McAfee SMC Administrator's Guide 5.7: Security Management Center, NGFW Engines

Uploaded by javier, posted 05-Jan-2016

McAfee SMC Administrator's Guide 5.7
Security Management Center
NGFW Engines

Legal Information
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the McAfee website: http://www.mcafee.com/us/about/legal/license-agreements.aspx
Revision: SGAG_20140326

TABLE OF CONTENTS

GETTING STARTED

CHAPTER 1  Using SMC Documentation . . . . 25
  Using This Documentation . . . . 26
    Typographical Conventions . . . . 26
  Documentation Available . . . . 27
    Product Documentation . . . . 27
    Using Online Help Locally . . . . 28
    Support Documentation . . . . 28
  System Requirements . . . . 28
    Supported Features . . . . 29
  Contact Information . . . . 29

CHAPTER 2  New in This Release . . . . 31
  Changes in SMC 5.7 . . . . 32
    Element-Based NAT . . . . 32
    Log and Audit Data Forwarding to McAfee Enterprise Security Manager . . . . 32
  Changes in Firewall/VPN 5.7 . . . . 33
    Element-Based NAT . . . . 33
    Improved Botnet Detection . . . . 33
    McAfee Anti-Virus . . . . 33
  Changes in IPS and Layer 2 Firewalls 5.7 . . . . 34
    Improved Botnet Detection . . . . 34
    Passive Firewall Mode for Layer 2 Firewalls . . . . 34
  Notes for Upgrading Users . . . . 35
    McAfee Anti-Virus . . . . 35
    Terminology Changes for Rebranding . . . . 35

CHAPTER 3  Using the Management Client . . . . 37
  Overview to the Management Client . . . . 38
    Rearranging the General Layout . . . . 42
  Bookmarking Views . . . . 43
    Managing Bookmarks . . . . 43
    Creating New Bookmarks . . . . 43
    Creating New Bookmark Folders . . . . 44
    Adding Bookmarks to the Toolbar . . . . 44
  Changing the Startup View . . . . 45
  Using the Search Features . . . . 45
    Using Basic Element Search . . . . 45
    Searching for Element References . . . . 46
    Using the DNS Search . . . . 47
    Creating Host Elements Based on DNS Queries . . . . 48
    Searching for Duplicate IP Addresses . . . . 49
    Searching for Unused Elements . . . . 49
    Searching for Users . . . . 50
    Searching the Trash . . . . 51
    Using Type-Ahead Search . . . . 51
  Saving Elements, Log Data, Reports, and Statistics . . . . 52
    PDF Output Settings . . . . 52
    Adding Style Templates for PDF Output . . . . 53
    Managing PDF Style Templates . . . . 54
  Sending Messages to Other Administrators . . . . 54
    Enabling or Disabling Administrator Messaging . . . . 54
    Sending Messages to Other Administrators . . . . 55
  Adding Custom Commands to Element Menus . . . . 55
    Creating a Tools Profile . . . . 55
    Attaching a Tools Profile to an Element . . . . 56

CHAPTER 4  Setting up the System . . . . 57
  Getting Started with the Security Management Center . . . . 58
  Getting Started with the Firewall . . . . 59
  Getting Started with the IPS . . . . 60
  Getting Started with the Layer 2 Firewall . . . . 61

CHAPTER 5  Configuring System Communications . . . . 63
  Getting Started with System Communications . . . . 64
  Defining Locations . . . . 66
  Defining Contact IP Addresses . . . . 67
    Defining Engine Location . . . . 67
    Defining Contact Addresses for a Single Engine or a Cluster Virtual IP Address . . . . 68
    Defining Contact Addresses for Node Dedicated IP Addresses . . . . 69
    Defining Contact Addresses for an IPS Cluster or a Layer 2 Firewall Cluster . . . . 69
    Defining Server Contact Addresses . . . . 70
    Defining Contact Addresses for a User Agent . . . . 71
    Defining a Contact Address for an External VPN Gateway End-Point . . . . 72
  Selecting the Management Client Location . . . . 73
  Configuring Multi-Link System Communications . . . . 73

CHAPTER 6  Managing Elements . . . . 75
  Exporting, Importing, and Restoring Elements . . . . 76
    Exporting Elements . . . . 76
      Exporting Selected Elements . . . . 77
      Exporting All Elements . . . . 77
    Importing Elements . . . . 78
      Creating a CSV File or a TSV File . . . . 78
      Importing Elements From a File . . . . 79
    Restoring Elements From Policy Snapshots . . . . 80
      Restoring All Elements From a Policy Snapshot . . . . 80
      Restoring Selected Elements From a Policy Snapshot . . . . 82
    Restoring Elements From Element Snapshots . . . . 83
  Locking and Unlocking Elements . . . . 84
  Moving Elements to the Trash . . . . 84
    Restoring Elements From the Trash . . . . 85
    Deleting Elements From the Trash . . . . 86
  Using Categories . . . . 87
    Configuration Overview . . . . 87
    Creating New Categories . . . . 87
    Selecting Categories for Elements . . . . 88
    Activating Category Filters . . . . 88
    Activating the Default Category Filters for Domains . . . . 89
    Filtering With Several Categories . . . . 89

MONITORING

CHAPTER 7  Monitoring the System . . . . 93
  Getting Started with System Monitoring . . . . 94
  Monitoring the System Status . . . . 94
    Default Arrangement of System Status View . . . . 95
    System Summary . . . . 96
    Viewing System Status for a Selected Element . . . . 96
    Viewing Appliance Configuration Status . . . . 96
    Info Panel . . . . 96
    Commands for Monitoring Components . . . . 96
    Monitoring Menu . . . . 97
  Reading Component Statuses . . . . 97
    Engine Hardware Malfunction Icons . . . . 98
    Replication Malfunction Icon . . . . 98
    Element Status Colors . . . . 98
    Node Status Colors . . . . 99
    NetLink Status Colors . . . . 99
    VPN Status Colors . . . . 100
    Connectivity Status Colors . . . . 100
  Creating Overviews . . . . 101
    Creating a New Overview . . . . 101
    Adding a New System Summary Section to an Overview . . . . 102
    Adding a New Statistics Section to an Overview . . . . 103
    Creating a New Statistics Section . . . . 104
    Selecting Statistical Items . . . . 105
    Setting Thresholds for Monitored Items . . . . 107
  Monitoring Connections, Blacklists, VPN SAs, Users, and Routing . . . . 108
    Checking Connections, Blacklists, VPN SAs, Users, and Routing . . . . 108
    Saving Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . . 110
    Exporting Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . . 111
    Viewing Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . . 112
    Comparing Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . . 113
  Viewing and Comparing Element Snapshots . . . . 115
  Monitoring Connections on a Map . . . . 116
    Defining a New Geolocation . . . . 116
    Setting a Geolocation for an Element . . . . 117
    Viewing Geolocation Elements in the System Status View . . . . 117
    Viewing Geolocations and IP Addresses in Google Maps . . . . 117
      Viewing Geolocation Element Locations in Overviews and Reports . . . . 117
      Viewing IP Address Locations in the Logs View . . . . 118
      Viewing IP Address Locations from the Whois Information Dialog . . . . 118
  Monitoring Configurations and Policies . . . . 118
  Monitoring Administrator Actions . . . . 119
  Monitoring Task Execution . . . . 119
  Taking a Traffic Capture . . . . 120
  Checking Maintenance Contract Information . . . . 122
    Viewing Maintenance Contract Information . . . . 122
    Fetching Maintenance Contract Information . . . . 122
  Checking When Internal Certificates or Internal CAs Expire . . . . 123

CHAPTER 8  Monitoring Third-Party Devices . . . . 125
  Getting Started with Third-Party Device Monitoring . . . . 126
    Configuration Overview . . . . 126
  Converting Logs From External Devices . . . . 127
    Creating a Logging Profile Element . . . . 128
    Defining Ordered Field Logging Patterns . . . . 130
    Defining Key-Value Pair Logging Patterns . . . . 132
    Adding Field Resolvers . . . . 133
      Defining a Field Resolver for Multiple Values . . . . 134
      Defining a Field Resolver for Date and Time . . . . 134
    Validating a Logging Profile . . . . 135
  Monitoring the Status of Third-Party Devices . . . . 136
    Importing MIBs . . . . 137
    Creating a Probing Profile . . . . 137
    Activating Monitoring of a Third-Party Device . . . . 139
    Configuring a Third-Party Device for Monitoring . . . . 140
    Changing the Ports for Third-Party Device Monitoring . . . . 141
    Activating or Deactivating Third-Party Monitoring Alerts . . . . 142

