
McAfee Next Generation Firewall 5.10
Installation Guide
Revision B

COPYRIGHT

Copyright 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    Audience
    Conventions
    Find product documentation

Introduction to McAfee Next Generation Firewall (McAfee NGFW)

1 Introduction to McAfee NGFW
    McAfee NGFW system components
        Security Management Center (SMC)
        McAfee NGFW engines
        McAfee NGFW in the Firewall/VPN role
        McAfee NGFW in the IPS and Layer 2 Firewall roles
        Master Engines and Virtual Security Engines

2 Preparing for installation
    Supported platforms
        Supported platforms for SMC deployment
        Supported platforms for McAfee NGFW engine deployment
        Deploying McAfee NGFW engines in the Amazon Web Services cloud
        Running McAfee NGFW engines as Master Engines
    Clustering
        Heartbeat connection and state synchronization for clusters
        Hardware for Firewall Cluster nodes
    Deployment options for McAfee NGFW in the IPS and Layer 2 Firewall roles
    Cable connection guidelines
        Cable connection guidelines for SMC Appliance
        Cable connection guidelines for Firewalls
        Cable connection guidelines for IPS and Layer 2 Firewalls
        Speed and duplex settings for McAfee NGFW engines
    Obtain installation files
        Download installation files
        Check file integrity
        Create an installation DVD
    Licensing McAfee NGFW system components
        Types of licenses for McAfee NGFW engines
        Obtain license files
    Installation overview

Security Management Center (SMC) deployment

3 Installing the SMC
    SMC installation options
        Requirements for running SMC on third-party hardware
        Security considerations for SMC deployment
        Basic system settings for the SMC components
        Installing on Linux
        SMC installation overview
    Install SMC components
        Start the SMC installation
        Install a Management Server
        Install a Log Server
        Install a Web Portal Server
        Finish the SMC installation
    Install the SMC in Demo Mode
    Install the SMC from the command line
        Start the SMC installation on the command line
        Configure the Management Server from the command line
        Configure the Log Server from the command line
        Configure the Web Portal Server from the command line
    Install the SMC Appliance
    Start the SMC after installation
        Start the Management Server
        Start the Management Client
        Log on to the SMC
        Accept the Management Server certificate
        Install licenses for SMC servers
        Bind Management Server POL-bound licenses to servers
        Start SMC servers
        Generate SMC server certificates
    Post-installation SMC configurations

4 Configuring the SMC
    Configuring NAT addresses for SMC components
        Add Location elements
        Add SMC Server contact addresses
        Set the Management Client location
    Add Management Servers for high availability
    Distribute Management Clients through Web Start
        Distribute Management Clients from SMC servers
        Distribute Management Clients from a separate server

McAfee NGFW engine deployment

5 Configuring McAfee NGFW for the Firewall/VPN role
    Install licenses for McAfee NGFW engines
    Configuring Single Firewalls
        Types of interfaces for Single Firewalls
        Add Single Firewall elements
        Add physical interfaces to Single Firewalls
        Add VLAN interfaces to Single Firewalls
        Add ADSL Interfaces to Single Firewalls
        Add wireless interfaces to Single Firewalls
        Add SSID Interfaces to Single Firewalls
        Add Switches to Single Firewalls
        Add Port Group Interfaces to Single Firewalls
        Add IP addresses for Single Firewall interfaces
        Add Modem Interfaces to Single Firewalls
        Select system communication roles for Single Firewall interfaces
        Bind engine licenses to Single Firewall elements
    Configuring Firewall Clusters
        Types of interfaces for Firewall Clusters
        Operating modes for Firewall Cluster interfaces
        Add Firewall Cluster elements
        Add nodes to Firewall Clusters
        Add physical interfaces to Firewall Clusters
        Add VLAN Interfaces to Firewall Clusters
        Add IP addresses for Firewall Cluster interfaces
        Select system communication roles for Firewall Cluster interfaces
        Add manual ARP entries for Firewall Clusters
        Bind engine licenses to Firewall Cluster elements

6 Configuring McAfee NGFW for the IPS role
    Configuring IPS engines
        Add IPS elements
        Add system communication interfaces to IPS engines
        Add traffic inspection interfaces to IPS engines
    Bind engine licenses to IPS elements

