nsp admin domain configuration 5.1

Upload: donald-lucero

Post on 06-Apr-2018


  • 8/3/2019 NSP Admin Domain Configuration 5.1

    1/52

    Administrative Domain Configuration Guide
    revision 4.0

    McAfee

    Network Protection
    Industry-leading network security solutions

    McAfee Network Security Platform
    Network Security Manager
    version 5.1


    COPYRIGHT

    Copyright 2001 - 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARKS

    ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    LICENSE AND PATENT INFORMATION

    License Agreement

    NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    License Attributions

    This product includes or may include:

    * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by

    Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses

    which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for

    any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such

    software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software

    program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by

    Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by

    Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at

    www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *

    Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,

    Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by

    Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the

    University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,

    California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by

    Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted

    by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham

    Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python

    Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman

    Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone

    Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab

    (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of

    California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/). * Software

    copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,

    2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *

    Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software

    copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See

    http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002. * Software copyrighted by

    Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi ([email protected]), (C) 1999, 2000. *

    Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen

    Cleary ([email protected]), (C) 2000. * Software copyrighted by Housemarque Oy, (C) 2001. * Software copyrighted by Paul Moore, (C)

    1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter

    Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *

    Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by

    Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software

    copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)

    2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software

    contributed to Berkeley by Chris Torek.

    Issued APRIL 2009 / Administrative Domain Configuration Guide 700-1806-00 / 4.0 - English


    Contents

    Preface
      Introducing McAfee Network Security Platform
      About this guide
      Audience
      Conventions used in this guide
      Related documentation
      Contacting Technical Support
    Chapter 1 Configuring administrative domains
      Child domains
    Chapter 2 Configuring and managing admin domains
      Viewing the details of an admin domain
      Managing admin domains
        Creating an admin domain
      Editing child domain configurations
        Changing the root admin domain name
      Deleting an admin domain
    Chapter 3 Managing users and user roles
      Managing users
        Adding a user
        Editing users
        Changing the default administrator
        Deleting users
      Defining roles
        Super User Privileges
        Managing user roles
        Assigning a role to a user in a domain
      Creating custom roles
      Viewing your user account information
    Chapter 4 Managing system information logs
      Viewing and exporting Manager activity log
        Viewing log information
        Exporting log information
      Generating a user activity audit
      Managing long running processes
        Viewing long running processes
      Viewing messages from McAfee
    Chapter 5 Setting up fault notifications
      Viewing fault notification details
      Forwarding faults to an SNMP server
        Modifying or deleting SNMP forwarder settings
      Forwarding faults to a Syslog server
      Managing fault notification
      Sending alerts to an email or pager
      Specifying script parameters for fault notification
    Index


    McAfee Network Security Platform 5.1 Preface

    Preface

    This preface provides a brief introduction to the product, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

    Introducing McAfee Network Security Platform

    McAfee Network Security Platform [formerly McAfee IntruShield] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC) and network Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

    McAfee Network Security Platform combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

    What do you want to do?

    Learn more about McAfee Network Security Platform components.

    Learn how to Get Started.

    Learn about the Home page and interaction with the Manager interface.

    About this guide

    The Administrative Domain Configuration Guide provides conceptual and procedural information on how to use the McAfee Network Security Manager [formerly McAfee IntruShield Security Manager] to maintain admin domains and other related setups. Note that this guide explains admin domains at a high level. For admin domain concepts, see Getting Started Guide.

    The following are some of the tasks discussed in this Guide:

    Managing the root and child admin domains in your Network Security Platform installation.

    Managing the Alert Filters for an admin domain.

    Managing alert and fault notification setup for an admin domain.

    Managing the users in an admin domain.

    Configuring TACACS+ servers for the McAfee Network Security Sensors [formerly McAfee IntruShield Sensors] in an admin domain.

    Managing NMS users and IP addresses for the McAfee Network Security Sensors (Sensors) in an admin domain.

    This guide explains how to perform the above-mentioned tasks using the Configuration page of McAfee Network Security Manager (Manager). For a detailed description of the Configuration page and information on how to use this page, see Manager Configuration Basics Guide.

    Audience

    This guide is intended for use by network technicians and maintenance personnel who are responsible for installing, configuring, and maintaining Manager and Sensors, but who are not necessarily familiar with IPS-related tasks, the relationship between tasks, or the commands necessary to perform particular tasks.

    Conventions used in this guide

    This document uses the following typographical conventions:

    | Convention | Example |
    |---|---|
    | Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font. | The Service field on the Properties tab specifies the name of the requested service. |
    | Menu or action group selections are indicated using a right angle bracket. | Select My Company > Admin Domain > Summary. |
    | Procedures are presented as a series of numbered steps. | 1. In the Resource Tree, select NAC Settings. |
    | Names of keys on the keyboard are denoted using UPPER CASE. | Press ENTER. |
    | Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font. | Type: setup and then press ENTER. |
    | Variable information that you must type based on your specific situation or environment is shown in italics. | Type: Sensor-IP-address and then press ENTER. |
    | Parameters that you must supply are shown enclosed in angle brackets. | set Sensor ip |
    | Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation. | Caution: |
    | Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation. | Warning: |
    | Notes that provide related, but non-critical, information are denoted using this notation. | Note: |

    Related documentation

    The following documents and on-line help are companions to this guide. Refer to Quick Tour for more information on these guides.

    Quick Tour

    Manager Installation Guide

    4.1 to 5.1 Upgrade Guide

    Getting Started Guide

    IPS Deployment Guide

    Manager Configuration Basics Guide

    Manager Server Configuration Guide

    Sensor CLI Guide

    Sensor Configuration Guide

    IPS Configuration Guide

    NAC Configuration Guide

    Integration Guide

    System Status Monitoring Guide

    Reports Guide

    User-Defined Signatures Guide

    Central Manager Administrator's Guide

    Best Practices Guide

    Troubleshooting Guide

    I-1200 Sensor Product Guide

    I-1400 Sensor Product Guide

    I-2700 Sensor Product Guide

    I-3000 Sensor Product Guide

    I-4000 Sensor Product Guide

    I-4010 Sensor Product Guide

    M-8000 Sensor Product Guide

    M-6050 Sensor Product Guide

    M-3050/M-4050 Sensor Product Guide

    M-2750 Sensor Product Guide


    M-1250/M-1450 Sensor Product Guide

    N-450 Sensor Product Guide

    Gigabit Optical Fail-Open Bypass Kit Guide

    Gigabit Copper Fail-Open Bypass Kit Guide

    Special Topics Guide: In-line Sensor Deployment

    Special Topics Guide: Sensor High Availability

    Special Topics Guide: Virtualization

    Special Topics Guide: Denial-of-Service

    Contacting Technical Support

    If you have any questions, contact McAfee for assistance:

    Online

    Contact McAfee Technical Support http://mysupport.mcafee.com.

    Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

    Phone

    Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page (http://www.mcafee.com/us/about/contact/index.html).

    Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.


    CHAPTER 1

    Configuring administrative domains

    An administrative domain, or admin domain for short, is an organizational tool used specifically to group McAfee Network Security Platform [formerly McAfee IntruShield] resources so that you can delegate resource management to specific McAfee Network Security Platform users. An admin domain can contain other admin domains, Devices, and Device interfaces.

    Administrative domains enable enterprises to create a central authority that is responsible for the overall Network Security Platform system, and to allow the central authority to delegate day-to-day security operations to the appropriate entities, such as business units, geographic regions, and individual security personnel.

    The top level admin domain is called the root admin domain. Users with Super User access to the root admin domain have complete control over the entire administrative domain and all resources within it, including any child domains, and thus all security resources in the system. To delegate management functions to entities within your organization, you would create a sub-domain (of the root or other parent domain) representing each entity or department. These sub-domains are called child admin domains or child domains.

    In McAfee Network Security Manager [formerly McAfee IntruShield Security Manager], the functions that you can perform at the admin domain level are as follows:

    Configuring and managing admin domains (on page 4): enables you to view details of admin domains and create child admin domains

    Managing users and user roles (on page 11): enables the creation of users for various administrative functions

    Viewing system information logs (on page 25): enables a privileged admin to create audits and logs to view system information

    Setting up fault notifications (on page 33): allows you to send system fault information to third-party machines such as SNMP servers and Syslog servers.

    Figure 1: Admin Domain tab

    Child domains

    Creating child domains enables you to delegate, monitor, and/or configure the McAfee Network Security Sensors [formerly McAfee IntruShield Sensors] in that sub-domain to entities more familiar with the sub-domain's environment. You are not required to subdivide your admin domains into child domains; however, if you want to delegate responsibilities for managing Network Security Platform resources among multiple individuals within your organization, you do so by creating child domains. To delegate responsibilities, you create child admin domains and user accounts, giving each user a role that defines how the user can interact with the resources in the child admin domain.

    For example, suppose you manage three McAfee Network Security Sensors (Sensors). You can create a child domain and allocate a single port (1A) from one of your Sensors to that domain. You can create a user and assign that person a Super User role in only that domain; that user has no role in the root domain, and therefore cannot see or configure root domain resources. The child domain's Super User has been delegated full management responsibilities for the allocated interface.

    Note: For more information on roles, see Roles (on page 15).

    A user's role determines his/her view of the Resource Tree; only resources the user is permitted to view are displayed in the tree. In the figure below, if a user is a Super User of the HR admin domain, the Resource Tree shows the HR domain at the top of the tree and all of its children; it does not display the root admin domain nor any other child domains of the root.

    A child admin domain, such as HR, in the left side of the figure below, can have other child admin domains created within, as seen with the child domain HR SF. Any domain with child domains is a parent; thus, a child domain can be a parent to other child domains. When you create a child domain you can enable or disable it to be a parent for other domains (enabled by default). The root can always have child domains.

    Figure 2: Root and Child Domains - Super User View


    | Item | Description |
    |---|---|
    | 1 | Root admin domain, parent domain of HR and QA |
    | 2 | Child domain of My Company, parent of HR SF |
    | 3 | Child domain of HR |
    | 4 | Child domain of My Company |

    You configure admin domain node names, including that of the root, during domain creation. In the previous example, the HR and QA admin domains were created under the root domain; HR SF was created under the HR domain node.

    It is important to understand the relationship between parent and child admin domains because child admin domains inherit policies from parent admin domains, and users inherit the same privileges in the child domains as enabled by their roles in the parent domain.

    Note: Throughout this guide, named admin domain instances are represented as Admin-Domain-Name >. In the above figure, the root Admin-Domain-Name is My Company, which is the default root Admin-Domain-Name.
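The role inheritance and Resource Tree visibility rules described above can be modelled to audit how far a single role assignment reaches. This Python model is an added example, not McAfee code or a Manager API; the class, method and user names (AdminDomain, RoleAssignments, root_admin, hr_admin) are hypothetical, and disabling HR SF as a parent is a constructed setting.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass(eq=False)  # identity hashing, so domains can be used as dict keys
class AdminDomain:
    name: str
    parent: Optional["AdminDomain"] = field(default=None, repr=False)
    can_be_parent: bool = True  # per the guide: enabled by default
    children: List["AdminDomain"] = field(default_factory=list, repr=False)

    def add_child(self, name: str, can_be_parent: bool = True) -> "AdminDomain":
        # The root can always have children; other domains only if enabled.
        if self.parent is not None and not self.can_be_parent:
            raise PermissionError(f"{self.name!r} is not allowed to have child domains")
        child = AdminDomain(name, parent=self, can_be_parent=can_be_parent)
        self.children.append(child)
        return child

    def lineage(self) -> Iterator["AdminDomain"]:
        """Yield this domain, then each ancestor up to the root."""
        node: Optional[AdminDomain] = self
        while node is not None:
            yield node
            node = node.parent

    def subtree(self) -> Iterator["AdminDomain"]:
        """Yield this domain and all of its descendants, parents first."""
        yield self
        for child in self.children:
            yield from child.subtree()


class RoleAssignments:
    """Roles assigned directly in a domain, plus what they imply below it."""

    def __init__(self) -> None:
        self._direct: Dict[Tuple[str, AdminDomain], Set[str]] = {}

    def assign(self, user: str, domain: AdminDomain, role: str) -> None:
        self._direct.setdefault((user, domain), set()).add(role)

    def effective_roles(self, user: str, domain: AdminDomain) -> Set[str]:
        # A role held in a parent domain also applies in its child domains.
        roles: Set[str] = set()
        for node in domain.lineage():
            roles |= self._direct.get((user, node), set())
        return roles

    def resource_tree(self, user: str, root: AdminDomain) -> List[str]:
        # Only domains where the user holds some role are displayed.
        return [d.name for d in root.subtree() if self.effective_roles(user, d)]

    def reach_report(self, root: AdminDomain) -> Dict[str, List[str]]:
        """Audit view: every user mapped to the domains they can act on."""
        users = sorted({user for (user, _domain) in self._direct})
        return {user: self.resource_tree(user, root) for user in users}


def build_example():
    """Domain layout from the guide's figure; users are constructed."""
    root = AdminDomain("My Company")
    hr = root.add_child("HR")
    hr_sf = hr.add_child("HR SF", can_be_parent=False)  # constructed setting
    qa = root.add_child("QA")
    roles = RoleAssignments()
    roles.assign("root_admin", root, "Super User")
    roles.assign("hr_admin", hr, "Super User")
    return root, hr, hr_sf, qa, roles


if __name__ == "__main__":
    root, hr, hr_sf, qa, roles = build_example()
    for user, visible in roles.reach_report(root).items():
        print(f"{user}: {visible}")
```

The report makes the delegation trade-off visible: a role granted at the root reaches every domain, while the same role granted at HR reaches only HR and HR SF.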


    CHAPTER 2

    Configuring and managing admin domains

    The functions that you can perform under Admin Domain are as follows:

    View details of admin domains

    Create/edit/delete admin domains

    Viewing the details of an admin domain

    The Summary action displays the currently configured information for the selected admin domain. To edit the admin domain information, see Editing child domain configurations (on page 8).

    Note: In the IPS mode and IPS with NAC mode, two additional fields are displayed in the Summary page: Default IPS Policy and Default Reconnaissance Policy.

    Managing admin domains

    You can use the Admin Domains action to:

    Create an admin domain (on page 4)

    Editing child admin domain configurations (on page 8)

    Change the root admin domain name (on page 9)

    Delete an admin domain (on page 10)

    Creating an admin domain

    The procedure for creating an admin domain is the same for a domain created under the root or a domain created under a child of the root, and so on. You can create up to four levels of child domains under an admin domain. During child domain creation, you have the option of delegating McAfee Network Security Sensor (Sensor) interfaces from the parent for management by the child.

    If you do not want at this time to allocate interfaces or allow Sensor addition, you may enable these options later. See Editing child admin domain configurations (on page 8).


    To create an admin domain

    1 From the Resource Tree, select the domain to which you want to add a child domain and then click Admin Domains.

    Figure 3: Admin Domains List

    2 Click Add.

    3 Type the required information. The red asterisks (*) denote required fields.

    Figure 4: Add Admin Domain Dialog


    | Field | Description |
    |---|---|
    | Admin Domain Name | Enter a unique name for identifying the domain. For an enterprise, naming your domain after the specific network segment, department, or building is suggested: HR, Finance, Bldg1, Bldg1-Floor2. |
    | Contact Person Name | Enter the name of the person responsible for the domain. This person should be someone who can be reached in case of emergency or other domain questions. |
    | Email Address | The email address of the Contact Person. |

    The following fields set restrictions on the child admin domain being created:

    | Field | Description |
    |---|---|
    | Child Admin Domains Allowed | If you select this check box, the administrator of the domain you are currently creating can create child admin domains for the domain. If you create a child admin domain and disallow the creation of further child admin domains, the new child domain cannot have its own children due to rule inheritance. |
    | Add Sensor Allowed | If you select this check box, the administrator of the domain you are currently creating can add, edit, or delete physical Sensors. Otherwise, the domain is only permitted interface or sub-interface resources as allocated in Step 5. If you create a child admin domain and disallow the adding of physical Sensors, any children of the new child domain are also disallowed from adding physical Sensors due to rule inheritance. |


    4 For the IPS mode and IPS with NAC mode, two additional fields are displayed: Default IPS Policy and Default Reconnaissance Policy.

    | Field | Description |
    |---|---|
    | Default IPS Policy | Sets the default IPS Policy to be inherited by child admin domain resources. Several pre-configured policies are provided that encompass different network environments. |
    | Default Reconnaissance Policy | Sets the default Reconnaissance policy to be inherited by child admin domains. |

    5 Click Save.

    Figure 5: Unallocated Interface List

    6 Select a Sensor from the drop-down list to allocate interfaces/sub-interfaces to the childdomain. You can allocate interfaces/sub-interfaces from one or more Sensors.

    7 Select an interface/sub-interface from the chosen Sensor.

    8 Click Allocate. You may only select one interface from one Sensor at a time.

    Note: VLAN and CIDR VIDS are not supported on N-450 Sensors.

    For CIDR and VLAN interfaces, you can allocate one or more IDs to a child admin domain. For CIDR, you can allocate CIDR IP addresses that you have not already entered into the interface, as long as these addresses are within the CIDR network address you specified. For example, in the following figure, you could allocate 192.168.0.0/24, or you could enter an address such as 192.168.0.1 at IP Address and a Mask Length of 32, click Add To List, then Add to allocate this division of interface 3B to the new domain.

    Note 1: The CIDR IP address field now enables you to enter IPv4 addresses in 4 different fields separated with dots. You can enter the IP address value in the corresponding fields.

    Note 2: The maximum value in each field is 255. If you enter ., you are tabbed to the next field.


    Note 3: Only numerical values between 0-9 are allowed. Special characters are not allowed. Pressing tab after the last field tabs you to the select mask field.

    Figure 6: Allocate CIDR Blocks Dialog

    9 Repeat until you have allocated all the interfaces you require.

    Note: When viewing the new domain node in the Resource Tree, the Sensor_Name node(s) is not available for configuration, just the allocated interface/sub-interface node(s).

    10 Click Finish in the Unallocated Interface List page. The child admin domain you created appears at the bottom of the resource list of the domain in which it was created.
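
    The CIDR allocation rule and the field notes in this procedure (four numeric fields, each at most 255, and allocation only inside the interface's CIDR network) can be expressed as a pre-check before a block is handed to a child domain. This Python code is an added example, not part of the guide or of Manager. The function names, the 192.168.0.0/16 parent block for interface 3B, the existing HR allocation, and the overlap check against blocks already held by other child domains are assumptions.

```python
import ipaddress
from typing import List, Sequence, Tuple

# (child admin domain name, block it already holds)
Allocation = Tuple[str, ipaddress.IPv4Network]


def parse_cidr_fields(octets: Sequence[str], mask_length: str) -> ipaddress.IPv4Network:
    """Build a network from the four address fields plus the Mask Length field."""
    if len(octets) != 4:
        raise ValueError("an IPv4 address has exactly four fields")
    for text in (*octets, mask_length):
        # Notes 2 and 3: digits 0-9 only, no special characters.
        if not (text.isascii() and text.isdigit()):
            raise ValueError(f"{text!r}: only the digits 0-9 are allowed")
    if any(int(o) > 255 for o in octets):
        raise ValueError("the maximum value in each field is 255")
    if int(mask_length) > 32:
        raise ValueError("mask length must be between 0 and 32")
    address = ".".join(str(int(o)) for o in octets)
    # strict=True rejects host bits below the mask, e.g. 192.168.0.1/24.
    return ipaddress.IPv4Network(f"{address}/{int(mask_length)}", strict=True)


def is_valid_entry(octets: Sequence[str], mask_length: str) -> bool:
    """True when the typed fields form a well-formed IPv4 block."""
    try:
        parse_cidr_fields(octets, mask_length)
        return True
    except ValueError:
        return False


def check_allocation(
    candidate: ipaddress.IPv4Network,
    interface_blocks: Sequence[ipaddress.IPv4Network],
    already_allocated: Sequence[Allocation],
) -> List[str]:
    """Return the reasons a block should not be allocated; empty means it passes."""
    problems: List[str] = []
    # Rule from the guide: the block must lie within the interface's CIDR network.
    if not any(candidate.subnet_of(block) for block in interface_blocks):
        problems.append(f"{candidate} is outside the interface's CIDR network")
    # Assumed extra review check: the same addresses should not end up
    # under the control of two different child domains.
    for owner, block in already_allocated:
        if candidate.overlaps(block):
            problems.append(f"{candidate} overlaps {block} already allocated to {owner}")
    return problems


# Constructed sample data (not taken from the guide's figure).
INTERFACE_3B = [ipaddress.IPv4Network("192.168.0.0/16")]
ALLOCATED = [("HR", ipaddress.IPv4Network("192.168.0.0/24"))]

if __name__ == "__main__":
    for fields, mask in ((["192", "168", "0", "1"], "32"),
                         (["192", "168", "5", "0"], "24"),
                         (["10", "0", "0", "0"], "8")):
        net = parse_cidr_fields(fields, mask)
        print(net, check_allocation(net, INTERFACE_3B, ALLOCATED) or "ok")
```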

    Editing child domain configurations

    You can use the Admin Domains action to do the following:

    Edit the details of a selected domain.

    Note: The root is the only domain that can be edited from its own node. All child nodes under the root must be edited directly from the parent domain where the child was created.

    Allocate or remove interfaces to/from an existing child domain:

    You can allocate additional Sensor interfaces from the parent to the child. You have an opportunity to allocate interfaces to a child domain during child domain creation. However, if in the time after creating a child domain you decide to allocate more interfaces to the child, you must perform that task from the parent admin domain where the child was created.

    You can revoke (that is, remove) interfaces from the child admin domain. This must be performed from the parent domain where the child was created. Revoking an interface brings the interface back under full control of the parent domain; the child domain can then no longer configure the revoked interface.


    To edit a domain's details or allocate/revoke more interfaces to an existing child admin domain

    1 Select the appropriate (named) parent domain by navigating to Admin-Domain-Name > Admin Domain > Admin Domains.

    Figure 7: Admin Domains Tab

    2 Select the child domain to be edited from the parent's Admin Domains List table.

    3 Click Edit.

    4 Change any of the general information fields that require updating/editing in the Edit Admin Domain page.

    5 Click Next.

    Figure 8: Unallocated Interface List

    6 Do one of the following:

    Select a Sensor and an interface and then click Allocate to allocate more interfaces to the child domain.

    Select an already allocated interface and click Revoke to remove the interface(s) from the child domain.

    7 Click Finish.

    Changing the root admin domain name

    You can customize some of the settings of your root domain, including the name that appears in the Resource tree and subsequent system configuration navigations. Customizing the admin domain name enables you to more properly name the environment that is being protected.


    1 Select My Company > Admin Domain > Admin Domains.

    2 Select the root admin domain (My Company) from the Admin Domains List page in the McAfee Network Security Manager (Manager). For McAfee Network Security Central Manager (Central Manager) there is only one admin domain, whose details are displayed.

    3 Click Edit.

    4 Clear the Admin Domain Name and type your new domain name.

    5 Clear the Contact Person Name and type a name. This typically would be the Super User.

    6 Clear the Email Address and type a new email address.

    7 Optionally, change the fields that require updating/editing.

    8 Click Save. In the Resource Tree, the root domain name changes from My Company to the name you provided.

    Deleting an admin domain

    To delete an existing admin domain, do the following:

    1 Select Admin-Domain-Name > Admin Domain > Admin Domains.

    2 Select an admin domain from the Admin Domains List page.

    3 Click Delete and then click OK to confirm.

    Note: An admin domain with resources such as Sensors and interfaces cannot be deleted until all resources have been removed.


    CHAPTER 3

    Managing users and user roles

    McAfee Network Security Platform enables creation of users for various administrative functions. This enables selected entities (users/groups/business units) to manage specific domain resources.

    User management in the McAfee Network Security Platform environment consists of creating users and granting them privileges. Network security requires careful planning when creating users to ensure the integrity of the environment. All users must authenticate at McAfee Network Security Manager (Manager) login prior to performing any activities. The username and password are securely stored in the database with matching privilege rules. A class of user privileges, termed roles, determines the authorized activities of the various users in the system. Once a user logs in, Manager makes available activities based on the role. For more on roles, see Roles (on page 15). Roles promote the integrity of security configuration by not allowing universal access to every security resource deployed in the system.

    Figure 9: The Users Tab

    The User tab has the following actions:

    Manage Users (on page 11): Create, edit, and delete users.

    Manage Roles (on page 16): Assign roles to users within an existing admin domain.

    Manage My Account (on page 24): View the account information for the logged-in user.

    Managing users

    The Manage Users action enables the creation, editing, and deletion of users. The following subsections describe these functions:

    Adding a user (on page 12): Add a new user.

    Editing users (on page 14): Edit a previously created user entry.

    Changing the default administrator super user username/password (on page 14): Edit the default system username and password for system protection.


    Deleting users (on page 14): Delete a previously created user entry.

    Figure 10: User List

    Note: The User List only displays the users created within the current admin domain and any of its children. This list does not display users that were created in a higher admin domain level even if an administrator has a role in that higher admin domain regardless of role. If a user's name is not displayed, the viewing user needs to move to the admin domain level where the user was created in order to administer that user. Admin domain viewing is role dependent.

    Adding a user

    To add a new user and optionally assign a domain role, do the following:

    1 Select Admin-Domain-Name > Users > Users.

    2 Click Add.

    3 Fill in the required fields. The Password must be a minimum of eight (8) characters in length. Password parameters that can be used are as follows:

    26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)

    10 digits: 0 1 2 3 4 5 6 7 8 9

    32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /

    Note: If RADIUS or LDAP (Active Directory) authentication is enabled, you must also select the type of authentication to use for this new user.


    Figure 11: Add User Dialog

    4 For Authentication Type choose one of the following (if available):

    Local: authenticate locally on Manager

    LDAP: authenticate using an LDAP server. If you select this option, also type the LDAP User DN (distinguished name).

    Use the following format for the LDAP User DN:

    uid=userName,ou=People,dc=DomainName,dc=com

    If using Active Directory, use the following format:

    [email protected]

    cn=userName,ou=People,dc=DomainName,dc=com

    Use a valid DN, as LDAP authentication may not operate correctly without a valid DN. Consult with your system administrator to obtain the correct DN for your LDAP server.

    RADIUS: select one of the following RADIUS authentication protocols. If you select this option, also type a valid RADIUS ID, which will be used for authenticating your settings against the RADIUS server.

    RADIUS using PAP (Password Authentication Protocol)

    RADIUS using the CHAP (Challenge Handshake Authentication Protocol)

    RADIUS using the EAP-MD5 (Extensible Authentication Protocol-MD5)

    5 Click Save; click Cancel to abort.

    6 Answer the following prompt: The user created does not have any role. Do you wish to assign role now? Click Ok to assign a role. Click Cancel to save the user without an assigned role. You may want to wait to assign a role to a user if you have not yet determined what tasks you want the user to perform.

    Tip: For steps on assigning a domain role, see Assigning a role to a user in a domain (on page 17).


    7 Click Done. A table displays all users with roles in the current domain.

    8 Select Users > Users to view your newly added user.

    Editing users

    To edit an existing user, do the following:

    1 Select Admin-Domain-Name > Users > Users.

    2 Select a user.

    3 Click Edit.

    4 Type your changes in the appropriate fields.

    5 Click Save.

    Changing the default administrator

    You can change the default Super User username and password by performing the following steps:

    1 Select Admin-Domain-Name > Users > Users.

    2 Select the default Super User account from the User List table (Name: Administrator, Login ID: admin).

    3 Click Edit.

    4 (Optional) Type a new Login ID. This changes the name used for logging on to Manager.

    5 Type a new password at Password. This changes the password used for logging on to Manager.

    6 Re-type the password at Confirm Password.

    7 (Optional) Type a new User Name. This is simply for identification in the User List table.

    8 Type a valid Email address.

    9 (Optional) Type any other changes in the appropriate fields.

    10 Click Save to keep these changes and eliminate the default (admin/admin123) combination.

    Deleting users

    To delete an existing user account, do the following:

    1 Select Admin-Domain-Name > Users > Users.

    2 Select a user.

    3 Click Delete. A pop-up with the following message appears: You are about to permanently delete this record. Do you wish to continue?

    4 Click OK to delete the user record; click Cancel to abort.


    Defining roles

    A role is a group of actions that a user is allowed to perform within a given administrative domain. Network Security Platform provides role-based authorization to the users.

    Users authenticate themselves by logging into the Manager. For an admin domain, you can create users and assign roles to the users in the Manager. You can also create users in the child admin domains and assign roles to them.

    The role privilege indicates the actions that are allowed for a user assigned the particular role. Each role has role privileges with Read Write or Read Only (RW or RO) permissions. For example, Reports RW allows the user with that role to have Read and Write permissions for the Reports in the Manager.

    Note that users created for an admin domain are specific to that domain. But roles can be assigned to the users across domains. That is, you can assign a role to a user in one domain, and another role to the same user in the corresponding child domain.

    The following table lists the various role types along with the corresponding role description.

    Role: Description

    NAC Administrator: Administer the Network Access Control environment

    IPS Administrator: Administer the intrusion prevention environment

    Guest Portal Account Manager: Administer local Guest Portal user accounts

    NOC Operator: Monitor the security environment

    Report Generator: Run reports

    Security Expert: Administer the NAC and IPS environments

    System Administrator: Administer the Manager and the Device List

    Super User: Full rights. Super Users must manage themselves within the domain(s) they reside.

    No Role: The user cannot log on to Manager. This is the state when a user is first created but is yet to be assigned any role.

    Custom Roles

    Custom roles can be created in the Manager, and assigned to users. For more information, see Creating custom roles (on page 18).


    Super User Privileges

    Network Security Platform resources are governed by users with Super User access; a Super User is capable of configuring every resource and function in the system. Each shipped Manager is configured with one built-in Super User account, including a default password.

    A Super User is only limited by domain boundaries. Only the Super Users created at the root domain have full access; Super Users in a child domain only have Super User privileges in that domain and the subsequently added child domains.

    Caution: The default Super User account username is admin and password is admin123. We strongly recommend that you change the default Super User password for security purposes. Refer to the steps in Changing the default administrator super user username/password (on page 14).

    A Super User can be defined at any level, and the role applies to the current domain and all of its children but not for its parent or sibling domains.

    Managing user roles

    The Roles action enables a user administrator to assign roles to users within an existing admin domain. Adding a user to a domain requires the application of a role, or privilege, thus limiting a user's configuration abilities. Refer to Roles (on page 15), for information on roles and role types.

    Note: You must first create a user through the Users (on page 11) action before assigning a role.

    Figure 12: The Roles Tab


    Assigning a role to a user in a domain

    A role determines the actions a user can perform in a given domain. Roles enable task-specific actions to multiple users of your Network Security Platform security environment. As your security implementation grows, utilizing multiple users to perform the various role-based tasks can facilitate security management.

    A created user is not required to have a role. You can assign or remove a role to/from a user at any time. For more on roles, including role definitions, see Roles (on page 15).

    Note: A user granted a role in a parent admin domain inherits the same role in any child domains below the parent, unless the user's role is altered in a child domain.

    To assign a role to a user in a domain, do the following:

    1 Select Admin-Domain-Name > Users > Roles.

    2 Select a user in the User's Role table.

    3 Click Edit.

    4 View the user's role assignment(s) for all applicable domains in the Role Detail table. If no role has been assigned, this field is empty.

    Note 1: A user can have a different role in any or all admin domains regardless of the admin domain in which the user was created. If the user is to be granted a role in an admin domain higher than the one where created, then the administrator of that higher domain must assign that role. An administrator can only grant or deny roles in the admin domains where he/she has that privilege.

    5 Note 2: If a user has been allotted a Super User role at the parent and the child domain, the user should select a domain from the home page at the time of login. The home page displays a drop-down above the menu bar in such cases.

    6 Select the domain where the user is to have administration capabilities from the Domain Name drop-down list.

    7 Select the role(s) you want the user to have.

    8 Click Apply.
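
    The inheritance rules in this chapter can be modelled for an access review: a role granted in a parent domain carries into its child domains unless altered there, a Super User is bounded by the domain where the role was granted, and the Child Admin Domains Allowed and Add Sensor Allowed restrictions bind every descendant. This Python code is an added example, not McAfee code or a Manager API. The data model, the function names, and the users alice and bob are assumptions; the domain names follow the guide's naming suggestions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Optional, Tuple

NO_ROLE: FrozenSet[str] = frozenset()  # "No Role": the user cannot log on
# (user, domain name) -> roles explicitly assigned in that domain
Assignments = Dict[Tuple[str, str], FrozenSet[str]]


@dataclass(eq=False)  # identity comparison; avoids recursing through parent/children
class Domain:
    name: str
    parent: Optional["Domain"] = None
    child_domains_allowed: bool = True   # "Child Admin Domains Allowed"
    add_sensor_allowed: bool = True      # "Add Sensor Allowed"
    children: List["Domain"] = field(default_factory=list)

    def chain(self) -> Iterator["Domain"]:
        """Yield this domain, then each ancestor up to the root."""
        node: Optional[Domain] = self
        while node is not None:
            yield node
            node = node.parent

    def subtree(self) -> Iterator["Domain"]:
        """Yield this domain and all of its descendants, parents first."""
        yield self
        for child in self.children:
            yield from child.subtree()

    def effective(self, flag: str) -> bool:
        """A restriction set on any ancestor also binds every descendant."""
        return all(getattr(d, flag) for d in self.chain())

    def add_child(self, name: str, *, child_domains_allowed: bool = True,
                  add_sensor_allowed: bool = True) -> "Domain":
        if not self.effective("child_domains_allowed"):
            raise PermissionError(f"{self.name}: child admin domains are not allowed")
        child = Domain(name, self, child_domains_allowed, add_sensor_allowed)
        self.children.append(child)
        return child


def effective_roles(user: str, domain: Domain, assignments: Assignments) -> FrozenSet[str]:
    """Nearest explicit assignment wins; otherwise the parent's role is inherited."""
    for d in domain.chain():
        if (user, d.name) in assignments:
            return assignments[(user, d.name)]
    return NO_ROLE


def super_user_scope(root: Domain, assignments: Assignments) -> Dict[str, List[str]]:
    """For each user, the domains in which they hold Super User rights."""
    users = sorted({user for user, _ in assignments})
    return {
        user: [d.name for d in root.subtree()
               if "Super User" in effective_roles(user, d, assignments)]
        for user in users
    }


def build_sample() -> Tuple[Domain, Dict[str, Domain], Assignments]:
    """Constructed sample tree and assignments (not taken from a real Manager)."""
    root = Domain("My Company")
    root.add_child("HR", child_domains_allowed=False)
    finance = root.add_child("Finance", add_sensor_allowed=False)
    finance.add_child("Bldg1")
    assignments: Assignments = {
        ("alice", "Finance"): frozenset({"Super User"}),
        ("bob", "My Company"): frozenset({"NOC Operator"}),
        ("bob", "HR"): frozenset({"IPS Administrator"}),  # role altered in the child
    }
    return root, {d.name: d for d in root.subtree()}, assignments


if __name__ == "__main__":
    root, domains, assignments = build_sample()
    for user, scope in super_user_scope(root, assignments).items():
        print(f"{user}: Super User in {scope or 'no domain'}")
    for name, d in domains.items():
        print(name, "can add Sensors:", d.effective("add_sensor_allowed"))
```

    Running super_user_scope against an inventory of your own assignments shows which accounts hold Super User rights at the root, where the role is not bounded by any domain.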


    Figure 13: The Roles Tab - Edit

    Creating custom roles

    When you add a user in the Manager, you can assign the required custom role to the user.

    The custom roles are listed in the Custom Roles tab in the Manager.

    Note: Only users with 'Configure Admin User Accounts RW' role privilege can create users or custom roles, assign custom roles to users, and modify the user account settings.

    Users with 'Configure Admin User Accounts RO' role privilege can only view the users, custom roles, or user accounts.

    Adding new custom roles

    Users with 'Configure Admin User Accounts RW' role privilege can add custom roles. Once added, the custom roles are listed along with default roles available for the users. For more information on the default roles, see Defining roles (on page 15).

    To add a custom role in the Manager, do the following:


    1 From the Resource Tree, select Admin Domain > Users > Custom Roles.

    Note: Custom Roles tab can be accessed only from the parent administrative domain.

    Figure 14: Custom Role Details Page

    2 In Custom Role Details, the default roles are listed as per the Manager mode (IPS, NAC or IPS with NAC mode). Note that the default roles cannot be edited or deleted.

    Role privileges

    Role: NAC Administrator
      IPS mode: Nil
      NAC mode: Configure NAC Settings RW; Home; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Hosts RW; Reports NAC RW
      IPS with NAC mode: Configure NAC Settings RW; Home; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Hosts RW; Reports NAC RW


    Role privileges

    Role: IPS Administrator
      IPS mode: Configure IPS Settings RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW
      NAC mode: Nil
      IPS with NAC mode: Configure IPS Settings RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW

    Role: System Administrator
      IPS mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure IPS Settings RO; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
      NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure NAC Settings RO; Home; Reports NAC RW; Operational Status RW; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
      IPS with NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure IPS Settings RO; Configure NAC Settings RO; Home; Reports IPS RW; Reports NAC RW; Operational Status RW; TA Summary Dashboard IPS RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO

    Role: Report Generator
      IPS mode: Reports IPS RW
      NAC mode: Reports NAC RW
      IPS with NAC mode: Reports IPS RW; Reports NAC RW


    Role privileges

    Role: NOC Operator
      IPS mode: Home; Reports IPS RO; Operational Status RO; TA Summary Dashboard IPS RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
      NAC mode: Home; Reports NAC RO; Operational Status RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO; Reports NAC RO
      IPS with NAC mode: Home; Reports IPS RO; Reports NAC RO; Operational Status RO; TA Summary Dashboard IPS RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO

    Role: Security Expert
      IPS mode: Configure Integration RW; Configure Device List RO; Configure IPS Settings RW; Home; Reports IPS RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone
      NAC mode: Configure Integration RW; Configure Device List RO; Configure NAC Settings RW; Home; Reports NAC RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone
      IPS with NAC mode: Configure Integration RW; Configure Device List RO; Configure IPS Settings RW; Configure NAC Settings RW; Home; Reports IPS RW; Reports NAC RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Foundstone

    Role: No Role
      IPS mode: Nil
      NAC mode: Nil
      IPS with NAC mode: Nil


    3 To create a new custom role, click Add.

    Figure 15: Add Custom Role Page

    Add Custom Role window is displayed.

    4 Enter Role Name and Description.

    5 Select and move the privileges that you want to assign to this new custom role, from the set of available privileges in Manager Privileges to Role Privileges. The Read, Write or Operate permissions (RO, RW, etc) for the privileges can be seen in the privilege name.

    6 Select Save, to save the changes.

    Assigning a custom role

    To assign a custom role to a user, do the following:


    1 From the Resource Tree, select Admin Domain > Users > Users.

    2 Select Add, to add a user.

    3 Enter the user information, and select Save.

    4 A pop-up is displayed asking if you want to assign a role to this user. Select OK.

    5 You are re-directed to Edit / View Role of Roles tab, where roles available by default as well as the custom roles created are listed.

    Figure 16: Edit / View Roles section

    6 Select the custom role from the list.

    7 Select Save, to save the changes. The assigned role is displayed in the Role Detail section, in the same window.

    Viewing your user account information

    The My Account action displays the My Account page, which lists the account information for the logged-in user. The navigation path for this page is Admin-Domain-Name > Users > My Account.

    If you wish to change your information (password, address, and so forth), clear the appropriate field, type the new information, and click Save; click Cancel to exit without saving changes.


    CHAPTER 4

    Managing system information logs

    The Logs tab enables a privileged admin to create audits and logs to view system information either by user activity (on page 27) or general system information (on page 25). Audits pull user-activity information from the database and system-activity information from the log files (such as ems.log files), thus providing a beneficial resource for analysis and/or problem-solving.

    Figure 17: User Activity Audit Tab

    Viewing and exporting Manager activity log

    The System Log action enables you to view and export system activity entries immediately in McAfee Network Security Manager (Manager) log file, named ems.log. By default, this information includes performed actions, system faults, and debug data. You can customize the log query to display only the data you want to see, such as debug data only or Warning-level faults only. Each log file is numbered incrementally for each megabyte of recorded data. The current log is seen in the McAfee Network Security Platform directory as ems.log. Previous logs increment with every one megabyte of data (ems.log.1, ems.log.2, etc.).

    The following subsections describe these functions:

    Viewing log information (on page 26)

    Exporting log information (on page 27)

    By default, the ems.log file is located at /ems.log.

    Note 1: Only Super Users, System Administrators, and Security Experts can view the system log.

    Note 2: Only ems.log files smaller than 4 MB can be viewed or exported from Manager.


    Viewing log information

    1 Select Admin-Domain-Name > Logs > System Log.

    2 Select a Log File Name.

    Figure 18: Ems Log Viewer

    3 Select the level of messages to display from one of the following:

    Field: Description

    ALL: All actions performed/recorded by the system. This includes all of the topics that follow.

    DEBUG: Only debug information for the system.

    INFO: Only configuration information, such as when an action is performed.

    WARN: Only system warning (high severity) information.

    ERROR: Only system error (medium severity) information.

    FATAL: Only crash/failure information.

    Or

    INFO AND ABOVE: Show INFO, WARN, ERROR, and FATAL. This range is useful when more detailed logs, including information and warnings, are desired.

    ERROR AND ABOVE: Show ERROR and FATAL. This range is useful when only errors and crash information are needed.

    4 Select the desired range of dates. The Begin Date and End Date must be different times.

    5 Type a value for the Number of Messages to Display to limit the log output. The default value is 10.

    6 Click View Messages to view the log.


    Exporting log information

    1 Select Admin-Domain-Name > Logs > System Log.

    2 Select a Log File Name.

    3 Click Export.

    The ems.log file is copied to your system. The exported log file contains all messages and is not filtered.

    Generating a user activity audit

    The User Activity Audit action enables the admin to view another user's actions in the management system. An audit can help to determine what a user has done in order to determine mistakes, overwriting, or other issues concerning user activity.

    Note: Only messages belonging to the categories selected for audit in the Audit Log Setting window (Manager > Audit Log Setting) are displayed.

    To create an audit to view a user's activity, do the following:

    1 Select Admin-Domain-Name > Logs > User Activity Audit.

    Figure 19: User Activity Report Configuration


    2 Select whether or not to include audit data from all child domains of the current domain (Include Child Admin Domains).

    3 Select a user to audit. The drop-down list displays the login IDs of the users currently logged in. (Select User(s) to Audit:)

    4 Select one or more Audit Categories. The Audit Categories are displayed as per the configured Manager modes. The table below shows the Audit Categories available for each Manager mode.

    IPS Mode: Admin Domain; User; Manager; Sensor; IPS Policy; Report; Update Server; Operational Status; Threat Analyzer; Unspecified

    NAC Mode: Admin Domain; User; Manager; Sensor; Report; Update Server; Operational Status; Threat Analyzer; NAC; Unspecified

    IPS with NAC mode: Admin Domain; User; Manager; Sensor; IPS Policy; Report; Update Server; Operational Status; Threat Analyzer; NAC; Unspecified

    5 Type the number of audit messages to show (Show x messages). The default is 10 messages.

    6 Select from one of the following time options:

    Field: Description

    Up to Current Time: Displays the requested number of most recent messages

    Ending (All messages before this date will be displayed): Specify the date and time before which you want to see the requested number of messages. That is, choosing this option displays the requested number of messages starting from this time and proceeding backwards.

    Select Messages Between These Dates: Select the desired range of dates for activity by a user.

    7 Click View Messages to start the audit. The following figure displays an audit result. The fields are as follows:

    Field: Description

    Include Child Admin Domains: All child domains of the current domain are included in the audit or not

    Actions performed by User: The user being audited.

    Audit Categories: Audit categories selected while generating messages.

    Start Time: Specified audit start time.

    End Time: Specified audit end time.

    Number of Actions: Performed between Start Time and End Time.


    Field: Description

    Date: When the action was performed.

    Domain: Domain in which the action was performed.

    User: Username.

    Category: The audit category.

    Action: Performed action.

    Result: Status of the performed action as either Success or Failure.

    Description: Component affected by the action.

    Figure 20: User Activity Audit Report

    Managing long running processes

    McAfee Network Security Platform helps you identify long running processes, including in-progress activities within your active Manager. You can view/track scheduled processes as well as user initiated processes for activities. The long running processes that you can view in Manager are the ones that McAfee recommends you keep track of.

    If a long running activity includes several sub-activities, then Network Security Platform provides an activity log for each of the sub-activities. For example, an activity like signature update involves two long running sub-activities: downloading the signature set, and updating the signature set on all McAfee Network Security Sensors (Sensors) that have the real time update enabled. These sub-activities are tracked separately and the status for each is displayed separately as well.

    Network Security Platform identifies the following as long-running activities:

    Signature set download from McAfee Update Server

    Signature set update on all active Sensors

    Sensor software download from McAfee Update Server

    Sensor software update on all Sensors

    Cumulative policies update due to signature set download or editing of overriding rules

    UDS Editor export to Manager

    Report generation

    Data Backup using Manager

    Data Restore using Manager

    Database dump transfer/import for an MDR pair

    Database tuning using Manager

    File maintenance

    Alert archival using Manager

    Archived alerts restore using Manager

    Alert data purge using Manager

    Note: Network Security Platform records the above-mentioned activities for both scheduled as well as user initiated processes.

    Viewing long running processes

    Select > Logs > Long Running Processes.

    Note: The display of long running processes is governed by the admin domain ownership. For example, if your Manager setup has a child admin domain, then select > Logs > Long Running Processes to view the long running processes for that child admin domain.

    Network Security Platform logs the long running processes against the and the user who performs the activity. The result for each activity is displayed as Failure, Success, or In Progress if still running. You can also view a summary of the activity in the Description field.

    Once an activity is completed, the entry for that long running activity is removed from the Long Running Processes page and displayed under > Logs > User Activity Audit page.

    The information displayed on the User Activity Audit page is based on your search criterion. For more information on User Activity Audit Log, see Generating a User Activities Audit (on page 27).

    Viewing messages from McAfee

    The Messages from McAfee action enables you to view any product or security-related messages from McAfee. The messages can be related to operating system patches, signature set releases, Manager software updates, Sensor software updates, and so on. Network Security Manager checks the Update Server for such messages every 15 minutes and displays messages that are relevant to the version of Manager and signature set that you are using. This feature ensures that all relevant messages from the Network Security Platform support team reach you on time.

    Manager displays the release date and the message description of the relevant messages in the Messages from McAfee window. The release date is the date on which the message was posted on the Update Server. You can acknowledge the messages that you have already seen and they will not be listed again. The latest four unacknowledged messages are displayed on the Network Security Platform home page as well. Click the View All Messages link on the home page to navigate to the Messages from McAfee window where all the unacknowledged messages are displayed.

    Figure 21: Messages From McAfee Window

    Item Description

    1 Messages from McAfee on Homepage

    Note 1: Though all users can view the messages, only users with the role of Super User in the root Admin domain can acknowledge messages.

    Note 2: Child Admin Domain users can view only the latest 4 messages.

    Note 3: For Manager to be able to check the Update Server for messages, you should have authenticated your credentials with the Update Server. For more information on how to authenticate, see Setting authentication for communication with the Update Server.

    To view all unacknowledged messages:

    1 From the Resource Tree, select Root Admin Domain > Logs > Messages from McAfee. Alternatively, click the View All Messages link on the home page.

    The Messages from McAfee window is displayed.

    Figure 22: Viewing Messages from McAfee

    2 To acknowledge a message, select it and click Acknowledge.

    Note 1: Messages, once acknowledged, are not displayed again.

    Note 2: You can acknowledge 10 messages at a time. The first 10 selected messages are acknowledged.

    Note 3: The acknowledged messages are logged, and you can view this information in the User Activity Log report. For information on this report, see Audit Report, Reports Guide.

    CHAPTER 5

    Setting up fault notifications

    McAfee Network Security Manager (Manager) can send system fault information to third-party machines such as SNMP servers and syslog servers. You can also configure Manager to notify you via email, pager, or script for system faults based on fault severity. You can perform the following tasks with respect to fault notifications:

    Viewing fault notification details (on page 34): View the configured parameters of all Fault Notification actions.

    Forwarding faults to an SNMP server (on page 34): Specify an SNMP server where system faults will be sent upon occurrence.

    Forwarding faults to a Syslog server (on page 37): Specify a syslog server where system faults will be sent upon occurrence.

    Managing fault notification (on page 40): Determine the breadth and detail of fault information that will be sent via email, pager, or script notification.

    Specifying email or pager parameters for fault notification (on page 40): Enable email or pager notifications for system faults, including fault message customization and notification recipients.

    Specifying script parameters for fault notification (on page 43): Enable script notification for system faults, including fault message customization.

    Figure 23: Path to Fault Notification Summary

    Viewing fault notification details

    The Summary action displays a summary of configured fault notification settings. The summary reflects configurations made within the other Fault Notification group actions.

    Figure 24: Fault Notification Details

    Forwarding faults to an SNMP server

    The Fault Notification > SNMP Forwarder action enables you to specify an SNMP server to which system fault information will be sent from Manager. You can configure more than one SNMP server to which fault messages are sent. The SNMP Forwarder List page displays the SNMP servers that have been configured. The fields in this page are described within the configuration steps that follow.

    To configure an SNMP server to receive system faults from your Manager, do the following:

    1 Select Admin-Domain-Name > Fault Notification > SNMP Forwarder.

    Figure 25: Enable SNMP forwarder page

    2 Check Enable SNMP Forwarder (default is Yes) and click Apply.

    3 Click Add.

    Figure 26: Fault SNMP forwarder configuration

    The Fault SNMP Forwarder window is displayed.

    4 Fill in the following fields:

    Field: Description

    Enable Domain Notification:
      Current Admin Domain: Send notifications for alerts in the current domain. Always enabled for the current domain.
      All Child Admin Domain(s): Include alerts for all child domains of the current domain.

    Target Server IP Address: IP address of the target SNMP server. This can be an IPv4 or IPv6 address.

    Target Port: Target server's SNMP listening port. The standard port for SNMP, 162, is pre-filled in the field.

    SNMP Version: Version of SNMP running on the target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

    Community String: Type an SNMP community string to protect your Network Security Platform data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.

    Forward Faults: Choose the severity level for forwarding faults. The options are Critical, Error and above, Warning and above, and Informational and above. Choose the severity of alerts that will have information forwarded. Limiting your alert severities to Critical or Error and above is recommended for focused analysis.

    The following fields appear only when SNMP Version 3 is selected.

    Authoritative Engine ID: The authoritative (security) engineID used for SNMP version 3 REQUEST messages.

    Authentication Level: This specifies the authentication level and has the following categories:
      No Authorization, No Privileges: Uses a user name match for authentication.
      Authorization, No Privileges: Provides authentication based on the MD5 or SHA algorithms.
      Authorization, Privileges: Provides authentication based on the MD5 or SHA algorithms. It also provides encryption in addition to authentication based on the DES or AES standards.

    The following fields appear only when Authorization, No Privileges or Authorization and Privileges is selected in Authentication Level.

    Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.

    Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.

    Encryption Type: The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages.

    Privacy Password: The privacy pass phrase used for encrypting SNMP version 3 messages.

    5 Click Apply.
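
    The SNMP version 3 fields above only work if the trap receiver holds the same Authoritative Engine ID, Authentication Type and Authentication Password, because the User-based Security Model (RFC 3414) derives the authentication key from the pass phrase and then localizes it to the engine ID. The following is an added example, not code from this guide or from McAfee; the function names are hypothetical and the sample values are the RFC 3414 A.3 test values.

```python
import hashlib
import hmac

# The form's Authentication Type choices mapped to hashlib algorithm names.
AUTH_HASHES = {"MD5": "md5", "SHA": "sha1"}


def parse_engine_id(text: str) -> bytes:
    """Accept engine IDs written as 0x8000..., 80:00:... or '80 00 ...'."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    for sep in (":", " ", "-"):
        cleaned = cleaned.replace(sep, "")
    return bytes.fromhex(cleaned)


def password_to_key(passphrase: str, auth_type: str) -> bytes:
    """RFC 3414 A.2: digest of the pass phrase repeated to 1,048,576 octets."""
    raw = passphrase.encode()
    if not raw:
        raise ValueError("empty pass phrase")
    reps, rest = divmod(1048576, len(raw))
    return hashlib.new(AUTH_HASHES[auth_type], raw * reps + raw[:rest]).digest()


def localized_key(passphrase: str, engine_id: str, auth_type: str) -> bytes:
    """Localize the key to one authoritative engine: H(Ku || engineID || Ku)."""
    ku = password_to_key(passphrase, auth_type)
    data = ku + parse_engine_id(engine_id) + ku
    return hashlib.new(AUTH_HASHES[auth_type], data).digest()


def settings_agree(sender: dict, receiver: dict) -> bool:
    """True only if both sides derive the same localized authentication key."""
    a = localized_key(sender["password"], sender["engine_id"], sender["auth_type"])
    b = localized_key(receiver["password"], receiver["engine_id"], receiver["auth_type"])
    return hmac.compare_digest(a, b)


# Constructed settings using the RFC 3414 A.3 sample pass phrase and engine ID.
MANAGER = {"engine_id": "00 00 00 00 00 00 00 00 00 00 00 02",
           "auth_type": "SHA", "password": "maplesyrup"}
RECEIVER_OK = {"engine_id": "0x000000000000000000000002",
               "auth_type": "SHA", "password": "maplesyrup"}
RECEIVER_WRONG_ENGINE = dict(RECEIVER_OK, engine_id="0x000000000000000000000003")
RECEIVER_WRONG_HASH = dict(RECEIVER_OK, auth_type="MD5")

if __name__ == "__main__":
    print(localized_key("maplesyrup", MANAGER["engine_id"], "SHA").hex())
    for name, rx in [("same settings", RECEIVER_OK),
                     ("different engine ID", RECEIVER_WRONG_ENGINE),
                     ("different hash", RECEIVER_WRONG_HASH)]:
        print(f"{name}: keys agree = {settings_agree(MANAGER, rx)}")
```

    A one-octet difference in the engine ID yields an unrelated key, so the receiver rejects every message even though the pass phrase is correct.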

    Modifying or deleting SNMP forwarder settings

    To modify or delete SNMP Forwarder settings, do the following:

    1 Select Admin-Domain-Name > Fault Notification > SNMP.

    2 Select the configured SNMP server instance from the SNMP Forwarder List page.

    3 Do one of the following:

    a. To edit the settings, click Edit, modify the fields as required, and then click Apply.

    b. To delete the settings, click Delete and then click OK to confirm the deletion.

    Forwarding faults to a Syslog server

    The Fault Notification > Syslog action enables the forwarding of Network Security Platform faults to a syslog server. Syslog forwarding enables you to view the forwarded faults via a third-party syslog application. For syslog forwarding, the root domain and parent domains have the option to include faults from all corresponding child domains.

    To enable syslog forwarding for fault notification, do the following:

    1 Select Admin-Domain-Name > Fault Notification > Syslog.

    Figure 27: Fault Syslog Forwarder Configuration

    The Fault Syslog Forwarder window is displayed.

    2 Fill in the following fields:

    Field: Description

    Enable Fault Syslog Forwarder: Yes is enabled; No is disabled.

    Enable Domain Notification:
      Current Admin Domain: Send notifications for alerts in the current domain. Always enabled for current domain.
      All Child Domain(s): Include alerts for all child domains of the current domain.

    Syslog Server (IP Address OR Host Name): Type either the Host IP Address or Host Name of the syslog server where alerts will be sent. For Host IP address, you can enter either an IPv4 or IPv6 address.

    Port: Port on the target server which is authorized to receive syslog messages. The standard port for syslog, 514, is pre-filled in the field.

    Facilities: Standard syslog prioritization value. The choices are as follows:
      Security/authorization (code 4)
      Security/authorization (code 10)
      Log audit (note 1)
      Log alert (note 1)
      Clock daemon (note 2)
      Local user 0 (local0)
      Local user 1 (local1)
      Local user 2 (local2)
      Local user 3 (local3)
      Local user 4 (local4)
      Local user 5 (local5)
      Local user 6 (local6)
      Local user 7 (local7)

    Severity Mapping: You can map each fault severity (Informational, Error, Warning, and Critical) to one of the standard syslog severities listed below (default severity mappings are noted in parentheses):
      Emergency: system is unusable
      Alert: action must be taken immediately
      Critical: (HIGH) critical conditions
      Error: error conditions
      Warning: (MEDIUM) warning conditions
      Notice: (LOW) normal but significant condition
      Informational: (INFORMATIONAL) informational message
      Debug: debug-level messages

    Forward Faults: Select the severity of the faults that you want to be forwarded to the syslog server. The options are:
      Critical: only Critical faults
      Error and above: both Error and Critical faults
      Warning and above: Warning, Error, and Critical faults
      Informational and above: all faults

    3 Click Apply.

    Note: You must click Apply before you will be able to customize the message format sent to your syslog server.

    4 Select the Message Preference to send as the syslog forwarding message. The choices are:

      System Default: the default message is a quick summary of a fault with two fields for easy recognition: Attack Name and Attack Severity. A default message reads:

      Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)

      Customized: create a custom message. To create a custom message, do the following:

      i. Click Edit to create a custom message.

      ii. Type a message and select (click) the parameters for the desired alert identification format. The following figure displays a custom message. You can type custom text in the Message field as well as click one or more of the provided elements below the field box.

      iii. Click Save when finished to return to the Fault Syslog Forwarder page. The Customized button is automatically selected after you have customized the Message Preference.

    Figure 28: Customize Syslog Forwarder Messages

    Item Description

    1 Custom typed text

    2 Selected token

    Caution: For syslog information to appear correctly, ensure that you use the dollar-sign ($) delimiter immediately before and after each element. Example: $ATTACK_TIME$

    5 Click Apply.
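
    A receiver-side check for the syslog settings described above, as an added example that is not part of this guide or McAfee's code: it computes which syslog PRI values the chosen Facilities, Severity Mapping and Forward Faults settings should produce, classifies received lines against them, and lints a custom message for the dollar-sign delimiter mistake the Caution warns about. The function names, the one-to-one severity mapping and the sample lines are constructed assumptions; the facility codes are the RFC 3164 values.

```python
import re

# Facility codes from RFC 3164 for the choices in the Facilities field. "Clock
# daemon (note 2)" is left out: RFC 3164 has two such codes (9 and 15) and the
# guide does not say which one Manager sends.
FACILITY_CODES = {"Security/authorization (code 4)": 4,
                  "Security/authorization (code 10)": 10,
                  "Log audit": 13, "Log alert": 14,
                  **{f"local{i}": 16 + i for i in range(8)}}
SYSLOG_SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
                     "Warning", "Notice", "Informational", "Debug"]
FAULT_SEVERITIES = ["Informational", "Warning", "Error", "Critical"]  # low to high

PRI_RE = re.compile(r"^<(\d{1,3})>")
TOKEN_RE = re.compile(r"\$[A-Z][A-Z0-9_]*\$")


def expected_pris(facility, severity_mapping, forward_from):
    """PRI values (facility * 8 + severity) the receiver should see."""
    base = FACILITY_CODES[facility] * 8
    forwarded = FAULT_SEVERITIES[FAULT_SEVERITIES.index(forward_from):]
    return {base + SYSLOG_SEVERITIES.index(severity_mapping[f]) for f in forwarded}


def decode_pri(line):
    """Return (pri, facility code, severity name), or None without a valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        return None
    pri = int(m.group(1))
    return pri, pri // 8, SYSLOG_SEVERITIES[pri % 8]


def classify(line, allowed_pris):
    """'ok', 'unexpected-pri' (other facility or filtered severity), 'malformed'."""
    decoded = decode_pri(line)
    if decoded is None:
        return "malformed"
    return "ok" if decoded[0] in allowed_pris else "unexpected-pri"


def lint_template(template):
    """List '$' characters that are not part of a well-formed $TOKEN$ pair."""
    leftover = TOKEN_RE.sub("", template)
    return [f"stray '$' at offset {m.start()} of {leftover!r}"
            for m in re.finditer(r"\$", leftover)]


# Constructed configuration: facility local0, each fault severity mapped to the
# syslog severity of the same name, Forward Faults set to "Error and above".
MAPPING = {s: s for s in FAULT_SEVERITIES}
ALLOWED = expected_pris("local0", MAPPING, "Error")

# Constructed payloads, shaped like the System Default message.
SAMPLES = [
    "<130>Attack Sensor link down (Critical)",       # local0, Critical: expected
    "<131>Attack Signature update failed (Error)",   # local0, Error: expected
    "<132>Attack Disk usage high (Warning)",         # below the forwarding threshold
    "<38>Attack Sensor link down (Critical)",        # facility 4, not local0
    "Attack Sensor link down (Critical)",            # no PRI at all
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line, ALLOWED):15} {decode_pri(line)} {line}")
    print(lint_template("Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)"))
    print(lint_template("Attack $IV_ATTACK_NAME ($IV_ATTACK_SEVERITY$)"))
```

    Lines classified as unexpected-pri point to a facility or Forward Faults setting that differs from what was intended, or to another sender writing to the same port.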

    Managing fault notification

    The Manage Fault Notification action enables you to determine the breadth and detail of fault information that will be sent via email, pager, or script. You can configure a suppression time (Hysteresis) within which faults are held pending Acknowledge or Delete actions (or automatic clearing events from the source) within Operational Status.

    Figure 29: Fault Notification Settings

    To manage fault notification details, do the following:

    1 Select Admin-Domain-Name > Fault Notification > Fault Notification Management.

    2 Fill in the following fields:

    Enable Domain Notification:
      Current Admin Domain: send only faults for the current domain. This is always selected for the current domain.
      All Child Admin Domain(s): send faults for all child domains of the current domain.

    Delegated Sensor Faults: If the McAfee Network Security Sensor (Sensor) interfaces have been delegated to a child domain, faults can be set to display by the Admin domain in which the delegated interface resides, rather than by the domain where the Sensor is controlled.
      Sensor Level: faults based on Sensor-domain relationship.
      Interface Level: faults based on interface-domain relationship.

    Hysteresis Time: the amount of time to suppress system faults before forwarding.

    Note: Hysteresis can only be set within the root admin domain.

    3 Click Apply.

    Sending alerts to an email or pager

    Users can be alerted by email or email pager when a fault occurs that matches a specified severity.

    Note 1: You must also identify a mail server for email notifications. For more information, see Specifying a mail server for notifications, Manager Server Configuration Guide.

    Note 2: Email and pager notifications are configured per admin domain.

    Figure 30: Pager Notification Settings

    To enable email or pager fault notification, do the following:

    1 Select Admin-Domain-Name > Fault Notification > Email or Admin-Domain-Name > Fault Notification > Pager.

    2 Select the enabled status (Enabled System Fault Notification). Yes is enabled; No is disabled.

    3 Select a fault Severity Level to be notified of:

    Field: Description

    Informational and above: Notifies for all faults.

    Warning and above: Notifies for Warning, Error, and Critical faults.

    Error and above: Notifies for Error and Critical faults.

    Critical: Notifies only for Critical faults.

    4 Select a Message Preference. The message preference is a preset response sent with the notification with information pertaining to the fault.

    System Default: The system default message provides the notified admin with the most basic fault details so that an immediate response can be made. Details include the fault type (severity) and the component source. The subject line of the default message contains the fault name.

    Note: You cannot edit the System Default message.

    Customized: Type a message and select (click) the parameters for the desired attack identification format. The following figure displays a custom message. You can type custom text in the Subject field or Body section, as well as click one or more of the provided elements at Subject Line Content or Body Text to add to the description. When you are finished formatting your message template, click Save. The Customized button is selected if you have customized the message.

    Figure 31: Customize Email Notification Messages Window

    Item Description

    1 Custom typed text

    2 Selected tokens

    5 Click Apply to save your notification settings.

    6 Specify the email or email pager address of the intended recipient(s).

    7 Scroll to the bottom of the Email or Page Notification Settings page.

    Figure 32: Pager Fault Notification Mailing List

    a. Click Add.

    b. Type an email address or email pager address.

    c. Click Save when complete.

    d. Repeat steps a through d to add additional recipient addresses.

    Specifying script parameters for fault notification

    Users can be alerted via executed script when a system fault occurs that matches a configured severity.

    Note: Script notifications are configured per admin domain.

    Figure 33: Script Notification Settings

    To enable alert notification by script, do the following:

    1 Select Admin-Domain-Name > Fault Notification > Script.

    2 Select the enabled status (Enable System Fault Notification). Yes is enabled; No is disabled.

    3 Select a Severity to be notified of:

    Field: Description

    Informational and above: Notifies for all faults.

    Warning and above: Notifies for Warning, Error, and Critical faults.

    Error and above: Notifies for Error and Critical faults.

    Critical: Notifies only for Critical faults.

    4 Configure a Message Preference. The message preference is a preset response sent with the notification with information pertaining to the fault.

    Customized: Type a message and select (click) the parameters for the desired attack identification format. For a script notification, do the following.

    i. Click Edit.

    ii. Type a name for the script at Script Name.

    iii. For the Body section, type the text and select the token fields for the attack information you want to see.

    iv. Click Save to return to the notification form. The Customized button is selected and the script name you entered is displayed in the Script Notifications Settings page. The script is saved to your installation directory at: \temp\scripts\0\. The script file name is appended with .bat.

    5 Click Apply to save your notification settings.
