XC Cluster Administration Guide Revision A. McAfee Network Security Platform 9.1

Size: px

Start display at page:

Download "XC Cluster Administration Guide Revision A. McAfee Network Security Platform 9.1"

Candace Cobb
5 years ago
Views:

1 XC Cluster Administration Guide Revision A McAfee Network Security Platform 9.1

2 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

3 Contents Preface 7 About this guide Audience Conventions Find product documentation What's in this guide Overview 9 XC-240 load balancer M-8000XC Sensors XC clustering mechanism 11 Port configuration In-line mode Span mode Tap mode Sensor redundancy (N+1) XC-240 high availability Sensor failure detection CRC forwarding Jumbo packet forwarding Link fault detect XC cluster management McAfee Network Threat Behavior Analysis support SNMP v3 support Manager Disaster Recovery (MDR) Modes of operation XC-240 high availability XC-240 standalone Set up the XC-240 load balancer 25 XC-240 key features XC-240 physical description Front panel Rear panel Install XC Usage restrictions Safety measures Unpack and inspect XC Position the XC Connect power to XC Install the power supply Remove the power supply Turn on the XC Turn off the XC McAfee Network Security Platform 9.1 XC Cluster Administration Guide 3

4 Contents Install the Small Form-factor Pluggable (SFP+) modules Install an SFP+ module Remove an SFP+ module Connect the XC-240 cables Connect the cable to the Console port Connect the cable to the management port Connect the cable to the monitoring port Connect the cable to the Sensor ports Connect cables for in-line fail-close mode Connect cables for in-line fail-open mode Connect cables for tap mode Connect cables for SPAN or hub mode Configure the XC-240 device Log on to the command line interface Change the logon password Assign a new IP address, netmask, and gateway IP address Define the mode of operation Enable SNMP Set up the M-8000XC Sensors 37 Cable the NTBA appliance XC clustering in the McAfee Network Security Manager 39 Create XC clusters Add XC-240 load balancers Add M-8000XC Sensors Add XC Clusters Manage XC clusters Edit an XC Cluster Delete an XC Cluster View details of an XC cluster Configure XC-240 Monitoring and Sensor ports Configure M-8000XC Sensors Port clustering Reports Performance statistics and alert data Update XC cluster configuration Manage NTBA devices XC-240 command line interface commands 55 bypass capture config export, import date device help history ha set ha config_resync ha show image inet6_ping lbg logout pg set pg show McAfee Network Security Platform 9.1 XC Cluster Administration Guide

5 Contents ping port set port show snmp stats sysip syslog system time upgrade user util show quit or exit ! Limitations 75 8 Troubleshooting tips 77 9 Technical specifications 79 Index 81 McAfee Network Security Platform 9.1 XC Cluster Administration Guide 5

6 Contents 6 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

Preface This guide provides the information you need to configure, use, and maintain your McAfee product.

guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience.

Users People who use the computer where the software is running and can access some or all of its features. Conventions This guide uses these typographical conventions and icons.

7 Preface This guide provides the information you need to configure, use, and maintain your McAfee product. Contents About this guide Find product documentation What's in this guide About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Users People who use the computer where the software is running and can access some or all of its features. Conventions This guide uses these typographical conventions and icons. Italic Bold Monospace Narrow Bold Title of a book, chapter, or topic; a new term; emphasis Text that is emphasized Commands and other text that the user types; a code sample; a displayed message Words from the product interface like options, menus, buttons, and dialog boxes Hypertext blue A link to a topic or to an external website Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method Tip: Best practice information Caution: Important advice to protect your computer system, software installation, network, business, or data Warning: Critical advice to prevent bodily harm when using a hardware product McAfee Network Security Platform 9.1 XC Cluster Administration Guide 7

8 Preface Find product documentation Find product documentation On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more. Task 1 Go to the ServicePortal at and click the Knowledge Center tab. 2 In the Knowledge Base pane under Content Source, click Product Documentation. 3 Select a product and version, then click Search to display a list of documents. What's in this guide This guide contains information necessary to setup the XC cluster. This information includes guiding you through cabling, configuring and troubleshooting the XC cluster. See the Related Documents section for a list of other product documentation that covers topics ranging from planning and deployment to best practices for your environment. 8 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

9 1 Overview 1 An XC Cluster in McAfee Network Security Platform, comprising of an XC-240 Load Balancer and M-8000XC Sensors, functions like a single virtual Sensor. The XC Cluster handles traffic at wire-speed, efficiently inspects, detects, and prevents intrusions, misuse, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks with a high degree of accuracy. It enables high traffic loads to be processed by distributing the traffic flow to multiple Sensors to avoid congestion providing a maximum throughput of 80 Gbps. XC Clusters also support High Availability deployment monitoring traffic with no loss of session state or degradation of protection level. An XC Cluster can be configured in both the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) modes. XC Clusters are flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, they provide real-time monitoring on high traffic loads to detect malicious activity and respond to the malicious activity as configured by the administrator. After deployed, XC Clusters are configured and managed through the command line and the McAfee Network Security Manager (Manager). For more information on the M-8000XC Sensors, see the McAfee Network Security Platform M-8000XC Sensor Product Guide. Contents XC-240 load balancer M-8000XC Sensors XC-240 load balancer The McAfee Network Security Platform XC-240 Load Balancer device is a high performance traffic access device for load balancing. It enables high traffic loads on 10 GB links to be processed by distributing the traffic to multiple Sensors. It also increases visibility by providing remote monitoring (RMON) statistics for the traffic flowing through each of its ports. The XC-240 is the ideal solution for load balancing traffic at 10 Gbps. The XC-240 device consists of 24 ports. 16 Monitoring ports are configured to receive traffic from the Network. These ports are labeled on the device as 8 port pairs; 1A and 1B, 2A and 2B, 3A and 3B, 4A and 4B, 5A and 5B, 6A and 6B, 7A and 7B, 8A and 8B. 8 Sensor ports to be connected to M-8000XC Sensors. These ports are labeled on the device in the series; S1, S2, S3, S4, S5, S6, S7, S8. When deployed in the High Availability mode, Port S8 is reserved for connecting the secondary XC-240. Fiber SPF+ modules are installed in the ports. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 9

10 1 Overview M-8000XC Sensors The XC-240 consists of a Management port which is used for communication with the Manager server and a Console port, which is used to set up and configure the XC-240 using the Command Line Interface. The XC-240 provides dual power supplies. The XC-240 can be configured to load balance traffic in the in-line fail-open, in-line fail-close, span or tap modes by distributing traffic to multiple Sensors. See also Set up the XC-240 load balancer on page 3 Modes of operation on page 17 M-8000XC Sensors The primary function of an M-8000XC Sensor is to analyze traffic on selected network segments and to respond when an attack is detected. The Sensor examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The Sensor examines packets according to user-configured policies, or rule sets, which determine what attacks to watch for, and how to respond with countermeasures if an attack is detected. If an attack is detected, a Sensor responds according to its configured policy. Sensor can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, scrubbing malicious packets, and even blocking attack packets entirely before they reach the intended target. The XC-240 is connected to any 10G monitoring port of the M-8000XC Sensor. For more information on the M-8000XC Sensors, see the McAfee Network Security Platform M-8000XC Sensor Product Guide. For more information on the features and functions of the Sensors, see the McAfee Network Security Platform customer documentation. See also Set up the M-8000XC Sensors on page 4 10 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

2 XC 2 clustering mechanism Figure 2-1 A typical XC Cluster configuration The front panel of the XC-240 Load Balancer consists of 16 Network Monitoring ports.