CHAPTER 9  Browsing Logged Data . . . . 143
  Getting Started with the Logs View . . . . 144
    Overview . . . . 144
    Opening the Logs View . . . . 144
    Default (Records) Arrangement, Panels, and Tools . . . . 145
    Details Arrangement . . . . 147
    Statistics Arrangement . . . . 148
    Log Analysis Arrangement . . . . 150
  Browsing Log Data . . . . 151
    Viewing Log Entry Details in the Side Panel . . . . 151
    Filtering Logs in the Logs View . . . . 152
      Specifying Filters for a Query . . . . 152
    Viewing Logs From Specific Components . . . . 153
    Viewing Logs From Specific Servers and Archive Folders . . . . 154
    Using Log Data Contexts . . . . 154
      Creating a New Log Data Context . . . . 154
      Editing a Log Data Context . . . . 155
  Analyzing Logs, Alerts, and Audit Entries . . . . 155
    Sorting Log Entries . . . . 156
    Saving Snapshots of Log, Alert, and Audit Entries . . . . 156
    Viewing Snapshots of Log, Alert, and Audit Entries . . . . 156
    Browsing Log Entries on a Timeline . . . . 157
    Viewing Temporary Log Entries . . . . 157
    Checking Whois Records for IP Addresses in Logs . . . . 158
  Changing How Data Entries Are Displayed . . . . 159
    Increasing and Decreasing Text Size in Data Entries . . . . 159
    Changing the Time Zone for Log Browsing . . . . 159
    Changing Data Columns in the Log Entry Table . . . . 159
    Selecting Options for Logs View . . . . 160
  Exporting Data from the Logs View . . . . 161
    Exporting Extracts of Log Data . . . . 161
    Exporting IPS Traffic Recordings . . . . 162
    Attaching Logs to Incident Cases . . . . 163
  Creating Rules From Logs . . . . 163

CHAPTER 10  Reports . . . . 165
  Getting Started with Reports . . . . 166
    Configuration Overview . . . . 166
  Creating and Modifying Report Designs . . . . 167
    Modifying Report Designs . . . . 168
    Creating New Report Designs . . . . 168
    Creating and Modifying Report Sections . . . . 169
      Modifying Report Sections . . . . 170
      Creating New Report Sections . . . . 171
    Creating and Modifying Report Items . . . . 171
      Creating Report Items . . . . 172
      Modifying Report Items . . . . 172
  Generating and Viewing Reports . . . . 173
    Generating a Report . . . . 173
      Defining the Report Task . . . . 174
      Selecting Data Sources . . . . 175
    Canceling Ongoing Report Tasks . . . . 175
    Viewing Reports . . . . 176
    Changing the Properties of Generated Reports . . . . 176
  Exporting Reports . . . . 177
    Exporting a Report as a PDF File . . . . 177
    Exporting a Report as an HTML File . . . . 178
    E-Mailing Reports . . . . 178
  Creating a System Audit Report . . . . 178

CHAPTER 11  Filtering Data . . . . 179
  Getting Started with Filtering Data . . . . 180
  Defining Filters . . . . 181
    Basics of Constructing Filters . . . . 181
    Creating and Editing Local Filters . . . . 183
    Saving Local Filters . . . . 186
    Creating and Editing Filter Elements . . . . 188
    Adding and Modifying Filtering Criteria in Filters . . . . 188
  Organizing Filter Elements . . . . 190
    Creating New Filter Tags . . . . 190
    Changing the Tag of a Filter . . . . 191

CHAPTER 12  Working With Diagrams . . . . 193
  Getting Started with Diagrams . . . . 194
    Configuration Overview . . . . 194
  Creating Diagrams . . . . 195
    Defining the Diagram Background . . . . 196
    Adding Elements to Diagrams . . . . 197
      Inserting New Elements Manually . . . . 197
      Creating Diagrams from Configured Elements . . . . 197
      Adding Text Comments to a Diagram . . . . 198
    Arranging Elements in Diagrams . . . . 199
    Connecting Elements in Diagrams . . . . 199
      Connecting Elements Automatically . . . . 199
      Connecting Elements Manually . . . . 200
    Creating Links Between Diagrams . . . . 200
      Specifying a Parent Diagram . . . . 200
      Creating Links from One Diagram to Another . . . . 201
  Viewing Diagrams . . . . 201
    Adjusting the Element Details in Diagrams . . . . 201
    Collapsing and Expanding Groups of Elements in Diagrams . . . . 202
    Zooming and Navigating Diagrams . . . . 202
  Printing Diagrams . . . . 203
  Exporting Diagrams as Images . . . . 203

CHAPTER 13  Incident Cases . . . . 205
  Getting Started with Incident Cases . . . . 206
    Configuration Overview . . . . 206
  Creating a New Incident Case . . . . 207
  Setting an Incident Context . . . . 207
  Attaching Data to Incident Cases . . . . 208
    Attaching Logs and Audit Entries to Incident Cases . . . . 208
    Attaching Policy Snapshots to Incident Cases . . . . 209
    Attaching Memos to Incident Cases . . . . 210
    Attaching Files to Incident Cases . . . . 210
  Adding Players to Incident Cases . . . . 211
  Adding Journal Entries to Incident Cases . . . . 211
  Working With Existing Incident Cases . . . . 212
    Opening an Incident Case for Editing . . . . 212
    Changing the Priority of an Incident Case . . . . 212
    Changing the State of an Incident Case . . . . 212
    Checking Incident History . . . . 213

CONTROLLING ENGINES

CHAPTER 14  Controlling Engine Operation . . . . 217
  Commanding Engines Remotely . . . . 218
    Turning Engines Online . . . . 218
    Turning Engines Offline . . . . 219
    Setting Nodes to Standby . . . . 219
    Rebooting Nodes . . . . 220
    Refreshing the Currently Installed Policy . . . . 220
    Backing up and Restoring Dynamic Routing Configurations . . . . 221
    Removing Virtual Security Engines from a Master Engine . . . . 221
  Commanding Engines Locally . . . . 222
  Setting Engine Options . . . . 222
    Enabling or Disabling Engine Status Monitoring . . . . 222
    Enabling or Disabling Firewall/VPN Diagnostics . . . . 222
    Disabling or Enabling User Database Replication . . . . 223
    Enabling or Disabling Status Surveillance . . . . 223
    Enabling or Disabling SSH Access to the Engine . . . . 224
    Changing the Engine Password . . . . 224
  Changing NetLink State Manually . . . . 225
  Disabling or Enabling Cluster Nodes . . . . 225
    Disabling Cluster Nodes Temporarily . . . . 225
    Re-Enabling Disabled Cluster Nodes . . . . 226
  Editing Engine Configurations . . . . 226

CHAPTER 15  Stopping Traffic Manually . . . . 227
  Terminating Connections Manually . . . . 228
  Blacklisting Connections Manually . . . . 228

CHAPTER 16  Working on the Engine Command Line . . . . 231
  Getting Started with the Engine Command Line . . . . 232
  Accessing the Engine Command Line . . . . 232
  Reconfiguring Basic Engine Settings . . . . 233
  Creating Engine Scripts . . . . 234
  Restoring a Previous Configuration Manually . . . . 235
  Configuring Dynamic Routing . . . . 235
  Sending Commands to Virtual Security Engines . . . . 236

SMC CONFIGURATION

CHAPTER 17  Configuring Automatic Software Updates . . . . 239
  Getting Started with Automatic Updates and Engine Upgrades . . . . 240
  Configuring Automatic Updates and Engine Upgrades . . . . 241

CHAPTER 18  Administrator Accounts . . . . 243
  Getting Started with Administrator Accounts . . . . 244
    Configuration Overview . . . . 244
  Defining Administrator Roles and Access Control Lists . . . . 245
    Defining Administrator Roles . . . . 245
    Defining Access Control Lists . . . . 247
  Defining Administrator Accounts . . . . 248
    Creating a New Administrator Element . . . . 248
    Defining Administrator Permissions . . . . 249
    Defining Rights for Restricted Administrator Accounts . . . . 250
    Restricting the Logs an Administrator Can View . . . . 251
    Customizing Log Colors . . . . 252
  Defining Password and Login Settings for Administrators . . . . 253
    Enabling Enforcement of Password Settings . . . . 253
    Defining Password Policy Settings . . . . 254
  Changing Administrator Passwords . . . . 255
  Authenticating Administrators Using RADIUS Methods . . . . 256
  Disabling Administrator Accounts . . . . 257
  Deleting Administrator Accounts . . . . 258
  Defining API Client Accounts . . . . 258

CHAPTER 19  Alert Escalation . . . . 259
  Getting Started With Alert Escalation . . . . 260
    Configuration Overview . . . . 261
  Creating Alerts . . . . 262
    Defining Custom Alerts . . . . 262
    Defining What Triggers an Alert . . . . 263
  Configuring Notifications for Alerts . . . . 263
  Defining Alert Chains . . . . 266
    Creating and Modifying Alert Chains . . . . 266
    Editing Alert Chains . . . . 266
  Defining Alert Policies . . . . 269
    Creating and Modifying Alert Policies . . . . 269
    Editing Alert Policy Rules . . . . 269
  Installing Alert Policies . . . . 270
  Acknowledging Alerts . . . . 270
  Using Custom Scripts for Alert Escalation . . . . 272
  Creating SMTP Server Elements . . . . 273
  Testing Alerts . . . . 275

CHAPTER 20  Domains . . . . 277
  Getting Started with Domains . . . . 278
    Configuration Overview . . . . 278
  Creating Domains . . . . 279
    Defining a Domain Logo . . . . 280
    Importing a New Domain Logo . . . . 280
  Logging in to a Domain . . . . 281
  Logging out of all Domains . . . . 282
  Moving Elements Between Domains . . . . 282
  Using the Domain Overview . . . . 283
  Deleting Domains . . . . 284

