McAfee Firewall Enterprise ePolicy Orchestrator...

Integration Guide

McAfee® Firewall Enterprise ePolicy Orchestrator® Extensionversion 5.2.1

2 McAfee© Firewall Enterprise ePolicy Orchestrator© Extension 5.2.1 Integration Guide

COPYRIGHTCopyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONSMcAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, TrustedSource, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION

License AgreementNOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

About this guide 5Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5Find product information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

1 Introduction 7About McAfee Firewall Enterprise ePolicy Orchestrator Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . .7Managed products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

Firewall Enterprise overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7Control Center overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7Firewall Profiler overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

How the Firewall Enterprise ePolicy Orchestrator Extension works . . . . . . . . . . . . . . . . . . . . . . . . . . .8

2 Firewall Enterprise ePolicy Orchestrator Extension setup 9Setup overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9Download and install the Firewall Enterprise ePolicy Orchestrator Extension . . . . . . . . . . . . . . . . . . . .9

Download the Firewall Enterprise ePolicy Orchestrator Extension . . . . . . . . . . . . . . . . . . . . . . . . .9Install the Firewall Enterprise ePolicy Orchestrator Extension . . . . . . . . . . . . . . . . . . . . . . . . . . .10

Needed permission sets and users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10Create a permission set for Firewall Enterprise or Control Center access to ePolicy Orchestrator . . . . .10Create a user account for access to ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11Create a permission set that allows users to view firewall data . . . . . . . . . . . . . . . . . . . . . . . . . . . .12Create a user that can view firewall data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

3 Firewall Enterprise setup 15Configure Firewall Enterprise appliances for ePolicy Orchestrator reporting . . . . . . . . . . . . . . . . . . . .15Configure managed firewalls for ePolicy Orchestrator reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . .16Troubleshooting Firewall Enterprise to ePolicy Orchestrator communication . . . . . . . . . . . . . . . . . . .16

4 Control Center setup 19Setup overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19Configure Control Center for ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19Register Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Control Center Management Servers, High Availability (HA), and the ePolicy Orchestrator platform 21Add a Control Center Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21Delete a Control Center Management Server from the ePolicy Orchestrator server . . . . . . . . . . . .22

5 Firewall Profiler setup 23Setup overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23Create a user account on Firewall Profiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23Register Firewall Profiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

Add a Firewall Profiler server to the ePolicy Orchestrator server . . . . . . . . . . . . . . . . . . . . . . . . .24Delete a Firewall Profiler server from the ePolicy Orchestrator server . . . . . . . . . . . . . . . . . . . . .24

Configure Firewall Profiler to retrieve host information from ePolicy Orchestrator . . . . . . . . . . . . . . .25

McAfee© Firewall Enterprise ePolicy Orchestrator© Extension 5.2.1 Integration Guide 3

Contents

6 Firewall data 27View Firewall Enterprise and Control Center data in the ePolicy Orchestrator console . . . . . . . . . . . . .27

View internal host activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27View firewall resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28View firewall statuses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29View Firewall Profiler events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29View all firewalls managed by a Control Center Management Server . . . . . . . . . . . . . . . . . . . . . .30View all firewalls monitored by a Firewall Profiler server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Change how ePolicy Orchestrator displays firewall data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32Change Firewall Profiler event sources and destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32Change data refresh settings and host retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

View ePolicy Orchestrator Host Data reports from the Control Center Client application . . . . . . . . . . .33View ePolicy Orchestrator Host Data reports from Firewall Profiler . . . . . . . . . . . . . . . . . . . . . . . . . .33

7 Queries 35Firewall Enterprise ePolicy Orchestrator Extension queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35Firewall Enterprise Report queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35Generate a Firewall Enterprise Report query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36Firewall Profiler Report queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36Generate a Firewall Profiler Report query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38Control Center queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38Generate a Control Center query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

8 Issues and tickets 41Create Firewall Profiler issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

Create a change event issue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41Create a risk event issue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

Use Profiler Firewall tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42Create an event ticket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42Associate a ticket with an issue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

9 Automatic responses 43Firewall Profiler event responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43Create an automatic response for Firewall Profiler events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

Describe the rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43Set filters for the rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44Set thresholds for the rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45Configure the actions for the rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45Review and save the rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

Index 47


About this guideThe McAfee Firewall Enterprise ePolicy Orchestrator Extension Integration Guide describes the features and capabilities of McAfee® Firewall Enterprise ePolicy Orchestrator® Extension (hereinafter Firewall Enterprise ePolicy Orchestrator Extension) version 5.2.1 for McAfee® ePolicy Orchestrator® (hereinafter ePolicy Orchestrator). For information about additional ePolicy Orchestrator software functionality that is not covered in this guide, see the ePolicy Orchestrator product documentation or click ? in the ePolicy Orchestrator console.

AudienceThis guide is intended for network and security administrators. It assumes familiarity with ePolicy Orchestrator and additionally with UNIX and Windows operating systems, system administration, the Internet, networks, and related terminology.

ConventionsThe following table lists the text conventions used in this guide.

Note: The IP addresses, screen captures, and graphics used within this document are for illustration purposes only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features may be enabled in screen captures to make them clear; however, not all features are appropriate or desirable for your setup.

Table i-1 Conventions

Convention DescriptionCourier bold Identifies commands and key words you type at a system prompt

Note: A backslash (\) signals a command that does not fit on the same line. Type the command as shown, ignoring the backslash.

Courier italic Indicates a placeholder for text you type

<Courier italic> When enclosed in angle brackets (< >), identifies optional text

nnn.nnn.nnn.nnn Indicates a placeholder for an IP address you type

Courier plain Used to show text that appears on a computer screen

Plain text italics Identifies the names of files and directoriesUsed for emphasis (for example, when introducing a new term)

Plain text bold Identifies buttons, field names, and tabs that require user interaction

[ ] Signals conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration)

Caution: Signals be careful—in this situation, you might do something that could result in the loss of data or an unpredictable outcome.

Note: Used for a helpful suggestion or a reference to material not covered elsewhere in the guide

Security Alert: Identifies information that is critical for maintaining product integrity or security

Tip: Indicates time-saving actions; may help you solve a problem


Find product information

Find product informationYou can find additional information at the following locations:Table i-2 Locations of product information

Information LocationUser documentation 1 Go to the McAfee Technical Support ServicePortal at mysupport.mcafee.com.

2 Under Self Service, click Product Documentation.3 Select a Product, then select a Version.4 Select a product document.

KnowledgeBase Go to the McAfee Technical Support ServicePortal at mysupport.mcafee.com.• Click Search the KnowledgeBase for answers to your product questions.• Click Browse the KnowledgeBase for articles listed by product and version.

Help Help is built into ePolicy Orchestrator. Click ? in the ePolicy Orchestrator console.

Product updates Go to the McAfee Downloads page at www.mcafee.com/us/downloads to download the latest extensions.

Known issues 1 Visit mysupport.mcafee.com.2 Log on with your user ID and password. The ServicePortal homepage appears with a

welcome message at the top.• If you do not have an account but have received a grant number:

• In the User Login section, click New User.• Complete the information and follow the prompts to set up your account.

• If you do not have an account or grant number, contact Customer Service.3 In the Self Service section, click Search the KnowledgeBase. The KnowledgeBase

welcome page appears.4 In the Ask a Question section, type KB73549, then click Ask. The KnowledgeBase

article appears with any known issues.


http://mysupport.mcafee.com


http://www.mcafee.com/us/downloads


1 Introduction

ContentsAbout McAfee Firewall Enterprise ePolicy Orchestrator Extension

Managed products

How the Firewall Enterprise ePolicy Orchestrator Extension works

About McAfee Firewall Enterprise ePolicy Orchestrator ExtensionMcAfee® Firewall Enterprise ePolicy Orchestrator® Extension (hereinafter Firewall Enterprise ePolicy Orchestrator Extension) version 5.2.1 provides communication between McAfee® ePolicy Orchestrator® (hereinafter ePolicy Orchestrator) and McAfee® Firewall Enterprise (hereinafter Firewall Enterprise), McAfee® Firewall Enterprise Control Center (hereinafter Control Center), or McAfee® Firewall Profiler (hereinafter Firewall Profiler).

In ePolicy Orchestrator, you can view top-level data about multiple firewalls, or you can drill down to view data about an individual firewall, the Control Center that manages it, or the Firewall Profiler that monitors it. You can also view resource and statistical dashboards across multiple firewalls. These dashboards are presented in a graphical format, which allows you to click within the graph to display more specific information.

Control Center or Firewall Profiler can display information retrieved from the ePolicy Orchestrator server about hosts that are referenced in a policy, or hosts that are passing traffic through Firewall Enterprise appliances.

Managed productsThe Firewall Enterprise ePolicy Orchestrator Extension supports Firewall Enterprise, Control Center, and Firewall Profiler. To find the latest information on the McAfee firewall products and versions that Firewall Enterprise ePolicy Orchestrator Extension supports, refer to KnowledgeBase article KB67462.

Firewall Enterprise overviewFirewall Enterprise appliances are designed to protect organization information technology infrastructure by keeping out unauthorized users, code, and applications, both internally and externally.

ePolicy Orchestrator and Firewall Enterprise appliances share information about protected hosts and firewall versions.

Control Center overviewControl Center is an enterprise-class management tool for creating and applying security policies across multiple firewalls. Use Control Center to remotely manage, maintain, and monitor firewalls for one or more domains.