7 Configuring McAfee NGFW for the Layer 2 Firewall role
    Configuring Layer 2 Firewalls
        Add Layer 2 Firewall elements
        Add system communications interfaces to Layer 2 Firewalls
        Add traffic inspection interfaces to Layer 2 Firewalls
    Bind engine licenses to Layer 2 Firewall elements

8 Configuring McAfee NGFW engines as Master Engines and Virtual Security Engines
    Master Engine and Virtual Security Engine configuration overview
    Add Master Engine elements
        Add nodes to Master Engines
        Create Virtual Resource elements
        Add physical interfaces to Master Engines
        Add VLAN interfaces to Master Engines
        Add IPv4 and IPv6 addresses to Master Engine interfaces
        Select system communication roles for Master Engine interfaces
        Bind Master Engine licenses to Master Engine elements
    Add Virtual Firewall elements
        Configuring physical interfaces for Virtual Firewalls
        Add VLAN interfaces to Virtual Security Engine interfaces
        Add IP addresses for Virtual Firewalls
        Select additional options for Virtual Firewall interfaces
    Add Virtual IPS elements
        Configuring physical interfaces for Virtual IPS engines
    Add Virtual Layer 2 Firewall elements
        Configuring Physical Interfaces for Virtual Layer 2 Firewalls

9 Configuring McAfee NGFW engine software
    Options for initial configuration
    Using plug and play configuration
        Prepare for plug and play configuration
        Configure McAfee NGFW engine software using plug and play configuration
        If plug and play configuration fails
    Using automatic configuration
        Prepare for automatic configuration
        Configure McAfee NGFW engine software using automatic configuration
    Configure McAfee NGFW engine software with the McAfee NGFW Configuration Wizard
        Prepare for McAfee NGFW Configuration Wizard configuration
        Start the McAfee NGFW Configuration Wizard
        Configure operating system settings
        Configure the network interfaces
        Contact the Management Server

10 McAfee NGFW engine post-installation tasks
    Configuring routing and basic policies
        Configuring routing
        Defining basic policies for firewalls
        Installing the initial policy for IPS engines and Layer 2 Firewalls
        Install a ready-made policy for IPS engines and Layer 2 Firewalls
    Monitor and command McAfee NGFW engines

Maintenance

11 Maintaining the SMC
    Upgrading the SMC
        Upgrading licenses for SMC components
        Upgrade SMC servers
        Synchronize databases between active Management Server and additional Management Servers
    Uninstall the SMC
        Uninstall the SMC in Windows
        Uninstall the SMC in Linux

12 Upgrading McAfee NGFW engines
    How engine upgrades work
    Obtain McAfee NGFW engine upgrade files
    Upgrading or generating licenses for McAfee NGFW engines
        Upgrade licenses under one proof code
        Upgrade licenses with multiple proof codes
        Check licenses
    Upgrade engines remotely
    Upgrade engines locally
        Upgrade from an installation DVD
        Upgrade from a .zip file

A Default communication ports
    Security Management Center ports
    McAfee NGFW engine ports

B Command line tools
    Security Management Center commands
    McAfee NGFW engine commands
    Server Pool Monitoring Agent commands

C Installing McAfee NGFW engines on a virtualization platform
    Hardware requirements for installing McAfee NGFW engines on a virtualization platform
    Install McAfee NGFW engine using an .iso file
    Install McAfee NGFW engine using a VMDK image

D Installing McAfee NGFW engines on third-party hardware
    Hardware requirements for installing McAfee NGFW engines on third-party hardware
        Network interface cards
        Hardware drivers
    Start the McAfee NGFW engine installation on third-party hardware
    Install McAfee NGFW in expert mode
        Partition the hard disk in expert mode
        Allocate partitions in expert mode

E Example network (Firewall/VPN)
    Example Firewall Cluster
    Example Single Firewall
    Example headquarters management network
        HQ firewall
        SMC Servers

F Example network (IPS)
    Example network overview (IPS)
    Example headquarters intranet network
        HQ IPS Cluster
    Example headquarters DMZ network
        DMZ IPS

G Cluster installation worksheet instructions
    Cluster installation worksheet

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
    Audience
    Conventions
    Find product documentation

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

    Administrators — People who implement and enforce the company's security program.
    Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

    Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
    Bold: Text that is strongly emphasized.
    User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
    Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
    Hypertext blue: A link to a topic or to an external website.
    Note: Additional information, like an alternate method of accessing an option.
    Tip: Suggestions and recommendations.
    Important/Caution: V

Find product documentation

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.