McAfee Firewall Profiler Product Guide. version 1.5


COPYRIGHT
Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions
Refer to the product Release Notes.

Issued January 2009 / McAfee Firewall Profiler software version 1.5

Contents

About this guide
  Conventions
  Acronyms

Introduction to Firewall Profiler
  Introducing the Firewall Profiler
  Putting Firewall Profiler to use
  What Firewall Profiler provides

Deploying a Firewall Profiler
  Setup tasks
  Additional information
  Verify materials
  Record your initial configuration responses
  Setting up the hardware
  Configuring the Firewall Profiler at first boot
  Activating a Firewall Profiler
  Backing Up a Firewall Profiler
  What is backed up
  What's next

Configuring the Firewall Profiler
  Record your configuration information
  Getting started quickly
  Reviewing system status
  Enabling identities collection
  Define the DNS server(s) and NTP server
  Collect the certificate common name and hash values
  Install and configure a McAfee Login Collector
  Define the identities address space
  Encrypt credentials for domains
  Add a domain to the Firewall Profiler
  Ranking preferred user groups
  What's next

Working with Live Data
  Live Data page
  Live Data interface
  Selecting a data feed
  Selecting a time frame
  Viewing trend chart details
  Using the WHO, WHAT, and WHERE filters
  Comparing time frames
  Reading event trends
  Viewing the remediation summary
  Viewing the remediation details

Managing the Firewall Profiler
  Firewall Profiler web interface for managing
  System logon indicator
  Operations
  System status
  Logs
  Data feeds
  Flow
  Configuration
  General
  Domains
  Users
  Software update
  ePO
  Reporting
  Reporters
  Preferred Groups
  Preferences

A Troubleshooting
  Backing up and restoring a Firewall Profiler
  Re-imaging a Firewall Profiler
  Determining Firewall Profiler version
  Configuring network information
  Downloading log files
  Enabling a serial port connection
  Verifying the domain credentials
  Connecting to a DC
  Running a CPU Performance Query
  Running a Back Log Query
  Running a Forward Log Notification Query
  Creating a non-administrator account to access the security event log on a DC
  Instructions for Windows 2003 server
  Instructions for Windows 2000 server
  Useful resources

B Installing a McAfee Login Collector
  McAfee Login Collector installation requirements
  Installing the MLC software
  Configuring the MLC
  Configuration tab
  Remote tab
  Using Microsoft Management Console to manage MLC certificates
  Importing or removing a server or client CA certificate for MLC
  Using NTLMv2 with MLCs

Index

About this guide

The McAfee Firewall Profiler Product Guide describes the features and capabilities of the McAfee Firewall Profiler software. This guide is intended for network and security administrators, and especially McAfee Firewall Enterprise (Sidewinder) administrators. It assumes familiarity with Linux, a basic understanding of system administration, a working knowledge of the Internet and its associated terms and applications, and an understanding of networks and network terminology, including TCP/IP protocols. You should also be familiar with the McAfee Firewall Enterprise (Sidewinder) and have access to its documentation.

You can find additional information at the following locations:
- Help: Help is built into Firewall Profiler in the form of a PDF version of this Product Guide. Click the Help link in the Firewall Profiler web interface.
- Support: Visit mysupport.mcafee.com to find product documentation, announcements, and support.
- Product updates: Visit mysupport.mcafee.com to find product updates and patches. To navigate to the download area, click Download Software Updates under Self Service, then click Product Downloads, then click My Products under the applicable category. Finally, type your Grant Number and click Submit.

Conventions

Refer to Table 1 for a list of the text conventions used.

Table 1 Conventions
Convention: Description
Courier bold: Identifies commands and key words you type at a system prompt. Note: A backslash (\) signals a command that does not fit on the same line. Type the command as shown, ignoring the backslash.
Courier italic: Indicates a placeholder for text you type
<Courier italic>: When enclosed in angle brackets (< >), identifies optional text
nnn.nnn.nnn.nnn: Indicates a placeholder for an IP address you type
Courier plain: Used to show text that appears on a computer screen
Plain text italics: Identifies the names of files and directories. Used for emphasis (for example, when introducing a new term)
Plain text bold: Identifies buttons, field names, and tabs that require user interaction
[ ]: Signals conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration)
Caution: Signals be careful in this situation, you might do something that could result in the loss of data or an unpredictable outcome.
Note: Used for a helpful suggestion or a reference to material not covered elsewhere in the guide
Security Alert: Identifies information that is critical for maintaining product integrity or security
Tip: Indicates time-saving actions; may help you solve a problem

Note: The IP addresses, screen captures, and graphics used within this document are for illustration purposes only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features may be enabled in screen captures to make them clear; however, not all features are appropriate or desirable for your setup.

Acronyms

Refer to Table 2 for a list of acronyms used throughout this document.

Table 2 Acronyms
Acronym: Description
URL: Uniform Resource Locator
SNMP: Simple Network Management Protocol
SMTP: Simple Mail Transport Protocol
NTP: Network Time Protocol
DNS: Domain Name System
MLC: McAfee Login Collector
NTLM: NT LAN Manager
LM (hash): LAN Manager Hash
MTU: Maximum Transmission Unit
ePO: McAfee ePolicy Orchestrator

1 Introduction to Firewall Profiler

Contents
- Introducing the Firewall Profiler
- Putting Firewall Profiler to use
- What Firewall Profiler provides

Introducing the Firewall Profiler

McAfee Profiler addresses the most time-consuming tasks in current Firewall Administration: Resolving user access problems due to changes in the network or due to introduction of new applications. McAfee Profiler turns days of troubleshooting into a couple of clicks.

McAfee Firewall Profiler is a network appliance that takes feeds from McAfee Firewall Enterprise and flow data from across the network and instantly analyzes this information to provide true visibility into the impact of firewall rules on the network. Profiler complements McAfee Firewall Enterprise Control Center for management and dramatically reduces troubleshooting efforts related to firewalls.

Changing firewall policy can be an inefficient endeavor, where you may not know the full extent of the effects of your changes until well after you have made them and users are contacting you with issues. With Firewall Profiler, you gain visibility into your firewall, enabling you to detect changes in access patterns in real time.

Putting Firewall Profiler to use

Following are some of the ways you can put Firewall Profiler to use for you:

- Quick root cause detection of application outages
  Meaningful Firewall management systems have notoriously provided vast amounts of data to the firewall administrator. Typically, however, the data collected by the firewall is neither sufficient nor presented in a meaningful enough manner to enable the firewall administrator to quickly understand the root cause of a firewall problem like application outages. Network infrastructure can easily fall out of synchronization with a firewall's rule set. For example, application servers are sometimes moved or re-purposed, or user groups come online that require immediate access to an application. With Firewall Profiler, you can quickly and easily determine whether a particular user group has the access it requires, or whether an application server is trending toward denying traffic.

- Situational Awareness
  Firewall administrators can visualize at a glance, in a single view, what access is being granted and denied by the firewall.

- Application roll-out support
  Firewall Profiler enables firewall administrators to visualize the effect of their firewall rule set changes. Firewall administrators can assess in real time the accuracy and validity of their firewall changes and quickly identify whether there is a gap between the specifications of the applications and the actual application requirements.

What Firewall Profiler provides

Following is a sampling of the features and functionality Firewall Profiler provides:

- Real-time detection of changes in access patterns
  Firewall Profiler enables you to see whether firewall policy changes have resulted in significant trends in allowing or denying traffic, or fluctuations in the volume of traffic. Such changes to access or volume can be an indication that the firewall administrator should review those policy changes immediately.

- Quick identification of whether access was prevented at the firewall
  Consistently, firewall administrators are the first to be blamed when access to applications breaks in the network. Firewall Profiler enables you to quickly identify whether the problem at hand is a firewall problem or not and can reduce the time you spend investigating log files.

- Quick understanding of the scope of both a problem and a potential fix
  Firewall Profiler enables you to quickly answer the question of whether a particular problem is a one-off access issue (such as a user accessing from a forbidden location), or an indication of a more wide-spread problem involving multiple users (such as a user group was moved from one location to another). Being able to quickly diagnose the problem can help reduce the number of support calls that may come in, especially for problems involving many users. As a firewall administrator, you are required to understand what you need to do to change a firewall rule set to address a particular problem. Firewall Profiler enables you to discover which rule set must be modified, or how the rule should be implemented in the firewall to enable access that is being denied.

2 Deploying a Firewall Profiler

Contents
- Setup tasks
- Verify materials
- Record your initial configuration responses
- Setting up the hardware
- Configuring the Firewall Profiler at first boot
- Activating a Firewall Profiler
- Backing Up a Firewall Profiler
- What's next

Setup tasks

To set up your Firewall Profiler, use this chapter to perform the following tasks:
1 Plan your setup.
  - Verify necessary hardware and media
  - Prepare configuration responses
2 Set up the hardware.
3 Start the Firewall Profiler and perform the initial configuration.
  - Configure network information and required user accounts
  - Activate the license
  - Perform a post-setup backup

Additional information

See the table below for a list of related resources.

Table 3 Summary of documentation
Document: Description
McAfee Firewall Enterprise Setup Guide: Leads you through your initial McAfee Firewall Enterprise configuration and describes fundamental concepts of firewall administration.
McAfee Firewall Enterprise Administration Guide: Provides complete administration information on all McAfee Firewall Enterprise features and functionality. You should read this guide if you are responsible for configuring and managing a McAfee Firewall Enterprise.
Release notes: Software updates include release notes, which describe any new features as well as fixes and enhancements to the software. Release notes are located at mysupport.mcafee.com.
Knowledge Base: Supplemental information for Firewall Profiler. Articles include troubleshooting tips and commands. All manuals and application notes are also posted here. The Knowledge Base is located at mysupport.mcafee.com.

Verify materials

Make sure that you have all the necessary hardware, software, and documents needed to set up your Firewall Profiler.

Table 4 Materials provided by McAfee
Hardware, software, and documents included in your shipment:
- Power cord and serial cable
- Appliance pre-loaded with Firewall Profiler software
- 1U server mounting rails
- Installation CD: (To be used only if system needs re-imaging)
- Quick Start, Activation Certificate (These documents are printed)

Table 5 Materials provided by you
Hardware: Component: Requirements

Firewall Profiler initial configuration
  Monitor: 1024 x 768 or higher, plugged directly into the Firewall Profiler appliance
  Keyboard: USB, plugged directly into the Firewall Profiler appliance

Management system for web interface (desktop or laptop)
  OS: MS Windows 2000 Workstation, 2000 Server, XP Pro, or Vista
  CPU: Intel (1 GHz minimum)
  Memory: 2 GB minimum
  Drives: 300 MB of available disk space; CD-ROM drive
  Monitor: 1024 x 768 or higher
  Network interface card: Access to network hosting your firewall
  Browser: Internet Explorer 7 (use of Internet Explorer 6 requires an AJAX plug-in); Mozilla Firefox 3.0 or later

Network cables
  At least two network cables for the Firewall Profiler; one network cable for management system

Record your initial configuration responses

Complete this form so that you have responses available when you initially configure your Firewall Profiler upon booting for the first time.

License Information

McAfee uses this information to send customer announcements, such as patches or end-of-life notifications. The serial number is on your Activation Certificate and it is also attached to the top of the appliance. Your 16-digit, alphanumeric serial number is in this format: SWXX-XXXX-XXXX-XXXX.

Serial Number:

Enter the contact and company information for this Firewall Profiler's administrator. McAfee uses this information to send customer announcements, such as patches or end-of-life notifications.

Contact Information:
  First Name:
  Last Name:
  Phone Number:
  Purchased From:

Company Information:
  Name:
  Street:
  City:
  State/Province:
  Postal (ZIP) Code:
  Country:

Machine name and access information

Type the machine name that the Firewall Profiler will be known by on the external burb (internet). Determine a naming scheme for your Firewall Profiler or select a name that fits into your existing scheme. For example, if you have more than one Firewall Profiler, your naming scheme could be profiler_a.example.com, profiler_b.example.com, and so on.

Machine name:

MTU Size
The default MTU size is appropriate for most situations. Type the value appropriate for your environment. If you are using a PPPoE connection, for example, change the value to

SSH enabled (yes or no)
Determine whether you are going to allow SSH access to the Firewall Profiler.

Network Information

Assign an IP address to your network interface. You can assign either an IPv4 or IPv6 address to the network interface during initial configuration. Firewall Profiler also supports configuring IPv6 via Stateless Auto Address Configuration (STAAC), which automatically configures IPv6 settings by negotiating with the router. Check with your site network administrator before enabling this option due to security concerns.

IP address:
Netmask:
Gateway:

Gathering User Account Information

You need to create a user account that can access the Firewall Profiler web interface, and then specify passwords for other built-in user accounts.

Web interface administrator
Create a user name and password that you will use to connect to the Firewall Profiler web interface. A user name can consist of 6-16 characters, upper and lowercase letters, numbers, spaces, and the dash (-) or underscore (_) characters. The password must meet these strong password guidelines:
- Use a minimum of eight characters.
- Use at least one uppercase letter, one lowercase letter, one number and one special character.

Administrator username:
Password:

Root password
Create a password for root on the Firewall Profiler appliance. You cannot SSH into the Firewall Profiler as the root user. Instead, you must use the svs user.

Root password:

svs account password
Create a password for the svs account on the Firewall Profiler appliance. You use the svs account, which is root-equivalent, to SSH into the Firewall Profiler for administrative tasks that cannot be performed through the web interface.

svs password:

swcfg account password
Create a password for the swcfg account on the Firewall Profiler appliance. The McAfee Firewall Enterprise uses the swcfg account to access the Firewall Profiler.

swcfg password:

For more information on the swcfg account used by the McAfee Firewall Enterprise, see SCP username and password on page 19 and SCP username and password on page

Setting up the hardware

Before you boot the Firewall Profiler appliance and begin the initial configuration, make sure your hardware is set up and your information is available.

1 Use a diagram of your network to determine the proper placement of your Firewall Profiler. The Firewall Profiler must be able to reach the appropriate McAfee Firewall Enterprises and servers (such as mail servers and name servers).
2 Attach the power cord to the Firewall Profiler and plug it into an electrical outlet (but do not power on the appliance yet).
3 Connect a display, keyboard, and optionally a mouse to the Firewall Profiler.

You are now ready to power on the Firewall Profiler and perform the initial configuration. Proceed to Configuring the Firewall Profiler at first boot.

Configuring the Firewall Profiler at first boot

These instructions assume you are booting your Firewall Profiler for the first time after you have set up the hardware (see Setting up the hardware). For information about re-installing the McAfee Firewall Profiler software, see Re-imaging a Firewall Profiler on page 62. You should have available the information you previously gathered (see Record your initial configuration responses).

1 Power on the appliance.
2 Press Enter to read the license agreement when prompted. To navigate the agreement, press the space bar to move to the next page, press b to move back to the previous page, press h for more help, or press q to quit reading and move to the next step.
3 After pressing q (to quit reading), type yes, and then press Enter to agree to the terms.
4 Configure the network information as prompted. Use the mouse, tab key, or arrow keys to move from one field to another. Type over the displayed value, such as the IP address, to change it. Press the space bar to toggle on and off a property with a check box.
  Note: You can change the IP address for the Firewall Profiler at any time by running editsvnetwork.pl directly as root from the console or remotely using an SSH connection to the appliance. You need to have /opt/svs/system/bin in your path, or change to that directory to run the command.
5 Press the space bar to toggle on or off the serial port login to the Firewall Profiler. See Enabling a serial port connection for information on performing this step outside of the installation process. When serial port login is enabled, you can connect a tty to the serial port of the Firewall Profiler to connect to the command line interface. Only the svs account can log on by way of the serial tty. When serial port login is off, this feature is disabled. The recommended setting is disabled, the default.
6 Configure user accounts as prompted.
7 Review the summarized information and save a copy, then press Enter to reboot the Firewall Profiler.

With your Firewall Profiler configured, you are ready to proceed to Activating a Firewall Profiler.

Activating a Firewall Profiler

The Firewall Profiler must be activated to establish your technical support license and communicate with McAfee Firewall Enterprises.

Note: If at any time you change the terms of your support contract or perform a major version upgrade, you are required to re-license your system.

To activate a Firewall Profiler:

1 Locate the serial number for your Firewall Profiler on your Activation Certificate.
2 Log on (or SSH in) to the Firewall Profiler console as the svs account, and then at the command prompt, type the following to be logged in as root:
    #sudo -s
3 Type the following command at the system prompt:
    #getsystemid
  The result should look similar to the following:
    #99aaaaa9a9a9
  Write down this number as you will need it for the Server ID field on the activation web page in the next step.
4 Open a browser and go to the Firewall Profiler activation web page:
  Following are the fields for which you will need to provide values:
    For this field...: Provide...
    Serial Number: The serial number from your printed Activation Certificate.
    Server ID: The output of the getsystemid command in step 3.
    Version: The appropriate version number from the drop-down list.
    End User Information: The appropriate information such as name, phone number, address, address, and other values as prompted on the form.
5 Complete the form on the activation web page and then click Submit at the bottom of the page.
6 Save the resulting web page. You must save the complete web page so that pertinent meta information is saved.
  - For Internet Explorer, select Webpage, complete (*.htm;*.html) for Save as type
  - For Firefox, select Web Page, complete for Save as type
  The file name should be similar to activation.cfm.htm. You can use any file name.
  Caution: Take appropriate measures to protect this file as it contains critical information related to the functioning of your Firewall Profiler.
7 Log on (or SSH in) to the Firewall Profiler console again as described in step 2 if you are not still logged on to the console as root.
8 Copy the activation form web page file you saved in step 6 (for example, activation.cfm.htm) to /opt/svs/config on the Firewall Profiler. For example, use scp.
9 Type the following command at the system prompt:
    #licensesetup.pl --file /opt/svs/config/activation.cfm.htm
  If you did not use the file name activation.cfm.htm, substitute the file name you chose.
  Note: If the saved web page does not match the information obtained from using the getsystemid command, you see an error regarding licensing information mismatch.

10 Verify the activation by typing the following command at the system prompt:
    #verifyactivation
  What you see depends on whether you have the correct license.

  For this license...: You see output similar to this...
  Correct:
    SystemID: xxxxxxxxxxxx; Serial Number: XXXX-XXXX-XXXX-XXXX System time : Fri Mar 6 15:53: SecureOS License expires on: never Support License expires on: Wed Jan 1 06:00:
  Expired:
    SystemID: xxxxxxxxxxxx; Serial Number: XXXX-XXXX-XXXX-XXXX System time : Fri Mar 6 15:53: SecureOS License expires on: never Support License expired on: Sun Jan 24 06:00:
  Incorrect or no license present:
    SystemID: xxxxxxxxxxxx Serial Number: XXXX-XXXX-XXXX-XXXX System has not been registered correctly, incorrect Master Key present

11 With your Firewall Profiler activated, you should proceed to Backing Up a Firewall Profiler so that your configuration can be preserved.
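The three verifyactivation cases in the table above can be told apart mechanically, which is useful for a scheduled check that flags an expired or missing license. The shell functions below are an added example, not McAfee code: the function names, the exit-code convention and the line breaks in the constructed samples are assumptions, and only phrases shown in the table are matched.

```shell
#!/bin/sh
# Added example (not McAfee code): classify `verifyactivation` output.
# Samples are constructed from the table above; their line breaks are an
# assumption because the page shows the output flattened.

SAMPLE_CORRECT='SystemID: xxxxxxxxxxxx; Serial Number: XXXX-XXXX-XXXX-XXXX
System time : Fri Mar 6 15:53:
SecureOS License expires on: never
Support License expires on: Wed Jan 1 06:00:'

SAMPLE_EXPIRED='SystemID: xxxxxxxxxxxx; Serial Number: XXXX-XXXX-XXXX-XXXX
System time : Fri Mar 6 15:53:
SecureOS License expires on: never
Support License expired on: Sun Jan 24 06:00:'

SAMPLE_UNREGISTERED='SystemID: xxxxxxxxxxxx
Serial Number: XXXX-XXXX-XXXX-XXXX
System has not been registered correctly, incorrect Master Key present'

# Reads the command output on stdin and prints one of:
# correct | expired | unregistered | unknown
activation_state() {
    out=$(cat)
    case $out in
        *"System has not been registered correctly"*) echo unregistered ;;
        *"Support License expired on:"*)              echo expired ;;
        *"Support License expires on:"*)              echo correct ;;
        *)                                            echo unknown ;;
    esac
}

# Prints the SystemID value found in the output on stdin (empty if none).
activation_system_id() {
    sed -n 's/.*SystemID: *\([^; ]*\).*/\1/p' | head -n 1
}

# check_activation EXPECTED_ID   (output on stdin)
# EXPECTED_ID is the value noted from getsystemid; pass "" to skip the check.
# Exit codes (assumed convention): 0 ok, 1 warning, 2 critical, 3 unknown.
check_activation() {
    expected=$1
    out=$(cat)
    state=$(printf '%s\n' "$out" | activation_state)
    sysid=$(printf '%s\n' "$out" | activation_system_id)
    case $state in
        unregistered)
            echo "CRITICAL: system not registered (incorrect Master Key)"
            return 2 ;;
        unknown)
            echo "UNKNOWN: output not recognised"
            return 3 ;;
    esac
    if [ -n "$expected" ] && [ "$sysid" != "$expected" ]; then
        echo "CRITICAL: SystemID '$sysid' differs from expected '$expected'"
        return 2
    fi
    if [ "$state" = expired ]; then
        echo "WARNING: support license expired"
        return 1
    fi
    echo "OK: license present for SystemID $sysid"
    return 0
}
```

On the appliance the check would be fed the live output, for example `verifyactivation | check_activation "$id"`, run as root as in step 10.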

Backing Up a Firewall Profiler

To establish a base point post-configuration with license and activation information, you should create a backup file and store it away from the Firewall Profiler.

Note: For information about restoring a Firewall Profiler from a backup file, see Backing up and restoring a Firewall Profiler in Appendix A, Troubleshooting.

1 Log on to Firewall Profiler console.
2 Run the following command at the prompt:
    # backup.pl
  Following is a sample of the output from this command:
    # backup.pl
    Creating a backup for McAfee Firewall Profiler 1.5
    Backup was successful, copy the following file off box:
    /var/log/profiler_dhcp _2009_03_15_08:23:24.backup.tgz
3 Copy the resulting backup file from the Firewall Profiler to a safe location.

What is backed up

The following items are backed up:
- Certificates
- User account information, including credentials
- Flow exporters list
- Configuration information, including network settings and values specified in the web interface
- SSH keys

What's next

At this point, you have configured network and user information, activated the Firewall Profiler, and backed up the initial configuration to a safe location. You are now ready to attach the Firewall Profiler to your network with the included 1U server mounting rails and network cable (that you provide). Once the Firewall Profiler is attached to the network, you can:
- Proceed to Appendix B, Installing a McAfee Login Collector if you intend to enable identities collection (highly recommended)
- Proceed to Configuring the Firewall Profiler on page 17 to use the web interface to continue with configuring the Firewall Profiler
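For step 3 of Backing Up a Firewall Profiler above: the archive holds credentials, certificates and SSH keys, so the off-box copy should be owner-only and verifiable later. The shell functions below are an added example, not part of the product; they assume the archive has already been copied to the storage host, and the names store_backup and verify_backup, the colon-to-dash renaming and the .sha256 sidecar file are choices made here.

```shell
#!/bin/sh
# Added example (not McAfee code): store a backup.pl archive off-box with
# owner-only permissions and a recorded SHA-256 digest.

sha256_of() {                 # print the SHA-256 hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# store_backup ARCHIVE DESTDIR  -> prints the stored path on success
store_backup() {
    src=$1
    dest=$2
    case $src in
        *.backup.tgz) ;;
        *) echo "not a backup.pl archive name: $src" >&2; return 2 ;;
    esac
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    # The file name carries a time stamp with ':' in it. GNU tar treats an
    # archive name containing ':' as a remote host unless --force-local is
    # given, so the archive is read from stdin instead.
    tar -tzf - < "$src" >/dev/null 2>&1 || {
        echo "corrupt or truncated archive: $src" >&2
        return 3
    }
    # ':' is also invalid in Windows file names and confuses scp for local
    # paths, so the stored copy uses '-' instead.
    name=$(basename "$src" | tr ':' '-')
    old_umask=$(umask)
    umask 077
    if mkdir -p "$dest" && chmod 700 "$dest" &&
       cp "$src" "$dest/$name" && chmod 600 "$dest/$name" &&
       sha256_of "$dest/$name" > "$dest/$name.sha256"
    then rc=0
    else rc=4
    fi
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return "$rc"
    printf '%s\n' "$dest/$name"
}

# verify_backup STORED_PATH -> 0 if the digest matches and the file is
# readable by its owner only, 1 otherwise, 2 if files are missing
verify_backup() {
    f=$1
    [ -f "$f" ] && [ -f "$f.sha256" ] || return 2
    [ "$(sha256_of "$f")" = "$(cat "$f.sha256")" ] || {
        echo "digest mismatch: $f" >&2
        return 1
    }
    # characters 5-10 of the `ls -l` mode string are the group/other bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || {
        echo "group or world access on: $f" >&2
        return 1
    }
}
```

Keeping the .sha256 file on separate media from the archive makes the digest check meaningful against tampering as well as corruption.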

3 Configuring the Firewall Profiler

Contents
- Record your configuration information
- Getting started quickly
- Reviewing system status
- Enabling identities collection

Record your configuration information

Complete this form so that you have information available when you configure the Firewall Profiler using the web interface.

Data feeds
Note the fully qualified domain names of any McAfee Firewall Enterprises you want to act as data feeds.
  Fully qualified domain names:
Note the IP addresses of any Flow exporters you want to act as data feeds to the Firewall Profiler.
  Flow IP addresses:

McAfee ePO Integration
Note the network information and credentials required for access to an ePO server.
  ePO server IP address and port number:
  User Name and password:

External servers
Note the IP addresses of the following servers you may require to interact with the Firewall Profiler.
  DNS server IP addresses:
  NTP server IP address:
  SNMP server IP address:
  SMTP server IP address:

Identities collection
If you plan to deploy identities collection, you will need the information requested in this section.
Note the credentials required to access Domain Controllers (DCs) on your network.
  DC administrator credentials:
Note the network information for any MLCs on your network. For information on installing MLCs, see Installing a McAfee Login Collector on page 73.
  MLC IP addresses and port numbers:

Getting started quickly

Once you have completed the actions described in Deploying a Firewall Profiler on page 9, you can get started quickly by simply adding data feeds. With McAfee Firewall Enterprises feeding you data, you can get to work with the live data (as described in Working with Live Data on page 29).

1 Log on to the web interface as a user with the Administrator role. If you are starting immediately after deploying the Firewall Profiler as described in Deploying a Firewall Profiler on page 9, the only user account is an Administrator so log on as that user.
2 Click Configuration and then copy the value for Certificate Common Name.
  [Figure 1 Basic section of General tab for Configuration]
  The Certificate Common Name will identify the Firewall Profiler to the McAfee Firewall Enterprise.
3 Define a McAfee Firewall Enterprise as a data feed to a Firewall Profiler. With the Firewall Profiler known to the McAfee Firewall Enterprise, you must next define the McAfee Firewall Enterprise as a data feed so that audit and configuration data can travel to the Firewall Profiler.
  a Log on to the Firewall Profiler web interface, click Operations, and then click the Data Feeds tab.
    [Figure 2 Data Feeds tab for Operations]
  b Click Add and then type the fully qualified domain name of a McAfee Firewall Enterprise.
  c Click Save.
4 Identify the Firewall Profiler to the McAfee Firewall Enterprise.
  a Open the McAfee Firewall Enterprise Admin Console, open Maintenance and then select Profiler.
    [Figure 3 Enabling Profiler communication on a McAfee Firewall Enterprise]
    For more information, see the section on sending configuration and audit data in the chapter on general maintenance tasks of the McAfee Firewall Enterprise Administration Guide.
  b Specify the following:
    Option: Description
    Profiler IP: The IP address of a Firewall Profiler that communicates with this McAfee Firewall Enterprise.
    Profiler common name (CN): The Certificate Common Name for the Firewall Profiler.
    SCP username and password: The user account swcfg is used by the McAfee Firewall Enterprise to access the Firewall Profiler. This user account exists on the Firewall Profiler and you provide the password during the configuration phase of the Firewall Profiler installation. Ensure that the password you provide here is the same as the one you specified on the Firewall Profiler. For more information, see Gathering User Account Information on page
5 Click Live Data to display the Live Data interface (Figure 4).
  [Figure 4 Live Data page]
6 Click in the trend graph at the top and select a time frame.
  [Figure 5 Select a time frame]
7 Experiment with the WHO, WHAT, and WHERE filters to change what is shown in the event trend bubble chart. These filters and more, including how to compare time frames, are described in detail beginning at Working with Live Data on page
8 Proceed to Reviewing system status on page 20 to verify your Firewall Profiler is behaving as expected.

Reviewing system status

You can use the System Status tab (available when you click Operations) to verify the appropriate components are running as expected. Look for components that may have a status of DOWN (the System Status title bar shows DOWN if any component has a status of DOWN). You can click on the Status column to sort by status.

Figure 6 System status

Note: Configuration changes restart system components, so you should wait a few minutes after making changes before you look for status changes on the System Status tab.

Following is a table of components that you may want to review:

Table 6 System components

This system component...: Reports on the status of...
Firewall Policy Status {FPstat}: Firewall Profiler receiving configuration information from configured McAfee Firewall Enterprises. After adding a McAfee Firewall Enterprise as a data feed and identifying the Firewall Profiler to the McAfee Firewall Enterprise, you should see the name of the McAfee Firewall Enterprise as the DataSourceName value, and a recent time stamp for the ChangeDate value. This confirms that the McAfee Firewall Enterprise and the Firewall Profiler are communicating properly.
AuditLog Information {ALInfo}: Firewall Profiler receiving audit log information from configured McAfee Firewall Enterprises.
Flow Information {FInfo}: Firewall Profiler is receiving information from configured flow exporters.
IAM Service {iasvc}: Identities collection.
Logon Acquisition Manager {lam}: Identities collection with respect to MLCs.
Logon Flow {logons}: Receiving logon events from connected Domain Controllers.
License {lic}: Activation and license registration.
System Performance {perf}: Output from top.
Version {ver}: Software version of the Firewall Profiler.

For choices on where to proceed from here, see What's next on page

Enabling identities collection

To enable identity collection for a Domain, follow these steps (which are described in further detail in subsequent parts of this section):

1. Define the DNS server(s) and NTP server
2. Collect the certificate common name and hash values
3. Install and configure a McAfee Login Collector
4. Define the identities address space
5. Encrypt credentials for domains
6. Add a domain to the Firewall Profiler

Note: It is assumed you are starting from the point of at least already configuring and activating the Firewall Profiler (as described in Deploying a Firewall Profiler on page 9) and that you have already completed the tasks described in Getting started quickly on page 18. Therefore, as shown in Figure 7, you have a McAfee Firewall Enterprise configured as a data feed and able to communicate with the Firewall Profiler, and you have Domain Controllers and at least one DNS waiting to be connected.

Figure 7 Installed and activated Firewall Profiler

Define the DNS server(s) and NTP server

1. Log on to the Firewall Profiler web interface.

2. Click Configuration.

3. Type the IP addresses of the DNS and NTP servers you want to use. You can specify multiple DNS servers by separating their IP addresses with a comma. The DNS servers you specify must be authoritative for the Domains you define.

Figure 8 Servers section of General tab for Configuration

4. Review Enabling identity collection progress with DNS on page 22 and then proceed to Collect the certificate common name and hash values on page 22.

Enabling identity collection progress with DNS

You have now defined the IP address for the DNS server on the installed and activated Firewall Profiler.

Figure 9 Installed Firewall Profiler with DNS server defined

Collect the certificate common name and hash values

1. Log on to the Firewall Profiler web interface.

2. Click Configuration and then copy the values for Certificate Common Name and Certificate Hash.

Figure 10 Basic section of General tab for Configuration

You use the Certificate Common Name and Certificate Hash to identify the Firewall Profiler to a McAfee Login Collector (see McAfee Login Collector configuration remote tab on page 23).

3. Proceed to Install and configure a McAfee Login Collector.

Install and configure a McAfee Login Collector

For complete information on installing and activating the Firewall Profiler, see Appendix B, Installing a McAfee Login Collector.

When you install a McAfee Login Collector, you have the option to configure it at that time. You can also configure it at any time. For more information, see Configuring the MLC on page 75. The Remote tab is duplicated here for convenience.

McAfee Login Collector configuration remote tab

Use the Remote tab of the McAfee Login Collector Configuration window to identify Firewall Profilers.

Figure 11 Remote tab of McAfee Login Collector Configuration

1. Ensure Certificate Hash is selected for Certificate Checking in the Client Connection section of the Configuration tab.

2. Type the Certificate Common Name into the Common Name field and type the Certificate Hash into the Certificate Hash field on the Remote tab.

3. Click OK to commit the information, or click Cancel to quit without saving. Changes are also committed if you click the Configuration tab.

4. Review Enabling identities collection progress with MLC and then proceed to Define the identities address space.

Enabling identities collection progress with MLC

You now have a McAfee Login Collector integrated as part of the system.

Figure 12 Installed and configured McAfee Login Collector

Define the identities address space

The Identities Address Space feature enables you to constrain the set of IP addresses within which the Firewall Profiler will collect and establish identities. You can specify only those areas of your network that are critical for reporting with identities. By constraining the realm of identity collection, you can also avoid stressing your system from trying to establish identities for non-network IP addresses, such as those from the Internet. By default, there are no constraints on identity collection. For more information, see Identities Collection on page 48.

To define the Identities Address space:

1. Click Configuration and then click Identities Address Space in the Identities Configuration section.

Figure 13 McAfee Firewall Enterprise and Firewall Profiler connected

2. Click Add IP Range and then specify an IP address range. Repeat this step for as many IP address ranges as you want to define from which identities are collected.

3. Click Save.

4. Proceed to Encrypt credentials for domains.

Encrypt credentials for domains

As a security measure, you may want to require that the credentials you supply for domains are encrypted on the Firewall Profiler. When credentials are encrypted, the Firewall Profiler must decrypt them to use them to connect to a Domain Controller. This has the effect of also requiring the passphrase whenever you attempt to add, remove, or edit a domain in the web interface because Firewall Profiler must access the encrypted credentials file to perform those actions.

Figure 14 McAfee Firewall Enterprise and Firewall Profiler connected

For more information, see Domains on page

Add a domain to the Firewall Profiler

Configuring a domain on the Firewall Profiler involves the following:

- Add a Domain. This is described in this section.
- Add a McAfee Login Collector to the domain on page 26
- Assign a McAfee Login Collector to watch a Domain Controller within the domain on page 26

To add a Domain:

1. Log on to the Firewall Profiler web interface.

2. Click Configuration and then click the Domains tab.

Figure 15 Domains tab for Configuration

3. Click Add Domain and then specify the necessary information. You must supply the appropriate credentials for managing domains if you are prompted. See Encrypt credentials for domains on page 24.

Figure 16 Adding a domain

Table 7 Domain properties

Option: Description
Domain Name: Name of the domain you are adding to Firewall Profiler.
User Name and password: Credentials required to log in to the Domain Controller managing the domain. Ensure you supply the proper credentials for logging on to the Domain Controller. For more information, see Verifying the domain credentials on page 64.

Note: For information on ensuring you are using the correct credentials, see Verifying the domain credentials on page 64. The Domain Controllers must be logging Security events.

4. Click Save. Firewall Profiler automatically progresses to the MLC tab.

5. Proceed to Add a McAfee Login Collector to the domain.

Add a McAfee Login Collector to the domain

For the specified Domain, you must identify the McAfee Login Collector that provides logon information. For information about installing a McAfee Login Collector, see Appendix B, Installing a McAfee Login Collector. To start, you should add just a single MLC.

1. Click Add MLC.

Figure 17 Adding an MLC

2. Specify a name, IP Address and Port number. The MLC name is an arbitrary label you provide for use in Firewall Profiler; you can obtain the IP address and port number from the MLC itself.

3. Click Save and then accept the certificate for the MLC. Firewall Profiler automatically progresses to the Domain Controllers tab (described in Assign a McAfee Login Collector to watch a Domain Controller within the domain).

Assign a McAfee Login Collector to watch a Domain Controller within the domain

For the specified Domain, you must assign an MLC to watch a particular Domain Controller.

Note: When you add the Domain, Firewall Profiler determines which Domain Controllers are available so that they appear automatically.

To assign an MLC to watch a Domain Controller:

1. Click a Domain Controller.

Figure 18 Assigning an MLC to watch a DC

2. Click Select... in the Watch From MLC column and then select an MLC.

3. Click Save.

You now have identities collection enabled for a domain on the Firewall Profiler. Proceed to Ranking preferred user groups.

Figure 19 Identities collection completed diagram

Ranking preferred user groups

With identities collection enabled, you may find that the user groups you see being reported on in the Live Data pages are not what you would like to see. By default, Firewall Profiler assigns a user to a group based on the groups the user is assigned to in the Active Directory and then by a formula that determines the number of active users in those groups. The user is assigned to the group with the fewest active users. You can change this default ranking by creating a list of preferred groups and then ranking them in the order that provides the results you want.

To alter the ranking of user groups:

1. Log on to the web interface as either an Administrator or an Operator.

2. Click Reporting and then Preferred Groups.

Figure 20 Preferred Groups ranking

3. Select groups from the Available Groups list and then click the left arrows button.

4. Click a group in the Preferred Groups list and then click the up button.

5. Use the Up and Down buttons to move user groups within the Preferred Groups list, and add or remove user groups using the left and right arrows buttons. Remember to click Save when you are finished ranking user groups. Your changes are not committed until you click Save.

6. See What's next on page 28 for a choice of activities to pursue next.

What's next

Following are some of the things you may want to do next:

- If you have not already done so, verify your Firewall Profiler is behaving as expected as described in Reviewing system status on page 20.
- For instructions on how to configure identities collection, see Enabling identities collection on page 21.
- For a reference of the Live Data web interface, see Working with Live Data on page 29.
- For a reference of the managing and configuring elements of the web interface, see Managing the Firewall Profiler on page 41.

Following are some examples of management tasks you may want to do:

For information on this...: See...
Adding flow exporters as data feeds: Flow on page 46
Adding Reporters: Adding a Reporter on page 57
Configuring access to an ePO server: ePO on page 55
Utilizing alerts: Alerts on page 49 and Servers on page 48
Creating operator accounts: Adding a new user on page

4 Working with Live Data

Contents

- Live Data page
- Live Data interface
- Viewing the remediation summary
- Viewing the remediation details

Live Data page

The Live Data page enables you to visualize firewall actions in real-time so that you can quickly address the fundamental question of whether or not a network access problem is caused by the firewall.

Figure 21 Live Data page

The presentation of McAfee Firewall Enterprise audit data in the Live Data page provides:

- A view of the current firewall state, enabling situational awareness
- A summarization of firewall actions with a high level of abstraction for root cause analysis
- Compare mode for viewing trends in firewall actions (allows and denies) and changes in volume
- Presentation of and analysis on Flow data (NetFlow v5 and v9, JFlow)

Further delving into the Remediation Summary and Remediation Details pages provides:

- A presentation of firewall audit details that are most relevant to troubleshooting access problems
- On-demand query of firewall rule sets to enhance context for analysis

Live Data interface

When you first log on to the Firewall Profiler web interface, you are presented with the Live Data page viewing data from the first data feed (if any are defined) in alphabetical order.

Figure 22 Live Data interface

Following are the means with which you can work with the available data (see Figure 22 for locations of these items on the Live Data page):

Use this...: To do this...
1 Data feed selector: View data from different feeds. See Selecting a data feed on page
2 Notification of logged on status: Determine to which Firewall Profiler you are logged on, and as what user account. The Firewall Profiler name is specified in Basic on page
3 Buttons and links for managing: Manage and configure the Firewall Profiler (see Firewall Profiler web interface for managing on page 41).
4 Selected time frame status message: View the message indicating the currently selected time frame, and, if applicable, the time frame being compared.
5 Live Data view selector: Toggle between the bubble chart view (shown in Figure 22) and the Remediation Summary view (shown in Figure 38) for the available data. See Viewing the remediation summary on page
6 Bubble chart: Determine what is happening on the network (see Reading event trends on page 36).
7 More available indicators: See more items in the row or column. For example, click the arrow to see more sources (WHO), or more sources for a particular destination (WHERE), or more destinations for a particular source.
8 Bubble chart legend: Analyze the bubbles in the bubble chart. The bubble sizes and colors indicate the nature of the trends in the network traffic. See Reading event trends on page
9 WHO, WHAT and WHERE filters: Narrow your view of the available data based on the selected criteria. See Filtering on WHO (source) on page 32, Filtering on WHAT (services) on page 33, and Filtering on WHERE (destination) on page
10 Trend chart details: View allows and denies, along with firewall policy change indicators, for the time frame selected from the trend chart. See Viewing trend chart details on page
11 Comparison selector: Compare two time frames to determine the nature of any trends occurring in network traffic. For example, a surge of denies, or disappearing traffic. See Comparing time frames on page
12 Trend chart: View allows and denies charted from all available data, up to fourteen (14) days plus one hour, and select a time frame for viewing in the trend chart details. See Selecting a time frame on page

Selecting a data feed

The first action to take on the Live Data page is to select a data feed. For information on defining data feeds, see Data feeds on page 44 and Flow on page 46.

Figure 23 Data feed selector

Click on the drop-down list and then select a data feed. The Live Data page updates based on available data for that feed.

Selecting a time frame

With a data feed selected, you should select a time frame in the trend chart. By default, the selected time frame is seventy-two (72) hours plus whatever part of the current hour is available.

Note: All time stamps are normalized to UTC when events are received on the Firewall Profiler from a McAfee Firewall Enterprise. You are always looking at your own local time regarding events in the web interface.

Figure 24 Trend chart

To select a time frame, click anywhere in the trend chart and the Select Time Frame window displays.

Figure 25 Select Time Frame window

Viewing trend chart details

The currently selected time frame is displayed in the trend chart details below the filters.

Figure 26 Trend chart details

The granularity of the trend chart details depends on how much time is selected in the trend chart. If the time frame you select is less than or equal to forty-eight (48) hours, you can move the mouse over the selected area and see the number of allows and denies for five (5) minute increments.

Figure 27 Mouse over increments

For selected time frames that are greater than forty-eight hours, the increments are one (1) hour.

McAfee Firewall Enterprise rule change indicators

In the trend chart details, rule changes are indicated by light blue lines. If you hold the mouse cursor over the light blue line, the time of the rule change is displayed below the bottom chart line. You know you are over a rule change indicator because you only see the date and time and not the number of allows and denies. You can use this information to narrow your time frame selection around a rule change.

Figure 28 Trend chart details displaying rule change indicators

Using the WHO, WHAT, and WHERE filters

To get the most out of the WHO, WHAT and WHERE filters, you should have some kind of starting point from which you want to search for more specificity in the available data. For example, do you know if a particular source (WHO) is having difficulties, or maybe a destination (WHERE) that is causing issues?

Figure 29 WHO, WHAT, and WHERE filters

Using the filters, you can narrow the scope of the available data. Not all filter options create an immediate impact on the view of the data. Some, such as IP Address for WHO and WHERE, may not be readily apparent until you view the Remediation Summary or Remediation Details pages.

Note: The values you specify for these filters remain in effect when you click on a bubble to view the Remediation Summary page.

Filtering on WHO (source)

The WHO filter enables you to narrow your search for the source of a network event. The Reporter and Firewall Object options for this filter directly affect the view of data on the Live Data page and the change is immediately apparent because the content of the WHO column changes to reflect your selection. The User Name and User Group options also directly affect the view of data, if you have identities collection enabled (see Enabling identities collection on page 21). When you filter on IP Address, it is not immediately apparent because there is no view of IP Addresses on the bubble chart. The data, however, is still constrained by the filter and only those IP addresses that qualify are visible when you view the Remediation Summary or Remediation Details pages.

Select an option from the drop-down list, type a value and then press Enter or click Search. Ensure you have the desired filter option selected when you specify a value for the filter. If you find that you are not seeing what you expect, it may be because you have entered a value that is not appropriate for the filter option that is currently selected.

Figure 30 WHO filter

Option: Description
User Name: Provides results only when identities collection is enabled. The name of a user retrieved from the Active Directory.
User Group: Provides results only when identities collection is enabled. The name of a user group retrieved from the Active Directory.
Reporter: The name of a Reporter. Reporters can be defined (see Adding a Reporter on page 57) or synthetic (in the case of Flow; see Flow on page 46).

Option: Description
Firewall Object: Provides results only when a McAfee Firewall Enterprise is selected as a data feed.
IP Address: Any IP Address. Note that WHO items of the form N.N.N.x, where N is a one to three digit number, are actually synthetic Reporters created by Firewall Profiler. You may want to consider creating Reporters that contain those IP addresses rolled up into the synthetic Reporters.

Filtering on WHAT (services)

The WHAT filter enables you to narrow your search for information by filtering on the port number or service involved. This filter directly affects the view of data on the Live Data page and the change is immediately apparent because the content of the What box changes to reflect your selection.

Select an option from the drop-down list, type a value and then press Enter or click Search. Ensure you have the desired filter option selected when you specify a value for the filter. If you find that you are not seeing what you expect, it may be because you have entered a value that is not appropriate for the filter option that is currently selected.

Figure 31 WHAT filter

Option: Description
Port: Port number for a network application.
Service: Name of a network service.

Filtering on WHERE (destination)

The WHERE filter enables you to narrow your search for the destination of a network event. The Reporter and Firewall Object options for this filter directly affect the view of data on the Live Data page. When you filter on IP Address, it is not immediately apparent because there is no view of IP Addresses on the bubble chart. The data, however, is still constrained by the filter and only those IP addresses that qualify are visible when you view the Remediation Summary or Remediation Details pages.

Select an option from the drop-down list, type a value and then press Enter or click Search. Ensure you have the desired filter option selected when you specify a value for the filter. If you find that you are not seeing what you expect, it may be because you have entered a value that is not appropriate for the filter option that is currently selected.

Figure 32 WHERE filter

Option: Description
Reporter: The name of a Reporter. Reporters can be defined (see Adding a Reporter on page 57) or synthetic (in the case of Flow; see Flow on page 46).
Firewall Object: The name of an object as defined on the McAfee Firewall Enterprise selected as a Data Feed.
IP Address: Any IP Address. Note that WHERE items of the form N.N.N.x, where N is a one to three digit number, are actually synthetic Reporters created by Firewall Profiler. You may want to consider creating Reporters that contain those IP addresses rolled up into the synthetic Reporters.

Comparing time frames

The compare feature enables you to compare the selected time frame with an equivalent previous time frame. This can help you determine whether there is an issue with network behavior. You can quickly determine whether there is:

- a trend toward allowed traffic, perhaps indicating a new influx of network users or maybe a firewall rule that is too lax or incorrect and therefore not in place
- a trend toward denied traffic, perhaps indicating an overly aggressive firewall rule, or a change in an application
- a sudden change in network traffic, perhaps indicating that an application is down or was moved

Selected time frames and comparison options

Only those compare buttons that are applicable are enabled when you select a time frame. For definitions on the compare buttons, see Table 8.

When this amount of time is selected...: You can compare to this...
Greater than twenty-four hours: Week
Exactly twenty-four hours: Week and Day
Less than twenty-four hours: Week, Day, and Hour
Any number of hours plus a number of minutes less than sixty: The same number of hours. Selected time frames are rounded back to the previous hour. For example, if the current time is 4:53pm and you select 2:00pm to Current time, and then select the Hour compare button, you will compare to 12:00pm to 2:00pm.

To compare one time frame to another:

1. Open the Select Time Frame window by clicking somewhere in the trend chart.

Figure 33 Select Time Frame window

2. Specify a beginning and ending time frame by clicking the drop-down lists and selecting the appropriate values.

3. Select a COMPARE option (Figure 34 on page 35). Only those options that are applicable for the currently selected time frame are functional (see Compare button definitions on page 35).

Figure 34 Compare options

Table 8 Compare button definitions

Option: Description
Week: Compares the current time frame selection to the same time frame from one week previous, if there is enough data available. For example, if you select a time frame of 8:00am to 1:00pm on Wednesday, April 8 and then click Week, you are comparing data to 8:00am to 1:00pm on Wednesday, April 1.
Day: Compares the current time frame selection to the same time frame from one day previous, if there is enough data available. For example, if you select a time frame of 8:00am to 1:00pm on Wednesday, April 8 and then click Day, you are comparing data to 8:00am to 1:00pm on Tuesday, April 7. This option is functional only if the selected time frame is twenty-four (24) hours or less.
Hour: Compares the current time frame selection to the same time frame immediately available, if there is enough data available. For example, if you select a time frame of 2:00pm to 7:00pm on Wednesday, April 8 and then click Hour, you are comparing data to 8:00am to 1:00pm also on Wednesday, April 8. In other words, think of the Hour compare function as a mirror; whatever number of hours are available in the selected time frame are included in the comparison going back from the starting point of the selected time frame. A five hour time frame is compared to the five hours immediately preceding. Time is always rounded down to the hour for the purposes of comparing. For example, if the current time is 4:53pm and you select 2:00pm to Current time, and then select the Hour compare button, you will compare to 12:00pm to 2:00pm. This option is functional only if the selected time frame is less than twenty-four (24) hours.
None: The default selection None means you are looking at the currently selected time frame only (see Figure 22).

4. View the resulting bubble chart graph to determine what trends, if any, have transpired between the two time frames. By holding your mouse cursor over a bubble, you can view the differences in allows and denies between the two times.

Figure 35 Mouse-over a bubble

Note: You can verify that you are comparing the desired time frames by reviewing the selected time frame status message:

Figure 36 Selected time frame status message

5. Continue to refine your comparison or proceed to view the remediation summary by clicking a bubble or the Remediation Summary view from the Live Data view selector.

Note: When you click a bubble, both the WHO and WHERE filters are populated.
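The compare rules above (which buttons apply, rounding back to the hour, and the Week, Day and Hour windows) can be worked through in code. This is an added example, not code from the product or the guide: the function names, the reading of "enough data available" as a check against the oldest stored event, and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
WEEK = timedelta(weeks=1)


def round_to_hour(ts):
    """Round a timestamp back to the start of its hour (the guide's rounding rule)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def compare_options(start, end):
    """Return the compare buttons that apply to the selected time frame."""
    span = round_to_hour(end) - round_to_hour(start)
    if span <= timedelta(0):
        raise ValueError("selected time frame must span at least one whole hour")
    options = ["Week"]
    if span <= DAY:          # Day: twenty-four hours or less
        options.append("Day")
    if span < DAY:           # Hour: less than twenty-four hours
        options.append("Hour")
    return options


def comparison_window(start, end, option, earliest_data=None):
    """Return (start, end) of the earlier time frame the selection is compared to."""
    start, end = round_to_hour(start), round_to_hour(end)
    if option not in compare_options(start, end):
        raise ValueError(f"{option} compare is not available for this time frame")
    # Week and Day shift by a fixed amount; Hour mirrors the selection backwards.
    shift = {"Week": WEEK, "Day": DAY, "Hour": end - start}[option]
    before = (start - shift, end - shift)
    # Assumption: "enough data available" means the earlier frame starts no
    # earlier than the oldest stored event.
    if earliest_data is not None and before[0] < earliest_data:
        raise ValueError("not enough data available for this comparison")
    return before


def count_actions(events, start, end):
    """Count allows and denies with start <= timestamp < end."""
    counts = {"allow": 0, "deny": 0}
    for ts, action in events:
        if start <= ts < end:
            counts[action] += 1
    return counts


def compare_frames(events, start, end, option, earliest_data=None):
    """Before/now allow and deny counts, as shown when hovering over a bubble."""
    before_start, before_end = comparison_window(start, end, option, earliest_data)
    now = count_actions(events, round_to_hour(start), round_to_hour(end))
    before = count_actions(events, before_start, before_end)
    return {"before": before, "now": now,
            "deny_change": now["deny"] - before["deny"]}


def constructed_events():
    """Constructed sample data: steady allows, with denies starting at 14:00 UTC."""
    base = datetime(2009, 4, 8, 12, 0, tzinfo=timezone.utc)
    events = []
    for minute in range(0, 240, 5):           # 12:00 to 15:55, every 5 minutes
        ts = base + timedelta(minutes=minute)
        events.append((ts, "allow"))
        if minute >= 120 and minute % 10 == 0:
            events.append((ts, "deny"))
    return events


if __name__ == "__main__":
    # The guide's example: current time 4:53pm, selection 2:00pm to current time.
    now = datetime(2009, 4, 8, 16, 53, tzinfo=timezone.utc)
    selected_start = datetime(2009, 4, 8, 14, 0, tzinfo=timezone.utc)
    print(compare_options(selected_start, now))
    print(comparison_window(selected_start, now, "Hour"))
    print(compare_frames(constructed_events(), selected_start, now, "Hour"))
```

A rise in `deny_change` right after a rule change indicator is the kind of trend the comparison view is meant to surface.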

Reading event trends

When you first select a time frame (see Selecting a time frame on page 31), the Live Data bubble chart view displays the current traffic results. You can see the current bandwidth, number of allows and number of denies by holding the mouse cursor over a bubble. For example:

When you compare two time frames (see Comparing time frames on page 34), the bubble details change to display both before and now data. For example:

Bubbles tend to change color and size when you view data while comparing two time frames. The meaning of the bubbles is always shown in the bubble chart legend (as seen in Figure 22 on page 30). Following are examples of the available bubble types.

Figure 37 Bubble examples

When comparing time frames, you are typically looking for meaningful changes in trends. For example, you want to know when there is a sudden increase in Denies in events, or maybe a sudden drop in events. The bubble chart always displays what is occurring with network events for the selected time frame. When you are comparing, the bubble type indicates what has happened with events relative to the compared time frame.

For example, you could narrow your view of the data to a specific set of users and a specific system. By comparing your current time frame with a previous time frame, you could see from the bubble type whether something occurred that should have your interest. A large bubble in the comparison view would indicate that relative to the previous time frame, there has been an increase in the number of events. A dark orange color would further indicate that the trend is heavily toward denies. This increase in the number of events, and the increase of those events being denies may indicate a problem that requires your attention. For example, if there was recently a firewall policy change, there may be a problem with the rule that was introduced or changed. You can click on the bubble to see the Remediation Summary page (see Viewing the remediation summary on page 37) and then from that the Remediation Details page (see Viewing the remediation details on page 38) to determine the nature of the problem.

Viewing the remediation summary

To view the current data as a table, click the Remediation Summary selector from the Live Data view selector. The Remediation Summary page presents a quick summary of events: whether the event was allowed or denied, the source and destination, the application involved, a count of connections, and the root cause and rule name (supplied by the McAfee Firewall Enterprise currently selected as the data feed).

You can also change to the Remediation Summary page by clicking a bubble in the bubble chart. In this case, the WHO and WHERE filters are populated with the values taken from the intersection of the bubble you clicked. The resulting view of the data is shown in Figure 38. Any values you specified for the WHO, WHAT, or WHERE filters are honored in the resulting data even if, as with specifying an IP address for WHO, it was not immediately obvious when viewing the bubble chart.

You can review, in the title bar area of the Remediation Summary table, what filtering was applied to the data when you clicked on the bubble (labeled as Filtering from Bubble). For example, for Source, you can see whether it was a Reporter or a User Group. Note that only one What filter (from the list next to the WHO column of the bubble chart) is active, and it is identified by the label Application.

To return to the bubble chart view, click the bubble chart selector from the Live Data view selector. Your view of the data for the bubble chart is the same as before you clicked the bubble, enabling you to drill down again by clicking a different bubble. To remain on the Remediation Summary page, but remove any filtering that was applied by clicking on a bubble, click the Clear Bubble Filter button.

Figure 38 Remediation Summary page

Table 9 Remediation Summary page fields

Option: Description
Details: Click the Details icon to view the Remediation Details page (see Viewing the remediation details on page 38).

For descriptions of the rest of these fields, see Remediation Details page fields on page 38.

To sort a column, click on it. Clicking again toggles between sorting in ascending or descending order. Use the scroll bar on the right, and the paging function along the bottom to navigate multiple pages of data.

38 Viewing the remediation details

On the Remediation Summary page (see Viewing the remediation summary on page 37), click the Details icon to view the Remediation Details page.

You can review, in the title bar area of the Remediation Details table, what filtering was applied to the data when you clicked on the bubble. For example, for Source, you can see whether it was a Reporter or a User Group. The filtering details from the bubble are removed when you click the Clear Bubble Filter button on the Remediation Summary page.

Figure 39 Remediation Details page

Table 10 Remediation Details page fields
Option | Description
Details | Click Back to return to the Remediation Summary page.
Action | Visible for McAfee Firewall Enterprise data feeds only. Specifies whether the action was Allowed or Denied. When the action is Denied, you can review the values for Root Cause and Rule Name to investigate why the traffic was denied.
Source | The source (or WHO, to Firewall Profiler) for the network event.
Application | The name of the service involved in the network event.
Destination | The destination (or WHERE, to Firewall Profiler) for the network event.
Root Cause | Visible for McAfee Firewall Enterprise data feeds only. The root cause for the traffic being denied, taken from the data received from the McAfee Firewall Enterprise. There is no value for this option when the action is Allowed. Possible values for Root Cause are: General Attack, Application Defense violation, URL filter by SmartFilter, Denial of Service Attack, Buffer Overflow Attack, Protocol Violation, Signature-based IPS, SPAM, Virus, TrustedSource: Bad Reputation, Policy Violation: Improper Source, Service or Destination, Policy Violation: IPFilters, Policy Violation: User Failed auth to Firewall, Policy Violation, and NetProbe. For more information on these, see your McAfee Firewall Enterprise (Sidewinder) documentation. Note that for NetProbe there is no corresponding rule name.

39 Table 10 Remediation Details page fields (continued)
Option | Description
Rule Name | Visible for McAfee Firewall Enterprise data feeds only. The name of the McAfee Firewall Enterprise rule that caused the Action. Click the rule name to display the rule definition. If the Rule Name contains angle brackets (< >), it is an implicit rule generated by the McAfee Firewall Enterprise. There is no rule definition to display.
Count | The number of connections involved in the network event.
Source User | If available, the name of the user associated with the source IP address. Identities collection must be enabled for Source User to contain a value.
Source Reporter | The name of the Reporter that contains the Source Burb, Source Firewall Object or Source IP. If the Reporter is user-defined, you see that name. Otherwise, you see the Source Burb or Source Firewall Object (for McAfee Firewall Enterprise data feeds only). If you do not have a user-defined Reporter, or Burb, or Firewall Object that contains the IP address, a synthetic Reporter is created that acts as a default IP address aggregation. For information on Reporters, see Reporters on page 56.
Source Firewall Object | Visible for McAfee Firewall Enterprise data feeds only. The name of the Firewall Object, if one exists, identified as the source of the network event.
Source IP | The IP address of the source of the network event. If you have configured an ePO server (see ePO on page 55), you can click the IP address to see host profile information. If you do not have an ePO server configured, and you click the IP address, you see a message indicating that this Firewall Profiler is not configured for ePO. If the ePO agent is not installed on the host that corresponds to this IP address, and you click the IP address, you see a message that the host IP address is not managed by ePO.
Source Burb | Visible for McAfee Firewall Enterprise data feeds only. The name of the Burb, if one exists, that contains the IP address identified as the source of the network event. A Burb is a logical division of network spaces. For more information, see your McAfee Firewall Enterprise (Sidewinder) documentation.
Destination Firewall Object | Visible for McAfee Firewall Enterprise data feeds only. The name of the Firewall Object, if one exists, identified as the target of the network event.
Port | The port number of the Application.
Destination IP | The IP address of the destination of the network event. If you have configured an ePO server (see ePO on page 55), you can click the IP address to see a host profile (as shown for Source IP).
Destination Burb | Visible for McAfee Firewall Enterprise data feeds only. The name of the Burb, if one exists, identified as the destination of the network event. A Burb is a logical division of network spaces. For more information, see your McAfee Firewall Enterprise (Sidewinder) documentation.
Total Bytes | Total byte count for the network traffic consumed by the network event.
Count | The number of connections involved in the network event.


41 5 Managing the Firewall Profiler

Contents
Firewall Profiler web interface for managing
System logon indicator
Operations
Configuration
Reporting
Preferences

Firewall Profiler web interface for managing

You use links and buttons (Figure 40) to access operations and configuration features that enable you to manage the Firewall Profiler.

Figure 40 Firewall Profiler web interface managing buttons and links

These items, visible in the upper right-hand corner of the Firewall Profiler web interface (as highlighted in Figure 41), are described in further detail in this chapter.

Figure 41 Firewall Profiler web interface

System logon indicator

The system logon indicator area (Figure 42) informs you to which Firewall Profiler you are logged on and as what user.

Figure 42 Firewall Profiler web interface system logon indicator

For example, the screen capture in Figure 42 indicates that you are logged on to the Firewall Profiler Profiler as the user administrator.

42 Operations

From the Operations button, you have access to functions that affect how your Firewall Profiler operates. Both Administrators and Operators (see User Roles) can access the tabs available from this button.

On this tab... | You can...
System status | View the status of the Firewall Profiler components.
Logs | Download Firewall Profiler log files (including DME, at the direction of technical support).
Data feeds | Add McAfee Firewall Enterprise systems as data feeds.
Flow | Add Flow exporters as data feeds.

System status

On the System Status window, you are able to see in which of four states the components of a Firewall Profiler are: up, down, stopped, or warning.

This symbol... | Indicates...
up | The component is up and running.
down | The component is down. Note that normal functionality may be available, even when a component is down. The System Status title bar displays DOWN when any component has a status of DOWN.
stopped | The component has been stopped. This status appears most often when a component is restarting.
inactive | The component is not currently enabled.
warning | There is a potential problem, for example, disk space is running low.

Figure 43 System Status displaying UP and DOWN components

43 Logs

On the Logs window, Operators and Administrators can download log files for offline viewing and analysis. You can open and view a log file with any text editor such as Microsoft Notepad. There are two types of logs:

- User logs contain recorded user activity from the web interface, enabling you to monitor user activity. The user log records, in chronological order, all user activity initiated in the web interface that alters the Firewall Profiler configuration.
- Application logs contain information to enable you to assess application errors. The application logs are standard Linux logs, with the exception of svstrace. The svstrace log records Firewall Profiler activity, and is used for application diagnosis.

Figure 44 Logs

For User Logs and Application Logs, select a log file from the drop-down list and then click Download. Once the file is downloaded, you can open it in a text editor.

To download a log bundle, select a time frame from the drop-down list and then click Download. Select from:

- Today: This option provides all log files from midnight of the current day to the present time.
- From yesterday: This option provides all log files from midnight up to 11:59PM of the previous day.
- From last N days, where N is a number from 2 to 7: This option provides all log files from midnight of the Nth day up to 11:59PM of the previous day.

Note: DME is a proprietary format that compacts connection data into a file, and is an alternative to storing complete packet data (such as in a DMP file). A DME file contains identity mappings and is 50 to 100 times smaller than a DMP file (due in part to dropping the data payload). Enabling DME will adversely impact performance of the Firewall Profiler. Do not enable this feature (see Enable DME on page 47) unless directed to by McAfee Technical Support.

44 Data feeds

On the Data Feeds window, you add McAfee Firewall Enterprises as data feeds. Your Firewall Profiler must be activated (see Activating a Firewall Profiler in Chapter 2, Deploying a Firewall Profiler) and you must identify the Firewall Profiler to any McAfee Firewall Enterprises you want to add as data feeds.

Note: For information on adding flow exporters, see Flow.

Figure 45 Data feeds

Adding a data feed

To add a new McAfee Firewall Enterprise data feed:

1. Ensure you have followed the instructions in Establishing a connection between a McAfee Firewall Enterprise and a Firewall Profiler so that the McAfee Firewall Enterprise you add as a data feed can communicate with the Firewall Profiler.
2. Click Add on the Data Feeds tab.
   Figure 46 Data Feeds tab Add a data feed
3. Type the fully qualified domain name of a McAfee Firewall Enterprise.
   Note: Ensure you know the valid, fully qualified domain name of the McAfee Firewall Enterprise you are adding. The Firewall Profiler does not verify the validity or existence of the McAfee Firewall Enterprise from the Data Feeds tab.
4. Click Save.
5. Repeat these steps for each McAfee Firewall Enterprise you want to add as a data feed.

Deleting a data feed

To delete a McAfee Firewall Enterprise from the data feed list, click the name of the data feed and then click Delete.

45 Establishing a connection between a McAfee Firewall Enterprise and a Firewall Profiler

For a McAfee Firewall Enterprise to act as a data feed to a Firewall Profiler, the McAfee Firewall Enterprise must be configured to communicate with the Firewall Profiler.

To identify the Firewall Profiler to a McAfee Firewall Enterprise:

1. Log on to the Firewall Profiler web interface.
2. Click Configuration and then copy the value for Certificate Common Name from the Basic section.
   Figure 47 Basic section of General tab for Configuration
3. Log on to the McAfee Firewall Enterprise Admin Console.
4. Open Maintenance and then select Profiler as shown.
   Figure 48 Enabling Profiler communication on a McAfee Firewall Enterprise
   For more information, see the McAfee Firewall Enterprise Administration Guide.
5. Specify the following:

Option | Description
Profiler IP | The IP address of a Firewall Profiler that communicates with this McAfee Firewall Enterprise.
Profiler common name (CN) | The Certificate Common Name for the Firewall Profiler.
SCP username and password | The user account swcfg is used by the McAfee Firewall Enterprise to access the Firewall Profiler. This user account exists on the Firewall Profiler and you provide the password during the configuration phase of the Firewall Profiler installation. Ensure that the password you provide here is the same as the one you specified on the Firewall Profiler. For more information, see Gathering User Account Information of Record your initial configuration responses in Chapter 2, Deploying a Firewall Profiler.

46 Flow

You can configure a Firewall Profiler to receive flow from a specific list of IP addresses, or you can leave the list blank and accept flow from any IP address.

For Flow as a data feed, if Firewall Profiler determines that an IP address is not covered by a Reporter, it creates a Reporter. For example, if there is flow data with an IP address range of to , but there are no Reporters that cover it, Firewall Profiler creates a synthetic Reporter for the IP address range x.

Figure 49 Flow Exporters configuration

To add a new flow exporter, click Add, type the IP address, and then click Save. You can add as many flow exporters as you want.

To delete a flow exporter, click the IP address and then click Delete. You are prompted to confirm the deletion.

Flow exporter requirements

Use the following guidelines when determining which routers or switches you want to define as flow exporters to Firewall Profiler:

- Juniper network device capable of sending JFlow
- Network device capable of sending NetFlow V5 or V9 (but do not use sampled NetFlow)
- NetFlow must be enabled on every interface of the NetFlow device
- Set the inactive time-out to fifteen (15) seconds
- Set the active time-out to one (1) minute
- Devices that export NetFlow V5 do not need to configure templates
- Devices that export NetFlow V9 need to export the following fields: IPV4_SRC_ADDR, L4_SRC_PORT, PROTOCOL, IPV4_DST_ADDR, L4_DST_PORT, TCP_FLAGS, IN_BYTES, IN_PKTS, LAST_SWITCHED, FIRST_SWITCHED

Note: Refer to the documentation for your network device for more information on configuring flow.
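One way to confirm that an exporter's NetFlow V9 templates carry every field in the list above, as an added example that is not part of the product guide or of McAfee's software. The field type numbers are taken from RFC 3954; the function names and the sample packet are constructed for illustration.

```python
import struct

# NetFlow V9 field type numbers (RFC 3954) for the fields the guide requires.
REQUIRED_FIELDS = {
    8: "IPV4_SRC_ADDR", 7: "L4_SRC_PORT", 4: "PROTOCOL",
    12: "IPV4_DST_ADDR", 11: "L4_DST_PORT", 6: "TCP_FLAGS",
    1: "IN_BYTES", 2: "IN_PKTS", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
# Header: version, count, sysUptime, unix_secs, sequence, source_id (20 bytes).
HEADER = struct.Struct("!HHIIII")
# Reused for (FlowSet id, length), (template id, field count), (type, length).
PAIR = struct.Struct("!HH")


def parse_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for one packet."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the NetFlow V9 header")
    version = HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError("not a NetFlow V9 packet (version %d)" % version)
    templates = {}
    offset = HEADER.size
    while offset + PAIR.size <= len(packet):
        flowset_id, length = PAIR.unpack_from(packet, offset)
        if length < PAIR.size or offset + length > len(packet):
            raise ValueError("FlowSet length runs past the packet")
        if flowset_id == 0:  # FlowSet ID 0 carries template records
            pos, end = offset + PAIR.size, offset + length
            while pos + PAIR.size <= end:
                template_id, field_count = PAIR.unpack_from(packet, pos)
                if template_id < 256:  # reserved IDs: treat as padding
                    break
                pos += PAIR.size
                if pos + field_count * PAIR.size > end:
                    raise ValueError("template record runs past its FlowSet")
                templates[template_id] = [
                    PAIR.unpack_from(packet, pos + i * PAIR.size)
                    for i in range(field_count)
                ]
                pos += field_count * PAIR.size
        offset += length  # data and options FlowSets are skipped
    return templates


def missing_fields(fields):
    """Names of required fields that a template does not export, sorted."""
    present = {ftype for ftype, _ in fields}
    return sorted(n for t, n in REQUIRED_FIELDS.items() if t not in present)


def check_packet(packet):
    """Map each template ID in the packet to its list of missing fields."""
    return {tid: missing_fields(f) for tid, f in parse_templates(packet).items()}


def build_sample_packet(templates):
    """Constructed test input: a V9 packet holding one template FlowSet."""
    lengths = {8: 4, 7: 2, 4: 1, 12: 4, 11: 2, 6: 1, 1: 4, 2: 4, 21: 4, 22: 4}
    records = b""
    for tid, ftypes in templates.items():
        records += PAIR.pack(tid, len(ftypes))
        records += b"".join(PAIR.pack(t, lengths[t]) for t in ftypes)
    flowset = PAIR.pack(0, PAIR.size + len(records)) + records
    return HEADER.pack(9, len(templates), 1000, 1230768000, 1, 1) + flowset


if __name__ == "__main__":
    complete = [8, 7, 4, 12, 11, 6, 1, 2, 21, 22]
    partial = [8, 7, 4, 12, 11, 1, 2, 21]  # no TCP_FLAGS, no FIRST_SWITCHED
    sample = build_sample_packet({256: complete, 257: partial})
    for tid, missing in check_packet(sample).items():
        print(tid, "OK" if not missing else "missing: " + ", ".join(missing))
```

Run it against the UDP payload of an export packet captured from the device; a template reported as missing a field needs its flow record definition extended on the exporter.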

47 Configuration

From the Configuration button, users with the Administrator role (see User Roles) have access to functions that affect how your Firewall Profiler operates.

On this tab... | You can...
General | Configure much of the Firewall Profiler system parameters such as name, identities collection, server IP addresses, alerts, logging, and logon security.
Domains | Configure the domains in which Firewall Profiler operates, including establishing relationships between Domain Controllers and McAfee Login Collectors (MLCs).
Users | Create users (Administrators and Operators) who manage and use the Firewall Profiler.
Software update | Install software updates to your Firewall Profiler.
ePO | Specify the ePO server for accessing ePO information.

General

For Configuration, the General tab provides the following properties for you to manage:

- Basic
- Servers
- Identities Collection
- Alerts
- System audit
- Logon security

Basic

The Basic section provides identifying information about the Firewall Profiler.

Figure 50 Basic

Table 11 Basic properties for the General tab
Option | Description
Firewall Profiler Name | A user-defined name for this Firewall Profiler.
Certificate Common Name | Displays the name presented by the appliance's SSL certificate. This value cannot be modified by the user.
Certificate Hash | Displays the cryptographically generated digest of the certificate itself.
Banner Text | Text that appears below the product logo when you log on to the Firewall Profiler.
Enable DME | At the direction of Technical Support, select this checkbox to enable Firewall Profiler to collect DME data for analysis. You can download DME files on the Logs tab of Operations (see Logs).

48 Servers

The Servers section enables you to specify the IP addresses of the various servers with which the Firewall Profiler interacts.

Figure 51 Servers

Table 12 Servers properties for the General tab
Option | Description
DNS IP Address(es) | IP address of the DNS server that enables Firewall Profiler to look up machine names. You must specify DNS servers that are authoritative for the Domains you define.
NTP IP Address | IP address of the Network Time Protocol (NTP) server that synchronizes time for the Firewall Profiler. Specify the same NTP server that your Domain Controllers use.
SMTP IP Address | IP address of the Simple Mail Transport Protocol (SMTP) server that relays alerts and notifications from the Firewall Profiler.
SNMP IP Address | IP address of the Simple Network Management Protocol (SNMP) server that receives traps for Firewall Profiler component status changes. If you do not specify the IP address for an SNMP server, traps are not generated.

Identities Collection

The Identities Collection section is where you enable the component that services collecting identities, specify a passphrase for encrypting domain credentials, and define the IP address space within which identities collection is active.

Figure 52 Identities Collection

To enable identities collection, click the Enable checkbox.

Note: For more information on what else is involved with enabling identities collection, see Enabling identities collection in Chapter 3, Configuring the Firewall Profiler.

To encrypt credentials:

1. Click Encrypt Credentials.
   Figure 53 Encrypt credentials
2. Type a passphrase and then confirm it.
3. See Domains for information on managing domains.

To decrypt credentials, click Encrypt Credentials and then provide the passphrase as prompted. For example, you may need to do this after re-booting the Firewall Profiler to re-start the credential server process.

49 To define the identities address space:

1. Click Identities Address Space.
   Figure 54 Identities Address Space
2. Click Add IP Range.
3. Type an IP address range in the space provided. Identities are collected only from the IP address ranges you specify in the Identities Address Space List. For example, you may want to ensure only intranet IP addresses are identified, to rule out attempting to collect identities from Internet IP addresses. If you do not limit the range of IP addresses for identities collection, you can severely degrade performance of the system.
4. Click Save.

Note: For more information on what else is involved with enabling identities collection, see Enabling identities collection on page 21.

Alerts

The Alerts section enables you to define SNMP properties and configure status parameters. Ensure that you also configure an SNMP and SMTP server, depending on the type of alerts you want, as described in Servers on page 48.

Figure 55 Alerts

Table 13 Alerts properties for the General tab
Option | Description
From | Specify the e-mail address used as the sender for system status e-mails. The default sender address is mcafee@machinename, where machinename is the name of the Firewall Profiler (see Firewall Profiler Name on page 47).
Snmp Community String | The SNMP community string used if the Firewall Profiler is set to send SNMP traps (see SNMP IP Address on page 48, which must be defined to generate SNMP traps). The default value is public.
Snmp Max Send Rate | The maximum number of SNMP-related compliance or status alerts sent after a fifteen second interval. If you restrict the number of messages sent to a reasonable amount, you can ensure that the operator is not overrun with messages about particular events. Any SNMP-related messages generated during the fifteen second interval exceeding this limit are deleted. The default value is 100.
Status Send Rate | The maximum number of status update messages created as e-mails after a three hundred second interval. If you restrict the number of messages to a reasonable amount, you can ensure that the operator is not overrun with status updates. Any status update message generated during the three hundred second interval exceeding this limit is deleted. The default value is 10.
Status Recipients | A list of e-mail addresses that should receive status messages. Use commas to separate multiple values. You should also specify a value for From.

50 System audit

The System Audit section enables you to configure the amount of information collected in the log files, typically for use in conjunction with McAfee Technical Support.

Figure 56 System audit options

Table 14 System audit properties for the General tab
Option | Description
Log Levels | Specify the level of logging information included for debugging. Specify the level in the form component=level, where level is debug, info, warn, error, or fatal.
Trace Options | Specify the application trace options to be used. This option should be changed only under the guidance of a McAfee technical support representative.

Logon security

The Logon Security section enables you to configure logon-related parameters to ensure a more secure environment.

Figure 57 Logon Security

Table 15 Logon Security properties for the General tab
Option | Description
Max Logon Attempts | The number of failed logon attempts before an account is prevented from logging onto a Firewall Profiler. The default is three. If one or two failed logon attempts occur, the status of the Firewall Profiler changes to yellow. When an account is locked out, however, the status changes to red.
Max Logon Lock Timeout | The amount of time an account is locked out of the system after the Max Logon Attempts limit is exceeded. The default is 30 minutes.

51 Domains

A domain to the Firewall Profiler is a Microsoft-related logical group of identified resources on a network, whether users, machines, or networked application services. These resources are collected for the domain into a distributed directory, shared in a group of Domain Controllers (DC). Members of a domain only need to authenticate one time to the closest domain controller. All the other resources in the domain are made accessible based on their privileges in the domain.

To monitor activity on a network by identity rather than by IP address, the Firewall Profiler connects to DCs by way of the McAfee Login Collector (MLC) and monitors for login events, associating domain users to IP addresses, as well as to the groups to which they belong.

Domains General

The General tab enables you to specify the name of a domain for use in the Firewall Profiler.

Figure 58 General tab for Domains

Table 16 Domain properties tab
Option | Description
Domain Name | Name of the domain you are adding to Firewall Profiler.
User Name and password | Credentials required to log in to the Domain Controller (by way of the MLC) managing the domain. Ensure you supply the proper credentials for logging on to the Domain Controller. For more information, see Verifying the domain credentials in Appendix A, Troubleshooting.

To add a new domain, click Add, type the name and credentials, and then click Save. When you click Save, and the save is successful, Firewall Profiler automatically progresses to the MLC tab. Ensure the Domain Controllers you are accessing are logging Security events.

Note: You must specify DNS servers (see DNS IP Address(es) on page 48) that are authoritative for the Domains you define here.

Figure 59 General tab Add a domain

Note: If you have encrypted credentials (see Identities Collection), you are required to provide the passphrase when you add, edit or delete a domain.

To edit a domain, click its name, provide credentials if necessary, and then edit the domain name, user name and password as desired.

To delete a domain, click its name, provide credentials if necessary, and then click Delete.

52 Domains MLC

The MLC tab enables you to specify the McAfee Login Collectors (MLCs) used for the selected Domain.

Note: You should have already installed any MLCs you are adding in this tab. For more information, see Appendix B, Installing a McAfee Login Collector.

Figure 60 MLC tab for Domains

To add an MLC, click Add MLC, provide the name, IP Address and Port number and then click Save. When you are prompted, accept the certificate for the MLC. When you click Save, and the save is successful, Firewall Profiler automatically progresses to the Domain Controllers tab.

The MLC name is an arbitrary label you provide for use in Firewall Profiler; you can obtain the IP address and port number from the MLC itself (see Server Port under Client Connection on page 76). The default port number is 443.

To edit an MLC, click the MLC Name and then edit the properties as desired. You must click Save for your edits to take effect.

To delete an MLC, click the MLC Name and then click Delete. You must click Save for the deletion to take effect.

Domains Domain Controllers

The Domain Controllers tab enables you to specify which MLC is watching which Domain Controller. The list of Domain Controllers is acquired automatically by the Firewall Profiler after you add a Domain.

Figure 61 Domain Controllers tab for Domains

To change which MLC is watching a particular Domain Controller, click the Watch From MLC column and then select an MLC. You must click Save for the selection to take effect.

McAfee recommends that you start with a single Domain Controller and ensure that the system is behaving properly before going on to add more. Add Domain Controllers to the system gradually.

53 Users

The Users tab enables you to add and configure user accounts that are allowed to log on to, use, or manage the Firewall Profiler. You can also temporarily disable a user account by changing its status to inactive.

Adding a new user

To add a new user, click Add User, provide the necessary information, and then click Save.

Figure 62 Adding a new user

Table 17 New user properties
Option | Description
User Name | The name of the user account. This name appears at the top of the Firewall Profiler web interface, enabling you to see under what account you are logged in. Note: Extended ASCII characters are supported in user names.
First Name, Last Name | Real first and last name of the user. These fields are optional.
Address | E-mail address for the user. This field is optional.
Password | Credentials required for the user to log in to the Firewall Profiler.
User Roles | User access to information in a Firewall Profiler is determined by the role(s) assigned to that user. A user can have multiple roles. Administrator, a role for managing the Firewall Profiler. An Administrator can access all parts of the Firewall Profiler web interface. Operator, a role for level 1 operations personnel. An operator has access to the Live Data, Operations, and Reporting buttons. An operator cannot access the Configuration button.

54 Editing an existing user account

To edit an existing user's properties, click the user name, provide the necessary information, and then click Save.

Figure 63 Editing an existing user account

Note: An existing user has the same properties as a new user, with the addition of the following.

Table 18 Existing user properties
Option | Description
Account Status (Edit existing user only) | Specify the user account as active or inactive.

Deleting an existing user account

To delete a user, click the User Name and then click Delete.

Software update

To update the Firewall Profiler:

1. Log on to the web interface as an administrator.
2. Click Operations, and then click Software Update.
   Figure 64 Software Update tab
3. Click Browse, navigate to the update file, then click Open.
4. Click Submit on the Software Update window.
5. To verify the update, check the version component on the System Status window.

55 ePO

ePolicy Orchestrator (ePO) provides a scalable platform for centralized policy management and enforcement of your security products and the systems on which they reside. It also provides comprehensive reporting and product deployment capabilities, all through a single point of control.

The Firewall Profiler can retrieve data from the ePolicy Orchestrator. The Firewall Profiler can display information it has retrieved from the ePO server about hosts that are referenced in a policy or hosts that are passing traffic through the McAfee Firewall Enterprise. To view the data on the Firewall Profiler, you must install the McAfee Firewall Enterprise ePO Extension on the ePO server. For more information, see McAfee Firewall Enterprise Control Center Integration Guide for use with McAfee ePolicy Orchestrator 4.0.

Prerequisites for communicating with the ePolicy Orchestrator server

To be able to retrieve data from the ePolicy Orchestrator server about hosts, the following prerequisites must be met:

- The McAfee Firewall Enterprise ePO Extension must be installed on the ePO server that you specify in the ePO tab.
- A user account must exist on the ePO server that has the setting, May provide host system information to a remote Firewall Control Center or Firewall Profiler enabled for Remote host information query. For more information, see the McAfee ePolicy Orchestrator 4.0 documentation regarding permission sets for McAfee Firewall Enterprise. You provide the credentials for this user account on the ePO tab of Firewall Profiler.
- You must configure settings for the ePO server in the ePO tab. This enables the Firewall Profiler to communicate with the ePO server.

After these prerequisites have been met, you can view host profile information for IP addresses on the Remediation Details page (see Viewing the remediation details on page 38).

Figure 65 ePO tab

Table 19 ePO properties
Option | Description
ePO Server IP Address | Specify the IP address of the ePO server with which this Firewall Profiler communicates.
User Name | Specify the user name with the appropriate rights to access the ePO server.
Password | Specify the password for the ePO user.
Port | Specify the port used to communicate with the ePO server.

56 Reporting

From the Reporting button, you can define Reporters for data on the Live Data screen, and you can specify the order in which users are reported from user groups.

On this tab... | You can...
Reporters | Define Reporters, reporting objects that are an abstraction of IP addresses and/or McAfee Firewall Enterprise network objects.
Preferred Groups | Create a hierarchy of preferred user groups from which users are reported (for example, if users belong to more than one group).

Reporters

On the Reporters window, you define the contents of a Firewall Profiler Reporter and to which McAfee Firewall Enterprise the Reporters are associated.

Figure 66 Reporters List

Table 20 Reporters properties
Option | Description
Data Feed | The name of the McAfee Firewall Enterprise to which the Reporters are associated. You can also select Flow. You define data feeds on the Data feeds and Flow tabs. If Firewall Profiler determines that an IP address is not covered by a Reporter, it creates a Reporter. For example, if there is data with an IP address range of to , but there are no Reporters that cover it, Firewall Profiler creates a synthetic Reporter for the IP address range x.
Add and Delete | Enables you to add or delete a Reporter. Click Add to begin defining a Reporter, or click Delete to remove a Reporter.
Up and Down (arrows) | Moves the selected Reporter in the list. Select a Reporter and then click Up or Down to move the Reporter within the list. The higher up a Reporter is on the list, the more preference it is given when reporting against it.
Reporter Name | An arbitrary label you provide for the Reporter in Firewall Profiler.
Add IP | Enables you to add IP addresses and ranges. Click Add IP to add a discrete IP address, a range of IP addresses, or a CIDR-notated range of IP addresses.
Add Firewall Object | Enables you to select from an existing list of objects retrieved from a McAfee Firewall Enterprise. Click Add Firewall Object to add the object to the current Reporter. For more information on establishing a connection between a McAfee Firewall Enterprise and a Firewall Profiler, see Adding a data feed.
Delete | Enables you to delete selected content from the Reporter. Click an item in the list of contents and then click Delete.

Adding a Reporter

As you add Reporters here, the Live Data page (see Working with Live Data on page 29) changes to reflect the new data. Reporters can appear on the Live Data page in the WHERE columns of the bubble chart graph, and you can specify Reporters as a WHERE filter. You can also specify Reporters as a WHO filter, but the results are not visible until you click either a bubble or the Live Data view selector to switch to the Remediation Summary view.

To add a new Reporter:

1 Select a data feed from the drop-down list. You select a data feed to report against. You build the contents of the Reporter from what is available for that data feed. In the case of a McAfee Firewall Enterprise, you can add IP addresses or firewall objects. For flow exporters, you can only define IP addresses as the contents.

Figure 67 Reporters tab Add a Reporter

2 Type a name for the Reporter in the Reporter Name field.
Note: When you return to the Reporters tab, the Reporter at the top of the Reporter Name list is selected for you. If you begin typing in the Reporter Name field, you will overwrite the existing name. Be aware of whether you are editing an existing Reporter name, which you can do at any time, or adding a new Reporter.
3 Define the contents for the Reporter by clicking Add IP or, if available, Add Firewall Object and then specifying the appropriate information.
4 Click Save to commit the Reporter to the list.
5 Use the Up and Down arrows to move the Reporter further up or down the Reporter list. The further up the list the Reporter is, the more preference Firewall Profiler gives it when reporting against it.
6 View the new Reporter on the Live Data page (if the Reporter meets the criteria for the data available) and optionally filter on the Reporter (for either WHO or WHERE).

Figure 68 Live Data Reporters
(Figure callouts: View new Reporter in WHO or WHERE, if applicable. Specify new Reporter as WHERE filter, for example.)
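The effect of list order when Reporters overlap, as an added example that is not part of the product guide or of McAfee's code. It assumes that "preference" means the highest-listed Reporter covering an address is the one reported, that a range is written first-last, and that only IPv4 is in use; the Reporter names and addresses are constructed.

```python
import ipaddress


def parse_entry(entry):
    """One Add IP entry -> list of IPv4 networks.

    Accepts a discrete address, a CIDR block, or an assumed 'first-last' range.
    A CIDR block with host bits set raises ValueError, which catches typos.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(entry)]


def compile_reporters(reporters):
    """[(name, [entries])] -> [(name, [IPv4Network])], keeping list order."""
    return [(name, [n for e in entries for n in parse_entry(e)])
            for name, entries in reporters]


def resolve(address, reporters):
    """Name of the first (highest) Reporter covering the address, else None.

    None models an address no Reporter covers; the guide says Firewall
    Profiler then creates a synthetic Reporter for it.
    """
    ip = ipaddress.IPv4Address(address)
    for name, nets in compile_reporters(reporters):
        if any(ip in net for net in nets):
            return name
    return None


def shadowed(reporters):
    """Reporters whose whole content is already covered by Reporters above them."""
    hidden, higher = [], []
    for name, nets in compile_reporters(reporters):
        merged = list(ipaddress.collapse_addresses(higher))
        if nets and all(any(n.subnet_of(m) for m in merged) for n in nets):
            hidden.append(name)
        higher.extend(nets)
    return hidden


# Constructed Reporter list, top of the list first.
REPORTERS = [
    ("DMZ web", ["192.0.2.0/28"]),
    ("Datacenter", ["192.0.2.0/24", "198.51.100.10-198.51.100.20"]),
    ("Build host", ["192.0.2.40"]),
]

if __name__ == "__main__":
    for addr in ("192.0.2.5", "192.0.2.40", "198.51.100.15", "203.0.113.9"):
        print(addr, "->", resolve(addr, REPORTERS))
    print("never reported under this order:", shadowed(REPORTERS))
```

Moving "Build host" above "Datacenter" with the Up arrow is what makes traffic from 192.0.2.40 report against it under this model.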

Editing an existing Reporter

To edit a Reporter:

1 Click the name of the Reporter you want to edit.

Figure 69 Reporters tab Editing a Reporter

2 Edit the Reporter Name if you want to change it.
Note: When you return to the Reporters tab, the Reporter at the top of the Reporter Name list is selected for you. If you begin typing in the Reporter Name field, you will overwrite the existing name. Be aware of whether you are editing an existing Reporter name, which you can do at any time, or adding a new Reporter.
3 Define the contents for the Reporter by clicking Add IP or, if available, Add Firewall Object and then specifying the appropriate information.
4 Delete contents from the Reporter by selecting the content and clicking Delete.
5 Click Save to commit your Reporter to the list.
6 Use the Up and Down arrows to move the Reporter further up or down the Reporter list. The further up the list the Reporter is, the more preference Firewall Profiler gives it when reporting against it.
7 The availability and significance of a Reporter on the Live Data page (Figure 68) can be altered when you edit it.

Deleting an existing Reporter

To delete a Reporter, click the name in the Reporter Name list and then click Delete.
Note: When you delete a Reporter, the Live Data page may be altered.

Preferred Groups

On the Preferred Groups window, you define the hierarchy of user groups against which users are reported.

Note: Access to user groups and the Preferred Groups tab requires enabling identities collection. For more information, see Enabling identities collection on page 21.

With identities collection enabled, you may find that the user groups you see being reported on in the Live Data pages are not what you would like to see. By default, Firewall Profiler assigns a user to a group based on the groups the user is assigned to in the Active Directory and then by a formula that determines the number of active users in those groups. The user is assigned to the group with the fewest active users. You can change this default ranking by creating a list of preferred groups and then ranking them in the order that provides the results you want.

Figure 70 Preferred Groups ranking

Table 21 Preferred Groups properties
Option: Description
Up and Down buttons: Moves the selected group in the list. Select a group and then click Up or Down to move the Group within the list. The higher up a Group is on the list, the more preference it is given when reporting against it.
Common Name: Name of the user group as acquired from a Domain Controller. Note: Extended ASCII characters are supported in user groups names.
# of Users: Number of users in the group.
Arrows button (remove): Moves the selected group out of the Preferred Groups list and back to the list of Available groups.
Arrows button (add): Moves the selected group into the Preferred Groups list, enabling you to adjust the preference given to the group when reporting on it. For any group in the list, all users that belong to the group are reported from that group in preference to any other group they may belong to that is further down in the list.

Ranking preferred user groups

You must move user groups from the Available Groups list to the Preferred Groups list to rank them. To accomplish this, select groups in the Available Groups list (holding the Control key while you click enables you to select multiple groups at once), and then click the left arrows button.

To rank user groups:

1 Click a group in the Preferred Groups list and then click the Up button.
2 Use the Up and Down buttons to move user groups within the Preferred Groups list, and add or remove user groups using the left and right arrows buttons.

View the changes on the Live Data page (if the available data means a change due to the new ranking) and optionally filter on the User Group for WHO.

Figure 71 Live Data Reporters
(Figure callouts: View User Groups in WHO rows, if applicable. Specify User Group as WHO filter.)

Preferences

From the Preferences link, users can change their current password for logging on to the Firewall Profiler web interface. In Figure 72, the user currently logged on is administrator.

Note: Users with the Administrator user role can change any user's password by editing a user's properties. See Editing an existing user account on page 54.

Figure 72 Changing the password for the user who is logged on

To change your password:

1 Type your existing password.
2 Type a new password.
3 Confirm your new password.
4 Click Save.

A Troubleshooting

Review this appendix for information that may assist you with solving a problem.

- Backing up and restoring a Firewall Profiler
- Re-imaging a Firewall Profiler
- Determining Firewall Profiler version
- Configuring network information
- Downloading log files
- Enabling a serial port connection
- Verifying the domain credentials
- Creating a non-administrator account to access the security event log on a DC

Backing up and restoring a Firewall Profiler

You should periodically create a backup file and store it away from the Firewall Profiler so that you can restore a particular state of the Firewall Profiler as needed. For information on what is backed up, see What is backed up.

1 Log on to Firewall Profiler console.
2 Run the following command at the prompt:

    # backup.pl

Following is a sample of the output from this command:

    # backup.pl
    Creating a backup for McAfee Firewall Profiler 1.5
    Backup was successful, copy the following file off box:
    /var/log/profiler_dhcp _2009_03_15_08:23:24.backup.tgz

3 Copy the resulting backup file off of the Firewall Profiler to a safe location.

With a good backup file available, you can restore a Firewall Profiler to the state saved in that backup file.

Note: For information about creating a backup of a Firewall Profiler, see Backing Up a Firewall Profiler on page 16.

To restore a Firewall Profiler from a backup file:

Note: You should only restore from a backup file to a Firewall Profiler that is not configured beyond what occurs during the initial configuration phase (see Configuring the Firewall Profiler at first boot on page 13). This will ensure that you retain the state you expect from the backup file.

1 Log on to Firewall Profiler console as root.
2 Run the following command at the prompt:

    restore.pl --file location_of_file

where location_of_file is the location on the Firewall Profiler to which you copied the backup file. By default, the backup.pl command stores the backup file in /var/log. For example, /var/log/profiler_dhcp _2009_03_15_08:23:24.backup.tgz

3 Re-activate your Firewall Profiler (see Activating a Firewall Profiler on page 14).

Re-imaging a Firewall Profiler

Caution: Re-imaging the McAfee Firewall Profiler software erases the contents of the hard drive when you insert the CD and reboot the appliance.

Follow these instructions to re-image the McAfee Firewall Profiler software on the appliance.

1 Connect the power cord, monitor and keyboard to the Firewall Profiler.
2 Press the power button located on the front to start the Firewall Profiler.
3 Open the CD drive, insert the CD, and then reboot the Firewall Profiler.
4 Press Enter to begin the installation. You see messages as the installation progresses. When the initial phase is completed, you see a screen showing the product name and version number. Next, you see messages as packages are installed and file systems are formatted. This can take several minutes.
5 Remove the CD when it is ejected at the end of installation and close the drive. Once the system reboots, the installation program reports on its progress. The Firewall Profiler may reboot a second time before beginning to build the embedded database. After the database is built, the installation program reboots the Firewall Profiler again. Once the Firewall Profiler reboots, the installation program displays:

    The Firewall Profiler has been fully installed.
    [System information appears here.]
    The system may be safely rebooted (and then halted) or the system specific information can be entered to finish customizing the system for use.
    Either press <ctl><alt><del> to exit OR <CR> to continue

6 Press Enter to continue with the configuration phase of the installation. See Configuring the Firewall Profiler at first boot on page 13.

Determining Firewall Profiler version

On the System Status tab, you can find the current version of your Firewall Profiler software.

Figure 73 Firewall Profiler version

To determine the version:

1 Click Operations to display the System Status tab.
2 Click Component twice to sort the components column in reverse order.
3 View the version number in the Comment column, in the form of V100_NNN where NNN is the build number.

Note: The Version component indicates whether a software update has been successfully deployed. Determine the appropriate version number when you are alerted to an available update and verify it appears in the Comment for the Version {ver} component.

Configuring network information

You can change the IP address for the Firewall Profiler at any time by running editsvnetwork.pl directly as root from the console or remotely after connecting to the appliance by way of SSH. You need to have /opt/svs/system/bin in your path, or change to that directory to run the command. You may want to review the form in Record your initial configuration responses on page 11 prior to running the program so that you have the necessary information ready.

Downloading log files

In the course of helping you solve an issue, McAfee Technical Support may direct you to download certain log files from the Firewall Profiler. You accomplish this by clicking the Operations button and then clicking the Logs tab.

Figure 74 Log Files

Select the log file as directed by Technical Support and click Download to download a copy of the file to the computer from which you are logging on to the Firewall Profiler web interface.

Note: For DME, you must enable DME in the Basic section of the General tab for Configuration.

Enabling a serial port connection

You can perform this operation at any time if you do not do it during installation.

1 Log in to the Firewall Profiler as the svs user and then run the command sudo -s.
2 Type editsvmisc.pl.
3 Use the mouse, or press the space bar to enable a serial port connection.
4 Reboot the Firewall Profiler.
5 Connect to the Firewall Profiler's COM1 port with a db9 null modem cable.
6 Set the terminal settings to 8-N-1 at 9600 baud with a vt100 setting.

Verifying the domain credentials

This section describes how to verify that the credentials you specify for a domain (see Domains on page 51) are correct and have sufficient privileges to connect to a Domain Controller (DC) by way of the MLC. The Domain Controllers you access must be logging Security events.

You test your credentials by using the wbemtest.exe tool to connect to a DC and run several queries (described in this section). If you are unable to specify credentials for an administrator user, you can use a non-admin account on the Domain Controller. For more information on creating such a user, see Creating a non-administrator account to access the security event log on a DC on page 68.

Note: The administrator account you intend to use to access the DC MUST be in the same domain from which you want to obtain identities.

Successfully executing the queries described in this section verifies that the credentials you specify are sufficient for access to the following on the DC:

- security event log
- CPU performance
- WMI connection
- DCOM connection

Connecting to a DC

These instructions describe how to use the wbemtest.exe tool to connect to a DC.

1 Open a command prompt and navigate to \Windows\System32\WBEM.
2 Run wbemtest.exe:

    C:\Windows\System32\WBEM> wbemtest

The Windows Management Instrumentation Tester dialog displays.

3 Click Connect to display the Connect dialog.
4 Specify the following information:

Table 22 Domain properties tab
Option: Description
unlabeled connection: \\<dc_name>\root\cimv2
User: The user name to authenticate to the DC.
Password: The associated password.
Authority: Leave this field blank.
Locale: Leave this field blank.
Impersonation level: Select Impersonate.
How to interpret empty password: Select NULL.
Authentication level: Select Packet privacy.

5 Click Connect to proceed. If the message Access Denied appears, you may have mis-typed the credentials, or the user account does not have the necessary privileges. Try re-typing the credentials, and verify the user account is properly set up. If you are not using an administrator account, you can use a non-admin account on the Domain Controller. For more information on creating such a user, see Creating a non-administrator account to access the security event log on a DC on page 68.

The Windows Management Instrumentation Tester dialog changes to display IWbemServices and Method Invocation Options.

Successfully authenticating to the DC and viewing the above dialog means the MLC has access to WMI and DCOM connections.

6 Run each of the following queries:

- CPU performance query (see Running a CPU Performance Query). Success with this query means the MLC has access to CPU performance on the DC.
- back log query (see Running a Back Log Query on page 67). Success with this query means the MLC has access to the security event log.
- forward log notification query (see Running a Forward Log Notification Query on page 68). Success with this query means the MLC has access to the security event log.

Note: You must successfully execute the CPU performance query and either one of the log queries to verify that you have the correct credentials and therefore sufficient access.

Running a CPU Performance Query

Follow these instructions to run a CPU performance query.

1 Connect to a DC as described in Connecting to a DC.
2 Click Query.
3 Type the following query:

    SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name='_Total'

4 Click Apply to view the query results.
5 Click Close when query functionality is proven successful by displaying the contents of the screen shot above.
6 Run the other queries if you have not already done so.

Running a Back Log Query

Follow these instructions to run a back log query.

1 Connect to a DC as described in Connecting to a DC.
2 Click Query.
3 Type the following query:

    SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventIdentifier = 672 OR EventIdentifier = 673 OR EventIdentifier = 680) AND TimeWritten > 'yyyymmdd'

Note: Replace yyyymmdd with the appropriate date.

4 Click Apply to view the query results.
5 Click Close when query functionality is proven successful by displaying the contents of the screen shot above. You do not have to wait for all results to return.
6 Run the other queries if you have not already done so.

Running a Forward Log Notification Query

Follow these instructions to run a forward log notification query.

1 Connect to a DC as described in Connecting to a DC.
2 Click Notification Query.
3 Type the following query:

    SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security' AND (TargetInstance.EventIdentifier = 672 OR TargetInstance.EventIdentifier = 673 OR TargetInstance.EventIdentifier = 680)

4 Click Apply. Results should be shown as they are logged.
5 Click Close. The operation does not complete until you click Close.
6 Run the other queries if you have not already done so.

Creating a non-administrator account to access the security event log on a DC

Ensure that you meet the following requirements for creating a non-administrator account on a DC for accessing security event logs:

- PSTOOLS
- Ability to modify registry of a DC running on either Windows 2003 Server or Windows 2000 Server
- Window of time for rebooting DC system

Instructions for Windows 2003 server

The following tasks must be completed to create a non-admin account on Windows 2003 Server that is able to access the DC security event log:

- Create a new AD group
- Determine the SID of the newly created AD group
- Create domain user account
- Enable permissions
- Grant DCOM access
- Enable WMI access to the required namespace

Create a new AD group

Refer to Microsoft documentation for step-by-step instructions.

1 Create a group called Domain Security Event Log Reader of Group scope: Global and Group type: Security.
2 Make the Domain Security Event Log Reader a member of the Performance Monitor Users group.

Determine the SID of the newly created AD group

1 Launch a DOS prompt and navigate to the directory where you unpacked PSTOOLS.
2 Execute the command:

    psgetsid "Domain Security Event Log Reader"

3 Note the SID (for example, copy it to Notepad).

Create domain user account

Refer to the Microsoft Documentation for step-by-step instructions.

Security best practices dictate rotating user credentials periodically. However, every time you change the credentials for this user, you must also update the Firewall Profiler (see Domains General on page 51) as these are the credentials used to access the security event log.

1 Ensure User must change password at next logon is not selected because this user does not have an interactive session.
2 Assign the new user to the Domain Security Event Log Reader group.

Enable permissions

Caution: THIS REQUIRES CHANGING THE REGISTRY IN THE DOMAIN CONTROLLER, WHICH MAY LEAVE THE SYSTEM IN AN UNSTABLE STATE.

For each DC, log on to the domain controller console (or use Remote Desktop Connection) and perform the following steps:

1 Launch the registry editor (Start -> Run -> regedit).
2 Navigate to the key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

3 Add the following ACE to the value of CustomSD:

    (A;;0x3;;;SID)

where SID is the value you determined as described in Determine the SID of the newly created AD group. The SID is a long string that starts S-, such as: S

By default the value looks like this:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)

It should look like this:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x3;;;SID)

Tip: When editing a long registry item, it is easy to mistakenly corrupt the value. Instead of editing the value in place, double-click the value, paste the value to Notepad, edit it, copy it, then paste it back. Then double-click and paste the value back to Notepad again to confirm before clicking OK.
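The CustomSD edit from step 3, as an added example that is not part of the product guide: a Python helper that parses the value, appends the (A;;0x3;;;SID) ACE without hand-editing, and rejects a value that was truncated or still carries the literal SID placeholder. The group SID is constructed, and the meaning of the mask bits (0x1 read, 0x2 write, 0x4 clear) comes from Microsoft's event log access rights, not from this guide.

```python
import re

# Event log access rights carried in the third field of a CustomSD ACE.
EVENTLOG_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# "D:" + optional DACL flags + one or more parenthesised ACEs.
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))+)")
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_custom_sd(sddl):
    """Return (prefix, dacl_flags, aces, suffix); each ACE is a list of 6 fields."""
    m = DACL_RE.search(sddl)
    if m is None:
        raise ValueError("no DACL (D:) with at least one ACE found")
    prefix, suffix = sddl[:m.start()], sddl[m.end():]
    # Anything left after the DACL must be a SACL; a half-pasted ACE lands here.
    if "(" in prefix or ")" in prefix or (suffix and not suffix.startswith("S:")):
        raise ValueError("stray text around the DACL; value looks corrupted")
    aces = [body.split(";") for body in re.findall(r"\(([^()]*)\)", m.group("aces"))]
    for fields in aces:
        if len(fields) != 6:
            raise ValueError("ACE does not have 6 fields: (%s)" % ";".join(fields))
    return prefix, m.group("flags"), aces, suffix


def rights(mask_field):
    """Decode a hexadecimal rights field such as '0x3' into right names."""
    mask = int(mask_field, 16)
    return [name for bit, name in EVENTLOG_RIGHTS.items() if mask & bit]


def add_group_ace(sddl, sid, mask="0x3"):
    """Append (A;;mask;;;sid) to the end of the DACL; a second call changes nothing."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID string: %r" % sid)
    prefix, flags, aces, suffix = parse_custom_sd(sddl)
    new_ace = ["A", "", mask, "", "", sid]
    if new_ace not in aces:
        aces.append(new_ace)  # after the deny ACEs, so they keep precedence
    dacl = "".join("(%s)" % ";".join(fields) for fields in aces)
    return "%sD:%s%s%s" % (prefix, flags, dacl, suffix)


def summarize(sddl):
    """(type, trustee, rights) per ACE, for review before pasting the value back."""
    _, _, aces, _ = parse_custom_sd(sddl)
    return [(f[0], f[5], rights(f[2])) for f in aces]


# Default value as printed in the guide; the group SID below is constructed.
DEFAULT_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
              "(A;;0xf0005;;;SY)(A;;0x5;;;BA)")
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"

if __name__ == "__main__":
    updated = add_group_ace(DEFAULT_SD, GROUP_SID)
    print(updated)
    for ace in summarize(updated):
        print(ace)
```

The summary decodes 0x3 as read plus write, so the added group can write to the Security log as well as read it; review that against your least-privilege requirements before applying the value.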

Grant DCOM access

1 Run dcomcnfg from a command prompt. An MMC console should appear.
2 Expand Component Services, expand Computers, and then right-click My Computer and click Properties in the Computer Services dialog.
3 Click the COM Security tab in the My Computer Properties dialog.
4 Click Edit Limits under Launch and Activation Permissions.
5 Perform the following in the Launch Permission dialog. Click Add and add the Domain Security Event Log Reader group in the Select Users, Computers, or Groups dialog.
6 Select your user and group in the Group or user names box in the Launch Permission dialog. In the Allow column under Permissions for User, select Remote Launch, then select Remote Activation, and then click OK.
7 Click Edit Limits under Access Permissions.
8 Add the Domain Security Event Log Reader group in the Access Permission dialog.
9 Select Remote Launch and Remote Activation in the Allow column under Permissions for User, and then click OK.

Enable WMI access to the required namespace

1 Double-click Administrative Tools in the Control Panel.
2 Open Computer Management.
3 Expand the Services and Applications tree in the Computer Management window, and then double-click the WMI Control.
4 Right-click the WMI Control icon and select Properties.
5 Click the Security tab on the WMI Control Properties dialog.
6 Expand the Root namespace.
7 Select CIMV2.
8 Click the Security button at the bottom of the dialog.
9 Add the Domain Security Event Log Reader group under the Group or user names pane in the Security tab.
10 Select Remote Enable in the Allow column under Permissions for User, then click OK, and then close all windows.

Note: Restarting DC System
The Windows service associated with the changes in the registry is the Event Log. This service cannot be restarted from the management console. You may have to reboot the DC for these changes to take effect immediately.

Instructions for Windows 2000 server

The following tasks must be completed to create a non-admin account on Windows 2000 server that is able to access the DC security event log:

- Create a new AD group
- Create domain user account
- Enable WMI access to the required namespace
- Grant DCOM access
- Enable read access to the security event log

Create a new AD group

Refer to Microsoft documentation for step-by-step instructions.

Create a group called Domain Security Event Log Reader of Group scope: Domain local and Group type: Security.

Create domain user account

Refer to Microsoft documentation for step-by-step instructions.

Security best practices dictate rotating user credentials periodically. However, every time you change the credentials for this user, you must also update the Firewall Profiler (see Domains General on page 51) as these are the credentials used to access the security event log.

1 Ensure User must change password at next logon is not selected because this user does not have an interactive session.
2 Assign the new user to the Domain Security Event Log Reader group.

Enable WMI access to the required namespace

1 In the Control Panel, double-click Administrative Tools.
2 Open Computer Management.
3 In the Computer Management window, expand the Services and Applications tree and double-click the WMI Control.
4 Right-click the WMI Control icon and select Properties.
5 On the WMI Control Properties, click the Security tab.
6 Expand the Root namespace and then select CIMV2.
7 Click the Security button at the bottom of the dialog. The Security for ROOT\CIMV2 dialog displays.
8 Click Add to open the Select Users, Computers, or Groups dialog.
9 Select the Domain Security Event Log Reader group under Group or user names pane.
10 Click Advanced to open the Access Control Settings for CIMV2 box.
11 Select Domain Security Event Log Reader group and click View/Edit to open the Permission Entry for CIMV2 dialog.
12 Select This namespace and subnamespaces and then click OK.
13 Click OK in the Access Control Settings for CIMV2 dialog.
14 Click Apply for Security for ROOT\CIMV2 and then click OK.
15 Click OK for WMI Control Properties.
16 Close the Computer Management snap-in.

Grant DCOM access

1 From a command prompt, run dcomcnfg to open the Distributed COM Configuration Properties window.
2 Select Windows Management Instrumentation and click Properties.
3 Open the Security tab.
4 Select Use Custom Access Permissions, and click Edit to open the Registry Value Permissions window.
5 Click Add to open the Add Users and Groups window.
6 Verify that Allow Access is selected for Type of Access.
7 Select Domain Security Event Log Reader group and click Add.
8 Click OK in the Add Users and Groups dialog.
9 Click OK in the Registry Value Permissions dialog.
10 By a similar process, enable the Domain Security Event Log Reader to launch the application (second section of the Security tab).
11 Click Apply for Security for ROOT\CIMV2 and then click OK.
12 Click Apply and then click OK for WMI Control Properties.
13 Click OK for Distributed COM Configuration Properties.

Enable read access to the security event log

Caution: This procedure enables domain wide access to the security event log for the added group in the Windows 2000 environment. To perform this on a local Domain Controller, you can select the Domain Controller Security Policy.

1 In the Control Panel, double-click Administrative Tools.
2 Open Domain Security Policy.
3 Expand Security Settings under Windows Settings.
4 Expand Local Policies.
5 Select User Rights Assignment.
6 Right-click Manage Auditing and Security Log and select Security.
7 Click Define these policy settings to enable policy definition, and then click Add.
8 Browse for Domain Security Event Log Reader and click OK.
9 Close the Domain Security Policy snap-in.

Useful resources

- Microsoft knowledge base article:
- Security Descriptor String Format: secauthz/security/security_descriptor_string_format.asp
- SID string description:
- ACE Strings description:
- Useful document for SDDL syntax:
- DCOM Remote access:
- WMI Remote access:

B Installing a McAfee Login Collector

This appendix describes how to install and configure the McAfee Login Collector, a required component for enabling identities collection.

- McAfee Login Collector installation requirements
- Installing the MLC software
- Configuring the MLC
- Using Microsoft Management Console to manage MLC certificates
- Using NTLMv2 with MLCs

McAfee Login Collector installation requirements

The MLC software runs as a Microsoft Windows service on a Windows server, and requires a system that meets these minimum requirements:

- Intel Pentium III processor running at 500 MHz or better
- 1 GB RAM
- 10 GB hard drive free space
- Display set to a resolution of 1024x768 or greater
- Microsoft Windows 2003 Server Service Pack 2 or greater
- Network connectivity to the Firewall Profiler
- Network connectivity to the Domain Controllers of the Microsoft Active Directory domain that the Firewall Profiler is monitoring

DNS resolution requirements

Proper DNS resolution is a critical prerequisite for identities collection. Both the computer on which the MLC is installed and the Firewall Profiler configured to collect identities must be configured to refer to a DNS server that:

- must be able to resolve any domains from which logons are collected (this can be accomplished using DNS forwarding in Microsoft Windows)
- must provide forward resolution for all hosts that belong to any domains from which logons are collected
- must provide reverse resolution for all Domain Controllers from which logons are collected
- must be able to access SRV records for all of the Domain Controllers from which logons are collected

Installing the MLC software

The MLC software is shipped on the Firewall Profiler CD. You do not need a special passphrase or license key to install the MLC software. You may install as many instances of the MLC as are needed to provide adequate coverage for the Domain Controllers in your monitored domain.

Note: The MLC service may be incompatible with other Windows applications and processes. Use caution when deploying an MLC on a computer where it must share resources with other heavily utilized services.

To install the MLC software:

1 Uninstall the previous version of MLC if you have one. Use the Add or Remove Programs tool in Control Panel to uninstall the McAfee Login Collector.
2 Ensure that you have also already upgraded all other components that communicate with the MLC (such as the Firewall Profiler).
3 Download the McAfee Login Collector installation program from
  a Click Download Software Updates under Self Service.
  b Click Product Downloads.
  c Click My Products under the applicable category.
  d Type your Grant Number and click Submit.
  e Find the McAfee Login Collector installation program and download it.
4 Display the installation program (for example, DLC_V100_264.exe) using Windows Explorer.
5 Ensure you are logged in as an administrator and double-click the installation file. Follow the prompts to install:
  a Accept the license agreement.
  b Accept the default installation location or select a new one.
  c Accept the default program group or select a new one.
  d Allow the installation to start.
  e Click Config to display the MLC Configuration dialog. You can configure the MLC now or any time by invoking the MLC configuration program. For more information, see Configuring the MLC.
6 Reboot the server and ensure the MLC service is started after the reboot.

Configuring the MLC

The MLC runs as a Windows service and starts automatically after every power cycle. You configure the MLC with an application named Login Collector Configuration on the Windows computer on which you installed the MLC software.

If you are not configuring the MLC as part of the installation, go to the Start menu and select Login Collector Configuration (for example, by default in Start > Programs > McAfee Login Collector > Login Collector Configuration) to display the McAfee Login Collector Configuration dialog (Figure 75).

Note: You do not have to restart the MLC service when you make configuration changes. Changes take effect after you click OK. The configuration information for the MLC is stored in the Windows Registry.

Configuration tab

The Configuration tab (Figure 75) contains the settings for the MLC.

Figure 75 MLC Configuration dialog Configuration tab

Server Certificate

In this section, you configure the certificate that the MLC uses to authenticate itself to the Firewall Profiler.

Note: Ensure that you have a certificate for the MLC, whether it is a newly generated (by the MLC) self-signed certificate or one generated by a Certificate Authority. The MLC will not function without a certificate. To reconnect an MLC to a Firewall Profiler after a new certificate has been generated, log on to the Firewall Profiler web interface and click Configuration, then the Domains tab, then the MLC tab, and finally the MLC to reconnect. Click Save and then OK when you are prompted to accept the certificate.

Distinguished Name
The Distinguished Name contains the Common Name and other attributes that the MLC needs to identify the certificate found in its store (see Store Name below) that should be used to authenticate to the server. For example, cn=dlc.centserv.org, o=centserv, c=us could be the Distinguished Name, comprised of the certificate's Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only need to use the Common Name (prefixed with cn=) for identification.

Store Name
The Store Name, or Certificate Store name, is where the MLC looks to find its certificates. The default setting for the Store Name is McAfeeMLC\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES. If the MLC is running in standalone mode, use the Store Name MY. This uses the Store Type CERT_SYSTEM_STORE_CURRENT_USER.

Generate Self-Signed Certificate
Only available when the Distinguished Name field is not blank, the Generate Self-Signed Certificate button generates a self-signed certificate and places it in the certificate store identified by Store Name.

View Certificate: Only available when the Distinguished Name field is not blank. The View Certificate button opens a Windows-standard certificate viewer showing the certificate that matches the Distinguished Name, if one is found in the store.

Client Connection

In this section, you configure the connection between the Firewall Profiler and the MLC.

Server Port: This option specifies the port for the MLC service to listen on. As long as another service is not listening on the specified port, use your choice of port. The default is port 443. Valid port numbers are Ensure this port number matches what you specify for this MLC in the Firewall Profiler web interface (see Domains MLC on page 52).

Certificate Checking: This option specifies the check type to perform. There are three types:

- Certificate Hash: Verifies that the hash configured for the given common name matches the hash stored. You specify the certificate common name and hash on the Remote tab.
- Certificate Store: The certificate must be signed by a certificate authority found in the Certificate Store.
- Certificate Not Required: Does not check any certificate and is not deemed secure.

McAfee recommends using Certificate Hash as the most secure method.

Type: The types available are encrypted using TLS or not encrypted. The encrypted type encrypts communication between the MLC and the Firewall Profiler. Non-encrypted sessions are not recommended.

Log

In this section, you configure the logging options of the MLC.

Debug Level: This option controls the amount of information written out to the log during operation. The level of detail increases with the debug level; the default is 0, with no extra log detail recorded.

File Location: This option determines where in the system the log files are kept. Default is C:\Program Files\McAfee\Login Collector.

File Size: This option controls the size, in Kilobytes, to which the log file grows before rotating. The system keeps up to 5 log files in the selected file location; dlc.log is the most recent file, followed chronologically by dlc.log.1 to dlc.log.4.

DC Connection

In this section, you configure the connection to the DC.

Authentication Type: This option specifies the type of authentication for the connection between the MLC and any DCs. Kerberos and NTLM authentication are supported. Default is Kerberos. With the Kerberos authentication type, all machines using the same target must synchronize their time setting (see NTP under Servers on page 48). For information on NTLM, see also Using NTLMv2 with MLCs on page 79.

CPU Disconnect Threshold: This option determines when the MLC introduces rate-limiting if services on a monitored DC consume too much CPU too quickly. If the CPU threshold is crossed, the MLC stops polling a domain for twenty minutes. After the twenty-minute window, which gives the CPU time to handle its load, the MLC reconnects. If you find that the MLC frequently resorts to rate-limiting, try disabling the Allow Backlog Queries feature.

Allow Backlog Queries: This option determines whether the MLC checks the DC security event logs for identity-related events that may have occurred while it was not connected. With this option enabled, the MLC can query back into the time it was disconnected rather than simply picking up again at the time it reconnects. Note that backlog querying cannot occur when the MLC first connects to the DC. The query is done for records or until the time of the last connection, whichever comes first. Backlog queries are likely to affect the performance of heavily loaded machines and legacy hardware and are not recommended. McAfee does not recommend you enable this option for Windows 2000-based DCs. If you find that the MLC is frequently resorting to rate-limiting, try disabling this feature.

Remote tab

The Remote tab (Figure 76) contains the certificate common name and certificate hash of any Firewall Profiler that connects to this MLC.

Note: The MLC accepts any number of certificates in the Remote tab.

Figure 76 MLC Configuration, Remote tab

To add a certificate for a new connection to a Firewall Profiler:

1. Ensure the McAfee Login Collector Configuration is running.
2. Ensure Certificate Hash is selected for Certificate Checking in the Client Connection section of the Configuration tab.
3. Log in to the Firewall Profiler web interface.
4. Click Configuration.
5. Copy the values for Certificate Common Name and Certificate Hash.
6. Type the common name of the certificate into the Common Name field and paste its corresponding hash into the Certificate Hash field on the Remote tab.
7. Click OK to commit the information, or click Cancel to quit without saving. Changes are also committed if you click the Configuration tab.
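The Certificate Hash check and the Remote tab entries described above amount to certificate pinning. The following is an added sketch of that logic, not McAfee's code: the class and function names, the host names and the byte strings standing in for certificates are constructed, and because the guide does not say which digest the product uses, the algorithm is inferred from the length of the pasted hash.

```python
import hashlib
import hmac
import re

# Assumption: the guide does not name the digest, so infer it from the
# length of the pasted hex string (40 hex chars = SHA-1, 64 = SHA-256).
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_hash(text):
    """Strip whitespace and separators from a pasted hash; return lowercase hex."""
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    if len(cleaned) not in _ALGO_BY_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("not a recognised certificate hash: %r" % text)
    return cleaned


class RemoteTab:
    """Hypothetical model of the Remote tab: common name -> pinned hash."""

    def __init__(self):
        self._pins = {}

    def add(self, common_name, cert_hash):
        # Any number of (common name, hash) entries may be stored.
        self._pins[common_name.strip().lower()] = normalize_hash(cert_hash)

    def check(self, common_name, cert_der):
        """Return (accepted, reason) for a peer presenting cert_der under common_name."""
        pinned = self._pins.get(common_name.strip().lower())
        if pinned is None:
            return False, "no entry for common name"
        algo = _ALGO_BY_HEX_LEN[len(pinned)]
        presented = hashlib.new(algo, cert_der).hexdigest()
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(presented, pinned):
            return True, "hash matches"
        return False, "hash mismatch"


def check_not_required(common_name, cert_der):
    """Model of 'Certificate Not Required': nothing is verified."""
    return True, "no check performed"


def as_pasted(cert_der, algo="sha1"):
    """Format a digest as upper-case, colon-separated hex, as a UI might show it."""
    hexd = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


# Constructed sample data: byte strings standing in for DER-encoded certificates.
PROFILER_CN = "profiler.example.test"
PROFILER_CERT = b"constructed stand-in for the Firewall Profiler certificate"
OTHER_CERT = b"constructed stand-in for a different certificate, same common name"


def demo():
    tab = RemoteTab()
    # The hash is pasted with stray whitespace, as happens when copying from a web page.
    tab.add(PROFILER_CN, "  " + as_pasted(PROFILER_CERT) + "\n")
    return {
        "genuine": tab.check(PROFILER_CN, PROFILER_CERT),
        "other_cert": tab.check(PROFILER_CN, OTHER_CERT),
        "unknown_cn": tab.check("other.example.test", PROFILER_CERT),
        "not_required": check_not_required(PROFILER_CN, OTHER_CERT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the pin in place only the certificate whose hash was copied from the Firewall Profiler is accepted; with Certificate Not Required the unrelated certificate is accepted as well.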

Using Microsoft Management Console to manage MLC certificates

MLC uses the Microsoft Certificate store to manage the certificates it generates. After you install the MLC, the easiest way to view the certificates is to use the Microsoft Management Console (MMC) to view the Certificate store for the MLC service.

To use MMC:

1. Launch MMC (Start > Run > MMC).
2. Navigate to File > Add/Remove Snap-in to display the Add/Remove Snap-in dialog.
3. Click Add to display the Add Standalone Snap-in dialog.
4. Select Certificates and then click Add to display the Certificates snap-in dialog.
5. Select Service account on the Certificates snap-in dialog, and then click Next.
6. Select Local computer, and then click Next.
7. Select McAfee Login Collector from the list of services and then click Finish.
8. Click Close on the Add Standalone Snap-in dialog.
9. Click OK on the Add/Remove Snap-in dialog to close the dialog. MMC displays the certificate information for the MLC.
10. Right-click a certificate or a store to import certificate lists in the display.

Importing or removing a server or client CA certificate for MLC

See the Microsoft documentation on the Certificate snap-in for MMC for information on importing a certificate as a Certificate Authority (CA) for MLC.

Using NTLMv2 with MLCs

McAfee recommends that you use Kerberos as the authentication type (see DC Connection on page 76). If you want to use NTLM, though, you should use NTLMv2 as described in this section.

The default authentication method in Windows environments, LM hash, generates a weak response that can be used by an attacker to perform an off-line, brute-force attack in order to guess the actual password. Read this section to learn how to use the NTLMv2 authentication method for a more secure connection between an MLC and a Domain Controller.

McAfee recommends that you use the NTLMv2 authentication method on Windows 2003 servers when you are running an MLC. This enables the MLC to use NTLMv2 to authenticate to the Domain Controllers. This can only be accomplished by modifying the Registry; no changes are required on the Domain Controllers.

Caution: This procedure requires modifying the Windows 2003 Server Registry. Improper editing of the Registry could leave your system completely unusable or in an unstable state. Make a backup of your Registry before proceeding. For more information, see

If the Windows 2003 Server offers other services and there are clients that do not support NTLMv2 (for example, Windows 95 or Windows 98), this change prevents these old clients from using the server.

To force the use of NTLMv2:

1. Log on to the Windows 2003 Server where the MLC runs.
2. Launch the Registry editor (Start > Run > regedit).
3. Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
4. Right-click the value LmCompatibilityLevel. See: fr=true
5. Click Modify.
6. Type the number 5 (only use NTLMv2 authentication and negotiate NTLMv2 session security if the server supports it) and click OK.
7. Restart the Windows 2003 Server.
8. Ensure the IAM status on the Firewall Profiler is UP after 10 minutes. For more information, see System status on page 42.




More information

How To Install Securify

How To Install Securify PART NO: SV-IG-601-11-08 Securify Installation Guide 2008 McAfee, Inc. 2008 Secure Computing Corporation. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software Installation Guide McAfee Security for Microsoft Exchange 7.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Data Center Connector 3.0.0 for OpenStack

Data Center Connector 3.0.0 for OpenStack Product Guide Data Center Connector 3.0.0 for OpenStack For use with epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,

More information

Verizon Internet Security Suite Powered by McAfee User Guide

Verizon Internet Security Suite Powered by McAfee User Guide Verizon Internet Security Suite Powered by McAfee User Guide COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in

More information

Important. Please read this User s Manual carefully to familiarize yourself with safe and effective usage.

Important. Please read this User s Manual carefully to familiarize yourself with safe and effective usage. Important Please read this User s Manual carefully to familiarize yourself with safe and effective usage. About This Manual This manual describes how to install and configure RadiNET Pro Gateway and RadiCS

More information

McAfee Content Security Reporter 2.0.0

McAfee Content Security Reporter 2.0.0 Product Guide Revision A McAfee Content Security Reporter 2.0.0 For use with epolicy Orchestrator 4.6.5 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Technical Brief for Windows Home Server Remote Access

Technical Brief for Windows Home Server Remote Access Technical Brief for Windows Home Server Remote Access Microsoft Corporation Published: October, 2008 Version: 1.1 Abstract This Technical Brief provides an in-depth look at the features and functionality

More information

McAfee VirusScan Enterprise for Storage 1.0 Sizing Guide for NetApp Filer on Data ONTAP 7.x

McAfee VirusScan Enterprise for Storage 1.0 Sizing Guide for NetApp Filer on Data ONTAP 7.x McAfee VirusScan Enterprise for Storage.0 Sizing Guide for NetApp Filer on Data ONTAP 7.x COPYRIGHT Copyright 200 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

InventoryControl for use with QuoteWerks Quick Start Guide

InventoryControl for use with QuoteWerks Quick Start Guide InventoryControl for use with QuoteWerks Quick Start Guide Copyright 2013 Wasp Barcode Technologies 1400 10 th St. Plano, TX 75074 All Rights Reserved STATEMENTS IN THIS DOCUMENT REGARDING THIRD PARTY

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Virtual Appliance Setup Guide

Virtual Appliance Setup Guide The Virtual Appliance includes the same powerful technology and simple Web based user interface found on the Barracuda Web Application Firewall hardware appliance. It is designed for easy deployment on

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Networking Best Practices Guide. Version 6.5

Networking Best Practices Guide. Version 6.5 Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced or transmitted in any form

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation

More information

McAfee Endpoint Security 10.0.0 Software

McAfee Endpoint Security 10.0.0 Software Installation Guide McAfee Endpoint Security 10.0.0 Software For use with epolicy Orchestrator 5.1.1 5.2.0 software and the McAfee SecurityCenter COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

Installation Guide. McAfee SaaS Endpoint Protection 5.2.0

Installation Guide. McAfee SaaS Endpoint Protection 5.2.0 Installation Guide McAfee SaaS Endpoint Protection 5.2.0 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a

More information

Backup & Disaster Recovery Appliance User Guide

Backup & Disaster Recovery Appliance User Guide Built on the Intel Hybrid Cloud Platform Backup & Disaster Recovery Appliance User Guide Order Number: G68664-001 Rev 1.0 June 22, 2012 Contents Registering the BDR Appliance... 4 Step 1: Register the

More information

Personal Call Manager User Guide. BCM Business Communications Manager

Personal Call Manager User Guide. BCM Business Communications Manager Personal Call Manager User Guide BCM Business Communications Manager Document Status: Standard Document Version: 04.01 Document Number: NN40010-104 Date: August 2008 Copyright Nortel Networks 2005 2008

More information

Avalanche Remote Control User Guide. Version 4.1.3

Avalanche Remote Control User Guide. Version 4.1.3 Avalanche Remote Control User Guide Version 4.1.3 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway, Suite 200 South Jordan, Utah 84095

More information

Installing and Using the vnios Trial

Installing and Using the vnios Trial Installing and Using the vnios Trial The vnios Trial is a software package designed for efficient evaluation of the Infoblox vnios appliance platform. Providing the complete suite of DNS, DHCP and IPAM

More information

USER GUIDE: MaaS360 Services

USER GUIDE: MaaS360 Services USER GUIDE: MaaS360 Services 05.2010 Copyright 2010 Fiberlink Corporation. All rights reserved. Information in this document is subject to change without notice. The software described in this document

More information

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software Installation Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 Upgrade Guide McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection,

More information

eprism Email Security Suite

eprism Email Security Suite Guide eprism 2505 eprism Email Security Suite 800-782-3762 www.edgewave.com 2001 2012 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered

More information

McAfee Agent Handler

McAfee Agent Handler McAfee Agent Handler COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into

More information

PHD Virtual Backup for Hyper-V

PHD Virtual Backup for Hyper-V PHD Virtual Backup for Hyper-V version 7.0 Installation & Getting Started Guide Document Release Date: December 18, 2013 www.phdvirtual.com PHDVB v7 for Hyper-V Legal Notices PHD Virtual Backup for Hyper-V

More information

LOCKSS on LINUX. Installation Manual and the OpenBSD Transition 02/17/2011

LOCKSS on LINUX. Installation Manual and the OpenBSD Transition 02/17/2011 LOCKSS on LINUX Installation Manual and the OpenBSD Transition 02/17/2011 1 Table of Contents Overview... 3 LOCKSS Hardware... 5 Installation Checklist... 7 BIOS Settings... 10 Installation... 11 Firewall

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

TANDBERG MANAGEMENT SUITE 10.0

TANDBERG MANAGEMENT SUITE 10.0 TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

WhatsUp Gold v16.1 Installation and Configuration Guide

WhatsUp Gold v16.1 Installation and Configuration Guide WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

HOMEROOM SERVER INSTALLATION & NETWORK CONFIGURATION GUIDE

HOMEROOM SERVER INSTALLATION & NETWORK CONFIGURATION GUIDE HOMEROOM SERVER INSTALLATION & NETWORK CONFIGURATION GUIDE Level 1, 61 Davey St Hobart, TAS 7000 T (03) 6165 1555 www.getbusi.com Table of Contents ABOUT THIS MANUAL! 1 SYSTEM REQUIREMENTS! 2 Hardware

More information

Quick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved.

Quick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved. Kerio Control VMware Virtual Appliance Quick Setup Guide 2011 Kerio Technologies s.r.o. All rights reserved. This document provides detailed description on installation and basic configuration of the Kerio

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

Novell Open Workgroup Suite

Novell Open Workgroup Suite Novell Open Workgroup Suite Small Business Edition QUICK START GUIDE September 2007 v1.5 Page 1 Introduction This Quick Start explains how to install the Novell Open Workgroup Suite software on a server.

More information

EZblue BusinessServer The All - In - One Server For Your Home And Business

EZblue BusinessServer The All - In - One Server For Your Home And Business EZblue BusinessServer The All - In - One Server For Your Home And Business Quick Start Guide Version 3.8 1 2 3 EZblue Server Overview EZblue Server Installation EZblue Server Configuration 4 EZblue Magellan

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Clearswift SECURE Exchange Gateway Installation & Setup Guide. Version 1.0

Clearswift SECURE Exchange Gateway Installation & Setup Guide. Version 1.0 Clearswift SECURE Exchange Gateway Installation & Setup Guide Version 1.0 Copyright Revision 1.0, December, 2013 Published by Clearswift Ltd. 1995 2013 Clearswift Ltd. All rights reserved. The materials

More information

SmartFiler Backup Appliance User Guide 2.0

SmartFiler Backup Appliance User Guide 2.0 SmartFiler Backup Appliance User Guide 2.0 SmartFiler Backup Appliance User Guide 1 Table of Contents Overview... 5 Solution Overview... 5 SmartFiler Backup Appliance Overview... 5 Getting Started... 7

More information

Imaging License Server User Guide

Imaging License Server User Guide IMAGING LICENSE SERVER USER GUIDE Imaging License Server User Guide PerkinElmer Viscount Centre II, University of Warwick Science Park, Millburn Hill Road, Coventry, CV4 7HS T +44 (0) 24 7669 2229 F +44

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

McAfee Endpoint Encryption Reporting Tool

McAfee Endpoint Encryption Reporting Tool McAfee Endpoint Encryption Reporting Tool User Guide Version 5.2.13 McAfee, Inc. McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA Tel: (+1) 888.847.8766 For more information regarding local

More information

EZblue BusinessServer The All - In - One Server For Your Home And Business

EZblue BusinessServer The All - In - One Server For Your Home And Business EZblue BusinessServer The All - In - One Server For Your Home And Business Quick Start Guide Version 3.11 1 2 3 EZblue Server Overview EZblue Server Installation EZblue Server Configuration 4 EZblue Magellan

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide 9034968 Published April 2016 Copyright 2016 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to

More information

Software Version 5.1 November, 2014. Xerox Device Agent User Guide

Software Version 5.1 November, 2014. Xerox Device Agent User Guide Software Version 5.1 November, 2014 Xerox Device Agent User Guide 2014 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation in the United States and/or

More information

LOCKSS on LINUX. CentOS6 Installation Manual 08/22/2013

LOCKSS on LINUX. CentOS6 Installation Manual 08/22/2013 LOCKSS on LINUX CentOS6 Installation Manual 08/22/2013 1 Table of Contents Overview... 3 LOCKSS Hardware... 5 Installation Checklist... 6 BIOS Settings... 9 Installation... 10 Firewall Configuration...

More information

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Troubleshooting File and Printer Sharing in Microsoft Windows XP Operating System Troubleshooting File and Printer Sharing in Microsoft Windows XP Microsoft Corporation Published: November 2003 Updated: August 2004 Abstract File and printer sharing for Microsoft Windows

More information

Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset)

Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset) Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset) Version: 1.4 Table of Contents Using Your Gigabyte Management Console... 3 Gigabyte Management Console Key Features and Functions...

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information