CHAPTER 21  Setting up the Web Portal . . . . 285
  Getting Started with Web Portal Access . . . . 286
    Configuration Overview . . . . 286
  Defining Web Portal Server Settings . . . . 287
  Activating HTTPS on the Web Portal Server . . . . 288
  Allowing Web Portal Connections . . . . 289
  Defining Web Portal User Accounts . . . . 290
    Granting Engines to a Web Portal User . . . . 291
    Selecting Policy Permissions for a Web Portal User . . . . 291
    Selecting Log Browsing Permissions for a Web Portal User . . . . 292
    Selecting Report Data Permissions for a Web Portal User . . . . 292
  Customizing the Web Portal . . . . 293
    Adding a New Web Portal Language . . . . 293
      Importing a Web Portal Language File through the Management Client . . . . 293

      Enabling or Disabling a Web Portal Localization . . . . 293
    Customizing the Look of the Web Portal . . . . 294
  Writing Announcements to Web Portal Users . . . . 295

CHAPTER 22  Distributing Management Clients Through Web Start . . . . 297
  Getting Started with Web Start Distribution . . . . 298
    Configuration Overview . . . . 298
  Activating Web Start on the Management Server . . . . 299
  Distributing Web Start from External Servers . . . . 300
  Accessing the Web Start Management Clients . . . . 301

CHAPTER 23  Configuring the Log Server . . . . 303
  Modifying a Log Server Element . . . . 304
  Selecting Backup Log Servers . . . . 305
  Configuring a Log Server to Monitor Third-Party Devices . . . . 306
    Defining Monitoring Rules on a Log Server . . . . 306
    Creating an Access Rule Allowing Third-Party Monitoring . . . . 307
  Forwarding Log Data to External Hosts . . . . 308
    Defining Log Forwarding Rules . . . . 308
    Enabling Logging for Traffic That You Want to Monitor . . . . 310
    Creating an Access Rule Allowing Traffic to External Hosts . . . . 311
  Changing Log Server Configuration Parameters . . . . 312
  Forwarding Log Data to Syslog . . . . 314
    Defining General Syslog Settings . . . . 314
    Creating an Access Rule Allowing Traffic to the Syslog Server . . . . 316
  Certifying the Log Server . . . . 316

CHAPTER 24  Configuring Additional SMC Servers . . . . 317
  About Additional SMC Servers . . . . 318
  Installing Additional Management Servers . . . . 318
    Configuration Overview . . . . 318
    Defining Additional Management Server Elements . . . . 319
    Installing Licenses for Additional Management Servers . . . . 320
    Creating Access Rules for Additional Management Servers . . . . 320
    Installing Additional Management Server Software . . . . 321
  Installing Additional Log Servers . . . . 322
    Configuration Overview . . . . 322
    Creating Additional Log Server Elements . . . . 323
    Installing Licenses for Additional Log Servers . . . . 324
    Creating Access Rules for Additional Log Servers . . . . 324
    Installing Additional Log Server Software . . . . 325
  Changing the Active Management Server . . . . 326
  Disabling and Enabling Automatic Database Replication . . . . 327
  Synchronizing Management Databases Manually . . . . 328

CHAPTER 25  Reconfiguring the SMC and Engines . . . . 329
  Modifying a Management Server Element . . . . 330
  Enabling SMC API on the Management Server . . . . 331
  Forwarding Audit Data to External Hosts . . . . 331
    Defining Audit Forwarding Rules . . . . 332
    Creating an Access Rule Allowing Traffic to External Hosts . . . . 333
  Changing the Management Database Password . . . . 333
  Changing the Management Platform . . . . 334
  Changing SMC IP Addressing . . . . 335
    Changing the Management Server IP Address . . . . 335
    Changing the Log Server IP Address . . . . 336
    Changing IP Addresses of Combined Management/Log Servers . . . . 337
  Creating a New Internal ECDSA Certificate Authority . . . . 338
    Enabling 256-bit Security Strength for Engines . . . . 340
  If Configuration Changes Prevent Managing the Engines . . . . 341
  Changing the Role of Security Engines . . . . 341
    Preparing to Change the Security Engine Role . . . . 342
    Clearing the Existing Engine Configuration . . . . 342
    Reconfiguring the Engine . . . . 343

ENGINE ELEMENT CONFIGURATION

CHAPTER 26  Creating and Modifying Engine Elements . . . . 347
  Getting Started with Engine Elements . . . . 348
    Configuration Overview . . . . 348
  Creating New Engine Elements . . . . 349
    Creating a New Single Firewall Element . . . . 350
    Creating Multiple Single Firewall Elements . . . . 351

      Defining Interfaces for Multiple Single Firewalls . . . 353
      Defining Routing for Multiple Single Firewalls . . . 354
      Adding NAT Definitions for Multiple Single Firewalls . . . 354
      Selecting Additional Configuration Options for Multiple Single Firewalls . . . 355
      Defining Tester Settings for Multiple Single Firewalls . . . 355
      Defining Permissions for Multiple Single Firewalls . . . 356
      Defining Add-Ons for Multiple Single Firewalls . . . 356
      Defining Advanced Settings for Multiple Single Firewalls . . . 357
      Defining Internal VPN Gateway End-Points for Multiple Single Firewalls . . . 358
      Uploading the Multiple Single Firewall Initial Configuration to the Installation Server . . . 359
      Selecting a Policy to Install on the Firewalls . . . 360
  Creating a New Firewall Cluster Element . . . 361
    Creating Multiple Firewall Cluster Elements . . . 362
      Defining Interfaces for Multiple Firewall Clusters . . . 363
      Adding NAT Definitions for Multiple Firewall Clusters . . . 364
      Selecting Additional Configuration Options for Multiple Firewall Clusters . . . 365
  Creating a New Single IPS Element . . . 366
  Creating a New IPS Cluster Element . . . 367
  Creating a New Single Layer 2 Firewall Element . . . 368
  Creating a New Layer 2 Firewall Cluster Element . . . 369
  Creating a New SSL VPN Gateway Element . . . 370
  Duplicating an Existing Engine Element . . . 371
Modifying Existing Engine Elements . . . 371
  Modifying the Properties of Single Engine Elements . . . 372
  Modifying Properties of Several Engines at Once . . . 372
  Converting a Single Firewall to a Firewall Cluster . . . 373
    Preparing for Converting a Single Firewall to a Firewall Cluster . . . 374
    Converting a Single Firewall Element to a Firewall Cluster . . . 374
    Activating the Clustered Configuration After Conversion . . . 377
  Converting a Single IPS Engine to an IPS Cluster . . . 377
  Converting a Single Layer 2 Firewall to a Cluster . . . 379
  Adding a Node to a Cluster . . . 380
  Changing Engine Control IP Address . . . 381
    Changing Engine Control Address Within the Same Network . . . 381
    Changing Firewall Control Address to a Different Network . . . 382
  Editing Single Firewall Properties . . . 383
  Editing Firewall Cluster Properties . . . 384
  Editing Single IPS Engine Properties . . . 385
  Editing IPS Cluster Properties . . . 386
  Editing Single Layer 2 Firewall Properties . . . 387
  Editing Layer 2 Firewall Cluster Properties . . . 388
  Adjusting the Global Contact Policy for Single Engines . . . 389
  About Engine Time Synchronization . . . 390

CHAPTER 27
Creating and Modifying Virtual Security Engines . . . 391
  Getting Started with Virtual Security Engines . . . 392
    Configuration Overview . . . 393
  Creating New Master Engine Elements . . . 394
  Creating New Virtual Resource Elements . . . 395
  Creating New Virtual Security Engines . . . 396
    Creating New Virtual Firewalls . . . 396
    Creating New Virtual IPS Engines . . . 397
    Creating New Virtual Layer 2 Firewalls . . . 398
  Modifying Existing Master Engines and Virtual Security Engines . . . 399
    Adding a Node to a Master Engine . . . 399
    Editing Master Engine Properties . . . 400
    Editing Virtual Firewall Properties . . . 401
    Editing Virtual IPS Properties . . . 402
    Editing Virtual Layer 2 Firewall Properties . . . 403
    Editing Virtual Resources . . . 404
  Converting Existing Firewalls to Master Engines and Virtual Firewalls . . . 405
    Defining Interfaces for Master Engines . . . 406
    Distributing Tunnel Interfaces to Virtual Security Engines . . . 407
    Distributing Internal VPN Gateways to Virtual Security Engines . . . 408
    Defining Routing for the Master Engine . . . 408
    Selecting Additional Configuration Options for Master Engines . . . 408
    Editing Basic Information for Virtual Security Engines . . . 409
    Editing Interfaces and Routing for Virtual Security Engines . . . 409
    Adding NAT Definitions for Virtual Security Engines . . . 410
    Selecting Additional Configuration Options for Virtual Security Engines . . . 411
    Finishing the Convert Engine to Master Engine and Virtual Security Engines Wizard . . . 411