IntroductionHow the Firewall Enterprise ePolicy Orchestrator Extension works1

ePolicy Orchestrator and Control Center share data about hosts, firewalls, and the Control Center Management Server. Control Center displays information about hosts, whereas ePolicy Orchestrator displays health and status information about firewalls and the Control Center Management Server.

See the McAfee Firewall Enterprise Control Center Product Guide for more information.

Firewall Profiler overviewFirewall Profiler is a network appliance that takes feeds from Firewall Enterprise appliances and instantly analyzes this information to provide true visibility into the impact of firewall rules on the network. Firewall Profiler complements Control Center for management and dramatically reduces troubleshooting efforts related to firewalls.

ePolicy Orchestrator and Firewall Profiler share data about hosts, firewalls, and the Profiler server.

See the McAfee Firewall Profiler Product Guide for more information.

How the Firewall Enterprise ePolicy Orchestrator Extension worksUse ePolicy Orchestrator to poll and monitor firewall data from one or more Firewall Enterprise appliances, Firewall Profiler servers, or Control Center Management Servers. View host data from ePolicy Orchestrator from the Control Center Client application or the Firewall Profiler web interface.

Firewall Enterprise appliances at version 8.2.1 or later can be configured to send information directly to the ePolicy Orchestrator server. Information on registered firewalls can be viewed on ePolicy Orchestrator dashboards.

On the Control Center, an ePolicy Orchestrator user is created and communication parameters are specified so that the Control Center Management Server can communicate information to the ePolicy Orchestrator server. After each Control Center Management Server is registered in ePolicy Orchestrator, administrators can view data about managed firewalls.

ePolicy Orchestrator communication parameters are specified on the Firewall Profiler server, allowing the two servers to pass information back and forth. After a Firewall Profiler server is registered in ePolicy Orchestrator, administrators can view data about Firewall Profiler events occurring on monitored firewalls.


2 Firewall Enterprise ePolicy Orchestrator Extension setup

ContentsSetup overview

Download and install the Firewall Enterprise ePolicy Orchestrator Extension

Needed permission sets and users

Create a permission set for Firewall Enterprise or Control Center access to ePolicy Orchestrator

Create a user account for access to ePolicy Orchestrator

Create a permission set that allows users to view firewall data

Create a user that can view firewall data

Setup overviewTo complete the configuration of ePolicy Orchestrator so that you can view firewall data from within ePolicy Orchestrator, you must perform the following tasks:

1 Download and install the Firewall Enterprise ePolicy Orchestrator Extension.

2 Configure permission sets and users to allow Firewall Enterprise appliances, Control Center Management Servers, or Firewall Profiler servers to communicate with ePolicy Orchestrator.

3 Configure a permission set that allows access to Firewall Enterprise Extension functionality, and assign this permission set to one or more ePolicy Orchestrator users.

Download and install the Firewall Enterprise ePolicy Orchestrator Extension

Use the tasks in this section to download and install the Firewall Enterprise ePolicy Orchestrator Extension onto your ePolicy Orchestrator server.

Download the Firewall Enterprise ePolicy Orchestrator ExtensionUse this task to download the Firewall Enterprise ePolicy Orchestrator Extension to the ePolicy Orchestrator server.

Before you beginKnow your grant number.

Task1 In a web browser, navigate to www.mcafee.com/us/downloads.

2 Provide your grant number, then navigate to the appropriate product and version.

3 Download the McAfee Firewall Enterprise ePolicy Orchestrator Extension (.zip) file.


http://www.mcafee.com/us/downloads

Firewall Enterprise ePolicy Orchestrator Extension setupNeeded permission sets and users2

Install the Firewall Enterprise ePolicy Orchestrator ExtensionUse this task to install the Firewall Enterprise ePolicy Orchestrator Extension from your download location onto your ePolicy Orchestrator server.

Before you begin• Make sure the ePolicy Orchestrator server that you intend to use to monitor your firewalls is at version

4.6 or later.

Note: You must uninstall Firewall Enterprise ePolicy Orchestrator Extension version 5.0.0 before upgrading ePolicy Orchestrator from version 4.5 to version 4.6.

• Make sure you have downloaded the Firewall Enterprise ePolicy Orchestrator Extension from the McAfee downloads website and have saved it to a location that is accessible by the ePolicy Orchestrator server.

TaskFor option definitions, click ? in the ePolicy Orchestrator console.

1 Log on to ePolicy Orchestrator.

2 In the ePolicy Orchestrator console, select Menu | Software | Extensions.

3 At the bottom of the Extensions pane on the left side of the Extensions page, click Install Extension. The Install Extension window appears.

4 Browse to the Firewall Enterprise ePolicy Orchestrator Extension .zip file you downloaded from the McAfee downloads page.

5 Click Open to select the file, then click OK to proceed with the selection.

6 Click OK to install the extension.

Needed permission sets and usersFirewall Enterprise appliances, Control Center Management Servers, and Firewall Profiler servers require user credentials to authenticate with ePolicy Orchestrator.

For Firewall Enterprise and Control Center, creating user credentials is a two-part process:

1 Create a permission set that allows data transmission.

2 Create a new user with that permission set.

For Firewall Profiler, no special permission set is required.

In addition to the appliance or server user credentials, you must create a permission set that allows ePolicy Orchestrator users to view firewall data and assign this permission set to one or more users.

See also



Create a permission set that allows users to view firewall data

Create a user that can view firewall data


Use this procedure to create a permission set for these user accounts.


Firewall Enterprise ePolicy Orchestrator Extension setupCreate a user account for access to ePolicy Orchestrator 2

Before you begin• Make sure that you have downloaded and installed the Firewall Enterprise ePolicy Orchestrator

Extension on your ePolicy Orchestrator server.

• You must be an ePolicy Orchestrator global administrator to perform this task.


1 In the ePolicy Orchestrator console, select Menu | User Management | Permission Sets.

2 At the bottom of the Permission Sets page, click New. The New Permission Set page appears.

3 Enter a name for the permission set, then click Save.

4 Make sure that this permission set name is selected in the left pane of the Permission Sets page.

5 Scroll down to the McAfee Firewall Enterprise setting and click Edit. The Edit Permission Set page appears.

6 Enable communication.

• For Control Center Management Server user accounts, select Provide host information to a remote Firewall Enterprise Control Center.

• For Firewall Enterprise appliance user accounts, select Permit data exchange with Firewall Enterprise systems.

7 Click Save.

Create a user account for access to ePolicy OrchestratorCreate a user account to enable communication with ePolicy Orchestrator.





1 In the ePolicy Orchestrator console, select Menu | User management | Users.

2 Do one of the following:

• To edit an existing user, select the user name on the left and click Edit at the bottom of the Users page. The Edit User user_name page appears. Skip to Step 4.

• To add a new user, in the lower left corner of the Users page, click New User. The New User page appears. Go to the next step.

3 Type a unique name for this user in the User name field.

4 Select the checkbox for the permission set you created in the Permission sets field.

5 Specify values in the other fields as needed.

6 Click Save. If you added a new user, this user is added to the list of users on the Users page. If you edited an existing user, your changes are saved and you are returned to the Users page.


Firewall Enterprise ePolicy Orchestrator Extension setupCreate a permission set that allows users to view firewall data2

Create a permission set that allows users to view firewall dataYou can edit existing permission sets or add new sets to provide access to the information provided by the Firewall Enterprise ePolicy Orchestrator Extension. McAfee recommends creating at least one general permission set for use by any user that needs to view Firewall Enterprise ePolicy Orchestrator Extension data.

The following permissions can be added to existing permission sets to provide Firewall Enterprise ePolicy Orchestrator Extension functionality to ePolicy Orchestrator users:

• Audit log — View and purge audit log files.

• Dashboards — Use public dashboards, and edit and create personal dashboards.

• Extensions — Install and remove extensions.

• McAfee Firewall Enterprise — View and manage firewalls.

• Queries — Use and edit public queries, and edit and create personal queries.

• Registered servers — Use, create, and edit registered servers.





1 In the ePolicy Orchestrator console, select Menu | User Management | Permission Sets.


• To edit an existing permission set, select the permission set in the list on the left. Skip to Step 6.

• To create a new permission set, in the lower left corner of the Permission Sets page, click New Permission Set. The New Permission Set page appears. Go to the next step.

3 Specify a name for the permission set and select the users the set is assigned to.

4 Click Save.

5 In the Permission Sets page, select the new permission set from the Permission Sets list. The details for the selected permission set are displayed on the right.

6 To view all of the information that the Firewall Enterprise ePolicy Orchestrator Extension provides about the Firewall Enterprise appliances, Control Center Management Servers, and Firewall Profiler servers, configure the following settings. For most settings, higher levels of access are optional.

a For each setting that is listed, scroll to the setting and click Edit. The Edit Permission Set page for that setting appears.

b When you have finished editing the setting, click Save.

Note: You can also add these settings to an existing permission set to provide access to the Firewall Enterprise ePolicy Orchestrator Extension information.

• Audit log — No permissions is the default setting. To change the setting, select one of the following options:

• View audit log

• View and purge audit log


Firewall Enterprise ePolicy Orchestrator Extension setupCreate a permission set that allows users to view firewall data 2

• Dashboards — No permissions is the default setting. To change the setting, select one of the following options:

Note: To work with the Firewall Enterprise ePolicy Orchestrator Extension, you must select at least the Use public dashboards setting, although higher settings are also allowed.

