McAfee FIREWALL 2.1-GETTING STARTED Guida di Installazione

McAfee NGFW Installation Guidefor IPS and Layer 2 Firewall Roles 5.7NGFW Engine in the IPS and Layer 2 Firewall Roles

10Chapter 1 Using SMC DocumentationHow to Use This GuideThe McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles is intended for adminis

100Chapter 11 Installing the Engine on Other PlatformsStarting the InstallationBefore you start installing the engines, make sure you have the initia

101Installing the Engine on a Virtualization PlatformInstalling the Engine on a Virtualization PlatformThe IPS or Layer 2 Firewall engine can be insta

102Chapter 11 Installing the Engine on Other PlatformsConfiguring the Engine Automatically with a USB StickThe automatic configuration is primarily i

103Configuring the Engine in the Engine Configuration WizardConfiguring the Engine in the Engine Configuration WizardIf you have stored the configurat

104Chapter 11 Installing the Engine on Other PlatformsConfiguring the Operating System Settings To set the keyboard layout1. Highlight the entry fie

105Configuring the Engine in the Engine Configuration WizardConfiguring the Network InterfacesThe Engine Configuration Wizard can automatically detect

106Chapter 11 Installing the Engine on Other PlatformsMapping the Physical Interfaces to Interface IDs To map the Physical Interfaces to Interface I

107Configuring the Engine in the Engine Configuration WizardContacting the Management ServerThe Prepare for Management Contact page opens. If the init

108Chapter 11 Installing the Engine on Other Platforms• If you see a “connection refused” error message, ensure that the one-time password is correct

109Installing the Engine in Expert ModePartitioning the Hard Disk ManuallyTypically, you need five partitions for the IPS or Layer 2 Firewall as expla

11Documentation AvailableDocumentation AvailableSMC documentation is divided into two main categories: Product Documentation and Support Documentation

110Chapter 11 Installing the Engine on Other PlatformsAllocating PartitionsAfter partitioning the hard disk, the partitions are allocated for the eng

111UPGRADINGIn this section:Upgrading - 113

112

113CHAPTER 12UPGRADINGThis chapter explains how to upgrade your IPS engines, Layer 2 Firewalls, and Master Engines. When there is a new version of the

114Chapter 12 UpgradingGetting Started With UpgradingHow Engine Upgrades WorkThe primary way to upgrade engines is a remote upgrade through the Manag

115Getting Started With UpgradingTo check the current engine software version, select the engine in the System Status view. The engine version is disp

116Chapter 12 Upgrading7. Compare the displayed output to the checksum on the web site. To prepare a downloaded .zip file for a remote upgrade1. Log

117Upgrading or Generating LicensesUpgrading or Generating LicensesWhen you installed the engine software for the first time, you installed licenses t

118Chapter 12 Upgrading5. Select the location at which to save the license file in the dialog that opens. You areprompted to request a license upgrad

119Upgrading Engines RemotelyUpgrading Engines RemotelyYou can upgrade the engines through the Management Server by importing the upgrade package manu

12Chapter 1 Using SMC DocumentationSupport DocumentationThe McAfee support documentation provides additional and late-breaking technical information.

120Chapter 12 UpgradingUpgrading Legacy IPS EnginesPrior to version 5.4, IPS engines consisted either of separate Sensor and Analyzer engines, or com

121Upgrading Legacy IPS Engines6. Make sure None is selected for the Analyzer.7. Click OK. The conversion begins.8. Refresh the policy of the upgraded

122Chapter 12 UpgradingUpgrading Engines LocallyIt is also possible to upgrade the engines on the engine command line as described in this section. U

123Upgrading Engines LocallyUpgrading From a .zip FileFollow the instructions below if you want to use a .zip file to upgrade the engine software loca

124Chapter 12 Upgrading

125APPENDICESIn this section:Command Line Tools - 127Default Communication Ports - 149Example Network Scenario - 157Index - 163

126

127APPENDIX ACOMMAND LINE TOOLSThis appendix describes the command line tools for McAfee Security Management Center and the NGFW engines.The following

128Appendix A Command Line ToolsSecurity Management Center CommandsSecurity Management Center commands include commands for the Management Server, Lo

129Security Management Center CommandssgArchiveExport(continued)Host specifies the address of the Management Server. If the parameter is not defined,

13PREPARING FORINSTALLATIONIn this section:Planning the Installation - 15Installing Licenses - 23Configuring NAT Addresses - 27

130Appendix A Command Line ToolssgBackupLogSrv[pwd=<password>][path=<destpath>][nodiskcheck][comment=<comment>][nofsstorage][-h | -