CHAPTER 28
Network Interface Configuration . . . 413
  Getting Started with Interface Configuration . . . 414
    Configuration Overview . . . 415
  Firewall Interface Configuration . . . 416
    Defining Physical Interfaces for Firewall Engines . . . 417
    Adding VLAN Interfaces for Firewall Engines . . . 420
    Adding ADSL Interfaces for Single Firewalls . . . 422
    Adding Wireless Interfaces for Single Firewalls . . . 423
      Defining SSID Interfaces for Single Firewalls . . . 425
      Configuring Security Settings for SSID Interfaces . . . 427
      Configuring MAC Filtering for SSID Interfaces . . . 428
    Defining Modem Interfaces for Single Firewalls . . . 429
      Changing or Removing the PIN Code of a Modem Interface . . . 430
    Defining Tunnel Interfaces for Firewalls . . . 431
    Configuring Advanced Interface Properties for Firewalls . . . 432
    Configuring Single Firewall IP Addresses . . . 435
      Adding IPv4 Addresses for a Single Firewall . . . 436
      Configuring VRRP Settings for Single Firewalls . . . 438
      Configuring PPP Settings for Single Firewalls . . . 439
      Adding IPv6 Addresses for a Single Firewall . . . 440
    Configuring Firewall Cluster IP Addresses . . . 441
      Adding IPv4 Addresses for a Firewall Cluster . . . 442
      Adding IPv6 Addresses for a Firewall Cluster . . . 443
    Setting Interface Options for Firewalls . . . 444
    Configuring Loopback IP Addresses for Firewalls . . . 446
      Adding Loopback IP Addresses for Single Firewalls . . . 446
      Adding Loopback IP Addresses for Firewall Clusters . . . 447
    About Using a Dynamic IP Address on a Firewall Interface . . . 448
  IPS Engine Interface Configuration . . . 449
    Defining System Communication Interfaces for IPS Engines . . . 450
      Adding VLAN Interfaces for IPS Engines . . . 452
      Configuring IP Addresses for IPS Engines . . . 454
        Configuring IP Addresses for Single IPS Engines . . . 454
        Configuring IP Addresses for IPS Clusters . . . 455
    Defining Traffic Inspection Interfaces for IPS Engines . . . 456
      Defining Logical Interfaces for IPS Engines and Layer 2 Firewalls . . . 456
      Defining Reset Interfaces for IPS Engines and Layer 2 Firewalls . . . 457
      Defining Capture Interfaces for IPS Engines . . . 458
      Defining Inline Interfaces for IPS Engines . . . 459
    Configuring Advanced Interface Properties for IPS Engines . . . 462
    Setting Interface Options for IPS Engines . . . 464
  Layer 2 Firewall Interface Configuration . . . 465
    Defining System Communication Interfaces for Layer 2 Firewalls . . . 466
      Configuring VLAN Interfaces for Layer 2 Firewalls . . . 468
      Configuring IP Addresses for Layer 2 Firewalls . . . 470
        Configuring IP Addresses for Single Layer 2 Firewalls . . . 470
        Configuring IP Addresses for Layer 2 Firewall Clusters . . . 471
    Defining Traffic Inspection Interfaces for Layer 2 Firewalls . . . 472
      Defining Capture Interfaces for Layer 2 Firewalls . . . 472
      Defining Inline Interfaces for Layer 2 Firewalls . . . 474
    Configuring Advanced Interface Properties for Layer 2 Firewalls . . . 476
    Setting Interface Options for Layer 2 Firewalls . . . 478
  Master Engine Interface Configuration . . . 479
    Defining Physical Interfaces for Master Engines . . . 480
      Defining System Communication Interfaces for Master Engines . . . 480
      Defining Master Engine Physical Interfaces for Hosted Virtual Security Engine Communications . . . 483
        Defining Master Engine Physical Interfaces for Hosted Virtual Firewalls . . . 483
        Defining Master Engine Physical Interfaces for Hosted Virtual IPS Engines . . . 486
        Defining Master Engine Physical Interfaces for Hosted Virtual Layer 2 Firewalls . . . 488
    Adding VLAN Interfaces for Master Engines . . . 490

      Adding VLAN Interfaces for Master Engine System Communications . . . 490
      Adding VLAN Interfaces for Hosted Virtual Security Engine Communications . . . 492
    Adding IPv4 Addresses for a Master Engine . . . 494
    Configuring Advanced Interface Properties for Master Engines . . . 495
    Setting Interface Options for Master Engines . . . 497
    Selecting a Virtual Resource for Multiple Master Engine Interfaces . . . 498
  Virtual Security Engine Interface Configuration . . . 499
    Modifying Physical Interfaces for Virtual Security Engines . . . 499
    Adding VLAN Interfaces for Virtual Security Engines . . . 502
    Defining Tunnel Interfaces for Virtual Firewalls . . . 504
    Configuring Virtual Firewall IP Addresses . . . 505
      Adding IPv4 Addresses for Virtual Firewalls . . . 506
      Adding IPv6 Addresses for Virtual Firewalls . . . 507
    Configuring Advanced Interface Properties for Virtual Security Engines . . . 508
    Setting Interface Options for Virtual Firewalls . . . 510
    Adding Loopback IP Addresses for Virtual Firewalls . . . 511
  Configuring Manual ARP Settings . . . 512
  Activating the Internal DHCP Server on a Firewall Interface . . . 513

CHAPTER 29
Connecting Engines to the SMC . . . 515
  Getting Started with Connecting Engines to the SMC . . . 516
    Configuration Overview . . . 517
  Saving an Initial Configuration for Security Engines . . . 517
    Creating One-Time Passwords . . . 518
    Saving Initial Configuration Details . . . 519
  Connecting SSL VPN Gateways to the SMC . . . 520

CHAPTER 30
Element-Based NAT . . . 521
  Getting Started with Element-Based NAT . . . 522
    Configuration Overview . . . 522
  Adding NAT Definitions . . . 523
  Modifying or Removing NAT Definitions . . . 524

CHAPTER 31
Configuring the Engine Tester . . . 525
  Getting Started with the Engine Tester . . . 526
    Configuration Overview . . . 526
  Specifying Global Engine Tester Settings . . . 527
  Adding Engine Tests . . . 528
    Configuring Additional Test-Specific Settings . . . 530
      Configuring Additional Settings for the External Test . . . 530
      Configuring Additional Settings for the File System Space Test . . . 530
      Configuring Additional Settings for the Free Swap Space Test . . . 530
      Configuring Additional Settings for the Inline Pair Link Speed Test . . . 531
      Configuring Additional Settings for the Link Status Test . . . 531
      Configuring Additional Settings for the Multiping Test . . . 532
  Checking Configured Engine Tests . . . 533
  Removing Engine Tests . . . 533
  Disabling or Enabling Configured Engine Tests . . . 534
    Disabling or Enabling Individual Engine Tests . . . 534
    Disabling or Enabling All Custom Engine Tests . . . 534

CHAPTER 32
Engine Permissions . . . 535
  Getting Started with Engine Permissions . . . 536
    Configuration Overview . . . 536
  Defining Administrator Permissions on Engines . . . 536
  Selecting Permitted Policies for Engines . . . 537

CHAPTER 33
Alias Translations for Engines . . . 539
  Getting Started with Alias Translations . . . 540
  Defining Alias Translation Values . . . 541
    Adding Alias Translation Values . . . 541
    Removing Alias Translation Values . . . 541

CHAPTER 34
Add-on Features . . . 543
  Getting Started with Add-On Features . . . 544
  Editing Add-On Settings . . . 544
  Configuring Anti-Virus Settings . . . 545
    Manually Updating the Anti-Virus Database . . . 546
    Checking the Status of the Anti-Virus Database . . . 546
    Enabling the Anti-Virus Feature . . . 547
  Configuring Anti-Spam Settings . . . 548
    Defining General Anti-Spam Settings . . . 549
    Defining Scoring Settings for Anti-Spam . . . 550
    Defining Spam Filtering Rules . . . 551
    Defining DNSBL Settings . . . 553
    Modifying Advanced Anti-Spam Settings . . . 554
    Modifying Anti-Spam Settings Elements . . . 555

CHAPTER 35
Advanced Engine Settings . . . 557
  Getting Started with Advanced Engine Settings . . . 558
  Adjusting Firewall System Parameters . . . 559
  Adjusting Firewall Traffic Handling Parameters . . . 560
  Adjusting Firewall Clustering Options . . . 563
    Adjusting General Firewall Clustering Options . . . 563
    Tuning the Firewall Load-Balancing Filter . . . 565
      Manually Tuning the Firewall Load-Balancing Filter . . . 565
      Adding Firewall Load-Balancing Filter Entries . . . 566
  Adjusting IPS Engine System Parameters . . . 567
  Adjusting IPS Engine Traffic Handling Parameters . . . 569
  Adjusting IPS Clustering Options . . . 572
  Adjusting Layer 2 Firewall System Parameters . . . 573
  Adjusting Layer 2 Firewall Traffic Handling Parameters . . . 575
  Adjusting Layer 2 Firewall Clustering Options . . . 578
  Adjusting Master Engine System Parameters . . . 580
  Adjusting Master Engine Traffic Handling Parameters . . . 581
  Adjusting Master Engine Clustering Options . . . 583
    Adjusting General Master Engine Clustering Options . . . 583
    Tuning the Master Engine Load-Balancing Filter . . . 586
      Manually Tuning the Master Engine Load-Balancing Filter . . . 586
      Adding Master Engine Load-Balancing Filter Entries . . . 587
  Adjusting Virtual Security Engine System Parameters . . . 588
    Adjusting Virtual Firewall System Parameters . . . 588
    Adjusting Virtual IPS and Virtual Layer 2 Firewall System Parameters . . . 589
  Adjusting Virtual Security Engine Traffic Handling Parameters . . . 590
    Adjusting Virtual Firewall Traffic Handling Parameters . . . 590
    Adjusting Virtual IPS and Virtual Layer 2 Firewall Traffic Handling Parameters . . . 592
  Configuring Inspection of Tunneled Traffic . . . 594
  Setting Connection Timeouts . . . 595
  Configuring Default SYN Rate Limits . . . 596
  Configuring Default Log Handling Settings . . . 597
  Configuring Default DoS Protection Settings . . . 598
  Configuring Default Scan Detection Settings . . . 600