11 2 XC 2 clustering mechanism Figure 2-1 A typical XC Cluster configuration The front panel of the XC-240 Load Balancer consists of 16 Network Monitoring ports. These ports are connected to various network devices and act as access ports, receiving network traffic and directing it to the appropriate Sensor ports. There are 8 Sensor ports and each of these ports can be connected to (a maximum of 8) M-8000XC Sensors, the traffic is to be load balanced to. The Sensor ports act as trunk ports and the traffic flow is distributed over the connected Sensors. These ports are not configurable. The number of Sensors configured is determined by the aggregate throughput requirement. Port S8 is reserved for the secondary XC-240, when deployed in the High Availability mode. By default, the XC-24 is configured in the in-line fail-close mode. Consider the following example of traffic flow in the in-line fail-close mode: If switch A (source) is connected to port 1A of the XC-240 then switch B (destination) is connected to port 1B. The traffic is received on port 1A. The data packets are directed to a particular Sensor port (assume S2 in this case). After the Sensor inspects the data packet, based on the configured policies, it either drops the data packet or redirects it to port 1B of the XC-240 through the same Sensor port, that is, S2. The data packet is directed to the destination, Switch B, through port 1B. By default, the XC-240 allocates the ARP traffic to the first Sensor configured in the XC Cluster. Data packets with the same source and destination IP addresses are allocated to the same Sensor. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 11

12 2 XC clustering mechanism Port configuration Contents Port configuration Sensor redundancy (N+1) XC-240 high availability Sensor failure detection CRC forwarding Jumbo packet forwarding Link fault detect XC cluster management McAfee Network Threat Behavior Analysis support SNMP v3 support Manager Disaster Recovery (MDR) Modes of operation Port configuration In an XC Cluster, traffic can be monitored in the in-line fail-open, in-line fail-close, span or tap modes. Each of the monitoring port pair on the XC-240 can be configured to monitor traffic in either of these modes. By default, the XC-240 is deployed in the in-line fail-close mode. The ports can be configured through the Manager. For more information, see the McAfee Network Security Platform IPS Administration Guide. See also Set up the XC-240 load balancer on page 3 XC-240 command line interface commands on page 4 In-line mode This mode deploys the XC-240 directly in the network traffic path, inspecting all traffic at wire-speed as it passes through it. In-line mode enables you to run the XC-240 in a protection/prevention mode, where packet inspection is performed in real time, and intrusive packets can be dealt with immediately; you can actively drop malicious packets because the XC-240 is physically in the path of all network traffic. This enables you to actually prevent an attack from reaching its target. By default the XC-240 is configured in the in-line mode. The ports are configured in pairs (explained above) and can be fail-close or fail-open. In the in-line mode if one port is down, the peer port is also down. This ensures that if two external switches are connected to each other through an XC-240 port pair then the operational state of one switch is communicated to the other switch by the XC-240. For example, if switch A is connected to 1A and switch B is connected to 1B, when switch B goes down switch A can sense that its peer switch has gone down. This is true for in-line network ports which are administratively enabled. Fail-open and fail-close XC-240 ports deployed in in-line mode have the option of failing open or closed. The 10 gigabit optical monitoring ports on the XC-240 failing open allow traffic to continue to flow. Thus, even if the ports fail, the XC-240 does not become a bottleneck; however, monitoring ceases which may allow bad traffic to impact 12 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

13 XC clustering mechanism Sensor redundancy (N+1) 2 systems in your network. When ports are configured to fail closed, the XC-240 does not allow traffic to continue to flow, thus the failed ports become a bottleneck, stopping all traffic at the XC-240. The ports can be configured through the Manager. Active fail-open operation for the monitoring port pairs requires the use of an optional external Bypass Switch provided in the McAfee 10 gigabit Optical Active Fail-Open Bypass Kit (the Kit) for McAfee Network Security XC-240 device with standard 10 gigabit Small Form Factor Pluggable Module (XFP) monitoring ports. The Kit contains an Optical Bypass Switch and all the connecting components to connect the switch to the monitoring ports of the Sensor. During normal XC-240 in-line fail-open operation, the Active Fail-Open Kit sends a heartbeat signal to the monitoring port pair. If the Active Fail-Open Kit does not receive heart beat signals within its programmed interval, the Active Fail-Open kit removes the XC-240's monitoring port pair from the data path, providing continuous data flow. For setting up the fail-open kit and connecting it to the XC-240 device, see the McAfee Network Security Platform 10 GB optical Active Fail Open Bypass Kit guide. See also Configure XC-240 Monitoring and Sensor ports on page 46 Span mode This mode deploys the XC 240 in the IDS mode. The SPAN port on a network switch is designed specifically for security monitoring so that the XC-240 receives a copy of every single packet that is sent from one host to another through the switch. For example, data copies received on port 3A of the XC-240 are directed to a Sensor port (let's assume port S1). The SPAN mode is passive; the Sensor essentially sees malicious traffic as it passes. You cannot prevent attacks from reaching their target. You can issue response packets through the XC-240's response ports. The Monitoring port which receives the traffic acts as the response port. The SPAN port forwards all incoming and outgoing traffic within the switch to a predetermined port. Tap mode This mode deploys the XC-240 in the IDS mode. It works through installation of an external fiber tap or built-in internal taps. The monitoring ports are configured in pairs. For example, ports 1A and 1B are connected to the external tap. The tap is connected to the network devices. An XC 240 deployed in tap mode monitors the packet information. Like SPAN mode, Tap mode is passive; the Sensor essentially sees malicious traffic as it passes. You cannot prevent attacks from reaching their target. In the Tap mode you can issue response packets through the XC-240's response ports. The Monitoring port which receives the traffic acts as the response port. The XC-240 monitoring ports are configured in pairs. For example, if 1A is configured in in-line fail-open/in-line fail-close/span/tap mode then 1B would also work in the same mode. However, port pairs can be configured in different modes, for example if 1A and 1B are in span mode then 2A and 2B can be configured in the tap mode. Sensor redundancy (N+1) Sensor redundancy is supported in an XC Cluster. To configure redundancy, one of the Sensor ports on the XC-240 is configured as the spare port using the lbg command. The redundant standby Sensor is connected to the spare port. If one Sensor fails, the XC-240 diverts traffic to the standby Sensor, which continues to monitor the traffic. The spare port can be static, that is, when the failed Sensor recovers, it starts monitoring traffic and the active spare port becomes the spare port once again, or dynamic, that is, when the failed Sensor recovers the active spare port continues to monitor traffic and the port of the recovered Sensor becomes the spare port. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 13

14 2 XC clustering mechanism XC-240 high availability Sensor redundancy ensures that the network is always available even if the hardware fails. Redundancy reduces lapses in service to employees and customers that may lead to loss of productivity and revenue. XC Clusters are built to meet the needs of redundant networks. When running them in-line fail-open or in-line fail-close, the option is available to you to use one Sensor as standby. When traffic is diverted from the primary to the spare Sensor or vice versa, fault messages are generated in the Status page of the Manager. See also Modes of operation on page 17 XC-240 high availability XC Clusters support High Availability deployment, using a standby XC-240 device. The standby secondary XC-240 is connected to the primary XC-240 through port S8. If one XC-240 fails, the standby XC-240 continues to load balance and monitor the traffic with no loss of session state or degradation of protection level. See also Modes of operation on page 17 Sensor failure detection In an XC Cluster, the XC-240 detects Sensor failure on the following conditions: Link failure on the Sensor port XC-240 constantly monitors the links attached to the Sensors. If any links go down, XC-240 detects it as Sensor failure and either loops back the traffic or reallocates it to the standby Sensor, if available. When the failed Sensor comes back online, traffic allocation to it is resumed. In case of any Sensor link failure the Manager is informed and the port information on which the link fails is displayed. The heartbeat mechanism XC-240 sends heartbeat messages to the Sensor and expects a response. For each Sensor, XC-240 transmits Heartbeat packets out of each port. When a number of Heartbeat packets have gone missing, it is treated as Sensor failure. This may be due to over subscription or software failure. In case of any fault detected at the Sensor side an event is generated and displayed on the Manager. Heartbeat packets continue to be issued to the Sensor and when response is received again, the Sensor is considered up and traffic is returned to it. The XC-240 continues to monitor link failure and send heartbeats even after a failure, to detect when the Sensor comes up. See also Modes of operation on page 17 CRC forwarding The XC-240 forwards data packets with CRC errors to the Sensors. These packets are then handled as per Sensor configurations. By default, this feature is turned on; when turned off, the data packets are dropped by the XC McAfee Network Security Platform 9.1 XC Cluster Administration Guide

15 XC clustering mechanism Jumbo packet forwarding 2 Jumbo packet forwarding The XC-240 forwards jumbo packets ( packets longer than the Ethernet standard maximum length of 1,518 bytes) to the Sensors. These packets are then handled as per Sensor configurations. By default, this feature is turned on; when turned off, the jumbo packets are dropped by the XC-240. Packets with more than 15,680 bytes are passed to the monitoring ports truncated at 15,680 bytes. Packets with fewer than the 64 bytes, the minimum packet size supported under the Ethernet standards, have unpredictable handling; they may be passed, dropped, or passed with padding to no more than 64 bytes. Link fault detect The in-line fail-close and in-line fail-open port pairs on an XC-240 are configured for the Link Fault Detect (LFD) feature to ensure that faults on one side of a network link are reflected on the other side as well. With this feature, system resilience features like automatic activation of alternate paths are preserved. XC cluster management XC-240 and M-8000XC Sensors are configured and managed using a command line interface that will be familiar to most network administrators. The command line interface can be accessed locally over and RS232 serial link, or remotely using a secure SSH connection. Some of the XC-240 configurations can also be managed using the Manager. See also XC-240 command line interface commands on page 4 XC clustering in the McAfee Network Security Manager on page 4 McAfee Network Threat Behavior Analysis support The McAfee Network Threat Behavior Analysis Appliance (NTBA Appliance) provides a graphic configurable real-time view of network traffic. The NTBA appliance gathers NetFlow data from across users, applications, hosts, network devices, and stores them in an embedded database. You can see real-time data and a moving profile of applications, hosts, zones, and interface traffic. All this information is coalesced into the Attack Log of the Manager that can be drilled down for detailed information. Threat related events like host scans, port scans, worm attacks, new service / application, new host, suspicious connection, DoS, P2P, and spambots can be tracked based on user-defined policies. Real-time monitoring of network reduces the time needed to solve network related problems and helps in identifying threats. Questions like, why is our network slow, which application has the maximum download impact, are easily answered in a network that is monitored by the NTBA appliance. The NTBA appliance does effective malware monitoring by detecting unauthorized reconnaissance scanning by any infected laptops in the system that can spread worm traffic. The NTBA appliance detects unauthorized applications, rogue web servers, and peer-to-peer applications. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 15

