Installation Guide: McAfee Firewall Enterprise (Sidewinder) on Riverbed Services Platform


Installation Guide: McAfee Firewall Enterprise (Sidewinder) on Riverbed Services Platform, version 7.0.1.02

COPYRIGHT

Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Issued April 2010 / McAfee Firewall Enterprise 7.0.1.02 on RSP

Contents

About this Guide 5
  Conventions 5
  Acronyms 6
1 Introduction 7
  About Firewall Enterprise on RSP 7
    Firewall Enterprise overview 7
    RSP overview 7
    Requirements 7
  Deployment scenario 8
2 Firewall Installation 11
  Before you begin 11
  Download the Firewall Enterprise package 11
  Add the package to RSP 11
  Install the package in a slot 11
  Configure the data flow 12
3 Setup 13
  Firewall setup 13
    Turn on the firewall 13
    Perform initial configuration 15
    Enable Admin Console access for the management network 17
  Admin Console setup 18
    Install the Firewall Enterprise Admin Console 18
    Log on to the firewall using the Admin Console 18
    Manually activate the license 20
  Policy configuration 21
    Create a gateway-to-gateway VPN 21
    Create packet filter rules 21
  Post-setup tasks 22

McAfee Firewall Enterprise 7.0.1.02 on RSP Installation Guide


About this Guide

This guide contains installation and startup instructions for McAfee Firewall Enterprise (hereinafter Firewall Enterprise) software on RSP. This guide is intended for network and security administrators. It assumes familiarity with Riverbed Steelhead appliances, UNIX and Microsoft Windows operating systems, system administration, the Internet, networks, and related terminology.

You can find additional information at the following locations.

Table 1 Additional resources

Online Help
  McAfee Firewall Enterprise: From the McAfee Firewall Enterprise Admin Console, click Help.
  Riverbed Services Platform: From the Steelhead appliance Management Console, click ?.
Support and documentation
  McAfee Firewall Enterprise: mysupport.mcafee.com. Tip: In particular, refer to the McAfee Firewall Enterprise Administration Guide.
  Riverbed Services Platform: support.riverbed.com. Tip: In particular, refer to the RSP User's Guide.
Product updates
  McAfee Firewall Enterprise: go.mcafee.com/goto/updates
  Riverbed Services Platform: support.riverbed.com

Conventions

Refer to Table 2 for a list of the text conventions used.

Table 2 Conventions

Courier bold
  Identifies commands and key words you type at a system prompt. Note: A backslash (\) signals a command that does not fit on the same line. Type the command as shown, ignoring the backslash.
Courier italic
  Indicates a placeholder for text you type.
<Courier italic>
  When enclosed in angle brackets (< >), identifies optional text.
nnn.nnn.nnn.nnn
  Indicates a placeholder for an IP address you type.
Courier plain
  Used to show text that appears on a computer screen.
Plain text italics
  Identifies the names of files and directories. Also used for emphasis (for example, when introducing a new term).
Plain text bold
  Identifies buttons, field names, and tabs that require user interaction.
[ ]
  Signals conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration).
Caution
  Signals "be careful in this situation"; you might do something that could result in the loss of data or an unpredictable outcome.
Note
  Used for a helpful suggestion or a reference to material not covered elsewhere in the guide.
Security Alert
  Identifies information that is critical for maintaining product integrity or security.
Tip
  Indicates time-saving actions; may help you solve a problem.

Note: The IP addresses, screen captures, and graphics used within this document are for illustration purposes only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features may be enabled in screen captures to make them clear; however, not all features are appropriate or desirable for your setup.

Acronyms

Refer to Table 3 for a list of acronyms used throughout this document.

Table 3 Acronyms

DHCP: Dynamic Host Configuration Protocol
LAN: local area network
RiOS: Riverbed Optimization System
RSP: Riverbed Services Platform
SSH: Secure Shell
UTM: Unified Threat Management
VNI: virtual network interface
VPN: virtual private network
WAN: wide area network

1 Introduction

Contents
About Firewall Enterprise on RSP
Deployment scenario

About Firewall Enterprise on RSP

RSP runs virtualized services on Riverbed Steelhead WAN optimization appliances. McAfee Firewall Enterprise (hereinafter Firewall Enterprise) software on RSP is an in-band package, so the data flow to and from branch offices passes through the firewall. This allows administrators to provide local security at branch offices without deploying additional hardware.

Firewall Enterprise overview

Firewall Enterprise combines all of the following into one UTM security appliance:
- Application-layer firewall
- IPsec VPN capabilities
- Web filtering (McAfee SmartFilter)
- Global reputation-based filtering (TrustedSource)

For more information about Firewall Enterprise, see the McAfee Firewall Enterprise Administration Guide at mysupport.mcafee.com.

RSP overview

RSP consolidates virtualized services on a single Steelhead appliance, providing the following benefits:
- VMware-based virtualization
- Up to five virtualized services (packages) per Steelhead appliance
- Support for different service types:
  In-band: The service is positioned in the optimized data path.
  Out-of-band: The service is positioned separately from the optimized data path and provides infrastructure for the branch network.

For more information on RSP, see the RSP User's Guide at support.riverbed.com.

Requirements

Firewall Enterprise runs on Riverbed Steelhead appliances that meet the following requirements:
- RiOS version 6.0 or later
- RSP version 6.0 or later installed and licensed
- Available RSP slot
- 28 GB of free disk space
- 512 MB of free memory

Deployment scenario

In this scenario, Firewall Enterprise is deployed in-band between RiOS and the Steelhead appliance WAN interface. As a result, network traffic that passes through the Steelhead appliance also flows through the firewall. Firewall Enterprise is also deployed on the remote Steelhead appliance in the same configuration.

Note: Other configurations might work but have not been tested.

Figure 1 In-band WAN package (Riverbed Steelhead appliance)

This deployment offers the following advantages.
- Optimized WAN traffic between the Steelhead appliances is protected by a gateway-to-gateway VPN between the firewalls.
- Traffic destined for the Internet is subject to firewall policy. A connection must match a rule to be allowed. SmartFilter web filtering and TrustedSource global reputation-based filtering can be applied.

Figure 2 Data center and branch office protected by in-band WAN firewalls

Network traffic is processed differently based on the destination.

Table 4 Traffic processing based on destination

Remote LAN
  1 RiOS determines that the destination is behind another Steelhead appliance and optimizes the traffic.
  2 When the optimized traffic reaches the firewall, it enters a gateway-to-gateway VPN between the firewalls. The VPN protects the optimized traffic as it traverses the WAN.

Internet
  1 RiOS determines that the destination is not behind another Steelhead appliance and does not optimize the traffic.
  2 When the traffic reaches the firewall, it must match a rule to be allowed through. Any content inspection that is configured, such as SmartFilter or TrustedSource filtering, is performed at this time.


2 Firewall Installation

Contents
Before you begin
Download the Firewall Enterprise package
Add the package to RSP
Install the package in a slot
Configure the data flow

Before you begin

Schedule downtime to install and configure your firewall. During the installation and configuration process, network connectivity to the Internet and remote LANs will be interrupted.

Download the Firewall Enterprise package

After you purchased Firewall Enterprise on RSP, a grant letter was emailed to you containing download, activation, and support information. From the computer you are using to administer your Steelhead appliance:
1 Follow the instructions in the grant letter to download the Firewall Enterprise package.
2 When the download is complete, extract the file.

Add the package to RSP

To add the Firewall Enterprise package to RSP:
1 Using a web browser, connect to the Management Console of your Steelhead appliance.
2 Select Configure > Branch Services > RSP Packages. The RSP Packages window appears.
3 Click Add a Package. The Fetch a Package view appears.
4 In the Name field, specify a descriptive name for the package, such as Firewall_Enterprise.
5 Select From Local File, then click Browse and select the Firewall Enterprise package in the folder you extracted.
6 Click Add Package. The Firewall Enterprise package uploads to the Steelhead appliance.

Install the package in a slot

To install Firewall Enterprise in a slot:
1 Click an empty slot number. The slot details appear.
2 [Optional] In the Slot Name field, specify a descriptive name for the slot, such as Firewall Enterprise.
3 From the Package drop-down list, select the Firewall Enterprise package.

4 Click Install. The Firewall Enterprise package begins installing in the slot, which might take a few minutes. When installation is complete, package details appear for the slot.
5 Save your changes.

Configure the data flow

The data flow determines where the firewall is positioned in the optimized data path. To deploy your firewall as an in-band WAN package, add firewall VNIs to the data flow in a specific order. When you add firewall VNIs, default VNI rules are created to redirect all traffic to the firewall slot.

Note: Do not modify the default VNI rules.

To configure the data flow:
1 Select Configure > Branch Services > RSP Data Flow > inpath0_0. The RSP Data Flow window appears.
2 Configure a VNI for the firewall LAN interface.
  a Click Add a VNI. The Add a VNI view appears.
  b From the Interface drop-down list, select slot:em1, where slot is the name of the Firewall Enterprise slot.
  c From the Data Flow Position drop-down list, select End.
  d Click Add. The VNI em1 is added.
3 Configure a VNI for the firewall WAN interface.
  a Click Add a VNI. The Add a VNI view appears.
  b From the Interface drop-down list, select slot:em0, where slot is the name of the Firewall Enterprise slot.
  c From the Data Flow Position drop-down list, select End.
  d Click Add. The VNI em0 is added.
4 Confirm that the data flow is ordered as follows: LAN0_0 > RiOS0_0 > em1 > em0 > WAN0_0. Re-order the VNIs if necessary.

Figure 3 Data Flow for WAN

5 Save your changes.

3 Setup

Contents
Firewall setup
Admin Console setup
Policy configuration
Post-setup tasks

Firewall setup

Perform the following procedures to set up your firewall:
- Turn on the firewall
- Perform initial configuration
- Enable Admin Console access for the management network

Turn on the firewall

From the Steelhead Management Console:
1 Enable the Firewall Enterprise slot.
  a Select Configure > Branch Services > RSP Packages.
  b Click the slot that contains Firewall Enterprise. The slot details appear.
  c Click Enable Slot. A message appears indicating that the slot is enabled.
2 Open the firewall console.
  a Click the slot that contains Firewall Enterprise. The slot details appear.
  b Click Launch VM Console. The VMware Infrastructure Web Access window appears in a new browser tab or window.
  c [Conditional] If a certificate warning appears, accept the certificate to proceed.

Figure 4 VMware Infrastructure Web Access window

  d In the VMware Infrastructure Web Access window, specify your Riverbed Steelhead credentials, then click Log In.
  e [Conditional] If a message appears indicating the VMware Remote Console Plug-in is not found, follow the on-screen instructions to install it.
  f Select Virtual Machine > Open in a New window. The VMware Remote Console window appears.

Figure 5 VMware Remote Console window

Perform initial configuration

Complete the initial Firewall Enterprise configuration.
1 Click inside the VMware Remote Console window, then press Enter. The Software License Agreement appears.
2 Read the Software License Agreement. Type c and press Enter to advance the page. Continue until the following text appears: Type Y to accept the license, N to decline the license, or R to redisplay the License.
3 Press y, then press Enter to accept the license. The Serial number prompt appears.
4 Complete the Quick Start Program using the information in Table 5. Press Enter after each entry.

Table 5 Quick Start Wizard responses

Serial number
  Type the serial number found in your grant letter.
First Name through License Comments
  Enter your registration information.
Do you want the system to be managed by a Control Center server and use Rapid Deployment?
  Press n.
Do you want the system to have a standard interface setup or a transparent (bridged) interface setup?
  Press s. Note: Firewall Enterprise on RSP does not support transparent interfaces at this time.
Do you want the system to initially allow administrative services only or administrative plus basic Internet services?
  To allow administrative services only, press a. To allow administrative services and basic Internet services, press i.
Hostname
  Type a host name for the firewall. Example: vfirewall.example.com
Use DHCP for external interface?
  Press n. Note: Firewall Enterprise on RSP does not support DHCP on the external interface at this time.
external IP
  Type an IP address that is appropriate for VNI em0 and the data flow you created in Configure the data flow.
external netmask
  Type a netmask that is appropriate for the external IP address you specified.
internal IP
  Type an IP address that is appropriate for VNI em1 and the data flow you created in Configure the data flow.
internal netmask
  Type a netmask that is appropriate for the internal IP address you specified.
external (internet) burb name
  To use the default name (external), press Enter. To specify a custom name, type the name and press Enter.
internal burb name
  To use the default name (internal), press Enter. To specify a custom name, type the name and press Enter.
Primary DNS IP
  Type the IP address of a DNS server that is reachable on the external burb.
Secondary DNS IP
  If you do not want to specify a secondary DNS server, press Enter. To specify a secondary DNS server, type the IP address of the server.
Default route
  Type the IP address of the router that will handle packets destined for addresses that are not in your firewall routing table. Note: The default route you specify must provide Internet connectivity.
Internal mail host
  Type a host name for an internal email server. Example: smtp.example.com
Do you need an additional route for administrative or Control Center access?
  Press n.
Username
  Type a user name to create an administrative user.

Table 5 Quick Start Wizard responses (continued)

Password
  Type a password for the administrative user.
Administrator email address
  If you do not want to specify an email address for the administrative account, press Enter. To specify an email address for the administrative account, type the address and press Enter.

A summary of your input appears.
5 Press Enter. The text Press E to edit or A to apply the configuration appears.
6 Do one of the following:
  - If you would like to make changes to the configuration, press e, then press Enter.
  - If you are satisfied with the configuration summary, press a, then press Enter.

When you apply the configuration, the firewall uses your responses to perform its initial configuration. When initial configuration is complete, the login prompt appears.

Enable Admin Console access for the management network

The Firewall Enterprise Admin Console is graphical software you can use to manage Firewall Enterprise appliances. The Admin Console runs on a Windows-based computer within your network. By default, Admin Console access is enabled for the internal burb. If your management computer is connected to a Steelhead appliance management interface instead of the in-path LAN interface, perform this procedure to enable administrative access.

1 Log on to the firewall console.
  a If necessary, click inside the VMware Remote Console window.
  b Log on using the administrator user name and password you specified in Perform initial configuration.
  c Type srole, then press Enter. The User prompt changes to the Admn prompt.
  Tip: The srole command logs you on to the Admn domain, which allows access to all firewall domains.
2 Create a management burb.
  a Select a name for the burb, such as management.
  b To create the burb, run the following command:
    cf burb add name=burb_name modes=12
    where burb_name is the name of the management burb.
3 Configure the management network interface (VNI).
  Note: This step configures firewall interface em4, which is bridged to the Steelhead appliance primary physical port.
  a Select a management IP address to assign to the firewall.
  Tip: Choose an IP address that is appropriate for the network that the Steelhead appliance primary physical port is connected to.
  b To configure the interface, run the following command:
    cf interface add entrytype=interface name=interface_name hwdevice=em4 enabled=yes burb=burb_name addresses=ip/netmask
    where:
    - interface_name is the name to assign to the new interface.
    - burb_name is the name of the burb you created in Step 2.
    - ip/netmask is the IP address and netmask to assign to the interface; for example: 192.168.0.10/24.
4 Run the following command to configure the Admin Console rule to accept connections from the management burb:
    cf policy modify name='Admin Console' source_burbs='internal,burb_name' dest_burbs='internal,burb_name'
  where burb_name is the name of the burb you created in Step 2. Keep the quotes around values that contain spaces or commas so that each value is passed to cf as a single argument.

The firewall now accepts Admin Console connections from the management burb.

Admin Console setup

Perform the following procedures to set up the Admin Console:
- Install the Firewall Enterprise Admin Console
- Log on to the firewall using the Admin Console
- Manually activate the license

Install the Firewall Enterprise Admin Console

The Admin Console is the primary user interface for the firewall. It is the graphical user interface (GUI) application used to manage your firewall from a Windows computer.

Note: The Windows-based computer that you install the Admin Console on must have connectivity to the internal interface of your firewall.

To install the Admin Console on a Windows-based computer:
1 Use Windows Explorer to view the contents of the folder you created when you extracted the firewall package.
2 Double-click the .exe file. The Welcome window appears.
3 Follow the on-screen instructions to complete the setup program. McAfee recommends using the default settings.

Tip: You should also install an SSH client on your computer. Use the SSH client to obtain secure command line access to the firewall.

Log on to the firewall using the Admin Console

Using the information you provided in the Quick Start Program, connect to your firewall and perform the following steps:
1 From the computer you installed the Admin Console on, select Start > Programs > McAfee Firewall Enterprise (Sidewinder) Admin Console. The Firewall Enterprise Admin Console appears.
2 Add a firewall to the Admin Console tree.
  a On the toolbar, click New Firewall. The Add Firewall window appears.
  b Enter the firewall name and IP address, then click Add.
3 Connect to your firewall.
  a In the left pane, select your firewall.
  b In the right pane, click Connect. If the Admin Console successfully connects to the firewall, a popup window appears with the firewall certificate that will be used for all subsequent administrative connections. If a message appears stating Failed to connect to SSL server, the firewall might not have finished restarting. Try connecting again in a few minutes.
4 [Initial connection only] Accept the firewall certificate or verify it before accepting it.
  - Accept: To accept the certificate, click Yes. The Login window appears.
  - Verify: To verify the certificate before accepting it, record the fingerprint in the popup window, then perform Step 5.

5 [Optional] To verify the firewall certificate, obtain the certificate fingerprint from the command line interface.
  a Using the command line, log on to the firewall.
  b Type srole to change to the Admin domain.
  c Enter the following command:
    cf cert view fw name=default_ssl_cert
    The contents of the certificate appear.
  d Beneath the END CERTIFICATE identifier, locate the certificate fingerprint.
  e Compare the certificate fingerprint to the fingerprint you recorded in Step 4. If the fingerprints match, connect to the firewall again and accept the certificate.
6 Type the administrator user name, then click OK.
7 Type the password, then click Enter. A Feature Notification window appears listing the features that are licensed on your firewall.
  Note: If a message appears stating The SecureOS will expire in approximately 7 day(s), the license was not automatically activated and you have a trial license. You must activate the license manually before the trial license expires. See Manually activate the license for instructions.
8 Click Close. You are connected to your firewall.
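The fingerprint comparison in Step 5 can be scripted so that the certificate presented on the Admin Console connection is checked against the value recorded from the firewall console before it is trusted. The following Python is an added example, not code from the McAfee guide; it assumes the caller supplies the Admin Console port (the guide does not state it) and that the recorded fingerprint is an MD5, SHA-1 or SHA-256 digest. The embedded certificate bytes are a constructed stand-in so the check runs offline.

```python
"""Out-of-band fingerprint check for the Firewall Enterprise Admin Console
certificate (added example; assumptions are noted in the comments)."""
import base64
import hashlib
import re
import ssl

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER encoding, the form
    certificate viewers usually display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(recorded: str) -> str:
    """Reduce a transcribed fingerprint to bare upper-case hex so that
    'ab:cd', 'AB CD' and 'SHA1 Fingerprint=AB:CD' compare equal."""
    value = recorded.rsplit("=", 1)[-1]   # drop any "...Fingerprint=" prefix
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def fingerprint_matches(der: bytes, recorded: str) -> bool:
    """True only if the recorded value equals the certificate's MD5, SHA-1 or
    SHA-256 fingerprint. An empty or truncated transcription never matches,
    so a sloppy comparison cannot accept the certificate by accident."""
    want = normalize(recorded)
    if len(want) not in (32, 40, 64):
        return False
    return any(normalize(fingerprint(der, algo)) == want
               for algo in ("md5", "sha1", "sha256"))


def fetch_admin_console_cert(host: str, port: int) -> bytes:
    """Retrieve the certificate the firewall presents on its Admin Console
    port as DER bytes. The port is an assumption supplied by the caller;
    this needs network access and is not exercised by the offline demo."""
    pem = ssl.get_server_certificate((host, port))
    return pem_to_der(pem)


# Constructed stand-in so the check runs offline: arbitrary bytes wrapped in
# PEM armour, not a real X.509 certificate.
SAMPLE_DER = b"constructed stand-in certificate bytes for the offline check"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def demo() -> bool:
    """Record the fingerprint as an administrator would (from the PEM shown
    by 'cf cert view'), then verify the certificate seen on the connection
    against that transcription, here written in lower case with spaces."""
    recorded = fingerprint(pem_to_der(SAMPLE_PEM), "sha1")
    return fingerprint_matches(SAMPLE_DER, recorded.lower().replace(":", " "))


if __name__ == "__main__":
    print("fingerprint matches:", demo())
```

In practice, replace SAMPLE_DER with the bytes returned by fetch_admin_console_cert and pass the fingerprint copied from the firewall console as the recorded value.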

Manually activate the license

The firewall license is automatically activated after the configuration is applied.

Note: Your firewall must have Internet access to activate its license.

If your license was not auto-activated, it will operate for seven days with a trial license. These features are licensed during the trial period:
- SecureOS
- Support
- VPN
- Failover
- Strong Cryptography

To manually activate your firewall license:
1 Locate the serial number for your firewall. The serial number is on your grant letter.
2 In the Admin Console, select Maintenance > License. The License window appears.
3 Click the Contact tab, and enter your company contact information.
4 Click the Company tab, and enter your company information.
5 Click the Firewall tab, and enter the firewall information:
  a In the Serial Number field, type the 16-digit alphanumeric serial number for this firewall.
  b In the Firewall ID field, accept the default.
  Note: Do not change the Firewall ID unless instructed by McAfee support.
6 Click Activate Firewall. The firewall uses an encrypted HTTPS session to send the license information to the McAfee licensing website. If the data is complete, the request is granted and a new activation key appears in the Activation Key field. The Current Features list updates with the new license information. Your firewall software and any features you licensed are activated.

Policy configuration

Configure the firewall to allow optimized WAN traffic to flow from the local Steelhead appliance RiOS to the remote Steelhead appliance RiOS. Use one of the following methods:
- Create a gateway-to-gateway VPN: Use a VPN between the local firewall and the remote firewall to bypass firewall rules and to encrypt optimized WAN traffic between Steelhead appliances.
- Create packet filter rules: Rules allow matching optimized WAN traffic to pass through the firewall unmodified.

Tip: WAN optimization interferes with firewall content inspection. For best results, use packet filter rules for optimized traffic and avoid proxies.

Each method has advantages and disadvantages.

Table 6 Methods to pass optimized WAN traffic

VPN
  Advantages: WAN traffic is encrypted. No rules are required.
  Disadvantages: Firewall is required on both Steelhead appliances. VPN must be defined on both firewalls. Rules cannot be used to enforce access control policy.
Rules
  Advantages: Firewall is not required on remote Steelhead appliance. No VPN definition is required. Access control policy can be enforced on WAN traffic using rules.
  Disadvantages: WAN traffic is not encrypted. Rules are required to allow WAN traffic.

Create a gateway-to-gateway VPN

On each firewall, create a gateway-to-gateway VPN definition that allows the local network to communicate with the network behind the remote Steelhead appliance. For information on creating VPNs, see the Virtual Private Networks chapter of the McAfee Firewall Enterprise Administration Guide.

Create packet filter rules

Create packet filter rules to allow optimized WAN traffic through the firewall.
1 Create a packet filter rule that allows TCP port 7800 between the local RiOS and the remote RiOS.
2 Create additional packet filter rules as necessary to allow optimized WAN traffic to pass through the firewall.

Post-setup tasks

Consider performing the following tasks.
- Check for updates and patches.
- Set the date and time.
- Create a configuration backup.
- Configure the rule elements, rules, and rule groups.
- Set up accounts for other administrators.
- Configure your internal mail server to route email through the firewall.
- Set up email by running the Reconfigure Mail tool and creating the necessary objects and rules.
- Set up an authentication server to validate remote users.

For information on managing your firewall, see the McAfee Firewall Enterprise Administration Guide.

700-2488A00