CHAPTER 36
Setting up SNMP for Engines . . . 601
  Getting Started with SNMP Configuration . . . 602
  Configuring SNMP Version 1 or 2c . . . 602
  Configuring SNMP Version 3 . . . 603
  Configuring What Triggers SNMP Traps . . . 604
  Activating the SNMP Agent on Engines . . . 605

ROUTING

CHAPTER 37
Configuring Routing . . . 609
  Getting Started with Routing . . . 610
    Configuration Overview . . . 611
  Adding Routes for Firewalls . . . 612
    Defining a Single-Link Route for a Firewall . . . 612
    Routing DHCP Messages . . . 613
      Defining a DHCP Server . . . 613
      Enabling DHCP Relay . . . 614
      Activating the DHCP Relay Sub-policy . . . 615
    Routing Multicast Traffic . . . 615
      Defining Static Multicast . . . 616
      Defining IGMP-Based Multicast Forwarding . . . 617
    Defining Policy Routing . . . 618
  Adding Routes for Master Engines . . . 619
    Defining a Single-Link Route for a Master Engine . . . 620
  Adding Routes for Virtual Firewalls . . . 621
    Defining a Single-Link Route for a Virtual Firewall . . . 621
  Defining a Multi-Link Route . . . 622
    Creating NetLinks . . . 622
    Adding a Multi-Link Route . . . 624
  Defining Routing for the Route-Based VPN . . . 625
  Adding Routes for IPS Engines and Layer 2 Firewalls . . . 626
  Removing Routes . . . 627
  Modifying Antispoofing . . . 627
    Deactivating Antispoofing for an IP Address/Interface Pair . . . 628
    Activating Antispoofing for Routable IP Addresses . . . 629
  Checking Routes . . . 629

CHAPTER 38
Outbound Traffic Management . . . 631
  Getting Started with Outbound Traffic Management . . . 632
    Configuration Overview . . . 633
  Configuring Outbound Multi-Link Settings . . . 633
    Creating an Outbound Multi-Link Element . . . 634
    Selecting NetLinks for an Outbound Multi-Link . . . 634
    Defining Destination Cache Settings . . . 635
  Creating Outbound Load-Balancing NAT Rules . . . 636
  Monitoring And Testing Outbound Traffic Management . . . 637

CHAPTER 39
Inbound Traffic Management . . . 639
  Getting Started with Inbound Traffic Management . . . 640
    Configuration Overview . . . 641
  Defining a Server Pool . . . 642
    Creating a New Server Pool Element . . . 642
    Defining External Address(es) of Server Pool . . . 643
    Adding Server Pool Members . . . 644
    Configuring Server Availability Monitoring . . . 645
  Installing Monitoring Agents . . . 646
  Uninstalling Monitoring Agents . . . 647
  Configuring Monitoring Agents . . . 648
    Editing sgagent.local.conf . . . 648
    Editing sgagent.conf . . . 649
      Editing the sgagent.conf Statement Section . . . 650
      Options in the sgagent.conf Statement Section . . . 651
      Monitoring Agent Statement Configuration Examples . . . 652
      Editing the sgagent.conf Test Section . . . 654
      Monitoring Agent Test Configuration Examples . . . 656
      Editing Internal Tests for Monitoring Agents . . . 657
      Monitoring Agent Internal Test Examples . . . 659
  Enabling Monitoring Agents . . . 662
  Entering Server Pool IP Addresses on Your DNS Server . . . 662
  Creating Access Rules for Inbound Load Balancing . . . 663
  Configuring Dynamic DNS Updates . . . 664
    Configuration Overview . . . 664
    Improving DDNS Security . . . 664
    Defining an External DNS Server . . . 665
    Defining the Dynamic DNS Update Information . . . 666
    Defining a Dynamic DNS Rule . . . 666
  Monitoring and Testing Monitoring Agents . . . 667

TRAFFIC INSPECTION POLICIES

CHAPTER 40
Creating and Managing Policy Elements . . . 671

  Getting Started with Policies . . . 672
    Default Policy Elements . . . 672
    Configuration Overview . . . 674
  Creating a New Template Policy or a Policy . . . 675
  Creating a New Sub-Policy . . . 676
    Creating a New Empty Sub-Policy . . . 676
    Converting Existing Rules into a Sub-Policy . . . 677
  Installing Policies . . . 678
  Tracking Policy Changes . . . 679
    Checking the Currently Installed Policy . . . 679
    Previewing the Currently Installed Policy . . . 679
    Checking and Comparing Policy Versions . . . 680
      Viewing Policy Snapshots . . . 680
      Comparing Two Policy Snapshots . . . 680
    Checking for Untransferred Configuration Changes . . . 681
  Moving the Policy Under a Different Template . . . 681
  Deleting Policies, Templates, and Sub-Policies . . . 682

CHAPTER 41
Editing Policies . . . 683
  Getting Started with Editing the Rules in Policies . . . 684
  Using the Policy Editing View . . . 685
    Editing Rule Tables . . . 687
    Editing Rule Cells . . . 688
    Defining Source, Destination, and Service Criteria . . . 689
    Adding Comments in Policies . . . 690
    Reading Rule Identifiers . . . 690
    Naming Rules . . . 690
    Searching in Rules . . . 691
    Finding Unused Rules in Firewall Policies (Hit Counters) . . . 692
  Adding Insert Points in Policy Templates . . . 693
  Editing Ethernet Rules . . . 693
    Defining Logging Options for Ethernet Rules . . . 695
    Defining a MAC Address for Ethernet Rules . . . 696
  Editing Access Rules . . . 696
    Defining What Traffic an Access Rule Matches . . . 697
    Defining What Action an Access Rule Takes . . . 699
    Defining Access Rule Action Options . . . 701
      Defining Apply Blacklist Action Options . . . 701
      Defining Discard Action Options . . . 702
      Defining Refuse Action Options . . . 703
      Defining Jump Action Options . . . 704
      Defining Firewall Allow Action Options . . . 704
      Defining Continue Action Options in Access Rules . . . 709
      Defining Firewall Use IPsec VPN Action Options . . . 710
      Defining IPS and Layer 2 Firewall Allow Action Options . . . 711
    Defining Access Rule Logging Options . . . 715
    Defining Firewall Access Rule Authentication Options . . . 718
  Editing Firewall NAT Rules . . . 719
    Adding a NAT Rule . . . 720
    Defining What Traffic a NAT Rule Matches . . . 720
    Overwriting the Source Address in Packets . . . 722
      Defining Static Source Translation Options . . . 723
      Defining Dynamic Source Translation Options . . . 724
    Overwriting the Destination Address in Packets . . . 725
    NAT Rule Examples . . . 726
      Example of a Static Source Translation Rule . . . 726
      Example of a Dynamic Source Translation Rule . . . 727
      Example of a Destination Translation Rule . . . 729
      Example of a Combined Source and Destination Translation Rule . . . 730
  Editing Inspection Policies . . . 731
    Modifying the Inspection Rules Tree . . . 732
      Adding Situations to the Rules Tree . . . 734
      Removing Overrides From the Rules Tree . . . 734
    Adding Exceptions to the Inspection Policy . . . 734
      Defining What Traffic an Exception Rule Matches . . . 735
      Defining What Action an Exception Rule Takes . . . 736
      Defining Continue Action Options in Exception Rules . . . 737
      Defining Permit Action Options in Exception Rules . . . 737
      Defining Terminate Action Options in Exception Rules . . . 739
    Defining Logging Options for Inspection Rules and Exceptions . . . 741
      Defining Logging Options for Inspection Rules . . . 741
      Defining Logging Options for Exception Rules . . . 743
    Importing Snort Rules Libraries . . . 744
  Limiting the Time when a Rule Is Active . . . 748
  Validating Rules Automatically . . . 749
    Overriding Default Validation Options for Rules . . . 750
    Viewing Policy Validation Issues . . . 751
    Disabling a Validation Warning for a Rule . . . 752
    Excluding Rules from Policy Validation . . . 752
  Changing Default Rules . . . 752

