McAfee Firewall Enterprise epolicy Orchestrator Extension

Transcription

1 Integration Guide Revision A McAfee Firewall Enterprise epolicy Orchestrator Extension

2 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

3 Contents Preface 5 About this guide Audience Conventions Find product documentation Introduction 7 About McAfee Firewall Enterprise epolicy Orchestrator Extension Managed products Firewall Enterprise overview Control Center overview Firewall Profiler overview How the Firewall Enterprise epolicy Orchestrator Extension works Firewall Enterprise epolicy Orchestrator Extension setup 9 Setup overview Download and install the Firewall Enterprise epolicy Orchestrator Extension Download the Firewall Enterprise epolicy Orchestrator Extension Install the Firewall Enterprise epolicy Orchestrator Extension Needed permission sets and users Create a permission set for Firewall Enterprise or Control Center access to epolicy Orchestrator.. 11 Create a user account for access to epolicy Orchestrator Create a permission set that allows users to view firewall data Create a user that can view firewall data Firewall Enterprise setup 17 Configure Firewall Enterprise appliances for epolicy Orchestrator reporting Configure managed firewalls for epolicy Orchestrator reporting Troubleshooting Firewall Enterprise to epolicy Orchestrator communication Control Center setup 21 Setup overview Configure Control Center for epolicy Orchestrator Register Control Center Control Center Management Servers, High Availability (HA), and the epolicy Orchestrator platform Add a Control Center Management Server Delete a Control Center Management Server from the epolicy Orchestrator server Firewall Profiler setup 25 Setup overview Create a user account on Firewall Profiler Register Firewall Profiler Add a Firewall Profiler server to the epolicy Orchestrator server Delete a Firewall Profiler server from the epolicy Orchestrator server McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 3

4 Contents Configure Firewall Profiler to retrieve host information from epolicy Orchestrator Firewall data 29 Configure Network Integrity Agent settings Edit server settings Generate the integrated hosts report View the gateway status report View Firewall Enterprise and Control Center data in the epolicy Orchestrator console View internal host activity View firewall resources View firewall statuses View Firewall Profiler events View all firewalls managed by a Control Center Management Server View all firewalls monitored by a Firewall Profiler server Change how epolicy Orchestrator displays firewall data Change Firewall Profiler event sources and destinations Change data refresh settings and host retention View epolicy Orchestrator Host Data reports from the Control Center Client application View epolicy Orchestrator Host Data reports from Firewall Profiler Queries 41 Firewall Enterprise epolicy Orchestrator Extension queries Firewall Enterprise Report queries Generate a Firewall Profiler Report query Firewall Profiler Report queries Generate a Firewall Enterprise Report query Control Center queries Generate a Control Center query Issues and tickets 47 Create Firewall Profiler issues Create a change event issue Create a risk event issue Use Profiler Firewall tickets Create an event ticket Associate a ticket with an issue Automatic responses 49 Firewall Profiler event responses Create an automatic response for Firewall Profiler events Describe the rule Set filters for the rule Set thresholds for the rule Configure the actions for the rule Review and save the rule Index 53 4 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

5 Preface Contents About this guide Find product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Users People who use the computer where the software is running and can access some or all of its features. Conventions This guide uses these typographical conventions and icons. Book title, term, emphasis Bold User input, code, message Interface text Hypertext blue Title of a book, chapter, or topic; a new term; emphasis. Text that is strongly emphasized. Commands and other text that the user types; a code sample; a displayed message. Words from the product interface like options, menus, buttons, and dialog boxes. A link to a topic or to an external website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 5

6 Preface Find product documentation Find product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: To access... User documentation Do this... 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document. KnowledgeBase Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. 6 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

7 1 Introduction 1 Contents About McAfee Firewall Enterprise epolicy Orchestrator Extension Managed products How the Firewall Enterprise epolicy Orchestrator Extension works About McAfee Firewall Enterprise epolicy Orchestrator Extension McAfee Firewall Enterprise epolicy Orchestrator Extension (hereinafter Firewall Enterprise epolicy Orchestrator Extension) version provides communication between McAfee epolicy Orchestrator (hereinafter epolicy Orchestrator) and McAfee Firewall Enterprise (hereinafter Firewall Enterprise), McAfee Firewall Enterprise Control Center (hereinafter Control Center), or McAfee Firewall Profiler (hereinafter Firewall Profiler). In epolicy Orchestrator, you can view top level data about multiple firewalls, or you can drill down to view data about an individual firewall, the Control Center that manages it, or the Firewall Profiler that monitors it. You can also view resource and statistical dashboards across multiple firewalls. These dashboards are presented in a graphical format, which allows you to click within the graph to display more specific information. Control Center or Firewall Profiler can display information retrieved from the epolicy Orchestrator server about hosts that are referenced in a policy, or hosts that are passing traffic through Firewall Enterprise appliances. Managed products The Firewall Enterprise epolicy Orchestrator Extension supports Firewall Enterprise, Control Center, and Firewall Profiler. To find the latest information on the McAfee firewall products and versions that Firewall Enterprise epolicy Orchestrator Extension supports, refer to KnowledgeBase article KB Firewall Enterprise overview Firewall Enterprise appliances are designed to protect organization information technology infrastructure by keeping out unauthorized users, code, and applications, both internally and externally. epolicy Orchestrator and Firewall Enterprise appliances share information about protected hosts and firewall versions. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 7

8 1 Introduction How the Firewall Enterprise epolicy Orchestrator Extension works Control Center overview Control Center is an enterprise class management tool for creating and applying security policies across multiple firewalls. Use Control Center to remotely manage, maintain, and monitor firewalls for one or more domains. epolicy Orchestrator and Control Center share data about hosts, firewalls, and the Control Center Management Server. Control Center displays information about hosts, whereas epolicy Orchestrator displays health and status information about firewalls and the Control Center Management Server. See the McAfee Firewall Enterprise Control Center Product Guide for more information. Firewall Profiler overview Firewall Profiler is a network appliance that takes feeds from Firewall Enterprise appliances and instantly analyzes this information to provide true visibility into the impact of firewall rules on the network. Firewall Profiler complements Control Center for management and dramatically reduces troubleshooting efforts related to firewalls. epolicy Orchestrator and Firewall Profiler share data about hosts, firewalls, and the Profiler server. See the McAfee Firewall Profiler Product Guide for more information. How the Firewall Enterprise epolicy Orchestrator Extension works Use epolicy Orchestrator to poll and monitor firewall data from one or more Firewall Enterprise appliances, Firewall Profiler servers, or Control Center Management Servers. View host data from epolicy Orchestrator from the Control Center Client application or the Firewall Profiler web interface. Firewall Enterprise appliances at version or later can be configured to send information directly to the epolicy Orchestrator server. Information on registered firewalls can be viewed on epolicy Orchestrator dashboards. On the Control Center, an epolicy Orchestrator user is created and communication parameters are specified so that the Control Center Management Server can communicate information to the epolicy Orchestrator server. After each Control Center Management Server is registered in epolicy Orchestrator, administrators can view data about managed firewalls. epolicy Orchestrator communication parameters are specified on the Firewall Profiler server, allowing the two servers to pass information back and forth. After a Firewall Profiler server is registered in epolicy Orchestrator, administrators can view data about Firewall Profiler events occurring on monitored firewalls. 8 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

9 2 Firewall 2 Enterprise epolicy Orchestrator Extension setup Contents Setup overview Download and install the Firewall Enterprise epolicy Orchestrator Extension Needed permission sets and users Create a permission set for Firewall Enterprise or Control Center access to epolicy Orchestrator Create a user account for access to epolicy Orchestrator Create a permission set that allows users to view firewall data Create a user that can view firewall data Setup overview To complete the configuration of epolicy Orchestrator so that you can view firewall data from within epolicy Orchestrator, you must perform the following tasks: 1 Download and install the Firewall Enterprise epolicy Orchestrator Extension. 2 Configure permission sets and users to allow Firewall Enterprise appliances, Control Center Management Servers, or Firewall Profiler servers to communicate with epolicy Orchestrator. 3 Configure a permission set that allows access to Firewall Enterprise Extension functionality, and assign this permission set to one or more epolicy Orchestrator users. Download and install the Firewall Enterprise epolicy Orchestrator Extension Use the tasks in this section to download and install the Firewall Enterprise epolicy Orchestrator Extension onto your epolicy Orchestrator server. Download the Firewall Enterprise epolicy Orchestrator Extension Before you begin Know your grant number. Use this task to download the Firewall Enterprise epolicy Orchestrator Extension to the epolicy Orchestrator server. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 9

