McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles 5.
Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the McAfee website: http://www.mcafee.com/us/about/legal/license-agreements.
TABLE OF CONTENTS

INTRODUCTION
CHAPTER 1 Using SMC Documentation (page 9)
  How to Use This Guide
  Documentation Available
  Product Documentation
  Support Documentation
  System Requirements
  Supported Features
  Contact Information

CONFIGURING ENGINES
CHAPTER 7 Configuring Master Engines and Virtual IPS Engines (page 53)
  Configuration Overview
  Adding a Master Engine Element
  Adding Nodes to a Master Engine
  Adding a Virtual Resource Element
  Adding Physical Interfaces for Master Engines
  Adding VLAN Interfaces for Master Engines
  Adding IPv4 Addresses for Master Engines

UPGRADING
CHAPTER 12 Upgrading (page 113)
  Getting Started With Upgrading
  Configuration Overview
  Obtaining Installation Files
  Upgrading or Generating Licenses
  Upgrading Licenses Under One Proof Code
  Upgrading Licenses Under Multiple Proof Codes
  Installing Licenses
INTRODUCTION
In this section: Using SMC Documentation (page 9)

CHAPTER 1 USING SMC DOCUMENTATION
This chapter describes how to use the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles and lists other available documentation. It also provides directions for obtaining technical support and giving feedback.
How to Use This Guide
The McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles is intended for administrators who install the McAfee® Next Generation Firewall (NGFW) in the IPS and Layer 2 Firewall roles. It describes the installation step by step. The chapters in this guide are organized in the general order you should follow when installing the system.

Documentation Available
SMC documentation is divided into two main categories: Product Documentation and Support Documentation (page 12). Each SMC product has a separate set of manuals.

Product Documentation
The table below lists the available product documentation.
Table 1.2 Product Documentation
Guide: Reference Guide
Description: Explains the operation and features of the SMC comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area.

Support Documentation
The McAfee support documentation provides additional and late-breaking technical information. These technical documents support the SMC guide books, for example, by giving further examples on specific configuration scenarios. The latest technical documentation is available at http://www.stonesoft.com/en/customer_care/support/.

System Requirements
The certified platforms for running McAfee NGFW engine software can be found at the product pages at http://www.stonesoft.
PREPARING FOR INSTALLATION
In this section: Planning the Installation (page 15), Installing Licenses (page 23), Configuring NAT Addresses (page 27)

CHAPTER 2 PLANNING THE INSTALLATION
This chapter provides important information to take into account before the installation can begin. The chapter also includes an overview of the installation process.
Introduction to McAfee IPS and Layer 2 Firewall
A McAfee IPS or Layer 2 Firewall system consists of the McAfee Security Management Center (SMC) and one or more IPS engines and/or Layer 2 Firewall engines, and one or more Master Engines, Virtual IPS engines and/or Virtual Layer 2 Firewall engines. IPS engines, Layer 2 Firewalls, Virtual IPS engines, and Virtual Layer 2 Firewalls pick up network traffic, inspect it, and create event data for further processing by the Log Server.
Table 2.1 Installation Modes for IPS Engines and Layer 2 Firewalls (Continued)
NGFW Role: Layer 2 Firewall (cont.)
Mode: Passive Inline
Description: In a passive inline installation, the traffic flows through the Layer 2 Firewall, but the Layer 2 Firewall is configured to only log connections. A Layer 2 Firewall in Passive Firewall mode can send blacklisting requests to other Layer 2 Firewalls, IPS engines, or Firewalls, but it cannot enforce blacklisting requests from other components.

Overview to the Installation Procedure
1. Check the surrounding network environment as explained in Capture Interfaces (page 19).
2. Install licenses for the engines. See Installing Licenses (page 23).
3. If network address translation (NAT) is applied to communications between SMC components and the engines, define Contact Addresses. See Configuring NAT Addresses (page 27).
4. Define the IPS and/or Layer 2 Firewall element(s) in the Management Client.

Important to Know Before Installation
Before you start the installation, you need to carefully plan the site that you are going to install. Consult the McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles if you need more detailed background information on the operation of the system than what is offered in this chapter.

Supported Platforms
IPS engines and Layer 2 Firewalls can be run on the following general types of platforms:
• Purpose-built McAfee NGFW appliances.
Switch SPAN Ports
A Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined port on a switch. This is also known as port mirroring. The capturing is done passively, so it does not interfere with the traffic. An IPS engine’s or Layer 2 Firewall’s Capture Interface can be connected directly to a SPAN port of a switch. All the traffic to be monitored must be copied to this SPAN port.

[Illustration 2.2 Correct Cable Types for Single Layer 2 Firewalls: a Single Layer 2 Firewall connected to switches with straight cables and to a host/firewall with a crossover cable.]
For more information on cabling for IPS engines and Layer 2 Firewalls, see the McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles.

Speed And Duplex
Mismatched speed and duplex settings are a frequent source of networking problems.
CHAPTER 3 INSTALLING LICENSES
This chapter explains how to generate and install licenses for IPS engines, Layer 2 Firewalls, and Master Engines.

Getting Started with IPS and Layer 2 Firewall Licenses
Each IPS engine, Layer 2 Firewall, and Master Engine must have its own license. IPS engines may use a Security Engine Node license or an IPS-specific license. Layer 2 Firewalls and Master Engines always use a Security Engine Node license. The correct type of license for each engine is generated based on your Management Server proof-of-license (POL) code or the appliance proof-of-serial (POS) code.

Configuration Overview
The following steps are needed for installing licenses for IPS engines, Layer 2 Firewall engines, and Master Engines.
1. Generate the licenses. See Generating New Licenses.
2. Install the licenses in the Management Client. See Installing Licenses (page 26).

Generating New Licenses
You generate the licenses based on your Management Server POL code, or the appliance POS code. Evaluation licenses are also available.
Note – Evaluation license requests may need manual processing.

Installing Licenses
To install licenses, the license files must be available to the computer you use to run the Management Client.
Note – You can install all of the licenses even though you have not yet defined all the elements the licenses will be bound to.
To install licenses
1. Select File→System Tools→Install Licenses.
2. Select one or more license files in the dialog that opens and click Install.
To check that the licenses were installed correctly
1.
CHAPTER 4 CONFIGURING NAT ADDRESSES
This chapter contains the steps needed to configure Locations and contact addresses when a NAT (network address translation) operation is applied to the communications between the Security Engine and other SMC components.

Getting Started with NAT Addresses
If there is network address translation (NAT) between communicating SMC components, the translated IP address may have to be defined for system communications. All communications between the SMC components are presented as a table in Default Communication Ports (page 149). You use Location elements to configure SMC components for NAT. There is a Default Location to which all elements belong if you do not assign them a specific Location.

Configuration Overview
To add contact addresses, proceed as follows:
1. Define Location element(s). See Defining Locations.
2. Define contact addresses for the Management Server and Log Server(s). See Adding SMC Server Contact Addresses (page 30).
3. Select the correct Location for the engines when you create the IPS and Layer 2 Firewall elements. See Defining IPS Engines (page 33) and Defining Layer 2 Firewalls (page 43).

Adding SMC Server Contact Addresses
The Management Server and the Log Server can have more than one contact address for each Location. This allows you, for example, to define a contact address for each Internet link in a Multi-Link configuration for remotely managed components.
To define the Management Server and Log Server contact addresses
1. Select Configuration→Configuration→Security Engine. The Security Engine Configuration view opens.
2. Expand the Network Elements branch and select Servers.
3.
CONFIGURING ENGINES
In this section: Defining IPS Engines (page 33), Defining Layer 2 Firewalls (page 43), Configuring Master Engines and Virtual IPS Engines (page 53), Configuring Master Engines and Virtual Layer 2 Firewalls (page 67), Saving the Initial Configuration (page 83), Configuring Routing and Installing Policies (page 89)

CHAPTER 5 DEFINING IPS ENGINES
This chapter contains the steps needed to complete the IPS engine configuration that prepares the SMC for IPS engine installation. Very little configuration is done directly on the engines. Most of the configuration is done using the Management Client, so the engines cannot be successfully installed before defining them in the SMC as outlined in this chapter.

Getting Started with Defining IPS Engines
The IPS engine elements are a tool for configuring nearly all aspects of your physical IPS components. An important part of the IPS engine elements are the interface definitions. There are two main categories of IPS engine interfaces:
• Interfaces for system communications. These are used when the IPS engine is the source or the final destination of the communications (for example, in system communications between the IPS engine and the Management Server).

Defining System Communication Interfaces for IPS Engines
Each IPS engine needs at least one interface for communicating with other SMC components. More than one system communication interface can be added to provide a primary and a backup interface for Management Server communications.

Defining Physical Interfaces
To define a Physical Interface
1. Switch to the Interfaces tab.
2. Right-click and select New Physical Interface. The Physical Interface Properties dialog opens.
3. Select the Interface ID.
4.

Defining IP Addresses
To define an IP address for a single IPS
1. Right-click a Physical Interface or a VLAN Interface and select New→IPv4 Address. The IP Address Properties dialog opens.
2. Configure the IP address information.
• Enter the IPv4 Address and Network Settings to define a static IP address.
• Select the Dynamic option (top right) and the DHCP index if the interface gets its IP address from a DHCP server.

Setting Interface Options for IPS Engines
Interface options allow you to select which interfaces are used for which types of system communications.
To set the Interface Options
1. Click Options. The Interface Options dialog opens.
2. Select the Primary Control IP address for communications with the Management Server.
3. (Optional) Select a Backup Control IP address for Management Server contact (used if the Primary fails).
4.
Defining Traffic Inspection Interfaces for IPS Engines
IPS engines pick up passing network traffic for inspection in real time. The traffic can either be captured for inspection through the engine’s Capture Interfaces, or it can be inspected as it flows through the engine’s Inline Interfaces. You can define both Capture Interfaces and Inline Interfaces for the same IPS engine. An IPS engine can actively filter only traffic that attempts to pass through its Inline Interfaces.

Defining Logical Interfaces
A Logical Interface is used in the IPS policies and the traffic inspection process to represent a network segment. The SMC contains one default Logical Interface. A Logical Interface can represent any number or combination of interfaces and VLAN Interfaces, except that the same Logical Interface cannot be used to represent both Capture Interfaces and Inline Interfaces on the same IPS engine. The rules in the ready-made IPS Template match all Logical Interfaces.

Defining Reset Interfaces
Reset Interfaces can deliver TCP resets and ICMP “destination unreachable” messages to interrupt communications picked up from Capture Interfaces when the communications trigger a response. VLANs are supported for sending resets, but the correct VLAN is selected automatically. An interface you want to use as the Reset Interface must not have any manually added VLAN configuration.
Repeat these steps to define any additional Capture Interfaces.
What’s Next?
To define Inline Interfaces, proceed to Defining Inline Interfaces. To define how an inline IPS engine handles traffic when the traffic load is too high, proceed to Bypassing Traffic on Overload (page 42). Otherwise, proceed to Finishing the Engine Configuration (page 42).

Defining Inline Interfaces
The number of Inline Interfaces you can have is limited by the license in use.

Bypassing Traffic on Overload
By default, inline IPS engines inspect all connections. If the traffic load is too high for the inline IPS engine to inspect all the connections, some traffic may be dropped. Alternatively, inline IPS engines can dynamically reduce the number of inspected connections if the load is too high. This can improve performance in evaluation environments, but some traffic may pass through without any access control or inspection.
CHAPTER 6 DEFINING LAYER 2 FIREWALLS
This chapter contains the steps needed to complete the Layer 2 Firewall engine configuration that prepares the SMC for a McAfee Layer 2 Firewall engine installation. Very little configuration is done directly on the engines. Most of the configuration is done using the Management Client, so the engines cannot be successfully installed before defining them in the SMC as outlined in this chapter.

Getting Started with Defining Layer 2 Firewalls
The Layer 2 Firewall engine elements are a tool for configuring nearly all aspects of your physical Layer 2 Firewall components. An important part of the Layer 2 Firewall engine elements are the interface definitions. There are three main categories of Layer 2 Firewall engine interfaces:
• Normal Interfaces for system communications.

Defining System Communication Interfaces for Layer 2 Firewall Engines
Each Layer 2 Firewall engine needs at least one interface for communicating with other SMC components. More than one system communication interface can be added to provide a primary and a backup interface for Management Server communications.

Defining Physical Interfaces
To define a Physical Interface
1. Switch to the Interfaces tab.
2. Right-click and select New Physical Interface. The Physical Interface Properties dialog opens.
3.

Defining IP Addresses
To define an IP address for a Single Layer 2 Firewall
1. Right-click a Physical Interface or a VLAN Interface and select New→IPv4 Address. The IP Address Properties dialog opens.
2. Configure the IP address information.
• Enter the IPv4 Address and Network Settings to define a static IP address.
• Select the Dynamic option (top right) and the DHCP index if the interface gets its IP address from a DHCP server.

Setting Interface Options for Layer 2 Firewall Engines
Interface options allow you to select which interfaces are used for which types of system communications.
To set the Interface Options
1. Click Options. The Interface Options dialog opens.
2. Select the Primary Control IP address for communications with the Management Server.
3. (Optional) Select a Backup Control IP address for Management Server contact (used if the Primary fails).
4.
Defining Traffic Inspection Interfaces for Layer 2 Firewall Engines
Layer 2 Firewalls pick up passing network traffic for inspection in real time. The traffic can either be captured for inspection through the engine’s Capture Interfaces, or it can be inspected as it flows through the engine’s Inline Interfaces. You can define both Capture Interfaces and Inline Interfaces for the same Layer 2 Firewall. A Layer 2 Firewall can actively filter only traffic that attempts to pass through its Inline Interfaces.

6. Click OK.
Repeat these steps to define any additional Logical Interfaces.
What’s Next?
If you want to use Reset Interfaces together with Capture Interfaces, define the Reset Interfaces first. Proceed to Defining Reset Interfaces. To define Capture Interfaces, proceed to Defining Capture Interfaces (page 50). To define Inline Interfaces, proceed to Defining Inline Interfaces (page 51).

Defining Capture Interfaces
Capture Interfaces listen to traffic that is not routed through the Layer 2 Firewall. You can have as many Capture Interfaces as there are available physical ports on the Layer 2 Firewall (there are no license restrictions regarding this interface type). External equipment must be set up to mirror traffic to the Capture Interface. You can connect a Capture Interface to a switch SPAN port. For more information, see Capture Interfaces (page 19).
To define a Capture Interface
1.

Defining Inline Interfaces
The number of Inline Interfaces you can have is limited by the license in use. One Inline Interface always comprises two Physical Interfaces, as the traffic is forwarded from one interface to the other. The allowed traffic passes through as if it was going through a network cable. The traffic you want to stop is dropped by the Layer 2 Firewall.
CHAPTER 7 CONFIGURING MASTER ENGINES AND VIRTUAL IPS ENGINES
This chapter contains the steps needed to complete the Master Engine and Virtual IPS engine configuration that prepares the SMC for a Master Engine and Virtual IPS engine installation. Very little configuration is done directly on the Master Engine. No installation or configuration is done on the Virtual IPS engines.

Configuration Overview
Virtual IPS engines are logically separate Virtual Security Engines that run as virtual engine instances on a physical engine device. A Master Engine is a physical engine device that provides resources for Virtual IPS engines. One physical Master Engine can support multiple Virtual IPS engines. Each Master Engine can support one Virtual Security Engine role (Firewall/VPN, IPS, or Layer 2 Firewall).

Adding a Master Engine Element
To introduce a new Master Engine to the SMC, you must define a Master Engine element that stores the configuration information related to the Master Engine and Virtual IPS engines. This section covers the basic configuration of a Master Engine element. For information on all the options, see the McAfee SMC Administrator’s Guide or the Management Client Online Help.
To create a Master Engine element
1. Select Configuration→Configuration→Security Engine.

Adding Nodes to a Master Engine
The Master Engine properties have placeholders for two nodes when the element is created. A Master Engine can have up to 16 nodes. Add all the nodes you plan to install before you begin configuring the interfaces.
To add a node to a Master Engine
1. Click Add Node. The Engine Node Properties dialog opens.
2. (Optional) Modify the Name.
3. Click OK. The node is added to the Master Engine.
Adding Physical Interfaces for Master Engines
Master Engines can have two types of Physical Interfaces: interfaces for the Master Engine’s own communications, and interfaces that are used by the Virtual IPS engines hosted on the Master Engine. Physical Interfaces that are used for the Master Engine’s own communications must be defined as Normal Interfaces. Physical Interfaces that are used for hosted Virtual IPS communications must be defined as Capture or Inline Interfaces.

4. (Interface for hosted Virtual IPS engine communications only) Define the Physical Interface properties as explained in the table below.
Table 7.2 Physical Interface Properties for Hosted Virtual IPS Engine Communications
Option: Interface ID
Explanation: The Interface ID automatically maps to a Physical Interface of the same number during the initial configuration of the engine, but the mapping can be changed as necessary through the engine's command line interface.

Table 7.2 Physical Interface Properties for Hosted Virtual IPS Engine Communications (Continued)
Option: Virtual Engine Interface ID
Explanation: Select the Interface ID of the Physical Interface in the Virtual IPS engine that is associated with this interface.
Option: Second Interface ID (Inline Interface only)
Explanation: Select the second Interface ID of the Inline Interface in the Virtual IPS engine that is associated with this interface.
Adding VLAN Interfaces for Master Engines
VLANs divide a single physical network link into several virtual links. The maximum number of VLANs for a single Physical Interface is 4094. The VLANs must also be defined in the configuration of the switch/router to which the interface is connected. Master Engines can have two types of VLAN Interfaces: interfaces for the Master Engine’s own communications, and interfaces that are used by the Virtual IPS engines hosted on the Master Engine.

Table 7.4 VLAN Interface Properties for Hosted Virtual IPS Engine Communications (Continued)
Option: Second VLAN ID (Optional, only if Physical Interface Type is Inline Interface)
Explanation: Enter a Second VLAN ID for the Inline Interface if you want to remap the Inline Interface. By default, this value is inherited from the first VLAN ID. We recommend that you keep the default value if you do not have a specific reason to change it.
Option: Virtual Resource
Explanation: The Virtual Resource associated with the interface.

5. Repeat from Step 2 to add further VLANs on the same or other Physical Interfaces.
What’s Next?
Add IP addresses to the VLAN Interfaces used for Master Engine communications as instructed in Adding IPv4 Addresses for Master Engines.

Adding IPv4 Addresses for Master Engines
You can add several IPv4 addresses to each Physical Interface that has been defined as a Normal Interface. You must add at least one IPv4 address to at least one Normal Interface.
To add IPv4 addresses for a Master Engine
1.

Setting Global Interface Options for Master Engines
The Interface Options dialog contains the settings for selecting which IP addresses are used in particular roles in system communications (for example, in communications between the Master Engine and the Management Server). Only IPv4 addresses are used in system communications.
To set global interface options for a Master Engine
1. Click Options. The Interface Options dialog opens.
2. Select the interface options as explained in the table below. Table 7.

4. Click OK to close the Master Engine Properties. A Confirmation dialog opens. Click No.
What’s Next?
Adding a Virtual IPS Engine Element (page 64)

Adding a Virtual IPS Engine Element
This section covers the basic configuration of a Virtual IPS engine element. For information on all the options, see the McAfee SMC Administrator’s Guide or the Management Client Online Help.
To create a Virtual IPS engine element
1. Select Configuration→Configuration→Security Engine.
Configuring Physical Interfaces for Virtual IPS Engines
Physical Interfaces for Virtual IPS engines represent interfaces allocated to the Virtual IPS engine in the Master Engine. When you select the Virtual Resource for the Virtual IPS engine, Physical Interfaces are automatically created based on the interface configuration in the Master Engine properties. The number of Physical Interfaces depends on the number of interfaces allocated to the Virtual IPS engine in the Master Engine.

4. If your configuration requires you to change the Logical Interface from Default_Eth, select the Logical Interface in one of the following ways:
• Select an existing Logical Interface from the list.
• Select Other and browse to another Logical Interface.
• Select New to create a new Logical Interface.
5. (Optional, only if Physical Interface Type is Inline Interface) Enter a VLAN ID for the Second Interface in the Inline Interface if you want to remap the Inline Interface.
CHAPTER 8 CONFIGURING MASTER ENGINES AND VIRTUAL LAYER 2 FIREWALLS
This chapter contains the steps needed to complete the Master Engine and Virtual Layer 2 Firewall configuration that prepares the Security Management Center for a Master Engine and Virtual Layer 2 Firewall installation. Very little configuration is done directly on the Master Engine. No installation or configuration is done on the Virtual Layer 2 Firewalls.

Configuration Overview
Virtual Layer 2 Firewalls are logically separate Virtual Security Engines that run as virtual engine instances on a physical engine device. A Master Engine is a physical engine device that provides resources for Virtual Security Engines. One physical Master Engine can support multiple Virtual Layer 2 Firewalls. Each Master Engine can support one Virtual Security Engine role (Firewall/VPN, IPS, or Layer 2 Firewall).

Adding a Master Engine Element
To introduce a new Master Engine to the SMC, you must define a Master Engine element that stores the configuration information related to the Master Engine and Virtual Layer 2 Firewalls. This section covers the basic configuration of a Master Engine element. For information on all the options, see the McAfee SMC Administrator’s Guide or the Management Client Online Help.
To create a Master Engine element
1. Select Configuration→Configuration→Security Engine.

Adding Nodes to a Master Engine
The Master Engine properties have placeholders for two nodes when the element is created. A Master Engine can have up to 16 nodes. Add all the nodes you plan to install before you begin configuring the interfaces.
To add a node to a Master Engine
1. Click Add Node. The Engine Node Properties dialog opens.
2. (Optional) Modify the Name.
3. Click OK. The node is added to the Master Engine.
Adding Physical Interfaces for Master Engines
Master Engines can have two types of Physical Interfaces: interfaces for the Master Engine’s own communications, and interfaces that are used by the Virtual Layer 2 Firewalls hosted on the Master Engine. Physical Interfaces that are used for the Master Engine’s own communications must be defined as Normal Interfaces. Physical Interfaces that are used for hosted Virtual Layer 2 Firewall communications must be defined as Inline or Capture Interfaces.

4. (Interface for Hosted Virtual Layer 2 Firewall communications only) Define the Physical Interface properties as explained in the table below.
Table 8.2 Physical Interface Properties for Hosted Virtual Layer 2 Firewall Communications
Option: Interface ID
Explanation: The Interface ID automatically maps to a Physical Interface of the same number during the initial configuration of the engine, but the mapping can be changed as necessary through the engine’s command line interface.

Table 8.2 Physical Interface Properties for Hosted Virtual Layer 2 Firewall Communications (Continued)
Option: MTU (Optional)
Explanation: The MTU (maximum transmission unit) size for Virtual Layer 2 Firewalls that use this interface. Either enter a value between 400 and 65535 or select a common MTU value from the list. The default value (also the maximum standard MTU in Ethernet) is 1500.
Adding VLAN Interfaces for Master Engines
VLANs divide a single physical network link into several virtual links. The maximum number of VLANs for a single Physical Interface is 4094. The VLANs must also be defined in the configuration of the switch/router to which the interface is connected. Master Engines can have two types of VLAN Interfaces: interfaces for the Master Engine’s own communications, and interfaces that are used by the Virtual Layer 2 Firewalls hosted on the Master Engine.

Table 8.4 VLAN Interface Properties for Hosted Virtual Layer 2 Firewall Communications (Continued)
Option: Second VLAN ID (Optional, only if Physical Interface Type is Inline Interface)
Explanation: Enter a Second VLAN ID for the Inline Interface if you want to remap the Inline Interface. By default, this value is inherited from the first VLAN ID. We recommend that you keep the default value if you do not have a specific reason to change it.

5. Repeat from Step 2 to add further VLANs on the same or other Physical Interfaces.
What’s Next?
Add IP addresses to the VLAN Interfaces used for Master Engine communications as instructed in Adding IPv4 Addresses for Master Engines.

Adding IPv4 Addresses for Master Engines
You can add several IPv4 addresses to each Physical Interface that has been defined as a Normal Interface. You must add at least one IPv4 address to at least one Normal Interface.
To add IPv4 addresses for a Master Engine
1.

Setting Global Interface Options for Master Engines
The Interface Options dialog contains the settings for selecting which IP addresses are used in particular roles in system communications (for example, in communications between the Master Engine and the Management Server). Only IPv4 addresses are used in system communications.
To set global interface options for a Master Engine
1. Click Options. The Interface Options dialog opens.
2. Select the interface options as explained in the table below. Table 8.

4. Click OK to close the Master Engine Properties. A Confirmation dialog opens. Click No.
What’s Next?
Adding a Virtual Layer 2 Firewall Element

Adding a Virtual Layer 2 Firewall Element
This section covers the basic configuration of a Virtual Layer 2 Firewall. For information on all the options, see the McAfee SMC Administrator’s Guide or the Management Client Online Help.
To create a Virtual Layer 2 Firewall element
1. Select Configuration→Configuration→Security Engine.
Configuring Physical Interfaces for Virtual Layer 2 Firewalls Physical Interfaces for Virtual Layer 2 Firewalls represent interfaces allocated to the Virtual Layer 2 Firewall in the Master Engine. When you select the Virtual Resource for the Virtual Layer 2 Firewall, Physical Interfaces are automatically created based on the interface configuration in the Master Engine properties.
Adding VLAN Interfaces for Virtual Layer 2 Firewalls VLAN Interfaces can only be added for Virtual Layer 2 Firewalls if the creation of VLAN Interfaces for Virtual Layer 2 Firewalls is enabled in the Master Engine Properties. VLANs divide a single physical network link into several virtual links. The maximum number of VLANs for a single Physical Interface is 4094. The VLANs must also be defined in the configuration of the switch/ router to which the interface is connected.
Binding Engine Licenses to Correct Elements Licenses are created based on the Management Server’s proof-of-license (POL) code or based on the appliance's proof-of-serial (POS) code. You must manually bind Management Server POLbound licenses to a specific Master Engine element. POS-bound appliance licenses are automatically bound to the correct Master Engine element when the engine is fully installed. Virtual Layer 2 Firewalls do not require a separate license.
CHAPTER 9 SAVING THE INITIAL CONFIGURATION

This chapter explains how to save an IPS, Layer 2 Firewall, or Master Engine element configuration in the Security Management Center and how to transfer it to the physical engines. No initial configuration is needed for Virtual IPS engines or Virtual Layer 2 Firewalls.
Configuration Overview

Once you have configured the IPS, Layer 2 Firewall, or Master Engine elements in the Management Client, you must transfer the configuration information to the physical engines. You must complete the following steps:
1. Save the initial configuration in the Management Client. See Saving the Initial Configuration.
2. Transfer the initial configuration to the physical engines. See Transferring the Initial Configuration to the Engines (page 87).
Preparing for Automatic Configuration

To prepare for automatic configuration
1. (Optional) Select Enable SSH Daemon to allow remote access to the engine command line.
• Enabling SSH in the initial configuration gives you remote command line access in case the configuration is imported correctly, but the engine fails to establish contact with the Management Server.
• Once the engine is fully configured, SSH access can be set on or off using the Management Client.
Preparing for Configuration Using the Engine Configuration Wizard

To prepare for configuration using the Engine Configuration Wizard
1. If you plan to enter the information manually, write down or copy the One-Time Password for each engine. Keep track of which password belongs to which engine node.
2. If you plan to enter the information manually, write down or copy the Management Server Addresses.
3.
Transferring the Initial Configuration to the Engines

You are now ready to install the engine(s). The initial configuration is transferred to the engines during the installation.

What’s Next? If you have a McAfee NGFW appliance, see the installation and initial configuration instructions in the Appliance Installation Guide that was delivered with the appliance.
CHAPTER 10 CONFIGURING ROUTING AND INSTALLING POLICIES

After successfully installing the engines and establishing contact between the engine(s) and the Management Server, the engines are left in the initial configuration state. Now you must define basic routing and policies to be able to use the engines to inspect traffic. Both of these tasks are done using the Management Client.
Configuring Routing

Routing is configured entirely through the Management Client. The routing information for IPS engines and Layer 2 Firewalls is only used for system communications. The inspected traffic is not routed. Inline Interfaces are always fixed as port pairs; traffic that enters through one port is automatically forwarded to the other port. Most often only one or two simple tasks are needed to define routing information for IPS and Layer 2 Firewall elements:
• Define the default route.
Adding Next-Hop Routers

You may need to define a default route in case the SMC (Management Servers and Log Servers) and other SMC components are not located on a directly connected network. Other routes may be needed in addition to the default route if one or more SMC components are not directly connected and cannot be reached through the default gateway.
Installing the Initial Policy

To be able to inspect traffic, the engines must have a policy installed on them. Installing one of the predefined policies provides an easy way to begin using the system. You can then fine-tune the system as needed. The following table describes the default policy elements for IPS and Layer 2 Firewall engines.
Table 10.
Table 10.1 Default Policy Elements for IPS and Layer 2 Firewall Engines (Continued)
Default Element Name: Description
No Inspection Policy: An Inspection Policy with a set of Inspection rules that do not enforce inspection.
Medium-Security Inspection Policy: An Inspection Policy with a set of Inspection rules for detecting common threats. The Medium-Security Inspection Policy logs Situations categorized as Suspected Attacks but allows the traffic to pass.
To install a ready-made policy
1. Select Configuration→Configuration→Security Engine. The Security Engine Configuration view opens.
2. Expand the Policies branch and select IPS Policies or Layer 2 Firewall Policies.
3. Right-click one of the ready-made policies and select Install Policy. The Policy Upload Task Properties dialog opens.
4. Select the engine(s).
5. Click Add. The selected engines are added to the Target list.
6. Click OK. A new tab opens to show the progress of the policy installation.
7.
INSTALLING ENGINES

In this section: Installing the Engine on Other Platforms (page 97)
CHAPTER 11 INSTALLING THE ENGINE ON OTHER PLATFORMS

This chapter describes how to install IPS and Layer 2 Firewall engines on standard Intel or Intel-compatible platforms, or on a virtualization platform. To install Master Engines and Virtual IPS engines or Virtual Layer 2 Firewalls, see Configuring Master Engines and Virtual IPS Engines (page 53) or Configuring Master Engines and Virtual Layer 2 Firewalls (page 67).
Installing the Engine on Intel-Compatible Platforms

McAfee NGFW appliances are delivered with pre-installed software. If you are using a McAfee NGFW appliance, configure the software as instructed in the Appliance Installation Guide delivered with the appliance. On other systems, the software is installed from DVDs. Depending on your order, you may have received ready-made McAfee Security Management Center and McAfee NGFW Engine DVDs.
Checking File Integrity

Before installing the IPS or Layer 2 Firewall engine from downloaded files, check that the installation files have not become corrupt or been modified. Using corrupt files may cause problems at any stage of the installation and use of the system. File integrity is checked by generating an MD5 or SHA-1 file checksum of the downloaded files and by comparing the checksum with the checksum on the download page.
Starting the Installation

Before you start installing the engines, make sure you have the initial configuration or a one-time password for management contact for each IPS and Layer 2 Firewall engine. These are generated in the SMC. See Saving the Initial Configuration (page 84) for more information. What you see on your screen during the installation may differ from the illustrations in this guide depending on your system configuration.
Installing the Engine on a Virtualization Platform

The IPS or Layer 2 Firewall engine can be installed on virtualization platforms that support the deployment of Open Virtual Format (OVF) templates. The same NGFW software can be used in the Firewall/VPN role, IPS role, or Layer 2 Firewall role. The engine role is selected during the initial configuration of the engine. The following role-specific requirements and limitations apply when the engine is installed on a virtualization platform:
Table 11.
Configuring the Engine Automatically with a USB Stick

The automatic configuration is primarily intended to be used with McAfee NGFW appliances, and may not work in all environments when you use your own hardware. If the automatic configuration does not work, you can still run the Engine Configuration Wizard as explained in the next section and import or enter the information manually.
Configuring the Engine in the Engine Configuration Wizard

If you have stored the configuration on a USB memory stick, you can import it to reduce the need for typing in information. See Saving the Initial Configuration (page 84) for more information about saving the initial configuration.

To select the role and the configuration method
1. Highlight Role and press Enter to select the role for the Security Engine.
2. Highlight Layer 2 Firewall or IPS and press Enter.
Configuring the Operating System Settings

To set the keyboard layout
1. Highlight the entry field for Keyboard Layout and press Enter. The Select Keyboard Layout dialog opens.
2. Highlight the correct layout and press Enter. Type the first letter to move forward more quickly.
Tip – If the desired keyboard layout is not available, use the best-matching available layout, or select US_English.

To set the engine’s timezone
1. Highlight the entry field for Local Timezone and press Enter.
2.
Configuring the Network Interfaces

The Engine Configuration Wizard can automatically detect which network cards are in use. You can also add interfaces manually if necessary. If the list is not populated automatically, you can launch the autodetect as explained in the illustration below.

To add the network interfaces
Highlight Autodetect and press Enter. Check that the detected drivers are correct and that all interfaces have been detected.
Mapping the Physical Interfaces to Interface IDs

To map the Physical Interfaces to Interface IDs
1. Change the IDs as necessary to define how Physical Interfaces are mapped to the Interface IDs you defined in the IPS or Layer 2 Firewall element.
2. If necessary, highlight the Media column and press Enter to match the speed/duplex settings to those used in each network.
Tip – You can use the Sniff option to troubleshoot the network interfaces.
Contacting the Management Server

The Prepare for Management Contact page opens. If the initial configuration was imported, most of this information is automatically filled in.
Note – If there is an intermediate firewall between this engine and the Management Server, make sure that the intermediate firewall’s policy allows the initial contact and all subsequent communications. See Default Communication Ports (page 149) for a listing of the ports and protocols used.
• If you see a “connection refused” error message, ensure that the one-time password is correct and the Management Server IP address is reachable from the node. Save a new initial configuration if you are unsure about the password.
• If there is a firewall between the engine and the Management Server or Log Server, make sure that the firewall’s policy allows the initial contact and the subsequent communications. See Default Communication Ports (page 149) for a list of the ports and protocols used.
Partitioning the Hard Disk Manually

Typically, you need five partitions for the IPS or Layer 2 Firewall as explained in Table 11.2. The partitions are allocated in two phases. First, disk partitions are created and second, the partitions are allocated for their use purposes.
Caution – Partitioning deletes all the existing data on the hard disk.

To partition the hard disk
1. If you are asked whether you want to create an empty partition table, type y to continue.
2. When prompted, press Enter to continue.
Allocating Partitions

After partitioning the hard disk, the partitions are allocated for the engine.

To allocate the partitions
1. Check that the partition table is correct. Type yes to continue.
2. Using the partition numbers shown in the partition table, assign the partitions for the engine, for example:
• For the engine root A partition, type 1.
• For the engine root B partition, type 2.
• For the swap partition, type 5.
• For the data partition, type 6.
• For the spool partition, type 7.
3.
UPGRADING

In this section: Upgrading (page 113)
CHAPTER 12 UPGRADING

This chapter explains how to upgrade your IPS engines, Layer 2 Firewalls, and Master Engines. When there is a new version of the engine software, you should upgrade as soon as possible.
Getting Started With Upgrading

How Engine Upgrades Work

The primary way to upgrade engines is a remote upgrade through the Management Server. The upgrade package is imported on the Management Server manually or automatically. You can then apply it to selected engines through the Management Client. Alternatively, the upgrade can be done on the command line when it is more convenient (for example, for spare appliances in storage). The engines have two alternative partitions for the engine software.
To check the current engine software version, select the engine in the System Status view. The engine version is displayed on the General tab in the Info panel. If the Info panel is not shown, select View→Info. Before upgrading the engines, read the Release Notes for the new engine version.

Configuration Overview

The following steps are needed for upgrading the engines:
1. (If automatic download of engine upgrades is not enabled) Obtain the installation files and check the installation file integrity.
7. Compare the displayed output to the checksum on the web site.
Caution – Do not use files that have invalid checksums. If downloading the files again does not help, contact McAfee support to resolve the issue.

To prepare a downloaded .zip file for a remote upgrade
1. Log in to the Management Client and select File→Import→Import Engine Upgrades.
2. Select the engine upgrade (sg_engine_version_platform.zip) file and click Import.
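The checksum comparison described in Checking File Integrity and in the steps above can be scripted so that a pasted checksum is never compared by eye. The following POSIX shell function is an added example, not part of the McAfee guide: it computes the MD5 or SHA-1 checksum of a downloaded file (the algorithm is taken from the length of the published value), compares it with the value copied from the download page, and refuses the file on a mismatch. The file name and checksum in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the McAfee guide: verify a downloaded installation
# or upgrade file against the checksum published on the download page.
# Handles the two checksum types the guide mentions (MD5 and SHA-1); the type
# is taken from the length of the published value (32 or 40 hex digits).
# Exit status: 0 = match, 1 = mismatch (do not use the file), 2 = usage error.

# Print the lowercase hex digest of file $1 using algorithm $2 (md5 or sha1).
# Uses the coreutils *sum tools when present, otherwise falls back to openssl.
checksum_of() {
    case $2 in
        md5)
            if command -v md5sum >/dev/null 2>&1; then
                md5sum "$1" | awk '{print $1}'
            else
                openssl dgst -md5 "$1" | awk '{print $NF}'
            fi ;;
        sha1)
            if command -v sha1sum >/dev/null 2>&1; then
                sha1sum "$1" | awk '{print $1}'
            else
                openssl dgst -sha1 "$1" | awk '{print $NF}'
            fi ;;
        *)
            echo "checksum_of: unknown algorithm '$2'" >&2
            return 2 ;;
    esac
}

# verify_download FILE PUBLISHED_CHECKSUM
# Compares FILE with the checksum copied from the download page. The comparison
# is case-insensitive and whitespace around the pasted value is ignored.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "verify_download: no such file: $file" >&2
        return 2
    fi
    case $expected in
        '' | *[!0-9a-f]*)
            echo "verify_download: published checksum is not hexadecimal" >&2
            return 2 ;;
    esac
    case ${#expected} in
        32) algo=md5 ;;   # MD5 digests are 128 bits = 32 hex digits
        40) algo=sha1 ;;  # SHA-1 digests are 160 bits = 40 hex digits
        *)
            echo "verify_download: expected 32 (MD5) or 40 (SHA-1) hex digits" >&2
            return 2 ;;
    esac

    actual=$(checksum_of "$file" "$algo") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published $algo checksum"
        return 0
    fi
    echo "MISMATCH: $file $algo is $actual, published value is $expected" >&2
    echo "Do not use this file; download it again." >&2
    return 1
}

# Command-line use (file name and checksum are constructed placeholders):
#   sh verify_download.sh sg_engine_version_platform.zip <checksum from download page>
if [ $# -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

When the download page offers both values, prefer the SHA-1 checksum: MD5 collisions are practical, so an MD5 match is a weaker guarantee that the file is the one that was published.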
Upgrading or Generating Licenses

When you installed the engine software for the first time, you installed licenses that work with all versions of the engine up to that particular version. If the first two numbers in the old and the new versions are the same, the upgrade can be done without upgrading licenses (for example, when upgrading from 1.2.3 to 1.2.4).
5. Select the location at which to save the license file in the dialog that opens. You are prompted to request a license upgrade.
6. Click Yes. The McAfee web site opens.
7. Go to my.stonesoft.com/managelicense.do.
8. Enter the POL or POS code in the License Identification field and click Submit. The License Center page opens.
9. Click the Multi-Upgrade Licenses link on the right. The Upload Multi-Upgrade Licenses page opens.
10.
Upgrading Engines Remotely

You can upgrade the engines through the Management Server by importing the upgrade package manually or automatically. You can then activate the upgrade package or you can transfer the upgrade package to the engine and activate it separately later, for example, during a break in service. You can also create a scheduled Task for the remote upgrade as instructed in the McAfee SMC Administrator’s Guide or in the Management Client Online Help.
Upgrading Legacy IPS Engines

Prior to version 5.4, IPS engines consisted either of separate Sensor and Analyzer engines, or combined Sensor-Analyzer engines. In version 5.4, the Analyzer functionalities have been transferred to the Log Server and to the Security Engines, and the Analyzer is no longer used. Because of this change, additional steps are required for upgrading legacy Sensors, Sensor Clusters, and combined Sensor-Analyzers to version 5.4 or higher.
6. Make sure None is selected for the Analyzer.
7. Click OK. The conversion begins.
8. Refresh the policy of the upgraded engine to make sure any possible changes specific to the new software version are transferred to the engine.

What’s Next? Upgrade any other legacy Sensor-Analyzers in the same way. Otherwise, the upgrade is complete.

Removing Unused Analyzer Elements

When you upgrade legacy Sensors or Sensor Clusters to version 5.
Upgrading Engines Locally

It is also possible to upgrade the engines on the engine command line as described in this section. Upgrading locally requires a physical connection to the engine using a monitor and keyboard or a serial cable. During an IPS Cluster, Layer 2 Firewall Cluster, or Master Engine cluster upgrade, it is possible for the upgraded nodes to be online and operational side by side with the older version nodes.
Upgrading From a .zip File

Follow the instructions below if you want to use a .zip file to upgrade the engine software locally on the engine command line.

To upgrade the engine locally from a .zip file
1. Log in to the node as root with the password set for the engine (you can set the password through the Management Client).
2. Insert the USB stick or the DVD.
3. Run the command sg-reconfigure. The Engine Configuration Wizard opens.
4. Select Upgrade and press Enter.
5.
APPENDICES

In this section: Command Line Tools (page 127), Default Communication Ports (page 149), Example Network Scenario (page 157), Index (page 163)
APPENDIX A COMMAND LINE TOOLS

This appendix describes the command line tools for McAfee Security Management Center and the NGFW engines.
Note – Using the Management Client is the recommended configuration method, as most of the same tasks can be done through it.
Security Management Center Commands

Security Management Center commands include commands for the Management Server, Log Server, Web Portal Server, and Authentication Server. Most of the commands are found in the /bin/ directory. In Windows, the command line tools are *.bat script files. In Linux, the files are *.sh scripts.
Table A.1 Security Management Center Command Line Tools (Continued)
sgArchiveExport (continued)
  host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
  login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
  pass defines the password for the user account.
  format defines the file format for the output file.
Table A.1 Security Management Center Command Line Tools (Continued)
sgBackupLogSrv [pwd=] [path=] [nodiskcheck] [comment=] [nofsstorage] [-h | --help]
  Creates a backup of Log Server configuration data. The backup file is stored in the /backups/ directory. Twice the size of the log database is required on the destination drive. Otherwise, the operation fails.
  pwd entering a password enables encryption.
  path defines the destination path.
Table A.1 Security Management Center Command Line Tools (Continued)
sgCertifyLogSrv [host=]
  Contacts the Management Server and creates a new certificate for the Log Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components.
  host specifies the address of the Management Server.
Table A.1 Security Management Center Command Line Tools (Continued)
sgChangeMgtIPOnMgtSrv
  Changes the Management Server’s IP address in the local configuration to the IP address you give as a parameter. Use this command if you change the Management Server’s IP address. Restart the Management Server service after running this command.
sgClient
  Starts a locally installed Management Client.
sgCreateAdmin
  Creates an unrestricted (superuser) administrator account.
Table A.1 Security Management Center Command Line Tools (Continued)
sgHA [host=] [login=] [pass=] [master=] [-set-active] [-set-standby] [-check] [-retry] [-force] [-restart] [-h|-help|-?]
  Controls active and standby Management Servers. If you want to perform a full database synchronization, use the sgOnlineReplication command.
Table A.1 Security Management Center Command Line Tools (Continued)
sgImportExportUser [host=] [login=] [pass=] action= file= [-h|-help|-?]
  Imports and exports a list of Users and User Groups in an LDIF file from/to a Management Server’s internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate).
Table A.1 Security Management Center Command Line Tools (Continued)
sgOnlineReplication [login=] [pass=] [active-server=] [standby-server=] [standby-server-address=] [-nodisplay] [-h|-help|-?]
  Replicates the Management Server’s database from the active Management Server to an additional Management Server.
Table A.1 Security Management Center Command Line Tools (Continued)
sgRestoreAuthBackup [-pwd=] [-backup=] [-nodiskcheck] [-h|-help]
  Restores the Authentication Server user information from a backup file in the /backups/ directory. Apply the Authentication Server’s configuration after this command.
  -pwd defines a password for an encrypted backup.
  -backup defines a name for the backup file.
Table A.1 Security Management Center Command Line Tools (Continued)
sgStartMgtSrv
  Starts the Management Server and its database.
sgStartWebPortalSrv
  Starts the Web Portal Server.
sgStopLogSrv
  Stops the Log Server.
sgStopMgtSrv
  Stops the Management Server and its database.
sgStopMgtDatabase
  Stops the Management Server’s database. There is usually no need to use this script.
sgStopWebPortalSrv
  Stops the Web Portal Server.
Table A.1 Security Management Center Command Line Tools (Continued)
sgTextBrowser [host=] [login=] [pass=] [format=] [o=
NGFW Engine Commands

The commands in the following two tables can be run on the command line on Firewall, Layer 2 Firewall, IPS engines and/or Master Engines.
Note – All command line tools that are available for single Security Engines are also available for Virtual Security Engines that have the same role. However, there is no direct access to the command line of Virtual Security Engines.
Table A.
Table A.2 NGFW Engine Command Line Tools (Continued)
sg-blacklist (continued)
  Engine Role: Firewall, Layer 2 Firewall, IPS
  Add/Del Parameters: Enter at least one parameter. The default value is used for the parameters that you omit.
sg-bootconfig [--primary-console=tty0|ttyS PORT,SPEED] [--secondary-console=[tty0|ttyS PORT,SPEED]] [--flavor=up|smp] [--initrd=yes|no] [--crashdump=yes|no|Y@X] [--append=kernel options] [--help] apply
Table A.2 NGFW Engine Command Line Tools (Continued)
  Engine Role: Firewall, Layer 2 Firewall, IPS
  Note! Use this only if you want to clear all configuration information from the engine. This command resets all configuration information from the engine. It does not remove the engine software. After using this command, you must reconfigure the engine using the sg-reconfigure command.
Table A.2 NGFW Engine Command Line Tools (Continued)
sg-dynamic-routing [start] [stop] [restart] [force-reload] [backup ] [restore ] [sample-config] [route-table] [info]
  Engine Role: Firewall
  start starts the Quagga routing suite.
sg-ipsec -d [-u | -si | -ck | -tri -ri | -ci ]
sg-logger -f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"] [-s] [-h]
Table A.2 NGFW Engine Command Line Tools (Continued)
  Engine Role: Firewall, Layer 2 Firewall, IPS
  Configures a new hard drive. This command is only for McAfee NGFW appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.
  -status option displays the status of the hard drive.
  -add option adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.
Table A.2 NGFW Engine Command Line Tools (Continued)
sg-toggle-active SHA1 SIZE | --force [--debug]
  Engine Role: Firewall, Layer 2 Firewall, IPS
  Switches the engine between the active and the inactive partition. This change takes effect when you reboot the engine. You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched.
Table A.2 NGFW Engine Command Line Tools (Continued)
sginfo [-f] [-d] [-s] [-p] [--] [--help]
  Engine Role: Firewall, Layer 2 Firewall, IPS
  Gathers system information you can send to McAfee support if you are having problems. Use this command only when instructed to do so by McAfee support.
  -f option forces sgInfo even if the configuration is encrypted.
  -d option includes core dumps in the sgInfo file.
  -s option includes slapcat output in the sgInfo file.
Server Pool Monitoring Agent Commands

You can test and monitor the Server Pool Monitoring Agents on the command line with the commands described in the table below.

Table A.4 Server Pool Monitoring Agent Commands
agent [-v level] [-c path] [test [files]] [syntax [files]] (Windows only)
  Allows you to test different configurations before activating them.
  -v level Set the verbosity level. The default level is 5. Levels 6-8 are for debugging where available.
Table A.4 Server Pool Monitoring Agent Commands (Continued)
sgmon [status|info|proto ] [-p port] [-t timeout] [-a id] host
  Sends a UDP query to the specified host and waits for a response until received, or until the timeout limit is reached. The request type can be defined as a parameter. If no parameter is given, status is requested. The commands are:
  status - query the status.
  info - query the agent version.
  proto - query the highest supported protocol version.
APPENDIX B DEFAULT COMMUNICATION PORTS

This chapter lists the default ports used in connections between SMC components and the default ports SMC components use with external components.
Security Management Center Ports

The illustrations below present an overview of the most important default ports used in communications between the Security Management Center (SMC) components and from the SMC to external services. See the table below for a complete list of default ports.
[Illustration B.1 Destination Ports for Basic Communications Within SMC: Management Client, Management Server, Log Server; TCP 8902-8913; 3021 (Log Server Certificate Request); 3023; TCP 8914-8918]
Illustration B.
The table below lists all default ports SMC uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference. For information on communications between SMC components and the engines, see the separate listings.
Table B.
Table B.1 Security Management Center Default Ports (Continued)
Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Management Server | 3021/TCP | Log Server, Web Portal Server | System communications certificate request/renewal. | SG Log Initial Contact
Management Server | 8902-8913/TCP | Management Client, Log Server, Web Portal Server | Monitoring and control connections. |
Security Engine Ports

The illustrations below present an overview of the most important default ports used in communications between Security Engines and the SMC and between clustered Security Engine nodes. See the table below for a complete list of default ports for the engines.
Note – Master Engines use the same default ports as clustered Security Engines. Virtual Security Engines do not communicate directly with other system components.
Illustration B.
The table below lists all default ports the Security Engines use internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference.

Table B.2 Security Engine and Master Engine Default Ports
Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Anti-virus signature server | 80/TCP | Firewall | Anti-virus signature update service. |
Table B.2 Security Engine and Master Engine Default Ports (Continued)
Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Firewall, Layer 2 Firewall, IPS, Master Engine | 4987/TCP | Management Server | Management Server commands and policy upload. | SG Commands
Firewall, Layer 2 Firewall, IPS | 8888/TCP | Management Server | Connection monitoring for engine versions 5.1 and lower. |
Table B.2 Security Engine and Master Engine Default Ports (Continued)
Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
RPC server | 111/UDP, 111/TCP | Firewall, Master Engine | RPC number resolve. | SUNRPC (UDP), Sun RPC (TCP)
Server Pool Monitoring Agents | 7777/UDP | Firewall, Master Engine | Polls to the servers’ Server Pool Monitoring Agents for availability and load information. | SG Server Pool Monitoring
SNMP server | 162/UDP | Firewall, Layer 2 Firewall, IPS, Master Engine | SNMP traps from the engine. |
APPENDIX C EXAMPLE NETWORK SCENARIO

To give you a better understanding of how McAfee IPS fits into a network, this section outlines a network with IPS engines. All illustrations of the software configuration in the subsequent chapters are filled in according to this example scenario; this way, you can compare how the settings in the various dialogs relate to the overall network structure whenever you like.
Overview of the Example Network

Two example IPS installations are described in this guide:
• an IPS cluster in the Headquarters Intranet network.
• a single IPS in the Headquarters DMZ network.
The network scenario for these installations is based on the example network in Illustration C.1. See the McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles for more information on deploying the IPS components.
[Illustration C.1 Example Network Scenario: HQ Intranet 172.16.1.0/24; HQ DMZ 192.168.1.
Example Headquarters Intranet Network

[Illustration C.2 Example Headquarters Intranet Network: Node 1 (10.42.1.41, 172.16.1.41) and Node 2 (10.42.1.42, 172.16.1.42) of HQ IPS Cluster; SPAN Switch; Headquarters Intranet; HQ Firewall 172.16.1.1; Management Network]

In the example scenario, HQ IPS Cluster is an inline serial cluster located in the Headquarters network. The cluster consists of two IPS engine nodes: Node 1 and Node 2.
Table C.
Example Headquarters Management Network

[Illustration C.3 Example Headquarters Management Network: Management Server 192.168.10.200; HQ Log Server 192.168.10.201; Switch; HQ Firewall 192.168.10.1 / 212.20.1.254; Internet]

HQ Firewall
The HQ Firewall provides NAT for the Headquarters Management network. The HQ Firewall uses the following IP addresses with the Headquarters Management Network:
• Internal: 192.168.10.1
• External: 212.20.1.254

SMC Servers
Table C.
Example Headquarters DMZ Network

[Illustration C.4 Example Headquarters DMZ Network: HQ Firewall 192.168.1.1; DMZ IPS 192.168.1.41; DMZ Servers]

In the example scenario, the DMZ IPS in the Headquarters DMZ network is a single inline IPS engine.

Table C.3 Single IPS in the Example Scenario
Network Interface | Description
Inline Interfaces | The DMZ IPS is deployed in the path of traffic between the Firewall and the DMZ network switch. All the traffic flows through the IPS engine’s Inline Interface pair.
Copyright © 2014 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.