16 2 XC clustering mechanism SNMP v3 support Each NTBA appliance is physically connected to any 1 GB port of M-8000XC Sensor to receive NetFlows. Physically connected port of M-8000XC is configured as a NetFlow source. The XC-240 ports attached to traffic are configured as monitoring ports. NetFlow is generated for the traffic traversing through these ports. For more information on NTBA, see McAfee Network Security Platform NTBA Admininstration Guide. SNMP v3 support SNMP v3 is used to manage the XC-240 device through the Manager. The SNMPv3 user credentials are configured in the XC-240 using the snmp commands. The same credentials are configured in the Manager as well. The XC-240 implements the MIB objects that can be queried from Manager. The SNMPv3 traps are used to receive asynchronous faults and events from the XC-240, on the Manager. See also Enable SNMP on page 35 Manager Disaster Recovery (MDR) The MDR architecture incorporates Manager to Manager communication, where two Manager servers are deployed as part of the Network Security Platform XC Cluster. One host is configured as the Primary system; the other as the Secondary. Each uses the same major release Manager software with mirrored databases. A Load Balancer connected to an MDR pair maintains communication with both Managers at all times. The Primary Manager synchronizes data with the Secondary Manager every 15 minutes. However, the Primary and Secondary Managers receive system events from a Load Balancer independently, and store the events also independently. Load Balancer to Manager communication Load Balancers in the XC Cluster are MDR-aware. The Load balancer has to be configured with the IPs of both the Primary and the Secondary Managers. SNMP traps are to be created with information for both the Primary and the Secondary Managers. This is achieved by configuring the Secondary Manager's IP along with the port information using the snmp trap command. Once both the manager IPs are configured, the Load Balancer can be managed by the 'Active' manager. At the same time, the Load Balancer can send events to both the Managers. In case of HA, both the Load Balancers are configured individually with both the Managers IPs and port information. (In case of using MDR) While upgrading to a newer version, the existing traps will have to be deleted and new ones created with information on both the primary and secondary managers. 16 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

17 XC clustering mechanism Modes of operation 2 Manager to Manager communication Once each minute, the Primary and Secondary Managers exchange a "heartbeat" communication. This communication includes a byte of data specific to the health of the Manager in question. Manager receiving the heartbeat concludes that its peer has failed under two scenarios: One of the Network Security Platform XC Cluster subsystems reports a failure. A heartbeat has not been received within the Downtime Before Switchover interval (configured using the Manage Pair Configuration action). For example, if the default interval is 5 minutes and the heartbeat is sent once a minute, the Secondary Manager takes control after five minutes of missed heartbeats. If the Secondary Manager becomes unavailable, the Primary remains active and logs the failure. If the Primary Manager becomes unavailable, the Secondary logs the event and becomes active. If both Managers are online but are unable to communicate with each other, the Secondary Manager queries each Load Balancer and becomes active only if more than half the Load Balancers cannot communicate with the Primary Manager. Data synchronization between the Primary and Secondary Manager occurs every 15 minutes. For more information on using and configuring MDR, see the McAfee Network Security Platform Manager Administration Guide. Modes of operation The XC Cluster supports various modes of operation. These modes can be configured manually on the XC-240 device using the lbg command, and primarily determine the XC Cluster behavior. The Network Security Platform and the M-8000XC Sensors are not affected by any change in these modes. The number of Sensors connected to the XC-240 is determined by the throughput requirement. By default, the XC Cluster is configured in the 60G N+1 mode. Port S8 is reserved for High Availability. The spare port is configurable. The following modes are supported: XC-240 High Availability This mode supports configuring a standby XC-240 through port S8. High Availability is implemented in the active/active mode and can support both 70G N and 60G N+1 modes. 60G N+1 - Configuration with Sensor redundancy This is the default mode and supports configuring a standby Sensor. One of the Sensor ports is configured as a spare port. The standby Sensor is connected to the spare port. This enables you to utilize 6 10 GB Sensor ports for active Sensors, providing a maximum throughput of 60 Gbps. 70G N - Configuration without Sensor redundancy This mode does not support a standby Sensor and enables you to utilize 7 10 GB Sensor ports for active Sensors, providing a maximum throughput of 70 Gbps. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 17

18 2 XC clustering mechanism Modes of operation XC-240 Standalone 80G N - Configuration without Sensor redundancy This mode does not support a standby Sensor and enables you to utilize 8 10 GB Sensor ports for active Sensors, providing a maximum throughput of 80 Gbps. 70G N+1 - Configuration with Sensor redundancy This mode supports configuring a standby Sensor. One of the Sensor ports is configured as a spare port. The standby Sensor is connected to the spare port. This enables you to utilize 7 10 GB Sensor ports for active Sensors, providing a maximum throughput of 70 Gbps. See also lbg on page 63 ha set on page 60 XC-240 high availability When you configure High Availability, you designate a primary and a secondary XC-240 load balancer. The XC-240 High Availability is implemented in the active/active mode. The secondary and primary XC-240 devices are connected using port S8. The M-8000XC Sensors connect to identical Sensor ports on both primary and secondary XC-240. For example, port 1A of an M-8000XC Sensor connects to port S1 on the primary XC-240; port 2A of the same M-8000XC connects to port S1 of the secondary XC-240. The network devices connect to identical monitoring ports on the primary and secondary XC-240 devices. Once the set up is complete, the primary and secondary XC-240 devices are configured identically. The devices are configured in the High Availability mode, using the ha set command. Set the High Availability mode to activeactive (by default, it is standalone) on both the devices. Set the role as secondary (by default, it is primary) on the secondary XC-240. When connected to the peer, the XC-240 participates in active/ active mode according to its role (primary or secondary). You can synchronize the configuration between the primary and secondary XC-240 devices either automatically or manually. When ha set autosync is enabled, the configuration is automatically synchronized between the primary and secondary XC 240 devices. The synchronization happens only when there is a configuration change in either of the devices, and not continuously. Use the ha config_resync command to resynchronize configuration between the primary and the secondary XC-240 devices manually. Configuration from the peer device is pulled and applied to the local device every time this command is executed by either the primary or secondary XC-240. During this operation, conflicting commands are blocked. The ha config_resync is also blocked. For more information, see the section XC-240 Command Line Interface. Use the ha show command to view the High Availability status. The XC Cluster configuration (number of Sensors ports to be configured and the mode of operation) is also done manually on both the devices using the lbg command. Both the primary and the secondary XC-240 devices are added in the XC Cluster through the Manager. In the High Availability mode, the M-8000XC Sensor receives traffic from the primary XC-240 on port 1A (considering the example given earlier in this section). When the primary XC-240 goes down, the High Availability state changes to hunting and the mode changes to standalone (view using the ha show command) and the Sensors receive the same traffic flow on port 2A from the secondary XC-240. In case of a mismatch in the configuration (lbg command) between the primary and secondary XC-240 devices, fault messages are generated in the Status page of the Manager. You are able to create a port cluster when you deploy load balancers in high availability mode. We explain creation of a port cluster for XC clusters in the section, Port clustering. 18 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC clustering mechanism Modes of operation 2 For general information about port clustering in IPS Sensors, refer to the Network Security Platform IPS Administration Guide.