10 2 Firewall Enterprise epolicy Orchestrator Extension setup Needed permission sets and users 1 In a web browser, navigate to 2 Provide your grant number, then navigate to the appropriate product and version. 3 Download the McAfee Firewall Enterprise epolicy Orchestrator Extension (.zip) file. Install the Firewall Enterprise epolicy Orchestrator Extension Before you begin Make sure the epolicy Orchestrator server that you intend to use to monitor your firewalls is at version 4.6 or later. You must uninstall Firewall Enterprise epolicy Orchestrator Extension version before upgrading epolicy Orchestrator from version 4.5 to version 4.6. Make sure you have downloaded the Firewall Enterprise epolicy Orchestrator Extension from the McAfee downloads website and have saved it to a location that is accessible by the epolicy Orchestrator server. Use this task to install the Firewall Enterprise epolicy Orchestrator Extension from your download location onto your epolicy Orchestrator server. 1 Log on to epolicy Orchestrator. 2 In the epolicy Orchestrator console, select Menu Software Extensions. 3 At the bottom of the Extensions pane on the left side of the Extensions page, click Install Extension. The Install Extension window appears. 4 Browse to the Firewall Enterprise epolicy Orchestrator Extension.zip file you downloaded from the McAfee downloads page. 5 Click Open to select the file, then click OK to proceed with the selection. 6 Click OK to install the extension. Needed permission sets and users Firewall Enterprise appliances, Control Center Management Servers, and Firewall Profiler servers require user credentials to authenticate with epolicy Orchestrator. 10 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

11 Firewall Enterprise epolicy Orchestrator Extension setup Create a permission set for Firewall Enterprise or Control Center access to epolicy Orchestrator 2 For Firewall Enterprise and Control Center, creating user credentials is a two part process: 1 Create a permission set that allows data transmission. 2 Create a new user with that permission set. For Firewall Profiler, no special permission set is required. In addition to the appliance or server user credentials, you must create a permission set that allows epolicy Orchestrator users to view firewall data and assign this permission set to one or more users. See also Create a permission set for Firewall Enterprise or Control Center access to epolicy Orchestrator on page 11 Create a user account for access to epolicy Orchestrator on page 12 Create a permission set that allows users to view firewall data on page 12 Create a user that can view firewall data on page 14 Create a permission set for Firewall Enterprise or Control Center access to epolicy Orchestrator Before you begin Make sure that you have downloaded and installed the Firewall Enterprise epolicy Orchestrator Extension on your epolicy Orchestrator server. You must be an epolicy Orchestrator global administrator to perform this task. Use this procedure to create a permission set for these user accounts. 1 In the epolicy Orchestrator console, select Menu User Management Permission Sets 2 At the bottom of the Permission Sets page, click New. The New Permission Set page appears. 3 Enter a name for the permission set, then click Save. 4 Make sure that this permission set name is selected in the left pane of the Permission Sets page. 5 Scroll down to the McAfee Firewall Enterprise setting and click Edit. The Edit Permission Set page appears. 6 Enable communication. For Control Center Management Server user accounts, select Provide host information to a remote Firewall Enterprise Control Center. For Firewall Enterprise appliance user accounts, select Permit data exchange with Firewall Enterprise systems. 7 Click Save. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 11

12 2 Firewall Enterprise epolicy Orchestrator Extension setup Create a user account for access to epolicy Orchestrator Create a user account for access to epolicy Orchestrator Before you begin Make sure that you have downloaded and installed the Firewall Enterprise epolicy Orchestrator Extension on your epolicy Orchestrator server. You must be an epolicy Orchestrator global administrator to perform this task. Create a user account to enable communication with epolicy Orchestrator. 1 In the epolicy Orchestrator console, select Menu User management Users. 2 Do one of the following: To edit an existing user, select the user name on the left and click Edit at the bottom of the Users page. The Edit User user_name page appears. Skip to Step 4. To add a new user, in the lower left corner of the Users page, click New User. The New User page appears. Go to the next step. 3 Type a unique name for this user in the User name field. 4 Select the checkbox for the permission set you created in the Permission sets field. 5 Specify values in the other fields as needed. 6 Click Save. If you added a new user, this user is added to the list of users on the Users page. If you edited an existing user, your changes are saved and you are returned to the Users page. Create a permission set that allows users to view firewall data Before you begin Make sure that you have downloaded and installed the Firewall Enterprise epolicy Orchestrator Extension on your epolicy Orchestrator server. You must be an epolicy Orchestrator global administrator to perform this task. You can edit existing permission sets or add new sets to provide access to the information provided by the Firewall Enterprise epolicy Orchestrator Extension. McAfee recommends creating at least one general permission set for use by any user that needs to view Firewall Enterprise epolicy Orchestrator Extension data. The following permissions can be added to existing permission sets to provide Firewall Enterprise epolicy Orchestrator Extension functionality to epolicy Orchestrator users: Audit log View and purge audit log files. Dashboards Use public dashboards, and edit and create personal dashboards. Extensions Install and remove extensions. McAfee Firewall Enterprise View and manage firewalls. 12 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

13 Firewall Enterprise epolicy Orchestrator Extension setup Create a permission set that allows users to view firewall data 2 Queries Use and edit public queries, and edit and create personal queries. Registered servers Use, create, and edit registered servers. 1 In the epolicy Orchestrator console, select Menu User Management Permission Sets. 2 Do one of the following: To edit an existing permission set, select the permission set in the list on the left. Skip to Step 6. To create a new permission set, in the lower left corner of the Permission Sets page, click New Permission Set. The New Permission Set page appears. Go to the next step. 3 Specify a name for the permission set and select the users the set is assigned to. 4 Click Save. 5 In the Permission Sets page, select the new permission set from the Permission Sets list. The details for the selected permission set are displayed on the right. 6 To view all of the information that the Firewall Enterprise epolicy Orchestrator Extension provides about the Firewall Enterprise appliances, Control Center Management Servers, and Firewall Profiler servers, configure the following settings. For most settings, higher levels of access are optional. a For each setting that is listed, scroll to the setting and click Edit. The Edit Permission Set page for that setting appears. b When you have finished editing the setting, click Save. You can also add these settings to an existing permission set to provide access to the Firewall Enterprise epolicy Orchestrator Extension information. Audit log No permissions is the default setting. To change the setting, select one of the following options: View audit log View and purge audit log Dashboards No permissions is the default setting. To change the setting, select one of the following options: To work with the Firewall Enterprise epolicy Orchestrator Extension, you must select at least the Use public dashboards setting, although higher settings are also allowed. Use public dashboards Use public dashboards; create and edit personal dashboards Use public dashboards; create and edit personal dashboards; make personal dashboards public Extensions Select the Install and remove extensions checkbox to install and remove extensions. This checkbox is deselected by default. You must have this setting selected in order to install and remove extensions. However, this setting is optional for viewing Firewall Enterprise epolicy Orchestrator Extension data in the epolicy Orchestrator console. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 13

14 2 Firewall Enterprise epolicy Orchestrator Extension setup Create a user that can view firewall data McAfee Firewall Enterprise No permissions is the default setting. To change the setting, select one of the following options: To work with the Firewall Enterprise epolicy Orchestrator Extension, you must select at least the View McAfee Firewall Enterprise Control Center managed firewalls or the Permit data exchange with Firewall Enterprise systems setting, although higher settings are also allowed. View McAfee Firewall Enterprise Control Center managed firewalls Manage and view McAfee Firewall Enterprise Control Center servers and firewalls Provide host information to a remote Firewall Enterprise Control Center McAfee recommends selecting this checkbox only for the unique permission set that is assigned to Control Center Management Server user accounts. You should not select this checkbox for other permission sets. Permit data exchange with Firewall Enterprise systems Select this checkbox for the unique permission set that is assigned to Firewall Enterprise appliance user accounts. Do not select this checkbox for other permission sets. Queries No permissions is the default setting. To change the setting, select one of the following options: To work with the Firewall Enterprise epolicy Orchestrator Extension, you must select at least the Use public queries setting, although higher settings are also allowed. Use public queries Use public queries; create and edit personal queries Use public queries; create and edit personal queries; make personal queries public Registered servers No permissions is the default setting. To change the setting, select one of the following options: Use registered servers Create and edit registered servers 7 Add or edit any additional permission settings as needed. Create a user that can view firewall data Before you begin Make sure that you have downloaded and installed the Firewall Enterprise epolicy Orchestrator Extension on your epolicy Orchestrator server. Also, you must be an epolicy Orchestrator global administrator to perform this task. You can edit existing users or create new users so that you can provide them with access to the Firewall Enterprise epolicy Orchestrator Extension data. This is accomplished by associating the user with one or more permission sets that provide this access. You can specify the permission set or sets in the User page or you can specify the User field of the Permission Settings page. This section describes the way to assign the permission set to the user. 14 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

