Network Threat Behavior Analysis Administration Guide Revision H. McAfee Network Security Platform 8.1



COPYRIGHT

Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface 11
    About this guide
        Audience
        Conventions
    Find product documentation

Network Threat Behavior Analysis Basics

1 Overview 15
    NTBA Appliance features
    Terminologies
    NTBA components
    NTBA Appliance benefits
    NTBA Appliance types

2 Considerations for NTBA Appliance installation 25
    Ports used by the NTBA Appliance
    Resource limit matrix
    Selecting the right Virtual NTBA Appliance
    Selecting installation and upgrade files

Setting up a Physical NTBA Appliance

3 Setting up the NTBA Appliance: T-200 and T
    Install the mounting rails
    Install the NTBA Appliance in the mounting rails
    Front panel features and indicators T-500 and T
    Back panel features and indicators T
    Back panel features and indicators T
    Hardware specifications
        NTBA Appliance - technical specifications
    Cabling the T-500 NTBA Appliance
    Cabling the T-200 NTBA Appliance
    Connect the console ports
    Connect the power cables
    Install the Manager software
    Add the NTBA Appliance to the Manager
    Set up NTBA Appliance
    Verify successful NTBA Appliance configuration
        Verification process
    Download the latest NTBA Appliance software
    Upgrade NTBA Appliance software

4 Setting up the NTBA Appliance: T-600 and T
    Verify the shipment
    Download documentation
    Install the mounting rails
    Install the NTBA Appliance in the mounting rails
    Front panel features and indicators T
    Back panel features and indicators T
    Front panel features and indicators T
    Back panel features and indicators T
    Hardware specifications
    Environmental requirements
    Connect the console ports
    Connect the power cables
    Install the Manager software
    Add the NTBA Appliance to the Manager
    Set up NTBA Appliance
    Verify successful NTBA Appliance configuration
        Verification process
    Download the latest NTBA Appliance software
    Upgrade NTBA Appliance software

Setting up a Virtual NTBA Appliance

5 Setting up Virtual NTBA Appliance on an ESX server 67
    NTBA as a Virtual Appliance
    Virtual NTBA Appliance models
    Verify materials
    Selecting an OVA or ISO image
    Download the software
    Download the documentation
    Configure network port mappings on the ESX server
    Create a virtual instance using OVA image
    Create a virtual instance using ISO image
        Add a new hard disk
        Configure the CPUs
        Configure memory
        Add an NTBA Management Ethernet adapter
        Add a serial port
        Add the Virtual NTBA Appliance software
        [Optional] Remove unwanted hardware devices
        [Optional] Configure the security profile
        Install the Virtual NTBA Appliance
    Add the Virtual NTBA Appliance to the Manager
    Delete an existing Virtual NTBA Appliance

Configuring the NTBA Appliance on the Manager

6 Configuring NTBA Appliance settings 95
    Define the IP settings
    Configure the collection ports
        Enable or disable a collection port
        Port color key
    Viewing management port settings
    Add a router as an exporter
        Add interfaces to the router
    Configure L7 data collection
    Configure Network Security Sensor as an exporter
    Edit exporter configuration
    [Optional] Configure static route
    Mark exporter interfaces as internal or external
    Define zones
        Define inside zones
        Define outside zones
    Update configuration of a Sensor or an NTBA Appliance
        Deploy pending changes to a device
    Configure a Central Collector
        Display monitors for Central Collector
    NTBA exception object management
        Add exception objects
        Clone exception objects
        View or edit exception objects
        Assign exception objects
        Import exception objects
        Export exception objects
        Delete exception objects
    Alert notification options
        View alert notification details
        Forward alerts to an SNMP server
        Modify or delete SNMP server settings
        Forward alerts to a syslog server
        Configure or pager alert notifications
        Enable alert notification by script
        Configure alert suppression
        Send notifications for quarantined attacks
        Create a custom message
    Add flow exclusion
        Inherit exclusions to child domains
        Deploy configuration changes on device
    Define an external storage device
    Configure services
    Configure exporter access
    How communication rules work
        Configure a new communication rule
        Create a communication rule for XFF
        Configure Time of Day criterion for communication rules
    Configure name resolution
    How Global Threat Intelligence integrates with NTBA
        Configure IP Reputation at the global level
        Configure IP Reputation at the zone level
    Configure miscellaneous settings
    Active device profiling
        Configure active device profiling
    Advanced malware policies
        How the McAfee Gateway Anti-Malware engine works
        Download or update anti-malware signatures
    Configuring policies
        Configure the default NTBA attack settings
        Configure the NTBA policies
        Configure the worm policies
        Assign policies
        Delete policies
        Export NTBA and worm policies
        Import NTBA and worm policies
        Configure the policy fields
        Quarantine options for NTBA alerts
        Apply NTBA and worm policies

Integrating with other McAfee products

7 Integrating with McAfee Endpoint Intelligence Agent 179
    Overview
        Architecture
        Benefits
    How integration with McAfee EIA works
    Setting up McAfee EIA integration
        Verify system requirements
        Setting up McAfee Agent with ePolicy Orchestrator server
        Setting up McAfee EIA with ePolicy Orchestrator server
        Enabling McAfee EIA integration on the Manager
    Understanding executable classification
    Working with whitelisted and blacklisted hashes
        Import of whitelisted and blacklisted hashes
        Export of whitelisted and blacklisted hashes
        Move hashes from or to whitelist or blacklist
        Remove or replace hashes from whitelists and blacklists
    Configuring NTBA policies for McAfee EIA alerts
    Viewing executables running on endpoint
    Sample scenario: Analyze an unclassified executable with high malware confidence
    Viewing endpoint intelligence reports
    NTBA-EIA Deployment scenarios
    Best practices
    NTBA-EIA sizing recommendations
    Troubleshooting
        Connectivity issues
        Data not seen on Manager

8 Integrating with McAfee Global Threat Intelligence

9 Integrating with McAfee Logon Collector 227

NTBA Monitors and Reports

10 Monitoring networks 231
    Types of NTBA monitors and options
    View NTBA default monitors
        List of NTBA default monitors
        List of NTBA additional default monitors
    Create and assign custom NTBA monitors
        Create a dashboard
        Create a custom NTBA Appliance-specific monitor
    Monitoring traffic in NTBA Appliance
    NTBA Denial-of-Service profiles
        NTBA Denial-of-Service alerts
    Alerts and scans

11 Viewing NTBA reports 249
    Configuration reports
        Generate Device Summary report
        View NTBA Appliance reports
        View NTBA Configuration Summary reports
    Next generation reports
        Run a Next Generation Default report
        Create a Next Generation duplicate report
        Run Next Generation User Defined report
        Run Next Generation default report
        Create Next Generation duplicate reports

Managing the NTBA Appliance

12 Maintenance 269
    Updating software and signatures
        Download software updates
        Download signature set updates
        How to automate updates
        Manually import a software image or signature set
        Update software for a Sensor or NTBA Appliance
    Possible actions from the Devices node
        View details of a selected device
        Reboot a device from the Manager
        Shut down a Sensor or NTBA Appliance
        Upload diagnostics trace
        Import an NTBA Appliance configuration file
        Export the Sensor configuration
        Export the NTBA Appliance configuration
    Database tuning and pruning
        Tune the database
        Prune the database
    Data archive options
        Archive alerts and packet logs
        Schedule automatic archival
        Export an archive
        Delete archives from the Manager
        Restore an archive
    Manager Disaster Recovery (MDR) support for NTBA Appliance

NTBA CLI commands

13 NTBA CLI commands 291
    backup resume
    backup suspend
    clear antimalware cache
    commands
    deinstall
    deletemgrsecintf
    deletesignatures
    download antimalware updates
    exit
    factorydefaults
    help
    host-vlan
    installdb
    installntba
    loadimage
    nslookup
    passwd
    ping
    quit
    reboot
    resetconfig
    resetpasswd
    scan
    service list
    service restart
    service start
    service status
    service stop
    set antimalware cache
    set antimalware encryption
    set console timeout
    set flow-fw
    set endpointintelligence demo
    set endpointintelligence alertinterval
    set htf delta-period
    set htf max-deltas
    set manager alertport
    set manager installsensorport
    set manager ip
    set manager secondary ip
    set mgmtport auto
    set mgmtport speed and duplex
    set sensor gateway
    set sensor ip
    set sensor name
    set sensor sharedsecretkey
    set store-url-type
    set tftpserver ip
    setup
    show
    show aggstats
    show anomaly
    show antimalware encryption status
    show antimalware scandetails
    show antimalware status
    show backupstats
    show cachestats
    show dbstats
    show disk-usage
    show endpointintelligence details
    show endpointintelligence summary
    show exporters
    show fingerprinting stats
    show host-vlan
    show htf
    show intfport
    show mem-usage
    show mgmtport
    show netstat
    show nfcstats
    show pktrecvstats
    show route
    show store-url-type
    show tsstats
    shutdown
    status
    tcpdump sec
    traceupload
    unknown-interfaces-flows
    watchdog

Troubleshooting

14 Troubleshooting 365
    The NTBA Appliance does not start
        The NTBA Appliance is not receiving power
        The NTBA Appliance is not booting up
    The NTBA Appliance is not communicating with the network on the management port
    The NTBA Appliance is not communicating or receiving traffic in the collection port
    Troubleshooting a hardware failure
    If trust is not getting established
    Signature update failure/if channel is not coming up
    NetFlow is not being received at the interface level of NTBA
    If no URLs and files data are seen
    If no Application data is being received
    If no data is seen in the Top External Host By Reputation, Top URLs By Reputation, and Top URLs By Category monitors
    If no Communication alerts are seen
    If no Behavioral alerts are seen
    If Threat Analyzer is not auto-refreshing
    If no Botnet alerts are seen
    Antimalware system faults
    If no Anti-malware alerts are seen
    Database issues
    IPS Sensor troubleshooting
    Upload diagnostics trace
    Perform a NTBA Appliance system recovery procedure
    Reset the NTBA Appliance admin password to default
    Checklist for known issues
    NTBA diagnostic CLI commands

Index 385

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
    About this guide
    Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

• Administrators: people who implement and enforce the company's security program.
• Users: people who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

• Book title, term, emphasis: the title of a book, chapter, or topic; a new term; emphasis.
• Bold: text that is strongly emphasized.
• User input, code, message: commands and other text that the user types; a code sample; a displayed message.
• Interface text: words from the product interface like options, menus, buttons, and dialog boxes.
• Hypertext blue: a link to a topic or to an external website.
• Note: additional information, like an alternate method of accessing an option.
• Tip: suggestions and recommendations.
• Important/Caution: valuable advice to protect your computer system, software installation, network, business, or data.
• Warning: critical advice to prevent bodily harm when using a hardware product.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task
1 Go to the McAfee ServicePortal and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

Network Threat Behavior Analysis Basics

Chapter 1 Overview
Chapter 2 Considerations for NTBA Appliance installation


1 Overview

The McAfee NTBA Appliance is a feature-rich, non-intrusive solution for monitoring network traffic by analyzing flow information from the network in real time. The NTBA Appliance complements the IPS capabilities in a deployment where Network Security Platform IPS Sensors and NTBA Appliances are installed and managed through the McAfee Network Security Manager (Manager).

Real-time monitoring of the network reduces the time needed to solve network-related problems and helps in identifying threats. Questions such as why the network is slow, or which application has the greatest download impact, are easily answered in a network monitored by the NTBA Appliance.

The NTBA Appliance gathers flow information from across users, applications, endpoints, and network devices, and stores it in an embedded database. You can see real-time data and a moving profile of applications, endpoints, zones, and interface traffic. The NTBA Appliance provides a configurable graphical real-time view of the network traffic. Threat-related events such as endpoint scans, port scans, worm attacks, new services or applications, new endpoints, suspicious connections, DoS, P2P, and spambots can be tracked based on user-defined policies. All this information is coalesced into a summary view in the Threat Analyzer of the Manager that can be drilled down for detailed information.

The NTBA Appliance monitors for malware by detecting unauthorized reconnaissance scanning from infected laptops that could spread worm traffic. It also detects unauthorized applications, rogue web servers, and peer-to-peer applications.

Contents
    NTBA Appliance features
    Terminologies
    NTBA components
    NTBA Appliance benefits
    NTBA Appliance types

NTBA Appliance features

This section provides a high-level view of the features supported by NTBA.

• Detection of volume and threshold traffic anomalies in normal traffic within the network, and in incoming traffic once a threshold profile has been established. If the traffic is attack traffic and the burst size exceeds the threshold, an alert is raised.
• Detection of behavioral anomalies and checks for generic behavioral violations.
• Detection of communication between endpoints.

• Detection of worms and SMTP botnets based on behavior analysis. The NTBA Appliance maintains cardinality profiles for endpoints, establishes a baseline for each parameter during a given period, and updates the average of the parameters regularly. Worm outbreaks are detected by comparing the sampled parameters with the baseline parameters.
• Detection of the SMTP mail domain for mail sent from internal endpoints, and comparison of it against the configured mail domains.
• Detection of services, ports, protocols, and IP addresses.
• Detection of port scan and endpoint sweep attacks through inspection of flow packets. A combination of the source endpoint address and the destination port is used to key the scan entry. A scan entry times out after 5 seconds by default (configurable). Detection happens when the scan weight crosses a configured threshold.
• Monitoring and reporting of unusual network behavior by analyzing the flow traffic from flow-enabled switches and routers of vendors such as Cisco.
• Processing of enhanced flow packets from the IPS with Layer 7 (L7) data, without requiring a SPAN traffic feed. The IPS sends L7 data to the NTBA Appliance. The types of L7 data handled by the NTBA Appliance are FTP (Action, Banner, File Name, and User Name), HTTP (CLSID, Host Header, Request URI, Request User-Agent Header, and Server Type), NetBIOS (Action and Filename), and SMTP (Attachment, Banner, From, and To). These are used in rules and are stored in the embedded database for forensic analysis.
• Perform context-aware network forensics that analyzes an endpoint and its network activities. The Manager integrates with NTBA to capture network activity information for a time period and summarizes it for an administrator to act on.
• Perform deduplication. You can enable or disable deduplication through the Manager. When it is enabled, the NTBA Appliance checks each new flow, determines whether it is a duplicate of an already existing conversation, and processes the flow accordingly.
• Allow security investigation and forensic analysis seamlessly for IPS events.
• Check for compliance with the organization's network access policies.
• Provide an automated means, through alerts and notifications, of enforcing policies relating to anomalies, worms, and botnets. This provides real-time protection in areas not covered by signature-based detection.
• Perform forensic analysis based on past flow data.
• Identify endpoints running non-standard applications and laptop users that generate the most IDS events.
• Answer many specific queries through the various monitors in the Threat Analyzer of the Manager; for example, top N endpoints, top N services, top N files, top N URLs, and endpoint threat factor.
• Apply communication rules to flows through policies. Communication rules for a policy can be applied to inbound, outbound, or bidirectional flows. They can match a specific combination of application, service, CIDR block, file, and URL.
• Maintain destination, service, and application information for every internal endpoint.
• Maintain an Endpoint Threat Factor with the following threat ranges:
    Less than six (low/medium threat)
    Greater than or equal to six (high threat)
    Greater than or equal to nine (critical threat)

• Keep track of endpoint name changes by refreshing endpoint names at a specific time every day. If an endpoint's name has changed, the NTBA Appliance automatically updates it to the new name.
• Collect application fingerprinting information from the IPS Sensor and provide useful application visibility data for the flow traffic.
• Store data in an embedded database. The NTBA Appliance has an internal MySQL database, which is used to save processed flow data. The database has different tables for capturing the various types of processed flow data, such as conversation traffic, service traffic, and traffic per endpoint, per exporter, per service, per application, and per zone.
• Provide real-time information through default, drill-down, and custom monitors in the Threat Analyzer of the Manager.

The NTBA Appliance supports Cisco NetFlow routers.

Terminologies

Some important terms relating to J-Flow, NetFlow, and NTBA are explained in this section.

Flow

A flow is defined as a set of IP packets passing an observation point in the network during a certain time interval. All packets belonging to a particular flow have a set of common properties. Each property is defined as the result of applying a function to the following values:

• One or more packet header fields (for example, destination IP address), transport header fields (for example, destination port number), or application header fields (for example, Real Time Protocol (RTP) header fields).
• One or more characteristics of the packet itself (for example, the number of Multi-Protocol Label Switching (MPLS) labels).
• One or more fields derived from packet treatment (for example, the next-hop IP address and the output interface).

Throughout this document, flow is used to refer to both NetFlow and J-Flow.

J-Flow

J-Flow is a Juniper Networks proprietary flow monitoring implementation. Juniper devices generate summarized flow records for sampled packets. J-Flow records are compliant with the NetFlow format. Currently, McAfee supports J-Flow v5 and v9.

NetFlow

NetFlow is a flow type developed by Cisco and has two components: the flow generator and the flow collector. Currently, McAfee supports NetFlow v5 and v9. NetFlow from Palo Alto devices is also supported.

Flow exporter

Flow exporters are network devices such as routers and Sensors configured to export flow to the flow collector.
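As an added example (not code from this guide or from McAfee), the following Python parses a constructed NetFlow v5 datagram the way a flow collector receiving it from an exporter would, and then applies the scan-entry logic from the features list above: entries keyed by source address and destination port, a 5-second timeout, and an alert when the weight crosses a configured threshold. The v5 header and record layout is Cisco's published format (J-Flow v5 shares it); the weight definition (distinct destinations touched), the idle interpretation of the timeout, and all addresses and timings are assumptions for this illustration.

```python
"""Parse a NetFlow v5 datagram and run an endpoint-sweep detector over its records."""
import socket
import struct
from collections import namedtuple

# NetFlow v5 wire format (big-endian): a 24-byte header followed by up to 30
# fixed-size 48-byte flow records. J-Flow v5 records use the same layout.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

Header = namedtuple("Header", "version count sys_uptime unix_secs unix_nsecs "
                              "flow_sequence engine_type engine_id sampling")
Flow = namedtuple("Flow", "src dst dpkts doctets first last sport dport proto")


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(text))[0]


def parse_netflow_v5(datagram):
    """Return (Header, [Flow, ...]) for one exported datagram.

    A collector must not trust the exporter, so a short datagram, a foreign
    version or a record count that does not match the payload is rejected.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    hdr = Header(*HEADER.unpack_from(datagram, 0))
    if hdr.version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % hdr.version)
    if hdr.count > 30 or len(datagram) < HEADER.size + hdr.count * RECORD.size:
        raise ValueError("record count %d does not match payload length" % hdr.count)
    flows = []
    for i in range(hdr.count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(src=socket.inet_ntoa(struct.pack("!I", f[0])),
                          dst=socket.inet_ntoa(struct.pack("!I", f[1])),
                          dpkts=f[5], doctets=f[6], first=f[7], last=f[8],
                          sport=f[9], dport=f[10], proto=f[13]))
    return hdr, flows


def detect_sweeps(flows, threshold=5, timeout_ms=5000):
    """Endpoint-sweep detection keyed by (source address, destination port).

    The key and the 5-second default timeout follow the guide; the weight is
    assumed here to be the number of distinct destinations touched while the
    entry is alive (the guide does not define it). An entry idle for longer
    than timeout_ms is discarded, so a slow trickle never accumulates weight.
    One alert is raised when an entry's weight first reaches the threshold.
    """
    entries = {}   # (src, dport) -> {"dsts": set, "last": ms, "alerted": bool}
    alerts = []
    for f in sorted(flows, key=lambda x: x.first):   # records may arrive unordered
        key = (f.src, f.dport)
        entry = entries.get(key)
        if entry is None or f.first - entry["last"] > timeout_ms:
            entry = entries[key] = {"dsts": set(), "last": f.first, "alerted": False}
        entry["dsts"].add(f.dst)
        entry["last"] = f.first
        if not entry["alerted"] and len(entry["dsts"]) >= threshold:
            entry["alerted"] = True
            alerts.append({"src": f.src, "dport": f.dport,
                           "weight": len(entry["dsts"]), "sys_uptime_ms": f.first})
    return alerts


# Constructed sample traffic, not a capture: one host probes TCP/445 on five
# endpoints within 1.2 s, after a lone probe 7 s earlier; one ordinary HTTPS flow.
SAMPLE_FLOWS = [  # (src, dst, first_ms, dport)
    ("10.0.0.5", "10.0.0.9", 1000, 445),
    ("10.0.0.7", "10.0.0.20", 8100, 443),
    ("10.0.0.5", "10.0.0.10", 8000, 445),
    ("10.0.0.5", "10.0.0.11", 8300, 445),
    ("10.0.0.5", "10.0.0.12", 8600, 445),
    ("10.0.0.5", "10.0.0.13", 8900, 445),
    ("10.0.0.5", "10.0.0.14", 9200, 445),
]


def build_sample_datagram():
    """Pack SAMPLE_FLOWS as one NetFlow v5 datagram (1 SYN packet, 60 bytes each)."""
    records = b"".join(
        RECORD.pack(_ip(s), _ip(d), 0, 1, 2, 1, 60, t, t, 40000, p,
                    0, 0x02, 6, 0, 0, 0, 24, 24, 0)
        for s, d, t, p in SAMPLE_FLOWS)
    header = HEADER.pack(5, len(SAMPLE_FLOWS), 9300, 1420070400, 0, 0, 0, 0, 0)
    return header + records


if __name__ == "__main__":
    header, records = parse_netflow_v5(build_sample_datagram())
    print("NetFlow v%d datagram with %d records" % (header.version, header.count))
    for a in detect_sweeps(records):
        print("endpoint sweep: %s touched %d endpoints on port %d at sysuptime %d ms"
              % (a["src"], a["weight"], a["dport"], a["sys_uptime_ms"]))
```

The lone probe at 1000 ms is dropped by the timeout, so the alert fires on the fifth destination of the burst rather than the fourth; disabling the timeout moves it earlier.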

Flow collector

A flow collector is a device that receives the data pushed from one or more flow exporters. The collector stores the information coming from the flow exporters and provides the administrator with reporting and analysis through a graphical user interface. As the flow collector builds its archive of traffic details, a graphical user interface uses this data to provide the network administrator with details such as the top talkers on a link, who they are communicating with, what protocol or application they are using, and how long the connections last. This information can then be used for capacity planning, usage control, security, and incident resolution. The NTBA Appliance acts as a flow collector and provides reporting as well as analysis through the Manager.

Aggregator

An aggregator is an NTBA Appliance that aggregates flow data from other NTBA Appliances in a multi-NTBA Appliance setup.

Central Collector

It is possible to install more than one NTBA Appliance in a network when the geographical spread and flow volume of the network call for it. In a multiple NTBA Appliance scenario, one of the NTBA Appliances can be designated as the central collector. In such a scenario, the central collector acts as the aggregator. The designated central collector consolidates flow information from all other NTBA Appliances to provide a network-wide view.

Endpoint Threat Factor

The NTBA Appliance maintains a threat factor per endpoint in the network by correlating endpoint behavior with alerts raised on the endpoint. This risk factor is called the Endpoint Threat Factor. The NTBA Appliance calculates traffic profiles for every endpoint on the network by calculating and summarizing endpoint behavior into behavior indexes. Behavior indexes are calculated by comparing an endpoint's behavior over a period with its average behavior over a longer period. The behavior index is maintained in the database, along with the metrics and other data for every endpoint, as its traffic profile. When an alert is raised for the endpoint, the alert level is combined with the current behavior index to generate a threat factor for the endpoint.

The Endpoint Threat Factor is an index that ranges from zero to 10, including fractional values. The Endpoint Threat Factor is aged automatically if an endpoint no longer raises alerts (say, after it was quarantined following a high-criticality alert and its behavior was subsequently brought back to normal). In such a situation, the NTBA Appliance brings the behavior index of the endpoint to zero as soon as the endpoint's behavior approaches its average behavior. If an endpoint shows no anomalous behavior for long periods, its Endpoint Threat Factor remains at or decreases to zero, which is the normal Endpoint Threat Factor value for a benign endpoint.

The Endpoint Threat Factor has the following threat ranges:

• Less than six (low/medium threat)
• Greater than or equal to six (high threat)
• Greater than or equal to nine (critical threat)

De-duplication

De-duplication is the process of eliminating redundant flow data. De-duplication can be enabled or disabled for the NTBA Appliance in the Manager. Checking for duplicate flows is done only if de-duplication is enabled; redundant flows are then dropped.

Communication rules

Communication rules are traffic match and alert trigger threshold rules. Communication rules are applied to network traffic flows in relation to an NTBA policy.

NTBA zones

A zone is a way of segregating traffic either logically, based on IP addresses (CIDR zones), or physically, based on exporter interfaces (interface zones). Zones represent groups of endpoints whose traffic should be analyzed collectively for anomalous behavior. You can group the network into various logical and physical zones, and create zones according to specific network monitoring requirements. For example, you can create a zone based on a particular LAN, a server zone, or a functional zone like HR or Finance for a group of endpoints with similar functions. You can monitor traffic and security threats for individual zones, and you can create different policies for each zone and monitor them exclusively.

NTBA components

The NTBA Appliance captures flows from network devices such as routers and Sensors and analyzes them. The processed data is then forwarded to the Manager for monitoring.

The NTBA Appliance also enforces policies that can be configured through the Manager.

Figure 1-1 NTBA NetFlow flow diagram

The NTBA Appliance has a single quad-core processor in the low-end appliance and dual quad-core processors in the high-end appliance. The disks are set up through a hardware RAID controller: a RAID 0 configuration for Linux and RAID 10 (mirrored disks) for the database.

NTBA Appliance benefits

The NTBA Appliance has benefits for both operations and security requirements. The NTBA Appliance provides traffic trends that are useful as an operational tool for administering a network. Based on the customizable summary information that the NTBA Appliance provides through the Threat Analyzer of the Manager, operational decisions can be taken for effective monitoring of traffic flow.

You can secure your network by configuring policies based on anomaly and worm attacks. You can set customized alert and notification responses to attacks through the Default NTBA Attack Settings. Granular refinement of your security requirements is possible through policies applied to zones, a grouping concept that isolates network traffic either logically (IP address based) or physically (interface based). You can group the network into various logical zones (CIDR based) and physical zones (exporter interface based) and respond to security threats for an individual zone.

Common management

McAfee offers common management of its NTBA Appliance and Sensor through the Manager.

In this environment, you can add, configure, and apply policies to NTBA Appliances and to IPS Sensors from the Policy page of the Manager. You can carry out security investigation and forensic analysis seamlessly for IPS events. The NTBA Appliance can be added in the same manner as an IPS Sensor under Devices in the resource tree of the Manager, and configured in a similar manner as an IPS Sensor.

Multiple NTBA Appliance environments

Deploying multiple NTBA Appliances is an option in a network where the geographical spread and flow volume call for it. In a multiple NTBA Appliance environment, one NTBA Appliance can be designated as the Central Collector. The Central Collector consolidates information from all other NTBA Appliances and provides a network-wide view. The NTBA Appliance designated as the Central Collector acts as a data aggregator; the rest of the NTBA Appliances in the network are components (peers) of the NTBA Appliance cluster.

Figure 1-2 Aggregator - schematic view

NTBA Appliance High Availability

Primary and backup Central Collectors can be configured through the Manager. High Availability (availability of a backup NTBA Appliance in case of failure of the primary NTBA Appliance) is ensured by the Central Collector.

The Manager appoints the primary as the aggregator and informs the components and the aggregator of each other's IP addresses. If the primary goes down, the Manager appoints the backup NTBA Appliance as the aggregator, and the IP address of the new aggregator is communicated to the components. The components establish a handshake with the aggregator by a simple ACK protocol. If the aggregator does not receive the handshake from a component within a timeout, an alert is raised prompting remedial action.

High-level visibility

The NTBA Appliance is about high-level visibility into the behavior of your network. It provides a visibility umbrella over network infrastructure, firewalls, IPS, applications, and databases. The NTBA Appliance uses a combination of deterministic (based on past occurrences) and non-deterministic mechanisms to analyze flow information generated by the network infrastructure or by packet capture devices. It provides network-wide visibility to understand how systems are used, who uses them (endpoint IP address), how they connect and depend on each other, as well as the ports and protocols they connect over. The NTBA Appliance provides protection from threats that other security systems cannot identify, such as insider attacks, unauthorized servers or services, and zero-day attacks. The NTBA Appliance makes the network transparent to the administrator. This eases regulatory compliance because network behavior that did or did not occur becomes unambiguous.

Misuse detection

The NTBA Appliance catches hard-to-detect insider misuse, detects potentially harmful behavior, and helps an organization contain it before it spreads. As a decision-support system, NTBA helps organizations address the impact of various attacks and behaviors on their network.

Security and operations requirements

The NTBA Appliance provides visibility into network activity to satisfy security and operations requirements. In a network where firewalls, intrusion prevention, and security information management systems have been successfully deployed, NTBA provides the last line of defense that can identify network events and behavior not detectable using the other deployed techniques.

Passive discovery

NTBA passively discovers network assets and the nature of network communications. This is used to monitor network traffic.

Real-time picture

The NTBA Appliance also identifies policy and regulatory violations in real time. The NTBA Appliance tracks all network connectivity and assembles a real-time picture of how data flows. This can be used to plan security, to debug problems, and to keep applications up and running from an end-user perspective.

Easy exporter configuration

Network devices such as routers and IPS Sensors can be configured to export flows to the NTBA Appliance. You can define a router or IPS Sensor flow exporter, and specify ports and flow direction to forward records to NTBA for processing. McAfee M-series and NS-series Sensors can function as flow exporters and send flow information (including Layer 7 data) to NTBA Appliances. However, M-series or NS-series Sensors cannot be configured to export to a third-party NetFlow collector.

Low cost, high value

Since the NTBA Appliance uses the flow information data that is part of all standard network devices, it is a simple, low-cost, high-value offering for network security and analysis.

NTBA Appliance types

The NTBA Appliance is available as a physical or virtual appliance.

Physical NTBA Appliance

The NTBA Appliance is shipped as a physical appliance, such as the T-200 or T-500, that is pre-imaged with the NTBA software. You can use an ISO image to install NTBA on physical appliances.

Virtual NTBA Appliance

The Virtual McAfee Network Threat Behavior Analysis Appliance (hereinafter referred to as the Virtual NTBA Appliance) runs on the VMware ESX operating system, allowing you to provide flexible security for your virtual environment. You can use an ISO or OVA image to deploy NTBA on virtual appliances.


2 Considerations for NTBA Appliance installation

This chapter details the considerations for NTBA Appliance installation.

Contents
Ports used by the NTBA Appliance
Resource limit matrix
Selecting the right Virtual NTBA Appliance
Selecting installation and upgrade files

Ports used by the NTBA Appliance

The following table lists the ports used by the NTBA Appliance.

Table 2-1 Port Information for configuring firewall rules

Client | Server | Protocol | Port | User configurable? | Description | Communication
------ | ------ | -------- | ---- | ------------------ | ----------- | -------------
Any | NTBA | TCP | 22 (ssh) | No | Command Line access | SSH
Manager | NTBA | TCP | 443 (https) | No | Command channel | SSL (128-bit RC4, MD5), with client authentication
NetFlow Exporter | NTBA | UDP | 9996 | Yes | NetFlow channel | UDP
System running EIA | NTBA | UDP | 9008 | Yes | EIA service | DTLS
Sensor | NTBA | TCP | 8505 | No | IPS Channel | SSL (AES-128, SHA1)
NTBA | Manager | TCP | 8504 | No | File Transfer channel | TCP, Encryption (AES-128)
NTBA | Manager | TCP | 8502 | No | Alert channel | SSL (128-bit RC4, MD5), with client authentication
NTBA | Manager | TCP | 8501 | No | Control channel | SSL (128-bit RC4, MD5), with client authentication
NTBA | ePO Server | TCP | 8444 | Yes | For certificate signing | SSL
NTBA | NTBA | TCP | 8443 | No | Aggregation channel | SSL
NTBA | NetFlow Exporter | TCP | 22 (ssh) | No | Router ACL channel | SSH
NTBA | tunnel.web.trustedsource.org | TCP | 443 (https) | No | GTI channel | SSL
NTBA | tunnel.web.trustedsource.org | TCP | 80 | No | GTI Database download | HTTP
NTBA | DNS Server | UDP | 53 (dns) | No | DNS query | UDP
NTBA | NetFlow collector | UDP | - | Yes | NetFlow forwarding | UDP
NTBA | TFTP Server | UDP | 69 (tftp) | No | Not for customer | Not for customer
NTBA | Any endpoint | UDP | 137 (netbios-ns) | No | NetBIOS lookup | NetBIOS-NS
NTBA | list.smartfilter.com | TCP | 80 | No | GTI database download | HTTP
NTBA | BackupServer | TCP/UDP | NFS | Yes | Backup channel | NFS
NTBA | BackupServer | TCP | 445 | Yes | Backup channel | CIFS
NTBA | tau.mcafee.com | TCP | 443 | No | Anti-malware downloads | SSL
NTBA | Exporter | UDP | 161 | Yes | Query SNMP (v2c) | UDP
NTBA | Exporter | UDP | 161 | Yes | Query SNMP (v3) | UDP (MD5, SHA1, AES, DES)

Resource limit matrix

Table 2-2 Resource limit matrix

SKU | Recommended RAM | Recommended CPU | Maximum Exporters | Maximum Hosts | Flow processing rate (flows per second) | Maximum Zones
--- | --------------- | --------------- | ----------------- | ------------- | --------------------------------------- | -------------
T-200 | NA | NA | | | |
T-500 | NA | NA | | | |
T-600 | NA | NA | | | |
T-1200 | NA | NA | | | |
T-VM | 16 | 4 | Sensor/Routers: 256 | | |
T-100VM | 8 | 4 | Sensor/Routers: 256 | | |
T-200VM | 16 | 4 | Sensor/Routers: 256 | | |

Whenever the user configuration of resources does not meet the recommended values given in the resource limit matrix, an error event is raised.

Selecting the right Virtual NTBA Appliance

The number of flows for a given throughput can vary based on the traffic in your network. The following table illustrates the approximate number of flows generated based on the traffic flowing through the exporter.

Table 2-3 Correlation between number of flows and throughput from exporter

Average throughput from exporter | Number of flows per second in NTBA Appliance
-------------------------------- | --------------------------------------------
1 Gbps | ~5,000
3 Gbps | ~15,000
> 6 Gbps | ~30,000

To determine how many flows are received by IPS Sensors configured as exporters:

View the consolidated Sensor TCP/UDP flow utilization status under Manager > Threat Analyzer > Dashboards > NSP Health.

-OR-

Use the show flows CLI command on the IPS Sensor to get the same information.

For better performance of the Virtual NTBA Appliance, make sure that more CPUs are allocated to the Virtual NTBA Appliance.

Selecting installation and upgrade files

Before you download files, it is important to understand whether you wish to do a fresh installation, re-image an appliance, or upgrade existing NTBA software. The extracted download files are a combination of .iso, .ova, .jar, and .opt files.

Figure 2-1 Installation and upgrade files

Files | Description
----- | -----------
1. .jar files | If you wish to upgrade virtual appliances or existing NTBA software on physical appliances, download these files. For virtual appliances, you can upgrade a T-VM to T-100VM or T-200VM, and a T-100VM to T-200VM. For physical appliances, you can only upgrade the existing NTBA software, not the appliance itself. For example, you can upgrade the NTBA software from one version to another, but you can't upgrade a T-200 to another T-series model.
2. .ova files | If you wish to install NTBA on virtual appliances, download these files for T-VM, T-100VM, and T-200VM. We recommend deploying OVA images on virtual appliances.
3. .opt files | If you wish to upgrade virtual machines or existing NTBA software on physical appliances, you can use a TFTP server to download and load images. The .opt and .unsigned files enable you to upgrade VMs and upgrade NTBA software on appliances. This is an alternative to the .jar files.
4. .iso files | If you wish to install NTBA on physical or virtual appliances, download these files. You need to extract the WinZip files and install the specific versions.


Setting up a Physical NTBA Appliance

Chapter 3 Setting up the NTBA Appliance: T-200 and T-500
Chapter 4 Setting up the NTBA Appliance: T-600 and T-1200


3 Setting up the NTBA Appliance: T-200 and T-500

Contents
Install the mounting rails
Front panel features and indicators T-500 and T-200
Back panel features and indicators T-500
Back panel features and indicators T-200
Hardware specifications
NTBA Appliance - technical specifications
Cabling the T-500 NTBA Appliance
Cabling the T-200 NTBA Appliance
Connect the console ports
Connect the power cables
Install the Manager software
Add the NTBA Appliance to the Manager
Set up NTBA Appliance
Verify successful NTBA Appliance configuration

Install the mounting rails

Position the mounting rails correctly and install them at the same level.

Task
1 At the front of the rack, position one of the mounting rails so that its mounting bracket aligns with the required rack holes. Clip the rail into the rack.

Figure 3-1 Slide rail installation

2 At the back of the rack, pull the back mounting bracket (extending the mounting rail) so that it aligns with the required rack holes.
3 Clip the rail to the rack and secure it.
4 Repeat these steps to secure the second mounting rail to the rack.
5 Make sure that the mounting rails are at the same level on each side of the rack.

Make sure that you follow the safety warnings. When identifying where you want the NTBA Appliance to go in the rack, remember that you should always load the rack from the bottom up. If you are installing multiple NTBA Appliances, start with the lowest available position first.

Install the NTBA Appliance in the mounting rails
1 With help from another person, lift the NTBA Appliance so that the side rails at the back of the NTBA Appliance are aligned with the mounting rails in the rack, then push the NTBA Appliance into the mounting rails until it stops. Lifting the NTBA Appliance and attaching it to the rack is a two-person job.
2 Use a screwdriver to fix a screw through the front and back rack holes to secure the system to the rack.
3 Attach the provided cable management arm if required.
4 Attach the lockable bezel to protect the front panel if required.

Front panel features and indicators T-500 and T-200

The front panel features and indicators of NTBA Appliance T-500 and T-200 are as follows:

Figure 3-2 Front panel T-500 and T-200

Item | Description
---- | -----------
1 | Hard drives
2 | Optical drive
3 | Power-on indicator (on the Mini Control Panel)
4 | System identification indicator light (on the Mini Control Panel)
5 | USB connector (on the Mini Control Panel)

Back panel features and indicators T-500

The back panel features and indicators of NTBA Appliance T-500 are as follows:

Figure 3-3 Back panel T-500

Item | Description
---- | -----------
1 | System identification indicator light
2 | Console port
3 | Video connector
4 | USB ports (4)
5 | Management port
6 | Remote management module NIC
7 | Collection ports (2-copper)
8 | Power supply 1
9 | Power supply 2
10 | Collection ports (2-fiber)
11 | Power supply 1 status indicator light
12 | Power supply 2 status indicator light

Back panel features and indicators T-200

The back panel features and indicators of NTBA Appliance T-200 are as follows:

Figure 3-4 T-200 back panel

Item | Description
---- | -----------
1 | System identification indicator light
2 | Console port
3 | Video connector
4 | USB ports (4)
5 | Management port
6 | Remote management module NIC
7 | Collection ports (4-copper)
8 | Power supply 1 status indicator light
9 | Power supply 1
10 | Power supply 2 status indicator light
11 | Power supply 2

Hardware specifications

Table 3-1 Hardware specifications

Appliance model | T-200 | T-500
--------------- | ----- | -----
Form factor | 1U | 1U
Width | 16.9" (430 mm) | 16.9" (430 mm)
Depth | 27.19" (690.6 mm) | 27.19" (690.6 mm)
Height | 1.69" (43 mm) | 1.69" (43 mm)
Maximum weight | 17.2 kg (38.1 lbs) | 17.2 kg (38.1 lbs)
Redundant power supply | 650W | 650W
Quiescent power utilization | 170W | 225W
Estimated inlet power utilization (worst case scenario) | 426W | 544W

NTBA Appliance - technical specifications

Table 3-2 NTBA Appliance technical specifications

Parameter | Limits
--------- | ------
Dimensions: Height | 1.70 in
Dimensions: Depth without CMA | 26.2 in
Dimensions: Width without rails |
Dimensions: Width with rails |
Dimensions: Depth with CMA |
Operating Temperature | +10 °C to +35 °C with the maximum rate of change not to exceed 10 °C per hour
Non-Operating Temperature | -40 °C to +70 °C
Non-Operating Humidity | 90%, non-condensing at 35 °C
Acoustic noise | Sound power: 7.0 BA in an idle state at typical office ambient temperature (23 +/- 2 °C)
Shock, operating | Half sine, 2 g peak, 11 milliseconds
Shock, unpackaged | Trapezoidal, 25 g, velocity change 136 inches/second (40 lbs to <80 lbs)
Shock, packaged | Non-palletized free fall in height 24 inches (40 lbs to <80 lbs)
Vibration, unpackaged | 5 Hz to 500 Hz, 2.20 g RMS random
ESD | +/- 15 kV except I/O port +/- 8 kV per Intel Environmental test specification
System Cooling Requirement in BTU/Hr | 2250 BTU/hour

Cabling the T-500 NTBA Appliance

The T-500 NTBA Appliance has four collection ports and one management port. The collection ports connect to the network infrastructure that generates the NetFlow data from the routers and McAfee Network Security Sensors (Sensors). The four collection ports can be used to distribute the NetFlow data from different routers and Sensors. The management port connects to a network device that in turn connects to the Manager. The NTBA Appliance is managed through the Manager.

Ports for cabling in the back panel

Figure 3-5 T-500 back panel

Item | Description
---- | -----------
1 | Console port
2 | Management port
3 | Collection ports (2-copper)
4 | Collection ports (2-fiber)

Cabling the T-200 NTBA Appliance

The T-200 NTBA Appliance has four collection ports and one management port. The collection ports connect to the network infrastructure that generates the NetFlow data from routers and McAfee Network Security Sensors (Sensors). The four collection ports can be used to distribute the NetFlow data from different routers and Sensors. The management port connects to a network device that in turn connects to the Manager. The NTBA Appliance is managed through the Manager.

Ports for cabling in the back panel

Figure 3-6 T-200 back panel ports

Item | Description
---- | -----------
1 | Console port
2 | Management port
3 | Collection ports (2-copper)
4 | Collection ports (2-copper)

Connect the console ports

Task
1 Plug a console cable (RJ45 to DB9 serial) into the console port at the back panel of the NTBA Appliance.
2 Connect the other end of the cable directly to the serial port of the PC or Terminal Server you will be using to configure the NTBA Appliance (for example, a PC running correctly configured Windows HyperTerminal software).

You must connect directly to the console for initial configuration. You can't configure the NTBA Appliance remotely.

The required settings for HyperTerminal are:

Name | Setting
---- | -------
Baud rate |
Number of Bits | 8
Parity | None
Stop Bits | 1
Control Flow | None

The procedure for cabling the console port of NTBA Appliance T-1200 and T-600 is similar.

Connect the power cables

Connect one end of the power cable to the NTBA Appliance. Plug the other end of the power cable into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU). When you connect power to the appliance, the appliance immediately turns on and boots up.

Install the Manager software

Task
1 Prepare the system according to the requirements outlined in the McAfee Network Security Platform Installation Guide and McAfee Network Security Platform Release Notes.
2 Close all open applications.
3 Insert the Manager CD into the appropriate drive of the Windows server that you want to use as your Manager server. Follow the instructions in the Installation Wizard as it guides you through the entire process.

You must have administrator rights on the target Windows server to install the Manager software. A MySQL database is included with the Manager and is installed (embedded) automatically on your target Windows server during this process.

Add the NTBA Appliance to the Manager

Adding an NTBA Appliance to the Manager enables the Manager to accept communication from a physically installed and network-connected Appliance. After communication has been established, the Manager allows editing of the Appliance configuration. The alert data is available in the Threat Analyzer and Report queries.

You can add a device by selecting Devices > <Admin Domain Name> > Global > Add and Remove Devices, but it is recommended to use the Add Device Wizard to add all devices (except Virtual HIP Sensors) and to establish the trust between the Manager and the device.

Task
1 The Add Device Wizard window is displayed after the Manager Initialization Wizard is completed. McAfee recommends adding an Appliance to the Manager first. Select Devices > <Admin Domain Name> > Global > Add Device Wizard. The Preparation page is displayed.

Figure 3-7 Add Device Wizard

2 Click Next. The Add New Device page is displayed.
3 Enter the device name. The name must begin with a letter and can contain alphanumeric characters, hyphens, underscores, and periods. The length of the name is not configurable.
4 Select the Device Type as NTBA Appliance.
5 Enter the Shared Secret (repeat at Confirm Shared Secret).

The device name and shared secret are case-sensitive. The Device Name and Shared Secret must also be entered on the device command line interface (CLI) during physical installation and initialization. If not, the Appliance will not be able to register itself with the Manager.

The shared secret must be a minimum of 8 characters in length; the length of the shared secret is not configurable. The shared secret cannot start with an exclamation mark or contain any spaces. The characters that can be used while creating a shared secret are as follows:

26 alpha: upper and lower case (a, b, c, ... z and A, B, C, ... Z)
10 digits (0-9)
symbols: ~ # $ % ^ & * ( ) _ + - = [ ] { } \ ; : " ' , . < ? /

6 Select the updating mode.
7 [Optional] Enter the Contact Information and Location.
8 Click Next. The Trust Establishment page is displayed.
9 Follow the instructions on the page to complete the command line interface (CLI) setup and click Check Trust.

Using the command line interface (CLI), enter the necessary information for the Appliance identification and communication as described in Configure the Sensor. If you set up the Appliance first, you will need to return to the Appliance after the Manager addition to reset the shared secret key and begin Appliance-to-Manager communication.

10 Click Next. The Next button is enabled once the trust between the Appliance and the Manager is established. The Port Settings page is displayed.
11 Make the necessary changes and click Next. The General Settings page is displayed.
12 Define essential NTBA Appliance settings, including the flow record listening port and Ethernet port IP settings. Click Next. The DNS Settings page is displayed.

The DNS Settings page is applicable only to M-series and NS-series Sensors (software version above 7.0).

13 Configure the DNS server details. Click Next. The Exporters page is displayed. You can add a new exporter or edit an existing one.
14 Define exporters that will forward records to the NBA Sensor for processing and click Next. The Inside Zones page is displayed. You can add a new inside zone or edit an existing one.
15 Define inside zones and click Next. The Outside Zones page is displayed. You can add a new outside zone or edit an existing one.
16 Define outside zones and click Next. The Active Device Profiling page appears.

17 Select the Active Device Profiling checkbox and click Next. The Update Configuration page is displayed.
18 Click Update to start the update. The Update Configuration page is displayed.
19 Click Finish. The NTBA Appliance appears under the Device drop-down list in the Devices tab. It also appears in Add and Remove Devices in the Global tab.

Figure 3-8 Add and Remove Devices

20 To edit or delete an existing device, click Edit or Delete.
21 Skip the chapter Setting up Virtual NTBA Appliance on an ESX server and proceed to the chapter Configuring NTBA Appliance settings.

See also
Configuring NTBA Appliance settings on page 4

Set up NTBA Appliance

Task
1 Plug a console cable (RJ45 to DB9 serial) into the console port at the back panel of the NTBA Appliance.
2 Connect the other end of the cable directly to the serial port of the PC or Terminal Server you are using to configure the NTBA Appliance (for example, a PC running correctly configured Windows HyperTerminal software).

The required settings for HyperTerminal are:

Name | Setting
---- | -------
Baud rate |
Number of Bits | 8
Parity | None
Stop Bits | 1
Control Flow | None

3 Run HyperTerminal.
4 At the logon prompt, log on to the NTBA Appliance using the default user name admin and password admin.

5 At the Press Y to start the setup now or N to do it later prompt, enter Y. Set and confirm a setup password. Wait for some time while the NTBA Appliance is configured.
6 At the Please enter the sensor name prompt, enter the name of the NTBA Appliance. The values between <> characters are to be entered by the user, excluding the <> characters. Example: ntba_appliance_1

The NTBA Appliance name is a case-sensitive alphanumeric character string of up to 25 characters. The string must begin with a letter and can include hyphens, underscores, and periods, but not spaces. The NTBA Appliance name typed here must be identical to the one entered against Device Name in the Add New Device page of the Manager.

7 At the Please enter the sensor IP(A.B.C.D) prompt, type the management port IP address of the NTBA Appliance. Specify a 32-bit address written as four eight-bit numbers separated by periods, as in <A.B.C.D>, where each of A, B, C, and D is an eight-bit number. Example:

Setting the IP address for the first time during the initial configuration of the NTBA Appliance does not require an NTBA Appliance reboot. Subsequent changes to the IP address, however, require a reboot for the change to take effect.

8 At the Please enter the sensor subnet mask(A.B.C.D) prompt, type the management port subnet mask of the Appliance. <A.B.C.D> represents the subnet mask. Example:
9 At the Please enter the manager primary IPv4 address(A.B.C.D) prompt, type the IPv4 address of the Manager server. Example:
10 (Optional) At the Press Y to configure manager secondary IP address prompt, type Y if you wish to set a Manager secondary IP address. By default, this is set to N.
11 At the Please enter the sensor default gateway(A.B.C.D) prompt, type the gateway IP address. Use the same convention as for the Sensor IP address. The gateway must be reachable; you should be able to ping it. Example:
12 Make sure you have set a shared secret key on the Manager for this Sensor.
13 At the Please enter shared secret key prompt, type the shared secret key value. This value is used to establish a trust relationship between the NTBA Appliance and the Manager.
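The name and shared-secret rules stated for step 6 and step 13 above, and for the Add New Device page of the Manager, must be satisfied identically at both ends or the Appliance cannot register. The following checker is an added example, not code from the guide or the product; the function names are hypothetical, the symbol set is transcribed from the guide's printed list, and the sample values are constructed.

```python
# Device name rules from the guide: must begin with a letter; letters, digits,
# hyphens, underscores and periods are allowed; no spaces; up to 25 characters
# at the CLI; compared case-sensitively with the Manager's Device Name.
NAME_MAX_LEN = 25
NAME_ALLOWED = set("abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "0123456789._-")

# Shared secret rules from the guide: at least 8 characters, must not start
# with '!', must not contain spaces, and is drawn from 26 letters (both
# cases), 10 digits and the symbol list printed in the guide (transcribed
# here as the set below). Note that '!' is absent from that printed list.
SECRET_MIN_LEN = 8
SECRET_ALLOWED = set("abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789"
                     "~#$%^&*()_+-=[]{}\\;:\"',.<?/")


def check_device_name(name):
    """Return the list of rule violations for a device name ([] means OK)."""
    problems = []
    if not name:
        return ["device name is empty"]
    if not (name[0].isascii() and name[0].isalpha()):
        problems.append("must begin with a letter")
    if len(name) > NAME_MAX_LEN:
        problems.append("longer than %d characters" % NAME_MAX_LEN)
    bad = sorted({c for c in name if c not in NAME_ALLOWED})
    if bad:
        problems.append("disallowed characters: "
                        + " ".join(repr(c) for c in bad))
    return problems


def check_shared_secret(secret):
    """Return the list of rule violations for a shared secret ([] means OK)."""
    problems = []
    if len(secret) < SECRET_MIN_LEN:
        problems.append("shorter than %d characters" % SECRET_MIN_LEN)
    if secret.startswith("!"):
        problems.append("must not start with an exclamation mark")
    if " " in secret:
        problems.append("must not contain spaces")
    # Spaces are already reported above, so exclude them from this check.
    bad = sorted({c for c in secret if c not in SECRET_ALLOWED and c != " "})
    if bad:
        problems.append("characters outside the documented set: "
                        + " ".join(repr(c) for c in bad))
    return problems


def check_pair(manager_name, manager_secret, cli_name, cli_secret):
    """Check the Manager-side values and that the CLI-side values match.

    The guide states that both the device name and the shared secret are
    case-sensitive and must be identical on the Manager and at the Appliance
    CLI; otherwise trust establishment fails. Returns a list of findings.
    """
    findings = ["device name: " + p for p in check_device_name(manager_name)]
    findings += ["shared secret: " + p
                 for p in check_shared_secret(manager_secret)]
    if manager_name != cli_name:
        findings.append("device name differs between Manager and CLI "
                        "(names are case-sensitive)")
    if manager_secret != cli_secret:
        findings.append("shared secret differs between Manager and CLI "
                        "(secrets are case-sensitive)")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs (Manager name, Manager secret, CLI name,
    # CLI secret); the second differs only in the case of the name.
    samples = [
        ("ntba_appliance_1", "Tr0ub4dor&3", "ntba_appliance_1", "Tr0ub4dor&3"),
        ("ntba_appliance_1", "Tr0ub4dor&3", "NTBA_appliance_1", "Tr0ub4dor&3"),
        ("1st-ntba", "!short", "1st-ntba", "!short"),
    ]
    for sample in samples:
        print(sample[0], "->", check_pair(*sample) or ["OK"])
```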

14 Type the same shared secret key value that you typed in the Add New Device page of the Manager. The NTBA Appliance prompts you to verify the value. Make sure that the configuration settings to this point have successfully established the NTBA Appliance on the network.
15 Type the value again and press ENTER.

You can change the NTBA Appliance password by using the passwd command. A password must be between 8 and 25 characters, is case-sensitive, and can consist of any alphanumeric character or symbol. McAfee strongly recommends that you choose a password with a combination of characters that is easy for you to remember but difficult for someone else to guess.

Verify successful NTBA Appliance configuration

You can check whether the NTBA Appliance is configured and available as follows:

At the NTBA Appliance console, type status. The status information of the NTBA Appliance is displayed. This includes whether the NTBA Appliance is initialized and its health status.

Figure 3-9 'status' command result

At the NTBA Appliance console, type show. The system information is displayed. This includes system uptime and the status of the Management port link.

Figure 3-10 'show' command result

To exit the session, type exit.

To view or configure the settings of the collection ports for the NTBA Appliance, open the configuration page at Devices > Device List > <Device_Name> > Setup > Physical Ports.

Figure 3-11 NTBA Physical Ports page

Download the latest NTBA Appliance software

Task
1 Select <Admin Domain Name> > Update Server > Software. The Sensor Software page is displayed.

Figure 3-12 Sensor Software page

2 Select the latest software listed under Software Available for Download and click Download. The Download Status page is displayed.

Figure 3-13 Download Status page

3 Click Close Window once the download is complete. The downloaded software is listed under Software on the Manager in the Sensor Software page, as well as in the Software Upgrade page (<Admin Domain Name> > Device List/<NTBA Appliance> > Physical Device > Software Upgrade).

Upgrade NTBA Appliance software

You need to upgrade to the latest available version from the Manager.

Task
1 Select Devices > <Admin Domain Name> > Devices > <NTBA Appliance> > Maintenance > Deploy Device Software. The Deploy Device Software page is displayed.

Figure 3-14 Software Upgrade page

2 Select the latest software listed under Software Ready for Installation and click Upgrade. The Download Status page is displayed.
3 Click Close Window once the download is complete.


4 Setting up the NTBA Appliance: T-600 and T-1200

Contents
Verify the shipment
Download documentation
Install the mounting rails
Front panel features and indicators T-1200
Back panel features and indicators T-1200
Front panel features and indicators T-600
Back panel features and indicators T-600
Hardware specifications
Environmental requirements
Connect the console ports
Connect the power cables
Install the Manager software
Add the NTBA Appliance to the Manager
Set up NTBA Appliance
Verify successful NTBA Appliance configuration

Verify the shipment

Check for these contents that are shipped with the McAfee Network Threat Behavior Analysis Appliance (NTBA Appliance).

NTBA Appliance
Accessory kit containing:
  NTBA Appliance Quick Start Guide
  Lockable front bezel with key
  Power cords (2)
  Console cable (1)
  System diagnostic USB flash drive
  System restore (recovery / image re-installation) USB flash drive
  Tool-less slide rail (2)
  Chassis cable management arm

If any of the contents from the preceding list are missing or damaged, contact McAfee support.

Download documentation

Download the product documentation for the NTBA Appliance.

1 Go to the McAfee ServicePortal and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display the list of documents.
3 Download these documents:
  McAfee Network Threat Behavior Analysis Release Notes
  McAfee Network Threat Behavior Analysis Administration Guide

Install the mounting rails

Position the mounting rails correctly and install them at the same level.

Task
1 At the front of the rack, position one of the mounting rails so that its mounting bracket aligns with the required rack holes. Clip the rail into the rack.

Figure 4-1 Slide rail installation

2 At the back of the rack, pull the back mounting bracket (extending the mounting rail) so that it aligns with the required rack holes.
3 Clip the rail to the rack and secure it.
4 Repeat these steps to secure the second mounting rail to the rack.
5 Make sure that the mounting rails are at the same level on each side of the rack.

Make sure that you follow the safety warnings. When identifying where you want the NTBA Appliance to go in the rack, remember that you should always load the rack from the bottom up. If you are installing multiple NTBA Appliances, start with the lowest available position first.

Install the NTBA Appliance in the mounting rails
1 With help from another person, lift the NTBA Appliance so that the side rails at the back of the NTBA Appliance are aligned with the mounting rails in the rack, then push the NTBA Appliance into the mounting rails until it stops. Lifting the NTBA Appliance and attaching it to the rack is a two-person job.
2 Use a screwdriver to fix a screw through the front and back rack holes to secure the system to the rack.
3 Attach the provided cable management arm if required.
4 Attach the lockable bezel to protect the front panel if required.

Front panel features and indicators T-1200
The front panel features and indicators of NTBA Appliance T-1200 are as follows:
Figure 4-2 Front panel T-1200
Item   Description
0-11   Hard Drive Bays (12)
12     Front Control Panel

Front Control Panel options
1      Power button with integrated indicator light
2      Hard Drive Activity indicator light
3      System ID button integrated with indicator light
4      System Cold Reset button
5      System NIC 4 Activity indicator light
6      System NIC 3 Activity indicator light
7      Non-maskable interrupt (NMI) button
8      System Status indicator light
9      System NIC 2 Activity indicator light
10     System NIC 1 Activity indicator light (Management port)

Back panel features and indicators T-1200
The T-1200 NTBA Appliance has three collection ports and one management port. For cabling, use ports 1 to 10 on the back panel. The collection ports connect to the network infrastructure that generates the NetFlow data from the routers and McAfee Network Security Sensors (Sensors). The three collection ports can be used to distribute the NetFlow data from different routers and Sensors. The management port connects to a network device that in turn connects to the Manager. The NTBA Appliance is managed through the Manager.
Figure 4-3 Back panel T-1200
Item   Description
1      Power supply 1
2      Power supply 2
3      Management port (1)
4-6    Collection ports (3)
7      Video connector
8      Console port
9      USB ports (3)
10     Remote Management Module (RMM4 NIC) port
11     Add-in card slots

Front panel features and indicators T-600
The front panel features and indicators of NTBA Appliance T-600 are as follows:
Figure 4-4 Front panel T-600
Item   Description
0-3    Hard drive bays (4)
4      Front Control Panel
5      USB ports (2)
6      Video connector

Front Control Panel options
1      System ID button integrated with indicator light
2      Non-maskable interrupt (NMI) button
3      System NIC 1 Activity indicator light (Management port)
4      System NIC 3 Activity indicator light
5      System Status indicator light
6      Power button with integrated indicator light
7      Hard Drive Activity indicator light
8      System Cold Reset button
9      System NIC 4 Activity indicator light
10     System NIC 2 Activity indicator light

Back panel features and indicators T-600
The T-600 NTBA Appliance has three collection ports and one management port. For cabling, use ports 1 to 10 on the back panel.
Figure 4-5 Back panel T-600
Item   Description
1      Power supply 1
2      Power supply 2
3      Management port (1)
4-6    Collection ports (3)
7      Video connector
8      Console port
9      USB ports (3)
10     Remote Management Module (RMM4 NIC) port
11     Add-in card slots

Hardware specifications
These are the hardware specifications for T-1200 and T-600.
Table 4-1 Hardware specifications
Appliance model                                            T-1200                T-600
Form factor                                                2U                    1U
Width                                                      in (438 mm)           in (438 mm)
Depth                                                      in (707.8 mm)         in ( mm)
Height                                                     3.45 in (87.6 mm)     1.7 in (43.2 mm)
Maximum weight                                             21.6 kg (47.65 lbs)   kg (33 lbs)
Redundant power supply                                     750W                  750W
Estimated inlet power utilization (worst case scenario)    666W                  402W
Quiescent power utilization (@ 120V)                       230W                  140W
Flows per second (fps)

Environmental requirements
These are the system level operating and non-operating environmental limits.
Table 4-2 NTBA Appliance environmental requirements
Parameter                               Limits
Operating Temperature                   +10 °C to +35 °C with the maximum rate of change not to exceed 10 °C per hour
Non-Operating Temperature               -40 °C to +70 °C
Non-Operating Humidity                  50% to 90%, non-condensing at 35 °C
Acoustic noise                          Sound power: 7.0 BA in an idle state at typical office ambient temperature (23 +/- 2 °C)
Shock, operating                        Half sine, 2 g peak, 11 milliseconds
Shock, unpackaged                       Trapezoidal, 25 g, velocity change 136 inches/second ( 40 lbs to <80 lbs)
Shock, packaged                         Non-palletized free fall in height 18 inches ( 40 lbs to <80 lbs)
Vibration, unpackaged                   5 Hz to 500 Hz, 2.20 g RMS random
Vibration, packaged                     5 Hz to 500 Hz, 1.09 g RMS random
ESD, Air Discharged                     12 kV
ESD, Contact Discharge                  8 kV
System Cooling Requirement in BTU/Hr    T-1200: 2280 BTU/Hr; T-600: 1370 BTU/Hr

Connect the console ports
Task
1 Plug a console cable (RJ45 to DB9 serial) into the console port at the back panel of the NTBA Appliance.
2 Connect the other end of the cable directly to the serial port of the PC or Terminal Server you will be using to configure the NTBA Appliance (for example, a PC running correctly configured Windows HyperTerminal software).
You must connect directly to the console for initial configuration. You can't configure the NTBA Appliance remotely.
The required settings for HyperTerminal are:
Name             Setting
Baud rate
Number of Bits   8
Parity           None
Stop Bits        1
Control Flow     None
The procedure for cabling the console port of NTBA Appliance T-1200 and T-600 is similar.

Connect the power cables
Connect one end of the power cable to the NTBA Appliance. Plug the other end of the power cable into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU). When you connect power to the appliance, the appliance immediately turns on and boots up.

Install the Manager software
Task
1 Prepare the system according to the requirements outlined in the McAfee Network Security Platform Installation Guide and McAfee Network Security Platform Release Notes.
2 Close all open applications.
3 Insert the Manager CD into the appropriate drive of the Windows server that you want to use as your Manager server. Follow the instructions in the Installation Wizard as it guides you through the entire process.
You must have administrator rights on the target Windows server to install the Manager software. A MySQL database is included with the Manager and is installed (embedded) automatically on your target Windows server during this process.

Add the NTBA Appliance to the Manager
Adding an NTBA Appliance to the Manager enables the Manager to accept communication from a physically installed and network-connected Appliance. After communication has been established, the Manager allows editing of the Appliance configuration. The alert data is available in the Threat Analyzer and Report queries.
You can add a device by selecting Devices <Admin Domain Name> Global Add and Remove Devices, but it is recommended to use the Add Device Wizard to add all devices (except Virtual HIP Sensors) and to establish the trust between the Manager and the device.

Task
1 The Add Device Wizard window is displayed after the Manager Initialization Wizard is completed. McAfee recommends that you first add an Appliance to the Manager. Select Devices <Admin Domain Name> Global Add Device Wizard. The Preparation page is displayed.
Figure 4-6 Add Device Wizard
2 Click Next. The Add New Device page is displayed.
3 Enter the device name. The name must begin with a letter and can contain alphanumeric characters, hyphens, underscores and periods. The length of the name is not configurable.
4 Select the Device Type as NTBA Appliance.
5 Enter the Shared Secret (repeat at Confirm Shared Secret).
The device name and shared secret are case-sensitive. The Device Name and Shared Secret must also be entered on the device command line interface (CLI) during physical installation and initialization. If not, the Appliance will not be able to register itself with the Manager.
The shared secret must be a minimum of 8 characters in length; the length of the shared secret is not configurable. The shared secret cannot start with an exclamation mark or have any spaces. The characters that can be used while creating a shared secret are as follows:
  26 alpha: upper and lower case (a, b, c, ... z and A, B, C, ... Z)
  10 digits:
  symbols: ~ # $ % ^ & * ( ) _ + - = [ ] { } \ ; : " ' , . < ? /
6 For an NTBA Appliance, the Updating mode is set to Online.

7 [Optional] Enter the Contact Information and Location.
8 Click Next. The Trust Establishment page is displayed.
9 Follow the instructions on the page to complete the command line interface (CLI) setup and click Check Trust.
Using the command line interface (CLI), enter the necessary information for the Appliance identification and communication as described in the McAfee Network Security Platform Installation Guide. If you set up the NTBA Appliance before adding it to the Manager, you need to return to the Appliance after the Manager addition to reset the shared secret key and begin Appliance-to-Manager communication.
10 Click Next. The Next button is enabled once the trust between the Appliance and the Manager is established. The Port Settings page is displayed. By default, the collection ports are disabled.
11 Enable the ports and modify settings. Click Save and then Next. The General Settings page is displayed.
12 Configure NTBA Appliance settings for collection ports. Click Next. The DNS Settings page is displayed.
13 By default, global settings are inherited. If you wish, modify the DNS server details. Click Next. The Exporters page is displayed.
14 Add a router exporter that will forward records to the NBA Sensor for processing and click Next. To add an IPS exporter, go to IPS devices. The Inside Zones page is displayed.
15 Add a new inside zone or edit the default inside zones. Click Next. The Outside Zones page is displayed.
16 Add a new outside zone or edit the default outside zone. Click Next. The Update Configuration page is displayed.
17 On the Active Device Profiling page, select the Active Device Profiling checkbox and click Next.

18 Click Update to deploy the configuration on the device. This might take some time. The Update Status bar displays 100% complete.
19 Click Finish. On the Devices tab, under the Device drop-down list, the NTBA Appliance is added. From the Global Add and Remove Devices option, you can also view the added Appliance.
Figure 4-7 Add and Remove Devices

Set up NTBA Appliance
Task
1 Plug a console cable (RJ45 to DB9 serial) into the console port at the back panel of the NTBA Appliance.
2 Connect the other end of the cable directly to the serial port of the PC or Terminal Server you are using to configure the NTBA Appliance (for example, a PC running correctly configured Windows HyperTerminal software).
The required settings for HyperTerminal are:
Name             Setting
Baud rate
Number of Bits   8
Parity           None
Stop Bits        1
Control Flow     None
3 Run HyperTerminal.
4 At the logon prompt, log on to the NTBA Appliance using the default user name admin and password admin.
5 At the Press Y to start the setup now or N to do it later prompt, enter Y. Set and confirm a setup password. Wait for some time for the NTBA Appliance to be configured.
6 At the Please enter the sensor name prompt, enter the name of the NTBA Appliance. The values between <> characters are to be entered by the user, excluding the <> characters.
Example: ntba_appliance_1
The NTBA Appliance name is a case-sensitive alphanumeric character string of up to 25 characters. The string must begin with a letter and can include hyphens, underscores and periods, but not spaces. The NTBA Appliance name typed here must be identical to the one entered against Device Name in the Add New Device page of the Manager.

7 At the Please enter the sensor IP(A.B.C.D) prompt, type the management port IP address of the NTBA Appliance. Specify a 32-bit address written as four eight-bit numbers separated by periods as in <A.B.C.D>, where A, B, C, or D is an eight-bit number between
Example:
Setting the IP address for the first time during the initial configuration of the NTBA Appliance does not require an NTBA Appliance reboot. Subsequent changes to the IP address, however, require a reboot for the change to take effect.
8 At the Please enter the sensor subnet mask(A.B.C.D) prompt, type the management port subnet mask of the Appliance. <A.B.C.D> represents the subnet mask.
Example:
9 At the Please enter the manager primary IPv4 address(A.B.C.D) prompt, type the IPv4 address of the Manager server.
Example:
10 (Optional) At the Press Y to configure manager secondary IP address prompt, type Y if you wish to set a Manager secondary IP address. By default, this is set to N.
11 At the Please enter the sensor default gateway(A.B.C.D) prompt, type the IP address. Use the same convention as for the Sensor IP address. The gateway must be reachable; you should be able to ping it.
Example:
12 Make sure you have set a shared secret key on the Manager for this Sensor.
13 At the Please enter shared secret key prompt, type the shared secret key value. This value is used to establish a trust relationship between the NTBA Appliance and the Manager.
14 Type the same shared secret key value that you typed in the Add New Device page of the Manager. The NTBA Appliance prompts you to verify the value. Make sure that the configuration settings to this point have successfully established the NTBA Appliance on the network.
15 Type the value again and press ENTER.
You can change the NTBA Appliance password by using the passwd command.
A password must be between 8 and 25 characters, is case-sensitive, and can consist of any alphanumeric character or symbol. McAfee strongly recommends that you choose a password with a combination of characters that is easy for you to remember but difficult for someone else to guess.
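The Add Device Wizard and the CLI setup steps above each state rules for the device name, the shared secret and the password, and warn that a case mismatch between what is typed in the Manager and at the CLI stops the Appliance from registering. The following pre-check collects those rules in one place so the values can be validated before they are entered on either side. It is an added example and not McAfee code or any part of the NTBA product: the function names are my own, the shared-secret symbol list is the one printed in this guide, the "no whitespace" rule for passwords is an assumption, and the sample values at the bottom are constructed placeholders.

```python
"""Pre-check for the values entered in the Add Device Wizard and at the NTBA CLI.

Added example, not McAfee code. It encodes the guide's stated rules for the
Device Name / NTBA Appliance name, the Shared Secret, the CLI password and the
dotted-quad addresses, so a typo or case mismatch is caught before the
Appliance fails to register with the Manager.
"""
from __future__ import annotations

import re
import string

# Symbols the guide lists as permitted in a shared secret (copied as printed).
SHARED_SECRET_SYMBOLS = set('~#$%^&*()_+-=[]{}\\;:"\',.<?/')
SHARED_SECRET_ALLOWED = set(string.ascii_letters + string.digits) | SHARED_SECRET_SYMBOLS

# Name rules: leading letter, then letters, digits, '-', '_' or '.';
# the CLI accepts at most 25 characters for the Appliance name.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")
NAME_MAX_LEN = 25
PASSWORD_MIN_LEN, PASSWORD_MAX_LEN = 8, 25


def check_device_name(name: str) -> list[str]:
    """Return rule violations for a Device Name / Appliance name (empty list = valid)."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name must start with a letter and use only letters, digits, '-', '_', '.'")
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name must be at most {NAME_MAX_LEN} characters")
    return problems


def check_shared_secret(secret: str) -> list[str]:
    """Return rule violations for the Manager/Appliance shared secret."""
    problems = []
    if len(secret) < 8:
        problems.append("shared secret must be at least 8 characters")
    if secret.startswith("!"):
        problems.append("shared secret must not start with '!'")
    if " " in secret:
        problems.append("shared secret must not contain spaces")
    # Anything outside the guide's printed character list is rejected too.
    unexpected = sorted(set(secret) - SHARED_SECRET_ALLOWED - {" "})
    if unexpected:
        problems.append("shared secret uses characters outside the permitted set: " + "".join(unexpected))
    return problems


def check_password(password: str) -> list[str]:
    """Return rule violations for the CLI password set with `passwd`."""
    problems = []
    if not PASSWORD_MIN_LEN <= len(password) <= PASSWORD_MAX_LEN:
        problems.append(f"password must be {PASSWORD_MIN_LEN} to {PASSWORD_MAX_LEN} characters")
    # Assumption (not stated in the guide): whitespace and control characters are not accepted.
    if any(c.isspace() or not c.isprintable() for c in password):
        problems.append("password must not contain whitespace or control characters")
    return problems


def is_dotted_quad(address: str) -> bool:
    """True if `address` is four decimal octets, each 0..255, separated by periods."""
    parts = address.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def check_registration_inputs(manager_name: str, manager_secret: str,
                              cli_name: str, cli_secret: str) -> list[str]:
    """Validate the Manager-side values and confirm the CLI-side values match them exactly.

    Both the name and the secret are case-sensitive, so a case difference is a
    registration failure, not a cosmetic one.
    """
    problems = check_device_name(manager_name) + check_shared_secret(manager_secret)
    if manager_name != cli_name:
        problems.append("Device Name in the Manager and sensor name at the CLI differ (case-sensitive)")
    if manager_secret != cli_secret:
        problems.append("shared secret in the Manager and at the CLI differ (case-sensitive)")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not from any real deployment.
    print(check_registration_inputs("ntba_appliance_1", "N7ba-Key#2015",
                                    "ntba_appliance_1", "N7ba-Key#2015"))
    print(check_registration_inputs("ntba_appliance_1", "N7ba-Key#2015",
                                    "NTBA_Appliance_1", "n7ba-key#2015"))
    print(check_password("Adm1n-Pass"), is_dotted_quad("192.0.2.10"), is_dotted_quad("192.0.2.256"))
```

Run the checks on the values you intend to type before starting the wizard; an empty list from `check_registration_inputs` means the pair of values will be accepted on both sides as far as the stated rules go. The IPv4 check only validates the dotted-quad form, which is all the CLI prompts require.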

Verify successful NTBA Appliance configuration
You can check whether the NTBA Appliance is configured and available by executing the following actions:
Verification process
You can check the NTBA Appliance configuration as follows:
At the NTBA Appliance console, type status. The status information of the NTBA Appliance is displayed. This includes information on whether the NTBA Appliance is initialized and its health status.
Figure 4-8 'status' command result

At the NTBA Appliance console, type show. The system information is displayed. This includes information on system uptime and the status of the Management port link.
Figure 4-9 'show' command result
To exit the session, type exit.
To view or configure the settings of the collection ports for the NTBA appliance, access the configuration page in Devices Device List <Device_Name> Setup Physical Ports.
Figure 4-10 NTBA Physical Ports page

Download the latest NTBA Appliance software
Task
1 Select <Admin Domain Name> Update Server Software. The Sensor Software page is displayed.
Figure 4-11 Sensor Software page

2 Select the latest software listed under Software Available for Download and click Download. The Download Status page is displayed.
Figure 4-12 Download Status page
3 Click Close Window once the download is complete. The downloaded software is listed under Software on the Manager in the Sensor Software page and also in the Software Upgrade page (<Admin Domain Name> Device List/<NTBA Appliance> Physical Device Software Upgrade).

Upgrade NTBA Appliance software
You need to upgrade to the latest available version from the Manager.
Task
1 Select Devices <Admin Domain Name> Devices <NTBA Appliance> Maintenance Deploy Device Software. The Deploy Device Software page is displayed.
Figure 4-13 Software Upgrade page
2 Select the latest software listed under Software Ready for Installation and click Upgrade. The Download Status page is displayed.
3 Click Close Window once the download is complete.

Setting up a Virtual NTBA Appliance
Chapter 5 Setting up Virtual NTBA Appliance on an ESX server


5 Setting up Virtual NTBA Appliance on an ESX server
This chapter describes the steps to configure your Virtual NTBA Appliance.
Contents
  NTBA as a Virtual Appliance
  Virtual NTBA Appliance models
  Verify materials
  Selecting an OVA or ISO image
  Download the software
  Download the documentation
  Configure network port mappings on the ESX server
  Create a virtual instance using OVA image
  Create a virtual instance using ISO image
  Add the Virtual NTBA Appliance to the Manager
  Delete an existing Virtual NTBA Appliance

NTBA as a Virtual Appliance
A virtual machine is a software implementation of a computer in which an operating system or a program can be installed and run. While the virtual machine emulates a physical computing environment, requests for CPU, memory, hard disk, hardware resources, and network are managed by a virtualization layer. Virtual machines are created within a virtualization layer, such as a hypervisor or a virtualization platform, that runs on top of a client or a server operating system. This operating system is known as the host operating system. The virtualization layer can be used to create many individual, isolated virtual machine environments.
McAfee Network Threat Behavior Analysis Virtual Appliance (hereinafter referred to as the Virtual NTBA Appliance) runs on the VMware ESX operating system, allowing you to provide flexible security for your virtual environment.
McAfee provides a single instance of the Virtual NTBA Appliance (T-VM) with every new purchase of Network Security Manager. For T-VM, you can configure only two standalone/failover IPS Sensors to send NetFlows to the Virtual NTBA Appliance. The maximum number of exporters (IPS Sensors and Routers) supported by the NTBA Appliance is 256.
If you are an existing user of Network Security Manager, you can download and install a single instance of the Virtual NTBA Appliance either by using the open virtualization format (OVF) image or the ISO image by extracting CD/DVD image files.

Open Virtualization Format (OVF) is an open standard across various virtualization platforms for packaging and distributing the software to be run on virtual machines. An OVF virtual machine consists of a folder containing virtual machine files and a file describing them. An Open Virtualization Appliance (OVA) file is a single compressed file that contains the contents of an OVF folder.
The NTBA OVA image comes with pre-installed NTBA Appliance software, including the recommended configurations, and is therefore easier to deploy. McAfee recommends that you deploy the Virtual NTBA Appliance using the OVA image going forward.
You can also install the Virtual NTBA Appliance using the ISO image by extracting the CD/DVD image files. You will have to configure the hard disks, CPUs, memory, and serial port separately as explained in the section Create a virtual instance using ISO image.

Virtual NTBA Appliance models
McAfee supports these Virtual NTBA Appliances.
  T-VM: Available free with every new purchase of Network Security Manager
  T-100VM and T-200VM: Two stock-keeping units (SKU) for paid virtual NTBA Appliance
You can upgrade your T-VM to NTBA T-100 or T-200 Virtual Appliance software. However, once you have upgraded, you cannot downgrade. For example, if you have upgraded your Virtual NTBA Appliance software to Virtual NTBA T-200 Appliance, you cannot downgrade to Virtual NTBA T-100 Appliance or any version of Virtual NTBA Appliance. For more information, refer to the McAfee Network Security Platform Upgrade Guide.

Verify materials
Make sure that you have all the necessary documents and hardware to set up your Virtual NTBA Appliance.
Grant letter
When you purchase or request an evaluation for Network Security Platform, an email is sent to the point of contact for your company on record at McAfee.
The email contains the:
  Serial number
  Grant number
Hardware
The following resources must be dedicated for the Virtual NTBA Appliance.
Table 5-1 VMware ESX server requirements for Virtual NTBA Appliance
Component                  Details
Virtualization software    VMware ESX 5.0 and higher
Network ports              5 (One network management port and four network collection ports)*
Storage                    500 GB (create two partitions: 250 GB and 250 GB)
*If you want to use only two collection ports, then create two switches and add two collection ports to Switch 1 and the other two to Switch 2.
The management port and the collection ports can be mapped to the same network.
See also Selecting the right Virtual NTBA Appliance on page

Selecting an OVA or ISO image
You can use an ISO image to install NTBA on physical and virtual appliances. OVA images can be deployed only on virtual appliances.
Table 5-2 ISO vs. OVA for installing NTBA
                 ISO image                                                        OVA image
Appliances       Physical and virtual appliances                                  Virtual appliances
Models           All models                                                       T-VM, T-100VM, and T-200VM
Packaging        Needs user to manually configure settings like creating virtual machines   Single and complete package
Setup time       More                                                             Less
Configuration    User needs to create and configure VM options like CPU, memory, network interfaces, and hard disk   Pre-installed NTBA Appliance software that includes the recommended configuration
Errors           Manual intervention might lead to more errors                    Less
Readiness        Create and configure VMs, install NTBA, and reboot the appliance   Deploy an OVA image
McAfee strongly recommends deploying OVA images on virtual machines, as it is simpler and faster than ISO image deployment.

Download the software
You need to download the Virtual NTBA Appliance software to your computer before installing it.
Task
1 Go to the McAfee product downloads page at downloads.aspx.
2 Enter your grant ID to view the latest downloads available.
3 Download the Virtual NTBA Appliance software (.iso file or .ova file) depending on the Virtual NTBA Appliance you want to install and save it on your local drive.
Table 5-3 OVA file names for Virtual NTBA Appliance
Virtual NTBA Appliance    File name
T-VM                      ntbasensorimage.t-vm_opt.ova
T-100VM                   ntbasensorimage.t-100vm_opt.ova
T-200VM                   ntbasensorimage.t-200vm_opt.ova
4 Copy the Virtual NTBA Appliance software (.iso file or .ova file) to the ESX server datastore (either datastore1 or datastore2 under /vmfs/volumes) using SSH from the server hosting the iso/ova release image. This is used for booting and installing the Virtual NTBA Appliance.

Go to /vmfs/volumes/datastore1 and issue:
For ISO: scp <user
Example: scp
For OVA: scp <user
Example for T-VM: scp
See also Resource limit matrix on page 26

Download the documentation
You can refer to these documents for more information about the product.
Task
1 Go to the McAfee ServicePortal at and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.
3 Download the NTBA Administration Guide and Release Notes.

Configure network port mappings on the ESX server
Task
1 In the VMware vSphere Client, connect to the ESX server.
2 In the left pane, select the ESX server that you want to configure.
3 Click the Configuration tab.
4 In the Hardware list, click Networking.
5 In the top right, click the Add networking link. The Add Network Wizard appears.
6 Specify the connection type as Virtual Machine, then click Next.
7 Use any two unused physical ports and map them to the labels NTBA Management and Collection Port. Select the interface to be used as the management port for Network Access, then click Next.

8 In the Connection Settings field, type the network label as NTBA Management. This will be the management port.
Figure 5-1 Virtual Machines-Connection Settings page
9 Click Next.

10 Preview the summary and click Finish.
11 Repeat steps 3 through 10 to add collection ports. Type the network label as Collection Port (see port vmnic5 in the following figure). The Network Configuration page is displayed.
Figure 5-2 Network Configuration page

Create a virtual instance using OVA image
You can create a virtual instance for the Virtual NTBA Appliance using either the OVA image or the ISO image. McAfee recommends that you deploy the Virtual NTBA Appliance using the OVA image.

Task
1 In the VMware vSphere Client, select File Deploy OVF Template. The Deploy OVF Template window is displayed.
Figure 5-3 The Deploy OVF Template option

2 Browse to the location where the OVA images are placed, and select a file depending on the virtual Appliance you want to install. In this example, the OVA image for T-VM is selected.
Figure 5-4 Select the OVA image source location

3 Click Next. The OVF Template Details are displayed.
Figure 5-5 Verify the OVA image details

4 Click Next. In the Name and Location page, specify the name and location for the deployed template. By default, the OVA file name is displayed.
Figure 5-6 The Name and Location page with the default OVA image name
5 Type the name for the virtual machine. The name can contain up to 80 characters. In this example, the virtual machine is named My-NTBA. Click Next.

6 In the Resource Pool page, select where you want to deploy this template. In this example, it is named My Resource Pool. Click Next.
Figure 5-7 Select a resource pool
7 In the Disk Format page, select the disk format as thick or thin provisioning depending on the amount of physical disk storage left. McAfee recommends the default option, which is thick provisioning. Click Next.

8 On the Network Mapping page, map the NTBA Collection source network to a collection port configured earlier while setting the network port mapping on the ESX server. Similarly, map the NTBA Management source network. Click Next.
Figure 5-8 Network Mapping page

9 On the Ready to Complete page, check the options you have selected. Click Finish to deploy the settings.
Figure 5-9 Check the options selected

10 Verify that you have created one management port, four collection ports, and two hard disks as shown.
Figure 5-10 View Virtual Machine properties for the deployed settings
Select the Power on after deployment checkbox if you want the virtual machine to be powered on once the deployment is complete.
11 Once the deployment is successful, click Close.
12 Type Y to proceed with the setup and configure the NTBA IP address, device name, device IP address, device default gateway, Manager IP address, and TFTP server IP address. At this time, do not give the set sensor sharedsecretkey CLI command.
13 This completes creation of the virtual instance using the NTBA OVA image. Skip the next section, Create a virtual instance using ISO image, and proceed to the section Configuring Virtual NTBA Appliance using Manager.
You can opt to add a serial port for troubleshooting purposes. However, this is optional.
a Turn off the Virtual NTBA Appliance.
b [Optional] Right-click the new virtual machine and select Edit Settings to view the properties.
c [Optional] Once the installation is complete, add a serial port.

See also
  Add a serial port on page 85
  Add the Virtual NTBA Appliance to the Manager on page 88

Create a virtual instance using ISO image
Use this section only if you wish to create a virtual instance using the NTBA ISO image. McAfee recommends that you deploy the Virtual NTBA Appliance using the OVA image.
Task
1 In the VMware vSphere Client, go to the Getting Started tab, and click the Create a new virtual machine link.
Figure 5-11 Create new virtual machine instance on NTBA
2 By default, Typical is selected. Click Next.
3 Type a name for the virtual machine.
4 Click Next.
5 Select a destination storage for the virtual machine files.
6 Click Next.
7 Select the guest operating system as Linux. Select the version as Other 2.6.x Linux (64 Bit) from the drop-down list.
8 Click Next.

9 From the drop-down list, select four NICs and map them to the Collection Port label. These will act as the virtual collection ports for the NTBA Appliance. Depending on the virtual machine version, more than four virtual collection ports can be added after the virtual machine is created, using its Edit Settings dialog.
Figure 5-12 Network Connections window
10 Click Next.
11 Specify the virtual disk size and the provisioning policy. You can choose the default size for now, as this disk will be removed later.
12 Select the Edit the virtual machine settings before completion checkbox.
13 Click Continue.
14 Remove the default virtual disk from the list of devices by selecting the device and clicking Remove. You can add new hard disks as explained in the following section.

Tasks
Add a new hard disk on page 83
Configure the CPUs on page 84
Configure memory on page 84
Add an NTBA Management Ethernet adapter on page 84
Add a serial port on page 85
Add the Virtual NTBA Appliance software on page 85
[Optional] Remove unwanted hardware devices on page 86
[Optional] Configure the security profile on page 86
Install the Virtual NTBA Appliance on page 86

Add a new hard disk

Task
1 In the VMware vSphere Client, go to the Virtual Machine Properties window, and click Add. The Add Hardware wizard appears.
2 Select the device type as Hard Disk.

Figure 5-13 Add Hardware window

3 Click Next.

4 Select the Create a new virtual disk option.
5 Click Next.
6 Specify the disk size as 250 GB. This disk stores the Virtual NTBA Appliance software.
7 Select the Specify a datastore or datastore cluster option.
8 Click Next.
9 Select any SCSI virtual device node.
10 Click Next.
11 Click Finish.
12 Repeat these steps to add another hard disk of 250 GB or above. This disk will be used to store the NTBA database.

Configure the CPUs

Task
1 In the VMware vSphere Client, go to the Virtual Machine Properties window, and select CPUs from the list of hardware devices.
2 Select Number of virtual sockets and Number of cores per socket so that the total number of cores configured is 4.

Configure memory

Task
1 In the VMware vSphere Client, go to the Virtual Machine Properties window, and select Memory from the list of hardware devices.
2 Depending on the virtual Appliance you want to install, specify the memory size.

See also
Resource limit matrix on page 26

Add an NTBA Management Ethernet adapter

Task
1 In the VMware vSphere Client, go to the Virtual Machine Properties window, and click Add. The Add Hardware wizard appears.
2 Select the device type as Ethernet Adapter.
3 Click Next.
4 Select Adapter Type as E1000 and map it to the NTBA Management label.
5 Click Next.
6 Click Finish.

Add a serial port

Task
1 In the VMware vSphere Client, go to the Virtual Machine Properties window, and click Add. The Add Hardware wizard appears.
2 Select the device type as Serial Port and click Next.
3 On the right-hand panel, select the connection as Use output file. Browse to the location where the output file is saved.

After you have added all the hardware devices, you must see the final screen as shown.

Figure 5-14 Configured Virtual NTBA Appliance

Add the Virtual NTBA Appliance software

You must have completed the steps in the section Download the Software to proceed.

Task
1 In the Virtual Machine Properties window, select CD/DVD drive from the list of hardware devices.
2 In the right pane, under Device Type, select the Datastore ISO File option.
3 Browse to the location where the NTBA Virtual Appliance software is stored.
4 Click OK.

5 Under Device Status, select the Connect at power on checkbox.
6 Click OK.

See also
Download the software on page 69

[Optional] Remove unwanted hardware devices

You can remove unwanted hardware devices such as the floppy drive, LSI SCSI adapter, and so on.

Task
1 In the VMware vSphere Client, go to the Virtual Machine Properties window, and select Floppy drive from the list of hardware devices.
2 Click Remove.
3 Click OK.

Repeat the steps to remove other unwanted hardware devices from the list.

[Optional] Configure the security profile

The security profile is configured on the ESX server so that the Virtual NTBA Appliance software can be copied from your local drive to install the Virtual NTBA Appliance.

Task
1 In the VMware vSphere Client, go to the Configuration tab on the VMware ESX wizard.
2 From the Software list, select Security Profile.
3 In the Firewall section, click Properties.
4 In the Firewall Properties window, select the SSH Server checkbox under Secure Shell.
5 Click Options.
6 In Startup Policy, select the Start and stop with host option.
7 Click Start.
8 Click OK.
9 In the Firewall Properties window, select the SSH Client checkbox.
10 Click OK.

Install the Virtual NTBA Appliance

Task
1 In the VMware vSphere Client, select the Virtual NTBA Appliance that you want to configure.
2 Right-click the Virtual NTBA Appliance, then select Power Power On.

3 Click the Console tab. After startup is complete, the NTBA Virtual Appliance Quick Start Program console appears.

Figure 5-15 Virtual NTBA Appliance Quick Start Program window

4 Type the NTBA login as admin and the Password as admin123 to log on to the Virtual NTBA Appliance.
5 Run the installntba command to start the Virtual NTBA Appliance installation.

You will be prompted to reboot the Virtual NTBA Appliance, but do not reboot. The reboot must happen only at Step 9. A detailed error message is displayed if the command fails.

6 Once the installation is complete, select the Virtual NTBA Appliance under the ESX server. Right-click the Virtual NTBA Appliance and select Edit Settings. The Virtual Machine Properties window appears.

7 Select CD/DVD drive and deselect the Connect at power on checkbox under Device Status. A Virtual Machine Message window appears.

Figure 5-16 Virtual Machine Message window

8 Click Yes.
9 From the NTBA console, type the reboot command. The Virtual NTBA Appliance installation is complete when you see the NTBA login prompt. This might take several minutes.
10 Type Y to proceed with the setup and configure the NTBA IP address, device name, device IP address, device default gateway, Manager IP address, and TFTP server IP address. At this time, do not issue the set sensor sharedsecretkey CLI command.

Add the Virtual NTBA Appliance to the Manager

Define and configure the vNTBA in the Manager.

Task
1 Log on to the Network Security Manager.
2 Add the Virtual NTBA Appliance to the Manager using the Add Device Wizard.
3 If you have not already configured the NTBA interfaces (to which the flow records are addressed) in the Add Device Wizard, specify the IP address and network mask for the NTBA Virtual Appliance collection port by selecting Devices <Admin Domain Name> Devices <NTBA Appliance> Setup Collection Settings.

4 Verify that the collection ports are up by selecting Devices <Admin Domain Name> Devices <NTBA Appliance> Setup Physical Ports. Check that the ESX server's physical port that is mapped to the collection port is up. If the connection is down, you will see a red cross mark as shown in the figure.

Figure 5-17 Verifying if physical port connection is up

5 Select Devices <Admin Domain Name> Devices <NTBA Appliance> Exporters <IPS Exporter> and click Edit. Configure the Sensor for L7 data export by selecting Devices <Admin Domain Name> Devices <IPS/vIPS Sensor> Setup L7 Data Collection.
6 Provide the Destination NTBA Appliance and the Destination IP.
7 Under Flow Source:
a Select the designated port for exporting flows.
b Provide the port IP address to be used on the IPS monitoring port.

c Provide the network mask.
d Provide the default gateway. If the IPS exporting port and the NTBA collection port are directly connected, then provide the NTBA Collection IP Address as the default gateway.

Figure 5-18 Configuration for NetFlow exporting

When the IPS interfaces are deployed inline, NTBA automatically inherits the direction from IPS. For example, if the IPS interface is set to inbound, the direction in NTBA will be set to internal. For span, the direction must be configured manually. Only after making this change is the Save operation allowed. You can mark interfaces as either external or internal only for the IPS interfaces that are non-inline.

8 Select the monitoring ports of IPS that you wish to monitor, and click Save. The saved settings are displayed.
9 If you would like the traffic to go through the collection port, you must configure a static route. Select Devices NTBA Appliance Setup Routing.
10 [Optional] To add a router or IPS Sensor as an exporter, select Devices <Admin Domain Name> Devices <NTBA Appliance> Exporters Exporters and click New. The Add Exporter page is displayed.

11 To create zones: if your deployment uses a CIDR network, then create CIDRs and associate them with internal or external zones. The Virtual NTBA Appliance appears in the Manager as shown.

Figure 5-19 Newly added NTBA Virtual Appliance in Manager

12 Perform a configuration update by selecting Devices <Admin Domain Name> Devices <NTBA Appliance> Deploy Pending Changes.
13 Check the NetFlow processing: on the command line, enter show nfcstats. Check the output to verify that packets are being processed correctly by the Virtual NTBA Appliance.

Figure 5-20 Output of show nfcstats CLI command

14 To make sure that NTBA monitors display information received from McAfee Global Threat Intelligence, complete the following steps:
a Enable Global Threat Intelligence integration by selecting Manage Integration Global Threat Intelligence.
b Configure DNS settings by selecting Devices <Admin Domain Name> Devices <NTBA Appliance> Setup Name Resolution.
c Verify whether Global Threat Intelligence is enabled by default by selecting Devices <Admin Domain Name> Global Default Device Settings NTBA Devices Zone Settings GTI IP Reputation.
d Perform a configuration update by selecting Devices <Admin Domain Name> Devices <NTBA Appliance> Deploy Pending Changes.
15 Verify and monitor your network traffic by selecting Analysis Threat Analyzer Real-Time Dashboards NTBA.

If all the endpoints are internal and all the URLs are internal, then no data is displayed in the Top External Endpoints By Reputation and the Top URLs By Reputation monitors, as the McAfee GTI lookup fails for internal endpoints and internal URLs.

The ETF monitors take at least five minutes to populate and display data.

See also
Add a router as an exporter on page 100
Define zones on page 108

Delete an existing Virtual NTBA Appliance

You can delete an existing Virtual NTBA Appliance.

Task
1 Connect to the ESX server using the VMware vSphere Client.
2 Click the Virtual Machines tab.
3 If the Virtual NTBA Appliance that you want to delete is running, turn it off.
a Select the Virtual NTBA Appliance.
b From the menu bar, select Inventory Virtual Machine Power Power Off.
c Click Yes to confirm.
4 Delete the Virtual NTBA Appliance.
a Select the Virtual NTBA Appliance.
b From the menu bar, select Inventory Virtual Machine Delete from Disk. A confirmation window appears.
5 Click Yes. The Virtual NTBA Appliance is deleted.

Configuring the NTBA Appliance on the Manager

Chapter 6 Configuring NTBA Appliance settings


6 Configuring NTBA Appliance settings

This chapter details the steps involved in configuring the NTBA Appliance settings.

Contents
Define the IP settings
Configure the collection ports
Viewing management port settings
Add a router as an exporter
Configure L7 data collection
Configure Network Security Sensor as an exporter
Edit exporter configuration
[Optional] Configure static route
Mark exporter interfaces as internal or external
Define zones
Update configuration of a Sensor or an NTBA Appliance
Deploy pending changes to a device
Configure a Central Collector
NTBA exception object management
Alert notification options
Send notifications for quarantined attacks
Add flow exclusion
Define an external storage device
Configure services
Configure exporter access
How communication rules work
Configure name resolution
How Global Threat Intelligence integrates with NTBA
Configure miscellaneous settings
Active device profiling
Advanced malware policies
Configuring policies

Define the IP settings

You need to define essential NTBA Appliance settings, such as the flow record listening port and the Ethernet port IP address settings.

Task
1 Select Devices <Admin Domain Name> Devices <NTBA Appliance> Setup Collection Settings. The Collection Settings page is displayed.

Figure 6-1 Collection Settings page

2 Select the Use Global Settings checkbox if you want to use global settings. Global settings are set at Devices <Admin Domain Name> Global Default Device Settings NTBA Devices Device Settings Setup Collection Settings. All other settings are disabled if this checkbox is selected. Deselect this checkbox to set NTBA Appliance device-specific settings.
3 Select the Enable De-duplication? checkbox to enable de-duplication. If de-duplication is enabled, the NTBA Appliance can detect whether one or more exporters are sending flow records belonging to the same traffic. This prevents duplication.
4 Specify the following IP Settings for the NTBA Appliance interfaces to which flow records are to be addressed:
IP Address for collection ports
Network Mask
5 Click Save.

To isolate and protect your management traffic, McAfee strongly recommends using a separate, dedicated management subnet to interconnect the NTBA Appliance and the Manager. If the management and collection ports of the NTBA Appliance are in the same subnet, flow information might be sent to the management port instead of the collection port.

Configure the collection ports

In the Collection Ports tab within the Physical Ports page, you can view or edit the parameters of the collection ports for a specific NTBA Appliance. Collection port configuration allows you to change NTBA Appliance deployment modes, select port speeds, or indicate enabled or disabled ports.

To configure the collection ports, select Devices Devices <NTBA Appliance> Setup Physical Ports. The Collection Ports tab in the Physical Ports page is displayed. The Collection Ports tab displays the list of ports available for the NTBA Appliance.

Figure 6-2 Collection Ports tab - T-1200

Table 6-1 Collection Port details
Port - Specifies the collection port.
Link - Specifies the status of the collection port. The available statuses are: Up, Down, Disabled.
Connector Type - Displays the connector type. The T-200, T-600, and T-1200 Appliances display only the connector type RJ-45. The T-500 Appliance displays the connector types RJ-45 and LC Fiber.
Speed - Specifies the speed and duplex of the port. The available options for speed are: Auto-negotiate, 1 Gbps(full), 100 Mbps(full), 100 Mbps(half), 10 Mbps(full), 10 Mbps(half).
IP Address - Specifies the IP address and network mask assigned to the collection port.

These details are displayed for each port. To view or configure settings for the NTBA Appliance, do the following:

Task
1 In the Collection Ports tab, double-click the row of a collection port. The Collection Port Details window is displayed.

Figure 6-3 Collection Port Details window

2 Configure the following:
Select Enabled or Disabled from the State drop-down list.
Select the speed and duplex type from the Speed (Duplex) drop-down list. The available options are: Auto-Negotiate, 1 Gbps(Full), 100 Mbps(Full), 100 Mbps(half), 10 Mbps(Full), 10 Mbps(Half).
3 In IP Settings, type the IP Address and Network Mask for the collection port. The Physical Ports page displays the configured collection ports.
4 Click Save to save the configuration changes. A window is displayed to confirm the changes. Click OK to confirm the changes.

Tasks
Enable or disable a collection port on page 99 - This section explains enabling and disabling a collection port from the Collection Ports tab.

Enable or disable a collection port

This section explains enabling and disabling a collection port from the Collection Ports tab.

To view or configure the settings of the collection ports for a McAfee Network Security Platform NTBA Appliance, you access the configuration page in Devices Devices <NTBA Appliance> Setup Physical Ports. A list of ports available for the device you selected is displayed in the Collection Ports tab.

To disable a collection port:
1 Click the row of the collection port that you want to disable. To disable multiple collection ports, press the Shift key and click the collection ports that you want to disable.
2 Click Disable. The collection ports are disabled.

To enable a collection port:
1 Click the row of the collection port that you want to enable. To enable multiple collection ports, press the Shift key and click the collection ports that you want to enable.
2 Click Enable. The collection ports are enabled.

Port color key

This section describes a port's status color under the Link column in the Collection Ports tab.

Table 6-2 Port color key
Green - Port is enabled and operating correctly.
Red - Port is enabled, but not operating due to some failure. Check system faults.
Gray - Port has been disabled by the user.
Orange - Device or NTBA Appliance is disconnected. The port data is retrieved from the database.
Beige - Port has been modified.

Viewing management port settings

You can view the details of the management port settings by performing the following steps:

Task
1 Select Devices <Admin Domain Name> Devices <NTBA_Appliance> Setup Physical Ports.
2 Click the Management Port tab. The following information is displayed.

IP Address - Displays the IPv4 IP address.
Network Mask - Displays the network mask for IPv4.
Default Gateway - Displays the default gateway for IPv4.

You will not be able to modify any settings on this page. The settings can be modified only from the device CLI.

Add a router as an exporter

Network devices such as routers and IPS Sensors can be added and listed under Exporters under the NTBA_Appliance_name node in the Devices page of the Manager. When added, these devices can be configured to export flow information to the NTBA Appliance.

Without SNMP access, you cannot add a router as an exporter.

Task
1 Select Devices <Admin Domain Name> Devices <NTBA Appliance> Exporters Exporters. The Exporters page is displayed.

2 Click New. From the Exporter Type, select Router. By default, IPS Sensor is selected.

Figure 6-4 Add Exporter page: Router options

3 Set the following choices:
In the Exporter Name field, enter a name for the router.
In the Exporter IP Address field, enter the router's IP address.
In the Description field, enter the description for the router.
Deselect the Use Global Settings checkbox if you want to set SNMP parameters specific to the router.
If Use Global Settings is not selected, enter the UDP port in the UDP Port field.
From the SNMP Version drop-down list, select the SNMP version (2c or 3).
In the Read Only Community String field, enter a read-only community string.
In the SNMP Polling Interval (minutes) field, set the interval.
In the User Name field, enter the user name.
In the Password field, enter the password.
In the Write Password field, re-enter the password for the router.
4 Click Test Connection to test the SNMP connection to the router.

If SNMP is not configured, NTBA cannot discover interfaces and does not accept any flows from a router unless the unknown-interfaces-flows command is set to accept. You also need to configure proper CIDR ranges in the inside and outside zones. If not configured, all endpoints are treated as inside by NTBA.

5 [Optional] If you want the NTBA Appliance to use SSH to add access rules (similar to ACLs in the Manager) to exporters when configured to quarantine in response to alerts, then specify a user name and click Test Connection. Once the NTBA Appliance has the router information, this option tests SSH to the router.
6 Click Save. The newly added router is listed in the Exporters page.

Tasks
Add interfaces to the router on page 102

See also
Configure Network Security Sensor as an exporter on page 103

Add interfaces to the router

After adding a router, you must add interfaces to the router that can be configured to collect flow data. You can see the list of interfaces if you have configured the SNMP settings.

Task
1 In Exporters, select the exporter you have added and click the Interfaces tab. The Interfaces page is displayed.

Figure 6-5 Interfaces page

2 Click New. The Add Interfaces page is displayed, listing the interfaces on this exporter.
3 To select the interfaces, select the radio buttons. Select the External? checkbox to mark interfaces as external.
4 Click Save. The selected interfaces are displayed on the Interfaces page.
5 To delete an interface, select the radio button for that interface and click Delete.

Configure L7 data collection

The Sensor captures Layer 7 (L7) data using the FTP, HTTP, Netbios-ss, SMTP, and TELNET protocols and sends it to the NTBA Appliance.

You can customize the Layer 7 data that the Sensor captures and sends to the NTBA Appliance.

Task
1 Select Devices <Admin Domain Name> Devices <IPS/vIPS Sensor> Setup L7 Data Collection. The L7 Data Collection page is displayed.

Figure 6-6 L7 Data Collection page

2 Select Customize against the protocol that you want to customize and select the required Enabled? checkboxes.
3 Click Save.

Configure Network Security Sensor as an exporter

Before you begin
You need to configure the Sensor for L7 data export on the L7 Data Collection page before performing this procedure (Devices <Admin Domain Name> Devices <IPS/vIPS Sensor> Setup L7 Data Collection).

A Sensor or Virtual IPS Sensor (Virtual Sensor) can be configured to export flow information to a particular NTBA Appliance, to forward details for advanced malware analysis to the Gateway Anti-Malware (GAM) engine, or both. Since the Sensor does deep packet inspection, its flow records include Layer 7 data.

Task
1 Select Devices <Admin Domain Name> Devices <IPS Sensor> Setup NTBA Integration.

Figure 6-7 NTBA Integration page

2 Set the following configuration choices:
From the NTBA Integration drop-down list, select whether to export flows, forward files to the GAM engine, or both. By default, this is set to Disabled prior to integration. You can select one of these options:
Enabled for Flow Exporting and Advanced Malware Analysis
Enabled for Flow Exporting only
Enabled for Advanced Malware Analysis only

If NTBA was integrated with a Sensor, and you upgrade from 7.5 or 8.0 to 8.1, the NTBA Integration option must show Enabled for Flow Exporting and Advanced Malware Analysis as selected. If the Sensor is on 7.1, and you upgrade NTBA from 7.1 to 8.1, it displays Enabled for Flow Exporting only.

From the Target NTBA Appliance drop-down list, select the NTBA Appliance to which you want to send the flow information, the advanced malware information, or both. Select the NTBA Appliance collection and listening port.
Under IPS Monitoring Port to be Used to Export Traffic, select the Sensor port for exporting the flow from the Designated Port for Exporting Flows drop-down list.

In the Port IP Address field, enter the port IP address.
In the Network Mask field, enter the network mask.
In the Default Gateway field, enter the default gateway.
In the VLAN ID field, enter the VLAN ID.
Click View Connectivity to confirm that exporting connectivity is established between the Sensor and the NTBA Appliance.
Under Traffic to be Forwarded to NTBA, specify the Sensor monitoring ports for which ingress traffic should generate flow records by selecting the Forward to NTBA checkbox against the listed ports.
3 Click Save.

If the port specified as the Designated Port for Exporting Flows is used exclusively for exporting flows (not used for IPS monitoring), you must configure it as a SPAN port.

4 The newly added interface is displayed in the Exporters page.

Edit exporter configuration

You can edit the existing exporter configuration.

Task
1 Select Devices <Admin Domain Name> Devices <NTBA Appliance> Exporters <Exporters>. You can also edit the exporter by clicking Properties under the exporter you want to edit.
2 Click Edit. The Properties page is displayed. If the exporter is a Sensor, then you can only edit the description of the Sensor.
3 Make your edits and click Save.

[Optional] Configure static route

You can configure static routes on an NTBA Appliance for diagnostic purposes and to check for connectivity between NTBA and IPS Sensor ports. A static route is also required if you want to route outbound traffic from a collection port.

Task
1 Select Devices <Admin Domain Name> Devices <NTBA Appliance> Setup Routing New. The Add a Static Route page is displayed.

Figure 6-8 Add a Static Route page

2 Select an appliance port from the drop-down list. Check the port status. When you select a port, Port Status displays whether the port is Up, Down, or Disabled. For disabled ports, static routes can't be defined.

Go to Devices <Admin Domain Name> Devices <NTBA Appliance> Setup Physical Ports to assign an IP address to an appliance port. If the port is assigned an IP address, the static route might not be able to reach the port.

Figure 6-9 Physical Ports page

3 Type the destination address and mask length.
4 Type the gateway address that exists in the same network as the appliance port.
5 Click Save. The Static Routes page displays the route details, such as the appliance port, port status, destination, and gateway addresses.

Figure 6-10 Static Routes page

You can select and delete multiple static routes from the list.

6 Select the route and click Edit or Delete to make changes.

Mark exporter interfaces as internal or external

When you configure an IPS device as an exporter, you can configure the ports as an internal or external zone. For example, if port 1A is configured as Inbound, then you can configure that interface as an external zone; if port 1A is configured as Outbound, then you can configure it as an internal zone.

Task
1 Select Devices <Admin Domain Name> Devices <IPS Sensor> Setup NTBA Integration.

Figure 6-11 NTBA Integration page

You can configure only ports that have N/A against them. Choose from the NTBA Direction drop-down list to mark the port as internal or external.

-OR-

Select Devices <Admin Domain Name> Devices <NTBA Appliance> Exporters <Exporters> Interfaces. The Interfaces page is displayed.

Figure 6-12 Interfaces page

2 Select the External checkbox to mark the interface as external. Deselect this checkbox to mark the interface as internal.
3 Click Save. The current zone assignment for the interface is shown in brackets against Name. On changing the direction (to internal or external), the interface is automatically moved to the corresponding default zone.

If you want to add an exporter to another NTBA Appliance, first delete the existing exporter by selecting Devices <Admin Domain Name> Devices <NTBA Appliance> Exporters Exporters. Select an exporter and click Delete.

Define zones

A zone is a concept for segregating network traffic either logically, based on IP addresses (CIDR zones), or physically, based on exporter interfaces (Interface zones). Zones represent groups of endpoints whose traffic should be analyzed collectively for anomalous behavior.

You can group the network into various logical and physical zones. You can create zones according to specific network monitoring requirements. For example, you can create a zone based on a particular LAN, a server zone, or a functional zone like HR or Finance for a group of endpoints with similar functions. You can create different policies for each zone and monitor them exclusively.

Zone creation - rationale

Zone creation involves creating zone elements within the inside and outside zone configuration options in the Manager. The reason for providing the option to mark zone elements as inside or outside is to provide greater flexibility in applying policies, and for better capacity planning. (NTBA Appliances T-500 and T-200 have capacities to monitor 200,000 endpoints and 100,000 endpoints, respectively. Information in excess of these capacities is dropped.) All zone elements within the inside zone are monitored through the NTBA monitors in the Threat Analyzer of the Manager. You can apply different policies for each zone to monitor threats.
Zone element types

A zone element type can be either CIDR or exporter interface. The CIDR type settings always override the exporter interface type settings. The NTBA Appliance checks the CIDR first to identify whether the specific IP address in question belongs to a zone. Only if it does not belong to a CIDR does it look at the exporter interface information.

Logic for configuring zone elements

For configuring CIDR zone elements, apply the following logic:
You should include any CIDR address range within the network segment covered by the NTBA Appliance as an inside zone element. You can group them based on groups of endpoints belonging to a network segment with similar functions, such as different departments.

For configuring Interface zone elements, apply the following logic:
Exporter interfaces that export NetFlow to the NTBA Appliance are to be included in the interface zone elements.
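As an added example (not McAfee code) of the precedence rule above: an endpoint is placed in a zone by its CIDR element first, and by the exporter interface it arrived on only when no CIDR matches, with RFC 1918 ranges pre-loaded into the default inside zone. The zone names, the longest-prefix tie-break for overlapping CIDRs, the rule that only external endpoints get a GTI lookup, and the rule that a conversation with no inside endpoint is dropped are assumptions drawn from this guide's SPAN-port note.

```python
"""Zone classification in the order this guide describes: CIDR zone elements
first, the exporter interface only when no CIDR matches.
Added example, not McAfee code. Zone names and the longest-prefix tie-break
for overlapping CIDRs are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Default inside zone: the guide says every RFC 1918 range is added to it
# when an NTBA Appliance is added to the Manager.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

Zone = Tuple[str, bool]  # (zone name, True if it is an inside zone)


class ZoneTable:
    def __init__(self) -> None:
        self._cidrs: List[tuple] = []                 # (network, zone name, inside)
        self._ifaces: Dict[Tuple[str, str], Zone] = {}  # (exporter, iface) -> zone
        for block in RFC1918:
            self.add_cidr(block, "Default Inside Zone", inside=True)

    def add_cidr(self, cidr: str, zone: str, inside: bool) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        self._cidrs.append((net, zone, inside))

    def add_interface(self, exporter: str, iface: str, zone: str, inside: bool) -> None:
        self._ifaces[(exporter, iface)] = (zone, inside)

    def classify(self, ip: str, exporter: Optional[str] = None,
                 iface: Optional[str] = None) -> Optional[Zone]:
        addr = ipaddress.ip_address(ip)
        # 1. CIDR elements always win. Assumption: when configured CIDRs
        #    overlap (e.g. 10.1.0.0/16 inside 10.0.0.0/8) the longest prefix wins.
        best: Optional[Tuple[int, str, bool]] = None
        for net, zone, inside in self._cidrs:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, zone, inside)
        if best is not None:
            return best[1], best[2]
        # 2. Only when no CIDR matched: the exporter interface the flow arrived on.
        if exporter is not None and iface is not None:
            return self._ifaces.get((exporter, iface))
        return None  # unknown: neither a CIDR nor an interface element covers it

    def _is_inside(self, ip: str, exporter: Optional[str], iface: Optional[str]) -> bool:
        zone = self.classify(ip, exporter, iface)
        return zone is not None and zone[1]

    def needs_gti_lookup(self, ip: str, exporter: Optional[str], iface: Optional[str]) -> bool:
        """Assumption: McAfee GTI reputation is looked up only for external
        endpoints, which is why an internal SPAN port yields no GTI lookups."""
        zone = self.classify(ip, exporter, iface)
        return zone is not None and not zone[1]

    def keep_conversation(self, src: str, dst: str, exporter: str, iface: str) -> bool:
        """Assumption drawn from the SPAN-port note: a conversation in which
        neither endpoint resolves to an inside zone is dropped."""
        return self._is_inside(src, exporter, iface) or self._is_inside(dst, exporter, iface)


def build_example_table() -> ZoneTable:
    """Constructed sample configuration (not taken from the guide)."""
    t = ZoneTable()
    t.add_cidr("10.1.0.0/16", "HR", inside=True)        # department zone
    t.add_cidr("10.200.0.0/16", "Lab", inside=False)    # internal range excluded from monitoring
    t.add_interface("IPS-1", "1A", "Default External Zone", inside=False)  # SPAN port marked external
    t.add_interface("IPS-1", "1B", "Default Inside Zone", inside=True)     # SPAN port marked internal
    return t


if __name__ == "__main__":
    t = build_example_table()
    samples = [("10.1.5.5", "IPS-1", "1A"), ("10.9.9.9", "IPS-1", "1A"),
               ("10.200.1.1", "IPS-1", "1A"), ("203.0.113.7", "IPS-1", "1A"),
               ("203.0.113.7", "IPS-1", "1B"), ("203.0.113.7", None, None)]
    for ip, exp, ifc in samples:
        print(f"{ip:12} via {exp}/{ifc}: zone={t.classify(ip, exp, ifc)} "
              f"gti_lookup={t.needs_gti_lookup(ip, exp, ifc)}")
    # External SPAN port with no matching inside CIDR: conversation dropped.
    print("kept:", t.keep_conversation("203.0.113.7", "198.51.100.2", "IPS-1", "1A"))
```

The 10.200.0.0/16 entry shows the guide's advice to move internal segments you do not want monitored into the outside zone: the CIDR still wins over the interface, but the endpoint is no longer counted as inside.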

Edge interfaces (interfaces connected to traffic coming from outside the network) are to be included when configuring external interface zone elements.

There are many situations where you would not want to monitor information on network segments covered by CIDR or exporter interfaces within your internal network through the Threat Analyzer of the Manager. In such cases, exclude these CIDR ranges and exporter interfaces from the inside zone elements and set them as outside zone elements.

Configuring SPAN ports and CIDR zones

If a SPAN port is configured as internal, there are no McAfee GTI lookups for endpoints or URLs. If a SPAN port is configured as external (and there are no CIDRs in the inside zone corresponding to the traffic from this SPAN port), all conversations from this port are dropped. Therefore, the best practice is to configure SPAN/TAP ports as external and keep the default CIDRs in the inside zone. If required, add more CIDRs to the inside zone as per the traffic requirement. This keeps the dashboards populated.

Zone context

A zone is a context within an NTBA Appliance. Hence, in a multi-NTBA Appliance deployment, zones are defined for each NTBA Appliance.

Define inside zones

Inside zones represent groups of internal endpoints whose traffic should be analyzed for anomalous behavior. Zones can be based on CIDR blocks and exporter interfaces. You can select the default inside zone or define a new inside zone. When an NTBA Appliance is added to the Manager, all the RFC 1918 IP addresses are added under the default inside zone.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Inside Zones | Summary. The Summary page for inside zones is displayed.

Figure 6-13 Summary page

2 Click New. Enter a name and description for the inside zone.
3 From Zone Elements, select Type as CIDR.
4 In CIDR, enter the CIDR address.
5 Click Add to create an inside CIDR zone.
The zone element is displayed.
6 From Zone Elements, select Type as Interface. The Exporter and Interfaces options are displayed.
7 From Exporters, select one of the network devices configured as exporters.
8 From Interfaces, select the interfaces. (Hold down the CTRL key for multiple selections.)

9 Select the interface listed in the Interfaces field. (Hold down the CTRL key for multiple selections.)
10 Click Add and then Save to create an inside interface zone.

Tasks
Apply NTBA policies to inside zones on page 110

Apply NTBA policies to inside zones

The NTBA policies are applied to the NTBA Appliance zones. The procedure for applying NTBA policies to the default inside zone of an NTBA Appliance is described below. The procedure for applying policies to other inside zones is similar.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Inside Zones | Default Inside Zone | Protection Profile. The Protection Profile page is displayed.
2 From the NTBA Policy drop-down list, select the policy that you want to apply.
3 Click Save.

Define outside zones

Outside zones represent groups of internal endpoints whose traffic should be analyzed for anomalous behavior. Zones can be based on CIDR blocks and exporter interfaces. You can select the default outside zone or define a new outside zone.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Outside Zones | Summary. The Summary page for outside zones is displayed.

Figure 6-14 Summary page for outside zones

2 Click New. Enter a name and description for the outside zone.
3 From Zone Elements, select Type as CIDR.
4 In CIDR, enter the CIDR address.
5 Click Add to create an outside CIDR zone. The zone element is displayed.
6 From Zone Elements, select Type as Interface. The Exporter and Interfaces options are displayed.
7 From Exporters, select one of the network devices configured as exporters.
8 From Interfaces, select the interfaces. (Hold down the CTRL key for multiple selections.)
9 Click Add and then Save to create an outside interface zone.

Tasks
Apply NTBA policies to outside zones on page 111
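The lookup order described under Zone element types (a CIDR element is consulted first, the exporter interface only when no CIDR matches) and the note that conversations with no inside-zone endpoint are dropped, as an added Python illustration that is not part of this guide or of the NTBA software. The zone names, the exporter and interface identifiers and the flow records are constructed; the longest-prefix tie-break between overlapping CIDR elements and the rule that a flow is analyzed only when at least one endpoint resolves to an inside zone are assumptions made for the example.

```python
"""Zone lookup in the order the guide describes: CIDR zone elements are
checked first, exporter-interface elements only when no CIDR matches.
Added illustration, not NTBA code. Zone names, exporter/interface ids and
flow records are constructed; the "most specific CIDR wins" tie-break and
the "drop a flow with no inside endpoint" rule are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges: the guide says these populate the default inside zone
# when an NTBA Appliance is added to the Manager.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Zone:
    name: str
    side: str                                     # "inside" or "outside"
    cidrs: list = field(default_factory=list)     # CIDR zone elements (strings)
    interfaces: set = field(default_factory=set)  # interface zone elements: (exporter, ifIndex)

    def __post_init__(self):
        self.nets = [ipaddress.ip_network(c) for c in self.cidrs]


class ZoneTable:
    def __init__(self, zones):
        self.zones = zones

    def lookup(self, ip, exporter=None, ifindex=None):
        """Return the Zone for an endpoint, or None if no element matches."""
        addr = ipaddress.ip_address(ip)
        best = None  # (zone, network) with the longest matching prefix (assumption)
        for zone in self.zones:
            for net in zone.nets:
                if addr.version == net.version and addr in net:
                    if best is None or net.prefixlen > best[1].prefixlen:
                        best = (zone, net)
        if best is not None:
            return best[0]                        # a CIDR element overrides any interface element
        if exporter is not None and ifindex is not None:
            for zone in self.zones:
                if (exporter, ifindex) in zone.interfaces:
                    return zone
        return None


def summarize_flows(table, flows):
    """Count flows that reach the monitors versus flows that are dropped.
    Assumption: a flow is analyzed when at least one endpoint resolves to an
    inside zone; anything else is dropped, which is the situation the guide
    warns about for an external SPAN port with no matching inside CIDRs."""
    counts = {"monitored": 0, "dropped": 0}
    for f in flows:
        src = table.lookup(f["src"], f["exporter"], f["in_if"])
        dst = table.lookup(f["dst"], f["exporter"], f["out_if"])
        sides = {z.side for z in (src, dst) if z is not None}
        counts["monitored" if "inside" in sides else "dropped"] += 1
    return counts


# Constructed zone table for a small site.
ZONES = ZoneTable([
    Zone("Default Inside Zone", "inside", cidrs=RFC1918),
    Zone("Finance", "inside", cidrs=["10.20.0.0/16"]),
    Zone("Guest Wi-Fi", "outside", cidrs=["192.168.50.0/24"]),
    Zone("Default Outside Zone", "outside", interfaces={("core-rtr-1", 3)}),  # edge interface
])

# Constructed NetFlow-style records: source, destination, exporter, input and output ifIndex.
FLOWS = [
    {"src": "10.20.1.5", "dst": "203.0.113.7", "exporter": "core-rtr-1", "in_if": 1, "out_if": 3},
    {"src": "192.168.50.9", "dst": "203.0.113.7", "exporter": "core-rtr-1", "in_if": 2, "out_if": 3},
    {"src": "203.0.113.7", "dst": "10.1.1.1", "exporter": "core-rtr-1", "in_if": 3, "out_if": 1},
]

if __name__ == "__main__":
    for ip, args in [("10.20.1.5", ()), ("192.168.50.9", ()), ("203.0.113.7", ("core-rtr-1", 3))]:
        zone = ZONES.lookup(ip, *args)
        print(ip, "->", zone.name if zone else None)
    print(summarize_flows(ZONES, FLOWS))
```

The guest Wi-Fi range sits inside 192.168.0.0/16, yet its own /24 wins because it is the more specific CIDR element, and the edge interface is only consulted for the public address that matches no CIDR at all. The second flow (guest to Internet) has no inside endpoint and is counted as dropped, which is exactly the symptom of an empty dashboard that the SPAN-port note describes.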

Apply NTBA policies to outside zones

The NTBA policies are applied to the NTBA Appliance zones. The procedure below applies a policy to the default outside zone; the procedure for applying policies to other outside zones is similar.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Outside Zones | Default Outside Zone | Protection Profile. The Apply Policy page is displayed.
2 From the NTBA Policy drop-down list, select the policy that you want to apply.
3 Click Save.

Update configuration of a Sensor or an NTBA Appliance

Configuration updates refer to changes to device and interface/subinterface configurations, such as port configuration, non-standard ports, interface traffic types, and configuration changes to the Sensor or NTBA Appliance. Signature updates contain new and modified signatures that can apply to the attacks enforced in a chosen policy. Policy changes update the device in case of a newly applied policy or changes made to the currently enforced policy.

You can schedule configurations to be pushed to the NTBA Appliances and Sensors from Manage | <Admin Domain Name> | Automatic Updating | IPS Signature Sets. The Automatic IPS Signature Set Deployment options allow you to set the time when these configurations are deployed on Sensors and NTBA Appliances. Configurations are then deployed automatically according to the schedule.

All configurations in the Policy page that apply to your Sensors or NTBA Appliances can also be pushed manually from Devices | <Admin Domain Name> | Global | Deploy Pending Changes (all Sensors and NTBA Appliances in a domain) or Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Deploy Pending Changes (a single Sensor or NTBA Appliance).

Scheduled deployment

1 Select Manage | <Admin Domain Name> | Automatic Updating | IPS Signature Sets. The IPS Signature Sets page is displayed.

Figure 6-15 IPS Signature Sets page

2 From the Automatic IPS Signature Set Deployment options, set the schedule for deploying signature updates:
For Deploy in Real Time, select Yes. (This option pushes a signature set update to all Sensors and NTBA Appliances immediately after it is downloaded to the Manager.) The default is No.
For Deploy at Scheduled Interval, select Yes to schedule automatic deployment of signature sets. In Schedule, set the frequency at which you want the Manager to check for a newly downloaded signature set. The choices are:
Frequently: Several times a day during a specified period, at the interval indicated in the Recur every option
Daily: Once a day
Weekly: Once a week
Select the Start Time, End Time, and Recur every options to specify the intervals. The fields available depend on the Schedule frequency.
3 Click Save.

On-demand deployment

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Deploy Pending Changes. The Deploy Pending Changes page is displayed.

Figure 6-16 Deploy Pending Changes page

2 View the update information. If changes have been made, the Configuration & Signature Set column is checked by default.
3 Click Update. A pop-up window displays the configuration download status.

Deploy pending changes to a device

When you make configuration changes or policy changes on the Manager, or a new or updated signature set is available from McAfee, you must apply these updates to the devices (such as Sensors and NTBA Appliances) in your deployment for the changes to take effect. Note the following:
Configuration changes such as port configuration, non-standard ports, and interface traffic types are updated regardless of the changes made to the Sensor or interface/subinterface. NTBA configuration updates refer to the changes made in the various tabs of the Devices node.
Policy changes are updated on the Sensor or NTBA Appliance in case of a newly applied policy, or changes made to the currently enforced policy.
Signature updates contain new and/or modified signatures that can be applied to the latest attacks.

You can deploy the configuration changes to all the devices in the admin domain from the Global tab. The navigation path for this is Devices | <Admin Domain Name> | Global | Deploy Pending Changes. Alternatively, you can deploy the configuration changes at the device level by selecting Devices | <Admin Domain Name> | Devices | <Device name> | Deploy Pending Changes. In this case, the Deploy Pending Changes option is available in the menu only if the device is active.

Task
1 Select Devices | <Admin Domain Name> | Global | Deploy Pending Changes. The Deploy Pending Changes page is displayed.

Figure 6-17 Deploy Pending Changes page

The columns in the table are as follows:
Device Name: Unique name of each device
Last Update: Last day and time the device configuration was updated
Updating Mode: Online or offline update mechanism selected for the device
Pending Changes: Summary of changes that have been made
Configuration & Signature Set: A selected checkbox indicates that the device is to be updated for any configuration change other than those related to SSL key management
Status: Displays the status of the Sensor during the update

2 Click Deploy. The Manager processes these updates in three stages (Queued, Deploying, Completed) and displays the current stage in the Status column.

Figure 6-18 Configuration update

Queued: The Queued status indicates that the Manager is preparing to deploy updates to the devices. If more than one device is being updated, devices are updated one at a time until all downloads are complete. If you want to cancel the updates for certain devices, click the X. Consider the following:
The deployment of configuration changes or signature file updates can be cancelled for bulk updates only. Updates cannot be cancelled when deployed for individual devices.
After you click Deploy, wait for five seconds before you start cancelling the updates for devices.
Once cancelled, the checkbox is deselected, indicating that the update was cancelled. There is no status change to indicate the cancellation of an update.
When the deployment is cancelled for any device, the item will still be selected for future updates unless it is explicitly deselected.

Deploying: In this state, the configuration changes are applied to the devices. There is no option to abort the update process for devices in which the deployment of updates is already in progress.

Completed: Shows that all the configuration changes have been updated on the devices.

3 Click Offline Update Files to view and export the deployment changes file for offline Sensors. The changes can then be deployed to the Sensors manually from the CLI command window.
4 Click Refresh to refresh the page and the status of the deployment.
5 Click Clear Status to clear the status column in the UI. Clearing the status does not cancel the deployment; the update process continues to run in the background.

Configure a Central Collector

In an environment with multiple NTBA Appliances, the designated Central Collector consolidates flow information from all other NTBA Appliances to provide a network-wide view. You can configure the central collector only at the root level.
You can either configure an aggregator or leave the NTBA Appliances as individual devices. Only one NTBA Appliance can be nominated as the central collector among multiple NTBA Appliances.

Task
1 Select Manage | Setup | Network Threat Behavior Analysis | Central Collector. The Central Collector page is displayed.
2 From the drop-down list, select a central collector.
3 Click Save.

Tasks
Display monitors for Central Collector on page 115

Display monitors for Central Collector

You can select the display option for a specific NTBA Appliance if you have not configured a central collector as described in the preceding section. If there is more than one NTBA Appliance but none is configured as the central collector, you see a drop-down list of all the NTBA Appliances. You can select one to display the monitors only for the selected Appliance.

Figure 6-19 Monitor-level data filtering page

Task
1 On the Manager home page, click Configure.
2 Select Central Collector as None.
3 Restart the Threat Analyzer.

The dashboard now displays the name of the configured central collector and shows enterprise-wide data in the monitors. The Manager does not support different time period options for these monitors; it displays data only for the last 10 minutes.

NTBA exception object management

Exception objects are rules that filter attacks/attack responses in IPv4 or IPv6 traffic based on source IP address, destination IP address, or both. You can also define port-based exception objects, which

filter exception objects based on the source or destination port (TCP/UDP ports) in addition to the source IP or destination IP addresses.

In the Manager, you define exception objects from the Policy node and assign them to NTBA Appliances and zones. Exception objects defined at the domain level are associated with all NTBA Appliances belonging to that domain. Similarly, exception objects defined at the NTBA Appliance level are associated with all zones belonging to that NTBA Appliance. Exception objects can be added, edited, assigned, exported, and imported at the Policy node. You can edit an exception object only in the admin domain where it was created.

You can define the following types of exception objects in the Manager:
IPv4: IPv4 exception objects without any source/destination port settings
IPv6: IPv6 exception objects without any source/destination port settings
TCP/UDP Port: Exception objects with only source/destination port settings
IPv4 with TCP/UDP Port: IPv4 exception objects with source/destination port settings
IPv6 with TCP/UDP Port: IPv6 exception objects with source/destination port settings

The port-based exception objects (TCP/UDP Port, IPv4 with TCP/UDP Port, and IPv6 with TCP/UDP Port) match on the source or destination TCP/UDP port settings.

While defining an exception object, you can choose any one of the following criteria for the Source or Destination IP address settings:
Any IP Address
A Range of IP Addresses
Any Internal IP Address
A Single IP Address
Any External IP Address

For the port-based exception object types (TCP/UDP Port, IPv4 with TCP/UDP Port, IPv6 with TCP/UDP Port), any one of the following options can be chosen in the Source Port and Destination Port settings:
Any Port
TCP/UDP Port
TCP Port
UDP Port

Select Policy | Network Threat Behavior Analysis | Exceptions | Exception Objects to view the Exception Objects page.
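The exception object types and matching criteria listed above, worked through as an added Python illustration that is not part of this guide or of the Manager. It evaluates a set of exception objects against sample alerts, which is the check an administrator wants before deploying an assignment: which alerts will disappear, and which will not. The exception object names, the attack names and the alert records are constructed; the rules that several criteria sets within one object are OR'ed while the fields of one set are AND'ed, and that "internal" means the RFC 1918 ranges plus IPv6 ULA space, are assumptions made for the example.

```python
"""Evaluates NTBA-style exception objects against alerts so that an
assignment can be checked before it is deployed. Added illustration, not
Manager code: exception object names, attack names and alerts are
constructed; OR across criteria sets, AND within a set, and "internal" =
RFC 1918 / IPv6 ULA are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(addr):
    return any(addr.version == n.version and addr in n for n in INTERNAL_NETS)


@dataclass
class IPCriterion:
    """Source or Destination choice: any | single | range | internal | external."""
    kind: str
    start: Optional[str] = None  # the single address, or the first address of a range
    end: Optional[str] = None    # the last address of a range

    def matches(self, addr):
        addr = ipaddress.ip_address(addr)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return addr == ipaddress.ip_address(self.start)
        if self.kind == "range":
            lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
            return lo.version == addr.version and lo <= addr <= hi
        if self.kind in ("internal", "external"):
            return is_internal(addr) == (self.kind == "internal")
        raise ValueError(f"unknown IP criterion {self.kind}")


@dataclass
class PortCriterion:
    """Source Port or Destination Port choice: any | tcp_udp | tcp | udp."""
    kind: str
    port: Optional[int] = None

    def matches(self, proto, port):
        if self.kind == "any":
            return True
        if proto not in ("tcp", "udp") or port != self.port:
            return False
        return self.kind == "tcp_udp" or self.kind == proto


@dataclass
class MatchingCriteria:
    source: IPCriterion = field(default_factory=lambda: IPCriterion("any"))
    destination: IPCriterion = field(default_factory=lambda: IPCriterion("any"))
    source_port: PortCriterion = field(default_factory=lambda: PortCriterion("any"))
    destination_port: PortCriterion = field(default_factory=lambda: PortCriterion("any"))


@dataclass
class ExceptionObject:
    name: str
    exc_type: str   # IPv4 | IPv6 | TCP/UDP Port | IPv4 with TCP/UDP Port | IPv6 with TCP/UDP Port
    criteria: list  # MatchingCriteria sets; any one that matches excepts the alert

    def matches(self, alert):
        uses_ip = self.exc_type != "TCP/UDP Port"
        uses_port = "TCP/UDP Port" in self.exc_type
        src, dst = ipaddress.ip_address(alert["src_ip"]), ipaddress.ip_address(alert["dst_ip"])
        # An IPv4 object never applies to IPv6 traffic, and vice versa.
        if uses_ip and {src.version, dst.version} != {4 if self.exc_type.startswith("IPv4") else 6}:
            return False
        for c in self.criteria:
            ok = not uses_ip or (c.source.matches(src) and c.destination.matches(dst))
            if ok and uses_port:
                ok = (c.source_port.matches(alert["proto"], alert["src_port"])
                      and c.destination_port.matches(alert["proto"], alert["dst_port"]))
            if ok:
                return True
        return False


def filter_alerts(alerts, assignments):
    """Apply an attack-name -> [ExceptionObject] assignment. Returns the alerts
    that survive and (src_ip, object name) for each alert that was excepted."""
    kept, excepted = [], []
    for a in alerts:
        hit = next((o.name for o in assignments.get(a["attack"], []) if o.matches(a)), None)
        if hit:
            excepted.append((a["src_ip"], hit))
        else:
            kept.append(a)
    return kept, excepted


# Constructed exception objects, as they would be defined at the Policy node.
SCANNER = ExceptionObject("vuln-scanner", "IPv4",
                          [MatchingCriteria(source=IPCriterion("single", "10.1.2.200"))])
INTERNAL_DNS = ExceptionObject("internal-dns", "IPv4 with TCP/UDP Port", [
    MatchingCriteria(source=IPCriterion("internal"), destination=IPCriterion("internal"),
                     destination_port=PortCriterion("udp", 53))])
ASSIGNMENTS = {"Port Scan": [SCANNER], "DNS Tunnel": [INTERNAL_DNS]}  # constructed attack names

# Constructed alerts.
ALERTS = [
    {"attack": "Port Scan", "src_ip": "10.1.2.3", "dst_ip": "10.9.9.9", "proto": "tcp", "src_port": 51000, "dst_port": 22},
    {"attack": "Port Scan", "src_ip": "10.1.2.200", "dst_ip": "10.9.9.9", "proto": "tcp", "src_port": 51001, "dst_port": 22},
    {"attack": "DNS Tunnel", "src_ip": "10.5.5.5", "dst_ip": "10.0.0.53", "proto": "udp", "src_port": 4444, "dst_port": 53},
    {"attack": "DNS Tunnel", "src_ip": "10.5.5.5", "dst_ip": "198.51.100.53", "proto": "udp", "src_port": 4444, "dst_port": 53},
    {"attack": "DNS Tunnel", "src_ip": "fd00::5", "dst_ip": "fd00::53", "proto": "udp", "src_port": 4444, "dst_port": 53},
]
```

Run against the sample, the scanner's own port-scan alert and the internal-to-internal DNS alert are excepted, while the DNS alert to an external resolver and the IPv6 DNS alert survive: the first fails the "Any Internal IP Address" destination criterion, and the second is never examined because an IPv4 object does not apply to IPv6 traffic. Reviewing the excepted list this way is the cheapest check that an exception object is not broader than intended.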
Add exception objects

You can add exception objects at the Policy node.

Task
1 Select Policy | Network Threat Behavior Analysis | Exceptions | Exception Objects. The Exception Objects page is displayed.

2 Click New. The Add an Exception Object page is displayed.

Figure 6-20 Add an Exception Object

3 Configure the following:
Enter the Name of the exception object.
Select from the Exception Type drop-down list, for example, IPv4. This can be IPv4, IPv6, TCP/UDP Port, IPv4 with TCP/UDP Port, or IPv6 with TCP/UDP Port.
4 To add the matching criteria in the IP address settings or port settings, click New. The Add Matching Criteria page is displayed. This page displays the IP address settings, port settings, or both, depending on the exception type chosen.
5 The Add Matching Criteria page displays any of the following options depending on the exception type selected:

Table 6-3 Add Matching Criteria options
Source: The IP address of the source for the exception type.
Destination: The IP address of the destination for the exception type.
Source Port: Source port (available when the type includes TCP/UDP Port)
Destination Port: Destination port (available when the type includes TCP/UDP Port)

Using these matching criteria, you define the rules for exception objects:
For the exception object type IPv4, only IP address settings criteria are displayed.
For the exception object type IPv6, only IP address settings criteria are displayed.
For the exception object type TCP/UDP Port, only port-based settings are displayed.
For the exception object type IPv4 with TCP/UDP Port, both IP Address Settings (Source or Destination) and port settings criteria (Source Port and Destination Port) are displayed.
For the exception object type IPv6 with TCP/UDP Port, both IP Address Settings (Source or Destination) and port settings criteria (Source Port and Destination Port) are displayed.

For example, when you select the exception type IPv4 with TCP/UDP Port, the Add Matching Criteria page displays both IP address settings and port settings:

Figure 6-21 Add Matching Criteria page

6 For the source and destination IP address settings, choose any one of the criteria from the Source drop-down list. If you choose A Range of IP Addresses, two new fields, Start Address and End Address, are displayed where you can specify the range of IP addresses from which attacks/responses are excluded. If you choose A Single IP Address, an IP address field is displayed where you can specify a single IP address for exclusion.
7 For port-based exception objects, choose any one of the criteria from the Source Port drop-down list.

Figure 6-22 Source Port drop-down list

Incorrect selections result in error messages.

Figure 6-23 Error message

8 After selecting the matching criteria, click OK. The selected matching criteria are listed in the Matching Criteria section of the Add an Exception Object page. You can add more than one set of criteria for an exception object.

9 Click Save. The exception object is added to the list of exceptions in the Exception Objects page.

Clone exception objects

You can clone exception objects at the Policy node.

Task
1 Select Policy | Network Threat Behavior Analysis | Exceptions | Exception Objects. The Exception Objects page is displayed.
2 Select the exception object you want to clone and click Clone. The Clone an Exception Object window is displayed.
3 [Optional] Edit the Name and Exception Type.
4 Use any of the following options:
Create a new matching criteria
Clone a listed matching criteria
View/edit a matching criteria
Delete a matching criteria
5 Click Save.

If a clone already exists for the exception object, the Manager displays an informational message and does not create another clone.

View or edit exception objects

You can view and edit exception objects at the Policy node.

Task
1 Select Policy | Network Threat Behavior Analysis | Exceptions | Exception Objects. The Exception Objects page is displayed.
2 From Exception Objects, select one and click View/Edit. The Edit Exception Objects window is displayed.
3 Configure the following:
Edit the Name.
Select the Exception Object Type (IPv4, IPv6, TCP/UDP Port, IPv4 with TCP/UDP Port, or IPv6 with TCP/UDP Port).
Click New to add a new IP address setting as a matching criteria.
Select a listed matching criteria and click Clone to clone it.
Select a listed matching criteria and click View/Edit to edit it.
Select a listed matching criteria and click Delete to delete it.

Assign exception objects

You can assign exception objects either at the Policy node or at the zone level of a specific NTBA Appliance. The procedure is similar at both levels; the procedure below assigns exception objects at the Policy node.

Task
1 Select Policy | Network Threat Behavior Analysis | Exceptions | Assignments. The Assignments page is displayed. It lists the attack details (Attack Name, NSP Attack ID, Attack Type, and # of Exception Objects).
2 Select an attack for which you want to assign exception objects and click View/Edit. The Filter Assignment page for the selected attack is displayed.

Figure 6-24 Filter Assignment page for a selected attack

3 Click a row in the Available Exception Objects list to select it.
4 Click >> to move the selected exception object to the list of Selected Exception Objects.
5 Click Save.
6 After assigning exception objects, perform a configuration update on the NTBA Appliance for the filter to take effect: select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Deploy Pending Changes.
7 To assign exception objects at the zone level of an NTBA Appliance, navigate to the Exceptions page by selecting Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Inside Zones/Outside Zones | Default Inside Zone/Default Outside Zone | Exceptions.

Import exception objects

You can import files containing exception objects into the Manager.

Task
1 Select Policy | Network Threat Behavior Analysis | Exceptions | Import. The Import page is displayed.

2 Select the Skip duplicates checkbox if you want to skip duplicate exception object definitions. Deselect this checkbox to include duplicate exception object definitions.
3 Click Browse.
4 Select a file to import.
5 Click Import.

Export exception objects

You can export exception objects to a location on your computer.

Task
1 Select Policy | Network Threat Behavior Analysis | Exceptions | Export. The Export page is displayed.
2 Select one or more exception objects you want to export.
3 Click Export. The File Download window of your client system is displayed.
4 Click Save to export the file to a location of your choice.

Delete exception objects

You can delete exception objects at the Policy node.

Task
1 Select Policy | Network Threat Behavior Analysis | Exceptions | Exception Objects. The Exception Objects page is displayed.
2 Select the exception object you want to delete and click Delete.
3 Confirm the deletion.

Only objects that are not assigned to any attack can be deleted.

Alert notification options

The Manager can send alert information to third-party repositories such as SNMP servers and syslog servers. Further, you can configure your Sensor to forward syslog notifications directly to a syslog server, so that the Sensor forwards alerts to a server other than the one assigned to the Manager. In addition to SNMP and syslog notifications, the Manager can also be configured to notify you of detected attacks through e-mail, pager, or script.

For alert notifications for the Sensor and the NTBA Appliance, select Manage | <Admin Domain Name> | Setup | Notification | (IPS/NTBA) Events.

Alert notifications are forwarded to syslog servers based on the configuration. Within that configuration, the notification destination settings are only one aspect: the Manager and Sensor send notifications depending on the attack, the attack severity, or both.

View alert notification details

You can view the summary of configured alert notification settings from the Manage node.

Task
Select Manage | Setup | Notification | NTBA Events | Summary. The Summary page is displayed.

Figure 6-25 Summary page

Forward alerts to an SNMP server

You can configure the SNMP server to which alert information for a Sensor or NTBA Appliance is sent. You can configure more than one SNMP server.

You can configure the SNMP servers for each admin domain separately. The SNMP server configured for a root admin domain can be different from the SNMP server configured for its child domains. When both the Children and the Current checkboxes are selected while configuring an SNMP server for the root admin domain, the SNMP server configured for the child domain forwards notifications to both the parent and the child domain SNMP servers. When the Children checkbox is not selected in the root admin domain, the child domain uses only the SNMP server configured for that domain to forward notifications.

The SNMP Servers list in the SNMP tab displays the SNMP servers you have configured.

Task
1 Select Manage | Setup | Notification | IPS Events | SNMP. The SNMP tab is displayed, showing the Enable SNMP Notification option and the configured SNMP Servers list.
2 Select Yes against Enable SNMP Notification and click Save.

3 Click New. The SNMP page is displayed.

Figure 6-26 SNMP page

4 Specify your options in the appropriate fields.

Table 6-4 SNMP - configuration options
Admin Domains: Specify whether this applies to the child domains as well.
IP Address: IP address of the target SNMP server. This can be an IPv4 or IPv6 address.
Target Port: SNMP listening port of the target server.
SNMP Version: The version of SNMP running on your target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.
Community String: Enter an SNMP community string to protect your Network Security Platform data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.
Send Notification If:
The attack definition has this notification option explicitly enabled (by attack, for Sensor and for IPS): Forwards attacks that match customized policy notification settings, which you must set when editing attack responses within the Policy Editor.
The following notification filter is matched (by exception object, for Sensor and for NTBA): Sends notification for all alerts, or based on the severity of alerts:
Allow All: Notifies for all discovered attacks.
Block All: Blocks notification.
Informational severity and above: Includes all alerts.
Low severity and above: Includes low, medium, and high severity alerts.
Medium severity and above: Includes medium and high severity alerts.
High severity: Includes only high severity alerts.

The following fields appear only when SNMP Version 3 is selected.
User Name: User name for authentication.
Authoritative Engine ID (Hex Values): The authoritative (security) engine ID used for SNMP version 3 REQUEST messages.

Table 6-4 SNMP - configuration options (continued)
Authentication Level: This specifies the authentication level and has the following categories:
No Authorization, No Privileges: Uses a user name match for authentication.
Authorization, No Privileges: Provides authentication based on the MD5 or SHA algorithms.
Authorization and Privileges: Provides authentication based on the MD5 or SHA algorithms, and in addition encryption based on the DES or AES standards.

The following fields appear only when Authorization, No Privileges is selected as Authentication Level:
Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.
Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.

The following fields appear only when Authorization and Privileges is selected as Authentication Level:
Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.
Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.
Encryption Type: The privacy protocol (AES or DES) used for encrypting SNMP version 3 messages.
Privacy Password: The privacy pass phrase used for encrypting SNMP version 3 messages.

5 Click Save. The SNMP server is added to the SNMP Servers page.

Do not use a broadcast IP address as the target SNMP server for forwarding alerts.

Modify or delete SNMP server settings

You can modify or delete the SNMP server settings at the Manage node.

Task
1 Select Manage | Setup | Notification | IPS/NTBA Events | SNMP. The SNMP tab with the Enable SNMP Notification option and the SNMP Servers list is displayed.
2 Select the configured SNMP server instance from the SNMP Servers list.
3 Configure the following:
a To edit the settings, click Edit, modify the fields as required, and click Apply.
b To delete the settings, click Delete and click OK to confirm the deletion.

Forward alerts to a syslog server

You can forward Sensor and NTBA Appliance alerts to a syslog server. Syslog forwarding enables you to view the forwarded alerts from a third-party syslog application.

Task
1 Select Manage | Setup | Notification | NTBA Events | Syslog. The Syslog page is displayed.

Figure 6-27 Syslog page

2 Configure the following fields:

Table 6-5 Syslog - configuration options
Enable Syslog Notification: Yes is enabled; No is disabled.
Server Name or IP Address: Enter the endpoint IP address or the endpoint name of the syslog server where alerts will be sent. For the endpoint IP address, you can enter either an IPv4 or an IPv6 address.
UDP Port: Port on the target syslog server that is authorized to receive syslog messages.
Facility: Standard syslog prioritization value. The choices are as follows:
Security/authorization (code 4)
Security/authorization (code 10)
Log audit (note 1)
Log alert (note 1)
Clock daemon (note 2)
Local user 0 (local0)
Local user 1 (local1)
Local user 2 (local2)
Local user 3 (local3)
Local user 4 (local4)
Local user 5 (local5)
Local user 6 (local6)
Local user 7 (local7)

Table 6-5 Syslog - configuration options (continued)
Severity Mapping: You can map each severity (Informational, Low, Medium, or High) to one of these standard syslog severities:
Emergency: System is unusable
Alert: Action must be taken immediately
Critical: Critical conditions
Error: Error conditions
Warning: Warning conditions
Notice: Normal but significant condition
Informational: Informational messages
Debug: Debug-level messages
Send Notification If:
The attack definition has this notification option explicitly enabled: Send notification for attacks that match customized policy notification settings, which you must set when editing attack responses within the policy editor.
The following notification filter is matched: Send notification based on the following filters:
Allow All: Notifies for all discovered attacks.
Block All: Blocks notification.
Severity Informational and above: Includes all alerts.
Severity Low and above: Includes low, medium, and high severity alerts.
Severity Medium and above: Includes medium and high severity alerts.
Severity High: Includes only high severity alerts.

3 Click Save. You must click Save before you can customize the message format to be sent to your syslog server. The customization option is available only if notification is enabled against Enable Syslog Notification.
4 Select your Message Preference to customize the format of the message to be sent to your syslog server.

Table 6-6 Message Preference - options
System Default: The default message is a quick summary of an alert with two fields for easy recognition: Attack Name and Attack Severity. A default message reads: Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$).
Customized: Create a custom message.

Create a custom message
Select Customized and click Edit to view the Custom message page. Type a message and select (click) the parameters for the appropriate alert identification format.
You can type custom text in the Message field. You can also click the Content-Specific Variables to move them to the Message field. Click Save to return to the Syslog page. Click Save.
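The facility, severity mapping, notification filter and message template configured above decide what the syslog collector actually receives. The following Python model is added here as an illustration and is not McAfee code: it applies the notification filter, builds the RFC 3164 PRI value and the System Default message for a constructed alert, and parses such a line on the collector side. The facility and severity names and the $IV_ATTACK_NAME$/$IV_ATTACK_SEVERITY$ template come from the page; the numeric codes follow RFC 3164; the alert values are constructed.

```python
"""Added example (not McAfee code): model the NTBA Syslog settings of
Table 6-5 and Table 6-6, build the RFC 3164 <PRI> header and the default
message for an alert, and parse such a line on the receiving side.
Facility/severity names and the default template come from the page; the
numeric codes follow RFC 3164; the alert values below are constructed."""
import re
from typing import Optional

# Facility choices as listed on the Syslog page, with their RFC 3164 codes.
FACILITIES = {
    "Security/authorization (code 4)": 4,
    "Security/authorization (code 10)": 10,
    "Log audit": 13, "Log alert": 14, "Clock daemon": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Standard syslog severities (RFC 3164 numeric values).
SYSLOG_SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}
# NSP alert severities, lowest first; used by the notification filter.
NSP_SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]
DEFAULT_TEMPLATE = "Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)"


def notification_allowed(alert_severity: str, filter_name: str) -> bool:
    """Apply one 'The following notification filter is matched' choice."""
    if filter_name == "Allow All":
        return True
    if filter_name == "Block All":
        return False
    m = re.fullmatch(r"Severity (\w+)( and above)?", filter_name)
    if not m or m.group(1) not in NSP_SEVERITY_ORDER:
        raise ValueError(f"unknown notification filter: {filter_name}")
    if m.group(2) is None:            # "Severity High": only that severity
        return alert_severity == m.group(1)
    return NSP_SEVERITY_ORDER.index(alert_severity) >= NSP_SEVERITY_ORDER.index(m.group(1))


def render(template: str, variables: dict) -> str:
    """Substitute $NAME$ Content-Specific Variables; unknown names are left as typed."""
    return re.sub(r"\$(\w+)\$",
                  lambda m: str(variables.get(m.group(1), m.group(0))), template)


def build_syslog_line(alert: dict, facility: str, severity_mapping: dict,
                      filter_name: str, template: str = DEFAULT_TEMPLATE) -> Optional[str]:
    """Return the '<PRI>message' line for this alert, or None if the filter blocks it."""
    if not notification_allowed(alert["IV_ATTACK_SEVERITY"], filter_name):
        return None
    sev = SYSLOG_SEVERITY[severity_mapping[alert["IV_ATTACK_SEVERITY"]]]
    pri = FACILITIES[facility] * 8 + sev          # RFC 3164: PRI = facility * 8 + severity
    return f"<{pri}>{render(template, alert)}"


def parse_syslog_line(line: str) -> dict:
    """Collector side: recover facility/severity and the two System Default fields."""
    m = re.fullmatch(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        raise ValueError("missing <PRI> header")
    pri, msg = int(m.group(1)), m.group(2)
    out = {"facility": pri // 8, "severity": pri % 8, "message": msg}
    d = re.fullmatch(r"Attack (.+) \((Informational|Low|Medium|High)\)", msg)
    if d:                                          # System Default message layout
        out["attack_name"], out["attack_severity"] = d.group(1), d.group(2)
    return out


if __name__ == "__main__":
    mapping = {"Informational": "Informational", "Low": "Notice",
               "Medium": "Warning", "High": "Critical"}
    # Constructed alert; the attack name is not a real NSP signature name.
    alert = {"IV_ATTACK_NAME": "Sample Attack Name", "IV_ATTACK_SEVERITY": "High"}
    line = build_syslog_line(alert, "local4", mapping, "Severity Medium and above")
    print(line, parse_syslog_line(line))
```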

Configure e-mail or pager alert notifications

Before you begin
You must identify a mail server for e-mail notifications in the E-mail Server page (Manage | Setup | E-mail Server).

Users can be alerted by e-mail or pager when an alert is generated that matches a chosen severity or customized attack setting. The procedure for configuring e-mail alerts is described here. The procedure for configuring pager alerts is similar.

Task
1 Select Manage | Setup | Notification | IPS/NTBA Events | E-mail. The E-mail and Recipient List information is displayed under the E-mail tab.

Figure 6-28 E-mail page

2 Specify your options in the corresponding fields.

Enable E-mail Notification: Select Yes to enable alert notification through e-mail.

Send Notification If:
  The attack definition has this notification option explicitly enabled: Send notification for attacks that match customized policy notification settings, which you must set when editing attack responses within the policy editor.
  The following notification filter is matched: Send notification based on the following filters:
    Allow All: Notifies for all discovered attacks.
    Block All: Blocks notification.
    Severity Informational and above: Includes all alerts.
    Severity Low and above: Includes low, medium, and high severity alerts.
    Severity Medium and above: Includes both medium and high severity alerts.
    Severity High: Includes only high severity alerts.

Suppression Time: Type a Suppression Time for the notification. The suppression time is the duration (minutes and seconds) to wait after an alert notification has been sent before sending another alert notification. The default and minimum value is 10 minutes and 0 seconds. Suppression time is useful to avoid sending excessive notifications when there is heavy attack traffic.

Message Body: The message body is a preset response sent with the notification, with information pertaining to the alert.
  System Default: The system default message provides the notified admin with the most basic attack details so that an immediate response can be made. Details include the attack name, time detected, attack type, severity, the Sensor interface where detected, and the source and/or destination IP addresses. You cannot edit the System Default message.
  Customized: Select Customized against Message Body and click Edit to view the Custom Message page. You can type custom text in the Subject field or Body section, as well as click one or more of the provided variable links at Subject Line Variables or Content-Specific Variables.

3 Click Save to return to the e-mail or pager notification settings page.
4 Click New in the Recipient List section of the page. The Add a Recipient page is displayed.
5 Enter the recipient address in the SMTP Address field and click Save. The address is listed under the Recipient List in the E-mail tab.

You can configure pager settings using a similar procedure in the Pager page. Select Manage | Setup | Notification | Alerts | IPS Pager to view the Pager page.
E-mail and pager notifications are configured per admin domain.

Enable alert notification by script
Users can be alerted through an executed script when an alert is generated that matches a chosen severity or customized attack setting.

Task
1 Select Manage | Setup | Notification | IPS/NTBA Events | Script. The Script page is displayed.
2 Specify the options in the corresponding fields.

Figure 6-29 Script page

Table 6-7 Script configuration options

Enable Script Execution: Select Yes to enable alert notification through an executed script.

Send Notification If:
  The attack definition has this notification option explicitly enabled: Send notification for attacks that match customized policy notification settings, which you must set when editing attack responses within the policy editor.
  The following notification filter is matched:
    Allow All: Notifies for all discovered attacks.
    Block All: Blocks notification.
    Severity Informational and above: Includes all alerts.
    Severity Low and above: Includes low, medium, and high severity alerts.
    Severity Medium and above: Includes both medium and high severity alerts.
    Severity High: Includes only high severity alerts.

Suppression Time: Enter a Suppression Time for the notification. The suppression time is the amount of time (minutes and seconds) to wait after an alert has been generated before sending the notification. This prevents a notification from being sent if the alert has been acknowledged or deleted through the Threat Analyzer within the suppression time. The default and minimum value is 10 minutes and 0 seconds.

3 Click Edit. The Script Contents page is displayed.

Figure 6-30 Script Contents page

Enter a description in the Description field. Enter the required text in the Script Content field. Click the links provided against Content-Specific Variables to add variables to the Script Content field.
4 Click Save to return to the Script page.
5 Click Save to save your settings.

The local system user must have permission to create the script output file in the Manager installation directory. Notifications are configured per admin domain.

Configure alert suppression
Alert suppression minimizes the number of duplicate alerts the NTBA Appliance sends to the Manager.

Within the configured suppression interval, when the configured number of individual alerts has been reached, all subsequent alerts containing the same attack, source, and destination details are suppressed. At the conclusion of the suppression interval, a summary alert is sent, which includes the total number of suppressed alerts for each of the maintained source-destination IP pairs. An additional total is shown for all other IP pairs.

Task
1 Select Devices | <Admin Domain Name> | Devices | NTBA Appliance | Setup | Advanced | Alert Suppression. The Alert Suppression page is displayed.

Figure 6-31 Alert Suppression page

2 Select the Enabled checkbox to enable alert suppression.
3 Configure the following under Threshold Settings:

Suppress for [X] seconds: This value is the time span in which you accumulate instances of the same attack. It acts as a timer; when the timer expires, the current instance is cleared to make room for a new suppression instance. The value entered in this field is the suppression interval.

Send first [X] as individual alerts: This value identifies the minimum number of alerts that must be detected for a unique suppression instance to be classified as an exploit throttle attack or summary alert. The value entered in this field is the configured number of individual alerts. Sending the first few alerts as individual alerts allows you to view details and packet log information for the first few instances of an attack. Within the configured suppression interval, once the configured number of individual alerts has been reached, all subsequent alerts containing the same attack, source, and destination details are suppressed. If there are x+1 attacks, the first x are sent as individual alerts and the attacks exceeding this count are throttled into one summary alert that summarizes this persistent attack.
Maintain [X] unique source-destination IP pairs for summary alerts: This value determines the number of unique source-destination IP pairs for summary alerts that are maintained at a given time. For example, if you enter 10, then 10 unique summary alert instances can be tracked at a given time. Once 10 is reached, all other cases are kept in a single "wildcard" instance. Source and destination IP addresses do not appear in the exploit throttle summary, since multiple addresses may be involved. This is due to memory limits. A throttle entry is removed after the time limit (Suppress for [X] seconds) has expired.

4 Click Save.
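The three Threshold Settings interact: the interval timer, the number of individual alerts per unique attack/source/destination instance, and the cap on tracked pairs beyond which a wildcard instance absorbs the rest. The Python model below is added here to make that interaction concrete; it is not McAfee code, the alert records are constructed, and whether the wildcard instance also gets its first few alerts sent individually is an assumption marked in the code.

```python
"""Added example (not McAfee code): a model of the alert-suppression
behaviour described on the Alert Suppression page. The three Threshold
Settings are the constructor parameters; alert records are constructed.
Treating the wildcard instance like a tracked pair for the "first [X]
individual alerts" rule is an assumption, not documented behaviour."""
import time
from dataclasses import dataclass, field


@dataclass
class Throttle:
    """One suppression interval for one attack name."""
    started: float
    pairs: dict = field(default_factory=dict)              # (src, dst) -> [sent, suppressed]
    wildcard: list = field(default_factory=lambda: [0, 0])  # all pairs beyond the cap


class AlertSuppressor:
    def __init__(self, suppress_seconds: int, first_individual: int, max_pairs: int):
        self.interval = suppress_seconds    # "Suppress for [X] seconds"
        self.first_n = first_individual     # "Send first [X] as individual alerts"
        self.max_pairs = max_pairs          # "Maintain [X] unique source-destination IP pairs"
        self.throttles: dict = {}           # attack name -> Throttle

    def _summary(self, attack: str, t: Throttle) -> dict:
        """Summary alert: per-pair totals plus one total for all other pairs."""
        per_pair = {k: v[1] for k, v in t.pairs.items() if v[1] > 0}
        return {"type": "summary", "attack": attack, "pairs": per_pair,
                "other_pairs_suppressed": t.wildcard[1],
                "total_suppressed": sum(per_pair.values()) + t.wildcard[1]}

    def expire(self, now: float) -> list:
        """Close every interval that has run out; emit a summary if anything was suppressed."""
        out = []
        due = [a for a, t in self.throttles.items() if now - t.started >= self.interval]
        for attack in due:
            summary = self._summary(attack, self.throttles.pop(attack))
            if summary["total_suppressed"] > 0:
                out.append(summary)
        return out

    def process(self, attack: str, src: str, dst: str, now: float = None) -> list:
        """Return the alerts to forward to the Manager for this one detection."""
        now = time.time() if now is None else now
        out = self.expire(now)
        t = self.throttles.setdefault(attack, Throttle(started=now))
        key = (src, dst)
        if key in t.pairs:
            counter = t.pairs[key]
        elif len(t.pairs) < self.max_pairs:
            counter = t.pairs[key] = [0, 0]
        else:
            counter = t.wildcard            # assumption: wildcard also gets first_n individual alerts
        if counter[0] < self.first_n:
            counter[0] += 1                 # one of the first [X]: forward with full details
            out.append({"type": "individual", "attack": attack, "src": src, "dst": dst})
        else:
            counter[1] += 1                 # throttled into the summary alert
        return out


if __name__ == "__main__":
    # Constructed stream: Suppress for 60 s, first 2 individual, maintain 1 pair.
    s = AlertSuppressor(suppress_seconds=60, first_individual=2, max_pairs=1)
    for t, src in ((0, "10.0.0.1"), (1, "10.0.0.1"), (2, "10.0.0.1"), (3, "10.0.0.1"),
                   (4, "10.0.0.3"), (5, "10.0.0.3"), (6, "10.0.0.3"), (60, "10.0.0.1")):
        print(t, s.process("Sample Attack", src, "10.0.0.2", now=t))
```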

Send notifications for quarantined attacks
You can define if and how administrators should be notified when endpoints are quarantined. This can be done only at the root level and is inherited by the child domains.

Task
1 Select Policy | Network Threat Behavior Analysis | Quarantine | Syslog. The Syslog Notification page is displayed.

Figure 6-32 Syslog Notification page

2 Configure the following fields.

Enable Syslog Notification: Yes is enabled; No is disabled.

Server Name or IP Address: Enter the Endpoint IP address or the Endpoint name of the syslog server where alerts will be sent. For the Endpoint IP address, you can enter either an IPv4 or an IPv6 address.

UDP Port: Port on the target syslog server that is authorized to receive syslog messages.

Facility: Standard syslog prioritization value. The choices are as follows:
  Security/authorization (code 4)
  Security/authorization (code 10)
  Log audit (note 1)
  Log alert (note 1)
  Clock daemon (note 2)
  Local user 0 (local0)
  Local user 1 (local1)
  Local user 2 (local2)
  Local user 3 (local3)
  Local user 4 (local4)
  Local user 5 (local5)
  Local user 6 (local6)
  Local user 7 (local7)

Severity Mapping: You can map each severity (Informational, Low, Medium, or High) to one of the standard syslog severities listed below:
  Emergency: System is unusable
  Alert: Action must be taken immediately
  Critical: Critical conditions
  Error: Error conditions
  Warning: Warning conditions
  Notice: Normal but significant condition
  Informational: Informational messages
  Debug: Debug-level messages

3 Click Save.
You must click Save before you can customize the message format to be sent to your syslog server. The Customization option is available only if notification is enabled against Enable Syslog Notification.
4 Select a Message Preference to customize the format of the message to be sent to your syslog server.

System Default: The default message is a summary of an alert with two fields for easy recognition: Attack Name and Attack Severity. A default message reads: Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$).
Customized: Create a custom message.

Tasks
Create a custom message on page 132

Create a custom message
You can create a custom message by selecting the parameters for the desired alert identification format.

Task
1 Select Policy | Network Threat Behavior Analysis | Quarantine | Syslog.
2 In Message Preference, select the Customized option and click Edit. The Custom Message page is displayed.
3 Type a message and select (click) the parameters for the desired alert identification format. You can type custom text in the Message field. You can also click the Content-Specific Variables to move them to the Message field.

Figure 6-33 Custom Message page

4 Click Save to return to the Syslog page.
5 Click Save.

Add flow exclusion
You can exclude processing of all flow data or Layer 7 (L7) data for specific networks by adding the IP address to the exclusion list. This data is not displayed, stored, or analyzed for threats.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Setup | Flow Exclusions. The Flow Exclusions page is displayed. You can also add exclusions at the root node; this is explained in the following section.
2 Click New. By default, the Inherit CIDR Exclusion List checkbox is selected. The New button is enabled when you deselect this checkbox.
3 Provide the IP address and the gateway port of the endpoint you want to exclude.

Figure 6-34 Add exclusions page

4 From the drop-down list, select Exclude all flow data or Exclude only L7 flow data.
5 Click Add and click Save.
6 Click Edit or Delete to make updates to an existing exclusion.

Tasks
Inherit exclusions to child domains on page 133
Deploy configuration changes on device on page 134

Inherit exclusions to child domains
You can set exclusions at the root level so that they are inherited by the child domains.

Task
1 Select Devices | <Admin Domain Name> | Global Default Device Settings | NTBA Devices | Device Settings | Setup | Flow Exclusions. The Flow Exclusions page is displayed.

Figure 6-35 Flow Exclusions page

2 If you want the child nodes to inherit the exclusion list, select the Inherit CIDR Exclusion List checkbox.
3 Click Save.

Deploy configuration changes on device
For the exclusions to take effect, you must deploy configuration changes on your device.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Deploy Pending Changes. The Deploy Pending Changes page is displayed.

Figure 6-36 Deploy Pending Changes page

2 Select the Configuration & Signature Set checkbox for the device and click Update. A pop-up window shows that the download is in progress.
3 When the download completes, click Close Window.

Define an external storage device
The NTBA Appliance provides internal storage for typical data storage time requirements. If you need to maintain data for an extended time, use this page to define an external storage device.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Setup | Advanced | External Storage. The External Storage page is displayed.

Figure 6-37 External Storage page

2 Configure the following fields:

Server Name or IP Address: Enter the Endpoint IP address or the Endpoint name of the backup server where data will be stored. For the Endpoint IP address, you can enter an IPv4 address.

File System: Select either CIFS or NFS. By default, it is CIFS. The Common Internet File System (CIFS) is an enhanced version of Microsoft Server Message Block (SMB), which operates as an application-layer network protocol mainly used for providing shared access to files between nodes on a network. Network File System (NFS) is a distributed file system protocol that allows a user on a client computer to access files over a network in a manner similar to how local storage is accessed.

Server Port: Enter the server port number (applicable for CIFS only).
Target Directory: Enter the directory on the external storage where files will be stored.
Username: Enter the user name for file system authentication (applicable for CIFS only).
Password: Enter the password for file system authentication (applicable for CIFS only).
Storage Interval (1-24 hours): Specify the storage interval between 1 and 24 hours.
Storage Limit (1-100%): Specify the maximum storage that can be used on the external storage.
Include Layer 7 Data: Indicate whether Layer 7 data must be backed up. The default is Yes.

The following field is displayed only when NFS is selected:
Do you want to use SUN RPC Port Mapper?: Select this if you want to use the SUN RPC Port Mapper. The default is Yes.

The following fields are displayed when you select No in the Do you want to use SUN RPC Port Mapper? option:
Service Port: Enter the service port number.
Mount Port: Enter the mount port number.

3 Click Test Connection to check whether the connection is successful. The connection might fail if the device is down.
4 Click Save when you get a message that the connection was successful.

You can retrieve data stored on an external storage device using the Top Most Recent Connections report. You can specify a time range, and NTBA fetches the data from either local storage or external storage to provide a unified report for the specified time range.

Configure services
Services map ports to protocols for reporting and policy configuration display purposes. You can view default services and define custom ones through the Services page.

Task
1 Select Manage | <Admin Domain Name> | Setup | Network Threat Behavior Analysis | Services. The Services page is displayed with the default services already listed.

Figure 6-38 Services page

2 Click New. The New Service page is displayed.

Figure 6-39 New Service page

3 Configure the following:
  Select the Enabled? checkbox if you want to enable the service once you create it. (Do not select this checkbox if you wish to enable it later using the Edit option.)
  Enter a name for the service.
  Select the protocol from the Protocol drop-down list.
  Enter the port values against Ports and click Add to add them to the list of ports. (You can select a listed port and click Remove to remove it from the list.)
4 Click Save. The newly configured service is listed on the Services page. You can select a custom service and click Edit to edit the settings.

Configure exporter access
You can control the way the NTBA Appliance gains access to the exporters configured to export NetFlow information to the NTBA Appliance by configuring the SNMP and SSH Parameters in the Exporter Access page. The NTBA Appliance uses SNMP to poll exporters and gather device-specific information, such as the quantity and type of interfaces, according to the set parameters. NTBA Appliances use SSH to add ACLs to exporters when configured to quarantine in response to alerts.

Task
1 Select Devices | <Admin Domain Name> | Global Default Device Settings | NTBA Devices | Device Settings | Setup | Exporter Access. The Exporter Access page is displayed.

Figure 6-40 Exporter Access page

2 Configure the following:
  Enter the UDP port number against UDP Port.
  Select the SNMP version (2c or 3) from the drop-down list against SNMP Version. The following fields appear only when SNMP Version 3 is selected.

Table 6-8 Choices for SNMP Version 3

Security Level: This specifies the authentication level and has the following categories:
  Authentication and Privacy (AuthPriv): Provides authentication based on the MD5 or SHA algorithms. It also provides encryption, in addition to authentication, based on the DES or AES standards.
  Authentication Only (AuthNoPriv): Provides authentication based on the MD5 or SHA algorithms.
  No Authentication and No Privacy (NoAuthNoPriv): Uses name match for authentication.
The following fields are enabled or disabled according to the selection in Security Level.

User Name: User name for authentication.

Authentication Protocol: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages. Applicable when Authentication and Privacy (AuthPriv) or Authentication Only (AuthNoPriv) is selected as Security Level.

Table 6-8 Choices for SNMP Version 3 (continued)

Authentication Key: Authentication key used for authenticating SNMP version 3 messages. Applicable when Authentication and Privacy (AuthPriv) or Authentication Only (AuthNoPriv) is selected as Security Level.

Encryption Protocol: The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages. Applicable when Authentication and Privacy (AuthPriv) is selected as Security Level.

Encryption Key: Encryption key used for the selected privacy protocol. Applicable when Authentication and Privacy (AuthPriv) is selected as Security Level.

  Type a string against Read Only Community String. (Applicable when SNMP Version 2c is selected.)
  Enter the SNMP Polling Interval in minutes.
3 Enter the User Name, Password, and the Write Password for the SSH Parameters.
4 Click Save.

How communication rules work
Communication rules provide a mechanism to match network traffic through flow fields and generate alerts when there is a match. Communication rules are applied to network traffic flows in relation to an NTBA policy. For instance, for a given NTBA policy you can set a communication rule to match the BitTorrent application and the Remote Desktop protocol with a threshold of 10 inbound packets per second. When these communication rule parameters are met, an alert is raised.

Configure a new communication rule

Task
1 Select Policy | Network Threat Behavior Analysis | NTBA. The NTBA Policies page is displayed. The NTBA Policies page lists the Default NTBA Policy and other policies created by the user.
2 Select an NTBA policy and click View/Edit. The Edit NTBA Policy page is displayed.
3 Click the Communication Rules tab. The Communication Rules page is displayed.

4 Click New. The Add a communication rule page is displayed.

Figure 6-41 Add a communication rule page

5 Configure the following:
  Select Enabled to enable the communication rule.
  Enter a name for the rule against Name.
  Enter a description against Description.
  Set the severity from the Severity drop-down list.
  Select the time of day (Peak Traffic Hours, Off Traffic Hours, Weekend Traffic Hours, or Normal Traffic Hours) from the Time of Day drop-down list.

6 Click View/Edit under Traffic to Match. The Edit Matched Traffic page is displayed.

Figure 6-42 Edit Matched Traffic page

7 Depending on the options selected in the Edit Matched Traffic page, alerts are triggered when traffic matches those conditions. Selecting the Service option lists the standard applications on standard ports, while selecting the Port option allows you to specify custom port numbers and ranges of port numbers. For example, if you have selected the service as File Transfer Protocol and the port as TCP 21, the rule is triggered when traffic matches FTP on port 21. The Edit Matched Traffic page is displayed with options for the selected items.

Figure 6-43 Edit Matched Traffic page options

You can enter multiple file names separated by commas against File, such as file1, file2, and file3. You can enter multiple URLs separated by commas against URL, such as URL1, URL2, and URL3.
8 Click OK to return to the Add a Communication rule page.

9 [Optional] Click View/Edit under Trigger Thresholds. The Edit Traffic Thresholds page is displayed.

Figure 6-44 Edit Traffic Thresholds page

10 Select OR or AND from the drop-down list against Operation for All of Enabled Trigger Thresholds. Select OR if the rule should trigger when any one of the enabled trigger thresholds is met; select AND if it should trigger only when all of the enabled trigger thresholds are met.
11 Select a listed trigger threshold and click Edit/View. The Edit Traffic Threshold page is displayed. Here you can edit the selected threshold. If you select multiple thresholds using the CTRL key and click Bulk Edit, the edited values are applied to all the selected thresholds.

Figure 6-45 Edit Traffic Threshold page

If you configure alerts as Trigger Threshold, then the alerts are displayed as Bandwidth Exceeded. This is because Trigger Threshold gets higher priority than any Traffic to Match alert; therefore, if you want to trigger rules for Traffic to Match, exclude Trigger Threshold from the communication rule criteria.

The names of the triggered alerts are hardcoded according to the values matching the traffic from the rules; therefore, if a rule is configured with Service as Telnet Protocol, then on matching the traffic the name of the triggered alert is Illegal service detected and not Telnet Protocol detected. Similarly, if a rule is configured with Application as FTP, the triggered alert is Illegal Application detected.

12 Configure the following:
  Select Selected if you want to select the threshold. Select Unselected if you want to disable the threshold.
  Enter a threshold value between 1 and the maximum if you have selected the threshold.
13 Click OK to return to the Edit Traffic Thresholds page.
14 Click OK to return to the Add a Communication rule page.
15 Select Sensor Action to quarantine the traffic if it matches the Sensor rule.
16 Under Notifications, select the appropriate notification mode (E-mail, Pager, Script, SNMP, Auto.Ack., and Syslog).
17 Click OK to return to the Communication Rules page.
18 Click Save to save your communication rule settings. You get a message that the update was successful and that you must now push your changes to the resource.
19 Click Deploy Pending Changes on the Devices page, then select the Configuration & Signature Set checkbox and click Update. The Download status window is displayed.
20 Wait for the update to complete and close the window.

The procedure for configuring communication rules for an NTBA zone is similar to the one described here. Communication rules can be set for each NTBA zone. You can configure communication rules for a zone by selecting Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Inside Zones/Outside Zones | Default Inside/Outside Zone | Communication Rules. The procedure for an inside zone is similar.

If you upgrade from 7.1, 7.5, or 8.0 to 8.1, the communication rules that have Not Equal to qualifiers are removed. Only the rules that have the Equal to qualifier for the matched condition are retained.

Create a communication rule for XFF
The X-Forwarded-For (XFF) feature allows the Manager to identify the original source IP address even when that client resides behind an explicit HTTP proxy IP address. The IPS Sensor sends the original source IP addresses of the endpoints to the NTBA Appliance when XFF header parsing is enabled in the IPS Sensor.
The NTBA Appliance sends a quarantine request to the IPS Sensor if the original source IP reputation is bad. The IPS Sensor then quarantines the packets when the original source IP address is in the quarantine list. The XFF feature in NTBA is applicable only for NetFlows coming from the IPS Sensors and not for NetFlows from routers such as Cisco, because the L7 data needed for XFF processing is available only in NetFlows generated from IPS Sensors. Although a communication rule set for IP Reputation will still work, it is recommended that you set a new communication rule to optimize quarantining endpoints with original source IP addresses.
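The rule procedure above and the XFF rule just described share one evaluation model: every Traffic to Match criterion must hold, Trigger Thresholds (combined with OR or AND) take priority and rename the alert to Bandwidth Exceeded, and Service or Application matches get the hardcoded alert names. The following Python model is added here to show that behaviour end to end; it is not McAfee code, the rule and flow records are constructed, and the counter names and the fallback alert name for CIDR/reputation-only rules are assumptions.

```python
"""Added example (not McAfee code): a model of how an NTBA communication
rule is evaluated against one flow record, following the behaviour the
page describes: all Traffic to Match criteria must hold (Equal to), Trigger
Thresholds take priority and always raise "Bandwidth Exceeded", and Service
or Application matches raise the hardcoded alert names. Rule objects, flow
records, counter names and the fallback alert name are constructed assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Alert names the page states are hardcoded by the matched criterion.
ALERT_NAMES = {"service": "Illegal service detected",
               "application": "Illegal Application detected"}
THRESHOLD_ALERT = "Bandwidth Exceeded"


@dataclass
class CommunicationRule:
    name: str
    severity: str
    time_of_day: str                      # e.g. "Normal Traffic Hours"
    traffic_to_match: dict = field(default_factory=dict)    # criterion -> value, all must match
    trigger_thresholds: dict = field(default_factory=dict)  # enabled threshold -> limit
    threshold_operation: str = "OR"       # "OR": any enabled threshold; "AND": all of them
    quarantine: bool = False              # Sensor Action


def criterion_matches(criterion: str, wanted, flow: dict) -> bool:
    """One Traffic to Match criterion with the 'Equal to' qualifier."""
    if criterion == "cidr_block":          # "CIDR Block equal to <web server IP>/32"
        return ip_address(flow["dst_ip"]) in ip_network(wanted)
    if criterion == "reputation":          # GTI reputation of the XFF original source IP
        return flow.get("orig_src_reputation") == wanted
    if criterion == "port":                # (protocol, port) pair, e.g. ("TCP", 21)
        return (flow["proto"], flow["dst_port"]) == tuple(wanted)
    return flow.get(criterion) == wanted   # service, application, file, url, ...


def evaluate(rule: CommunicationRule, flow: dict):
    """Return (alert_name, quarantine) for a match, or (None, False)."""
    if rule.time_of_day != flow["time_of_day"]:
        return None, False
    if not all(criterion_matches(c, v, flow) for c, v in rule.traffic_to_match.items()):
        return None, False
    if rule.trigger_thresholds:
        # Trigger Thresholds get higher priority than any Traffic to Match alert:
        # a rule that carries thresholds only ever raises "Bandwidth Exceeded".
        hits = [flow["counters"].get(n, 0) > limit for n, limit in rule.trigger_thresholds.items()]
        fired = any(hits) if rule.threshold_operation == "OR" else all(hits)
        return (THRESHOLD_ALERT, rule.quarantine) if fired else (None, False)
    for criterion in ("service", "application"):
        if criterion in rule.traffic_to_match:
            return ALERT_NAMES[criterion], rule.quarantine
    return rule.name, rule.quarantine     # assumption for CIDR/reputation-only rules (XFF case)


if __name__ == "__main__":
    # Constructed rules and flows; addresses are documentation ranges.
    ftp_rule = CommunicationRule("Block FTP", "Medium", "Normal Traffic Hours",
                                 traffic_to_match={"service": "File Transfer Protocol",
                                                   "port": ("TCP", 21)})
    xff_rule = CommunicationRule("XFF high risk to web server", "High", "Normal Traffic Hours",
                                 traffic_to_match={"cidr_block": "203.0.113.10/32",
                                                   "reputation": "High Risk"},
                                 quarantine=True)
    ftp_flow = {"time_of_day": "Normal Traffic Hours", "proto": "TCP", "dst_port": 21,
                "dst_ip": "198.51.100.7", "service": "File Transfer Protocol",
                "counters": {"inbound_pps": 25}}
    xff_flow = {"time_of_day": "Normal Traffic Hours", "proto": "TCP", "dst_port": 80,
                "dst_ip": "203.0.113.10", "service": "HTTP",
                "orig_src_reputation": "High Risk", "counters": {}}
    print(evaluate(ftp_rule, ftp_flow), evaluate(xff_rule, xff_flow))
```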

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA_Appliance> | Zones | Inside/Outside Zones | Default Inside/Outside Zones | Communication Rules. The Communication Rules page is displayed.
2 Click New. The Add a communication rule page is displayed.

Figure 6-46 Adding a new communication rule for XFF

3 Type a name and description for the new communication rule.
4 Set the following values:
  Severity: Select a severity level.
  Direction: Select Bidirectional.
  Time of Day: Select from the list.
  Traffic to Match: Click View/Edit. Select CIDR Block and specify the value as equal to the web server IP address/32. Select the Reputation checkbox. Specify IP as High Risk.
5 Select the Quarantine checkbox in Sensor Actions.
6 Click Save.

See also
How communication rules work on page 139

Configure Time of Day criterion for communication rules
Time of Day is one of the attributes of communication rules.

Normal Hours, Off Hours, Peak Hours, and Weekend Hours are the filter criterion choices under the Time of Day attribute. The Start Time and End Time specific to each filter criterion can be configured globally for all NTBA Appliances in the network as well as at each NTBA Appliance level. Global configuration is done by selecting Devices | <Admin Domain Name> | Global Default Device Settings | NTBA Devices | Device Settings | Setup | Time of Day, while the NTBA Appliance level configuration is done by selecting Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Setup | Advanced | Time of Day. You have the choice of applying or not applying the global configuration settings while configuring the filter criterion at the NTBA Appliance level.

The procedure for configuring the Time of Day at the NTBA Appliance node is described here. The procedure for configuring the global settings for the Time of Day from the Global tab is similar.

To configure the Time of Day criterion for communication rules from the NTBA Appliance node:

If you are a new user, you must:
  Check the current time zone of the IPS device by selecting Devices | <Admin Domain Name> | Devices | <IPS Device> | Setup | Time Zone. The default time zone is Greenwich Mean Time (GMT).
  Set the same time zone for the NTBA Appliance.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Setup | Advanced | Time of Day. The Time of Day page is displayed.

Figure 6-47 Time of Day page

The values you see on this screen are preset. You can edit these values if required.

2 By default, Use Global Settings is selected. Keep it selected if you want to apply the global settings; deselect this checkbox if you want to configure Time of Day specific to the selected NTBA Appliance. The New and Delete buttons appear when the Use Global Settings checkbox is deselected.
3 Click New. The Add a Range page is displayed.

Figure 6-48 Add a Range page

Whatever time zone is set here is automatically converted according to the communication rule set for the NTBA Appliance.
4 Do the following:
  Select the range type (Normal Hour, Off Hour, Peak Hour, or Weekend) from the drop-down list against Type.
  Set the Start Time and End Time.
5 Click Save to set the time range for the selected type.

Only unique Time of Day values can be set. Error messages are displayed if the values set overlap or are duplicates.

Configure name resolution
The NTBA Appliance collects flow information from network routers and Sensors. You can set the DNS Settings values for collection of flow information.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Setup | Name Resolution. The Name Resolution page is displayed.

Figure 6-49 Name Resolution page

By default, the Inherit the Default Settings checkbox is selected. Deselect the checkbox to enable the fields in the Name Resolution section.

2 Configure the following:
• Select the Enable Name Resolution checkbox to enable name resolution. (Leave this checkbox deselected if you want to disable this feature.)
• Specify the IP addresses for Primary Name Server and Secondary Name Server.
• Specify the Refresh Interval in hours.
3 Click Test Connection to check the DNS connection with the primary DNS server.
4 Click Save.

How Global Threat Intelligence integrates with NTBA
McAfee Global Threat Intelligence (formerly McAfee TrustedSource) is a global threat correlation engine and intelligence base of global messaging and communication behavior, including reputation, volume, trends, web traffic, and malware. McAfee GTI can be integrated with NTBA.

Having evolved to become a worldwide communications security resource, Global Threat Intelligence (McAfee GTI) and its global internet communications behavior intelligence is incorporated into products across the McAfee appliance and service suite, as well as into appliances and services of other companies and organizations. The additional knowledge provided by McAfee GTI data enables appliances and services to filter communications more accurately and to protect electronic communications and transactions between people, companies, and countries.

McAfee GTI receives and analyzes billions of queries per month from the McAfee network of Sensors deployed to protect consumer and enterprise network traffic across 120 countries globally, collecting and correlating threat data for URLs, IP addresses, domains, and content. McAfee GTI assigns a reputation score and further classifies network identities and content with a risk level based on an in-depth, highly sophisticated analysis derived by processing thousands of behavior attributes to profile each network traffic sender, website, domain, and content.
McAfee GTI is the first and only reputation system to combine traffic data, routing, IP/domain registration data, and network characteristics with the unparalleled breadth of the global customer base of McAfee. For each IP address on the internet, McAfee GTI calculates a reputation value based on sending or hosting behavior and various environmental data. McAfee GTI automatically collects, aggregates, and correlates this data from customers as well as partners to assess the state of the internet threat landscape.

McAfee GTI reputation is expressed in four classes:

Figure 6-50 McAfee GTI classes

• Minimal Risk: Indicates that this is a legitimate source or destination of content/traffic. McAfee GTI also defines the reputation of private addresses that are not seen on the public internet to be minimal risk.
• Unverified: Indicates that this appears to be a legitimate source or destination of content/traffic, but also displays certain properties suggesting that further inspection is necessary.

• Medium Risk: Indicates that this source/destination shows behavior believed to be suspicious, and content/traffic to or from it requires special scrutiny.
• High Risk: Indicates that this source/destination does or will send/host potentially malicious content/traffic, and we believe it presents a serious risk.

In the context of NTBA, McAfee GTI provides reputation and country of origin information. Endpoint communication rules can use that information as matching criteria. For example, you can generate an alert in the Threat Analyzer if the source of a connection is from a specific country or is known to be malicious.

Configure IP Reputation at the global level
Before you begin
You must have enabled sending alert data details on the Integration | Global Threat Intelligence page to configure settings on this page.

If you configure IP reputation at the global node, it is reflected in the child nodes.

Task
1 Select Devices | <Admin Domain Name> | Global | Default Device Settings | NTBA Devices | Zone Settings | GTI IP Reputation.
The IP Reputation page is displayed.

Figure 6-51 IP Reputation page

2 Select the NTBA checkbox under State to enable Global Threat Intelligence IP Reputation.
3 Set the list of services to be excluded from or included in the McAfee GTI lookups by moving them under Excluded Services or Included Services using the left and right arrows in the Service-Based Lookups field.
4 Select Inherit CIDR Exclusion list from GTI Participation page to add the exclusion list directly from Manage | Integration | Global Threat Intelligence.

5 Click Add to add a CIDR block to the Excluded Endpoints list.
6 Click Delete to remove a CIDR block from the list.
7 Click Save.

Configure IP Reputation at the zone level
You can also configure IP reputation at the zone level.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Outside Zones | Default Outside Zone | IP Reputation.
The IP Reputation page is displayed.

Figure 6-52 IP Reputation page

2 By default, the Inherit from NTBA Settings node? checkbox is selected. Keep it selected to inherit the settings from the Global node. Deselect this checkbox to configure Global Threat Intelligence IP Reputation settings at the zone level.
3 Select the NTBA checkbox under State to enable Global Threat Intelligence IP Reputation.
4 Set the list of services to be excluded from or included in the McAfee GTI lookups by moving them under Excluded Services or Included Services using the left and right arrows in the Service-Based Lookups field.
5 Set the list of services to be excluded from or included in the McAfee GTI lookups by moving them under Excluded Services or Included Services using the left and right arrows in the Service-Based Lookups field.
6 Click Add to add a CIDR block to the Excluded Endpoints list.

7 Click Delete to remove a CIDR block from the list.
8 Click Save.

Before configuring the McAfee GTI integration with NTBA, it must be enabled at Manage | Integration | Global Threat Intelligence.
• In exchange for detailed alert information, full integration with McAfee GTI is enabled. Full integration permits you to report, filter, and sort endpoints involved in attacks based on their network reputation and/or country of origin.
• In exchange for alert summary information, partial integration with McAfee GTI is enabled. Partial integration permits you to right-click an alert and view the network reputation and country of origin for its source or destination endpoint.

To optimize the use of McAfee GTI, send alert data (and retrieve McAfee GTI information) only for the attacks for which you are most interested in viewing endpoint reputation and country information. With the exception of the optional contact information, all data is sent anonymously.

Firewall port 443 (used for McAfee GTI queries) and port 80 (used for the McAfee GTI database download) must be open for McAfee GTI information to be displayed in the NTBA monitors.

The NTBA Appliance performs endpoint lookups through NetBIOS or DNS. Hence, this type of network traffic emanating from NTBA is normal.

For more information on configuring the McAfee GTI integration in the Manager, see the McAfee Network Security Platform Integration Guide.

Configure miscellaneous settings
You can specify the corporate domain, which is used to identify compromised internal endpoints acting as spambots.

Task
1 Select Manage | <Admin Domain Name> | Setup | Network Threat Behavior Analysis | Miscellaneous.
The Miscellaneous configuration page is displayed.

Figure 6-53 Miscellaneous page

2 Type the corporate domain(s) against Domain. This information is used to identify compromised internal endpoints acting as spambots. NTBA examines whether the domain name of the addresses it receives is one of the domain names specified against Domain; if not, the source IP is treated as a candidate for botnet activity.
3 Do the following:
• Enter the value of N for the Top N lists presented in the Threat Analyzer against The Value of N in Top N Lists.
• Set the time limit (days) within which endpoints/protocols seen for the first time are considered new in the Threat Analyzer against Consider Endpoints/Protocols "New" if Seen for First Time Within.
• Set the number of previous days used as the reference period for deciding whether an endpoint/protocol is seen for the first time against Consider Endpoints/Protocols "New" if Seen for First Time With Reference Days As.
4 Click Save.

The value entered in Consider Endpoints/Protocols "New" if Seen for First Time With Reference Days As is the number of previous reference days. For example, if this value is set to 90 and the value for Consider Endpoints/Protocols "New" if Seen for First Time Within is set to 7, all the endpoints/protocols seen for the first time during the past 7 days, within the last 90 days of history, are presented in the Threat Analyzer.

Active device profiling
NTBA Appliances can actively scan your internal devices to identify the device type and operating system. By default, the NTBA Appliance scans all endpoints that fall in the inside zones. Before scanning, the NTBA Appliance fetches the list of IP addresses to scan from the Manager. The Manager then sends the passive scan information to the NTBA Appliance to optimize the active scans. The NTBA Appliance sends active endpoint scan details to the Manager. The Manager consolidates data from all sources and provides a comprehensive view of the endpoints on the network.
It also uses the data for alert relevancy.

The NTBA Appliance supports CIDR/zone-based exclusions for scanning. It also supports port exclusions, which are passed as input to the scan engine.

Scan categories
Active device profiling is performed based on these scan needs:
• Scheduled scan: You can schedule a scan of a set of endpoints or of all endpoints in the inside zones. The IP addresses can also be sent from the Manager. Example: Daily, Weekly.
• Internal scan: If no scheduled scans are defined, NTBA triggers a scan of its own endpoints as per its own schedule.

You can also exclude a list of IP addresses, CIDR zones, or ports that you do not wish to scan.
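The two decisions described under Configure miscellaneous settings above, written out as an added illustration (this is not McAfee NTBA code): the corporate-domain test that marks a sender as a spambot candidate, and the rule that an endpoint or protocol is "new" when first seen within N days, judged over a reference window of M days. The corporate domains, endpoint addresses and sighting dates are constructed sample values, and exact domain matching is an assumption, since the page does not say how subdomains are treated.

```python
from datetime import date, timedelta

# Added example, not McAfee NTBA code. Models the two checks described under
# Configure miscellaneous settings:
#   1. the corporate-domain test that marks a sender as a spambot candidate;
#   2. the "New if seen for first time within W days, with reference days R"
#      rule, evaluated over per-endpoint sighting dates.
# All domains, addresses and dates below are constructed sample values.

CORPORATE_DOMAINS = {"example.com", "mail.example.com"}  # constructed values


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of a user@domain address ('' if none)."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_spambot_candidate(address: str, corporate_domains=CORPORATE_DOMAINS) -> bool:
    """True when the sender's domain is not one of the configured corporate
    domains, which is how the page describes the spambot heuristic. Exact
    matching is an assumption; subdomain handling is not specified on the page."""
    domain = sender_domain(address)
    return domain not in corporate_domains


def new_endpoints(sightings, today, within_days=7, reference_days=90):
    """sightings maps an endpoint (or protocol) name to the dates it was seen.
    An entry is "new" when its FIRST sighting inside the last `reference_days`
    falls within the last `within_days`. Sightings older than the reference
    window are ignored, so a host unseen for longer than the window counts as
    new again when it reappears."""
    window_start = today - timedelta(days=reference_days)
    new_cutoff = today - timedelta(days=within_days)
    result = []
    for endpoint, dates in sightings.items():
        in_window = [d for d in dates if window_start <= d <= today]
        if in_window and min(in_window) >= new_cutoff:
            result.append(endpoint)
    return sorted(result)


def example_report(today=date(2015, 6, 30)):
    """Run both checks over constructed data; returns (spambot_candidates, new_endpoints)."""
    senders = {
        "10.10.0.5": "alice@example.com",
        "10.10.0.9": "promo@unrelated-domain.invalid",
    }
    spambots = sorted(ip for ip, addr in senders.items() if is_spambot_candidate(addr))

    sightings = {
        "10.10.0.5": [date(2015, 6, 28)],                     # first seen 2 days ago
        "10.10.0.6": [date(2015, 6, 1), date(2015, 6, 29)],   # known for a month
        "10.10.0.7": [date(2015, 1, 10), date(2015, 6, 27)],  # old sighting outside the 90-day window
    }
    return spambots, new_endpoints(sightings, today)
```

With the page's values (7 and 90), 10.10.0.7 is reported as new even though it was seen in January, because that sighting lies outside the 90-day reference window; 10.10.0.6 is not new because its first sighting inside the window is older than 7 days.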

Active device profiling workflow
After you define the inside zones, a scan is performed based on this workflow.

Figure 6-54 How a scan is performed

Configure active device profiling
NTBA Appliances can actively scan your internal devices to identify the device type and operating system.

Task
1 If you are using the Add Device Wizard, the option to enable active device profiling appears on the last screen.
-OR-
Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Policy | Active Device Profiling.
The Active Device Profiling page is displayed.

2 Select the Enable Active Device Profiling? checkbox.
The Enable Active Device Profiling? checkbox is enabled per NTBA Appliance. By default, it is disabled. On enabling the checkbox, the previous configuration, if any, is displayed. This allows you to temporarily disable the option without losing the original settings.

Enabling this checkbox enables the scanning feature and starts the scanning service. Various scan configurations can then be enabled. The status of the device profiler service can be verified by using the service status DeviceProfiler CLI command.

Figure 6-55 Active Device Profiling page for NTBA Appliance

3 Use this section to exclude the following from being profiled and to bypass specific TCP/UDP ports normally used by the scanner during the profiling process:
• Available Zones: By default, only inside zones are profiled. Use the arrow key to move a zone to the excluded list.
• CIDR Blocks: Type a CIDR block and click (+) to add it to the excluded list.
• TCP/UDP Ports: Type a TCP/UDP port and click (+) to add it to the excluded list. By default, NTBA scans the ports 1, 7, 9, 13, 21-23, 25-26, 37, 53, 79-81, 88, 106, , 119, 135, 139, , 179, 199, 389, 427, , 465, , 543, 544, 548, 554, 587, 631, 646, 873, 990, 993, 995, , 1110, 1433, 1720, 1723, 1755, 1900, 2000, 2001, 2049, 2121, 2717, 3000, 3128, 3306, 3389, 3986, 4899, 5000, 5009, 5051, 5060, 5101, 5190, 5357, 5432, 5631, 5666, 5800, 5900, 6000, 6001, 6646, 7070, 8000, 8008, 8009, 8080, 8081, 8443, 8888, 9100, 9999, 10000, 32768, , and

Be extremely cautious while configuring the internal and external zones. A configuration error might lead to external endpoints being unintentionally scanned, which could be considered an attack by an external organization.

4 In the Advanced section, you can set:
a Profiling Frequency: Whether to scan as needed or as scheduled.
• Profile as needed: This option is for internal scans. The NTBA Appliance decides when to scan.
• Profile as scheduled: This option lets you schedule the scan as you need it. The time zone for this setting is GMT. To minimize scanning traffic, configure the schedule during off-peak hours.
b Profile Expiration (days): Signifies the rescan time. For example, if the expiration is set to 2 days, an asset that has been scanned before is scanned again only after the expiration period has elapsed. After expiration, a device is profiled anew. By default, the expiration is set to 2 days.
5 Click Save.

Scanning or scan results might be filtered if devices such as an IPS Sensor or a firewall are configured between the NTBA Appliance and the endpoint to be scanned.

Advanced malware policies
Modern advanced malware-based attacks pose acute security threats to enterprises. McAfee Network Security Platform provides several features to detect and prevent advanced threats prior to infection. You can also detect post-infection activity by monitoring bot command and control server activity. McAfee Network Security Platform provides visibility across multiple network vectors (endpoint, IP, user, and so on) and the ability to correlate this information over a period of time. Once a threat is identified, understanding the root cause and exposure is critical to avoid similar threats in the future.

McAfee Network Security Platform provides a highly effective solution for identifying vulnerability- and signature-based threat vectors and preventing damage to customer networks. However, the threat landscape is evolving: malware is getting more evasive and its activity is spread over a longer time frame. For more information, refer to the McAfee Network Security Platform IPS Administration Guide.
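Returning to the Active Device Profiling settings described above (steps 3 and 4), the following added example, which is not McAfee NTBA code, works out which endpoints and ports one profiling run would cover after the zone, CIDR block and TCP/UDP port exclusions are applied, and which hosts are due for a rescan under the Profile Expiration setting. The zone definitions, host lists and timestamps are constructed sample data; representing an inside zone as a name plus CIDR blocks, and restricting targets to RFC 1918 space as a guard against the zone misconfiguration the page warns about, are assumptions of the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Added example, not McAfee NTBA code. Applies the exclusions offered on the
# Active Device Profiling page (zones, CIDR blocks, TCP/UDP ports) and the
# Profile Expiration setting that governs rescans. Zone definitions, host lists
# and timestamps are constructed; the zone-to-CIDR mapping is an assumption.

# Constructed: a zone is a name plus the CIDR blocks it covers.
ZONES = {
    "Default Inside Zone": ["10.10.0.0/24"],
    "Lab Inside Zone": ["10.20.0.0/29"],
}

# Constructed subset of the default port list printed on the page.
DEFAULT_PORTS = [21, 22, 23, 25, 53, 80, 135, 139, 3389, 5900, 8080]

# Added safeguard (assumption, not a product setting): only RFC 1918 space may
# be profiled, so a zone that accidentally covers external addresses is inert.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scan_targets(zones, excluded_zones, excluded_cidrs, candidate_hosts):
    """Return the candidate hosts (IP strings) that lie in a non-excluded zone,
    outside every excluded CIDR block, and inside private address space."""
    allowed = [ipaddress.ip_network(c) for z, cidrs in zones.items()
               if z not in excluded_zones for c in cidrs]
    excluded = [ipaddress.ip_network(c) for c in excluded_cidrs]
    targets = []
    for host in candidate_hosts:
        ip = ipaddress.ip_address(host)
        if not any(ip in net for net in RFC1918):
            continue  # safeguard: never profile addresses outside private space
        if any(ip in net for net in excluded):
            continue
        if any(ip in net for net in allowed):
            targets.append(host)
    return targets


def scan_ports(excluded_ports, default_ports=DEFAULT_PORTS):
    """Default scanner ports minus the ones added to the TCP/UDP Ports exclusion list."""
    skip = set(excluded_ports)
    return [p for p in default_ports if p not in skip]


def due_for_profiling(last_profiled, now, expiration_days=2):
    """last_profiled maps host -> datetime of its last completed profile, or
    None if it has never been profiled. A host is rescanned only once the
    Profile Expiration period (default 2 days) has elapsed."""
    expiry = timedelta(days=expiration_days)
    return sorted(host for host, last in last_profiled.items()
                  if last is None or now - last >= expiry)


def plan_run(now):
    """Combine the three steps for one profiling run; returns (hosts_due, ports)."""
    hosts = scan_targets(
        ZONES,
        excluded_zones={"Lab Inside Zone"},
        excluded_cidrs=["10.10.0.128/25"],
        candidate_hosts=["10.10.0.5", "10.10.0.200", "10.20.0.2", "198.51.100.7", "10.10.0.9"],
    )
    # constructed history: 10.10.0.5 profiled 3 days ago, 10.10.0.9 six hours ago
    last = {"10.10.0.5": now - timedelta(days=3), "10.10.0.9": now - timedelta(hours=6)}
    due = due_for_profiling({h: last.get(h) for h in hosts}, now)
    return due, scan_ports(excluded_ports=[3389, 5900])
```

In the constructed run, 10.10.0.200 drops out through the CIDR exclusion, 10.20.0.2 through the zone exclusion, and 198.51.100.7 through the private-space guard; of the two remaining hosts only 10.10.0.5 is older than the 2-day expiration and is rescanned.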
How the McAfee Gateway Anti-Malware engine works
The McAfee Gateway Anti-Malware engine (or McAfee anti-malware engine) is a multi-platform engine that detects and blocks malware threats, everything from viruses and worms to adware, spyware, and riskware. To further protect end users against emerging malware threats, zero-day threats, and targeted attacks, the McAfee anti-malware engine focuses on generic and heuristic detection of malware.

The NTBA Appliance has the McAfee Gateway Anti-Malware engine running on it. The IPS Sensor sends a file with potential malware to the NTBA Appliance, which scans it using this engine and sends the result (confidence level) back to the IPS Sensor. The Sensor sends the alert to the Manager and the configured response action takes place.

Download or update anti-malware signatures
The primary function of the Advanced Malware Protection feature is to provide a prioritized list of endpoints that need remediation, based on a risk score determined from a set of threat vectors and events correlated over time.

The IPS Sensor sends files to the NTBA Appliance over the NTBA management port. Therefore, for the Advanced Malware Protection feature to work, make sure that the NTBA collection port and the IPS Sensor management port are not on the same subnet.

You can automatically download the anti-malware signature sets on the NTBA Appliance by enabling the Gateway Anti-Malware Engine Updating option. This option is available at both the root-level node and the device-level node of the NTBA Appliance.

Make sure you are connected to the Internet while downloading and updating anti-malware software and signatures. Updating anti-malware software and signatures from offline servers is not supported.

Task
1 Enable gateway anti-malware engine updates at the root-level node by selecting Devices | <Admin Domain Name> | Global | Default Device Settings | NTBA Devices | Device Settings | Maintenance | Gateway Anti Malware Engine Updating, or at the device-level node by selecting Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Maintenance | Gateway Anti Malware Engine Updating.
By default, the Inherit Settings? checkbox is enabled. This causes any settings made at the root-level node to be applied to the child nodes as well.
The Gateway Anti-Malware Engine Updating page is displayed.

Figure 6-56 Gateway Anti-Malware Engine Updating page

2 In the Gateway Anti-Malware Engine Updating section, enter a value in the Update Interval text box. This sets the interval after which the next signature set is automatically downloaded. The default value is 90 minutes. The minimum is 90 minutes and the maximum is 1440 minutes.
Configuring policies
The NTBA Appliance policies are rule-based monitoring and control tools. The NTBA Appliance policies include two types of policies, called NTBA policies and worm policies. The NTBA policies consist of anomaly policies that contain attack definitions for anomalies in TCP, UDP, and ICMP traffic. Worm policies contain attack definitions for worms and botnets.

The NTBA policies are assigned per zone. Both NTBA policies and worm policies can be assigned to specific NTBA Appliances. They are assigned separately to each NTBA Appliance in the network.

Configure the default NTBA attack settings
The Default NTBA Attack Settings tab provides an attack editor that works in concert with the NTBA Appliance policy editors.

The Default NTBA Attack Settings tab enables you to edit an attack definition's response once and have that modification apply across all policies that contain that attack definition, rather than having to find all policies that use a particular attack and then modify the response in each of those policies one at a time. Changes made to an attack in the Default NTBA Attack Settings apply to that attack in all policies unless customized within a specific policy.

You can customize severity, alerts, and notification actions for each attack in the Default NTBA Attack Settings tab.

Task
1 Select Policy | Network Threat Behavior Analysis | Advanced | Default NTBA Attack Settings.
The Default NTBA Attack Settings page, which lists all the NTBA attacks, is displayed.

Figure 6-57 Default NTBA Attack Settings page

2 Select an attack from the attacks listed and click View/Edit. (You can also select and double-click the listed attack.)
The edit page for the selected attack is displayed. For example, if a behavior attack is selected, the Edit Behavior Attack detail for Attack page is displayed.

Figure 6-58 Edit Behavior Attack detail for Attack page

3 Do the following:
• Select the Customize Severity checkbox to customize the severity by selecting a severity from the drop-down list. The choices for severity are 0 - Informational, 1 to 3 - Low, 4 to 6 - Medium, and 7 to 9 - High.
• Select the Customize and Enable Alerts checkboxes under Sensor Response to customize the Sensor response.
• Select the Notifications setting checkboxes for the notifications that you want to customize.
• Select the Customize Quarantine Setting and Quarantine checkboxes to enable quarantine options for this type of attack in the alerts page of the Threat Analyzer.
4 Click OK to return to the Default NTBA Attack Settings page.
5 Click Save.

Configure the NTBA policies
You can create NTBA policies by modifying the settings of a default NTBA policy.

Task
1 Select Policy | Network Threat Behavior Analysis | NTBA.
The NTBA Policies page is displayed. The NTBA Policies page lists the Default NTBA Policy by default.

Figure 6-59 NTBA Policy page

2 Click New.
The Add an NTBA Policy page is displayed. (The Policy tab is selected by default.)

Figure 6-60 Add an NTBA Policy page

3 Do the following:
• Enter a name for the policy against Policy Name.
• Enter a description for the policy against Description.
• Select the Visible to Child Admin Domain checkbox to make the policy visible to child admin domains. Deselect this checkbox if you do not want this policy to be visible to child admin domains.
4 Click Save.

5 Click the NTBA Attacks tab.
The NTBA Attacks list is displayed.

Figure 6-61 NTBA Attacks list

6 Select an attack from the attacks listed and click View/Edit. (You can also select and double-click the listed attack.)
The Edit <type of attack> detail for Attack page for the selected attack is displayed. For example, if you select a behavior attack, the Edit Behavior Attack detail for Attack page is displayed.

Figure 6-62 Edit Behavior Attack detail for Attack page

7 Select Customize Severity to customize the severity by selecting a severity from the drop-down list. The choice of severity ranges from 0 - Informational, 1 to 3 - Low, 4 to 6 - Medium, and 7 to 9 - High.
8 Select the Customize and Enable Alert checkboxes under Sensor Response to customize the NTBA Appliance alert response.
9 Select the desired Notifications setting checkboxes to customize notifications.
10 Select the Customize Quarantine Setting and Quarantine checkboxes to quarantine attacks when detected.
11 Click OK.

Configure the worm policies
The NTBA Appliance worm policies contain attack definitions for worms and botnets. You can create NTBA Appliance worm policies by customizing the settings of a default NTBA Appliance worm policy or by creating new worm policies. Worm policies are assigned per NTBA Appliance.

Task
1 Select Policy | Network Threat Behavior Analysis | Worm.
The Worm page, which lists the default worm policy, is displayed.
2 Click New.
The Add an NTBA Policy page is displayed. (It opens in the Policy tab by default.)

Figure 6-63 Add an NTBA Policy page

3 Do the following:
• Enter a name for the policy against Policy Name.
• Enter a description against Description.
• Select the Visible to Child Admin Domains checkbox to make the policy visible to child admin domains.
• Click Save.

4 Click the Worm Attacks tab.
The Worm Attacks list is displayed.

Figure 6-64 Worm Attacks list

5 Select a listed attack and click View / Edit.
The Edit Worm Attack detail for Attack page is displayed.

Figure 6-65 Edit Worm Attack detail for Attack page

6 Configure the following:
• Check Customize Severity to customize the severity by selecting a severity from the drop-down list. The choice of severity ranges from 0 - Informational, 1 to 3 - Low, 4 to 6 - Medium, and 7 to 9 - High.
• Select the Customize Suppression Rate and Customize Suppression Interval checkboxes under Threshold and enter the required values to customize the threshold suppression rate and interval.
• Select the Customize and Enable Alert checkboxes under Sensor Response to customize the NTBA Appliance response.
• Select the Notifications setting checkboxes that you want to customize.
• Select the Customize Response Sensibility Level checkbox and select the level (Low, Medium, or High) from the drop-down list. More alerts are raised when this level is set to High.

7 Click OK to return to the Worm Attacks tab.
8 Click Save.

Worm attack and botnet attack are the two types of worm attacks listed under the Worm Attacks tab in the Edit Worm Attack details for Attack: <Attack Name> page of the default NTBA policy. The procedure for configuring the botnet attack is similar to configuring the worm attack. However, botnet attack configuration does not involve threshold suppression rate and interval settings. You can customize severity and notifications for botnet attacks. You can also choose to quarantine NTBA attack packets of the botnet attack type when detected.

Tasks
• Set default NTBA and worm policies on page 163

Set default NTBA and worm policies
You can set default NTBA and worm policies at the Manage node.

Task
1 Select Manage | <Admin Domain Name> | Setup | Admin Domains.
The Admin Domains page is displayed.
2 Click New.
The Add a Child Admin Domain page is displayed.

Figure 6-66 Add a Child Admin Domain page

3 Enter the child domain configuration details:
• Domain Name
• Contact Person

• Address
• Title
• Contact Phone Number
• Company Phone Number
• Organization
• Address
• City
• State
• Country
4 Click Save.
The settings are saved.
5 Click Allocate to allocate an interface.
The Available Interfaces page is displayed.

Figure 6-67 Available Interfaces page

6 Click Close.
7 Click Finish.
The Admin Domains page now lists the newly created child admin domain. The default NTBA and worm policies selected while configuring the new child admin domain are listed under Policy | <Admin Domain Name>/<Child Admin Domain Name> | Network Threat Behavior Analysis | NTBA and Policy | <Admin Domain Name>/<Child Admin Domain Name> | Network Threat Behavior Analysis | Worm.

Configure advanced botnet detection
The Advanced Botnet Detection feature supports detection by correlating multiple attacks across flows. Attacks are correlated by observing an endpoint for a given period of time. This detection provides detailed information retrieved from different attack phases at the end of a successful correlation. Network Security Platform forwards the attack information to the NTBA Appliance for similar correlation.

Use any one of the following paths to configure Advanced Botnet Detection:

• Devices | <Admin Domain Name> | Global | Default Device Settings | NTBA Devices | Zone Settings | Advanced Botnet Detection
• Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Zones | Inside Zones/Outside Zones | Default Inside Zone/Outside Zone | Advanced Botnet Detection

Figure 6-68 Advanced Botnet Detection at Global level

Figure 6-69 Advanced Botnet Detection at Zone level

For further details, refer to the McAfee Network Security Platform IPS Administration Guide.

Assign policies
After creating an NTBA or worm policy on the Policies page, you must assign the policy to a resource for it to work. Once a policy is modified or a new policy is created, make sure the same is applied to the respective zones (inside/outside) where the attacks that have been customized are being generated.

Task
1 Select Configure | <Admin Domain Name> | NTBA Settings | <NTBA Appliance> | Zones | Inside Zones | Profile | Default Inside Zone.
The Default Inside Zone page is displayed.
2 Click the Policy Assignment tab.
3 Select your policy from the drop-down list and click Save.
You will get a message that the update was successful and that you must now push your changes to the resource. If you have created zones, then you must assign the policies to those zones.
4 Select Configure | <Admin Domain Name> | Device List | <NTBA Appliance> | Physical Device.
5 Select the Configuration Update tab, select the Configuration & Signature Set checkbox, and click Update.
6 Wait for the update to complete and close the window.

Delete policies
You can delete the policies that you have created on the Policy page.

Task
1 Select <Admin Domain Name> | NTBA Settings | Policies | NTBA Policies.
The NTBA Policies page is displayed.
2 Select the policy you want to delete.
If you have not assigned the policy to any resource, then you can delete it directly. If you have, you will see an error message.

Figure 6-70 Error message

3 Unassign the policy by going to the Policy Assignment page.
4 If you have created any communication rules for the policy in the zones and deployed the configuration update, then delete those.
5 You can now delete the policy.

Export NTBA and worm policies
NTBA policy export enables you to save one or more custom (created/cloned) NTBA policies and worm policies from your Manager to your client. This is useful for archiving as well as for transferring a policy from a test Manager environment to your live environment. For example, you log in to your test Manager from a client and create a new policy. After creation, you export the policy to your client. You then log in to your live Manager from the client and import the policy for active use.

Task
1 Select Policy | Network Threat Behavior Analysis | Advanced | Export NTBA and Worm Policies.
The Export NTBA and Worm Policies page is displayed.

Figure 6-71 Export NTBA and Worm Policies page

2 Select the policy or policies you want to export.
3 Click Export.

4 Browse to the location on your client where you want to save the exported file.
5 Verify successful export by checking the destination for the exported file.

The policy file is saved as an XML file and contains all the policies you selected for export. Thus, if you select two policies for export, both policies are saved in the same file.

Although this feature outputs an XML file, the file is not intended for reading or editing. Any manipulation of this file besides regular copying from/to different media may result in import failure.

Import NTBA and worm policies
The Import NTBA and Worm Policies action enables you to add an NTBA policy and a worm policy to the Manager from an outside location. You can import from the Manager, through CD-ROM, by browsing connected network servers, or from your remote client.

Task
1 Select Policy | Network Threat Behavior Analysis | Advanced | Import NTBA and Worm Policies.
The Import NTBA and Worm Policies page is displayed.
2 Click Browse to search your system for an exported policy file. Select the Skip duplicate file definitions checkbox if you want to skip duplicate file definitions.
3 Click Save to download the file to the Manager.

Visibility rules apply to imported policies. For any custom (created or cloned) policy you import, if you deselected the Visible to Child Admin Domains checkbox in the Add an NTBA Policy page during creation, the imported policy will only be visible in the parent admin domain.

Configure the policy fields
The Default NTBA policy contains the following attack types:
• Behavior attack
• Threshold attack
• Anomaly attack
• Reconnaissance attack
• Zone anomaly attack

The configuration choices vary from attack type to attack type. The choices are summarized below:
Behavior attack
Figure 6-72 Edit Behavior Attack detail for Attack page

You can customize severity and notifications. You can choose to quarantine NTBA attack packets of this attack type when detected.
Anomaly attack
Figure 6-73 Edit Anomaly Attack details for Attack page

You can customize severity, endpoint anomalies for any IP address or a specific IP address, threshold suppression rate, threshold interval, notifications, and response sensitivity level.
Zone anomaly attack
Figure 6-74 Zone Anomaly Attack detail for Attack page
You can customize severity, threshold suppression rate, threshold interval, notifications, and response sensitivity level. You can choose to quarantine NTBA attack packets of this attack type when detected.
Setting the response sensitivity to Low tells the detection algorithm to tolerate traffic spikes before raising alerts. Setting the response sensitivity to High makes the system more sensitive to traffic surges.

Threshold attack
Figure 6-75 Edit Threshold Attack detail for Attack page

You can customize severity, threshold host service group (the threshold rate and interval for a named group of selected services, which can be applied to Any IP Address or a specific IP address), and notifications.
Reconnaissance attack
Figure 6-76 Edit Reconnaissance Attack detail for Attack page
You can customize severity, threshold value, threshold interval, threshold timeout, and notifications.

Default NTBA worm policy
The default NTBA worm policy contains the following attack types:
Botnet attack
Worm attack
Configuration choices are as follows:
Botnet attack

No configuration choices for the current release.
Worm attack
Figure 6-77 Edit Worm Attack detail for Attack page
You can customize severity, suppression rate, suppression interval, notifications, and response sensitivity.

Quarantine options for NTBA alerts
You can choose to quarantine policy violation, botnet attacks, reconnaissance and threshold-based attacks, endpoint-based anomaly attacks, and behavioral NTBA alerts. The quarantine response action must be enabled at the policy level per zone.
If the attack was detected by a Cisco router, the NTBA Appliance quarantines that endpoint by setting an ACL at the router for 5 minutes by default.
If the attack was detected at a Sensor, the NTBA Appliance sends the quarantine details as part of the alert to the Manager. In response, the Manager sends the corresponding source endpoint to the Sensor as part of endpoint quarantine. The quarantine details sent in the alert are exporter ID, response action, and source interface.
The period for which quarantine is effective is 5 minutes by default. If you want to change this value, contact McAfee Technical Support.

Add to Quarantine right-click options on an alert listed in the Alerts page of the Threat Analyzer provide specific quarantine period options (15 Minutes, 30 Minutes, 45 Minutes, 60 Minutes, or Until Explicitly Released).
Figure 6-78 Add to Quarantine right-click options
Quarantine response - Sensor as an exporter
For NTBA alerts emanating from a Sensor acting as an exporter, the quarantine settings on the Quarantine page of the Policy node (Policy | Intrusion Prevention | Quarantine | Default Port Settings) override the Add to Quarantine options that can be set for an NTBA alert in the Alerts page of the Threat Analyzer.
Quarantine response - third-party exporters
For NTBA alerts emanating from third-party routers acting as exporters, the Add to Quarantine options that can be set for an NTBA alert in the Alerts page of the Threat Analyzer apply.

Apply NTBA and worm policies
NTBA policies and worm policies are created at the Policy node and are applied to specific NTBA Appliances at the NTBA Appliance level.
Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Policy | Protection Profile. The Protection Profile page is displayed.
Figure 6-79 Protection Profile page

2 Select the NTBA policy to be applied from the NTBA Policy drop-down list.
3 Select the worm policy to be applied from the Worm Policy drop-down list.
4 Click Save.


Integrating with other McAfee products
Chapter 7 Integrating with McAfee Endpoint Intelligence Agent
Chapter 8 Integrating with McAfee Global Threat Intelligence
Chapter 9 Integrating with McAfee Logon Collector


7 Integrating with McAfee Endpoint Intelligence Agent
This chapter explains how the NTBA Appliance is integrated with McAfee Endpoint Intelligence Agent (McAfee EIA).
Contents
Overview
Architecture
Benefits
How integration with McAfee EIA works
Setting up McAfee EIA integration
Understanding executable classification
Working with whitelisted and blacklisted hashes
Configuring NTBA policies for McAfee EIA alerts
Viewing executables running on endpoint
Viewing endpoint intelligence reports
NTBA-EIA Deployment scenarios
Best practices
Troubleshooting

Overview
Most enterprises today face a challenge in understanding the executables running on their network. With malware increasing at a rampant pace, it has become imperative to know which executables send traffic on the network. Malware can exploit the inability of the network and the endpoint to coordinate information and policies. Some malware names itself after standard executables and makes standard application connections on the network. Such malware cannot be easily detected by looking at endpoint processes or monitoring network traffic flows in isolation. Combining information from the endpoints with information from the network gives security administrators deeper visibility into the enterprise.
McAfee Network Security Platform, together with Endpoint Intelligence Agent, gives security administrators insight into which executables running at endpoints are linked to network traffic. The administrator can then quickly investigate any unusual executable behavior, classify executables running on the network as malicious or safe, and take response actions.
McAfee Endpoint Intelligence Agent (McAfee EIA) is an endpoint solution that provides executable information to the NTBA Appliance. It delivers real-time, flow-aware correlation between the Network Security Platform and the endpoint.

When McAfee EIA is installed on an endpoint, it monitors the system for all outgoing connections made by executables, which include processes and libraries (DLLs). When a connection attempt is made by an executable, McAfee EIA sends the executable information to the NTBA Appliance over an encrypted channel. This gives the NTBA Appliance enough time to process the executable information and make it available at policy-decision points before the connection request packet is received.
The executable information contains:
5-tuple information: source IP address, destination IP address, source port, destination port, and protocol
Executable name, full path, and hash of the executable that generated the connection
User and operating system information associated with the executable
Details such as MD5 hash value, file version, malware confidence, signer name, malware indicators, signed time, file name (same as the executable file name), product name, and trust details for good and unknown executables
With this solution, you can view all executables used on the endpoint. It also provides the number of endpoints using each executable. All executables are classified as known good (whitelisted), known bad (blacklisted), or unclassified. For unclassified executables, the solution additionally provides a malware confidence.
When network traffic is generated, these files can be whitelisted or blacklisted based on the reputation of the executable file.

Architecture
McAfee EIA resides on the endpoint, where it collects details about the executables that initiate traffic. When integration with McAfee EIA is enabled, McAfee EIA sends the executable information to the NTBA Appliance, which uses it to enhance its analysis, for example to determine which endpoints are infected or are at risk of infection.
The communication between McAfee EIA and the NTBA Appliance uses the Datagram Transport Layer Security (DTLS) protocol, with McAfee EIA as the client and the NTBA Appliance as the server.

Both the client and the server must have certificates signed by a common Certification Authority (CA). The common CA can be the McAfee ePolicy Orchestrator (McAfee ePO) server.
Figure 7-1 Architecture diagram
ePO Server: The ePO server installs and configures the McAfee Agent and McAfee EIA settings on the managed hosts. The server is used to exchange the certificates that authenticate and secure McAfee EIA communication with the NTBA Appliance.
McAfee EIA: These are endpoints that have McAfee EIA installed on them. They provide the executable information about outgoing connections to the NTBA Appliance.
NTBA Appliance: McAfee EIA connects to the NTBA Appliance and sends the executable information to it. The IPS Sensor or router, if configured, sends NetFlows to the NTBA Appliance. The NTBA Appliance also responds to Manager queries for monitor and dashboard data and for endpoint intelligence information for existing NTBA and IPS alerts.
IPS Sensors/Routers: The NetFlow data that comes from the IPS Sensor is correlated with the executable information coming from McAfee EIA. For the NTBA Appliance to receive NetFlows, you must configure the IPS Sensor or router as an exporter (optional).
McAfee Global Threat Intelligence: McAfee EIA gets the GTI information via the NTBA Appliance and computes the malware confidence for an executable along with its own malware indicators.
Manager: The Manager maintains the whitelisted and blacklisted hashes, which all devices configured on the Manager can leverage for reporting and blocking purposes. The Manager pushes all imported hashes to all available NTBA Appliances and IPS Sensors.
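The join the Architecture section describes (an agent report for a connection reaching the appliance before the exporter's flow record, then NetFlow data being correlated with it by 5-tuple) is shown below as an added example in Python; it is not McAfee code, and the record layouts, class and function names, and the sample addresses and hashes are assumptions constructed for illustration.

```python
"""Correlating NetFlow records with McAfee EIA executable reports by 5-tuple.

Added example, not McAfee code: the record layouts, class and function names,
and the sample data are assumptions constructed for illustration. Reports are
cached by 5-tuple when they arrive (at connection time) and later flow records
for the same 5-tuple are enriched with the executable details.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (source IP, destination IP, source port, destination port, protocol)
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class EiaReport:
    """Executable information an agent sends for one outgoing connection (assumed layout)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    exe_name: str
    exe_path: str
    md5: str
    user: str

    def key(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.protocol)


@dataclass(frozen=True)
class FlowRecord:
    """The subset of a NetFlow record needed for the join (assumed layout)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    octets: int

    def key(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.protocol)


@dataclass(frozen=True)
class EnrichedFlow:
    flow: FlowRecord
    report: Optional[EiaReport]  # None: source endpoint has no agent, or no report was received


class EiaCorrelator:
    """Caches agent reports by 5-tuple and attaches them to flow records as they arrive."""

    def __init__(self) -> None:
        self._reports: Dict[FiveTuple, EiaReport] = {}

    def on_eia_report(self, report: EiaReport) -> None:
        # Reports are sent at connection time, before the exporter emits the flow,
        # which is what makes the later lookup by 5-tuple possible.
        self._reports[report.key()] = report

    def on_flow(self, flow: FlowRecord) -> EnrichedFlow:
        # A flow with no cached report stays visible as "unknown executable": that is the
        # gap agent-less endpoints leave, and exactly what a defender wants surfaced.
        # Reports are kept after a match because one connection can produce several
        # flow records (both directions, periodic exports).
        return EnrichedFlow(flow=flow, report=self._reports.get(flow.key()))


def demo() -> Tuple[EnrichedFlow, EnrichedFlow]:
    """Feed one report and two flows (constructed sample data) through the correlator."""
    corr = EiaCorrelator()
    corr.on_eia_report(EiaReport(
        "10.1.1.25", "203.0.113.10", 51234, 443, "TCP",
        "updater.exe", r"C:\Program Files\Example\updater.exe",
        "30a4edd18db6dd6aaa20e3da93c5f425", "CORP\\jdoe"))
    matched = corr.on_flow(FlowRecord("10.1.1.25", "203.0.113.10", 51234, 443, "TCP", 8192))
    # Second flow comes from an endpoint that sent no report (e.g. no agent installed).
    unmatched = corr.on_flow(FlowRecord("10.1.1.99", "203.0.113.10", 40000, 80, "TCP", 512))
    return matched, unmatched


if __name__ == "__main__":
    m, u = demo()
    print("matched:", m.report.exe_name if m.report else None)
    print("unmatched:", u.report)
```

The cache is keyed on the exact 5-tuple, so the agent's and the exporter's view of source port and protocol must agree; a real deployment also needs an expiry for reports whose connection never produced a flow (for instance when no exporter covers that path), which this illustration leaves out.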

Benefits
The benefits of McAfee EIA are as follows:
Provides visibility into the executables used in the enterprise network
Provides characteristics of the executable such as the version, the endpoints where it was executed, the number of connections made, the applications invoked, and the events associated with it
Provides reputation (malware confidence) for each executable using its own malware indicators and the data provided by McAfee GTI
Provides trust information for good and unknown executables
Enables detection of unknown executables in the network that the administrator can classify as whitelisted or blacklisted, thereby creating an intelligent baseline for the network
Provides the administrator the flexibility to enable auto-classification of known good executables as whitelisted and known bad executables as blacklisted
Integrates with the IPS Sensor's Blacklist and Whitelist functionality to prevent further spread of malware in the network
Provides correlation between the Application Identification feature provided by the IPS Sensor and the executable information for every flow
Correlates McAfee EIA executable information with analysis from other network detections such as ATD and NTBA

How integration with McAfee EIA works
This section provides the high-level steps to integrate the NTBA Appliance with McAfee EIA.
Task
1 Set up McAfee Agent with ePolicy Orchestrator: Deploy the McAfee Agent extension and McAfee Agent package to the ePolicy Orchestrator server. Skip this step if you have already deployed McAfee Agent version
2 Set up McAfee EIA with ePolicy Orchestrator: Deploy the Endpoint Intelligence Management extension and McAfee EIA package to the ePolicy Orchestrator server. Assign the policy to managed systems so that McAfee EIA can communicate with the NTBA Appliance.
3 Enable EIA integration on the Manager: Establish connections between the NTBA Appliance and the managed host systems running McAfee EIA by enabling EIA integration at the Global level or the Device level on the Manager. The Auto-Classification Settings are available only at the Global level. The maximum number of endpoint connections supported on the NTBA Appliance is
4 Work with whitelists and blacklists: You can either enable the auto-classification settings or manually change the executable classification. The manually classified values of the executable hashes are added to the whitelisted and blacklisted hashes that the administrator maintains.
5 Configure NTBA policies for McAfee EIA alerts: Six attack definitions have been added to the NTBA policies. Based on which alerts you want to see, you can configure policies to raise only those EIA alerts.

6 View executables running on endpoints: You can view all the executables running on your internal endpoints that have made network calls on the Endpoint Executables page. The top n endpoint executables are displayed in the Top Endpoint Executables monitor on the Home Dashboard page.
7 Analyze executable behavior: Even with auto-classification settings enabled, there might be instances where the executable classification is not justified by its behavior. In such cases, you might want to investigate these executables and change the executable classification to whitelisted or blacklisted accordingly, so they appear with the modified value the next time. The changes are applied to the whitelisted and blacklisted hashes maintained by the Manager. You can also generate reports to see more details on the top 10 endpoint executables and endpoint executable connections.
Quarantine of endpoints is not supported.

Setting up McAfee EIA integration
McAfee EIA can be installed on ePO-managed endpoints. This section explains how to deploy McAfee Agent and McAfee EIA and configure the agents to send the executable information to the NTBA Appliance from the ePolicy Orchestrator console. It also explains how to enable McAfee EIA integration on the Manager.
Verify system requirements
Make sure your NTBA, McAfee ePO, and managed systems meet the requirements.
McAfee ePO server must be at version 4.6.5, 5.x, or later
McAfee Agent must be at version 4.8 patch 2
McAfee Endpoint Intelligence Management extension must be at version
McAfee EIA must be at version or later
McAfee Network Security Manager (Manager) must be at version or later
McAfee Network Threat Behavior Analysis Appliance (NTBA Appliance) must be at version or later
We recommend that you upgrade McAfee EIA to version
McAfee EIA runs on these Microsoft operating systems (only Enterprise editions of Server operating systems are supported):
Windows XP Service Pack 2 and later
Windows Server 2003 Service Pack 1 and later
Windows Server 2003 R2 Service Pack 1 and later
Windows Server 2008
Windows 7
Windows Server 2012 (64-bit)
Windows 8.1
Windows Server 2012 R2 (64-bit)
Windows Server 2008 R2 (64-bit)

Setting up McAfee Agent with ePolicy Orchestrator server
Install the McAfee Agent extension, upload the McAfee Agent package, and deploy McAfee Agent on managed systems.
Download McAfee Agent and the extension package
Before you begin
Locate your grant number.
Task
1 In a web browser, go to the McAfee downloads page.
2 Enter your grant number, then go to the appropriate product and version.
3 Download the McAfee Agent extension, MA-WIN Build 1500 Package #2 (ENU-LICENSED-RELEASE-PATCH2), and the agent packages to the system containing the McAfee ePO server.
For more information, see the McAfee Agent Product Guide, version 4.8.
Install McAfee Agent extension
Task
1 From the ePolicy Orchestrator console, click Menu | Software | Extensions.
Figure 7-2 Navigating to software extensions on ePO console

2 At the bottom of the Extensions pane on the left side of the Extensions page, click Install Extension.
Figure 7-3 Installing McAfee Agent extension
3 Browse to the MA-WIN Build 1500 Package #2 (ENU-LICENSED-RELEASE-PATCH2) file you downloaded from the McAfee downloads page.
4 Click Open to select the file, then click OK to proceed with the selection.
5 Click OK to install the extension.

Upload McAfee Agent package
Upload the McAfee Agent package to the ePolicy Orchestrator server. This package contains the files necessary to install McAfee Agent on managed systems.
Task
1 From the ePolicy Orchestrator console, select Menu | Software | Master Repository.
Figure 7-4 Master Repository in ePO console

2 Click Check In Package. The Check In Package page is displayed.
3 From the Package type list, select Product or Update (.ZIP), then browse and select the McAfee Agent package file.
Figure 7-5 Uploading McAfee Agent package
4 Click Next.
5 Click Save. The package is added to the Master Repository.

Deploy McAfee Agent
Deploy McAfee Agent to managed systems.
Task
1 From the ePolicy Orchestrator console, select Menu | Policy | Client Task Catalog.
Figure 7-6 Client Task Dialog in ePO console

2 Click New Task.
3 From the Task Types list, select Product Deployment.
4 Click OK. The Client Task Catalog: New Task McAfee Agent: Product Deployment page appears.
Figure 7-7 Selecting McAfee Agent to deploy
5 In the Task Name field, enter a name for the task.
6 From the Products and components menu, select McAfee Agent.
7 Click Save.

8 Run the task.
a Click the System Tree icon. The Systems tab appears.
Figure 7-8 Selecting systems to deploy McAfee Agent
b Select the systems to deploy McAfee Agent.
c Select Actions | Agent | Run Client Task Now.
d In the Task Type column, select Product Deployment, and in the Task Name column, select the task you created.
e Click Run Task Now.
For more information, see the McAfee Agent Product Guide, version 4.8.

Setting up McAfee EIA with ePolicy Orchestrator server
Install the Endpoint Intelligence Management extension, upload the Endpoint Intelligence Agent package, and deploy McAfee EIA on managed systems.
Download McAfee EIA and the extension package
Download the McAfee EIA package and the Endpoint Intelligence Management extension to the ePolicy Orchestrator server.
Before you begin
Locate your grant number.

Task
1 In a web browser, go to the McAfee downloads page.
2 Enter your grant number, then go to the appropriate product and version.
3 Download the Endpoint Intelligence Management extension file, eim_epo_extension_220.zip.
4 Download the Endpoint Intelligence Agent file, eia_epo_deploy_220.zip.

Install the Endpoint Intelligence Management extension
Install the Endpoint Intelligence Management extension from your download location to your ePolicy Orchestrator server.
Task
1 From the ePolicy Orchestrator console, select Menu | Software | Extensions.
Figure 7-9 Navigating to software extensions on ePO console

2 At the bottom of the Extensions pane on the left side of the Extensions page, click Install Extension.
Figure 7-10 Installing Endpoint Intelligence Management extension
3 Browse to the eim_epo_extension_220.zip file you downloaded from the McAfee downloads page.
4 Click Open to select the file, then click OK to proceed with the selection.
5 Click OK to install the extension.

Upload McAfee EIA package
Upload the McAfee EIA package to the ePolicy Orchestrator server. This package contains the files necessary to install McAfee EIA on managed systems.
Task
1 From the ePolicy Orchestrator console, select Menu | Software | Master Repository.
Figure 7-11 Master Repository in ePO console
2 Click Check In Package. The Check In Package page is displayed.

3 From the Package Type list, select Product or Update (.ZIP), then browse and select epo_deploy.zip.
Figure 7-12 Uploading package
4 Click Next.
5 Click Save. The package is added to the Master Repository.

Deploy McAfee EIA
Deploy McAfee EIA to managed systems.
Task
1 From the ePolicy Orchestrator console, select Menu | Policy | Client Task Catalog.
2 Click New Task.
3 From the Task Types list, select Product Deployment.
4 Click OK. The Client Task Catalog: New Task Endpoint Intelligence Agent: Product Deployment page appears.
Figure 7-13 Selecting Endpoint Intelligence Agent to deploy

5 In the Task Name field, enter a name for the task.
6 From the Products and components menu, select Endpoint Intelligence Agent.
7 Click Save.
8 Run the task.
a Click the System Tree icon. The Systems tab appears.
Figure 7-14 Selecting systems to deploy McAfee Agent
b Select the systems to deploy McAfee EIA.
c Select Actions | Agent | Run Client Task Now.
d In the Task Type column, select Product Deployment, and in the Task Name column, select the task you created.
e Click Run Task Now.
For more information, see the Endpoint Intelligence Agent Product Guide.

Create and assign policy to managed systems
For McAfee EIA to communicate with the NTBA Appliance, a policy must be applied to managed systems.

Task
1 From the ePolicy Orchestrator console, select Policy Catalog:
a Select Product as Endpoint Intelligence Agent.
b Select Category as EIA Settings.
Figure 7-15 Policy Catalog ePolicy Orchestrator page
2 Click the My Default policy to edit it.
a In the General Settings tab, select the Device Type as NTBA from the drop-down list.
Figure 7-16 General Settings tab
b Enter the source IP address.
c Enter the subnet mask.
d Enter the device IP address. The device IP address you specify here must be the same as the NTBA Management IP address configured on your Manager.
e Enter the port number. Select the NTBA listening port for McAfee EIA connections and make sure that this port is not blocked by firewall rules. The default port used on NTBA is
f Click Add Route and click Save.

3 Click Wake Up Agent for the new configuration to take effect. By default, the policy is applied to all groups and subgroups.
Figure 7-17 Wake Up Agents option on ePolicy Orchestrator console
For more information, see the Endpoint Intelligence Agent Product Guide.

Enabling McAfee EIA integration on the Manager
You must have deployed McAfee Agent and McAfee EIA and configured the agents to send their results to NTBA in the ePolicy Orchestrator console, as explained in the preceding sections.
You can enable McAfee EIA integration with the NTBA Appliance at the Global level and at the Device level. When you enable McAfee EIA integration at the Global level, the settings are inherited by the child domain nodes because the Inherit Settings checkbox is enabled by default. When you enable McAfee EIA integration at the Device level, the configuration settings apply only to that particular NTBA Appliance.
Enable McAfee EIA integration globally
By default, the Inherit Settings checkbox is enabled, so settings made at the Global level are inherited by all NTBA Appliances in this domain (and child admin domains). The Auto-Classification Settings options are available only at the Global level and are inherited by all devices.

Task
1 Select Devices | <Admin Domain Name> | Global | Default Device Settings | NTBA Devices | Device Settings | Setup | EIA Integration. The EIA Integration page is displayed. The settings made at the parent admin domain level are inherited by default by its child domains.
2 Select the Enable EIA Integration checkbox to enable the feature.
Figure 7-18 Enable EIA Integration page globally
Table 7-1 Field descriptions
Field: Agent Connection Settings
Description: The NTBA Listening Port is the port on which the NTBA Appliance listens for incoming connections from endpoints running McAfee EIA. It is pre-populated with the value used by default by the agents. You can edit this field by specifying a port number between 0 and
Field: ePO Settings
Description: This section defines the parameters used to connect to the ePO server and exchange the certificates used to authenticate and secure agent communication with the NTBA Appliance.
ePO Server IP Address: Displays the IP address of the ePO server
ePO Server Port: This field is pre-populated with the value used by default by the ePO server. You can edit this field by specifying a port number between 0 and
ePO User Name: Type the user name to log on to the ePO console
ePO Password: Type the password to log on to the ePO console
Open ePO Console: Click to configure the ePO settings from here

Table 7-1 Field descriptions (continued)
Field: Auto-Classification Settings
Description: This section provides options to automatically whitelist and blacklist executables whose posture McAfee is confident of. It provides the following options:
Automatically Whitelist Executables Signed by a Trusted Certificate Authority: If the executable is signed by a trusted CA or has a signer name, it is whitelisted. This is enabled by default.
Automatically Whitelist Executables Found on the GTI Whitelist: If the GTI file reputation is clean, the executable is whitelisted. This is enabled by default.
Automatically Blacklist Executables Found on the GTI Blacklist: If the GTI file reputation is malicious, the executable is blacklisted. This is disabled by default.
McAfee recommends that you keep all auto-classification settings enabled unless you want to investigate every executable manually.
Field: Update ePO Certificate
Description: Click this button if the certificate on the ePO side has changed, to automatically update all NTBA Appliances in the admin domain node (and devices in child admin domain nodes that inherit the settings).

To check whether the McAfee EIA service is running on the NTBA Appliance, run the show endpointintelligence summary CLI command.
See also
Understanding executable classification on page 197
show endpointintelligence summary on page 341

Enable McAfee EIA integration per device
You can enable McAfee EIA integration for a particular device or domain at the Device level.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Setup | EIA Integration. The EIA Integration page is displayed.
Figure 7-19 Enabling McAfee EIA integration at Device level
If the Inherit Settings checkbox is selected (default), the settings from the Global level for the selected admin domain are inherited by the device.
2 Deselect the Inherit Settings checkbox and select the Enable EIA Integration checkbox to configure settings for a particular device.
3 Follow the procedure explained in Enable McAfee EIA integration globally to configure McAfee EIA at the device level.

Understanding executable classification
The Manager provides options to auto-classify or manually classify executables. Executables that appear as unclassified can be whitelisted or blacklisted. The Manager pushes updates to the whitelisted and blacklisted hashes to the NTBA Appliance every five minutes.
The executables are classified as:
Whitelisted: Executables that are considered safe.
Blacklisted: Executables that are not considered safe or are not allowed per corporate policy.
Unclassified: Executables that are yet to be classified.
You can classify executables from any of the following:

• Endpoint Baseline Generator: When the Endpoint Baseline Generator tool is run on a computer, it scans the computer, calculates the heuristics for all the executable hashes on the system, and generates an XML file. This XML file contains information such as file name, file size, hash type (MD5), and file hash. McAfee recommends that you run the tool on a system that can be treated as a baseline computer profile for your organization. You can then use the import option in the Manager to append your list to the existing whitelist and blacklist in the Manager.
• Auto-Classification: You can configure Auto-Classification Settings at the Global level of the EIA Integration page to classify executables based on the following:
  - If the executable is signed and trusted, it is whitelisted.
  - If the GTI file reputation is malicious, it is blacklisted.
  - If the GTI file reputation is clean, it is whitelisted.
  Auto-classified whitelisted and blacklisted executables are added to the Whitelisted and Blacklisted Hashes page.
  Make sure that GTI is reachable. This can be done by configuring the local DNS server (or proxy): select Devices | <Admin Domain Name> | Global | Default Device Settings | Common | Name Resolution and enter the IP address (IPv4 or IPv6) there.
• Manual Classification: You can also manually classify executables from the Manager. Based on their overall malware confidence and their network behavior, you can classify them as whitelisted or blacklisted. Manual classification has the highest priority and takes precedence over auto-classification.

The following aspects are used to classify executables:

Table 7-2 Executable classification

Manually whitelisted | Manually blacklisted | Digitally trusted | Auto-GTI whitelisted | Auto-GTI blacklisted | Gets classified as
Yes                  | -                    | Yes or No         | Yes or No            | Yes or No            | Whitelisted
-                    | Yes                  | Yes or No         | Yes or No            | Yes or No            | Blacklisted
Not classified       | Not classified       | Yes               | Yes or No            | Yes or No            | Whitelisted
Not classified       | Not classified       | No                | Yes                  | No                   | Whitelisted
Not classified       | Not classified       | No                | No                   | Yes                  | Blacklisted

Scenario: A new executable is seen in your network
-                    | -                    | Yes               | Unknown              | Unknown              | Whitelisted
-                    | -                    | No                | Unknown              | Unknown              | Unclassified

A new executable is not known to McAfee GTI, and an administrator can't classify it until its behavior is analyzed. On the second occurrence, GTI discovers and computes a reputation for the unclassified executable, and the NTBA classification may change accordingly.

See also
Enabling McAfee EIA integration on the Manager on page 194
Working with whitelisted and blacklisted hashes on page 199
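The precedence in Table 7-2 written out as code, as an added illustration that is not McAfee product code: manual decisions are checked first, then the auto-classification rules in the order the table lists them. The settings toggles and their defaults come from the Best practices section; the assumption that a disabled rule is simply skipped (the executable falls through to the next check) is mine.

```python
"""Executable classification precedence from Table 7-2 (added illustration,
not McAfee product code). Manual decisions win; among the auto-classification
rules, a trusted digital signature is checked before the GTI reputation."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class GtiReputation(Enum):
    CLEAN = "clean"          # GTI whitelisted
    MALICIOUS = "malicious"  # GTI blacklisted
    UNKNOWN = "unknown"      # not yet known to GTI


class Classification(Enum):
    WHITELISTED = "Whitelisted"
    BLACKLISTED = "Blacklisted"
    UNCLASSIFIED = "Unclassified"


@dataclass(frozen=True)
class AutoClassificationSettings:
    """Defaults follow the Best practices section: the two whitelisting rules
    are on, GTI-based blacklisting is off. Assumption: a disabled rule is
    simply skipped, so the executable falls through to the next check."""
    whitelist_signed_trusted: bool = True
    whitelist_gti_clean: bool = True
    blacklist_gti_malicious: bool = False


@dataclass(frozen=True)
class ExecutableFacts:
    md5: str
    manually_whitelisted: bool = False
    manually_blacklisted: bool = False
    signed_and_trusted: bool = False   # "Signed and Trusted" certificate status
    gti: GtiReputation = GtiReputation.UNKNOWN


# Every rule enabled, which is what the rows of Table 7-2 assume.
ALL_RULES_ON = AutoClassificationSettings(True, True, True)


def classify(facts: ExecutableFacts,
             settings: AutoClassificationSettings = AutoClassificationSettings()
             ) -> Tuple[Classification, str]:
    """Return (classification, reason). The order of the checks is the
    precedence: a manual whitelist entry beats a manual blacklist entry
    (a hash present in both lists is treated as whitelisted), and any manual
    decision beats the automatic rules."""
    if facts.manually_whitelisted:
        return Classification.WHITELISTED, "Manual: whitelisted"
    if facts.manually_blacklisted:
        return Classification.BLACKLISTED, "Manual: blacklisted"
    if settings.whitelist_signed_trusted and facts.signed_and_trusted:
        return Classification.WHITELISTED, "Auto: digitally trusted"
    if settings.whitelist_gti_clean and facts.gti is GtiReputation.CLEAN:
        return Classification.WHITELISTED, "Auto: GTI whitelisted"
    if settings.blacklist_gti_malicious and facts.gti is GtiReputation.MALICIOUS:
        return Classification.BLACKLISTED, "Auto: GTI blacklisted"
    return Classification.UNCLASSIFIED, "Not classified yet"


def new_executable_scenario(md5: str, signed_and_trusted: bool,
                            later_gti: GtiReputation,
                            settings: AutoClassificationSettings = ALL_RULES_ON
                            ) -> List[Classification]:
    """The scenario at the bottom of Table 7-2: on first sight GTI has no
    reputation; on the second occurrence GTI has computed one, so the
    classification can change. Returns the classification at each occurrence."""
    first = ExecutableFacts(md5, signed_and_trusted=signed_and_trusted)
    second = ExecutableFacts(md5, signed_and_trusted=signed_and_trusted,
                             gti=later_gti)
    return [classify(first, settings)[0], classify(second, settings)[0]]
```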

Working with whitelisted and blacklisted hashes

The Manager maintains a single list of whitelisted (good) and blacklisted (bad) hashes. Each list contains file hashes and executable names that can be leveraged by all devices configured on the Manager for reporting purposes.

See also
Understanding executable classification on page 197
Sample scenario: Analyze an unclassified executable with high malware confidence on page 210

Import of whitelisted and blacklisted hashes

You can use this page to import hashes into the whitelist and blacklist. Supported file formats are XML and CSV. The XML format is used to import a list of hashes that have been exported from endpoints running McAfee EIA using the Endpoint Baseline Generator utility. The Manager exports the lists in CSV format, so CSV can be used to import previous exports. It also provides a straightforward way to create a list manually.

CSV file format

The file to be imported should be in the following CSV format:

<File name>,<file size>,<hash type>,<file hash>,<description>

For example:

Application.exe, 1024, MD5, 30a4edd18db6dd6aaa20e3da93c5f425, My description

where:
• Application.exe is the file name. File name must be a string value and at least 1 character long.
• 1024 is the file size. File size must be an integer value and at least 1 character long. It is not currently used.
• MD5 is the hash type. Hash type can only be MD5.
• 30a4edd18db6dd6aaa20e3da93c5f425 is the file hash. File hash must be a valid MD5 hash value.
• My description is the description. Description must be a string value and at least 1 character long.

If you are importing multiple files, each file has to be on a new line.

Once hashes are imported, the list of all available hashes is displayed. The Manager pushes all the imported hashes to all the available NTBA Appliances and IPS Sensors.
The auto-whitelisted and auto-blacklisted executable hashes are added to the Manager global list. The Comment column on the Policy | Advanced Malware | Whitelisted and Blacklisted Hashes page provides the details for these. The Manager supports up to 100,000 hash entries (whitelisted and blacklisted combined).

Task
1 Select Policy | <Admin Domain Node> | Intrusion Prevention | Advanced Malware | Whitelisted and Blacklisted Hashes.
  The Whitelisted and Blacklisted Hashes page is displayed. You can also go to the Whitelisted and Blacklisted Hashes page by clicking the Manage Whitelist and Blacklist link on the Malware Detections page or the Endpoint Executables page.
2 Depending on the type of hashes you want to import, select the Whitelisted Hashes or the Blacklisted Hashes tab.
  View the Comment for auto-whitelisted and auto-blacklisted executables and decide whether to import the hashes.

3 Click Import.
  The Import page is displayed.

  Figure 7-20 Importing hashes into the whitelist

4 Browse to the location of the file and click Import.
  The list is populated. By default, the list is sorted in ascending order of the file name. To sort it according to your choice, click any of the column names and select an option from the drop-down list.
5 You can append to the existing list by clicking the Append option, which is selected by default. For information about how to use the Replace option, see the section Remove or replace hashes from whitelists and blacklists.
6 Use the Search option to locate an entry by file hash, file name, or classifier.
7 Consider adding a description in the Comment field explaining why a file hash was whitelisted or blacklisted. The Comment field allows up to 250 characters.

Export of whitelisted and blacklisted hashes

If you want to export the hashes, go to the appropriate tab and click Export All. The exported CSV file contains either whitelisted or blacklisted hashes, depending on the tab from which it is exported. You can use the exported file as the source of an import in another Manager. Currently, only export to CSV files is supported.

Task
1 Select Policy | <Admin Domain Node> | Intrusion Prevention | Advanced Malware | Whitelisted and Blacklisted Hashes.
  The Whitelisted and Blacklisted Hashes page is displayed. You can also go to the Whitelisted and Blacklisted Hashes page by clicking the Manage Whitelist and Blacklist link on the Malware Detections page or the Endpoint Executables page.
2 Depending on the type of hashes you want to export, select the Whitelisted Hashes or the Blacklisted Hashes tab.

3 Click Export All.
  The File Download page is displayed.

  Figure 7-21 Exporting hashes

4 Click Open or Save.
  The exported CSV file contains the file name, file size, hash function (MD5), file hash, and description.

Move hashes from or to whitelist or blacklist

After you have imported the list, you can move some or all of the hashes from one list to another. If a hash is part of both the whitelist and the blacklist, the one in the whitelist takes precedence.

Task
1 Select an entry that you want to move. To select multiple entries, hold the SHIFT key while selecting.
2 From the Take Action drop-down list, select Move selected hashes to blacklist or Move all hashes to blacklist.

  Figure 7-22 Moving a selected hash to the blacklist

  The selected entry is moved to the list that you have chosen. A message that the action is successful is displayed at the top of the page.

Remove or replace hashes from whitelists and blacklists

You can remove some or all of the hashes from the whitelist or the blacklist and mark them as unclassified. The hashes are removed from the Manager database but remain available in the NTBA database as unclassified.

Task
1 Select an entry that you want to remove. To select multiple entries, hold the SHIFT key while selecting.
2 From the Take Action drop-down list, select Remove selected hashes (reset as Unclassified) or Remove all hashes (reset as Unclassified).
  The selected entry is no longer displayed on this page.

3 You can use the Replace option to put back the removed entry or to overwrite the old entries with new ones.
  A confirmation message is displayed.
4 Click OK to continue.
  The old list is replaced with the new list.

Configuring NTBA policies for McAfee EIA alerts

Six new attack definitions have been added to the NTBA policies in Policy | Network Threat Behavior Analysis | NTBA:

NTBA policy | Description | Enabled by default | Alert frequency
EXECUTABLE: Unclassified executable detected by Endpoint Intelligence Agent engine | This alert is raised when the executable is neither classified by the administrator nor auto-classified. | No | Raised once per executable from the NTBA Appliance
EXECUTABLE: Whitelisted executable detected by Endpoint Intelligence Agent engine | This alert is raised when the executable is marked as whitelisted by the administrator. This alert is also raised when the executable is found to be digitally whitelisted or GTI whitelisted. | No | Raised once per executable from the NTBA Appliance
EXECUTABLE: Blacklisted executable detected by Endpoint Intelligence Agent engine | This alert is raised when the executable is marked as blacklisted by the administrator or when the executable is auto-classified based on the GTI blacklist. | Yes | Raised per executable per endpoint
MALWARE: Very High-confidence malware executable detected by Endpoint Intelligence Agent engine | This alert is raised when the malware confidence of the executable detected by McAfee EIA is very high and the executable is not whitelisted. | Yes | Raised per executable per endpoint
MALWARE: High-confidence malware executable detected by Endpoint Intelligence Agent engine | This alert is raised when the malware confidence of the executable detected by McAfee EIA is high and the executable is not whitelisted. | Yes | Raised per executable per endpoint
MALWARE: Medium-confidence malware executable detected by Endpoint Intelligence Agent engine | This alert is raised when the malware confidence of the executable detected by McAfee EIA is medium and the executable is not whitelisted. | No | Raised per executable per endpoint

Depending on which of the attack definitions are enabled in the NTBA policies, alerts are generated for the matching traffic.

If executables were auto-whitelisted in 8.0, then after upgrading to 8.1, NTBA reclassifies these auto-whitelisted executables. The new classification values are sent to the Manager.

The malware attacks can be viewed in the Top Malware Detections monitor on the Home | Dashboard page and in the Top Attack Executables table in the Threat Explorer.

Alert throttling

Run the set endpointintelligence alertinterval CLI command to configure the time interval after which the alert should be raised again. By default, it is 7 days. It can be configured between 0 and 30 days. Configure it as zero to disable alert throttling.

Whenever a given executable property changes (malware confidence or classification), the alert generation interval is reset for that executable.

Filter functionality is not supported for Endpoint Intelligence Agent alerts.

If you upgrade from 8.0 to 8.1, the alert throttling information is reset for malware alerts and blacklisted alerts.

See also
Critical faults on page 222
set endpointintelligence alertinterval on page 316

Viewing executables running on endpoint

The Endpoint Executables page on the Analysis tab provides a snapshot of all the executables running on your internal endpoints that have made network calls. It also provides network visibility on how many endpoints are running the executables, how many connections were made, and the events triggered by the executable during the selected timeframe.

All NTBA Appliances that have McAfee EIA services running on them are displayed in the Devices drop-down list. You can filter data based on the NTBA Appliance selection.

The executables listed here are processes and their libraries (DLLs). They can be whitelisted, blacklisted, or unclassified. You can use this page to investigate further which factors led to the classification of the executable and to manually change the classification.

By default, the list is sorted by endpoints, so executables with the most endpoint connections are displayed first. Maximum number of executables displayed on the Endpoint Executables page is

Historical data and inactive executable data are kept for 30 days.

The page is divided into the Executable panel and the Details panel. Click a row in the Executable panel to view additional information about the executable hash in the Details panel.

Figure 7-23 Endpoint Executables page with default settings

Item | Description
1 | Filters and Search options
2 | Executable panel
3 | Details panel

Following are the filters and search options available:

Field | Description | Default Value
Malware Confidence | Any Malware Confidence: Displays all executables irrespective of their malware confidence | High+ Malware Confidence
                   | Medium+ Malware Confidence: Displays executables with medium, high, and very high malware confidence |
                   | High+ Malware Confidence: Displays executables with high and very high malware confidence |
Classification | Any Classification: Displays all executables, whether blacklisted, whitelisted, or unclassified | Any Classification
               | Blacklisted: Displays only blacklisted executables |
               | Unclassified: Displays executables that are neither blacklisted nor whitelisted |
               | Whitelisted: Displays only whitelisted executables |
Devices | Displays the list of NTBA Appliances that have McAfee EIA services running on them. Displays device names in alphabetical order. |
Time interval | Last 5 minutes, Last 1 hour, Last 6 hours, Last 12 hours, Last 24 hours, Last 48 hours, Last 7 days, Last 14 days | Last 12 hours
Search | Allows you to search for an executable by the file hash or the binary name of the executable | Blank

For the selected NTBA Appliance, the Executable panel consists of:

Table 7-3 Field descriptions of Executable panel

Field | Description
Actions | Click Take Actions to classify an executable as whitelisted, blacklisted, or unclassified
Executable: Hash | Displays the file hash of the executable
Executable: Name | Displays the binary name of the executable
Executable: Version | Displays the product version
Malware Confidence | Displays the malware confidence level returned by the configured McAfee EIA. The malware confidence values are very high, high, medium, low, very low, and unknown.
Classification | Displays the executable classification, whether blacklisted, whitelisted, or unclassified
First Seen | Displays when the executable was first reported by McAfee EIA to the NTBA Appliance for the selected timeframe

Table 7-3 Field descriptions of Executable panel (continued)

Field | Description
Last Seen | Displays when the executable was last reported by McAfee EIA to the NTBA Appliance
Counts: Endpoints | Displays the number of endpoints running the executable for the selected timeframe. By default, the list is sorted by endpoints, so executables with the most endpoint connections are displayed first.
Counts: Events | Displays the number of attacks triggered by the executable for the selected timeframe
Counts: Connections | Displays the number of connections made by the executable for the selected timeframe
Comment | Reason for changing the executable classification

Click any row to see additional information about the executable hash in the Details panel.

The Details panel consists of:

EIA Details

This tab displays the process or library (DLL) information. This includes:

Properties
Displays the malware confidence for the executable along with the malware indicators that helped determine the reputation.

Figure 7-24 Executable details

Table 7-4 Field descriptions of EIA Details tab

Field | Description
View Detections | Takes you to the Malware Detections page to view the malware confidence computed by individual engines and the overall malware confidence for the executable
Hash | Displays the file hash. This link takes you to the Threat Explorer with a filter on the hash and the selected time.
Binary Name (type) | Displays the binary name and the type, whether process or library
Product Name | Displays the product name for the executable
Version | Displays the product version number
Malware Confidence | Displays the malware confidence level returned by the configured McAfee EIA. The malware confidence values are very high, high, medium, low, very low, and unknown.
Classification | Displays the executable classification, whether blacklisted, whitelisted, or unclassified
Classified | Displays the method of classification (Auto if the executable has been auto-classified by the NTBA Appliance, or Manual if it has been manually classified) and the timestamp, only for classified executables
Certificate Status | Displays whether the certificate is from a trusted CA or not. Valid values for executables are Signed and Signed and Trusted. If the executable is unsigned, the status is blank.
Certificate Signer | Displays the certificate signer name.
GTI Reputation | Displays the file reputation received from GTI. Valid values are Very Low, Low, Medium, High, Very High, and Unknown.

Malware Indicators
Shows some of the methods that were used to compute the executable reputation.

Figure 7-25 Malware Indicators

Invoked Libraries
Lists all libraries (DLLs) invoked by the executable. The DLLs are displayed only if McAfee EIA finds the corresponding malware confidence to be greater than or equal to the McAfee ePO Reputation Threshold value. By default, the McAfee ePO Reputation Threshold value is Medium.

Figure 7-26 Library names invoked by the executable

Invoked libraries are displayed when the executable is a process.

Table 7-5 Field descriptions of Invoked Libraries panel

Field | Description
Name | Displays the names of the library files invoked by the executable
Hash | Displays the file hash. This link takes you to the Threat Explorer with a filter on the hash and the selected time.
Malware Confidence | Displays the malware confidence level returned by the configured McAfee EIA

Processes Using this Library
Lists all parent processes associated with the library (DLL). Processes are displayed when the executable is a library (DLL).

Table 7-6 Field descriptions of Processes Using this Library panel

Field | Description
Name | Displays the names of the processes using this library
Hash | Displays the file hash. This link takes you to the Threat Explorer with a filter on the hash and the selected time.
Malware Confidence | Displays the malware confidence level returned by the configured McAfee EIA

Endpoints
This tab displays the list of endpoints running the executable during the selected timeframe.

Figure 7-27 Endpoints information

Table 7-7 Field descriptions of Endpoints tab

Field | Description
IP Address | Displays the IP address of the endpoint. This link takes you to the Threat Explorer with a filter on the IP address as Attacker IP address and the selected time.
Hostname | Displays the name of the managed host
OS | Displays the version of the operating system running on the endpoint. For example: Windows 7.
User | Displays the name of the user who invoked the executable or the DLL. The user name can include system users and local users.
Counts: Events | Displays the number of attacks triggered by the executable during the selected timeframe
Counts: Connections | Displays the number of connections made by the executable during the selected timeframe

The Search field allows you to search by the IP address, host name, operating system, or user columns.

Applications
This tab displays the list of applications that have been invoked by the executable during the selected timeframe.

Figure 7-28 Applications invoked by the executable

Table 7-8 Field descriptions of Applications tab

Field | Description
Application | Displays the name of the application. This link takes you to the Threat Explorer with a filter on the application name and the selected time.
Risk | Displays whether the application is high, medium, or low risk. McAfee Labs categorizes an application based on its vulnerability and the probability of it delivering malware.
Category | Displays the category that the application falls under. For example, HTTP falls under the Infrastructure Services category.
Counts: Events | Displays the number of attacks triggered by the executable during the selected timeframe
Counts: Connections | Displays the number of connections made by the executable during the selected timeframe

The Search field allows you to search by application name, risk, or category.

Events

This tab displays the list of events triggered by the executable during the selected timeframe. Maximum events displayed on the Endpoint Executables page is

Figure 7-29 Events triggered by the executable

Table 7-9 Field descriptions of Events tab

Field | Description
Time | Displays the time the event occurred
Attack: About | Displays detailed attack information and description
Attack: Attack | Displays the name of the attack. The Attack link takes you to the Threat Explorer with a filter on the attack name and the selected time.
Attack: Result | Displays the result of the attack on your network
Attack: Direction | Displays the direction of the traffic on which the attack is detected, whether inbound or outbound
Attacker: IP Address | Displays the IP address of the attacker. This link takes you to the Threat Explorer with a filter on the attacker IP address and the selected time.
Attacker: Country | Displays the country of the attacker
Target: IP Address | Displays the IP address of the target. This link takes you to the Threat Explorer with a filter on the target IP address and the selected time.
Target: Country | Displays the country of the target
Target: Port | Displays the port number of the target
Device | Displays the name of the device detecting the attacks

For alerts triggered by McAfee EIA, Direction and Protocol are displayed as unknown, Attacker Country and Target Country are displayed as blank, and Result is displayed as inconclusive.

The Search field allows you to search by attack name, result, target IP address, attacker IP address, or device name.

See also
Working with whitelisted and blacklisted hashes on page 199
show endpointintelligence details on page 339

Sample scenario: Analyze an unclassified executable with high malware confidence

Consider an executable, DAP.exe, that is shown on the Top Endpoint Executables monitor with malware confidence as High and classification as Unclassified.

This section provides a workflow that you can follow in the Manager user interface to further investigate the executable properties, the malware indicators used to compute the malware confidence, the type of alerts it triggered, and the confidence assigned by other malware engines to this file, and subsequently whitelist or blacklist it.

Task
1 Click Dashboard on the Home page to view the Top Endpoint Executables monitor.
  a Select Attacks to view the executables that have generated the most attacks.
    -OR-
    Select Endpoints (default) to view the executables that have made the most connections.
    The Device drop-down list is shown when you select Endpoints. This list shows all configured NTBA Appliances that have McAfee EIA services running on them, sorted in alphabetical order.

    Figure 7-30 Top Endpoint Executables monitor on Dashboards page

  b Click DAP.exe in the Top Endpoint Executables monitor to go to the Endpoint Executables page.

    Figure 7-31 Endpoint Executables page

    Hover the mouse over the bar graph to see the executable name, number of attacks/endpoints, executable hash, classification type, and malware confidence level.
    The executable, DAP.exe, shows high malware confidence but its classification type is shown as Unclassified.

2 The Endpoint Executables page provides network visibility on how many endpoints are running the executable, how many connections were made, and the events that it triggered. It also displays the malware indicators used to compute the malware confidence of the executable.
  a Click the Hash link, IP Address link, Application link, Attack link, Attacker IP Address link, or Target IP Address link in the Details panel to go to the Threat Explorer page.

    Figure 7-32 Threat Explorer page

    In some cases, an alert count is shown even for whitelisted executables such as Mozilla Firefox. If bad or malicious sites were accessed and files downloaded using Mozilla Firefox, there could be executables generating alerts that result in an increase in the attack count.

3 Click View Detections on the Threat Explorer page to go to the Malware Detections page to view the malware confidence alerts, how the malware confidence was computed by the individual malware engines, and how the overall malware confidence of the executable was computed. This page also allows an in-depth analysis of the malware detected in your network.
  You can also go to the Malware Detections page from the Endpoint Executables page.

  Figure 7-33 Malware Detections page

  For alerts triggered by McAfee EIA, the bottom panel displays the Direction and Protocol as unknown, Attacker Country and Target Country as blank, and Result as inconclusive.

4 Select Analysis | Network Forensics to further analyze the endpoint behavior on your network.
  a Enter the IP address of the endpoint for the selected date and time and click Analyze.
    The Network Forensics page is displayed with summary, conversation, and event information. All the executables invoked on the endpoint are displayed in the Client connections panel.

    Figure 7-34 Network Forensics page

  b Scroll to the Top 10 Conversations panel to see the connections made using this IP address.
  c Scroll to the Last 50 Events panel to view more details about the attacks. The Endpoint Executables column displays hash, name, classification, and malware confidence. Click the hash link to go to the Threat Explorer page.

5 Click View Alerts & PCAPs in the Threat Explorer to open the Real-Time Threat Analyzer window to view and analyze alerts.
  a Click the Alerts tab.
    All the executables invoked on the endpoint are displayed in the Client connections panel.

    Figure 7-35 Alerts generated for DAP.exe

    You can view and group alerts based on the following:
    • Executable Name: Displays the binary name of the executable
    • Executable Hash: Displays the file hash of the executable
    • Executable Classification: Displays the executable classification, whether blacklisted, whitelisted, or unclassified
    • Executable Malware Confidence: Displays the malware confidence level returned by the configured McAfee EIA. The malware confidence values are very high, high, medium, low, very low, and unknown.
    The above-mentioned fields are not displayed for suppressed alerts.
    The alert count and attack count are displayed for the attribute selected in the list.

  b Double-click an alert to open the Alert Details window.
    The Alert Details window is displayed.

    Figure 7-36 Endpoint Intelligence details in Alert Details window

    For all alerts triggered by McAfee EIA, an additional panel called the Endpoint Intelligence panel is displayed. It displays the hash, name, classification, and malware confidence of the executable.

  c Click Real-time EIA Details to view executable information for existing IPS and NTBA alerts that have 5-tuple information. Alerts such as Exploits, Botnets, Behavioral, Malware, and Policy violation have the 5-tuple information. It also gives information about the libraries invoked by the executable, the malware indicators used to compute the score, and classifier information. As an administrator, you might want to investigate the alerts further.

    Figure 7-37 Real-time EIA Details window

    The malware confidence and classification values shown in the Real-time EIA Details window might differ from what is shown in the Alert Details window. This is because the Alert Details window shows the malware confidence and classification at the time the alert was first generated, while the Real-time EIA Details window shows the current details of the executable.
6 Based on the analysis, you can classify the executable as whitelisted or blacklisted by clicking the Take Action link on the Malware Detections page. These updates are made to the whitelisted and blacklisted hashes maintained in the Manager.

  Figure 7-38 Executable hash added to the blacklisted hashes

  The Manager sends the changes in the whitelisted and blacklisted hashes to the NTBA Appliance every five minutes. Whenever a file's hash matches one in the whitelisted and blacklisted hashes, the whitelisted hashes are exempted from malware analysis.

See also
Viewing executables running on endpoint on page 204
Working with whitelisted and blacklisted hashes on page 199

Viewing endpoint intelligence reports

Two new Next Generation reports, Default - Top 10 Endpoint Executables and Default - Endpoint Executable Details, have been added to provide you detailed reports based on your alerts.

See also
Default - Top 10 Endpoint Executables on page 256
Default - Endpoint Executable Details on page 257

NTBA-EIA Deployment scenarios

Scenario | Solution
NTBA-EIA integration with IPS Sensor | The NTBA Appliance, the IPS Sensor, and McAfee EIA should be configured in such a way that, for traffic from endpoints passing through the IPS, the same endpoints are configured to send executable information to the NTBA Appliance.
NTBA-EIA integration without netflows coming to NTBA | The solution will work. Applications associated with the executables will not be shown. Events will not have executable information. The Network Forensics page will be blank.
NTBA-EIA integration in a setup with IPS Sensor and multiple NTBA Appliances | The Endpoint Executables page displays information per NTBA Appliance. The blacklists and whitelists maintained by the Manager are pushed to all NTBA Appliances with EIA integration enabled. McAfee recommends that you distribute EIA agents across the NTBAs depending on the maximum number of endpoints supported by the connected NTBA models. When more than one NTBA is configured to get executable information from endpoints and an NTBA is not connected to an IPS Sensor, the Endpoint Executables Applications tab displays no applications. Sensor-generated alerts do not display executable information.
NTBA-EIA integration in a setup with endpoints distributed across geo-locations | The NTBA Appliance must be deployed closer to the specific geo to be monitored in order to reduce data exchange across WAN links. The number of endpoints at a particular geo-location should be used as a factor in deciding the location at which the NTBA Appliance is to be deployed. For more information, refer to the NTBA-EIA sizing recommendations.
NTBA-EIA integration in a setup with multiple ePO servers | If there are multiple ePO servers managing different parts of the network and all endpoints need to communicate with an NTBA Appliance on the network, this can be achieved by using a third-party CA in ePO to provide the CA certificates. This way, all endpoints receive certificates from the same CA.

Best practices

The auto-classification settings for whitelisting executables (based on GTI reputation or signed by a trusted authority) are enabled by default. Auto-classification for blacklisting executables based on GTI reputation is disabled by default. McAfee recommends that you keep all auto-classification settings enabled unless you want to investigate every executable manually.

For all executables, the malware confidence displayed on the Manager is a best effort based on the malware indicators associated with each executable.

If time permits:
- Once the solution is deployed, learn the executables used in the network to create a baseline computer profile, investigate, and classify as whitelisted all the executables approved for your enterprise. Every time new patches are deployed, use the endpoint baseline generator to create an updated hash list and import it into the Manager.
- Investigate each executable that displays a malware confidence of low or very low. For example, use the malware indicators, the alerts generated, and network forensics.
- Integrate with McAfee Advanced Threat Defense to leverage its sandboxing capabilities.
- Enable the Gateway Anti-Malware Engine running on NTBA as an additional engine for malware inspection.
- Look at the number of endpoints using an executable, and the type of applications and events associated with the executable. If the number of endpoints is high, it is unlikely to be a bot.
- Analyze the results from all of these, and then make the final decision to whitelist or blacklist an executable.

If you have time constraints, investigate executables that have a malware confidence of medium and above.

NTBA-EIA sizing recommendations

Table 7-10 NTBA-EIA sizing recommendations

SKU        Maximum endpoints
T-200      8,000
T ,000
T ,000
T ,000
T-VM       8,000
T-100VM    8,000
T-200VM    10,000

Below are the observations from tests conducted at McAfee:
- On a typical working day, the average number of executable information records sent by one endpoint in an enterprise is around 2500 per hour.
- The average size of each record is around 300 bytes.

Depending on the number of active endpoints, you can compute the bandwidth required for the data sent by the Endpoint Intelligence Agent on endpoints to NTBA. Assume you have a total of 50,000 endpoints in your enterprise network:
- Number of NTBA Appliances recommended = 5 T-500 Appliances
- Assume 70% of endpoints are active => 7,000 endpoints will be talking to each NTBA
- Network bandwidth requirement for each NTBA = [7000 * 2500 * 300 / 3600] * 8 bits per second = 12 Mbps
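The sizing calculation above, carried through in code as an added example (this is not code from the guide or from McAfee). It uses the two observed averages the guide states (2500 records per active endpoint per hour, 300 bytes per record) and the endpoint limits recoverable from Table 7-10; the T-500 limit of 10,000 endpoints is an assumption inferred from the guide's "50,000 endpoints => 5 T-500 Appliances" example. The guide rounds the resulting 11.67 Mbps to 12 Mbps.

```python
"""NTBA-EIA sizing worked example.

Added example; not code from the McAfee guide. It applies the guide's
observations (about 2500 executable-information records per active endpoint
per hour, about 300 bytes per record) and the appliance endpoint limits from
Table 7-10. The T-500 limit of 10,000 endpoints is an assumption derived from
the guide's "50,000 endpoints -> 5 T-500 Appliances" example.
"""
import math

RECORDS_PER_ENDPOINT_PER_HOUR = 2500   # observed average, from the guide
BYTES_PER_RECORD = 300                 # observed average, from the guide
SECONDS_PER_HOUR = 3600

# Maximum endpoints per NTBA model (Table 7-10; the T-500 entry is an assumption).
MAX_ENDPOINTS = {
    "T-200": 8_000,
    "T-500": 10_000,
    "T-VM": 8_000,
    "T-100VM": 8_000,
    "T-200VM": 10_000,
}


def appliances_required(total_endpoints: int, model: str) -> int:
    """Smallest number of appliances that keeps each one within its endpoint limit."""
    if total_endpoints <= 0:
        raise ValueError("total_endpoints must be positive")
    return math.ceil(total_endpoints / MAX_ENDPOINTS[model])


def active_endpoints_per_appliance(total_endpoints: int, active_percent: int,
                                   appliances: int) -> int:
    """Active endpoints each appliance serves, assuming agents are spread evenly."""
    # Integer arithmetic before the division keeps 50,000 * 70% exact.
    return math.ceil(total_endpoints * active_percent / (100 * appliances))


def bandwidth_bps(active_endpoints: int,
                  records_per_hour: int = RECORDS_PER_ENDPOINT_PER_HOUR,
                  bytes_per_record: int = BYTES_PER_RECORD) -> float:
    """Bits per second of EIA data arriving at one NTBA from its active endpoints."""
    bytes_per_second = active_endpoints * records_per_hour * bytes_per_record / SECONDS_PER_HOUR
    return bytes_per_second * 8


def size_deployment(total_endpoints: int, model: str = "T-500",
                    active_percent: int = 70) -> dict:
    """Reproduce the guide's calculation for a fleet size and appliance model."""
    appliances = appliances_required(total_endpoints, model)
    active = active_endpoints_per_appliance(total_endpoints, active_percent, appliances)
    bps = bandwidth_bps(active)
    return {
        "model": model,
        "appliances": appliances,
        "active_endpoints_per_appliance": active,
        "bandwidth_mbps": round(bps / 1_000_000, 1),
    }


if __name__ == "__main__":
    # The guide's scenario: 50,000 endpoints, 70% active, T-500 appliances.
    print(size_deployment(50_000))
    # A smaller site on T-200 hardware (constructed input, not from the guide).
    print(size_deployment(12_000, model="T-200", active_percent=50))
```

The per-appliance figure is what matters for link sizing: the same 50,000-endpoint fleet on fewer, larger appliances concentrates more EIA traffic on each NTBA's management link.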

See also
Ports used by the NTBA Appliance on page 25

Troubleshooting

This section addresses some of the issues that might be encountered while working with McAfee EIA.

Contents
Connectivity issues
Data not seen on Manager

Connectivity issues

This section covers the scenarios and solutions for connectivity issues.

To check if the connection between the ePO server and the NTBA Appliance is established

Run the show endpointintelligence summary command and check the ePO connection status and the ePO certificate status as shown. The output of the command is:

    [Endpoint Configuration and Status]
    Endpoint Intelligence Service : Not Running
    epo Server IP :
    Last epo connection attempt : :12:20
    Last epo connection status : Failed (epo server not reachable)
    epo certificate : Not available
    Alert throttling : Disabled
    GTI file reputation server : Reachable
    [Endpoint connections]
    Total active endpoint connections : 22
    Total packets received :
    Total packets sent : 778
    Last packet received time : :49:05
    Last packet sent time : :06:23
    Last endpoint connected :

If there is a failure in downloading the ePO certificate, the reason is displayed for troubleshooting purposes.

If there is any issue with the SSL handshake

Run the show endpointintelligence details CLI command.

In Packet processing stats, check the session failures as shown.

    [Packet processing stats]
    Total packets received :
    Total packets sent : 790
    Total metadata flows :
    Total GTI file reputation requests : 6
    Total GTI file reputation responses : 0
    Total Sysinfo packets received : 789
    Total keepalives received : 790
    Total keepalives sent : 790
    Total malformed packets : 0
    Total unsupported packets : 0
    Total packet send failures due to session not available : 0
    Total connections : 46
    Total active connections : 22
    Total connection timeouts : 1
    Total sessions : 23
    Total session failures : 1
    Total session failures due to certificate mismatch : 1
    Total session failures due to timeouts : 1

A non-zero Total session failures due to certificate mismatch indicates that McAfee EIA is not able to talk to NTBA because the endpoints are using a different ePO certificate from the one available on NTBA. To resolve this, push the latest ePO certificate to NTBA using the Manager interface.

Critical faults

Critical faults are the highest severity faults and generally indicate a serious issue. See the Action column for potential troubleshooting tips.

Table 7-11 Critical faults

Fault: Endpoint Intelligence Service is down

Description/Cause: Endpoint Intelligence Service has not started because the ePO server is not reachable.
Action: Make sure that the ePO server is up and running and is reachable from NTBA.

Description/Cause: Endpoint Intelligence Service has not started because the ePO extension does not support the auto-signing service.
Action: Make sure that the ePO server supports the ePO Auto Signing functionality (Change on Name confirmation).

Description/Cause: Endpoint Intelligence Service has not started because of an authentication error connecting to the ePO server.
Action: Provide valid ePO server credentials.
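The two CLI checks above (the summary output for the ePO connection and certificate status, and the details output for certificate-mismatch session failures) can be automated when you collect this output from several appliances. The following is an added example, not code from the guide or from McAfee. It parses the "[section]" and "field : value" layout shown on this page; the sample output is constructed to resemble the guide's, the IP address, timestamps and counter values are made up, and the "Running" status string used for a healthy service is an assumption.

```python
"""Checks on 'show endpointintelligence' output, as an added example.

Not from the McAfee guide. It parses the section/field layout shown above
and flags the conditions the guide tells you to look for. The sample output
is constructed to resemble the guide's; the IP address, timestamps and counter
values are made up, and the 'Running' status string is an assumption.
"""
import re

SAMPLE_SUMMARY = """\
[Endpoint Configuration and Status]
Endpoint Intelligence Service : Not Running
epo Server IP : 192.0.2.10
Last epo connection attempt : 2015-03-02 10:12:20
Last epo connection status : Failed (epo server not reachable)
epo certificate : Not available
Alert throttling : Disabled
GTI file reputation server : Reachable
[Endpoint connections]
Total active endpoint connections : 22
Total packets received : 1234
Total packets sent : 778
"""

SAMPLE_DETAILS = """\
[Packet processing stats]
Total packets received : 1250
Total packets sent : 790
Total connections : 46
Total active connections : 22
Total connection timeouts : 1
Total sessions : 23
Total session failures : 1
Total session failures due to certificate mismatch : 1
Total session failures due to timeouts : 1
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_sections(text: str) -> dict:
    """Map '[section]' headers to {field: value} dicts from 'field : value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or " : " not in line:
            continue
        # Split on the first ' : ' only; values such as timestamps contain ':'.
        field, _, value = line.partition(" : ")
        sections[current][field.strip()] = value.strip()
    return sections


def counter(fields: dict, name: str) -> int:
    """Integer counter, treating a missing or blank value as zero."""
    try:
        return int(fields.get(name, "0"))
    except ValueError:
        return 0


def diagnose(summary_text: str, details_text: str = "") -> list:
    """Return the problems visible in the summary/details output, in CLI order."""
    findings = []
    status = parse_sections(summary_text).get("Endpoint Configuration and Status", {})
    if status.get("Endpoint Intelligence Service") != "Running":
        findings.append("Endpoint Intelligence Service is not running on the NTBA Appliance")
    conn = status.get("Last epo connection status", "")
    if conn.startswith("Failed"):
        findings.append("ePO connection failed: " + conn)
    if status.get("epo certificate") == "Not available":
        findings.append("ePO certificate not downloaded; verify ePO reachability and credentials")
    stats = parse_sections(details_text).get("Packet processing stats", {})
    if counter(stats, "Total session failures due to certificate mismatch") > 0:
        findings.append("certificate mismatch: endpoints use a different ePO certificate "
                        "than NTBA; push the latest ePO certificate to NTBA from the Manager")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SUMMARY, SAMPLE_DETAILS):
        print("-", finding)
```

Splitting on the first " : " rather than every colon is the one detail worth noting: the timestamp fields in this output contain further colons, and a naive split would mangle them.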

Table 7-11 Critical faults (continued)

Description/Cause: Endpoint Intelligence Service has not started because of an internal error from the ePO server.
Action: The ePO server responded with an error; look at the ePO logs.

Description/Cause: Endpoint Intelligence Service has not started because of unexpected errors.
Action: Look at the ePO server and NTBA logs for the error, then try again.

Description/Cause: Endpoint Intelligence Service has not started because of a corrupt certificate.
Action: The certificate is invalid; retry saving it.

Description/Cause: Endpoint Intelligence Service has not started because the configured port for the Endpoint Intelligence Service is already in use.
Action: This port is already in use; configure an unused port.

Data not seen on Manager

This section covers scenarios where there is a data mismatch or data is unavailable in the Manager.

If no data is seen in the Executables panel of the Endpoint Executables page

- Make sure that the McAfee EIA service is running on the NTBA Appliance.
- Make sure that endpoint connections are made to the NTBA Appliance.
- Check the ntba.log file by running the TOP_PROCESS query:

    :51:10,019 INFO iv.core.nba.control.command - NBA Command ID ->
    :51:10,019 INFO iv.core.nba.control.command - NBA Command Name -> TOP_PROCESS
    :51:10,019 INFO iv.core.nba.control.command - Response returned from NBA Server
    :51:10,019 INFO iv.core.nba.control.command - {message=ok, isxml=true, respcode=200, msgcode=0, data=<results> <proc p_id=" " p_hash="62880e4a7bd8d63aed b4093" p_nm="htmlayout" b_name="htmlayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn=" :00:00" l_sn=" :00:00" host_cnt="1" con_cnt="2" /></results>, Id=4697, ispartial=false, code=200}
    :51:10,019 INFO iv.core.nba.control.command - Response -> {message=ok, isxml=true, respcode=200, msgcode=0, data=<results> <proc p_id=" " p_hash="62880e4a7bd8d63aed b4093" p_nm="htmlayout" b_name="htmlayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn=" :00:00" l_sn=" :00:00" host_cnt="1" con_cnt="2" /></results>, Id=4697, ispartial=false, code=200}
    :51:10,019 INFO iv.core.nba.control.command - Response message text -> <results> <proc p_id=" " p_hash="62880e4a7bd8d63aed b4093" p_nm="htmlayout" b_name="htmlayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn=" :00:00" l_sn=" :00:00" host_cnt="1" con_cnt="2" /></results>
    :51:10,019 INFO iv.core.nba.control.command -

  This query returns the list of Top Executables from the NTBA Appliance.
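When reading the TOP_PROCESS response in ntba.log, the useful part is the XML payload after "Response message text ->": an empty <results> element means the NTBA answered but has no executables to show, which points back at the EIA service and endpoint-connection checks above, whereas no response line at all points at the Manager-to-NTBA path. The following is an added example, not code from the guide or from McAfee. The log excerpt is constructed to resemble the guide's; the timestamp, process id, hash and dates are made-up placeholders, and the attribute names used (p_hash, p_nm, b_name, p_ver, p_conf, p_cls, host_cnt, con_cnt) are the ones visible in the guide's sample.

```python
"""Extracting TOP_PROCESS results from ntba.log, as an added example.

Not from the McAfee guide. The log excerpt below is constructed to resemble
the guide's example; the timestamp, process id, hash and dates are made-up
placeholders. Attribute names (p_hash, p_nm, b_name, p_conf, host_cnt, ...)
are the ones that appear in the guide's log sample.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_LOG = """\
2015-03-02 10:51:10,019 INFO iv.core.nba.control.command - NBA Command ID -> 4697
2015-03-02 10:51:10,019 INFO iv.core.nba.control.command - NBA Command Name -> TOP_PROCESS
2015-03-02 10:51:10,019 INFO iv.core.nba.control.command - Response returned from NBA Server
2015-03-02 10:51:10,019 INFO iv.core.nba.control.command - Response message text -> <results> <proc p_id="1001" p_hash="00000000000000000000000000000000" p_nm="htmlayout" b_name="htmlayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn="2015-03-02 00:00:00" l_sn="2015-03-02 00:00:00" host_cnt="1" con_cnt="2" /></results>
"""

# A response with no <proc> records: the NTBA answered, but has nothing to show.
EMPTY_LOG = """\
2015-03-02 11:00:00,000 INFO iv.core.nba.control.command - NBA Command Name -> TOP_PROCESS
2015-03-02 11:00:00,000 INFO iv.core.nba.control.command - Response message text -> <results></results>
"""

RESPONSE_RE = re.compile(r"Response message text -> (<results>.*</results>)")


def top_process_responses(log_text: str) -> list:
    """Parse every TOP_PROCESS response in the excerpt into a list of <proc> dicts."""
    responses = []
    for line in log_text.splitlines():
        match = RESPONSE_RE.search(line)
        if not match:
            continue
        root = ET.fromstring(match.group(1))   # the payload is a small XML document
        entries = []
        for proc in root.iter("proc"):
            entries.append({
                "hash": proc.get("p_hash"),
                "name": proc.get("p_nm"),
                "binary": proc.get("b_name"),
                "version": proc.get("p_ver"),
                "confidence": int(proc.get("p_conf", "0")),
                "classification": int(proc.get("p_cls", "0")),
                "hosts": int(proc.get("host_cnt", "0")),
                "connections": int(proc.get("con_cnt", "0")),
            })
        responses.append(entries)
    return responses


def explain_empty_panel(log_text: str) -> str:
    """Narrow down why the Executables panel is empty, from the log alone."""
    responses = top_process_responses(log_text)
    if not responses:
        return "no TOP_PROCESS response logged: check that the Manager can reach the NTBA Appliance"
    if all(len(entries) == 0 for entries in responses):
        return "NTBA returned no executables: check that the EIA service is running and endpoints are connected"
    return "NTBA returned executable records; the panel should be populated"


if __name__ == "__main__":
    for entries in top_process_responses(SAMPLE_LOG):
        for entry in entries:
            print(entry["binary"], entry["hash"], "hosts:", entry["hosts"])
    print(explain_empty_panel(EMPTY_LOG))
```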


8 Integrating with McAfee Global Threat Intelligence

The Global Threat Intelligence data is powered by the McAfee Global Threat Intelligence correlation engine, which receives and analyzes billions of queries per month from McAfee's network of Sensors deployed to protect consumer and enterprise network traffic across 120 countries globally, collecting and correlating threat data for URLs, IP addresses, domains, and content. McAfee GTI assigns a reputation score and further classifies network identities and content with a risk level, based on an in-depth analysis derived by processing thousands of behavior attributes to profile each network traffic sender, website, domain, or content. McAfee GTI is the first and only reputation system to combine traffic data, routing, IP/domain registration data, and network characteristics with the unparalleled breadth of McAfee's global customer base.

You can view the McAfee GTI portal data for a selected endpoint from the right-click options in the Traffic Volume (Bytes) - Top Source Endpoints, Endpoint Threat Factor, and Endpoints - New (Last 1 day) NTBA monitors. McAfee GTI integration needs to be configured in the Manager (Devices | <Admin Domain Name> | Global | Default Device Settings | NTBA Devices | Zone Settings | GTI IP Reputation) for McAfee GTI information to be viewed in NTBA monitors.

Before configuring McAfee GTI integration with NTBA, participation in Global Threat Intelligence needs to be enabled at Manage | Integration | Global Threat Intelligence.

Figure 8-1 McAfee GTI Details page

Firewall port 443 (used for McAfee GTI queries) and port 80 (used for the McAfee GTI database download) should be open for McAfee GTI information to be displayed in the NTBA monitors. The NTBA Appliance performs endpoint look-ups through NetBIOS or DNS, so this type of network traffic emanating from NTBA is normal.

For more information on configuring McAfee GTI integration in the Manager, see the McAfee Network Security Platform Integration Guide.

9 Integrating with McAfee Logon Collector

The Manager can display a variety of information about the endpoints inside and outside a network. In the Real-Time Threat Analyzer, the endpoint user name is available along with the IP address. However, the user names are available only when NAC is enabled. The Manager integrates with McAfee Logon Collector (MLC) to display user names of the endpoints in your IPS and NTBA deployments. The Logon Collector provides an out-of-band method to obtain user names from Active Directory. For more information, refer to the McAfee Network Security Platform Integration Guide.


NTBA Monitors and Reports

Chapter 10 Monitoring networks
Chapter 11 Viewing NTBA reports


10 Monitoring networks

Monitoring networks is a complex process. It involves monitoring the network components, consisting of network devices and the traffic that flows through those devices. Monitoring network devices is essential because it directly affects decisions about the optimal use of network resources and the tailored allocation of available bandwidth. The ability to monitor network traffic in real time provides the inputs needed to make critical decisions that address the economic and security concerns of an enterprise. This is all the more so when the network is spread across different geographical locations with distributed applications. The McAfee Network Threat Behavior Analysis (NTBA) Appliance addresses these concerns and provides several network monitoring options that an enterprise can tailor to suit its requirements.

How NTBA Appliance helps network monitoring

The McAfee NTBA Appliance provides a configurable, graphical, real-time view of the network traffic. The NTBA Appliance gathers flow and application data from across users, applications, endpoints, and devices, and stores it in an embedded database. You can see real-time data and a moving profile of the typical behavior of users, applications, endpoints, and devices. All this information is coalesced into a summary view in the Threat Analyzer of the McAfee Network Security Manager (Manager) that can be drilled down into for more detailed information. Typical activity such as endpoint scans, port scans, worm detection, new services or applications, new endpoints, suspicious connections, DoS, P2P, and spambots can be tracked based on user-defined policies. Real-time monitoring of the network reduces the time needed to solve network-related problems and helps in identifying threats. Questions such as "why is our network slow?" and "which application has the maximum download impact?" are easily answered in a network that is monitored by the NTBA Appliance.

The NTBA Appliance performs effective malware monitoring by detecting unauthorized reconnaissance scanning by infected laptops in the network that can spread worm traffic. The NTBA Appliance also detects unauthorized applications, rogue web servers, and peer-to-peer applications.

If McAfee GTI integration is enabled in the Manager, relevant NTBA monitor options provide access to McAfee GTI portal data. This data is powered by the McAfee GTI global threat correlation engine, which receives and analyzes billions of queries per month from a network of McAfee Sensors deployed to protect consumer and enterprise network traffic across 120 countries globally, collecting and correlating threat data for URLs, IP addresses, domains, and content.

Contents
Types of NTBA monitors and options
Create and assign custom NTBA monitors
Monitoring traffic in NTBA Appliance
NTBA Denial-of-Service profiles
NTBA Denial-of-Service alerts
Alerts and scans

Endpoint Threat Factor

The NTBA Appliance maintains a threat factor per endpoint in the network by correlating endpoint behavior with the alerts raised on the endpoint. This threat factor is called the Endpoint Threat Factor.

The NTBA Appliance calculates a traffic profile for every endpoint on the network by summarizing endpoint behavior into behavior indexes. A behavior index is calculated by comparing the endpoint's behavior over a short period with its average behavior over a longer period. The behavior index is maintained in the database, along with the metrics and other data for every endpoint, as its "traffic profile." When an alert is raised for the endpoint, the alert level is combined with the current behavior index to generate a threat factor for the endpoint. The Endpoint Threat Factor is an index that ranges from zero to 10, including fractional values.

The Endpoint Threat Factor is aged automatically if an endpoint no longer raises alerts (for example, after it was quarantined following a high or critical alert and its behavior was subsequently brought back to normal). In such a situation, the NTBA Appliance brings the behavior index of the endpoint to zero as soon as the endpoint's behavior approaches its average behavior. If an endpoint shows no anomalous behavior for long periods, its behavior risk factor remains at, or decreases to, zero, which is the normal Endpoint Threat Factor value for a benign endpoint.

The Endpoint Threat Factor has the following color-coded threat ranges:
- Equal to zero: GREEN
- Less than six (Low/Medium Threat): YELLOW
- Greater than or equal to six (High Threat): ORANGE
- Greater than or equal to nine (Critical Threat): RED

The Endpoint Threat Factor values for the endpoints in the network are displayed in the Endpoint Threat Factor monitor.

Types of NTBA monitors and options

The Threat Analyzer of the Manager displays ten default monitors in the NTBA dashboard. You can create additional dashboards and assign additional default or custom monitors to them, building a set of dashboards and monitors that suits your monitoring requirements. The right-click menu in the relevant default and additional default monitors has options for scanning endpoints and for viewing alerts listed in the All Alerts page of the Threat Analyzer.

Viewing options

Some monitors have options to switch views.
- To switch between graph and table, click the View Graph (table to bar graph) and View Table (graph to table) icons at the top right of the monitor.
- To switch between pie chart and table, click the View Pie Chart (table to pie chart) and View Table (pie chart to table) icons at the top right of the monitor.
- To switch between area chart and table, click the Area Chart (table to area chart) and Table View (area chart to table) icons at the top right of the monitor.

The refresh rate of data in all the monitors is five minutes. The Enterprise Traffic Summary and Application Traffic Summary monitors show data for the past 30 minutes when the Real-time Threat Analyzer is started.

View NTBA default monitors

The NTBA default and additional default monitors provide an enterprise-wide view of the various components of NetFlow traffic. Eight NTBA monitors are displayed in the default dashboard of the Threat Analyzer. You can display additional default monitors by assigning them to newly created dashboards.

Task
1 In the Manager, click Analysis | Threat Analyzer | Real-Time.
2 Click the Start the Real-Time Threat Analyzer link. The Threat Analyzer opens in a new window.
3 Click the NTBA tab on the Dashboards menu to view the default NTBA dashboard.

The NTBA default dashboard displays eight default monitors. You can drill down for more information through the right-click menu in some of the default monitors.

List of NTBA default monitors

Eight monitors are displayed in the default NTBA dashboard. Some of the default monitors have drill-down options in the right-click menu. You can view related information in drill-down monitors.

Monitor name: Endpoints - Threat Factor
Drill-down monitors: Endpoint Information, Endpoint Profile, DoS Profile, Endpoint Interactions, Show Alerts, Layer7 Activity, Endpoint Traffic, Service Traffic Summary, Application Traffic Summary, Active Services, Active Applications, Active Ports, NSLookup Information, GTI Details
Typical use: Monitors endpoints based on their threat factor.

Monitor name: Top External Endpoints By Reputation
Drill-down monitors: Endpoint Information, Endpoint Profile, DoS Profile, Endpoint Interactions, Layer7 Activity, Endpoint Traffic, Service Traffic Summary, Application Traffic Summary, Active Services, Active Applications, Active Ports, NSLookup Information, GTI Details
Typical use: Monitors the reputation of external endpoints. External endpoints that might pose a threat to the network can be identified through this monitor.

Monitor name: Top URLs By Reputation
Drill-down monitors: None
Typical use: Monitors the URLs that are used most in the network, based on their reputation.

Monitor name: Traffic Volume (Bytes) - Top Source Endpoints
Drill-down monitors: Endpoint Information, Endpoint Profile, DoS Profile, Layer7 Activity, Endpoint Interactions, NSLookup Information, GTI Details
Typical use: Enables threat investigation. For example, if the list contains endpoints that are not normally expected among the top traffic volume consumers, that is a pointer for further investigation.

Monitor name: Endpoints - New
Drill-down monitors: Endpoint Information, Layer7 Activity, Active Ports, NSLookup Information, Active Services, GTI Details, Active Applications
Typical use: Displays information on endpoints that are new in the network. New endpoints can be watched for any possible issues using this monitor.

Monitor name: Top URLs By Category
Drill-down monitors: Show URLs
Typical use: Monitors the URLs that are used most in the network, based on their category.

Monitor name: Applications Traffic (Bytes)
Drill-down monitors: Application Profile
Typical use: Monitors the traffic of applications in the network during the last day.

Monitor name: Top Files
Drill-down monitors: Show File Activity
Typical use: Monitors the files that are used most in the network. Information on top files is an aid to threat investigation; unknown files that have high access counts can be identified for further investigation.

Right-click options in monitors

Figure 10-1 Accessing right-click monitors - an example

List of NTBA additional default monitors

NTBA additional default monitors provide an enterprise-wide view of various components of network traffic. You can create new dashboards and assign additional monitors to suit your monitoring requirements.

Table 10-1 NTBA additional default monitors

Monitor name: Applications - Active
Drill-down monitors: Application Profile
Typical use: Monitors applications that are currently active in the network. This information can be used to identify active applications that are known to be potentially unsafe, and to check the effectiveness of application blocking.

Monitor name: Applications - New
Drill-down monitors: Application Profile
Typical use: Monitors new applications in the network during the last day. New applications that are known to be potential threats can be identified. The effectiveness of application blocking can also be verified through this monitor.

Monitor name: Endpoints - Active
Drill-down monitors: None
Typical use: Monitors the currently active endpoints. This information can be used for threat-related administrative purposes, such as choosing the time for remote access and putting threat prevention software in place on the endpoint.

Monitor name: Protocol Distribution (Bytes)
Drill-down monitors: None
Typical use: Monitors traffic distribution among the various protocols used in the network. The usage pattern can be an important input for capacity planning and appropriate distribution of existing bandwidth.

Monitor name: Services - Active
Drill-down monitors: None
Typical use: Monitors currently active services in the network. Service- and protocol-related traffic patterns for the last hour can be monitored using this monitor.

Monitor name: Services - New
Drill-down monitors: None
Typical use: Monitors new services in the network during the last day. Service- and protocol-related traffic patterns for the last day can be monitored using this monitor.

Monitor name: Services Traffic (Bytes)
Drill-down monitors: None
Typical use: Charts the inbound and outbound services traffic volume in bytes over time. This monitor enables monitoring of services traffic in the network at 10-minute intervals. Specific protocols can be displayed in the graphic by selecting or clearing the check box for each protocol in the color legend.

Monitor name: Top URLs
Drill-down monitors: Show URL Activity
Typical use: Monitors the URLs that are most visited by endpoints in the network. High visit counts for suspicious URLs are a call for threat investigation. Appropriate action can be taken based on the information displayed in this monitor.

Create and assign custom NTBA monitors

NTBA monitors are displayed in the default NTBA dashboard and in new dashboards that you create in the Threat Analyzer of the Manager. You can create custom monitors specific to an NTBA Appliance and assign them to new dashboards that you create, giving you a set of dashboards and monitors tailored to your monitoring requirements. Custom NTBA monitors are in addition to the default monitors displayed in the NTBA tab of the Dashboards page of the Threat Analyzer. The Assign Monitor button in a new dashboard displays a choice of monitors that you can assign to the dashboard; these include default, additional default, and custom monitors. Custom monitors provide an easy way to track the endpoints and alerts you care about most.

Create a dashboard

Besides the default dashboards, you can create your own dashboard with the monitors you want to look at. You can also add, delete, and customize monitors.

Task
1 Start the Real-time Threat Analyzer from the Manager home page and click the NTBA tab to open the NTBA Dashboard page.

Figure 10-2 NTBA dashboard page

2 Select Options | Dashboard | New. The New Dashboard page is displayed.

Figure 10-3 New Dashboard page

3 Enter the dashboard name. The name cannot contain NSP Health, IPS, NTBA, or Applications and GTI. By default, the dashboard is public and is visible to the child admin domain. The dashboard name cannot exceed 25 characters in length. It cannot contain any special characters; however, it can contain a space. The dashboard displays the selected monitor with pre-populated data. After the dashboard is created, the Properties pane is displayed. Click it to view.
4 To close an existing dashboard, right-click the dashboard and click Close. To open a closed dashboard, select Options | Dashboard | Open.

Tasks
Assign a monitor to a dashboard on page 238

Assign a monitor to a dashboard

You can assign more than one monitor to the dashboard.

Task
1 On the dashboard, click Assign Monitor. The Assign Monitor page is displayed.

Figure 10-4 Assign Monitor page

2 Make the following selections:
  a Select Assign an existing Monitor.
  b Select a Category.
  c Select NTBA as the Type.
  d Select a monitor from the listed monitors.
3 Click OK to display the selected monitor in the dashboard. You can only add one monitor at a time.
4 Click Save.

Create a custom NTBA Appliance-specific monitor

In a deployment where more than one NTBA Appliance is installed, you can create custom monitors for a specific NTBA Appliance.

Task
1 Select Options | Monitor | New. Alternatively, select Options | Dashboard | New | Assign Monitor, select the Create a new Monitor option, and click Next.

2 In the New Monitor dialog, make the following entries and selections and click OK:
  - Enter a name for this monitor. (A monitor name cannot contain special characters or spaces.)
  - From the Data Source drop-down list, select NTBA.

Figure 10-5 Create a new monitor dialog

3 From the Select a Monitor Type list, select a monitor type and click Next.
4 From the Select an NTBA Appliance list, select the NTBA Appliance for which you want a monitor and click Next.
5 From the Select a Monitor list, select the monitor you want to assign. Configure the parameters and click Finish.

After you assign a custom monitor to a dashboard, you can click the View Settings icon at the top right of the custom monitor to toggle to the parameters page, where you can edit and update the parameters for the monitor. Parameter choices might vary from monitor to monitor.

List of NTBA custom monitors

The NTBA custom monitors display NTBA Appliance-specific information in new dashboards. All the NTBA default and additional default monitors can be assigned to new dashboards as NTBA Appliance-specific custom monitors. Each custom monitor has parameters that are customizable.

Table 10-2 Custom monitors - NTBA Appliance-specific

Monitor name: Applications - Active
Parameters: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Monitor name: Applications - New
Parameters: Top N

Monitor name: Applications Traffic (Bytes)
Parameters: Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time and End Time)

Monitor name: Endpoints - Active
Parameters: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Monitor name: Endpoints - New
Parameters: Top N

Monitor name: Endpoints - Threat Factor
Parameters: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Monitor name: Protocol Distribution (Bytes)
Parameters: Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time and End Time)

Monitor name: Services - Active
Parameters: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Monitor name: Services - New
Parameters: Top N

Monitor name: Services Traffic (Bytes)
Parameters: Top N, Direction (Bi-directional, Inbound, Outbound), Frequency (1 min, 10 min, hourly, daily), Customize (Start Time and End Time)

Table 10-2 Custom monitors - NTBA Appliance-specific (continued)

Monitor name: Top External Endpoints By Reputation
Parameters: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Monitor name: Top Files
Parameters: Top N, Custom (Start Time and End Time)

Monitor name: Top URLs
Parameters: Top N, Custom (Start Time and End Time)

Monitor name: Top URLs By Category
Parameters: Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Monitor name: Top URLs By Reputation
Parameters: Top N, Time Period (Last Minute, Last 10 min, Last Hour, Last 24 Hour, Custom [Start Time and End Time])

Monitor name: Traffic Volume (Bytes) - Top Source Endpoints
Parameters: Top N, Direction (Bi-directional, Inbound, Outbound), Customize (Start Time and End Time)

Monitoring traffic in NTBA Appliance

You can monitor traffic per NTBA Appliance to check whether traffic is going through the device, a zone, or an exporter's interface.

Task
1 Select Devices | Devices | <NTBA Appliance> | Troubleshooting | Traffic Throughput. The Traffic Throughput page is displayed. By default, Device is selected.

Figure 10-6 Traffic Throughput page

2 Select Device to generate a bar graph showing the total bytes observed in each direction during the last hour.
3 Select Zones to display the throughput for each zone in each direction, together with the time when the last packet was seen on that zone. You can use the Search field to search for a particular zone of the device.
4 Select Exporters to display each exporter and interface combination, its line speed, and the utilization percentage in each direction. You can use the Search field to search for a particular zone of the device.

NTBA Denial-of-Service profiles

A Denial-of-Service (DoS) attack is a malicious attempt to render a service, system, or network unusable by its legitimate users. DoS profiles are a method used to combat DoS attacks. The NTBA Appliance automatically creates two types of DoS profiles:
- Endpoint DoS profiles are created for every endpoint in the network.
- Zone DoS profiles are created for every zone in the network.

You can view the Endpoint DoS profile by clicking DoS Profile in the right-click menu of the Traffic Volume (Bytes) - Top Source Endpoints and Endpoints - Threat Factor default monitors in the NTBA tab of the Dashboards page of the Threat Analyzer.

Figure 10-7 Endpoint DoS Profile monitor

You can view the Zone DoS profile by clicking Zone DoS Profile in the right-click menu of the Traffic Volume (Bytes) - Zones default monitor in the NTBA tab of the Dashboards page of the Threat Analyzer.

Figure 10-8 Zone DoS profile monitor

These profiles are created for six measures, namely icmp_pkt (ICMP Echo Packet), tcp_rst_pkt (TCP Reset Packet), tcp_syn_or_fin_pkt (TCP SYN or FIN Packet), icmp_echo_or_reply_pkt (ICMP Echo or Reply Packet), and udp_pkt (UDP Packet).

The dynamics of the Zone DoS profiles are explained here. The dynamics of Endpoint DoS profiles are similar.

Zone DoS profile

The following example illustrates the Zone DoS profile for one measure. The profile for the other five measures is read in the same way.

Figure 10-9 Zone DoS profile for ICMP Echo packet

Two parameters are used: packet rate (rate value) and percentage. Packet rate is the number of packets observed per second. Percentage is the share of observations, out of the total, that fall into a given rate bin.

The X-axis shows the packet rate breakdown, from low to high, in packets per second. The Y bars are the percentages of rate samples that fall into the ranges represented by the X points (bins). The long-term distribution is based on observations made over a long period. The short-term distribution is based on observations made over a short period (a few minutes).

In the above profile, the x-axis points are bins representing 1.103, 1.133, packets per second. The values for the bins are set based on an analysis of traffic and its statistical significance, and hence vary from time to time. Each bin represents the percentage of samples that fall between the rate value for that bin and the rate value for the next bin. The values for the bins represented in the illustration are as follows:

Long-term distribution

The long-term distribution represents values that were learned initially over a few days and are then updated every four hours or so. During each update, 90% of the long-term profile value is retained and 10% of the short-term value is incorporated into the long-term value.

Short-term distribution

The short-term distribution is based on observations made over a short term (a few minutes) and is updated every few minutes. In this example profile, the short-term profile values at the time of viewing the profile add up to a total that is a snapshot of the short-term rate sample observations during a short period.

Alerts in the Volume DoS category are raised in the Threat Analyzer when there is a significant deviation from the profiles, as determined by the NTBA Appliance. The short-term Y bars can at times exceed the long-term Y bars during a short-term traffic burst. The short-term Y bars can be zero because the short-term profile is reset to zero every four hours or so, when the long-term profile is updated. Further, both the short-term and the long-term Y bars for a bin can be zero when there is no traffic relating to that bin.

NTBA Denial-of-Service alerts

The NTBA DoS alerts in the Threat Analyzer are grouped under the category Volume DoS. The attacks listed under the Volume DoS category are of two kinds: Volume Anomaly attacks and Threshold Anomaly attacks.

Volume DoS alerts for volume anomaly attacks

The volume anomaly attacks listed as alerts in the Threat Analyzer are detected with reference to DoS profiles. They are anomalies in the volume of traffic relative to the Endpoint DoS profiles and Zone DoS profiles. If the short-term rate sample in a bin of a DoS profile significantly exceeds the corresponding long-term rate sample, for a duration that the NTBA Appliance determines to be significant, an alert is raised in the Threat Analyzer.

Figure Volume DoS anomaly attack alert listed in the Threat Analyzer

You can double-click an attack listed in the Alerts page of the Threat Analyzer to view the Alert Details page.

The alert details for a Volume DoS anomaly alert reflect the sample rate distribution at the time the alert was raised. In the following illustration, the percentage of observed rate samples in the 10th bin at the time of raising the alert is shown.

Figure NTBA volume DoS anomaly alert details

Volume DoS alerts for threshold anomaly attacks

Threshold anomaly attack alerts are listed under Volume DoS alerts if the threshold set for an attack in the NTBA Policy Editor is exceeded for longer than the set threshold interval. Threshold anomaly attack alerts are listed under the Volume DoS category in the Threat Analyzer.

Figure Volume DoS threshold alert listed in the Threat Analyzer

The Quarantine option is also supported for threshold-based anomaly attacks on endpoints. The Alert Details for a Volume DoS threshold alert list the details of the alert.
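The two detection mechanisms described in this chapter, the profile-based volume anomaly (long-term and short-term bin distributions, the four-hourly 90%/10% long-term update with short-term reset, and an alert when a bin's short-term share stays significantly above its long-term share) and the threshold anomaly (rate above a configured threshold for longer than the threshold interval), are modelled below as an added, self-contained example. This is not NTBA Appliance code: the bin edges, the multiple that counts as a "significant" deviation, the minimum short-term share, and the number of consecutive windows that count as a "significant" duration are all assumptions, since the guide does not state how the appliance decides significance.

```python
from bisect import bisect_right
from typing import List, Optional

# Constructed bin edges in packets per second (lower edge of each bin).
# The appliance derives its own bin values from traffic analysis; these are assumed.
BIN_EDGES = [0.0, 1.0, 2.0, 5.0, 10.0, 50.0, 200.0]


def bin_index(rate: float, edges: List[float]) -> int:
    """Bin i covers rates in [edges[i], edges[i+1]); the last bin is open-ended."""
    return max(0, bisect_right(edges, rate) - 1)


def histogram_pct(samples: List[float], edges: List[float]) -> List[float]:
    """Percentage of rate samples that fall into each bin (the Y bars of the profile)."""
    counts = [0] * len(edges)
    for rate in samples:
        counts[bin_index(rate, edges)] += 1
    total = len(samples)
    return [100.0 * c / total if total else 0.0 for c in counts]


class DoSProfile:
    """Long-term and short-term distributions for one measure (for example icmp_pkt)."""

    def __init__(self, edges: List[float], retain: float = 0.9,
                 ratio: float = 3.0, floor_pct: float = 5.0, min_periods: int = 3):
        self.edges = edges
        self.retain = retain            # share of the long-term value kept per update (guide: 90%)
        self.ratio = ratio              # assumed multiple that counts as a "significant" deviation
        self.floor_pct = floor_pct      # assumed minimum short-term share before a bin can alert
        self.min_periods = min_periods  # assumed number of consecutive windows that is "significant"
        self.long_term = [0.0] * len(edges)
        self.short_term = [0.0] * len(edges)
        self._streak = [0] * len(edges)

    def learn_long_term(self, samples: List[float]) -> None:
        """Initial learning phase: the long-term distribution is the histogram of all samples."""
        self.long_term = histogram_pct(samples, self.edges)

    def observe(self, samples: List[float]) -> List[int]:
        """Refresh the short-term distribution from a few minutes of rate samples and return
        the bins that have stayed significantly above long-term for min_periods windows."""
        self.short_term = histogram_pct(samples, self.edges)
        alerting = []
        for i, (st, lt) in enumerate(zip(self.short_term, self.long_term)):
            if st > max(lt * self.ratio, self.floor_pct):
                self._streak[i] += 1
            else:
                self._streak[i] = 0
            if self._streak[i] >= self.min_periods:
                alerting.append(i)
        return alerting

    def update_long_term(self) -> None:
        """Four-hourly update: keep 90% of long-term, fold in 10% of short-term, reset short-term."""
        self.long_term = [self.retain * lt + (1.0 - self.retain) * st
                          for lt, st in zip(self.long_term, self.short_term)]
        self.short_term = [0.0] * len(self.edges)
        self._streak = [0] * len(self.edges)


def threshold_alert_at(rates: List[float], threshold: float, interval: int) -> Optional[int]:
    """Threshold anomaly: the per-second rate must stay above `threshold` for more than
    `interval` consecutive seconds before an alert fires. Returns the firing index or None."""
    above = 0
    for t, rate in enumerate(rates):
        above = above + 1 if rate > threshold else 0
        if above > interval:
            return t
    return None


if __name__ == "__main__":
    # Constructed traffic: a quiet baseline, then a burst landing in the 5-10 pps bin.
    profile = DoSProfile(BIN_EDGES)
    profile.learn_long_term([0.5] * 60 + [1.5] * 30 + [3.0] * 10)
    burst = [7.0] * 8 + [0.5] * 2
    for window in range(3):
        print("window", window, "alerting bins:", profile.observe(burst))
    profile.update_long_term()
    print("long-term after update:", profile.long_term)
    print("threshold alert at second:", threshold_alert_at([10, 10, 500, 500, 500, 500, 10], 100, 3))
```

The streak counter is what gives the "duration" part of the volume anomaly rule: a single short-term burst above long-term does not alert until it has persisted for the assumed number of windows, and the four-hourly update zeroes both the short-term bars and the streaks, which matches the guide's note that short-term Y bars can read zero right after an update.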

In the following illustration, the Alert Details page shows the set threshold value and the observed value.

Figure Volume DoS threshold attack alert details

Policies that contain set values for anomaly attacks and threshold attacks must be applied to an NTBA Appliance and NTBA zones for alerts to be raised in the Threat Analyzer.

Alerts and scans

The NTBA Appliance detects threats and displays alerts in the All Alerts page of the Threat Analyzer. You can use the McAfee ePO and vulnerability scan options to investigate the security status of endpoints. Alert and scan options are available in the relevant monitors as follows.

Table 10-3 Alerts and scans options

To view this...: Right-click this monitor...
All alerts: Endpoints - Threat Factor. The right-click menu of the Endpoints - Threat Factor monitor has options for viewing All Alerts, IPS Alerts, and NTBA Alerts through the All Alerts page.
NTBA alerts: Endpoints - Threat Factor; Traffic Volume (Bytes) - Top Source Endpoints
Endpoint scan: Endpoints - Threat Factor; Endpoints - New. The selected endpoint can be scanned using McAfee ePO Scan and Vulnerability Scan.

All Alerts include IPS as well as NTBA alerts. Viewing the alerts on an endpoint gives detailed threat-related information on the selected endpoint. Scan results are displayed in the Forensics page of the Threat Analyzer. These scans are part of the threat investigation on an endpoint.

With the integration of Vulnerability Manager, the top five new endpoints are automatically subjected to a vulnerability scan. The process is repeated every five minutes, when the next top five endpoints are automatically scanned, providing continuous vulnerability information. The automatic scan can be enabled or disabled by changing the Enable Auto Scan property in the General tab of the Preferences page in the Threat Analyzer.

McAfee ePO and Vulnerability Scan options are available when Vulnerability Manager and ePolicy Orchestrator are integrated with and enabled in the Manager.

IPS alerts are available in a deployment where both a Sensor and an NTBA Appliance are installed.

11 Viewing NTBA reports

The Reports page of the Manager enables generation of Traditional and Next Generation reports on the data generated by the NTBA Appliances.

Contents
Configuration reports
Next generation reports

Configuration reports

The Configuration reports display information specific to an admin domain or NTBA Appliance as of the time at which the report is generated. The output choices are HTML, PDF, Save as CSV, and Save as HTML.

Generate Device Summary report

The Device Summary report contains information on all the IPS, Virtual IPS, NTBA, and Virtual NTBA devices configured. It provides a summary of information per device irrespective of the number of similar Sensor models configured. The device count provides a summarized count of all the devices configured.

To generate a Device Summary report, do the following:

Task
1 Click the Manage tab.
2 Select Reporting | Configuration Reports | Device Summary.
3 Select the Output Format.
4 Click Submit.

The field descriptions in this report are as follows:

Summary
Device model: Provides the Sensor models configured
Count: Displays a summarized count of the similar Sensor models

Sensor Name (IPS, Virtual IPS, NTBA, Virtual NTBA)

Field Name: Description. Applicable to Sensor model
Name: Displays the name of the Sensor. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Model: Displays the Sensor model number. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Serial Number: Displays the serial number specified on the physical Sensor. Applicable to: IPS, NTBA, Virtual NTBA
Software Version: Displays the current software version configured on the Sensor. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Contact Information: Displays the contact information provided by the user at the time of configuration of the Sensor. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Location: Displays the geographical location provided by the user at the time of configuration of the Sensor. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Updating Mode: Displays the mode of configuration update for the Sensor. It can be updated online or offline. Applicable to: IPS, Virtual IPS
Signature Version: Displays the current signature version configured on the Sensor. Applicable to: IPS, Virtual IPS
Hardware Version: Displays the current hardware version running on the Sensor. Applicable to: IPS
IP Address Connected to the Manager: Displays the IP address used by the Sensor to connect with the Manager. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Subnet Mask: Displays the subnet mask IP address. Applicable to: IPS, Virtual IPS
Default Gateway: Displays the IP address of the default gateway. Applicable to: IPS, Virtual IPS
Up Time: Displays the time period since the Sensor started running. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Last Reboot: Displays the date and time of the previous reboot. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
Last Signature Set Update: Displays the date and time of the previous signature set update. Applicable to: IPS, Virtual IPS, NTBA, Virtual NTBA
FIPS Mode: Displays whether FIPS mode is enabled or disabled. Applicable to: IPS, Virtual IPS

View NTBA Appliance reports

The NTBA Appliance report displays information on the selected NTBA Appliance.
The information includes device name, serial number, port configuration, flow information, general settings, IP settings of the interfaces, exporter settings, SNMP settings, list of NTBA interfaces, list of inside zones, list of outside zones, and zone elements. Follow this procedure to view the NTBA Appliance report:

Task
1 Select Manage | Reporting | Configuration Reports. The Configuration Reports page is displayed.

2 Click the NTBA Appliance link. The NTBA Appliance report page with the configuration options is displayed.

Figure 11-1 NTBA Appliance report page

3 Configure the following:
- Select the device for which you want to generate the report from the Device field.
- Select the required checkboxes for Device Information, Port Configuration, NTBA Configuration, and Zone.
- Select the required Output Format from the Output Format drop-down list.
- Click Submit.

For the selected admin domain, the NTBA Appliance report displays the following device configuration details:

1 NTBA Appliance Information for <Device Name>
  a Device Name
  b Serial Number
  c Contact Information
  d Location
  e Model
  f Software Version
  g IP Address
  h Up Time
  i Last Reboot
  j Last Signature Set Update
2 Current NTBA Port Configuration for device <Device Name>
3 Port Settings
  a Port #
  b Port Type
  c Configuration
  d Speed
  e Duplex
  f Administrative Status
  g Operational Status
4 Flow Information
  a Flow Protocol Supported
5 Proxy Server Settings
  a User Parent Settings?
  b User Proxy Server?
  c Proxy Server Name or IP Address
  d Port Number
  e User Name
  f Test URL

6 NTBA General Settings
  a Use Global Settings?
  b NTBA listening port for flow records
  c Enable De-duplication?
7 IP Settings to the NTBA interfaces
  a IP Address
  b Network Mask
  c Gateway IP
8 Exporters
  a Name
  b IP Address
  c Type
  d Enabled
  e Description
  f Flow Type and Version
9 SNMP Settings for exporter <Device Name>
  a Use Global Settings?
  b UDP Port
  c SNMP Version
  d Read-Only Community String
  e SNMP Polling Interval Time
10 List of NTBA-ready Interface
  a Enabled
  b Name
  c Type
  d External?
  e Description
11 SNMP Settings for exporter
  a Use Global settings?
  b UDP Port
  c SNMP Version
  d Read-Only Community String
  e SNMP Polling Interval Time
12 List of NTBA-ready Interface
  a Enabled
  b Name
  c Type
  d External?
  e Description
13 Summary of list of inside zones
  a Name
  b Description

14 Summary of list of outside zones
  a Name
  b Description
15 Zone elements of inside Zones
  a Zone
  b Element
  c Type
16 Zone elements of outside Zones
  a Zone
  b Element
  c Type

View NTBA Configuration Summary reports

The NTBA Configuration Summary report displays information on the NTBA Appliance configuration. The settings include spambot detection, Threat Analyzer presentation, services, collector details, and exporter settings.

Task
1 Select Manage | Reporting | Configuration Reports. The Configuration Reports page is displayed.
2 Click the NTBA Configuration Summary link. The NTBA Configuration Summary report page with the configuration options is displayed.

Figure 11-2 NTBA Configuration Summary report page

3 Configure the following:
- Select the Admin Domain for which you want to generate the report from the drop-down list. The admin domain selected in the left pane has no impact on the reports generated; the Admin Domain drop-down list is explicitly for filtering the reports that are generated.
- Select the Output Format from the drop-down list.
- Click Submit.

For the selected Admin Domain, the NTBA Configuration Summary report is displayed with the following configuration details:

1 Spambot Detection
  a Domain

2 Threat Analyzer Presentation
  a The Value of N in Top N lists
  b Consider Endpoints/Protocols "New" if Seen for First Time Within (days)
  c Consider Endpoints/Protocols "New" if Seen for First Time With Reference Days As (days)
  d Consider Endpoints/Protocols "Active" if Seen for First Time Within (days)
3 Service
  a Name
  b Enable
  c Service Details
4 Collector Details
  a Listen for flow information on UDP Port
  b Enable De-duplication
  c Primary Name Server
  d Secondary Name Server
  e Refresh Interval (hours)
5 Exporter Settings
  a UDP Port
  b SNMP Version
  c Read Only Community String
  d SNMP Polling Interval Time

Next generation reports

The Next Generation reports display network-wide information, with data options for generating queries for a day, between two dates, or during the past month(s), week(s), day(s), or hour(s).

Run a Next Generation Default report

The Next Generation reports display network-wide information, with data options for generating queries for a day, between two dates, or during the past months, weeks, days, or hours.

Figure 11-3 Next Generation Saved Reports

Tasks
- Default - Top URLs Accessed report on page 255
- Default - Top URLs by Reputation report on page 256
- Default - Top URL Categories report on page 256
- Default - Top 10 Endpoint Executables on page 256
- Default - Top Files Accessed report on page 257
- Default - Top Most Recently-Active Endpoints report on page 257
- Default - Top Endpoint Summary report on page 258
- Default - Top Endpoints by Bandwidth Usage report on page 258
- Default - Top Endpoints by GTI Reputation report on page 258
- Default - Top Endpoints by Threat Factor report on page 258
- Default - Top New Applications Seen report on page 259
- Default - Top New Services Seen report on page 259
- Default - Top New Endpoints Seen report on page 259
- Default - Top Services by Bandwidth Usage report on page 259
- Default - Top Applications by Bandwidth Usage report on page 260
- Default - Top Most Recent Connections report on page 260
- Default - Top Interface Traffic report on page 260
- Default - Top Conversations report on page 260

Default - Top URLs Accessed report

This report shows the URLs most accessed by hosts in the network during the selected period.

Field: Description
Access Count: Displays the number of times the URLs were accessed.
URL: Displays all the URLs accessed.
URL Category: Displays the URL categories, for example, Business, Games, Search Engine.
URL Reputation: Displays the reputation score (risk factor) of the URLs.
Country: Displays the country the URLs originate from.

Default - Top URLs by Reputation report

This report shows the list of URLs sorted by reputation during the selected period.

Field: Description
URL Reputation: Displays the reputation score (risk factor) of the URLs.
URL: Displays all the URLs accessed.
URL Category: Displays the category of the URLs, for example, Business, Games, Search Engine.
Country: Displays the country the URLs originate from.
Access Count: Displays the number of times the URLs were accessed.

Default - Top URL Categories report

This report shows the most accessed URL categories during the selected period.

Field: Description
URL Count: Displays the number of times the URLs were accessed.
URL Category: For each category, the following data is displayed:
  URL - Displays all the URLs accessed.
  URL Reputation - Displays the reputation score (risk factor) of the URLs.
  Country - Displays the country the URLs originate from.

Default - Top 10 Endpoint Executables

This report displays the list of the top 10 endpoint executables based on the filters used. It shows summary data such as the total number of endpoints using the executable, the number of connections created via the executable, and the number of events raised by the executable. To run this report, select Analysis | Event Reporting | Next Generation Reports | Default - Top 10 Endpoint Executables. The available filters are admin domain, application, classification, device, executable name, malware confidence, and time interval.
Table 11-1 Field descriptions of Top 10 Endpoint Executables report

Field: Description
Executable: Displays the file hash, name, and version of the executable.
Malware Confidence: Displays the malware confidence of the executable. Malware confidence values are very high, high, medium, low, very low, and unknown.
Classification: Displays the executable classification: blacklisted, whitelisted, or unclassified.
First Seen: Displays when the executable was first reported by the endpoint to the NTBA Appliance.

Table 11-1 Field descriptions of Top 10 Endpoint Executables report (continued)

Field: Description
Last Seen: Displays when the executable was last reported by the endpoint to the NTBA Appliance.
Counts: Displays the number of endpoints running the executable, the events triggered by the executable, and the number of connections made by the endpoint.
Comment: Displays the comments you have entered.

Default - Endpoint Executable Details

This report displays a detailed view of the executables selected as part of the filter criteria. To run this report, select Analysis | Event Reporting | Next Generation Reports | Default - Endpoint Executable Details. The available filters are admin domain, device, and executable name. You must select an executable name to generate this report.

Table 11-2 Field descriptions of Endpoint Executable Details report

Field: Description
Endpoint Executable Details: Displays the file hash, name, version, malware confidence, and classification of the executable; the times when the executable was first seen and last seen, as reported by the endpoint to the NTBA Appliance; the number of endpoints running the executable, the events triggered by the executable, and the number of connections made by the endpoint; and comments.
Properties for Executable: Displays the binary type, classifier, and classified details.
Malware Indicators for Executable: Displays the methods that were used to compute the executable reputation.
Libraries Invoked by Executable: Displays all the libraries (DLLs) invoked by the executable.
Endpoints that have run Executable: Displays information on the endpoints that have run the executable.

Default - Top Files Accessed report

This report shows the most accessed files in the network during the selected period.

Field: Description
Access Count: Displays the number of times the files were accessed.
File Name: Displays the name of the files accessed.
File Path: Displays the path of the files accessed.
Default - Top Most Recently-Active Endpoints report

This report shows the endpoints most recently active on the network.

Field: Description
Last Seen: Displays when the endpoints were last seen on the network.
Endpoint IP: Displays the IP address of the endpoints.
Hostname: Displays the endpoints accessed.
Zone: Displays the zone names.
ETF: Displays the threat factor value of the endpoints. See also Endpoint Threat Factor.

Default - Top Endpoint Summary report

This report shows the summary details for endpoints in the network during the selected period.

Field: Description
Last Activity Time: Displays the last activity time of the endpoints.
Endpoint IP: Displays the IP address of the endpoints.
Hostname: Displays the name of the endpoints.
Zone: Displays the zone name of the endpoints.
Applications: Displays the list of application names, for example, HTTP, Gmail, eDonkey.
Active Connections: Displays the number of active connections to the endpoints.
ETF: Displays the threat factor value of the endpoints. See also Endpoint Threat Factor.

Default - Top Endpoints by Bandwidth Usage report

This report shows the endpoints sending or receiving the most bytes in the network during the selected period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
Endpoint IP: Displays the IP address of the endpoints.
Hostname: Displays the name of the endpoints.
Zone: Displays the zone name of the endpoints.
ETF: Displays the threat factor value of the endpoints. See also Endpoint Threat Factor.
In Bytes: Displays the inbound traffic volume in bytes.
Out Bytes: Displays the outbound traffic volume in bytes.

Default - Top Endpoints by GTI Reputation report

This report shows the endpoints with the highest GTI Reputation in the network during the selected period.

Field: Description
Reputation: Displays the reputation of the endpoints.
Endpoint IP: Displays the IP address of the endpoints.
Hostname: Displays the name of the endpoints.
Country: Displays the country of the endpoints.
Zone: Displays the zone name of the endpoints.

Default - Top Endpoints by Threat Factor report

This report shows the endpoints sorted by Threat Factor during the selected period.

Field: Description
ETF: Displays the threat factor value of the endpoints. See also Endpoint Threat Factor.
Endpoint IP: Displays the IP address of the endpoints.
Hostname: Displays the name of the endpoints.
Zone: Displays the zone name of the endpoints.
In Bytes: Displays the inbound traffic in bytes.

Out Bytes: Displays the outbound traffic in bytes.
Total Bytes: Displays the traffic volume in bytes.

Default - Top New Applications Seen report

This report shows the applications that are new on the network during the selected period.

Field: Description
First Seen: Displays the first seen time of the applications.
App Name: Displays the application names, for example, HTTP, Gmail, eDonkey.
Last Seen: Displays the last seen time of the applications.

Default - Top New Services Seen report

This report shows the services that are new on the network during the selected period.

Field: Description
First Seen: Displays the first seen time of the services.
Service Name: Displays the service names, for example, ftp (tcp), dns (udp).
Last Seen: Displays the last seen time of the services.

Default - Top New Endpoints Seen report

This report shows the endpoints that are new on the network during the selected period.

Field: Description
First Seen: Displays the first seen time of the endpoints.
Endpoint IP: Displays the IP address of the endpoints.
Hostname: Displays the name of the endpoints.
Zone: Displays the zone name of the endpoints.
ETF: Displays the threat factor value of the endpoints. See also Endpoint Threat Factor.

Default - Top Services by Bandwidth Usage report

This report shows the services consuming the most bandwidth (bytes) in the network during the selected period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
Service Name: Displays the service names, for example, ftp (tcp), dns (udp).
In Bytes: Displays the inbound traffic volume in bytes.
Out Bytes: Displays the outbound traffic volume in bytes.
In Packets: Displays the inbound packets on the network.
Out Packets: Displays the outbound packets on the network.
Total Packets: Displays the total packets on the network.

Default - Top Applications by Bandwidth Usage report

This report shows the applications consuming the most bandwidth (bytes) in the network during the selected period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
App Name: Displays the application being accessed.
In Bytes: Displays the inbound traffic volume in bytes.
Out Bytes: Displays the outbound traffic volume in bytes.
In Packets: Displays the inbound packets in the network.
Out Packets: Displays the outbound packets in the network.
Total Packets: Displays the total packets in the network.

Default - Top Most Recent Connections report

This report shows a connection summary for the network during the selected period.

Field: Description
Time: Displays the time of the connections.
Src IP: Displays the IP address of the source hosts.
Dst IP: Displays the IP address of the destination hosts.
Src Port: Displays the source port of the hosts.
Dst Port: Displays the destination port of the hosts.
App: Displays the application names, service names, or protocol.
Total Bytes: Displays the traffic volume in bytes.
Total Packets: Displays the total packets on the network.
URLs: Displays the URLs on the network.
File Names: Displays the files on the network.

Default - Top Interface Traffic report

This report lists the exporter interfaces that carried the most traffic during the selected period.

Field: Description
Total Bytes (packets): Displays the traffic volume in bytes.
Interface Name: Displays the name of the interface.
In Bytes (packets): Displays the inbound traffic in bytes.
Out Bytes (packets): Displays the outbound traffic in bytes.
Avg Bytes (packets): Displays the average traffic in bytes.
Max Bytes (packets): Displays the maximum traffic in bytes.

Default - Top Conversations report

This report lists the conversations that carried the most traffic during the selected time period.

Field: Description
Total Bytes: Displays the traffic volume in bytes.
Src IP: Displays the IP address of the source hosts.
Dest IP: Displays the IP address of the destination hosts.
Service: Displays the service names, for example, ftp (tcp), dns (udp).
In Bytes: Displays the inbound traffic in bytes.
Out Bytes: Displays the outbound traffic in bytes.

Create a Next Generation duplicate report

You can create duplicate reports of the Default Next Generation reports. You can then edit the parameters to suit your requirements.

Task
1 On the Manager home page, click Analysis.
2 Select Event Reporting | Next Generation Reports.
3 From the Saved Reports list, select a Next Generation default report and click Duplicate.

4 Select a Next Generation default report and click Duplicate. The Duplicate Next Generation Report page is displayed.

Figure 11-4 Duplicate Next Generation Report page

5 Enter the name and description (mandatory fields), then click OK. The duplicate report is displayed in the Saved Reports section.
6 Click Edit to change the parameters. The Data Source page is displayed.

Figure 11-5 Data Source page

7 Select a row in the left pane to view the Data Fields options.

8 Click Save.
9 On the Save Query page, enter a name and description for the query.
10 Click Next. The Select Recipients page is displayed.
11 Click New to add a recipient.
12 Click Finish to complete the process.

Run Next Generation User Defined report

You can create a new report with your choice of data source, presentation, and filter.

Task
1 On the Manager home page, click Analysis.
2 Select Event Reporting | Next Generation Reports.
3 Click New.
4 Select a data source for the report. The data source represents the database tables from which the report information is retrieved.
5 Click New.
6 Select how the report is displayed: table, bar chart, or pie chart. The Display Options page is displayed.

Figure 11-6 Display Options page

7 Select the columns that you want to include in the report by selecting rows in the left pane.
8 Select a row in the left pane to view the data filter options. You can refine the filter options for the fields selected in step 4 from the Data Filter options. Use the + and - options to add or delete conditions. When you finish the selections, you can save your report query by clicking Save. You can also run the report directly without saving by clicking the Run Once option.

9 On the Save Query page, enter a name and description for the query.
10 Click Finish to save the query.
The report is saved and displayed in the Saved Reports section of the Next Generation page.
11 Select the report, then click Run Once.
12 In Run Query, enter the data options and the report format.
13 Click Run to run the report query.
The generated report is displayed in the selected report format. If there are no alerts, only the table is displayed.

After the User Defined Report is saved, you cannot change its data source.

The New option is not supported for NTBA Generated Reports. You can either run such a report, or duplicate it and modify some of the conditions in the query.

Run Next Generation default report

Task
1 Select Analysis | Event Reporting | Next Generation Reports.
The Next Generation Saved Reports page is displayed. The available reports are listed in the left pane.
2 Select the report that you want to run from those listed in the Saved Reports pane.
The details of the report are listed in the right pane.

Figure 11-7 Next Generation Saved reports

3 Click Run.
The Run Report page is displayed.

Figure 11-8 Run Report page

4 Select the Date options. (Query for the day or between two dates, or for the specified period: number of months, weeks, days, or hours.)
5 Select the Report Format (HTML, PDF, Save as CSV, or Save as HTML).
6 Click Run.
For the HTML and PDF options, the report is displayed in the Manager. For Save as CSV and Save as HTML, use the File Download option to save the report.

Create Next Generation duplicate reports

The Manager allows you to create duplicate reports of the Default Next Generation reports. The parameters for the duplicated report can then be edited to suit your requirements. To create a duplicate report, do the following:

Task
1 Select a Next Generation default report and click Duplicate.
2 Enter the Name and Description (mandatory fields) and click OK.
3 The duplicate report is displayed under the Next Generation Saved Reports section.
4 Click Edit to change the parameters.
5 Select a row in the left panel to view the Data Fields options.
The admin domain selected in the left pane has no impact on the reports generated. The admin domain data filter that you select is what explicitly filters the reports that are generated.
6 Click Save to save the changes made.
7 On the Save Query page, enter a Name and Description for the query. You can also select the following options on the Save Query page:
Automate Report Generation
Report Frequency
Events to Display
Report Format

8 Select Next.
The Select Recipients page is displayed.
9 Click New to add a recipient through the Add Recipient dialog.
10 Click Finish to complete the process. The Next Generation main page is displayed.

Managing the NTBA Appliance

Chapter 12 Maintenance


12 Maintenance

You can maintain your NTBA appliance by keeping the software and signatures up to date, archiving data and maintaining the database, and preparing for disaster recovery.

Contents
Updating software and signatures
Possible actions from the Devices node
Database tuning and pruning
Data archive options
Manager Disaster Recovery (MDR) support for NTBA Appliance

Updating software and signatures

You can manually download and import the latest software and signatures for the Sensor and the NTBA Appliance. You can also schedule automatic downloads and imports.

Make sure you are connected to the Internet while downloading and updating antimalware software and signatures. Updating antimalware software and signatures from offline servers is not supported.

You can perform only one download or upload at a time from any McAfee Network Security Platform component, including the update server.

The Updating menu contains:
Download IPS Signature Sets: Download the latest attack and signature information from the update server to the Manager.
Download Botnet Detectors: Download the latest botnet detectors from the server.
Downloading Device Software: Download the latest Sensor or NTBA Appliance software image file from the update server to the Manager.
Manual Import: Manually import downloaded Sensor or NTBA Appliance software image and signature files to the Manager.
Messages from McAfee: View and acknowledge messages from McAfee.
Automatic Updating: Configure the frequency by which the Manager checks the update server for updates, and the frequency by which Sensors and NTBA Appliances receive signature updates from the Manager.

Download software updates

You can download the available Sensor software and NTBA Appliance updates on demand from the update server. If more than one version is available, select the most recent version.

Automation enables the Manager to check the update server for software updates on a periodic basis.

Task
1 Select Manage | Updating | Download Device Software.
The Download Device Software page is displayed, showing the software available for download. There are two tables on this page:
Software Available for Download: Current software versions available on the update server.
Software on the Manager: The software versions that have been downloaded to the Manager.
2 Select the required software update from the Software Available for Download column of the Software table.
Click a version listed in the Software Available for Download column to view details of the software update.
3 Click Download to download the software updates.
The following options are available for Sensors: update all Sensors under the Sensors node, or update a single Sensor.

Use the Deploy Device Software option to deploy these software updates. For more information, see the Installation Guide.

Download signature set updates

The Signature Sets option enables you to download available attack signature updates on demand from the update server to the Manager server. You can then push the signature download onto your Sensors or NTBA Appliance.

Because incremental emergency signature sets can be downloaded with regular signature sets, you do not need to use the custom attack definitions feature to import late-breaking attacks. The Download IPS Signature Sets option not only allows you to import regular signature sets, but also incremental emergency signature sets that include attack signatures not yet available in regular signature sets. Incremental emergency signature sets are meant to address late-breaking attacks that might need to be addressed immediately. Emergency signature sets are non-cumulative and can only add new signatures, so they do not contain a full set of signatures.
To ensure that you have a complete set of signatures, Network Security Platform checks whether a required regular signature set is missing and downloads it before downloading the related emergency signature set. You must use the Download IPS Signature Sets or Automatic Updating option in order for Network Security Platform to download a required regular signature set automatically before downloading an emergency signature set. You will receive an error if you try to import an emergency signature set through the Manual Import option.

When a signature file or version is downloaded, the version is listed in the Download IPS Signature Sets configuration table as the Active Manager IPS Signature Set.

Setting a schedule enables the Manager to check the update server for signature updates on a periodic basis, download the available updates, and push these updates to your Sensors or NTBA Appliances without your intervention.
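The dependency between regular and emergency signature sets described above can be modelled to show why the Manager fetches a missing base set first and why Manual Import refuses an emergency set. The following Python is an added illustration, not McAfee code or the update server's real format: the version labels, the catalogue layout, the signature ids and the function names are all assumptions made for this example.

```python
"""Model of the signature-set download rules described above.

Added illustration, not McAfee code: regular IPS signature sets are
cumulative, while incremental emergency sets only add signatures on top of
one specific regular set, so the Manager must already hold that regular set
before the emergency set is useful.  The version strings, the catalogue
layout and the function names are assumptions made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class SignatureSet:
    version: str                    # constructed sample version label
    signatures: FrozenSet[str]      # signature ids contained in this set
    emergency: bool = False         # True for an incremental emergency set
    requires: Optional[str] = None  # base regular set of an emergency set


class UpdateError(Exception):
    """Raised when the update rules on the page would refuse an action."""


def plan_download(target: SignatureSet,
                  catalogue: Dict[str, SignatureSet],
                  on_manager: Set[str]) -> List[str]:
    """Return the ordered list of versions to fetch before `target` can be
    applied.  Like the Manager, fetch a missing base regular set first."""
    plan: List[str] = []
    if target.emergency:
        base = catalogue.get(target.requires or "")
        if base is None or base.emergency:
            raise UpdateError(f"no regular base set for {target.version}")
        if base.version not in on_manager:
            plan.append(base.version)
    if target.version not in on_manager:
        plan.append(target.version)
    return plan


def manual_import(sig: SignatureSet, on_manager: Set[str]) -> Set[str]:
    """Manual Import accepts regular sets only; emergency sets are refused."""
    if sig.emergency:
        raise UpdateError("emergency signature sets cannot be imported manually")
    return on_manager | {sig.version}


def effective_signatures(regular: SignatureSet,
                         extras: List[SignatureSet]) -> FrozenSet[str]:
    """Signatures a device ends up with: the cumulative regular set plus any
    emergency sets built on that exact version.  An emergency set for a
    different base is skipped because it is not cumulative."""
    result = set(regular.signatures)
    for extra in extras:
        if extra.emergency and extra.requires == regular.version:
            result |= extra.signatures
    return frozenset(result)


# Constructed sample catalogue: two regular sets and one emergency set.
CATALOGUE: Dict[str, SignatureSet] = {
    "R-10": SignatureSet("R-10", frozenset({"SIG-A", "SIG-B"})),
    "R-11": SignatureSet("R-11", frozenset({"SIG-A", "SIG-B", "SIG-C"})),
    "R-11-E1": SignatureSet("R-11-E1", frozenset({"SIG-D"}),
                            emergency=True, requires="R-11"),
}

if __name__ == "__main__":
    # Manager holds only R-10 and wants the emergency set: R-11 comes first.
    print(plan_download(CATALOGUE["R-11-E1"], CATALOGUE, {"R-10"}))
    print(sorted(effective_signatures(CATALOGUE["R-11"], [CATALOGUE["R-11-E1"]])))
```

The point of `effective_signatures` is the "non-cumulative" caveat: an emergency set applied against any regular version other than its base adds nothing, which is exactly why the Manager downloads the base set first rather than trusting an operator-supplied file.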

Task
1 Select Manage | Updating | Download IPS Signature Sets.
The Download IPS Signature Sets page is displayed.
2 View the Active Manager Signature Set: Version n. This is the version that is currently available for your Sensors or NTBA Appliances to download.
This signature set is kept in a queue for download to your Sensors or NTBA Appliances. You can only have one version in the queue for download.
3 Select the signature update you want from IPS Signature Sets Available for Download. You can click a version number to view update details.
If you have downloaded the latest version, a default message reads, "No new signature sets available. The Manager has the most recent signature set." Click view all to display all the signature updates available on the update server.
4 Click Download.
A status window opens to verify signature download progress.
The Download button only appears when there is a new version to download.

How to automate updates

McAfee is constantly researching security issues and developing new signatures to provide the best protection available. New signatures are constantly being developed and existing ones modified to respond to the most current attacks. Software updates continually improve Sensor and NTBA Appliance performance. These enhancements are made available on a regular basis through the update server. Update availability is not confined to a set day and time; rather, updates are provided when they are developed, enabling you to have the latest improvements as soon as they are ready.

The Automation feature enables you to configure the frequency by which the Manager or McAfee Network Security Central Manager (Central Manager) checks the update server for updates.
At your automated time, the Manager polls the update server; if an update is available that is newer than the current signature set for the Sensor and NTBA Appliance software versions on your Manager, that update is downloaded to the Manager. You can check what has been downloaded at the Software and Signature Sets option.

The Automation feature is available in the Central Manager under Manage | Updating | Automatic Updating.

After downloading a signature set update, you can configure your Manager to push the update to all your Sensors or NTBA Appliances either immediately or by automation. Since signature sets can be updated on Sensors and NTBA Appliances in real time without shutdown, this scheduling feature enables you to propagate the latest signature set across your Sensors and NTBA Appliances quickly.

The Automatic Updating | IPS Signature Sets page combines two actions for scheduling updates:
Automatic IPS Signature Set Downloading: Downloads signature sets from the update server. Configure a schedule by which the Manager polls the update server for available signature set updates.
Automatic IPS Signature Set Deployment: Deploys new signature sets to NTBA and Sensor devices. Enable either automatic or scheduled downloading of the most recently downloaded signature set to your Sensors.
You must perform each action separately.

Automate signature set downloads from the update server

The server update automation process involves scheduling the Manager to poll the update server for signature downloads on a periodic basis. After your polling schedule is set, you can use the Signatures action to check what signature updates have been downloaded to your Manager and are thus available for download to your Sensors and NTBA Appliances.

Task
1 Select Manage | Updating | Automatic Updating | IPS Signature Sets.
The IPS Signature Sets page is displayed.

Figure 12-1 IPS Signature Sets page

2 For Enable Automatic Downloading, select Yes. By default, No is selected.
3 Select the Schedule by which you want the Manager to poll the update server. The choices are:
Frequently: Several times a day during a specified period, at the interval indicated in the Recur every option
Daily: Once a day
Weekly: Once a week
4 Select the Start Time, End Time, and Recur every options to specify intervals. Based on the Schedule frequency, these fields allow you to select options.
5 Click Save.
When enabled, the Manager downloads signature sets from the update server as per the set schedule.

Automatically deploy new signature sets to your devices

You can automate signature file updating for all your Sensors and NTBA Appliances. This means you can have all your Sensors and NTBA Appliances updated:
1 As soon as signature updates are downloaded to the Manager from the update server (real-time).
2 By a set schedule.
3 By both a real-time setting and a scheduled time, in an effort to reinforce immediate updating with a scheduled check to make sure the latest update is loaded to your Sensors and NTBA Appliances. Setting both real-time and schedule options enables the system to check update availability for cases where the real-time updating might have missed an update.
If you are going to use automated updating, McAfee recommends a scheduled time rather than real time for signature updating, in case slower performance is experienced during signature file download. You can schedule a time when you know your network sees a lesser amount of traffic.

Task
1 Select Manage | Updating | Automatic Updating | IPS Signature Sets.
The IPS Signature Sets page is displayed.

Figure 12-2 IPS Signature Sets page

2 Configure the following:
For Deploy in Real Time, select Yes. (This option pushes the signature set update to all Sensors and NTBA Appliances immediately after it is downloaded to the Manager.) No is the default option.
Select the Schedule by which you want the Manager to check for a newly downloaded signature set. The choices are:
Frequently: Several times a day during a specified period, at the interval indicated in the Recur every option
Daily: Once a day
Weekly: Once a week
Select the Start Time, End Time, and Recur every options to specify intervals. Based on the Schedule frequency, these fields allow you to select options.
3 Click Save.

Manually import a software image or signature set

The Manual Import option enables manual loading of the latest Sensor and NTBA Appliance software and signature files to the Manager or Central Manager from another workstation. This method is particularly useful if the Manager server is in a lab or secure environment and you do not want to compromise that environment with an Internet connection. This is crucial for administrators who do not want to connect their Manager to the update server through the Internet.

McAfee provides an alternate FTP server that contains the latest updates. You can download the update you need from the FTP location to a client machine. After the image file is downloaded to the alternate machine, you can pull the file from the client to the Manager server using the Import action.

Task
1 Select Manage | Updating | Manual Import.
The Manual Import page is displayed.

2 Click Choose File to locate the Sensor or NTBA Appliance software or signature set file, or enter the absolute path of the file.
3 Click Import.
You need to restart the Sensor after a manual import. For more information on rebooting the Sensor, see the McAfee Network Security Platform IPS Administration Guide.

Update software for a Sensor or NTBA Appliance

The Upgrade action enables an on-demand download of the latest or earlier software updates for a Sensor or NTBA Appliance from your Manager. All the software versions applicable to the device and available in the Manager are listed. From this list, you can choose the version that you want to push to the device. These versions are the ones that you downloaded from the update server onto your Manager.

You can only update online devices. Make sure the device is discovered, initialized, and connected to the Manager.

You can switch between different minor versions of the device software. Consider the scenario where you downloaded , , and versions for M6050 Sensors from the update server onto the Manager. Also, assume that currently the M6050 Sensor that you want to update is on You can now update this Sensor to either or Subsequently, you can also revert to However, you cannot switch between major versions of the software through the Manager. For example, you cannot switch between 6.0 and 5.1 versions of device software using the Manager.

After you update the software of a device, you must restart it.

Task
1 Click Devices | <Admin Domain Name> | Devices | <Device Name> | Maintenance | Deploy Device Software.
The Deploy Device Software page is displayed.
In the case of Sensors in a fail-over pair, select a Sensor under the fail-over pair name node, and then select Upgrade.
<Device_Name> refers to the name of the Sensor or NTBA Appliance.
2 Select the required version from the Software Ready for Installation section.
The Software Ready for Installation section lists the applicable versions of software that you downloaded from the update server (Manage | Updating | Download Device Software).
3 Click Upgrade.
When a device is being updated, it continues to function using the software that was present earlier.
4 After the update is complete, restart the Sensor or NTBA Appliance.
If the device that you updated is a Sensor in a fail-over pair (not applicable to NTBA Appliance), then update the other Sensor in the pair to the same version. Note that both Sensors of a fail-over pair need to be on the same software version.

Possible actions from the Devices node

This section describes all the options under the Devices node.

View details of a selected device

The <Device Name> Summary action presents a read-only view of the configured information for an installed device (Sensor or NTBA Appliance). The information displayed is configured during the installation and initialization of the selected device through the device or NTBA Appliance command line interface. For the selected device, verify that the Name, IP address, subnet mask, and default gateway IP address are the same as what you set through the command line interface.

When the Sensor is configured with dual stack (IPv4 and IPv6 addresses) and the NTBA Appliance is configured with IPv4 addresses, the following fields in the Summary page display only the IP address on which trust was established between the device and the Manager:
IP Address
Subnet Mask
Default Gateway
For example, if you configure both IPv4 and IPv6 addresses in the Sensor, but establish trust with the Manager on IPv4, then the Summary page displays only the IPv4 address for IP Address, Subnet Mask, and Default Gateway.

Follow this procedure to view the summary of the device configurations:
Select Devices | <Admin Domain Name> | Devices | <Device Name> | Summary (Devices | <Admin Domain> | Devices | <Failover Pair Node> | Summary in the case of failover pair Sensors).
The Summary page is displayed. The Name could refer to either a Sensor or an NTBA Appliance.

Figure 12-3 Summary page of device

Click Edit to edit the displayed information.

Reboot a device from the Manager

You can reboot the device from the Manager.

Task
1 Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Maintenance | Reboot.
The Reboot page is displayed.
2 Click Reboot Now.
3 Click OK to confirm the reboot.

Shut down a Sensor or NTBA Appliance

The Shut Down action turns off a Sensor or an NTBA Appliance with no restart.

Task
1 Select Devices | <Admin Domain Name> | Devices | <Device Name> | Maintenance | Shut Down.
The Shut Down page is displayed.
2 Click Shut Down Now.
The <Device Name> could be a Sensor or an NTBA Appliance.

Upload diagnostics trace

The Diagnostics Trace action uploads a device diagnostics log from a Sensor or NTBA Appliance to your Manager server. The diagnostics file includes debug, log, and other information that can be used to determine device or NTBA Appliance malfunctions or other performance issues. Once uploaded to your Manager, this file can be sent to McAfee Technical Support for analysis and troubleshooting advice.

Task
1 Select Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Diagnostics Trace.
The <Device Name> could refer to a Sensor or an NTBA Appliance.
The Diagnostics Trace page is displayed.

Figure 12-4 Diagnostics Trace page

2 Select the Upload? checkbox if it is not already selected.
3 Click Upload.
The status appears in the Upload Diagnostics Status pop-up window.

4 Click Close Window when the message "DOWNLOAD COMPLETE" appears.
The trace file is saved to your Manager server at <Install Dir>\temp\tftpin\<Device Name>\trace\. Once downloaded, the file also appears in the Uploaded Diagnostics Trace Files dialog box under this action.
5 [Optional] Export a diagnostics file to a client machine by selecting the file from the Uploaded Diagnostics Files listed and clicking Export. Save this file to your client machine.
Saving the file is particularly useful if you are logged in remotely, need to perform a diagnostics trace, and send the file to technical support.

Import an NTBA Appliance configuration file

Before you begin
The NTBA Appliance from which the configuration is exported and the one to which the configuration is imported must be identical. They should be of the same model and the same software version.
Both Managers must have the same admin domain hierarchy, or at a minimum, the same admin domain hierarchy starting from the domain wherein the NTBA Appliance resides. For example, if you exported an NTBA Appliance belonging to /My Company/Domain A, and below Domain A there is:
/My Company/Domain A/Domain B
/My Company/Domain A/Domain B/Domain C
then the importing NTBA Appliance must reside in a domain that has the following sub-domains:
Domain B
Domain B/Domain C
McAfee recommends that the NTBA Appliance receiving the import has the same signature set as the exporting NTBA Appliance.
It is recommended that both Managers have the same set of policies if policies have also been exported/imported.

The Import Configuration option enables you to overwrite the current configuration with a saved (exported) NTBA Appliance configuration file. Importing a saved configuration is useful in a test-to-production environment where you configure your settings on a test (non-production) Manager system, then import them to an NTBA Appliance in your live environment.
Importing is also useful in the event an NTBA Appliance fails and you replace the failed NTBA Appliance with a new NTBA Appliance, which requires the same configuration as the previous NTBA Appliance.

Task
1 Select Devices | <Admin Domain Name> | Devices | <Device Name> | Maintenance | Import Configuration.
The <Device Name> could refer to either a Sensor or an NTBA Appliance.
The Import Configuration page is displayed.
2 Click Browse to locate your saved Sensor configuration.
3 Click Apply.

4 Upon completion of the import, reboot the NTBA Appliance.
5 Run an NTBA Appliance report to verify the settings.

Export the Sensor configuration

The Export Configuration feature enables you to save the configuration of a Sensor (including the NTBA Appliance configuration settings of the Sensor) into a single file for later application to the same Sensor or another Sensor of the same model.

The Export Configuration feature helps to avoid duplication of work when it comes to configuring Sensors. For example, if you are deploying multiple Sensors of the same model with similar configuration, you can configure one Sensor and export its configuration to the rest. This feature is also useful if you plan on restoring the configuration back on the same Sensor or its replacement.

You can include the following when you export a Sensor configuration. The choices vary depending on the Sensor model:
Include firewall policy information: Includes firewall policy information.
Include monitoring port information: Includes monitoring port information.
Include exceptions: This option exports the alert-filter-to-attack mappings configured for the Sensor, its interfaces, and sub-interfaces. Note that selecting this option exports only the exceptions association but not the actual exceptions.
Include NTBA configuration: This option exports the NTBA configuration set for M-series and NS-series Sensors.

Task
1 Select Devices | <Admin Domain Name> | Devices | <IPS Sensor> | Maintenance | Export Configuration.
The Export Configuration page is displayed.

Figure 12-5 Configuration Export page

2 Select the configurations that you want to include in the export.
3 Click Export and save the file to a location of your choice.

Export the NTBA Appliance configuration

You can export the NTBA Appliance configuration to any location on the system.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Maintenance | Export Configuration.
The Export Configuration page is displayed.

2 Click Export and save the file.
Although this feature outputs an XML file, this file is NOT intended for reading or editing. Any manipulation of this file besides regular copying from/to different media might result in failure during import.

Database tuning and pruning

Each NTBA Appliance stores its flow information in an embedded database. Database tuning and pruning are essential to ensure optimal performance of the NTBA Appliance. This can be enabled on a weekly basis and is optional. Database pruning is based on capacity planning settings.

Database tuning is a memory-intensive process on big databases. The system might consume a lot of memory during the tuning process. Hence, database tuning and pruning are set to occur at different intervals to ensure that the NTBA Appliance does not run out of memory. Neither database tuning nor pruning results in any downtime for the user.

The procedure for database tuning and pruning from the Devices node is similar.

Tune the database

Each NTBA Appliance has an embedded database. You can tune the database of an individual NTBA Appliance or apply global settings configured at the Devices node.

Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Maintenance | Database Tuning.
The Database Tuning Scheduler page is displayed.

Figure 12-6 Database Tuning page

If you have applied global settings, then the Use Global Settings? checkbox is selected. Deselect the checkbox to tune the database at the NTBA Appliance level.
2 Do the following:
Select the Enable Database Tuning? checkbox to enable database tuning.
Select the day of the week from the drop-down list against Run Every.
3 Select the start time from the hour and minutes drop-down lists against Start Time.
4 Click Save.

Prune the database

You can prune the NTBA Appliance database by setting the disk space capacity planning threshold. Setting disk space thresholds ensures that older flow records are deleted to make space for new records. You can also set the maximum time period for which you want to store data in the NTBA database.

Capacity planning sessions are for 1-minute data, 1-hour data, and 24-Hour data. The 1-minute data refers to data refreshed every one minute in the NTBA monitors displayed in the Threat Analyzer.

Capacity level based pruning configuration is common for the netflow and forensic databases. Whenever one of these databases reaches a configured critical level, only that specific database is pruned as part of the critical or emergency level. Age based pruning for the netflow database is based on the pruning configuration of 1-minute data, 1-hour data, and 24-Hour data. For the context data, the pruning configuration is based on Network Forensics Data.

The 1-hour data and the 24-Hour data refer to data summarized and presented in the following NTBA monitors:
Applications - Active (Last 7 Days)
Applications - New (Last 7 Days)
Applications Traffic (Bytes)
Bandwidth Utilization (%) - Interfaces
Endpoints - Active (Last 7 Days)
Endpoints - New (Last 7 Days)
Endpoints - Threat Factor
Protocol Distribution (Bytes)
Services - Active (Last 7 Days)
Services New (Last 7 Days)
Services Traffic (Bytes)
Throughput Enterprise Traffic (Bytes)
Top External Endpoints By Reputation
Top Files
Top URLs
Top URLs By Category
Top URLs By Reputation
Traffic Volume (Bytes) - Zones
Traffic Volume (Bytes) - Top Source Endpoints

These are the maximum storage days for each storage type (the defaults and ranges are the ones given in the Database Pruning task below):

Storage type             Default value (days)   Valid range (days)
1-Minute Flow Data       10                     1-15
1-Hour Summary Data      20                     1-30
24-Hour Summary Data     30                     1-60
Network Forensics Data   100

The default threshold settings are adequate to ensure proper pruning of the database and to ensure optimum memory usage.
The default threshold settings are therefore recommended. You can change the default settings based on the volume of traffic in your network. You can use the following broad indicators for setting the values for the 1-minute data, which is the crucial segment in relation to database capacity:

Average traffic volume                                          Recommended threshold setting (days)
                                                                T-200 and T-500   T-600 and T
Low (less than or equal to 1000 NetFlow records per minute)
Medium (around NetFlow records per minute)
High ( NetFlow records per minute)

The threshold settings should be based on a clear idea of average traffic volume, and set as soon as possible after the NTBA Appliance is installed. Changing the threshold settings later might involve pruning a large number of NetFlow records. This might tie up system resources. If you are in doubt about your average traffic volume, retain the default values.

Task
1 Select Devices | Device | <NTBA Device> | Maintenance | Database Pruning.
The Database Pruning page is displayed.

Figure 12-7 Database Pruning page

2 In the Total Disk Space section, the used and available disk space for flows is displayed. Click Show Disk Usage to view the latest details.
3 Deselect the Use Global Settings? checkbox to prune the database for this NTBA device. If you have applied global settings, then this checkbox is selected by default. You can configure and apply global settings from Devices | Global | NTBA Device Settings | Device Settings | Setup | Maintenance | Database Pruning.
4 Configure the values in the following fields:
For each fault, you can set the disk capacity threshold in the range of % (for example 55%, 60%, 65%, and so on, in increments of 5). If you do not want to generate any of these alerts, select Disabled from the drop-down list.
Informational Fault: By default, these faults are generated when the disk capacity is 60%.
Warning Fault: By default, these faults are generated when the disk capacity is 70%.
Critical Fault: By default, these faults are generated when the disk capacity is 80%.
1-Minute Flow Data: By default, this is set to 10 days. Valid range is 1-15 days.
1-Hour Summary Data: By default, this is set to 20 days. Valid range is 1-30 days.
McAfee Network Security Platform 8.1 Network Threat Behavior Analysis Administration Guide 281

282 12 Maintenance Data archive options 24-Hour Summary Data By default, this is set to 30 days. Valid range is 1-60 days. Network Forensics Data By default, this is set to 100 days. Valid range is System events are raised when the database capacity reaches the set values. 5 Click Save. Data archive options The Archiving option presents actions that enable you to save alerts and packet logs from the database on demand or by a set schedule. You can also restore archived alerts and packet logs on the client or another Manager. The procedure for archiving data relating to Sensor and NTBA Appliance is similar. The archiving action for the Sensor and the NTBA Appliance is done from the Manage Maintenance Alerts Archiving option of the Manage tab tree. Archive alerts and packet logs The Now action enables you to archive alerts and packet logs on demand into an archival file for future restoration. This process reads alerts and packet logs for the given time range from the database and writes them into a zip file. Archive your alerts and packet logs regularly. We recommend that you archive your alert data monthly, and that you discard alert and packet log information from your database every 90 days to manage your database size. There is a 4 GB size limitation for a single archive file. Archived files are saved locally to the Manager, and can be exported to your client. Task 1 Select Manage Maintenance Alerts Archiving IPS Archive Now (Manage Maintenance Alerts Archiving NTBA Archive Now for the NTBA Appliance). The Archive Now page is displayed. Figure 12-8 Archive Now page 282 McAfee Network Security Platform 8.1 Network Threat Behavior Analysis Administration Guide

2 Choose one of the following time spans in Time Range:

A single day (yyyy/mm/dd)    Select alerts and packet logs for a single day in the format yyyy/mm/dd. Default is the Manager system date.
Within a specific period (yyyy/mm/dd hh:mm:ss)    Select alerts and packet logs between the begin and end dates in the format yyyy/mm/dd hh:mm:ss. Default Begin Date is the detection time of the oldest alert, and default End Date is the Manager system time.
In the past    Selects alerts from a point in the past relative to the current time. This time in the past can be months, weeks, days (default), or hours. Select a time (yyyy/mm/dd hh:mm:ss) when the span of reporting time ends (default is the Manager system time).

3 Click Archive. When the archival process is complete, the file is saved to <Network Security Manager install directory>\alertarchival. The files also appear in the Existing Archives page.

Figure 12-9 Existing Archives page

You can click an archived file listed in the Existing Archives page to view its details in the Archived File Info page.

4 Optionally, select an archived file in the Existing Archives page and click Export to download that file from the Manager to your client. You can import an exported file into another Manager, such as a test Manager.

Schedule automatic archival

The Automation action enables you to set a schedule by which alerts and packet logs are automatically archived. The scheduled archival process archives alerts and packet logs daily, weekly, or monthly depending on the frequency you select.

If you choose Weekly and select a day of the week from the drop-down list, the archival covers the week that began on that day of the previous week. For example, if you choose Weekly and choose Sunday as the day of the week, logs from the previous Sunday through Saturday are archived.

If you choose Monthly, the archive runs on the 1st of every month and the logs for the month are archived.

If you choose Daily, the logs from 00:00:00 of the day two days back are archived. For example, if you set the Scheduler to Daily on 3-Sep, then the logs from 1-Sep are archived.

When scheduling archival, set a time when no other scheduled functions (backups, database tuning) are running. The time should be at least an hour before or after other scheduled actions.
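The pruning fields in step 4 above and the Daily/Weekly/Monthly rules just described are both window arithmetic on timestamps, and it is easy to get the edges wrong when planning retention. The following Python is an added worked example, not McAfee code and not part of this guide: it encodes the documented defaults and valid ranges, the 5% fault-threshold steps (Disabled represented as None), and the archive windows the guide gives by example. Function names are the example's own; two details the guide does not state are assumptions of the example: weekdays use Python's Monday=0 ... Sunday=6 convention, and the Monthly run on the 1st is taken to cover the previous calendar month.

```python
"""Worked example (added here; not McAfee code): retention and archive-window
arithmetic following the rules stated in this chapter. Names and the two
conventions noted in the docstrings are assumptions of this example."""
from datetime import date, datetime, timedelta

# Documented pruning fields: (minimum days, maximum days, default days).
PRUNE_RANGES = {
    "1-minute flow": (1, 15, 10),
    "1-hour summary": (1, 30, 20),
    "24-hour summary": (1, 60, 30),
}
PRUNE_DEFAULTS = {tier: rng[2] for tier, rng in PRUNE_RANGES.items()}


def validate_retention(settings):
    """Reject retention values outside the documented valid ranges."""
    for tier, days in settings.items():
        lo, hi, _ = PRUNE_RANGES[tier]
        if not lo <= days <= hi:
            raise ValueError(f"{tier}: {days} days is outside {lo}-{hi}")
    return True


def prune_cutoffs(now, settings=None):
    """Per tier, the timestamp before which records fall outside retention.
    Unspecified tiers keep the documented defaults."""
    merged = {**PRUNE_DEFAULTS, **(settings or {})}
    validate_retention(merged)
    return {tier: now - timedelta(days=days) for tier, days in merged.items()}


def validate_fault_threshold(pct):
    """Fault thresholds are chosen in 5% steps; None models 'Disabled'."""
    if pct is None:
        return None
    if pct % 5 != 0 or not 0 < pct <= 100:
        raise ValueError(f"{pct}% is not a 5% step between 5 and 100")
    return pct


def disk_fault(used_pct, info=60, warn=70, crit=80):
    """Highest fault level raised for the given disk usage.
    Defaults are the documented 60/70/80; a disabled level is skipped."""
    for name, threshold in (("Critical", crit), ("Warning", warn),
                            ("Informational", info)):
        threshold = validate_fault_threshold(threshold)
        if threshold is not None and used_pct >= threshold:
            return name
    return None


def archive_window(frequency, run_date, weekday=None):
    """First and last day archived by a scheduled run on run_date.
    Daily:   the day two days back (a run on 3-Sep archives 1-Sep).
    Weekly:  the previous <weekday> through the day before it recurs
             (assumption: weekday uses Python's Monday=0 ... Sunday=6).
    Monthly: runs on the 1st; assumed to cover the previous calendar month."""
    if frequency == "Daily":
        day = run_date - timedelta(days=2)
        return day, day
    if frequency == "Weekly":
        if weekday is None:
            raise ValueError("Weekly needs a day of the week")
        back = (run_date.weekday() - weekday) % 7 or 7
        start = run_date - timedelta(days=back)
        return start, start + timedelta(days=6)
    if frequency == "Monthly":
        if run_date.day != 1:
            raise ValueError("Monthly archival runs on the 1st")
        end = run_date - timedelta(days=1)
        return end.replace(day=1), end
    raise ValueError(f"unknown frequency {frequency!r}")


if __name__ == "__main__":
    print(disk_fault(72))                                    # Warning
    print(archive_window("Daily", date(2015, 9, 3)))         # 1-Sep twice
    print(archive_window("Weekly", date(2015, 9, 6), 6))     # 30-Aug .. 5-Sep
    print(prune_cutoffs(datetime(2015, 9, 3, 12))["1-minute flow"])
```

Use prune_cutoffs to confirm that a planned retention change (for example dropping 1-minute data from 15 to 10 days) will prune the volume of records you expect before you save it, since the guide warns that a large late change ties up system resources; use archive_window to check that your scheduled archive and your 90-day discard window do not leave a gap.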

Task

1 Select Manage | Maintenance | Alerts Archiving | NTBA | Automated Archival. The Automated Archival page is displayed.

Figure: Automated Archival page

2 Select Yes against Enable Automatic Downloading to turn on the scheduling process.

3 Select values for the following against Frequency:
Daily
Weekly (select the day of the week)
Monthly
Start Time: Hours:Minutes (24-hour clock)

4 Click Save. Every time the process runs, the finished archive is saved to <Network Security Manager install directory>\alertarchival.

5 Optional: Click Refresh to reset the settings to those last applied. This is helpful when you started to make changes but forgot what the last settings were. Click View Scheduler Detail to see the present settings for all scheduled processes (including backups, database maintenance, and file maintenance actions).

Export an archive

The Export Archives action enables you to export an archive from the Manager to your client, or to a location reachable by your client. You can take the exported archive and import (that is, restore) it into another Manager, such as a test Manager.

Task

1 Select Manage | Maintenance | Alerts Archiving | IPS / NTBA | Export Archives. The Export Archives page is displayed.

Figure: Export Archives page

2 Select an archive to export from the list.

3 Click Export. The File Download window of your client machine is displayed.

4 Click Save to save the file to a location on your client machine.

Delete archives from the Manager

You can delete archives from the Manager.

Task

1 Select Manage | Maintenance | Alerts Archiving | IPS / NTBA | Restore Archives.

2 Scroll down the page to the list of Existing Archives.

Figure: Existing Archives page

3 Select an archive and click Delete.

4 Click OK to confirm the deletion.

Restore an archive

The Restore action enables you to restore an archived alerts and packet logs file to the Manager. When restoring an archive to a target Manager, the archive must be copied to a directory on the target Manager or to a network directory that the Manager can access. The Restore feature also enables you to filter the alerts in the archive.

Task

1 Select Manage | <Admin Domain Name> | Maintenance | Alerts Archiving | IPS/NTBA | Restore Archives. The Restore page, with the Restore Archives option and the Existing Archives list, is displayed.

Figure: Restore page

2 Do one of the following:
a Click Browse to locate the archive, or enter the absolute path of the archived file, and click Restore.
b Select an archive listed under Existing Archives and click Restore.
The Restore Filter page is displayed.

Figure: Restore Filter page

3 Filter alerts by the following parameters:
Severity         Select one or more severities to keep.
Result Status    Select one or more results to keep.
Start Date       Keep only the alerts and packet logs starting from the designated time.
End Date         Keep only the alerts and packet logs up to the designated time.

4 Click Restore. Click Restore All to restore all alerts without any filtering.

The Manager permits only 300,000 alerts to be restored at a time when filtering is applied. If your archive contains more than 300,000 alerts, you need to perform the restoration process multiple times. For example, if your archive still contains 750,000 alerts after the filter parameters have been applied, you will have to restore three times: 1) 300,000, 2) 300,000, 3) 150,000.

Manager Disaster Recovery (MDR) support for NTBA Appliance

Manager Disaster Recovery (MDR) refers to a setup in which a secondary Manager is available in case the primary Manager fails. In the initial setup, the primary Manager is in the active state and the secondary Manager is in the standby state. Whenever the standby Manager detects that the active Manager is down, it takes over the Manager functions seamlessly after the Downtime Before Switchover configured on the Manager Pair page of the primary Manager (Manage | Setup | MDR).

The active Manager manages the devices configured in the Manager, including NTBA Appliances. The standby Manager is connected to the devices but can manage them only when it moves to the active state.

MDR setup and NTBA Appliance

MDR support for the NTBA Appliance works in IPv4 and in dual-stack environments. The communication between the NTBA Appliance and the Manager takes place over IPv4.

The NTBA Appliance is installed on the active Manager. The active Manager communicates the NTBA Appliance installation information to the standby Manager. Once configuration data synchronization takes place between the active and standby Managers, the NTBA Appliance information is held by both Managers.

Signature sets can be pushed to the NTBA Appliance from the active Manager.

NTBA policy configuration export (Policy | Network Threat Behavior Analysis | Advanced | Export NTBA and Worm Policies) and import (Policy | Network Threat Behavior Analysis | Advanced | Import NTBA and Worm Policies) are allowed only from the active Manager.

Alerts and faults are sent to both Managers; however, alert action responses are performed only from the active Manager.

The Manager alert right-click options that are queried from the Threat Analyzer are allowed simultaneously from both Managers. The right-click monitors (accessed from the right-click options) in the NTBA default monitors can be viewed from both the active and standby Managers.

The next generation and traditional reports can be viewed from both the active and standby Managers; however, the scheduled reports can be viewed only from the active Manager.

When the NTBA Appliance is uninstalled from the Manager in an MDR setup, the Manager IP address is reset to the primary Manager IP address.


Chapter 13  NTBA CLI commands


You can use the NTBA command line interface (CLI) commands to configure the NTBA Appliance. Some of the commands are common to both the NTBA Appliance and the Sensor.

Contents

backup resume
backup suspend
clear antimalware cache
commands
deinstall
deletemgrsecintf
deletesignatures
download antimalware updates
exit
factorydefaults
help
host-vlan
installdb
installntba
loadimage
nslookup
passwd
ping
quit
reboot
resetconfig
resetpasswd
scan
service list
service restart
service start
service status
service stop
set antimalware cache
set antimalware encryption
set console timeout
set flow-fw
set endpointintelligence demo
set endpointintelligence alertinterval
set htf delta-period
set htf max-deltas
set manager alertport
set manager installsensorport
set manager ip
set manager secondary ip
set mgmtport auto
set mgmtport speed and duplex
set sensor gateway
set sensor ip
set sensor name
set sensor sharedsecretkey
set store-url-type
set tftpserver ip
setup
show
show aggstats
show anomaly
show antimalware encryption status
show antimalware scandetails
show antimalware status
show backupstats
show cachestats
show dbstats
show disk-usage
show endpointintelligence details
show endpointintelligence summary
show exporters
show fingerprinting stats
show host-vlan
show htf
show intfport
show mem-usage
show mgmtport
show netstat
show nfcstats
show pktrecvstats
show route
show store-url-type
show tsstats
shutdown
status
tcpdump sec
traceupload
unknown-interfaces-flows
watchdog

backup resume

Resumes processing activities related to external storage backup.

Syntax: backup resume

Applicable to: NTBA Appliances only.

backup suspend

Suspends/halts the backup process until resumed.

Syntax: backup suspend

Applicable to: NTBA Appliances only.

clear antimalware cache

Clears the antimalware cache.

Syntax: clear antimalware cache

Sample Output:
    clear antimalware cache
    It will take 5 to 10 seconds to clear the cache

commands

Displays all CLI commands supported for the current user role. This command has no parameters.

Syntax: commands

Applicable to: M-series and NS-series, and NTBA Appliances.

deinstall

Clears the Manager-Sensor trust data (the certificate and the shared key value). Every time you delete a Sensor from the Manager, you must issue this command on the Sensor to clear the established trust relationship before reconfiguring the Sensor. This command has no parameters.

Syntax: deinstall

On executing the command, the following messages are displayed:
    Initiating to deinstall and will remove trust with the configured Manager.
    Closed communication channels with Network Security Manager.
    Stopping all services.
    Removing anomaly profiles.
    Resetting the Endpoint Intelligence Agent related configurations.
    Executable classifications are removed.
    Endpoint Intelligence Agent certificate files are removed.
    Whitelist and blacklist sync information is reset to default.
    ePolicy Orchestrator credentials are removed.
    The Service manager is informed to load the configurations.
    Restarting services. This will take few minutes.
    The Manager trust is removed. Wait for the services to start. After the services are up, establish trust with the Manager.

Applicable to: M-series and NS-series, and NTBA Appliances.

Errors while running deinstall

The following errors might occur while you run this command:
    Error: Database migration is in progress. You can run deinstall only after migration.
    Error: The system can't verify if the IPS Sensor is installed. Reboot the appliance or VM and rerun deinstall.
    NTBA is deinstalled and so you can establish trust with the Manager.
    Error: An exception occurred. Reboot the appliance or VM and rerun deinstall.
    Error: The system can't communicate with the Service manager to load configurations. Reboot the appliance or VM and rerun deinstall.
    Error: The system can't communicate with the Service manager to restart services. Run service restart all.
    Error: An exception occurred while restarting the services. Run service restart all.

deletemgrsecintf

Clears the IP address of a Manager's secondary NIC. This command has no parameters.

Syntax:

    deletemgrsecintf

On executing the command, the following messages are displayed:
    Please enter Y to confirm: y
    Managers secondary intf IPaddr doesn't exist.
    Deleting managers secondary interface had some Warnings/Errors.

Applicable to: M-series and NS-series, and NTBA Appliances.

deletesignatures

Deletes the signatures on the Sensor and reboots the Sensor. When you execute this command, the signatures are deleted and then the Sensor is restarted automatically. Before executing the command, you are prompted to confirm that both tasks should be performed. This command has no parameters.

Syntax: deletesignatures

On executing the command, the following messages are displayed:
    Delete the signatures and reboot the sensor?
    Please enter Y to confirm: y
    deleting the signatures and rebooting the sensor
    signatures deleted
    Broadcast message from root (Fri Mar 28 05:15: ):
    The system is going down for reboot NOW!

Applicable to: M-series and NS-series, and NTBA Appliances.

download antimalware updates

This command is used to download the antimalware updates. Make sure the appliance is connected to the Internet before downloading antimalware software and updates.

Syntax: download antimalware updates

Sample Output:

On executing the command, the following messages are displayed.

If a download is already running:
    download antimalware updates
    Downloading the antimalware updates.
    Antimalware update is in progress.

If no download is running:
    download antimalware updates
    Downloading the antimalware updates.
    Initiated to download the antimalware update download. Run show antimalware status to see the results.

Errors while running download antimalware updates

The following errors might occur while you run this command:
    Error: Detached from shared memory
    Error: An exception occurred while downloading the antimalware updates. In the Manager, check the system events for root cause.

exit

Exits the CLI. This command has no parameters.

Syntax: exit

Applicable to: M-series and NS-series, and NTBA Appliances.

factorydefaults

Wipes all settings, certificates, and signatures from the Sensor, clearing it to blank settings. This command does not appear when you type ? or commands, nor does the auto-complete function apply to this command. You must type the command in full to execute it. This command has no parameters.

Syntax: factorydefaults

You are warned that the operation will clear the Sensor, and you must confirm the action. The warning is given because the Sensor returns to its clean, pre-configured state and loses all current configuration settings.

On executing the command, the following messages are displayed for an NTBA Appliance:
    Are you sure you want to reset NTBA to factory defaults?
    WARNING: All existing configuration and data will be lost.
    Please enter Y to confirm: y
    Step 1 of 3: Removing trust with Network Security Manager
    Network Security Manager trust is removed.
    Step 2 of 3: Resetting the NTBA database to factory defaults. This will take few minutes.
    Stopping all services.
    Formatting NTBA database partitions. This will take several minutes depending on the disk size.
    Creating fresh databases.
    Resetting NTBA configurations.
    The NTBA configuration and signature files are reset to default.
    Step 3 of 3: Rebooting the NTBA appliance. After the reboot, log in to complete the NTBA setup.
    Broadcast message from root (Thu Feb 27 11:57: ):
    The system is going down for reboot NOW!

Applicable to: M-series and NS-series, and NTBA Appliances.

Errors while running factorydefaults

The following errors might occur while you run this command:
    An error occurred while stopping the database events. Restart the appliance or VM and rerun factorydefaults.
    An error occurred while trying to disable database events. Restart the appliance or VM and rerun factorydefaults.
    An error occurred while stopping the database processes. Restart the appliance or VM and rerun factorydefaults.
    An error occurred while disabling the database processes. Restart the appliance or VM and rerun factorydefaults.
    The NTBA database service is still up. Sending a termination signal.
    The NTBA database service is still up. Sending a kill signal.
    The NTBA database service can't be stopped. Restart the appliance or VM and rerun factorydefaults.
    Formatting the NTBA database partitions. This will take several minutes depending on the disk size.

    Dropping NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
    Formatting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
    Creating fresh databases
    Mounting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
    Installing the NTBA database engine failed. Restart the appliance or VM and rerun factorydefaults.
    Installing the NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
    Resetting NTBA configurations
    Verifying software image on the appliance or VM failed. Load the correct NTBA software image and rerun factorydefaults.
    Extracting the tar file failed. Load the correct NTBA software image and rerun factorydefaults.
    Checking consistency of software image on the appliance or VM failed. Load the correct NTBA software image and rerun factorydefaults.
    Retrieving package from the software image failed. Load the correct NTBA software image and rerun factorydefaults.
    NTBA configuration and signature files are reset to default.

help

Provides a description of the interactive help system. This command has no parameters.

Syntax: help

Sample Output:
    intrushell@john> help
    or
    ntbasensor@vntba> help
    If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
    Two styles of help are provided:
    1. Full help is available when you are ready to enter a command argument (e.g. 'set ?') and describes each possible argument.
    2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'set em?'.)

Applicable to: M-series and NS-series, and NTBA Appliances.

host-vlan

Enables or disables host-vlan.

Syntax: host-vlan <enable | disable>

Parameter    Description
enable       enables host vlan
disable      disables host vlan

Applicable to: M-series and NS-series, and NTBA Appliances.

installdb

This command is used to reinstall the NTBA NetFlow database and the configuration database. It backs up your current database configuration and restores it once the database is recreated. If the database is up while you run this command, the trust connection between the Manager and NTBA remains intact. If the database is down while you run this command, the trust connection is removed and you need to re-establish trust between the Manager and NTBA.

Syntax: installdb

On executing the command, the following messages are displayed:

Scenario 1: Database is up
    Are you sure you want to reinstall the NTBA database?
    WARNING: All existing data will be lost.
    Please enter Y to confirm: y
    Starting installdb...
    Step 1/7: Stopping all services
    Step 2/7: Stopping all database processes
    Step 3/7: Backing up configurations
    Step 4/7: Formatting NTBA database partition. This will take several minutes depending on the disk size.
    Step 5/7: Creating fresh databases
    Step 6/7: Restoring configurations
    Step 7/7: Starting services. This will take few minutes.
    NTBA database reinstallation successfully completed.

Scenario 2: Database is down
    Are you sure you want to reinstall the NTBA Database?
    WARNING: All existing data will be lost.
    Please enter Y to confirm: y
    Starting installdb...
    Step 1/7: Stopping all services
    Step 2/7: Stopping all database processes
    Step 3/7: Backing up configurations
    Database is down. Configuration was not backed up.
    Network Security Manager trust is removed.
    Step 4/7: Formatting NTBA database partition. This will take several minutes depending on the disk size.
    Step 5/7: Creating fresh databases
    Step 6/7: Restoring configurations
    Step 7/7: Starting services. This will take few minutes.
    IMPORTANT: Re-establish trust with Network Security Manager after the services are up. Go to the Manager console and update configuration for the NTBA appliance so that the system can function.
    NTBA database reinstallation successfully completed.
    ntbasensor@ntba_vm>

At the prompt, run set sensor sharedsecretkey to establish trust between the Manager and NTBA and receive the latest configuration from the Manager. After installdb has executed successfully, a system reboot and a configuration push from the Manager are not required. If you want to reset the configuration to defaults, run the resetconfig command.

installntba

Installs the NTBA Appliance. You can use this command only by inserting a CD, DVD, or USB drive.

Syntax: installntba

On executing the command, the following messages are displayed:
    Initiating to format system hard disk and install NTBA!
    WARNING: This will delete all existing data.
    Please enter Y to confirm:

If you enter Y, you will see:
    Creating Linux disk partitions for installation...
    Formatting Linux disk partitions...
    Installing boot loader...
    Loading the NTBA image...
    Creating NTBA database disk partitions...
    Creating labels...
    Formatting NTBA database disk partitions...
    NTBA is successfully installed. Remove the CD or USB key and reboot the system.

Errors while running installntba

The following errors might occur while you run this command:
    Installation failed: Hard disk for database is not found. Add a hard disk and rerun installntba.
    Installation failed: Hard disk for NTBA is not found. Add a hard disk and rerun installntba.
    Installation failed: An error occurred while creating Linux disk partitions for NTBA. Check /temp/install_errors.log and rerun installntba.
    Installation failed: An error occurred while formatting Linux disk partitions for NTBA. Check /temp/install_errors.log and rerun installntba.
    Installation failed: An error occurred while installing the boot loader. Check /temp/install_errors.log and rerun installntba.
    Installation failed: An error occurred while loading the NTBA installation image. Check /temp/install_errors.log and rerun installntba.
    Installation failed: An error occurred while creating disk partitions and labels for the NTBA database. Check /temp/install_errors.log and rerun installntba.
    Installation failed: An error occurred while formatting the disk partitions for the NTBA database. Check /temp/install_errors.log and rerun installntba.

If an error occurs during installation and the installation fails, check the install_errors.log file and fix the error. Then rerun installntba to install NTBA.

loadimage

This command is used to install or upgrade the NTBA software on a physical or virtual NTBA Appliance. The image is fetched from the TFTP server configured with set tftpserver ip, and only a signed image is accepted.

Syntax: loadimage <image path>

Sample Output:

    loadimage NTBA/ /ntbasensorImage.T-200VM.opt.unsigned
    Downloading NTBA/ /ntbasensorImage.T-200VM.opt.unsigned from TFTP Server
    Image NTBA/ /ntbasensorImage.T-200VM.opt.unsigned downloaded successfully
    Verifying the NTBA software image:
    NTBA configuration is backed up.
    NTBA configuration policy is not found. So NTBA configuration can't be backed up.
    NTBA software image is found.
    Verifying the NTBA software image security:
    NTBA software image security check passed
    NTBA software package check passed
    Database will be upgraded from 8.0 to 8.1.
    Loading NTBA software image
    The NTBA software image is loaded. Reboot the NTBA appliance.

Errors while running loadimage

The following errors might occur while you run this command:
    Before loading the image, set the TFTP server IP address. Execute set tftpserver ip.
    An error occurred while downloading NTBA/ /ntbasensorImage.T-200VM.opt.unsigned from
    An error occurred while downloading NTBA/ /ntbasensorImage.T-200VM.opt.unsigned from  Check the connectivity.

Verifying NTBA software image:
    Error: Unzipping the NTBA combined image [image + signature file] failed. Load the correct NTBA software image and retry loading the image.
    Error: NTBA combined image [image + signature file] missing files. Load the correct NTBA software image and rerun loadimage.

Verifying NTBA software image security:
    Error: NTBA software image security check failed. Load the correct NTBA software image and rerun loadimage.
    Error: Make sure to load signed image as NTBA accepts only signed image.
    Error: NTBA software package security check failed. Load the correct NTBA software image and rerun factorydefault.
    Error: The NTBA software image loaded is not compatible. Physical appliance image must be loaded into physical appliance and VM image must be loaded into virtual NTBA.

    Error: Downgrading virtual machine software is not permitted. Load supported VM software image.
    Error: Trying to load and found incompatible appliance software image. Load compatible appliance software image. Verify the appliance model and the loaded NTBA software image.
    Error: Virtual machine is configured with $totalmem GB, which is lesser than the required minimum memory of $minmem GB.
    The configured number of ethernet ports is $totalnetworkports, which is not as per the supported configuration of $numport.
    Error: Configured hard disk size for NTBA database is $totaldbdisksizeingb GB, which is lesser than the required minimum database disk space of $dbdisksizeingb GB.
    Error: Configured hard disk size for NBA disk is $totalntbadisksizeingb GB, which is lesser than the required minimum disk space of $ntbadisksizeingb GB.
    Warning: Attempting to downgrade the NTBA appliance database version from $cur_ver to $db_schema. This requires reinstalling the NTBA database.
    Error: Current NTBA version not supported for migration. Consider upgrade to supported version $min_ver.
    Attempting database migration $cur_ver to $db_schema.

Loading NTBA software image:
    Error: An exception occurred while extracting the NTBA software image. Load the correct NTBA software image and rerun loadimage.
    Error: An exception occurred while extracting the boot package. Load the correct NTBA software image and rerun loadimage.
    Error: The system can't find the NTBA software image. Load the correct NTBA software image and rerun loadimage.

nslookup

Displays the nslookup query result for the given host name.

Syntax: nslookup WORD

Where WORD is the host name for which the nslookup query result must be displayed.

Sample Output:
    nslookup google.com
    Server:
    Address 1:
    Name:      google.com
    Address 1: dfw06s32-in-f6.1e100.net

    Address 2: dfw06s32-in-f8.1e100.net
    Address 3: dfw06s32-in-f0.1e100.net
    Address 4: dfw06s32-in-f14.1e100.net
    Address 5: dfw06s32-in-f5.1e100.net
    Address 6: dfw06s32-in-f1.1e100.net
    Address 7: dfw06s32-in-f7.1e100.net
    Address 8: dfw06s32-in-f2.1e100.net
    Address 9: dfw06s32-in-f9.1e100.net
    Address 10: dfw06s32-in-f4.1e100.net
    Address 11: dfw06s32-in-f3.1e100.net
    Address 12: 2607:f8b0:4000:804::1003 dfw06s32-in-x03.1e100.net

passwd

Changes the logon password for the Sensor. It prompts for the old password and then prompts for a new password. A password must contain at least eight characters and can consist of any alphanumeric character or symbol. This command has no parameters.

Syntax: passwd

Sample Output:
    ntbasensor@vntba> passwd
    Please enter old password:xxxxxxxx
    Please enter new password:
    Please Re-enter new password:
    Password successfully changed

Applicable to: M-series and NS-series, and NTBA Appliances.

ping

Pings a network host. You can specify either an IPv4 or an IPv6 address.

Syntax: ping <A.B.C.D> | <A:B:C:D:E:F:G:H>

Parameter            Description
<A.B.C.D>            Denotes the 32-bit IP address written as four eight-bit numbers separated by periods. Each number (A, B, C or D) is an eight-bit number.
<A:B:C:D:E:F:G:H>    Denotes the 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, etc.) is a hexadecimal value between 0000-FFFF.

Sample Output:
For Sensor, the output is as shown:
intrushell@john> ping
host is alive

For an NTBA Appliance, the output is as shown:
ntbasensor@vntba> ping
host is alive

Example: The following command pings a 128-bit address written as eight groups of four hexadecimal digits.
ping 2001:0db8:8a2e:0000:0000:0000:0000:0111

Applicable to: M-series and NS-series, and NTBA Appliances.

quit

Exits the command line interface. This command has no parameters.

Syntax: quit

Applicable to: M-series and NS-series, and NTBA Appliances.

reboot

Reboots the device. You must confirm that you want to reboot the device. If hitless reboot is currently available for the device, you are prompted to enter 'h' for a hitless reboot or 'y' for a full reboot. Use the status command to find out whether the hitless reboot option is currently available for the device.

Syntax: reboot

In a full reboot, all processes of the device are restarted, so the device stops functioning until it comes up again. In a hitless reboot, only the required processes are restarted. For more information on hitless reboot, see the McAfee Network Security Platform IPS Administration Guide.

On executing the command, the following messages are displayed:

For Sensor, the output is as shown:
reboot
Please enter Y to confirm: y
rebooting the Sensor...
Broadcast message from root (Fri Mar 29 05:45: ):
The system is going down for reboot NOW!

For an NTBA Appliance, the output is as shown:
ntbasensor@vntba> reboot
Please enter Y to confirm: y
rebooting the NTBA Appliance...
Broadcast message from root (Fri Mar 28 06:30: ):
The system is going down for reboot NOW!

Applicable to: M-series and NS-series, and NTBA Appliances.

resetconfig

Resets the NTBA configuration to the factory default values. Use this command to clear all user-defined configuration and return to the default values.

Syntax: resetconfig

This command resets the configuration related to host fingerprinting, database pruning, anti-malware settings, proxy settings, and de-duplication. It also removes the anomaly profiles, signature files, and external storage configuration. The command breaks the Manager trust and, after it completes successfully, asks you to re-establish trust with the Manager. The command does not remove the exporter and interface details from the configuration.

On executing the command, the following messages are displayed:
Are you sure you want to reset the NTBA appliance configuration?
WARNING: All existing configuration will be lost and reset to defaults.
Please enter Y to confirm: y

If you enter Y, you will see:
Step 1 of 4: Checking if database migration is in progress
Database migration is not in progress. Continue with resetconfig.
Step 2 of 4: Removing trust with Network Security Manager
Step 3 of 4: Resetting NTBA configurations

Stopping all services
The configuration for the NTBA database is reset to default.
The configuration for NTBA services is reset to default.
Anomaly profile data is removed.
Signature files are removed.
External storage configuration is removed.
Anti-Malware cache and DAT files are removed.
Miscellaneous configuration files are removed.
Executable classifications are removed.
Endpoint Intelligence Agent certificate files are removed.
Whitelist and blacklist sync information is reset to default.
epolicy Orchestrator credentials are removed.
Step 4 of 4: Restarting all services
Configuration for NTBA appliance is reset to defaults.
IMPORTANT: Re-establish trust with Network Security Manager after the services are up. Go to the Manager console and update configuration for the NTBA appliance so that the system can function.

Errors while running resetconfig

The following errors might occur while you reset the NTBA configuration:

Step 1 of 4: Checking if database migration is in progress
Database migration is not in progress. Continue with resetconfig.

Step 2 of 4: Removing trust with Network Security Manager
Network Security Manager trust is not removed. After resetconfig, run deinstall and re-establish the trust.

Step 3 of 4: Resetting NTBA configurations
Stopping all services
An error occurred while stopping the database events. Restart the appliance or VM and rerun resetconfig.
An error occurred while disabling database events. Restart the appliance or VM and rerun resetconfig.
An error occurred while generating disable-database processes script. Restart the appliance or VM and rerun resetconfig.
An error occurred while disabling database processes. Restart the appliance or VM and rerun resetconfig.
The NTBA database is down and so configuration can't be reset to default. Restart all services and once they are up, run resetconfig.

An error occurred while accessing the configuration database. Restart the appliance or VM and rerun resetconfig.
An error occurred while backing up the current configuration. Restart the appliance or VM and rerun resetconfig.
An error occurred while restoring internal configuration. Run deinstall and re-establish trust with Network Security Manager.
An error occurred while removing the configuration backup. This error can be ignored. So resetconfig will continue.
The configuration for the NTBA database is reset to default.
Verifying the software image failed on the appliance or VM. Load the correct NTBA software image and rerun resetconfig.
Extracting from a tar file failed. Load the correct NTBA software image and rerun resetconfig.
Checking consistency of software image failed on the appliance or VM. Load the correct NTBA software image and rerun resetconfig.
Retrieving the package from the software image failed. Load the correct NTBA software image and rerun resetconfig.
The configuration for NTBA services is reset to default.
Anomaly profile data is removed.
Signature files are removed.
External storage configuration is removed.
Anti-Malware cache and DAT files are removed.
Miscellaneous configuration files are removed.
An error occurred while clearing the classification for executables.
Executable classifications are removed.
Endpoint Intelligence Agent certificate files are removed.
Whitelist and blacklist sync information is reset to default.
epolicy Orchestrator credentials are removed.

Step 4 of 4: Restarting all services
An error occurred while sending a signal to the Service manager to use the latest configuration. Run service restart all.
An error occurred while sending a signal to the Service manager to restart services. Run service restart all.
An error occurred while restarting services. Run service restart all.
Configuration for the NTBA appliance is reset to default.

resetpasswd

Changes the log in password for the NTBA Appliance. You can use this command only after inserting the NTBA CD.

Syntax: resetpasswd

On executing the command, the following messages are displayed:
Are you sure you want to reset admin password to default?
Please enter Y to confirm.

If you enter Y, you will see:
Resetting admin password to default...
Reset admin password to default completed, please reboot the NTBA Appliance and remove the NTBA CD.

scan

Scans the given IP address and reports the host name, operating system, running services, device type, and MAC address.

Syntax: scan ip <ip_address>

Sample Output:
ntbasensor@vntba> scan ip
Starting Nmap 6.25 ( ) at :57 UTC
Nmap scan report for
Host is up ( s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.0 (protocol 2.0)
111/tcp  open  rpcbind    2-4 (RPC #100000)
443/tcp  open  ssl/https?
3306/tcp open  mysql      MySQL (unauthorized)
9876/tcp open  sd?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at servicefp-submit.cgi :
SF-Port443-TCP:V=6.25%T=SSL%I=7%D=3/28%Time=53351D6F%P=x86_64-unknown-linu
SF:x-gnu%r(GetRequest,6F,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nConten

SF:t-Length:\x2033\r\nContent-Type:\x20text/plain\r\n\r\nDownload\x20hook\
SF:x20is\x20not\x20implemented\.")%r(FourOhFourRequest,6F,"HTTP/1\.0\x2050
SF:1\x20Not\x20Implemented\r\nContent-Length:\x2033\r\nContent-Type:\x20te
SF:xt/plain\r\n\r\nDownload\x20hook\x20is\x20not\x20implemented\.");
No exact OS matches for host (If you know what OS is running on it, see nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.25%E=4%D=3/28%OT=22%CT=1%CU=35842%PV=Y%DS=0%DC=L%G=Y%TM=53351DF
OS:7%P=x86_64-unknown-linux-gnu)SEQ(SP=CF%GCD=1%ISR=D0%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M400CST11NWA%O2=M400CST11NWA%O3=M400CNNT11NWA%O4=M400CST11NWA%O5=
OS:M400CST11NWA%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6
OS:=8000)ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400C
OS:ST11NWA%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds

service list

Lists all the available services.

Syntax: service list

Sample Output:
ntbasensor@vntba> service list
[Services List]
NetflowProcessor
AntiMalwareService
DeviceProfiler
EpIntelligenceServer

service restart

Restarts all services or the specified service. To get the list of all services, run the service list command. This command takes all or <service_name> as its parameter.

Syntax:
service restart all
service restart <service_name>

Sample Output:
service restart all
Service command execution in progress. Please check status using "service status <service-name>" or status command after some time.

service start

Starts all services or the specified service. To get the list of all services, run the service list command. This command takes all or <service_name> as its parameter.

Syntax:
service start all
service start <service_name>

For example, if the service display name is NetflowProcessor, the command is service start NetflowProcessor.

Sample Output:
service start NetflowProcessor
Service command execution in progress. Please check status using "service status <service-name>" or status command after some time.

service status

Shows the status of all services or of a specific service. To get the list of all services, run the service list command. This command takes all or <service_name> as its parameter.

Syntax:
To get the status of all services, run:
service status
service status all

To get the status of a specific service, run:
service status <service_name>

For example, if the service display name is NetflowProcessor, the command is service status NetflowProcessor.

Sample Output:
For a particular service:
ntbasensor@vntba> service status NetflowProcessor
[Services Status]
NetflowProcessor : Running

For all services:
ntbasensor@vntba> service status all
[Services Status]
NetflowProcessor : Running
AntiMalwareService : Running
DeviceProfiler : Disabled
EpIntelligenceServer : Running

The service status values are:
Running       The service is running properly.
Not Running   The service is not running because of some issue, for example, a service crash.
Stopped       Appears for the corresponding service after a user runs the service stop command.
Disabled      Displayed depending on the Manager configuration set by the administrator. It appears only for the DeviceProfiler service, based on the Manager configuration.

service stop

Stops all services or the specified service. To get the list of all services, run the service list command. This command takes all or <service_name> as its parameter.

Syntax:
service stop all
service stop <service_name>

For example, if the service display name is NetflowProcessor, the command is service stop NetflowProcessor.

Sample Output:
ntbasensor@ntba_210> service stop NetflowProcessor
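The four status values above are what an operator polls for after a restart or reset. The following added example (not McAfee code) parses captured service status all output, applies the rules the guide gives (Running is healthy; Disabled is expected only for DeviceProfiler) and maps each unhealthy service to the CLI command documented for it. The sample output is constructed, modelled on the one shown above.

```python
"""Health check over NTBA 'service status all' output (added example, not McAfee code)."""
import re
from typing import Dict, List, Tuple

# Status words documented under 'service status' in the guide.
KNOWN_STATES = ("Not Running", "Running", "Stopped", "Disabled")

# Disabled is documented as a Manager-driven state for DeviceProfiler only.
MANAGER_DISABLED_OK = {"DeviceProfiler"}

# Matches 'NetflowProcessor : Running'; the prompt echo and the
# '[Services Status]' header do not match and are skipped.
STATUS_LINE = re.compile(
    r"^\s*(?P<name>\w+)\s*:\s*(?P<state>" + "|".join(KNOWN_STATES) + r")\s*$"
)


def parse_service_status(output: str) -> Dict[str, str]:
    """Return {service_name: state} from captured 'service status' output."""
    states: Dict[str, str] = {}
    for line in output.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            states[m.group("name")] = m.group("state")
    return states


def triage(states: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (service, state, suggested CLI command) for each unhealthy service.

    Running is healthy. Disabled is accepted only for DeviceProfiler; on any
    other service it is unexpected and points back at the Manager configuration.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, state in states.items():
        if state == "Running":
            continue
        if state == "Disabled" and name in MANAGER_DISABLED_OK:
            continue
        if state == "Not Running":
            action = f"service restart {name}"  # unplanned stop, e.g. a crash
        elif state == "Stopped":
            action = f"service start {name}"  # stopped by an operator
        else:
            action = "check the Manager configuration"  # Disabled on an unexpected service
        findings.append((name, state, action))
    return findings


# Constructed sample, modelled on the guide's 'service status all' output,
# with one crashed service and one stopped by an operator.
SAMPLE_OUTPUT = """\
ntbasensor@vntba> service status all
[Services Status]
NetflowProcessor : Running
AntiMalwareService : Not Running
DeviceProfiler : Disabled
EpIntelligenceServer : Stopped
"""

if __name__ == "__main__":
    for name, state, action in triage(parse_service_status(SAMPLE_OUTPUT)):
        print(f"{name}: {state} -> {action}")
```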

Service command execution in progress. Please check status using "service status <service-name>" or status command after some time.

set antimalware cache

Enables or disables the antimalware cache.

Syntax: set antimalware cache <enable/disable>

set antimalware encryption

Enables or disables encryption on the antimalware channel.

Syntax: set antimalware encryption <on|off>

Sample Output:
set antimalware encryption on
Strong encryption on the antimalware channel. Restart the antimalware service for changes to take effect.

set antimalware encryption off
Weak encryption on the antimalware channel. Restart the antimalware service for changes to take effect.

Applicable to: NTBA Appliances

set console timeout

Specifies the number of minutes of inactivity that may pass before the console connection times out.

Syntax: set console timeout <0-1440>

Parameter   Description
<0-1440>    An integer between 0 (never) and 1440 (24 hours).

Default Value: 15 (15 minutes)

Example: set console timeout 60

Applicable to:

M-series and NS-series Sensors.

set flow-fw

Forwards a copy of the NetFlow information from the NTBA Appliance to a third-party device.

Syntax: set flow-fw <ip> <A.B.C.D> <port> < >

Parameter    Description
<A.B.C.D>    A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents an eight-bit number.
< >          Port number range

This command is applicable only to NTBA Appliances. It forwards the NetFlow information that the NTBA Appliance receives from third-party network devices such as Cisco routers. NetFlow information that the NTBA Appliance receives from Network Security Sensors is proprietary and is not forwarded when this command is executed.

set endpointintelligence demo

Enables or disables endpoint intelligence in demo mode.

Syntax: set endpointintelligence demo <enable/disable>

Sample Output:

Enable endpoint intelligence demo mode:
set endpointintelligence demo enable
Setting endpoint intelligence in demo mode.
Demo handler is created.
Configuration file for certificates is created.
NTBA private key is created and copied.
Endpoint key is created and self signed.
epolicy Orchestrator certificate is copied.
Endpoint certificate files are created.
Uploading endpoint certificates to tftp server
Uploading eiahostcert.p12... Transfer Successful
Uploading CA certificates to tftp server
Uploading ntbacacert.pem... Transfer Successful
Endpoint intelligence is set in demo mode.

Disable endpoint intelligence demo mode:
set endpointintelligence demo disable
Setting endpoint intelligence in demo mode.
Demo file is removed.
epolicy Orchestrator demo certificates are removed.
Demo certificates are removed.
Private key is removed.
Endpoint certificate is removed.
Demo mode is disabled for endpoint intelligence.

Errors while running set endpointintelligence demo

The following errors might occur while you run this command:
Error: The system failed to remove the demo handler.
Error: The system failed to clean up the epolicy Orchestrator demo certificates.
Error: The system failed to clean up the endpoint intelligence demo certificates.
Error: The system failed to clean up the private key.
Error: The system failed to clean up the endpoint certificate.

Error: The TFTP server IP address is not set. Run set tftp server ip to set the IP address.
Error: The system failed to create the demo handler.
Error: The system failed to create the configuration file required to create the certificates.
Error: The system failed to create the NTBA private key.
Error: The system failed to copy the NTBA private key.
Error: The system failed to create the endpoint key.
Error: The system failed to self sign the endpoint private key.
Error: The system failed to copy the epolicy Orchestrator certificate.
Error: The system failed to create the endpoint certificate files.
The certificate files upload process failed or timed out. Make sure that you have a file $SRCFILENAME with correct permissions. If the full path name doesn't work, try path name relative to /tftpboot. Timeouts may occur when the network is congested.
Error: The system failed to upload the endpoint certificate file.
The certificate files upload process failed or timed out. Make sure that you have a file $SRCFILENAME with correct permissions. If the full path name doesn't work, try path name relative to /tftpboot. Timeouts may occur when the network is congested.
Error: The system failed to upload the endpoint certificate file.
Error: The system failed to upload the CA certificate file.

set endpointintelligence alertinterval

Configures the time interval after which an alert for the same executable is raised again. By default, it is 7 days.

Syntax: set endpointintelligence alertinterval <0-30>

Set the interval to zero if you want to disable alert throttling.

Sample Output:
Setting the endpoint intelligence alert interval
Alert throttle interval is set to

If you wish to disable alert throttling, set the interval to 0.

If EIS is enabled and you disable alert throttling:
set endpointintelligence alertinterval 0
Alert throttle interval was set to 0. Continue with the cleanup.
Stopping endpoint intelligence services
Resetting the alert throttle for all executables
Removing alert throttling files
Restarting endpoint intelligence services. This will take few minutes.

If EIS is disabled and you disable alert throttling:
ntbasensor@vntba> set endpointintelligence alertinterval 0
Setting endpoint intelligence alert interval.
Alert throttle interval set to 0.

Errors while running set endpointintelligence alertinterval

The following errors might occur while you run this command:
Error: The system can't find alert statistics. From the Manager console, go to Setup, Enable Integration, enable EIA integration and configure the settings.
Error: An exception occurred while resetting the alert throttle for executables. Try to set the alert interval.
Error: The system can't communicate with the Service manager. Restart the endpoint intelligence services.
Error: An exception occurred while restarting endpoint intelligence services. Run the endpoint intelligence services.
Error: An exception occurred while setting the alert throttle interval. Set the alert throttle interval again.

set htf delta-period

Specifies the duration (in minutes) of the htf delta period.

Syntax: set htf delta-period WORD

Parameter   Description
WORD        Minutes, between 0 and 1440.

Example: set htf delta-period 180

Run the show htf CLI command to check that the change has taken effect.

set htf max-deltas

Specifies the maximum number of htf delta periods.

Syntax: set htf max-deltas <1-100>

Parameter   Description
<1-100>     An integer between 1 and 100.

Example: set htf max-deltas 100

set manager alertport

Specifies the port on which the Manager listens for Sensor alerts. You can assign any unassigned port for this communication. If the Sensor and the Manager are separated by a firewall, make sure that the specified port is open on the firewall. If your Sensor is already installed, deinstall the Sensor before changing this parameter.

Syntax: set manager alertport < >

Parameter   Description
< >         The port number, an integer value.

On executing the command, the following messages are displayed:
When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
When the Sensor is deinstalled:
Missing manager alert port, default 8502 used

Default Value: Default port number is

Applicable to: M-series and NS-series, and NTBA Appliances.

set manager installsensorport

Specifies the port that the Manager uses to exchange configuration information with the Sensor when using 2048-bit encryption. You can assign any unassigned port for this communication.

Syntax: set manager installsensorport < >

Parameter   Description
< >         The port number, an integer value.

On executing the command, the following messages are displayed:
When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
When the Sensor is deinstalled:
Missing manager Install Sensor Port, default 8501 used

Default Value: Default port number is

Applicable to: M-series and NS-series, and NTBA Appliances.

set manager ip

Specifies the IPv4 or IPv6 address of the Manager server's primary interface.

Syntax: set manager ip <A.B.C.D|A:B:C:D:E:F:G:H>

Parameter            Description
<A.B.C.D>            A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents an eight-bit number.
<A:B:C:D:E:F:G:H>    A 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, etc.) is a hexadecimal value between 0000-FFFF.

Example:
set manager ip
Or
set manager ip 2001:0db8:8a2e:0000:0000:0000:0000:0111

If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::).

Applicable to: M-series and NS-series, and NTBA Appliances.

set manager secondary ip

Specifies an IPv4 or IPv6 address for the Manager server's secondary interface.

Syntax: set manager secondary ip <A.B.C.D|A:B:C:D:E:F:G:H>

Parameter            Description
<A.B.C.D>            A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents an eight-bit number.
<A:B:C:D:E:F:G:H>    A 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, etc.) is a hexadecimal value between 0000-FFFF.

Example:
set manager secondary ip
Or
set manager secondary ip 2001:0db8:8a2e:0000:0000:0000:0000:0111

If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::).

Applicable to: M-series and NS-series, and NTBA Appliances.

set mgmtport auto

Configures the Management port to auto-negotiate the connection between the Sensor and the network device. This command has no parameters.

Syntax: set mgmtport auto

Default Value: By default, the Management port is set to auto (auto-negotiate).

Applicable to: M-series and NS-series, and NTBA Appliances.

set mgmtport speed and duplex

Configures the management port to match the speed of the network device connecting to the Sensor and to run in full- or half-duplex mode.

Syntax: set mgmtport <speed <10|100> | duplex <full|half>>

Parameter    Description
<10|100>     Sets the speed of the ethernet management port. The speed value can be either 10 or 100 Mbps. To set the speed to 1000 Mbps, use the set mgmtport auto command.
<half|full>  Sets the duplex mode of the ethernet management port. Use half for half duplex and full for full duplex.

Default Value: By default, the management port is set to auto (auto-negotiate).

Applicable to: M-series and NS-series, and NTBA Appliances.

set sensor gateway

Specifies the IPv4 address of the gateway for the Manager server.

Syntax: set sensor gateway <A.B.C.D>

Parameter    Description
<A.B.C.D>    A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents an eight-bit number.

Sample Output:
For Sensor, the output is as shown:
intrushell@john> set sensor gateway
sensor gateway =

For an NTBA Appliance, the output is as shown:
ntbasensor@vntba> set sensor gateway
sensor gateway =

Example: set sensor gateway

Applicable to: M-series and NS-series, and NTBA Appliances.

set sensor ip

Specifies the Sensor's IPv4 address and subnet mask. Changing the Sensor IP requires a Sensor reboot for the change to take effect. See the reboot command for instructions on how to reboot the Sensor.

Syntax: set sensor ip <A.B.C.D E.F.G.H>

Parameter            Description
<A.B.C.D E.F.G.H>    An IPv4 address followed by a netmask. The netmask strips the host ID from the IP address, leaving only the network ID. Each netmask consists of binary ones (decimal 255) to mask the network ID and binary zeroes (decimal 0) to retain the host ID of the IP address (for example, the default netmask setting for a Class C address is ).

Sample Output:

For Sensor, the output is as shown:
set sensor ip
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = , sensor subnet mask =

For an NTBA Appliance, the output is as shown:
ntbasensor@ntba_210> set sensor ip
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = , sensor subnet mask =

Example: set sensor ip

Applicable to: M-series and NS-series, and NTBA Appliances.

set sensor name

Sets the name of the Sensor. This name identifies the Sensor to the Manager and identifies the Sensor to the administrator in the Manager interface. The name you set here in the CLI must match the name you use in the Manager interface, or the Manager and Sensor will be unable to communicate.

Syntax: set sensor name <WORD>

Parameter   Description
<WORD>      A case-sensitive character string of up to 25 characters. The string can include hyphens, underscores, and periods, and must begin with a letter.

Sample Output:
On executing the command, the following messages are displayed:
When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
When the Sensor is deinstalled:
intrushell@john> set sensor name admin
sensor name = admin
ntbasensor@ntba_210>set sensor name vntba
sensor name = vntba

Example: set sensor name SanJose_Sensor1

Applicable to: M-series and NS-series, and NTBA Appliances.

set sensor sharedsecretkey

Specifies the shared secret key value that the Manager and Sensor use to establish a trust relationship. Type the command as shown in the Syntax below. The Sensor prompts you for a secret key value; the value you enter is not shown. You are then prompted to type the value a second time to verify that the two entries match.

The sharedsecretkey value you use here in the CLI to identify the Sensor must match the one you use in the Manager interface, or the Manager and Sensor will be unable to communicate. If you want to change the value, you must change it in the CLI as well as in the Manager interface.

Syntax: set sensor sharedsecretkey

At the Sensor's prompt for a secret key value, enter a case-sensitive character string between 8 and 25 characters of any ASCII text.

Sample Output:
On executing the command, the following messages are displayed:
When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
When the Sensor is deinstalled:
intrushell@john> set sensor sharedsecretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI

ntbasensor@vntba> set sensor sharedsecretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI

Applicable to: M-series and NS-series, and NTBA Appliances.

set store-url-type

Sets how much of the URL is captured: the domain name only, or the full URL.

Example:
For domain:
For full-url:

Syntax: set store-url-type <domain-name|full-url>

Parameter     Description
domain-name   Capture only the domain name information from the URL.
full-url      Capture the full path information from the URL.

When the NTBA Appliance is configured to store the full URL (set store-url-type full-url), performance might drop by percent.

set tftpserver ip

Specifies the IPv4 or IPv6 address of your TFTP server.

Syntax: set tftpserver ip <A.B.C.D|A:B:C:D:E:F:G:H>

Parameter            Description
<A.B.C.D>            A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents an eight-bit number.
<A:B:C:D:E:F:G:H>    A 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, etc.) is a hexadecimal value between 0000-FFFF.

Sample Output:
For Sensor, the output is as shown:
intrushell@john> set tftpserver ip
TFTP Server IP =

For an NTBA Appliance, the output is as shown:
ntbasensor@vntba> set tftpserver ip
TFTP Server IP =

Example:
set tftpserver ip
Or
set tftpserver ip 2001:0db8:8a2e:0000:0000:0000:0000:0111

If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::).

Applicable to: M-series and NS-series, and NTBA Appliances.

setup

Sets up the Sensor parameters. You must run this command when you first set up your Sensor, or after resetting the Sensor with the factory defaults command. This command has no parameters.

Syntax:

setup

When you enter this command, you are prompted to enter the following:
Current password
New password
Sensor name
IP Type (IPV4=1 or IPV6=2 or BOTH=3)
   The IP Type prompt applies only to IPS. It is not applicable to NTBA.
Sensor IP (IPv4 or IPv6 address or BOTH)
Sensor subnet mask (IP address)
Manager primary IP (IPv4 or IPv6 address or BOTH)
Manager secondary IP (IPv4 or IPv6 address or BOTH)
Sensor default gateway (IPv4 or IPv6 address or BOTH)
Management port configuration choice (a/m)
Shared secret key

If you press Enter at a prompt, the current setting is kept as the default.

Sample Output:
setup
**Press ESC key or CTRL-C at any prompt to abort the setup**
Please enter the current password before starting setup:
Please enter the new password [current password]:
Please confirm the new password:
Password successfully changed
Please enter the sensor name [NTBA_210]:
Please enter the sensor IP(A.B.C.D) [ ]:
Please enter the sensor subnet mask(a.b.c.d) [ ]:
Please enter the manager primary IPv4 address(a.b.c.d) [ ]:
**You can set the Manager secondary IP in case the manager has two interfaces**
Press Y to configure manager secondary IP address [N]: n
Please enter the sensor default gateway(a.b.c.d) [ ]:
Please enter management port configuration choice(a/m) [Auto]: a
Sensor configuration is almost complete. The final step is to establish a secure management channel (trust) between the sensor and its Manager. This is accomplished by a secret key that is shared by the Manager and this sensor.

    Please ensure that a shared secret key has already been defined on the Manager for this sensor...
    Press Y to set shared secret key now or N to exit [Y]: y
    Please enter shared secret key:
    Please re-enter the shared secret key:
    This will take a couple of seconds, please check status on CLI

show

Shows all the current configuration settings on the Sensor. This command has no parameters.

Syntax: show

Information displayed by the show command includes:

[Sensor Info]
- Date
- Software Version
- System Uptime
- MGMT Ethernet Port
- System Type

[Sensor Network Config]
- IP Address
- Netmask
- Default Gateway
- Default TFTP server

[Manager Config]
- Manager IP addr
- Install TCP Port
- Alert TCP Port

[Peer Manager Config]
- Manager IP addr
- Install TCP Port
- Alert TCP Port

Sample Output:

For a Sensor, the output is as shown:

    show
    [Sensor Info]
    System Name : M2850-Doc
    Date : 1/28/2014-9:47:10 UTC
    System Uptime : 14 days 36 min 15 secs
    System Type : M-2850
    Serial Number : S
    Software Version :
    Hardware Version : 1.00
    MGMT Ethernet port : auto negotiated
    MGMT port Link Status : link up
    [Sensor Network Config]
    IP Address :
    Netmask :
    Default Gateway :
    Default TFTPserver :
    SSH Remote Logins : enabled
    [Manager Config]
    Manager IP addr : (primary intf)
    Install TCP Port : 8501
    Alert TCP Port : 8502
    Logging TCP Port : 8503
    [McAfee NAC Config]
    McAfee NAC Server IP Address :
    Console-to-Application Server Communication Port : 8443
    Client-to-Server Authenticated Communication Port : 8444
    McAfee NAC Server-to-Sensor Communication Port : 8445
    Sensor-to-NAC Client Communication Port : 8444

For an NTBA Appliance, the output is as shown:

    ntbasensor@vntba> show
    [Sensor Info]

    System Name : vntba
    Date : Fri Mar 28 08:55:
    System Uptime : 02 hrs 24 min 54 secs
    System Type : T-200VM
    Serial Number : T
    Software Version :
    MGMT Ethernet port : speed = 10 mbps, full duplex, link up
    [Sensor Network Config]
    IP Address :
    Netmask :
    Default Gateway :
    Default TFTP server :
    [Manager Config]
    Manager IP addr : (primary intf)
    Install TCP Port : 8501
    Alert TCP Port : 8502

Applicable to: M-series and NS-series, and NTBA Appliances.

show aggstats

Displays aggregator statistics.

Syntax: show aggstats

Sample Output:

    ntbasensor@vntba> show aggstats
    [Aggregation module stats]
    aggregator - mode : 1
    aggregator - running flag : 1
    aggregator - stop flag : 0
    aggregator - thread stage : 11
    aggregator - number of peers : 2
    aggregator - peer component nodes :

    aggregator - thread start timestamp : Mon Sep 30 14:54:
    aggregator - latest packet processing timestamp : Tue Oct 1 10:27:
    aggregation self - running flag : 1
    aggregation self - stop flag : 0
    aggregation self - thread stage : 15
    aggregation self - thread start timestamp : Mon Sep 30 14:54:
    aggregation self - latest run timestamp : Tue Oct 1 10:27:
    aggregation committer - running flag : 1
    aggregation committer - stop flag : 0
    aggregation committer - thread stage : 2
    aggregation committer - thread start timestamp : Mon Sep 30 14:54:
    aggregation committer - latest run timestamp : Tue Oct 1 10:27:
    component - mode : 0
    component - running flag : 0
    component - stop flag : 0
    component - thread stage : 51
    component - aggregator ip :
    component - thread start timestamp : Not applicable
    component - latest packet processing timestamp : Not applicable
    Num of Sensor_Traffic monitor data processed : 2786
    Num of Top_HTF monitor data processed : 3245
    Num of Top_Src_Host monitor data processed : 3246
    Num of Top_Dst_Host monitor data processed : 0
    Num of Top_Hosts monitor data processed : 0
    Num of Top_Ext_Hosts monitor data processed : 3246
    Num of Zones monitor data processed : 3246
    Num of Top_Services monitor data processed : 3246
    Num of Top_Applications monitor data processed : 3173
    Num of New_Hosts monitor data processed : 3251
    Num of New_Services monitor data processed : 3251
    Num of New_Apps monitor data processed : 3251

    Num of Top_Files monitor data processed : 0
    Num of Top_URLs monitor data processed : 2093
    Num of Interface_Summary monitor data processed : 3251

show anomaly

Displays statistics of the host-level and zone-level anomaly profiles created.

Syntax: show anomaly

Sample Output:

    ntbasensor@vntba> show anomaly
    [anomaly info]
    [zone anomaly status:]
    [0] Zone id: 112, mode: DETECTION
    [1] Zone id: 113, mode: DETECTION
    [2] Zone id: 109, mode: DETECTION
    [Host anomaly status:]
    Number of Host Profiles maintained: 869
    Number of hosts in DETECTION mode: 486

show antimalware encryption status

Displays the encryption status on the antimalware channel.

Syntax: show antimalware encryption status

Sample Output:

    ntbasensor@vntba> show antimalware encryption status
    Strong encryption on the antimalware channel.

    ntbasensor@vntba> show antimalware encryption status
    Weak encryption on the antimalware channel.

Applicable to: NTBA Appliances

show antimalware scandetails

Displays the antimalware scanning details for IPS Sensors.

Syntax: show antimalware scandetails

Sample Output:

    show antimalware scandetails
    [Antimalware Scanning details for IPS Sensors]
    IPS Sensor [1]
    IPS Sensor IP :
    TotalPktsReceived : 652
    TotalPktsSent : 652
    LastPktRecvdTime : Thu Sep 12 13:22:
    LastPktSentTime : Thu Sep 12 13:22:
    Successful scan counts : 0
    Session Handle Null counts : 0
    Internal Error Counts : 0
    Unknown command received from IPS : 0
    File String NULL : 0
    File Data NULL : 0
    Unknown File : 0
    Out of Order Packets : 0
    Scan Failed : 0
    Md5 Mismatch : 0
    Max Load on Workers : 0
    Memory allocation Failure : 0
    File Transfer Timeout : 0
    New File Count : 0
    Shared Memory Allocation Failed Count : 0
    Scan Response Sent : 0
    Scan Request Received : 0
    Scan Requests Timedout : 0
    LastKeepAliveRecvdTime : Thu Sep 12 13:22:
    LastKeepAliveSentTime : Thu Sep 12 13:22:
    KeepAliveReceivedCount : 651
    KeepAliveSentCount : 651

    Md5 of Last File Downloaded From IPS : 86aa4dd53cfeefb17a722485b98b20af

show antimalware status

Displays the anti-malware engine status (initialized or uninitialized), the engine DAT version, the antivirus DAT version, the time, status, and status details of the last anti-malware update, and the scan summary (total scan requests received, successful scans, and failures). It also displays the cache statistics for scanned files: the number of entries in the cache, the hit count (how many times the same file was sent to the NTBA Appliance), the last access time, and the last update time.

Syntax: show antimalware status

Sample Output:

    ntbasensor@vntba> show antimalware status
    [AntiMalware Engine Status]
    Current Engine Status : Anti-Malware Engine Initialized
    Gateway Antimalware Engine Version :
    Gateway Antimalware Dat Version :
    Antivirus Dat Version : 7195
    Antivirus Engine Version : 5600
    [AntiMalware Update Status]
    Last Update Time : Thu Sep 12 12:11:
    Last Update Status : Download Updates Completed
    Last Update Status Details : Success
    [AntiMalware Scan Summary]
    Total Scan Requests : 0
    Total Successful scans : 0
    Total Scan Failures : 0
    [AntiMalware Cache Stats]
    Number of Entries in Cache : 0
    Hit Count : 0
    Last Access Time :
    Last Update Time :
    Cache Look up : Enabled

The Current Engine Status might display any of the following statuses, depending on the action performed:

Action                                                             Status Description
Engine will be initialized whenever IPS service is coming up.      Anti-Malware Engine Initializing
If engine fails to initialize                                      NTBA failed to initialize Anti-Malware Engine because Anti-Malware signatures are not available. Please try "download antimalware updates" command.
When successfully initialized                                      Anti-Malware Engine Initialized
NTBA failed to initialize the downloaded anti-malware signatures   NTBA failed to initialize the downloaded Anti-Malware signatures

The following table lists the statuses that Last Update Status can display and the corresponding Last Update Status Details, depending on the action:

Last Update Status                         Last Update Status Details
Download Updates Failed                    Update Request Not Valid; Protocol Version Not Supported; No Node Groups Found; Request Blocked by Export Compliance; Internal Server Error
Download Updates In Progress               Sending Update Request; Parsing Response; Downloading Dat and Engine Files; Validating Downloaded Engine
Download Updates Failed                    Sending Update Request Failed; Get Url List Failed; Failed to Download Dat and engine Files; Could not get Version; Internal Error; Validating Downloaded Engine Failed
Download Updates Success                   Nothing To Update
Download Updates Completed                 Success
Update Dats In Progress                    Applying Dats and Engine
Update Dats Completed                      Success
Update Dats Failed                         Internal Error; Failed to set Configuration Variables; Failed to set Dat/Engine Version
Setting Configuration Variables            Setting Configuration Variables
Setting Dat/Engine Version                 Setting Dat/Engine Version
Copying Downloaded Files to Slot           Copying Downloaded Files to Slot
Copying Downloaded Files to Slot Failed    Copying Downloaded Files to Slot Failed
Removing Old Dats from the slot            Removing Old Dats the slot
Removing Old Dats from the slot Failed     Removing Old Dats from the slot Failed
Getting current slot                       Getting current slot
Getting current slot Failed                Getting current slot Failed

Last Update Status                         Last Update Status Details
Setting Last Update Time                   Setting Last Update Time
Setting Update Version                     Setting Update Version
Setting Update Version Failed              Setting Update Version Failed

show backupstats

Displays the backup processing status, success and error counters, and a summary of the current backup configuration.

Syntax: show backupstats

Sample Output:

    show backupstats
    [BackUp Stats]
    Start Time : Fri May 25 10:44:
    Available External Storage : 99 %
    Backup Status : OK
    Files Consolidated : 1
    Files Zipped : 1
    Files BackedUp : 1
    ConvFiles Dropped : 0
    Last Zip Time : Sat May 26 10:16:
    Last Remote Copy Time : Sat May 26 10:17:
    [BackUp Config]
    Server :
    Share Path :NTBA-Backup
    Protocol :CIFS
    Storage Interval:1 Hrs
    Storage Limit :99 %
    Include L7 data :1

show cachestats

Displays cache statistics for the NetFlow processor.

Syntax: show cachestats

Sample Output:

    show cachestats
    [Cache Stats Info for NetflowProcessor]
    Cache Name : nf_conversation_cache
    Node Size : 920
    Max Nodes :
    Current Allocs : 2074
    Total Allocs :
    Total Frees :
    Failed Allocs : 0
    Max Allocs : 2854

    Cache Name : netflow_data_cache
    Node Size : 1856
    Max Nodes :
    Current Allocs :
    Total Allocs :
    Total Frees :
    Failed Allocs : 0
    Max Allocs :

    Cache Name : netflow_src_cache
    Node Size : 80
    Max Nodes :
    Current Allocs : 2972
    Total Allocs :
    Total Frees :
    Failed Allocs : 0
    Max Allocs : 3901

    Cache Name : netflow_pkt_cache
    Node Size : 1552
    Max Nodes :
    Current Allocs : 0
    Total Allocs :
    Total Frees :

    Failed Allocs : 0
    Max Allocs : 240

    Cache Name : db_update_cache
    Node Size :
    Max Nodes : 65
    Current Allocs : 1
    Total Allocs :
    Total Frees :
    Failed Allocs : 0
    Max Allocs : 6

    Cache Name : traffic_summary_cache
    Node Size : 160
    Max Nodes :
    Current Allocs : 1948
    Total Allocs :
    Total Frees :
    Failed Allocs : 0
    Max Allocs :

    [Cache Stats Info for EIS]
    Cache Name : nia_sock_cache
    Node Size : 112
    Max Nodes :
    Current Allocs : 31
    Total Allocs :
    Total Frees :
    Failed Allocs : 0
    Max Allocs : 35

    Cache Name : nia_pkt_cache
    Node Size : 3016
    Max Nodes :
    Current Allocs :
    Total Allocs :
    Total Frees :

    Failed Allocs : 0
    Max Allocs :

    Cache Name : nia_metadata_cache
    Node Size : 5720
    Max Nodes :
    Current Allocs : 3262
    Total Allocs :
    Total Frees :
    Failed Allocs : 0
    Max Allocs : 3263

    Cache Name : wb_entry
    Node Size : 20
    Max Nodes :
    Current Allocs : 0
    Total Allocs : 0
    Total Frees : 0
    Failed Allocs : 0
    Max Allocs : 0

show dbstats

Displays statistics of the database, such as its status, disk size, total records, and so on.

Syntax: show dbstats

Sample Output:

    ntbasensor@vntba> show dbstats
    [Database Info]
    Database Status : UP
    Database Uptime : 7 days 19 hrs 37 min 25 secs
    Total Records Inserted into DB : 0
    Average Records Per Second : 0
    Average Data Log Files Per Second : 0
    Total Number of Queries executed : 0

    Database growth rate : 0 %
    Database size : 995 MB
    Current DB Schema version : 8.0
    Database Disk Size : MB

show disk-usage

Displays disk usage per partition for all disk drives. This is equivalent to the df -h command in Linux.

Syntax: show disk-usage

Sample Output:

show endpointintelligence details

Displays the number of executables processed since reboot, a network connection summary, blacklist and whitelist update details, EIA alert details, and packet processing statistics.

Syntax: show endpointintelligence details

Sample Output:

    show endpointintelligence details
    [Endpoint executables since reboot]
    Total executables : 52
    Total high and very high malware confidence executables : Programs: 0 DLLs: 0
    Total medium malware confidence executables : Programs: 0 DLLs: 0
    Total auto-classified white executables : 40
    Total auto-classified black executables : 0
    Total unclassified executables : 15
    [Network connections summary]
    Total connections by all endpoints :
    Total connections by blacklisted executables : 0
    Total connections by unclassified executables :
    Total connections by whitelisted executables :
    Total connections by high & very high malware confidence executables: 0
    Total connections by medium malware confidence executables : 0
    Total connections by low & very low malware confidence executables :
    Total connections by unknown malware confidence executables : 1035
    Total connections by trusted executables :
    Total connections by GTI whitelisted executables : 3319
    Total connections by GTI blacklisted executables : 0
    [Whitelist and Blacklist]
    Last Whitelist and Blacklist update time : :56:02
    Total user blacklisted executables : 59
    Total user whitelisted executables : 20
    [Endpoint Intelligence alerts]
    Alert throttling interval (in days) : 7
    Total alerts : 0

    Very High confidence malware alerts : 0
    High confidence malware alerts : 0
    Medium confidence malware alerts : 0
    Blacklisted executable alerts : 0
    Unclassified executable alerts : 0
    Whitelisted executable alerts : 0
    Throttled Alerts : 0
    Alerts dropped due to high-load : 0
    [Packet processing stats]
    Total packets received :
    Total packets sent : 790
    Total metadata flows :
    Total GTI file reputation requests : 6
    Total GTI file reputation responses : 0
    Total Sysinfo packets received : 789
    Total keepalives received : 790
    Total keepalives sent : 790
    Total malformed packets : 0
    Total unsupported packets : 0
    Total packet send failures due to session not available : 0
    Total connections : 46
    Total active connections : 22
    Total connection timeouts : 1
    Total sessions : 23
    Total session failures : 0
    Total session failures due to certificate mismatch : 0
    Total session failures due to timeouts : 0
    [Incoming packets]
    Packets per second in last 10 minutes : 0
    Packets in last 0-1 minute : 1
    Packets in last 1-2 minute : 1
    Packets in last 2-3 minute : 1
    Packets in last 3-4 minute :

    Packets in last 4-5 minute : 1
    Packets in last 5-6 minute : 1
    Packets in last 6-7 minute : 1
    Packets in last 7-8 minute : 1
    Packets in last 8-9 minute : 1
    Packets in last 9-10 minute : 1

show endpointintelligence summary

Displays summarized data for active endpoint connections, the connectivity status of ePO, and the certificate status.

Syntax: show endpointintelligence summary

Sample Output:

    ntbasensor@vntba> show endpointintelligence summary
    [Endpoint Configuration and Status]
    Endpoint Intelligence Service : Running
    epo Server IP :
    Last epo connection attempt : :17:59
    Last epo connection status : Success
    epo certificate : Downloaded at :17:59
    Alert throttling : Enabled
    GTI file reputation server : Not reachable
    [Endpoint connections]
    Total active endpoint connections : 22
    Total packets received :
    Total packets sent : 778
    Last packet received time : :49:05
    Last packet sent time : :06:23
    Last endpoint connected :

Field                           Values
Endpoint Intelligence Service   Running, Not Running, Stopped, or Disabled
Last epo connection status      Success or Failed
Alert throttling                Enabled or Disabled
GTI file reputation server      Reachable or Not reachable
epo certificate                 If the ePO certificate is available, it is displayed as Downloaded along with the time it was downloaded. If the ePO certificate is not available, it is displayed as Failed along with the reason for failure within parentheses.

show exporters

This command displays exporter details such as IP address, type, and packet counts.

Syntax: show exporters

Sample Output:

    show exporters
    [Exporter name] [Exporter type] [Exporter IP] [Packets received] [Packets received] [Last packet received time] [Flow data records]
    Exporter_17_66_16_44 IPS :52:
    [Template records]

show fingerprinting stats

Shows statistics related to active device profiling. The statistics are collected or reset when the Device Profiler service is started or stopped.

Syntax: show fingerprinting stats

The fingerprinting statistics include:

- Fingerprinting Service Enabled: Describes whether the user has enabled or disabled the service. Values are "Yes" or "No".
- Service Start Time: Indicates when the service should be started.
- Schedule Type: Indicates whether the schedule is configured by the user or by NTBA.
- Next Scan Schedule: Shows the next scheduled scan time.

- Total Results Sent to Manager: The number of device profile results sent to the Manager through the alert channel.
- Total Current Running Scan Count: The number of scans currently in progress.
- Total number of Hosts Scanned: The number of hosts scanned whose results are stored in the database.
- Total Scan Failures: The number of scan failures.
- Total Passive Info Host Count Received From Manager: The number of hosts the Manager sent as the preferred list of IP addresses to be scanned.
- Total Number of Hosts Excluded From Scan: The total number of hosts excluded from scanning.
- Total Internal Host: The total number of hosts to be considered for scanning.
- Total Active FP Host: The total number of hosts for which active scan results are available in the database.
- Total Host with no FP: The total number of hosts for which active scan results are not available in the database.

[Last Scan Run Details]

- Last Scan Time: Indicates the last scan time.
- Total Number of Hosts Scanned: The total number of hosts scanned.
- Total Number of Hosts UP: The total number of hosts that are up.
- Total Number of Hosts DOWN: The total number of hosts that are down.
- Total Results sent to Manager: The total number of results sent to the Manager.
Sample Output:

    show fingerprinting stats
    [Host FingerPrinting Stats]
    [ Note: All Stats Will be Reset Once Host FingerPrinting Service Restarts ]
    FingerPrinting Service Enabled : NO
    Service Start Time : :57 UTC
    Schedule Type : 0
    Next Scan Schedule : 0
    Total Alerts Sent to NSM : 20
    Total Current Running Scan Count : 3000
    Total Number of Hosts Scanned :
    Total Scan Failures : 10
    Total Passive Info Host Count Received From NSM : 0
    [ Last Scan Run Details ]

    Last Scan Time : :57 UTC
    Total Number of Hosts Scanned : 2000
    Total Number of Hosts UP : 164
    Total Number of Hosts DOWN : 20
    Total Results Sent to NSM : 140

show host-vlan

Shows whether host-vlan is enabled or disabled. This command has no parameters.

Syntax: show host-vlan

Sample Output:

    ntbasensor@vntba> show host_vlan
    [HOST VLAN settings]
    HOST VLAN : enabled

Applicable to: M-series and NS-series, and NTBA Appliances.

show htf

Displays the HTF configuration: delta period, learning period, max deltas, and HTF filter.

Syntax: show htf

Sample Output:

    ntbasensor@vntba> show htf
    [HTF settings]
    HTF delta period : 180 minutes
    HTF Filter IP List :

show intfport

Shows the status of the specified Sensor port. Specifying a non-existent port results in an error; for example, specifying port 3B on an I-4000 causes the command to fail. Capitalize the port letter when typing the command; for example, 1a is treated as an invalid command.

Syntax: show intfport <port>

Parameter    Description
<port>       The port for which the status is to be displayed.

Valid port numbers for M-series are:

    1A 1B 2A 2B 3A 3B 4A 4B 5A 5B 6A 6B 7A 7B 8A 8B WORD all

Valid port numbers for NS-series are:

    G0/1 G0/2 G1/1 G1/2 G1/3 G1/4 G1/5 G1/6 G1/7 G1/8 G1/9 G1/10 G1/11 G1/12 G2/1 G2/2 G2/3 G2/4 G2/5 G2/6 G2/7 G2/8 G2/9 G2/10 G2/11 G2/12 G3/1 G3/2 G3/3 G3/4 G3/5 G3/6 G3/7 G3/8 WORD all

Information displayed by the show intfport command includes:

- Whether the port's administrative status is enabled or disabled
- The Sensor's operational status
- The Sensor's operating mode
- Whether full duplex mode is enabled
- The port's configured traffic direction (inside or outside)
- The speed of the 10/100 ports, if applicable
- The speed of the Gigabit ports, if applicable
- The peer port's supported link modes
- The peer port's negotiated duplex and speed
- The auto-negotiation configuration (I-2700 Sensors only)
- Total packets received
- Total packets sent
- Total CRC errors received
- Total CRC errors sent
- Whether or not flow control is on (this applies only to Sensor gigabit ports)

Sample Output:

For Sensors, the output is as shown:

    show intfport 2A
    Displaying port 2A
    Administrative Status : ENABLED
    Operational Status : UP
    Operating Mode : INLINE_FAIL_CLOSED
    Duplex : FULL
    Port Connected to : OUTSIDE
    Port Speed : 1 GBPS-AUTONEG
    Peer port supported link modes : 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full
    Actual negotiated Duplex: FULL
    Actual negotiated Speed : 1 GBPS
    Additional Porttype Info:
    Total Packets Received : 403
    Total Packets Sent :
    Total CRC Errors Rcvd : 0
    Total Other Errors Rcvd : 0
    Total CRC Errors Sent : 0
    Total Other Errors Sent : 0
    Flow Control Status : OFF

For NTBA, the output is as shown:

    ntbasensor@ntba_210> show intfport 1
    Administrative status : Enabled
    Link status : Up
    Port speed : Auto, 1000 Mbps
    Duplex : Auto, Full
    Total packets received :
    Total packets sent :

    Total CRC errors received : 0
    Total other errors received : 0
    Total CRC errors sent : 0
    Total other errors sent : 0
    IP Address :
    MAC Address : 00:1B:21:44:77:48
    Mapped to ethernet port : eth2

Applicable to: M-series and NS-series, and NTBA Appliances.

show mem-usage

This command displays the system memory usage details of the device. This command has no parameters.

Syntax: show mem-usage

On Sensors, the show mem-usage command reports, for each resource (flows, buffers, marker nodes, and so on), the average percentage usage (Avg.) across all processing elements (PEs) and the maximum percentage usage (Max.) on a single PE.

Sample Output:

For Sensors, the output is as shown:

    Avg. Used TCP and UDP Flows across all PEs : 0%
    Max. Used TCP and UDP Flows on a single PE : 0%
    Avg. Used Fragmented IP Flows across all PEs : 0%
    Max. Used Fragmented IP Flows on a single PE : 0%
    Avg. Used ICMP Flows across all PEs : 0%
    Max. Used ICMP Flows on a single PE : 0%
    Avg. Used SSL Flows across all PEs : 0%
    Max. Used SSL Flows on a single PE : 0%
    Avg. Used Fragment Reassembly Buffers across all PEs : 0%
    Max. Used Fragment Reassembly Buffers on a single PE : 0%
    Avg. Used Packet Buffers across all PEs : 0%
    Max. Used Packet Buffers on a single PE : 0%
    Avg. Used Attack Marker Nodes across all PEs : 0%
    Max. Used Attack Marker Nodes on a single PE : 0%
    Avg. Used Shell Marker Nodes across all PEs : 0%
    Max. Used Shell Marker Nodes on a single PE : 0%
    Avg. Used L7 Dcap Alert Buffers across all PEs : 0%
    Max. Used L7 Dcap Alert Buffers on a single PE : 0%
    Avg. Used L7 Dcap flows across all PEs : 0%
    Max. Used L7 Dcap flows on a single PE : 0%
    Avg Attacks received across all PEs : 0%

For an NTBA Appliance, the output is as shown:

    ntbasensor@vntba> show mem-usage
    total used free shared buffers cached
    Mem:
    Swap:
    Total:

Applicable to: M-series and NS-series, and NTBA Appliances.
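The two show mem-usage layouts above lend themselves to automated checks. As an added example (not McAfee code and not part of this guide), the Python below reads the Sensor layout (per-resource "Avg. ... across all PEs" and "Max. ... on a single PE" percentages) and the NTBA Appliance layout (the Linux free-style total/used/free/shared/buffers/cached table for Mem, Swap, and Total), and reports every resource at or above a threshold. For the Appliance table it excludes buffers and page cache from "used", since that memory is reclaimable. The sample outputs are constructed from the field names on this page with invented numbers; the function names and the 80 percent threshold are assumptions of the example.

```python
"""Read both 'show mem-usage' layouts and flag memory pressure.

Added example, not McAfee code. Samples are constructed from the page's
field names with invented numbers; names and thresholds are assumptions.
"""
import re

PE_LINE_RE = re.compile(
    r"^\s*(?P<stat>Avg\.?|Max\.?)\s+(?P<resource>.+?)\s*:\s*(?P<pct>\d+)%\s*$")


def parse_pe_usage(text):
    """Return {resource: {'Avg': pct, 'Max': pct}} from the Sensor layout."""
    usage = {}
    for line in text.splitlines():
        m = PE_LINE_RE.match(line)
        if not m:
            continue
        stat = m.group("stat").rstrip(".")
        # "Used X across all PEs" and "Used X on a single PE" both describe X.
        resource = re.sub(r"^Used\s+", "", m.group("resource"))
        resource = re.sub(r"\s+(across all PEs|on a single PE)$", "", resource)
        usage.setdefault(resource, {})[stat] = int(m.group("pct"))
    return usage


def parse_free_table(text):
    """Return {'Mem': {...}, 'Swap': {...}, 'Total': {...}} from the free-style
    layout; values stay in the units printed (free reports kB by default)."""
    rows, columns = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if columns is None and parts[0] == "total":    # header row
            columns = parts
        elif columns and parts[0].endswith(":"):         # Mem:/Swap:/Total: rows
            rows[parts[0][:-1]] = dict(zip(columns, (int(v) for v in parts[1:])))
    return rows


def memory_findings(sensor_text=None, ntba_text=None, threshold=80):
    """Return messages for every resource at or above threshold percent."""
    findings = []
    if sensor_text:
        for resource, stats in parse_pe_usage(sensor_text).items():
            for stat in ("Avg", "Max"):
                pct = stats.get(stat)
                if pct is not None and pct >= threshold:
                    findings.append("%s %s usage %d%%" % (stat, resource, pct))
    if ntba_text:
        table = parse_free_table(ntba_text)
        mem = table.get("Mem")
        if mem:
            # Buffers and page cache are reclaimable, so leave them out of "used".
            really_used = mem["used"] - mem.get("buffers", 0) - mem.get("cached", 0)
            pct = 100 * really_used // mem["total"]
            if pct >= threshold:
                findings.append("Mem usage %d%% excluding buffers/cache" % pct)
        swap = table.get("Swap")
        if swap and swap["total"]:
            pct = 100 * swap["used"] // swap["total"]
            if pct >= threshold:
                findings.append("Swap usage %d%%" % pct)
    return findings


# Constructed samples: field names from the page, numbers invented.
SENSOR_SAMPLE = """\
Avg. Used TCP and UDP Flows across all PEs : 85%
Max. Used TCP and UDP Flows on a single PE : 93%
Avg. Used Packet Buffers across all PEs : 12%
Max. Used Packet Buffers on a single PE : 40%
Avg Attacks received across all PEs : 0%
"""
NTBA_SAMPLE = """\
ntbasensor@vntba> show mem-usage
             total       used       free     shared    buffers     cached
Mem:       8056000    7600000     456000          0     150000    2100000
Swap:      2047996     102400    1945596
Total:    10103996    7702400    2401596
"""

if __name__ == "__main__":
    for message in memory_findings(SENSOR_SAMPLE, NTBA_SAMPLE):
        print(message)
```

With the constructed samples the Sensor side reports the TCP and UDP flow tables (85 percent average, 93 percent on one PE) while the Appliance side stays quiet: 7.6 GB "used" shrinks to about 66 percent once the 2.1 GB of page cache and 150 MB of buffers are excluded, which is the figure worth alerting on rather than the raw used column.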

show mgmtport

Shows all the current configuration settings for the Sensor Management port. This command has no parameters.

Syntax: show mgmtport

Information displayed by the show mgmtport command includes:

- The Sensor's Management port value (1000Mbps, 100Mbps, 10Mbps, or auto-negotiate)
- The Sensor's Management port link status (the speed the two devices settled upon, typically the highest common setting)
- What mode has been settled upon
- The link status
- The capabilities of the Management port (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
- What the Management port is advertising its capabilities as (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)
- The characteristics of its link partner (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-T-HD)

Sample Output:

For a Sensor, the output is as shown:

    show mgmtport
    MGMT Ethernet port : auto negotiated
    Settings for MGMT port :
    Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full
    Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full
    Advertised auto-negotiation: Yes
    Speed: 100Mb/s
    Duplex: Full
    Auto-negotiation: on
    Wake-on: d
    Link detected: yes
    eth0 Link encap:ethernet HWaddr 00:06:92:2B:69:40
    inet addr: Bcast: Mask:
    inet6 addr: fe80::206:92ff:fe2b:6940/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets: errors:0 dropped:0 overruns:0 frame:0
    TX packets: errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes: (243.6 Mb) TX bytes: (36.9 Mb)
    Interrupt:24

For NTBA, the output is as shown:

    ntbasensor@ntba_210> show mgmtport
    Link status : Up
    Port speed : Auto, 1000 Mbps
    Duplex : Auto, Full
    Total packets received :
    Total packets sent :

    Total CRC errors received : 0
    Total other errors received : 0
    Total CRC errors sent : 0
    Total other errors sent : 0
    IP Address :
    MAC Address : 00:24:E8:46:46:D6
    Mapped to ethernet port : eth4

Applicable to: M-series and NS-series, and NTBA Appliances.

show netstat

This command displays the management port netstat output. This command has no parameters.

Syntax: show netstat

Sample Output:

For a Sensor, the output is as shown:

Figure 13-1 show netstat command output for Sensors

For an NTBA Appliance, the output is as shown:

Figure 13-2 show netstat command output for NTBA

Applicable to: M-series and NS-series, and NTBA Appliances.

show nfcstats

Displays the NetFlow collector statistics. Check the output to verify that packets are being processed correctly by the Virtual NTBA Appliance.

Syntax: show nfcstats

Sample Output:

    show nfcstats
    [Netflow-Collector Statistics]

    Total packets received :
    Total flow data records received :
    Total v9 flow data records :
    Total v5 flow data records : 0
    IPS flow data records :
    Total Templates : 467
    IPS templates : 467
    Total TCP conversations :
    Total UDP conversations :
    Total ICMP conversations :
    Total L7 URL count :
    Total L7 FILE count : 12
    Internal Hosts : 823
    [Netflow Processing Stats]
    Duplicate flow data records : 0
    Flows excluded by User Config : 0
    L7 data excluded by User Config : 0
    Flows getting processed : 2824
    Flows processed in last minute : 3107
    Coalesced Conversations count :
    Template Cache : 1
    Throttled flow data records : 0
    Write index : 0
    Remove index : 0
    Nba read index : 0
    Recon read index : 0
    Htf read index : 0
    Anomaly read index : 0
    [Packet Parsing and Preprocessing Errors]
    Erroneous flow data records : 0
    Pkts from unconfigured exporter : 0
    Pkts with invalid netflow version : 0
    Pkts with IP version other than 4 : 0

    Unidirectional flow in ips pkt :
    Needs dedup count : 0
    Update nxthop failed : 0
    Functional buf insert failed : 0
    Invalid L7 data length : 0
    Invalid templates : 0
    Flows ignored after max host limit : 0
    Flows ignored for not-enough memory : 0
    Flows ignored for external traffic : 187
    Flows ignored for non-match template: 1444
    Misc preprocessing error : 0
    [Netflow-Collector Incoming Load Stats]
    Last netflow seen time : Mon Sep 30 04:41:
    Incoming flows per sec for last 10 minutes : 7
    Incoming flows for last 10 minutes :
    Flows for last 0-1 minute : 4432
    Flows for last 1-2 minute : 0
    Flows for last 2-3 minute : 0
    Flows for last 3-4 minute : 0
    Flows for last 4-5 minute : 0
    Flows for last 5-6 minute : 0
    Flows for last 6-7 minute : 0
    Flows for last 7-8 minute : 0
    Flows for last 8-9 minute : 0
    Flows for last 9-10 minute : 0

show pktrecvstats

Displays the statistics of the packets received by NTBA.

Syntax: show pktrecvstats

Sample Output:

    ntbasensor@vntba> show pktrecvstats

    [Pktrecv Info]
    Start Time : Sat Sep 21 14:25:
    Last Packet Recv Time : Never
    Packets observed : 0
    Packets Read : 0
    Pktrecv socket mode : 0
    Number of Restarts : 0
    Netflow Listen Port : 9996
    Thread status : PROCESSING_PKT

show route

Shows the routes configured on the NTBA Appliance through the Manager interface.

Syntax: show route

Sample Output:

    ntbasensor@vntba> show route
    network        netmask        gateway        port
                                                 1
    Kernel IP routing table
    Destination    Gateway    Genmask    Flags  Metric  Ref  Use  Iface
                                         U                        mgmt
                                         U
                                         U                        mgmt
                                         U
                                         UG                       mgmt

show store-url-type

Displays the current URL store setting. The setting is either ONLY-DOMAIN or FULL-URL.

Syntax: show store-url-type

Sample Output:

    ntbasensor@vntba> show store-url-type
    [store url type]

    Url Store Type : ONLY-DOMAIN

show tsstats

Displays statistics for GTI-related lookups.

Syntax: show tsstats

Sample Output:

    ntbasensor@vntba> show tsstats
    [Trusted-Source Stats]
    Trusted Source Activate Failed : 0
    Trusted Source NetConfigInternal Failed : 0
    Trusted Source NetConfigSetting Failed : 0
    Trusted Source NetLookup Failed : 0
    Trusted Source DB Download Failed : 0
    Trusted Source DB Load Failed : 0
    Trusted Source Create Attribute Failed count : 0
    Trusted Source Create Url Failed count : 0
    Trusted Source Ip Cache Insert Failed count : 2559
    Trusted Source Parse Url Failed count : 0
    Trusted Source Create Category Failed count : 0
    Trusted Source Remove Category Failed count : 0
    Trusted Source Category to Array Failed count : 0
    Trusted Source Category to String Failed count : 0
    Trusted Source Rate Ip Failed count :
    Trusted Source Rate Url Failed count : 6
    Trusted Source NTBA DB Ip Updates Failed count : 0
    Trusted Source NTBA DB Url Failed count : 2939
    Trusted Source Conversation Drop count : 5188
    Trusted Source Urls Drop count :
    Trusted Source Conversation Send Drop count : 0
    Trusted Source Urls Send Drop count : 0
    Trusted Source Number of Ip's Updated :

    Trusted Source Number of Ips Loaded from File : 0
    Trusted Source Number of Entries in Cache : 2025
    Trusted Source Lookup drops due to configuration :
    Trusted Source Total Conv Request Count :
    Trusted Source Successful Connection Lookup count : 0
    Trusted Source Total Url Request Count :
    Trusted Source Successful Url Lookup count : 7144
    Trusted Source Conversation Cachehit Count :
    Trusted Source Conversation Cache Busy Count : 28
    Trusted Source Rate cache Lookup Time : 0
    Time Of Day In Seconds :

shutdown

Halts the Sensor so that you can turn it off. The Sensor does not turn off automatically: turn it off manually after about a minute (for example, unplug the I-4010). You must confirm that you want to shut down the Sensor. This command has no parameters.

Syntax: shutdown

Applicable to: M-series and NS-series, and NTBA Appliances.

status

Shows the Sensor system status, such as System Health, Manager communication, the total number of alerts detected, and the total number of alerts sent to the Manager. This command has no parameters.

Syntax: status

Sample Output:

For a Sensor, the output is as shown:

    intrushell@john> status
    [Sensor]
    System Initialized : yes

    System Health Status : good
    Layer 2 Status : normal (IDS/IPS)
    Installation Status : complete
    IPv6 Status : Parse and Detect Attacks
    Reboot Status : Not Required
    Guest Portal Status : up
    Hitless Reboot : Not-Available
    Last Reboot reason : reboot issued from CLI
    [Signature Status]
    Present : yes
    Version :
    Power up signature : good
    Geo Location database : Present
    DAT file : Present
    Version :
    [Manager Communications]
    Trust Established : yes (RSA 1024-bit or 2048-bit)
    Alert Channel : up
    Log Channel : up
    Authentication Channel : up
    Last Error : None
    Alerts Sent : 961
    Logs Sent : 974
    [Alerts Detected]
    Signature : 4246
    Alerts Suppressed : 3483
    Scan : 0
    Denial of Service : 2
    Malware : 0
    [McAfee NTBA Communication]
    Status : down
    IP :
    Port : 8505
    [McAfee MATD Communication]
    Status : down

    IP :
    Port : 8505

The same status output appears on an NTBA Appliance.

If trust cannot be established between the Sensor and the Manager because the shared secret keys do not match, Last Error displays the message "Alert Channel - Install Keys Mismatch". In that case, check the shared secret key on the Manager and set the same key on the Sensor with the set sensor sharedsecretkey command.

Applicable to: M-series and NS-series, and NTBA Appliances.

tcpdump sec

Runs a tcpdump capture for the specified duration in seconds. Optionally, tcpdump arguments can be placed after the duration value.

Syntax: tcpdump sec <1-30> WORD WORD

Sample Output:

    ntbasensor@vntba> tcpdump sec 5
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

Examples:

    tcpdump sec 5
    tcpdump sec 5 -i eth4 dst host A.B.C.D

Applicable to: NTBA Appliances only.

traceupload

Uploads an encoded diagnostic trace file to the configured TFTP server, from which you can send it to McAfee Technical Support for diagnosing a problem with the Sensor. A trace upload facility is also available in the Manager interface.

Syntax: traceupload WORD

where WORD is the name of the file to which the trace is written.
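The outputs of show nfcstats, show pktrecvstats, show tsstats and status all share one layout: a bracketed [Section] header followed by "key : value" lines. The following added example (not McAfee code) parses that layout and applies the checks the command descriptions tell an operator to make by eye: nonzero preprocessing error counters, a collector that has never received a packet, Manager channels that are not up, and the "Install Keys Mismatch" last error. SAMPLE_OUTPUT is constructed here; its field names follow the outputs shown above, and its values were chosen to trigger the checks.

```python
"""Parse the "[Section]" / "key : value" layout shared by the NTBA CLI
commands show nfcstats, show pktrecvstats, show tsstats and status, and
flag the conditions the command reference tells an operator to look for.

Added example, not NTBA product code. SAMPLE_OUTPUT is constructed; the
section and field names follow the outputs shown in this chapter, while
the values were chosen to trigger each check.
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
ntbasensor@vntba> show pktrecvstats
[Pktrecv Info]
Start Time : Sat Sep 21 14:25:00 2013
Last Packet Recv Time : Never
Packets observed : 0
Netflow Listen Port : 9996
Thread status : PROCESSING_PKT
[Packet Parsing and Preprocessing Errors]
Erroneous flow data records : 0
Pkts from unconfigured exporter : 12
Pkts with invalid netflow version : 0
[Manager Communications]
Trust Established : yes (RSA 1024-bit or 2048-bit)
Alert Channel : up
Log Channel : down
Last Error : None
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
# Key is everything up to the first colon, so timestamps in values survive.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_stats(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}. Lines before the first [Section]
    header, such as the echoed prompt, are ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip()] = m.group("value").strip()
    return sections


def health_findings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Apply the checks described for these commands; returns human-readable findings."""
    findings: List[str] = []

    # A nonzero preprocessing counter means NetFlow is discarded before
    # analysis (unknown exporter address, wrong NetFlow version, ...).
    for key, val in sections.get("Packet Parsing and Preprocessing Errors", {}).items():
        if val.isdigit() and int(val) > 0:
            findings.append(f"preprocessing counter nonzero: {key} = {val}")

    # "Never" means nothing has reached the collector's listen port at all.
    info = sections.get("Pktrecv Info", {})
    if info.get("Last Packet Recv Time") == "Never":
        port = info.get("Netflow Listen Port", "?")
        findings.append(f"no NetFlow packet ever received on listen port {port}")

    mgr = sections.get("Manager Communications", {})
    if mgr and not mgr.get("Trust Established", "").startswith("yes"):
        findings.append("trust with the Manager is not established")
    for chan in ("Alert Channel", "Log Channel", "Authentication Channel"):
        if chan in mgr and mgr[chan] != "up":
            findings.append(f"{chan} is {mgr[chan]}")
    last_error = mgr.get("Last Error", "None")
    if "Install Keys Mismatch" in last_error:
        findings.append("shared secret mismatch: re-enter it on the Sensor "
                        "with set sensor sharedsecretkey")
    elif last_error != "None":
        findings.append(f"Manager last error: {last_error}")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_stats(SAMPLE_OUTPUT)):
        print("WARN", finding)
```

Feed the function the pasted output of any of the four commands; sections it does not know are parsed but produce no findings, so one parser serves all of them.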

Note the following:

- Before executing this command, configure the TFTP server on the NTBA Appliance by running the set tftpserver ip command.
- When loading a trace file from the configured TFTP server, the path name of the file must be relative to /tftpboot.
- Before executing this command (uploading to the TFTP server), ensure that the file already exists on the TFTP server with write permission for everyone.
- As part of traceupload, additional information is collected using logstat. Collecting these logs from the Sensor therefore takes extra time, which varies with the Sensor model.
- On executing the command, the following messages are displayed:

    Please enter Y to confirm: y
    Uploading trace file to TFTP server
    Trace file uploaded successfully to TFTP server.

Sample Output:

For an NTBA Appliance, the output is as shown:

    ntbasensor@vntba> traceupload ntbatracefile
    Make sure the file ntbatracefile exists on the server with 'WRITE' permission for everyone.
    If it doesn't exist, then create an empty ntbatracefile file with 'WORLD WRITE' permissions.
    Please enter Y to confirm: y
    Uploading trace file to TFTP server
    Trace file uploaded successfully to TFTP server.

Applicable to: M-series and NS-series, and NTBA Appliances.

unknown-interfaces-flows

Accepts or rejects flows that reach the NTBA Appliance from unknown interfaces. Unknown interfaces are always interfaces of known exporters.

Syntax: unknown-interfaces-flows <accept> <reject> <status>

    Parameter   Description
    <accept>    NTBA accepts flows from an unknown interface
    <reject>    NTBA rejects flows from an unknown interface
    <status>    Displays the status of unknown-interface flows (accepted or rejected)

If SNMP is not configured, NTBA cannot discover interfaces and does not accept any flows from a router unless this command is set to accept. You also need to configure proper CIDR ranges in the inside and outside zones; if they are not configured, NTBA treats all endpoints as inside.

Sample Output:

For a Sensor, the output is as shown:

    unknown-interfaces-flows accept
    Accepted

For an NTBA Appliance, the output is as shown:

    unknown-interfaces-flows accept
    unknown-interfaces-flows status
    interface status: Reject

Applicable to: NTBA Appliances only.

watchdog

The watchdog process reboots the device whenever an unrecoverable failure is detected in the device.

Syntax: watchdog <on | off | status>

    Parameter   Description
    <on>        Enables the watchdog.
    <off>       Disables the watchdog. Use it when a Sensor reboots continuously due to repeated system failure.
    <status>    Displays the status of the watchdog process ('on' or 'off').

Sample Output:

For a Sensor, the output is as shown:

    intrushell@john> watchdog status
    watchdog = off

For an NTBA Appliance, the output is as shown:

    ntbasensor@vntba> watchdog status
    watchdog = on

Applicable to: M-series and NS-series, and NTBA Appliances.


Chapter 14 Troubleshooting


14 Troubleshooting

This chapter addresses some of the issues that might be encountered while handling and setting up the NTBA Appliance.

Repairs to the NTBA Appliance may be done only by certified technicians under the guidance of McAfee support personnel. The information given here is only for customer awareness purposes. Damage due to unauthorized servicing is not covered by any liability.

Contents

- The NTBA Appliance does not start
- The NTBA Appliance is not receiving power
- The NTBA Appliance is not booting up
- The NTBA Appliance is not communicating with the network on the management port
- The NTBA Appliance is not communicating or receiving traffic in the collection port
- Troubleshooting a hardware failure
- If trust is not getting established
- Signature update failure/if channel is not coming up
- NetFlow is not being received at the interface level of NTBA
- If no URLs and files data are seen
- If no Application data is being received
- If no data is seen in the Top External Host By Reputation, Top URLs By Reputation, and Top URLs By Category monitors
- If no Communication alerts are seen
- If no Behavioral alerts are seen
- If Threat Analyzer is not auto-refreshing
- If no Botnet alerts are seen
- Antimalware system faults
- If no Anti-malware alerts are seen
- Database issues
- IPS Sensor troubleshooting
- Upload diagnostics trace
- Perform a NTBA Appliance system recovery procedure
- Reset the NTBA Appliance admin password to default
- Checklist for known issues
- NTBA diagnostic CLI commands

The NTBA Appliance does not start

If the power-on indicator light on the front panel does not appear after the NTBA Appliance has had reasonable time to boot, ensure that all external cables are securely attached to the external connectors on your system.

The NTBA Appliance is not receiving power

Check the following:

- The NTBA Appliance is connected properly to a working power outlet, using the supplied power cord. If the power outlet has a switch, make sure it is on.
- The NTBA Appliance is correctly switched on.
- The power cord is plugged in to the back of the NTBA Appliance.

If the NTBA Appliance is still not receiving power, check the power outlet by plugging other equipment into it. If the power outlet is working, there could be a problem with the NTBA Appliance or its power cord. Contact your supplier or McAfee technical support.

The NTBA Appliance is not booting up

If, after you power on an appliance, it does not boot up automatically and reach the logon prompt, follow these steps.

1 Connect the System restore USB flash drive to the NTBA appliance and power on the appliance.
2 After the McAfee logo is displayed, press F6 and, under boot options, select the USB drive.
3 At the logon prompt, log on to the NTBA Appliance using the default user name admin and password admin123. You can type help or ? to access instructions on using the built-in command syntax help.
4 At the prompt, type installntba. This takes some time.
5 At the prompt, type reboot to bring up the NTBA appliance. Remove the USB flash drive.
6 At the logon prompt, log on to the NTBA Appliance using the default user name admin and password admin123.

The NTBA Appliance is not communicating with the network on the management port

Check the following:

- The NTBA Appliance is turned on and its software is running, as indicated by the lights on the front display panel.
- The NTBA Appliance has a valid management port IP address, can ping the gateway, or can be pinged from another system.
- The network cables that you are using are undamaged and connected properly to the NTBA Appliance management port and your existing network equipment. Ensure that the cables you use are of the correct specification.

- You have used the correct management port when connecting the NTBA Appliance to your existing network equipment.
- Perform the configuration process afresh.

If the NTBA Appliance is still not receiving network traffic, check the network cables and the network ports on your existing network equipment. If the cables and ports are working, there could be a problem with the NTBA Appliance. Contact your supplier or McAfee technical support.

The NTBA Appliance is not communicating or receiving traffic in the collection port

Task

1 Check the following:
   - The NTBA Appliance is turned on and its software is running, as indicated by the lights on the front display panel.
   - The NTBA Appliance has valid collection port IP addresses.
   - The network cables that you are using are undamaged and connected properly to the NTBA Appliance collection ports and your existing network equipment. Ensure that the cables you use are of the correct specification.
   - You have used the correct collection ports when connecting the NTBA Appliance to your existing network equipment.
   - Perform the configuration process afresh.

2 Execute the following command in the NTBA Appliance command line interface and verify:
   - Whether the NTBA Appliance is initialized
   - The NTBA Appliance's health status
   - Boot Flag On/Off
   - Status of signatures (if present) and version number
   - The NTBA Appliance signature version
   - Whether trust is established between the NTBA Appliance and the Manager
   - The Alert Channel status
   - Alert / SysEvent Sent
   - Alert / SysEvent Dropped
   - Alert Detected
   - SysEvent Detected

   If any errors are found, contact McAfee technical support.

3 Check whether the port LEDs are lighting up according to the NIC codes:

   Figure 14-1 NIC indicator codes
   Item  Description
   1     Link indicator
   2     Activity indicator

   Indicator                                  Description
   Link and activity indicators are off.      The NIC is not connected to the network. Check the connections and connectors, and try again.
   Link indicator is green.                   The NIC is connected to a valid network link at 1000 Mbps.
   Link indicator is amber.                   The NIC is connected to a valid network link at 10/100 Mbps.
   Activity indicator is green and blinking.  Network data is being sent or received.

Troubleshooting a hardware failure

If you suspect a hardware failure, contact McAfee Technical Support. McAfee recommends that you troubleshoot all hardware issues with a technical support technician. You might be asked to use the recovery disk included with the NTBA Appliance.

If trust is not getting established

Task

1 Check if the Manager IP address is correct.
2 Check if the default gateway is correct. Ping the Manager IP address and check if the Manager is reachable.
3 Check if the device type was selected as NTBA from the drop-down list while adding the Sensor.
4 Check if a firewall is blocking port 8443/44.
5 Check if the Sensor shared secret key is correct. Re-enter the key.
6 Check if the NTBA Appliance name is correct. It is case-sensitive.

Signature update failure/if channel is not coming up

Task

1 Check if the versions of the Manager and the NTBA Appliance are supported.
2 If the channel is not coming up for a T-VM, check if it has already been added. Only one T-VM can be added.
3 Check if the NTBA Appliance is in good health.
4 Check whether installdb was executed on NTBA when the database was down. If trust is not established again after installdb, the sigfile push may fail.
5 Check if the exporter configuration is complete on the Manager.
6 Check if the Manager-to-NTBA connectivity is fine. Ping the Manager IP address from the NTBA CLI and check.

Also check whether the error message "MAX CIDR COUNT IN A ZONE REACHED" is thrown. There is a known bug in this NTBA release where the sigfile update fails if the CIDR count in a zone exceeds 18 elements.

NetFlow is not being received at the interface level of NTBA

Task

1 Run the ntbastat command on the IPS Sensor and see if the IPS is sending NetFlow and template data, as shown:

    intrushell@k > ntbastat
    Core id range is not selected, Displaying ALL
    Total netflows created :
    Templates created : 0
    TCP netflows created :
    UDP netflows created :
    ICMP netflows created :
    Total netflows sent :
    Templates sent : 1291
    Netflows sent via ring buffer : 0
    Total active netflows : 0
    Total free netflow buffers : 741
    Multiple netflows count :
    Total netflow allocation failures :
    Netflow creation failures due to exporting port disable :
    Netflow data record allocation failures :
    Total Dcap L7 fields counts :
    Total Dcap Attack Id count :
    Total Dcap HTTP URL count :
    Total Dcap HTTP UserAgent count :
    Total Dcap HTTP Host count :
    Total Dcap FTP Banner count : 112
    Total Dcap FTP UserName count : 71
    Total Dcap SMTP Attachment count: 3
    Total Dcap SMTP From count : 462
    Total Dcap SMTP To count : 238
    Total Dcap SMTP Banner count : 2334
    Total Dcap FTP Return count : 134
    Total Dcap HTTP Request count :

    Total Dcap HTTP Return count :

2 Check if the NTBA Appliance is in good health. The Appliance is in good health when the signature file has been applied successfully and all processes are working; only then are packets processed. Check the signature file push: select Deploy Pending Changes, select the Configuration & Signature Set checkbox for NTBA and IPS, and click Update.
3 Check if the firewall is blocking port 9996 in the NetFlow receiving path of the NTBA Appliance.
4 Check if the collection port IP address of the NTBA Appliance is configured on the correct physical port.
5 Check if the mask value of the collection port is correct.
6 Check if NetFlow between the IPS Sensor and the NTBA Appliance is being blocked by a firewall.
7 Check in the IPS Sensor if the flow source IP address is configured for the port that is exporting NetFlow to NTBA.
8 Check in the IPS Sensor if the flow source port's gateway is configured correctly. It should be the next hop's IP address.
9 Check in the IPS Sensor if the ports to be monitored are selected.
10 Check if the IPS monitoring port and the NTBA collection port are up.
11 Check if the configuration and signature file update has been pushed to both the NTBA Appliance and the IPS Sensor. To verify this, select Deploy Pending Changes, select the Configuration & Signature Set checkbox for NTBA and IPS, and click Update.
12 In the IPS Sensor, enable ping to the IPS monitoring port that is configured for exporting NetFlow: use the set mon-port-ping-status enable command in the IPS CLI. Then, from the NTBA CLI, ping the IPS exporting port to check connectivity. Once testing is done, disable this option. The only purpose of this command is to allow pinging the IPS exporting port from the NTBA CLI; even when it is enabled, you cannot ping from the IPS CLI to the NTBA interface to which that exporting port is connected.
13 From the CLI, run tcpdump sec 5 and check if NetFlow is received at the interface level.
14 Check if the IPS Sensor is in good health.
15 Use CLI commands such as show intf 5A (5A being the flow exporter interface) to check if flows are reaching a particular interface.
16 If these steps do not resolve the problem, see the section IPS Sensor troubleshooting to check if the problem is on the IPS side.

If no URLs and files data are seen

Task

1 Check that the exporter being used is an IPS Sensor. Routers do not send L7 data.
2 Check that in the IPS, L7 data for NetBIOS, FTP, Telnet and SMTP is enabled.
3 Check using the show nfcstats command if L7 data is coming in the NetFlow.

4 Check using the ntbastat command on the IPS Sensor whether the IPS is sending the L7 data.
5 Check if the IPS Sensor is in good health.

If no Application data is being received

Task

1 Check that the exporter being used is an IPS Sensor. Routers do not send L7 data.
2 Check that Application Identification is enabled in the IPS Sensor and that the sigfile is being pushed to the IPS Sensor.
3 Check that application identification is happening in the IPS Sensor by looking at the IPS dashboard of the Threat Analyzer.
4 Check if the IPS Sensor is in good health.

If no data is seen in the Top External Host By Reputation, Top URLs By Reputation, and Top URLs By Category monitors

Task

1 Check if DNS is enabled and configured for the device.
2 Check if the DNS name is getting resolved using the nslookup command.
3 Check from the NTBA CLI if trustedsource.org can be reached. Run nslookup as shown:

    ntbasensor@my-ntba> nslookup trustedsource.org
    Server:
    Address 1:
    Name: trustedsource.org
    Address 1:

4 Check that ports 443 and 80 are not blocked by the firewall from NTBA.
5 Check if a proxy is enabled and that traffic from the proxy on ports 443 and 80 is not blocked by the firewall.
6 If a proxy is enabled, DNS must be configured (either directly or in the proxy) so that the URL database can be downloaded.
7 Check the output of show store-url-type as shown:

    ntbasensor@my-ntba> show store-url-type
    [store url type]
    Url Store Type : ONLY-DOMAIN

8 Check using the show tsstats command if the connection lookups and URL lookups are shown as successful:

    ntbasensor@my-ntba> sho tsstats
    [Trusted-Source Stats]
    Trusted Source Activate Failed : 0
    Trusted Source NetConfigInternal Failed : 0
    Trusted Source NetConfigSetting Failed : 0
    Trusted Source NetLookup Failed : 0
    Trusted Source DB Download Failed : 0
    Trusted Source DB Load Failed : 0
    Trusted Source Create Attribute Failed count : 0
    Trusted Source Create Url Failed count : 0
    Trusted Source Ip Cache Insert Failed count :
    Trusted Source Parse Url Failed count : 0
    Trusted Source Create Category Failed count : 0
    Trusted Source Remove Category Failed count : 0
    Trusted Source Category to Array Failed count : 0
    Trusted Source Category to String Failed count : 0
    Trusted Source Rate Ip Failed count : 1311
    Trusted Source Rate Url Failed count : 0
    Trusted Source NTBA DB Ip Updates Failed count : 0
    Trusted Source NTBA DB Url Failed count :
    Trusted Source Conversation Drop count : 797
    Trusted Source Urls Drop count : 7123
    Trusted Source Conversation Send Drop count : 540
    Trusted Source Urls Send Drop count : 501
    Trusted Source Number of Ip's Updated :
    Trusted Source Number of Ips Loaded from File : 0
    Trusted Source Number of Entries in Cache : 281
    Trusted Source Lookup drops due to configuration :
    Trusted Source Total Conv Request Count :
    Trusted Source Successful Connection Lookup count :
    Trusted Source Total Url Request Count :

    Trusted Source Successful Url Lookup count :
    Trusted Source Conversation Cachehit Count :
    Trusted Source Conversation Cache Busy Count :
    Trusted Source Rate cache Lookup Time : 0
    Time Of Day In Seconds :

9 Check if there are external hosts. If all hosts fall under the inside zone, no lookups happen. Configure zones, using CIDR or interface, appropriately.
10 Check if McAfee GTI lookups are failing. The failed value is not shown in the Threat Analyzer.
11 Check in sysevent for any error message regarding McAfee GTI.

If no Communication alerts are seen

Task

1 Check if the Time of Day is configured correctly.
2 Check if the time zone matches the configured Time of Day value.
3 Check if the communication rule is configured for the chosen Time of Day value and whether the present time falls within it when checking for the alert.

If no Behavioral alerts are seen

Behavioral alerts are informational by default. Check if auto acknowledgment is enabled. If so, disable auto ack to see these alerts.

If Threat Analyzer is not auto-refreshing

Delete the Java cache files and restart the Threat Analyzer.

If no Botnet alerts are seen

Check that in the IPS Sensor, the forward to NTBA option is enabled at the interface level.
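The NetFlow troubleshooting steps above revolve around the preprocessing counters in show nfcstats: packets from an exporter that is not configured, packets with an unsupported NetFlow version, packets from a non-IPv4 source, and erroneous records. The following added example (not McAfee code) shows the general classification of which those counters are the visible result: it decodes the NetFlow v5 and v9 headers, applies an exporter allowlist, and increments counters named after the show nfcstats fields. It goes one step further than the page by tracking v9 sequence numbers per exporter, since a jump there means export packets were lost on the way to the collector (for example, dropped by a firewall) even though some NetFlow is arriving. The exporter list, the packets and the "v9 sequence gaps" counter are constructed for this example.

```python
"""Classify NetFlow export packets the way the NTBA preprocessing counters
in show nfcstats do (unconfigured exporter, invalid NetFlow version,
non-IPv4 source, truncated packet) and detect v9 sequence gaps, which
indicate loss between exporter and collector.

Added example, not NTBA code. Only the v5 and v9 headers are decoded; the
exporter list and the packets are constructed here. The counter names
mirror the show nfcstats output; "v9 sequence gaps" is an addition.
"""
import struct
from collections import Counter
from ipaddress import ip_address
from typing import Dict, Iterable, List, Tuple

# RFC 3954 v9 header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")
# Classic v5 header: version, count, sysUptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")


class Truncated(ValueError):
    """Packet shorter than the header its version requires."""


class UnsupportedVersion(ValueError):
    """Neither NetFlow v5 nor v9."""


def parse_header(payload: bytes) -> Dict[str, int]:
    """Decode the export header; the flow records that follow are not needed here."""
    if len(payload) < 2:
        raise Truncated("no version field")
    version = struct.unpack_from("!H", payload)[0]
    if version == 5:
        if len(payload) < V5_HEADER.size:
            raise Truncated("short v5 header")
        _, count, _, _, _, seq, _, engine_id, _ = V5_HEADER.unpack_from(payload)
        return {"version": 5, "count": count, "sequence": seq, "source_id": engine_id}
    if version == 9:
        if len(payload) < V9_HEADER.size:
            raise Truncated("short v9 header")
        _, count, _, _, seq, source_id = V9_HEADER.unpack_from(payload)
        return {"version": 9, "count": count, "sequence": seq, "source_id": source_id}
    raise UnsupportedVersion(f"netflow version {version}")


def classify(packets: Iterable[Tuple[str, bytes]],
             configured_exporters: Iterable[str]):
    """Return (counters, accepted headers) for a list of (source_ip, payload)."""
    exporters = set(configured_exporters)
    counters: Counter = Counter()
    accepted: List[Tuple[str, Dict[str, int]]] = []
    expected_seq: Dict[Tuple[str, int], int] = {}
    for src, payload in packets:
        if ip_address(src).version != 4:
            counters["Pkts with IP version other than 4"] += 1
            continue
        if src not in exporters:
            counters["Pkts from unconfigured exporter"] += 1
            continue
        try:
            hdr = parse_header(payload)
        except UnsupportedVersion:
            counters["Pkts with invalid netflow version"] += 1
            continue
        except Truncated:
            counters["Erroneous flow data records"] += 1
            continue
        counters[f"Total v{hdr['version']} flow data records"] += hdr["count"]
        if hdr["version"] == 9:
            # v9 sequence numbers count export packets per source_id, so a
            # jump means packets never reached the collector.
            key = (src, hdr["source_id"])
            if key in expected_seq and hdr["sequence"] != expected_seq[key]:
                counters["v9 sequence gaps"] += 1
            expected_seq[key] = hdr["sequence"] + 1
        accepted.append((src, hdr))
    return counters, accepted


def v9_packet(count: int, seq: int, source_id: int = 0) -> bytes:
    return V9_HEADER.pack(9, count, 1000, 1380000000, seq, source_id)


def v5_packet(count: int, seq: int) -> bytes:
    return V5_HEADER.pack(5, count, 1000, 1380000000, 0, seq, 0, 1, 0)


CONFIGURED_EXPORTERS = {"10.1.1.5"}          # constructed
SAMPLE_PACKETS = [                           # constructed
    ("10.1.1.5", v9_packet(3, 100)),
    ("10.1.1.5", v9_packet(2, 102)),         # sequence 101 never arrived
    ("10.1.1.5", v5_packet(2, 7)),
    ("10.9.9.9", v9_packet(1, 1)),           # exporter not configured
    ("10.1.1.5", struct.pack("!HH", 1, 1) + b"\x00" * 12),  # NetFlow v1
    ("2001:db8::1", v9_packet(1, 1)),        # IPv6 source
    ("10.1.1.5", b"\x00\x09\x00"),           # truncated v9 header
]

if __name__ == "__main__":
    counters, accepted = classify(SAMPLE_PACKETS, CONFIGURED_EXPORTERS)
    for name, value in sorted(counters.items()):
        print(f"{name:40} : {value}")
```

When the appliance counters show "Pkts from unconfigured exporter" climbing while "Total v9 flow data records" stays flat, the exporter's source address (step 7 above) is the first thing to compare against the configured one; the sequence-gap check catches the quieter case where only part of the export reaches the collection port.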

Antimalware system faults

Antimalware system faults might occur while you download the antimalware updates. Make sure you are connected to the Internet while downloading and updating the antimalware software and DAT updates. You can check the system events for the root cause.

    Figure 14-2 Incorrect proxy credentials

The Fault Type displays Gateway Anti-Malware signature download failure, and the reasons can be:

- Incorrect proxy credentials: to resolve this issue, configure the correct credentials.
- Update server is not reachable: to resolve this issue, check the network connection.

If no Anti-malware alerts are seen

Task

1 Check if, in the IPS Sensor, the interface through which the traffic is being sent is selected for anti-malware detection at the policy level.
2 Check if, in the IPS, the applied policy has anti-malware enabled for the anti-virus engine for all file types.

    Figure 14-3 Advanced Malware Policies page

3 Check using the show netstat command if the NTBA Appliance is listening on the expected port:

    [root@ntba /nba]# netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address      Foreign Address     State
    tcp                 :                  :https              ESTABLISHED
    tcp                 :ssh               :ltp                ESTABLISHED
    tcp                 :                  :56329              ESTABLISHED
    tcp                 :                  :https              ESTABLISHED
    tcp                 :                  :8502               ESTABLISHED
    tcp      0      0   localhost:https    localhost:60564     TIME_WAIT
    tcp                 :                  :https              ESTABLISHED
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags Type State I-Node Path

4 Check whether the proxy server is enabled. Anti-malware download support through a proxy server is available only from a later release onward.
5 Check whether the IPS Sensor is sending anti-malware files to the Gateway Anti-Malware engine of NTBA.


Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Best Practices Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

How To Fix A Fault Notification On A Network Security Platform 8.0.0 (Xc) (Xcus) (Network) (Networks) (Manual) (Manager) (Powerpoint) (Cisco) (Permanent

How To Fix A Fault Notification On A Network Security Platform 8.0.0 (Xc) (Xcus) (Network) (Networks) (Manual) (Manager) (Powerpoint) (Cisco) (Permanent XC-Cluster Release Notes Network Security Platform 8.0 Revision A Contents About this document New features Resolved issues Known issues Installation instructions Product documentation About this document

More information

McAfee SaaS Email Archiving

McAfee SaaS Email Archiving User Guide McAfee SaaS Email Archiving COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee

More information

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course The McAfee Firewall Enterprise System Administration course from McAfee University is a fast-paced,

More information

McAfee Database Activity Monitoring 5.0.0

McAfee Database Activity Monitoring 5.0.0 Product Guide McAfee Database Activity Monitoring 5.0.0 For use with epolicy Orchestrator 4.6.3-5.0.1 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

McAfee Directory Services Connector extension

McAfee Directory Services Connector extension Getting Started Guide Revision A McAfee Directory Services Connector extension For use with epolicy Orchestrator 4.6.1 through 5.0 COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission.

More information

Installation Guide Revision B. McAfee Email Gateway 7.x Virtual Appliances

Installation Guide Revision B. McAfee Email Gateway 7.x Virtual Appliances Installation Guide Revision B McAfee Email Gateway 7.x Virtual Appliances COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

The client transfer between epo servers guide. McAfee Drive Encryption 7.1.3

The client transfer between epo servers guide. McAfee Drive Encryption 7.1.3 The client transfer between epo servers guide McAfee Drive Encryption 7.1.3 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Integration Guide. McAfee Asset Manager. for use with epolicy Orchestrator 4.6

Integration Guide. McAfee Asset Manager. for use with epolicy Orchestrator 4.6 Integration Guide Manager for use with epolicy Orchestrator 4.6 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software Hardware Sizing and Bandwidth Usage Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Product Guide. McAfee SaaS Endpoint Protection (October, 2012 release)

Product Guide. McAfee SaaS Endpoint Protection (October, 2012 release) Product Guide McAfee SaaS Endpoint Protection (October, 2012 release) COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Product Guide. McAfee Endpoint Protection for Mac 2.1.0

Product Guide. McAfee Endpoint Protection for Mac 2.1.0 Product Guide McAfee Endpoint Protection for Mac 2.1.0 COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Release Notes 7.5 [formerly IntruShield]

Release Notes 7.5 [formerly IntruShield] Release Notes Release Notes 7.5 [formerly IntruShield] Revision B Contents About this document New features Resolved issues Known issues Install and upgrade notes Find product documentation About this

More information

CLI Guide Revision D. McAfee Network Security Platform 8.0

CLI Guide Revision D. McAfee Network Security Platform 8.0 CLI Guide Revision D McAfee Network Security Platform 8.0 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Administrators Guide Revision A. McAfee Email Gateway 7.5.0 Appliances

Administrators Guide Revision A. McAfee Email Gateway 7.5.0 Appliances Administrators Guide Revision A McAfee Email Gateway 7.5.0 Appliances COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Best Practices Revision A. McAfee Email Gateway 7.x Appliances

Best Practices Revision A. McAfee Email Gateway 7.x Appliances Best Practices Revision A McAfee Email Gateway 7.x Appliances COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

McAfee MOVE AntiVirus (Agentless) 3.6.0

McAfee MOVE AntiVirus (Agentless) 3.6.0 Product Guide McAfee MOVE AntiVirus (Agentless) 3.6.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,

More information

Product Guide Revision A. McAfee Web Reporter 5.2.1

Product Guide Revision A. McAfee Web Reporter 5.2.1 Product Guide Revision A McAfee Web Reporter 5.2.1 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Setup Guide Revision A. WDS Connector

Setup Guide Revision A. WDS Connector Setup Guide Revision A WDS Connector COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee

More information

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software Best Practices Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Administration Guide Revision E. SaaS Email Protection

Administration Guide Revision E. SaaS Email Protection Administration Guide Revision E SaaS Email Protection COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK ATTRIBUTIONS

More information

Virtualization Guide. McAfee Vulnerability Manager Virtualization

Virtualization Guide. McAfee Vulnerability Manager Virtualization Virtualization Guide McAfee Vulnerability Manager Virtualization COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

System Status Monitoring Guide. McAfee Network Security Platform 6.1

System Status Monitoring Guide. McAfee Network Security Platform 6.1 System Status Monitoring Guide McAfee Network Security Platform 6.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended

More information

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software User Guide FIPS Mode For use with epolicy Orchestrator 4.6.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

McAfee VirusScan Enterprise for Linux 1.7.0 Software

McAfee VirusScan Enterprise for Linux 1.7.0 Software Configuration Guide McAfee VirusScan Enterprise for Linux 1.7.0 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication

More information

McAfee Web Gateway 7.4.1

McAfee Web Gateway 7.4.1 Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

Administration Guide Revision E. Account Management. For SaaS Email and Web Security

Administration Guide Revision E. Account Management. For SaaS Email and Web Security Administration Guide Revision E Account Management COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK ATTRIBUTIONS

More information

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance 1 0 0 0 1 1 QUICK START GUIDE Web Security Appliance Web Security Appliance Cisco S170 303417 Cisco S170 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software McAfee Global Threat Intelligence File Reputation Service Best Practices Guide for McAfee VirusScan Enterprise Software Table of Contents McAfee Global Threat Intelligence File Reputation Service McAfee

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

McAfee Content Security Reporter 1.0.0 Software

McAfee Content Security Reporter 1.0.0 Software Product Guide Revision A McAfee Content Security Reporter 1.0.0 Software For use with epolicy Orchestrator 4.6.2 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

McAfee Security Information Event Management (SIEM) Administration Course 101

McAfee Security Information Event Management (SIEM) Administration Course 101 McAfee Security Information Event Management (SIEM) Administration Course 101 Intel Security Education Services Administration Course The McAfee SIEM Administration course from McAfee Education Services

More information

McAfee SiteAdvisor Enterprise 3.5 Patch 2

McAfee SiteAdvisor Enterprise 3.5 Patch 2 Installation Guide McAfee SiteAdvisor Enterprise 3.5 Patch 2 For use with epolicy Orchestrator 4.5, 4.6 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Intel Security Certified Product Specialist McAfee Network Security Platform (NSP)

Intel Security Certified Product Specialist McAfee Network Security Platform (NSP) Intel Security Certified Product Specialist McAfee Network Security Platform (NSP) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking for

More information

Panorama High Availability

Panorama High Availability Panorama High Availability Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054

More information

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software Installation Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Virtual Managment Appliance Setup Guide

Virtual Managment Appliance Setup Guide Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

McAfee Advanced Threat Defense 3.6.0

McAfee Advanced Threat Defense 3.6.0 Release Notes McAfee Advanced Threat Defense 3.6.0 Revision C Contents About this release New Features Enhancements Resolved issues Installation and upgrade notes Known issues Product documentation About

More information

Enterprise Manager. Version 6.2. Administrator s Guide

Enterprise Manager. Version 6.2. Administrator s Guide Enterprise Manager Version 6.2 Administrator s Guide Enterprise Manager 6.2 Administrator s Guide Document Number 680-017-017 Revision Date Description A August 2012 Initial release to support version

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Product Guide. McAfee Endpoint Security 10

Product Guide. McAfee Endpoint Security 10 Product Guide McAfee Endpoint Security 10 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE,

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 Upgrade Guide McAfee Vulnerability Manager Microsoft Windows Server 2008 R2 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection,

More information

Rally Installation Guide

Rally Installation Guide Rally Installation Guide Rally On-Premises release 2015.1 rallysupport@rallydev.com www.rallydev.com Version 2015.1 Table of Contents Overview... 3 Server requirements... 3 Browser requirements... 3 Access

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

Intel Security Certified Product Specialist Security Information Event Management (SIEM) Intel Security Certified Product Specialist Security Information Event Management (SIEM) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software Product Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2003

Setup Guide. Email Archiving for Microsoft Exchange Server 2003 Setup Guide Email Archiving for Microsoft Exchange Server 2003 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

McAfee Email Gateway 7.6.400 VMtrial Appliances

McAfee Email Gateway 7.6.400 VMtrial Appliances Installation Guide Revision D McAfee Email Gateway 7.6.400 VMtrial Appliances COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

McAfee Client Proxy 2.0

McAfee Client Proxy 2.0 Product Guide Revision B McAfee Client Proxy 2.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

McAfee Enterprise Mobility Management 11.0 Software

McAfee Enterprise Mobility Management 11.0 Software Product Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Cisco Application Networking Manager Version 2.0

Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager (ANM) software enables centralized configuration, operations, and monitoring of Cisco data center networking equipment

More information

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software Installation Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK

More information

Detecting rogue systems

Detecting rogue systems Product Guide Revision A McAfee Rogue System Detection 4.7.1 For use with epolicy Orchestrator 4.6.3-5.0.0 Software Detecting rogue systems Unprotected systems, referred to as rogue systems, are often

More information

QUICK START GUIDE. Cisco C170 Email Security Appliance

QUICK START GUIDE. Cisco C170 Email Security Appliance 1 0 0 1 QUICK START GUIDE Email Security Appliance Cisco C170 303357 Cisco C170 Email Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

pt360 FREE Tool Suite Networks are complicated. Network management doesn t have to be.

pt360 FREE Tool Suite Networks are complicated. Network management doesn t have to be. pt360 FREE Tool Suite Networks are complicated. Network management doesn t have to be. pt360 FREE Tool Suite - At a Glance PacketTrap Networks November, 2009 PacketTrap's pt360 FREE Tool Suite consolidates

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.5-8.1.5.14 NS-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation

More information

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4 Product Guide McAfee Endpoint Encryption for Files and Folders 4.2 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

HP TippingPoint Security Management System User Guide

HP TippingPoint Security Management System User Guide HP TippingPoint Security Management System User Guide Version 4.0 Abstract This information describes the HP TippingPoint Security Management System (SMS) client user interface, and includes configuration

More information

Best Practices Guide. McAfee Endpoint Protection for Mac 1.1.0

Best Practices Guide. McAfee Endpoint Protection for Mac 1.1.0 Best Practices Guide McAfee Endpoint Protection for Mac 1.1.0 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

Cisco S380 and Cisco S680 Web Security Appliance

Cisco S380 and Cisco S680 Web Security Appliance QUICK START GUIDE Cisco S380 and Cisco S680 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance in a Rack 6 Plug In the Appliance

More information

McAfee Client Proxy 1.0.0 Software

McAfee Client Proxy 1.0.0 Software Product Guide McAfee Client Proxy 1.0.0 Software For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the

More information

OnCommand Performance Manager 1.1

OnCommand Performance Manager 1.1 OnCommand Performance Manager 1.1 Installation and Administration Guide For VMware Virtual Appliances NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408)

More information

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software Product Guide Revision A McAfee Secure Web Mail Client 7.0.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Installation Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2010

Setup Guide. Email Archiving for Microsoft Exchange Server 2010 Setup Guide Email Archiving for Microsoft Exchange Server 2010 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Installing and Administering VMware vsphere Update Manager

Installing and Administering VMware vsphere Update Manager Installing and Administering VMware vsphere Update Manager Update 1 vsphere Update Manager 5.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform McAfee Endpoint Security 10 provides customers with an intelligent, collaborative framework, enabling endpoint defenses to

More information