131Security Management Center CommandssgCertifyLogSrv[host=<Management Server Address[\Domain]>]Contacts the Management Server and creates a new

132Appendix A Command Line ToolssgChangeMgtIPOnMgtSrv <IP address>Changes the Management Server’s IP address in the local configuration to the

133Security Management Center CommandssgHA [host=<Management Server Address[\Domain]>][login=<login name>][pass=<password>][master=&

134Appendix A Command Line ToolssgImportExportUser[host=<Management Server Address[\Domain]>][login=<login name>][pass=<password>]a

135Security Management Center CommandssgOnlineReplication[login=<login name>][pass=<password>][active-server=<name of active Management

136Appendix A Command Line ToolssgRestoreAuthBackup[-pwd=<password>][-backup=<backup file name>][-nodiskcheck][-h|-help]Restores the Auth

137Security Management Center CommandssgStartMgtSrv Starts the Management Server and its database. sgStartWebPortalSrv Starts the Web Portal Server.sg

138Appendix A Command Line ToolssgTextBrowser[host=<Management Server address[\Domain]>][login=<login name>][pass=<password>][forma

139NGFW Engine CommandsNGFW Engine CommandsThe commands in the following two tables can be run on the command line on Firewall, Layer 2 Firewall, IPS

14

140Appendix A Command Line Toolssg-blacklist show [-v] [-f FILENAME] |add [[-i FILENAME] | [src IP_ADDRESS/MASK] [src6 IPv6_ADDRESS/PREFIX][dst IP_AD

141NGFW Engine Commandssg-blacklist (continued)Firewall, Layer 2 Firewall, IPSAdd/Del Parameters:Enter at least one parameter. The default value is us

142Appendix A Command Line Toolssg-clear-allFirewall, Layer 2 Firewall, IPSNote! Use this only if you want to clear all configuration information fro

143NGFW Engine Commandssg-dynamic-routing [start][stop][restart][force-reload][backup <file>][restore <file>][sample-config][route-table][

144Appendix A Command Line Toolssg-raid[-status] [-add] [-re-add] [-force] [-help]Firewall, Layer 2 Firewall, IPSConfigures a new hard drive. This co

145NGFW Engine Commandssg-toggle-activeSHA1 SIZE |--force [--debug]Firewall, Layer 2 Firewall, IPSSwitches the engine between the active and the inact

146Appendix A Command Line ToolsThe table below lists some general Linux operating system commands that may be useful in running your engines. Some c

147Server Pool Monitoring Agent CommandsServer Pool Monitoring Agent CommandsYou can test and monitor the Server Pool Monitoring Agents on the command

148Appendix A Command Line Toolssgmon [status|info|proto][-p port] [-t timeout] [-a id]hostSends a UDP query to the specified host and waits for a re

149APPENDIX BDEFAULT COMMUNICATION PORTSThis chapter lists the default ports used in connections between SMC components and the default ports SMC comp

15CHAPTER 2PLANNING THE INSTALLATIONThis chapter provides important information to take into account before the installation can begin. The chapter al

150Appendix B Default Communication PortsSecurity Management Center PortsThe illustrations below present an overview to the most important default po

151Security Management Center PortsThe table below lists all default ports SMC uses internally and with external components. Many of these ports can b

152Appendix B Default Communication PortsManagement Server3021/TCPLog Server, Web Portal ServerSystem communications certificate request/renewal.SG L

153Security Engine PortsSecurity Engine PortsThe illustrations below present an overview to the most important default ports used in communications be

154Appendix B Default Communication PortsThe table below lists all default ports the Security Engines use internally and with external components. Ma

155Security Engine PortsFirewall, Layer 2 Firewall, IPS, Master Engine4987/TCPManagement ServerManagement Server commands and policy upload.SG Command

156Appendix B Default Communication PortsRPC server111/UDP, 111/TCPFirewall, Master EngineRPC number resolve.SUNRPC (UDP), Sun RPC (TCP)Server Pool M

157APPENDIX CEXAMPLE NETWORK SCENARIOTo give you a better understanding of how McAfee IPS fits into a network, this section outlines a network with IP

158Appendix C Example Network ScenarioOverview of the Example NetworkTwo example IPS installations are described in this guide: • an IPS cluster in t

159Example Headquarters Intranet NetworkExample Headquarters Intranet NetworkIllustration C.2 Example Headquarters Intranet NetworkHQ IPS ClusterIn t