15 Firewall Enterprise epolicy Orchestrator Extension setup Create a user that can view firewall data 2 1 In the epolicy Orchestrator console, select Menu User management Users. 2 Do one of the following: To edit an existing user, select the user name on the left and click Edit at the bottom of the Users page. The Edit User user_name page appears. Skip to Step 4. To add a new user, in the lower left corner of the Users page, click New User. The New User page appears. Go to the next step. 3 Type a unique name for this user in the User name field. 4 Select the checkbox for the permission set that allows users to view firewall data, and for any other permission set you want to assign to the user in the Permission sets field. 5 Specify values in the other fields as needed. 6 Click Save. If you added a new user, this user is added to the list of users on the Users page. If you edited an existing user, your changes are saved and you are returned to the Users page. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 15

16 2 Firewall Enterprise epolicy Orchestrator Extension setup Create a user that can view firewall data 16 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

17 3 Firewall 3 Enterprise setup Contents Configure Firewall Enterprise appliances for epolicy Orchestrator reporting Configure managed firewalls for epolicy Orchestrator reporting Troubleshooting Firewall Enterprise to epolicy Orchestrator communication Configure Firewall Enterprise appliances for epolicy Orchestrator reporting Configure data transmission from Firewall Enterprise to epolicy Orchestrator. The firewall must be at version or later. 1 Set up epolicy Orchestrator using the getting started instructions in the McAfee epolicy Orchestrator Product Guide. 2 Install Firewall Enterprise epo Extension on the epolicy Orchestrator server using the instructions in the McAfee Firewall Enterprise epo Extension Integration Guide. 3 Set up Firewall Enterprise to transmit data to epolicy Orchestrator. a From the Firewall Enterprise Admin Console, selectmonitor epolicy Orchestrator. The epolicy Orchestrator window appears. b Complete the following fields to configure the contact information for connections to the epolicy Orchestrator server: IP Address Type the IP address of the epolicy Orchestrator server. To find the IP address associated with a host name, use the DNS Lookup window. Do not use an IPv6 address. Port Type the epolicy Orchestrator Client to server authenticated communication port that epolicy Orchestrator is listening on for connections. Standard deployments of epolicy Orchestrator use port User name Type the user name of an epolicy Orchestrator user configured on the epolicy Orchestrator server. Password Type the password of the epolicy Orchestrator user specified in the User name field. Confirm password Type the password again. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 17

18 3 Firewall Enterprise setup Configure managed firewalls for epolicy Orchestrator reporting c d Click Save. Configure the Certificate Authority (CA) to use for validating the certificate that the epolicy Orchestrator server presents during a connection. Self signed certificate If epolicy Orchestrator uses a self signed certificate, click Retrieve epo root cert to retrieve the root certificate from the epolicy Orchestrator server. Then, select epo Server Certificate Authority from the Cert authority drop down list. CA certificate If epolicy Orchestrator uses a certificate that has been signed by a CA, select the CA from the Cert authority drop down list. e f g Click Save. Select the Enable communication with epo checkbox. Click Save. Configure managed firewalls for epolicy Orchestrator reporting Use the Control Center Client application to set up a managed firewall to pass information to epolicy Orchestrator. 1 Create an epolicy Orchestrator settings object. a From the Control Center Client application, click Policy. The Policy icon page appears. b c d e f g h On the Firewall Settings tab, right click epolicy Orchestrator, then select Add Object. The epolicy Orchestrator window appears. Enter a name and description for the epolicy Orchestrator settings object. Select Enabled. Enter the IP address of the epolicy Orchestrator server. Enter the user name and password used to communicate with the epolicy Orchestrator server. Click Retrieve epo root certificate. The epo root certificate is added to and selected in the CA certificate list. Click OK. The new epolicy Orchestrator settings object appears on the Firewall Settings tab under the epolicy Orchestrator node. 2 Apply the epolicy Orchestrator settings object to a managed firewall. a In the Policy area, double click the firewall. The Firewall window appears. b c d e f Click Offbox. The Offbox area appears. In the epolicy Orchestrator section, from the Configuration drop down list, select the epolicy Orchestrator settings object you created in step 1. Click OK. The Firewall window closes. Click Apply. The Apply Configuration window appears. Select the firewall, then click OK. The epolicy Orchestrator settings are applied to the firewall. 18 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

19 Firewall Enterprise setup Troubleshooting Firewall Enterprise to epolicy Orchestrator communication 3 The firewall sends information to the epolicy Orchestrator server. Firewall details can be viewed on the epolicy Orchestrator dashboards. Troubleshooting Firewall Enterprise to epolicy Orchestrator communication Perform the following troubleshooting steps if communication is failing from Firewall Enterprise to epolicy Orchestrator: 1 Ensure you have installed Firewall Enterprise epo Extension on the epolicy Orchestrator server. 2 Ensure the user configured on the epolicy Orchestrator server has been assigned a permission set with the Permit data exchange with Firewall Enterprise systems option selected. 3 Verify connectivity from the firewall to the epolicy Orchestrator server using ping. You can perform a ping in the Firewall Enterprise Admin Console in the Tools Ping host area. 4 Make sure the user name the Firewall Enterprise appliance uses to communicate with the epolicy Orchestrator server is accurate. From the Firewall Enterprise command line, enter the following command. cf epo q The command returns the user name the firewall uses for epo communication, and the IP address and port of the epolicy Orchestrator server. For example: epo set cert_authority=eporootcert_192_168_254_200_8444 enabled=on \ user=authorizeduser address= password='*****' port=8444 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 19

20 3 Firewall Enterprise setup Troubleshooting Firewall Enterprise to epolicy Orchestrator communication 20 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

21 4 Control 4 Center setup Contents Setup overview Configure Control Center for epolicy Orchestrator Register Control Center Setup overview Configuring Control Center for epolicy Orchestrator communication is a three step process. For each Control Center that will communicate with epolicy Orchestrator, you must perform the following tasks: 1 In the Control Center Client application, configure the Control Center for epolicy Orchestrator. 2 In epolicy Orchestrator, create a user account for the Control Center. 3 In epolicy Orchestrator, register the Control Center. Configure Control Center for epolicy Orchestrator Before you begin Make sure that the Control Center Management Servers that epolicy Orchestrator will communicate with are at version or later. You must be a Control Center administrator to perform this task. If you do not have these privileges, contact your Control Center administrator and have him or her perform this task. Use the epolicy Orchestrator Settings window to configure the Control Center Management Server to communicate with the epolicy Orchestrator server. You can create only one user with the epolicy Orchestrator role. You cannot register a Control Center Management Server with epolicy Orchestrator until you have configured communication on the Control Center. epolicy Orchestrator requires a Control Center user with privileges to obtain and display health and status information from the Control Center about firewalls and the Control Center Management Server. When you create the epolicy Orchestrator user, the user is automatically assigned the epolicy Orchestrator role, which is available only to one epolicy Orchestrator user. Additionally, the epolicy Orchestrator user is allowed to access only the epolicy Orchestrator configuration domain, in which McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 21