• Use public dashboards

• Use public dashboards; create and edit personal dashboards

• Use public dashboards; create and edit personal dashboards; make personal dashboards public

• Extensions — Select the Install and remove extensions checkbox to install and remove extensions. This checkbox is deselected by default.

Note: You must have this setting selected in order to install and remove extensions. However, this setting is optional for viewing Firewall Enterprise ePolicy Orchestrator Extension data in the ePolicy Orchestrator console.

• McAfee Firewall Enterprise — No permissions is the default setting. To change the setting, select one of the following options:

Note: To work with the Firewall Enterprise ePolicy Orchestrator Extension, you must select at least the View McAfee Firewall Enterprise Control Center managed firewalls or the Permit data exchange with Firewall Enterprise systems setting, although higher settings are also allowed.

• View McAfee Firewall Enterprise Control Center managed firewalls

• Manage and view McAfee Firewall Enterprise Control Center servers and firewalls

• Provide host information to a remote Firewall Enterprise Control Center — McAfee recommends selecting this checkbox only for the unique permission set that is assigned to Control Center Management Server user accounts. You should not select this checkbox for other permission sets.

• Permit data exchange with Firewall Enterprise systems — Select this checkbox for the unique permission set that is assigned to Firewall Enterprise appliance user accounts.

Note: Do not select this checkbox for other permission sets.

• Queries — No permissions is the default setting. To change the setting, select one of the following options:

Note: To work with the Firewall Enterprise ePolicy Orchestrator Extension, you must select at least the Use public queries setting, although higher settings are also allowed.

• Use public queries

• Use public queries; create and edit personal queries

• Use public queries; create and edit personal queries; make personal queries public

• Registered servers — No permissions is the default setting. To change the setting, select one of the following options:

• Use registered servers

• Create and edit registered servers

7 Add or edit any additional permission settings as needed.


Firewall Enterprise ePolicy Orchestrator Extension setupCreate a user that can view firewall data2

Create a user that can view firewall dataYou can edit existing users or create new users so that you can provide them with access to the Firewall Enterprise ePolicy Orchestrator Extension data. This is accomplished by associating the user with one or more permission sets that provide this access. You can specify the permission set or sets in the User page or you can specify the User field of the Permission Settings page. This section describes the way to assign the permission set to the user.

Before you beginMake sure that you have downloaded and installed the Firewall Enterprise ePolicy Orchestrator Extension on your ePolicy Orchestrator server. Also, you must be an ePolicy Orchestrator global administrator to perform this task.


1 In the ePolicy Orchestrator console, select Menu | User management | Users.


• To edit an existing user, select the user name on the left and click Edit at the bottom of the Users page. The Edit User user_name page appears. Skip to Step 4.

• To add a new user, in the lower left corner of the Users page, click New User. The New User page appears. Go to the next step.

3 Type a unique name for this user in the User name field.

4 Select the checkbox for the permission set that allows users to view firewall data, and for any other permission set you want to assign to the user in the Permission sets field.

5 Specify values in the other fields as needed.

6 Click Save. If you added a new user, this user is added to the list of users on the Users page. If you edited an existing user, your changes are saved and you are returned to the Users page.


Firewall Enterprise setupConfigure Firewall Enterprise appliances for ePolicy Orchestrator reporting 3

3 Firewall Enterprise setup

ContentsConfigure Firewall Enterprise appliances for ePolicy Orchestrator reporting

Configure managed firewalls for ePolicy Orchestrator reporting

Troubleshooting Firewall Enterprise to ePolicy Orchestrator communication

Configure Firewall Enterprise appliances for ePolicy Orchestrator reporting

Configure data transmission from Firewall Enterprise to ePolicy Orchestrator.

Note: The firewall must be at version 8.2.1 or later.

1 Set up ePolicy Orchestrator using the getting started instructions in the McAfee ePolicy Orchestrator Product Guide.

2 Install Firewall Enterprise ePO Extension 5.2.1 on the ePolicy Orchestrator server using the instructions in the McAfee Firewall Enterprise ePO Extension 5.2.1 Integration Guide.

3 Set up Firewall Enterprise to transmit data to ePolicy Orchestrator.

a From the Firewall Enterprise Admin Console, select Monitor | ePolicy Orchestrator. The ePolicy Orchestrator window appears.

b Complete the following fields to configure the contact information for connections to the ePolicy Orchestrator server:

• IP Address — Type the IP address of the ePolicy Orchestrator server. To find the IP address associated with a host name, use the DNS Lookup window.

Note: Do not use an IPv6 address.

• Port — Type the ePolicy Orchestrator Client-to-server authenticated communication port that ePolicy Orchestrator is listening on for connections. Standard deployments of ePolicy Orchestrator use port 8444.

• User name — Type the user name of an ePolicy Orchestrator user configured on the ePolicy Orchestrator server.

• Password — Type the password of the ePolicy Orchestrator user specified in the User name field.

• Confirm password — Type the password again.

c Click Save.

d Configure the Certificate Authority (CA) to use for validating the certificate that the ePolicy Orchestrator server presents during a connection.

• Self-signed certificate — If ePolicy Orchestrator uses a self-signed certificate, click Retrieve ePO root cert to retrieve the root certificate from the ePolicy Orchestrator server. Then, select ePO Server Certificate Authority from the Cert authority drop-down list.

• CA certificate — If ePolicy Orchestrator uses a certificate that has been signed by a CA, select the CA from the Cert authority drop-down list.

e Click Save.


Firewall Enterprise setupConfigure managed firewalls for ePolicy Orchestrator reporting3

f Select the Enable communication with ePO checkbox.

g Click Save.

Configure managed firewalls for ePolicy Orchestrator reportingUse the Control Center Client application to set up a managed firewall to pass information to ePolicy Orchestrator.

1 Create an ePolicy Orchestrator settings object.

a From the Control Center Client application, click Policy. The Policy icon page appears.

b On the Firewall Settings tab, right-click ePolicy Orchestrator, then select Add Object. The ePolicy Orchestrator window appears.

c Enter a name and description for the ePolicy Orchestrator settings object.

d Select Enabled.

e Enter the IP address of the ePolicy Orchestrator server.

f Enter the user name and password used to communicate with the ePolicy Orchestrator server.

g Click Retrieve ePO root certificate. The ePO root certificate is added to and selected in the CA certificate list.

h Click OK.

The new ePolicy Orchestrator settings object appears on the Firewall Settings tab under the ePolicy Orchestrator node.

2 Apply the ePolicy Orchestrator settings object to a managed firewall.

a In the Policy area, double-click the firewall. The Firewall window appears.

b Click Offbox. The Offbox area appears.

c In the ePolicy Orchestrator section, from the Configuration drop-down list, select the ePolicy Orchestrator settings object you created in step 1.

d Click OK. The Firewall window closes.

e Click Apply. The Apply Configuration window appears.

f Select the firewall, then click OK. The ePolicy Orchestrator settings are applied to the firewall.

The firewall sends information to the ePolicy Orchestrator server. Firewall details can be viewed on the ePolicy Orchestrator dashboards.

Troubleshooting Firewall Enterprise to ePolicy Orchestrator communication

Perform the following troubleshooting steps if communication is failing from Firewall Enterprise to ePolicy Orchestrator:

1 Ensure you have installed Firewall Enterprise ePO Extension 5.2.1 on the ePolicy Orchestrator server.

2 Ensure the user configured on the ePolicy Orchestrator server has been assigned a permission set with the Permit data exchange with Firewall Enterprise systems option selected.

3 Verify connectivity from the firewall to the ePolicy Orchestrator server using ping. You can perform a ping in the Firewall Enterprise Admin Console in the Tools | Ping host area.


Firewall Enterprise setupTroubleshooting Firewall Enterprise to ePolicy Orchestrator communication 3

4 Make sure the user name the Firewall Enterprise appliance uses to communicate with the ePolicy Orchestrator server is accurate.

From the Firewall Enterprise command line, enter the following command.

cf epo q

The command returns the user name the firewall uses for ePO communication, and the IP address and port of the ePolicy Orchestrator server. For example:

epo set cert_authority=EpoRootCert_192_168_254_200_8444 enabled=on \

user=AuthorizedUser address=192.168.254.200 password='*****' port=8444


Firewall Enterprise setupTroubleshooting Firewall Enterprise to ePolicy Orchestrator communication3


4 Control Center setup


Configure Control Center for ePolicy Orchestrator

Register Control Center

Setup overviewConfiguring Control Center for ePolicy Orchestrator communication is a three step process.

For each Control Center that will communicate with ePolicy Orchestrator, you must perform the following tasks:

1 In the Control Center Client application, configure the Control Center for ePolicy Orchestrator.

2 In ePolicy Orchestrator, create a user account for the Control Center.

3 In ePolicy Orchestrator, register the Control Center.

Configure Control Center for ePolicy OrchestratorUse the ePolicy Orchestrator Settings window to configure the Control Center Management Server to communicate with the ePolicy Orchestrator server.

Note: You can create only one user with the ePolicy Orchestrator role.

You cannot register a Control Center Management Server with ePolicy Orchestrator until you have configured communication on the Control Center.

ePolicy Orchestrator requires a Control Center user with privileges to obtain and display health and status information from the Control Center about firewalls and the Control Center Management Server. When you create the ePolicy Orchestrator user, the user is automatically assigned the ePolicy Orchestrator role, which is available only to one ePolicy Orchestrator user. Additionally, the ePolicy Orchestrator user is allowed to access only the ePolicy Orchestrator configuration domain, in which read-only access to all firewall objects is allowed, but in which all other object access is denied. By default, this user has access to all of the firewalls. However, you can restrict this access on the Firewall Access List tab of the Control Center Administrator window.