16Chapter 2 Planning the InstallationIntroduction to McAfee IPS and Layer 2 FirewallA McAfee IPS or Layer 2 Firewall system consists of the McAfee Se

160Appendix C Example Network ScenarioExample Headquarters Management NetworkIllustration C.3 Example Headquarters Management NetworkHQ FirewallThe

161Example Headquarters DMZ NetworkExample Headquarters DMZ NetworkIllustration C.4 Example Headquarters DMZ NetworkDMZ IPSIn the example scenario, t

162Appendix C Example Network Scenario

163IndexINDEXAAdvanced Configuration and Power Interface (ACPI), 98analyzers, removing after upgrade, 121Automatic Power Management (APM), 98BBIOS set

164Index IPS installation modes, 16IPS policiescustomized high-security inspection IPS policy, 92default IPS policy, 92IPS template policies, 92Llaye

165Indexreset interfaces, 40, 49transferring initial configuration to engines, 87typographical conventions, 10Uupgrading, 113–123engine locally, 122en

Copyright © 2014 McAfee, Inc. Do not copy without permission.McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its

17Example Network ScenarioThe main features of McAfee IPS and Layer 2 Firewall include:• Multiple detection methods: misuse detection uses fingerprint

18Chapter 2 Planning the InstallationOverview to the Installation Procedure1. Check the surrounding network environment as explained in Capture Inter

19Important to Know Before InstallationImportant to Know Before InstallationBefore you start the installation, you need to carefully plan the site tha

2Legal InformationThe use of the products described in these materials is subject to the then current end-user license agreement, which can be found a

20Chapter 2 Planning the InstallationSwitch SPAN PortsA Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined port on

21Important to Know Before InstallationIllustration 2.2 Correct Cable Types for Single Layer 2 FirewallsFor more information on cabling for IPS engin

22Chapter 2 Planning the Installation

23CHAPTER 3INSTALLING LICENSESThis chapter instructs how to generate and install licenses for IPS engines, Layer 2 Firewalls, and Master Engines.The f

24Chapter 3 Installing LicensesGetting Started with IPS and Layer 2 Firewall LicensesEach IPS engine, Layer 2 Firewall, and Master Engine must have i

25Generating New LicensesConfiguration OverviewThe following steps are needed for installing licenses for IPS engines, Layer 2 Firewall engines, and M

26Chapter 3 Installing LicensesInstalling LicensesTo install licenses, the license files must be available to the computer you use to run the Managem

27CHAPTER 4CONFIGURING NAT ADDRESSESThis chapter contains the steps needed to configure Locations and contact addresses when a NAT (network address tr

28Chapter 4 Configuring NAT AddressesGetting Started with NAT AddressesIf there is network address translation (NAT) between communicating SMC compon

29Defining LocationsConfiguration OverviewTo add contact addresses, proceed as follows:1. Define Location element(s). See Defining Locations.2. Define

3Table of ContentsTABLE OF CONTENTSINTRODUCTIONCHAPTER 1Using SMC Documentation. . . . . . . . . . . . . . . . 9How to Use This Guide . . . . . . . .

30Chapter 4 Configuring NAT AddressesAdding SMC Server Contact AddressesThe Management Server and the Log Server can have more than one contact addre

31CONFIGURING ENGINESIn this section:Defining IPS Engines - 33Defining Layer 2 Firewalls - 43Configuring Master Engines and Virtual IPS Engines - 53Co

32

33CHAPTER 5DEFINING IPS ENGINESThis chapter contains the steps needed to complete the IPS engine configuration that prepares the SMC for IPS engine in

34Chapter 5 Defining IPS EnginesGetting Started with Defining IPS EnginesThe IPS engine elements are a tool for configuring nearly all aspects of you

35Defining System Communication Interfaces for IPS EnginesDefining System Communication Interfaces for IPS EnginesEach IPS engine needs at least one i

36Chapter 5 Defining IPS EnginesDefining IP Addresses To define an IP address for a single IPS1. Right-click a Physical Interface or a VLAN Interfac

37Setting Interface Options for IPS EnginesSetting Interface Options for IPS EnginesInterface options allow you to select which interfaces are used fo

38Chapter 5 Defining IPS EnginesDefining Traffic Inspection Interfaces for IPS EnginesIPS engines pick up passing network traffic for inspection in r

39Defining Traffic Inspection Interfaces for IPS EnginesDefining Logical InterfacesA Logical Interface is used in the IPS policies and the traffic ins

4Table of ContentsCHAPTER 7Configuring Master Engines and Virtual IPS Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Configura