22 4 Control Center setup Configure Control Center for epolicy Orchestrator read only access to all firewall objects is allowed, but in which all other object access is denied. By default, this user has access to all of the firewalls. However, you can restrict this access on the Firewall Access List tab of the Control Center Administrator window. This information is also documented in the McAfee Firewall Enterprise Control Center Product Guide and in the Control Center Help. For option definitions, press F1 in the Control Center Client application. 1 Log on to the Control Center Client application. 2 In the Client application navigation bar, select Control Center. 3 In the Control Center tree, expand the Settings node. 4 Double click epolicy Orchestrator. The epolicy Orchestrator Settings window appears. Make sure that the epo Reports tab is selected. 5 Complete the fields on the epo Reports tab. Allow Control Center to retrieve reports from the epo server Select this checkbox. This checkbox determines whether the Control Center will be able to retrieve reports from the epolicy Orchestrator server. This checkbox is deselected by default. epo Server Information Use the fields in this area to configure the settings that are required to access the epolicy Orchestrator server. All of the fields in this area are required if the Allow Control Center to retrieve reports from the epo server checkbox is selected. Hostname Type the IP address or host name of the epolicy Orchestrator server you want the Control Center to communicate with. Port Specify the port that will be used to communicate with the epolicy Orchestrator server. The default value is port Username Type the user name that is required to access the epolicy Orchestrator server. Password Type the password for the epolicy Orchestrator user name. Confirm password Type the password again to confirm it. 6 Click the Control Center User tab. 7 Click Create User. The Control Center User Manager window appears. 8 Create a new user with the epolicy Orchestrator role. a Select the Account Enabled checkbox to enable the epolicy Orchestrator user. b Type a user name and password for the epolicy Orchestrator user. Make note of this user name and password, because you will need to specify both values when you register this Control Center Management Server with the epolicy Orchestrator server. c d On the Roles tab, select the epolicy Orchestrator checkbox. Click OK. The epolicy Orchestrator user appears on the Control Center User tab. 22 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

23 Control Center setup Register Control Center 4 Register Control Center The Control Center Management Server provides information on managed appliances to epolicy Orchestrator. Add, edit, and delete Control Center Management Servers on the Registered Servers page. Control Center Management Servers, High Availability (HA), and the epolicy Orchestrator platform If you have the High Availability (HA) feature configured on one or more pairs of Control Center Management Servers, you should register only the primary Management Server of each pair of HA servers with the epolicy Orchestrator server on the Registered Servers page. If the primary Control Center Management Server fails, the epolicy Orchestrator server will not automatically switch over to the backup (secondary) Management Server. You can monitor the connection failures by viewing the audit log (User Management Audit Log). When you verify the failure in the audit log, you must manually edit the registered server information in the Registered Servers page by changing the IP address of the registered Control Center Management Server from the primary IP address to the IP address of the backup Management Server. You must also request a new client certificate from the backup Management Server. Add a Control Center Management Server You must configure the Control Center Management Servers on the Registered Servers page before you can view information about the Firewall Enterprise appliances or the Control Center Management Server. Although there is information about the Registered Servers pages in the epolicy Orchestrator console Help, there are specific fields that are unique to the Control Center Management Server. The following task describes these fields when you are adding a new Control Center Management Server to the epolicy Orchestrator server. 1 In the epolicy Orchestrator console, select Menu Configuration Registered Servers. The Registered Servers page appears. 2 In the lower left corner, click New Server. The Registered Server Builder page appears. 3 In the Server type field, select McAfee Firewall Enterprise Control Center. 4 Specify a unique name and add any notes. Click Next. The Details page appears. 5 Specify the IP address or the name of the Control Center Management Server. 6 In the Control Center user name field, type the user name you set on the Control Center User tab of the epolicy Orchestrator Settings window on the Control Center. 7 In the Control Center password fields, type the password you set on the Control Center. 8 In the Server web service port field, enter the port the Control Center Management Server uses for web traffic. The default is port McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 23

24 4 Control Center setup Register Control Center 9 For the Certificate field, you can create a new, server signed, client certificate. a Make sure that the Control Center Management Server is running and that the Control Center user has been configured on it (in the epolicy Orchestrator Settings window). b c Click Create New Certificate. The certificate from the Control Center Management Server appears. Confirm that the certificate identifies the registered Control Center Management Server. 10 Click Save. Delete a Control Center Management Server from the epolicy Orchestrator server Use this task to remove a Control Center Management Server from epolicy Orchestrator management. If you ever need to re register this Control Center Management Server, you must re acquire the client certificate. To do this, edit the server and click Create New Certificate on the Details page. 1 In the epolicy Orchestrator console, select Menu Configuration Registered Servers. 2 In the Firewall Management group bar, select the Control Center Management Server to be deleted. 3 Click Actions, then click Delete. 4 Accept the change in the confirmation message that appears. 24 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

25 5 Firewall 5 Profiler setup Contents Setup overview Create a user account on Firewall Profiler Register Firewall Profiler Configure Firewall Profiler to retrieve host information from epolicy Orchestrator Setup overview Configuring Firewall Profiler for epolicy Orchestrator communication is a two step process. For each Firewall Profiler that will communicate with epolicy Orchestrator, you must perform the following tasks: 1 In Firewall Profiler, create a user account that has Operator permissions. 2 In epolicy Orchestrator, register the Firewall Profiler. Create a user account on Firewall Profiler Before you begin Make sure the Firewall Profiler server that epolicy Orchestrator will communicate with is at version 2.0 or later. You must create a user account with the Operator user role. epolicy Orchestrator uses the credentials for this account to authenticate with Firewall Profiler. For option definitions, click the Help link in the Firewall Profiler web interface. 1 In Firewall Profiler, select Configuration Users Add User. 2 In the User name field, type a user name. 3 In the Password and Confirm Password fields, type a password for the user. 4 Select the Operator or the Operator and Administrator user roles. 5 Click Save. The new user appears in the Users List. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 25

26 5 Firewall Profiler setup Register Firewall Profiler Register Firewall Profiler The Firewall Profiler server provides the mechanism by which epolicy Orchestrator communicates with Firewall Enterprise appliances. Add, edit, and delete Firewall Profiler servers on the Registered Servers page. Add a Firewall Profiler server to the epolicy Orchestrator server You must configure Firewall Profiler servers on the Registered Servers page before you can view information about the Firewall Enterprise appliances they monitor. Although there is information about the Registered Servers pages in the epolicy Orchestrator console Help, there are specific fields that are unique to Firewall Profiler. The following task describes these fields when you are adding a new Firewall Profiler to the epolicy Orchestrator server. 1 In the epolicy Orchestrator console, select Menu Configuration Registered Servers. The Registered Servers page appears. 2 In the lower left corner, click New Server. The Registered Server Builder page appears. 3 In the Server type field, select McAfee Firewall Enterprise Profiler. 4 Specify a unique name and add any notes. 5 Click Next. The Details page appears. 6 Specify the IP address or the name of the Profiler server. 7 In the Firewall Profiler user name field, type the name of the user you created (the one with the Operator role). 8 In the Firewall Profiler password fields, type the password for this user. 9 In the HTTPS service port field, type the port the Firewall Profiler server uses to send and receive encrypted traffic. The default is port For the Certificate field, you can create a new, server signed, client certificate. a Make sure that the Profiler server is running. b c Click Create New Certificate. The certificate from the Profiler server appears. Confirm that the certificate identifies the registered Profiler server. 11 Click Save. The new server is added to the Registered Servers page. Delete a Firewall Profiler server from the epolicy Orchestrator server Use this task to remove a Firewall Profiler server from epolicy Orchestrator server management. If you ever need to re register this Firewall Profiler server, you must re acquire the client certificate. To do this, edit the server and click Create New Certificate on the Details page. 26 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

27 Firewall Profiler setup Configure Firewall Profiler to retrieve host information from epolicy Orchestrator 5 1 In the epolicy Orchestrator console, select Menu Configuration Registered Servers. 2 In the Firewall Management group bar, select the Firewall Profiler server to be deleted. 3 Click Actions, then click Delete. 4 Accept the change in the confirmation message that appears. Configure Firewall Profiler to retrieve host information from epolicy Orchestrator Before you begin You must have created a permission set and a user account for Firewall Profiler access to the epolicy Orchestrator server. The Firewall Profiler can retrieve data from the epolicy Orchestrator. The Firewall Profiler can display information it has retrieved from the epolicy Orchestrator server about hosts that are referenced in a policy or hosts that are passing traffic through firewalls. This information is also documented in the McAfee Profiler Product Guide and in the Firewall Profiler Help. For option definitions, click Help in the Firewall Profiler web interface. 1 Click Configuration epo. 2 Complete the fields on the epo tab. epo Server IP Address Type the IP address of the epolicy Orchestrator server with which this Firewall Profiler communicates. User Name Type the user name with the appropriate rights to access the epolicy Orchestrator server. Password Type the password for the epolicy Orchestrator user. Port Type the port used to communicate with the epolicy Orchestrator server. 3 Click Save. Host information is displayed on the Event Analysis Summary page. See also Create a user account for access to epolicy Orchestrator on page 12 View epolicy Orchestrator Host Data reports from Firewall Profiler on page 38 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 27

