
Addendum

McAfee Next Generation Firewall 5.8.0

COPYRIGHT

Copyright © 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, PolicyLab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Next Generation Firewall 5.8.0 Addendum

Contents

Preface 5
    About this guide 5
        Conventions 5
    Find product documentation 6

1 Usability improvements 7
    Centralized management of global system settings 7
    Enable and modify password policy settings in the Management Client 8
    Grouping Category elements with Category Tag elements 9
        Create a Category Tag 9
        Add a Category to a group using a Category Tag 9
        Filter elements by Category Tag 10
    Type-ahead search improvements 10
    Engine Editor and how it works 10
    Edit engine configuration 12
    Routing configuration improvements 13
        Default routes created automatically 13
        View the default route 13
        Add a default route 14
        Add routes 14
        Query routes 14

2 Policy and inspection improvements 17
    Automatic rules and how they work 17
    Configure settings for Automatic rules 17
    Template name and description updates 18
    File filtering 18
    Restrict file types with file filtering 19
    Improved handling of TCP protocols 22

3 McAfee NGFW integration with other McAfee products 25
    Integrate McAfee GTI file reputation with McAfee NGFW 25
    Integrate an Advanced Threat Defense server with McAfee NGFW 26
    Integrate McAfee ePO with McAfee NGFW 27
    Query McAfee ePO information in logs 28
    Integrate McAfee Logon Collector with McAfee NGFW 29

4 VPN configuration improvements 31
    Simpler VPN configuration 31
    Define Mobile VPNs 32
    SSL VPN support 34
        Set up the SSL VPN Portal 34
        Customize the look and feel of the SSL VPN Portal 38
        Select SSL cryptographic algorithms for the SSL VPN 39
        Monitor SSL VPN connections 40

5 McAfee NGFW configuration improvements 41
    Aggregate multiple interfaces on McAfee NGFW in the Firewall/VPN role 41
    Automatically test link status of aggregated links in load-balancing mode 42
    Local Manager and alternative installation options 42
    Language selection in the Management Client 43
    Change the default language of the Management Client 43

Index 45


Preface

This guide provides the information you need to work with your McAfee product.

Contents
    About this guide
    Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Find product documentation

After a product is released, information about the product is entered into the McAfee online KnowledgeCenter.

Task

1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.

2 Enter a product name, select a version, then click Search to display a list of documents.


1 Usability improvements

The usability of the Management Client has been improved. The new Engine Editor makes it easier to manage all engine configuration information, and new tools make routing configuration faster and more intuitive.

Contents
    Centralized management of global system settings
    Enable and modify password policy settings in the Management Client
    Grouping Category elements with Category Tag elements
    Type-ahead search improvements
    Engine Editor and how it works
    Edit engine configuration
    Routing configuration improvements

Centralized management of global system settings

Use the new Global System Properties dialog box to centrally manage global system settings and configure password policy settings. Most of the settings in this dialog box were previously available in different dialog boxes in the Management Client.

Unless otherwise specified, all tasks in this guide are done in the Management Client.

Access the Global System Properties dialog box by selecting File | System Tools | Global System Properties. You can only modify the settings when you are logged on to the Shared Domain.

The dialog box has three tabs:

• The Updates tab contains settings related to updates, upgrades, and licenses. In McAfee® Next Generation Firewall (McAfee NGFW) 5.7, the tab was included in the Management Server Properties dialog box. Only administrators with Manage Updates and Upgrades permissions can modify these settings. For more information, see the Configuring Automatic Updates and Engine Upgrades chapter in the McAfee SMC Administrator's Guide, version 5.7.

• The Password Policy tab contains settings for password strength, password expiration, failed logons, and actions related to temporary and long-term inactivity. In McAfee NGFW 5.7, the password policy settings were defined in the SGConfiguration.txt file and the settings were shown in the Enforce Password Settings dialog box. Only administrators with Manage Administrator permissions can modify these settings. For more information, see Enable and modify password policy settings in the Management Client.

• The McAfee GTI tab contains an option for authorizing McAfee® Global Threat Intelligence™ (McAfee GTI) usage. Only administrators with Unrestricted Permissions can enable McAfee GTI. For more information, see McAfee NGFW integration with McAfee GTI file reputation.

See also
    Integrate McAfee GTI file reputation with McAfee NGFW on page 25


Enable and modify password policy settings in the Management Client

The configuration of password policy settings has been moved to the Global System Properties dialog box. You no longer have to edit values in the SGConfiguration.txt file.

If you have previously modified the default settings in the SGConfiguration.txt file, the modified settings are automatically applied on the Password Policy tab. Any further modifications you make to the SGConfiguration.txt file after this migration have no effect.

Task

For option definitions, press F1 or click Help in the interface.

1 Select File | System Tools | Global System Properties.

You must be logged on to the Shared Domain to modify the settings in the Global System Properties dialog box.

2 Click the Password Policy tab.

3 Select Enforce Password Settings for All the Administrators and Web Portal Users.

4 Modify the values in the following fields as required.

Table 1-1 Password policy settings

Option: Definition

Password Reuse Limit: The number of previous passwords that an administrator cannot reuse. The default is 4.

Inactivity Delay Before Screen Lock (Minutes): The number of minutes after which an administrator who is idle is automatically logged off. The default is 15 minutes. Setting the value to zero minutes disables the screen lock for administrators.

Inactivity Delay Before Disabling Account (Days): The maximum number of days an administrator account can be inactive before it is disabled. The default is 90 days.

Minimum Number of Characters in Password: The minimum number of characters an administrator password must contain. The default is 7 characters.

Password Validity (Days): The number of days after which administrator passwords expire and must be changed. The default is 90 days.

Maximum Number of Failed Logon Attempts Before Lock-Out: The maximum number of failed logon attempts before an administrator account is locked. The default is 6 attempts.

Lock-Out Duration (Minutes): The duration (in minutes) for which the administrator account is locked when the maximum number of failed logon attempts is reached. The default is 30 minutes.

Both Letters and Numbers Required in Password: Defines whether administrator passwords must contain both letters and numbers. By default, this option is selected.

Enforce Single GUI Connection: Defines whether an administrator can open only a single session at a time to the Management Client or to the Web Portal. By default, this option is selected. When the option is selected, only a single logon per account is allowed.

5 Click OK.
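To make the interaction between the Table 1-1 settings concrete, here is an added example (not McAfee code, and not how the SMC implements the checks) that models the documented defaults: reuse limit 4, minimum 7 characters, letters and numbers required, 90-day validity, 6 failed logons then a 30-minute lock-out, and 90 days of inactivity before the account is disabled. The order in which the checks are applied, the outcome names, and the sample timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Added example, not McAfee code: the Password Policy settings of Table 1-1
# with their documented defaults, applied to a constructed account.


@dataclass(frozen=True)
class PasswordPolicy:
    reuse_limit: int = 4               # Password Reuse Limit
    min_length: int = 7                # Minimum Number of Characters in Password
    letters_and_numbers: bool = True   # Both Letters and Numbers Required in Password
    validity_days: int = 90            # Password Validity (Days)
    max_failed_logons: int = 6         # Maximum Number of Failed Logon Attempts Before Lock-Out
    lockout_minutes: int = 30          # Lock-Out Duration (Minutes)
    inactivity_disable_days: int = 90  # Inactivity Delay Before Disabling Account (Days)


def check_new_password(policy: PasswordPolicy, candidate: str,
                       previous_passwords: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    previous_passwords is newest first; only the last reuse_limit entries are compared."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if policy.letters_and_numbers and not (
        any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
    ):
        problems.append("needs both letters and numbers")
    if candidate in previous_passwords[: policy.reuse_limit]:
        problems.append("reuses a recent password")
    return problems


@dataclass
class AccountState:
    password_set_at: datetime
    last_activity: datetime
    failed_logons: int = 0
    locked_until: Optional[datetime] = None


def evaluate_logon(policy: PasswordPolicy, account: AccountState,
                   password_ok: bool, now: datetime) -> str:
    """Apply the inactivity, lock-out and expiry rules to one logon attempt.
    Returns 'ok', 'failed', 'locked', 'disabled' or 'password-expired' (assumed names)."""
    if now - account.last_activity > timedelta(days=policy.inactivity_disable_days):
        return "disabled"                       # long-term inactivity disables the account
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"                     # still inside the lock-out window
        account.locked_until = None             # window elapsed: counter starts again
        account.failed_logons = 0
    if not password_ok:
        account.failed_logons += 1
        if account.failed_logons >= policy.max_failed_logons:
            account.locked_until = now + timedelta(minutes=policy.lockout_minutes)
            return "locked"
        return "failed"
    account.failed_logons = 0
    account.last_activity = now
    if now - account.password_set_at > timedelta(days=policy.validity_days):
        return "password-expired"               # logon succeeds but the password must change
    return "ok"


def simulate_lockout(policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Six bad logons in a row, a retry inside the lock-out, and a retry after it (constructed)."""
    t0 = datetime(2014, 1, 1, 9, 0)
    acct = AccountState(password_set_at=t0, last_activity=t0)
    outcomes = [evaluate_logon(policy, acct, False, t0) for _ in range(6)]
    outcomes.append(evaluate_logon(policy, acct, True, t0 + timedelta(minutes=10)))
    outcomes.append(evaluate_logon(policy, acct, True, t0 + timedelta(minutes=31)))
    return outcomes


def simulate_aging(policy: PasswordPolicy = PasswordPolicy()) -> Tuple[str, str]:
    """A 91-day-old password on an active account, and an account idle for 91 days (constructed)."""
    t0 = datetime(2014, 1, 1, 9, 0)
    active = AccountState(password_set_at=t0, last_activity=t0 + timedelta(days=60))
    idle = AccountState(password_set_at=t0 + timedelta(days=60), last_activity=t0)
    at = t0 + timedelta(days=91)
    return evaluate_logon(policy, active, True, at), evaluate_logon(policy, idle, True, at)


if __name__ == "__main__":
    print(check_new_password(PasswordPolicy(), "abc123", []))
    print(simulate_lockout())
    print(simulate_aging())
```

The point worth noticing is that the sixth failure locks the account for the full 30 minutes even if the correct password is entered during that window, and that a correct password on an account idle for more than 90 days still does not log on; both are exactly the behaviours the defaults in Table 1-1 buy you.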


Grouping Category elements with Category Tag elements

If you have a large number of custom Category elements in the SMC, you can group the Categories by using Category Tag elements. Category Tags can also be used to filter elements in Management Client views.

The Category Tag is a new type of element in the Security Management Center (SMC). After you have created a Category Tag, you can select that Category Tag for a Category. You can also arrange Category Tags into groups by selecting a parent Category Tag for Category Tag elements.

When Category Filters are available, Category Tags can be used as filtering criteria in the Management Client.

For more information on Categories and Category Filters, see the Using Categories chapter in the McAfee SMC Administrator's Guide, version 5.7.

Create a Category Tag

Create a Category Tag that can be used for grouping Category elements and filtering elements in various Management Client views.

Task

For option definitions, press F1 or click Help in the interface.

1 Select Configuration | Configuration | Administration.

2 Expand Other Elements.

3 Right-click Categories and select New | Category Tag.

4 In the Name field, enter a name to easily identify the Category Tag.

5 (Optional) Organize the Category Tags into groups.

a To select a parent Category Tag, click Add.

b To create a new parent Category Tag, click the Tools icon and select New | Category Tag.

6 Click OK.

Add a Category to a group using a Category Tag

Add Categories to groups using Category Tags for easier management of categorized elements.

Task

For option definitions, press F1 or click Help in the interface.

1 Select Configuration | Configuration | Administration.

2 Expand Other Elements.

3 Right-click Categories and select New | Category to create a new Category, or right-click an existing Category to open the Category properties.

4 Select a Category Tag for the Category.

a To select an existing Category Tag, click Add.

b To create a new Category Tag, click the Tools icon and select New | Category Tag.

5 Click OK.


Filter elements by Category Tag

Use Category Tags to filter categorized elements in different Management Client views.

Task

For option definitions, press F1 or click Help in the interface.

1 If the Category Filter selection is not visible in the toolbar, select View | Layout | Category Filter Toolbar.

2 Select a Category Tag from the Category Filter menu to filter elements by Category Tag.

If the Category Tag you need is not listed, select Other and navigate to the Category Tag.

The elements in the view are filtered to only show elements in Categories that have the selected Category Tag.

Type-ahead search improvements

The type-ahead search that is available in most Management Client views is now easier to find. In policy editing views, the search also takes active Category Filters into account.

The type-ahead search field has been moved to the top of the view in all element list views, table views, and tree views where it can be used. You can activate the search by typing the search term in the correct view. You can also use the new Search icon in the toolbar to activate the type-ahead search.

In policy editing views, when you edit policy cells and have a Category Filter activated in the view, only search results that match the Category Filter are displayed.

Engine Editor and how it works

The Engine Editor combines all engine configuration information into one view that is easy to access and navigate. You can quickly save and validate all changes using the common Engine Editor toolbar.

You can use the Engine Editor to configure the following settings:

• General and advanced engine properties

• Interface configuration

• Routing and antispoofing

• Engine add-ons

• The engine's policy

• Virtual private networks (VPNs) in which the Firewall engine is used as a gateway

Most of these settings were previously found in various views and dialog boxes in the Management Client, or on different tabs in the engine properties dialog box.

The Engine Editor contains the following sections:

• General — General engine settings. Replaces the General tab in the engine properties. For configuration instructions, see the Creating and Modifying Engine Elements chapter in the McAfee SMC Administrator's Guide, version 5.7.

• Interfaces — Interface configuration. Replaces the Interfaces tab in the engine properties. Also contains settings related to loopback interfaces and ARP entries. For configuration instructions, see the Network Interface Configuration chapter in the McAfee SMC Administrator's Guide, version 5.7.


• Routing — Routing and antispoofing configuration. Replaces the Routing view and the Antispoofing view. Also contains settings related to policy routing and multicast routing. For information about routing improvements in McAfee NGFW 5.8, see Routing configuration improvements and Routing tools and how they work. For general information about configuring routing and antispoofing, see the Configuring Routing chapter in the McAfee SMC Administrator's Guide, version 5.7.

• Add-Ons — Settings related to engine add-ons. Replaces the Add-Ons tab in the engine properties. Also contains settings on McAfee GTI file reputation and the McAfee® Advanced Threat Defense server, which are new in 5.8.

  • For instructions on configuring add-ons, see the Add-on Features chapter in the McAfee SMC Administrator's Guide, version 5.7.

  • For instructions on configuring McAfee GTI, see Integrate McAfee GTI file reputation with McAfee NGFW.

  • For instructions on configuring the Advanced Threat Defense server, see Integrate a McAfee Advanced Threat Defense server with McAfee NGFW.

• Policies — Information about the Security Policy used on the engine and settings related to element-based NAT and Aliases. Also contains settings for Automatic rules, which is a new feature in 5.8.

  • For instructions on configuring element-based NAT, see the Element-Based NAT chapter in the McAfee SMC Administrator's Guide, version 5.7.

  • For instructions on configuring settings for Automatic rules, see Configure settings for Automatic rules.

  • For instructions on configuring Aliases, see the Alias Translations for Engines chapter in the McAfee SMC Administrator's Guide, version 5.7.

• VPN (Firewalls only) — Settings related to the engine's VPN configuration and SSL VPN configuration. For configuration instructions, see Configure VPN settings in the Engine Editor.

• Advanced Settings — Advanced engine settings (Traffic Handling, SYN Rate Limits, Log Handling, Scan Detection, DoS Protection, Idle Timeouts, and Tunneling). Replaces the Advanced tab in the engine properties. For configuration instructions, see the Advanced Engine Settings chapter in the McAfee SMC Administrator's Guide, version 5.7.

Access the Engine Editor to edit or view an engine configuration:

• Edit an engine configuration by right-clicking an engine element and selecting Edit. For more information, see Edit engine configuration.

• View an engine configuration by right-clicking an engine element and selecting Preview. Double-clicking an engine also opens the engine configuration in preview mode.

You can use the common Engine Editor toolbar to save configuration updates:

• Use the Save icon to save changes.

• Use the Validate icon to validate all the changes that have been made to engine settings.

• Use the Save and Refresh icon to save changes and refresh a policy on the engine.

The Save and Save and Refresh actions include engine validation, so you cannot save an incorrect configuration.

See also
    Routing configuration improvements on page 13
    Configure settings for Automatic rules on page 17


Edit engine configuration

Select an engine element to edit and access all configuration information for that engine in one view.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

The Engine Editor opens.

2 Use the navigation pane on the left to find the settings that you want to edit.

3 Edit the configuration information as required.

• For more information about the new tools in the Routing view, see Routing tools and how they work.

• For instructions on configuring McAfee GTI, see Integrate McAfee GTI file reputation with McAfee NGFW.

• For instructions on configuring the Advanced Threat Defense server, see Integrate a McAfee Advanced Threat Defense server with McAfee NGFW.

• For instructions on configuring settings related to Automatic rules, see Configure settings for Automatic rules.

• For instructions on configuring VPN settings, see Configure VPN settings in the Engine Editor.

• For other configuration instructions, see the McAfee SMC Administrator's Guide, version 5.7. See Engine Editor and how it works for information about individual chapters that explain the settings in the Engine Editor.

4 Select one of the following:

• To validate the changes, click the Tools icon in the toolbar and select Validate.

• To validate and save the changes, click the Save icon in the toolbar.

• To validate and save the changes and refresh the security policy on the engine, click the Save and Refresh icon in the toolbar.

Validation issues are displayed in the Issues pane. Double-click an issue to return to the section in which the issue can be fixed.

See also
    View the default route on page 13
    Add a default route on page 14
    Add routes on page 14
    Query routes on page 14
    Configure settings for Automatic rules on page 17
    Integrate McAfee GTI file reputation with McAfee NGFW on page 25
    Integrate an Advanced Threat Defense server with McAfee NGFW on page 26
    Integrate McAfee Logon Collector with McAfee NGFW on page 29
    Define Mobile VPNs on page 32
    Set up the SSL VPN Portal on page 34


Routing configuration improvements

You can now access the Routing view through the Engine Editor like other engine configuration information. New routing tools enable you to view and configure routes more easily.

The Routing view and the Antispoofing view can no longer be accessed through the Configuration menu. To access the Routing view in the Engine Editor, right-click an engine element in the System Status view, select Edit, and navigate to Routing.

The Routing view has been split into two display modes:

• Traditional tree view

• Simple table view (IPv4 and IPv6 routes are shown in separate tables.)

You can switch between the display modes using the Display Mode menu at the top of the view.

A new Routing Tools pane has been added to the bottom of the Routing view to make routing configurationeasier and more intuitive. The Routing Tools pane has three tabs:

• Default Route — View and create default routes.

• Add Route — Create new routes.

• Query Route — Search for routes.

See also
    View the default route on page 13
    Add a default route on page 14
    Add routes on page 14
    Query routes on page 14

Default routes created automatically

A new setting enables the automatic creation of default routes for interfaces with dynamic IP addresses on single engines.

The IP Address Properties dialog box for dynamic IP addresses contains a new Automatic Default Route option. Selecting this option enables the automatic creation of a default route for the interface. You no longer have to manually create a Router element for the interface and drag-and-drop a Network element under it.

The Automatic Default Route option is selected by default for new interfaces with dynamic IP addresses. Only single Firewalls, Single IPS engines, and Single Layer 2 Firewalls can have dynamic IP addresses.

View the default route

Use the Show Default Route function to quickly check which route is currently set as the default route.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

2 Browse to Routing.

3 In the Routing Tools pane, click the Default Route tab, then click Show Default Route to show the current default route or default routes for the engine.

The default routes are highlighted.


Add a default route

Use the Default Route tab of the Routing Tools pane to define a new default route.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

2 Browse to Routing.

3 In the Routing Tools pane, click the Default Route tab.

4 In the Gateway field, enter an IP address. You can also double-click the field and select a gateway device for the route.

5 Click Add.

The default route is added to the configuration.

6 Click the Save icon in the toolbar to save and validate changes.

Add routes

Use the Add Route tab of the Routing Tools pane to add new routes.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

2 Browse to Routing.

3 In the Routing Tools pane, click the Add Route tab.

4 In the Destination field, enter an IP address. You can also double-click the field and select a destination device.

5 In the Gateway field, enter an IP address. You can also double-click the field and select a gateway device.

6 Click Add.

The route is added to the configuration.

7 Click the Save icon in the toolbar to save and validate changes.

Query routes

Use the Query Route tab of the Routing Tools pane to find routes.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

2 Browse to Routing.

3 In the Routing Tools pane, click the Query Route tab.

4 (Optional, NetLinks only) In the Source field, enter an IP address. You can also double-click the field to select a source device.

5 In the Destination field, enter an IP address. You can also double-click the field to select the destination device.

6 Click Query.

The route that matches the search criteria is shown.
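The two lookups the Routing Tools pane offers, Show Default Route and Query Route, are easy to misread if you are new to the table view, so here is an added example (not McAfee code, and not the engine's routing implementation) that performs both over a constructed routing table. It assumes what any IP router does: a query returns the most specific route whose destination network contains the queried address, and the default route is the all-zero prefix (0.0.0.0/0 or ::/0). The route entries and gateway addresses are constructed sample data, and the source-based (NetLink) query from step 4 is not modelled.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not McAfee code: a small routing table with the Show Default
# Route and Query Route lookups, done as longest-prefix match over the table.

Route = Tuple[ipaddress._BaseNetwork, ipaddress._BaseAddress]


def build_table(routes: List[Tuple[str, str]]) -> List[Route]:
    """Parse (destination CIDR, gateway address) pairs into network/address objects."""
    return [(ipaddress.ip_network(dst), ipaddress.ip_address(gw)) for dst, gw in routes]


def default_routes(table: List[Route], version: int = 4) -> List[Route]:
    """Show Default Route: the entries whose destination is the all-zero prefix.
    IPv4 and IPv6 routes live in separate tables in the view, so filter by version."""
    return [(net, gw) for net, gw in table if net.version == version and net.prefixlen == 0]


def query_route(table: List[Route], destination: str) -> Optional[Route]:
    """Query Route: the most specific route that contains the destination, or None.
    The default route only wins when no more specific route matches."""
    addr = ipaddress.ip_address(destination)
    candidates = [(net, gw) for net, gw in table if net.version == addr.version and addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda entry: entry[0].prefixlen)


def describe(table: List[Route], destination: str) -> str:
    """One-line answer in the shape an administrator reads off the Routing view."""
    hit = query_route(table, destination)
    if hit is None:
        return f"{destination}: no route"
    return f"{destination}: via {hit[1]} ({hit[0]})"


# Constructed sample table: an IPv4 default route, two overlapping IPv4 routes
# (the /16 is more specific than the /8) and an IPv6 default route.
SAMPLE_ROUTES = build_table([
    ("0.0.0.0/0", "192.0.2.1"),
    ("10.0.0.0/8", "192.0.2.2"),
    ("10.1.0.0/16", "192.0.2.3"),
    ("::/0", "2001:db8::1"),
])


if __name__ == "__main__":
    for dest in ("10.1.2.3", "10.2.2.3", "198.51.100.7", "2001:db8:1::5"):
        print(describe(SAMPLE_ROUTES, dest))
    print("IPv4 default routes:", [str(gw) for _, gw in default_routes(SAMPLE_ROUTES)])
```

The table deliberately contains overlapping routes so the query shows why the /16 wins over the /8 for 10.1.2.3 while 10.2.2.3 falls through to the /8, and why an address matched by nothing else ends up on the default route; a table with no default route returns no route at all for such an address, which is the case the Show Default Route tab lets you spot quickly.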


2 Policy and inspection improvements

Policy improvements make the configuration of rules easier and more intuitive. Improvements to inspection improve inspection performance and coverage.

Contents
    Automatic rules and how they work
    Configure settings for Automatic rules
    Template name and description updates
    File filtering
    Restrict file types with file filtering
    Improved handling of TCP protocols

Automatic rules and how they work

When you enable a feature that requires that traffic between certain components is allowed, rules allowing the traffic are automatically created.

Automatic rules are created for traffic to and from the engine, never for traffic that passes through the engine. Some features require more specific control over what traffic is allowed between specific components, and in those cases you still have to configure Access rules manually.

Automatic rules are not visible in rule tables, but you can view a summary of currently used Automatic rules in the Automatic Rules section of the Engine Editor. You can also modify certain settings for Automatic rules in the Engine Editor. For more information, see Configure settings for Automatic rules.

Automatic rules are only created if the policy that is installed on the engine contains the Automatic Rules Insert Point. The default Template Policies in the Management Client already contain this insert point, so no further action is needed for Automatic rules to be created if you base your Template Policies and Security Policies on the recommended default Template Policies.

If you create a Template Policy that is not based on a default Template Policy, you must add the Automatic Rules Insert Point manually. To do this, open the Template Policy for editing, right-click the ID cell of any rule, and select Add Automatic Rules Insert Point. You can add the Automatic Rules Insert Point anywhere in the Template Policy.

Configure settings for Automatic rules

View a summary of Automatic rules and manage related settings in the Engine Editor.

Before you begin

The Template Policy used on the engine must contain the Automatic Rules Insert Point. For more information, see Automatic rules and how they work.


In the Automatic Rules section of the Engine Editor, you can set the log level and possible Alert element for Automatic rules. For more information on log levels and Alert elements, see the Editing Policies chapter in the McAfee SMC Administrator's Guide, version 5.7. For Firewalls, Virtual Firewalls, and Master Engines, you can also define whether traffic from the engine to authentication ports is allowed.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

2 Browse to Policies | Automatic Rules in the navigation pane on the left.

3 (Firewalls, Virtual Firewalls, and Master Engines only) For the Allow Traffic to Authentication Ports setting, select Yes or No.

By default, traffic to authentication ports is allowed.

4 Using the Log Level for Automatic Rules menu, set the log level for Automatic rules to None, Alert, Essential, Stored, or Transient.

By default, logging is set to None.

5 (Optional, only if Log Level for Automatic Rules is set to Alert) Using the Alert menu, select the Alert element to use.

6 Click the Save icon in the Engine Editor toolbar to save changes.

Template name and description updates

The default Inspection Policies are now called Inspection Templates. They also have new descriptions that help you select the correct template.

The default Inspection Policies on which you can base customized Inspection Policies have been renamed:

• The High-Security Inspection Policy is now called High-Security Inspection Template.

• The Medium-Security Inspection Policy is now called Medium-Security Inspection Template.

All the Inspection Templates now also have helpful descriptions that explain the typical uses of each template. Hover over the template to see the description.

File filtering

Monitoring and restricting what data is sent out is an important part of data loss prevention (DLP). File filtering allows you to restrict the file types that are allowed in and out through the firewall, and to apply malware detection to files.

Rules for file filtering are defined in the File Filtering Policy. Whenever a file transfer operation is detected, the traffic is checked against the File Filtering Policy. The first rule that matches the file transfer operation is applied. If no matching rule is found, the file transfer is allowed.

The rules in the File Filtering Policy allow you to define rule-specific options for malware detection. The following malware detection methods are supported, listed in the order in which scanning is done:


• McAfee GTI file reputation (Requires enabling McAfee GTI File Reputation and authorizing the use of the McAfee GTI service)

• Anti-Virus

• McAfee Advanced Threat Defense (Requires integration with a McAfee Advanced Threat Defense server)

File filtering does not require a separate license. However, file filtering is only available for protocols for which the engine can do deep inspection. If a particular protocol is not included in the engine's deep inspection license, file filtering is not available for that protocol.

The following changes affect existing McAfee NGFW installations:

• The Anti-Virus option, which was previously part of Access rule Allow Action Options, has been moved to the new File Filtering Policy.

• There is a new File Filtering option in the Access rule Allow Action Options. This option replaces the previous Anti-Virus option.

See also
Integrate McAfee GTI file reputation with McAfee NGFW on page 25
Integrate an Advanced Threat Defense server with McAfee NGFW on page 26

Restrict file types with file filtering
Configure file filtering if you want to restrict the file types that are allowed through the firewall, and to apply malware detection to files.

You must configure the following malware detection methods before you can use them for file filtering.

Malware detection method: Explanation

McAfee GTI file reputation scan: You must integrate the McAfee NGFW with McAfee GTI file reputation services.

Anti-Virus: You must enable Anti-Virus in the engine properties. For complete instructions, see Edit engine configuration and the Add-On Features chapter of the McAfee SMC Administrator's Guide, version 5.7.

McAfee Advanced Threat Defense file reputation scan: You must integrate the McAfee NGFW with a McAfee ATD server.

Task
For option definitions, press F1 or click Help in the interface.

1 Create a File Filtering Policy.

a Select Configuration | Configuration | Security Engine.

The Security Engine Configuration view opens.

b Right-click Policies and select New | File Filtering Policy.

The File Filtering Policy Properties dialog box opens.

c In the Name field, enter a unique name for the File Filtering Policy.

d Click OK.

The File Filtering Policy opens for editing.


2 Add rules to the File Filtering Policy.

a Right-click the last row in an empty policy and select Add Rule, or right-click the ID cell of an existing rule and select Add Rule Before or Add Rule After.

b Drag and drop elements from the Resources pane to the Source and Destination cells or define source and destination criteria.

For complete instructions, see the Editing Policies chapter of the McAfee SMC Administrator's Guide, version 5.7.

The Source and Destination fields are the source and destination of the file transfer, not the source and destination of the connection.

For example, a client in the internal network downloads a file from a web server on the Internet. The source is the web server that served the file. The destination is the client computer.

c Drag and drop File Type Situations from the Resources pane to the File Type cell.

3 Right-click the Action cell and select one of the following:

Action: Explanation

Allow: The file transfer is allowed without malware detection scanning. By default, compressed files are decompressed and the contents are matched against the File Filtering Policy again.

Allow After: The specified malware detection scans are applied to the file. If the file meets the requirements specified in the rule action options, the file transfer is allowed. Otherwise, the file is discarded.

Discard: The file transfer is discarded without sending an ICMP error message or TCP reset to the source. This action cannot be applied to traffic picked up through Capture Interfaces on an IPS engine or Layer 2 Firewall.

4 If you selected Allow and you want to disable the decompression and rematching of compressed files, double-click the Action cell and deselect Decompress Archives and Rematch Content.

When you disable the decompression and rematching of compressed files, all files that are included in the compressed file are allowed without malware detection scanning if the compressed file is allowed.


5 If you selected Allow After, select options for malware detection scans.

Option / Setting: Explanation

GTI File Reputation Scan
  Allow if file reputation is better than / Discard if file reputation is worse than: A checksum of the file is sent to the McAfee GTI cloud to be scanned. A file reputation score is returned. The file is allowed without other malware detection scans if the reputation score is higher than the value you specify. The file is discarded if the file reputation score is lower than the value you specify. Otherwise, the next malware detection scan starts.

Anti-Virus Scan: The file is scanned for viruses by the McAfee NGFW. If the file is infected, it is discarded. If the file is not infected, the next malware detection scan starts.

ATD File Reputation Scan
  Allow if file reputation is better than / Discard if file reputation is worse than: The file is sent to an integrated Advanced Threat Defense server to be scanned. A file reputation score is returned. The file is allowed if the reputation score is higher than the value you specify. The file is discarded if the file reputation score is lower than the value you specify.

Spooling Level
  None: Traffic is not buffered. Traffic is allowed through before malware detection scans are completed. This minimizes the delay to traffic, but it does not block malware. The Spooling Level option is ignored for Capture Interfaces and when Connection Termination is set to Only Log Connection for the engine.
  Low: Only the last packet of the streaming connection is buffered until malware scans are completed. The other packets of the connection are allowed through before malware scans are completed. For SMTP traffic, selecting this option has the same effect as High.
  Medium: Part of the streaming connection is buffered until malware scans are completed. For SMTP traffic, selecting this option has the same effect as High.
  High: Traffic is buffered until all malware scans are completed. This provides the highest level of security, but it can delay traffic.

Log Level
  None: Does not create any log entry when malware is detected or blocked.
  Stored: Creates a log entry that is stored on the Log Server when malware is detected or blocked.
  Alert: Triggers an alert when malware is detected or blocked.

Default action when no file scanning methods are available
  Discard File: Files are discarded if none of the file scanning methods are available.
  Allow File: Files are allowed without malware detection scanning if none of the file scanning methods are available.

Action when a file scanning method is not available
  Ignore: If one of the file scanning methods is not available, that file scanning method is skipped.
  Block: Files are blocked if one of the file scanning methods is not available.

6 To save the File Filtering Policy, click the Save icon in the toolbar.

7 Edit the Firewall, IPS, or Layer 2 Firewall Policy.


For complete instructions, see the Editing Policies chapter of the McAfee SMC Administrator's Guide, version 5.7.

a Enable File Filtering in the action options of individual Access rules or add a rule with the Continue action to set defaults for file filtering.

b Select the File Filtering Policy on the Inspection tab.

If there is no custom File Filtering Policy, the default File Filtering Policy is used. The default File Filtering Policy contains the following rules.

ID  Source    Destination  File Type   Action
1   External  Internal     Media File  Allow (Rematch Archive Content: on)
2   External  Internal     ANY         Allow After (Anti-Virus: Defined in Engine; File Reputation: Defined in Engine; ATD: Defined in Engine)

8 To save and install the Firewall, IPS, or Layer 2 Firewall Policy, click the Save and Install icon in the toolbar.

See also
Integrate McAfee GTI file reputation with McAfee NGFW on page 25
Integrate an Advanced Threat Defense server with McAfee NGFW on page 26
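The evaluation logic that steps 2 to 5 above describe (first matching rule wins, Allow with archive rematching, the Allow After scan chain with its thresholds, and the two options for unavailable scanning methods), modeled in Python as an added example that is not McAfee NGFW code. The class names, the 0 to 100 reputation scale, the thresholds standing in for "Defined in Engine" and the hash labels are constructed assumptions.

```python
"""Illustrative model of File Filtering Policy evaluation as the addendum describes it:
first matching rule wins, no match means allow, Allow rules can rematch archive
contents, Allow After rules run GTI, Anti-Virus and ATD in that order. Written for this
page, not McAfee NGFW code; names, the 0-100 score scale and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class ScanOptions:
    gti: Optional[Tuple[int, int]] = None  # (allow if better than, discard if worse than)
    antivirus: bool = False
    atd: Optional[Tuple[int, int]] = None  # None: this scan is not selected in the rule
    default_when_none_available: str = "Discard File"  # or "Allow File"
    when_one_unavailable: str = "Ignore"               # or "Block"

@dataclass
class Rule:
    source: str        # zone of the host that served the file, not the connection source
    destination: str   # zone of the host that received the file
    file_type: str     # "ANY" matches every File Type Situation
    action: str        # "Allow", "Allow After" or "Discard"
    rematch_archives: bool = True  # "Decompress Archives and Rematch Content"
    options: ScanOptions = field(default_factory=ScanOptions)

@dataclass
class FileTransfer:
    source: str
    destination: str
    file_type: str
    sha256: str
    members: List["FileTransfer"] = field(default_factory=list)  # archive contents

@dataclass
class Scanners:  # a back-end set to None is unavailable (e.g. no ATD server integrated)
    gti: Optional[Callable[[FileTransfer], int]] = None
    antivirus: Optional[Callable[[FileTransfer], bool]] = None  # True = infected
    atd: Optional[Callable[[FileTransfer], int]] = None

def match_rule(policy: List[Rule], t: FileTransfer) -> Optional[Rule]:
    for rule in policy:  # the first matching rule is applied
        if (rule.source == t.source and rule.destination == t.destination
                and rule.file_type in ("ANY", t.file_type)):
            return rule
    return None

def reputation_verdict(score: int, thresholds: Tuple[int, int]) -> str:
    allow_if_better_than, discard_if_worse_than = thresholds
    if score > allow_if_better_than:
        return "allow"
    if score < discard_if_worse_than:
        return "discard"
    return "next"  # inconclusive: the next malware detection scan starts

def allow_after(t: FileTransfer, opts: ScanOptions, sc: Scanners) -> str:
    steps = []  # scan order from the addendum: GTI, Anti-Virus, ATD
    if opts.gti is not None:
        steps.append((sc.gti, lambda s: reputation_verdict(s, opts.gti)))
    if opts.antivirus:
        steps.append((sc.antivirus, lambda infected: "discard" if infected else "next"))
    if opts.atd is not None:
        steps.append((sc.atd, lambda s: reputation_verdict(s, opts.atd)))
    if steps and all(scanner is None for scanner, _ in steps):
        return "allow" if opts.default_when_none_available == "Allow File" else "discard"
    for scanner, decide in steps:
        if scanner is None:  # "Block" discards the file, "Ignore" skips the method
            if opts.when_one_unavailable == "Block":
                return "discard"
            continue
        verdict = decide(scanner(t))
        if verdict != "next":
            return verdict
    return "allow"  # assumption: a chain that stays inconclusive ends in allow

def evaluate(policy: List[Rule], t: FileTransfer, sc: Scanners) -> str:
    rule = match_rule(policy, t)
    if rule is None:
        return "allow"  # no matching rule: the file transfer is allowed
    if rule.action == "Discard":
        return "discard"
    if rule.action == "Allow":
        if rule.rematch_archives and t.members:
            # contents are rematched against the policy (assumption: one bad member discards the archive)
            if any(evaluate(policy, m, sc) == "discard" for m in t.members):
                return "discard"
        return "allow"  # the file itself gets no malware detection scanning
    return allow_after(t, rule.options, sc)

# Constructed sample: the default File Filtering Policy from the addendum; assumed thresholds
# (allow > 70, discard < 30) stand in for "Defined in Engine". Source/Destination are those of
# the file transfer: an internal client downloading from an Internet server has External source.
DEFAULT_POLICY = [
    Rule("External", "Internal", "Media File", "Allow", rematch_archives=True),
    Rule("External", "Internal", "ANY", "Allow After",
         options=ScanOptions(gti=(70, 30), antivirus=True, atd=(70, 30))),
]
# Constructed scanner back-ends keyed by a fake hash label; ATD is not integrated.
GTI_SCORES = {"h-clean": 95, "h-bad": 5, "h-grey": 50, "h-grey-infected": 50}
SCANNERS = Scanners(gti=lambda t: GTI_SCORES.get(t.sha256, 50),
                    antivirus=lambda t: t.sha256 == "h-grey-infected", atd=None)
```

Calling evaluate(DEFAULT_POLICY, FileTransfer("External", "Internal", "Executable", "h-grey"), SCANNERS) walks the full chain: GTI is inconclusive, Anti-Virus finds nothing, and the unintegrated ATD scan is skipped under Ignore, so the file is allowed.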

Improved handling of TCP protocols
TCP protocol handling has been updated to improve performance and inspection coverage. Improved TCP protocol handling provides the following new capabilities:

• Ability to modify stream data of connections, for example, for traffic normalization

• More efficient inspection when TCP payload modification is required

• More efficient inspection when data must be cached until inspection is completed; this improves the performance of TLS inspection, URL filtering, file filtering, Anti-Virus, and Anti-Spam

• Better detection coverage of Advanced Evasions

Due to improved TCP protocol handling, the following enhancements have been made to existing features:

• Anti-Spam is now supported on McAfee NGFW in the IPS and Layer 2 Firewall roles.

• Anti-Virus is now supported on McAfee NGFW in the IPS and Layer 2 Firewall roles.

• TLS inspection for server protection can now be used with Capture Interfaces on McAfee NGFW in the IPS and Layer 2 Firewall roles. TLS inspection for client protection still requires Inline Interfaces.

• User Responses are now supported on McAfee NGFW in the Layer 2 Firewall role.

The following changes affect existing McAfee NGFW installations:

• TCP Situation elements that previously contained options for controlling TCP inspection can now be used only for logging. The TCP situations now have no configurable options.

• The Anti-Virus_Virus-Found Situation element has been replaced by the File_Malware-Blocked Situation element.


• The engine now automatically switches between active stream handling and transparent packet forwarding according to the configured functions and received packets. The legacy Strict TCP Mode for Deep Inspection option still appears in the Engine Editor for backward compatibility, but the option has no effect.

• McAfee NGFW in all roles checks the validity of packets to protect the engine from processing invalid packets, which can be harmful to the McAfee NGFW. Depending on the action in the Inspection Policy, McAfee NGFW in the IPS and Layer 2 Firewall roles can either terminate invalid packets or bypass the traffic without processing the invalid packets. For self-protection reasons, McAfee NGFW in the Firewall/VPN role always terminates invalid packets without establishing a connection.

• Configuring logging options for the Invalid Packet Situation Type in the Inspection Policy now enables logging for all McAfee NGFW roles. Logging for the Firewall/VPN role could previously only be enabled by selecting the Packet Filter diagnostic mode in the Firewall/VPN diagnostics for the engine. More detailed information is now available in the Firewall logs when invalid packets are detected and terminated.

Invalid Packet Situations are always log rate limited.

• Additional Situations, such as the TCP_Segment-SYN-No-Options Situation and the Invalid Packet DoS Situation Type, might also be detected while checking the validity of packets. You can configure the action and logging for traffic that matches the additional Situations in the Inspection Policy for all McAfee NGFW roles.

Unless you need to select a different action, you should terminate invalid packets to prevent the McAfee NGFW from processing them.


3 McAfee NGFW integration with other McAfee products

Integrating the McAfee NGFW with the other McAfee products in your environment improves inspection, user identification, and monitoring.

Contents
Integrate McAfee GTI file reputation with McAfee NGFW
Integrate an Advanced Threat Defense server with McAfee NGFW
Integrate McAfee ePO with McAfee NGFW
Query McAfee ePO information in logs
Integrate McAfee Logon Collector with McAfee NGFW

Integrate McAfee GTI file reputation with McAfee NGFW
Integrating McAfee NGFW with McAfee Global Threat Intelligence file reputation services improves the malware detection coverage of McAfee NGFW when you use file filtering.

The McAfee GTI database contains malicious file classifications. McAfee GTI file reputation scans executables and PDF documents and compares them against the McAfee GTI database. Integration with McAfee GTI file reputation allows access control based on the scan results. McAfee GTI file reputation scan is one of the malware detection methods that can be used as part of the file filtering feature.

Use of McAfee GTI file reputation does not require a separate license. However, McAfee GTI file reputation is only available for protocols for which the McAfee NGFW can do deep inspection or Anti-Virus. If a particular protocol is not included in the engine's deep inspection or Anti-Virus license, McAfee GTI file reputation is not available for that protocol.

Only a hash of the file is sent to the McAfee GTI cloud. No other data or telemetry information is sent to the McAfee GTI cloud.

Task
For option definitions, press F1 or click Help in the interface.

1 Authorize the use of McAfee GTI in the Management Client.

a Select File | System Tools | Global System Properties to open the Global System Properties dialog box.

b Click the McAfee GTI tab.

c Select Authorize McAfee GTI usage.


2 Enable GTI File Reputation checks.

a In the System Status view, right-click an engine element and select Edit <element type>.

b Browse to Add-Ons | GTI File Reputation.

c Select Enable GTI File Reputation Checks.

d (Optional) Add one or more HTTP Proxies if the McAfee NGFW must use a proxy to connect to the McAfee GTI cloud.

e Click the Save and Refresh icon in the Engine Editor toolbar to save the changes to the configuration and refresh the policy on the engine.

McAfee GTI file reputation scan can now be used for malware detection in the File Filtering Policy.

See also
File filtering on page 18
Restrict file types with file filtering on page 19

Integrate an Advanced Threat Defense server with McAfee NGFW

Integrating McAfee NGFW with McAfee Advanced Threat Defense improves the malware detection coverage of McAfee NGFW when you use file filtering.

Advanced Threat Defense uses multiple techniques to scan files for malware detection. The Advanced Threat Defense server returns the result of the scan as a file reputation. The Advanced Threat Defense scan is one of the malware detection methods that can be used as part of the file filtering feature.

Use of Advanced Threat Defense file reputation does not require a separate license. However, Advanced Threat Defense file reputation is only available for protocols for which the engine can do deep inspection. If a particular protocol is not included in the engine's deep inspection license, Advanced Threat Defense file reputation is not available for that protocol.

Rules to allow communication with the Advanced Threat Defense server are automatically generated based on the McAfee NGFW engine configuration.

Task
For option definitions, press F1 or click Help in the interface.

1 Create an ATD Server element.

a Select Configuration | Configuration | Security Engine.

The Security Engine Configuration view opens.

b Browse to Network Elements | Servers.

c Right-click Servers and select New | ATD Server.

d In the Name field, enter a unique name for the ATD Server element.

e In the IP Address field, enter the IPv4 address of the McAfee ATD server.

The Port field contains the port number for communication between the McAfee NGFW and the Advanced Threat Defense server. The Control Port field contains the port number for communication between the Management Server and the Advanced Threat Defense server. Do not change the Port or Control Port settings unless you must use different ports.


2 Import the certificate from the Advanced Threat Defense server.

a Click Get ATD Certificate.

b In the User Name and Password fields, enter your credentials for connecting to the Advanced Threat Defense server.

c Click OK.

The certificate is retrieved from the Advanced Threat Defense server.

3 Enable Advanced Threat Defense file reputation checks.

a Open the Engine Editor using the instructions in Edit engine configuration.

b Browse to Add-Ons | ATD File Reputation.

c Add one or more Advanced Threat Defense servers.

d Click the Save and Refresh icon in the Engine Editor toolbar to save the changes to the configuration and refresh the policy on the engine.

Advanced Threat Defense file reputation scan can now be used for malware detection in the File Filtering Policy.

See also
File filtering on page 18
Restrict file types with file filtering on page 19

Integrate McAfee ePO with McAfee NGFW
Integrating McAfee NGFW with McAfee® ePolicy Orchestrator® (McAfee ePO™) improves the monitoring of client computers in the protected network.

McAfee ePO is a centralized management tool for McAfee endpoint solutions deployed on multiple hosts. Integrating a McAfee ePO server allows you to query information about client computers in the protected network.

Task
For option definitions, press F1 or click Help in the interface.

1 Create an ePO Server element.

a Select Configuration | Configuration | Security Engine to open the Security Engine Configuration view.

b Browse to Network Elements | Servers.

c Right-click Servers and select New | ePO Server.

d In the Name field, enter a unique name for the ePO Server element.


2 Complete the following fields to configure the contact information for connections to the McAfee ePO server.

Field: Explanation

IPv4 Address: The IPv4 address of the McAfee ePO server.

IPv6 Address: (Optional) The IPv6 address of the McAfee ePO server. You can enter both an IPv4 and an IPv6 address.

Authentication Login: The McAfee ePO administrator user name.

Authentication Password: The McAfee ePO administrator password.

3 Click OK.

You are prompted to initialize the SSL context trusted by the McAfee ePO server.

4 Click Yes.

Information about the certificate authority that signed the certificate for communication with the McAfee ePO server is displayed.

5 Click OK.

Contact is established with the McAfee ePO server.

You can now query information about client computers in the protected network from the Logs view.

Query McAfee ePO information in logs
Query McAfee ePO information about IP addresses to get information about the hardware and software on client computers.

Before you begin
A McAfee® Agent must be installed on the client computers.

You can query the following information about client computers:

• Hardware details

• Information about software that is running on the client computer, such as McAfee agents

• The status of McAfee endpoint protection products

Task
For option definitions, press F1 or click Help in the interface.

1 Select Monitoring | Logs to open the Logs view.

2 Right-click an IP address in a log entry and select ePO Information on.

Information about the client computer is displayed in the dialog box that opens.


Integrate McAfee Logon Collector with McAfee NGFW
Integrating McAfee NGFW with McAfee® Logon Collector improves user identification for access control by user. This is an alternative to the Stonesoft User Agent.

Logon Collector monitors logon events to associate users with IP addresses. Integration with Logon Collector adds the following new features:

• High Availability using a primary and secondary Logon Collector server

• Support for multiple Active Directory (AD) domains

• Support for user and user group names that contain non-ASCII characters

• Monitoring of logon events from Microsoft Exchange Servers in addition to monitoring events from the domain controller (DC)

In version 5.8, both the MLC User Agent and the Stonesoft User Agent are supported. Only one type of User Agent can be used for each single engine or cluster.

Task
For option definitions, press F1 or click Help in the interface.

1 In the Logon Collector installation, generate or export a certificate for communication with the Logon Collector.

For complete instructions, see the McAfee Logon Collector Administration Guide.

2 Save the certificate in a location that is accessible from the computer you use to run the Management Client.

3 In the Management Client, create a Logon Collector element.

a Select Configuration | Configuration | Security Engine to open the Security Engine Configuration view.

b Browse to Other Elements | Engine Properties.

c Right-click User Agents and select New | Logon Collector.

d In the Name field, enter a unique name for the Logon Collector element.

e In the IP Address field, enter the IPv4 address of the primary Logon Collector server.

The Port field contains the port number for communication between the McAfee NGFW and the Logon Collector server. Do not change the port setting unless you must use a different port.

4 (Optional) Complete the following fields in the High Availability section to configure the contact information for connections to a secondary Logon Collector server.

Field: Explanation

IP Address: The IPv4 address of the secondary Logon Collector server.

Port: The port number for communication between McAfee NGFW and the Logon Collector server. The default port number is 61613. Use the default port number unless you must use a different port number.

5 Import the certificate for communication with the Logon Collector.

a On the Certificate tab, click Import.

b Select the certificate and click Open.


6 Select Logon Collector for McAfee NGFW engines.

a In the System Status view, right-click an engine element and select Edit <element type>.

b Browse to Add-Ons | User Agent.

c In the User Agent list, select a Logon Collector.

If the Logon Collector that you want to use is not listed, select Other and select a Logon Collector.

d Click the Save and Refresh icon in the Engine Editor toolbar to save the changes to the configuration and refresh the policy on the engine.

7 Export an SMC certificate for communication with the Logon Collector.

a Select Configuration | Configuration | Administration to open the Administration Configuration view.

b Browse to Other Elements | Internal Certificate Authorities.

c Right-click the internal certificate authority and select Properties.

The Properties dialog box opens.

d On the Certificate tab, click Export.

e Save the certificate.

f Click Cancel to close the properties of the internal certificate authority.

g Import the certificate on the Logon Collector server.

For complete instructions, see the McAfee Logon Collector Administration Guide.


4 VPN configuration improvements

Usability improvements in the VPN configuration make it easier and more intuitive to start using VPNs. The SSL VPN Portal provides secure browser-based access to HTTP-based services in the protected network. SSL VPN tunneling enables the use of SSL VPN tunnels with the McAfee VPN Client solution.

Contents
Simpler VPN configuration
Define Mobile VPNs
SSL VPN support

Simpler VPN configuration
The VPN configuration has been simplified to make it easier and more intuitive to start using VPNs.

In version 5.8, the VPN configuration process for the Mobile VPN (formerly client-to-gateway VPN) has changed. Site-to-site VPNs between VPN gateways are still defined in the VPN editor in the same way as before. Elements used in the VPN configuration for both Mobile VPNs and site-to-site VPNs can now be configured in the Engine Editor.

It is no longer necessary to create VPN Gateway elements to represent firewalls in VPNs. When new Firewall elements are created, or when engines that did not previously have Gateways defined are upgraded to version 5.8, the VPN Gateway element for the engine is automatically created. Firewalls that already had Gateways defined before upgrading to version 5.8 retain the existing Gateway configuration.

The names of the following VPN-related elements have changed in the Management Client and in the documentation.

Table 4-1 VPN terminology changes

Previous term                                  New term
Client-to-Gateway VPN                          Mobile VPN
External Security Gateway element              External VPN Gateway element
Gateway-to-Gateway VPN                         Site-to-site VPN
Internal Security Gateway element              VPN Gateway element
IPsec VPN Client                               VPN Client
Overall Topology tab (in the VPN editor)       Site-to-Site VPN tab
VPNs branch (in the VPN Configuration view)    Policy-Based VPNs branch
VPN element                                    Policy-Based VPN element


The following changes affect existing McAfee NGFW installations:

• The Mobile VPN configuration has been separated into its own tab in the VPN editor. Instead of placing the VPN Client element under a gateway, you now select the gateways that provide Mobile VPN access on the new Mobile VPN tab.

• New VPN-related options in the Engine Editor allow you to configure elements used in the VPN configuration. You can now configure VPN Gateways, End-Points, Sites, VPN Client settings, Trusted CAs, and Gateway Settings for the engine in the Engine Editor. These elements can no longer be configured in the VPN Configuration view.

Table 4-2 VPN settings in the Engine Editor

Branch: Explanation

End-Points: The End-Points branch lists the IP addresses that are used when the firewall acts as a gateway in a VPN. The endpoint IP addresses are automatically defined based on the firewall's interface configuration. The endpoints are automatically selected based on the firewall's routing. If the automatically defined settings meet your needs, there is no need to edit the End-Points settings. To edit the settings, see the instructions in the Defining End-Points for Internal VPN Gateways section in the Configuring IPsec VPNs chapter of the McAfee SMC Administrator's Guide, version 5.7.

SSL VPN Portal: The SSL VPN Portal branch contains settings for using the firewall as an SSL VPN portal. To edit the settings, see the instructions in Enable the SSL VPN Portal.

Sites: The Sites branch contains the internal IP addresses that send or receive traffic through the VPN. The Site contents are automatically defined based on the firewall's routing. If the automatically defined settings meet your needs, there is no need to edit the Sites settings. To edit the settings, see the instructions in the Defining Sites for VPN Gateways section in the Configuring IPsec VPNs chapter of the McAfee SMC Administrator's Guide, version 5.7.

VPN Client: The VPN Client branch contains settings for VPN Clients in Mobile VPNs. To edit the settings, see the instructions in Define Mobile VPNs.

Certificates: The settings on the Certificates branch allow you to enable or disable automated RSA certificate management for VPNs, and to restrict the trusted VPN certificate authorities. To edit the settings, see the instructions in the Configuring IPsec VPNs chapter and the Managing VPN Certificates chapter of the McAfee SMC Administrator's Guide, version 5.7.

Advanced: The Advanced branch contains settings for Gateways and VPN Client address management. These settings are not needed in the majority of VPNs. To edit the settings, see the instructions in the following sections and chapters of the McAfee SMC Administrator's Guide, version 5.7:

• Advanced VPN Tuning section in the Reconfiguring Existing VPNs chapter.

• Managing VPN Client IP Addresses section in the VPN Client Settings chapter.

See also Enable the SSL VPN Portal on page 37

Define Mobile VPNs
The configuration logic for creating Mobile VPNs has changed. You can use both SSL VPN and IPsec VPN tunnels together in the Mobile VPN configuration in the same Policy-Based VPN.


Task
For option definitions, press F1 or click Help in the interface.

1 Edit VPN Client settings in the Engine Editor.

a In the System Status view, right-click an engine element and select Edit <element type>.

The Engine Editor opens.

b Browse to VPN | VPN Client.

c (Optional) If you want to display a different name for the Gateway to Mobile VPN users, enter the name in the Gateway Display Name field.

If you are upgrading to version 5.8 and you already have a Gateway element configured, the name of the existing Gateway element is shown in the Gateway Display Name field by default. If you are creating a new Gateway element, the name of the Firewall element is shown in the Gateway Display Name field by default.

d In the VPN Mode menu, select one of the following options:

• IPsec VPN — The Mobile VPN only supports IPsec VPN tunnels.

• SSL VPN — The Mobile VPN only supports SSL VPN tunnels.

• Both IPsec & SSL VPN — The Mobile VPN supports IPsec VPN and SSL VPN tunnels.

e (Optional, SSL VPN modes only) In the SSL Port field, enter the port for SSL VPN tunnels.

f (Optional, SSL VPN modes only) If you need to use a cryptographic suite that differs from the default cryptographic suite, in the TLS Cryptography Suite Set field, select a cryptographic suite.

See Select SSL cryptographic algorithms for the SSL VPN.

g (Optional, SSL VPN modes only) If you do not want to use the default authentication timeout value (120 min), enter a time in minutes in the Authentication Timeout field.

h Edit the other settings in the VPN Client branch.

For complete instructions, see the VPN Client Settings chapter of the McAfee SMC Administrator's Guide, version 5.7.

i (Optional) Edit the settings on the Advanced branch.

For complete instructions, see the Configuring IPsec VPNs chapter and the VPN Client Settings chapter of the McAfee SMC Administrator's Guide, version 5.7.

j Click the Save and Refresh icon in the Engine Editor toolbar to save the changes to the configuration and refresh the policy on the engine.

2 Create a new Policy-Based VPN or edit an existing Policy-Based VPN.

For complete instructions, see the Configuring IPsec VPNs chapter and the VPN Client Settings chapter of the McAfee SMC Administrator's Guide, version 5.7.

3 On the Mobile VPN tab, select one of the following options to define which VPN Gateways provide Mobile VPN access:

• Only central Gateways from overall topology — Only the VPN Gateways in the Central Gateways list on the Site-to-Site VPN tab provide Mobile VPN access.

• All Gateways from overall topology — All VPN Gateways included in the VPN provide Mobile VPN access.

• Selected Gateways below — Only the VPN Gateways that you add to the Mobile VPN Gateways tree provide Mobile VPN access.


4 If you selected Selected Gateways below, drag and drop one or more VPN Gateways to the Mobile VPN Gateways tree.

5 Save the changes to the Policy-Based VPN.

See also Select SSL cryptographic algorithms for the SSL VPN on page 39

SSL VPN support

The McAfee NGFW in the Firewall/VPN role now supports SSL VPNs. This is an alternative to the legacy Stonesoft SSL VPN.

SSL VPNs use secure sockets layer (SSL) encryption to provide secure remote access. SSL VPNs allow authenticated users to establish secure connections to internal HTTP-based services through a standard web browser or through a client application that allows direct network access.

Previously, SSL VPN features were provided by a separate SSL VPN gateway appliance. Earlier SSL VPN gateway appliances that have been integrated with the SMC are now represented by Legacy SSL VPN Gateway elements. You can still monitor earlier SSL VPN gateways in the Management Client.

Access to HTTP-based services is now provided by the SSL VPN Portal. The SSL VPN Portal is an integrated feature of the McAfee NGFW. It provides remote access to applications and information in the protected network from standard web browsers. End users must authenticate to access the SSL VPN Portal web page. The SSL VPN Portal proxies end-user connections to HTTP-based services in the protected network. The end user is never directly connected to the back-end services.

Encrypted connections to other services are provided by SSL VPN tunneling for the McAfee VPN Client solution. SSL VPN tunneling can be used with the McAfee VPN Client solution in Mobile VPNs. You can use SSL VPN tunnels alone, IPsec tunnels alone, or both SSL VPN and IPsec tunnels together in the same Policy-Based VPN.

See also Define Mobile VPNs on page 32

Set up the SSL VPN Portal

The SSL VPN Portal provides secure browser-based access to services in the protected network.

Tasks

• Make services available in the SSL VPN Portal on page 35

SSL VPN Portal Services map external URLs to HTTP-based services in the protected network.

• Allow access to services using the SSL VPN Portal on page 36

The SSL VPN Portal Policy defines which services are available in the SSL VPN Portal and which users can access the services.

• Enable the SSL VPN Portal on page 37

Enable the SSL VPN Portal to make the SSL VPN Portal available through one or more firewalls.


Make services available in the SSL VPN Portal

SSL VPN Portal Services map external URLs to HTTP-based services in the protected network.

SSL VPN Portal Service elements contain settings that define how the internal URLs of the HTTP-based services are translated to external URLs. URL translation ensures that all traffic to registered web resource hosts is routed through the SSL VPN. End users access SSL VPN Portal Services through the SSL VPN Portal, or directly in a web browser using bookmarks.

Task

For option definitions, press F1 or click Help in the interface.

1 Select Configuration | Configuration | VPN.

The VPN Configuration view opens.

2 Create a new SSL VPN Portal Service element.

a Expand the Other Elements branch.

b Right-click SSL VPN Portal Services and select New SSL VPN Portal Service.

c In the Name field, enter a unique name.

The name must only contain letters, numbers, dashes (-), and underscores (_). The name cannot contain spaces.

3 In the Routing Method list, select one of the following:

• URL Rewrite — A URL prefix that corresponds to a service in the protected network is added to the URL.

Incoming connections are routed to the service in the protected network based on the URL prefix. HTTP responses from the servers in the protected network are rewritten to change the outgoing URLs. This does not require any additional DNS entries.

• DNS Mapping — Incoming connections to the SSL VPN Portal are translated to an internal host running on a specific port.

This requires a DNS entry for each service in the protected network.

4 If you selected URL Rewrite, to define URL translation, configure the following settings:

• External URL Prefix — Enter a forward slash (/) followed by a unique prefix.

• Internal URL — Enter the URL of the service in the protected network.

5 If you selected DNS Mapping, to define URL translation, configure the following settings:

• External URL — Enter the URL where users access the service.

• Internal URL — Enter the URL of the service in the protected network.

• Server Credential — Click Select and select a Server Credentials element or create a new Server Credentials element.

For complete instructions, see the Setting up TLS Inspection chapter of the McAfee SMC Administrator's Guide, version 5.7.

• Rewrite HTML — Deselect this option if you do not want to rewrite URLs in the HTML content.

By default, the SSL VPN Portal searches the HTML content of the service and rewrites URLs so that traffic is routed through the SSL VPN.


6 (Optional) Below the Alternative Hosts field, click Add and enter one or more additional host names or IP addresses at which the server can be contacted.

7 On the Look & Feel tab, configure the following settings to make the service available in the SSL VPN Portal:

• Title — Enter the title that is displayed for the service on the SSL VPN Portal web page.

• Visible in Portal — Deselect this option if you do not want a link to the service to appear on the SSL VPN Portal web page.

• Start page — Enter a forward slash (/) followed by a path to the page to open when the user connects to the service.

• Icon — (Optional) If you do not want to use the default .png icon for the service on the SSL VPN Portal, click Browse and navigate to the .png file you want to use.

• Description — (Optional) Enter a description that is displayed for the service on the SSL VPN Portal web page.

8 Click OK.

You are now ready to define which users are allowed to access the services.
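To make the two routing methods concrete, here is an added example (written for this addendum, not McAfee or SMC code) that models the URL translation an SSL VPN Portal Service performs. It assumes a constructed portal at https://portal.example with two constructed services, one using URL Rewrite with the prefix /intranet and one using DNS Mapping with the external name wiki.portal.example; the class and function names are the example's own. It shows the property the text relies on: a request is forwarded only when it matches a registered service, and response rewriting touches only URLs of registered internal hosts.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


# Added example, not McAfee/SMC code: a constructed model of the URL
# translation an SSL VPN Portal Service performs for its two routing methods.
#   URL Rewrite  - an external path prefix on the portal host maps to an
#                  internal URL; HTML responses are rewritten on the way out.
#   DNS Mapping  - a dedicated external host name maps to an internal host,
#                  which needs its own DNS entry pointing at the portal.

@dataclass
class PortalService:
    name: str
    routing: str                # "rewrite" or "dns"
    internal_url: str           # URL of the service in the protected network
    external_prefix: str = ""   # URL Rewrite: "/" followed by a unique prefix
    external_url: str = ""      # DNS Mapping: URL where users reach the service
    rewrite_html: bool = True   # the "Rewrite HTML" option


@dataclass
class Portal:
    portal_url: str             # external URL of the SSL VPN Portal itself
    services: list = field(default_factory=list)

    def route(self, request_url):
        """Map an external request URL to the internal URL to proxy to.

        Returns None when no registered service matches, so the portal
        never forwards a request to a host that was not registered."""
        ext = urlsplit(request_url)
        portal_host = urlsplit(self.portal_url).netloc
        for svc in self.services:
            internal = urlsplit(svc.internal_url)
            if svc.routing == "rewrite" and ext.netloc == portal_host:
                prefix = svc.external_prefix
                # Match on a path-segment boundary: "/intranet" must not
                # capture "/intranetx/...".
                if ext.path == prefix or ext.path.startswith(prefix + "/"):
                    rest = ext.path[len(prefix):] or "/"
                    path = internal.path.rstrip("/") + rest
                    return urlunsplit((internal.scheme, internal.netloc,
                                       path, ext.query, ""))
            elif svc.routing == "dns":
                if ext.netloc == urlsplit(svc.external_url).netloc:
                    return urlunsplit((internal.scheme, internal.netloc,
                                       ext.path or "/", ext.query, ""))
        return None

    def rewrite_response(self, svc, html):
        """Rewrite absolute URLs of registered internal hosts in an HTML body
        so the browser keeps sending traffic through the portal.

        URLs of hosts that are not registered are left as they are."""
        if not svc.rewrite_html:
            return html
        out = html
        for s in self.services:
            internal = urlsplit(s.internal_url)
            if s.routing == "rewrite":
                external = self.portal_url.rstrip("/") + s.external_prefix
                base = (internal.scheme + "://" + internal.netloc
                        + internal.path.rstrip("/"))
            else:
                external = s.external_url.rstrip("/")
                base = internal.scheme + "://" + internal.netloc
            # Replace only where the internal base ends at a URL boundary.
            pattern = re.escape(base) + r"""(?=["'/?# ]|$)"""
            out = re.sub(pattern, lambda _m, e=external: e, out)
        return out


# Constructed sample configuration used by the demo and the checks below.
SAMPLE_PORTAL = Portal("https://portal.example", [
    PortalService("intranet", "rewrite", "http://intranet.corp.example:8080",
                  external_prefix="/intranet"),
    PortalService("wiki", "dns", "http://wiki.corp.example",
                  external_url="https://wiki.portal.example"),
])

SAMPLE_HTML = ('<a href="http://intranet.corp.example:8080/news">news</a> '
               '<a href="http://wiki.corp.example/Main">wiki</a> '
               '<a href="http://other.corp.example/">unregistered</a>')


def demo():
    """Routing and rewriting for the constructed portal."""
    routed = {u: SAMPLE_PORTAL.route(u) for u in (
        "https://portal.example/intranet/news?id=7",
        "https://portal.example/intranetx/",
        "https://wiki.portal.example/Main_Page",
        "https://portal.example/other/",
    )}
    rewritten = SAMPLE_PORTAL.rewrite_response(SAMPLE_PORTAL.services[0],
                                               SAMPLE_HTML)
    return routed, rewritten


if __name__ == "__main__":
    for url, target in demo()[0].items():
        print(url, "->", target)
    print(demo()[1])
```

The prefix match is made on a path-segment boundary so that /intranetx is not mistaken for the /intranet service, and route() returning None is the case a deployment should answer with an error page rather than a pass-through. For DNS Mapping the example only matches on host name, which is why each such service needs its own DNS entry resolving to the portal.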

Allow access to services using the SSL VPN Portal

The SSL VPN Portal Policy defines which services are available in the SSL VPN Portal and which users can access the services.

Before you begin

Create SSL VPN Portal Service elements. See Make services available in the SSL VPN Portal.

The SSL VPN Portal Policy contains rules that define which users can use each SSL VPN Portal Service, and the authentication requirements for accessing the SSL VPN Portal Services.

Task

For option definitions, press F1 or click Help in the interface.

1 Select Configuration | Configuration | VPN.

2 Create a new SSL VPN Portal Policy.

a Right-click SSL VPN Portal Policies and select New SSL VPN Portal Policy.

The SSL VPN Portal Policy Properties dialog box opens.

b In the Name field, enter a unique name.

c Click OK.

The SSL VPN Portal Policy opens for editing in a new tab.

3 Add rules in one of the following ways:

• Right-click the last row of an empty policy and select Add Rule.

• Right-click the ID cell of an existing rule and select Add Rule Before or Add Rule After.

4 Drag and drop one or more SSL VPN Service elements from the Resources pane to the Web Service cell.


5 Drag and drop one or more User or User Group elements from the Resources pane to the Authentication cell.

6 Save the SSL VPN Portal Policy.

You can now select the SSL VPN Portal Policy for an SSL VPN Portal element.
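The following is an added example, not SMC code, of how a policy built from such rules is evaluated: each rule pairs Web Service elements with the Users or User Groups allowed to use them, and a session sees the union of the services of every rule it matches. The addendum mentions authentication requirements without detailing them, so the authentication method names, the class names and the sample policy are constructed for the example. It also illustrates the later point that the portal page lists services dynamically per session and that page customization cannot widen that set.

```python
from dataclasses import dataclass


# Added example, not SMC code: a constructed model of how an SSL VPN Portal
# Policy decides which SSL VPN Portal Services a logged-on user may reach.
# Each rule pairs Web Service elements with the Users or User Groups allowed
# to use them and, optionally, the authentication method the session must
# have used (method names here are assumptions, not product settings).

@dataclass(frozen=True)
class PortalRule:
    web_services: frozenset      # names of SSL VPN Portal Service elements
    authentication: frozenset    # User or User Group element names
    required_auth: frozenset = frozenset()  # empty = any method accepted


@dataclass(frozen=True)
class PortalSession:
    user: str
    groups: frozenset            # groups the directory reports for the user
    auth_method: str             # how this session authenticated


def rule_matches(rule, session):
    """A rule applies when the user (by name or group) is listed and the
    session's authentication method satisfies the rule's requirement."""
    identity_ok = (session.user in rule.authentication
                   or bool(session.groups & rule.authentication))
    auth_ok = not rule.required_auth or session.auth_method in rule.required_auth
    return identity_ok and auth_ok


def allowed_services(policy, session):
    """Union of the services of every matching rule. This is the set the
    portal page lists for the session; page customisation cannot widen it."""
    granted = set()
    for rule in policy:
        if rule_matches(rule, session):
            granted |= rule.web_services
    return granted


def may_access(policy, session, service_name):
    """Per-request check a proxy applies before forwarding to the back end,
    independent of whether a link was shown on the portal page."""
    return service_name in allowed_services(policy, session)


# Constructed sample policy and sessions.
SAMPLE_POLICY = [
    PortalRule(frozenset({"intranet"}), frozenset({"All Users"})),
    PortalRule(frozenset({"hr-portal", "payroll"}), frozenset({"HR Staff"}),
               required_auth=frozenset({"certificate"})),
    PortalRule(frozenset({"wiki"}), frozenset({"alice"})),
]
ALICE = PortalSession("alice", frozenset({"All Users"}), "password")
BOB_PASSWORD = PortalSession("bob", frozenset({"All Users", "HR Staff"}), "password")
BOB_CERT = PortalSession("bob", frozenset({"All Users", "HR Staff"}), "certificate")
GUEST = PortalSession("guest", frozenset(), "password")

if __name__ == "__main__":
    for s in (ALICE, BOB_PASSWORD, BOB_CERT, GUEST):
        print(s.user, s.auth_method, sorted(allowed_services(SAMPLE_POLICY, s)))
```

The per-request check in may_access() is the one that matters for security: hiding a link on the portal page (or in a customized page) is presentation only, and the proxy must re-evaluate the policy for every forwarded request.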

Enable the SSL VPN Portal

Enable the SSL VPN Portal to make the SSL VPN Portal available through one or more firewalls.

Before you begin

Create an SSL VPN Portal Policy. See Allow access to services using the SSL VPN Portal.

Task

For option definitions, press F1 or click Help in the interface.

1 Select Configuration | Configuration | VPN.

The VPN Configuration view opens.

2 Right-click SSL VPN Portals and select New SSL VPN Portal.

The SSL VPN Portal Properties dialog box opens.

3 In the Name field, enter a unique name.

The name must only contain letters, numbers, dashes (-), and underscores (_). The name cannot contain spaces.

4 Next to the SSL VPN Portal Policy field, click Select and select an SSL VPN Portal Policy.

5 Below the Hostnames field, click Add and add one or more host names.

Host names allow users to access services provided by the SSL VPN Portal using domain names as well as IP addresses in the URL.

6 Below the Credentials field, click Select and select a Server Credentials element or create a new Server Credentials element.

For complete instructions, see the Setting up TLS Inspection chapter of the McAfee SMC Administrator's Guide, version 5.7.

7 Click the Look & Feel tab.

8 In the Title field, enter a title for the SSL VPN Portal.

9 (Optional) In the Favicon field, click Browse to navigate to the .ico file that you want to use for the SSL VPN Portal.

10 (Optional) In the Customization menu, select the SSL VPN Portal Page element that defines the customized look of the SSL VPN Portal.

See Customize the look and feel of the SSL VPN Portal.

11 Click the Target Engine tab.

12 Select one or more firewalls that use the SSL VPN Portal.

The SSL VPN Portal is now available through the selected firewall or firewalls.


13 (Optional) Edit SSL VPN Portal settings in the Engine Editor.

If the default settings meet your needs, there is no need to edit the SSL VPN Portal settings.

a In the System Status view, right-click an engine element and select Edit <element type>.

b Browse to VPN | SSL VPN Portal in the navigation pane on the left.

c Select the versions of SSL and TLS that are allowed for connections to the SSL VPN Portal using the Allowed SSL/TLS Versions options.

d If you have a specific need to use a cryptographic suite that differs from the default cryptographic suite, in the TLS Cryptography Suite Set field, select a cryptographic suite.

See Select SSL cryptographic algorithms for the SSL VPN.

e Click the Save and Refresh icon in the Engine Editor toolbar to save the changes to the configuration and refresh the policy on the engine.

See also Select SSL cryptographic algorithms for the SSL VPN on page 39

Customize the look and feel of the SSL VPN Portal

You can optionally customize the look and feel of the SSL VPN Portal web page to match the look and feel of your organization.

Before you begin

Customizing the SSL VPN Portal web pages requires you to manually edit HTML and CSS files. Familiarity with HTML and CSS is required.

You can customize graphics, styles, and fonts. You can also change the layout of the content, and edit the text that is shown on the SSL VPN Portal web page.

The services in the SSL VPN Portal web page are displayed dynamically based on what a user is allowed to access in each session. Customization does not restrict which services are available to users. Use SSL VPN Portal Policies to define which resources each user can access.

Task

For option definitions, press F1 or click Help in the interface.

1 Use SCP to transfer the default sslvpnrwp.zip file from the /data/config/policy/latest/sslvpnrwp directory on the engine to the computer where you use the Management Client.

2 Decompress the sslvpnrwp.zip file.

3 Customize the contents.

• To customize graphics, save your custom graphics in the images directory. The .png and .gif file formats are supported.

• To customize styles, edit the .css files in the css directory.

• To customize fonts, replace the .woff file in the fonts directory with your custom file.

• To customize the layout of the content or the text that is shown on the SSL VPN Portal web pages, edit the HTML files. If you replaced or renamed files in the images, css, or fonts directories, update the HTML files to reference the new file names.


4 Compress the customized files and save the .zip file on the computer where you use the Management Client.

5 Import the customized files.

a In the Management Client, select Configuration | Configuration | VPN.

The VPN Configuration view opens.

b Expand the Other Elements branch.

c Right-click SSL VPN Portal Pages and select New SSL VPN Portal Page.

d In the Name field, give the SSL Portal Page element a name to easily identify it.

e In the ZIP File field, click Browse and navigate to the .zip file that contains the customized files.

f Click OK.

You can now select the customized SSL VPN Portal Page element in the properties of an SSL VPN Portal element.

See also Enable the SSL VPN Portal on page 37

Select SSL cryptographic algorithms for the SSL VPN

If you need to change the SSL cryptographic algorithms that are supported by the SSL VPN Portal, you can create a TLS Cryptography Suite Set element to define which cryptographic algorithms are allowed.

The default NIST (SP 800-52) Compatible SSL Cryptographic Algorithms element allows SSL cryptographic algorithms that are compatible with the following standard: NIST SP 800-52 Rev. 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. If the default SSL cryptographic algorithms meet your needs, there is no need to create a custom TLS Cryptography Suite Set element.

Task

For option definitions, press F1 or click Help in the interface.

1 Select Configuration | Configuration | VPN.

The VPN Configuration view opens.

2 Expand the Other Elements branch.

3 Right-click TLS Cryptography Suite Sets and select New TLS Cryptography Suite Set.

4 In the Name field, give the TLS Cryptography Suite Set element a name to easily identify it.

5 Select one or more SSL cryptographic algorithms.

SSL cryptographic algorithms in the Common section are compatible with SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. SSL cryptographic algorithms in the TLS 1.2 Only section are only compatible with TLS 1.2.

6 Click OK.

You can now select the custom TLS Cryptography Suite Set element in the Engine Editor.
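As an added example (not part of the addendum or the SMC), the same two controls, an allowed SSL/TLS version range and a restricted cipher suite set, expressed for a TLS server in Python's standard ssl module. The cipher list string and the function names are the example's own assumptions; it does not reproduce the contents of the NIST (SP 800-52) Compatible element. Running it shows which suites a given OpenSSL build would actually offer under such a set, and checks that no weak algorithm family slips through.

```python
import ssl


# Added example, not McAfee/SMC code: the two engine settings named in the
# addendum, "Allowed SSL/TLS Versions" and a restricted "TLS Cryptography
# Suite Set", expressed for a TLS server in Python's standard ssl module.

# Constructed suite set (an OpenSSL cipher list, the example's own choice,
# not the contents of the NIST SP 800-52 element): AEAD suites with
# forward-secret key exchange only, weak algorithm families removed.
MODERN_SUITE_SET = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
                    ":!aNULL:!eNULL:!MD5:!RC4:!3DES")

# Substrings that mark suites no current deployment should offer.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXP")


def build_server_context(min_version="TLSv1_2", max_version="MAXIMUM_SUPPORTED",
                         suite_set=MODERN_SUITE_SET):
    """Server context with an allowed version range and a suite set.

    Version names are ssl.TLSVersion members ("TLSv1", "TLSv1_2", ...).
    No certificate is loaded here; a real server adds load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion[min_version]
    ctx.maximum_version = ssl.TLSVersion[max_version]
    # set_ciphers() governs TLS 1.2 and earlier; TLS 1.3 suites are the
    # fixed AEAD set OpenSSL ships and are not selected by this string.
    ctx.set_ciphers(suite_set)
    return ctx


def offered_suites(ctx):
    """{protocol name: [suite names]} the context would offer, as OpenSSL
    reports it, so the effect of a suite set can be inspected per version."""
    offered = {}
    for c in ctx.get_ciphers():
        offered.setdefault(c["protocol"], []).append(c["name"])
    return offered


def weak_suites(ctx):
    """Offered suites carrying a weak-algorithm marker; expected to be empty."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]


def allows_legacy_versions(ctx):
    """True if the context still accepts TLS 1.1 or older handshakes."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context accepts."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    context = build_server_context()
    for proto, names in offered_suites(context).items():
        print(proto, names)
    print("weak suites:", weak_suites(context))
    print("legacy versions allowed:", allows_legacy_versions(context))
```

The floor is deliberately TLS 1.2, which corresponds to selecting only the TLS 1.2 Only section in the element. Most current OpenSSL builds are compiled without SSL 3.0 at all, so the Common section's SSL 3.0 compatibility has no equivalent here; when the legacy versions must stay enabled for old clients, allows_legacy_versions() is the check to surface in a configuration review.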

See also Enable the SSL VPN Portal on page 37


Monitor SSL VPN connections

Use the SSL VPN Monitoring view to check the status of SSL VPN sessions and to terminate SSL VPN sessions.

Before you begin

The SSL VPN Portal must be configured and enabled.

Task

For option definitions, press F1 or click Help in the interface.

1 Right-click the Firewall element for which you want to view SSL VPN sessions and select Monitoring | SSL VPNs.

The SSL VPN Monitoring view opens.

2 Browse the data.

For complete instructions, see the Monitoring Connections, Blacklists, VPN SAs, Users, and Routing section of the Monitoring the System chapter of the McAfee SMC Administrator's Guide, version 5.7.

See also Set up the SSL VPN Portal on page 34


5 McAfee NGFW configuration improvements

Configuration improvements include additional aggregated link interfaces, new hardware support for appliances without the Local Manager, and new language options in the Management Client.

Contents

Aggregate multiple interfaces on McAfee NGFW in the Firewall/VPN role
Automatically test link status of aggregated links in load-balancing mode
Local Manager and alternative installation options
Language selection in the Management Client
Change the default language of the Management Client

Aggregate multiple interfaces on McAfee NGFW in the Firewall/VPN role

It was previously possible to create aggregated link interfaces with two links. It is now possible to combine up to eight links in an aggregated link interface in load-balancing mode.

Link aggregation combines multiple physical network interfaces on the McAfee NGFW in the Firewall/VPN role into a single logical interface. Aggregated links can be used in two ways:

• In high-availability mode, only the first interface in the aggregated link is actively used. The next interface becomes active only if the first interface fails.

• In load-balancing mode, all of the interfaces in the aggregated link are actively used and connections are automatically balanced between the interfaces.

You can only aggregate more than two interfaces in load-balancing mode.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

2 Browse to Interfaces in the navigation pane on the left.

3 Add a physical interface.

For complete instructions, see the Firewall Interface Configuration section of the Network Interface Configuration chapter of the McAfee SMC Administrator's Guide, version 5.7.

4 From the Type list, select Aggregated Link in Load-Balancing Mode.


5 Add one or more additional interfaces:

a Next to the Additional Interfaces list, click Add.

b In the Interface ID list, select an interface number.

c Click OK.

6 Click the Save and Refresh icon in the Engine Editor toolbar to save the changes to the configuration and refresh the policy on the engine.

Automatically test link status of aggregated links in load-balancing mode

You can now automatically test the link status of aggregated links in load-balancing mode in more detail.

Before you begin

You must have aggregated link interfaces on McAfee NGFW in the Firewall/VPN role.

The Link Status test checks whether a network port reports the link as up or down. When you use the Link Status test for aggregated links in load-balancing mode, you can specify what percentage of the aggregated links must be down for the test to be considered failed.

Only the first interface ID that belongs to an aggregated link is shown in the list of interfaces. However, the Link Status test checks the status of all interfaces in the aggregated link.

Task

For option definitions, press F1 or click Help in the interface.

1 In the System Status view, right-click an engine element and select Edit <element type>.

2 Browse to General | Engine Tester in the navigation pane on the left.

3 Add a Link Status test.

For complete instructions, see the Configuring the Engine Tester chapter of the McAfee SMC Administrator's Guide, version 5.7.

4 Select the percentage of aggregated links that must be down for the test to be considered failed.

5 Click the Save and Refresh icon in the Engine Editor toolbar to save the changes to the configuration and refresh the policy on the engine.

Local Manager and alternative installation options

The 64-bit McAfee NGFW software image without the Local Manager provides 64-bit support for small McAfee NGFW appliances. It also reduces the disk space needed for installation on your own hardware if you do not need the Local Manager.

The Local Manager is a standalone, browser-based interface for configuring and monitoring McAfee NGFW appliances. The standard 64-bit McAfee NGFW software image includes the Local Manager component. The 64-bit McAfee NGFW software image without the Local Manager is pre-installed on some small McAfee NGFW appliance models. You can also install the 64-bit McAfee NGFW software image without the Local Manager on your own hardware if you do not need the Local Manager.

The 64-bit McAfee NGFW software image without the Local Manager provides the following benefits:


• Less disk space is needed for installation.

• Downloading and installing upgrades is faster.

Language selection in the Management Client

Administrators can now set the language of the Management Client to English or Japanese.

During a local installation of the SMC, administrators can set the default language of the Management Client to English or Japanese in the installation wizard. Users can select English or Japanese in the logon dialog box when logging on to the Management Client locally or using Web Start.

After installation, administrators can change the default language by editing the locale.properties file.

Change the default language of the Management Client

Administrators can change the default language of the Management Client manually after installation.

Task

1 Locate the locale.properties file in the <user>/.stonegate/user_locale folder.

2 Change the smc.locale.default setting in the locale.properties file to the language you want:

• smc.locale.default=ja for Japanese

• smc.locale.default=en for English

3 Save changes to the locale.properties file.


Index

A
about this guide 5
access control 25, 29
active stream handling 22
aggregated links 41, 42
alert element 17
anti-spam 22
anti-virus 22
authentication ports 17

B
browser-based access 37

C
categories 9
category
    filters 10
    tags 9, 10
category tag 9
client computer 27, 28
conventions and icons used in this guide 5
CSS files 38

D
data loss prevention 18
documentation
    product-specific, finding 6
    typographical conventions and icons 5
domain controller 29

E
elements
    category tag 9
    custom category 9
    filtering 9
    filtering elements 10
endpoint protection products 28
engine
    element 12
    traffic 17
engine editor toolbar 10

F
file
    filtering 18, 25, 26
    reputation 25, 26
    types 18, 19

G
global system settings 7

H
high availability 29
high-availability 41
HTML files 38

I
inspection templates 18

L
language 43
licenses 7
link status test 42
load-balancing 41, 42
local manager 42
log level 17
logging 22
logon events 29

M
malicious file classifications 25
malware detection 18, 19, 25
malware detection methods 26
McAfee Advanced Threat Defense 26
McAfee Agent 28
McAfee ePO 27, 28
McAfee GTI 7, 25
McAfee Logon Collector 29
McAfee ServicePortal, accessing 6
Microsoft Exchange Servers 29
mobile VPNs 32
monitoring events 29


N
network interfaces 41
non-ASCII characters 29

P
password policy 7, 8
permissions
    manage updates and upgrades 7
    unrestricted 7

R
routes 13
rules
    access 17
    automatic 17
    file filtering 18

S
ServicePortal, finding product documentation 6
SGConfiguration.txt file 8
shared domain 8
situations 22
small appliances 42
software image 42
SSL VPN
    cryptographic algorithm 39
    gateways 34
    portal policy and rules 36
    portal services 35
    sessions 40
    tunneling 34

T
TCP protocol handling 22
technical support, finding product information 6
template policy 17
TLS inspection 22
transparent packet forwarding 22
type-ahead search 10

U
updates 7
upgrades 7
user agent 29
user identification 29
user responses 22

V
VPN, configuration 31
