McAfee® Firewall Enterprise Control Center (CommandCenter™)
Administration Guide
version 4.0.0.04
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD,
MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS,
PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL
PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other
countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the
sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE
ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE
AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN
THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A
FULL REFUND.

License Attributions
This product includes software developed by Inferno Nettverk A/S, Norway. Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002 Inferno Nettverk A/S,
Norway. All rights reserved.
This product includes software developed by Todd C. Miller. Copyright (c) 1996 Todd C. Miller <Todd.Miller@courtesan.com> All rights reserved.
This product includes software developed by the University of California, Berkeley and its contributors. Copyright (c) 1983, 1988, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
This product includes software developed by Red Hat, Inc. Copyright Red Hat, Inc., 1998, 1999, 2001, 2002.
This product includes software developed by Julianne F. Haugh. Copyright 1988 - 1997, Julianne F. Haugh. All rights reserved.
This product includes software developed by Info-ZIP. Copyright (c) 1990-2004 Info-ZIP. All rights reserved.
This product includes software developed by the Apache Software Foundation http://www.apache.org. Copyright (c) 1999, 2000 The Apache Software
Foundation. All rights reserved.
This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/). Copyright (c) 2000
Carnegie Mellon University. All rights reserved.
This product includes software developed by Ian F. Darwin and others. Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995.
This product includes software developed by Silicon Graphics, Inc. Copyright (c) 1991-1997. Portions by Sam Leffler. Copyright (c) 1988-1997.
This product includes software developed by Purdue Research Foundation, West Lafayette, Indiana 47907. Copyright 2002. All rights reserved. Portions
by Victor A. Abell
This product includes software developed by Thomas E. Dickey <dickey@invisible-island.net>. Copyright 1997-2002, 2003. All Rights Reserved.
This product includes software developed by David L. Mills. Copyright (c) David L. Mills 1992-2001.
This product includes software developed by University of Cambridge. Copyright (c) 1997-2001 University of Cambridge;
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
This product contains db4 software - Portions distributed by Sleepycat Software. Copyright (c) 1990-2001 Sleepycat Software, and by The President and
Fellows of Harvard University, copyright (c) 1995, 1996. All rights reserved.
This product includes software developed by Keith Packard. Copyright © 2001,2003.
This product includes krb5 software developed by the Massachusetts Institute of Technology, Copyright (c) 1985-2001.
This product includes libjpeg software developed by Thomas G. Lane, Copyright (C) 1991-1998. All Rights Reserved. This software is based in part on the
work of the Independent JPEG Group.
This product includes libradius software developed by Juniper Networks, Inc., Copyright 1998. All rights reserved.
This product includes LInux LOader (LILO) software developed in part by Werner Almesberger, Copyright 1992-1998. Portions by John Coffman, Copyright
1999-2005. All rights reserved.
This product includes software developed by The OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org) Copyright © 1998-2006. The
toolkit includes cryptographic software written by Eric Young (eay@cryptsoft.com). Copyright (c) 1995-1998. This product includes software written by Tim
Hudson (tjh@cryptsoft.com) Copyright (c) 1993-2001 Spread Concepts LLC. All rights reserved.
This product includes software developed by The XFree86 Project, Inc. (http://www.xfree86.org/) and its contributors. Copyright (C) 1994-2004 The
XFree86 Project, Inc. All rights reserved.
Part of the software embedded in this product is gSOAP software. Portions created by gSOAP are Copyright (C) 2001-2004 Robert A. van Engelen, Genivia
Inc. All Rights Reserved.
This product includes software developed by Internet Systems Consortium, Inc. Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC").
Copyright © 1996-2003 Internet Software Consortium.
This product includes software developed by Jython Developers. Copyright © 2000-2007 Jython Developers. All rights reserved.
This product contains certain other third party software which include the following additional terms:
Redistribution and use in source and binary forms of the above listed software, with or without modification, are permitted provided that the following
conditions are met:
1 Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2 Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.
3 Neither the name of the author may be used to endorse or promote products derived from this software without specific prior written permission.




Issued April 2009 / McAfee® Firewall Enterprise Control Center (CommandCenter™) software version 4.0.0.04
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LICENSORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes or may include some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL)
or other similar software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and
have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary
format that the source code also be made available to those users. For any such software, the source code is made available in a designated directory
created by installation of the Software or designated internet page. If any Free Software licenses require that McAfee provide rights to use, copy or modify
a software program that are broader than the rights granted in the McAfee End User License Agreement, then such rights shall take precedence over the
rights and restrictions herein.




Contents


           About this Document

    1      Introduction
           About the McAfee Firewall Enterprise Control Center (CommandCenter)
              Features of the Control Center
           About the Client Suite
              Administration Tool
              Configuration Tool
              Reporting and Monitoring Tool
              Software Updates Tool

    2      Administrator Basics
           Managing the McAfee Firewall Enterprise Control Center (CommandCenter) Management Server
              Configuring the Management Server
              Logging into the Management Server
           Managing configuration data for the Management Server
              Backing up configuration data for the Management Server
              Restoring configuration data to the Management Server
           Disaster recovery restoration for Management Servers
              Restoring a standalone Management Server that has failed completely
              Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair
              Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair
              Restoring both Management Servers in a high availability (HA) pair that have failed completely
           Adding firewalls
              Adding firewalls by using rapid deployment registration
              Adding firewalls by using manual registration
           Managing firewall interfaces
              Routed mode
              Transparent (bridged) mode
           Navigating the Control Center user interface
              Administration Tool main window
              Configuration Tool main window
              Reporting and Monitoring Tool main window
              Software Updates Tool main window
              Administration Tool menus
              Configuration Tool menus
              Reporting and Monitoring Tool menus
              Software Updates Tool menus
              Customizing a toolbar
              Administration Tool toolbars
              Configuration Tool toolbars
              Reporting and Monitoring Tool toolbars
              Software Updates Tool toolbars

    3      Administration Tool
           Administration Tool
           Control Center users
              Configuring Control Center users
              Changing user passwords
           Control Center roles
              Managing roles for Control Center users
           Configuration domains
              Activating configuration domains
              Configuring configuration domains
              Moving a firewall or cluster from one configuration domain to another
              Changing from one configuration domain to another
           Configuration domain version management
              Configuration domain version management
              Managing versions of configuration domains
           Audit data management
              Managing audit trail information
              Configuring change tickets
           Control Center Management Server licensing
              Managing Control Center licenses
              Configuring common license information for the Control Center
              Configuring Control Center network settings
           System settings
              Configuring system settings
              Viewing the status of your backup Management Servers
              Creating backup files of your Management Server data by using the GUI
              Restoring the Management Server configuration files from a backup file
              Uploading a backup configuration file from the Client to the Management Server
              Changing login information for remote system backups
              Setting the date and time on the Management Server
              Restarting the Management Server
           ePolicy Orchestrator settings
              Configuring access to the ePolicy Orchestrator server
              Viewing ePolicy Orchestrator host data
           High Availability (HA)
              How High Availability (HA) works
              HA configuration and status support
              Configuring the High Availability (HA) feature
              Removing the High Availability (HA) configuration feature
           Authentication
              Configuring Control Center user authentication
              Control Center Authentication Configuration window: Authentication Servers tab
              Configuring external authentication servers

    4      Configuration Tool Overview
           Configuration Tool
              Configuration Tool operations
              Configurable objects
              Viewing details about objects