Note: This information is also documented in the McAfee Firewall Enterprise Control Center Product Guide and in the Control Center Help.

Before you begin• Make sure that the Control Center Management Servers that ePolicy Orchestrator will communicate

with are at version 4.0.0.05 or later.

• You must be a Control Center administrator to perform this task. If you do not have these privileges, contact your Control Center administrator and have him or her perform this task.


Control Center setupConfigure Control Center for ePolicy Orchestrator4

TaskFor option definitions, press F1 in the Control Center Client application.

1 Log on to the Control Center Client application.

2 In the Client application navigation bar, select Control Center.

3 In the Control Center tree, expand the Settings node.

4 Double-click ePolicy Orchestrator. The ePolicy Orchestrator Settings window appears. Make sure that the ePO Reports tab is selected.

5 Complete the fields on the ePO Reports tab.

• Allow Control Center to retrieve reports from the ePO server — Select this checkbox. This checkbox determines whether the Control Center will be able to retrieve reports from the ePolicy Orchestrator server. This checkbox is deselected by default.

• ePO Server Information — Use the fields in this area to configure the settings that are required to access the ePolicy Orchestrator server. All of the fields in this area are required if the Allow Control Center to retrieve reports from the ePO server checkbox is selected.

• Hostname — Type the IP address or host name of the ePolicy Orchestrator server you want the Control Center to communicate with.

• Port — Specify the port that will be used to communicate with the ePolicy Orchestrator server. The default value is port 8443.

• Username — Type the user name that is required to access the ePolicy Orchestrator server.

• Password — Type the password for the ePolicy Orchestrator user name.

• Confirm password — Type the password again to confirm it.

6 Click the Control Center User tab.

7 Click Create User. The Control Center User Manager window appears.

8 Create a new user with the ePolicy Orchestrator role.

a Select the Account Enabled checkbox to enable the ePolicy Orchestrator user.

b Type a user name and password for the ePolicy Orchestrator user.

Note: Make note of this user name and password, because you will need to specify both values when you register this Control Center Management Server with the ePolicy Orchestrator server.

c On the Roles tab, select the ePolicy Orchestrator checkbox.

d Click OK. The ePolicy Orchestrator user appears on the Control Center User tab.


Control Center setupRegister Control Center 4

Register Control CenterThe Control Center Management Server provides information on managed appliances to ePolicy Orchestrator. Add, edit, and delete Control Center Management Servers on the Registered Servers page.

Control Center Management Servers, High Availability (HA), and the ePolicy Orchestrator platformIf you have the High Availability (HA) feature configured on one or more pairs of Control Center Management Servers, you should register only the primary Management Server of each pair of HA servers with the ePolicy Orchestrator server on the Registered Servers page.

If the primary Control Center Management Server fails, the ePolicy Orchestrator server will not automatically switch over to the backup (secondary) Management Server. You can monitor the connection failures by viewing the audit log (User Management | Audit Log). When you verify the failure in the audit log, you must manually edit the registered server information in the Registered Servers page by changing the IP address of the registered Control Center Management Server from the primary IP address to the IP address of the backup Management Server. You must also request a new client certificate from the backup Management Server.

Add a Control Center Management ServerYou must configure the Control Center Management Servers on the Registered Servers page before you can view information about the Firewall Enterprise appliances or the Control Center Management Server.

Note: Although there is information about the Registered Servers pages in the ePolicy Orchestrator console Help, there are specific fields that are unique to the Control Center Management Server. The following task describes these fields when you are adding a new Control Center Management Server to the ePolicy Orchestrator server.


1 In the ePolicy Orchestrator console, select Menu | Configuration | Registered Servers. The Registered Servers page appears.

2 In the lower left corner, click New Server. The Registered Server Builder page appears.

3 In the Server type field, select McAfee Firewall Enterprise Control Center.


Control Center setupRegister Control Center4

4 Specify a unique name and add any notes. Click Next. The Details page appears.

5 Specify the IP address or the name of the Control Center Management Server.

6 In the Control Center user name field, type the user name you set on the Control Center User tab of the ePolicy Orchestrator Settings window on the Control Center.

7 In the Control Center password fields, type the password you set on the Control Center.

8 In the Server web service port field, enter the port the Control Center Management Server uses for web traffic. The default is port 9005.

9 For the Certificate field, you can create a new, server-signed, client certificate.

a Make sure that the Control Center Management Server is running and that the Control Center user has been configured on it (in the ePolicy Orchestrator Settings window).

b Click Create New Certificate. The certificate from the Control Center Management Server appears.

c Confirm that the certificate identifies the registered Control Center Management Server.

10 Click Save.

Delete a Control Center Management Server from the ePolicy Orchestrator serverUse this task to remove a Control Center Management Server from ePolicy Orchestrator management.

Note: If you ever need to re-register this Control Center Management Server, you must re-acquire the client certificate. To do this, edit the server and click Create New Certificate on the Details page.


1 In the ePolicy Orchestrator console, select Menu | Configuration | Registered Servers.

2 In the Firewall Management group bar, select the Control Center Management Server to be deleted.

3 Click Actions, then click Delete.

4 Accept the change in the confirmation message that appears.


5 Firewall Profiler setup


Create a user account on Firewall Profiler

Register Firewall Profiler

Configure Firewall Profiler to retrieve host information from ePolicy Orchestrator

Setup overviewConfiguring Firewall Profiler for ePolicy Orchestrator communication is a two step process.

For each Firewall Profiler that will communicate with ePolicy Orchestrator, you must perform the following tasks:

1 In Firewall Profiler, create a user account that has Operator permissions.

2 In ePolicy Orchestrator, register the Firewall Profiler.

Create a user account on Firewall ProfilerYou must create a user account with the Operator user role. ePolicy Orchestrator uses the credentials for this account to authenticate with Firewall Profiler.

Before you beginMake sure the Firewall Profiler server that ePolicy Orchestrator will communicate with is at version 2.0 or later.

TaskFor option definitions, click the Help link in the Firewall Profiler web interface.

1 In Firewall Profiler, select Configuration | Users | Add User.

2 In the User name field, type a user name.

3 In the Password and Confirm Password fields, type a password for the user.

4 Select the Operator or the Operator and Administrator user roles.

5 Click Save. The new user appears in the Users List.


Firewall Profiler setupRegister Firewall Profiler5

Register Firewall ProfilerThe Firewall Profiler server provides the mechanism by which ePolicy Orchestrator communicates with Firewall Enterprise appliances. Add, edit, and delete Firewall Profiler servers on the Registered Servers page.

Add a Firewall Profiler server to the ePolicy Orchestrator serverYou must configure Firewall Profiler servers on the Registered Servers page before you can view information about the Firewall Enterprise appliances they monitor.

Note: Although there is information about the Registered Servers pages in the ePolicy Orchestrator console Help, there are specific fields that are unique to Firewall Profiler. The following task describes these fields when you are adding a new Firewall Profiler to the ePolicy Orchestrator server.


1 In the ePolicy Orchestrator console, select Menu | Configuration | Registered Servers. The Registered Servers page appears.

2 In the lower left corner, click New Server. The Registered Server Builder page appears.

3 In the Server type field, select McAfee Firewall Enterprise Profiler.

4 Specify a unique name and add any notes.

5 Click Next. The Details page appears.

6 Specify the IP address or the name of the Profiler server.

7 In the Firewall Profiler user name field, type the name of the user you created (the one with the Operator role).

8 In the Firewall Profiler password fields, type the password for this user.

9 In the HTTPS service port field, type the port the Firewall Profiler server uses to send and receive encrypted traffic. The default is port 443.

10 For the Certificate field, you can create a new, server-signed, client certificate.

a Make sure that the Profiler server is running.

b Click Create New Certificate. The certificate from the Profiler server appears.

c Confirm that the certificate identifies the registered Profiler server.

11 Click Save. The new server is added to the Registered Servers page.

Delete a Firewall Profiler server from the ePolicy Orchestrator serverUse this task to remove a Firewall Profiler server from ePolicy Orchestrator server management.

Note: If you ever need to re-register this Firewall Profiler server, you must re-acquire the client certificate. To do this, edit the server and click Create New Certificate on the Details page.


1 In the ePolicy Orchestrator console, select Menu | Configuration | Registered Servers.

2 In the Firewall Management group bar, select the Firewall Profiler server to be deleted.

3 Click Actions, then click Delete.

4 Accept the change in the confirmation message that appears.


Firewall Profiler setupConfigure Firewall Profiler to retrieve host information from ePolicy Orchestrator 5

© ©

Configure Firewall Profiler to retrieve host information from ePolicy Orchestrator

The Firewall Profiler can retrieve data from the ePolicy Orchestrator. The Firewall Profiler can display information it has retrieved from the ePolicy Orchestrator server about hosts that are referenced in a policy or hosts that are passing traffic through firewalls.

Note: This information is also documented in the McAfee Profiler Product Guide and in the Firewall Profiler Help.

Before you beginYou must have created a permission set and a user account for Firewall Profiler access to the ePolicy Orchestrator server.

TaskFor option definitions, click Help in the Firewall Profiler web interface.

1 Click Configuration | ePO.

2 Complete the fields on the ePO tab.

• ePO Server IP Address — Type the IP address of the ePolicy Orchestrator server with which this Firewall Profiler communicates.