28 5 Firewall Profiler setup Configure Firewall Profiler to retrieve host information from epolicy Orchestrator 28 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

29 6 Firewall 6 data Contents Configure Network Integrity Agent settings Generate the integrated hosts report View the gateway status report View Firewall Enterprise and Control Center data in the epolicy Orchestrator console Change how epolicy Orchestrator displays firewall data View epolicy Orchestrator Host Data reports from the Control Center Client application View epolicy Orchestrator Host Data reports from Firewall Profiler Configure Network Integrity Agent settings You can modify and configure routes, parameters, and policies for the Network Integrity Agent. 1 In the epolicy Orchestrator console, click Policy Catalog. 2 From the Product drop down list, select Network Integrity Agent The Category automatically displays NIA Settings. The Network Integrity Agent default policies are displayed, for example, McAfee Default, My Default. 3 Click My Default. The My Default page is displayed. 4 In the General Settings tab, enter the shared key to decrypt the redirect messages. This key must be same between the firewall and endpoint. 5 In the Routes area, configure the routes on which the Network Integrity Agent sends information to the firewall. 6 In the Advanced Settings tab, we recommend you to keep the default values. However, you can modify these values. 7 Click Save. s Edit server settings on page 30 You can modify the server settings on the Edit Network Integrity Settings page for the Network Integrity Agent. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 29

30 6 Firewall data Generate the integrated hosts report Edit server settings You can modify the server settings on the Edit Network Integrity Settings page for the Network Integrity Agent. 1 In the epolicy Orchestrator console, click Server Settings. 2 From the Setting Categories list, select Network Integrity Settings. The Network Integrity Settings page is displayed. 3 Click Edit and configure the server settings on this page. 4 Click Save. Generate the integrated hosts report You can view the epolicy Orchestrator managed endpoints that have Network Integrity Agent installed and active. 1 In the epolicy Orchestrator console, click Queries & Reports. 2 From the Queries list, select Network Integrity: Integrated Hosts.. 3 Click Edit to modify any settings for the report and save. 4 From the Queries list, select Network Integrity: Integrated Hosts.. 5 Click Run. The Network Integrity: Integrated Hosts report page is displayed. You can export this data in various formats. View the gateway status report The Network Integrity Agent provides epolicy Orchestrator with gateway status for the Gateway status reports. 1 In the epolicy Orchestrator console, click Menu Network. 2 From the list, select Gateway status reports. The Gateway Status Report page is displayed. You can export this data in various formats. View Firewall Enterprise and Control Center data in the epolicy Orchestrator console After communication has been established between firewalls, Firewall Profiler, Control Center, and the epolicy Orchestrator server, and you have configured your users and permission sets, you can view firewall data in the epolicy Orchestrator console. 30 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

31 Firewall data View Firewall Enterprise and Control Center data in the epolicy Orchestrator console 6 The Firewall Enterprise epolicy Orchestrator Extension provides several dashboards for quickly viewing firewall data: Firewall internal host mappings Firewall Resources Firewall Stats Profiler Events See the McAfee epolicy Orchestrator Product Guide for more information on working with dashboards. Detailed information on managed and monitored firewalls can be accessed on the Enterprise Firewalls and Profiler Firewalls pages. View internal host activity Before you begin You must have a registered Firewall Enterprise appliance communicating with epolicy Orchestrator. Use the Firewall internal host mappings dashboard to view information on protected hosts and firewall versions. The Firewall internal host mappings dashboard displays the following chart based queries. FWADDR: Firewall Internal Host Grouping query FWADDR: New Host Information query FWADDR: Firewall Hit Count Grouping query FWADDR: Firewall Top 10 Internal Hosts query Do not edit or remove firewall queries. 1 In the epolicy Orchestrator console, click Dashboards. 2 From the Dashboards drop down list, select Firewall internal host mapping. The Firewall internal host mapping dashboard appears. From the Firewall internal host mapping dashboard, you can do the following. Expand a report View information about a specific firewall Steps Click the drop down menu arrow in the upper left corner of the report, then select Full Screen. Click a firewall on the report. Information on the specified firewall is displayed. View firewall resources Before you begin You must have a registered Control Center Management Server communicating with the epolicy Orchestrator. Use the Firewall Resources dashboard to quickly view information on the performance of managed firewalls, including memory use, proxy and VPN sessions, and data flow. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 31

32 6 Firewall data View Firewall Enterprise and Control Center data in the epolicy Orchestrator console The Firewall Resources dashboard displays the following chart based queries. FWCC: Firewall Physical Memory Usage FWCC: Firewall Virtual Memory Usage FWCC: Firewall CPU Usage FWCC: Firewall Disk Usage FWCC: Firewall Filter Sessions FWCC: Firewall Proxy Sessions FWCC: Firewall Active VPN Sessions FWCC: Firewall Idle VPN Sessions FWCC: Firewall Inbound Data (Bytes) FWCC: Firewall Inbound Data Rate (Bytes/Sec) FWCC: Firewall Outbound Data (Bytes) FWCC: Firewall Outbound Data Rate (Bytes/Sec) You can edit the settings for the queries that produce these charts from the Queries page. 1 In the epolicy Orchestrator console, click Dashboards. 2 From the Dashboards drop down list, select Firewall Resources. The Firewall Resources dashboard appears. From the Firewall Resources dashboard, you can do the following. Expand a report View information about a specific firewall View details about a specific time period Steps Click the drop down menu arrow in the upper left corner of the report, then select Full Screen. Select the firewall from the Firewall drop down list on any report. All the queries on the dashboard display information about the selected firewall. 1 Click the desired data point on a report. Information for the selected time period is displayed in a table. 2 Click a row in the table to view the McAfee Firewall Activity Details page for the firewall. View firewall statuses Before you begin You must have a registered Control Center Management Server communicating with the epolicy Orchestrator. Use the Firewall Stats dashboard to quickly view status information about registered Control Center Management Servers and managed firewalls. The Firewall Stats dashboard displays the following chart based queries. FWCC: Firewall Enterprise Control Center Run Statuses FWCC: Firewall Versions FWCC: Firewall Run Statuses FWCC: Alert Summary You can edit the settings for the queries that produce these charts from the Queries page. 1 In the epolicy Orchestrator console, click Dashboards. 2 Click the Firewall Stats tab. The Firewall Stats dashboard appears. 32 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

33 Firewall data View Firewall Enterprise and Control Center data in the epolicy Orchestrator console 6 From the Firewall Stats dashboard, you can do the following. Expand a report View details about Control Center Management Servers with a specific run status View details about managed firewalls with a specific run status Steps Click the drop down menu arrow in the upper left corner of the report, then select Full Screen. Click a run status in the FWCC: Firewall Enterprise Control Center Run Statuses report. The McAfee Firewall Enterprise Control Centers Details page appears. Use the Previous and Next arrows to view details about other Control Centers with the same status. 1 Click a run status in the FWCC: Firewall Run Statuses report. The FWCC: Firewall Run Statuses page appears. 2 Click a firewall entry. The McAfee Firewalls Details page appears. Use the Previous and Next arrows to view details about other firewalls with the same status. View details about managed firewalls running a specific software version View alert information about a specific firewall View details about alerts of a specific priority Click a software version in the FWCC: Firewall Versions report. The McAfee Firewalls Details page appears. Use the Previous and Next arrows to view details about other firewalls with the same software version. Select the firewall from the Firewall drop down list. All the queries on the dashboard display information about the selected firewall. Click an alert priority in the FWCC: Alert Summary report. The McAfee Firewall Alert Summary Details page appears. Use the Previous and Next arrows to view details about other alerts with the same priority. View Firewall Profiler events Before you begin You must have a registered Firewall Profiler server communicating with the epolicy Orchestrator. Use the Profiler Events dashboard to quickly view status information on monitored firewalls. The Profiler Events dashboard displays the following chart based queries by default. Trend to Deny: Combined Trend to Allow: Combined Volume Increased: Combined Increased Risk: Dest Reporter Decreased Risk: Dest Reporter High Risk: Dest Reporter The results of other queries can be viewed by creating new Firewall Profiler dashboards. See the McAfee epolicy Orchestrator Product Guide for more information on creating dashboards. The following queries are available (the value in angle brackets [<>] is set on the Profiler Preferences page). Trend to deny: Source <> Trend to deny: Destination <> Trend to deny: Combined Trend to allow: Source <> Trend to allow: Destination <> Trend to allow: Combined Increased Risk: Source <> Increased Risk: Destination <> Increased Risk: Combined Decreased Risk: Source <> Decreased Risk: Destination <> Decreased Risk: Combined McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 33