5   Configuration Tool - Firewalls . . . 163
    Firewall objects . . . 163
    McAfee Firewall Enterprise (Sidewinder) . . . 164
        Registering your firewalls by using the rapid deployment option . . . 164
        Registering a firewall manually . . . 166
        Retrieving firewall components . . . 168
        Configuring settings for a standalone firewall . . . 169
        Configuring the firewall . . . 170
        Firewall window-related tasks . . . 204
        Converting network objects in rules for the IPv6 protocol . . . 204
        Deleting firewall objects . . . 213
    McAfee Firewall Enterprise (Sidewinder) clusters . . . 215
        Managing clusters . . . 215
        Configuring, promoting and demoting cluster objects and cluster nodes . . . 216
        Overview of configuring a cluster on the McAfee Firewall Enterprise Admin Console . . . 225
        Adding a cluster that was created on the McAfee Firewall Enterprise Admin Console . . . 226
        Configuring configuration information for a cluster . . . 228
        Modifying cluster interface properties . . . 253
        Configuring configuration data for a cluster member . . . 255
    Device groups . . . 261
        Configuring groups of related device objects . . . 261




6   Configuration Tool - Firewall Settings . . . 263
    Firewall settings . . . 263
    Common (global) settings . . . 264
        Configuring common (global) settings . . . 264
    Audit export . . . 268
        Configuring audit archive settings for a firewall . . . 268
    McAfee Firewall Profiler . . . 272
        Configuring McAfee Firewall Profiler settings . . . 272
    Firewall Reporter / Syslog settings . . . 273
        Configuring the exportation of audit data to a McAfee Firewall Reporter or to designated syslog servers . . . 274
    Network defenses . . . 278
        Configuring network defense audit reports . . . 279
    Managing servers and service configurations . . . 291
    Viewing and managing IPS signatures by using the IPS Signature Browser . . . 302
    TrustedSource . . . 304
        Configuring TrustedSource settings for rules and mail filtering . . . 305
    Virus scanning . . . 308
        Configuring virus scanning properties . . . 308
    Quality of Service . . . 310
        Creating Quality of Service profiles . . . 311
    DNS zones . . . 312
        Configuring DNS zones . . . 315
    Scheduled jobs . . . 322
        Scheduling jobs . . . 322
    Third-party updates . . . 326
        Configuring third-party update schedules . . . 326
    Software update package status . . . 331
        Establishing a schedule to check for software updates . . . 331

7   Configuration Tool - Policy . . . 333
    Policy objects . . . 333
    Network objects . . . 336
        Configuring endpoints (network objects) . . . 337
        Creating adaptive endpoints . . . 339
        Creating Geo-Location objects . . . 340
        Configuring burbs . . . 341
        Configuring groups of burb objects . . . 343
        Configuring groups of endpoint objects . . . 344
        Importing network objects . . . 345
    Services . . . 346
        Configuring proxy services . . . 348
        Configuring filter services . . . 350
        Configuring service groups . . . 353
    Application defenses . . . 355
        Configuring HTTP application defenses . . . 355
        Configuring HTTPS application defenses . . . 370
        Configuring Mail (Sendmail) application defenses . . . 382
        Configuring Mail (SMTP proxy) application defenses . . . 388
        Configuring Citrix application defenses . . . 395
        Configuring FTP application defenses . . . 396
        Configuring IIOP application defenses . . . 400
        Configuring T120 application defenses . . . 401
        Configuring H.323 application defenses . . . 402
        Configuring Oracle application defenses . . . 403
        Configuring MS SQL application defenses . . . 404
        Configuring SOCKS application defenses . . . 405
        Configuring SNMP application defenses . . . 406
        Configuring SIP application defenses . . . 408
        Configuring SSH application defenses . . . 409
        Configuring Packet Filter application defenses . . . 415
        Configuring application defense groups . . . 418




    IPS inspection . . . 419
        Configuring IPS response mappings . . . 420
        Configuring IPS signature groups . . . 421
    Authentication services . . . 424
        Configuring password authenticators . . . 426
        Configuring passport authenticators . . . 428
        Configuring RADIUS authenticators . . . 431
        Configuring Safeword authenticators . . . 435
        Configuring Windows Domain authenticators . . . 438
        Configuring iPlanet authenticators . . . 440
        Configuring Active Directory authenticators . . . 445
        Configuring OpenLDAP authenticators . . . 450
        Configuring custom LDAP authenticators . . . 455
        Configuring CAC authenticators . . . 459
    Firewall users . . . 461
        Firewall administrators, users, user groups, and external groups . . . 461
        Configuring firewall users . . . 462
        Configuring firewall administrators . . . 464
        Configuring firewall user groups . . . 468
        Configuring external firewall groups . . . 469
    Time periods . . . 470
        Managing time periods . . . 470
    VPN . . . 471
        Configuration features . . . 472
        Components and considerations . . . 474
        Client configurations and XAUTH . . . 475
        Creating VPN channels . . . 475
        Managing firewall certificates for VPN gateways . . . 481
        Configuring VPN gateways . . . 482
        Configuring VPN peer objects . . . 484
        Building Star, Mesh, and remote access VPN communities . . . 491
        Creating a network configuration for a VPN client . . . 507
        Defining fixed addresses for VPN clients . . . 510
        Adding a VPN client configuration . . . 511
        CA certificates . . . 512
        Managing certificate names . . . 514
        Creating certificates or importing them into the certificate database . . . 515
        Importing certificates into the known certificates database . . . 518
        Exporting certificates . . . 519
        Loading certificates . . . 522
        Managing remote certificates . . . 523
        Bypassing IPsec policy evaluation . . . 525
    Rules . . . 527
        How rules work . . . 527
        Rule management . . . 528
        Creating, viewing, or modifying rules . . . 528
        Configuring columns to display on the Rules page . . . 532
        Configuring rules . . . 533
        Configuring default settings for creating rules . . . 540
        Replacing objects in rules . . . 541
        Verifying the objects to be replaced in your rules . . . 543
        Filtering rules to display on the Rules page . . . 545
        Loading and managing previously saved rule filters . . . 549
        Displaying filtered rules on the Rules page . . . 550
        Configuring groups of rules . . . 551
        Merging rules with common elements . . . 552
        Deleting duplicate rules . . . 556
        Viewing configuration information for duplicate rules . . . 558
    URL translation rules . . . 559
        Viewing your URL translation rules . . . 559
        Configuring URL translation rules . . . 560
    Alert processing rules . . . 563
        Viewing alert processing rules . . . 564



        Modifying pre-defined alert processing rules . . . 565
        Assigning priority levels to alerts . . . 567
    SSH known hosts . . . 568
        Configuring strong known host associations . . . 569
        Creating strong SSH known host keys . . . 570
        Configuring host associations . . . 571

8   Configuration Tool - Monitor . . . 573
    Monitoring . . . 573
    Firewall configuration management . . . 574
        Viewing the overall status of your firewalls . . . 574
        Viewing the status of a specific firewall . . . 577
        Configuring settings for the Firewall Status page . . . 579
        Viewing configuration information about each firewall . . . 584
        Validating firewall configurations . . . 586
        Troubleshooting validation configuration warnings . . . 587
        Applying firewall configurations . . . 589
        Troubleshooting apply configuration warnings . . . 591
        Viewing the status of Apply Configurations . . . 593
        Reviewing your configured firewalls . . . 594
        Comparing impacts of proposed configuration changes for a firewall . . . 595
        Configuring compliance report settings . . . 596
        Viewing the compliance status of the current firewall configuration . . . 597
        Viewing your firewall enrollment (deployment) status . . . 598
        Configuring the firewall for usage inside the Control Center Client . . . 599
        Viewing real-time Web data for your network . . . 600
        Viewing services and managing service agents . . . 601
        Viewing details about a firewall service . . . 604
    Responses . . . 605
        Configuring alert notification for e-mail accounts . . . 606
        Configuring blackholes for suspected hosts . . . 607
        Viewing IPS attack responses . . . 608
        Configuring IPS attack responses . . . 609
        Viewing system responses . . . 612
        Configuring system responses . . . 613
    Audit trail . . . 615
        Viewing audit trail information . . . 615
        Configuring a custom audit trail filter . . . 617
    Audit archives . . . 618
    Reporting . . . 619
        Firewall reports . . . 619
        Viewing firewall report data . . . 620
           Generating firewall reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                               .   .   .   . 623
       Firewall audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                            .   .   .   . 624
           Configuring and generating audit reports for one or more firewalls . . . . . . . . . . . . . . . . . . . . .                                                                .   .   .   . 625
           Configuring filters for audit reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                 .   .   .   . 632
           Viewing event-specific audit information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                      .   .   .   . 635
           Configuring on-screen color schemes for the audit records . . . . . . . . . . . . . . . . . . . . . . . . . .                                                               .   .   .   . 636
           Displaying system information for the Control Center Management Server . . . . . . . . . . . . . . .                                                                        .   .   .   . 638
           Selecting the criteria for the firewall policy report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                     .   .   .   . 640
           Viewing information about the security policy for firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                           .   .   .   . 643
       Firewall license reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                            .   .   .   . 644
           Selecting the firewall for the license report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                     .   .   .   . 644
           Viewing the status of all of the licenses for a firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                                      .   .   .   . 645