• User Name — Type the user name with the appropriate rights to access the ePolicy Orchestrator server.

• Password — Type the password for the ePolicy Orchestrator user.

• Port — Type the port used to communicate with the ePolicy Orchestrator server.

3 Click Save.

Host information is displayed on the Event Analysis Summary page.

See also


View ePolicy Orchestrator Host Data reports from Firewall Profiler

McAfee Firewall Enterprise ePolicy Orchestrator Extension 5.2.1 Integration Guide 25

Firewall Profiler setupConfigure Firewall Profiler to retrieve host information from ePolicy Orchestrator5


6 Firewall data

ContentsView Firewall Enterprise and Control Center data in the ePolicy Orchestrator console

Change how ePolicy Orchestrator displays firewall data

View ePolicy Orchestrator Host Data reports from the Control Center Client application

View ePolicy Orchestrator Host Data reports from Firewall Profiler

View Firewall Enterprise and Control Center data in the ePolicy Orchestrator console

After communication has been established between firewalls, Firewall Profiler, Control Center, and the ePolicy Orchestrator server, and you have configured your users and permission sets, you can view firewall data in the ePolicy Orchestrator console.

The Firewall Enterprise ePolicy Orchestrator Extension provides several dashboards for quickly viewing firewall data:

• Firewall internal host mappings

• Firewall Resources

• Firewall Stats

• Profiler Events

See the McAfee ePolicy Orchestrator Product Guide for more information on working with dashboards.

Detailed information on managed and monitored firewalls can be accessed on the Enterprise Firewalls and Profiler Firewalls pages.

View internal host activityUse the Firewall internal host mappings dashboard to view information on protected hosts and firewall versions.

The Firewall internal host mappings dashboard displays the following chart-based queries.

Note: Do not edit or remove firewall queries.

Before you beginYou must have a registered Firewall Enterprise appliance communicating with ePolicy Orchestrator.

Table 6-1 Firewall internal host mappings dashboard — default queries

FWADDR: Firewall Internal Host Grouping query

FWADDR: Firewall Hit Count Grouping query

FWADDR: New Host Information query

FWADDR: Firewall Top 10 Internal Hosts query


Firewall dataView Firewall Enterprise and Control Center data in the ePolicy Orchestrator console6


1 In the ePolicy Orchestrator console, click Dashboards.

2 From the Dashboards drop-down list, select Firewall internal host mapping. The Firewall internal host mapping dashboard appears.

From the Firewall internal host mapping dashboard, you can do the following.

View firewall resourcesUse the Firewall Resources dashboard to quickly view information on the performance of managed firewalls, including memory use, proxy and VPN sessions, and data flow.

The Firewall Resources dashboard displays the following chart-based queries.

Note: You can edit the settings for the queries that produce these charts from the Queries page.

Before you beginYou must have a registered Control Center Management Server communicating with the ePolicy Orchestrator.



2 From the Dashboards drop-down list, select Firewall Resources. The Firewall Resources dashboard appears.

From the Firewall Resources dashboard, you can do the following.

Table 6-2 Firewall internal host mapping dashboard tasks

Task StepsExpand a report Click the drop-down menu arrow in the upper left corner of the report, then select Full

Screen.

View information about a specific firewall

Click a firewall on the report. Information on the specified firewall is displayed.

Table 6-3 Firewall Resources dashboard — default queries

FWCC: Firewall Physical Memory Usage

FWCC: Firewall Virtual Memory Usage

FWCC: Firewall CPU Usage FWCC: Firewall Disk Usage

FWCC: Firewall Filter Sessions

FWCC: Firewall Proxy Sessions

FWCC: Firewall Active VPN Sessions

FWCC: Firewall Idle VPN Sessions

FWCC: Firewall Inbound Data (Bytes)

FWCC: Firewall Inbound Data Rate (Bytes/Sec)

FWCC: Firewall Outbound Data (Bytes)

FWCC: Firewall Outbound Data Rate (Bytes/Sec)

Table 6-4 Firewall Resources dashboard tasks


Screen.

View information about a specific firewall

Select the firewall from the Firewall drop-down list on any report. All the queries on the dashboard display information about the selected firewall.

View details about a specific time period

1 Click the desired data point on a report. Information for the selected time period is displayed in a table.

2 Click a row in the table to view the McAfee Firewall Activity Details page for the firewall.


Firewall dataView Firewall Enterprise and Control Center data in the ePolicy Orchestrator console 6

View firewall statusesUse the Firewall Stats dashboard to quickly view status information about registered Control Center Management Servers and managed firewalls.

The Firewall Stats dashboard displays the following chart-based queries.

Tip: You can edit the settings for the queries that produce these charts from the Queries page.

Before you beginYou must have a registered Control Center Management Server communicating with the ePolicy Orchestrator.



2 Click the Firewall Stats tab. The Firewall Stats dashboard appears.

From the Firewall Stats dashboard, you can do the following.

View Firewall Profiler eventsUse the Profiler Events dashboard to quickly view status information on monitored firewalls.

The Profiler Events dashboard displays the following chart-based queries by default.

Table 6-5 Firewall Stats dashboard — default queries

FWCC: Firewall Enterprise Control CenterRun Statuses

FWCC: Firewall Run Statuses

FWCC: Firewall Versions FWCC: Alert Summary

Table 6-6 Firewall Stats dashboard tasks


Screen.

View details about Control Center Management Servers with a specific run status

Click a run status in the FWCC: Firewall Enterprise Control Center Run Statuses report. The McAfee Firewall Enterprise Control Centers Details page appears.Tip: Use the Previous and Next arrows to view details about other Control Centers with the same status.

View details about managed firewalls with a specific run status

1 Click a run status in the FWCC: Firewall Run Statuses report. The FWCC: Firewall Run Statuses page appears.

2 Click a firewall entry. The McAfee Firewalls Details page appears.Tip: Use the Previous and Next arrows to view details about other firewalls with the same status.

View details about managed firewalls running a specific software version

Click a software version in the FWCC: Firewall Versions report. The McAfee Firewalls Details page appears.Tip: Use the Previous and Next arrows to view details about other firewalls with the same software version.

View alert information about a specific firewall

Select the firewall from the Firewall drop-down list. All the queries on the dashboard display information about the selected firewall.

View details about alerts of a specific priority

Click an alert priority in the FWCC: Alert Summary report. The McAfee Firewall Alert Summary Details page appears.Tip: Use the Previous and Next arrows to view details about other alerts with the same priority.

Table 6-7 Profiler Events dashboard — default queries

Trend to Deny: Combined Trend to Allow: Combined Volume Increased: Combined

Increased Risk: Dest Reporter Decreased Risk: Dest Reporter High Risk: Dest Reporter


Firewall dataView Firewall Enterprise and Control Center data in the ePolicy Orchestrator console6

The results of other queries can be viewed by creating new Firewall Profiler dashboards. See the McAfee ePolicy Orchestrator Product Guide for more information on creating dashboards. The following queries are available (the value in angle brackets [<>] is set on the Profiler Preferences page).

Before you beginYou must have a registered Firewall Profiler server communicating with the ePolicy Orchestrator.


Note: This task can be performed from custom Firewall Profiler dashboards as well.


2 Click the Profiler Events tab. The Profiler Events dashboard appears.

From a Profiler dashboard, you can do the following.

View all firewalls managed by a Control Center Management ServerUse the Enterprise Firewalls page to view details about all the firewalls under Control Center Management.


In the ePolicy Orchestrator console, select Menu | Network | Firewalls. The Enterprise Firewalls page appears.

Table 6-8 Profiler Events dashboard — all possible queries

Trend to deny: Source <> Trend to deny: Destination <> Trend to deny: Combined

Trend to allow: Source <> Trend to allow: Destination <> Trend to allow: Combined

Increased Risk: Source <> Increased Risk: Destination <> Increased Risk: Combined

Decreased Risk: Source <> Decreased Risk: Destination <> Decreased Risk: Combined

High Risk: Source <> High Risk: Destination <> High Risk: Combined

Medium Risk: Source <> Medium Risk: Destination <> Medium Risk: Combined

Low Risk: Source <> Low Risk: Destination <> Low Risk: Combined

No Traffic: Source <> No Traffic: Destination <> No Traffic: Combined

Volume Increased: Source <> Volume Increased: Destination <> Volume Increased: Combined

Volume Decreased: Source <> Volume Decreased: Destination <> Volume Decreased: Combined

Table 6-9 Profiler dashboard tasks

Task StepsExpand a report Click the drop-down menu in the upper left corner of the report, then select Full screen.

View event information about a specific firewall

Select the firewall from the Firewall drop-down list on any report. All the queries on the dashboard display information about the selected firewall.

View details about an event

1 Click the desired event on a report. The corresponding Change Events or Risk Events page appears.

2 Click a row to see the Change Event Details or Risk Event Details page for the event.


Firewall dataView Firewall Enterprise and Control Center data in the ePolicy Orchestrator console 6

From the Enterprise Firewalls page, you can do the following.

View all firewalls monitored by a Firewall Profiler serverUse the Profiler Firewalls page to view details about the firewalls monitored by a Firewall Profiler server.


In the ePolicy Orchestrator console, select Menu | Network | Profiler Firewalls. The Profiler Firewalls page appears.

Table 6-10 Enterprise Firewalls page tasks

Task StepsRefresh firewall data Select Actions | Update.