CHAPTER 42
Defining IP Addresses . . . 753
  Getting Started with Defining IP Addresses . . . 754
  Defining IP Addresses as Elements . . . 755
    Defining Address Range Elements . . . 755
    Defining Alias Elements . . . 756
    Defining Domain Name Elements . . . 757
    Defining Expression Elements . . . 758
    Defining Group Elements . . . 760
    Defining Host Elements . . . 761
    Defining Network Elements . . . 762
    Defining Router Elements . . . 763
    Defining Zone Elements . . . 765
  Using Feature-Specific Elements in Policies . . . 766

CHAPTER 43
Defining Network Services . . . 769
  Getting Started with Services . . . 770
    Configuration Overview . . . 770
  Defining Services . . . 771
    Defining a New IP-Based Service . . . 771
    Defining a New Ethernet Service . . . 773
    Grouping Services . . . 774
  Using Protocol Elements . . . 775
  Defining Protocol Parameters . . . 775
    Defining DNS Protocol Parameters . . . 776
    Defining FTP Protocol Parameters . . . 777
    Defining GRE Protocol Parameters . . . 778
    Defining H323 Protocol Parameters . . . 779
    Defining HTTP/HTTPS Protocol Parameters . . . 780
    Defining IPv4 Encapsulation Protocol Parameters . . . 781
    Defining IPv6 Encapsulation Protocol Parameters . . . 782
    Defining MSRPC Protocol Parameters . . . 782
    Defining NetBIOS Protocol Parameters . . . 784
    Defining Oracle Protocol Parameters . . . 784
    Defining RTSP Protocol Parameters . . . 785
    Defining Shell (RSH) Protocol Parameters . . . 786
    Defining SIP Protocol Parameters . . . 786
    Defining SMTP Protocol Parameters . . . 787
    Defining SSH Protocol Parameters . . . 788
    Defining SunRPC Protocol Options . . . 788
    Defining TCP Proxy Protocol Parameters . . . 790
    Defining TFTP Protocol Parameters . . . 791

CHAPTER 44
Defining Situations . . . 793
  Getting Started With Situations . . . 794
    Configuration Overview . . . 795
  Creating New Situation Elements . . . 796
  Defining Context Options for Situations . . . 797
    Defining HTTP URL Filter Options . . . 798
  Defining Context Options for Correlation Situations . . . 799
    Configuring Compress Contexts . . . 800
    Configuring Count Contexts . . . 801
    Configuring Group Contexts . . . 802
    Configuring Match Contexts . . . 803
    Configuring Sequence Contexts . . . 803
  Defining Tags for Situations . . . 804
    Creating a New Tag . . . 804
    Adding Tags to One Situation at a Time . . . 804
    Adding Tags to Several Situations at Once . . . 805
    Removing Tags from Situations . . . 805
  Working With Vulnerabilities . . . 806
    Creating New Vulnerability Elements . . . 806
    Associating Vulnerabilities With Situations . . . 807

CHAPTER 45
Working With Applications . . . 809
  Getting Started With Applications . . . 810
    Configuration Overview . . . 810
  Creating TLS Matches . . . 811
  Creating Access Rules for Application Detection . . . 812
    Overriding Application Properties in Service Definitions . . . 813
    Logging Application Use . . . 814

CHAPTER 46
Defining User Responses . . . 815
  Getting Started with User Responses . . . 816
    Configuration Overview . . . 816
  Creating User Responses . . . 816
  Defining User Response Entries . . . 817

CHAPTER 47
Quality of Service (QoS) . . . 819
  Getting Started with QoS . . . 820
    Configuration Overview . . . 822
  Creating QoS Classes . . . 823
  Defining QoS Policies . . . 824
    Creating New QoS Policies . . . 824
    Editing QoS Rules . . . 824
    Editing DSCP Match/Mark Rules . . . 826
  Matching QoS Rules to Network Traffic . . . 827

CHAPTER 48
Filtering URLs . . . 829
  Getting Started with URL Filtering . . . 830
    Configuration Overview . . . 831
  Blacklisting or Whitelisting Web URLs Manually . . . 832
  Creating URL Filtering Rules . . . 833

CHAPTER 49
Setting up TLS Inspection . . . 835
  Getting Started with TLS Inspection . . . 836
    Configuration Overview . . . 837
  Configuring Server Protection . . . 838
  Configuring Client Protection . . . 839
    Creating Client Protection Certificate Authority Elements . . . 839
      Importing a Private Key and Signing Certificate for Client Protection . . . 840
      Generating a Private Key and Signing Certificate for Client Protection . . . 841
      Exporting a Client Protection CA Certificate . . . 842
  Defining Trusted Certificate Authorities for TLS Inspection . . . 842

    Creating Trusted Certificate Authority Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . 843Importing a Trusted Certificate Authority Certificate for TLS inspection . . . . . . . . . . . . 843

    Excluding Connections from TLS Inspection . . . 844Globally Excluding Domains From Decryption . 844Excluding Domains from Inspection of HTTPS Traffic . . . . . . . . . . . . . . . . . . . . . . . . 845

  • 16

    Activating TLS Inspection . . . . . . . . . . . . . . . . 846Activating TLS Inspection on the Engine . . . . . 846Defining a Custom HTTPS Service . . . . . . . . . 847Creating Access Rules for TLS inspection . . . . 847

    CHAPTER 50External Content Inspection. . . . . . . . . . . . . . . 849

    Getting Started with External Content Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . 850

    Con

    DefinDefin

    CreaDefiRed

    DefinDefin

    CHAPTEBlackli

    GettinCon

    EnablConfig

    DefiAuto

    AdDe

    Black

    USER

    CHAPTESetting

    GettinCon

    IntegrConDireDefiDefiAddConAddDefi

    EnablDefiConCrea

    Selecting User Agents for Security Engines . . 879Generating a Certificate for a User Agent . . . . 879Allowing Communication With the User Agent. 880Installing User Agents . . . . . . . . . . . . . . . . . 880

    Defining User Accounts . . . . . . . . . . . . . . . . . 881Defining User Groups . . . . . . . . . . . . . . . . . . 882Defining Users. . . . . . . . . . . . . . . . . . . . . . . 882Linking Authentication Server Users to Table of Contents

    figuration Overview . . . . . . . . . . . . . . . . . 850

    ing a Content Inspection Server Element . 851ing a Service for CIS Redirection . . . . . . . 852ting a Service for CIS Redirection . . . . . . 852ning Protocol Parameters for CIS irection . . . . . . . . . . . . . . . . . . . . . . . . . 852ing Access Rules for CIS Redirection . . . . 853ing NAT Rules for CIS Redirection . . . . . . . 854

    R 51sting IP Addresses . . . . . . . . . . . . . . . . . 855

    g Started with Blacklisting . . . . . . . . . . . 856figuration Overview . . . . . . . . . . . . . . . . . 856

    ing Blacklist Enforcement . . . . . . . . . . . . 857uring Automatic Blacklisting . . . . . . . . . . 858

    ning Which Traffic is Blacklisted matically . . . . . . . . . . . . . . . . . . . . . . . . 858ding a Rule for Automatic Blacklisting. . . . 858fining Blacklisting Rule Action Options . . . 859listing Traffic Manually. . . . . . . . . . . . . . . 860

    S AND AUTHENTICATION

    R 52 up Directory Servers. . . . . . . . . . . . . . . 863

    g Started with Directory Servers . . . . . . . 864figuration Overview . . . . . . . . . . . . . . . . . 865

    ating External Directory Servers. . . . . . . . 866figuring Schema Files on External ctory Servers . . . . . . . . . . . . . . . . . . . . . 867ning Active Directory Server Elements . . . 868ning LDAP Server Elements . . . . . . . . . . . 870ing LDAP Object Classes . . . . . . . . . . . . . 872figuring LDAP Attribute Mapping . . . . . . . . 872ing Authentication Methods . . . . . . . . . . . 874ning LDAP Domains. . . . . . . . . . . . . . . . . 875ing Access Control by User . . . . . . . . . . . 876ning the Active Directory Domain trollers for Access Control by User . . . . . . 877ting User Agent Elements . . . . . . . . . . . . 878

    External Directories . . . . . . . . . . . . . . . . . . . 885Selecting Domain Nodes for User Linking . . 885Creating and Linking Authentication Server User Accounts . . . . . . . . . . . . . . . . . . . . . . 886

    Managing User Information . . . . . . . . . . . . . . . 888Adding or Removing Users From User Groups. 888Importing and Exporting User Information . . . 888

    Importing Users from an LDIF File . . . . . . . . 888Exporting Users to an LDIF File . . . . . . . . . . 889

    Changing User Passwords . . . . . . . . . . . . . . 889Clearing the Authentication Settings of a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890Resetting Local User Database on Firewalls. . 890Setting User Database Replication to Firewalls and Master Engines On or Off . . . . . 890

    CHAPTER 53Setting up User Authentication . . . . . . . . . . . . 891

    Getting Started with User Authentication . . . . . 892Configuration Overview . . . . . . . . . . . . . . . . . 893

    Integrating External Authentication Services. . . 894Defining RADIUS or TACACS+ Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894Defining Authentication Methods for External Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896