40Chapter 5 Defining IPS EnginesDefining Reset InterfacesReset Interfaces can deliver TCP resets and ICMP “destination unreachable” messages to inter

41Defining Traffic Inspection Interfaces for IPS EnginesRepeat these steps to define any additional Capture Interfaces.Defining Inline InterfacesThe n

42Chapter 5 Defining IPS EnginesBypassing Traffic on OverloadBy default, inline IPS engines inspect all connections. If the traffic load is too high

43CHAPTER 6DEFINING LAYER 2 FIREWALLSThis chapter contains the steps needed to complete the Layer 2 Firewall engine configuration that prepares the SM

44Chapter 6 Defining Layer 2 FirewallsGetting Started with Defining Layer 2 FirewallsThe Layer 2 Firewall engine elements are a tool for configuring

45Defining System Communication Interfaces for Layer 2 Firewall EnginesDefining System Communication Interfaces for Layer 2 Firewall EnginesEach Layer

46Chapter 6 Defining Layer 2 FirewallsDefining IP Addresses To define an IP address for a Single Layer 2 Firewall1. Right-click a Physical Interface

47Setting Interface Options for Layer 2 Firewall EnginesSetting Interface Options for Layer 2 Firewall EnginesInterface options allow you to select wh

48Chapter 6 Defining Layer 2 FirewallsDefining Traffic Inspection Interfaces for Layer 2 Firewall EnginesLayer 2 Firewalls pick up passing network tr

49Defining Traffic Inspection Interfaces for Layer 2 Firewall Engines6. Click OK.Repeat these steps to define any additional Logical Interfaces.Defini

5Table of ContentsUPGRADINGCHAPTER 12Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Getting Started With Upgrading . . . . . .

50Chapter 6 Defining Layer 2 FirewallsDefining Capture InterfacesCapture Interfaces listen to traffic that is not routed through the Layer 2 Firewall

51Finishing the Engine ConfigurationDefining Inline InterfacesThe number of Inline Interfaces you can have is limited by the license in use. One Inlin

52Chapter 6 Defining Layer 2 Firewalls

53CHAPTER 7CONFIGURING MASTER ENGINESAND VIRTUAL IPS ENGINESThis chapter contains the steps needed to complete the Master Engine and Virtual IPS engin

54Chapter 7 Configuring Master Engines and Virtual IPS EnginesConfiguration OverviewVirtual IPS engines are logically-separate Virtual Security Engin

55Adding a Master Engine ElementAdding a Master Engine ElementTo introduce a new Master Engine to the SMC, you must define a Master Engine element tha

56Chapter 7 Configuring Master Engines and Virtual IPS EnginesAdding Nodes to a Master EngineThe Master Engine properties have placeholders for two n

57Adding Physical Interfaces for Master EnginesAdding Physical Interfaces for Master EnginesMaster Engines can have two types of Physical Interfaces:

58Chapter 7 Configuring Master Engines and Virtual IPS Engines4. (Interface for hosted Virtual IPS engine communications only) Define the Physical In

59Adding Physical Interfaces for Master Engines5. Click OK. The Physical Interface is added to the interface list.6. Repeat from Step 2 to add any oth

6Table of Contents

60Chapter 7 Configuring Master Engines and Virtual IPS EnginesAdding VLAN Interfaces for Master EnginesVLANs divide a single physical network link in

61Adding VLAN Interfaces for Master Engines4. Click OK. The specified VLAN ID is added to the Physical Interface.Second VLAN ID(Optional, only if Phys

62Chapter 7 Configuring Master Engines and Virtual IPS Engines5. Repeat from Step 2 to add further VLANs on the same or other Physical Interfaces.Add

63Setting Global Interface Options for Master EnginesSetting Global Interface Options for Master EnginesThe Interface Options dialog contains the sett

64Chapter 7 Configuring Master Engines and Virtual IPS Engines4. Click OK to close the Master Engine Properties. A Confirmation dialog opens. Click N

65Configuring Physical Interfaces for Virtual IPS EnginesConfiguring Physical Interfaces for Virtual IPS EnginesPhysical Interfaces for Virtual IPS en

66Chapter 7 Configuring Master Engines and Virtual IPS Engines4. If your configuration requires you to change the Logical Interface from Default_Eth,

67CHAPTER 8CONFIGURING MASTER ENGINESAND VIRTUAL LAYER 2 FIREWALLSThis chapter contains the steps needed to complete the Master Engine and Virtual Lay

68Chapter 8 Configuring Master Engines and Virtual Layer 2 FirewallsConfiguration OverviewVirtual Layer 2 Firewalls are logically-separate Virtual Se