View additional details about a specific firewall

Click a row in the table. The McAfee Firewalls Details page appears for the selected firewall.Use the left and right arrows at the bottom of the page to view details about other managed firewalls.

View blackholed IP addresses for selected firewalls

1 Select the checkboxes of the firewalls you want to see blackholed IP addresses for.2 Select Actions | Blackholed IPs.

The firewall - Blackholed IPs page appears, displaying the IP address, zone, and expire time for each IP address blackholed by one of the selected firewalls.

Click Close to return to the Enterprise Firewalls page.

View the cluster status of selected firewalls

1 Select the checkboxes of the firewalls you want to see the cluster status of.2 Select Actions | Cluster Status.

The firewall - Cluster Status page appears, displaying the node, High Availability mode, IP address, state, and status for the selected firewalls.


View the interfaces for selected firewalls

1 Select the checkboxes of the firewalls you want to see the interfaces of.2 Select Actions | Interfaces.

The firewall - Interfaces page appears, displaying the name, IP address, zone, active network interface card (NIC), active speed, and status of the interfaces of the selected firewalls.


View the routing tables for selected firewalls

1 Select the checkboxes of the firewalls you want to see routing tables for.2 Select Actions | Routing Table.

The firewall - Routing Table page appears, displaying the destination, gateway, flags, zone, network interfaces, and expire information for routes on the selected firewalls.


View signature versions for selected firewalls

1 Select the checkboxes of the firewalls you want to see signature versions for.2 Select Actions | Signature Versions.

The firewall - Signature Versions page appears, displaying the name and version of the signatures of the selected firewalls.


View the system load of selected firewalls

1 Select the checkboxes of the firewalls you want to see the system load of.2 Select Actions | System Load.

The firewall - System Load page appears, displaying the name and value for different load averages for the selected firewalls.


Export the Enterprise Firewalls table

1 Select Actions | Export Table. The Export window appears, providing configuration options for exporting the file.

2 Complete the fields.3 Click Export.

View the VPN tunnels of selected firewalls

1 Select the checkboxes of the firewalls you want to see the VPN tunnels of.2 Select Actions | VPN Tunnels. The firewall - VPN Tunnels page appears, displaying

the names and statuses for the VPN tunnels used by the firewalls.3 Click Close to return to the Enterprise Firewalls page.


Firewall dataChange how ePolicy Orchestrator displays firewall data6

From the Profiler Firewalls page, you can do the following.

Change how ePolicy Orchestrator displays firewall dataYou can configure how often firewall data is retrieved, how long the activity records are kept, and the source and destination of Firewall Profiler event data.

Change Firewall Profiler event sources and destinationsUse the Profiler Preferences page to configure source and destination settings for Firewall Profiler event data.

Source options include:

• Source Reporter

• Source Geography

• User Group

Destination options include:

• Destination Reporter

• Application

• Destination Geography

Before you beginYou must have a registered Firewall Profiler server communicating with the ePolicy Orchestrator.


1 In the ePolicy Orchestrator console, select Menu | Configuration | Profiler Preferences.

2 From the Combine drop-down list, select a Firewall Profiler event source.

3 From the With drop-down list, select a Firewall Profiler event destination.

4 Click Update. A confirmation message appears.

All Firewall Profiler queries use the selected parameters to group and display event data.

Change data refresh settings and host retentionUse the Edit Mcafee Firewall Enterprise page of the Server Settings window to configure how often Firewall Enterprise data displayed in ePolicy Orchestrator is refreshed and how long host records are retained.


Table 6-11 Profiler Firewalls page tasks

Task StepsView additional details about a specific firewall

Click a row in the table. The Profiler Firewalls Details page appears for the selected firewall.Tip: Use the Previous and Next arrows to view details about other monitored firewalls.

Export the Enterprise Firewalls table

1 Select Actions | Export Table. The Export window appears, providing configuration options for exporting the file.



Firewall dataView ePolicy Orchestrator Host Data reports from the Control Center Client application 6

1 In the ePolicy Orchestrator console, select Menu | Configuration | Server Settings.

2 From the Setting Categories list, select McAfee Firewall Enterprise. The Refresh interval and Activity record retention settings are displayed.

3 Click Edit. The Edit McAfee Firewall Enterprise page appears.

4 In the Refresh interval field, type the number of minutes to wait before refreshing health and status data.

5 In the Activity record retention field, type the number of hours to retain information in the firewall activity table.

6 In the Internal host records retention field, type the number of days to keep host records.

7 Click Save.

View ePolicy Orchestrator Host Data reports from the Control Center Client application

After you have configured the report communication on both the Control Center and the ePolicy Orchestrator server, you can view information about hosts in an ePolicy Orchestrator Host Data report that is available for a host in Control Center. This host data is maintained on the ePolicy Orchestrator server. To display data about a particular host, the host object must be managed by the ePolicy Orchestrator server.

Before you begin• The Firewall Enterprise ePolicy Orchestrator Extension must be installed on the ePolicy Orchestrator

server.

• You must configure settings for the ePolicy Orchestrator server in the ePolicy Orchestrator Settings window. This is to allow the Control Center to communicate with the ePolicy Orchestrator server.

• You must have selected the Allow Control Center to retrieve reports from the ePO server checkbox on the ePolicy Orchestrator Settings window.

TaskFor option definitions, press F1 in the Control Center Client application.

1 Log on to the Control Center Client application.

2 From the navigation bar, select Policy.

3 In the lower left corner of the window, click the Rule Objects tab.

4 Expand the Network Objects node.

5 Click the Policy group bar and then expand the Network Objects branch in the tree. The subnodes are displayed.

6 Expand the Hosts subnode. All of the defined host objects are displayed.

7 Right-click the object for which you want to view ePolicy Orchestrator server data and select Show ePO Data. The ePO Host Data page appears.

View ePolicy Orchestrator Host Data reports from Firewall ProfilerFirewall Profiler can display information it has retrieved from the ePolicy Orchestrator server about hosts that are referenced in a policy or hosts that are passing traffic through a Firewall Enterprise appliance. Host profile information for IP addresses is available on the Event Analysis details page. See the McAfee Firewall Profiler Product Guide for more information on viewing host profile information.


Firewall dataView ePolicy Orchestrator Host Data reports from Firewall Profiler6

Before you beginTo view this information, the following prerequisites must be met:

1 The Firewall Enterprise ePolicy Orchestrator Extension must be installed on the ePolicy Orchestrator server.

2 You must configure settings for the ePolicy Orchestrator server on the ePO tab.

TaskFor option definitions, click Help in the Firewall Profiler web interface.

1 Log on to the Firewall Profiler.

2 From the Live Data view selector, click the Event Analysis Summary selector. The Event Analysis Summary page appears.

3 Click the Details icon. The Event Analysis Details page appears.


7 Queries

ContentsFirewall Enterprise ePolicy Orchestrator Extension queries

Firewall Enterprise Report queries

Generate a Firewall Profiler Report query

Firewall Profiler Report queries

Generate a Firewall Profiler Report query

Control Center queries

Generate a Control Center query

Firewall Enterprise ePolicy Orchestrator Extension queriesSeveral queries are provided as part of the Firewall Enterprise ePolicy Orchestrator Extension. The results of Firewall Enterprise-specific queries can be viewed on the appropriate dashboards, or by running the queries on the Queries page. Each query that polls information from Firewall Enterprise appliances begins with the prefix FWADDR. Each query that polls information from a Control Center begins with the prefix FWCC. Queries that poll information from a Firewall Profiler begin with FWPro or Profiler Report.

See the McAfee ePolicy Orchestrator Product Guide for more information about working with queries.

Firewall Enterprise Report queriesThe following Firewall Enterprise queries are provided with the Firewall Enterprise ePolicy Orchestrator Extension.

Use the drop-down lists at the top of the report to run Firewall Enterprise Report queries for specific firewalls or for different time periods.

Table 7-1 Firewall Enterprise Report queries

Query Description

FWADDR: Firewall Details query

Displays firewall information.

FWADDR: Firewall Hit Count Grouping query

Displays firewalls by hit count.

FWADDR: Firewall Top 10 Internal Hosts query

Displays the internal hosts with the most traffic through the firewall.

FWADDR: Firewall Version Grouping query

Displays firewalls by software version.

FWADDR: New Host Information query

Displays new host information.


QueriesGenerate a Firewall Enterprise Report query7

Generate a Firewall Enterprise Report queryUse the Queries page to run a Firewall Enterprise Report query.


1 In the ePolicy Orchestrator console, select Queries & Reports. The Queries page appears.

2 Scroll down to the desired query, and click Run. The results of the query are displayed.

For Firewall Enterprise Report queries, you can perform the following action.

Firewall Profiler Report queriesThe following Firewall Profiler Report queries are provided with the Firewall Enterprise ePolicy Orchestrator Extension.

Table 7-2 Firewall Profiler Report query tasks

Task StepsExport report data 1 Select Options | Export Data. The Export window appears, providing configuration

options for exporting the file.2 Complete the fields.3 Click Export.

Table 7-3 Firewall Profiler Report queries

Query Description

FWPRO: Decreased Risk: Combined

Displays relationships with mitigated risk.

FWPRO: Decreased Risk: Destinations

Displays destinations with mitigated risk.

FWPRO: Decreased Risk: Sources

Displays sources with mitigated risk.

FWPRO: High Risk: Destinations

Displays destinations with high risk.

FWPRO: High Risk Relationships

Displays relationships with high risk.