19 XC clustering mechanism Modes of operation 2 For general information about port clustering in IPS Sensors, refer to the Network Security Platform IPS Administration Guide. Figure 2-2 Primary and secondary XC-240 devices in the High Availability mode Ensure that the primary and secondary XC-240 devices' software versions are the same. If not, the connection between the peer devices will not be established. If any one of the XC-240 devices detects a Sensor failure, it notifies its High Availability peer and both the devices declare the Sensor down. To change the High Availability role of the configured XC-240 device, for example, from primary to secondary and vice versa, the High Availability mode is to be changed from activeactive to standalone. Once the role is changed, the mode is to be reset to activeactive. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 19

2 XC clustering mechanism Modes of operation 60G N+1 Configuration with Sensor redundancy Figure 2-3 60G N+1 - Configuration with Sensor redundancy This is the default mode and allows you to connect

20 2 XC clustering mechanism Modes of operation 60G N+1 Configuration with Sensor redundancy Figure G N+1 - Configuration with Sensor redundancy This is the default mode and allows you to connect a maximum of 6 active Sensors and 1 standby Sensor for redundancy. One of the Sensor ports is configured as the spare port and is connected to the standby Sensor. In case of failure of any one of the active Sensors, the XC-240 diverts the traffic destined to the failed Sensor to the standby Sensor. Port S8 is reserved for connecting the standby XC-240. The Sensors connect to identical ports on both primary and secondary XC-240. When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor. The redundant Sensor is restored to the standby state. Consider the following example: Sensor ports S1-S6 are configured; S7 is configured as the static spare port. Sensor at port S2 fails, traffic for S2 is reallocated to S7. When S2 comes up again, traffic is reallocated to S2 and S7 goes back into the standby mode. If any one of the XC-240 devices detects a Sensor failure, it notifies its peer and both the devices declare the Sensor down. See also lbg on page 63 ha set on page McAfee Network Security Platform 9.1 XC Cluster Administration Guide

21 XC clustering mechanism Modes of operation 2 70G N Configuration without Sensor redundancy Figure G N - Configuration without Sensor redundancy This mode allows you to connect and configure a maximum of 7 active Sensors to the XC-240. Port S8 is reserved for connecting the standby XC-240. The Sensors connect to identical ports on both primary and secondary XC-240. The Network ports receive the traffic and distribute it to the connected Sensors. On failure of any Sensor, when configured in the in-line fail-open or in-line fail-close mode, the traffic designated to the failed Sensor is looped back. When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor. If any one of the XC-240 devices detects a Sensor failure, it notifies its peer and both the devices declare the Sensor down. Configure 70G N mode using the lbg command (example): lbg set ports=s1-s7 group=1 See also lbg on page 63 ha set on page 60 McAfee Network Security Platform 9.1 XC Cluster Administration Guide 21

2 XC clustering mechanism Modes of operation XC-240 standalone To switch to the standalone mode, make the following configuration changes: The default configuration is with High Availability support

22 2 XC clustering mechanism Modes of operation XC-240 standalone To switch to the standalone mode, make the following configuration changes: The default configuration is with High Availability support in the 60G N+1 mode; port S8 is reserved as the High Availability port. If you do not wish to operate in the High Availability mode, after installing the XC-240 Load Balancer image, use the lbg command, to configure port S8 in the lbg group. Example: lbg set ports=s1-s8 group=1. While operating in the High Availability mode, if you want to configure the standalone mode, use the ha set command to change the HA mode from activeactive to standalone. Port S8 can be configured to connect to a Sensor, using the lbg command. Ensure that you update the Manager based on your configurations. 80G N Configuration without Sensor redundancy Figure G N - Configuration without Sensor redundancy This mode allows you to connect and configure a maximum of 8 Sensors to the XC-240. The Network ports receive the traffic and distribute it to the connected Sensors. On failure of any Sensor, when configured in the in-line fail-open or in-line fail-close mode, the traffic designated to the failed Sensor is looped back. When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor. Configure 80G N mode using the lbg command (example): lbg set ports=s1-s8 group=1 See also lbg on page 63 ha set on page McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC clustering mechanism Modes of operation 2 70G N+1 Configuration with Sensor redundancy Figure 2-6 70G N+1 - Configuration with Sensor redundancy This mode allows you to connect and configure a

23 XC clustering mechanism Modes of operation 2 70G N+1 Configuration with Sensor redundancy Figure G N+1 - Configuration with Sensor redundancy This mode allows you to connect and configure a maximum of 7 active Sensors and 1 standby Sensor for redundancy. One of the Sensor ports is configured as the spare port and is connected to the standby Sensor. In case of failure of any one of the active Sensors, the XC-240 diverts the traffic destined to the failed Sensor to the standby Sensor. The Sensors connect to identical ports on both primary and secondary XC-240. When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor. The redundant Sensor is restored to the standby state. Consider the following example: Sensor ports S1-S7 are configured; S8 is configured as the static spare port. Sensor at port S2 fails, traffic for S2 is reallocated to S8. When S2 comes up again, traffic is reallocated to S2 and S8 goes back into the standby mode. If any one of the XC-240 devices detects a Sensor failure, it notifies its peer and both the devices declare the Sensor down. If one Sensor fails, the configuration behaves like a 70G N configuration. Configure 70G N+1 mode using the lbg command (example): lbg set ports=s1-s7 spares= s7 group=1 See also lbg on page 63 ha set on page 60 McAfee Network Security Platform 9.1 XC Cluster Administration Guide 23

24 2 XC clustering mechanism Modes of operation 24 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

25 3 Set 3 up the XC-240 load balancer This section describes the steps to set up the XC-240 device. Contents XC-240 key features XC-240 physical description Install XC-240 Connect power to XC-240 Install the Small Form-factor Pluggable (SFP+) modules Connect the XC-240 cables Configure the XC-240 device XC-240 key features The XC-240 includes the following features: 16 SFP+ 10 gigabit Monitoring ports (fiber) 8 SFP+ 10 gigabit Sensor ports (fiber) 1 10/100/1000 Base-T Management port Dual power supply Front-mounted connectors for quick and easy installation LED indicators show link and activity status Configurable to load balance up to 7 M-8000XC Sensors XC-240 physical description The XC-240 enables high traffic loads on 10 gigabit links to be processed by distributing the traffic to multiple M-8000XC Sensors. It supports gigabit Ethernet monitoring ports and 8 10 gigabit Ethernet Sensor ports. Front panel The front panel of the XC-240 is equipped with the following components: Figure 3-1 XC-240 Front panel McAfee Network Security Platform 9.1 XC Cluster Administration Guide 25

26 3 Set up the XC-240 load balancer Install XC-240 Item Description 1 SFP+ 10 gigabit Ethernet Monitoring ports (16) 2 SFP + 10 gigabit Sensor ports (8) 3 RS-232 Console port (1) 4 10/100/1000 Management port (1) One RJ-45 10/100/1000 Management port, which is used for communication with the Manager server. One RS-232 Console port, which is used to set up and configure the XC-240 using the Command Line Interface. Sixteen small form-factor pluggable (SFP+) 10 gigabit Monitoring ports, which enable you to monitor Network traffic. The traffic is monitored in in-line fail-open, in-line fail-close, tap or span mode. The Monitoring interfaces of the XC-240 work in stealth mode, meaning they have no IP address and are not visible on the monitored segment. Eight small form-factor pluggable (SFP+) 10 gigabit Sensor ports, which are used to connect to the M-8000XC Sensors to be load balanced by the XC-240. Link and Activity LEDs Each port has a Link LED and an Activity LED located above the port. The Link LED illuminates when the port has established a good link. The Activity LED blinks when traffic is passing through the port. Rear panel The front panel of the XC-240 is equipped with the following components: Figure 3-2 XC-240 Rear panel Item Description 1 Power supply 1 2 Power supply 2 XC-240 is powered by two redundant power supplies. Either supply alone can power the device and the power supplies are hot-swappable, so you do not experience any monitoring down time if you should need to replace a power supply. Install XC-240 The XC-240 device needs to be installed following the details given in this section. Tasks Usage restrictions on page 27 Safety measures on page 27 Unpack and inspect XC-240 on page 27 Position the XC-240 on page McAfee Network Security Platform 9.1 XC Cluster Administration Guide

27 Set up the XC-240 load balancer Install XC Usage restrictions The following restrictions apply to the use and operation of an XC-240. You may not remove the outer shell of the XC-240. Doing so will invalidate your warranty. The XC-240 appliance is not a general purpose workstation. McAfee prohibits the use of the XC-240 appliance for anything other than the Load Balancing operation. McAfee prohibits the modification or installation of any hardware or software in the XC-240 appliance that is not part of the normal operation of Load Balancing. Safety measures Please read the following warnings before you install the XC-240 appliance. Failure to observe these safety warnings could result in serious physical injury. Read the installation instructions before you connect the system to its power source. To remove all power from the XC-240, unplug all power cords, including the redundant power cord. Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Before working on equipment that is connected to power lines, remove jewelry (including rings, necklaces, and watches). Metal objects will heat up when connected to power and ground and can cause serious burns or weld the metal object to the terminals. This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal use. Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place. Blank faceplates and cover panels prevent exposure to hazardous voltages and currents inside the chassis, contain electromagnetic interference (EMI) that might disrupt other equipment, and direct the flow of cooling air through the chassis. To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting cables. This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense Unpack and inspect XC-240 Carefully unpack the XC-240 device, power supplies, and all cables that are provided. XC- 240 is delivered with the following: (1) XC-240 device (2) Power cords (2) Cables, 3 Meter, RJ45, CAT 5e 4-Pair (1) DB9-to-RJ45 adapter for use with the command line interface McAfee Network Security Platform 9.1 XC Cluster Administration Guide 27