9      Configuration Tool - Maintenance                                                                                                                                                            647
       Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .        ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 647
       Firewall maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .           ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 648
           Viewing object usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .             ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 648
           Locking configuration objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .              ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 649
           Managing unused objects on the Control Center Management Server                                    ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 651
           Merging objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .          ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 652
           Setting the date and time on a firewall . . . . . . . . . . . . . . . . . . . . .                  ..   ..      ..      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . 655



McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide                                                                                                                                    9
Managing firewall shutdown and suspension states and other maintenance settings                                            .   .   .   .   .   .   .   .   .   .   .   .   . 656
               Viewing and managing firewall licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                       .   .   .   .   .   .   .   .   .   .   .   .   . 658
            Control Center maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                  .   .   .   .   .   .   .   .   .   .   .   .   . 662
               Viewing Management Server logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                       .   .   .   .   .   .   .   .   .   .   .   .   . 663
               Configuring Management Server properties . . . . . . . . . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   .   .   .   .   .   .   .   .   . 664
               Exporting firewall audit files that are stored on the Control Center . . . . . . . . . . . .                               .   .   .   .   .   .   .   .   .   .   .   .   . 667
               Customizing the Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                     .   .   .   .   .   .   .   .   .   .   .   .   . 669

     10     Reporting and Monitoring Tool                                                                                                                                                 671
            Reporting and Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . .              ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 671
                Viewing the properties of a firewall . . . . . . . . . . . . . . . . . . .               ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 672
                Investigating alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .         ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 673
                Column data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .          ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 674
                Mapping sound files to alarms . . . . . . . . . . . . . . . . . . . . . .                ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 676
            Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 677
                Managing alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .          ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 678
                Viewing events for a specific alert . . . . . . . . . . . . . . . . . . . .              ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 682
                Configuring the columns on the Event Browser window . . . . .                            ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 683
                Viewing additional event information . . . . . . . . . . . . . . . . . .                 ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 684
                Configuring columns for the Alert Browser page . . . . . . . . . .                       ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 685
                Filtering the alerts to be displayed in the Alert Browser . . . . .                      ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 686
            Secure Alerts Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .           ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 686
                Functionality of the Secure Alerts Server . . . . . . . . . . . . . . .                  ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 687
                Viewing Secure Alerts Server status information . . . . . . . . . .                      ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 687
            Firewall reports in the Reporting and Monitoring Tool . . . . . . . . .                      ..   ...   ..   ..   ...   ..   ...      .   .   .   .   .   .   .   .   .   .   . 689

     11     Software Updates Tool                                                                                                                                                         691
            Software Updates Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                ...      ..      ..      ..      .   .   .   .   . 691
               Automatically identify updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                    ...      ..      ..      ..      .   .   .   .   . 691
               Configuring update download settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                        ...      ..      ..      ..      .   .   .   .   . 692
               Downloading and applying Management Server updates . . . . . . . . . . . . . . . . . .                                    ...      ..      ..      ..      .   .   .   .   . 693
               Installing software and firmware updates . . . . . . . . . . . . . . . . . . . . . . . . . . . .                          ...      ..      ..      ..      .   .   .   .   . 697
               Managing updates for a firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                     ...      ..      ..      ..      .   .   .   .   . 699
               Scheduling device software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                        ...      ..      ..      ..      .   .   .   .   . 703
               Backing up and restoring firewall configurations . . . . . . . . . . . . . . . . . . . . . . . .                          ...      ..      ..      ..      .   .   .   .   . 704
               Confirming a configuration backup of one or more firewalls . . . . . . . . . . . . . . . .                                ...      ..      ..      ..      .   .   .   .   . 708
               Storing software and firmware updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                         ...      ..      ..      ..      .   .   .   .   . 709
               Manually downloading software updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                           ...      ..      ..      ..      .   .   .   .   . 711

            Index                                                                                                                                                                         715




About this Document


This Administration Guide leads you through planning and configuration of your initial Firewall Enterprise
Control Center (CommandCenter) Management Server. It also covers basic post-installation tasks for
integrating a new firewall into your network. While problems are not anticipated, this guide also includes
troubleshooting tips.
This guide is for anyone assigned to initially set up a McAfee Firewall Enterprise Control Center Management
Server. It assumes that you are familiar with McAfee Firewall Enterprise (Sidewinder) devices. It also
assumes you are familiar with networks and network terminology.
You can find additional information at the following locations:
• Online help — Online help is built into the Control Center. Press F1.
• Manuals — View product manuals at mysupport.mcafee.com.

• Knowledge Base — Visit the Knowledge Base at mysupport.mcafee.com. You’ll find helpful articles,
  troubleshooting tips and commands, and the latest documentation.

The following table lists the various documentation resources for Control Center administrators:

Table 1 Summary of Control Center documentation
Document                         Description

Firewall Enterprise Control      Leads you through your initial firewall configuration. Includes instructions for configuring
Center (CommandCenter)           and installing the High Availability (HA) Management Server and registering firewalls.
Setup Guide

Firewall Enterprise Control      Provides an introduction to Control Center and includes reference information and
Center (CommandCenter)           procedures for using the Control Center Client Suite to centrally define and manage the
Administration Guide             enterprise security policies for the firewall.

McAfee Firewall Enterprise       Complete administration information on all of the firewall functions and features. You
(Sidewinder)                     should read this guide if your Control Center enterprise includes firewalls.
Administration Guide

Online help                      Online help is built into Control Center Client Suite programs and the Control Center
                                 Initialization tool.

Knowledge Base                   Supplemental information for all other Control Center documentation. Articles include
                                 helpful troubleshooting tips and commands. All manuals and application notes are also
                                 posted here.
                                 The Knowledge Base is located at mysupport.mcafee.com.


Throughout this document, “firewall” always refers to the McAfee Firewall Enterprise. Refer to Table 2 for a
list of the text conventions that are used in this document.

Table 2 Conventions
Convention                  Description
Courier bold                Indicates commands and key words that you specify at a system prompt.
                            Note: A backslash (\) indicates a command that does not fit on the same line. Specify
                            the command as shown, ignoring the backslash.
Courier italic              Indicates a placeholder for text that you specify.
<Courier italic>            When enclosed in angle brackets (< >), this indicates optional text.
nnn.nnn.nnn.nnn             Indicates a placeholder for an IP address that you specify.
Courier plain               Indicates text that is displayed on a computer screen.
Plain text italics          Indicates the names of files and directories.
                            Also used for emphasis (for example, when introducing a new term).
Plain text bold             Identifies buttons, field names, and tabs that require user interaction.
[ ]                         Indicates conditional or optional text and instructions (for example, instructions that pertain
                            only to a specific configuration).
Caution                     Indicates that you must be careful. In this situation, you might do something that could result
                            in the loss of data or in an unpredictable outcome.
Note                        Indicates a helpful suggestion or a reference to material that is not covered elsewhere in this
                            documentation.
Security Alert              Indicates information that is critical for maintaining product integrity or security.
Tip                         Indicates time-saving actions. It also might help you solve a problem.