    Integrating Authentication Server Services . . . . 897Defining Authentication Server Elements . . . . 898Defining Authentication Server Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 899Defining Authentication Server RADIUS Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903Defining Authentication Server Notification Channels. . . . . . . . . . . . . . . . . . . . . . . . . . . 904Enabling Federated Authentication With the Authentication Server . . . . . . . . . . . . . . . . . . 906Enabling RADIUS Accounting With the Authentication Server . . . . . . . . . . . . . . . . . . 906Enabling Web Services With the Authentication Server . . . . . . . . . . . . . . . . . . 906

    Defining IPv4 Access Rules for Authentication . 907

  • Enabling Browser-Based User Authentication . . 908Creating and Signing HTTPS Certificates for Browser-Based User Authentication . . . . . . . . 909Defining IPv4 Access Rules for Browser-Based User Authentication . . . . . . . . 910Enabling Redirection of Unauthenticated HTTP Connections . . . . . . . . . . . . . . . . . . . . 911

    Authenticating to a Firewall or Virtual Firewall . . 912Customizing the HTML Pages Profile for Brows

    ExpoCusImp

    Monit

    VIRT

    CHAPTEBasic P

    GettinConfigConfigFirewa

    CreaConCreaCrea

    ConfigGatew

    CreaConCreaConDefiConCreaCreaCrea

    ConfigManConCreaConAdd3. . CreaCreaCrea

    Config

    Creating Gateway Elements for VPN Configuration 4 . . . . . . . . . . . . . . . . . . . . . . 935Creating a VPN Element for VPN Configuration 4 . . . . . . . . . . . . . . . . . . . . . . 936Defining Site Properties for VPN Configuration 4 . . . . . . . . . . . . . . . . . . . . . . 936Creating Rules for VPN Configuration 4 . . . . . 937

    CHAPTER 55Configuring IPsec VPNs . . . . . . . . . . . . . . . . . 93917Table of Contents

    er-Based User Authentication . . . . . . . . . 913rting the Default HTML Pages Profile . . . . 913

    tomizing the Default HTML Pages . . . . . . . 914orting the Custom HTML Pages . . . . . . . . 914oring and Testing User Authentication . . . 915

    UAL PRIVATE NETWORKS

    R 54olicy-Based VPN Configurations . . . . . . 919

    g Started With Basic Policy-Based VPN uration . . . . . . . . . . . . . . . . . . . . . . . . . 920uration 1: Basic VPN Between McAfee ll/VPN Engines . . . . . . . . . . . . . . . . . . . 921ting Gateway Elements for

    figuration 1 . . . . . . . . . . . . . . . . . . . . . . 921ting a VPN Element for Configuration 1 . . 922ting Rules for VPN Configuration 1 . . . . . 923uration 2: Basic VPN With a Partner ay. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924ting an Internal Gateway Element for

    figuration 2 . . . . . . . . . . . . . . . . . . . . . . 924ting an External Gateway Element for

    figuration 2 . . . . . . . . . . . . . . . . . . . . . . 925ning a Site for External Gateway in figuration 2 . . . . . . . . . . . . . . . . . . . . . . 926ting a VPN Profile for Configuration 2. . . . 926ting a VPN Element for Configuration 2 . . 928ting Rules for Configuration 2 . . . . . . . . . 929uration 3: Basic VPN for Remote Clients . 930aging VPN Client Addresses in figuration 3 . . . . . . . . . . . . . . . . . . . . . . 930ting Gateway Elements for

    figuration 3 . . . . . . . . . . . . . . . . . . . . . . 931ing VPN Client Settings for Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931ting a VPN Element for Configuration 3 . . 932ting Users for VPN Configuration 3 . . . . . 933ting Rules for VPN Configuration 3 . . . . . 933uration 4: Basic VPN Hub. . . . . . . . . . . . 935

    Getting Started With IPsec VPNs . . . . . . . . . . . 940Configuration Overview . . . . . . . . . . . . . . . . . 941

    Configuring IPsec VPNs . . . . . . . . . . . . . . . . 942Defining Gateway Profiles . . . . . . . . . . . . . . . . 943

    Defining a Custom Gateway Profile . . . . . . . . 943Defining VPN Gateways. . . . . . . . . . . . . . . . . . 944

    Creating a New VPN Gateway Element . . . . . . 945Defining End-Points for Internal VPN Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . 946Defining End-Points for External VPN Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . 948Defining Trusted CAs for a Gateway . . . . . . . . 950Defining Gateway-Specific VPN Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 951

    Defining Sites for VPN Gateways . . . . . . . . . . . 953Disabling or Re-Enabling Automatic VPN Site Management . . . . . . . . . . . . . . . . . . . . . . . . 954Adjusting Automatic VPN Site Management . . 955Adding a New VPN Site. . . . . . . . . . . . . . . . . 955Defining Protected Networks for VPN Sites. . . 956Adjusting VPN-Specific Site Settings . . . . . . . 957Disabling a VPN Site Temporarily in All VPNs . 958Removing a VPN Site Permanently from All VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958

    Defining VPN Profiles . . . . . . . . . . . . . . . . . . . 959Creating a New VPN Profile . . . . . . . . . . . . . . 959Modifying an Existing VPN Profile. . . . . . . . . . 960Defining IKE SA Settings for a VPN . . . . . . . . 961Defining IPsec SA Settings for a VPN. . . . . . . 963Defining VPN Client Settings . . . . . . . . . . . . . 965Defining Trusted CAs for a VPN . . . . . . . . . . . 967

    Defining Policy-Based VPNs. . . . . . . . . . . . . . . 968Creating a New VPN Element . . . . . . . . . . . . 968Modifying an Existing VPN Element . . . . . . . . 969Defining VPN Topology for Policy-Based VPNs . 969Defining VPN Tunnel Settings for Policy-Based VPNs . . . . . . . . . . . . . . . . . . . . 971Editing VPN Link Modes in Policy-Based VPNs 973Creating Rules for Policy-Based VPNs . . . . . . 974

  • 18

    Creating Rules for Gateway Connections in Policy-Based VPNs . . . . . . . . . . . . . . . . . . . . 975Creating Rules for VPN Client Connections in Policy-Based VPNs . . . . . . . . . . . . . . . . . . 976Creating Forwarding Rules on Hub Gateways for Policy-Based VPNs . . . . . . . . . . . . . . . . . . 977Preventing Other Access Rules from Matching Policy-Based VPN Traffic . . . . . . . . . 979Creating NAT Rules for Policy-Based VPN Traff

    EditinSeleRouDefiUsin

    Monit

    CHAPTEManag

    GettinCon

    DefinCreatSelecAuthoCreat

    CreaReqSignInte

    UploaRenewExporInternImporCheckCheckExpire

    CHAPTEReconf

    AddinConfig

    ActivTranComTranVPN

    AddinChangExisti

    Giving VPN Access to Additional Hosts. . . . . . . 1006Routing Internet Traffic Through Policy-Based VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006Redirecting Traffic Between VPN Tunnels . . . . . 1007Renewing or Generating Pre-Shared Keys . . . . . 1008

    Generating a New Pre-Shared Key Automatically . . . . . . . . . . . . . . . . . . . . . . . . 1008Renewing Pre-Shared Keys Manually . . . . . . . 1008Table of Contents

    ic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979g the Route-Based VPN . . . . . . . . . . . . . . 980cting the Default Encryption for the te-Based VPN . . . . . . . . . . . . . . . . . . . . . 980ning Route-Based VPN Tunnels . . . . . . . . 981g the Route-Based VPN in Tunnel Mode . . 983oring VPNs. . . . . . . . . . . . . . . . . . . . . . . 985

    R 56ing VPN Certificates . . . . . . . . . . . . . . . 987

    g Started With VPN Certificates. . . . . . . . 988figuration Overview . . . . . . . . . . . . . . . . . 989

    ing a VPN Certificate Authority . . . . . . . . . 989ing an Internal ECDSA CA for Gateways . . 991ting the Default Internal Certificate rity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 992ing and Signing VPN Certificates . . . . . . . 992ting a VPN Certificate or Certificate

    uest for an Internal Gateway . . . . . . . . . . 992ing External Certificate Requests rnally . . . . . . . . . . . . . . . . . . . . . . . . . . . 994ding VPN Certificates Manually . . . . . . . . 995ing VPN Certificates . . . . . . . . . . . . . . . 995

    ting the Certificate of VPN Gateways or al CAs for Gateways . . . . . . . . . . . . . . . . 997ting a VPN Gateway Certificate . . . . . . . . 998ing When Gateway Certificates Expire . . . 998ing When an Internal CA for Gateways s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999

    R 57iguring Existing VPNs . . . . . . . . . . . . . . 1001

    g or Removing Tunnels in a VPN. . . . . . . . 1002uring NAT Settings for an Existing VPN . . 1003ating NAT Traversal . . . . . . . . . . . . . . . . 1003slating Addresses of VPN munications Between Gateways . . . . . . . 1003slating Addresses in Traffic Inside a Tunnel. . . . . . . . . . . . . . . . . . . . . . . . . . 1004g New Gateways to an Existing VPN . . . . . 1004ing Gateway IP Addressing in an

    ng VPN. . . . . . . . . . . . . . . . . . . . . . . . . . 1005

    Advanced VPN Tuning . . . . . . . . . . . . . . . . . . . 1009Defining a Custom Gateway Settings Element . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009