3 Set up the XC-240 load balancer Connect power to XC-240 (2) Set of rack mounting rails (2) Set of rack mounting ears (2) Printed Slide Rail Assembly Procedure (2) Printed Quick Start Guide (1)

28 3 Set up the XC-240 load balancer Connect power to XC-240 (2) Set of rack mounting rails (2) Set of rack mounting ears (2) Printed Slide Rail Assembly Procedure (2) Printed Quick Start Guide (1) Release Notes To unpack the XC-240, perform the following steps: Task 1 Open the crate. 2 Verify you have received all parts. These parts are listed on the packing list and in Contents of the XC-240 box. 3 Place the XC-240 box as close to the installation site as possible. 4 Position the box with the text upright. 5 Open the top flaps of the box. 6 Remove the accessory box within the XC-240 box. 7 Pull out the packing material surrounding the XC Remove the XC-240 from the anti-static bag. 9 Save the box and packing materials for later use in case you need to move or ship the XC-240. Position the XC-240 XC-240 is designed for mounting in a 19-inch rack, occupying one rack unit of height. Place the XC-240 in a physically secure location, close to the switches or routers it will be monitoring. Connect power to XC-240 A basic configuration of the XC-240 includes two hot swappable supply. The XC-240 is an AC model. Each of the modules have one handle for insertion or extraction from the unit as well as a release latch. Figure 3-3 Power supply unit 28 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

Set up the XC-240 load balancer Connect power to XC-240 3 Tasks Install the power supply on page 29 Remove the power supply on page 29 Turn on the XC-240 on page 30 Turn off the XC-240 on page 30

29 Set up the XC-240 load balancer Connect power to XC Tasks Install the power supply on page 29 Remove the power supply on page 29 Turn on the XC-240 on page 30 Turn off the XC-240 on page 30 Install the power supply To install a power supply in the XC-240: Task 1 Unpack the power supply from its shipping carton. 2 Remove the faceplate panel covering the power supply slot. The faceplate panel must remain in place unless a power supply is in the power supply slot. 3 Do not operate the XC-240 without the faceplate panel in place. 4 Place the power supply in the slot with the cable outlet facing front and on the left side of the faceplate. 5 Slide in the power supply until it makes contact with the backplane, then push firmly to mate the connectors solidly with the backplane. Figure 3-4 Power supply installation For true redundant operation with the optional redundant power supply, McAfee recommends that you plug each supply into a different power circuit. For optimal protection, use uninterruptable power sources. Remove the power supply To remove a power supply from the XC-240 (Optional-the power supplies are hot-swappable): Task 1 Unplug the power cable from its power source and remove the power cable from the power supply. 2 Put on an antistatic wrist or ankle strap. Attach the strap to a bare metal surface of the chassis. 3 Push the release latch inward toward the handle. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 29

30 3 Set up the XC-240 load balancer Install the Small Form-factor Pluggable (SFP+) modules 4 Squeeze the handle of the power supply and pull it out. 5 Use faceplate panels to protect unused slots from dust and reduce electromagnetic radiation. 6 Replace the mounting bracket. To avoid data interruption, do not turn off both power supplies when working in the in-line fail-open or in-line fail-close mode, or the XC-240 shuts down and all data traffic stops. Turn off only the power supply you are replacing. To remove all power from the XC-240, unplug all power cords. Turn on the XC-240 Do not attempt to turn on the XC-240 device until you have installed it, made all necessary network connections, and connected the power cable to the power supply. Task 1 Connect one of the supplied power cable to the XC-240 power supply. 2 Install a power supply clip over it to keep the AC power cord from accidently being unplugged from the power connector. 3 Plug the other end of the cable into a power source. 4 Push the power switch to activate power. The switch illuminates to indicate that power is active. 5 Repeat Steps 1 to 4 to connect the other power supply on the rear panel. Turn off the XC-240 McAfee recommends that you use the logout, exit, or quit command line interface command to halt the XC-240 before turning it off. Push the module's power switch to deactivate power. Install the Small Form-factor Pluggable (SFP+) modules The XC-240 uses fiber-optic connectors for its ports. The connector type is a Small Form-factor Pluggable (SFP+) fiber optic connector. The SFP+ module is a protocol-independant, compact, optical receiver, which allows for greater port density than the standard GBIC. This module operates at varying speeds for up to 10 gigabit per second on SONET/ SDH, Fibre Channel, gigabit Ethernet and other applications. The SFP+ module operates in multimode. Additionally, this module transmits on a 850-nanometer wavelength. Figure 3-5 SFP+ module 30 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

Set up the XC-240 load balancer Install the Small Form-factor Pluggable (SFP+) modules 3 SFP+ transceiver modules are bundled along with the XC-240 appliance.

31 Set up the XC-240 load balancer Install the Small Form-factor Pluggable (SFP+) modules 3 SFP+ transceiver modules are bundled along with the XC-240 appliance. Install them as desired in the SFP+ slots in the appliance. For each module, remove the temporary plug from the SFP+ slot and insert the module until it clicks into place. Unused ports do not need to be populated with transceiver modules. These installation instructions provide information for installing an SFP+ module that uses a bail clasp for securing the module in place in the XC-240. For ease of installation, insert the module in the XC-240 while it is powered down. To prevent eye damage, do not stare into open laser apertures. Tasks Install an SFP+ module on page 31 Remove an SFP+ module on page 31 Install an SFP+ module To install a module with a bail clasp, follow these steps: Task 1 Remove the module from its protective packaging. 2 Locate the label on the module and ensure that the alignment groove is down. For SFP+ modules, turn the module so that its label is on top. 3 Grip the sides of the module with your thumb and fore-finger and insert module into the module socket. Modules are keyed to prevent incorrect insertion. Figure 3-6 Install an SFP+ module Remove an SFP+ module If you are removing a module, follow these steps: Task 1 Disconnect the network fiber-optic cable from the module. 2 Release the module from the slot by pulling the bail clasp out of its locked position. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 31

32 3 Set up the XC-240 load balancer Connect the XC-240 cables 3 Slide the module out of the slot. 4 Insert the module plug into the module optical bore for protection. Connect the XC-240 cables Follow the steps outlined in this chapter to connect the cables to the various ports on your XC-240 device. Tasks Connect the cable to the Console port on page 32 Connect the cable to the management port on page 32 Connect the cable to the monitoring port on page 32 Connect the cable to the Sensor ports on page 32 Connect cables for in-line fail-close mode on page 33 Connect cables for in-line fail-open mode on page 33 Connect cables for tap mode on page 33 Connect cables for SPAN or hub mode on page 34 Connect the cable to the Console port The Console port is used for setting up and configuring the XC-240. Task 1 Plug the RS232 RJ45 cable supplied in the XC-240 box into the Console port. 2 Connect the other end of the Console port cable directly to a COM port of the PC or terminal server you will be using to configure the XC-240 (for example, a PC running correctly configured Windows Hyperterminal software). RJ45 to DB9 adapter has been provided. You must connect directly to the console for initial configuration. Connect the cable to the management port The Management port is used for communication with the Manager server. Task 1 Plug a Category 5e Ethernet cable in the Management port of XC Plug the other end of the cable into a network device (switch, router, hub etc.) which in turn connects to the manager server. Connect the cable to the monitoring port Connect to the network devices you will be monitoring using the XC-240 monitoring ports. You can deploy XC-240 in the operating modes shown in the following table. Cabling instructions for the XC-240 monitoring ports are shown on the pages indicated. Connect the cable to the Sensor ports The Sensor ports are used to connect to the M-8000XC Sensors to be load balanced by the XC McAfee Network Security Platform 9.1 XC Cluster Administration Guide