     Note: The IP addresses, screen captures, and graphics that are used within this document are for illustration
     purposes only. They are not intended to represent a complete or appropriate configuration for your specific
     needs. Features might be configured in screen captures because of contingency displays. However, not all
     features are appropriate or desirable for your setup.

     Additionally, many of the windows and pages in the Client tools have tables that can be edited. The first
     column of a table that can be edited can display different symbols, depending on the action being taken. In
     the help files, this is listed as the Edit column. The following example shows the symbols, along with their
     descriptions. For the remainder of the help files, only a verbal description of the symbol will be used.
     • Edit — This column identifies the edit status of the row in the table. The following icons can be displayed:

        • [blank] — Indicates an existing line with associated values that is not the currently selected line.

        •       — (Pencil) Indicates that this row is the one that is being edited.

        •       — Indicates that you are creating a new row or entry.

        •       — Indicates that this row is currently selected and it contains previously specified values.




1      Introduction


       Contents
       About the McAfee Firewall Enterprise Control Center (CommandCenter)
       About the Client Suite



About the McAfee Firewall Enterprise Control Center (CommandCenter)
       The Control Center is an enterprise-class management tool for creating and applying security policies
       across multiple firewalls. Network administrators can remotely manage, maintain, and monitor firewalls for
       one or more domains.
       The Control Center consists of the following entities:
       • Control Center Client Suite — a set of tools that resides on a desktop computer that is running a
         Windows® operating system. The tools provide the graphical user interfaces (GUIs) to configure, manage,
         and monitor supported firewalls and to perform Control Center administrative tasks. For more
         information, see About the Client Suite on page 15.

       • Control Center Management Server — a hardened Linux® platform that provides the firewall
         management and monitoring capabilities that are required to centrally implement security policy. It
         manages the framework for secure communication between the server, Client Suite, and supported
         firewalls. The Control Center Management Server requires at least one installation of the Control Center
         Client Suite.

       • At least one firewall in a heterogeneous network of security devices that exist in a single domain.

       • One or more domains that represent a complete, inclusive network security policy.
       Figure 1 Basic Control Center Management Server environment
       [Diagram showing the Control Center Client Suite (Windows), the Control Center Management Server, and
       three managed firewalls]

       Client application: Client Suite tools connect to the Control Center Management Server to create, edit,
       and deploy policy to the managed firewalls.

       Control Center Management Server: All firewall management is accomplished through a connection to the
       Control Center.

       Managed firewalls: The configuration and initialization is similar to standalone firewalls. Then push
       policy from the Control Center Management Server to each firewall.



       The Client Suite and tiers of firewalls securely communicate with the Management Server by using SOAP
       over HTTPS. SSL, using Client Certificates generated by the built-in Certificate Authority, is used to encrypt
       and authenticate the client/server communication.








     You can also implement Control Center Management Servers in a High Availability (HA) configuration, in
     which one Management Server actively manages the registered firewalls, while another Management
     Server acts as a standby or backup. If the active Management Server fails, the management responsibilities
     can be switched to the standby or backup Management Server. For more information about this, see High
     Availability (HA) on page 136.


     Features of the Control Center
     The Control Center is the central security appliance management solution from McAfee. It provides the
     foundation for a suite of products that is used to:
     • Define and distribute rules to hundreds of firewalls.

     • Share configuration data among firewalls.

     • Configure Virtual Private Network (VPN) connectivity.

     • Implement and selectively activate multiple security policies.

     • Manage software releases on all of your firewalls.

     • Simplify routine administrative tasks.

     • Manage ongoing changes to your security policies.

     The Control Center supports the following features and functionality:
     • Object-based design — Using an object-based configuration technique, objects can be defined once and
       can be reused anywhere that the object is needed. Network objects represent one example of this
       implementation. Network objects include firewalls and device groups, hosts, networks, address ranges,
       interfaces, and endpoint groups. These objects are used when you define rules. Over time, hundreds of
       rules can be defined by using these objects. If the properties of a network object must be changed, you
       need to update the object only once. The resulting changes will propagate wherever that object is used.

     • Auditing of object management events and archiving of audit tracking data — The Control Center
       has an audit tracking and archive management feature that can be configured to monitor object changes
       and purge or archive audit tracking data. The auditing data contains information about the
       operation performed, the time, the date, and the user name. This information can be displayed or printed using the
       Audit Trail report. Because the audit tracking table grows without bounds and consumes disk space, you
       also have the option to periodically remove the data from the database or archive it to another location.
       This is true for both Control Center audit data and audit data that is currently stored on the Management
       Server that was retrieved from one or more firewalls.
     • Configuration domains — Use configuration domains to partition your managed firewalls into separate
       collections of objects and configuration data. Each collection is independent of any other collection, and
       changes to one collection do not affect the others. For more information, see Configuration domains on
       page 92.

     • Rule set queries — Because firewall configurations often require numerous rules, the Control Center can
       produce views that show a subset of these rules. This added convenience helps to manage and
       validate the many rules that are stored in the Control Center database.

     • Firewall configuration retrieval — After a firewall has been added to the list of managed firewalls, you
       can use the Firewall Retrieval Options window to choose the configuration components to be retrieved and
       stored as Control Center objects. You can select all components or limit your selection to specific
       components. This feature saves time and effort when you are performing the initial setup to manage a
       firewall.

     • Policy validation and reports — After making configuration changes and before applying them, you can
       determine whether firewall configurations in the Control Center database are valid. You can view a report
       that shows the status of the validation process and a report that details the differences between the
       current and proposed firewall configurations.








       • Configuration status report — After the configuration has been propagated to one or more firewalls, a
         status report is produced to list warnings or errors that may have occurred.

       • Certificate Authority (CA) framework — A built-in CA framework lets you quickly issue certificates for
         the various architectural components. A built-in CA saves time when using SSL with client certificates.

       • Simultaneous, multiple users — The Control Center provides a locking mechanism that accommodates
         simultaneous use of the Control Center Client Tools by multiple users. Administrators have the option of
         locking entire object trees or allowing the system to lock individual objects on a first-come, first-served
         basis. This approach allows single-user environments to function without explicit locking.

       • High Availability (HA) feature — You can configure redundant Management Servers by using the High
         Availability Server Configuration (HA) feature. The HA feature uses a multi-server configuration to
         continue Control Center Management Server functions if the active Management Server fails. For more
         information, see High Availability (HA) on page 136.

       • Apply Configuration enhancements — The Apply Configuration window includes a checkbox that
         determines whether the network is automatically re-initialized when configuration changes are applied to
         a firewall. If the network is not re-initialized automatically, the Client displays all of the firewalls that need
         to be re-initialized in the Configuration Status report. In addition, the apply mechanism on the firewall
         supports the running of a script after the apply operation has been completed. The apply process also
         supports the listing of files that are to be excluded from management.



About the Client Suite
       The McAfee Firewall Enterprise Control Center Client Suite is the suite of tools that provides the user
       interfaces for task-grouped operations of the Control Center. Each tool encapsulates related operations to
       deliver the functionality required by Control Center users.


       Administration Tool
       The Administration Tool aggregates the McAfee Firewall Enterprise Control Center administrative functions
       into a single tool.
       You can accomplish the following tasks by using the features and functions of the Administration Tool:
       • Control Center users — You can create and manage the unique Control Center user names and
         passwords that are used to authenticate user access to the Control Center Management Server. For more
         information, see Control Center users on page 81.
       • Control Center roles — After a user is defined, he or she is assigned a role that determines the tasks
         that he or she is allowed to perform. Although a default set of roles has been pre-defined, you can create
         additional user-defined roles that can be assigned to Control Center users. For more information, see
         Control Center roles on page 89.

       • Configuration domains — Activate the configuration domains option to segregate configuration data
         views and management into multiple domains. The operation and configuration data associated with a
         configuration domain is accessible only when the specific domain is selected during the login process. All
         other configuration data is obscured and cannot be acted upon or seen. If configuration domains are
         activated, configuration domain versions and version management can be accessed from the
         Administration Tool, as well as from the Configuration tool. For more information about configuring and
         managing configuration domains, see Configuration domains on page 92. For more information about
         versions and version management for configuration domains, see Configuration domain version
         management on page 97.