69Adding a Master Engine ElementAdding a Master Engine ElementTo introduce a new Master Engine to the SMC, you must define a Master Engine element tha

7INTRODUCTIONIn this section:Using SMC Documentation - 9

70Chapter 8 Configuring Master Engines and Virtual Layer 2 FirewallsAdding Nodes to a Master EngineThe Master Engine properties have placeholders for

71Adding Physical Interfaces for Master EnginesAdding Physical Interfaces for Master EnginesMaster Engines can have two types of Physical Interfaces:

72Chapter 8 Configuring Master Engines and Virtual Layer 2 Firewalls4. (Interface for Hosted Virtual Layer 2 Firewall communications only) Define the

73Adding Physical Interfaces for Master Engines5. Click OK. The Physical Interface is added to the interface list.6. Repeat from Step 2 to add any oth

74Chapter 8 Configuring Master Engines and Virtual Layer 2 FirewallsAdding VLAN Interfaces for Master EnginesVLANs divide a single physical network l

75Adding VLAN Interfaces for Master Engines4. Click OK. The specified VLAN ID is added to the Physical Interface.Second VLAN ID(Optional, only if Phys

76Chapter 8 Configuring Master Engines and Virtual Layer 2 Firewalls5. Repeat from Step 2 to add further VLANs on the same or other Physical Interfac

77Setting Global Interface Options for Master EnginesSetting Global Interface Options for Master EnginesThe Interface Options dialog contains the sett

78Chapter 8 Configuring Master Engines and Virtual Layer 2 Firewalls4. Click OK to close the Master Engine Properties. A Confirmation dialog opens. C

79Configuring Physical Interfaces for Virtual Layer 2 FirewallsConfiguring Physical Interfaces for Virtual Layer 2 FirewallsPhysical Interfaces for Vi

8

80Chapter 8 Configuring Master Engines and Virtual Layer 2 FirewallsAdding VLAN Interfaces for Virtual Layer 2 FirewallsVLAN Interfaces can only be a

81Binding Engine Licenses to Correct ElementsBinding Engine Licenses to Correct ElementsLicenses are created based on the Management Server’s proof-of

82Chapter 8 Configuring Master Engines and Virtual Layer 2 Firewalls

83CHAPTER 9SAVING THE INITIAL CONFIGURATIONThis chapter explains how to save an IPS, Layer 2 Firewall, or Master Engine element configuration in the S

84Chapter 9 Saving the Initial ConfigurationConfiguration OverviewOnce you have configured the IPS, Layer 2 Firewall, or Master Engine elements in th

85Saving the Initial ConfigurationPreparing for Automatic Configuration To prepare for automatic configuration1. (Optional) Select Enable SSH Daemon

86Chapter 9 Saving the Initial ConfigurationPreparing for Configuration Using the Engine Configuration Wizard To prepare for configuration using the

87Transferring the Initial Configuration to the EnginesTransferring the Initial Configuration to the EnginesYou are now ready to install the engine(s)

88Chapter 9 Saving the Initial Configuration

89CHAPTER 10CONFIGURING ROUTING AND INSTALLING POLICIESAfter successfully installing the engines and establishing contact between the engine(s) and th

9CHAPTER 1USING SMC DOCUMENTATIONThis chapter describes how to use the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles and lists oth

90Chapter 10 Configuring Routing and Installing PoliciesConfiguring RoutingRouting is configured entirely through the Management Client. The routing

91Configuring RoutingAdding Next-Hop RoutersYou may need to define a default route in case the SMC (Management Servers and Log Servers) and other SMC

92Chapter 10 Configuring Routing and Installing PoliciesInstalling the Initial PolicyTo be able to inspect traffic, the engines must have a policy in

93Installing the Initial PolicyThe default policy elements are introduced when you import and activate a recent dynamic update package (for example, d

94Chapter 10 Configuring Routing and Installing Policies To install a ready-made policy1. Select Configuration→Configuration→Security Engine. The Se

95INSTALLING ENGINESIn this section:Installing the Engine on Other Platforms - 97

96

97CHAPTER 11INSTALLING THE ENGINE ON OTHER PLATFORMSThis chapter describes how to install IPS and Layer 2 Firewall engines on standard Intel or Intel-

98Chapter 11 Installing the Engine on Other PlatformsInstalling the Engine on Intel-Compatible PlatformsMcAfee NGFW appliances are delivered with pre

99Installing the Engine on Intel-Compatible PlatformsChecking File IntegrityBefore installing the IPS or Layer 2 Firewall engine from downloaded files