33 Set up the XC-240 load balancer Connect the XC-240 cables 3 Task 1 Plug the fiber cable appropriate for use with the SFP+ module into the Sensor port of the XC Connect the other end of the fiber cable used in Step 1 to a 10 G monitoring port, for example, port 1A of the M-8000XC Sensor. Connect cables for in-line fail-close mode To connect an XC-240 device in an in-line fail-close mode, perform the following steps: Task 1 Plug the cable appropriate for use with your gigabit Ethernet into one of the ports labeled xa (for example, 1A). 2 Plug another cable into the peer of the port used in Step 1. This port will be labeled xb (for example, 1B). 3 Connect the other end of each cable to the network devices that you want to monitor. (For example, if you plan to monitor traffic between a switch and a router, connect the cable connected to 1A to the switch and the one connected to 1B to the router. Connect cables for in-line fail-open mode To connect an XC-240 device in an in-line fail-open mode using the 10 gigabit Optical Active Fail-Open Bypass Kit (kit), perform the following steps: Task 1 Plug an inside network cable connector into the Network port labeled A on the Bypass Switch. 2 Plug the other end of this cable into the corresponding network device. 3 Plug an outside network cable into the Network port labeled B on the Bypass Switch 4 Plug the other end of this cable into the corresponding network device. 5 Plug a LC fiber cable (inside) into a network port of XC Plug the other end of the cable into the monitoring port labeled 1 on the Optical Bypass Switch. 7 Plug a LC fiber cable (outside) into the corresponding peer port. (For example, if you used 1A in step 5, plug the cable into port 1B). 8 Plug the other end of the cable into the monitoring port labeled 2 on the Optical Bypass Switch. With this cable configuration, XC-240 monitoring port 1A views traffic as originating inside the network, and port 1B views traffic as originating outside the network. Note that this configuration (1A = outside, 1B = inside) must match the port configuration specified for this XC-240 in the Manager, and that the ports must be enabled. Connect cables for tap mode The XC-240 device's gigabit Ethernet ports must be used with a 3rd party external 10 GB tap. External tap mode requires a port pair (for example, 1A and 1B). McAfee Network Security Platform 9.1 XC Cluster Administration Guide 33

34 3 Set up the XC-240 load balancer Configure the XC-240 device To connect the XC-240 to the devices you want to monitor in external tap mode: Task 1 Plug the cable appropriate for use with your gigabit Ethernet port into one of the ports labeled xa (for example, 1A). 2 Plug another cable into into the peer of the port used in Step 1. This port will be labeled xb (for example, 1B). 3 Connect the other end of each cable to the tap. 4 Connect the network devices that you want to monitor to the tap. Connect cables for SPAN or hub mode When you monitor in SPAN or hub mode, you do not need to use a port pair. You can use single ports. To connect an XC-240 to a SPAN port or hub, plug an LC fiber-optic or RJ45 cable into one of the modules and connect the other end of the cable to the SPAN port or the hub. Configure the XC-240 device Log on to the XC-240 using the terminal connected to the Console port. This section describes the basic configurations to be done to get the XC-240 device up and running. When the device is configured through the command line interface, it needs to be configured in the Manager. Log on to the command line interface Each XC-240 maintains a list of accounts for users authorized to access that particular device. To logon to the command line interface, perform the following steps: Task 1 Type the user name at the logon prompt. The default user name is admin. 2 Type the password. The default password is admin123. For security, the password is not displayed as you type it. The Help command is automatically executed and the command line interface prompt is displayed. Change the logon password McAfee strongly recommends that you change the logon password from the default to provide security against unauthorized access. To change the logon password, type user mod name=admin pw=<new password> priv=2, where <new-password> is the new password. The password is changed. Assign a new IP address, netmask, and gateway IP address To assign a new IP address, netmask, and gateway IP address to XC McAfee Network Security Platform 9.1 XC Cluster Administration Guide

35 Set up the XC-240 load balancer Configure the XC-240 device 3 Task 1 Type sysip show. The current IP address, netmask, and gateway IP address are displayed. 2 To configure an IPv4 address, type sysip set ipaddr=<ip address> mask=<netmask> gw=<gateway>. The IP address, netmask, and gateway IP address are made pending, where <ip address> is the IPv4 address for XC-240, <netmask> is the netmask, and <gateway> is the IP address of the gateway. To configure an IPv6 address, type sysip inet6_set ipaddr=<ip address> prefixlen=<prefix length>, where <ip address> is the IPv6 address for XC Type sysip show. Verify that the displayed values are the desired ones. 4 Type sysip commit to activate the new IP address. Define the mode of operation The lbg command indicates the number of Sensors configured and the mode of operation. By default, the XC Cluster is configured with High Availability support in the 60G N+1 mode. Port S8 is reserved for the peer XC-240 device. Task 1 View the number of Sensor ports to be load balanced and the status of these ports. At the prompt, type: lbg show. The ports are down if they are displayed in braces, example, (s1),(s2),(s3),(s4),(s5),(s6) spares: (s7). The ports are up if they are not displayed in braces, example, s1,s2,s3,s4,s5,s6 spares: s7. 2 Configure the mode of operation for the XC-240. At the prompt, type lbg set ports. While using the lbg command, ensure that the Sensor ports being configured match with the Sensors connected to the XC-240. Enable SNMP The SNMP agent is disabled by default. To enable and configure the SNMP agent: Task 1 At the prompt, type snmp set admin=<enable>. 2 To add the Manager IP to the XC-240, at the prompt type snmp trap_add name=<snmp user configured on the NSM while adding the XC-240> authproto=<authentication protocol> authpass=<authentication password> privproto=<privacy protocol> privpass=<privacy password> access=<rw> ip=<ip of the Manager> port=<4169> admin=<enable> Example: snmp trap_add name=nsmuser type=v3 ip= port=4169 authproto=sha authpass=admin123 privproto=aes privpass=test123 admin=enable access=rw. 3 To save and load the configurations, execute the snmp commit command. 4 To view the current SNMP server configurations, at the prompt type, snmp show. 5 To view the SNMP user configurations, at the prompt type snmp user_show. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 35

36 3 Set up the XC-240 load balancer Configure the XC-240 device 36 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

4 Set 4 up the M-8000XC Sensors The M-8000XC Sensors are connected to the XC-240 Load Balancer device. Traffic is load balanced to the connected Sensors.

37 4 Set 4 up the M-8000XC Sensors The M-8000XC Sensors are connected to the XC-240 Load Balancer device. Traffic is load balanced to the connected Sensors. These Sensors cannot be used as standalone Sensors. They can used as part of the XC Cluster only. 1 Plug the cable appropriate for use with your SFP+ module into a 10G monitoring port, for example, port 1A. 2 Connect the other end of the cable to a Sensor port on the XC-240 Load Balancer. The existing M-8000XC devices need to be upgraded to M-8000XC. Contact the McAfee Technical Support Personnel. Figure 4-1 M-8000XC connected to XC-240 An M-8000XC Sensor includes the following features: GbE XFP Dual power supply Hot-swappable SFP/XFP modules 1 10/100/1000 Base-T Management port 16 SFP ports (10/100/1000 copper or 1 GbE fiber) 6 Fan units that are field-replaceable For detailed setup information of the M-8000XC Sensors, refer to the McAfee Network Security Platform M-8000XC Sensor Product Guide and McAfee Network Security Platform M-8000XC Quick Start Guide. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 37

38 4 Set up the M-8000XC Sensors Cable the NTBA appliance Cable the NTBA appliance Task 1 Plug the cable appropriate for use with the SFP+ module into one of the 1 GB port of the M-8000XC Sensor. 2 Connect the other end of the cable used in Step 1 to a monitoring port of the NTBA appliance. For detailed information on setting up the NTBA appliance, see the McAfee Network Security Platform NTBA Appliance T-500 Quick Start Guide. 38 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

39 5 5 XC clustering in the McAfee Network Security Manager This section discusses the configuration instructions for managing XC Clusters using the Manager. Contents Create XC clusters Manage XC clusters Create XC clusters The Manager provides the ability to add an XC Cluster, that includes 1 XC-240 Load Balancer device and a maximum of 8 M-8000XC Sensors. These are the member devices of an XC Cluster. All M-8000XC Sensors added to the XC Cluster need to have the first 3 digits of Sensor software version identical. After the XC Cluster is created, majority of the Sensor features can be configured at the XC Cluster level. For more information, see the McAfee Network Security Platform Installation Guide. Tasks Add XC-240 load balancers on page 39 Add M-8000XC Sensors on page 40 Add XC Clusters on page 41 Add XC-240 load balancers When an XC-240 Load Balancer device is added to the Manager, the device configurations are read and displayed by the Manager. Subsequently, whenever specific configuration changes are done on the physical device, faults are sent to the Manager. These faults are displayed in the Status page. Based on these fault details, appropriate configuration changes need to be done in the Manager. You need to ensure that configurations on the XC-240 device and Manager are identical. This is a manual procedure. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 39

5 XC clustering in the McAfee Network Security Manager Create XC clusters To add an XC-240 to Manager, do the following: Task 1 Select Devices <Admin Domain> Global Add and Remove Devices.