     • Audit Trail — The Control Center can track when firewalls, endpoints, services, rules, alert processing
       rules, and many other objects are updated, added, or removed by Control Center users. You can define
       the actions that are to be tracked, the objects that are to be tracked, the archiving (or not) of the tracked
       data, and a way to view and filter the tracked data. For more information, see Audit data management
       on page 100.
        Note: Do not confuse the Control Center Audit Trail that provides a record of actions performed by Control
        Center users with security firewall-specific audit reports.

     • Control Center license — You can manage the Control Center license by selecting License from the
       System menu. For more information, see Control Center Management Server licensing on page 104.

     • System settings — You can manage specific Control Center system settings in the Administration Tool.
       These settings include: defining the default login disclaimer information that is posted in the login window
       for each tool in the Client Suite, the failed login lockout settings, and the default application time-out
       period. For more information, see Configuring system settings on page 121.

     • Alternate authentication — Use the Administration Tool to configure the way that Control Center users
       authenticate with the Management Server. The Control Center supports an internal authentication
       mechanism, as well as LDAP and RADIUS for off-box authentication. For more information, see
       Authentication on page 145.

     • Management Server backup and restore operations — Use the Administration Tool (and the
       Configuration Tool under certain circumstances) to manage the backup and restoration of the Control
       Center configuration and the operational data. A full system backup can be requested and an FTP off-box
       location can be specified. For more information, see Managing configuration data for the Management
       Server on page 23.

     • Backup server status — If the High Availability (HA) Management Server Configuration option is used,
       you can view the status condition of the backup Management Servers in the Backup Server Status page.
       For more information, see Viewing the status of your backup Management Servers on page 122.


     Configuration Tool
     Use the Configuration Tool to define, configure, and maintain multiple firewalls and security policies for a
     distributed homogeneous or heterogeneous configuration of firewalls.
     You can accomplish the following tasks by using the features and functions of the Configuration Tool:
     • Create configurable objects — The components that comprise a security policy include a set of
       configurable objects that defines the characteristics of the building blocks that are used to implement the
       security policy. Use this object model of defined objects to share characteristics, options, and
       functionality, instead of having to provide raw configuration information for each aspect of an
       implemented security policy. Use the Configuration Tool to retrieve, create, and manage configurable
       object characteristics. For more information, see Configurable objects on page 154.

     • Manage configurable objects — After configurable objects have been defined or retrieved, you can
       edit, validate, and apply changes to the configured object. You can manage the implemented security
       policy across all of the supported firewalls in your configuration. For more information, see Firewall
       configuration management on page 574.

     • Create and manage rules — Rules provide the network security mechanism that controls the flow of
       data into and out of the internal network. They specify the network communications protocols that can
       be used to transfer packets, the hosts and networks to and from which packets can travel, and the time
       periods during which the rules can be applied. Rules are created by the system administrator and should
       reflect the internal network site's security policy. You can retrieve, create, and manage rules in the
       Configuration Tool. For more information, see Creating, viewing, or modifying rules on page 528.






  • 1. McAfee Firewall Enterprise Control ® Center (CommandCenter™) Administration Guide version 4.0.0.04
  • 2. COPYRIGHT Copyright © 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. License Attributions This product includes software developed by Inferno Nettverk A/S, Norway. 
Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002 Inferno Nettverk A/S, Norway. All rights reserved. This product includes software developed by Todd C. Miller. Copyright (c) 1996 Todd C. Miller <Todd.Miller@courtesan.com> All rights reserved. This product includes software developed by the University of California, Berkeley and its contributors. Copyright (c) 1983, 1988, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. This product includes software developed by Red Hat, Inc. Copyright Red Hat, Inc., 1998, 1999, 2001, 2002. This product includes software developed by Julianne F. Haugh. Copyright 1988 - 1997, Julianne F. Haugh. All rights reserved. This product includes software developed by Info-ZIP. Copyright (c) 1990-2004 Info-ZIP. All rights reserved. This product includes software developed by the Apache Software Foundation http://www.apache.org. Copyright (c) 1999, 2000 The Apache Software Foundation. All rights reserved. This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/). Copyright (c) 2000 Carnegie Mellon University. All rights reserved. This product includes software developed by Ian F. Darwin and others. Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995. This product includes software developed by Silicon Graphics, Inc. Copyright (c) 1991-1997. Portions by Sam Leffler. Copyright (c) 1988-1997. This product includes software developed by Purdue Research Foundation, West Lafayette, Indiana 47907. Copyright 2002. All rights reserved. Portions by Victor A. Abell This product includes software developed by Thomas E. Dickey <dickey@invisible-island.net>. Copyright 1997-2002, 2003. All Rights Reserved. This product includes software developed by David L. Mills. Copyright (c) David L. Mills 1992-2001. This product includes software developed by University of Cambridge. 
Copyright (c) 1997-2001 University of Cambridge; ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ This product contains db4 software - Portions distributed by Sleepycat Software. Copyright (c) 1990-2001 Sleepycat Software, and by The President and Fellows of Harvard University, copyright (c) 1995, 1996. All rights reserved. This product includes software developed by Keith Packard. Copyright © 2001,2003. This product includes krb5 software developed by the Massachusetts Institute of Technology, Copyright (c) 1985-2001. This product includes libjpeg software developed by Thomas G. Lane, Copyright (C) 1991-1998. All Rights Reserved. This software is based in part on the work of the Independent JPEG Group. This product includes libradius software developed by Juniper Networks, Inc., Copyright 1998. All rights reserved. This product includes LInux LOader (LILO) software developed in part by Werner Almesberger, Copyright 1992-1998. Portions by John Coffman, Copyright 1999-2005. All rights reserved. This product includes software developed by The OpenSSL Project for use in the OpenSSL Toolkit. (http:// www.openssl.org) Copyright © 1998-2006. The toolkit includes cryptographic software written by Eric Young (eay@cryptsoft.com). Copyright (c) 1995-1998. This product includes software written by Tim Hudson (tjh@cryptsoft.com) Copyright (c) 1993-2001 Spread Concepts LLC. All rights reserved. This product includes software developed by The XFree86 Project, Inc. (http://www.xfree86.org/) and its contributors. Copyright (C) 1994-2004 The XFree86 Project, Inc. All rights reserved. Part of the software embedded in this product is gSOAP software. Portions created by gSOAP are Copyright (C) 2001-2004 Robert A. van Engelen, Genivia Inc. All Rights Reserved. This product includes software developed by Internet Systems Consortium, Inc. Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC"). Copyright © 1996-2003 Internet Software Consortium. 
This product includes software developed by Jython Developers. Copyright © 2000-2007 Jython Developers. All rights reserved. This product contains certain other third party software which include the following additional terms: Redistribution and use in source and binary forms of the above listed software, with or without modification, are permitted provided that the following conditions are met: 1 Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2 Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3 Neither the name of the author may be used to endorse or promote products derived from this software without specific prior written permission. Issued April 2009 / McAfee Firewall Enterprise Control Center (CommandCenter ) software version 4.0.0.04 ® ™
  • 3. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes or may include some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format that the source code also be made available to those users. For any such software, the source code is made available in a designated directory created by installation of the Software or designated internet page. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in the McAfee End User License Agreement, then such rights shall take precedence over the rights and restrictions herein. Issued April 2009 / McAfee Firewall Enterprise Control Center (CommandCenter ) software version 4.0.0.04 ® ™
  • 4. Issued April 2009 / McAfee Firewall Enterprise Control Center (CommandCenter ) software version 4.0.0.04 ® ™
  • 5. Contents About this Document 11 1 Introduction 13 About the McAfee Firewall Enterprise Control Center (CommandCenter) . . . . . . . . . . . . . . . . . . . . . . . . . 13 Features of the Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 About the Client Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Reporting and Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Software Updates Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2 Administrator Basics 19 Managing the McAfee Firewall Enterprise Control Center (CommandCenter) Management Server . . . . . . . 19 Configuring the Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 Logging into the Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Managing configuration data for the Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Backing up configuration data for the Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Restoring configuration data to the Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Disaster recovery restoration for Management Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Restoring a standalone Management Server that has failed completely . . . . . . . . . . . . . 
. . . . . . . . . . 34 Restoring a primary Management Server that has failed completely and that is part of a high availability (HA) pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Restoring a backup Management Server that has failed completely and that is part of a high availability (HA) pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Restoring both Management Servers in a high availability (HA) pair that have failed completely . . . . . . 37 Adding firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Adding firewalls by using rapid deployment registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Adding firewalls by using manual registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Managing firewall interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Routed mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Transparent (bridged) mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Navigating the Control Center user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Administration Tool main window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Configuration Tool main window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Reporting and Monitoring Tool main window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Software Updates Tool main window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . .49 Administration Tool menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Configuration Tool menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Reporting and Monitoring Tool menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Software Updates Tool menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Customizing a toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Administration Tool toolbars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Configuration Tool toolbars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Reporting and Monitoring Tool toolbars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Software Updates Tool toolbars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 3 Administration Tool 79 Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Control Center users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Configuring Control Center users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Changing user passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Control Center roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
89 Managing roles for Control Center users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Configuration domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Activating configuration domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 5
  • 6.
Configuring configuration domains
Moving a firewall or cluster from one configuration domain to another
Changing from one configuration domain to another
Configuration domain version management
Configuration domain version management
Managing versions of configuration domains
Audit data management
Managing audit trail information
Configuring change tickets
Control Center Management Server licensing
Managing Control Center licenses
Configuring common license information for the Control Center
Configuring Control Center network settings
System settings
Configuring system settings
Viewing the status of your backup Management Servers
Creating backup files of your Management Server data by using the GUI
Restoring the Management Server configuration files from a backup file
Uploading a backup configuration file from the Client to the Management Server
Changing login information for remote system backups
Setting the date and time on the Management Server
Restarting the Management Server
ePolicy Orchestrator settings
Configuring access to the ePolicy Orchestrator server
Viewing ePolicy Orchestrator host data
High Availability (HA)
How High Availability (HA) works
HA configuration and status support
Configuring the High Availability (HA) feature
Removing the High Availability (HA) configuration feature
Authentication
Configuring Control Center user authentication
Control Center Authentication Configuration window: Authentication Servers tab
Configuring external authentication servers