FWPRO: High Risk: Sources Displays sources with high risk.

FWPRO: Increased Risk: Combined

Displays relationships with new risk.

FWPRO: Increased Risk: Destinations

Displays destinations with new risk.

FWPRO: Increased Risk: Sources

Displays sources with new risk.

FWPRO: Low Risk: Destinations

Displays destinations with low risk.

FWPRO: Low Risk: Relationships

Displays relationships with low risk.

FWPRO: Low Risk: Sources Displays sources with low risk.

FWPRO: Medium Risk: Destinations

Displays destinations with medium risk.

FWPRO: Medium Risk: Relationships

Displays relationships with medium risk.

FWPRO: Medium Risk: Sources

Displays sources with medium risk.

FWPRO: No Traffic: Combined

Displays relationships with no activity.


QueriesFirewall Profiler Report queries 7

Use the drop-down lists at the top of the report to run Firewall Profiler Report queries for specific firewalls or for different time periods.

FWPRO: No Traffic: Destinations

Displays destinations with no activity.

FWPRO: No Traffic: Sources Displays sources with no activity.

FWPRO: Trend to Allow: Combined

Displays relationships with increased allowed activity.

FWPRO: Trend to Allow: Destinations

Displays destinations with increased allowed activity.

FWPRO: Trend to Allow: Sources

Displays sources with increased allowed activity.

FWPRO: Trend to Deny: Combined

Displays relationships with increased denied activity.

FWPRO: Trend to Deny: Destinations

Displays destinations with increased denied activity.

FWPRO: Trend to Deny: Sources

Displays sources with increased denied activity.

FWPRO: Volume Decreased: Combined

Displays relationships with reduced activity.

FWPRO: Volume Decreased: Destinations

Displays destinations with reduced activity.

FWPRO: Volume Decreased: Sources

Displays sources with reduced activity.

FWPRO: Volume Increased: Combined

Displays relationships with increased activity.

FWPRO: Volume Increased: Destinations

Displays destinations with increased activity.

FWPRO: Volume Increased: Sources

Displays sources with increased activity.

Profiler Report – Attack Events, Total Firewall Events

Compares the number of attack events to the overall number of events on the monitored firewalls.

Profiler Report – Exposure by category

Displays the number of exposure events for each firewall by exposure category.

Profiler Report – Protection by category

Displays the number of events protected against by category for each monitored firewall.

Profiler Report – Protection percentage

Compares the number of exposure events to the percentage of protection by category for each monitored firewall.

Table 7-3 Firewall Profiler Report queries (continued)

Query Description


QueriesGenerate a Firewall Profiler Report query7

Generate a Firewall Profiler Report queryUse the Queries page to run a Firewall Profiler Report query.


1 In the ePolicy Orchestrator console, click Queries & Reports. The Queries page appears.

2 Scroll down to the desired query, and click Run. The results of the query appear.

For Firewall Profiler Report queries, you can perform the following actions.

Control Center queriesThe following Control Center queries are provided with the Firewall Enterprise ePolicy Orchestrator Extension..

Table 7-4 Firewall Profiler Report query tasks

Task StepsGenerate a report for a specific firewall

Select the firewall from the Generate a report of drop-down list. The results of the query are updated to reflect your selection.

Change the time interval used in the report

Select a different time interval from the displaying data in interval of drop-down list. The results of the query are updated to reflect your selection.

Export report data 1 Select Options | Export Data. The Export window appears, providing configuration options for exporting the file.


Table 7-5 Control Center queries

Query Description

FWCC: Active Firewall VPN Sessions

Displays the average number of active VPN sessions taking place on managed firewalls by hour.

FWCC: Alert Summary Displays the total number of alerts on managed firewalls by type.

FWCC: Firewall CPU Usage Displays the average CPU use of managed firewalls by hour.

FWCC: Firewall Disk Usage Displays the average disk use percentage of managed firewalls by hour.

FWCC: Firewall Enterprise Control Center Run Statuses

Displays the number of Control Center Management Servers organized according to run status.

FWCC: Firewall Filter Sessions

Displays the average number of filter sessions for managed firewalls by hour.

FWCC: Firewall Physical Memory Usage

Displays the average percentage of physical memory used by managed firewalls by hour.

FWCC: Firewall Proxy Sessions

Displays the average number of proxy sessions for managed firewalls by hour.

FWCC: Firewall Run Statuses Displays the number of managed firewalls according to run status of each firewall.

FWCC: Firewall Versions Displays the number of managed firewalls according to the version of each firewall.

FWCC: Firewall Virtual Memory Usage

Displays the average percentage of virtual memory used by managed firewall by hour.

FWCC: Idle Firewall VPN Sessions

Displays the average number of idle VPN session for managed firewalls by hour.

FWCC: Inbound Data Rate Through Firewall (Bytes/Sec)

Displays the average inbound data rate for managed firewalls in bytes per second by hour.

FWCC: Inbound Data Through Firewall (Bytes)

Displays the average amount inbound data for managed firewalls in bytes by hour.


QueriesGenerate a Control Center query 7

Generate a Control Center queryUse the Queries page to run a Control Center query.


1 In the ePolicy Orchestrator console, select Queries & Reports. The Queries page appears.

2 Scroll down to the desired query, and click Run.

The results of the query are displayed. For Control Center queries, you can perform the following actions.

FWCC: Outbound Data Rate Through Firewall (Bytes/Sec)

Displays the average outbound data rate for managed firewalls in bytes per second by hour.

FWCC: Outbound Data Through Firewall (Bytes)

Displays the average outbound data rate for managed firewalls in bytes per second by hour.

Table 7-5 Control Center queries (continued)

Query Description

Table 7-6 Control Center query tasks

Task StepsView details about a specific time period

Click the desired data point on a report. Information for the selected time period is displayed in a table.Click a row in the table to view the McAfee Firewall Activity Details page for the firewall.

[FWCC Alert Summary only] View details about alerts

Click an alert priority in the FWCC: Alert Summary report. The McAfee Firewall Alert Summary Details page appears.Use the left and right arrows at the bottom of the page to view details about other alerts with the same priority.

[FWCC: Firewall Enterprise Control Center Run Statuses only] View details about Control Center Management Servers

Click a run status in the FWCC: Firewall Enterprise Control Center Run Statuses report. The McAfee Firewall Enterprise Control Centers Details page appears.Use the left and right arrows at the bottom of the page to view details about other Control Centers with the same status.

[FWCC: Firewall Run Statuses and FWCC: Versions only] View details about managed firewalls

Click a run status in the FWCC: Firewall Run Statuses report. The McAfee Firewalls Details page appears.Use the left and right arrows at the bottom of the page to view details about other firewalls with the same status.

Export report data 1 Select Options | Export Data. The Export window appears, providing configuration options for exporting the file.



QueriesGenerate a Control Center query7


8 Issues and tickets

ContentsCreate Firewall Profiler issues

Use Profiler Firewall tickets

Create Firewall Profiler issuesYou can create issues for Firewall Profiler events. You can assign issues a type of Profiler Change Event or Profiler Risk Event to quickly distinguish them from other issues.

See the McAfee ePolicy Orchestrator Product Guide for more information about creating and using issues.

Create a change event issueUse this task to manually create a change event issue.


1 Select Menu | Automation | Issues, then select Actions | New Issue.

2 In the New Issue dialog box, select Profiler Change Events Issue from the Create issue of type drop-down list, then click OK. The New Issue page appears.

3 Complete the fields for the new issue.

4 Click Save. The new issue appears at the top of the Issues page.

Create a risk event issueUse this task to manually create a risk event issue.


1 Select Menu | Automation | Issues, then select Actions | New Issue.

2 In the New Issue dialog box, select Profiler Risk Events Issue from the Create issue of type drop-down list, then click OK. The New Issue page appears.

3 Complete the fields for the new issue.

4 Click Save. The new issue appears at the top of the Issues page.


Issues and ticketsUse Profiler Firewall tickets8

Use Profiler Firewall ticketsIf you have a separate ticketing system, you can create tickets for Firewall Profiler events. Any time a ticket is created, a ticketed issue is created automatically.

See the McAfee ePolicy Orchestrator Product Guide for more information about creating and using tickets.

Create an event ticketUse this task to create a Firewall Profiler change event or risk event ticket.


1 From the Risk Events or Change Events page, select the checkbox next to the event you want to create a ticket for.

2 Select Actions | Create Ticket. The Create Ticket pop-up window appears. A message on the window informs you whether or not an open ticket exists for the event.

3 Click OK. The ticket is created and the ticketed issue can be viewed on the Issues page.

Associate a ticket with an issueUse this task to assign a ticket to an issue that has already been created.

Before you beginMake sure you have integrated a ticketing server.


1 Select Menu | Automation | Issues.

2 Select the checkbox next to the issue you want to assign a ticket to. If you want to assign tickets to several issues at once, you can select multiple checkboxes.

3 Select Actions | Assign Ticket. The Add Ticket pop-up window appears.

4 Click OK. A ticket is assigned to all the selected issues that do not already have a ticket assigned.


9 Automatic responses

ContentsFirewall Profiler event responses

Create an automatic response for Firewall Profiler events

Firewall Profiler event responsesYou can create automatic responses rules for Firewall Profiler change and risk events.

See the McAfee ePolicy Orchestrator Product Guide for more information about creating and using automatic responses.