40 5 XC clustering in the McAfee Network Security Manager Create XC clusters To add an XC-240 to Manager, do the following: Task 1 Select Devices <Admin Domain> Global Add and Remove Devices. 2 Click New. The Add New Device page is displayed. Figure 5-1 Add a new XC-240 Load Balancer 3 Type the Device Name. The Name must begin with a letter. The length of the Name is not configurable. 4 Select the Device Type as Load Balancer. 5 Enter the XC-240 IP address. 6 Enter the following SNMP v3 user credentials to interact with the XC-240 device: SNMPv3 User Authentication Password Privacy Password The characters that can be used while creating passwords are as follows: 3-64 alpha-numeric characters: upper and lower case (a,b,c,...z and A, B, C,...Z) and 10 digits: symbols: ~ # $ % ^ & * ( ) _ + - = [ ] { } \ ; : " ',. < >? / The SNMP v3 credentials should be the same as those configured in the command line. 7 Add the Contact Information and Location. Two XC-240 devices cannot be added with the same name. Add M-8000XC Sensors A maximum of 8 M-8000XC Sensors can be added to the XC Cluster. 40 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC clustering in the McAfee Network Security Manager Create XC clusters 5 To add a Sensor to Manager, do the following: Task 1 Select Devices Admin Domain Global Add and Remove Devices. 2 Click New.

41 XC clustering in the McAfee Network Security Manager Create XC clusters 5 To add a Sensor to Manager, do the following: Task 1 Select Devices Admin Domain Global Add and Remove Devices. 2 Click New. The Add New Device page is displayed. Figure 5-2 Add a new M-8000XC Sensor 3 Type the Device Name. The name must begin with a letter. The length of the name is not configurable. 4 Select the Device Type as IPS Sensor. 5 Enter the Shared Secret (repeat at Confirm Shared Secret). The shared secret must be a minimum of 8 characters in length: the length of the shared secret is not configurable. The shared secret cannot start with an exclamation mark nor have any spaces. The characters that can be used while creating a shared secret are as follows: 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z) 10 digits: symbols: ~ # $ % ^ & * ( ) _ + - = [ ] { } \ ; : " ',. < >? / The exact, case-sensitive Device Name and Shared Secret must also be entered on the device command line interface during physical installation and initialization. If not, the device will not be able to register itself with the Manager. 6 Select the Updating Mode as Online or Offline. Online is the default mode. Devices with Online update mode will have the signature set/software directly pushed to the devices. Devices for which you want the signature set/software to be manually pushed can be done by selecting the update mode as Offline. 7 Type the Contact Information and Location. 8 Click Save to begin the Manager-device handshake process. Add XC Clusters To add an XC Cluster, you need to include an existing XC-240 and existing M-8000XC Sensors. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 41

42 5 XC clustering in the McAfee Network Security Manager Manage XC clusters To add an XC Cluster to Manager, do the following: Task 1 Select Devices <Admin Domain> Global XC Clusters. 2 Click New. The Add New XC Cluster page is displayed. 3 Enter the Cluster Name. 4 Select the Load Balancer Logic. For the High Availability mode, select Double Load Balancer Solution, else select Single Load Balancer Solution. 5 Select the XC-240 Primary Load Balancer and Secondary Load Balancer (only if you select the Double Load Balancer Solution in step 4.) to be included in the XC Cluster. 6 Select the Template Device (software version). The template device is the device whose existing configuration should be used as a starting point for the new XC Cluster's initial configuration. The template device's configuration will be copied to all other member devices, replacing their existing configuration. 7 Select the Additional Member Devices. Additional member devices can be dynamically added and removed from an XC Cluster. 8 Click Save. Sensors and XC-240 devices added in one XC Cluster cannot be added in another XC Cluster. Manage XC clusters The XC Cluster can be managed through a series of tasks. Tasks Edit an XC Cluster on page 43 Delete an XC Cluster on page 44 View details of an XC cluster on page 45 Configure XC-240 Monitoring and Sensor ports on page 46 Configure M-8000XC Sensors on page 49 Port clustering on page 50 Reports on page 51 Performance statistics and alert data on page 51 Update XC cluster configuration on page 51 Manage NTBA devices on page McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC clustering in the McAfee Network Security Manager Manage XC clusters 5 Edit an XC Cluster To edit an XC Cluster, do the following: Task 1 Select Devices <Admin Domain> Global XC Clusters.

43 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 Edit an XC Cluster To edit an XC Cluster, do the following: Task 1 Select Devices <Admin Domain> Global XC Clusters. The list of XC Clusters is displayed. Select the one to be edited. Figure 5-3 Edit an XC Cluster 2 Click Edit. You can only edit the field Additional Member XCs. When edited, click Save. The Load Balancer Logic cannot be modified. You need to create a new XC Cluster, if there is a change of mode from High Availability to standalone or vice versa. To edit the member devices of the XC Custer, that is XC-240 and M-8000XCs, do the following: a Select Devices <Admin Domain> Global Add and Remove Devices. b c d e Select the device. Click Edit. Make the required changes. Click Save to save the changes; click Cancel to abort. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 43

Devices. The list of XC Cluster is displayed. Select the one to be deleted. 2 Click Delete. The XC Cluster can be deleted if there are no member devices in it.

44 5 XC clustering in the McAfee Network Security Manager Manage XC clusters You can edit all the parameters except Device Type. Figure 5-4 Edit an XC-240 Load Balancer Figure 5-5 Edit an M-8000XC Sensor Delete an XC Cluster To delete the XC Cluster, do the following: Task 1 Select Devices <Admin Domain> Global Add and Remove Devices. The list of XC Cluster is displayed. Select the one to be deleted. 2 Click Delete. The XC Cluster can be deleted if there are no member devices in it. To delete member devices, do the following: a Select Devices <Admin Domain> Global Add and Remove Devices. b c Select the device. Click Delete. Do not delete the device from the Manager if you plan to generate reports with data specific to the device. If the device is in the middle of active communication with the database, deleting the device may not be successful (the device still appears in the Resource Tree). If you experience this problem, check your device to make sure communication to the Manager is quiet, then re-attempt the delete action. While removing and adding the Sensor into an XC cluster, refresh the Manager page. 44 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC Cluster, Select Devices <Admin Domain> Devices <Device Name>

Figure 5-6 XC Cluster summary Figure 5-7 XC-240 summary Figure

45 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 View details of an XC cluster To view details of the XC Cluster, Select Devices <Admin Domain> Devices <Device Name> Summary. The Summary page is displayed. Figure 5-6 XC Cluster summary Figure 5-7 XC-240 summary Figure 5-8 M-8000XC summary McAfee Network Security Platform 9.1 XC Cluster Administration Guide 45

5 XC clustering in the McAfee Network Security Manager Manage XC clusters Configure XC-240 Monitoring and Sensor ports The Physical Ports action enables you to view/edit the parameters of the

46 5 XC clustering in the McAfee Network Security Manager Manage XC clusters Configure XC-240 Monitoring and Sensor ports The Physical Ports action enables you to view/edit the parameters of the monitoring and Sensor ports on the XC-240. Monitoring port configuration allows you to change deployment modes, or indicate whether you are using McAfee certified modules, enable/disable ports, and choose the path for device responses. The port settings are pushed to the XC-240 device using Deploy Pending Changes. Figure 5-9 Configure XC-240 ports Tasks Configure monitoring ports on page 46 Change a monitoring port from single port to a port pair mode on page 48 Change a monitoring interface from external tap to in-line (and vice versa) on page 48 Configure Sensor ports on page 49 Configure monitoring ports Configuration of monitoring ports enables you to set the operating mode of your ports, change port speeds, and/or choose the corresponding response port for device action. 46 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC clustering in the McAfee Network Security Manager Manage XC clusters 5 To view or configure settings for the 10 Gbps monitoring ports, do the following: Task 1 Select Devices <Admin Domain>

47 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 To view or configure settings for the 10 Gbps monitoring ports, do the following: Task 1 Select Devices <Admin Domain> Devices <Device_Name> Physical Ports. 2 Double-click a numbered 10 Gbps port (which includes 1A through 8B) from 10 Gbps Monitoring Ports. A side panel window displays current port settings. Figure 5-10 Configure monitoring ports 3 Select the State as either Enable (on) or Disable (off). Accordingly the Link status in the main window displays Up (on) or Down (off). If your Link displays as Down and your State is Enabled, there may be a problem. Check the Link for more information. 4 Select a Mode from the following: Your device cabling must match the selected mode for correct system functionality. Improper deployment may result in system faults, including missed attacks and system failure. In-line Fail-Open Active In-line Fail-Closed In-line Fail-open and In-line Fail-closed are determined by the port cabling method. Fail-open operation for GE ports requires use of the optional Bypass Switch provided in the gigabit Optical Fail-Open Bypass Kit (sold separately). You should not select the In-line Fail-Open option if the optional external Bypass Switch is not present. Tap Ports can be configured in the Tap mode. This requires an external tap to be connected to the monitoring ports. SPAN or Hub If a port is functioning as part of a port pair, the peer port is listed. For example, if port 1A is configured for Tap mode, port 1B is listed as the Peer Port. All ports are wirematched internally with a single peer, for example 1A-1B make up a port pair. However, 1A-2B cannot be a port pair. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 47