34 6 Firewall data View Firewall Enterprise and Control Center data in the epolicy Orchestrator console High Risk: Source <> High Risk: Destination <> High Risk: Combined Medium Risk: Source <> Medium Risk: Destination <> Medium Risk: Combined Low Risk: Source <> Low Risk: Destination <> Low Risk: Combined No Traffic: Source <> No Traffic: Destination <> No Traffic: Combined Volume Increased: Source <> Volume Increased: Destination <> Volume Increased: Combined Volume Decreased: Source <> Volume Decreased: Destination <> Volume Decreased: Combined This task can be performed from custom Firewall Profiler dashboards as well. 1 In the epolicy Orchestrator console, click Dashboards. 2 Click the Profiler Events tab. The Profiler Events dashboard appears. From a Profiler dashboard, you can do the following. Expand a report View event information about a specific firewall View details about an event Steps Click the drop down menu in the upper left corner of the report, then select Full screen. Select the firewall from the Firewall drop down list on any report. All the queries on the dashboard display information about the selected firewall. 1 Click the desired event on a report. The corresponding Change Events or Risk Events page appears. 2 Click a row to see the Change Event Details or Risk Event Details page for the event. View all firewalls managed by a Control Center Management Server Use the Enterprise Firewalls page to view details about all the firewalls under Control Center Management. In the epolicy Orchestrator console, select Menu Network Firewalls. The Enterprise Firewalls page appears. From the Enterprise Firewalls page, you can do the following. Refresh firewall data View additional details about a specific firewall Steps Select Actions Update. Click a row in the table. The McAfee Firewalls Details page appears for the selected firewall. Use the left and right arrows at the bottom of the page to view details about other managed firewalls. 34 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

35 Firewall data View Firewall Enterprise and Control Center data in the epolicy Orchestrator console 6 View blackholed IP addresses for selected firewalls View the cluster status of selected firewalls View the interfaces for selected firewalls View the routing tables for selected firewalls View signature versions for selected firewalls View the system load of selected firewalls Steps 1 Select the checkboxes of the firewalls you want to see blackholed IP addresses for. 2 Select Actions Blackholed IPs. The firewall Blackholed IPs page appears, displaying the IP address, zone, and expire time for each IP address blackholed by one of the selected firewalls. Click Close to return to the Enterprise Firewalls page. 1 Select the checkboxes of the firewalls you want to see the interfaces of. 2 Select Actions Interfaces. The firewall Interfaces page appears, displaying the name, IP address, zone, active network interface card (NIC), active speed, and status of the interfaces of the selected firewalls. Click Close to return to the Enterprise Firewalls page. 1 Select the checkboxes of the firewalls you want to see routing tables for. 2 Select Actions Routing Table. The firewall Routing Table page appears, displaying the destination, gateway, flags, zone, network interfaces, and expire information for routes on the selected firewalls. Click Close to return to the Enterprise Firewalls page. 1 Select the checkboxes of the firewalls you want to see signature versions for. 2 Select Actions Blackholed IPs. The firewall Blackholed IPs page appears, displaying the IP address, zone, and expire time for each IP address blackholed by one of the selected firewalls. Click Close to return to the Enterprise Firewalls page. 1 Select the checkboxes of the firewalls you want to see blackholed IP addresses for. 2 Select Actions Signature Versions. The firewall Signature Versions page appears, displaying the name and version of the signatures of the selected firewalls. Click Close to return to the Enterprise Firewalls page. 1 Select the checkboxes of the firewalls you want to see the system load of. 2 Select Actions System Load. The firewall System Load page appears, displaying the name and value for different load averages for the selected firewalls. Click Close to return to the Enterprise Firewalls page. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 35

36 6 Firewall data Change how epolicy Orchestrator displays firewall data Export the Enterprise Firewalls table Steps 1 Select Actions Export Table. The Export window appears, providing configuration options for exporting the file. 2 Complete the fields. 3 Click Export. View the VPN tunnels of selected firewalls 1 Select the checkboxes of the firewalls you want to see the VPN tunnels of. 2 Select Actions VPN Tunnels. The firewall VPN Tunnels page appears, displaying the names and statuses for the VPN tunnels used by the firewalls. 3 Click Close to return to the Enterprise Firewalls page. View all firewalls monitored by a Firewall Profiler server Use the Profiler Firewalls page to view details about the firewalls monitored by a Firewall Profiler server. In the epolicy Orchestrator console, select Menu Network Profiler Firewalls. The Profiler Firewalls page appears. From the Profiler Firewalls page, you can do the following. View additional details about a specific firewall Steps Click a row in the table. The Profiler Firewalls Details page appears for the selected firewall. Use the Previous and Next arrows to view details about other monitored firewalls. Export the Enterprise Firewalls table 1 Select Actions Export Table. The Export window appears, providing configuration options for exporting the file. 2 Complete the fields. 3 Click Export. Change how epolicy Orchestrator displays firewall data You can configure how often firewall data is retrieved, how long the activity records are kept, and the source and destination of Firewall Profiler event data. Change Firewall Profiler event sources and destinations Before you begin You must have a registered Firewall Profiler server communicating with the epolicy Orchestrator. Use the Profiler Preferences page to configure source and destination settings for Firewall Profiler event data. 36 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

37 Firewall data Change how epolicy Orchestrator displays firewall data 6 Source options include: Source Reporter Source Geography User Group Destination options include: Destination Reporter Application Destination Geography 1 In the epolicy Orchestrator console, select Menu Configuration Profiler Preferences. 2 From the Combine drop down list, select a Firewall Profiler event source. 3 From the With drop down list, select a Firewall Profiler event destination. 4 Click Update. A confirmation message appears. All Firewall Profiler queries use the selected parameters to group and display event data. Change data refresh settings and host retention Use the Edit Mcafee Firewall Enterprise page of the Server Settings window to configure how often Firewall Enterprise data displayed in epolicy Orchestrator is refreshed and how long host records are retained. 1 In the epolicy Orchestrator console, select Menu Configuration Server Settings. 2 From the Setting Categories list, select McAfee Firewall Enterprise. The Refresh interval and Activity record retention settings are displayed. 3 Click Edit. The Edit McAfee Firewall Enterprise page appears. 4 In the Refresh interval field, type the number of minutes to wait before refreshing health and status data. 5 In the Activity record retention field, type the number of hours to retain information in the firewall activity table. 6 In the Internal host records retention field, type the number of days to keep host records. 7 Click Save. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 37

38 6 Firewall data View epolicy Orchestrator Host Data reports from the Control Center Client application View epolicy Orchestrator Host Data reports from the Control Center Client application Before you begin The Firewall Enterprise epolicy Orchestrator Extension must be installed on the epolicy Orchestrator server. You must configure settings for the epolicy Orchestrator server in the epolicy Orchestrator Settings window. This is to allow the Control Center to communicate with the epolicy Orchestrator server. You must have selected the Allow Control Center to retrieve reports from the epo server checkbox on the epolicy Orchestrator Settings window. After you have configured the report communication on both the Control Center and the epolicy Orchestrator server, you can view information about hosts in an epolicy Orchestrator Host Data report that is available for a host in Control Center. This host data is maintained on the epolicy Orchestrator server. To display data about a particular host, the host object must be managed by the epolicy Orchestrator server. For option definitions, press F1 in the Control Center Client application. 1 Log on to the Control Center Client application. 2 From the navigation bar, select Policy. 3 In the lower left corner of the window, click the Rule Objects tab. 4 Expand the Network Objects node. 5 Click the Policy group bar and then expand the Network Objects branch in the tree. The subnodes are displayed. 6 Expand the Hosts subnode. All of the defined host objects are displayed. 7 Right click the object for which you want to view epolicy Orchestrator server data and select Show epo Data. The epo Host Data page appears. View epolicy Orchestrator Host Data reports from Firewall Profiler Before you begin To view this information, the following prerequisites must be met: 1 The Firewall Enterprise epolicy Orchestrator Extension must be installed on the epolicy Orchestrator server. 2 You must configure settings for the epolicy Orchestrator server on the epo tab. Firewall Profiler can display information it has retrieved from the epolicy Orchestrator server about hosts that are referenced in a policy or hosts that are passing traffic through a Firewall Enterprise appliance. Host profile information for IP addresses is available on the Event Analysis details page. See the McAfee Firewall Profiler Product Guide for more information on viewing host profile information. 38 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