4 Configuration Tool Overview
Configuration Tool
Configuration Tool operations
Configurable objects
Viewing details about objects

5 Configuration Tool - Firewalls
Firewall objects
McAfee Firewall Enterprise (Sidewinder)
Registering your firewalls by using the rapid deployment option
Registering a firewall manually
Retrieving firewall components
Configuring settings for a standalone firewall
Configuring the firewall
Firewall window-related tasks
Converting network objects in rules for the IPv6 protocol
Deleting firewall objects
McAfee Firewall Enterprise (Sidewinder) clusters
Managing clusters
Configuring, promoting and demoting cluster objects and cluster nodes
Overview of configuring a cluster on the McAfee Firewall Enterprise Admin Console
Adding a cluster that was created on the McAfee Firewall Enterprise Admin Console
Configuring configuration information for a cluster
Modifying cluster interface properties
Configuring configuration data for a cluster member
Device groups
Configuring groups of related device objects
  • 7.
6 Configuration Tool - Firewall Settings
Firewall settings
Common (global) settings
Configuring common (global) settings
Audit export
Configuring audit archive settings for a firewall
McAfee Firewall Profiler
Configuring McAfee Firewall Profiler settings
Firewall Reporter / Syslog settings
Configuring the exportation of audit data to a McAfee Firewall Reporter or to designated syslog servers
Network defenses
Configuring network defense audit reports
Managing servers and service configurations
Viewing and managing IPS signatures by using the IPS Signature Browser
TrustedSource
Configuring TrustedSource settings for rules and mail filtering
Virus scanning
Configuring virus scanning properties
Quality of Service
Creating Quality of Service profiles
DNS zones
Configuring DNS zones
Scheduled jobs
Scheduling jobs
Third-party updates
Configuring third-party update schedules
Software update package status
Establishing a schedule to check for software updates

7 Configuration Tool - Policy
Policy objects
Network objects
Configuring endpoints (network objects)
Creating adaptive endpoints
Creating Geo-Location objects
Configuring burbs
Configuring groups of burb objects
Configuring groups of endpoint objects
Importing network objects
Services
Configuring proxy services
Configuring filter services
Configuring service groups
Application defenses
Configuring HTTP application defenses
Configuring HTTPS application defenses
Configuring Mail (Sendmail) application defenses
Configuring Mail (SMTP proxy) application defenses
Configuring Citrix application defenses
Configuring FTP application defenses
Configuring IIOP application defenses
Configuring T120 application defenses
Configuring H.323 application defenses
Configuring Oracle application defenses
Configuring MS SQL application defenses
Configuring SOCKS application defenses
Configuring SNMP application defenses
Configuring SIP application defenses
Configuring SSH application defenses
Configuring Packet Filter application defenses
Configuring application defense groups
  • 8.
IPS inspection
Configuring IPS response mappings
Configuring IPS signature groups
Authentication services
Configuring password authenticators
Configuring passport authenticators
Configuring RADIUS authenticators
Configuring Safeword authenticators
Configuring Windows Domain authenticators
Configuring iPlanet authenticators
Configuring Active Directory authenticators
Configuring OpenLDAP authenticators
Configuring custom LDAP authenticators
Configuring CAC authenticators
Firewall users
Firewall administrators, users, user groups, and external groups
Configuring firewall users
Configuring firewall administrators
Configuring firewall user groups
Configuring external firewall groups
Time periods
Managing time periods
VPN
Configuration features
Components and considerations
Client configurations and XAUTH
Creating VPN channels
Managing firewall certificates for VPN gateways
Configuring VPN gateways
Configuring VPN peer objects
Building Star, Mesh, and remote access VPN communities
Creating a network configuration for a VPN client
Defining fixed addresses for VPN clients
Adding a VPN client configuration
CA certificates
Managing certificate names
Creating certificates or importing them into the certificate database
Importing certificates into the known certificates database
Exporting certificates
Loading certificates
Managing remote certificates
Bypassing IPsec policy evaluation
Rules
How rules work
Rule management
Creating, viewing, or modifying rules
Configuring columns to display on the Rules page
Configuring rules
Configuring default settings for creating rules
Replacing objects in rules
Verifying the objects to be replaced in your rules
Filtering rules to display on the Rules page
Loading and managing previously saved rule filters
Displaying filtered rules on the Rules page
Configuring groups of rules
Merging rules with common elements
Deleting duplicate rules
Viewing configuration information for duplicate rules
URL translation rules
Viewing your URL translation rules
Configuring URL translation rules
Alert processing rules
Viewing alert processing rules
  • 9.
Modifying pre-defined alert processing rules
Assigning priority levels to alerts
SSH known hosts
Configuring strong known host associations
Creating strong SSH known host keys
Configuring host associations