48 5 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 Select the area of your network where the current port is connected: Inside Network (internal) or Outside Network (external) your network. This step applies to Tap or In-line modes only. 6 Click Save to save changes. A confirmation page is displayed. 7 Download the changes to your device by updating the configuration of your device. Change a monitoring port from single port to a port pair mode You must disable both ports required for port pair operation when changing the operating mode from SPAN or Hub Mode to a port pair (Tap or In-line) mode, device monitoring ports are configured by default to operate in SPAN or Hub mode. Changing from one port pair mode to another port pair mode does not require disabling of ports. To change your monitoring from single port to port pair, do the following: Task 1 Select Devices <Admin Domain> Devices <Device_Name> Physical Ports. 2 Select a port from the virtual device, for example, 1A. A window on the right displays current port settings. 3 Click Save. 4 Select the peer port, for example, 1B. 5 Select Tap (Port Pair) or an In-line (Port Pair) mode as the Mode. The peer port, 1A, is noted in the dialog. 6 In the State field, click Enable. 7 Configure your port settings. 8 Click Save. 9 Select port 1A to verify the State reads Enabled and the Mode matches your new setting. 10 Click Save. 11 Download the changes to your device by updating the configuration of the device. Change a monitoring interface from external tap to in-line (and vice versa) If you decide to change your monitoring configuration from External Tap mode to In-line mode, or you want to change from In-line Mode back to External Tap mode, perform the following steps: Task 1 Disconnect the segments from the external tap and connect the segments appropriately to your device port pair. If going from an In-line mode to External Tap mode, disconnect the segments from the device and connect the segments appropriately to the external tap and device ports. 2 Select Devices <Admin Domain> Devices <Device_Name> Physical Ports using Manager s Configuration page. 3 Select a port from the virtual device, for example, 1A. A window on the right displays current port settings. 48 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC clustering in the McAfee Network Security Manager Manage XC clusters 5 4 Select an In-line (Port Pair) mode as the Mode. Select Tap as the Mode if going from In-line to External Tap mode.

49 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 4 Select an In-line (Port Pair) mode as the Mode. Select Tap as the Mode if going from In-line to External Tap mode. 5 Configure port settings. 6 Click Save to close the window. 7 Download the changes to your device by updating the configuration of the device. Configure Sensor ports To configure your Sensor ports, perform the following steps: Task 1 Select Devices <Admin Domain> Devices <Device_Name> Physical Ports. 2 Double-click a numbered 10 Gbps port (which includes S1 through S8) from 10 Gbps Monitoring Ports. A side panel window displays current Sensor port settings. Figure 5-11 Configure Sensor Ports 3 Select the State as either Enable (On) or Disable (Off). For example, you need to Disable the port if you connect a new wire, then Enable it after re-connection. Depending on the State selected, the Link status in the main window displays Up (on) or Down (off). Link: Up (On) or Down (Off). If your port is enabled and State displays as Down, there is a problem. 4 Select the mode as Sensor Uplink. The Response Mode is not applicable. 5 Click Save to save your port changes. Configure M-8000XC Sensors To configure the M-8000XC Sensors to monitor traffic, see the McAfee Network Security Platform Installation Guide and the McAfee Network Security Platform IPS Administration Guide. The configuration update of a Sensor can be done only when used in an XC Cluster. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 49

5 XC clustering in the McAfee Network Security Manager Manage XC clusters Port clustering The interfaces of XC Cluster can be grouped into a Port Cluster.

You cluster ports when you want the traffic across multiple interfaces to be analyzed as if it were a single interface. Asymmetric networks are common in load balancing.

50 5 XC clustering in the McAfee Network Security Manager Manage XC clusters Port clustering The interfaces of XC Cluster can be grouped into a Port Cluster. The Port Cluster (Interface Groups) action enables multiple device ports to be grouped together for the effective monitoring of asymmetric environments. You cluster ports when you want the traffic across multiple interfaces to be analyzed as if it were a single interface. Asymmetric networks are common in load balancing. When configured, an interface group appears in the configuration page s Resource Tree as a single interface node (icon) under the Sensor where the ports are located. All of the ports that make up the interface are configured as one logical entity, keeping the configuration consistent. To configure a port cluster, select Devices <Admin Domain> Devices > <XC Cluster> Setup > Advanced > Port Clusters > and then click New. Figure 5-12 Add a port cluster The Template Member Port is the one whose configuration is retained and applied to the Port group, the existing configuration of all the member ports is discarded. Tasks Port Clustering in High Availability mode on page 50 Port Clustering in High Availability mode When you deploy XC Cluster load balancers in high availability, monitoring ports for both load balancers are consolidated in the Manager and displayed as one set. Any configuration applies to both XC Cluster load balancers. Figure 5-13 Port cluster for a high availability deployment 50 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

XC clustering in the McAfee Network Security Manager Manage XC clusters 5 For example, consider load balancers 1 and 2 deployed in high availability.

51 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 For example, consider load balancers 1 and 2 deployed in high availability. Each of these load balancers has an individual set of monitoring ports, 1A thru 8B. In the Manager however, you will only see one set of ports, 1A thru 8B. You can select one of the port pairs (say 1A-1B) and create a port cluster for any of the ports depending on your network topology and requirement. In our illustration, we will only add 2A-2B and 3A-3B. Reports You can generate a range of reports for both the alert information reported to your Manager, as well as information pertaining to your XC Cluster configuration settings. Next Generation reports give you the alerting information pertaining to the XC Cluster and Traditional reports give you detailed configuration information on the XC Cluster. For more information see the document McAfee Network Security Platform Manager Administration Guide. Performance statistics and alert data The performance statistics of the XC Cluster is available in the Traffic Statistics page. The alert data is available in the Attack Log. Update XC cluster configuration Updating the configuration sends configuration changes, attack/signature updates, policy changes, and SSL key updates to the XC Cluster. Configuration updates refer to changes to device and interface/sub-interface configurations, such as port configuration, non-standard ports, interface traffic types, and configuration changes to the Sensor Appliance. Signature updates have new and/or modified signatures that can apply to the attacks enforced in a chosen policy. Policy changes update the device in case of a newly applied policy, or changes made to the current enforced policy. When configured in the High Availability mode the configurations of the primary XC-240 are also pushed to the secondary XC-240. To update the configuration of a specific device, do the following: Task 1 Click Devices <Admin Domain > Devices <Device Name> Deploy Pending Changes. Figure 5-14 Configuration update 2 View the update information. If changes have been made, the Configuration and Signature Set column is checked by default. 3 Check the SSL Key Update column in case SSL Key Update is required. 4 Check the Callback Detectors if callback detectors updates have to be updated to the Sensor. McAfee Network Security Platform 9.1 XC Cluster Administration Guide 51

5 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 You will be able to check the GAM Updates only in the case of NS series Sensors or NTBA appliances. 6 Click Update.

52 5 XC clustering in the McAfee Network Security Manager Manage XC clusters 5 You will be able to check the GAM Updates only in the case of NS series Sensors or NTBA appliances. 6 Click Update. A pop-up window displays configuration download status. The configuration update and faults information is displayed in the Manager Status page. Automatic signature set download and push to XC cluster is supported. However, the first signature set push after the cluster is formed/updated is to be done manually. Manage NTBA devices The NTBA devices are managed through a series of tasks using the Manager. Tasks Add NTBA devices on page 52 Configure NTBA devices on page 53 Add NTBA devices To add an NTBA device to Manager, do the following: Task 1 Select Devices <Admin Domain> Global Add and Remove Devices. 2 Click New. The Add New Device page is displayed. Figure 5-15 Add a new NTBA appliance 3 Type the Device Name. The name must begin with a letter. The length of the name is not configurable. 4 Select the Device Type as NTBA Appliance. 5 Enter the Shared Secret (repeat at Confirm Shared Secret). 52 McAfee Network Security Platform 9.1 XC Cluster Administration Guide

McAfee Network Security Platform

Revision F McAfee Network Security Platform (NS3x00 Sensor Product Guide) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,