 as the value in the Minimum field, the user is not restricted in terms of password age or history. He or she can recycle through all of his or her old passwords so that he or she can re-use the same password that he or she is currently using. Therefore, to enforce password history and age, you must select a value greater than 0 in this field.
  • Require complex passwords — Determines whether users will be required to create complex passwords by using the parameters that are specified in the subfields. This configuration is based on the following character categories: uppercase, lowercase, numeric, and non-alphanumeric. If you select this checkbox, configure the following subfields:
    • Required number of character categories — Specify the number of character categories that are required for each user password. For example, if you select 2, the user password can contain combinations of any two of the categories. The default value is 2.
    • Required number of characters per character category — Specify the number of required characters in each character category. The default value is 1.
  • Example of a valid password — [Read-only] Displays an example of a valid password that reflects all of the parameters that have been configured and selected on this window.
• Restore defaults — Overwrite the selected values on this tab with the system default values.

Configuring LDAP authentication or RADIUS authentication

Standalone LDAP directory servers have become popular in enterprises because they removed any need to deploy an OSI network. They can also be used directly over TCP/IP.

Note: When the Control Center Management Server contacts the LDAP server, it does so anonymously.

When the RADIUS server is used for user authentication, the values that were specified in the Control Center user name and password fields in the login window are passed to a RADIUS server over the RADIUS protocol. The RADIUS server checks that the information is correct. If the server accepts the information, it will then authorize access to the Control Center Management Server.
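Returning to the User Account Password Policy fields of the internal authentication option above: the following added Python example, which is not code from the guide or from the product, applies those rules (minimum length, password history, minimum and maximum age, and the character-category complexity check) to a proposed password change. The class and function names, the fingerprinting of the history and the sample dates are assumptions made here; the defaults follow the values the guide states, including the Note that a Minimum age of 0 lifts both the age and the history restriction.

```python
"""Added example (not Control Center code): applies the User Account Password
Policy fields described above (minimum length, password history, minimum and
maximum age, complexity categories) to a password change. PasswordPolicy,
UserRecord, the helper names and the sample dates are assumptions; the defaults
mirror the values the guide states (length 8, 2 categories, 1 char each)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8           # guide: at least 4, default 8
    history_size: int = 0         # 0 = password history not enforced
    min_age_days: int = 0         # 0 disables both age and history (guide's Note)
    max_age_days: int = 0         # 0 = passwords never expire
    require_complex: bool = False
    required_categories: int = 2
    chars_per_category: int = 1

    def __post_init__(self):
        if self.min_length < 4:
            raise ValueError("Passwords must contain at least four characters")


# The four categories the guide names; each character counts toward one only.
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "numeric": str.isdigit,
    "non-alphanumeric": lambda c: not c.isalnum(),
}


def category_counts(password: str) -> Dict[str, int]:
    counts = {name: 0 for name in CATEGORIES}
    for ch in password:
        for name, test in CATEGORIES.items():
            if test(ch):
                counts[name] += 1
                break
    return counts


def fingerprint(password: str) -> str:
    # Illustration only: a production history store would use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class UserRecord:
    history: List[str] = field(default_factory=list)  # fingerprints, oldest first
    last_changed: Optional[date] = None


EXAMPLE_TODAY = date(2009, 6, 1)  # constructed reference date


def make_user(past_passwords: List[str], changed_days_ago: Optional[int]) -> UserRecord:
    """Constructed user record: plaintext history and days since the last change."""
    changed = None if changed_days_ago is None else EXAMPLE_TODAY - timedelta(days=changed_days_ago)
    return UserRecord([fingerprint(p) for p in past_passwords], changed)


def check_new_password(policy: PasswordPolicy, user: UserRecord,
                       new_password: str, today: date = EXAMPLE_TODAY) -> List[str]:
    """Return the policy violations for a proposed password; empty means allowed."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.min_age_days > 0:  # a Minimum of 0 lifts both the age and history limits
        if user.last_changed is not None:
            age = (today - user.last_changed).days
            if age < policy.min_age_days:
                problems.append(f"changed {age} day(s) ago; minimum age is {policy.min_age_days}")
        if policy.history_size > 0 and fingerprint(new_password) in user.history[-policy.history_size:]:
            problems.append(f"matches one of the last {policy.history_size} passwords")
    if policy.require_complex:
        met = sum(1 for n in category_counts(new_password).values() if n >= policy.chars_per_category)
        if met < policy.required_categories:
            problems.append(f"only {met} of {policy.required_categories} required character "
                            f"categories have {policy.chars_per_category}+ characters")
    return problems


def password_expired(policy: PasswordPolicy, user: UserRecord, today: date = EXAMPLE_TODAY) -> bool:
    """True once the maximum age has passed, so a change is required at next login."""
    if policy.max_age_days <= 0 or user.last_changed is None:
        return False
    return (today - user.last_changed).days > policy.max_age_days


DEMO_POLICY = PasswordPolicy(history_size=3, min_age_days=1, max_age_days=90, require_complex=True)
```

With DEMO_POLICY, a user whose last three passwords are on record cannot reuse any of them until a fourth different password has been set, and a password set today cannot be changed again until tomorrow; both restrictions disappear when min_age_days is 0, which is the behaviour the guide's Note warns about.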
When you select LDAP or RADIUS as the value in the Select authentication method field, the following fields are available on this tab:

• Select Authentication Servers — Use the lists in this area to identify the defined servers (LDAP or RADIUS, depending on the selected authentication method) and the order in which to use them to authenticate the Control Center user. The servers are specified by using the fields on the Authentication Servers tab.
  • Selected Servers — Displays the list of servers to use and the order in which to use them (from top to bottom).
  • Available Servers — Displays those servers that have been specified, but not selected, to use to authenticate the Control Center users.
  To add, remove, and order the list of the servers that will be used to authenticate Control Center users, use any of the following buttons. Highlight the server object and select the appropriate button to move the object: (left), (right), (up), or (down).
• LDAP Options — [Available only if LDAP is selected in the Select Authentication Method field] Use the fields in this area to further specify the directory location that contains the supplied user name and password. A directory is a tree of directory entries. Each entry is a set of attributes. Each entry also has a unique identifier, which is its Distinguished Name (DN).
  • Suffix (Base) — Specify the Distinguished Name (DN) of the directory entry at which to start the search. The following text is an example, where dc is the domain component:
    dc=sales,dc=example,dc=com
  • LDAP Filter — Specify the way to examine each entry in the scope. The following filter is an example of a search for persons who have either a given name of “John” or an e-mail address that starts with “john”:
    (&(objectClass=person)(|(givenName=John)(mail=john*)))
  • Login Attribute — Select the LDAP attribute in which the authenticator expects the user name to be stored. The following values are available:
    • uid — Identifies the LDAP-standard unique identifier for a user. This is the default value.
    • sAMAccountName — Identifies the name that is used in Microsoft environments to store the Active Directory account name.
    • msSFUName — Identifies the name that is used by environments that are running Microsoft Servers for UNIX 2.0.
    • msSFU30Name — Identifies the name that is used by environments that are running Microsoft Servers for UNIX 3.0.
  • LDAP Scope — Specify the depth at which to search, starting with the DN. Typically, the deeper the search, the longer it takes to perform. However, this is fully dependent on the schema of the LDAP server that is being used. The following values are available:
    • Base — Searches on the named entry only. Use this value to read one entry at the top level.
    • One Level — Searches entries immediately below the base DN.
    • Sub Tree — Searches the entire subtree, starting at the base DN.
  • SSL Encryption — Determines whether the communication between the Control Center Management Server and the LDAP server is secured. If you select Use TLS, Transport Layer Security (the descendant of SSL) is established on the connection. Select this value to encrypt the LDAP connection between the Control Center Management Server and the LDAP server.
  • Bind using specified credentials — Determines whether to use authentication when binding to the configured LDAP server. If this checkbox is selected, simple authentication will be used to bind to the LDAP server by using the specified distinguished name (DN) and password. The default value is cleared. The following fields are available when this checkbox is selected:
    • Bind as (distinguished name) — Specify the distinguished name (DN) to use for binding to the configured LDAP server.
    • Password — Specify the password to use for authenticating the distinguished name that is used to bind to the configured LDAP server.
    • Confirm password — Specify the same value that was entered in the Password field to ensure that the password has been entered correctly.
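The Suffix (Base), LDAP Scope and LDAP Filter settings above, applied by an added Python example over a small constructed directory. This is illustration code written for this page, not the Management Server's LDAP client: the DNs, attribute values and function names are all constructed here, and it assumes DNs without escaped commas and RFC 4515 hex escapes in filter values. Beyond the guide's own filter, it also shows why the login name must be escaped before it is substituted into the Login Attribute filter: with escaping in place, a login of * resolves to no entry instead of to every person in the subtree.

```python
"""Added example (not Control Center code): an in-memory LDAP search that applies
the Suffix (Base), LDAP Scope and LDAP Filter settings described above, plus an
escaped login lookup. The directory, DNs and function names are constructed.
Assumes DNs without escaped commas and RFC 4515 hex escapes in filter values."""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # lowercase attribute name -> values

def _rdns(dn: str) -> List[str]:
    return [p.strip().lower() for p in dn.split(",")]  # "uid=John, ou=X" -> ["uid=john", "ou=x"]

def in_scope(dn: str, base: str, scope: str) -> bool:
    """Base = the named entry only; one = direct children; sub = whole subtree."""
    d, b = _rdns(dn), _rdns(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError(f"unknown scope {scope!r}")

def _compile_value(raw: str):
    """Filter value -> regex: a bare '*' is a wildcard, '\\XX' is one literal char."""
    parts = []
    for tok in re.findall(r"\*|\\[0-9a-fA-F]{2}|[^*\\]", raw):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def _parse(s: str, i: int):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in "&|!":
        children, i = [], i + 2
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)  # escaped values never contain a bare ')'
    return ("=", s[i + 1:eq].strip().lower(), _compile_value(s[eq + 1:close])), close + 1

def parse_filter(text: str):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    return any(node[2].match(v) for v in entry.get(node[1], []))

def search(directory: Dict[str, Entry], base: str, scope: str, filter_text: str) -> List[str]:
    node = parse_filter(filter_text)
    return sorted(dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(node, e))

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not be able to change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def resolve_login(directory: Dict[str, Entry], base: str, scope: str,
                  login_attribute: str, username: str) -> List[str]:
    """DNs whose Login Attribute equals the supplied name; a sound lookup yields exactly one."""
    flt = f"(&(objectClass=person)({login_attribute}={escape_filter_value(username)}))"
    return search(directory, base, scope, flt)

def _person(uid: str, given: str, mail: str) -> Entry:
    return {"objectclass": ["person"], "uid": [uid], "givenname": [given], "mail": [mail]}

BASE = "dc=sales,dc=example,dc=com"
DIRECTORY: Dict[str, Entry] = {  # constructed sample tree
    BASE: {"objectclass": ["domain"]},
    "ou=people," + BASE: {"objectclass": ["organizationalUnit"]},
    "ou=staff," + BASE: {"objectclass": ["organizationalUnit"]},
    "uid=john,ou=people," + BASE: _person("john", "John", "john@example.com"),
    "uid=jsmith,ou=people," + BASE: _person("jsmith", "Jane", "john.smith@example.com"),
    "uid=mary,ou=people," + BASE: _person("mary", "Mary", "mary@example.com"),
    "uid=admin,ou=staff," + BASE: _person("admin", "Admin", "admin@example.com"),
}
GUIDE_FILTER = "(&(objectClass=person)(|(givenName=John)(mail=john*)))"
```

Running the guide's filter with Sub Tree scope from the base returns john (given name) and jsmith (mail starting with "john"); with One Level scope it returns nothing, because the person entries sit two levels below the base. The escaping matters when the Login Attribute lookup is built from what the user typed: an unescaped `(uid=*)` matches all four people, whereas `resolve_login` with a name of `*` matches none.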
Control Center Authentication Configuration window: Authentication Servers tab

Use the Authentication Servers tab on the Control Center Authentication Configuration window to specify the authentication servers. You can add, edit, or delete servers on this tab.

Figure 43 Control Center Authentication Configuration window: Authentication Servers tab

Accessing this tab

1 In the Administration Tool, from the System menu, select Authentication. The Control Center Authentication Configuration window is displayed.
2 Select the Authentication Servers tab. The Authentication Servers tab of the Control Center Authentication Configuration window is displayed.

Fields and buttons

This tab has the following fields and buttons:

• Filter by Type — Specify the external authentication servers to display. The following values are available:
  • ALL — Displays all of the defined external authentication servers.
  • LDAP — Displays only the defined LDAP servers.
  • RADIUS — Displays only the defined RADIUS servers.
• Name — [Read-only] Displays the name of the server. A server that you add on this tab by clicking Add does not become a manageable object in the Configuration Tool. Conversely, RADIUS or LDAP server objects that are defined in the Configuration Tool are separate from the servers that are defined here.
• Type — [Read-only] Displays the type of server. The available values are RADIUS or LDAP.
• IP Address / FQDN — [Read-only] Displays the IP address or the fully qualified domain name (FQDN) of the server.
• Port — [Read-only] Displays the user-defined port number of the server.
• Add — Display the Control Center Authentication Server window, in which you can add a new server.
• Edit — Display the Control Center Authentication Server window, in which you can edit the settings of the highlighted server.
• Delete — Delete the highlighted server. Make sure that you want to do this because there is no confirmation message.
Configuring external authentication servers

Use the Control Center Authentication Server window to specify attributes that are associated with an external authentication server. For more information about the root configuration window or about using external authentication for Control Center users, see Authentication on page 145.

Figure 44 Control Center Authentication Server window

Accessing this window
1 In the Administration Tool, from the System menu, select Authentication. The Control Center User Authentication window is displayed.
2 Click the Authentication Servers tab.
3 Click Add or Edit. The Control Center Authentication Server window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — [Required] Specify the name of the authentication server object that you are creating, or edit the displayed value.
• Description — Provide or edit a useful description of the reason that this object was created.
• Type — Determines whether this authentication server type is LDAP or RADIUS.
• IP Address/FQDN — Specify the IP address or the fully qualified domain name (FQDN) of the authentication server that is being specified or edited.
• Port — Specify the port number to associate with the server that is being specified or edited. The default port for LDAP is 389 and the default port for RADIUS is 1812. The default port values may vary, depending on the way that the servers were configured.
• RADIUS Options — [Available only if RADIUS was selected as the value of the Type field] Use the fields in this area to specify additional RADIUS options for the RADIUS authentication server. The following fields are available:
  • Server Secret — Specify (or edit) the value of the shared secret that is configured on the RADIUS server.
  • Timeout — Specify (or edit) the length of time (in seconds) to wait for a response from the server before attempting to authenticate to the next server in the list.
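The following Python model is an added example, not code from this guide or from the Control Center product. It shows what the server list and the RADIUS Timeout field mean operationally: servers are consulted in the order they are listed, a timeout on one server is the event that advances to the next, and so an administrator login can wait for the sum of all configured timeouts when every server is unreachable. The server names, addresses and shared secret are placeholders, the probe function stands in for the real LDAP bind or RADIUS exchange, and treating an explicit reject as final is an assumption, since the guide describes only the timeout case.

```python
"""Sequential fallback across Control Center external authentication servers.

Added example, not code from the McAfee guide. It models the server list
described on the Authentication Servers tab: each entry has a Type (LDAP or
RADIUS), an address, a port (defaulting to 389 for LDAP and 1812 for RADIUS),
and, for RADIUS, a shared secret and a timeout in seconds. The guide states
that on a RADIUS timeout the next server in the list is tried; how the list
is consulted after an explicit reject is not described, so this model stops
at the first definitive answer (an assumption). The `probe` callable stands
in for the real LDAP bind / RADIUS Access-Request exchange.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_PORTS = {"LDAP": 389, "RADIUS": 1812}


@dataclass
class AuthServer:
    name: str
    type: str                       # "LDAP" or "RADIUS"
    address: str                    # IP address or FQDN (placeholder values below)
    port: Optional[int] = None      # None -> protocol default from DEFAULT_PORTS
    secret: Optional[str] = None    # RADIUS shared secret
    timeout: float = 5.0            # seconds to wait before trying the next server

    def __post_init__(self):
        if self.type not in DEFAULT_PORTS:
            raise ValueError(f"{self.name}: type must be LDAP or RADIUS")
        if self.port is None:
            self.port = DEFAULT_PORTS[self.type]
        if self.type == "RADIUS" and not self.secret:
            raise ValueError(f"{self.name}: RADIUS server needs a shared secret")


# A probe returns "accept", "reject" or "timeout" for one server.
Probe = Callable[[AuthServer, str, str], str]


def authenticate(servers: List[AuthServer], user: str, password: str,
                 probe: Probe) -> Tuple[str, float, List[str]]:
    """Try servers in order; advance only on timeout.

    Returns (result, seconds spent waiting on timeouts, names of servers tried).
    """
    waited = 0.0
    tried: List[str] = []
    for srv in servers:
        tried.append(srv.name)
        outcome = probe(srv, user, password)
        if outcome == "timeout":
            waited += srv.timeout     # the whole timeout elapses before moving on
            continue
        return outcome, waited, tried
    return "unavailable", waited, tried   # every server timed out


def worst_case_wait(servers: List[AuthServer]) -> float:
    """Latency a login sees when every configured server is unreachable."""
    return sum(s.timeout for s in servers)


# Constructed sample configuration; host names and the secret are placeholders.
SAMPLE_SERVERS = [
    AuthServer("radius-primary", "RADIUS", "radius1.example.test",
               secret="placeholder-secret", timeout=3.0),
    AuthServer("radius-backup", "RADIUS", "radius2.example.test",
               secret="placeholder-secret", timeout=3.0),
    AuthServer("ldap-fallback", "LDAP", "ldap.example.test", timeout=10.0),
]


def sample_probe(down=("radius-primary",)) -> Probe:
    """Build a probe in which the named servers never answer and the rest know one user."""
    def probe(srv: AuthServer, user: str, password: str) -> str:
        if srv.name in down:
            return "timeout"
        return "accept" if (user, password) == ("alice", "correct horse") else "reject"
    return probe


if __name__ == "__main__":
    print(authenticate(SAMPLE_SERVERS, "alice", "correct horse", sample_probe()))
    print("worst case wait:", worst_case_wait(SAMPLE_SERVERS), "s")
```

Listing the most reliable server first and keeping timeouts short bounds the delay before the fallback server answers; the worst-case figure is what an operator experiences during an outage of every listed server.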
4 Configuration Tool Overview

Contents
Configuration Tool

Configuration Tool
Use the Configuration Tool of the McAfee Firewall Enterprise Control Center (CommandCenter) to define, configure, and maintain multiple firewalls and security policies for a distributed homogeneous or heterogeneous configuration of McAfee Firewall Enterprise (Sidewinder) devices. You can accomplish the following tasks by using the features and functions of the Configuration Tool:
• Create configurable objects — The components that comprise a security policy include a set of configurable objects that defines the characteristics of the building blocks that are used to implement the security policy. Use this object model of defined objects to share characteristics, options, and functionality, instead of having to provide raw configuration information for each aspect of an implemented security policy. Use the Configuration Tool to retrieve, create, and manage configurable object characteristics. For more information, see Configurable objects on page 154.
• Manage configurable objects — After configurable objects have been defined or retrieved, you can edit, validate, and apply changes to the configured object. You can manage the implemented security policy across all of the supported firewalls in your configuration. For more information, see Firewall configuration management on page 574.
• Create and manage rules — Rules provide the network security mechanism that controls the flow of data into and out of the internal network. They specify the network communications protocols that can be used to transfer packets, the hosts and networks to and from which packets can travel, and the time periods during which the rules can be applied. Rules are created by the system administrator and should reflect the internal network site's security policy. You can retrieve, create, and manage rules in the Configuration Tool. For more information, see Viewing and managing firewall licenses on page 658.
Configuration Tool operations
The Configuration Tool hosts the following operations in the work area of the interface. (For more information about the interface, see Configuration Tool on page 16.)
• Rules — Firewall rules control the flow of data into and out of the network by defining the conditions that must be present to allow or disallow movement of packets. These rules are accumulative and sequence sensitive. Depending on the requirements of your configuration, there could be from hundreds to tens of thousands of rules to manage. The Rules tab provides the interface to view and manage these rules. For more information, see Viewing and managing firewall licenses on page 658.
• Firewall configuration backup — Access this feature through either the Software Updates Tool or the Configuration Tool. Use the Firewall Configuration Backup tab to retrieve a backup firewall configuration file based on the current configuration of the selected firewalls and store it on the Management Server. The same interface can be used to restore this configuration. Use this feature to return a firewall to a default configuration, maintain a version of a working configuration before making configuration changes, or to recover from an unexpected loss of firewall configuration data. For information, see Backing up and restoring firewall configurations on page 704.
• Firewall Status — Use this page to provide a comprehensive visual display of the operational status for all the supported firewalls. You can access this feature on both the Configuration Tool and on the Reporting and Monitoring Tool. The Firewall Status page lists firewall-specific status information for each supported firewall that is configured in your system. For more information, see Viewing the overall status of your firewalls on page 574.
• Configuration Validation Status Report — When changes are made to a firewall configuration by using the Control Center Client Suite, they are made to the data that is stored on the Management Server. These changes can then be viewed and validated against the previously applied configuration by using the features of the Configuration Validation Status Report page. For information about the validation report, see Viewing the status of Apply Configurations on page 593. For information about the validation process, see Firewall configuration management on page 574.
• Configuration Status Report — After configuration changes have been made to a firewall, they must be applied to the appropriate firewall. This process is initiated by clicking Apply Configuration on the Configuration menu. The Configuration Status Report page is displayed, in which you can view the various status conditions for configuration changes that are being applied to firewalls. For information about configuration application status, see Viewing the status of Apply Configurations on page 593. For information about the validation process, see Firewall configuration management on page 574.

In addition to the operations that are hosted in the work area of the Configuration Tool, you can access several other features and functions by using this tool:
• You can access and manage all of the supported firewalls by using the Object area on the left side of the main window and the tools on the Action toolbar. (For more information, see Configuration Tool toolbars on page 70.) You can also access firewalls by making sure that Objects is selected in the View menu. (This is selected by default.)
• You can protect selected operations from being simultaneously performed by multiple users. Access the Locking Manager window by clicking Locking Manager on the Configuration menu.
• You can manage the way in which firewalls are displayed on the client. Access the Firewall Sorting Manager window by clicking Firewall Sorting on the Configuration menu.
• You can re-initialize, reboot, and provide an orderly shutdown of selected firewalls. You can also terminate active sessions and security associations for user-selected firewalls. Access the Device Control window by clicking Device Control on the System menu.
• You can view audit information for the Control Center. Manage the information that is contained in the audit trail by using the Administration Tool. Access the Audit Trail in the Configuration Tool by clicking Audit Trail on the Reports menu. You can also access this information from the Audit Trail menu in the Reporting and Monitoring Tool and in the Administration Tool.

Configurable objects
Use the Configuration Tool to define various components that are used to implement a security policy. The components consist of a set of configurable objects that encapsulate the characteristics of each of the individual building blocks. Using this object model, the defined objects are used to share characteristics, options, and functionality instead of having to provide raw configuration information each time an individual component is created. You can define objects and apply them in various situations, such as rules, while retaining the ability to change the characteristics of an object without having to locate and change every instance.
For example, an address object can be defined that identifies a fixed set of addresses by using a base address and an address mask. This object can represent a group, division, or some other organizational characteristic that is associated with an enterprise. An entire set of rules can then be defined that use this object as a source or destination for a specific type of packet traffic. Eventually, dozens or even hundreds of rules for proxies and other services can be defined that use this network object as a source or destination address. When you need to change the addressing because the organization made a move, or for any other network-related reason, the base address and mask characteristics of the network object can be changed and automatically applied to all of the associated rules.

The basic set of configurable objects consists of the following objects:
• Firewalls — Identifies all of the physical firewalls that are defined in your configuration to support the implemented security policy. For more information, see Configuration Tool - Firewalls on page 163. These objects include firewalls and content management system devices:
  • Firewalls
  • Clusters
  • Device groups
• Firewall settings — Identifies all of the objects that can be configured on a firewall. For more information about these objects, see Configuration Tool - Firewall Settings on page 263. The following objects can be configured:
  • Global settings — Specify a common group of features that can be applied to a number of firewalls. Features include a default application defense group, password and passport authenticators, burbs, server and service settings, and virus scanning properties. See Configuring common (global) settings on page 264.
  • Audit export — Configure audit archive settings for a firewall by using the Audit Export window.
  • Network defenses — Configure and maintain the audit data that the firewall generates for each of the specified protocols and the frequency with which to generate that audit.
  • Servers and service settings — Specify a network service that is associated with a server agent, or daemon, that is running on the firewall. Server services are created during the initial configuration of the firewall. They include services that are used for the following purposes:
    • Management of the firewall (for example, Admin Console)
    • Access to a networked service (for example, SNMP Agent)
    • Routing services (for example, gated, routed)
    • VPN connections (for example, ISAKMP server)
    • Firewall-specific functions (for example, cluster registration server)
    You can modify basic properties that are associated with these services. However, additional server services cannot be created. See Managing servers and service configurations on page 291.
  • IPS Signature Browser — Specify the Intrusion Prevention System (IPS) signatures that have been installed. Use the IPS Signature Browser window to view and manage these signatures. You can also separately manage the signature settings and the signatures.
  • TrustedSource™ — Specify global TrustedSource technology settings for rules.
  • Virus Scan — Specify virus scanning properties. These properties include parameters for distributing scanner processes for incoming and outgoing traffic, controlling buffer sizes, handling archives, and scanning encrypted files.
  • Quality of Service — Specify Quality of Service (QoS) profiles that contain one or more queues that you can use to prioritize network performance based on network traffic type. See Creating Quality of Service profiles on page 311.
  • DNS zones — Specify Domain Name System (DNS) zone objects that can be created and managed by a firewall.
  • Scheduled jobs — Specify jobs that can be scheduled to perform routine maintenance tasks on a firewall.
  • Package load — Specify a schedule that can be used to check for the availability of packages on the Secure Computing Corporation download site. You can then download them to a firewall.
• Policy — Identifies all of the objects that can be configured to define the security policy for a firewall. For more information about these objects, see Configuration Tool - Policy on page 333. The following objects can be configured:
  • Network objects — Specify source or destination conditions in rules. For more information, see Network objects on page 336. The following categories of endpoint objects are defined on the firewall:
    • Hosts — Specify a fully qualified host name or an IP address.
    • Networks — Specify an entire sub-network to use as an endpoint.
    • Address ranges — Specify an inclusive series of IP addresses. You can specify a portion of a sub-network to use as an endpoint.
    • Domains — Specify a domain to use as an endpoint.
    • Adaptive — Specify an adaptive endpoint, which is a single endpoint that can be used in different ways by multiple security firewalls.
    • Geo-Location — Specify a list of countries that are defined in a Geo-Location object to use as an endpoint.
    • Burbs — Specify a burb to use as an endpoint.
    • Burb groups — Specify a burb group to use as an endpoint.
    • Net groups — Specify and name groups of endpoints by using previously configured endpoint objects and a set of system-wide interface controls.
  • Services — Specify a network communications protocol. Services are used as conditions in rules. For more information, see Firewall objects on page 163. The firewall supports the following categories of network services:
    • Proxy services — Specify a network service that is associated with a proxy agent that is running on the firewall. The proxy agent controls communication between clients on one side of the firewall and servers on the other side. The user's client program communicates with the proxy agent instead of communicating directly with the server. The proxy agent evaluates requests from the client and determines the requests to permit and to deny, based on your security policy. If a request is approved, the proxy agent forwards the client's requests to the server and forwards the server's responses back to the client. The proxy agent is application aware (for example, it understands the application layer protocol and can interpret its commands). Proxy agents are used to create proxy services. Proxy services may be TCP-based or UDP-based. Many are defined by default for such TCP-based services as HTTP, FTP, and Telnet and for such UDP protocols as SNMP and NTP. Use the Service Manager window to create additional proxy services.
    • Filter services — Specify a network service that is associated with a filter agent that is running on the firewall. Filter agents provide another way for clients and servers to communicate. The filter agent inspects and passes traffic at the network layer or at the transport layer. The following types of filter agents are provided:
      • TCP/UDP — Transport Control Protocol (TCP) is a transport layer protocol that is defined by a specified port number or range of port numbers. User Datagram Protocol (UDP) is a transport layer protocol that is defined by a specified port number or range of port numbers.
      • ICMP — Internet Control Message Protocol (ICMP) is a network layer protocol that supports packets that contain error, control, and informational messages.
      • IP — Internet Protocol (IP) is a network layer protocol that is defined by a protocol number.
    • Service groups — Specify a collection of network services that are defined on the firewall. See Configuring service groups on page 353.
  • Application Defenses — Specify the settings for inspecting advanced application-level content, such as headers, commands, and filters. They also enable add-on modules such as virus scanning, spam filtering, and Web filtering. They can be used with filter services, most proxy services, and the sendmail server service.
  • IPS — Specify IPS response mappings so that you can create and maintain IPS signature groups. You can also use the IPS Signature Browser to view and manage IPS signatures.
  • Authenticators — Specify authentication services that contain the authenticators that are used by the firewall. For more information, see Authentication services on page 424. The following types of authenticators are available:
    • Password
    • Passport
    • RADIUS
    • Safeword
    • Windows Domain
    • iPlanet
    • Active Directory
    • OpenLDAP
    • Custom LDAP
    • CAC
  • Users — Specify users who can access the Control Center and the way in which they can access it. User identification and authentication is a critical aspect of security. To access a firewall, a user must have a login ID and a method of authentication. Users can be configured to have one authentication method for inbound connections and another method for outbound connections. The firewall supports multiple methods of identification and authentication. These methods are explained in Authentication services on page 424. You can use the Control Center to create two classes of users: firewall users (who are defined by using the user objects on the Configuration Tool) and Control Center users. For information about defining and maintaining Control Center users, see Control Center users on page 81. The various firewalls support one or more of the following types of users:
    • Administrators — Identifies firewall administrator accounts. A firewall administrator is someone who logs directly into the firewall to perform administrative activities.
    • Users — Identifies user accounts to be stored on the firewall.
    • User groups — Identifies internal groups that are used to restrict access to services through the firewall.
    • External groups — Identifies external groups that are used in rules to restrict access to services through the firewall.
  • Time periods — Specify time periods that represent named periods of time. These named time periods are used for various functions, such as limiting the time that a user has the ability to log into the Control Center or determining the time during which rules apply to the assigned firewall. For more information, see Managing time periods on page 470.
  • VPN — Specify a Virtual Private Network (VPN) that securely connects networks and nodes to form a single, protected network. The data is protected as it tunnels through unsecured networks, such as the Internet or intranets. The VPN ensures data origin authentication, data integrity, data confidentiality, and anti-replay protection. A VPN works by encapsulating packets to or from the network with which you want to communicate (the remote network) and by sending them (usually encrypted) as data in packets to or from the network to which you are connected. The VPN is a security gateway between trusted and non-trusted networks that protects network access, network visibility (NAT), and network data (VPN). The two types of supported VPN connections are gateway-to-gateway and VPN host-to-gateway. For more information, see VPN on page 471.
    • VPN wizard — Create VPN channels, including configuration of peers, cryptographic parameters, and the authentication method.
    • VPN peers — Create peer objects that will participate in gateway-to-gateway VPN communities by using the VPN Peer window.
    • VPN communities — Configure VPN communities for a firewall by using the VPN Community window.
    • VPN client configurations — Establish a network configuration for the VPN client to operate on the private side of a firewall by using the VPN Client Configuration window.
    • VPN bypass — Select certain traffic to bypass IPsec policy evaluation and to be sent outside of the encrypted tunnel by using the VPN Bypass window.
    • CA certificates — Import Certification Authority (CA) certificates. A public key certificate is an electronic document that binds a host’s identity with its private key. The purpose of a certificate is to provide proof of a host’s identity. This enables a secure means of encrypting the data communication between one host and another. In digitally signing the certificate, the Certification Authority (CA) vouches for the host's identification, and is then able to issue a secure certificate that will be used to create a digital signature for the data that is being sent. Use the sender’s digital signature, along with the sender’s certificate, to verify that (a) the data originated from the sender, and (b) the data was not tampered with in transit.
    • Remote certificates — Manage remote certificates by using the Remote Certificate page. You can also request, load, retrieve, view, export, and delete certificates on this page.
  • Rules — Specify the network security mechanism that controls the flow of data into and out of the internal network by using the Rules page.
  • URL translation rules — Specify the redirection of inbound HTTP connections, based on application layer data, rather than on the transport layer data that is used for the conventional redirect rules.
  • SSH known hosts — Specify strong known host associations. You can manage this database, which includes only those SSH known host keys with strong trust levels across all firewalls.
• Monitor — Specify the customized actions that occur when specific conditions occur on an associated firewall. Monitoring firewall activity is important so that you can detect and respond to threats and critical conditions. You can configure the firewall to recognize unusual or abnormal occurrences and customize your response to these events. For more information, see Configuration Tool - Monitor on page 573.
  • Audit filters — Specify parameters for filtering the audit data by using the Audit Filters window, so that you can respond effectively to audit events of particular interest to your site.
  • Responses — Specify e-mail accounts that will receive alerts during an IPS attack response and specify hosts from which suspect traffic is to be blackholed, or ignored.
  • IPS attack responses — Configure and modify Intrusion Prevention System (IPS) attack responses by using the IPS Attack Responses window. IPS attack responses define the way that the firewall responds when it detects audit events that indicate such possible attacks as Type Enforcement violations and proxy floods.
  • System responses — Configure and modify system responses in the System Response window. System responses define the way that the firewall responds when it detects audit events that indicate such significant system events as license failures and log overflow issues.
  • Audit report — Configure the parameters for an audit report and generate the report for a single firewall or multiple firewalls.
• Maintenance — Specify general maintenance settings for a specific firewall or for the Control Center Management Server. For more information, see Configuration Tool - Maintenance on page 647.
  • Firewall maintenance — Specify the following parameters for the individual firewall:
    • Device control — Re-initialize, reboot, and provide an orderly shutdown of selected firewalls in the Device Control window. You can also terminate active sessions and security associations for user-selected firewalls.
    • License firewall — Specify and manage firewall licenses by using the Firewall License window.
  • Control Center maintenance — Specify the following parameters for the Control Center Management Server:
    • Server logs — View various types of server logs in the Server Logs window.
    • Server properties editor — View and edit Control Center Management Server properties and add new properties in the Server Property Editor window.
    • Backup configuration — Create a backup file of the Control Center Management Server data or replace an existing backup file in the Backup Control Center System window.
    • Restore configuration — Restore a previously saved system backup file to the Management Server, modify an existing backup name or description, or delete a system backup file in the Restore System from Backup window.
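The address-object example at the start of Configurable objects, and the sequence-sensitive rule evaluation described under Configuration Tool operations, can be made concrete with the following Python model. It is an added example, not code from this guide or from the Control Center product. Network objects of the kinds listed above (host, network, address range, net group) are stored by name, rules refer to them by name rather than by literal address, and a walk over the ordered rule list decides traffic; first-match evaluation and deny-when-nothing-matches are assumptions about the evaluation order, not statements from the guide. Re-basing one network object re-targets every rule that references it without touching the rules. All object names, addresses and rules are constructed sample data.

```python
"""Object-referenced rules, as the Configuration Tool's object model describes.

Added example, not code from the McAfee guide or the Control Center product.
It models the network object kinds the guide lists (host, network, address
range, net group) and an ordered rule set whose source/destination conditions
refer to those objects by name. Two points from the text are shown: rules are
sequence sensitive (first match wins; an assumption about the evaluation
order), and changing an object's base address/mask re-targets every rule
that references it. Object names, addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class NetworkObject:
    """One endpoint object: kind is host, network, range or netgroup."""
    name: str
    kind: str
    value: Union[str, List[str]]   # address, CIDR, "start-end", or member names


class ObjectStore:
    """Named objects; rules look addresses up here at evaluation time."""

    def __init__(self) -> None:
        self.objects: Dict[str, NetworkObject] = {}

    def add(self, obj: NetworkObject) -> None:
        self.objects[obj.name] = obj

    def update(self, name: str, value) -> None:
        """Changing the object is the only edit needed; every rule follows."""
        self.objects[name].value = value

    def contains(self, name: str, addr: str) -> bool:
        obj = self.objects[name]
        ip = ipaddress.ip_address(addr)
        if obj.kind == "host":
            return ip == ipaddress.ip_address(obj.value)
        if obj.kind == "network":
            return ip in ipaddress.ip_network(obj.value, strict=False)
        if obj.kind == "range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in obj.value.split("-"))
            return lo <= ip <= hi
        if obj.kind == "netgroup":
            return any(self.contains(member, addr) for member in obj.value)
        raise ValueError(f"unknown object kind {obj.kind!r}")


@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # name of a NetworkObject
    dst: str         # name of a NetworkObject
    service: str     # for example "http" or "ssh"; "any" matches every service


def first_match(rules: List[Rule], store: ObjectStore,
                src: str, dst: str, service: str) -> Optional[Rule]:
    """Walk the ordered rule list and return the first rule whose conditions hold."""
    for r in rules:
        if r.service not in ("any", service):
            continue
        if store.contains(r.src, src) and store.contains(r.dst, dst):
            return r
    return None


def decide(rules: List[Rule], store: ObjectStore,
           src: str, dst: str, service: str) -> str:
    """Policy decision; no matching rule means deny (assumed default)."""
    r = first_match(rules, store, src, dst, service)
    return r.action if r else "deny"


# Constructed sample objects and rules (not from the guide).
def build_store() -> ObjectStore:
    s = ObjectStore()
    s.add(NetworkObject("finance-net", "network", "10.1.0.0/24"))
    s.add(NetworkObject("eng-range", "range", "10.2.0.10-10.2.0.99"))
    s.add(NetworkObject("intranet-web", "host", "192.0.2.10"))
    s.add(NetworkObject("internal-users", "netgroup", ["finance-net", "eng-range"]))
    s.add(NetworkObject("anywhere", "network", "0.0.0.0/0"))
    return s


RULES = [
    Rule("block-eng-ssh", "deny", "eng-range", "intranet-web", "ssh"),
    Rule("users-to-web", "allow", "internal-users", "intranet-web", "any"),
    Rule("default-deny", "deny", "anywhere", "anywhere", "any"),
]

if __name__ == "__main__":
    store = build_store()
    print(decide(RULES, store, "10.1.0.7", "192.0.2.10", "http"))   # allow
    print(decide(RULES, store, "10.2.0.50", "192.0.2.10", "ssh"))   # deny: earlier rule wins
    store.update("finance-net", "10.9.0.0/24")                       # finance moves
    print(decide(RULES, store, "10.1.0.7", "192.0.2.10", "http"))   # deny: old address left the object
    print(decide(RULES, store, "10.9.0.7", "192.0.2.10", "http"))   # allow: rules followed the object
```

Because the rules hold names rather than addresses, the single `update` call is the whole change; with literal addresses copied into hundreds of rules, the same move would require finding and editing every copy, and any rule missed would silently keep the stale address.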
Viewing details about objects
Use the Object Details page to browse data in the Control Center database that is related to the object type that has been selected in one of the trees of the Configuration Tool. For example, if you selected the Burbs sub-node under Network Objects in the Policy group to view the Burbs window, this page then displays data about all of the burbs that have been defined. You can also edit an object that is displayed on this page by double-clicking it to display the window for this object (for example, the Burbs window if this page displays a list of burbs). You can also export the data in comma-separated value (CSV) format to a file.

Figure 45 One example of the Object Details page

Accessing this page
Note: There is only one Object Details page for the Configuration Tool. Every time that you select a different object type, the data that is displayed on this page is overwritten with the data for the newly selected object type.
1 To view a list of objects, click that object node in one of the trees of the Configuration Tool.
2 Select the Object Details page in the work area of the main window to view a list of these objects.

Fields and buttons
The column names in the table are unique to the object type that has been selected. However, the navigational fields and buttons at the top of this page are the same for all object types. Because your list of objects (where objects refers to the entity for which you are searching) could potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by using the Find filtering mechanism.
1 In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.
2 Click the down arrow to select the display for the search results (Highlight matching <objects> [where <objects> is the entity for which you are searching] or Only display matching <objects> [where <objects> is the entity for which you are searching]).
3 Click Find or press Enter. The results are displayed. If you selected the highlight option, all objects that match the value in the Search field are highlighted in yellow. If you selected the other value, you will see only those objects that matched your search criteria. Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view all of the objects again, click Clear Find Results.
• Export — Displays the Save As window, in which you can save the data as comma-separated values (CSV) in a file that can be opened as a spreadsheet. Specify the name and destination of the .csv file in the Save As window and click OK.

Editing the object data from this page
Double-click anywhere in the row of the object to be edited. The window for that object is displayed. For example, if you had the object details for all of your firewalls displayed on this page, double-click a particular firewall and the Firewall window is displayed with the data for that firewall. You can then change any of the data as required. You can also right-click this object and select options to add a new object, edit this object, copy this object, remove this object, or show all of the references to this object (Show Usage…).
5 Configuration Tool - Firewalls

Contents
Firewall objects
McAfee Firewall Enterprise (Sidewinder)
McAfee Firewall Enterprise (Sidewinder) clusters
Device groups

Firewall objects
Firewall objects represent the physical devices that are used to implement a security policy for an organization. They are designed to protect organization IT infrastructure by keeping out unauthorized users, code, and applications, both internally and externally. In the McAfee Firewall Enterprise Control Center (CommandCenter), firewall objects represent the configuration data and characteristics that are specific to a single firewall.

Creating firewall objects is a two-part process:
1 All types of firewall objects that represent physical devices in your configuration must be identified by providing basic information. Use the Add New Firewall window or the Sign Up Firewalls window to accomplish this task.
2 All of the object-specific configuration information must be created for or retrieved from each firewall. Use the Firewall window to manage firewall configuration information.

Use the Configuration Tool to obtain the configuration information directly from previously configured firewalls. You can select the specific configuration components to retrieve from a particular firewall. The information that has been retrieved is converted into Control Center objects and is then displayed in the associated areas of the Firewall window. The Configuration Tool has two ways to read configuration information directly from the firewall, to normalize the data, and to store this information in the database:
• When the firewall is initially created, you can identify and retrieve a user-selected set of retrieval objects by using the Retrieval Item tab on the Add New Firewall window.
• After a firewall has been created, you can identify and retrieve a user-selected set of retrieval objects by right-clicking the firewall object and selecting Retrieve Firewall Objects. The Firewall Retrieval Options window is displayed.
The configuration data that is associated with a firewall depends on the specific firewall from which data is being retrieved.
McAfee Firewall Enterprise (Sidewinder)
Use the firewall to connect your organization to the Internet while protecting your network from unauthorized users and attackers, and while also protecting internal users as they access the Internet. It combines an application-layer firewall, IPsec VPN capabilities, Web filtering (McAfee SmartFilter), global-reputation-based filtering (McAfee TrustedSource), an anti-virus/anti-spyware filtering engine, and SSL decryption into one Unified Threat Management (UTM) security appliance, designed to offer centralized perimeter security.

You can use the Control Center to manage your firewalls in several different ways:
• as standalone firewalls
• as members of device groups
• as members of a cluster
However, before you can start managing firewalls in any of these ways, you must add them as objects in the Configuration Tool. The following information is presented in this section:
• Registering your firewalls by using the rapid deployment option on page 164
• Registering a firewall manually on page 166
• Retrieving firewall components on page 168
• Configuring the firewall on page 170

Registering your firewalls by using the rapid deployment option
Use the Sign Up Firewalls window to initiate the rapid deployment option. The rapid deployment option is used to sign up one or more firewalls by initiating the process from the Control Center Management Server, rather than from the firewall. This process can be initiated only under specific conditions and only for specific firewalls that have been prepared to employ this option. For more information, see Adding firewalls by using rapid deployment registration on page 38. You can also import a prepared file of multiple firewalls to avoid having to manually specify the details that are required to support this option. After identifying the firewalls to sign up, click OK to start the process. View the progress of the firewall enrollment process on the Deployment Status Report page. To delete a row in this table, highlight the row and press Delete.
Figure 46 Sign Up Firewalls window

Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Right-click the Firewalls node and select Sign Up Firewalls…. The Sign Up Firewalls window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Enter the IP addresses of the firewalls to be signed up. — Use the fields in this area to define the firewall to sign up:
  • Host Name — Specify the fully qualified domain name (FQDN) of the firewall (for example, hostname.company.com). The firewall must be reachable by ping from the Control Center by using the firewall FQDN, and the Control Center must be reachable by ping from the firewall by using the Control Center FQDN.
  • IP Address — Specify the IP address that is used to access the firewall.
  • Password — Specify the password that is used to access the firewall. Although deployment passwords can be any length, to safely use the rapid deployment option, passwords should contain at least eight characters and no more than 256 characters. If the same password has been assigned to all of the firewalls that are being defined for rapid deployment, use the Default Sign Up Password field to specify the common password and leave this field blank.
• Default Sign Up Password — If all of the firewalls that have been identified in the list use the same password, you can specify that password in this field and it will be used to sign up all of the identified firewalls.
• OK — Save the changes on this window.
• Cancel — Close this window without saving any changes.
• Import — Import a space-delimited text file that contains the individual firewall host names, IP addresses, and passwords. The import file must contain the host name and IP address of one or more firewalls that have been prepared for enrollment. All of the firewalls that are identified in an import file must use the same password. The following list is an example:
  fw1.company.net 172.26.113.171
  fw2.company.net 198.115.56.121
  fw3.company.net 191.21.115.101

Registering a firewall manually

After the Control Center Management Server has been installed and the firewall-specific, Control Center enabling configurations have been made, you can begin to add new firewall objects and their associated configuration objects to the Control Center Management Server database.

Creating firewall objects is a two-part process. Initially, all types of firewall objects that represent physical devices in your configuration must be identified by providing basic information. This task is accomplished by using this window. Next, all of the firewall-specific configuration information must be created or retrieved for each firewall. Firewall configuration information is managed by using the Firewall window. For more information, see Firewall objects on page 163.

Figure 47 Add New Firewall window

Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Double-click the Firewalls node, or right-click the Firewalls node and select Add Object.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify the name of the node or host. This is either the DNS name of the node or a user-specified name. It can be expressed in multiple parts. Node names can be any sequence of letters and numbers, but they cannot begin with a number, nor can they contain most punctuation characters.
• Location — Specify a description of the location.
• Mgmt Address — Specify the management IP address to associate with the firewall.
• Version — Specify the version of the software or firmware that is installed on the firewall.
• Description — Specify any additional description to associate with the firewall.
• Retrieval Items — Use the list on this tab to specify the configuration components that are to be retrieved from the firewall. Each firewall has its own set of configuration objects that can be retrieved from the firewall and populated in the Management Server database. For more information about retrieval items, and to learn about an alternate method of retrieving configuration information from individual firewalls, see Retrieving firewall components on page 168. To select or clear all of the item checkboxes in this list, right-click the Retrieval Items column heading and click the respective option. You can access and edit retrieved objects by using the Firewall window.
• Categories — Use the table on this tab to define objects for developing a classification hierarchy for the firewalls that are installed in your configuration. By using this category/value pair construction, you can sort firewalls by using your own sorting scheme. After you create a user-defined category, it appears in the category list. By carefully defining a sorting scheme and identifying each firewall by specifying one or more categories, you can use this sorting scheme to obtain views of firewalls by using the Firewall Sorting Manager window, which is accessible from the System menu.
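The rapid deployment import file described for the Import button of the Sign Up Firewalls window is simple enough to validate before it is handed to the Management Server. The following added example (not code from the guide or the product) parses such a file, checks that each host name is an FQDN and each address is a valid IPv4 address, applies the guide's password-length guidance, and enforces the rule that every firewall in one file must share a password. The optional third password column per line and the handling of blank lines are assumptions, since the guide's example shows only two columns.

```python
"""Parse and validate a Sign Up Firewalls (rapid deployment) import file.

Added example, not McAfee code. The guide describes the file as space-delimited
with a host name and IP address per line, requires that all firewalls in one
file use the same password (entered as the Default Sign Up Password), and
recommends passwords of 8 to 256 characters. An optional third per-line column
for the password is an assumption; the guide's own example has only two columns.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MIN_PW, MAX_PW = 8, 256  # length range the guide recommends for safe rapid deployment

# Constructed sample reproducing the three example lines from the guide.
SAMPLE_IMPORT = """\
fw1.company.net 172.26.113.171
fw2.company.net 198.115.56.121
fw3.company.net 191.21.115.101
"""


@dataclass(frozen=True)
class SignUpEntry:
    host_name: str
    ip_address: str
    password: Optional[str]  # None when the Default Sign Up Password applies


def is_fqdn(name: str) -> bool:
    """True when the name has at least two labels and every label is well formed."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def password_ok(password: str) -> bool:
    return MIN_PW <= len(password) <= MAX_PW


def parse_import_file(text: str, default_password: Optional[str] = None
                      ) -> Tuple[List[SignUpEntry], List[str]]:
    """Return (entries, errors); entries is empty whenever any error was found.

    Fields are split on whitespace. Blank lines are skipped (an assumption; the
    guide does not say how the product treats them).
    """
    entries: List[SignUpEntry] = []
    errors: List[str] = []
    hosts_seen: Set[str] = set()
    ips_seen: Set[str] = set()
    passwords_seen: Set[str] = set()

    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) not in (2, 3):
            errors.append(f"line {lineno}: expected 'host ip [password]', got {len(parts)} fields")
            continue
        host, ip = parts[0], parts[1]
        password = parts[2] if len(parts) == 3 else None

        if not is_fqdn(host):
            errors.append(f"line {lineno}: {host!r} is not a fully qualified domain name")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"line {lineno}: {ip!r} is not a valid IPv4 address")
        if host.lower() in hosts_seen:
            errors.append(f"line {lineno}: duplicate host name {host!r}")
        if ip in ips_seen:
            errors.append(f"line {lineno}: duplicate IP address {ip!r}")
        hosts_seen.add(host.lower())
        ips_seen.add(ip)

        # A line without its own password falls back to the Default Sign Up Password.
        effective = password if password is not None else default_password
        if effective is None:
            errors.append(f"line {lineno}: no password given and no Default Sign Up Password set")
        elif not password_ok(effective):
            errors.append(f"line {lineno}: password length {len(effective)} is outside {MIN_PW}..{MAX_PW}")
        else:
            passwords_seen.add(effective)
        entries.append(SignUpEntry(host, ip, password))

    # The guide requires every firewall in one import file to use the same password.
    if len(passwords_seen) > 1:
        errors.append("all firewalls in an import file must use the same password")
    return (entries if not errors else []), errors


if __name__ == "__main__":
    parsed, problems = parse_import_file(SAMPLE_IMPORT, default_password="example-signup-pw")
    for entry in parsed:
        print(f"{entry.host_name:20} {entry.ip_address}")
    for problem in problems:
        print("error:", problem)
```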
Retrieving firewall components

Use the Firewall Retrieval Options window to select the components that you want to retrieve from the associated firewall and store in the Control Center database. The list of components that can be retrieved is firewall-specific. Each component has an associated checkbox. Select the checkbox to retrieve the associated component. If you select certain components, other related or subordinate components are automatically selected. For example, if the Firewall window Information component is selected, the Firewall Interfaces, Firewall Certificates, CA Certificates, and Authentication Services components are also selected for the firewall.

Figure 48 Firewall Retrieval Options window

Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Right-click a supported firewall object and select Retrieve Firewall Objects. The Firewall Retrieval Options window is displayed.

To select or clear all of the item checkboxes in this list, right-click the Retrieval Item Description column heading and click the respective option. After selecting the checkbox for each of the components to retrieve, click OK to start the retrieval process.

For more information about the components in the list, including the information that is retrieved for each object and the location at which the information is managed in the Control Center Client application, see the following table.

Table 8 Firewall retrieval options and information (columns: Component, Information, Placement in Client Interface)
• Firewall Interfaces — Information: Endpoints, Services, NAT, Interfaces, Cluster Interfaces (HA), Quality of Service. Placement: Network Objects (Network Object Manager window), Services (Service Manager window), Firewalls, Miscellaneous (Quality of Service window).
• Firewall Dialog Information — Placement: Network Objects (Network Objects Manager window), Services (Service Manager window), Environment Objects (DNS Zones), Firewalls.
• Firewall License
• Firewall Certificates
• CA Certificates
• Network Objects — Information: Endpoints. Placement: Network Objects.
• Services — Information: Services. Placement: Services.
• Users — Information: Users. Placement: Users (User Types).
• Miscellaneous — Information: Time Periods, DNS Zones.
• Application Defenses
• Content Scanning
• IPS — Information: Signature Categories and Class Types. Placement: IPS Objects.
• TrustedSource — Information: TrustedSource. Placement: Content Security (TrustedSource window).
• VPN — Information: Endpoints, Services, NAT, CA Certificates, Certificates, VPN Clients, VPN Peers, VPN Communities. Placement: VPN.
• Audits and Alerts — Information: Audit Export objects, Audit Filters. Placement: Audits and Alerts.
• Authentication Services — Information: RADIUS, LDAP. Placement: Authentication Services.
• Rules — Information: Endpoints, Services, Rules. Placement: Network Objects, Services, Content Security, Rules.

Configuring settings for a standalone firewall

The following topics provide more detailed information about configuring the settings on a standalone firewall:
• Configuring the firewall on page 170 — Provides information about the Firewall window and all of the areas on this window.
• Firewall window-related tasks on page 204 — Provides information about the various windows that can be accessed from the areas on the Firewall window.
Configuring the firewall

Use the Firewall window to add or change configuration object data for the selected firewall. This window consists of a tree with nodes. Each node is an area with unique fields and buttons. For more information about firewall objects, see Firewall objects on page 163. In addition to the areas on this window, there is additional information about related tasks. For more information, see Firewall window-related tasks on page 204.

Note: For information about firewall High Availability clusters, see McAfee Firewall Enterprise (Sidewinder) clusters on page 215.

Figure 49 Firewall window for a version 7.0.1.02 firewall

Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click the firewall object to be edited. The Firewall window is displayed.

Buttons
• OK — Save the changes that have been made on any of the areas and close this window.
  Note: Changes that you make on any individual area in this window are not saved until you click OK for the entire window.
• Cancel — Close this window without saving any changes.

Tree nodes
This window has the following nodes in the tree:
• General Settings — Select to display firewall identification and common configuration information. See Firewall window: General Settings area on page 172.
• Offbox Settings — Configure audit export settings and, for versions 7.0.1.02 and later of the cluster, McAfee Profiler and McAfee Firewall Reporter settings. See Firewall window: Offbox Settings area on page 174.
• Interfaces — Select to configure interfaces for this firewall. See Firewall window: Interfaces area.
• Static Routing — Specify the default gateway and entries in the static routing table of the firewall. There are different Static Routing areas, depending on the version of firewall that you have selected and whether you have enabled IPv6:
  • For version 7.0.1 and later of the firewall with IPv6 enabled — See Firewall window: Static Routing area (for versions 7.0.1 and later with IPv6 enabled) on page 180.
  • For version 7.0.1 or later of the firewall without IPv6 enabled, or for versions 7.0.0.06 or 7.0.0.07 of the firewall — See Firewall window: Static Routing area (for versions 7.0.1 or later without IPv6 enabled or for versions 7.0.0.06 or 7.0.0.07 only) on page 184.
• Dynamic Routing — Modify configuration files that are associated with dynamic routing. See Firewall window: Dynamic Routing area on page 187.
• Sendmail — Modify sendmail configuration files. See Firewall window: Sendmail area on page 189.
• DNS — Manage and modify the DNS configuration. See Firewall window: DNS area on page 190.
• Certificates — Generate certificate requests and manage firewall certificates. See Firewall window: Certificates area on page 196.
• Miscellaneous — Select or configure a group of features, or global settings, to be applied to the firewall. Additionally, you can configure firewall settings objects, policy objects, reputation threshold settings, lockout threshold settings, and additional settings in this area. See Firewall window: Miscellaneous area on page 201.

Note: To read specific information directly from the firewall, use the Firewall Retrieval Options window. The Configuration Tool has two ways to read configuration information directly from the firewall, normalize the data, and store it in the database:
• When the firewall is initially created, identify and retrieve a user-selected set of retrieval objects by using the Retrieval Items tab on the Add New Firewall window.
• After a firewall has been created, identify and retrieve a user-selected set of retrieval objects by right-clicking the firewall object and selecting Retrieve Firewall Objects. The Firewall Retrieval Options window is displayed.
Firewall window: General Settings area

Use the General Settings area of the Firewall window to specify firewall parameters such as the node name, management IP address, management port, and software version. For more information about defining firewall objects, see Firewall objects on page 163.

Figure 50 Firewall window: General Settings area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 Make sure that the General Settings node is selected.

Fields and buttons
This area has the following fields and buttons:
• Name — Displays the name of the firewall object as it appears in the list of firewalls in the Firewalls group bar. You can edit this value.
• Description — Specify comments and information about the firewall and its configuration.
• Node Name — [Read-only] Displays the host name by which the system identifies itself during network and login connections.
• Configuration — Use the fields in this area to specify information about the firewall and its location. The following fields are available:
  • Firewall Mgmt Address — Specify the IP address of the network interface on the firewall that the Control Center uses to manage the firewall.
  • Firewall Mgmt Port — Specify the port number that the firewall uses to communicate with the Control Center Management Server. The default management port is 9005. The value that is selected or specified in this field must match the value that is configured on the firewall by using its native GUI. If you change the value on this window and apply the change, it does not change the value on the firewall.
  • Version — [Read-only] Displays the version of software installed on the firewall. This information is necessary so that the Control Center can produce the correct format of data to send to the firewall when configurations are applied.
  • Time Zone — Specify the time zone in which the firewall is located.
  • Location — Specify user-defined location information. Use this information to provide your own alternate view of the way in which the firewalls are organized and displayed in the Firewalls group bar of the Configuration Tool tree. For more information, see Reviewing your configured firewalls on page 594.
  • Contact — Specify contact information for this firewall. The Administrator e-mail address is displayed in this field. This is the e-mail address that was configured on and retrieved from the firewall.
  • Enable IPv6 — [Available for version 7.0.1 and later of the firewall only] Determines whether IPv6 is enabled for this firewall. If this is the first time that you are enabling IPv6 for any firewall in this domain, the IPv6 Rule Conversion window is displayed. For more information about this window, see Converting network objects in rules for the IPv6 protocol on page 204.
• Management Servers — Use the table in this area to specify information about the Control Center Management Servers. If you are using the High Availability Management Server configuration option, specify the active server and the standby server or servers. The following columns are in this area:
  • Host Name — Specify the fully qualified host name of the Management Server.
  • IP address — Specify the IP address of the Management Server.
  Note: Specify the IP address that the firewall uses to reach the Management Server. It may differ from the IP address configured on the server if there is a NAT device between the firewall and the server.
• Firewall Properties — Use the table in this area to specify user-defined category/value pairs. Use these pairs to sort firewalls by using a user-defined sorting scheme (in addition to the built-in Location and Contact categories). By carefully defining a sorting scheme and identifying each firewall by using one or more categories, a powerful sorting scheme can be applied to obtain views of firewalls by using the Firewall Sorting Manager window. The following columns are in this area:
  • Category — Specify the name of the grouping that you want to define.
  • Value — Specify a value for the category.
• Mail Configuration — Use the fields in this area to specify the firewall mail configuration.
  • SMTP Mode — The following options are available:
    • Secure Split SMTP — Use the firewall-hosted sendmail servers. Select this option to take advantage of sendmail features such as header stripping, spam and fraud control, and mail routing.
    • Transparent — Pass mail by proxy through the firewall. Select this option to ensure that only the files that are necessary to send administrative messages are configured. These include firewall-generated alerts, messages, and logs.
  • Internal SMTP Burb — Specify the burb in which your site's SMTP server resides.
Firewall window: Offbox Settings area

Use the Offbox Settings area of the Firewall window to specify configuration information for exporting audit data, and settings for the McAfee Firewall Profiler and the McAfee Firewall Reporter.

Figure 51 Firewall window: Offbox Settings area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 In the tree on the left, select the Offbox Settings node. The Offbox Settings area is displayed.

Fields and buttons
This area has the following fields and buttons:
• Audit Export — Use the fields in this area to specify an audit export configuration.
  • Configuration — Specify an audit export configuration that has been defined on the Audit Export window. Access this window by selecting the Firewall Settings group bar in the Object area of the Configuration Tool and double-clicking Audit Export. You can select or edit an existing configuration or add a new one. See Audit export on page 268. To edit an existing object, select the object in the list and then click (Edit selected); the respective object window is displayed. To add a new object, click (Add); the respective object window is displayed.
  • Certificate — Specify a certificate to use when transferring the firewall's archived audit files to the Control Center Management Server. This list includes the certificates that have been specified in the Certificates area of the Firewall window.
  • Attach Signature — [Available only if a value is selected in the Configuration field] Determines whether a signature is attached. This checkbox is cleared by default.
  • Delete logs after export — Determines whether to delete the audit export log file that resides on this firewall after it has been successfully exported to all of its specified locations. If you do not select this checkbox, the audit export log files remain on the local firewall after they have been exported. The default value is cleared.
• McAfee Firewall Profiler — [Available only for firewall versions 7.0.1.02 or later] Use the fields in this area to configure this firewall to send audit and policy data to the McAfee Firewall Profiler that you specify. You can create a new McAfee Firewall Profiler object in the Profiler window. See McAfee Firewall Profiler on page 272. The following fields are available:
  • Archive verbose audit — [Available only if a McAfee Firewall Profiler has been configured] Determines whether the audit data that is being archived is at the verbose level, which means the highest level of detail and larger file sizes. The default value is cleared.
  • Certificate — Specify the certificate for the McAfee Firewall Profiler.
• McAfee Firewall Reporter — [Available only for firewall versions 7.0.1.02 or later] Use the field in this area to configure this firewall to enable real-time transmission of its audit data to the McAfee Firewall Reporter. The McAfee Firewall Reporter has advanced reporting functionality. The following field is available:
  • Configuration — Specify the Firewall Reporter / Syslog configuration that this firewall uses to transmit its audit data to the McAfee Firewall Reporter. You can also edit and add configurations from this field in the Firewall Reporter / Syslog window. For more information, see Firewall Reporter / Syslog settings on page 273. To edit an existing object, select the object in the list and then click (Edit selected); the respective object window is displayed. To add a new object, click (Add); the respective object window is displayed.
Firewall window: Interfaces area

Use the Interfaces area of the Firewall window to perform the following tasks:
• Assign all of the network link elements to the interface, such as IP address, network mask, burb, NIC, and MTU size for outgoing packets.
• Select Quality of Service (QoS) profiles and define alias addresses for an interface.
• Create Standard, VLAN, DHCP, or transparent interfaces.

The internal and external network interfaces of the firewall are defined during the initial configuration. You can create an unlimited number of interfaces. Up to 63 interfaces can be enabled at one time, in a combination of standard and VLAN interfaces. However, you can configure only one of these interfaces to be a transparent (bridged) interface.

For more information about defining firewall objects, see Firewall objects on page 163. For more information about creating a transparent interface, see Creating a transparent (bridged) interface on page 179.

Figure 52 Firewall window: Interfaces area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 In the tree on the left, select the Interfaces node. The Interfaces area is displayed.

Tabs
This area has the following tabs:
• Firewall Interfaces — Specify interfaces for this firewall. See Firewall Interfaces tab on page 176.
• NICs/NIC Groups — Configure the physical NICs and create NIC groups for redundant NICs. See NICs/NIC Groups tab on page 177.

Firewall Interfaces tab
The Firewall Interfaces tab has the following fields and buttons:
• Enabled — Determines whether the associated interface is enabled. Select or clear the checkbox to enable or disable the interface.
• Name — Specify the name of a network, Virtual LAN (VLAN), or transparent (for firewall versions 7.0.1.02 and later) interface. This name can contain alphanumeric characters, dashes (-), underscores (_), and spaces ( ).
• IP address — Specify the unique IP address of the network interface. This value must be a valid IPv4 address in dotted quad format. If you are configuring this interface to connect to a Dynamic Host Configuration Protocol (DHCP) server, leave this field blank and select DHCP in the Type field; this field then displays DHCP as its value. If you are using this interface as part of a transparent (bridged) interface, after you select Transparent as the value in the Type field, you can specify the IP address for the bridge parent. However, if this interface is a bridge member, the value in this field is changed to Bridge member and is read-only.
• Mask — Specify the length of the significant portion of the netmask (the prefix length). If you do not specify this value, it defaults to 24, which corresponds to a netmask of 255.255.255.0. If you are configuring this interface to connect to a DHCP server, leave this field blank and select DHCP in the Type field; this field then displays DHCP as its value.
• Type — Specify the type of interface that you are configuring. The following values are available:
  • Standard — Indicates a single network that is attached to one NIC or NIC group.
  • DHCP — Indicates network settings that are governed by a DHCP server within the same physical network that is attached to the NIC.
  • Transparent — [Available only for firewall versions 7.0.1.02 and later] Indicates that two interfaces are joined together to form one transparent or bridged interface.
  • VLAN — Indicates one of the virtual networks that is managed by the NIC.
• VLAN ID — Specify the VLAN identifier for this interface. Within the set of VLANs on each NIC, each number must be unique. This field is not available unless the value of the Type field is VLAN. Valid values are from 1 to 4094.
• Burb — Specify the burb that is attached to this network interface.
• NIC/NIC Group — Specify the NIC or the NIC group that is currently attached to this network interface.
• Bridged Interfaces — [Available only if Transparent was selected as the value in the Type field] Specify the two interfaces that will be used to form this transparent (bridged) interface.
• Advanced... — Display the Firewall Interface window, in which you can configure additional features for this interface. See Configuring a network interface (for firewalls and cluster members) or a transparent interface (for firewalls) on page 206.
• Delete — Click x (Delete) in the row to be deleted. The interface is deleted from the firewall.
• (Information area) — [Read-only] Displays information about the highlighted interface in the list.
• (Add) — Adds a new firewall interface to the bottom of the list.

NICs/NIC Groups tab
Use the NICs/NIC Groups tab to configure the physical NICs and to create NIC groups for redundant NICs. A primary reason for NIC groups is to provide redundant NIC functionality: if the primary NIC in a group stops working or is disconnected, the standby NIC starts passing the traffic. To configure a new NIC group with a primary and a secondary NIC, click Add to display the NIC Group window.

A maximum of 26 NICs can be installed in a firewall at one time, including the two onboard NICs. A dual-port NIC counts as two NICs, a quad-port NIC counts as four NICs, and so on.

Figure 53 NICs/NIC Groups tab on the Firewall window: Interfaces area

Fields and buttons
This tab has the following fields and buttons:
• NICs — Use the fields in this table to configure the settings for each NIC.
  • Name — [Read-only] Displays the name of the NIC.
  • MAC Address — [Read-only] Displays the MAC address of the NIC. The MAC address is used for communication at the data-link layer.
  • Speed Mode — Specify the speed for packet delivery. If you select autoselect, the NIC negotiates this value with the network. The none option is used for NICs that do not have a speed, for example on a virtualized firewall. Otherwise, you can select an exact value from this list.
  • Capabilities — Specify the media capabilities of the NIC. To select the values for this list:
    1 Click the down arrow. The list of values is displayed, along with a Find field and button.
    2 If you do not need to filter the list, go to the next step. To filter the list of values, in the Find field, specify a value, a partial value, or an internal value (such as part of an IP address if you are working with objects that reference them) and click Find. Only the values that match your find criteria are displayed.
    3 Select the checkbox of each value that you want to add to this field and click the down arrow to close the drop-down display. If you have selected more than one value, they are displayed in a comma-delimited list in this field.
    The following values are available:
    • rxcsum — Enables hardware checksum verification for incoming IPv4 packets.
    • txcsum — Enables hardware checksum generation for outgoing IPv4 packets.
    • jumbo_mtu — Configures the network interface to receive jumbo frames. This value is available only on NICs that support jumbo frames.
  • Description — Specify a description for this NIC.
• NIC Groups — Use the fields in this table to modify an existing NIC group, or click Add to add a new one.
  • Name — [Read-only] Displays the name of the NIC group.
  • NICs — [Read-only] Displays the list of NICs that are attached to this NIC group.
  • Description — Specify a description for the NIC group.
  • Modify — Display the NIC Group window, in which you can edit the settings for this NIC group.
  • Delete — Click x (Delete) in the row to be deleted. The NIC group is deleted from the firewall.
  • Add — Display the NIC Group window, in which you can add a new NIC group.
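The Firewall Interfaces tab above states several constraints that the Control Center enforces in its GUI: the name character set, dotted-quad IPv4 addresses with a prefix-length mask that defaults to 24, VLAN IDs from 1 to 4094 that are unique per NIC, at most 63 enabled interfaces, and a single transparent (bridged) interface built from two configured member interfaces whose address becomes Bridge member. The following added example (not code from the guide or the product) checks an interface table against those rules before it would be applied, so that an inconsistent table is caught in review rather than on the firewall. The Interface field names and the sample table are assumptions modelled on the tab's columns and on Tables 9 and 10 in the next section.

```python
"""Validate the Firewall window: Interfaces table before it is applied.

Added example; not McAfee code. It encodes the constraints the guide states for
the Firewall Interfaces tab. The Interface field names are an assumption
modelled on the tab's columns.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NAME_RE = re.compile(r"^[A-Za-z0-9 _-]+$")  # letters, digits, dashes, underscores, spaces
TYPES = ("Standard", "DHCP", "VLAN", "Transparent")
MAX_ENABLED = 63
DEFAULT_MASK = 24


@dataclass
class Interface:
    name: str
    type: str                      # one of TYPES
    enabled: bool = True
    ip: Optional[str] = None       # blank for DHCP; optional on the bridge parent
    mask: Optional[int] = None     # prefix length; the guide's default is 24
    burb: Optional[str] = None
    nic: Optional[str] = None      # NIC or NIC group, e.g. "em0"; "bridge0" when transparent
    vlan_id: Optional[int] = None
    bridged: List[str] = field(default_factory=list)  # names of the two member interfaces


def sample_table() -> List[Interface]:
    """Constructed table matching the guide's Tables 9 and 10: defaults plus one bridge."""
    return [
        Interface("external_network", "Standard", ip="203.0.113.10", burb="external", nic="em0"),
        Interface("internal_network", "Standard", ip="192.0.2.1", burb="internal", nic="em1"),
        Interface("bridged_network", "Transparent", nic="bridge0",
                  bridged=["external_network", "internal_network"]),
    ]


def validate_interfaces(ifaces: List[Interface]) -> List[str]:
    """Return human-readable problems; an empty list means the table is consistent."""
    errors: List[str] = []
    by_name: Dict[str, Interface] = {i.name: i for i in ifaces}
    if len(by_name) != len(ifaces):
        errors.append("interface names must be unique")
    if sum(1 for i in ifaces if i.enabled) > MAX_ENABLED:
        errors.append(f"at most {MAX_ENABLED} interfaces may be enabled at one time")

    transparent = [i for i in ifaces if i.type == "Transparent"]
    if len(transparent) > 1:
        errors.append("only one transparent (bridged) interface may be configured")
    members = {m for t in transparent for m in t.bridged}

    vlan_seen: Dict[Tuple[Optional[str], int], str] = {}  # (nic, vlan id) -> owner
    for i in ifaces:
        if not NAME_RE.match(i.name):
            errors.append(f"{i.name!r}: name may contain only letters, digits, dashes, underscores and spaces")
        if i.type not in TYPES:
            errors.append(f"{i.name}: unknown interface type {i.type!r}")
            continue

        if i.type == "Transparent":
            if len(i.bridged) != 2 or len(set(i.bridged)) != 2:
                errors.append(f"{i.name}: a transparent interface needs exactly two distinct bridge members")
            for m in i.bridged:
                if m not in by_name or m == i.name:
                    errors.append(f"{i.name}: bridge member {m!r} is not a configured interface")
                elif by_name[m].type in ("DHCP", "Transparent"):
                    errors.append(f"{i.name}: bridge member {m!r} cannot be a DHCP or transparent interface")
            if i.nic != "bridge0" or i.burb is not None:
                errors.append(f"{i.name}: a transparent interface uses NIC/NIC Group bridge0 and Burb <None>")

        if i.type == "DHCP":
            # The server supplies address and mask; the table shows DHCP in both columns.
            if i.ip is not None or i.mask is not None:
                errors.append(f"{i.name}: leave IP address and Mask blank on a DHCP interface")
        elif i.name not in members and i.ip is not None:
            # Bridge members show "Bridge member" instead of an address, so they are skipped.
            mask = DEFAULT_MASK if i.mask is None else i.mask
            try:
                ipaddress.IPv4Interface(f"{i.ip}/{mask}")
            except ValueError:
                errors.append(f"{i.name}: {i.ip}/{mask} is not a valid IPv4 address and prefix length")

        if i.type == "VLAN":
            if i.vlan_id is None or not 1 <= i.vlan_id <= 4094:
                errors.append(f"{i.name}: VLAN ID must be between 1 and 4094")
            elif (i.nic, i.vlan_id) in vlan_seen:
                errors.append(f"{i.name}: VLAN ID {i.vlan_id} on {i.nic} is already used by {vlan_seen[(i.nic, i.vlan_id)]}")
            else:
                vlan_seen[(i.nic, i.vlan_id)] = i.name
        elif i.vlan_id is not None:
            errors.append(f"{i.name}: VLAN ID is only valid when Type is VLAN")
    return errors
```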
  • 179. McAfee Firewall Enterprise (Sidewinder) Creating a transparent (bridged) interface This functionality is available only for firewalls version 7.0.1.02 and later. It is not available for High Availability clusters. A transparent interface consists of two bridge member interfaces. You can use a transparent interface to separate a single network into two burbs. This allows you to enforce security policy on traffic that passes through your firewall’s transparent interface without having to re-address the network around the firewall. For more information, see Managing firewall interfaces on page 41. The following table shows the default firewall interface configuration. These interfaces, or any other two interfaces, can be used to configure one transparent interface. Table 9 Standard interfaces User defined interface name NIC or NIC Group Burb name external_network em0 external internal_network em1 internal The following table shows a transparent interface that has been configured by using the default interfaces. Note that bridge0 consists of two bridge member interfaces—em0 and em1. Table 10 Transparent interface User defined transparent interface name NIC or NIC Group bridged_network bridge0 (em0, em1) If you configure a transparent interface, you cannot enable or configure: • Split DNS • High Availability clusters • Sendmail • Dynamic routing • DHCP on the transparent interface • DHCP Relay agent • VPN termination in a transparent burb • IPv6 addresses on the transparent interface To create a transparent interface: 1 If the Firewall window is already displayed, skip to step 4. or In the Configuration Tool, make sure that the Firewalls group bar is selected. 2 Click the Firewalls node to display the list of configured firewalls. 3 Double-click the firewall for which you want to configure the transparent interface. The Firewall window is displayed. 4 In the tree, click Interfaces. The Interfaces area is displayed. 
5 Click the icon at the far right of this area to add a new interface row to the table.
6 Specify values in the Name, IP address, and Mask fields. In the Type field, select Transparent. For more information about the fields in this area, see Firewall window: Interfaces area on page 175. As soon as you select Transparent, the following changes occur in the table:
  a The value in the Burb field is changed to <None> and is read-only.
  b The value in the NIC/NIC Group field is changed to bridge0 and is read-only.
  c A new Bridged Interfaces column is displayed, in which you can select two interfaces from the available list of configured interfaces to use for this transparent interface.
7 In the Bridged Interfaces field, select the two interfaces to use for this transparent interface. After you select the bridge members, their IP address values are changed to Bridge Member.
8 Click Advanced… to display the Firewall Interface window, in which you can configure additional settings.
9 In this window, you can configure alias addresses, MTU size, and ARP table cache size. For more information about these fields, see Configuring a network interface (for firewalls and cluster members) or a transparent interface (for firewalls) on page 206.
10 Click OK to save your changes.

Firewall window: Static Routing area (for versions 7.0.1 and later with IPv6 enabled)

Use the Static Routing area to modify the default route or to configure an alternate route to be used for default route failover. The default route is the route that a router uses when no other known route exists for a packet's destination address. The alternate default route is a redundant route: if the primary default route becomes inaccessible, the alternate default route starts to forward traffic.

Note: If you are viewing this window for a 7.0.1 or later firewall without IPv6 enabled, or for a 7.0.0.06 or 7.0.0.07 firewall, go to Firewall window: Static Routing area (for versions 7.0.1 or later without IPv6 enabled or for versions 7.0.0.06 or 7.0.0.07 only) on page 184.

Figure 54 Firewall window: Static Routing area (for firewall versions 7.0.1 and later, IPv6 enabled)
Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.

Tabs and buttons
This area has the following tabs and buttons:
• IPv4 — Configure static routes for your IPv4 addresses. For more information, see IPv4 tab on page 181.
• IPv6 — [Available only when IPv6 is enabled] Configure static routes for your IPv6 addresses. For more information, see IPv6 tab on page 183.
• OK — Save all of the information on the entire Firewall window.
• Cancel — Close this window without saving any changes.

IPv4 tab
Use the fields on this tab to configure static routes for your IPv4 network traffic. To view the fields on this tab, see Figure 54 on page 180.

Accessing this tab
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.
5 Make sure that the IPv4 tab is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Configure default route failover — Determines whether you are going to configure an alternate default route. The default value is cleared. If you select this checkbox, the fields in the Alternate Default Route area are available.
• Default Route — Use the fields in this area to configure the IP address for the default IPv4 route and, if you are configuring route failover, one or more IP addresses to ping to confirm primary default route availability.
  The following fields are available:
  • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its destination address. This is usually the IP address of a router that forwards packets to your Internet Service Provider (ISP). You can also configure a DHCP route by specifying dhcp as the value in this field; a DHCP interface must already be configured.
  • Description — Provide information to assist in identifying this route.
  • Ping addresses — [Available only if Configure default route failover is selected] Use the fields in this table to manage the IP addresses that the firewall pings to confirm that the primary default route is accessible. The primary default route IP address is displayed automatically; you can configure additional ping addresses.
    • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click anywhere in a blank row.
    • Delete — Click x (Delete) in the row of an IP address that you want to delete from this table.
    • Ping interval (s) — Specify the time (in seconds) between each ping that the firewall sends to the configured IP addresses to ensure that the path is accessible. Valid values are from 2 to and including 60.
    • Failures allowed — Specify the number of failed ping attempts that must occur before the alternate default route assumes the role of the default (primary) route. Valid values are from 2 to and including 20. Failures are counted as a running total rather than consecutively: a failed ping adds one to the failure total and a successful ping subtracts one. The failure total is never less than zero and never more than the configured failures allowed. For example, if you set the allowed number of failures to 3, the following table shows how successful and failed pings are counted to determine the failover.

      Ping result:    failure  success  success  failure  failure  success  failure  failure
      Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)

  • Alternate Default Route — [Available only if Configure default route failover is selected] Use the fields in this area to configure the IP address for the alternate default route and one or more IP addresses to ping to confirm alternate default route availability. The following fields are available:
    • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its destination address. This should be a different route than the primary default route; it can also be a different ISP.
    • Description — Provide information to assist in identifying this route.
    • Ping addresses — Use this table to manage the IP addresses that the firewall pings to confirm that the alternate default route is accessible.
      • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click anywhere in a blank row.
      • Delete — Click x (Delete) in the row of an IP address that you want to delete from this table.
    • Ping interval (s) — Specify the time (in seconds) between each ping that the firewall sends to the configured IP addresses to ensure that the path is accessible. Valid values are from 2 to and including 60.
    • Failures allowed — Specify the number of failed ping attempts that must occur before the alternate default route is considered to be inaccessible. Valid values are from 2 to and including 20. Failures are counted as a running total rather than consecutively: a failed ping adds one to the failure total and a successful ping subtracts one. The failure total is never less than zero and never more than the configured failures allowed. For example, if you set the allowed number of failures to 3, the following table shows how successful and failed pings are counted to determine the failover.

      Ping result:    failure  success  success  failure  failure  success  failure  failure
      Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)
  • Static routes — Use this table to display, edit, or add static routes other than the primary default route and the alternate default route that are specified in the fields at the top of this area. The following fields are available:
    • Destination — Specify the IP address for the route destination. This value must be a valid IPv4 address in dotted quad format. You can append a slash-format netmask length (for example, x.x.x.x/y, where each x is a number between 0 and 255 and y is a number between 0 and 31). After you move to another field, the mask length is removed from this field and the corresponding netmask is displayed in the Netmask field; for example, if you specified /24, the Netmask value is 255.255.255.0. If you do not specify a mask length, the default Netmask value, 255.255.255.255, is provided.
    • Netmask — Specify the netmask that is assigned to the route destination. This value must be a valid IPv4 address in dotted quad format and it must be a contiguous netmask.
    • Gateway — Specify the IP address of the gateway to use in the route to the specified destination. This value must be a valid IPv4 address in dotted quad format.
    • Description — Provide information to assist in identifying this route.
    • Delete — Click x (Delete) in the row of a static route that you want to delete from this table.

IPv6 tab
Use the fields on this tab to configure static routes for your IPv6 network traffic. IPv6 routes are saved in compressed form with lowercase letters. For example, if you specify FFAB:0000:9::, the value is saved as ffab:0:9::.

Note: This tab is available only if IPv6 is enabled.

Figure 55 Firewall window for version 7.0.1 and later firewalls with IPv6 enabled: Static Routing area: IPv6 tab

Accessing this tab
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object.
  The Firewall window is displayed.
4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.
5 Select the IPv6 tab. The IPv6 tab is displayed.
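The Destination, Netmask and Gateway rules stated for the IPv4 Static routes table (a slash length expanded to a dotted-quad netmask, contiguous masks only, 255.255.255.255 when no length is given) and the IPv6 compression rule above apply to the Static routes tables in both Static Routing areas. The following is an added example, not Control Center code, that applies those rules with Python's standard ipaddress module so that a route list can be checked before it is typed into the tables. The function names, the error strings, the sample rows, and the choice to treat a missing IPv6 prefix as 128 are this example's own assumptions; gateway reachability cannot be checked offline and is not attempted.

```python
"""Static route entry normalisation (added example, not Control Center code).

Applies the rules the Static Routing area states for the IPv4 Static routes
table (slash length expanded to a dotted-quad netmask, contiguous masks only,
255.255.255.255 when no length is given) and for IPv6 routes (addresses stored
compressed and lowercase; link-local gateways need an interface).
"""
import ipaddress
from typing import List, Optional, Tuple

MAX_SLASH_LENGTH = 31   # the page documents y in x.x.x.x/y as 0..31


def prefix_to_netmask(length: int) -> str:
    """Dotted-quad netmask for a prefix length, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{length}").netmask)


def is_contiguous_netmask(netmask: str) -> bool:
    """True for a run of one bits followed by zero bits (255.255.255.0).
    False for a hostmask (0.0.0.255), a mask with holes (255.0.255.0), or junk."""
    try:
        m = int(ipaddress.IPv4Address(netmask))
    except ValueError:
        return False
    low = (~m & 0xFFFFFFFF) + 1      # power of two iff the zero bits form one trailing run
    return low & (low - 1) == 0


def normalize_ipv4_route(destination: str, netmask: str = "", gateway: str = ""
                         ) -> Tuple[str, str, str, List[str]]:
    """Normalise one row of the IPv4 Static routes table.

    destination is 'x.x.x.x' or 'x.x.x.x/y'. A slash length replaces any netmask
    given separately; with neither, the page's default 255.255.255.255 is used.
    Returns (destination, netmask, gateway, errors); errors is empty when valid.
    """
    errors: List[str] = []
    addr, _, length = destination.partition("/")
    try:
        addr = str(ipaddress.IPv4Address(addr))
    except ValueError:
        errors.append(f"destination {addr!r} is not a dotted-quad IPv4 address")
    if length:
        if length.isdigit() and int(length) <= MAX_SLASH_LENGTH:
            netmask = prefix_to_netmask(int(length))
        else:
            errors.append(f"mask length {length!r} must be 0..{MAX_SLASH_LENGTH}")
    elif not netmask:
        netmask = "255.255.255.255"
    if not is_contiguous_netmask(netmask):
        errors.append(f"netmask {netmask!r} is not a contiguous dotted-quad netmask")
    try:
        gateway = str(ipaddress.IPv4Address(gateway))   # reachability is not checked offline
    except ValueError:
        errors.append(f"gateway {gateway!r} is not a dotted-quad IPv4 address")
    return addr, netmask, gateway, errors


def normalize_ipv6_route(destination: str, prefix: Optional[int] = None,
                         gateway: str = "", interface: str = ""
                         ) -> Tuple[str, int, str, List[str]]:
    """Normalise one row of the IPv6 Static routes table.

    Addresses are compressed and lowercased as the firewall stores them
    (FFAB:0000:9:: -> ffab:0:9::). A slash length in destination replaces the
    prefix argument; with neither, 128 (a host route) is assumed by this example.
    A link-local gateway (fe80::/10) must name an interface.
    """
    errors: List[str] = []
    addr, _, length = destination.partition("/")
    try:
        addr = str(ipaddress.IPv6Address(addr))
    except ValueError:
        errors.append(f"destination {addr!r} is not an IPv6 address")
    if length:
        prefix = int(length) if length.isdigit() else -1
    if prefix is None:
        prefix = 128
    if not 0 <= prefix <= 128:
        errors.append(f"prefix {prefix} must be 0..128")
    if gateway:
        try:
            gw = ipaddress.IPv6Address(gateway)
            gateway = str(gw)
            if gw.is_link_local and not interface:
                errors.append("a link-local gateway requires an interface")
        except ValueError:
            errors.append(f"gateway {gateway!r} is not an IPv6 address")
    return addr, prefix, gateway, errors


if __name__ == "__main__":
    # Constructed sample rows, not taken from any real firewall.
    print(normalize_ipv4_route("10.1.2.0/24", gateway="10.1.0.1"))
    print(normalize_ipv4_route("10.1.0.0", "255.0.255.0", "10.1.0.1"))
    print(normalize_ipv6_route("FFAB:0000:9::/48", gateway="FE80::1", interface="em0"))
    print(normalize_ipv6_route("5::/128", gateway="fe80::1"))
```

The contiguity test deliberately does not rely on ipaddress.IPv4Network accepting a mask string, because that constructor also accepts hostmasks such as 0.0.0.255, which the Netmask field must reject.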
Fields and buttons
This tab has the following fields and buttons:
• Default Route — Use the fields in this area to configure the IP address for the default IPv6 route.
  • IP address — Specify the IP address of the device that forwards traffic with no known route to its destination address. This is usually the IP address of a router that forwards packets to your Internet Service Provider (ISP). If you are configuring a link-local route (an address that begins with fe80), you must also specify an interface in the Interface column for this route.
  • Description — Provide information to assist in identifying this route.
• Static routes — Use this table to display, edit, or add IPv6 static routes. The following fields are available:
  • Destination — Specify the host IP address or subnet address of your end target. This value must be an IPv6 address. You can also specify the prefix length at the end of this address with a slash (/) followed by the length (for example, 5::/128).
  • Prefix — Specify the mask length for this IP address. Valid values are 0–128.
  • Gateway — Specify the gateway address that the route will use to pass traffic to the destination. The gateway address must be reachable by the firewall. If the gateway is a link-local address (that is, the address begins with fe80), you must specify a valid interface in the Interface column.
  • Description — Provide information to assist in identifying this route.
  • Interface — [Available only if this IPv6 static route uses a link-local address] Specify the interface for this route.
  • Delete — Click x (Delete) in the row of a static route that you want to delete from this table.

Firewall window: Static Routing area (for versions 7.0.1 or later without IPv6 enabled or for versions 7.0.0.06 or 7.0.0.07 only)

Use the Static Routing area to modify the default route or to configure an alternate route to be used for default route failover.
Note: If you are viewing this window for a 7.0.1 or later firewall with IPv6 enabled, see Firewall window: Static Routing area (for versions 7.0.1 and later with IPv6 enabled) on page 180.

The default route is the route that a router uses when no other known route exists for a packet's destination address. The alternate default route is a redundant route: if the primary default route becomes inaccessible, the alternate default route starts to forward traffic. With redundant default routes, use the fields in this area to define an alternate default route and ping addresses for the default routes.
• The firewall continuously pings the default route IP address and any other ping addresses that you define in this area.
• If all of the configured ping addresses fail, the alternate default route becomes the acting default route.
• Failback is manual. When the primary default route is available again, restore it by selecting the Revert default gateway to the primary default gateway option in the Control Actions field in the Device Control window.
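The failover decision rests on the Failures allowed counter described for the IPv4 tab above and again in the fields of this area, and its up/down behaviour is easy to misjudge when estimating how long an outage goes undetected. The following is an added example, not Control Center code, that models the counter in Python using the page's rules: a failed ping adds one to the failure total, a successful ping subtracts one, the total is clamped between zero and the configured limit, and failover occurs when the total reaches the limit. The ping sequence replayed is the one from the page's table and the value ranges are the page's; the class and function names, the default ping interval, and the detection-time estimate are this example's assumptions.

```python
"""Default route failover ping accounting (added example, not Control Center code).

Models the Failures allowed counter described in the Static Routing area: a failed
ping adds one to the failure total, a successful ping subtracts one, the total is
clamped to [0, failures_allowed], and a failover event occurs when the total
reaches failures_allowed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Ranges documented on the page for the two fields.
FAILURES_ALLOWED_RANGE = (2, 20)
PING_INTERVAL_RANGE = (2, 60)      # seconds


@dataclass
class RouteMonitor:
    """Failure accounting for one default route (primary or alternate)."""
    failures_allowed: int
    ping_interval: int = 10        # seconds; a value chosen for this example
    failure_total: int = 0
    history: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        lo, hi = FAILURES_ALLOWED_RANGE
        if not lo <= self.failures_allowed <= hi:
            raise ValueError(f"Failures allowed must be {lo}..{hi}")
        lo, hi = PING_INTERVAL_RANGE
        if not lo <= self.ping_interval <= hi:
            raise ValueError(f"Ping interval must be {lo}..{hi} seconds")

    def record(self, success: bool) -> bool:
        """Apply one ping result. Returns True when the total sits at the limit,
        i.e. the failover event has occurred."""
        if success:
            self.failure_total = max(0, self.failure_total - 1)
        else:
            self.failure_total = min(self.failures_allowed, self.failure_total + 1)
        self.history.append(self.failure_total)
        return self.failure_total == self.failures_allowed

    def pings_until_failover(self) -> int:
        """Consecutive failed pings still needed from the current state."""
        return self.failures_allowed - self.failure_total

    def seconds_until_failover(self) -> int:
        """Approximate detection time from now: about one interval per missing failure."""
        return self.pings_until_failover() * self.ping_interval


def replay(results: Sequence[str], failures_allowed: int = 3,
           ping_interval: int = 10) -> Tuple[List[int], Optional[int]]:
    """Replay 'failure'/'success' results; return (failure total after each ping,
    index of the ping that caused failover, or None if it never happened)."""
    monitor = RouteMonitor(failures_allowed, ping_interval)
    failover_at = None
    for i, result in enumerate(results):
        if monitor.record(result == "success") and failover_at is None:
            failover_at = i
    return monitor.history, failover_at


# The sequence from the page's worked table (Failures allowed = 3).
PAGE_SEQUENCE = ["failure", "success", "success", "failure",
                 "failure", "success", "failure", "failure"]

if __name__ == "__main__":
    totals, at = replay(PAGE_SEQUENCE)
    print("failure totals:", totals, "failover after ping", at + 1)
    # Alternating loss never accumulates, so the route never fails over.
    print("alternating:", replay(["failure", "success"] * 5))
    print("detection time from healthy, 3 failures at 10 s:",
          RouteMonitor(failures_allowed=3, ping_interval=10).seconds_until_failover(), "s")
```

Two consequences worth noting: intermittent loss that alternates with successes never triggers failover, because each success undoes a failure, and the minimum time to detect a hard outage from a healthy state is roughly Failures allowed times Ping interval, so a large limit with a long interval delays failover accordingly.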
Figure 56 Firewall window: Static Routing area (for firewall versions 7.0.1 or later without IPv6 enabled or for 7.0.0.06 and 7.0.0.07 only)

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.

Fields and buttons
This area has the following fields and buttons:
• Configure default route failover — Determines whether you are going to configure an alternate default route. The default value is cleared. If you select this checkbox, the fields in the Alternate Default Route area are available.
• Default Route — Use the fields in this area to configure the IP address for the default route and, if you are configuring route failover, one or more IP addresses to ping to confirm primary default route availability. The following fields are available:
  • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its destination address. This is usually the IP address of a router that forwards packets to your Internet Service Provider (ISP). You can also configure a DHCP route by specifying dhcp as the value in this field; a DHCP interface must already be configured.
  • Description — Provide information to assist in identifying this route.
  • Ping addresses — [Available only if Configure default route failover is selected] Use the fields in this table to manage the IP addresses that the firewall pings to confirm that the primary default route is accessible. The primary default route IP address is displayed automatically; you can configure additional ping addresses.
    • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click anywhere in a blank row.
    • Delete — Click x in the row of an IP address that you want to delete from this table.
    • Ping interval (s) — Specify the time (in seconds) between each ping that the firewall sends to the configured IP addresses to ensure that the path is accessible. Valid values are from 2 to and including 60.
    • Failures allowed — Specify the number of failed ping attempts that must occur before the alternate default route assumes the role of the default (primary) route. Valid values are from 2 to and including 20. Failures are counted as a running total rather than consecutively: a failed ping adds one to the failure total and a successful ping subtracts one. The failure total is never less than zero and never more than the configured failures allowed. For example, if you set the allowed number of failures to 3, the following table shows how successful and failed pings are counted to determine the failover.

      Ping result:    failure  success  success  failure  failure  success  failure  failure
      Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)

  • Alternate Default Route — [Available only if Configure default route failover is selected] Use the fields in this area to configure the IP address for the alternate default route and one or more IP addresses to ping to confirm alternate default route availability. The following fields are available:
    • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its destination address. This should be a different route than the primary default route; it can also be a different ISP.
    • Description — Provide information to assist in identifying this route.
    • Ping addresses — Use the fields in this table to manage the IP addresses that the firewall pings to confirm that the alternate default route is accessible.
      • IP address — Specify the IP address that the firewall will ping. To add a new IP address, click anywhere in a blank row.
      • Delete — Click x in the row of an IP address that you want to delete from this table.
    • Ping interval (s) — Specify the time (in seconds) between each ping that the firewall sends to the configured IP addresses to ensure that the path is accessible. Valid values are from 2 to and including 60.
    • Failures allowed — Specify the number of failed ping attempts that must occur before the alternate default route is considered to be inaccessible. Valid values are from 2 to and including 20. Failures are counted as a running total rather than consecutively: a failed ping adds one to the failure total and a successful ping subtracts one. The failure total is never less than zero and never more than the configured failures allowed. For example, if you set the allowed number of failures to 3, the following table shows how successful and failed pings are counted to determine the failover.

      Ping result:    failure  success  success  failure  failure  success  failure  failure
      Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)
  • Static routes — Use this table to display, edit, or add static routes other than the primary default route and the alternate default route that are specified in the fields at the top of this area. The following fields are available:
    • Destination — Specify the IP address for the route destination. This value must be a valid IPv4 address in dotted quad format. You can append a slash-format netmask length (for example, x.x.x.x/y, where each x is a number between 0 and 255 and y is a number between 0 and 31). After you move to another field, the mask length is removed from this field and the corresponding netmask is displayed in the Netmask field; for example, if you specified /24, the Netmask value is 255.255.255.0. If you do not specify a mask length, the default Netmask value, 255.255.255.255, is provided.
    • Netmask — Specify the netmask that is assigned to the route destination. This value must be a valid IPv4 address in dotted quad format and it must be a contiguous netmask.
    • Gateway — Specify the IP address of the gateway to use in the route to the specified destination. This value must be a valid IPv4 address in dotted quad format.
    • Description — Provide information to assist in identifying this route.
    • Delete — Click x in the row of a static route that you want to delete from this table.

Firewall window: Dynamic Routing area

Use the Dynamic Routing area of the Firewall window to modify the configuration files that are associated with dynamic routing. Dynamic routing is performed by a dynamic routing application together with a routing protocol, such as:
• BGP (Border Gateway Protocol)
• OSPF (Open Shortest Path First)
• RIP (Routing Information Protocol)
• PIM-SM (Protocol-Independent Multicast - Sparse Mode)

The firewall implementation of the BGP, OSPF, and RIP protocols and the corresponding server processes is based on the Quagga implementation.
The firewall implementation of PIM-SM is based on the XORP (eXtensible Open Router Platform) implementation. Each routing application is associated with a configuration file that contains all of the information required to configure dynamic routing. Use the Dynamic Routing area to select a configuration and to edit the associated configuration file. For more information about routing and the various protocols, see the "Routing" chapter of the McAfee Firewall Enterprise (Sidewinder) Administration Guide.

Note: Editing the configuration files associated with dynamic routing protocols and applications requires advanced knowledge. If you edit one of the Quagga configuration files that is accessible from this area and apply the configuration to the firewall, the modified configuration is validated before the information from the Control Center is applied to the firewall. If you edit the XORP configuration file, the modified file is validated before the XORP implementation is modified; if the configuration is invalid, XORP continues to use its previous configuration. For the Quagga implementations, consult the documentation available at www.quagga.net.
Figure 57 Firewall window: Dynamic Routing area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 Select the Dynamic Routing node. The Dynamic Routing area is displayed.

Fields and buttons
This area has the following button and an associated field.
• --Select Configuration — Determines the configuration file that is associated with the firewall server process. The following values are available:
  • BGP configuration — Display the configuration file that is associated with the firewall server process that implements BGP processing (bgpd).
  • OSPF configuration — Display the configuration file that is associated with the firewall server process that implements OSPF processing (ospfd).
  • zebra configuration — Display the configuration file that is associated with the kernel routing table manager server process, zebra.
  • XORP configuration — Display the configuration file that is associated with the XORP implementation of PIM-SM routing.
  • rip configuration - external — Display the configuration file that is associated with the external burb and the firewall server process that implements RIP processing (ripd). RIP is configured on a per-burb basis; there is a RIP configuration file for each burb registered to the firewall.
  • rip configuration - internal — Display the configuration file that is associated with the internal burb and the firewall server process that implements RIP processing (ripd).
  • rip configuration - unbound — Display the configuration file that is associated with the server process that implements RIP processing across burbs (ripd-unbound).
Firewall window: Sendmail area

Use the Sendmail area of the Firewall window to edit the sendmail configuration files. These files contain information such as the delivery agents to use and the way to format message headers.

Caution: Do not change your sendmail configuration options unless you are an experienced sendmail user and want to customize the files for your site. Make a backup copy of a sendmail configuration file before you edit it.

Figure 58 Firewall window: Sendmail area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 Select the Sendmail node. The Sendmail area is displayed.

Fields and buttons
This area has the following fields and buttons:
• Manage Sendmail files via Control Center — Determines whether the Sendmail files are updated by the Control Center Management Server or by the firewall. The default value is selected.
• File Set — Determines whether the files you want to modify are in the internal burb or the external burb.
• Configuration File — Specify the configuration file to be modified. The following values are available for each file set:
  • Access Table — Define anti-relaying and anti-spamming policies for the SMTP server.
  • Aliases File (available only in the internal burb) — Define the mail aliases that are used to redirect e-mail to another person or location.
  • Alternative Host Names — Identify alternate host names by which the firewall is known. E-mail addressed to any of the alternate names is treated as local mail by the firewall.
  • Domain Table — Provide a mapping from an old domain name to a new domain name. You might modify this file if your organization's external domain name changes.
  • M4 Config File — Define the initial sendmail configuration.
    Modify this file as needed to account for site-specific requirements.
  • Mailer Table — Map a domain to a mail relay that is responsible for mail delivery in that domain.
  The selected configuration file is available for editing in the associated text box.
• Save — Save your changes to the edited configuration file.

Firewall window: DNS area

Use the DNS area of the Firewall window to manage and modify the DNS configuration for the firewall. The firewall supports the following DNS configurations:
• Transparent DNS
• Hosted Single Server DNS
• Hosted Split Server DNS

Figure 59 Firewall window: DNS area (Transparent Configuration)

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 Select the DNS node. The DNS area is displayed.

Fields and buttons
This area has one field that determines the composition of the area and the fields and buttons that are available for configuring DNS:
• DNS Configuration — Specify the type of DNS configuration. The following values are available:
  • Transparent — In this configuration, DNS requests are proxied through the firewall to one or more remote DNS servers. See Transparent DNS Configuration on page 191.
  • Hosted Single Server — In this configuration, one DNS server is hosted on the firewall and handles all DNS queries. The server is protected by the hardened operating system on the firewall. See Hosted Single Server Configuration on page 191.
  • Hosted Split Server — In this configuration, two DNS servers are hosted on the firewall: one server is bound to the Internet burb (the Internet name server) and the other server (the unbound name server) is available for use by all other burbs. Both servers are protected by the hardened operating system on the firewall. See Hosted Split Server Configuration on page 193.
    Note: For firewall versions 7.0.1.00 and later, if IPv6 is enabled, you cannot use this configuration.
Transparent DNS Configuration
The following fields are available in this area:
• Burb — [Read-only] Displays the burbs to which transparent name servers are assigned.
• DNS Servers — [Read-only] Displays the name servers for transparent DNS services.
• Add — Displays the Transparent DNS Servers window, in which you can configure a new transparent DNS server. For more information, see Configuring transparent DNS server objects on page 211.
• Edit — Displays the Transparent DNS Servers window for the highlighted value in the table. You can edit the values and click OK to save the change to the area. Note that you must also click OK in the Firewall window to save the changes to the firewall.
• Delete — Delete the highlighted server from this table.

Hosted Single Server Configuration

Figure 60 Firewall window: DNS area (Hosted Single Server configuration)

The following fields are available in this area:
• Manage DNS files via Control Center — Determines whether DNS files are managed by using the Control Center. This checkbox is selected by default. If a DNS configuration that is not supported by Control Center is encountered during retrieve, this checkbox is cleared. If you clear this checkbox, the only field on the window that remains active is Enable server.
• Generate loopback and multicast failover zones on apply — Determines whether the loopback zones (0.x.127.in-addr.arpa, where x denotes the burb index) and the failover multicast zone (0.255.239.in-addr.arpa) are generated automatically by the Control Center when you apply the configuration. When DNS components are retrieved from the firewall (see Retrieving firewall components on page 168), these zones are added to the Control Center database and this checkbox is cleared.
  Select this checkbox to ensure that the loopback zones and the failover multicast zone files are generated automatically when you apply, or propagate, a configuration from the Control Center database to the firewall. Otherwise, you are responsible for adding the loopback and multicast zone files.
• DNS Zones — Use the fields in this area to specify the zones that are associated with the name server. The following fields are available:
  • Create a new DNS Zone — Click to display the DNS Zone Manager window, in which you can create a new DNS zone. For more information, see Configuring DNS zones on page 315.
  • DNS Zone — Specify the DNS zone to associate with the name server.
  • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS zone.
• Server Configuration — Use the fields on this tab to specify configuration settings for the name server. The following fields are available:
  • Enable server — Determines whether the name server is enabled. This checkbox is selected by default. If you disable the name server by clearing the checkbox, only connections that use IP addresses continue to work; connections that use host names do not.
  • Enable notify — Determines whether the master name server notifies all slave servers when the zone file changes. The notification tells the slaves that the contents of the master have changed and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox, the following options are available:
    • Yes — Slave servers are notified about zone file changes.
    • No — Slave servers are not notified about zone file changes.
  • Forwarders — Specify external name servers to which to forward queries that cannot be answered on the firewall. You can reposition a row in this table by highlighting the row and clicking the move up or move down button.
  • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether the name server contacts the root servers itself when the forwarders cannot answer a query. This checkbox is selected by default, which means that queries are sent only to the selected forwarders. If this checkbox is cleared, the name server sends the query to the selected forwarders first; if they cannot answer it, the name server then resolves the query itself, starting from the root servers.
  • allow-query — Specify the hosts that are allowed to query the zone. If none are specified, all requesters are authorized.
  • allow-transfer — Specify the hosts that are allowed to request zone transfers of the zone (that is, the slave servers that may copy it). This option is valid only for master zones. If this field is left blank, transfers are not allowed from any host. A zone transfer hands out the complete contents of the zone, so list only the slave servers that need it.
  • Dump-File — Specify the path name of the file to which the name server dumps its database when instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db. (rndc is the remote name daemon control program.)
  • Statistics File — Specify the path name of the file to which the name server appends statistics when instructed to do so with rndc stats. If a path is not specified, the default is named.stats, which is located in the current directory of the name server.
Hosted Split Server Configuration

Figure 61 Firewall window: DNS area (Hosted Split Server configuration)

The following fields are available in this area:
• Manage DNS files via Control Center — Determines whether DNS files are managed by using Control Center. This checkbox is selected by default. If you clear this checkbox, the only field in the area that remains active is Enable server.
• Generate loopback and multicast failover zones on apply — Determines whether the loopback zones (0.x.127.in-addr.arpa, where x is the burb index) and the failover multicast zone (0.255.239.in-addr.arpa) are generated automatically by the Control Center when you apply the configuration. These zones are added to the Control Center database when DNS components are retrieved from the firewall (see Retrieving firewall components on page 168), and this checkbox is cleared. Select this checkbox to ensure that the loopback zones and the failover multicast zone files are generated automatically when you apply, or propagate, a configuration from the Control Center database to the firewall. Otherwise, you are responsible for adding the loopback and multicast zone files yourself.
• DNS Zones — Use the fields in this area to specify the zones that are associated with the name servers. The following fields are available:
  • Create a new DNS Zone — Click to display the DNS Zone Manager window, in which you can create a new DNS zone. For more information, see Configuring DNS zones on page 315.
  • Type — Specify the server configuration to which this zone is added. The following values are available:
    • Internet — The zone is added only to the Internet Server Configuration.
    • Unbound — The zone is added only to the Unbound Server Configuration.
    • Both — The zone is added to both the Internet Server Configuration and the Unbound Server Configuration.
  • DNS Zone — Specify the DNS zone to associate with the name server.
  • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS zone.
• Unbound Server Configuration — Use this tab to specify configuration settings for the unbound name server. The unbound name server is available for use by all internal burbs. The following fields and buttons are available on this tab:
  • Enable server — Determines whether the unbound name server is enabled. This checkbox is selected by default. If you disable the name server by clearing the checkbox, only connections that use IP addresses continue to work; connections that use host names do not.
    Caution: If you disable both the unbound server and the Internet server, connections work only if they use IP addresses rather than host names. Mail does not work, and other errors occur as other parts of the system attempt to access the network by name.
  • Enable notify — Determines whether the master name server notifies all slave servers when a zone file changes. The notification tells the slaves that the contents of the master have changed and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox, the following options are available:
    • Yes — Indicates that the slave servers are notified about zone file changes.
    • No — Indicates that the slave servers are not notified about zone file changes.
  • Forwarders — Specify the external name servers to which queries that cannot be answered on the firewall are forwarded. You can reposition a row in this table by highlighting the row and clicking the (move up) or (move down) button.
  • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether the name server contacts the root servers itself when the forwarders cannot answer a query. This checkbox is selected by default.
    This means that queries are sent only to the selected forwarders. If this checkbox is cleared, the name server sends the query to the selected forwarders first; if they cannot answer it, the name server then resolves the query itself, starting from the root servers.
  • Forward to Internet Server first — Determines whether queries that cannot be answered on the firewall are forwarded to the Internet server before they are forwarded to the selected forwarders. This checkbox is cleared by default. If this checkbox is selected, queries are forwarded first to the Internet server.
  • allow-query — Specify the hosts that are allowed to query the zone. If none are specified, all requesters are authorized. If you do not specify any values in this field, the following statements are added to the named.conf.u file on apply:
    • allow-recursion { any; }; — for firewall versions 7.0.0.08 and later and versions 7.0.1.02 and later
    • allow-query-cache { any; }; — for firewall versions 7.0.1.02 and later
    With these statements the unbound server answers recursive queries, and serves its cache, to any host that can reach it. Restrict allow-query to the internal networks that need name resolution rather than relying on the blank default.
  • allow-transfer — Specify the hosts that are allowed to request zone transfers of the zone (that is, the slave servers that may copy it). This option is valid only for master zones. If this field is left blank, transfers are not allowed from any host.
  • Dump-File — Specify the path name of the file to which the name server dumps its database when instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db. (rndc is the remote name daemon control program.)
  • Statistics File — Specify the path name of the file to which the name server appends statistics when instructed to do so with rndc stats. If a path is not specified, the default is named.stats, which is located in the current directory of the name server.
• Internet Server Configuration — Use the fields on this tab to specify configuration settings for the Internet name server. The Internet name server is bound to the Internet burb. The following fields and buttons are available on this tab:
  • Enable server — Determines whether the Internet name server is enabled. This checkbox is selected by default. If you disable the Internet name server by clearing the checkbox, external connections that require host names do not work unless the name is already cached by the unbound name server. Connections that use IP addresses work. E-mail is queued because host names cannot be resolved to IP addresses.
    Caution: If you disable both the unbound server and the Internet server, connections work only if they use IP addresses rather than host names. Mail does not work, and other errors occur as other parts of the system attempt to access the network by name.
  • Enable notify — Determines whether the master name server notifies all slave servers when a zone file changes. The notification tells the slaves that the contents of the master have changed and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox, the following options are available:
    • Yes — Indicates that the slave servers are notified about zone file changes.
    • No — Indicates that the slave servers are not notified about zone file changes.
  • Forwarders — Specify the external name servers to which queries that cannot be answered on the firewall are forwarded. You can reposition a row in this table by highlighting the row and clicking the (move up) or (move down) button.
  • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether the name server contacts the root servers itself when the forwarders cannot answer a query. This checkbox is selected by default.
    This means that queries are sent only to the selected forwarders. If this checkbox is cleared, the name server sends the query to the selected forwarders first; if they cannot answer it, the name server then resolves the query itself, starting from the root servers.
  • allow-query — Specify the hosts that are allowed to query the zone. If none are specified, all requesters are authorized. This server is reachable from the Internet, so when forwarders are configured a blank field lets any Internet host use it as a recursive resolver; restrict it to the hosts that legitimately need it.
  • allow-transfer — Specify the hosts that are allowed to request zone transfers of the zone (that is, the slave servers that may copy it). This option is valid only for master zones. If this field is left blank, transfers are not allowed from any host.
  • Dump-File — Specify the path name of the file to which the name server dumps its database when instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db. (rndc is the remote name daemon control program.)
  • Statistics File — Specify the path name of the file to which the name server appends statistics when instructed to do so with rndc stats. If a path is not specified, the default is named.stats, which is located in the current directory of the name server.

To read specific information directly from the firewall, use the Firewall Retrieval Options window. The Configuration Tool has two ways to read configuration information directly from the firewall, normalize the data, and store it in the database:
• When the firewall is initially created, identify and retrieve a user-selected set of retrieval objects by using the Retrieval Item tab on the Add New Firewall window.
• After a firewall has been created, identify and retrieve a user-selected set of retrieval objects: right-click the firewall object and click Retrieve Firewall Objects, which displays the Firewall Retrieval Options window.
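The Forwarders, Forward only, allow-query and allow-transfer fields on the Server Configuration, Unbound Server Configuration and Internet Server Configuration tabs above correspond to statements in the BIND named.conf that the firewall runs. The following is an added example, not part of this guide and not the Control Center's own code: it renders an options block from a settings record the way this page describes the fields, including the allow-recursion and allow-query-cache statements written when allow-query is left blank, and it flags the two settings a reviewer looks for first, a blank allow-query on an Internet-facing server (an open recursive resolver) and allow-transfer opened to any host. The mapping of the Forward only checkbox to BIND's forward only / forward first, the use of braces rather than the parentheses shown above, the version-string format, and the NameServerSettings record itself are assumptions made for the example.

```python
"""Render the BIND options implied by the Control Center DNS fields and flag
permissive settings.  Added example; the field-to-keyword mapping and the
version-string format are assumptions, not taken from product code."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class NameServerSettings:
    """One server configuration tab, as the fields are described in the guide."""
    firewall_version: str = "7.0.1.02"            # assumed format a.b.c.dd
    forwarders: List[str] = field(default_factory=list)
    forward_only: bool = True                     # checkbox default on the page
    allow_query: List[str] = field(default_factory=list)
    allow_transfer: List[str] = field(default_factory=list)
    dump_file: str = ""
    statistics_file: str = ""


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def writes_allow_recursion(v: str) -> bool:
    """Page text: 7.0.0.08 and later, and 7.0.1.02 and later, so the
    7.0.1.00 and 7.0.1.01 releases in between do not get the statement."""
    t = version_tuple(v)
    if (7, 0, 1, 0) <= t < (7, 0, 1, 2):
        return False
    return t >= (7, 0, 0, 8)


def writes_allow_query_cache(v: str) -> bool:
    return version_tuple(v) >= (7, 0, 1, 2)


def _acl(hosts: List[str]) -> str:
    return " ".join(h + ";" for h in hosts)


def render_options(s: NameServerSettings) -> str:
    """Return the options { ... } block the tab implies."""
    lines = ["options {"]
    if s.forwarders:
        lines.append(f"    forwarders {{ {_acl(s.forwarders)} }};")
        # 'forward only' never falls back to the roots; 'forward first' does.
        lines.append(f"    forward {'only' if s.forward_only else 'first'};")
    if s.allow_query:
        lines.append(f"    allow-query {{ {_acl(s.allow_query)} }};")
    else:
        # Blank allow-query: the page says every requester is authorized and
        # that these statements are written to named.conf.u on apply.
        if writes_allow_recursion(s.firewall_version):
            lines.append("    allow-recursion { any; };")
        if writes_allow_query_cache(s.firewall_version):
            lines.append("    allow-query-cache { any; };")
    # Blank allow-transfer: the page says no host may transfer the zone.
    lines.append(f"    allow-transfer {{ {_acl(s.allow_transfer) or 'none;'} }};")
    lines.append(f'    dump-file "{s.dump_file or "named_dump.db"}";')
    lines.append(f'    statistics-file "{s.statistics_file or "named.stats"}";')
    lines.append("};")
    return "\n".join(lines)


def lint(s: NameServerSettings, internet_facing: bool) -> List[str]:
    """Return the findings a reviewer would raise for this tab."""
    findings = []
    if internet_facing and not s.allow_query:
        findings.append("allow-query is blank on an Internet-facing server: "
                        "it answers recursive queries for anyone (open resolver)")
    if any(h.strip().lower() == "any" for h in s.allow_transfer):
        findings.append("allow-transfer includes 'any': every host can pull the full zone")
    return findings


if __name__ == "__main__":
    weak = NameServerSettings(forwarders=["192.0.2.53"])       # constructed values
    hardened = NameServerSettings(forwarders=["192.0.2.53"],
                                  allow_query=["10.0.0.0/8"],
                                  allow_transfer=["10.0.0.2"])
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(f"# {name}\n{render_options(cfg)}\n# findings: {lint(cfg, True)}\n")
```

Run it to see the two blocks side by side; the weak record is what the tabs produce when allow-query and allow-transfer are left at their blank defaults, the hardened one lists the internal range and the single slave.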
Firewall window: Certificates area

Use the Certificates area on the Firewall window to configure certificate server settings, view available firewall certificates, assign certificates to server services, and manage Secure Shell (SSH) keys. Also use this area to create, import, export, and delete certificates and SSH keys.

Figure 62 Firewall window: Certificates area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 Select the Certificates node. The Certificates area is displayed.

Tabs
This area has the following tabs:
• Firewall Certificates — View the status of the firewall certificates. For more information, see Firewall Certificates tab on page 196.
• SSH Keys — Manage the SSH keys for this firewall. For more information, see SSH Keys tab on page 197.
• Settings — Configure certificate server settings and assign certificates to server services. For more information, see Settings tab on page 199.

Firewall Certificates tab
The Firewall Certificates tab displays the list of firewall certificate names and the status of those certificates. You can filter this list by selecting the appropriate value in the Status list at the bottom left corner of this tab. To view the fields on this tab, see Figure 62 on page 196. This tab has the following fields:
• Name — [Read-only] Displays the names of the firewall certificates in the table.
• Status (column) — [Read-only] Displays the status of each firewall certificate in the table.
• Status (filter list) — Specify the status by which the list of firewall certificates is filtered for display. Select one of the following values:
  • ALL — Displays all firewall certificates.
  • Pending — Displays certificate requests that have not yet been fulfilled. This status occurs in the following circumstances:
    • The Manual PKCS10 signing mechanism is used and the signed certificate has not yet been provided.
    • A Certificate Authority (CA) signed certificate is used and the certificate has not yet been retrieved from the CA.
  • Completed — Displays certificates that have been received from the certificate server.
  • Revoked — Displays certificates for which the request was rejected by a Netscape CA or by a CA that supports the Simple Certificate Enrollment Protocol (SCEP).
Use the buttons on the right side of the Certificates area to perform the following actions:
• Add Certificate — Displays the Certificate Request Wizard, with which you can create a new certificate or import an existing certificate. The certificate is added to the list of firewall certificates displayed on this tab. For more information, see Creating certificates or importing them into the certificate database on page 515.
• Load Certificate — [For Manual PKCS10 certificate requests only] Displays the Load Certificate wizard, in which you can import the signed certificate for a pending PKCS10 request. For more information, see Loading certificates on page 522.
• Retrieve Certificate — For a certificate request that has been submitted to a CA for signing, queries the CA to determine whether the certificate has been approved.
• Certificate Details — Displays the Certificate Manager window, in which you can view information about the selected certificate, such as the certificate name, distinguished name, domain name, signature type (for example, RSA), and status (for example, Completed, CA Signed).
• Export Certificate — Displays the Export Certificate wizard, in which you can export a certificate and its private key to a file. For more information, see Exporting certificates on page 519. Because the export includes the private key, protect the resulting file accordingly.
• Delete Certificate — Deletes a certificate from the list of firewall certificates.
Note: If the selected certificate is being used by a VPN, an application defense, or another firewall component, it cannot be deleted.

SSH Keys tab
Use the SSH Keys tab to manage the SSH keys for this firewall.

Figure 63 Firewall window: Certificates area: SSH Keys tab
Accessing this tab
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 Select the Certificates node. The Certificates area is displayed.
5 Select the SSH Keys tab.

Fields and buttons
This tab has the following fields:
• Name — [Read-only] Displays the name of the SSH key. Default_RSA_Key and Default_DSA_Key are reserved names on the firewall; you cannot add or delete these keys, but they appear in this tab after you retrieve from the firewall for the first time.
• SSH Fingerprint — [Read-only] Displays the fingerprint of the public key that is associated with this SSH key. The fingerprint is a hash of the public key, short enough to compare by eye. Compare it with the fingerprint shown on the firewall itself, or given to you out of band by the key's owner, before trusting an imported key.
• Signature Type — [Read-only] Displays the public-key algorithm of the key pair, which determines how signatures are generated and verified with it. Valid values are:
  • RSA — The key pair uses the RSA algorithm.
  • DSA — The key pair uses the Digital Signature Algorithm (DSA).
Use the buttons on the right side of the SSH Keys tab to perform the following actions:
• Add — Displays the Add SSH Key window, in which you can add a new SSH key.
• Import — Displays the Import SSH Key window, in which you can import an SSH key from a file or from pasted text.
• Export — Displays the Export SSH Key window, in which you can export the highlighted SSH key to a file or display it in the window.
• Delete — Deletes the highlighted SSH key from the list of SSH keys.
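The SSH Fingerprint column is computed from the public key itself, so the value shown here can be checked against what the firewall console or an ssh-keygen -l run prints for the same key before an imported key is trusted. The following is an added example, not from this guide or the product: it parses an OpenSSH-format public key line such as the one pasted into the Import SSH Key window, rejects a line whose declared type does not match the type embedded in the key blob, and produces both the colon-separated MD5 fingerprint that tools of this era print and the SHA256 form used by current OpenSSH. The RSA parameters in the sample line are constructed for the example and are not a usable key.

```python
"""Fingerprint an OpenSSH public-key line.  Added example; the sample key
below is constructed for illustration and is not a real key."""
import base64
import hashlib
import struct
from typing import Tuple


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': two's complement, so a leading zero byte is added
    when the high bit is set. Getting this right is what keeps the
    fingerprint identical across tools."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: type, exponent, modulus."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def key_line(blob: bytes, comment: str = "") -> str:
    """Build the one-line '<type> <base64> [comment]' form used by OpenSSH."""
    (tlen,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + tlen].decode("ascii")
    return f"{keytype} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def parse_key_line(line: str) -> Tuple[str, bytes]:
    """Return (type, blob); reject lines whose type does not match the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii", errors="replace")
    if embedded != keytype:
        raise ValueError(f"key type '{keytype}' does not match blob type '{embedded}'")
    return keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Classic colon-separated hex form (what ssh-keygen -l printed in 2009)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH form: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _norm(fp: str) -> str:
    fp = fp.strip().lower()
    return fp[4:] if fp.startswith("md5:") else fp


def fingerprints_match(shown: str, computed: str) -> bool:
    """Compare a fingerprint read off a console with a computed one, ignoring
    case, an 'MD5:' prefix and surrounding whitespace."""
    return _norm(shown) == _norm(computed)


# Constructed sample (not a real key): e = 65537 and a 256-bit odd 'modulus'.
SAMPLE_BLOB = rsa_public_blob(65537, (1 << 255) | 0x1234567)
SAMPLE_KEY_LINE = key_line(SAMPLE_BLOB, "admin@cc-example")

if __name__ == "__main__":
    keytype, blob = parse_key_line(SAMPLE_KEY_LINE)
    print(keytype, fingerprint_md5(blob), fingerprint_sha256(blob))
```

The comment at the end of the line is not part of the hashed blob, so two copies of the same key with different comments produce the same fingerprint; a line whose leading type word has been altered is rejected rather than silently fingerprinted.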
Settings tab
Use the Settings tab to configure certificate server settings and assign certificates to server services.

Figure 64 Firewall window: Certificates area: Settings tab

This tab has the following fields:
• Certificate Server Options — Use the fields in this area to configure settings that are associated with the certificate server. The following fields are available:
  • LDAP — Use the fields in this area to configure LDAP settings. The following fields are available:
    • Use LDAP to search for Certificates — Determines whether the firewall attempts to retrieve certificates and certificate revocation lists (CRLs) from an LDAP server. This checkbox is cleared by default. When this option is selected, the following fields are available:
      • Server Address — Specify the IP address of the LDAP server. To search for objects, use the filter field to control the number of objects that are displayed: to limit the list to objects whose names contain a specified sequence of characters, type one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add).
      • Server Port — Specify the port number on which the LDAP server listens. The port number is 389 by default; however, the server can be configured to listen on other ports.
      • Timeout (sec.) — Specify the maximum amount of time (in seconds) that the certificate management daemon waits for an LDAP search. Acceptable values range from 0 to 3600. The default value is 60.
  • Key Server — Use the fields in this area to configure settings associated with validated keys.
    • Maximum Validated Cache Size — Specify the maximum number of validated keys that are stored in cache memory. Caching validated keys can increase system performance. Acceptable values range from 0 to 500. A value of 0 indicates that keys are not cached. The default value is 100.
    • Certificate Key Cache Lifetime (min.) — Specify the maximum amount of time (in minutes) that a certificate can remain in the validated key cache before it must be re-validated. Acceptable values range from 0 to 360. A value of 0 indicates that certificate keys must be re-validated with each use. A longer lifetime means that a certificate revoked in the meantime continues to be accepted until its cache entry expires.
  • CRL — Use the fields in this area to configure settings associated with Certificate Revocation Lists (CRLs). The following fields are available:
    • Perform CRL Checking — Determines whether CRL checking is enabled. This checkbox is selected by default. If this checkbox is cleared, CRLs are not consulted when certificates are validated, so a revoked certificate is still accepted.
    • CRL Retrieval Interval — Specify how often the Certificate Authority (CA) is queried to retrieve a new CRL.
  • Audit Level — Specify the level of auditing to be performed on the certificate server. The following values are available:
    • Error — Logs major errors only.
    • Normal — Logs major errors and informational messages. This is the default value.
    • Verbose — Logs information that is useful for detecting configuration issues.
    • Debug — Logs all errors and informational messages, plus debugging information.
• Application Defense Settings — Use the field in this area to specify the HTTPS application defense setting for this firewall. The following field is available:
  • Default HTTPS Certificate — Specify the SSL certificate that the firewall uses when it decrypts HTTPS traffic. This certificate is used by default for the HTTPS application defense. For more information, see HTTPS Application Defense window: General tab on page 371.
• Common Access Card Configuration — [Available only for firewall version 7.0.1.02 and later] Use the fields in this area to specify the Common Access Card (CAC) authenticator and the CAC Webserver certificate that are used to authenticate users who access the firewall with a CAC. The following fields are available:
  • CAC Authenticator — Specify the CAC authenticator for this firewall. The default value is <None>. To edit an existing authenticator, select it in the list and click (Edit selected); the object window is displayed. To add a new authenticator, click (Add); the object window is displayed.
  • Webserver SSL Certificate — Specify the certificate that the CAC Webserver presents to a CAC user's Web browser for the SSL session. If you select a CAC authenticator, you must specify this certificate.
• SSL Certificates — Use the fields in this area to view the list of server services and the SSL certificates currently assigned to them.
  • Server — [Read-only] Displays the server services to which you can assign SSL certificates.
  • SSL Certificate — Displays the name of the certificate currently assigned to the associated server service. This is either the default certificate or a self-signed RSA or DSA firewall certificate. You can select a different SSL certificate from the list.

Firewall window: Miscellaneous area

Use the Miscellaneous area to define a common group of features to apply to this firewall. As an alternative, you can use the settings from a Global Settings object that was defined in the Global Settings window by selecting Apply Global Settings.

Figure 65 Firewall window: Miscellaneous area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a supported firewall object. The Firewall window is displayed.
4 Select the Miscellaneous node. The Miscellaneous area is displayed.

Fields and buttons
The Global Settings, Firewall Settings Objects, and Policy Objects areas have the following buttons:
• (Edit) — After you select a value in the list, click this button to edit the value in its own window. Each field description below names the window that is displayed when this button is clicked.
• (Add) — Click this button to the right of the object that you want to create. The window for this object is displayed, in which you can configure the new object. Each field description below names the window that is displayed when this button is clicked.
• Global Settings — Use the fields in this area to select the global settings to apply to this firewall.
  • Apply Global Settings — Determines whether global settings are applied to the selected firewall. This checkbox is selected by default. If you have previously defined a Global Settings object in the Global Settings window, you can select it from the list. Clear the Apply Global Settings checkbox to use the other fields and buttons in the Miscellaneous area to define these settings for the selected firewall individually.
• Firewall Settings Objects — Use the fields in this area to select previously defined configuration objects. You can view these objects in the Firewall Settings group bar of the Configuration Tool. The following fields are available:
  • Network Defense — Displays the network defenses that have been defined on the system. Specify the network defense to apply to the firewall. (See Configuring network defense audit reports on page 279.)
  • Server and Service Settings — Displays the server and service settings that have been defined on the system. Specify the server and service configuration to apply to the firewall. (See Managing servers and service configurations on page 291.)
  • IPS Signature Browser — Displays the IPS Signature Browser objects that have been defined on the system. Specify the IPS signature object to apply to the firewall. (See Viewing and managing IPS signatures by using the IPS Signature Browser on page 302.)
  • Virus Scan — Displays the virus scanning configurations that have been defined on the system. Specify the virus scan configuration to apply to the firewall. (See Virus scanning on page 308.)
  • TrustedSource — Displays the TrustedSource configurations that have been defined on the system. Specify the TrustedSource configuration to apply to the firewall. (See Configuring TrustedSource settings for rules and mail filtering on page 305.)
  • Third-Party Updates — Displays the update schedules that have been defined on the system for downloading and installing IPS signature updates, anti-virus signature files, and Geo-Location updates. Specify the update schedule to apply to the firewall. (See Configuring third-party update schedules on page 326.)
  • Scheduled Jobs — Displays the Scheduled Jobs window, in which you can view the scheduled jobs that have been defined on the system and apply them to the firewall. (See Scheduling jobs on page 322.)
  • Package Load — Displays the package load configurations that have been defined on the system. Specify the configuration to use to check for and load packages to install on the firewall. (See Establishing a schedule to check for software updates on page 331.)
• Policy Objects — Use the fields in this area to select previously defined configuration objects. You can view these objects in the Policy group bar of the Configuration Tool. The following fields are available:
  • Internet burb — Displays the burbs that have been defined on the system. Specify the single burb that communicates directly with the Internet. (See Configuring burbs on page 341.)
  • Default application defense group — Displays the application defense groups that have been defined on the system. Specify the application defense group to apply, by default, in new rules for the firewall. (See Configuring application defense groups on page 418.)
  • Password Authenticator — Displays the password authenticators that have been defined on the system. Specify the password authenticator to apply to the firewall. (See Configuring password authenticators on page 426.)
  • Passport Authenticator — Displays the passport authenticators that have been defined on the system. Specify the passport authenticator to apply to the firewall. (See Configuring passport authenticators on page 428.)
• Reputation Threshold — Use the fields in this area to enable TrustedSource reputation service filtering and specify the threshold.
  • Perform TrustedSource filtering on inbound mail — Determines whether TrustedSource is used to reduce the amount of spam that reaches an organization's in-boxes. This checkbox is cleared by default. If you select it, use the associated field to specify the reputation score that separates legitimate senders of e-mail from untrustworthy ones. Values range from 0 to 120; the default value is 80. Trustworthy senders receive low scores and untrustworthy senders receive high scores, and messages from senders whose reputation score is above the threshold are rejected, so lowering the threshold rejects more mail. Scores are associated with TrustedSource reputation classes; see the help topic for the Global Settings window for information about the reputation classes.
• Lockout Threshold — Use the fields in this area to enable lockout and specify the threshold.
  • Enable lockout — Determines whether a user whose account reaches the specified number of failed authentication attempts is locked out until an administrator clears the lock. This checkbox is cleared by default. If you select it, specify the number of failed login attempts that are allowed for a single user account before the user is locked out of the firewall.
• Uninterruptible Power Supply (UPS) — [Available for all firewall versions except 7.0.1.00 and 7.0.1.01] Use the fields in this area to enable UPS monitoring and specify its settings. The following fields are available:
  • Enable UPS — Determines whether a UPS device is enabled for the firewall. This checkbox is cleared by default. If you select it, the following fields are available:
    • Serial Port — Specify the serial port that is connected to the UPS. Available values are COM1 and COM2. The default value is COM1.
    • Battery Time (sec) — Specify the number of seconds that the UPS battery is expected to last before its power is considered low. The default value is 900. If UPS is enabled and a power outage occurs, the firewall monitors the UPS and performs an orderly shutdown when the UPS battery power becomes low.
• Other Settings — Use the fields in this area to specify the following settings:
  • Enforce U.S. Federal Information Processing Standard 140-2 — Determines whether the requirements of the FIPS 140-2 standard are applied to the firewall. This standard specifies security requirements for cryptographic modules. This checkbox is cleared by default.
  • Delete home directory upon deletion of user — Determines whether a user's home directory is deleted automatically when the user account is deleted. This checkbox is cleared by default.
  • Blackhole source IP if attack IP cannot be confirmed (responses) — Determines whether the source IP address of a connection is blackholed when the related audit message does not include an Attack IP field. This checkbox is cleared by default. If you select it, further connections from that source IP address are not accepted. Because the attacking address could not be confirmed in this case, a spoofed source address can cause a legitimate host to be blackholed.
  • Enforce health monitor auditing — Determines whether audit data about the system's health status is generated and statistics about network and system utilization are recorded. This checkbox is selected by default.
  • Allow Secure Alerts to be sent to Control Center — Determines whether this firewall is allowed to send Secure Alerts to the Control Center Management Server. To configure the alerts, you must also go to the IPS Attack Response window or the System Response window and select the Send Secure Alert checkbox.
Firewall window-related tasks

By clicking buttons in various areas of the Firewall window, you can open other windows in which you configure related information. The following tasks are available in this section:
• General Settings area
  • Converting network objects in rules for the IPv6 protocol on page 204 (firewall version 7.0.1 or later)
• Interfaces area
  • Configuring a network interface (for firewalls and cluster members) or a transparent interface (for firewalls) on page 206
  • Configuring NIC groups on page 210
• DNS area
  • Configuring transparent DNS server objects on page 211

Converting network objects in rules for the IPv6 protocol
Use the IPv4 Rule Conversion window to convert ANYWHERE network objects in existing IPv4 rules to ANY_IPv4 network objects. You can also choose to leave the ANYWHERE objects unchanged.
Note: This window is displayed only the first time that you enable IPv6 on any firewall in a configuration domain; the conversion is a global, configuration domain-wide change. If you decide not to convert the ANYWHERE objects in this window and change your mind later, use the Search and Replace window to replace these objects or other network or service objects. For more information, see Replacing objects in rules on page 541.
To convert the ANYWHERE objects, you must have the following user permissions:
• Access to all firewalls
• Ability to update rules
• Ability to update system objects
• Ability to access privileged objects

Figure 66 IPv4 Rule Conversion window
Accessing this window
1 In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node.
2 Double-click a firewall in the tree. The Firewall window for the selected firewall is displayed.
3 Make sure that the General Settings area is displayed. Select Enable IPv6. If you have the correct user permissions, the IPv4 Rule Conversion window is displayed. Otherwise, an error message is displayed, indicating that you do not have the correct permissions. Contact your system administrator to obtain these permissions.
Fields and buttons
This window has the following fields and buttons:
• Convert ANYWHERE rules to ANY_IPv4 — Indicates that the ANYWHERE network objects in your existing IPv4 rules will be converted to ANY_IPv4. Select this option to perform the conversion. Only IPv4 traffic can be sent to or received from ANY_IPv4 network objects. After this conversion is performed and you apply a rule to a firewall that either does not support IPv6 or that does not have it enabled, the ANY_IPv4 object will be applied as an ANYWHERE object.
  Note: After you go forward with this selection, if you change your mind and decide that you would rather have ANYWHERE objects, use the Search and Replace window to change the network objects.
• Leave ANYWHERE rules as they are — Indicates that the ANYWHERE network objects in your existing rules will not be converted to ANY_IPv4. This means that ANYWHERE will apply to both IPv4 and IPv6 objects.
• OK — Save the changes. If you selected to convert ANYWHERE to ANY_IPv4, your rule conversion will not occur until you click OK in the Firewall window.
• Cancel — Close this window without enabling IPv6. If you change your mind about enabling IPv6, you should also clear the Enable IPv6 checkbox on the General Settings area of the Firewall window. Otherwise, the IPv4 Rule Conversion window will be displayed again when you click OK in the Firewall window.
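The point of the conversion choice above is that a rule written with ANYWHERE silently starts matching IPv6 traffic the moment IPv6 is enabled, while ANY_IPv4 keeps the rule confined to IPv4. The following is an added example, not Control Center or firewall code: it previews which rules a conversion would touch and shows the matching difference on constructed traffic. The Rule record, the CIDR strings standing in for named network objects, and the matching helpers are all assumptions made for the illustration.

```python
"""Preview of the ANYWHERE -> ANY_IPv4 conversion offered by the IPv4 Rule Conversion window.

Added example, not Control Center or firewall code. Rule records, the CIDR
strings used in place of named network objects, and the matching helpers are
constructed for illustration; the product stores and evaluates rules differently.
"""
import ipaddress
from dataclasses import dataclass, replace

ANYWHERE = "ANYWHERE"    # matches any IPv4 or IPv6 address
ANY_IPV4 = "ANY_IPv4"    # matches IPv4 addresses only


@dataclass(frozen=True)
class Rule:
    name: str
    source: str         # network object name, or a constructed CIDR string
    destination: str
    action: str         # "allow" or "deny"


def object_matches(obj: str, addr: str) -> bool:
    """Return True if network object `obj` contains address `addr`."""
    ip = ipaddress.ip_address(addr)
    if obj == ANYWHERE:
        return True
    if obj == ANY_IPV4:
        return ip.version == 4
    # Any other object is modelled as a CIDR; a mismatched address family never matches.
    return ip in ipaddress.ip_network(obj, strict=False)


def convert_anywhere(rules):
    """Apply the 'Convert ANYWHERE rules to ANY_IPv4' choice to a rule list.

    Returns (converted_rules, names_of_rules_that_changed), so the change can
    be reviewed before it is committed with OK in the Firewall window."""
    converted, changed = [], []
    for rule in rules:
        src = ANY_IPV4 if rule.source == ANYWHERE else rule.source
        dst = ANY_IPV4 if rule.destination == ANYWHERE else rule.destination
        if (src, dst) != (rule.source, rule.destination):
            changed.append(rule.name)
        converted.append(replace(rule, source=src, destination=dst))
    return converted, changed


def first_match(rules, src_addr: str, dst_addr: str):
    """Action of the first rule matching a src/dst pair, or None if nothing matches."""
    for rule in rules:
        if object_matches(rule.source, src_addr) and object_matches(rule.destination, dst_addr):
            return rule.action
    return None


# Constructed sample policy: an IPv4-era catch-all written with ANYWHERE,
# and one rule that deliberately targets IPv6.
SAMPLE_RULES = [
    Rule("legacy_allow_all", ANYWHERE, ANYWHERE, "allow"),
    Rule("dns_v6", "2001:db8::/32", "2001:db8:ffff::53/128", "allow"),
]

if __name__ == "__main__":
    converted, changed = convert_anywhere(SAMPLE_RULES)
    print("rules changed by the conversion:", changed)
    # With IPv6 enabled and ANYWHERE left alone, the legacy rule admits IPv6 traffic.
    print("before:", first_match(SAMPLE_RULES, "2001:db8::1", "2001:db8::2"))
    # After conversion the same IPv6 pair falls through to the explicit IPv6 rule, or to nothing.
    print("after: ", first_match(converted, "2001:db8::1", "2001:db8::2"))
    # IPv4 traffic is unaffected by the conversion.
    print("ipv4:  ", first_match(converted, "192.0.2.5", "203.0.113.10"))
```

Running the preview against an export of the rule set before clicking OK gives a reviewable list of every rule whose reach changes, which is the check to make before choosing either option.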
Configuring a network interface (for firewalls and cluster members) or a transparent interface (for firewalls)
Use the Firewall Interface window to create or modify configuration information for a network interface on a firewall or on a cluster member.
Figure 67 Firewall Interface window for a non-transparent interface
Accessing this window
1 In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node.
2 For firewalls, select the Firewalls node.
  or
  For cluster members, select the Clusters node. For cluster members, select a cluster node.
3 Double-click a firewall or cluster member in the tree or right-click the object and select Edit Object. For firewalls, the Firewall window for the selected firewall is displayed.
  or
  For cluster members, the Firewall Cluster Member window is displayed.
4 Select the Interfaces node. The Interfaces area is displayed.
5 Click Advanced.... The Firewall Interface window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify the name of the network interface. You can use alphanumeric characters, dashes (-), and underscores (_).
• Enable interface — Determines whether the network interface is enabled on the firewall.
• Description — Specify a description for this interface.
• Interface type — Use the fields in this area to specify the type of network interface and an ID if VLAN is selected. The following fields are available:
  • (Interface type) — Specify the type of network interface. The following values are available:
    • Standard — Indicates a standard interface.
    • DHCP — (Dynamic Host Configuration Protocol) Indicates that this interface will centrally manage IP addresses within your network. You cannot specify DHCP for an interface that is being used in a high availability (HA) cluster.
    • Transparent — [Available only for firewall versions 7.0.1.02 and later] Indicates a transparent interface.
    • VLAN ID — (Virtual Local Area Network) Indicates a virtual interface that allows administrators to segment a LAN into different broadcast domains regardless of the physical location.
  • ID — [Available only if VLAN is selected in the Interface Type field] Specify the ID for the VLAN interface. Valid values are between 1 and 4094.
• Address — Use the fields in this area to define information about the address for this network interface. The fields in this area are not available if DHCP is selected as the Interface Type value.
  • Burb — Specify the burb for the network interface. To edit an existing object: First, select the object in the list. Next, click (Edit selected). The respective object window is displayed. To add a new object: Click . The respective object window is displayed.
  • IP address — Specify the unique IP address of the interface. This value must be a valid IPv4 address in dotted quad format.
  • Mask — Specify the netmask length for this IP address.
• Alias addresses — Use the fields in this area to add, edit, or delete alias addresses. Alias addresses are used in Multiple Address Translation (MAT). You can add alias addresses to a network interface for the following purposes:
  • To consistently map specific IP aliases on another interface to specific logical networks connected to this interface when you want to hide addresses.
  • To accept connection requests for any defined alias.
  • To communicate with more than one logical network without a router.
  • To allow DNS to resolve different domains to each host address when you have more than one address on the same network.
  The fields in this area are not available if DHCP is selected as the Interface Type field value.
  • Alias address — Specify the unique IP address of the alias to be associated with this network interface. This value must be a valid IPv4 address in dotted quad format.
  • Mask — Specify the netmask length for this IP address.
  • Delete — Click x (Delete) in the row to be deleted. The alias address is deleted from the firewall.
• Quality of Service profile — [Available for Standard and DHCP interface types only] Specify the Quality of Service (QoS) profile to associate with this network interface. Each QoS profile contains one or more queues that allow you to prioritize network performance based on network traffic type. You can define QoS profiles in the Quality of Service window. The default value is <None>.
  Note: For the 7.0.1 version and later versions of the firewall, you cannot select a profile that contains any of the following characters: dash (-), period (.), or underscore (_).
  To edit an existing object: First, select the object in the list. Next, click (Edit selected). The respective object window is displayed. To add a new object: Click . The respective object window is displayed. QoS profiles are not supported on VLANs.
• NIC or NIC Group — [Not available for transparent interfaces] Specify the list of NICs and NIC groups that are currently managed by this firewall. Select a name or select <None>, which indicates that this interface is not part of a NIC group.
• Bridged interfaces — [Available only if this is a transparent interface] Use the fields in this area to add new bridge members to this bridge. When you have finished, only two members can be members of this bridge. The following fields are available:
  • — Displays the Firewall Interface window, in which you can add a new bridged (member) interface. Note that you cannot make address or MTU changes in this window. These changes must be made at the bridge (parent) level.
  • Use — Determines whether the bridge member is used in this bridge. Select or clear the checkbox to enable or disable the interface. Only two members can be selected.
  • Interface — [Read-only] Displays the name of the network, Virtual LAN (VLAN), or transparent (for firewall versions 7.0.1.02 and later) interface for this bridge member.
  • Burb — [Read-only] Displays the burb that is attached to this bridge member.
  • VLAN ID — [Read-only] Displays the VLAN identifier for this bridge member.
  • NIC/NIC Group — [Read-only] Displays the NIC or the NIC group for this bridge member.
• MTU size (Bytes) — Specify the size of the Maximum Transfer Unit (MTU) for outgoing packets. The standard MTU is 1500 and the range is 576-1500. However, the upper limit of this range changes to 9000 if the selected NIC has jumbo frame capability enabled.
• ARP table cache size — [Available only for transparent interfaces] Specify the size of the address resolution protocol (ARP) bridge table. This table contains a list of MAC addresses so that the firewall can determine the NIC on which traffic is entering. Because of traffic, the table can potentially reach its capacity, which means that subsequent traffic will be dropped. Use this field to set the size high enough so that traffic will not be dropped. The range of values is 100–2048. The default value is 100.
• Failover IP address — [Available for cluster interfaces only] [Read-only] Displays the common address for the cluster that is shared between all of the nodes in the cluster.
• Enable IPv6 on this interface — [Available only for firewall versions 7.0.1 and later and not available for cluster members or transparent interfaces] Determines whether IPv6 is enabled for this interface. A message is displayed, asking whether you want to continue with this configuration. Click Yes. The IPv4 Rule Conversion window is displayed, in which you can indicate whether you want to convert your ANYWHERE network objects in rules. Make your selection and click OK. You are returned to the Firewall Interface window and the remaining IPv6-related fields are now available. For more information about the IPv4 Rule Conversion window, see Converting network objects in rules for the IPv6 protocol on page 204.
• IPv6 stateless auto address configuration — [Available only if Enable IPv6 on this interface is selected] Select a stateless auto-address configuration. The following selections are available:
  • Static — Indicates that the interface is assigned the link-local address plus any static addresses that you specify. The link-local address is automatically created whenever an interface becomes enabled. This is the default value.
  • Host mode — Indicates that the interface is assigned the link-local address plus any static addresses that you specify. It is also assigned auto-configured addresses derived by combining any prefixes that are received in router advertisements with the interface ID.
  • Router mode — Indicates that the interface is assigned the link-local address plus any static addresses that you specify. The firewall sends out router advertisements, either with prefixes in the rtadvd.conf file or with prefixes derived from the static addresses on the interface.
  Caution: Host mode and router mode should be used only if you want to use auto-configuration.
  If you use these modes, unexpected results can occur, such as the following examples:
  • A firewall with an interface that is configured in host mode can automatically add new IPv6 addresses to the interface that the user might not expect.
  • A firewall with an interface that is configured in router mode with static IPv6 addresses can, if the rtadvd.conf file is not modified, advertise prefixes derived from the static IPv6 addresses. This can result in unexpected addresses being added to IPv6 devices in the same network operating in host mode.
  Static configuration is the most suitable configuration for most firewalls. You should clearly understand the consequences of using host mode and router mode.
• IPv6 addresses — Use the fields in this area to specify and configure the order of IPv6 addresses. The following fields are available:
  • IPv6 Address — Specify an IP address to be associated with this interface. If you have more than one address in this table, use the up and down arrows to change the order of addresses.
  • Prefix — Specify the mask length for this IP address. Valid values are 0–128.
  • Delete — Click x (Delete) in the row of the IP address to be deleted.
  • (Move up) — Move the highlighted row up one row.
  • (Move down) — Move the highlighted row down one row.
• Interface ID — Use the field in this area to override the interface ID that has been automatically generated. The following field is available:
  • Manually override the default interface id — Determines whether to override the interface ID. The displayed 16-hexadecimal-digit ID is derived from the NIC or NIC group's MAC address and is used to generate the link-local address for the interface. Edit this ID as needed.
• OK — Save the information on this window, close this window, and return to the Interfaces area of the Firewall window.
• Cancel — Close this window without saving any changes.
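To make the IPv6 fields above concrete, here is an added example (not firewall or Control Center code) that derives the interface ID from a MAC address, builds the link-local address from it, shows which addresses host mode adds when router advertisements arrive, and lists the prefixes router mode would derive from static addresses if rtadvd.conf is left untouched. The page says only that the 16-hex-digit ID is derived from the MAC address; using the modified EUI-64 procedure of RFC 4291 for that derivation is an assumption, as are the constructed MAC, prefixes and addresses.

```python
"""Derive the IPv6 interface ID, link-local address and auto-configured addresses
described for the Firewall Interface window.

Added example, not firewall code. The page states only that the 16-hex-digit
interface ID is derived from the NIC or NIC group's MAC address; the modified
EUI-64 procedure used here (RFC 4291, Appendix A) is the standard way of doing
that and is assumed to be what the product does. MAC addresses, prefixes and
static addresses below are constructed.
"""
import ipaddress


def mac_to_interface_id(mac: str) -> str:
    """16-hex-digit modified EUI-64 interface ID for a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FF:FE in the middle
    eui[0] ^= 0x02                                          # invert the universal/local bit
    return eui.hex()


def with_prefix(prefix: str, iid_hex: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface ID (what host mode does with RA prefixes)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid_hex) != 16:
        raise ValueError("stateless autoconfiguration needs a /64 prefix and a 64-bit interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | int(iid_hex, 16))


def link_local(iid_hex: str) -> ipaddress.IPv6Address:
    """The link-local address created automatically whenever the interface is enabled."""
    return with_prefix("fe80::/64", iid_hex)


def host_mode_addresses(iid_hex: str, ra_prefixes, static_addrs=()):
    """Addresses an interface in host mode ends up with: link-local, the static
    addresses, plus one auto-configured address per prefix received in a router
    advertisement. Static mode gives only the first two kinds."""
    addrs = [link_local(iid_hex)]
    addrs += [ipaddress.IPv6Address(a) for a in static_addrs]
    addrs += [with_prefix(p, iid_hex) for p in ra_prefixes]
    return [str(a) for a in addrs]


def router_mode_derived_prefixes(static_addrs, prefixlen=64):
    """Prefixes router mode would advertise when rtadvd.conf is left unmodified:
    one /64 per static address, which is the surprise the Caution above warns about."""
    nets = {str(ipaddress.IPv6Interface(f"{a}/{prefixlen}").network) for a in static_addrs}
    return sorted(nets)


if __name__ == "__main__":
    iid = mac_to_interface_id("00:0c:29:ab:cd:ef")     # constructed MAC
    print("interface ID :", iid)
    print("link-local   :", link_local(iid))
    print("host mode    :", host_mode_addresses(iid, ["2001:db8:1::/64"], ["2001:db8:1::10"]))
    print("router mode  :", router_mode_derived_prefixes(["2001:db8:10::1", "2001:db8:20::1"]))
```

The host-mode list is the set of addresses a rule author has to account for on that interface, and the router-mode list is what neighbouring hosts in host mode would auto-configure from; comparing either against what was intended is the check to run before leaving Static.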
Configuring NIC groups
Use the NIC Group window to modify an existing NIC group or to add a new one. You can designate a primary and a standby NIC so that you can implement the redundant NIC functionality. If the link to the primary NIC in the NIC group is not active, the redundant NIC functionality is used.
• The firewall verifies a link at the physical layer (layer 1). The firewall inspects the carrier detect status on the primary NIC in the NIC group. If the link is active, the primary NIC is used to pass traffic. If the link is not active, a failover event occurs and the standby NIC starts passing traffic. When the link for the primary NIC is active again, a failback event automatically occurs and the primary NIC starts passing traffic.
• The firewall does not verify communication at the network layer with the next firewall. A failure in this part of the connection does not trigger a failover event.
• There can be a delay before the standby NIC starts passing traffic while the switch or router recognizes the change and selects the appropriate port.
• The NIC group uses the MAC address of the primary NIC no matter which NIC is actively passing traffic. The MAC address is used for communication at the data-link layer.
Figure 68 NIC Group window
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click a firewall. The Firewall window is displayed.
4 Select the Interfaces node in the tree and then select NICs/NIC Groups. The NICs/NIC Groups tab is displayed.
5 Click Add. The NIC Groups window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — [Read-only] Displays the name of the NIC group that you are adding or modifying. This name is automatically generated and you cannot change it.
  A format of grpn is used, where n is 0 for the first group and then it is incremented for each subsequent group (for example, grp1, grp2, and so on).
• Description — Specify a description for this NIC group.
• Primary NIC — Specify the primary NIC in the NIC group. This list contains all of the firewall-specific NICs, plus <None>. If you select <None>, the Standby NIC field is disabled.
• Standby NIC — Specify the standby NIC in the NIC group. This list contains all of the firewall-specific NICs except for the value selected for the Primary NIC, plus <None>. If you select <None>, the redundant NIC functionality will not be implemented.
• OK — Save the changes in this window. Note that this group is not saved until you click OK in the Firewall window.
• Cancel — Close this window without saving any changes.

Configuring transparent DNS server objects
Use the Transparent DNS Servers window to add one or more transparent name servers.
Figure 69 Transparent DNS Servers window
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 For firewall configurations, select the Firewalls node to display the list of firewalls.
  or
  For cluster configurations, select the Clusters node to display the list of clusters.
3 For firewall configurations, double-click the firewall for which you are creating this object. The Firewall window is displayed.
  or
  For cluster configurations, double-click the cluster node for which you are creating this object. The Cluster window is displayed.
4 Select the DNS node in the tree on the left. The DNS area is displayed.
5 Make sure that Transparent is the value selected in the DNS Configuration field and click Add. The Transparent DNS Servers window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Burb — Specify the burb to which the name servers will be assigned.
• DNS Servers — Specify the name of a transparent name server. Servers can be ordered by using the move up ( ) and move down ( ) arrows.
• OK — Save the changes in this window. Note that this object will not be saved until you click OK in the Firewall window.
• Cancel — Close this window without saving any changes.
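The failover rules listed under Configuring NIC groups above are easy to misread as a general health check, so here is an added example (not firewall code) that models exactly what the text states and nothing more: carrier detect on the primary NIC drives failover and automatic failback, a layer-3 failure does nothing, and the group keeps the primary NIC's MAC address throughout. NIC names, MAC addresses and the event timeline are constructed.

```python
"""Model of the redundant NIC behaviour described under Configuring NIC groups.

Added example, not firewall code. The NIC names, MAC addresses, link states and
event sequence are constructed. The model encodes only what the text states:
failover when carrier detect on the primary NIC drops, automatic failback when
it returns, no reaction to a layer-3 failure, and a group MAC address that is
always the primary NIC's.
"""


class Nic:
    def __init__(self, name, mac):
        self.name = name
        self.mac = mac
        self.carrier = True             # layer 1: carrier detect, the only thing checked
        self.next_hop_reachable = True  # layer 3: not checked by the firewall


class NicGroup:
    def __init__(self, name, primary, standby=None):
        self.name = name
        self.primary = primary
        self.standby = standby          # None means no redundant NIC functionality
        self.active = primary
        self.events = []                # (event, nic_name) pairs

    @property
    def mac(self):
        """The group keeps the primary NIC's MAC whichever NIC is passing traffic."""
        return self.primary.mac

    def poll(self):
        """Re-check carrier detect on the primary, as the firewall does, and
        record a failover or failback if the active NIC changes."""
        if self.primary.carrier or self.standby is None:
            wanted = self.primary
        else:
            wanted = self.standby
        if wanted is not self.active:
            kind = "failover" if wanted is self.standby else "failback"
            self.events.append((kind, wanted.name))
            self.active = wanted
        return self.active.name


def run_scenario():
    """Constructed timeline; returns (active NIC after each poll, events, group MAC)."""
    em0 = Nic("em0", "00:0c:29:aa:bb:01")
    em1 = Nic("em1", "00:0c:29:aa:bb:02")
    grp0 = NicGroup("grp0", em0, em1)
    active = [grp0.poll()]              # steady state: em0
    em0.next_hop_reachable = False      # upstream device lost: layer 3 only, no failover
    active.append(grp0.poll())
    em0.carrier = False                 # cable pulled: failover to em1
    active.append(grp0.poll())
    em0.carrier = True                  # link restored: automatic failback to em0
    active.append(grp0.poll())
    return active, grp0.events, grp0.mac


if __name__ == "__main__":
    active, events, mac = run_scenario()
    print("active NIC per poll:", active)
    print("events:", events)
    print("group MAC stays:", mac)
```

The second poll is the one worth noticing: a dead next hop on the primary NIC's link leaves traffic on that NIC, so reachability beyond the switch port has to be watched by something other than the NIC group.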
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.
4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is displayed with the SSH keys tab selected.
5 Click Add. The Add SSH Key window is displayed.
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.
4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is displayed with the SSH keys tab selected.
5 Click Import. The Import SSH Key window is displayed.
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.
4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is displayed with the SSH keys tab selected.
5 Click Export. The Export SSH Key window is displayed.
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Double-click the firewall for which you are creating this object. The Firewall window is displayed.
4 Select the Certificates node in the tree on the left and then select SSH keys. The Certificates area is displayed with the SSH keys tab selected.
5 Click Export. The Export SSH Key window is displayed.
6 Select the Export this key to the screen option and click OK. The SSH Key window is displayed.
Deleting firewall objects
Use the Delete Firewall window to remove a particular firewall object and all of the objects that reference that firewall. No firewall object can be deleted before all of its dependencies are removed. If an object is referenced by another firewall, it cannot be removed.
Figure 70 Delete Firewall window
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node to display the list of firewalls.
3 Right-click a supported firewall object and select Remove Object(s).
  or
  Press Delete.
  A confirmation message is displayed. Click Yes to continue. The Delete Firewall window is displayed only if there are dependent objects that are associated with this firewall object.
Fields and buttons
This window displays a tree hierarchy of dependent objects that are associated with the selected firewall object. This window has the following fields and buttons:
• Delete firewall configuration backups — Determines whether the configuration backup files for this firewall will also be deleted when the firewall is deleted. The default value is cleared.
• Delete all referencing objects — Determines whether to delete all of the objects that reference this firewall and that are not referenced by any other firewall. If an object is not referenced by any other firewall, this value is selected by default. If the object is referenced by another firewall, this checkbox is cleared by default and the firewall cannot be deleted. Referencing objects include the following values that are represented as nodes in the list of referencing objects: SW Firewall License, Packet Filter Rules, and SW Responses. To preserve an object that is currently marked for removal (that is, its checkbox is selected), clear its checkbox. If a checkbox is cleared and you cannot edit it, this indicates that this object is referenced by another firewall and it will automatically be preserved.
• Details — Use the columns in this table to view the details of the object that is selected in the tree. The following columns are displayed:
  • Property — Displays the name of the property for the selected object.
  • Value — Displays the value of the property for the selected object.
• Delete Firewall — Delete the firewall and all of the selected objects.
  Then click Close to close the window.
• Close — Close this window. If you have not already clicked Delete Firewall, the selected firewall object will not be deleted.
McAfee Firewall Enterprise (Sidewinder) clusters
Control Center provides a straightforward, easy-to-use interface for managing McAfee Firewall Enterprise High Availability (HA) clusters. A firewall HA cluster consists of two firewalls that are configured in a particular way for high availability. Firewall HA clusters can be configured in one of the following modes:
• Primary/Standby — In this configuration, one firewall, the primary, actively processes traffic. The standby acts as a "hot backup." If the primary becomes unavailable, the standby takes over and assumes the role of the primary only until the primary becomes available again. When the primary does become available, a takeover event occurs. Use this mode if you have firewalls that do not share the same hardware configuration.
• Load-Sharing — In this active-active HA configuration, two firewalls actively process traffic in a load-sharing capacity. Both firewall network interfaces maintain their unique IP address, the shared cluster address, and any aliases assigned to the cluster. The firewalls are able to coordinate traffic processing on a single shared IP address by using a multicast Ethernet address. Each connection is handled by the same firewall. The communication to coordinate load-sharing passes between firewalls on the heartbeat burb. Use this mode only if both firewalls have the same hardware configuration (for example, CPU speed, memory, active NICs). This mode is the recommended configuration.
• Peer-to-Peer HA — In this configuration, two firewalls are configured as standbys with the same takeover time. The first firewall to come online becomes the primary. Only the primary passes traffic. If the primary becomes unavailable, the peer, which is currently acting as the standby, takes over as the primary and remains the primary until it becomes unavailable. At that time, the other peer takes over again as the acting primary.
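The three modes differ mainly in what happens when a failed node comes back, which matters when you are reading cluster audit or planning maintenance. The following added example (not Control Center or firewall code) models just that distinction on a constructed fail-and-return timeline: in Primary/Standby the configured primary resumes, in Peer-to-Peer the node that took over keeps the role until it fails, and in Load-Sharing every available node is active. Node names and the timeline are constructed; takeover timers and the heartbeat exchange are not modelled.

```python
"""Which node passes traffic in each HA mode, as a small model.

Added example, not Control Center or firewall code. Node names and the
availability timeline are constructed; the model encodes only the mode
semantics the text gives: in Primary/Standby the configured primary resumes
when it comes back, in Peer-to-Peer the node that took over keeps the role
until it fails, and in Load-Sharing every available node is active.
"""

MODES = ("primary/standby", "peer-to-peer", "load-sharing")


class Cluster:
    def __init__(self, mode, first_node, second_node):
        if mode not in MODES:
            raise ValueError(f"unknown HA mode {mode!r}")
        self.mode = mode
        self.available = {first_node: True, second_node: True}
        self.configured_primary = first_node          # used by primary/standby only
        # first_node is taken to be the node that came online first (peer-to-peer rule)
        self.acting = {first_node, second_node} if mode == "load-sharing" else {first_node}
        self.events = []                              # acting set recorded after each change

    def set_available(self, node, up):
        """Mark a node up or down and re-evaluate who passes traffic."""
        self.available[node] = up
        self._reevaluate()
        return sorted(self.acting)

    def _reevaluate(self):
        up = [n for n, ok in self.available.items() if ok]
        if self.mode == "load-sharing":
            new = set(up)
        elif self.mode == "primary/standby":
            p = self.configured_primary
            new = {p} if self.available[p] else set(up[:1])
        else:  # peer-to-peer: whoever is acting primary keeps the role while it is up
            still_up = [n for n in self.acting if self.available[n]]
            new = set(still_up) if still_up else set(up[:1])
        if new != self.acting:
            self.acting = new
            self.events.append(sorted(new))


def takeover_sequence(mode):
    """Constructed timeline: fw1 fails, then returns. Returns the acting-node
    sets recorded at each change, which differ per mode."""
    cluster = Cluster(mode, "fw1", "fw2")
    cluster.set_available("fw1", False)
    cluster.set_available("fw1", True)
    return cluster.events


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:16s}: {takeover_sequence(mode)}")
```

The Peer-to-Peer result is the one that surprises people: bringing fw1 back does not move traffic, so a change made only on the node you expect to be primary may never be exercised until the other peer fails.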
The Control Center provides support for managing all of these modes.
Managing clusters
Use the Control Center Configuration Tool to manage firewall HA clusters. The Configuration Tool accommodates management of the entire cluster and management of the particular nodes that are in the cluster. This allows a firewall security officer to perform such node-specific monitoring and control functions as running reports, shutting down the firewall, setting date and time, and licensing.
In the Control Center, an HA cluster can be viewed as a single firewall. The reason is that for most configurations, one cluster node's configuration data is a replica of the other node's configuration data. A cluster object is created for every HA cluster in the Clusters group in the Firewalls group bar in the Object area. A cluster object expands to list all individual nodes that are part of the cluster. Individual nodes are called cluster node objects.
You can view cluster configuration object data by double-clicking a cluster object to display the Cluster window. You can view cluster node object configuration data by double-clicking a node to display the Cluster Member window.
Certain firewall features are associated with the cluster object and are synchronized within all nodes in a cluster. Other firewall features are associated with the cluster node objects and are specific to each node.
Features that are synchronized within a cluster
The following features are synchronized within all nodes in an HA cluster. Configuration support for these features is associated with the cluster object.
• Policy Configuration (Rules)
• Network Defenses
• Authentication
• VPN
• Groups
• Firewall Accounts
• Proxies
• Servers
• Certificate Management
• IPS Attack Responses
• Services
• Interface Alias IP Addresses
• System Responses
• UPS
• User Interface Access Control
• High Availability
• Time Periods
• DNS
• Routing
• Virus Scanner
• Configuration Backup
• Burb Configuration
• SmartFilter
• Reconfigure Mail (sendmail)
All cluster-related information is available in one location: the cluster object. The following functions are performed only on the cluster object:
• Apply Configuration
• Validate Configuration
• Retrieve Firewall Objects
After a node has been added to a cluster, these functions cannot be performed on the node.
The following report can be generated only on the cluster object: Policy Report. This is the only report that can be generated for a cluster.
Features that are configured individually for each node
The following features are specific to each node in a cluster. Configuration support for these features is associated with the cluster node object.
• Firewall License
• Reports
• Date and Time
• Interface Configuration
• System Shutdown
• Certificate Management
• Audit
• Reconfigure DNS
• High Availability (Local Parameters)
• Software Updates
As indicated here, such control functions as licensing, shutting down, setting date and time, and displaying firewall status can be performed only on each node.
Configuring, promoting and demoting cluster objects and cluster nodes
Use the McAfee Firewall Enterprise Cluster Wizard to create a new cluster with one node, add a firewall to an existing cluster, or create a new two-node cluster. You can also use the same cluster wizard to demote one node of a cluster or to demote both nodes of a cluster to standalone firewalls.
Cluster creation prerequisites
Before you begin this process, make sure that the following requirements have been met:
• Version — Both firewall objects must be the same version.
  Also, if the firewall is joining a single-node cluster, the version of the firewall must match the version of the existing node in the cluster object.
• Interfaces — The firewall object that you are working with must have at least three enabled interfaces—internal, external, and heartbeat.
• The number of and types of interfaces must be exactly the same.
• Burbs — The number of and names of burbs must be exactly the same. Note that burb names are case-sensitive.
• For any cluster configuration, a minimum of three burbs must exist in this configuration domain.
• The burb creation order must be exactly the same.
• A dedicated heartbeat burb and interface must be configured on each firewall.
• The IPv6 protocol is not currently supported for clusters.
Additional requirements for load-sharing clusters
The following additional requirements are for configuring load-sharing clusters:
• The firewalls must have identical hardware configurations.
• The interface that is used for the heartbeat burb must be at least as fast as the fastest load-sharing interface on your firewall.
• [For firewall versions 7.0.1 and later] The Unicast - mirrored and the Unicast - flooded layer 2 modes are only supported on em NICs.
• [For firewall versions 7.0.1 and later] If VLAN interfaces that share the same parent NIC or NIC group are configured to use either the Unicast - mirrored or the Unicast - flooded layer 2 modes, they must meet the following requirements:
  • They must share the same cluster MAC address.
  • They must use the same layer 2 mode (either Unicast - mirror or Unicast - flooded).
Accessing this wizard
To create a cluster with a single firewall or two firewalls or to join a node to an existing cluster:
1 In the Configuration Tool, make sure that the Firewalls group bar is displayed.
2 Select the Firewalls node.
3 Right-click a firewall and select Create/Join Cluster. The McAfee Firewall Enterprise Cluster Wizard window is displayed.
To demote an entire cluster:
1 In the Configuration Tool, make sure that the Firewalls group bar is displayed.
2 Select the Clusters node.
3 Right-click the cluster and select Demote Cluster. The McAfee Firewall Enterprise Cluster Wizard window is displayed.
To demote one node from an existing cluster:
1 In the Configuration Tool, make sure that the Firewalls group bar is displayed.
2 Select the Clusters node.
3 Select the cluster node that contains the cluster member to be demoted.
4 Right-click the cluster member and select Demote to Standalone.
  The McAfee Firewall Enterprise Cluster Wizard window is displayed.
Functionality of the McAfee Firewall Enterprise Cluster Wizard
Refer to the following links to view information about the McAfee Firewall Enterprise Cluster Wizard for different procedures:
• Creating a cluster from within the Control Center on page 218
• Joining a cluster on page 220
• Creating a cluster from two firewalls from within the Control Center on page 221
• Demoting one cluster member (node) to a standalone firewall on page 223
• Demoting all of the cluster members to standalone firewalls on page 224
Creating a cluster from within the Control Center
With the McAfee Firewall Enterprise Cluster Wizard, you can configure clusters completely within the Control Center Client.
Step 1 of 10 - Welcome page
If you have met all of the prerequisites listed above, click Next >>.
Step 2 of 10 - Cluster State page
1 Select the action that you want to take with the selected firewall or firewalls. The following options are available:
  • Create new cluster — Promote the selected firewall to a one-node cluster that is managed by the Control Center. This is the default option.
  • Join existing cluster — Add the selected firewall to an existing one-node cluster in the Control Center.
  • Create cluster with 2 nodes — Create a cluster with two nodes—one of them being the selected firewall.
  For this procedure, select Create new cluster.
2 Click Next >>.
Step 3 of 10 - Create Cluster page
1 Specify the name for the cluster object that you are creating. Do not use the fully qualified domain name (FQDN) or the object name of any firewall that currently exists in the McAfee Firewall Enterprise Control Center. The following characters are available, up to a limit of 63 total characters: a-z, A-Z, 0-9, dash (-) through underscore (_)
  Note: You cannot use any of the special characters as the first character in the cluster name.
2 Click Next >>.
Step 4 of 10 - High Availability (HA) Mode page 1 Select the desired mode of the cluster. The following options are available: • Peer-to-peer HA — Both firewalls are configured as standbys. The firewall that is booted first becomes the primary node; the other node becomes the standby. • Load-sharing HA — Both the primary and the secondary nodes share traffic-related duties. This is the default selection. • Primary/Standby HA — One node is configured as the primary and the other is the standby. The standby node will become the primary node only if the current primary node is unavailable. After the original primary node is restarted, the original primary node will resume as the primary node, taking over from the standby node that was serving temporarily as the primary node. 2 Click Next >>. 218 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 219. McAfee Firewall Enterprise (Sidewinder) clusters Step 5 of 10 - Takeover Time page Note: This page is not available if you selected Primary/Standby HA on the previous page. Skip to the next page. 1 Specify the length of time (in seconds) that the primary node must be unavailable before the standby node will begin the takeover process. This value is an integer between 2 and 257. The value of this field varies, depending on the type of high availability configuration that you are using in your cluster. For load-sharing HA nodes and peer-to-peer nodes, this value will be the same for each node in the cluster. 2 Click Next >>. Step 6 of 10 - High Availability (HA) Layer 2 Mode page Note: This page is displayed only for version 7.0.1 or later of the McAfee Firewall Enterprise (Sidewinder) when you are configuring load-sharing clusters. 1 Select the default L2 mode to be used for this node. Refer to the descriptions on this page for each option. Only network devices that are “em” devices will support unicast modes. The default value is Multicast. 2 Click Next >>. Step 7 of 10 - High Availability (HA) Shared Cluster Addresses page 1 Specify a shared cluster IP address for each network. Note that you must configure at least three cluster interfaces. The following fields are available in this table: • Shared Cluster IP Address — Specify the cluster address for this interface. At least three interfaces must be defined. The following restrictions apply to this cluster address: • This must be a valid IP address. • This cannot be the broadcast address of the network of this cluster. • This cannot be an address that is outside of the selected network. • This cannot be the same address as the network address or any other address that the firewall is currently using. • Network Address — [Read-only] Displays the network address that is calculated from the IP address and subnet mask for the interface. 
• Burb — [Read-only] Displays the burb that is associated with this address. • Heartbeat burb — Specify the burb that is used for intra-cluster communication. The list includes all of the existing, non-virtual, non-Internet burbs. A cluster address should also have been specified for the heartbeat burb. Otherwise, the burb cannot be used as the heartbeat burb. 2 Click Next >>. Step 8 of 10 - Cluster Management Address page This page is displayed only if IP management address of the cluster cannot be automatically determined. This can occur when the firewall is behind NAT. 1 Specify the management IP address of the cluster in the Specify the cluster management address field. The following rules apply to this value: • This must be a valid IP address. • This address must be different from all of the cluster and cluster member IP addresses. 2 In the Cluster Member Management Address field, view the IP address or IP addresses of the cluster member or members that you are promoting to this cluster. Make a note of these values if you need to create a new NAT rule for this cluster. 3 Click Next >>. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 219
  • 220. McAfee Firewall Enterprise (Sidewinder) clusters Step 9 of 10 - High Availability (HA) Advanced General Properties page 1 Specify the values for IPSec authentication. The following fields are available in this area: • Authentication type — Select the type of IPSec authentication that will be used for this node. Available values are SHA1 (the default value) or MD5. • Password — Specify the password that will be used to generate the authentication key for IPSec. This password must be the same value for both nodes in this cluster because they share the same virtual firewall ID. 2 Specify the high availability identification information. The following fields are available in this area: • Cluster ID — Specify the identification number that you are assigning to the cluster. This must be a value between 1 and 255. The default value is the last octet of the heartbeat cluster address. • Multicast group address — Specify the address of the multicast group that is used for high availability purposes on the heartbeat burb. The address that you specify must be within the range of from 239.192.0.0 to 239.255.255.255. The default address is 239.255.0.1. 3 Click Next >>. Step 10 of 10 - Cluster Wizard Summary page The status of the cluster node configuration is displayed. If this information is correct, click Finish >> to create the cluster. If this information is not correct, click << Previous to go back to the page or pages that you need to edit. When you have finished editing the information, click Next >> until you return to this summary page. Then click Finish >> to create the cluster. If this node was created successfully, the Apply Configuration window is displayed. Configure the settings to either schedule this apply process or to perform it now. For more information about the Apply Configuration window, see Applying firewall configurations on page 589. 
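The field rules stated on the Create Cluster, Takeover Time, Shared Cluster Addresses and Advanced General Properties pages above (the two-firewall procedure later in this chapter uses the same pages) can be checked offline before the wizard is opened, so that a bad address or ID is caught before an apply restarts the firewall. The following Python script is an added example, not Control Center code; it assumes the permitted name characters are letters, digits, dash and underscore, and its dataclass fields and sample addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed example, not Control Center code: checks the values the Cluster
# Wizard asks for against the limits the wizard pages state.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")  # 63 chars, no leading - or _
HA_MODES = ("peer-to-peer", "load-sharing", "primary/standby")
MCAST_LOW = ipaddress.IPv4Address("239.192.0.0")
MCAST_HIGH = ipaddress.IPv4Address("239.255.255.255")

@dataclass
class ClusterInterface:
    burb: str
    shared_ip: str   # Shared Cluster IP Address entered for this interface
    member_ip: str   # address the firewall already uses on this interface
    mask: str        # subnet mask of the interface

@dataclass
class ClusterPlan:
    name: str
    ha_mode: str
    interfaces: List[ClusterInterface]
    heartbeat_burb: str
    takeover_secs: Optional[int] = None   # page is skipped for Primary/Standby HA
    cluster_id: Optional[int] = None      # None = default (last octet of heartbeat address)
    multicast_group: str = "239.255.0.1"  # wizard default

def heartbeat_address(plan: ClusterPlan) -> Optional[str]:
    """Shared cluster address on the heartbeat burb, or None if that burb has none."""
    for iface in plan.interfaces:
        if iface.burb == plan.heartbeat_burb and iface.shared_ip:
            return iface.shared_ip
    return None

def effective_cluster_id(plan: ClusterPlan) -> Optional[int]:
    """Cluster ID the wizard would use: the entered value, else the heartbeat address's last octet."""
    if plan.cluster_id is not None:
        return plan.cluster_id
    try:
        return int(ipaddress.IPv4Address(heartbeat_address(plan))) & 0xFF
    except ValueError:  # no heartbeat address, or not a valid one
        return None

def check_shared_address(iface: ClusterInterface, in_use: set) -> List[str]:
    """Apply the restrictions the wizard lists for a Shared Cluster IP Address."""
    try:
        addr = ipaddress.IPv4Address(iface.shared_ip)
    except ValueError:
        return [f"{iface.burb}: '{iface.shared_ip}' is not a valid IP address"]
    net = ipaddress.IPv4Network(f"{iface.member_ip}/{iface.mask}", strict=False)
    errs = []
    if addr not in net:
        errs.append(f"{iface.burb}: {addr} is outside the interface network {net}")
    if addr == net.broadcast_address:
        errs.append(f"{iface.burb}: {addr} is the broadcast address of {net}")
    if addr == net.network_address:
        errs.append(f"{iface.burb}: {addr} is the network address of {net}")
    if str(addr) in in_use:
        errs.append(f"{iface.burb}: {addr} is already in use by the firewall")
    return errs

def validate_plan(plan: ClusterPlan) -> List[str]:
    """Return every wizard rule the plan breaks; an empty list means it should pass."""
    errs = []
    if not NAME_RE.match(plan.name):
        errs.append("cluster name: 1-63 chars of a-z A-Z 0-9 - _, not starting with - or _")
    if plan.ha_mode not in HA_MODES:
        errs.append(f"HA mode must be one of {HA_MODES}")
    elif plan.ha_mode != "primary/standby":  # Takeover Time page is shown only then
        if plan.takeover_secs is None or not 2 <= plan.takeover_secs <= 257:
            errs.append("takeover time must be an integer from 2 to 257 seconds")
    if len(plan.interfaces) < 3:
        errs.append("at least three cluster interfaces must be defined")
    in_use = {i.member_ip for i in plan.interfaces}  # addresses the firewall uses now
    for iface in plan.interfaces:
        errs.extend(check_shared_address(iface, in_use))
    if heartbeat_address(plan) is None:
        errs.append(f"heartbeat burb '{plan.heartbeat_burb}' has no shared cluster address")
    cid = effective_cluster_id(plan)
    if cid is not None and not 1 <= cid <= 255:
        errs.append("cluster ID must be from 1 to 255")
    try:
        if not MCAST_LOW <= ipaddress.IPv4Address(plan.multicast_group) <= MCAST_HIGH:
            errs.append("multicast group address must be in 239.192.0.0-239.255.255.255")
    except ValueError:
        errs.append(f"'{plan.multicast_group}' is not a valid multicast group address")
    return errs

def sample_plan() -> ClusterPlan:  # constructed three-burb plan, documentation address ranges
    return ClusterPlan(
        name="dc1-edge-cluster", ha_mode="load-sharing", takeover_secs=5, heartbeat_burb="heartbeat",
        interfaces=[
            ClusterInterface("external", "203.0.113.10", "203.0.113.11", "255.255.255.0"),
            ClusterInterface("internal", "192.0.2.10", "192.0.2.11", "255.255.255.0"),
            ClusterInterface("heartbeat", "198.51.100.10", "198.51.100.11", "255.255.255.0"),
        ],
    )
```

Run `validate_plan(sample_plan())` to get the list of rules a planned cluster breaks; an empty list means every value should be accepted by the wizard pages described above.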
After the node configuration is applied, the firewall (cluster node) is restarted, except for version 7.0.1.01 and later firewalls, where only some of the services are restarted. This node should now be displayed in the Clusters node in the Firewalls group bar of the Configuration Tool. Click the Clusters node and then click the cluster to which this node belongs. You should now see it beneath the cluster.

Joining a cluster

With the McAfee Firewall Enterprise Cluster Wizard, you can configure a standalone firewall to join an existing cluster. If you have not accessed the McAfee Firewall Enterprise Cluster Wizard, go to Configuring, promoting and demoting cluster objects and cluster nodes on page 216.
The following restrictions apply to the firewall that you are promoting in this procedure. It cannot be joined if:
• The cluster already has two member nodes.
• The cluster that you selected does not have any member nodes.
• The version number of the existing cluster member does not match the version of the firewall that you are about to promote.

Step 1 of 4 - Welcome page
If you have met all of the prerequisites (see Cluster creation prerequisites on page 216), click Next >>.

Step 2 of 4 - Cluster State page
1 Select the action that you want to take with the selected firewall or firewalls. The following options are available:
  • Create new cluster — Promote the selected firewall to a one-node cluster that is managed by the Control Center. This is the default option.
  • Join existing cluster — Add the selected firewall to an existing one-node cluster in the Control Center.
  • Create cluster with 2 nodes — Create a cluster with two nodes, one of them being the selected firewall.
  For this procedure, select Join existing cluster.
2 Click Next >>.

Step 3 of 4 - Join Cluster page
1 Specify the name for the cluster object that you want to join with this firewall. This list contains all of the firewall cluster objects. Do not use the fully qualified domain name (FQDN) or the object name of any firewall that currently exists in the Control Center. The following characters are available, up to a limit of 63 total characters: a-z, A-Z, 0-9, dash (-) through underscore (_).
  Note: You cannot use any of the special characters as the first character in the cluster name.
2 The partner member’s fully qualified domain name (FQDN) field displays the FQDN of the other node in this cluster.
3 Click Next >>.

Step 4 of 4 - Cluster Wizard Summary page
The status of the cluster node configuration is displayed. If this information is correct, click Finish >> to add this firewall as a cluster node to the selected cluster. If this information is not correct, click << Previous to go back to the page or pages that you need to edit. When you have finished editing the information, click Next >> until you return to this summary page. Then click Finish >> to join this node to the cluster.
If this node was added to the cluster successfully, the Apply Configuration window is displayed. Configure the settings to either schedule this apply process or to perform it now. For more information about the Apply Configuration window, see Applying firewall configurations on page 589.
After the node configuration is applied, the firewall (cluster node) is restarted, except for version 7.0.1.01 and later firewalls, where only some of the services are restarted. The original primary node is also restarted in the same manner as the new node.
This node should now be displayed in the Clusters node in the Firewalls group bar of the Configuration Tool. Click the Clusters node and then click the cluster to which this node belongs. You should now see this new cluster node beneath the cluster.

Creating a cluster from two firewalls from within the Control Center

With the McAfee Firewall Enterprise Cluster Wizard, you can configure clusters completely within the Control Center Client. In this usage of the wizard, you can create a cluster from two firewalls.

Step 1 of 9 - Welcome page
If you have met all of the prerequisites listed above, click Next >>.

Step 2 of 9 - Cluster State page
1 Select the action that you want to take with the selected firewall or firewalls. The following options are available:
  • Create new cluster — Promote the selected firewall to a one-node cluster that is managed by the Control Center. This is the default option.
  • Join existing cluster — Add the selected firewall to an existing one-node cluster in the Control Center.
  • Create cluster with 2 nodes — Create a cluster with two nodes, one of them being the selected firewall.
  For this procedure, select Create cluster with 2 nodes.
2 Click Next >>.

Step 3 of 9 - Create Cluster page
1 Configure the following fields on this page:
  • Specify a name for the cluster object — Specify the name for the cluster object that you are creating. Do not use the fully qualified domain name (FQDN) of any of the cluster member nodes. However, any other string is acceptable.
  • Choose the second node — Specify the second firewall that will be a part of this new cluster. This list consists of all of the firewalls. Note that the version of the firewall that you select must be the same version as the firewall that you are using to create the cluster.
  • FQDN of the partner member — [Read-only] Displays the FQDN of the selected (second) node.
2 Click Next >>.

Step 4 of 9 - High Availability (HA) Mode page
1 Select the desired mode of the cluster. The following options are available:
  • Peer-to-peer HA — Both firewalls are configured as standbys. The firewall that is booted first becomes the primary node; the other node becomes the standby.
  • Load-sharing HA — Both the primary and the secondary nodes share traffic-related duties. This is the default selection.
  • Primary/Standby HA — One node is configured as the primary and the other is the standby. The standby node becomes the primary node only if the current primary node is unavailable. After the original primary node is restarted, it resumes as the primary node, taking over from the standby node that was serving temporarily as the primary node.
2 Click Next >>.

Step 5 of 9 - Takeover Time page
Note: This page is not available if you selected Primary/Standby HA on the previous page. Skip to the next page.
1 Specify the length of time (in seconds) that the primary node must be unavailable before the standby node begins the takeover process. This value is an integer between 2 and 257. The value of this field varies, depending on the type of high availability configuration that you are using in your cluster. For load-sharing HA nodes and peer-to-peer nodes, this value is the same for each node in the cluster.
2 Click Next >>.

Step 6 of 9 - High Availability (HA) Layer 2 Mode page
Note: This page is displayed only for version 7.0.1 or later of the firewall when you are configuring load-sharing clusters.
1 Select the default L2 mode to be used for this node. Refer to the descriptions on this page for each option. Only network devices that are “em” devices support unicast modes (mirrored or flooded). The default value is Multicast.
2 Click Next >>.

Step 7 of 9 - High Availability (HA) Shared Cluster Addresses page
1 Specify a shared cluster IP address for each network. Note that you must configure at least three cluster interfaces. The following fields are available in this table:
  • Shared Cluster IP Address — Specify the cluster address for this interface. At least three interfaces must be defined. The following restrictions apply to this cluster address:
    • This must be a valid IP address.
    • This cannot be the broadcast address of the network of this cluster.
    • This cannot be an address that is outside of the selected network.
    • This cannot be the same address as the network address or any other address that the firewall is currently using.
  • Network Address — [Read-only] Displays the network address that is calculated from the IP address and subnet mask for the interface.
  • Burb — [Read-only] Displays the burb that is associated with this address.
  • Heartbeat burb — Specify the burb that is used for intra-cluster communication. The list includes all of the existing, non-virtual, non-Internet burbs. A cluster address should also have been specified for the heartbeat burb; otherwise, the burb cannot be used as the heartbeat burb.
2 Click Next >>.

Step 8 of 9 - High Availability (HA) Advanced General Properties page
1 Specify the values for IPSec authentication. The following fields are available in this area:
  • Authentication type — Select the type of IPSec authentication that will be used for this node. Available values are SHA1 (the default value) or MD5.
  • Password — Specify the password that will be used to generate the authentication key for IPSec. This password must be the same value for both nodes in this cluster because they share the same virtual firewall ID.
2 Specify the high availability identification information. The following fields are available in this area:
  • Cluster ID — Specify the identification number that you are assigning to the cluster. This must be a value between 1 and 255. The default value is the last octet of the heartbeat cluster address.
  • Multicast group address — Specify the address of the multicast group that is used for high availability purposes on the heartbeat burb. The address that you specify must be within the range 239.192.0.0 to 239.255.255.255. The default address is 239.255.0.1.
3 Click Next >>.

Step 9 of 9 - Cluster Wizard Summary page
The status of the cluster and cluster member configuration is displayed. If this information is correct, click Finish >> to create the cluster and its two members. If this information is not correct, click << Previous to go back to the page or pages that you need to edit. When you have finished editing the information, click Next >> until you return to this summary page. Then click Finish >> to create the cluster and its two members.
If everything was created successfully, the Apply Configuration window is displayed. Configure the settings to either schedule this apply process or to perform it now. For more information about the Apply Configuration window, see Applying firewall configurations on page 589.
After the configurations are applied, each firewall is restarted, except for version 7.0.1.01 and later firewalls, where only some of the services are restarted on each firewall. You should now see the cluster and its two member nodes. In the Firewalls group bar of the Configuration Tool, click the Clusters node and then click the newly created cluster. You should now see the two members beneath the cluster node.

Demoting one cluster member (node) to a standalone firewall

This section refers to the scenario in which you want to demote one member of a two-member cluster to a standalone firewall, or in which there is only one cluster member in the cluster and you want to demote that one member.
Demotion prerequisite
Before you access the McAfee Firewall Enterprise Cluster Wizard to perform a demotion, the cluster must have been retrieved.
The following actions take place when a single cluster member of a multi-member cluster is demoted:
• Any object that is referenced by the cluster is copied to the new standalone firewall.
• This excludes the following objects, which remain with the cluster and are not associated with the new standalone firewall:
  • Interface aliases
  • VPN peers with cluster or alias gateway addresses
  • VPN bypasses

Step 1 of 2 - Welcome page
If you have met the prerequisite listed above, click Next >>.

Step 2 of 2 - Cluster Wizard Summary page
The status of the cluster member changes is displayed. Click Finish >> to demote the cluster member to a standalone firewall, or click Cancel to exit the wizard.
If the member was demoted successfully, the Apply Configuration window is displayed with the selected cluster node and the targeted firewall. Configure the settings to either schedule this apply process or to perform it now. For more information about the Apply Configuration window, see Applying firewall configurations on page 589.
After the configurations are applied, you should see the cluster member that you just demoted listed under the Firewalls node, not under the Clusters node.

Demoting all of the cluster members to standalone firewalls

This section refers to the scenario in which you want to demote all of the cluster members in a cluster to standalone firewalls.

Demotion prerequisite
Before you access the McAfee Firewall Enterprise Cluster Wizard to perform this type of demotion, the cluster must have been retrieved—that is, its members and interface information.

Step 1 of 4 - Welcome page
If you have met the prerequisite listed above, click Next >>.

Step 2 of 4 - Resolve Interface Aliases page
This page is available only if the following conditions are met:
• The entire cluster is being demoted—that is, the cluster node and its member nodes.
• There is more than one cluster member in this cluster node.
• The cluster node has at least one configured interface alias.
1 Specify the following fields and values on this page:
  • Associate these addresses with the selected firewall — Specify the firewall that will be demoted and that will accept the alias address associations. This list contains the names of all of the firewalls (that is, cluster members) that are being demoted. Select the one firewall for these alias associations.
  • IP Address — [Read-only] Displays the alias IP addresses that will be associated with the selected firewall.
  • Mask — [Read-only] Displays the subnet masks that are part of the alias addresses that will be associated with the selected firewall.
2 Click Next >>.

Step 3 of 4 - Resolve VPN Objects page
This page is available only if the following conditions are met:
• The entire cluster is being demoted—that is, the cluster node and its member nodes.
• There is more than one cluster member in this cluster node.
• The cluster node has at least one configured VPN object that cannot be automatically resolved. This includes VPN peer objects that have a cluster (non-alias) gateway address and VPN bypass objects.
1 Specify the following fields and values on this page:
  • Associate these VPN objects with the selected firewall — Specify the cluster member (firewall) that will be demoted and that will accept the VPN object associations. This list contains the names of all of the firewalls (that is, cluster members) that are being demoted. Select the one firewall for these VPN object associations.
  • Type — [Read-only] Displays the type of VPN object that is being affected by this wizard. Valid values are Peer and Bypass.
  • Name — [Read-only] Displays the name of the VPN object.
  • New Gateway IP Address — [Read-only] Displays the gateway IP address for the VPN object. This address changes for peer objects when the firewall selection is changed in the first field.
  • Description — [Read-only] Displays a description of the VPN object.
2 Click Next >>.

Step 4 of 4 - Cluster Wizard Summary page
The status of all of the changes is displayed. If this information is correct, click Finish >> to demote the cluster members to standalone firewalls and to demote the cluster node. If this information is not correct, click << Previous to go back to the page that you need to edit, or click Cancel to exit the wizard. Start the wizard again when you are ready to proceed and click Next >> to return to this summary page. Then click Finish >> to demote the cluster members and the cluster node.
If the members were demoted and the cluster node was removed successfully, the Apply Configuration window is displayed with the firewall objects selected. Configure the settings to either schedule this apply process or to perform it now.
After the configurations are applied, you should see the cluster members that you demoted listed under the Firewalls node, not under the Clusters node, and the cluster node should be removed.

Overview of configuring a cluster on the McAfee Firewall Enterprise Admin Console

If you decide to configure a cluster on the McAfee Firewall Enterprise Admin Console and not on the Control Center Client, you must first perform some tasks on the Admin Console and then move to the Configuration Tool of the Control Center Client. The following procedures define this process at a high level.

McAfee Firewall Enterprise Admin Console
1 Define the High Availability (HA) configuration and the cluster nodes and cluster interfaces.
2 Register the firewall cluster that is to be managed by the Control Center.
Control Center Configuration Tool
1 In the Configuration Tool, select the Firewalls group bar.
2 Add a new cluster object by right-clicking the Clusters node and selecting Add Object. The Add Cluster window is displayed. For more information about this window, see Adding a cluster that was created on the McAfee Firewall Enterprise Admin Console on page 226.
3 Retrieve all of the configuration items from the firewall cluster. The cluster node objects are created and their names are displayed under the cluster object node.
4 Double-click the cluster object to display the Cluster window. All of the common objects that are handled by the HA cluster are represented in the window. The High Availability area has the common parameters of the cluster object. For more information about this window, see Configuring configuration information for a cluster on page 228.
5 Double-click a cluster node object to display the Cluster Member window. Configuration parameters that are specific to the cluster member node are represented in this window. The High Availability area has the HA settings that are unique to the selected cluster member node. For more information about this window, see Configuring configuration data for a cluster member on page 255.

Adding a cluster that was created on the McAfee Firewall Enterprise Admin Console

Use the Add Cluster window to add a cluster object that was created in the McAfee Firewall Enterprise Admin Console, and its associated configuration objects, to the Control Center Management Server database. The cluster object represents the configuration data and characteristics that are specific to a firewall High Availability (HA) cluster.

Figure 71 Add Cluster window

Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Double-click the Clusters node. The Add Cluster window is displayed.
  or
  You can right-click this node and select Add Object.

Fields and buttons
This window has the following fields and buttons:
• Cluster Name — Specify the name of the cluster. You can use any string of characters, except for the fully qualified domain name (FQDN) of one of the cluster member nodes.
• Cluster Mgmt Address — Specify the management interface IP address that is associated with the cluster.
• Version — Specify the version of the software that is installed on the cluster. This information is necessary so that the Control Center can produce the correct format of data that is sent to the firewalls when the configurations are applied.
• Location — Specify a description of the location of this cluster node.
• Description — Specify any comments or information about the cluster and its configuration.
• OK — Save the information on this window and create a cluster.
• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• Retrieval Items — Select this tab to identify the configuration components that are to be retrieved from the cluster. If you right-click the Retrieval Items heading, you can select or cancel the selection of all items. When the cluster node object is created and the configuration components are retrieved, member node objects for each of the firewalls in the cluster are created. Configuration objects that are retrieved include those that are common to the cluster and those that are unique to each member node. Retrieved objects that are common to the cluster can be accessed and edited by using the cluster-specific Cluster window. Retrieved objects that are unique to a node in the cluster can be accessed and edited by using the node-specific Cluster Member window. For specific information about common and unique retrieval objects, see McAfee Firewall Enterprise (Sidewinder) clusters on page 215.
• Categories — Select this tab to develop a classification hierarchy for firewalls that are installed in your configuration. This category/value pair can be used to sort firewalls by using a user-defined sorting scheme. As you create user-defined categories, they appear in the Category list. By carefully defining a sorting scheme and identifying each firewall by using one or more categories, a powerful sorting scheme can be applied to obtain views of firewalls in the Firewall Sorting Manager window.
Configuring configuration information for a cluster

Use the Cluster window to add or change configuration object data for the selected firewall cluster object.

Figure 72 Cluster window

Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.

Buttons
This window has the following areas and buttons.
• OK — Save the changes that have been made on any of the areas and close this window.
  Note: Changes that you make on any individual area in this window are not saved until you click OK for the entire window.
• Cancel — Close this window without saving any changes.

Tree nodes
This window has the following nodes in the tree:
• General Settings — Select to display cluster identification and common configuration information. See Cluster window: General Settings area on page 229.
• Offbox Settings — Configure audit export settings and, for versions 7.0.1.02 and later of the firewall, McAfee Profiler and McAfee Firewall Reporter settings. See Cluster window: Offbox Settings area on page 231.
• Cluster Interfaces — Configure interfaces for clusters. See Cluster window: Cluster Interfaces area on page 232.
• High Availability — Define the cluster-specific, high-availability configuration options for firewalls that are installed in a high-availability cluster. See Cluster window: High Availability area on page 233.
• Static Routing — Specify the default gateway and entries in the static routing table of the firewall. See Cluster window: Static Routing area on page 235.
• Dynamic Routing — Modify configuration files associated with dynamic routing. See Cluster window: Dynamic Routing area on page 238.
• Sendmail — Modify sendmail configuration files. See Cluster window: Sendmail area on page 239.
• DNS — Manage and modify the DNS configuration for the cluster. See Cluster window: DNS area on page 240.
• Certificates — Generate certificate requests and manage firewall certificates. See Cluster window: Certificates area on page 245.
• Miscellaneous — Select or configure a group of features, or global settings, to be applied to the firewall cluster. Global settings include default application defense group, password and passport authenticators, Internet burb, server and service settings, virus scanning properties, and UPS settings. See Cluster window: Miscellaneous area on page 250.

To read specific information directly from the cluster, use the Firewall Retrieval Options window. The Configuration Tool has two ways to read configuration information directly from the firewall, to normalize the data, and to store this information in the database:
• When the cluster is initially created, identify and retrieve a user-selected set of retrieval objects by using the Retrieval Items tab on the Add Cluster window.
• After a cluster has been created, identify and retrieve a user-selected set of retrieval objects by right-clicking the firewall object and clicking Retrieve Firewall Objects. The Firewall Retrieval Options window is displayed.

• OK — Save changes that were made on any of the areas to the cluster.
• Cancel — Close this window without saving any of the changes that were made on any of the areas.
Cluster window: General Settings area Use the General Settings area of the Cluster window to specify such cluster parameters as the cluster name, management IP addresses, management port, software version, Management Servers, firewall properties, mail configuration, and audit export. To view the fields on this window, see Figure 72 on page 228. Accessing this area 1 In the Configuration Tool, select the Firewalls group bar. 2 Select the Clusters node to expand the list of currently defined cluster nodes. 3 Double-click one of the cluster nodes. The Cluster window is displayed. 4 Make sure that the General Settings node is selected in the tree on the left. Fields and buttons This area contains the following fields and buttons: • Cluster Name — Specify a name for the cluster. The name may be any string, but it must not be the fully qualified domain of the member nodes. • Description — Provide comments and information about the cluster and its configuration. • Configuration — Use the fields in this area to specify information about the cluster and its location. The following fields are available: • Cluster Mgmt Address — Specify the management interface IP address that is associated with this cluster. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 229
  • Firewall Mgmt Port — Specify the port number that the firewall uses to communicate with the Control Center Management Server. The default management port is 9005. The value that you specify in this field must match the value that is configured on the firewall by using its native GUI. Changing this value and applying the change does not change the value on the firewall.
  • Version — [Read-only] Displays the version of software installed in the cluster. The Control Center needs this information to produce the correct format of data to send to the firewall when configurations are applied.
  • Time Zone — Specify the time zone in which the cluster exists.
  • Location — Specify user-defined location information. This information can be used to provide a user-defined alternate view of the way that the firewalls are organized and displayed in the Object area in the Firewalls group. For more information, see Viewing configuration information about each firewall on page 584.
  • Contact — Specify an administrator name to associate with the cluster. This information can be used to provide a user-defined alternate view of the way that the firewalls are organized and displayed in the Object area in the Firewalls group. For more information, see Viewing configuration information about each firewall on page 584.
• Management Servers — Use the fields in this area to specify information about the Control Center Management Servers.
  • Host Name — [Read-only] Displays the fully qualified host name of the Management Server.
  • IP address — Specify the IP address of the Management Server.
• Firewall Properties — Specify a user-defined category/value pair. Use the Categories tab to develop a classification hierarchy for the firewalls that are installed in your configuration. Use this category/value pair to sort firewalls by using a user-defined sorting scheme (in addition to the built-in Location and Contact categories).
As you create user-defined categories, they are displayed in the Category list. By carefully defining a sorting scheme and identifying each firewall by using one or more categories, a powerful sorting scheme can be applied to obtain views of firewalls by using the Firewall Sorting Manager window.
• Mail Configuration — Use the fields in this area to specify a firewall mail configuration.
  • SMTP Mode — The following values are available:
    • Secure Split SMTP — Uses the firewall-hosted sendmail servers. Select this value to take advantage of such sendmail features as header stripping, spam and fraud control, and mail routing.
    • Transparent — Passes mail by proxy through the firewall. Select this value to ensure that only the files that are necessary to send administrative messages are configured. These include firewall-generated alerts, messages, and logs.
  • Internal SMTP Burb — Specify the burb in which your site's internal SMTP server resides.
Cluster window: Offbox Settings area

Use the Offbox Settings area of the Cluster window to specify configuration information for exporting audit data, settings for the McAfee Firewall Profiler, and settings for the McAfee Firewall Reporter.

Figure 73 Cluster window: Offbox Settings area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster subnodes. The Cluster window is displayed.
4 Select the Offbox Settings node in the tree on the left.

Fields and buttons
This area contains the following fields and buttons:
• Audit Export — Use the fields in this area to specify an audit export configuration.
  • Configuration — Specify an audit export configuration that has been defined in the Audit Export window. Access this window by selecting the Firewall Settings group bar in the Object area of the Configuration Tool and double-clicking Audit Export. You can select or edit an existing configuration or add a new one. See Audit export on page 268. To edit an existing object, select the object in the list and click the Edit selected button; the respective object window is displayed. To add a new object, click the add button; the respective object window is displayed.
  • Certificate — Specify a certificate to use when transferring the cluster's archived audit files to the Control Center Management Server. This list includes the certificates that have been specified in the Certificates area of the Cluster window.
  • Attach Signature — [Available only if a value is selected in the Configuration field] Determines whether a signature is attached to the exported audit. This checkbox is cleared by default.
  • Delete logs after export — Determines whether to delete the audit export log file that resides on this cluster after it has been successfully exported to all of its specified locations. If you do not select this checkbox, the audit export log files remain on the local firewall after they have been exported. The default value is cleared.
• McAfee Firewall Profiler — [Available only for firewall versions 7.0.1.02 or later] Use the fields in this area to configure this cluster to send audit and policy data to the McAfee Firewall Profiler that you specify. You can create a new McAfee Firewall Profiler object in the Profiler window. See McAfee Firewall Profiler on page 272. The following fields are available:
  • Archive verbose audit — [Available only if a McAfee Firewall Profiler has been configured] Determines whether the audit data that is being archived is at the verbose level, which means the highest level of detail and larger file sizes. This is data that is not usually archived on the firewall, but that is sent to the McAfee Firewall Profiler if this checkbox is selected. The default value is cleared.
  • Certificate — Specify the certificate for the McAfee Firewall Profiler.
• McAfee Firewall Reporter — [Available only for firewall versions 7.0.1.02 or later] Use the field in this area to configure this cluster to enable real-time transmission of its audit data to the McAfee Firewall Reporter. The McAfee Firewall Reporter has advanced reporting functionality. The following field is available:
  • Configuration — Specify the Firewall Reporter / Syslog configuration that this cluster uses to transmit its audit data to the McAfee Firewall Reporter. You can also edit and add configurations from this field in the Firewall Reporter / Syslog window. For more information, see Firewall Reporter / Syslog settings on page 273. To edit an existing object, select the object in the list and click the Edit selected button; the respective object window is displayed. To add a new object, click the add button; the respective object window is displayed.

Cluster window: Cluster Interfaces area

Use the Cluster Interfaces area of the Cluster window to specify cluster interface parameters.

Figure 74 Cluster window: Cluster Interfaces area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.
4 Select the Cluster Interfaces node in the tree on the left. The Cluster Interfaces area is displayed.
Fields and buttons
This area has the following fields and buttons:
• Cluster IP address — Specify the IP address of the cluster interface. This address should be in the same network as the burb of the interface. This value must be a valid IPv4 address in dotted quad format; however, a value is not required. You can also modify the cluster IP address in the Cluster Interface Properties window. If you modify the cluster IP address in one window, it is automatically updated in the other window. To delete a cluster IP address, click in the row of the address to be deleted and delete the value.
• Network Address — [Read-only] Displays the network address for the burb in which this cluster interface resides.
• Burb — [Read-only] Displays the name of the burb in which this cluster interface resides.
• Advanced... — Displays the Cluster Interface Properties window, in which you can configure additional features for this cluster interface. See Modifying cluster interface properties on page 253.

Cluster window: High Availability area

Use the High Availability area of the Cluster window to configure the common parameters of the High Availability cluster object.

Figure 75 Cluster window: High Availability area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.
4 Select the High Availability node in the tree on the left. The High Availability area is displayed.
Fields and buttons
This area has the following fields and buttons:
• High Availability Identification — Use the fields in this area to set the following High Availability parameters:
  • Cluster ID — Specify an identifier that is assigned to the cluster. Use this ID to distinguish among and manage multiple HA clusters. This value must be an integer between 1 and 255.
  • Multicast Group Address — Specify the address of the multicast group that is used for HA purposes on the heartbeat burb. Note: This address must be within the range 239.192.0.0 to 239.255.255.255.
  • HeartBeat Burb — Specify the burb that HA uses to send and receive heartbeats. A heartbeat is a short message that is sent at specific intervals to verify whether a firewall is operational. This must be a dedicated burb.
  • HeartBeat Verification Burb — Specify the burb that HA uses to send and receive a mini-heartbeat. Select a burb that regularly passes traffic (for example, the internal burb).
• HA Status — Use the fields in this area to view the nodes in the HA cluster and their status.
  • HA Node — [Read-only] Displays the nodes in the cluster.
  • Status — [Read-only] Indicates whether a node is a peer or the primary.
  • Refresh — Retrieve the updated status of the cluster members. The status bar displays the latest information.
• IPSec Authentication — Use the fields in this area to specify the parameters for IPSec authentication of HA traffic.
  • Authentication Type — Specify the type of IPSec authentication to use for HA. The following values are available:
    • SHA1
    • MD5
  Of the two, SHA1 is the stronger choice; select MD5 only where compatibility with existing members requires it.
  • Password — Specify the password that is used to generate the authentication key for IPSec. Every member of the cluster must be configured with the same password.
• Interface Test — Use the fields in this area to specify the parameters that determine whether an interface is operational.
  • Time Between Tests — Specify the frequency (in seconds) with which the HA cluster pings the remote address to ensure that an interface and path are operational. The value must be an integer between 2 and 60.
  • Consecutive Failures — Specify the number of consecutive failed ping attempts that must occur before a secondary (or standby) node takes over as the primary. The value must be an integer between 2 and 20.
  • Auto-Recover on Reconnect — Determines whether to automatically rejoin a firewall to an HA cluster if a monitored interface or a heartbeat interface fails and then recovers. The recovered cluster member is restored to the appropriate state:
    • In a primary/secondary cluster, the recovered firewall becomes the primary of the cluster.
    • In a peer-to-peer cluster, the recovered firewall remains a standby member of the cluster.
    • In a load-sharing cluster, the recovered firewall becomes a participating member of the cluster and passes traffic.
  If you do not select this checkbox, you must reboot the firewall to enable it to rejoin the cluster.

Note: If the remote host becomes unavailable immediately after a ping attempt has been issued, the time that it takes for a secondary/standby node to take over is slightly longer, because almost an entire test interval elapses before the first failure is detected.

Cluster window: Static Routing area

Use the Static Routing area to modify the default route or to configure an alternate route to be used for default route failover. The default route is the network route that a router uses when no other known route exists for a packet's destination address. The alternate default route is a redundant route: if the primary default route becomes inaccessible, the alternate default route starts to forward traffic. With redundant default routes, use the fields in this area to define an alternate default route and the ping addresses for both default routes.
• The firewall continuously pings the default route IP address and any other ping addresses that you define in this area.
• If all of the configured ping addresses fail, the alternate default route becomes the acting default route.
• Failback is manual. Reset the primary default route when it is active again by selecting the Revert default gateway to the primary default gateway option in the Control Actions field in the Device Control window.

Figure 76 Cluster window: Static Routing area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to display the list of clusters.
3 Double-click a supported cluster object. The Cluster window is displayed.
4 In the tree on the left, select the Static Routing node. The Static Routing area is displayed.
Fields and buttons
This area has the following fields and buttons:
• Configure default route failover — Determines whether you are going to configure an alternate default route. The default value is cleared. If you select this checkbox, the fields in the Alternate Default Route area become available.
• Default Route — Use the fields in this area to configure the IP address for the default route and, if you are configuring route failover, one or more IP addresses to ping to confirm primary default route availability. The following fields are available:
  • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its destination address. This is usually the IP address of a router that forwards packets to your Internet Service Provider (ISP). You can also configure a DHCP route by specifying dhcp as the value in this field; however, a DHCP interface must already be configured.
  • Description — Provide information to assist in identifying this route.
  • Ping addresses — [Available only if Configure default route failover is selected] Use the fields in this table to manage the IP addresses that the firewall pings to confirm that the primary default route is accessible. The primary default route IP address is displayed automatically; you can configure additional ping addresses.
    • IP address — Specify the IP address that the firewall pings. To add a new IP address, click anywhere in a blank row.
    • Delete — Click x in the row of an IP address that you want to delete from this table.
  • Ping interval (s) — Specify the amount of time (in seconds) between each ping that the firewall sends to the configured IP addresses to ensure that the path is accessible. Valid values are from 2 to 60, inclusive.
  • Failures allowed — Specify the number of failed ping attempts that must occur before the alternate default route assumes the role of the default (primary) route. Failures are counted in increments and decrements rather than successively: a failed ping adds one to the failure total and a successful ping subtracts one from it. The failure total is never less than zero and never more than the configured failures allowed. Valid values are from 2 to 20, inclusive. Because a success decrements the total, failover requires a net excess of failures over recent successes, not an unbroken run of failures; a path that alternates between failing and succeeding on every ping never reaches the limit. For example, if you set the allowed number of failures to 3, the following table shows how successful and failed pings are counted to determine the failover:

    Ping result:    failure  success  success  failure  failure  success  failure  failure
    Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)

• Alternate Default Route — [Available only if Configure default route failover is selected] Use the fields in this area to configure the IP address for the alternate default route and one or more IP addresses to ping to confirm alternate default route availability. The following fields are available:
  • IP address — Specify a valid IP address of the device that forwards traffic with no known route to its destination address. This should be a different route than the primary default route; it can also be through a different ISP.
  • Description — Provide information to assist in identifying this route.
  • Ping addresses — Use the fields in this table to manage the IP addresses that the firewall pings to confirm that the alternate default route is accessible.
    • IP address — Specify the IP address that the firewall pings. To add a new IP address, click anywhere in a blank row.
    • Delete — Click x in the row of an IP address that you want to delete from this table.
  • Ping interval (s) — Specify the amount of time (in seconds) between each ping that the firewall sends to the configured IP addresses to ensure that the path is accessible. Valid values are from 2 to 60, inclusive.
  • Failures allowed — Specify the number of failed ping attempts that must occur before the alternate default route is considered to be inaccessible. Failures are counted in increments and decrements rather than successively: a failed ping adds one to the failure total and a successful ping subtracts one from it. The failure total is never less than zero and never more than the configured failures allowed. For example, if you set the allowed number of failures to 3, the following table shows how successful and failed pings are counted to determine the failover:

    Ping result:    failure  success  success  failure  failure  success  failure  failure
    Failure total:  1        0        0        1        2        1        2        3 (failover event occurs)

• Static routes — Use this table to display, edit, or add static routes other than the primary default route and the alternate default route that are specified in the fields at the top of this area. The following fields are available:
  • Destination — Specify the IP address for the route destination. This value must be a valid IPv4 address in dotted quad format. You can append a slash-format netmask length (for example, x.x.x.x/y, where x is a number between 0 and 255 and y is a number between 0 and 31). After you move to another field, the mask length is removed from this field and the corresponding netmask is displayed in the Netmask field. For example, if you specified /24, the Netmask value becomes 255.255.255.0.
  If you do not specify a mask length, the default Netmask value, 255.255.255.255, is provided.
  • Netmask — Specify the netmask that is assigned to the route destination. This value must be a valid IPv4 address in dotted quad format and it must also be a contiguous netmask.
  • Gateway — Specify the IP address of the gateway to use in the route to the specified destination. This value must be a valid IPv4 address in dotted quad format.
  • Description — Provide information to assist in identifying this route.
  • Delete — Click x in the row of a static route that you want to delete from this table.
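The two pieces of Static Routing behaviour above that are easy to get wrong when reasoning about them, the Failures allowed counter (which works the same way for the primary and the alternate default route) and the Destination/Netmask normalization for static routes, modelled as an added example. This is not code from the guide or from the product; the function and parameter names are this example's own, and the ping sequence is constructed to reproduce the guide's table.

```python
"""Added example, not code from the McAfee guide or the product.

Models two behaviours the Static Routing area describes:

1. The "Failures allowed" counter for default-route failover (used in the
   same way for the primary and the alternate default route): a failed ping
   adds one to the failure total, a successful ping subtracts one, the total
   is clamped to [0, failures_allowed], and failover fires when the total
   reaches failures_allowed.
2. Normalising a Destination typed as x.x.x.x/y into the dotted-quad Netmask
   the window fills in (255.255.255.255 when no /y is given) and checking
   that a Netmask is contiguous.

Function and parameter names are this example's own; the ping results below
are constructed to match the table in the guide.
"""
import ipaddress
from typing import List, Optional, Tuple


def failover_trace(results: List[bool], failures_allowed: int) -> Tuple[List[int], Optional[int]]:
    """Replay ping results (True = success, False = failure).

    Returns the failure total after each ping and the 0-based index of the
    ping at which failover occurs, or None if the limit is never reached.
    The guide allows failures_allowed from 2 to 20 inclusive.
    """
    if not 2 <= failures_allowed <= 20:
        raise ValueError("Failures allowed must be between 2 and 20")
    total, trace, failover_at = 0, [], None
    for index, succeeded in enumerate(results):
        if succeeded:
            total = max(0, total - 1)                 # never below zero
        else:
            total = min(failures_allowed, total + 1)  # never above the limit
        trace.append(total)
        if failover_at is None and total >= failures_allowed:
            failover_at = index
    return trace, failover_at


def normalize_destination(text: str) -> Tuple[str, str]:
    """Split 'x.x.x.x' or 'x.x.x.x/y' into (Destination, Netmask).

    The /y suffix is stripped from Destination and the matching dotted-quad
    mask goes in Netmask; with no suffix, Netmask defaults to
    255.255.255.255. The guide limits y to 0..31.
    """
    addr, _, length = text.partition("/")
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed dotted quad
    if not length:
        return addr, "255.255.255.255"
    bits = int(length)
    if not 0 <= bits <= 31:
        raise ValueError("mask length must be between 0 and 31")
    return addr, str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)


def is_contiguous_netmask(mask: str) -> bool:
    """True for masks such as 255.255.255.0; False for 255.0.255.0.

    A contiguous mask, inverted, is a run of low-order one bits, and such a
    value ANDed with itself plus one is zero.
    """
    inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


if __name__ == "__main__":
    # Constructed sequence from the guide's table, Failures allowed = 3.
    pings = [False, True, True, False, False, True, False, False]
    print(failover_trace(pings, 3))               # ([1, 0, 0, 1, 2, 1, 2, 3], 7)
    # A path that flaps on every other ping never reaches the limit.
    print(failover_trace([False, True] * 5, 3))   # ([1, 0, 1, 0, 1, 0, 1, 0, 1, 0], None)
    print(normalize_destination("192.0.2.0/24"))  # ('192.0.2.0', '255.255.255.0')
    print(is_contiguous_netmask("255.0.255.0"))   # False
```

The second trace is the practical caveat of the increment/decrement rule: an upstream that drops every other probe is degraded but never fails over, so the Ping addresses you choose should be hosts that answer reliably when the path is healthy and not at all when it is down.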
Cluster window: Dynamic Routing area

Use the Dynamic Routing area of the Cluster window to modify the configuration files associated with dynamic routing. Dynamic routing is performed by a dynamic routing application together with a routing protocol such as the following:
• BGP (Border Gateway Protocol)
• OSPF (Open Shortest Path First)
• RIP (Routing Information Protocol)
• PIM-SM (Protocol-Independent Multicast - Sparse Mode)

The firewall implementation of BGP, OSPF, and RIP, and of the corresponding server processes, is based on Quagga. The firewall implementation of PIM-SM is based on XORP (eXtensible Open Router Platform). Each routing application is associated with a configuration file that contains all of the information required to configure dynamic routing. Use the Dynamic Routing area to select a configuration and edit the associated configuration file. For more information about routing and the various protocols, see the "Routing" chapter of the McAfee Firewall Enterprise (Sidewinder) Administration Guide.

Caution: Editing the configuration files associated with dynamic routing protocols and applications requires advanced knowledge. If you edit one of the Quagga configuration files accessible from this area and apply the configuration to the firewall, the modified configuration is validated before the information from the Control Center is applied to the firewall. If you edit the XORP configuration file, the modified file is validated before the XORP implementation is modified; if the configuration is invalid, the XORP implementation continues to use its older configuration. For the Quagga implementations, consult the documentation available at www.quagga.net.

Figure 77 Cluster window: Dynamic Routing area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.
4 Select the Dynamic Routing node in the tree on the left. The Dynamic Routing area is displayed.
Fields and buttons
This area has the following button and an associated field:
• Select Configuration — Specify the configuration file to edit. The following values are available:
  • BGP configuration — Display the configuration file that is associated with the firewall server process that implements BGP processing (bgpd).
  • OSPF configuration — Display the configuration file that is associated with the firewall server process that implements OSPF processing (ospfd).
  • zebra configuration — Display the configuration file that is associated with the kernel routing table manager server process (zebra).
  • XORP configuration — Display the configuration file that is associated with the XORP implementation of PIM-SM routing.
  • rip configuration - external — Display the configuration file that is associated with the external burb and the firewall server process that implements RIP processing (ripd). RIP is configured per burb; there is a RIP configuration file for each burb registered to the firewall.
  • rip configuration - internal — Display the configuration file that is associated with the internal burb and the firewall server process that implements RIP processing (ripd). RIP is configured per burb; there is a RIP configuration file for each burb registered to the firewall.
  • rip configuration - unbound — Display the configuration file that is associated with the firewall server process that implements RIP processing across burbs (ripd-unbound).

Cluster window: Sendmail area

Use the Sendmail area of the Cluster window to edit the sendmail configuration files. These files contain such information as the delivery agents to use and the way to format message headers.

Caution: Do not change your sendmail configuration options unless you are an experienced sendmail user and want to customize the files for your site. Be sure to make a backup copy of a sendmail configuration file before editing it.

Figure 78 Cluster window: Sendmail area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.
4 Select the Sendmail node in the tree on the left. The Sendmail area is displayed.
Fields and buttons
This area has the following fields and buttons:
• Manage Sendmail files via the Control Center — Determines whether the sendmail files are updated by the Control Center Management Server. The default value is selected.
• File Set — Determines whether the files you want to modify are those of the internal burb or the external burb.
• Configuration File — Specify the configuration file to modify. For each file set, the following values are available:
  • Access Table — Defines anti-relaying and anti-spamming policies for the SMTP server.
  • Aliases File (available only in the internal burb) — Defines the mail aliases that are used to redirect e-mail to another person or location.
  • Alternative Host Names — Identifies alternate host names by which the firewall is known. E-mail addressed to any of the alternate names is treated as local mail by the firewall.
  • Domain Table — Provides a mapping from an old domain name to a new domain name. Modify this file if the external domain name of your organization changes.
  • M4 Config File — Defines the initial sendmail configuration. Modify this file as needed to account for site-specific requirements.
  • Mailer Table — Maps a domain to a mail relay that is responsible for mail delivery in that domain.
  The selected configuration file is displayed and available for editing in the associated text box.
• Save — Save your changes to the edited configuration file.

Cluster window: DNS area

Use the DNS area of the Cluster window to manage and modify the DNS configuration for the cluster. The firewall supports the following DNS configurations:
• Transparent DNS
• Hosted Single Server DNS
• Hosted Split Server DNS

Figure 79 Cluster window: DNS area
Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.
4 Select the DNS node in the tree on the left. The DNS area is displayed.

Fields and buttons
This area has one field that determines the composition of the area and the fields and buttons that are available for configuring DNS:
• DNS Configuration — Specify the type of DNS configuration. The following values are available:
  • Transparent — In this configuration, DNS requests are proxied through the firewall to one or more remote DNS servers. See Transparent DNS configuration on page 241.
  • Hosted Single Server — In this configuration, one DNS server is hosted on the firewall and handles all DNS queries. The server is protected by the hardened operating system of the firewall. See Hosted single server DNS configuration on page 241.
  • Hosted Split Server — In this configuration, two DNS servers are hosted on the firewall: one server is bound to the Internet burb (the Internet name server) and the other server (the unbound name server) is available for use by all internal burbs. Both servers are protected by the hardened operating system of the firewall. See Hosted split server DNS configuration on page 243.

Transparent DNS configuration
The following fields are available in this area:
• Burb — Specify the burbs to which transparent name servers are assigned.
• DNS Servers — Specify the name servers for transparent DNS services.
• Add — Displays the Transparent DNS Servers window, in which you can add a transparent name server.
• Edit — Displays the Transparent DNS Servers window for the highlighted value in the table. You can edit the values and click OK to save the change to the area. Note that you must click OK in the Cluster window to save the changes to the firewall.
• Delete — Delete the highlighted server from this table.

Hosted single server DNS configuration
The following fields are available in this area:
• Manage DNS files via Control Center — Determines whether DNS files are managed by using the Control Center. This checkbox is selected by default. If a DNS configuration that is not supported by the Control Center is encountered during retrieval, this checkbox is cleared. If you clear this checkbox, the only field on the window that remains active is Enable server.
• Generate loopback and multicast failover zones on apply — Determines whether the loopback zones (0.x.127.in-addr.arpa, where x denotes the burb index) and the failover multicast zone (0.255.239.in-addr.arpa) are generated automatically by the Control Center when you apply the configuration. When DNS components are retrieved from the firewall (see Retrieving firewall components on page 168), these zones are added to the Control Center database and this checkbox is cleared. Select this checkbox to ensure that the loopback zones and the failover multicast zone files are generated automatically when you apply, or propagate, a configuration from the Control Center database to the firewall. Otherwise, you are responsible for adding the loopback and multicast zone files.
• DNS Zones — Use the fields in this area to specify the zones that are associated with the name server. The following fields are available:
  • Create a new DNS Zone — Click to display the DNS Zone Manager window, in which you can create a new DNS zone. For more information, see Configuring DNS zones on page 315.
  • DNS Zone — Specify the DNS zone to associate with the name server.
  • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS zone.
• Server Configuration — Use the fields on this tab to specify configuration settings for the name server. The following fields are available:
  • Enable server — Determines whether the name server is enabled. This checkbox is selected by default. If you disable the name server by clearing the checkbox, only connections that use IP addresses continue to work; connections that use host names do not.
  • Enable notify — Determines whether the master name server notifies all slave servers when a zone file changes. The notification indicates to the slaves that the contents of the master have changed and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox, the following values are available:
    • Yes — Indicates that the slave servers are notified about zone file changes.
    • No — Indicates that the slave servers are not notified about zone file changes.
  • Forwarders — Specify the external name servers to which queries that cannot be answered on the firewall are forwarded. You can reposition a row in this table by highlighting the row and clicking the move up or move down button.
  • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether the name server attempts to contact the root servers if the forwarders cannot answer the query. This checkbox is selected by default, which means that queries are directed only to the selected forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders; if they cannot answer the query, the name server then attempts to contact the root servers.
  • allow-query — Specify the hosts that are allowed to query the zone. If none are specified, all requesters are authorized.
  • allow-transfer — Specify the hosts that are allowed to transfer (receive a full copy of) the zone. This option is valid only for master zones. If this field is left blank, zone transfers are not allowed from any host.
  • Dump-File — Specify the path name of the file to which the name server dumps its database when instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db. (rndc is the remote name daemon control program.)
  • Statistics File — Specify the path name of the file to which the name server appends statistics when instructed to do so with rndc stats. If a path is not specified, the default is named.stats, located in the current directory of the name server.
Hosted split server DNS configuration

The following fields are available in this area:
• Manage DNS files via Control Center — Determines whether DNS files are managed by using the Control Center. This checkbox is selected by default. If you clear this checkbox, the only field on the window that remains active is Enable server.
• Generate loopback and multicast failover zones on apply — Determines whether loopback zones (0.x.127.in-addr.arpa, where x denotes the burb index) and the failover multicast zone (0.255.239.in-addr.arpa) are automatically generated by the Control Center when you apply the configuration. These zones are added to the Control Center database when DNS components are retrieved from the firewall (see Retrieving firewall components on page 168), and this checkbox is cleared. Select this checkbox to ensure that the loopback zones and the failover multicast zone files are generated automatically when you apply, or propagate, a configuration from the Control Center database to the firewall. Otherwise, you are responsible for adding the loopback and multicast zone files.
• DNS Zones — Use the fields in this area to specify the zones that are associated with the name server. The following fields are available:
  • Create a new DNS Zone — Click to display the DNS Zone Manager window, in which you can create a new DNS zone. For more information, see Configuring DNS zones on page 315.
  • Type — Specify the location to which this zone is added. The following values are available:
    • Internet — Indicates that the zone is added only to the Internet Server Configuration.
    • Unbound — Indicates that the zone is added only to the Unbound Server Configuration.
    • Both — Indicates that the zone is added to the Internet Server Configuration and to the Unbound Server Configuration.
  • DNS Zone — Specify the DNS zone to associate with the name server.
  • Edit (button) — Displays the DNS Zone Manager window, in which you can edit the data for this DNS zone.
• Unbound Server Configuration — Use this tab to specify configuration settings for the unbound name server. The unbound name server is available for use by all internal burbs. The following fields and buttons are available on this tab:
  • Enable server — Determines whether the unbound name server is enabled. This checkbox is selected by default. If you disable the name server by clearing the checkbox, only connections that use IP addresses will continue to work; connections that use host names will not.
    Caution: If you disable both the unbound server and the Internet server, connections will work only if they use IP addresses rather than host names. Mail will not work, and other errors will occur as other parts of the system attempt to access the network by name.
  • Enable notify — Determines whether the master name server will notify all slave servers when the zone file changes. The notification indicates to the slaves that the contents of the master have changed and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox, the following fields are available:
    • Yes — Indicates that the slave servers will be notified about zone file changes.
    • No — Indicates that the slave servers will not be notified about zone file changes.
  • Forwarders — Specify external name servers to which to forward queries that cannot be answered on the firewall. You can reposition a row in this table by highlighting the row and clicking either the Move up or the Move down button.
  • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether the name server will attempt to contact the root server if the Forwarders cannot answer the query. This checkbox is selected by default. This indicates that queries will be directed only to the selected forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders. If they cannot answer the query, the name server then attempts to contact the root server.
  • Forward to Internet Server first — Determines whether queries that cannot be answered on the firewall are forwarded to the Internet server before they are forwarded to the selected forwarders. This checkbox is cleared by default. If this checkbox is selected, queries will be forwarded first to the Internet server.
  • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all requesters are authorized. If you do not specify any values in this field, on apply, the following values are added to the named.conf.u file:
    • allow-recursion (any; ); — For firewall versions 7.0.0.08 and later and versions 7.0.1.02 and later
    • allow-query-cache (any; ); — For firewall versions 7.0.1.02 and later
  • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only for master zones. If this field is left blank, updates are not allowed from any host.
  • Dump-File — Specify the path name of the file to which the name server dumps the database when instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db. (rndc is the remote name daemon control program.)
  • Statistics File — Specify the path name of the file to which the name server appends statistics when instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is located in the current directory of the name server.
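The Server Configuration fields above (Forwarders, Forward only, allow-query, allow-transfer, Dump-File, Statistics File) map onto a small set of BIND options. The following added example, which is not the Control Center's own file generator, renders those fields in BIND syntax and flags the exposure that the guide describes when allow-query is left empty (the implicit allow-recursion and allow-query-cache directives); the version strings, host lists and file names are constructed sample values.

```python
"""Added example (not Control Center code): render the Server Configuration
tab as a BIND 'options' block and review it before Apply."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DnsServerSettings:
    """Fields of the Server Configuration tab; defaults follow the guide."""
    firewall_version: str = "7.0.1.02"                        # sample value
    forwarders: List[str] = field(default_factory=list)
    forward_only: bool = True                                 # checkbox default
    allow_query: List[str] = field(default_factory=list)      # empty = anyone
    allow_transfer: List[str] = field(default_factory=list)   # empty = nobody
    dump_file: Optional[str] = None                           # default named_dump.db
    statistics_file: Optional[str] = None                     # default named.stats


def _ver(text: str) -> tuple:
    return tuple(int(p) for p in text.split("."))


def implicit_any_directives(version: str) -> List[str]:
    """Directives the guide says are written to named.conf.u when allow-query
    is empty, keyed on the two release lines it names (7.0.0.08+, 7.0.1.02+).
    Release lines the guide does not mention are treated as not affected."""
    v = _ver(version)
    added = []
    if (v[:3] == (7, 0, 0) and v[3] >= 8) or (v[:3] == (7, 0, 1) and v[3] >= 2):
        added.append("allow-recursion")
    if v[:3] == (7, 0, 1) and v[3] >= 2:
        added.append("allow-query-cache")
    return added


def _acl(hosts: List[str]) -> str:
    """BIND address-match list: { host; host; }"""
    return "{ " + " ".join(h + ";" for h in hosts) + " }"


def render_options(s: DnsServerSettings) -> str:
    """Illustrative BIND rendering of the tab (the product writes its own file)."""
    out = ["options {"]
    if s.forwarders:
        out.append(f"    forwarders {_acl(s.forwarders)};")
        # 'forward only' never falls back to the roots; 'forward first' does
        out.append("    forward only;" if s.forward_only else "    forward first;")
    if s.allow_query:
        out.append(f"    allow-query {_acl(s.allow_query)};")
    else:
        out.append("    allow-query { any; };")
        for name in implicit_any_directives(s.firewall_version):
            out.append(f"    {name} {{ any; }};")
    # a blank allow-transfer field means no host may transfer the zone
    transfer_acl = _acl(s.allow_transfer) if s.allow_transfer else "{ none; }"
    out.append(f"    allow-transfer {transfer_acl};")
    out.append(f'    dump-file "{s.dump_file or "named_dump.db"}";')
    out.append(f'    statistics-file "{s.statistics_file or "named.stats"}";')
    out.append("};")
    return "\n".join(out)


def exposure_findings(s: DnsServerSettings) -> List[str]:
    """Points a reviewer would raise before clicking Apply."""
    findings = []
    if not s.allow_query:
        findings.append("allow-query empty: every reachable host may query")
        if "allow-recursion" in implicit_any_directives(s.firewall_version):
            findings.append("allow-recursion any: server recurses for any client")
    if s.forwarders and not s.forward_only:
        findings.append("forward first: falls back to root servers if forwarders fail")
    if "any" in s.allow_transfer:
        findings.append("allow-transfer any: whole zone readable by any host")
    return findings


if __name__ == "__main__":
    sample = DnsServerSettings(forwarders=["192.0.2.53"])   # constructed
    print(render_options(sample))
    print(exposure_findings(sample))
```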
• Internet Server Configuration — Use the fields on this tab to specify configuration settings for the Internet name server. The Internet name server is bound to the Internet burb. The following fields and buttons are available on this tab:
  • Enable server — Determines whether the Internet name server is enabled. This checkbox is selected by default. If you disable the Internet name server by clearing the checkbox, external connections that require host names will not work unless the name is already cached in the database of the unbound name server. Connections that use IP addresses will work. E-mail will be placed in a queue because IP addresses cannot be resolved.
    Caution: If you disable both the unbound server and the Internet server, connections will work only if they use IP addresses rather than host names. Mail will not work, and other errors will occur as other parts of the system attempt to access the network by name.
  • Enable notify — Determines whether the master name server will notify all slave servers when the zone file changes. The notification indicates to the slaves that the contents of the master have changed and that a zone transfer is necessary. This checkbox is cleared by default. If you select this checkbox, the following fields are available:
    • Yes — Indicates that the slave servers will be notified about zone file changes.
    • No — Indicates that the slave servers will not be notified about zone file changes.
  • Forwarders — Specify external name servers to which to forward queries that cannot be answered on the firewall. You can reposition a row in this table by highlighting the row and clicking either the Move up or the Move down button.
  • Forward only — [Available only if a value is displayed in the Forwarders table] Determines whether the name server will attempt to contact the root server if the Forwarders cannot answer the query. This checkbox is selected by default. This indicates that queries will be directed only to the selected forwarders. If this checkbox is cleared, the name server forwards the query to the selected forwarders. If they cannot answer the query, the name server then attempts to contact the root server.
  • allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all requesters are authorized.
  • allow-transfer — Specify particular hosts that are allowed to update the zone. This option is valid only for master zones. If this field is left blank, updates are not allowed from any host.
  • Dump-File — Specify the path name of the file to which the name server dumps the database when instructed to do so with rndc dumpdb. If a path is not specified, the default is named_dump.db. (rndc is the remote name daemon control program.)
  • Statistics File — Specify the path name of the file to which the name server appends statistics when instructed to do so using rndc stats. If a path is not specified, the default is named.stats, which is located in the current directory of the name server.

Cluster window: Certificates area

Use the Certificates area on the Cluster window to configure certificate server settings, view available firewall certificates, assign certificates to server services, and manage Secure Shell (SSH) keys. Also use this page to perform such actions as creating, importing, exporting, and deleting certificates and SSH keys.

Figure 80 Cluster window: Certificates area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.
4 Select the Certificates node in the tree on the left. The Certificates area is displayed.

Tabs
This area has the following tabs:
• Firewall Certificates — View the status of the firewall certificates for the cluster. For more information, see Firewall Certificates tab on page 246.
• SSH Keys — Manage the SSH keys for this cluster. For more information, see SSH Keys tab on page 247.
• Settings — Configure certificate server settings and assign certificates to server services. For more information, see Settings tab on page 248.
Firewall Certificates tab

Use the Firewall Certificates tab to view the list of firewall certificate names and the status of those certificates. You can filter this list by selecting the appropriate value in the Status list at the bottom left corner of this tab. To view the fields on this tab, see Figure 80 on page 245.

Fields and buttons
The Firewall Certificates tab has the following fields:
• Name — [Read-only] Displays the names of firewall certificates.
• Status — [Read-only] Displays the status of the associated firewall certificates.
• Status — (at the bottom of the tab) Specify the status by which the list of firewall certificates is filtered for display. The following values are available:
  • ALL — Displays all firewall certificates.
  • Pending — Displays certificates that were requested by using the Manual PKCS10 signing mechanism. This status can occur in the following circumstances:
    • PKCS10 is used and a certificate has not been provided.
    • A CA-signed certificate is used and the certificate has not yet been retrieved from the Certificate Authority.
  • Completed — Displays certificates that have been received from the certificate server.
  • Revoked — Displays certificates for which a request has been rejected by Netscape CAs or by CAs that support the Simple Certificate Enrollment Protocol (SCEP).
• Add Certificate — Start the Certificate Request Wizard, with which you can create a new certificate or import an existing certificate. The certificate will be added to the list of firewall certificates that are displayed on this page. For more information, see Creating certificates or importing them into the certificate database on page 515.
• Load Certificate — For Manual PKCS10 certificate requests, start the Load Certificate wizard, in which you can import a certificate. For more information, see Loading certificates on page 522.
• Retrieve Certificate — For a certificate request that has been submitted to be signed by a CA, start a query of the CA to determine whether the certificate has been approved.
• Certificate Details — Displays the Certificate Manager window, in which you can view information about a selected certificate. Information includes such details as the certificate name, distinguished name, domain name, signature type (for example, RSA), and status (for example, Completed, CA Signed).
• Export Certificate — Start the Export Certificate wizard, in which you can export a certificate and private key to a file. For more information, see Exporting certificates on page 519.
• Delete Certificate — Delete a certificate from the list of firewall certificates.
  Note: If the selected certificate is being used by VPN, an application defense, or another firewall component, it cannot be deleted.
SSH Keys tab

Use the SSH Keys tab to manage the SSH keys for this firewall.

Figure 81 Cluster window: Certificates area: SSH Keys tab

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of currently defined cluster nodes.
3 Double-click one of the cluster nodes. The Cluster window is displayed.
4 Select the Certificates node in the tree on the left. The Certificates area is displayed.
5 Select the SSH Keys tab.

Fields and buttons
This tab has the following fields and buttons:
• Name — [Read-only] Displays the name of the SSH key. Note that Default_RSA_Key and Default_DSA_Key are reserved words for the firewall. You cannot add or delete these keys. However, you will see these keys in this tab when you retrieve from the firewall for the first time.
• SSH Fingerprint — [Read-only] Displays the SSH fingerprint of the public key that is associated with this SSH key. The fingerprint is a hashed (shortened) version of the host key that makes it easier for you to compare keys.
• Signature Type — [Read-only] Displays the type of standard digital signature that is used when this SSH key is generated or verified. The following values are available:
  • RSA — Public key and private key combination
  • DSA — Digital Signature Algorithm
• Add — Display the Add SSH Key window, in which you can add a new SSH key.
• Import — Display the Import SSH Key window, in which you can import the SSH key directly from a file or from pasted text.
• Export — Display the Export SSH Key window, in which you can export the SSH key directly to a file or display it on the SSH Keys window.
• Delete — Delete the highlighted SSH key from the list of SSH keys.
Settings tab

Use the Settings tab to configure certificate server settings and assign certificates to server services.

Figure 82 Cluster window: Certificates area: Settings tab

Fields and buttons
This tab has the following fields and buttons:
• Certificate Server Options — Use the fields in this area to configure settings that are associated with the certificate server. The following fields are available:
  • Use LDAP to search for Certificates — Determines whether the firewall cluster will attempt to retrieve certificates and CRLs (Certificate Revocation Lists) from an LDAP server. This checkbox is cleared by default. When this checkbox is selected, the following fields are available:
    • Server Address — Specify the IP address of the LDAP server. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click the Advanced search button. To view a list of objects that you can add, click the Add button.
    • Server Port — Specify the port number on which the LDAP server listens. The port number is 389 by default. However, the server can be configured to listen on other ports.
    • Timeout (sec.) — Specify the maximum amount of time (in seconds) that the certificate management daemon will wait while performing an LDAP search. Acceptable values range from 0 to 3600. The default value is 60.
• Key Server — Use the fields in this area to configure settings that are associated with keys. The following fields are available:
  • Maximum Validated Cache Size — Specify the maximum number of validated keys that will be stored in cache memory. Caching validated keys can increase system performance. Acceptable values range from 0 to 500. A value of 0 indicates that keys will not be cached. The default value is 100.
  • Certificate Key Cache Lifetime (min.) — Specify the maximum amount of time that a certificate can remain in the validated key cache before it must be re-validated. Acceptable values range from 0 to 360. A value of 0 indicates that certificate keys must be re-validated with each use.
• CRL — Use the fields in this area to configure settings that are associated with Certificate Revocation Lists (CRLs). The following fields are available:
  • Perform CRL Checking — Determines whether CRL checking is enabled. This checkbox is selected by default. If this checkbox is cleared, CRLs will not be consulted when certificates are being validated.
  • CRL Retrieval Interval — Specify the frequency with which a Certificate Authority (CA) is queried to retrieve a new CRL.
• Audit Level — Specify the level of auditing to be performed on the specified certificate server. The following values are available:
  • Error — Logs major errors only.
  • Normal — Logs major errors and informational messages. This is the default value.
  • Verbose — Logs information that is useful in detecting configuration issues.
  • Debug — Logs all errors and informational messages and also logs debugging information.
• Application Defense Settings — Use the field in this area to specify the HTTPS certificate that will be used to decrypt HTTPS traffic. The following field is available:
  • Default HTTPS Certificate — Specify the SSL certificate that will be used to decrypt HTTPS traffic. This certificate will be used, by default, for the HTTPS application defense. For more information, see HTTPS Application Defense window: General tab on page 371.
• Common Access Card Configuration — [Available only for firewall version 7.0.1.02 and later] Use the fields in this area to specify the Common Access Card (CAC) authenticator and CAC Webserver certificate that are used to authenticate users when they use a CAC to access the firewall. The following fields are available:
  • CAC Certificate — Specify the CAC remote certificate for this administrator. This list displays all of the remote certificates. The default value is <None>. You can also edit an existing certificate or add a new one by following these instructions. To edit an existing object: First, select the object in the list. Next, click the Edit selected button. The respective object window is displayed. To add a new object: Click the Add button. The respective object window is displayed.
  • Webserver SSL Certificate — Specify the certificate that the CAC Webserver will present to your Web browser for the SSL session. If you select a CAC authenticator, you must specify the SSL certificate.
• SSL Certificates — Use this table to specify the list of server services and their currently assigned SSL certificate.
  • Server — Displays the server services to which you can assign new SSL certificates.
  • SSL Certificate — Displays the name of the certificate that is currently assigned to the associated server service. This certificate is the default certificate or a self-signed, RSA/DSA firewall certificate.
Cluster window: Miscellaneous area

Use the Miscellaneous area to define a common group of features that can be applied to this cluster. As an alternative, you can use the settings from the Global Settings object that were defined in the Global Settings window by selecting Apply Global Settings.

Figure 83 Cluster window: Miscellaneous area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to display the list of clusters.
3 Double-click a supported cluster object. The Cluster window is displayed.
4 In the tree on the left, click Miscellaneous. The Miscellaneous area is displayed.

Fields and buttons
The Global Settings, Firewall Settings Objects, and Policy Objects areas have the following buttons:
• Edit (button) — After you select a value in the list, click this button to edit the value in the respective window. Each field description below includes the name of the window that is displayed when this button is clicked.
• Add (button) — Click this button to the right of the object that you want to create. The window for this object is displayed, in which you can configure the new object. Each field description below includes the name of the window that is displayed when this button is clicked.
• Global Settings — Use the fields in this area to select the global setting to apply to this cluster.
  • Apply Global Settings — Determines whether global settings are applied to the selected cluster. This checkbox is selected by default. If you have previously defined a Global Settings object in the Global Settings window, you can select it from the list. Clear the Apply Global Settings checkbox to use the other fields and buttons in the Miscellaneous area to define global settings to be associated with the selected cluster.
• Firewall Settings Objects — Use the fields in this area to select a variety of previously defined configuration objects. You can view these objects in the Firewall Settings group bar of the Configuration Tool. The following fields are available:
  • Network Defense — Display the network defenses that have been defined on the system. Specify the network defense to apply to a cluster. (See Configuring network defense audit reports on page 279.)
  • Server and Service Settings — Display the server and service settings that have been defined on the system. Specify the server and service configuration to apply to a cluster. (See Managing servers and service configurations on page 291.)
  • IPS Signature Browser — Display the IPS Signature Browser objects that have been defined on this system. Specify the IPS signature object to apply to a cluster. (See Viewing and managing IPS signatures by using the IPS Signature Browser on page 302.)
  • Virus Scan — Display the virus scanning properties that have been defined on the system. Specify the virus scan configuration to apply to a cluster. (See Virus scanning on page 308.)
  • TrustedSource — Display the TrustedSource configurations that have been defined on this system. Specify the TrustedSource configuration to apply to a cluster. (See Configuring TrustedSource settings for rules and mail filtering on page 305.)
  • Third-Party Updates — Display the update schedules that have been defined on the system for downloading and installing IPS signature updates, anti-virus signature files, and Geo-Location updates. Specify the update schedule to apply to a cluster. (See Configuring third-party update schedules.)
  • Scheduled Jobs — Display the Scheduled Jobs window, in which you can view the scheduled jobs that have been defined on the system and apply them to a cluster. (See Scheduling jobs on page 322.)
  • Package Load — Display the package load configurations that have been defined on the system. Specify the configuration to use to check for and load packages to install on a cluster. (See Establishing a schedule to check for software updates on page 331.)
• Policy Objects — Use the fields in this area to select a variety of previously defined configuration objects. You can view these objects in the Policy group bar of the Configuration Tool. The following fields are available:
  • Internet burb — Display the burbs that have been defined on the system. Specify the single burb that communicates directly with the Internet. (See Configuring burbs on page 341.)
  • Default application defense group — Display the application defense groups that have been defined on the system. Specify the application defense group to apply, by default, in new rules for a cluster. (See Configuring application defense groups on page 418.)
  • Password Authenticator — Display the password authenticators that have been defined on the system. Specify the password authenticator to apply to a cluster. (See Configuring password authenticators on page 426.)
  • Passport Authenticator — Display the passport authenticators that have been defined on the system. Specify the passport authenticator to apply to a cluster. (See Configuring passport authenticators on page 428.)
• Reputation Threshold — Use the fields in this area to perform TrustedSource™ reputation service filtering and specify an associated setting.
  • Perform TrustedSource filtering on inbound mail — Determines whether TrustedSource is used to reduce the amount of spam that reaches an organization's in-boxes. This value is cleared by default. If you select this checkbox, use the associated field to specify a value that is used to distinguish legitimate senders of e-mail from untrustworthy ones. Values range from 0 to 120. The default value is 80. Messages from senders with reputation scores above the selected reputation threshold value are rejected. Trustworthy senders receive low scores, and untrustworthy senders receive high scores. Values are associated with TrustedSource reputation classes. See the help topic for the Global Settings window for information about the reputation classes.
• Lockout Threshold — Use the fields in this area to enable lockout and specify an associated setting.
  • Enable lockout — Determines whether a user whose account reaches a specified authentication attempt threshold is locked out until the lock is cleared by an administrator. This value is cleared by default. If you select this checkbox, you can specify the number of failed login attempts that can occur for a single user account before the user is locked out of the cluster.
• Uninterruptible Power Supply (UPS) — Use the fields in this area to enable UPS and specify associated settings. The following fields are available:
  • Enable UPS — Determines whether a UPS device is enabled for a firewall. This checkbox is cleared by default. If you select this checkbox, the following fields are available:
    • Serial Port — Specify the serial port that is connected to the UPS. Available values are COM1 and COM2. The default value is COM1.
    • Battery Time (sec) — Specify the number of seconds that the UPS battery will last before its power is considered to be low. The default value is 900. If UPS is enabled and a power outage occurs, the firewall monitors the UPS and performs an orderly shutdown when the power of the UPS battery begins to run low.
• Other Settings — Use the fields in this area to specify the following settings:
  • Enforce U.S. Federal Information Processing Standard 140-2 — Determines whether the requirements of the FIPS 140-2 standard are applied to a cluster. This standard specifies security requirements for cryptographic modules. This value is cleared by default.
  • Delete home directory upon deletion of user — Determines whether a user's home directory is deleted automatically when the user account is deleted. This value is cleared by default.
  • Blackhole source IP if attack IP cannot be confirmed (responses) — Determines whether a source IP address is blackholed when the related audit message does not have an Attack IP field. This value is cleared by default. If you select this checkbox, connections from the IP address originating the attack will not be accepted.
  • Enforce health monitor auditing — Determines whether audit data on the system's health status is generated and statistics about network and system utilization are recorded. This checkbox is selected by default.
  • Allow Secure Alerts to be sent to Control Center — Determines whether Secure Alerts are allowed to be sent by this cluster to the Control Center Management Server. To configure the alerts, you must also go to the IPS Attack Response window or the System Response window and select the Send Secure Alert checkbox.
Modifying cluster interface properties

Use the Cluster Interface Properties window to modify cluster IP addresses, to create, modify, or delete remote test IP addresses, and to create, modify, or delete force ARP reset IP addresses for this cluster interface on the firewall.

Figure 84 Cluster Interface Properties window

Accessing this window
1 In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Clusters node.
2 Double-click a cluster in the tree. The Cluster window for the selected node is displayed.
3 Select the Cluster Interfaces node. The Cluster Interfaces area is displayed.
4 Click Advanced.... The Cluster Interface Properties window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Cluster IP Address — Specify the unique IP address of the network interface brought forward from the row in which you clicked Advanced.... You can edit the address in this window, and the changes will be propagated back to the Cluster Interfaces page of the Cluster window. You can use alphanumeric characters, dashes (-), and underscores (_).
• Network Address — [Read-only] Displays the network interface for the burb that is displayed on the Cluster Interfaces page.
• Burb — [Read-only for firewall versions earlier than 7.0.1] Specify the burb name for the cluster IP address.
• Quality of Service — Specify the Quality of Service profile that contains one or more queues that allow you to prioritize network performance based on network traffic type.
  Note: Only standard interfaces can use Quality of Service profiles, even if that interface is part of a cluster.
  Note: For the 7.0.1 version and later versions of the firewall, you cannot select a profile that contains any of the following characters: dash (-), period (.), or underscore (_).
• MTU — [Available only for version 7.0.1 and later firewalls] Specify the size of the Maximum Transmission Unit (MTU) for outgoing packets.
• Shared addresses — Use the fields in this area to add, edit, or delete shared addresses. The following fields are available:
  • IP Address — Specify the unique IP address to be associated with this network interface. This value must be a valid IPv4 address in dotted quad format. You can specify a slash-format netmask length (for example, x.x.x.x/y, where x is a number between 0 and 255 and y is a number between 0 and 31). For example, if you specified 24, the value will be 255.255.255.0. If you do not specify an IP address value, the default mask value, which is 255.255.255.0, is provided.
  • Mask — Specify the netmask to be associated with this network interface. This value must be a valid IPv4 address in dotted quad format, and it must also be a contiguous netmask.
  • Delete — Click x (Delete) in the row to be deleted. The address is deleted from the interface after you click OK.
• Force Arp Reset — [Not available if this cluster interface is in load-sharing mode] In this table, configure hosts that are known to ignore gratuitous ARPs but that need to know the new cluster alias.
  • IP address — Specify the unique IP address of the network interface that will not accept gratuitous requests. This value must be a valid IPv4 address in dotted quad format. You can specify a slash-format netmask length (for example, x.x.x.x/y, where x is a number between 0 and 255 and y is a number between 0 and 31). After you move the mouse to another field, the mask length is removed from this field and the appropriate netmask is displayed in the Mask field. For example, if you specified 24, the value will be 255.255.255.0. If you do not specify an IP address value, the default mask value, which is 255.255.255.0, is provided.
  • Delete — Click x (Delete) in the row to be deleted. The IP address is deleted from the interface.
• Interface test — Use the fields in this area to configure remote test IP addresses for networks that you want to ping periodically.
  • Monitor link status — Determines whether the interface link is active. This method checks only whether the interface is disconnected or the NIC stops working. It does not verify that other devices can be contacted by the firewall.
  • IP address — Specify the IP address to ping.
  • Delete — Click x (Delete) in the row to be deleted. The IP address is deleted from the interface.
  • Ping interval — Specify the length of time (in seconds) that the firewall will ping the remote address to ensure that an interface and path are operational.
  • Failures allowed — Specify the number of failed ping attempts that must occur before the standby interface takes over as the primary. Failures are counted in increments and decrements rather than successively. This means that a failed ping adds to the failure total, and a successful ping subtracts from the failure total. The failure total is never less than zero, and it is never more than the configured failures allowed.
  • 255. McAfee Firewall Enterprise (Sidewinder) clusters • Load sharing parameters — [Available only for version 7.0.1 and later clusters that are configured in load sharing mode] Use the fields in this area to specify.Layer 2 and cluster MAC address information. The following fields are available: • L2 Mode — Specify the layer 2 mode for this interface. The following values are available: • Unicast - mirrored — Select this value if the switches that are connected to your firewalls can be configured to send out, on multiple ports, traffic that is destined for single unicast MAC addresses. • Multicast — Select this value if the switches that are connected to your firewalls do not support Unicast - mirrored mode, but do support multicast MAC addresses. This is the default value. • Multicast no IGMP — Select this value if the switch that is connected to this interface supports multicast MAC addresses and you do not want this interface to send IGMP messages that advertise the cluster MAC address. • Unicast - flooded — Select this value if the switches that are connected to your firewalls do not support Multicast mode or Unicast - mirrored mode. This mode does increase network overhead for every device that is connected to the switch. • Cluster MAC — Specify the cluster MAC address that will be shared by both firewalls in the cluster. Do not modify the cluster MAC address unless this address conflicts with another device that is attached to the same network. If you need to edit the value, do not change the first three octets (xx.xx.xx.yy.yy.yy) of the address. • OK — Save the changes on this window. • Cancel — Close this window without saving any changes. Configuring configuration data for a cluster member Use the Cluster Member window to add or change configuration object data for the selected firewall cluster node object. This window has three nodes. Figure 85 Cluster Member window McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 255
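The Failures allowed counter described under Interface test above is easy to misjudge because successes subtract from the total. The following added model (not McAfee code) walks constructed sequences of ping outcomes and reports when the standby would take over; it assumes takeover happens as soon as the total reaches the configured Failures allowed value.

```python
"""Model of the Interface test failure counter (added example, not McAfee code).

The guide states: a failed ping adds one to the failure total, a successful
ping subtracts one, the total never drops below zero and never exceeds the
configured Failures allowed. Assumption: the standby takes over as soon as the
total reaches Failures allowed.
"""


def run_interface_test(ping_results, failures_allowed):
    """Walk a sequence of ping outcomes (True = reply received, False = no reply).

    Returns (takeover_index, trace): takeover_index is the 0-based position of the
    ping at which the total first reached failures_allowed (None if it never did),
    and trace is the failure total after each ping.
    """
    if failures_allowed < 1:
        raise ValueError("Failures allowed must be at least 1")
    total = 0
    trace = []
    takeover_index = None
    for i, reply_received in enumerate(ping_results):
        if reply_received:
            total = max(0, total - 1)                  # success subtracts, floor at zero
        else:
            total = min(failures_allowed, total + 1)   # failure adds, capped at the limit
        trace.append(total)
        if takeover_index is None and total >= failures_allowed:
            takeover_index = i
    return takeover_index, trace


def summarize(label, ping_results, failures_allowed):
    """Print one constructed scenario so the clamping behaviour is visible."""
    idx, trace = run_interface_test(ping_results, failures_allowed)
    outcome = f"takeover after ping #{idx + 1}" if idx is not None else "no takeover"
    pattern = "".join("." if ok else "x" for ok in ping_results)
    print(f"{label:<18} pings={pattern:<12} totals={trace} -> {outcome}")


if __name__ == "__main__":
    # Constructed scenarios, Failures allowed = 3 in each case.
    summarize("flapping path", [False, True] * 5, 3)        # never accumulates
    summarize("two then recover", [False, False, True, True], 3)
    summarize("sustained outage", [False, False, True, False, False, False], 3)
```

A path that alternates between one failure and one success never triggers takeover, whereas three net failures do, regardless of how many pings it took to reach them.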
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of clusters.
3 Select a cluster to expand the list of nodes.
4 Double-click the cluster node (member). The Cluster Member window is displayed.

Buttons
• OK — Save the changes that have been made on any of the areas and close this window.
  Note: Changes that you make on any individual area in this window are not saved until you click OK for the entire window.
• Cancel — Close this window without saving any changes.

Tree nodes
This window has the following nodes in the tree:
• General Settings — Provide node identification and configuration information. For more information, see Cluster Member window: General Settings area on page 256.
• Interfaces — Displays the interface configuration information for each network interface on the firewall cluster node. See Cluster Member window: Interfaces area on page 257.
• High Availability — Defines the node-specific high-availability configuration options for firewalls that are installed in a high-availability cluster. For more information, see Cluster Member window: High Availability area on page 260.

Cluster Member window: General Settings area

Use the General Settings area of the Cluster Member window to specify such node parameters as the node name, management IP address, management port, and software version. For more information about defining firewall objects, see Firewall objects on page 163. To view the fields in this area, see Figure 85 on page 255.

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of clusters.
3 Select a cluster to expand the list of nodes.
4 Double-click the cluster node (member). The Cluster Member window is displayed.
5 Make sure that the General Settings node in the tree is selected.

Fields and buttons
This area contains the following fields and buttons:
• Name — [Read-only] Displays the host name by which the system identifies itself during network and login connections. The name may contain alphanumeric characters, hyphens, or periods. It cannot be totally numeric.
• Description — Specify user-defined comments and information about the firewall and its configuration.
• Configuration — Use the fields in this area to configure various parameters for the cluster member. The following fields are available:
  • Firewall Mgmt Address — Specify the IP address of the network interface on the firewall that the Control Center Management Server uses to manage the firewall.
  • Firewall Mgmt Port — Specify the port number that the firewall uses to communicate with the Control Center Management Server. The default management port is 9005. The value that you specify in this field must match the value that is specified on the firewall by using its native GUI. Changing this value and applying the change does not change the value on the firewall.
  • Version — [Read-only] Displays the version of software installed in the firewall. This information is necessary so that the Control Center can produce the correct format of data sent to the firewall when the configurations are applied.
  • Time Zone — [Read-only] Displays the time zone in which the firewall is located.
  • Location — Specify user-defined location information. This information can be used to provide a user-defined alternate view of the way that the firewalls are organized and displayed in the Firewalls group bar of the Object Configuration area. For more information, see Reviewing your configured firewalls on page 594.
  • Contact — Specify user-defined contact information. This information can be used to provide a user-defined alternate view of the way that the firewalls are organized and displayed in the Firewalls group bar of the Object Configuration area. For more information, see Reviewing your configured firewalls on page 594.
  • Firewall Properties — Use the fields in this table to specify a user-defined category/value pair. Use the categories to develop a classification hierarchy for firewalls that are installed in your configuration. This category/value pair can be used to sort firewalls by using a user-defined sorting scheme (in addition to the built-in Location and Contact categories). As user-defined categories are created, they are displayed in the Category list. By carefully defining a sorting scheme and identifying each firewall by using one or more categories, you can apply a powerful sorting scheme to obtain views of firewalls by using the Firewall Sorting Manager window.

Cluster Member window: Interfaces area

Use the Interfaces area of the Cluster Member window to perform the following tasks:
• Assign all of the network link elements to the interface, such as IP address, network mask, burb, and NIC for outgoing packets.
• Select Quality of Service (QoS) profiles and define shared addresses for an interface.
• Create standard or VLAN interfaces.
The internal and external network interfaces of the firewall are defined during the initial configuration. You can create an unlimited number of interfaces. Up to 63 interfaces can be enabled at one time, in a combination of standard and VLAN interfaces. For more information about defining firewall objects, see Firewall objects on page 163.

Figure 86 Cluster Member window: Interfaces area
Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of clusters.
3 Select a cluster to expand the list of nodes.
4 Double-click the cluster node (member). The Cluster Member window is displayed.
5 Select the Interfaces node in the tree. The Interfaces area is displayed.

Tabs
This area has the following tabs:
• Firewall Interfaces — Specify interfaces for this firewall. See Firewall Interfaces tab on page 258.
• NICs/NIC Groups — Configure the physical NIC and create NIC groups for redundant NICs. See NICs/NIC Groups tab on page 259.

Firewall Interfaces tab
The Firewall Interfaces tab has the following fields and buttons:
• Enabled — Determines whether the associated interface is enabled. Select or clear the checkbox to enable or disable the interface.
• Name — Specify the name of a network interface or a Virtual LAN (VLAN) interface.
• IP Address — Specify the unique IP address of the network interface. This value must be a valid IPv4 address in dotted quad format. If you want to configure this interface to connect to a Dynamic Host Configuration Protocol (DHCP) server, leave this field blank and select DHCP in the Type field. This field will then display DHCP as its value. You can specify a slash-format netmask length (for example, x.x.x.x/y where x is a number between 0 and 255 and y is a number between 0 and 31). After you move the mouse to another field, the mask length is removed from this field and the appropriate netmask is displayed in the Mask field. For example, if you specified 24, the value will be 255.255.255.0. If you do not specify an IP address value, the default Mask value, which is 255.255.255.0, is provided.
• Mask — Specify the subnet mask assigned to a network interface. This value must be a valid IPv4 address in dotted quad format and it must also be a contiguous subnet mask. If you are configuring this interface to connect to a DHCP server, leave this field blank and select DHCP in the Type field. This field will then display DHCP as its value.
• Type — Specify the type of interface that you are configuring. The following values are available:
  • Standard — Indicates a single network that is attached to one NIC or NIC group.
  • VLAN — Indicates that one of the virtual networks is managed by the NIC.
• VLAN ID — Specify the VLAN identifier for this interface. Within the set of VLANs on each NIC, each number must be unique. This field is not available unless the value of the Type field is set to VLAN. Valid values are from 1 to 4094.
• Burb — Specify the burb that is attached to this network interface.
• NIC/NIC Group — Specify the NIC or the NIC group that is currently attached to this network interface.
• Advanced... — Display the McAfee Firewall Enterprise Interface window, in which you can configure additional features for this interface.
• Delete — Click x (Delete) in the row to be deleted. The interface is deleted from the firewall after you click OK in this window.
• (Information area) — [Read-only] Displays information about the highlighted interface in the list.
• (Add) — Adds a new firewall interface to the bottom of the list.
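The IP Address and Mask field conventions repeated on the cluster interface, shared address, and Firewall Interfaces pages above (slash-format length, dotted-quad default mask, contiguous-mask requirement, DHCP placeholder) can be checked before values are typed into the window. The following is an added Python example, not McAfee code; it follows the 0 to 31 length range the guide states, so /32 is rejected, and the input values it prints are constructed.

```python
"""Parse and validate IP Address / Mask field values the way the interface
pages describe them (added example, not McAfee code)."""
import ipaddress

DEFAULT_MASK = "255.255.255.0"   # mask the guide says is supplied when no length is given
MAX_PREFIX_LENGTH = 31           # the guide gives y in x.x.x.x/y as 0 to 31


def prefix_to_mask(length):
    """Turn a slash-format length into the dotted-quad mask shown in the Mask field."""
    if not 0 <= length <= MAX_PREFIX_LENGTH:
        raise ValueError(f"netmask length {length} outside 0-{MAX_PREFIX_LENGTH}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{length}").netmask)


def is_contiguous_mask(mask):
    """True only for a dotted-quad mask whose bits are ones followed by zeros.

    Inverting a contiguous mask gives 2**k - 1, which has no bit in common with
    its successor; a mask such as 255.0.255.0 fails that test.
    """
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ValueError:          # AddressValueError is a ValueError subclass
        return False
    inverted = ~bits & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def parse_ip_field(text):
    """Return (ip, mask) as the Control Center would fill the two fields.

    'x.x.x.x/y'  -> (x.x.x.x, mask for y)
    'x.x.x.x'    -> (x.x.x.x, DEFAULT_MASK)
    '' or 'DHCP' -> ('DHCP', 'DHCP'), the placeholder shown for DHCP interfaces
    Raises ValueError for anything that is not a dotted-quad IPv4 address.
    """
    text = text.strip()
    if text == "" or text.upper() == "DHCP":
        return ("DHCP", "DHCP")
    if "/" in text:
        addr, _, length = text.partition("/")
        mask = prefix_to_mask(int(length))
    else:
        addr, mask = text, DEFAULT_MASK
    return (str(ipaddress.IPv4Address(addr)), mask)   # rejects non dotted-quad input


if __name__ == "__main__":
    # Constructed field values, including ones the window would reject.
    for value in ["192.0.2.10/27", "192.0.2.10", "", "10.0.0.256", "192.0.2.10/32"]:
        try:
            print(f"{value!r:>16} -> {parse_ip_field(value)}")
        except ValueError as err:
            print(f"{value!r:>16} -> rejected ({err})")
    for mask in ["255.255.255.0", "255.0.255.0"]:
        print(f"{mask} contiguous: {is_contiguous_mask(mask)}")
```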
NICs/NIC Groups tab

Use the NICs/NIC Groups tab to configure the physical NIC and to create NIC groups for redundant NICs. A primary reason for NIC groups is to provide redundant NIC functionality. If a primary NIC in a group stops working or is disconnected, the standby NIC starts passing the traffic. To configure a new NIC group with a primary and a secondary NIC, click Add to display the NIC Group window.
A maximum of 26 NICs can be installed in a firewall at one time, including the two onboard NICs. A dual-port NIC counts as two NICs, a quad-port NIC counts as four NICs, and so on.

Figure 87 NICs/NIC Groups tab on the Cluster Member window: Interfaces area

Fields and buttons
This tab has the following fields and buttons:
• NICs — Use the fields in this table to configure the settings for each NIC.
  • Name — [Read-only] Displays the name of the NIC.
  • MAC Address — [Read-only] Displays the MAC address of the NIC. The MAC address is used for communication at the data-link layer.
  • Speed Mode — Specify the speed for packet delivery. If you select autoselect, the NIC communicates with the network to determine this value. The none option is used for NICs that do not have any speed, such as those of a virtualized firewall. Otherwise, you can select an exact value from this list.
  • Capabilities — Specify the media capabilities of the NIC. To select the values for this list:
    1 Click the down arrow. The list of values is displayed, along with a Find field and button.
    2 If you do not need to filter the list, go to the next step. To filter the list of values, in the Find field, specify a value, a partial value, or an internal value (such as part of an IP address if you are working with objects that reference them) and click Find. Only those values that match your find criteria are displayed.
    3 Select the checkbox of each value that you want to add to this field and click the down arrow to close the drop-down display. If you have selected more than one value, they are displayed in a comma-delimited list in this field.
    The following values are available:
    • rxcsum — Enables hardware checksum verification for incoming IPv4 packets.
    • txcsum — Enables hardware checksum generation for outgoing IPv4 packets.
    • jumbo_mtu — Configures the network interface to receive jumbo frames. This value is available only on NICs that support jumbo frames.
  • Description — Specify a description for this NIC.
• NIC Groups — Use the fields in this table to modify an existing NIC group or click Add to add a new one.
  • Name — [Read-only] Displays the name of the NIC group.
  • NICs — [Read-only] Displays the list of NICs that are attached to this NIC group.
  • Description — Specify a description for the NIC group.
  • Modify — Click Modify NICs... to display the NIC Group window, in which you can edit the settings for this NIC group.
  • Delete — Click x (Delete) in the row to be deleted. The NIC group is deleted from the firewall after you click OK in the Cluster Member window.
  • Add — Displays the NIC Group window, in which you can add a new NIC group.

Cluster Member window: High Availability area

Use the High Availability area of the Cluster Member window to configure HA settings that are unique to the selected cluster node. You can designate a cluster mode, enable HA for the node, and specify a takeover time.

Figure 88 Cluster Member window: High Availability area

Accessing this area
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Clusters node to expand the list of clusters.
3 Select a cluster to expand the list of nodes.
4 Double-click the cluster node (member). The Cluster Member window is displayed.
5 Select the High Availability node in the tree. The High Availability area is displayed.
Fields and buttons
This window has the following fields and buttons:
• ClusterMode — Use the field in this area to specify the mode of the cluster to which this member (node) belongs. The following values are available:
  • Primary — Indicates that the node is primary in a primary/standby HA cluster.
  • Load Sharing — Indicates that the node is part of a load-sharing HA cluster.
  • Standby — Indicates that the node is standby in a primary/standby HA cluster or is part of a peer-to-peer HA cluster.
• Control — Use the fields in this area to indicate whether HA is enabled for the selected cluster node.
  • Enabled — Select this option to enable the node.
  • Disabled — Select this option to disable the node.
• Takeover Time — Use the field in this area to specify the number of seconds that the primary node must be unavailable before the standby node will begin the takeover process.

Device groups

In the Firewalls group bar of the Configuration Tool, besides firewalls and clusters, you can add device groups to the list of firewall objects that can be managed by the Control Center.

Configuring groups of related device objects

Use the Device Groups Manager window to define groups of related objects that will be managed simultaneously. The purpose of a group is object-specific; however, the act of creating groups is the same. Two or more related objects are associated under an aggregated object name to simplify management of multiple objects. There are different ways to access the Device Groups Manager window, depending on the type of group that you want to create. The name of the window changes to match the group that is being created.

Figure 89 Device Groups Manager window
Accessing this window
1 In the Configuration Tool, select the Firewalls group bar.
2 Double-click Device groups in the tree. The Device Groups Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Group Name — Specify a user-defined name for the firewall group that you are creating.
• Description — Provide a meaningful description about the reason that this firewall group has been defined.
• Members — Use the fields in this area to determine the firewalls that will be members of this group.
  • Find — Specify a value in this field and click Find to filter the display of firewalls so that only those that match the criteria that you have specified are displayed in the table.
  • Firewalls — Select one or more firewalls to include in this group.
• OK — Save the firewall (device) group under the Device Groups node in the tree.
• Cancel — Close this window without saving any changes.
6 Configuration Tool - Firewall Settings

Contents
Firewall settings
Common (global) settings
Audit export
McAfee Firewall Profiler
Firewall Reporter / Syslog settings
Network defenses
Viewing and managing IPS signatures by using the IPS Signature Browser
TrustedSource
Virus scanning
Quality of Service
DNS zones
Scheduled jobs
Third-party updates
Software update package status

Firewall settings

The Firewall Settings group bar of the Configuration Tool contains a tree that displays all of the objects that can be configured on a firewall. The following objects can be configured:
• Global settings — Specify a common group of features that can be applied to a number of McAfee Firewall Enterprises. Features include a default application defense group, password and passport authenticators, burbs, server and service settings, and virus scanning properties. See Common (global) settings on page 264.
• Audit export — Configure audit archive settings for a firewall by using the Audit Export window. See Audit export on page 268.
• Profiler — Configure the McAfee Firewall Profiler object that you can assign to a firewall (version 7.0.1.02 and later) in the Offbox Settings area of the Firewall window. See McAfee Firewall Profiler on page 272.
• Firewall Reporter / Syslog — Configure the export of audit data to the syslog server of a McAfee Firewall Reporter or to designated syslog servers. See Firewall Reporter / Syslog settings on page 273.
• Network defenses — Configure and maintain the audit data that the firewall generates for each of the specified protocols and the frequency with which to generate that audit. See Network defenses on page 278.
• Servers and service settings — Specify a network service that is associated with a server agent, or daemon, that is running on the firewall. Server services are created during the initial configuration of the firewall. They include services that are used for the following purposes:
  • Management of the firewall (for example, Admin Console)
  • Access to a networked service (for example, SNMP Agent)
  • Routing services (for example, gated, routed)
  • VPN connections (for example, ISAKMP server)
  • Firewall-specific functions (for example, cluster registration server)
  You can modify basic properties that are associated with these services. However, additional server services cannot be created. See Managing servers and service configurations on page 291.
• IPS Signature Browser — Specify the Intrusion Prevention System (IPS) signatures that have been installed. Use the IPS Signature Browser window to view and manage these signatures. You can also separately manage the signature settings and the signatures. See Viewing and managing IPS signatures by using the IPS Signature Browser on page 302.
• TrustedSource — Specify global TrustedSource technology settings for rules. See TrustedSource on page 304.
• Virus Scan — Specify virus scanning properties. These properties include parameters for distributing scanner processes for incoming and outgoing traffic, controlling buffer sizes, handling archives, and scanning encrypted files. See Virus scanning on page 308.
• Quality of Service — Specify Quality of Service (QoS) profiles that contain one or more queues that you can use to prioritize network performance based on network traffic type. See Quality of Service on page 310.
• DNS zones — Specify Domain Name System (DNS) zone objects that can be created and managed by a firewall. See DNS zones on page 312.
• Scheduled jobs — Specify jobs that can be scheduled to perform routine maintenance tasks on a firewall. See Scheduled jobs on page 322.
• Third-party updates — Specify a schedule on which the entities for the following content inspection methods are updated: virus scan updates, IPS signature updates, and Geo-Location updates. See Third-party updates on page 326.
• Package load — Specify a schedule that can be used to check for the availability of packages on the download site. You can then download them to a firewall. See Software update package status on page 331.

Common (global) settings

There is a group of features that can be applied to multiple firewalls, such as a default application defense group, password and passport authenticators, burbs, and so on. You can configure all of these settings from one window in the Configuration Tool—the Global Settings window.

Configuring common (global) settings

Use the Global Settings window to define a common group of features that can be applied to a number of firewalls. Such features include a default application defense group, password and passport authenticators, burbs, server and service settings, virus scanning properties, and other settings. After you have created a global setting, you can apply it to a particular firewall by using the Miscellaneous area of the Firewall window.
Note: You can also define unique settings in that same Miscellaneous area instead of using these global settings.
Figure 90 Global Settings window

Accessing this window
1 In the Configuration Tool, click the Firewall Settings group bar. The Firewall Settings tree of objects is displayed.
2 Double-click the Global Settings node.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for this group of global settings.
• Description — Provide information about the global settings.
• Firewall Settings Objects — Use the fields in this area to select, edit, or add objects that are located on the tree in the Firewall Settings group. You can create a new object or edit an existing object for every field in this area.
  To edit an existing object: First, select the object in the list. Next, click (Edit selected). The respective object window is displayed.
  To add a new object: Click (Add). The respective object window is displayed.
  The following fields are available in this area:
  • Network Defense — Specify the network defense to use in this global setting. (See Configuring network defense audit reports on page 279.)
  • Server and Service Settings — Specify the server and service setting configuration to use in this global setting. (See Managing servers and service configurations on page 291.)
  • IPS Signature Browser — Specify the IPS Signature Browser objects to use in this global setting. (See Viewing and managing IPS signatures by using the IPS Signature Browser on page 302.)
  • Virus Scan — Specify the virus scan configuration to use in this global setting. (See Virus scanning on page 308.)
  • TrustedSource — Specify the TrustedSource configuration to apply to a firewall. (See Configuring TrustedSource settings for rules and mail filtering on page 305.)
  • Third-Party Updates — Specify the update schedule to apply to a firewall. (See Configuring third-party update schedules on page 326.)
  • Scheduled Jobs — Specify the scheduled job set to apply to a firewall. (See Scheduling jobs on page 322.)
  • Package Load — Specify the configuration to use to check for and load packages to install on a firewall. (See Establishing a schedule to check for software updates on page 331.)
• Policy Objects — Use the fields in this area to configure the policy objects.
  To edit an existing object: First, select the object in the list. Next, click (Edit selected). The respective object window is displayed.
  To add a new object: Click (Add). The respective object window is displayed.
  The following fields are available in this area:
  • Internet burb — Specify the single burb that communicates directly with the Internet. (See Configuring burbs on page 341.)
  • Default application defense group — Specify the application defense group to apply, by default, in new rules for a firewall. (See Configuring application defense groups on page 418.)
  • Password Authenticator — Specify the password authenticator to apply to a firewall. (See Configuring password authenticators on page 426.)
  • Passport Authenticator — Specify the passport authenticator to apply to a firewall. (See Configuring passport authenticators on page 428.)
• Reputation Threshold — Use the field in this area to configure your TrustedSource filtering and to specify an associated setting.
  • Perform TrustedSource filtering on inbound mail — Determines whether the TrustedSource™ reputation service is used to reduce the amount of spam that reaches an organization's in-boxes. This option is cleared by default. If you select this option, the associated control allows you to specify a value that is used to distinguish legitimate senders of e-mail from untrustworthy ones. Values range from 0 to 120. The default value is 80. Messages from senders with reputation scores above the selected Reputation Threshold are rejected. Trustworthy senders receive low scores, and untrustworthy senders receive high scores. Values are associated with TrustedSource reputation classes.
  TrustedSource reputation classes are defined as follows:

  Table 11 TrustedSource reputation classes
  Value   Class        Definition
  <0      Trusted      The IP address is a legitimate sender or a source of substantial amounts of legitimate e-mail.
  0-14    Neutral      The IP address is probably a legitimate sender. However, the IP address could send small amounts of e-mail requiring further inspection.
  15-29   Unverified   The IP address may be a legitimate sender. However, the IP address displays a few properties indicating that there should be further content inspection of e-mails that are received from that address.
  30-49   Suspicious   The IP address shows many spam sender characteristics, and e-mail that is received from that address requires special scrutiny.
  50+     Malicious    The IP address has been used to send spam or phishing, or should not send any e-mail messages in general.

• Lockout Threshold — Use the field in this area to enable lockout and to specify an associated setting.
  • Enable Lockout — Determines whether a user whose account reaches a specified authentication attempt threshold is locked out until the lock is cleared by an administrator. This option is cleared by default. If you select this option, you can specify the number of failed login attempts that can occur for a single user account before the user is locked out of the firewall.
• Uninterruptible Power Supply (UPS) — Use the fields in this area to enable UPS and specify associated settings. The following fields are available:
  • Enable UPS — Determines whether a UPS device is enabled for a firewall. This checkbox is cleared by default. If you select this checkbox, the following fields are available:
    • Serial Port — Specify the serial port that is connected to the UPS. Available values are COM1 and COM2. The default value is COM1.
    • Battery Time (sec) — Specify the number of seconds that the UPS battery will last before its power is considered to be low. The default value is 900. If UPS is enabled and a power outage occurs, the firewall monitors the UPS and performs an orderly shutdown when the power of the UPS battery begins to be low.
• Other Settings — Use the fields in this area to specify other settings.
  • Enforce U.S. Federal Information Processing Standard 140-2 — Determines whether the requirements of the FIPS 140-2 standard are applied to a firewall. This standard specifies security requirements for cryptographic modules. This checkbox is cleared by default.
  • Delete home directory upon deletion of user — Determines whether a user's home directory is deleted automatically when the user account is deleted. This option is cleared by default.
  • Blackhole source IP if attack IP cannot be confirmed (responses) — Determines whether a source IP address is blackholed when the related audit message does not have an Attack IP field. This option is cleared by default. If this option is selected, connections from the IP address originating the attack will not be accepted.
  • Enforce health monitor auditing — Determines whether audit data on the system's health status are generated and statistics about network and system utilization are recorded. This option is selected by default.
  • Allow Secure Alerts to be sent to Control Center — Determines whether Secure Alerts are allowed to be sent by any firewall to the Control Center Management Server. To configure the alerts, you must also go to the IPS Attack Response window or the System Response window and select Send Secure Alert.
Audit export

You can export audit reports to another location, where they can be printed, viewed directly, or opened in a reporting or editing tool.

Configuring audit archive settings for a firewall

Use the Audit Export window to configure audit archive settings for a firewall. Use this window to create an audit export configuration that specifies the information needed to export audit archives to a remote location (for example, location, protocol, format, and target directory), and to set up a schedule for exporting them. You can also configure settings to export the audit archives to the Control Center Management Server.

After you configure audit export settings in this window, you can use other features of the Configuration Tool and the Reporting and Monitoring Tool to select an audit export configuration for a particular firewall, export the audit archives for that firewall to the Management Server, and generate and view an audit report from the exported audit data. Use the following general procedures:

Configuration Tool
1 Use the General Settings area of the Firewall window to select an audit export configuration for a firewall and to select a certificate for signing the archives. Signed archives let you detect tampering after export; verify the signature before relying on exported audit in an investigation.
2 Use the Device Control window to initiate export of audit archives for a particular firewall.

Configuration Tool or Reporting and Monitoring Tool
Use the McAfee Firewall Enterprise Audit Report window to generate an audit report from the exported audit archives.

Figure 91 Audit Export window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Audit Export node. The Audit Export window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for this audit export configuration.
• Enable Audit Export — Determines whether the audit export configuration is enabled. This checkbox is selected by default.
• Description — Provide information about the audit export configuration.
• OK — Save all of the changes on all of the tabs of this window.
• Cancel — Close this window without saving any changes.

Tabs
This window also has the following tabs:
• Export Locations — Specify the settings required to transfer firewall audit archives to remote locations and to export audit archives to the Control Center Management Server. For more information, see Audit Export window: Export Locations tab on page 269.
• Frequency — Specify a schedule for transferring the audit logs to a remote location. For more information, see Audit Export window: Frequency tab on page 270.

Audit Export window: Export Locations tab

Use the Export Locations tab on the Audit Export window to specify the remote locations to which firewall audit archives are transferred, select the transfer protocol, and choose the format for exporting the audit data. To view the fields on this tab, see Figure 91 on page 268.

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Audit Export node. The Audit Export window is displayed.
3 Make sure that the Export Locations tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Name — Specify a name that identifies a remote location.
• Protocol — Specify the protocol to use for transferring archives to the remote location.
The following values are available:
  • FTP — File Transfer Protocol. FTP carries the login credentials and the archive contents in cleartext, so use it only across a trusted network.
  • SCP — Secure Copy (over SSH). Prefer SCP wherever the remote host supports it; both the credentials and the transfer are encrypted.
• Format — Specify the format to use when exporting the audit data. The following values are available:
  • ASCII — Converts audit data to ASCII and exports it to a text file.
  • Binary — Exports audit data in a binary format.
  • HTTP (W3C Extended Log) — Converts audit data to the W3C extended log file format, an improved format for Web server log files, and exports it for use by third-party reporting tools.
  • SEF — Converts audit data to ASCII text and exports it in the format used by the McAfee Firewall Reporter.
  • WebTrends Extended Logging — Converts audit data to the WebTrends® Extended Log File format (WELF) and exports it for use by commercial software packages.
  • Verbose ASCII — Converts audit data to ASCII with additional information. It can be displayed with any text-viewing program.
  • XML — Converts audit data to standard XML, which can be viewed with any Web browser.
• Host — Specify the host name or IP address of the remote system to which audit archives are exported. You can type one or more letters at the top of the list to filter your search.
• User Name — Specify the login name to be used on the remote system.
• Password — Specify the password that is associated with the login name specified in the User Name field.
• Target Directory — Specify the path name of the directory on the remote system that is used for audit archives.
• Export to Control Center — Determines whether audit archives are exported to the Control Center Management Server. This checkbox is cleared by default. If you select it, you must manually unlock the ftp user account on the Management Server. Assign that account a strong password: unlocking it enables an SCP (SSH) login on the Management Server. The following fields are also available:
  • User Name — [Read-only] Displays ftp, which denotes the secure ftp user account on the Management Server. The secure ftp user account has the permissions required to write to the Management Server directories. The protocol used to export the archives to the Management Server is SCP.
  • Password — Specify the password that is assigned to the secure ftp user on the Control Center Management Server.
  • Confirm Password — Specify the password that you specified in the Password field.

Audit Export window: Frequency tab

Use the Frequency tab of the Audit Export window to specify a schedule for transferring the audit logs to a remote location.

Figure 92 Audit Export window: Frequency tab
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Audit Export node. The Audit Export window is displayed.
3 Click the Frequency tab.

Fields and buttons
This tab has the following fields and buttons:
• Frequency — Specify the frequency with which the audit logs are exported. The following values are available:
  • Bimonthly
  • Monthly
  • Weekly
  • Daily
  • Hourly (default value)
  • Custom
  If you select Custom, the Custom Frequency area is available.
• Custom Frequency — Use the fields in this area to configure an export schedule that is tailored to the needs of your site.
  • Job begins daily at — Select this option to specify a daily schedule that begins at a particular time. Time is expressed in hours and minutes. If you select this option, the other fields in this area are disabled.
  • Custom Schedule — Select this option to specify a custom schedule. This option is selected by default. If it is selected, use the other controls in this panel to specify the schedule.
    • Perform job every month — Determines whether the audit export is performed every month. This checkbox is selected by default. If you clear it, select one or more months in which to perform the job.
    • Perform job on every day of the month — Determines whether the audit export is performed on every day of the specified month(s). This checkbox is selected by default. Clear it to select one or more days of the month on which to perform the job.
    • Perform job on every day of the week — Determines whether the audit export is performed on every day of the week. This checkbox is selected by default. Clear it to select one or more days of the week on which to perform the job.
    • Perform job on each hour — Determines whether the audit export is performed at each hour of the specified day. This checkbox is selected by default.
    Clear it to specify the hour or hours at which to perform the job in the Perform job at the following hours field. Hours must be separated with commas or specified as a range (for example, 1, 3, 5, 11-12). Hours are expressed using a 24-hour clock.
    • Perform job on every minute — Determines whether the audit export is performed at every minute of the selected hour(s). This checkbox is selected by default. Clear it to specify the minute or minutes at which to perform the job in the Perform job at the following minutes field. Minutes must be separated with commas or specified as a range (for example, 0-2, 4, 7).
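The Custom Schedule fields above behave like a cron-style specification: each field is either "every" or a comma-separated list of values and ranges such as 1, 3, 5, 11-12. The following is an added example, not code from the guide or from the Control Center, showing how such a specification is parsed and how to work out when an export will actually run. It uses the guide's own hour and minute examples; the day-of-week names, the rejection of out-of-range values, and the choice to require both day-of-month and day-of-week to match when both are restricted are this example's assumptions, since the page does not state how the firewall combines them.

```python
from datetime import datetime, timedelta

# Day-of-week tokens accepted by this example. The guide shows checkboxes for
# the days; the names here are an assumption for a text-based configuration.
WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def _token(text, names):
    """Turn one element ('11' or 'fri') into an integer."""
    if names and text in names:
        return names[text]
    return int(text)


def parse_field(spec, lo, hi, names=None):
    """Parse a comma-separated list of values and ranges, such as
    '1, 3, 5, 11-12' (hours) or '0-2, 4, 7' (minutes), into a frozenset.
    Empty elements, descending ranges and values outside [lo, hi] are
    rejected rather than silently accepted."""
    values = set()
    for part in spec.replace(" ", "").lower().split(","):
        if not part:
            raise ValueError("empty element in %r" % spec)
        first, _, last = part.partition("-")
        start = _token(first, names)
        end = _token(last, names) if last else start
        if start > end:
            raise ValueError("descending range %r" % part)
        if start < lo or end > hi:
            raise ValueError("%r is outside %d-%d" % (part, lo, hi))
        values.update(range(start, end + 1))
    return frozenset(values)


class CustomSchedule:
    """One Custom Schedule from the Frequency tab. A field left as None stands
    for the corresponding 'Perform job on every ...' checkbox being selected."""

    def __init__(self, months=None, days_of_month=None, days_of_week=None,
                 hours=None, minutes=None):
        self.months = parse_field(months, 1, 12) if months else None
        self.days_of_month = parse_field(days_of_month, 1, 31) if days_of_month else None
        self.days_of_week = (parse_field(days_of_week, 0, 6, WEEKDAYS)
                             if days_of_week else None)
        self.hours = parse_field(hours, 0, 23) if hours else None
        self.minutes = parse_field(minutes, 0, 59) if minutes else None

    def _day_ok(self, when):
        # Assumption: when both day fields are restricted, both must match.
        return ((self.months is None or when.month in self.months) and
                (self.days_of_month is None or when.day in self.days_of_month) and
                (self.days_of_week is None or when.weekday() in self.days_of_week))

    def matches(self, when):
        """True if an export starts in the minute that contains `when`."""
        return (self._day_ok(when) and
                (self.hours is None or when.hour in self.hours) and
                (self.minutes is None or when.minute in self.minutes))

    def next_run(self, after, horizon_days=366):
        """First matching minute strictly after `after`, or None if nothing
        matches within the horizon (e.g. a schedule that names 31 February)."""
        t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
        end = after + timedelta(days=horizon_days)
        while t <= end:
            if not self._day_ok(t):                      # skip the whole day
                t = (t + timedelta(days=1)).replace(hour=0, minute=0)
            elif self.hours is not None and t.hour not in self.hours:
                t = (t + timedelta(hours=1)).replace(minute=0)   # skip the hour
            elif self.matches(t):
                return t
            else:
                t += timedelta(minutes=1)
        return None

    def runs_on(self, day):
        """All export start times on the calendar day containing `day`."""
        start = day.replace(hour=0, minute=0, second=0, microsecond=0)
        return [start + timedelta(minutes=m) for m in range(24 * 60)
                if self.matches(start + timedelta(minutes=m))]


# The values from the guide's own examples: hours 1, 3, 5, 11-12 and minutes 0-2, 4, 7.
GUIDE_EXAMPLE = CustomSchedule(hours="1, 3, 5, 11-12", minutes="0-2, 4, 7")

if __name__ == "__main__":
    for t in GUIDE_EXAMPLE.runs_on(datetime(2009, 6, 15)):
        print(t.strftime("%Y-%m-%d %H:%M"))
    print("next after 12:07:", GUIDE_EXAMPLE.next_run(datetime(2009, 6, 15, 12, 7)))
```

With the guide's values the job starts 25 times a day (five selected hours times five selected minutes), which is worth knowing before pointing the export at a remote host with a quota. The Job begins daily at option corresponds to a schedule with a single hour and a single minute.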
McAfee Firewall Profiler

You can use McAfee Firewall Profiler to monitor your firewall by investigating support issues or assessing the impact of firewall policy changes. For McAfee Firewall Profiler information, see the McAfee Firewall Profiler Product Guide.

Configuring McAfee Firewall Profiler settings

Use the Profiler window to create an object for the McAfee Firewall Profiler. You can then assign this object to a firewall (version 7.0.1.02 and later). If the firewall loses its connection to the McAfee Firewall Profiler for some reason, after the connection has been reestablished you can resynchronize the firewall policy with the McAfee Firewall Profiler by using the Resynchronize policy to McAfee Firewall Profiler option in the Device Control window. For more information, see Managing firewall shutdown and suspension states and other maintenance settings on page 656.

Figure 93 Profiler window

Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Profiler node. The Profiler window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for this McAfee Firewall Profiler object.
• Description — Specify a description for this object.
• Profiler IP address — Specify the IP address of the McAfee Firewall Profiler that this object represents.
• Port — Specify the port on which the Control Center communicates with the McAfee Firewall Profiler. The default value is 7775.
• Profiler common name (CN) — Specify the common name from the certificate that the McAfee Firewall Profiler uses to communicate with the firewall. Enter it exactly as it appears in the Profiler certificate.
• Profiler CA certificate — Specify the CA certificate that is used to validate the McAfee Firewall Profiler certificate that is used for communication. When you click either (Edit selected) or (Add), the CA Certificate Import Wizard is displayed.
For more information, see Creating certificates or importing them into the certificate database on page 515.
To edit an existing object: First, select the object in the list. Next, click (Edit selected). The respective object window is displayed.
To add a new object: Click (Add). The respective object window is displayed.
• SCP connection — Use the fields in this area to specify the username and password that are used to authenticate policy transfers to the McAfee Firewall Profiler. The following fields are available:
  • Username — Specify the username that is used to authenticate policy transfers to the McAfee Firewall Profiler. The default value is swcfg.
  • Password — Specify the password for the username that is specified in the Username field.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving any changes.

Firewall Reporter / Syslog settings

McAfee Firewall Enterprise uses the UNIX syslog facility to log messages that are sent by programs running on the firewall. These messages can be useful in tracking down unauthorized system users or in analyzing hardware or software problems. All syslog data is stored in the audit log files. The following are some basic points about syslog and how it works on the firewall:
• syslog runs as a daemon process called syslogd.
• Each application determines whether it uses syslog and which types of messages it generates. Normally, applications generate messages of different severity levels, such as informational and critical.
• Malicious users often try to edit syslog files to hide evidence of their break-ins. The firewall uses Type Enforcement to protect the syslog files from being modified by unauthorized users.
• A copy of the syslog data is sent to the firewall's audit log files.
• The log files generated by syslogd can grow large and consume large amounts of disk space. To prevent this, the log files are rotated periodically.
To send audit data from your firewall to a McAfee Firewall Reporter or to designated syslog servers, use the Firewall Reporter / Syslog Settings window. Forwarding audit off the firewall as it is generated also preserves a copy that an intruder who later compromises the firewall cannot alter.
Configuring the exportation of audit data to a McAfee Firewall Reporter or to designated syslog servers

Use the Firewall Reporter / Syslog window to configure the export of audit data to the syslog server of a McAfee Firewall Reporter or to designated syslog servers.

Figure 94 Firewall Reporter / Syslog window

Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Firewall Reporter / Syslog node. The Firewall Reporter / Syslog window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for this Firewall Reporter / Syslog object.
• Description — Specify a description for this object.
• Firewall Reporter — Use the fields in this area to determine whether audit data is exported to the syslog server of a McAfee Firewall Reporter and to configure the settings for that server. The following fields are available:
  • Export audit to McAfee Firewall Reporter — Determines whether the firewall exports audit data to the syslog server of a McAfee Firewall Reporter. This checkbox is cleared by default. If you select it, specify the settings for the McAfee Firewall Reporter in the following fields:
    • IP address — Specify a valid IP address for the syslog server of the McAfee Firewall Reporter. This is the IP address to which the audit data is sent.
    • Port — Specify the port on which the firewall communicates with the syslog server of the McAfee Firewall Reporter. The default value is 514.
    • Remote facility — Specify a syslog facility on the syslog server of the McAfee Firewall Reporter to help identify the audit export.
    • Audit filter — Specify a filter to include or exclude certain types of audit records from your export. For more information about audit filters, see Configuring and generating audit reports for one or more firewalls on page 625.
• Export audit to syslog servers — Use this table to add, modify, or delete syslog servers to which the firewall exports audit data. Depending on whether you are adding a syslog server or viewing an existing syslog server configuration, you either specify or view the information in these columns. The following columns are available:
  • Enabled — Determines whether this syslog server receives audit data from the firewall.
  • IP Address — Specify (or view) the IP address of the syslog server.
  • Remote Facility — Specify (or view) the syslog facility that helps identify the audit export.
  • Description — Specify (or view) a description for the syslog server.
  • Advanced — Displays the Syslog Server window, in which you can specify basic and advanced settings for the syslog server. For more information, see Configuring settings for a Syslog Server on page 276.
  • Delete — Click x (Delete) in the row to be deleted. The syslog server is removed from the list, but the deletion is not saved until you click OK in this window.
  • (Add) — Displays the Syslog Server window, in which you can specify a new syslog server; it is added to the bottom of the table in this window. For more information, see Configuring settings for a Syslog Server on page 276.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving any changes.
• Versions — Click this button to display all of the fields in this window that have version-specific availability. You can also view this information at the field level by holding your mouse over the version level icon and viewing the ToolTip.
Configuring settings for a Syslog Server

Use the Syslog Server window to specify the basic and advanced settings for a syslog server to which audit data is sent from the firewall.

Figure 95 Syslog Server window

Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Firewall Reporter / Syslog node. The Firewall Reporter / Syslog window is displayed.
3 In the Export audit to syslog servers table, click Advanced in the row of the syslog server for which you want to configure these additional settings. The Syslog Server window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Basic Settings — Use the fields in this area to configure basic settings for the syslog server. The following fields are available:
  • Send audit data to syslog server — Determines whether audit data is sent to this syslog server. This checkbox is selected by default.
  • Server address — Specify the IP address of the syslog server to which the audit data is sent.
  • Remote facility — Specify the syslog facility under which the audit data is sent to the syslog server. Valid values are auth, daemon, kern, lpr, mail, news, syslog, user, uucp, and local0 through local7. The default value is local1. Choose a facility that the receiving server does not already use for its own messages, so that firewall audit can be filed and filtered separately.
  • Description — Specify a description for this syslog server.
• Advanced Settings — Use the fields in this area to configure advanced settings for the syslog server. The following fields are available:
  • Server port — Specify the port of the syslog server to which the audit data is sent. The default value is 514.
  • Send data that matches the following filter — Specify the audit filter that is applied to the audit data before it is sent to the syslog server. Only audit data that matches the filter is sent. The default value is <All audit data>. For more information about audit filters, see Configuring and generating audit reports for one or more firewalls on page 625.
  • Output data in the following format — Specify the format in which the audit data is output. The following values are available:
    • sef — SEF output. This is the default value.
    • binary — Binary audit format. This is not recommended for syslog output.
    • ascii — ASCII formatted output.
    • vascii — Verbose ASCII formatted output.
    • wt — WebTrends Extended Log File format (WELF) formatted output.
    • xml — Extensible Markup Language (XML) formatted output.
    • http — Hypertext Transfer Protocol (HTTP requests) formatted output.
  • Maximum message length — Specify the maximum length of each message that is sent to the syslog server. The default value is 1024. What happens to an audit record that exceeds this length is controlled by the Truncate messages that exceed maximum length checkbox.
  • Truncate messages that exceed maximum length — Determines how a record that is longer than the Maximum message length is handled. If this checkbox is selected, data beyond the maximum length is discarded. If it is cleared, the record is split into consecutive pieces, each no longer than the maximum length, until the whole record has been sent. This checkbox is selected by default. Truncation silently drops the end of long records, which may hold the very fields an investigation needs; if the receiving server accepts longer messages, raise the maximum or clear this checkbox.
  • Enable relaxed syslog — Determines whether to uphold the value specified in the Maximum message length field and to include the hostname in the message.
    This checkbox is cleared by default.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving any changes.
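The Remote facility, Maximum message length and Truncate settings above determine what actually arrives on the syslog server. The following is an added example, not code from the guide or from the firewall, that builds RFC 3164-style syslog datagrams for an audit record and shows the difference between truncating and splitting a record that exceeds the maximum length. The facility and severity numbers are the standard syslog values (PRI = facility * 8 + severity). The sample audit text is constructed, and the decision to repeat the header on every piece of a split record is this example's assumption, as is how the relaxed syslog option would alter the header; the page does not document either.

```python
# Standard syslog facility and severity codes (RFC 3164). local1 is the
# firewall's default remote facility.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8,
    **{"local%d" % i: 16 + i for i in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility, severity):
    """PRI value carried in the '<N>' prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def header_bytes(facility, severity, timestamp, hostname=None):
    """'<PRI>TIMESTAMP ' followed, when a hostname is given, by 'HOSTNAME '."""
    hdr = "<%d>%s " % (priority(facility, severity), timestamp)
    if hostname:
        hdr += hostname + " "
    return hdr.encode("ascii")


def frame(record, facility="local1", severity="info",
          timestamp="Jun 15 11:04:07", hostname=None,
          max_len=1024, truncate=True):
    """Return the datagram(s) carrying `record`, each at most `max_len` bytes.

    truncate=True  -> one datagram; bytes beyond max_len are dropped.
    truncate=False -> the record is split into consecutive pieces and each
                      piece is re-framed with the same header (assumption:
                      the guide does not say whether the firewall repeats it).
    """
    hdr = header_bytes(facility, severity, timestamp, hostname)
    room = max_len - len(hdr)
    if room <= 0:
        raise ValueError("max_len %d leaves no room for the record" % max_len)
    body = record.encode("utf-8")   # the limit counts bytes, not characters
    if len(body) <= room:
        return [hdr + body]
    if truncate:
        return [hdr + body[:room]]
    return [hdr + body[i:i + room] for i in range(0, len(body), room)]


def reassemble(datagrams, hdr):
    """Strip the repeated header from split datagrams and rejoin the record."""
    return b"".join(d[len(hdr):] for d in datagrams).decode("utf-8")


# Constructed sample audit text (not a real firewall record); 372 bytes, so it
# exceeds a deliberately small max_len of 100 used below.
SAMPLE = ("audit: src=192.0.2.10 dst=198.51.100.7 proto=tcp action=deny "
          "reason=constructed-sample-record") * 4

if __name__ == "__main__":
    hdr = header_bytes("local1", "info", "Jun 15 11:04:07", "fw1")
    print("truncated :", frame(SAMPLE, hostname="fw1", max_len=100))
    for piece in frame(SAMPLE, hostname="fw1", max_len=100, truncate=False):
        print("split     :", len(piece), "bytes")
    print("rejoined ok:", reassemble(
        frame(SAMPLE, hostname="fw1", max_len=100, truncate=False), hdr) == SAMPLE)
```

On the receiving side, the truncated form loses the tail of the record for good, while the split form can be rejoined only if the collector is prepared to recognise the pieces, which is why the maximum length should match what the collector accepts rather than being left to truncate.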
Network defenses

Network defenses control the audit output for suspicious traffic at the data link, network, and transport layers that is detected by the firewall. Some traffic is stopped because a packet, or a sequence of packets, resembles a known attack. Other traffic is stopped because a packet does not comply with its protocol's standards. If network defenses are enabled, the audit reports provide detailed information on the denied traffic. If network defenses are not enabled, the firewall still stops suspicious traffic but does not generate audit for it.

After you decide that you want to view the audit for these denied packets, you can configure the following options:
• Audit packets that the firewall determines to be part of an identifiable attack based on the attack description (incorrect header length, incorrect redirect, and so on).
• Audit packets that are not specifically identified as a potential attack but are not compliant with their protocol standards, at one of the following levels:
  • All packets that do not comply with their protocol's standards.
  • Packets that do not comply with their protocol's standards and have been identified as a severe or moderate risk to your network.
  • Packets that do not comply with their protocol's standards and have been identified as a severe risk to your network.
• Do not generate audit when the firewall stops a packet because it does not comply with its protocol's standard.
Configuring network defense audit reports

Use the Network Defenses Configuration window to configure and maintain the audit that the firewall generates for each of the specified protocols and the frequency at which that audit is generated. A Network Defense object is automatically created for every registered firewall. Expand the Network Defenses node to access those objects. All tabs in this window are similar in function and allow you to control the audit output for the given protocol.

Note: The Restore Defaults option is not available when you are using the Control Center Client Suite.

Figure 96 Network Defenses Configuration window (with IPv6 enabled)

Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for this Network Defense object.
• Description — Provide information about this Network Defense object.
• OK — Save the changes in this window. Changes on any tab are not saved until you click OK.
• Cancel — Close this window without saving any changes.
Tabs
This window has the following tabs:
• TCP — Customize audit output for TCP packets. For more information, see Network Defenses Configuration window: TCP tab on page 280.
• IP — Customize audit output for IP packets. For more information, see Network Defenses Configuration window: IP tab on page 281.
• UDP — Customize audit output for UDP packets. For more information, see Network Defenses Configuration window: UDP tab on page 283.
• ICMP — Customize audit output for ICMP packets. For more information, see Network Defenses Configuration window: ICMP tab on page 284.
• ARP — Configure the audit data to be generated for ARP compliance issues that are stopped by the firewall. For more information, see Network Defenses Configuration window: ARP tab on page 286.
• IPsec — Customize audit output for IPsec packets. For more information, see Network Defenses Configuration window: IPsec tab on page 287.
• IPv6 — [Available only for version 7.01 or later firewalls with IPv6 enabled] Configure the audit data to be generated for IPv6 attacks and compliance issues. For more information, see Network Defenses Configuration window: IPv6 tab on page 289.

Network Defenses Configuration window: TCP tab

Use the TCP tab of the Network Defenses Configuration window to customize audit output for TCP packets that the firewall determines to be part of an identifiable attack based on the attack description (for example, invalid offset or SYN flood) and for non-protocol-compliant TCP packets stopped by the firewall. If no attacks and no compliance issues are selected, the firewall still stops suspicious traffic but does not generate audit. For the fields on this tab, see Figure 96 on page 279.

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.
3 Select the TCP tab if it is not already displayed.
Fields and buttons
This tab has the following fields and buttons:
• TCP Audits — Use the fields in this area to specify the TCP attacks for which you want to generate audit. The following fields are available:
  • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header to select all checkboxes or to clear all selected checkboxes.
  • Audit the selected TCP compliance issues — Select how to audit packets that are not known attacks but are also not compliant with the TCP standards. The following options are available:
    • All TCP compliance issues — Audits all TCP compliance issues.
    • Severe and moderate TCP compliance issues — Audits severe and moderate TCP compliance issues.
    • Severe TCP compliance issues — Audits severe TCP compliance issues only. This is the default.
    • No TCP compliance issues — Does not audit TCP compliance issues.
• TCP Audit Frequency — Use the fields in this area to determine how often audit is generated for TCP issues. The following options are available:
  • Always audit — An audit record is generated for each audit event. With unlimited auditing, a flood of denied packets can fill the log partition and cause problems for the firewall; the audit subsystem itself becomes a denial-of-service target.
  • Limit auditing (recommended) — Specify parameters for limiting the number of records that are generated and the frequency at which they are generated: an audit record is generated for the first x occurrences in each y-second interval. Further occurrences of the same audit event within that interval are not recorded individually. Instead, one additional audit record is generated to report the number of audit events that were suppressed. For example, suppose auditing is limited to the first three (3) occurrences in every 60-second interval. If the firewall stopped 100 SYN-ACK probes in 60 seconds, it generates three records for the first three denials, and then generates one more audit record stating that 97 occurrences were suppressed in that 60-second timeframe. Limiting audit in this way reduces system load while preserving the count of what was dropped.
    • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the beginning of each timeframe.
    • every y seconds — Specify the length, in seconds, of each timeframe.

Network Defenses Configuration window: IP tab

Use the IP tab of the Network Defenses Configuration window to customize audit output for IP packets that the firewall determines to be part of an identifiable attack based on the attack description (for example, incorrect header length or bad options) and for non-protocol-compliant IP packets stopped by the firewall. If no attacks and no compliance issues are selected, the firewall still stops suspicious traffic but does not generate audit.
Figure 97 Network Defenses Configuration window: IP tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.
3 Select the IP tab.
Fields and buttons
This tab has the following fields and buttons:
• IP Audits — Use the fields in this area to specify the IP attacks for which you want to generate audit. The following fields are available:
  • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header to select all checkboxes or to clear all selected checkboxes.
  • Audit the selected IP compliance issues — Select how to audit packets that are not known attacks but are also not compliant with the IP standards. The following options are available:
    • All IP compliance issues — Audits all IP compliance issues.
    • Severe and moderate IP compliance issues — Audits severe and moderate IP compliance issues.
    • Severe IP compliance issues — Audits severe IP compliance issues only. This is the default.
    • No IP compliance issues — Does not audit IP compliance issues.
• IP Audit Frequency — Use the fields in this area to determine how often audit is generated for IP issues. The following options are available:
  • Always audit — An audit record is generated for each audit event. Note that, with unlimited auditing, the log partition can overflow and cause problems for the firewall.
  • Limit auditing (recommended) — Specify parameters for limiting the number of records that are generated and the frequency at which they are generated: an audit record is generated for the first x occurrences in each y-second interval. Further occurrences of the same audit event within that interval are not recorded individually. Instead, one additional audit record is generated to report the number of audit events that were suppressed. For example, suppose auditing is limited to the first three (3) occurrences in every 60-second interval.
    If the firewall stopped 100 source-routed packets in 60 seconds, it generates three records for the first three denials, and then generates one more audit record stating that 97 occurrences were suppressed in that 60-second timeframe. Limiting audit in this way reduces system load.
    • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the beginning of each timeframe.
    • every y seconds — Specify the length, in seconds, of each timeframe.
Network Defenses Configuration window: UDP tab

Use the UDP tab of the Network Defenses Configuration window to customize audit output for UDP packets that the firewall determines to be part of an identifiable attack based on the attack description (for example, zero source port) and for non-protocol-compliant UDP packets stopped by the firewall. If no attacks and no compliance issues are selected, the firewall still stops suspicious traffic but does not generate audit.

Figure 98 Network Defenses Configuration window: UDP tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.
3 Select the UDP tab.

Fields and buttons
This tab has the following fields and buttons:
• UDP Audits — Use the fields in this area to specify the UDP attacks for which you want to generate audit. The following fields are available:
  • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header to select all checkboxes or to clear all selected checkboxes.
  • Audit the selected UDP compliance issues — Select how to audit packets that are not known attacks but are also not compliant with the UDP standards. The following options are available:
    • All UDP compliance issues — Audits all UDP compliance issues.
    • Severe and moderate UDP compliance issues — Audits severe and moderate UDP compliance issues.
    • Severe UDP compliance issues — Audits severe UDP compliance issues only. This is the default.
    • No UDP compliance issues — Does not audit UDP compliance issues.
• UDP Audit Frequency — Use the fields in this area to determine the frequency of generating audit for UDP issues. The following options are available:
  • Always audit — Indicates that an audit record will be generated for each audit event. Note that, with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.
  • Limit auditing (recommended) — Specify parameters for limiting the number of records that are generated and the frequency at which they are generated. Generate an audit record for the first x occurrences at each y second interval. Multiple occurrences of the same audit event will not be recorded. An additional audit event will be generated to record the number of audit events that were suppressed. For example, the audit is limited to generating an audit event for the first three (3) occurrences at every 60 second interval. If the firewall stopped 100 zero source port UDP attacks in 60 seconds, it generates three records for the first three denials, and then generates another audit record, stating that 97 occurrences were suppressed in that 60-second timeframe. If you limit your audits in this manner, system load is reduced.
    • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the beginning of each timeframe.
    • every y seconds — Specify the timeframe at which to begin auditing the records.

Network Defenses Configuration window: ICMP tab

Use the ICMP tab of the Network Defenses Configuration window to customize audit output for ICMP packets that the firewall determines to be part of an identifiable attack based on attack description (for example, invalid redirect) and non-protocol-compliant packets stopped by the firewall. If no attacks are selected and no compliance issues are selected, the firewall still stops suspicious traffic, but does not generate audit.

Figure 99 Network Defenses Configuration window: ICMP tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.
3 Select the ICMP tab.
Fields and buttons
This tab has the following fields and buttons:
• ICMP Audits — Use the fields in this area to specify the ICMP attacks for which you want to generate audit. The following fields are available:
  • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header to either select all checkboxes or to clear (unselect) all selected checkboxes.
  • Audit the selected ICMP compliance issues — Select the way in which you want to audit packets that are not known attacks, but are also not compliant with the ICMP standards. The following options are available:
    • All ICMP compliance issues — Audits all ICMP compliance issues
    • Severe and moderate ICMP compliance issues — Audits severe and moderate ICMP compliance issues
    • Severe ICMP compliance issues — Audits severe ICMP compliance issues only (This is the default.)
    • No ICMP compliance issues — Does not audit ICMP compliance issues
• ICMP Audit Frequency — Use the fields in this area to determine the frequency of generating audit for ICMP issues. The following options are available:
  • Always audit — Indicates that an audit record will be generated for each audit event. Note that, with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.
  • Limit auditing (recommended) — Specify parameters for limiting the number of records that are generated and the frequency at which they are generated. Generate an audit record for the first x occurrences at each y second interval. Multiple occurrences of the same audit event will not be recorded. An additional audit event will be generated to record the number of audit events that were suppressed. For example, the audit is limited to generating an audit event for the first three (3) occurrences at every 60 second interval. If the firewall stopped 100 invalid redirect ICMP attacks in 60 seconds, it generates three records for the first three denials, and then generates another audit record, stating that 97 occurrences were suppressed in that 60-second timeframe. If you limit your audits in this manner, system load is reduced.
    • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the beginning of each timeframe.
    • every y seconds — Specify the timeframe at which to begin auditing the records.
Network Defenses Configuration window: ARP tab

Use the ARP tab of the Network Defenses Configuration window to configure what audit to generate for ARP compliance issues stopped by the firewall. If the No ARP compliance issues option is selected, the firewall still stops suspicious traffic, but does not generate audit. Note that unlike other Network Defense types, ARP does not have any listed protocol-specific attacks.

Figure 100 Network Defenses Configuration window: ARP tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.
3 Select the ARP tab.

Fields and buttons
This tab has the following fields and buttons:
• ARP Audits — Use the fields in this area to specify the level of ARP attacks for which you want to generate audit. The following fields are available:
  • Audit the selected ARP compliance issues — Select the way in which you want to audit packets that are not known attacks, but are also not compliant with the ARP standards. The following options are available:
    • All ARP compliance issues — Audits all ARP compliance issues
    • Severe and moderate ARP compliance issues — Audits severe and moderate ARP compliance issues
    • Severe ARP compliance issues — Audits severe ARP compliance issues only (This is the default.)
    • No ARP compliance issues — Does not audit ARP compliance issues
• ARP Audit Frequency — Use the fields in this area to determine the frequency of generating audit for ARP issues. The following options are available:
  • Always audit — Indicates that an audit record will be generated for each audit event. Note that, with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.
  • Limit auditing (recommended) — Specify parameters for limiting the number of records that are generated and the frequency at which they are generated. Generate an audit record for the first x occurrences at each y second interval. Multiple occurrences of the same audit event will not be recorded. An additional audit event will be generated to record the number of audit events that were suppressed. For example, the audit is limited to generating an audit event for the first three (3) occurrences at every 60 second interval. If the firewall stopped 100 ARP attacks in 60 seconds, it generates three records for the first three denials, and then generates another audit record, stating that 97 occurrences were suppressed in that 60-second timeframe. If you limit your audits in this manner, system load is reduced.
    • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the beginning of each timeframe.
    • every y seconds — Specify the timeframe at which to begin auditing the records.

Network Defenses Configuration window: IPsec tab

Use the IPsec tab of the Network Defenses Configuration window to customize audit output for IPsec packets that the firewall determines to be part of an identifiable attack based on attack description (for example, replay attack or decryption failure) and non-protocol-compliant packets stopped by the firewall. Unlike the other network defenses, the IPsec network defense also allows you to control non-malicious failure audits. If no attacks are selected and no compliance issues are selected, the firewall still stops suspicious traffic, but does not generate audit.

Note: You can use the IPsec network defense to directly control audit output for some non-malicious failures because IPsec tends to have more of these types of failures than other protocols.

Figure 101 Network Defenses Configuration window: IPsec tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.
3 Select the IPsec tab.
Fields and buttons
This tab has the following fields and buttons:
• IPsec Audits — Use the fields in this area to specify the IPsec attacks for which you want to generate audit. The following fields are available:
  • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header to either select all checkboxes or to clear (unselect) all selected checkboxes.
  • Audit the selected IPsec compliance issues — Select the way in which you want to audit packets that are not known attacks, but are also not compliant with the IPsec standards. The following options are available:
    • All IPsec compliance issues — Audits all IPsec compliance issues
    • Severe and moderate IPsec compliance issues — Audits severe and moderate IPsec compliance issues
    • Severe IPsec compliance issues — Audits severe IPsec compliance issues only (This is the default.)
    • No IPsec compliance issues — Does not audit IPsec compliance issues
• IPsec Audit Frequency — Use the fields in this area to determine the frequency of generating audit for IPsec issues. The following options are available:
  • Always audit — Indicates that an audit record will be generated for each audit event. Note that, with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.
  • Limit auditing (recommended) — Specify parameters for limiting the number of records that are generated and the frequency at which they are generated. Generate an audit record for the first x occurrences at each y second interval. Multiple occurrences of the same audit event will not be recorded. An additional audit event will be generated to record the number of audit events that were suppressed. For example, the audit is limited to generating an audit event for the first three (3) occurrences at every 60 second interval. If the firewall stopped 100 source routed packets in 60 seconds, it generates three records for the first three denials, and then generates another audit record, stating that 97 occurrences were suppressed in that 60-second timeframe. If you limit your audits in this manner, system load is reduced.
    • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the beginning of each timeframe.
    • every y seconds — Specify the timeframe at which to begin auditing the records.
Network Defenses Configuration window: IPv6 tab

Use the IPv6 tab of the Network Defenses window to configure the audit data to generate for IPv6 attacks that were stopped by this firewall. The firewall automatically stops all of the listed attacks. By selecting or clearing checkboxes, you are determining only whether the behavior is audited.

Note: This tab is available only if this is a version 7.0.1 or later firewall and IPv6 is configured.

Figure 102 Network Defenses Configuration window: IPv6 tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click Network Defenses. The Network Defenses Configuration window is displayed.
3 Select the IPv6 tab.

Fields and buttons
This tab has the following fields and buttons:
• IPv6 Audits — Use the fields in this area to select the attacks for which you want to generate audit data. The following fields are available:
  • Attacks — Specify the attacks for which audit data is to be generated. Right-click the Attacks header to either select all checkboxes or to clear (unselect) all selected checkboxes.
  • Audit the selected IPv6 compliance issues — Select the way in which you want to audit packets that are not known attacks, but are also not compliant with the IPv6 standards. The following options are available:
    • All IPv6 compliance issues — Audits all IPv6 compliance issues.
    • Severe and moderate IPv6 compliance issues — Audits severe and moderate IPv6 compliance issues.
    • Severe IPv6 compliance issues — Audits severe IPv6 compliance issues only. (This is the default.)
    • No IPv6 compliance issues — Does not audit IPv6 compliance issues.
• IPv6 Audit Frequency — Use the fields in this area to determine the frequency of generating audit for IPv6 issues. The following options are available:
  • Always audit — Indicates that an audit record will be generated for each audit event. Note that, with unlimited auditing, the log partition can overflow, thus creating problems for the firewall.
  • Limit auditing (recommended) — Specify parameters for limiting the number of records that are generated and the frequency at which they are generated. Generate an audit record for the first x occurrences at each y second interval. Multiple occurrences of the same audit event will not be recorded. An additional audit event will be generated to record the number of audit events that were suppressed. For example, the audit is limited to generating an audit event for the first three (3) occurrences at every 60 second interval. If the firewall stopped 100 decryption failures in 60 seconds, it generates three records for the first three denials, and then generates another audit record, stating that 97 occurrences were suppressed in that 60-second timeframe. If you limit your audits in this manner, system load is reduced.
    • Audit the first x occurrence(s) — Specify the number of audit records to be generated at the beginning of each timeframe.
    • every y seconds — Specify the timeframe at which to begin auditing the records.
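The "Limit auditing" behavior described for the TCP, UDP, ICMP, ARP, IPsec and IPv6 tabs above (audit the first x occurrences every y seconds, then one record counting what was suppressed) can be modelled as follows. This is an added example, not McAfee code; it assumes fixed y-second windows aligned to multiples of y and a separate budget per distinct audit event, neither of which the guide specifies.

```python
class AuditLimiter:
    """Model of the 'Limit auditing' option: at most first_x records per
    every_y-second window for each distinct audit event, plus one summary
    record per window that had suppressed occurrences.

    Assumption (not stated in the guide): windows are fixed intervals
    aligned to multiples of every_y, keyed per event name.
    """

    def __init__(self, first_x=3, every_y=60):
        if first_x < 1 or every_y < 1:
            raise ValueError("first_x and every_y must be positive")
        self.first_x = first_x
        self.every_y = every_y
        # event name -> [current window index, occurrences seen in it]
        self._state = {}
        self.records = []

    def _window(self, ts):
        return int(ts // self.every_y)

    def _summarize(self, event, window, seen):
        # The extra record the guide describes: how many were not audited.
        suppressed = seen - self.first_x
        if suppressed > 0:
            self.records.append({"window": window, "event": event,
                                 "kind": "suppressed", "count": suppressed})

    def observe(self, ts, event):
        """Record one stopped packet of type `event` at time `ts` (seconds).
        Returns True if an audit record was written, False if suppressed."""
        win = self._window(ts)
        st = self._state.get(event)
        if st is None or st[0] != win:
            if st is not None:
                # Previous window closed: emit its suppression summary.
                self._summarize(event, st[0], st[1])
            st = [win, 0]
            self._state[event] = st
        st[1] += 1
        if st[1] <= self.first_x:
            self.records.append({"ts": ts, "event": event, "kind": "denial"})
            return True
        return False

    def flush(self):
        """Close all open windows (for example at shutdown or a timer tick)."""
        for event, (win, seen) in self._state.items():
            self._summarize(event, win, seen)
        self._state.clear()


def run_guide_example():
    """The guide's worked case: 100 denials of one attack type inside one
    60-second window with the default 3-per-60-seconds limit."""
    lim = AuditLimiter(first_x=3, every_y=60)
    # Constructed sample: 100 zero-source-port denials at 0.6 s spacing,
    # all landing in window 0 (timestamps 0.0 .. 59.4).
    for i in range(100):
        lim.observe(ts=i * 0.6, event="udp zero source port")
    lim.flush()
    return lim.records  # 3 denial records, then one summary with count 97


def run_mixed_example():
    """Two event types across two windows: each type has its own budget and
    each window gets its own suppression summary."""
    lim = AuditLimiter(first_x=2, every_y=60)
    # Constructed sample of (timestamp, event) pairs
    sample = [(1, "icmp invalid redirect"), (2, "icmp invalid redirect"),
              (3, "icmp invalid redirect"), (4, "udp zero source port"),
              (61, "icmp invalid redirect"), (62, "icmp invalid redirect"),
              (63, "icmp invalid redirect"), (64, "icmp invalid redirect")]
    for ts, ev in sample:
        lim.observe(ts, ev)
    lim.flush()
    return lim.records
```

With "Always audit" every observe() call would produce a record; comparing len(records) between the two modes shows the load reduction the guide refers to.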
Managing servers and service configurations

Use the Servers and Service Setting window to change the properties that are associated with server and service configurations. For information about the different types of services that are supported by security firewalls, see Services on page 346.

Figure 103 Servers and Service Setting window

Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.

Fields and buttons
This window has the following fields and buttons that apply to all of the tabs on this window:
• Name — Specify a label that is used to refer to the servers and service configuration.
• Description — Provide information about the servers and service configuration.
• OK — Save the changes on all of the tabs for this window.
• Cancel — Close this window without saving any changes.
• Versions — Click this button to view a display of all of the fields on this window that have version-specific availability. You can also view this same information at the field level by holding your mouse over the version level icon and viewing the ToolTip.
Tabs
This window has the following tabs:
• Service Configuration — Modify global properties that are associated with proxy and filter agents and modify basic properties that are associated with TCP and UDP services. For more information, see Servers and Service Setting window: Service Configuration tab on page 292.
• SNMP Agent — Configure advanced properties for the SNMP agent on the firewall. For more information, see Servers and Service Setting window: SNMP Agent tab on page 294.
• ISAKMP Server — Modify advanced properties for the ISAKMP server. For more information, see Servers and Service Setting window: ISAKMP Server tab on page 297.
• NTP Server — Enable the Network Time Protocol (NTP) service in a particular burb and configure one or more NTP servers. For more information, see Servers and Service Setting window: NTP Server tab on page 299.
• Admin Console — Configure advanced properties for the Admin Console of the firewall and the SSH server. For more information, see Servers and Service Setting window: Admin Console tab on page 300.
• DHCP Relay — Allow clients to obtain IP addresses from a DHCP server in a different burb. For more information, see Servers and Service Setting window: DHCP Relay tab on page 301.

Servers and Service Setting window: Service Configuration tab

Use the Service Configuration tab of the Servers and Service Setting window to modify global properties that are associated with proxy and filter agents and to modify basic properties that are associated with TCP and UDP services. To view the fields on this tab, see Figure 103 on page 291. To modify properties associated with selected servers, refer to the other tabs on this window:
• SNMP Agent
• ISAKMP Server
• NTP Server
• Admin Console
• DHCP Relay

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.
3 Select the Service Configuration tab.

Fields and buttons
This tab has the following fields and buttons:
• Proxy Configuration — Use the fields in this area to change the number of connections for the proxy agents on the firewall. You can configure these proxy agents to enable additional instances when traffic volume is high. By distributing the load across multiple instances, you can improve performance.
  • Proxy — [Read-only] Displays the name of a proxy agent.
  • Expected Connections — Specify the total number of connections that are expected for the proxy agent. The following options are available:
    • 1000 — Opens a single instance of a proxy agent.
    • 2000 — Opens a single instance of a proxy agent.
    • 4000 — Opens two instances of a proxy agent.
    • 8000 — Opens four instances of a proxy agent. This is the default value.
    • 16000 — Opens eight instances of a proxy agent.
    • 32000 — Opens sixteen instances of a proxy agent.
  Global properties are shared by all services that use a particular agent. If you create a new service based on the FTP proxy agent, for example, and change the value of this global property, all of the services that are based on the FTP proxy agent are affected.
• Generic Filter — Use the fields in this area to set the global properties associated with services that are using the TCP/UDP Packet Filter agent on the firewall.
  • Maximum TCP Sessions — Specify the maximum number of TCP sessions that are allowed to use the TCP/UDP Packet Filter agent at one time.
  • Maximum UDP Sessions — Specify the maximum number of UDP sessions that are allowed to use the TCP/UDP Packet Filter agent at one time.
  • Minimum Reserved Port — Specify the lowest port number in the range of ports that are reserved for use by the TCP/UDP Packet Filter agent.
  • Maximum Reserved Port — Specify the highest port number in the range of ports that is reserved for use by the TCP/UDP Packet Filter agent.
  • Allow Intra-Burb Forwarding — Determines whether traffic is forwarded between network interfaces located within a burb. This checkbox is cleared by default. You should clear this checkbox if you have a burb that has only one network interface. If it is cleared and a burb has two or more network interfaces, the interfaces are separated. Select this checkbox to ensure that packets are forwarded in burbs with more than one interface.
• TCP Servers — Use the fields in this area to configure the basic properties for the listed TCP daemon servers.
  • Daemon Server — [Read-only] Displays the name of the TCP daemon server.
  • TCP Ports — Specify the TCP port number or port numbers that are used by the TCP daemon server.
  • Idle Timeout — Specify the total number of seconds that an established connection can remain idle before the daemon server closes the connection.
• UDP Servers — Use the fields in this area to configure the basic properties for the listed UDP daemon servers.
  • Daemon Server — [Read-only] Displays the name of the UDP daemon server.
  • UDP Ports — Specify the UDP port number or port numbers that are used by the UDP daemon server.
Servers and Service Setting window: SNMP Agent tab

Use the SNMP Agent tab of the Servers and Service Settings window to configure properties associated with the Simple Network Management Protocol (SNMP) agent on the firewall. Such properties include the following information:
• Location, contact information, allowed protocols and users for the firewall
• Community names that are used by the SNMP agent and management stations to validate identity
• Versions, destinations, and access information for traps that are being sent by the SNMP agent

Figure 104 Servers and Service Setting window: SNMP Agent tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.
3 Select the SNMP Agent tab.

Tabs
This tab has the following tabs:
• Get Settings — Configure physical information about your SNMP agent. For more information, see Get Settings tab on page 295.
• Trap Settings — Configure additional SNMP trap settings. For more information, see Trap Settings tab on page 296.
Get Settings tab

Use the Get Settings tab on the SNMP Agent tab of the Servers and Service Setting window to configure physical information about your SNMP agent, whether you will allow authentication failure traps, and the versions of SNMP that incoming SNMP requests are allowed to use, and to configure and manage the list of SNMP v3 users who can issue requests to the firewall SNMP agent.

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.
3 Select the SNMP Agent tab.
4 Make sure that the Get Settings tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Location — Specify the physical location of the firewall.
• Contact — Specify the user name or e-mail address of the administrator for the firewall.
• Allowed Protocols — Specify the versions of SNMP that incoming SNMP requests are allowed to use. SNMP messages with versions that are not allowed are ignored.
• Allowed Get Communities — Specify the community names that are allowed to retrieve management information base (MIB) information. The community name is part of the authentication header in SNMP messages. The firewall SNMP agent checks the community name in all of the v1 and v2c SNMP messages that it receives to verify the identity of a management station. The SNMP agent will not start unless a community name is specified. If you do not specify a name in this field, the default community is "public".
  Note: Communities are ignored in SNMP v3.
  The following field is available:
  • Community — Specify the name that is assigned to a management station.
• SNMP v3 Users — Use the fields in this area to view, create and manage SNMP v3 users who can issue requests to the firewall SNMP agent. The following fields are available:
  • Username — Specify the user name that was established on the SNMP management station.
  • Password — Specify the password for this user that was established on the SNMP management station. This password must contain at least eight characters.
  • Security Level — Determines whether authentication and encryption should be used when issuing requests. The following options are available:
    • NoAuth — Any security level can be used.
    • AuthNoPriv — A password is required. Payload encryption is optional.
    • AuthPriv — A password and payload encryption are required.
  • Description — Specify a description that can easily identify this user.
Trap Settings tab

Use the fields on the Trap Settings tab of the SNMP Agent tab of the Servers and Service Setting window to configure more specific settings for SNMP traps.

Figure 105 Servers and Service Setting window: SNMP Agent tab: Trap Settings tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.
3 Select the SNMP Agent tab.
4 Select the Trap Settings tab.

Fields and buttons
This tab has the following fields and buttons:
• Trap Version — Specify the SNMP version that the firewall should use when sending traps.
  Note: This is a global setting that will affect all components that originate traps.
• Enable Authentication Failure Trap — Determines whether authentication failure traps are enabled. This checkbox is cleared by default. If you select this checkbox, the firewall sends authentication failure traps to configured management stations if it detects an unauthenticated Get command.
• Trap Destinations — Use the fields in this area to specify the hosts that will receive traps that are generated by the SNMP agent on the firewall. The following fields are available:
  • Host — Specify the name of a host that will receive an SNMP trap. Click in this field and then select a value from the list.
  • Community — Specify the name of the community to which this host belongs. If you do not specify a name in this field, the default community is "public".
    Note: Communities are ignored in SNMP v3.
• v3 Trap Settings — Use the fields in this area to configure the security settings to use when sending traps.
  Note: The fields in this area are available only if v3 was selected as the value in the Trap Version field.
  The following fields are available:
  • Username — Specify the user name to use when sending traps. All trap destinations will use the same SNMP user name when using SNMP v3.
  • Password — Specify the password for the user name specified in the Username field.
  • Security level — Determines whether authentication and encryption should be used when sending traps. The following options are available:
    • NoAuth — Any security level can be used.
    • AuthNoPriv — A password is required. Payload encryption is optional.
    • AuthPriv — A password and payload encryption are required.

Servers and Service Setting window: ISAKMP Server tab

Use the ISAKMP Server tab of the Servers and Service Setting window to change the following advanced properties associated with the Internet Security Association and Key Management Protocol (ISAKMP) server:
• Audit level for the server's traffic
• Internet Key Exchange (IKE) phase 1 negotiation parameters
• Extended authentication (XAUTH) negotiation parameters

Figure 106 Servers and Service Setting window: ISAKMP Server tab

Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.
3 Select the ISAKMP Server tab.
Fields and buttons
This tab has the following fields and buttons:
• Audit Level — Specify the type of audit output for the ISAKMP server. The following values are available:
  • Error — Logs only major errors.
  • Normal — Logs only major errors and informational messages. This is the default value.
  • Verbose — Logs all errors and informational messages. This level is useful for detecting configuration issues.
  • Debug — Logs errors, informational messages, and debug information.
  • Trace — Logs errors, informational messages, and debug and function trace information.
• IKE Phase One Negotiation Properties — Use the fields in this area to configure properties associated with IKE phase 1 negotiations. The following fields are available:
  • Allow Certificate Negotiation — Determines whether certificate negotiation is permitted. This checkbox is selected by default. If this checkbox is cleared, all of the certificates that are used to authenticate remote peers must be in the local certificate database or they must be accessible using Lightweight Directory Access Protocol (LDAP).
  • Negotiation Timeout (sec) — Specify the length of time (in seconds) that the ISAKMP server will wait for a response to its request to a remote peer before it resends a packet.
  • Maximum Retry Attempts — Specify the maximum number of times that the ISAKMP server will attempt to resend a packet if it does not receive a response.
  • Number of New Connections Allowed At Once — Use the fields in this area to determine the number of connections that are allowed to establish a connection to the ISAKMP server at one time. Select one of the following options:
    • Unlimited Connections — Indicates that the number of remote peers that are allowed to establish a connection to the ISAKMP server at one time is unlimited. This option is selected by default.
    • Maximum Connections — Indicates the maximum number of remote peers allowed to establish a connection to the ISAKMP server at one time. You must select or specify a value.
• XAUTH Negotiation Properties — Use the fields in this area to configure properties that are associated with Extended Authentication. The following fields are available:
  • Only Allow One Active SA Per Authenticated User — Determines whether only one security association (SA) is permitted for each authenticated user. This checkbox is selected by default.
  • Negotiation Timeout (sec) — Specify the length of time (in seconds) that the ISAKMP server will wait for a response to its request to an authenticator before it resends a packet.
  • Maximum Negotiation Attempts — Specify the maximum number of times that the ISAKMP server will attempt to resend a packet if it does not receive a response.
  • XAUTH Authenticators — Specify the XAUTH authenticator or authenticators that can be used for extended authentication.
  • Default Authenticator — [Available only if more than one authenticator is selected in the XAUTH Authenticators table] Specify the authenticator that is used by default.
  • 299. Managing servers and service configurations Servers and Service Setting window: NTP Server tab Use the NTP Server tab of the Servers and Service Setting window to enable the Network Time Protocol (NTP) service in an appropriate burb and to configure one or more NTP servers to be used for network time synchronization. The Network Time Protocol (NTP) is an Internet standard protocol that enables client computers to maintain system time synchronization that is relative to master clocks. The firewall is compatible with NTP versions 2, 3, and 4. NTP version 4 is preferred and is used by default on the firewall. The firewall can be configured as an NTP client or an NTP server. An NTP client receives time updates from another system; an NTP server supplies time updates to other systems. Typically, a firewall is configured as an NTP client that receives time updates from an internal NTP server. Configuring an firewall to receive time updates from both an internal and an external NTP server is not recommended. You can also configure peers and restricted addresses for NTP. Figure 107 Servers and Service Setting window: NTP Server tab Accessing this tab 1 In the Configuration Tool, select the Firewall Settings group bar. 2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed. 3 Select the NTP Server tab. Fields and buttons This tab has the following fields and buttons: • Enable NTP on burbs — Specify the firewall burb that is used to communicate with an NTP server. The following values are available, as well as all other configured burbs: • external — Indicates that the firewall receives time updates from an NTP server on an external network. • internal — Indicates that the firewall receives time updates from an NTP server on an internal network. • NTP Configuration — Use the fields in this area to configure one or more NTP servers to be used for synchronizing system clocks in your network. 
You can also configure peers and restricted addresses for NTP in this table. The following fields and buttons are available:
  • Burb — [Read-only] Displays the firewall burb that is used to communicate with the NTP server. This enables the NTP service in the appropriate burb.
  • Servers — [Read-only] Displays the IP address or the host name of the NTP server that is used to synchronize clocks in your network.
  • Peers — [Read-only] Displays the peers for this NTP server configuration. Unlike a server, a peer exchanges time with the firewall in both directions rather than only supplying it.
  • Restricted — [Read-only] Displays the access restrictions that have been configured for this NTP server configuration, that is, which addresses are permitted to query, modify, or be served by the firewall's NTP service.
  • Add — Displays the Burb NTP Configuration window, in which you can configure a new NTP configuration for a burb.
  • Edit — Displays the Burb NTP Configuration window, in which you can edit the selected NTP configuration.
  • Delete — Deletes the selected NTP burb configuration.
Servers and Service Setting window: Admin Console tab
Use the Admin Console tab of the Servers and Service Setting window to configure advanced properties that are associated with the Admin Console of the firewall. The Admin Console is the primary management tool for the firewall. It provides a graphical user interface for the configuration of firewall features.
Figure 108 Servers and Service Setting window: Admin Console tab
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.
3 Select the Admin Console tab.
Fields and buttons
This tab has the following fields and buttons:
• Admin Console — Use the fields in this area to configure properties that are associated with the Admin Console of the firewall.
  • Require Login Greeting to be Displayed on Every Login — Determines whether a login greeting message is displayed each time that a user connects to the firewall from the Admin Console. This checkbox is cleared by default. If you select this checkbox, the message is displayed on every login.
  • Greeting Message — Specify the text for the login greeting message. A greeting is typically used for a notice of authorized use; it should not disclose the firewall version or other configuration details to someone who has not yet authenticated.
Servers and Service Setting window: DHCP Relay tab
Use the DHCP Relay tab of the Servers and Service Setting window to allow clients to obtain IP addresses from a DHCP server in a different burb.
Figure 109 Servers and Service Setting window: DHCP Relay tab
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Server and Service Settings node. The Servers and Service Setting window is displayed.
3 Select the DHCP Relay tab.
Fields and buttons
This tab has the following fields and controls:
• DHCP Servers — Specify the list of DHCP servers to which DHCP requests are forwarded. Select the server or servers from this list. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click the Advanced search icon. To view a list of objects that you can add, click the Add icon.
• Advanced — Use the fields in this area to configure additional DHCP Relay options. The following fields are available:
  • Reforwarding option — Use the fields in this area to determine the action to take when a request is received that already contains a relay agent option field and giaddr (the relay agent IP address field in the DHCP header) is set, that is, when the request has already passed through another DHCP relay. Select one of the following options:
    • Append to existing agent option field — Indicates that the DHCP relay agent option data for the firewall is appended to the DHCP requests, which are then forwarded to the DHCP server or servers selected in the DHCP Servers list.
    • Replace existing agent option field — Indicates that the agent option data that was added to the DHCP requests by other DHCP relays is replaced with the DHCP relay information from the firewall. The requests are then forwarded to the DHCP server or servers selected in the DHCP Servers list.
    • Forward the packet unchanged — Indicates that the DHCP requests are forwarded to the specified DHCP servers without modifying the agent option data that was added by other DHCP relays. This is the default value.
    • Discard the packet — Indicates that any DHCP requests that have already been forwarded by other DHCP relays are discarded.
  • Discard threshold — Specify the maximum number of DHCP relays that DHCP request packets can pass through before being dropped by the firewall. Valid values are between 1 and 255 hops. The default value is 2 hops.
  • Maximum packet size — Specify the maximum size of the DHCP request packets that the DHCP Relay agent can create after appending its agent option information. Valid values are between 576 and 9000 bytes (or between 1 and 8 kilobytes). The default size is 576 bytes.
  • Drop all packets received from a DHCP server that do not contain any relay agent options that refer to one of this relay agent's IP addresses — Determines whether to drop replies from DHCP servers that do not correspond to requests that were forwarded by this firewall. This checkbox is selected by default.
  • Append agent option field — Determines whether to append additional DHCP Relay agent information to the agent option field of DHCP request packets, including the printable name of the firewall network interface on which the request was received. This checkbox is cleared by default.
Viewing and managing IPS signatures by using the IPS Signature Browser
Use the IPS Signature Browser window to view and manage available signatures.
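Before moving on to the IPS Signature Browser, here is an added example of how the DHCP Relay tab settings above act on a request. It is illustrative Python written for this page, not the firewall's relay agent code: it models the Relay Agent Information option (DHCP option 82, RFC 3046), the four Reforwarding options, the Discard threshold, the Maximum packet size, and the drop-unmatched-replies check. The option layout, the Circuit ID/Remote ID contents, the name `internal` for the receiving interface, and what happens when an appended option would exceed the packet size limit are assumptions; the packets are constructed.

```python
"""Model of the DHCP Relay tab's reforwarding settings, applied to the Relay Agent
Information option (DHCP option 82, RFC 3046). Written for this page; not the
firewall's relay code. The option layout, the Circuit ID/Remote ID contents and the
handling of an over-size packet are assumptions, and the packets are constructed."""
import ipaddress

OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes
BOOTP_HEADER_LEN = 236 + 4                    # fixed BOOTP fields plus the DHCP magic cookie


def parse_options(raw):
    """Flat DHCP options field -> list of (code, value); PAD is skipped, END stops parsing."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_options(opts):
    return b"".join(bytes([code, len(value)]) + value for code, value in opts) + bytes([OPT_END])


def agent_option(circuit_id, relay_ip):
    """Relay Agent Information value: Circuit ID = receiving interface name (assumed),
    Remote ID = the relay's own IP address, which is what the reply check looks for."""
    remote_id = ipaddress.IPv4Address(relay_ip).packed
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def relay_request(pkt, mode, relay_ip, circuit_id=b"internal",
                  discard_threshold=2, max_packet_size=576):
    """Apply the tab's settings to a client-to-server request.

    pkt:  {"hops": int, "giaddr": str, "options": bytes}  (a parsed request, constructed)
    mode: "append" | "replace" | "forward" | "discard"   (the Reforwarding option)
    Returns (action, options bytes to send). A real relay also increments hops and
    sets giaddr to its own address before forwarding.
    """
    if pkt["hops"] >= discard_threshold:                # Discard threshold
        return "discard:hops", b""
    opts = parse_options(pkt["options"])
    has_agent = any(code == OPT_RELAY_AGENT for code, _ in opts)
    if has_agent and pkt["giaddr"] == "0.0.0.0":
        return "discard:untrusted", b""                  # RFC 3046 2.1.1: option but no giaddr
    own = agent_option(circuit_id, relay_ip)
    if has_agent:                                        # already relayed: Reforwarding option
        if mode == "discard":
            return "discard:relayed", b""
        if mode == "forward":
            return "forward", build_options(opts)
        if mode == "replace":
            opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
        elif mode != "append":
            raise ValueError(mode)
    opts = opts + [(OPT_RELAY_AGENT, own)]
    out = build_options(opts)
    if BOOTP_HEADER_LEN + len(out) > max_packet_size:    # Maximum packet size
        # Assumption: if the option does not fit, send the request without adding it.
        return "forward:no-agent-option", build_options(parse_options(pkt["options"]))
    return "forward", out


def accept_reply(reply_options, relay_ip):
    """'Drop all packets received from a DHCP server that do not contain any relay agent
    options that refer to one of this relay agent's IP addresses': keep the reply only if
    a Remote ID sub-option carries this relay's address."""
    want = ipaddress.IPv4Address(relay_ip).packed
    for code, value in parse_options(reply_options):
        if code != OPT_RELAY_AGENT:
            continue
        i = 0
        while i + 1 < len(value):
            sub, n = value[i], value[i + 1]
            if sub == SUB_REMOTE_ID and value[i + 2:i + 2 + n] == want:
                return True
            i += 2 + n
    return False
```

The reply check is the reason the option carries the relay's own address: a server reply that does not echo it back cannot have originated from a request this relay forwarded, so the default (selected) setting drops it rather than handing it to a client on the inside burb.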
You can perform the following actions:
• Filter signatures for easier viewing.
• Globally enable or disable signatures.
• View signature vulnerabilities on the Common Vulnerabilities and Exposures (CVE®) web site.
There are two objects beneath the Signature Browser object in the Object Configuration area:
• IPS Signature Settings — This is the default signature object that is shipped with the Control Center.
• IPS Signatures — This is the name of the object that is created when a retrieve from a firewall is performed. This object can contain user-defined signatures.
Because your list of installed signatures can be very long, you can quickly retrieve only those signatures that meet certain filter constraints by using the Find filtering mechanism:
1 In the Search field, specify a term that matches a selection for any value displayed in the browser.
2 Click the down arrow to select the display for the search results (Highlight Matching Rules or Only Display Matching Signatures).
3 Click Find or press Enter. The results are displayed. If you selected the Highlight Matching Rules option, all signatures that match the value in the Search field are highlighted in yellow. If you selected the other option, only those signatures that match your search criteria are displayed.
4 Click Find Next to move through the matches.
To remove the filtered list or the yellow highlight and view all of the objects again, click the Clear Find Results icon.
Figure 110 IPS Signature Browser window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the IPS Signature Browser node. The IPS Signature Browser window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name that describes the purpose of this signature object. For example, if you wanted a signature set that covers HTTP and FTP attack signature files, you could specify HTTP_FTP. Valid values include alphanumeric characters, dashes (-), underscores (_), and spaces. However, the first and last characters of the name must be alphanumeric. The name cannot exceed 256 characters. You can rename the object later.
• Description — Specify useful information about the signature object.
• Search — Provides a filtering mechanism for viewing the signatures in this list. For more information about how to perform a search, see the procedure earlier in this window description.
• Find — See the description of this functionality earlier in this window description.
• Enabled — Determines whether this signature is used by a rule to scan traffic. All of the Enabled checkboxes are selected by default. If the checkbox is cleared, the signature is not used when scanning traffic, even if it is part of a signature group that is referenced in a rule. By disabling a signature, you can avoid the false positives it causes (for example, when the signature identifies legitimate traffic as an attack). You can select multiple signatures by pressing and holding the Ctrl key while selecting the signatures. You can select a range of signatures by selecting the first signature in the range, pressing and holding the Shift key, and then selecting the last signature in the range.
• Name — [Read-only] Displays the name of the signature.
• Category — [Read-only] Displays the signature category for this signature. A signature category is a group of signatures that all involve the same type of attack. The category is classified by the network service that is targeted for attack, and it consists of a main category and a subcategory. One or more categories can be added to a signature group.
• Class Type — [Read-only] Displays the class type for the signature. The class type identifies the intended purpose of the attack, such as Root Level Exploit or Discovery.
• Type — [Read-only] Displays the threat level attribute for the signature. This threat level reflects a relationship between confidence level and severity. The following types can be displayed:
  • IPS — Detects attacks that are considered dangerous.
  • IDS — Detects attacks that are either considered minor (such as probe or discovery activity) or are suspected attacks, meaning that the signature might incorrectly identify legitimate traffic as an attack.
  • Policy — Identifies network traffic that you want to control based on your organization's security policy, such as instant messaging or P2P communication.
• Date Added — [Read-only] Displays the date that this signature was added or last updated.
• Vulnerability — [Read-only] Displays the identifier that was assigned by Common Vulnerabilities and Exposures (CVE). The following identifiers can appear for a signature:
  • If CVE precedes the number, the vulnerability has been reviewed and accepted by CVE and is an official entry in the CVE list.
  • If CAN or nothing precedes the number, the vulnerability is a candidate that is still under review by CVE and is not yet an official entry in the CVE list.
  • If NONE is displayed, CVE has not reviewed this signature.
To view the CVE web page that is associated with this identifier in a web browser, click the link.
• SID — [Read-only] Displays the signature ID (SID) for the signature, which was automatically generated by the originator of the signature.
• Description — [Read-only] Displays the description for the signature.
• OK — Saves the changes that were made in this window.
• Cancel — Closes this window without saving any changes.
TrustedSource
TrustedSource is a reputation service that assigns a reputation score to an IP address based on the behavior attributes of the traffic it generates. A reputation score is like a credit score that indicates the trustworthiness of an IP address. TrustedSource uses servers around the world to gather and analyze billions of packets dynamically to determine reputation scores. For each IP address on the Internet, TrustedSource calculates a reputation value based on such attributes as sending behavior, blacklist and whitelist information, and spam trap information.
Note: For more information about the service, see the TrustedSource web site at www.trustedsource.org.
Implement TrustedSource on your firewall to:
• block spam e-mail from botnets.
• help prevent hosts on your network from being infected with botnet agents.
• identify hosts on your network that have been compromised in botnet or pharming attacks.
• protect critical servers from access by authorized users who are inadvertently using compromised external machines.
For more information, see the TrustedSource application note at mysupport.mcafee.com.
Configuring TrustedSource settings for rules and mail filtering
Use the TrustedSource window to filter more accurately the network traffic that passes through all of the firewalls that you specify in this window. TrustedSource looks up the reputation score of the IP addresses in that traffic. To enable TrustedSource settings for rules and mail filtering, perform the following tasks:
• Create a TrustedSource whitelist and configure reputation boundaries in the TrustedSource window.
• Enable TrustedSource for individual rules in the Rule Editor window.
Figure 111 TrustedSource window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the TrustedSource node. The TrustedSource window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify the name for the TrustedSource object.
• Description — Provide a description of the TrustedSource object.
• Whitelist — Use the fields in this area to select objects to be included in the TrustedSource whitelist. Selected objects are not examined for TrustedSource reputation scores and are exempt from the TrustedSource matching requirements of a rule.
  • Do not perform TrustedSource filtering on — Specifies the types of objects to be included in the whitelist. These object types are selected by default because your security policy probably already defines explicit allow and deny rules for them. If you clear a checkbox, all objects of that type are included in TrustedSource queries and are subject to the TrustedSource matching requirements of a rule. You can also exclude specific burbs; see the Burbs except the following field.
    • IP address objects — Determines whether IP address objects are included in the whitelist, which means that they are excluded from TrustedSource examination. Selected by default.
    • IP Range objects — Determines whether IP range objects are included in the whitelist, which means that they are excluded from TrustedSource examination. Selected by default.
    • Subnet objects — Determines whether subnet objects are included in the whitelist, which means that they are excluded from TrustedSource examination. Selected by default.
    • Host objects — Determines whether host objects are included in the whitelist, which means that they are excluded from TrustedSource examination. Selected by default.
  • Burbs except the following — Determines whether specific burbs are excluded from the TrustedSource whitelist, which means that the selected burbs are included in TrustedSource queries.
If a selected burb is used in a rule that has TrustedSource enabled, the IP addresses in that burb are examined for their reputation score and are subject to the rule's TrustedSource matching requirement. This checkbox is cleared by default. To specify one or more burbs:
1 Select the checkbox for this field. The default value for this list is <None>.
2 Click the down arrow.
3 Select the individual burb or burbs.
Note: Private IP addresses (the RFC 1918 ranges 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x) are never evaluated by TrustedSource and are not examined in rules, whatever the whitelist settings.
  • Do not perform TrustedSource filtering on these objects — Use the fields in this area to add the network objects of a specific burb to the whitelist.
Note: If you specify one or more burbs in the Burbs except the following field, you cannot use the fields in this area. Conversely, if you want to include an entire burb, rather than specific network objects from it, in the whitelist, use the Burbs except the following checkbox and list instead of these fields.
    • Burbs — Specify one or more burbs for which you are identifying specific network objects to be added to the whitelist. The default value is <None>.
    • Network Objects — Specify the network objects to be added to the whitelist. Double-click any object in this list (except generic objects such as ANYWHERE) to open it. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click the Advanced search icon. To view a list of objects that you can add, click the Add icon.
• Advanced Settings — Use the fields in this area to adjust the reputation boundaries and to include reputation scores in the audit log.
  • Adjust reputation boundaries — Use these fields to change the range of values for any reputation class. You should not have to change these settings from their default values. The range of scores spans from -255 to 255, with the lowest score (-255) indicating the most trusted reputation and the highest score (255) indicating the least trusted reputation. Adjust each value as needed. The following table describes each class and its range of scores:
Table 12 Class values and score ranges
Value        Class        Class description
-255 to -1   Trusted      The IP address is a source of substantial amounts of legitimate traffic.
0 to 14      Neutral      The IP address is a source of legitimate traffic. However, it might send small amounts of unusual traffic or traffic that requires further inspection.
15 to 29     Unverified   The IP address might be a legitimate sender. However, the data gathered so far is either inconclusive or insufficient to make a firm reputation decision. Further inspection is required.
30 to 49     Suspicious   The IP address has exhibited substantial suspicious behavior in the past. Connections should be treated with the caution that is appropriate for the application protocol in question.
50 to 255    Malicious    The IP address has a history of malicious behavior.
  • Default reputation if TrustedSource servers are unavailable — Specify the reputation score that is assumed for an IP address if the TrustedSource servers are unavailable to verify its reputation. The default value is 30. Because 30 falls in the Suspicious class, a rule that accepts only Trusted, Neutral, or Unverified addresses does not match while the servers are unreachable; raising this value toward Malicious or lowering it toward Trusted decides whether an outage fails closed or open for such rules.
  • Audit traffic allowed by TrustedSource — Determines whether the reputation scores for the IP addresses of an allowed connection are included in the audit log.
If this checkbox is selected and TrustedSource is used to look up the reputation of the source or destination IP address (or both) of a connection that is allowed, the audit log entry includes the score in this format: dest_reputation: 20
An allow audit message appears in the audit log only if TrustedSource was used in the rule matching process. It does not appear in the audit log for allowed connections under these conditions:
• The source and the destination IP addresses are both on the TrustedSource whitelist.
• The connection is allowed by a rule that is processed before the rule that uses TrustedSource.
• The connection does not match another element of the rule that uses TrustedSource (for example, the destination burb did not match), but it is allowed by a subsequent rule that does not use TrustedSource.
• OK — Saves the changes that you made in this window.
• Cancel — Closes this window without saving any changes.
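The following added example, written for this page and not taken from the product, models how the whitelist, the reputation boundaries of Table 12, the default-when-unavailable score, and the audit setting interact with ordered rule processing. It reproduces the three no-audit conditions just listed. The rule fields, the `ts_max_class` rule attribute (standing in for the per-rule TrustedSource requirement set in the Rule Editor), the reputation database, and the addresses (RFC 5737 documentation ranges) are all constructed.

```python
"""Model of the TrustedSource window's whitelist, reputation boundaries and audit
setting interacting with ordered rule processing. Written for this page, not product
code; rule fields, the reputation database and the addresses are constructed."""
import ipaddress

# Table 12 defaults: inclusive upper bound of each class, in order of decreasing trust.
CLASS_BOUNDS = [(-1, "Trusted"), (14, "Neutral"), (29, "Unverified"),
                (49, "Suspicious"), (255, "Malicious")]
CLASS_ORDER = [name for _, name in CLASS_BOUNDS]
DEFAULT_IF_UNAVAILABLE = 30        # "Default reputation if TrustedSource servers are unavailable"

# Private ranges from the note above: never sent to TrustedSource, never examined in rules.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the TrustedSource lookup (RFC 5737 documentation addresses).
REPUTATION_DB = {"203.0.113.10": -120, "192.0.2.44": 20, "198.51.100.7": 55}


def reputation_class(score, bounds=CLASS_BOUNDS):
    for upper, name in bounds:
        if score <= upper:
            return name
    raise ValueError(f"score {score} outside -255..255")


def lookup(ip, db=REPUTATION_DB, available=True):
    if not available:
        return DEFAULT_IF_UNAVAILABLE
    return db.get(ip, 0)           # constructed: unknown addresses count as Neutral


def is_whitelisted(ip, whitelist):
    """RFC 1918 addresses are always exempt; whitelist holds the explicitly whitelisted objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918) or ip in whitelist


def evaluate(conn, rules, whitelist=frozenset(), db=REPUTATION_DB,
             ts_available=True, audit_ts=True):
    """First matching rule wins. A rule with "ts_max_class" matches only if every
    non-whitelisted address is in that class or a more trusted one.
    Returns (action, rule name, audit text or None)."""
    for rule in rules:
        if (rule["src_burb"], rule["dst_burb"], rule["service"]) != \
           (conn["src_burb"], conn["dst_burb"], conn["service"]):
            continue                                   # another element of the rule did not match
        audit, ok = [], True
        if rule.get("ts_max_class"):
            limit = CLASS_ORDER.index(rule["ts_max_class"])
            for label, ip in (("src", conn["src_ip"]), ("dest", conn["dst_ip"])):
                if is_whitelisted(ip, whitelist):
                    continue                           # exempt from the matching requirement
                score = lookup(ip, db, ts_available)
                audit.append(f"{label}_reputation: {score}")
                if CLASS_ORDER.index(reputation_class(score)) > limit:
                    ok = False
            if not ok:
                continue                               # reputation too poor: rule does not match
        # Scores reach the audit log only when TrustedSource actually took part in the match.
        logged = " ".join(audit) if (audit_ts and audit and rule["action"] == "allow") else None
        return rule["action"], rule["name"], logged
    return "deny", "<implicit deny>", None


RULES = [   # constructed, processed in order
    {"name": "dns_out", "src_burb": "internal", "dst_burb": "external", "service": "dns",
     "action": "allow"},
    {"name": "web_out", "src_burb": "internal", "dst_burb": "external", "service": "http",
     "action": "allow", "ts_max_class": "Unverified"},
    {"name": "web_dmz", "src_burb": "internal", "dst_burb": "dmz", "service": "http",
     "action": "allow"},
]


def conn(dst_ip, dst_burb="external", service="http", src_ip="10.0.0.5"):
    return {"src_ip": src_ip, "src_burb": "internal", "dst_ip": dst_ip,
            "dst_burb": dst_burb, "service": service}
```

With these rules, an HTTP connection from 10.0.0.5 to 192.0.2.44 is allowed by web_out and audited as `dest_reputation: 20` (the private source is never looked up); the same client reaching 198.51.100.7 over DNS is allowed by dns_out with no audit line, reaching it over HTTP falls through to the implicit deny, and reaching a DMZ host over HTTP is allowed by web_dmz with no audit line because web_out's destination burb did not match.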
Virus scanning
Use the anti-virus service, a licensed add-on module that uses a firewall-hosted virus scanner, to configure rule-based MIME, virus, and spyware scanning. Scanning services can be applied to HTTP and HTTPS traffic, FTP files, and mail messages. When using scanning services, you can specify the number of scanner processes to be dedicated to various data sizes, allowing the firewall to process data more efficiently. You can also configure how often the signature files are updated.
Configuring virus scanning properties
Use the Virus Scan window to configure virus scanning properties. These properties include parameters for distributing scanner processes across incoming and outgoing traffic, controlling buffer sizes, handling archives, and scanning encrypted files.
Note: You must have licensed the Anti-Virus feature to be able to perform virus scanning.
Support for updating the anti-virus engine and signature files is provided in the Updates window. Support for scanning particular types of traffic (for example, HTTP, FTP, Sendmail) is provided in the application defense windows that are associated with those services:
• FTP Application Defense window - Virus/Spyware tab
• HTTP Application Defense window - MIME/Virus/Spyware tab
• HTTPS Application Defense window - MIME/Virus/Spyware tab
• Mail (Sendmail) Application Defense window - MIME/Virus/Spyware tab
Figure 112 Virus Scan window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Virus Scan node. The Virus Scan window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label that is used to refer to this Virus Scan configuration.
• Description — Provide information about the Virus Scan configuration.
• Scanning Distribution — Use the fields in this area to specify the number of scanners to use for files of selected sizes. The following fields are available:
  • File Size Range — [Read-only] Displays one of the following options:
    • Up to 40K
    • Up to 100K
    • Up to 1M
    • Unlimited
Note: A file is handled by the first file size range that is larger than the file's size; for example, a file of exactly 40K is handled by the scanners assigned to the Up to 100K range.
  • Scanners — Specify the number of scanners to use for files in the associated range of file sizes. Acceptable values range from 1 to 10.
Note: To ensure optimum performance, the total number of scanner processes across all ranges should not exceed 20. If you decrease the number of scanners, the virus scanner must be restarted.
• Advanced — Use the fields in this area to configure properties for controlling buffer sizes, handling archives, and scanning encrypted files.
  • Scan Buffer Size (KB) — Specify the size (in kilobytes) of the memory buffer that is used for storing data until a temporary backup file is created. Acceptable values range from 8 KB to 64 KB. The default value is 64.
  • Archive Scan Buffer Size (MB) — Specify the size (in megabytes) of the memory buffer that is used for storing the contents of archive files until the anti-virus engine temporarily writes the contents to disk to perform the scan. The default value is 128. The maximum is 512 MB.
  • Maximum Number of Files to Scan in an Archive — Specify the largest number of files in an archive that will be scanned. If an archive contains more files than the specified maximum, the archive is not scanned. The default value is 2000.
  • Scan Encrypted Files — Determines how the scanner handles password-protected files (for example, .xls or .zip files). This checkbox is cleared by default, in which case the scanner generates an error and rejects password-protected files.
If this checkbox is selected, the scanner scans the unencrypted parts of such files and, if no virus is detected, allows the file. Note that the encrypted parts are never inspected, so an allowed password-protected file has only had its unencrypted portion checked.
• OK — Saves the changes that were made in this window.
• Cancel — Closes this window without saving any changes.
Quality of Service
Quality of Service (QoS) guarantees a certain level of performance for a data flow by using different priorities and queuing mechanisms to allocate the available bandwidth. QoS is beneficial for networks with limited bandwidth that must pass latency-sensitive or bandwidth-intensive traffic.
Using the Quality of Service window, you can create QoS profiles that can be applied to the network interfaces of the firewall. Each QoS profile contains one or more queues that allow you to prioritize network performance based on network traffic type. Each queue is assigned a priority value, is allocated a percentage of the available bandwidth, and can be allowed to borrow bandwidth from other queues. When a queue is full, any additional packets that match that queue are dropped. Queues are applied to network traffic based on the services that are selected.
When a QoS policy is applied to a network interface, only outgoing traffic on that interface is controlled by QoS; packets arriving on that interface are not affected. If you want traffic for a particular service to be controlled in both directions, that service must be present in the QoS policy of both of the interfaces through which traffic for that service leaves the firewall. The following QoS configurations illustrate their effect on a connection between an internal client and an external web server:
• The QoS profile for the external interface includes HTTP. Traffic that is sent from the internal client to the external web server is affected by QoS.
• The QoS profile for the internal interface includes HTTP. Traffic that is sent from the web server to the internal client is affected by QoS.
• Both the internal and the external interface QoS profiles include HTTP. All traffic between the client and the web server is affected by QoS.
QoS is applied to network traffic at the IP and transport layers based on the service or services that are selected in each queue.
Protocols that use dynamic ports that are negotiated at the application layer (for example, FTP or VoIP) do not match QoS queues that use those services, because QoS does not examine the application layer when it processes packets. If you have a QoS queue that was created with the FTP filter service selected, QoS is applied to the control connection (TCP port 21), but not to the data connection (a high random TCP port, or TCP port 20). Because the control connection is made on the port that is defined in the service, QoS policy is applied to it. QoS is not applied to the data connection because it is made on a port that is negotiated at the application layer between the client and the server.
To apply QoS to protocols that employ dynamic ports, create a service that includes the range of dynamic ports, and select this service on the QoS queue. Because such a service matches by port alone, it also captures any unrelated traffic that happens to use ports in that range.
Applying a QoS profile to a network interface
The following high-level steps describe how to apply a QoS profile to a network interface:
1 Create a QoS profile (Quality of Service window).
2 Add QoS queues to the profile (Quality of Service window).
3 Apply the QoS profile to a network interface (McAfee Firewall Enterprise Interface window, opened from the Firewall window).
Note: QoS cannot be configured on VLANs.
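As an added example, written for this page rather than taken from the firewall, the following Python models queue selection as described above: packets are matched to queues at the transport layer only, so the FTP data connection lands in the default queue until a service covering the negotiated ports is added. It also checks a profile against the limits the Quality of Service window enforces (seven-character names, the stricter naming for 7.0.1 and later firewalls, priority 0 to 7, at most 100 percent allocated, a service in only one queue). The service definitions, the assumed passive FTP port range, the sample profile, and the choice to resolve overlapping services by queue priority are all constructed for the example.

```python
"""Model of QoS queue selection as described above. Written for this page, not
firewall code. It validates a profile against the limits the window enforces and
classifies packets at the transport layer only, so an FTP data connection misses
the ftp queue until a service covering the negotiated ports is added. Services,
the passive port range and the sample packets are constructed."""
import copy
import re

DEFAULT_QUEUE = "default"

# Constructed service definitions: protocol plus inclusive port ranges.
SERVICES = {
    "http":    {"proto": "tcp", "ports": [(80, 80)]},
    "ftp":     {"proto": "tcp", "ports": [(21, 21)]},                   # control channel only
    "ftpdata": {"proto": "tcp", "ports": [(20, 20), (49152, 65535)]},   # active + assumed passive range
}

# Constructed profile for the external interface; "default" is the built-in queue.
PROFILE = {"name": "extqos", "queues": [
    {"name": "web",     "priority": 5, "bandwidth": 40, "can_borrow": True,  "services": ["http"]},
    {"name": "ftpctl",  "priority": 3, "bandwidth": 10, "can_borrow": False, "services": ["ftp"]},
    {"name": "default", "priority": 0, "bandwidth": 20, "can_borrow": True,  "services": []},
]}


def validate_profile(profile, firewall_version=(7, 0, 1)):
    """Return the list of violations of the window's constraints (empty if valid)."""
    strict = firewall_version >= (7, 0, 1)      # stricter naming on 7.0.1 and later
    problems, owner, total = [], {}, 0
    name = profile["name"]
    if len(name) > 7:
        problems.append(f"profile name {name!r} exceeds 7 characters")
    if strict and re.search(r"[-._]", name):
        problems.append(f"profile name {name!r} contains '-', '.' or '_'")
    for q in profile["queues"]:
        qn = q["name"]
        if len(qn) > 7:
            problems.append(f"queue name {qn!r} exceeds 7 characters")
        if strict and not qn.isalnum():
            problems.append(f"queue name {qn!r} is not alphanumeric")
        if not 0 <= q["priority"] <= 7:
            problems.append(f"queue {qn!r} priority {q['priority']} outside 0..7")
        if not 0 <= q["bandwidth"] <= 100:
            problems.append(f"queue {qn!r} bandwidth {q['bandwidth']} outside 0..100")
        total += q["bandwidth"]
        for svc in q["services"]:                # a service may appear in only one queue
            if svc in owner:
                problems.append(f"service {svc!r} is in both {owner[svc]!r} and {qn!r}")
            owner.setdefault(svc, qn)
    if total > 100:
        problems.append(f"allocated bandwidth totals {total}%, more than 100%")
    return problems


def remaining_bandwidth(profile):
    """The window's read-only Remaining bandwidth value."""
    return 100 - sum(q["bandwidth"] for q in profile["queues"])


def select_queue(profile, services, pkt):
    """pkt = (proto, src_port, dst_port) of a packet leaving the interface.
    Matching looks at ports only (no application-layer state); either port may be
    the service port, so replies leaving the other interface match too. Overlaps
    between services are resolved by queue priority here (an assumption)."""
    proto, sport, dport = pkt
    for q in sorted(profile["queues"], key=lambda q: -q["priority"]):
        for svc_name in q["services"]:
            svc = services[svc_name]
            if svc["proto"] == proto and any(lo <= p <= hi
                                             for lo, hi in svc["ports"] for p in (sport, dport)):
                return q["name"]
    return DEFAULT_QUEUE


def add_service(profile, queue_name, svc_name):
    """Copy of profile with svc_name added to queue_name (the fix for dynamic ports)."""
    new = copy.deepcopy(profile)
    next(q for q in new["queues"] if q["name"] == queue_name)["services"].append(svc_name)
    return new
```

With PROFILE as defined, the FTP control packet (client port 51000 to port 21) selects ftpctl while the passive data packet (51001 to 60123) falls to the default queue; after `add_service(PROFILE, "ftpctl", "ftpdata")` both select ftpctl. The caveat from the text shows up too: with ftpdata present, an HTTP request from an ephemeral source port in 49152 to 65535 now matches two services, and only the priority ordering keeps it in the web queue.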
Creating Quality of Service profiles
Use the Quality of Service window to define Quality of Service (QoS) profiles that contain one or more queues that you can use to prioritize network performance based on network traffic type.
Figure 113 Quality of Service window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Quality of Service node. The Quality of Service window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Object Name — Specify the name of this Quality of Service network object.
• Remaining bandwidth — [Read-only] Displays the percentage of bandwidth that is still available to be allocated in this profile. This amount is calculated automatically as 100 minus the total of all of the percentages listed in the Allocated Bandwidth column.
• Profile Name — Specify the unique name of this QoS profile. You can specify up to seven characters. This value is automatically populated with the value that you specified in the Object Name field as soon as you move out of that field. However, if the Object Name value is longer than seven characters, you must edit the value in this Profile Name field.
Note: For version 7.0.1 and later firewalls, you cannot use the following characters in your profile name: dash (-), period (.), and underscore (_).
• Description — Specify a more detailed description of the profile.
• Queue Name — Specify the name of this queue. This queue name cannot be longer than seven characters. For version 7.0.1 and later firewalls, only alphanumeric characters can be used.
• Priority — Specify the priority value for this queue. The range is 0 to 7, with 0 representing the lowest priority and 7 the highest. This value determines the order in which the queue is processed relative to the other queues in the profile. Higher-priority queues are processed first, which results in lower latency for their traffic.
• Allocated Bandwidth — Specify the percentage of the available bandwidth that is dedicated to the queue. The available bandwidth for a QoS profile is determined by the link speed of the network interface with which it is associated. The range is 0 to 100. The combined sum of this column for all of the queues cannot exceed 100.
• Services — Specify the types of traffic to which this queue applies. Queues cannot share services; that is, each service can be selected only once among all of the queues in this profile. You cannot type values directly in this field. Select them from the services list by clicking the down arrow. You can then either use the Find field (see below) to filter the list or scroll through the list manually and select one or more services. Click outside of this field to close the list when you have completed your selection.
• Find — Use the Find field to search for specific values. Specify part or all of the service name for which you want to search and click Find. Any values that match the search text are highlighted. Select one or more services.
• Can Borrow — Determines whether the queue can borrow bandwidth from the other queues in this profile after it exhausts its own allocated bandwidth.
• Description — Specify additional information about this queue.
• Delete — Click x (Delete) in the row to be deleted. The Quality of Service queue is deleted after you click OK.
Note: Each profile contains a default queue that cannot be deleted or renamed.
The default queue processes all packets that do not match any of the queues that you have explicitly defined. However, you can modify the values in the Priority, Allocated Bandwidth, and Can Borrow fields for this default queue to control how QoS allocates bandwidth for services that are not included in the custom queues.
• OK — Saves the changes that were made in this window.
• Cancel — Closes this window without saving any changes.
• Versions — Click this button to view all of the fields in this window that have version-specific availability. You can also view this same information at the field level by holding your mouse over the version level icon and viewing the ToolTip.
DNS zones
A typical IPv4 address looks something like 192.168.237.114. This dotted decimal address suits computers, whose language is numbers. For humans, however, remembering a numeric address for every computer to which they wish to connect is very cumbersome, if not impossible. What is needed is a system in which human-recognizable patterns can be used to represent IP addresses. This is where the Domain Name System comes in.
Domains, nodes, hosts, and the name space
For the purpose of administration, an IP network can be organized into logical partitions called domains. On the Internet, for example, there are separate domains for government information (.gov), educational information (.edu), and commercial information (.com), to name just a few. The partitioning starts at what is called the root domain. All domains directly under the root domain (that is, children of the root) are called top-level domains. Top-level domains can be partitioned into subdomains, called second-level domains; second-level domains can in turn be partitioned into third-level domains; and so on.
The Name part of Domain Name comes from the original need to create a mnemonic for IP addresses. Each domain and subdomain in the tree has a name assigned to it. Putting these concepts together results in something that looks like the following diagram:
Figure 114 Sample of the DNS name space of the Internet
In this figure (Figure 114), the following characteristics can be pointed out:
• com, edu, and gov are top-level domains. yahoo.com, microsoft.com, berkeley.edu, mit.edu, nasa.gov, and irs.gov are second-level domains. ssl.berkeley.edu is a third-level domain.
• A node is any dot in the figure.
• A domain includes the node that defines the domain and all subdomains under that node. For instance, yahoo.com and microsoft.com are part of the com domain even though yahoo.com and microsoft.com are domains themselves.
• The nodes with circles are host names. www is a host name in the yahoo.com, berkeley.edu, and nasa.gov domains. setiathome is a host name in the ssl.berkeley.edu domain.
• A fully qualified domain name (FQDN) is obtained by adding the host name to the domain name, as in www.yahoo.com. Strictly speaking, to be an FQDN a name must also specify the root domain as a dot (.) on the end, for instance www.yahoo.com. (with the trailing dot).

Domain Name System (DNS)
After the logical structure and its rules were defined, a mechanism to manage the name-to-address mapping was created. For this purpose, a distributed database that is indexed by domain names exists. This distributed database maps a host name to an IP address using all the components of the appropriate domain name. The computers that contain portions of the database are called name servers. A name server can contain the actual name-to-address mapping of some hosts. It can also contain pointers to other name servers that contain the name-to-address mapping of other hosts.
Domains versus zones
Each domain or subdomain can be divided into appropriate pieces to administer that part of the name space. To illustrate this, look at the edu domain in the figure above. The organization that is responsible for the edu domain has broken it up into the subdomains berkeley.edu and mit.edu. The administrators at Berkeley and MIT are now able to administer the name space for those universities as needed. Even so, the edu organization is still responsible for the part of the distributed database that maps the edu domain. Rather than loading the whole edu name space into the name servers of the edu organization, the edu organization can create zones. It might create an edu zone, a berkeley.edu zone, and an mit.edu zone. In this case, the edu zone does not contain any of the name-to-address mapping for Berkeley or MIT, only pointers to the name servers at Berkeley and MIT that contain the needed mapping.
Now, suppose that the administrators at Berkeley do not wish to hold the name-to-address mapping of the ssl.berkeley.edu domain on the main berkeley.edu name servers. They can, in turn, create another zone within their organization: the ssl.berkeley.edu zone. With this zone created, the main berkeley.edu name servers need contain only pointers to the ssl.berkeley.edu name servers for that part of the name space. These ideas are shown in the next figure (Figure 115).
Figure 115 Possible zones of the sample edu domain
Notice that the ssl.berkeley.edu zone is in the berkeley.edu domain but is separate from the berkeley.edu zone. The DNS name servers for a particular part of the name space can manage one or more zones.
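To make the domain-versus-zone distinction concrete, here is an added Python model (not from this guide) of the zones in Figure 115: each zone holds only the mappings it is authoritative for plus NS pointers to the zones cut out beneath it, and a lookup walks those pointers from the edu zone down to the zone that actually answers. The zone splits and host names follow the figure; the name server names and all addresses are constructed for the example.

```python
"""Added example (not from the McAfee guide): a toy model of the zones in Figure 115.
It shows the difference between a domain and a zone by walking NS pointers from the
edu zone down to the zone that actually holds a name's address. The zone splits and
host names follow the figure; server names and addresses are constructed."""
from typing import Dict, List, Optional, Tuple

# Each zone holds only the mappings it is authoritative for, plus NS pointers to the
# name servers of the zones cut out beneath it (with glue A records for those servers).
# Format: zone name -> list of (owner, type, data). All addresses are made up.
ZONES: Dict[str, List[Tuple[str, str, str]]] = {
    "edu": [
        ("berkeley.edu", "NS", "ns.berkeley.edu"),
        ("ns.berkeley.edu", "A", "192.0.2.10"),      # glue for the delegated server
        ("mit.edu", "NS", "ns.mit.edu"),
        ("ns.mit.edu", "A", "192.0.2.20"),
    ],
    "berkeley.edu": [
        ("www.berkeley.edu", "A", "192.0.2.11"),
        ("ssl.berkeley.edu", "NS", "ns.ssl.berkeley.edu"),   # pointer only, no ssl hosts here
        ("ns.ssl.berkeley.edu", "A", "192.0.2.30"),
    ],
    "ssl.berkeley.edu": [
        ("setiathome.ssl.berkeley.edu", "A", "192.0.2.31"),
    ],
    "mit.edu": [
        ("www.mit.edu", "A", "192.0.2.21"),
    ],
}


def in_domain(name: str, domain: str) -> bool:
    """A domain contains its own node and everything below it."""
    name, domain = name.rstrip("."), domain.rstrip(".")
    return name == domain or name.endswith("." + domain)


def resolve(name: str, start_zone: str = "edu") -> Tuple[List[str], Optional[str]]:
    """Follow delegations from start_zone until the authoritative zone answers.
    Returns (zones visited in order, address); address is None for a negative answer."""
    name = name.rstrip(".")
    if not in_domain(name, start_zone):
        raise ValueError(f"{name} is not under the {start_zone} domain")
    zone, visited = start_zone, []
    while zone not in visited:
        visited.append(zone)
        # Delegations in this zone that cover the name; the most specific one wins.
        cuts = [owner for owner, rtype, _ in ZONES[zone]
                if rtype == "NS" and owner != zone and in_domain(name, owner) and owner in ZONES]
        if cuts:
            zone = max(cuts, key=len)
            continue
        addrs = [data for owner, rtype, data in ZONES[zone] if owner == name and rtype == "A"]
        return visited, (addrs[0] if addrs else None)
    raise RuntimeError(f"delegation loop at {zone}")


def authoritative_zone(name: str) -> str:
    """The zone that holds (or would hold) the record for name: the last zone visited."""
    return resolve(name)[0][-1]


if __name__ == "__main__":
    for host in ("www.berkeley.edu", "setiathome.ssl.berkeley.edu", "nosuch.mit.edu"):
        path, addr = resolve(host)
        print(f"{host}: {' -> '.join(path)} => {addr or 'no such host'}")
    # ssl.berkeley.edu is inside the berkeley.edu domain but is its own zone
    print(in_domain("setiathome.ssl.berkeley.edu", "berkeley.edu"),
          authoritative_zone("setiathome.ssl.berkeley.edu"))
```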
Configuring DNS zones
Use the DNS Zone Manager window to configure DNS zone objects. These objects can be selected when you choose the Hosted Single Server or Hosted Split Server DNS configuration for a firewall in the DNS area of the Firewall window. For general information about DNS, see DNS zones on page 312.
Figure 116 DNS Zone Manager window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Object Name — Specify the name of the DNS zone object.
• Domain Name — Specify the domain name of the new zone for which the firewall is authoritative. For the purposes of this field, the zone name is the same as the domain name, although the zone does not always incorporate the entire domain.
• Description — Provide information about the DNS Zone object being created.
• OK — Save the changes that were made on all of the tabs in this window.
• Cancel — Close this window without saving any changes.
Tabs
This window has the following tabs:
• Configuration — Specify the zone type and configure properties particular to each type. For more information, see DNS Zone Manager window: Configuration tab on page 316.
• Advanced Configuration — [Available only if the value of the Zone Type field is Master or Slave] Specify properties that affect the name server's interaction with other devices (for example, enabling notification of zone changes and identifying the hosts allowed to query the name server or request zone transfers). For more information, see DNS Zone Manager window: Advanced Configuration tab on page 318.
• Resource Records — [Available only if the value of the Zone Type field is Master] Specify the resource record types that are most commonly used on the firewall. For more information, see DNS Zone Manager window: Resource Records tab on page 319.

DNS Zone Manager window: Configuration tab
Use the Configuration tab of the DNS Zone Manager window to specify the type of zone and configure properties associated with the selected zone type. To view the fields on the Configuration tab, see Figure 116 on page 315.
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.
3 Make sure that the Configuration tab is selected.
Fields and buttons
This tab has the following fields and buttons:
• Zone Type — Indicates whether the zone is configured as Master, Slave, or Forward. Fields and controls vary according to the selected zone type.
  • Master — Indicates that the name server is the master of the zone (authoritative). When this option is selected, the following fields are available:
    • Notify other servers — Specify other name servers that should be notified when the zone information is updated. This ensures that zone changes on the master are propagated to the slaves.
      This field is not visible in the McAfee Firewall Enterprise Admin Console. Values specified here will be lost if you subsequently use the Admin Console to modify the configuration.
    • Allow Transfer — Specify any hosts and/or networks that are permitted to make zone transfers.
    • Name server advertisement — Specify the host name or fully qualified domain name to be used for the firewall system as the name server in this domain.
    • Contact person — Specify the e-mail address of the person responsible for managing the zone. Use the following format to specify the address: admin_name.domain_name.
    • Serial Number — [Read-only] Displays a number that is used by slave name servers to keep their zone data up to date. This number is generated and maintained by the master name server.
    • Reverse Zone — Determines whether the zone is a reverse lookup zone. This checkbox is cleared by default. If you select this option, you can use the Resource Records tab of this window to add PTR resource records.
    • Generate PTR Records — Determines whether PTR resource records are generated automatically. This checkbox is cleared by default. Selecting this option enables the following fields:
      • Network — Specify the networks that are contained by this zone. Networks are specified using Classless Inter-Domain Routing (CIDR) notation: the network part of the IP address, followed by a forward slash, followed by the number of bits in the mask (for example, 10.0.0.0/8).
      • Reverse Zone Name — Indicates the host name portion of the in-addr.arpa domain name. This field is filled in automatically when you make changes to and then exit the corresponding Network field. Check the value to ensure that it is correct. The firewall uses the information in this field to create a PTR type resource record.
    The following fields require a time period. Specify data in these fields in the form of a number followed by a letter (for example, 4d). The letter has the following significance: s = seconds (default), m = minutes, h = hours, d = days.
    • Default time-to-live — Specify the amount of time that resource records may remain cached on non-authoritative servers. The default value is four days (4d). When a query is answered by this name server, the external name server that initiated the query caches the resource records that resolved the query. External name servers are not authoritative for this zone, however, and must not keep the resource records forever. This value is overridden by any time-to-live value specified in the resource record. This field is not visible in the McAfee Firewall Enterprise Admin Console. The value specified here will be lost if you subsequently use the Admin Console to modify the configuration.
    • SOA time-to-live — Specify the amount of time that a Start Of Authority resource record may remain cached on non-authoritative servers.
      The default value is three hours (3h). External name servers send queries to obtain the name of the authoritative name server in a zone. When the firewall answers the query, the external name server that initiated the query caches the SOA resource record. External name servers are not authoritative for this zone, however, and must not keep the SOA resource record forever. This field is not visible in the Admin Console. The value specified here will be lost if you subsequently use the Admin Console to modify the configuration.
    • Negative response time-to-live — Specify the amount of time that a negative response may remain cached on non-authoritative servers. The default value is one day (1d). If the firewall responds negatively to a query from an external name server (for example, because the sought-after host does not exist), the external name server caches this information for future reference. External name servers are not authoritative for this zone, however, and must not keep the negative response forever.
    • Expiration — Specify the amount of time before a slave name server should expire its zone data in a failed connection situation. The default value is 15 days (15d). If this expiration point is reached, the slave name server no longer answers queries for this zone.
    • Refresh interval — Specify the amount of time between refreshes. The default value is 12 hours (12h). A slave name server checks at this interval to determine whether it needs to refresh its zone data from the master name server.
    • Retry interval — Specify the time interval between retries in a failed connection situation. The default value is two hours (2h). If a slave name server is unable to reach the master name server to refresh its zone data, it waits this amount of time before it tries again.
  • Slave — Indicates that the name server is a slave in the zone. When this option is selected, the following fields are available:
    • Other authoritative servers — This field is visible only when the value selected in the Zone Type field is Slave. Use it to specify the name servers that can be used for zone transfers. If more than one name server is listed, the first in the list has the highest priority.
    • Reverse Zone — Determines whether the zone is a reverse lookup zone. This checkbox is cleared by default. If you select this option, you can use the Resource Records tab of this window to add PTR resource records.
    • Generate PTR Records — Determines whether PTR resource records are generated automatically. This checkbox is cleared by default. Selecting this option enables the following fields:
      • Network — Specify the networks that are contained by this zone. Networks are specified using Classless Inter-Domain Routing (CIDR) notation: the network part of the IP address, followed by a forward slash, followed by the number of bits in the mask (for example, 10.0.0.0/8).
      • Reverse Zone Name — Indicates the host name portion of the in-addr.arpa domain name. This field is filled in automatically when you make changes to and then exit the corresponding Network field. Check the value to ensure that it is correct. The firewall uses the information in this field to create a PTR type resource record.
  • Forward — Indicates that queries for names in the zone are forwarded to another name server.
    When this option is selected, the following field is available:
    • Forwarders — Specify one or more forwarders for the zone.

DNS Zone Manager window: Advanced Configuration tab
Use the Advanced Configuration tab of the DNS Zone Manager window to configure properties that affect the name server's interaction with other devices.
Note: This tab is accessible only if the value of the Zone Type field selected on the Configuration tab of the DNS Zone Manager window is Master or Slave.
Figure 117 DNS Zone Manager window: Advanced Configuration tab
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.
3 Make sure that the value for the Zone Type field on the Configuration tab is set to either Master or Slave.
4 Select the Advanced Configuration tab. The Advanced Configuration tab of the DNS Zone Manager window is displayed.
Fields and buttons
This tab has the following fields and buttons:
• Enable notify — Determines whether the master server notifies all slave servers when the zone changes. This checkbox is selected by default.
• allow-query — Specify particular hosts that are allowed to query the zone. If none are selected, all requesters are authorized.
• allow-update — Specify particular hosts that are allowed to update the zone. This field is valid only for master zones. If this field is left blank, updates are not allowed from any host.

DNS Zone Manager window: Resource Records tab
Use the Resource Records tab of the DNS Zone Manager window to specify the resource record types that are most commonly used on the firewall. For more information about record types, see Resource record types on page 320.
Note: This tab is accessible only if the value for the Zone Type field on the Configuration tab of the DNS Zone Manager window is set to Master.
Figure 118 DNS Zone Manager window: Resource Records tab
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the DNS Zones node. The DNS Zone Manager window is displayed.
3 Make sure that the value for the Zone Type field on the Configuration tab is set to Master.
4 Select the Resource Records tab. The Resource Records tab is displayed.
Fields and buttons
This tab has the following fields and buttons:
• Type — Specify the type of the resource record.
• Name — Specify the name of the resource record. A resource record without a value in its Name field takes the name of the preceding record. The NS (Name Server) record that is created automatically by the firewall is at the top of the list but has no name; consequently, it takes the name of the SOA (Start of Authority) record, which is also created automatically by the firewall but is not shown on the Resource Records tab of the DNS Zone Manager window. For an example of resource records, see Resource record types on page 320. If you change the order of the resource records in the table, make sure that unnamed records are placed in a position that gives them the desired name.
• Time to Live — Specify the time to live (TTL) encoded in the resource record, if any.
• Data — Specify the data encoded in the resource record.
• Enabled — Determines whether the resource record is enabled.
• Navigation arrows — Use the move up and move down arrows to change the order of a resource record in this table.

Resource record types
Resource record types are used when configuring the records associated with a particular zone in the DNS Zone Manager window. The following table lists the resource record types that are most commonly used on the firewall.
Note: The following resource record types defined in the table are not supported by the McAfee Firewall Enterprise Admin Console:
• AAAA
• LOC
• RP
• SRV
Resource records follow the general format:
owner TTL class type data
or
owner class TTL type data
For the purpose of this example, class is always IN for Internet; TTL, or time-to-live, is optional; owner is also sometimes called name.
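As an added illustration (not the firewall's own code) of the Configuration tab fields and the record rules above, the following Python renders a zone in the owner/TTL/class/type/data format: it converts the number-plus-letter time periods, builds the SOA from the tab's timers, applies the blank-Name inheritance rule to the rows of Table 14 on page 321, and generates PTR records for a CIDR network as the Generate PTR Records option does. The zone name example.net, the serial number and the network 10.1.0.0/24 are assumptions made for the example.

```python
"""Added example, not McAfee's own code: a model of what the DNS Zone Manager settings
produce. It converts Configuration tab time periods (number + s/m/h/d), builds the SOA,
applies the rule that a record with an empty Name takes the preceding record's name,
and generates PTR records for a CIDR network. example.net, the serial and the network
10.1.0.0/24 are constructed for the example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Configuration tab time periods: a number followed by s, m, h or d (s is the default).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_period(text: str) -> int:
    """Convert '4d', '3h', '12h' or a bare '600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip().lower())
    if not m:
        raise ValueError(f"bad time period: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]

def reverse_zone_name(cidr: str) -> str:
    """in-addr.arpa zone for an IPv4 network on an octet boundary: 10.0.0.0/8 -> 10.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)    # rejects host bits set, e.g. 10.1.0.5/24
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 networks with a /8, /16 or /24 mask are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

@dataclass
class Record:
    """One row of the Resource Records tab; Name may be blank and TTL is optional."""
    name: str
    rtype: str
    data: str
    ttl: str = ""
    enabled: bool = True

def resolve_names(zone: str, rows: Sequence[Record]) -> List[Tuple[str, Record]]:
    """A blank Name inherits the previous record's name. The auto-created NS record at the
    top inherits the SOA owner, which is the zone's Domain Name (written as an FQDN)."""
    resolved, current = [], zone + "."
    for r in rows:
        if r.name.strip():
            current = r.name.strip()
        resolved.append((current, r))
    return resolved

def render_zone(zone: str, ns_host: str, contact: str, serial: int, rows: Sequence[Record] = (),
                refresh: str = "12h", retry: str = "2h", expire: str = "15d",
                neg_ttl: str = "1d", default_ttl: str = "4d",
                ptr_network: Optional[str] = None) -> List[str]:
    """Emit 'owner TTL class type data' lines: $TTL, the SOA with the tab's timers, the
    enabled rows, then a PTR for every enabled A record whose address is in ptr_network."""
    soa = (f"{zone}. IN SOA {ns_host}.{zone}. {contact}. ( {serial} "
           f"{parse_period(refresh)} {parse_period(retry)} {parse_period(expire)} "
           f"{parse_period(neg_ttl)} )")
    lines = [f"$TTL {parse_period(default_ttl)}", soa]
    net = ipaddress.ip_network(ptr_network, strict=True) if ptr_network else None
    ptrs: List[str] = []
    for owner, r in resolve_names(zone, rows):
        if not r.enabled:
            continue
        ttl = f"{parse_period(r.ttl)} " if r.ttl else ""       # per-record TTL overrides $TTL
        lines.append(f"{owner} {ttl}IN {r.rtype} {r.data}")
        if net is not None and r.rtype == "A" and ipaddress.ip_address(r.data) in net:
            host_part = r.data.split(".")[net.prefixlen // 8:]   # octets after the network part
            fqdn = owner if owner.endswith(".") else f"{owner}.{zone}."
            ptrs.append(f"{'.'.join(reversed(host_part))}.{reverse_zone_name(ptr_network)}."
                        f" IN PTR {fqdn}")
    return lines + ptrs

# The rows of Table 14 as entered on the Resource Records tab (Name blank for entries 1 and 2).
TABLE14_ROWS = [
    Record("", "NS", "nameserver"),
    Record("", "MX", "10 mailserver1"),
    Record("nameserver", "A", "10.1.0.2"),
    Record("mailserver1", "A", "10.1.0.3"),
    Record("www", "A", "10.1.0.3"),
    Record("mail", "CNAME", "mailserver1"),
    Record("ftp", "CNAME", "www"),
]

def table14_zone() -> List[str]:
    """Table 14 rendered for a zone named example.net with the tab's default timers."""
    return render_zone("example.net", "nameserver", "admin.example.net", 2009010101,
                       TABLE14_ROWS, ptr_network="10.1.0.0/24")

if __name__ == "__main__":
    print("\n".join(table14_zone()))
```

Two A records for 10.1.0.3 yield two PTR records for that address, which is exactly the case to check in the generated Reverse Zone Name before accepting it.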
Table 13 Resource record types
(Columns: Type; Owner (Name); Data; Purpose. Types marked * are generated by the firewall; see the note after the table.)

*PTR (Pointer)
  Owner (Name): the reverse zone name
  Data: the zone's domain name or the fully qualified domain name of a host
  Purpose: used for the address-to-name mapping that is needed to find a host name given an IP address
*SOA (Start of Authority)
  Owner (Name): the zone's domain name
  Data: master name server information
  Purpose: indicates to other name servers that this name server is authoritative for the zone
A (Address)
  Owner (Name): the fully qualified domain name of a host
  Data: IP address
  Purpose: maps fully qualified domain names to IP addresses
AAAA (IPv6 Address)
  Owner (Name): the fully qualified domain name of a host
  Data: IPv6 address
  Purpose: maps fully qualified domain names to IPv6 addresses
CNAME (Canonical Name)
  Owner (Name): an alias fully qualified domain name
  Data: the real fully qualified domain name
  Purpose: creates an alias for a particular host
HINFO (Host Information)
  Owner (Name): the fully qualified domain name of a host
  Data: a pair of strings identifying the host's hardware type and operating system
  Purpose: specifies the machine name and operating system name for a host
LOC (Location)
  Owner (Name): the fully qualified domain name of a host
  Data: latitude, longitude, and altitude
  Purpose: specifies the physical location of a host on the planet
MX (Mail Exchanger)
  Owner (Name): the zone's domain name
  Data: a preference number and the fully qualified domain name of the mail server
  Purpose: specifies the mail exchange servers that are available for a zone
NS (Name Server)
  Owner (Name): the zone's domain name
  Data: the fully qualified domain name of the name server
  Purpose: specifies an authoritative name server for the zone
RP (Responsible Person)
  Owner (Name): the zone's domain name or the fully qualified domain name of a host
  Data: the e-mail address (in domain name format) and the fully qualified domain name of a host with additional information (in TXT records)
  Purpose: indicates who is responsible for a host or zone
SRV (Service)
  Owner (Name): the service and protocol name followed by the host name
  Data: priority, weight, port number, and fully qualified domain name for the host that carries the service
  Purpose: maps a service like FTP or HTTP to one or more hosts; the hosts can be given priority and weight to facilitate load distribution
TXT (Text)
  Owner (Name): the fully qualified domain name of a host
  Data: text strings
  Purpose: presents textual information about a host
* SOA records are generated automatically by the firewall.
PTR records are generated if you select the Generate PTR Records checkbox on the Configuration tab of the DNS Zone Manager window, or they are allowed if you select the Reverse Zone checkbox on that tab.

Resource record example
The following example should be used as a guide when creating or defining resource records.
Caution: A resource record without a value in its Name field takes the name of the preceding record. The NS (Name Server) record that is created automatically by the firewall is at the top of the list but has no name; consequently, it takes the name of the SOA (Start of Authority) record, which is also created automatically by the firewall but is not shown on the Resource Records tab of the DNS Zone Manager window. The name of the SOA record is obtained from the Domain Name and Name server advertisement parameters that are set on the Configuration tab of the DNS Zone Manager window.
The following table shows an example of resource records.
Table 14 Resource records example
Order  Name         Type   Data            TTL  Enabled
1                   NS     nameserver
2                   MX     10 mailserver1
3      nameserver   A      10.1.0.2
4      mailserver1  A      10.1.0.3
5      www          A      10.1.0.3
6      mail         CNAME  mailserver1
7      ftp          CNAME  www
Notice that the NS record in entry 1 does not have a name; therefore, it takes the name of the SOA record that is created by the firewall. The MX record in entry 2 takes the name of the NS record in entry 1. If you change the order of the resource records in the table, make sure that unnamed records are placed in a position that gives them the desired name.

Scheduled jobs
You can schedule jobs to perform routine maintenance tasks on a firewall. These tasks include exporting audit log files, installing or rolling back software updates, downloading available patches, checking the status of licenses, and updating Virus Scan and IPS (Intrusion Prevention System) signature files. Scheduled jobs are run by the cron daemon.
Scheduling jobs
Use the Scheduled Jobs window to schedule jobs that perform routine maintenance tasks on a firewall: identify the tasks, the commands to run, and the schedule for running them. You can select the frequency with which jobs are run (for example, hourly, daily, weekly), or you can create a custom schedule for running them (for example, check system audit partition use at five minutes past every hour of every day).
Figure 119 Scheduled Jobs window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Scheduled Jobs node. The Scheduled Jobs window is displayed.
Fields and buttons
• Name — Specify the name of the individual job.
• Description — Provide a description of the individual job.
• OK — Save the changes that have been made on all of the tabs in this window.
• Cancel — Close this window without saving any changes.
Tabs
This window has the following tabs:
• Firewall Crontab — Select the jobs to be scheduled and the frequency at which they are run. See Scheduled Jobs window: Firewall Crontab tab on page 323.
• Scheduled Backup — Schedule automatic configuration backups. See Scheduled Jobs window: Scheduled Backup tab on page 324.

Scheduled Jobs window: Firewall Crontab tab
Use the Firewall Crontab tab of the Scheduled Jobs window to select the jobs to be scheduled and the frequency at which they are run. Each job must be defined so that it can run at multiple, discrete times throughout the year; one-time tasks cannot be scheduled. To view the fields on this tab, see Figure 119 on page 322.
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Scheduled Jobs node. The Scheduled Jobs window is displayed.
3 Make sure that the Firewall Crontab tab is selected.
Fields and buttons
This tab has the following fields and buttons:
• Enabled — Determines whether the job is enabled. This checkbox is cleared by default. To enable the job, select this checkbox. You can also double-click any row to display the Custom Job Schedule window, in which you can specify a unique schedule.
  Note: You cannot delete default cron jobs. If you clear this checkbox, the job is not run on the firewall.
• Name — [Read-only for default cron jobs only] Displays a label for the scheduled job.
• Command — Specify the command to be run.
• Frequency — Specify the frequency with which the job is to be run.
  The following options are available:
  • Bimonthly
  • Monthly
  • Weekly
  • Daily
  • Hourly
  • Custom — If you select this value, you can double-click this row to display the Custom Job Schedule window, in which you can specify a schedule that is particular to the needs of your site.
• Custom Frequency — Displays a frequency that you have defined in the Custom Job Schedule window.
• Description — Specifies a description for the job.
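The jobs on this tab are run by the cron daemon, and a Custom schedule is written in its five-field crontab syntax. The following Python, added here and not part of the product, parses such a line, tests a timestamp against it and finds the next run; the mapping from the fixed Frequency choices to crontab lines is my own reading of them, and Bimonthly, which the text does not define, is left out.

```python
"""Added example, not McAfee's code: a matcher for the five-field UNIX crontab syntax
used by the cron daemon that runs the jobs on the Firewall Crontab tab, plus the crontab
lines I take the tab's fixed Frequency choices to correspond to (an assumption; Bimonthly
is not defined in the text and is left out)."""
from datetime import datetime, timedelta
from typing import Optional, Set

# Field order in a crontab line and the value range of each field.
_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))   # minute hour dom month dow


def _expand(field: str, lo: int, hi: int) -> Set[int]:
    """Expand one field: '*', '5', '1-5', '*/15', '1,15', '1-5/2', '5/10'."""
    values: Set[int] = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step_n = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(rng)
            if step:                          # '5/10' means 5, 15, 25, ... up to hi
                end = hi
        if step_n < 1 or not lo <= start <= end <= hi:
            raise ValueError(f"bad crontab field {field!r}")
        values.update(range(start, end + 1, step_n))
    return values


class CronSpec:
    """A parsed 'minute hour day-of-month month day-of-week' line."""

    def __init__(self, spec: str):
        fields = spec.split()
        if len(fields) != 5:
            raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
        self.minute, self.hour, self.dom, self.month, self.dow = (
            _expand(f, lo, hi) for f, (lo, hi) in zip(fields, _RANGES))
        if 7 in self.dow:                     # cron accepts both 0 and 7 for Sunday
            self.dow = (self.dow - {7}) | {0}
        # Standard cron rule: if BOTH day fields are restricted, a day matches when EITHER does.
        self.day_either = fields[2] != "*" and fields[4] != "*"

    def matches(self, when: datetime) -> bool:
        cron_dow = (when.weekday() + 1) % 7   # Python: Monday=0; cron: Sunday=0
        dom_ok, dow_ok = when.day in self.dom, cron_dow in self.dow
        day_ok = (dom_ok or dow_ok) if self.day_either else (dom_ok and dow_ok)
        return (when.minute in self.minute and when.hour in self.hour
                and when.month in self.month and day_ok)

    def next_run(self, after: datetime, horizon_days: int = 370) -> datetime:
        """First matching minute strictly after 'after' (raises if none within the horizon)."""
        t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
        end = t + timedelta(days=horizon_days)
        while t < end:
            if self.matches(t):
                return t
            t += timedelta(minutes=1)
        raise ValueError(f"no run within {horizon_days} days (impossible date such as Feb 31?)")


def matches(spec: str, when: datetime) -> bool:
    return CronSpec(spec).matches(when)


def frequency_spec(frequency: str, minute: int = 0, hour: int = 0, days: Optional[str] = None) -> str:
    """Crontab line for the tab's fixed Frequency choices (my reading, not the firewall's
    own table); Weekly and Monthly need a 'days' field such as '1-5' or '1,15'."""
    if frequency == "Hourly":
        return f"{minute} * * * *"
    if frequency == "Daily":
        return f"{minute} {hour} * * *"
    if frequency in ("Weekly", "Monthly"):
        if not days:
            raise ValueError(f"{frequency} needs a days field")
        return f"{minute} {hour} * * {days}" if frequency == "Weekly" else f"{minute} {hour} {days} * *"
    raise ValueError(f"unsupported or custom frequency: {frequency!r}")


if __name__ == "__main__":
    # The example from the text: check audit partition use at five minutes past every hour.
    audit = CronSpec(frequency_spec("Hourly", minute=5))
    print(audit.next_run(datetime(2009, 3, 2, 14, 0)))          # 2009-03-02 14:05:00
    nightly = CronSpec("0 2 * * 1-5")                           # 02:00 on weekdays
    print(nightly.next_run(datetime(2009, 3, 6, 2, 0)))         # Friday -> Monday 2009-03-09 02:00
```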
Scheduled Jobs window: Scheduled Backup tab
Use the Scheduled Backup tab of the Scheduled Jobs window to schedule automatic configuration backups. You can back up configuration files to the firewall, a USB flash drive, a remote system, or a remote Control Center Management Server.
Figure 120 Scheduled Jobs window: Scheduled Backup tab
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Scheduled Jobs node. The Scheduled Jobs window is displayed.
3 Select the Scheduled Backup tab.
Fields and buttons
This tab has the following fields and buttons:
• Backup Destination — Use the fields in this area to specify the destination for the backup files. The following fields are available:
  • Local McAfee Firewall Enterprise — Select this option to save the files on the firewall. The following fields are available for this selection:
    • Location — Select the option that specifies where the backup files are saved. The following options are available:
      • Disk — Select this option to save the file on the firewall.
      • USB flash drive — Select this option to save the backup file on a flash drive that is inserted into the USB port on the firewall.
    • Maintain local configuration backups — Select the option that determines the number of backup files to maintain. The following options are available:
      • Keep all backups — Select this option to keep all of the backup files.
      • Keep the last n backups — [Available only if remote backups are not enabled] Select this option to keep only the last n backups, where n is the number that you specify. When this limit is reached, the latest backup overwrites the oldest backup file.
  • Remote backup (SCP) — Select this option to save the files on a remote system. The following fields are available for this selection:
    • Username — Specify the user name of a user on the remote system. If the remote system is a firewall, this is a firewall administrator.
    • Password — Specify the password that is used to authenticate the user to the remote system. (The firewall does not save the password.)
    • Hostname — Specify the host name or IP address of the remote system.
    • Port — Specify the port on the remote system. The default value is 22.
    • Directory — Specify the directory on the remote system where the configuration files are stored. If the remote system is a firewall, the home directory of the administrator is the default value.
  • Control Center Management Server — Select this option to save the files on the Control Center Management Server. The following fields are available for this selection:
    • Username — Specify the user name of an administrator on the Control Center Management Server.
    • Keep the last n backups — Select this option to keep only the last n backups, where n is the number that you specify. When this limit is reached, the latest backup overwrites the oldest backup file.
    • Password — Specify the password that is used to authenticate the administrator to the Control Center Management Server.
• Backup Schedule — Use the fields in this area to configure the schedule for the backups. The following fields are available:
  • Frequency — Specify the frequency for exporting the file.
    The rest of the fields in this area are contingent on the value that you select. The following values are available:
    • Hourly — Indicates that the backup is run on the hour.
      • n minutes after the hour — Specify the minute after every hour at which the backup is run.
    • Daily — Indicates that the backup is run every day at the hour that you specify.
      • Randomize by up to n minutes — Indicates that the schedule can be varied by a different number of minutes every day.
    • Weekly — Indicates that the backup is run at the selected time on the selected days of the week. You can select multiple days.
      • Randomize by up to n minutes — Indicates that the schedule can be varied by a different number of minutes every selected day.
    • Monthly — Indicates that the backup is run at the selected time on the selected days of the month. You can select multiple days.
      • Randomize by up to n minutes — Indicates that the schedule can be varied by a different number of minutes every selected day.
    • Custom — Indicates that the backup is run according to a schedule that you configure. Use the values in these fields in accordance with standard UNIX crontab syntax. The following fields are available:
      • Minute — Specify the minute at which the backup is run.
      • Hour — Specify the hour at which the backup is run.
      • Day of month — Specify the day of the month on which the backup is run.
      • Month — Specify the month in which the backup is run.
      • Day of week — Specify the day of the week on which the backup is run.

Third-party updates
The firewall examines the content of a connection after it has matched a rule, as a way of providing additional security. In the Third-Party Updates window, you can specify a schedule on which the data used by the following content inspection methods is updated:
• Virus Scan — Schedule and download virus scan signature packages.
• Intrusion Prevention System (IPS) — Schedule and download IPS signature packages.
• Geo-Location — Schedule and download Geo-Location database updates.
Configuring third-party update schedules
Use the Third-Party Updates window to configure a schedule for updating Virus Scan signature files, IPS (Intrusion Prevention System) signature files, and Geo-Location network objects.
Figure 121 Third-Party Updates window
Accessing this window
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — [Required] Specifies a label used to refer to the update configuration.
• Description — Specifies information about the update configuration.
• OK — Save the changes that have been made on all of the tabs in this window.
• Cancel — Close this window without saving any changes.
Tabs
This window also has the following tabs:
• Virus Scan Signature Updates — Configure a schedule for updating Virus Scan signature files. See Third-Party Updates window: Virus Scan Signature Updates tab on page 327.
• IPS Signature Updates — Configure a schedule for updating IPS signature files. See Third-Party Updates window: IPS Signature Updates tab on page 328.
• Geo-Location Updates — Configure a schedule for updating the Geo-Location database that maps countries to IP addresses. See Third-Party Updates window: Geo-Location Updates tab on page 330.

Third-Party Updates window: Virus Scan Signature Updates tab
Use the Virus Scan Signature Updates tab of the Third-Party Updates window to establish a schedule for automatically downloading and installing updated anti-virus signature files.
To download and install updated anti-virus signatures immediately, use the Device Control window, which is accessible by selecting the Device Control option on the System menu of the Configuration Tool. To check the version number of the currently installed anti-virus signature file, use the Antivirus Patch Version Information report. This report is available by selecting Firewall Reports on the Reports menu of the Configuration Tool or the Reporting and Monitoring Tool.
To view the fields on this tab, see Figure 121 on page 326.
Accessing this tab
1 In the Configuration Tool, select the Firewall Settings group bar.
2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed.
3 Make sure that the Virus Scan Signature Updates tab is selected.
Fields and buttons This tab has the following fields and buttons: • Details — Use the fields in this area to configuration information about the virus scan signature updates. The following fields are available: • Download Site — Specify the Web site from which to download and install the anti-virus signature files. The default site is downloads.securecomputing.com. • Directory — Specify the path name of the directory on the download site from which to download and install the anti-virus signature files. The default directory is cgi-bin/avupdate. • Enable Automated Scanner Engine Updates — Determines whether updates to the anti-virus engine are automatically installed. This checkbox is cleared by default. If this checkbox is selected and an uninstalled anti-virus engine update is available, the engine update will be installed the next time that updated anti-virus signature files are installed. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 327
  • 328. Third-party updates • Enable Email Notification — Determines whether the administrator is notified about anti-virus signature updates. This checkbox is cleared by default. Selecting this checkbox enables the following field: • Recipient — Specify the e-mail address of the administrator to be notified when anti-virus signature updates have been installed (for example, admin@domain.com). • Enable Automated Download and Install — Use the fields in this area to specify the frequency at which anti-virus signature files are downloaded and installed. The following fields are available: • Frequency — Specify whether updated anti-virus signature files are downloaded and installed automatically. By default, N/A is selected. In this case, updated signature files are not automatically downloaded and installed. The following options are available: • Hourly — Indicates that signature files are updated every hour. If this option is selected, use the Time field to set to the desired time of day. • Daily — Indicates that signature files are updated every day. If this option is selected, use the Time field to set the desired time of day. • Weekly — Indicates that signature files are updated once a week. If this option is selected, use the Day and Time fields to set the desired day of the week and time. • Day — Specify the day of the week when anti-virus signature files are updated. • Time — Specify the time of day when anti-virus signature files are updated. This value is expressed in a 24-hour (official time) format, where hh:mm denotes hours:minutes. Third-Party Updates window: IPS Signature Updates tab Use the IPS Signature Updates tab of the Third-Party Updates window to establish a schedule for automatically downloading and installing updated IPS signatures. To download and install updated IPS signatures immediately, use the Device Control window. This window is accessible by selecting the Device Control option on the System menu of the Configuration Tool. 
To check the version number of the currently installed IPS signature file, use the IPS Signature Version report. This report is available by selecting Firewall Reports on the Reports menu of the Configuration Tool or Reporting and Monitoring Tool. Figure 122 Third-Party Updates window: IPS Signature Updates tab 328 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 329. Third-party updates Accessing this tab 1 In the Configuration Tool, select the Firewall Settings group bar. 2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed. 3 Select the IPS Signature Updates tab. Fields and buttons This tab has the following fields and buttons: • Details — Use the fields in this area to configuration information about the IPS signature updates. The following fields are available: • Download Site — Specify the site from which to download the updated IPS signatures. The default site is downloads.securecomputing.com. • Directory — Specify the path name of the directory from which to download the updated IPS signatures. The default directory is cgi-bin/sigupdate.py. • Enable Email Notification — Determines whether the administrator is notified about IPS signature updates. This checkbox is cleared by default. Selecting this checkbox enables the following field: • Recipient — Specifies the e-mail address of the administrator to be notified when updated IPS signatures have been installed (for example, admin@domain.com). • Enable Email Notification — Determines whether the administrator is notified about IPS signature updates. This checkbox is cleared by default. Selecting this checkbox enables the following field: • Recipient — Specify the e-mail address of the administrator to be notified when IPS signature updates have been installed (for example, admin@domain.com). • Enable Automated Download and Install — Use the fields in this area to specify the frequency at which IPS signature files are downloaded and installed. The following fields are available: • Frequency — Specify whether updated IPS signature files are downloaded and installed automatically. By default, N/A is selected. In this case, updated signature files are not automatically downloaded and installed. The following options are available: • Hourly — Indicates that signature files are updated every hour. 
If this option is selected, use the Time field to set to the desired time of day. • Daily — Indicates that signature files are updated every day. If this option is selected, use the Time field to set the desired time of day. • Weekly — Indicates that signature files are updated once a week. If this option is selected, use the Day and Time fields to set the desired day of the week and time. • Day — Specify the day of the week when IPS signature files are updated. • Time — Specify the time of day when IPS signature files are updated. This value is expressed in a 24-hour (official time) format, where hh:mm denotes hours:minutes. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 329
  • 330. Third-party updates Third-Party Updates window: Geo-Location Updates tab Use the Geo-Location Updates tab of the Third-Party Updates window to update the Geo-Location database with the latest country IP information. You can also schedule automatic updates and configure e-mail to notify you when updates are downloaded and installed. To download and install Geo-Location database updates immediately, use the Device Control window. This window is accessible by selecting the Device Control option on the System menu of the Configuration Tool. To check the version number of the currently installed Geo-Location file, use the Geo-Location Version report. This report is available by selecting Firewall Reports on the Reports menu of the Configuration Tool or Reporting and Monitoring Tool. Figure 123 Third-Party Updates window: Geo-Location Updates tab Accessing this tab 1 In the Configuration Tool, select the Firewall Settings group bar. 2 Double-click the Third-Party Updates node in the tree. The Third-Party Updates window is displayed. 3 Select the Geo-Location Updates tab. Fields and buttons This tab has the following fields and buttons: • Details — Use the fields in this area to configuration information about the IPS signature updates. The following fields are available: • Download Site — Specify the Web site from which to download and install the Geo-Location files. The default site is downloads.securecomputing.com. • Directory — Specify the path name of the directory on the download site from which to download and install the Geo-Location files. The default directory is cgi-bin/geoupdate.py. • Enable Email Notification — Determines whether the administrator is notified about Geo-Location updates. This checkbox is cleared by default. Selecting this checkbox enables the following field: • Recipient — Specifies the e-mail address of the administrator to be notified when Geo-Location updates have been installed (for example, admin@domain.com). 
• Enable Email Notification — Determines whether the administrator is notified about IPS signature updates. This checkbox is cleared by default. Selecting this checkbox enables the following field: • Recipient — Specify the e-mail address of the administrator to be notified when IPS signature updates have been installed (for example, admin@domain.com). 330 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 331. Software update package status • Enable Automated Download and Install — Use the fields in this area to specify the frequency at which Geo-Location files are downloaded and installed. The following fields are available: • Frequency — Specify whether updated Geo-Location files are downloaded and installed automatically. By default, N/A is selected. In this case, updated signature files are not automatically downloaded and installed. The following options are available: • Hourly — Indicates that Geo-Location files are updated every hour. If this option is selected, use the Time field to set to the desired time of day. • Daily — Indicates that Geo-Location files are updated every day. If this option is selected, use the Time field to set the desired time of day. • Weekly — Indicates that Geo-Location files are updated once a week. If this option is selected, use the Day and Time fields to set the desired day of the week and time. • Day — Specify the day of the week when Geo-Location signature files are updated. • Time — Specify the time of day when Geo-Location signature files are updated. This value is expressed in a 24-hour (official time) format, where hh:mm denotes hours:minutes. Software update package status You can create a schedule on the Control Center to check for the availability of packages on the Secure Computing Corporation download site by using the Package Load Configuration window. Establishing a schedule to check for software updates Use the Package Load Configuration window to establish a schedule to check for the availability of packages on the Secure Computing Corporation download site and to download them to a firewall. You can then use the Software Updates Tool to schedule downloaded packages for installation on the firewall. Figure 124 Package Load Configuration window Accessing this window 1 In the Configuration Tool, select the Firewall Settings group bar. 2 Double-click the Package Load node in the tree. 
The Package Load Configuration window is displayed. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 331
  • 332. Software update package status Fields and buttons This window has the following fields and buttons: • Name — [Required} Specify a label used to identify the package load configuration. • Description — Provide information about the package load configuration. • Automatically check for and load packages — Determines whether to automatically check for available packages and download them to the firewall. This checkbox is cleared by default. • Automatically check for available packages — Determines whether to automatically check for available packages. This checkbox is cleared by default. If you select this option, a list of packages with Status of Available is displayed in the Manage Packages table on the firewall. (This table is accessible from the McAfee Firewall Enterprise Admin Console by selecting Maintenance -> Software Management.) • Restore Defaults — Restore the default settings for the remaining fields in this window. • Load Using — Specify the protocol to use for downloading a package to the firewall. The following values are available: • FTP — Indicates that File Transfer Protocol (FTP) will be used to download a package. • HTTPS — Indicates that Secure Hypertext Transfer Protocol (HTTPS) will be used to download a package. • Directory — Specify the path name of the directory from which to download a package (for example, packages/sidewinder/7.0). • Host — Specify the host name of the site from which to download a package (for example, downloads.securecomputing.com). • Port — Specify the port number to use to connect to the specified host. The default value is 21 for FTP and 443 for HTTPS. • User Name — Specify the user account to use to connect to the specified host. The default value is anonymous. • Password — Specify the password associated with the specified user name. • Confirm Password — Re-specify the password associated with the specified user name. • Frequency — Specify the frequency at which to check for the availability of packages. 
The following values are available: • Hourly • Daily • Weekly • Monthly • Bimonthly A time of day will be randomly generated when Frequency is changed. • Enable e-mail notifications for install, uninstall, automatic load and rollback — Determines whether e-mail is used to notify the firewall administrator of such software management activities as installation, uninstallation, automatic loading of packages, and rollback of the firewall to a previous state. This checkbox is not selected by default. If you select this option, the E-mail User field is enabled. • E-mail User — Specify the name of the firewall administrator to be notified about software management activities with E-mail. 332 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
7 Configuration Tool - Policy

Contents
Policy objects
Network objects
Services
Application defenses
IPS inspection
Authentication services
Firewall users
VPN
Rules
URL translation rules
Alert processing rules
SSH known hosts

Policy objects

Internet applications, such as e-mail, Web browsing, and instant messaging, have become essential methods of communicating with your customers, suppliers, and partners. But you must balance the uses of these vital applications with the associated risks of unwanted content, malware, and unauthorized usage.

While security is a top priority for most corporations, many consider it sufficient to simply set up a firewall to protect against unauthorized access. However, as threats and legal environments change, companies must struggle to stay ahead of direct attacks on critical business content and resources. Protecting corporate content while it is stored and transported must become a priority. The issues behind content security, including the development of direct attacks against e-mail, content, and messaging, are real and must be considered as part of the entire security policy that is deployed to protect corporate assets. To this end, an array of content security tools is supported through the firewall.

The following content security objects can be managed through the Control Center in the Policy group bar of the Configuration Tool:
• Network objects — Specify source or destination conditions in rules. For more information, see Network objects on page 336. The following categories of endpoint objects are defined on the firewall:
    • Hosts — Specify a fully qualified host name or an IP address.
    • Networks — Specify an entire sub-network to use as an endpoint.
    • Address ranges — Specify an inclusive series of IP addresses. You can specify a portion of a sub-network to use as an endpoint.
    • Domains — Specify a domain to use as an endpoint.
    • Adaptive — Specify an adaptive endpoint, which is a single endpoint that can be used in different ways by multiple firewalls.
    • Geo-Location — Specify a list of countries that are defined in a Geo-Location object to use as an endpoint.
    • Burbs — Specify a burb to use as an endpoint.
    • Burb groups — Specify a burb group to use as an endpoint.
    • Net groups — Specify and name groups of endpoints by using previously configured endpoint objects and a set of system-wide interface controls.
    You can specify these objects individually or you can import IP address, hostname, network, and address range objects that are defined in a file. For more information, see Importing network objects on page 345.
• Services — Specify a network communications protocol. Services are used as conditions in rules. For more information, see Firewall objects on page 163. The firewall supports the following categories of network services:
    • Proxy services — Specify a network service that is associated with a proxy agent that is running on the firewall. The proxy agent controls communication between clients on one side of the firewall and servers on the other side. The user's client program communicates with the proxy agent instead of communicating directly with the server. The proxy agent evaluates requests from the client and determines the requests to permit and to deny, based on your security policy. If a request is approved, the proxy agent forwards the client's requests to the server and forwards the server's responses back to the client. The proxy agent is application aware (that is, it understands the application layer protocol and can interpret its commands). Proxy agents are used to create proxy services. Proxy services may be TCP-based or UDP-based. Many are defined by default for such TCP-based services as HTTP, FTP, and Telnet and for such UDP protocols as SNMP and NTP. Use the Service Manager window to create additional proxy services.
    • Filter services — Specify a network service that is associated with a filter agent that is running on the firewall. Filter agents provide another way for clients and servers to communicate. The filter agent inspects and passes traffic at the network layer or at the transport layer. The following types of filter agents are provided:
        • TCP/UDP — Transmission Control Protocol (TCP) is a transport layer protocol that is defined by a specified port number or range of port numbers. User Datagram Protocol (UDP) is a transport layer protocol that is defined by a specified port number or range of port numbers.
        • ICMP — Internet Control Message Protocol (ICMP) is a network layer protocol that supports packets that contain error, control, and informational messages.
        • IP — Internet Protocol (IP) is a network layer protocol that is defined by a protocol number.
    • Service groups — Specify a collection of network services that are defined on the firewall. See Configuring service groups on page 353.
• Application Defenses — Specify the settings for inspecting advanced application-level content, such as headers, commands, and filters. They also enable add-on modules such as virus scanning, spam filtering, and Web filtering. They can be used with filter services, most proxy services, and the sendmail server service. See Application defenses on page 355.
• IPS — Specify IPS response mappings so that you can create and maintain IPS signature groups. You can also use the IPS Signature Browser to view and manage IPS signatures. See IPS inspection on page 419.
• Authenticators — Specify authentication services that contain the authenticators that are used by the firewall. For more information, see Authentication services on page 424. The following types of authenticators are available:
    • Password
    • Passport
    • RADIUS
    • Safeword
    • Windows Domain
    • iPlanet
    • Active Directory
    • OpenLDAP
    • Custom LDAP
    • CAC
• Users — Specify users who can access the Control Center and the way in which they can access it. User identification and authentication is a critical aspect of security. To access a firewall, a user must have a login ID and a method of authentication. Users can be configured to have one authentication method for inbound connections and another method for outbound connections. The firewall supports multiple methods of identification and authentication. These methods are explained in Authentication services on page 424. You can use the Control Center to create two classes of users: firewall users (who are defined by using the user objects on the Configuration Tool) and Control Center users. For information about defining and maintaining Control Center users, see Control Center users on page 81. The various firewalls support one or more of the following types of users:
    • Administrators — Identifies firewall administrator accounts. A firewall administrator is someone who logs directly into the firewall to perform administrative activities.
    • Users — Identifies user accounts to be stored on the firewall.
    • User groups — Identifies internal groups that are used to restrict access to services through the firewall.
    • External groups — Identifies external groups that are used in rules to restrict access to services through the firewall.
• Time periods — Specify time periods that represent named periods of time. These named time periods are used for various functions, such as limiting the time that a user has the ability to log into the Control Center or determining the time during which rules apply to the assigned firewall. For more information, see Managing time periods on page 470.
• VPN — Specify a Virtual Private Network (VPN) that securely connects networks and nodes to form a single, protected network. The data is protected as it tunnels through unsecured networks, such as the Internet or intranets. The VPN ensures data origin authentication, data integrity, data confidentiality, and anti-replay protection. A VPN works by encapsulating packets to or from the network with which you want to communicate (the remote network) and by sending them (usually encrypted) as data in packets to or from the network to which you are connected. The VPN is a security gateway between trusted and non-trusted networks that protects network access, network visibility (NAT), and network data (VPN). The two types of supported VPN connections are gateway-to-gateway and host-to-gateway. For more information, see VPN on page 471.
    • VPN wizard — Create VPN channels, including configuration of peers, cryptographic parameters, and the authentication method.
    • VPN peers — Create peer objects that will participate in gateway-to-gateway VPN communities by using the VPN Peer window.
    • VPN communities — Configure VPN communities for a firewall by using the VPN Community window.
    • VPN client configurations — Establish a network configuration for the VPN client to operate on the private side of a firewall by using the VPN Client Configuration window.
    • VPN bypass — Select certain traffic to bypass IPsec policy evaluation and to be sent outside of the encrypted tunnel by using the VPN Bypass window.
  • 336. Network objects • CA certificates — Import Certification Authority (CA) certificates. A public key certificate is an electronic document that binds a host’s identity with its private key. The purpose of a certificate is to provide proof of a host’s identity. This enables a secure means of encrypting the data communication between one host and another. In digitally signing the certificate, the Certification Authority (CA) vouches for the host's identification, and is then able to issue a secure certificate that will be used to create a digital signature for the data that is being sent. Use the sender’s digital signature, along with the sender’s certificate, to verify that (a) the data originated from the sender, and (b) that the data was not tampered with in transit. • Remote certificates — Manage remote certificates by using the Remote Certificate page. You can also request, load, retrieve, view, export, and delete certificates in this page. • Rules — Specify the network security mechanism that controls the flow of data into and out of the internal network by using the Rules page. For more information, see Rules on page 527. • URL translation rules — Specify the redirection of inbound HTTP connections, based on application layer data, rather than on transport layer data that is used for the conventional redirect rules. For more information, see URL translation rules on page 559. • SSH known hosts — Specify strong known host associations. You can manage this database that includes only those SSH known host keys with strong trust levels across all firewalls. For more information, see SSH known hosts on page 568. Network objects Network objects represent source or destination conditions used in rules. The following categories of network objects can be defined. • Hosts — Specify a fully qualified host name or an IP address. To create a host object, see Configuring endpoints (network objects) on page 337. 
If you have configured the ePolicy Orchestrator to communication with the Control Center, you can also view ePO data for a specific host. For more information about the ePO Host Data report, see Viewing ePolicy Orchestrator host data on page 135. • Networks — Specify an entire subnetwork to use as an endpoint. To create a network object, see Configuring endpoints (network objects) on page 337. • Address Ranges — Specify an inclusive series of IP addresses. You can specify a portion of a subnetwork to use as an endpoint. To create an address range object, see Configuring endpoints (network objects) on page 337. • Domains — Specify a domain to use as an endpoint. To create a domain object, see Configuring endpoints (network objects) on page 337. • Adaptive — Specify an adaptive endpoint. An adaptive endpoint is a single endpoint that can be used in different ways by multiple firewalls. For information about creating adaptive endpoints, see Creating adaptive endpoints on page 339. • Geo-Location — Specify a Geo-Location network object, which is a specified group of country IP addresses. For information about creating a Geo-Location object, see Creating Geo-Location objects on page 340. • Burbs — Specify a burb. For information about creating burbs, see Configuring burbs on page 341. • Burb Groups — Specify burb groups. To create burb groups, see Configuring groups of related device objects on page 261. • Net Groups — Specify and name groups of endpoints using previously configured endpoint objects and a set of system-wide interface controls. To create groups of endpoints, see Configuring groups of related device objects on page 261. 336 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 337. Network objects • Import Network Objects — Displays the Import Network Objects Wizard, in which you can specify a file from which you can import network objects that are defined in that file. To import network objects, see Importing network objects on page 345. Configuring endpoints (network objects) Use the Network Objects Manager window to add or modify the following types of endpoints: hosts, networks, address ranges, and domains. The fields that are displayed on the window depend on the value selected in the Type field. You can also change the type and thus change the fields. For example, if you accessed this window to create a host and you decided instead to create a network object, you can change the value in the Type field and see all of the appropriate fields for this new object type. For additional information about network objects, see Network objects on page 336. For more information about configurable objects, see Firewall configuration management on page 574. Figure 125 Network Object Manager window for host objects Accessing this window 1 In the Configuration Tool, select the Policy group bar. 2 Select the Network Objects node in the tree. 3 Double-click Hosts, Networks, Address Ranges, or Domains, depending on the type of object that you want to create. The respective fields are displayed in the Network Object Manager window. Fields and buttons This window has the following fields and buttons: Note: Several of the fields on this window are type-specific as indicated. • Name — [Required] Specify a unique name for the object. • Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared by default., To create a privileged object, the user must be assigned a role that allows access to privileged objects (View, Update, Add, Remove). 
Use the Actions tab on the Role Manager window in the Administration Tool to assign the privileged object action to a role.Description — Specify information about the configured endpoint. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 337
  • 338. Network objects • Type — [Required] Initially displays the value that matches the node that you double-clicked to access this window. The value of this field determines the remaining fields that are displayed on this window. The following values are available: • Hosts — Configure a single host. When this value is selected, the following fields are displayed: • Address — Specify the Internet Protocol (IP) address. If there is at least one firewall that is enabled with the IPv6 protocol, you can specify an IPv6 address, which is a series of seven groups of alphanumeric characters that are separated by colons (:). An example of this format is: nnaa:an:n:nana:naa:aa:aann:nana. However, if there are no IPv6-enabled firewalls, you must specify an IPv4 address, which is a series of four groups of decimals in dot notation format. An example of an IPv4 address is: nnn.nn.nnn.nnn. • Hostname — Specify the fully qualified host name. • Use DNS lookups to resolve the hostname — [Available only if a hostname value has been specified in the Hostname field] Determines whether a DNS lookup is used to find the IP address associated with a specified hostname. If this checkbox is selected, the Override Default TTL (s) checkbox is available. • Alternate Addresses — [Available only if a hostname and address value has been specified in the Hostname and Address fields] Specify any alternate addresses that are used to reference the host. Multiple addresses can be specified by using a comma to separate entries. • Override Default TTL (s) — Determines whether the default Time to Live (TTL) period for caching DNS records is overridden by a specified value. The default value is 86400 seconds (one day). To override the default, select this checkbox and select a different value. • Networks — Configure a subnet. When this value is selected, the following fields are displayed: • Address — [Required] Specify the unique IP address of the subnet. 
If there is at least one firewall that is enabled with the IPv6 protocol, you can specify an IPv6 address, which is a series of seven groups of alphanumeric characters that are separated by colons (:). An example of this format is: nnaa:an:n:nana:naa:aa:aann:nana. However, if there are no IPv6-enabled firewalls, you must specify an IPv4 address, which is a series of four groups of decimals in dot notation format. An example of an IPv4 address is: nnn.nn.nnn.nnn. • Mask Length — [Required] Specify the length of the subnet mask in bits. If an IPv6 address is specified in the Address field, this length should be between 0 and 128. Otherwise, the length should be between 0 and 32. The default value is 24. • Address Ranges — Configure a range of IP addresses. When this value is selected, the following fields are displayed. • Begin Address — [Required] Specify the first matching IP address. • End Address — [Required] Specify the last matching IP address. Note: The range that is specified in the Begin Address and End Address fields is inclusive. The value that is specified in the Begin Address field must be less than or equal to the value that is specified in the End Address field. • Domains — Configure all of the hosts in a particular domain. The firewall performs a reverse DNS lookup to determine whether a host belongs to a particular domain. When this value is selected, the following field is displayed., Domain Name — Specify the name of the domain. • OK — Save this object and, if new, insert it in the list of objects below the respective object type node. • Cancel — Close this window without saving any changes. 338 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Creating adaptive endpoints

Use the Adaptive window to create an adaptive endpoint. An adaptive endpoint is a single endpoint object that resolves to different addresses on different firewalls, so one rule can reference it everywhere.

Figure 126 Adaptive window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Network Objects node.
3 Double-click the Adaptive node.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label that identifies the adaptive object.
• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared by default. To create a privileged object, the user must be assigned a role that allows access to privileged objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the Administration Tool to assign the privileged object action to a role.
• Description — Provide information about the adaptive object.
• Firewall — Specify the name of the firewall on which the address in this row is used.
• Address — Specify the IP address or addresses that this endpoint object resolves to on that firewall. Separate multiple values with commas. Specify IP addresses in any of the following ways:
  • IP address in dot notation (four decimal numbers separated by periods)
  • Host name
  • Network address/subnet mask length in bits (for example, 192.168/16)
  • Address range (beginning_IP_address - ending_IP_address)
• Delete — Click x (Delete) in the row to be deleted.
• Default — Specify the default address to be used on firewalls that are not listed in the Firewall column.
• OK — Save this object.
• Cancel — Close this window without saving the object.
Creating Geo-Location objects

Use the Geo-Location window to define a Geo-Location object, which is a list of countries. Each Geo-Location object that you define is a network object. Geo-Location maps an IP address to its country of origin. Use a Geo-Location object in a rule to allow or deny a network connection based on the source or destination country. The mapping is only as accurate as the geolocation data on the firewall, and traffic relayed through a proxy or VPN exit in another country is attributed to that country.

Figure 127 Geo-Location window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Double-click the Geo-Location node, or right-click the Geo-Location node and select Add object. The Geo-Location window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify the name of this Geo-Location object. This name cannot exceed 100 characters. You can use the following characters: alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). This name is the only value that you will see for this object in the Apply On list when you create a rule, so make sure that it describes the object.
• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared by default. To create a privileged object, the user must be assigned a role that allows access to privileged objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the Administration Tool to assign the privileged object action to a role.
• Description — Specify any useful information about this Geo-Location object.
• Countries — Specify the countries to be included in this Geo-Location object. Specify part or all of the country name that you want to search for and click Find. Any values that match the search text are highlighted.
• OK — Save this Geo-Location object.
• Cancel — Close this window without saving any changes.

Adding a Geo-Location object
1 In the Configuration Tool, select the Policy group bar.
2 Double-click the Geo-Location node, or right-click the Geo-Location node and select Add object.

Editing an existing Geo-Location object
1 In the Configuration Tool, select the Policy group bar.
2 Select the Geo-Location node.
3 Double-click the object to be edited in the tree, or right-click the object and select Edit object.

Deleting an existing Geo-Location object
1 In the Configuration Tool, select the Policy group bar.
2 Select the Geo-Location node.
3 Right-click the object and select Delete object.

Configuring burbs

Use the Burbs window to create and maintain burbs. A burb is a type-enforced network area used to isolate network interfaces from each other. An internal burb and an external burb are defined on the firewall during installation. The external burb is the Internet burb; it is the only burb that communicates directly with the outside world, and it cannot be removed.

Use the table to specify a set of burb options for a particular firewall. For each burb, the table contains a -Default Options- entry, which specifies the default set of options applied on every firewall. To use a different set of options on one firewall, create a new entry in the table for that firewall; the new entry overrides the -Default Options- entry.

Figure 128 Burbs window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Network Objects node.
3 Double-click the Burbs node. The Burbs window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the burb. This name cannot be changed after the burb object has been created. Do not use Firewall or firewall for the Name value; these names are used elsewhere in the firewall. Case is significant.
• Description — Specify information about the burb.
• Firewall — Specify the name of the firewall to which the burb options apply.
• Hide Port Unreachables — Determines whether the burb suppresses port unreachable error messages. This checkbox is cleared by default. If you select this checkbox, the firewall does not respond when a node on the network tries to connect to a port on which the firewall is not listening. Port unreachable replies are what a scanner uses to tell closed ports from filtered ones, so hiding them on an untrusted burb gives away less about the firewall.
• Respond to ICMP Echo and Timestamp — Determines whether the burb responds to ICMP echo and timestamp messages. The ping utility uses these messages to determine whether a host or IP address is reachable. This checkbox is cleared by default. If you select this checkbox, the firewall is allowed to respond to these messages.
• Accept Routing Changes From ICMP Redirects — Determines whether the burb accepts routing changes from ICMP redirect messages. ICMP redirect messages are used to optimize the routes that direct IP traffic to its destination. On a trusted network, you can use ICMP redirect messages to improve throughput. On an untrusted network, any host able to send a redirect can use it to divert the firewall's traffic through itself and examine or reroute it. This checkbox is cleared by default. If you select this checkbox, the firewall is allowed to honor ICMP redirect messages.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving the changes.
Configuring groups of burb objects

Use the Burb Groups Manager window to define groups of burb objects that are managed together. The purpose of a group is object-specific; however, the act of creating groups is the same for every object type. Two or more related objects are associated under an aggregate object name to simplify management of multiple objects.

Figure 129 Burb Groups Manager window

Accessing this window
In the Policy group bar of the Configuration Tool, select Network Objects and then double-click Burb Groups. The Burb Groups Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Group Name — Specify a user-defined name for the burb group that you are creating.
• Description — Provide a meaningful description of the reason that this burb group has been defined.
• Members — Use the fields in this area to determine the burbs that will be members of this group.
  • Find — Specify a value in this field and click Find to filter the display of burbs so that only those that match the criteria you specified are displayed in the table.
  • Burbs — Select one or more burbs to include in this group.
• OK — Save the burb group under the Network Objects node in the tree.
• Cancel — Close this window without saving any changes.
Configuring groups of endpoint objects

Use the Net Groups Manager window to define groups of endpoint objects that are managed together. The purpose of a group is object-specific; however, the act of creating groups is the same for every object type. Two or more related objects are associated under an aggregate object name to simplify management of multiple objects.

Figure 130 Net Groups Manager window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select Network Objects and then double-click Net Groups. The Net Groups Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Group Name — Specify a user-defined name for the endpoint group that you are creating.
• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared by default. To create a privileged object, the user must be assigned a role that allows access to privileged objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the Administration Tool to assign the privileged object action to a role.
• Description — Provide a meaningful description of the reason that this endpoint group has been defined.
• Members — Use the fields in this area to determine the endpoints that will be members of this group.
  • Find — Specify a value in this field and click Find to filter the display of endpoints so that only those that match the criteria you specified are displayed in the table.
  • Endpoints — Select one or more endpoints to include in this group.
• OK — Save the endpoint group under the Network Objects node in the tree.
• Cancel — Close this window without saving any changes.
Importing network objects

Use the Import Network Objects Wizard to import the following types of network objects from a file: IP addresses and hostnames for host objects, network objects, and address range objects.

Prerequisites for the imported file
To create a valid file to use with this wizard, the following prerequisites must be met:
• The file must be in either .txt or .csv (comma-delimited) format.
• You can mix object types in one file. However, every row must use the format for the file type:

Table 15 Imported file formats
Format type   Format                             Description
.txt          [Address] [Name] #[Description]    The address and name parameters are required; the # and the description are optional.
.csv          [Address],[Name],[Description]     The address and name parameters are required; the last comma (,) and the description are optional.

• A network object must include the mask length (for example, 1.1.1.1/24).
• An address range object must include the start address and the end address, separated by a hyphen (-) (for example, 1.1.1.1-2.2.2.2).
If there are any errors in your imported file, a message is displayed and you can view the errors. For more about this, see the wizard steps that follow.

Accessing this wizard
1 In the Configuration Tool, select the Policy group bar.
2 Select the Network Objects node to expand the list of subnodes.
3 Double-click the Import Network Objects subnode. The Import Network Objects Wizard is displayed.

Wizard steps
This wizard has two steps.

Step 1 of 2
This page introduces you to the wizard. Before you import your file, you can view the required formats for each network object type in the display area. To load the text file that contains your network object definitions, click Load File. After you locate the file and click Open, the contents of the file are displayed on this first page. Click Next >> to continue or Cancel to close the wizard.

Step 2 of 2
Use this page to select the objects in the file that you want to import and to fix any errors in the file, which are now displayed in the table. Then import the objects by clicking Finish.

The list of network objects is displayed in the table on this page. If there are any errors in the imported file, each row that contains an error is highlighted and a message is displayed at the bottom of the page, along with a View Errors button. To troubleshoot the errors:
1 Click View Errors to display the Import Errors window, in which you can view a description of the errors.
2 Click x to close this window.
3 Click in the field in the table that contains the error. Edit the value so that it is correct for the type of object in this row. Note that these changes are not propagated back to the file itself.
4 Repeat step 3 for each row that contains an error.
5 When you have completed your edits, click Finish. The values are checked again for validity and are imported if they are correct.

The following fields and buttons are available on this page:
• Import — Determines whether this object is imported when you click Finish. The checkbox is selected by default for each valid row. If a row is not valid, the checkbox is not selected; after you correct the invalid data, you must still select the checkboxes for the objects that you want to import. Clear the checkbox for any object that you do not want to import now.
• Type — [Read-only] Displays the type of object.
• Name — Displays the name of the object as it was read from the imported file. You can edit this value.
• Address — Displays the address (and mask, if applicable) of the object as it was read from the imported file. You can edit this value.
• Description — Displays the description of the object as it was read from the imported file. You can edit this value.
• View Errors — Displays the Import Errors window, in which you can view a description of the errors that were found in the imported file. For information about how to use this window, see the troubleshooting steps above.
• <<Previous — Changes the display to the previous page of the wizard.
• Finish — The objects are imported. Afterwards, an Import Complete message is displayed, indicating the number of network objects that were successfully imported. Click OK and the wizard is closed.
• Cancel — Closes the wizard without importing any objects.

Services

A service is a description of a network communications protocol. Computers can exchange packets by agreeing on a protocol and, for TCP and UDP, a port. Protocol and port numbers have well-established meanings; for example, IP protocol 89 is used for Open Shortest Path First (OSPF) routing traffic, and TCP (protocol 6) port 23 is used for the Telnet remote login application.
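An import file can be checked offline before it is loaded into the wizard. The following Python is an added example, not code from Control Center. It applies the row formats from Table 15 under Importing network objects above, the mask-length limits and the inclusive begin/end constraint from the Endpoint window, and the 192.168/16 shorthand accepted by the Adaptive window; the two sample files are constructed for the example, and the ipv6_enabled flag stands in for the wizard's check of whether any managed firewall has IPv6 enabled.

```python
"""Offline validator for Control Center network-object import files (added example).

Rows: .txt "[Address] [Name] #[Description]", .csv "[Address],[Name],[Description]".
A network carries a mask length (1.1.1.1/24) within 0-32 (IPv4) or 0-128 (IPv6);
a range is "begin-end" with begin <= end, inclusive; anything else is a host,
given as an IP address or a hostname.  Bad rows are reported with their line
number, as the wizard's Step 2 table highlights them.
"""
import ipaddress
import re
from dataclasses import dataclass, field

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label


@dataclass
class NetworkObject:
    kind: str                 # "host", "network" or "range"
    address: str              # canonical form
    name: str
    description: str = ""


@dataclass
class ImportResult:
    objects: list = field(default_factory=list)
    errors: list = field(default_factory=list)     # (line_no, raw_line, message)


def _valid_hostname(name):
    return 0 < len(name) <= 253 and all(_LABEL.match(l) for l in name.rstrip(".").split("."))


def _expand_shorthand(addr):
    """'192.168' -> '192.168.0.0', so the Adaptive-window form '192.168/16' parses."""
    parts = addr.split(".")
    if ":" not in addr and len(parts) < 4 and all(p.isdigit() for p in parts):
        return ".".join(parts + ["0"] * (4 - len(parts)))
    return addr


def classify(token, ipv6_enabled=True):
    """Return (kind, canonical address) for one address token, or raise ValueError."""
    if "/" in token:                                    # network with mask length
        addr, bits = token.split("/", 1)
        net = ipaddress.ip_network(f"{_expand_shorthand(addr)}/{bits}", strict=False)
        if net.version == 6 and not ipv6_enabled:
            raise ValueError("IPv6 network, but no managed firewall has IPv6 enabled")
        return "network", str(net)
    if "-" in token:                                    # begin-end range?
        lo, _, hi = token.partition("-")
        try:
            lo_ip, hi_ip = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        except ValueError:
            pass                                        # a hostname containing '-'
        else:
            if lo_ip.version != hi_ip.version:
                raise ValueError("range endpoints must be the same IP version")
            if lo_ip > hi_ip:
                raise ValueError("range begin address must be <= end address")
            if lo_ip.version == 6 and not ipv6_enabled:
                raise ValueError("IPv6 range, but no managed firewall has IPv6 enabled")
            return "range", f"{lo_ip}-{hi_ip}"
    try:                                                # host by address ...
        ip = ipaddress.ip_address(token)
    except ValueError:
        if _valid_hostname(token):                      # ... or by hostname
            return "host", token
        raise ValueError(f"not an address, network, range or hostname: {token!r}")
    if ip.version == 6 and not ipv6_enabled:
        raise ValueError("IPv6 host, but no managed firewall has IPv6 enabled")
    return "host", str(ip)


def parse_line(raw, fmt):
    """Split one .txt or .csv row into (address, name, description)."""
    if fmt == "csv":
        cols = [c.strip() for c in raw.split(",", 2)]
        if len(cols) < 2:
            raise ValueError("csv row needs at least [Address],[Name]")
        address, name, desc = cols[0], cols[1], (cols[2] if len(cols) == 3 else "")
    elif fmt == "txt":
        body, _, desc = raw.partition("#")
        cols = body.split()
        if len(cols) != 2:
            raise ValueError("txt row must be '[Address] [Name] #[Description]'")
        (address, name), desc = cols, desc.strip()
    else:
        raise ValueError(f"unknown format {fmt!r}")
    if not address or not name:
        raise ValueError("address and name are required")
    return address, name, desc


def import_objects(text, fmt, ipv6_enabled=True):
    """Validate every non-blank row; good rows become objects, bad rows become errors."""
    result = ImportResult()
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            address, name, desc = parse_line(raw, fmt)
            kind, canon = classify(address, ipv6_enabled)
        except ValueError as exc:
            result.errors.append((line_no, raw, str(exc)))
            continue
        result.objects.append(NetworkObject(kind, canon, name, desc))
    return result


# Constructed sample files; the last two .txt rows are deliberately invalid.
SAMPLE_TXT = """\
10.1.2.3 dbserver #primary database host
10.1.2.0/24 dbnet #database subnet
10.1.3.10-10.1.3.20 dhcp_pool
mail-relay.example.com relay #a hyphen in a hostname is not a range
2001:db8::/32 lab6 #needs an IPv6-enabled firewall
10.1.3.20-10.1.3.10 bad_range #begin > end
10.1.2.0/33 bad_mask #mask length outside 0-32
"""
SAMPLE_CSV = "192.168/16,corp,Adaptive-window shorthand\n172.16.5.9,nas\n"

if __name__ == "__main__":
    for fmt, text in (("txt", SAMPLE_TXT), ("csv", SAMPLE_CSV)):
        res = import_objects(text, fmt)
        for obj in res.objects:
            print(f"{fmt}: {obj.kind:<8}{obj.address:<24}{obj.name}")
        for line_no, _, msg in res.errors:
            print(f"{fmt}: line {line_no}: {msg}")
```

With ipv6_enabled=False the 2001:db8::/32 row is reported as well, matching the wizard's behaviour when no managed firewall is IPv6-enabled. A hyphen is treated as a range separator only when both sides parse as IP addresses, so hostnames such as mail-relay.example.com are still accepted as hosts.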
Control Center service objects are used to specify the type of traffic that a rule should match. Occasionally, they are also used to specify a TCP or UDP port number that a firewall service (for example, a content inspection agent or remote authorization agent) uses to communicate with a remote computer. The firewall manager should therefore create service objects that describe the types of traffic the firewall is expected to recognize. The firewalls support the following categories of services.
• Proxy services — A proxy service is a network service that is associated with a proxy agent running on the firewall. The proxy agent controls communication between clients on one side of the firewall and servers on the other side. The user's client program communicates with the proxy agent instead of directly with the server. The proxy agent evaluates requests from the client and, based on your security policy, decides whether to permit or deny them. If a request is approved, the proxy agent forwards it to the server and relays the server's responses back to the client. The proxy agent is application-aware: it understands the application-layer protocol and can interpret its commands. Proxy agents are used to create proxy services, which may be TCP-based or UDP-based. Many are defined by default, for TCP-based services such as HTTP, FTP, and Telnet and for UDP protocols such as SNMP and NTP. Use the Proxy Service window to create additional proxy services.
• Filter services — A filter service is a network service that is associated with a filter agent running on the firewall. Filter agents provide another method for clients and servers to communicate: the filter agent inspects and passes traffic at the network layer or the transport layer without interpreting the application-layer protocol. The following types of filter agents are provided:
  • FTP Packet Filter — File Transfer Protocol (FTP) service defined by port numbers. This agent supports both active and passive FTP by monitoring the control connection and dynamically opening a port for the data connection. To allow FTP over IPv6, you must use this agent; the FTP proxy agent does not support IPv6.
  • Generic Filter — A service that passes TCP or UDP traffic through the kernel, defined by port numbers. Unlike the Generic Proxy, no proxy agent is involved.
  • ICMP Filter — Internet Control Message Protocol (ICMP) is a network layer protocol that carries error, control, and informational messages. A message type and code further qualify the service.
  • Protocol Filter — A network layer protocol defined by an IP protocol number.
  Filter agents are used to create filter services. A wide range of filter services is defined by default. Use the Filter Service window to create additional filter services.
• Server services — A server service is a network service that is associated with a server agent, or daemon, running on the firewall. Server services are created during initial configuration of the firewall. They include services that are used for the following purposes:
  • Management of the firewall (for example, Admin Console)
  • Access to a networked service (for example, SNMP Agent)
  • Routing services (for example, gated, routed)
  • VPN connections (for example, ISAKMP server)
  • Firewall-specific functions (for example, cluster registration server)
  Basic properties of these services can be modified; however, additional server services cannot be created. See Managing servers and service configurations on page 291.
• Service Group — A service group represents a collection of network services that are defined on the firewall. See Configuring service groups on page 353.
Note: By default, proxy services, filter services, and server services are disabled. If you use a proxy, filter, or server service in an enabled rule, the firewall automatically enables that service in the corresponding source burb or burbs. When all of the rules that use a particular service are disabled or deleted, the service is automatically disabled again.
Configuring proxy services

Use the Proxy Service window to add or change a proxy service. For more information about the types of services that are supported by the firewalls, see Services on page 346.

Figure 131 Proxy Service window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 In the Policy tree, select the Services node.
3 Double-click Proxy Services. The Proxy Service window is displayed.

Fields and buttons
The fields that are displayed in this window change depending on the value that you select in the Agent list. The following fields are common to all service types:
• Name — [Required] Specify a name for the service.
• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared by default. To create a privileged object, the user must be assigned a role that allows access to privileged objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the Administration Tool to assign the privileged object action to a role.
• Agent — Specify the type of traffic that will use this service. This field is equivalent to the Agent value in the McAfee Firewall Enterprise Admin Console. Most of the agents in this list use the standard TCP fields described below. The following agents are available:
  • Citrix Proxy — Allows remote clients to access applications within a Citrix server farm by using the Citrix Independent Computing Architecture (ICA) protocol.
  • DNS Proxy — Allows DNS query traffic and DNS zone transfers.
  • FTP Proxy — Allows access to File Transfer Protocol (FTP) servers. The FTP Proxy agent does not support IPv6; to allow FTP over IPv6, use the FTP Packet Filter agent. For more information, see Configuring filter services on page 350.
  • Generic Proxy — A transport-layer proxy that handles both TCP and UDP. This proxy agent is not application-aware.
  • H323 Proxy — Allows audio and video features for H.323 applications.
  • HTTP Proxy — Allows connections to Web servers by using the Hypertext Transfer Protocol (HTTP).
  • HTTPS Proxy — Allows connections to Web servers by using HTTP over SSL (HTTPS).
  • IIOP Proxy — Allows the Internet Inter-ORB Protocol (IIOP), the wire protocol used by Common Object Request Broker Architecture (CORBA) applications for interoperability in a heterogeneous environment.
  • Mail Proxy — Allows Simple Mail Transfer Protocol (SMTP) messages through the firewall.
  • MS-SQL Proxy — Allows Microsoft SQL Server clients and servers to pass SQL traffic.
  • Oracle Proxy — Allows Structured Query Language (SQL) traffic between Oracle servers and clients.
  • Ping Proxy — Allows ICMP echo (ping) requests and ICMP echo responses through the firewall.
  • RealMedia Proxy — Allows RealMedia audio and video data packet connections.
  • Registration — Allows the firewall to join a High Availability cluster.
  • RSH Proxy — Allows remote file copy (RCP) and remote shell (RSH) login.
  • RTSP Proxy — Allows the RealMedia Player and QuickTime Multimedia Player protocols.
  • SIP Proxy — Allows Session Initiation Protocol (SIP), a protocol that is commonly used by VoIP applications.
  • SNMP Proxy — Supports remote management by using the Simple Network Management Protocol (SNMP).
  • SOCKS Proxy — Allows the SOCKSv5 protocol.
  • SSH Proxy — Allows Secure Copy (SCP), Secure FTP (SFTP), and Secure Shell login.
  • Sun RPC Proxy — Relays requests between RPC clients and remote servers.
  • T120 Proxy — Allows T.120 applications.
  • Telnet Proxy — Allows access to Telnet servers.
• Description — Specify information about the configured service.
• TCP ports — Specify the TCP port or ports on which the service will accept traffic. Separate multiple ports with commas. Note: Do not use ports 9000-9010; these ports are reserved by the firewall for administrative purposes.
• Gatekeeper ports — [Available for H323 Proxy only] Specify the gatekeeper port or ports on which the service will accept traffic. Separate multiple ports with commas. Note: Do not use ports 9000-9010; these ports are reserved by the firewall for administrative purposes.
• UDP ports — [Available only for Citrix Proxy and Generic Proxy] Specify the UDP port or ports on which the service will accept traffic. Separate multiple ports with commas. Note: Do not use ports 9000-9010; these ports are reserved by the firewall for administrative purposes.
• TCP idle timeout (sec) — Specify the number of seconds that a connection can remain idle before it is terminated. The default is 7200 seconds. A value of 0 maintains idle sessions indefinitely, so abandoned sessions are never reaped. To set the timeout, click the up or down arrow or specify a value in the field.
• UDP idle timeout (sec) — [Available only for Citrix Proxy, Generic Proxy, and H323 Proxy] Specify the number of seconds that a connection can remain idle before it is terminated. The default is 300 seconds. A value of 0 maintains idle sessions indefinitely. To set the timeout, click the up or down arrow or specify a value in the field.
• Allow fast path sessions — [Not available for H323 Proxy] Specify whether fast path proxy sessions are allowed on the firewall. A fast path session improves performance by lessening the load placed on the system kernel when passing proxy data through the firewall. For more information about fast path sessions, see the "Services" chapter in the McAfee Firewall Enterprise (Sidewinder) Administration Guide.
• Allowed connection types — [Available only for FTP Proxy, HTTP Proxy, and HTTPS Proxy] Specify the types of connections that are allowed. The following values are available:
  • Transparent — The client appears to connect directly to the server; the firewall intercepts the connection without the client addressing it.
  • Non-Transparent — The client connects to the firewall explicitly, and the firewall then connects to the server.
  • Both — Either transparent or non-transparent connections are allowed.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving the changes.

Configuring filter services

Use the Filter Service window to add or change a filter service. For more information about the types of services that are supported by the firewalls, see Services on page 346.

Figure 132 Filter Service window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 In the Policy tree, select the Services node.
3 Double-click Filter Services. The Filter Service window is displayed.

Fields and buttons
The fields that are displayed in this window change depending on the value that you select in the Agent list. The following fields are common to all service types:
• Name — [Required] Specify a name for the service.
• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared by default. To create a privileged object, the user must be assigned a role that allows access to privileged objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the Administration Tool to assign the privileged object action to a role.
  • 351. Services • Agent — [Required] Specify the type of traffic that will use this service. This field is synonymous with selecting the Agent value in the McAfee Firewall Enterprise Admin Console.The following values are available: • FTP Packet Filter — [Available for firewall versions 7.0.1 and later] Indicates a file transfer protocol (FTP) that is defined by specified port numbers. When you select this service type, see the service type-specific fields that are described in the Agent: FTP Packet Filter on page 351. • Generic Filter — Indicates a service that handles TCP or UDP traffic through the kernel. When you select this service type, see the service type-specific fields that are described in Agent: Generic Filter on page 352. This is the default value. • ICMP Filter —(Internet Control Message Protocol) Indicates a network layer protocol that supports packets that contain error, control, and informational messages. A message type and code further qualify the service. When you select this service type, see the service type-specific fields that are described in Agent: ICMP Filter on page 352., You can use this filter with any firewall version. However, the ipv6_echo and ipv6_info messages are available only for versions 7.0.1 and later with the IPv6 protocol enabled. • Protocol Filter — Indicates a network layer protocol that is defined by a protocol number. When you select this service type, see the service type-specific fields that are described in Agent: Protocol Filter on page 353. • Description — Specify information about the configured service. • OK — Save this changes that were made in this window. • Cancel — Close this window without saving the changes. Agent: FTP Packet Filter • TCP source ports — Specify a range of valid source ports. By default, all source ports are specified., Do not use ports 9000-9010. These ports are reserved by the firewall for administrative purposes. 
• TCP destination ports — Specify the TCP port or ports on which the service will accept traffic. Specify multiple ports by using a comma to separate entries., Do not use ports 9000-9010. These ports are reserved by the firewall for administrative purposes. • Enable stateful packet inspection — Determines whether stateful packet inspection will occur for this service when it is used as an IP filter service on the firewall. Stateful packet inspection tracks the state of network connections traversing the firewall. Only packets that match a known connection state are allowed by the firewall; all others are rejected., Enable stateful session failover — Determines whether existing filter sessions will be transferred to the secondary node of a High Availability cluster during a failover event. This checkbox is selected by default. Tip: You might want to clear this checkbox for short-lived connections. • Bi-directional — Determines whether the firewall will allow traffic that is associated with this service to flow from either the source or the destination addresses. Select this checkbox only if your source port and destination port have the same value. This checkbox is cleared by default., NAT and redirection are not allowed for bi-directional rules with stateful packet inspection enabled. • Reset TCP connections after connection timeout — Specify whether a TCP Reset packet will be sent to the client and server after the specified connection timeout. This checkbox is selected by default. • TCP idle timeout (sec) — Specify the number of seconds that the connection can remain idle before it is closed. Valid values are between 0 and 2147483647. The default is 7200 seconds. A value of 0 maintains idle sessions indefinitely. To set a time-out, click the up or down arrow or specify a value in the field. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 351
• TCP connection timeout (sec) — Specify the number of seconds that are allowed to occur when establishing the TCP connection between the client and the server. The default is 15 seconds.
Agent: Generic Filter
• TCP source ports — Specify a range of valid source ports. By default, all source ports are specified.
• TCP destination ports — Specify the TCP port or ports on which the service will accept traffic. Specify multiple ports by using a comma to separate entries.
• UDP source ports — Specify a range of valid source ports. By default, all source ports are specified.
• UDP destination ports — Specify the UDP port or ports on which the service will accept traffic. Specify multiple ports by using a comma to separate entries.
• Require UDP checksums — Determines whether checksums of UDP packets will be required.
• Bi-directional — Determines whether the firewall will allow traffic that is associated with this service to flow from either the source or the destination addresses. Select this checkbox only if your source port and destination port have the same value. This checkbox is cleared by default. NAT and redirection are not allowed for bi-directional rules with stateful packet inspection enabled.
• Enable stateful packet inspection — Determines whether stateful packet inspection will occur for this service when it is used as an IP filter service on the firewall. Stateful packet inspection tracks the state of network connections traversing the firewall. Only packets that match a known connection state are allowed by the firewall; all others are rejected.
  • Enable stateful session failover — Determines whether existing filter sessions will be transferred to the secondary node of a High Availability cluster during a failover event. This checkbox is selected by default. Tip: You might want to clear this checkbox for short-lived connections.
• Reset TCP connections after connection timeout — Specify whether a TCP Reset packet will be sent to the client and server after the specified connection timeout. This checkbox is selected by default.
• TCP idle timeout (sec) — Specify the number of seconds that the connection can remain idle before it is closed. Valid values are between 0 and 2147483647. The default is 7200 seconds. A value of 0 maintains idle sessions indefinitely. To set a time-out, click the up or down arrow or specify a value in the field.
• TCP connection timeout (sec) — Specify the number of seconds that are allowed to occur when establishing the TCP connection between the client and the server. The default is 15 seconds.
• UDP idle timeout (sec) — Specify the number of seconds that the connection can remain idle before it is closed. The default is 300 seconds. A value of 0 maintains idle sessions indefinitely. To set a time-out, click the up or down arrow or specify a value in the field. Valid values are between 0 and 2147483647.
Agent: ICMP Filter
• Enable stateful packet inspection — Determines whether stateful packet inspection will occur for this service when it is used as an IP filter service on the firewall. Stateful packet inspection tracks the state of network connections that are traversing the firewall. Only those packets that match a known connection state are allowed by the firewall; all others are rejected.
• Response timeout (sec) — Specify the number of seconds that are permitted to receive a response from the server.
• Message types — Specify one or more types of ICMP messages that will be used for this filter. The following types are available:
  • echo — Indicates that echo requests and responses that are used by ping will be used.
  • info — Indicates that ICMP information requests and responses will be used.
  • timestamp — Indicates that timestamp requests and responses will be used.
  • ipv6_echo — [Available for firewall versions 7.0.1 and later when the IPv6 protocol is enabled] Indicates that echo requests and responses that are used by ping and that are transmitted as IPv6 traffic will be used.
  • ipv6_info — [Available for firewall versions 7.0.1 and later when the IPv6 protocol is enabled] Indicates that ICMP information requests and responses that are transmitted as IPv6 traffic will be used.
• Enable stateful session failover — Determines whether existing filter sessions will be transferred to the secondary node of a High Availability cluster during a failover event.
Note: ICMP control and error messages that are generated by TCP/UDP traffic are managed by using the TCP/UDP rules, as opposed to ICMP rules. For example, to pass “host unreachable” error messages for undelivered TCP packets for a specific rule through the firewall, configure this value on the Packet Filter application defenses, instead of by using the ICMP service.
• Bi-directional — Determines whether the firewall will allow traffic that is associated with this service to flow from either the source or the destination addresses. Select this checkbox only if your source port and destination port have the same value. This checkbox is cleared by default. NAT and redirection are not allowed for bi-directional rules with stateful packet inspection enabled.
Agent: Protocol Filter
• Protocol number — Specify the first IP protocol supported by this service. A protocol number must be an integer between 0 and 255.
• Bi-directional — Determines whether the firewall will allow traffic that is associated with this service to flow from either the source or the destination addresses. Select this checkbox only if your source port and destination port have the same value. This checkbox is cleared by default. NAT and redirection are not allowed for bi-directional rules with stateful packet inspection enabled.
Configuring service groups
Use the Service Groups Manager window to define groups of related services that will be simultaneously managed. The purpose of a group is specific to the type of service. However, the procedure to create groups is the same. Two or more related objects are associated under an aggregated object name to simplify the management of multiple service objects.
Figure 133 Service Groups Manager window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Services node and then double-click Service Groups. The Service Groups Manager window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Group name — Specify a user-defined name for the service group that is being defined.
• Privileged — Determines whether this object is created as a privileged object. This checkbox is cleared by default. To create a privileged object, the user must be assigned a role that allows access to privileged objects (View, Update, Add, Remove). Use the Actions tab on the Role Manager window in the Administration Tool to assign the privileged object action to a role.
• Description — Provide a meaningful description of the reason that this service group has been defined.
• Type — Specify the kind of services that this group will contain. For more information about each of these types, see Services on page 346. The following values are available:
  • Proxy Services — Indicates a network service that is associated with a proxy agent that is running on the firewall.
  • Filter Services — Indicates a network service that is associated with a filter agent that is running on the firewall.
  • Server Services — Indicates a network service that is associated with a server agent, or daemon, that is running on the firewall.
• Members — Select the checkbox for each service object to include in the group. Use the Find field to search for specific values. Specify part or all of the member name for which you want to search and click Find. Any values that match the search text are highlighted. Select one or more members.
• OK — Save this service group.
• Cancel — Close this window without saving any changes.
Application defenses
Use application defenses to configure advanced properties for rules. You can refine rules for specific applications that use proxies and filter agents. You can also configure key services such as anti-virus/anti-spyware, SSL decryption, and web services management.
The Control Center provides the following application defenses for configuration:
• HTTP — Configuring HTTP application defenses on page 355
• HTTPS — Configuring HTTPS application defenses on page 370
• Mail (Sendmail) — Configuring Mail (Sendmail) application defenses on page 382
• Mail (SMTP proxy) — Configuring Mail (SMTP proxy) application defenses on page 388
• Citrix — Configuring Citrix application defenses on page 395
• FTP — Configuring FTP application defenses on page 396
• IIOP — Configuring IIOP application defenses on page 400
• T.120 — Configuring T120 application defenses on page 401
• H.323 — Configuring H.323 application defenses on page 402
• Oracle — Configuring Oracle application defenses on page 403
• MS SQL — Configuring MS SQL application defenses on page 404
• SOCKS — Configuring SOCKS application defenses on page 405
• SNMP — Configuring SNMP application defenses on page 406
• SIP — Configuring SIP application defenses on page 408
• SSH — Configuring SSH application defenses on page 409
• Packet Filter — Configuring Packet Filter application defenses on page 415
• Application defense groups — Configuring application defense groups on page 418
Configuring HTTP application defenses
Use the HTTP Application Defense window to create and maintain HTTP application defenses. An HTTP application defense specifies advanced properties for HTTP. These properties include: connection parameters, URL control properties, header filtering for HTTP requests and replies, content filtering using SmartFilter, and resource scanning for MIME, viruses, and spyware.
Figure 134 HTTP Application Defense window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the HTTP application defense.
• Description — Provide information about the HTTP application defense.
• Type — Specify whether the application defense is used to protect the client, the server, or both applications. The following options are available:
  • Client — Protect a client behind the firewall.
  • Server — Protect a server behind the firewall.
  • Combined — Protect both an HTTP client and an HTTP server behind the firewall. This is the default value.
• OK — Save all of the changes on this window, including all of the tabs.
• Cancel — Close this window without saving any changes.
• Versions — Click this button to view a display of all of the fields on this window that have version-specific availability. You can also view this same information at the field level by holding your mouse over the version level icon and viewing the ToolTip.
Tabs
This window contains a series of tabs. As shown in the following table, the value that you select in the Type field determines the tabs that are displayed. A link and a brief description of each tab follows the table.
Table 16 HTTP Application Defense: type selection and tabs
Tab                  Client   Server   Combined
General              X        X        X
HTTP URL             X        X        X
FTP URL              X                 X
HTTP Request                  X        X
HTTP Reply           X        X        X
MIME/Virus/Spyware            X        X
Content Scanning     X        X        X
Connection           X        X        (two of the three types; the column assignment is not recoverable from the source table)
• General — Relax RFC requirements for HTTP. For more information, see HTTP Application Defense window: General tab on page 357.
• HTTP URL — Configure HTTP URL control properties. For more information, see HTTP Application Defense window: HTTP URL tab on page 358.
• FTP URL — Configure FTP URL control properties. For more information, see HTTP Application Defense window: FTP URL tab on page 360.
• HTTP Request — Configure header filtering for HTTP requests. For more information, see HTTP Application Defense window: HTTP Request tab on page 361.
• HTTP Reply — Configure header filtering for HTTP replies. For more information, see HTTP Application Defense window: HTTP Reply tab on page 363.
• MIME/Virus/Spyware — Enable MIME, virus, and spyware scanning services. For more information, see HTTP Application Defense window: MIME/Virus/Spyware tab on page 365.
• Content Scanning — Enable filtering of Web traffic using SmartFilter and enable filtering of particular types of content. For more information, see HTTP Application Defense window: Content Scanning tab on page 367.
• Connection — Specify connection properties for the HTTP application defense. For more information, see HTTP Application Defense window: Connection tab on page 368.
HTTP Application Defense window: General tab
Use the General tab of the HTTP Application Defense window to relax Request for Comments (RFC) requirements for HTTP on traffic from clients, servers, or both. To view the fields on this tab, see Figure 134 on page 355.
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Make sure that the General tab is selected.
Fields and buttons
This tab has the following field:
• Relax Protocol Enforcements — Determines whether RFC requirements for HTTP are relaxed. This checkbox is cleared by default. If this checkbox is selected, the following options are available:
  Note: If you select the Relax Protocol Enforcements checkbox, RFC infractions such as the following are allowed:
  • Media types in Content-Type headers in a relaxed form, in which the subtype attribute is not required
  • Empty headers
  • Duplicated responses from the server when the response is the same, but the version is different
  • Query strings containing arbitrary data
  Caution: Each of these infractions introduces an element of risk into your security policy, particularly if enabled on server-side rules. Use this mode only when necessary, and implement on a rule-by-rule basis.
  • Client — Relaxes requirements only on HTTP traffic received from clients. This allows you to create an application defense that protects a client behind the firewall. As a result of this selection, you will not be able to configure options that are not applicable to client protection (such as HTTP requests).
  • Server — Relaxes requirements only on HTTP traffic received from servers. This allows you to create an application defense that protects a server behind the firewall. As a result of this selection, you will not be able to configure options that are not applicable to server protection (such as content scanning options for other than SOAP objects).
  • Both — Relaxes requirements on HTTP traffic received from both clients and servers. This allows you to create an application defense that can protect both an HTTP client (outbound) and an HTTP server (inbound) behind the firewall. As a result of this selection, you will be able to configure all of the options for this defense. However, some of the options that you configure will apply only to the client or only to the server. (For example, HTTP request properties do not apply to the client. Therefore, if you select Both, HTTP request properties that you configure will apply only to the server.)
HTTP Application Defense window: HTTP URL tab
Use the HTTP URL tab of the HTTP Application Defense window to configure HTTP URL control properties. These properties determine the way that the URL that is contained in an HTTP request is filtered. The properties include allowed commands, disallowed URLs, maximum length of a URL, and other options.
Figure 135 HTTP Application Defense window: HTTP URL tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Select the HTTP URL tab.
Fields and buttons
This tab has the following fields and buttons:
• Enforce URL Control configuration — Determines whether URL control properties are configured. This checkbox is cleared by default. If this checkbox is selected, you can configure specific properties.
• Allowed Commands — Specify the HTTP commands that are allowed by the proxy. A description for each command is included in this list. Select the checkbox associated with each command to include it in the permitted commands list. Right-click the column heading to access options to quickly select or clear fields. The following options are available:
  • Select All — Selects all of the HTTP commands in this list.
  • Unselect All — Clears all of the HTTP commands in this list.
• (Deny Specified URL Matches) — Use the fields in this area to specify a list of URLs to be denied or allowed. The following fields are available:
  • (List below table) — Specify whether the strings that you list will be denied or allowed when matched to parts of the URL. The following options are available:
    Note: URLs that do not contain a string that is listed in this table are denied.
    • Deny — Indicates that if the string is found in a particular URL, the request is explicitly denied. The table lists the match strings that are currently denied.
    • Allow specified URL matches — Indicates that if the string is found in a particular URL, the request is allowed. The table lists the match strings that are currently allowed.
  • Match Type — Specify the part of the URL that will be matched against the string value and be denied or allowed, depending on the value in the Deny Specified URL Matches field. The following options are available:
    • Contains — Indicates that a match is considered to be anything that contains the specified string.
    • Begins with — Indicates that a match is considered to be anything that begins with the same characters as the specified string.
    • Ends with — Indicates that a match is considered to be anything that ends with the same characters as the specified string.
  • Match Parameter — Specify the portion of the URL to be matched against the specified string. The following options are available:
    • Host — Indicates that the host component of the request URL will be matched with the specified string.
    • Path — Indicates that the path component of the request URL will be matched with the specified string.
    • All — Indicates that the entire request URL will be matched with the specified string.
  • String — Specifies the string to be denied. For an example of how this works, consider the following URL: http://www.mycompany.com/resources/logos.html. You specify "logos" as the value in the String field. This URL will be allowed if the Match Parameter value is set to Host; it will be denied if the Match Parameter value is set to Path or All.
• Options — Use the fields in this area to configure additional requirements.
  • Enforce Strict URLs — Determines whether URLs containing special characters are denied. If this checkbox is selected, URLs with certain special characters will be disallowed under certain circumstances (such as RFC violation). For example, the following special characters will not be permitted: angle brackets (<>), braces ({}), brackets ([]), quote ("), back quote (`), back slash (\), caret (^), and pipe (|).
  • Allow Unicode — Determines whether international multi-byte characters are allowed in a query. If this checkbox is selected, international multi-byte characters are allowed.
  • Require HTTP Version in Request — Determines whether the HTTP version is required in HTTP requests. If this checkbox is selected, the checkboxes associated with the acceptable versions, 1.0 and 1.1, are selected:
    • 1.0 — Indicates that HTTP version 1.0 is allowed.
    • 1.1 — Indicates that HTTP version 1.1 is allowed.
  • Max URL Length — Specify the maximum number of characters allowed in a URL. The default value is 1024. Acceptable values range from 1 to 10000.
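The URL control decisions described on this tab, worked through in code so a policy can be checked against sample requests before it is pushed to a firewall. This is an added example, not code from the guide or from the McAfee product; the class and function names (UrlMatch, UrlControl, evaluate_request), the assumed default of Allow Unicode being cleared, and the sample policies are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Characters the guide lists as not permitted when Enforce Strict URLs is selected.
STRICT_DENIED_CHARS = set('<>{}[]"`\\^|')


@dataclass
class UrlMatch:
    """One row of the Deny/Allow Specified URL Matches table (assumed model)."""
    string: str       # String column
    match_type: str   # "contains", "begins_with" or "ends_with"
    parameter: str    # "host", "path" or "all"

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        subject = {"host": parts.hostname or "",
                   "path": parts.path,
                   "all": url}[self.parameter]
        if self.match_type == "contains":
            return self.string in subject
        if self.match_type == "begins_with":
            return subject.startswith(self.string)
        if self.match_type == "ends_with":
            return subject.endswith(self.string)
        raise ValueError(f"unknown match type {self.match_type!r}")


@dataclass
class UrlControl:
    """Settings from the HTTP URL tab (field names are assumptions)."""
    allowed_commands: Set[str]                 # Allowed Commands checkboxes
    list_mode: str = "deny"                    # "deny" or "allow" specified URL matches
    matches: List[UrlMatch] = field(default_factory=list)
    enforce_strict_urls: bool = False
    allow_unicode: bool = False                # assumed default: multi-byte query data denied
    require_http_version: bool = False
    allowed_versions: Set[str] = field(default_factory=lambda: {"1.0", "1.1"})
    max_url_length: int = 1024                 # default value given by the guide


def evaluate_request(policy: UrlControl, method: str, url: str,
                     version: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request line under the policy."""
    if method not in policy.allowed_commands:
        return False, f"command {method} is not an allowed command"
    if len(url) > policy.max_url_length:
        return False, f"URL exceeds Max URL Length of {policy.max_url_length}"
    if policy.enforce_strict_urls and STRICT_DENIED_CHARS & set(url):
        return False, "URL contains a character rejected by Enforce Strict URLs"
    # Allow Unicode applies to the query component: any non-ASCII character there.
    if not policy.allow_unicode and any(ord(ch) > 0x7F for ch in urlsplit(url).query):
        return False, "query contains multi-byte characters and Allow Unicode is cleared"
    if policy.require_http_version:
        if version is None:
            return False, "HTTP version is required but missing"
        if version not in policy.allowed_versions:
            return False, f"HTTP version {version} is not allowed"
    hit = any(m.matches(url) for m in policy.matches)
    if policy.list_mode == "deny":
        return (False, "URL matches a denied string") if hit else (True, "no denied string matched")
    # Allow mode: per the guide's note, a URL that matches no listed string is denied.
    return (True, "URL matches an allowed string") if hit else (False, "URL matches no allowed string")


if __name__ == "__main__":
    # The guide's own example: "logos" is matched against the host, path or whole URL.
    url = "http://www.mycompany.com/resources/logos.html"
    for parameter in ("host", "path", "all"):
        policy = UrlControl({"GET"}, "deny", [UrlMatch("logos", "contains", parameter)])
        print(parameter, evaluate_request(policy, "GET", url, "1.1"))
```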
HTTP Application Defense window: FTP URL tab
Use the FTP URL tab of the HTTP Application Defense window to configure FTP URL control properties. These properties control access to FTP servers through HTTP proxies. Access to FTP servers is allowed by default.
Note: The FTP URL tab is available only if you selected Client or Combined as the value in the Type field on this window.
Figure 136 HTTP Application Defense window: FTP URL tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Select the FTP URL tab.
Fields and buttons
This tab has the following fields and buttons:
• Enforce FTP URL Control — Determines whether URL control properties are configured. This checkbox is cleared by default. If this checkbox is selected, use the other fields on this tab to configure specific properties.
• Server Mode — Specify the mode to be used for FTP connections. The following options are available:
  • Active — Indicates that the FTP client will tell the server the port number that will be used for the data connection. In this normal mode of operation, the FTP client issues the PORT command.
  • Passive — Indicates that the FTP server will tell the FTP client the port number of the port that will be used for the data connection. In this mode, the FTP client issues the PASV command.
  • Both — Indicates that both modes are available. The passive mode is tried first. This is the default value.
• Allowed FTP Commands — Specify the FTP commands that are allowed by the proxy. The checkboxes associated with these commands are cleared by default. Select the checkbox associated with each command to include it in the list of permitted commands. Right-click the column heading to access options to quickly select (Select All) or clear (None) all fields. The following fields are available:
  • GET - Get file from server — Determines whether files are allowed to be downloaded from an FTP server. If this checkbox is cleared, all downloaded files are denied.
  • PUT - Put file on server — Determines whether files are allowed to be uploaded to an FTP server. If this checkbox is cleared, all uploaded files are denied.
HTTP Application Defense window: HTTP Request tab
Use the HTTP Request tab of the HTTP Application Defense window to configure header filtering on HTTP requests.
Note: The HTTP Request tab is available only if you selected Server or Combined as the Type field value in this window.
Figure 137 HTTP Application Defense window: HTTP Request tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Select the HTTP Request tab.
Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Request configuration — Determines whether filtering properties for HTTP request headers are configured. This checkbox is cleared by default. If this checkbox is selected, use the other fields on this tab to configure specific properties for request headers.
• Filter Option — Determines whether selected HTTP request header types are allowed. The following options are available:
  • Allow — Permits all selected HTTP request header filter types. If this option is selected, all other HTTP request header types are denied.
  • Deny — Denies all selected HTTP request header filter types. If this option is selected, all other HTTP request header types are allowed.
• HTTP Request Header Filter Types — Specify the types of HTTP request headers to be allowed or denied. Select the checkbox associated with each type to include it in the list.
  Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx request headers (often found in user-defined headers). If you are creating a list of allowed headers (that is, the Filter Option field value is Allow) and you do not include the X-* filter type, most HTTP traffic will be denied.
  Right-click the column heading to select from the following options to quickly select or clear portions or all of the checkboxes in this list. The following options are available:
  Note: Header types that do not appear in this list are handled the same way as if they were not selected.
  • None — Clear all HTTP request header filter types in the list.
  • Standard — Select all of the HTTP request header filter types in the list. (This is the same as Select All.)
  • Paranoid — Select only those HTTP request header filter types that are defined in the RFC. All other header types are excluded.
  • Custom — Manually select the HTTP request header filter types to include in the list.
  • Select All — Select all of the HTTP request header filter types.
• Denied Header Action — Determines whether a page containing a denied header is displayed. The following options are available:
  • Allow Page Without Denied Header — Masks the denied HTTP request header, but allows the page to be displayed. (A denied HTTP request header will be overwritten with Xs.)
  • Block Entire Page — Blocks the entire page when an HTTP request header is denied.
• Denied header values — Use the fields in this area to create a list of headers and matching values that you want to block. If a specified header appears in a request or in a response, and it contains the specified value, it is dropped from the message.
  • Full header names must be used.
  • Regular expressions are not supported.
  • Values are matched in a case-insensitive manner, and are used exactly as specified.
  For more information on HTTP message headers, refer to RFC 2616, which can be found at www.ietf.org/rfc.html.
  • Header — Specify the header to be blocked.
  • Value — Specify the value of the header to be blocked.
• Deny binary data — Determines whether to block headers that contain binary data. Every header will be scanned to detect binary data. This prevents attacks that put binary data in requests. However, performance on your firewall will be reduced.
  • Binary data means ASCII codes 0x00 to 0x1f and 0x7f hexadecimal.
  • This does not affect escaped characters that convert to legal ASCII characters. For example, %41 in a header would convert to the letter A in ASCII.
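The header filtering rules from the HTTP Request tab, applied to a constructed request so the effect of Filter Option, the X-* wildcard, Denied header values, Deny binary data and Denied Header Action can be seen together. This is an added example, not code from the guide or the McAfee product; the HeaderPolicy class, filter_request_headers and the sample headers are assumptions, and "contains the specified value" is modelled as a case-insensitive substring match.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Per the guide, binary data means ASCII codes 0x00 to 0x1f and 0x7f.
BINARY_CODES = set(range(0x00, 0x20)) | {0x7F}


@dataclass
class HeaderPolicy:
    """Settings from the HTTP Request tab (names are assumptions)."""
    filter_option: str                        # "allow" or "deny"
    filter_types: Set[str]                    # selected filter types, e.g. {"Host", "X-*"}
    denied_values: List[Tuple[str, str]] = field(default_factory=list)  # Denied header values
    deny_binary_data: bool = False
    denied_header_action: str = "allow_page_without_denied_header"  # or "block_entire_page"


def _type_selected(name: str, selected: Set[str]) -> bool:
    """Header names are compared case-insensitively; X-* covers every X-xxx header."""
    lowered = {s.lower() for s in selected}
    return name.lower() in lowered or ("x-*" in lowered and name.lower().startswith("x-"))


def _has_binary(value: str) -> bool:
    # Only raw characters count. An escape such as %41 is left as written, so it is
    # never treated as binary even though it decodes to a legal ASCII letter.
    return any(ord(ch) in BINARY_CODES for ch in value)


def _denied_value(policy: HeaderPolicy, name: str, value: str) -> bool:
    # Full header names, no regular expressions, case-insensitive comparison.
    return any(h.lower() == name.lower() and v.lower() in value.lower()
               for h, v in policy.denied_values)


def _type_denied(policy: HeaderPolicy, name: str) -> bool:
    selected = _type_selected(name, policy.filter_types)
    # Allow: everything not selected is denied. Deny: everything selected is denied.
    return selected if policy.filter_option == "deny" else not selected


def filter_request_headers(policy: HeaderPolicy, headers: List[Tuple[str, str]]
                           ) -> Tuple[bool, List[Tuple[str, str]], List[str]]:
    """Return (request_passes, resulting_headers, reasons) for one request.

    A header carrying a denied value is dropped from the message. A header whose
    type is denied, or that contains binary data, is handled per Denied Header
    Action: overwritten with Xs, or the whole request is blocked.
    """
    out: List[Tuple[str, str]] = []
    reasons: List[str] = []
    for name, value in headers:
        if _denied_value(policy, name, value):
            reasons.append(f"{name}: denied header value, dropped")
            continue
        if _type_denied(policy, name):
            reasons.append(f"{name}: header type denied")
        elif policy.deny_binary_data and _has_binary(value):
            reasons.append(f"{name}: binary data in header")
        else:
            out.append((name, value))
            continue
        if policy.denied_header_action == "block_entire_page":
            return False, [], reasons
        out.append((name, "X" * len(value)))
    return True, out, reasons


# Constructed sample request headers: one user-defined header, one header with a
# control character, and one with an escaped (not binary) character.
SAMPLE_HEADERS = [
    ("Host", "intranet.example"),
    ("User-Agent", "Mozilla/5.0"),
    ("X-Debug", "on"),
    ("Cookie", "session=abc\x01def"),
    ("Referer", "http://intranet.example/%41"),
]

if __name__ == "__main__":
    policy = HeaderPolicy("allow", {"Host", "User-Agent", "Cookie", "Referer"},
                          deny_binary_data=True)
    print(filter_request_headers(policy, SAMPLE_HEADERS))
```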
HTTP Application Defense window: HTTP Reply tab
Use the HTTP Reply tab of the HTTP Application Defense window to configure header filtering on HTTP replies.
Figure 138 HTTP Application Defense window: HTTP Reply tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Select the HTTP Reply tab.
Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Reply configuration — Determines whether filtering properties for HTTP reply headers are configured. This checkbox is cleared by default. If this checkbox is selected, use the other fields on this tab to configure specific properties for reply headers.
• Filter Option — Specify whether selected HTTP reply header types are allowed. The following options are available:
  • Allow — Permits all selected HTTP reply header filter types. If this option is selected, all other HTTP reply header types are denied.
  • Deny — Denies all selected HTTP reply header filter types. If this option is selected, all other HTTP reply header types are allowed.
• HTTP Reply Header Filter Types — Specify the types of HTTP reply headers to be allowed or denied. Select the checkbox associated with each type to include it in the list.
  Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx reply headers (often found in user-defined headers). If you are creating a list of allowed headers (that is, the Filter Option field value is Allow) and you do not include the X-* filter type, most HTTP traffic will be denied.
  Right-click the column heading to select from the following options to quickly select or clear portions or all of the checkboxes in this list. The following options are available:
  Note: Header types that do not appear in this list are handled the same way as if they were not selected.
  • None — Clear all HTTP reply header filter types in the list.
  • Standard — Select all of the HTTP reply header filter types in the list. (This is the same as Select All.)
  • Paranoid — Select only those HTTP reply header filter types that are defined in the RFC. All other header types are excluded.
  • Custom — Manually select the HTTP reply header filter types to include in the list.
  • Select All — Select all of the HTTP reply header filter types.
• Denied Header Action — Determines whether a page containing a denied header is displayed. The following options are available:
  • Allow Page Without Denied Header — Masks the denied HTTP reply header, but allows the page to be displayed. (A denied HTTP reply header will be scrubbed.)
  • Block Entire Page — Blocks the entire page when an HTTP reply header is denied.
• Denied header values — Use the fields in this area to create a list of headers and matching values that you want to block. If a specified header appears in a request or in a response, and it contains the specified value, it is dropped from the message.
  • Full header names must be used.
  • Regular expressions are not supported.
  • Values are matched in a case-insensitive manner, and are used exactly as specified.
  For more information on HTTP message headers, refer to RFC 2616, which can be found at www.ietf.org/rfc.html.
  • Header — Specify the header to be blocked.
  • Value — Specify the value of the header to be blocked.
• Deny binary data — Determines whether to block headers that contain binary data. Every header will be scanned to detect binary data. This prevents attacks that put binary data in requests. However, performance on your firewall will be reduced.
  • Binary data means ASCII codes 0x00 to 0x1f and 0x7f hexadecimal.
  • This does not affect escaped characters that convert to legal ASCII characters. For example, %41 in a header would convert to the letter A in ASCII.
HTTP Application Defense window: MIME/Virus/Spyware tab
Use the MIME/Virus/Spyware tab of the HTTP Application Defense window to configure settings required for the scanning of resources for Multipurpose Internet Mail Extensions (MIME) types, viruses, and spyware. Use these settings to enable scanning, to control scanner behavior, and to specify the actions to be taken with different types of resources.
Note: The MIME/Virus/Spyware tab is available only if you selected Server or Combined as the Type field value on this window.
Figure 139 HTTP Application Defense window: MIME/Virus/Spyware tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Select the MIME/Virus/Spyware tab.
Fields and buttons
This tab has the following fields and buttons:
• Enforce Virus/Spyware Scanning — Determines whether file scanning for MIME types, viruses, and spyware is enabled. This checkbox is cleared by default. If you select this checkbox, you can configure parameters that control file content scanning and infected file handling.
• Virus/Spyware Extensions — Use the fields in this area to specify the types of resources that will be scanned and the action that will be taken for each type. To change the order of a row in this list, highlight the row and click the up or down arrow button. The following fields are available:
  • Default Action — Specify the action to be taken, by default, for resources that are not specified in the table below this field. The following options are available:
    • Allow — Indicates that all resources are allowed, except those that are defined as being denied in the table. This is the default value. If you select this option, you must specify the resources that you want to scan or deny in the table.
    • Scan — Indicates that all resources are to be scanned for MIME types, viruses, and spyware, except those that are defined as being denied in the table.
    • Deny — Indicates that all resources are to be denied, except those that are defined as being allowed in the table. If you select this option, you must specify the resources that you want to scan or allow in the table.
  • 366. Application defenses • Action — Specify the action to be taken for each resource that is specified in this table. The following options are available: • Allow — Permit files with the specified extensions to be transferred. Note that this option excludes scanning for viruses and spyware. • Scan — Require files with the specified extensions to be scanned for viruses and spyware. If scanning does not detect viruses or spyware, the files are allowed to be transferred. • Deny — Prohibit files with the specified extensions from being transferred. Note that this option excludes scanning for viruses and spyware. • MIME Type — Specify the MIME type that you want to filter. If you select asterisk (*), the filter rule will ignore this field when it determines a match. • MIME Subtype — Specify the MIME subtype associated with the selected value in the MIME Type column. If you select asterisk (*), the filter rule will ignore this field when it determines a match. • Extension Type — Specify the types of file name extensions to be filtered. The following options are available: • All File Extensions — Indicates that file name extensions of all types (*). Extensions are ignored when the filter rule determines a match. • Archive File Types — Indicates usage of the list of predefined file name extensions that are displayed in the Extensions column (such as tar and zip, for example). • Mime Specific Types — Displays the file name extensions that are associated with the selected Mime Type and Mime Subtype field values. If you have selected a Mime Type of text and a Mime Subtype of html, for example, this field displays html and htm. • Custom List — You can specify text in the Extensions field to create a customized list of file name extensions. • Extensions — Specify the file name extensions to be included. If you selected Archive File Types or Mime Specific Types for the value of the Extension Type field, the associated extensions are displayed in this field. 
  If you selected Custom List for the Extension Type field value, specify your file extensions in this list. Use the following guidance for your values:
  • Do not specify the leading period for each extension value.
  • If you have more than one file extension value to specify, use commas (,), not spaces, to delimit your values.
• Up and down buttons — Use the buttons to move the selected row up or down one row in the table, respectively.
• Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields are available:
  • Reject all files if scanning is unavailable — Determines whether file transfer using HTTP is prevented if the proxy cannot communicate with the scanners. This checkbox is cleared by default. If you select this option, the connection will be dropped if scanning is unavailable (for example, due to out-of-date virus data, an expired license, or a configuration error).
  • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions 7.0.0.08 and later and 7.0.1.02 and later] Determines whether to enable scanning for unknown viruses. This checkbox is cleared by default.
• Infected File Handling — Use the fields in this area to specify the way that infected files are handled. The following options are available:
  • Discard infected files — Indicates that infected files will be discarded.
  • Repair infected files — Indicates that infected files will be disinfected prior to processing. If an infected file cannot be disinfected, it will be discarded.
• Maximum Scan Size — Use the fields in this area to specify file size parameters for scanning. The following fields are available:
  Note: The “allow” and “reject” options are available only for firewall versions 7.0.0.08 and later and versions 7.0.1.02 and later.
  • Scan File Size Limit (KB) — Specify the maximum file size (in kilobytes) that will be allowed. The default value is 32768.
  • Files over the scan limit will be allowed through unscanned — Indicates that, even though a file exceeds the specified limit, it will be allowed to pass through without being scanned.
  • Files over the scan limit will be rejected — Indicates that if a file exceeds the specified limit, scanning will not be performed and the file will be denied. This is the default selection.

HTTP Application Defense window: Content Scanning tab
Use the Content Scanning tab of the HTTP Application Defense window to configure settings associated with filtering Web content and denying embedded objects and scripting. McAfee SmartFilter, a content management solution that controls users' access to Web resources, can be configured to work with the firewall to filter Web traffic. Use this tab to enable filtering of HTTP requests by using McAfee SmartFilter.

Figure 140 HTTP Application Defense window: Content Scanning tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Select the Content Scanning tab.
Fields and buttons
This tab has the following fields and buttons.
• Enforce McAfee SmartFilter — Determines whether McAfee SmartFilter is used to filter Web traffic. This checkbox is cleared by default. If this checkbox is selected, the following field is available:
  • Reject all requests if McAfee SmartFilter is unavailable — Determines whether HTTP requests are denied if the McAfee SmartFilter server on the firewall is unavailable.
• Enforce Content Control — Determines whether certain types of content are denied. This checkbox is cleared by default. If this checkbox is selected, use the following fields to specify the denial of particular types of content from Web documents.
  Note: The Deny SOAP field is not available if the selected value of the Type field is Client. The Deny ActiveX, Deny Scripting, and Deny Java Applets fields are not available if the selected value of the Type field is Server.
  • Deny SOAP — Determines whether to deny the entire page if it contains SOAP-embedded objects. If this checkbox is selected, the SOAP embedded objects are scrubbed from the Web content.
  • Deny ActiveX — Determines whether to deny the entire page if it contains ActiveX®-embedded objects. If this checkbox is selected, the ActiveX embedded objects are scrubbed from the Web content.
  • Deny Scripting — Determines whether to deny the entire page if it contains scripting languages. If this checkbox is selected, the scripting languages are scrubbed from the Web content.
  • Deny Java Applets — Determines whether to deny the entire page if it contains Java™ applet objects. If this checkbox is selected, the Java applet objects are scrubbed from the Web content.

HTTP Application Defense window: Connection tab
Use the Connection tab of the HTTP Application Defense window to configure connection properties for the HTTP application defense.
These properties include enabling traffic to an upstream proxy and identifying ports for traffic from non-transparent proxies.
Note: The Connection tab is available only if you selected Client or Combined as the Type in this window.

Figure 141 HTTP Application Defense window: Connection tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTP. The HTTP Application Defense window is displayed.
4 Select the Connection tab.

Fields and buttons
This tab has the following fields and buttons:
• Upstream proxies — Use the fields in this area to configure whether the HTTP proxy can communicate with a non-transparent proxy. The following fields are available:
  • Enabled — Determines whether the defined scheme can be forwarded.
  • Scheme — Specify the scheme of the requests to be forwarded. A scheme is the protocol identifier in the URI naming structure (for example, gopher).
  • IP address — Specify the IP address of the upstream proxy where the request is being sent. The list of addresses from which you can select is for existing network objects.
  • Port — Specify the port number to use for communication with the upstream proxy.
• Destination ports allowed through non-transparent HTTP proxy — Use the fields in this area to configure the range of ports to which the non-transparent proxy can send traffic. Pre-defined ports are: 80, 443, and 1024 through 65535.
  • Start Port — Specify the first port in the range.
  • End Port — Specify the last port in the range.
• Allow non-transparent HTTPS traffic through the HTTP proxy — Determines whether non-transparent secure HTTP (that is, HTTPS) traffic is allowed through the HTTP proxy. This checkbox is cleared by default.
• Destination ports allowed through non-transparent HTTP proxy using FTP — Use the fields in this area to configure the range of ports to which the non-transparent proxy can send traffic by using FTP. The pre-defined port is 21.
  • Start Port — Specify the first port in the range.
  • End Port — Specify the last port in the range.
Configuring HTTPS application defenses
Use the HTTPS Application Defense window to create and maintain HTTPS application defenses. An HTTPS application defense specifies advanced properties for HTTPS proxy rules. Such properties include connection parameters, SSL decryption, URL control properties, header filtering for HTTP requests and replies, filtering of content by using McAfee SmartFilter, and scanning of resources for MIME types, viruses, and spyware.

Figure 142 HTTPS Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.

Fields and buttons
This window contains the following fields and buttons:
• Name — Specify a label used to refer to the HTTPS application defense.
• Description — Provide information about the HTTPS application defense.
• Type — Specify whether the application defense is used to protect a client or a server. The following values are available:
  • Client — Protects a client behind the firewall.
  • Server — Protects a server behind the firewall.
• OK — Save the changes that were made on any of the tabs in this window.
• Cancel — Close this window without saving any changes that were made on any tabs of this window.
• Versions — Click this button to view a display of all of the fields on this window that have version-specific availability. You can also view this same information at the field level by holding your mouse over the version level icon and viewing the ToolTip.
Tabs
This window contains a number of tabs. As shown in the following table, the Type selection determines the tabs that are displayed and the fields on those tabs.

Table 17 HTTPS Application Defense: type selection and tabs
Tab                   Client   Server
Content Scanning      X        X
Connection            X        X
General                        X

• Content Scanning — Enable filtering of Web traffic using SmartFilter and enable filtering of SOAP objects. See HTTPS Application Defense window: Content Scanning tab on page 373.
• Connection — Specify connection properties for the HTTPS application defense. See HTTPS Application Defense window: Connection tab on page 374.
• General — Determine whether to enable SSL decryption for Web traffic. See HTTPS Application Defense window: General tab on page 371.

If you select the Decrypt Web Traffic checkbox on this tab, the following additional tabs are displayed.

Table 18 Additional tabs for Decrypt Web Traffic
Tab                   Client   Server
HTTP URL                       X
HTTP Request                   X
HTTP Reply                     X
MIME/Virus/Spyware             X

• HTTP URL — Configure HTTP URL control properties. See HTTPS Application Defense window: HTTP URL tab on page 375.
• HTTP Request — Configure header filtering for HTTP requests. See HTTPS Application Defense window: HTTP Request tab on page 377.
• HTTP Reply — Configure header filtering for HTTP replies. See HTTPS Application Defense window: HTTP Reply tab on page 378.
• MIME/Virus/Spyware — Enable MIME, virus, and spyware scanning services. See HTTPS Application Defense window: MIME/Virus/Spyware tab on page 380.

HTTPS Application Defense window: General tab
Use the General tab of the HTTPS Application Defense window to configure SSL decryption and select other options for the HTTPS application defense.
Note: The General tab is available only if you selected Server as the Type on this window.
To use SSL decryption services on the firewall, you must have licensed the following features:
• Strong Cryptography — This feature is included with the basic firewall Security Appliance license.
• SSL Decryption — This feature is an add-on module. If you purchase it after the initial activation of the firewall, you must re-license the firewall to activate this feature.
Figure 143 HTTPS Application Defense window: General tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.
4 Select Server as the value for the Type field.
5 Make sure that the General tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Decrypt Web Traffic — Determines whether SSL decryption is enabled. This checkbox is cleared by default. In this case, Web traffic passes through without being decrypted. If this checkbox is selected, the other controls on this page may be used to configure SSL settings and enable other options.
  Note: Proxy rules that use HTTPS application defenses with this checkbox selected must have redirection configured.
• Relax Protocol Enforcements — Determines whether RFC requirements for HTTP are relaxed. This checkbox is cleared by default. If this checkbox is selected, select one of the following options from the list:
  • Client — Relaxes requirements only on HTTP traffic received from clients.
  • Server — Relaxes requirements only on HTTP traffic received from servers.
  • Both — Relaxes requirements on HTTP traffic received from both clients and servers.
  Note: If you select the Relax Protocol Enforcements checkbox, the following RFC infractions are allowed:
  • Media types in Content-Type headers do not require the subtype attribute
  • Empty headers
  • Duplicated responses from the server where the response is the same but the version is different
  • Query strings containing arbitrary data
  Select Relax Protocol Enforcements only if these types of infractions are acceptable or required in your network.
• Rewrite Microsoft® OWA HTTP (Outlook Web Access) — Determines whether clientless VPN sessions are allowed to access a Microsoft Exchange Server. This checkbox is cleared by default.
• SSL Settings — Use the fields in this area to configure your SSL settings. The following fields are available:
  • Allow Selected SSL/TLS Versions — Specify the SSL/TLS versions that will be accepted for secure Web connections. The following checkboxes are available:
    • SSL2 — If selected, indicates that the SSL Version 2 protocol will be accepted. SSL2 is not recommended. It is provided only to allow compatibility with older Web browsers and SSL applications.
    • SSL3 — If selected, indicates that the SSL Version 3 protocol will be accepted.
    • TLS1 — If selected, indicates that the TLS Version 1 protocol will be accepted.
  • Require Diffie-Hellman Key Exchange — Determines whether Diffie-Hellman Key Exchange is required. This checkbox is enabled only if you have selected the SSL3 or TLS1 checkbox in the Allow Selected SSL/TLS Versions field. This checkbox is cleared by default.
  • Minimum Crypto Strength — Specify the minimum level of cryptography desired. Allowed values are 40 bit, 56 bit, 128 bit, and 168 bit.
• Firewall Certificates — Use the table in this area to configure the SSL certificates that will be used to decrypt HTTPS traffic. Unless you specify overrides here, the certificate that is specified in the Firewall window will be used.
  • Firewall — Select the firewall that has the certificate that you want to use as an override.
  • Certificate — Specify the certificate that is used to authenticate the firewall to the remote HTTPS/SSL client.

HTTPS Application Defense window: Content Scanning tab
Use the Content Scanning tab of the HTTPS Application Defense window to configure settings associated with filtering Web content and denying SOAP objects.
Figure 144 HTTPS Application Defense window: Content Scanning tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.
4 Select Server as the value for the Type field.
5 Select the Content Scanning tab.

Fields and buttons
This tab has the following fields and buttons.
• Enforce McAfee SmartFilter — Determines whether McAfee SmartFilter is used to filter HTTPS traffic. This checkbox is cleared by default. If this checkbox is selected, the following field can be used:
  • Reject all requests if McAfee SmartFilter unavailable — Determines whether HTTPS requests are denied if the McAfee SmartFilter server on the firewall is unavailable.
• Enforce Content Control — [Available only if you select Server as the Type field value on this window] Determines whether certain types of content are denied. This checkbox is cleared by default. If this checkbox is selected, the following field can be used to deny particular types of content from Web documents:
  • Deny SOAP — Deny SOAP objects.

HTTPS Application Defense window: Connection tab
Use the Connection tab of the HTTPS Application Defense window to configure connection properties for the HTTPS application defense.

Figure 145 HTTPS Application Defense window: Connection tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.
4 Select Server as the value for the Type field.
5 Select the Connection tab.
Fields and buttons
This tab has the following fields and buttons:
• Upstream proxies — Use the fields in this table to specify the upstream proxies. The following fields are available:
  • Enabled — Determines whether the HTTP proxy can communicate with a non-transparent proxy. This checkbox is cleared by default.
  • Scheme — Specify the scheme of the requests to be forwarded. A scheme is the protocol identifier in the URI naming structure (for example, gopher).
  • IP address — Specify the IP address of the upstream proxy where the request is being sent. The default value is <None>.
  • Port — Specify the port of the upstream proxy where the request is being sent. The default value is <None>. Valid values are integers between 1 and 65535.
• Destination ports allowed through non-transparent HTTP proxy — Use the fields in this area to specify the range of allowable destination ports for non-transparent proxies. The following fields are available:
  • Start Port — Specify the first port in the range.
  • End Port — Specify the last port in the range.

HTTPS Application Defense window: HTTP URL tab
Use the HTTP URL tab of the HTTPS Application Defense window to configure HTTP URL control properties. These properties include allowed commands, disallowed URLs, maximum length of a URL, and other options.

Figure 146 HTTPS Application Defense window: HTTP URL tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.
4 Select Server as the value for the Type field.
5 Make sure that you select Decrypt Web Traffic on the General tab.
6 Select the HTTP URL tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce URL Control configuration — Determines whether URL control properties are configured. This checkbox is cleared by default. If this checkbox is selected, the remaining fields on this tab are available.
• Allowed Commands — Specify the HTTP commands that are allowed by the proxy.
• Deny Specified URL Matches — Specify whether the match strings in the table identify URLs to be denied or URLs to be allowed. The following options are available:
  • Deny — Indicates that, if the string is found in a particular URL, the request is explicitly denied. The table lists the match strings that are currently denied.
  • Allow specified URL matches — Indicates that the URLs that you have specified will be allowed.
• Match Type — Specify the way that the value specified in the Match Parameter field will match with the value in the String field. The following values are available:
  • Contains
  • Begins with
  • Ends with
• Match Parameter — Specify the portion of the URL to be matched against the value that is specified in the String field. The following values are available:
  • Host — Indicates that the host component of the request URL will be matched with the value in the String field.
  • Path — Indicates that the path component of the request URL will be matched with the value in the String field.
  • All — Indicates that the entire request URL will be matched with the value in the String field.
• String — Specify the string to be denied. Consider the URL http://www.mycompany.com/resources/logos.html and the String "logos".
  This URL will be allowed if the Match Parameter value is Host; it will be denied if the Match Parameter value is Path or All.
• Options — Use the fields in this area to specify additional options. The checkboxes associated with these options are cleared by default.
  • Enforce Strict URLs — Determines whether URLs containing special characters are denied. If this checkbox is selected, special characters that the URL RFC excludes from URL syntax will not be permitted. These include angle brackets (<>), braces ({}), brackets ([]), double quotation mark ("), back quote (`), back slash (\), caret (^), and pipe (|).
  • Allow Unicode — Determines whether international multibyte characters are allowed in a query. If this checkbox is selected, international multibyte characters are allowed.
  • Require HTTP Version in Request — Determines whether the HTTP version is required in HTTP requests. If this checkbox is selected, the checkboxes associated with the acceptable versions, 1.0 and 1.1, are selected.
    • 1.0 — Indicates that HTTP version 1.0 is allowed.
    • 1.1 — Indicates that HTTP version 1.1 is allowed.
  • Max URL Length — Specify the maximum number of characters allowed in a URL. The default is 1024. Acceptable values range from 1 to 10000.

HTTPS Application Defense window: HTTP Request tab
Use the HTTP Request tab of the HTTPS Application Defense window to configure filtering of headers on HTTP requests.
Note: The HTTP Request tab is available only if you selected Server or Combined as the value of the Type field on this window.

Figure 147 HTTPS Application Defense window: HTTP Request tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.
4 Select Server as the value for the Type field.
5 Make sure that you select Decrypt Web Traffic on the General tab.
6 Select the HTTP Request tab.
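The following Python is an added illustration of the HTTP URL tab's match logic described above (it is not McAfee code and does not describe the firewall's internals): it applies the Match Type, Match Parameter and String fields, Enforce Strict URLs and Max URL Length to a request URL and reproduces the guide's "logos" example. The order in which the checks run, and treating Allow specified URL matches as a list outside of which everything is denied, are assumptions.

```python
"""Model of the HTTP URL tab settings (added example, not McAfee code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Characters the guide lists under Enforce Strict URLs: angle brackets, braces,
# brackets, double quotation mark, back quote, back slash, caret, pipe.
STRICT_FORBIDDEN = frozenset('<>{}[]"`\\^|')


@dataclass
class UrlMatch:
    """One row of the URL match table."""
    match_type: str        # "Contains", "Begins with" or "Ends with"
    match_parameter: str   # "Host", "Path" or "All"
    string: str


@dataclass
class UrlControl:
    """Settings taken from the HTTP URL tab."""
    # "Deny": listed matches are denied, everything else allowed.
    # "Allow": listed matches are allowed, everything else denied (assumption).
    list_mode: str = "Deny"
    rules: list = field(default_factory=list)
    enforce_strict_urls: bool = False
    max_url_length: int = 1024   # guide default; acceptable range 1 to 10000


def _component(url: str, parameter: str) -> str:
    """Return the part of the URL that a Match Parameter value selects."""
    parts = urlsplit(url)
    if parameter == "Host":
        return parts.hostname or ""
    if parameter == "Path":
        return parts.path
    if parameter == "All":
        return url
    raise ValueError(f"unknown Match Parameter {parameter!r}")


def rule_matches(url: str, rule: UrlMatch) -> bool:
    """Apply one Match Type / Match Parameter / String row to a URL."""
    haystack = _component(url, rule.match_parameter)
    if rule.match_type == "Contains":
        return rule.string in haystack
    if rule.match_type == "Begins with":
        return haystack.startswith(rule.string)
    if rule.match_type == "Ends with":
        return haystack.endswith(rule.string)
    raise ValueError(f"unknown Match Type {rule.match_type!r}")


def evaluate(url: str, policy: UrlControl) -> str:
    """Return 'allow' or 'deny' for one request URL.

    Check order is assumed: Max URL Length, then Enforce Strict URLs,
    then the match table under the selected list mode.
    """
    if len(url) > policy.max_url_length:
        return "deny"
    if policy.enforce_strict_urls and STRICT_FORBIDDEN.intersection(url):
        return "deny"
    listed = any(rule_matches(url, r) for r in policy.rules)
    if policy.list_mode == "Deny":
        return "deny" if listed else "allow"
    return "allow" if listed else "deny"


if __name__ == "__main__":
    # The guide's own example: String "logos" against this URL, with each
    # Match Parameter in turn (Host -> allow, Path -> deny, All -> deny).
    url = "http://www.mycompany.com/resources/logos.html"
    for param in ("Host", "Path", "All"):
        policy = UrlControl(rules=[UrlMatch("Contains", param, "logos")])
        print(f"{param:4s} -> {evaluate(url, policy)}")
```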
Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Request Configuration — Determines whether HTTP request header filtering properties are configured. This checkbox is cleared by default. If this checkbox is selected, the other controls on this page may be used to configure specific request header properties.
• Filter Option — Determines whether selected HTTP request header types are allowed or denied. The following values are available:
  • Allow — Permits all selected HTTP Request Header Filter Types. If this option is selected, all other HTTP request header types are denied.
  • Deny — Denies all selected HTTP Request Header Filter Types. If this option is selected, all other HTTP request header types are allowed.
• Denied Header Action — Determines whether a page containing a denied header is displayed. The following values are available:
  • Allow Page Without Denied Header — Masks the denied header but allows the page to be displayed.
  • Block Entire Page — If the HTTP header is denied, prevents the whole page from being displayed.
• HTTP Request Header Filter Types — Specify the types of HTTP request headers to be allowed or denied. Select the checkbox associated with each type to include. Right-click on the column heading to access options to quickly select or clear fields. The following values are available:
  • None — Clears all HTTP request header types.
  • Standard — Selects all HTTP request header types.
  • Paranoid — Selects only the HTTP request header types defined in RFCs.
  • Custom — Allows you to manually select desired HTTP request header types.
  • Select All — Selects all HTTP request header types.

HTTPS Application Defense window: HTTP Reply tab
Use the HTTP Reply tab of the HTTPS Application Defense window to configure filtering of headers on HTTP replies.

Figure 148 HTTPS Application Defense window: HTTP Reply tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.
4 Select Server as the value for the Type field.
5 Make sure that you select Decrypt Web Traffic on the General tab.
6 Select the HTTP Reply tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce HTTP Reply Configuration — Determines whether HTTP reply header filtering properties are configured. This checkbox is cleared by default. If this checkbox is selected, the other controls on this page may be used to configure specific reply header properties.
• Filter Option — Determines whether selected HTTP reply header types are allowed or denied. The following values are available:
  • Allow — Permits all selected HTTP Reply Header Filter Types. If this option is selected, all other HTTP reply header types are denied.
  • Deny — Denies all selected HTTP Reply Header Filter Types. If this option is selected, all other HTTP reply header types are allowed.
• HTTP Reply Header Filter Types — Specify the types of HTTP reply headers to be allowed or denied. Select the checkbox associated with each type to include. Right-click on the column heading to access options to quickly select or clear fields. The following values are available:
  • None — Clears all HTTP reply header types.
  • Standard — Selects all HTTP reply header types.
  • Paranoid — Selects only the HTTP reply header types defined in RFCs.
  • Custom — Allows you to manually select desired HTTP reply header types.
  • Select All — Selects all HTTP reply header types.
• Denied Header Action — Determines whether a page containing a denied header is displayed. The following values are available:
  • Allow Page Without Denied Header — Masks the denied header but allows the page to be displayed.
  • Block Entire Page — If the HTTP header is denied, prevents the whole page from being displayed.
• Denied header values — Use the fields in this area to create a list of headers and matching values that you want to block. If a specified header appears in a request or in a response, and it contains the specified value, it is dropped from the message.
  • Full header names must be used.
  • Regular expressions are not supported.
  • Values are matched in a case-insensitive manner, and are used exactly as specified.
  For more information on HTTP message headers, refer to RFC 2616, which can be found at www.ietf.org/rfc.html.
  • Header — Specify the header to be blocked.
  • Value — Specify the value of the header to be blocked.
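As an added example (not the product's code), this Python models the header filter that the HTTP Request and HTTP Reply tabs above both describe: the Allow/Deny inversion of the Filter Types table, the Denied Header Action, and the case-insensitive Denied header values. The sample reply headers are constructed; that a denied value is matched by exact comparison rather than substring, and that a value hit only drops the header rather than the page, are assumptions.

```python
"""Model of the HTTP Request / HTTP Reply header filter (added example, not McAfee code)."""
from dataclasses import dataclass, field

ALLOW_PAGE = "Allow Page Without Denied Header"
BLOCK_PAGE = "Block Entire Page"


@dataclass
class HeaderFilter:
    """Settings taken from the HTTP Request or HTTP Reply tab."""
    filter_option: str                  # "Allow" or "Deny"
    filter_types: frozenset             # header names ticked in the Filter Types table
    denied_header_action: str = ALLOW_PAGE
    denied_values: list = field(default_factory=list)   # (Header, Value) pairs


def type_denied(name: str, f: HeaderFilter) -> bool:
    """Filter Option semantics from the guide.

    Allow: the ticked types are permitted; every other header type is denied.
    Deny:  the ticked types are denied; every other header type is allowed.
    """
    ticked = name.lower() in {t.lower() for t in f.filter_types}
    return (not ticked) if f.filter_option == "Allow" else ticked


def value_denied(name: str, value: str, f: HeaderFilter) -> bool:
    """Denied header values: full header name, no regular expressions,
    case-insensitive; exact value comparison is an assumption."""
    return any(name.lower() == h.lower() and value.lower() == v.lower()
               for h, v in f.denied_values)


def apply_filter(headers: list, f: HeaderFilter) -> tuple:
    """Return (verdict, kept_headers, dropped_header_names).

    A header denied by type follows Denied Header Action: masked from the
    message, or the whole page blocked. A header hit by Denied header values
    is dropped from the message (assumed never to block the page).
    """
    kept, dropped = [], []
    block = False
    for name, value in headers:
        if type_denied(name, f):
            dropped.append(name)
            block = block or f.denied_header_action == BLOCK_PAGE
        elif value_denied(name, value, f):
            dropped.append(name)
        else:
            kept.append((name, value))
    if block:
        return "block", [], dropped
    return "pass", kept, dropped


# Constructed sample reply headers, as a server behind the firewall might send.
SAMPLE_REPLY = [
    ("Content-Type", "text/html"),
    ("Content-Length", "5120"),
    ("Server", "ExampleHTTPd/1.0"),
    ("X-Powered-By", "ExampleFramework"),
    ("Set-Cookie", "session=abc; Path=/"),
]

# Filter Option Allow: only the ticked types reach the client; others are masked.
ALLOW_LISTED = HeaderFilter(
    filter_option="Allow",
    filter_types=frozenset({"Content-Type", "Content-Length", "Set-Cookie"}),
)

# Filter Option Deny on one type, with Block Entire Page as the action.
BLOCK_ON_SERVER = HeaderFilter(
    filter_option="Deny",
    filter_types=frozenset({"Server"}),
    denied_header_action=BLOCK_PAGE,
)

# Nothing ticked under Deny (all types allowed), but one header/value pair stripped.
STRIP_VALUE = HeaderFilter(
    filter_option="Deny",
    filter_types=frozenset(),
    denied_values=[("x-powered-by", "exampleframework")],
)

if __name__ == "__main__":
    for label, f in (("allow-listed", ALLOW_LISTED),
                     ("block-on-server", BLOCK_ON_SERVER),
                     ("strip-value", STRIP_VALUE)):
        print(label, apply_filter(SAMPLE_REPLY, f))
```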
HTTPS Application Defense window: MIME/Virus/Spyware tab
Use the MIME/Virus/Spyware tab of the HTTPS Application Defense window to configure settings required for scanning of resources for MIME (Multipurpose Internet Mail Extensions) types, viruses, and spyware. These settings allow you to enable scanning, control scanner behavior, and specify the actions to be taken with different types of resources.
Note: The MIME/Virus/Spyware tab is available only if you selected Server as the value of the Type field in this window and selected Decrypt Web Traffic on the General tab in this window.

Figure 149 HTTPS Application Defense window: MIME/Virus/Spyware tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click HTTPS. The HTTPS Application Defense window is displayed.
4 Select Server as the value for the Type field.
5 Make sure that you select Decrypt Web Traffic on the General tab.
6 Select the MIME/Virus/Spyware tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce Virus/Spyware Scanning — Determines whether scanning of files for MIME types, viruses, and spyware is enabled. This checkbox is cleared by default. If you select this checkbox, the other controls on this page may be used to configure parameters that control scanning of file content and handling of infected files.
• Virus/Spyware Extensions — Use the fields in this area to specify the types of resources to be scanned and the action to be taken for each type. The following fields are available:
  • Default Action — Specify the action to be taken by default for resources that are not specified in the table below this field. The following values are available:
    • Allow — [Default] Indicates that all resources other than those explicitly denied by MIME Type, MIME Subtype, Extension Type and Action are allowed.
      Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and Extension Type fields to specify the resources that you want to scan or deny.
    • Scan — Indicates that all resources are to be scanned for MIME types, viruses and spyware, except those that are defined as being denied in the table.
    • Deny — Indicates that all resources are to be denied, except for those that are defined as being allowed in the table.
      Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and Extension Type fields to specify the resources that you want to allow or scan.
  • Action — Specify the action to be taken for resources with extensions of the type specified by Extension Type. The following values are available:
    • Allow — Permit files with the specified extensions to be transferred. Note that this option excludes scanning for viruses and spyware.
    • Scan — Require files with the specified extensions to be scanned for viruses and spyware. If scanning does not detect viruses or spyware, the files are allowed to be transferred.
    • Deny — Prohibit files with the specified extensions from being transferred. Note that this option excludes scanning for viruses and spyware.
  • MIME Type — Specify the MIME type that you want to filter. If you select the asterisk (*), the filter rule will ignore this field when it determines a match.
  • MIME Subtype — Specify the MIME subtype associated with the selected value in the MIME Type column. If you select the asterisk (*), the filter rule will ignore this field when it determines a match.
  • Extension Type — Specify the types of file name extensions to be filtered. The following values are available:
    • All File Extensions — Indicates file name extensions of all types (*). Extensions are ignored when the filter rule determines a match.
    • Archive File Types — Indicates usage of the list of predefined file name extensions that are displayed in the Extensions column (for example, tar, zip).
    • Mime Specific Types — Displays the file name extensions that are associated with the selected MIME Type and MIME Subtype field values. If you have selected a MIME Type of text and a MIME Subtype of html, for example, this field displays html and htm.
    • Custom List — You can specify text in the Extensions field to create a customized list of file name extensions.
  • Extensions — Specify the file name extensions to be included. If you selected Archive File Types or Mime Specific Types for the value of the Extension Type field, the associated extensions are displayed in this field. If you selected Custom List for the Extension Type field value, specify your file extensions in this list. Use the following guidance for your values:
    • Do not specify the leading period for each extension value.
    • If you have more than one file extension value to specify, use commas (,), not spaces, to delimit your values.
  • Up and down buttons — Use the buttons to move the selected row up or down one row in the table, respectively.
• Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields are available:
  • Reject all files if scanning is unavailable — Determines whether file transfer using HTTP is prevented if the proxy cannot communicate with the scanners. This checkbox is cleared by default. If you select this option, the connection will be dropped if scanning is unavailable (for example, due to out-of-date virus data, an expired license, or a configuration error).
  • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions 7.0.0.08 and later and 7.0.1.02 and later] Determines whether to enable scanning for unknown viruses. This checkbox is cleared by default.
• Infected File Handling — Use the fields in this area to specify the way that infected files are handled. The following options are available:
  • Discard infected files — Indicates that infected files will be discarded.
  • Repair infected files — Indicates that infected files will be disinfected prior to processing. If an infected file cannot be disinfected, it will be discarded.
• Maximum Scan Size — Use the fields in this area to specify file size parameters for scanning. The following fields are available:
  Note: The “allow” and “reject” options are available only for firewall versions 7.0.0.08 and later and versions 7.0.1.02 and later.
  • Scan File Size Limit (KB) — Specify the maximum file size (in kilobytes) that will be allowed. The default value is 32768.
  • Files over the scan limit will be allowed through unscanned — Indicates that, even though a file exceeds the specified limit, it will be allowed to pass through without being scanned.
  • Files over the scan limit will be rejected — Indicates that if a file exceeds the specified limit, scanning will not be performed and the file will be denied. This is the default selection.

Configuring Mail (Sendmail) application defenses

Use the Sendmail Application Defense window to create and maintain Sendmail application defenses. A Sendmail application defense is used in Sendmail rules.

Figure 150 Mail (Sendmail) Application Defense window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Mail (Sendmail) node. The Mail (Sendmail) Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Sendmail application defense.
• Description — Provide information about the Sendmail application defense.
• OK — Saves the changes that have been made on all of the tabs on this window and closes the window.
• Cancel — Closes the window without saving any changes that were made on any tab.

Tabs
This window has the following tabs:
• General — Configure certain types of filters for sendmail services (for example, size, keyword search, and spam/fraud). See Mail (Sendmail) Application Defense window: General tab on page 383.
• MIME/Virus/Spyware — Enable MIME and virus and spyware scanning services. See Mail (Sendmail) Application Defense window: MIME/Virus/Spyware tab on page 385.

Mail (Sendmail) Application Defense window: General tab

Use the General tab of the Mail (Sendmail) Application Defense window to configure filters for sendmail services. These filters include size, keyword search, and spam/fraud. The size filter allows you to specify a maximum size for messages allowed through the firewall. The keyword search filter allows you to screen mail messages according to specified keywords and character sequences. The spam/fraud filter allows you to screen mail messages for spam, fraud, and identity theft. Requirements for use of this filter are as follows:
• The Anti-Spam feature must be licensed on the firewall.
• The firewall must be configured for hosted sendmail.
• The rules governing traffic to be filtered must use the sendmail server and must specify a Mail (Sendmail) application defense that enables the spam/fraud filter.
To view the fields on the General tab, see Figure 150 on page 382.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Mail (Sendmail) node. The Mail (Sendmail) Application Defense window is displayed.
4 Make sure that the General tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Rejected Mail Handling — Specify the way that rejected mail messages are handled. The following values are available:
  • Discard — Indicates that rejected mail messages are discarded without notifying the sender.
  • Return to Sender — Indicates that notification is sent to the sender of a rejected mail message.
• Enforce Keyword Search Filtering — Determines whether mail messages are filtered on the phrases or character strings specified in the Keyword Search area. This checkbox is cleared by default.
• Keyword Search — Use the fields in this area to specify filter parameters and a list of phrases. The following fields are available:
  • Minimum Number of Phrase Matches Required for Rejection of Message — Specify the lowest number of matches required to reject a mail message.
  • Total Number of Phrase Matches to Verify Before Rejection — Specify the extent of the search for a specified phrase. The following values are available:
    • Minimum — Indicates that the search stops when the number of matches specified by the value in the Minimum Number of Phrase Matches Required for Rejection of Message field is reached. If this minimum is reached, the message is rejected; if not, the message is transmitted to the next filter or the intended recipient.
    • All — Indicates that the search stops only when the entire message has been scanned.
  • Phrase List — Use this table to specify one or more phrases for which to search.
    • Phrase Text — Specify a character string of at least two and no more than 255 characters. The string can contain any printable character and spaces.
    • Space (Before/After) — Specify the spacing around the value in the Phrase Text field that is required for a match. The following values are available:
      • N/A — Indicates that a space is not required before or after the specified text for a match.
      • Before — Indicates that a space must occur immediately before the specified text to be a match.
      • After — Indicates that a space must occur immediately after the specified text to be a match.
      • Before and After — Indicates that a space must occur both immediately before and immediately after the specified text to be a match.
• Enforce Message Size Filtering — Determines whether to use the size of a mail message as a filtering mechanism.
• Maximum Message Size (KB) — Specify the size (in kilobytes) of the largest mail message, including the mail header, that is allowed through the firewall. A mail message whose size is equal to or greater than this value is rejected. The default value is 1024.
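The following Python model is an added example, not code from this guide or from the Control Center product; it shows how the General tab's keyword search (phrase list, Space (Before/After), minimum matches and search extent) and message size filter combine into a rejected or accepted message. Assumed because the guide does not say: matching is literal and case-sensitive, the whole message including headers is searched, "space" means an ASCII space, and matches are counted across every phrase in the list.

```python
"""Added example, not code from the Control Center guide or the product:
a model of the Mail (Sendmail) General tab keyword search and message size
filters. Assumptions (not stated in the guide): literal, case-sensitive
matching over the whole message, ASCII space as "space", and matches
counted across all phrases in the Phrase List."""
from dataclasses import dataclass, field
from typing import List, Literal, Optional, Tuple

Spacing = Literal["N/A", "Before", "After", "Before and After"]


@dataclass
class Phrase:
    text: str                      # Phrase Text: 2 to 255 printable characters
    spacing: Spacing = "N/A"       # Space (Before/After)

    def __post_init__(self) -> None:
        if not (2 <= len(self.text) <= 255) or not self.text.isprintable():
            raise ValueError("Phrase Text must be 2 to 255 printable characters")

    def count_matches(self, message: str, stop_at: Optional[int] = None) -> int:
        """Count non-overlapping occurrences that satisfy the spacing rule.
        stop_at caps the search (the 'Minimum' extent); None scans it all."""
        count, start = 0, 0
        while stop_at is None or count < stop_at:
            idx = message.find(self.text, start)
            if idx < 0:
                break
            end = idx + len(self.text)
            before = idx > 0 and message[idx - 1] == " "
            after = end < len(message) and message[end] == " "
            ok = {"N/A": True, "Before": before, "After": after,
                  "Before and After": before and after}[self.spacing]
            count += int(ok)
            start = end
        return count


@dataclass
class SendmailGeneralDefense:
    rejected_mail_handling: Literal["Discard", "Return to Sender"] = "Discard"
    enforce_keyword_search: bool = False
    min_matches: int = 1          # Minimum Number of Phrase Matches Required ...
    extent: Literal["Minimum", "All"] = "Minimum"   # Total Number ... to Verify
    phrases: List[Phrase] = field(default_factory=list)
    enforce_size: bool = False
    max_size_kb: int = 1024       # Maximum Message Size (KB), default 1024

    def keyword_matches(self, message: str) -> int:
        """Total matches found, honouring the configured search extent."""
        total = 0
        for phrase in self.phrases:
            cap = None if self.extent == "All" else self.min_matches - total
            total += phrase.count_matches(message, cap)
            if self.extent == "Minimum" and total >= self.min_matches:
                break                      # 'Minimum': stop as soon as the bar is met
        return total

    def evaluate(self, message: str) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'accept' or the Rejected Mail
        Handling value that applies to a rejected message."""
        if self.enforce_size:
            size_kb = len(message.encode("utf-8")) / 1024   # header included
            if size_kb >= self.max_size_kb:                 # equal or greater is rejected
                return self.rejected_mail_handling, f"size {size_kb:.1f} KB >= {self.max_size_kb} KB"
        if self.enforce_keyword_search and self.phrases:
            found = self.keyword_matches(message)
            if found >= self.min_matches:
                return self.rejected_mail_handling, f"{found} phrase match(es)"
        return "accept", "passed to the next filter or the recipient"


# Constructed sample message; "free" occurs four times with different spacing.
SAMPLE = "Subject: offer\r\n\r\nfree money! get free money now. freestyle is free"
```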
Mail (Sendmail) Application Defense window: MIME/Virus/Spyware tab

Use the MIME/Virus/Spyware tab of the Mail (Sendmail) Application Defense window to configure settings required for scanning mail messages for MIME (Multipurpose Internet Mail Extensions) type, viruses, and spyware. Use these settings to enable scanning, to control scanner behavior, and to specify the actions to be taken with different types of resources.

Figure 151 Mail (Sendmail) Application Defense window: MIME/Virus/Spyware tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Mail (Sendmail) node. The Mail (Sendmail) Application Defense window is displayed.
4 Select the MIME/Virus/Spyware tab.

Fields and buttons
This tab has the following fields and buttons:
• Enforce Virus/Spyware Scanning — Determines whether scanning of files for MIME types, viruses, and spyware is enabled. This checkbox is cleared by default. If you select this checkbox, the other controls on this tab can be used to configure parameters that control file content scanning and infected file handling.
• Virus/Spyware Extensions — Use the fields in this area to specify the types of resources to be scanned and the action to be taken for each type. The following fields are available:
  • Default Action — Specify the action to be taken by default for resources that are not specified in the table below this field. The following values are available:
    • Allow — [Default] Indicates that all resources other than those explicitly denied by MIME Type, MIME Subtype, Extension Type and Action are allowed.
      Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and Extension Type fields to specify the resources that you want to scan or deny.
    • Scan — Indicates that all resources are to be scanned for MIME types, viruses and spyware, except those that are defined as being denied in the table.
    • Deny — Indicates that all resources are to be denied, except for those that are defined as being allowed in the table.
      Note: If you select this option, you must use the Action and MIME Type, MIME Subtype, and Extension Type fields to specify the resources that you want to allow or scan.
  • Action — Specify the action to be taken for resources with extensions of the type specified by Extension Type. The following values are available:
    • Allow — Permit files with the specified extensions to be transferred. Note that this option excludes scanning for viruses and spyware.
    • Scan — Require files with the specified extensions to be scanned for viruses and spyware. If scanning does not detect viruses or spyware, the files are allowed to be transferred.
    • Deny — Prohibit files with the specified extensions from being transferred. Note that this option excludes scanning for viruses and spyware.
  • MIME Type — Specify the MIME type that you want to filter. If you select the asterisk (*), the filter rule will ignore this field when it determines a match.
  • MIME Subtype — Specify the MIME subtype associated with the selected value in the MIME Type column. If you select the asterisk (*), the filter rule will ignore this field when it determines a match.
  • Extension Type — Specify the types of file name extensions to be filtered. The following values are available:
    • All File Extensions — Indicates file name extensions of all types (*). Extensions are ignored when the filter rule determines a match.
    • Archive File Types — Indicates usage of the list of predefined file name extensions that are displayed in the Extensions column (for example, tar, zip).
    • Mime Specific Types — Displays the file name extensions that are associated with the selected MIME Type and MIME Subtype field values. If you have selected a MIME Type of text and a MIME Subtype of html, for example, this field displays html and htm.
    • Custom List — You can specify text in the Extensions field to create a customized list of file name extensions.
  • Extensions — Specify the file name extensions to be included. If you selected Archive File Types or Mime Specific Types for the value of the Extension Type field, the associated extensions are displayed in this field. If you selected Custom List for the Extension Type field value, specify your file extensions in this list. Use the following guidance for your values:
    • Do not specify the leading period for each extension value.
    • If you have more than one file extension value to specify, use commas (,), not spaces ( ), to delimit your values.
  • Up and down buttons — Use the buttons to move the selected row up or down one row in the table, respectively.
• Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields are available:
  • Reject all files if scanning is unavailable — Determines whether transfer of files via sendmail is prevented if scanning is not available. This checkbox is cleared by default. If you select this option, files will be rejected or discarded as specified by the field settings on the General tab.
  • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions 7.0.0.08 and later and 7.0.1.02 and later] Determines whether to enable scanning for unknown viruses. This checkbox is cleared by default.
• Infected File Handling — Use the fields in this area to specify the way that infected files are handled. The following options are available:
  • Discard infected files — Indicates that infected files will be discarded.
  • Repair infected files — Indicates that infected files will be disinfected prior to processing. If an infected file cannot be disinfected, it will be discarded.
• Maximum Scan Size — Use the fields in this area to specify file size parameters for scanning. The following fields are available:
  Note: The “allow” and “reject” options are available only for firewall versions 7.0.0.08 and later and versions 7.0.1.02 and later.
  • Scan File Size Limit (KB) — Specify the maximum file size (in kilobytes) that will be allowed. The default value is 32768.
  • Files over the scan limit will be allowed through unscanned — Indicates that, even though a file exceeds the specified limit, it will be allowed to pass through without being scanned.
  • Files over the scan limit will be rejected — Indicates that if a file exceeds the specified limit, scanning will not be performed and the file will be denied. This is the default selection.
• SMTP Scanning — Use the fields in this area to determine the SMTP scanning settings for messages. The following fields are available:
  • Full scan of entire mail message — Determines whether the entire mail message (for example, the message and all of its MIME parts) is scanned.
  • Discard entire message if denied or infected files are found — Determines whether the entire message is discarded if it contains a denied or infected attachment. This checkbox is cleared by default. If you select this option, files will be discarded without notifying the sender, or they will be returned to the sender, as specified by the selection for the Rejected Mail Handling field on the General tab.
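The Virus/Spyware Extensions table, Default Action and Maximum Scan Size settings work the same way on the HTTP Virus/Spyware tab (page 381) and on this Sendmail MIME/Virus/Spyware tab; the following Python model is an added example, not code from this guide or from the Control Center product, and shows how one file's MIME type, extension and size resolve to a verdict. Assumed because the guide does not say: rows are evaluated top to bottom and the first matching row wins (which is why the up/down buttons matter), MIME and extension comparisons are case-insensitive, and the product's predefined Archive File Types and MIME-specific extension lists are stood in for by constructed subsets.

```python
"""Added example, not code from the Control Center guide or the product:
a model of the Virus/Spyware Extensions table, Default Action and Maximum
Scan Size settings shared by the HTTP and Mail (Sendmail) scanning tabs.
Assumptions not stated in the guide: first matching row wins (top to
bottom), comparisons are case-insensitive, and the predefined extension
lists are stood in for by constructed subsets."""
from dataclasses import dataclass, field
from typing import Callable, List, Literal, Optional, Set

Action = Literal["Allow", "Scan", "Deny"]
ExtensionType = Literal["All File Extensions", "Archive File Types", "Mime Specific Types", "Custom List"]

# Constructed stand-ins; the product's predefined lists are longer.
ARCHIVE_EXTENSIONS: Set[str] = {"tar", "zip", "gz", "rar", "7z"}
MIME_EXTENSIONS = {("text", "html"): {"html", "htm"}, ("application", "pdf"): {"pdf"}}


def parse_custom_list(text: str) -> Set[str]:
    """Extensions field for Custom List: comma-delimited, no leading period."""
    exts = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if " " in token or token.startswith("."):
            raise ValueError(f"comma-delimit entries and omit the leading period: {token!r}")
        exts.add(token.lower())
    return exts


@dataclass
class Row:
    action: Action
    mime_type: str = "*"           # "*" makes the field ignored when matching
    mime_subtype: str = "*"
    extension_type: ExtensionType = "All File Extensions"
    extensions: str = ""           # Custom List only, as typed in the UI

    def extension_set(self) -> Optional[Set[str]]:
        """None means extensions are ignored when determining a match."""
        if self.extension_type == "All File Extensions":
            return None
        if self.extension_type == "Archive File Types":
            return ARCHIVE_EXTENSIONS
        if self.extension_type == "Mime Specific Types":
            return MIME_EXTENSIONS.get((self.mime_type.lower(), self.mime_subtype.lower()), set())
        return parse_custom_list(self.extensions)

    def matches(self, mime_type: str, mime_subtype: str, ext: str) -> bool:
        if self.mime_type != "*" and self.mime_type.lower() != mime_type.lower():
            return False
        if self.mime_subtype != "*" and self.mime_subtype.lower() != mime_subtype.lower():
            return False
        exts = self.extension_set()
        return exts is None or ext.lower().lstrip(".") in exts


@dataclass
class VirusSpywareDefense:
    enforce_scanning: bool = False          # Enforce Virus/Spyware Scanning
    default_action: Action = "Allow"        # Default Action
    rows: List[Row] = field(default_factory=list)
    scan_size_limit_kb: int = 32768         # Scan File Size Limit (KB)
    over_limit: Literal["allow", "reject"] = "reject"   # default selection
    repair_infected: bool = False           # False = Discard, True = Repair

    def action_for(self, mime_type: str, mime_subtype: str, ext: str) -> Action:
        """First matching row wins; otherwise Default Action applies."""
        for row in self.rows:
            if row.matches(mime_type, mime_subtype, ext):
                return row.action
        return self.default_action

    def verdict(self, mime_type: str, mime_subtype: str, ext: str, size_kb: int,
                scanner: Callable[[], str] = lambda: "clean") -> str:
        """scanner() stands in for the scan engine: 'clean', 'infected' or
        'repairable'. Verdicts: allow, deny, allow-unscanned, discard, repair."""
        if not self.enforce_scanning:
            return "allow"                   # checkbox cleared: no filtering
        action = self.action_for(mime_type, mime_subtype, ext)
        if action in ("Allow", "Deny"):
            return action.lower()            # neither path is scanned
        if size_kb > self.scan_size_limit_kb:
            return "allow-unscanned" if self.over_limit == "allow" else "deny"
        result = scanner()
        if result == "clean":
            return "allow"
        if result == "repairable" and self.repair_infected:
            return "repair"
        return "discard"                     # infected and not repaired


# Constructed policy: Scan by default, deny executables, pass text/html unscanned.
POLICY = VirusSpywareDefense(enforce_scanning=True, default_action="Scan", rows=[
    Row("Deny", extension_type="Custom List", extensions="exe,scr,bat"),
    Row("Allow", "text", "html", "Mime Specific Types"),
    Row("Scan", extension_type="Archive File Types")])
```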
Configuring Mail (SMTP proxy) application defenses

Use the Mail (SMTP proxy) Application Defense window to create and maintain Mail (SMTP proxy) application defenses. The Mail (SMTP proxy) application defense is used to filter mail by using the SMTP proxy rules and to conceal your internal mail infrastructure.

Figure 152 Mail (SMTP proxy) Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node to display the tree.
3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.

Fields and buttons
This window has the following fields and controls:
• Name — Specify a label used to refer to the Mail (SMTP proxy) application defense.
• Description — Provide information about the Mail (SMTP proxy) application defense.
• Disable application defense filtering — Determines whether mail is filtered according to destination address. This checkbox is cleared by default. If this checkbox is selected, all of the settings in this window are ignored and the SMTP proxy behaves as if it were a transport layer relay.
• OK — Saves the changes that were made on any of the tabs in this window.
• Cancel — Closes this window without saving any changes that were made on any tab of this window.

Tabs
This window has the following tabs:
• General — Hide your internal mail infrastructure and configure message destination and size options. For more information, see Mail (SMTP proxy) Application Defense window: General tab on page 389.
• Commands — Specify the SMTP commands that are allowed. For more information, see Mail (SMTP proxy) Application Defense window: Commands tab on page 391.
• Header Filters — Configure the mail headers that are allowed. For more information, see Mail (SMTP proxy) Application Defense window: Header Filters tab on page 393.

Mail (SMTP proxy) Application Defense window: General tab

Use the General tab of the Mail (SMTP Proxy) Application Defense window to specify a replacement greeting for the server, to specify the SMTP commands that are permitted, to limit the length of replies received from mail servers, and to configure various other settings. To view the fields on the General tab, see Figure 152 on page 388.

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node to display the tree.
3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.
4 Make sure that the General tab is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Replace server's greeting with — Determines whether the server greeting will be replaced with a value that you specify in this field. If you select this checkbox, specify a replacement greeting (of up to 128 characters) or leave the field blank to remove the server's greeting. The default is to replace the greeting text with Service ready. Valid values include: alphanumeric characters, dash (-), underscore (_), period (.), space ( ), apostrophe ('), and at sign (@).
Use the following fields in this group to replace the fully qualified domain name (FQDN) of an internal mail transfer agent (MTA):
Note: In SMTP connections, the MTA that is sending the message is considered to be the client, while the MTA that is receiving the message is considered to be the server.
• Replace server's FQDN with — Determines whether you will replace the FQDN of the SMTP server with a value that you specify. If you select this checkbox, specify an FQDN (of up to 250 characters) to replace the FQDN of the SMTP server. This feature is commonly used with inbound redirect rules to hide an internal e-mail server’s domain name. Valid values include: alphanumeric characters, dash (-), underscore (_), and period (.).
• Replace client's FQDN with — Determines whether you will replace the FQDN of the SMTP client with a value that you specify. If you select this checkbox, specify an FQDN (of up to 250 characters) to replace the SMTP client’s FQDN. This feature is commonly used with outbound NAT rules to hide an internal e-mail server’s domain name. Valid values include: alphanumeric characters, dash (-), underscore (_), and period (.).
• Verify client's FQDN — Determines whether the client’s IP address must match the domain specified in the client’s HELO or EHLO command. If this is selected and the client's domain and IP address do not match, a 554 reply code is sent to the client.
• Pass server's reply text — Determines whether to allow human-readable reply text to pass from the server to the client.
  Note: If you select this checkbox to enable this feature on outbound SMTP rules, private network information can be revealed.
• Max PDU size — Specify the allowed length of SMTP commands and responses for the Protocol Data Unit (PDU). Allowed values are 512 bytes to 64 kilobytes. This limit does not apply to data or authorization commands.
• Mail Messages — Use the fields in this area to configure destination-based mail filtering. The SMTP proxy blocks messages that contain source routing information by default. To configure the proxy to allow these messages while stripping the source routing information, use the destination table.
  • Allow mail to — [Available only if Enforce Destination Address Filtering is selected] Specify the destinations to which mail is allowed. The following options are available:
    • Allow mail to any destination — Indicates that mail will be allowed to any destination.
    • Only allow mail to defined destinations — Indicates that you can specify the destinations to which the firewall will forward mail. The firewall allows mail based on the contents of its RCPT TO: field. If the domain name portion of the RCPT TO: field matches a character string in the domain address list, the mail is allowed to pass. To configure the destinations, use the destination table below.
  • Destination Type — Specify the format of the destination for this row. To add a destination, click the Destination Type field when it has no value. Select a value from the list and continue with the other fields in the destination table. The following options are available:
    • Domains — Indicates that this destination is a fully qualified domain name (FQDN).
    • IP address — Indicates that this destination is a single IP address.
    • IP Range — Indicates that this destination is an address range.
  • Destination — Specify the value of the destination, depending on the value in the Destination Type column.
    • Domains — Specify a fully qualified domain name (FQDN).
    • IP address — Specify a valid IP address.
    • IP Range — Specify an address range, with beginning and ending IP addresses.
  • Include Subdomains — Determines whether the subdomains for an FQDN are included in this destination. For example, if you allow mail to be sent to example.com and select this option, messages sent to mail.example.com are also allowed. This is the most reliable option to go with the Domains value in the Destination Type field because most destinations in the RCPT TO: field are formatted as a domain name.
  • Limit message size — Determines whether to restrict the allowed size for mail messages. Mail that exceeds the specified limit is rejected. Allowed values are 1 byte up to (but not including) 2 gigabytes.
  • Limit number of recipients — Determines whether to limit the number of recipients allowed per mail message. Allowed values are 1–100000 recipients.
  • Banned mailbox characters — Specify the banned non-printable or potentially dangerous characters in mailbox addresses. Specify the characters with no delimiters. Specify up to 255 characters.
    Note: You should not add often-used characters in this field. For example, specifying the character "o" blocks mail to all .com domains.
  • Add received header — Determines whether to configure the SMTP proxy to add an informational header to the beginning of messages that it receives. This header advertises that the firewall handled the message. For firewall version 7.0.0.06, the default value was selected. However, for versions 7.0.0.07 and later, the default value is cleared.
    Note: This field should be used for troubleshooting or internal auditing purposes only. You should not select this checkbox on outbound SMTP rules because private network information can be revealed.

Mail (SMTP proxy) Application Defense window: Commands tab

Use the Commands tab of the Mail (SMTP proxy) Application Defense window to specify the SMTP commands that are allowed.

Figure 153 Mail (SMTP proxy) Application Defense window: Commands tab
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node to display the tree.
3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.
4 Select the Commands tab.

Fields and buttons
This tab has the following fields and buttons:
• Allowed Extensions — Specify the SMTP extensions to allow.
  Note: If you allow STARTTLS and a session includes that command, the firewall will no longer perform any command filtering for the rest of that session.
• Relayed Commands — Use the fields in this area to specify the SMTP commands to relay. To add a command, scroll down to a blank row and specify the information. Any entry that you add to this list, within this SMTP object, will be available to other SMTP objects. To delete an existing command, click x (Delete) in that row. The default commands (onex, x-exps, x-link2state, and xexch50) cannot be deleted.
  Note: When a command selected in this list is encountered in a session, the firewall will no longer perform any command filtering for the rest of that session.
  • Use — Determines whether this command will be relayed.
  • Command — Displays the name of the command. If you are adding a relayed command, specify the value.
  • Extension — Displays the SMTP extension. If you are adding a command and it is defined by an SMTP extension, you must specify the extension name or SMTP clients will be unaware that the extension is supported. If the command that you are adding is not defined by an extension, leave this field blank.
  • Description — Displays a description for the relay command. If you are adding a command, you can specify a value for this column.
  • Delete — Delete the command in this row of the table.
Mail (SMTP proxy) Application Defense window: Header Filters tab

Use the Header Filters tab of the Mail (SMTP proxy) Application Defense window to configure the mail headers that are allowed. The SMTP proxy allows a maximum of 1000 headers per mail message.

Figure 154 Mail (SMTP proxy) Application Defense window: Header Filters tab

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node to display the tree.
3 Double-click Mail (SMTP Proxy). The Mail (SMTP proxy) Application Defense window is displayed.
4 Select the Header Filters tab.

Fields and buttons
This tab has the following fields and buttons:
• Header Names — Use the fields in this area to specify the way in which the headers are filtered. If you select an option that applies to specific headers, select those headers by selecting the Use checkbox in their rows. The following values are available in this area:
  • Allow all headers — Indicates that no header filtering will be used. This selection also disables the table.
  • Allow selected headers only — Indicates that only the headers that are selected in this table will be allowed.
  • Strip selected headers — Indicates that the headers that are selected in this table will be stripped from messages.
  To add a header, scroll down to a blank row and specify the information. Any entry that you add to this list, within this SMTP object, will be available to other SMTP objects. However, after you add this header, you cannot edit the header name or its description. To delete an existing header from this list, click x (Delete) in that row. Note that default headers in this table cannot be deleted. You can delete only those headers that have been added to the default list.
  • Use — Determines whether this header is allowed or stripped, depending on the value that you selected in the Header Names field.
  • Header — Specify the name of a header that you are adding; for an existing header, this field displays its name.
  • Description — Provide a description for a header that you are adding; for an existing header, this field displays its description.
  • Delete — Delete this row. This row is not actually deleted until you click OK to save the changes in this window.
• Header Values — Use the fields in this area to specify the way in which messages are blocked based on header-value pairs. If you select an option that applies to specific header values, select those header values by selecting the Use checkbox in their rows. The following values are available in this area:
  • Allow all header values — Indicates that no message blocking will be used. This selection also disables the table.
  • Block messages with selected header-value pairs — Indicates that messages with specific header values will be blocked. Header values are not case-sensitive.
  To add a header value, scroll down to a blank row and specify the information. Any entry that you add to this list, within this SMTP object, will be available to other SMTP objects. To delete an existing header value from this list, click x (Delete) in that row.
  • Use — Determines whether message blocking will be used for this header.
  • Header — Specify the name of a header that you are adding; for an existing header, this field displays its name.
  • Value — Specify the value for the header. Note that matches that are made on this value are not case-sensitive. Also, partial matches are allowed. For example, specifying example in this field would match testexampledomain.net.
  • Delete — Delete this row. This row is not actually deleted until you click OK to save the changes in this window.
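The following Python model is an added example, not code from this guide or from the Control Center product; it covers three of the SMTP proxy checks described above: the destination table applied to the RCPT TO: address (Domains with Include Subdomains, IP address, IP Range) and the Banned mailbox characters field from the General tab, and the Header Values blocking (case-insensitive, partial match) from this tab. Assumed because the guide does not say: the destination is the text after the last "@" compared case-insensitively, an address literal is written as user@[192.0.2.10], and the reason strings are constructed here.

```python
"""Added example, not code from the Control Center guide or the product:
a model of Mail (SMTP proxy) destination filtering, banned mailbox
characters and header-value blocking. Assumptions not stated in the guide:
the destination is the text after the last '@' (case-insensitive), an IP
literal is written as user@[192.0.2.10], and the reasons are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Literal, Tuple


@dataclass
class Destination:
    kind: Literal["Domains", "IP address", "IP Range"]   # Destination Type
    value: str                        # FQDN, one IP, or "first-last"
    include_subdomains: bool = False  # Include Subdomains (Domains only)

    def matches(self, rcpt_domain: str) -> bool:
        dest = rcpt_domain.lower().strip("[]")
        if self.kind == "Domains":
            fqdn = self.value.lower()
            return dest == fqdn or (self.include_subdomains and dest.endswith("." + fqdn))
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            return False                  # a domain name never matches an IP row
        if self.kind == "IP address":
            return addr == ipaddress.ip_address(self.value)
        first, last = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
        return first <= addr <= last


@dataclass
class SmtpProxyDefense:
    only_defined_destinations: bool = False   # Only allow mail to defined destinations
    destinations: List[Destination] = field(default_factory=list)
    banned_mailbox_chars: str = ""            # Banned mailbox characters, no delimiters
    # Header Values rows with Use selected: header name -> banned values
    blocked_header_values: Dict[str, List[str]] = field(default_factory=dict)

    def check_rcpt(self, mailbox: str) -> Tuple[bool, str]:
        """Apply the General tab checks to one RCPT TO: mailbox."""
        hit = [c for c in self.banned_mailbox_chars if c in mailbox]
        if hit:
            return False, f"banned mailbox character {hit[0]!r}"
        if not self.only_defined_destinations:
            return True, "any destination allowed"
        domain = mailbox.rsplit("@", 1)[-1]
        if any(d.matches(domain) for d in self.destinations):
            return True, f"destination {domain} allowed"
        return False, f"destination {domain} not in table"

    def check_headers(self, headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
        """Block messages with selected header-value pairs; matching is
        case-insensitive and partial, as the Value field describes."""
        table = {h.lower(): vals for h, vals in self.blocked_header_values.items()}
        for name, value in headers:
            for banned in table.get(name.lower(), []):
                if banned.lower() in value.lower():
                    return False, f"{name} contains {banned!r}"
        return True, "headers allowed"


# Constructed policy: deliver only to example.com and its subdomains or to one
# relay address range, and block the header value used as the guide's example.
POLICY = SmtpProxyDefense(
    only_defined_destinations=True,
    destinations=[Destination("Domains", "example.com", include_subdomains=True),
                  Destination("IP Range", "192.0.2.10-192.0.2.20")],
    blocked_header_values={"Subject": ["example"]})
```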
Configuring Citrix application defenses

Use the Citrix Application Defense window to create and maintain Citrix application defenses. A Citrix® application defense allows you to configure advanced properties for the Citrix ICA (Independent Computing Architecture) proxy. This proxy allows users to locate and connect to a Citrix server farm within a private address space. By configuring a Citrix application defense, you can control access to resources by enabling filtering of certain types of Citrix ICA application and communication channels (for example, drive mapping, clipboard operations, and printers).

Figure 155 Citrix Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Citrix node. The Citrix Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Citrix application defense.
• Description — Provide information about the application defense.
• Enforce Citrix Filters — Determines whether Citrix filtering is enabled. This checkbox is cleared by default. If this checkbox is selected, use the Denied Filters list to select items to be denied.
• Denied Filters — Specify the types of application or communication channels that are supported by Citrix that are to be denied. Select the checkbox that is associated with each type to include it. Right-click on the column heading to access options to quickly select or clear fields. The following options are available:
  • Select All — Select all filters, thereby denying all types of channels.
  • Unselect All — Clear all filters, thereby allowing all types of channels.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving the changes.

Configuring FTP application defenses

Use the FTP Application Defense window to create and maintain FTP application defenses. An FTP application defense configures advanced properties for FTP. Such properties include the types of FTP commands allowed and the parameters to use in scanning files transferred by using FTP.

Figure 156 FTP Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the FTP node. The FTP Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the FTP application defense.
• Description — Provide information about the FTP application defense.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving the changes.
  • 397. Application defenses Tabs This window has the following tabs: • General — Ensure that only specified FTP commands are allowed for a particular connection. For more information, see FTP Application Defense window: General tab on page 397. • Virus/Spyware — Ensure that files transferred via FTP are scanned for viruses and spyware. It also allows you to specify criteria to use for scanning and handling the files. For more information, see FTP Application Defense window: Virus/Spyware tab on page 398. FTP Application Defense window: General tab Use the General tab of the FTP Application Defense window to indicate whether FTP commands may be used for a particular connection and to specify the allowed commands. To view the fields on this tab, see Figure 156 on page 396. Accessing this tab 1 In the Configuration Tool, select the Policy group bar. 2 Select the Application Defenses node. 3 Double-click the FTP node. The FTP Defense window is displayed. 4 Make sure that the General tab is selected. Fields and buttons This tab has the following fields and buttons: • Enforce Command Filtering — Determines whether FTP commands are allowed. This checkbox is cleared by default. If you select this checkbox, use the Allowed Commands list to specify the commands that are permitted. • Allowed Commands — Specify the FTP commands that are permitted. Select the checkbox that is associated with each command to include it in the permitted commands list. Right-click on the column heading to access options to quickly select or clear fields. The following options are available: • Select All — Selects all commands. • Unselect All — Clears all commands. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 397
FTP Application Defense window: Virus/Spyware tab

Use the Virus/Spyware tab of the FTP Application Defense window to ensure that files transferred via FTP are scanned for viruses and spyware and to specify the criteria for scanning and handling those files.

Note: You must have licensed and configured scanning services to use the features of this tab. Use the Virus Scan window to configure scanning services, which include updating the scanner engine and signature files and distributing scanner processes for incoming and outgoing traffic.

Figure 157 FTP Application Defense window: Virus/Spyware tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the FTP node. The FTP Application Defense window is displayed.
4 Select the Virus/Spyware tab.

Fields and buttons
This tab has the following fields and buttons:
  • Enforce Virus/Spyware Scanning — Determines whether files are scanned for viruses and spyware. This checkbox is cleared by default. If you select it, use the fields in the Virus/Spyware Extensions and Scanner Behavior areas to control which file content is scanned and how infected files are handled.
  • Virus/Spyware Extensions — Use the fields in this area to specify the types of files to be scanned and the action to be taken for each type. The following fields are available:
    • Default Action — Specify the action taken for file types other than those matched by a row in the Extension Type and Action columns. The following values are available:
      • Allow — All file types other than those explicitly scanned or denied by a row in the table are allowed without scanning. This is the default value. Note: If you select this value, use the Action and Extension Type controls to specify the file types that you want to scan or deny.
      • Scan — File types other than those matched by a row in the table are scanned for viruses and spyware.
      • Deny — All file types other than those explicitly allowed or scanned by a row in the table are denied. Note: If you select this option, use the Action and Extension Type controls to specify the file types that you want to allow or scan.
    • Action — Specify the action taken for files whose extension matches the Extension Type column of the same row. The following values are available:
      • Allow — Permits files with the specified extensions to be transferred. Files handled by this action are not scanned for viruses or spyware.
      • Scan — Requires files with the specified extensions to be scanned for viruses and spyware. If scanning does not detect viruses or spyware, the file is allowed to be transferred.
      • Deny — Prohibits files with the specified extensions from being transferred. Files handled by this action are not scanned.
    • Extension Type — Specify the file name extensions that are subject to the action in the Action column. The following values are available:
      • All File Extensions — Applies the action to files with any extension.
      • Predefined list — Select file name extensions from the predefined list that is displayed in the Extensions field.
      • Custom List — Create a list of extensions by typing them in the Extensions column.
    • Extensions — Specify the file name extensions to be included. If the value in the Extension Type column is Predefined list, select values for Category (for example, application, image, text) and their associated file extensions. (For example, if you select application as the category, you can select doc, bin, and exe as the file extensions.)
    • Navigation arrows — Use the move up and move down arrows to change the position of the selected row in this table.
  • Scanner Behavior — Use the fields in this area to configure scanning parameters. The following fields are available:
    • Reject all files if scanning is unavailable — Determines whether FTP file transfers are prevented when the proxy cannot communicate with the scanners. This checkbox is cleared by default, in which case files pass without being scanned while the scanners are unreachable. If you select this option, the connection is dropped if scanning is unavailable (for example, because of out-of-date virus data, an expired license, or a configuration error).
    • Use heuristic scanning (scan for unknown viruses) — [Available only for firewall versions 7.0.0.08 and later and 7.0.1.02 and later] Determines whether scanning for unknown viruses is enabled. This checkbox is cleared by default.
    • Infected File Handling — Use the fields in this area to specify how infected files are handled. The following options are available:
      • Discard infected files — Infected files are discarded.
      • Repair infected files — Infected files are disinfected before processing. An infected file that cannot be disinfected is discarded.
    • Maximum Scan Size — [Available only for firewall versions 7.0.0.08 and later and 7.0.1.02 and later] Use the fields in this area to specify file size limits for scanning. The following fields are available:
      • Scan File Size Limit (KB) — Specify the largest file size (in kilobytes) that is scanned. The default value is 32768.
      • Files over the scan limit will be allowed through unscanned — A file that exceeds the limit is allowed through without being scanned.
      • Files over the scan limit will be rejected — A file that exceeds the limit is not scanned and is denied. This is the default selection.
  • Apply Filter Rules to FTP — Use the fields in this area to specify the FTP commands to which the actions in the Virus/Spyware Extensions area are applied. The following options are available:
    • Uploads (PUT) — Apply the rules only to PUT commands (uploads to a server).
    • Downloads (GET) — Apply the rules only to GET commands (downloads from a server).
    • Uploads, Downloads (PUT, GET) — Apply the rules to both PUT and GET commands.

Configuring IIOP application defenses

Use the IIOP Application Defense window to create and maintain Internet Inter-ORB Protocol (IIOP) application defenses. An IIOP application defense specifies properties such as whether bidirectional GIOP is allowed, whether message content is validated, and the maximum message size. IIOP is the General Inter-ORB Protocol (GIOP) carried over TCP/IP. The IIOP proxy provides transparent GIOP access through the firewall, which allows Common Object Request Broker Architecture (CORBA) applications to reach CORBA resources on configured networks as permitted by the site security policy.

Figure 158 IIOP Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the IIOP node. The IIOP Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
  • Name — Specify a label used to refer to the IIOP application defense.
  • Description — Provide information about the application defense.
  • Allow Bi-directional GIOP — Determines whether bidirectional GIOP is allowed. This checkbox is cleared by default.
  • Validate Content Format — Determines whether the format of the data in the GIOP PDU (protocol data unit) is validated. This checkbox is cleared by default. If you select it, the message contained in the PDU is examined to ensure that the header content, message direction, and message length are valid for the GIOP message type identified in the GIOP message header.
  • Maximum message size (PDU) — Specify the largest message that is allowed through the proxy. The default value is 72000.
  • OK — Save the changes in this window.
  • Cancel — Close this window without saving any changes.

Configuring T120 application defenses

Use the T120 Application Defense window to create and maintain T.120 application defenses. Use this window to ensure that permissions are checked to determine whether a connection is allowed and that only specified T.120 services are permitted over that connection.

The T.120 standard, produced by the International Telecommunication Union (ITU), is a suite of communication and application protocols for real-time data connections and multimedia conferencing. These protocols support whiteboarding, file transfer, application sharing, and text chat. The T.120 proxy controls T.120 services: it can control which T.120 nodes are allowed to initiate a connection to other nodes and mediate the services that are allowed during a session over an allowed connection between nodes.

Figure 159 T120 Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the T.120 node. The T120 Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
  • Name — Specify a label to refer to the T.120 application defense.
  • Description — Provide information about the T.120 application defense.
  • Enforce permission checking for T120 — Determines whether permissions are checked for an allowed connection between nodes. This checkbox is cleared by default. If you select it, use the checkboxes in the Allowed Service list to specify the T.120 services that are permitted.
  • Allowed Service — Specify the T.120 services that are allowed. Select the checkbox associated with each service to include it in the list. Right-click the column heading to access options that quickly select or clear fields. The following options are available:
    • Select All — Selects all services.
    • Unselect All — Clears all services.
  • OK — Save the changes in this window.
  • Cancel — Close this window without saving any changes.

Configuring H.323 application defenses

Use the H323 Application Defense window to create and maintain H.323 application defenses. H.323 is an International Telecommunication Union (ITU) standard that specifies how multimedia terminals, equipment, and services communicate over networks that do not provide a guaranteed quality of service (such as the Internet). H.323 allows users to participate in the same video conference even if they are using different video conferencing applications. Use the H323 Application Defense window to ensure that permissions are checked and that only specified audio and video codecs are allowed. Codecs define the format for transmitting audio and video information.

Figure 160 H323 Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the H.323 node. The H323 Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
  • Name — Specify a label to refer to the H.323 application defense.
  • Description — Provide information about the H.323 application defense.
  • Maximum call duration (sec) — Specify the maximum call duration. The default value is 86400 seconds.
  • Enforce permission checking for H323 — Determines whether permissions are checked for allowed audio and video codecs. This checkbox is cleared by default. If you select it, use the fields in the Allowed Common Codecs list to specify the codecs that are permitted.
  • Allowed Common Codecs — Specify the audio and video codecs that are allowed within the H.323 protocol. Select the checkbox associated with each codec to include it in the permissions list. Right-click anywhere in this list to access options that quickly select or clear codecs. The following values are available:
    • Required — Selects the codecs required by the H.323 standard.
    • Required + Low Bandwidth Audio — Selects the codecs required by the H.323 standard and the low bandwidth audio codecs.
    • Required + All Audio — Selects the codecs required by the H.323 standard and all audio codecs.
    • Required + All Audio + Video — Selects the codecs required by the H.323 standard and all audio and video codecs.
    • Custom — Manually select the desired codecs.
    • Select All — Selects all codecs.
    • Unselect All — Clears all codecs.
  • OK — Save the changes in this window.
  • Cancel — Close this window without saving any changes.

Configuring Oracle application defenses

Use the Oracle Application Defense window to create and maintain Oracle application defenses. Use this window to indicate whether Oracle service name checking is enabled and to configure the service names that are allowed access to the database server.

Figure 161 Oracle Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Oracle node. The Oracle Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
  • Name — Specify a label used to refer to the Oracle application defense.
  • Description — Provide information about the application defense.
  • Enforce Service Name Checking — Determines whether Oracle service name checking is enabled. This checkbox is cleared by default. If it is selected, the Service Name field is enabled.
  • Service Name — If the Enforce Service Name Checking checkbox is selected, specify the Oracle service names that are allowed access to the database server. Only sessions that match one of the service names specified in this field are allowed.
  • OK — Save the changes in this window.
  • Cancel — Close this window without saving any changes.

Configuring MS SQL application defenses

Use the MS SQL Application Defense window to create and maintain MS SQL application defenses.

Note: The MS SQL application defense is not currently available. It is reserved for future features.

Figure 162 MS SQL Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the MS SQL node. The MS SQL Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
  • Name — Specify a label to refer to the MS SQL application defense.
  • Description — Provide information about the MS SQL application defense.
  • OK — Save the changes in this window.
  • Cancel — Close this window without saving any changes.
Configuring SOCKS application defenses

Use the SOCKS Application Defense window to create and maintain SOCKS application defenses. Use this window to indicate whether SOCKSv4 is supported, to indicate the types of traffic that are allowed, and to specify the destination ports of the application server.

Figure 163 SOCKS Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the SOCKS node. The SOCKS Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
  • Name — Specify a label used to refer to the SOCKS application defense.
  • Description — Provide information about the application defense.
  • Enable SOCKS 4 filtering — Determines whether SOCKS version 4 is supported. This checkbox is cleared by default. If you select it, only SOCKSv4 is supported; SOCKSv5 traffic cannot pass.
  • SOCKS Traffic Option — Specify the type of traffic that is allowed when the SOCKS5 proxy is used. The following checkboxes are available:
    • Allow TCP — Permits TCP traffic.
    • Allow UDP — Permits UDP traffic.
    Both checkboxes are cleared by default. You may select one or both.
  • Ports open through SOCKS Proxy — Configure the range of destination ports that the connection from the SOCKS proxy on the firewall to the application server may use. The following fields are available:
    • Begin Port — Specify the first port in the range.
    • End Port — Specify the last port in the range.
  • OK — Save the changes in this window.
  • Cancel — Close this window without saving any changes.

Configuring SNMP application defenses

Use the SNMP Application Defense window to create and maintain Simple Network Management Protocol (SNMP) application defenses. SNMP is used to manage and monitor network devices such as routers, servers, switches, hubs, and hosts. It accesses hierarchical databases called management information bases (MIBs) to manage the devices in a network. Each entry in a MIB is addressed by a unique object identifier (OID), a hierarchical numeric name for a managed object. For an understanding of OIDs, MIBs, and SNMP, review the following RFCs:
  • RFC 2578, "Structure of Management Information Version 2 (SMIv2)"
  • RFC 1155, "Structure and Identification of Management Information for TCP/IP-based Internets"
  • RFC 1157, "A Simple Network Management Protocol (SNMP)"
For assistance in obtaining OIDs, consult the Internet Assigned Numbers Authority (IANA) Web site at www.iana.org/assignments/enterprise-numbers.

Use the SNMP Application Defense window to configure advanced properties for the SNMP proxy, such as the type of SNMP traffic to allow, the types of requests and events to pass, and, for SNMP version 1 traffic, the object identifiers to allow or deny.

Figure 164 SNMP Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the SNMP node. The SNMP Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
  • Name — Specify a label used to refer to the SNMP application defense.
  • Description — Provide information about the SNMP application defense.
  • Maximum message size (PDU) — Specify the largest protocol data unit (PDU) allowed for a message. The default value is 535. Valid values are integers from 120 through 1450, inclusive.
  • Allowed SNMP Versions — Specify the SNMP versions that are allowed. The following values are available:
    • Allow v1 filtration — Permits SNMP version 1 traffic and enables configuration of object ID (OID) filtering. If this option is selected, the settings in the SNMP V1 Settings area are available.
    • Allow v2c traffic — Permits SNMP v2c (community-based SNMP version 2) traffic.
    • Allow v1 and v2c traffic — Permits both SNMP version 1 and SNMP v2c traffic.
  • SNMP V1 Settings — Use this area to configure SNMP version 1 filtering. The following fields are available:
    • Allowed Actions — Specify the types of requests and events that the SNMP proxy passes. The following values are available:
      • Allow get requests — Allows Get and GetNext requests.
      • Allow set requests — Allows Set requests.
      • Allow trap requests — Allows version 1 traps.
      The checkboxes associated with these options are cleared by default. Select the checkbox associated with each option to include it in the list of permitted actions. Note: If you selected SNMP v2c, all of these actions are automatically allowed.
    • OID Filtering — Use the fields in this area to configure filtering of object IDs (OIDs). The following fields are available:
      • Action — Determines whether OID filtering is enabled and whether the specified OIDs are allowed or denied. The following values are available:
        • Off — OID filtering is disabled.
        • Allow — OID filtering is enabled and the specified OIDs are permitted.
        • Deny — OID filtering is enabled and the specified OIDs are denied.
      If Allow or Deny is selected, use the OID Options and OIDS fields to specify the OIDs to be filtered.
      • OID Options — The following values are available:
        • Standard — Select an OID from the OIDS list.
        • Custom — Create a list of OIDs by typing them in the OIDS field.
      • OIDS — Specify the Standard or Custom OIDs to be included.
  • OK — Save the changes that were made in this window.
  • Cancel — Close this window without saving the changes.
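The settings on this window (PDU size limit, allowed versions, allowed version 1 actions, and OID allow/deny filtering) can be checked against a real BER-encoded SNMP message. The following Python example is added here as an illustration and is not McAfee code; it parses the SNMPv1/v2c message structure from RFC 1157 just far enough to recover the version, community, PDU type and every OID in the PDU, then applies a policy object whose fields mirror the window. Two points are assumptions rather than documented behaviour: a listed OID is taken to cover its whole subtree, and under the Allow action an unlisted OID is taken to be denied. The sample messages are constructed, not captured.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

PDU_ACTIONS = {0xA0: "get", 0xA1: "get", 0xA3: "set", 0xA4: "trap"}  # RFC 1157 PDU tags; GetNext counts as "get"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """(tag, contents, next position) of the BER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    """BER OID contents to dotted form: first byte packs the first two arcs, later arcs are base-128."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _collect_oids(buf: bytes) -> List[str]:
    """Every OID (tag 0x06) anywhere inside a constructed value, so varbind lists and v1 traps both work."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        if tag & 0x20:
            oids.extend(_collect_oids(content))
        elif tag == 0x06:
            oids.append(_decode_oid(content))
    return oids


@dataclass
class SnmpMessage:
    version: int        # 0 = SNMPv1, 1 = SNMPv2c
    community: str
    pdu_tag: int
    oids: List[str]
    size: int           # whole message in bytes; this example compares it with the PDU size limit


def parse_snmp(raw: bytes) -> SnmpMessage:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    return SnmpMessage(int.from_bytes(version, "big"), community.decode(), pdu_tag, _collect_oids(pdu), len(raw))


@dataclass
class SnmpDefense:
    """The window's settings; defaults follow the window (v1, 535-byte limit, no actions allowed yet)."""
    max_pdu_size: int = 535
    allow_v1: bool = True
    allow_v2c: bool = False
    allowed_actions: Set[str] = field(default_factory=set)   # subset of {"get", "set", "trap"}
    oid_action: str = "off"                                  # "off" | "allow" | "deny"
    oids: List[str] = field(default_factory=list)


def evaluate(d: SnmpDefense, m: SnmpMessage) -> Tuple[bool, str]:
    """Apply the defense to one client-originated message; returns (allowed, reason)."""
    if m.size > d.max_pdu_size:
        return False, "message exceeds maximum PDU size"
    if m.version == 1:  # v2c: per the window's note all actions are allowed and OID filtering is v1-only
        return (True, "v2c allowed") if d.allow_v2c else (False, "v2c not allowed")
    if m.version != 0 or not d.allow_v1:
        return False, "version not allowed"
    action = PDU_ACTIONS.get(m.pdu_tag)
    if action not in d.allowed_actions:
        return False, f"{action or hex(m.pdu_tag)} not allowed"
    if d.oid_action != "off":  # assumed rule: a listed OID covers itself and its whole subtree
        hits = [any(o == p or o.startswith(p + ".") for p in d.oids) for o in m.oids]
        if d.oid_action == "allow" and not all(hits):
            return False, "OID outside allow list"
        if d.oid_action == "deny" and any(hits):
            return False, "OID on deny list"
    return True, "allowed"


# Constructed sample messages (not captured traffic), laid out field by field.
_GET_PDU = ("a0 19 "                          # GetRequest-PDU, 25 bytes of content
            "02 01 01 02 01 00 02 01 00 "     # request-id 1, error-status 0, error-index 0
            "30 0e 30 0c "                    # VarBindList { VarBind {
            "06 08 2b 06 01 02 01 01 01 00 "  # sysDescr.0 = 1.3.6.1.2.1.1.1.0
            "05 00")                          # NULL } }
GET_SYSDESCR = bytes.fromhex("30 26 02 01 00 04 06 7075626c6963 " + _GET_PDU)  # v1, community "public"
GET_V2C = bytes.fromhex("30 26 02 01 01 04 06 7075626c6963 " + _GET_PDU)       # same request, version 2c
SET_SYSNAME = bytes.fromhex(
    "30 27 02 01 00 04 07 70726976617465 "                 # v1, community "private"
    "a3 19 02 01 01 02 01 00 02 01 00 30 0e 30 0c "        # SetRequest-PDU
    "06 08 2b 06 01 02 01 01 05 00 05 00")                 # sysName.0 = 1.3.6.1.2.1.1.5.0, NULL

# Assumed policy: v1 only, Get/GetNext only, and only the MIB-II system subtree.
READ_ONLY_SYSTEM = SnmpDefense(allowed_actions={"get"}, oid_action="allow", oids=["1.3.6.1.2.1.1"])

if __name__ == "__main__":
    for label, raw in (("get sysDescr", GET_SYSDESCR), ("set sysName", SET_SYSNAME), ("v2c get", GET_V2C)):
        print(label, evaluate(READ_ONLY_SYSTEM, parse_snmp(raw)))
```

The order of the checks matters: the size limit is applied before anything is decoded in depth, the version decides whether the v1 action and OID checks run at all, and the Set request is refused on its PDU type before its OIDs are even consulted. Note also that the community string is recovered in clear text; SNMPv1 and v2c carry it unencrypted, which is why the proxy can filter on it but also why it is no substitute for the OID and action limits.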
  • 408. Application defenses Configuring SIP application defenses Use the SIP Application Defense window to create and maintain SIP application defenses. As described in RFC 3261, SIP (Session Initiated Protocol) is "an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences." The SIP proxy provides transparent VoIP access through the firewall, allowing users to talk through SIP devices on configured networks according to the site security policy. SIP is used to establish multimedia sessions between endpoints. The SIP proxy transfers the SIP traffic that negotiates the multimedia sessions, as well as the multimedia traffic itself. Use the SIP Application Defense window to configure general properties and media filters for the SIP application defense. Figure 165 SIP Application Defense window Accessing this window 1 In the Configuration Tool, select the Policy group bar. 2 Select the Application Defenses node. 3 Double-click the SIP node. The SIP Application Defense window is displayed. Fields and buttons This window has the following fields and buttons: • Name — Specify a label for to the SIP application defense. • Description — Provide information about the SIP application defense. • Enforce Media filters — Determines whether media filters are enabled. This checkbox is cleared by default. If you select this checkbox, the following fields are enabled in the Media Filters list: • Audio — Determines whether SIP agents in the call can negotiate audio connections. If this checkbox is cleared, negotiation of audio connections is prohibited. 408 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 409. Application defenses • Video — Determines whether SIP agents in the call can negotiate video connections. If this checkbox is cleared, negotiation of video connections is prohibited. • Maximum call duration (sec) — Specify the maximum length of a call in seconds. After this period of time elapses, the call is automatically terminated. The default is 86400 seconds. Valid values are integers between 60 and 86400, inclusively. • Peer Types — Use the fields in this area to determine user agents. The following options are available: • Only allow SIP user agents — Requires that all calls must be negotiated by the SIP user agents of a call. The source and destination of each SIP message must be the SIP user agents (for example, SIP phones). Some SIP routers and gateways can masquerade as SIP user agents. • Allow SIP user agents and routers — Allows SIP devices to negotiate calls on behalf of the SIP user agents, In this case, the source and destination of SIP messages that are processed by the proxy may differ from the SIP user agents that are participating in the call. • OK — Save this changes that were made in this window. • Cancel — Close this window without saving the changes. Configuring SSH application defenses Use the SSH Application Defense window to configure advanced properties for SSH proxy rules. Figure 166 SSH Application Defense window McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 409
  • 410. Application defenses Accessing this window 1 In the Configuration Tool, select the Policy group bar. 2 Select the Application Defenses node. 3 Double-click the SSH node. The SSH Application Defense window is displayed. Fields and buttons This window contains the following fields and buttons: • Name — Specify a label for the SSH application defense. • Description — Provide information about the SSH application defense. • OK — Save the changes that were made in this window. • Cancel — Close this window without saving the changes. Tabs This window also has the following tabs: • Channels — Configure channel filtering for SSH connections. For more information, see SSH Application Defense window: Channels tab on page 410. • Client Authentication — Configure client authentication methods and the client greeting banner. For more information, see SSH Application Defense window: Client Authentication tab on page 411. • Client Advanced — Configure advanced options for client connections. For more information, see SSH Application Defense window: Client Advanced tab on page 412. • Server Advanced — Configure advanced options for server connections. For more information, see SSH Application Defense window: Server Advanced tab on page 414. SSH Application Defense window: Channels tab Use the Channels tab to configure channel filtering for SSH connections. For information about the fields on this tab, see Figure 166 on page 409. Accessing this tab 1 In the Configuration Tool, select the Policy group bar. 2 Select the Application Defenses node. 3 Double-click the SSH node. The SSH Application Defense window is displayed. 4 Make sure that the Channels tab is selected. Fields and buttons This tab has the following fields and buttons: • Allow remote shell execution — Determines whether to allow terminal access to remote hosts. • Allow remote command execution (includes SCP) — Determines whether to allow commands to be sent to remote hosts. 
Note: Select this option to allow Secure Copy (SCP) file transfers. Because SCP uses remote command execution to transfer files, it cannot function without remote command execution. • Allow X11 forwarding — Determines whether to allow UNIX-based X Window System traffic. • Port forwarding (tunneling) — Use the fields in this area to determine the way that port forwarding is controlled. Port forwarding allows the TCP/IP connection of another application to be redirected through an SSH tunnel. The following fields are available: • Allow local port forwarding — Determines whether to allow hosts to initiate port forwarding. 410 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 411. Application defenses • Allow remote port forwarding — Determines whether to allow hosts to request that the remote host initiate port forwarding. • Allowed SFTP operations — Use the fields in this area to determine the SSH File Transfer Protocol (SFTP) operations that you want to allow. Select one of the following options: • None — Denies all SFTP operations. • Any — Allows all SFTP operations. • Selected from list — Specify the SFTP operations to allow. Manually select the operations in the Operation list. • Allowed non-SFTP subsystems — Use the fields in this area to determine the non-SFTP subsystems that you want to allow. Select one of the following options: • None — Denies all non-SFTP subsystems. • Any — Allows all non-SFTP subsystems. • Selected from list — Specify the non-SFTP subsystems to allow. For each subsystem that you want to allow, specify the name of the subsystem in the Allowed Subsystems field. To delete a subsystem from this list, highlight the subsystem and click x (Delete). SSH Application Defense window: Client Authentication tab Use the Client Authentication tab of the SSH Application Defense window to configure client authentication methods and the client greeting banner. Figure 167 SSH Application Defense window: Client Authentication tab Accessing this tab 1 In the Configuration Tool, select the Policy group bar. 2 Select the Application Defenses node. 3 Double-click the SSH node. The SSH Application Defense window is displayed. 4 Select the Client Authentication tab. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 411
Fields and buttons
This tab has the following fields and buttons:
• Allowed client authentication methods — Use the fields in this area to determine the authentication methods to allow. The following fields are available:
  • Any — Select this option to allow any authentication method on which the client and server agree.
  • Selected from list — Select this option to specify that only the selected authentication methods are allowed. To add a new, custom authentication method to this list, click New. The Client Authentication - New Method window is displayed. Specify a value in the Method field and click OK. Only custom methods that are created in this way can be deleted.
    Note: The publickey and hostbased authentication methods are not supported.
    To delete a custom authentication method, highlight the method in the list and click Delete.
  • Enabled — Determines whether this authentication method is allowed.
  • Authentication Method — [Read-only] Displays the names of the authentication methods. The following values are provided by default:
    • keyboard-interactive — Indicates that authentication methods based on the keyboard-interactive method defined in RFC 4252 are allowed.
    • password — Indicates that password authentication is allowed.
• Client greeting — Specify the text of a message that is sent to the client immediately after a secure connection is established. Clear this field if you do not want to use a client greeting.

SSH Application Defense window: Client Advanced tab
Use the Client Advanced tab of the SSH Application Defense window to configure advanced options for client connections.
Figure 168 SSH Application Defense window: Client Advanced tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the SSH node. The SSH Application Defense window is displayed.
4 Select the Client Advanced tab.

Fields and buttons
This tab has the following fields and buttons:
• Encryption — Use the fields in this area to configure the rekey options for the client connection. When a rekey is triggered, the firewall and the client renegotiate the shared key that is used to encrypt the session. Configure the following options:
  Note: If you select both options, the first threshold that is reached triggers a rekey. When a rekey occurs, both counters are reset.
  • Rekey after specified bytes — Determines whether to specify a data threshold. The client connection is rekeyed when the data threshold is reached.
  • Rekey after specified time — Determines whether to specify a time threshold. The client connection is rekeyed when the specified time elapses.
  The Encryption area also contains the following fields. Select the down arrow to configure each set of allowed algorithms and the order in which they are presented.
  • Cipher algorithms — Cipher algorithms are used to encrypt the client connection.
  • MAC algorithms — Message Authentication Code (MAC) algorithms are used to verify the integrity of the client connection.
  • Key exchange methods — Key exchange methods are used to establish the shared session keys between the SSH proxy and the client.
• Proxy host keys — Use the fields in this area to select the SSH host keys that the SSH proxy presents to clients. You can also specify firewall keys that override the default keys. By default, this application defense uses the Default_RSA_Key value and the Default_DSA_Key value that are specified on the SSH Keys tab in the Certificates area of the Firewall window. To use a key other than one of these default keys for a specific firewall, select it in the respective key field in this area.
  • Preferred type — Specify the type of key that the proxy presents to clients by default. Valid values are DSA and RSA.
  • Firewall — Specify the name of the firewall to which you are adding a firewall key.
  • DSA Key — Specify the DSA key that the proxy presents to clients. If this field is left blank, the default DSA key is not used.
  • RSA Key — Specify the RSA key that the proxy presents to clients. If this field is left blank, the default RSA key is not used.
  • Delete — Click x (Delete) in the row to delete the firewall key.
• Known bugs handling — Use the fields in this area to configure the way that the SSH proxy handles bugs in the client connection:
  • Software version — Specify the server name that the SSH proxy uses to represent itself to clients. Clients use this information to work around known bugs in SSH servers. The default value is OpenSSH_4.6.
  • Inability to rekey — Determines whether connections from clients that do not have the ability to rekey are rejected.
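The Client Advanced tab settings above, modelled in Python as an added example (this is not McAfee code). Algorithm selection follows the RFC 4253 rule that the first name in the client's list that the proxy also allows is chosen; the rekey counters follow the note that either threshold triggers a rekey and both counters then reset (the same rule applies on the Server Advanced tab). The algorithm lists and numbers are constructed for illustration.

```python
"""Added example: a model of an SSH proxy's Client Advanced policy.
Not McAfee code; the lists and thresholds used in the tests are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SshClientPolicy:
    # Allowed algorithms in the order the proxy presents them (assumed values).
    ciphers: List[str]
    macs: List[str]
    kex_methods: List[str]
    rekey_bytes: Optional[int] = None      # None = "Rekey after specified bytes" unchecked
    rekey_seconds: Optional[float] = None  # None = "Rekey after specified time" unchecked
    reject_no_rekey: bool = True           # the "Inability to rekey" setting

    @staticmethod
    def negotiate(client_list: List[str], allowed: List[str]) -> Optional[str]:
        """RFC 4253 name-list negotiation: the first client-preferred algorithm
        that is also on the proxy's allowed list wins; None if there is none."""
        for name in client_list:
            if name in allowed:
                return name
        return None

    def negotiate_all(self, client_ciphers, client_macs, client_kex) -> dict:
        """Pick cipher, MAC and key exchange method; fail closed on any mismatch."""
        chosen = {
            "cipher": self.negotiate(client_ciphers, self.ciphers),
            "mac": self.negotiate(client_macs, self.macs),
            "kex": self.negotiate(client_kex, self.kex_methods),
        }
        if None in chosen.values():
            raise ValueError(f"no common algorithm: {chosen}")
        return chosen


class RekeyTracker:
    """Tracks the byte and time counters for one proxied client connection."""

    def __init__(self, policy: SshClientPolicy, client_can_rekey: bool, now: float):
        if not client_can_rekey and policy.reject_no_rekey:
            raise ConnectionError("client cannot rekey; connection rejected")
        self.policy = policy
        self.bytes_since_rekey = 0
        self.last_rekey = now
        self.rekeys = 0

    def record(self, nbytes: int, now: float) -> bool:
        """Account nbytes of traffic at time now; return True if a rekey fires."""
        self.bytes_since_rekey += nbytes
        p = self.policy
        by_bytes = p.rekey_bytes is not None and self.bytes_since_rekey >= p.rekey_bytes
        by_time = p.rekey_seconds is not None and now - self.last_rekey >= p.rekey_seconds
        if by_bytes or by_time:
            # The first threshold reached triggers the rekey; both counters reset.
            self.bytes_since_rekey = 0
            self.last_rekey = now
            self.rekeys += 1
            return True
        return False
```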
SSH Application Defense window: Server Advanced tab
Use the Server Advanced tab of the SSH Application Defense window to configure advanced options for server connections.
Figure 169 SSH Application Defense window: Server Advanced tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the SSH node. The SSH Application Defense window is displayed.
4 Select the Server Advanced tab.

Fields and buttons
This tab has the following fields and buttons:
• Encryption — Use the fields in this area to configure the rekey options for the server connection. When a rekey is triggered, the firewall and the server renegotiate the shared key that is used to encrypt the session. The following fields are available:
  Note: If you select both options, the first threshold that is reached triggers a rekey. When a rekey occurs, both counters are reset.
  • Rekey after specified bytes — Determines whether to specify a data threshold. The server connection is rekeyed when the data threshold is reached.
  • Rekey after specified time — Determines whether to specify a time threshold. The server connection is rekeyed when the specified time elapses.
  The Encryption area also contains the following fields. Click the down arrow to configure each set of allowed algorithms and the order in which they are presented.
  • Cipher algorithms — Cipher algorithms are used to encrypt the server connection.
  • MAC algorithms — Message Authentication Code (MAC) algorithms are used to verify the integrity of the server connection.
  • Key exchange methods — Key exchange methods are used to establish the shared session keys between the SSH proxy and the server.
• Allowed server key types — Use the fields in this area to determine the types of host keys that the SSH proxy accepts from servers.
  Note: You cannot select the same value for both allowed server key types. If you do not want to configure a secondary key type, select <None>.
  • Primary key — Specify the preferred server key type.
  • Secondary key — Specify the type of server key to accept if the primary server key type is not available.
• Key checking policy — Specify the level of inspection that is applied to server host keys. If a server's host key does not meet the requirements set by the selected value, the connection is denied. To view a description of a level, select the level and read the text on the window. The following levels are available:
  • Strict
  • Medium
  • Relaxed
• Known bugs handling — Use the fields in this area to configure the way that the SSH proxy handles bugs in the server connection:
  • Software version — Specify the client name that the SSH proxy uses to represent itself to servers. Servers use this information to work around known bugs in SSH clients. The default value is OpenSSH_4.6.
  • Inability to rekey — Determines whether connections to servers that do not have the ability to rekey are rejected.

Configuring Packet Filter application defenses
Use the Packet Filter Application Defense window to configure advanced properties for rules that use filter agents. To use a Packet Filter application defense, you must first have configured a service that uses a filter agent and then applied that service to a rule. A filter agent is responsible for handling a service's traffic. The following filter agents may be used to create services:
• TCP/UDP Packet Filter — Used to create services for the UDP and TCP protocols
• ICMP Packet Filter — Used to create services for the ICMP protocol
• FTP Packet Filter — Used to create services for the FTP protocol
• Other Protocol Packet Filter — Used to create services for protocols such as AH, ESP, and GRE
Filter services inspect traffic at the network (IP) and transport (TCP/UDP) layers. They inspect a packet's source and destination IP address, protocol, and, if applicable, port. They are not application aware and cannot enforce policy based on the application protocol. Filter application defenses can be used to control request and response rates, error and control messages, and the audit rate for denied filter rules.
Figure 170 Packet Filter Application Defense window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Packet Filter node. The Packet Filter Application Defense window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — [Required] Specify a label for the Packet Filter application defense.
• Description — Provide information about the Packet Filter application defense.
• OK — Save the changes made on this window.
• Cancel — Close this window without saving any changes.
• Versions — Click this button to view a display of all fields on this window that have version-specific availability. You can also view the same information at the field level by holding your mouse over the version level icon and viewing the ToolTip.
  Note: This button is displayed only if a version 7.0.1 or later firewall has IPv6 enabled.

Tabs
This window also has the following tabs:
• General — Determine whether to limit the request rate and configure audit parameters. For more information, see Packet Filter Application Defense window: General tab on page 417.
• Advanced — Control the types of ICMP and IPv6 messages (if IPv6 is enabled) that can be generated by a rule's TCP/UDP traffic. For more information, see Packet Filter Application Defense window: Advanced tab on page 417.

Packet Filter Application Defense window: General tab
Use the General tab of the Packet Filter Application Defense window to limit the request rate to a particular number of packets per second and to configure audit parameters. To view the fields on this tab, see Figure 170 on page 416.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Packet Filter node. The Packet Filter Application Defense window is displayed.
4 Make sure that the General tab is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Limit request rate to n requests/second — Determines whether the number of packets that are allowed per second is limited. This checkbox is cleared by default. If this checkbox is selected, you can select the number of packets (n) per second.
• Auditing — Use the fields in this area to determine frequencies for audits. The following fields are available:
  • Audit the first n denied requests every n seconds — Specify the number of denied requests to audit in a specified number of seconds. An audit record is generated for the first n occurrences every n seconds.
  • Provide informational audits every n requests — Determines whether informational audits are provided at a specified frequency. This checkbox is cleared by default. If this checkbox is selected, you can select an appropriate number of requests (n).

Packet Filter Application Defense window: Advanced tab
Use the Advanced tab of the Packet Filter Application Defense window to specify the types of ICMP and IPv6 messages (if IPv6 is enabled) that can be generated by a rule's TCP/UDP traffic.
Figure 171 Packet Filter Application Defense window with IPv6 enabled

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Packet Filter node. The Packet Filter Application Defense window is displayed.
4 Select the Advanced tab. The Advanced tab of the Packet Filter Application Defense window is displayed.
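The three General tab controls of a Packet Filter application defense (the per-second request limit, auditing only the first n denied requests in each window of n seconds, and an informational audit every n requests) as an added example in Python; this is not McAfee code, the per-second bucket is a simplified model of the rate limit, and the event stream in the test is constructed.

```python
"""Added example: a model of the Packet Filter application defense General tab.
Not McAfee code. Time is passed in explicitly so the logic is deterministic."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PacketFilterDefense:
    max_requests_per_second: Optional[int] = None  # None = "Limit request rate" unchecked
    denied_audit_count: int = 5                    # "Audit the first n denied requests ..."
    denied_audit_window: float = 60.0              # "... every n seconds"
    info_audit_every: Optional[int] = None         # None = informational audits unchecked

    def __post_init__(self):
        self._second: Optional[int] = None   # current one-second bucket (simplified model)
        self._in_second = 0
        self._window_start: Optional[float] = None  # start of the denied-audit window
        self._denied_in_window = 0
        self._requests = 0

    def handle(self, now: float, rule_allows: bool) -> dict:
        """Process one packet at time now; rule_allows is the filter rule's decision.
        Returns the final verdict and the audit records the firewall would write."""
        self._requests += 1
        out = {"allowed": rule_allows, "audits": []}

        # Request-rate limit: packets beyond the per-second cap are denied.
        if self.max_requests_per_second is not None and rule_allows:
            sec = math.floor(now)
            if sec != self._second:
                self._second, self._in_second = sec, 0
            self._in_second += 1
            if self._in_second > self.max_requests_per_second:
                out["allowed"] = False
                out["rate_limited"] = True

        # Denied-request auditing: only the first N denials per window of M seconds
        # produce an audit record, which keeps a flood of denials from flooding the log.
        if not out["allowed"]:
            if self._window_start is None or now - self._window_start >= self.denied_audit_window:
                self._window_start, self._denied_in_window = now, 0
            self._denied_in_window += 1
            if self._denied_in_window <= self.denied_audit_count:
                out["audits"].append("denied")

        # Informational audit every K requests, counted over all packets.
        if self.info_audit_every and self._requests % self.info_audit_every == 0:
            out["audits"].append("info")
        return out


def run(defense: PacketFilterDefense, events: List[Tuple[float, bool]]) -> List[dict]:
    """Feed a sequence of (timestamp, rule_allows) events through the defense."""
    return [defense.handle(t, ok) for t, ok in events]
```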
Fields and buttons
This tab has the following fields and buttons:
• Allowed control and error responses — Specify the types of responses that are allowed. The checkboxes associated with these responses are cleared by default. Select the checkbox associated with each response to include it in the list of allowed responses. Right-click the column heading to access options to quickly select or clear fields. The following options are available:
  • Select All — Select all responses.
  • Unselect All — Clear all responses.
• Allowed IPv6 control and error responses — [Available only for version 7.0.1 and later firewalls with IPv6 enabled] Specify the types of IPv6 responses that are allowed. The checkboxes associated with these responses are cleared by default. Select the checkbox associated with each response to include it in the list of allowed responses. Right-click the column heading to access options to quickly select or clear fields. The following options are available:
  • Select All — Select all responses.
  • Unselect All — Clear all responses.

Configuring application defense groups
Use the Application Defense Groups window to create and maintain application defense groups. An application defense group consists of one application defense for each existing type of application defense. Application defense groups are used in rules to specify advanced properties for service groups. One application defense group is set as the default and is selected by default when a new rule that uses an application defense is created. Only the application defenses that apply to the services specified on the rule are implemented in the rule. For more information, see Configuring rules on page 533.
Figure 172 Application Defense Groups window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Application Defenses node.
3 Double-click the Group node. The Application Defense Groups window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label to refer to the group application defense.
• Description — Provide information about the group application defense.
• Mapping List — Use the fields in this table to associate a particular application defense with each type of application defense that is available. The following columns are available:
  • Type — [Read-only] Displays the types of application defenses that are available.
  • Name — Displays all of the application defenses that have previously been defined for the value selected in the Type field. Specify the application defense to be associated with the selected type.
  • Add — Displays the window for the selected application defense type, in which you can create a new application defense. When you have saved the application defense (by clicking OK), the newly created application defense is added to the list of application defenses in the Name column and is selected.
• OK — Save the changes that you made on this window.
• Cancel — Close this window without saving any changes.

IPS inspection
Use the IPS object to configure IPS response mappings and signature groups.
• A response mapping contains a list of class types, their threat level, and their response settings. Each class type refers to a set of known network-based attacks. Class types classified as IPS detect confirmed attacks that are also considered dangerous. Class types classified as IDS detect either suspected attacks or traffic that is considered less dangerous, such as probe or discovery activity. Class types classified as Policy identify traffic based on organizational security practices. For more information, see Configuring IPS response mappings on page 420.
• A signature group can contain one or more signature categories. A signature category is a category of signatures that all involve the same type of attack. The IPS engine provides the categories and may update them occasionally. You can also add individual signatures to a signature group. This gives you finer control in creating a signature group, and it allows you to add Policy signatures, which are not included in the default signature categories because they are specific to an organization. For more information, see Configuring IPS signature groups on page 421.

Configuring IPS response mappings
Use the IPS Response Mapping window to create and maintain IPS response mappings. A response mapping associates a class type with an action. A class type defines the nature and severity of an attack (for example, backdoor activity, root-level exploit, worms, and viruses). You can specify a wide variety of responses, from allowing, but auditing, suspicious traffic to prohibiting the traffic. You can also prohibit (or blackhole) the traffic for a specified period of time. A response mapping describes the response that should be taken for traffic that matches signatures of the specified class types.
Figure 173 IPS Response Mapping window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the IPS node.
3 Double-click the Response Mappings node. The IPS Response Mapping window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — [Required] Specify a unique label that is used to refer to the response mapping. You can specify up to 100 characters.
• Description — Provide information about the response mapping.
• Name — [Read-only] Displays the names of the class types.
• Type — [Read-only] Displays the associated signature type, which also more specifically defines the type of traffic to match. The following options can be displayed:
  • IPS — Indicates a prevention signature. This indicates a higher probability of a real attack and implies a stronger response (for example, prohibit the traffic and generate an audit event).
  • IDS — Indicates a detection signature. This indicates a suspected attack or activity that is considered less dangerous, such as a probe or discovery activity. It also implies a more lenient response (for example, allow the traffic, but generate an audit event).
  • POLICY — Indicates traffic based on organizational security practices.
• Response — Specify the action to take for the values specified in the Name and Type fields. The following values are available:
  • Allow no Audit — Allow the anomalous traffic to pass, but do not generate an IPS audit event.
  • Allow — Allow the anomalous traffic to pass and generate an IPS audit event.
  • Blackhole — Prohibit traffic from an offending host for the period of time specified by the value in the Duration(s) field and generate an IPS audit event.
  • Deny — Prohibit traffic, send a TCP Reset to the originating host indicating that the connection has been closed, and generate an IPS audit event.
  • Drop — Prohibit anomalous traffic and generate an IPS audit event.
  • Drop no Audit — Prohibit anomalous traffic, but do not generate an IPS audit event.
• Duration(s) — [Available only if the Response field value is Blackhole] Specify the length of time (in seconds) during which traffic from an offending host is prohibited. Valid values range from 0 through 100000. A value of 0 indicates that the offending host is blackholed for an indefinite amount of time. The default value is 0.
• Description — [Read-only] Displays information about the associated class type.
• OK — Save the changes that you have made on this window.
• Cancel — Close this window without saving any changes.

Configuring IPS signature groups
Use the IPS Signature Group window to create and maintain IPS signature groups. Use signatures to detect particular types of network attacks (for example, back-door activity, root user exploit, worms, and viruses). They are contained in signature categories such as BROWSER - IE, DB - MSSQL, and FTP - LOGIN, and those signature categories can be grouped. Many signature groups are defined for you by default. However, you can also create your own groups by using this window.
Figure 174 IPS Signature Group window
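The response mapping semantics described above (the six Response values, the Duration(s) range, and 0 meaning an indefinite blackhole) as an added Python example; this is not McAfee code. The class type names and hosts in the test are constructed, and the choice to drop traffic from an already-blackholed host without a further audit event is an assumption of this example, not something the page states.

```python
"""Added example: a model of an IPS response mapping and its blackhole table.
Not McAfee code; class type names used in the tests are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

RESPONSES = {"Allow no Audit", "Allow", "Blackhole", "Deny", "Drop", "Drop no Audit"}


@dataclass
class Mapping:
    response: str
    duration: int = 0  # Duration(s): only meaningful for Blackhole; 0 = indefinite


class ResponseMapping:
    def __init__(self, name: str, mappings: Dict[str, Mapping]):
        if not name or len(name) > 100:
            raise ValueError("Name is required and may be at most 100 characters")
        for class_type, m in mappings.items():
            if m.response not in RESPONSES:
                raise ValueError(f"{class_type}: unknown response {m.response!r}")
            if not 0 <= m.duration <= 100000:
                raise ValueError(f"{class_type}: Duration(s) must be 0 through 100000")
        self.name = name
        self.mappings = mappings
        # offending host -> expiry time; None means blackholed indefinitely
        self.blackholed: Dict[str, Optional[float]] = {}

    def is_blackholed(self, host: str, now: float) -> bool:
        """True while the host's blackhole period is active; expired entries are dropped."""
        if host not in self.blackholed:
            return False
        expiry = self.blackholed[host]
        if expiry is not None and now >= expiry:
            del self.blackholed[host]
            return False
        return True

    def decide(self, class_type: str, src_host: str, now: float) -> dict:
        """Return the verdict for a signature hit of the given class type from src_host."""
        if self.is_blackholed(src_host, now):
            # Assumption of this example: no further audit event per blackholed packet.
            return {"verdict": "drop", "audit": False, "reason": "blackholed"}
        m = self.mappings[class_type]  # KeyError: class type not in this mapping
        r = m.response
        if r == "Allow no Audit":
            return {"verdict": "allow", "audit": False}
        if r == "Allow":
            return {"verdict": "allow", "audit": True}
        if r == "Blackhole":
            until = None if m.duration == 0 else now + m.duration
            self.blackholed[src_host] = until
            return {"verdict": "drop", "audit": True, "blackhole_until": until}
        if r == "Deny":
            return {"verdict": "drop", "audit": True, "tcp_reset": True}
        if r == "Drop":
            return {"verdict": "drop", "audit": True}
        return {"verdict": "drop", "audit": False}  # Drop no Audit
```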
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the IPS node.
3 Double-click the Signature Groups node. The IPS Signature Group window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — [Required] Specify a unique label used to refer to the signature group.
• Description — Provide information about the signature group.
• OK — Save the changes made on this window.
• Cancel — Close this window without saving any changes.

Tabs
This window also has the following tabs:
• Categories — View a list of all of the available signature categories from which you can build a signature group. For more information, see IPS Signature Group window: Categories tab on page 422.
• Signatures — View a list of all of the available signatures from which you can build a signature group. For more information, see IPS Signature Group window: Signatures tab on page 423.

IPS Signature Group window: Categories tab
Use the Categories tab of the IPS Signature Group window to select the categories to be used in an IPS signature group. To view the fields on this tab, see Figure 174 on page 421.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the IPS node.
3 Double-click the Signature Groups node. The IPS Signature Group window is displayed.
4 Make sure that the Categories tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Enable — Determines whether the signature category is included in the signature group. This checkbox is cleared by default. If this checkbox is selected, the IPS and IDS checkboxes are enabled, and you must select the IPS checkbox, the IDS checkbox, or both.
• Category — [Read-only] Lists all of the available signature categories.
• IPS — Determines whether the IPS signatures in the associated category are enabled. IPS signatures identify attacks that exactly match a signature file. This checkbox is selected by default; however, the signatures are enabled only if you also select Enable.
• IDS — Determines whether the IDS signatures in the associated category are enabled. IDS signatures identify attacks that are considered minor, such as probe or discovery activity, or suspected attacks, meaning that the signature might incorrectly identify legitimate traffic as an attack. This checkbox is selected by default; however, the signatures are enabled only if you also select Enable.
• Description — [Read-only] Displays useful information about the signature.

IPS Signature Group window: Signatures tab
Use the Signatures tab of the IPS Signature Group window to select the signatures to be used in an IPS signature group.
Note: If you have selected one or more categories on the Categories tab, the signatures in this list that are part of those categories are automatically selected and are displayed with a grey background.
Figure 175 IPS Signature Group window: Signatures tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the IPS node.
3 Double-click the Signature Groups node. The IPS Signature Group window is displayed.
4 Select the Signatures tab.

Fields and buttons
This tab has the following fields and buttons:
Because your list of objects (where objects refers to the entity for which you are searching) could potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by using the Find filtering mechanism.
1 In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.
2 Click the down arrow to select the display for the search results: Highlight matching <objects> or Only display matching <objects>, where <objects> is the entity for which you are searching.
3 Click Find or press Enter. The results are displayed. If you selected the highlight option, all objects that match the value in the Search field are highlighted in yellow. If you selected the other option, you see only those objects that matched your search criteria.
4 Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view all of the objects again, click (Clear Find Results).
• Search — Provides a filtering mechanism for viewing signatures in this list. See the procedure above for more information about how to perform a search.
• Enabled — Determines whether this signature is added to the signature group.
• Name — [Read-only] Displays the name of the signature.
• Category — [Read-only] Displays the signature category for this signature. A signature category is a category of signatures that all involve the same type of attack. The signature category is classified by the network service targeted for attack, and it consists of a main category and a subcategory.
• Class Type — [Read-only] Displays the class type for the signature. The class type identifies the intended purpose of the attack, such as Root Level Exploit or Discovery.
• Type — [Read-only] Displays the threat level attribute for the signature. This threat level indicates a relationship between confidence level and severity. The following types can be displayed:
  • IPS — Detects attacks that are considered dangerous.
  • IDS — Detects attacks that are either considered minor (such as probe or discovery activity) or suspected attacks, meaning that the signature may incorrectly identify legitimate traffic as an attack.
  • Policy — Identifies network traffic that you want to control based on your organization's security policy, such as instant messaging or P2P communication.
• Date Added — [Read-only] Displays the date that this signature was added or last updated.
• Vulnerability — Displays the number that was assigned by Common Vulnerabilities and Exposures (CVE). The following identifiers can appear for a signature:
  • If CVE precedes the number, the vulnerability has been reviewed and accepted by CVE and is an official entry in the CVE list.
  • If CAN or nothing precedes the number, the vulnerability is under review by CVE and is not yet an official entry in the CVE list.
  • If NONE is displayed, CVE has not reviewed this signature.
  To view the CVE Web page associated with this number in a Web browser, click the link.
• SID — [Read-only] Displays the signature ID (SID) for the signature, which was automatically generated by the originator of the signature.
• Description — [Read-only] Displays the description for the signature.

Authentication services
Authentication refers to a process that validates a person's identity before he or she is allowed to pass traffic through the firewall. The firewall authenticates two types of users:
• Administrators who are connecting to the firewall
• Proxy users who are connecting through the firewall
The supported firewalls use similar, but different, objects to support different configuration options for authentication services and rules. When assigning an authenticator to a rule, you have the option of restricting proxy connections to specific external user groups, which are configured by using the External Group window in the User area. This area provides an overview of the authenticators and their use:
• Password authenticators — Standard password authentication requires a user to specify the same password each time he or she logs in. Standard password authentication is typically used for internal-to-external SOCKS 5, Telnet, FTP, and HTTP connections through the firewall, and for administrators logging into the firewall from the internal (trusted) network. See Configuring password authenticators on page 426.
• Passport authenticators — Passport (also known as single sign-on) works in conjunction with a specified authentication method to allow access to multiple services with a single successful authentication to the firewall. Passport also allows authentication for encrypted services and services that do not handle authentication. A successful passport authentication caches the source IP address for a specified time. All further proxy connections that require Passport authentication check that cache for a successfully authenticated user. If the source IP address exists in the cache, and Passport is the authentication method for the rule, the connection is allowed without prompting for authentication. You can configure the firewall to revoke the passport after a specified time period has passed (for example, you may choose to require each user to re-authenticate every two hours). You can require a user to re-authenticate after a specified period of idle time (for example, a user must re-authenticate if the passport has not been accessed for one hour or more). You can also manually revoke a Passport for a specific user or for all users at any time. See Configuring passport authenticators on page 428.
• RADIUS authenticators — The Remote Authentication Dial In User Service (RADIUS) is a client/server protocol described in RFC 2138, 2865, and 2866. RADIUS enables remote access servers to communicate with a central server to authenticate users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also makes it easier to track usage and keep network statistics. If your organization operates a RADIUS server, you can use it to provide strong authentication for SOCKS 5, Telnet, FTP, and HTTP sessions through the firewall. It can also be used to authenticate logins and SSH logins to the firewall. SafeWord RemoteAccess and SafeWord PremierAccess are RADIUS servers that have been certified for full interoperability with the firewall. See Configuring RADIUS authenticators on page 431.
• SafeWord authenticators — The SafeWord family of authentication servers that interoperate with the firewall includes SafeWord RemoteAccess and SafeWord PremierAccess. With SafeWord PremierAccess, you can use fixed passwords or passcode authentication for Telnet and FTP sessions through the firewall, and for administrator login attempts directly to the firewall or through an SSH session. You can authenticate HTTP (Not all tokens support this option.)
• Windows Domain authenticators — If your organization operates a Windows primary domain controller (PDC) or backup domain controller (BDC), you can use it to provide authentication for login, SOCKS 5, Telnet, FTP, HTTP, and SSH sessions to the firewall. The PDC or BDC can be used to provide password authentication. Be sure the domain controller does not allow blank or default logins that can be easily guessed by outsiders. You can also use transparent browser authentication. For more information about configuring your organization's PDC or BDC to use transparent browser authentication on the firewall, see the related application note located in the Application Notes area of the McAfee Knowledge Base. See Configuring Windows Domain authenticators on page 438.
  Note: Transparent browser authentication is also known as NT LAN Manager (NTLM) or integrated Windows authentication.
  • 426. Authentication services • LDAP authenticators — Lightweight Directory Access Protocol (LDAP) is a protocol used by many different authentication servers. You can use the LDAP authentication servers, listed here, to provide fixed password authentication for SOCKS 5, Telnet, FTP, and HTTP sessions through the firewall. It can also be used to authenticate logins and SSH logins to the firewall. You can set up an LDAP directory server containing users and passwords. Use any valid combination of LDAP attributes and values as an optional filter string to distinguish authorized firewall users. The following LDAP servers are supported: • Active Directory authenticators — Lightweight Directory Access Protocol (LDAP) server owned by Microsoft. • iPlanet authenticators — Lightweight Directory Access Protocol (LDAP) server owned by iPlanet, Inc. • Open LDAP authenticators — OpenLDAP Software is a free, open source implementation of LDAP developed by the OpenLDAP Project. • Custom LDAP authenticators — Use Custom LDAP to customize the directory user identifier and directory member identifier, the attributes used in the LDAP server searches. See Configuring OpenLDAP authenticators on page 450 or Configuring custom LDAP authenticators on page 455. • Common Access Card (CAC) authenticators — [Available only for firewall versions 7.0.1.02 and later] Use the CAC authenticator to log into a firewall by using a U.S. Department of Defense Common Access Card (CAC). You can log into a firewall by using the McAfee Firewall Enterprise Admin Console, Telnet, or SSH. Generate a one-time password on a secure web page on the firewall and specify that password in the appropriate login field. See Configuring CAC authenticators on page 459. Configuring password authenticators Use the Password Authenticator window to create and maintain standard password authenticators. Authenticators are used in rules to require users to authenticate before their request is allowed through the firewall. 
Standard password authentication is typically used for internal-to-external SOCKS 5, Telnet, FTP, and HTTP connections, and for administrators logging into the firewall from the internal (trusted) network. Using the Control Center Configuration Tool, you can create multiple Password authenticators. (Using the McAfee Firewall Enterprise Admin Console, you cannot rename the default Password authenticator nor create additional Password authenticators.) To assign a specific Password authenticator to a firewall, go to the Miscellaneous Settings area of the Firewall window. In the Password Authenticator field, select the appropriate authenticator. When creating rules, set the Authenticator field value to Password, which is a placeholder. When the policy is applied, that placeholder is replaced with the authenticator that is specified in the Password field. For more information, see Firewall window: Miscellaneous area on page 201. 426 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Figure 176 Password Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click the Password node. The Password Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label for the Password authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• Login prompt — Specify the text that asks the user for identification. The default is Username:.
• Password prompt — Specify the text that asks the user for a password. The default is Password:.
• Expiration message — Specify the text to appear when a password has expired. The default value is Password has expired.
• Maximum login attempts — Specify the maximum number of login attempts allowed before the connection is dropped. The default is 8 attempts.
• Expiration period (days) — Specify the number of days a password remains valid. The default is 1 day.
• Minimum password length — Specify the minimum number of characters a password must contain. The default is 6 characters.
• Example of a valid password — [Read-only] Displays a valid password according to the values that you have specified in the other fields on this window.
• Require complex passwords — Determines whether the firewall requires complex password parameters. This checkbox is cleared by default, indicating that complex passwords are not required. When this checkbox is selected, the firewall enforces the values that are specified in the following fields:
  • Required number of character groups — Specify the number of character groups that are required for passwords. The character groups are:
    • lowercase
    • uppercase
    • numbers
    • special characters (all printable characters that can be typed from the keyboard, such as ^ % $ @ ! and so on)
    For example, if you specify two character groups, passwords must use characters from any two of the four groups.
  • Required number of characters per character group — Specify the number of characters that are required from each character group. For example, if you specify three characters from each group, and two character groups are required, passwords must contain three characters from each of two different groups, such as a13c7b.
• OK — Save the changes that you have made on this window.
• Cancel — Close this window without saving any changes.

Configuring passport authenticators

Use the Passport Authenticator window to create and maintain your Passport authenticators. You can also use this window to manage session duration automatically and manually. Passport (also known as single sign-on) works in conjunction with a specified authentication method to cache a user's initial authentication, allowing access to multiple services after a single successful authentication. Passport also allows authentication for encrypted services and for services that do not handle authentication themselves. This is possible because a successful Passport authentication caches the source IP address for a specified time. All further proxy connections that require Passport authentication check that cache for a successfully authenticated user.
If the source IP address exists in the cache, and Passport is the authentication method for the rule, the connection is allowed without prompting the user to authenticate. Because the cache is keyed on the source IP address, every host or user that shares that address (behind NAT, or on a multi-user system) shares the Passport; the Active session mode setting described under Web Login exists to limit that exposure.

When configuring a Passport authenticator, you can select multiple authenticators to be used for establishing Passport credentials, and then select one of them as the default authenticator. When an end user first tries to access a service managed by a rule that uses that Passport authenticator, the user is prompted to authenticate. To authenticate using the default method, the user specifies only his or her username and password for the default method. To authenticate using a different authenticator that is enabled in the Passport authenticator, the user must use the username:authenticatorname syntax. An end user cannot use more than one authenticator for a single authentication event. If a user fails authentication using one authenticator, the user must start a new authentication process, either with the same authenticator or by using the username:authenticatorname syntax to select another.
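Before going on to the Passport Authenticator window's fields, here is how the Password Authenticator window's complexity settings described above combine in practice. This is an added example, not code from the McAfee product: the field names are the window's, the class and function names are this example's own, and the four character groups are the ones the window lists. Checking a candidate policy against a few known passwords before pushing it to firewalls avoids locking administrators out with a rule that is stricter than intended.

```python
"""Password-complexity check modelled on the Password Authenticator fields.

Added example, not McAfee code. It reproduces the rules the window
documents (Minimum password length, Required number of character
groups, Required number of characters per character group) so a policy
can be sanity-checked before it is pushed to a firewall. The field names
come from the window; the class and function names are this example's own.
"""
import string
from dataclasses import dataclass
from typing import Dict, List

# The four character groups named in the window. "special" is every
# printable, typeable character that is not a letter, digit or space.
GROUPS: Dict[str, frozenset] = {
    "lowercase": frozenset(string.ascii_lowercase),
    "uppercase": frozenset(string.ascii_uppercase),
    "numbers": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 6        # "Minimum password length", default 6
    require_complex: bool = False  # "Require complex passwords", cleared by default
    required_groups: int = 2       # "Required number of character groups"
    chars_per_group: int = 1       # "Required number of characters per character group"


def group_counts(password: str) -> Dict[str, int]:
    """Count how many characters of the password fall into each group."""
    counts = {name: 0 for name in GROUPS}
    for ch in password:
        for name, members in GROUPS.items():
            if ch in members:
                counts[name] += 1
                break
    return counts


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    typeable = set().union(*GROUPS.values())
    if any(ch not in typeable for ch in password):
        problems.append("contains characters outside the four keyboard groups")
    if policy.require_complex:
        # A group counts towards the requirement only once it holds at
        # least chars_per_group characters, as in the a13c7b example.
        satisfied = [g for g, n in group_counts(password).items()
                     if n >= policy.chars_per_group]
        if len(satisfied) < policy.required_groups:
            problems.append(
                f"needs {policy.chars_per_group} character(s) from each of "
                f"{policy.required_groups} groups; only {len(satisfied)} group(s) qualify"
            )
    return problems
```

With two groups of three characters each, a13c7b passes (three lowercase, three digits) while Ab12!x fails even though it touches all four groups, because no single group reaches three characters; that is the interaction between the two fields that the window's own wording leaves implicit.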
Use the Control Center Configuration Tool to create multiple Passport authenticators. (In the McAfee Firewall Enterprise Admin Console, you cannot rename the default Passport authenticator or create additional Passport authenticators.) To assign a specific Passport authenticator to a firewall, go to the Miscellaneous Settings area of the Firewall window and select the appropriate authenticator in the Passport Authenticator field. When creating rules in the Rule Editor window, set the Authenticator field value to Passport, which is a placeholder. When the policy is applied, that placeholder is replaced with the authenticator that you have specified in the Passport Authenticator field. For more information, see Firewall window: Miscellaneous area on page 201.

Note: You can manage cached Passport users by using the Current Passport Users report. To view this report, in either the Configuration Tool or the Reporting and Monitoring Tool, right-click the Firewall node or a specific firewall, then select Firewall Reports > Current Passport Users.

Figure 177 Passport Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Passport Authenticators. The Passport Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label for the Passport authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• Authenticators to establish passport credentials — Specify the authenticators that can be used to authenticate users when they encounter a rule that uses this Passport authenticator. The table includes all of the configured authenticators. By default, only the default Password authenticator is selected.
  Note: The CAC Authenticator is available for firewall versions 7.0.1.02 and later only. It is one of the authenticators that can be used to establish Passport credentials. If you want to use CAC authentication, you must select its checkbox.
  The table has the following columns:
  • (checkbox) — Indicates that the authenticator can be used to establish credentials. The default authenticator (the value specified in the Default authenticator to establish Passport credentials field) is selected in this table.
  • Name — [Read-only] Displays the name of the authenticator.
  • Type — [Read-only] Displays the authentication type of this authenticator.
  • Description — [Read-only] Displays a description of this authenticator.
• Default authenticator to establish Passport credentials — Specify the authenticator to use in rules that have Passport as the authenticator. The default authenticator should be the authentication method that is most commonly used by your users.
• Web Login — Use the fields in this area to configure whether web login is required and whether active session mode is also used. The following fields are available:
  • Require web Login — Determines whether users must acquire a Passport through an HTTP connection. Users are redirected from a web request to an authentication login page; Passport authentication over other connection types is denied. After a user has been authenticated, a "Successful Login" browser window is displayed and the user is redirected to the requested web page. This checkbox is cleared by default.
    To configure the Web login page and logout page banners, you must connect directly to the firewall.
  • Active session mode — [Available only for firewall versions 7.0.1.00 and later] Use the fields in this area to determine whether the Passport holder must maintain an open network connection to the firewall. This increases security when multiple users share the same IP address, because the Passport is then tied to a live HTTPS session rather than to the address alone. When active session mode is enabled, the "Successful Login" browser window must remain open for the life of the Passport. The following fields are available:
    • Refresh period (sec) — [Available only for firewall versions 7.0.1.00 and later] Specify the interval at which a heartbeat message is sent to the "Successful Login" web page. A heartbeat message periodically tests the HTTPS connection and refreshes the page. If the connection is broken, the Passport is revoked and all of the sessions that were authorized by that Passport are closed.
      Note: Time-outs vary for each web browser. A long refresh period could result in revoked Passports for some browsers because the HTTPS connection has timed out.
    • Grace period (sec) — [Available only for firewall versions 7.0.1.00 and later] Specify the number of seconds that the HTTPS connection can be broken before the Passport is revoked.
    • Redirect delay (sec) — [Available only for firewall versions 7.0.1.00 and later] Specify the number of seconds that the web redirect page remains open after a successful Passport login. If a user makes a web request and has not yet been authenticated for Passport, the user is redirected to the authentication login page. After successful authentication, the "Successful Login" browser window is displayed, including information that the user will be redirected to the requested page in a new browser window.
• Timeouts — Use the fields in this area to configure re-authentication timeframes. The following fields are available:
  • Idle timeout — Specify the length of time that a user can be inactive before he or she must log into Passport again. The default is 36000 seconds. Select the value and the unit, which can be seconds, minutes, hours, days, weeks, or years.
  • Session timeout — Specify the length of time that a session can last before the user is required to log in again. This setting applies even if the user is currently active. The default is 36000 seconds. Select the value and the unit, which can be seconds, minutes, hours, days, weeks, or years.
• OK — Save the changes on this window.
• Cancel — Close this window without saving any changes.
• Versions — Click this button to view all of the fields on this window that have version-specific availability. You can also view this information at the field level by holding your mouse over the version level icon and viewing the ToolTip.

Configuring RADIUS authenticators

Use the RADIUS Authenticator window to create and maintain your RADIUS authenticators. SafeWord RemoteAccess and SafeWord PremierAccess are RADIUS servers that have been certified for full interoperability with the firewall. If your organization operates a RADIUS server, you can use it to provide strong authentication for SOCKS 5, Telnet, FTP, and HTTP sessions through the firewall, and to authenticate logins and SSH logins to the firewall. Authenticators are used in rules to require users to authenticate to the specified server before their request is allowed through the firewall. When you use a RADIUS authenticator in a rule, you also have the option of allowing only users from a specified internal user group. For more information about creating internal user groups, see Configuring firewall user groups on page 468.
Note: Create all host objects for authentication servers and external groups before configuring this authenticator. Host objects must have an IP address or they will not appear in the Host list on the Servers tab.
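The Passport cache described in the previous section, with its Idle timeout, Session timeout and Active session mode fields, as an added example rather than anything from the McAfee product: the page documents the behaviour (a successful login caches the source IP address; idle and session limits; a heartbeat from the "Successful Login" page whose loss revokes the Passport after the grace period) but not the firewall's internal structures, so every class and function name here is this example's own, and the refresh and grace values are assumed because the page gives no defaults for them.

```python
"""Model of the Passport (single sign-on) cache described in the text.

Added example, not McAfee code. It keys the cache on the source IP
address as the page describes, applies the Idle timeout and Session
timeout fields, and models Active session mode's heartbeat using the
Refresh period and Grace period fields. All class and function names
are this example's own; the firewall's internal data structures are not
documented on this page.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def parse_login(login: str, default_authenticator: str) -> Tuple[str, str]:
    """Apply the username:authenticatorname syntax; a bare name uses the default."""
    user, sep, authenticator = login.partition(":")
    if not user or (sep and not authenticator):
        raise ValueError(f"malformed login {login!r}")
    return user, (authenticator if sep else default_authenticator)


@dataclass
class Passport:
    user: str
    authenticator: str
    issued: float          # time of the successful authentication
    last_seen: float       # last proxy connection that used this passport
    last_heartbeat: float  # last refresh of the "Successful Login" page


@dataclass
class PassportCache:
    idle_timeout: float = 36000.0     # seconds; the window's default
    session_timeout: float = 36000.0  # seconds; the window's default
    active_session: bool = False      # "Active session mode"
    refresh_period: float = 60.0      # assumed; the page gives no default
    grace_period: float = 30.0        # assumed; the page gives no default
    entries: Dict[str, Passport] = field(default_factory=dict)

    def authenticate(self, src_ip: str, login: str, default_auth: str, now: float) -> Passport:
        """A successful login caches the source IP address, not the user.

        Anything else sharing src_ip (NAT, a terminal server) now holds
        this passport too, which is what Active session mode mitigates.
        """
        user, auth = parse_login(login, default_auth)
        self.entries[src_ip] = Passport(user, auth, now, now, now)
        return self.entries[src_ip]

    def heartbeat(self, src_ip: str, now: float) -> None:
        """Record a refresh of the "Successful Login" page over HTTPS."""
        if src_ip in self.entries:
            self.entries[src_ip].last_heartbeat = now

    def lookup(self, src_ip: str, now: float) -> Optional[Passport]:
        """Return the passport for a new proxy connection, or revoke it and return None."""
        p = self.entries.get(src_ip)
        if p is None:
            return None
        hard_limit = now - p.issued > self.session_timeout   # applies even if active
        idle = now - p.last_seen > self.idle_timeout
        link_lost = self.active_session and (
            now - p.last_heartbeat > self.refresh_period + self.grace_period)
        if hard_limit or idle or link_lost:
            del self.entries[src_ip]   # revoked: sessions it authorized would be closed
            return None
        p.last_seen = now
        return p
```

Two things worth noticing when running it: a lookup from the same address always returns the first user's Passport, whoever is actually connecting, and with active session mode on, a Passport that has missed its heartbeat for longer than refresh plus grace is gone even though the idle and session limits are nowhere near exhausted.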
Figure 178 RADIUS Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click RADIUS Authenticators. The RADIUS Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the RADIUS authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• OK — Save the changes made on the main window and on any of the tabs in this window.
• Cancel — Close this window without saving any changes.

Tabs
This window also has the following tabs:
• Servers — Define and rank the RADIUS servers that are used with this authenticator and specify the way in which the firewall authenticates to those servers. For more information, see RADIUS Authenticator window: Servers tab on page 433.
• Groups — Specify external or internal groups that are used to restrict proxy connections to specific RADIUS users. For more information, see RADIUS Authenticator window: Groups tab on page 434.
RADIUS Authenticator window: Servers tab

Use the Servers tab on the RADIUS Authenticator window to create and maintain the list of RADIUS servers that the firewall can query to authenticate users. Also use this tab to specify connection information between the firewall and the RADIUS server. To view the fields on the Servers tab, see Figure 178 on page 432.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click RADIUS Authenticators. The RADIUS Authenticator window is displayed.
4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• RADIUS servers — Specify the RADIUS server for the firewall to query when a user attempts to pass traffic matching a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the first host is unavailable. This list contains all host objects with an associated IP address, which are created in the Network Objects area. See Network objects on page 336. To change the order, or rank, of the listed servers, select a server and use the up or down arrow to change its position. The firewall tries to connect to the servers in the order shown here.
  Note: If you intend to use more than one RADIUS server as a primary server, create multiple RADIUS authenticators. The additional servers listed here are queried only when the top-ranked server does not respond.
  The following columns are available:
  • Host — Specify the host IP address for each server entry.
  • Port — Specify the port number for each server entry. The default is port 1812.
  • Shared Secret — Specify the text string or phrase that matches the shared secret of the listed RADIUS server. The shared secret is what authenticates the firewall to the server and what protects the user's password on the wire, so use a long, random value that is unique to each server.
  • Delete — Click x to delete the server.
  • (add icon) — Displays the Network Object Manager window, in which you can add a host.
  • Navigation arrows — Use the move up and move down arrows to change the order of the selected server in this table.
• Login prompt — Specify the login prompt you want to appear during the user's login process. The default value is Username:.
• Password prompt — Specify the password prompt you want to appear during the user's login process. The default value is Password:.
• Failed authentication message — Specify the message to display if a user's authentication attempt fails. The default value is Login incorrect.
RADIUS Authenticator window: Groups tab

Use the Groups tab of the RADIUS Authenticator window to create a list of external user groups that are available when adding this authenticator to a rule. Only select external groups that are valid for this RADIUS authentication server. When creating a rule, select the external group or groups whose users will be required to authenticate when they attempt to pass traffic that matches that rule. For information about configuring external user groups, see Configuring external firewall groups on page 469.

Figure 179 RADIUS Authenticator window: Groups tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click RADIUS Authenticators. The RADIUS Authenticator window is displayed.
4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether an internal or an external group is allowed in proxy connections. The following options are available:
  • Internal — Indicates that this is an internally managed group.
  • External — Indicates that this is an externally created group.
• External groups — Use the fields in this table to specify one or more external user groups to associate with this authenticator.
  • External Group — [Read-only] Displays the name of the external group.
  • Delete — Click x to delete the group.
  • (add icon) — Displays the External Group window, in which you can add an external group.
• RADIUS group options — Use the fields in this area to specify the attributes that are defined in the dictionary files on the RADIUS server. The firewall searches for these attributes in the RADIUS server's response (the Access-Accept) to determine the user's group membership. The following fields are available:
  • Group type — Specify the attribute type for this server. The default value is 26, which is the Vendor-Specific attribute.
  • Vendor ID — [Available only if the value of the Group type field is 26] Specify a vendor ID from the dictionary files of the RADIUS server.
  • Vendor type — [Available only if the value of the Group type field is 26] Specify a vendor type from the dictionary files of the RADIUS server.
  • Group delimiters — Specify the character or characters that separate groups in a string. This is needed only if the RADIUS server sends several groups in a single string. You can specify multiple delimiter characters consecutively, without any spaces or separators between them.

Configuring Safeword authenticators

Use the Safeword Authenticator window to create and maintain your SafeWord authenticators. Authenticators are used in rules to require users to authenticate to the specified server before their request is allowed through the firewall. The SafeWord family of remote authentication servers includes SafeWord RemoteAccess and SafeWord PremierAccess. With SafeWord PremierAccess, you can use fixed passwords or passcode authentication for Telnet and FTP sessions through the firewall, and for administrator login attempts directly to the firewall or through an SSH session. You can authenticate HTTP sessions by using either fixed passwords or passcodes without the challenge/response option. (Not all tokens support this option.) When creating a rule, you can also select the external group or groups whose users will be required to authenticate when they attempt to pass traffic that matches that rule.
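What the RADIUS group options above actually select for, shown as an added example rather than McAfee code: the attribute layout is the one defined by RFC 2865 (Type, Length, Value; and for type 26, a four-byte Vendor-Id followed by vendor type, vendor length and data), and the matching follows the page's Group type, Vendor ID, Vendor type and Group delimiters fields. The sample reply bytes are constructed here, and vendor ID 12345 is an assumed private enterprise number, not a real assignment. Walking through a real Access-Accept with this parser is the quickest way to confirm that the dictionary values you typed into the window match what the server sends.

```python
"""Extract group names from RADIUS reply attributes the way the
"RADIUS group options" fields describe.

Added example, not McAfee code. Attribute layout per RFC 2865 section 5
(Type, Length, Value) and section 5.26 (Vendor-Specific: Vendor-Id, then
vendor type, vendor length, data). The sample reply is constructed here
and vendor ID 12345 is an assumed private enterprise number.
"""
import struct
from typing import Iterator, List, Tuple

VENDOR_SPECIFIC = 26


def iter_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk RFC 2865 attributes: Type(1) Length(1) Value(Length-2)."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        if alen < 2 or offset + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {offset}")
        yield atype, data[offset + 2:offset + alen]
        offset += alen


def iter_vendor_attributes(value: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk a Vendor-Specific value: Vendor-Id(4), then vendor type(1) vendor length(1) data."""
    if len(value) < 4:
        raise ValueError("vendor-specific value too short")
    (vendor_id,) = struct.unpack("!I", value[:4])
    offset = 4
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated vendor attribute")
        vtype, vlen = value[offset], value[offset + 1]
        if vlen < 2 or offset + vlen > len(value):
            raise ValueError("bad vendor attribute length")
        yield vendor_id, vtype, value[offset + 2:offset + vlen]
        offset += vlen


def extract_groups(attrs: bytes, group_type: int, vendor_id: int = 0,
                   vendor_type: int = 0, delimiters: str = "") -> List[str]:
    """Return the group names carried by the configured attribute, split on each delimiter."""
    raw = []
    for atype, value in iter_attributes(attrs):
        if atype != group_type:
            continue
        if group_type == VENDOR_SPECIFIC:
            for vid, vtype, data in iter_vendor_attributes(value):
                if vid == vendor_id and vtype == vendor_type:
                    raw.append(data.decode("utf-8", errors="replace"))
        else:
            raw.append(value.decode("utf-8", errors="replace"))
    groups = []
    for text in raw:
        parts = [text]
        for d in delimiters:  # every configured delimiter character splits the string
            parts = [p for chunk in parts for p in chunk.split(d)]
        groups.extend(p for p in parts if p)
    return groups


def is_well_formed(attrs: bytes) -> bool:
    """True if every attribute and vendor sub-attribute parses; bad lengths are rejected."""
    try:
        for atype, value in iter_attributes(attrs):
            if atype == VENDOR_SPECIFIC:
                list(iter_vendor_attributes(value))
        return True
    except ValueError:
        return False


def encode_attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    inner = bytes([vendor_type, len(data) + 2]) + data
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


# Constructed sample Access-Accept attributes (not a real capture): a Class
# attribute, a Filter-Id, and one VSA carrying three groups in a single string.
SAMPLE_REPLY = (
    encode_attribute(25, b"session-42")                # Class
    + encode_attribute(11, b"ops")                     # Filter-Id
    + encode_vsa(12345, 1, b"admins,vpnusers;ops")     # Vendor-Specific
)
```

With Group type 26, Vendor ID 12345, Vendor type 1 and delimiters ",;" the sample yields admins, vpnusers and ops; with Group type 11 (Filter-Id) and no vendor fields it yields the single Filter-Id value, which is the non-VSA case the Group type field allows.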
For more information about configuring external groups, see Configuring external firewall groups on page 469.

Figure 180 Safeword Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Safeword Authenticators. The Safeword Authenticator window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Safeword authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• OK — Save the changes made on the main window and on any of the tabs in this window.
• Cancel — Close this window without saving any changes.

Tabs
This window also has the following tabs:
• Servers — Define and rank the SafeWord servers that are used with this authenticator and specify the way in which the firewall authenticates to those servers. For more information, see Safeword Authenticator window: Servers tab on page 436.
• Groups — Specify external or internal groups that are used to restrict proxy connections to specific SafeWord users. For more information, see Safeword Authenticator window: Groups tab on page 437.

Safeword Authenticator window: Servers tab

Use the Servers tab on the Safeword Authenticator window to create and maintain the list of SafeWord servers that the firewall can query to authenticate users. Also use this tab to specify connection information between the firewall and the SafeWord server. To view the fields on the Servers tab, see Figure 180 on page 435.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Safeword Authenticators. The Safeword Authenticator window is displayed.
4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• SafeWord servers — Specify the SafeWord server for the firewall to query when a user attempts to pass traffic matching a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the first host is unavailable.
  This list contains all host objects with an associated IP address, which are created in the Network Objects area. See Network objects on page 336. To change the order, or rank, of the listed servers, select a server and use the up or down arrow to change its position. The firewall tries to connect to the servers in the order shown here.
  Note: To use more than one SafeWord server as a primary server, create multiple SafeWord authenticators. The additional servers listed here are queried only when the top-ranked server does not respond.
  The following columns are available:
  • Host — Specify the host IP address for each server entry.
  • Port — Specify the port number for each server entry. The default is port 5030.
  • Delete — Click x to delete the server.
  • (add icon) — Displays the Network Object Manager window, in which you can add a host.
  • Navigation arrows — Use the move up and move down arrows to change the order of the selected server in this table.
Safeword Authenticator window: Groups tab

Use the Groups tab of the Safeword Authenticator window to create a list of external user groups that are available when adding this authenticator to a rule. Only select external groups that are valid for this SafeWord authentication server. When creating a rule, select the external group or groups whose users will be required to authenticate when they attempt to pass traffic that matches that rule. For information about configuring external user groups, see Configuring external firewall groups on page 469.

Figure 181 Safeword Authenticator window: Groups tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Safeword Authenticators. The Safeword Authenticator window is displayed.
4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether an internal or an external group is allowed in proxy connections. The following options are available:
  • Internal — Indicates that this is an internally managed group.
  • External — Indicates that this is an externally created group.
• External groups — Use the fields in this table to specify one or more external user groups to associate with this authenticator.
  • External Group — [Read-only] Displays the name of the external group.
  • Delete — Click x to delete the group.
  • (add icon) — Displays the External Group window, in which you can add an external group.
Configuring Windows Domain authenticators

Use the Windows Domain Authenticator window to create and maintain your Windows Domain authenticators. A Windows Domain authenticator consists of a list of Windows primary domain controllers (PDCs) and backup domain controllers (BDCs) that the firewall can query to authenticate users. This authentication method can be used to provide authentication for login, SOCKS 5, Telnet, FTP, and HTTP, as well as SSH sessions to the firewall. Use this window to specify the prompts and messages that are displayed to users, and to determine whether prompted or transparent authentication is used. (Transparent browser authentication is also known as NTLM or integrated Windows authentication.) Authenticators are used in rules to require users to authenticate to the specified server before their request is allowed through the firewall. When you use a Windows Domain authenticator in a rule, you also have the option of allowing only users from a specified internal user group. For more information about creating internal user groups, see Configuring firewall user groups on page 468.

Note: Make sure that the domain controller does not allow blank or default logins that can be easily guessed by outsiders.

Figure 182 Windows Domain Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Windows Domain Authenticators. The Windows Domain Authenticator window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Windows Domain authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• Host — Specify the Windows Domain Primary Domain Controller (PDC) or Backup Domain Controller (BDC) for the firewall to query when a user attempts to pass traffic matching a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the first host is unavailable. This list contains all host objects that have an associated IP address, which are created in the Network Objects area. See Network objects on page 336. To change the order, or rank, of the listed controllers, select a controller and use the up or down arrow to change its position. The firewall attempts to connect to the controllers in the order shown here.
  Note: If you intend to use more than one Windows Domain controller as a primary host, create multiple Windows Domain authenticators. The additional hosts listed here are queried only when the top-ranked host does not respond.
• Port — Specify the port used by the Windows Domain controller. The default is 139.
• Name — Specify the name of the Windows Domain controller.
• Delete — Click x to delete the controller.
• (add icon) — Displays the Network Object Manager window, in which you can add a host.
• Navigation arrows — Use the move up and move down arrows to change the order of the selected controller in this table.
• Login prompt — Specify the login prompt you want to appear during the user's login process. The default is Username:.
• Password prompt — Specify the password prompt you want to appear during the user's login process. The default is Password:.
• Failed authentication message — Specify the message to display if a user's authentication attempt fails. The default is Login incorrect.
• Windows NTLM authentication — Use the options in this area to determine whether users are prompted for credentials or authenticated transparently. Select Both if your user population uses browsers of various versions. The following options are available:
  • Domain (MSNT) — Use domain authentication, which prompts users for a user name and password. This is typically used for older browsers that do not support transparent authentication.
    Caution: The user password is not encrypted in this method. Because the password crosses the network unprotected, prefer Transparent (NTLM) wherever the browsers support it and limit Domain (MSNT) to networks you trust.
  • Transparent (NTLM) — Use transparent browser authentication. If a user has already been authenticated by the Windows domain, the user is not prompted for a user name and password when using a rule that requires this authenticator. If this option is selected and the user's browser does not support transparent authentication, the authentication fails and no further rule matching is attempted.
  • Both — Attempt both authentication methods. Transparent authentication is attempted first; if it is not supported, domain authentication is used.
• OK — Save the changes that have been made on the main window.
• Cancel — Close this window without saving any changes.
Configuring iPlanet authenticators

Use the iPlanet Authenticator window to create and maintain your iPlanet authenticators. An iPlanet server is an LDAP server from iPlanet, Inc. Authenticators are used in rules to require users to authenticate to the specified server before their request is allowed through the firewall.

Figure 183 iPlanet Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the iPlanet authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• OK — Save the changes made on the main window and on any of the tabs in this window.
• Cancel — Close this window without saving any changes.
Tabs
This window has the following tabs:
• Servers — Define and rank the iPlanet servers used with this authenticator and specify the way that the firewall authenticates to those servers. For more information, see iPlanet Authenticator window: Servers tab on page 441.
• Search — Manage the search parameters for filtering and searching the iPlanet containers and sub-containers. For more information, see iPlanet Authenticator window: Search tab on page 442.
• Logins — Manage the prompts displayed to users authenticating by using iPlanet, and set the maximum number of login attempts. For more information, see iPlanet Authenticator window: Logins tab on page 443.
• Groups — Select an external group that is used to restrict proxy connections to specific iPlanet users. For more information, see iPlanet Authenticator window: Groups tab on page 444.

Note: Create all host objects for authentication servers and external groups before configuring this authenticator. Host objects must have an IP address or they will not appear in the Host lists.

iPlanet Authenticator window: Servers tab

Use the Servers tab of the iPlanet Authenticator window to create and maintain the list of iPlanet servers that the firewall can query to authenticate users. Also use this tab to specify connection information between the firewall and the iPlanet server. To view the fields on this tab, see Figure 183 on page 440.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.
4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Host — Specify the iPlanet server for the firewall to query when a user attempts to pass traffic matching a rule that references this authenticator.
If needed, specify additional hosts for the firewall to try if the first host is unavailable. This list contains all host objects that have been created in the Network Objects area of the Policy group bar tree. See Network objects on page 336. To change the order, or rank, of the listed servers, select a server and use the up or down arrow to change its position. The firewall attempts to connect to the servers in the order shown here. Note: If you intend to use more than one iPlanet server as a primary server, create multiple iPlanet authenticators. The additional servers listed here are queried only when the top-ranked server does not respond. • Port — Specify the port used by the iPlanet server. The default is port 389. • Delete — Click x to delete the server. • — Displays the Network Object Manager window, in which you can add a host. • Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table. • Connection timeout (seconds) — Specify the number of seconds that the firewall will wait before the connection to the iPlanet server is closed as a timeout. The default is 60 seconds. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 441
• Use anonymous connections — Determines whether the firewall uses anonymous authentication to authenticate to the iPlanet server. When this checkbox is cleared, the firewall requires the following information to authenticate to the iPlanet server:
  • User name — Specify the login name that is required by the iPlanet server.
  • Password — Specify the password that is required by the iPlanet server.
  • Confirm password — Confirm the password.

iPlanet Authenticator window: Search tab

Use the Search tab of the iPlanet Authenticator window to manage the search parameters for filtering and searching the iPlanet containers and sub-containers.

Figure 184 iPlanet Authenticator window: Search tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.
4 Select the Search tab.

Fields and buttons
This tab has the following fields and buttons:
• Search containers — Use the fields in this table to specify container names. The following fields are available:
  • Search Container — Specify the container name. If needed, specify additional containers. Specify either a single container name or a concatenated container name (for example, dc=sales,dc=example,dc=com).
  • Delete — Click x to delete the container.
  • — Displays the Network Object Manager window, in which you can add a host.
  • Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table.
• Search options — Use the fields in this area to specify the search options. The following fields are available:
  • Search scope — Specify the levels of the containers that will be searched. The following values are available:
    • Base — Search only in the containers defined here. When this option is selected, the valid search container format is an LDAP Distinguished Name, such as cn=My Name, sn=Name, o=Bizco, c=US.
    • Sub-Tree — Search in the defined containers and their sub-containers. When this option is selected, the valid search container format is the same as when Base is selected.
  • Apply search filter — Determines whether the filter search is to be based on a profile filter. This checkbox is cleared by default. If it is selected, you must specify the filter to use (for example, objectclass=person).
• LDAP directory identifiers — Use the fields in this area to view the directory identifiers. The following fields are available:
  • Directory user identifier — [Read-only] Displays the directory user identifier for iPlanet, which is uid.
  • Directory member identifier — [Read-only] Displays the directory member identifier, which is uniquemember.

iPlanet Authenticator window: Logins tab

Use the Logins tab of the iPlanet Authenticator window to define the prompts displayed to users when they are prompted to log into the iPlanet server, and the maximum number of allowed login attempts.

Figure 185 iPlanet Authenticator window: Logins tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.
4 Select the Logins tab.

Fields and buttons
This tab has the following fields and buttons:
• Login prompt — Specify the login prompt you want to appear during the user's login process. The default is Username:.
• Password prompt — Specify the password prompt you want to appear during the user's login process. The default is Password:.
• Maximum login attempts — Specify the maximum number of login attempts that are allowed.
iPlanet Authenticator window: Groups tab

Use the Groups tab of the iPlanet Authenticator window to create a list of external user groups that are available when adding this authenticator to a rule. Select only those external groups that are valid for this iPlanet authentication server. When creating a rule, select the external group or groups that will be required to authenticate when those users attempt to pass traffic that matches that rule. For information about configuring external user groups, see Configuring external firewall groups on page 469.

Figure 186 iPlanet Authenticator window: Groups tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click iPlanet Authenticators. The iPlanet Authenticator window is displayed.
4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether this is an internal or external group that is allowed in proxy connections. The following options are available:
  • Internal — Indicates that this is an internally managed group.
  • External — Indicates that this is an externally created group.
• External groups — Use the fields in this table to specify one or more external user groups to associate with this authenticator.
  • External Group — [Read-only] Displays the name of the external group.
  • Delete — Click x to delete the group.
  • — Displays the External Group window, in which you can add an external group.
Configuring Active Directory authenticators

Use the Active Directory Authenticator window to create and maintain your Active Directory authenticators. Authenticators are used in rules to require users to authenticate to the specified server before their request is allowed through the firewall. An Active Directory server is a Lightweight Directory Access Protocol (LDAP) server owned by Microsoft.

Figure 187 Active Directory Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label that is used to refer to the Active Directory authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• OK — Save the changes made on the main window and on any of the tabs in this window.
• Cancel — Close this window without saving any changes.
Tabs
This window also has the following tabs:
• Servers — Define and rank the Active Directory servers that are used with this firewall authenticator and specify the way in which the firewall authenticates to those servers. For more information, see Active Directory Authenticator window: Servers tab on page 446.
• Search — Manage the search parameters for filtering and searching the Active Directory containers and domains. For more information, see Active Directory Authenticator window: Search tab on page 447.
• Logins — Manage the prompts that are displayed to users who are authenticating by using Active Directory, and set the maximum number of login attempts. For more information, see Active Directory Authenticator window: Logins tab on page 448.
• Groups — Select an external group that is used to restrict proxy connections to specific Active Directory users. For more information, see Active Directory Authenticator window: Groups tab on page 449.

Note: Create all host objects for authentication servers and external groups before you configure this authenticator. Host objects must have an IP address or they will not appear in the Host lists.

Active Directory Authenticator window: Servers tab

Use the Servers tab of the Active Directory Authenticator window to create and maintain the list of Active Directory servers that the firewall can query to authenticate users. Also use this window to specify connection information between the firewall and the Active Directory server. To view the fields on this tab, see Figure 187 on page 445.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.
4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Host — Specify the Active Directory server for the firewall to query when a user attempts to pass traffic that matches a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the first host is unavailable. This list contains all host objects that have been created in the Network Objects area of the Policy group bar tree. See Network objects on page 336. To change the order or rank of the listed servers, select a server and use the up or down arrow to change its position. The firewall will attempt to connect to the servers in the order that is displayed here.
  Note: To use more than one Active Directory server as a primary server, create multiple Active Directory authenticators. The additional servers that are listed here are queried only when the top-ranked server does not respond.
• Port — Specify the port that is used by the Active Directory server. The default is port 389.
• Delete — Click x to delete the server.
• — Displays the Network Object Manager window, in which you can add a host.
• Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table.
• Connection timeout (seconds) — Specify the number of seconds for the firewall to wait before the connection to the Active Directory server is closed due to timeout. The default is 60 seconds.
• Use anonymous connections — Determines whether the firewall uses anonymous authentication to authenticate to the Active Directory server. This option is selected by default. When this checkbox is cleared, the firewall requires the following information to authenticate to the Active Directory server:
  • User Name — Specify the login name that is required by the Active Directory server.
  • Password — Specify the password that is required by the Active Directory server.
  • Confirm password — Confirm the password.

Active Directory Authenticator window: Search tab

Use the Search tab of the Active Directory Authenticator window to manage the search parameters for filtering and searching the Active Directory containers, sub-containers, and domains.

Figure 188 Active Directory Authenticator window: Search tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.
4 Select the Search tab.

Fields and buttons
This tab has the following fields and buttons:
• Search containers — Use the fields in this table to specify container names. The following fields are available:
  • Search Container — Specify the container name. If needed, specify additional containers. Specify either a single container name or a concatenated container name (for example, dc=sales,dc=example,dc=com).
  • Delete — Click x to delete the container.
  • — Displays the Network Object Manager window, in which you can add a host.
  • Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table.
• Search options — Use the fields in this area to specify the search options. The following fields are available:
  • Search scope — Specify the levels of the containers that will be searched. The following values are available:
    • Base — Search only in the containers defined here. When this option is selected, the valid search container format is an LDAP Distinguished Name, such as cn=My Name, sn=Name, o=Bizco, c=US.
    • Sub-Tree — Search in the defined containers and their sub-containers. When this option is selected, the valid search container format is the same as when Base is selected.
  • Apply search filter — Determines whether the filter search is to be based on a profile filter. This checkbox is cleared by default. If it is selected, you must specify the filter to use (for example, objectclass=person).
• LDAP directory identifiers — Use the fields in this area to view the directory identifiers. The following fields are available:
  • Directory user identifier — [Read-only] Displays the directory user identifier for Active Directory, which is sAMAccountName.
  • Directory member identifier — [Read-only] Displays the directory member identifier, which is memberof.

Active Directory Authenticator window: Logins tab

Use the Logins tab of the Active Directory Authenticator window to define the prompts displayed to users when they are prompted to log into the Active Directory server, and the maximum number of allowed login attempts.

Figure 189 Active Directory Authenticator window: Logins tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.
4 Select the Logins tab.

Fields and buttons
This tab has the following fields and buttons:
• Login prompt — Specify the login prompt you want to appear during the user's login process. The default is Username:.
• Password prompt — Specify the password prompt you want to appear during the user's login process. The default is Password:.
• Maximum login attempts — Specify the maximum number of allowed login attempts.

Active Directory Authenticator window: Groups tab

Use the Groups tab of the Active Directory Authenticator window to create a list of external user groups that are available when adding this authenticator to a rule. Only select external groups that are valid for this Active Directory authentication server. When creating a rule, select the external group or groups that will be required to authenticate when those users attempt to pass traffic that matches that rule. For more information about configuring external groups, see Configuring external firewall groups on page 469.

Figure 190 Active Directory Authenticator window: Groups tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Active Directory Authenticators. The Active Directory Authenticator window is displayed.
4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether this is an internal or external group that is allowed in proxy connections. The following options are available:
  • Internal — Indicates that this is an internally managed group.
  • External — Indicates that this is an externally created group.
• External groups — Use the fields in this table to specify one or more external user groups to associate with this authenticator.
  • External Group — [Read-only] Displays the name of the external group.
  • Delete — Click x to delete the group.
  • — Displays the External Group window, in which you can add an external group.
Configuring OpenLDAP authenticators

Use the OpenLDAP Authenticator window to create and maintain your OpenLDAP authenticators. Authenticators are used in rules to require users to authenticate to the specified server before their request is allowed through the firewall. OpenLDAP Software is a free, open source implementation of LDAP developed by the OpenLDAP Project.

Figure 191 OpenLDAP Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the OpenLDAP authenticator. Only alphanumeric characters, dashes (-), and underscores (_) are supported.
• Description — Provide information about the authenticator.
• OK — Save the changes made on the main window and on any of the tabs in this window.
• Cancel — Close this window without saving any changes.
Tabs
This window also has the following tabs:
• Servers — Define and rank the OpenLDAP servers used with this firewall authenticator and specify how the firewall authenticates to those servers. For more information, see OpenLDAP Authenticator window: Servers tab on page 451.
• Search — Manage the search parameters for filtering and searching the OpenLDAP containers and domains. For more information, see OpenLDAP Authenticator window: Search tab on page 452.
• Logins — Manage the prompts displayed to users authenticating by using OpenLDAP, and set the maximum number of login attempts. For more information, see OpenLDAP Authenticator window: Logins tab on page 453.
• Groups — Select an external group that is used to restrict proxy connections to specific OpenLDAP users. For more information, see OpenLDAP Authenticator window: Groups tab on page 454.

Note: Create all host objects for authentication servers and external groups before configuring this authenticator. Host objects must have an IP address, or they will not appear in the Host lists.

OpenLDAP Authenticator window: Servers tab

Use the Servers tab of the OpenLDAP Authenticator window to create and maintain the list of OpenLDAP servers the firewall can query to authenticate users. Also use this window to specify connection information between the firewall and the OpenLDAP server. To view the fields on this tab, see Figure 191 on page 450.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.
4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Host — Specify the OpenLDAP server for the firewall to query when a user attempts to pass traffic matching a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the first host is unavailable. This list contains all host objects that have been created in the Network Objects area of the Policy group bar tree. See Network objects on page 336. To change the order, or rank, of the listed servers, select a server and use the up or down arrow to change its position. The firewall tries to connect to the servers in the order shown here.
  Note: To use more than one OpenLDAP server as a primary server, create multiple OpenLDAP authenticators. The additional servers listed here are queried only when the top-ranked server does not respond.
• Port — Specify the port that will be used by the OpenLDAP server. The default is port 389.
• Delete — Click x to delete the server.
• — Displays the Network Object Manager window, in which you can add a host.
• Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table.
• Connection timeout (seconds) — Specify the number of seconds for the firewall to wait before the connection to the OpenLDAP server is closed due to timeout. The default is 60 seconds.
• Use anonymous connections — Determines whether the firewall uses anonymous authentication to authenticate to the OpenLDAP server. When this checkbox is cleared, the firewall requires the following information to authenticate to the OpenLDAP server:
  • User Name — Specify the login name that is required by the OpenLDAP server.
  • Password — Specify the password that is required by the OpenLDAP server.
  • Confirm password — Confirm the password.

OpenLDAP Authenticator window: Search tab

Use the Search tab of the OpenLDAP Authenticator window to manage the search parameters for filtering and searching the OpenLDAP containers and sub-containers.

Figure 192 OpenLDAP Authenticator window: Search tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.
4 Select the Search tab.

Fields and buttons
This tab has the following fields and buttons:
• Search containers — Use the fields in this table to specify container names. The following fields are available:
  • Search Container — Specify the container name. If needed, specify additional containers. Specify either a single container name or a concatenated container name (for example, dc=sales,dc=example,dc=com).
  • Delete — Click x to delete the container.
  • — Displays the Network Object Manager window, in which you can add a host.
  • Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table.
• Search options — Use the fields in this area to specify the search options. The following fields are available:
  • Search scope — Specify the levels of the containers that will be searched. The following values are available:
    • Base — Search only in the containers defined here. When this option is selected, the valid search container format is an LDAP Distinguished Name, such as cn=My Name, sn=Name, o=Bizco, c=US.
    • Sub-Tree — Search in the defined containers and their sub-containers. When this option is selected, the valid search container format is the same as when Base is selected.
  • Apply search filter — Determines whether the filter search is to be based on a profile filter. This checkbox is cleared by default. If it is selected, you must specify the filter to use (for example, objectclass=person).
• LDAP directory identifiers — Use the fields in this area to view the directory identifiers. The following fields are available:
  • Directory user identifier — [Read-only] Displays the directory user identifier, which is cn.
  • Directory member identifier — [Read-only] Displays the directory member identifier, which is uniquemember.

OpenLDAP Authenticator window: Logins tab

Use the Logins tab of the OpenLDAP Authenticator window to define the prompts displayed to users when they are prompted to log into the OpenLDAP server, and the maximum number of allowed login attempts.

Figure 193 OpenLDAP Authenticator window: Logins tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.
4 Select the Logins tab.

Fields and buttons
This tab has the following fields and buttons:
• Login prompt — Specify the login prompt you want to appear during the user's login process. The default is Username:.
• Password prompt — Specify the password prompt you want to appear during the user's login process. The default is Password:.
• Maximum login attempts — Specify the maximum number of allowed login attempts.
OpenLDAP Authenticator window: Groups tab

Use the Groups tab of the OpenLDAP Authenticator window to create a list of external user groups that are available when adding this authenticator to a rule. Only select external groups that are valid for this OpenLDAP authentication server. When creating a rule, select the external group or groups that will be required to authenticate when those users attempt to pass traffic that matches that rule. For more information about configuring external groups, see Configuring external firewall groups on page 469.

Figure 194 OpenLDAP Authenticator window: Groups tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click OpenLDAP Authenticators. The OpenLDAP Authenticator window is displayed.
4 Select the Groups tab.

Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether this is an internal or external group that is allowed in proxy connections. The following options are available:
  • Internal — Indicates that this is an internally managed group.
  • External — Indicates that this is an externally created group.
• External groups — Use the fields in this table to specify one or more external user groups to associate with this authenticator.
  • External Group — [Read-only] Displays the name of the external group.
  • Delete — Click x to delete the group.
  • — Displays the External Group window, in which you can add an external group.
Configuring custom LDAP authenticators

Use the Custom LDAP Authenticator window to create and maintain your Custom LDAP authenticators. Authenticators are used in rules to require users to authenticate to the specified server before their request is allowed through the firewall. The primary difference between a Custom LDAP Authenticator and the other LDAP-based authenticators is that you can customize the directory user identifier and the directory member identifier.

Figure 195 Custom LDAP Authenticator window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the Custom LDAP authenticator. Only alphanumeric characters, dashes (-), underscores (_), and a dot (.) are supported.
• Description — Provide information about the authenticator.
• OK — Save the changes made on the main window and on any of the tabs in this window.
• Cancel — Close this window without saving any changes.
Tabs
This window also has the following tabs:
• Servers — Define and rank the Custom LDAP servers used with this firewall authenticator and specify how the firewall authenticates to those servers. For more information, see Custom LDAP Authenticator window: Servers tab on page 456.
• Search — Manage the search parameters for filtering and searching the containers and domains for the specified LDAP server. For more information, see Custom LDAP Authenticator window: Search tab on page 457.
• Logins — Manage the prompts displayed to users authenticating via the specified LDAP server, and set the maximum number of login attempts. For more information, see Custom LDAP Authenticator window: Logins tab on page 458.
• Groups — Select an external group that is used to restrict proxy connections to specific LDAP users. For more information, see OpenLDAP Authenticator window: Groups tab on page 454.

Note: Create all host objects for authentication servers and external groups before configuring this authenticator. Host objects must have an IP address or they will not appear in the Host lists.

Custom LDAP Authenticator window: Servers tab

Use the Servers tab of the Custom LDAP Authenticator window to create and maintain the list of LDAP servers that the firewall can query to authenticate users. Also use this window to specify connection information between the firewall and the LDAP server. To view the fields on this tab, see Figure 195 on page 455.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.
4 Make sure that the Servers tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Host — Specify the LDAP server for the firewall to query when a user attempts to pass traffic matching a rule that references this authenticator. If needed, specify additional hosts for the firewall to try if the first host is unavailable. This list contains all host objects that have been created in the Network Objects area of the Policy group bar tree. See Network objects on page 336. To change the order, or rank, of the listed servers, select a server and use the up or down arrow to change its position. The firewall will attempt to connect to the servers in the order shown here.
  Note: To use more than one customized LDAP server as a primary server, create multiple Custom LDAP authenticators. The additional servers listed here are queried only when the top-ranked server does not respond.
• Port — Specify the port that will be used by the LDAP server. The default is port 389.
• Delete — Click x to delete the server.
• — Displays the Network Object Manager window, in which you can add a host.
• Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table.
• Connection timeout (seconds) — Specify the number of seconds for the firewall to wait before the connection to the LDAP server is closed due to timeout. The default is 60 seconds.
• Use anonymous connections — Determines whether the firewall uses anonymous authentication to authenticate to the LDAP server. When this checkbox is cleared, the firewall requires the following information to authenticate to the LDAP server:
  • User Name — Specify the login name that is required by the LDAP server.
  • Password — Specify the password that is required by the LDAP server.
  • Confirm password — Confirm the password.

Custom LDAP Authenticator window: Search tab

Use the Search tab of the Custom LDAP Authenticator window to manage the search parameters for filtering and searching the containers and sub-containers of the specified LDAP server.

Figure 196 Custom LDAP Authenticator window: Search tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.
4 Select the Search tab.

Fields and buttons
This tab has the following fields and buttons:
• Search containers — Use the fields in this table to specify container names. The following fields are available:
  • Search Container — Specify the container name. If needed, specify additional containers. Specify either a single container name or a concatenated container name (for example, dc=sales,dc=example,dc=com).
  • Delete — Click x to delete the container.
  • 458. Authentication services • — Displays the Network Object Manager window, in which you can add a host. • Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the order of a selected action in this table. • Search options — Use the fields in this area to specify the search options. The following fields are available: • Search scope — Specify the levels of the containers that will be searched. The following values are available: • Base — Search only in the containers defined here. When this option is selected, the valid search container format is an LDAP Distinguished Name, such as cn=My Name, sn=Name, o=Bizco, c=US. • Sub-Tree — Search in the defined containers and their sub-containers. When this option is selected, the valid search container format is the same as when Base is selected. • Apply search filter — Determines whether the filter search is to be based on a profile filter. This checkbox is cleared by default. If it is selected, you must specify the filter to use (for example, objectclass=person). • LDAP directory identifiers — Use the fields in this area to view the directory identifiers. The following fields are available: • Directory User Identifier — Specify the directory user identifier. • Directory Member Identifier — Specify the directory member identifier. Custom LDAP Authenticator window: Logins tab Use the Logins tab of the Custom LDAP Authenticator window to define the prompts displayed to users when prompted to log into the specified LDAP server and the maximum number of allowed login attempts. Figure 197 Custom LDAP Authenticator window: Logins tab Accessing this tab 1 In the Configuration Tool, select the Policy group bar. 2 Select the Authenticators node. 3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed. 4 Select the Logins tab. 
Fields and buttons This tab has the following fields and buttons: • Login prompt — Specify the login prompt you want to appear during the user's login process. The default is Username:. • Password prompt — Specify the password prompt you want to appear during the user's login process.The default is Password:. • Maximum login attempts — Specify the maximum number of allowed login attempts. 458 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
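The following Python program is an illustration added to this guide; it is not Control Center or firewall code. It shows how a Custom LDAP authenticator configured on the Servers and Search tabs resolves a login: the ranked server list is tried in order and the next server is used only when the current one does not respond (a rejected bind is final, so an unreachable primary never yields extra password guesses against a secondary); the user is located under the search containers using the search scope and, if enabled, the search filter; and exactly one match is required before binding with the supplied password. The directory contents, host names and credentials are constructed for the example, Directory User Identifier is assumed to name the attribute that holds the login name, and the Base scope is modelled as "entries directly in the listed container", following the wording above.

```python
"""Added example (not Control Center or firewall code): how a Custom LDAP
authenticator configured as described above resolves a login.  The directory,
host names and credentials are constructed for this example."""
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the LDAP server's contents: entry DN -> attributes.
DIRECTORY = {
    "dc=sales,dc=example,dc=com": {"objectclass": "domain"},
    "ou=staff,dc=sales,dc=example,dc=com": {"objectclass": "organizationalUnit"},
    "uid=alice,ou=staff,dc=sales,dc=example,dc=com":
        {"objectclass": "person", "uid": "alice", "userPassword": "Correct-Horse-9!"},
    "uid=bob,dc=sales,dc=example,dc=com":
        {"objectclass": "person", "uid": "bob", "userPassword": "Battery-Staple-7?"},
    "uid=bob,ou=contractors,dc=sales,dc=example,dc=com":
        {"objectclass": "person", "uid": "bob", "userPassword": "Other-Bob-3#"},
    "uid=scanner,ou=staff,dc=sales,dc=example,dc=com":
        {"objectclass": "device", "uid": "scanner", "userPassword": "Not-A-Person-1"},
}
# Hypothetical hosts from the Servers tab; ldap1 is "down" to show rank-order failover.
REACHABLE = {"ldap1.example.com": False, "ldap2.example.com": True}


@dataclass
class CustomLdapAuthenticator:
    servers: List[str]            # Servers tab, top-ranked first
    containers: List[str]         # Search Container entries
    scope: str = "sub"            # Search scope: "base" or "sub"
    search_filter: Optional[Tuple[str, str]] = ("objectclass", "person")  # Apply search filter
    user_identifier: str = "uid"  # Directory User Identifier (assumed: login-name attribute)


def rdns(dn: str) -> Tuple[str, ...]:
    """Split a DN into normalised RDNs. Naive (no escaping); enough for the data above."""
    return tuple(p.strip().lower() for p in dn.split(","))


def in_scope(entry_dn: str, container: str, scope: str) -> bool:
    """Base: entries directly in the container; Sub-Tree: anywhere beneath it.
    The container entry itself is never a login candidate."""
    if scope not in ("base", "sub"):
        raise ValueError(f"unknown search scope {scope!r}")
    entry, base = rdns(entry_dn), rdns(container)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return scope == "sub" or len(entry) == len(base) + 1


def search_user(auth: CustomLdapAuthenticator, username: str) -> List[str]:
    """DNs under the configured containers that pass the search filter and whose
    user-identifier attribute equals the login name."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not any(in_scope(dn, c, auth.scope) for c in auth.containers):
            continue
        if auth.search_filter and attrs.get(auth.search_filter[0]) != auth.search_filter[1]:
            continue
        if attrs.get(auth.user_identifier) == username:
            hits.append(dn)
    return hits


def connect(host: str) -> None:
    """Simulated connect: an unreachable host is the 'does not respond' condition.
    In a real client this is where the Connection timeout value applies."""
    if not REACHABLE.get(host, False):
        raise TimeoutError(f"{host} did not respond")


def bind(dn: str, password: str) -> None:
    """Simulated simple bind: a wrong DN or password is a rejected bind, not a timeout."""
    entry = DIRECTORY.get(dn)
    stored = (entry or {}).get("userPassword", "")
    if entry is None or not hmac.compare_digest(stored.encode(), password.encode()):
        raise PermissionError("invalid credentials")


def authenticate(auth: CustomLdapAuthenticator, username: str,
                 password: str) -> Tuple[bool, str, Optional[str]]:
    """Try the servers in rank order. Only a server that does not respond causes a
    move to the next one; a rejected bind or an absent/ambiguous user is final."""
    for host in auth.servers:
        try:
            connect(host)
        except TimeoutError:
            continue
        candidates = search_user(auth, username)
        if len(candidates) != 1:
            return False, f"{len(candidates)} entries match {username!r}", host
        try:
            bind(candidates[0], password)
        except PermissionError:
            return False, "bind rejected", host
        return True, candidates[0], host
    return False, "no LDAP server responded", None
```

Two behaviours are worth noticing when you fill in the Search tab: with Sub-Tree scope the two `bob` entries in the constructed directory both match, so the login is refused as ambiguous rather than binding to whichever one came first, and the `objectclass=person` filter keeps the `scanner` device account from being used as a login even though it has a password.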
Custom LDAP Authenticator window: Groups tab
Use the Groups tab of the Custom LDAP Authenticator window to create a list of external user groups that are available when adding this authenticator to a rule. Select only external groups that are valid for the authentication server listed on the Servers tab. When creating a rule, select the external group or groups whose members must authenticate when they attempt to pass traffic that matches that rule. For more information about configuring external groups, see Configuring external firewall groups on page 469.
Figure 198 Custom LDAP Authenticator window: Groups tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click Custom LDAP Authenticators. The Custom LDAP Authenticator window is displayed.
4 Select the Groups tab.
Fields and buttons
This tab has the following fields and buttons:
• Group source — Use the options in this area to determine whether this is an internal or external group that is allowed in proxy connections. The following options are available:
  • Internal — Indicates that this is an internally managed group.
  • External — Indicates that this is an externally created group.
• External groups — Use the fields in this table to specify one or more external user groups to associate with this authenticator.
  • External Group — [Read-only] Displays the name of the external group.
  • Delete — Click x to delete the group.
  • (icon) — Displays the External Group window, in which you can add an external group.

Configuring CAC authenticators
Use the CAC Authenticator window to create and maintain your Common Access Card (CAC) authenticators. CAC authenticators are used in rules to require users who authenticate with a CAC to authenticate to the CAC Webserver on the firewall before their request is allowed through the firewall.
Use the Control Center Configuration Tool to create multiple CAC authenticators. To assign a specific CAC authenticator to a firewall, go to the Settings tab of the Certificates area of the Firewall window and select the appropriate authenticator in the CAC Authenticator field. You must also specify on this tab a certificate to be used by the CAC Webserver on the firewall. When creating rules in the Rule Editor window, set the Authenticator field value to CAC, which is a placeholder. When the policy is applied, that placeholder is replaced with the authenticator that you specified in the CAC Authenticator field. For more information, see Firewall window: Certificates area on page 196.
Note: This authenticator is available only for firewall versions 7.0.1.02 and later.
For additional instructions about configuring and using a CAC authenticator, see the application note entitled Using the McAfee Firewall Enterprise Control Center to Configure Department of Defense Common Access Card Authentication on the McAfee Firewall Enterprise (Sidewinder) at mysupport.mcafee.com.
Figure 199 CAC Authenticator window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Authenticators node.
3 Double-click CAC Authenticators. The CAC Authenticator window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label for the CAC authenticator. Only alphanumeric characters, dashes (-), underscores (_), and dots (.) are supported.
• Description — Provide information about the authenticator.
• Password generation — Use the fields in this area to configure the one-time password that is generated after CAC authentication and then entered in the McAfee Firewall Enterprise Admin Console, Telnet client, or SSH client. The following fields are available:
  • Expire one-time password after n second(s) — Specify the length of time (in seconds) that a one-time password is valid. Valid values are 10 to 300 seconds. The default value is 120.
  • One-time password size: n character(s) — Specify the number of characters in the generated one-time password. Valid values are 8 to 128. The default value is 12.
• Webserver configuration — Use the field in this area to specify the TCP port on which the CAC Webserver listens. The following field is available:
  • Port (1 - 65535) — Specify the TCP port on which the CAC Webserver listens. Valid values are 1 to 65535. The default port is 9006.
• OK — Save the changes made on this window.
• Cancel — Close this window without saving any changes.
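The one-time password settings on this window, modelled in Python as an added example that is not CAC Webserver or Control Center code. The store enforces the lifetime and size bounds above, draws passwords from a CSPRNG, keeps only a digest of each outstanding password, and accepts a password once, before it expires, and only for the subject it was issued to. The alphabet, the CAC-style subject string and the absence of any model of the exchange with the Admin Console, Telnet or SSH client are assumptions of the example.

```python
"""Added example (not CAC Webserver or Control Center code): the one-time password
settings above as a small OTP store.  Only lifetime, size and single use are
modelled; the client exchange is not."""
import hashlib
import hmac
import secrets
import string
import time
from typing import Dict, Optional, Tuple

OTP_ALPHABET = string.ascii_letters + string.digits   # assumption: alphanumeric OTPs


def settings_valid(lifetime_s: int, size: int) -> bool:
    """Bounds from the CAC Authenticator window: 10-300 s lifetime, 8-128 characters."""
    return 10 <= lifetime_s <= 300 and 8 <= size <= 128


class OneTimePasswordStore:
    def __init__(self, lifetime_s: int = 120, size: int = 12):
        if not settings_valid(lifetime_s, size):
            raise ValueError("lifetime must be 10-300 s and size 8-128 characters")
        self.lifetime_s = lifetime_s
        self.size = size
        # sha256(otp) -> (subject it was issued to, expiry time).  The clear OTP is never
        # stored, so a copy of this table does not yield usable passwords.
        self._issued: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(otp: str) -> str:
        return hashlib.sha256(otp.encode()).hexdigest()

    def issue(self, subject: str, now: Optional[float] = None) -> str:
        """Generate an OTP for `subject` (for example the subject of the CAC certificate)."""
        now = time.time() if now is None else now
        self._purge(now)
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(self.size))
        self._issued[self._digest(otp)] = (subject, now + self.lifetime_s)
        return otp

    def redeem(self, subject: str, otp: str, now: Optional[float] = None) -> bool:
        """Accept an OTP once, before it expires, and only for the subject it was
        issued to.  The record is removed on any attempt, so a guess cannot be retried."""
        now = time.time() if now is None else now
        self._purge(now)
        record = self._issued.pop(self._digest(otp), None)
        if record is None:
            return False
        issued_to, expires = record
        return hmac.compare_digest(issued_to.encode(), subject.encode()) and now <= expires

    def _purge(self, now: float) -> None:
        """Drop expired passwords so the table cannot grow without bound."""
        for key in [k for k, (_, exp) in self._issued.items() if exp < now]:
            del self._issued[key]

    def outstanding(self) -> int:
        return len(self._issued)
```

Looking up by digest means the secret itself is never compared character by character, and the single-use rule is enforced by removing the record before the result is known, which is the order you want when an attacker can observe timing or retry.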
Firewall users
The Control Center provides interfaces to manage two types of firewall users:
• Control Center users — These are users of the Control Center tools and interfaces. These administrative users are managed by using the Administration Tool. For more information, see Control Center users on page 81.
• Firewall administrators and users — These are users, often with administrative privileges, who can authenticate to, or through, the firewall. The privileges and definition requirements vary by firewall type. For information about defining the different user types, see Configuring firewall users on page 462 and Configuring firewall administrators on page 464. For information about user groups, see Configuring firewall user groups on page 468 and Configuring external firewall groups on page 469.

Firewall administrators, users, user groups, and external groups
On the firewall, administrators are people who have accounts on the firewall and who can be granted permission to log directly into the firewall. Most administrators also have a home directory on the firewall. Users are also people who have accounts on the firewall; however, they can be granted permission to access network services only through the firewall. Access is controlled using rules; accounts must be assigned to a group before the accounts can be assigned to a rule. The differences between the two types of accounts are described here:
• Administrators — An administrator is someone who logs directly into the firewall to perform administrative activities. Each administrator account has a home directory and a password stored on the firewall. This is the password that is used if administrators are required to authenticate using the Password authentication service. Administrator accounts can be added to a user group, which can then be added to rules that require authentication to manage access to services.
• Users — A user is someone who uses the networking services provided by the firewall. User accounts can be added to user groups, which can then be used in rules that require authentication to manage access to services.
• Users for Windows and RADIUS authentication are maintained on their respective remote servers. However, the user groups for Windows and RADIUS must also be maintained on the firewall by using the User Groups window.
• Users and user groups for other authentication methods are created and maintained on the respective remote servers.
The differences between the two types of groups are described here:
• User groups — A user group is a logical grouping of one or more users. A user group can be assigned to a rule to restrict access to services on and through the firewall. User groups are selected in the Internal User Groups list on the Rules page. In general, a single user group contains either administrator accounts or user accounts, not both.
• External groups — An external group is a logical grouping of one or more users whose user database is stored on a remote authentication server. Authenticators that support external groups are:
  • Safeword
  • iPlanet
  • Active Directory
  • OpenLDAP
  • Custom LDAP
An external group must first be assigned to an authenticator. When that authenticator is used in a rule, you can then select that external group.

Configuring firewall users
Use the Firewall User Manager - Users window to create and maintain user accounts that are stored on the firewall. To grant or deny a user access to a network resource, first add the user to a user group. Then create a rule that specifies the desired authenticator, and select the appropriate user group in the Internal User Groups list.
Figure 200 Firewall User Manager - Users window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Users node to expand the tree, and then double-click Users. The Firewall User Manager - Users window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Object Name — Specify a unique object name for the user account. The name specified in this field is displayed in the Username field; however, uppercase letters in this field are displayed as lowercase letters in the Username field.
• Description — Provide information about the user account.
• Type — Specify the type of account to be defined for a firewall. The following values are available:
  • Users — Indicates a network user who uses the networking services provided by the firewall. This is the default value.
  • Administrators — Indicates an administrator who can connect directly to the firewall to perform administrative functions.
  Note: If you select Administrators as the Type, the window changes to the Firewall User Manager - Administrators window. Refer to the help topics associated with that window to configure administrators.
• Username — Specify the username the user must provide at login. Only alphanumeric characters are supported, the maximum length is 16 characters, and the username must begin with a letter. Generally, this is the same as the Object Name.
• Employee ID — Specify the user's employee ID.
• Organization — Specify the user's organization.
• User Field 1-4 — Specify any additional information that your organization requires. For example, if you will be generating chargeback reports for authenticated FTP, Telnet, or HTTP connections, you might specify account numbers in these fields.
• Password Options — Use the fields in this area to specify password information for this user. The following fields are available:
  • Password — Specify the password associated with this user account. The password can be created manually or automatically. To create a password manually, type a password in the Password field. The characters appear as asterisks (*). There is an 8-character minimum. Use these guidelines to create a strong password:
    • Use passwords that are at least eight characters in length.
    • Use a mix of upper- and lowercase letters, and non-alphabetic characters such as symbols and numbers.
    • Do not use any easily guessed words or words found in a dictionary, including foreign-language dictionaries.
  After you click OK, you are asked to verify the password. To create a password automatically, click Generate. The password is displayed in clear text in the Password field.
  Note: This password is not visible after you click OK. If the user forgets the password, you must create a new password for this account.
  • Discard Password Info — Determines whether to delete the user's password from the database. You might want to do this if you are changing a user's authentication method from Password to SafeWord, for example, and you need to remove the previous password information.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.
• Versions — Click this button to view all of the fields on this window that have version-specific availability. You can also view this information at the field level by holding your mouse over the version level icon and viewing the ToolTip.

Configuring firewall administrators
Use the Firewall User Manager - Administrators window to create and maintain firewall administrator accounts. A firewall administrator is someone who logs directly into the firewall to perform administrative activities. Each account also has a /home/username directory on the firewall. You must assign each firewall administrator to a firewall before he or she can log directly into that firewall. You must also assign each administrator a role that indicates the types of privileges that he or she has on the selected firewalls.
Access to the firewall is controlled using rules. By default, firewall access is controlled by the Login Console, Admin Console, and Secure Shell Server rules, which allow access from anywhere on the internal burb to the firewall's internal burb and require password authentication. These rules are needed only when an administrator needs to connect directly to the firewall instead of using the Control Center Client Suite.
Figure 201 Firewall User Manager - Administrators window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Users node to expand the tree, and then double-click Administrators. The Firewall User Manager - Administrators window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Object Name — Specify a unique object name for the administrative account. Generally, this is the same as the username. The name that you specify in this field is displayed in the Username field; however, uppercase letters in this field are displayed as lowercase letters in the Username field.
• Description — Provide information about the administrative account.
• Type — Specify the type of account to be defined for a firewall. The following values are available:
  • Administrators — Indicates an administrator who can connect directly to the firewall to perform administrative functions. This is the default value.
  • Users — Indicates a network user who uses the networking services provided by the firewall.
  Note: If you select Users as the value for the Type field, the window changes to the Firewall User Manager - Users window. Refer to the help topics associated with that window to configure users.
• OK — Save the changes in this window and on all tabs of this window.
• Cancel — Close this window without saving any changes.
• Versions — Click this button to view all of the fields on this window that have version-specific availability. You can also view this information at the field level by holding your mouse over the version level icon and viewing the ToolTip.
Tabs
This window has the following tabs:
• Account Information — Specify the login ID and password and provide administrator identification information. For more information, see Firewall User Manager - Administrators window: Account Information tab on page 465.
• Firewalls — Associate this account with one or more firewalls in your enterprise network. For more information, see Firewall User Manager - Administrators window: Firewalls tab on page 467.

Firewall User Manager - Administrators window: Account Information tab
Use the Account Information tab to create and maintain firewall login, identification, and password information for this administrator account. The administrator's level of privilege and default login shell are also configured on this tab. To view the fields on this window, see Figure 201 on page 464.
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Users node to expand the tree, and then double-click Administrators. The Firewall User Manager - Administrators window is displayed.
3 Make sure that the Account Information tab is selected.
Fields and buttons
This tab has the following fields and buttons:
• Username — Specify the username that the administrator must provide at login. Only alphanumeric characters are supported, the maximum length is 16 characters, and the username must begin with a letter. Generally, this is the same as the value of the Object Name field.
  Caution: Do not use uppercase characters in the username, because sendmail automatically converts the user name to lowercase before mail is delivered. Mail addressed to a user name that contains uppercase characters is therefore not forwarded.
• Employee ID — Specify the administrator's employee ID.
• Organization — Specify the administrator's organization.
• User Field 1-4 — Specify any additional information that your organization requires. For example, if you will be generating chargeback reports for authenticated FTP, Telnet, or HTTP connections, you might specify account numbers in these fields.
• Full Name — Specify the administrator's full name.
• Office — Specify the administrator's office address.
• Office Phone — Specify the administrator's office phone number.
• Home Phone — Specify the administrator's home phone number.
• Home Directory — Specify the home directory for this administrator. The default value is /home/username.
• Login Shell — Specify the UNIX shell that is used when this administrator logs in.
• Role — Specify the authorized role for this administrator. The role determines the level of access the administrator account is allowed on the firewall or firewalls selected on the Firewalls tab of the Firewall User Manager - Administrators window. The following values are available:
  • Admin — Grants administrator privileges for all areas. This is the default.
  • Admin Read Only — Grants read privileges only. This role allows an administrator to view all system information, as well as create and run audit reports. An administrator with read-only privileges cannot commit changes to any area of the firewall.
  • Admin no privileges — Limits access to the firewall. An administrator with no admin privileges cannot log into the firewall. This role is generally used to temporarily disable an administrator account.
• CAC Certificate — [Available only for firewall version 7.0.1.02 and later] Specify the Common Access Card (CAC) remote certificate for this administrator. This list displays all of the remote certificates. The default value is <None>.
• Password Options — Use the fields in this area to specify password information for this administrator. The following fields are available:
  • Password — Specify the password associated with this account. The password can be created manually or automatically. To create a password manually, type a password in the Password field. The characters appear as asterisks (*). There is an 8-character minimum. Use these guidelines to create a strong password:
    • Use passwords that are at least eight characters in length.
    • Use a mix of upper- and lowercase letters, and non-alphabetic characters such as symbols and numbers.
    • Do not use any easily guessed words or words found in a dictionary, including foreign-language dictionaries.
  After you click OK, you are asked to verify the password. To create a password automatically, click Generate. The password is displayed in clear text in the Password field.
  Note: This password is not visible after you click OK. If the administrator forgets the password, you must create a new password for this account.
  • Discard Password Info — Determines whether to delete the administrator's password from the database. You might want to do this if you are changing an administrator's authentication method from Password to SafeWord, for example, and you need to remove the previous password information.

Firewall User Manager - Administrators window: Firewalls tab
Use the Firewalls tab of the Firewall User Manager - Administrators window to associate an administrator account with one or more firewalls. Each administrator is given a home directory on the assigned firewalls. You can choose to automatically delete the administrator's home directory when deleting an account or when removing an account from a particular firewall. See the Delete home directory upon deletion of user checkbox in the Miscellaneous area of the Firewall window.
Figure 202 Firewall User Manager - Administrators window: Firewalls tab
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the Users node to expand the tree, and then double-click Administrators. The Firewall User Manager - Administrators window is displayed.
3 Select the Firewalls tab.
Fields and buttons
This tab has the following field:
• Firewall — Specify the firewalls on which this account is created. To create this administrator account on all firewalls, select ALL FIREWALLS.

Configuring firewall user groups
Use the Firewall User Manager - User Groups window to create and maintain user groups. A user group is a logical grouping of one or more users, identified by a single name. You can nest one or more groups inside another group. User groups are used in rules with Passport, Password, Windows, or RADIUS authenticators, and are listed in the Internal User Groups list.
You can lock out users who fail a specified number of consecutive authentication attempts. Lockout settings are managed in the Miscellaneous area of the Firewall window. There is also a report that lists the users who are currently locked out of the firewall because they exceeded the allowed number of authentication failures. To view the report, in either the Configuration Tool or the Reporting and Monitoring Tool, right-click the Firewall node or a specific firewall, and then select Firewall Reports > Authentication - Locked Out Users.
Figure 203 Firewall User Manager - User Groups window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Users node to expand the tree, and then double-click User Groups. The Firewall User Manager - User Groups window is displayed.
Fields and buttons
This window has the following fields and controls:
• Object Name — Specify the name of the group. A group name can contain a maximum of 100 characters. Numbers, uppercase letters, lowercase letters, periods (.), underscores (_), and spaces ( ) are allowed. The name must begin with a letter.
• Description — Provide information about the user group.
• Group Members — Specify the group members to include in this group from the list of all available group members. A group's members can also be viewed by expanding the specific group in the User Groups subnode beneath the Users node. The icons that precede the group member name indicate the member type:
  • Users
  • Administrators
  • User groups (also known as internal user groups)
  In general, a user group contains only users or only administrators. Because groups can be added to other user groups, groups are also listed as group members.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.

Configuring external firewall groups
Use the External Group window to create external groups that are used in rules to restrict access to services through the firewall. Create external groups that correspond to specific user groups on remote authentication servers. Then assign the external groups to the appropriate authenticator server by using the authenticator windows. To use an external group in a rule, you must assign the group to an authenticator and then select that authenticator and the group when creating the rule.
Figure 204 External Group window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the Users node to expand the tree, and then double-click External Groups. The External Group window is displayed.
Fields and buttons
This window has the following fields and controls:
• Name — Specify a label for the external group. This name must exactly match the corresponding group name on the external authentication server.
• Description — Provide information about the external group.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.
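The user group and lockout behaviour described under Configuring firewall user groups, worked through in Python as an added example that is not Control Center or firewall code. It flattens nested internal user groups (including a nesting loop, which a naive recursive expansion would never finish), evaluates whether an account satisfies a rule that lists several Internal User Groups, validates group names and usernames against the limits stated above, and implements a consecutive-failure lockout in which a success resets the count. The group names, members and threshold are constructed for the example; external groups are not modelled because their membership lives on the remote authentication server.

```python
"""Added example (not Control Center or firewall code): nested internal user groups,
rule membership, name rules and consecutive-failure lockout.  All names and the
threshold are constructed for this example."""
import re
from typing import Dict, Iterable, List, Set

# Constructed group definitions. A member written as "group:<name>" is a nested
# user group; any other member is a user or administrator account name.
GROUPS: Dict[str, List[str]] = {
    "VPN Users":       ["alice", "bob", "group:Contractors"],
    "Contractors":     ["carol", "group:Vendor X"],
    "Vendor X":        ["dave", "group:Contractors"],   # nesting loop; must terminate
    "Firewall Admins": ["admin1", "eve"],
}

GROUP_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9._ ]{0,99}$")  # letter first, 100 chars max
USERNAME = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,15}$")        # alphanumeric, 16 max


def valid_group_name(name: str) -> bool:
    return GROUP_NAME.match(name) is not None


def valid_username(name: str) -> bool:
    return USERNAME.match(name) is not None


def expand_group(name: str, groups: Dict[str, List[str]] = GROUPS) -> Set[str]:
    """Flatten a group, following nested groups. Each group is expanded once, so a
    loop in the nesting yields a finite answer instead of unbounded recursion."""
    accounts: Set[str] = set()
    seen: Set[str] = set()
    stack = [name]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in groups.get(group, []):
            if member.startswith("group:"):
                stack.append(member[len("group:"):])
            else:
                accounts.add(member)
    return accounts


def rule_permits(account: str, internal_user_groups: Iterable[str],
                 groups: Dict[str, List[str]] = GROUPS) -> bool:
    """A rule listing several Internal User Groups matches when the authenticated
    account is in any of them, directly or through nesting."""
    return any(account in expand_group(g, groups) for g in internal_user_groups)


class Lockout:
    """Consecutive-failure lockout: a success resets the streak, so failures spread
    between successful logins never add up to a lockout."""
    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def locked(self, account: str) -> bool:
        return account in self._locked

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt; returns True if the account is (now) locked.
        A locked account stays locked even after a correct password until unlock()."""
        if account in self._locked:
            return True
        if success:
            self._failures.pop(account, None)
            return False
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked.add(account)
            return True
        return False

    def unlock(self, account: str) -> None:
        """Administrative reset, the equivalent of clearing the locked-out state."""
        self._locked.discard(account)
        self._failures.pop(account, None)
```

The `seen` set in `expand_group` is what makes the Contractors / Vendor X loop safe; when you allow groups to contain groups, assume someone will eventually create a cycle and make the resolver tolerate it rather than trusting that nobody will.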
  • 470. Time periods Time periods You can specify periods of time when a rule is in effect. Use the TIme Period Manager window to create these time periods. See Managing time periods on page 470. Managing time periods Use the Time Period Manager window to create and maintain time periods. Time periods are used in rules to indicate when a rule is in effect. For more information, see Configuring rules on page 533. Figure 205 Time Period Manager window Accessing this window 1 In the Configuration Tool, select the Policy group bar. 2 Double-click the Time Periods node. The Time Period Manager window is displayed. Fields and buttons This window has the following fields and buttons: • Name — [Required] Specify a label for this time period. • Description — Provide information about this time period. • Type — Specify the type of time period to use. The following values are available: • Continuous — Indicates that a rule is active for one episode per week. If this option is selected, the Start and End controls are enabled. • Recurring — Indicates that a rule is active on particular days and times every week. If this option is selected, the Days of Week and Times fields are enabled. This is the default value. • Days of Week — [Displayed only if the selected Type value is Recurring] Specify the days of the week on which a rule is active. The following options are available: • Every Day of the Week — Indicates that the rule is active every day of the week. This checkbox is selected by default. • S M T W Th F Sa — Indicates that the rule is active on the selected days of the week. When the Every Day of the Week checkbox is cleared, you can click the toggle button representing the day of the week to include or exclude. When the field is blue, its value is included in the time period. 470 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 471. VPN • Times — [Displayed only if the selected Type value is Recurring] Specify the times during which a rule is active. The following options are available: • All Day — Determines whether the rule is active 24 hours of the selected days in the Days of Week field. This checkbox is selected by default. • Start — Specify a starting time for the rule to become active on each selected day of the week. When the All day checkbox is cleared, you can type or select the start time. • End — Specify an ending time for the rule to be active on each selected day of the week. When the All day checkbox is cleared, you can type or select the end time. • Start — [Displayed only if the selected Type value is Continuous] Specify the day of the week and the time when the rule becomes active each week. • End —[Displayed only if the selected Type value is Continuous] Specify the day of the week and the time when the rule becomes inactive until the following week. • OK — Save the changes in this window. • Cancel — Close this window without saving any changes. VPN A Virtual Private Network (VPN) securely connects networks and nodes to form a single, protected network. The data is protected as it tunnels through unsecured networks, such as the Internet or intranets. The VPN ensures data origin authentication, data integrity, data confidentiality, and anti-replay protection. A VPN works by encapsulating packets and sending them to a VPN peer for decapsulation. The encapsulated packets can be sent in the clear on the unsecured network between the VPN peers. The VPN is a security gateway between trusted and non-trusted networks that protects network access, network visibility, and network data. The two types of supported VPN connections are gateway-to-gateway and host-to-gateway. A gateway-to-gateway is often used when passing traffic from firewall to firewall between offices located in different cities. In this configuration, each gateway is identified by its IP address. 
Any end of the VPN can initiate and respond to a VPN connection. In the following illustration, the gateway-to-gateway tunnel connects networks A and B via Security Gateway A and Security Gateway B to form a VPN.

In a host-to-gateway connection, one or more single remote hosts (also known as road warriors) connect to a protected network. This type of VPN access is often used to provide access to protected business-related services for external users, such as telecommuters, a company’s mobile sales force, and extranet partners. VPN hosts are typically end-user (personal) computers equipped with IPsec-based VPN client software. The client software is invoked to establish a secure connection with the VPN.

Unlike a gateway-to-gateway VPN, which automatically allows either node to initiate or respond to a connection, a host-to-gateway VPN must be configured to allow secure connections initiated by the VPN client software. These connections are different from gateway-to-gateway connections because the physical IP address of the host is not always known in advance.

In the above illustration, the host-to-gateway tunnel connects the remote host running a VPN client to Security Gateway B. If the remote host authenticates successfully, it can access resources in Network B. The administrator of Security Gateway B is responsible for setting up a security policy for the remote hosts.

VPN hosts initiate the negotiation with the Internet Key Exchange (IKE) service on the firewall. After the host is authenticated by IKE, the IPsec parameters are negotiated, and a secure tunnel to the firewall is established.

Client software for VPN hosts often has the capability of configuring a virtual IP address to use after communication with the security gateway is established. The virtual IP address is assigned to the VPN host user. This enables remote users to appear as internal users on a private network. When a virtual address is used, the source address of traffic originating from the VPN host is different from its physical address.

Note: Virtual addresses (addresses located on the host end of a VPN tunnel) do not need to be routable; however, packet filter parsing generates warning messages for non-routable addresses that it encounters. To avoid these warning messages, it is strongly recommended that you configure a default route.

For more information on understanding the basics of VPNs, see the first section of the VPN chapter in the McAfee Firewall Enterprise (Sidewinder) Administration Guide.

Configuration features

Configuration sequence
As a guide, define a VPN configuration in the following order:
1 Certificates
2 Global information in the device-specific firewall manager window
3 Client Configuration objects
4 VPN Peer objects (can be created by using the VPN Wizard)
5 VPN Community objects (can be created by using the VPN Wizard)
More detailed descriptions of each step are found below.

Certificates
If your organization uses certificates to authenticate peers in its VPNs, configure those certificates before running the VPN Wizard or creating the necessary peers and community. While you can occasionally request a certificate directly from an authentication window, the best practice is to have all certificates available before configuring the VPN components. For more information, see CA certificates on page 512.

Device-specific firewall
Each device-specific firewall window supports some global configuration information for all VPN configurations. For each firewall, the firewall certificate management is handled in the Certificates area of the firewall-specific window. Server settings are also managed in this area. You can configure settings for the firewall Certificate server and assign certificates to various firewall-hosted servers, which they then present when clients request a secure, authenticated connection. For more information, see Configuring the firewall on page 170.

Client configuration objects
A VPN Client Configuration is used to establish a network configuration for a VPN client so that it can operate on the private side of a firewall. When a remote host connects to the firewall using a VPN client, you may want the host to appear as if it is located on an internal network (for example, a network behind the firewall). To provide this capability, you create one or more virtual subnets of IP addresses which can be assigned to remote clients as they successfully connect using a VPN. You can use host and subnet network objects to create the virtual subnet.

You can also map fixed addresses to specified remote clients from the pool of virtual addresses. A fixed IP mapping enables a remote client to initiate a VPN, present identifying information, and then be assigned the fixed address. The fixed addresses that you specify must be within the range of available IP addresses as defined by the client configuration. Once an address is assigned, the remote client appears to be part of the protected network. The client configuration can also make specific DNS and/or WINS servers available to the client.

If you are creating a host-to-gateway VPN, create the necessary client configuration object before running the VPN Wizard or creating the necessary peers and community. You can then associate the communities with the appropriate firewall while you are using the VPN Wizard or creating the individual peers.

Wizard
The simplest way to create a VPN channel is to use the VPN Wizard. This wizard takes you through creating the necessary peers, setting the required cryptographic parameters, and selecting the authentication method. When the wizard completes, it adds a new community object and any new peer objects to the appropriate VPN areas. These objects can then be tweaked individually, without running the wizard again. (For firewalls, this process is the equivalent of creating a new VPN definition.)
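The client configuration object described above (a virtual subnet built from host and subnet objects, fixed mappings inside that pool, dynamic assignment for everyone else, and DNS/WINS handed to the client) as an added Python model; this is not Control Center code, the class, method and identity names and the sample addresses are assumptions, and the 65535-host limit is the one stated for the remote-client address range later in this chapter.

```python
"""Virtual-address assignment for a VPN Client Configuration object.

Added example, not Control Center code: it models the pool of virtual
addresses built from host and subnet network objects, fixed mappings of
particular remote clients to addresses inside that pool, dynamic
assignment of the remaining addresses, and the DNS/WINS servers handed
to the client. Class, method and identity names are assumptions.
"""
import ipaddress

MAX_RANGE_HOSTS = 65535  # limit on a remote-client address range (64K - 1)


def _usable(network):
    """Usable host addresses of a host or subnet object (a /32 host is itself)."""
    if network.num_addresses <= 2:
        return list(network)          # /32 host, or a /31 point-to-point pair
    return list(network.hosts())      # subnet: skip network and broadcast addresses


class ClientConfiguration:
    def __init__(self, networks, fixed=None, dns=(), wins=()):
        self.pool = []
        for n in networks:            # e.g. "10.9.8.0/24" (subnet) or "10.9.8.200" (host)
            self.pool.extend(_usable(ipaddress.ip_network(n, strict=False)))
        if len(self.pool) > MAX_RANGE_HOSTS:
            raise ValueError(f"virtual address range exceeds {MAX_RANGE_HOSTS} hosts")
        # Fixed mappings: a remote identity always receives the same address,
        # which must lie inside the pool defined by the client configuration.
        self.fixed = {}
        for identity, addr in (fixed or {}).items():
            ip = ipaddress.ip_address(addr)
            if ip not in self.pool:
                raise ValueError(
                    f"fixed address {addr} for {identity} is outside the virtual subnet")
            self.fixed[identity] = ip
        self.dns, self.wins = list(dns), list(wins)
        self.leases = {}              # identity -> assigned address

    def assign(self, identity):
        """Mode-config result for a client that has authenticated as `identity`."""
        if identity in self.leases:           # reconnecting client keeps its address
            ip = self.leases[identity]
        elif identity in self.fixed:          # fixed mapping wins over the dynamic pool
            ip = self.fixed[identity]
        else:
            reserved = set(self.fixed.values()) | set(self.leases.values())
            try:
                ip = next(a for a in self.pool if a not in reserved)
            except StopIteration:
                raise RuntimeError("virtual subnet exhausted") from None
        self.leases[identity] = ip
        return {"address": str(ip), "dns": self.dns, "wins": self.wins}

    def release(self, identity):
        """Return the client's address to the dynamic pool when the tunnel ends."""
        self.leases.pop(identity, None)
```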
Peer objects
Each VPN node and all or part of its protected domain is configured as a VPN peer by using the VPN Peer window. These defined VPN peers participate in VPN Communities.

A gateway peer is a gateway that is described by its IP address, a set of protected networks behind it, and the identities and certificates it presents during authentication. Gateway peers can consist of a managed firewall or an unmanaged gateway with a static IP address.

A Road Warrior peer (a set of VPN clients) is described by a set of protected networks, and the identities and certificates it presents during authentication. A Road Warrior peer may connect only to a gateway peer.

Community objects
VPN Communities provide a mechanism for sharing VPN properties between two or more VPN peers. These properties include authentication methods, such as certificates and pre-shared keys, and cryptographic properties, such as IKE version and modes, encryption and hash strength, and other advanced options.

A community is a set of tunnels that share the same authentication and behavioral attributes. A community is described as a set of peers and a topology. The tunnel definitions are created automatically by combining pairs of peers according to the topology. These topologies correspond to the three types of VPN communities:
• Mesh — A mesh community is a type of gateway-to-gateway VPN in which a secure channel is defined between all participating gateways. The mesh topology establishes a tunnel between each pair of peers.
• Star — A star community is a type of gateway-to-gateway VPN in which a secure channel is defined between the central gateway and each satellite gateway. The star topology uses a specified central peer and establishes a tunnel between it and each of the other peers. A star topology with only two peers is indistinguishable from a mesh topology. Secure channels are not defined between satellite gateways.
• Remote Access — A remote access community is a host-to-gateway VPN. A secure channel is defined based on a specific interface of a particular firewall. The remote access topology requires exactly one gateway peer and one remote access peer. It is the only topology in which a remote host can participate. This model uses a peer object for the remote road warrior peer, but uses the community object to store information about the local gateway peer—which allows connections from the remote peer by opening an interface for the tunnel rather than knowing a remote peer address.
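The three topologies just described, as an added Python example that derives a community's tunnel set from its peers and enforces each topology's constraints (a Road Warrior peer may only pair with a gateway; remote access needs exactly one of each and is keyed on a firewall interface; a two-peer star equals a two-peer mesh); this is not Control Center code, and the Peer class, function names and interface label are assumptions.

```python
"""Tunnel derivation for the three VPN community topologies.

Added example, not Control Center code: it pairs a community's peers
according to its topology (mesh, star, remote access) and enforces the
constraints the guide states for each. Class and function names are
assumptions; a community with fewer than two peers is accepted and
simply yields no tunnels.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Peer:
    name: str
    kind: str  # "gateway" (managed firewall or static-address gateway) or "road_warrior"


def _gateways_only(peers):
    for p in peers:
        if p.kind != "gateway":
            raise ValueError(f"{p.name}: a Road Warrior peer may connect only to a gateway peer")


def _link(a, b):
    # A tunnel is undirected, so name the pair in a canonical order.
    return tuple(sorted((a, b)))


def mesh_tunnels(peers):
    """Mesh: one tunnel between every pair of participating gateways."""
    _gateways_only(peers)
    return sorted(_link(a.name, b.name) for a, b in combinations(peers, 2))


def star_tunnels(central, satellites):
    """Star: one tunnel from the central gateway to each satellite, none between satellites."""
    _gateways_only([central, *satellites])
    return sorted(_link(central.name, s.name) for s in satellites if s != central)


def remote_access_tunnels(gateway, interface, road_warrior):
    """Remote access: the local gateway side is a firewall interface held in the
    community (the remote address is unknown in advance); one Road Warrior peer."""
    if gateway.kind != "gateway" or road_warrior.kind != "road_warrior":
        raise ValueError("remote access needs one gateway peer and one Road Warrior peer")
    return [(f"{gateway.name}:{interface}", road_warrior.name)]


def community_tunnels(topology, peers, central=None, interface=None):
    """Derive the tunnel set of a community from its topology and peer list."""
    if len(peers) < 2:                      # pre-configured for future use: no tunnels yet
        return []
    if topology == "mesh":
        return mesh_tunnels(peers)
    if topology == "star":
        if central is None or central not in peers:
            raise ValueError("star topology needs a central peer from the community")
        return star_tunnels(central, [p for p in peers if p != central])
    if topology == "remote":
        gateways = [p for p in peers if p.kind == "gateway"]
        warriors = [p for p in peers if p.kind == "road_warrior"]
        if len(gateways) != 1 or len(warriors) != 1 or interface is None:
            raise ValueError("remote access needs exactly one gateway peer, "
                             "one Road Warrior peer and a firewall interface")
        return remote_access_tunnels(gateways[0], interface, warriors[0])
    raise ValueError(f"unknown topology {topology!r}")
```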
As a configuration convenience, a community can exist with fewer than two peers. This allows the operator to pre-configure specific future-use scenarios.

Components and considerations
Many components of a firewall must be considered when configuring VPN configurations, including:
• Rules
• Network Address Translation (NAT)
• Proxies
• Remote Hosts

Rules
In general, all packets that enter or leave the firewall by way of a VPN must pass through a rule. On the firewall, if the packets that are coming into the firewall are to cross a burb boundary, you must create a rule to allow that traffic from its termination burb to its destination burb. A termination burb is where the traffic arrives from the VPN channel and is decapsulated. It is recommended that you use a virtual burb as the termination burb and then configure policy to move the unencrypted traffic from that burb to its appropriate destination. Because the default behavior of any firewall is to drop IP packets that do not match a configured rule, it is necessary to ensure that any tunneled traffic from remote gateways or hosts is covered by a corresponding rule. Configure rules by using the Rule Editor window.

Network Address Translation (NAT)
The basic premise behind NAT is that the IP addresses of internal hosts either cannot be or should not be exposed to the external network. NAT changes an outbound IP packet's header, replacing the actual source IP address with an alias IP address. For inbound packets, the destination IP address specifies the alias address. NAT replaces this address with an internal host's IP address before passing the packet on to the internal network.

If NAT has not been enabled for a particular VPN tunnel, the VPN rules that are associated with the tunnel can be defined normally, specifying the internal network or hosts as the local endpoints. If, however, NAT has been enabled for a particular VPN tunnel, the VPN rules that are associated with the tunnel must specify the appropriate alias as the local endpoint.

Remote hosts and extended authentication (XAUTH)
When a remote host is being used by an individual who is traveling or working from home, there is typically no way to know the IP address of the remote host's gateway or the IP address of the remote host itself. Special consideration may need to be given to VPN tunnels and rules for remote hosts.

VPN tunnel configurations for remote hosts specify a firewall interface as the peer. This allows phase 1 negotiations through the interface, regardless of the remote host's gateway IP address. However, the corresponding VPN rule must specify the IP address of the remote host or the range of IP addresses in which the remote host can be found. To solve this problem, the VPN client software on the remote host must allow the user to specify a virtual IP address or must be able to accept an IP address that is dynamically assigned by the firewall.

To further enhance security, it is important that a user authenticates separately with the firewall. When possible, configure the VPN to use Extended Authentication (XAUTH). In addition to the normal authentication checks that are inherent during the negotiation process at the start of every VPN association, Extended Authentication goes one step further by requiring the person who is requesting the VPN connection to validate his or her identity.

The Extended Authentication option is most useful if you have traveling employees who remotely connect to your network by using laptop computers. If a laptop computer is stolen, without Extended Authentication, it might be possible for an outsider to illegally access your network. This is because the information that is needed to establish the VPN connection (the self-signed certificate, and so on) is saved within the VPN client software. When Extended Authentication is used, however, a connection will not be established until the user specifies an additional piece of authentication information that is not saved on the computer—either a one-time password, passcode, or PIN. This additional level of authentication renders the VPN capabilities of the laptop useless when in the hands of a thief.

Client configurations and XAUTH

Client configurations
VPN Client Configuration objects are used to simplify the management of VPN clients. They do so by having the firewall manage certain configuration details on behalf of the client. All that the client needs is the following information:
• Client software that supports ISAKMP mode-config exchange
• Authorization information (for example, a client certificate or a password)
• The address of the firewall

Here is how it works: you create a list of virtual subnets that will be used by remote peers when they attempt to make a VPN connection. When a client attempts a connection, the firewall assigns it one of the IP addresses that is available in the list. The firewall also negotiates with the client to determine other VPN requirements, such as the internal DNS and/or WINS servers that will be made available to the client. If the negotiation is successful, the client is connected and the VPN connection is established.

Not all VPN client software supports the negotiation of every client address pool parameter. Make sure that you verify that your client or clients support the necessary features.

You define the list of IP addresses available to the VPN client configuration. Even though the client might have a fixed IP address, the address that is used within the VPN tunnel is the address that has been assigned to it from the virtual subnet list. A client configuration can be used for fixed and dynamic clients.

Extended authentication (XAUTH)
The Extended Authentication (XAUTH) option provides an additional level of security for remote access VPN clients. In addition to the normal authentication checks that are inherent during the negotiation process at the start of every VPN association, Extended Authentication goes one step further by requiring the person who is requesting the VPN connection to validate his or her identity.

The Extended Authentication option is most useful if you have traveling employees who connect remotely to your network by using laptop computers. If a laptop computer is stolen, without Extended Authentication, it might be possible for an outsider to illegally access your network. This is because the information that is needed to establish the VPN connection (the self-signed certificate, and so on) is saved within the VPN client software. When Extended Authentication is used, however, a connection will not be established until the user specifies an additional piece of authentication information that is not saved on the computer—either a one-time password, passcode, or PIN. This additional level of authentication renders the VPN capabilities of the laptop useless when in the hands of a thief.

On Control Center, XAUTH can be configured in two areas: in VPN communities that are configured for remote access, and in VPN client configurations as a way of authenticating remote clients that are configured to use a fixed IP.

Creating VPN channels
Use the VPN Wizard to create mesh, star, and remote (road warrior) VPN channels. This wizard steps through the basic VPN configuration considerations without requiring you to understand the more intricate details associated with configuring VPN channels using the VPN object model. The resulting VPN channel configuration object can be viewed by inspecting the VPN Peers objects, VPN Communities objects, and VPN Client Configurations objects that are created as a result of using the wizard.

Note: Create all network objects and client configurations that are to be used in this VPN channel before you start the wizard. You might need objects to identify gateways, hosts, and endpoints. Because a firewall can be defined only once for each VPN channel configuration, identifying protected resources that are being made available might require pre-defining an endpoint group.

Accessing this wizard
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node to expand the tree and then double-click VPN Wizard. The VPN Wizard window is displayed.
Step 1 of 7
Select the type of VPN channel being configured.
• Select the type of VPN channel to be configured — Specify the type of VPN channel being created. The following options are available:
  • Mesh — Form VPN tunnels so that all defined gateways can access the protected resources for all other gateway participants in the configuration.
  • Star — Allow all defined gateways to access the protected resources of a central gateway.
  • Remote — Specify a configuration that will allow one or more remote clients to access the protected resources of the associated gateway.
• Enter a Name to identify the VPN Channel — Specify the name used to identify the VPN channel.
• Enter a Description for the VPN Channel (optional) — Provide information on the VPN channel being defined.
Click Next >> to proceed to the next page.

Step 2 of 7 - Mesh VPN Channel
For a mesh configuration, identify the gateways that will participate in the mesh VPN channel configuration. At least two gateways must be configured. The list displays the gateway information after the gateway has been added by clicking Add Gateway.
• Name — Displays the name of the VPN peer object that defines gateway addressing and its associated protected networks.
• Address — Displays the access address to the gateway.
• Protected Resources — Displays the protected resources of the gateway that each other gateway in the mesh configuration can access. This can be an endpoint group that defines an array of resources.
Click Next >> to proceed to the next page.

Step 2 of 7 - Star VPN Channel
For a star configuration, a single central gateway must be defined to act as the hub of the VPN channel configuration. All other participating gateways are defined in the lower portion of this page. The lists display the gateway information after the gateway has been added by clicking Configure Gateway or Add Gateway.
• Configure the Central Gateway for the VPN Channel — This table contains the following information:
  • Name — [Read-only] Displays the name of the VPN peer object that serves as the central gateway of the star configuration. To select a previously defined VPN peer object or to define a new one, click Configure Gateway.
  • Address — [Read-only] Displays the address associated with the selected VPN Peer object.
  • Protected Resources — [Read-only] Displays the protected resources that have been defined for the central gateway. These resources are made available to all other gateways in the configuration.
• Configure the VPN Gateways that will connect to the Central Gateway — This table contains the following information:
  • Name — [Read-only] Displays the name of the VPN peer object that serves as a participating gateway of the star configuration. To select a previously defined VPN peer object or to define a new one, click Add Gateway.
  • Address — [Read-only] Displays the address associated with the selected VPN peer object.
  • Protected Resources — [Read-only] Displays the protected resources that have been defined for the gateway. These resources are made available to the central gateway in the configuration.
Click Next >> to proceed to the next page.

Step 2 of 7 - Remote Clients VPN Channel
For a remote configuration, identify the remote client configuration, the range of addresses that will be used by the VPN clients for communication to the protected resources of the VPN gateways, and the gateway VPN peer.
• Select the Client Configuration that will be given to the Remote Clients — Specify a previously defined remote client configuration object. If the appropriate client configuration option is not listed, click Add Configuration to create a new one.
• Select the address range to be used by the Remote Clients — Displays the addresses and address ranges from which the firewall can assign internal IP addresses to remote access VPN clients. Each endpoint can be associated with only one VPN client configuration. If the resource does not appear in the list, you can create a new network object by clicking Add. For more information, see Configuring endpoints (network objects) on page 337. The address range to be used by remote clients can contain up to 65535 (64K – 1) host addresses.
  Selecting an address range endpoint in this field requires special consideration. To be useful, the virtual IP addresses specified here must also be selected for the remote client configuration object. The virtual IP addresses can be specified as host, subnet, or address range endpoints; however, the protected resources in a VPN tunnel configuration allow only host and subnet endpoints. If the virtual IP addresses are specified as an address range endpoint, you must create a subnet endpoint, several host endpoints, or a group of host endpoints that represent the virtual IP addresses.
• Configure the VPN Gateway that the Remote Clients will connect to — This table contains the following information:
  • Name — [Read-only] Displays the name of the VPN peer object that serves as the participating gateway of the star configuration. To select a previously defined VPN peer object or to define a new one, click Configure Gateway.
  • Firewall — [Read-only] Displays the name associated with the selected firewall object.
  • Protected Resources — [Read-only] Displays the protected resources that have been defined for the gateway. These resources will be made available to the remote client in the configuration.
Click Next >> to proceed to the next page.

Step 3 of 7 Cryptographic (IKE) Configuration
Use this page to define the cryptographic configuration parameters for the VPN channel being created.
• Select the Mode to establish a VPN tunnel — Specify the mode that is used to establish an IKE phase 1 tunnel. The following options are available:
  • Main — Six packets must be exchanged to establish the phase 1 tunnel. This is the default value.
  • Aggressive — [Optional] Three packets must be exchanged to establish the phase 1 tunnel. Although the phase 1 tunnel is established more quickly in Aggressive mode, Main mode provides greater protection against denial of service attacks.
• Select the Encryption Algorithms to use — Specify one or more algorithms to protect IKE phase 1 and phase 2 (IPsec) traffic. The following values are available:
  • aes256 — Denotes the Advanced Encryption Standard using a 256-bit key.
  • aes192 — Denotes the Advanced Encryption Standard using a 192-bit key.
  • aes128 — Denotes the Advanced Encryption Standard using a 128-bit key. This is the default value.
  • cast128 — Denotes the CAST design procedure that uses a 128-bit key.
  • 3des — Denotes the Triple Data Encryption Standard. It uses three stages of DES, giving an effective keying strength of 168 bits.
  • des — Denotes the Data Encryption Standard. It uses a 56-bit key.
  Note: The None option is not available in the VPN Wizard. If your security policy requires that the encryption algorithm is set to None, make this change by using the VPN Community - Cryptography Phase 2 Properties page for the appropriate VPN community object.
  • Preferred — Select the preferred encryption algorithm to receive from the VPN channel.
  • Alternates — [Optional] Select one or more alternative algorithms that will be accepted when received from the VPN channel.
• Select the Hash Algorithms to use — Specify one or more algorithms to authenticate IKE phase 1 and phase 2 traffic. The following options are available:
  • md5 — Denotes a Hash Message Authentication Code that uses the MD5 hash algorithm.
  • sha1 — Denotes a Hash Message Authentication Code that uses the SHA1 hash algorithm. This is the default value.
  Note: The None option is not available in the VPN Wizard. If your security policy requires that the hash algorithm is set to None, make this change by using the VPN Community - Cryptography Phase 2 Properties page for the appropriate VPN community object.
  • Preferred — Select the preferred hash algorithm to receive from the VPN channel.
  • Alternates — [Optional] Select one or more alternative algorithms that will be accepted when received from the VPN channel.
• Select the Diffie-Hellman Groups to use — Specify the group that determines the length of the base prime numbers that are used during the key exchange process. The following values are available:
  • 1 — Provides 768 bits of keying strength
  • 2 — Provides 1024 bits of keying strength
  • 5 — Provides 2048 bits of keying strength. This is the default value.
  When this value is selected, the following fields are available:
  • Preferred — Select the preferred Diffie-Hellman Group to receive from the VPN channel.
  • Alternates — [Optional] Select one or more alternative groups that will be accepted when received from the VPN channel.
• Use Perfect Forward Secrecy — Determines whether the key material associated with each IPsec security association is derived from the key material that is used to authenticate the remote peer during the ISAKMP negotiation. If this checkbox is selected, the key material associated with each IPsec security association cannot be derived.
Click Next >> to proceed to the next page.

Step 4 of 7 Authentication Configuration (Pre-Shared Keys)
At least one authentication method must be specified: pre-shared keys, certificates, or both. Use this page to indicate whether pre-shared keys are going to be used, and if so, the passphrase to use. If you are going to be using certificates only, click Next >> without doing anything on this page. Otherwise, configure the fields on this page as needed.
• Authenticate using Pre-Shared Key — Determines whether pre-shared keys can be used to authenticate the VPN channel.
• Enter a Passphrase — Specify the passphrase, or key. The key can be a maximum of 128 ASCII characters or 256 hexadecimal characters excluding the 0x. The key must be at least eight characters long and can consist of any valid characters. If hexadecimal representation is used, remember that an eight-bit value is represented by two hexadecimal characters.
• Confirm Passphrase — Confirm the passphrase.
Click Next >> to proceed to the next page.
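The passphrase limits of Step 4 (minimum eight characters, at most 128 ASCII or 256 hexadecimal characters not counting the 0x, two hexadecimal characters per byte) as an added Python check; this is not Control Center code, and treating a leading 0x as the marker of a hexadecimal key, along with the function names, is an assumption of the example.

```python
"""Pre-shared key checks for the VPN Wizard's Step 4 passphrase fields.

Added example, not Control Center code. It applies the limits the guide
states for a pre-shared key (at least eight characters; at most 128 ASCII
characters or 256 hexadecimal characters not counting a leading 0x; two
hexadecimal characters per eight-bit value) and returns the key bytes.
Treating a leading 0x as the marker of a hexadecimal key, and the
function names, are assumptions of this example.
"""
import string

MIN_CHARS = 8
MAX_ASCII_CHARS = 128
MAX_HEX_CHARS = 256


def psk_bytes(passphrase: str) -> bytes:
    """Return the key the passphrase denotes, or raise ValueError if it breaks a limit."""
    if passphrase[:2].lower() == "0x":
        digits = passphrase[2:]             # the 0x prefix itself is not counted
        if len(digits) < MIN_CHARS:
            raise ValueError("key must be at least eight characters")
        if len(digits) > MAX_HEX_CHARS:
            raise ValueError(f"hexadecimal key exceeds {MAX_HEX_CHARS} characters")
        if len(digits) % 2:
            raise ValueError("each eight-bit value needs two hexadecimal characters")
        if any(ch not in string.hexdigits for ch in digits):
            raise ValueError("hexadecimal key contains a non-hexadecimal character")
        return bytes.fromhex(digits)        # 256 hex characters -> 128 key bytes
    # No 0x prefix: the characters themselves are the key, one byte each.
    if len(passphrase) < MIN_CHARS:
        raise ValueError("key must be at least eight characters")
    if len(passphrase) > MAX_ASCII_CHARS:
        raise ValueError(f"ASCII key exceeds {MAX_ASCII_CHARS} characters")
    if not passphrase.isascii():
        raise ValueError("ASCII key contains a non-ASCII character")
    return passphrase.encode("ascii")


def confirmed_psk(passphrase: str, confirmation: str) -> bytes:
    """Both wizard fields must hold the same value before the key is accepted."""
    if passphrase != confirmation:
        raise ValueError("passphrase and confirmation differ")
    return psk_bytes(passphrase)
```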
Step 5 of 7 Authentication Configuration (Certificates)
At least one authentication method must be specified: pre-shared keys, certificates, or both. Use this page to indicate whether certificates are going to be used, and if so, the certificates to use. If both pre-shared keys and certificates are specified, certificates are preferred over pre-shared keys.
• Authenticate using Certificates — Specify that certificates can be used to authenticate the VPN channel. Select one of the following options to specify the allowed verification type:
  • Certificate Authority verification — Displays all the CA certificates that have been imported into the Control Center Management Server. Select one or more CA certificates to be trusted by the VPN channel. The certificate(s) that are identified here must be coordinated with the certificates that are identified with each firewall that participates in the VPN channel. To import a new certificate, click Add CA Certificate. The CA Certificate Import Wizard is displayed.
  • Single Certificate verification — Requires one certificate per peer. Assign certificates in the table below.
• Select the Certificate that will be presented by each VPN Gateway — Use this table to identify the firewall certificate that is installed on each gateway that is participating in the VPN channel. The certificate identified here must be coordinated with the CA certificate that is trusted by the VPN channel. The Certificate and Manage Certificates fields are interactive.
  • VPN Gateway — [Read-only] Displays the gateways to be used in this VPN channel.
  • Firewall — [Read-only] Displays the fully qualified domain name of the gateway object. If the object is not a managed firewall, this field is blank.
  • Certificate — Specify the CA certificate to be trusted by the VPN channel. The list includes all of the relevant certificates that have been imported into the Management Server. The certificate that you select must be coordinated with the certificates that are identified with each firewall that participates in the VPN channel.
  • Manage Certificates — Click Manage… to display the Certificates window, in which all of the available certificates for the selected gateway are displayed. In the Certificates window, to import a new certificate, click Add Certificate.
    • For managed firewalls, this displays the Certificate Request Wizard.
    • For unmanaged gateways, this displays the Remote Certificates Wizard.
Click Next >> to proceed to the next page.

Step 6 of 7 Remote Identities
Note: This page is available only when configuring remote identities.
Use this page to specify the list of identities that will be provided by the remote clients for identification purposes. Remote identities are used to identify the authorized users who participate in a VPN definition and who either have been issued a certificate from a particular CA or use a VPN client that is configured with a pre-shared password.
• Identity Type — Specify the type for this identity. This value determines the format of the value that you specify in the Identity field. The following types are available:
  • Email — Restrict access based on e-mail address. Specify one e-mail address per identity or use a wildcard to indicate all e-mail addresses (for example, @example.com).
  • Distinguished Name — Restrict access based on Distinguished Name.
  Note: The order of distinguished names in this table must match the order in which they are listed in the certificate.
  • Domain Name — Restrict access by domain name. Specify one fully qualified domain name (FQDN) per identity or use a wildcard to indicate all domain names (such as *.example.com).
  • IP address — Restrict access by a unique IP address or by a group of IP addresses. For example, 182.19.0.0/16 indicates that only users with IP addresses beginning with 182.19 (as contained in the certificate) will be authorized to use this VPN.
• Identity — Specify the value for the identity type that was specified in the previous column.
Click Next >> to proceed to the next page.

Step 7 of 7 Summary
This page provides a summary of the VPN channel information for the VPN channel that you are defining. The top portion of this page shows the configurable objects that are created as a result of the configuration decisions that you made when progressing through the VPN wizard.
• Type — [Read-only] Displays the VPN objects that were created. The following object types are possible:
  • VPN Peers — These objects define the participating VPN Channel gateways.
  • VPN Communities — These objects define the VPN Channel configuration.
  • VPN Client Configurations — These objects define the VPN remote (road warrior) hosts.
  • IKE Strategies — These objects define the Internet Key Exchange (IKE) strategy that is used by the VPN feature of the firewall to establish a secure tunnel between hosts.
  • IPSEC Strategies — These objects define the IPsec Strategy that identifies groups of cryptographic properties to use as an IPsec strategy. For the negotiation to be successful, one of the groupings will be agreed on, and its parameters will be used. The successful negotiation of an IPsec Strategy results in an IPsec Security Association (SA) between the managed VPN and the peer.
• Name — [Read-only] Displays the associated object name that you defined during the wizard configuration process.
The bottom portion of the page displays a VPN Channel Overview area. To export this configuration as a text file, click Save As…. If you agree to the contents and want to save the VPN, click Finish. Otherwise, you can click << Back to return to a previous page to make adjustments, or you can click Cancel to exit the wizard without saving any changes.
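The identity forms of the Step 6 table (exact e-mail or @domain wildcard, exact FQDN or *.domain wildcard, a Distinguished Name compared component by component in the certificate's order, and a single IP address or a CIDR group such as 182.19.0.0/16) as an added Python matcher that decides whether a presented identity is authorized; this is not Control Center code, and the function names and sample identities are assumptions.

```python
"""Remote identity matching for the VPN Wizard's Step 6 identity table.

Added example, not Control Center code. It checks the identity a remote
client presents against the rows of (Identity Type, Identity) entered in
the wizard, using the forms the guide describes: an exact e-mail address
or an @domain wildcard, an exact FQDN or a *.domain wildcard, a
Distinguished Name compared component by component in order, and a single
IP address or a CIDR group. Function names and sample values are assumptions.
"""
import ipaddress


def _match_email(pattern, presented):
    pattern, presented = pattern.lower(), presented.lower()
    if pattern.startswith("@"):                 # wildcard: any local part in this domain
        return presented.endswith(pattern) and len(presented) > len(pattern)
    return pattern == presented


def _match_domain(pattern, presented):
    pattern, presented = pattern.lower().rstrip("."), presented.lower().rstrip(".")
    if pattern.startswith("*."):                # wildcard: any name below this domain
        suffix = pattern[1:]                    # "*.example.com" -> ".example.com"
        return presented.endswith(suffix) and len(presented) > len(suffix)
    return pattern == presented


def _match_dn(pattern, presented):
    # Components must appear in the same order as in the certificate, so the
    # comparison is positional rather than set-based.
    def split(dn):
        return [part.strip().lower() for part in dn.split(",")]
    return split(pattern) == split(presented)


def _match_ip(pattern, presented):
    # "182.19.0.0/16" is a group; a bare address becomes a /32 (or /128) network.
    return ipaddress.ip_address(presented) in ipaddress.ip_network(pattern, strict=False)


MATCHERS = {
    "Email": _match_email,
    "Distinguished Name": _match_dn,
    "Domain Name": _match_domain,
    "IP address": _match_ip,
}


def is_authorized(identities, presented_type, presented_value):
    """identities: list of (Identity Type, Identity) rows from the wizard table.

    A client is authorized when at least one row of the same type matches the
    identity it presented; rows of other types are ignored.
    """
    try:
        match = MATCHERS[presented_type]
    except KeyError:
        raise ValueError(f"unknown identity type {presented_type!r}") from None
    return any(match(value, presented_value)
               for typ, value in identities if typ == presented_type)
```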
  • 481. VPN Managing firewall certificates for VPN gateways Use the firewall_name Certificates window to manage the certificates for the selected firewall that will be presented by each VPN gateway. Figure 206 firewall_name Certificates window Accessing this window 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node to expand the tree and then double-click VPN Wizard. The VPN Wizard window is displayed. 3 Proceed through the wizard until you get to step 5, which is the Authentication Configuration (Certificates) page. In the list of certificates at the bottom of this page, click Manage… for the VPN gateway that you want to manage. The firewall_name Certificates window is displayed. Fields and buttons This window has the following fields and buttons: • Name — [Read-only] Displays the name of the certificate. Select the certificate that you want to work with and then select the button for the action that you want to perform. • Status — [Read-only] Displays the status of the selected certificate. • Close — Close this window. • Add Certificate — The Certificate Request Wizard starts. Run this wizard to create a new certificate or to import an existing certificate. • Load Certificate — The Load Certificate Wizard starts. Run this wizard to load a certificate from a file or from an LDAP server. • Retrieve Certificate — Retrieve a certificate from the URL address. • Certificate Details — Displays the certificate's status, signature type, and identifying information, such as distinguished name, e-mail address, domain name, or IP address. • Export Certificate — The Export Certificate Wizard starts. Run this wizard to export a stored certificate. • Delete Certificate — Delete the selected certificate. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 481
• Status — Specify the certificates to display in the table, based on their certificate status. The following options are available:
  • ALL (the default value)
  • Pending
  • Completed
  • Revoked

Configuring VPN gateways

Use the VPN Gateway window to define the participating local or remote gateways and their protected resources. The gateway usage depends on the type of VPN channel that you are configuring:
• Mesh — VPN gateways that will participate in the VPN channel
• Star — Central gateway for the VPN channel and the VPN gateways that connect to the central gateway
• Remote clients — VPN gateway to which the remote clients will connect

Figure 207 VPN Gateway window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node to expand the tree and then double-click VPN Wizard. The VPN Wizard window is displayed.
3 For Mesh or Star VPN channels, proceed through the wizard until you reach step 2, which is either the Mesh VPN Channel page or the Star VPN Channel page. Click Add Gateway. The VPN Gateway window is displayed.
  or
  For Remote VPN channels, proceed through the wizard until you reach step 2. The Remote Clients VPN Channel page is displayed. Click Configure Gateway. The VPN Gateway window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Configure a new VPN Gateway to connect to the VPN Channel — Specify a new VPN gateway and the associated protected resources. If an existing VPN gateway has already been defined with identical protected resources, select Add an existing VPN Gateway (VPN Peer object) to the VPN Channel at the bottom of the page and then select the appropriate object.
• Enter a name to identify the VPN Gateway — Specify a unique name for the combination of gateway addressing information and associated protected resources that is being created. This VPN peer object can be reused in other configurations.
• Select the Managed Firewall to use for this VPN Gateway — Specify a firewall object that is managed by the Control Center. If the gateway is not managed by the Control Center, select <None>. Each firewall and its associated protected resources can be identified only once per configuration.
• Enter the IP address that other VPN gateways will use to connect to this gateway — Specify the address that other hosts in this VPN channel will use to connect to this gateway. The contents of this list depend on the selections above:
  • If a managed firewall is selected, this list contains only the defined interfaces for that firewall.
    Note: For clustered interfaces, only the cluster name and IP address of each available clustered interface associated with the clustered configuration are identified.
  • If the managed firewall value is set to <None> and the IP Address option is selected, this list contains only the endpoints that contain an IP address.
  • If the managed firewall value is set to <None> and the DNS Host Name option is selected, this list contains only the endpoints that contain a host name.
• Select the Burb that VPN Traffic will be terminated on — Specify the burb in which VPN traffic transitions between plain-text and encrypted data. If the burb does not appear in the list, click (Add) to create a new burb. For more information, see Configuring burbs on page 341.
• Select the interface on which Remote Clients will connect to this VPN Gateway — [Available only for remote client configurations] Specify the interface that the remote clients will use to connect to the selected VPN gateway.
• Select the resources that will be protected by the VPN Gateway — Specify the resources that are protected by this VPN gateway. This list contains all of the host and network objects that are configured on the Control Center. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, type one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). For more information, see Configuring endpoints (network objects) on page 337. You can also use the Find button to perform a user-defined, partial search on specific characters.
  Note: Because a firewall can be defined only once for each VPN channel configuration, you can use an endpoint group to explicitly identify the appropriate protected resources.
• Add an existing VPN Gateway (VPN Peer object) to the VPN Channel — Specify a previously defined VPN peer object that identifies a combination of gateway addressing information and associated protected resources.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.

Configuring VPN peer objects

Use the VPN Peer window to create peer objects that will participate in gateway-to-gateway and gateway-to-host VPN communities. For more information, see VPN on page 471.

Figure 208 VPN Peer window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a unique name for the VPN peer object being created. This is the name that appears in the Participating Gateways list when you are configuring star and mesh VPN communities.
• Description — Provide a user-defined description of the VPN peer object being created.
• Peer Type — Specify the type for this VPN peer object. The following options are available:
  • Gateway — Select this option if this peer object is a firewall/gateway used in a gateway-to-gateway configuration.
  • Road warrior — Select this option if this peer object is a road warrior (remote client) used in a host-to-gateway configuration.
• Enabled — Determines whether this VPN peer object is enabled. When selected, the VPN peer object can participate in the VPN tunnel configurations of all the VPN communities to which it belongs. By default, this checkbox is selected, indicating that the peer is available for use in a VPN tunnel.
  Note: If this peer is identified as the central gateway in a Star type of community and it is disabled, the entire community is disabled.
• OK — Save the changes in this window, including all of the tab changes.
• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• Address — Define the firewall and its identifying network information for this VPN peer object. For more information, see VPN Peer window: Address tab on page 485.
• Authentication — Define how this peer will authenticate. For more information, see VPN Peer window: Authentication tab on page 488.
• Road Warrior Identities — Specify the remote certificates from a CA that can be used to authenticate this peer to a VPN.
  For more information, see VPN Peer window: Road Warrior Identities tab on page 490.

VPN Peer window: Address tab

Use the Address tab of the VPN Peer window to configure network information for this peer object. The fields that are active depend on both the peer type and the firewall that are selected. See the section that is appropriate for the VPN peer type that you are configuring:
• Adding a VPN gateway based on a firewall on page 486
• Adding a VPN gateway based on an unmanaged firewall on page 487
• Adding a VPN road warrior on page 488
Note: You must create the needed network objects and client configurations before you configure this tab. To view the fields on this tab, see Figure 208 on page 484.
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is displayed.
4 Make sure that the Address tab is selected.

Adding a VPN gateway based on a firewall

The following fields are displayed if the option selected for Peer Type is Gateway and the value of the Firewall field is set to a firewall:
• Firewall — Specify the firewall to use as the gateway in this peer object. This list includes all of the registered firewalls and an <Unmanaged Device> option.
• Only accept connections on the specified address — Determines whether the firewall listens for connections on a specific address instead of on all interfaces. To configure the firewall to listen for connections on an address other than one of its interfaces (such as an alias address), you must select this checkbox.
• IP address — Specify the address to use when communicating with the selected firewall. The default value is <Enter gateway IP address>.
• Protected networks — Specify the endpoints that are protected by this VPN peer object. This list identifies the network resources to the other peers and contains all of the host and network objects that are configured on the Control Center. You must specify at least one protected network. Although multiple VPN peer objects can be created for each gateway, the protected networks defined for a VPN peer can be defined only once per gateway. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, type one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add).
  You can also use the Find button to search for a partial match of network names.
• Burb — Specify the burb on the firewall where the VPN will terminate. The firewall terminates each VPN in a burb so that access rules can be applied to the VPN. To edit an existing object, select it in the list and then click (Edit selected); the respective object window is displayed. To add a new object, click (Add); the respective object window is displayed.
• Client configuration — Specify the client configuration to be associated with this VPN peer. This list includes all existing client configuration objects. This area is similar in function to the firewall client address pools. To edit an existing object, select it in the list and then click (Edit selected); the respective object window is displayed. To add a new object, click (Add); the respective object window is displayed.
• Enable initial contact — Determines whether the firewall can send and receive initial contact notify messages when it first connects with a VPN peer. This setting causes the peer to reload any previous state, which is useful for resynchronizing state after a firewall reboot. This option is selected by default.
• Use NAT traversal — Determines whether NAT traversal is negotiated with the remote VPN peer. NAT traversal is needed if either VPN peer is behind a NAT device. With NAT Traversal, the changes that NAT makes are circumvented, and AH, ESP, and IPComp can be used freely in tunnel and transport modes regardless of NAT usage on the network route between the IPsec endpoints. A UDP header is added to IPsec traffic and port 500 is changed to port 4500 to allow traffic across a NAT device.
  For NAT Traversal to work properly, it must be able to detect one or more NATs between the IPsec hosts and then negotiate UDP encapsulation of the IPsec packets through the NAT devices. During IKE phase one (for example, Main Mode), the IPsec devices first determine whether they both support NAT Traversal. Next, the devices determine whether NAT occurs anywhere on the communications path between them by sending NAT Discovery (NAT-D) packets. NAT-D packets carry information about the source and destination IP addresses and ports. If the IP addresses and ports are not the same, the VPN devices know that a NAT device exists somewhere between them. During the IKE phase two (Quick Mode) exchange, if a NAT device was detected, the VPN policy manager negotiates the use of UDP-encapsulated tunnel mode for the IPsec security association (SA).
  Usually, NAT assignments last for a short period of time and are then released. For IPsec to work properly, the same NAT assignment needs to remain intact for the duration of the VPN tunnel.
  NAT-T accomplishes this by requiring any endpoint communicating through a NAT device to send a “keepalive” packet to prevent NAT endpoints from being remapped during the session. All NAT Traversal communications begin over UDP port 500, which is already open for Internet Key Exchange (IKE) communications in IPsec VPNs. After a NAT device is discovered, all subsequent IKE exchanges occur on UDP port 4500.
  NAT Traversal (UDP-tunnel mode) of the AH protocol is not supported. If NAT Traversal is enabled in the Secure Channel associated with an AH-enabled packet-filtering rule, it is silently ignored. Note the following restrictions:
  • Both sides of the VPN tunnel must have NAT Traversal capability.
  • This feature is intended only for dynamic IP policies.
  • This function works only in Tunnel mode; it does not work in Transport mode VPNs.
  By default, this option is cleared, meaning that NAT-T is not allowed.

Adding a VPN gateway based on an unmanaged firewall

The following fields are displayed if the Peer Type option is set to Gateway and the Firewall field value is set to <Unmanaged Device>:
• Firewall — Specify the firewall to use as the gateway in this peer object. This list includes all of the registered firewalls and an <Unmanaged Device> option.
• IP address — Specify the gateway IP address to use when communicating with this peer object.
• Protected networks — Specify the endpoints that are protected by this VPN peer object. This list identifies the network resources to the other peers and contains all of the host and network objects that are configured on the Control Center. You must specify at least one protected network. Although multiple VPN peer objects can be created for each gateway, the protected networks defined for a VPN peer can be defined only once per gateway.
  To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, type one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). You can also use the Find button to search for a partial match of protected network names.

Adding a VPN road warrior

The following fields are displayed if the Peer Type option is set to Road Warrior:
• Protected networks — Specify the endpoints that are protected by this VPN peer object. This list identifies the network resources to the other peers and contains all of the host and network objects that are configured on the Control Center. You must specify at least one protected network. Although multiple VPN peer objects can be created for each gateway, the protected networks defined for a VPN peer can be defined only once per gateway. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, type one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). You can also use the Find button to search for a partial match of protected network names.

VPN Peer window: Authentication tab

Use the Authentication tab of the VPN Peer window to define the way that this peer will authenticate. VPN nodes can be configured to present one or more local identities and to permit or deny peers based on their presented identities. In Control Center, authentication can be accomplished using pre-shared keys or certificates. At least one of the authentication methods (pre-shared keys or certificates) must be used.
If both pre-shared keys and certificates are specified, certificates are preferred over pre-shared keys.

Figure 209 VPN Peer window: Authentication tab
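The NAT-D exchange that the Use NAT traversal option description above walks through, as an added Python illustration that is not Control Center code: each side hashes the IKE cookies with an address and port, the receiver compares those hashes with the addresses it actually observed, and a detected NAT moves IKE to port 4500 and selects UDP-encapsulated tunnel mode for ESP only. It assumes SHA-1 as the negotiated hash and the RFC 3947 payload layout HASH(CKY-I | CKY-R | IP | Port); the addresses, ports and cookies are constructed samples.

```python
"""NAT-D detection and encapsulation choice as the Use NAT traversal description lays it out.

Added example, not Control Center code. Assumptions: SHA-1 is the negotiated IKE hash
and the NAT-D payload is HASH(CKY-I | CKY-R | IP | Port) as in RFC 3947.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE phase 1 and NAT-D start here
NAT_T_PORT = 4500   # after a NAT is found, later IKE exchanges and UDP-encapsulated ESP move here


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """One NAT-D payload: hash of both IKE cookies, the packed IP address and the port."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, local_ips, local_port):
    """Sender side: the first payload covers the peer as the sender addresses it,
    followed by one payload per local address the sender believes it has."""
    payloads = [nat_d_hash(cky_i, cky_r, peer_ip, peer_port)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, local_port) for ip in local_ips]
    return payloads


def detect_nat(cky_i, cky_r, payloads, my_ip, my_port, seen_src_ip, seen_src_port):
    """Receiver side. Returns (receiver_behind_nat, sender_behind_nat).

    A NAT in front of the receiver rewrites the destination, so the sender's view of the
    receiver no longer hashes to the receiver's own address. A NAT in front of the sender
    rewrites the source, so none of the sender's local hashes match the observed source.
    """
    peer_view_of_me, *sender_local = payloads
    receiver_behind_nat = peer_view_of_me != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    sender_behind_nat = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in sender_local
    return receiver_behind_nat, sender_behind_nat


def negotiate_encapsulation(nat_detected: bool, protocol: str, mode: str) -> str:
    """Phase 2 outcome: UDP-encapsulated tunnel mode for ESP when a NAT was found.
    For AH, or for transport mode, NAT-T is silently ignored and the plain mode is kept."""
    if nat_detected and protocol == "ESP" and mode == "tunnel":
        return "UDP-Encapsulated-Tunnel"
    return mode


def simulate_handshake(initiator_ip, responder_ip, nat_public=None, protocol="ESP", mode="tunnel"):
    """Run NAT-D in both directions. nat_public=(ip, port) models a NAT in front of the
    initiator that rewrites its source; the responder is assumed to be directly reachable."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed sample cookies
    cky_r = bytes.fromhex("fedcba9876543210")
    src_ip, src_port = nat_public if nat_public else (initiator_ip, IKE_PORT)

    # Initiator -> responder. The initiator only knows its own (possibly private) address.
    to_responder = build_nat_d_payloads(cky_i, cky_r, responder_ip, IKE_PORT, [initiator_ip], IKE_PORT)
    resp_behind, init_behind = detect_nat(cky_i, cky_r, to_responder,
                                          responder_ip, IKE_PORT, src_ip, src_port)

    # Responder -> initiator. The responder addresses whatever source it saw; the NAT maps
    # the reply back to the initiator, whose view of itself is still the private address.
    to_initiator = build_nat_d_payloads(cky_i, cky_r, src_ip, src_port, [responder_ip], IKE_PORT)
    init_behind2, resp_behind2 = detect_nat(cky_i, cky_r, to_initiator,
                                            initiator_ip, IKE_PORT, responder_ip, IKE_PORT)

    nat_detected = resp_behind or init_behind or init_behind2 or resp_behind2
    # Keepalives (not modelled here) keep the NAT mapping alive for the tunnel's lifetime.
    return {
        "initiator_behind_nat": init_behind or init_behind2,
        "responder_behind_nat": resp_behind or resp_behind2,
        "ike_port": NAT_T_PORT if nat_detected else IKE_PORT,
        "encapsulation": negotiate_encapsulation(nat_detected, protocol, mode),
    }


if __name__ == "__main__":
    print(simulate_handshake("10.0.0.5", "198.51.100.1", nat_public=("203.0.113.7", 61000)))
    print(simulate_handshake("192.0.2.10", "198.51.100.1"))
```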
Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is displayed.
4 Select the Authentication tab.

Fields and buttons
This tab has the following fields and buttons:
• Pre-shared Keys — Use the field in this area to determine whether pre-shared keys can be used as an authentication method for IKE phase 1 negotiations.
  • Allow authentication using preshared secrets — Determines whether pre-shared keys can be used as an authentication method for IKE phase 1 negotiations. By default, pre-shared keys are not allowed.
• Certificates — Use the fields in this area to determine whether certificates can be used as an authentication method. The following fields are available:
  • Allow authentication using certificates — Determines whether certificates can be used as an authentication method for IKE phase 1 negotiations. If the peer is a managed firewall, a firewall certificate is required; in that case, the Certificate to present list includes all of the certificates that are installed on the associated firewall. Select the certificate to use. For remote clients (for example, a Road Warrior when the Firewall type is <None>, or an unmanaged gateway), you can select <None> or a remote certificate. When certificates are used as an authentication method, the certificates of the firewall and peer are exchanged, and the identity of each is verified. In addition to initial verification, constraints can be defined that must also be satisfied to begin IKE negotiations. The type of constraint is defined on the Authentication page of the VPN Community window.
• Gateway Local Identity — Specify the identifiers that the gateway presents to the remote peer. Ensure that the identifying information matches the information that the peer is expecting.
  The following options are available in the Present identity as field:
  • Use gateway IP address as identity
  • Distinguished Name
  • Email
  • Domain Name
  • IP address
VPN Peer window: Road Warrior Identities tab

Use the Road Warrior Identities tab of the VPN Peer window to specify the identification information to be provided by the remote peer.
Note: This tab is available only if you have selected Road warrior as the Peer Type value at the top of the main window.
To delete an entry, select the first column of the entry to be deleted and then press Delete.

Figure 210 VPN Peer window: Road Warrior Identities tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Peers node or right-click it and select Add Object. The VPN Peer window is displayed.
4 Select the Road Warrior Identities tab.

Fields and buttons
This tab has the following fields and buttons:
• Type — Specify the type of identification that this peer must provide to successfully authenticate and connect to the VPN. The following options are available:
  • Distinguished Name
  • Email
  • Domain Name
  • IP address
• Identity — Specify a value to identify this peer.
Building Star, Mesh, and remote access VPN communities

Use the VPN Community General page to build Star, Mesh, and Remote Access VPN communities of previously defined VPN peers. For more information, see VPN on page 471.

Figure 211 VPN Community window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.

Buttons
This window has the following buttons:
• OK — Save the changes made to all of the tabs on this window.
• Cancel — Close this window without saving any changes.
• Analyze — Analyze the community components and then display the analysis results on the Analysis Results tab. Review these results to see whether you need to modify your current community configuration or whether there are any notes on the current configuration. You are automatically prompted to analyze your VPN community before saving it.

Tabs
This window has the following tabs:
• General — Specify the type of community (Network Topology) and the participating gateways, or the gateway and remote host. For more information, see VPN Community window: General tab on page 492.
• Authentication — Specify the authentication parameters. For more information, see VPN Community window: Authentication tab on page 493.
• Cryptography — Specify cryptographic properties, such as IKE version and mode; preferred encryption algorithm, hash, and Diffie-Hellman configurations; and Security Association lifetimes. For more information, see VPN Community window: Cryptography tab on page 494.
VPN Community window: General tab

Use the General tab on the VPN Community window to build Star, Mesh, and Remote Access VPN communities of previously defined VPN peers. VPN communities are also created as a result of running the VPN Wizard. After a VPN community is created, you must create rules to manage the traffic sent between the specified protected endpoints. To view the fields on this tab, see Figure 211 on page 491.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Make sure that the General tab is selected.

Fields and buttons
This tab has the following fields and buttons:
• Name — Specify a user-defined name for the VPN Community object being created.
• Description — Provide a user-defined description of the purpose of the VPN Community object being created.
• Community Type — Specify the type of community that is being defined. The following values are available:
  • Mesh — Configure a mesh community. A Mesh community is a type of gateway-to-gateway VPN community in which a secure channel is defined between all participating gateways.
  • Star — Configure a star community. A Star community is a type of gateway-to-gateway VPN in which a secure channel is defined between the central gateway and each satellite gateway. Secure channels are NOT defined between satellite gateways.
  • Central Gateway — [Available only if Star is selected as the value of the Community Type field] Select the hub of the star community from the list, which contains all of the firewall VPN peer objects that have been previously defined by using the VPN Peers window.
  • Remote Access — Define a gateway-to-host community. This option is used to support road warrior peer types. A remote access community is a host-to-gateway VPN community.
  • Remote Peer — [Available only if Remote Access is selected as the value of the Community Type field] Select the remote host VPN peer object from the list, which contains all of the remote host VPN Peer objects that have been previously defined by using the VPN Peers window.
• Participating Gateways — Select the gateways that will participate in this VPN Community object. This list includes all of the previously defined gateways that have been configured in the Control Center.
VPN Community window: Authentication tab

Use the Authentication tab of the VPN Community window to configure the way that the VPN peers authenticate each other.

Figure 212 VPN Community window: Authentication tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Authentication tab.

Fields and buttons
This tab has the following fields and buttons:
• Certificates — Use the fields in this area to specify information about the certificates that will be used for authentication.
  • Support Certificates — Determines whether certificates are used as the authentication method for IKE Phase 1 negotiations. When certificates are used as an authentication method, the certificates of the firewall and peer are exchanged to verify each side's identity. In addition to initial verification, constraints that must also be satisfied to begin IKE negotiations can be placed on the peer's certificate. By default, this checkbox is cleared, indicating that certificates are not supported for this VPN community.
  • CA Signed Certificates — Determines whether the certificates that are used are CA-signed certificates. Select the CA certificates that are valid in the Trusted CA Certificates area, which lists all of the CA certificates that have been imported into the registered firewalls. Select the checkbox associated with each certificate from the certification authorities (CAs) that are trusted as issuers of the peer's certificate. If the peer's certificate has been issued by a CA whose certificate is selected, then the peer's certificate is accepted as authentic (pending checks against any client identifiers).
    If the issuer of the peer's certificate is not found among the selected CA certificates, then the peer's certificate is rejected.
    Note: To view a list of the CA certificates stored in the firewall Management Server, expand the CA Certificates node in the Policy tree. To view a certificate, double-click it in the tree.
  • Single Certificate — If the community includes a firewall, you can choose to use a single firewall certificate instead of CA certificates.
• Use Extended Authentication (XAuth) — [Available only when a Remote Access community object is being defined] Indicates that extended authentication can be used for remote client authentication. If one or more gateways have been defined for the remote access community, XAuth authentication is applied between the client and the associated gateway only if that gateway has a VPN Client Configuration object defined in its VPN Peer object definition.
• Pre-Shared Keys — Use the fields in this area to determine whether pre-shared keys are to be used for authentication. The following fields are available:
  • Use A-B Keys — Determines whether A-B pre-shared keys are used as an authentication method for IKE phase 1 negotiations. The first portion of the A-B key (A Key) is specified in the Pre-shared Key field by the first user. The second portion (B Key) is specified by having a second user log in and navigate to this object to enter the second key. Until the second key has been specified and the change has been applied to each managed firewall in the community, a warning message is displayed for the object to indicate that the A-B key pair is not complete.
  • Pre-Shared Key — The key can be a maximum of 128 ASCII characters or 256 hexadecimal characters, excluding the 0x prefix. It must be at least eight characters long and can consist of any valid characters. If hexadecimal representation is used, remember that an eight-bit value is represented by two hexadecimal characters. You are required to confirm this key after you analyze the configuration and select OK. If the Use A-B Keys checkbox has been selected, this is the field that is used to specify the respective keys; the B key is specified by having another user log in and add the B key portion in this field.
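A check of the Pre-Shared Key field rules stated above (at least eight characters; at most 128 ASCII characters or 256 hexadecimal characters after the 0x prefix, two hexadecimal characters per byte), as an added Python example rather than product code. It assumes that a key is treated as hexadecimal only when it carries the 0x prefix; the sample keys are constructed.

```python
"""Validation of a pre-shared key as the guide's Pre-Shared Key field describes it.

Added example, not Control Center code. Assumption: a key is hexadecimal only when it
starts with 0x; anything else is treated as an ASCII key.
"""
MIN_CHARS = 8           # "must be at least eight characters long"
MAX_ASCII_CHARS = 128   # ASCII form: one byte per character
MAX_HEX_CHARS = 256     # hexadecimal form, not counting 0x: two characters per byte

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_pre_shared_key(value: str) -> bytes:
    """Return the raw key bytes, or raise ValueError naming the violated rule."""
    if value[:2].lower() == "0x":
        digits = value[2:]
        if not digits or not set(digits) <= HEX_DIGITS:
            raise ValueError("hexadecimal key may contain only 0-9 and a-f after 0x")
        if len(digits) < MIN_CHARS:
            raise ValueError(f"key must be at least {MIN_CHARS} characters long")
        if len(digits) > MAX_HEX_CHARS:
            raise ValueError(f"hexadecimal key may not exceed {MAX_HEX_CHARS} characters")
        if len(digits) % 2:
            raise ValueError("each eight-bit value needs two hexadecimal characters")
        return bytes.fromhex(digits)
    if not value.isascii() or not value.isprintable():
        raise ValueError("ASCII key must consist of printable ASCII characters")
    if len(value) < MIN_CHARS:
        raise ValueError(f"key must be at least {MIN_CHARS} characters long")
    if len(value) > MAX_ASCII_CHARS:
        raise ValueError(f"ASCII key may not exceed {MAX_ASCII_CHARS} characters")
    return value.encode("ascii")


def keys_match(entered: str, confirmation: str) -> bool:
    """The confirmation step: both entries must decode to the same bytes. In this example an
    ASCII key and its hexadecimal spelling therefore count as the same key."""
    try:
        return parse_pre_shared_key(entered) == parse_pre_shared_key(confirmation)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample keys: two valid ones, then one too short and one too long.
    for sample in ("correct horse battery", "0x" + "ab" * 8, "short", "0x" + "f" * 257):
        try:
            print(f"{sample!r}: {len(parse_pre_shared_key(sample))} key bytes")
        except ValueError as err:
            print(f"{sample!r}: rejected ({err})")
```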
VPN Community window: Cryptography tab

Use the Cryptography tab of the VPN Community window to define and manage the allowed cryptographic settings for this VPN Community.

Figure 213 VPN Community window: Cryptography tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Cryptography tab.
Tabs
This tab has the following tabs:
• General — Specify the IKE version and mode. You also determine whether the Phase 1 and Phase 2 cryptographic properties are to be configured identically or individually. For more information, see VPN Community window: Cryptography General tab on page 495.
• Cryptographic Properties — Configure the encryption, hash, and Diffie-Hellman Group settings. You can also enable perfect forward secrecy on this page. For more information, see VPN Community window: Cryptography Cryptographic Properties tab on page 499.
• Phase 1 Properties — [Available only if you select the Configure Phase 1 and Phase 2 Cryptographic Properties Individually option on the General tab] Specify the IPsec cryptographic properties to use during the phase 1 key exchange. For more information, see VPN Community window: Cryptography Phase 1 Properties tab on page 496.
• Phase 2 Properties — [Available only if you select the Configure Phase 1 and Phase 2 Cryptographic Properties Individually option on the General tab] Specify the IPsec cryptographic properties to use during the phase 2 key exchange. For more information, see VPN Community window: Cryptography Phase 2 Properties tab on page 498.
• SA Lifetimes — Configure the Phase 1 and Phase 2 lifetime settings. For more information, see VPN Community window: Cryptography SA Lifetimes tab on page 501.

VPN Community window: Cryptography General tab

Use the Cryptography General tab of the VPN Community window to set the Internet Key Exchange (IKE) version and mode, and to determine whether phase 1 and phase 2 are to be configured identically or individually. To view the fields on this tab, see Figure 213 on page 494.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Cryptography tab.
5 Make sure that the General tab is displayed.
Fields and buttons
This tab has the following fields and buttons:
• IKE Version — Specify the IKE version to use. Options are IKE v1 and IKE v2. Here are some characteristics of each version:
  • IKEv2 is simpler, more robust, and more reliable. However, not many products currently support the newer IKEv2. Check your product documentation.
  • IKEv1 is not compatible with IKEv2. Both sides of a VPN connection must use the same version of IKE.
  • When using IKEv2, each side of a VPN connection can use a different authentication method. With IKEv1, both sides must agree on an authentication method.
  • In IKEv2, extended authentication (XAUTH) can be used as a standalone authentication method. In IKEv1, extended authentication must be used in conjunction with password/certificate authentication.
• IKE Mode — [Available only if you are using IKE v1] Specify the mode to be used for key exchange. The following values are available:
  • Main — This mode has three exchanges between the initiator and the receiver. It is slower, but secure. It cannot be used with dynamic IP clients with password authentication.
• Aggressive — This mode has three messages between the initiator and the responder. It is faster than Main mode, but it is less secure: the identities are sent in the clear, and with pre-shared key authentication the responder's authentication hash can be captured and used to guess the key offline. If you must use Aggressive mode, use certificates or a long, random pre-shared key.
• Configure Identical Phase 1 and Phase 2 Cryptographic Properties — Select this option to specify one set of cryptographic properties to be used by both the phase 1 and phase 2 key exchanges. If your security policy requires Perfect Forward Secrecy and you select this option, you enable PFS on the Cryptographic Properties page. If you select the Use Perfect Forward Secrecy option, PFS uses the settings in the DH Groups area.
• Configure Phase 1 and Phase 2 Cryptographic Properties Individually — Select this option to configure separate properties for the phase 1 and phase 2 key exchanges. If your security policy requires Perfect Forward Secrecy and you select this option, you enable PFS by specifying a PFS group other than None on the Phase 2 Properties page.

VPN Community window: Cryptography Phase 1 Properties tab
Use the Cryptography Phase 1 tab of the VPN Community window to define the cryptographic properties to use during the phase 1 key exchange. These properties must match the cryptographic properties configured on the remote peer.
Note: This tab is available only if you selected the Configure Phase 1 and Phase 2 Cryptographic Properties Individually option on the General tab.
Figure 214 VPN Community window: Cryptography tab: Phase 1 Properties tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Cryptography tab.
5 In the General tab, make sure that you have selected Configure Phase 1 and Phase 2 Cryptographic Properties Individually.
6 Select the Phase 1 Properties tab.
Fields and buttons
This tab has the following fields and buttons:
• Encryption — Specify the type of encryption that you and the remote peer have chosen to use to protect IKE phase 1 traffic. The following values are available:
• aes256 — Indicates the Advanced Encryption Standard using a 256-bit key.
• aes192 — Indicates the Advanced Encryption Standard using a 192-bit key.
• aes128 — Indicates the Advanced Encryption Standard using a 128-bit key. This is the default value.
• 3des — Indicates Triple DES. It applies DES three times with a 168-bit key (three 56-bit keys); its effective strength against meet-in-the-middle attacks is about 112 bits.
• des — Indicates the Data Encryption Standard. It uses a 56-bit key, which can be recovered by exhaustive search; do not accept it outside test environments.
• Preferred — Specify the preferred encryption algorithm to receive from the remote peer.
• Alternates — [Optional] Select one or more alternative algorithms that will be accepted when received from the remote peer. The peer can negotiate down to the weakest alternate you list, so include only algorithms your policy allows.
• Hash — Specify the algorithm that will be used to authenticate IKE phase 1 traffic. The list contains the available hash algorithms. The following values are available:
• md5 — Indicates a Hash Message Authentication Code (HMAC) that uses the MD5 hash algorithm. MD5 is deprecated; prefer sha1 where the peer supports it.
• sha1 — Indicates an HMAC that uses the SHA1 hash algorithm. This is the default value.
• Preferred — Specify the preferred hash algorithm to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when received from the remote peer.
• DH Groups — Specify the Diffie-Hellman group, which determines the size of the prime modulus used during the key exchange. The list contains the available Diffie-Hellman groups. The following values are available:
• 1 — 768-bit modulus (MODP group 1)
• 2 — 1024-bit modulus (MODP group 2). This is the default value.
• 5 — 1536-bit modulus (MODP group 5)
• None — No Diffie-Hellman group (length 0).
• Preferred — Specify the preferred DH group to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative groups that will be accepted when received from the remote peer.
• PRF — Specify the pseudo-random function (PRF) algorithm to use during Phase 1 (IKEv2 only). The following values are available:
• sha1 — Indicates an HMAC that uses the SHA1 hash algorithm. This is the default value.
• md5 — Indicates an HMAC that uses the MD5 hash algorithm.
• Preferred — Specify the preferred PRF algorithm to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when received from the remote peer.
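The Preferred and Alternates settings above, together with the requirement that both peers match, can be exercised offline before a community is pushed to the firewalls. The following Python is an added example for this guide, not Control Center code: it models one peer's Phase 1 Properties as a preferred value plus alternates, negotiates the transform two such peers would agree on (assumption: the initiator's most preferred value that the responder also accepts wins, and the IKE version must match), and lints every value a peer could fall back to. The class names, the policy thresholds and the strength figures are the example's own.

```python
"""Added example, not code from the McAfee guide: simulate how a peer's
Preferred and Alternates settings on the Phase 1 Properties tab combine during
negotiation, then lint the result for weak choices. The class names, the
negotiation order (the initiator's preference wins among values the responder
accepts) and the policy thresholds are this example's own assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

# Strength figures used by the lint (standard values, not product settings):
# DES has a 56-bit key; 3DES has a 168-bit key but ~112-bit effective strength
# against meet-in-the-middle; MODP groups 1/2/5 are 768/1024/1536-bit moduli.
ENC_BITS = {"aes256": 256, "aes192": 192, "aes128": 128, "3des": 112, "des": 56}
DH_BITS = {"5": 1536, "2": 1024, "1": 768}
DEPRECATED_HASH = {"md5"}


@dataclass
class Attribute:
    """One tab row: the preferred value plus optional alternates."""
    preferred: str
    alternates: List[str] = field(default_factory=list)

    def offered(self) -> List[str]:
        # Everything this side will accept, most preferred first.
        return [self.preferred] + [a for a in self.alternates if a != self.preferred]


@dataclass
class Phase1Config:
    ike_version: str            # "IKEv1" or "IKEv2"; both peers must match
    encryption: Attribute
    hash_alg: Attribute
    dh_group: Attribute
    ike_mode: str = "Main"      # IKEv1 only: "Main" or "Aggressive"
    auth: str = "psk"           # "psk" or "cert"


def negotiate(initiator: Phase1Config, responder: Phase1Config) -> Dict[str, str]:
    """Pick, per attribute, the initiator's most preferred value that the
    responder also accepts. Raises ValueError when no transform is shared."""
    if initiator.ike_version != responder.ike_version:
        raise ValueError("IKE version mismatch: both peers must use the same version")
    chosen = {"ike_version": initiator.ike_version}
    for name in ("encryption", "hash_alg", "dh_group"):
        offered = getattr(initiator, name).offered()
        accepted = set(getattr(responder, name).offered())
        match = next((v for v in offered if v in accepted), None)
        if match is None:
            raise ValueError(f"no common {name}: {offered} vs {sorted(accepted)}")
        chosen[name] = match
    return chosen


def lint(cfg: Phase1Config, min_enc_bits: int = 128, min_dh_bits: int = 2048) -> List[str]:
    """Warn about every value the peer could end up using, alternates included:
    a strong Preferred setting does not help if a weak alternate is accepted."""
    warnings = []
    for e in cfg.encryption.offered():
        if ENC_BITS.get(e, 0) < min_enc_bits:
            warnings.append(f"encryption {e}: {ENC_BITS.get(e, 0)}-bit strength < {min_enc_bits}")
    for h in cfg.hash_alg.offered():
        if h in DEPRECATED_HASH:
            warnings.append(f"hash {h}: deprecated, prefer sha1")
    for g in cfg.dh_group.offered():
        if DH_BITS.get(g, 0) < min_dh_bits:
            warnings.append(f"dh group {g}: {DH_BITS.get(g, 0)}-bit modulus < {min_dh_bits}")
    if cfg.ike_version == "IKEv1" and cfg.ike_mode == "Aggressive" and cfg.auth == "psk":
        warnings.append("IKEv1 aggressive mode with a pre-shared key exposes the key to offline guessing")
    return warnings


if __name__ == "__main__":
    hq = Phase1Config("IKEv1", Attribute("aes256", ["aes128"]), Attribute("sha1"),
                      Attribute("2", ["5"]))
    branch = Phase1Config("IKEv1", Attribute("aes128", ["aes256", "3des"]),
                          Attribute("md5", ["sha1"]), Attribute("5", ["2"]),
                          ike_mode="Aggressive")
    print(negotiate(hq, branch))
    for w in lint(branch):
        print("WARN", w)
```

With the default 2048-bit threshold the lint flags every group the tab offers, because groups 1, 2 and 5 are 768, 1024 and 1536 bits; lower min_dh_bits to match your policy if a peer can only do one of those.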
VPN Community window: Cryptography Phase 2 Properties tab
Use the Cryptography Phase 2 tab of the VPN Community window to define the IPsec cryptographic properties to use during the phase 2 key exchange. These properties must match the cryptographic properties configured on the remote peer.
Note: This tab is available only if you selected Configure Phase 1 and Phase 2 Cryptographic Properties Individually on the General tab.
Figure 215 VPN Community window: Cryptography tab: Phase 2 Properties tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Cryptography tab.
5 In the General tab, make sure that you have selected Configure Phase 1 and Phase 2 Cryptographic Properties Individually.
6 Select the Phase 2 Properties tab.

Fields and buttons
This tab has the following fields and buttons:
• Encryption — Specify the type of encryption that you and the remote peer have chosen to use to protect IKE phase 2 (IPsec) traffic. The following values are available:
• aes256 — Indicates the Advanced Encryption Standard using a 256-bit key.
• aes192 — Indicates the Advanced Encryption Standard using a 192-bit key.
• aes128 — Indicates the Advanced Encryption Standard using a 128-bit key. This is the default value.
• 3des — Indicates Triple DES. It applies DES three times with a 168-bit key (three 56-bit keys); its effective strength against meet-in-the-middle attacks is about 112 bits.
• des — Indicates the Data Encryption Standard. It uses a 56-bit key, which can be recovered by exhaustive search; do not accept it outside test environments.
• none — Contains an encryption header but does not specify an encryption algorithm, so the traffic is authenticated but readable on the wire. It is generally only used during testing.
Note: This option applies only to phase 2 traffic. If None is selected, an algorithm is negotiated by the VPN peers for phase 1 traffic; md5 is the preferred algorithm and sha1 is the fallback.
• Preferred — Specify the preferred encryption algorithm to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when received from the remote peer. The peer can negotiate down to the weakest alternate you list.
• Hash — Specify the algorithm used to authenticate IKE phase 2 traffic. The list contains the available hash algorithms. The following values are available:
• md5 — Indicates a Hash Message Authentication Code (HMAC) that uses the MD5 hash algorithm. MD5 is deprecated; prefer sha1 where the peer supports it.
• sha1 — Indicates an HMAC that uses the SHA1 hash algorithm. This is the default value.
• Preferred — Specify the preferred hash algorithm to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when received from the remote peer.
• PFS Group — [Available only if the PFS option is enabled] Specify the Diffie-Hellman group to use for the PFS derivation of IPsec keys. (This corresponds to the PFS Oakley group in the firewall VPN definition area.) The following values are available:
• 1 — 768-bit modulus (MODP group 1)
• 2 — 1024-bit modulus (MODP group 2). This is the default value.
• 5 — 1536-bit modulus (MODP group 5)
• None — No PFS group (length 0): no fresh Diffie-Hellman exchange is performed for phase 2, so the IPsec keys are derived from the phase 1 keys alone.

VPN Community window: Cryptography Cryptographic Properties tab
Use the Cryptographic Properties tab of the VPN Community window to define the cryptographic properties shared by phase 1 and phase 2. These properties must match the cryptographic properties configured on the remote peer.
Note: This tab is available only if you selected Configure Identical Phase 1 and Phase 2 Cryptographic Properties on the General tab.
Figure 216 VPN Community window: Cryptography tab: Cryptographic Properties tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Cryptography tab.
5 In the General tab, make sure that you have selected Configure Identical Phase 1 and Phase 2 Cryptographic Properties.
6 Select the Cryptographic Properties tab.
Fields and buttons
This tab has the following fields and buttons:
• Encryption — Specify the type of encryption that you and the remote peer have chosen to use to protect IKE phase 1 and phase 2 (IPsec) traffic. The following values are available:
• aes256 — Indicates the Advanced Encryption Standard using a 256-bit key.
• aes192 — Indicates the Advanced Encryption Standard using a 192-bit key.
• aes128 — Indicates the Advanced Encryption Standard using a 128-bit key. This is the default value.
• 3des — Indicates Triple DES. It applies DES three times with a 168-bit key (three 56-bit keys); its effective strength against meet-in-the-middle attacks is about 112 bits.
• des — Indicates the Data Encryption Standard. It uses a 56-bit key, which can be recovered by exhaustive search; do not accept it outside test environments.
• none — Contains an encryption header but does not specify an encryption algorithm, so the traffic is authenticated but readable on the wire. It is generally only used during testing.
• Preferred — Specify the preferred encryption algorithm to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when received from the remote peer. The peer can negotiate down to the weakest alternate you list.
• Hash — Specify the algorithm that will be used to authenticate IKE phase 1 and phase 2 traffic. The list contains the available hash algorithms. The following values are available:
• sha1 — Indicates a Hash Message Authentication Code (HMAC) that uses the SHA1 hash algorithm. This is the default value.
• md5 — Indicates an HMAC that uses the MD5 hash algorithm. MD5 is deprecated; prefer sha1 where the peer supports it.
• Preferred — Specify the preferred hash algorithm to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when received from the remote peer.
• DH Groups — Specify the Diffie-Hellman group, which determines the size of the prime modulus used during the key exchange. The list contains the available Diffie-Hellman groups. The following values are available:
• 1 — 768-bit modulus (MODP group 1)
• 2 — 1024-bit modulus (MODP group 2). This is the default value.
• 5 — 1536-bit modulus (MODP group 5)
• None — No Diffie-Hellman group (length 0).
• Preferred — Specify the preferred DH group to receive from the remote peer.
• Alternates — [Optional] Specify another group that will be accepted when received from the remote peer.
• PRF — Specify the pseudo-random function (PRF) algorithm to use during Phase 1 (IKEv2 only). The following values are available:
• sha1 — Indicates an HMAC that uses the SHA1 hash algorithm. This is the default value.
• md5 — Indicates an HMAC that uses the MD5 hash algorithm.
• Preferred — Specify the preferred PRF algorithm to receive from the remote peer.
• Alternates — [Optional] Specify one or more alternative algorithms that will be accepted when received from the remote peer.
• Use Perfect Forward Secrecy — Determines whether the key material associated with each IPsec security association can be derived from the key material established during the ISAKMP (phase 1) negotiation. If this checkbox is selected, each IPsec SA takes its keys from a fresh Diffie-Hellman exchange in the selected DH group, so they cannot be derived from the phase 1 key material.
When establishing a VPN tunnel, it is possible to re-use existing keying material. This makes the creation of new keys more efficient, but it also creates a mathematical relationship between new keys and existing keys. If any of the existing keys have been compromised, the new keys can be compromised as well. For some applications, it is important to ensure that a tunnel's keys have no relationship to any other keys. A tunnel operating under these conditions is said to have Perfect Forward Secrecy.
The firewall's VPN feature can be configured to have perfect forward secrecy at the IKE phase 1 level. In this case, the IKE SA is deleted after the IPsec SA is created, so no later IPsec SA can be derived from it. The firewall's VPN feature can also be configured to have perfect forward secrecy at the IKE phase 2 level. In this case, new keying material from a new Diffie-Hellman exchange is generated each time a new IPsec SA is needed. If your VPN will be passing applications that require PFS, select this option.

VPN Community window: Cryptography SA Lifetimes tab
Use the Cryptography SA Lifetimes tab of the VPN Community window to indicate how often the system must negotiate new IPsec keys and how much traffic it can encrypt with one set of keys. To begin negotiating new keys in advance of the lifetime limits, configure a soft percentage on the Advanced Options tab.
Figure 217 VPN Community window: Cryptography tab: SA Lifetimes tab

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Cryptography tab.
5 Select the SA Lifetimes tab.

Fields and buttons
This tab has the following fields and buttons:
• Phase 1 Lifetimes — Specify the Phase 1 SA lifetime (in seconds and KB) before the firewall must negotiate new IKE keys. To leave a value unspecified, select Unspecified in the appropriate checkbox.
• Security Association Lifetime (sec) — Specify the length of time that the firewall waits before requiring new phase 1 IKE keys. The default is 3600 seconds (one hour).
• Security Association Lifetime (KB) — Specify the amount of traffic that can be encrypted before the firewall requires new phase 1 IKE keys. The default is to leave this value unspecified, which means there is no limit.
• Phase 2 Lifetimes — Specify the Phase 2 SA lifetime (in seconds and KB) before the firewall must negotiate new IPsec keys. To leave a value unspecified, select Unspecified in the appropriate checkbox.
• Security Association Lifetime (sec) — Specify the length of time that the firewall waits before requiring new phase 2 IPsec keys. The default is 700 seconds.
• Security Association Lifetime (KB) — Specify the amount of traffic that can be encrypted before the firewall requires new phase 2 IPsec keys. The default is to leave this value unspecified, which means there is no limit. A KB limit is the only way to bound how much data one key protects on a high-volume link, because the seconds limit does not depend on traffic.

VPN Community window: Cryptography Advanced Options tab
Use the Cryptography Advanced Options tab of the VPN Community window to configure the more advanced points of a VPN community. This page only appears when one of the peers in the community is a firewall.
• As a general rule, only administrators who are VPN experts should modify the information on this tab.
• The information on this tab is used only with automatic key exchange.

Accessing this tab
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Communities node or right-click it and select Add Object. The VPN Community window is displayed.
4 Select the Cryptography tab.
5 Select the Advanced Options tab.

Fields and buttons
This tab has the following fields and buttons:
• Force Rekeying — Determines whether the firewall forces the connection to rekey when the Security Association (SA) lifetime limits are reached, even if no traffic has passed through the VPN since the last rekey. Set the SA lifetime values on the Cryptography SA Lifetimes tab.
Caution: Do not select the Forced Rekey option if you have High Availability/Load Sharing configured and are using static IP addresses for your VPNs. Doing so will cause both of the firewalls in the cluster to attempt to instantiate the VPN at the same time, resulting in failure.
• Phase 1 Soft (%) — Indicates how far in advance of the hard limit to begin negotiating new Phase 1 keys, as a percentage of the lifetime. This makes sure you have new keys on hand by the time the hard limit expires. The default is 85%.
• Phase 2 Soft (%) — Indicates how far in advance of the hard limit to begin negotiating new Phase 2 keys, as a percentage of the lifetime. This makes sure you have new keys on hand by the time the hard limit expires. The default is 85%.
• Encrypt Final Aggressive Mode Packet — Determines whether the firewall encrypts the final aggressive mode packet in the exchange for aggressive mode IKEv1 exchanges. Select this checkbox if you are experiencing interoperability issues with your VPN peer using aggressive mode. By default, this checkbox is cleared, indicating the final aggressive mode packet is not encrypted.
• Enable Extended Sequence Numbers — Determines whether the IPsec sequence number is a 64-bit extended sequence number (ESN) instead of a 32-bit number. An SA must be replaced before its sequence counter wraps, so on an extremely heavy-traffic VPN a 32-bit counter (about 4.3 billion packets) can run out before the configured lifetime; with ESN both peers track the high 32 bits while only the low 32 bits are transmitted. Both peers must support ESN. By default, this checkbox is cleared, indicating that the sequence numbers are 32-bit numbers.
• Relax Strict Identity Matching — Determines whether the identity matching restrictions are relaxed. If you are experiencing issues associated with identity processing with the remote VPN peer, selecting this checkbox can improve interoperability, but it decreases security because the peer's asserted identity is checked less strictly. By default, this checkbox is cleared, indicating that identity processing occurs at the standard level.
• Encapsulation — Specify the way that the packets in the VPN are encrypted. The following values are available:
• Tunnel — The more common form of VPN encapsulation. The whole original packet, including its source and destination IP addresses, is encrypted inside a new outer packet. This is the default.
• Transport — Transport mode encrypts the payload only; the original source and destination IP addresses are not concealed.

Adding a VPN community
Use the VPN Community window in the Configuration Tool to add a VPN community object.
Note: Prior to adding a VPN community, ensure that the necessary VPN peer, host, and network objects have been created.

To add a VPN community:
1 Select VPN in the Object Configuration area of the Configuration Tool.
2 Double-click VPN Communities to open the VPN Community window. You can also right-click and select Add Object from the menu.

To complete the General tab:
1 Click the General tab.
2 In the Name field, specify a unique, user-defined name for the VPN community object that is being created.
3 [Optional] In the Description field, specify a user-defined description of the purpose of the VPN community object being created.
4 Select the Community Type value from the list:
• If you select Mesh:
a Select the associated checkbox for two or more participating gateways.
b Continue with the To complete the Authentication tab: section.
• If you select Star:
a Select a central gateway from the list to be used as the center of the star network topology.
b Select the associated checkbox for one or more participating gateways.
c Continue with the To complete the Authentication tab: section.
• If you select Remote Access:
a Select one of the remote peers from the list.
b Select the associated checkbox for one or more participating gateways.
c Continue with the To complete the Authentication tab: section.
To complete the Authentication tab:
Use the Authentication tab to set the allowed authentication method for this VPN community. You can configure the community to use pre-shared keys or certificates, or both.
1 Select the Support Certificates checkbox to use certificates as the authentication method for IKE phase 1 negotiations. When certificates are used as an authentication method, the certificates of the firewall and peer are exchanged, and the identity of each is verified. In addition to initial verification, constraints that must also be satisfied in order to begin IKE negotiations can be put on the peer's certificate.
2 In the Trusted CA Certificates area, select the certificates from the certification authorities (CAs) that are trusted as issuers of the peer's certificate. This field contains all of the CA certificates that have been imported into the firewalls. If the peer's certificate has been issued by a CA whose certificate is selected, the peer's certificate is accepted as authentic. If the issuer of the peer's certificate is not found among the selected CA certificates, the peer's certificate is rejected. Select only the CAs that actually issue your peers' certificates; every selected CA can vouch for any peer identity.
3 Use the Pre-Shared Key field to specify the key that has been shared between the firewall and the peer. The key can be a maximum of 128 ASCII characters or 256 hexadecimal characters, excluding the 0x. It must be at least eight characters long and can consist of any valid characters. If hexadecimal representation is used, remember that an eight-bit value is represented by two hexadecimal characters. Choose a long random key rather than a passphrase: with IKEv1 Aggressive mode a short or guessable pre-shared key can be recovered offline from a captured exchange. You are required to confirm this key after you analyze the configuration and click OK.
4 Select the Use A-B Keys checkbox to use A-B pre-shared keys as an authentication method for IKE phase 1 negotiations. If the Use A-B Keys checkbox is selected, use the Pre-Shared Key field to specify the respective keys. The first portion of the A-B key (A Key) is entered in the Pre-shared Key field by the first administrator. The second portion of the A-B key (B Key) is entered by having a second administrator log in and specify the second key in this field, so no single administrator knows the whole key. Until the second key has been specified and the change has been applied to each managed firewall in the community, a warning message is displayed for the object to indicate that the A-B key pair is not complete.
5 Continue with the To complete the Cryptography tab: section.

To complete the Cryptography tab:
Use the Cryptography tab of the VPN Community window to configure the key exchange properties that will be used for the VPN community.
1 Select the IKE version. Available values are IKEv1 and IKEv2.
2 Select the mode used to establish an IKE phase 1 tunnel. In Main mode (the default), six messages must be exchanged to establish the phase 1 tunnel. In Aggressive mode only three messages are exchanged. Aggressive mode establishes the phase 1 tunnel faster, but Main mode protects the peers' identities and provides greater protection against denial of service attacks.
3 Determine whether you want to use the same or distinct cryptographic properties for phase 1 and phase 2 key exchange by selecting one of the following values:
• To configure the same cryptographic properties for both phases, select Configure Identical Phase 1 and Phase 2 Cryptographic Properties. Continue with the To complete the Cryptographic Properties tab: section.
• To configure different cryptographic properties for each phase, select Configure Phase 1 and Phase 2 Cryptographic Properties Individually. Continue with the To complete the Phase 1 and Phase 2 Properties tabs: section.
To complete the Cryptographic Properties tab:
1 In the Encryption area, select one preferred type of encryption, and one or more alternative types of encryption, to be used in this VPN community. The following values are available:
• aes256
• aes192
• aes128
• cast128
• 3des
• des
• none
2 In the Hash area, select one preferred type of authentication hash, and one or more alternative hash types, to be used in this VPN community. The following values are available:
• sha1
• md5
• none
3 In the DH Groups area, select one preferred Diffie-Hellman group, and one or more alternative Diffie-Hellman groups, to be used in this VPN community. The following values are available:
• 5
• 2
• 1
4 Select the Use Perfect Forward Secrecy checkbox to ensure that the key material associated with each IPsec security association cannot be derived from the key material established during the ISAKMP negotiation.
5 Continue with the To complete the SA Lifetimes tab: section.

To complete the Phase 1 and Phase 2 Properties tabs:
1 On the Phase 1 Properties page in the Encryption area, select one preferred type of encryption, and one or more alternative types of encryption, to be used in this VPN community. The following values are available:
• aes256
• aes192
• aes128
• cast128
• 3des
• des
• none
2 In the Hash area, select one preferred type of authentication hash, and one or more alternative hash types, to be used in this VPN community. The following values are available:
• sha1
• md5
• none
3 In the DH Groups area, select one preferred Diffie-Hellman group, and one or more alternative Diffie-Hellman groups, to be used in this VPN community. The following values are available:
• 5
• 2
• 1
4 Select the Use Perfect Forward Secrecy option to ensure that the key material associated with each IPsec security association cannot be derived from the key material established during the ISAKMP negotiation.
5 On the Phase 2 Properties page in the Encryption area, select one preferred type of encryption and one or more alternative types of encryption to be used in this VPN community. The following values are available:
• aes256
• aes192
• aes128
• cast128
• 3des
• des
• none
6 In the Hash area, select one preferred type of authentication hash, and one or more alternative hash types, to be used in this VPN community. The following values are available:
• sha1
• md5
• none
7 In the PFS Group area, if you are configuring IKEv2, select the Diffie-Hellman group to use for the PFS derivation of IPsec keys. This is available only if the PFS option is enabled. (This corresponds to the PFS Oakley group in the Firewall VPN definition area.) The following values are available:
• 1 — 768-bit modulus
• 2 — [Default] 1024-bit modulus
• 5 — 1536-bit modulus
• None — No PFS group (length 0); the IPsec keys are derived from the phase 1 keys alone.
8 Continue with the To complete the SA Lifetimes tab: section.

To complete the SA Lifetimes tab:
1 Select the Phase 1 SA lifetime (in seconds and KB) before the firewall must negotiate new IKE keys. To leave a value unspecified, select Unspecified in the appropriate checkbox.
2 Select the Phase 2 SA lifetime (in seconds and KB) before the firewall must negotiate new IPsec keys. To leave a value unspecified, select Unspecified in the appropriate checkbox.
3 Continue with the To complete the Firewall Options tab: section.
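What the Use Perfect Forward Secrecy option (step 4 above, and the PFS Group of step 7) changes in the phase 2 key derivation can be shown concretely. The following Python is an added example, not code from this guide or from the firewall: it runs a toy IKEv1 Quick Mode between two peers with and without PFS, using the two KEYMAT formulas of RFC 2409 section 5.5, then plays an attacker who later obtains the phase 1 secret SKEYID_d and the captured exchange. The peer and attacker model, all names, and the choice of HMAC-SHA1 as the prf are assumptions of the example; the group 2 prime is reproduced from memory and labelled as such in the code.

```python
"""Added example, not code from the McAfee guide: what the Use Perfect Forward
Secrecy option changes in the phase 2 (Quick Mode) key derivation.

RFC 2409 section 5.5 derives IPsec key material as
  without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
  with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
where g(qm)^xy comes from a fresh Diffie-Hellman exchange in the PFS group.
The toy peers, the attacker model and all names below are this example's own;
only the two formulas are from the RFC."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (Diffie-Hellman group 2, RFC 2409 section 6.2). Typed
# from memory for this example; compare it with the RFC before reusing it.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2
PROTO_ESP = b"\x03"  # IPsec DOI protocol identifier for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1: the prf when the negotiated phase 1 hash is sha1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_keypair():
    x = secrets.randbelow(GROUP2_P - 2) + 1   # private exponent in [1, p-2]
    return x, pow(GROUP2_G, x, GROUP2_P)


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gqm_xy: int = None) -> bytes:
    """First KEYMAT block per RFC 2409 5.5; gqm_xy is present only with PFS."""
    prefix = i2b(gqm_xy) if gqm_xy is not None else b""
    return prf(skeyid_d, prefix + PROTO_ESP + spi + ni + nr)


def quick_mode(pfs: bool):
    """Run one Quick Mode between two peers. Returns the phase 1 secret, the key
    each side derived, and what a passive observer sees on the wire."""
    skeyid_d = secrets.token_bytes(20)   # phase 1 output, shared by both peers
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"spi": spi, "ni": ni, "nr": nr}
    if pfs:
        xi, gi = dh_keypair()
        xr, gr = dh_keypair()
        wire.update({"g_i": gi, "g_r": gr})   # only the public values are sent
        k_i = keymat(skeyid_d, spi, ni, nr, pow(gr, xi, GROUP2_P))
        k_r = keymat(skeyid_d, spi, ni, nr, pow(gi, xr, GROUP2_P))
    else:
        k_i = k_r = keymat(skeyid_d, spi, ni, nr)
    return skeyid_d, k_i, k_r, wire


def attacker_keymat(skeyid_d: bytes, wire: dict) -> bytes:
    """An attacker who later compromises SKEYID_d replays the derivation from the
    captured exchange. Without a private exponent the best input available in
    the PFS case is a public value, which is not g^xy."""
    guess = wire["g_i"] if "g_i" in wire else None
    return keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"], guess)


def demo(pfs: bool):
    """Returns (peers_agree, attacker_recovers_ipsec_keys)."""
    skeyid_d, k_i, k_r, wire = quick_mode(pfs)
    return k_i == k_r, attacker_keymat(skeyid_d, wire) == k_i


if __name__ == "__main__":
    print("without PFS:", demo(False))   # (True, True): SKEYID_d alone yields the IPsec keys
    print("with PFS:   ", demo(True))    # (True, False): the fresh DH secret is also needed
```

The same holds for the guide's phase 1 level PFS: deleting the IKE SA after the IPsec SA is created removes SKEYID_d from the firewall, which is the quantity the attacker in demo(False) needs.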
To complete the Firewall Options tab:
1 To force the connection to rekey when the SA lifetime limits are reached, even if no traffic has passed through the VPN since the last rekey, select the Forced Rekey option.
2 [Conditional] If Force Rekeying is selected, set the phase 1 and phase 2 soft rekey percentages. These indicate how far in advance of the SA Lifetime limit to begin negotiating new keys. This makes sure you have new keys on hand by the time the hard limit expires.
3 [Optional] If your policy uses aggressive mode IKEv1 exchanges, the Encrypt Final Aggressive Mode Packet option causes the firewall to encrypt the final aggressive mode packet in the exchange. You might need to enable this option if you are experiencing interoperability issues with your VPN peer when using aggressive mode.
4 [Optional] Select Enable Extended Sequence Numbers if you need 64-bit IPsec sequence numbers. This option is useful if you expect extremely heavy traffic, ensuring that you can pass traffic over a VPN without running out of sequence numbers before the SA is rekeyed.
5 [Optional] Select Relax Strict Identity Matching to relax the identity matching restrictions. If you are experiencing issues associated with identity processing with the remote VPN peer, selecting this option can improve interoperability. However, it does decrease security.
6 Select the encapsulation method. Options are Tunnel and Transport. The most common option is Tunnel.
7 Continue with the To complete the VPN Community configuration: section.

To complete the VPN Community configuration:
Click Analyze to validate your configuration. If you are satisfied with the analysis, click OK to save the VPN community object.
Note: Some data validation is applied to ensure that all of the required and conditionally required information has been specified. If you do not properly complete the VPN community configuration, an error message is generated.
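How the SA Lifetimes, the Soft (%) values and Force Rekeying interact, and why Extended Sequence Numbers matter for a high-volume SA, as an added Python example that is not part of this guide or of the product. The field names follow the tabs; the SALifetime class, the keep/rekey/expire decision strings and the packet-rate arithmetic are assumptions of the example. It generalises the guide's two defaults (3600 s for phase 1, 700 s for phase 2) to any seconds or KB limit.

```python
"""Added example, not code from the McAfee guide: the rekey timeline produced by
the SA Lifetimes, Soft (%) and Force Rekeying settings, plus the sequence-number
budget behind Enable Extended Sequence Numbers. The SALifetime class, the
decision strings and the packet-rate arithmetic are this example's own."""
from dataclasses import dataclass
from typing import Optional

SEQ_MAX_32 = 2 ** 32   # an SA must be replaced before its counter wraps (RFC 4303)
SEQ_MAX_64 = 2 ** 64   # with ESN only the low 32 bits are transmitted


@dataclass
class SALifetime:
    lifetime_sec: int                   # hard limit in seconds
    lifetime_kb: Optional[int] = None   # hard limit in KB; None = Unspecified (no limit)
    soft_pct: int = 85                  # Phase 1/2 Soft (%) on the Advanced Options tab
    force_rekey: bool = False           # Force Rekeying on the Advanced Options tab

    def soft_sec(self) -> float:
        return self.lifetime_sec * self.soft_pct / 100

    def soft_kb(self) -> Optional[float]:
        return None if self.lifetime_kb is None else self.lifetime_kb * self.soft_pct / 100


def rekey_action(sa: SALifetime, age_sec: float, kb_sent: float, traffic_since_rekey: bool) -> str:
    """What the firewall does at this point in the SA's life:
    'keep'   - no soft limit reached yet
    'rekey'  - a soft or hard limit reached and new keys are negotiated
    'expire' - hard limit reached on an idle SA with Force Rekeying cleared
    (assumption: an idle SA is left to expire unless Force Rekeying is set)."""
    hard = age_sec >= sa.lifetime_sec or (sa.lifetime_kb is not None and kb_sent >= sa.lifetime_kb)
    soft = age_sec >= sa.soft_sec() or (sa.soft_kb() is not None and kb_sent >= sa.soft_kb())
    if not soft:
        return "keep"
    if traffic_since_rekey or sa.force_rekey:
        return "rekey"
    return "expire" if hard else "keep"


def seconds_until_seq_wrap(packets_per_sec: float, esn: bool) -> float:
    """How long one SA can carry traffic at this rate before its sequence
    counter would wrap; the SA lifetime must be shorter than this."""
    return (SEQ_MAX_64 if esn else SEQ_MAX_32) / packets_per_sec


def lifetime_is_safe(sa: SALifetime, packets_per_sec: float, esn: bool) -> bool:
    return sa.lifetime_sec < seconds_until_seq_wrap(packets_per_sec, esn)


if __name__ == "__main__":
    phase1 = SALifetime(3600)            # guide default: one hour, KB unspecified
    phase2 = SALifetime(700)             # guide default: 700 s, KB unspecified
    print("phase 1 soft limit at", phase1.soft_sec(), "s; phase 2 at", phase2.soft_sec(), "s")
    for age in (300, 600, 700):
        print(f"phase 2 at {age}s, busy:", rekey_action(phase2, age, 0, True),
              "| idle:", rekey_action(phase2, age, 0, False))
    rate = 10_000_000                    # constructed figure: 10 million packets/s
    print("700 s phase 2 SA safe at 10 Mpps without ESN:", lifetime_is_safe(phase2, rate, False))
    print("700 s phase 2 SA safe at 10 Mpps with ESN:   ", lifetime_is_safe(phase2, rate, True))
```

At the guide's defaults the phase 2 soft limit falls at 595 s and the phase 1 soft limit at 3060 s; at 10 million packets per second a 32-bit counter wraps after about 429 s, which is why such a link needs either ESN or a phase 2 lifetime (or KB limit) below that figure.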
Creating a network configuration for a VPN client
Use the VPN Client Configuration window to establish a network configuration for the VPN client to operate on the private side of a firewall. When a remote host connects to the firewall using a VPN client, you might want the host to appear as though it is located on an internal network (for example, a network behind the firewall). To provide this capability, you create one or more virtual subnets of IP addresses that will be used by remote peers when they attempt to make a VPN connection.
When a client attempts a connection, the firewall assigns it one of the IP addresses that are available in the virtual subnet. The firewall also negotiates with the client to determine other VPN requirements, such as the DNS and/or WINS servers that will be made available to the client. If the negotiation is successful, the client is connected and the VPN connection is established.
Note: Not all VPN client software supports the negotiation of every client address pool parameter. Make sure to verify that your client or clients support the necessary features.
You define the number and size of the available virtual subnets. Even though the client might have a fixed IP address, the address that is used within the VPN definition is the address that has been assigned to it from the specified virtual subnet. The virtual subnet works for both fixed and dynamic clients.
You can also create multiple client configurations. You can group VPN clients into distinct virtual subnets to limit the resources that the clients in each group can access. In some cases, VPN client configuration objects can be used by more than one peer.
Figure 218 VPN Client Configuration window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client Configuration window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a unique name for this VPN Client Configuration object.
• Description — Provide a user-defined description for this object.
• OK — Save the changes that were made on all of the tabs in this window.
• Cancel — Close this window without saving any changes.

Tabs
This window has the following tabs:
• General — Configure a pool of virtual addresses to be used by remote peers when they attempt to make a VPN connection. On this page you can also determine which DNS and/or WINS servers will be made available to the remote client. For more information, see VPN Client Configuration window: General tab on page 509.
• Fixed IP Mappings — Assign fixed addresses to selected clients from the pool of available options specified on the General page. For more information, see VPN Client Configuration window: Fixed IP Mappings tab on page 509.
  • 509. VPN VPN Client Configuration window: General tab Use the General tab on the VPN Client Configuration window to configure a pool of virtual addresses to be used by remote peers when they attempt to make a VPN connection. You can also determine the DNS and/or WINS servers that will be made available to the remote client. For more information, see the Creating a network configuration for a VPN client on page 507. To change the order, or rank, of the listed servers, select an entry and use the up or down arrow to change its position. The firewall will attempt to connect to the servers in the order that is shown here. To delete an entry, select that entry's far left column and then press Delete. To view the fields on this tab, see Figure 218 on page 508. Accessing this tab 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client Configuration window is displayed. 4 Make sure that the General tab is selected. Fields and buttons This tab has the following fields and buttons: • Navigation arrows — Use the move up ( ) and move down ( ) arrows to change the position of an object in any of these three tables. • Virtual Subnets — Specify the objects that define the range of virtual IP addresses that can be assigned to the VPN clients to appear as a private address for the client. This list contains all of the previously defined host and subnet network objects. • DNS Servers — [Optional] Specify the DNS servers to be used to provide DNS services to the VPN clients that are using this client configuration. • NBNS/WINS Servers — [Optional] Specify the WINS servers to be used to provide NBNS/WINS services to the VPN clients that are using this client configuration. 
VPN Client Configuration window: Fixed IP Mappings tab Use the Fixed IP Mappings tab of the VPN Client Configuration window to assign fixed addresses to selected clients from the pool of available options that are specified on the General tab and to configure client identification strings for this object. For more information, see Creating a network configuration for a VPN client on page 507. Figure 219 VPN Client Configuration window: Fixed IP Mappings tab McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 509
  • 510. VPN Accessing this tab 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client Configuration window is displayed. 4 Select the Fixed IP Mappings tab. Fields and buttons This tab has the following fields and buttons: • Address — Specify the address to use in the fixed IP mapping. This address must be part of a virtual subnet that was selected on the General tab. • Client Identifier(s) — [Read-only] Displays the client identifier or identifiers that are associated with the displayed address. • Add — Displays the VPN Client Fixed Mapping window, in which you can add a client identifier. • Edit — Displays the VPN Client Fixed Mapping window, in which you can edit a client identifier. Make sure that you have highlighted the identifier that you want to edit before clicking this button. • Delete — Deletes the selected fixed IP mapping, but only after you click OK. Defining fixed addresses for VPN clients Use the VPN Client Fixed Mapping window to define fixed addresses for selected clients. One of the benefits of assigning fixed IP addresses to selected clients is that it allows you to govern what each client can do. For example, you might restrict access to certain clients, and you might grant additional privileges to other clients. You do this by creating a network object for a selected IP address and then using the network object within a rule. Each unique IP address can appear in the fixed IP mappings table only once. Multiple identities representing a single client, however, can be mapped to one IP address. Figure 220 VPN Client Fixed Mapping window Accessing this tab 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the VPN Client Configurations node or right-click it and select Add Object. The VPN Client Configuration window is displayed. 4 Select the Fixed IP Mappings tab. 
5 Click Add or Edit. The VPN Client Fixed Mapping window is displayed. 510 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 511. VPN Fields and buttons This window has the following fields and buttons: • Address — Specify the address to be assigned to the client that is specified in the Client Identifiers area below. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). • Description — Provide a user-defined description of this fixed mapping. • Client Identifiers — Use the fields in this area to specify the client identification strings for this entry. All entries listed in this area will be mapped to the associated IP address. Because a client can use one of several different IDs (a distinguished name, an e-mail address, and so on) when negotiating a session, you can map multiple IDs to one IP address. However, you cannot map two separate clients to the same address. If you define all of the possible IDs for a client, you will be ready, regardless of the ID that is presented during the negotiation. The following fields are available: Note: If a user will be using extended authentication, that user name will override any other ID. • Type — Specify the type of client identifier or identifiers to be accepted for this client configuration. The following values are available: • XAUTH Username • E-mail Address • Domain Name • IP address • Distinguished Name • Identifier — Specify a string that must be provided by the client to be allowed to establish a VPN connection. Follow the standard conventions for the selected type. • OK — Save the changes that have been made in this window. • Cancel — Close the window without saving any changes. 
Adding a VPN client configuration

Use the VPN Client Configuration window in the Configuration Tool to add a VPN client configuration object. This object can be used when you create VPN Peer objects for a firewall and when you create VPN remote gateway objects.

When a remote host connects to the firewall using a VPN client, you may want the host to appear as if it is located on an internal network (for example, a network behind the firewall). To provide this capability, you create one or more virtual subnets of IP addresses that will be used by remote peers when they attempt to make a VPN connection. When a client attempts a connection, the firewall assigns it one of the IP addresses available in the virtual subnet. The firewall also negotiates with the client to determine other VPN requirements, such as which DNS and/or WINS servers will be made available to the client. If the negotiation is successful, the client is connected and the VPN connection is established.

1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click VPN Client Configurations. The VPN Client Configuration window is displayed.
4 In the Name field, specify a unique name for the VPN client configuration object being created.
5 In the Description field, specify an appropriate user-defined description of the object being created.
6 On the General tab, specify the following information:
  a In the Virtual Subnets list, select a previously defined interface, network, or address range that identifies the address range of possible addresses to be assigned to the clients that use this configuration.
  b [Optional] In the DNS Server field, select the previously defined network object to serve as the DNS server for this configuration.
  c [Optional] In the NBNS/WINS Server field, select the previously defined network object to serve as the NetBIOS Name Server or WINS server for this configuration.
7 On the Fixed IP Mappings tab, click Add and select an IP address and the client identifier(s) to be used to identify a client connecting from the specified address. Repeat as necessary for this client configuration.
8 On the main VPN Client Configuration window, click OK to save the data.

CA certificates

On the firewall, certificates play an important role in allowing the use of automatic key generation in Internet Key Exchange (IKE) VPNs. With automatic key generation, after you gather the initial information for the remote end of the VPN, there is no further direct contact between you and the remote end of the VPN. Session keys are automatically and continually generated and updated based on this initial identifying information. As a result, the firewall requires a way to assure that the machine with which you are negotiating session keys is actually who it claims to be—a way to authenticate the other end of the VPN.

To allow automatic key generation, the firewall can use pre-shared keys or certificates as the authentication method. Certificates are generally more reliable and tougher to spoof, and, therefore, are favored over shared passphrases (keys).

The firewall can use the following certificate trust sources:
• Single certificate — Single certificate authentication requires that the firewall generates a certificate and private key to be kept on the firewall and a certificate and private key to be exported and installed on a client. Each certificate, after it has been installed on its end of a VPN connection, acts as a trust point. A single certificate (also referred to as a “self-signed certificate”) differs from Certificate Authority (CA) based certificates in that no root certificate is necessary.
• Certificate Authority policy — The firewall can be configured to trust certificates from a particular certificate authority (CA). Thus, it will trust any certificate that is signed by a particular CA that meets certain administrator-configured requirements for the identity contained within the certificate. Because of the nature of this type of policy, only locally administered Certificate Authorities should be used in this type of policy.

Certificate Revocation List (CRL)

The CRL is a list of subscribers who are paired with their digital certificate status. The list enumerates revoked certificates along with the reason or reasons for revocation. The dates of certificate issue and the authorities that issued them are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.

Both certificates and CRLs are stored in repositories to make them accessible to users. LDAP servers, Web servers, and FTP servers are examples of repositories. You can configure the firewall Certificate server to query a specified LDAP server for retrieving certificates and CRLs that are needed for certificate verification. Use the Certificates area on the Firewall window to manage the CRL.

Certificate file formats

The Control Center supports the importation and exportation of certificates as binary or PEM-encoded X.509 files or as part of a PKCS-12 file. (A PKCS-12 file contains both a certificate and a private key and is normally protected with a password.) The private key that is associated with a certificate can also be imported or exported, either as part of a PKCS-12 file or as a separate PKCS-1 or PKCS-8 file. The PKCS-10 format is also supported for requesting a certificate from a CA.
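As an added example (not Control Center code), the following Python script tells the formats listed above apart before a file is handed to an import wizard: it reads the leading DER structure (PKCS-12 starts with version 3, PKCS-1 and PKCS-8 keys with version 0, X.509 certificates and PKCS-10 requests with a nested SEQUENCE) and, for PEM files, cross-checks the armour label against the decoded body so that a mislabelled file is rejected rather than imported under the wrong name. The PEM label table and the version-number heuristics are assumptions made for this example, and the sample blobs are constructed stubs with only enough structure to be classified.

```python
import base64
import re

# Added example: classify a certificate or key file by format before import.
# The label table below is an assumption for this example (OpenSSL-style
# PEM labels); it is not a Control Center API.
PEM_KINDS = {
    "CERTIFICATE": "X.509 certificate",
    "CERTIFICATE REQUEST": "PKCS-10 certificate request",
    "RSA PRIVATE KEY": "PKCS-1 RSA private key",
    "PRIVATE KEY": "PKCS-8 private key",
    "ENCRYPTED PRIVATE KEY": "PKCS-8 encrypted private key",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value_start, value_end).
    Truncated data and over-long length fields are rejected instead of being read past."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, pos, pos + length


def classify_der(buf):
    """Name the format of a DER blob from its first one or two inner elements."""
    tag, start, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single top-level DER SEQUENCE")
    t1, s1, e1 = read_tlv(buf, start)
    if t1 == 0x02:                       # INTEGER version
        version = int.from_bytes(buf[s1:e1], "big")
        if version == 3:                 # PFX version 3
            return "PKCS-12"
        if version == 0:
            t2, _, _ = read_tlv(buf, e1)
            if t2 == 0x02:               # RSAPrivateKey: version, modulus, ...
                return "PKCS-1 RSA private key"
            if t2 == 0x30:               # PrivateKeyInfo: version, AlgorithmIdentifier, ...
                return "PKCS-8 private key"
    elif t1 == 0x30:
        t2, s2, e2 = read_tlv(buf, s1)
        if t2 == 0xA0:                   # [0] EXPLICIT version: X.509 v2/v3
            return "X.509 certificate"
        if t2 == 0x02:
            # Assumption: a leading INTEGER 0 is a PKCS-10 version; any other
            # value is treated as an X.509 v1 serial number.
            if e2 - s2 == 1 and buf[s2] == 0:
                return "PKCS-10 certificate request"
            return "X.509 certificate"
        if t2 == 0x06:                   # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
            return "PKCS-8 encrypted private key"
    raise ValueError("unrecognised DER structure")


def classify(data):
    """Return '<format> (PEM)' or '<format> (DER)'; raise ValueError for bad input."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = PEM_RE.search(data.decode("ascii"))
        if not m:
            raise ValueError("malformed PEM armour")
        label, body = m.group(1), m.group(2)
        if label not in PEM_KINDS:
            raise ValueError(f"unsupported PEM label {label!r}")
        kind = classify_der(base64.b64decode("".join(body.split()), validate=True))
        if kind != PEM_KINDS[label]:     # label and body disagree: refuse the file
            raise ValueError(f"PEM label {label!r} does not match body ({kind})")
        return f"{kind} (PEM)"
    return f"{classify_der(data)} (DER)"


def classify_or_error(data):
    """Same as classify(), but reports a rejection as a string instead of raising."""
    try:
        return classify(data)
    except ValueError as exc:
        return f"REJECTED: {exc}"


def pem(label, der):
    """Wrap DER bytes in PEM armour (used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode("ascii")


# Constructed stubs: only the leading structure each format is recognised by.
SAMPLES = {
    "cert_der": bytes.fromhex("300a3008a003020102020101"),  # SEQ{SEQ{[0]{INT 2}, INT 1}}
    "csr_der": bytes.fromhex("300730050201003000"),         # SEQ{SEQ{INT 0, SEQ{}}}
    "pkcs12_der": bytes.fromhex("30050201033000"),          # SEQ{INT 3, SEQ{}}
    "pkcs8_der": bytes.fromhex("30050201003000"),           # SEQ{INT 0, SEQ{}}
    "pkcs1_der": bytes.fromhex("3006020100020105"),         # SEQ{INT 0, INT 5}
    "truncated": bytes.fromhex("300a3008"),                 # length claims 10, 4 present
}
SAMPLES["cert_pem"] = pem("CERTIFICATE", SAMPLES["cert_der"])
SAMPLES["mislabelled_pem"] = pem("CERTIFICATE", SAMPLES["pkcs8_der"])

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} {classify_or_error(blob)}")
```

The DER checks are deliberately shallow: they identify the container, which is what an import dialog needs in order to pick the right wizard path, and they are not a substitute for the full signature and chain validation the firewall performs when the certificate is used.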
  • 513. VPN Firewall certificate server The firewall Certificate server performs several functions, including providing support for the certificate management daemon (CMD) and for an optional, external LDAP server. If the LDAP function is configured, it can be used to automatically retrieve certificates and Certificate Revocation Lists (CRLs) from a Version 2 or Version 3 Lightweight Directory Access Protocol (LDAP) server. The firewall will attempt to retrieve any certificates and (optionally) any CRLs that it needs to validate certificates in a CA-based VPN. Note that the LDAP functionality is used only for non-Netscape Certificate Authorities (for example, Entrust). You can also control the level of audit that is generated by the certificate server. The Certificate server is managed in the Certificates area of the Firewall window. CA certificate management For a firewall, when a VPN configuration is retrieved from the firewall, the content of the certificate, as well as the certificate name, is retrieved. This means that this CA certificate can be used in other firewall configurations without having to implicitly import the certificate into the firewalls. When managing certificates by using the Control Center Configuration Tool, certificates are added and stored based on their function. These functional areas are: • Firewall certificates — A firewall certificate is used to identify the firewall to a potential peer in a VPN connection, or to a client requesting a secure (SSL or HTTPS) connection. These certificates are created on a per-firewall basis by using the Certificates area in the Firewall window for each firewall. When creating a certificate for the firewall, you have the option to submit the certificate to a CA for signing, or have the firewall generate a self-signed certificate. The available actions in the firewall certificate area include requesting, loading, retrieving, viewing, exporting, and deleting certificates. 
You can also assign certificates to specific servers, such as the McAfee Firewall Enterprise Admin Console server and the Cluster Registration server, and to the HTTP application defense. • Remote certificates — A remote certificate identifies one or more peers that can be involved in a VPN connection with a firewall. These certificates are created by using the Remote Certificates page. The available actions in the remote certificate area include requesting, loading, retrieving, viewing, exporting, and deleting certificates. You are most likely to export a remote certificate if your users use a VPN client to establish a VPN connection between their machines and the firewall. The VPN client requires the use of a certificate to identify itself during the VPN connection negotiations. It is possible to use the firewall to create a self-signed certificate for the VPN client. After it is created, it can be converted to a new file format and then exported. From there, it is imported to the VPN client program. • CA certificates — A Certificate Authority certificate is generally a root certificate that has been imported from a local or trusted CA server. These certificates are imported by using the CA Certificate Import Wizard. After the certificate has been imported, you can use the Certificate Manager window to change a CA certificate's name and some of its information, such as its SCEP URL and CA ID. The identifier, such as its Distinguished Name, cannot be modified. CA certificates can also be exported for use as trust sources on clients. Note: For more information about how a firewall uses certificates, see the VPN chapter of the McAfee Firewall Enterprise (Sidewinder) Administration Guide. 
For firewalls, certificates are used by the following features: • VPNs • HTTPS Application Defense • McAfee Firewall Enterprise Admin Console • Cluster Registration Server • Control Center Control • Control Center Status McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 513
  • 514. VPN Use the Certificate Request Wizard, Import Wizard, and Export Wizard to create and manage firewall and remote certificates. Use the CA Certificate Import Wizard and the CA Certificates right-click menu to import and manage CA certificates. Use the Certificate Manager window to view details of, and to make minor modifications to, existing certificates. Managing certificate names Use the Certificate Manager window to assign certificate names to actual certificate files and store this data in the database of the Control Center. After a certificate has been imported to the Control Center, the only fields that may be modified are the name, URL, and CA ID fields. Note: To view and manage certificate server settings, see Managing firewall certificates for VPN gateways on page 481. Figure 221 Certificate Manager window Accessing this window To access remote certificates: 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the Remote Certificates node. The Remote Certificates page is displayed. 4 Click Certificate Details. The Certificate Manager window is displayed. To view a certificate for a specific firewall: 1 In the Configuration Tool, select the Firewalls group bar. 2 Select the Firewalls node. 3 Double-click the firewall for which you want to view the certificate. The Firewall window is displayed. 4 Select the Certificates node. The Certificates area is displayed. 5 Click Certificate Details. The Certificate Manager window is displayed. To view a CA certificate: 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the CA Certificates node. The CA Certificates page is displayed. 4 Double-click a CA certificate. The Certificate Manager window is displayed. 514 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 515. VPN Fields and buttons This window has the following fields and buttons: • Certificate Name — Specify the unique name of the certificate that is used by the Control Center to reference the certificate. • Distinguished Name — [Read-only] Displays the distinguished name, e-mail address, domain name, and/or IP address that is associated with the certificate. • Signature Type — [Read-only] Displays whether the signature that is associated with the certificate is RSA or DSA. • Status — [Read-only] Displays whether the certificate is complete or pending. • SCEP URL — [CA certificates only] Specify the URL of the SCEP server that issued the CA certificate. • SCEP CA ID — [CA certificates only—optional] Specify the value that is used to identify this specific CA. Creating certificates or importing them into the certificate database Use the Certificate Request Wizard to add or import a certificate into the Control Center certificate database. The wizard has two paths: one for creating a new certificate and one for importing an existing certificate. For information about how to add a certificate, see the appropriate section. Accessing this wizard To create certificates: 1 In the Configuration Tool, select the Firewalls group bar. 2 Select the Firewalls node. 3 Double-click a firewall. The Firewall window is displayed. 4 Select the Certificates node. The Certificates area is displayed. 5 Click Add Certificate. The Certificate Request wizard is displayed. To import remote certificates: 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the Remote Certificates node. The Remote Certificates page is displayed. 4 Click Add Certificate. The Certificate Request Wizard is displayed. Create a new certificate Step 1 of 8 Select Create a new certificate. Click Next >. Step 2 of 8 Specify a unique name for the certificate. 
This name will be given to the certificate and will be used when importing the certificate into the Control Center. Click Next >. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 515
  • 516. VPN Step 3 of 8 Specify the subject name attributes listed on this page. Required attributes are marked with an asterisk (*). Certain attributes (such as organizational unit) can have multiple values. Separate multiple values with a comma (,). Note: For more information about distinguished name syntax, see the VPN chapter of the McAfee Firewall Enterprise (Sidewinder) Administration Guide. • *Common Name — Specify the name. The valid character string type is DirectoryString. The maximum number of allowed characters is 64. • *Country — Specify the country of origin. The valid character string type is PrintableString. The maximum number of allowed characters is 2. • Organization — Specify the organization for this certificate. The valid character string type is DirectoryString. The maximum number of allowed characters is 64. • Organizational Unit — Specify the organizational unit for this certificate. The valid character string type is DirectoryString. The maximum number of allowed characters is 64. • City or Locality — Specify the city or locality for this organization. The valid character string type is DirectoryString. The maximum number of allowed characters is 128. • State or Province — Specify the state or province for this organization. The valid character string type is DirectoryString. The maximum number of allowed characters is 128. • Domain Component — Specify the domain name for this certificate. Use standard domain name notation, such as example.com. • Email Address — Specify the e-mail address for this certificate. Use standard e-mail notation, such as a@example.com. Click Next >. Step 4 of 8 Specify any additional identities to be bound to the subject of the certificate. Options are: • E-mail address (optional) • DNS name (optional) • IP address (optional) Click Next >. Step 5 of 8 Select a public key encryption algorithm and key size. • Encryption Algorithm — Specify the encryption algorithm to use for this certificates public key. 
Options are RSA and DSA. The default is RSA. • RSA is faster at signature verification. It is the most commonly used encryption and authentication algorithm. • DSA is faster at signature generation. DSA provides only digital signatures. • Public Key Length (bits) — Specify the length of the public key in bits. Options are 768, 1024, and 2048. The default is 1024. Click Next >. 516 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 517. VPN Step 6 of 8 Specify the mechanism to be used to sign the certificate. • Signature Mechanism — Specify the enrollment method to which the certificate will be submitted for signing. The following values are available: • Manual PKCS10 — Indicates that the certificate enrollment request will need to be submitted to a CA. • Self Signed — Indicates that the new certificate will be signed by the Control Center, rather than by a CA. If you select this option, the wizard automatically imports at the certificate after you have reviewed and accepted it. • CA Certificate — Indicates that the new certificate will be signed by a CA certificate that is currently stored in the Control Center certificate database. You must also select the name of the CA to which the certificate is submitted for signing. The CA can be either private (one that you own and manage) or it can be public (a trusted CA administered that is elsewhere). • Control Center CA — Indicates that the new certificate will be signed by the default Control Center CA. For more information on Control Center CA certificates, see Importing certificates into the known certificates database on page 518. Click Next >. Step 7 of 8 Review your selections. To create the certificate request, click Next >. Step 8 of 8 Review the final summary. If you selected Manual PKCS10 as the signature mechanism, either copy and paste the displayed text into an online CA form or click Save as to save the certificate file. If the certificate was successfully created or saved and no further action is necessary, click Finish. Import an existing certificate Step 1 of 5 Select Import an existing certificate. Click Next >. Step 2 of 5 Specify a unique name for the certificate. This name will be used when importing the certificate into the Control Center. Click Next >. Step 3 of 5 Select the way in which to import the certificate. • Import Mechanism — Specify the import method to which the certificate will be submitted for signing. 
The following values are available: • File — Imports an unencrypted file. • Encrypted File (PKCS12) — Imports a certificate and its key file. This method requires that you specify the password. • LDAP — Imports a certificate directly from an online LDAP server. Click Next >. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 517
  • 518. VPN Step 4 of 5 Specify the appropriate information for retrieving the certificate. The fields on this page vary, depending on the import method that you selected on the previous page. • If you selected File — Specify the certificate location and format. • Certificate Path — Specify the path or browse to the certificate file. • Certificate Format — Specify the format of the certificate. The following values are available: • X.509-PEM • X.509-DER • If you selected Encrypted File (PKCS12) — Specify the certificate location and the password that is required to decrypt the certificate. • File Path — Specify the path or browse to the certificate file. • Password — Specify the password that was specified when the certificate was encrypted. • Confirm Password — Re-specify the password. • Hide Password Characters — Determines whether password characters appear as asterisks (*) or as human-readable characters. By default, this checkbox is selected, indicating that the password characters appear as asterisks. • If you selected LDAP — Specify the IP address and port of the LDAP server where the certificate is saved. Also provide the distinguished name that will be used to identify the certificate. • LDAP Server Address — Specify the IP address for the Control Center to use to contact the server. • LDAP Server Port — Specify the port on which the Control Center will contact the server. The default is 389. • Distinguished Name — Specify the distinguished name that was specified when the certificate was created. Click Next >. Step 5 of 5 Read the final summary. If the certificate was successfully created, click Finish. Importing certificates into the known certificates database Use the Certificate Import Wizard to import certificates into the database of known certificates. These certificates can be used for VPN authentication and as certificate authorities for certificates that are stored in the Remote Certificates subnode beneath the VPN node in the Policy tree. 
Accessing this wizard 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the CA Certificates node. The CA Certificate Import wizard is displayed. Step 1 of 5 The first page is an introduction. Click Next >. Step 2 of 5 Specify a unique name for the certificate you are importing. This name will help you to quickly identify the certificate when you assign it for other uses. Click Next >. 518 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
  • 519. VPN Step 3 of 5 Select the method to use to import the CA certificate. • Import Mechanism — Specify the import method to which the certificate will be submitted for signing. The following values are available: • File — Imports an unencrypted file. • SCEP — Imports a certificate directly from a Simple Certificate Enrollment Protocol server. This method requires you to specify the CA ID. • Netscape 4.2 — Imports a certificate directly from a Netscape certificate server. Click Next >. Step 4 of 5 Specify the appropriate information for importing the certificate. The fields on this page vary, depending on the import method that you selected on the previous page. • If you selected File — Specify the path or browse to the certificate file. • If you selected SCEP — Specify the certificate server values for the URL and CA ID fields. Certificates that need to be signed by the CA are sent to this URL. The CA ID is the value that is used to identify this specific CA. Check with your CA administrator to determine the identifier to use. Many administrators use the fully qualified domain name of the CA as the identifier. • If you selected Netscape 4.2 — Specify the certificate server URL in the URL field. Certificates that need to be signed by the CA are sent to this URL. Click Next >. Step 5 of 5 Read the final summary. If the certificate was successfully imported, click Finish. Exporting certificates Use the Export Certificate Wizard to export a certificate. The wizard guides you through exporting the certificate only, or combining the certificate with a private key. Note: When you use the Control Center Client Suite, you cannot export the certificate to the screen as you can when using the McAfee Firewall Enterprise Admin Console. To view the details about a certificate, use the Certificate Manager window. 
You can export certificates from either the Remote Certificates page, the Certificates area on the Firewall window, or from the CA Certificates subnode beneath the VPN node in the Policy tree. The procedure that you use is very simple and is the same from any of these locations. The reasons that you export a certificate from one area rather than another, however, are quite different, as described below. • Exporting a remote certificate — You are most likely to export a remote certificate if your users use a VPN client to establish a VPN connection between their machines and the firewall. The VPN client requires the use of a certificate to identify itself during the VPN connection negotiations. It is possible to use the firewall to create a self-signed certificate for the VPN client. After it has been created, it can be converted to a new file format and then exported. From there, it is imported to the VPN client program. • Exporting a firewall certificate — This is used to export the firewall certificate to a remote peer. This allows the remote peer to recognize the firewall. On the remote peer, the firewall certificate is imported as a remote certificate. • Export a CA certificate — Similar to a firewall certificate, this is used to export the CA certificate to a remote peer. This allows the remote peer to recognize the firewall. On the remote peer, the certificate is imported as a root CA certificate. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 519
  • 520. VPN Accessing this wizard To export a remote certificate: 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the Remote Certificates node. The Remote Certificates page is displayed. 4 Click Export Certificate. The Export Certificate wizard is displayed. To export a firewall certificate for a specific firewall: 1 In the Configuration Tool, select the Firewalls group bar. 2 Select the Firewalls node. 3 Double-click the firewall for which you want to view the certificate. The Firewall window is displayed. 4 Select the Certificates node. The Certificates area is displayed. 5 Click Export Certificates. The Export Certificate wizard is displayed. To view a remote certificate: 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the Remote Certificates node. The Remote Certificates page is displayed. 4 Click Certificate Details. The Export Certificate wizard is displayed. To export a CA certificate: 1 In the Configuration Tool, select the Policy group bar. 2 Select the VPN node. 3 Double-click the CA Certificates node. The CA Certificates page is displayed. 4 Click Export CA Certificate. The Export Certificate wizard is displayed. Export the certificate without a private key Step 1 of 4 Select Export Certificate. Click Next >. Step 2 of 4 Specify the location where you want to save the certificate and the format in which it will be saved. • Path — Specify a path or browse to a location to save the certificate file. • Format — Specify the format for the certificate. The following values are available: • X.509 • X.509(PEM) Click Next >. Step 3 of 4 Confirm your selection against the path and file name displayed here. Click Next >. Step 4 of 4 Read the final summary. If the certificate was successfully exported, click Finish. 520 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Export the certificate and its private key as one file
Step 1 of 4
Select Export Certificate and Private Key as one file. Click Next >.
Step 2 of 4
Specify the location where you want to save the certificate and the key to use to encrypt it.
• Path — Specify a path or browse to a location to save the certificate file.
• Password — Specify a password with which to encrypt the file.
• Confirm Password — Specify the same password again.
• Hide Password Characters — Determines whether the characters in the Password field are displayed in clear text as you type them or as asterisks (*). By default, this checkbox is cleared, indicating that the password characters appear as asterisks.
Click Next >.
Step 3 of 4
Confirm your selection against the path and file name displayed here. Click Next >.
Step 4 of 4
Read the final summary. If the certificate was successfully exported, click Finish.
Export the certificate and its private key as multiple files
Step 1 of 5
Select Export Certificate and Private Key as multiple files. Click Next >.
Step 2 of 5
Specify the location where you want to save the certificate and the format in which it will be saved.
• Path — Specify a path or browse to a location to save the certificate file.
• Format — Specify the format of the certificate. The following values are available:
  • X.509
  • X.509(PEM)
Click Next >.
Step 3 of 5
Specify the location where you want to save the private key file and the format in which it will be saved.
• Path — Specify a path or browse to a location to save the private key file.
• Format — The following values are available:
  • PKCS1
  • PKCS1(PEM)
  • PKCS8
  • PKCS8(PEM)
Click Next >.
Step 4 of 5
Confirm your selections against the paths and file names displayed here. Click Next >.
Step 5 of 5
Read the final summary. If the certificate was successfully exported, click Finish.
Loading certificates
Use the Load Certificate Wizard to load a certificate with a status of Pending. The wizard guides you through loading the certificate from a file or from an LDAP server.
Accessing this wizard
To load a remote certificate:
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.
4 Click Load Certificate. The Load Certificate wizard is displayed.
To load a firewall certificate for a specific firewall:
1 In the Configuration Tool, select the Firewalls group bar.
2 Select the Firewalls node.
3 Double-click the firewall for which you want to view the certificate. The Firewall window is displayed.
4 Select the Certificates node. The Certificates area is displayed.
5 Click Load Certificates. The Load Certificate wizard is displayed.
To view a remote certificate:
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the Remote Certificates node. The Remote Certificates page is displayed.
4 Click Certificate Details. The Export Certificate wizard is displayed.
To load a CA certificate:
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the CA Certificates node. The CA Certificates page is displayed.
4 Click Load CA Certificate. The Load Certificate wizard is displayed.
Load the certificate from a file
Step 1 of 3
Select Load From File. Click Next >.
Step 2 of 3
Specify or browse to the location of the certificate file that you want to load. Click Next >.
Step 3 of 3
Read the final summary. If the certificate was successfully loaded, click Finish.
Load the certificate from an LDAP server
Step 1 of 3
Select Load From File. Click Next >.
Step 2 of 3
Specify the IP address and port of the LDAP server that is hosting the certificate that you want to load. Also provide the Distinguished Name that is used to identify the certificate. When you click Next >, the Control Center server issues a query command for your requested certificate.
• LDAP Server Address — Specify the IP address for the Control Center to use to contact the server.
• LDAP Server Port — Specify the port on which the Control Center will contact the server. The default is 389.
• Distinguished Name — Specify the distinguished name that was specified when the certificate was created.
Click Next >.
Step 3 of 3
Read the final summary. If the certificate was successfully loaded, click Finish.
Managing remote certificates
Use the Remote Certificates page to manage remote certificates. Actions include requesting, loading, retrieving, viewing, exporting, and deleting certificates. Most of the fields on this page start a wizard that guides you through the desired action.
Note: This information is displayed as a standalone window when accessed from the Authentication (Certificates) page of the VPN Wizard.
Accessing this page
1 In the Configuration Tool, from the View menu, select Remote Certificates. The Remote Certificates page is displayed.
or
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node to expand the tree.
3 Double-click Remote Certificates. The Remote Certificates page is displayed.
Fields and buttons
This page has the following fields and buttons:
• Name — [Read-only] Displays the name of the remote certificate.
• Status — [Read-only] Displays the current status of the remote certificate.
• Status — Specify the certificates that will be displayed in the table, based on their certificate status. The following values are available:
  • ALL
  • Pending
  • Completed
  • Revoked
• Add Certificate — Displays the Certificate Request Wizard. Run this wizard to create a new certificate or to import an existing certificate.
• Load Certificate — Displays the Load Certificate Wizard. Run this wizard to load a certificate from a file or from an LDAP server.
• Retrieve Certificate — Retrieve a certificate from the URL address.
• Certificate Details — Displays the Certificate Manager window, in which the following information is displayed: certificate status, signature type, and identifying information, such as Distinguished Name, E-mail address, domain name, or IP address.
• Export Certificate — Displays the Export Certificate Wizard. Run this wizard to export a stored certificate.
• Delete Certificate — Delete the selected certificate.
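The export and load wizards above name six file formats (X.509, X.509(PEM), PKCS1, PKCS1(PEM), PKCS8, PKCS8(PEM)), and a peer or VPN client that expects one will reject another. As an added example, not part of this guide or of Control Center, the following Python script tells those formats apart by the PEM label or by the top-level DER structure, so an operator can verify an exported file before importing it; the byte strings at the end are constructed samples and the function names are this example's own.

```python
import re

# PEM labels for the export formats named in the wizard (plus the encrypted PKCS#8 variant).
PEM_LABELS = {
    "CERTIFICATE": "X.509(PEM)",
    "RSA PRIVATE KEY": "PKCS1(PEM)",
    "PRIVATE KEY": "PKCS8(PEM)",
    "ENCRYPTED PRIVATE KEY": "PKCS8(PEM), password-encrypted",
}


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _child_tags(buf: bytes, start: int, end: int):
    """Tags of the elements directly inside a constructed DER value."""
    tags, pos = [], start
    while pos < end:
        tag, _vstart, vend = _der_tlv(buf, pos)
        tags.append(tag)
        pos = vend
    return tags


def identify_der(data: bytes) -> str:
    if len(data) < 2:
        return "unknown (too short)"
    tag, start, end = _der_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        return "unknown (not a single DER SEQUENCE)"
    kids = _child_tags(data, start, end)
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }
    if kids[:3] == [0x30, 0x30, 0x03]:
        return "X.509"
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, privateKeyAlgorithm SEQUENCE, privateKey OCTET STRING }
    if kids[:3] == [0x02, 0x30, 0x04]:
        return "PKCS8"
    # RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } : nine INTEGERs
    if len(kids) >= 9 and all(k == 0x02 for k in kids[:9]):
        return "PKCS1"
    return "unknown DER structure"


def identify(data: bytes) -> str:
    """Return the wizard's format name for an exported certificate or key file."""
    m = re.match(rb"-----BEGIN ([A-Z ]+)-----", data.lstrip())
    if m:
        return PEM_LABELS.get(m.group(1).decode(), "unknown PEM label")
    return identify_der(data)


# --- constructed sample files: synthetic structure only, not real keys or certificates ---
def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value      # short-form length is enough for these samples

_RSA_OID = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # OID rsaEncryption
FAKE_X509_DER = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")) + _tlv(0x30, _RSA_OID) + _tlv(0x03, b"\x00\xaa"))
FAKE_PKCS8_DER = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, _RSA_OID + _tlv(0x05, b"")) + _tlv(0x04, b"\x30\x00"))
FAKE_PKCS1_DER = _tlv(0x30, _tlv(0x02, b"\x00") + b"".join(_tlv(0x02, b"\x01") for _ in range(8)))
FAKE_PKCS1_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMAA=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, blob in [("cert.der", FAKE_X509_DER), ("key8.der", FAKE_PKCS8_DER),
                        ("key1.der", FAKE_PKCS1_DER), ("key1.pem", FAKE_PKCS1_PEM)]:
        print(label, "->", identify(blob))
```

Run it against a real exported file by reading the file as bytes and passing it to identify().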
Bypassing IPsec policy evaluation
Use the VPN Bypass window to select certain traffic to bypass IPsec policy evaluation and to be sent outside of the encrypted tunnel. This traffic is defined based on its source and destination endpoints, which are represented as subnets. Other non-VPN security policy rules still apply to this traffic.
Example: Traffic between two networks at two different sites is encrypted; however, you want traffic to and from the web server to be sent outside of the encrypted tunnel. You would configure a VPN bypass and place it in front of a more general definition in the VPN Definitions list.
Note: Unlike when you directly manage a firewall, you do not rank order the VPN definitions (channels) and bypasses. All VPN bypass objects are automatically processed before any VPN channels are processed.
Figure 222 VPN Bypass window
Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Select the VPN node.
3 Double-click the VPN Bypass node. The VPN Bypass window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label to use to identify this traffic.
• Description — Provide information about this traffic.
• Firewall — Specify the firewall on which this bypass is to be used.
• Enabled — Determines whether this VPN bypass is enabled. By default, this checkbox is selected, which means that the bypass is enabled.
• Burb — Specify the burb to which this VPN bypass is assigned. As with VPN definitions, the firewall terminates each VPN bypass in a burb so that access rules can be applied to the designated traffic.
• Networks — The Local list displays the network names or IP addresses that the firewall can use in a VPN bypass. The addresses in this list and the addresses in the Remote list together identify the allowed and reachable addresses for this VPN bypass.
To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click the Advanced search icon. To view a list of objects that you can add, click the Add icon.
  • Local — Select the IP addresses of the local peer. This address is generally located within the burb that was selected in the Burb field.
  • Remote — Select the IP addresses of the remote peer. This address is generally external to the firewall that was selected in the Firewall field.
• OK — Save the changes on this window.
• Cancel — Close this window without saving any changes.
Rules
Rules provide the network security mechanism that controls the flow of data into and out of the internal network. The order of rules is significant. When a packet arrives, the network packet-filtering software scans the rules list from top to bottom looking for a rule match. The first rule that matches the defined packet criteria is applied. All subsequent rules are ignored. If no rule matches, the packet is denied.
Rules specify the network communications protocols that can be used to transfer packets, the hosts and networks to and from which packets can travel, and the time periods during which the rules can be applied. Rules are created by the system administrator and should reflect the internal network site's security policy.
The Rules page displays the complete list of the packet-filtering rules that have been defined on your system, in the sequence in which they are applied (from top to bottom). An important concept to remember is that any traffic that is not specifically allowed is prohibited.
Use the Rules page to view, add, insert, change, delete, or prioritize rules. Some rule settings (for example, Apply On, Services, Sources) can be controlled directly from this page. Use the Rule Editor window to change other rule settings (for example, Options) or to create new rules.
Because many rules can be created when managing enterprise-class firewalls, a filtering mechanism is provided to allow operators to quickly retrieve only those rules that meet certain filter constraints. Use the Rules Filter Selection window to specify filter criteria to display subsets of rules.
Generally speaking, rules determine whether the types of packets or datagrams that are used by specific services are permitted, denied, or proxied between specified sources and destinations. The individual rules can be specifically applied to one or more homogeneous firewalls or generally applied to heterogeneous groups of firewalls.
Rules are session-level rules. A network session is a traffic stream between two endpoints. It is made up of many datagrams and is identified by a signature that includes the following components: source address, destination address, protocol, source port, and destination port. The packet filter maintains a record of all of the sessions that it has seen and maintains the state that is associated with each session.
How rules work
When a datagram arrives at the firewall, the firewall tries to find a packet filter session whose signature matches that of the datagram. If it finds a matching session, it handles the datagram; it does not search the rules list. If it does not find a matching session, it searches the rules list from top (Rule 1) to bottom looking for a rule that matches the datagram's signature, applies the first rule that matches, and ignores subsequent rules. Using information from the datagram and the rule, a new session is created so that a rule lookup is not required for subsequent datagrams that are part of the session. If no rules match, the datagram is dropped.
ICMP error messages are managed differently. A host or router that is unable to deliver a datagram (hereinafter called the offending datagram) often notifies the sender using an ICMP error message. The error message contains a copy of the initial part of the offending datagram. When it sees an ICMP error message, the firewall attempts to find the session for the offending datagram. If no session grants passage to the offending datagram, the firewall drops the error message. If a session grants passage to the offending datagram, the firewall also consults the rules list. An ICMP error message will pass through the firewall only if a session grants passage to the offending datagram and the packet-filtering rules list grants passage to the error message.
A traffic stream matches a rule only if it matches the rule's service, source, destination, and time categories.
For the firewall, it must also match the application defense settings, if applicable, burb settings, authentication requirements, and IPS (Intrusion Protection Services) settings, if applicable. A traffic stream matches a category if it matches any of the objects in the category. The way in which a traffic stream matches an object in a category varies with the type of object. Generally, if an object specifies several criteria, a traffic stream must match all of those criteria. To match on a service object named FTP, for example, a traffic stream must match all of the following criteria: source port range, destination port range.
As explained, a datagram's signature contains components that can be matched against a rule's service, source, and destination condition categories. Time and user components are not contained in the datagram, however. A datagram's arrival time, which is taken from the system clock, is matched against a rule's time condition category.
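As an added example (not Control Center code), the following Python model implements the evaluation described in this section: the first-match scan of the rules list with the implicit drop when nothing matches, a session table keyed by the five-component signature so that later datagrams skip the rule lookup, the time category checked against the arrival clock, and the two-part check for ICMP error messages. Rule, Datagram, PacketFilter and the rule set and traffic in demo() are this example's own constructions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Session signature as the guide defines it: source address, destination
# address, protocol, source port, destination port.
Signature = Tuple[str, str, str, int, int]


@dataclass
class Datagram:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    arrived: datetime          # system clock at arrival, used for the time category
    offending: Optional[Signature] = None   # ICMP errors only: signature of the quoted offending datagram

    def signature(self) -> Signature:
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass
class Rule:
    name: str
    action: str                            # "allow", "deny" or "drop"
    services: List[Tuple[str, range]]      # hypothetical service objects: (protocol, destination port range)
    sources: List[str]                     # CIDR networks
    destinations: List[str]                # CIDR networks
    times: List[Tuple[time, time]] = field(default_factory=list)  # empty means ANYTIME
    enabled: bool = True

    def matches(self, d: Datagram) -> bool:
        # A stream matches a category if it matches ANY object in that category,
        # and it matches the rule only if it matches EVERY category.
        svc = any(d.proto == p and d.dport in ports for p, ports in self.services)
        src = any(ip_address(d.src) in ip_network(n) for n in self.sources)
        dst = any(ip_address(d.dst) in ip_network(n) for n in self.destinations)
        now = d.arrived.time()
        when = not self.times or any(s <= now <= e for s, e in self.times)
        return self.enabled and svc and src and dst and when


class PacketFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Dict[Signature, str] = {}   # signature -> action already decided

    def first_match(self, d: Datagram) -> Optional[Rule]:
        # Scan from Rule 1 downward; the first match wins and later rules are ignored.
        for r in self.rules:
            if r.matches(d):
                return r
        return None

    def handle(self, d: Datagram) -> str:
        if d.proto == "icmp" and d.offending is not None:
            # ICMP error: passes only if a session grants passage to the offending
            # datagram AND the rules list grants passage to the error message itself.
            if self.sessions.get(d.offending) != "allow":
                return "drop"
            r = self.first_match(d)
            return "allow" if r is not None and r.action == "allow" else "drop"
        sig = d.signature()
        if sig in self.sessions:            # known session: no rule lookup needed
            return self.sessions[sig]
        r = self.first_match(d)
        if r is None:                       # nothing matched: the datagram is dropped
            return "drop"
        self.sessions[sig] = r.action       # remember the decision for the rest of the session
        return r.action


def demo() -> List[str]:
    """Constructed rule set and traffic; returns the decision for each datagram in order."""
    rules = [
        Rule("Internet Services", "allow", [("tcp", range(80, 444))], ["10.0.0.0/8"], ["0.0.0.0/0"]),
        Rule("Office-hours SSH", "allow", [("tcp", range(22, 23))], ["10.0.0.0/8"], ["192.0.2.0/24"],
             times=[(time(8, 0), time(18, 0))]),
        Rule("ICMP errors in", "allow", [("icmp", range(0, 1))], ["0.0.0.0/0"], ["10.0.0.0/8"]),
    ]
    pf = PacketFilter(rules)
    day, night = datetime(2009, 6, 1, 10, 0), datetime(2009, 6, 1, 22, 0)
    web = Datagram("10.1.1.5", "198.51.100.7", "tcp", 40000, 443, day)
    traffic = [
        web,                                                              # rule 1: allow, session created
        Datagram("10.1.1.5", "198.51.100.7", "tcp", 40000, 443, night),  # same signature: session hit, no lookup
        Datagram("10.1.1.5", "192.0.2.10", "tcp", 40001, 22, day),       # rule 2: allow
        Datagram("10.1.1.5", "192.0.2.10", "tcp", 40002, 22, night),     # outside time period, no match: drop
        Datagram("10.1.1.5", "198.51.100.7", "udp", 5353, 53, day),      # no rule for UDP/53: drop
        Datagram("198.51.100.7", "10.1.1.5", "icmp", 0, 0, day, offending=web.signature()),   # session + rule 3
        Datagram("203.0.113.9", "10.1.1.5", "icmp", 0, 0, day,
                 offending=("10.1.1.5", "203.0.113.9", "tcp", 40003, 443)),                  # no session: drop
    ]
    return [pf.handle(d) for d in traffic]
```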
Other kinds of actions that are taken for a matching network session are specified by the SYN flood defense and Audit Level settings on a rule. If the SYN flood defense is enabled, TCP connection attempts are discarded if they are not acknowledged within a specified number of seconds. Audit Level controls the generation of audit data for a network session matching the rule. Audit events with a level higher than or equal to the selected level are recorded; audit events with a lower level are not recorded.
Rule management
Because large numbers of rules can be created over time, the Configuration Tool provides some tools to help the administrator manage rules.
• Default Rule Settings window — Specify default settings for new rules. See Configuring default settings for creating rules on page 540.
• Rules Filter Selection window — Specify filter criteria to display subsets of rules. This enables an operator to locate and manage a smaller subset of the potentially large set of rules that can be developed to meet the criteria of an implemented security policy. See Filtering rules to display on the Rules page on page 545.
• Quick Filter window — Displays (on the Rules page) only those rules that have been defined for the selected firewalls. See Displaying filtered rules on the Rules page on page 550.
• Manage Filters window — Load and manage previously named filters used to display only those rules that meet the filter requirements that were defined when using the Rules Filter Selection window. See Loading and managing previously saved rule filters on page 549. Highlight the filter and select the action to perform (Apply, Edit, or Delete). The rules that meet the requirements that are defined in the filter are displayed on the Rules page, and the Filter Off menu option is displayed in the Rules menu of the Configuration Tool. Select the menu option to cancel the filtered view.
• Rules Group window — Organize sequences of rules into groups that can be expanded and collapsed. The purpose is to allow administrators to manage large numbers of rules. See Configuring groups of rules on page 551.
• Reveal or conceal selected groups of rules — After the rules are formed into groups by using the Rules Group window, use the expand and contract buttons at the left end of the Rule Description table (when the Rules page is displayed in the work area of the Configuration Tool) to reveal or conceal selected groups of rules.
• Right-click menu — Any time that the cursor is in the work area of the Configuration Tool when the Rules page is open, the administrator can right-click to display a menu. The selections on the menu vary according to the options that are currently available. One notable feature is the ability to insert a new rule at the current insertion point in the displayed rules. You can also do this by pressing Ins (Insert) on the keyboard.
Creating, viewing, or modifying rules
Use the Rules page to view, add, insert, change, delete, or prioritize rules. Certain rule settings can be changed directly from this page (such as enabling or disabling a rule, or renaming a rule). You can move a firewall into the Apply On column by using drag-and-drop. You can also add the associated objects for services, sources, destinations, and time periods directly in their columns using drag-and-drop, and you can move burb objects into the Source Burbs or Destination Burbs columns using drag-and-drop. Changes made from the Rules page are automatically saved. (Drag-and-drop changes generate a confirmation pop-up message.) You can change other rule settings in the Rule Editor window.
Because many rules can be created when managing enterprise-class firewalls, a filtering mechanism is provided so that you can quickly retrieve only those rules that meet certain filter constraints.
• Use the Quick Filter option to identify rules associated with one or more selected firewalls.
• Use the Rules Filter Selection window to specify filter criteria to display subsets of rules by using a more complex filtering mechanism.
• Use the Manage Filters option to quickly retrieve a previously defined filter.
From the Rules page, use the Filter list to filter the rules for display. You can perform the following tasks:
• Select a firewall to display all rules for that firewall, or select a device group to display the rules for all of the firewalls in that group.
• Create a custom filter. When Custom Filter is selected, the Rules Filter Selection window is displayed, allowing the creation of a dynamic filter.
• Select a saved filter.
• Select Clear Find Results to clear a filter and display all of the rules on the Rules page.
Use Find to search for rules.
1 In the Search field, specify a term that matches a selection for any value displayed in the table.
2 Click the down arrow to select the display for the search results (Highlight Matching Rules or Only Display Matching Signatures).
3 Click Find or press Enter. The results are displayed.
4 Click Find Next to move through the matches.
To remove the filtered list or the yellow highlight and view all of the objects again, click Clear Find Results.
When the cursor is in the work area of the Configuration Tool and the Rules page is open, you can right-click to display a pop-up menu. The selections on the menu vary according to the options that are currently available. One notable feature is the ability to insert a new rule at the current insertion point in the displayed rules. This action can also be accomplished by pressing the Insert key (Ins) on the keyboard.
The following capabilities make it easier to manage rules:
• Move rules using drag-and-drop.
• Select multiple rules on the page.
• Delete multiple selected rules.
• Apply drag-and-drop to all selected rules.
• View multiple instances of the Rules page.
• Manage rule groups.
  • Select the first and last rules in a series, then right-click to create a group for that series, or right-click somewhere on the Rules page and select Create Group in the window.
  • Right-click on a group in the table to:
    • Edit or remove the rule group.
    • Delete, enable, or disable all rules in a rule group.
    • Move rule groups up or down, to the top or bottom, and above or below a rule.
  • Move rule groups using drag-and-drop.
  • Expand a group of rules, then add an existing rule by dragging and dropping it into the group.
• Move burb objects into the Source Burbs or Destination Burbs columns by using drag-and-drop.
  • The drag-and-drop option is not allowed when Any Burb or All Burbs is selected.
  • If a burb object is dragged to a cell with an existing burb object, the new burb is added to the list.
  • If a burb object is dragged to a cell with burb groups, or a burb group is dragged to a cell with burb objects, the burb is not added to the list.
Figure 223 Rules page
Accessing this page
This page is displayed by default when you log into the Configuration Tool. Select the Rules tab. The Rules page is displayed in the work area.
Columns
The following columns appear by default. To select the columns you want to display on this page, see Configuring columns to display on the Rules page on page 532.
• Enabled — Determines whether the rule is enabled. This checkbox is selected by default. If this box is cleared, the firewall behaves as though the rule was not present.
• Rule Name — [Read-only] Displays the name of the rule.
• Action — [Read-only] Displays the way in which packets matching the rule are handled. The following values are possible:
  • Allow — Indicates that packets matching this rule pass through the firewall without intervention.
  • Deny — Indicates that packets matching this rule are prohibited from passing through the firewall.
  • Drop — Indicates that packets matching this rule are silently dropped.
• Apply On (firewalls) — [Read-only] Displays the firewalls to which the rule applies.
• Services — [Read-only] Displays the network services to which the rule applies.
• Source Burbs — [Read-only] Displays the burbs from which traffic that matches the rule can come.
• Sources — [Read-only] Displays the network sources to which the rule applies.
• Destination Burbs — [Read-only] Displays the burbs to which traffic matching the rule can go.
• Destinations — [Read-only] Displays the network destinations to which the rule applies.
• Time Periods — [Read-only] Displays the time periods when the rule is in effect.
• Application Defense — [Read-only] Displays the application defense for the rule.
• Authenticator — [Read-only] Displays the authenticator for the rule.
• Rule Description — [Read-only] Displays information about the rule.
Use the options accessed on the Rule Options toolbar or from the Rules menu to manage rules. The following options are provided:
• Add New Rule — Displays the Rule Editor window, in which you can create a new rule.
• Edit Rule — Displays the Rule Editor window, in which you can edit the highlighted rule.
• Delete Rule — Delete the highlighted rule.
• Delete Rules — Displays a window in which you can specify groups, sequences, and single rules to delete.
• Cut Rule — Cut or move the highlighted rule.
• Paste Rule — Paste a rule at the position of the insertion point.
• Copy Rule — Create a copy of the highlighted rule.
• Move to Top — Move the highlighted rule to the top of the page. If you move a General Rule, it is moved to the top of the General Rules.
• Move Up — Move the highlighted rule up one position on the page.
• Move Down — Move the highlighted rule down one position on the page.
• Move to Bottom — Move the highlighted rule to the bottom of the page. If you move a Priority Rule, it is moved to the bottom of the Priority Rules.
• Move Above Rule — Move the highlighted rule above a specific rule.
• Move Below Rule — Move the highlighted rule below a specific rule.
• Filter Rules — Displays the Rules Filter Selection window, in which you can specify the filter criteria that are used to display subsets of rules. The rules that meet the requirements that have been defined in the filter are displayed on the Rules page. Also as a result of configuring the filter, the Filter Off menu option becomes available on the Rules menu of the Configuration Tool. Select the Filter Off menu option to cancel the filtered view.
• Manage Filters — Load and manage filters that have been defined by using the Rules Filter Selection window.
These filters are used to limit the rules display to those rules that meet the requirements defined in the filter selection window. Also as a result of configuring the filter, the Filter Off menu option becomes available on the Rules menu of the Configuration Tool. Select the Filter Off menu option to cancel the filtered view.
• Quick Filter — Display only those rules that have been defined for selected firewalls. This action opens the Quick Filter window. When you complete the window and click OK, the list of rules is filtered to show only the rules that meet the requirements defined in the quick filter. The Filter Off menu option is now available on the Rules menu of the Configuration Tool. Select Filter Off from the Rules menu to cancel the filtered view.
• Default Rule Settings — Displays the Default Rule Settings window, in which you can specify default parameters for new rules that are created. For more information, see Configuring default settings for creating rules on page 540.
• Create Groups — Create or delete groups of rules. For more information, see Configuring groups of rules on page 551.
• Configure Columns — Displays the Rules Display Columns window, in which you can specify the columns to display on the Rules page.
Note: Move options have the following constraints:
• Move options cannot be used to move a rule into or out of a group.
• Moving a Privileged General rule to Priority moves it to the top of the General rules.
• Moving a Privileged Priority rule to Bottom moves it to the bottom of the Priority rules.
• Neither a Privileged General rule nor a non-Privileged rule can be moved above a Privileged Priority Rule.
For information about defining Privileged Rules and identifying their location in the rule set, see Configuring rules on page 533.
Configuring columns to display on the Rules page
Use the Rules Display Columns window to select the columns to display on the Rules page.
Figure 224 Rules Display Columns window
Accessing this window
1 In the Configuration Tool, select the Rules tab. The Rules page is displayed in the work area.
2 From the Rules menu, select Configure Columns. The Rules Display Columns window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Column — Select the checkboxes to the left of each column that you want to display on the Rules page.
• Row Height — Select the value to adjust the height of each row in the Rules page display. Adjusting this value affects the number of rules that are displayed in the viewing area on the Rules page (that is, without scrolling); the smaller the value, the more rules that will display.
Configuring rules
Use the Rule Editor window to define a rule. In this window, you can enable or disable a rule, specify the action to take on packets that match the rule, and configure the firewalls, services, and sources and destinations to which the rule applies. For more information, see Rules on page 527.
Figure 225 Rule Editor window
Accessing this window
1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.
2 From the Rules menu, select Add New Rule or Edit Rule. The Rule Editor window is displayed.
Fields and buttons
This window has the following fields and buttons.
• General — Use the fields in this area to define general attributes of this rule. The following fields are available:
  • Name — Specify a name that indicates the purpose of this rule. For example, the pre-configured rule that allows typical Internet services is called “Internet Services.” Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 256 characters. You can rename the rule later.
  If you do not provide a name, a name in one of the following formats will be assigned to the rule:
  Table 19 Rule formats
  Default Prefix Value Defined? | Name Field Left Blank? | Saved Rule Name
  No  | Yes | RuleID_internal_ID, where internal_ID refers to a Control Center internal identifier (for example, RuleID_110013).
  Yes | Yes | <Rule_name_prefix><internal_ID>, where internal_ID refers to a Control Center internal identifier (for example, myprefix110013).
  • Enable rule — Determines whether this rule is enabled. All new rules are enabled by default. If this checkbox is cleared, the firewall identifies and manages traffic as if this rule did not exist.
  • Description — Provide a basic description for the rule. You can use this value when you are creating a filtered view of the rules as part of your filtering strategy.
  • Rule Type — Specify the service type for this rule. The following values are available:
    • Proxy — Indicates that packets (datagrams) that match this rule are intercepted and passed to a proxy that performs specific actions. This setting offers the highest level of security; however, performance can be reduced. Select this option for potentially threatening or revealing packet transmissions. Proxy services inspect traffic at the application layer. Proxy rules determine whether traffic will be allowed or denied using basic criteria such as protocol, port, and source and destination address. However, they can also inspect the traffic to make sure that it complies with the standards of its protocol. Many proxy services also allow for advanced filtering and scanning services. Advanced application-specific properties, or application defenses, can be configured for each proxy.
    • Filter — Indicates that packets that match this rule are handled by filter services. Filter services inspect traffic at the network and transport layers. Filters operate directly on the IP packets, allowing the firewall to securely forward IP packets between networks.
    Filter rules determine whether traffic will be allowed or denied using basic criteria such as protocol, port, and source and destination address. Very little protocol and content inspection is available when using filter services. Because filters are inherently less secure than proxies, filter services should be used only when necessary.
    • Server — Indicates that packets (datagrams) that match this rule are handled by daemon servers. If this option is selected, only daemon servers appear in the Services column. Use server services to control access to firewall-hosted servers. Servers are typically used in management traffic rules when an administrator or another system needs to communicate directly with the firewall. Many of the server rules are created and enabled automatically. A few servers, such as the Sendmail® server, allow for extensive configuration of their server properties. However, most servers do not require changes to their default settings.
    • Comment — Indicates that explanatory information will be provided for a single rule or a group of rules.
  • Action — Specify the action to take on packets that match this rule. The following values are available:
    • Allow — Specify that traffic will pass through without intervention. This setting offers the best performance, but compromises security. It is usually used with trusted transmissions (for example, from the firewall to an internal server). Because all traffic is denied by default, you will mostly create this type of rule. This is the default value.
    • Deny — Specify that traffic that matches this rule is denied. An audit message is generated and the initiator is notified that the packets have been denied.
  • Drop — Specify that traffic that matches this rule is silently dropped. (No notification is sent to the initiator.)
    Note: Do not use a rule where the action is Drop and the Service, Source, and Destination are all set to ANYWHERE. Such a rule will block traffic for servers on the firewall (such as DNS, NTP, or Admin Console). If you do use Drop with ANYWHERE for the Service, Source or Destination values, do not use ANYWHERE for at least one of the remaining Service, Source, or Destination values.
• Audit level — Specify the generation of audit data for a network session that matches the rule. The following values are available:
  • Errors Only — Generates errors only.
  • Standard — Generates major errors and informational messages. This level is selected by default.
  • Verbose — Generates information that helps to detect configuration issues.
• Apply On — Specify firewalls, clusters, or device groups to which the rule applies. Double-click any object in this list (except generic objects such as ALL FIREWALLS) to open it. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). Use the Find button to filter the objects in the column to display only those objects that match the character or sequence of characters that you have specified in this field.
• Services — Specify the network services or service groups that this rule will allow or deny. Double-click any object in this list to open it. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). Use the Find button to filter the objects in the column to display only those objects that match the character or sequence of characters that you have specified in this field. If you change your service selection, review your other selections because the new service can use different options.
• Effective Times — Use the fields in this area to specify the start and end time in which this rule is enforced.
  • Time periods — Specify the time period during which this rule will be active. Click the down arrow and then select each checkbox for the time periods that you want. You can also right-click in this list to select all values or clear all values. By default, all rules are always active (that is, the ANYTIME value is selected).
  • Start on — Specify a specific date and time at which to start enforcing this rule. There are several different ways to edit this value:
    • Click the down arrow to select the month and day from the calendar.
    • Click in the month, day, year, hour, or minute values and specify a new value or use the spin control to select a new value.
  • Expire on — Specify a specific date and time at which to stop enforcing this rule. There are several different ways to edit this value:
    • Click the down arrow to select the month and day from the calendar.
    • Click in the month, day, year, hour, or minute values and specify a new value or use the spin control to select a new value.
• Sources — Use the fields in this area to determine the location from which the traffic for this rule can begin.
  • (Sources list) — Specify the network source or sources (for example, IP address, domain, netmap, and so on) to which the rule applies. Double-click any object in this list to open it. Source and destination endpoints must have the same type of address: an IPv4 source can connect only to an IPv4 destination, and an IPv6 source can connect only to an IPv6 destination.
    Note: If you want this rule to match all endpoints in the selected source burb(s), select one of the following network objects:
    • ANYWHERE — This network object matches both IPv4 and IPv6 addresses.
    • Any_IPv4 — This network object matches IPv4 addresses only. If IPv6 is not enabled on your firewall, selecting this endpoint ensures that this rule will not allow any traffic from IPv6 addresses if you choose to enable IPv6 in the future.
    • Any_IPv6 — [Available only if IPv6 is enabled] This network object matches IPv6 addresses only.
    To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). To perform a filtered search, specify the first few characters of the object and click Find. The list of objects is limited to those objects that match the text that you specified.
  • Burbs — Specify the burb or burb groups in which the source endpoint is located. You can select one or more burbs or one or more burb groups. Click the down arrow. Select one of the following options and then select one or more burbs or burb groups:
    • Any burb — Permits matching traffic from any burb.
    • Selected burbs — Permits matching traffic from one or more burbs selected from the associated list.
    • Selected burb groups — Permits matching traffic from one or more burb groups selected from the associated list.
  • NAT — Specify the network object that will replace the original source address as the traffic leaves the firewall. By default, NAT is enabled and it uses the IP address of the firewall interface that matches the destination burb (localhost). NAT allows you to rewrite a packet's source address. For example, if the internal network uses private addresses, replace the actual source address with the publicly routable external address of the firewall. Click the down arrow. The following options are available:
    • NONE — Indicates that NAT is disabled.
    • Host — Indicates that you must select the addresses of the network sources that are mapped to a single address.
    • Netmap — Indicates that you must select the addresses of the selected network sources that are mapped to different objects. If this option is selected, you must specify the mapping of sources to objects in the table that contains the following columns:
      • Original — Lists the selected network source or sources.
      • Mapped — Lists the host or network endpoints that are defined on the system. Specifies the host or network endpoint to which the corresponding original network source is to be mapped.
      Note: By default, all source objects displayed in the Original column are mapped to themselves in the Mapped column.
  • Preserve source port — Determines whether the source port is preserved after the source address has been translated. This checkbox is cleared by default. Select this option only when required by the application protocol.
• Destinations — Use the fields in this area to specify the network destinations to which the rule applies.
  • (Destinations list) — Specify the network destination or destinations (for example, IP address, domain, netmap, and so on) to which the rule applies. Double-click any object in this list to open it. Destination and source endpoints must have the same type of address: an IPv4 source can connect only to an IPv4 destination, and an IPv6 source can connect only to an IPv6 destination.
    Note: If you want this rule to match all endpoints in the selected source burb(s), select one of the following network objects:
    • ANYWHERE — This network object matches both IPv4 and IPv6 addresses.
    • Any_IPv4 — This network object matches IPv4 addresses only. If IPv6 is not enabled on your firewall, selecting this endpoint ensures that this rule will not allow any traffic from IPv6 addresses if you choose to enable IPv6 in the future.
    • Any_IPv6 — [Available only if IPv6 is enabled] This network object matches IPv6 addresses only.
    To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). To perform a filtered search, specify the first few characters of the object and click Find. The list of objects is limited to those objects that match the text that you specified.
  • Burbs — Specify the burb or burb groups in which the destination endpoint is located.
    Note: If you are using redirection, match the destination burb to the destination endpoint, even if the redirect endpoint is in another burb.
    You can select one or more burbs or one or more burb groups. Click the down arrow. Select one of the following options and then select one or more burbs or burb groups:
    • Any burb — Permits matching traffic from any burb.
    • Selected burbs — Permits matching traffic from one or more burbs selected from the associated list.
    • Selected burb groups — Permits matching traffic from one or more burb groups selected from the associated list.
  • Redirect — Specify settings for redirection. Use redirection to rewrite a packet's destination address. If the traffic needs to be redirected to a different endpoint, the original destination redirects to the network object that you select in this field. Click the down arrow. The following options are available:
    • NONE — Indicates that redirection is disabled.
    • Host — Indicates that the addresses of all of the selected destinations are mapped to a single address.
    • Netmap — Indicates that the addresses of the selected network destinations are mapped to different objects. If this option is selected, you must specify the mapping of destinations to objects in the table that contains the following columns:
      • Original — Lists the selected network destination or destinations.
      • Mapped — Lists the host or network endpoints that are defined on the system. Specifies the host or network endpoint to which the corresponding original destination address is to be mapped.
      Note: By default, all destination objects displayed in the Original column are mapped to themselves in the Mapped column.
  • Translate destination port — Determines whether the destination ports of all traffic that matches the rule are translated to a specified port number. This checkbox is cleared by default.
• Privileged Rules — Use the fields in this area to determine whether this rule is enabled as a privileged rule.
  • Privileged rule — Determines whether the rule is enabled as a privileged rule. To be able to create a privileged rule, you must have a user role that has access to the Control Center Rules object (View, Update, Add, Remove) and that can enable the Privileged Rules action, which allows creation and modification of privileged rules. (To update your user role, use the User Manager window of the Administrator Tool; to define a user role, use the Role Manager window.) This checkbox is cleared by default.
    Note: When you subsequently see this privileged rule on the Rules page, it is displayed in a pink color to distinguish it from other rules.
  • Location — Determines the location of the privileged rule in the rule set. The following options are available:
    • Priority — Indicates that the privileged rule is placed at the top of the rule set.
    • General — Indicates that the privileged rule is interspersed with other rules in the rule set. This option is selected by default.
• Content Inspection — Use the fields in this area to configure the application defense and IPS options to be used for the rule.
  • Application defense — Specify a particular application defense or application defense group that is defined on the Control Center. This field is accessible only under the following circumstances:
    • The value for Rule type is Proxy and the proxy uses an application defense.
    • The value for Rule type is Server and the selected service is sendmail.
    • The selected action is Allow.
    • Multiple services are selected in the Services list.
  • Inspection level — Specify the level of inspection to be performed by the selected application defense. The following options are available:
    • Full — Indicates that all of the application defense's settings are enforced. This is the default value.
    • Minimal — Indicates that filtering and scanning, such as header filtering and virus scanning, are prevented. Some protocol inspection is used, as necessary, to allow traffic to pass.
    • <None> — Indicates that defense inspection is disabled. This selection severely limits how deeply the traffic is inspected. You should disable defense inspection only for troubleshooting purposes, or in very detailed rules that have been created to allow non-standards-compliant traffic into your site.
      Note: With this selection, services will act like a packet filter and some may stop passing traffic that is typical for their protocol.
  • IPS signature group — Specify the IPS signature groups that have been defined on the firewall. Indicates the type of attack to be handled by the rule. The default value is <None>. For more information, see Configuring IPS signature groups on page 421.
  • IPS response mapping — Specify the IPS response mappings that have been defined on the firewall. Indicates the response mapping that will be used by the firewall to determine the action to take against an attack identified by the IPS signature group selected in the IPS signature group field. For more information, see Configuring IPS response mappings on page 420.
• Authentication — Use the fields in this area to specify the way in which the identities of proxy users are verified on connection attempts.
  • Authenticator — Specify the authenticators that have been defined on the system. Selections vary according to the selected action (Allow, Deny, or Drop) and the values that were selected in the Services list. The following default options can be available, in addition to other authenticators:
    • <None> — Indicates that authentication is not required. This is the default value.
    • CAC — Indicates that the user must use a U.S. Department of Defense Common Access Card (CAC) to log in. For detailed instructions about configuring and using a CAC authenticator, see the application note entitled Configuring Department of Defense Common Access Card Authentication on the Control Center at mysupport.mcafee.com.
    • Passport — Indicates that access to multiple services is possible with a single successful authentication to the firewall. This is because another authentication method works with this selection to cache a user's initial authentication.
    • Password — Indicates that the user is required to specify the same password at each login.
  • Allow all authenticated users — Select this option to specify that all users who authenticate successfully have access.
  • Only allow users in the following groups — Select this option to specify that access is limited to those users who authenticate successfully and who are members of the selected group or groups.
    • Internal user groups — Specify the user groups for whom all of the application defense's settings are enforced. Click the down arrow and then select the groups that you want.
    • External user groups — Specify the user groups for whom the security context filtering aspects of the application defense are not enforced. Application layer data is examined to the minimum extent that is necessary to perform proxy activities as defined by the associated protocol. Click the down arrow and then select the groups that you want.
• TrustedSource — Use the fields in this area to enable TrustedSource for this rule and to specify the traffic that will match this rule.
  • Enable TrustedSource — Determines whether TrustedSource is used for this rule. The firewall queries a TrustedSource server to obtain a reputation score for all of the IP addresses that are involved in the connection.
    Note: You can whitelist objects to exempt them from TrustedSource queries. For more information, see Configuring TrustedSource settings for rules and mail filtering on page 305.
    You can accept the default value for the TrustedSource slider or you can change it.
  • (Slider) — Specify the traffic that will match the rule. The categories of traffic are Trusted, Neutral, Unverified, Suspicious, and Malicious. Move the slider to the threshold that you want. For more information about changing default scores for reputation boundaries, see Configuring TrustedSource settings for rules and mail filtering on page 305. Traffic is not explicitly allowed or denied based on a TrustedSource score. The score is one of the elements in the rule that is examined for a match.
    • In an allow rule (when you have selected Allow as the action), traffic with reputation scores to the right of the threshold value (towards the Trusted end of the scale), where the IP addresses have good reputations, will match this rule.
    • In a deny or drop rule (when you have selected Deny or Drop as the action), traffic with reputation scores to the left of the threshold value (towards the Malicious end of the scale), where IP addresses have bad reputations, will match this rule.
• OK — Save the changes on this window.
• Cancel — Close this window without saving any changes.

Configuring default settings for creating rules

Use the Default Rule Settings window to define default settings for creating rules. For example, if you want all of your rule names to begin with the same prefix, you can set that in this window, along with any of the other settings that are available in this window.

By default, all new rules that are created in the Control Center have the following settings that are defined in the Rule Editor window:
• The value of the Rule Type field is set to Proxy.
• The value of the NAT field is set to host mode (that is, the Host option is selected in the list and localhost is selected in the Host list).
• The user must manually select a source and destination burb for each rule.

With this window, you can establish all of those values as defaults, thus making it easier to create rules. However, you should also be aware of the following implications of establishing these defaults:
• These settings will be shared among all of the users in this configuration domain. You can and must configure default settings for each configuration domain separately.
• Although you can set the default name prefix in this window, the user is not required to use this prefix when he or she is creating a new rule.

Figure 226 Default Rule Settings window
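The Rule Editor fields described above (rule type, action, sources, destinations and the TrustedSource slider) can be modelled to lint a proposed rule before it is saved and to see which sessions it would match. The following Python is an added example, not code from the McAfee guide or from the Control Center product. It implements only what the guide states: source and destination address families must agree, the ANYWHERE, Any_IPv4 and Any_IPv6 objects, the Drop-with-ANYWHERE caveat, and the direction of the TrustedSource threshold for Allow versus Deny/Drop rules. The rule names, addresses, service names and the mapping of the slider position to a category index are constructed assumptions.

```python
"""Rule model and pre-save lint for the Rule Editor fields.

Added example, not code from the McAfee guide or the Control Center product.
Names, addresses and the slider-to-index mapping are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress

ANYWHERE = "ANYWHERE"
ANY_IPV4 = "Any_IPv4"
ANY_IPV6 = "Any_IPv6"

# Slider categories, left (Malicious) to right (Trusted), as the guide lists them.
REPUTATION_ORDER = ("Malicious", "Suspicious", "Unverified", "Neutral", "Trusted")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "Allow", "Deny" or "Drop"
    services: frozenset       # service names; ANYWHERE stands for any service
    sources: frozenset        # network object names or IP/CIDR literals
    destinations: frozenset
    enabled: bool = True
    trustedsource: bool = False
    # Assumption: the slider threshold is the index of the first category on
    # the Trusted side, so 2 puts Malicious and Suspicious left of the threshold.
    threshold: int = 2


def address_families(obj):
    """IP versions an endpoint object can match ({4}, {6} or both)."""
    if obj == ANYWHERE:
        return {4, 6}
    if obj == ANY_IPV4:
        return {4}
    if obj == ANY_IPV6:
        return {6}
    try:
        return {ipaddress.ip_network(obj, strict=False).version}
    except ValueError:
        return {4, 6}  # named object (domain, netmap, ...): family unknown here


def endpoint_matches(obj, ip):
    """Does the endpoint object cover this IP address?"""
    addr = ipaddress.ip_address(ip)
    if obj == ANYWHERE:
        return True
    if obj in (ANY_IPV4, ANY_IPV6):
        return addr.version in address_families(obj)
    try:
        return addr in ipaddress.ip_network(obj, strict=False)
    except ValueError:
        return False  # named objects would need a lookup; treated as no match


def lint_rule(rule, ipv6_enabled=True):
    """Flag the pitfalls the Rule Editor description warns about."""
    findings = []
    # Guide: Drop with ANYWHERE for service, source and destination blocks the
    # firewall's own servers (DNS, NTP, Admin Console).
    if (rule.action == "Drop" and ANYWHERE in rule.services
            and ANYWHERE in rule.sources and ANYWHERE in rule.destinations):
        findings.append("Drop with ANYWHERE service, source and destination "
                        "blocks firewall-hosted servers (DNS, NTP, Admin Console)")
    # Guide: an IPv4 source can connect only to an IPv4 destination, and an
    # IPv6 source only to an IPv6 destination.
    src_fam = set().union(*(address_families(s) for s in rule.sources))
    dst_fam = set().union(*(address_families(d) for d in rule.destinations))
    if not src_fam & dst_fam:
        findings.append("source and destination address families never agree; "
                        "the rule cannot match any traffic")
    if ANY_IPV6 in rule.sources | rule.destinations and not ipv6_enabled:
        findings.append("Any_IPv6 is available only when IPv6 is enabled")
    return findings


def reputation_matches(rule, category):
    """TrustedSource part of the match: Allow rules match on the Trusted side
    of the threshold, Deny/Drop rules on the Malicious side."""
    if not rule.trustedsource:
        return True
    idx = REPUTATION_ORDER.index(category)
    return idx >= rule.threshold if rule.action == "Allow" else idx < rule.threshold


def rule_applies(rule, service, src_ip, dst_ip, category="Neutral"):
    """Would this rule match a session with these attributes?"""
    return (rule.enabled
            and (ANYWHERE in rule.services or service in rule.services)
            and any(endpoint_matches(s, src_ip) for s in rule.sources)
            and any(endpoint_matches(d, dst_ip) for d in rule.destinations)
            and reputation_matches(rule, category))
```

Run `lint_rule` on a rule before saving it; an empty list means none of the guide's stated pitfalls apply. `rule_applies` takes the TrustedSource category of the session as an input rather than querying a reputation server, so it can be exercised offline.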
Accessing this window

In the Configuration Tool, from the Rules menu, select Default Rule Settings…. The Default Rule Settings window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Configure default name prefix — Determines whether to configure a prefix that will be prepended to the name of each new rule (that is, the value in the Name field on the Rule Editor window). If you select this checkbox, specify the prefix value. The default value for this checkbox is cleared.
• Default rule type — Specify the type of the rule that you want to display in the Rule Editor window as the default rule type. The values are either Proxy or Filter. The default value is Proxy. For more information about the Rule Type field and the other related fields on the Rule Editor window, see Configuring rules on page 533.
• Configure default source burb — Determines whether a default setting for one or more source burbs is defined here that will be displayed in the Burbs field in the Sources area of the Rule Editor window. If you select this checkbox, select the values in the list. The default value for this checkbox is cleared.
• Configure default destination burb — Determines whether a default setting for one or more destination burbs is defined here that will be displayed in the Burbs field in the Destinations area of the Rule Editor window. If you select this checkbox, select the values in the list. The default value for this checkbox is cleared.
• Default NAT — Determines whether NAT is enabled and the value used for the NAT field in the Rule Editor window. The default value is Host and localhost for the destination burb. You cannot configure Netmap as a default setting. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add).
• OK — Save the default settings and close this window. These values will now be displayed in the Rule Editor window every time that you add a new rule.
• Cancel — Closes this window without saving any changes.

Replacing objects in rules

Use the Search and Replace window to replace network objects, service objects, or firewalls in your rules. For example, you need to change a server that is being used in your rules. By using this window, you can make the changes all at one time, instead of having to edit each rule individually.

To use this window, you must have the following administrative permissions:
• Access to the ALL FIREWALLS object (that is displayed in the Apply On list in the Rule Editor window)
• Ability to update rules in this configuration domain
• Ability to update privileged rules

If you do not have all of these permissions, an error message is displayed when you click OK.
Guidelines

Review the following guidelines for using this window:
• Domain objects. You can replace domain objects only with domain objects. You cannot replace a domain object with a network object of another type (such as a host, network, and so on). To view all of the network object types, see the Network Objects tree in the Policy group bar.
• Network protocols. You cannot replace an IPv4 network object with an IPv6 network object. You can replace objects only of the same protocol type (for example, replace one IPv6 object with another IPv6 object). You can also replace ANY_IPv4 with ANYWHERE because these objects have the same behavior in rules.
• Services. You can replace one service with another service only if they both are the same service type and have the same agent. This also means that you cannot replace a single service with a service group.
• Firewalls. The following guidelines apply to firewalls:
  • Versions. Both firewalls must be the same version. Additionally, if you are working with version 7.0.1 or later firewall objects, they both must have the same IPv6 enabled state. (This state is defined on the Firewall window.)
  • Replacing a firewall with a device group. Each firewall in the group must comply with the version criteria that are mentioned above.
  • Replacing a device group with a single firewall. At least one firewall in the device group must match the version and IPv6 enabled state of the target single firewall.
  • Replacing a single firewall with ALL FIREWALLS. You can perform this replacement only if all of the firewalls in this configuration domain are the same version.
  • Replacing ALL FIREWALLS. You can replace this object with any firewall, regardless of firewall version or IPv6-enabled state.
  • Replacing one device group with another device group. This is not allowed.

Figure 227 Search and Replace window

Accessing this window
1 In the Configuration Tool, the Rules page must be displayed. If it is not, select the Rules tab.
2 From the Rules menu, select Search and Replace…. The Search and Replace window is displayed.
Fields and buttons
• Network objects — Select this option to specify that you are identifying the names of network objects as the source and target replacement values. You can also specify whether these objects are sources, destinations, or both sources and destinations by selecting the appropriate checkbox. The default value is for all of these fields to be selected.
• Services — Select this option to specify that you are identifying the names of service objects as the source and target replacement values.
• Firewalls — Select this option to specify that you are identifying the names of firewalls as the source and target replacement values.
• Select the object in a rule to be replaced — Select the object from the list or click (Search) to filter your list of objects.
  • (Search) — Displays the Search window, in which you can search for one or more objects that match specific criteria that you specify.
• Select the replacement object for the object that you have selected above — Select the object from the list or click (Search) to filter your list of objects.
  • (Search) — Displays the Search window, in which you can search for one or more objects that match specific criteria that you specify.
• OK — Displays the Replace Rule Objects Verification window, in which you can view the list of rules that will be impacted by this process.
• Cancel — Close this window without replacing any objects.

Verifying the objects to be replaced in your rules

Use the Search and Replace Verification window to view a list of rules that are impacted by the proposed substitution that you have defined in the Search and Replace window. Additionally, you can view a specific rule in this list in read-only mode in the Rule Editor window.

Figure 228 Search and Replace Verification window
Accessing this window
1 In the Configuration Tool, the Rules page must be displayed. If it is not, select the Rules tab.
2 From the Rules menu, select Search and Replace…. The Search and Replace window is displayed.
3 Select the types of objects and the object values that you want to search for and replace.
4 Click OK. The Search and Replace Verification window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Edit — This column identifies the row that is being edited. The following icons can be displayed:
  • [blank] — Indicates that this row is not currently selected.
  • (Edit icon) — Indicates that this row is currently selected. You can double-click this row to see a read-only version of this rule in the Rule Editor window.
• Rules name — [Read-only] Displays the name of each rule that is affected by this object substitution. You can double-click a highlighted rule to view it in the Rule Editor window. You can also double-click the up and down arrow to the right of this column name to change the displayed order of rules alphabetically (either top to bottom or bottom to top).
• OK — Proceed to make all of the object substitutions in your rules.
• Cancel — Close this window and cancel the substitution process. However, the Search and Replace window is again displayed, in which you can change the parameters for this process and click OK again, or click Cancel to stop the substitution process.
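The Guidelines for the Search and Replace window are compatibility checks that can be expressed in code and run over a proposed substitution before the verification step. The following Python validator is an added example, not part of the McAfee guide or of the Control Center product. The object classes, version strings and object names are constructed assumptions, and the checks implement only the guidelines as stated: domain objects replace only domain objects, network objects must share an IP protocol with the ANY_IPv4 to ANYWHERE exception, services must share type and agent, and the firewall version and IPv6-state rules for single firewalls, device groups and ALL FIREWALLS.

```python
"""Validator for object substitutions in rules (Search and Replace guidelines).

Added example, not part of the McAfee guide or the Control Center product.
The classes below are constructed to mirror the guide's Guidelines; names
and version strings are illustrative.
"""
from dataclasses import dataclass
from typing import Optional

ALL_FIREWALLS = "ALL FIREWALLS"  # the generic Apply On object


@dataclass(frozen=True)
class NetObj:
    name: str
    kind: str                 # "domain", "host", "network", "any"
    version: Optional[int]    # 4, 6, or None for ANYWHERE (matches both)


@dataclass(frozen=True)
class Service:
    name: str
    kind: str                 # "proxy", "filter", "server" or "group"
    agent: str


@dataclass(frozen=True)
class Firewall:
    name: str
    version: str              # dotted version string, e.g. "7.0.1"
    ipv6_enabled: bool


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    members: tuple            # of Firewall


def _ver(text):
    return tuple(int(part) for part in text.split("."))


def _firewalls_compatible(a, b):
    """Same version; from 7.0.1 on, the IPv6 enabled state must match too."""
    if a.version != b.version:
        return False
    if _ver(a.version) >= (7, 0, 1) and a.ipv6_enabled != b.ipv6_enabled:
        return False
    return True


def can_replace(old, new, domain_firewalls=()):
    """Return (allowed, reason) for replacing `old` with `new` in every rule.

    `domain_firewalls` lists the firewalls of the configuration domain; it is
    consulted only for a single firewall -> ALL FIREWALLS replacement.
    """
    if isinstance(old, NetObj) and isinstance(new, NetObj):
        if old.kind == "domain" and new.kind != "domain":
            return False, "a domain object can be replaced only by a domain object"
        if old.name == "ANY_IPv4" and new.name == "ANYWHERE":
            return True, "ANY_IPv4 and ANYWHERE behave the same in rules"
        if old.version != new.version:
            return False, "objects must be of the same IP protocol"
        return True, "same network object protocol"
    if isinstance(old, Service) and isinstance(new, Service):
        if old.kind != new.kind:
            return False, "services must be of the same type (no single <-> group)"
        if old.agent != new.agent:
            return False, "services must share the same agent"
        return True, "same service type and agent"
    if old == ALL_FIREWALLS:
        if isinstance(new, Firewall):
            return True, "ALL FIREWALLS may become any firewall"
        return False, "ALL FIREWALLS may be replaced only by a firewall"
    if isinstance(old, Firewall) and new == ALL_FIREWALLS:
        if len({fw.version for fw in domain_firewalls}) > 1:
            return False, "all firewalls in the domain must share one version"
        return True, "every firewall in the domain has the same version"
    if isinstance(old, Firewall) and isinstance(new, Firewall):
        ok = _firewalls_compatible(old, new)
        return ok, "same version and IPv6 state" if ok else "version/IPv6 mismatch"
    if isinstance(old, Firewall) and isinstance(new, DeviceGroup):
        ok = all(_firewalls_compatible(old, m) for m in new.members)
        return ok, "every group member must match the firewall's version criteria"
    if isinstance(old, DeviceGroup) and isinstance(new, Firewall):
        ok = any(_firewalls_compatible(m, new) for m in old.members)
        return ok, "at least one group member must match the target firewall"
    if isinstance(old, DeviceGroup) and isinstance(new, DeviceGroup):
        return False, "replacing one device group with another is not allowed"
    return False, "objects of different categories cannot replace each other"
```

The reason string is returned alongside the verdict so that a rejected substitution can be reported with the guideline it violates rather than a bare error, which is what an operator reviewing a bulk change wants to see.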
Filtering rules to display on the Rules page

Use the Rules Filter Selection window to specify filter criteria to display subsets of rules. You can locate and manage a smaller subset of a potentially large set of rules that can be developed to meet the criteria of an implemented security policy.

Figure 229 Rules Filter Selection window

Accessing this window
1 In the Configuration Tool, select the Rules page. The Rules page is displayed in the work area.
2 From the Rules menu, select Filter Rules. The Rules Filter Selection window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Matching Type — Select by using the list:
  • Include rules that match ALL fields — Include rules that match all of the characteristics defined in the filter window.
  • Include rules that match ANY field — Include rules that match any of the characteristics defined in the filter window.
• Include Related Objects — Determines whether to recursively search each group and nested group for the identified search criteria (if any have been defined). Depending on the number of groups defined and the depth of group nesting, this search can take a significant amount of time to return the results. A warning message is initially displayed to inform the user of this condition.
• General — Use the fields in this area to define general settings for this filter. This area includes the following fields:
  • Enabled Rules — Select the rules to include in the filtered view of rules. The following values are available:
    • All — Consider all enabled and disabled rules.
    • Enabled — Only consider rules that have been enabled.
    • Disabled — Only consider rules that have been disabled.
  • Rule Types — Select the checkbox next to all of the rule types to consider in the subsequent filtered view. Select any combination of rule types:
    • Proxy — Indicates that packets (datagrams) matching the rule are intercepted and then passed to a proxy that performs specific actions. Consider all Proxy rules.
    • Filter — Indicates that packets matching the rule are handled by filter services. Consider all Filter rules.
    • Server — Indicates that packets (datagrams) matching the rule are handled by daemon servers. If this option is selected, only daemon servers appear in the Services column. Consider all Server rules.
    • Comment — Provides explanatory information for a single rule or a group of rules. Consider all Comment rules.
  • Actions — Select the checkbox next to all of the actions to consider in the subsequent filtered view. Select any combination of actions:
    • Allow — Indicates that packets matching the rule pass through the firewall without intervention.
    • Deny — Indicates that packets matching the rule are prohibited from passing through the firewall.
    • Drop — Indicates that packets matching the rule are silently dropped.
  • Audit Level — Include audit data for a network session matching the rule. The following values are available:
    • Errors Only — Generates errors.
    • Standard — Generates major errors and informational messages.
    • Verbose — Generates information that helps detect configuration issues.
  • Description — Only consider rules with any or all of this case-insensitive description text.
• Select Firewalls to include — Select the checkbox next to the firewalls to consider in the subsequent filtered view. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). Use the Find button to filter the objects in the column to display only those objects that match the character or sequence of characters that you have specified in this field.
• Select Services to include — Select the checkbox next to each service to consider in the filtered view.
  To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to objects whose names contain an exact sequence of characters, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). Use the Find button to filter the objects in the column to only those that match the characters you have specified in this field.
• Select Sources to include — Select the checkbox next to each source to consider in the filtered view.
  To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to objects whose names contain an exact sequence of characters, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). Use the Find button to filter the objects in the column to only those that match the characters you have specified in this field.
  Additional source considerations include the following fields:
  • Burbs — Select the checkbox for each burb to consider in the filtered view.
  • NAT Type — Select from the following values:
    • None — NAT is disabled.
    • Host — Addresses of all selected network sources are mapped to a single address.
    • Netmap — Addresses of all selected network sources are mapped one-to-one to a different set of addresses.
  • Hosts — If NAT Type is set to Host, select the source hosts to consider.
  • Preserve Source Port — The following values are available:
    • All
    • Enabled
    • Disabled
• Select Destinations to include — Select the checkbox next to each destination to consider in the filtered view.
  Additional destination considerations include the following fields:
  To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to objects whose names contain an exact sequence of characters, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). Use the Find button to filter the objects in the column to only those that match the characters you have specified in this field.
  • Burbs — Select the checkbox for each burb to consider in the filtered view.
  • Redirect Type — Select from the following values:
    • None — Redirection is disabled.
    • Host — Addresses of all selected network destinations are mapped to a single address.
    • Netmap — Addresses of all selected network destinations are mapped one-to-one to a different set of addresses.
  • Hosts — If Redirect Type is set to Host, select the destination host to consider.
  • Translate Destination Port — Determines whether to consider rules that translate the destination port of all matching traffic to a specified port number. In the number field, specify the port to which the traffic is redirected. (The valid range is 0–65535.)
• Content Inspection — Use the fields in this area to configure the content inspection criteria. The following fields are available:
  • Application Defense — Select the application defenses to consider in the filter.
  • Inspection Level — Select the inspection levels to consider.
  • IPS Signature Group — Select the IPS signature groups to consider.
  • IPS Response Mapping — Select the IPS response mappings to consider.
• Authentication — Use the fields in this area to configure the authentication criteria. The following fields are available:
  • Authenticator — The following authenticators are always available:
    • <None>
    • Passport
    • Password
    If the Control Center has any authenticators defined other than Password or Passport (such as RADIUS or SafeWord), the following options are also displayed:
  • Allow all authenticated users — Determines whether to consider rules that allow all authenticated users.
  • Internal User Groups — When the Allow all authenticated users checkbox is cleared, select the internal user groups to consider in the filter.
  • External User Groups — When the Allow all authenticated users checkbox is cleared, select the external user groups to consider in the filter.
• Misc — Use the fields in this area to configure miscellaneous criteria for this filter. The following fields are available:
  • Time Periods — Specify the time periods to consider.
  • Privileged Rule — Select All, Enabled (rules flagged as privileged), or Disabled (rules not flagged as privileged).
  • Location — Specify the area of the rule set in which a rule may be found. The following values are available:
    • All — All rules in the Priority and General areas.
    • Priority — All rules placed at the top of the rule set.
    • General — All rules that are not flagged as Priority.
• Save Filter… — Use the fields in this area to name this filter and add a description. The following fields are available:
  • Filter Name — Specify a name for the filter if you want to be able to recall the filtered view later from the Manage Filters window.
  • Description — Specify a description for the filter. It appears in the Manage Filters window next to the value in the Filter Name field.
• OK — Save the changes on this window, filter the rule set, and display the subset of rules that matches the selected criteria.
• Cancel — Close this window without saving any changes.
Loading and managing previously saved rule filters
Use the Manage Filters window to load and manage previously saved filters. Saved filters store settings that were specified in the Rules Filter Selection window. They can be applied later to display only those rules that currently meet the saved filter criteria.
Note: This window is available only if filters have been saved.
Figure 230 Manage Filters window
Accessing this window
1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.
2 In the toolbar, select (Manage Filters).
  or
  From the Rules menu, select Manage Filters.
  The Manage Filters window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Filter Name — [Read-only] Displays the name that was given to the filter when it was defined in the Rules Filter Selection window.
• Description — [Read-only] Displays the description that was given to the filter when it was defined in the Rules Filter Selection window.
• Apply — Apply the selected filter to the rules that are displayed on the Rules page.
• Edit — Display the Rules Filter Selection window for the selected filter so that you can edit it.
• Delete — Delete the selected filter.
• Cancel — Close this window without making any changes.
Displaying filtered rules on the Rules page
Use the Quick Filter window to display, on the Rules page, only those rules that have been defined for the selected firewalls.
Figure 231 Quick Filter window
Accessing this window
1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.
2 From the Rules menu, select Quick Filter. The Quick Filter window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Include Related Objects — Determines whether to recursively search each group and nested group for the selected firewalls, so that rules applied to a group that contains a selected firewall are also displayed. Depending on the number of groups defined and the depth of group nesting, this search can take a significant amount of time to return results, so a warning message is displayed first.
• Find — Use this field to filter the objects in the column to only those whose names match the character or sequence of characters that you specify.
• Firewalls — This column lists all of the firewalls that have been added to the Management Server database by using the Add New Firewall window. Select the firewall or firewalls to include in this filter.
• OK — Save the changes in this window and filter the rules that are displayed on the Rules page.
• Cancel — Close this window without filtering any of the rules.
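The recursive group search that Include Related Objects performs, here and in the Rules Filter Selection window, as an added example that is not part of this guide or of Control Center: a small Python model in which a device group may contain firewalls and other groups, and a rule's Apply On may name either. The group tree, firewall names and rules are constructed for the example, and the real Control Center object model and search are not exposed here; the point is that the cost grows with nesting depth, and that a cycle in the group tree must be guarded against.

```python
"""Added example, not Control Center code: how a rule filter with
"Include Related Objects" selected also picks up rules whose Apply On names
a device group that contains the chosen firewall, directly or through
nested groups. The group tree, firewalls and rules below are constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed device groups: a member is either a firewall or another group.
GROUPS: Dict[str, List[str]] = {
    "all-sites": ["dmz-group", "branch-group"],
    "dmz-group": ["fw-dmz-1", "fw-dmz-2"],
    "branch-group": ["fw-branch-1", "remote-group"],
    "remote-group": ["fw-remote-1"],
}

# Constructed rules as (name, Apply On targets).
RULES: List[Tuple[str, List[str]]] = [
    ("allow-web-dmz", ["dmz-group"]),
    ("allow-vpn-branch", ["branch-group"]),
    ("deny-all-sites", ["all-sites"]),
    ("allow-mgmt-remote", ["fw-remote-1"]),
]


def expand_members(target: str, groups: Dict[str, List[str]],
                   path: Optional[Set[str]] = None) -> Set[str]:
    """Return every firewall reachable from `target` through nested groups.

    Recursion depth follows the nesting depth, which is the cost the
    guide's warning refers to; `path` holds the groups on the current
    descent so that a cycle (A contains B contains A) terminates.
    """
    if target not in groups:
        return {target}                  # a firewall, not a group
    path = set() if path is None else path
    if target in path:
        return set()                     # cycle: this group is already being expanded
    path.add(target)
    found: Set[str] = set()
    for member in groups[target]:
        found |= expand_members(member, groups, path)
    path.discard(target)                 # reaching the same group via another branch is fine
    return found


def matching_rules(firewall: str, rules: List[Tuple[str, List[str]]],
                   groups: Dict[str, List[str]], include_related: bool) -> List[str]:
    """Names of the rules the filter shows for `firewall`.

    Without Include Related Objects only a direct Apply On reference counts;
    with it, any group that transitively contains the firewall counts too.
    """
    shown = []
    for name, targets in rules:
        for target in targets:
            if target == firewall or (include_related and firewall in expand_members(target, groups)):
                shown.append(name)
                break
    return shown


if __name__ == "__main__":
    for related in (False, True):
        print("fw-remote-1, include related =", related, "->",
              matching_rules("fw-remote-1", RULES, GROUPS, related))
```

With the flag cleared, fw-remote-1 matches only the rule that names it directly; with the flag set, the rules applied to branch-group and all-sites appear as well, because both groups contain it through nesting.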
Configuring groups of rules
Use the Rules Group window to organize sequences of rules into named groups that can be saved. For more information, see Rules on page 527. After rules are formed into groups, use the expand and contract buttons at the left end of the Rule Description table, when the Rules page is displayed in the work area of the Configuration Tool, to reveal or conceal selected groups of rules.
Figure 232 Expand and contract buttons
Figure 233 Rules Group window
Accessing this window
1 In the Configuration Tool, select the Rules tab. The Rules page is displayed.
2 From the Rules menu, select Create Group. The Rules Group window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for the new group of rules, or the name of an existing group of rules to un-group.
• Description — Provide information about the rule group.
• Start Rule — Specify the number of the first rule in the sequence of rules to form into a group. Only rule numbers that are not already assigned to another group can be selected.
• End Rule — Specify the number of the last rule in the sequence of rules to form into a group. Only rule numbers that are not already assigned to another group can be selected.
• OK — Save the changes in this window.
• Cancel — Close this window without making any changes.
Merging rules with common elements
Use the Merge Rules Wizard to analyze your rule set and combine rules that have common elements. Elements include Apply On, Services, Sources, Source Burbs, Destinations, Destination Burbs, and Time Periods. The wizard scans your rule set and identifies the rules that have common elements. You can then combine those rules into a single rule.
Accessing this wizard
In the Configuration Tool, from the Configuration menu, select Merge Rules Wizard. The Merge Rules Wizard is displayed.
Wizard steps
This wizard has five steps.
Step 1 of 5 - Description
This page introduces the Merge Rules Wizard and identifies the users who are currently logged in. To analyze your existing rules, click Next >.
Step 2 of 5 - Description
The rules have been analyzed for common elements. The number of rules that contain common elements is displayed on this page. Click Next >.
Step 3 of 5 - Setting Criteria for Merging Rules
Use this page to set the criteria for merging rules. The criteria are set by choosing an action for each element. The actions are defined as follows:
• Merge — Combine all values for the associated element when merging a rule with other rules.
• Compare — Compare values for the associated element across all rules and merge rules only if the values for the element are identical.
• Ignore — Disregard values for the associated element when determining whether a rule can be merged with other rules.
Any of these actions can be selected for the condition elements. Only Compare or Ignore can be selected for the other elements.
• Condition Elements — Use the fields in this area to set the action for each element type that is listed. The following elements are available:
  • Apply On
  • Services
  • Sources
  • Destinations
  • Source burbs
  • Destination burbs
  • Time periods
• Firewalls — Use the fields in this area to determine the firewalls to which the merge instructions apply. The following options are available:
  • Merge rules that are applicable to all firewalls — The merge instructions are applied to all of the firewalls. This is the default selection.
  • Merge rules that are applicable to the following firewalls — The merge instructions are applied only to the firewalls that you select in the table.
    To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to objects whose names contain an exact sequence of characters, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). Use the Find button to filter the objects in the column to only those that match the characters you have specified in this field.
• Other Elements — Use the fields in this area to determine how the merge instructions are applied to the elements that are selected in the tree. The following fields are available in this area:
  • Denotes ignore — Identifies the marker for elements that are selected in the tree; these elements are ignored during the merge.
  • Denotes compare — Identifies the marker for elements that are not selected in the tree; these elements are compared during the merge.
  • Ignore All — Select the checkboxes of all of the other elements in this area.
  • Compare All — Clear the checkboxes of all of the other elements in this area.
  • (Element tree) — Displays the elements and sub-elements of each rule in the tree. Select an element or a sub-element to ignore it during merge processing.
  The following categories of elements are included in this tree:
  • Basic Elements — This checkbox includes the following sub-elements:
    Table 20 Merge Rules Wizard: Basic Elements
    Basic Elements: Enable Rule, Audit Level, Privileged Rules, Duration
    Firewall-Specific Elements: General (including Content Inspection and Authentication), NAT, Redirect
  • Content Inspection — This checkbox includes the following sub-elements:
    • Application Defense
    • Inspection Level
    • IPS Settings
  • Authentication — This checkbox includes the following sub-element:
    • Authentication Settings
  • NAT — This checkbox includes the following sub-element:
    • NAT Settings
  • Redirect — This checkbox includes the following sub-element:
    • Redirect Settings
  • Duration — This checkbox includes the following sub-elements:
    • Initiation
    • Expiration
  • TrustedSource — This checkbox includes the following sub-elements:
    • TrustedSource Enabled
    • TrustedSource Reputation
For more information about condition elements and other elements, see Configuring rules on page 533.
After you have made your selections, click Next > to begin analyzing and combining rules with common elements.
Step 4 of 5 - Merge Rules
If there are candidates for merging in your rule set, the following tables are displayed on this page:
• Merge Rule Groups — Use this table to view and configure the use of individual rules in a merge rule group. A merge rule group consists of the individual rules that are candidates for being merged to form the merge result rule that is displayed at the top of the group. Every merge rule group has a group header that shows whether the group is used, the number of the group, and the number of rules that belong to it. If the header is green or red, the merge rule group is used; if it is gray, it is not used. Red indicates that the merge can possibly cause a policy change in the rule set. This can occur if services, sources, destinations, or time periods were set to Merge or Ignore in Step 3 of 5 - Setting Criteria for Merging Rules on page 552: ignoring an element discards the other rules' values for it, and merging two or more elements whose values differ produces a rule that also matches combinations (for example, one rule's source with another rule's service) that no component rule matched. Review red groups before accepting them.
  Use the navigation controls at the top of the Merge Rules table to move among the merge groups. This table contains all of the information that the All Rules table contains, plus the following additional column:
  • Use — Determines whether to make changes to the merge rule groups. This column contains a checkbox that is selected for all of the merge rule groups and the rules that they contain. If you accept the merge result rule (by selecting this checkbox), the component rules are deleted, as indicated by strike-through text in those rules. If you clear the checkbox associated with a rule in a merge rule group, that rule is not part of the merge and is not deleted.
  The merge result rule is then re-generated, and the All Rules table is updated. Rule numbers are the same in both tables so that you can easily locate a rule.
  Note: The only column in this table that can be modified is the Use column. All of the other columns are read-only.
  You can double-click a rule in the Merge Rule Groups table to display the Rule Details window, in which all of the information about the rule is displayed. This can be helpful because the tables in the Merge Rules Wizard do not display all of the configuration information for a rule. In the Rule Details window, you can make changes only to a merge result rule; existing rules are displayed in read-only mode.
• All Rules — Use this table to view all of the rules in the rule set. Rules that are targeted for merging are shown in strike-through text and color to distinguish them from the other rules in the set. This table has the following columns:
  • Number — [Read-only] Displays the number of this rule in the rule set. You can change the sort order on this column.
  • Enabled — [Read-only] Displays the status of the Enabled rule checkbox for this rule, which indicates whether the rule is enabled. (This checkbox is located on the Rule Editor window or the Rule Details window.)
  • Name — [Read-only] Displays the label associated with the rule.
  • Apply On — [Read-only] Displays the firewalls to which the rule applies.
  • Last Updated — [Read-only] Displays the date on which the associated firewall was last updated.
  • Action — [Read-only] Indicates how packets that match the rule are handled. The following values are possible:
    • Allow — Packets that match this rule pass through the firewall without intervention.
    • Deny — Packets that match this rule are prohibited from passing through the firewall.
    • Drop — Packets that match this rule are silently dropped.
  • Services — [Read-only] Displays the network services to which the rule applies.
  • Sources — [Read-only] Displays the network sources to which the rule applies.
  • Destinations — [Read-only] Displays the network destinations to which the rule applies.
  • Time Periods — [Read-only] Displays the time periods during which the rule is in effect.
  • Source Burbs — [Read-only] Displays the source burbs to which the rule applies.
  • Destination Burbs — [Read-only] Displays the destination burbs to which the rule applies.
After you have finished configuring the rules in all of the merge rule groups, click Next >.
Step 5 of 5 - Results
This page displays a summary of the merge settings. The following fields are available:
• Summary — Use the fields in this area to decide whether to back up the Control Center configuration before proceeding with the merge. This area also displays the results of the choices that you made in Step 3 of 5 - Setting Criteria for Merging Rules and Step 4 of 5 - Merge Rules.
  • Backup Control Center System before merging the rules — Determines whether to back up the Control Center configuration before the merge is performed. This checkbox is cleared by default. Because the component rules of each accepted merge group are deleted when the merge is committed, select it unless you already have a current backup to restore from.
  • Number of Merges — [Read-only] Displays the number of merges that you have selected to perform.
  • Number of Deleted Rules — [Read-only] Displays the number of rules that you have selected for deletion.
  • Number of Rules — [Read-only] Displays the number of rules that have been defined on this Management Server.
  • New Rule Set — [Read-only] Displays the projected result of the merge process, that is, all of the rules that would exist after the wizard has merged the specified rules. Review the rule set and decide whether you want to proceed with deleting the selected rules.
If there are no rules to be merged, click Close.
To commit your changes to the Control Center Management Server, click Finish.
To close the wizard without committing any changes, click Cancel.
Deleting duplicate rules
Use the Duplicate Rule Wizard to analyze your rule set and delete duplicate rules.
Accessing this wizard
In the Configuration Tool, from the Configuration menu, select Duplicate Rules Wizard. The Duplicate Rule Wizard is displayed.
Steps
This wizard has the following steps:
• Step 1 of 4 - Description on page 556
• Step 2 of 4 - Description on page 556
• Step 3 of 4 - Delete Duplicate Rules on page 556
• Step 4 of 4 - Results on page 557
Step 1 of 4 - Description
This page introduces the Duplicate Rule Wizard and identifies the users who are currently logged in. To analyze your existing rules, click Next >.
Step 2 of 4 - Description
The rules have been analyzed for duplication. The number of rules that have duplicates is displayed on this page. If there are no duplicate rules, click Close to close the wizard. If there are duplicate rules, click Next > to continue.
Step 3 of 4 - Delete Duplicate Rules
If there are duplicate rules in your rule set, this page displays the following tables:
• Duplicate Rules — Use the table in this area to navigate through all of the duplicate rule groups by using the navigation buttons at the top of the table. Each rule in the current duplicate rule group is displayed in this table. Rule numbers are the same in both tables so that you can easily locate a rule. When you select a row in the Duplicate Rules table, the same row is also selected in the All Rules table.
  Note: The only column in this table that can be modified is the Delete column. All of the other columns are read-only.
  The following columns are available:
  • Delete — Determines whether the rule is deleted. In each duplicate rule group, the checkbox for the first rule is cleared and the checkbox for each of the other rules is selected by default, so the highest-ranked copy is kept. Select the Delete checkbox of each rule that you want to delete.
  • Enabled — Displays whether the rule is enabled.
  • Name — Displays the label associated with the rule.
  • Apply On — Displays the firewalls to which the rule applies.
  • Last Updated — Displays the date on which the associated firewall was last updated.
  • Action — Indicates how packets matching the rule are handled. The following values are available:
    • Allow — Packets matching this rule pass through the firewall without intervention.
    • Deny — Packets matching this rule are prohibited from passing through the firewall.
    • Drop — Packets matching this rule are silently dropped.
  • Services — Displays the network services to which the rule applies.
  • Sources — Displays the network sources to which the rule applies.
  • Destinations — Displays the network destinations to which the rule applies.
  • Time Periods — Displays the time periods during which the rule is in effect.
• All Rules — Use the table in this area to view all of the rules in the rule set. Rules shown in strike-through text and color have been designated for deletion. Except for the Delete column, the columns in this table are the same as those in the Duplicate Rules area.
In either area, you can double-click a row in the table to display the Rule Details window, in which all of the information about the rule is displayed. This can be helpful because the tables in the Duplicate Rule Wizard do not display all of the configuration information for a rule.
Note: The Rule Details window is read-only.
Click Next > to continue with the wizard.
Step 4 of 4 - Results
This page displays a summary of the duplicate rule settings. The following fields are available:
• Summary — Use the fields in this area to decide whether to commit the changes that you made in Step 3 of 4 - Delete Duplicate Rules on page 556 to the Control Center Management Server.
  • Old Number of Rules — [Read-only] Displays the number of rules that existed before you ran this wizard.
  • Deleted Rules — [Read-only] Displays the number of rules that you have selected for deletion.
  • New Number of Rules — [Read-only] Displays the number of rules that will remain after this change is committed to the Management Server.
  • New Rule Set — [Read-only] Displays the projected result of the duplicate rule deletion process, that is, all of the rules that would exist after the wizard has deleted the selected duplicates. Review the rule set and decide whether you want to proceed with deleting the selected rules.
If there are no rules to be deleted, click Close. This is usually because you have cleared all of the Delete checkboxes that were selected by default.
To commit your changes to the Control Center Management Server, click Finish.
To close the wizard without committing any changes, click Cancel.
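The grouping that the Merge Rules Wizard (Merge, Compare and Ignore per element, and the red "policy change possible" header) and the Duplicate Rule Wizard (every element compared, the first rule of each group kept) perform, as an added Python example that is not part of this guide or of Control Center. The element names follow the wizard's Condition Elements and Other Elements; the rule set, the rule representation and the red-group test are constructed for the example. The red-group test is tighter than the wizard's, which colors a group from the chosen settings alone: here a group is flagged only when a condition element is ignored or when two or more merged elements actually differ among its rules, which is when the union widens the policy. Rule ordering is not modelled.

```python
"""Added example, not Control Center code: models the Merge Rules Wizard's
Merge / Compare / Ignore criteria and the Duplicate Rule Wizard's all-Compare
case on a small constructed rule set. Element names follow the wizard's
Condition Elements and Other Elements; the rules themselves are invented."""
from typing import Dict, List, Tuple

CONDITION = ("apply_on", "services", "sources", "destinations",
             "source_burbs", "destination_burbs", "time_periods")
OTHER = ("action", "enabled", "audit_level", "nat", "redirect")
ELEMENTS = CONDITION + OTHER


def rule(name: str, **fields) -> Dict[str, object]:
    """Build a rule; condition elements become frozensets, the rest scalars."""
    r = {"name": name, "action": "Allow", "enabled": True,
         "audit_level": "Standard", "nat": "None", "redirect": "None"}
    for elem in CONDITION:
        r[elem] = frozenset(fields.pop(elem, ()))
    r.update(fields)          # any remaining keyword overrides an Other element
    return r


def merge_candidates(rules: List[dict], criteria: Dict[str, str]) -> List[Tuple[list, dict, bool]]:
    """Group rules per the criteria and build each group's merge result rule.

    criteria maps element -> "merge" | "compare" | "ignore" (default "compare").
    Returns (component rules, merge result rule, policy_change_possible) for
    each group of two or more rules. Rule names are never compared.
    """
    for elem, action in criteria.items():
        if elem in OTHER and action == "merge":
            raise ValueError(f"{elem}: Other elements allow only compare or ignore")
    compare = [e for e in ELEMENTS if criteria.get(e, "compare") == "compare"]
    merge = [e for e in CONDITION if criteria.get(e) == "merge"]
    ignored = [e for e in CONDITION if criteria.get(e) == "ignore"]

    groups: Dict[tuple, list] = {}
    for r in rules:                       # a group is equal on every compared element
        groups.setdefault(tuple(r[e] for e in compare), []).append(r)

    results = []
    for members in groups.values():
        if len(members) < 2:
            continue
        merged = dict(members[0])         # ignored elements keep the first rule's value
        merged["name"] = "+".join(m["name"] for m in members)
        for elem in merge:                # Merge: union of the component values
            merged[elem] = frozenset().union(*(m[elem] for m in members))
        # Ignoring drops the other rules' values; merging two or more elements
        # that actually differ yields a rule that also matches cross
        # combinations (rule A's source with rule B's service) that no
        # component rule matched. Either is a possible policy change.
        differing = [e for e in merge if len({m[e] for m in members}) > 1]
        policy_change = bool(ignored) or len(differing) > 1
        results.append((members, merged, policy_change))
    return results


def duplicate_groups(rules: List[dict]) -> List[Tuple[dict, list]]:
    """Duplicate Rule Wizard: every element compared, none merged; the first
    rule of each group is kept and the rest are marked for deletion."""
    criteria = {e: "compare" for e in ELEMENTS}
    return [(members[0], members[1:]) for members, _, _ in merge_candidates(rules, criteria)]


# Constructed rule set: two rules that differ only in service, an exact
# duplicate of the first, and an unrelated SMTP rule.
RULES = [
    rule("web-http", services=["http"], sources=["lan"], destinations=["web-srv"],
         source_burbs=["internal"], destination_burbs=["dmz"]),
    rule("web-https", services=["https"], sources=["lan"], destinations=["web-srv"],
         source_burbs=["internal"], destination_burbs=["dmz"]),
    rule("web-http-copy", services=["http"], sources=["lan"], destinations=["web-srv"],
         source_burbs=["internal"], destination_burbs=["dmz"]),
    rule("mail-smtp", services=["smtp"], sources=["partner"], destinations=["mail-srv"],
         source_burbs=["external"], destination_burbs=["dmz"]),
]

if __name__ == "__main__":
    for kept, doomed in duplicate_groups(RULES):
        print("keep", kept["name"], "delete", [d["name"] for d in doomed])
    for _, merged, risky in merge_candidates(RULES, {"services": "merge"}):
        print(merged["name"], sorted(merged["services"]), "policy change possible:", risky)
    wide = {"services": "merge", "sources": "merge", "destinations": "merge", "source_burbs": "merge"}
    for _, merged, risky in merge_candidates(RULES, wide):
        print(merged["name"], sorted(merged["sources"]), "policy change possible:", risky)
```

Merging on Services alone folds the three web rules into one HTTP+HTTPS rule without widening anything, because every other element is identical across them. Merging Services, Sources, Destinations and Source burbs at once pulls the SMTP rule into the same group and the result would allow, for example, the partner network to reach the web server: that is the case the wizard colors red.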
Viewing configuration information for duplicate rules
Use the Rule Details window to view all of the configuration information for a rule while you are using the Duplicate Rule Wizard or the Merge Rules Wizard.
Figure 234 Rule Details window
Accessing this window
1 In the Configuration Tool, from the Configuration menu, select Duplicate Rules Wizard or Merge Rules Wizard. The selected wizard is displayed.
2 For the Duplicate Rule Wizard, click Next > twice. The Delete Duplicate Rules page (Step 3 of 4) is displayed.
  or
  For the Merge Rules Wizard, click Next > three times. The Merge Rules page (Step 4 of 5) is displayed.
3 Double-click a row in the All Rules table, or in the Duplicate Rules or Merge Rule Groups table, depending on the wizard that you are using. The Rule Details window is displayed.
Fields and buttons
The Rule Details window is almost identical to the Rule Editor window, with the following exceptions:
• Buttons. The Rule Details window has only a Close button, in place of the OK and Cancel buttons on the Rule Editor window. Click Close to return to the Duplicate Rule Wizard or the Merge Rules Wizard.
• Editable fields. You cannot edit any of the fields on the Rule Details window. For more information about the fields on this window, see Configuring rules on page 533.
URL translation rules
Use URL translation to configure your firewall to redirect inbound HTTP connections based on application layer data, rather than on transport layer data as conventional redirect rules do. By examining the HTTP application layer data, the firewall determines the internal web server for which an inbound request is destined, even if multiple servers share the same external IP address.
Use URL translation if your network environment matches one or more of the following scenarios:
• You have multiple web sites that resolve, by using DNS, to a single IP address on your firewall.
• You have one or more web sites that contain resources that are hosted on different physical servers behind your firewall.
Viewing your URL translation rules
Use the URL Translation Rules page to view a complete list of the URL translation rules that have been defined on your system. To work with a rule, right-click it, or open the Rules menu, and select one of the following options:
• Add New — Displays the URL Translation Rule Editor window, in which you can create a new URL translation rule.
• Edit — Displays the URL Translation Rule Editor window, in which you can edit the highlighted URL translation rule.
• Copy Rule — Creates a copy of the highlighted URL translation rule.
• Delete Rule — Deletes the highlighted URL translation rule.
• Move Up — Moves the highlighted URL translation rule up one position on the page.
• Move Down — Moves the highlighted URL translation rule down one position on the page.
Figure 235 URL Translation Rules page
Accessing this page
In the Configuration Tool, from the View menu, select URL Translation Rules.
or
Select the Policy group bar and double-click the URL Translation Rules node.
The URL Translation Rules page is displayed.
Columns
The following columns appear on this page by default:
• Rank — [Read-only] Displays the position of the URL translation rule in the rule set. You can change the position of a rule by highlighting it and clicking Move Up or Move Down on the toolbar (or from the Rules menu).
• Name — [Read-only] Displays the name of this rule.
• Apply On — [Read-only] Displays a comma-delimited list of the firewalls to which this rule is mapped.
• Burbs — [Read-only] Displays a comma-delimited list of the burbs or burb groups to which this rule is mapped.
• Original URL — [Read-only] Displays the URL to which the inbound HTTP requests matched by this rule are sent. This is the value specified in the Matching URL field in the URL Translation Rule Editor window.
• Ports — [Read-only] Displays a comma-delimited list of the custom ports that have been specified for the URL in the Original URL column.
• Server — [Read-only] Displays the internal web server to which connections that match this rule are directed. This is the value specified in the Server Address field in the URL Translation Rule Editor window.
• New URL — [Read-only] Displays the URL that replaces the URL shown in the Original URL column when the request is rewritten.
• Description — [Read-only] Displays the user-defined description of this rule.
Configuring URL translation rules
Use the URL Translation Rule Editor window to configure your firewall to redirect inbound HTTP connections based on application layer data, rather than on transport layer data as conventional redirect rules do. By examining the HTTP application layer data, the firewall determines the internal web server for which an inbound request is destined, even though multiple servers share the same external IP address.
Use URL translation if your network environment matches one or more of the following scenarios:
• You have multiple web sites that resolve to a single IP address on your firewall by using DNS.
• You have one or more web sites that contain resources that are hosted on different physical servers behind your firewall.
If URL translation is enabled on an internet-facing burb, inbound HTTP requests are handled as follows:
1 An inbound HTTP request reaches the firewall. The TCP connection must be destined for an IP address that is assigned to the firewall.
2 The firewall examines the HTTP request's application layer data and compares it to the defined URL translation rules to determine the internal web server to which the request should be sent.
3 If the Rewrite URL checkbox is selected for the matching rule, the firewall rewrites the application data in the HTTP request as configured, so that it conforms to the requirements of the internal web server.
4 Based on the IP address of the destination web server that was determined in step 2, a policy rule match is performed.
5 If a policy rule is matched, the connection is redirected to the internal web server. URL translation only selects the server; an ordinary policy rule must still allow the connection to it.
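Steps 2 and 3 above, as an added Python example that is not part of this guide and not Firewall Enterprise or Control Center code: an inbound request is dispatched by its Host header and request path rather than by destination IP, and optionally rewritten for the internal server. The rule fields mirror the editor's Matching URL (host, port and path prefix), the additional Ports list, Server Address and New URL; the rule table, the request bytes, the burb names and the internal addresses are all constructed for the example. The policy rule match of steps 4 and 5 is not modelled.

```python
"""Added example, not Control Center or Firewall Enterprise code: dispatches
an inbound HTTP request by its application-layer data (Host header and path)
instead of by destination IP, and rewrites it when the rule carries a New
URL. Rules, burb names, server addresses and requests are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class UrlTranslationRule:
    name: str
    burbs: frozenset                    # burbs the requesting clients sit in
    matching_url: str                   # scheme://host[:port][/path-prefix]
    server_address: str                 # internal web server (Server Address)
    new_url: Optional[str] = None       # set when Rewrite URL is selected
    extra_ports: Tuple[int, ...] = ()   # further ports from the Port field

    def host(self) -> str:
        return (urlsplit(self.matching_url).hostname or "").lower()

    def ports(self) -> set:
        return {urlsplit(self.matching_url).port or 80, *self.extra_ports}

    def prefix(self) -> str:
        return urlsplit(self.matching_url).path or "/"


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request-head parser: (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def split_host_port(host_hdr: str, default_port: int) -> Tuple[str, int]:
    """Host header -> (host, port); handles host, host:port and [v6]:port."""
    if host_hdr.startswith("["):
        host, _, rest = host_hdr[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = host_hdr.partition(":")
    return host.lower(), int(port) if port else default_port


def under_prefix(path: str, prefix: str) -> bool:
    """Prefix match on whole path segments: /shop matches /shop/x, not /shopping."""
    base = prefix.rstrip("/")
    return base == "" or path == base or path.startswith(base + "/")


def translate(raw: bytes, arrival_port: int, burb: str, rules: List[UrlTranslationRule]):
    """Choose the internal server for an inbound request (steps 2 and 3).

    Rules are tried in rank order and the first match wins. Returns
    (rule name, server address, request bytes to forward), or None when no
    rule matches.
    """
    method, target, version, headers = parse_request(raw)
    host_hdr = next((v for n, v in headers if n.lower() == "host"), None)
    if host_hdr is None:
        return None                      # nothing at the application layer to match on
    host, port = split_host_port(host_hdr, arrival_port)
    parts = urlsplit(target)             # origin-form target: path[?query]
    for rule in rules:
        if burb not in rule.burbs or host != rule.host() or port not in rule.ports():
            continue
        if not under_prefix(parts.path, rule.prefix()):
            continue
        if rule.new_url is None:
            return rule.name, rule.server_address, raw
        # Rewrite URL: swap the matched prefix and the Host header for the
        # New URL's path and host so the request suits the internal server.
        new = urlsplit(rule.new_url)
        rest = parts.path[len(rule.prefix().rstrip("/")):]
        new_path = (new.path.rstrip("/") + rest) or "/"
        new_target = urlunsplit(("", "", new_path, parts.query, ""))
        rewritten = [(n, new.netloc if n.lower() == "host" else v) for n, v in headers]
        head = "\r\n".join([f"{method} {new_target} {version}"] +
                           [f"{n}: {v}" for n, v in rewritten])
        body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
        return rule.name, rule.server_address, head.encode("ascii") + b"\r\n\r\n" + body
    return None


# Constructed rule table in rank order: the /shop rule must precede the
# catch-all for www.example.com or it would never be reached.
RULES = [
    UrlTranslationRule("shop", frozenset({"external"}), "http://www.example.com/shop",
                       "10.1.1.20", new_url="http://shop.internal:8080/"),
    UrlTranslationRule("www", frozenset({"external"}), "http://www.example.com/", "10.1.1.10"),
    UrlTranslationRule("api", frozenset({"external"}), "http://api.example.com:8443",
                       "10.1.1.30", extra_ports=(8444,)),
]

# Constructed inbound requests.
REQ_SHOP = b"GET /shop/cart?id=7 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
REQ_WWW = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_API = b"POST /v1/items HTTP/1.1\r\nHost: api.example.com:8444\r\nContent-Length: 2\r\n\r\n{}"
REQ_OTHER = b"GET / HTTP/1.1\r\nHost: other.example.com\r\n\r\n"
```

The three www.example.com requests arrive on the same firewall address; the Host header and path, not the destination IP, decide that /shop/cart goes to 10.1.1.20 as /cart with a rewritten Host, that /index.html goes to 10.1.1.10 untouched, and that a request for a host no rule names, or from a burb the rule does not cover, gets no translation.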
Figure 236 URL Translation Rule Editor window with the advanced fields displayed (after clicking Advanced >>)

Accessing this window
1 In the Configuration Tool, from the View menu, select URL Translation Rules.
  or
  Select the Policy group bar and double-click the URL Translation Rules node.
  The URL Translation Rules page is displayed.
2 Select either (Add New Rule) or (Edit Rule) in the toolbar or from the Rules menu. The URL Translation Rule Editor window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a descriptive name for this rule. Valid values include alphanumeric characters, periods (.), dashes (-), underscores (_), and spaces ( ). However, the first and last character of the name must be alphanumeric. The name cannot exceed 256 characters. You can rename the rule later.
• Description — Specify any useful information about this rule.
• Apply on — Specify firewalls, clusters, or device groups to which the URL translation rule applies. Double-click any object in this list (except generic objects such as ALL FIREWALLS) to open it in the respective object window. (For example, if you double-click a firewall, the Firewall window is displayed.) To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search).
• Source — Use the fields in this area to select burbs or burb groups where the clients that generate the inbound HTTP requests are located and to configure HTTP matching parameters. You can either specify the entire URL in the Matching URL field or build the URL from its attributes by using the fields in the Matching URL attributes area.
  • Burbs — Specify the burb or burb groups where the clients that generate the inbound HTTP requests are located. You can select one or more burbs or one or more burb groups. Click the down arrow. The following options are available:
    • Selected Burbs — Specify one or more burbs selected from the associated list.
    • Selected Burb Groups — Specify one or more burb groups selected from the associated list.
  • Matching URL — Select this option to configure the URL that this rule should match. This URL contains all of the attributes and it must be in a valid URL format. To specify a custom port, add the port to the end of the URL (for example, http://example.net:3128, where 3128 is the port number). To specify multiple ports to match, use the Port field in the Matching URL attributes area on the advanced page. You can also add a path prefix after the port (for example, http://example.net:3128/myDirectory, where /myDirectory is the path prefix). The values in the Host, Port, and Path Prefix fields in the Matching URL attributes area automatically match the value that you specify in this field.
  • Matching URL attributes — [Available only if you have clicked the Advanced >> button at the bottom of this window] Select this option to build the URL by specifying the values of its attributes.
    • Host — Specify the host to be used to match inbound HTTP requests.
    • Port — Specify the port or ports to be used to match inbound HTTP requests. Specify multiple ports in a comma-delimited list.
    • Path prefix — Specify the path prefix to be used to match inbound HTTP requests.
• Destination — Use the fields in this area to select or create an IP address object that corresponds to the internal web server to which connections matching this rule should be redirected. You can either specify the entire URL in the New URL field or build the URL from its attributes by using the fields in the New URL attributes area.
  • Server address — Specify the IP address object that corresponds to the internal web server to which connections that match this rule should be redirected. To search for objects, use the filter field to control the number of objects that are displayed. To limit the search to exact matches of a specified sequence of characters that appears anywhere in the object name, specify one or more characters and press Enter. To perform an advanced search for an object, click (Advanced search). To view a list of objects that you can add, click (Add). To add an object, click (Add) to display the Network Object Manager window for the type of object that you are adding.
  • Rewrite URL — Determines whether the inbound HTTP request is translated so that it matches the host name and path structure of the internal web server. This checkbox applies to the values that were specified in either the Matching URL field or in the Matching URL attributes fields. If you clear this checkbox, the New URL and New URL attributes fields are not available.
    Note: Path information beyond the matching URL path prefix in the HTTP request is not affected by selecting this checkbox.
  • New URL — Select this option to configure the URL that will replace the value that was specified in the Matching URL field. This URL contains all of the attributes and it must be in a valid URL format. To keep the other attributes and to change only the port from the value that was specified in the Matching URL field, clear the Maintain original port checkbox. This also changes the value of the destination Port field in the New URL attributes area to <Maintain original port>, and it cannot be edited while this checkbox is selected.
    Note: The firewall does not modify hyperlinks in HTML files. Therefore, whenever possible, relative links should be used on the web servers behind the firewall that performs the URL translation. The firewall does translate the Location header in 3xx redirection server status codes.
  • New URL attributes — [Available only if you have clicked the Advanced >> button at the bottom of this window] Select this option to build the URL by specifying the values of its attributes.
    • Host — Specify the host to be used to rewrite the URL.
    • Port — Specify the port to be used to rewrite the URL.
    • Path prefix — Specify the path prefix to be used to rewrite the URL.
• Advanced >> — Click this button to view the Matching URL attributes and New URL attributes fields. If you are using the Matching URL or New URL fields, you do not need to click this button. However, to specify multiple ports, you must click Advanced >> to be able to specify the values in the Port field in the Matching URL attributes area.
• Collapse << — [This button is available only after you have clicked the Advanced >> button.] Click this button to hide the Matching URL attributes and New URL attributes fields.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.
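The matching and rewriting behaviour described in the steps and fields above, as an added Python model that is not Control Center or firewall code: rules are tried in Rank order, the Matching URL's host, port(s) and path prefix are compared with the request, only the matched prefix is replaced when Rewrite URL is set (the path remainder is untouched), <Maintain original port> keeps the client's port, and a 3xx Location header that names the internal server is translated back to the external URL. The rule names, server address object names and host names are constructed for the example.

```python
"""Model of the URL translation matching and rewriting described above (Matching URL, Rewrite
URL, <Maintain original port>, untouched path remainder, Location header translation). This
is an added illustration, not Control Center or firewall code."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_HTTP_PORT = 80


def split_host_port(host_hdr: str) -> tuple:
    """Split an HTTP Host header into (lower-cased host, port); the port defaults to 80."""
    host, sep, port = host_hdr.rpartition(":")
    return (host.lower(), int(port)) if sep and port.isdigit() else (host_hdr.lower(), DEFAULT_HTTP_PORT)


def prefix_matches(path: str, prefix: str) -> bool:
    """Match whole path segments only, so the prefix /my does not match /myDirectory."""
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def host_header(host: str, port: int) -> str:
    return host if port == DEFAULT_HTTP_PORT else f"{host}:{port}"


@dataclass(frozen=True)
class UrlTranslationRule:
    name: str
    match_host: str                  # Host attribute of the Matching URL
    match_ports: frozenset           # Port attribute(s); empty means port 80 only
    match_prefix: str                # Path prefix attribute, stored without a trailing slash
    server_address: str              # constructed name of the internal web server object
    rewrite_url: bool = False        # the Rewrite URL checkbox
    new_host: Optional[str] = None   # New URL attributes
    new_port: Optional[int] = None   # None stands for <Maintain original port>
    new_prefix: str = ""

    @classmethod
    def from_urls(cls, name, matching_url, server_address, new_url=None, maintain_original_port=True):
        """Derive the Host/Port/Path prefix attributes from the Matching URL and New URL text."""
        m = urlsplit(matching_url)
        extra = {}
        if new_url is not None:
            n = urlsplit(new_url)
            extra = dict(rewrite_url=True, new_host=n.hostname.lower(),
                         new_port=None if maintain_original_port else n.port,
                         new_prefix=n.path.rstrip("/"))
        ports = frozenset() if m.port is None else frozenset({m.port})
        return cls(name, m.hostname.lower(), ports, m.path.rstrip("/"), server_address, **extra)

    def matches(self, host: str, port: int, path: str) -> bool:
        wanted = self.match_ports or frozenset({DEFAULT_HTTP_PORT})
        return host == self.match_host and port in wanted and prefix_matches(path, self.match_prefix)

    def rewrite_request(self, host: str, port: int, path: str) -> tuple:
        """Return the (Host header, path) the internal server sees. Only the matching prefix is
        replaced; path information beyond it stays exactly as the client sent it."""
        if not self.rewrite_url:
            return host_header(host, port), path
        new_path = (self.new_prefix + path[len(self.match_prefix):]) or "/"
        new_port = port if self.new_port is None else self.new_port
        return host_header(self.new_host or host, new_port), new_path

    def translate_location(self, location: str, client_host: str, client_port: int) -> str:
        """Translate a 3xx Location header that names the internal server back to the external
        URL, so the client is not redirected to a host name it cannot reach."""
        if not self.rewrite_url:
            return location
        loc = urlsplit(location)
        int_host = self.new_host or client_host
        int_port = client_port if self.new_port is None else self.new_port
        if ((loc.hostname or "").lower() != int_host or (loc.port or DEFAULT_HTTP_PORT) != int_port
                or not prefix_matches(loc.path, self.new_prefix)):
            return location  # points somewhere else; leave it alone
        ext_path = (self.match_prefix + loc.path[len(self.new_prefix):]) or "/"
        return urlunsplit((loc.scheme, host_header(client_host, client_port), ext_path,
                           loc.query, loc.fragment))


class UrlTranslationRuleSet:
    """Ordered rules; the first rule (lowest Rank) whose host, port and path prefix match wins."""

    def __init__(self, rules):
        self.rules = list(rules)

    def route(self, host_hdr: str, path: str):
        """Return (rule name, server address, new Host header, new path), or None when no rule
        matches and the request is therefore not translated."""
        host, port = split_host_port(host_hdr)
        for rule in self.rules:
            if rule.matches(host, port, path):
                return (rule.name, rule.server_address) + rule.rewrite_request(host, port, path)
        return None


# Constructed rule set: two sites share one external address, and /shop lives on a third
# server whose own host name and port the request is rewritten to.
RULES = UrlTranslationRuleSet([
    UrlTranslationRule.from_urls("shop", "http://www.example.net/shop", "shop-srv",
                                 new_url="http://shop.internal:8080/", maintain_original_port=False),
    UrlTranslationRule.from_urls("www", "http://www.example.net", "web-srv"),
    UrlTranslationRule.from_urls("proxy", "http://example.net:3128", "proxy-srv"),
])
```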
Alert processing rules
When you are managing multiple firewalls, similar alerts that are generated from different firewalls can be difficult to distinguish. Alert processing rules are used to evaluate every firewall alert that is being sent to the Management Server to determine the way that the alert will be reported in the Reporting and Monitoring Tool. Additionally, several different types of Management Server alerts are also captured and displayed.

Similar to other processing rules, the alerts that are being sent to the Management Server from the firewalls are evaluated by the alert processing rules from top to bottom. The first processing rule that matches the characteristic and condition requirements for the incoming alert is reported in the way in which it has been defined by the rule. To ensure that all alerts are reported, the last processing rule in the list of rules is generic enough to catch and report any alerts that are not characterized by any of the preceding processing rules.

The following main alert processing rule management components are available to assist you:
• Alert Processing Rules page — The table on this page displays all of the alert processing rules that are currently defined. For more information, see Viewing alert processing rules on page 564.
• Alert Processing Rule window — Each processing rule defines alert actions, such as triggering an e-mail message, to associate with the alert. For more information, see Modifying pre-defined alert processing rules on page 565.
Viewing alert processing rules
Use the Alert Processing Rules page to view all of the alert processing rules that are available. For more information about alert processing rules, see Alert processing rules on page 563. The alert actions are defined by using the Alert Processing Rule window.

Figure 237 Alert Processing Rules page

Accessing this page
In the Configuration Tool, from the View menu, select Alert Processing Rules. The Alert Processing Rules page is displayed.

Columns
This page has the following columns, all of which are read-only:
• Name — Displays the administrator-defined name associated with the alert processing rule.
• Alert Actions — If an event satisfies the condition, this column displays the actions that are to be performed. There are three types of actions:
  • alarm — Indicates whether an alarm is sounded when the alert is generated.
  • sendmail — Indicates whether an e-mail is sent from the defined sender to the defined receivers using the defined subject and message.
  • snmp trap — Indicates whether a Simple Network Management Protocol (SNMP) trap is sent when the alert is generated.
• Type — Displays the type of alert that is specified in the Name field. The following values are available: Firewall and ManagementServer.

Modifying pre-defined alert processing rules
Use the Alert Processing Rule window to edit the pre-defined alert processing rules that manage the way in which alerts that are sent from the managed firewalls or from the Management Server are reported by the Reporting and Monitoring Tool. For more information about processing alerts, see Alert processing rules on page 563.

Figure 238 Alert Processing Rule window

Accessing this window
1 In the Configuration Tool, from the View menu, select Alert Processing Rules. The Alert Processing Rules page is displayed.
2 Double-click a specific rule.
  or
  In the toolbar, click (Edit Rule).
  The Alert Processing Rule window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Displays the name that is associated with the alert processing rule.
• SNMP Trap Action — Use the fields in this area to enable and configure an SNMP trap action to associate with this alert processing rule.
  • Enabled — Determines whether to enable the SNMP trap action. The default value is cleared. If you select this checkbox, you must also select the SNMP version in the SNMP Version field.
  • SNMP Version — Specify the version of SNMP that you are using for this rule.
  • Host IP address — Specify the IP address of the host to which the SNMP trap message will be sent.
  • Community — [Available only if SNMP Trap v1 or SNMP Trap v2c is selected in the SNMP Version field] Specify the name of the community that is authorized to retrieve information. This is the management station (manager) and the nodes that it will manage.
  • Security Name — [Available only if SNMP Trap v3 is selected in the SNMP Version field] Specify the name of the user.
  • Trap — Specify the type of trap that will be used if this SNMP trap action is enabled (that is, the Enabled checkbox is selected). The following values are available:
    • Cold Start (the default value)
    • Warm Start
    • Link Down
    • Link Up
    • Authentication Failure
    • EGP Neighbor Loss
    • Enterprise Specific
    • Specific — If you select this value, you must also set the value.
  • Use Default Message — Determines whether the server will send the default message as the message attribute (alert body) of the trap. If this is cleared, the Message field is available so that you can provide your own message text.
  • Message — Specify the message that will be sent as the message attribute of this trap.
  • Authentication Protocol — [Available for SNMP Trap v3 only] Specify the authentication protocol to use for this rule. Valid values are MD5 and SHA, where MD5 is the default value.
  • Authentication Key — [Available for SNMP Trap v3 only] Specify the authentication key that is required to authenticate the user. To copy the contents of a file into this field, click to navigate to the file and then click Open. The contents are copied into this field.
  • Privacy Protocol — [Available for SNMP Trap v3 only] Specify the encrypted privacy protocol to use for this rule. Valid values are DES, AES128, AES192, and AES256, where DES is the default value.
  • Private Key — [Available for SNMP Trap v3 only] Specify the encrypted private key that is required to authenticate the user. To copy the contents of a file into this field, click to navigate to the file and then click Open. The contents are copied into this field.
• Mail Action — Use the fields in this area to configure an e-mail notice that can be sent to one or more recipients. This e-mail provides notification that an alert has occurred that matches the processing requirements stated in this rule.
  • Enabled — Determines whether to enable the mail action, which also enables the remaining fields in this area.
  • Receiver Email(s) — Specify one or more receiver e-mail addresses in the following format: recipient@domain.tld. Use a space ( ) to separate multiple recipient addresses.
  • Supplemental Message — Specify the content of the message.
  • Include alert event details in message — Determines whether to include details about the alert event in the e-mail message. This checkbox is selected by default.
• Alarm Action — Use the fields in this area to configure the alarm that sounds when the alert is generated.
  • Enabled — Determines whether to enable the alarm action.
  • Alarm Sound — Specify the sound of an alarm that has been defined in the Alarm Sound Mapping window.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.

Assigning priority levels to alerts
Use the Priority Mappings window to set the reported priority level of the associated alert. All predefined alerts have an assigned alert priority that can be changed by using this window.

Figure 239 Priority Mappings window

Accessing this window
In the Configuration Tool, from the Configuration menu, select Priority Mappings…. The Priority Mappings window is displayed.
Fields and buttons
This window has the following fields and buttons:
• New Mapping — Use the fields in this area to specify a new mapping and priority level. The following fields are available:
  • Name — Specify the name of the new priority mapping. This is the alert name that is assigned to the alert when a custom alert is defined. The content of the Name field must exactly match the displayed content of the alert, or the priority setting will have no effect on the displayed priority for the associated alert.
  • Priority — Specify the priority of the alert when it is displayed in the Reporting and Monitoring Tool. The following table lists the priorities.

Table 21 Alert priorities
Priority      Alert Color
Critical
High
Low
Warning
Information   <transparent>

• Name — Displays the content that is displayed for the associated alert.
• Priority — Specify the priority to be assigned to the alert when it is displayed in the Reporting and Monitoring Tool. You can select a new value.
• Add — Add the new mapping to the list.
• OK — Save the changes made in this window.
• Cancel — Close this window without saving any changes.

SSH known hosts
You can configure the SSH proxy to decrypt SSH traffic, perform content inspection, and then re-encrypt the traffic before sending it to its destination. To decrypt and re-encrypt the SSH traffic, the proxy acts like a server when it communicates with the client, and acts like a client when it communicates with the server. Therefore, the proxy must maintain two databases:
• A known hosts database to store SSH server keys
• A database of SSH server keys to present to clients

The known hosts database and the server keys are both managed on the SSH proxy agent. For more information, see the "Services" chapter of the McAfee Firewall Enterprise (Sidewinder) Administration Guide.
Configuring strong known host associations
Use the SSH Known Hosts window to manage the database of strong known host associations. This list includes only those SSH known host keys with strong trust levels across all firewalls.

Figure 240 SSH Known Hosts window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Double-click the SSH Known Hosts node. The SSH Known Hosts window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Apply On — [Read-only] Displays the name of a specific firewall or ALL FIREWALLS to indicate the firewall or firewalls on which this known host key is to be applied.
• IP Address — [Read-only] Displays the IP address of the SSH server.
• Port — [Read-only] Displays the port on which the SSH server is listening.
• Retrieved From — [Read-only] Displays the firewall from or through which the key was obtained. If a key was manually specified, a blank value is displayed.
• Key Type — [Read-only] Displays the type of SSH key that the SSH server presents. Valid values are RSA or DSA.
• Fingerprint — [Read-only] Displays the fingerprint that the SSH server presents. A fingerprint is a hashed (shortened) version of the host key.
• Delete — Delete the known host association in the row in which you click x (Delete).
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving any changes.
• Add Known Host — Displays the Add SSH Known Host window, in which you can add known host keys. All known host keys that you add in that window will have strong trust levels.
• Manage Known Hosts — Displays the Manage Known Hosts window, in which you can view known host keys with weak trust levels for a specific firewall.

Creating strong SSH known host keys
Use the Add SSH Known Host window to add strong SSH known host keys.

Figure 241 Add Known Hosts window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Double-click the SSH Known Hosts node. The SSH Known Hosts window is displayed.
3 Click Add Known Host. The Add SSH Known Host window is displayed.

Fields and buttons
This window has the following fields and buttons:
• IP address — Specify the IP address of the SSH server for which you are defining this known host key.
• Port — Specify the port on which the SSH server is listening.
• Key type — Specify the encryption format to be used when signing the certificate.
  • RSA — This format is faster when verifying signatures. It is the most commonly used encryption and authentication algorithm.
  • DSA — This format is faster when generating signatures.
• Apply on — Specify the firewall on which you want to apply this SSH known host key. You can also select ALL FIREWALLS to apply this key to all firewalls.
• Retrieve the SSH Key via a request from a firewall — Determines whether to retrieve the key from the server by using a firewall request.
  • Firewall — Specify the name of the firewall to use for this retrieval.
  • Retrieve key — Perform the retrieval. If the retrieval is successful, the data is displayed in the Key field and the fingerprint is displayed in the Fingerprint field. Click OK. The new SSH known host key is added to the list on the SSH Known Hosts window.
• Manually enter the SSH Key — Determines whether to paste the host key data from another source or to type it in manually. You can also generate a fingerprint for this SSH key.
  • Key — Specify the host key value. If you have specified a new SSH key or edited a retrieved one, click Calculate to create or update the fingerprint and then click OK to add this key to the list on the SSH Known Hosts window.
  • Fingerprint — [Read-only] Displays the fingerprint of the SSH key.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.

Configuring host associations
Use this window to delete weak associations from the firewall or to promote weak associations to strong associations.

Figure 242 Manage Known Hosts window

Accessing this window
1 In the Configuration Tool, select the Policy group bar.
2 Double-click the SSH Known Hosts node. The SSH Known Hosts window is displayed.
3 Click Manage Known Hosts. The Manage SSH Known Hosts window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Firewall — Specify the name of the firewall from which to retrieve weak associations and click Retrieve Weak Associations. You can then either promote the weak associations to strong ones or delete them.
• Promote to Strong — Determines whether to promote a weak association to a strong one. If this is selected, when you click OK, this association will be displayed on the SSH Known Hosts window, along with the other strong associations.
• Address — [Read-only] Displays the SSH server IP address that is stored on the firewall.
• Port — [Read-only] Displays the port on which the SSH server is listening.
• Key type — [Read-only] Displays the type of SSH key that the SSH server presents. Values are RSA and DSA.
• Fingerprint — [Read-only] Displays the fingerprint that the SSH server presents.
• Delete — Click x (Delete) in the row that you want to delete. The weak association is deleted from the firewall.
• Apply promoted associations to all firewalls — Determines whether the selected promoted associations are applied to all firewalls or only to the one selected in the Firewall field above.
• OK — Save the changes in this window.
• Cancel — Close this window without saving any changes.
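The Fingerprint column above is described as a hashed version of the host key, and the Manage Known Hosts window distinguishes weak from strong associations. The following added Python example (not Control Center or firewall code) computes the two common OpenSSH fingerprint formats for a constructed ssh-rsa key, as pasted into the Key field, and checks a key a server presents against a stored association with its trust level; the KnownHostsDatabase class and its match/mismatch/unknown results are this example's own construction, not the proxy's data model.

```python
"""Added illustration of the fingerprint shown in the Fingerprint column and of checking a
presented SSH host key against a stored known-host association. Not firewall code; the
host key below is constructed for the example and is not a real server key."""
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPE_NAMES = {"ssh-rsa": "RSA", "ssh-dss": "DSA"}   # wire name -> Key Type column value


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint: two's-complement big-endian, so a leading 0x00 is added when the
    high bit of the first byte is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_public_blob(e: int, n: int) -> bytes:
    """RFC 4253 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_key_line(line: str) -> tuple:
    """Parse '<key type> <base64 blob> [comment]' as pasted into the Key field.
    Returns (wire key type, raw blob) after checking that the declared type agrees with
    the type string embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob>'")
    blob = base64.b64decode(parts[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != parts[0].encode():
        raise ValueError("declared key type does not match the blob")
    return parts[0], blob


def fingerprint_md5(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: colon-separated hex MD5 of the raw key blob."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


@dataclass(frozen=True)
class KnownHostAssociation:
    ip: str
    port: int
    key_type: str      # RSA or DSA, as in the Key Type column
    fingerprint: str   # MD5 fingerprint of the stored key
    trust: str         # "strong" (added or promoted by an administrator) or "weak"


class KnownHostsDatabase:
    """Associations keyed by (ip, port), like the table on the SSH Known Hosts window."""

    def __init__(self):
        self._by_endpoint = {}

    def add(self, assoc: KnownHostAssociation) -> None:
        self._by_endpoint[(assoc.ip, assoc.port)] = assoc

    def check(self, ip: str, port: int, key_line: str) -> str:
        """Compare the key a server presents with the stored association for ip:port.
        'unknown': no association yet; 'mismatch': the key differs from the stored one
        (the server was re-keyed or the connection is being intercepted; verify out of band
        before trusting it); 'match/<trust>': same key, with the stored trust level."""
        wire_type, blob = parse_key_line(key_line)
        stored = self._by_endpoint.get((ip, port))
        if stored is None:
            return "unknown"
        if (stored.key_type != KEY_TYPE_NAMES.get(wire_type)
                or stored.fingerprint != fingerprint_md5(blob)):
            return "mismatch"
        return f"match/{stored.trust}"


# Constructed key material: a valid ssh-rsa blob layout with toy numbers, not a real key.
CONSTRUCTED_BLOB = build_rsa_public_blob(65537, 0xC0FFEE1234567891)
CONSTRUCTED_KEY_LINE = "ssh-rsa " + base64.b64encode(CONSTRUCTED_BLOB).decode() + " example-host"
# A second constructed key for the same server, to show what a changed key looks like.
CHANGED_KEY_LINE = "ssh-rsa " + base64.b64encode(build_rsa_public_blob(65537, 0xC0FFEE1234567893)).decode()
```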
8 Configuration Tool - Monitor

Contents
Monitoring
Firewall configuration management
Responses
Audit trail
Audit archives
Reporting
Firewall audit reports
Firewall license reports

Monitoring
The nodes and objects that are displayed in the Monitor tree of the Configuration Tool represent customized actions that occur when specific conditions occur on an associated firewall. Monitoring firewall activity is important so that you can detect and respond to threats and critical conditions. You can configure the firewall to recognize unusual or abnormal occurrences and customize your response to these events.

The following nodes are displayed in the Monitor tree of the Configuration Tool.
• Audit Filters — Select this node to view a list of user-defined or pre-defined filter objects. Each object contains parameters that are used for filtering audit data in the McAfee Firewall Enterprise Audit Report window. By filtering the audit data, you can respond effectively to audit events of particular interest to your site. For more information, see Configuring filters for audit reports on page 632.
• Responses — Select this node to view the following sub-nodes: E-mail Accounts and Host Blackhole. Select the E-mail Accounts node to view e-mail accounts that will receive alerts during an IPS attack response. Select the Host Blackhole sub-node to view hosts from which suspect traffic will be blackholed, or ignored. For more information, see Configuring alert notification for e-mail accounts on page 606 and Configuring blackholes for suspected hosts on page 607.
• IPS Attack Responses — Select this node to view Intrusion Prevention System (IPS) attack responses. These attack responses define the way that the firewall responds when it detects audit events that indicate such possible attacks as Type Enforcement violations and proxy floods. Configure and modify IPS attack responses by using the IPS Attack Responses window. For more information, see Configuring IPS attack responses on page 609.
• System Responses — Select this node to view system responses. These system responses define the way that the firewall responds when it detects audit events that indicate such significant system events as license failures and log overflow issues. Configure and modify system responses in the System Response window. For more information, see Configuring system responses on page 613.
• Audit Report — Select this node to view the McAfee Firewall Enterprise Audit Report window, in which you can select parameters to generate a report of all of the audit events for one or more firewalls. For more information, see Configuring and generating audit reports for one or more firewalls on page 625.
• License Report — Select this node to view the License Report Manager window, in which you can select the firewall against which to run this report. The License Report page displays the status of various licenses for the selected firewall. For more information, see Viewing the status of all of the licenses for a firewall on page 645.
• Policy Report — Select this node to view the Policy Report window, in which you can select parameters to generate a report about the security policy that has been defined and implemented on the selected firewall. For more information, see Selecting the criteria for the firewall policy report on page 640.

Firewall configuration management
You can remotely manage components of the firewall by using the Configuration Tool. To that end, several windows and pages are available, including:
• Updating the status of one or more apply configurations by using the Validation Configuration window (Validating firewall configurations on page 586)
• Correcting any potential issues with the validation configuration as displayed in the Validation Warnings window ()
• Viewing the status of firewall apply configurations by using the Validation Status Report page (Viewing the status of Apply Configurations on page 593)
• Applying a configuration by using the Apply Configuration window (Applying firewall configurations on page 589)
• Correcting any potential issues with the apply configuration as displayed in the Apply Warnings window (Troubleshooting apply configuration warnings on page 591)
• Viewing configuration information by using the Configuration Status Report page (Viewing configuration information about each firewall on page 584)

Viewing the overall status of your firewalls
Use the Firewall Status page to view a summary of the status for all of the firewalls that are configured for your operation. You can quickly determine information about the operation of each firewall, such as the current operational status, the version of the installed software, the health of the firewall, and additional information. In the dashboard section at the bottom of this page, you can also view charts that display information about other characteristics, such as CPU utilization and disk utilization.

For more specific information about the data that is displayed on this page, see Table fields and buttons on page 575 and Dashboard fields and buttons on page 577. Although this information can help you to determine operational information about the individual firewalls that are distributed throughout your system, this is one of several different windows and pages that you can use to evaluate the status of your security system against the requirements of your security policy.
Figure 243 Firewall Status page

Accessing this page
In the Reporting and Monitoring Tool, select (Firewall Status) in the toolbar or, from the View menu, select Firewall Status.
or
In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed. Select this tab.
or
If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall Status or select (Firewall Status) in the toolbar.
The Firewall Status page is displayed.

Table fields and buttons
Click a column heading in the data table to sort the column data in ascending or descending order. The Firewall column sorts by firewall status (red or green) or by firewall name. Double-click a row in this table to display the Firewall Dashboard window for that firewall.
• Current firewall status as of — [Read-only] Displays the timestamp of the last update to the data on this page.
• Update Status — Force an update of the status for the selected firewall. To use this feature, highlight one or more firewalls and click Update Status. A message is sent to each firewall to return its current status information.
• Settings… — Displays the Firewall Status Settings window, in which you can configure the columns to be displayed in this table, the thresholds for various columns, and the charts to be displayed in the dashboard part of this page. For more information, see Configuring settings for the Firewall Status page on page 579.
• Status — [Read-only] Displays the status of the associated firewall the last time that the page data was refreshed. (Red) indicates a status of not running. (Green) indicates a status of running. (Amber) indicates that the firewall is running, but that it is in a policy mismatch state. (Question mark) indicates that the state of the firewall is unknown.
• Firewall — [Read-only] Displays (the firewall icon) for the firewall and the name that was assigned to the firewall when it was configured.
• Cluster — [Read-only] Displays the name of the cluster of which this firewall is a member.
• Version — [Read-only] Displays the current version of the software or firmware that is running on the associated firewall. This value is also displayed in the data fields on the left side of the dashboard.
• Policy Status — [Read-only] Displays whether the configuration policy has been applied from the Control Center to the firewall. This value is also displayed in the data fields on the left side of the dashboard. The following values are available:
  • POLICY MISMATCH — Indicates that the policy on the Control Center for the specified firewall does NOT match the policy on the firewall.
  • Policy in sync — Indicates that the policy on the Control Center for the specified firewall matches the policy on the firewall.
  • Never applied — Indicates that the policy for the firewall has never been applied from the Control Center.
  • Unknown — Indicates that the Control Center cannot verify the state of the policy on the firewall.
• Health — [Read-only] Displays the health of the firewall as determined by a combination of the warning and critical threshold values that are set on the Firewall Status Settings window. These thresholds are for CPU utilization, physical memory utilization, virtual memory utilization, and disk utilization. (Red) indicates that one of these values has exceeded the specified critical threshold on this firewall. (Green) indicates that none of the warning or critical thresholds have been exceeded on this firewall. (Amber) indicates that one of these values has exceeded the specified warning threshold on this firewall. (Unknown) indicates that the thresholds for this firewall cannot be determined.
• CPU — [Read-only] Displays the percentage of existing CPU that is being used in this firewall. This value is also graphically displayed and charted in the CPU Utilization chart in the dashboard. This value is also one of the values that is monitored for the Health column indicator.
• Memory — [Read-only] Displays the percentage of existing memory that is being used in this firewall. This value is also graphically displayed and charted in the Memory Utilization chart in the dashboard. This value is also one of the values that is monitored for the Health column indicator.
• Swap — [Read-only] Displays the percentage of existing swap space that is being used in this firewall. This value is also one of the values that is monitored for the Health column indicator.
• Disk — [Read-only] Displays the percentage of existing disk space that is being used in this firewall. This value is also graphically displayed and charted in the Disk Utilization chart in the dashboard. This value is also one of the values that is monitored for the Health column indicator.
• Proxy Sessions — [Read-only] Displays the number of proxy sessions that are currently running on this firewall.
• Filter Sessions — [Read-only] Displays the number of filter sessions that are currently running on this firewall. • Boot Time — [Read-only] Displays the timestamp for the date and time at which the associated firewall was last started. 576 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
• Last Apply — [Read-only] Displays a timestamp for the last time that a successful change was applied to the associated firewall. This value is also displayed in the data fields on the left side of the dashboard.
• Last Status Change — [Read-only] Displays the timestamp at which the firewall status was last updated by the Control Center.
• Location — [Read-only] Displays the location data that was assigned to the associated firewall when it was configured. This value is also displayed in the data fields on the left side of the dashboard.
• Contact — [Read-only] Displays the contact data that was assigned to the associated firewall when it was configured. This value is also displayed in the data fields on the left side of the dashboard.

Dashboard fields and buttons

The dashboard part of this window is split into two read-only sections. The section on the left contains data about the firewall, including a few fields that are not displayed elsewhere on this page (in the table at the top of the page or in the charts), such as inbound and outbound data and the status of the interface or interfaces on this firewall. The section on the right contains charts. The following charts are available on this window (again, as controlled in the Firewall Status Settings window):
• Unacknowledged Alerts (available only if this firewall is configured to send Secure Alerts to the Control Center)
• CPU Utilization
• Memory Utilization
• Disk Utilization
• Active Sessions
• Data Rate (bytes / sec)
• VPN Sessions
The data for all of these charts is updated periodically as the information is received. Note that, for the Unacknowledged Alerts chart, this is information that the firewall has sent to the Control Center.

Viewing the status of a specific firewall

Use the Firewall Dashboard window to view a summary of the status for one firewall in your configuration domain. You can also display additional windows for other firewalls and monitor them all at the same time while you are working in the Control Center Client Suite. The data in this window is the same data that is displayed at the bottom of the Firewall Status page, but for one firewall only. The charts that are displayed in this window can be changed in the Charts tab of the Firewall Status Settings window. For more information, see Configuring settings for the Firewall Status page on page 579.
Figure 244 Firewall Dashboard window

Accessing this window
1 In the Reporting and Monitoring Tool, select (Firewall Status) in the toolbar or, from the View menu, select Firewall Status.
or
In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed. Select this tab.
or
If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall Status or select (Firewall Status) in the toolbar.
The Firewall Status page is displayed.
2 Double-click the firewall for which you want to view the dashboard information. The Firewall Dashboard window is displayed.

Fields and buttons
This window is split into two read-only sections. The section on the left contains data about the firewall, including a few fields that are not displayed elsewhere (in the table at the top of the Firewall Status page or in the charts), such as inbound and outbound data and the status of the interface or interfaces on this firewall.

Charts
The section on the right contains charts. The following charts are available on this window (again, as controlled in the Firewall Status Settings window):
• Unacknowledged Alerts (available only if this firewall is configured to send Secure Alerts to the Control Center)
• CPU Utilization
• Memory Utilization
• Disk Utilization
• Active Sessions
• Data Rate
• VPN Sessions
The data for all of these charts is updated periodically as the information is received. Note that, for the Unacknowledged Alerts chart, this is information that the firewall has sent to the Control Center.
Click the Close button to close this window and return to the Firewall Status page.

Configuring settings for the Firewall Status page

Use the Firewall Status Settings window to specify the following information:
• Columns to be displayed in the Firewall Status page
• Warning and critical thresholds for various fields in the Firewall Status page that determine the displayed health status of the firewall
• Charts to display in the dashboard section of the Firewall Status page or the Firewall Dashboard window

Figure 245 Firewall Status Settings window
Accessing this window
1 In the Reporting and Monitoring Tool, select (Firewall Status) in the toolbar or, from the View menu, select Firewall Status.
or
In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed. Select this tab.
or
If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall Status or select (Firewall Status) in the toolbar.
The Firewall Status page is displayed.
2 Click Settings…. The Firewall Status Settings window is displayed.

Buttons
This window has the following buttons:
• OK — Save the setting changes. The Firewall Status page will be updated to reflect these changes.
• Cancel — Close this window without saving any setting changes.
• Defaults — Reset all of the settings on all of the tabs to their default settings.

Tabs
This window has the following tabs:
• Display Columns — Specify the columns to display or hide in the Firewall Status page. For more information, see Firewall Status Settings window: Display Columns tab on page 580.
• Health Thresholds — Specify the warning and critical threshold percentages for various fields in the Firewall Status page. For more information, see Firewall Status Settings window: Health Thresholds tab on page 581.
• Charts — Specify the charts to display in the Firewall Status page or on the Firewall Dashboard window. For more information, see Firewall Status Settings window: Charts tab on page 583.

Firewall Status Settings window: Display Columns tab

Use the Display Columns tab on the Firewall Status Settings window to define the columns that are to be displayed on the Firewall Status page and the order in which they will be displayed. To view the fields on this tab, see Figure 245 on page 579.

Accessing this tab
1 If the Firewall Status Settings window is not displayed, go to step 2.
or
If the Firewall Status Settings window is displayed, make sure that the Display Columns tab is displayed.
2 In the Reporting and Monitoring Tool, select (Firewall Status) in the toolbar or, from the View menu, select Firewall Status.
or
In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed. Select this tab.
or
If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall Status or select (Firewall Status) in the toolbar.
The Firewall Status page is displayed.
3 Click Settings…. The Firewall Status Settings window is displayed.
4 Make sure that the Display Columns tab is displayed.
Fields and buttons
Remember that you can always revert to the default settings for all of the tabs by clicking Defaults. This tab has the following fields and buttons:
• Fields to display — Displays a list of the available columns that are currently selected to be displayed on the Firewall Status page. To move a column from this display list to the hidden list (so that it will not appear in the Firewall Status page table), highlight the column and click the right arrow button. The column is then moved to the hidden list. To change the order of the displayed columns, highlight the column to be moved and then click the up arrow or down arrow to move it into the appropriate position. When you click OK, the Firewall Status page will display the columns in the order that you have them in this list, from left to right in the table.
• Fields to hide — Displays a list of the available columns that are currently selected to be hidden from the Firewall Status page. These columns will not display in the table on that page. To move a hidden column in this list to the displayed columns list, highlight the column and click the left arrow button. The column is then moved to the display list. Use the up and down arrows to change the displayed order of this column as needed. When you click OK, the Firewall Status page will hide the columns that you have moved to this list.

Firewall Status Settings window: Health Thresholds tab

Use the Health Thresholds tab of the Firewall Status Settings window to configure the percentages of several fields for a warning indication or for a critical indication in the Health column of the Firewall Status page. For example, if you set a warning threshold of 75% for CPU utilization, any firewall that uses more than 75% of the CPU at any moment will trigger the Health column indicator to change from (no thresholds have been reached) to (at least one warning threshold has been exceeded).

Figure 246 Firewall Status Settings window: Health Thresholds tab
Accessing this tab
1 If the Firewall Status Settings window is not displayed, go to step 2.
or
If the Firewall Status Settings window is displayed, make sure that the Health Thresholds tab is displayed.
2 In the Reporting and Monitoring Tool, select (Firewall Status) in the toolbar or, from the View menu, select Firewall Status.
or
In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed. Select this tab.
or
If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall Status or select (Firewall Status) in the toolbar.
The Firewall Status page is displayed.
3 Click Settings…. The Firewall Status Settings window is displayed.
4 Select the Health Thresholds tab. The Health Thresholds tab is displayed.

Fields and buttons
Remember that you can always revert to the default settings for all of the tabs by clicking Defaults. This tab has the following fields and buttons:
• Warning threshold — Specify the percentage above which a warning indicator ( ) is displayed in the Health field on the Firewall Status page. The default value for all of the warning thresholds is 75.
• Critical threshold — Specify the percentage above which a critical indicator ( ) is displayed in the Health field on the Firewall Status page. The default value for all of the critical thresholds is 90.
• CPU — Specify the warning and critical threshold percentages for CPU utilization. When a firewall exceeds a threshold, the Health field in the Firewall Status page displays the appropriate indicator.
• Physical memory — Specify the warning and critical threshold percentages for physical memory utilization. When a firewall exceeds a threshold, the Health field in the Firewall Status page displays the appropriate indicator.
• Swap usage — Specify the warning and critical threshold percentages for swap utilization. When a firewall exceeds a threshold, the Health field in the Firewall Status page displays the appropriate indicator.
• Hard disk — Specify the warning and critical threshold percentages for hard disk utilization. When a firewall exceeds a threshold, the Health field in the Firewall Status page displays the appropriate indicator.
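The Health column is a roll-up of four utilization percentages against the warning and critical thresholds on this tab. The following script is an added example, not Control Center code, that reproduces that roll-up so the semantics can be checked outside the GUI: a value must be strictly greater than a threshold to trigger it (as the guide's "more than 75%" wording says), the worst metric decides the indicator, and a threshold pair in which the warning is not below the critical is rejected. One detail is this example's own choice rather than anything the guide states: a metric the firewall did not report ranks above amber (so missing telemetry is visible) but below red (so a known critical value is never hidden). The metric names, firewall names and sample percentages are constructed for the example.

```python
"""Health indicator roll-up for the Firewall Status page.

Added example, not Control Center code. Models the Health Thresholds tab:
four utilisation percentages (CPU, physical memory, swap, hard disk), each
with a warning and a critical threshold (defaults 75 and 90), rolled up
into one Health indicator per firewall.
"""
from typing import Dict, Mapping, Optional, Tuple

# Metrics the Health column considers, named after the Health Thresholds tab.
METRICS = ("cpu", "physical_memory", "swap", "disk")

# Guide defaults: warning 75, critical 90, for every metric.
DEFAULT_THRESHOLDS: Dict[str, Tuple[float, float]] = {m: (75.0, 90.0) for m in METRICS}

GREEN, AMBER, UNKNOWN, RED = "green", "amber", "unknown", "red"

# Roll-up order (this example's assumption, not stated by the guide): a
# missing metric outranks amber so the operator sees that data is missing,
# but never hides a known critical value.
_SEVERITY = {GREEN: 0, AMBER: 1, UNKNOWN: 2, RED: 3}


def validate_thresholds(thresholds: Mapping[str, Tuple[float, float]]) -> None:
    """Reject threshold pairs that make no sense: percentages outside 0..100
    or a warning that is not below its critical."""
    for metric, (warning, critical) in thresholds.items():
        if metric not in METRICS:
            raise ValueError(f"unknown metric {metric!r}")
        if not (0 <= warning <= 100 and 0 <= critical <= 100):
            raise ValueError(f"{metric}: thresholds must be percentages")
        if warning >= critical:
            raise ValueError(f"{metric}: warning {warning} must be below critical {critical}")


def metric_state(value: Optional[float], warning: float, critical: float) -> str:
    """Classify one utilisation percentage. The guide says a firewall that
    uses *more than* the threshold triggers it, so exactly 75% stays green."""
    if value is None:
        return UNKNOWN
    if value > critical:
        return RED
    if value > warning:
        return AMBER
    return GREEN


def firewall_health(sample: Mapping[str, Optional[float]],
                    thresholds: Optional[Mapping[str, Tuple[float, float]]] = None) -> str:
    """Roll the per-metric states up into the single Health indicator.

    `sample` maps metric name to percentage (missing or None = not reported).
    `thresholds` overrides the defaults per metric, e.g. {"disk": (60, 80)}.
    """
    merged = dict(DEFAULT_THRESHOLDS)
    merged.update(thresholds or {})
    validate_thresholds(merged)
    states = [metric_state(sample.get(m), *merged[m]) for m in METRICS]
    return max(states, key=_SEVERITY.__getitem__)


def status_table(samples: Mapping[str, Mapping[str, Optional[float]]],
                 thresholds: Optional[Mapping[str, Tuple[float, float]]] = None) -> Dict[str, str]:
    """Health column for a whole Firewall Status page: firewall name -> state."""
    return {name: firewall_health(sample, thresholds) for name, sample in samples.items()}


if __name__ == "__main__":
    # Constructed samples, not real telemetry.
    fleet = {
        "fw-dmz-1": {"cpu": 12.0, "physical_memory": 41.5, "swap": 0.0, "disk": 63.0},
        "fw-dmz-2": {"cpu": 78.0, "physical_memory": 40.0, "swap": 0.0, "disk": 63.0},
        "fw-core-1": {"cpu": 30.0, "physical_memory": 55.0, "swap": 2.0, "disk": 96.0},
        "fw-branch-7": {"cpu": 20.0, "physical_memory": 35.0, "swap": None, "disk": 40.0},
    }
    for name, state in status_table(fleet).items():
        print(f"{name:12} {state}")
```

Running the module prints green, amber, red and unknown for the four constructed firewalls, in that order; the last one is unknown only because its swap figure is missing, which is the case the GUI's (Unknown) indicator covers.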
Firewall Status Settings window: Charts tab

Use the fields on the Charts tab of the Firewall Status Settings window to configure the charts that are displayed on the Firewall Status page and in the Firewall Dashboard window, and the way in which they are displayed.

Figure 247 Firewall Status Settings window: Charts tab

Accessing this tab
1 If the Firewall Status Settings window is not displayed, go to step 2.
or
If the Firewall Status Settings window is displayed, make sure that the Charts tab is displayed.
2 In the Reporting and Monitoring Tool, select (Firewall Status) in the toolbar or, from the View menu, select Firewall Status.
or
In the Configuration Tool, the Firewall Status page should be one of the default tabs that are displayed. Select this tab.
or
If you do not see the Firewall Status tab in the Configuration Tool, from the Reports menu, select Firewall Status or select (Firewall Status) in the toolbar.
The Firewall Status page is displayed.
3 Click Settings…. The Firewall Status Settings window is displayed.
4 Select the Charts tab. The Charts tab is displayed.

Fields and buttons
Remember that you can always revert to the default settings for all of the tabs by clicking Defaults. This tab has the following fields and buttons:
• Charts to display — Displays a list of charts that are currently displayed on the Firewall Status page and in the Firewall Dashboard window. All of the charts are displayed by default. You can change the order of the displayed charts by highlighting the chart to be moved and clicking the up or down arrow. You can also remove (hide) a chart by highlighting it and clicking the right arrow to move it to the Charts to hide list.
• Charts to hide — Displays a list of charts that are currently hidden from view on the Firewall Status page and in the Firewall Dashboard window. All of the charts are displayed by default. You can move a chart from hidden to displayed by highlighting it and clicking the left arrow to move it to the Charts to display list. You can then change the position of this chart in the display by highlighting it and clicking the up or down arrow.
• Number of minutes of data to display — Specify the number of minutes to display in each chart. Subdivisions of this time period are automatically generated in each chart so that you can view segments of the time. The default value is 30.
• Show chart data in 3-D — Determines whether to display the chart data in a three-dimensional view or a two-dimensional view. This checkbox is selected by default.

Viewing configuration information about each firewall

Use the Configuration Status Report page to view information about the propagation of configuration data from the Control Center Management Server database to each selected firewall. When the Configuration Status Report page is displayed, the propagation status is refreshed every 15 seconds. For more information, see Firewall configuration management on page 574.

Figure 248 Configuration Status Report page

Accessing this page
In the Configuration Tool, select (Configuration Status Report) in the toolbar.
or
From the Reports menu, select Configuration Status Report.
The Configuration Status Report page is displayed.

Fields and buttons
The data displayed on this report is determined by the option that is selected in the Display Configurations area, in the lower right corner of the page. When Current is selected, the following buttons and field data are displayed:
• Last Refreshed — [Read-only] Displays the time at which this page was last refreshed (by clicking the Refresh button) or, if the Refresh button has not been clicked yet, the time at which this page was opened.
• Firewall (name and icon) — [Read-only] Displays the name of the firewall and its associated icon. As of the time displayed in the Last Refreshed field at the top of the page, the current communication status of the associated firewall is indicated by an icon preceding this field. The following values are possible:
  • (Green) — Responding
  • (Red) — Not Responding
• Groups — [Read-only] Displays the names of the device groups to which the firewall belongs, or none.
• Last Update — [Read-only] Displays the date and time that the firewall was last updated.
• Pending Update — [Read-only] Displays the date and time that a pending update was created.
• Pending Status — [Read-only] Displays the status of the pending propagation request. The following values can be displayed:
  • Notified — Indicates that the server has notified the firewall that an update is available and it (the server) is waiting for a reply from the firewall.
  • Notify Failed — Indicates that the server was not able to notify the firewall about a new update because of a communication failure.
  • Requested — Indicates that the firewall has requested an update, and that the server is preparing to send it.
  • Sent — Indicates that the server has sent new configuration data to the firewall.
  • Send Failed — Indicates that the server was unable to send the new configuration data to the firewall because of a communication failure.
  • Apply failed (marked with !) — Indicates that the apply for this configuration failed. Double-click the row to view an explanatory message about the failure.
  • Completed — Indicates that the new configuration has been applied, and that the firewall has reported success.
  • Rejected — Indicates that the new configuration was not applied, and that the firewall has reported a failure.
  • Unknown — Indicates that there is no record of ever having sent a configuration update to the firewall.
• Refresh — Immediately refresh the status information.
• Re-init All — Immediately re-initialize all of the firewalls that have a pending re-initialize status. This does not affect firewalls that do not have a pending re-initialization status.
• Reinitialize Select — Immediately re-initialize the selected firewall or firewalls that have a pending re-initialize status. This does not affect firewalls that do not have a pending re-initialization status.
• Display Configurations — The selected option determines whether to display the firewalls with a completed configuration update (select Current) or the firewalls that are scheduled to perform a configuration update (select Scheduled).

When Scheduled is selected in the Display Configurations area, the following buttons and field data are displayed:
• Firewall (name and icon) — [Read-only] Displays the name of the firewall and its associated icon. As of the time displayed in the Last Refreshed field at the top of the page, the current communication status of the associated firewall is indicated by an icon preceding this field. The following values are possible:
  • (Green) — Responding
  • (Red) — Not Responding
• Configuration Created — [Read-only] Displays a time/date stamp of the time at which the pending configuration was created.
• Pending Update — [Read-only] Displays a time/date stamp of the time at which the pending configuration is to be applied.
• Pending Status — [Read-only] Displays the status of the pending propagation request. The following values may be displayed:
  • Pending — Indicates that the update is waiting for the propagation time to occur.
  • Notified — Indicates that the server has notified the firewall that an update is available and it (the server) is waiting for a reply from the firewall.
  • Notify Failed — Indicates that the server was unable to notify the firewall about a new update because of a communication failure.
  • Requested — Indicates that the firewall has requested an update, and that the server is preparing to send it.
  • Sent — Indicates that the server has sent new configuration data to the firewall.
  • Send Failed — Indicates that the server was unable to send the new configuration data to the firewall because of a communication failure.
  • Completed — Indicates that the new configuration has been applied, and that the firewall has reported success.
  • Rejected — Indicates that the new configuration could not be applied, and that the firewall has reported a failure.
  • Unknown — Indicates that there is no record of ever having sent a configuration update to the firewall.
• Refresh — Immediately refresh the status information.
• Cancel Selected — Cancel the propagation request for the selected firewall.
• Re-Schedule Selected — Reschedule the propagation request to another time. A new window is displayed, in which you can configure a new date and time.
• Display Configurations — The selected option determines whether to display the firewalls with a completed configuration update (select Current) or the firewalls that are scheduled to perform a configuration update (select Scheduled).

Validating firewall configurations

Use the Validate Configuration window to ensure that firewall configurations stored on the Control Center Management Server are valid. You can also use this window to view the differences between the current configuration and the proposed configuration of a firewall. For more information, see Firewall configuration management on page 574.

The configuration validation process transfers all of the related rules and configuration data from the Control Center database to the selected firewalls. The receiving firewalls attempt to validate the configuration, but they do not actually apply any changes.
The results of the validation process are recorded in the Validation Status Report, which can be opened by selecting the Validation Status Report option from the View menu. If the configuration of a particular firewall is reported to be valid, select the Apply Configurations option on the Configuration menu to apply the configuration to the firewall.

Figure 249 Validate Configuration window
Accessing this window
1 In the Configuration Tool, click (Validate Configurations…) in the toolbar. The Validate Configuration window is displayed.
or
From the Configuration menu, select Validate Configurations…. The Validate Configuration window is displayed.
or
In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node to display the tree.
2 Right-click the firewall whose configuration you want to validate and select Validate Configuration. The Validate Configuration window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Ticket — Specify the active ticket value. If a global ticket is being used, the global ticket value is displayed in this field and cannot be edited. Otherwise, to use a ticket for each apply or validate, specify a value in this field. The ticket value is then added to the audit trail for the apply/validate functionality.
• Firewall — Displays a list of the firewalls that are being managed by this Control Center. Select one or more firewalls to validate.
• OK — Continue with the validation. If there are no warnings, the Validation Status Report page is displayed. If there are warnings, the Validation Warnings window is displayed.
• Cancel — Close this window and cancel the validation.

Troubleshooting validation configuration warnings

Use the Validation Warnings window to learn about any validation issues and to configure whether warning messages will be displayed in the future for specific issues. Before you continue with the apply configuration process, a validation process now occurs. If there are any issues that could cause the apply process to fail, this window is displayed and the specific issues are identified. You have the following options in this window:
• Proceed with the validation process, ignoring these issues. The result of this selection is that some of the values that you have configured may not be applicable to the firewall. As a result, the firewall may behave differently than your configuration would suggest.
• Cancel the validation process. This window closes. You can then fix the identified issues and re-validate. Note: This action cancels the validation for all of your selected firewalls, including those firewalls that had no potential issues.
• Identify a particular type of issue as one that you do not want to see warnings for in the future. The validation process will proceed. When you select this checkbox, the next time that a validation process is started and a scenario occurs in which a warning would be displayed, no warning will be issued.
Figure 250 Validation Warnings window

Accessing this window
In the Configuration Tool, highlight the firewall or firewalls in the tree that you want to update and select (Validate Configurations) in the toolbar. If there are any issues with the validation, this window is displayed. Otherwise, the validation proceeds and you will not see this window.

Fields and buttons
This window has the following fields and buttons:
• Firewall — [Read-only] Displays the name of the firewall that has the apply or validation issue. Note: If this apply or validation includes multiple firewalls, firewalls that do not have issues will not be displayed in this table.
• Issue — [Read-only] Displays a brief description of the apply or validation issue for the firewall.
• Proceed with the apply or validation process. — Determines whether to continue with the apply or validation process. If you select this option, you are ignoring the issues that have been displayed on this window. Your apply might fail as a result. Click OK and the apply or validation process will continue, with the issues that have been identified here.
• Never warn me about these issues for any firewall again. — Determines whether all of the issues in the table will be displayed for future applies or validations. This checkbox applies to all of the issues. For example, if you see a warning for a version issue and you do not care about those warnings, you can select that issue and then select this checkbox. You will not receive any version warnings in this window in the future. Those types of warnings will be ignored in this pre-validation process. However, the issue still exists and might cause apply issues. Note: If there are multiple issues on this window and you want to hide only one of them, select the cancel option, fix the other issues, and then re-apply or re-validate. When only the one issue remains, you can select this checkbox.
• Cancel the apply or validation process, resolve the issues, and then re-apply or re-validate the configuration. — Determines whether the apply or validation process is cancelled for all of the firewalls that were selected, even if they have no issues. Click OK and this window is closed without making any changes. Then you can fix the issues and re-apply or re-validate all of the firewalls again.
• OK — Perform the selected action for this apply or validation process. The Configuration Status Report is displayed for applies and the Validation Status Report is displayed for validations.
Validating the configuration of one or more firewalls

Use the Validate Configuration window in the Configuration Tool to validate configuration data for the selected firewall or firewalls.
1 In the Configuration Tool, from the Configuration menu, select Validate Configurations…. The Validate Configuration window is displayed.
2 Select the checkbox for each firewall to be validated. When managing an HA pair, only the served firewall will be validated against the cluster configuration information.
3 Click OK to validate the configuration of the selected firewall or firewalls.
4 If there are no validation warnings or errors, the Validation Status Report is displayed.
or
If there are validation warnings or errors, the Validation Warnings window is displayed. Decide how you want to proceed and click OK.
5 If you decided to proceed with the validation process, go to the apply process now.
or
If you decided to cancel the validation process, fix the warning issues and then re-validate the configuration or configurations (for multiple firewalls). Then go to the apply process.

Applying firewall configurations

Use the Apply Configuration window to propagate configurations from the Control Center database to the managed firewalls: to select the target firewalls and, optionally, to schedule the time at which the configuration should be applied. When a configuration is scheduled for a future date and time, the configuration that is stored in the Management Server when the schedule is defined is preserved, along with the status of the checkbox that determines whether the target firewall(s) should be re-initialized.

The Apply Configuration task sends configuration information to the selected target firewalls, transforming and implementing the data on the firewall, restarting firewall components as necessary, and reporting the results of the task back to the Control Center. The configuration status and any problems that occur while connecting to the firewalls are reported on the Configuration Status Report page. When this page is displayed, the propagation status is refreshed every 15 seconds.

Configurations can be applied only to firewalls that are currently in communication with the Management Server. Therefore, verify the firewall status before applying your changes. For more information, see Viewing configuration information about each firewall on page 584.
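The Pending Status values of the Configuration Status Report, together with the advice above to check firewall status before an apply, are what an operator watches after a push to a large fleet. The following is an added example, not Control Center code: it treats the status strings the report displays as states of a small machine, so that a report exported from the page can be triaged automatically into "fix the configuration" (Apply failed, Rejected), "fix connectivity" (Notify Failed, Send Failed), "still in progress" and "never applied", and flags firewalls that have sat in an in-progress state for too long. The transition graph is this example's reading of the guide's descriptions (the server notifies, the firewall requests, the server sends, the firewall applies and reports); the guide does not publish one. The report rows, firewall names and timestamps are constructed, and the "!" marker the page shows beside Apply failed is dropped from the string.

```python
"""Pending Status triage for the Configuration Status Report.

Added example, not Control Center code. The status strings are the ones the
report displays; the transition graph is inferred from the guide's
descriptions, not a documented interface. Report rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Mapping, Set

PENDING, NOTIFIED, NOTIFY_FAILED = "Pending", "Notified", "Notify Failed"
REQUESTED, SENT, SEND_FAILED = "Requested", "Sent", "Send Failed"
APPLY_FAILED, COMPLETED, REJECTED, UNKNOWN = "Apply failed", "Completed", "Rejected", "Unknown"

# A new apply (immediate or scheduled) may start from any settled state.
_NEW_APPLY = {PENDING, NOTIFIED}
TRANSITIONS: Dict[str, Set[str]] = {
    UNKNOWN: _NEW_APPLY,                        # no record of any update yet
    PENDING: {NOTIFIED},                        # scheduled time arrives
    NOTIFIED: {REQUESTED, NOTIFY_FAILED},       # waiting for the firewall to reply
    NOTIFY_FAILED: _NEW_APPLY,                  # retry after re-initialize / reschedule
    REQUESTED: {SENT, SEND_FAILED},             # server preparing to send
    SEND_FAILED: _NEW_APPLY,
    SENT: {COMPLETED, REJECTED, APPLY_FAILED},  # firewall applies and reports back
    COMPLETED: _NEW_APPLY,
    REJECTED: _NEW_APPLY,
    APPLY_FAILED: _NEW_APPLY,
}

# The two failure families need different responses.
COMMUNICATION_FAILURES = {NOTIFY_FAILED, SEND_FAILED}   # fix connectivity, then re-initialize
CONFIGURATION_FAILURES = {APPLY_FAILED, REJECTED}       # fix the configuration, then re-apply
IN_PROGRESS = {PENDING, NOTIFIED, REQUESTED, SENT}


def advance(current: str, new: str) -> str:
    """Accept a status change only if the inferred model allows it, so a
    report that jumps e.g. Notified -> Completed is flagged rather than trusted."""
    if current not in TRANSITIONS or new not in TRANSITIONS:
        raise ValueError(f"unknown status: {current!r} -> {new!r}")
    if new not in TRANSITIONS[current]:
        raise ValueError(f"unexpected transition {current!r} -> {new!r}")
    return new


def triage(rows: Iterable[Mapping[str, str]]) -> Dict[str, List[str]]:
    """Group report rows by the action an operator should take."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for row in rows:
        status = row["pending_status"]
        if status in CONFIGURATION_FAILURES:
            action = "fix_configuration"
        elif status in COMMUNICATION_FAILURES:
            action = "check_connectivity"
        elif status in IN_PROGRESS:
            action = "wait"
        elif status == COMPLETED:
            action = "done"
        elif status == UNKNOWN:
            action = "never_applied"
        else:
            raise ValueError(f"unknown Pending Status {status!r}")
        buckets[action].append(row["firewall"])
    return dict(buckets)


def stuck(rows: Iterable[Mapping[str, str]], now: datetime, max_age: timedelta) -> List[str]:
    """In-progress rows whose pending update is older than max_age: a firewall
    that sits in Notified or Sent for hours will not complete on its own."""
    return [row["firewall"] for row in rows
            if row["pending_status"] in IN_PROGRESS
            and now - datetime.fromisoformat(row["pending_update"]) > max_age]


# Constructed report rows (not real data); Pending Update is the creation time.
SAMPLE_ROWS = [
    {"firewall": "fw-dmz-1", "pending_status": COMPLETED, "pending_update": "2009-06-01T09:00:00"},
    {"firewall": "fw-dmz-2", "pending_status": NOTIFIED, "pending_update": "2009-06-01T09:01:00"},
    {"firewall": "fw-core-1", "pending_status": REJECTED, "pending_update": "2009-06-01T09:02:00"},
    {"firewall": "fw-branch-7", "pending_status": SEND_FAILED, "pending_update": "2009-06-01T09:03:00"},
    {"firewall": "fw-branch-8", "pending_status": SENT, "pending_update": "2009-06-01T11:55:00"},
    {"firewall": "fw-lab-1", "pending_status": UNKNOWN, "pending_update": "2009-06-01T09:05:00"},
]
REPORT_TIME = datetime(2009, 6, 1, 12, 0, 0)   # when the constructed report was read
STUCK_AFTER = timedelta(minutes=30)

if __name__ == "__main__":
    for action, firewalls in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{action:18} {', '.join(firewalls)}")
    print("stuck:", stuck(SAMPLE_ROWS, REPORT_TIME, STUCK_AFTER))
```

With the constructed rows, fw-core-1 lands in fix_configuration and fw-branch-7 in check_connectivity, and fw-dmz-2 is reported stuck because it has been in Notified for almost three hours while fw-branch-8, Sent five minutes ago, is not. Separating the two failure families matters because the remedies differ: Re-init All or Reinitialize Select helps a communication failure, but a Rejected or Apply failed status needs the configuration fixed and re-validated first.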
  • 590. Firewall configuration management Figure 251 Apply Configuration window Accessing this window 1 In the Configuration Tool, click (Apply Configurations…) in the toolbar. The Apply Configuration window is displayed. or From the Configuration menu, select Apply Configurations…. The Apply Configuration window is displayed. or In the Configuration Tool, make sure that the Firewalls group bar is selected. Select the Firewalls node to display the tree. 2 Right-click a firewall for which you want to apply its configuration and select Apply Configuration. The Apply Configuration window is displayed. Fields and buttons This window has following fields and buttons: • Schedule Apply Configuration — Determines whether to schedule the Apply Configuration task for a future time. When selected, use the down arrow to access the calendar and select a date, or add the date and time manually or by scrolling. Note: A new Apply Configuration task will replace an earlier version that is pending. • Ticket — [Optional] Associate a change tracking ticket and description with each apply task. • Firewalls — Specify the firewalls that are included in the Apply Configuration task. Select the checkbox for each firewall to be included. • OK — Start the Apply Configuration task or saves a scheduled task. If the configuration deployment is successful, the Propagation to Firewall(s) is in progress, please check the Status Report message displays. • Cancel — Close the window without further action. For information about the information that can be configured for each type of supported firewall, see Registering your firewalls by using the rapid deployment option on page 164. 590 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide
Applying a configuration to one or more firewalls
1 In the Configuration Tool, from the Configuration menu, select Apply Configurations. The Apply Configuration window is displayed.
2 Select the checkbox associated with each firewall to be configured.
3 [Optional] Select the Schedule Apply Configuration checkbox to define a future date and time to apply the configuration. A special date/time window is displayed, in which you can select a date and time when the current configuration is to be applied.
Note: When you are scheduling a configuration to be applied at a future date and time, the current configuration is preserved and applied at the scheduled time, regardless of configuration changes that have occurred between the time that the apply was scheduled and when the apply occurs.
4 When managing an HA pair, only the served firewall will receive configuration information during the configuration propagation. The standby system's configuration is automatically synchronized when the served firewall's configuration has changed. Click OK to apply the configuration to the selected firewall or firewalls.
To view information about the status of the propagation in the Configuration Status Report, select Configuration Status Report from the Reports menu.

Troubleshooting apply configuration warnings
Use the Apply Warnings window to learn about any apply (configuration) issues and to configure whether warning messages will be displayed in the future for specific issues.
Before your changes are applied to the selected firewalls, a validation process now occurs. If there are any issues that could cause the apply process to fail, this window is displayed and the specific issues are identified. You have the following options in this window:
• Proceed with the apply process, ignoring these issues. As a result, some of the values that you have configured may not be applicable to the firewall, and the firewall may behave differently than your configuration would suggest.
• Cancel the apply process. This window closes. You can then fix the identified issues and re-apply. Note: This action cancels the apply for all of your selected firewalls, including those firewalls that had no potential issues.
• Proceed with the apply process and do not show any warnings in the future. The apply configuration process will proceed. When you select this checkbox, the next time that an apply process is started and a scenario occurs in which a warning would be displayed, no warning will be issued.
Figure 252 Apply Warnings window

Accessing this window
In the Configuration Tool, highlight the firewall or firewalls in the tree that you want to update and select (Apply Configurations) in the toolbar. If there are any issues with the apply, this window is displayed. Otherwise, the apply will be processed on the selected firewall or firewalls.

Fields and buttons
This window has the following fields and buttons:
• Firewall — [Read-only] Displays the name of the firewall that has the apply or validation issue. Note: If this apply or validation includes multiple firewalls, firewalls that do not have issues will not be displayed in this table.
• Issue — [Read-only] Displays a brief description of the apply or validation issue for the firewall.
• Proceed with the apply or validation process. — Determines whether to continue with the apply or validation process. If you select this option, you are ignoring the issues that have been displayed on this window. Your apply might fail as a result. Click OK and the apply or validation process will continue, with the issues that have been identified here.
• Never warn me about these issues for any firewall again. — Determines whether all of the issues in the table will be displayed for future applies or validations. This checkbox applies to all of the issues. For example, if you see a warning for a version issue and you do not care about those warnings, you can select that issue and then select this checkbox. You will not receive any version warnings in this window in the future. Those types of warnings will be ignored in this pre-validation process. However, the issue still exists and might cause apply issues. Note: If there are multiple issues on this window and you want to hide only one of them, select the cancel option, fix the other issues, and then re-apply or re-validate. When only the one issue remains, you can select this checkbox.
• Cancel the apply or validation process, resolve the issues, and then re-apply or re-validate the configuration. — Determines whether the apply or validation process is cancelled for all of the firewalls that were selected, even if they have no issues. Click OK and this window is closed without making any changes. Then you can fix the issues and re-apply or re-validate all of the firewalls again.
• OK — Perform the selected action for this apply or validation process. The Configuration Status Report is displayed for applies and the Validation Status Report is displayed for validations.
Viewing the status of Apply Configurations
Use the Validation Status Report to view the status of the validation process for each of the firewall configurations in the Control Center database and to view the differences between the current configuration and the proposed configuration of a firewall. When this report is displayed, the validation status is refreshed every 15 seconds. For more information, see Firewall configuration management on page 574.

Figure 253 Validation Status Report page

Accessing this page
In the Configuration Tool, select (Validation Status) in the toolbar.
or
In the Configuration Tool, from the Reports menu, select Validation Status. The Validation Status Report page is displayed.

Fields and buttons
This page has the following fields and buttons:
• Last Refresh — [Read-only] Displays the time at which the data on this page was last refreshed.
• Apply Selected — Perform an apply configuration on one or more firewalls that are displayed in this table.
• Refresh — Perform an immediate refresh of the data on this page. Although this page is automatically refreshed every 15 seconds, you can click this button for an immediate refresh.
• Firewall — [Read-only] Displays the name assigned to the firewall. The communication status of the firewall is indicated by an icon preceding this field. The color indicates the communication status as of the time displayed in the Last Refresh field at the top of the page:
  • (Green) — Responding
  • (Red) — Not Responding
• Last Update — [Read-only] Displays the time when the validation process was started for a firewall.
• Status — [Read-only] Displays the status of the validation process for a firewall. The following values can be displayed:
  • Started — Indicates that the validation process has been started for the firewall.
  • Notified — Indicates that the Control Center has notified the firewall that configuration information is available. The Control Center is waiting for a reply from the firewall.
  • Notify failed — Indicates that the Control Center could not notify the firewall about the configuration information because of a communication failure.
  • Requested — Indicates that the firewall has responded to the Control Center's notification by requesting the configuration information. The Control Center is preparing to send the information.
  • Sent — Indicates that the Control Center has sent the configuration information to the firewall.
  • Send failed — Indicates that the Control Center could not send the configuration information to the firewall because of a communication failure.
  • Completed — Indicates that the firewall has processed the configuration information and has reported that the proposed configuration is valid.
  • Validation failed — Indicates that the firewall has processed the configuration information and has reported that the proposed configuration is invalid.
• Errors — [Read-only] Displays any errors that occurred during validation.
• Differences — View the differences between the current configuration and the proposed configuration of a firewall. If the Validation Status field displays a status of Completed and there are differences between the firewall configuration and the configuration that the Control Center currently has for the firewall, the View button is displayed. Click this button to display the Configuration Changes Details window, in which you can view the differences between the proposed and the current configuration.
Note: If the values in the Last Update and Status fields are empty for a particular firewall, the configuration for that firewall has never been validated.

Reviewing your configured firewalls
Use the Firewall Sorting Manager window to provide a user-defined view of the firewalls that have been configured for your operation. You can select the firewall characteristics and the order of consideration of those characteristics to determine how the firewalls are to be displayed using a standard selection list. The available sort characteristics are: type (type of firewall), location (uses the user-defined location information), contact (uses the user-defined contact information associated with a firewall), and any user-defined category/value pair.
By careful management of the location information, contact information, and user-defined categories associated with each firewall, an organization can create a powerful and effective firewall-sorting plan to help make managing large numbers of firewalls easier. One or more user-defined categories and values are assigned to firewalls by using the Add New Firewalls window when defining a firewall, or by using the firewall-specific manager window after the firewall has been defined. The manager window for the firewall is the Firewall window.

Figure 254 Firewall Sorting Manager window
Accessing this window
In the Configuration Tool, from the System menu, select Firewall Sorting…. The Firewall Sorting Manager window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Use Default Firewall Sorting — Determines whether to use the default sorting. Default sorting is by firewall type, location, and contact, in that sequence.
• (Left list) — Displays the unused characteristics that can be used to sort the view.
• (Right list) — Displays the characteristics used to sort the list, in the sequence in which each characteristic is considered.
• Add — Move the highlighted characteristic in the left list to the right list.
• Remove — Move the highlighted characteristic in the right list to the left list.
• Move Up — Move the highlighted characteristic in the right list up one position.
• Move Down — Move the highlighted characteristic in the right list down one position.
• OK — Apply the selected sort characteristics to the firewall view.
• Cancel — Close the window without making any changes.

Comparing impacts of proposed configuration changes for a firewall
Use the Configuration Changes Details window to examine the differences between the current configuration and the proposed configuration of a firewall.

Figure 255 Configuration Changes Details window (example data)

Accessing this window
1 In the Configuration Tool, from the Reports menu, select Validation Status. The Validation Status Report page is displayed.
2 If a firewall has configuration differences, a View button is displayed in the Differences column. Click View in the row of the firewall for which you want to view these differences. The Configuration Changes Details window is displayed.

Fields and buttons
This window has comparison information that is arranged in the following manner:
• (Details area) — Displays the details of the changes that will take place in each file when these changes in the configuration file are applied to the firewall.
• Close — Close the window without saving the displayed text.
• Save As… — Displays the Save Validation Report As… window, in which you can specify a destination, file name, and format (either HTML or text file [.txt]) for the information on this window.
Configuring compliance report settings
Use the Compliance Report Settings window to automatically run compliance reports at a specified time and e-mail the results to an identified list of recipients. For more information, see Viewing the compliance status of the current firewall configuration on page 597.

Figure 256 Compliance Report Settings window

Accessing this window
In the Configuration Tool, from the System menu, select Compliance Report Settings. The Compliance Report Settings window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Enable Compliance Report — Determines whether to generate the compliance report at the specified time.
• Daily Run — Specify the time of day (using a 24-hour clock) at which an enabled compliance report is generated.
• Timeout (min) — Specify the number of minutes to wait for the validation to complete on a firewall before it is assumed that a time-out has occurred. This value defaults to 30 minutes. When you are generating the compliance report, a validation of the firewall's configuration is performed. For large configurations this could take a long time. The time-out value should be set to the amount of time it typically takes to apply a configuration.
• Send Results To — Specify the e-mail addresses of the intended recipients of the compliance report. The report is a listing of the node name of the managed firewall and the reported compliance status condition. The following compliance status values are possible on the Compliance Report page:
  • Unknown — Validation between the managed firewall and the Management Server has not been performed.
  • Compliant — Validation between the managed firewall and the Management Server has been performed and the configurations match.
  • Not Compliant — Validation between the managed firewall and the Management Server has been performed and the configurations do not match.
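To make the validation status flow and the compliance values concrete, here is an added Python example (not code from this guide or from McAfee): it encodes the Validation Status Report status transitions, derives the Compliance Report values from report rows, and flags validations that have run past the Timeout (min) setting. The transition table, the FirewallRow record, the rule that any status other than Completed yields Unknown, and the sample rows are this example's own assumptions.

```python
"""Added example: model of the Control Center validation status flow and a
defender-side compliance summary. Everything here is constructed for the
example; it is not the product's code or data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Which status may follow which, following the flow the guide describes:
# Started -> Notified -> Requested -> Sent -> Completed / Validation failed,
# with Notify failed and Send failed as communication-failure end states.
# (Assumption: this table is the example's reading of the guide.)
TRANSITIONS = {
    "Started": {"Notified", "Notify failed"},
    "Notified": {"Requested", "Notify failed"},
    "Requested": {"Sent", "Send failed"},
    "Sent": {"Completed", "Validation failed"},
    "Notify failed": set(),
    "Send failed": set(),
    "Completed": set(),
    "Validation failed": set(),
}
TERMINAL = {status for status, nxt in TRANSITIONS.items() if not nxt}
FAILED = {"Notify failed", "Send failed", "Validation failed"}


def is_valid_transition(old: str, new: str) -> bool:
    """True if the report may legitimately move from status `old` to `new`."""
    return new in TRANSITIONS.get(old, set())


@dataclass
class FirewallRow:
    """One row of the Validation Status Report (constructed record type)."""
    name: str
    responding: bool                  # green (True) or red (False) icon
    last_update: Optional[datetime]   # None: never validated
    status: Optional[str]             # None: never validated
    has_differences: bool = False     # View button shown in Differences column
    errors: str = ""


def compliance_status(row: FirewallRow) -> str:
    """Map a row to the Compliance Report values Unknown / Compliant / Not Compliant.
    Assumption: only a Completed validation gives a definite answer; a failed or
    unfinished validation is reported as Unknown."""
    if row.status != "Completed":
        return "Unknown"
    return "Not Compliant" if row.has_differences else "Compliant"


def timed_out(row: FirewallRow, now: datetime, timeout_min: int = 30) -> bool:
    """A validation still in a non-terminal status after Timeout (min), which
    defaults to 30 in the Compliance Report Settings window, counts as timed out."""
    if row.status is None or row.last_update is None or row.status in TERMINAL:
        return False
    return now - row.last_update > timedelta(minutes=timeout_min)


def build_report(rows: List[FirewallRow], now: datetime,
                 timeout_min: int = 30) -> Dict[str, dict]:
    """Compliance summary per firewall node name, with the attention flags an
    operator would want before relying on the compliance figures."""
    out: Dict[str, dict] = {}
    for row in rows:
        flags = []
        if not row.responding:
            flags.append("not responding")
        if row.status is None:
            flags.append("never validated")   # empty Last Update and Status
        if timed_out(row, now, timeout_min):
            flags.append("validation timed out")
        if row.status in FAILED:
            flags.append(row.status.lower())
        if row.errors:
            flags.append("errors reported")
        out[row.name] = {"compliance": compliance_status(row), "flags": flags}
    return out


NOW = datetime(2009, 6, 1, 12, 0)   # constructed reference time

# Constructed sample rows covering the cases the guide describes
SAMPLE_ROWS = [
    FirewallRow("fw-hq", True, NOW - timedelta(minutes=5), "Completed"),
    FirewallRow("fw-branch1", True, NOW - timedelta(minutes=7), "Completed",
                has_differences=True),
    FirewallRow("fw-branch2", False, NOW - timedelta(minutes=45), "Notified"),
    FirewallRow("fw-lab", True, None, None),
    FirewallRow("fw-dmz", True, NOW - timedelta(minutes=3), "Validation failed",
                errors="proposed configuration rejected"),
]

if __name__ == "__main__":
    for name, info in build_report(SAMPLE_ROWS, NOW).items():
        print(f"{name:12} {info['compliance']:14} {', '.join(info['flags']) or '-'}")
```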
Search window
Use the Search window to locate a configurable object from a potentially large list of objects that meet the general criteria. Often, the name that is associated with an object is not enough information to identify the object that you need to find. By using the Search window, you can specify any character or string of characters to search through all the presented data columns to locate the item that you seek.

Accessing this window
From various locations in windows and pages, click the search button. The Search window is displayed.

Fields and buttons
This window has the following fields and controls:
• (filter) — Specify, in this field, any character or string that is associated with any column of relevant search data.
• Filter — Display the data that matches the character or string in any field of the associated field data in the original window or page.
• Results — The result candidates are displayed in the list. Highlight the sought-after object and click OK, or specify a new character or string of characters in the Filter field and click Filter again to refine the search.

Viewing the compliance status of the current firewall configuration
Use the Compliance Report page to quickly determine whether the current configuration that is installed on the managed firewalls matches the configuration that is stored in the Control Center Management Server. This page also provides a quick overview of the communication status between the managed firewall and the Management Server, a time stamp of the last time that an update was applied, any error conditions that were reported on the last update, and a listing of the differences between the configuration that is stored on the Management Server and the current configuration on the managed firewall. Click Refresh to ensure that you are viewing the most recent information.
A compliance report summary can be configured to run at a specified time, and the results can be sent to a defined list of e-mail addresses. For more information, see Configuring compliance report settings on page 596.

Figure 257 Compliance Report page

Accessing this page
In the Configuration Tool, from the Reports menu, select Compliance Status. The Compliance Report page is displayed.
Fields and buttons
This page has the following fields and buttons:
• Last Refresh — [Read-only] Displays the last time the data being shown was updated.
• Refresh — Refresh the data being displayed.
• (Status) — [Read-only] Displays the current status of the communication between the associated firewall and the Management Server. The following indications are possible:
  • (Green) — The Management Server is in communication with the managed firewall.
  • (Yellow) — The Management Server is negotiating communication with the managed firewall.
  • (Red) — The Management Server is not in communication with the managed firewall.
• (Firewall Type) — [Read-only] Displays the icon that represents the managed firewall (firewall).
• Firewall — [Read-only] Displays the node name that is associated with the managed firewall.
• Last Update — [Read-only] Displays a time stamp that indicates the last time the data being viewed was refreshed.
• Compliance Status — [Read-only] Displays the compliance status. The following values are possible:
  • Unknown — Validation between the managed firewall and the Management Server has not been performed.
  • Compliant — Validation between the managed firewall and the Management Server has been performed and the configurations match.
  • Not Compliant — Validation between the managed firewall and the Management Server has been performed and the configurations do not match.
• Errors — [Read-only] Displays any error conditions that were detected during the last update.
• Differences — A View button is displayed for those firewalls whose configuration stored on the firewall differs from the configuration that is stored on the Management Server. Click this button to view the differences in the Configuration Changes Details window. For more information, see Comparing impacts of proposed configuration changes for a firewall on page 595.

Viewing your firewall enrollment (deployment) status
Use the Deployment Status Report page to view the status of the enrollment process when the rapid deployment option is used to initiate enrolling one or more firewalls from the Control Center Management Server. The enrollment process is initiated by using the Sign Up Firewalls - Firewall window. For more information, see Adding firewalls by using rapid deployment registration on page 38.

Figure 258 Deployment Status Report page

Accessing this page
In the Configuration Tool, from the Reports menu, select Deployment Status. The Deployment Status Report page is displayed.
Fields and buttons
This page has the following fields and buttons:
• Status — This column indicates the status of the enrollment process. When the enrollment is successful, this column displays Operation completed. The following values are possible:
  • Retrieving status — Displayed when the server has not yet begun working on the sign-up task for this particular firewall.
  • Initializing — Displayed when the server has started working on this particular firewall.
  • Authenticating — Displayed when the Control Center Management Server and the firewall are authenticating each other using the sign-up password.
  • Sending Request — Displayed when the Control Center Management Server is requesting the firewall to initialize itself. The server sends some data to the firewall that the firewall can use to initialize itself.
  • Operation started — Displayed when the firewall has notified the Control Center Management Server that it has received the initialization request.
  • Operation in progress — Displayed when the firewall is in the process of initializing itself. At this stage, it is running cmsetup.
  • Operation completed — Displayed when the firewall has notified the Control Center Management Server of successful completion of the initialization task.
  • Operation failed — Displayed when the firewall has notified the Control Center Management Server of initialization failure. The Details field may include the content of the error with more useful error information.
• Device Type — [Read-only] Displays the type of firewall.
• Device Name — [Read-only] Displays the supplied firewall name.
• IP Address — [Read-only] Displays the supplied firewall IP address.
• Last Updated — [Read-only] Displays a time stamp for the status of the row.
• Details — [Read-only] Displays any error conditions that occurred during the enrollment process.
• Clear Completed — Clear all rows that display Operation completed in the Status column.

Configuring the firewall for usage inside the Control Center Client
Use the McAfee Firewall Reporter Settings window to configure the settings that the Control Center Management Server will use to connect for the first time with the McAfee Firewall Reporter server. (After you have configured these settings, you will not see this window again.) Note that this connection is made by using the Internet options that are specified on your client machine.

Figure 259 McAfee Firewall Reporter Settings window
Accessing this window
In the Configuration Tool or in the Reporting and Monitoring Tool, from the Reports menu, select McAfee Firewall Reporter. If this is the first time that you have accessed this option, the McAfee Firewall Reporter Settings window is displayed.

Fields and buttons
• Use SSL connection (HTTPS) — Determines whether the connection to the McAfee Firewall Reporter server will use secure HyperText Transfer Protocol (HTTPS). The default value is cleared.
• McAfee Firewall Reporter server address — Specify the IP address of the McAfee Firewall Reporter server.
• McAfee Firewall Reporter management port — Specify the port for the McAfee Firewall Reporter server connection. For Apache, the default port is 9216; for Internet Information Server (IIS), the default port is 8216.
• OK — Display the McAfee Firewall Reporter page.
• Cancel — Close this window without saving the settings. You will be prompted with this window again the next time that you select the McAfee Firewall Reporter menu option, until you configure these settings.
You can also access this window again to change settings by clicking Update Settings on the McAfee Firewall Reporter page.

Viewing real-time Web data for your network
Use the McAfee Firewall Reporter page to view more detailed reporting and monitoring information about the status of the firewalls that are being managed by the Control Center. Additionally, you can view the following information on this page:
• Reports for multiple firewalls on this one page
• Reports that are displayed with color and in graphics for easier readability
• Reports that are available in multiple languages
• Reports that are available without having to log into a firewall
For information about how to configure a firewall to send its log files to the McAfee Firewall Reporter, refer to the McAfee Firewall Enterprise (Sidewinder) Administration Guide. For more information about the McAfee Firewall Reporter documentation, go to mysupport.mcafee.com.

Accessing this page
In the Configuration Tool or in the Reporting and Monitoring Tool, from the Reports menu, select McAfee Firewall Reporter.
1 If you have already configured the settings on the McAfee Firewall Reporter Settings window, the McAfee Firewall Reporter page is displayed.
or
If this is your first attempt to view this report, the McAfee Firewall Reporter Settings window is displayed. Configure the settings on this window and click OK. The login window is displayed.
2 Specify your user name and password values and click OK. An information message is displayed. Ignore this message and click OK. The McAfee Firewall Reporter page is displayed.
Fields and buttons
Note: All of the fields, tabs, and buttons on this page are described in the McAfee Firewall Reporter help, except for the Update Settings button, which is described below. To access help for this page, click (Help).
• Update Settings — Displays the McAfee Firewall Reporter Settings window, in which you can change the settings that are used to connect to the McAfee Firewall Reporter server.

Viewing services and managing service agents
Use the Service Status page to view the service status report, which contains configuration and status information for all of the services that are enabled on the selected firewall. This report provides the following information:
• Status of the service
• Burbs on which the service is listening
• Ports on which the service is accepting connections
• Rules that have been configured to use the service
In addition to this view, you can also:
• View additional information about the highlighted service (Service Information button)
• View audit data for this service (Audit Data button)
• Restart the service (Restart Agent button) — This is helpful when you have made configuration changes or when you want to troubleshoot this service.
• Temporarily disable one or more services
Figure 260 Service Status page

Accessing this page
1 In the Configuration Tool or the Reporting and Monitoring Tool, in the Firewalls group bar, click the Firewalls node to display the list of available firewalls.
2 Right-click the firewall for which you want to run the report. Select Firewall Reports > Service Status. The Service Status window is displayed. For more information about this window, see Generating firewall reports on page 623.
3 Make your selections on this window and then click Request Report. If you requested this report in the Configuration Tool or in the Reporting and Monitoring Tool with the Wait For Report checkbox selected, the report is displayed in a new tab in the work area. If you selected not to wait for the report in the Reporting and Monitoring Tool, a Reports group is created, along with a folder for this report and the individual report listed in (below) this folder.
4 If you did not wait for the report in the Reporting and Monitoring Tool, double-click the report in the Reports group area and the report is displayed as a page (tab) in the work area.

Fields and buttons
• Filter row (first row in the table) — For each column, you can specify the filter that you want to apply to the data for this column. The following options are available for each column:
  • (All) — Indicates that no filtering is to be performed on this column. All records are displayed, unless a particular record is filtered out by the criteria set in a different column.
  • (Empty) — Indicates that column filtering is performed on records that do not have data in this column. The records that have data in this column are not displayed, regardless of the settings in any other column.
  • Displayed_column_value — Indicates that column filtering is performed on records that match the value or values in this column. The data in the list for each column is different, depending on the values that are displayed for that column. There is one entry in this list for each unique value that is displayed in this column.
• Report-specific column names — The following columns are displayed in this report:
  • Status — [Read-only] Visually indicates the status of the service. The following values are available:
    • (Running) — The service is processing traffic as expected.
    • (Running with errors) — The service is processing traffic. However, it is also generating errors. The service could be temporarily disabled or there could be an issue that you need to troubleshoot.
    • (Not running) — Either the service is not running or there is no available information about the status of this service. You must investigate this status.
  • Service — [Read-only] Displays the name of the service.
  • Agent — [Read-only] Displays the agent for the service. This information can be useful when you are considering restarting or disabling a particular service.
  • Burbs — [Read-only] Displays the burbs in which this service is enabled. When a service is used in a rule, the service is enabled in the source burb for that rule. All source burbs for rules that use this service are listed on this page. Note: Some services display the Firewall burb in the Burbs column. This burb is used for internal firewall processing and it cannot be modified. Also, the Sendmail service runs only in two burbs, even if the source burb is set to <Any>.
  • Ports — [Read-only] Displays the ports that have been configured for this service.
  • Active Rules — [Read-only] Displays the enabled rules that use this service.
• Service Information — Displays the Service Information window, in which more specific information about this service is displayed. This button is available only after you have selected a row in the report. For more information about this window, see Viewing details about a firewall service on page 604.
• Audit Data — Displays the McAfee Firewall Enterprise Audit Report window and generates a report of the audit data for the last 24 hours for this service. Select this button if the service is not running the way that it was configured. For more information about this window, see Configuring and generating audit reports for one or more firewalls on page 625.
• Restart Agent — Restart or re-enable the selected service. First, the service is disabled and then the agent for this service is immediately re-enabled. All current connections are dropped and any audit counts are reset. Do not restart an agent unless it is part of a procedure, you have completed other troubleshooting measures, or you have been instructed to do so by McAfee Technical Support. Caution: If you restart a service, all of the current connections for this agent are dropped, in addition to the connections for the selected service.
• Temporarily Disable Agent — Temporarily disable the selected service. This stops the agent for this service. The agent is then restarted as soon as any policy configuration changes are saved. Do not temporarily disable an agent unless it is part of a procedure, you have completed other troubleshooting measures, or you have been instructed to do so by McAfee Technical Support. Tip: A quick way to safely re-enable all of the stopped agents is to change a rule or the description of a service and then save the changes.
• Refresh — Update the service information for the selected firewall.
Viewing details about a firewall service

Use the Service Information window to view the burbs and ports on which the service should be listening, along with the current status of the service. You can also check the current status of this service and perform some of the same actions that are available from the Service Status page:
• Display audit data for this service (Audit Data button)
• Restart this service (Restart button)
• Temporarily disable this service (Temporarily Disable button)

Figure 261 Service Information window

Accessing this window
If the Service Status page is already displayed, skip to step 5.
1 In the Configuration Tool or the Reporting and Monitoring Tool, in the Firewalls group bar, click the Firewalls node to display the list of available firewalls.
2 Right-click the firewall for which you want to run the report. Select Firewall Reports > Service Status. The Service Status window is displayed. For more information about this window, see Generating firewall reports on page 623.
3 Make your selections on this window and then click Request Report. If you requested this report in the Configuration Tool or in the Reporting and Monitoring Tool with the Wait For Report checkbox selected, the Service Status report is displayed in a new tab in the work area. If you selected not to wait for the report in the Reporting and Monitoring Tool, a Reports group is created, along with a folder for this report and the individual report listed below this folder.
4 If you did not wait for the report in the Reporting and Monitoring Tool, double-click the report in the Reports group area and the report is displayed as a page (tab) in the work area. The Service Status page is displayed.
5 Select a service in the report and click Service Information. The Service Information window is displayed.
Fields and buttons
• Service information as of — [Read-only] Displays the timestamp of the date and time at which this report was last run or refreshed (by clicking Refresh).
• Agent_name agent is service_status — [Read-only] Displays the name of the agent (Agent_name) and its current status (service_status). The following service status values are available:
  • running — The service is processing traffic as expected.
  • running with errors — The service is processing traffic. However, it is also generating errors. The service could be temporarily disabled or there could be an issue that you need to troubleshoot.
  • not running — Either the service is not running or there is no available information about the status of this service. You must investigate this status.
• Configured Burb — [Read-only] Displays the source burb in a rule where this service was used. All of the source burbs for rules that use this service are listed in this column.
• Configured Port — [Read-only] Displays all of the ports that are configured for this service.
• Listening or Running — [Read-only] Indicates whether the service is listening (accepting connections) on a port. However, if this is a special service that does not listen on any ports, this column heading will be "Running", indicating the status of this service.
• Audit Data — Displays the McAfee Firewall Enterprise Audit Report window and generates a report of the audit data for the last 24 hours for this service. Select this button if the service is not running the way that it was configured. For more information about this window, see Configuring and generating audit reports for one or more firewalls on page 625.
• Restart — Restart or re-enable the selected service. First, the service is disabled and then the agent for this service is immediately re-enabled. All current connections are dropped and any audit counts are reset. Do not restart an agent unless it is part of a procedure, you have completed other troubleshooting measures, or you have been instructed to do so by McAfee Technical Support.
  Caution: If you restart a service, all current connections for this agent are dropped—in addition to the connections for the selected service.
• Temporarily Disable — Temporarily disable the selected service. This stops the agent for this service. The agent is then restarted as soon as any policy configuration changes are saved.
  This button is not available if this is a service that is used for firewall internal processing. Do not temporarily disable an agent unless it is part of a procedure, you have completed other troubleshooting measures, or you have been instructed to do so by McAfee Technical Support.
  Tip: A quick way to safely re-enable all of the stopped agents is to change a rule or the description of a service and then save the changes.
• Refresh — Update the service information for the selected firewall.
• Close — Close this window and return to the Service Status page.

Responses

Use firewall IPS attack responses and system event responses to monitor your network for abnormal and potentially threatening activities that range from an attempted attack to an audit overflow. You can configure the number of times that a particular event must occur within a specified time frame before it triggers a response. When the firewall encounters audit activity that matches the specified type and frequency criteria, the response that you configured for that system event or attack type determines the way in which the firewall will react. The firewall can be configured to respond by alerting an administrator about the event by e-mail and SNMP trap, and by ignoring packets from particular hosts for a specified period of time.

Some default attack and system event responses are automatically created on the firewall during its initial configuration. The additional configuration options you select will depend mainly on your site's security policy and, to some extent, on your own experiences using the features. You might want to start with the default options and make adjustments as necessary to meet your site's needs.
For more about this feature, see the following topics:
• Configuring alert notification for e-mail accounts on page 606
• Configuring blackholes for suspected hosts on page 607
• Viewing IPS attack responses on page 608
• Configuring IPS attack responses on page 609
• Viewing system responses on page 612
• Configuring system responses on page 613

Configuring alert notification for e-mail accounts

Use the Responses - E-mail Accounts window to specify e-mail accounts that will receive alerts during an IPS attack response.

Figure 262 Responses - E-mail Accounts window

Accessing this window
1 In the Configuration Tool, select the Monitor group bar.
2 In the tree, click the Responses node and then double-click E-mail Accounts. The Responses - E-Mail Accounts window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a unique label to refer to the e-mail account.
• Description — Provide information about the e-mail account.
• Mail Recipients (separated by comma) — Specify one or more e-mail accounts. Separate multiple accounts by using a comma (,).
• OK — Save the changes that have been made.
• Cancel — Close the window without making any changes.
Configuring blackholes for suspected hosts

Use the Responses window to specify hosts from which suspect traffic is to be blackholed or ignored. The firewall blackholes traffic based on source address, rather than the type of traffic. If you blackhole a host, all traffic from that host will be ignored.

Figure 263 Responses - Host Blackhole window

Accessing this window
1 In the Configuration Tool, select the Monitor group bar.
2 In the tree, select the Responses node and then double-click Host Blackhole.

Fields and buttons
This window has the following fields and buttons:
• Name — Specify a unique label to refer to the host blackhole response.
• Description — Provide information about the host blackhole.
• Blackhole host packets for n seconds — Specify the number of seconds (from 1 to 100000) before the firewall will accept and respond to traffic from the host or hosts that are in the Blackhole field.
• Blackhole — Specify the host or hosts to blackhole. The following selections are available:
  • All attacking hosts — Blackhole all hosts that are involved with triggering the alert.
  • Each host responsible for n % of attacks — Limit blackholing to a certain percentage of attacks, where n is a value from 1 to 100.
• OK — Save the changes that have been made.
• Cancel — Close the window without making any changes.
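To see how the two Blackhole selections and the n-seconds timer interact before committing a response to a firewall, the following added Python model (not Control Center or firewall code) replays a constructed batch of attack source addresses through a Host Blackhole definition. The guide does not say how "responsible for n % of attacks" is evaluated; this example assumes it means "the host's share of the events in the batch is at least n %", and the host addresses and timestamps are constructed for illustration.

```python
# Added example (not Control Center code): which source hosts a Host Blackhole
# response would select, and until when, given a batch of attack audit events.
# The "responsible for n %" test is implemented here as "this host's share of
# the batch is at least n %"; that rule is an assumption of this example.
from collections import Counter
from dataclasses import dataclass


@dataclass
class HostBlackhole:
    """Mirrors the fields of the Responses - Host Blackhole window."""
    name: str
    seconds: int            # "Blackhole host packets for n seconds" (1..100000)
    all_hosts: bool = True  # "All attacking hosts"
    percent: int = 0        # "Each host responsible for n % of attacks" (1..100)

    def __post_init__(self):
        if not 1 <= self.seconds <= 100000:
            raise ValueError("seconds must be between 1 and 100000")
        if not self.all_hosts and not 1 <= self.percent <= 100:
            raise ValueError("percent must be between 1 and 100")


def select_hosts(response, attack_sources):
    """Return the set of source addresses the response would blackhole.

    attack_sources: one entry per attack audit event (duplicates expected).
    """
    counts = Counter(attack_sources)
    total = sum(counts.values())
    if total == 0:
        return set()
    if response.all_hosts:
        return set(counts)
    return {host for host, n in counts.items()
            if 100 * n / total >= response.percent}


def blackhole_until(response, attack_sources, now):
    """Map each selected host to the time (now + n seconds) at which the
    firewall would start accepting and responding to its traffic again."""
    return {host: now + response.seconds
            for host in select_hosts(response, attack_sources)}


def is_ignored(table, host, t):
    """True while t is still inside the host's blackhole interval."""
    return host in table and t < table[host]


# Constructed sample: ten attack events, eight of them from one noisy source.
SAMPLE_EVENTS = ["198.51.100.7"] * 8 + ["198.51.100.8", "198.51.100.9"]

if __name__ == "__main__":
    noisy_only = HostBlackhole("top-talkers", 600, all_hosts=False, percent=50)
    everyone = HostBlackhole("all-attackers", 600)
    print(sorted(select_hosts(noisy_only, SAMPLE_EVENTS)))  # ['198.51.100.7']
    print(sorted(select_hosts(everyone, SAMPLE_EVENTS)))    # all three hosts
    table = blackhole_until(noisy_only, SAMPLE_EVENTS, now=1000)
    print(is_ignored(table, "198.51.100.7", 1599),          # True
          is_ignored(table, "198.51.100.7", 1600))          # False
```

Running the sample with percent=50 selects only the source behind 80 % of the events, while percent=10 selects all three, which is the practical difference between a response that isolates the noisy host and one that also cuts off single-event sources that may be spoofed or legitimate. The `is_ignored` check shows that traffic is accepted again exactly when the n-second interval ends.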
Viewing IPS attack responses

Use the IPS Attack Responses page to view a complete list of the IPS attack responses that have been defined on your system. To modify attack response settings, double-click the specific response. The IPS Attack Response window is displayed, in which you can configure these settings. For more information, see Configuring IPS attack responses on page 609.

Figure 264 IPS Attack Responses page

Accessing this page
1 In the Configuration Tool, select the Monitor group bar.
2 Double-click the IPS Attack Responses node. The IPS Attack Responses page is displayed.

Fields and buttons
The following fields and buttons are displayed.
• Filter — Specify the firewall for which you want to display IPS attack responses or select ALL RESPONSES to view them for all firewalls. If you need to change your display, click (Clear Filter results).
• Find — Because your list of objects (where objects refers to the entity for which you are searching) could potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by using the Find filtering mechanism.
  a In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.
  b Click the down arrow to select the display for the search results (Highlight matching <objects> [where <objects> is the entity for which you are searching] or Only display matching <objects> [where <objects> is the entity for which you are searching]).
  c Click Find or press Enter. The results are displayed. If you had selected the highlight option, all objects that match the value in the Search field are highlighted in yellow. If you selected the other value, you will see only those objects that matched your search criteria.
  d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view all of the objects again, click (Clear Find Results).
• Enabled — Determines whether the IPS Attack Response is enabled.
• Name — [Read-only] Displays the name assigned to the IPS attack response.
• Audit Filter — [Read-only] Displays the audit filter associated with the IPS Attack Response. Audit filters are defined on the Audit Filter window.
• Apply On — [Read-only] Displays the firewalls to which the IPS Attack Response applies.
• Attack Responses — [Read-only] Displays the IPS attack response(s) associated with the IPS attack. Responses are defined on the Responses window.
• Frequency — [Read-only] Displays the frequency parameters associated with the IPS attack response. Frequency parameters are defined on the IPS Attack Response window.
• Description — Specify information about the IPS attack response.

Configuring IPS attack responses

Use the IPS Attack Response window to configure and modify Intrusion Prevention System (IPS) attack responses. IPS attack responses define the way that the firewall responds when it detects audit events that indicate such possible attacks as Type Enforcement violations and proxy floods.

Figure 265 IPS Attack Response window

Accessing this window
1 If the IPS Attack Responses page is already displayed, skip to step 4.
2 In the Configuration Tool, select the Monitor group bar.
3 Double-click the IPS Attack Responses node. The IPS Attack Responses page is displayed.
4 Double-click an attack response on the IPS Attack Responses page. The IPS Attack Response window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label used to refer to the IPS attack response.
• Description — Provide information about the IPS attack response.
• Characteristics — Use the fields in this area to specify the characteristics for this attack response. The following fields are available:
  • Filter — Specify the audit filter to use. For a list of the audit filters and descriptions of the event types that they audit, see Pre-defined audit filters for IPS attacks on page 611.
  • Enabled — Determines whether the response is enabled. This is selected by default.
• Attack Frequency — Use the fields in this area to determine the attack frequency. The following fields are available:
  • Frequency — Specify the frequency at which the response is to be generated. The following values are available:
    • Always Respond — Indicates that a response is generated every time the attack occurs.
    • Limit Responses — Indicates that a response is generated when the pattern of attack matches the following settings:
      • Respond if n Attacks in — Specify the number of attacks to occur before a response is generated, where n ranges from 2 to 100000. The firewall will respond when the nth attack occurs.
      • y seconds — Specify the number of seconds within which the specified number of attacks must occur before a response is generated, where y ranges from 1 to 100000.
  • Reset attack count to zero after responding — Determines whether the firewall zeroes out its attack counter after responding and waits until another n attacks occur in y seconds before sending out the next response. If this checkbox is not selected, the same attacks may be used to generate additional alerts.
• Attack Response Alerts (E-mail/SNMP Trap) — Use the fields in this area to specify the frequency at which alerts that use e-mail and SNMP traps are triggered.
  The following fields are available:
  • Wait n seconds between alerts — Specify the number of seconds for the firewall to wait before sending the next e-mail or SNMP trap for the same type of attack.
    Caution: Be careful when setting the wait time between alerts. If the Frequency is set to Always Respond and the wait time between alerts is zero, an e-mail or SNMP trap could be sent every second.
• Find — Use this field and the associated controls described above to find matching firewalls in the Apply On list or to filter or search for matching responses in the Attack Responses list.
• Apply On — Use this column to select the firewalls on which to apply the IPS attack responses.
• Attack Responses — Specify the way that the firewall will respond when the IPS attack type pattern that is specified matches the Frequency field settings. This list contains the responses that have been defined on the system (for example, e-mail, Host Blackhole, SNMP Trap, and Secure Alert). Specifies the types of responses to generate for the selected IPS attack.
  Note: You must select Send Secure Alert if you want IPS attack responses to generate a Secure Alert.
• OK — Save the changes to this attack response.
• Cancel — Close this window without saving any changes.
Pre-defined audit filters for IPS attacks

The following pre-defined audit filters are for IPS attacks:
• ACL Deny — Detects when a connection is denied by a rule in the active policy.
• denied authentication — Detects when a user attempts to authenticate and specifies invalid data. For example, if a user is required to specify a password and specified it incorrectly, the denied auth event would log the event.
• IPFilter Deny — Detects when a connection is denied by the active filter policy.
• IPS — Detects severe attacks. This option also detects application defense violation attacks, buffer overflow attacks, general attacks, DOS attacks, policy violation attacks, protocol violation attacks, virus attacks and spam attacks. Severe attacks indicate something is occurring that an administrator should know.
• keyword filter failure — Detects when an SMTP mail message is rejected due to a configured keyword filter.
• network probe — Detects network probe attacks, which occur any time a user attempts to connect or send a message to a TCP or UDP port that is not configured.
• proxy flood — Detects potential connection attack attempts. A connection attack is defined as one or more addresses launching numerous proxy connection attempts to try and flood the system. When NSS (network service sentry) receives more connection attempts than it can handle for a proxy, new connections to that proxy are briefly delayed (to allow the proxy to catch up) and the attack is audited.
• signature IPS intrusion all — Detects all attacks identified by the signature-based IPS. This category detects attacks that were denied, dropped, or rejected, as well as suspected attacks that were allowed, but were audited by IPS.
• signature IPS intrusion blackholed — Detects attacks identified by the signature-based IPS, where the attacker was blackholed.
• signature IPS intrusion deny — Detects attacks identified by the signature-based IPS, where the offending network session was dropped, or rejected, or the attacker was blackholed.
• spam filter failure — Detects attacks of all severities that are spam.
• TCP SYN attack — Detects a possible attempt to overrun the firewall with connection attempts.
• TrustedSource — Detects attacks identified as spam by TrustedSource.
• Type Enforcement — Detects when there is a TE violation due to an unauthorized user or process attempting to perform an illegal operation.
• virus filter failure — Detects attacks of all severities that are viruses.
Viewing system responses

Use the System Responses page to view a complete list of the system responses that have been defined on your system. To modify system response settings, double-click the specific response. The System Response window is displayed, in which you can configure these settings. For more information, see Configuring system responses on page 613.

Figure 266 System Responses page

Accessing this page
1 In the Configuration Tool, select the Monitor group bar.
2 Double-click the System Responses node. The System Responses page is displayed.

Fields and buttons
The following columns are displayed by default.
• Filter — Specify the firewall for which you want to display system responses or select ALL RESPONSES to view them for all firewalls. If you need to change your display, click (Clear Filter results).
• Find — Because your list of objects (where objects refers to the entity for which you are searching) could potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by using the Find filtering mechanism.
  a In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.
  b Click the down arrow to select the display for the search results (Highlight matching <objects> [where <objects> is the entity for which you are searching] or Only display matching <objects> [where <objects> is the entity for which you are searching]).
  c Click Find or press Enter. The results are displayed. If you had selected the highlight option, all objects that match the value in the Search field are highlighted in yellow. If you selected the other value, you will see only those objects that matched your search criteria.
  d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view all of the objects again, click (Clear Find Results).
• Enabled — Determines whether the system response is enabled.
• Name — [Read-only] Displays the name assigned to the system response.
• Audit Filter — [Read-only] Displays the audit filter associated with the system response. Audit filters are defined on the Audit Filter window.
• Apply On — [Read-only] Displays the firewalls to which the system response applies.
• System Responses — [Read-only] Displays the system response(s) associated with the system event. Responses are defined on the Responses window.
• Frequency — [Read-only] Displays the frequency parameters associated with the system response. Frequency parameters are defined on the System Response window.
• Description — Specify information about the system response.

Configuring system responses

Use the System Response window to configure and modify system responses. System responses define the way that the firewall responds when it detects audit events that indicate such significant system events as license failures and log overflow issues.

Figure 267 System Response window

Accessing this window
1 If the System Responses page is already displayed, skip to step 4.
2 In the Configuration Tool, select the Monitor group bar.
3 Double-click the System Responses node. The System Responses page is displayed.
4 Double-click a system response on the System Responses page. The System Response window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a label that is used to refer to the system response.
• Description — Provide information about the system response.
• Characteristics — Use the fields in this area to specify the characteristics for this system response. The following fields are available:
  • Filter — Specify the audit filter to use. For a list of the audit filters and descriptions of the event types that they audit, see Pre-defined audit filters for system events on page 615.
  • Enabled — Determines whether the response is enabled. This is selected by default.
• Event Frequency — Use the fields in this area to determine the response frequency. The following fields are available:
  • Frequency — Specify the frequency at which the response is to be generated. The following values are available:
    • Always Respond — Indicates that a response is generated every time the system event response occurs.
    • Limit Responses — Indicates that a response is generated when the pattern of system events matches the following settings:
      • Respond if n Events in — Specify the number of system events to occur before a response is generated, where n ranges from 2 to 100000. The firewall will respond when the nth event occurs.
      • y seconds — Specify the number of seconds within which the specified number of system events must occur before a response is generated, where y ranges from 1 to 100000.
  • Reset event count to zero after responding — Determines whether the firewall zeroes out its event counter after responding and waits until another n events occur in y seconds before sending out the next response. If this option is not selected, the same events may be used to generate additional alerts.
• Event Response Alerts (Email/SNMP Trap) — Use the fields in this area to specify the frequency at which alerts using e-mail and SNMP traps are triggered.
  Includes the following setting:
  • Wait n seconds between alerts — Specify the number of seconds for the firewall to wait before sending the next e-mail or SNMP trap for the same type of event.
    Caution: Be careful when setting the wait time between alerts. If the Frequency is set to Always Respond and the wait time between alerts is zero, an e-mail or SNMP trap could be sent every second.
• Find — Use this field and the associated controls described above to find matching firewalls in the Apply On list or to filter or search for matching responses in the System Responses list.
• Apply On — Select the firewalls on which to apply the system responses.
• System Responses — Specify the way that the firewall will respond when the system event type pattern that is specified matches the Frequency field settings. This list contains the responses that have been defined on the system (for example, E-mail, Host Blackhole, SNMP Trap, and Secure Alert). Specifies the types of responses to generate for the selected system event.
  Note: You must select Send Secure Alert if you want system responses to generate a Secure Alert.
• OK — Save the changes to this system response.
• Cancel — Close this window without saving any changes.
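The Attack Frequency settings of the IPS Attack Response window and the Event Frequency settings of the System Response window describe the same threshold logic: Always Respond or Limit Responses (n occurrences in y seconds), the reset-count-to-zero option, and a separate wait between e-mail/SNMP alerts. The following added Python model (not Control Center or firewall code) replays a constructed sequence of matching audit events through those settings so the effect of each option, including the "alert every second" case in the Caution above, can be seen before the response is applied to a firewall. The sliding-window bookkeeping and the integer-second timestamps are assumptions of this example, not a description of the firewall's internals.

```python
# Added example (not Control Center code): a model of the Attack Frequency /
# Event Frequency fields and "Wait n seconds between alerts" that the IPS Attack
# Response and System Response windows share. Timestamps are plain seconds; the
# sliding window is this example's assumption about how "n in y seconds" counts.
from dataclasses import dataclass


@dataclass
class ResponseFrequency:
    always_respond: bool = True        # Frequency: Always Respond / Limit Responses
    count: int = 2                     # "Respond if n Attacks (Events) in" (2..100000)
    seconds: int = 60                  # "y seconds" (1..100000)
    reset_after_response: bool = True  # "Reset ... count to zero after responding"
    alert_wait: int = 0                # "Wait n seconds between alerts"

    def __post_init__(self):
        if not 2 <= self.count <= 100000:
            raise ValueError("count must be between 2 and 100000")
        if not 1 <= self.seconds <= 100000:
            raise ValueError("seconds must be between 1 and 100000")
        if self.alert_wait < 0:
            raise ValueError("alert_wait must not be negative")


class ResponseEngine:
    """Feeds matching audit events through the frequency and alert-wait logic."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.window = []      # event times still inside the last y seconds
        self.last_alert = None
        self.responses = []   # times at which a response fired
        self.alerts = []      # times at which an e-mail/SNMP alert was sent

    def event(self, t):
        """Process one matching audit event at time t; return True if it fires."""
        cfg = self.cfg
        if cfg.always_respond:
            fired = True
        else:
            self.window = [e for e in self.window if t - e < cfg.seconds]
            self.window.append(t)
            fired = len(self.window) >= cfg.count
            if fired and cfg.reset_after_response:
                self.window = []   # the next n events are counted from scratch
        if fired:
            self.responses.append(t)
            # The wait throttles only e-mail/SNMP alerts, not the response itself.
            if self.last_alert is None or t - self.last_alert >= cfg.alert_wait:
                self.alerts.append(t)
                self.last_alert = t
        return fired


def simulate(cfg, times):
    """Run a list of event timestamps; return (response times, alert times)."""
    engine = ResponseEngine(cfg)
    for t in times:
        engine.event(t)
    return engine.responses, engine.alerts


# Constructed sample: six matching events, one per second.
SAMPLE_TIMES = [0, 1, 2, 3, 4, 5]

if __name__ == "__main__":
    limited = ResponseFrequency(always_respond=False, count=3, seconds=10)
    print(simulate(limited, SAMPLE_TIMES))      # ([2, 5], [2, 5])
    no_reset = ResponseFrequency(always_respond=False, count=3, seconds=10,
                                 reset_after_response=False, alert_wait=2)
    print(simulate(no_reset, SAMPLE_TIMES))     # ([2, 3, 4, 5], [2, 4])
    print(simulate(ResponseFrequency(), SAMPLE_TIMES))  # fires and alerts on all six
```

With the reset option cleared, every event after the threshold fires again while the earlier events remain inside the y-second window, which is the "same attacks may be used to generate additional alerts" behaviour the field description warns about; only the alert wait keeps the mail and trap volume down in that case.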
Pre-defined audit filters for system events

The following pre-defined audit filters are for system events:
• HA failover — Detects when a failover IP address changes because a High Availability (HA) cluster failed over to its secondary/standby.
• hardware software failure — Detects when a hardware or software component fails.
• host license exceeded — Detects when the number of hosts protected by the firewall exceeds the number of licensed hosts.
• IPsec error — Detects when traffic generates IPsec errors.
• license expiration — Detects when a licensed feature is about to expire.
• log overflow — Detects when the log partition is close to filling up.
• network traffic — Detects all connections that successfully pass through the firewall.
• power failure — Detects when an Uninterruptible Power Supply (UPS) device detects a power failure and the firewall is running on UPS battery power.
• UPS system shutdown — Detects when a UPS is running out of battery power or has been on battery power for the estimated battery time.

Audit trail

The auditing subsystem creates a chronological record of system events. These records are used to:
• Reconstruct system events
• Deter improper system use
• Assign accountability for system activities
• Assess damage and allow efficient damage recovery
• Monitor problem areas of the system
• Produce reports and statistics about various system events

Viewing audit trail information

Use the Audit Trail page to view and analyze the Control Center user activity that is stored in the audit trail tables in the database of the Management Server. You can use this data in a variety of ways. You can review activities that are performed by a specific user, track the specific activities that are performed on a specific firewall, or audit all of the activities that occurred in a specific time frame. These, and many other, audit trail filtering and presentation features are possible.
Use the Audit Tracking and Archive Management window to configure the audit data that is stored in the database of the Management Server. The saved data can then be sorted (in ascending or descending order) by a specific column, and filtered by using existing column content or by using user-defined custom filters on one or more columns to provide precise control over the data that is presented in any view. You can view or print the resulting data.

Use the Audit Trail page to list, filter, preview, and print the audit trail data. No previously-recorded information is changed when using this window. By default, all of the data is recorded until individual audit settings have been selected using the Audit Tracking and Archive Management window. For more information, see Audit data management on page 100.
Figure 268 Audit Trail page

Accessing this page
In the Configuration Tool, select the Audit Trail tool from the Actions toolbar or, from the Reports menu, select Audit Trail.
or
In the Administration Tool, from the Audit Trail menu, select View Audit Trail.
or
In the Reporting and Monitoring Tool, from the Reports menu, select Audit Trail.
The Audit Trail page is displayed.

Fields and buttons
This page has the following fields and buttons:
• Export — Save the data as comma-separated values (CSV) in a separate file that can be opened as a spreadsheet. Specify the name and destination of the .csv file in the Export to CSV file window.
• Print Preview — View a print preview of the currently displayed data. A printer must be defined to use this option.
• Print — Print the current view of the audit data. You must define a printer to be able to use this option. The printed report includes the data in the Object Name, Row ID, Action, Date/Time, Action By, Ticket, Formatted Data, and Raw Data columns.
• Refresh — Retrieve the latest audit data from the audit tables in the Management Server database.
• Filter — Select a time range within which to view the audit data. If you have selected a filter and you want to revert back to the default value, click (Clear Filter).
• Find — Search for audit trail data. Because your list of objects (where objects refers to the entity for which you are searching) could potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by using the Find filtering mechanism.
  a In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.
  b Click the down arrow to select the display for the search results (Highlight matching <objects> [where <objects> is the entity for which you are searching] or Only display matching <objects> [where <objects> is the entity for which you are searching]).
  c Click Find or press Enter.
    The results are displayed. If you had selected the highlight option, all objects that match the value in the Search field are highlighted in yellow. If you selected the other value, you will see only those objects that matched your search criteria.
  d Click Find Next to move through the matches. To remove the filtered list or the yellow highlight and view all of the objects again, click (Clear Find Results).
• (Right-click) Copy — Copy the contents of any cell in the table to the clipboard. Right-click in any cell and select Copy.
• Domain — [Read-only] Displays the domain type that is associated with the audit trail row. The rows to be displayed can be controlled by specifying the domain preference.
• Object Name — [Read-only] Displays the list of object names that were captured by the audit tracking configuration.
• Row ID — [Read-only] Displays the list of object row IDs. This field is unique for each object in the Control Center.
• Action — [Read-only] Displays the operation (Insert, Update, Delete) that was performed.
• Date/Time — [Read-only] Displays the date and time of the object change.
• Action By — [Read-only] Displays the Control Center user ID of the person who was responsible for the object change. When the value listed in this column is set to Unknown, look to the object's parent for the correct user ID value.
• Ticket — [Read-only] Displays the name of the ticket that is associated with the listed change.
• Formatted Data — [Read-only] Displays the details of an audit entry in common language.
• Raw Data — [Read-only] Displays the command that was sent to the Management Server in XML format.
• (Details area) — [Read-only] Displays additional details about the highlighted row of data in this area below the table.

Configuring a custom audit trail filter

Use the Audit Trail Filter window to configure a customized range of time that will be used to display the audit data on the Audit Trail page. You can specify various types of ranges or milestones as identified in the Select time range field description.

Figure 269 Audit Trail Filter window

Accessing this window
1 If the Audit Trail page is already displayed, skip to step 3.
2 In the Configuration Tool, select the Audit Trail tool from the Actions toolbar or, from the Reports menu, select Audit Trail.
  or
  In the Administration Tool, from the Audit Trail menu, select View Audit Trail.
  or
  In the Reporting and Monitoring Tool, from the Reports menu, select Audit Trail.
  The Audit Trail page is displayed.
3 In the Audit Trail page, in the Filter list, select Custom Time Range. The Audit Trail Filter window is displayed. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 617
Fields and buttons
This window has the following fields and buttons:
• Select time range — Use the fields in this area to configure the custom time for the audit trail report. The following fields are available:
  • (condition) — Specify the conditional setting for this time range. The value in this field determines the other fields that are displayed in this window. The following values are available:
    • between … — Indicates that the Start time and End time field values will be used to create a range for this filter.
    • since … — Indicates that the Start time field value will be used to create a filter. Any data that has been generated since the Start time field value will be included in the report.
    • before … — Indicates that the Start time field value will be used to create a filter. Any data that has been generated before the Start time field value will be included in the report.
    • In the last 15 minutes, 1 hour, 6 hours, 12 hours, 1 day, 2 days, 7 days, 15 days, or 30 days — Indicates that the data that has been generated between the selected interval ago and now will be included in the report.
  Note: You can also change any of these time-specific values directly in the Filter list at the top of the Audit Trail page.
  • Start time — Select the start day for this time range. When you click in this field, a calendar is displayed, in which you can select a day for this value.
  • End time — Select the end day for this time range. When you click in this field, a calendar is displayed, in which you can select a day for this value.
• OK — Filter the audit trail report according to the parameters that you have selected in this window.
• Cancel — Close this window without filtering the audit trail data.

Audit archives
Audit archives are log files that contain a historical record of all suspicious and monitored network activity. Because these log files can grow very large over time, they must be managed to prevent the hard disk from becoming full.
Caution: Care is required when configuring frequent or numerous audit archives, since this may result in system performance issues.
For the firewall, use the controls and other features of the Audit Export window to create an audit export configuration that specifies the information needed to export audit archives to a remote location (for example, location, protocol, format, and target directory) and to set up a schedule for exporting them. The window also allows you to configure the settings needed to export the audit archives to the Control Center Management Server.

Alerts
Monitoring firewall activity is important so that you can detect and respond to threats and critical conditions. The firewall can be configured to recognize unusual or abnormal occurrences, and the response to these events can be customized. These types of events are referred to as alerts. Alerting is the process of detecting, recording, and notifying firewall administrative personnel of unusual or abnormal events observed during real-time monitoring of the firewall audit trail. Alerts help administrators to:
• Monitor problem areas of the system
• Fix small problems before they become large problems
• Counter security attacks
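The alerting mechanism described in this section (an audit filter that matches events, an occurrence count that must be reached within a time frame, and responses such as e-mail, an SNMP trap, and blackholing the suspect host for a period) can be modelled in a short script. The following Python is an added illustration, not Control Center or firewall code: the key=value audit line layout, the field names, the filter predicate, the thresholds, and the sample stream are all constructed assumptions rather than the product's filter syntax or output.

```python
"""Model of an audit-filter response: an occurrence threshold inside a time
window triggers alerting and a timed blackhole of the suspect host.

Added example for illustration; it is not Control Center or firewall code.
The audit line layout (key=value fields), the filter predicate and the
thresholds below are constructed assumptions, not the product's syntax.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Tuple

# Constructed sample audit stream (not real firewall output).
SAMPLE_AUDIT = [
    "2009-05-01T10:00:01 src=203.0.113.7 type=attack subtype=tcp_syn severity=severe",
    "2009-05-01T10:00:05 src=203.0.113.7 type=attack subtype=tcp_syn severity=severe",
    "2009-05-01T10:00:09 src=203.0.113.7 type=attack subtype=tcp_syn severity=severe",
    "2009-05-01T10:00:20 src=198.51.100.4 type=acl subtype=deny severity=info",
    "2009-05-01T10:04:00 src=203.0.113.7 type=attack subtype=tcp_syn severity=severe",
    "2009-05-01T10:07:00 src=203.0.113.7 type=attack subtype=tcp_syn severity=severe",
]


def parse_event(line: str) -> dict:
    """Turn one constructed audit line into a dict with a datetime 'time' key."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(stamp)
    return event


def severe_attack(event: dict) -> bool:
    """Filter predicate standing in for a filter expression: severe attacks only."""
    return event["type"] == "attack" and event["severity"] == "severe"


class AuditFilterResponse:
    """Counts matching events per source host inside a sliding window; once the
    threshold is reached, fires the configured responses and blackholes that
    host for blackhole_period."""

    def __init__(self, match: Callable[[dict], bool], threshold: int,
                 window: timedelta, blackhole_period: timedelta,
                 actions: Tuple[str, ...] = ("email", "snmp_trap", "blackhole")):
        self.match = match
        self.threshold = threshold
        self.window = window
        self.blackhole_period = blackhole_period
        self.actions = actions
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._blackholed_until: Dict[str, datetime] = {}

    def observe(self, event: dict) -> List[str]:
        """Process one event; returns the responses taken for it (possibly none)."""
        host, now = event["src"], event["time"]
        until = self._blackholed_until.get(host)
        if until is not None and now < until:
            return ["ignored"]          # blackholed host: traffic dropped, not counted
        if not self.match(event):
            return []
        hits = self._recent[host]
        hits.append(now)
        while hits and now - hits[0] > self.window:   # expire hits outside the window
            hits.popleft()
        if len(hits) < self.threshold:
            return []
        hits.clear()                    # restart the count after firing
        self._blackholed_until[host] = now + self.blackhole_period
        return list(self.actions)


def run(lines: List[str], response: AuditFilterResponse) -> List[Tuple[datetime, str, List[str]]]:
    """Replay an audit stream; return (time, host, responses) for events that drew a response."""
    results = []
    for event in map(parse_event, lines):
        taken = response.observe(event)
        if taken:
            results.append((event["time"], event["src"], taken))
    return results


def run_sample() -> List[Tuple[datetime, str, List[str]]]:
    """Three severe attacks from one host within one minute trigger the response;
    the host is then blackholed for five minutes (constructed thresholds)."""
    response = AuditFilterResponse(severe_attack, threshold=3,
                                   window=timedelta(minutes=1),
                                   blackhole_period=timedelta(minutes=5))
    return run(SAMPLE_AUDIT, response)


if __name__ == "__main__":
    for when, host, taken in run_sample():
        print(when.isoformat(), host, ", ".join(taken))
```

Two design points matter for a defender tuning such a filter: events from a host that is already blackholed are dropped rather than counted, so one burst cannot keep re-triggering the e-mail and SNMP responses, and the hit count restarts after the response fires, so the host must cross the threshold again once the blackhole expires before it is acted on a second time.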
Alerts operate by monitoring the audit logs for the occurrence of specific, abnormal conditions and building a customized response. If, for example, a virus is detected, the firewall can send an e-mail to the administrator and run a command to stop the virus.
Audit filters are used to configure IPS attack responses and system responses. Firewall IPS attack responses and system event responses allow you to monitor your network for abnormal and potentially threatening activities. They define criteria that determine how the firewall will react when audit events matching the filter expression occur (for example, the number of times that an event must occur within a specified time frame before a response is triggered). When the firewall encounters audit activity that matches the criteria, it can respond by triggering alerts by e-mail and SNMP traps, or by blackholing (ignoring) traffic from suspect hosts for a specified period of time.
Refer to the following topics to configure audit filters and responses:
• Configuring IPS attack responses on page 609
• Configuring system responses on page 613

Reporting
There are several different ways that you can generate a report:
• From the Reports menu, select a report.
• From the toolbar, select a report.
• Right-click a firewall object and select a specific report or a report from the Firewall Reports menu option.
You can generate and view reports from within the Configuration Tool and also within the Reporting and Monitoring Tool. There are currently more than 70 different reports that can be generated.

Firewall reports
The Control Center Reporting and Monitoring Tool has an interface for requesting a wide variety of firewall-specific reports. These reports can also be accessed from the Configuration Tool. Although some firewalls share similar reports, each firewall can generate unique reports that provide insight into its operation and configuration.
Firewall report results
You can initiate a firewall-specific report in the Firewalls group bar by right-clicking a specific firewall and selecting a report. Only the reports that are available for the selected firewall are displayed. After you select the report to generate, the window for that report is displayed. Depending on the report, this window can contain several fields. You can also choose between waiting for the report to be generated or initiating the report for asynchronous viewing (whereby you request the report and view the results at some other time). In either scenario, the report results are temporarily stored in the Reports group bar in the object area.
If you select the option not to wait for the report to be generated, the Reports group bar immediately indicates that the report has been requested by displaying the report object in the tree. You will not see the Reports group bar until the first report object has been generated during your current session. The icon associated with the report object changes from (report pending) to (report ready) when the report is available for viewing. Click the icon to display the report.
All of the reports that you have requested during the current session are retained and displayed in the Reports group bar. Right-click any report object to display the available sorting options that you can select to organize the way in which the reports are displayed.
You can generate multiple reports of the same type for the same firewall or device group. Each requested report object is displayed in descending order, based on the time at which it was generated. A date and time stamp is recorded at the bottom of each report to help you distinguish between subsequent iterations of the same report.
All firewall-specific reports are transient. They are saved only for the current session. When you close the Reporting and Monitoring Tool, all report objects and reports are discarded.

Generating aggregate reports
If you are generating an aggregate report for a device group (when you right-click a device group object and select Aggregate Reports), the resulting report combines the firewall-specific reports for each firewall in the device group into one report. This can be convenient when you are generating reports for many firewalls.
You can also generate aggregate reports by selecting a report that allows you to select multiple firewall objects or device groups from the report generation window. An example of this type of report, which is accessed from the right-click Firewall Reports menu option of a firewall, is the Blackholed IPs report.

Viewing firewall report data
Some reports have report-specific parameters and options that can be specified when you request a report. The name of this page is the name of the menu option that you select from the Firewall Reports right-click menu. For example, if you select the Running Processes menu option, the Running Processes window is displayed, in which you specify your report parameters. When the report is generated, the Running Processes page is displayed. For more information about each of these reports and the information that they display, see Table 22 on page 621.

Accessing this page
1 In the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar. For ePO host data reports only, select the Policy group bar.
2 Depending on the object for which you want to generate the report, select the Firewalls node, the Clusters node, or the Device Groups node. The list of available firewalls, clusters, or device groups, respectively, is displayed.
3 [For cluster member reports only] Select the cluster node that contains the cluster member for which you want to generate a report.
4 Right-click the object for which you want to generate the report. For firewall reports, select Firewall Reports and then the name of the report that you want to generate. The report window is displayed.
5 For firewall objects, specify the options on the report window. For some reports, you can schedule the report to be generated at a later time; most reports, however, are generated immediately. Click Generate Report. If you did not schedule the report, the report page is displayed. If you scheduled the report, it appears in the Reports group bar after it has been generated.
Note: The generated reports are saved only for the current session. When you log out, the reports are not saved.
Reports
Use the following summary description of the reports and their associated report parameters (if any) to determine the report or reports that you want to generate.

Table 22 Reports and associated parameters (Report Name — Description and Optional Parameters)
• Active Internet Connections — This report displays information about active Internet connections, including the protocol, the receive and send queue size (in bytes), the local and foreign address, and the internal state of the protocol. Report presentation is by Protocol, Recv-Q, Send-Q, Bu, Local Address, Foreign Address, and State.
  Parameters (Parameter Name — Parameter Value — Use):
  • Include Servers — Checkbox — Select this checkbox to display the state of all sockets, including those that are used by server processes.
  • Do not resolve — Checkbox — Creates a report that displays IP addresses rather than host names and domain names. Name resolution can be time-consuming. If there are network problems (for example, if the DNS server is unavailable), name resolution can take a long time.
• Antivirus Patch Version Information — This report displays information about the current anti-virus engine version number for the selected firewall. Report presentation is by Name and Value.
• ARP Table — The Address Resolution Protocol (ARP) is a TCP/IP protocol that is used to convert an IP address into a physical address. To obtain a physical address, a host broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address. This report displays the system's Internet-to-Ethernet address translation table that is used by ARP. Report presentation is by Name and Value.
  Parameters (Parameter Name — Parameter Value — Use):
  • Do Not Resolve Names — Checkbox — Creates a report that displays IP addresses rather than host names and domain names. Name resolution can be time-consuming. If there are network problems (for example, if the DNS server is unavailable), name resolution can take a long time.
• Authentication - Locked Out Users — This report displays information about the current authentication failures, by user name and by the number of failures, for the selected firewall. Report presentation is by User Name and Number of Failures. Options include:
  • Flushing all of the authentication failures
  • Flushing the failures for selected multiple users
  • Flushing only the failures for a selected individual user
• Blackholed IPs — This report displays information about the suspect or untrustworthy IP addresses that have attempted to access and infiltrate the selected firewall. These IP addresses are segregated and quarantined. Report presentation is by IP, Burb, and Expire Time.
• Cluster Status — This report displays information about the network cluster for the selected firewall. Report presentation is by Node, HA Mode, IP Address, State, and Status.
• Current Passport Users — This report displays information about the current users that are logged into the selected firewall by using Passport, which provides the user authentication process. Report presentation is by Name, External Group, Authenticator, IP Address, Issued, and Last Used. Options include:
  • Revoking all passports
  • Revoking passports for individual users
• Disk Utilization — This report displays information about the disk space consumption for each file system for the selected firewall. Report presentation is by File System, Total Size, Used, Available, Percent Used, and Mounted On.
• Enrolled Hosts — This report displays information about the current enrolled hosts for the selected firewall. The information includes the associated license type (either Limited or Unlimited) and the IP Address. Report presentation is by IP Address. Options include:
  • Removing the IP host from the enrolled list
• Geo-Location Version — This report displays information about the Geo-Location object for the selected firewall. Report presentation is by Version.
Table 22 Reports and associated parameters (continued)
• Interface NIC Status — This report displays information about the status of each NIC or NIC group for the selected firewall. Report presentation is by Interface Name, IP Address, Burb, Active NIC, Active Speed, Enabled, Up, and Connected.
• IPS Signature Version — This report displays information about the current IPS (Intrusion Prevention System) Signature file version number for the selected firewall. Report presentation is by Version.
• License Status — This report displays license information about one or more firewalls. Report presentation is by SecureOS, Support, VPN, Failover, Strong Crypto (Cryptography), Anti-Virus, Anti-Spam, IPS, SSL Decryption, IPS Signature, and Promotion.
• Network Interface Configuration — This report displays information about all of the initialized network interfaces for the selected firewall. Report presentation is by interface.
• Network Interface Statistics — This report displays a summary of the activity on each network interface for the selected firewall. Information includes local and remote addresses, send and receive queue sizes (in bytes), protocol, and the internal state of the protocol. Report presentation is by Name, Mtu, Network, Address, Ipkts, Ierrs, Opkts, Oerrs, and Collisions.
• Network Protocol Statistics — This report displays information about the network traffic, organized by the various protocols (TCP, UDP, IP, ICMP, IGMP, and TCP Extensions) that are used by the network packets. This report also displays routing statistics. The protocol determines the following information:
  • The type of error checking to be used
  • The data compression method, if any
  • The way that the sending firewall will indicate that it has finished sending a message
  • The way that the receiving firewall will indicate that it has received a message
• Quality of Service Status — This report displays information about the Quality of Service profiles and queues that are assigned to interfaces. In the Profiles section, presentation is by Name and Queues. In the Queues section, presentation is by Name, Bandwidth, Priority, and Profile.
• Routing Statistics — This report displays a summary of the routing activity for the selected firewall. See Network Protocol Statistics above.
• Routing Table — This report displays the system routing table, including cloned routes for the Internet Protocol Version 4 (IPv4). The routing table displays the available routes and indicates the associated status. Each route consists of a destination host or network and a gateway to use for forwarding packets. This table displays the way that the packets are being routed. Packets that are being sent to the IP address that is named in the Destination column are actually being sent to the IP address that is displayed in the Gateway column. Report presentation is by Destination, Gateway, Flags, Refs, Use, Burb, Netif, and Expire.
  Parameters (Parameter Name — Parameter Value — Use):
  • Do Not Resolve Names — Checkbox — Select the checkbox to suppress resolving destination and gateway names. Name resolution can be time-consuming. If there are network problems (for example, if the DNS server is unavailable), name resolution can take a long time.
• Running Processes — This report displays the processes that are currently running and the system resources that they are consuming for the selected firewall. Report presentation is by Process, CPU%, Process Size, and Resident Memory.
• Service Status — This report displays configuration and status information for all of the services that are enabled on a specific firewall. For more information about this report, see Displaying system information for the Control Center Management Server on page 638. Report presentation is by Status, Service, Agent, Burbs, Ports, and Active Rules.
• SSH Known Host Associations — This report displays a list of the strong and weak trust associations that are present on the selected firewall. Report presentation is by Trust Level, IP Address, Port, Key Type, Fingerprint, Last Modified, and Key Value.
• Static Routing Status — This report displays the active status of all of the IPv4 and IPv6 (if enabled on a 7.0.1 version or later firewall) routes for the selected firewall, and also the failover routes if failover routes have been configured. Report presentation information varies, depending on the status (for example, a route failover has occurred). For IPv4 or IPv6 firewall routes, presentation is by Internet Destination, Gateway, Flags, Burb, and Netif. For failover routes, presentation is by Route, Gateway, Burb, Netif, and Status.
Table 22 Reports and associated parameters (continued)
• System Vital Statistics — This report displays the system resources and the load factor placed on them by the current system processes for the selected firewall. The Load Average information is presented by CPU, Real Memory, Virtual Memory, Disk Use, and Load Average for the last minute, 5 minutes, or 15 minutes. Report presentation is by Name and Value.
• VPN Status — This report displays the active status of all of the VPNs for a selected firewall. Report presentation is by Name and Status.

Generating firewall reports
Use this report window to request a firewall-specific report. Note that the title of this window changes, depending on the name of the report that you are requesting by right-clicking a firewall, cluster, cluster member, or device group object and then selecting the report from the Firewall Reports menu. For example, if you select Running Processes from the Firewall Reports right-click menu, the Running Processes window is displayed. There are currently more than 70 different reports that can be generated. For more information about reports, report options, and reporting in general, see Firewall reports on page 619.
The following example is the Service Status window, because Service Status was selected from the menu.

Figure 270 Service Status window (because the Service Status menu option was selected)

Accessing this window
1 In the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar.
2 Depending on the object for which you want to generate the report, select the Firewalls node, the Clusters node, or the Device Groups node. The list of available firewalls, clusters, or device groups, respectively, is displayed.
3 [For cluster member reports only] Select the cluster node that contains the cluster member for which you want to generate a report.
4 Right-click the object for which you want to generate the report. Select Firewall Reports and then the name of the report that you want to generate. The report window is displayed.
Fields and buttons
• Firewall — Specify the firewall about which the report will be generated. In certain report windows, for reports that provide aggregate information, you can select several firewalls. The default value is the firewall that you right-clicked in the Firewalls group. To select the values for this list:
  a Click the down arrow. The list of values is displayed, along with a Find field and button.
  b If you do not need to filter the list, go to the next step. To filter the list of values, in the Find field, specify a value, a partial value, or an internal value (such as part of an IP address if you are working with objects that reference IP addresses) and click Find. Only those values that match your find criteria are displayed.
  c Select the checkbox of each value that you want to add to this field and click the down arrow to close the drop-down display. If you have selected more than one value, they are displayed in a comma-delimited list in this field.
• Wait for Report — [Available only for reports that are generated in the Reporting and Monitoring Tool] Determines whether to wait until the resulting report has been generated and displayed before any other actions can occur. Reports can be viewed synchronously (whereby no other operations can occur until the report is generated and displayed) or asynchronously (whereby you request the report and view the results at some other time). This checkbox is selected by default.
• Parameter Name — Specify the name of any additional parameter that can alter the scope of the report. Some reports require an input parameter to complete the request, while other reports use parameters as optional reporting criteria. For more information about any required or optional parameters that are associated with a specific report, see Firewall reports on page 619.
• Parameter Value — Specify the parameter value that might be required, depending on the specific report that is being requested. Parameters can take several forms, depending on the report. A parameter can be a checkbox that you can optionally select, or it can be a data field entry. For more information about any required or optional parameters that are associated with a specific report, see Firewall reports on page 619.
• Request Report — Submit the report request based on the supplied parameters (if any) and options.
• Close — Close the window without generating the report.

Firewall audit reports
Audit reports are generated from the data that is collected in the audit log files for each firewall in your configuration. To enable audit reports to be generated by using the Reporting and Monitoring Tool, the audit archive files or encrypted audit archive files from each firewall must be placed in defined locations on the Control Center Management Server.
The Management Server contains a base directory in which all audit data is stored. Within this base directory, a directory is created for each firewall that is managed by the Control Center. The audit archive files are placed in the directory that corresponds to the Control Center on which they were generated. Information about enabling the firewalls to place audit log data on the Management Server is provided in the Offbox Settings area on the Firewall window in the Configuration Tool.
Caution: Log files grow very quickly and can consume vast amounts of disk space on the Management Server. Ensure that you manage your system resources by archiving or purging your audit log files on a regular basis.
The base directory that is created on the Management Server for the log files is /opt/security/var/gccserver/auditlogs. A separate sub-directory is created for each firewall object that is created in your configuration.
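The caution above is easiest to act on with a routine that measures each firewall's sub-directory and identifies archives past a retention age before anything is deleted. The following Python housekeeping script is an added illustration, not Control Center code: it assumes only the layout the text describes (one sub-directory per firewall under /opt/security/var/gccserver/auditlogs), while the retention period, the sample tree it builds, and the archive file names are constructed for the example. Deletion happens only when apply=True is passed; the default run just reports.

```python
"""Housekeeping for the audit-archive base directory on the Management Server.

Added example, not Control Center code. It assumes the layout described on
the page (one sub-directory per firewall under
/opt/security/var/gccserver/auditlogs) and a constructed retention policy;
purge() is a dry run unless apply=True is passed.
"""
import os
import tempfile
import time
from typing import Dict, List

BASE_DIR = "/opt/security/var/gccserver/auditlogs"   # base directory named in the guide
SECONDS_PER_DAY = 86400


def survey(base_dir: str, retention_days: int, now: float = None) -> Dict[str, dict]:
    """Per firewall sub-directory: total bytes, file count, and archives older than retention."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    report: Dict[str, dict] = {}
    for firewall in sorted(os.listdir(base_dir)):
        fw_dir = os.path.join(base_dir, firewall)
        if not os.path.isdir(fw_dir):
            continue                      # only per-firewall directories are expected here
        entry = {"bytes": 0, "files": 0, "expired": []}
        for root, _dirs, files in os.walk(fw_dir):
            for name in files:
                path = os.path.join(root, name)
                st = os.stat(path)
                entry["bytes"] += st.st_size
                entry["files"] += 1
                if st.st_mtime < cutoff:
                    entry["expired"].append(path)
        report[firewall] = entry
    return report


def purge(report: Dict[str, dict], apply: bool = False) -> int:
    """Return the bytes held by expired archives; delete them only when apply=True."""
    freed = 0
    for entry in report.values():
        for path in entry["expired"]:
            freed += os.path.getsize(path)
            if apply:
                os.remove(path)
    return freed


def build_sample_tree() -> str:
    """Constructed throwaway tree imitating the per-firewall layout, for a dry run."""
    base = tempfile.mkdtemp(prefix="auditlogs-")
    now = time.time()
    ages = {"fw-edge-1": (2, 45), "fw-dmz-1": (1,)}   # archive ages in days (constructed)
    for firewall, days in ages.items():
        os.makedirs(os.path.join(base, firewall))
        for age in days:
            path = os.path.join(base, firewall, f"audit-{age}d.tgz")
            with open(path, "wb") as fh:
                fh.write(b"\0" * (1024 * age))        # size scales with age, purely illustrative
            stamp = now - age * SECONDS_PER_DAY
            os.utime(path, (stamp, stamp))            # backdate mtime so retention applies
    return base


def summarize(base_dir: str, retention_days: int) -> List[str]:
    """Human-readable lines: usage per firewall and what a purge would free."""
    report = survey(base_dir, retention_days)
    lines = [f"{fw}: {e['files']} files, {e['bytes']} bytes, {len(e['expired'])} expired"
             for fw, e in report.items()]
    lines.append(f"dry-run purge would free {purge(report)} bytes")
    return lines


if __name__ == "__main__":
    sample = build_sample_tree()          # point survey() at BASE_DIR on a real Management Server
    print("\n".join(summarize(sample, retention_days=30)))
```

Run as-is it builds and reports on the constructed tree; on a Management Server you would call survey(BASE_DIR, retention_days) instead. Because the report keys off the per-firewall sub-directory, a firewall whose archives are growing unusually fast stands out immediately, which is the condition the caution warns about.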
McAfee Firewall Enterprise Audit Report content
Each audit report consists of a chronologically ordered sequence of audit records for a single firewall or multiple firewalls over a user-specified period of time. (For information, see Configuring and generating audit reports for one or more firewalls on page 625.) Each audit record is a standardized representation of an audit event. Audit events are notable occurrences in network traffic and system activity on the appliance. For example, an audit event records when a network session is terminated, an infected file is discovered, or a new process is created.
The audit reports that are created from the log files are highly configurable and can be customized to obtain reports that provide the most useful information for your organization and network configuration.
To view details about a particular event in the audit report, double-click that event in the McAfee Firewall Enterprise Audit Report window. The Audit Report Event Viewer window is displayed, in which you can view the details of this event and also view other events by using the Previous and Next buttons. For more information about this window, see Viewing event-specific audit information on page 635.
Although the audit reports generated by different firewalls differ, and the foundation data from which the reports are derived differs, they can all be useful tools for performing many different functions.

Configuring and generating audit reports for one or more firewalls
Use the McAfee Firewall Enterprise Audit Report window to configure the parameters for an audit report and to generate the report for a single firewall or multiple firewalls.
In addition to viewing all of the audit events for the configured parameters, from this window you can view detailed information about a specific audit event by double-clicking the event in the report to display the data in the Audit Report Event Viewer window. For more information, see Viewing event-specific audit information on page 635.

Figure 271 McAfee Firewall Enterprise Audit Report window for report generation

Accessing this window
1 In the Configuration Tool or in the Reporting and Monitoring Tool, select the Firewalls group bar.
2 You can run this report for firewalls or cluster members. For firewalls, select the Firewalls node to expand the list of firewalls.
or
For cluster members, select the Clusters node to expand the list of clusters. Then select the cluster that contains the member for which you want to run this report.
3 Right-click the firewall or cluster member for which to run this report and select Audit Report. The McAfee Firewall Enterprise Audit Report window is displayed.
Alternately, you can perform the following steps to access this window:
1 In the Configuration Tool, select the Monitor group bar.
2 Double-click Audit Report. The McAfee Firewall Enterprise Audit Report window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Select time range — Use the fields in this area to configure the start and stop times, in the client's time, for which this report will be run. A best practice is to use a network time service to synchronize the time on all firewalls. Without this synchronization, the time on individual firewalls may vary beyond time zone differences (for example, one firewall might be at 9:30, another at 9:37, and another at 9:25). For an archived audit report, such a variance affects the amount of data that is included. The following fields are available:
  • (Select time range) — Specify the start and end time. If you select Custom Time Range as the value, you can specify your own start time and end time. Otherwise, select a predetermined period of time from this list.
  • Start time — [Available only if Custom Time Range is selected in the Select time range list] Specify the firewall start date and time for the audit archive. Click the down arrow and then select the day from the calendar.
  • End time — [Available only if Custom Time Range is selected in the Select time range list] Specify the firewall end date and time for the audit archive. Click the down arrow and then select the day from the calendar.
• Select audit source — Use the fields in this area to specify the information that this report will access. The following fields are available:
  • Managed firewall — Select this option to specify that the report will be generated for a single firewall. The Control Center Management Server connects directly to the firewall and generates the report by using the audit archives that are available on the firewall.
  Note: This audit report retrieves a maximum of 24 megabytes of data, which is approximately 20,000 events.
  • Imported audit — Select this option to specify that the report will be generated based on an existing archived audit for the selected firewall or firewalls.
  Note: You must have already configured audit files to be exported from the firewall or firewalls to the Control Center. Configure this in the Audit Export area of the Offbox Settings area in the Firewall window for each individual firewall. See Firewall window: Offbox Settings area on page 174.
  When you select this option, a graph is displayed at the bottom of the report, visually indicating the following information:
    • The segments of time are displayed horizontally for the time range that you specified.
    • A color-coded bar graph is displayed for each selected firewall that indicates the number of events that have occurred across the time range. If you selected multiple firewalls, each firewall is displayed in a different color in the graph.
    • The total number of audit events in this time range for each firewall is listed in the key for each firewall.
  Note: This audit report retrieves a maximum of 24 megabytes of data, which is approximately 20,000 events. Also, data for up to six firewalls can be displayed at one time. If you select more than six firewalls, the data for the firewalls is not displayed in graph format.
• Import new audit — Issue a request to the selected firewall or firewalls to send new imported audit information. Click OK on the informational message.
• Audit — The following options are available from the Audit menu at the top of this window:
  • Close — Close this window.
  • Generate — Generate an audit report with the information that has been configured on this window. This is the same as the Generate Audit button on the toolbar.
  • Import new audit — Issue a request to the Control Center Management Server to import all of the log files that have not already been imported for the selected firewall or firewalls only. Click OK on the informational message. This is the same as the Import new audit button at the bottom of this window.
  • Create filter — Displays the Audit Filter window, in which you can define parameters for filtering the audit data so that you can respond effectively to audit events of particular interest to your site. For more information, see Configuring filters for audit reports on page 632.
• Filters: User-generated — Select a user-defined filter by clicking the down arrow and selecting one from the list. This populates the filter (blank) field in the middle of the toolbar with the actual filter syntax and generates the report.
  • Pre-generated — Select a predefined filter by clicking the down arrow and selecting one from the list. This populates the filter (blank) field in the middle of the toolbar with the actual filter syntax and generates the report.
    Use the following tables to view the predefined filters and the event types that each filter audits. For the most commonly used audit filters, see Table 23 on page 627. For the more advanced filters, see Table 24 on page 628.

Table 23 Common predefined audit filters

Audit type | Description
---------- | -----------
All Audit | Detects all attack and system events, regardless of type.
Attack All | Detects attack events of all severities. This option also detects all severities of application defense violation attacks, buffer overflow attacks, DOS attacks, general attacks, policy violation attacks, protocol violation attacks, virus attacks, and spam attacks.
Attack Severe | Detects severe attacks. This option also detects severe application defense violation attacks, buffer overflow attacks, DOS attacks, general attacks, policy violation attacks, protocol violation attacks, virus attacks, and spam attacks.
Config Change | Detects when the configuration of the firewall changes.
System All | Detects system events of all severities, including power failures, hardware and software failures, failover events, license expiration, host license exceeded, log overflows, and IPsec errors.
TrustedSource | Detects attacks identified as spam by TrustedSource.
VPN | Detects VPN audit events.
Table 24 Advanced predefined audit filters

Audit type | Description
---------- | -----------
Access Control List | Detects all ACL audit events.
ACL Allow | Detects when a connection is allowed by a rule in the active policy.
ACL Deny | Detects when a connection is denied by a rule in the active policy.
Application Defense Violation All | Detects attacks of all severities that violate the active policy defined by application defenses. This attack category includes mime and keyword filter failure attacks.
Application Defense Violation Severe | Detects severe attacks that violate the active policy defined by application defenses, including mime and keyword filter reject audits. Severe attacks indicate that something is occurring that an administrator should know about.
Buffer Overflow Attack | Detects attempted buffer overflow attacks targeted at systems protected by the firewall.
Denied Authentication | Detects when a user attempts to authenticate and specifies invalid data. For example, if a user is required to specify a password and specifies it incorrectly, a denied auth event is logged.
DOS All | Detects Denial of Service attacks of all severities. This attack category also detects all severities of TCP SYN attacks and proxy flood attacks.
DOS Severe | Detects severe Denial of Service attacks. This attack category also detects TCP SYN attacks and proxy flood attacks. Severe attacks indicate that something is occurring that an administrator should know about.
Error | Detects all system events identified as AUDIT_T_ERROR in the audit stream.
General Attack All | Detects general attacks of all severities that do not fall into the predefined categories.
General Attack Severe | Detects severe general attacks that do not fall into the predefined categories. Severe attacks indicate that something is occurring that an administrator should know about.
HA Failover | Detects when a failover IP address changes because a High Availability cluster failed over to its secondary/standby.
Hardware Software Failure | Detects some hardware failures, such as RAID, hard drive, and AMIR monitor failures.
Host License Exceeded | Detects when the number of hosts protected by the firewall exceeds the number of licensed hosts.
IPFilter Deny | Detects when a connection is denied by the active IP filter policy.
IPsec Error | Detects when traffic generates IPsec errors.
Keyword Filter Failure | Detects when an SMTP mail message is rejected due to a configured keyword filter.
License Expiration | Detects when a licensed feature is about to expire.
Log Overflow | Detects when the log partition is close to filling up.
Network Probe | Detects network probe attacks, which occur any time that a user attempts to connect or send a message to a TCP or UDP port when the security policy does not include a service that is expecting to receive traffic on that port. Note: The firewall does not blackhole netprobe attacks because they are likely to be Denial of Service attacks from spoofed source addresses.
Network Traffic | Detects all connections that successfully pass through the firewall.
Not Config Change | Detects all attack and system events that are not configuration changes.
Policy Violation All | Detects attacks of all severities that violate the active policy. This attack category also detects all severities of failed authentication attacks, ACL and IP filter deny attacks, and Type Enforcement error attacks.
Policy Violation Severe | Detects severe attacks that violate the active policy. This attack category also detects failed authentication attacks, ACL and IP filter deny attacks, and Type Enforcement error attacks. Severe attacks indicate that something is occurring that an administrator should know about.
Power Failure | Detects that a UPS power failure occurred.
Profiler Update Failure | Detects a failure to send a policy update to the McAfee Firewall Profiler.
Protocol Violation All | Detects attacks of all severities that violate protocol compliance.
Table 24 Advanced predefined audit filters (continued)

Audit type | Description
---------- | -----------
Protocol Violation Severe | Detects severe attacks that violate proxy protocols (HTTP, Telnet, FTP, and so on). Severe attacks indicate that something is occurring that an administrator should know about.
Proxy Flood | Detects potential connection attack attempts. A connection attack is defined as one or more addresses that launch numerous proxy connection attempts to try to flood the system. When NSS receives more connection attempts than it can handle for a proxy, new connections to that proxy are briefly delayed (to allow the proxy to catch up), and the attack is audited.
Signature IPS Intrusion All | Detects all attacks identified by the signature-based IPS. This category detects attacks that were denied, dropped, or rejected, as well as suspected attacks that were allowed but audited by IPS.
Signature IPS Intrusion Blackholed | Detects attacks identified by the signature-based IPS where the attacker was blackholed.
Signature IPS Intrusion Deny | Detects attacks identified by the signature-based IPS where the offending network session was dropped or rejected, or the attacker was blackholed.
Spam | Detects attacks of all severities that are spam.
Spam Severe | Detects severe attacks that are spam.
Syslog | Detects all audit attacks and system events that were created via syslog.
System Critical | Detects all critical system events, including power failures, hardware failures, critical software failures, and failover events. Critical system events indicate that a component or subsystem stopped working, that the system is going down (expectedly or unexpectedly), or that the system is not expected to work again without intervention.
System Critical And Severe | Detects critical and severe system events, including power failures, hardware failures, critical and severe software failures, failover events, license expiration, log overflows, and IPsec errors. Critical system events indicate that a component or subsystem stopped working, that the system is going down (expectedly or unexpectedly), or that the system is not expected to work again without intervention. Severe events indicate that something is occurring that an administrator should know about.
TCP SYN Attack | Detects a possible attempt to overrun the firewall with connection attempts.
Type Enforcement | Detects when there is a Type Enforcement violation because an unauthorized user or process attempted to perform an illegal operation.
UPS System Shutdown | Detects when the UPS has directed the firewall to shut itself down.
Virus | Detects attacks of all severities that are viruses.
Virus Severe | Detects severe attacks that are viruses.

• (filter area) — This area is used in several ways. It displays the expression if you selected a pre-generated filter or defined a new filter in the Audit Filter window. You can also edit the expression in this area.
• Generate Audit — Select this toolbar tool to generate the audit data. A status bar to the right of the Save filter tool indicates the progress of the report generation.
  Note: Your report is truncated if there is more than 24 megabytes of data; a message notifies you when this occurs. Narrow your filter so that the data you want to see fits within that limit, and then click this tool again.
• Save filter — Displays the Audit Filter window, in which you can save the filter that you specified in the (filter area) field in the toolbar as a user-generated filter.
Audit report results
After you generate the audit report, the report data is displayed and additional fields and buttons are available. The following graphic illustrates a generated audit report.
Figure 272 McAfee Firewall Enterprise Audit Report window after report generation
Fields and buttons after report generation
This window has the following fields and buttons after a report has been generated:
• Find functionality (and the buttons and fields that comprise this functionality). Because your list of objects (where objects refers to the entity for which you are searching) could be very long, you can quickly retrieve only those objects that meet certain filter constraints by using the Find filtering mechanism.
  a In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.
  b Click the down arrow to select the display for the search results: Highlight matching <objects> or Only display matching <objects>, where <objects> is the entity for which you are searching.
  c Click Find or press Enter. The results are displayed. If you selected the highlight option, all objects that match the value in the Search field are highlighted in yellow. If you selected the other option, you see only those objects that matched your search criteria.
  d Click Find Next to move through the matches.
  To remove the filtered list or the yellow highlight and view all of the objects again, click (Clear Find Results).
• Show details / Hide details — Click Show details to display a summary of the selected audit event at the bottom of this window. Click Hide details to hide this summary so that you can view more events on the window.
• Export… — Displays the Save Audit Output File window, in which you can save this audit event data to a location that you choose, in any of the following three formats:
  • XML (.xml)
  • Text (.txt)
  • SEF (.sef)
• Settings — Displays the McAfee Firewall Enterprise Audit Report: Color Settings window, in which you can configure the colors used on the McAfee Firewall Enterprise Audit Report window. For more information, see Configuring on-screen color schemes for the audit records on page 636.
• Time — [Read-only] Displays the date and time on the client at which this audit event occurred.
  Note: You can view detailed information about a specific audit event by double-clicking it in the report. The Audit Report Event Viewer window is displayed. For more information, see Viewing event-specific audit information on page 635.
• Firewall — [Read-only] Displays the fully qualified domain name (FQDN) of the firewall on which this event occurred.
• Syslog — [Read-only] Displays the syslog severity number of the audit event; the lower the number, the more severe the event. The following values are available:
  • 0 — Emergencies
  • 1 — Alerts
  • 2 — Critical
  • 3 — Errors
  • 4 — Warnings
  • 5 — Notifications
  • 6 — Informational
  • 7 — Debugging
• Type — [Read-only] Displays the type code that identifies the kind of problem with which this event is associated.
• Command — [Read-only] Displays the name of the process that generated this event (for example, acld or monitord).
• Source IP — [Read-only] Displays the IP address of the source of the audit event. This can be any IP-attached source (for example, the Control Center Management Server using a firewall as a proxy, or the firewall sending information to itself through localhost). If the firewall for which you generated data is version 7.0.1.02 or later and you have configured the McAfee Firewall Enterprise ePO Extension, you can right-click in this field and retrieve host data from the ePolicy Orchestrator server. For more information, see ePolicy Orchestrator settings on page 132.
• Source Burb — [Read-only] Displays the name of the burb for the device identified in the Source IP column.
• Source Port — [Read-only] Displays the port used to send the audit event by the device specified in the Source IP column.
• Dest IP — [Read-only] Displays the IP address of the destination device of the audit event. If the firewall for which you generated data is version 7.0.1.02 or later and you have configured the McAfee Firewall Enterprise ePO Extension, you can right-click in this field and retrieve host data from the ePolicy Orchestrator server. For more information, see ePolicy Orchestrator settings on page 132.
• Dest Burb — [Read-only] Displays the name of the burb for the device identified in the Dest IP column.
• Dest Port — [Read-only] Displays the port used to receive the audit event.
• Information — [Read-only] Displays additional information about the audit event. Sometimes this is the filter that was used to generate the event.
• (text area at the bottom of this window) — [Read-only] Displays the data for the column of a selected row in the report results table.

Configuring filters for audit reports
Use the Audit Filter window to define parameters for filtering the audit data so that you can respond effectively to audit events of particular interest to your site. You can select from a list of available filters for IPS attack responses and system responses, or define a custom audit filter.
Filters are used to configure IPS attack responses and system responses. Firewall IPS attack responses and system event responses allow you to monitor your network for abnormal and potentially threatening activity. They define criteria that determine how the firewall reacts when audit events matching the filter expression occur (for example, the number of times that an event must occur within a specified time frame before a response is triggered). When the firewall encounters audit activity that matches the criteria, it can respond by sending alerts through e-mail and SNMP traps, or by blackholing (ignoring) traffic from suspect hosts for a specified period of time.
For additional information, refer to the following related topics:
• Viewing IPS attack responses on page 608
• Configuring system responses on page 613
Figure 273 Audit Filter window
Accessing this window
1 In the Configuration Tool, select the Monitor group bar.
2 Double-click the Audit Filters node in the tree.
The Audit Filter window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Name — Specify a name for the audit filter.
• Description — Provide information about the function of the audit filter.
• Characteristics — Use the fields in this area to define the type of filter and the SNMP trap number. The following fields are available:
  • Filter Type — Specify the type of audit event to filter. The following values are available:
    • IPS Attack Responses — Indicates that the audit filter is for responses to audit events that indicate a possible attack (for example, Type Enforcement violations, proxy floods).
    • System Responses — Indicates that the audit filter is for responses to audit events that indicate significant system events (for example, license failures, log overflow issues).
  • SNMP Trap Number — Specify the SNMP trap number to associate with the audit filter. Use this field when you want to send an alert message when a matching audit event occurs. If this value is 0, no trap is sent. The default value is 0.
• Search Available Filters — Search the Available Filters list for a particular type of attack or event (for example, attack or license event). Only those filters that match the search criteria that you specify are displayed in the list.
• Available Filters — Select one or more of the predefined audit filters by selecting the checkbox for each filter of interest. Right-click the Available Filters heading for an option to select or clear all filters. A filter expression based on your selections is shown in the Filter Expression text area at the bottom of this window.
• Source — Use the fields in this area to refine the filter by specifying particular source burbs and IP addresses. The following fields are available:
  • Burb — Filter audit events to include events generated by the selected source burb or burbs.
    Select the checkbox for the burb or burbs that you want to include. The default value is <None>.
  • IP address(es) — Filter audit events to include events generated by the source IP addresses and subnets that you specify.
• Destination — Use the fields in this area to refine the filter by specifying particular destination burbs and IP addresses. The following fields are available:
  • Burb — Filter audit events to include events whose destination is one of the selected burbs. Select the checkbox for the burb or burbs that you want to include. The default value is <None>.
  • IP address(es) — Filter audit events to include events whose destination is one of the IP addresses or subnets that you specify.
• Others — Use the field in this area to specify the service or services that you want to include. The following field is available:
  • Service — Refine the filter by selecting particular services. Select the checkbox for each service of interest. The default value is <None>.
• Extra Criteria — Use the fields in this area to specify additional criteria for filtering audit data. The following fields are available:
  • Expression Type — Specify the type of expression (for example, an event facility, type, or category; a SACAP expression; or data fields). The default value is <None>.
  • Expression — Specify an expression associated with the selected type. The default value is <None>.
  • Value — Specify a value associated with a selected data field expression (for example, Lloyd for username).
To build an expression to filter all login records for a user named Lloyd, for example, specify the following criteria:

Table 25 Sample filter expression

Expression Type | Expression | Value
--------------- | ---------- | -----
Facility Codes | AUDIT_F_LOGIN |
Data Fields | username | Lloyd

The expression that you build is shown in the Filter Expression text area.
• Filter Expression — Select this checkbox to edit the filter expression that you have created through your selections on the window. This checkbox is cleared by default; your expression is displayed in this area only when you select it.
• OK — Save the changes to this audit filter.
• Cancel — Close this window without saving any changes.

Filter syntax
Use the following syntax when building expressions:
• Enclose a filter in either single quotes (') or double quotes ("). All examples shown below use single quotes.
• Express "and" using either and or &&.
• Express "or" using either or or ||.
• Express "not" using either not or !.
A filter should include the following components:
• The type or facility that you want to search for, in one of these formats:
  • The Name format (AUDIT_T_TYPE, as in AUDIT_T_ATTACK; AUDIT_F_FACILITY, as in AUDIT_F_LOGIN)
  • The Short Message format (attack, login)
  • The Short Message format prefixed with a classification indicator (t_attack, f_login)
  Note: This last format is the one that appears in audit records, so it is convenient when copying and pasting directly from audit output.
• Additional fields to further narrow the audit results; fields can be combined with the Boolean operators (and, or, not) and grouped with parentheses.
Example
This filter expression:
  dest_burb external and (src_ip 10.69.101.34 or src_ip 10.69.101.36)
returns this audit record:
  Aug 22 02:02:20 2008 CDT f_ping_proxy a_proxy t_nettraffic p_major pid: 3728 ruid: 0 euid: 0 pgid: 3728 logid: 0 cmd: 'pingp' domain: Ping edomain: Ping hostname: mixer.ext.b.test event: proxy traffic end service_name: ping netsessid: 48ad640e000e0151 srcip: 10.69.101.34 srcburb: internal protocol: 1 dstip: 10.66.6.22 dstburb: external bytes_written_to_client: 83079240 bytes_written_to_server: 83087396 acl_id: Internet Services cache_hit: 1 request_status: 0 start_time: Thu Aug 21 07:48:14 2008
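A filter like the one above can be checked mechanically, because a raw audit record carries its classifiers as f_/a_/t_/p_ tokens at the front and everything else as key: value pairs. The following Python script is an added example written for this page, not code from the product or from McAfee. It implements the syntax listed above (the three type/facility formats, and/&&, or/||, not/!, parentheses and the optional quoted wrapper) and runs filters over three audit lines: the record printed above, plus two constructed ones, one of them a login record for the user Lloyd so that the Table 25 criteria (AUDIT_F_LOGIN with username Lloyd) can be tried as well. The mapping from filter field names such as src_ip and dest_burb to the record keys srcip and dstburb, and the layout of the two constructed records, are assumptions made for the example.

```python
"""Audit filter evaluator for the syntax described above (added example).

Not product code. It parses and/&&, or/||, not/!, parentheses, an optional
quoted wrapper, type or facility tokens in AUDIT_T_X, short-message or t_x
form, and field/value pairs, then runs the filter over raw audit records.
"""
import re

# Assumed mapping from filter field names to the keys in a raw audit record.
FIELD_KEYS = {"src_ip": "srcip", "dest_ip": "dstip", "src_burb": "srcburb",
              "dest_burb": "dstburb", "src_port": "srcport", "dest_port": "dstport"}
OPERATORS = {"and", "&&", "or", "||", "not", "!", "(", ")"}
_KV = re.compile(r"(\w+): (.*?)(?= \w+: |$)")   # "key: value" pairs, values may contain spaces
_CLASS = re.compile(r"^[ftap]_")                 # f_/a_/t_/p_ classifier tokens
_TOKEN = re.compile(r"[()!]|[^\s()!]+")          # parentheses and ! split even without spaces

def parse_record(line):
    """Split a raw audit line into (classifier tokens, {field: value})."""
    first = _KV.search(line)
    header = line[: first.start()] if first else line
    classifiers = {t for t in header.split() if _CLASS.match(t)}
    fields = {k: v.strip("'") for k, v in _KV.findall(line)}
    return classifiers, fields

def classifier_matches(token, classifiers):
    """Match AUDIT_T_X, t_x or bare x (short message) against a record's classifiers."""
    tok = token.lower()
    if tok.startswith("audit_"):
        tok = tok[len("audit_"):]
    if _CLASS.match(tok):
        return tok in classifiers
    return any(c.split("_", 1)[1] == tok for c in classifiers)

def compile_filter(expression):
    """Recursive-descent parse of a filter into a predicate over parsed records."""
    toks = _TOKEN.findall(expression.strip().strip("'\""))
    pos = [0]
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        if pos[0] >= len(toks):
            raise ValueError("unexpected end of filter")
        pos[0] += 1
        return toks[pos[0] - 1]
    def binary(operand, ops, combine):   # left-associative chain of one operator level
        pred = operand()
        while peek() in ops:
            take()
            pred = combine(pred, operand())
        return pred
    parse_or = lambda: binary(parse_and, ("or", "||"), lambda a, b: lambda r: a(r) or b(r))
    parse_and = lambda: binary(parse_not, ("and", "&&"), lambda a, b: lambda r: a(r) and b(r))
    def parse_not():
        if peek() in ("not", "!"):
            take()
            inner = parse_not()
            return lambda r: not inner(r)
        return parse_primary()
    def parse_primary():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in filter")
            return inner
        is_class = tok.lower().startswith("audit_") or _CLASS.match(tok.lower())
        if not is_class and peek() is not None and peek() not in OPERATORS:
            key, want = FIELD_KEYS.get(tok.lower(), tok.lower()), take()
            return lambda r: r[1].get(key) == want      # field/value term
        return lambda r: classifier_matches(tok, r[0])   # type/facility term
    pred = parse_or()
    if pos[0] != len(toks):
        raise ValueError("unexpected token %r" % toks[pos[0]])
    return pred

def select(expression, lines):
    """Return the indexes of the audit lines that satisfy the filter."""
    pred = compile_filter(expression)
    return [i for i, line in enumerate(lines) if pred(parse_record(line))]

# Record 0 is the record printed in the guide; records 1 and 2 are constructed for this example.
SAMPLE_AUDIT = [
    "Aug 22 02:02:20 2008 CDT f_ping_proxy a_proxy t_nettraffic p_major pid: 3728 ruid: 0 "
    "euid: 0 pgid: 3728 logid: 0 cmd: 'pingp' domain: Ping edomain: Ping hostname: mixer.ext.b.test "
    "event: proxy traffic end service_name: ping netsessid: 48ad640e000e0151 srcip: 10.69.101.34 "
    "srcburb: internal protocol: 1 dstip: 10.66.6.22 dstburb: external bytes_written_to_client: 83079240 "
    "bytes_written_to_server: 83087396 acl_id: Internet Services cache_hit: 1 request_status: 0 "
    "start_time: Thu Aug 21 07:48:14 2008",
    "Aug 22 02:05:11 2008 CDT f_login a_server t_attack p_major pid: 412 cmd: 'cfd' "
    "hostname: mixer.ext.b.test event: authentication failed username: Lloyd srcip: 10.69.101.36 "
    "srcburb: internal dstip: 10.66.6.22 dstburb: external",
    "Aug 22 02:07:40 2008 CDT f_http_proxy a_proxy t_nettraffic p_major pid: 3991 cmd: 'httpp' "
    "hostname: mixer.ext.b.test event: proxy traffic end service_name: http srcip: 10.69.101.50 "
    "srcburb: external dstip: 10.69.101.7 dstburb: internal",
]

if __name__ == "__main__":
    for expr in ("dest_burb external and (src_ip 10.69.101.34 or src_ip 10.69.101.36)",
                 "'AUDIT_F_LOGIN and username Lloyd'", "!nettraffic"):
        print(expr, "->", select(expr, SAMPLE_AUDIT))
```

Run as a script, it prints the matching record indexes for the guide's expression (records 0 and 1, since both leave through the external burb from one of the two listed source addresses), for the Table 25 criteria (record 1 only) and for a negated type. The design point worth noting is the lookahead in parse_primary: a bare word followed by a value is a field term, while AUDIT_ and t_/f_ tokens are always classifiers, so "AUDIT_F_LOGIN and username Lloyd" parses as intended even though both "login" and "username" are plain identifiers.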
A source IP address of 10.69.101.34 and an external destination burb match the filter expression.

Viewing event-specific audit information
Use the Audit Report Event Viewer window to view detailed information about a specific event from the McAfee Firewall Enterprise Audit Report window. You can display this information in either grid or text format and copy it to the Clipboard.
Figure 274 Audit Report Event Viewer window
Accessing this window
1 In the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar.
2 In the tree, select the Firewalls node to expand the list of firewalls.
3 Right-click the firewall for which to run this report and click Audit Report. The McAfee Firewall Enterprise Audit Report window is displayed.
4 Select your report parameters and filters and click Generate Audit. The report data is generated.
5 Double-click the row of the audit event for which you want to view more information. The Audit Report Event Viewer is displayed for this event.
Fields and buttons
This window has the following fields and buttons:
• Field — [Read-only] Displays the name of a field in this audit event record.
• Value — [Read-only] Displays the value of this field in the audit event record.
• Show Details — Display additional fields in this audit event record. To hide these details after you have shown them, click Hide Details.
• Copy — Copy this audit event record to the Clipboard.
• Show ASCII — Change the display of this information to text format. To revert to the table format, click Show Grid.
• Previous — Display information about the previous audit event record in the McAfee Firewall Enterprise Audit Report window. You can click through the earlier audit event records in this way without returning to the McAfee Firewall Enterprise Audit Report window.
• Next — Display information about the next audit event record in the McAfee Firewall Enterprise Audit Report window. You can click through the later audit event records in this way without returning to the McAfee Firewall Enterprise Audit Report window.
• Close — Close this window and return to the McAfee Firewall Enterprise Audit Report window.

Configuring on-screen color schemes for the audit records
Use the McAfee Firewall Enterprise Audit Report: Color Settings window to adjust the on-screen colors of your McAfee Firewall Enterprise Audit Report display, for example to make certain types of records more easily recognized. You can adjust the colors for each event severity level.
Figure 275 McAfee Firewall Enterprise Audit Report: Color Settings window
Accessing this window
1 If you have already generated a McAfee Firewall Enterprise audit report, skip to step 5. Otherwise, in the Configuration Tool or the Reporting and Monitoring Tool, select the Firewalls group bar.
2 In the tree, select Firewalls to expand the list of firewalls.
3 Right-click the firewall for which to run this report and click Audit Report. The McAfee Firewall Enterprise Audit Report window is displayed.
4 Select your report parameters and filters and click Generate Audit. The report data is generated.
5 Click Settings. The McAfee Firewall Enterprise Audit Report: Color Settings window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Color Settings — Use the fields in this area to specify the colors used for each level of audit data severity. Select one of the following options:
  • System — [Read-only] Uses the system colors for the severity levels. You cannot edit these settings on this window; change your system settings in the Control Panel.
  • Minimal — [Read-only] Applies a color to the text only in the McAfee Firewall Enterprise Audit Report window. You cannot edit these settings.
  • Fully defined — [Read-only] Applies a combination of colors to the background of each row and the text in that row. You cannot edit these settings. If you want to use different combinations, select the Custom option.
  • Custom — Applies a combination of colors to the background of each row and the text in that row. Initially, the current color settings are used as the basis for the Custom settings, but you can edit them to create your own combinations.
• Severity — [Read-only] Displays the severity levels for the types of alerts displayed in the McAfee Firewall Enterprise Audit Report window, along with a severity number. The lower the number, the higher the severity.
• Background Color — [Read-only] Displays the background color used for each severity level under each color setting.
• Text Color — [Read-only] Displays the text color used for each severity level under each color setting.
• Example — [Read-only] Displays a preview of the color combination defined in the Background Color and Text Color columns.
• OK — Save the settings on this window and, on closing, apply the changes in the McAfee Firewall Enterprise Audit Report window.
• Cancel — Close this window without saving or applying any changes in the McAfee Firewall Enterprise Audit Report window.

Creating customized color settings for the data in the McAfee Firewall Enterprise Audit Report window
This procedure assumes that you have already generated audit data in the McAfee Firewall Enterprise Audit Report window. If you have not yet done this, see Configuring and generating audit reports for one or more firewalls on page 625.
1 In the McAfee Firewall Enterprise Audit Report window, click Settings. The McAfee Firewall Enterprise Audit Report: Color Settings window is displayed.
2 Select Custom.
3 Click the table cell for the background color or text color of the severity type that you want to modify. The Color window is displayed.
4 Select a basic color, or click Define Custom Colors >> to create a custom color.
5 If you selected a basic color, go to the next step. For a custom color, click in the color display on the right to pick the color that you want to add. You can also move the slider up or down to adjust the selection. When the color that you want is shown in the Color|Solid box, click Add to Custom Colors.
6 Click OK.
7 Repeat steps 3–6 for each table cell that you want to edit.
8 When you have finished, click OK to update the McAfee Firewall Enterprise Audit Report with these color settings.

Displaying system information for the Control Center Management Server
Use the System Information page to display information about the Control Center Management Server.
Figure 276 System Information page
Accessing this page
In the Configuration Tool or in the Reporting and Monitoring Tool, from the Reports menu, select System Information. The System Information page is displayed.
Fields and buttons
This page has the following fields and buttons:
• (Expand Default) — Revert to the default display of this report.
• (Expand All) — Expand all of the nodes on this report. For this report, there is only one (Interface) node.
• (Collapse All) — Collapse all of the nodes on this report. For this report, there is only one (Interface) node.
• Interface — [Read-only] Displays the interface IP address.
• broadcast — [Read-only] Displays the broadcast IP address.
• mac — [Read-only] Displays the manufacturer-assigned Media Access Control (MAC) address of the network interface card.
• mask — [Read-only] Displays the subnet mask.
• name — [Read-only] Displays the system-assigned name of the network interface.
• type — [Read-only] Displays the type of network.
• host name — [Read-only] Displays the name of the host.
• Control Center version — [Read-only] Displays the Control Center version that is currently installed.
• high availability — [Read-only] Displays whether the High Availability (HA) feature is configured for this Management Server.
• HA stand-by — [Read-only] [Available only if high availability is set to yes] Displays the host name of the standby (backup) Management Server in the HA configuration.
• logging level — [Read-only] Displays the logging level that is set for the Management Server. One of the following levels is displayed, listed from least to most inclusive: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, and ALL. The default value is FINE. You can set this level in the Server Property Editor window.
• configured administrators — [Read-only] Displays the number of administrators who are currently configured to access this Control Center Management Server.
• logged in administrators — [Read-only] Displays the name and IP address of each administrator currently logged in to the Control Center.
• operating system — [Read-only] Displays the operating system on the Management Server.
• machine type — [Read-only] Displays information about the hardware architecture and microprocessor.
• number of processors — [Read-only] Displays the number of processors on the Management Server.
• processor type — [Read-only] Displays the type of processor on the Management Server.
• processor speed — [Read-only] Displays the speed of the processor on the machine.
• total memory — [Read-only] Displays the total amount of system memory, in kilobytes.
• available memory — [Read-only] Displays the amount of free system memory, in kilobytes.
• total swap — [Read-only] Displays the total amount of swap space, in kilobytes.
• available swap — [Read-only] Displays the amount of available swap space, in kilobytes.
• total disk space for logs — [Read-only] Displays the total amount of disk space available for log files, in kilobytes.
• available disk space for logs — [Read-only] Displays the amount of free disk space for log files, in kilobytes.
• available disk space for backups — [Read-only] Displays the amount of free disk space for backup configuration files, in kilobytes.
• total disk space for audit data — [Read-only] Displays the total amount of disk space available for audit data files, in kilobytes.
• available disk space for audit data — [Read-only] Displays the amount of free disk space for audit data files, in kilobytes.
• total disk space for database — [Read-only] Displays the total amount of disk space available for the Management Server database, in kilobytes.
• available disk space for database — [Read-only] Displays the amount of free disk space for the Management Server database, in kilobytes.
• character encoding — [Read-only] Displays the name of the character encoding (the mapping from character values to a graphical character set).
• locale — [Read-only] Displays the name of the set of parameters that define the language and regional preferences for the user interface.
• time zone — [Read-only] Displays the name of the time zone in which the Control Center Management Server operates.
• current time (local) — [Read-only] Displays the current time as represented in the local time zone.
• current time (GMT) — [Read-only] Displays the current time as represented in Greenwich Mean Time (GMT).
• last boot time — [Read-only] Displays the time at which the Management Server was last started.
• system up time — [Read-only] Displays the length of time that the Management Server has been running since the last start.
• Save — Save a copy of the report to a file in HTML format.
• Print — Print a copy of the report.

Selecting the criteria for the firewall policy report

Use the Policy Report window to select the firewall for which you want to run this report about the security policy that has been defined and implemented. You can generate a firewall-dependent policy report now, or you can schedule the report for a later time as a one-time event or on a recurring basis.

Note: If you want to view the policy report in HTML format, you must wait for it. You cannot schedule an HTML version of this report.

Figure 277 Policy Report window

Accessing this window

In the Reporting and Monitoring Tool, from the Reports menu, select Policy.
or
In the Configuration Tool, select the Monitor group bar and double-click Policy Report.
or
1 In the Configuration Tool, select the Firewalls group bar. Select the Firewalls, Clusters, or Device Groups node.
2 Right-click a firewall, cluster, or device group object, respectively, and select Policy Report.
The Policy Report window is displayed.
Fields and buttons

This window has the following fields and buttons:
• Device — Specify the subject firewall. Select the pre-defined value from the list.
• Wait for Report — Determines whether to wait for the report to be run. The default value is cleared, which indicates that the report will be generated in the background.
  If you select this checkbox, configure the other settings and then click Request Report. This window remains open while the report is generated. You cannot do anything else in this application until the report has been completed.
  If you clear this checkbox, configure the other settings and then click Request Report. This window is closed while the report runs. You can then continue to perform other tasks in this application.
• (Progress Bar) — Displays a graphic representation of the progress of the Policy report generation process.
• Schedule Policy Report — Determines whether the Policy report is generated immediately or according to the schedule that is defined in the Schedule Report or Schedule areas of this window. The default value is selected, which indicates that the report will be generated immediately.
• Schedule Report — Use the fields in this area to schedule the Policy report to be generated at a specific time, possibly more than once, and in a specific output format.
  • Run at — Specify the start time of the Policy report generation process in hours and minutes (hh:mm).
  • Timeout (min) — Specify the amount of time (in minutes) that the report is allowed to take. If the report has not completed within this time frame, it is stopped. The time frame starts at the time that was specified in the Run at field; the number of minutes that were specified in this field is added to that time to give the cutoff time.
  • Report type — Specify the output format of the file that is generated for the Policy report. The following values are available:
    • HTML — Indicates that the report will be generated to a HyperText Markup Language (HTML) file. This is the default value. HTML is always selected because it is the format that is used to view the report in the Reporting and Monitoring Tool.
    • XML — Indicates that the report will be generated to an XML file.
    • TAB — Indicates that the report will be generated to a tab-delimited file.
• Send Results To — Use the field in this area to specify one or more e-mail addresses to which the generated Policy report will be sent.
  • Email Address — Specify one or more e-mail addresses to which the generated report will be sent. If you schedule the report, you must specify at least one e-mail address.
• Frequency — Use the field in this area to specify how often the policy report should be generated. The following field is available:
  • Perform this report — Specify the frequency at which the policy report should be generated. The following values are available:
    • One time — Indicates that the report should be generated only on the date (Run on date field value) and at the time (Run at field value) that you specify. This is the default value.
    • Daily — Indicates that the report should be generated on a daily basis at an interval that you specify in the Every n days field.
    • Weekly — Indicates that the report should be generated on a weekly basis at an interval that you specify in the Every n weeks field. You can also specify the day or days of the week on which the report should be generated.
    • Monthly — Indicates that the report should be generated on a monthly basis at an interval that you specify in the Schedule area.
• Schedule — The fields in this area change, depending on the selection that you make in the Perform this report field. One of the following sets of fields is displayed:
  • Run on date — [Available only when One time is the value in the Perform this report field] Specify the date on which the report should be generated. This date is in day, month, date, year format. Click the down arrow to select the date from the calendar.
  • Every n days — [Available only when Daily is the value in the Perform this report field] Specify the daily interval at which this report is generated. For example, if you select 3 for the days, the report is generated every three days at the time that you specified in the Run at field.
  • Every n weeks — [Available only when Weekly is the value in the Perform this report field] Specify the weekly interval at which this report is generated. You can further define the frequency by selecting the day or days of the week on which the report is generated. For example, if you select 2 for the weeks and Tuesday and Wednesday for the days, this report is generated every two weeks on the Tuesday and Wednesday of that week.
  • Day n of the month — [Available only when Monthly is the value in the Perform this report field] Specify the monthly interval at which this report is generated. Specify a specific date in the month in this field. If you want to specify a specific week and day of the month instead, use the The week day field. The checkboxes that indicate the specific months also apply to this field. For example, if you select 12 for this value and leave all of the months selected, this report is generated on the 12th day of each month.
  • The week day — [Available only when Monthly is the value in the Perform this report field] Specify the week of the month and the day of the week on which this report is generated. The checkboxes that indicate the specific months also apply to this field. For example, if you select second for the week and Wednesday for the day and clear all of the month checkboxes except for July and August, this report is generated on the second Wednesday of July and August only.
  • Months — [Available only when Monthly is the value in the Perform this report field] Specify the month or months in which this report is generated. All of the months are selected by default.
• Request Report or Schedule Report — The name on this button changes, depending on whether you are waiting for the report to be generated (Request Report) or you are scheduling the report (Schedule Report). If you are waiting for the report, the report is generated immediately when you click this button. If you are scheduling this report for a later time, the report is scheduled and the window is closed.
• Close — Close this window without generating or scheduling a report.
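The schedule fields above amount to a small calendar rule set. The following Python, added here as an example and not code from Control Center, computes the run times and the cutoff time that the Run at, Timeout (min), Perform this report and Schedule fields describe; the class and function names are this example's own, and counting "every n weeks" from the week that contains the start date is its assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Tuple

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
WEEK_ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "last": -1}


@dataclass
class ReportSchedule:
    """One Schedule Report definition; the comments name the window fields modelled."""
    run_at: str                                    # Run at (hh:mm)
    timeout_min: int = 30                          # Timeout (min)
    frequency: str = "One time"                    # Perform this report
    run_on: Optional[str] = None                   # Run on date (YYYY-MM-DD), One time only
    every_n: int = 1                               # Every n days / Every n weeks
    weekdays: Tuple[str, ...] = ()                 # Weekly: selected days of the week
    day_of_month: Optional[int] = None             # Monthly: Day n of the month
    week_day: Optional[Tuple[str, str]] = None     # Monthly: The week day, e.g. ("second", "Wednesday")
    months: Tuple[int, ...] = tuple(range(1, 13))  # Monthly: month checkboxes, all selected by default


def nth_weekday(year: int, month: int, ordinal: str, weekday: str) -> Optional[date]:
    """Date of, for example, the "second Wednesday" of a month; None if that week does not exist."""
    wd = WEEKDAYS.index(weekday)
    last_day = calendar.monthrange(year, month)[1]
    days = [d for d in range(1, last_day + 1) if date(year, month, d).weekday() == wd]
    n = WEEK_ORDINALS[ordinal]
    if n == -1:
        return date(year, month, days[-1])
    return date(year, month, days[n - 1]) if n <= len(days) else None


def occurrences(s: ReportSchedule, start: str, limit: int) -> List[datetime]:
    """First `limit` run times on or after `start` (YYYY-MM-DD) that the schedule produces."""
    first = date.fromisoformat(start)
    run_at = time.fromisoformat(s.run_at)
    if s.every_n < 1:
        raise ValueError("Every n days / Every n weeks must be at least 1")
    dates: List[date] = []
    if s.frequency == "One time":
        if s.run_on is not None and date.fromisoformat(s.run_on) >= first:
            dates.append(date.fromisoformat(s.run_on))
    elif s.frequency == "Daily":
        d = first
        while len(dates) < limit:
            dates.append(d)
            d += timedelta(days=s.every_n)
    elif s.frequency == "Weekly":
        wanted = sorted(WEEKDAYS.index(w) for w in s.weekdays)
        monday = first - timedelta(days=first.weekday())  # week containing `start` (assumption)
        while wanted and len(dates) < limit:
            for wd in wanted:
                d = monday + timedelta(days=wd)
                if d >= first:
                    dates.append(d)
            monday += timedelta(weeks=s.every_n)           # skip the n-1 weeks in between
    elif s.frequency == "Monthly":
        if s.day_of_month is None and s.week_day is None:
            raise ValueError("Monthly needs Day n of the month or The week day")
        year, month = first.year, first.month
        for _ in range(120):                               # scan at most ten years ahead
            if len(dates) >= limit:
                break
            if month in s.months:
                d = None
                if s.day_of_month is not None:
                    if s.day_of_month <= calendar.monthrange(year, month)[1]:
                        d = date(year, month, s.day_of_month)  # months lacking that day are skipped
                else:
                    d = nth_weekday(year, month, *s.week_day)
                if d is not None and d >= first:
                    dates.append(d)
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    else:
        raise ValueError("unknown Perform this report value: " + s.frequency)
    return [datetime.combine(d, run_at) for d in dates[:limit]]


def cutoff(run: datetime, s: ReportSchedule) -> datetime:
    """Time at which an unfinished run is stopped: the Run at time plus Timeout (min)."""
    return run + timedelta(minutes=s.timeout_min)


def as_text(runs: List[datetime]) -> List[str]:
    """ISO "YYYY-MM-DDThh:mm" strings, convenient for display and checks."""
    return [r.isoformat(timespec="minutes") for r in runs]
```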
Viewing information about the security policy for firewalls

Use the Policy Report page to view the security policy that has been defined and implemented.

Figure 278 Policy Report page

Accessing this page

In the Reporting and Monitoring Tool, from the Reports menu, select Policy.
or
In the Configuration Tool, select the Monitor group bar and double-click Policy Report.
or
1 In the Configuration Tool, select the Firewalls group bar. Select the Firewalls, Clusters, or Device Groups node.
2 Right-click a firewall, cluster, or device group object, respectively, and select Policy Report. The Policy Report window is displayed.
3 Configure the settings and click Request Report, or click Schedule Report if you are not generating the report immediately.
4 If you selected the Wait for Report checkbox, the report is displayed in the work area.
or
If you selected the Schedule Policy Report checkbox, the report is displayed in the Reports group bar when it has been generated. Double-click the report node in the tree.
The Policy Report page is displayed.

Navigational buttons

The Policy Report page has the following buttons:
• (Expand All) — Expand all of the collapsed sections and headings in the report.
• (Collapse All) — Close all of the expanded sections and headings in the report.
• Save — Save this report as an HTML page with the destination path and file name that you specify.
• Print — Immediately send this report to the printer. Note that the printed report is exactly the view that you currently have of the report. If sections or headings are collapsed, their sub-headings are not printed. Expand the sections and headings whose details you want to print.
Content summary

The report provides information regarding the configuration of the following entities:
• Policy
• Network
• Monitor
• Maintenance

Policy
Use the Policy section of the report to view a table of all of the rules that are defined on the firewall. It also includes a section for the elements that comprise these rules: services, network objects, authenticators, and time periods. Also defined here are the application defenses and the network defenses, IPS translation rules, and the IPS definitions for response mappings, signature groups, and signature updates. In several sections, you can click objects that are displayed in blue to go directly to the location in this report that contains more information about those objects.

Network
Use the Network section of the report to view a table of the defined interfaces, burb configurations, VPN definitions and client address pools for the VPN configuration, DNS definitions, Quality of Service profiles and queues, and static route definitions.

Monitor
Use the Monitor section of the report to view a table of the defined audit management exports, audit settings, audit filters, audit e-mails, IPS attack responses, and system responses.

Maintenance
Use the Maintenance section of the report to view tables of the defined administrator accounts, certificates and key management, Control Center, date and time, FIPS, hardware acceleration, license, software management, and server settings. The Servers section includes the defined server population and definition entries for daemond, servers, cron, and acld.

Firewall license reports

The functions and capabilities of each firewall are controlled by the installed licenses. Use the License Report page to view the status of each license for the selected firewall.

Selecting the firewall for the license report

Use the License Report Manager window to select the firewall for which you will generate the report.

Figure 279 License Report Manager window
Accessing this window

1 In the Configuration Tool, select the Monitor group bar and double-click License Report. The License Report Manager window is displayed.
or
In the Reporting and Monitoring Tool, select the Firewalls group bar and select the Firewalls node to display the tree.
or
In the Configuration Tool, select the Firewalls group bar and then select the Firewalls, Clusters, or Device Groups node to display the tree.
2 Right-click the firewall, cluster, or device group for which you want to generate this report and select License Report. The License Report Manager window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Firewall — Specify the firewall for which you want to generate this report. Click the down arrow to display the list of available firewalls. Use the Find field or button to limit the list of displayed firewalls. Then select one or more firewalls for which to generate this report.
• Generate Report — Generate the report for the selected firewall or firewalls. The report page is displayed.
• Cancel — Close this window without generating the report.

Viewing the status of all of the licenses for a firewall

Use the License Report page to view license information about one or more firewalls. You can also configure the report to display only those licenses that will expire within a certain timeframe. You can filter the data that is displayed in this report at the column level. The first row in the table consists of lists in which you select the filter criteria.

Figure 280 License Report page

Accessing this page

1 In the Configuration Tool, select the Monitor group bar and double-click License Report. The License Report Manager window is displayed.
or
In the Reporting and Monitoring Tool, select the Firewalls group bar and select the Firewalls node to display the tree.
or
In the Configuration Tool, select the Firewalls group bar and then select the Firewalls, Clusters, or Device Groups node to display the tree.
2 Right-click the firewall, cluster, or device group for which you want to generate this report and select License Report. The License Report Manager window is displayed.
3 In the Firewalls field, click the down arrow to select one or more firewalls for which you want to generate this report. You can also use the Find field to narrow the list of displayed firewalls that are available for selection.
4 Click Generate Report. If you selected only one firewall, the License Report page for the selected firewall is displayed. If you selected multiple firewalls, the License Report for Multiple Firewalls page is displayed. Each firewall is displayed on a separate row in the report.

Fields and buttons

This page has the following fields and buttons:
• Expires in — Specify a timeframe within which to view potential license expirations for one or more firewalls. For example, if you select the next 15 days and none of the licenses for the selected firewall or firewalls expires within the next 15 days, no data is displayed in this report. The default value is <Show all>.
• (Clear Find Results) — Click this button to revert to the <Show All> condition so that you can view all of the license information again. Use this after you have filtered your report data by selecting a timeframe in the Expires in list.
• Filter row (first row in the table) — For each column, you can specify the filter that you want to apply to the data in that column. The following options are available for each column:
  • (All) — Indicates that no filtering is performed on this column. All records are displayed, unless a particular record is filtered out by the criteria set in a different column.
  • (Empty) — Indicates that column filtering is performed on records that do not have data in this column. The records that have data are not displayed, regardless of the settings in any other column.
  • Displayed_column_value — Indicates that column filtering is performed on records that match the value in this column. The data in the list for each column is different, depending on the values that are displayed for that column. There is one entry in this list for each unique value that is displayed in this column.
• Report-specific column names — Except for the Firewall column, which displays the name or names of the firewalls that have been selected for this report, the following columns display license status information in this table:
  • SecureOS
  • Support
  • VPN
  • Failover
  • Strong Crypto (Cryptography)
  • Anti-Virus
  • Anti-Spam
  • IPS
  • SSL Decryption
  • IPS Signature
  • Promotion
• Generated on — [Read-only] Displays the date and time at which this report was generated.
• Refresh — Update this report with the latest information and clear any applied filters.
• Print — The Print window is displayed, in which you configure the settings to print this report.
• Print Preview — The Print Preview window is displayed, in which you can view the report before printing.
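As an added example (not Control Center code), the following Python applies the Expires in window and the filter-row rules described above to constructed sample rows. The column names are the report's; the firewall names and dates are made up, and counting an already-expired license as inside the window is this example's assumption.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

LICENSE_COLUMNS = ("SecureOS", "Support", "VPN", "Failover", "Strong Crypto", "Anti-Virus",
                   "Anti-Spam", "IPS", "SSL Decryption", "IPS Signature", "Promotion")


def make_row(firewall: str, cells: Dict[str, str]) -> Dict[str, str]:
    """One report row: a cell holds an expiry date (YYYY-MM-DD), "Never", or "" (an (Empty) cell)."""
    row = {col: "" for col in LICENSE_COLUMNS}
    row.update(cells)
    row["Firewall"] = firewall
    return row


# Constructed sample data: three firewalls with made-up names and dates.
SAMPLE_ROWS = [
    make_row("fw-dmz-1", {"SecureOS": "Never", "Support": "2009-07-10", "VPN": "2009-07-10",
                          "Strong Crypto": "Never", "Anti-Virus": "2009-06-20", "IPS": "2009-06-20",
                          "IPS Signature": "2009-06-20"}),
    make_row("fw-core-1", {"SecureOS": "Never", "Support": "2010-01-01", "VPN": "Never",
                           "Failover": "Never", "Strong Crypto": "Never", "IPS": "2010-01-01",
                           "IPS Signature": "2010-01-01"}),
    make_row("fw-branch-3", {"SecureOS": "Never", "Support": "2009-06-12", "Strong Crypto": "Never"}),
]


def expiring_cells(row: Dict[str, str], today: str, days: int) -> Dict[str, str]:
    """Licenses in `row` that expire on or before `today` + `days`.
    Already-expired licenses are included as well (assumption: they are the larger gap)."""
    window_end = date.fromisoformat(today) + timedelta(days=days)
    found = {}
    for col in LICENSE_COLUMNS:
        value = row.get(col, "")
        if value == "" or value == "Never":
            continue
        if date.fromisoformat(value) <= window_end:
            found[col] = value
    return found


def expires_in(rows, today: str, days: Optional[int] = None) -> List[Dict[str, str]]:
    """Expires in list: None is <Show all>; otherwise keep firewalls with a license in the window."""
    if days is None:
        return list(rows)
    return [r for r in rows if expiring_cells(r, today, days)]


def column_choices(rows, column: str) -> List[str]:
    """Entries of the filter-row list for one column: (All), (Empty), then each unique value."""
    values = sorted({r.get(column, "") for r in rows} - {""})
    return ["(All)", "(Empty)"] + values


def apply_column_filters(rows, filters: Dict[str, str]) -> List[Dict[str, str]]:
    """Filter-row semantics: (All) keeps every record for that column, (Empty) keeps only
    records with no data in it, and a displayed value keeps records whose cell equals it.
    A record must pass the filter of every column."""
    kept = []
    for row in rows:
        for column, choice in filters.items():
            cell = row.get(column, "")
            if choice == "(All)":
                continue
            if choice == "(Empty)" and cell != "":
                break
            if choice != "(Empty)" and cell != choice:
                break
        else:
            kept.append(row)
    return kept


def expiring_summary(rows, today: str, days: int) -> Dict[str, List[str]]:
    """Firewall -> names of the licenses expiring within the window; handy for an alert."""
    summary = {}
    for r in rows:
        cells = expiring_cells(r, today, days)
        if cells:
            summary[r["Firewall"]] = sorted(cells)
    return summary
```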
9 Configuration Tool - Maintenance

Contents
Maintenance
Firewall maintenance
Control Center maintenance

Maintenance

Use the options in the Maintenance group bar section of the Configuration Tool to maintain multiple firewalls and security policies for a distributed homogeneous or heterogeneous configuration.
• Firewall maintenance — Specify the following parameters for the individual McAfee Firewall Enterprise:
  • Device control — Re-initialize, reboot, and provide an orderly shutdown of selected firewalls in the Device Control window. You can also terminate active sessions and security associations for user-selected firewalls. For more information, see Managing firewall shutdown and suspension states and other maintenance settings on page 656.
  • License firewall — Specify and manage firewall licenses by using the Firewall License window. For more information, see Viewing and managing firewall licenses on page 658.
• Control Center maintenance — Specify the following parameters for the McAfee Firewall Enterprise Control Center Management Server:
  • Server logs — View various types of server logs in the Server Logs window. For more information, see Viewing Management Server logs on page 663.
  • Server properties editor — View and edit Control Center Management Server properties and add new properties in the Server Property Editor window. For more information, see Configuring Management Server properties on page 664.
  • Firewall audit export settings — Export firewall audit log files that were written to the Control Center Management Server to a remote location. For more information, see Exporting firewall audit files that are stored on the Control Center on page 667.
  • Backup configuration — Create a backup file of the Control Center Management Server data or replace an existing backup file in the Backup Control Center System window. For more information, see Creating backup files of your Management Server data by using the GUI on page 123.
  • Restore configuration — Restore a previously saved system backup file to the Management Server, modify an existing backup name or description, or delete a system backup file in the Restore System from Backup window. For more information, see Restoring the Management Server configuration files from a backup file on page 126.
  • Manage Versions — [Available only if you have enabled configuration domains] Create, modify, delete, and activate versions of a configuration domain. For more information, see Managing versions of configuration domains on page 99.
Firewall maintenance

The Control Center Client Suite includes several interfaces that allow you to manage objects and settings at the firewall level in the Control Center. The following topics are provided:
• Viewing object usage on page 648
• Locking configuration objects on page 649
• Managing unused objects on the Control Center Management Server on page 651
• Merging objects on page 652
• Setting the date and time on a firewall on page 655
• Managing firewall shutdown and suspension states and other maintenance settings on page 656
• Viewing and managing firewall licenses on page 658

Viewing object usage

Use the Usage of object_name Object window to display all of the other objects in which this object is used or referenced. This is extremely helpful when you attempt to delete an object, only to receive a message that it is being referenced by another object. When you view the references in this window, you can go directly to those objects and edit them accordingly by double-clicking the object in the tree on the left. After you have edited all of these references, you can then delete this object. You can also export this data to a file in comma-delimited (CSV) format.

Figure 281 Usage of object_name Object window (where, in this example, the usage of the storm firewall is displayed)

Accessing this window

In the Configuration Tool, right-click any object and select Show Usage. The Usage of object_name Object window is displayed, where object_name is the actual name of the object that you right-clicked.

Fields and buttons

This window has the following fields and buttons:
• (Object tree) — This tree on the left side of the window displays the object types as nodes, along with the number of objects that are referenced. The subnodes are the names of the objects that are referenced. Click an object name to view the properties and values for that object on the right side of the window. You can edit this object by double-clicking it to display the object window that contains information about the selected object. For example, if you double-click an administrator in the tree, the Firewall User Manager - Administrators window is displayed.
• Property — [Read-only] Displays the names of the properties in the table for the object that is selected in the tree. These properties are representative fields from the object window.
• Value — [Read-only] Displays the values that are defined for the properties in the table. These values are the values of the fields in the object window for the respective properties.
• Export — Export the data in this window to a comma-delimited (CSV) file.
• Close — Close this window.

Locking configuration objects

Use the Locking Manager to lock all objects of a particular type or to unlock objects. The lock includes all existing objects as well as new objects that you create. You can, for example, lock objects of the type Networks, which means that you are locking the set of Networks objects.

Multiple Control Center users can be logged onto the same Management Server by using multiple Client Suite clients. This means that, at any given time, multiple users can be making simultaneous changes. To alleviate the possibility of contention, the Control Center provides a mechanism to lock selected objects (for example, address ranges, networks, rules) so that other Control Center users cannot simultaneously add, modify, or delete those types of objects.

When you or another user locks a set of objects, the lock status is indicated in the Objects toolbar by highlighting the name of the object type using a red or blue color. If you have locked a set of objects, the name of the object type is highlighted in green (for example, Networks). If another user has locked a set of objects, the name of the object type is highlighted in red (for example, Networks).

The lock that you obtain for a set of objects is temporary; you can set or release the lock at any time. If you do not remove the lock, the lock is removed automatically when you log out of all client GUIs that you have logged onto or when all of your server sessions expire.

Note: Locks are assigned based on a user name; locks are not assigned based on the server session to which you have logged on. This means that explicit locking and unlocking status is reflected in all clients that a user is logged onto. If a user is logged into more than one client, any active locking status is retained until that user logs out of every client (or until all sessions expire).

Figure 282 Locking Manager window

Accessing this window

In the Configuration Tool, from the Configuration menu, select Locking Manager…. The Locking Manager window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Lock all objects — Determines whether all objects are locked. If you select this checkbox, you are the only user who can add, modify, or delete Control Center objects. If you want to control object locking for selected object types, but not all object types, do not select this checkbox. Instead, select the individual object types in the Object Type column.
• Object Type — Determines whether a particular set of objects is locked by a Control Center user. This list contains all of the object types that can be locked. Select the object types that you want to lock. If an object type is selected, that set of objects has already been locked by the user who is listed in the Locked By field. If an object type is not selected, that set of objects is not locked.
• Locked By — [Read-only] Displays the name of the Control Center user who has locked the set of objects identified by Object Type.
Note: During certain operations, individual objects or sets of objects may be automatically locked by the Control Center. These operations include saving an object's configuration, retrieving a firewall's configuration, and applying a configuration to one or more firewalls. When the operation finishes, the Control Center removes the locks.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving any changes.

Locking objects

Use the Locking Manager window to lock one or more sets of Control Center objects to prevent multiple users from accessing and changing the same objects. Locking a set of objects ensures that no other Control Center user can add, modify, or delete objects of that type. For more information, see Firewall maintenance on page 648.
1 In the Configuration Tool, from the Configuration menu, select Locking Manager. The Locking Manager window is displayed.
2 Select the checkbox next to each set of objects to be locked.
3 [Optional] Select the Lock all objects checkbox to lock all objects.
4 Click OK to obtain the locks.
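The locking rules described above, as an added example (not Control Center code): a small Python model in which locks are held per object type by a user name rather than a session, are released when that user's last client session logs out or expires, and are also held temporarily by operations such as apply. The class, method and object-type names are this example's own, times are integer minutes, and taking the requested locks all-or-nothing is this model's choice.

```python
from typing import Dict, Iterable, List, Optional

# Object types offered in the Locking Manager window (illustrative subset, this example's own list).
ALL_OBJECT_TYPES = ("Hosts", "Networks", "Address Ranges", "Net Groups", "Rules",
                    "Proxy Services", "Filter Services", "Time Periods", "Administrators")


class LockingManager:
    """Locks keyed by object type and held by a user name; times are integer minutes."""

    def __init__(self, session_timeout_min: int = 30) -> None:
        self.timeout = session_timeout_min
        self.sessions: Dict[str, List] = {}    # session id -> [user, minute of last activity]
        self.locks: Dict[str, str] = {}        # object type -> user shown in Locked By
        self.auto_locks: Dict[str, str] = {}   # object type -> operation holding a temporary lock

    # --- client sessions ---------------------------------------------------
    def login(self, session_id: str, user: str, now: int) -> None:
        self.sessions[session_id] = [user, now]

    def activity(self, session_id: str, now: int) -> None:
        self.sessions[session_id][1] = now

    def logout(self, session_id: str, now: int) -> None:
        user = self.sessions.pop(session_id)[0]
        self.expire_sessions(now)
        self._release_if_no_sessions(user)

    def expire_sessions(self, now: int) -> None:
        """Drop sessions idle for the timeout, then release the locks of users with none left."""
        expired = [sid for sid, (_, last) in self.sessions.items() if now - last >= self.timeout]
        for user in {self.sessions.pop(sid)[0] for sid in expired}:
            self._release_if_no_sessions(user)

    def _has_session(self, user: str) -> bool:
        return any(u == user for u, _ in self.sessions.values())

    def _release_if_no_sessions(self, user: str) -> None:
        if self._has_session(user):
            return                                  # still logged into another client: keep locks
        for otype in [t for t, u in self.locks.items() if u == user]:
            del self.locks[otype]

    # --- Locking Manager window --------------------------------------------
    def lock(self, user: str, object_types: Iterable[str], now: int) -> List[str]:
        """Click OK with object types selected. Returns the types another user already holds;
        nothing is locked unless that list is empty."""
        self.expire_sessions(now)
        if not self._has_session(user):
            raise ValueError(f"{user} has no active session")
        types = list(object_types)
        conflicts = [t for t in types if self.locks.get(t, user) != user]
        if not conflicts:
            for t in types:
                self.locks[t] = user
        return conflicts

    def lock_all(self, user: str, now: int) -> List[str]:
        """The Lock all objects checkbox."""
        return self.lock(user, ALL_OBJECT_TYPES, now)

    def unlock(self, user: str, object_types: Iterable[str]) -> None:
        """Clearing a checkbox: only the holder's own locks are released."""
        for t in object_types:
            if self.locks.get(t) == user:
                del self.locks[t]

    def locked_by(self, object_type: str) -> Optional[str]:
        return self.locks.get(object_type)

    def can_modify(self, user: str, object_type: str) -> bool:
        """Add/modify/delete is allowed when the type is unlocked or locked by this user,
        and no operation currently holds an automatic lock on it."""
        if object_type in self.auto_locks:
            return False
        holder = self.locks.get(object_type)
        return holder is None or holder == user

    # --- automatic locks during save / retrieve / apply ----------------------
    def begin_operation(self, op_id: str, object_types: Iterable[str]) -> None:
        for t in object_types:
            self.auto_locks[t] = op_id

    def end_operation(self, op_id: str) -> None:
        for t in [t for t, o in self.auto_locks.items() if o == op_id]:
            del self.auto_locks[t]
```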
Managing unused objects on the Control Center Management Server

Use the Unused Objects page to display a list of objects that are not currently used in the Control Center. This list contains only those objects to which you have access; system objects are not included. You can edit an object in the list by double-clicking it to display it in its respective object window. You can also delete the object by right-clicking it in the list and selecting Remove Object.

Figure 283 Unused Objects page for filter services objects

Accessing this page

1 In the Configuration Tool, from the Reports menu, select Unused Objects. The Unused Objects page is displayed.
2 To display the objects, click Generate. The retrieval process might take some time. The report is then displayed with the list of unused objects. Note that the more objects you include in the filter, the longer the report takes to generate.

Fields and buttons

This page has the following fields and buttons:
• The total number of unused objects is — [Read-only; displayed after you have clicked Generate] Displays the number of unused objects that are listed in this report. Two different totals can potentially be displayed on this page:
  • The total number of unused objects for the configuration domain to which you are currently logged in
  • [Only if you do not have access to view all of the objects in the current domain] The total number of unused objects to which you have access. (This is a subset of the other total.)
• Export — Save this report data to a comma-delimited (CSV) file.
• Filter — Specify the object type on which you want to filter the displayed results. The following values are available:
  • All Objects — Include all objects in the display.
  • Filter Services — Include only filter service objects in the display.
  • Proxy Services — Include only proxy service objects in the display.
  • Hosts — Include only host objects in the display.
  • Signature Groups — Include only signature group objects in the display.
  • Time Periods — Include only time period objects in the display.
  • All other objects — Include only those object types that are not listed above.
• Find — Because your list of objects (where objects refers to the entity for which you are searching) could potentially be very long, you can quickly retrieve only those objects that meet certain filter constraints by using the Find filtering mechanism.
  a In the Find or Search field, specify a term that matches a selection for any value displayed in the browser.
  b Click the down arrow to select how the search results are displayed: Highlight matching <objects> or Only display matching <objects> (where <objects> is the entity for which you are searching).
  c Click Find or press Enter. The results are displayed. If you selected the highlight option, all objects that match the value in the Search field are highlighted in yellow. If you selected the other option, you see only those objects that match your search criteria.
  d Click Find Next to move through the matches.
  To remove the filtered list or the yellow highlight and view all of the objects again, click (Clear Find Results).
• Delete selected rows — Delete the rows in the table that you have selected. Use Ctrl+click to highlight multiple rows. If you have accidentally highlighted an object that you do not want to delete, click (Clear Find Results) to clear the selection highlight from all of the matching objects and start your selection process again. When you are ready to delete these objects, click the Delete selected rows button. You can also delete individual rows by clicking x (Delete) at the end of the row to be deleted.
• Type — [Read-only] Displays the type of object for this row. You can edit this object by double-clicking it. The object data is displayed in the appropriate object window. For example, if you double-click an administrator object, the Firewall User Manager - Administrators window is displayed.
• Name — [Read-only] Displays the name of this object.
• Description — [Read-only] Displays the description for this object.
• Delete — Click x (Delete) in the row to be deleted.

Merging objects

Use the Merge Objects wizard to analyze and combine your network objects, services, system responses, IPS responses, and HTTP, HTTPS, SMTP, and group application defenses that share elements. The wizard scans your list of objects and identifies the objects with common elements. You can then combine them into a single object. Only objects within the same configuration domain can be merged, unless they are in the shared domain. The shared domain object always becomes the master object, and the other objects are deleted after the merge completes. The common elements that are used to identify these objects are the same elements that are used in the retrieve process to identify similar objects that are distinguished by name only.

Requirements for using this wizard

To use this wizard, you must have the following permissions:
1 You must be assigned a role that includes View, Update, and Remove access for the Merge Objects wizard.
2 You must also be assigned a role that includes View, Update, and Remove access for all objects.
3 To merge privileged objects, you must also be assigned a role that includes View, Update, and Remove access for privileged objects.

Accessing this wizard

In the Configuration Tool, from the Configuration menu, select Merge Objects Wizard. The Merge Objects Wizard is displayed.

Step 1 of 3 - Description

1 View the users who are currently logged into this Management Server in the Logged in users field.
2 Select an object type to be scanned in the Choose an object type field:
  • <None>
  • Hosts
  • Networks
  • Address Ranges
  • Net Groups
  • Proxy Services
  • Filter Services
  • IPS Attack Responses
  • System Responses
  • SMTP Application Defenses
  • HTTP Application Defenses
  • HTTPS Application Defenses
  • Application Defense Groups
3 Click Next > to begin the analysis of the selected object type. If there are no objects that could be merged, a message is displayed and you cannot advance in the wizard unless you select another object type that does have objects that could be merged. If there are objects that could be merged, the next page is displayed.

Step 2 of 3 - Merge objects page

1 Select the groups to be merged in the table at the top of the page. The following fields are available on this page:
  • Merge objects — This table contains the merge object groups. A merge object group includes the individual objects that are candidates for being merged to form the merge object that is displayed at the top of the group. The right-click menu for any row in this table offers Merge all (automatically selects all of the checkboxes in this table) and Clear all (clears all of the checkboxes in this table). The following fields are available in this table:
    • Find — Because your list of objects could potentially be very long, you can quickly highlight only those objects that meet certain filter constraints by using the Find filtering mechanism. This functionality searches the properties in the first table (List of duplicate entries) and also searches by object name (the Name column) in the second table (List of objects to merge for duplicate entry (n)).
      a In the Find field, specify a term that matches a selection for any value displayed in the list.
      b Click Find or press Enter. The results are highlighted in yellow in the table.
      c Click Find Next to move through the matches. To remove the yellow highlight from the selected values, click Clear Find Results.
    • List of duplicate entries — Use the rows in this table to determine the duplicate objects to be merged. The following fields are available:
      • (Numbers) — [Read-only] Displays the number for this row. When this row is highlighted, the List of objects to merge for duplicate entry area displays this row number in parentheses.
      • Use — Determines whether the object group will be merged. This checkbox is cleared by default. If you select the checkbox, the objects in this object group will be merged.
      • (Remaining fields) — [Read-only] The remaining fields are object type-specific. For example, if you were searching for duplicate hosts, you will see the Address and Hostname fields.
2 Use the List of objects to merge for duplicate entry (n) area (where n is the number of the row selected in the List of duplicate entries table) to determine the action to perform on each object in the selected group. The following columns are available in this table:
  Note: Objects that are shared are indicated with a pink highlight. These objects must always be the master object and they cannot be merged into any other objects.
  • Action — Specify the action to perform on each member of the group. You must select one master object (Keep) to which the other selected objects (Delete) will be merged and subsequently deleted after the merge has completed. You can also specify individual objects that will not be included in the merge process (Do not merge). In addition to these actions, the following options are available from the right-click menu for any row in this table:
    • View — Displays the object editor window for this object type. For example, if you select a Host object, the Network Object Manager window is displayed.
    • Show usage — Displays the Usage of object_name Object window, in which you can view all of the other objects in which this object is either used or referenced.
  • Name — [Read-only] Displays the name of the merge object.
3 After you have made your selections in both tables, click Next > to continue to the next page.

Step 3 of 3 - Summary page

The Summary page displays the following lists: the master objects to be preserved are displayed in bold text on the left, the objects to be deleted as a result of the merge are displayed in bold text in the middle, and the objects to be ignored are displayed on the right. The following actions are available:
• Click Export summary to export this information to a comma-delimited (.csv) file.
• Click < Back if the information on this page is not acceptable. Make changes and then click Next > again to return to the Summary page.
• Click Cancel to exit the wizard without making any merges.
• Click Finish if the information is acceptable and you want to continue with the merge. A confirmation message is displayed, indicating that the Management Server updates have been completed and that the system will refresh all of the data.
• Click OK. The objects are merged and the Merge Objects wizard is closed.
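The grouping and master-selection rules described above (duplicates found by common elements, merging only within one configuration domain, a shared object always kept as master), as an added example that is not part of the guide or the product. Host objects are modelled by the Address and Hostname elements the wizard shows for duplicate hosts; the domain labels and the sample hosts are constructed.

```python
"""Duplicate grouping and Keep/Delete planning as the Merge Objects wizard
describes it, written as an added example rather than Control Center code.
Host objects carry the two elements the wizard shows for duplicate hosts
(Address and Hostname); the field names and the 'shared' domain label are
assumptions, and the sample hosts are constructed."""
from collections import defaultdict
from dataclasses import dataclass

SHARED_DOMAIN = "shared"  # assumed label for the shared configuration domain


@dataclass(frozen=True)
class Host:
    name: str
    domain: str
    address: str
    hostname: str


# Constructed sample data: domain-A and domain-B duplicates of one shared host,
# plus an unrelated host that must not appear in any group.
SAMPLE_HOSTS = [
    Host("web-a", "domainA", "10.0.0.5", "web.example.internal"),
    Host("web-dup", "domainA", "10.0.0.5", "web.example.internal"),
    Host("web-b", "domainB", "10.0.0.5", "web.example.internal"),
    Host("web-shared", SHARED_DOMAIN, "10.0.0.5", "web.example.internal"),
    Host("db", "domainA", "10.0.0.9", "db.example.internal"),
]


def merge_groups(hosts):
    """Return the merge-object groups (the wizard's 'duplicate entries').

    Hosts with identical elements are candidates, but only within one
    configuration domain; shared-domain hosts join every domain's group,
    because a shared object may be merged with objects of any domain."""
    by_elements = defaultdict(list)
    for h in hosts:
        by_elements[(h.address, h.hostname)].append(h)
    groups = []
    for same in by_elements.values():
        shared = [h for h in same if h.domain == SHARED_DOMAIN]
        domains = sorted({h.domain for h in same} - {SHARED_DOMAIN})
        # several shared duplicates can still be merged with one another
        candidates = [shared] if not domains else [
            shared + [h for h in same if h.domain == d] for d in domains]
        groups.extend(g for g in candidates if len(g) > 1)
    return groups


def plan_merge(group, keep=None):
    """Assign Keep/Delete to one group's members.

    A shared object is always the master; otherwise the object named by
    `keep` (or the first member) is kept and the rest are deleted after
    their references are merged into it."""
    shared = [h for h in group if h.domain == SHARED_DOMAIN]
    if shared:
        if keep is not None and keep not in {h.name for h in shared}:
            raise ValueError(f"{keep!r} cannot be master: a shared object is in the group")
        master = shared[0]
    else:
        master = next((h for h in group if h.name == keep), group[0])
    return {h.name: "Keep" if h is master else "Delete" for h in group}


def master_allowed(group, name):
    """True if `name` may be chosen as the master (Keep) for this group."""
    try:
        return plan_merge(group, keep=name)[name] == "Keep"
    except ValueError:
        return False
```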
Setting the date and time on a firewall

Use the Set Date and Time window to set the date and time on the firewalls that are selected on the Device Control window.

Figure 284 Set Date and Time window

Accessing this window

1 In the Configuration Tool, select the Maintenance group bar.
2 In the Firewall Maintenance tree, double-click the Device Control node. The Device Control window is displayed.
3 Select at least one of the firewalls in the Firewalls list.
4 In the Control Actions list, select Set date and time and then click Proceed. A warning message is displayed, indicating that the selected device or devices are about to have their date and time values reset.
5 Click OK. The Set Date and Time window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Date — Use the field features to open a calendar so that you can select a date to assign to the firewalls that were selected on the Device Control window. The date can also be specified manually.
• Time (24-hour) — Use the field features to assign a time to the firewalls that were selected on the Device Control window. The time can also be specified manually.
  Note: There is no provision to set the time zone for a firewall by using this feature. The time zone configured on the firewall during installation is used. Ensure that all the firewalls selected on the Device Control window reside in the identical time zone and date before applying any changes. Also, you must use the 24-hour clock format.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving any changes.
Managing firewall shutdown and suspension states and other maintenance settings

Use the Device Control window to manage firewalls. Use this interface to initiate various shutdown or suspend states on the selected firewalls and to manage other areas, such as resetting default gateways or requesting management control of a firewall. Some of these options are not applicable to all supported firewall versions.

For several of these actions, you can generate a report after you click Proceed. The name of the report is included in the description of the control action option. To view how to generate these reports, see Generating firewall reports on page 623.

Figure 285 Device Control window

Accessing this window

1 In the Configuration Tool, select the Maintenance group bar.
2 Beneath the Firewall Maintenance node, double-click the Device Control sub-node. The Device Control window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Firewalls — Displays all of the configured firewalls. Select one or more firewalls on which the subsequent operation will be performed.
• Control Actions — Specify the action to be taken on the selected firewalls. The following options are available:
  • System shutdown/reboot — Reboot the selected firewalls.
  • Halt system for power down — Stop the selected firewalls so that they can be powered down.
  • Set date and time — Displays the Set Date and Time window, in which you can modify the system clock on the selected firewalls. For more information about this window, see Setting the date and time on a firewall on page 655.
  • Export latest audit files — Initiate an audit export of the latest audit files, in accordance with the export configuration of the selected firewalls. “Latest” indicates those audit files that have been saved, but have not yet been sent from the firewall to the Management Server.
  • Export all audit files — Initiate an audit export of all of the audit files, including those files that might have already been exported, in accordance with the audit export configuration of the selected firewalls.
  • Export most recent audit events to Control Center — Initiate an audit export of the most recent audit events, in accordance with the audit export configuration of the selected firewalls. “Most recent” indicates those audit events that have occurred since the last audit file was saved.
  • Cleanup audit report — Remove any created files that still remain from a failed audit report.
  • Revert default gateway to the primary default gateway — Change the default gateway back to the primary default route settings as configured. This attempts a route failover to the original default route.
  • Download and install most recent Geo-Location updates — Initiate a download and installation of the most recent Geo-Location updates to the selected firewalls. To view the latest information after you have taken this action, refer to the Geo-Location Version report.
  • Download and install most recent IPS signatures — Initiate a download and installation of the most recent IPS signatures to the selected firewalls. To view the latest information after you have taken this action, refer to the IPS Signature Version report.
  • Download and install most recent antivirus signatures — Initiate a download and installation of the most recent antivirus signatures to the selected firewalls. To view the latest information after you have taken this action, refer to the Antivirus Patch Version Information report.
  • Request management control — Request that management control for the selected firewalls be granted to this Management Server.
    Note: For this action to be successful, this Management Server must be registered on the selected firewalls.
  • Resynchronize policy to McAfee Firewall Profiler — Initiate a command to the firewall to send its policy configuration file to the McAfee Firewall Profiler. This is for those situations in which the connection between the firewall and the McAfee Firewall Profiler has been lost for a period of time.
• Proceed — Initiate the action that you have selected in the Control Actions field on the selected firewalls.
• Close — Close this window without saving any changes.
Viewing and managing firewall licenses

Use the Firewall License window to view and manage firewall licenses.

Figure 286 Firewall License window

Accessing this window

In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Firewall — Specify the name of the firewall as defined when the firewall was configured.
• Copy From Default — Copy the information specified on the Common License Information window tab.
• OK — Save changes that are made on all of the tabs on this window.
• Cancel — Close this window without saving any changes.

Tabs

This window has the following tabs:
• Firewall — Specify information about the firewall that you want to license. For more information, see Firewall License window: Firewall tab on page 659.
• Contact — Specify information about the administrator for the specified firewall. For more information, see Firewall License window: Contact tab on page 660.
• Company — Specify information about the company that has purchased the specified firewall. For more information, see Firewall License window: Company tab on page 661.
Firewall License window: Firewall tab

Use the Firewall tab of the Firewall License window to specify the information about the firewall that is required to obtain a license. To view the fields on this tab, see Figure 286 on page 658.

Accessing this tab

1 In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License window is displayed.
2 Make sure that the Firewall tab is selected.

Fields and buttons

This tab has the following fields and buttons:
• Firewall ID — [Read-only] Displays the Firewall ID for the firewall.
• Firewall version — [Read-only] Displays the version and patch level of the firewall (for example, McAfee Firewall Enterprise 7.0.1.00).
• Serial number — Specify the 16-digit alphanumeric serial number for the specified firewall. The serial number is located on the firewall Activation Certificate. You must include the dashes when specifying the serial number in this field.
• Activation URL — Displays the URL for the McAfee Web site to which the licensing information is submitted.
• Import Key — If you do not have access to the Internet from the firewall or your local network, you cannot use the URL displayed in the Activation URL field to submit your data. Use this button to import an activation key that you have obtained using another method and have saved to a file.
• Activate Firewall — Submit the information required to obtain an activation key from the McAfee licensing Web site.

Tabs

The Firewall tab has the following tabs:
• Activation Key
• Features

Activation Key tab

The Activation Key tab displays the activation key that has been obtained from McAfee Corporation for the specified firewall.

Features tab

The Features tab displays the features that are available for the specified firewall and the licensing status of each feature. This tab has the following fields and buttons:
• Feature Name — Displays the features that are available for the firewall.
• License Status — Displays the current licensing status associated with each feature.
• Expiration — Displays the expiration date for the feature.
• Refresh — Update the table display.
Firewall License window: Contact tab

Use the Contact tab of the Firewall License window to provide information that is needed to communicate with the administrator of the specified firewall.

Note: If you have used the Common License Information window of the Administration Tool to specify contact and company information applicable to the specified firewall, click Copy from Default to fill in the information that is required to complete this tab.

Figure 287 Firewall License window: Contact tab

Accessing this tab

1 In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License window is displayed.
2 Select the Contact tab.

Fields and buttons

This tab has the following fields and buttons. Field names that are enclosed in parentheses are optional.
• First Name — Specify the first name of the administrator.
• Last Name — Specify the last name of the administrator.
• Email — Specify the e-mail address of the administrator.
• Primary Phone — Specify the telephone number for contacting the administrator. The area code must be included.
• (Alternate Phone) — Specify a secondary telephone number for contacting the administrator.
• (Fax) — Specify a fax number for communicating with the administrator.
• (Job Title) — Specify the administrator's job title.
• (Purchased From) — Specify the name of the company from which the firewall has been purchased.
• (Comment) — Provide miscellaneous information about the site.
Firewall License window: Company tab

Use the Company tab of the Firewall License window to provide information about the company that has purchased the specified firewall.

Note: If you have used the Common License Information window of the Administration Tool to specify contact and company information applicable to the specified firewall, click Copy from Default to fill in the information that is required to complete this tab.

Figure 288 Firewall License window: Company tab

Accessing this tab

1 In the Configuration Tool, from the System menu, select License Firewall.... The Firewall License window is displayed.
2 Select the Company tab.

Fields and buttons

This tab has the following fields and buttons:
• Company Name — Specify the name of the company that has purchased the firewall.
• Industry Classification — Select the classification that most closely matches the industry in which your company is involved (for example, Government, Manufacturing, Transportation).

Tabs

This tab has the following tabs:
• Company Address
• Billing Address

Company Address tab

The Company Address tab has the following fields:
• Address — Specify the company's street address.
• City — Specify the city in which the company is located.
• State/Province — Specify a state in the US, Washington D.C., or the keyword Other.... If Other... is selected, the following field is displayed:
  • State/Province (Non-US) — Specify the name of a state or province outside the US.
• Postal (zip) Code — Specify the ZIP code for a US company or the alphanumeric postal code for a company outside the US.
• Country — Specify the country in which the company is located.

Billing Address tab

The Billing Address tab has the following fields and buttons.

Note: If the information for the billing address is the same as that provided for the company address, click Copy From Company Address to fill in the information that is required to complete this tab.

• Address — Specify the street address for the company's billing.
• City — Specify the city for the company's billing.
• State/Province — Specify a state in the US, Washington D.C., or the keyword Other... for the company's billing. If Other... is selected, the following field is displayed:
  • State/Province (Non-US) — Specify the name of a state or province outside the US.
• Postal (zip) Code — Specify the ZIP code for a US company or the alphanumeric postal code for a company outside the US for the company's billing.
• Country — Specify the country for the company's billing.
• Clear — Clear the displayed values.

Control Center maintenance

You can manage the following Control Center Management Server objects from the Maintenance group bar of the Configuration Tool:
• Server logs — See Viewing Management Server logs on page 663.
• Server properties — See Configuring Management Server properties on page 664.
• Firewall audit export settings — See Exporting firewall audit files that are stored on the Control Center on page 667.
• Backing up configuration files — See Creating backup files of your Management Server data by using the GUI on page 123.
• Restoring configuration files — See Restoring the Management Server configuration files from a backup file on page 126.
Viewing Management Server logs

Use the Server Logs window to view various types of server logs. The tree displayed on the left shows the log groups and the associated logs, while the content window displays the selected log information.

Figure 289 Server Logs window

Accessing this window

In the Configuration Tool, Administration Tool, Reporting and Monitoring Tool, and the Software Updates Tool, from the System menu, select Server Logs. The Server Logs window is displayed.

Additionally, in the Configuration Tool, you can access this window by performing the following steps:
1 Select the Maintenance group bar.
2 Beneath the Control Center Maintenance node, double-click the Server Logs sub-node. The Server Logs window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Refresh — Reload the Server Log list that is displayed in the tree on the left.
• Find — Find matches in the log content area for the text that you have specified. The previous search strings are stored until the Server Logs window is displayed.
• Export — Export the displayed log content, in plain text format, to a local platform.
• Close — Close this window.
• Show all lines — Specify the number of lines to be displayed at one time. Some of these values are pre-set (for example, Show all lines, Show last 50 lines, or Show last 100 lines), or you can select Select number of lines to define a number of your choice. When specifying the latter, click Show to display the result.
Configuring Management Server properties

Use the Server Property Editor window to display and edit Control Center Management Server properties and to add new properties. After editing any existing value or introducing a new property, the Control Center Management Server must be restarted for these changes to take effect.

Note: When you restart the server to invoke any change made to the server properties, only the server application (Tomcat) is restarted, not the server device hardware.

Figure 290 Server Property Editor window

Accessing this window

1 In the Configuration Tool, select the Maintenance group bar.
2 Beneath the Control Center Maintenance node, double-click the Server Properties Editor sub-node. The Server Property Editor window is displayed.

or

In the Configuration Tool and in the Administration Tool, from the System menu, select Server Property Editor. The Server Property Editor window is displayed.

Fields and buttons

This window has the following fields and buttons:
• Property — [Read-only] Displays the property name. The following properties are displayed:
  • management.server.version — [Read-only] Displays the version of the Management Server.
  • logging.level — Specify the level of log information. Values range from the lowest level (INFO) to the highest level (ALL). The default value is FINE. The following values are available:
    • INFO
    • CONFIG
    • FINE (This is the default value.)
    • FINER
    • FINEST
    • ALL
  • logging.console — Determines whether logging data should be sent to the console. The default value is selected.
  • compliance.grace.period — Specify the maximum number of minutes after the scheduled time of the compliance report within which the compliance report may still be run. This is used if the Management Server is down when a compliance report is scheduled to be run and the server comes back up within this specified timeframe. The default value is 20 minutes.
  • compliance.stored.days — Specify the number of days of stored compliance reports to keep. All reports that are older than this value will be deleted. The default value is 30.
  • compliance.report.path — Specify the location at which saved compliance reports are stored.
  • apply.allEndpoints — Determines whether all network objects in the Control Center will be applied to a firewall. If this checkbox is selected, all objects will be applied. If this checkbox is cleared, only those network objects that are used in the firewall’s configuration will be applied. The default value is cleared.
  • apply.allServices — Determines whether all proxy and filter services will be applied. If this checkbox is cleared, only those proxy and filter services that are used in this firewall’s configuration will be applied, plus the pre-defined proxy services. If this checkbox is selected, all defined services will be applied. The default value is cleared.
  • apply.allTimePeriods — Determines whether all time period objects in the Control Center will be applied to a firewall. If this checkbox is selected, all time period objects will be applied. If this checkbox is cleared, only those time period objects that are used in the firewall’s configuration will be applied. The default value is selected.
  • apply.restart — Determines whether, after a restart of the firewall, the Management Server will attempt to re-apply a firewall's configuration if the last attempt to apply the configuration failed because the firewall was down. The default value is selected.
  • apply.lpsDefaults — Determines whether the default IPS signature groups and response mappings should be applied to a firewall, even if they are not being used. The default value is selected.
  • ips.UpdateSignatureCategories — Determines whether, when the Management Server receives a new IPS update package from the firewall, the Management Server will also update the configuration of the default IPS signature groups in addition to updating the list of IPS signatures. The default value is selected.
  • processing.rules.file.path — Specify the location at which the alert processing rules configuration file is stored. The default value is /usr/local/common/dcserver/conf/rules_template.xml.
  • processing.rules.email.sender — Specify the e-mail account from which the alert e-mail messages will be sent. The default value is alerter.
  • priority.mappings.file.path — Specify the location of the file in which the Control Center priority mappings are stored. The default value is /usr/local/common/dcserver/conf/priorityMapping.properties.
  • update.history.file.path — Specify the location of the file in which the Management Server stores the history of updates that have been applied. The default value is /usr/local/tomcat/webapps/cm/WEB-INF/updates/update_history.txt.
  • update.package.path — Specify the directory in which the Control Center updates are stored. The default value is /usr/local/tomcat/webapps/cm/WEB-INF/updates/.
  • update.auto — Determines whether the Management Server will automatically update the firewall ccmd packages if they are determined to be out of date. The default value is selected.
  • installed.updates.path — Specify the location of the file in which the Management Server stores the list of updates that have been installed for this release. The default value is /usr/local/tomcat/webapps/cm/WEB-INF/updates/installed_updates.txt.
  • backup.auditlogs — Determines whether the audit log files will be backed up when a backup is performed. The default value is cleared.
  • backup.dbbackups — Determines whether the database files will be backed up when a backup is performed. The default value is cleared.
  • ccqsize — Specify the number of concurrent configurations that the Management Server will build during an apply or validate. The default value is 15.
  • msqsize — Specify the number of concurrent messages that the Management Server will send out to managed firewalls. The default value is 15.
  • firewall.sweep — Specify the frequency (in minutes) at which the Management Server will check for unresponsive firewalls. Firewalls that have not sent an updated status in the specified number of minutes will be considered to be down. The default value is 5.
  • session.timeout — Specify the number of minutes to wait before the Management Server will clear out an inactive client session. The default value is 15.
  • debug.retainRetrieveXml — Determines whether the Management Server should retain configuration bundles that have been obtained from a firewall during a retrieve. The default value is selected.
  • license.url.cc — Specify the default URL that is used to obtain a Control Center license. The default value is https://ssl.securecomputing.com/cgi-bin/cc-activation.cgi.
  • license.url.sw — Specify the default URL that is used to obtain a firewall license. The default value is https://ssl.securecomputing.com/cgi-bin/sidewinder-activation.cgi.
  • license.backupurl.cc — Specify the backup URL to use to obtain a Control Center license if the primary URL is unresponsive. The default value is https://66.45.10.76/cgi-bin/cc-activation.cgi.
  • license.backupurl.sw — Specify the backup URL to use to obtain a firewall license if the primary URL is unresponsive. The default value is https://66.45.10.76/cgi-bin/sidewinder-activation.cgi.
  • hdd.size.threshold — Specify the percentage of used hard drive space on the Management Server above which a disk space alert is generated. The default value is 80.
  • update.nodename.interval — Specify the frequency (in hours) at which a task is run to ensure that the firewall status table has the correct nodename information for each firewall. The default value is 6.
  • audit.export.cron — Specify the time at which the audit export will occur. By default, it occurs nightly at 2:30 AM. However, you can use this property to override that setting. For more information about the values for this property, see Exporting firewall audit files that are stored on the Control Center on page 667. The default value is 0 30 2 * * ? *.
• Value — [Read-only] Displays the value of the associated property name.
• OK — Save the changes that were made on this window.
• Cancel — Close this window without saving any changes.
• Add — Displays the Add New Property window, in which new properties can be defined.
Exporting firewall audit files that are stored on the Control Center

Use the Export Settings for Control Center Firewall Audit Files window to export firewall audit log files that were written to the Control Center Management Server to a remote location. With this window, you can also configure a different export setting for each configuration domain.

Although you configure the events that trigger the export in this window, by default the export itself occurs at 2:30 AM, Management Server time, unless you have edited the audit.export.cron property in the Server Property Editor window. If you edit this property value, the export occurs at the time that you specify.

Refer to the following table for the components of the audit.export.cron property. It consists of the following fields, separated by spaces. You can use the asterisk (*) wildcard character in any field; the question mark (?) character, which is an inclusive character, can be used in the Day Of Month and Day Of Week fields only.

Table 26 Fields for the audit.export.cron property

  Field number  Field name       Allowed values
  1             Seconds          0–59
  2             Minutes          0–59
  3             Hours            0–23
  4             Day Of Month     1–31
  5             Month            1–12
  6             Day Of Week      1–7
  7             Year (optional)  empty or 1970–2099

For example, the following string indicates that the export occurs at 2:30 AM every day of the week:

0 30 2 * * ? *

Figure 291 Export Settings for Control Center Audit Files window
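The seven-field audit.export.cron format of Table 26, as an added example that is not Control Center code: a parser that enforces the table's allowed values and the Day Of Month / Day Of Week restriction on "?", plus a check of whether and when a schedule fires. The list and range syntax beyond "*" and "?" is assumed from the Quartz-style format the property follows; the default string is the one the guide gives.

```python
"""Validator and matcher for the audit.export.cron schedule string.
Added example, not Control Center code; it implements only a subset of the
Quartz-style syntax ('*', '?', numbers, comma lists, a-b ranges) using the
field order and allowed values of Table 26 in the guide."""
from datetime import datetime, timedelta

# (name, minimum, maximum, '?' permitted), in the order of Table 26
FIELDS = [
    ("Seconds", 0, 59, False),
    ("Minutes", 0, 59, False),
    ("Hours", 0, 23, False),
    ("Day Of Month", 1, 31, True),
    ("Month", 1, 12, False),
    ("Day Of Week", 1, 7, True),
    ("Year", 1970, 2099, False),
]
DEFAULT_EXPORT_CRON = "0 30 2 * * ? *"  # the guide's default: nightly at 2:30 AM


def _parse_field(text, name, lo, hi, question_ok):
    """Return None for a wildcard ('*' or '?'), otherwise the set of values."""
    if text == "*":
        return None
    if text == "?":
        if not question_ok:
            raise ValueError(f"'?' is allowed only in Day Of Month and Day Of Week, not {name}")
        return None
    values = set()
    for part in text.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            if low > high:
                raise ValueError(f"{name}: descending range {part!r}")
            values.update(range(low, high + 1))
        else:
            values.add(int(part))  # int() rejects junk such as 'x' or ''
    for v in values:
        if not lo <= v <= hi:
            raise ValueError(f"{name}: {v} is outside {lo}-{hi}")
    return values


def parse_cron(expr):
    """Parse the 7 fields into sets (None = wildcard); Year may be omitted."""
    parts = expr.split()
    if len(parts) == 6:
        parts.append("*")
    if len(parts) != 7:
        raise ValueError(f"expected 6 or 7 fields, got {len(parts)}")
    return [_parse_field(p, *spec) for p, spec in zip(parts, FIELDS)]


def is_valid(expr):
    """True if parse_cron accepts the expression."""
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def _to_dt(when):
    """Accept a datetime or an ISO 8601 string such as '2009-06-15T02:30:00'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def _date_ok(day, dom, month, dow, year):
    """True if the date part of `day` satisfies the four date fields."""
    # Quartz numbers the week 1=Sunday .. 7=Saturday; Python's weekday() is 0=Monday
    quartz_dow = (day.weekday() + 1) % 7 + 1
    checks = ((dom, day.day), (month, day.month), (dow, quartz_dow), (year, day.year))
    return all(allowed is None or value in allowed for allowed, value in checks)


def matches(expr, when):
    """True if `when` is a moment at which the export would run."""
    when = _to_dt(when)
    sec, minute, hour, dom, month, dow, year = parse_cron(expr)
    clock = ((sec, when.second), (minute, when.minute), (hour, when.hour))
    time_ok = all(allowed is None or value in allowed for allowed, value in clock)
    return time_ok and _date_ok(when, dom, month, dow, year)


def next_fire(expr, after, max_days=366):
    """Earliest moment strictly after `after` at which the schedule fires, or None."""
    after = _to_dt(after)
    sec, minute, hour, dom, month, dow, year = parse_cron(expr)
    secs = sorted(sec if sec is not None else range(60))
    mins = sorted(minute if minute is not None else range(60))
    hours = sorted(hour if hour is not None else range(24))
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(max_days):
        if _date_ok(day, dom, month, dow, year):
            # ascending order, so the first candidate past `after` is the answer
            for h in hours:
                for m in mins:
                    for s in secs:
                        candidate = day.replace(hour=h, minute=m, second=s)
                        if candidate > after:
                            return candidate
        day += timedelta(days=1)
    return None
```

Running next_fire against the server's current time before restarting Tomcat is a quick way to confirm that an edited audit.export.cron value fires when intended.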
Accessing this window
1 In the Configuration Tool, select the Maintenance group bar.
2 Beneath the Control Center Maintenance node, double-click the Firewall Audit Export Settings sub-node. The Export Settings for Control Center Firewall Audit Files window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Enable export of Firewall audit files from Control Center to a remote location. — Determines whether to establish the parameters in this window to trigger an export of existing firewall audit files to a remote location. The default value is cleared. If you select this checkbox and the criteria are met and the files are exported, the audit files are deleted from the Control Center Management Server after the export is successful.
• Retention Settings — Use the fields in this area to determine the conditions for exporting the audit files. The following fields are available:
  • Export audit files that are older than n days — Determines whether to set a date condition for exportation, that is, files would be exported after they have been stored on the Control Center Management Server for a certain number of days. If you select this checkbox, you must also configure the number of days for this condition. The default value is cleared.
  • Limit the combined size of all of the audit files — Determines whether to set a file size condition for exportation, that is, files would be exported after a certain combined file size limit is reached. If you select this checkbox, you must also configure the other fields in this group to define this condition:
    • Size limit — Indicates the number for the combined size of all of the audit files from firewalls that are stored on the Management Server. The default value is 0.
    • Unit — Indicates the measurement unit for the value that was specified in the Size Limit field. The available values are MB and GB. The default value is MB.
• Current Partition Usage — [Read-only] Use the fields in this area to view existing information about the size of the partition on the Management Server that contains all of the firewall audit log files. The three fields indicate the amount of space that is currently used by audit log files (Used), the amount of space that is available for additional log files (Available), and the percentage of space in the partition that is currently being used (Percentage Used). In the Used and Available fields, the following abbreviations are used: M = MB, K = KB, G = GB, and B = bytes.
• Remote Location — Use the fields in this area to specify information about the target remote location so that the audit log files can be successfully exported. The following fields are available:
  • Export using — Specify the type of file transfer to be used for this export. The following values are available:
    • SCP — Indicates that Secure Copy (SCP) is used for the transfer. This is the default value.
    • FTP — Indicates that File Transfer Protocol (FTP) is used for the file transfer.
    • FTPS — Indicates that File Transfer Protocol Secure (FTPS) is used for the file transfer.
  • Username — Specify the user name that will be used to authenticate with the remote location for this file transfer.
  • Password — Specify the password that will be used to authenticate with the remote location for this file transfer.
  • Hostname — Specify the hostname of the remote location for this file transfer.
  • Port — Specify the port that will be used for this file transfer. The default value for this field is determined by the value that you have selected in the Export using field. The following default values are displayed, according to protocol:
    • For SCP, the default value is 22.
    • For FTP, the default value is 21.
    • For FTPS, the default value is 990.
  • Directory — Specify the remote directory that will be used for this file transfer.
• (Informational message) — [Read-only] The text in this message changes, depending on whether you have selected the first checkbox in this window. If you select the first checkbox, make sure that you read this message.
• OK — Save the export settings that you have configured. Note again that the actual export will not occur until 2:30 AM or the time that is specified in the audit.export.cron property of the Server Property Editor window. Audit files will be deleted after they have been successfully transferred.
• Cancel — Close this window without saving any export settings. No export will occur.

Customizing the Configuration Tool

Use the Configuration Tool Startup Options window to configure the appearance of the Configuration Tool when it is started. It allows the administrator to configure which windows to initially load when the tool is opened and has an optional feature to open the tool with the configuration that existed when the tool was closed.

Figure 292 Configuration Tool Startup Options window

Accessing this window
In the Configuration Tool, from the System menu, select Startup Options. The Configuration Tool Startup Options window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Save layout on exit — Determines whether to open the Configuration Tool in the same configuration that it was in when it was closed. The docking state is not preserved. Selecting this option disables the Windows loaded at startup list.
• Windows loaded at startup — Displays the windows that are open, and the order in which they are opened and presented in the work area of the Configuration Tool, when it is initially started.
• Windows Available at startup — Displays the windows that are not opened or displayed in the work area of the Configuration Tool when it is initially started.
• (Navigational buttons) — Use these buttons to add, remove, and sequence the windows that are opened at startup:
  • — Move selected items in the Windows Available at startup column to the Windows loaded at startup column.
  • — Move selected items in the Windows loaded at startup column to the Windows Available at startup column.
  • — Move selected items in the Windows loaded at startup column up one row.
  • — Move selected items in the Windows loaded at startup column down one row.
• Object Details settings — Use the options in this area to determine whether the Object Details information will be displayed as a tab page (Launch as a tab page) or in a docked state (Launch in docked state). Select the startup option for this information.
• OK — Save changes that were made in this window.
• Cancel — Close this window without saving any changes.
• Restore Default — Determines whether to restore the default configuration.
10 Reporting and Monitoring Tool

Contents
Reporting and Monitoring Tool
Alerts
Secure Alerts Server
Firewall reports in the Reporting and Monitoring Tool

Reporting and Monitoring Tool

The Reporting and Monitoring Tool aggregates all of the McAfee Firewall Enterprise (Sidewinder) monitoring and reporting functions of the McAfee Firewall Enterprise Control Center into a single tool. The main purpose of the Reporting and Monitoring Tool is to provide a way to centrally monitor alert activity and to generate reports for multiple firewalls.

Use the features and functions of the Reporting and Monitoring Tool to monitor the operational status of the supported firewalls, generate a wide range of reports, and manage a user-configurable set of alerts that are generated by the firewalls. Alert processing rules are managed by using the Configuration Tool. For more information, see Configuring IPS attack responses on page 609.

The alert management functions and operations form the foundation of this tool. The primary focus of this tool is to identify alerts and use various interfaces and reports to investigate the causes and to correct the conditions of multiple firewalls from a central location.
Viewing the properties of a firewall

Use the McAfee Firewall Enterprise Properties window to view configuration parameters that are associated with the selected firewall. These parameters are configured on the Firewall window in the Configuration Tool. For more information, see Configuring the firewall on page 170.

Figure 293 McAfee Firewall Enterprise Properties window

Accessing this window
1 In the Reporting and Monitoring Tool, select the Firewalls group bar.
2 Click the Firewalls node in the tree to expand the view of firewalls.
3 Right-click one of the defined firewall objects and select Properties. The McAfee Firewall Enterprise Properties window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Name — [Read-only] Displays the name of the firewall object as it appears in the list of firewalls in the Firewalls group bar.
• Description — [Read-only] Displays information about the firewall and its configuration.
• Node Name — [Read-only] Displays the host name by which the system identifies itself during network and login connections.
• Configuration — [Read-only] Use the fields in this area to view information about the firewall and its location. The following fields are available:
  • Firewall Mgmt Address — [Read-only] Displays the IP address of the network interface on the firewall that the Control Center uses to manage the firewall.
  • Firewall Mgmt Port — [Read-only] Displays the port number that the firewall uses to communicate with the Control Center Management Server.
  • Version — [Read-only] Displays the version of software installed on the firewall.
  • Time Zone — [Read-only] Displays the time zone in which the firewall is located.
  • Location — [Read-only] Displays user-defined location information.
  • Contact — [Read-only] Displays the contact information for this firewall. The Administrator e-mail address will be displayed in this field. This is the e-mail address that was configured on and retrieved from the firewall.
  • Enable IPv6 — Not available on this window.
• Management Servers — [Read-only] Use the fields in this area to view the Management Servers that manage this firewall. The following fields are available:
  • Host Name — [Read-only] Displays the fully qualified host name of the Management Server.
  • IP address — [Read-only] Displays the IP address that this firewall uses to reach the server.
• Firewall Properties — [Read-only] Use this table to view user-defined category and value pairs.
• Mail Configuration — Use the fields in this area to view information about the mail configuration for this firewall. The following fields are available:
  • SMTP Mode — [Read-only] The following values can be displayed:
    • Secure Split SMTP — Indicates to use the firewall-hosted sendmail servers. Select this option to take advantage of such sendmail features as header stripping, spam and fraud control, and mail routing.
    • Transparent — Indicates to pass mail by proxy through the firewall. Select this option to ensure that only the files that are necessary to send administrative messages will be configured. These include firewall-generated alerts, messages, and logs.
  • Internal SMTP Burb — [Read-only] Displays the burb in which your site's SMTP server resides.
• Close — Close this window without saving any changes.

Investigating alerts

Often, the root cause of an alert is obvious as indicated by the content of the associated message.
However, for those alerts that have been generated when the root cause or the corrective action is not self-evident, you can use the other resources in the Reporting and Monitoring Tool to investigate the cause and to correct the condition that generated the alert. You can accomplish the following tasks by using the features, functions, and reports in the Reporting and Monitoring Tool:
• Browse alerts — The Alert Browser page provides a summary of firewall-generated alerts. Use this page to:
  • Visually examine a summary of each alert.
  • Sort and manage how the alerts are displayed.
  • Acknowledge alerts.
  • Clear, annotate, and review the actions that were taken for each alert.
  • Review alert messages.
  • Determine the time at which an alert occurred so that you can investigate the activities that were logged when the alert occurred.
  For more information, see Alerts on page 677.
• Evaluate the status of the Secure Alerts Server — An integrated Secure Alerts Server collects the alerts, activities, and events that are generated by the supported firewalls, normalizes the data, and stores the data in the Secure Alerts Server database. This data becomes the source for the information that is displayed in the Alert Browser and in the Event Browser. Use the Secure Alerts Server Status page to view the status of the associated server. For more information, see Secure Alerts Server on page 686.
• Determine firewall status — A comprehensive visual display of the operational status for all the supported firewalls is provided. The Firewall Status page lists firewall-specific status information for each supported firewall that is configured in your system. For more information, see Viewing the overall status of your firewalls on page 574.
• Manage audit reports — Use the Reporting and Monitoring Tool to generate user-defined, firewall-specific audit reports based on the audit log data that is sent to the Management Server by each configured firewall. For more information, see Firewall audit reports on page 624.
• Generate and view firewall-specific reports — Use the Reporting and Monitoring Tool to generate and display a variety of firewall-specific reports. For those reports that require it, you provide the report-specific parameters or options for the specific report that is being generated through the provided interface. For more information, see Firewall reports in the Reporting and Monitoring Tool on page 689.

Column data

This table lists the definitions for the various column headings when you are viewing alerts and events in the Reporting and Monitoring Tool. Each row in this table specifies the name that is used for the column heading, the view of the data that supports the heading entry, and a definition of the heading content.
Table 27 Column heading definitions
Column Heading Name | View | Description
Ack | Alert Browser | Select this checkbox to acknowledge the associated alert. After an alert is acknowledged, you cannot revert its status. When an alert is acknowledged, you must annotate the alert record by using the Alert Browser page.
Id (Alert Browser), ID (Event Browser) | Alert Browser, Event Browser | Unique alert identifier assigned by the Secure Alerts Server.
Status | Alert Browser | Current status of the alert. The available values are: Open or Closed.
Priority | Alert Browser | Priority that is assigned to the alert. There are five levels of priority, listed from the highest value to the lowest value: 1 Critical (Red); 2 High (Orange); 3 Low (Yellow); 4 Warning (Green); 5 Information (<transparent>).
Name | Alert Browser, Event Browser | Name of the alert as defined by the sending firewall.
Event Type (Alert Browser), Event (Event Browser) | Alert Browser, Event Browser | Type of event as defined by the sending firewall.
Count | Alert Browser | Number of alerts of this class for a specific firewall.
Processing Rule | Alert Browser | Name of the alert processing rule.
Alarm | Alert Browser | Name of the alert alarm.
Alarm Sound | Alert Browser | Name of the alarm sound.
Device Id | Alert Browser | Identification of the firewall.
Type | Event Browser | Type of the alert as defined by the Secure Alerts Server. All alerts from each supported firewall are classified by using a class/type relationship. The class and type relationship information that is displayed as column data in the Alert Browser page and in the Event Browser window can be determined by using the hierarchy of class/type data relationships that are displayed in the Alert Filter window.
Device Name | Alert Browser | Name that was assigned to the specific firewall when the firewall was configured, or Local CC Server to represent the Management Server.
Device Address | Alert Browser | Dotted decimal IP address for the firewall.
Device Type | Alert Browser | Type of the firewall.
Acknowledge Count | Alert Browser | Number of alerts that were acknowledged.
Annotation | Alert Browser | Annotation message for that alert.
Reason | Alert Browser, Event Browser | Information in the reason field for the alert.
Source Address | Alert Browser, Event Browser | Dotted decimal IP address of the originating node for the specific alert (if known).
Source Burb | Alert Browser, Event Browser | Associated source burb that is in use for the specific alert (if known).
Source Port | Alert Browser, Event Browser | Associated source port number that is in use for the specific alert (if known).
Destination Address | Alert Browser, Event Browser | Dotted decimal IP address of the destination node for the specific alert (if known).
Destination Burb | Alert Browser, Event Browser | Associated destination burb that is in use for the specific alert (if known).
Destination Port | Alert Browser, Event Browser | Associated destination port number that is in use for the specific alert (if known).
Attack Address | Event Browser | Dotted decimal IP address of the attack node for the specified alert (if known).
Protocol | Alert Browser, Event Browser | Associated protocol that is in use for the specific alert (if known).
Interface | Event Browser | Associated interface that is in use for the specified alert (if known).
User | Alert Browser, Event Browser | Associated user name for the specific alert (if known).
Message | Alert Browser, Event Browser | Associated message for the specific alert (if known).
Description | Alert Browser | Description of the alert.
Duration | Alert Browser | Time, in milliseconds, between the First Time and Last Time.
Start Time | Alert Browser | Time stamp for the first time that the alert was generated from the perspective of the local clock for the Secure Alerts Server.
Stop Time | Alert Browser | Time stamp for the last time that the alert was generated from the perspective of the local clock for the Secure Alerts Server.
Acknowledge Time | Alert Browser | Time stamp of the time that the alert was acknowledged from the perspective of the local clock for the Secure Alerts Server.
Closed Time | Alert Browser | Time stamp that reflects the time at which the alert was closed.
Last Update Time | Alert Browser | Time stamp that reflects the time at which the alert was last updated.
Time | Event Browser | Time that the event occurred.
Mapping sound files to alarms

Use the Alarm Sound Mappings window to select the sound that is mapped to the specified alarm sound. You can specify up to five different alarm sound options (1-5) and each one can be loaded with a sound file of your choice.

Figure 294 Alarm Sound Mappings window

Accessing this window
In the Reporting and Monitoring Tool, from the View menu, click Alarm Sound Mapping. The Alarm Sound Mappings window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Alarm Sound 1 - 5 — Five different alarm sounds can be specified, one in each area.
• Use Default — Specify the default sound file for the associated alarm sound.
• Specify — Specify an alternate sound file to the file that is currently assigned to the associated alarm sound.
• Browse — The Open window is displayed, in which you can search for the file that you want to use.
• OK — Save the changes that were made on this window.
• Cancel — Close this window without saving any changes.

Mapping a sound to a given alarm sound
1 In the area for the alarm sound that you are mapping, click Use Default or Specify.
2 If you selected Use Default, skip to step 4.
  or
  If you selected Specify, specify the name of the alternate sound file and go to step 4.
  or
  Click Browse to locate the desired sound file.
3 When you find the file, double-click it to insert the value into the Specify field.
4 Click OK to save your changes.
Alerts

The Alert Browser page provides a summary of alerts generated by the firewalls that have been configured to send alerts to the Secure Alerts Server. (For more information, see Secure Alerts Server on page 686.) Use the Alert Browser page to visually examine a summary of each alert, sort and manage how the alerts are displayed, acknowledge and clear alerts, annotate and review actions taken for each alert, review alert messages, and determine the time at which an alert occurred so that you can investigate the activities that were logged during the same period of time.

Each alert that is displayed in the Alert Browser represents a summary of similar events that are generated by the same firewall. The number of similar events is displayed in the Count field. (For more information about the content of the columns, see Column data on page 674.) The individual events that are associated with an alert can be viewed by using the Event Browser window. There are several different ways to access the individual events that are associated with an alert:
• Highlight an alert and select (Events).
• From the Options menu, select Events to display the Event Browser window.
• Click the Events button in the middle of the Alert Browser page.
You can then view the associated events.

The main objective of the Alert Browser page is to allow you to quickly identify the alerts that are being generated by the configured firewalls, acknowledge them, annotate the corrective actions that are taken, resolve the problem, and clear the alert. Several interfaces are available to investigate and clear alerts. To help you understand how to manage alerts, you must first understand that alerts have three states:
• Open — These are new alerts that have been identified for which no action has been taken. This is the initial state of all alerts as they are generated.
• Acknowledged — These are alerts that have been acknowledged and that are in the process of being investigated and corrected.
  An alert can be acknowledged in any of the following ways:
  • Select the Ack checkbox on the Alert Browser page.
  • Highlight one or more alerts and click (Ack), or, from the Options menu, select Ack.
  • Select the Acknowledge checkbox on the Alert Browser page.
• Cleared — These alerts have been acknowledged and corrected. An alert can be cleared by selecting the Clear button on the Alert Browser page, or by highlighting one or more alerts and clicking (Clear) or clicking Clear from the Options menu. If an open alert is cleared, the alert is automatically acknowledged. When an alert is cleared, a message is sent to the associated firewall to set the alert count to zero. This occurs only if the firewall is currently communicating with the Management Server.

To manage alerts, you can activate any combination of the (Display Ack), (Display Open), or (Display Cleared) icons or options (from the Options menu) to view any combination of open, acknowledged, or cleared alerts at any time. Use (Columns) or click Columns from the Options menu to display the Column Selector window. Use this window to select the columns to display in the Alert Browser. (For more information about the displayed data, see Column data on page 674.)

To further refine the alerts displayed on the Alert Browser page, use (Filters) or click Filter from the Options menu to display the Alert Filter window. Use this window to identify the firewalls, alert priorities, and/or alert status conditions to include in the subsequent display of the alerts in the Alert Browser.
Because each alert that is displayed in the Alert Browser represents a summary of similar alerts that are generated by the same firewall, you might have to view all of the related events that are associated with an alert to determine the root cause. That is the purpose of the Event Browser window. To view the events associated with an alert, highlight one or more alerts in the Alert Browser and click (Events), or use the corresponding option in the Options menu.

To investigate the cause of an alert, you can review the chronological activities that were recorded by the affected firewalls during a range of time around the time that the alert occurred. This is accomplished by noting specific information about the alert or selected alerts, such as:
• Associated firewall
• Date and time
• Source and/or destination IP address

Managing alerts

Use the Alert Browser page to display a summary of the alerts that have been generated by the configured firewalls. (For more information, see Alerts on page 677.) The main objective is to allow you to quickly identify the alerts that are being generated by the configured firewalls, acknowledge the alert, annotate the corrective actions that are taken, resolve the condition, and clear the alert.

Each line in the Alert Browser page represents a summary of all of the similar alert events for that firewall. The number of similar alert events is indicated in the Count column. To view the associated events, highlight one or more alerts and click Events in the middle of the page, click Events in the Options menu, or click (Events) on the toolbar. (For more information, see Viewing events for a specific alert on page 682.)

You can use each column title in the Alert Browser to sort the displayed alerts in ascending or descending order by clicking on the column headings. Each row that is associated with an alert is color-coded to provide a visual indication of the priority of the alert.
Refer to the following table of the alert priority colors:

Table 28 Alert priorities
Alert Priority | Description | Color
1 | Critical | Red
2 | High | Orange
3 | Low | Yellow
4 | Warning | Green
5 | Information | <transparent>

The first column in the table is the Row Number column. Click this column to highlight an alert. To highlight more than one alert, press Ctrl and then click, or press Shift and then click again.
Figure 295 Alert Browser page

Accessing this page
In the toolbar of the Reporting and Monitoring Tool, click (the Alert Browser tool), or, from the View menu, select Alert Browser.

Tools and menu options
This page has the following options that can be accessed as tools from the toolbar, as menu options from the Options menu, or as buttons directly on the page:
• Columns — Select the columns of alert data that are to be displayed in the Alert Browser. The Column Selector window is displayed. For more information, see Configuring columns for the Alert Browser page on page 685.
• Filters — Specify the alerts to be displayed in the Alert Browser. The Alert Filter window is displayed. For more information, see Filtering the alerts to be displayed in the Alert Browser on page 686.
• Export Data — Export the selected data, in plain text format, to a local platform. The Export Alerts File window is displayed, in which you can specify the location and file name that are associated with the exported data.
• Print — Print the selected alert data. The Print window is displayed, in which you can specify the printer name, the print range, and the number of copies.
• Display Ack — Display the alerts that have been acknowledged. As a result of this selection, the associated checkbox is also selected in the Alert Filter window.
• Display Cleared — Display the alerts that have been cleared. As a result of this selection, the associated checkbox is also selected in the Alert Filter window.
• Display Open — Display the alerts that have not been acknowledged. As a result of this selection, the associated checkbox is also selected in the Alert Filter window.
• Annotate — Determines whether to enable annotations. The Annotate window is displayed, in which you can record any comments about the associated alert.
• Ack — Select the acknowledgement checkbox for this alert. This is a one-time activity for each alert and this action cannot be undone. The Annotate window is displayed, in which you can record any operator information to associate with the alert. To view alerts that have been acknowledged, click (Display Ack) on the toolbar or click Display Ack in the Options menu. If an alert is acknowledged and more alerts of the same type on the same firewall occur, the alert count is incremented and is displayed on the Alert Browser.
• Clear — Clear the selected alerts. To view alerts that have been cleared, click (Display Cleared) on the toolbar or click Display Cleared in the Options menu. Cleared alerts will remain visible until they are removed from the system. A script is automatically run each night to remove the cleared alerts. The time that this script runs is user configurable.
• Jump — Jump to a specified row number. The Jump To window is displayed, in which the selected row number is displayed.
• Events — Display the events that are associated with the selected alerts. To view the events that are associated with an alert, click the row number column (first column) to highlight the alert (or, to highlight more than one alert, press Ctrl and click or press Shift and click). Then click (Events) or click Events in the Options menu to display the Event Browser window.
• Preview Pane — Horizontally split the view display in half. This results in the top half of the display showing the detailed description of the selected alert and the bottom half showing the list of alerts.
• Alarm for Open — Display all events for Alarm Open only.
• Alarm for Ack — Display all events for Alarm Acknowledge only.
• Alert Update Summary — Select this checkbox to display the Alert Update Summary for the selected event.

Fields and buttons
This page has the following fields and buttons:
• Columns at the top of the page — The columns that are displayed at any time are dependent on the columns that you select in the Column Selector window. For more information about the content of the columns, see Column data on page 674.
• Alert Details tab — Use the fields on this tab to view more detailed information about the selected alert.
  • Alarm — [Read-only] Displays the name of the alert alarm.
  • Alarm Sound — [Read-only] Displays the name of the alarm sound.
  • Count — [Read-only] Displays the total count of the alerts of a particular kind.
  • Device Address — [Read-only] Displays the IP address of the firewall.
  • Device Id — [Read-only] Displays the identification of the firewall.
  • Device Name — [Read-only] Displays the name of the firewall.
  • Device Type — [Read-only] Displays the type of the firewall.
  • Duration — [Read-only] Displays the time, in milliseconds, between the start time and the stop time values.
  • Event Type — [Read-only] Displays the type of event as defined by the sending firewall.
  • Id — [Read-only] Displays the unique identification that is assigned to this alert by the Secure Alerts Server.
  • Last Update Time — [Read-only] Displays the time stamp of the time at which the alert information was last updated.
  • Message — [Read-only] Displays the associated message for the specific alert (if known).
  • Name — [Read-only] Displays the name of the activity as it is defined by the sending firewall.
  • Priority — [Read-only] Displays the priority that is assigned to the alert. There are five levels of priority, listed from highest to lowest:
    Table 29 Alert priorities
    Level | Priority | Color
    1 | Critical | Red
    2 | High | Orange
    3 | Low | Yellow
    4 | Warning | Green
    5 | Information | <transparent>
  • Processing Rule — [Read-only] Displays the name of the alert processing rule.
  • Start Time — [Read-only] Displays the time stamp for the first time that the alert was generated from the perspective of the local clock for the Secure Alerts Server.
  • Status — [Read-only] Displays the status of the alert.
  • Stop Time — [Read-only] Displays the time stamp of the time at which the alert was acknowledged from the perspective of the local clock for the Secure Alerts Server.
  • User — [Read-only] Displays the integer that represents the user who caused the alert.
• Event Details tab — Use the fields on this tab to view more detailed information about the events that are associated with the selected alert.
  • Category — Indicates a grouping of events as defined by the firewall, such as CCAlerts for the McAfee Firewall Enterprise Control Center Management Server and SystemInfo and Authentication for the firewalls.
  • Event — [Read-only] Displays the short description of the event.
  • ID — [Read-only] Displays the unique alert identifier that is assigned by the Secure Alerts Server.
  • Last Update Time — [Read-only] Displays the time stamp of the time at which the alert information was last updated.
  • Message — [Read-only] Displays the associated message for the specific alert (if known).
  • Name — [Read-only] Displays the name of the alert as it is defined by the sending firewall.
  • Reason — [Read-only] Displays the description of the reason that caused this event.
  • Time — [Read-only] Displays the time at which the event was generated that produced this alert.

Accessing this window
In the Reporting and Monitoring Tool, from the Options menu, select Ack, Clear, or Annotate.
or
When the Alert Browser page is displayed and an alert is highlighted, click (Ack), (Clear), or (Annotate) in the toolbar.
Viewing events for a specific alert
Use the Event Browser window to view all of the specified events that occurred on a firewall that are related to the class of the highlighted alert. (For more information, see Alerts on page 677.)

Figure 296 Event Browser window

Accessing this window
In the Reporting and Monitoring Tool, from the Options menu, select Events.
or
When the Alert Browser page is displayed and an alert is highlighted, click (Events) in the toolbar.
or
Click Events in the middle of the Alert Browser page.

Fields and buttons
This window and its list have the following fields and buttons:
• Columns — Select the columns to be displayed in the Event Columns window. For information about the column content, see Column data on page 674.
• Jump To — Quickly move to a specified row in the current page of events by using the Jump To window. By default, 1,000 events are displayed on each page.
• Navigation buttons — Use any of these buttons to quickly move between the pages of activities that have been delivered based on the specified activity filters. By default, each page displays 1,000 events.
• Export — Export this data to a file in comma-delimited (CSV) format. The Save as window is displayed, in which you define the name of and destination for this file.
• Print — Print the displayed list of events.
• Close — Close the Event Browser window.
• Column headings in the table — Sort the column data in ascending or descending order by clicking any column heading in this list. The results of this sort include only the events in the current page (1,000 entries by default).
• Numbered column — View the event-specific information that is associated with an event by double-clicking the first column, which holds the row number of each event that is displayed in the Event Browser window. The Event Message window is displayed, in which you can view this information.
• Column data — Only those columns for which there are data are displayed. For more information, see Column data on page 674.
Configuring the columns on the Event Browser window
Use the Event Columns window to change the selection of columns that are currently displayed in the Event Browser window. Note that, unlike the Column Selector window for alert columns, these selections are not preserved for all events.

Figure 297 Event Columns window

Accessing this window
In the Reporting and Monitoring Tool, in the Event Browser window, click Columns.

Fields and buttons
This window has the following fields and buttons:
• Column name — Specify the column or columns that you want to appear in the subsequent display of events by selecting the respective checkbox or checkboxes. For more information about the displayed data, see Column data on page 674.
• OK — Confirm your changes and display the subsequent view of the Event Browser window.
• Cancel — Close the window without saving any changes.
Viewing additional event information
Use the Event Message window to view any additional information that is known about the selected event.

Figure 298 Event Message window

Accessing this window
In the Reporting and Monitoring Tool, double-click a specific row number of an event that is displayed in the Event Browser window. The Event Message window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Event Name — [Read-only] Displays the name of the event that was selected in the Event Browser window.
• Event Type — [Read-only] Displays the type of the alert as defined by the Secure Alerts Server. All alerts from each supported firewall are classified by using a class/type relationship. For more information about event types, see Column data on page 674.
• Attribute — [Read-only] Displays a list of the event-specific attributes. You can change the sort order of this column by clicking the arrow at the end of the column heading.
• Value — [Read-only] Displays the value associated with each event attribute.
• Close — Close this window.

Accessing the Jump To window
In the Reporting and Monitoring Tool, from the Options menu when the Alert Browser page is displayed, click Jump, or click (Jump) in the toolbar.
or
Click Jump to in the Event Browser window.
Configuring columns for the Alert Browser page
Use the Column Selector window to select the columns to be displayed in the subsequent view of the alerts that are displayed in the Alert Browser. For more information, see Alerts on page 677.

Figure 299 Column Selector window

Accessing this window
In the Reporting and Monitoring Tool, click (Columns) in the toolbar.
or
When the Alert Browser page is displayed, from the Options menu, select Columns.

Fields and buttons
This window has the following fields and buttons:
• Column Name — Select the checkbox for each column that you want to be displayed in the subsequent display of the alerts. For more information about the displayed data, see Column data on page 674.
• OK — Confirm your changes and display the subsequent view of the Alert Browser window.
• Cancel — Close the window without saving any changes.
Filtering the alerts to be displayed in the Alert Browser
Use the Alert Filter window to select the types of alerts to display in the Alert Browser.

Figure 300 Alert Filter window

Accessing this window
In the Reporting and Monitoring Tool, when the Alert Browser page is displayed, click (Filters) in the toolbar.
or
From the Options menu, select Filters.

Fields and buttons
The Acknowledged, Cleared, and Open checkboxes on the Alert Filter window are directly related to the state of the (Display Ack), (Display Cleared), and (Display Open) tools in the Alert Browser toolbar, and to the state of the Display Ack, Display Cleared, and Display Open options in the Options menu when the Alert Browser is displayed. Select any option or combination of options to select the associated options on the toolbar or Options menu. Select any combination of checkboxes to define the alerts that will be displayed in the subsequent Alert Browser page.

Secure Alerts Server
The Secure Alerts Server collects the configured alert and event activity that is recorded by each supported firewall, normalizes the data, and inserts it into the database that serves as the data resource for the Reporting and Monitoring Tool. This data becomes the foundation of the alerts, events, and activities that are accessed and viewed by using the various windows and pages in the Reporting and Monitoring Tool:
• Alert Browser page — For more information, see Alerts on page 677.
• Event Browser window — For more information, see Viewing events for a specific alert on page 682.

This data is used to perform the following tasks:
• Reconstruct system events.
• Deter improper system use.
• Assess and recover from damage.
• Monitor problem areas.
• Capture relevant information about system events.
• Assign accountability.
In the initial release of the Secure Alerts Server, you can view the status of the server and its service history.

Functionality of the Secure Alerts Server
The following steps describe the basic operation of the Secure Alerts Server.
1 To begin, the firewall must be added to the Control Center configuration by using the Configuration Tool.
2 Each supported firewall must be individually configured to log events and activities to the Secure Alerts Server. For more information, see Configuring IPS attack responses on page 609. You can configure the events that are logged so that you can tune your environment to report only those security events that make the most sense for your configuration.
3 The configured events and activities are sent to the Secure Alerts Server. The Secure Alerts Server normalizes the data and stores it in the Secure Alerts Server database. This database provides the storage foundation for all firewall events and activities collected from all the respective firewalls that are supported by the Secure Alerts Server.
4 After the normalized data is inserted into the database, it becomes immediately available to the Management Server and the Reporting and Monitoring Tool.
5 The Reporting and Monitoring Tool retrieves the security events from the Management Server.
6 The Reporting and Monitoring Tool interfaces are used to manage the subsequent data. These interfaces include:
  • Alert Browser page — For more information, see Alerts on page 677.
  • Event Browser window — For more information, see Viewing events for a specific alert on page 682.

Viewing Secure Alerts Server status information
Use the Secure Alerts Server Status page to view current and historical Secure Alerts Server status information. For more information, see Secure Alerts Server on page 686.

Figure 301 Secure Alerts Server Status page

Accessing this page
In the Reporting and Monitoring Tool, click (Secure Alerts Servers) in the toolbar.
or
From the View menu, select Secure Alerts Servers.
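The following Python model is added here as an illustration of steps 3 and 4 above and of the Alert Details and Event Details fields described under Alerts; it is not code from the guide or from the product. It folds a stream of firewall events into alerts, deriving Count, Start Time, Last Update Time, Stop Time and Duration (milliseconds between start and stop) exactly as the Alert Details tab defines them, and labels priorities per Table 29. The grouping key (device, event type, name), the dataclass field names and the sample events are constructed assumptions; the page does not describe how the Secure Alerts Server stores or groups records.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Table 29 of the guide: priority level -> (priority name, colour). Level 5 has no colour.
PRIORITY_LEVELS = {
    1: ("Critical", "Red"),
    2: ("High", "Orange"),
    3: ("Low", "Yellow"),
    4: ("Warning", "Green"),
    5: ("Information", None),
}


@dataclass(frozen=True)
class Event:
    """One event as a firewall reports it (constructed; fields follow the Event Details tab)."""
    device_id: str
    device_name: str
    device_address: str
    category: str
    event_type: str
    name: str
    message: str
    priority: int  # level 1-5 per Table 29
    time: datetime


@dataclass
class Alert:
    """One alert as the Alert Details tab shows it, built from one or more like events."""
    device_id: str
    device_name: str
    device_address: str
    event_type: str
    name: str
    priority: int
    count: int
    start_time: datetime
    last_update_time: datetime
    status: str = "Open"
    stop_time: Optional[datetime] = None
    messages: List[str] = field(default_factory=list)


AlertKey = Tuple[str, str, str]  # (device_id, event_type, name): an assumed grouping key


def aggregate_events(events: List[Event]) -> Dict[AlertKey, Alert]:
    """Fold events into alerts, one per firewall and event kind.

    Count, Start Time and Last Update Time follow the Alert Details tab definitions.
    The grouping key is an assumption: the page does not state how the Secure Alerts
    Server decides that two events belong to the same alert.
    """
    alerts: Dict[AlertKey, Alert] = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.device_id, ev.event_type, ev.name)
        alert = alerts.get(key)
        if alert is None:
            alerts[key] = Alert(ev.device_id, ev.device_name, ev.device_address,
                                ev.event_type, ev.name, ev.priority,
                                count=1, start_time=ev.time, last_update_time=ev.time,
                                messages=[ev.message])
        else:
            alert.count += 1
            alert.last_update_time = ev.time
            alert.messages.append(ev.message)
    return alerts


def duration_ms(alert: Alert) -> Optional[int]:
    """Duration as the Alert Details tab defines it: Stop Time minus Start Time, in milliseconds."""
    if alert.stop_time is None:
        return None
    return int((alert.stop_time - alert.start_time).total_seconds() * 1000)


def acknowledge(alert: Alert, when: datetime) -> int:
    """Mark the alert acknowledged, record the Stop Time and return the Duration in ms."""
    alert.status = "Acknowledged"
    alert.stop_time = when
    return duration_ms(alert)


def priority_label(level: int) -> str:
    name, colour = PRIORITY_LEVELS[level]
    return f"{level} {name}" + (f" ({colour})" if colour else "")


# Constructed sample: three failed logins on one firewall and one system message on another.
T0 = datetime(2009, 6, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event("fw-01", "edge-fw", "192.0.2.10", "Authentication", "auth_fail", "Login failed",
          "user admin: bad password", 2, T0),
    Event("fw-02", "dmz-fw", "192.0.2.20", "SystemInfo", "sys_info", "Service started",
          "httpd proxy started", 5, T0.replace(second=10)),
    Event("fw-01", "edge-fw", "192.0.2.10", "Authentication", "auth_fail", "Login failed",
          "user admin: bad password", 2, T0.replace(second=30)),
    Event("fw-01", "edge-fw", "192.0.2.10", "Authentication", "auth_fail", "Login failed",
          "user admin: bad password", 2, T0.replace(minute=1, second=15)),
]


def build_sample_alerts() -> Dict[AlertKey, Alert]:
    return aggregate_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    alerts = build_sample_alerts()
    for a in alerts.values():
        print(a.device_name, a.name, "count", a.count, priority_label(a.priority),
              a.start_time, a.last_update_time, a.status)
    auth = alerts[("fw-01", "auth_fail", "Login failed")]
    print("duration ms after ack:", acknowledge(auth, T0.replace(minute=5)))
```

Running the module prints two alerts (the three authentication failures collapse into one alert with Count 3) and a Duration of 300000 ms once the alert is acknowledged five minutes after its Start Time. Stop Time and Duration stay unset while the alert is Open, matching the tab's definition of Stop Time as the acknowledgement time.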
Tables
This page is divided into two tables:
• Secure Alerts Server Status table — The upper table displays the current status of the Secure Alerts Servers.
• Secure Alerts Service History table — The lower table displays the historical status of when the server was started and stopped.

Fields and buttons
This page has the following fields and buttons:
• View — Use this right-click menu to select the way in which the Secure Alerts Server Status data is displayed. Right-click in the Secure Alerts Server Status table to display this option and click it. The following options are available:
  • Large Icons — Display the supported Secure Alerts Server data by using large icons.
  • Small Icons — Display the supported Secure Alerts Server data by using small icons.
  • List — Display the supported Secure Alerts Server data in list format.
  • Details — Display the supported Secure Alerts Server data in a detailed list format. This is the default value.

Secure Alerts Server Status table
This table has the following fields and buttons:
Note: The field data is displayed only when Details is selected from the View right-click menu.
• MM/DD/YYYY HH:MM:SS — [Read-only] Displays the time stamp that indicates the last time that the page data was refreshed. To force a refresh, click Refresh.
• Status icon (first column) — [Read-only] Displays the status of the Secure Alerts Server the last time that the page data was refreshed: (red) indicates stopped; (green) indicates running. When the Secure Alerts Server is stopped, none of the alert and event activity that is sent by the firewalls is processed.
• Refresh — Force a refresh of the page.
• Name — [Read-only] Displays the status icon and the name that is assigned to the Secure Alerts Server. The status icon displays the status of the Secure Alerts Server the last time that the page data was refreshed: (red) indicates stopped; (green) indicates running. When the Secure Alerts Server is stopped, none of the alert and event activity that is sent by the firewalls is processed. The server name currently cannot be changed. The default name is Secure Alerts Server.
• Location — [Read-only] Displays the location of the Secure Alerts Server.
• Start Time — [Read-only] Displays a time stamp that indicates the time at which the Secure Alerts Server was started.
• Last Update — [Read-only] Displays a time stamp that indicates the last time that the Secure Alerts Server sent its status message to the Management Server.
• Status — [Read-only] Displays the current status of the Secure Alerts Server.
Secure Alerts Service History table
This table has the following fields and buttons:
Note: No history data is displayed if the Secure Alerts Server has never been stopped.
• Name — [Read-only] Displays the name that is assigned to the Secure Alerts Server.
• Location — [Read-only] Displays the location of the Secure Alerts Server.
• Start Time — [Read-only] Displays a time stamp that indicates the time at which the Secure Alerts Server was started.
• Stop Time — [Read-only] Displays a time stamp that indicates the last time that the Secure Alerts Server wrote to the database.

Firewall reports in the Reporting and Monitoring Tool
The Control Center Reporting and Monitoring Tool has an interface to request a wide variety of firewall-specific reports. Although some firewalls share similar reports, each firewall can generate unique reports that provide insight into its operation and configuration. There are currently more than 70 different reports that can be generated. Most of these reports are presented in Reporting on page 619.
11 Software Updates Tool

Contents
Software Updates Tool

Software Updates Tool
Use the Software Updates Tool to apply software and firmware updates to supported firewalls, and to store and manage the updates on the McAfee Firewall Enterprise Control Center Management Server. You can accomplish the following tasks by using the features and functions of the Software Updates Tool:
• Install updates — Determine the current version of software or firmware that is installed on each firewall; install, uninstall, or roll back an update; schedule an update action for a particular date and time; view the status of an update action; and view the history of previously completed update actions. For more information, see Installing software and firmware updates on page 697.
• Store updates — Download, manage, and store firewall software and firmware updates on the Management Server. Use the interface to identify the name of the update, the type of firewall to which the update applies, the release date, and its download status. You can also view an associated Readme file. For more information, see Storing software and firmware updates on page 709.
• Back up firewall configuration — Back up and restore configurations for selected firewalls. You can do this both here, in the Software Updates Tool, and in the Configuration Tool. Use the saved configuration files to restore a default firewall configuration, to maintain a version of a working configuration before you make any configuration changes, or to recover from an unexpected loss of firewall configuration data. When you are installing software updates, this feature is both a convenience and a precaution. For more information, see Backing up and restoring firewall configurations on page 704.
• Update settings — Enable the downloading of files by using a proxy server, configure auto-discovery settings for software updates, and control whether update packages that have been removed from the Management Server are displayed on the Store Updates page. For more information, see Configuring update download settings on page 692.
• Update Control Center — Upload software updates to the Control Center Management Server and then install them. For more information, see Downloading and applying Management Server updates on page 693.

Automatically identify updates
The Software Updates Tool can automatically check for new updates to the supported firewalls. Use the Update Settings window to configure the Software Updates Tool to automatically check for new updates each time that the tool is started. In addition, an option to manually download updates is available when the Store Updates page is displayed.

Supported firewalls
Currently, the Software Updates Tool provides software management support for McAfee Firewall Enterprise (Sidewinder) devices that are configured with software version 7.0.0.6 or later.
Configuring update download settings
Use the Update Settings window to configure settings to download software and firmware updates for supported firewalls. You may specify settings for the following features:
• Using a proxy server to download updates
• Using an auto-discovery process to identify and download available updates
• Displaying removed updates

Figure 302 Update Settings window

Accessing this window
In the Software Updates Tool, from the View menu, select Update Settings.

Fields and buttons
This window has the following fields and buttons:
• Proxy Server Settings — Use the fields in this area to determine whether a proxy server is used to connect to a specified download site.
  • Download Files Through a Proxy Server — Determines whether to connect to a download site through a proxy server. This checkbox is cleared by default. If you select this checkbox, the following fields are available:
    • Host — Specify the IP address or host name of the proxy server.
    • Port — Specify the port number of the proxy server.
• Auto-Discovery Settings — Use the fields in this area to identify the FTP or HTTP location from which the software and firmware updates are downloaded. If the FTP or HTTP auto-discovery site is not available to your Management Server and you want to configure an alternate location to use for the auto-discovery process, an auto-discovery file must be created by using a specific format. For more information, see Setting up an auto-discovery site on page 712.
  • Download Protocol — Specify the protocol that is used to transfer the updates from the auto-discovery location to the Management Server. The available values are FTP (default) and HTTP.
  • Download Site — Specify the host location from which the software and firmware updates are downloaded. Specify an IP address in dotted decimal format (for example, 168.26.232.1) or a fully qualified domain name (for example, the default value of ccupdate.securecomputing.com). If a non-standard port for the selected transfer protocol is used, annotate this entry with the port number in the following format: host:port.
  • Discovery File Path — Specify the path name to the auto-discovery file in the following format: dir/auto_discovery_file. The default value is: pub/commandcenter/autoDiscovery.xml
  • User Name — Specify the user name that is required to authenticate on the auto-discovery server. The default value for this field is anonymous.
  • Password — Specify the password that is required to authenticate on the auto-discovery server. The default value for this field is anonymous.
  • Auto-Discover New Updates on Startup — Determines whether to automatically check for new updates when the client application is started. This checkbox is selected by default.
• Store Update Settings — Use the fields in this area to determine whether updates that have been removed are displayed on the Store Updates page.
  • Show removed updates — Determines whether to display updates that have been removed from the Management Server. This checkbox is cleared by default.

Downloading and applying Management Server updates
Use the Control Center Update window to obtain and apply a signed software update to the Control Center Management Server. Software updates include signed epatches, hot fixes, and patches. An epatch is an update that is provided directly by engineering to a specific customer. A hot fix is a customer-driven update to the Management Server software between updates.
Note: If your Control Center Management Servers are running in High Availability (HA) mode, you must first stop the High Availability servers, then install the updates to the Control Center Management Server, and then restart the High Availability servers.
Updates are located at www.securecomputing.com/goto/updates. Update files can be downloaded directly to the Management Server by using FTP or HTTP, or they can be downloaded to the Microsoft Windows platform on which the Control Center Client Suite is installed and then uploaded to the Management Server.
Figure 303 Control Center Update window

Accessing this window
In the Software Updates Tool, from the View menu, select Control Center Update. The Control Center Update window is displayed.

Tabs
This window has the following tabs:
• Upload to Server — Upload a software update to the Management Server directly from the Client Suite platform or upload a software update from a remote location by using FTP or HTTP. For more information, see Control Center Update window: Upload to Server tab on page 694.
• Uploaded Packages — View the software updates that have been uploaded to the Control Center Management Server and apply the selected updates. For more information, see Control Center Update window: Uploaded Packages tab on page 696.

Control Center Update window: Upload to Server tab
Use the Upload to Server tab on the Control Center Update window to upload a software update to the Control Center Management Server directly from the Client Suite platform or upload a software update from a remote location by using FTP or HTTP. To view the fields on this tab, see Figure 303 on page 694.

Accessing this tab
1 In the Software Updates Tool, from the View menu, select Control Center Update. The Control Center Update window is displayed.
2 Make sure that the Upload to Server tab is selected.
Fields and buttons
This tab has the following fields and buttons:
• Upload to Server from Client — Determines whether to upload a software update file from the Client Suite platform to the Management Server. When you select this option, the following field and button are available:
  • Upload file — Specify the name of the software update file to be uploaded.
  • Browse — Perform a search on the current platform for the software update file.
• Upload to Server using FTP/HTTP — Determines whether to upload a specific software update file to the Management Server from a remote location.
• Upload — [Available only if Upload to Server using FTP/HTTP is selected] Use the fields in this area to specify the remote location from which to upload a specific software update file.
  • Protocol — [Required] Specify the protocol to use for transferring the software update file from the corporate site to the Management Server. The following values are available:
    • FTP — File Transfer Protocol
    • HTTP — Hypertext Transfer Protocol
    The default value is FTP.
  • Server — Specify the host name of the server from which the update is to be uploaded.
  • Port — Specify the port on the remote server to use for this upload.
  • Directory — Specify the path for the update file. You must define this path relative to the home directory of the Management Server user who is identified in the User name field. For example, if a user with a home directory of /home/username wants to download a file that is located on the Management Server at /var/tmp, the path is ../../var/tmp.
  • File — Specify the name of the software update file to be uploaded.
  • User name — [Applicable only if the value of the Protocol field is FTP] Specify the login name that was used to access the specified Management Server.
  • Password — [Applicable only if the value of the Protocol field is FTP] Specify the password that is associated with the login name that was used to access the specified Management Server. Data in this field is masked as it is specified.
• Upload — Upload the software update and close this window.
• Cancel — Close this window without saving any changes and without performing any upload.
Control Center Update window: Uploaded Packages tab
Use the Uploaded Packages tab on the Control Center Update window to view the software updates that have been uploaded and to select one of them to apply.

Figure 304 Control Center Update window: Uploaded Packages tab

Accessing this tab
1 In the Software Updates Tool, from the View menu, select Control Center Update. The Control Center Update window is displayed.
2 Select the Uploaded Packages tab.

Fields and buttons
This tab has the following fields and buttons:
• Patch — Displays the names of the software update packages that have been uploaded to the Management Server. The packages are sorted by the date on which they were added. Select the radio button that is associated with the patch that you want to apply. Only one patch can be selected.
• Build Number — [Read-only] Displays the build number of the software update package.
• Status — [Read-only] Displays the status of the associated software update packages. The following values can be displayed:
  • Pending — Indicates that there is an update that has been uploaded that needs to be applied.
  • Applied — Indicates that the update was successfully applied.
  • Failed — Indicates that the apply was started; however, it failed. You can re-apply the update.
  • Invalid — Indicates that the selected update cannot be installed over the currently applied hot fix, ePatch, or patch.
  • DependsOn — Indicates that the selected update has a dependency on another patch. It can be applied only after that patch has been applied.
  • Obsolete — Indicates that the selected update will make obsolete one of the components of the Control Center. This patch can be applied only from the command line by using the force (-f) command.
  Note: If the selected update makes more than one component obsolete, the status will be Invalid, not Obsolete.
• Date of last modification — [Read-only] Displays the date that the status of the patch was last updated.
• Log — If the value of the Status column is Applied or Failed, click Display Log to view the related log file. The Server Logs window is displayed, in which you can view the entire log file or a selected number of lines. For more information about this window, see Viewing Management Server logs on page 663.
• Apply — Apply the selected software update to the Management Server. If you select a package that has a Status value of Pending and click this button, the Management Server starts the selected software update and either logs you off of the client or reboots the machine. After the update has been applied, the value of the Status field is changed.
Note: A software update whose version number is higher than the current version of the Management Server cannot be selected or applied.
The Uploaded Packages tab verifies that the new update has a sequence number that is greater than the last update that was added. This ensures that an update is not installed if it is older than updates that are already on the machine. The following table shows the file name format of the patches:

Table 30 Tar file formats
Tar file name                                                  File type  Example
[release version - 5 digits]                                   Patch      40003.tar
[release version - 5 digits][E][sequence number - 2 digits]    ePatch     40003E01.tar
[release version - 5 digits][H][sequence number - 2 digits]    Hot fix    40003H01.tar

• Current server version — [Read-only] Displays the currently installed version of the Control Center Management Server software.
• Revalidate — Update the status of the package.

Installing software and firmware updates
Maintaining software and firmware updates to multiple firewalls in a heterogeneous environment can be a complex task. To provide the enterprise-class protection that is required by your security policies, installing and managing software and firmware updates to firewalls is not optional.
To help simplify the process, use the Control Center Software Updates Tool to manage software and firmware updates for supported firewalls that are being managed by the Control Center.
Before you begin to install the updates, you should back up the current configuration of the firewall that is going to be updated. To perform this activity, click (Firewall Configuration Backup) on the toolbar of the Software Updates Tool. For more information about this activity, see Backing up a firewall configuration on page 706 or Restoring a firewall configuration on page 707.
Use the table on the Install Updates page to:
• Determine the current software version that is installed on each supported firewall in the configuration.
• Identify firewalls that require updates.
• Select an update action to perform on selected firewalls. These actions include install, uninstall, and rollback.
• Select an available software or firmware update.
• Determine the status of the last applied update.
• View and select the update packages to be installed, uninstalled, or rolled back and view the historical data that is associated with previous update actions.
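As an added worked example for the Uploaded Packages tab and Table 30 above (illustrative code, not the product's own validation logic): the parser below recognizes the three patch file name forms from Table 30 and applies the two ordering checks the tab describes, rejecting an update whose release version is higher than the current server version and an ePatch or hot fix whose sequence number is not greater than the last one added for that release. It assumes the current server version is supplied in the same 5-digit form as the release field of the file name; the page does not say how the tab represents it internally.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# File-name grammar taken from Table 30: a 5-digit release version; for an ePatch
# or hot fix, an "E" or "H" marker followed by a 2-digit sequence number; then ".tar".
# A plain patch has neither marker nor sequence number.
PACKAGE_NAME = re.compile(r"^(?P<release>\d{5})(?:(?P<marker>[EH])(?P<seq>\d{2}))?\.tar$")

FILE_TYPES = {None: "Patch", "E": "ePatch", "H": "Hot fix"}


@dataclass(frozen=True)
class UpdatePackage:
    release: int     # the 5-digit release version, for example 40003
    file_type: str   # "Patch", "ePatch" or "Hot fix"
    seq: int         # sequence number; 0 for a plain patch, which carries none


def is_package_name(filename: str) -> bool:
    """True when the name matches one of the three Table 30 forms."""
    return PACKAGE_NAME.match(filename) is not None


def parse_package_name(filename: str) -> UpdatePackage:
    """Parse a Management Server update file name per Table 30, or raise ValueError."""
    m = PACKAGE_NAME.match(filename)
    if m is None:
        raise ValueError(f"not a Control Center update file name: {filename!r}")
    seq = int(m.group("seq")) if m.group("seq") is not None else 0
    return UpdatePackage(int(m.group("release")), FILE_TYPES[m.group("marker")], seq)


def check_applicable(filename: str, current_server_version: int,
                     last_added: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the two checks the Uploaded Packages tab describes before an update is applied.

    1. An update whose release version is higher than the current server version is rejected.
    2. An ePatch or hot fix must carry a sequence number greater than the last update of the
       same type that was added for that release, so an older update is never installed over
       a newer one.
    current_server_version is assumed to be the 5-digit release form (not stated on the page).
    Returns (ok, reason).
    """
    pkg = parse_package_name(filename)
    if pkg.release > current_server_version:
        return False, f"release {pkg.release} is newer than server version {current_server_version}"
    if last_added is not None:
        prev = parse_package_name(last_added)
        if (prev.release, prev.file_type) == (pkg.release, pkg.file_type) and pkg.seq <= prev.seq:
            return False, f"sequence {pkg.seq:02d} is not greater than the last added {prev.seq:02d}"
    return True, f"{pkg.file_type} {filename} may be applied"


if __name__ == "__main__":
    for name in ("40003.tar", "40003E01.tar", "40003H01.tar"):
        print(name, "->", parse_package_name(name))
    print(check_applicable("40003H02.tar", 40003, last_added="40003H01.tar"))
    print(check_applicable("40003H01.tar", 40003, last_added="40003H02.tar"))
    print(check_applicable("40004.tar", 40003))
```

The sequence check is scoped to updates of the same type and release, which is how the example reads Table 30: a hot fix numbered 01 and an ePatch numbered 05 for the same release are independent series. A name that does not match the grammar is rejected outright, which is the behaviour a defender wants for anything staged for installation on the Management Server.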
Figure 305 Install Updates page

Accessing this page
In the Software Updates Tool, from the View menu, select Install Updates.
or
In the Software Updates Tool, click (Install Updates) on the toolbar.

Fields and buttons
This page has the following table columns and buttons:
• (Checkbox) — Determines whether a row in the table is selected. When you select this checkbox, the Operations menu and related toolbar options are displayed for the selected firewall.
• (Status icon) — Identifies the current status of the associated firewall:
  • (Not Running) — This firewall is not currently running.
  • (Running) — This firewall is currently running.
  • (Unknown) — The operational status of this firewall is currently unknown.
  • (Waiting) — The firewall is starting or performing a task.
• Firewall type icon — Identifies the type of firewall that is associated with the row:
  • (McAfee Firewall Enterprise)
• Firewall — [Read-only] Displays the name of the firewall as defined when the firewall was configured.
• Version — [Read-only] Displays the software version that is currently installed on the associated firewall.
• Schedule Status — [Read-only] Displays the date and time for an action that has been scheduled. If a schedule is just being created, the field displays the status of the scheduling operation.
• Action — [Read-only] Displays the type of action to be performed. The following values are available:
  • Install — Indicates that a single software update is to be installed.
  • Install Multiple — Indicates that multiple software updates are to be installed.
  • Uninstall — Indicates that a single software update is to be uninstalled.
  • Uninstall Multiple — Indicates that multiple software updates are to be uninstalled.
  • Rollback — Indicates that the firewall is to be restored to a previous state. A rollback reverts the firewall to the state just prior to installation of the software update. This value is available only after installation of a package that cannot be uninstalled.
• Update — Specify the software update to install, uninstall, or roll back on the associated firewall. Click the down arrow to display all of the available updates. The following columns are displayed in this list:
  • Name — Displays the name of the software or firmware update and an icon to indicate the status of the update. The following icons are available:
    • (Not Downloaded) — This update has not been downloaded to the Management Server. If an update with this status is identified to be installed on one or more firewalls, it is downloaded onto the Management Server first and then installed.
    • (Downloaded) — This update has already been downloaded to the Management Server.
    • (In Progress) — This update is currently being downloaded to the Management Server.
  • Description — Displays a brief description of the software update.
Note: If multiple firewalls are selected (that is, multiple rows are highlighted), selecting an update in the Update field selects it for all applicable firewalls. If you then click Update Firewalls on the toolbar or on the Operations menu, the update is applied to every highlighted firewall to which it applies.
• Last Update — [Read-only] Displays the name of the last software update that was applied to the firewall by the Control Center.
• Update Status — [Read-only] Displays the status of the last update applied to the associated firewall by the Control Center. The following values are available:
  • In Progress — The update is in the process of being installed.
  • Completed — The update was installed successfully.
  • Failed — The update operation failed.
• Manage Firewall — Displays the Manage Firewall window, in which you can view and select the packages to be installed, uninstalled, or rolled back. You can also view a history of the update actions and status messages that the Control Center has recorded for the associated firewall.

When the Install Updates page is displayed, the following tools are available on the toolbar. They are also options on the Operations menu. For some of these actions you must first select the row or rows for the firewalls to which the action applies: select the checkbox in the first column, then select the tool or menu option.
• Update Firewalls — Perform the actions that you have specified on the firewalls that you have selected. You must already have selected an update action for every selected firewall before you can click this tool or menu option. If you try to update a firewall with an update that has not been downloaded to the Management Server, the update is first downloaded and saved on the Management Server and then installed on the applicable selected firewalls without any further action on your part.
Note: You cannot initiate a new update on a firewall while it has an update in the "In Progress" state.
• Schedule Firewalls — Displays the Schedule Firewall Actions window. Use this window to set a date and time to perform actions that are related to one or more firewalls. You can also remove a schedule.
• Clear Last Update — Clear the values of the Last Update and Update Status fields from the table. This information is not cleared from the Update History data. Use this tool or menu option when an update is stuck in the "In Progress" state. Clearing the fields only resets the values shown in the table; check the History tab of the Manage Firewall window for the actual result of the stuck operation before you retry the update.
• Update Firewall Status — Send a firewall status request to the selected firewalls. The resulting status is displayed as an icon in the status column at the left.
• Refresh Grid — Refresh the contents of this table.

Managing updates for a firewall
Use the Manage Firewall window to perform the following functions:
• View packages that are available for installation.
• View and select packages that can be uninstalled.
• Select a rollback action and view the package list after a rollback is done.
• View a history of the update operations and status messages that the Control Center has recorded for the associated firewall.
Figure 306 Manage Firewall window

Accessing this window
1 In the Software Updates Tool, from the View menu, select Install Updates.
or
In the Software Updates Tool, click (Install Updates) on the toolbar.
2 Click Manage Firewall in the row of the firewall to be managed. The Manage Firewall window is displayed.

Buttons
This window has the following buttons:
• Save — Save your changes, perform the selected actions, and close this window.
• Cancel — Close this window without saving your changes or performing any actions.

Tabs
This window has the following tabs:
• Packages — View and select software update packages that can be installed, uninstalled, or rolled back. For more information, see Manage Firewall window: Packages tab on page 701.
• History — View a historical listing of all of the update actions and status messages that the Control Center has recorded for the associated firewall. For more information, see Manage Firewall window: History tab on page 702.
Manage Firewall window: Packages tab
Use the Packages tab on the Manage Firewall window to view and select software update packages that can be installed, uninstalled, or rolled back. To view the fields on this tab, see Figure 306 on page 700.

Accessing this tab
1 In the Software Updates Tool, from the View menu, select Install Updates.
or
In the Software Updates Tool, click (Install Updates) on the toolbar.
2 Click Manage Firewall in the row of the firewall to be managed. The Manage Firewall window is displayed.
3 Make sure that the Packages tab is selected.

Fields and buttons
This tab has the following fields and buttons.
• Action — Specify the type of action to take for a selected update package. The information displayed on this tab varies according to the selected action. The following values are available:
  • Install — Select an associated update package for installation on the firewall. The following columns are displayed:
    • Package Name — Displays the name of an update package.
    • Reboot — Indicates whether installation of the associated update package requires the firewall to be rebooted.
    • Dependencies — Displays the names of packages that must already be installed or that must be installed together with the update package.
    • Obsoletes — Displays the names of packages that are rendered obsolete by the update package.
    • Uninstallable — Indicates whether the update package can be uninstalled.
    • Release Date — Displays the date when the update package was released.
    • Readme — Click View to display the Readme file that is associated with the update package.
  • Uninstall — Select an associated update package to be uninstalled from the firewall. The following columns are displayed:
    • Package Name — Displays the name of an update package.
    • Required By — Displays the names of packages that require the update package to be installed.
    • Reboot — Indicates whether uninstalling the associated update package requires the firewall to be rebooted.
    • Uninstallable — Indicates whether the update package can be uninstalled.
    • Description — Provides information about the update package.
  • Rollback — Restore a firewall to a previous state. The fields and buttons associated with this action are available only if a rollback is possible: a rollback can be performed only after a package that cannot be uninstalled has been installed. Consider the following before you perform a rollback:
    • A rollback reverts the firewall to its state just prior to installation of the update package.
    • Changes made to the firewall's configuration after the update package was installed are lost.
    • A rollback is a recommended recovery option only for a short period of time after package installation.
    • A rollback always requires that the firewall be rebooted.
  • Perform Rollback — [Available only if a rollback is possible] Determines whether a rollback operation is performed. This checkbox is cleared by default; select it to request a rollback.
    • Package Name — [Read-only] Displays the names of the packages to which the firewall system will be rolled back.
    • Status — [Read-only] Displays the date and time when the packages were installed or loaded on the firewall.

Manage Firewall window: History tab
Use the History tab on the Manage Firewall window to view a historical listing of all of the update actions and status messages that the Control Center has recorded for the associated firewall.

Figure 307 Manage Firewall window: History tab

Accessing this tab
1 In the Software Updates Tool, from the View menu, select Install Updates.
or
In the Software Updates Tool, click (Install Updates) on the toolbar.
2 Click Manage Firewall in the row of the firewall to be managed. The Manage Firewall window is displayed.
3 Select the History tab.

Fields and buttons
This tab has the following columns and buttons:
• Update Entry — [Read-only] Displays a description of the operation that was performed (for example, download of an update package, scheduling of a firewall action, installation of an update package, or completion of a rollback).
• Last Update Time — [Read-only] Displays the date and time at which the associated update operation was performed.
• Initiating User — [Read-only] Displays the name of the Control Center user who initiated the update operation.
• Status — [Read-only] Displays the status of the last update operation that the Control Center applied to the associated firewall. The following values are available:
  • In Progress — The update operation is in the process of being completed.
  • Completed — The update operation completed successfully.
  • Failed — The update operation failed.
• Details — Displays a window with the details of the update operation, such as the contents of an update installation log file.

Scheduling device software updates
Use the Schedule Device Actions window to set a date and time for performing the following update actions on supported firewalls:
• Install
• Uninstall
• Rollback
In addition to scheduling updates, you can perform these actions immediately, and you can unschedule previously scheduled actions.
Note: You can access this window only if you have selected at least one row in the table on the Install Updates page, and each selected row must have an update selected for it.

Figure 308 Schedule Device Actions window

Accessing this window
1 In the Software Updates Tool, from the View menu, select Install Updates.
or
In the Software Updates Tool, click (Install Updates) on the toolbar.
2 Make sure that you have selected at least one firewall and an action for it.
3 From the Operations menu, select Schedule Firewalls.
or
Click (Schedule Firewalls) in the toolbar.
The Schedule Device Actions window is displayed.
Fields and buttons
This window has the following fields and buttons:
• Schedule for — Specify the date and time at which to perform an install, uninstall, or rollback action on a firewall.
• Unschedule All — Determines whether to unschedule all of the actions that have been scheduled. By default, this checkbox is not selected.
• Perform Actions Now — Determines whether to perform the update actions immediately. If you select this checkbox, the actions are performed as soon as you click OK.
• Devices and Actions — Use this table to identify the firewalls and the action to be performed on each one. The following columns are displayed:
  • (Firewall type icon) — [Read-only] Denotes a McAfee Firewall Enterprise (Sidewinder), as indicated by the value of the Device Name field.
  • Device Name — [Read-only] Displays the fully qualified domain name (FQDN) of the firewall as it was configured on the Firewall window.
  • Version — [Read-only] Displays the version of the software that is currently installed on the associated firewall.
  • Action — [Read-only] Displays the action to be performed on the associated firewall.
  • Packages — [Read-only] Displays the names of the packages to which the associated action applies.
  • Current Schedule — [Read-only] Displays the date of any existing schedule that will be unscheduled. This field is empty if no schedule exists.
• OK — Save the changes that were made in this window.
• Cancel — Close this window without saving any changes.

Backing up and restoring firewall configurations
Use the Firewall Configuration Backup page to perform the following actions on the configuration file for a specified firewall:
• Retrieve a backup configuration file based on the current configuration of the selected firewall or firewalls and store it on the Management Server.
• Restore a backup firewall configuration file.
You can also use this page to keep a copy of a working configuration before you make configuration changes, or to recover from an unexpected loss of firewall configuration data. For the procedures, see:
• Backing up a firewall configuration on page 706
• Restoring a firewall configuration on page 707
Note: Save the current configuration of all firewalls before upgrading the software or firmware and before making changes to the configuration.
Figure 309 Firewall Configuration Backup page

Accessing this page
In the Software Updates Tool, click (Firewall Configuration Backup) on the toolbar.
or
In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Firewall Configuration Backup page is displayed.

Fields and buttons
The Firewall Configuration Backup page has the following tabs:
• Backup — Select one or more firewalls for which to create configuration backup files. For more information, see Firewall Configuration Backup page: Backup tab on page 705.
• Restore — Select a firewall and a specific backup configuration file to restore on that firewall. For more information, see Firewall Configuration Backup page: Restore tab on page 706.

Firewall Configuration Backup page: Backup tab
Use the fields on the Backup tab of the Firewall Configuration Backup page to select one or more firewalls for which to create configuration backup files. To view the fields on this tab, see Figure 309 on page 705.

Accessing this tab
If the Firewall Configuration Backup page is already displayed, make sure that the Backup tab is selected.
or
In the Software Updates Tool, click (Firewall Configuration Backup) on the toolbar.
or
In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Backup tab is displayed on the Firewall Configuration Backup page.
Fields and buttons:
• Firewall — Select one or more firewalls whose configuration is to be backed up.
• Description — [Read-only] Displays the description of the last backup that was performed on this firewall. For manual backups, this is the value specified on the Confirm Backup window. For more information, see Confirming a configuration backup of one or more firewalls on page 708.
• Last Backup Date — [Read-only] Displays the timestamp of the last time that the firewall was backed up.
• Last Backup By — [Read-only] For manual backups, displays the name of the Control Center user who initiated the backup. For other backups, this field is blank.
• Create Backup(s) — Begin the backup process by displaying the Confirm Backup window, in which you confirm your selections on the Backup tab. For more information about the Confirm Backup window, see Confirming a configuration backup of one or more firewalls on page 708.

Backing up a firewall configuration
1 In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Firewall Configuration Backup page is displayed in the work area.
2 Select the checkbox for each firewall whose configuration data you want to back up.
3 Click Create Backup(s) to store a backup copy of the firewall configuration for the selected firewalls on the Management Server. The Confirm Backup window is displayed.
4 Edit the description or accept the default value, then click OK to confirm the backup. A message is displayed, indicating that the request has been sent to the firewall. After the backup completes, the Description, Last Backup Date, and Last Backup By column values are updated on this tab.

Firewall Configuration Backup page: Restore tab
Use the Restore tab of the Firewall Configuration Backup page to select a firewall and restore its configuration. This tab lists all of the backups that have been saved for the selected firewall, whether created by a scheduled job or manually on the Backup tab of this page. Any firewall configuration backup can be deleted from this tab.
Note: Manual backups (for example, backups created on the Backup tab of this page) can be deleted only on the Restore tab. Scheduled and other backups are also subject to the retention policies that are configured on the Scheduled Backup tab of the scheduled job associated with each firewall.

Figure 310 Firewall Configuration Backup page: Restore tab
Accessing this tab
1 In the Software Updates Tool, click (Firewall Configuration Backup) on the toolbar.
or
In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Backup tab is displayed on the Firewall Configuration Backup page.
2 Select the Restore tab. The Restore tab on the Firewall Configuration Backup page is displayed.

Fields and buttons
This tab has the following fields and buttons:
• Firewall — Select the firewall that you want to restore from the list of available firewalls.
• Restore Backup — Restore the selected configuration backup to the selected firewall.
• Type — [Read-only] Displays the nature of the backup file. The following values are possible:
  • Manual — The configuration backup was performed on the Backup tab of the Firewall Configuration Backup page.
  • Scheduled — The configuration backup was performed by a scheduled job that was originally configured on the Scheduled Jobs window.
• Backup Date — [Read-only] Displays the date and time at which this backup was completed.
• Backup By — [Read-only] Displays the name of the user who created this backup. If the backup was created by a scheduled job, this field is empty.
• Restore Date — [Read-only] Displays the timestamp of the last time that the backup was restored to the firewall.
• Description — [Read-only] Displays the description of this configuration backup file.
• Delete — Click x (Delete) in the row to be deleted. The configuration backup file is deleted from the Management Server.

Restoring a firewall configuration
1 In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Firewall Configuration Backup page is displayed in the work area.
2 Select the Restore tab.
3 In the Firewall field, select the firewall to be restored.
4 In the table, select the row of the backup that you want to use for this restoration and click Restore Backup. A system warning is displayed, indicating that the restoration is about to occur, that the firewall will be rebooted, and that a policy mismatch can result. Because the firewall reboots and its restored configuration may no longer match the configuration held by the Control Center, perform the restore in a maintenance window and resolve any reported policy mismatch afterward.
5 Click OK. An information message is displayed, indicating that the restore request has been sent to the firewall. After the restore completes, the Restore Date column value is updated.
Confirming a configuration backup of one or more firewalls
Use the Confirm Backup window to add a description for the manual configuration backup file or files (one per selected firewall) that you are about to create. This window also serves as an additional confirmation that you want to continue with the backup process.

Figure 311 Confirm Backup window

Accessing this window
1 In the Software Updates Tool, click (Firewall Configuration Backup) on the toolbar.
or
In the Software Updates Tool, from the View menu, select Firewall Configuration Backup.
or
In the Configuration Tool, from the System menu, select Firewall Configuration Backup.
The Firewall Configuration Backup page is displayed.
2 On the Backup tab, select the firewall or firewalls for which you want to create configuration backup files and click Create Backup(s). The Confirm Backup window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Firewall — [Read-only] Displays, one per row, the name of each firewall that you selected on the Backup tab.
• Description — Specify a description for this backup file. The default value is Manual backup; you can edit this value as needed.
• OK — Displays a message indicating that this request has been sent to the firewall, or, if that message has been suppressed (see the Note below), closes the window.
Note: You can hide this confirmation message by selecting Never display this warning again.
• Cancel — Close this window and cancel the backup process.
Storing software and firmware updates
Use the Store Updates page to identify, store, and manage firewall software and firmware updates on the Management Server. As updates become available for the firewalls that are configured in your environment, they can be downloaded from the FTP or HTTP auto-discovery location and stored on the Management Server. Use the Store Updates page to manage the download status and availability of these updates.

There are two ways to identify when new updates are available:
• Automatically — The auto-discovery process runs when the Software Updates Tool is started. This feature is enabled by default on installation; it can be configured in the Update Settings window. For more information, see Configuring update download settings on page 692.
• Manually — With the Store Updates page displayed, click Check For Updates in the Software Updates Tool toolbar or select Check For Updates from the Operations menu.

The Store Updates page displays all of the identified updates for firewalls that have been defined in your configuration, along with the status of each update. The Status column displays the disposition of the update on the Management Server. You can:
• Determine whether the update is available on the Management Server.
• Download an update and store it on the Management Server.
• Check whether a download operation is still in progress or has failed.
• Check whether a previously downloaded update has been deleted from the Management Server.

If the status indicates that the update has not been downloaded, click Download Updates (on the toolbar or on the Operations menu) to store the update on the Management Server. Auto-discovered updates are downloaded from the auto-discovery location to the Management Server by using the parameters that are configured in the Update Settings window. You can also use the Manual Download window to download individual software and firmware updates to the Management Server from an alternate, user-defined location. If an FTP or HTTP auto-discovery site is not available to your Management Server, you can create an alternate location for the auto-discovery process. For more information, see Setting up an auto-discovery site on page 712. Because neither FTP nor plain HTTP protects the transferred packages from modification in transit, restrict the auto-discovery location to a server and network path that you trust, and review the readme of each package before you install it.

After the initial installation of the Control Center, the Software Updates Tool is automatically configured to use the auto-discovery process to check for new software and firmware updates each time the tool is started. (For more information about automatically searching for new updates on startup, see Configuring update download settings on page 692.) You can also check for updates at any time by clicking Check For Updates (on the toolbar or on the Operations menu).

Figure 312 Store Updates page

Accessing this page
In the Software Updates Tool, click (Store Updates) in the toolbar.
or
In the Software Updates Tool, from the View menu, select Store Updates.
The Store Updates page is displayed.
Fields and buttons
This page has the following table columns:
• Name — [Read-only] Displays the name of the software or firmware update.
• Description — [Read-only] Displays a brief description of the software update.
• Type — [Read-only] Displays the firewall type to which the update applies.
• Release Date — [Read-only] Displays the date on which the update was released.
• Status — [Read-only] Displays the status of the update on the Management Server. The following values are available:
  • Not Downloaded — The update has been identified but not downloaded.
  • Downloading onto Mgmt. Server — The update is currently being downloaded from its source to the Management Server.
  • Available on Mgmt. Server — The update has already been downloaded to the Management Server.
  • Download Failed — The download failed.
  • Unavailable — The update has been removed from the Management Server.
• Readme — Click this button to display the readme file that is associated with the selected stored update in the default text reader.

The following options are available as tools in the Software Updates Tool toolbar or as options on the Operations menu when the Store Updates page is displayed. For some of these options, you must first select one or more rows in the table to identify the updates to which the action applies. To select a row, click the far-left column to highlight the row. To highlight several rows at once, hold down Ctrl while you click.
• Check for Updates — Check for new updates from the defined auto-discovery location. For more information about configuring the auto-discovery settings, see Configuring update download settings on page 692.
• Download Updates — Download the associated update for each highlighted row from the location that is specified in the auto-discovery settings. For more information about configuring the auto-discovery settings, see Configuring update download settings on page 692.
• Restart Download — Restart the download process if a problem or failure occurs while an update package is being transferred from the location at which updates are stored to the Management Server.
• Remove Updates — Remove the associated update for each highlighted row from the Management Server. After an update has been removed from the Management Server, it is no longer displayed in the Store Updates table unless you have selected the Show removed updates checkbox in the Update Settings window.
• Manual Download — Specify how and where an update is to be downloaded from a location other than the auto-discovery location. Use this option to acquire an update and store it on the Management Server when there is no access to the McAfee FTP location. For more information, see Manually downloading software updates on page 711.
Manually downloading software updates
Use the Manual Download window to specify a location from which a specific update is to be downloaded.

Figure 313 Manual Download window

Accessing this window
In the Software Updates Tool, with the Store Updates page displayed, click (Manual Download) in the toolbar.
or
In the Software Updates Tool, with the Store Updates page displayed, select Manual Download from the Operations menu.
The Manual Download window is displayed.

Fields and buttons
This window has the following fields and buttons:
• Firewall Type — Specify the firewall type for the associated update.
• Protocol — Specify the protocol (FTP or HTTP) to be used to download the software or firmware update from the file server that you specify in the Server field.
• Server — Specify the file server from which the update is to be downloaded.
Note: If the source file server uses a non-standard port for the selected protocol, specify it in the form server:port, where server is the fully qualified domain name (FQDN) or IP address of the server and port is the non-standard port number for the selected protocol.
• Directory — Specify the directory on the file server in which the update file is stored.
Note: If you selected FTP in the Protocol field and the directory begins with a slash (/), the value is interpreted as an absolute path.
• File — Specify the name of the file to be downloaded.
• User Name — Specify the user name to be used for authentication.
• Password — Specify the password to be used for authentication. Neither FTP nor plain HTTP protects these credentials in transit, so use a dedicated account that has read-only access to the update directory.
• OK — Save these changes and download the identified update to the Management Server.
• Cancel — Close this window without downloading any data to the Management Server.
Setting up an auto-discovery site
If the FTP auto-discovery site is not available to your Management Server and you want to configure an alternate location for the auto-discovery process, you must create an auto-discovery file. This file must be in a specific XML format.

The auto-discovery file is an XML file that describes the update packages. The following example shows the structure and content of an auto-discovery file for a firewall:

  <?xml version="1.0" encoding="UTF-8" ?>
  <CCAutoDiscovery>
    <packageSidewinder name="70000t01">
      <Description>Install new OPS kernels</Description>
      <FilePath>SW/70000t01</FilePath>
      <ReleaseDate>02/27/2007</ReleaseDate>
      <Time>1172608996</Time>
      <OS>Sidewinder</OS>
      <Revision>7.0</Revision>
      <Version>7.0.0.00</Version>
      <Type>E-Patch</Type>
      <Flags>active uninstallable</Flags>
      <Requires>70000</Requires>
      <Readme>Install new OPS kernels and reboot</Readme>
    </packageSidewinder>
    <packageSidewinder name="70000t02">
      <Description>Depends on 70000t01; installs new OPS kernels</Description>
      <FilePath>SW/70000t02</FilePath>
      <ReleaseDate>02/27/2007</ReleaseDate>
      <Time>1172609006</Time>
      <OS>Sidewinder</OS>
      <Revision>7.0</Revision>
      <Version>7.0.0.00</Version>
      <Type>E-Patch</Type>
      <Flags>inactive</Flags>
      <Requires>70000t01</Requires>
      <Readme>Depends on 70000t01; installs new kernel</Readme>
    </packageSidewinder>
    ...
  </CCAutoDiscovery>

The tags that appear in the example file are described below:
• <Description> — Contains information about the update package.
• <FilePath> — Contains the relative path name of the update package.
• <ReleaseDate> — Contains the release date of the update package in MM/DD/YYYY format, where MM denotes the month, DD the day, and YYYY the year.
• <Time> — Contains the UNIX time stamp (seconds since the epoch) for the update package's build date.
  • 713. Software Updates Tool • <OS> — Contains the name of the operating system for the firewall. • <Revision> — Contains the release number for the main release (for example, 7.0). • <Version> — Contains the firewall version to which the update package is applicable (for example, 7.0.1). • <Type> — Contains the type of update package (for example, Patch, Hotfix, or E-Patch). • <Flags> — Contains one of the following values that indicates the status: active, active uninstallable, inactive. • <Requires> — Contains the names of other update packages on which this update package depends and that must be installed before this package or with this package. • <Readme> — Contains the text for the readme file. • <Obsoletes> — [Optional tag] Contains a wildcard value that is used to match the names of the packages that this update package will make obsolete. McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 713
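The following Python script is an added example, not McAfee code and not part of the original guide. It parses an auto-discovery file with the tag set described above, rejects malformed packages (missing tags, a bad ReleaseDate or Time, an unknown Flags value, or a FilePath that is absolute or climbs out of the update directory), computes an installation order that honours <Requires>, and resolves an <Obsoletes> wildcard. The sample feed is constructed for the example: it repeats the two packages from the guide and adds a hypothetical third package, 70000t03, that carries an <Obsoletes> tag. Three details are assumptions because the page does not specify them: the package name attribute is what <Requires> and <Obsoletes> refer to, multiple names in <Requires> are whitespace-separated, and the wildcard uses shell-style matching (fnmatch).

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

VALID_FLAGS = {"active", "active uninstallable", "inactive"}
REQUIRED_TAGS = ("Description", "FilePath", "ReleaseDate", "Time", "OS",
                 "Revision", "Version", "Type", "Flags", "Requires", "Readme")
DATE_RE = re.compile(r"^(0[1-9]|1[0-2])/(0[1-9]|[12][0-9]|3[01])/[0-9]{4}$")

# Constructed sample, not a real update feed: the two packages from the guide's
# example plus a hypothetical third one (70000t03) using the optional <Obsoletes> tag.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<CCAutoDiscovery>
  <packageSidewinder name="70000t01">
    <Description>Install new OPS kernels</Description><FilePath>SW/70000t01</FilePath>
    <ReleaseDate>02/27/2007</ReleaseDate><Time>1172608996</Time><OS>Sidewinder</OS>
    <Revision>7.0</Revision><Version>7.0.0.00</Version><Type>E-Patch</Type>
    <Flags>active uninstallable</Flags><Requires>70000</Requires>
    <Readme>Install new OPS kernels and reboot</Readme>
  </packageSidewinder>
  <packageSidewinder name="70000t02">
    <Description>Depends on 70000t01; installs new OPS kernels</Description>
    <FilePath>SW/70000t02</FilePath><ReleaseDate>02/27/2007</ReleaseDate>
    <Time>1172609006</Time><OS>Sidewinder</OS><Revision>7.0</Revision>
    <Version>7.0.0.00</Version><Type>E-Patch</Type><Flags>inactive</Flags>
    <Requires>70000t01</Requires><Readme>Depends on 70000t01; installs new kernel</Readme>
  </packageSidewinder>
  <packageSidewinder name="70000t03">
    <Description>Hypothetical roll-up of 70000t01 and 70000t02</Description>
    <FilePath>SW/70000t03</FilePath><ReleaseDate>03/15/2007</ReleaseDate>
    <Time>1173974400</Time><OS>Sidewinder</OS><Revision>7.0</Revision>
    <Version>7.0.0.00</Version><Type>E-Patch</Type><Flags>active</Flags>
    <Requires>70000</Requires><Readme>Replaces the t01 and t02 e-patches</Readme>
    <Obsoletes>70000t0*</Obsoletes>
  </packageSidewinder>
</CCAutoDiscovery>
"""


def parse_packages(xml_text):
    """Return {name: fields}; raise ValueError on the first malformed package."""
    # Stdlib ElementTree does not fetch external entities, so a hostile file cannot
    # make the parser contact other hosts; still size-limit the download in production.
    root = ET.fromstring(xml_text)
    if root.tag != "CCAutoDiscovery":
        raise ValueError(f"unexpected root element <{root.tag}>")
    packages = {}
    for pkg in root.findall("packageSidewinder"):
        name = pkg.get("name")
        if not name or name in packages:
            raise ValueError(f"missing or duplicate package name {name!r}")
        fields = {child.tag: (child.text or "").strip() for child in pkg}
        missing = [t for t in REQUIRED_TAGS if t not in fields]
        if missing:
            raise ValueError(f"{name}: missing tags {missing}")
        if not DATE_RE.match(fields["ReleaseDate"]):
            raise ValueError(f"{name}: ReleaseDate must be MM/DD/YYYY")
        if not fields["Time"].isdigit():
            raise ValueError(f"{name}: Time must be a UNIX timestamp")
        if fields["Flags"] not in VALID_FLAGS:
            raise ValueError(f"{name}: Flags must be one of {sorted(VALID_FLAGS)}")
        # FilePath is documented as relative; refuse anything that could escape the
        # update directory once it is joined to a base path.
        path = fields["FilePath"]
        if path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"{name}: FilePath {path!r} is not a safe relative path")
        # Assumption: several <Requires> names are separated by whitespace.
        fields["Requires"] = fields["Requires"].split()
        packages[name] = fields
    return packages


def install_order(packages, installed=frozenset()):
    """Order packages so each follows everything it requires (Kahn's algorithm).

    Requirements not described in the file (e.g. the base release 70000) must
    already be in `installed`; otherwise, or on a dependency cycle, raise.
    """
    pending, done, order = dict(packages), set(installed), []
    while pending:
        ready = sorted(n for n, f in pending.items()
                       if all(r in done for r in f["Requires"]))
        if not ready:
            unmet = {n: [r for r in f["Requires"] if r not in done]
                     for n, f in pending.items()}
            raise ValueError(f"unsatisfiable or cyclic requirements: {unmet}")
        order.append(ready[0])
        done.add(ready[0])
        del pending[ready[0]]
    return order


def obsoleted_by(packages, name):
    """Other package names matched by `name`'s <Obsoletes> wildcard.

    Shell-style matching via fnmatch is an assumption; the guide says only 'wildcard'.
    The package never obsoletes itself even if its own name matches the pattern.
    """
    pattern = packages[name].get("Obsoletes")
    if not pattern:
        return []
    return sorted(n for n in packages if n != name and fnmatch.fnmatchcase(n, pattern))


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_XML)
    print(install_order(pkgs, installed={"70000"}))  # ['70000t01', '70000t02', '70000t03']
    print(obsoleted_by(pkgs, "70000t03"))            # ['70000t01', '70000t02']
```

Run it as a pre-publish check on the file you are about to place on the alternate auto-discovery server: a missing tag, a malformed date or a requirement that nothing in the file or the already-installed base (here 70000) satisfies is reported before the Management Server ever reads the file. The FilePath check is deliberately stricter than the format requires; a relative path is what the tag is documented to hold, so anything else is a sign the file was edited by hand or tampered with in transit.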