8 Configuration Tool - Monitor
Monitoring
Firewall configuration management
Viewing the overall status of your firewalls
Viewing the status of a specific firewall
Configuring settings for the Firewall Status page
Viewing configuration information about each firewall
Validating firewall configurations
Troubleshooting validation configuration warnings
Applying firewall configurations
Troubleshooting apply configuration warnings
Viewing the status of Apply Configurations
Reviewing your configured firewalls
Comparing impacts of proposed configuration changes for a firewall
Configuring compliance report settings
Viewing the compliance status of the current firewall configuration
Viewing your firewall enrollment (deployment) status
Configuring the firewall for usage inside the Control Center Client
Viewing real-time Web data for your network
Viewing services and managing service agents
Viewing details about a firewall service
Responses
Configuring alert notification for e-mail accounts
Configuring blackholes for suspected hosts
Viewing IPS attack responses
Configuring IPS attack responses
Viewing system responses
Configuring system responses
Audit trail
Viewing audit trail information
Configuring a custom audit trail filter
Audit archives
Reporting
Firewall reports
Viewing firewall report data
Generating firewall reports
Firewall audit reports
Configuring and generating audit reports for one or more firewalls
Configuring filters for audit reports
Viewing event-specific audit information
Configuring on-screen color schemes for the audit records
Displaying system information for the Control Center Management Server
Selecting the criteria for the firewall policy report
Viewing information about the security policy for firewalls
Firewall license reports
Selecting the firewall for the license report
Viewing the status of all of the licenses for a firewall

9 Configuration Tool - Maintenance
Maintenance
Firewall maintenance
Viewing object usage
Locking configuration objects
Managing unused objects on the Control Center Management Server
Merging objects
Setting the date and time on a firewall
  • 10.
Managing firewall shutdown and suspension states and other maintenance settings
Viewing and managing firewall licenses
Control Center maintenance
Viewing Management Server logs
Configuring Management Server properties
Exporting firewall audit files that are stored on the Control Center
Customizing the Configuration Tool

10 Reporting and Monitoring Tool
Reporting and Monitoring Tool
Viewing the properties of a firewall
Investigating alerts
Column data
Mapping sound files to alarms
Alerts
Managing alerts
Viewing events for a specific alert
Configuring the columns on the Event Browser window
Viewing additional event information
Configuring columns for the Alert Browser page
Filtering the alerts to be displayed in the Alert Browser
Secure Alerts Server
Functionality of the Secure Alerts Server
Viewing Secure Alerts Server status information
Firewall reports in the Reporting and Monitoring Tool

11 Software Updates Tool
Software Updates Tool
Automatically identify updates
Configuring update download settings
Downloading and applying Management Server updates
Installing software and firmware updates
Managing updates for a firewall
Scheduling device software updates
Backing up and restoring firewall configurations
Confirming a configuration backup of one or more firewalls
Storing software and firmware updates
Manually downloading software updates

Index
About this Document

This Administration Guide leads you through planning and configuration of your initial Firewall Enterprise Control Center (CommandCenter) Management Server. It also covers basic post-installation tasks for integrating a new firewall into your network. While problems are not anticipated, this guide also includes troubleshooting tips.

This guide is for anyone assigned to initially set up a McAfee Firewall Enterprise Control Center Management Server. It assumes that you are familiar with McAfee Firewall Enterprise (Sidewinder) devices. It also assumes you are familiar with networks and network terminology.

You can find additional information at the following locations:
• Online help — Online help is built into the Control Center. Click F1.
• Manuals — View product manuals at mysupport.mcafee.com.
• Knowledge Base — Visit the Knowledge Base at mysupport.mcafee.com. You’ll find helpful articles, troubleshooting tips and commands, and the latest documentation.

The following table lists the various documentation resources for Control Center administrators:

Table 1 Summary of Control Center documentation

| Document | Description |
| --- | --- |
| Firewall Enterprise Control Center (CommandCenter) Setup Guide | Leads you through your initial firewall configuration. Includes instructions for configuring and installing the High Availability (HA) Management Server and registering firewalls. |
| Firewall Enterprise Control Center (CommandCenter) Administration Guide | Provides an introduction to Control Center and includes reference information and procedures for using the Control Center Client Suite to centrally define and manage the enterprise security policies for the firewall. |
| McAfee Firewall Enterprise (Sidewinder) Administration Guide | Complete administration information on all of the firewall functions and features. You should read this guide if your Control Center enterprise includes firewalls. |
| Online help | Online help is built into Control Center Client Suite programs and the Control Center Initialization tool. |
| Knowledge Base | Supplemental information for all other Control Center documentation. Articles include helpful troubleshooting tips and commands. All manuals and application notes are also posted here. The Knowledge Base is located at mysupport.mcafee.com. |

Any time that there is a reference to a “firewall”, this is always the McAfee Firewall Enterprise. Additionally, refer to Table 2 for a list of the text conventions that are used in this document.

Table 2 Conventions

| Convention | Description |
| --- | --- |
| Courier bold | Indicates commands and key words that you specify at a system prompt. Note: A backslash (\) indicates a command that does not fit on the same line. Specify the command as shown, ignoring the backslash. |
| Courier italic | Indicates a placeholder for text that you specify. |
| <Courier italic> | When enclosed in angle brackets (< >), this indicates optional text. |
| nnn.nnn.nnn.nnn | Indicates a placeholder for an IP address that you specify. |
| Courier plain | Indicates text that is displayed on a computer screen. |
| Plain text italics | Indicates the names of files and directories. Also used for emphasis (for example, when introducing a new term). |
Table 2 Conventions (continued)

| Convention | Description |
| --- | --- |
| Plain text bold | Identifies buttons, field names, and tabs that require user interaction. |
| [ ] | Indicates conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration). |
| Caution | Indicates that you must be careful. In this situation, you might do something that could result in the loss of data or in an unpredictable outcome. |
| Note | Indicates a helpful suggestion or a reference to material that is not covered elsewhere in this documentation. |
| Security Alert | Indicates information that is critical for maintaining product integrity or security. |
| Tip | Indicates time-saving actions. It also might help you solve a problem. |

Note: The IP addresses, screen captures, and graphics that are used within this document are for illustration purposes only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features might be configured in screen captures because of contingency displays. However, not all features are appropriate or desirable for your setup.

Additionally, many of the windows and pages in the Client tools have tables that can be edited. The first column of a table that can be edited can display different symbols, depending on the action being taken. In the help files, this is listed as the Edit column. The following example shows the symbols, along with their descriptions. For the remainder of the help files, only a verbal description of the symbol will be used.

• Edit — This column identifies the edit status of the row in the table. The following icons can be displayed:
  • [blank] — Indicates an existing line with associated values that is not the currently selected line.
  • — (Pencil) Indicates that this row is the one that is being edited.
  • — Indicates that you are creating a new row or entry.
  • — Indicates that this row is currently selected and it contains previously specified values.
1 Introduction

Contents
• About the McAfee Firewall Enterprise Control Center (CommandCenter)
• About the Client Suite

About the McAfee Firewall Enterprise Control Center (CommandCenter)

The Control Center is an enterprise-class management tool for creating and applying security policies across multiple firewalls. Network administrators can remotely manage, maintain, and monitor firewalls for one or more domains.

The Control Center consists of the following entities:
• Control Center Client Suite — a set of tools that resides on a desktop computer that is running a Windows operating system. The tools provide the graphical user interfaces (GUIs) to configure, manage, and monitor supported firewalls and to perform Control Center administrative tasks. For more information, see About the Client Suite on page 15.
• Control Center Management Server — a hardened Linux platform that provides the firewall management and monitoring capabilities that are required to centrally implement security policy. It manages the framework for secure communication between the server, Client Suite, and supported firewalls. The Control Center Management Server requires at least one installation of the Control Center Client Suite.
• At least one firewall in a heterogeneous network of security devices that exist in a single domain.
• One or more domains that represent a complete, inclusive network security policy.

Figure 1 Basic Control Center Management Server environment
[Figure labels: Control Center Client Suite (Windows); Control Center Management Server; Managed firewall (three shown)]
• Client application: Client Suite tools connect to the Control Center Management Server to create, edit, and deploy policy to the managed firewalls.
• Control Center Management Server: All firewall management is accomplished through a connection to the Control Center.
• Managed firewalls: The configuration and initialization is similar to standalone firewalls. Then push policy from the Control Center Management Server to each firewall.