39 Firewall data View epolicy Orchestrator Host Data reports from Firewall Profiler 6 For option definitions, click Help in the Firewall Profiler web interface. 1 Log on to the Firewall Profiler. 2 From the Live Data view selector, click the Event Analysis Summary selector. The Event Analysis Summary page appears. 3 Click the Details icon. The Event Analysis Details page appears. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 39

40 6 Firewall data View epolicy Orchestrator Host Data reports from Firewall Profiler 40 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

41 7 Queries 7 Contents Firewall Enterprise epolicy Orchestrator Extension queries Firewall Enterprise Report queries Generate a Firewall Profiler Report query Firewall Profiler Report queries Generate a Firewall Enterprise Report query Control Center queries Generate a Control Center query Firewall Enterprise epolicy Orchestrator Extension queries Several queries are provided as part of the Firewall Enterprise epolicy Orchestrator Extension. The results of Firewall Enterprise specific queries can be viewed on the appropriate dashboards, or by running the queries on the Queries page. Each query that polls information from Firewall Enterprise appliances begins with the prefix FWADDR. Each query that polls information from a Control Center begins with the prefix FWCC. Queries that poll information from a Firewall Profiler begin with FWPro or Profiler Report. See the McAfee epolicy Orchestrator Product Guide for more information about working with queries. Firewall Enterprise Report queries The following Firewall Enterprise queries are provided with the Firewall Enterprise epolicy Orchestrator Extension. Table 7-1 Firewall Enterprise Report queries Query FWADDR: Firewall Details query FWADDR: Firewall Hit Count Grouping query Description Displays firewall information. Displays firewalls by hit count. FWADDR: Firewall Top 10 Internal Hosts query Displays the internal hosts with the most traffic through the firewall. FWADDR: Firewall Version Grouping query FWADDR: New Host Information query Displays firewalls by software version. Displays new host information. Use the drop down lists at the top of the report to run Firewall Enterprise Report queries for specific firewalls or for different time periods. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 41

42 7 Queries Generate a Firewall Profiler Report query Generate a Firewall Profiler Report query Use the Queries page to run a Firewall Profiler Report query. 1 In the epolicy Orchestrator console, click Queries & Reports. The Queries page appears. 2 Scroll down to the desired query, and click Run. The results of the query appear. For Firewall Profiler Report queries, you can perform the following actions. Generate a report for a specific firewall Change the time interval used in the report Export report data Steps Select the firewall from the Generate a report of drop down list. The results of the query are updated to reflect your selection. Select a different time interval from the displaying data in interval of drop down list. The results of the query are updated to reflect your selection. 1 Select Options Export Data. The Export window appears, providing configuration options for exporting the file. 2 Complete the fields. 3 Click Export. Firewall Profiler Report queries The following Firewall Profiler Report queries are provided with the Firewall Enterprise epolicy Orchestrator Extension Table 7-2 Firewall Profiler Report queries Query FWPRO: Decreased Risk: Combined FWPRO: Decreased Risk: Destinations FWPRO: Decreased Risk: Sources FWPRO: High Risk: Destinations FWPRO: High Risk Relationships FWPRO: High Risk: Sources FWPRO: Increased Risk: Combined FWPRO: Increased Risk: Destinations FWPRO: Increased Risk: Sources FWPRO: Low Risk: Destinations FWPRO: Low Risk: Relationships FWPRO: Low Risk: Sources FWPRO: Medium Risk: Destinations FWPRO: Medium Risk: Relationships Description Displays relationships with mitigated risk. Displays destinations with mitigated risk. Displays sources with mitigated risk. Displays destinations with high risk. Displays relationships with high risk. Displays sources with high risk. Displays relationships with new risk. Displays destinations with new risk. Displays sources with new risk. Displays destinations with low risk. Displays relationships with low risk. Displays sources with low risk. Displays destinations with medium risk. Displays relationships with medium risk. 42 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

43 Queries Generate a Firewall Enterprise Report query 7 Table 7-2 Firewall Profiler Report queries (continued) Query FWPRO: Medium Risk: Sources FWPRO: No Traffic: Combined FWPRO: No Traffic: Destinations FWPRO: No Traffic: Sources FWPRO: Trend to Allow: Combined FWPRO: Trend to Allow: Destinations FWPRO: Trend to Allow: Sources FWPRO: Trend to Deny: Combined FWPRO: Trend to Deny: Destinations FWPRO: Trend to Deny: Sources FWPRO: Volume Decreased: Combined FWPRO: Volume Decreased: Destinations FWPRO: Volume Decreased: Sources FWPRO: Volume Increased: Combined FWPRO: Volume Increased: Destinations FWPRO: Volume Increased: Sources Profiler Report Attack Events, Total Firewall Events Profiler Report Exposure by category Profiler Report Protection by category Profiler Report Protection percentage Description Displays sources with medium risk. Displays relationships with no activity. Displays destinations with no activity. Displays sources with no activity. Displays relationships with increased allowed activity. Displays destinations with increased allowed activity. Displays sources with increased allowed activity. Displays relationships with increased denied activity. Displays destinations with increased denied activity. Displays sources with increased denied activity. Displays relationships with reduced activity. Displays destinations with reduced activity. Displays sources with reduced activity. Displays relationships with increased activity. Displays destinations with increased activity. Displays sources with increased activity. Compares the number of attack events to the overall number of events on the monitored firewalls. Displays the number of exposure events for each firewall by exposure category. Displays the number of events protected against by category for each monitored firewall. Compares the number of exposure events to the percentage of protection by category for each monitored firewall. Use the drop down lists at the top of the report to run Firewall Profiler Report queries for specific firewalls or for different time periods. Generate a Firewall Enterprise Report query Use the Queries page to run a Firewall Enterprise Report query. 1 In the epolicy Orchestrator console, select Queries & Reports. The Queries page appears. 2 Scroll down to the desired query, and click Run. The results of the query are displayed. For Firewall Enterprise Report queries, you can perform the following action. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 43

44 7 Queries Control Center queries Export report data Steps 1 Select Options Export Data. The Export window appears, providing configuration options for exporting the file. 2 Complete the fields. 3 Click Export. Control Center queries The following Control Center queries are provided with the Firewall Enterprise epolicy Orchestrator Extension. Table 7-3 Control Center queries Query FWCC: Active Firewall VPN Sessions FWCC: Alert Summary FWCC: Firewall CPU Usage FWCC: Firewall Disk Usage FWCC: Firewall Enterprise Control Center Run Statuses FWCC: Firewall Filter Sessions FWCC: Firewall Physical Memory Usage FWCC: Firewall Proxy Sessions FWCC: Firewall Run Statuses FWCC: Firewall Versions FWCC: Firewall Virtual Memory Usage FWCC: Idle Firewall VPN Sessions FWCC: Inbound Data Rate Through Firewall (Bytes/Sec) FWCC: Inbound Data Through Firewall (Bytes) FWCC: Outbound Data Rate Through Firewall (Bytes/Sec) FWCC: Outbound Data Through Firewall (Bytes) Description Displays the average number of active VPN sessions taking place on managed firewalls by hour. Displays the total number of alerts on managed firewalls by type. Displays the average CPU use of managed firewalls by hour. Displays the average disk use percentage of managed firewalls by hour. Displays the number of Control Center Management Servers organized according to run status. Displays the average number of filter sessions for managed firewalls by hour. Displays the average percentage of physical memory used by managed firewalls by hour. Displays the average number of proxy sessions for managed firewalls by hour. Displays the number of managed firewalls according to run status of each firewall. Displays the number of managed firewalls according to the version of each firewall. Displays the average percentage of virtual memory used by managed firewall by hour. Displays the average number of idle VPN session for managed firewalls by hour. Displays the average inbound data rate for managed firewalls in bytes per second by hour. Displays the average amount inbound data for managed firewalls in bytes by hour. Displays the average outbound data rate for managed firewalls in bytes per second by hour. Displays the average outbound data rate for managed firewalls in bytes per second by hour. 44 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