    Adjusting MOBIKE Settings . . . . . . . . . . . . . 1009Adjusting Negotiation Retry Settings . . . . . . 1010Adjusting Certificate Cache Settings . . . . . . 1011

    Assigning the Gateway Settings for a Firewall/VPN Engine . . . . . . . . . . . . . . . . . . . 1011

    CHAPTER 58VPN Client Settings . . . . . . . . . . . . . . . . . . . . 1013

    Getting Started With VPN Client Settings . . . . . 1014List of VPN Client Settings in the Management Client . . . . . . . . . . . . . . . . . . . . 1015Managing VPN Client IP Addresses . . . . . . . . . 1018

    Configuring NAT Pool for VPN Clients . . . . . . . 1019Configuring Virtual IP Addressing for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1019Configuring the Gateway for Virtual IP Address Clients . . . . . . . . . . . . . . . . . . . . . . 1020Allowing DHCP Relay in the Policy . . . . . . . . . 1021

    Exporting VPN Client Configuration to a File . . . 1021

    MAINTENANCE AND UPGRADES

    CHAPTER 59Backing Up and Restoring System Configurations . . . . . . . . . . . . . . . . . . . . . . . . 1025

    Getting Started with Backups . . . . . . . . . . . . . 1026Configuration Overview . . . . . . . . . . . . . . . . . 1027

    Creating Backups. . . . . . . . . . . . . . . . . . . . . . 1027Storing Backup Files . . . . . . . . . . . . . . . . . . . 1028Restoring Backups . . . . . . . . . . . . . . . . . . . . . 1029

    Restoring a Management Server Backup . . . . 1029Restoring a Log Server Backup . . . . . . . . . . . 1030Restoring an Authentication Server Backup . . 1031

    Recovering from a Hardware Failure . . . . . . . . . 1032

  • CHAPTER 60Managing Log Data . . . . . . . . . . . . . . . . . . . . . 1033

    Getting Started with Log Data Management . . . 1034Configuration Overview . . . . . . . . . . . . . . . . . 1034

    Defining When Logs Are Generated . . . . . . . . . 1035Archiving Log Data . . . . . . . . . . . . . . . . . . . . . 1036

    Creating an Archive Log Task . . . . . . . . . . . . . 1036Selecting Log Data for Archiving. . . . . . . . . . . 1036SeleLog

    DeletCreaSeleSeleLogsPrunDisa

    ExporCreaSeleSele

    Viewi

    CHAPTEManag

    GettinCon

    Task Creat

    CreaCreaCreaandCreaCreaCrea

    SchedStartiPausiCanceStopp

    CHAPTEManag

    GettinGeneUpgraChang

    Installing Licenses . . . . . . . . . . . . . . . . . . . . . 1064Installing a License for an Unlicensed Component . . . . . . . . . . . . . . . . . . . . . . . . . 1064Replacing the License of a Previously Licensed Component . . . . . . . . . . . . . . . . . . 1065

    Checking If All Components Are Licensed. . . . . 1066Checking License Validity and Status. . . . . . . . 1067

    CHAPTER 63Upgrading the SMC . . . . . . . . . . . . . . . . . . . . . 106919Table of Contents

    cting Operation Settings for Archiving Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037ing Log Data . . . . . . . . . . . . . . . . . . . . . . 1038ting a Delete Log Task . . . . . . . . . . . . . . 1038cting Data for Deleting Logs . . . . . . . . . . 1038cting Operation Settings for Deleting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039ing Log Data . . . . . . . . . . . . . . . . . . . . . 1040bling Pruning Filters . . . . . . . . . . . . . . . . 1041ting Log Data . . . . . . . . . . . . . . . . . . . . . 1041ting an Export Log Task . . . . . . . . . . . . . 1042cting Data for Log Export . . . . . . . . . . . . 1042cting Operation Settings for Log Export . . 1043

    ng a History of Executed Log Tasks . . . . . 1044

    R 61ing and Scheduling Tasks . . . . . . . . . . . . 1045

    g Started with Tasks . . . . . . . . . . . . . . . 1046figuration Overview . . . . . . . . . . . . . . . . . 1046

    Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047ing New Task Definitions . . . . . . . . . . . . . 1049ting Backup Tasks . . . . . . . . . . . . . . . . . 1049ting Refresh Policy Tasks . . . . . . . . . . . . 1050ting Refresh Policy on Master Engines

    Virtual Security Engines Tasks. . . . . . . . . 1051ting Upload Policy Tasks . . . . . . . . . . . . . 1052ting Remote Upgrade Tasks . . . . . . . . . . 1053ting sgInfo Tasks . . . . . . . . . . . . . . . . . . 1054uling Tasks . . . . . . . . . . . . . . . . . . . . . . 1054

    ng Tasks Manually . . . . . . . . . . . . . . . . . 1055ng the Scheduled Execution of a Task . . . 1055ling a Task Schedule . . . . . . . . . . . . . . . 1056ing Task Execution . . . . . . . . . . . . . . . . . 1056

    R 62ing Licenses. . . . . . . . . . . . . . . . . . . . . . 1057

    g Started with Licenses . . . . . . . . . . . . . 1058rating New Licenses . . . . . . . . . . . . . . . . 1061ding Licenses Manually . . . . . . . . . . . . . 1062ing License Binding Details . . . . . . . . . . 1063

    Getting Started with Upgrading the SMC . . . . . 1070Configuration Overview . . . . . . . . . . . . . . . . . 1071

    Obtaining the SMC Installation Files . . . . . . . . 1071Upgrading SMC Servers . . . . . . . . . . . . . . . . . 1072Default Installation Directories for SMC . . . . . . 1073

    CHAPTER 64Upgrading the Engines . . . . . . . . . . . . . . . . . . 1075

    Getting Started with Upgrading Engines . . . . . . 1076Configuration Overview . . . . . . . . . . . . . . . . . 1077

    Obtaining Engine Upgrade Files . . . . . . . . . . . . 1077Upgrading Engines Remotely. . . . . . . . . . . . . . 1078Upgrading Legacy IPS Engines. . . . . . . . . . . . . 1080

    Upgrading Sensors and Sensor Clusters to IPS Engines . . . . . . . . . . . . . . . . . . . . . . . . . 1080Upgrading a Legacy Sensor-Analyzer to a Single IPS Engine. . . . . . . . . . . . . . . . . . . . . 1081Removing Unused Analyzers . . . . . . . . . . . . . 1082

    CHAPTER 65Manual Dynamic Updates. . . . . . . . . . . . . . . . . 1083

    Getting Started with Manual Dynamic Updates . 1084Configuration Overview . . . . . . . . . . . . . . . . . 1084

    Importing a Dynamic Update Package . . . . . . . 1085Activating a Dynamic Update Package . . . . . . . 1086

    TROUBLESHOOTING

    CHAPTER 66General Troubleshooting Tips . . . . . . . . . . . . . . 1089

    If Your Problem Is Not Listed. . . . . . . . . . . . . . 1090Tools For Further Troubleshooting . . . . . . . . . . 1090

    CHAPTER 67Troubleshooting Accounts and Passwords. . . . . 1091

    Forgotten Passwords . . . . . . . . . . . . . . . . . . . 1092User Account Changes Have no Effect . . . . . . . 1093Creating an Emergency Administrator Account . 1093

  • 20

    CHAPTER 68Troubleshooting Alert, Log, and Error Messages 1095

    Alert Log Messages . . . . . . . . . . . . . . . . . . . . 1096Certificate Authority Expired/Expiring Alerts . . 1096Certificate Expired/Expiring Alerts . . . . . . . . . 1096Log Spool Filling . . . . . . . . . . . . . . . . . . . . . . 1096Status Surveillance: Inoperative Security Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1096SystTestThro

    Log MConConSetuConConIncoNATResNot ReqSpoIPse

    Error ComPKIXPolicUne

    CHAPTETrouble

    UnderRepla

    RenRen

    DealinReverAutho

    CHAPTETrouble

    NodeError ErrorsProble

    CHAPTETrouble

    Troub

    License Is Shown as Retained . . . . . . . . . . . . 1121License Is Shown as Unassigned . . . . . . . . . . 1121Throughput License Exceeded Alerts . . . . . . . . 1121

    CHAPTER 72Troubleshooting Logging . . . . . . . . . . . . . . . . . 1123

    Problems With Viewing Logs . . . . . . . . . . . . . . 1124Logs Are Filling up the Storage Space . . . . . . . 1125Log Server Does not Run . . . . . . . . . . . . . . . . 1126Table of Contents

    em Alert . . . . . . . . . . . . . . . . . . . . . . . . 1097 Failed . . . . . . . . . . . . . . . . . . . . . . . . . . 1097ughput License Exceeded . . . . . . . . . . . . 1097essages . . . . . . . . . . . . . . . . . . . . . . . . 1098

    nection Closed/Reset by Client/Server. . . 1098nection Removed During Connection p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098

    nection State Might Be Too Large. . . . . . . 1099nection Timeout . . . . . . . . . . . . . . . . . . . 1100mplete Connection Closed . . . . . . . . . . . 1101 Balance: Remote Host Does Not pond . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101a Valid SYN Packet .