The Client Suite and tiers of firewalls securely communicate with the Management Server by using SOAP over HTTPS. SSL, using Client Certificates generated by the built-in Certificate Authority, is used to encrypt and authenticate the client/server communication.
You can also implement Control Center Management Servers in a High Availability (HA) configuration, in which one Management Server actively manages the registered firewalls, while another Management Server acts as a standby or backup. If the active Management Server fails, the management responsibilities can be switched to the standby or backup Management Server. For more information about this, see High Availability (HA) on page 136.

Features of the Control Center

The Control Center is the central security appliance management solution from McAfee. It provides the foundation for a suite of products that is used to:
• Define and distribute rules to hundreds of firewalls.
• Share configuration data among firewalls.
• Configure Virtual Private Network (VPN) connectivity.
• Implement and selectively activate multiple security policies.
• Manage software releases on all of your firewalls.
• Simplify routine administrative tasks.
• Manage ongoing changes to your security policies.

The Control Center supports the following features and functionality:
• Object-based design — Using an object-based configuration technique, objects can be defined once and can be reused anywhere that the object is needed. Network objects represent one example of this implementation. Network objects include firewalls and device groups, hosts, networks, address ranges, interfaces, and endpoint groups. These objects are used when you define rules. Over time, hundreds of rules can be defined by using these objects. If the properties of a network object must be changed, you have to update the object only once. The resulting changes will propagate wherever that object is used.
• Auditing of object management events and archiving of audit tracking data — The Control Center has an audit tracking and archive management feature that can be configured to monitor object changes and purge or archive audit tracking data. The auditing data contains information about the requested operation performed, time, date, and user name. This information can be displayed or printed using the Audit Trail report. Because the audit tracking table grows without bounds and consumes disk space, you also have the option to periodically remove the data from the database or archive it to another location. This is true for both Control Center audit data and audit data that is currently stored on the Management Server that was retrieved from one or more firewalls.
• Configuration domains — Use configuration domains to partition your managed firewalls into separate collections of objects and configuration data. Each collection is independent of any other collection, and changes to one collection do not affect the others. For more information, see Configuration domains on page 92.
• Rule set queries — Because firewall configurations often require numerous rules, the Control Center can produce views of these rules as a subset of the rules. This added convenience helps to manage and validate the many rules that are stored in the Control Center database.
• Firewall configuration retrieval — After a firewall has been added to the list of managed firewalls, you can use the Firewall Retrieval Options window to choose the configuration components to be retrieved and stored as Control Center objects. You can select all components or limit your selection to specific components. This feature saves time and effort when you are performing the initial setup to manage a firewall.
• Policy validation and reports — After making configuration changes and before applying them, you can determine whether firewall configurations in the Control Center database are valid. You can view a report that shows the status of the validation process and a report that details the differences between the current and proposed firewall configurations.
• Configuration status report — After the configuration has been propagated to one or more firewalls, a status report is produced to list warnings or errors that may have occurred.
• Certificate Authority (CA) framework — A built-in CA framework lets you quickly issue certificates for the various architectural components. A built-in CA saves time when using SSL with client certificates.
• Simultaneous, multiple users — The Control Center provides a locking mechanism that accommodates simultaneous use of the Control Center Client Tools by multiple users. Administrators have the option of locking entire object trees or allowing the system to lock individual objects on a first-come, first-served basis. This approach allows single-user environments to function without explicit locking.
• High Availability (HA) feature — You can configure redundant Management Servers by using the High Availability Server Configuration (HA) feature. The HA feature uses a multi-server configuration to continue Control Center Management Server functions if the active Management Server fails. For more information, see High Availability (HA) on page 136.
• Apply Configuration enhancements — The Apply Configuration window includes a checkbox that determines whether the network is automatically re-initialized when configuration changes are applied to a firewall. If the network is not re-initialized automatically, the Client displays all of the firewalls that need to be re-initialized in the Configuration Status report. In addition, the apply mechanism on the firewall supports the running of a script after the apply operation has been completed. The apply process also supports listing the files that are to be excluded from management.

About the Client Suite

The McAfee Firewall Enterprise Control Center Client Suite is the suite of tools that provides the user interfaces for task-grouped operations of the Control Center. Each tool encapsulates related operations to deliver the functionality required by Control Center users.

Administration Tool

The Administration Tool aggregates the McAfee Firewall Enterprise Control Center administrative functions into a single tool. You can accomplish the following tasks by using the features and functions of the Administration Tool:
• Control Center users — You can create and manage the unique Control Center user names and passwords that are used to authenticate user access to the Control Center Management Server. For more information, see Control Center users on page 81.
• Control Center roles — After a user is defined, he or she is assigned a role that determines the tasks that he or she is allowed to perform. Although a default set of roles has been pre-defined, you can create additional user-defined roles that can be assigned to Control Center users. For more information, see Control Center roles on page 89.
• Configuration domains — Activate the configuration domains option to segregate configuration data views and management into multiple domains. The operation and configuration data associated with a configuration domain is accessible only when the specific domain is selected during the login process. All other configuration data is obscured and cannot be acted upon or seen. If configuration domains are activated, configuration domain versions and version management can be accessed from the Administration Tool, as well as from the Configuration Tool. For more information about configuring and managing configuration domains, see Configuration domains on page 92. For more information about versions and version management for configuration domains, see Configuration domain version management on page 97.
• Audit Trail — The Control Center can track when firewalls, endpoints, services, rules, alert processing rules, and many other objects are updated, added, or removed by Control Center users. You can define the actions that are to be tracked, the objects that are to be tracked, the archiving (or not) of the tracked data, and a way to view and filter the tracked data. For more information, see Audit data management on page 100.
  Note: Do not confuse the Control Center Audit Trail that provides a record of actions performed by Control Center users with security firewall-specific audit reports.
• Control Center license — You can manage the Control Center license by selecting License from the System menu. For more information, see Control Center Management Server licensing on page 104.
• System settings — You can manage specific Control Center system settings in the Administration Tool. These settings include: defining the default login disclaimer information that is posted in the login window for each tool in the Client Suite, the failed login lockout settings, and the default application time-out period. For more information, see Configuring system settings on page 121.
• Alternate authentication — Use the Administration Tool to configure the way that Control Center users authenticate with the Management Server. The Control Center supports an internal authentication mechanism, as well as LDAP and RADIUS for off-box authentication. For more information, see Authentication on page 145.
• Management Server backup and restore operations — Use the Administration Tool (and the Configuration Tool under certain circumstances) to manage the backup and restoration of the Control Center configuration and the operational data. A full system backup can be requested and an FTP off-box location can be specified. For more information, see Managing configuration data for the Management Server on page 23.
• Backup server status — If the High Availability (HA) Management Server Configuration option is used, you can view the status condition of the backup Management Servers in the Backup Server Status page. For more information, see Viewing the status of your backup Management Servers on page 122.

Configuration Tool

Use the Configuration Tool to define, configure, and maintain multiple firewalls and security policies for a distributed homogeneous or heterogeneous configuration of firewalls. You can accomplish the following tasks by using the features and functions of the Configuration Tool:
• Create configurable objects — The components that comprise a security policy include a set of configurable objects that defines the characteristics of the building blocks that are used to implement the security policy. Use this object model of defined objects to share characteristics, options, and functionality, instead of having to provide raw configuration information for each aspect of an implemented security policy. Use the Configuration Tool to retrieve, create, and manage configurable object characteristics. For more information, see Configurable objects on page 154.
• Manage configurable objects — After configurable objects have been defined or retrieved, you can edit, validate, and apply changes to the configured object. You can manage the implemented security policy across all of the supported firewalls in your configuration. For more information, see Firewall configuration management on page 574.
• Create and manage rules — Rules provide the network security mechanism that controls the flow of data into and out of the internal network. They specify the network communications protocols that can be used to transfer packets, the hosts and networks to and from which packets can travel, and the time periods during which the rules can be applied. Rules are created by the system administrator and should reflect the internal network site's security policy. You can retrieve, create, and manage rules in the Configuration Tool. For more information, see Creating, viewing, or modifying rules on page 528.