McAfee SMC Installation Guide 5.7 Security Management Center


Page 1: McAfee SMC Installation Guide - Forcepoint · Installing Additional Management Servers . . . 34 ... The McAfee SMC Installation Guide is intended for the administrators who install

McAfee SMC Installation Guide 5.7

Security Management Center


Legal Information

The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the McAfee website: http://www.mcafee.com/us/about/legal/license-agreements.aspx

Revision: SGMIG_20140325


TABLE OF CONTENTS

INTRODUCTION

CHAPTER 1 Using SMC Documentation . . . 7
  How to Use This Guide . . . 8
    Typographical Conventions . . . 8
  Documentation Available . . . 9
    Product Documentation . . . 9
    Support Documentation . . . 10
    System Requirements . . . 10
    Supported Features . . . 10
  Contact Information . . . 10

CHAPTER 2 Planning the SMC Installation . . . 11
  McAfee NGFW Solution . . . 12
  Overview of the Installation Procedure . . . 13
  Important to Know Before Installation . . . 14
    Supported Platforms . . . 14
    Date and Time Settings . . . 14
    Hosts File . . . 14
  Obtaining Installation Files . . . 15
    Downloading the Installation Files . . . 15
    Checking File Integrity . . . 15
    Creating the Installation DVD . . . 15
  Obtaining License Files . . . 16

INSTALLING THE SECURITY MANAGEMENT CENTER

CHAPTER 3 Installing the Security Management Center . . . 19
  Getting Started with SMC Installation . . . 20
    Installing on Linux . . . 20
    Configuration Overview . . . 20
  Installing Security Management Center Components . . . 21
    Installing a Management Server . . . 22
    Installing a Log Server . . . 24
    Installing a Web Portal Server . . . 24
    Installing an Authentication Server . . . 25
    Installing in Demo Mode . . . 26
    Finishing the Installation . . . 26
  Starting the SMC After Installation . . . 27
    Starting the Management Server . . . 27
    Starting the Management Client . . . 27
    Logging in to the Security Management Center . . . 28
    Accepting the Management Server Certificate . . . 28
    Installing Licenses . . . 29
    Binding Management Server POL-Bound Licenses to Servers . . . 30
    Starting the Log Server, Web Portal Server, and Authentication Server . . . 30
    Starting Servers Manually . . . 31
    If the Log Server, Web Portal Server, or Authentication Server Fails to Start . . . 31
    Generating Server Certificates . . . 32
  After the Security Management Center is Installed . . . 33
  Configuring Additional Management Servers . . . 34
    Overview . . . 34
    Installing Licenses for Additional Management Servers . . . 34
    Installing Additional Management Servers . . . 34
    Applying the Authentication Server Configuration . . . 36
  Non-Graphical Installation . . . 37
    Configuring the Management Server in a Non-Graphical Installation . . . 38
    Configuring the Log Server in a Non-Graphical Installation . . . 40
    Configuring the Web Portal Server in a Non-Graphical Installation . . . 41
    Configuring the Authentication Server in a Non-Graphical Installation . . . 41

CHAPTER 4 Distributing Management Clients Through Web Start . . . 43
  Getting Started with Web Start Distribution . . . 44
  Distributing Management Clients From the SMC Servers . . . 44
  Distributing Management Clients From a Separate Server . . . 45
  Accessing the Web Start Management Clients . . . 46

CHAPTER 5 Configuring NAT Addresses for SMC Components . . . 47
  Getting Started with Configuring NAT Addresses for SMC Components . . . 48
    Configuration Overview . . . 49
  Defining Locations . . . 49
  Adding SMC Server Contact Addresses . . . 50
  Setting the Management Client’s Location . . . 51

MAINTENANCE

CHAPTER 6 Upgrading . . . 55
  Getting Started with Upgrading the SMC . . . 56
    Configuration Overview . . . 56
  Upgrading Licenses . . . 57
    Upgrading Licenses Manually . . . 57
    Installing Licenses . . . 58
  Upgrading the Security Management Center . . . 59
    Synchronizing Management Databases . . . 61

CHAPTER 7 Uninstalling the Security Management Center . . . 63
  Overview to Uninstalling the Security Management Center . . . 64
  Uninstalling in Windows . . . 64
  Uninstalling in Linux . . . 64

APPENDICES

APPENDIX A Command Line Tools . . . 67
  Security Management Center Commands . . . 68
  NGFW Engine Commands . . . 79
  Server Pool Monitoring Agent Commands . . . 87

APPENDIX B Default Communication Ports . . . 89
  Security Management Center Ports . . . 90
  Security Engine Ports . . . 93

Index . . . 97


INTRODUCTION

In this section:

Using SMC Documentation - 7

Planning the SMC Installation - 11


CHAPTER 1

USING SMC DOCUMENTATION

This chapter describes how to use the McAfee SMC Installation Guide and lists other available documentation. It also provides directions for obtaining technical support and giving feedback.

The following sections are included:

How to Use This Guide (page 8)
Documentation Available (page 9)
Contact Information (page 10)


How to Use This Guide

The McAfee SMC Installation Guide is intended for the administrators who install the McAfee® Security Management Center (SMC). It describes the installation step by step. The chapters in this guide are organized in the general order you should follow when installing the system.

Most tasks are explained using illustrations that include explanations on the steps you need to complete in each corresponding view in your own environment. The explanations that accompany the illustrations are numbered when the illustration contains more than one step.

Typographical Conventions

The following conventions are used throughout the documentation:

Table 1.1 Typographical Conventions

Formatting             Informative Uses
User Interface text    Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms      Cross-references and first use of acronyms and terms are in italics.
Command line           File names, directories, and text displayed on the screen are monospaced.
User input             User input on screen is in monospaced bold-face.
Command parameters     Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:

Note – Notes prevent commonly-made mistakes by pointing out important points.

Caution – Cautions prevent breaches of security, information loss, or system downtime. Cautions always contain critical information that you must observe.

Tip – Tips provide additional helpful information, such as alternative ways to complete steps.

Example – Examples present a concrete scenario that clarifies the points made in the adjacent text.


Documentation Available

SMC documentation is divided into two main categories: Product Documentation and Support Documentation (page 10). Each SMC product has a separate set of manuals.

Product Documentation

The table below lists the available product documentation.

PDF guides are available at https://www.stonesoft.com/en/customer_care/documentation/current/. The McAfee SMC Administrator’s Guide, and the Reference Guides and Installation Guides for McAfee Security Management Center, McAfee Firewall/VPN, McAfee IPS, and McAfee Layer 2 Firewall are also available as PDFs on the Security Management Center DVD.

Table 1.2 Product Documentation

Reference Guide: Explains the operation and features of the SMC comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available as separate guides for McAfee Security Management Center and McAfee Firewall/VPN, and as a combined guide for McAfee IPS and McAfee Layer 2 Firewall.

Installation Guide: Instructions for planning, installing, and upgrading the SMC. Available as separate guides for McAfee Security Management Center and McAfee Firewall/VPN, and as a combined guide for McAfee IPS and McAfee Layer 2 Firewall.

Online Help: Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the Management Client and the Web Portal. An HTML-based system is available in the SSL VPN Administrator through help links and icons.

Administrator’s Guide: Describes how to configure and manage the system step-by-step. Available as a combined guide for McAfee Firewall/VPN, McAfee IPS, and McAfee Layer 2 Firewall, and as separate guides for the SSL VPN and the IPsec VPN Client.

User’s Guide: Instructions for end-users. Available for the IPsec VPN Client and the Web Portal.

Appliance Installation Guide: Instructions for physically installing and maintaining McAfee NGFW appliances (rack mounting, cabling, etc.). Available for all McAfee NGFW appliances.


Support Documentation

The McAfee support documentation provides additional and late-breaking technical information. These technical documents support the SMC guide books, for example, by giving further examples on specific configuration scenarios.

The latest technical documentation is available at http://www.stonesoft.com/en/customer_care/support/.

System Requirements

The system requirements for running the McAfee Security Management Center can be found in the Security Management Center Release Notes available at http://www.stonesoft.com/en/customer_care/kb/.

Supported Features

Not all features are supported on all platforms. See the Appliance Software Support Table for more information.

Contact Information

For general information about SMC products, visit our web site at http://www.mcafee.com/.


CHAPTER 2

PLANNING THE SMC INSTALLATION

This chapter provides important information to take into account before the McAfee Security Management Center installation can begin. It also includes an overview of the installation process.

The following sections are included:

McAfee NGFW Solution (page 12)
Overview of the Installation Procedure (page 13)
Important to Know Before Installation (page 14)
Obtaining Installation Files (page 15)
Obtaining License Files (page 16)

McAfee NGFW Solution

The system consists of one or more NGFW engines, the Security Management Center, and Management Client(s). The Management Server, Log Server, and one or more Management Clients are always included in the installation. The type and number of optional components and engines varies according to environment and depends on your licenses.

Illustration 2.1 SMC Components

The Security Management Center consists of the following standard components:

• The Management Server.
• One or more Log Servers.

The Management Client is a single unified tool that is used for all configuration and monitoring tasks related to the whole system. You can install an unlimited number of Management Clients.

Optionally, and for a separate license fee, you can also have:

• One or more additional Management Servers. Only one Management Server is active at a time. The additional Management Servers function as standby Management Servers.

• One or more Web Portal Servers for Web Portal users.
• One Authentication Server for end-user authentication.
• SSL VPN gateways that you can optionally connect to the Security Management Center. This allows you to monitor the status of SSL VPN appliances and to view SSL VPN logs in the Management Client.

The Security Management Center components can be installed separately on different machines or on the same machine, depending on your requirements.

Illustration 2.1 (figure not reproduced here) shows the following components: NGFW Engines (Security Engines), Management Server, Log Server, Web Portal Server, Authentication Server, Management Client, and Web Portal.

The Security Management Center can manage several NGFW engines (Security Engines). See the McAfee SMC Reference Guide, McAfee NGFW Reference Guide for Firewall/VPN Role, and the McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles for general information on the Security Management Center and NGFW engines.

Overview of the Installation Procedure

1. Install and configure the Security Management Center and a Management Client. See Installing the Security Management Center (page 19).

2. (Optional) Set up Management Client distribution through Java Web Start for automatic installation and upgrade. See Distributing Management Clients Through Web Start (page 43).

3. If network address translation (NAT) is applied to communications between system components, define contact addresses. See Configuring NAT Addresses for SMC Components (page 47).

The chapters and sections of this guide proceed in the order outlined above.

Once you have installed the Security Management Center components and the Management Client, and configured the communications between the system components, you can proceed to configuring and installing the Firewall/VPN, IPS, and Layer 2 Firewall engines. See the McAfee NGFW Installation Guide for Firewall/VPN Role, and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles for information on installing the engines.


Important to Know Before Installation

Consult the McAfee SMC Reference Guide, the McAfee NGFW Reference Guide for Firewall/VPN Role, or the McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles if you need more detailed background information on the operation of the system than what is offered in this chapter.

Supported Platforms

The Release Notes list the basic requirements for installation. For information on supported and certified hardware, search for the version-specific Hardware Requirements on the technical documentation web page at http://www.stonesoft.com/en/customer_care/kb/.

Date and Time Settings

Make sure that the Date, Time, and Time zone settings are correct on any computer you will use as a platform for any Security Management Center component, including the workstations used for the Management Client. The time settings of the engines do not need to be adjusted, as they are automatically synchronized with the Management Server’s time setting. For this operation, the time is converted to UTC time according to the Management Server’s time zone setting. The SMC always uses UTC internally.

Hosts File

Due to a restriction of the Java platform, the Management Server and Log Server hostnames must be resolvable on the computer running the Management Client (even if running on the same computer as the servers) to ensure good performance.

To ensure that the hostnames can be resolved, you can add the IP address-hostname pairs to the local hosts file on the client computer:

• In Windows: %SystemRoot%\system32\drivers\etc\hosts
• In Linux: /etc/hosts
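As an added example that is not part of the McAfee guide, the following POSIX shell script checks that the Management Server and Log Server hostnames map to the expected addresses in a hosts-format file, so the check can be run on the Management Client computer before the first login. The hostnames, addresses and sample hosts file are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the McAfee SMC guide: check that the Management
# Server and Log Server hostnames map to the expected addresses in a
# hosts-format file. Names and addresses below are constructed.

# hosts_lookup NAME FILE
# Prints the address mapped to NAME in FILE (hosts file syntax: address
# followed by one or more names, '#' starts a comment). Prints nothing if
# NAME is absent.
hosts_lookup() {
  awk -v name="$1" '
    { sub(/#.*/, "") }                 # drop comments
    NF < 2 { next }                    # blank line or address without a name
    { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
  ' "$2"
}

# check_resolves NAME EXPECTED_IP FILE
# Returns 0 when NAME resolves to EXPECTED_IP, 1 otherwise.
check_resolves() {
  got=$(hosts_lookup "$1" "$3")
  if [ "$got" = "$2" ]; then
    echo "OK: $1 -> $got"
    return 0
  fi
  echo "PROBLEM: $1 resolves to '${got:-nothing}', expected $2" >&2
  return 1
}

# Constructed sample hosts file (the real file is /etc/hosts on Linux or
# %SystemRoot%\system32\drivers\etc\hosts on Windows).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1    localhost
192.0.2.10   smc-mgmt.example.com smc-mgmt   # Management Server (constructed)
192.0.2.11   smc-log.example.com  smc-log    # Log Server (constructed)
EOF

# Run the checks for both servers; each call exits non-zero if the name is
# missing or maps to the wrong address.
check_resolves smc-mgmt.example.com 192.0.2.10 "$SAMPLE_HOSTS"
check_resolves smc-log.example.com  192.0.2.11 "$SAMPLE_HOSTS"
```

On a live Linux client, pass /etc/hosts as the file argument; to test the resolver as a whole rather than the hosts file alone, `getent hosts NAME` gives the address the Java client will actually obtain.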


Obtaining Installation Files

Depending on your order, you may have received ready-made installation DVDs for the Security Management Center. Otherwise, download the installation files from the McAfee web site.

Downloading the Installation Files

To download the installation files

1. Go to https://my.stonesoft.com/download.

2. Enter your license code or log in using an existing user account.

3. Download the .iso image files or the installation .zip file.

Checking File Integrity

Before installing the SMC from downloaded files, check that the installation files have not become corrupt or been modified. Using corrupt files may cause problems at any stage of the installation and use of the system. File integrity is checked by generating an MD5 or SHA-1 file checksum of the downloaded files and by comparing the checksum with the checksum on the download page at the McAfee web site.

Windows does not have MD5 or SHA-1 checksum tools by default, but there are several third-party programs available.

To check the MD5 or SHA-1 file checksum

1. Look up the correct checksum at https://my.stonesoft.com/download.do.

2. Change to the directory that contains the file(s) to be checked.

3. Generate a checksum of the file using the command md5sum filename or sha1sum filename, where filename is the name of the installation file.

4. Compare the displayed output to the checksum on the web site. They must match.
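As an added example that is not part of the McAfee guide, the following POSIX shell function carries out steps 2 to 4 in one place: it runs md5sum or sha1sum (selected by the length of the published digest) and compares the result with the value copied from the download page, so the comparison is exact rather than by eye. The sample file and its digests are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the McAfee SMC guide: compare a downloaded
# installation file's checksum against the value published on the download
# page, using the same md5sum/sha1sum tools the guide's procedure names.

# verify_checksum FILE EXPECTED
# EXPECTED is the hex digest copied from the download page. Its length picks
# the algorithm: 32 hex characters = MD5, 40 = SHA-1. Returns 0 on a match,
# 1 on a mismatch, 2 if the digest length is not recognised.
verify_checksum() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # case-insensitive compare
  case ${#expected} in
    32) actual=$(md5sum "$file" | awk '{ print $1 }') ;;
    40) actual=$(sha1sum "$file" | awk '{ print $1 }') ;;
    *)  echo "ERROR: $2 is not an MD5 or SHA-1 digest" >&2; return 2 ;;
  esac
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file ($actual)"
    return 0
  fi
  echo "MISMATCH: $file: expected $expected, got $actual" >&2
  return 1
}

# Constructed sample: a small file standing in for the downloaded .iso or
# .zip, with the MD5 and SHA-1 values as they would appear on the download
# page.
SAMPLE_FILE=$(mktemp)
printf 'hello\n' > "$SAMPLE_FILE"
SAMPLE_MD5=b1946ac92492d2347c6235b4d2611184
SAMPLE_SHA1=f572d396fae9206628714fb2ce00f72e94f2258f

verify_checksum "$SAMPLE_FILE" "$SAMPLE_MD5"
verify_checksum "$SAMPLE_FILE" "$SAMPLE_SHA1"
```

For a real download, call `verify_checksum path/to/the-downloaded.iso DIGEST` with DIGEST pasted from the download page; a non-zero exit status means the file must not be used, as the Caution below states.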

Creating the Installation DVD

Once you have checked the integrity of the installation files, create the installation DVD from the files. Use a DVD-burning application that can correctly read and burn the DVD-structure stored in the .iso images. If the end result is a DVD file with the original .iso file on it, the DVD cannot be used for installation.

Caution – Do not use files that have invalid checksums. If downloading the files again does not help, contact McAfee Support to resolve the issue.

What’s Next? If you downloaded the installation files as a .zip file, unzip the contents at the installation location and proceed to Obtaining License Files (page 16). Otherwise, continue by Creating the Installation DVD (page 15).


Obtaining License Files

You must generate license files and install them after the installation to bring your system fully operational. Each Management Server, Log Server, Web Portal Server, and Authentication Server must have its own license. However, a Management Server license that includes the high availability features is a combined license for all the Management Servers and must list the IP addresses of all the Management Servers. The Authentication Server license defines the maximum number of RADIUS clients (excluding other SMC components) that can use the authentication methods provided by the Authentication Server, and the maximum number of named users for user linking in the Authentication Server’s user database.

You must also generate and install licenses for any Firewall, IPS, and Layer 2 Firewall engines, and SSL VPN gateways in order to make them operational.

For more information on licenses, see the McAfee SMC Administrator’s Guide or the Management Client Online Help.

To generate a new license

1. Go to the License Center at https://my.stonesoft.com/managelicense.do.

2. Enter the Management Server proof-of-license (POL) code and click Submit. The license page opens.

3. Click Register. The license generation page opens.

4. Enter the IP addresses of the SMC components.

5. Enter the Management Server’s proof-of-license code for the engines you want to license.
• Information on the Management Server’s POL is included in the e-mail regarding licenses that was earlier sent to you. This information is later shown in the Licenses branch of the Administration Configuration view in the Management Client.

6. Click Submit Request. The license file is sent to you shortly afterward and will then be available for download on the license page.

All licenses include the highest version for which they are valid. Automatic upgrade and installation of licenses is enabled by default. If you have disabled automatic license upgrades, you must upgrade the licenses when you upgrade to a new major release of the software.

INSTALLING THE SECURITY MANAGEMENT CENTER

In this section:

Installing the Security Management Center - 19

Distributing Management Clients Through Web Start - 43

Configuring NAT Addresses for SMC Components - 47


CHAPTER 3

INSTALLING THE SECURITY MANAGEMENT CENTER

This chapter gives instructions on how to install the Security Management Center on Windows and Linux platforms.

The following sections are included:

Getting Started with SMC Installation (page 20)
Installing Security Management Center Components (page 21)
Starting the SMC After Installation (page 27)
After the Security Management Center is Installed (page 33)
Configuring Additional Management Servers (page 34)
Non-Graphical Installation (page 37)

Getting Started with SMC Installation

You are ready to start the Security Management Center installation when you have obtained and verified the installation files. See Obtaining Installation Files (page 15) for more information on these tasks.

Log in to the system where you are installing the Security Management Center with the correct administrative rights. In Windows, you must log in with administrator rights. In Linux you must log in as root.

During the installation, certificates can be generated for the SMC server components. The certificates are needed for authentication in establishing the secure encrypted communication channel between system components.

We recommend installing a Management Client on the system on which you install the Management Server. After this, further Management Clients can be installed locally by running the Security Management Center installer or be made available through Java Web Start (see Distributing Management Clients Through Web Start (page 43)), which eliminates the need to update all Management Clients individually at each version upgrade. The Management Client has no configurable parameters.

Installing on Linux

The installation creates sgadmin user and group accounts. If there is a pre-existing sgadmin account, the installation fails. All the shell scripts are owned by sgadmin and can be executed either by root or the sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation.

Configuration Overview

1. Install the Security Management Center. See Installing Security Management Center Components (page 21). If you are installing components on separate servers, install the Management Server as the first component.

2. Start the Security Management Center. See Starting the SMC After Installation (page 27).

3. (Optional) Install additional Management Server(s). See Configuring Additional Management Servers (page 34).

Caution – Make sure that the operating system version you plan to install on is supported. The supported platforms for running the Security Management Center are listed in the Security Management Center Release Notes.

Caution – Do not install the Security Management Center on a McAfee NGFW appliance.


Installing Security Management Center Components

For obtaining, verifying, and preparing the installation files, see Obtaining Installation Files (page 15).

This section guides you through a Security Management Center installation in a graphical user interface. For command line installation in Linux, see Non-Graphical Installation (page 37).

To start the installation

1. Start the installation in one of the following ways:
• From a .zip file: unzip the file and run setup.exe on Windows or setup.sh on Linux.
• From a DVD: insert the installation DVD and run the setup executable from the DVD:

Operating System    Path to Executable
Windows 32-bit      \McAfee_SMC_Installer\Windows\setup.exe
Windows 64-bit      \McAfee_SMC_Installer\Windows-x64\setup.exe
Linux 32-bit        /McAfee_SMC_Installer/Linux/setup.sh
Linux 64-bit        /McAfee_SMC_Installer/Linux-x64/setup.sh

2. When the Installation Wizard shows the Introduction screen, click Next to start the installation. The License Agreement appears.
• You can click Cancel at any time to exit the Installation Wizard.
• You can click Previous at any time to go back.

3. Indicate that you agree to the license agreement and click Next.

4. (Optional) Click Choose to browse to a different installation folder. This folder is for the application. Log Servers can have a separate data storage location.

5. Click Next.

6. Select where to create shortcuts. These shortcuts can be used to manually start components and to run some maintenance tasks.

7. Click Next.

Note – If the DVD is not automatically mounted in Linux, mount the DVD with “mount /dev/cdrom /mnt/cdrom”.

Note – We do not recommend selecting C:\Program Files\McAfee\Security Management Center as the installation directory in Windows. Selecting C:\Program Files\McAfee\Security Management as the installation directory creates an additional C:\ProgramData\McAfee\Security Management Center folder, which duplicates some of the folders in the installation directory. Some of the program data is also stored in the C:\ProgramData\McAfee\Security Management Center folder.


8. Select the installation type:
• Typical installs all Security Management Center components except the Web Portal Server or the Authentication Server.
• Management Client Only installation is meant for administrators’ workstations.
• Demo Mode installation is meant for evaluating the SMC in a simulated environment.
• Custom installation allows you to select components one by one.

9. Click Next.

10. (Custom installation only) Select the components that you want to install and click Next.

Installing a Management Server

To configure the Management Server installation

1. Select the Management Server’s IP address. The Management Server’s license must be generated using this IP address.

2. Enter the Log Server IP Address to which this Management Server sends its log data.

3. (Optional) Select Enable and Configure Web Start Server if you want the Management Server to distribute the Management Client through Java Web Start.

4. (Optional) Select 256-bit Security Strength if you want to use 256-bit encryption for communication between the Management Server and the engines. This requires all engines to be version 5.5 or higher.

5. Leave Install as a Service selected to make the Management Server start automatically.

6. (256-Bit Security Strength only) Click Next. A warning about the compatibility of 256-bit security strength is displayed.
• If you did not select Enable and Configure Web Start Server, proceed to Step 9.

7. (Web Start Server only) Click Next. You are prompted to configure the Web Start Server.

Note – Make sure you have a license for any separately licensed components before installing them. The Web Portal Server and Authentication Server are not included in standard Security Management Center licenses.

What’s Next? For Demo Mode installations, proceed to Installing in Demo Mode (page 26). Otherwise, proceed to the next applicable section according to the components you are

installing:• Installing a Management Server.• Installing a Log Server (page 24).• Installing a Web Portal Server (page 24).• Installing an Authentication Server (page 25).

Caution – Engines with versions lower than 5.5 and SSL VPN gateways cannot communicate with the SMC when 256-bit encryption is used for the communication between the Management Server and the engines.


8. (Web Start Server only) Configure the Web Start Server settings as explained in the table below:

Table 3.1 Web Start Server Settings

Port
Enter the TCP Port Number that the service listens to. By default, the standard HTTP port 80 is used on Windows and 8080 on Linux (which does not allow the use of reserved ports for this type of service). Note! Make sure the listening port is not in use on the server. For ports reserved for Security Management Center services, see Default Communication Ports (page 89).

Host Name (Optional)
Enter the Host Name that the Web Start service uses. Leave the field blank to allow requests to any of the server’s host names.

9. Click Next. You are prompted to create a superuser account.

10. Enter a User Name.

11. Enter and confirm the Password.

Note – This is the only account that can log in after the installation.

12. Click Next.

What’s Next? Proceed to the next applicable section according to the components you are installing:
• Installing a Log Server (page 24).
• Installing a Web Portal Server (page 24).
• Installing an Authentication Server (page 25).
• Finishing the Installation (page 26).
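The Web Start Server table tells you to make sure the listening port is not already in use before you commit to it. The Python below is an added example (not code from this guide or from the product) of how to probe a candidate port on the host before running the installer. It distinguishes a port another process already owns, a port below 1024 that an unprivileged service cannot bind on Linux (the reason the Linux default is 8080 rather than 80), and a port you have listed as reserved for another SMC service. The reserved-port set is supplied by you from the Default Communication Ports table; the example does not know that table and assumes nothing about its contents.

```python
import errno
import socket

# On Linux, ports below 1024 can only be bound by a privileged process. The
# installer's Linux default of 8080 (versus 80 on Windows) exists for that reason.
PRIVILEGED_PORT_LIMIT = 1024


def is_privileged_port(port: int) -> bool:
    """True if binding this port normally requires root privileges on Linux."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def check_listen_port(port: int, host: str = "0.0.0.0", reserved=frozenset()) -> str:
    """Classify a candidate listening port on this host.

    Returns one of:
      "reserved"   - the port is in the caller-supplied set of ports reserved for
                     other SMC services (take that set from the guide's Default
                     Communication Ports table; nothing is hard-coded here)
      "in use"     - another socket already owns the port (bind fails with EADDRINUSE)
      "privileged" - the port is below 1024 and this process may not bind it (EACCES)
      "free"       - a bind succeeded, so the service can take the port
    The probe socket is closed immediately; nothing is left listening.
    """
    if port in reserved:
        return "reserved"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        # No SO_REUSEADDR on purpose: a port still in TIME_WAIT is reported as
        # "in use", which is the conservative answer for a long-lived service.
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in use"
            if exc.errno == errno.EACCES:
                return "privileged"
            raise
    return "free"


def occupy_port(host: str = "127.0.0.1") -> tuple:
    """Open a listener on an ephemeral port so the check can be exercised locally.

    Returns (socket, port). Close the socket to release the port. This stands in
    for a real service that has already claimed the port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    # Linux default from Table 3.1. Pass reserved={...} with the ports from the
    # Default Communication Ports table to also catch clashes with other SMC services.
    print("8080:", check_listen_port(8080))
    print("80:", check_listen_port(80), "(privileged port:", is_privileged_port(80), ")")
```

Run it on the server itself as the account the service will use, because a port that is free for root may be "privileged" for the service account; a "free" result does not reserve the port, so run the installer promptly afterwards.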


Installing a Log Server

To configure the Log Server installation
1. Select the Log Server’s IP address. If IP address binding is used, the Log Server’s license must be generated with this IP address as the binding.

2. Enter the IP address(es) of the Management Server(s) that control this Log Server.

3. If the components are installed on different machines and the Management Server is not reachable at the moment, deselect Certify the Log Server During the Installation to avoid connection attempts after installation. Certifying is mandatory for running the Log Server.

4. Leave Install as a Service selected to make the Log Server start automatically.

5. Click Next.

6. (Optional) Click Choose to browse to a different storage folder for log data. Remotelocations are not suitable for active storage, as quick and reliable access is required.

7. Click Next.

What’s Next? Proceed to the next applicable section according to the components you are installing:
• Installing a Web Portal Server.
• Installing an Authentication Server (page 25).
• Finishing the Installation (page 26).

Installing a Web Portal Server

Note – Make sure you have a license for the Web Portal Server before installing it. The Web Portal Server is an optional component and is not included in standard Security Management Center licenses. You can use the Previous button to return to component selection.

To configure the Web Portal Server installation
1. Select the Web Portal Server’s IP address. If IP address binding is used, the Web Portal Server’s license must be generated with this IP address as the binding.

2. Enter the IP address(es) of the Management Server(s) that control this Web Portal Server.

3. If the components are installed on different machines and the Management Server is not reachable at the moment, deselect Certify the Web Portal Server During the Installation to avoid connection attempts after installation. Certifying is mandatory for running the Web Portal Server.

4. Enter the IP address of the Log Server to which this Web Portal Server sends its log data.

5. Leave Install as a Service selected to make the Web Portal Server start automatically.

6. Click Next.

What’s Next? Proceed to the next applicable section according to the components you are installing:
• Installing an Authentication Server (page 25).
• Finishing the Installation (page 26).


Installing an Authentication Server

If you are installing a single node Authentication Server on a different computer than the Management Server, or you are installing an Authentication Server cluster, you must define the Authentication Server element and install the correct licenses in the Management Client before installing the Authentication Server node(s). See Integrating Authentication Server Services in the McAfee SMC Administrator’s Guide or the Management Client Online Help.

Note – Make sure you have a license for the Authentication Server before installing it. The Authentication Server is an optional component and is not included in standard Security Management Center licenses. You can use the Previous button to return to component selection.

To configure the Authentication Server installation
1. Select the Authentication Server’s IP address.

2. Enter the IP address(es) of the Management Server(s) that control this Authentication Server.

3. If you are installing the components on different machines and the Management Server is not reachable at the moment, deselect Certify the Authentication Server During the Installation to avoid connection attempts after installation. Certifying is mandatory for running the Authentication Server and for installing the second node of a cluster.

4. Enter the IP address of the Log Server to which this Authentication Server sends its log data.

5. Leave Install as a Service selected to make the Authentication Server start automatically.

6. Click Next.

What’s Next? Proceed to Finishing the Installation (page 26).


Installing in Demo Mode
The Demo Mode installation creates a simulated network environment for evaluation.

Note – Demo Mode installation is for evaluation only. A Security Management Center in Demo Mode cannot be used with any traffic inspection engines and cannot be upgraded.

To install in Demo Mode
1. Select the type of demo to install:
• Use a standard backup to simulate a preconfigured environment.
• Select your own backup file to create the simulation based on your own backup.

2. (Custom backup file only) Click Choose and browse to the location of the backup file.

3. Click Next. A description of the Demo Mode installation is displayed.

4. Click Next. The Pre-Installation Summary is displayed.

5. Click Install. The installation starts.

6. When the installation finishes, click Next.

7. Click Done to close the installer. The Security Management Center starts up automatically in the background.

What’s Next? The simulated environment is now ready for testing. Proceed to Logging in to the Security Management Center (page 28).

Finishing the Installation
This is the last chance to cancel or make changes by clicking Previous.

Caution – If you are installing any server components as a service on a Windows system, make sure the Services window is closed before you proceed.

To finish the installation
1. Check that the information in the Pre-Installation Summary is correct and click Install to install the selected components.
• Depending on the options you selected, you may be prompted to generate certificates during the installation. If this happens, see To generate a certificate for an SMC server (page 32).

2. Click Done to close the installer.

Note – If any Log Server, Web Portal Server, or Authentication Server certificate was not retrieved during the installation, a certificate must be retrieved manually before the server can be started. See To manually certify a Server (page 32).


Starting the SMC After Installation

Proceed through the listed sections in order to start the Security Management Center for the first time:

1. Starting the Management Server

2. Starting the Management Client

3. Logging in to the Security Management Center (page 28)

4. Installing Licenses (page 29)

5. Binding Management Server POL-Bound Licenses to Servers (page 30)

6. Starting the Log Server, Web Portal Server, and Authentication Server (page 30)

Starting the Management Server
If the Management Server has been installed as a service, it should start automatically both after the installation and during the operating system boot process. In Windows, the McAfee NGFW Management Server service is controlled in the Services window, which can be found in the Windows Control Panel under the Administrative Tools category.

If the Management Server is installed as a service and has successfully started, proceed to Starting the Management Client. Otherwise, start the Management Server manually as explained below.

To start a Management Server that is not installed as a service
• In Windows, use the shortcut icon in the location you selected during installation or run the script <installation directory>/bin/sgStartMgtSrv.bat.
• In Linux, run the script <installation directory>/bin/sgStartMgtSrv.sh.

Starting the Management Client

To start a locally installed Management Client
• In Windows, use the shortcut icon in the location you selected during installation or run the script <installation directory>/bin/sgClient.bat.
• In Linux, run the script <installation directory>/bin/sgClient.sh. A graphical environment is needed for the Management Client.

What’s Next? Logging in to the Security Management Center (page 28)


Logging in to the Security Management Center
The Management Client connects to the Management Server and to Log Servers. See Default Communication Ports (page 89) for a list of the ports used.

In Demo Mode, use the following credentials to log in to one of the default scenarios:
• User Name: demo
• Password: demo
• Server Address: 127.0.0.1

To log in to the Security Management Center
1. Type in the user name and password for the Administrator you defined during the Management Server installation.

2. Enter the Management Server’s IP address or DNS name.
• If you connect to the Management Server from an external network, the Management Server’s IP address may be translated using NAT.

3. Leave Remember Server Address selected if you want the Management Client to add the address permanently in the Server Address list.

4. Click Login.

Tip – You can access the Management Client Online Help in the Login window or any other window in the Management Client by pressing the F1 key.

Accepting the Management Server Certificate
A certificate dialog is displayed when the Management Client contacts any Management Server for the first time. As a precaution, you can make sure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained below. Until you have compared the fingerprint, the client is trusting whatever certificate answered on the network, so read the fingerprint on the Management Server itself (or obtain it over a channel you already trust) rather than over the connection you are verifying.

To check the Certificate Authority fingerprint
1. View the Management Server fingerprint on the Management Server:

• In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs→McAfee Security Management Center→Show Fingerprint) or run the script <installation directory>/bin/sgShowFingerPrint.bat.

• In Linux, run the script <installation directory>/bin/sgShowFingerPrint.sh.

2. If the fingerprint matches, click Accept. The Management Client opens.
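The comparison above is the only thing that protects the first Management Client connection, and it goes wrong in two mundane ways: the value on the server console and the value in the dialog are formatted differently (colons, spaces, upper or lower case), or only the first few bytes get compared. The Python below is an added example, not part of this guide or of the product, of computing a certificate fingerprint from an exported PEM file and comparing a value read off a screen against one typed in, tolerating separators and case while rejecting truncated or malformed values. It assumes the fingerprint is a hex SHA-1 or SHA-256 digest of the DER-encoded CA certificate; the guide does not state the algorithm, so treat that as an assumption and check it against what sgShowFingerPrint prints. The PEM sample is constructed bytes, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length -> hash name. Any other length is a typo or a truncated copy.
KNOWN_DIGEST_LENGTHS = {40: "sha1", 64: "sha256"}

# Constructed sample: the base64 of the bytes b"abc" wrapped in PEM armour so the
# parsing path can be exercised. It is NOT a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body to the DER bytes that get hashed."""
    body = re.sub(r"-----(BEGIN|END)[^\n]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated lowercase hex digest of the DER bytes, e.g. 'a9:99:3e:...'."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Drop the separators people type (colons, spaces, dashes) and fold case.

    Characters that are not hex digits are NOT silently dropped; a value
    containing them fails the hex check in fingerprints_match.
    """
    return re.sub(r"[\s:\-]", "", text.strip()).lower()


def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare the fingerprint shown in the dialog with the one read on the server.

    Returns False for anything that is not a full, well-formed digest, so a
    partial comparison (first few bytes only) can never pass by accident.
    """
    a, b = normalize_fingerprint(shown), normalize_fingerprint(expected)
    if not (re.fullmatch(r"[0-9a-f]+", a) and re.fullmatch(r"[0-9a-f]+", b)):
        return False
    if len(a) not in KNOWN_DIGEST_LENGTHS or len(a) != len(b):
        return False
    # Constant-time comparison: not needed for a human check, but the right
    # habit anywhere digests are compared in code.
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1  :", fingerprint(der, "sha1"))
    print("SHA-256:", fingerprint(der, "sha256"))
    # Value as an administrator might copy it from the server console.
    typed = "A9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D"
    print("match:", fingerprints_match(typed, fingerprint(der, "sha1")))
```

If sgShowFingerPrint prints a digest whose length is not 40 or 64 hex digits, the product uses a different algorithm or encoding than this example assumes; extend KNOWN_DIGEST_LENGTHS accordingly rather than loosening the length check.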


Installing Licenses
The Security Management Center servers require licenses to become operational. To obtain licenses, see Obtaining License Files (page 16). You can install licenses even before the components are installed.

If you do not have a valid Management Server license, you are notified with a message when you log in. If the message appears after licensing, make sure the licensed IP addresses are correct and active on the server when the Management Server service starts up.

To install licenses through the License Information message
Click Continue and select the license file(s) in the dialog that opens.

What’s Next? If the message is not shown, install the licenses as explained below. Otherwise, proceed to the task To check that the licenses were installed correctly (page 29).

To install licenses
1. Select File→System Tools→Install Licenses. A file browser dialog opens.

2. Select the license files and click Install.

To check that the licenses were installed correctly
1. Select Configuration→Configuration→Administration. The Administration Configuration view opens.

2. Expand the Licenses branch and select All Licenses.

3. Check that all licenses you installed are listed here.

What’s Next? If you have Log Server, Web Portal Server, or Authentication Server licenses that are bound to the Management Server’s POL code, proceed to Binding Management Server POL-Bound Licenses to Servers (page 30). Otherwise, continue by Starting the Log Server, Web Portal Server, and Authentication Server (page 30).


Binding Management Server POL-Bound Licenses to Servers
You must bind Management Server POL-bound licenses for Log Servers, Authentication Servers, and Web Portal Servers to specific Server elements.

To bind a Management Server POL-bound license to a server
1. Select Configuration→Configuration→Administration. The Administration Configuration view opens.

2. Browse to Licenses→Servers. Installed licenses appear in the right panel.

3. Right-click a Management Server POL-bound license and select Bind. The Select License Binding dialog opens.

4. Select the correct server from the list.

5. Click Select. The license is now bound to the selected Log Server, Web Portal Server, or Authentication Server element.
• If you bound the license to an incorrect element, right-click the license and select Unbind.

Starting the Log Server, Web Portal Server, and Authentication Server
If the Log Server, Web Portal Server, and Authentication Server have been installed as a service, the servers are started automatically during the operating system boot process. However, if the operating system is rebooted and the servers do not yet have a license, you may need to start them as explained here.

• If you installed the Log Server, Web Portal Server, or Authentication Server as a service, you can start or stop the server manually in Windows through the Services window.

• In other cases, you can start the Log Server, Web Portal Server, or Authentication Server manually as explained in Starting Servers Manually (page 31).

Note – The license is permanently bound to the Log Server, Web Portal Server, or Authentication Server when the server is started for the first time. A permanently bound license cannot be re-bound to a different Log Server, Web Portal Server, or Authentication Server without re-licensing or deleting the Log Server, Web Portal Server, or Authentication Server element that the license is bound to. Until you do that, the unbound license is shown as Retained.


Starting Servers Manually
To start the Log Server, Web Portal Server, or Authentication Server manually, run the scripts in a console window. Read the console messages for information on the progress. Closing the console stops the service.

To start the Log Server, Web Portal Server, or Authentication Server manually
Run one of the following scripts in Windows or in Linux depending on the server type:

Log Server
Windows: <installation directory>/bin/sgStartLogSrv.bat
Linux: <installation directory>/bin/sgStartLogSrv.sh

Web Portal Server
Windows: <installation directory>/bin/sgStartWebPortalServer.bat
Linux: <installation directory>/bin/sgStartWebPortalServer.sh

Authentication Server
Windows: <installation directory>/bin/sgStartAuthSrv.bat
Linux: <installation directory>/bin/sgStartAuthSrv.sh

What’s Next? If you have started all servers successfully, proceed to After the Security Management Center is Installed (page 33). If you have trouble starting the server, see If the Log Server, Web Portal Server, or Authentication Server Fails to Start (page 31).

If the Log Server, Web Portal Server, or Authentication Server Fails to Start
If the Log Server, Web Portal Server, or Authentication Server does not start automatically as a service, do the following:

1. Try starting the server manually as explained in the previous section to see if there is some error displayed on the console.

2. Check that licenses are correctly bound to components as explained in the tasks To check that the licenses were installed correctly (page 29) and To bind a Management Server POL-bound license to a server (page 30).

3. Make sure that the server has a valid certificate for secure system communications. If there are certificate-related problems or problems you are not able to identify, try (re)generating the certificate as explained below.


Generating Server Certificates

Note – If the Management Server is not running, see Starting the Management Server (page 27).

To manually certify a Server
Run one of the following scripts in Windows or in Linux depending on the server type:

Log Server
Windows: <installation directory>/bin/sgCertifyLogSrv.bat
Linux: <installation directory>/bin/sgCertifyLogSrv.sh

Web Portal Server
Windows: <installation directory>/bin/sgCertifyWebPortalServer.bat
Linux: <installation directory>/bin/sgCertifyWebPortalServer.sh

Authentication Server
Windows: <installation directory>/bin/sgCertifyAuthSrv.bat
Linux: <installation directory>/bin/sgCertifyAuthSrv.sh

To generate a certificate for an SMC server
1. Enter the user name and password for the account you created during the Management Server installation (other accounts with unrestricted permissions can also be used).

2. Click Accept to accept the certificate fingerprint of the Management Server’s Certificate Authority. As a precaution, you can make sure that the communication really is with your Management Server as explained in To check the Certificate Authority fingerprint (page 28). The Server Selection dialog opens.

3. (Log Server or Web Portal Server only) Identify the component that you want to certify:
• If the server element that represents the component is listed, select it.
• If the name of a server element is followed by “recommended”, this means that the component ID of the server element matches the ID of the component that you are certifying. It is strongly suggested that you select the recommended server element.
• If the correct server element is not listed, select Create a New Log Server or Create a New Web Portal Server and enter a Name. This name is shown in the Management Client.

Caution – If a server element is shown as “recommended” it is strongly suggested that you select it when you are certifying the component. Selecting a server element that is not the recommended server element may cause serious problems (for example, the server’s log data or the monitoring status of the server is displayed incorrectly).

4. (Authentication Server only) Identify the component that you want to certify:
• If the server element that represents the component is listed, select it.
• If the correct server element is not listed, select Create a New Authentication Server and enter a Name. This name is shown in the Management Client.
• If you are installing the second node of an existing Authentication Server, select Create a New Authentication Server Node in an Existing Cluster and select the Authentication Server to which you want to add the node.

5. Click OK.

What’s Next? Start the Log Server, Web Portal Server, and Authentication Server as described in Starting the Log Server, Web Portal Server, and Authentication Server (page 30), then proceed to After the Security Management Center is Installed (page 33).

The Authentication Server installation is complete. Proceed to After the Security Management Center is Installed (page 33).

After the Security Management Center is Installed

• If you want to install an additional Management Server, proceed to Configuring Additional Management Servers.

• If you configured in the Installation Wizard that the Management Server can distribute Management Clients through Java Web Start and you want to test Web Start distribution, proceed to Accessing the Web Start Management Clients (page 46).

• If you want to allow administrators to install Management Clients through Web Start, or you want to modify the Web Start Server settings, proceed to Distributing Management Clients Through Web Start (page 43).

• If NAT is applied to communications between any SMC components, proceed to Configuring NAT Addresses for SMC Components (page 47).

• If you installed an Authentication Server, continue by Applying the Authentication Server Configuration (page 36).

• Otherwise, you are ready to configure the Firewall, IPS, and Layer 2 Firewall element(s) in the Management Client. The elements must be configured before installing the physical engines. See the McAfee NGFW Installation Guide for Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles for more information.


Configuring Additional Management Servers

You can optionally install one or more additional Management Servers. This requires a special Management Server license for multiple Management Servers. Only one Management Server at a time can be used as an active Management Server to configure and manage the system. Additional Management Servers allow controlling the system without delays and without loss of configuration information if the active Management Server is damaged, loses power, or becomes otherwise unusable. Configuration data is automatically replicated between the Management Servers.

This section guides you through the installation using a graphical user interface. For command line installation, see Non-Graphical Installation (page 37).

Overview
1. If you have not yet installed a license for the additional Management Server(s), install the license. See Installing Licenses for Additional Management Servers.

2. Install the additional Management Server(s) using the Installation Wizard. See Installing Additional Management Servers (page 34).

Installing Licenses for Additional Management Servers
To use additional Management Servers, you must have a special Management Server license that lists the IP addresses of all the Management Servers within the same SMC. You must install the license in the Management Client before installing the additional Management Server(s).

If you do not yet have the license, generate the license at the McAfee web site after receiving the Proof-of-License (see Obtaining License Files (page 16)), and then install the license as described in Installing Licenses (page 29).

Installing Additional Management Servers

To install an additional Management Server
1. Start the installation in one of the following ways:
• From a .zip file: unzip the file and run setup.exe on Windows or setup.sh on Linux.
• From a DVD: insert the installation DVD and run the setup executable from the DVD:

Operating System Path to Executable

Windows 32-bit \McAfee_SMC_Installer\Windows\setup.exe

Windows 64-bit \McAfee_SMC_Installer\Windows-x64\setup.exe

Linux 32-bit /McAfee_SMC_Installer/Linux/setup.sh

Linux 64-bit /McAfee_SMC_Installer/Linux-x64/setup.sh

Note – If the DVD is not automatically mounted in Linux, mount the DVD with “mount /dev/cdrom /mnt/cdrom”.


2. Proceed according to the instructions in the Installation Wizard until you are prompted to select which components you want to install.

Note – We do not recommend selecting C:\Program Files\McAfee\Security Management Center as the installation directory in Windows. Selecting C:\Program Files\McAfee\Security Management as the installation directory creates an additional C:\ProgramData\McAfee\Security Management Center folder, which duplicates some of the folders in the installation directory. Some of the program data is also stored in the C:\ProgramData\McAfee\Security Management Center folder.

3. If you also want to install a Log Server and a local Management Client on this computer, leave Typical selected and click Next. Otherwise, select Custom, select the components you want to install and click Next.

4. Select the IP address of the Management Server from the list or type it in.
• This must be the IP address defined for the corresponding Management Server element.
• The Management Server’s license must be generated using this IP address.

5. Enter the IP address of the Log Server to which the Management Server sends its log data.

6. Select Install as an Additional Management Server for High Availability.

7. (Optional) Select Enable and Configure Web Start Server if you want the Management Server to distribute the Management Client through Java Web Start.

8. (Optional) Select 256-bit Security Strength if all of the other Management Server(s) use 256-bit encryption for communication between the Management Server and the engines. This requires all engines to be version 5.5 or higher.

Caution – Select this option only if all of the other Management Server(s) use 256-bit encryption. Engines with versions lower than 5.5 and SSL VPN gateways cannot communicate with the SMC when 256-bit encryption is used for the communication between the Management Server and the engines.

9. Leave Install as a Service selected to make the Management Server start automatically.

10. Click Next and follow the instructions to start the installation. A login prompt for Replication opens.

11. Log in using an unrestricted administrator account. The Management Server Selection dialog opens.

12. Select the correct Management Server from the list or select Create a new Management Server and enter the name of the Management Server element you are creating.

13. Click OK. The databases are synchronized.

Note – If the synchronization fails, run the sgOnlineReplication script on the additional Management Server when connectivity is restored.

Repeat the steps above as necessary to install other additional Management Servers.


If there is a Firewall or Layer 2 Firewall between the first Management Server you installed and the additional Management Server(s), you must add rules that allow the communications between the servers when you define your Firewall or Layer 2 Firewall Policy.

What’s Next? If you did not configure the Web Start Server through the Installation Wizard when you installed the first Management Server and you want to allow administrators to install Management Clients through Web Start, continue to Distributing Management Clients Through Web Start (page 43).

If NAT is applied to communications between any SMC components, proceed to Configuring NAT Addresses for SMC Components (page 47).

Otherwise, you are ready to configure the Firewall, IPS, and Layer 2 Firewall element(s) in the Management Client. The elements must be configured before installing the physical engines. See the McAfee NGFW Installation Guide for Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles for more information.

Applying the Authentication Server Configuration
To make the Authentication Server operational, you must apply the configuration.

Note – If you are installing a cluster of Authentication Server nodes, apply the configuration only after creating and installing all nodes. Once the configuration has been applied to a single Authentication Server, the server cannot be converted into a cluster.

To apply the Authentication Server configuration
1. Expand Servers in the System Status view.

2. Right-click the Authentication Server and select Apply Configuration. A progress dialog opens.

3. Click Close when the operation finishes.

What’s Next? Continue the configuration of the Authentication Server in the Management Client. See the McAfee SMC Administrator’s Guide or the Management Client Online Help.


Non-Graphical Installation

In Linux, the Security Management Center can also be installed on the command line. Before installing, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity (page 15).
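The integrity check referred to above is worth doing in a way that fails closed: if the checksum does not match, setup.sh is not run. The Python below is an added example, not the guide's or the product's own code, of verifying a downloaded installer package against a published MD5 or SHA-1 checksum. It streams the file so a large installer does not have to fit in memory, picks the algorithm from the length of the published digest, and understands the `digest  filename` line format that md5sum and sha1sum write. The sample package and its checksum line are constructed for the example, and the package file name is an assumption. Two caveats the guide does not state: take the published checksum from the vendor's site over a trusted channel, not from the same mirror that served the package, and remember that MD5 and SHA-1 detect corruption but are not collision-resistant, so prefer a SHA-256 value whenever one is published (the code accepts that length too).

```python
import hashlib
import hmac
import os
import tempfile

# Length of the hex digest tells you which algorithm produced it.
ALGO_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
CHUNK_SIZE = 1024 * 1024


def file_digest(path: str, algo: str) -> str:
    """Hex digest of a file, read in chunks so a large installer is not loaded at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line: str) -> tuple:
    """Parse 'DIGEST  FILENAME' as md5sum/sha1sum write it ('*' marks binary mode).

    Returns (digest_lowercase, filename).
    """
    digest, _, name = line.strip().partition(" ")
    return digest.lower(), name.lstrip(" *")


def verify_package(path: str, expected_hex: str) -> bool:
    """True only if the file's digest equals the published one.

    The algorithm is inferred from the digest length; an unknown length raises
    rather than guessing, so a garbled checksum can never be 'verified'.
    """
    expected = expected_hex.strip().lower()
    algo = ALGO_BY_HEX_LENGTH.get(len(expected))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(expected))
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected)


def install_decision(package_path: str, checksum_line: str) -> str:
    """Decide whether setup.sh may be run: 'ok', 'filename mismatch' or 'checksum mismatch'.

    Fails closed: anything other than 'ok' means do not run the installer.
    """
    digest, name = parse_checksum_line(checksum_line)
    if name and name != os.path.basename(package_path):
        return "filename mismatch"
    return "ok" if verify_package(package_path, digest) else "checksum mismatch"


def make_sample_package(content: bytes = b"abc") -> str:
    """Write a constructed stand-in for the installer package and return its path.

    b"abc" is used because its MD5 (900150983cd24fb0d6963f7d28e17f72) and SHA-1
    (a9993e364706816aba3e25717850c26c9cd0d89d) are well-known test vectors.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "McAfee_SMC_Installer.zip")   # assumed file name
    with open(path, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    pkg = make_sample_package()
    # Constructed checksum line in sha1sum's format for the sample package.
    good = "a9993e364706816aba3e25717850c26c9cd0d89d *McAfee_SMC_Installer.zip"
    bad = "a9993e364706816aba3e25717850c26c9cd0d89e *McAfee_SMC_Installer.zip"
    print(install_decision(pkg, good))   # ok
    print(install_decision(pkg, bad))    # checksum mismatch
```

In a real run, point make_sample_package's caller at the downloaded package instead and paste the vendor's checksum line; only an "ok" result should be followed by unzipping and running setup.sh.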

To begin the non-graphical installation
1. Start the installation in one of the following ways:
• From a .zip file: unzip the file and run setup.sh.
• From a DVD: insert the installation DVD and run the setup executable from the DVD:

Linux 32-bit: /McAfee_SMC_Installer/Linux/setup.sh
Linux 64-bit: /McAfee_SMC_Installer/Linux-x64/setup.sh

Note – If the DVD is not automatically mounted in Linux, mount the DVD with “mount /dev/cdrom /mnt/cdrom”.

2. Run the command “./setup.sh -nodisplay” (the “-nodisplay” option can be omitted if there is no graphical environment running). The installer starts. You can use the following general commands at any point where the installer asks for your input:
• Type back to return to the previous step.
• Type quit to cancel the installation.

3. Press Enter to continue. The license agreement is displayed.

4. Press Enter to scroll through the license agreement and accept by typing Y. You are prompted to select the installation directory.

5. Press Enter to install in the default installation directory or specify a different directory and press Enter to continue.
• If you specify a different directory, you are prompted to confirm it.
• A reminder to verify the hosts file is displayed.

6. Press Enter to continue. You are prompted to select the link location for shortcuts to the most commonly used command line tools.

7. Press Enter to create links in the default directory or select one of the other options and press Enter to continue. You are prompted to select the type of installation.

8. Select the Install Set:
• Press Enter to install all Security Management Center components except the Web Portal Server.
• Enter 2 and press Enter to install only the Management Client.
• Enter 3 and press Enter to install a simulated network environment for evaluation in Demo Mode.
• Enter 4 and press Enter to install a custom selection of components.

Note – You need a graphical environment to use the Management Client. It cannot be run on the command line. Only the SMC server components can be run in a command line-only environment.


9. (Customized installation only) Enter a comma-separated list of numbers for the components you want to select or deselect and press Enter.
• Entering the number of a selected component deselects it.
• Entering the number of a component that is not selected selects it.
• By default, the Management Server, Log Server, and Management Client are selected.

Example To install only the Web Portal Server, type 1,2,3,4 and press Enter.

You are prompted to review and confirm the component selection.

10. Press Enter to continue.

What’s Next? Proceed to the next applicable section according to the components you are installing:
• Configuring the Management Server in a Non-Graphical Installation
• Configuring the Log Server in a Non-Graphical Installation (page 40)
• Configuring the Web Portal Server in a Non-Graphical Installation (page 41)
• Configuring the Authentication Server in a Non-Graphical Installation (page 41)

Configuring the Management Server in a Non-Graphical Installation

To configure the Management Server in a non-graphical installation

1. Press Enter to use the default IP address for the Management Server or enter a different IP address and press Enter to continue. You are prompted to enter the IP address of the Log Server to which the Management Server sends its log data.

2. Press Enter to use the default IP address for the Log Server or enter a different IP address and press Enter to continue. You are prompted to select whether to install the Management Server as an additional Management Server for high availability.

3. Type Y to install the Management Server as an additional Management Server for high availability or N to install the Management Server as a stand-alone Management Server.

4. Press Enter to continue. You are prompted to select whether to enable and configure a Web Start Server.

5. Type Y to enable and configure Web Start or type N and proceed to Step 8.

6. (Web Start only) Enter the Host Name that the Web Start service uses or leave the option blank to allow requests to any of the server’s host names. Press Enter to continue.

7. (Web Start only) Enter the TCP Port Number that the service listens to. By default, the standard HTTP port 80 is used on Windows and 8080 on Linux (which does not allow the use of reserved ports for this type of service).

Note – Make sure the listening port is not in use on the server. For ports reserved for Security Management Center services, see Default Communication Ports (page 89).


8. Press Enter to continue. You are prompted to select whether to enable 256-bit security strength for communication between the Management Server and the engines. This requires all engines to be version 5.5 or higher.

9. Type Y to enable 256-bit security strength or N to use the default security strength.

10. Press Enter to continue. You are prompted to select whether to install the Management Server as a service.

11. Type Y to install the Management Server as a service or N if you always want to start the Management Server manually.

12. Press Enter to continue. If you enabled 256-bit security strength, a warning about the compatibility of 256-bit security strength is displayed.

13. (256-Bit Security Strength only) Press Enter to continue or type back and start the Management Server configuration again from Step 1 to disable 256-bit security strength.

Caution – Engines with versions lower than 5.5 and SSL VPN gateways cannot communicate with the SMC when 256-bit encryption is used for the communication between the Management Server and the engines.

What’s Next? Proceed to the next applicable section according to the components you are installing:
• Configuring the Log Server in a Non-Graphical Installation (page 40)
• Configuring the Web Portal Server in a Non-Graphical Installation (page 41)
• Configuring the Authentication Server in a Non-Graphical Installation (page 41)

Otherwise, press Enter to start the installation. When the installation is finished, proceed to Starting the SMC After Installation (page 27).


Configuring the Log Server in a Non-Graphical Installation

To configure the Log Server in a non-graphical installation

1. Press Enter to use the default IP address for the Log Server or enter a different IP address and press Enter to continue. You are prompted to enter the IP address(es) of the Management Server(s) that will control the Log Server.

2. Press Enter to use the default IP address for the Management Server or enter different IP address(es) and press Enter to continue. You are prompted to enter the port on which the Log Server will receive data.

3. Press Enter to use the default port or enter a different port and press Enter to continue. You are prompted to select whether to install the Log Server as a service.

4. Type Y to install the Log Server as a service or N if you always want to start the Log Server manually.

5. Press Enter to continue. You are prompted to select the directory for log files.

6. Press Enter to use the default directory or specify a different directory and press Enter to continue.

What’s Next? Proceed to the next applicable section according to the components you are installing:
• Configuring the Web Portal Server in a Non-Graphical Installation (page 41)
• Configuring the Authentication Server in a Non-Graphical Installation (page 41)

Otherwise, press Enter to start the installation. When the installation is finished, proceed to Starting the SMC After Installation (page 27).


Configuring the Web Portal Server in a Non-Graphical Installation

To configure the Web Portal Server in a non-graphical installation

1. Press Enter to use the default IP address for the Web Portal Server or enter a different IP address and press Enter to continue. You are prompted to enter the IP address(es) of the Management Server(s) that will control the Web Portal Server.

2. Press Enter to use the default IP address for the Management Server or enter different IP address(es) and press Enter to continue. You are prompted to enter the IP address of the Log Server.

3. Press Enter to use the default IP address for the Log Server or enter a different IP address and press Enter to continue. You are prompted to select whether to install the Web Portal Server as a service.

4. Type Y to install the Web Portal Server as a service or N if you always want to start the Web Portal Server manually.

5. Press Enter to continue.

What’s Next? If you are installing an Authentication Server, continue by Configuring the Authentication Server in a Non-Graphical Installation. Otherwise, press Enter to start the installation. When the installation is finished, proceed to Starting the SMC After Installation (page 27).

Configuring the Authentication Server in a Non-Graphical Installation

To configure the Authentication Server in a non-graphical installation

1. Press Enter to use the default IP address for the Authentication Server or enter a different IP address and press Enter to continue. You are prompted to enter the IP address(es) of the Management Server(s) that will control the Authentication Server.

2. Press Enter to use the default IP address for the Management Server or enter different IP address(es) and press Enter to continue. You are prompted to enter the IP address of the Log Server.

3. Press Enter to use the default IP address for the Log Server or enter a different IP address and press Enter to continue. You are prompted to select whether to install the Authentication Server as a service.

4. Type Y to install the Authentication Server as a service or N if you always want to start the Authentication Server manually.

5. Press Enter to continue.

6. Press Enter to start the installation.

What’s Next? When the installation is finished, proceed to Starting the SMC After Installation (page 27).


CHAPTER 4

DISTRIBUTING MANAGEMENT CLIENTS THROUGH WEB START

The Management Client can be distributed through Java Web Start. This eliminates the need for each administrator to upgrade their client when the SMC is upgraded to a new version (the version of the client must always match the version of the respective server).

The following sections are included:

Getting Started with Web Start Distribution (page 44)
Distributing Management Clients From the SMC Servers (page 44)
Distributing Management Clients From a Separate Server (page 45)
Accessing the Web Start Management Clients (page 46)


Getting Started with Web Start Distribution

In addition to installing Management Clients on a local workstation, you can also distribute them through Java Web Start. Management Clients distributed with Web Start have the same set of features as clients installed on a local workstation, but when you upgrade, Web Start automatically downloads the new version when the user logs in to the Management Client through a web browser.

There are two ways to configure Web Start access:

• You can activate an internal web server on the Management Server (the server distributes only Web Start Management Clients). There is no need for manual installation or upgrade.

• You can use a separate web server or network drive for distributing the clients. You must install Web Start files manually and reinstall them at each SMC version upgrade.

Distributing Management Clients From the SMC Servers

This section guides you through the steps to take if you have not already configured the Web Start Server through the Installation Wizard, or if you want to configure additional settings for the Web Start Server. If you want to use a different server as a Web Start Server, see Distributing Management Clients From a Separate Server (page 45).

To enable a Web Start Server

1. Select Monitoring→System Status. The System Status view opens.

2. Expand the Servers branch.

3. Right-click a Management Server and select Properties. The Properties dialog opens.

4. Switch to the Web Start tab.

5. Select Enable. The Web Start Server options are enabled.

6. (Optional) Enter the Host Name that the Web Start service uses.

7. (Optional) Enter the (TCP) Port Number that the service listens to.
• By default, the standard HTTP port 80 is used on Windows and 8080 on Linux (which does not allow the use of reserved ports for this type of service).

8. (Optional) If the Management Server has several addresses and you want to restrict access to one address, specify the IP address to use in the Listen Only on Address field.

9. (Optional) Select Generate Server Logs if you want to log all file load events for further analysis with external web statistics software.

10. Click OK.

Note – Make sure the listening port is not in use on the server. For ports reserved for Security Management Center services, see Default Communication Ports (page 89).

What’s Next? Distributing Management Clients From the SMC Servers. Distributing Management Clients From a Separate Server (page 45).

Distributing Management Clients From a Separate Server

If you do not want to use the Management Server as a Web Start Server, you can put the Web Start package on a web server.

The Web Start package can also be put on a shared network drive. The path to the Web Start files, including the drive letter, must be the same for all administrators who use that particular version of the installation package. If the network drive paths vary, consider putting the package on a web server instead.

To install the Web Start package

1. Browse to McAfee_SMC_Installer→Webstart on the installation DVD.

2. Copy all files and all directories from the Webstart directory on the installation DVD to the directory where you want the Web Start files to be served.

3. On the command line, change to the directory where the Web Start files are located on your server.

4. Run the Web Start setup script and give the URL or the path of the directory where the Web Start files are located on your server as the parameter:
• Windows: cscript webstart_setup.vbs <web start directory>
• Linux: run webstart_setup.sh <web start directory>

Table 4.1 Example Web Start Paths

Installation on   Example Web Start Directory
Web server        http://www.example.com/webstart/
Network drive     file://localhost/c:/webstart/

5. If necessary, modify the configuration of the web server to return the appropriate MIME type for .jnlp files (application/x-java-jnlp-file). Consult the manual of your web server for instructions on how to configure the MIME type.

6. Delete the webstart_setup.vbs and webstart_setup.sh files from the directory.

Note – You must delete the existing Web Start files and install a new Web Start package according to these instructions each time you upgrade the Security Management Center. Otherwise, any administrators who use Management Clients that are installed through Web Start are not able to log in.

Caution – The Web Start installation creates an index.html file in the installation directory. Any existing index.html file will be overwritten. We strongly recommend creating a new directory for the Web Start files.

What’s Next? Test the Web Start Management Client as explained in Accessing the Web Start Management Clients (page 46).
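An added post-deployment check for the procedure above, written in Python for this guide (it is not McAfee's webstart_setup script or any other code from the product). It assumes the setup script stores the URL given as its parameter in the JNLP codebase attribute, and it builds constructed sample directories to check against.

```python
"""Check a Web Start directory deployed on a separate web server or network drive.

Added example; it is not part of the McAfee SMC guide and not McAfee's
webstart_setup script. It verifies what this section requires once the
package has been copied and the setup script run: the webstart_setup.vbs
and webstart_setup.sh files have been deleted, index.html exists, and every
.jnlp file carries the codebase URL that was passed to the setup script.
That the setup script writes the served URL into the JNLP codebase
attribute is an assumption made here; the sample files are constructed.
"""
from __future__ import annotations

import os
import tempfile
import xml.etree.ElementTree as ET

SETUP_SCRIPTS = ("webstart_setup.vbs", "webstart_setup.sh")


def check_webstart_dir(directory: str, expected_codebase: str) -> list[str]:
    """Return findings for `directory`; an empty list means it passes."""
    findings: list[str] = []
    for script in SETUP_SCRIPTS:
        if os.path.exists(os.path.join(directory, script)):
            findings.append(f"setup script still present: {script}")
    if not os.path.exists(os.path.join(directory, "index.html")):
        findings.append("index.html missing (webstart_setup not run in this directory?)")
    jnlp_files = sorted(f for f in os.listdir(directory) if f.endswith(".jnlp"))
    if not jnlp_files:
        findings.append("no .jnlp files found")
    want = expected_codebase.rstrip("/")
    for name in jnlp_files:
        try:
            root = ET.parse(os.path.join(directory, name)).getroot()
        except ET.ParseError as exc:
            findings.append(f"{name}: not well-formed XML ({exc})")
            continue
        # A stale codebase (left over from an earlier deployment) makes the
        # client fetch the old package, which the Note above warns about.
        have = (root.get("codebase") or "").rstrip("/")
        if have != want:
            findings.append(f"{name}: codebase {have!r} does not match {want!r}")
    return findings


# Minimal JNLP document, constructed for the example.
JNLP_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<jnlp spec="1.0+" codebase="{codebase}" href="smc.jnlp">'
    "<information><title>Management Client</title></information></jnlp>"
)


def _write(directory: str, name: str, text: str) -> None:
    with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> tuple[list[str], list[str]]:
    """Build one stale and one correct deployment in temp dirs (constructed) and check both."""
    served = "http://www.example.com/webstart/"
    with tempfile.TemporaryDirectory() as stale, tempfile.TemporaryDirectory() as good:
        # Stale: leftover setup script, JNLP from an older deployment under
        # another URL, and no index.html.
        _write(stale, "webstart_setup.sh", "#!/bin/sh\n")
        _write(stale, "smc.jnlp",
               JNLP_TEMPLATE.format(codebase="http://old.example.com/webstart/"))
        # Good: setup scripts removed, index.html generated, JNLP points at the served URL.
        _write(good, "index.html", "<html></html>")
        _write(good, "smc.jnlp", JNLP_TEMPLATE.format(codebase=served))
        return check_webstart_dir(stale, served), check_webstart_dir(good, served)


if __name__ == "__main__":
    stale_findings, good_findings = demo()
    print("stale deployment:", *stale_findings, sep="\n  ")
    print("good deployment:", good_findings)
```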

Accessing the Web Start Management Clients

After the Web Start package is installed on a web server or a network drive or the Management Server has been enabled as a Web Start Server, the administrators can install the Management Client using the Web Start package.

To be able to use the Web Start Management Client, there must be a current version of Java Runtime Environment (JRE) installed (the required version is shown on the example login page provided).

To access the Web Start Management Clients

1. Enter the Web Start download page address in your web browser: http://<server address>:<port>
• :<port> is only needed if the server is configured to run on a different port from the HTTP standard port 80.

2. Click the link for the Web Start Management Client.
• Web Start automatically checks if the version on the server is already installed on your local computer. If not, the new client is automatically installed on your computer. This is done each time the client is started this way, automatically upgrading your client installation whenever needed without any action from you.

•The client starts and displays the login dialog.

3. Log in with your account credentials.

Note – If Web Start access is required through the firewall, you must allow these connections in your firewall’s policy. They are not allowed by default.

What’s Next? If NAT is applied to communications between any system components, proceed to Configuring NAT Addresses for SMC Components (page 47). Otherwise, you are ready to configure the Firewall, IPS, and Layer 2 Firewall element(s) in the Management Client. You must configure the elements before installing the physical engines. See the McAfee NGFW Installation Guide for Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles for more information.


CHAPTER 5

CONFIGURING NAT ADDRESSES FOR SMC COMPONENTS

This chapter describes the steps needed to configure Locations and contact addresses when NAT (network address translation) is applied to the communications between any of the SMC components.

The following sections are included:

Getting Started with Configuring NAT Addresses for SMC Components (page 48)
Defining Locations (page 49)
Adding SMC Server Contact Addresses (page 50)
Setting the Management Client’s Location (page 51)


Getting Started with Configuring NAT Addresses for SMC Components

If there is network address translation (NAT) between communicating SMC components, the translated IP address may have to be defined for system communications. All communications between the SMC components are presented as a table in Default Communication Ports (page 89).

You use Location elements to configure SMC components for NAT. There is a Default Location to which all elements belong if you do not assign them to a specific Location. If NAT is applied between two SMC components, you must separate them into different Locations and then add a contact address for the component that needs to be contacted.

You can define a Default contact address for contacting an SMC component (defined in the Properties dialog of the corresponding element). The component’s Default contact address is used in communications when SMC components that belong to another Location contact the component and the component has no contact address defined for its Location.

Illustration 5.1 An Example Scenario for Using Locations

In the example scenario above, the same Management Server and Log Server manage SMC components both at a company’s headquarters and at the branch office.

NAT could typically be applied at the following points:

• The firewall at the headquarters or an external router may provide the SMC servers external IP addresses on the Internet. The external addresses must be defined as contact addresses so that the SMC components at the branch offices can contact the servers across the Internet.

• The branch office firewall or an external router may provide external addresses for the SMC components at the branch office. In this case, the external IP addresses must also be defined as contact addresses so that the Management Server can contact the components.

When contact addresses are needed, it may be enough to define a single new Location element, for example, for the branch office, and to group the SMC components at the branch office into the “Branch Office” Location. The same Location element could also be used to group together SMC components at any other branch office when they connect to the SMC servers at the headquarters.

To be able to view logs, the administrators at the branch office must select the “Branch Office” Location in the Management Client.

[Illustration 5.1 diagram: Headquarters Location (Management/Log Server, Firewall, IPS, Intranet) and Branch Office Location (Firewall, IPS, Intranet), connected through the Internet]


Configuration Overview

1. Define Location element(s). See Defining Locations.

2. Define contact addresses for the Management Server(s), Log Server(s), and the optional Authentication Server. See Adding SMC Server Contact Addresses (page 50).

3. Select the Location for your Management Client. See Setting the Management Client’s Location (page 51).

4. Select the Locations for Firewall, IPS, and Layer 2 Firewall engines when you create the engine elements. See the McAfee NGFW Installation Guide for Firewall/VPN Role and McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles.

Defining Locations

The first task is to group the SMC components into Location elements based on which components are on the same side of a NAT device. The elements that belong to the same Location element always use the primary IP address (defined in the Properties dialog of the element) when contacting each other.

To create a new Location element

1. Select Configuration→Configuration→Administration. The Administration Configuration view opens.

2. Expand the Other Elements branch.

3. Right-click Locations and select New Location. The Location Properties dialog opens.

4. Enter a Name.

5. Select the element(s) and click Add.

6. Click OK.

7. Repeat Steps 1-4 to create other Locations as necessary.

What’s Next? If your Management Server, Log Server, or Authentication Server needs a contact address, proceed to Adding SMC Server Contact Addresses (page 50). Otherwise, you are ready to configure the Firewall, IPS, and Layer 2 Firewall element(s) in the Management Client. You must configure the elements before installing the physical engines. See the McAfee NGFW Installation Guide for Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles for more information.


Adding SMC Server Contact Addresses

The Management Server and Log Server can have more than one contact address for each Location. If you have additional Management Servers or Log Servers, you must define two or more contact addresses per Location. Multiple contact addresses are required so that remote components can connect to a Management Server or a Log Server even if one of the Management Servers or Log Servers fails. You must also define two or more contact addresses per Location if you have configured Multi-Link, so that remote components can connect to the server(s) even if a NetLink goes down.

Each Authentication Server node can have a single contact address for each Location.

To define Management Server and Log Server contact addresses

1. Right-click a server and select Properties. The Properties dialog for that server opens.

2. Select the Location of the server.

3. If necessary, edit the contact address(es).
• A Default contact address is automatically entered based on the element properties.
• If the server has multiple Default contact addresses, separate the addresses with commas.
• If necessary, click Exceptions to define other contact addresses for specific Locations.

4. Click OK.

Repeat Steps 1-4 to define the contact addresses for other Management Servers or Log Servers as necessary.

Note – Elements that belong to the same Location element always use the primary IP address when contacting each other instead of any contact addresses. Elements that do not belong to a specific Location are considered to belong to the Default Location.
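As an added example (not from the guide or from McAfee), the address-selection rules described in Getting Started and in the Note above, expressed in Python with constructed element names and IP addresses for the scenario in Illustration 5.1. It models the same-Location rule, Location-specific Exceptions, the Default contact address fallback, comma-separated multiple addresses for HA servers and Multi-Link, and the Default Location for unassigned elements, exactly as this chapter describes them.

```python
"""Which address does one SMC component use to reach another across NAT?

Added example; it is not part of the McAfee SMC guide and not McAfee code.
It models the Location and contact-address rules this chapter describes:
components in the same Location use the target's primary IP address;
a component in another Location uses the contact address the target has
defined for the contacting component's Location (an "Exception"), and
otherwise the target's Default contact address(es). Elements with no
Location assigned belong to the Default Location. The names and IP
addresses below are constructed for Illustration 5.1.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_LOCATION = "Default"


def _split_addresses(raw: str) -> list[str]:
    """Contact addresses are entered comma-separated in the dialog; keep their order."""
    return [a.strip() for a in raw.split(",") if a.strip()]


@dataclass
class SmcElement:
    name: str
    primary_ip: str
    location: str = DEFAULT_LOCATION
    # Default contact address(es). The guide says the dialog pre-fills this from
    # the element properties, so an empty value falls back to the primary IP.
    default_contact: str = ""
    # Exceptions: contacting Location name -> contact address(es) for that Location.
    exceptions: dict[str, str] = field(default_factory=dict)


def resolve_contact_addresses(source: SmcElement, target: SmcElement) -> list[str]:
    """Addresses `source` tries, in order, when it contacts `target`."""
    if source.location == target.location:
        # Same side of the NAT device: contact addresses are ignored entirely.
        return [target.primary_ip]
    if source.location in target.exceptions:
        return _split_addresses(target.exceptions[source.location])
    # No Location-specific address: fall back to the Default contact address(es);
    # several may be listed for additional servers (HA) or Multi-Link NetLinks.
    return _split_addresses(target.default_contact) or [target.primary_ip]


def build_illustration_5_1() -> dict[str, SmcElement]:
    """Headquarters servers and a branch office engine, each behind its own NAT device."""
    return {
        "mgmt": SmcElement("Management Server", "10.1.0.10", "Headquarters",
                           default_contact="198.51.100.10"),
        # Log Server reachable over two NetLinks (Multi-Link): two Default addresses,
        # plus a separate address handed out to components in a "Partner" Location.
        "log": SmcElement("Log Server", "10.1.0.11", "Headquarters",
                          default_contact="198.51.100.11, 198.51.100.12",
                          exceptions={"Partner": "192.0.2.11"}),
        "hq_fw": SmcElement("HQ Firewall", "10.1.0.1", "Headquarters"),
        "branch_fw": SmcElement("Branch Office Firewall", "10.2.0.1", "Branch Office",
                                default_contact="203.0.113.1"),
        # An administrator's Management Client that was never assigned a Location.
        "client": SmcElement("Management Client", "10.3.0.50"),
    }


if __name__ == "__main__":
    elems = build_illustration_5_1()
    for src, dst in (("branch_fw", "mgmt"), ("branch_fw", "log"), ("hq_fw", "mgmt"),
                     ("mgmt", "branch_fw"), ("client", "log")):
        print(f"{elems[src].name} -> {elems[dst].name}: "
              f"{resolve_contact_addresses(elems[src], elems[dst])}")
```

The Management Client entry shows why the status-bar Location matters: left in the Default Location it is treated as being behind NAT relative to the Headquarters servers and is handed their external contact addresses.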


To define Authentication Server contact addresses

1. Right-click the Authentication Server and select Properties. The Authentication Server properties open.

2. Select the node for which you want to define contact addresses and click Edit. The Node Properties dialog opens.

3. Select the Location of the node.

4. If necessary, edit the contact address(es).
• A Default contact address is automatically entered based on the element properties.
• If necessary, click Exceptions to define other contact addresses for specific Locations.

5. Repeat from Step 2 to define contact addresses for other Authentication Server nodes.

6. Click OK.

What’s Next? If there is a NAT device between your Management Client and a Log Server, proceed to Setting the Management Client’s Location (page 51). Otherwise, you are ready to configure the Security Engine element(s) in the Management Client. You must configure the elements before installing the physical engines. See the McAfee NGFW Installation Guide for Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles for more information.

Setting the Management Client’s Location

When there is a NAT device between the Management Client and a Log Server, you must select the correct Location for your Management Client in the status bar at the bottom of the Management Client window to be able to view logs. You must select the Management Client Location separately in each administrative Domain if there are multiple Domains in your environment.

To select the Management Client’s Location

Click the Default Location name in the status bar at the bottom of the window and select the correct Location.

Note – Elements that belong to the same Location element always use the primary IP address when contacting each other instead of any contact addresses. Elements that do not belong to a specific Location are considered to belong to the Default Location.

What’s Next? You are ready to configure the Security Engine element(s). See the McAfee NGFW Installation Guide for Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles for more information.


MAINTENANCE

In this section:

Upgrading - 55

Uninstalling the Security Management Center - 63


CHAPTER 6

UPGRADING

This chapter explains how to upgrade the Security Management Center.

The following sections are included:

Getting Started with Upgrading the SMC (page 56)
Upgrading Licenses (page 57)
Upgrading the Security Management Center (page 59)


Getting Started with Upgrading the SMC

You can upgrade SMC components without uninstalling the previous version. It is important to upgrade the SMC components before upgrading the engines. An old SMC version may not be able to recognize the new version engines and may generate an invalid configuration for them. The Management Server can control several older versions of engines. See the Release Notes for version-specific compatibility information.

The NGFW engines do not require a continuous connection to the SMC and they continue to operate normally during the SMC upgrade. The engines temporarily store their logs locally if the Log Server is unavailable and then send them to the Log Server as it becomes available again.

For more detailed instructions, see the McAfee SMC Administrator’s Guide or the Management Client Online Help.

Before upgrading, read the Release Notes at www.stonesoft.com/en/customer_care/kb/.

Configuration Overview

1. Obtain the installation files and check the installation file integrity as explained in Downloading the Installation Files (page 15).

2. (If automatic license updates have been disabled) Update the licenses as explained in Upgrading Licenses (page 57).

3. Upgrade all components that work as parts of the same SMC as explained in Upgrading the Security Management Center (page 59).

4. Upgrade any locally installed Management Clients by running the Security Management Center installer and any Web Start distributions that are located on an external server as explained in Distributing Management Clients From a Separate Server (page 45).

Caution – All the SMC components (Management Server, Management Client, Log Server, the optional Web Portal Server, and the optional Authentication Server) must use the same software version to be able to work together. Plan ahead before upgrading the components. If you have multiple Management Servers and Log Servers, you must upgrade each server separately.

What’s Next? If the current licenses are valid for the new version, proceed to Upgrading the Security Management Center (page 59). Otherwise, continue by Upgrading Licenses (page 57).


Upgrading Licenses

When you installed the SMC for the first time, you installed licenses that work with all versions up to that particular version. Each license indicates the highest version for which the license is valid, but the license is also valid for all lower software versions. You must upgrade the license if you upgrade a component to a new major release indicated by a change in the first two digits of the version number (for example, an upgrade from 1.2.3 to 1.3.0 or an upgrade from 1.2.3 to 2.0.0). If only the last number changes, the existing license is also valid for the higher software version.
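The version rule above, as an added Python check that is not part of the guide: a license covers its stated version and everything below it, and only a change in the first two digits of the version forces a new license. The component names and license versions in the block are constructed sample data, not real license records.

```python
"""License coverage check for SMC upgrades.

Rule stated in the guide: a license names the highest version it is valid
for and also covers every lower version; a new license is needed only when
the first two digits of the version (major.minor) change.
"""
from __future__ import annotations


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z' into a (major, minor, patch) tuple."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def license_covers(license_max_version: str, component_version: str) -> bool:
    """True if a license valid up to license_max_version covers a component
    running component_version. Only major.minor is compared, so a 5.7
    license covers every 5.7.x build and everything below it."""
    return parse_version(component_version)[:2] <= parse_version(license_max_version)[:2]


def upgrade_requires_new_license(current_version: str, target_version: str) -> bool:
    """True if going from current_version to target_version changes the first
    two digits (1.2.3 to 1.3.0, or 1.2.3 to 2.0.0); a change in the last digit
    only (1.2.3 to 1.2.4) is still covered by the existing license."""
    return parse_version(current_version)[:2] != parse_version(target_version)[:2]


def licenses_to_upgrade(licenses: dict[str, str], target_version: str) -> list[str]:
    """Return the SMC components whose license must be upgraded before the
    components themselves are upgraded to target_version. `licenses` maps a
    component name to the highest version its current license is valid for."""
    return [name for name, max_version in licenses.items()
            if not license_covers(max_version, target_version)]


if __name__ == "__main__":
    # Constructed sample inventory (not real license data): the highest
    # version each component's current license is valid for.
    inventory = {
        "Management Server": "5.5",
        "Log Server": "5.7",
        "Web Portal Server": "5.5",
    }
    target = "5.7.1"
    for component in licenses_to_upgrade(inventory, target):
        print(f"{component}: upgrade the license before moving to {target}")
```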

If you do not need to upgrade licenses, proceed to Upgrading the Security Management Center (page 59).

Upgrading Licenses Manually

You can view, change, and download your current licenses at http://www.stonesoft.com/en/customer_care/licenses/ by logging in with your personal account (to view all licenses linked to that account) or by entering a proof-of-license (POL) or proof-of-serial (POS) code (to view information related to a particular license).

If automatic license upgrades have been enabled in the Management Server properties, your licenses are kept up-to-date automatically. Otherwise, you can upgrade licenses manually in the following ways:

• When you log in to the online License Center, you can upgrade the licenses for the displayed component(s) through the link provided and save the licenses as a file that you can install in the Security Management Center as explained in Installing Licenses (page 58).

• You can export information on licenses through the Management Client and use the resulting file to upgrade the licenses as explained below.

To upgrade licenses

1. Select Configuration→Configuration→Administration. The Administration Configuration view opens.

2. Expand the Licenses branch and browse to the type of Licenses that you want to upgrade.

3. Ctrl-select or Shift-select the licenses you want to upgrade.

4. Right-click one of the selected items and select Export License Info. The Save License Upgrade Request dialog opens.

5. Select the location at which to save the license file in the dialog that opens. You are prompted to request a license upgrade.

6. Click Yes. The McAfee web site opens.

7. Go to https://my.stonesoft.com/managelicense.do.

8. Enter the POL or POS code in the License Identification field and click Submit. The License Center page opens.

9. If you have only one license to upgrade, click Update under the license information. Otherwise, continue to Step 10.

10. Click the Multi-Upgrade Licenses link on the right. The Upload Multi-Upgrade Licenses page opens.


11. Enter any information needed for the upgrade request and select or upload the license file(s) to update.

12. Click Submit to upload the license request. A confirmation page opens, showing the details of your request.

The upgraded licenses are e-mailed to you in a .zip file.

What’s Next? Installing Licenses

Installing Licenses

After you have upgraded the licenses as described above, install the license in the Management Client.

To install licenses

1. Select File→System Tools→Install Licenses. The Install License File(s) dialog opens.

2. Select the license files and click Install.

3. Browse to Licenses→All Licenses in the Administration Configuration view.

4. Check that the licenses have now been correctly upgraded to the new version. When you only upgrade the software version in the license, old licenses are automatically replaced.

What’s Next? Upgrading the Security Management Center (page 59)


Upgrading the Security Management Center

There is no need to uninstall the previous version. Upgrading from all older versions may not be possible without an intermediate upgrade. See the Release Notes for more information.

It is possible to revert automatically to the previous installation if the Security Management Center upgrade fails. The installer can also create a backup of the Management Server configuration. For more information on backups (such as the steps for restoring backups), refer to the McAfee SMC Administrator’s Guide or the Management Client Online Help.

The same installer works with all Security Management Center components, including locally installed Management Clients.

If you have multiple Management Servers or Log Servers, you can upgrade them in any order. Management Servers are automatically isolated from database replication during the upgrade. There is no need to explicitly isolate the Management Servers before upgrading.

To upgrade Security Management Center components

1. Start the upgrade in one of the following ways:

• From a .zip file: unzip the file and run setup.exe on Windows or setup.sh on Linux.

• From a DVD: insert the installation DVD and run the setup executable from the DVD:

Operating System: Path to Executable
Windows 32-bit: \McAfee_SMC_Installer\Windows\setup.exe
Windows 64-bit: \McAfee_SMC_Installer\Windows-x64\setup.exe
Linux 32-bit: /McAfee_SMC_Installer/Linux/setup.sh
Linux 64-bit: /McAfee_SMC_Installer/Linux-x64/setup.sh

Note – If the DVD is not automatically mounted in Linux, mount the DVD with “mount /dev/cdrom /mnt/cdrom”.

2. Click Next in the Introduction screen of the Installation Wizard to start the upgrade. The License Agreement appears.

3. Indicate that you accept the License Agreement and click Next to continue the installation.

4. Make sure the installation directory is correct for your installation and click Next.

• All installed components must be upgraded at the same time. You can also install additional components. See Installing the Security Management Center (page 19) for installation instructions.

5. (Management Server only, optional) Select Save Current Installation to save a copy of the current installation that you can revert to at any time after the upgrade.

6. Click Next.


7. (Management Server and Authentication Server only) Select whether to back up the server and click Next:

• Select Yes to create a backup that can be used and viewed without a password.

• Select Yes, encrypt the backup to create a password-protected backup. You are prompted for the password as you confirm the selection.

• Select No if you already have a recent backup of the Management Server or Authentication Server.

8. Check that the information in the Pre-Installation Summary is correct and click Install. The upgrade begins.

9. If you receive a notification that a Report of System Changes is available and you want to view the report, click the link in the notification. Otherwise, click Next.

10. Click Done to close the installer.

What’s Next?

• If you have multiple Log Servers, upgrade all of the Log Servers in the same way.

• If you have multiple Management Servers, upgrade all of the Management Servers and proceed to Synchronizing Management Databases (page 61).

• If administrators have Management Clients installed locally, upgrade the Management Clients by running the same Security Management Center installer on those hosts.

• If you are distributing Web Start Management Clients from an external server, install a new Web Start package in the same way as the original installation. See Distributing Management Clients Through Web Start (page 43).

Otherwise, the Security Management Center upgrade is now complete. See the McAfee NGFW Installation Guide for Firewall/VPN Role and McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles if you are also upgrading engines.


Synchronizing Management Databases

You must synchronize the configuration information between all Management Servers through the Management Client after upgrading the Management Servers.

To synchronize management databases

1. Connect to the active Management Server using the Management Client.

2. Select File→System Tools→Control Management Servers. The Control Management Servers dialog opens.

3. If you are logged in to a different Management Server than the one that you are selecting for replication, select the Location from which to send the command. This ensures that the command is sent to the correct Contact Address for the Management Server.

4. Right-click the Management Server and select Replication→Full Database Replication. You are prompted to confirm the replication.

5. Click Yes. All existing configurations on the additional Management Server are overwritten.

6. Click OK to acknowledge the completion of the synchronization and wait for the Management Server to restart.

• After the Management Server has restarted, its Replication Status is updated in the Control Management Servers dialog.

7. If you need to synchronize more than one additional Management Server, repeat Step 4-Step 6 for each Management Server.

8. Click Close to close the Control Management Servers dialog.


CHAPTER 7

UNINSTALLING THE SECURITY MANAGEMENT CENTER

This chapter instructs how to uninstall the Security Management Center components.

The following sections are included:

Overview to Uninstalling the Security Management Center (page 64)
Uninstalling in Windows (page 64)
Uninstalling in Linux (page 64)


Overview to Uninstalling the Security Management Center

It is not possible to uninstall the Security Management Center components one by one. If you have several Security Management Center components installed on the same computer, all components are uninstalled. The sgadmin account is deleted during the uninstallation of the Security Management Center.

By default, the Security Management Center is installed in the following directories:

• Windows: C:\McAfee\Security Management Center

• Linux: /usr/local/mcafee/security_management_center

There is a .stonegate directory in each user’s home directory in the operating system, which contains the Management Client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.

Uninstalling in Windows

To uninstall in Windows

1. Launch the uninstaller in one of the following ways:

• Open the list of installed programs through the Windows Control Panel, right-click McAfee Security Management Center, and select Uninstall/Change.

• Alternatively, run the script <installation directory>\uninstall\uninstall.bat

2. When the uninstaller opens, click Uninstall. All Security Management Center components are uninstalled.

Uninstalling in Linux

To uninstall in graphical mode

1. Stop the Security Management Center components on the machine.

2. Run the script <installation directory>/uninstall/uninstall.sh

3. When the uninstaller starts, click Uninstall. All Security Management Center components are uninstalled.

To uninstall in non-graphical mode

1. Stop the Security Management Center components on the machine.

2. Run the script <installation directory>/uninstall/uninstall.sh -nodisplay

Note – Back up the Management Server and the Log Server before uninstalling the Security Management Center if you want to preserve the stored data.


APPENDICES

In this section:

Command Line Tools - 67

Default Communication Ports - 89

Index - 97


APPENDIX A

COMMAND LINE TOOLS

This appendix describes the command line tools for McAfee Security Management Center and the NGFW engines.

The following sections are included:

Security Management Center Commands (page 68)
NGFW Engine Commands (page 79)
Server Pool Monitoring Agent Commands (page 87)

Note – Using the Management Client is the recommended configuration method, as most of the same tasks can be done through it.


Security Management Center Commands

Security Management Center commands include commands for the Management Server, Log Server, Web Portal Server, and Authentication Server. Most of the commands are found in the <installation directory>/bin/ directory. In Windows, the command line tools are *.bat script files. In Linux, the files are *.sh scripts.

Commands that require parameters must be run through the command line (cmd.exe in Windows). Commands that do not require parameters can alternatively be run through a graphical user interface, and may be added as shortcuts during installation.

Note – If you installed the Management Server in the C:\Program Files\McAfee\Security Management Center directory in Windows, some of the program data is stored in the C:\ProgramData\McAfee\Security Management Center directory. Command line tools may be found in the C:\Program Files\McAfee\Security Management Center\bin and/or the C:\ProgramData\McAfee\Security Management Center\bin directory.

Caution – login and password parameters are optional. Giving them as Command Line parameters may pose a security vulnerability. Do not enter login and password information unless explicitly prompted to do so by a Command Line tool.

Table A.1 Security Management Center Command Line Tools

sgArchiveExport [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] [format=<exporter format: CSV or XML>] i=<input files and/or directories> [o=<output file name>] [f=<filter file name>] [e=<filter expression>] [-h | -help | -?] [-v]

Displays or exports logs from archive. This command is only available on the Log Server. The operation checks privileges for the supplied administrator account from the Management Server to prevent unauthorized access to the logs. Enclose details in double quotes if they contain spaces.


host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
format defines the file format for the output file. If this parameter is not defined, the XML format is used.
i defines the source from which the logs will be exported. Can be a folder or a file. The processing recurses into subfolders.
o defines the destination file where the logs will be exported. If this parameter is not defined, the output is displayed on screen.
f defines a file that contains the filtering criteria you want to use for filtering the log data. You can export log filters individually in the Management Client through Tools→Save for Command Line Tools in the filter’s right-click menu.
e allows you to type in a filter expression manually (using the same syntax as exported filter files).
-h, -help, or -? displays information on using the script.
-v displays verbose output on the command execution.

Example (exports logs from one full day to a file using a filter):

sgArchiveExport login=admin pass=abc123 i=c:/mcafee/security_management_center/data/archive/firewall/year2011/month12/./sgB.day01/ f=c:/mcafee/security_management_center/export/MyExportedFilter.flp format=CSV o=MyExportedLogs.csv

sgBackupAuthSrv

[pwd=<password>] [path=<destpath>] [nodiskcheck] [comment=<comment>] [-h | --help]

Creates a backup of Authentication Server user information. The backup file is stored in the <installation directory>/backups/ directory. Backing up the Authentication Server only backs up Users, not the configuration of the Authentication Server. The Authentication Server configuration is included in the Management Server backup.
pwd enables encryption.
path defines the destination path.
nodiskcheck ignores the free disk check before creating the backup.
comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters.
-h or --help displays information on using the script.
Also see sgRestoreAuthBackup.


sgBackupLogSrv [pwd=<password>] [path=<destpath>] [nodiskcheck] [comment=<comment>] [nofsstorage] [-h | --help]

Creates a backup of Log Server configuration data. The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the log database is required on the destination drive. Otherwise, the operation fails.
pwd entering a password enables encryption.
path defines the destination path.
nodiskcheck ignores the free disk check before creating the backup.
comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters.
nofsstorage creates a backup only of the Log Server configuration without the log data.
-h or --help displays information on using the script.
Also see sgRestoreLogBackup.

sgBackupMgtSrv [pwd=<password>] [path=<destpath>] [nodiskcheck] [comment=<comment>] [-h | --help]

Creates a complete backup of the Management Server (including both the local configuration and the stored information in the configuration database). The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the Management Server database is required on the destination drive. Otherwise, the operation fails.
pwd entering a password enables encryption.
path defines the destination path.
nodiskcheck ignores the free disk check before creating the backup.
comment allows you to enter a comment for the backup. The maximum length of a comment is 60 characters.
-h or --help displays information on using the script.
Also see sgRestoreMgtBackup and sgRecoverMgtDatabase.

sgCertifyAuthSrv

Contacts the Management Server and creates a new certificate for the Authentication Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components.


sgCertifyLogSrv [host=<Management Server Address[\Domain]>]

Contacts the Management Server and creates a new certificate for the Log Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
Domain specifies the administrative Domain the Log Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
The Log Server needs to be shut down before running this command. Restart the server after running this command.

sgCertifyMgtSrv

Creates a new certificate for the Management Server to allow secure communications between the SMC components. Renewing an existing certificate does not require changes on any other SMC components.
The Management Server needs to be shut down before running this command. Restart the server after running this command.

sgCertifyWebPortalSrv [host=<Management Server Address[\Domain]>]

Contacts the Management Server and creates a new certificate for the Web Portal Server to allow secure communications with other SMC components. Renewing an existing certificate does not require changing the configuration of any other SMC components.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
Domain specifies the administrative Domain the Web Portal Server belongs to if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
The Web Portal Server needs to be shut down before running this command. Restart the server after running this command.

sgChangeMgtIPOnAuthSrv <IP address>

Changes the Management Server’s IP address in the Authentication Server’s local configuration to the IP address you give as a parameter. Use this command if you change the Management Server’s IP address. Restart the Authentication Server after running this command.

sgChangeMgtIPOnLogSrv <IP address>

Changes the Management Server’s IP address in the Log Server’s local configuration to the IP address you give as a parameter. Use this command if you change the Management Server’s IP address. Restart the Log Server service after running this command.


sgChangeMgtIPOnMgtSrv <IP address>

Changes the Management Server’s IP address in the local configuration to the IP address you give as a parameter. Use this command if you change the Management Server’s IP address. Restart the Management Server service after running this command.

sgClient

Starts a locally installed Management Client.

sgCreateAdmin

Creates an unrestricted (superuser) administrator account.
The Management Server needs to be stopped before running this command.

sgExport [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] file=<file path and name> [type=<all|nw|ips|sv|rb|al>] [name=<element name 1, element name 2, ...>] [recursion] [-system] [-h | -help | -?]

Exports elements stored on the Management Server to an XML file. Enclose details in double quotes if they contain spaces.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
file defines the name and location of the export ZIP file.
type specifies which types of elements are included in the export file:
all for all exportable elements
nw for network elements
ips for IPS elements
sv for services
rb for security policies
al for alerts
vpn for VPN elements.
name allows you to specify by name the element(s) that you want to export.
recursion includes referenced elements in the export, for example, the network elements used in a policy that you export.
-system includes any system elements that are referenced by the other elements in the export.
-h, -help, or -? displays information on using the script.


sgHA [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] [master=<Management Server used as master server for the operation>] [-set-active] [-set-standby] [-check] [-retry] [-force] [-restart] [-h | -help | -?]

Controls active and standby Management Servers. If you want to perform a full database synchronization, use the sgOnlineReplication command.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
master defines the Management Server used as a master Management Server for the operation.
-set-active activates and locks all administrative Domains.
-set-standby deactivates and unlocks all administrative Domains.
-check checks that the Management Server’s database is in sync with the master Management Server.
-retry retries replication if this has been stopped due to a recoverable error.
-force enforces the operation even if all Management Servers are not in sync. Note that using this option may cause instability if used carelessly.
-restart restarts the specified Management Server.
-h, -help, or -? displays information on using the script.

sgImport [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] file=<file path and name> [-replace_all] [-h | -help | -?]

Imports Management Server database elements from an XML file. When importing, existing (non-default) elements are overwritten if both the name and type match.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
file defines the ZIP file whose contents you want to import.
-replace_all ignores all conflicts by replacing all existing elements with new ones.
-h, -help, or -? displays information on using the script.


sgImportExportUser [host=<Management Server Address[\Domain]>] [login=<login name>] [pass=<password>] action=<import|export> file=<file path and name> [-h | -help | -?]

Imports and exports a list of Users and User Groups in an LDIF file from/to a Management Server’s internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate). The user information in the export file is stored as plaintext. Handle the file securely.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address (localhost) is used.
Domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
action defines whether users are imported or exported.
file defines the file that is used for the operation.
-h, -help, or -? displays information on using the script.

Example: sgImportExportUser login=admin pass=abc123 action=export file=c:\temp\exportedusers.ldif

sgInfo SG_ROOT_DIR FILENAME [fast] [-nolog] [-client] [-h | -help | -?]

Creates a ZIP file that contains copies of configuration files and the system trace files. The resulting ZIP file is stored in the logged-in user’s home directory. The file location is displayed on the last line of screen output. Provide the generated file to support for troubleshooting purposes.
SG_ROOT_DIR Security Management Center installation directory.
FILENAME name of the output file.
-nolog extended Log Server information is NOT collected.
-client collects traces only from the Management Client.
-h, -help, or -? displays information on using the script.


sgOnlineReplication

[login=<login name>][pass=<password>][active-server=<name of active Management Server>][standby-server=<name of additional Management Server>][standby-server-address=<IP address of additional Management Server>][-nodisplay][-h|-help|-?]

Replicates the Management Server’s database from the active Management Server to an additional Management Server. The Management Server to which the database is replicated must be shut down before running this command. Restart the Management Server after running this command.Note! Use this script to replicate the database only if the additional Management Server’s configuration has been corrupted, the additional Management Server’s certificate has expired, or in new SMC installations if the automatic database replication between the Management Servers has not succeeded. Otherwise, synchronize the database through the Management Client. See the McAfee SMC Administrator’s Guide for more information.login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.pass defines the password for the user account.active-server option specifies the IP address of the active Management Server from which the Management database is replicated. standby-server option specifies the name of the additional Management Server to which the Management database is replicated.standby-server-address option specifies the IP address of the additional Management Server to which the Management database is replicated.-nodisplay sets a text only console.-h, -help, or -? displays information on using the script.

sgReinitializeLogServer

Note! This script is located in <installation directory>/bin/install.
Creates a new Log Server configuration if the configuration file has been lost.

sgRestoreArchive <ARCHIVE_DIR>

Restores logs from archive files to the Log Server. This command is available only on the Log Server.
ARCHIVE_DIR is the number of the archive directory (0 – 31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.

sgRestoreAuthBackup

[-pwd=<password>] [-backup=<backup file name>] [-nodiskcheck] [-h|-help]

Restores the Authentication Server user information from a backup file in the <installation directory>/backups/ directory. Apply the Authentication Server’s configuration after this command.
-pwd defines a password for encrypted backup.
-backup defines a name for the backup file.
-nodiskcheck ignores free disk check before backup restoration.
-h or -help displays information on using the script.

sgRestoreLogBackup

[-pwd=<password>] [-backup=<backup file name>] [-nodiskcheck] [-overwrite-syslog-template] [-h|-help]

Restores the Log Server (logs and/or configuration files) from a backup file in the <installation directory>/backups/ directory. Apply the Authentication Server’s configuration after this command.
-pwd defines a password for encrypted backup.
-backup defines a name for the backup file.
-nodiskcheck ignores free disk check before backup restoration.
-overwrite-syslog-template overwrites a syslog template file if found in the backup.
-h or -help displays information on using the script.

sgRestoreMgtBackup

[-pwd=<password>] [-backup=<backup file name>] [-nodiskcheck] [-h|-help]

Restores the Management Server (database and/or configuration files) from a backup file in the <installation directory>/backups/ directory.
-pwd defines a password for encrypted backup.
-backup defines a name for the backup file.
-nodiskcheck ignores free disk check before backup restoration.
-h or -help displays information on using the script.

sgRevert

Note! This script is located in <installation directory>/bin/uninstall.
Reverts to the previous installation saved during the upgrade process. The previous installation can be restored at any time, even after a successful upgrade.

sgShowFingerPrint Displays the CA certificate’s fingerprint on the Management Server.

sgStartAuthSrv Starts the Authentication Server.

sgStartLogSrv Starts the Log Server and its database.

sgStartMgtDatabase Starts the Management Server’s database. There is usually no need to use this script.

sgStartMgtSrv Starts the Management Server and its database.

sgStartWebPortalSrv Starts the Web Portal Server.

sgStopLogSrv Stops the Log Server.

sgStopMgtSrv Stops the Management Server and its database.

sgStopMgtDatabase Stops the Management Server’s database. There is usually no need to use this script.

sgStopWebPortalSrv Stops the Web Portal Server.

sgStopRemoteMgtSrv

[host=<Management Server Host Name>] [login=<login name>] [pass=<password>] [-h|-help|-?]

Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server.
host is the Management Server’s host name if not localhost.
login is an SMC administrator account for the login.
pass is the password for the administrator account.
-h, -help, or -? displays information on using the script.

sgTextBrowser

[host=<Management Server address[\Domain]>] [login=<login name>] [pass=<password>] [format=<CSV|XML>] [o=<output file>] [f=<filter file>] [e=<filter expression>] [m=<current|stored>] [limit=<maximum number of unique records to fetch>] [-h|-help|-?]

Displays or exports current or stored logs. This command is available on the Log Server. Enclose the file and filter names in double quotes if they contain spaces.
host defines the address of the Management Server used for checking the login information. If this parameter is not defined, the Management Server is expected to be on the same host where the script is run. If Domains are in use, you can specify the Domain the Log Server belongs to. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this export. If this parameter is not defined, the username root is used.
pass defines the password for the user account used for this operation.
format defines the file format for the output file. If this parameter is not defined, the XML format is used.
o defines the destination output file where the logs will be exported. If this parameter is not defined, the output is displayed on screen.
f defines the exported filter file that you want to use for filtering the log data.
e defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client.
m defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used.
limit defines the maximum number of unique records to be fetched. The default value is unlimited.
-h, -help, or -? displays information on using the script.

NGFW Engine Commands

The commands in the following two tables can be run on the command line on Firewall, Layer 2 Firewall, IPS engines and/or Master Engines.

Note – All command line tools that are available for single Security Engines are also available for Virtual Security Engines that have the same role. However, there is no direct access to the command line of Virtual Security Engines. Commands to Virtual Security Engines must be sent from the command line of the Master Engine using the se-virtual-engine command.

Table A.2 NGFW Engine Command Line Tools

Command Engine Role Description

avdbfetch

[--dbzip=<path to zip file>] [--proxy=<proxy address>] [--proxy-pass=<proxy password>] [--proxy-user=<proxy user>] [--url=<url path>]

Firewall

If the separately-licensed anti-virus feature is enabled on a Firewall, use this command to manually update the anti-virus database.
--dbzip defines the location of the locally-stored database zip file. This option can be used when there is no internet connection and you have manually copied the database to a folder on the engine. This parameter does not need to be defined if the zip file is stored in /var/tmp.
--proxy defines the address of an HTTP proxy if one is required to connect to the database mirror.
--proxy-pass defines the password (if required) for the HTTP proxy.
--proxy-user defines the username (if required) for the HTTP proxy.
--url defines the address of the database mirror. If not specified, the default address is http://update.nai.com/Products/CommonUpdater.

sg-blacklist

show [-v] [-f FILENAME] |
add [[-i FILENAME] | [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX] [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX] [proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT]] [dstport PORT[-PORT]] [duration NUM]] |
del [[-i FILENAME] | [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX] [dst IP_ADDRESS/MASK] [dst6 IPv6_ADDRESS/PREFIX] [proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT]] [dstport PORT[-PORT]] [duration NUM]] |
iddel NODE_ID ID |
flush

Firewall, Layer 2 Firewall, IPS

Used to view, add, or delete active blacklist entries. The blacklist is applied as defined in Access Rules.
Commands:
show displays the current active blacklist entries in the format: engine node ID | blacklist entry ID | (internal) | entry creation time | (internal) | address and port match | originally set duration | (internal) | (internal). Use the -f option to specify a storage file to view (/data/blacklist/db_<number>). The -v option adds the operation’s details to the output.
add creates a new blacklist entry. Enter the parameters (see below) or use the -i option to import parameters from a file.
del deletes the first matching blacklist entry. Enter the parameters (see below) or use the -i option to import parameters from a file.
iddel NODE_ID ID removes one specific blacklist entry on one specific engine. NODE_ID is the engine’s ID, ID is the blacklist entry’s ID (as shown by the show command).
flush deletes all blacklist entries.

sg-blacklist (continued)

Firewall, Layer 2 Firewall, IPS

Add/Del Parameters:
Enter at least one parameter. The default value is used for the parameters that you omit. You can also save parameters in a text file; each line in the file is read as one blacklist entry.
src IP_ADDRESS/MASK defines the source IP address and netmask to match. Matches any IP address by default.
src6 IPv6_ADDRESS/PREFIX defines the source IPv6 address and prefix length to match. Matches any IPv6 address by default.
dst IP_ADDRESS/MASK defines the destination IP address and netmask to match. Matches any IP address by default.
dst6 IPv6_ADDRESS/PREFIX defines the destination IPv6 address and prefix length to match. Matches any IPv6 address by default.
proto {tcp|udp|icmp|NUM} defines the protocol to match by name or protocol number. Matches all IP traffic by default.
srcport PORT[-PORT] defines the TCP/UDP source port or range to match. Matches any port by default.
dstport PORT[-PORT] defines the TCP/UDP destination port or range to match. Matches any port by default.
duration NUM defines in seconds how long the entry is kept. Default is 0, which cuts current connections, but is not kept.
Examples:
sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60
sg-blacklist add -i myblacklist.txt
sg-blacklist del dst 192.168.1.0/24 proto 47
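The -i FILENAME form of add and del is the way blacklist entries are scripted, and because every omitted address keyword defaults to "any", a line that names no address at all matches every source and destination. The following POSIX shell script is an added example, not part of the SMC product or of this guide: it checks such a parameter file before the file is passed to sg-blacklist. The value formats it enforces (IPv4 address/MASK, IPv6 address/PREFIX, protocol name or number, PORT or PORT-PORT, duration in seconds) follow the parameter list above; rejecting entries that name no address, and port keywords combined with a protocol other than TCP/UDP, is the script's own policy. Its sample file is constructed for the example (the first line is the guide's own example entry).

```shell
#!/bin/sh
# Added example, not part of the McAfee SMC product or this guide: a strict
# pre-check for the parameter file given to "sg-blacklist add -i FILE".
# Each line of that file is one blacklist entry built from the documented
# keywords (src, src6, dst, dst6, proto, srcport, dstport, duration).
# Pure POSIX sh; the engine itself is not needed to run it.
set -f   # no pathname expansion while entries are split into words

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
# True when $1 is an unsigned integer within $2..$3.
in_range() { is_uint "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# IPv4 address with mask length, e.g. 192.168.0.2/32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    in_range "${1#*/}" 0 32 || return 1
    _ifs=$IFS; IFS=.; set -- $addr; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do in_range "$octet" 0 255 || return 1; done
}

# IPv6 address with prefix length, e.g. 2001:db8::10/128 (hex/colon check only).
is_ipv6_prefix() {
    case "$1" in */*) ;; *) return 1 ;; esac
    in_range "${1#*/}" 0 128 || return 1
    case "${1%/*}" in *:*) ;; *) return 1 ;; esac
    case "${1%/*}" in *[!0-9a-fA-F:]*) return 1 ;; esac
}

# Protocol by name or IP protocol number.
is_proto() { case "$1" in tcp|udp|icmp) return 0 ;; *) in_range "$1" 0 255 ;; esac; }

# PORT or PORT-PORT, each in 1..65535, low end not above high end.
is_port_range() {
    case "$1" in
        *-*) in_range "${1%-*}" 1 65535 && in_range "${1#*-}" 1 65535 &&
             [ "${1%-*}" -le "${1#*-}" ] ;;
        *)   in_range "$1" 1 65535 ;;
    esac
}

# Validate one entry line. Rejects unknown keywords, malformed values, an
# entry that names no address at all (omitted address keywords match "any",
# so it would match every source and destination), and ports combined with
# a protocol other than TCP/UDP (srcport/dstport are TCP/UDP ports).
# Warns when duration is absent or 0: the engine then cuts current
# connections but does not keep the entry.
validate_blacklist_entry() {
    addr_seen=0; port_seen=0; proto_val=; duration_val=0
    set -- $1
    [ $# -gt 0 ] || { echo "rejected: empty entry" >&2; return 1; }
    while [ $# -gt 0 ]; do
        key=$1; val=${2-}
        [ -n "$val" ] || { echo "rejected: no value for '$key'" >&2; return 1; }
        shift 2
        case "$key" in
            src|dst)         is_ipv4_cidr "$val" && addr_seen=1 ;;
            src6|dst6)       is_ipv6_prefix "$val" && addr_seen=1 ;;
            proto)           is_proto "$val" && proto_val=$val ;;
            srcport|dstport) is_port_range "$val" && port_seen=1 ;;
            duration)        is_uint "$val" && duration_val=$val ;;
            *) echo "rejected: unknown keyword '$key'" >&2; return 1 ;;
        esac || { echo "rejected: bad value '$val' for '$key'" >&2; return 1; }
    done
    [ "$addr_seen" -eq 1 ] ||
        { echo "rejected: no src/src6/dst/dst6; entry would match all addresses" >&2; return 1; }
    if [ "$port_seen" -eq 1 ]; then
        case "$proto_val" in
            ''|tcp|udp|6|17) ;;
            *) echo "rejected: srcport/dstport need proto tcp or udp" >&2; return 1 ;;
        esac
    fi
    [ "$duration_val" -gt 0 ] ||
        echo "warning: duration 0 cuts current connections but is not kept" >&2
    return 0
}

# Validate every line of FILE; succeeds only if all entries pass.
validate_blacklist_file() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        validate_blacklist_entry "$line" || { echo "  $1, line $n: $line" >&2; bad=1; }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample file (not from the guide): the first entry is the guide's
# own example; the third names no address and would blacklist port 22 from
# every source, so the file as a whole is rejected.
sample=${TMPDIR:-/tmp}/blacklist.$$
cat > "$sample" <<'EOF'
src 192.168.0.2/32 proto tcp dstport 80 duration 60
src6 2001:db8::10/128 dst 10.0.0.0/8 proto udp dstport 53 duration 300
proto tcp dstport 22 duration 600
EOF
if validate_blacklist_file "$sample"; then
    echo "$sample: ready for sg-blacklist add -i $sample"
else
    echo "$sample: rejected, fix the file before using it with sg-blacklist"
fi
rm -f "$sample"
```

Call validate_blacklist_file on the real parameter file before the sg-blacklist add -i step; the same check applies to files used with sg-blacklist del -i, since both read the same line format. The IPv6 check is deliberately loose (characters and prefix length only); tighten it if the files are generated by an untrusted source.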

sg-bootconfig

[--primary-console=tty0|ttyS PORT,SPEED] [--secondary-console=[tty0|ttyS PORT,SPEED]] [--flavor=up|smp] [--initrd=yes|no] [--crashdump=yes|no|Y@X] [--append=kernel options] [--help] apply

Firewall, Layer 2 Firewall, IPS

Used to edit boot command parameters for future bootups.
--primary-console=tty0|ttyS PORT,SPEED parameter defines the terminal settings for the primary console.
--secondary-console=[tty0|ttyS PORT,SPEED] parameter defines the terminal settings for the secondary console.
--flavor=up|smp [-kdb] parameter defines whether the kernel is uniprocessor or multiprocessor.
--initrd=yes|no parameter defines whether Ramdisk is enabled or disabled.
--crashdump=yes|no|Y@X parameter defines whether kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M.
--append=kernel options parameter defines any other boot options to add to the configuration.
--help parameter displays usage information.
apply command applies the specified configuration options.

sg-clear-all

Firewall, Layer 2 Firewall, IPS

Note! Use this only if you want to clear all configuration information from the engine.
This command resets all configuration information from the engine. It does not remove the engine software. After using this command, you must reconfigure the engine using the sg-reconfigure command.

sg-cluster

[-v <virtual engine ID>] [status [-c SECONDS]] [versions] [online] [lock-online] [offline] [lock-offline] [standby] [safe-offline] [force-offline]

Firewall, Layer 2 Firewall, IPS

Used to display or change the status of the node.
-v <virtual engine ID> (Master Engine only) option specifies the ID of the Virtual Security Engine on which to execute the command.
status [-c SECONDS] command displays cluster status. When -c SECONDS is used, status is shown continuously with the specified number of seconds between updates.
versions command displays the engine software versions of the nodes in the cluster.
online command sends the node online.
lock-online command sends the node online and keeps it online even if another process tries to change its state.
offline command sends the node offline.
lock-offline command sends the node offline and keeps it offline even if another process tries to change its state.
standby command sets an active node to standby.
safe-offline command sets the node to offline only if there is another online node.
force-offline command sets the node online regardless of state or any limitations. Also sets all other nodes offline.

sg-contact-mgmt

Firewall, Layer 2 Firewall, IPS

Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure below). The engine contacts the Management Server using the one-time password created when the engine’s initial configuration is saved.

sg-dynamic-routing

[start] [stop] [restart] [force-reload] [backup <file>] [restore <file>] [sample-config] [route-table] [info]

Firewall

start starts the Quagga routing suite.
stop stops the Quagga routing suite and flushes all routes made by zebra.
restart restarts the Quagga routing suite.
force-reload forces reload of the saved configuration.
backup <file> backs up the current configuration to a compressed file.
restore <file> restores the configuration from the specified file.
sample-config creates a basic configuration for Quagga.
route-table prints the current routing table.
info displays the help information for the sg-dynamic-routing command, and detailed information about Quagga suite configuration with vtysh.

sg-ipsec -d

[-u <username[@domain]> | -si <session id> | -ck <ike cookie> | -tri <transform id> | -ri <remote ip> | -ci <connection id>]

Firewall

Deletes VPN-related information (use the vpninfo command to view the information). Option -d (for delete) is mandatory.
-u deletes the VPN session of the named VPN client user. You can enter the user account in the form <username@domain> if there are several user storage locations (LDAP domains).
-si deletes the VPN session of a VPN client user based on session identifier.
-ck deletes the IKE SA (Phase one security association) based on IKE cookie.
-tri deletes the IPSEC SAs (Phase two security associations) for both communication directions based on transform identifier.
-ri deletes all SAs related to a remote IP address in gateway-to-gateway VPNs.
-ci deletes all SAs related to a connection identifier in gateway-to-gateway VPNs.

sg-logger

-f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"] [-s] [-h]

Firewall, Layer 2 Firewall, IPS

Used in scripts to create log messages with the specified properties.
-f FACILITY_NUMBER parameter defines the facility for the log message.
-t TYPE_NUMBER parameter defines the type for the log message.
-e EVENT_NUMBER parameter defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).
-i "INFO_STRING" parameter defines the information string for the log message.
-s parameter dumps information on option numbers to stdout.
-h parameter displays usage information.

sg-raid

[-status] [-add] [-re-add] [-force] [-help]

Firewall, Layer 2 Firewall, IPS

Configures a new hard drive. This command is only for McAfee NGFW appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.
-status option displays the status of the hard drive.
-add option adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.
-re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all the arrays.
-help option displays usage information.

sg-reconfigure

[--boot] [--maybe-contact] [--no-shutdown]

Firewall, Layer 2 Firewall, IPS

Used for reconfiguring the node manually.
--boot option applies bootup behavior. Do not use this option unless you have a specific need to do so.
--maybe-contact option contacts the Management Server if requested. This option is only available on firewall engines.
--no-shutdown option allows you to make limited configuration changes on the node without shutting it down. Some changes may not be applied until the node is rebooted.

sg-selftest [-d] [-h]

Firewall

Runs cryptography tests on the engine.
-d option runs the tests in debug mode.
-h option displays usage information.

sg-status [-l] [-h]

Firewall, Layer 2 Firewall, IPS

Displays information on the engine’s status.
-l option displays all available information on engine status.
-h option displays usage information.

sg-toggle-active SHA1 SIZE | --force [--debug]

Firewall, Layer 2 Firewall, IPS

Switches the engine between the active and the inactive partition. This change takes effect when you reboot the engine.
You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls -l /var/run/stonegate).
The SHA1 SIZE option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file.
--debug option reboots the engine with the debug kernel.
--force option switches the active configuration without first verifying the signature of the inactive partition.

sg-upgrade

Firewall

Upgrades the node by rebooting from the installation DVD. Alternatively, the node can be upgraded remotely using the Management Client.

sg-version

Firewall, Layer 2 Firewall, IPS

Displays the software version and build number for the node.

se-virtual-engine

-l | --list
-v <virtual engine ID>
-e | --enter
-E "<command [options]>"
-h | --help

Firewall (Master Engine only)

Used to send commands to Virtual Firewalls from the command line of the Master Engine. All commands that can be used for the Firewall role can also be used for Virtual Firewalls.
-l or --list lists the active Virtual Security Engines.
-v <virtual engine ID> specifies the ID of the Virtual Security Engine on which to execute the command.
-e or --enter enters the command shell for the Virtual Security Engine specified with the -v option. To exit the command shell, type exit.
-E "<command [options]>" executes the specified command on the Virtual Security Engine specified with the -v option.
-h or --help shows the help message for the se-virtual-engine command.

sginfo

[-f] [-d] [-s] [-p] [--] [--help]

Firewall, Layer 2 Firewall, IPS

Gathers system information you can send to McAfee support if you are having problems. Use this command only when instructed to do so by McAfee support.
-f option forces sgInfo even if the configuration is encrypted.
-d option includes core dumps in the sgInfo file.
-s option includes slapcat output in the sgInfo file.
-p option includes passwords in the sgInfo file (by default passwords are erased from the output).
-- option creates the sgInfo file without displaying the progress.
--help option displays usage information.

The table below lists some general Linux operating system commands that may be useful in running your engines. Some commands can be stopped by pressing Ctrl+c.

Table A.3 General Command Line Tools on Engines

Command Description

dmesg Shows system logs and other information. Use the -h option to see usage.

halt Shuts down the system.

ip Displays IP address information. Type the command without options to see usage. Example: type ip addr for basic information on all interfaces.

ping Tests connectivity with ICMP echo requests. Type the command without options to see usage.

ps Reports the status of running processes.

reboot Reboots the system.

scp Secure copy. Type the command without options to see usage.

sftp Secure FTP. Type the command without options to see usage.

ssh SSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.

tcpdump Gives information on network traffic. Use the -h option to see usage. You can also analyze network traffic by creating tcpdump files from the Management Client with the Traffic Capture feature. See the McAfee SMC Administrator’s Guide for more information.

top Displays the top CPU processes taking most processor time. Use the -h option to see usage.

traceroute Traces the route packets take to the specified destination. Type the command without options to see usage.

vpninfo Displays VPN information and allows you to issue some basic commands. Type the command without options to see usage.

Server Pool Monitoring Agent Commands

You can test and monitor the Server Pool Monitoring Agents on the command line with the commands described in the table below.

Table A.4 Server Pool Monitoring Agent Commands

Command Description

agent [-v level] [-c path] [test [files]] [syntax [files]]

(Windows only) Allows you to test different configurations before activating them.
-v level Set the verbosity level. The default level is 5. Levels 6-8 are for debugging where available.
-c path Use the specified path as the first search directory for the configuration.
test [files] Run in the test mode - status queries do not receive a response. If you specify the files, they are used for reading the configuration instead of the default files. The output is directed to syslog or eventlog instead of the console where the command was run unless you use the -d option.
syntax [files] Check the syntax in the configuration file. If no files are specified, the default configuration files are checked.

sgagentd [-d] [-v level] [-c path] [test [files]] [syntax [files]]

(Linux only) Allows you to test different configurations before activating them.
-d Don’t fork as a daemon. All log messages are printed to stdout or stderr only.
-v level Set the verbosity level. The default level is 5. Levels 6-8 are for debugging where available.
-c path Use the specified path as the first search directory for the configuration.
test [files] Run in the test mode - status queries do not receive a response. If you specify the files, they are used for reading the configuration instead of the default files. The output is directed to syslog or eventlog instead of the console where the command was run unless you use the -d option.
syntax [files] Check the syntax in the configuration file. If no files are specified, the default configuration files are checked. The output is directed to syslog or eventlog instead of the console where the command was run unless you use the -d option.

sgmon [status|info|proto] [-p port] [-t timeout] [-a id] host

Sends a UDP query to the specified host and waits for a response until received, or until the timeout limit is reached. The request type can be defined as a parameter. If no parameter is given, status is requested. The commands are:
status - query the status.
info - query the agent version.
proto - query the highest supported protocol version.
-p port Connect to the specified port instead of the default port.
-t timeout Set the timeout (in seconds) to wait for a response.
-a id Acknowledge the received log messages up to the specified id. Each response message has an id, and you may acknowledge more than one message at a given time by using the id parameter. Note that messages acknowledged by sgmon will no longer appear in the firewall logs.
host The IP address of the host to connect to. To get the status locally, you may give localhost as the host argument. This parameter is mandatory.

APPENDIX B

DEFAULT COMMUNICATION PORTS

This chapter lists the default ports used in connections between SMC components and the default ports SMC components use with external components.

The following sections are included:

Security Management Center Ports (page 90)
Security Engine Ports (page 93)

Security Management Center Ports

The illustrations below present an overview of the most important default ports used in communications between the Security Management Center (SMC) components and from the SMC to external services. See the table below for a complete list of default ports.

Illustration B.1 Destination Ports for Basic Communications Within SMC
[Diagram not reproduced in this text version; the ports it labels are listed in Table B.1.]

Illustration B.2 Default Destination Ports for Optional SMC Components and Features
[Diagram not reproduced in this text version; the ports it labels are listed in Table B.1.]

The table below lists all default ports SMC uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference. For information on communications between SMC components and the engines, see the separate listings.

Table B.1 Security Management Center Default Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Additional Management Servers | 8902-8913/TCP | Management Server | Database replication (push) to the additional Management Server. | SG Control
Authentication Server | 8925-8929/TCP | Management Server | Security Management Server commands to Authentication Server. | SG Authentication Commands
Authentication Server node | 8988-8989/TCP | Authentication Server node | Data synchronization between Authentication Server nodes. | SG Authentication Sync
DNS server | 53/UDP, 53/TCP | Management Client, Management Server, Log Server | DNS queries. | DNS (UDP)
LDAP server | 389/TCP | Management Server | External LDAP queries for display/editing in the Management Client. | LDAP (TCP)
Log Server | 162/UDP, 5162/UDP | Monitored third-party components | SNMPv1 trap reception from third-party components. Port 162 is used if installed on Windows, port 5162 if installed on Linux. | SNMP (UDP)
Log Server | 514/TCP, 514/UDP, 5514/TCP, 5514/UDP | Monitored third-party components | Syslog reception from third-party components. Port 514 is used if installed on Windows, port 5514 if installed on Linux. | Syslog (UDP) [Partial match]
Log Server | 2055/UDP | Monitored third-party components | NetFlow or IPFIX reception from third-party components. Port 2055 is used in both Windows and Linux. | NetFlow (UDP)
Log Server | 3020/TCP | Authentication Server, Log Server, Web Portal Server, Security Engines | Alert sending from the Authentication Server, Log Server, and Web Portal Server. Log and alert messages; monitoring of blacklists, connections, status, and statistics from Security Engines. | SG Log
Log Server | 8914-8918/TCP | Management Client | Log browsing. | SG Data Browsing
Log Server | 8916-8917/TCP | Web Portal Server | Log browsing. | SG Data Browsing (Web Portal Server)
Management Server | 3021/TCP | Log Server, Web Portal Server | System communications certificate request/renewal. | SG Log Initial Contact
Management Server | 8902-8913/TCP | Management Client, Log Server, Web Portal Server | Monitoring and control connections. | SG Control
Management Server | 3023/TCP | Additional Management Servers, Log Server, Web Portal Server | Log Server and Web Portal Server status monitoring. Status information from an additional Management Server to the active Management Server. | SG Status Monitoring
Management Server | 8903, 8907/TCP | Additional Management Servers | Database replication (pull) to the additional Management Server. | SG Control
Management Server | 8907/TCP | Authentication Server | Status monitoring. | SG Control
Monitored third-party components | 161/UDP | Log Server | SNMP status probing to external IP addresses. | SNMP (UDP)
RADIUS server | 1812/UDP | Management Server | RADIUS authentication requests for administrator logins. The default ports can be modified in the properties of the RADIUS Server element. | RADIUS (Authentication)
SMC servers | 443/TCP | Management Server | Update packages, engine upgrades, and licenses from update-pool.stonesoft.com and smc-pool.stonesoft.com. | HTTPS
Syslog server | 514/UDP, 5514/UDP | Log Server | Log data forwarding to syslog servers. The default ports can be modified in the LogServerConfiguration.txt file. | Syslog (UDP) [Partial match]
Third-party components | 2055/UDP | Log Server | NetFlow or IPFIX forwarding to third-party components. Port 2055 is used in both Windows and Linux. | NetFlow (UDP)

Table B.1 Security Management Center Default Ports (Continued)

Listening Host

Port/Protocol

Contacting Hosts Service Description Service Element

Name

92 Appendix B Default Communication Ports
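A practical check that follows from Table B.1 is to compare what a Log Server host is actually listening on against the defaults, remembering that the syslog and SNMP trap receivers use 514/162 on Windows but 5514/5162 on Linux. The script below is an added example, not code from the guide or from the product: it embeds a subset of the Log Server rows from Table B.1, parses constructed `ss -lntu` style output (sample data, not captured from a real host), and reports expected listeners that are missing and listeners that the table does not account for. The `allowed_extra` set is an assumption for services such as SSH that the table does not cover.

```python
"""Audit a Log Server host's listening sockets against the Table B.1 defaults.

Added example, not from the SMC guide. LOG_SERVER_LISTENERS is a subset of
Table B.1; SAMPLE_SS_OUTPUT is constructed sample data in `ss -lntu` format.
"""
import re

# (protocol, port) pairs the Log Server listens on, keyed by host OS, because
# the syslog and SNMP trap receivers bind different ports on Windows and Linux.
LOG_SERVER_LISTENERS = {
    "linux": {
        ("udp", 5162),                      # SNMPv1 trap reception (Linux)
        ("tcp", 5514), ("udp", 5514),       # Syslog reception (Linux)
        ("udp", 2055),                      # NetFlow / IPFIX reception
        ("tcp", 3020),                      # SG Log
        *(("tcp", p) for p in range(8914, 8919)),  # SG Data Browsing
    },
    "windows": {
        ("udp", 162),                       # SNMPv1 trap reception (Windows)
        ("tcp", 514), ("udp", 514),         # Syslog reception (Windows)
        ("udp", 2055),
        ("tcp", 3020),
        *(("tcp", p) for p in range(8914, 8919)),
    },
}

# Constructed sample: a Linux Log Server that also has SSH up, an unexpected
# UDP 514 listener, and no NetFlow receiver on UDP 2055.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:5162        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5514        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5514        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3020        0.0.0.0:*
tcp   LISTEN 0      128    [::]:8914           [::]:*
tcp   LISTEN 0      128    [::]:8915           [::]:*
tcp   LISTEN 0      128    [::]:8916           [::]:*
tcp   LISTEN 0      128    [::]:8917           [::]:*
tcp   LISTEN 0      128    [::]:8918           [::]:*
"""

# Netid, State, Recv-Q, Send-Q, then "local-address:port" followed by whitespace.
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(output):
    """Return the set of (protocol, port) listeners found in `ss -lntu` output."""
    found = set()
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if m:
            found.add((m.group(1), int(m.group(3))))
    return found


def audit(found, os_name, allowed_extra=frozenset()):
    """Compare found listeners with the Table B.1 defaults for the given OS.

    Returns (missing, unexpected) as sorted lists of (protocol, port).
    """
    expected = LOG_SERVER_LISTENERS[os_name]
    missing = sorted(expected - found)
    unexpected = sorted(found - expected - allowed_extra)
    return missing, unexpected


if __name__ == "__main__":
    listeners = parse_ss(SAMPLE_SS_OUTPUT)
    missing, unexpected = audit(listeners, "linux", frozenset({("tcp", 22)}))
    print("missing expected listeners:", missing)
    print("listeners not in Table B.1:", unexpected)
```

On a real host, feed the script the output of `ss -lntu` and pass `"windows"` or `"linux"` according to where the Log Server was installed; a listener on port 514 on a Linux Log Server, as in the sample, points at another syslog daemon competing for the port rather than at the Log Server's own receiver.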


Security Engine Ports

The illustrations below present an overview of the most important default ports used in communications between Security Engines and the SMC and between clustered Security Engine nodes. See the table below for a complete list of default ports for the engines.

Illustration B.3 Destination Ports for Basic Security Engine Communications

[Illustration not reproduced. It shows the destination ports of the basic engine communications listed in Table B.2: Security Engine / Master Engine to Log Server, TCP 3020; Security Engine / Master Engine to Management Server, TCP 3021, 3023 and 8906*; Management Server to Security Engine / Master Engine, TCP 636, 4950, 4987, 8888, or none*; between the other nodes in the cluster, TCP 3002, 3003, 3010 and UDP 3000, 3001 (multicast on the heartbeat interfaces).]

*Single engines with "Node-initiated Contact to Management Server" selected.

Illustration B.4 Default Destination Ports for Security Engine Service Communications

[Illustration not reproduced. It shows the default destination ports of the services the Security Engine / Master Engine contacts, as listed in Table B.2: Server Pool* UDP 7777; DNS Server TCP and UDP 53; LDAP Server* TCP 389, 636; RADIUS Server* UDP 1812, 1645; TACACS+ Server* TCP 49; DHCP Server* UDP 67 (replies reach the engine on UDP 68); SNMP Server UDP 162 for traps (the SNMP server polls the engine on UDP 161); RPC Server* TCP and UDP 111; VPN Clients* and VPN Gateways* UDP 500, 2746, 4500; User Agent* TCP 16661.]

* Engines in the Firewall/VPN role.

Note – Master Engines use the same default ports as clustered Security Engines. Virtual Security Engines do not communicate directly with other system components.


The table below lists all default ports the Security Engines use internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference.

Table B.2 Security Engine and Master Engine Default Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Anti-virus signature server | 80/TCP | Firewall | Anti-virus signature update service. | HTTP
Authentication Server | 8925-8929/TCP | Firewall, Master Engine | User directory and authentication services. | LDAP (TCP), RADIUS (Authentication)
BrightCloud Server | 2316/TCP | Firewall, Layer 2 Firewall, IPS, Master Engine | BrightCloud URL filtering update service. | BrightCloud update
DHCP server | 67/UDP | Firewall | Relayed DHCP requests and requests from a firewall that uses a dynamic IP address. | BOOTPS (UDP)
DNS server | 53/UDP, 53/TCP | Firewall, Master Engine | Dynamic DNS updates. | DNS (TCP)
Firewall | 67/UDP | Any | DHCP relay on firewall engine. | BOOTPS (UDP)
Firewall | 68/UDP | DHCP server | Replies to DHCP requests. | BOOTPC (UDP)
Firewall, Master Engine | 500/UDP | VPN clients, VPN gateways | VPN negotiations, VPN traffic. | ISAKMP (UDP)
Firewall, Master Engine | 636/TCP | Management Server | Internal user database replication. | LDAPS (TCP)
Firewall, Master Engine | 2543/TCP | Any | User authentication (Telnet) for Access rules. | SG User Authentication
Firewall | 2746/UDP | McAfee VPN gateways | UDP encapsulated VPN traffic (engine versions 5.1 and lower). | SG UDP Encapsulation
Firewall, Master Engine | 4500/UDP | VPN client, VPN gateways | VPN traffic using NAT-traversal. | NAT-T
Firewall Cluster Node, Master Engine cluster node | 3000-3001/UDP, 3002-3003, 3010/TCP | Firewall Cluster Node, Master Engine cluster node | Heartbeat and state synchronization between clustered Firewalls. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
Firewall, Layer 2 Firewall, IPS, Master Engine | 4950/TCP | Management Server | Remote upgrade. | SG Remote Upgrade
Firewall, Layer 2 Firewall, IPS, Master Engine | 4987/TCP | Management Server | Management Server commands and policy upload. | SG Commands
Firewall, Layer 2 Firewall, IPS | 8888/TCP | Management Server | Connection monitoring for engine versions 5.1 and lower. | SG Legacy Monitoring
Firewall, Layer 2 Firewall, IPS, Master Engine | 15000/TCP | Management Server, Log Server | Blacklist entries. | SG Blacklisting
Firewall, Layer 2 Firewall, IPS, Master Engine | 161/UDP | SNMP server | SNMP monitoring. | SNMP (UDP)
IPS Cluster Node | 3000-3001/UDP, 3002-3003, 3010/TCP | IPS Cluster Node | Heartbeat and state synchronization between clustered IPS engines. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
LDAP server | 389/TCP | Firewall, Master Engine | External LDAP queries, including StartTLS connections. | LDAP (TCP)
Layer 2 Firewall Cluster Node | 3000-3001/UDP, 3002-3003, 3010/TCP | Layer 2 Firewall Cluster Node | Heartbeat and state synchronization between clustered Layer 2 Firewalls. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
Log Server | 3020/TCP | Firewall, Layer 2 Firewall, IPS, Master Engine | Log and alert messages; monitoring of blacklists, connections, status, and statistics. | SG Log
Management Server | 3021/TCP | Firewall, Layer 2 Firewall, IPS, Master Engine | System communications certificate request/renewal (initial contact). | SG Initial Contact
Management Server | 3023/TCP | Firewall, Layer 2 Firewall, IPS, Master Engine | Monitoring (status) connection. | SG Status Monitoring
Management Server | 8906/TCP | Firewall, Layer 2 Firewall, IPS | Management connection for single engines with "Node-Initiated Contact to Management Server" selected. | SG Dynamic Control
RADIUS server | 1812, 1645/UDP | Firewall, Master Engine | RADIUS authentication requests. | RADIUS (Authentication), RADIUS (Old)
RPC server | 111/UDP, 111/TCP | Firewall, Master Engine | RPC number resolve. | SUNRPC (UDP), Sun RPC (TCP)
Server Pool Monitoring Agents | 7777/UDP | Firewall, Master Engine | Polls to the servers' Server Pool Monitoring Agents for availability and load information. | SG Server Pool Monitoring
SNMP server | 162/UDP | Firewall, Layer 2 Firewall, IPS, Master Engine | SNMP traps from the engine. | SNMP Trap (UDP)
TACACS+ server | 49/TCP | Firewall, Master Engine | TACACS+ authentication requests. | TACACS (TCP)
User Agent | 16661/TCP | Firewall, Master Engine | Queries for matching Users and User Groups with IP addresses. | SG Engine to User Agent
VPN gateways | 500/UDP, 2746/UDP (McAfee gateways only), or 4500/UDP | Firewall, Master Engine | VPN traffic. Ports 2746 and 4500 may be used depending on encapsulation options. | ISAKMP (UDP)
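Tables B.1 and B.2 together define which host is allowed to contact which SMC port, and that is exactly the information a host firewall in front of the SMC should enforce so that, for example, an engine address can reach SG Log and SG Initial Contact but not the SG Control ports used by administrators. The script below is an added example, not code from the guide or from the product. It encodes a subset of the Table B.1 and B.2 rows for a Linux host that runs the Management Server and the Log Server together, assumes a single Management Server with no Web Portal Server or Authentication Server (so the ports those components contact stay closed), and emits iptables commands. The address groups `engines`, `admin_clients` and `syslog_sources` and the CIDR blocks in the test data are placeholders to replace with the real deployment's addresses.

```python
"""Host-firewall allowlist for a Linux host running the Management Server and
the Log Server together, derived from Table B.1 / B.2 rows.

Added example, not the SMC guide's or the product's own code. The address
groups are placeholders; the deployment assumed has a single Management
Server and no Web Portal Server or Authentication Server.
"""

# (protocol, (first_port, last_port), contacting address group, Service element)
SMC_INBOUND = [
    # Management Server listeners
    ("tcp", (3021, 3021), "engines", "SG Initial Contact"),
    ("tcp", (3023, 3023), "engines", "SG Status Monitoring"),
    ("tcp", (8906, 8906), "engines", "SG Dynamic Control"),
    ("tcp", (8902, 8913), "admin_clients", "SG Control"),
    # Log Server listeners; syslog and SNMP trap ports are the Linux defaults
    ("tcp", (3020, 3020), "engines", "SG Log"),
    ("tcp", (8914, 8918), "admin_clients", "SG Data Browsing"),
    ("udp", (5514, 5514), "syslog_sources", "Syslog (UDP) Linux port"),
    ("tcp", (5514, 5514), "syslog_sources", "Syslog (TCP) Linux port"),
    ("udp", (5162, 5162), "syslog_sources", "SNMP trap Linux port"),
]

# Sources that would turn an allowlist into an open port; refuse them.
WILDCARD_SOURCES = {"0.0.0.0/0", "::/0", "any"}


def iptables_rules(groups, rows=SMC_INBOUND):
    """Return iptables INPUT-chain commands: one ACCEPT per (source, port row),
    a loopback accept for the co-located Log Server, and a final DROP.

    `groups` maps an address-group name to a list of CIDR strings.
    Raises ValueError if any group contains a wildcard source.
    """
    for name, sources in groups.items():
        bad = WILDCARD_SOURCES.intersection(sources)
        if bad:
            raise ValueError(f"group {name!r} contains wildcard source {sorted(bad)}")

    lines = [
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",  # Log Server -> Management Server on the same host
    ]
    for proto, (first, last), group, comment in rows:
        ports = str(first) if first == last else f"{first}:{last}"
        for src in groups[group]:
            lines.append(
                f"iptables -A INPUT -p {proto} -s {src} --dport {ports} "
                f'-m comment --comment "{comment}" -j ACCEPT'
            )
    lines.append("iptables -A INPUT -j DROP")
    return lines


def allowed_sources(rows, proto, port):
    """Audit helper: which address groups may reach a given listening port."""
    return sorted({group for p, (first, last), group, _ in rows
                   if p == proto and first <= port <= last})


if __name__ == "__main__":
    # Placeholder address groups, not real deployment data.
    example_groups = {
        "engines": ["10.0.1.0/24"],
        "admin_clients": ["10.0.2.10/32"],
        "syslog_sources": ["10.0.3.0/24"],
    }
    for rule in iptables_rules(example_groups):
        print(rule)
    print("tcp/8907 reachable from:", allowed_sources(SMC_INBOUND, "tcp", 8907))
```

The design point is that the engine group never appears on the SG Control or SG Data Browsing rows, so a compromised engine address cannot open a management session, and the Windows-only ports 514 and 162 are simply absent from a Linux host's allowlist. If the deployment adds a Web Portal Server, an Authentication Server or additional Management Servers, the corresponding Table B.1 rows (3020, 3023, 8903, 8907 and 8916-8917 with their contacting hosts) have to be added to `SMC_INBOUND` rather than opened to everyone.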


INDEX

A
additional management servers, 34–36
authentication servers
    contact addresses for, 50
    installing, 25

B
binding licenses, 30

C
checksums, 15
command line installation
    see non-graphical installation
command line tools, 67
commands
    for engines, 79
    for log servers, 68
    for management servers, 68
compatibility with different platforms, 14
contact addresses, 47–51
    exceptions, 50–51
contact information, 10

D
database user accounts, 22
date and time settings, 14
demo mode
    installing in, 26
documentation
    support documentation, 10

E
exceptions to contact addresses, 50–51

F
file integrity, 15
fingerprints
    of certificate authorities, 28
    of certificates, 28, 76
firewalls
    commands for, 79

G
generating server certificates, 32

H
hardware requirements, 10
hosts files, 14

I
installation files, 15
    creating DVDs of, 15
integrity of files, 15
IPS engines
    commands for, 79

J
java web start, 43–46

L
layer 2 firewalls
    commands for, 79
licenses, 16
    binding, 30
    checking, 29, 58
    installing, 29, 58
    retained, 30
    upgrading, 16, 57–58
linux for security management center, 20
locations, 47–51
log servers
    contact addresses for, 50
    installing, 24
    starting, 30

M
management clients
    configuration files for, 64
    installing, 20, 43–46
    installing using web start, 44–46
    logging in, 28
    setting locations, 51
    starting, 27
    web start management clients, 46
management servers
    contact addresses for, 50
    database user accounts, 22
    installing, 22–23
    POL-bound licenses, 30
    starting, 27
master engines
    commands for, 79
mcafee NGFW solution, 12
MD5 checksums, 15

N
NAT (network address translation), 47–51
    locations, 47–51
non-graphical installation, 37–41

O
overview of the installation, 13

P
planning installation, 11–16
platforms supported, 14
ports, 89

R
release notes, 10
requirements for hardware, 10
retained licenses, 30

S
security management center
    components, 12
    installing, 19–41
    upgrading, 59
servers
    additional management servers, 34–36
    authentication servers, 25
    certifying, 32
    log servers, 24
    management servers, 22–23
    starting manually, 31
    web portal servers, 24
sgadmin user accounts, 20
SHA-1 checksums, 15
starting
    log servers, 30
    management clients, 27
    management servers, 27
    servers manually, 31
    web portal servers, 30
supported platforms, 14
system architecture, 12
system requirements, 10

T
typographical conventions, 8

U
uninstalling, 63–64
upgrading, 55–60
    licenses, 57–58
    security management center, 59

V
virtual security engines
    commands for, 79

W
web portal servers
    installing, 24
    starting, 30
web start, 43–46
    enabling web start servers, 44–45
web start files
    creating manually, 45–46


Copyright © 2014 McAfee, Inc. Do not copy without permission.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.