45 Queries Generate a Control Center query 7 Generate a Control Center query Use the Queries page to run a Control Center query. 1 In the epolicy Orchestrator console, select Queries & Reports. The Queries page appears. 2 Scroll down to the desired query, and click Run. The results of the query are displayed. For Control Center queries, you can perform the following actions. View details about a specific time period [FWCC Alert Summary only] View details about alerts Steps Click the desired data point on a report. Information for the selected time period is displayed in a table. Click a row in the table to view the McAfee Firewall Activity Details page for the firewall. Click an alert priority in the FWCC: Alert Summary report. The McAfee Firewall Alert Summary Details page appears. Use the left and right arrows at the bottom of the page to view details about other alerts with the same priority. [FWCC: Firewall Enterprise Control Center Run Statuses only] View details about Control Center Management Servers [FWCC: Firewall Run Statuses and FWCC: Versions only] View details about managed firewalls Click a run status in the FWCC: Firewall Enterprise Control Center Run Statuses report. The McAfee Firewall Enterprise Control Centers Details page appears. Use the left and right arrows at the bottom of the page to view details about other Control Centers with the same status. Click a run status in the FWCC: Firewall Run Statuses report. The McAfee Firewalls Details page appears. Use the left and right arrows at the bottom of the page to view details about other firewalls with the same status. Export report data 1 Select Options Export Data. The Export window appears, providing configuration options for exporting the file. 2 Complete the fields. 3 Click Export. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 45

46 7 Queries Generate a Control Center query 46 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

47 8 Issues 8 and tickets Contents Create Firewall Profiler issues Use Profiler Firewall tickets Create Firewall Profiler issues You can create issues for Firewall Profiler events. You can assign issues a type of Profiler Change Event or Profiler Risk Event to quickly distinguish them from other issues. See the McAfee epolicy Orchestrator Product Guide for more information about creating and using issues. Create a change event issue Use this task to manually create a change event issue. 1 Select Menu Automation Issues, then select Actions New Issue. 2 In the New Issue dialog box, select Profiler Change Events Issue from the Create issue of type drop down list, then click OK. The New Issue page appears. 3 Complete the fields for the new issue. 4 Click Save. The new issue appears at the top of the Issues page. Create a risk event issue Use this task to manually create a risk event issue. 1 Select Menu Automation Issues, then select Actions New Issue. 2 In the New Issue dialog box, select Profiler Risk Events Issue from the Create issue of type drop down list, then click OK. The New Issue page appears. 3 Complete the fields for the new issue. Click Save. 4 The new issue appears at the top of the Issues page. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 47

48 8 Issues and tickets Use Profiler Firewall tickets Use Profiler Firewall tickets If you have a separate ticketing system, you can create tickets for Firewall Profiler events. Any time a ticket is created, a ticketed issue is created automatically. See the McAfee epolicy Orchestrator Product Guide for more information about creating and using tickets. Create an event ticket Use this task to create a Firewall Profiler change event or risk event ticket. 1 From the Risk Events or Change Events page, select the checkbox next to the event you want to create a ticket for. 2 Select Actions Create Ticket. The Create Ticket pop up window appears. A message on the window informs you whether or not an open ticket exists for the event. 3 Click OK. The ticket is created and the ticketed issue can be viewed on the Issues page. Associate a ticket with an issue Before you begin Make sure you have integrated a ticketing server. Use this task to assign a ticket to an issue that has already been created. 1 Select Menu Automation Issues. 2 Select the checkbox next to the issue you want to assign a ticket to. If you want to assign tickets to several issues at once, you can select multiple checkboxes. 3 Select Actions Assign Ticket. The Add Ticket pop up window appears. 4 Click OK. A ticket is assigned to all the selected issues that do not already have a ticket assigned. 48 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

49 9 Automatic 9 responses Contents Firewall Profiler event responses Create an automatic response for Firewall Profiler events Firewall Profiler event responses You can create automatic responses rules for Firewall Profiler change and risk events. See the McAfee epolicy Orchestrator Product Guide for more information about creating and using automatic responses. Create an automatic response for Firewall Profiler events Use this procedure to create an automatic response rule that specifies a change event or risk event. This procedure leads you through each page of the Response Builder wizard. See also Describe the rule on page 49 Set filters for the rule on page 50 Set thresholds for the rule on page 50 Configure the actions for the rule on page 51 Review and save the rule on page 52 Describe the rule Begin creating a rule. The Description page of the Response Builder wizard allows you to: Name and describe the rule. Specify the language used by the response. Specify the event type and group that triggers this response. Enable or disable the rule. McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 49

50 9 Automatic responses Create an automatic response for Firewall Profiler events 1 Select Menu Automation Automatic Responses. 2 Do one of the following: Click New Response Click Actions New Response Click Edit next to an existing rule. The Response Builder wizard opens. 3 On the Description page, type a unique name and any notes for the rule. Rule names on each server must be unique. For example, if one user creates a rule named Emergency Alert, no other user (including global administrators) can create a rule with that name. 4 From the Language menu, select the language the rule uses. 5 From the Event group drop down list, select Profiler Events. 6 From the Event type drop down list, select the Firewall Profiler event type (change event or risk event) that will trigger this response. 7 Next to Status, select the Enabled or Disabled radio button. 8 Click Next. The Filter page appears. Set filters for the rule Set the filters for the response rule on the Filters page of the Response Builder wizard. 1 From the Available Properties list, select the desired property, then specify the value to filter the response result. Available Properties depend on the event type and event group selected on the Description page of the Response Builder wizard. 2 Click Next. The Aggregation page appears. Set thresholds for the rule Define when the event triggers the rule on the Aggregation page of the Response Builder wizard. A rule s thresholds are a combination of aggregation, throttling, and grouping. 1 Next to Aggregation, select whether to Trigger this response for every event, or to Trigger this response if multiple events occur within a defined amount of time. If you select the latter, define the amount of time in minutes, hours, or days. 50 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide

51 Automatic responses Create an automatic response for Firewall Profiler events 9 If you selected Trigger this response if multiple events occur within, you can choose to trigger a response when the specified conditions are met. These conditions are any combination of: When the number of distinct values for an event property is at least a certain value This condition is used when a distinct value of occurrence of event property is selected. When the number of events is at least Type a defined number of events. You can select one or both options. For example, you can set the rule to trigger this response if the distinct value of occurrence of event property selected exceeds 300, or when the number of events exceeds 3,000, whichever threshold is crossed first. 2 Next to Grouping, select whether to group the aggregated events. If you select to group the aggregated events, specify the property of event on which they are grouped. 3 As needed, next to Throttling, select At most, trigger this response once every and define an amount of time that must be passed before this rule can send notification messages again. The amount of time can be defined in minutes, hours, or days. 4 Click Next. The Action page appears. Configure the actions for the rule Configure the responses that are triggered by the rule on the Responses page of the Response Builder wizard. You can configure the rule to trigger multiple actions by using the + and buttons, located next to the drop down list for the type of notification. 1 If you want the notification message to be sent as an or text pager message, select Send from the drop down list. a Next to Recipients, click... and select the recipients for the message. This list of available recipients is taken from Contacts (Menu User Management Contacts). Alternatively, you can manually type addresses, separated by a comma. b c d e Select the importance of the notification . Type the subject of the message. Optionally, you can insert any of the available variables directly into the subject. Type any text that you want to appear in the body of the message. Optionally, you can insert any of the available variables directly into the body. Click Next if finished, or click + to add another notification. 2 If you want the notification message to be sent as an SNMP trap, select Send SNMP Trap from the drop down list. a Select the desired SNMP server from the drop down list. b Select the type of value that you want to send in the SNMP trap. Options are: Value Number of Distinct Values McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide 51

52 9 Automatic responses Create an automatic response for Firewall Profiler events List of Distinct Values List of All Values Some events do not include this information. If a selection you make is not represented, the information is not available in the event file. c Click Next if finished, or click + to add another notification. 3 If you want the notification to run an external command, select Run External Command from the drop down list. a Select the desired registered executables, then type any arguments for the command. b Click Next if finished, or click + to add another notification. 4 If you want the notification to create an issue, select Create issue from the drop down list. a Select the type of issue that you want to create. b c d e Type a unique name and any notes for the issue. Optionally, you can insert any of the available variables directly into the name and description. Select the state, priority, severity, and resolution for the issue from the respective drop down lists. Type the name of the assignee in the text box. Click Next if finished, or click + to add another notification. 5 If you want the notification to run a scheduled task, select Execute Scheduled from the drop down list. a Select the task that you want to run from the to execute drop down list. b Click Next if finished, or click + to add another notification. Review and save the rule On the Summary page, verify the information, then click Save. The automatic response is added to the Automatic Responses page. 52 McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide