McAfee Firewall Enterprise 8.3

Product Guide, Revision A
McAfee Firewall Enterprise 8.3.2

COPYRIGHT

Copyright 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface . . . 17
  About this guide . . . 17
  Audience . . . 17
  Conventions . . . 17
  Find product documentation . . . 18

1 Introduction to Firewall Enterprise . . . 19
  Features of Firewall Enterprise
  Networking elements
    Zones
    IPv4 and IPv6 support
    DNS
    Routing
    VPN
  How to control access
    McAfee AppPrism
    User-based policy
  Protection from attacks
    Application Defenses
    Intrusion Prevention System
    Attack responses
    Network defenses
  Encrypted content inspection
  Global Threat Intelligence
    Web reputation
    Geo-Location
    Virus protection
  SmartFilter web filtering

Planning and setup

2 Planning . . . 27
  Planning your setup . . . 27
    Renaming default zones . . . 28
    Deployment options . . . 29
    Initial active policy . . . 37
    Additional administration route . . . 39
    Administrator information . . . 40
    Control Center management . . . 40
  Integration Checklist . . . 41
  Quick Start Wizard Response Form . . . 42
    1. License Information . . . 42
    2. Control Center Management . . . 43
    3. Initial Policy . . . 43
    4. Host name and Network Location . . . 43
    5. Network information . . . 44
    6. Additional Administration Route . . . 44
    7. Administrator Information . . . 45

3 Installation and configuration . . . 47
  Requirements . . . 47
  Install the Management Tools . . . 48
  Configure Firewall Enterprise . . . 49
    Set up the hardware . . . 50
    Run the Quick Start Wizard . . . 50
    Apply the configuration . . . 51
  Configure using other methods . . . 51
    How to use the Admin Console default settings . . . 51
    How to use a locally attached terminal . . . 54
    How to use a locally attached management system . . . 56

4 Startup . . . 59
  What the Admin Console does . . . 59
    Navigating through the Admin Console . . . 59
    Add a firewall and connect . . . 60
    Disconnect from a firewall . . . 61
  Activating the license . . . 61
    Verify a license . . . 62
    Manually activate a license . . . 62
    Configure the license tabs . . . 64
  Complete post-setup tasks . . . 66

Policy

5 Policy overview . . . 71
  Types of rules
  What access control rules do
    Types of access control rules
    Access control rule elements
  Logic of SSL rules
    Types of SSL rules
    SSL rule elements
  Interaction between rule types
  Rule order
    Rule placement
    Scenario for ordering access control rules

6 Network objects and time periods . . . 87
  Types of network objects
  Manage network objects
  Manage netgroup membership
  Manage time periods

7 Identity validation . . . 93
  Validating users and user groups . . . 93
  Passive identity validation . . . 94
  Active identity validation . . . 95
    Active Passport configuration . . . 95
    Authenticator configuration . . . 99
    User password management . . . 103
  Users and user groups . . . 105
    Create a firewall user
    Create a firewall user group
    Create an external group
    Create a McAfee Logon Collector user
    Create a McAfee Logon Collector group
    Create a McAfee Logon Collector distribution list
    Modify a firewall user or user group
    View where a user or group is being used
    Rename a user or group
    Delete a user or group
    Filter the list by type
    Search for a user or group in the list

8 Content inspection . . . 111
  Methods of content inspection
  Configure IPS inspection
    How IPS inspection works
    Verify that your firewall is licensed for IPS
    Download IPS signatures and enable automatic signature updates
    Configuring a response mapping
    Configuring a signature group
    Managing signatures
    Adding IPS inspection to access control rules
  Configuring virus scanning
    Configure global virus scanning properties
    Configure virus scanning signature updates
    Enable virus scanning on an access control rule
  How Global Threat Intelligence works
    Deployment considerations
    Using Global Threat Intelligence in access control rules
    Using Global Threat Intelligence with sendmail
    Configure Global Threat Intelligence settings
  Benefits of SmartFilter
    SmartFilter management options
    Manage SmartFilter using the firewall Admin Console
    Manage SmartFilter using the SmartFilter Administration Console
    Enable SmartFilter on an access control rule

9 McAfee EIA
  How McAfee EIA works
  Benefits of McAfee EIA
  Understanding file reputation in the firewall audit
  Configure certificates
    Generate the firewall certificate
    Sign the firewall certificate and export the CA certificate
    Load the certificates
    Configure certificates using SCEP
  Configure McAfee EIA settings on Firewall Enterprise
    Authentication options
    Configure authentication and certificate settings
    Firewall Enterprise discovery options
    Configure agent discovery
    Configure the executable file reputation capability
    Modify advanced firewall settings
    Create an explicit McAfee EIA communication rule
  View active hosts connected to Firewall Enterprise
    View connected hosts using the Admin Console . . . 158
    View connected hosts using the command line interface . . . 159
  View related firewall audit . . . 159

10 Applications . . . 161
  Using applications in policy
    Applications in access control rules
    How applications are identified
    Typical Scenarios
  Manage applications
  Manage application groups
  Updating application signatures on an isolated network

11 Application Defenses . . . 173
  Understanding Application Defenses
    Application Defense types
    Application Defense profiles
    Application Defense groups
  How the Generic Application Defense profile works
    Expected Connections
    Passing traffic transparently and non-transparently
    Configuring packet filters
    Stateful packet inspection
  Virus scanning
    Create a virus/spyware rule
    Configure the default filtering action
  Managing Application Defense groups
    Create an Application Defense group
    Modify an Application Defense group
    Rename an Application Defense group
    Delete an Application Defense group
    Make a group the default Application Defense group
    View which access control rules are using an Application Defense group
    Duplicate an Application Defense group
    Create or modify an Application Defense profile
  Managing Application Defense profiles
    Create a new Application Defense profile
    Duplicate an existing Application Defense profile
    Modify an existing Application Defense profile
    Rename an existing Application Defense profile
    Delete an existing Application Defense profile
    View the Application Defense groups in which an Application Defense profile is used
    [Generic only] Configure Expected Connections
    [HTTP only] Configure URL translation rules
    [Mail (Sendmail) only] Configure sendmail properties
    [SSH only] Configure SSH known hosts

12 Access control rules
  Creating and managing access control rules
  Configuring access control rules
    Configuring access control rule attributes
    Select elements using the browse pane for access control rules
    Create an access control rule
  Examine how access control rules overlap
  Create access control rules and groups
  Modify access control rules and groups
  Arrange access control rules and groups . . . 198
  View access control rules and groups . . . 199
  Modify general settings . . . 199

13 SSL rules . . . 201
  Configuring SSL rules
    Configuring SSL rule attributes
    Select elements using the browse pane for SSL rules
    Create an SSL rule
  Duplicate an SSL rule
  Modify SSL rules
  Arrange SSL rules
  View SSL rules
  Configure which columns are displayed

14 Policy in action . . . 209
  Working with policy
  Allowing a custom application
    Create a custom application based on MySQL
    Use the custom application in an access control rule
  Allowing inbound access to internal servers
    Redirecting based on application
    Redirecting HTTP based on URL
  Allowing outbound web access
    Allow HTTP and pass-through SSL (including HTTPS)
    Allow HTTP only
    Allow pass-through SSL only
  Allowing IPv6 network flows through the firewall
    Allow HTTP over IPv6
    Allow SSH over IPv6
  Configure IPv4-to-IPv6 translation for HTTP
    Create a Generic Application Defense profile for IPv4 to IPv6 translation
    Create an HTTP A