Create an automatic response for Firewall Profiler eventsUse this procedure to create an automatic response rule that specifies a change event or risk event. This procedure leads you through each page of the Response Builder wizard. This procedure includes the following tasks:

• Describe the rule

• Set filters for the rule

• Set thresholds for the rule

• Configure the actions for the rule

• Review and save the rule

Describe the ruleBegin creating a rule. The Description page of the Response Builder wizard allows you to:

• Name and describe the rule.

• Specify the language used by the response.

• Specify the event type and group that triggers this response.

• Enable or disable the rule.


Automatic responsesCreate an automatic response for Firewall Profiler events9


1 Select Menu | Automation | Automatic Responses.


• Click New Response

• Click Actions | New Response

• Click Edit next to an existing rule.

The Response Builder wizard opens.

3 On the Description page, type a unique name and any notes for the rule.

Note: Rule names on each server must be unique. For example, if one user creates a rule named Emergency Alert, no other user (including global administrators) can create a rule with that name.

4 From the Language menu, select the language the rule uses.

5 From the Event group drop-down list, select Profiler Events.

6 From the Event type drop-down list, select the Firewall Profiler event type (change event or risk event) that will trigger this response.

7 Next to Status, select the Enabled or Disabled radio button.

8 Click Next. The Filter page appears.

Set filters for the ruleSet the filters for the response rule on the Filters page of the Response Builder wizard.


1 From the Available Properties list, select the desired property, then specify the value to filter the response result.

Note: Available Properties depend on the event type and event group selected on the Description page of the Response Builder wizard.

2 Click Next. The Aggregation page appears.


Automatic responsesCreate an automatic response for Firewall Profiler events 9

Set thresholds for the ruleDefine when the event triggers the rule on the Aggregation page of the Response Builder wizard.

A rule’s thresholds are a combination of aggregation, throttling, and grouping.


1 Next to Aggregation, select whether to Trigger this response for every event, or to Trigger this response if multiple events occur within a defined amount of time. If you select the latter, define the amount of time in minutes, hours, or days.

If you selected Trigger this response if multiple events occur within, you can choose to trigger a response when the specified conditions are met. These conditions are any combination of:

• When the number of distinct values for an event property is at least a certain value — This condition is used when a distinct value of occurrence of event property is selected.

• When the number of events is at least — Type a defined number of events.

You can select one or both options. For example, you can set the rule to trigger this response if the distinct value of occurrence of event property selected exceeds 300, or when the number of events exceeds 3,000, whichever threshold is crossed first.

2 Next to Grouping, select whether to group the aggregated events. If you select to group the aggregated events, specify the property of event on which they are grouped.

3 As needed, next to Throttling, select At most, trigger this response once every and define an amount of time that must be passed before this rule can send notification messages again. The amount of time can be defined in minutes, hours, or days.

4 Click Next. The Action page appears.

Configure the actions for the ruleConfigure the responses that are triggered by the rule on the Responses page of the Response Builder wizard.

You can configure the rule to trigger multiple actions by using the + and - buttons, located next to the drop-down list for the type of notification.


1 If you want the notification message to be sent as an email or text pager message, select Send Email from the drop-down list.

a Next to Recipients, click ... and select the recipients for the message. This list of available recipients is taken from Contacts (Menu | User Management | Contacts).

Alternatively, you can manually type email addresses, separated by a comma.

b Select the importance of the notification email.

c Type the subject of the message.

Optionally, you can insert any of the available variables directly into the subject.

d Type any text that you want to appear in the body of the message.

Optionally, you can insert any of the available variables directly into the body.

e Click Next if finished, or click + to add another notification.


Automatic responsesCreate an automatic response for Firewall Profiler events9

2 If you want the notification message to be sent as an SNMP trap, select Send SNMP Trap from the drop-down list.

a Select the desired SNMP server from the drop-down list.

b Select the type of value that you want to send in the SNMP trap. Options are:

• Value

• Number of Distinct Values

• List of Distinct Values

• List of All Values

Note: Some events do not include this information. If a selection you make is not represented, the information is not available in the event file.

c Click Next if finished, or click + to add another notification.

3 If you want the notification to run an external command, select Run External Command from the drop-down list.

a Select the desired registered executables, then type any arguments for the command.

b Click Next if finished, or click + to add another notification.

4 If you want the notification to create an issue, select Create issue from the drop-down list.

a Select the type of issue that you want to create.

b Type a unique name and any notes for the issue. Optionally, you can insert any of the available variables directly into the name and description.

c Select the state, priority, severity, and resolution for the issue from the respective drop-down lists.

d Type the name of the assignee in the text box.

e Click Next if finished, or click + to add another notification.

5 If you want the notification to run a scheduled task, select Execute Scheduled Task from the drop-down list.

a Select the task that you want to run from the Task to execute drop-down list.

b Click Next if finished, or click + to add another notification.

Review and save the ruleOn the Summary page, verify the information, then click Save.

The automatic response is added to the Automatic Responses page.


Index

Aalerts

displaying for firewalls and Control Center Management Servers 29, 39

displaying totals for each firewall or Control Center Management Server 29, 39

audit logsconfiguring access in permission sets 12

automatic responses 43

CControl Center

overview 7

setting up for ePolicy Orchestrator 19

viewing managed firewalls 30

Control Center Management Serversconfiguring access in permission sets 13

deleting from ePolicy Orchestrator 22

display run status 29, 39

displaying alerts in ePolicy Orchestrator 29, 39

displaying information about 29, 39

registering High Availability (HA) servers with ePolicy Orchestrator 21

registering with ePolicy Orchestrator 21

re-installing on ePolicy Orchestrator 21, 22

Ddashboards 27

configuring access in permission sets 12

Firewall internal host mapping 27

Firewall Resources 28

Firewall Stats 29

personal 12

Profiler Events 29

public 12

datachanging host retention period 32

changing refresh rate 32

EePO Extension

overview 7

using with Control Center 8using with Firewall Enterprise 8

using with Firewall Profiler 8using with McAfee Firewall Profiler 7

ePolicy Orchestratoradding Control Center Management Servers 21

configuring Control Center for 19

configuring Firewall Profiler for 25

deleting Control Center Management Servers 22

deleting Firewall Profiler servers 24

downloading the Firewall Enterprise ePO Extension 9

installation prerequisites 10

installing the Firewall Enterprise ePO Extension 10

registering the primary HA Management Server 21

setup overview 9

user 19

eventschanging sources and destinations 32

creating tickets for Firewall Profiler 42

viewing Firewall Profiler 29

extensionsconfiguring installation and deletion access in permission sets 13

FFirewall Enterprise 7

configuring for ePolicy Orchestrator communication 15

troubleshooting ePolicy Orchestrator communication 16

Firewall Enterprise ePO Extensiondownloading 9

Firewall internal host mapping dashboard 27

Firewall Profiler 8adding to ePolicy Orchestrator 24

changing event sources and destinations 32

creating a user account for ePolicy Orchestrator 23

creating event issues 41

registering with ePolicy Orchestrator 24

setting up for ePolicy Orchestrator 23

viewing events 29

viewing monitored firewalls 31

Firewall Profiler serversdeleting from ePolicy Orchestrator 24

Firewall Resources dashboard 28

Firewall Stats dashboard 29

Firewall Enterprise ePO Extensioninstalling 10

firewalls 7


configuring for ePolicy Orchestrator communication 15

displaying alerts in ePolicy Orchestrator 29, 39

troubleshooting ePolicy Orchestrator communication 16

viewing Control Center managed 30

viewing data 27

viewing details about 29, 39

viewing Firewall Profiler monitored 31


Index

viewing host data 27

viewing resource data 28

viewing statuses 29

viewing versions 29

HHA Management Servers

registering the primary server with ePolicy Orchestrator 21

viewing failover information 21

High Availability Management Serverssee HA Management Servers

host objectsviewing ePO Data reports in Control Center 33

viewing ePO Data reports in Firewall Profiler 33

Iissues

assigning tickets to 42

creating Firewall Profiler change event 41

creating Firewall Profiler event 41

creating Firewall Profiler risk event 41

MMcAfee Firewall Enterprise Control Center

see Control CenterMcAfee Firewall Enterprise ePO Extension

see Firewall Enterprise ePO ExtensionMcAfee Firewall Profiler

using with the ePO Extension 7

Ppermission sets

configuring audit log access 12

configuring Control Center Management Server access 13

configuring dashboard access 12

configuring extension installation and deletion access 13

configuring firewall access 13

configuring for general access 12

configuring for the Control Center and Firewall Profiler user account 10

configuring query access 13

configuring registered server access 13

Profiler Events dashboard 29

Profiler serversre-installing on ePolicy Orchestrator 24

Qqueries


Control Center 38

Firewall Enterprise Report 35

Firewall Profiler Report 36

generating Control Center 39

generating Firewall Enterprise Report 36

generating Firewall Profiler Report 38

personal 13

public 13

viewing Firewall Enterprise ePO Extension 35

Rregistered servers


run statusdisplaying for Control Center Management Servers 29, 39

displaying for firewalls 29, 39

Ttickets

assigning to issues 42

creating Firewall Profiler event 42

Firewall Profiler event 42

Uusers

configuring for data access 14

creating a Firewall Profiler user account for ePolicy Orchestrator 23

creating the Control Center and Firewall Profiler user account 11

Vviewing firewall data 27

viewing Firewall Profiler events 29


Index


700-3683A00

McAfee Firewall Enterprise ePolicy Orchestrator...

Documents

Transcript of McAfee Firewall Enterprise ePolicy Orchestrator...