Administrators Guide Revision A. McAfee Email Gateway 7.5.0 Appliances



COPYRIGHT
Copyright 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee Email Gateway Appliances Administrators Guide

Contents

Preface 9
About this guide; Audience; Conventions; What's in this guide; Find product documentation

Working with your McAfee Email Gateway 11
How McAfee Email Gateway processes mail traffic through your network; The interface; Make changes to the appliance's configuration; Using lists; Import and export information; Ports used by McAfee Email Gateway; Resources; Top Frequently Asked Questions (FAQs); Using the McAfee Email Gateway 7.x troubleshooting tree; Upgrade methods available; Benefits of upgrading from previous versions of the product; Task Migrate settings from Email and Web Security Appliance 5.6 and Content Security Blade Server 5.6; Task Migrate settings from Email and Web Security Virtual Appliance 5.6; Task Upgrade from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator; Differences in feature locations between Email and Web Security and Email Gateway; About timeouts; Working with FIPS

Overview of Dashboard features 31
The Dashboard; Benefits of using the Dashboard; Dashboard portlets; Task Setting Dashboard thresholds definitions; Inbound Mail Summary portlet definitions; Outbound Mail Summary portlet definitions; SMTP Detections portlet definitions; POP3 Detections portlet definitions; System Summary portlet; Task Set message queue size alerts definitions; Hardware Summary portlet definitions; Network Summary portlet definitions; Services portlet definitions; Clustering portlet definitions; Tasks portlet

Overview of Reports features 53
Types of reports; Message Search overview; Benefits of using Message Search; Message Search parameters; Message Search results; Message Search icons; Task Identify quarantined messages; Task Find out which messages are queued; Task Find out which messages are being blocked; Task Find the emails that were successfully delivered; Task A user has requested that I release one of their quarantined messages; Task Export a message search report; Task Find a message containing a named attachment; Scheduled Reports; Benefits of creating Scheduled Reports definitions; Scheduled Reports; Task See the number of detections by protocol and threat type over the last week; Task Send your manager an activity report in PDF format every Monday at 10.00am; Task Download a report in .csv format for further processing; Task Send the administrator a report that shows virus detections in email messages over the last week; Scheduled Reports New Report dialog box; Scheduled Reports Edit Report dialog box; Email Reports; Introduction to the Email Reports page; Benefits of using email reports; Types of email reports; Types of email report views; Types of email report filters; Favorite reports; Task Generate an activity overview for a particular sender; Task Show me the total viruses detected over the previous week; System Reports; Introduction to the System Reports page; Benefits of using system reports; Types of System reports; Types of System report views; Types of System report filters; Favorite reports; Task Generate a report that shows all threat detection updates

Overview of Email menu 85
Life of an email message; Email Configuration overview; Protocol Configuration definitions; Protocol Presets dialog box definition - New Protocol Preset; Receiving Email; Sending Email; Sending Email Add Relay List dialog box and Add MX Lookup dialog box; Anti-Relay Settings; Add Relay Domain dialog box and Add MX Lookup dialog box; Email Policies; Introduction to policies; Email Policies; Task Re-write the Subject of all messages matching a policy; Task Modify the headers of all messages matching a policy; Scanning Policies - Add Policy definitions; Add Rule dialog box and Edit Rule dialog box definitions; Scanning Policies New Policy Add user group definitions; Scanning Policies New Policy Add network group definitions; Subject Templates; Anti-Virus policy settings; Anti-Spam policy settings; Compliance policy settings; Policy s settings; DLP and Compliance overview; Registered Documents; Compliance Dictionaries definitions; Add Dictionary Details definitions; Applicable File Formats definitions; OR Condition definitions; AND Condition definitions; Edit Regular Expression; Encryption; Types of Encryption; Secure Web Mail; S/MIME; PGP encryption; TLS; Secure Web Mail Branding; Task Encrypt all email that triggers against the HIPAA compliance dictionaries; Task Use S/MIME to encrypt all email to a specific target domain; Task Deliver all email from a specific customer using S/MIME encryption; Task Use PGP to encrypt all messages; Task Deliver all email from a specific customer using PGP encryption; Certificate Management; Certificates definitions; Certificate Details dialog box; Certificate Revocation Lists (CRLs); Hybrid configuration; Benefits of using hybrid scanning; About the hybrid registration and configuration process; Registration; Domain Management; Group Management; Directory Services; Network Groups definitions; Add Network Group definitions; Add Rule Senders and Recipients definitions; Add User Group; Task Add a user group; Add Directory Service wizard; Benefits of adding LDAP directory services definitions; Directory Service Details page definitions; Directory Service Queries page definitions; Directory Service Query page s; Test Directory Service Query page; Task Set up the appliance to use a Microsoft Exchange Server as an LDAP server; Task Create a sample LDAP query; Quarantine Configuration; Quarantine s; Quarantine Digest s definitions; Digest Message Content; Quarantine Queue Settings

Overview of System menu 313
Appliance Management; General; Network Interfaces Wizard; DNS and Routing; Time and Date; Remote Access; Gateway Certificate; Certificate and Key Export wizard; UPS Settings; Add UPS Device Wizard; Default Server Settings; System Administration; Configuration Management; Configuration Push; Cluster Management definitions; MAC Addresses; Resilient Mode; Configure Automatic Configuration Backups wizard; Database Maintenance; Rescue Image; System Commands; Users; Users and Roles definitions; New Role dialog box definitions; Role Details dialog box; Password Management; Login Services; Add Login Services wizard; Session Management; DoD CAC Authentication definitions; CAC Certificate Attribute Mapping definitions; Custom Text dialog box definitions; User Details; Virtual Hosting; Virtual Hosts; Virtual Networks definitions - Edit Virtual Network; Add Virtual Host wizard definitions; New Scanning Policy definition - New Protocol Preset; Logging, Alerting and SNMP; Alerting; SNMP Alert Settings; SNMP Monitor Settings; System Log Settings; Logging Configuration; Logging Configuration Override events dialog boxes; Configure System Log Archive wizard; Component Management; Update Status; Package Installer; ePO; Anti-virus engines; Configure Anti-Virus Updates wizard; Configure Anti-Spam Updates wizard; Configure Automatic Package Updates; Edit Preferences (Warning Thresholds); Setup Wizard; Welcome; Standard Setup; Custom Setup; Network Interfaces Wizard; Network Interface Layout; Restore from a file; Setup ePO Managed Setup; Encryption Only Setup

Overview of Troubleshoot features 447
Troubleshooting Tools; Ping and Trace Route; Generate Test System Load; Route Information; Disk Space; Hardware Status; FIPS Status; Troubleshooting Reports; Minimum Escalation Report; Capture Network Traffic; Save Queues; Save Log Files; Error Reporting Tool; Tests definitions; System Tests

Overview of Email Gateway appliances and ePolicy Orchestrator Integration 459
How appliances work with ePolicy Orchestrator; Differences in Email Gateway appliance administration under ePolicy Orchestrator; Configuring your appliance for ePolicy Orchestrator management; Removing the ePolicy Orchestrator extension; Managing your appliances from within ePolicy Orchestrator; Task Upgrade from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator

Overview of McAfee Quarantine Manager Integration 467
About McAfee Quarantine Manager; How appliances work with McAfee Quarantine Manager; The relationship between quarantine categories displayed in Message Search and MQM; Custom quarantine queues in McAfee Quarantine Manager

Index 471

Preface

Contents: About this guide; Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.

Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide

Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal.
2 Under Self Service, access the type of information you need:
User documentation: 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document.
KnowledgeBase: Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version.

1 Working with your McAfee Email Gateway

McAfee Email Gateway protects your network from viruses, undesirable content, spam, and other threats. Understand these concepts to help you configure your McAfee Email Gateway.

Contents: How McAfee Email Gateway processes mail traffic through your network; The interface; Ports used by McAfee Email Gateway; Resources; Top Frequently Asked Questions (FAQs); Using the McAfee Email Gateway 7.x troubleshooting tree; Upgrade methods available; About timeouts; Working with FIPS

How McAfee Email Gateway processes mail traffic through your network
This information describes how McAfee Email Gateway processes mail traffic through your internal and external networks.

Mail traffic flow
Within McAfee Email Gateway, all messages originating from outside of your organization are considered Inbound, and all messages leaving your organization are considered Outbound.


The interface
The user interface provides you with an intuitive way of finding information and configuring options for your McAfee Email Gateway. The interface you see might look slightly different from that shown here, because it can vary depending on the appliance's hardware platform, software version, and language.

Figure 1-1 Areas of the user interface

A Navigation area: The navigation area contains four areas: user information, section icons, tab bar, and support controls.
B User information bar
C Section icons. The icons include the following:
Dashboard: Use this page to see a summary of the appliance. From this page you can access most of the pages that control the appliance.
Reports: Use the Reports pages to view events recorded on the appliance, such as viruses detected in email messages, and system activities such as details of recent updates and logins.
Email: Use the Email pages to manage threats to email messages, quarantine of infected email, and other aspects of email configuration.

System: Use the System pages to configure various features on the appliance.
Troubleshoot: Use the Troubleshoot pages to diagnose any problems with the appliance.
D Tab bar: The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what is displayed in the content area.
E Support control buttons: The support control buttons are actions that apply to the content area. Their icons (not reproduced here) do the following:
Refreshes or updates the content.
Returns you to the previously viewed page. We recommend that you click this button, rather than your browser's Back button.
Appears when you configure something to allow you to apply your changes.
Appears when you configure something to allow you to cancel your changes.
Opens a window of Help information. Much of the information in this window also appears in the Product Guide.
F View control: The view control button shows or hides a status window. The status window, which appears in the bottom right of the interface, shows recent activity. New messages are added at the top of the window. If a message is blue and underlined, you can click the link to visit another page. You can also manage the window with its own Clear and Close links.
G Content area: The content area contains the currently active content and is where most of your interaction will be. The changes that you make take effect after you click the green checkmark.

Contents: Make changes to the appliance's configuration; Using lists; Import and export information

Make changes to the appliance's configuration
Use this task to make changes to the operation of the appliance.

Task
1 In the navigation bar, click an icon. The blue tabs below the icons change to show the available features.
2 Click the tabs until you reach the page you need. To locate any page, examine the tabs, or locate the subject in the Help index. The location of the page is often described at the top of the Help page. Example: System | System Administration | Database Maintenance.
3 On the page, select the options. Click the Help button (?) for information about each option.
4 Navigate to other pages as needed.
5 To save your configuration changes, click the green checkmark icon at the top right of the window.
6 In the Configuration change comment window, type a comment to describe your changes, then click OK. Wait a few minutes while the configuration is updated.
7 To see all your comments, select Review Configuration Changes in System | System Administration | Configuration Management.

Using lists
Within the McAfee Email Gateway user interface, lists are used in many places to help define information.

Contents: Make and view lists; Add information to a list; Remove single items from a list; Remove many items from a list; Change information in a list; View information in a long list; Order information in a list by priority; Order information alphabetically in a list

Make and view lists
Lists specify information such as domains, addresses and port numbers on many pages in the interface. You can add new items to a list, and delete existing items. Although the number of rows and columns might vary, all lists behave in similar ways. In some lists, you can also import items from a prepared file, and change the order of the items. Not all lists have these actions. This section describes all the actions that are available in the interface.

Add information to a list
Add information into a list within the user interface.

Task
1 Click Add below the list. A new row appears in the table. If this is your first item, a column of checkboxes appears on the left of the table. You might also see a Move column on the right of the table.
2 Type the details in the new row. Press Tab to move between fields.
3 For help with typing the correct information, move your cursor over the table cell, and wait for a pop-up to appear. For more information, click the Help icon.
4 To save the new items immediately, click the green checkmark.

Remove single items from a list
Some lists take a long time to create, and therefore you can delete only one entry at a time to prevent the accidental deletion of a lot of information. If the item cannot be deleted, the trashcan icon is unavailable.

Task
1 Click the item to select it. The row turns pale blue.
2 Click the trashcan icon, or click Delete at the bottom of the list.

Remove many items from a list
On some long lists, you can remove many items quickly.

Task
1 In the column of checkboxes on the left of the table, select each required item. To select many items, select the checkbox in the table's heading row to select all the items, then deselect those that you want to keep.
2 Click Delete at the bottom of the list.
3 To save the new changes immediately, click the green checkmark.

Change information in a list
Change information contained within a list within the user interface. If an item cannot be changed, the edit icon is unavailable.

Task
1 Click the edit icon.
2 Click on the text, then delete or retype it.

To save the new changes immediately, click the green checkmark. To cancel any recent changes, click the close button at the top right of the window.

View information in a long list
If the list has many items, you might not be able to see them all at the same time.

Task
1 To determine the position of an item in the list or the size of the list, view the text at the bottom of the list, such as "Items 20 to 29 of ...".
2 To move through the list or to move quickly to either end of the list, click the arrows at the bottom right of the list.

Order information in a list by priority
Some lists display items in priority order. The first item in the list is the highest priority, the last item is the lowest priority. To change an item's priority:

Task
1 Find the row that contains the item.
2 In the Move column (on the right of the table), click the upward or downward arrow.

Order information alphabetically in a list
When information is given in a list, you can sort the list alphabetically.

Task
To change the order:
To force items in a column into alphabetical order, click the column heading. Items in other columns are automatically sorted accordingly. An icon appears in the column heading to indicate that this column is sorted.
To sort the information differently, click the other column headings.
To reverse and restore the alphabetical order of the information within a single column, click the icons in the column heading.

Import and export information
Find out how to import information to, and export information from, the McAfee Email Gateway.

Contents: Import prepared information; Export prepared information

Import prepared information
From some pages, you can import information from other devices, appliances, or software for use on the appliance, such as from a previously prepared comma separated value (.csv) file, or a certificate needed to verify the identity of your appliance or other devices.
Imported information normally overwrites the original information.

Task
1 Click Import.
2 In the Import window, browse to the file. The contents of the Import dialog box change according to the requirements of the type of file or information you are importing. If further options are displayed in the dialog box, make the relevant choices based on that information.
3 Click Open to import the information from the file.

Table 1-1 Some formats for comma separated value (.csv) files
Type of information   Format                          Example
Domain                D, domain, IP address           D, ...
Network address       N, IP address, IP subnet mask   N, ..., ...
Email address         E, email address                E, network_user@example.com
Each item in the file is on a single line.

Export prepared information
From some pages, you can export or download information from the appliance for use on other devices, appliances, software, or to read. The information is generated in various forms, such as a .zip file, a .pdf, or a .csv file.

Table 1-2 Some formats for comma separated value (.csv) files
Type of information   Format                          Example
Domain                D, domain, IP address           D, ...
Network address       N, IP address, IP subnet mask   N, ..., ...
Email address         E, email address                E, network_user@example.com
Each item in the file is on a single line.

Task
1 Click Export or Download.
2 In the Export or Download window, follow the instructions to create the file.

Ports used by McAfee Email Gateway
The appliance uses various ports to communicate with your network and other devices.

Table 1-3 Ports used by McAfee Email Gateway
Use                                                  Protocol     Port number
Software updates                                     FTP          21
Anti-virus DAT updates                               HTTP, FTP    (not given)
McAfee Global Threat Intelligence file reputation    DNS          53
Anti-spam rules and streaming updates                HTTP         (not given)

Table 1-3 Ports used by McAfee Email Gateway (continued)
Use                                                     Protocol      Port number
Anti-spam engine updates                                FTP           21
McAfee Global Threat Intelligence message reputation    SSL           443
URL reputation lookup                                   SSL           443
Secure Web Mail Client Encryption                       SSL           443
Management Port for the User Interface                  SSL           (not given)
URL reputation database update                          HTTP          80
Domain Name System (DNS)                                DNS           53
McAfee Quarantine Manager                               HTTP, HTTPS   (not given)
Active Directory                                        (not given)   389
McAfee Global Threat Intelligence feedback              SSL           443

Intercept ports
When operating in either of the transparent modes (transparent bridge mode or transparent router mode), the appliance uses the following intercept ports to intercept traffic to be scanned.

Table 1-4 Intercept ports
Protocol   Port number
POP3       110
SMTP       25

Listening ports
The appliance typically uses the following ports to listen for traffic on each protocol. The appliance listens for traffic arriving on the designated ports. You can set up one or more listening ports for each type of traffic being scanned by your appliance.

Table 1-5 Typical listening ports
Protocol   Port number
POP3       110
SMTP       25

Ports used for ePolicy Orchestrator communication
When you configure your McAfee Email Gateway to be managed by ePolicy Orchestrator, or when you set ePolicy Orchestrator to monitor and report on your appliances, the following ports are used by default for communication between ePolicy Orchestrator and your appliances.

Table 1-6 ePolicy Orchestrator communication ports
Port usage                                     Port number
Agent to server communication port             80
Agent to server communication secure port      443 (when enabled)
Agent wake-up communication port               8081 (default)
Agent broadcast communication port             8082 (default)

Table 1-6 ePolicy Orchestrator communication ports (continued)
Port usage                                             Port number
Console to application server communication port       8443
Client to server authenticated communication port      8444

Ports used for Hybrid communication
When you configure your McAfee Email Gateway for hybrid scanning with McAfee Email Protection (Hybrid), the following ports are used by default for communication between McAfee Email Gateway and McAfee Email Protection (Hybrid).

Table 1-7 Hybrid communication ports
Use                                                                      Protocol   Port number
SaaS Control Console to appliance for inbound email                      TCP        25
Appliance to the SaaS API web service URLs (hybridapi.mxlogic.com)       TCP        443

IP addresses needed for communication between McAfee Email Gateway and McAfee Email Protection (Hybrid)
To allow communication between McAfee Email Gateway and McAfee Email Protection (Hybrid), you must ensure that the relevant IP addresses for McAfee Email Protection (Hybrid) can be accessed from your McAfee Email Gateway appliances.

Preferred setting
If your hardware firewall solution accepts CIDR notation and supports Class 8 C notation, include the following:
CIDR   Starting IP   Ending IP
(two entries; the addresses are not reproduced in this transcription)

Alternative settings
If your hardware firewall solution accepts CIDR notation but supports only Class 1 C notation, you need to include the following entries for the entire subnet:
CIDR   Starting IP   Ending IP
(twelve entries on this page; the addresses are not reproduced in this transcription)

CIDR   Starting IP   Ending IP
(four further entries; the addresses are not reproduced in this transcription)

Further alternate setting
If your hardware firewall solution does not accept CIDR notation, you need to include the starting and ending IP address for either the Class 8 C addresses or the Class 1 C addresses, which are included above.

Least desirable setting
If your hardware firewall does not accept CIDR notation or ranges of starting and ending IP addresses, you can download a complete listing of affected IP addresses (validiplist.txt).

You can make any of the above changes by creating a firewall rule or restricting access at the server level. We highly recommend that you lock down these subnets at your firewall as the priority preference. Please consult with your network administrator before making any changes. For additional information regarding the restriction of IP addresses, please refer to the instructions for setting up your firewall or guidelines from your firewall provider.

Resources
The information, links, and supporting files that you can find from the Resources dialog box.

Click Resources from the black information bar at the top of the McAfee Email Gateway user interface. The Resources dialog box contains links to different areas or to files that you might need when setting up your appliance.

Technical Support: Clicking this link takes you to the McAfee Technical Support ServicePortal login page. From this page, you can search the KnowledgeBase, view product documentation and video tutorials, as well as access other technical support services.
Submit a sample: If you have a file that you believe to be malicious, but that your McAfee systems are not detecting, you can safely submit it to McAfee for further analysis. Follow the Submit a sample link and either log on or register as a new user to access the McAfee Labs Tool to submit suspicious files.
Virus Information Library: Viruses are continually evolving, with new malicious files being developed daily. To find out more about particular viruses or other threats, follow the link to the McAfee Threat Center.

McAfee Customer Submission Tool: This free tool integrates into Microsoft Outlook and allows users to submit missed spam samples and email that was wrongly categorized as spam to McAfee Labs. McAfee Customer Submission Tool version 2.3 can also be used with McAfee Email Gateway and McAfee Quarantine Manager. The tool supports automated blacklisting and whitelisting, and has an installer that supports automated script-based installations. The latest McAfee Customer Submission Tool and documents can also be downloaded from the following location: tools/customer submission tool.aspx
ePO Extensions: Download the McAfee ePolicy Orchestrator extensions for Email and Web Security Appliances. This file contains both the EWG and the EWS extensions. The EWG extension allows reporting from within McAfee ePolicy Orchestrator for the following products: McAfee Email and Web Security Appliances version 5.5; McAfee Email and Web Security Appliances version 5.6; McAfee Web Gateway; McAfee Email Gateway. The EWS extension provides full McAfee ePolicy Orchestrator management for McAfee Email and Web Security Appliances version 5.6. For you to use McAfee ePolicy Orchestrator for either reporting or management, the ePO extensions need to be installed on your McAfee ePolicy Orchestrator server.
ePO Help Extensions: Download the McAfee ePolicy Orchestrator Help extensions for the ePO extensions listed above. This file installs the Help extensions relating to the McAfee ePolicy Orchestrator extensions for Email and Web Security Appliances onto your McAfee ePolicy Orchestrator server.
SMI File: Download the Structure of Managed Information (SMI) file for use with the Simple Network Management Protocol (SNMP). This file provides information about the syntax used by the SNMP Management Information Base (MIB) file.
MIB File: Download the MIB file for use with SNMP. This file is used to define the information that your McAfee Email Gateway can transmit using SNMP.
HP OpenView NNM Smart Plug-in Installer: Download the HP OpenView installer file to enable you to configure your McAfee Email Gateway to communicate with HP OpenView.

Top Frequently Asked Questions (FAQs)
To view a selection of frequently asked questions that have been submitted by other customers, and learn the answers provided by McAfee Technical Support, refer to KnowledgeBase article KB...
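The .csv import format under Import prepared information (Tables 1-1 and 1-2) is easy to get subtly wrong, and because an import normally overwrites the existing list, a bad file is worth catching before it reaches the appliance. The following Python script is an added example, not code from the guide or from McAfee: it validates a prepared file line by line, reporting the line number of each record it rejects. The sample file is constructed for this example; the only assumption beyond the tables is that the IP address column of a D record is optional.

```python
import csv
import io
import ipaddress
import re

# Record types from Tables 1-1 / 1-2: D = domain, N = network address,
# E = email address. Each record occupies one line of the .csv file.

# Hostname syntax: dotted labels of letters, digits and hyphens, ending in a TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Deliberately loose email check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted subnet mask to a prefix length, rejecting non-contiguous masks."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return prefix


def parse_record(fields):
    """Validate one record; returns (type, value, extra) or raises ValueError."""
    kind = fields[0].upper()
    if kind == "D":
        # Assumption (not stated in the guide): the IP address column is optional.
        if len(fields) not in (2, 3):
            raise ValueError("D record needs: D, domain, IP address")
        domain = fields[1].lower()
        if not DOMAIN_RE.match(domain):
            raise ValueError(f"invalid domain {fields[1]!r}")
        addr = str(ipaddress.ip_address(fields[2])) if len(fields) == 3 else None
        return ("D", domain, addr)
    if kind == "N":
        if len(fields) != 3:
            raise ValueError("N record needs: N, IP address, IP subnet mask")
        prefix = mask_to_prefix(fields[2])
        # strict=False: a host address inside the subnet is accepted and normalised.
        net = ipaddress.ip_network(f"{fields[1]}/{prefix}", strict=False)
        return ("N", str(net), None)
    if kind == "E":
        if len(fields) != 2 or not EMAIL_RE.match(fields[1]):
            raise ValueError("E record needs: E, email address")
        return ("E", fields[1].lower(), None)
    raise ValueError(f"unknown record type {fields[0]!r}")


def parse_import_csv(text: str):
    """Parse a whole file. Returns (records, errors); errors are (line number, message)."""
    records, errors = [], []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        fields = [f.strip() for f in row]
        if not any(fields):          # blank line
            continue
        try:
            records.append(parse_record(fields))
        except ValueError as exc:    # ipaddress errors are ValueErrors too
            errors.append((lineno, str(exc)))
    return records, errors


# Constructed sample file (not from the guide): four valid lines and two bad ones.
SAMPLE_CSV = """\
D, example.com, 192.0.2.10
D, partner.example.net
N, 192.0.2.0, 255.255.255.0
E, network_user@example.com
X, bogus
N, 192.0.2.0, 255.255.0.255
"""

if __name__ == "__main__":
    ok, bad = parse_import_csv(SAMPLE_CSV)
    for rec in ok:
        print("OK  ", rec)
    for lineno, msg in bad:
        print(f"LINE {lineno}: {msg}")
```

Run it against the file you intend to import and fix every reported line before clicking Import; an empty error list is the point at which overwriting the appliance's current list is safe.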
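The hybrid IP-address section above gives the same address space in three shapes, depending on what the firewall accepts: an aggregate CIDR ("Class 8 C"), one entry per Class C network ("Class 1 C"), or a plain starting/ending address range. The Python below is an added example, not McAfee's code, and it derives all three shapes from one aggregate block, plus the "least desirable" full host list and a check that an existing allow-list covers every /24. It reads "Class 8 C" as a /21 (eight /24 networks); the AGGREGATE value is a constructed placeholder, not one of the published McAfee ranges, which this transcription does not contain.

```python
import ipaddress

# Constructed placeholder aggregate (eight Class C networks = /21).
# Substitute the CIDR published by McAfee for your deployment.
AGGREGATE = "10.20.8.0/21"


def firewall_forms(cidr: str, class_c_prefix: int = 24):
    """Derive the preferred, alternative and range forms of one aggregate block."""
    net = ipaddress.ip_network(cidr)           # strict: a misaligned block is rejected
    if class_c_prefix < net.prefixlen:
        raise ValueError(f"{cidr} is smaller than a /{class_c_prefix}")
    preferred = [(str(net), str(net[0]), str(net[-1]))]
    alternative = [(str(s), str(s[0]), str(s[-1]))
                   for s in net.subnets(new_prefix=class_c_prefix)]
    return {
        "preferred": preferred,                   # one CIDR entry
        "alternative": alternative,               # one entry per /24
        "range": [(str(net[0]), str(net[-1]))],   # for firewalls without CIDR
    }


def host_list(cidr: str):
    """Least desirable form: every address in the block, one per line."""
    return [str(a) for a in ipaddress.ip_network(cidr)]


def missing_class_c(allowed, target: str):
    """Return the /24s of `target` that no entry in the firewall allow-list covers."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    return [str(s) for s in ipaddress.ip_network(target).subnets(new_prefix=24)
            if not any(s.subnet_of(a) for a in allowed_nets)]


if __name__ == "__main__":
    forms = firewall_forms(AGGREGATE)
    for name, rows in forms.items():
        print(name)
        for row in rows:
            print("  ", *row)
    print("hosts:", len(host_list(AGGREGATE)))
    # Audit a constructed allow-list that covers only part of the block.
    print("missing:", missing_class_c(["10.20.8.0/23", "10.20.10.0/24"], AGGREGATE))
```

The strict ip_network() call matters: a typo such as 10.20.9.0/21 is refused rather than silently widened, so the entries you paste into the firewall are exactly the block you meant. missing_class_c() is the check to run after the rules are in place, before the appliance's hybrid traffic depends on them.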

Using the McAfee Email Gateway 7.x troubleshooting tree
McAfee support has published a troubleshooting tree to assist you in resolving issues that you might experience with your McAfee Email Gateway. Download the McAfee Email Gateway 7.x troubleshooting tree from KnowledgeBase article PD...

Upgrade methods available
Upgrade configuration and log files from Email and Web Security Appliance 5.6 or Content Security Blade Server 5.6 to McAfee Email Gateway.

Appliance and Blade Server upgrades
If upgrading an appliance or blade server to McAfee Email Gateway from the box itself, you can use either:
a to perform a new installation without preserving any previous settings.
c to perform a full upgrade, restoring the network settings, policies, log files, and messages.
d to preserve the network configuration only.
e to restore the configuration only, such as policy settings.
If installing on a Content Security Blade Server, go first to the Failover Management blade to perform the upgrade, then repeat on the Management blade. Then update the content scanning blades.
To perform the upgrade remotely, use the Rescue Image feature from within the user interface on your Email and Web Security 5.6 appliance (System | System Administration | Rescue Image).

Cluster server upgrade
If installing on an appliance cluster, the steps must be done on all the appliances in the cluster, starting with the Failover Management appliance, then the Management appliance, then the remainder.

Virtual Appliance upgrade
To upgrade from Email and Web Security Virtual Appliance 5.6 to McAfee Email Gateway Virtual Appliance, you have two choices available: option 2a restores configuration and log files, while option 2b restores just the configuration.

Benefits of upgrading from previous versions of the product
Learn how easy it is to upgrade from Email and Web Security Appliance 5.6 or Content Security Blade Server 5.6.
Upgrading or migrating settings from previous product versions restores all protocol, policy, and system settings for you using the McAfee Email Gateway inbuilt migration tools, ensuring your previous level of protection is maintained in all areas. Features associated with LDAP and role-based access control include enhanced protection options in McAfee Email Gateway. There are several supported methods that you can choose from to manage the process in the way that is best suited to your organization:

- From a McAfee Email Gateway installation CD, perform a new installation and restore a configuration file from a previous version.
- From a McAfee Email Gateway installation CD, perform an upgrade from a previous version, retaining configuration and log files.
- To perform the upgrade from another location, obtain the McAfee Email Gateway ISO image and upload it on to an Email and Web Security Appliance 5.6 using the Rescue Image feature (System | System Administration | Rescue Image).

Migrate settings from Email and Web Security Appliance 5.6 and Content Security Blade Server 5.6

This task describes how to migrate settings from McAfee Email and Web Security Appliance 5.6 or McAfee Content Security Blade Server 5.6 to McAfee Email Gateway 7.5.0.

Before you begin

Before performing any upgrade, back up the Email and Web Security Appliance configuration (System | Cluster Management | Backup and Restore Configuration).

If installing on an appliance cluster, the steps must be done on all the appliances in the cluster, starting with the Failover Management appliance, then the Management appliance, then the remainder.

If installing on a Content Security Blade Server, go first to the Failover Management blade server to perform the upgrade, then repeat on the Management blade server, then the scanning blades.

Task

1 Turn on the appliance or blade server, and agree to the license agreement.

2 When the installation options menu appears, choose one of the following installation options:

  a To upgrade from the appliance itself:
    - Choose option a to perform a new installation, then restore the Email and Web Security Appliance 5.6 configuration from a previously backed up configuration file.
    - Choose option c to back up the configuration, policies, log files, and messages, and restore them automatically when you install McAfee Email Gateway 7.5.0.
    - Choose option d to restore only the network configuration settings.
    - Choose option e to restore policy settings, but no log files or messages.

    To get a description of the installation options, press the RETURN key when the installation options menu appears. Press the RETURN key to continue through the descriptions until you return to the installation options menu.

  b Use the installation options menu to define any further installation options, such as the action you want to take when the installation finishes, and press the ENTER key.

  c Select option a to perform the upgrade, then press the ENTER key to confirm the installation option you chose.

  d Press the RETURN key to complete the installation, and wait while the computer restarts.

3 Open a web browser, and connect to the appliance's IP address. If you chose option a, select Restore from a File to reinstate the previous configuration settings.

Depending on the installation option you chose, all protocol, policy, and system settings from Email and Web Security Appliance 5.6 are migrated for you to ensure your previous level of protection is maintained. Settings related to web scanning are not migrated.

To change any network settings after installation, select System | Appliance Management | General and click Change Network Settings.

Migrate settings from Email and Web Security Virtual Appliance 5.6

Use this task to upgrade to Email Gateway Virtual Appliance from Email and Web Security Virtual Appliance 5.6 using the software .iso image.

Before you begin

You must already have Email and Web Security Virtual Appliance 5.6 installed.

After an operating system is installed on a virtual appliance, the virtual machine always starts from the hard disk first. To work around this behavior, you have to shut down the virtual machine and configure a power-on boot delay so that you have enough time to access the Boot menu and tell it to start from the installation CD instead.

Task

1 Download the Email Gateway Virtual Appliance .ISO upgrade file from the McAfee download site and extract it.

2 Shut down the virtual appliance:
  a Log on to the virtual appliance user interface and go to System | System Administration | System Commands.
  b Enter the password.
  c Select Shutdown Appliance.

3 Log on to VMware ESX Server, or use the VMware Infrastructure Client or the VMware vSphere Client to log on to VMware Virtual Center Server.

4 Enable a power-on boot delay to get enough time to force the virtual machine to boot from CD:
  a Select the virtual appliance in the Inventory list and click Summary.
  b Select Edit Settings | Options | Boot Options.
  c In Power on Boot delay, type 10,000 in the text box, and click OK.

5 Turn on the virtual appliance.

6 Make sure the cursor focus is on the Virtual Appliance console, then press the ESC key to open the Boot Menu. Do not select any options yet.

7 Release the cursor from the console and select Connect CD/DVD1.

8 Browse to the folder where you downloaded the Email Gateway Virtual Appliance .ISO file and double-click <McAfee MEG 7.0 <build number>.vmbuy.iso>.

9 When the .iso file is connected, click back on to the console screen. Select CD ROM Drive and press the ENTER key. The virtual appliance starts from the .iso file.

10 Press y to agree to the terms of the license agreement.

11 Select the upgrade option that you want, and press the ENTER key to perform the upgrade.

12 Type y to confirm that you want to continue.

Depending on the installation option you chose, all protocol, policy, and system settings from Email and Web Security Virtual Appliance 5.6 are migrated for you to ensure your previous level of protection is maintained. Settings related to web scanning are not migrated.

Upgrade from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator

Use this task to upgrade to McAfee Email Gateway 7.5.0 from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator (McAfee ePO).

Before you begin

Your McAfee Email Gateway 7.0 appliance must have been upgraded to McAfee Email Gateway 7.5.0, and must be configured and running correctly.

This upgrade process automatically disconnects the appliance from McAfee ePO management.

The inbuilt McAfee Email Gateway migration tools migrate many of your McAfee Email Gateway 7.0 settings for you. However, some settings will need to be recreated.

Task

1 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.0 product.
2 Click Export to export the product policies.
3 Right-click the Policies_for_McAfee_Email_Gateway_7.0.xml link, and save the file.
4 Go to your McAfee Email Gateway appliance.
5 Go to System | Component Management | ePO.
6 Select Migrate ePO Configuration.
7 Import the Policies_for_McAfee_Email_Gateway_7.0.xml file you just created. The import process can take a few minutes to complete.
8 Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.
9 From the McAfee Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions files.
10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway product.
12 Click Import, and import the epo_config_<date_stamp>.xml file you saved in step 8. The policies and settings within the configuration file are migrated across to your McAfee ePO server.

After you have imported the settings into McAfee Email Gateway managed by McAfee ePO, you need to reassign the migrated policies to the correct groups in the System Tree in McAfee ePO.

13 On McAfee ePO, navigate to Menu | Gateway Protection | Email and Web Gateway.

14 From Actions, select Export Connection Settings. Save the epoconfig<xxxxxxx>.zip file.
15 On your McAfee Email Gateway 7.5.0, navigate to System | Component Management | ePO and click Import ePO connection settings. Browse to the epoconfig<xxxxxxx>.zip file, and click OK. Your McAfee ePO configuration settings are imported into your McAfee Email Gateway appliance.
16 Select both Enable ePO management and Allow configuration to be applied from ePO.
17 Apply changes within your McAfee Email Gateway 7.5.0.

Your upgraded appliance is again under McAfee ePO control.

If you had documents registered for Data Loss Prevention in your McAfee Email Gateway 7.0 appliance, the document fingerprints for these are copied to your McAfee Email Gateway 7.5.0 McAfee ePO installation. If you chose to create a scheduled task to push your McAfee Email Gateway 7.0 DLP database to your appliance, you will need to create an equivalent scheduled task to push your McAfee Email Gateway 7.5.0 DLP database to your appliance.

Differences in feature locations between Email and Web Security and Email Gateway

Due to some changes in functionality in McAfee Email Gateway, some features have moved from where they were located in McAfee Email and Web Security Appliance 5.6. For customers upgrading to McAfee Email Gateway 7.5.0, learn where these features are now located.

Table 1-8 The Email menu
Previous feature location  ->  New feature location
Email | Overview  ->  No longer applicable
Email | Message Search  ->  Reports | Message search
Email | Policies | Compliance Dictionaries  ->  Email | DLP and Compliance
Email | Policies | Registered Documents  ->  Email | DLP and Compliance
Email | Configuration | Transport Layer Security  ->  Email | Encryption | TLS
Email | Policies | Scanner Policies | Content Handling | Corrupt or Unreadable Content | Encrypted Content  ->  Email | Policies | Policy Options | Content handling | Encrypted content
Email | Policies | Scanner Policies | Content Handling | Corrupt or Unreadable Content | Signed Messages  ->  Email | Policies | Policy Options | Content handling | Signed messages

Table 1-9 The System menu
Previous feature location  ->  New feature location
System | Appliance Management | Database Maintenance  ->  System | System Administration | Database Maintenance
System | Appliance Management | Rescue Image  ->  System | System Administration | Rescue Image
System | Appliance Management | System Commands  ->  System | System Administration | System Commands
System | Cluster Management  ->  System | System Administration
System | Cluster Management | Backup and Restore Configuration  ->  System | System Administration | Configuration Management
System | Cluster Management | Configuration Push  ->  System | System Administration | Configuration Push
System | Cluster Management | Load Balancing  ->  System | System Administration | Cluster Management
System | Users, Groups and Services  ->  Group Management

Table 1-9 The System menu (continued)
Previous feature location  ->  New feature location
System | Certificate Management  ->  Certificate Management
System | Certificate Management | Appliance HTTPS certificate  ->  System | Appliance Management | Email Gateway Certificate

About timeouts

Learn about the timeouts that occur between the appliance receiving a message, scanning it, and delivering it.

When the appliance receives an email message, the SMTP conversation and the corresponding timeouts occur as follows, where T equals "Time":

T0  The time the appliance receives the connection (where time = zero).
T1  The time between commands (EHLO, MAIL FROM, RCPT TO, DATA (but not the dot that signifies the end of DATA), RSET), as defined in Email | Configuration | Protocol Configuration | Connection Settings (SMTP) | Timeouts.
T2  The time between receiving the chunks of data during DATA transfer.
T3  The time for the whole conversation to occur, that is, to receive a message, scan it, and deliver it.
T4  The total time taken to scan the message, that is, after the appliance has received all the data.
T5  The point at which the appliance has received all the data.

As an email message passes through the appliance, the following timeouts are applied.

Client:     Connection
Appliance:  220 banner
            The appliance waits T1 seconds to receive the next command.
Client:     EHLO
Appliance:  250 OK
            The appliance waits T1 seconds to receive the next command.
Client:     MAIL FROM:
Appliance:  220 OK
            The appliance waits T1 seconds to receive the next command.
Client:     RCPT TO: rcpt@e.f
Appliance:  220 OK
            The appliance waits T1 seconds to receive the next command.
Client:     DATA
Appliance:  354 Enter mail, end with "dot" on a line by itself
            The appliance waits T2 seconds to receive each chunk of data.
Client:     Subject: 1234
            Hello there.
            The appliance scans the data.
            The appliance waits T4 seconds to scan the data.
            The appliance delivers the message and makes an onward connection. The time available for delivery is T3 minus the time already spent receiving the message (T5 − T0) and scanning it. In other words, if the overall time to process a message is six minutes (T3), and receiving the message and scanning it has taken four minutes, the appliance has two minutes to deliver the message. If this limit is exceeded, the email is queued for delivery later.
Appliance:  250 OK

Working with FIPS

Describes how to configure the appliance in FIPS mode.

FIPS mode is enabled during installation. When the appliance is installed with FIPS mode enabled, the Email Gateway installation menu (available locally, over serial, or over ssh) is available. By default, it does not include "Shell access".

To enable FIPS, select k Enable FIPS level 1 compliant installation in the configuration console, then select a Perform installation.

In the Email Gateway Configuration Menu, a FIPS option is available. Select it to access the following options:

Table 1-10 Option definitions
Shell  Enable or disable shell access (disabled by default). Enabling this option makes the appliance non-FIPS compliant.
Failure  Configure how to handle a FIPS validation failure:
  - Ignore the failure and continue booting.
  - Prompt for cryptographic officer password (default). This privilege is available to an administrator role with Access system administration privileges.
SSLFIPS Validate  Enable or disable the OpenSSL FIPS checking (enabled by default). All applications on the appliance that use the OpenSSL library perform the OpenSSL FIPS validity check when they start. If it causes compatibility issues with other devices, it can be disabled.
Re-run FIPS validity tests  Re-run the tests and view the output in the console.

To check that the appliance is running in FIPS mode, click About the Appliance in the menu bar. The FIPS Compliant status shows Yes, No, or Partial. A Partial status is given in the following situations:
- The Shell is enabled.
- FIPS validation failures occurred, and the failure handling has been modified from the default setting Prompt for cryptographic officer password.
- OpenSSL checking is disabled.

Go to Reports | System Reports in the user interface to get more information about the FIPS status.
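The T0 to T5 timeout budget described in About timeouts above, as an added example that is not appliance code: the event names, the Limits fields and the sample transcripts are assumptions made for illustration.

```python
"""Added example (not McAfee code): a model of the T0..T5 timeout budget that
"About timeouts" describes for one SMTP conversation. Event names, the Limits
fields and the sample transcripts below are assumptions made for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    """Configured timeouts in seconds (the values used below are constructed, not defaults)."""
    t1_command: float  # allowed gap between SMTP commands (EHLO, MAIL FROM, RCPT TO, DATA, RSET)
    t2_chunk: float    # allowed gap between chunks of message data during DATA
    t3_total: float    # allowed time for the whole conversation: receive, scan and deliver
    t4_scan: float     # allowed time to scan the message once all data has arrived


@dataclass(frozen=True)
class Outcome:
    status: str                              # "delivered", "queued" or "timeout"
    detail: str
    delivery_budget: Optional[float] = None  # seconds left for delivery when scanning ended


# (seconds since the connection was accepted, event kind, payload)
Event = Tuple[float, str, str]


def delivery_budget(limits: Limits, receive_seconds: float, scan_seconds: float) -> float:
    """Time left to deliver once scanning ends: T3 minus receive time (T5 - T0) and scan time.
    The guide's worked example: T3 = 6 min, 4 min spent receiving and scanning -> 2 min left."""
    return limits.t3_total - (receive_seconds + scan_seconds)


def check_conversation(events: List[Event], limits: Limits) -> Outcome:
    """Walk one SMTP conversation and report which timeout, if any, was hit."""
    t0 = last_command = last_chunk = t5 = scan_done = None
    for ts, kind, payload in events:
        if kind == "connect":             # T0: the appliance sends its 220 banner and waits T1
            t0 = last_command = ts
        elif kind == "command":           # each command must arrive within T1 of the last one
            if ts - last_command > limits.t1_command:
                return Outcome("timeout", f"T1 exceeded waiting for {payload}")
            last_command = ts
            if payload == "DATA":         # after 354 the appliance waits T2 for each chunk
                last_chunk = ts
        elif kind == "chunk":             # a chunk of message data; "." is the terminating dot
            if ts - last_chunk > limits.t2_chunk:
                return Outcome("timeout", "T2 exceeded waiting for the next chunk of data")
            last_chunk = ts
            if payload == ".":
                t5 = ts                   # T5: all data received; scanning starts
        elif kind == "scanned":           # scanning must finish within T4 of T5
            if ts - t5 > limits.t4_scan:
                return Outcome("timeout", "T4 exceeded while scanning the message")
            scan_done = ts
        elif kind == "delivered":         # onward delivery must complete within T3 of T0
            if scan_done is None:
                return Outcome("timeout", "delivery attempted before scanning finished")
            if ts - t0 > limits.t3_total:
                return Outcome("queued", "T3 exceeded; the message is queued for later delivery")
            return Outcome("delivered", "delivered within T3",
                           delivery_budget(limits, t5 - t0, scan_done - t5))
    return Outcome("timeout", "conversation did not complete")


# Constructed sample transcripts following the exchange shown in the guide.
LIMITS = Limits(t1_command=60, t2_chunk=30, t3_total=360, t4_scan=120)

NORMAL_CONVERSATION: List[Event] = [
    (0.0, "connect", ""),
    (1.0, "command", "EHLO"),
    (2.0, "command", "MAIL FROM"),
    (3.0, "command", "RCPT TO"),
    (4.0, "command", "DATA"),
    (5.0, "chunk", "Subject: 1234"),
    (6.0, "chunk", "Hello there."),
    (7.0, "chunk", "."),
    (12.0, "scanned", ""),
    (20.0, "delivered", ""),
]

# The client stalls for 90 s after EHLO, longer than T1 (60 s).
STALLED_CLIENT: List[Event] = NORMAL_CONVERSATION[:2] + [(91.0, "command", "MAIL FROM")]

# Onward delivery that only completes after T3 (360 s) has elapsed.
SLOW_DELIVERY: List[Event] = NORMAL_CONVERSATION[:-1] + [(400.0, "delivered", "")]

if __name__ == "__main__":
    for name, conv in [("normal", NORMAL_CONVERSATION), ("stalled client", STALLED_CLIENT),
                       ("slow delivery", SLOW_DELIVERY)]:
        print(name, check_conversation(conv, LIMITS))
```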

2 Overview of Dashboard features

When you first open the browser, you see the Dashboard, which gives a summary of the activity of the appliance. From this page you can access most of the pages that control the appliance.

Contents
The Dashboard
Option definitions: Inbound Mail Summary portlet
Option definitions: Outbound Mail Summary portlet
Option definitions: SMTP Detections portlet
Option definitions: POP3 Detections portlet
Option definitions: System Summary portlet
Option definitions: Hardware Summary portlet
Option definitions: Network Summary portlet
Option definitions: Services portlet
Option definitions: Clustering portlet
Option definitions: Tasks portlet

The Dashboard

The Dashboard provides a summary of the activity of the appliance. Use this page to access most of the pages that control the appliance.

On a cluster master appliance, use this page also to see a summary of activity on the cluster of appliances. On a McAfee Content Security Blade Server cluster master appliance, use this page also to see a summary of all activity on the scanning blades within the McAfee Content Security Blade Server.

Benefits of using the Dashboard

The Dashboard provides a single location for you to view summaries of the activities of the appliance through a series of portlets.

Figure 2-1 Dashboard portlets

Some portlets display graphs that show appliance activity over the following periods of time:
- 1 hour
- 1 day (the default)
- 1 week
- 2 weeks
- 4 weeks

Within the Dashboard, you can make some changes to the information and graphs displayed:
- Expand and collapse the portlet data using the expand and collapse buttons in the portlet's top right-hand corner.
- Drill down to specific data using the drill-down buttons.
- See a status indicator that shows whether the item needs attention:
  - Healthy: the reported items are functioning normally
  - Requires Attention: a warning threshold has been exceeded
  - Requires Immediate Attention: a critical threshold has been exceeded
  - Disabled: a service is not enabled

- Use the zoom buttons to zoom in and out of a timeline of information. There is a short delay while the view is updated. By default, the Dashboard shows data relating to the previous one day.
- Move a portlet to another location on the Dashboard.
- Double-click the top bar of a portlet to expand it across the top of the Dashboard.
- Set your own alert and warning thresholds to trigger events. To do so, highlight the item and click it, edit the alert and warning threshold fields, and click Save. When the item exceeds the threshold you set, an event is triggered.

Depending on the browser used to view the McAfee Email Gateway user interface, the Dashboard "remembers" the current state of each portlet (whether it is expanded or collapsed, and whether you have drilled down to view specific data), and attempts to re-create that view if you navigate to another page within the user interface and then return to the Dashboard within the same browsing session.

Dashboard portlets

Understand the portlets found on the Dashboard within the user interface of your McAfee Email Gateway.

The Dashboard contains the following portlets: Inbound Mail Summary, Outbound Mail Summary, SMTP Detections, POP3 Detections, System Summary, Hardware Summary, Network Summary, Services, Clustering, and Tasks.

SMTP Detections  Displays the number of detections for the SMTP protocol. You can drill down to find information about the number of detections for each category of detection.
POP3 Detections  Displays the number of detections for the POP3 protocol. You can drill down to find information about the number of detections for each category of detection.
System Summary  Displays the status of important information and parameters for your McAfee Email Gateway.
Network Summary  Displays the number of connections.
Tasks  Displays a list of links to commonly performed tasks.

Email Detections and Web Detections  Displays the number of detections under each protocol. Click Edit to change the view in this window. Although you can choose not to display information about a protocol, the appliance continues to scan that traffic.
System Health  Displays the status of important information and parameters for your McAfee Email Gateway, and lets you change the settings of recommended system configuration changes:
  - For Updates, a green checkmark indicates that the component will update itself automatically. To make a manual update, click the blue link.
  - For other components, a green checkmark indicates that the component is operating within acceptable limits. For more information, click the blue links.
  - To adjust the levels at which the warning and alert icons appear, and to change what the recommended configuration changes dialog box displays, click Edit.
Current detection rates  Displays the status of important detections by the appliance, using icons.

Network Summary  Displays the number of connections under each protocol. Although you can deselect a protocol after clicking Edit, the appliance continues to handle that traffic.
Queues  Displays the number of items, and the number of recipients for each queued item, in the Queued, Quarantined, and Release requests queues maintained by the appliance, using icons. To visit the pages that manage the queues, click the blue links. To quickly search through email in the queues, click Quick search.
Scanning Policies  Displays a list of the policies that the appliance is applying. Although you can deselect a protocol after clicking Edit, the appliance continues to apply policies to that traffic. To view the scanning policies or add more policies, click the blue links.
Clustering  On a master cluster appliance, displays the state of the cluster of appliances. To change the settings of the meter, click Edit.
Tasks  Displays a list of common tasks. To remove or reorganize the tasks, click Edit.
Graphs...  Displays graphs that show appliance activity over time. Although you can deselect a protocol after clicking Edit, the appliance continues to monitor that traffic.

Setting Dashboard thresholds

Within the Dashboard System Summary and Dashboard Services portlets, you can specify thresholds for some of the status indicators. These thresholds are the points at which the status indicators change color and at which the appliance logs an event, indicating a potential issue with your McAfee Email Gateway.

Events will not be logged until the thresholds have been saved, the next Dashboard refresh has taken place, and the threshold has been hit or exceeded.

Task

1 Navigate to the Dashboard System Summary or Dashboard Services portlet. If necessary, expand the portlet by clicking the expand button.

2 Drill down to find the area that you want to set a threshold on. Thresholds can only be set for some areas. These include:
  - System Summary | Swap | Used
  - System Summary | Disk Space | Inodes used and Disk used for each reported folder
  - System Summary | Message Queue | Inbound, Outbound and Total
  - Services | External | McAfee ePO | Event Reports, Communication Attempts, Policy Enforcement and DLP DB Update

3 Click the status indicator (the red, yellow or green circle) for the area on which to set the threshold.

4 Adjust the number shown for the Requires Attention and Requires Immediate Attention threshold fields.

5 Click Save to save the changed thresholds.

When the value for the Dashboard information reaches the new threshold, the status indicator changes to the appropriate color and an event is logged.

Option definitions: Inbound Mail Summary portlet

Use the Inbound Mail Summary portlet to get the delivery and status information about messages sent to your organization. The information in this portlet relates to data from the SMTP Detections | Inbound portlet. Data is shown in bar chart format.

Each incoming message is categorized as one of the following: Delivered, Queued, Blocked, Quarantined, or Bounced.

Counter: Total Inbound Messages
A top-level counter which increments for each email that passes the MAIL FROM stage of the SMTP conversation. If multiple messages are sent down one connection, this counter increments for each of them. You can drill down to see how the connection was received:
- TLS: The email was received over a TLS connection.
- Non-TLS: The email was received over a standard non-TLS connection.

Counter: Delivered
A top-level counter which increments for each email that is delivered. You can drill down to see how the email was delivered:
- Plain: The email was delivered as a standard plain message.
- Encrypted: The email was delivered encrypted by:
  - TLS: The email was delivered over a TLS connection:
    - Secure Web Mail: the content was encrypted using one of the following methods: Push, Pull, Push/Pull
    - S/MIME: the content was encrypted by S/MIME
    - PGP: the content was encrypted by PGP
    - Plain: the content was a standard plain message
  - Non-TLS: The email was delivered over a standard non-TLS connection:
    - Secure Web Mail: the content was encrypted by one of the following methods: Push, Pull, Push/Pull
    - S/MIME: the content was encrypted by S/MIME
    - PGP: the content was encrypted by PGP

Counter: Blocked
A top-level counter which increments for each email that is blocked. You can expand the counter to see the number of messages blocked by sender or connection, recipient, and content:
- Sender/Connection provides a breakdown of the scanner which blocked the email, either: Deny Sender, RBL (Real-Time Blackhole Lists), FCrDNS, BATV, or SPF (Sender Policy Framework).
- Recipient provides a breakdown of the scanner which blocked the email, either: Anti-Relay, LDAP Recipient, Grey Listing, Directory Harvesting, or Rejected Recipient.
- Content provides a breakdown of the scanner which blocked the email, either: GTI Message Reputation, Sender ID, DKIM, Spam, Phish, Mail Filtering, Mail Size Filtering, File Filtering, Denial of Service, Compliance, Image Filtering, Mail URL Reputation, Mail URL Reputation DoS, DLP, Virus, PUPs, or Packers.

Counter: Bounced
The total number of inbound messages that were refused.

Counter: Queued
The total number of inbound messages that were queued awaiting delivery. This includes messages that are subsequently successfully delivered.

Counter: Quarantined
A top-level counter which increments for each message that is quarantined:
- The total number of messages in all of the quarantine queues.
- The total number of messages requested for release by users through quarantine digests.
From within the Quarantined area, you can also drill down into the number of messages quarantined in each quarantine category. A single message may be quarantined to more than one category, so summing the number of messages in all categories will not necessarily give the total number of quarantined messages.

Sender and Recipient Search
Type the name of a particular sender or recipient for whom you wish to locate a message, and click Search to go to the Message Search page.

Search
Click Search to go to the Message Search feature, where you can look for messages based on their status: blocked, bounced, delivered, quarantined, or queued.

Option definitions: Outbound Mail Summary portlet

Use the Outbound Mail Summary portlet to get the delivery and status information about messages sent from your organization. The information in this portlet relates to data from the SMTP Detections | Outbound portlet.

Each outbound message is categorized as one of the following: Delivered, Blocked, Bounced, or Queued. If you are using the quarantine features, messages may also be summarized in the quarantined list.

Counter: Total Outbound Messages
A top-level counter which increments for each email that passes the MAIL TO stage of the SMTP conversation. If multiple messages are sent down one connection, this counter increments for each of them. You can drill down to see how the connection was received:
- TLS: The email was received over a TLS connection.
- Non-TLS: The email was received over a standard non-TLS connection.

Counter: Delivered
A top-level counter which increments for each email that is delivered. You can drill down to see how the email was delivered:
- Plain: The email was delivered as a standard plain message.
- Encrypted: The email was delivered encrypted by:
  - TLS: The email was delivered over a TLS connection:
    - Secure Web Mail: the content was encrypted using one of the following methods: Push, Pull, Push/Pull
    - S/MIME: the content was encrypted by S/MIME
    - PGP: the content was encrypted by PGP
    - Plain: the content was a standard plain message
  - Non-TLS: The email was delivered over a standard non-TLS connection:
    - Secure Web Mail: the content was encrypted by one of the following methods: Push, Pull, Push/Pull
    - S/MIME: the content was encrypted by S/MIME
    - PGP: the content was encrypted by PGP

Counter: Blocked
A top-level counter which increments for each email that is blocked. You can expand the counter to see the number of messages blocked by sender or connection, recipient, and content:
- Sender/Connection provides a breakdown of the scanner which blocked the email, either: Deny Sender, RBL (Real-Time Blackhole Lists), FCrDNS, BATV, or SPF (Sender Policy Framework).
- Recipient provides a breakdown of the scanner which blocked the email, either: Anti-Relay, LDAP Recipient, Grey Listing, Directory Harvesting, or Rejected Recipient.
- Content provides a breakdown of the scanner which blocked the email, either: GTI Message Reputation, Sender ID, DKIM, Spam, Phish, Mail Filtering, Mail Size Filtering, File Filtering, Denial of Service, Compliance, Image Filtering, Mail URL Reputation, Mail URL Reputation DoS, DLP, Virus, PUPs, or Packers.

Counter: Bounced
The total number of outbound messages that were refused.

Counter: Queued
The total number of outbound messages that are queued awaiting delivery.

Counter: Quarantined
A top-level counter which increments for each message that is quarantined:
- The total number of messages in all of the quarantine queues.
- The total number of messages requested for release by users through quarantine digests.
A single message may be quarantined to more than one category, so summing the number of messages in all categories will not necessarily give the total number of quarantined messages.

Search
Click Search to go to the Message Search feature, where you can look for messages based on their status: blocked, bounced, delivered, quarantined, or queued.

Option definitions: SMTP Detections portlet

Use the SMTP Detections portlet to find out the total number of messages that triggered a detection based on the sender or connection, the recipient, or the content, and to view data specific to either inbound or outbound SMTP traffic.

The counters that appear in this portlet work differently from those in the Inbound and Outbound Summary portlets, where each message increments a single counter. In the Detections portlets, one message can increment several counters, depending on the number of checks it fails.

Total
Shows the total number of inbound and outbound messages that triggered a detection, and expands the statistics further to show the number of messages based on the following criteria:
- Sender/Connection provides a breakdown of the scanner which triggered a detection, either: Deny Sender, RBL (Real-Time Blackhole Lists), FCrDNS, BATV, or SPF (Sender Policy Framework).
- Recipient provides a breakdown of the scanner which triggered a detection, either: Anti-Relay, Grey Listing, Rejected Recipient, LDAP Recipient, or Directory Harvesting.
- Content provides a breakdown of the scanner which triggered a detection, either:
  - GTI Message Reputation
  - Sender ID
  - DKIM
  - Spam
  - Phish
  - Mail Filtering
  - Mail Size Filtering
  - File Filtering
  - Denial of Service
  - Compliance
  - Image Filtering
  - Mail URL Reputation
  - Mail URL Reputation DoS
  - DLP
  - Virus, by either the McAfee or the Commtouch Command scanner
  - PUPs, by either the McAfee or the Commtouch Command scanner
  - Packers, by either the McAfee or the Commtouch Command scanner

Inbound
Shows the total number of inbound messages that triggered a detection, and expands the statistics further to show the number of messages based on the same Sender/Connection, Recipient, and Content criteria as listed under Total.

Outbound
Shows the total number of outbound messages that triggered a detection, and expands the statistics further to show the number of messages based on the same Sender/Connection, Recipient, and Content criteria as listed under Total.

Option definitions: POP3 Detections portlet

This information describes the data available from the POP3 Detections portlet. From here, find out how many messages triggered a detection based on threats such as viruses, packers, or potentially inappropriate images.

The counters that appear in this portlet work differently from those in the Inbound and Outbound Summary portlets, where each message increments a single counter. In the Detections portlets, one message can increment several counters, depending on the number of checks it fails.

Spam  Messages that could originate from a spammer.
Phish  Messages that could contain a phish attack.
Mail Size Filtering  Messages filtered because of their size.
Image Filtering  Messages that could contain inappropriate or pornographic images.
Virus  Messages that exhibit virus-like behavior or content.
PUPs  Messages that contain potentially unwanted programs.
Packers  Messages that could contain packers.

Option definitions: System Summary portlet

The System Summary portlet displays information about load balancing, the disk space used for each partition, total CPU usage, used and available memory, and swap details.

Uptime  Displays the amount of time the appliance has been running since it was last started.
Load Average  Displays the five-second load average.
Processor  Displays the total usage for all processors.
Memory  Displays:
  - Memory used: includes used and buffered memory.
  - Free memory: includes free and cached memory.
Swap  Displays:
  - Used: percentage of swap used. Swap is the area on the hard disk that is part of the appliance's virtual memory, which temporarily stores inactive memory pages if there is insufficient physical memory available to hold them.
  - Rate: a high swap rate indicates the system is in some form of overload.
Disk Space  Displays the percentage of inodes and disk space used for each partition.
Message Queue  Displays the current status of the message queue.

Set message queue size alerts

Use queue size alerts to notify administrators when the number of messages in the Message Queue reaches pre-configured maximum numbers. You can set alerts and warnings for the primary Message Queue, and also for the Inbound and Outbound queues separately. You can set thresholds for warnings, alerts, or both. The warning threshold must be equal to or less than the alert threshold.

Task

1 Log on to Email Gateway. Email Gateway opens, displaying the Dashboard.

2 In the System Summary portlet, click the status icon beside Message Queue. The option expands horizontally, showing data fields for warning and alert thresholds.

3 Set thresholds by typing a number to represent the required number of messages in the queue to trigger the warning or alert. Click Save. The Message Queue option collapses to its original state.

4 Set thresholds for the Inbound or Outbound queue by clicking the Message Queue link (not the icon). The Message Queue option expands vertically, showing the Inbound and Outbound options.

5 Set thresholds for Inbound, Outbound, or both by typing a number to represent the required number of messages in the queue to trigger the warning or alert. Click Save. The Inbound and/or Outbound queues collapse to their original state.

Definitions: Hardware Summary portlet

The Hardware Summary portlet uses status indicators to show the status of network interfaces, UPS servers, bridge mode (if enabled), and RAID status.

Information states

The Hardware Summary portlet uses the following status indicators:
- Functioning normally
- A warning threshold has been exceeded (amber)
- A critical threshold has been exceeded (red)
- The service is not enabled (gray)

Further descriptions of a red status indicator for external services are given in the definition table.

Network Interface
  Shows the following for LAN1 and LAN2:
  - Received: data received over the network interface
  - Transmitted: data sent over the network interface
  - Speed: speed of the network interface in bits per second
  A red status indicator against any Network Interface means that urgent attention is required. You may need to:
  - Review your network configuration and check that it is correct.
  - Check that the switch is functioning correctly.
  - Check that the switch configuration is correct.
  - Check the cabling to and from the appliance (not necessary for the Content Security Blade Server).
  - In virtual appliance installations, check the virtual switch configuration.

Hardware Modules
  Shows a summary status indicator for the following hardware modules:
  - Temperature
  - Cooling Device
  - Voltage
  - Memory
  - Fan
  - Module Board
  - Current
  - Cable Interconnect
  - Physical Security
  - Management subsystem
  - Power Supply
  Any module that is not installed is categorized as Not Applicable. Any module that shows as red or amber contains links to Troubleshoot | Troubleshooting Tools | Hardware Status, where you can get more detailed information.

UPS
  When enabled, the following status indicators are available:
  - Healthy: the UPS is online and mains power is working.
  - Requires Attention: caused by one of the following:
    - Using battery power (that is, not mains power)
    - The battery is discharging
    - No battery protection is available
    - The UPS is overloaded
    - The UPS is trimming or boosting the incoming voltage
  - Requires Immediate Attention: the UPS is offline.
  - Critical: the battery is low.

Bridge
  A red status indicates that McAfee Email Gateway is running in bridge mode and is not forwarding the network data.

RAID
  A red status indicates that the RAID array is not running at optimal level.

Definitions: Network Summary portlet

This information describes the data available from the Network Summary portlet.

Connections
  A top-level counter that shows the total number of TCP connections made to the SMTP port on the appliance.

Throughput
  A top-level counter that shows the average throughput of data for all TCP connections made to the SMTP port on the appliance.

Kernel Mode Blocking
  A top-level counter that shows the total number of SYN packets blocked from IP addresses that have triggered a Reject, close and deny (Block) action. By default, the GTI message reputation lookup feature applies this action for the next ten minutes. Within the Kernel Mode Blocking counter you can also drill down to the number of Blocked Hosts. The Kernel Mode Blocking counter gives the number of blocked packets for the currently selected time frame; the Blocked Hosts counter gives the number of hosts currently being blocked.

Definitions: Services portlet

The Services portlet displays update and service status statistics based on the protocols and external servers used by the appliance.
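To make the difference between the two Network Summary counters above concrete, the following Python models the behaviour the portlet describes: once an IP address triggers a Block action, SYN packets from it are dropped for the next ten minutes; the Kernel Mode Blocking value is the number of SYNs dropped within a chosen time frame, while Blocked Hosts is the number of addresses whose block window is still open at a given moment. This is an added illustration, not appliance code; the event list is constructed, and the assumption that a repeated Block action restarts the ten-minute window is the example's own.

```python
# Added example: model of the Kernel Mode Blocking and Blocked Hosts counters.
# Event tuples are (seconds, source_ip, kind); kind is "block" when the GTI message
# reputation lookup applied the Reject, close and deny (Block) action to the address,
# or "syn" for an incoming TCP SYN from that address. All events below are constructed.
BLOCK_SECONDS = 10 * 60  # default block duration described for the Block action

EVENTS = [
    (0,   "198.51.100.7", "block"),
    (5,   "198.51.100.7", "syn"),    # dropped: inside the block window
    (300, "198.51.100.7", "syn"),    # dropped
    (400, "203.0.113.9",  "syn"),    # accepted: this address was never blocked
    (650, "198.51.100.7", "syn"),    # accepted: the ten-minute window closed at t=600
    (700, "203.0.113.9",  "block"),
    (710, "203.0.113.9",  "syn"),    # dropped
]


def replay(events, block_seconds=BLOCK_SECONDS):
    """Replay events in time order.

    Returns (block_until, dropped): block_until maps each address to the time its
    current block window closes; dropped lists (time, ip) for every SYN discarded.
    A repeated Block action restarts the window (an assumption of this model).
    """
    block_until = {}
    dropped = []
    for t, ip, kind in sorted(events):
        if kind == "block":
            block_until[ip] = t + block_seconds
        elif kind == "syn" and block_until.get(ip, -1) > t:
            dropped.append((t, ip))
    return block_until, dropped


def kernel_mode_blocking(events, frame_start, frame_end):
    """Kernel Mode Blocking counter: SYNs dropped within the selected time frame."""
    _, dropped = replay(events)
    return sum(1 for t, _ip in dropped if frame_start <= t <= frame_end)


def blocked_hosts(events, now):
    """Blocked Hosts counter: addresses whose block window is still open at 'now'."""
    block_until, _ = replay([e for e in events if e[0] <= now])
    return sorted(ip for ip, until in block_until.items() if until > now)


if __name__ == "__main__":
    print("dropped SYNs in the first hour:", kernel_mode_blocking(EVENTS, 0, 3600))
    print("hosts blocked at t=100:", blocked_hosts(EVENTS, 100))
    print("hosts blocked at t=650:", blocked_hosts(EVENTS, 650))
```

Note that the two values move independently: at t=650 no host is blocked, yet the first-hour Kernel Mode Blocking count still includes the two SYNs dropped earlier, which is why a non-zero packet count with zero Blocked Hosts is a normal reading and not an inconsistency.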
Information states

The Services portlet uses the following status indicators:
- Functioning normally
- A warning threshold has been exceeded (amber)
- A critical threshold has been exceeded (red)
- The service is not enabled (gray)

Further descriptions of a red status indicator for external services are given in the definition table.

Updates
  Anti-Virus: Shows the anti-virus DAT and engine update status. Anything older than three days is shown in red. If you have activated the additional Commtouch Command anti-virus engine, information specific to that engine is also shown.
  Anti-Spam: Shows the anti-spam definition and engine update status. Anything older than 30 minutes is shown in red.

Status
  External Configuration: Shows any configuration alerts, such as the appliance operating as an open relay.
  FIPS Compliance: When the appliance is installed in FIPS-compliant mode, shows the current FIPS status of McAfee Email Gateway. More detailed information on the FIPS status is available at Troubleshoot | Troubleshooting Tools | FIPS Status.
  SMTP Service: Shows whether the SMTP service is functioning correctly.
  POP3 Service: Shows whether the POP3 service is functioning correctly.
  Encryption Service: Shows whether the encryption service is functioning correctly.
  McAfee ePO: Shows the state of the communication between McAfee Email Gateway and McAfee ePolicy Orchestrator. The following are reported:
    - Event Reports: Events are regularly sent from the appliance to the ePolicy Orchestrator server to be used to generate reports. If event files are not successfully uploaded, this indicator turns red (the default threshold is 25 files that failed to upload).
    - Communication Attempts: The appliance communicates with the McAfee ePO server at regular intervals. Failures of these communication attempts are shown here.
    - Configuration Integrity: The appliance checks that the configuration pushed by the ePolicy Orchestrator server does not contain inconsistencies, such as a policy that refers to a policy group or directory service that no longer exists. The status is either Healthy, or Operational, but requires attention. This issue can occur if incorrect McAfee ePO policies are assigned within the McAfee ePO System Tree.
    - Policy Enforcement: Confirmation that the policy has been correctly enforced on the appliance.
    - DLP DB Updates: Confirmation that the Data Loss Prevention database has been correctly updated.
  MQM: Shows the state of the communication between McAfee Email Gateway and McAfee Quarantine Manager (MQM). A red status indicates that this communication is broken.
  GTI Message Reputation: Shows the state of the communication between McAfee Email Gateway and the McAfee Global Threat Intelligence (McAfee GTI) message reputation server. A red status indicates that this communication is broken.
  GTI Feedback: Shows the state of the communication between McAfee Email Gateway and the McAfee GTI feedback server. A red status indicates that this communication is broken.
  GTI File Reputation: Shows the state of the communication between McAfee Email Gateway and the McAfee GTI file reputation server. A red status indicates that a sample Artemis DNS query did not return the expected answer.
  RBL: Shows the state of the communication between McAfee Email Gateway and any configured RBL (Real-time Blackhole List) servers. A red status indicates that this communication is broken; a gray status can indicate that there are no servers to monitor.
  Syslog: Shows the state of the communication between McAfee Email Gateway and any configured off-box system log servers. A red status indicates that this communication is broken; a gray status can indicate that there are no servers to monitor.
  LDAP: Shows the state of the communication between McAfee Email Gateway and any configured LDAP servers. A red status indicates that a test query did not return the expected response; a gray status can indicate that there are no servers to monitor.
  SNMP: Shows whether the SNMP service is functioning correctly. A red status indicates that the SNMPD agent is not running or not functioning correctly.
  DNS: Shows the state of the communication between McAfee Email Gateway and any configured DNS servers. A red status indicates that this communication is broken; a gray status can indicate that there are no servers to monitor.
  NTP: Shows the state of the communication between McAfee Email Gateway and the configured active NTP (Network Time Protocol) servers. A red status indicates that time synchronization is not up to date with the active NTP server.

Definitions: Clustering portlet

This topic discusses the Clustering portlet, which appears on the Dashboard when you have configured your appliance as part of a cluster, or when you are running McAfee Email Gateway on blade server hardware. This portlet is available only on a cluster master appliance or on the management blade of a blade server.

Messages per hour
  When clicked, the meter displays messages per hour: the average throughput of the cluster, based on measurements taken every few minutes. If the cluster has twice as many scanning appliances, its throughput almost doubles too; the extra management activity consumes some of the processing power.

Status
  Displays the status of the device:
  - Operating normally
  - Needs attention
  - Needs immediate attention

Scanning Device Type
  Displays the type of scanning device:
  - Cluster Master
  - Cluster Failover
  - Email Gateway Appliance

Name
  Displays the name of the appliance as configured.

State
  Displays the current state of each appliance:
  - Network: connected to the network
  - Redundant: the Cluster Failover device is not currently running, but will take over if the cluster master appliance fails
  - Install: installing software
  - Synchronizing: synchronizing with the cluster master
  - Boot: booting
  - Shutdown: shutting down
  - Malconfigured: the configuration file is faulty
  - Unconfigured: not configured for load balancing
  - Disabled: disabled by the user
  - Failed: no longer on the network; no heartbeat was detected
  - Fault: a fault has been detected on this appliance
  - Legacy: not compatible with load balancing

Load
  Displays the average system load over a period of five minutes.

Active Connections
  Displays the number of active connections for each appliance. The row for the cluster master shows the total for all appliances. A further counter displays the number of connections handled by each appliance since the counters were last reset.

Component version information
  Displays the versions of the anti-spam and anti-virus DAT files. The version numbers are the same if the appliances are up to date; during an update the values might differ. To see more information, move the cursor over the text and wait for a yellow tooltip box to appear.

Definitions: Tasks portlet

Use the Tasks portlet to link directly to the areas of the user interface where you search the message queue, view reports, manage policies, configure mail protocol settings and network and system settings, and access troubleshooting features.

View Message Queue and Reports
- Search the Message Queue: Search for messages blocked, bounced, delivered, quarantined, and queued, by sender, recipient, and subject.
- View Favorite Reports: Display your most popular reports in a variety of view types.
- Manage Scheduled Reports: Create schedules for the available report documents, such as activity reports.

Create Policy
- Manage Policy (SMTP): Go to the Policies settings for the SMTP protocol, where you can create and edit policies for anti-virus and anti-spam protection and compliance settings.
- Manage Policy (POP3): Go to the Policies settings for the POP3 protocol, where you can create and edit policies for anti-virus and anti-spam protection and compliance settings.
- Manage Compliance Dictionaries: Choose from a library of predefined rules, or create your own rules and dictionaries specific to your organization. Compliance rules range from a straightforward trigger when an individual term within a dictionary is detected, to combinations of score-based dictionaries that trigger only when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can be combined using logical operations.
- Register DLP Documents: Restrict the flow of sensitive information sent by email through the appliance; for example, block the transmission of a sensitive document such as a financial report to addresses outside your organization.

Configure Mail Protocol
- Configure Relay Domains: Build a list of IP addresses, networks, and users that can, or cannot, connect to the appliance.
- Configure Domain Routing: Set up the network hosts that you want the appliance to use to route mail traffic to specific domains.
- Configure Encryption: Enable the appliance to use the supported encryption methods to deliver your messages securely.
- Manage Certificates: Use digitally signed certificates for tasks such as transferring email securely using TLS, or using S/MIME certificates.

Configure Network
- Manage Network Settings: View and edit basic settings for the appliance, such as its domain name and the network interface settings.
- Manage a Cluster: Specify the appliance's load-balancing requirements when it acts as part of a cluster.
- Manage Virtual Hosting: Specify the addresses on which the appliance receives or intercepts mail traffic (the Inbound Address Pool).

Configure System
- Configure ePO Management: Set up the appliance to be managed by ePolicy Orchestrator.
- Configure Quarantine Options: Tell the appliance to store quarantined messages itself, or to store them using the McAfee Quarantine Manager (MQM) service.
- Generate Syslog Reports: Set up and view system logs for a variety of events.
- Define Directory Services: Configure the appliance to work with your LDAP servers.
- Configure SNMP: Send alerts to the trap manager for a variety of events.
- Configure DNS and Routing: Create a list of DNS servers, sort them in order of priority, and set up routes.

Troubleshoot
- Generate a Minimum Escalation Report: Create a report that contains the minimum information support needs to diagnose a problem with the appliance.
- Run System Tests: Perform a series of tests on the appliance to ensure that key areas are functioning correctly.
- Back up and Restore Configuration: Configure the appliance to back up its configuration, create a backup schedule, and restore the configuration if necessary.

3 Overview of Reports features

This topic provides an overview of the features within McAfee Email Gateway that relate to reporting the activities of the appliance.

Contents
- Reports
- Types of reports
- Message Search overview
- Scheduled Reports
- Scheduled Reports: New Report dialog box
- Scheduled Reports: Edit Report dialog box
- Email Reports
- System Reports

Types of reports

You can generate reports on your appliance, on your ePolicy Orchestrator server, or externally.

Use the external methods to keep the reported events for a longer period than the reporting options on the appliance itself offer. Use the features available from System | Logging, Alerting and SNMP, or from McAfee ePolicy Orchestrator, to send data for generating reports externally.

Table 3-1 External reporting options

System log
  System | Logging, Alerting and SNMP. Supports the common event formats for Splunk and ArcSight.
SNMP
  System | Logging, Alerting and SNMP. Supports the SNMP Alert Settings and SNMP Monitor Settings options. The MIB file can be downloaded from the Resources tab available from the appliance's toolbar.
Alerting
  System | Logging, Alerting and SNMP | Alerting. You can configure Alerting to alert specified people about different events that occur on your appliance.
McAfee ePolicy Orchestrator
  Use ePolicy Orchestrator to generate reports about multiple appliances and security software within your organization, such as the total number of viruses detected within your organization.
McAfee Web Reporter
  System | Logging, Alerting and SNMP. Generates reports about Uniform Resource Locator (URL) filtering activities. See the McAfee Web Reporter Product Guide, available from the McAfee download site.

Use the appliance Dashboard to see high-level event statistics. Use the options in Reports to produce regular and real-time reports on the following types of events on the appliance.

Table 3-2 Reporting options on the appliance

Scheduled reports (Reports | Scheduled Reports)
  Set up regular activity overview (by protocol, threat type, and detection), detection, web detection, and system event reports, and send them to other administrators.
Email reports (Reports | Email Reports)
  Create and view information about threats detected in the email passing through your appliance, and the subsequent actions taken by the appliance.
System reports (Reports | System Reports)
  Create and view information about threat detection updates and system events.

Message Search overview

Use this feature to search for messages that have passed to the DATA phase on your appliance. This feature is also available from within McAfee ePolicy Orchestrator.

Reports | Message Search

Message Search provides a convenient method to locate messages on your appliance. If the appliance has not received the message body, the message cannot be found in Message Search. For example, if an email message is blocked by the Real-time Blackhole Lists (RBLs), the appliance will not have received the message body. In this situation, use Reports | Email Reports in McAfee Email Gateway to find further information about the message.

Contents
- Benefits of using Message Search
- Message Search parameters
- Message Search results
- Message Search icons
- Task: Identify quarantined messages
- Task: Find out which messages are queued
- Task: Find out which messages are being blocked
- Task: Find the emails that were successfully delivered
- Task: A user has requested that I release one of their quarantined messages
- Task: Export a message search report
- Task: Find a message containing a named attachment

Benefits of using Message Search

Message Search enables you to search for messages that have passed to the DATA phase on your McAfee Email Gateway appliance.

A common request from users is "What happened to the message I sent yesterday?", or "My supplier emailed me on Monday, why haven't I received his message yet?" From a single location within the user interface, Message Search lets you confirm the status of messages that have passed through the appliance. It provides information about the email, including:
- Was it delivered?
- Was the message quarantined?
- Was it blocked?
- Is the message queued pending further action?
- Did the message bounce?

You can search on a wide range of criteria, including:
- Message status
- Source IP
- Sender, Recipient or Subject information
- Disposition
- Category
- Whether the email has been modified or not
- Date range
- The virtual host used
- Audit ID

If you have configured Sender address masquerading or Recipient address aliasing, Message Search shows the masqueraded or aliased addresses.

Message Search parameters

This topic describes each of the parameters available with the Message Search feature.

Message status
  You can choose to search All messages. If you suspect that a message is in a certain state, you can also search only for messages that are:
  - Blocked
  - Bounced
  - Delivered
  - Quarantined
  - Queued (this includes quarantined items that have pending release requests)
  You can multi-select to search for messages in more than one status.

Sender, Recipient, Subject
  You can search for emails containing particular sender, recipient, or subject text. The appliance can modify the subject of some emails, typically by adding a [spam] or [phish] prefix to the subject line; however, the subject displayed on the Message Search page is the original subject line of the message, before the appliance made any changes.
  You can use the * and ? wildcard characters in your searches. To search for a literal *, ?, or \ character within these fields, precede it with a backslash (\). For example, use \* to search for the asterisk character.

Category
  When you search on Blocked or Quarantined items, you can further refine your search by selecting the Category that the appliance used to block or quarantine the message.

  For Blocked messages, the following Category options are available:
  - Anti-Phish
  - Anti-Spam
  - Anti-Virus (if you have enabled the additional Commtouch Command anti-virus engine, anti-virus detections are listed by detection engine)
  - Anti-Virus (Packer)
  - Anti-Virus (PUP)
  - Compliance
  - Corrupt Content
  - Data Loss Prevention
  - Directory Harvesting
  - DKIM
  - Encrypted Content
  - File Filtering
  - Image Filtering
  - Mail Filtering
  - Mail Size
  - Message Reputation
  - Sender Authentication Threshold
  - SenderID
  - Signed Content

  For messages that were Quarantined by the appliance, the following Category options are available:
  - Anti-Phish
  - Anti-Spam
  - Anti-Virus (if you have enabled the additional Commtouch Command anti-virus engine, anti-virus detections are listed by detection engine)
  - Anti-Virus (Packer)
  - Anti-Virus (PUP)
  - Compliance
  - Corrupt Content
  - Data Loss Prevention
  - Directory Harvesting
  - Encrypted Content
  - File Filtering
  - Image Filtering
  - Mail Filtering
  - Mail Size
  - Signed Content

  You can multi-select to search for messages in more than one category. See Quarantine Options to find out how the categories relate to those reported in McAfee Quarantine Manager.

Quarantined to
  For messages that were quarantined, you can search all quarantine queues, or select one or more from the list of configured queues: Viruses, PUPs, Compliance, Other, Phish, Spam. A single message may be quarantined to more than one category, so summing the totals across all categories will not necessarily give the total number of quarantined messages.

All Dates / Date Range
  You can search on All Dates, or specify a Date Range using From and To dates and times.

Audit ID
  When an email message passes through the appliance, a Received header containing audit ID information is added to the message headers. The header looks similar to the following:

  Received: from (mta1.example.com [ ]) by meg_appliance1.example.com with smtp id 1448_0004_4d37a0e8_93e1_11df_b43f_ c271 Tue, 20 Jul :29:

  This audit ID can be used to track the message as it passes through the appliance.

Source IP
  The source IP address of the originating server. If your appliance is configured behind one or more Mail Transfer Agents (MTAs), the headers are used to obtain the correct source IP address. If you know the IP address that is sending messages to you, you can search using this address. You can enter either a single address or a network address/netmask.

Disposition
  Allows you to select All, or one or more of Inbound, Outbound and Internal messages in your search.

Type
  When dealing with quarantined messages, this allows you to search for all messages, for original messages, or for messages that have been modified by the appliance. It also allows you to search for messages for which your users have requested Release.
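The Audit ID and Source IP parameters above both depend on the Received headers added by the appliance and by any MTAs in front of it. The following Python is an added example (not code from this guide or from the appliance) that pulls the appliance audit ID out of a constructed message, walks the Received chain past trusted relay MTAs to find the IP that really connected, and tests that IP against a network written as address/netmask, the form the Source IP field accepts. The message, host names, addresses and audit ID value are all constructed for the example; the header layout follows the sample shown under Audit ID.

```python
import ipaddress
import re
from email import message_from_string

# Added example: reading the Received chain that the Audit ID and Source IP search
# parameters rely on. The message is constructed; host names, addresses and the audit
# ID value are made up. The top Received header is the one the appliance adds
# ("... with smtp id <audit id>"); the hop below it was added by an internal relay
# MTA sitting between the Internet and the appliance.
SAMPLE_MESSAGE = (
    "Received: from mx-internal.example.com (mx-internal.example.com [10.0.0.5])"
    " by meg_appliance1.example.com with smtp id"
    " 0001_0001_0123abcd_4567_11e3_89ab_000c29c0ffee; Mon, 12 Aug 2013 09:14:02 +0100\n"
    "Received: from mail.example.net (mail.example.net [192.0.2.25])"
    " by mx-internal.example.com (Postfix) with ESMTP id 7F2C1A3;"
    " Mon, 12 Aug 2013 09:14:01 +0100\n"
    "From: sender@example.net\n"
    "To: user@example.com\n"
    "Subject: Quarterly report\n"
    "\n"
    "Body text.\n"
)

# Appliance hop: "by <appliance host> with smtp id <hex-and-underscore id>".
AUDIT_RE = re.compile(r"\bby\s+(\S+)\s+with\s+smtp\s+id\s+([0-9a-fA-F_]+)")
# The connecting address of a hop is the bracketed IP in its "from ..." clause.
FROM_IP_RE = re.compile(r"^from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.IGNORECASE | re.DOTALL)


def received_hops(raw_message):
    """Received headers, most recent hop first (the order they appear in the message)."""
    return message_from_string(raw_message).get_all("Received") or []


def find_audit_ids(raw_message):
    """(appliance host, audit ID) for every hop stamped by a McAfee Email Gateway appliance."""
    found = []
    for hop in received_hops(raw_message):
        m = AUDIT_RE.search(hop)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def connecting_source_ip(raw_message, trusted_relays):
    """The first hop address that is not one of our own relay MTAs.

    trusted_relays holds addresses or networks (CIDR or address/netmask) of MTAs
    that sit between the Internet and the appliance; their hops are skipped so the
    result is the external server that actually originated the connection.
    """
    nets = [ipaddress.ip_network(spec, strict=False) for spec in trusted_relays]
    for hop in received_hops(raw_message):
        m = FROM_IP_RE.search(hop.strip())
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in nets):
            continue  # an internal relay: look one hop further back
        return str(ip)
    return None


def in_network(ip, spec):
    """Source IP search: 'spec' is a single address or a network/netmask (dotted or CIDR)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


if __name__ == "__main__":
    print(find_audit_ids(SAMPLE_MESSAGE))
    src = connecting_source_ip(SAMPLE_MESSAGE, ["10.0.0.0/255.0.0.0"])
    print(src, in_network(src, "192.0.2.0/255.255.255.0"))
```

Only hops from relays you control should be in the trusted list: Received headers below the first hop you added are supplied by the sender and can be forged, so the reliable source address is the one your own equipment recorded for the connection it accepted.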

Virtual host
  If you have enabled virtual hosts on your appliance, you can track or view the messages processed by an individual virtual host: select the relevant host name from the Virtual host drop-down list.

Attachment (only visible when Attachment identification is enabled)
  To find specific attachments within messages, enter a full or partial attachment name. You can also use wildcard characters.

View recipients
  Clicking any of the highlighted links in the View recipients area shows you either All messages, or a list of recipients beginning with the selected character, with the number of items against each recipient. For example, it might show that one recipient currently has four queued messages, one quarantined message and three delivered messages. Click a particular recipient to view all relevant items for that recipient. To revert to the total view of messages, click Close.

Search/Refresh
  Click to search the appliance for messages that match your search parameters, or to refresh the list if you have changed any of the parameters.

Clear Parameters
  Resets all search parameters to their default states.

Message Search results

Within Message Search, the following results may be displayed.

Emails
  When you have searched for the required message types, you can perform actions based on the type of message. The actions available depend on the Message status you searched for:
  - Message status is All: Delete selected, Release selected, Retry selected, Forward selected, Find related, Submit false positive, Delete all.
  - Message status is Quarantined: the same actions, plus Release all.
  - Message status is Queued: the same actions, plus Retry all.

  Notes on individual actions:
  - Release selected is only available if all selected messages are quarantined "on the box" and do not contain viral content.
  - Forward selected is only available if all selected messages are either queued or quarantined.
  - Submit false positive submits the selected messages to McAfee for analysis, to help reduce false positive detections.

  If you have configured your appliance to perform off-box quarantining using McAfee Quarantine Manager, you cannot make release requests from within Message Search.

Real Time Retry
  To retry delivery of a queued item and then see the results of the SMTP conversation with the target MTA, click Real Time Retry. Real Time Retry works only on a single selected queued message.

View Message
  If the message is still available to the appliance (for example, if it has been queued or quarantined on the appliance), you can view the selected message. From within the message view, you can:
  - Delete the message from the appliance.
  - Release the message from the appliance (quarantined messages only).
  - Retry delivery of the message from the appliance (queued messages only).
  - Forward the message to another address.
  - Download the message to your local file system in .eml format.
  You can also use Show headers to view the information contained in the message header.

View Conversation Log
  When SMTP conversation logging is enabled on your appliance (Email Configuration | Protocol Configuration | Connection Settings (SMTP) | SMTP conversation logging), select an email message and click View Conversation Log to see the conversation details for the selected message through the different stages of the SMTP conversation.

Download Message
  Downloads the selected queued or quarantined message to your local file system in .eml format.

Show Report
  View information about the selected message.

Hide and unhide columns
  You can hide and unhide columns in the Message Search results area. Click the left arrow to hide the selected column. Click the down arrow to display options to sort or hide a column. Click the right arrow to redisplay the information in a hidden column.

Export
  Click to export a report based on your message search results.

Maintenance options
  Click to go to the Database Maintenance area, where you can define the number of items identified using Message Search that are retained in the database.

Message Search icons

Understand the meaning of the icons used on the Message Search page.
- The email message is Inbound.
- The email message is Outbound.
- The email message was composed within the Secure Web Mail Client.
- The email message is Internal. Internal messages are Alert messages and Quarantine Digest messages.
- This is the original version of the quarantined message.
- This is the version of the quarantined message that has been modified by the appliance.
- This message is currently held in a queue, but the appliance is not actively trying to deliver it.

- The appliance is trying to deliver this message.
- The appliance has a release request pending for this message.
- Queued for delivery to your McAfee Quarantine Manager server.
- Email message is secured using the Encryption policy settings.
- Email message was received or delivered using TLS.
- Access to the quarantined message is restricted. You do not have sufficient privileges to view or download the message, or to perform any actions (delete, release, forward) on the message.

Task: Identify quarantined messages

Use this task to discover which messages have been quarantined by your McAfee Email Gateway Appliance. To view a list of all messages that have been quarantined:

1 Click Reports | Message Search.
2 Select Quarantined from the Message status drop-down list.
3 Click Search/Refresh.

All messages that have been quarantined are displayed in the lower part of the page.

Task: Refine the search

You can further refine your search for quarantined messages to show only those that have been quarantined due to specific triggers. In this example, to find those messages quarantined due to compliance issues:

1 Complete the steps in Task: Identify quarantined messages.
2 Select Compliance from the Category drop-down list.
3 Click Search/Refresh.

The lower part of the screen is refreshed to show only the messages that have been quarantined due to compliance issues.

Task: View a specific message

You can view the content of a quarantined message.

1 Complete the steps in Task: Refine the search.
2 Select the relevant quarantined message using the checkbox to the left of the page.
3 Click View Message.

The selected message is displayed in a new window. From this window, you can view the content of the message. You can also choose to view the detailed header information. After you have

viewed the message, you can choose further actions to perform on the message by clicking the relevant buttons.

Task: Release a quarantined message

After viewing a message that has been quarantined, you may want to release the message from quarantine. To release a selected message from quarantine:

1 Complete the steps in Task: View a specific message.
2 Click Release Selected.

The selected message is released from quarantine. Email messages that contain viral content cannot be released from quarantine, as doing so would risk causing damage to your systems.

Task: Submit a false positive sample to McAfee

Submit messages that have been incorrectly detected as spam or phishing messages to McAfee, to help reduce false positive detections in the future.

Before you begin: You can only submit messages that have been detected as either spam or phishing messages, and that have then been quarantined by McAfee Email Gateway. By investigating samples of genuine messages that have been incorrectly detected as either spam or phishing messages (false positive detections), McAfee can improve the accuracy of the spam and phishing message detections.

1 Select Reports | Message Search.
2 Select Quarantined from the Message status drop-down list.
3 Click Search/Refresh.
4 Select the messages that have been incorrectly identified as either spam or phishing messages.
5 Select Submit false positive from the Actions drop-down list.
6 Click Go.

The selected incorrectly identified spam or phishing messages are submitted to a secure McAfee site, where they can be analyzed and the results used to improve spam and phishing message detections.

Task: Find out which messages are queued

Use this task to find out which messages are currently queued pending delivery on your Email Gateway appliance. To view a list of all messages that have been queued on the appliance:

1 Click Reports | Message Search.
2 Select Queued from the Message status drop-down list.
3 Click Search/Refresh.

All messages that have been queued are displayed in the lower part of the page.

Task: Find out which messages are queued for inbound delivery

You can further refine your search for queued messages to show only those messages that have been queued for inbound or outbound delivery. To view the queued messages awaiting inbound delivery:

1 Complete the steps in Task: Find out which messages are queued.
2 Select Inbound from the Disposition drop-down list.
3 Click Search/Refresh.

All messages that have been queued for inbound delivery are displayed in the lower part of the page.

Task: Deliver the queued messages

Use this task to deliver the messages that are currently queued on your Email Gateway appliance. Having found the queued messages and investigated the reason for them being queued, you then need to force the appliance to try again to deliver the messages:

1 Complete the steps in Task: Find out which messages are queued for inbound delivery.
2 Select the relevant queued messages using the check boxes to the left of the page.
3 Choose one of the following:
  - From the Actions drop-down list, select Retry selected.
  - For a single message, click View Message, and then click the Retry button.
  - To retry sending the messages and then see the results within the page, click Real Time Retry.

Your Email Gateway appliance attempts delivery of the queued messages.

Task: Find out which messages are being blocked

Use this task to find messages that have been blocked by your Email Gateway appliance. To view a list of all messages that have been blocked on the appliance:

1 Click Reports | Message Search.
2 Select Blocked from the Message status drop-down list.
3 Click Search/Refresh.

All messages that have been blocked are displayed in the lower part of the page. Email messages can be blocked for a variety of reasons, and the table showing all blocked messages includes the reason that each message was blocked in the Status/Category column.

Task: Find the emails that were successfully delivered

Use this task to find all emails that were successfully delivered by your Email Gateway appliance. You may have a request from your users to verify that an email message has been successfully delivered to its intended recipient. To verify this:

1 Click Reports | Message Search.
2 Select Delivered from the Message status drop-down list.
3 Click Search/Refresh.

All messages that have been successfully delivered by the appliance are listed in the lower part of the page.

Task: A user has requested that I release one of their quarantined messages

Use this task to release a quarantined email. When an email message is quarantined, your users may receive a digest message giving them options relating to the messages in quarantine. To view and then release an email message that a user has requested be released:

1 Click Reports | Message Search.
2 Select Quarantined from the Message status drop-down list.
3 Select Release requested from the Type drop-down list.
4 Click Search/Refresh.
5 Select the message (or messages) to be released.
6 Click View Message.

7 If you are happy that the selected message is safe to release, select Release selected from the Actions drop-down list.
8 Click Go.

In the Dashboard Queues area, you can see how many quarantine release requests have been made by your users. Clicking the link on this page opens the Message Search page and auto-populates the fields required to release these messages.

Task: Export a message search report

When you have run a message search, you have the option of exporting a report of the results in .csv format.

Before you begin: Before you can export the report, you must run a message search that did not return 0 results.

1 Navigate to the Message Search window. You can navigate using Reports | Message Search, or using the Task pane on the Dashboard (Dashboard | Tasks | Message Search & Reports | Search Message Queue). The Message Search window opens.
2 Select your desired parameters and perform a message search. Your search results display. The report you create will contain the entire results from your search.
3 Click the Export link at the bottom of the results window. A message displays, providing a link to the exported .csv file.
4 Click the link to access the .csv file.

The report displays. The format is essentially the same as the Message Search results table, with a few differences:
- The audit ID displays.
- The time displays both as seconds (for sorting) and as a human-readable local time string.
- The reason value for quarantined items displays.
- The Properties column shows as three columns: Disposition, Type, and Encryption Type.

Task: Find a message containing a named attachment

Search for messages that contain named attachments.

Before you begin: Before you can find messages that contain attachments, you must enable attachment identification from Email Configuration | Protocol Configuration | Connection Settings (SMTP) | Attachment identification.

1 Navigate to the Message Search window. You can navigate using Reports | Message Search, or using the Task pane on the Dashboard (Dashboard | Tasks | Message Search & Reports | Search the Message Queue). The Message Search window opens.
2 Choose the search parameters to use.
3 Click Search/Refresh.
4 Use the Attachments column to identify messages containing the relevant attachment. You can also search for specific attachment names by using the Attachment field. This field accepts either complete attachment names or partial names with wildcard characters.
5 Use the available controls to take appropriate actions on the selected messages.

Scheduled Reports

Use this page to see a list of the available reports about threats that the appliance has detected.

Reports | Scheduled Reports

You can view the reports, send reports immediately to other people, or schedule reports to be sent at regular intervals.

Benefits of creating Scheduled Reports

Keeping up to date with threat detection statistics and system activity, and sharing that information, is vital. The Scheduled Reports option has some default report types already set up for you; you can customize their content or frequency, or even create new report types as necessary. The resulting reports can be sent by email immediately, or at regular intervals, to other people in your organization in a variety of formats, such as PDF, HTML, or text.

You must enable the default reports to run automatically. To do so, select the report type from the list of available reports, and click Edit. In the Edit Report dialog box, click Enable scheduled delivery.

Table 3-3 Report types

Overview: Lists the number of detections by protocol and type of threat, and provides details about the types of detection made per protocol.

Email:
- Email security summary (inbound) shows the % and number of messages to internal users that were delivered or blocked because a threat was detected.
- Email security summary (outbound) shows the % and number of messages to external users that were delivered or blocked because a threat was detected.
- Email traffic flow provides information relating to the flow of messages into, and out of, the organization.
- Email security trend
- Email volume trends (inbound and outbound) provides information relating to the number of messages coming into, and going out of, the organization.
- Email size trends (inbound and outbound) provides information relating to the size of the messages coming into, and going out of, the organization.
- Average number of emails displays the average number of messages sent into, or out of, the organization for one day or more.
- Users activity lists internal or external users who send or receive the most blocked or monitored messages.
- Top detections lists the top virus, potentially unwanted program, spam, or phish detections, and sender authentication failures.

System:
- Disk utilization provides information relating to the used and available space on the disk for items such as the log and quarantine partitions.
- Disk utilization trends shows the % utilization of each partition in graph format.

Favorite: Click Edit to choose from a list of pre-defined report types for email, web and system reports, and optionally send the report to other people in your organization daily, weekly, or monthly. Any new favorite reports that you created in the Email Interactive Reports or Web Interactive Reports section are available from here too.

Table 3-3 Report types (continued)

Dashboard: The Dashboard report enables you to select information that is displayed in the dashboard portlets. Select the information to include:
- Inbound Mail lists all inbound mail activity, broken out into various categories, such as plain text, encryption method used, information about messages quarantined, bounced, queued and blocked, detection types triggered, and information about the senders, connections and recipients.
- Outbound Mail lists all outbound mail activity, broken out into various categories, such as plain text, encryption method used, information about messages quarantined, bounced, queued and blocked, detection types triggered, and information about the senders, connections and recipients.
- Services lists information about the software services provided.
- SMTP Detections lists information about SMTP detections made.
- POP3 Detections lists information about POP3 detections made.
- Network Summary shows network connections, kernel mode blocking statistics and total throughput.
- System Summary shows the status of the services, network and hardware.
- Hardware Summary provides information about your hardware, including information about the mode of operation, the network interfaces, information relating to the hardware modules, and RAID and UPS status.
- Clustering provides information about your McAfee Email Gateway cluster.

Scheduled Reports definitions

Use this information to learn about the options available for the Scheduled Reports from within the user interface.

Name: Displays the name of the report. By default, the list includes some standard reports, which you cannot delete. The icon indicates the type of content in that report:
- Overview, such as numbers of overall detections.
- Email activity.
- System activity, such as disk usage.
- A choice of popular reports.

Description: Displays the title that appears on the first page of the report, the scheduling information, and a list of the recipients.

Download Now: When clicked, generates the report, then allows you to download it for viewing in a browser or saving as a file.

Email Now: When clicked, generates the report, then immediately sends it to the recipients. Any regular schedule is not affected. If the icon is disabled, the schedule has not been set. Double-click the icon, then specify the details under Delivery Schedule.

New report: When clicked, lets you create a new report, which is an exact copy of an existing report. A dialog box prompts you for further information:
- Report name, which appears under the Name column on this page.
- Report title, which appears at the top of the report.
When you click OK, you return to the main page. There you can select the new report, click the icon under Edit, and design your own report.

Edit: When the icon is clicked, enables you to change the schedule, content, format and delivery information of the selected report.

Delete: When the icon is clicked, deletes the selected report.

Task: See the number of detections by protocol and threat type over the last week

Use this task to create a scheduled report to see the number of detections by protocol and threat type over the last week.

1 Select Reports | Scheduled Reports.
2 From the list of report types, select Overview, and click Edit.
3 In the Edit Report dialog box, set the Reporting period to 1 week.
4 Click OK, and apply the changes to the appliance.
5 Click Download to generate the report.

Task: Send your manager an email activity report in PDF format every Monday at 10.00am

Use this task to send a PDF version of an email activity report at a specific time and day each week, to a nominated person.

1 Select Reports | Scheduled Reports.
2 From the list of report types, select Email, and click Edit.
3 In the Edit Report dialog box, click Enable scheduled delivery.
4 Set the Report sent option to Weekly and choose Monday from the drop-down menu.
5 Click New Recipient, and type myboss@examplecompany.com.
6 Click OK, and apply the changes to the appliance.

Task: Download a report in .csv format for further processing

To enable further processing of information from your McAfee Email Gateway, export your report in .csv format.

1 Select Reports | Scheduled Reports.
2 From the list of report types, select Favorite, and click Edit.
3 In Delivery schedule, ensure that Enable scheduled delivery is unselected.
4 In Report content, select the information that you want to appear in the .csv formatted file. For example, select Email reports and Top Spam Senders (last 24h).
5 In Advanced options, select CSV as the Document format. Configure other options to suit your requirements.
6 Click OK, and apply the changes.
7 Click Download.
8 Click the link to download the file to your local computer.

Task: Send the administrator a report that shows virus detections in email messages over the last week

Use this task to send a report to a specific person showing all virus detections found within email messages in the last week.

1 Select Reports | Scheduled Reports.
2 From the list of report types, select Favorite, and click Edit.
3 In Sender and recipient details, type administrator@examplecompany.com.
4 Select Report content, and select the Top Viruses report.

5 Click OK, and apply the changes.
6 Click Email Now.

Scheduled Reports: New Report dialog box

Use this information to understand the options available when creating a new report.

Name: Type a name for the new report that you are creating.
Title: Use the Title field to enter a descriptive title for the new report.
Use template: Select the template that you want to use as the basis of the new report.

Scheduled Reports: Edit Report dialog box

Use this information to understand the options available when editing the specification for an existing report.

Table 3-4 definitions: Delivery schedule

Enable scheduled delivery: Selecting this causes the report to be delivered according to the options set.
Report sent / At: Use Daily, Weekly, Monthly and At to specify how often, and at what time, you want the scheduled report to be delivered.
Reporting period: Select the time period that you want covered by the report. The available options are: Today (default option), Previous day, 1 week, 2 weeks, 1 month.
Use the postmaster address as the sender: Select to use the already configured postmaster address as the sending address for the scheduled reports.
Sender address: To configure your appliance to use a sender address that is different from the already configured postmaster address, ensure that Use the postmaster address as the sender is unselected, and enter the required Sender address.
Recipients: The list of email addresses to which the scheduled reports are to be sent. Click New Recipient to specify new addresses.

Table 3-5 definitions: Report content

Title: Specify the title for the scheduled report you are creating.
Include these reports: Select the information to be included in the scheduled report. The available options change depending on the type of report (Overview, Email, or System report).
Header: Enter text that you want displayed in the header of the report.
Footer: Enter text that you want displayed in the footer of the report.

Table 3-6 definitions: Advanced options

Document format: Select your required format for the scheduled report. The options include: PDF, HTML, Text, CSV.
Paper size: Select the paper size for the scheduled report. Select from: A4 (210x297 mm), Letter (8.5x11 in).
Character set: Select the character set for the scheduled report. The options include: Unicode (UTF-8), Unicode (UTF-7), ASCII, Latin Alphabet No. 1 (ISO 8859-1), Windows Latin 1 (WINDOWS-1252), Simplified Chinese (GBK), Traditional Chinese (BIG-5), Japanese (SJIS), Japanese (ISO-2022-JP), Korean (ISO-2022-KR).
Message subject: Enter the Subject line that you want to appear on the email containing the scheduled report.
Message body text: Enter the body text for the email message containing the scheduled report.
Generate unique file names: Select this option to ensure that each scheduled report has a unique file name.
Attachment file name: To specify the name of the attachment file containing the scheduled report, unselect Generate unique file names and then enter the required file name.
Maximum number of items in a list: Specify the maximum number of items that you want to appear in each list.

Email Reports

Use this page to create and view real-time reports about threats detected in the email passing through your Email Gateway, and the subsequent actions taken by the appliance.

Reports | Email Reports

You can generate a report based on a set of predefined filters, or edit the filters, test the results, and save the report as a new report.

Introduction to the Email Reports page

This information introduces the Email Reports page, found in the Reporting section of Email Gateway. Email Reports contains several sub-pages, accessed from the tabs beneath Interactive Reporting and Selection.

The following tabs are shown beneath Interactive Reporting, each providing a different view of a report's results. See Types of report views:
- Total view
- Time view
- Itemized view
- Detail view

There are two pages beneath Selection:
- Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See Types of reports.
- Filter enables you to further define the data in each Favorite report using standard and advanced filter settings, and set the period of time for which you want to retrieve data. See Types of report filters.

Benefits of using email reports

To keep your email infrastructure running at optimal levels, you need access to up-to-date information about threats detected in the email flowing through the appliance. Generate reports to get information such as:
- Types of threats detected, such as viruses, or spam and phishing messages.
- Messages that had to have an action taken upon them.
- Messages that were prevented from entering or leaving your network.
- Individual sender activity.

Additionally, use the Email Reports feature with the Scheduled Reports feature to create regular reports, and send them immediately to other people, or at regular intervals.

You can compile a list of, for example, blocked messages using the Message Search feature (Reports | Message Search). Message Search cannot locate messages if the appliance has not received the message body, such as messages blocked by Real-time Blackhole Lists (RBLs). In this situation, use the Email Reports feature to find out about an individual message.

Types of reports

The appliance comes with a set of reports with pre-defined filters, available from the Favorites tab. You can run these reports immediately, or edit them using standard and advanced settings and save them as a new favorite report to run again in the future, then make it available in the Scheduled Reports feature. To see the default settings in each report, hold your mouse cursor to the left of a report name.

Table 3-7 definitions

Overview: Displays results in Total view by default. Results show the number of legitimate, monitored, modified, rerouted, or blocked messages processed over the previous day.
Profile: Displays results in Itemized view by default. Results show the number of items detected for each filter selection over the previous week.

Table 3-7 definitions (continued)

Top Spam Senders: Displays results in Itemized view by default. Results are filtered using the Spam/Phish category by default, and show the spam or phish (or both) messages by sender over the previous 24 hours.
Top Viruses: Displays results in Itemized view by default. Results are filtered using the Viruses category by default, and show the viruses detected over the previous week, or results for a specific threat that you specify.
Legitimate: Displays results in Time view by default. Results show the number of messages categorized as Legitimate (that is, delivered with no detection or modification) for all threat categories over the previous 24 hours.
Monitored: Displays results in Time view by default. Results show the number of messages for all threat categories over the previous 24 hours that triggered an event log but were delivered with no modification.
Modified: Displays results in Time view by default. Results show the number of modified messages (for example, cleaned or replaced with an alert message) for all threat categories over the previous 24 hours.
Rerouted: Displays results in Time view by default. Results show the number of messages routed to another server (for example, an encryption server) for all threat categories over the previous 24 hours.
Blocked: Displays results in Time view by default. Results show the number of inbound or outbound messages stopped by the appliance for all threat categories over the previous 24 hours.

Types of report views

The Email Gateway reporting system uses different views of the available data, so that you can select the view best suited to your needs. Each report that you generate can be presented in one of the following views:

Total view (Reports | Email Reports | Interactive Reporting | Total View)

The information is displayed in a horizontal bar chart. If you see no information, click Apply on the Filter tab, or change the period and click Apply. For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).
- Action: Displays the list of actions taken by the appliance's policies against each message or web access.
- Number of messages: Displays the number of messages or web accesses where this action was applied.

Time view (Reports | Email Reports | Interactive Reporting | Time View)

Displays results in a bar chart and table format over the time specified. Results are shown in periods of ten minutes for hourly reports, by the hour for 24-hour reports, every six hours for weekly reports, every twelve hours for fortnightly reports, or daily for monthly reports. The information is displayed in a vertical bar chart, and organized into small intervals. For example, a weekly report shows activity in whole 6-hour portions of each day. If you see no information, click Apply on the Filter tab, or change the period and click Apply. You might not be able to view some older data, because the appliance's log is regularly purged. For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).
- Start: Displays the start of the period, such as on the hour.
- Legitimate to Blocked: Displays the numbers of messages or web accesses corresponding to each action in that period. If Action is not set to All, most columns have values of

Itemized view (Reports | Email Reports | Interactive Reporting | Itemized View)

The information is displayed in a pie chart and table format for each filter criterion, or for all filters. If you see no information, click Apply on the Filter tab, or change the period and click Apply. For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).
- Pie chart: Displays the percentage of all email or web accesses that match the criteria selected in the Filter tab. The orange portion of the pie shows the portion of the data that matches the criteria. The green portion shows the remainder. If no filtering is set, the whole pie appears orange.
- Filter criteria: Displays the list of categories that apply to the message or web access. Click any blue link for more information, represented as a bar chart. To return to the pie chart, click List all criteria. To examine the information further, click any blue links. As you click each link, values in the Filter tab are updated. Click Apply to display the pie chart again.
- Number of distinct criteria items within the selection: Displays the number of messages or web accesses where each criterion applies.

Detail view (Reports | Email Reports | Interactive Reporting | Detail View)

Displays all results in a table format. Results are shown for each detection in the report results. Information includes any threat in the messages or IP addresses. If you see no information, click Apply on the Filter tab, or change the period and click Apply. For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).
- Date and other headings: Displays the details of each message or web access. To see all columns, move the horizontal scroll bar. To sort the data in any column, click the column heading. The most recently sorted column is indicated by a red arrow in the column heading.
- Data: Click the blue link to see further information about an email message in a table or as raw data (that is, in an XML-like format). To move through the list, or to move quickly to either end of the list, click the arrows at the bottom right of the list.

Types of report filters

To help you find the information you require, you can select filters to display more specific detail within the reports.

Reports | Email Reports | Selection | Filter

Each report allows you to filter the results by standard and advanced criteria. For example, you can see information about viruses from all sources in the last month. Make your selections, then click Apply. The new report might take a while to appear. You can save these selections to produce a similar report at any time, or clear the selections you made.

Table 3-8 Option definitions  Email Reports filter options
  Period and Ending: Displays information for a period from one hour to one month, based on the selected start date. When clicked, the Previous and Next buttons adjust the From date, for example, moving it to the next week or the previous day.
  Protocol: Displays the protocols you want to view, such as SMTP.
  Traffic: Displays traffic, whether inbound or outbound. In a simple network, you might see reports on compliance for outbound traffic and reports on spam for inbound traffic.
  Sender: Displays information about one sender, such as user@example.com. When selected, the advanced options Source domain and Source ID further specify the sender's domain or IP address, such as server1.example.com and a specific IP address.
  Recipient: Displays information about one recipient, such as user@example.com. When selected, the advanced options Destination domain and Destination ID further specify the recipient's domain or IP address, such as server1.example.com and a specific IP address.
  Action: Enables you to filter reports on specific actions, such as Legitimate or Blocked.
  Examples (Sender and Recipient fields):
    To view information about one sender or recipient, type <user@example.com>. The name is wrapped with chevron characters.
    To view information about all senders' names that begin with b or B, type <b*
    To view information about all senders' names that begin with b, B, e, or E, type <b*, <e*
  Category: Displays information about a single type of detection, such as spam or virus. If the selection is not All, you see further choices. For example, if you select Content, you can further select Mail Size. Extra categories appear here if you have installed any optional software.
  Detection: Top Spam Senders report only. Choose whether the report should contain results for spam senders, phish senders, or both.
  Virus/PUPs: Top Viruses report only. Type the name of the virus or potentially unwanted program to get detection results for that specific threat.
  Show Advanced: When clicked, shows the options below. To hide the options again, click Hide Advanced.
  Source Domain: Filter traffic based on the domain that the messages are being sent from.
  Source IP: Filter traffic based on the IP address that the messages are being sent from.
  Destination Domain: Filter traffic based on the domain that the messages are being sent to.
  Destination IP: Filter traffic based on the IP address that the messages are being sent to.

Table 3-8 Option definitions  Email Reports filter options (continued)
  Audit ID: As traffic passes through the appliance, it can have an Audit ID assigned. Use this field to filter traffic with a specific Audit ID.
  Policy: Provides a selection of policies.

Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites

Table 3-9 Option definitions
  Name: Displays the name of each report that you have saved.
  Run report: When clicked, opens the selected report and displays it to the left of the screen.
  Edit: Opens the Filter page, from where you can change the settings, test the report results, and save the report criteria into a new favorite report.
  Delete: Removes that Favorite report from the list, and from the reports available in Scheduled Reports.

Task: Generate an activity overview for a particular sender
Use this task to create an overview of the activity for a particular sender. Use this task to:
  Create a report that shows global activity in the previous 24 hours
  Filter those results to show the activity of a particular sender
  Save the report as a new favorite report to be run again in the future
  Set up a schedule to send the report regularly to the administrator

Task: Run a standard activity report
Create a report that shows global activity in the previous 24 hours.
Task
  1 Click Reports | Email Reports.
  2 From the Favorites list, select the Overview (last 24h) report.
  3 Click Run report to generate a report for all users.
A report is created that shows the traffic over the last 24 hours, for all users.
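The sender and recipient filter syntax from Table 3-8 (an exact address wrapped in chevrons, or a chevron followed by a prefix and an asterisk, with several patterns separated by commas), worked through as an added Python example that is not part of the appliance or of this guide. It applies the patterns to a constructed set of message records and counts the selected messages per action, the kind of breakdown the Itemized view gives. Case-insensitive matching and the treatment of an empty field as "no sender restriction" are assumptions inferred from the guide's "b or B" example.

```python
from collections import Counter


def parse_filter(expr):
    """Turn a Filter-tab sender/recipient expression into (kind, value) terms.

    "<user@example.com>" -> [("exact", "user@example.com")]
    "<b*"                -> [("prefix", "b")]
    "<b*, <e*"           -> [("prefix", "b"), ("prefix", "e")]
    An empty expression yields no terms, which matches() treats as "no filter"
    (an assumption; the guide does not describe the empty case).
    """
    terms = []
    for raw in expr.split(","):
        term = raw.strip()
        if not term:
            continue
        if not term.startswith("<"):
            raise ValueError(f"filter term must start with '<': {term!r}")
        body = term[1:]
        if body.endswith(">"):
            terms.append(("exact", body[:-1].strip().lower()))
        elif body.endswith("*"):
            terms.append(("prefix", body[:-1].strip().lower()))
        else:
            raise ValueError(f"filter term must end with '>' or '*': {term!r}")
    return terms


def matches(address, terms):
    """True if the address satisfies any term (case-insensitive, per the b/B example)."""
    if not terms:
        return True
    addr = address.strip().lower()
    return any(
        addr == value if kind == "exact" else addr.startswith(value)
        for kind, value in terms
    )


# Constructed sample records standing in for the report's message data.
SAMPLE_MESSAGES = [
    {"sender": "bob@example.com", "action": "Blocked"},
    {"sender": "Bill@example.com", "action": "Legitimate"},
    {"sender": "eve@example.com", "action": "Blocked"},
    {"sender": "alice@example.com", "action": "Legitimate"},
    {"sender": "bob@example.com", "action": "Legitimate"},
]


def itemize_by_action(messages, sender_filter):
    """Return (selected count, Counter of actions) for messages matching the filter."""
    terms = parse_filter(sender_filter)
    selected = [m for m in messages if matches(m["sender"], terms)]
    return len(selected), Counter(m["action"] for m in selected)


if __name__ == "__main__":
    for expr in ("<b*", "<b*, <e*", "<bob@example.com>", ""):
        count, by_action = itemize_by_action(SAMPLE_MESSAGES, expr)
        print(f"{expr or '(no filter)':20} {count} messages {dict(by_action)}")
```

The chevron is what distinguishes a filter pattern from a literal address, which is why the parser rejects a term that does not start with one rather than guessing.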

Task: Filter the data for a particular sender and save the report as a new favorite report
Use this task to filter data produced from a global report so that it refers to a particular sender. Additionally, save the new report as a favorite.
Before you begin
Make sure that you have created the report detailed in Task: Run a standard activity report.
Task
  1 Click Filter.
  2 In Sender, type sender@examplecompany.com and click Apply to filter the data for that sender.
  3 Click Save, type a name for the report, and click OK.
The report appears in the list of Favorites.

Task: Set up a schedule to send the report regularly to the administrator
Use this task to set up a schedule to regularly send a report to the administrator.
Before you begin
Make sure that you have created the report detailed in Task: Filter the data for a particular sender and save the report as a new favorite report.
Task
  1 Click Reports | Scheduled Reports.
  2 In the list of available report documents, select Favorite, and click Edit.
  3 Select Enable scheduled delivery, and set the report to run Daily at 17:00 hours.
  4 Type the administrator's email address.
  5 Click Report content.
  6 In the list of favorite reports, select the report that you created, click OK, and apply the changes to the appliance.
The selected report is sent each day at 17:00 hours to the specified administrator.

Task: Show me the total viruses detected over the previous week
Use this task to show the total number of viruses detected in the previous week, and analyze the data using different report views.
Task
  1 Click Reports | Email Reports.
  2 From the Favorites list, select the Top Viruses report, and click Filter.
  3 Click Apply to run the report.

  4 Select Time view to see the action that was taken on each message, broken down into eight-hour periods.
  5 Select Detail view to see further information, such as policy details and the source IP address for each message.
The required report, showing the total number of viruses detected in the previous week, is generated.

System Reports
Use this page to create and view real-time reports about threat detection updates and system events.
Reports | System Reports
You can generate a report based on a set of pre-defined filters, or edit the filters, test the results, and save the report as a new report.

Introduction to the System Reports page
This information introduces the System Reports page, found in the Reporting section of McAfee Email Gateway. System Reports contains several sub-pages, accessed from the tabs beneath System Interactive Reporting and Selection.
Under System Interactive Reporting is a detailed view of the report results that tells you the type of update made, when it ran, and whether it was successful. Data shows the update number, so you can check with the McAfee website that you're running the most up-to-date threat detection files available.
There are two pages beneath Selection:
  Favorites enables you to choose a report with pre-defined filters and generate it immediately. See Report types.
  Filter enables you to further define the data in each Favorite report, and set the period of time for which you want to retrieve data. See Filter types.

Benefits of using system reports
This topic discusses the benefits of using the report features of McAfee Email Gateway to create and view reports about system events.
Keeping up to date with McAfee threat detection updates is vital to the continued and successful running of your organization. Generate system reports to get information about threat detection file update status, user logon statistics, and network and hardware status.
Additionally, use the System Reports feature with the Scheduled Reports feature to create regular reports and send them to other people immediately, or at regular intervals.

Types of System reports
This section describes the types of system reports that you can find within the Reports area of the user interface.
The appliance comes with a set of reports with pre-defined filters, available from the Favorites tab. You can run these reports immediately, or edit them and save them as a new favorite report to run again in the future, then make it available in the Scheduled Reports feature. To see the default settings in each report, hold your mouse cursor to the left of a report name.

Table 3-10 Option definitions
  Anti-Virus Updates (last 24h): Displays results in Detail view by default. Results show the type of update (anti-virus, spam rules, or URL filtering definitions), when it was made, the results, and the reference number associated with the update file.
  Anti-Virus Updates (last week): Displays results in Detail view by default. Results show the type of update (anti-virus, spam rules, or URL filtering definitions), when it was made, the results, and the reference number associated with the update file.

Types of System report views
Use this page to see the details of system updates or detection file updates.
Reports | System Reports | System Interactive Reporting | Detail View
If you see no information, click Apply on the Filter tab, or change the period and click Apply. For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).

Table 3-11 Option definitions  Interactive reporting, Detail view
  Date: Displays the details of each message or web access. To see all columns, move the horizontal scroll bar. To sort the data in any column, click the column heading. The most recently sorted column is indicated by a red arrow in the column heading.
  Data: Click the blue link to see further information about an email message in a table or as raw data (that is, in an XML-like format). To move through the list, or to move quickly to either end of the list, click the arrows at the bottom right of the list.

Types of System report filters
To help you find the information you require, you can select filters to display more specific detail within the System reports.
Reports | System Reports | Selection | Filter
Each report allows you to filter the results.

Table 3-12 Option definitions  System Reports filter options
  Period and Ending: Displays information for a period from one hour to one month, based on the selected start date. When clicked, the Previous and Next buttons adjust the From date, for example, moving it to the next week or the previous day.
  Event type: Displays reports about particular event types. For example, issues concerning the Network.
  Event: Select individual events based on the chosen Event type.
  Reason: Select individual reasons based on the chosen Event.

Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites

Table 3-13 Option definitions
  Name: Displays the name of each report that you have saved.
  Run report: When clicked, opens the selected report and displays it to the left of the screen.
  Edit: Opens the Filter page, from where you can change the settings, test the report results, and save the report criteria into a new favorite report.
  Delete: Removes that Favorite report from the list, and from the reports available in Scheduled Reports.

Task: Generate a report that shows all threat detection updates
Use this task to show all updates to the threat detection files on your McAfee Email Gateway. Use this task to:
  Run a report that shows all updates that took place in the last week
  Filter the results to show only the URL filter updates that failed
  Save the report as a new favorite report to be run again in the future
Task
  1 Click Reports | System Reports.
  2 From the Favorites list, select the Anti-Virus Updates (last week) report.
  3 Click Run report to generate a report for all updates.
  4 Click Filter.
  5 In Event, select URL filter update failed, and click Apply to filter the data accordingly.
  6 Click Save, type a name for the report, and click OK.
The report appears in the list of Favorites.


4 Overview of Email menu
This section of the online help topic provides an overview of the features and controls within your McAfee Email Gateway appliances.
Contents
  Life of an email message
  Email Configuration overview
  Email Policies
  DLP and Compliance overview
  Encryption
  Certificate Management
  Hybrid configuration
  Group Management
  Add Directory Service wizard
  Quarantine Configuration

Life of an email message
Use this topic to understand how the appliance processes the email messages that it receives.
The appliance handles an email message according to:
  Who sent the message.
  Who will receive the message.
  The content of the message.
On receiving an email message, the appliance processes it in the following order. Each stage lists the feature applied and, where one is named, the settings page that controls it.

Kernel mode blocking
  Permit and Deny Lists

CONNECT
  Permit Sender [Connection]: Permit and Deny Lists
  Deny Sender [Connection]: Permit and Deny Lists
  Real-time Blackhole Lists (RBL): Sender Authentication Settings | RBL Configuration

EHLO/MAIL FROM
  Permit Sender: Permit and Deny Lists
  Deny Sender: Permit and Deny Lists
  Bounce Address Tag Validation: Bounce Address Tag Validation
  SPF (Sender Policy Framework): Sender Authentication Settings | SPF, Sender ID and DKIM
  Address Masquerading: Address Masquerading (SMTP)

RCPT TO
  Anti-Relay: Anti-Relay Settings
  Greylisting
  Address Aliasing (Masquerading): Address Masquerading (SMTP)
  Permitted Recipient list: Recipient Authentication
  LDAP recipient check: Recipient Authentication
  Directory Harvest Prevention: Recipient Authentication

DATA
  RBL (if behind an MTA): Sender Authentication Settings | RBL Configuration

Scanning
  SPF (if behind an MTA): Sender Authentication Settings | SPF, Sender ID and DKIM
  McAfee Global Threat Intelligence message reputation: Sender Authentication Settings | McAfee Global Threat Intelligence message reputation. The McAfee Global Threat Intelligence message reputation score is also passed to the anti-spam engine, where it is used to supplement the spam scores for the message being scanned.
  Sender ID: Sender Authentication Settings | SPF, Sender ID and DKIM
  Domain Keys Identified Mail (DKIM): Sender Authentication Settings | SPF, Sender ID and DKIM
  Anti-spam: Anti-Spam Settings | Basic Options; Anti-Spam Settings | Advanced Options; Anti-Spam Settings | Blacklists and Whitelists
  Anti-phish: Anti-Phish Settings
  Mail size filter: Mail Size Filtering Settings | Message Size; Mail Size Filtering Settings | Attachment Size; Mail Size Filtering Settings | Attachment Count
  Encrypted / Signed content check: Signed or encrypted content Settings
  Corrupt content: Content Handling Settings | Corrupt or Unreadable Content
  Encrypted content: Content Handling Settings | Corrupt or Unreadable Content | Protected files
  HTML check: Content Handling Settings | HTML Options
  Compliance: Compliance Settings
  Anti-virus [including McAfee Global Threat Intelligence file reputation, PUPs, Packers]: Anti-Virus Settings | Basic Options; Anti-Virus Settings | McAfee Anti-Spyware; Anti-Virus Settings | Packers; Anti-Virus Settings | Custom Malware Options
  DLP: Data Loss Prevention Settings
  Image filtering: Image Filtering Settings
  File filter: File Filtering Settings

Delivery
  Proxy Mode: Domain Relay; DNS; Fallback relay
  Transparent Mode

When passing through the scanning stage, the next step that the message takes depends on the scanners that are triggered and the primary actions defined for each scanner. Primary actions are prioritized as follows:
  Deny connection
  Replace
  Refuse
  Allow through
  Accept and drop
For example, consider the following circumstances:
  The appliance scans an email message and triggers against both a virus and spam. The anti-virus scanner is configured to block on detection, whereas the anti-spam scanner is configured to block. In this situation, the appliance reports the message as containing viral content, as this is the highest priority primary action.
  The appliance scans an email message and again triggers against both a virus and spam. However, this time, both the anti-virus and the anti-spam scanners have their primary actions set to block. In this case, the appliance reports the anti-spam trigger, because anti-spam scanning occurs before the anti-virus scanning; but, as both scanners are configured with the same priority primary action, the message is also reported as containing viral material.

Email Configuration overview
Use these topics to understand the protocol configuration, receiving and sending pages within the McAfee Email Gateway user interface.
Email | Email Configuration
From the Email Configuration pages, you can configure features such as your protocol settings for SMTP and POP3 messages, anti-relay settings, recipient authentication, permit and deny lists, as well as other areas such as DKIM signing, delivering domains and fallback relays.

Contents
  Protocol Configuration
  Option definitions: Protocol Presets dialog box
  Option definition: New Protocol Preset
  Receiving Email
  Sending Email
  Sending Email: Add Relay List dialog box and Add MX Lookup dialog box
  Anti-Relay Settings: Add Relay Domain dialog box and Add MX Lookup dialog box

Protocol Configuration
The Protocol Configuration tab within Email Configuration enables you to configure settings that are protocol-dependent.
Email | Email Configuration | Protocol Configuration
Further tabs enable you to configure connection and protocol settings for both SMTP and POP3 protocols, as well as to configure address masquerading and transport layer security for your SMTP protocol.
Contents
  Connection Settings (SMTP)
  Protocol Settings (SMTP)
  Address Masquerading (SMTP)
  Connection and Protocol Settings (POP3)

Connection Settings (SMTP)
The Connection Settings (SMTP) page links to configuration areas that set up settings for SMTP connections on the appliance, such as ports, warning thresholds and timeouts.
Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP)

Basic SMTP settings
Use this area to specify basic connection settings for the SMTP protocol, such as port numbers.
Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) | Basic SMTP settings
Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert.

Table 4-2 Option definitions
  Enable the SMTP protocol: When deselected, ignores any SMTP traffic. Other traffic is not affected.
  Listening ports: Specifies a port number. The default value is

Table 4-2 Option definitions (continued)
  Transparent interception ports: Specifies a port number. The default value is 25.
  Secure ports: Specifies the type of port. The default value is 465. SMTPS uses a secure port. Click these icons and the port headings to reveal icons for managing the port information: one icon indicates the port number, one indicates the traffic that will be intercepted, and one indicates a period when traffic is not scanned.
  Enable reverse DNS lookups: When selected, enables the appliance to perform lookups. Default value is Yes. Take care if deselecting this setting. If you deny reverse DNS lookups, some functions might fail.

Timeouts
Use this area to specify the timeouts that apply to the SMTP conversations. These settings are configured by default to provide the best SMTP performance with most appliances and network configurations. Changing these settings can affect performance. If you are not sure about the impact of making any changes, ask your network expert.
  Protocol preset: Select the required protocol preset, or create a new preset, using the drop-down list and button to the right of the page.
  Maximum wait times when receiving: Specifies how long the appliance waits for responses from the mail server that sends the message.
    Between commands: The default value is 60 seconds.
    Between receiving chunks of data: The default value is 180 seconds.
    Acknowledgment of all the data: The default value is 360 seconds.
  Maximum wait times when sending: Specifies how long the appliance waits for responses from the mail server that receives the message.

    Establishing a connection: The default value is 60 seconds.
    Response to a MAIL command: The default value is 60 seconds.
    Response to a RCPT command: The default value is 60 seconds.
    Response to a DATA command: The default value is 60 seconds.
    Between sending chunks of data: The default value is 180 seconds.
    Acknowledgment of the final dot: The default value is 300 seconds.

SMTP conversation logging
Learn about enabling SMTP conversation logging and its impact on performance.
  Enable SMTP conversation logging: Select to produce a log of performed scans. These logs are available from Reports | Message search.

Attachment identification
Enable attachment identification to use Message Search to find messages containing attachments.
Table 4-3 Option definitions
  Enable attachment identification: Configure McAfee Email Gateway to carry out additional scanning of messages to identify attachments contained within the messages. Once enabled, you can use Message Search to find messages containing specific attachments.

Protocol Settings (SMTP)
The Protocol Settings (SMTP) page links to areas that allow you to configure settings for the SMTP protocol on the appliance.
Email | Email Configuration | Protocol Configuration | Protocol Settings (SMTP)

Data command options
Use this area to specify how the appliance responds during the DATA phase when handling SMTP email.
Table 4-4 Option definitions
  Maximum message data size: Specify the maximum size of message data in kilobytes. Setting this option prevents excessively large data from being processed by the appliance. By default, no limit is set.
  Maximum length of a single line: Specify the maximum length of a line within the message data. Setting this option prevents data with excessively long lines from being processed by the appliance. By default, no limit is set.
  Maximum number of hops: Specifies the maximum number of hops allowed, that is, the maximum number of Received lines allowed in the header. Default value is

Table 4-4 Option definitions (continued)
  If these limits are exceeded: Specifies how the appliance responds. Default value is Close the connection.
  Maximum line length before the message is re-encoded: By default, no limit is set.

Denial of service protection
Use this area to specify how the appliance prevents possible denial of service attacks on your mail server.
Table 4-5 Option definitions
  Minimum data throughput: Prevents an average data throughput that is too low. An attacker might deliberately handle parts of the SMTP conversation slowly. Default value is No lower limit.
  Maximum number of trivial commands: Prevents the appliance receiving too many trivial commands before a successful DATA command. An attacker might repeatedly send commands like HELO, EHLO, NOOP, VRFY, and EXPN. Default value is 100.
  Maximum number of AUTH attempts: Prevents too many AUTH conversation attempts (Transparent Bridge mode only). The SMTP AUTH command is a request to the server for an authentication mechanism. Default value is No limit.
  Maximum command length: Prevents excessive command length, which might be a buffer overflow attack. According to RFC 2821, the maximum total length of a command line, including the command word and the CRLF, is 512 characters. Default value is 999.
  Maximum duration of an SMTP conversation: Limits the time between opening the connection and receiving the final dot (.) command. Default value is No limit.
  Allow null senders: Accepts an empty From address. Default value is Yes.
  Reject recipient if the domain is not routable: Default value is No.
  Maximum number of recipients before a failure response is given: Prevents an excessive number of recipients. During spam or directory harvest attacks, the number of recipients often exceeds the number who typically receive company-wide messages. When setting a number here, consider that typical maximum, then add some more to allow for possible increases. Consider changing this number if the network is reconfigured or the typical maximum changes. Default value is No limit.
  Maximum number of recipients before a delay is imposed: Prevents an excessive number of recipients. Default value is No limit.
  Delay period: Specifies a period before connections may resume. Default value is Not set.

Table 4-5 Option definitions (continued)
  Impose a lockout period: Specifies a delay to prevent an immediate reconnection. Default value is 600 seconds.
  Generate non-delivery reports for undeliverable email: Default value is Yes.

Message processing
Use this area to configure message processing options within the SMTP protocol.
Table 4-6 Option definitions
  Welcome message: Specifies the text that is seen by a host when connecting to the appliance in Explicit Proxy mode. By default, this message is empty.
  Store and forward if: In proxy mode, messages which exceed the specified limits will always be accepted and queued by the appliance before onward delivery is attempted. Messages below the specified limits will have delivery attempted immediately (while the client is still connected). Default values: The message size exceeds: No limit; The number of recipients exceeds: No limit.
  Maximum number of MX records used: Specifies the response to messages that use MX (mail exchange) records excessively. Default value is 100.
  Maximum number of A records used: Specifies the response to messages that use A (address) records excessively. Default value is 100.

Advanced options
Use this section to specify further settings for message processing. You do not normally need to change the settings.
Table 4-7 Option definitions
  Port for SMTP communications: Specifies the usual port number. The default port number is 25.
  Maximum number of policies per email: Limits the number of policies that can be applied to each message. A larger number can affect scanning performance. Default number is 5.
  Add the IP address of the connecting server to the Received header: If you prefer that the IP address of your server is not made available, deselect this feature. Default value is Yes.
  Add the domain name of the connecting server to the Received header: If you prefer that the domain address of your server is not made available, deselect this feature. Default value is No.
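The denial of service limits in Table 4-5 and the Received-header hop limit in Table 4-4 are easier to reason about when applied to a concrete session, so here is an added Python example (not appliance code, and not from this guide) that walks the client side of a recorded SMTP conversation and reports each limit the first time it is crossed. The numeric defaults the guide states (100 trivial commands, a 999-character command limit, null senders allowed) are used as-is; the AUTH, recipient and hop limits are assumed values chosen for the demonstration because the documented defaults are "No limit", and the session transcript is constructed sample data.

```python
# Commands the guide lists as "trivial": legitimate, but useless in bulk before DATA.
TRIVIAL_COMMANDS = {"HELO", "EHLO", "NOOP", "VRFY", "EXPN"}
RFC_2821_MAX_COMMAND_LINE = 512  # octets, including the trailing CRLF

LIMITS = {
    "max_trivial_commands": 100,           # documented default
    "max_command_length": 999,             # documented default
    "allow_null_senders": True,            # documented default
    "max_auth_attempts": 5,                # assumed (documented default: No limit)
    "max_recipients_before_delay": 50,     # assumed (documented default: No limit)
    "max_recipients_before_failure": 100,  # assumed (documented default: No limit)
    "max_hops": 30,                        # assumed for the demonstration
}


def check_session(client_lines, limits=LIMITS):
    """Return the limit violations found in the client side of one SMTP session.

    Each threshold is reported once, at the command that first crosses it.
    Lines are given without their CRLF; the wire length adds it back.
    """
    findings = []
    trivial = auth = recipients = received_headers = 0
    in_data = False

    for line in client_lines:
        if in_data:
            if line == ".":  # end of message data
                in_data = False
                if received_headers > limits["max_hops"]:
                    findings.append(f"hop limit: {received_headers} Received headers "
                                    f"exceed {limits['max_hops']}")
            elif line.lower().startswith("received:"):
                received_headers += 1
            continue

        wire_length = len(line) + 2
        if wire_length > limits["max_command_length"]:
            findings.append(f"command length {wire_length} exceeds configured limit")
        elif wire_length > RFC_2821_MAX_COMMAND_LINE:
            findings.append(f"command length {wire_length} exceeds RFC 2821 maximum of 512")

        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in TRIVIAL_COMMANDS:
            trivial += 1
            if trivial == limits["max_trivial_commands"] + 1:
                findings.append("trivial commands: limit exceeded before DATA")
        elif verb == "AUTH":
            auth += 1
            if auth == limits["max_auth_attempts"] + 1:
                findings.append("AUTH attempts: limit exceeded")
        elif verb == "MAIL":
            recipients = 0  # a new envelope starts
            if "<>" in line and not limits["allow_null_senders"]:
                findings.append("null sender rejected")
        elif verb == "RCPT":
            recipients += 1
            if recipients == limits["max_recipients_before_failure"] + 1:
                findings.append("recipients: failure threshold exceeded")
            elif recipients == limits["max_recipients_before_delay"] + 1:
                findings.append("recipients: delay threshold exceeded")
        elif verb == "DATA":
            in_data = True
            trivial = 0  # the count is of trivial commands before a successful DATA
    return findings


# Constructed sample session that trips every limit once.
SAMPLE_SESSION = (
    ["EHLO client.example.net", "VRFY " + "a" * 600]  # 607 octets on the wire
    + ["NOOP"] * 99                                   # 101 trivial commands in total
    + ["AUTH LOGIN"] * 6
    + ["MAIL FROM:<>"]
    + [f"RCPT TO:<user{i}@example.com>" for i in range(101)]
    + ["DATA"]
    + [f"Received: from hop{i}.example.net by relay{i}.example.net" for i in range(31)]
    + ["Subject: constructed sample", "", "body", "."]
)

if __name__ == "__main__":
    for finding in check_session(SAMPLE_SESSION):
        print(finding)
```

The command-length check distinguishes "over the RFC 2821 maximum" from "over the configured limit" because the documented default (999) is deliberately more generous than the RFC value (512); a deployment that tightens the setting would collapse the two.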

Table 4-7 Option definitions (continued)
  A HELO command implies a reset: Forces the HELO command to automatically perform a reset (RSET command). The RSET command clears the buffers that store data such as the sender, recipients, and the message. Default value is Yes.
  A HELO or EHLO command is required: Forces the use of the HELO or EHLO command in any SMTP communication. Most SMTP conversations begin with these commands. You need this feature only if the sender does not use the command. Default value is No.
  Dump input to disk: Provides information for troubleshooting. Select only if instructed to do so; otherwise, performance will be affected. Default value is No.
  Dump output to disk: Provides information for troubleshooting. Select only if instructed to do so; otherwise, performance will be affected. Default value is No.

Transparency options (router and bridge mode only)
Use this area to configure options applicable only in the transparent operating modes: transparent router or transparent bridge mode.
Table 4-8 Option definitions
  Use the welcome message from the mail server: Specifies the welcome message that appears when a host using SMTP connects to an appliance operating in a transparent mode. When selected, displays the welcome message of the mail server at the other end of the connection, prefixed with extra text if specified in the next option. When not selected, displays the appliance's own welcome message (in the Message processing section). Default value is Yes.
  Prepend the following text: Specifies text for the message. Default value is to prefix no text.
  Send keepalives (NOOP commands) during the DATA phase and Keepalive interval: Prevents the connection between the appliance and the onward server from timing out when the appliance is scanning large messages, by sending a keep-alive command to the destination server. This keeps the connection alive until the DATA phase from the sending server to the appliance has completed. When the data has been transferred to the appliance, the appliance stops sending the commands and starts the DATA phase between the appliance and the destination server. Default value is No. Specify how often to send the keep-alive (NOOP) commands during the DATA phase. Default value of the interval is 55 seconds.

Advanced options
Use this section to specify further settings for transparency options. You do not normally need to change these settings.

Table 4-9 Option definitions
  Allow the appliance to generate additional scanning alerts: Generates additional scanning alerts to warn a network administrator or other users when specific events occur. Default value is Yes. The actions that the appliance takes when one of these events occurs depend on which detection was triggered and how the policies have been set up for each protocol. By default, most secondary actions are not available when the appliance is operating in a transparent mode. Only the quarantine actions are available by default.
  Allow multiple policies per email: Allows the use of multiple policies for messages that have more than one recipient. Default value is No. If an email message has more than one recipient, you can configure the appliance to allow different policies to apply to each of the recipients. If you do not allow multiple policies, the appliance applies only the highest priority policy, as defined by the order of your policies.
  Add a Received header to email: Adds Received (RCPT) commands to the headers. Default value is Yes.
  Secure conversation pass through: Allows TLS or SSL secured conversations to be passed through the McAfee Email Gateway without being interrupted. With this option selected, when the McAfee Email Gateway either receives the STARTTLS command or a connection is received on a Secure Port (SMTPS), the connection is passed through to the other server, allowing a secure server-to-server connection to be made directly between the client and server without McAfee Email Gateway scanning or processing the data. As the TLS or SSL connection is effectively direct between the two servers, McAfee Email Gateway cannot scan the secured traffic that is passed through it using Secure conversation pass through. Therefore, it is possible that malicious content could pass undetected through your McAfee Email Gateway and into your network.
  ESMTP extensions: Scans features of the Extended Simple Mail Transfer Protocol. Default values: Enable ESMTP extensions: Yes; DSN (Delivery Status Notification), 8BITMIME (8-bit data transfer), AUTH (Authentication): Yes; SIZE: No.
  Microsoft Exchange ESMTP extensions: Prevents scanning of some extensions. Default values: X-EPS, X-LINK2STATE, XEXCH50, CHUNKING: No. If the appliance operates between two Microsoft Exchange servers, the appliance must allow these headers to be exchanged without scanning.

Address parsing options
Use this area to configure options relating to the parsing of email addresses. You do not normally need to change these settings. Change the settings only if you understand the possible effects, or you have consulted an expert.

An email address such as user@example.com has two parts:
    The local part is before the @ character: user.
    The domain part is after the @ character: example.com.

Table 4-10 Option definitions

Maximum length of the local part
    Specifies how many characters can be used in the local part. The RFC limit is 64 characters.

Maximum length of the domain part
    Specifies how many characters can be used in the domain part. The RFC limit is 255 characters.

Allow non-RFC characters in the domain part
    By default, characters outside the ASCII range are not allowed in an email address.

McAfee Secure Web Mail

Enable policy support for McAfee Secure Web Mail.

Table 4-11 Option definitions

Enable McAfee Secure Web Mail policy support
    Select this option to allow the creation of policies for McAfee Secure Web Mail.

Address Masquerading (SMTP)

Use the sections on this page to convert the addresses in incoming or outgoing email messages. For example:
    Send and receive email for general enquiries using an anonymous address such as info@example.com, instead of one person's specific address.
    Redirect email for several people to one person.
    Modify the headers to hide information about your internal domains.

Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)

Make modifications to the From address and sender headers of outgoing email under Sender address masquerading. Make modifications to the To address of incoming email under Recipient address aliasing.

Address masquerading is based on protocol presets and can affect a large number of messages. When configuring your policies, consider whether you need the policy rules to apply to the addresses before or after they might be rewritten.

Useful websites

Regular expressions: expressions.info/reference.html

Option definitions: Sender address masquerading

Use this area to change the address from which messages appear to have been sent.

Type
    States whether the sender address entry is a string replacement or an LDAP lookup.

Search pattern
    Specifies a search pattern that uses regular expressions to convert the original sender address to a masqueraded address.
    Take care with the use of ^ and $ in a regular expression. The pattern is applied to the header content, so if the headers contain extra characters such as chevrons (< >), an anchored regular expression does not match and the address is not replaced as expected.

Replacement
    Displays the address you want to put in place of the original address.

Move
    The search for the pattern is done from the top to the bottom of the list. When a pattern matches, the address is replaced using the replacement. In the case of LDAP lookups, the relevant LDAP query is used.

Add Entry
    Adds a string replacement entry to the list.

Add LDAP entry
    Adds an LDAP lookup to the list.

Test
    When clicked, opens a further window where you can test whether your regular expression produces the correct replacement address. Type an address as input, then click Check to see the resulting output address.

Export
    When clicked, this link opens a dialog box you can use to export your list of masquerade addresses as a text file. The list can be stored on the appliance or on your local computer. The list is a text file in the following format:
        List, search pattern    Replacement
        List, search pattern    Replacement
    Write down the file name and location in case you need to import it.

Import
    When clicked, this link opens a dialog box you can use to navigate to a stored (exported) address list and import it into your current Masquerade window. You can overwrite the existing addresses or append to the existing list.

Sender mail headers to search (advanced)

Specify the headers that McAfee Email Gateway searches when using Sender address masquerading to replace addresses.

Sender mail headers to search
    Specifies the mail headers to search within outgoing messages. You need only add new headers if your mail server attaches its own unique headers, or if extra headers are defined in new specifications.
    By default, the following headers are searched when using Sender address masquerading: return-path, resent-sender, from, sender, reply-to, return, resent-from.

Option definitions: Recipient address aliasing

Use this area to change the address to which messages appear to have been sent.

Type
    States whether the recipient address entry is a string replacement or an LDAP lookup.

Search pattern
    Specifies a search pattern that uses regular expressions to convert the recipient's address to an aliased address.
    Take care with the use of ^ and $ in a regular expression. The pattern is applied to the header content, so if the headers contain extra characters such as chevrons (< >), an anchored regular expression does not match and the address is not replaced as expected.

Replacement
    Displays the address you want to put in place of the recipient address.

Move
    The search for the pattern is done from the top to the bottom of the list. When a pattern matches, the address is replaced using the replacement. In the case of LDAP lookups, the relevant LDAP query is used.

Add Entry
    Adds a string replacement entry to the list.

Add LDAP Entry
    Adds an LDAP lookup to the list.

Test
    When clicked, opens a further window where you can test whether your regular expression produces the correct replacement address. Type an address as input, then click Check to see the resulting output address.

Export
    When clicked, this link opens a dialog box you can use to export your list of virtual addresses as a text file. The list can be stored on the appliance or on your local computer. The list is a text file in the following format:
        List, search pattern    Replacement
        List, search pattern    Replacement
    Write down the file name and location in case you need to import it.

Import
    When clicked, this link opens a dialog box you can use to navigate to a stored (exported) address list and import it into your current Masquerade window. You can overwrite the existing addresses or append to the existing list.
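The rewrite behaviour described for Sender address masquerading and Recipient address aliasing, including the ^ and $ caveat, modelled in Python as an added example. This is not McAfee Email Gateway code. It assumes that an exported list is one "search pattern,replacement" CSV row per entry in evaluation order, that the pattern is searched inside the raw header value and the first matching entry wins, and it uses a constructed list and sample headers; the recipient header names are a guess, since the guide does not list them.

```python
import csv
import io
import re

# Added example modelling the masquerading behaviour described in the guide;
# not McAfee Email Gateway code. List format, header names for recipient
# aliasing and all sample data below are assumptions made for the example.

# Headers the guide lists as searched by default for sender masquerading.
SENDER_HEADERS = ("Return-Path", "Resent-Sender", "From", "Sender",
                  "Reply-To", "Resent-From")
# Assumed recipient headers for aliasing (not taken from the guide).
RECIPIENT_HEADERS = ("To", "Cc", "Resent-To")


def load_list(text):
    """Parse an exported list. Assumed format: one 'search pattern,replacement'
    CSV row per entry, ordered top (evaluated first) to bottom."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        pattern, replacement = row[0].strip(), row[1].strip()
        entries.append((pattern, re.compile(pattern), replacement))
    return entries


def rewrite_value(value, entries):
    """Apply the first matching entry to one header value.
    The pattern is searched inside the raw header value, so a pattern anchored
    with ^ and $ does not match 'Name <user@example.com>' or '<user@...>' and
    the address is left as it is. Returns (pattern matched, new value)."""
    for pattern, compiled, replacement in entries:
        if compiled.search(value):
            return pattern, compiled.sub(replacement, value, count=1)
    return None, value


def check_address(address, entries):
    """Mirror of the Test dialog: returns (pattern matched, output address)."""
    return rewrite_value(address, entries)


def masquerade_headers(headers, entries, names=SENDER_HEADERS):
    """Return a copy of the headers with every listed header rewritten."""
    out = dict(headers)
    for name in names:
        if name in out:
            _, out[name] = rewrite_value(out[name], entries)
    return out


if __name__ == "__main__":
    # Constructed list: the second entry is anchored and so fails on chevrons.
    rules = load_list("alice@example\\.com,info@example.com\n"
                      "^bob@example\\.com$,info@example.com\n")
    message = {"From": "Alice <alice@example.com>",
               "Sender": "<bob@example.com>",
               "To": "<helpdesk@example.com>"}
    print(masquerade_headers(message, rules))
```

In the sample list, the anchored pattern for bob never fires on a header that wraps the address in chevrons, which is exactly the pitfall the Search pattern description warns about; dropping the anchors, or matching the chevrons explicitly, fixes it.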

Recipient mail headers to search (advanced)

Specify the headers that McAfee Email Gateway searches when using Recipient address aliasing.

Recipient mail headers to search
    Specifies the headers to search within incoming messages. You need only add new headers if your mail server attaches its own unique headers, or if extra headers are defined in new specifications.

Task: Masquerading all incoming messages using an attribute in LDAP to masquerade the sender

Use this task to masquerade all incoming or outgoing messages using an attribute in LDAP.

Before you begin
Ensure that you have a valid connection to an LDAP server, created with a functioning Address Masquerading query.

You can follow the same steps to masquerade a recipient by selecting Add LDAP Entry from the Recipient address aliasing section of the page.

Task
1 Go to Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP).
2 In the Sender address masquerading section, click Add LDAP Entry.
3 Enter a search pattern such as .*@test.dom.
4 In Replacement, select the correct server and address masquerading query, and click Test.
5 In Input address, type the address that you want to masquerade, and click Check. The Pattern matched and Output address fields are populated automatically.
6 Click Close.

When the query is selected, any email that comes from, for example, originalsender@test.dom is replaced with the masqueraded address, such as <masqueraded sender>@test.dom.

Connection and Protocol Settings (POP3)

Use this area to specify settings for the POP3 protocol, such as port numbers and timeouts.

Email | Email Configuration | Protocol Configuration | Connection and Protocol Settings (POP3)

Optionally specify periods when some parts of the network will not be scanned. Before turning off scanning of any traffic, consider the security risks. The most secure option is to scan all traffic.

If an appliance is operating in a transparent mode, use this feature to exclude some parts of the network from scanning of traffic in a protocol during specific periods. You might need to do this if you regularly move many large files through the appliance. Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert.

Basic POP3 settings

Use this area to configure the basic settings for using the POP3 protocol.

Table 4-12 Option definitions

Enable the POP3 protocol
    When deselected, ignores any POP3 traffic. Other traffic is not affected.

Listening ports
    Specifies a port number. The default value is 110.

Transparent interception ports
    Specifies a port number. The default value is 110.

Dedicated POP3 proxy ports
    Specifies connections to dedicated POP servers. Specify a unique port number for each server. Choose port numbers in the range 1024 to 65535, because numbers below 1024 are generally assigned to other protocols. The server must have an FQDN, for example pop3server.example.com.

Click these icons and the port headings to reveal icons for managing the port information:
    Indicates the port number.
    Indicates the traffic that will be intercepted.
    Indicates a period when traffic is not scanned.
    Indicates a dedicated port.

Enable reverse DNS lookups
    When selected, enables the appliance to perform reverse DNS lookups. Default value is Yes.
    Take care if deselecting this setting. If you deny reverse DNS lookups, some functions might fail.

Timeouts

Use this area to specify timeout values for the POP3 protocol. You do not need to change these values often.

Table 4-13 Option definitions

Maximum wait times when talking to a POP3 client
    Specifies how long the appliance waits for responses from the mail client that is retrieving messages. Default values:
    Between commands: 600 seconds
    Completing data transfer: 60 seconds

Maximum wait times when talking to a POP3 server
    Specifies how long the appliance waits for responses from the POP3 server that holds the mailbox. Default values:
    Establishing a connection: 60 seconds
    Completing data transfer: 60 seconds

POP3 protocol settings

Use this section to specify settings that apply only to the POP3 protocol.

Table 4-14 Option definitions

Enable server keepalives
    Specifies values to keep the server connection open. The appliance can repeatedly send a POP3 command to prevent the connection between the appliance and the mail server from timing out. Default values:
    Enable server keepalives: No
    Keepalive interval: 60 seconds
    Keepalive command: Not set

Enable client keepalives
    Specifies values to keep the client connection open. The appliance can repeatedly send a POP3 command to prevent the connection between the appliance and the POP3 mail client from timing out. Default values:
    Enable client keepalives: No
    Keepalive interval: 60 seconds

Address delimiters
    Specifies the characters that identify each part of an address. For example: [user name]#[host name]:[port number]. Default values:
    User delimiter: #
    Host delimiter: :
    You need only change the delimiter characters if your POP3 provider uses different characters.

Respond to CAPA requests
    Responds to a POP3 CAPA command, which returns a list of capabilities supported by the POP3 server. Default value is No. For more information, see the RFC that defines the CAPA command.

Option definitions: Protocol Presets dialog box

Use this dialog box to re-order, create, edit, or remove existing protocol preset policies.

Add network group
    Click to open the Add Network Group dialog box to group together hosts or networks that you want to be associated with each other. Network groups can be used when defining rules for policies and protocol presets by selecting the source or destination network group rule type.

Add Policy
    Click to open the New Preset dialog box.

Order
    Shows the presets in the order in which you want them to be evaluated. The default policy is always evaluated last.

Policy name / Move / Delete
    Lists the presets, and allows you to move or edit them as appropriate. The default policy cannot be modified or deleted.

Option definitions: New Protocol Preset

Use this dialog box to create a protocol preset to apply to a policy. Some of these options might not be available in all instances of creating a new protocol preset.

Policy name
    Type a name for the policy.

Description
    Optionally type a description for the policy to help you identify it.

Inherit settings from
    Select the protocol preset from which you want to inherit the settings; that is, any settings that are not overridden by this protocol preset are taken from the protocol preset specified here.

Policy type
    Select either:
    Physical: A standard policy that has rules available. A physical policy can be triggered when its rules are matched, and can also be used for inheritance.
    Virtual: A virtual policy can be considered to be a collection of settings available for the purposes of inheritance. A virtual policy can never be triggered.
    This option is only available when you create a protocol preset from Email Configuration and virtual hosting has been enabled on the appliance.

Match logic
    Select either:
    Match one or more of the following rules: this policy triggers if any of the specified rules are matched.
    Match all of the following rules: this policy triggers only if all of the specified rules are matched.
    This option is only available when you create a protocol preset from Email Configuration.

Rule type / Move / Edit
    Lists the rules associated with the preset, and allows you to move or edit them as appropriate. This option is only available when you create a protocol preset from Email Configuration.

Add Rule
    Click to specify the type of rule that you want to apply to the preset, and set its Match and Value. This option is only available when you create a protocol preset from Email Configuration.

Add network group
    Click to create a network group to associate with the preset. This option is only available when you create a protocol preset from Email Configuration.

Receiving Email

The Receiving Email tab within Email Configuration enables you to configure settings that are protocol dependent. Further tabs enable you to configure permit and deny lists and anti-relay settings, as well as recipient authentication and bounce address tag validation.

Contents
    Permit and Deny Lists
    Anti-Relay Settings
    Recipient Authentication
    Bounce Address Tag Validation

Permit and Deny Lists

Use this page to build a list of IP addresses, networks, and users that are permitted, blocked, or temporarily blocked from connecting to the appliance.

Email | Email Configuration | Receiving Email | Permit and Deny Lists

The page has these sections:
    Permitted and blocked connections
    Permitted and blocked senders

Benefits of using the permit and deny lists

Use this information to understand the benefits of using the permit and deny lists.

The permit and deny lists for connections and senders are located on a single page within the user interface, allowing you to easily configure these settings. Once set, the permit and deny lists help prevent your users from being swamped by unwanted messages, while helping ensure that messages from trusted senders do not accidentally get blocked.

Option definitions: Permitted and blocked connections

Use this topic to learn where to specify IP addresses that are always permitted or blocked when connecting to the appliance.

Table 4-15 Option definitions: Permitted connections

IP address
    The appliance accepts email from this address even if a detected threat caused a "Deny connection" action. This setting ensures that the appliance does not delay email from trusted senders.

Add
    Adds IP addresses to the Permitted connections list.

Delete
    Removes the selected IP addresses from the Permitted connections list.

Import List / Export List
    To prevent you having to enter the permitted connections individually on each of your appliances, you can import a list of permitted connections. Once you have configured the permitted connections list for one of your appliances, you can export it to be imported onto other appliances. The file is created in comma-separated values (CSV) format.

Table 4-16 Option definitions: Blocked connections

Virtual Host
    Displays the name of the virtual host that received the connection currently being blocked by the appliance.

IP address
    Displays the IP addresses for connections that the appliance is currently blocking. Addresses remain in this list for a specified period, during which email is not accepted.
    Permitting a connection does not override any time constraints set up by the policy that blocks the connection. For example, if a policy states that a connection will be blocked for 600 seconds and you change the connection to permitted within those 600 seconds, the connection continues to be blocked until the 600 seconds have elapsed. This is why a connection can temporarily appear in both the Blocked and Permitted connections lists.

Domain Name
    Displays the domain name associated with the blocked IP address.

Port
    Displays the number of the port on which the message was received. This is typically the standard SMTP port.

Table 4-16 Option definitions: Blocked connections (continued)

VLAN ID
    Displays the ID of the virtual LAN on which the message was received. This is typically 1 to
    Applicable to Transparent Bridge mode only.

Seconds remaining
    Displays the time that must pass before the appliance again allows a connection from this IP address.

Refresh
    When clicked, updates the list of connections. The list is not updated automatically.

Resolve Addresses
    When clicked, the appliance attempts to resolve the IP addresses to show the relevant domain names.

Unblock
    When clicked, allows the selected IP address to try to reconnect.

Store a maximum of (number) items in the blocked connections list
    If the limit is reached, the appliance can only add more IP addresses to the list when an existing address expires or is removed manually by clicking Unblock.

Option definitions: Permitted and blocked senders

Use the information in this topic to specify senders, networks, and domains that are always permitted or blocked when connecting to the appliance.

Table 4-17 Option definitions

Value type (Permitted senders)
    If an email is from a permitted sender, Sender Authentication checks are bypassed and the sender is accepted.

Value (Permitted senders)
    Displays the details of the sender:
    Email address, for example network_user@example.com
    IP address
    Domain name

Value type (Blocked senders)
    If an email is from a blocked sender, it is refused unless there is a corresponding entry in the permitted senders list.

Value (Blocked senders)
    Displays the details of the sender (email address, IP address, and domain name).

Response if a sender is in the block list
    Offers various actions, including:
    Allow through
    Reject and close
    Accept and drop
    Reject, close and deny
    Reject

Resolve permitted / blocked host names to IP addresses
    When selected, causes the appliance to use DNS to resolve host names to IP addresses from a domain name. These lookups take place when the SMTP proxy is initialized. The default value is Yes.

Reverse lookup sender IP address
    When selected, causes the appliance to use DNS to do a reverse lookup of the sending IP address to match domains in the list. Because this requires an extra lookup for each connection, it can affect performance. The default value is No.

Table 4-17 Option definitions (continued)

Import List / Export List
    To prevent you having to enter the permitted or denied senders individually on each of your appliances, you can import lists of permitted or denied senders. Once you have configured the permitted or denied senders list for one of your appliances, you can export the information to be imported onto other appliances. The files are created in comma-separated values (CSV) format.

Task: How do I add a permitted connection?

Use this task to add a permitted connection to your appliance.

Task
1 Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists | Permitted and blocked connections | Permitted connections.
2 Click Add.
3 Type the IP address and the netmask for the connection that you want listed as permitted.
4 Apply the changes.

The specified IP address is added as a new permitted connection.

Task: How do I export my lists of permitted or denied settings?

Use this task to export your lists of either permitted or denied settings. Once you have configured your appliance with your permitted or denied settings, you can export a list of these settings, either as a backup or to import into other appliances.

Task
1 Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.
2 Click Export List for the relevant area (Permitted connections, Permitted senders, or Blocked senders).
3 Click the displayed link to download the list to your local file system.
4 Click Close.

Your list of Permitted connections, Permitted senders, or Blocked senders is downloaded to your local file system.

Task: How do I import a list that I exported from another appliance?

Use this task to import a list that was exported from another appliance. To prevent you having to repeatedly enter the same data into each of your appliances, McAfee Email Gateway enables you to import a list of permitted or denied senders, or of permitted connections, into your appliance.

Task
1 Ensure that you have exported the required list, and that it is located where it can be accessed from your user interface.
2 Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.
3 From the relevant area (Permitted connections, Permitted senders, or Blocked senders), click Import List.

4 Browse to the required file.
5 Click OK.

The selected list is imported onto your appliance.

Anti-Relay Settings

Use this page to prevent the appliance from being used as an open relay.

Email | Email Configuration | Receiving Email | Anti-Relay Settings

Benefits of configuring relaying and anti-relay settings

Understand the importance of preventing the appliance from being used as an open relay.

By default, the appliance is configured as an open relay. This means that anyone can send email messages through it. You must specify the domains that can send and receive email messages. Anti-relay settings are required to ensure that the appliance only handles email for authorized users, and to prevent other people, such as spammers, from using the appliance to forward their messages.

When you first log on to the appliance, a warning is given in the Services portlet on the Dashboard. You must create at least one local domain to prevent the appliance from being used as an open relay. Even if you have a list of domains categorized as permitted domains or denied domains, the lack of a local domain still means that the appliance can be used as an open relay.

The page has these sections:
    Relaying
    Anti-relay options

A typical scenario is that the local domain, such as *.local.dom, accepts messages for delivery by the appliance. You also have a network from which you accept messages, such as a /24 network. The anti-relay feature checks the contents of these lists to determine whether a recipient is acceptable.

The order in which anti-relay checks take place

Use this information to understand the order in which Email Gateway makes the anti-relay checks.

The appliance makes anti-relay checks at the RCPT TO phase of the SMTP conversation. It is important to understand the order in which the anti-relay checks take place:

1 Is the local domain list empty?
    Yes. The appliance operates as an open relay and allows the recipient to receive the message.
    No. The appliance performs the next check.
2 Is the recipient or connection in the permitted domains list?
    Yes. The appliance allows the recipient to receive the message.
    No. The appliance performs the next check.
3 Is the recipient or connection in the denied domains list?
    Yes. The appliance rejects the recipient.
    No. The appliance performs the next check.

4 Is the recipient or connection in the local domain list?
    Yes. The appliance checks whether the recipient matches a permitted routing character.
        Yes. The appliance accepts the recipient.
        No. The appliance checks whether the recipient matches a denied routing character.
            Yes. The appliance rejects the recipient.
            No. The appliance accepts the recipient.
    No. The appliance rejects the recipient.

Option definitions: Relaying

Use this information to specify domains and networks that can use the appliance for handling their email.

Add Domain
    Click to specify the domains that can relay messages through the appliance to the recipient. Choose from:
    Local domain: These are the domains or networks for which email is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains.
    Permitted domain: Email is accepted. Use permitted domains to manage exceptions.
    Denied domain: Email is refused. Use denied domains to manage exceptions.
    Hold your mouse cursor over the field to see the recommended format. You must set up at least one local domain.

Add MX Lookup
    Click to specify a domain that the appliance will use to identify all mail server IP addresses from which it will deliver messages.

Delete Selected Items
    Removes the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration.

Domain Name / Network Address / MX Record Type
    Displays the domain names, wildcard domain names, network addresses, and MX lookups from which the appliance will accept or refuse email.
    Domain name, for example example.dom. The appliance uses this to compare the recipient's address, and to compare the connection against an A record lookup.
    Network address, for example a single host with a /32 mask or a network with a /24 mask. The appliance uses this to compare the recipient's IP literal address (an IP address in square brackets after the @ character), or the connection.
    MX Record Lookup, for example example.dom. The appliance uses this to compare the connection against an MX record lookup.
    Wildcard domain name, for example *.example.dom. The appliance only uses this information to compare the recipient's address.

Category
    One of Local domain, Permitted domain, or Denied domain.

Resolve the above domain names to IP addresses
    If selected, allows the appliance to use DNS to resolve the IP addresses of the domains. These lookups take place only when the SMTP proxy is initialized.

If a sender or recipient is rejected
    Reject: sends an SMTP 550 (permanent failure) response and closes the connection.
    Reject the email and close the connection: sends a rejection code, either an SMTP 550 (permanent failure) response or an SMTP 421 (service temporarily unavailable because of a potential threat) response, then closes the connection.
    Accept and ignore the recipient: sends an acceptance code, SMTP 250 (OK). McAfee does not recommend this option, because it suggests to the sender that the message was received as intended.

Import Lists / Export Lists
    On an appliance from which you want to save a list of domains for the anti-relay specification, click Export Lists to create a comma-separated (CSV) file that contains details of all the domains that you specified on this page, whether they are local, permitted, or denied. On an appliance onto which you want to put the list of domains, click Import Lists. To create your own list, see Formats for export lists later in this section.

Option definitions: Anti-relay options

Use this information to understand the options relating to the anti-relay settings.

Using routing characters (such as %, !, and |) is a method of passing messages between computers. With these characters, unauthorized users can relay messages (often spam) by using computers inside your network. To permit or block this form of relaying, you specify the routing characters, which are in the part of an address before the @ character. By default, the appliance does not support routing characters in addresses.

Permitted routing characters
    Specifies permitted routing characters. Normally you do not need to type any characters here.

Use the default (Permitted routing characters)
    When selected, prevents the use of the following routing characters: *!* *%* *|*

Denied routing characters
    Accepts any of the following character patterns:
    *%*  Right-binding routing character (the % exploit).
    *!*  Local or mail gateway routing.
    *|*  Pipe, which some mail servers use to execute commands.
    *[*]*  Square brackets that enclose a dotted-decimal IP address literal.
    *:*  Colon for multiple hops.
    For example, to block the relaying of addresses whose local part itself contains an @ character, add *@* to the list of denied characters.

Use the default (Denied routing characters)
    When selected, prevents the use of the following routing characters: *!* *%* *|*

Enable routing character checking for sender
    When selected, examines routing characters on outgoing mail.

Protocol preset
    Lists any connection-based policies to which the routing characters setting applies. Click to open the Protocol Presets screen to assign additional policies, or to create new policies or network groups to which the routing characters setting applies.

Task: Creating a simple configuration

Use this task to create a simple configuration that allows controlled relaying of incoming and outgoing messages through your Email Gateway. To allow relaying of incoming messages to your domain, add a wildcard domain. To allow relaying of outgoing messages from your domain, add the IP address or network address of the Message Transfer Agent (MTA):

Task
1 Go to Email | Email Configuration | Receiving Email | Anti-Relay Settings.
2 Click Add Domain.
3 Type the domain name using a wildcard, such as *example.dom.
4 In Category, select Local domain, and click OK.
5 Click Add Domain, and type the network address or the IP address from which you expect to receive messages (such as a single host with a /32 mask, or a network with a /24 mask).
6 In Category, select Local domain, and click OK.

The domains that you specify are allowed to relay incoming or outgoing traffic.

Task: Creating a permitted subdomain based on a larger denied domain

Use this task to create a new permitted subdomain within a larger denied domain. Create the main domain as a denied domain, and add the subdomain as a permitted domain. Because the permitted domains list is checked before the denied domains list, recipients in the subdomain are accepted even though the wider domain is denied.

Task
1 Go to Email | Email Configuration | Receiving Email | Anti-Relay Settings.
2 Click Add Domain.
3 Type the domain name that you want to deny using a wildcard, such as *example.dom, to reject all messages sent to that domain.
4 In Category, select Denied domain, and click OK.
5 Click Add Domain again, and type the name of the subdomain that you want to accept, such as sub.example.dom.
6 In Category, select Permitted domain, and click OK.

The permitted subdomain is created.
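The anti-relay check order, the routing-character patterns, the local-part and domain-part limits from the address parsing options, and the LD/LN/PD/DD list format described under Formats for export lists, modelled together in Python as an added example. This is not McAfee Email Gateway code. It assumes shell-style wildcard matching for domain entries (so *example.dom also matches example.dom itself), leaves out the A record and MX lookups so that it runs offline, and uses a constructed list with TEST-NET addresses and example domains.

```python
import fnmatch
import ipaddress

# Added example modelling the anti-relay check order described in the guide;
# not McAfee Email Gateway code. Assumptions: list entries use the LD/LN/PD/DD
# export format, wildcard domains use shell-style matching, and A record / MX
# lookups are omitted so the code runs offline. All sample data is made up.

MAX_LOCAL_PART = 64     # RFC limits quoted in the address parsing options
MAX_DOMAIN_PART = 255
DEFAULT_DENIED_ROUTING = ("*!*", "*%*", "*|*")   # the appliance defaults


def parse_relay_list(text):
    """Parse 'LD *dom, LN net/cidr, PD *dom, DD *dom' entries (commas or newlines)."""
    lists = {"local": [], "permitted": [], "denied": []}
    for item in text.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(" ")
        value = value.strip()
        if kind == "LD":
            lists["local"].append(value)
        elif kind == "LN":
            lists["local"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "PD":
            lists["permitted"].append(value)
        elif kind == "DD":
            lists["denied"].append(value)
        else:
            raise ValueError("unknown list entry: " + item)
    return lists


def parse_address(address):
    """Split an address into (local part, domain part) and apply the default limits."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("malformed address: " + address)
    if len(local_part) > MAX_LOCAL_PART or len(domain) > MAX_DOMAIN_PART:
        raise ValueError("address part exceeds RFC length limit: " + address)
    if not address.isascii():
        raise ValueError("non-ASCII characters not allowed: " + address)
    return local_part, domain


def _entry_matches(entry, domain, connection_ip):
    """A network entry matches the connecting IP or an IP literal recipient
    (user@[a.b.c.d]); a domain entry is compared with the recipient domain only."""
    if isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        if domain.startswith("[") and domain.endswith("]"):
            try:
                if ipaddress.ip_address(domain[1:-1]) in entry:
                    return True
            except ValueError:
                pass
        return connection_ip in entry
    return fnmatch.fnmatchcase(domain.lower(), entry.lower())


def _has_routing_char(local_part, patterns):
    return any(fnmatch.fnmatchcase(local_part, p) for p in patterns)


def anti_relay_check(recipient, connection_ip, lists,
                     permitted_routing=(), denied_routing=DEFAULT_DENIED_ROUTING):
    """Decide a RCPT TO in the documented order. Returns (accepted, reason)."""
    try:
        local_part, domain = parse_address(recipient)
    except ValueError as exc:
        return False, str(exc)
    ip = ipaddress.ip_address(connection_ip)
    if not lists["local"]:
        return True, "open relay: local domain list is empty"
    if any(_entry_matches(e, domain, ip) for e in lists["permitted"]):
        return True, "permitted domain"
    if any(_entry_matches(e, domain, ip) for e in lists["denied"]):
        return False, "denied domain"
    if any(_entry_matches(e, domain, ip) for e in lists["local"]):
        if _has_routing_char(local_part, permitted_routing):
            return True, "local domain, permitted routing character"
        if _has_routing_char(local_part, denied_routing):
            return False, "local domain, denied routing character"
        return True, "local domain"
    return False, "relaying denied: not a local, permitted or denied domain"


if __name__ == "__main__":
    # Constructed list: TEST-NET addresses and example domains, not real data.
    relay = parse_relay_list("LD *example.dom, LN 192.0.2.0/24, "
                             "PD *qa.ext.example.dom, DD *ext.example.dom")
    for rcpt, src in (("user@example.dom", "203.0.113.9"),
                      ("user@qa.ext.example.dom", "203.0.113.9"),
                      ("user@dev.ext.example.dom", "203.0.113.9"),
                      ("victim%evil.dom@example.dom", "203.0.113.9"),
                      ("outside@other.dom", "192.0.2.25"),
                      ("outside@other.dom", "203.0.113.9")):
        print(rcpt, src, anti_relay_check(rcpt, src, relay))
```

The sample list reproduces the two tasks above in one configuration: the LN entry lets the internal MTA on 192.0.2.0/24 relay outbound mail to any domain, and the PD entry for qa.ext.example.dom is accepted even though *ext.example.dom is denied, because the permitted list is consulted before the denied list. Removing every LD and LN entry turns the check into an open relay, which is the condition the Dashboard warning refers to.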

Task: Create a list of domains and export it to another appliance

Use this task to configure the domains on one appliance, generate a list of these domains, and then import this list onto another appliance.

Task
1 On a master appliance, go to Email Configuration | Receiving Email to set up the local domain, and any permitted or denied domains.
2 Click Export Lists to create a CSV file that contains all domains displayed in the Relaying list.
3 Click the link to download the file, and save it to your local file system.
4 On a secondary appliance, go to Email Configuration | Receiving Email and click Import Lists.

Formats for export lists

Use this information to understand the formats you can use to create an export list. To create a list of domains for an export list, type the domains into a comma-separated values file using the following formats:
To add a local domain, type LD *<domain name>
To add a local network address, type LN <IP address>/<CIDR>
To add a permitted domain, type PD *<domain name>
To add a denied domain, type DD *<domain name>
For example: LD *inbri.bs.dom, LN <network address>/24, PD *qa.ext.bs.dom, DD *ext.bs.dom

Recipient Authentication

Use this page to prevent attacks from zombie networks, bogus recipient names, and directory harvesting.
Email Configuration | Receiving Email | Recipient Authentication
The page has these sections: Greylisting, Recipient Checks, and Directory harvest prevention.

Benefits of using Recipient Authentication

Use this information to understand the benefits of using Recipient Authentication on your McAfee Email Gateway.

Greylisting temporarily rejects messages from unknown senders. A legitimate sending system follows the SMTP protocol for a temporary rejection: it queues the message and retries later. Most "zombie" networks used to send spam do not retry, so their messages never get through.
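The greylisting behaviour described above turns on four timers, which the Greylisting definitions later in this section document (initial retry delay, unretried record lifetime, greylisted record lifetime, maximum number of records), and Directory harvest prevention counts known against unknown recipients. The following added example (illustrative code, not the appliance's implementation) shows both mechanisms on a per-recipient basis, using the documented defaults; the triplet key, the SMTP reply texts, the eviction order near the record cap, and the "failed recipients and accepted percentage" comparison are assumptions.

```python
"""Greylisting and directory-harvest detection, as an added illustration.

Not McAfee code. Records are keyed on the (client IP, MAIL FROM, RCPT TO)
triplet, the usual greylisting key; timers default to the values documented
for the appliance. Times are plain seconds so the logic is testable offline.
"""
import time


class Greylist:
    def __init__(self, initial_retry_delay=3600, unretried_lifetime=4 * 3600,
                 greylisted_lifetime=864 * 3600, max_records=50_000):
        self.delay = initial_retry_delay
        self.unretried_lifetime = unretried_lifetime
        self.greylisted_lifetime = greylisted_lifetime
        self.max_records = max_records
        # triplet -> {"first": first seen, "last": last seen, "passed": bool}
        self.records = {}

    def _expire(self, now):
        for key, rec in list(self.records.items()):
            idle = now - rec["last"]
            if rec["passed"] and idle > self.greylisted_lifetime:
                del self.records[key]          # old whitelisted triplet
            elif not rec["passed"] and idle > self.unretried_lifetime:
                del self.records[key]          # sender never retried
        if len(self.records) >= self.max_records:
            # Near the cap, drop the least recently seen records (assumption).
            oldest = sorted(self.records, key=lambda k: self.records[k]["last"])
            for key in oldest[: len(self.records) - self.max_records + 1]:
                del self.records[key]

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return the (code, text) reply for one RCPT TO command."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = {"first": now, "last": now, "passed": False}
            return 451, "4.7.1 Greylisted, please try again later"
        rec["last"] = now
        if rec["passed"] or now - rec["first"] >= self.delay:
            rec["passed"] = True               # a real MTA waited and retried
            return 250, "2.1.5 Recipient OK"
        # Retried before the initial delay elapsed: bots that hammer retries still fail.
        return 451, "4.7.1 Greylisted, please try again later"


class DirectoryHarvestDetector:
    """Per-connection recipient accounting for Directory Harvest Prevention.

    Defaults follow the documented thresholds: 5 failed recipients and 10%
    accepted. Assumption: an attack is 'at least max_failed failures AND the
    accepted share is at or below the percentage'.
    """

    def __init__(self, max_failed=5, accepted_percent=10.0):
        self.max_failed = max_failed
        self.accepted_percent = accepted_percent
        self.failed = 0
        self.accepted = 0

    def record(self, recipient_known):
        if recipient_known:
            self.accepted += 1
        else:
            self.failed += 1

    def is_attack(self):
        total = self.failed + self.accepted
        if total == 0 or self.failed < self.max_failed:
            return False
        return 100.0 * self.accepted / total <= self.accepted_percent


if __name__ == "__main__":
    g = Greylist()
    print(g.check("198.51.100.9", "a@b.test", "u@example.dom", now=1000))   # first try: 451
    print(g.check("198.51.100.9", "a@b.test", "u@example.dom", now=1300))   # too early: 451
    print(g.check("198.51.100.9", "a@b.test", "u@example.dom", now=4600))   # one hour later: 250
    d = DirectoryHarvestDetector()
    for known in [False] * 5 + [True]:                                       # a constructed probe run
        d.record(known)
    print("harvest attack:", d.is_attack())
```

Two practical points fall out of the code. A retry that arrives before the initial delay is rejected again, which is why the default of one hour matches typical MTA retry schedules rather than exceeding them; and the detector only fires once enough failures have accumulated, so the "Accept and ignore" recipient action, which reports every recipient as accepted, starves it of the failures it needs.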
Recipient checks help prevent directory harvest attacks and flooding attacks (where large volumes of messages are directed at your servers in the hope that some reach valid addresses). Recipient checks work by you providing information about the genuine recipients of messages within your organization. This information may already be available from your LDAP servers. You can also import lists of recipient addresses from a file.

This option is intended for small companies that can easily maintain a list of recipients. For larger companies, consider using LDAP directory services to provide attributes to the appliance (Group Management | Directory Services).

Directory harvest prevention compares the number of messages being sent to known and unknown addresses within your organization. From this, the appliance can identify when a directory harvest is taking place, and can take steps to minimize the impact of the attack.

Option definitions: Greylisting

Use this information to learn about the options available for configuring greylisting on your McAfee Email Gateway. Use this section to create a greylist, which is effective against attacks from unknown senders such as zombie networks. Greylisting temporarily rejects email from new senders to resist spam attacks.

Protocol preset: Specifies the policy (and network group) to which these settings apply.
Accept SMTP callback requests: If selected, overcomes delays caused by devices that use SMTP callbacks (sender address verification) to prevent spam, so that the verifying server's callback connection is not itself greylisted.
Initial retry delay: Specifies how long to reject any early attempt to resend the email. The default value is 3600 seconds (1 hour). Many mail servers typically try to resend after one hour. The range extends up to 1 day, expressed in seconds.
Unretried record lifetime: Specifies how long to keep a record where the sender has not tried to send another message. After this time, the appliance deletes the record of any triplet that has not been retried. We recommend a value below 8 hours. The range is up to 96 hours (4 days). Default value is 4 hours.
Greylisted record lifetime: Specifies how long to keep a greylisted record. The appliance deletes records of triplets that have not been referenced for some time. The range is up to 2160 hours (90 days). Default value is 864 hours (36 days), which is suitable for occasional mail like monthly newsletters.
Maximum number of records: Specifies the maximum number of greylisted records. When the number of records approaches this value, the appliance starts deleting old records. The range is 50,000 to 2,000,000. Default value is not captured in this copy of the guide.

Option definitions: Recipient Checks

Use this information to learn about the options available within the user interface for configuring recipient checks. Use this section to prevent directory harvest attacks and attacks that issue large numbers of messages (known as flooding). You can provide the appliance with a list of permitted recipients. Your network might already have this information on its LDAP servers. Alternatively, you can import a list of addresses from a text file.

Protocol preset: Specifies the policy (and network group) to which these settings apply.
If the recipient is not in the following list: When selected, checks the recipient address against the addresses in the list.
Email address: Lists the acceptable addresses. You can use wildcards, for example user*@example.com. Do not overuse wildcards: a pattern that matches most local parts accepts the guesses a directory harvest makes, which defeats the purpose of the check. Add or remove addresses as necessary.

Or if the recipient does not satisfy the query: When selected, checks the recipient address against the LDAP directory. To connect to an LDAP server, select Group Management | Directory Services and click Add Server.
Take the following action:
  Accept and ignore the recipient: Accepts the message and discards it. The appliance sends an acceptance code (SMTP 250 OK). We do not recommend this option because it suggests to the sender that the message was received as intended, and silently accepting every recipient also hides the failures that directory harvest prevention counts.
  Reject: Sends a rejection code (SMTP 550 Fail). We recommend this option because the sender is normally informed that the message was not accepted.

Option definitions: Directory harvest prevention

Use this information to learn about the options available within the user interface for configuring directory harvest prevention. Use this section to prevent directory harvest attacks. The appliance examines the number of known and unknown addresses to determine whether an attack is taking place. When used with some servers, Directory Harvest Prevention might not function as expected.

Table 4-18 Option definitions
Protocol preset: Specifies the policy (and network group) to which these settings apply.
When the appliance is in transparent mode:
  None: Takes no action.
  Tarpit: Delays the response to an email that has several recipient addresses.
  Tarpit then deny connection: Delays the response to the email, then adds the sender to the Denied Connections list.
  Deny connection: Adds the sender to the Denied Connections list.
  Default value is Deny connection.
When the appliance is in proxy mode:
  None: Takes no action.
  Deny connection: Adds the sender to the Denied Connections list.
  Default value is Deny connection.
When an email has been deferred and is being retried:
  None: Takes no action.
  Deny connection: Adds the sender to the Denied Connections list.
  Deny connection and quarantine: Adds the sender to the Denied Connections list, then forwards the email to a quarantine area.
  Default value is Deny connection and quarantine.
Response delay: When a tarpit action is selected, specifies the delay in responding to this email. Default value is 5 seconds. This is often enough to deter an attack, because a harvester that must wait several seconds per probe cannot enumerate a directory quickly.

Table 4-18 Option definitions (continued)
Maximum number of recipients: When a tarpit action is selected, specifies how many recipient addresses each email may have. Default value is 10. A delay is applied if there are too many recipient addresses in the message.
A directory harvesting attack...: Defines this type of attack. Default values are 5 failed recipients and 10% accepted recipients. Email that falls outside this specification is not considered to be an attack, so no action is taken.

Task: Block all incoming email where the user does not exist in LDAP

Use this task to block all incoming messages where the user does not exist in LDAP.

Task
1 Go to Email Configuration | Receiving Email | Recipient Authentication | Recipient checks.
2 Select Or if the recipient does not satisfy the query and select the desired Valid recipient query for the LDAP server.
3 Select the action that you want to take.
4 Apply the configuration changes to the appliance.

Bounce Address Tag Validation

Use this page to combat backscatter: bounced email that was not originally sent from your organization.
Email Configuration | Receiving Email | Bounce Address Tag Validation

If a Mail Transfer Agent (MTA) cannot deliver an email message, the MTA returns (or "bounces") the message to the sender using the return address in the message. Unfortunately, spam messages often carry a forged (spoofed) return address, so the bounce often goes to an innocent organization. This type of email is known as backscatter. During a spam attack, your organization might receive many such messages.

Benefits of using Bounce Address Tag Validation

Bounce Address Tag Validation (BATV) enables your organization to ignore any backscatter message by checking whether your organization was its original sender. The appliance can attach a cryptographic signature (or tag), derived from a secret seed, to the SMTP MAIL FROM address on every outgoing message. When a bounced email arrives, the appliance looks for the tag in the bounce's recipient address, and rejects any message that has no tag or has an invalid tag. Such a message cannot be a genuine bounce of a message you sent.

BATV can be implemented on a per-policy basis, using suitably configured Protocol presets. For more information about BATV, see the IETF Internet-Draft draft-levine-batv-03.txt.

If email is handled by several appliances, for example one appliance handles outgoing email while another handles incoming email, all the appliances need the same signature seed and signature lifetime, otherwise the verifying appliance rejects bounces of mail the signing appliance sent. To distribute the information between your appliances, use the import and export features in the interface.

Option definitions: Bounce Address Tag Validation

Use this information to learn about the controls available within the user interface for configuring Bounce Address Tag Validation.

Enable bounce address tag validation: Select to configure BATV on your appliance.
Signature lifetime: Specifies how long a signature seed is used to sign outgoing email. Mail servers typically try to deliver mail for up to four days, so a bounce can arrive that long after the original was sent. McAfee recommends a value of 4-7 days.
Signature seed: Specifies a seed for signing the sender's address. Use only letters, numbers and space characters. The acceptable length is 4-64 characters. Type a seed that is not easy to guess: the seed is a shared secret, and anyone who learns it can forge valid tags and deliver backscatter through the check, so protect exported settings files accordingly.
Generate: When clicked, generates a signature seed of 20 random letters and numbers. You can use this method instead of typing your own signature seed.
Import settings: When clicked, opens a file browser to import a text file that contains BATV settings from another appliance.
Export settings: When clicked, opens a file browser to create a text file that contains BATV settings for use by another appliance.

Table 4-19 Option definitions: Bounce Address Tag Validation Actions
Protocol preset: Select a Protocol preset to configure per-policy actions for BATV on your appliance. Select Create a new preset if you need to define a new preset. Click the link to open a dialog box that lets you reorder your existing protocol presets.
When validation fails: Specifies how the appliance must handle each invalid bounced message. The available options are Allow through and Reject. You can assign different actions for each preset.

When you enable BATV tagging, the maximum length of the local part of the MAIL FROM address used by the appliance increases by 16 characters. Adjust your configuration to allow up to 80 characters so that BATV-tagged addresses are accepted. To do this, go to Email Configuration | Protocol Configuration | Protocol Settings (SMTP) | Address Parsing Options and change the maximum length.
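As an added example of what the tag looks like on the wire (illustrative code, not the appliance's implementation), the following follows the "prvs" scheme of draft-levine-batv: the local part becomes prvs=KDDDSSSSSS=original-local-part, which is exactly the 16-character growth noted above (prvs= plus a one-digit key id, a three-digit expiry day and a six-hex-digit signature, plus the separating =). The hash function (HMAC-SHA256, truncated) and the key-id handling are my choices; McAfee does not document which function the appliance uses. The seed constraints (4-64 letters, digits or spaces) follow the definitions above, and the addresses and seed are constructed for the example.

```python
"""BATV 'prvs' tagging and verification (draft-levine-batv style).

Added example, not McAfee code. Assumptions: HMAC-SHA256 truncated to six
hex digits as the signature, and a single-digit key id so that several seeds
can overlap during rotation. Day numbers are passed in explicitly so the
functions are deterministic.
"""
import hashlib
import hmac
import re

PRVS_RE = re.compile(r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<loc>.+)$")


def _sig(seed, key_id, ddd, loc_core):
    msg = f"{key_id}{ddd}{loc_core}".encode()
    return hmac.new(seed.encode(), msg, hashlib.sha256).hexdigest()[:6]


def batv_sign(address, seed, key_id, today_days, lifetime_days=7):
    """Return the tagged MAIL FROM address. today_days is days since the epoch."""
    if not (4 <= len(seed) <= 64) or not re.fullmatch(r"[A-Za-z0-9 ]+", seed):
        raise ValueError("seed must be 4-64 letters, digits or spaces")
    loc_core, _, domain = address.rpartition("@")
    if not loc_core or not domain:
        raise ValueError("address must be local-part@domain")
    ddd = f"{(today_days + lifetime_days) % 1000:03d}"   # expiry day, modulo 1000
    tag = f"prvs={key_id}{ddd}{_sig(seed, key_id, ddd, loc_core)}"
    return f"{tag}={loc_core}@{domain}"


def batv_verify(address, seeds, today_days):
    """Check the recipient of an inbound bounce (a message with MAIL FROM <>).

    seeds maps key id -> seed. Returns (ok, reason, original_address).
    """
    loc, _, domain = address.rpartition("@")
    m = PRVS_RE.match(loc)
    if not m:
        return False, "no BATV tag: cannot be a bounce of mail we sent", address
    seed = seeds.get(m["k"])
    if seed is None:
        return False, "unknown key id", address
    expected = _sig(seed, m["k"], m["ddd"], m["loc"])
    if not hmac.compare_digest(expected, m["sig"]):
        return False, "bad signature", address
    # DDD is the expiry day modulo 1000; treat the half-ring ahead of today as valid.
    if (int(m["ddd"]) - today_days) % 1000 > 500:
        return False, "tag expired", address
    return True, "valid", f"{m['loc']}@{domain}"


if __name__ == "__main__":
    seeds = {"0": "correct horse battery"}       # constructed seed, key id 0
    tagged = batv_sign("user@example.dom", seeds["0"], "0", today_days=15000)
    print(tagged)                                  # prvs=0007xxxxxx=user@example.dom
    print(batv_verify(tagged, seeds, today_days=15003))   # valid, within lifetime
    print(batv_verify(tagged, seeds, today_days=15010))   # expired
    print(batv_verify("user@example.dom", seeds, today_days=15003))  # untagged: reject
```

Because the tag includes the original local part, a bounce addressed to a tagged address with a different local part fails the signature check; and because only addresses the appliance signed can carry a valid tag, the check must be active on every appliance that receives bounces for the domain.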
Sending Email

Use this page to specify how the appliance delivers messages.
Email Configuration | Sending Email

The page has these sections: Delivering email, Postmaster address, Enable digests, DKIM signing, and Queued delivery.

Benefits of using the Sending Email features

This information explains some of the benefits of using the Sending Email features found within McAfee Email Gateway. The features and options found within the Sending Email tab enable you to configure the methods the appliance uses to send messages onward, so that you can choose the options that best suit your existing network and configuration.

Option definitions: Delivering email

Use this information to understand how the appliance tries to deliver email, based on the domain part of the recipient's address. In a To field, the domain part of an address such as aaa@example.com is example.com. Using the recipient's domain, the appliance uses the following logic to decide how it delivers a message:
1 If the recipient's domain matches an entry in Domain Routing, it uses those relays to deliver the message.
2 Otherwise, if DNS lookup is enabled, it performs an MX record lookup and delivers using DNS. If no MX records are available, it attempts the delivery using an A record lookup. MX delivery is attempted to hosts in the order of priority returned by the DNS server.
3 If it cannot deliver using one of the previous methods, it uses the fallback relays, provided that the recipient's domain matches an entry in the Fallback relays field.
4 If the domain does not exist, the appliance generates a non-delivery report and sends it to the originator.
5 If the receiving server cannot accept delivery, or there are no IP addresses to complete the delivery, the message is queued.

Import Lists: Click the link to open the Import Lists dialog box.
Export Lists: Click the link to open the Export Lists dialog box.

Domain Routing: Displays a list of domains. This list allows you to specify a relay, or a set of relays, to be used to deliver messages destined for specific domains. Domains can be identified using exact matches, or using pattern matches such as *.example.com.
  Click Add Relay List to populate the Domain Routing table with a list of host names or IP addresses for delivery. Delivery is attempted in the order specified unless you select the Round robin the above hosts option, which distributes the load between the specified hosts. Host names and IP addresses may include a port number.
  Click Add MX Lookup to populate the Domain Routing table with an MX record lookup to determine the IP addresses for delivery. Delivery is attempted to the host names returned by the MX lookup in the order of priority given by the DNS server.
  Click Add LDAP Lookup to populate the Domain Routing table with an LDAP lookup to determine the Home Mail Transfer Agent (MTA) to be used for emails to the specified domain. Only LDAP servers that have already been set up in Group Management | Directory Services | Add Server appear on this list.
  Use an IPv4 or IPv6 address with an optional port number, or a fully qualified domain name: for example an IPv4 address on its own, an IPv4 address followed by :25, 2001:db8:ac10:fe01:205:2cff:fe03:2a45, or mailrelay.mydomain1.dom. If you specify a fully qualified domain name, the appliance does an A record lookup to determine the IP address. To specify multiple relays for a single domain, separate each with a space. If the first mail relay is accepting email, all email is delivered to the first relay. If that relay stops accepting email, subsequent email is delivered to the next relay in the list.

Enable DNS lookup for domains not listed above: If selected, the appliance uses DNS to route email for other, unspecified domains. DNS delivery attempts an MX record lookup; if there are no MX records, it does an A record lookup. If you deselect this checkbox, the appliance delivers only to the domains that are specified under Domain Routing.
Fallback relays for unreachable domains: Specifies the fallback relays. If delivery is unsuccessful by any other method, and the domain matches an entry in this list, the appliance uses the information in this list to determine a host to use for delivery.
  Click Add Relay List to populate the table with a list of host names or IP addresses for delivery. Delivery is attempted using the hosts in the order specified unless you select the Round robin the above hosts option, which distributes the load between the specified hosts. Host names and IP addresses may include a port number.
  Click Add MX Lookup to populate the table with an MX record lookup to determine the IP addresses for delivery. Delivery is attempted to the host names returned by the MX lookup in the order of priority given by the DNS server.
  Click Add LDAP Lookup to populate the table with an LDAP lookup to determine the Home Mail Transfer Agent (MTA) to be used for emails to the specified domain. Only LDAP servers that have already been set up in Group Management | Directory Services | Add Server appear on this list.

Option definitions: Postmaster address

Use this information to understand the importance of assigning a postmaster address, and how to do this. McAfee recommends that you assign a postmaster, so that queries from your users are handled promptly. The postmaster must be someone who reads email regularly. You can use the name of a single user or a distribution list.

Postmaster address: Specifies an address to which the appliance delivers email that has a recipient of postmaster. We recommend that you specify an address here, so that any delivery problems are handled promptly. You can specify a distribution list or a single user who reads email regularly.

Option definitions: Enable digests

Use this information to understand the options available for configuring quarantine digest messages.

Enable digest messages: Specifies whether to enable digest messages for the selected protocol preset.
Status message: Reminds you that digest messages are enabled for this protocol preset.
Protocol preset: Allows you to make settings for any exception to the default setting. For example, you can specify that some parts of the network do not use digest messages.

Option definitions: DKIM signing

Use this information to understand DKIM signing, and to view the available options for configuring DKIM signing.

The DomainKeys Identified Mail (DKIM) technique uses RSA private and public keys and DNS TXT records to enable the recipient to verify the identity of an email sender. The sender signs the message with a private key by adding an extra header, the DKIM-Signature header. The signature is computed over a hash of the message body and selected headers such as From and Subject, and that hash is signed with the sender's private key. Recipients verify that the message is genuine by querying the signer's domain to retrieve the signer's public key from a DNS TXT record, then checking that the email and its signature match. The recipient can therefore be confident that the email was sent from the stated domain and that the signed parts were not altered in transit. Note that DKIM proves the signing domain, not the individual sender, and it says nothing about whether the message is wanted.

The appliance can verify signatures on incoming mail and attach signatures to outgoing mail. For information about DomainKeys Identified Mail (DKIM), see the IETF specification, RFC 6376, on the Internet Engineering Task Force website.

Use this section to create a DomainKeys Identified Mail (DKIM) key.

Enable DKIM signing: When selected, adds a DKIM-Signature header (a digital signature) to each message as it is sent. You must add a key before you can enable DKIM signing.
Domain name and Selector: During verification, the recipient extracts your Domain Name and Selector from the signature to retrieve the public key associated with the appliance's private signing key. For example, if your Selector is mail and your Domain Name is example.com, the recipient issues a DNS query for the TXT record of mail._domainkey.example.com.
Signing key: Select the key to be used to sign the messages.
DKIM signing keys: Allows you to create signing keys from a number of parameters.
Export: When clicked, allows you to save the private key to a file, in case the original private key is lost or erased. The exported file lets anyone who holds it sign mail as your domain, so store it as you would any other private key.
View Public Key: Place the public key on your DNS server, or give it to your Internet Service Provider, so that recipients can verify email from your organization.

Import Key: Select this to import an existing DKIM key onto your system.
Advanced options: This section enables you to select specific advanced options that relate to the way your appliance signs messages. From this area, you can choose:
  What to sign: either All headers or Selected headers. Click the linked text to select the individual headers to sign.
  Header canonicalization: either Simple or Relaxed canonicalization for the headers.
  Body canonicalization: either Simple or Relaxed canonicalization for the body text. Relaxed tolerates the whitespace changes that intermediate mail systems commonly make, so it produces fewer verification failures than Simple.
  Key expiry: either a key that does not expire, or an expiry date for the key.
  Signing identity: an optional signing identity to add to your DKIM signatures.

Option definitions: Queued delivery

Use this information to understand how to specify the handling of delivery if the first attempt to send an email is not successful. You do not normally need to change these settings. Use the Per domain settings section to specify how the appliance delivers email intended for known domains. The options outside this section apply to email for all other destinations.

Table 4-20 Option definitions
Maximum number of connections open at any one time: Default value is 500.
Time before an NDR is issued: Specifies how long the appliance tries to deliver an email message before sending a non-delivery report (NDR) to its sender. Default value is 108 hours (4.5 days).
Domain: Specifies a domain to which the appliance delivers many messages during a single connection. To set the priority for delivery, click the icons in the Move column. An asterisk (*) indicates all domains.
Retry Interval (success) and Retry Interval (failure): Specifies how often to retry delivery to the specified domain. By default, further email is sent every 1 minute if the previous email was sent successfully. If a previous attempt failed, the appliance waits 10 minutes before trying again.
Maximum open connections and Emails per connection:
Specifies other options that control the rate of delivery to this domain.

Task: Deliver all email using MX record delivery

By default, your Email Gateway uses MX records to deliver all email.

Task
Use the default settings. Your Email Gateway uses MX records to deliver all email by default.
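The Simple and Relaxed choices under DKIM signing's Advanced options are two canonicalization algorithms from RFC 6376, and the body hash they feed (the bh= tag of the DKIM-Signature header) is computed before any RSA operation. The following added example (illustrative code, not the appliance's implementation) shows both algorithms, the body hash, and the DNS name a verifier queries for a selector; it stops short of the b= signature, which needs the private key. The sample headers and body are constructed.

```python
"""DKIM canonicalization, body hash and selector record name (RFC 6376).

Added example, not McAfee code. Implements header and body canonicalization
in both Simple and Relaxed forms and the SHA-256 body hash that goes into
the bh= tag. The RSA signing step (b=) is deliberately omitted.
"""
import base64
import hashlib
import re


def _crlf(text):
    """Normalise line endings to CRLF, which DKIM computes over."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n")


def canonicalize_header_simple(name, value):
    """Simple: the header field is used exactly as it appears."""
    return f"{name}:{value}\r\n"


def canonicalize_header_relaxed(name, value):
    """Relaxed: lower-case the name, unfold, collapse WSP runs, trim both ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse runs of WSP
    return f"{name.lower()}:{value}\r\n"


def canonicalize_body_simple(body):
    """Simple: drop trailing empty lines; an empty body becomes a single CRLF."""
    body = _crlf(body).rstrip("\r\n")
    return body + "\r\n"


def canonicalize_body_relaxed(body):
    """Relaxed: also collapse WSP runs and strip trailing WSP on every line;
    an empty body canonicalizes to nothing at all."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in _crlf(body).split("\r\n")]
    body = "\r\n".join(lines).rstrip("\r\n")
    return body + "\r\n" if body else ""


def body_hash(body, relaxed=True):
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    canon = canonicalize_body_relaxed(body) if relaxed else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def selector_record_name(selector, domain):
    """The TXT record a verifier queries for the public key."""
    return f"{selector}._domainkey.{domain}"


if __name__ == "__main__":
    # Constructed sample: a folded Subject header and a body with stray whitespace.
    print(repr(canonicalize_header_relaxed("Subject", "  Hello \r\n  world ")))
    sample_body = "Hi   there \r\n\r\n\r\n"
    print(repr(canonicalize_body_simple(sample_body)), repr(canonicalize_body_relaxed(sample_body)))
    print("bh (relaxed):", body_hash(sample_body))
    print("bh (simple): ", body_hash(sample_body, relaxed=False))
    print(selector_record_name("mail", "example.com"))
```

The two body hashes differ for the same input, which is the practical point: a verifier must use the canonicalization named in the signature's c= tag, and a message whose whitespace is rewritten in transit survives only under Relaxed.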

Task: Deliver all email to a specific domain using round robin delivery

Use this task to deliver all email to a specific domain using round robin delivery.

Task
1 Go to Email Configuration | Sending Email.
2 In Delivering email, click Add Relay List.
3 In Domain name, type example.com.
4 Click Add Host and type internal1.mailserver.com and internal2.mailserver.com.
5 Select Round robin the above hosts.

Your gateway is configured to deliver all email to the specified domain using round robin delivery.

Task: Use MX to manage your delivery to a specific domain

Use this task to use your own MX environment to deliver messages to a specific domain. You can use your own MX environment to manage your infrastructure externally. For example, mx.mailserver.com could be set up to give either priority or round robin delivery.

Task
1 Go to Email Configuration | Sending Email.
2 In Delivering email, click Add MX Lookup.
3 In Domain name, type example.com.
4 In MX record, type mx.mailserver.com.

Your messages sent to the specified domain are delivered using MX lookup.

Task: Use a specified LDAP server to deliver email for a specific domain

Use this task to specify that messages to a particular domain are routed using a Home MTA lookup on a specified LDAP server.

Before you begin
You must configure your appliance to use the required LDAP server in Group Management | Directory Services | Add Server before using this feature. You also need to ensure that the Home MTA queries in the Add Server wizard match the configuration of your LDAP directory services.

Task
1 Go to Email Configuration | Sending Email.
2 In Delivering email, click Add LDAP Lookup.
3 In Domain name, type example.com.
4 In Directory servers, select the LDAP directory server to be used to deliver messages to the domain specified in Domain name.

The specified LDAP server is used to route messages for the selected domain.

Task: Deliver all failed deliveries to a specific server

Use this task to ensure that all failed message deliveries are sent to a specific server.

Task
1 Go to Email Configuration | Sending Email.
2 In Fallback relays for unreachable domains, click Add Relay List.
3 In Domain name, type *.
4 Click Add Host, and type internal3.mailserver.com.

All failed message deliveries are now sent to the specified server.

Task: Deliver the email for a user to the Home MTA attribute defined in LDAP

Use this task to deliver a message for a user to the Home Message Transfer Agent attribute defined in LDAP.

Task
1 Go to Email Configuration | Sending Email.
2 In the Domain Routing area under Delivering email, select Add LDAP Lookup.
3 In the Domain name field, add the domain name of the recipients on which you want to perform the LDAP lookups.
4 Select the server from the list of directory servers, and click OK.

Sending Email: Add Relay List dialog box and Add MX Lookup dialog box

Add a relay to the lists for sending email, or use MX lookups.

Table 4-21 Add Relay List dialog box
Domain name: Enter the domain name to which the new relay applies.
Relay host: Shows the relay hosts that are already configured.
Add Host: Click to add a new host to the relay Hosts list.
Delete Selected Hosts: To delete relays listed in the lists, select the relevant relays, and click Delete Selected Hosts.
Round robin the above hosts: Select this to use the hosts in a round robin when sending email.

Table 4-22 Add MX Lookup dialog box
Domain name: Enter the domain name to which the lookup applies.
MX record: Enter the MX lookup information that determines the IP addresses for delivery.
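The delivery logic described under Delivering email, together with the tasks above (a round-robin relay list, an MX lookup, an LDAP Home MTA lookup, and a catch-all fallback relay), can be worked through end to end with in-memory stand-ins for DNS and LDAP. The following added example is illustrative code, not the appliance's implementation: the order in which the methods are consulted follows the text above, but the round-robin counter, the behaviour when an LDAP lookup finds no Home MTA, and all host names, addresses and records are assumptions constructed for the example.

```python
"""Delivery routing decision for a recipient, modelled on Delivering email.

Added example, not McAfee code. DNS and LDAP are replaced by dictionaries so
the decision is reproducible offline: mx_table maps a name to (priority,
host) records, a_table maps a host to an address, ldap_home_mta maps a
recipient address to its Home MTA.
"""
from fnmatch import fnmatchcase


class Router:
    def __init__(self, domain_routing, dns_enabled, fallback_relays,
                 mx_table, a_table, ldap_home_mta):
        self.domain_routing = domain_routing    # [(pattern, kind, value)]
        self.dns_enabled = dns_enabled
        self.fallback_relays = fallback_relays  # [(pattern, [hosts])]
        self.mx_table = mx_table
        self.a_table = a_table
        self.ldap_home_mta = ldap_home_mta
        self._rr = {}                           # per-pattern round-robin position

    def _mx_hosts(self, name):
        """MX lookup in priority order, falling back to an A record for the name."""
        records = self.mx_table.get(name)
        if records:
            return [host for _, host in sorted(records)]
        return [name] if name in self.a_table else []

    def _relay_hosts(self, pattern, hosts, round_robin):
        if not round_robin:
            return list(hosts)                  # first host until it stops accepting
        start = self._rr.get(pattern, 0)
        self._rr[pattern] = (start + 1) % len(hosts)
        return hosts[start:] + hosts[:start]    # rotate the starting host each time

    def route(self, recipient):
        """Return (method, ordered list of hosts to try)."""
        domain = recipient.rpartition("@")[2].lower()
        for pattern, kind, value in self.domain_routing:
            if not fnmatchcase(domain, pattern):
                continue
            if kind == "relay":
                hosts, round_robin = value
                return "domain routing", self._relay_hosts(pattern, hosts, round_robin)
            if kind == "mx":
                return "domain routing (MX)", self._mx_hosts(value)
            if kind == "ldap":
                home = self.ldap_home_mta.get(recipient.lower())
                if home:
                    return "domain routing (LDAP home MTA)", [home]
                break                           # assumption: no Home MTA, try other methods
        if self.dns_enabled:
            hosts = self._mx_hosts(domain)
            if hosts:
                return "DNS", hosts
        for pattern, hosts in self.fallback_relays:
            if fnmatchcase(domain, pattern):
                return "fallback relay", list(hosts)
        if domain not in self.mx_table and domain not in self.a_table:
            return "NDR: domain does not exist", []
        return "queued", []


if __name__ == "__main__":
    # Constructed configuration mirroring the tasks in this section.
    r = Router(
        domain_routing=[
            ("example.com", "relay", (["internal1.mailserver.com", "internal2.mailserver.com"], True)),
            ("partner.test", "mx", "mx.mailserver.com"),
            ("*.corp.test", "ldap", "ldap-server-1"),
        ],
        dns_enabled=True,
        fallback_relays=[("*", ["internal3.mailserver.com"])],
        mx_table={"mx.mailserver.com": [(20, "b.mx.test"), (10, "a.mx.test")],
                  "public.test": [(10, "mx1.public.test")]},
        a_table={"alone.test": "192.0.2.9"},
        ldap_home_mta={"bob@eng.corp.test": "mta-eng.corp.test"},
    )
    for rcpt in ["a@example.com", "b@example.com", "x@partner.test",
                 "bob@eng.corp.test", "u@public.test", "u@alone.test", "u@nowhere.test"]:
        print(rcpt, "->", r.route(rcpt))
```

Note what the catch-all fallback relay does: any domain that cannot be resolved, including a typo in a recipient address, is handed to internal3.mailserver.com instead of producing a non-delivery report, so that relay must be prepared to generate the NDR itself.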

Anti-Relay Settings: Add Domain dialog box and Add MX Lookup dialog box

Add a domain to the lists for receiving email, or use MX lookups.

Table 4-23 Option definitions: Add Domain dialog box
Domain name: The domain to add.
Category: Define the type of domain, either Local domain, Permitted domain, or Denied domain.

Table 4-24 Option definitions: Add MX Lookup dialog box
MX record: To have McAfee Email Gateway do a mail exchange record lookup for the domain example.dom, type the MX record name, server1.example.dom, here, with example.dom as the domain name. You can only enter one MX record per domain name.
Category: Define the type of domain, either Local domain, Permitted domain, or Denied domain.

Email Policies

Use this page to view and configure policies relating to your email traffic.

Introduction to policies

The appliance uses policies that describe the actions the appliance must take against threats such as viruses, spam, unwanted files, and the loss of confidential information. Policies are collections of rules or settings that can be applied to specific types of traffic or to groups of users.

SMTP policies

Email Gateway provides the following features when scanning the SMTP protocol (Email | Email Policies | SMTP):
Anti-Virus, including: Anti-virus; McAfee GTI file reputation; McAfee Anti-Spyware; Packer detection.
Spam, including: Spam; Phish; Sender Authentication; McAfee GTI message reputation.
Compliance, including: File filtering; Image filtering; Data Loss Prevention; Signed or encrypted content; Mail size filtering; McAfee GTI URL reputation; Compliance.
Policy Options, including: Scanning limits; Notification and routing; Content handling; McAfee GTI feedback; Alert settings; Encryption.

POP3 policies

Email Gateway provides the following features when scanning the POP3 protocol (Email | Email Policies | POP3):
Anti-Virus, including: Anti-virus; McAfee GTI file reputation; McAfee Anti-Spyware; Packer detection.

Spam, including: Spam; Phish.
Compliance, including: Mail size filtering; Image filtering; Signed or encrypted content.
Scanner Options, including: Scanning limits; Content handling; Alert settings.

Secure Web Mail policies

McAfee Email Gateway provides the following policies when using the Secure Web Mail client to send messages (Email | Email Policies | McAfee Secure Web Mail):
Anti-Virus, including: Anti-virus; McAfee GTI file reputation; McAfee Anti-Spyware; Packer detection.
Spam, including: Spam; Phish.
Compliance, including: File filtering; Compliance; Data Loss Prevention; Image filtering; Mail size filtering; Signed or encrypted content.
Scanner Options, including: Scanning limits; Notification and routing; Content handling; McAfee GTI feedback; Alert settings; Encryption.

About Protocol Presets

Protocol presets enable you to configure your appliance to cater for differences between parts of your network, or for specific devices on your network. Normally you design your connection settings to apply to all devices. However, some parts of your network might need different settings because some devices operate differently. For example:
  Part of the network can handle larger or smaller files than normal.
  A slow connection requires a different timeout value.
  Part of the network must use an alternative authentication service.
By creating a protocol preset, you can cater for such an exception to the connection settings. Where this feature is available, a Protocol preset icon appears; click it to define the exception.

Primary and secondary actions

McAfee Email Gateway can be configured to apply two levels of action when a detection is made. In general, a client MTA sends an email to McAfee Email Gateway, and the message is then scanned. If no detections are found, the message is delivered to its intended recipients on the server MTAs. If a scanner triggers a detection, McAfee Email Gateway applies the selected primary action and a number of secondary actions to the message that contains the detection.

When McAfee Email Gateway is configured in hybrid mode, messages from the inbound client MTA are scanned by the cloud-based McAfee Email Protection (Hybrid) service. If no detections are found, the message is delivered to the McAfee Email Gateway for onward delivery to its intended recipients. The process followed when a scanner triggers a detection varies depending on the scanner.

Primary Action

The primary action answers the question "What happens to the message on its way from the client MTA to the server MTA?": Was it blocked? Was it modified and then delivered? Was it delivered to the recipient without modification? The message is scanned by all scanners. If multiple scanners trigger, the primary action that has the highest priority is applied. For example, if the file filtering policy is set to Allow Through (Monitor), and the anti-spam policy is set to Accept and Drop the data (Block), then the Accept and Drop the data (Block) action applies.

Table 4-25 Primary actions behavior in top-down priority order
Type | Action | Sender perspective | Recipient perspective | Kernel mode blocking
Blocking | Deny Connection | 550 Message Rejected; the sender might receive a non-delivery notification from its own MTA | No message is received | Yes
Blocking | Refuse the data and return an error code | 550 Message Rejected; the sender might receive a non-delivery notification from its own MTA | No message is received | No

125 Overview of menu Policies 4 Table 4-25 Primary actions behavior in top down priority order (continued) Type Action Sender perspective Recipient perspective Blocking Accept and drop the data Modify Replace the content with an alert 250 Message Rejected. Might receive notification that the message was delivered. 250 Message Accepted. It appears to the sender that the message is delivered. No message is received. Replacement message (alert received) Reroute Reroute 250 Message Accepted. Dependent on action taken by onward server Monitor Allow Through 250 Message Accepted. Message received No Kernel mode blocking No No No Only one primary action is taken per detection. Secondary Action A secondary action is defined as What additional actions will happen due to the scanner triggering a detection? : The message is scanned by all scanners. If multiple scanners trigger, the secondary actions are aggregated together. For example, if the file filtering policy is set to Annotate and deliver original to a list, and the anti spam policy is set to Annotate and deliver original to a list, then only one notification is sent. Available actions If a scanner triggers a detection, these primary actions are available: Deny Connection (Block) Blocks the message from being delivered, returns a 550 SMTP code to the sending MTA, places the connecting IP address in the Kernel Mode Block list. Refuse the data and return an error code (Block) Blocks the message from being delivered, returns a 550 SMTP code to the sending MTA. Accept and Drop the data (Block) Blocks the message from being delivered, returns a 250 SMTP code to the sending MTA. Replace the content with an alert (Modify) Replaces any detected content with a configurable alert and delivers the modified to its intended recipients. Allow Through (Monitor) Lets the message pass to its intended recipients, but information is retained within the logs and reports. 
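The two-level action model described above (one primary action chosen by the priority order of Table 4-25, secondary actions aggregated across scanners), worked through as an added Python example. This is not McAfee code; the scanner names, the per-action SMTP codes and the detection inputs are taken from the text, and the de-duplication of repeated secondary actions models the guide's "only one notification is sent".

```python
"""Added example (not McAfee's code): resolving the actions of several
scanners that trigger on one message, as the guide describes."""
from dataclasses import dataclass

# Primary actions in the top-down priority order of Table 4-25.
PRIMARY_PRIORITY = [
    "Deny Connection",
    "Refuse the data and return an error code",
    "Accept and Drop the data",
    "Replace the content with an alert",
    "Reroute",
    "Allow Through",
]

# SMTP reply code returned to the sending MTA for each primary action, and
# the one action that also adds the connecting IP to the Kernel Mode Block list.
SMTP_CODE = {
    "Deny Connection": 550,
    "Refuse the data and return an error code": 550,
    "Accept and Drop the data": 250,
    "Replace the content with an alert": 250,
    "Reroute": 250,
    "Allow Through": 250,
}
KERNEL_MODE_BLOCK = {"Deny Connection"}


@dataclass(frozen=True)
class Detection:
    """One scanner's verdict: its configured primary and secondary actions."""
    scanner: str
    primary: str
    secondary: tuple = ()


@dataclass
class Outcome:
    primary: str
    smtp_code: int
    kernel_mode_block: bool
    secondary: list
    triggered_by: list


def resolve(detections):
    """Combine the verdicts of every scanner that triggered on a message."""
    for d in detections:
        if d.primary not in SMTP_CODE:
            raise ValueError(f"unknown primary action: {d.primary!r}")
    if not detections:
        # Nothing triggered: the message is delivered unmodified.
        return Outcome("Allow Through", 250, False, [], [])
    # Only one primary action is taken: the highest-priority one requested.
    winner = min(detections, key=lambda d: PRIMARY_PRIORITY.index(d.primary))
    # Secondary actions are aggregated across scanners without duplicates,
    # in first-requested order: two scanners asking for the same
    # notification result in a single notification.
    aggregated = []
    for d in detections:
        for action in d.secondary:
            if action not in aggregated:
                aggregated.append(action)
    return Outcome(
        primary=winner.primary,
        smtp_code=SMTP_CODE[winner.primary],
        kernel_mode_block=winner.primary in KERNEL_MODE_BLOCK,
        secondary=aggregated,
        triggered_by=[d.scanner for d in detections],
    )


def guide_example():
    """The worked case from the text: file filtering set to Allow Through
    (Monitor) and anti-spam set to Accept and Drop the data (Block), both
    also configured to 'Annotate and deliver original to a list'."""
    return resolve([
        Detection("file filtering", "Allow Through",
                  ("Annotate and deliver original to a list",)),
        Detection("anti-spam", "Accept and Drop the data",
                  ("Annotate and deliver original to a list", "Quarantine")),
    ])


if __name__ == "__main__":
    out = guide_example()
    print(f"primary: {out.primary} (SMTP {out.smtp_code}, "
          f"kernel-mode block: {out.kernel_mode_block})")
    print("secondary:", ", ".join(out.secondary))
```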
You can also configure any or all of the following secondary actions.

Actions applied to the original message:
- Quarantine: Quarantines the message in the scanner's quarantine queue (for example, the anti-virus scanner's quarantine).
- Annotate and deliver the original to sender: McAfee Email Gateway sends an email to the original sender of the message that contains a configurable notification message and has the original message included as an attachment.
- Annotate and deliver original to a list: McAfee Email Gateway sends an email to a configurable list of recipients that contains a configurable notification message, and has the original message as an attachment.

Notification actions:
- Deliver to the sender of the original email: McAfee Email Gateway generates an email with a configurable notification. This is delivered to the original sender of the email.
- Deliver to the recipient(s) of the original email: McAfee Email Gateway generates an email with a configurable notification. This is delivered to the original recipient(s) of the email.
- Deliver a notification to a list: McAfee Email Gateway generates an email with a configurable notification. This is delivered to a configurable list of recipient(s).

Modification actions:
- Quarantine: Quarantines the modified message in the scanner's quarantine queue (for example, the anti-virus scanner's quarantine). When configured to use off-box quarantine to a McAfee Quarantine Manager server, you can also configure custom quarantine queues and select the queues to which messages are quarantined.
- Forward modified email to a list: McAfee Email Gateway forwards the modified email to a configurable list of recipient(s).
- Annotate and deliver modified email to a list: McAfee Email Gateway generates an email with a configurable notification, with the modified email as an attachment. This is delivered to the original sender of the email.
- Deliver to the sender of the original email: McAfee Email Gateway delivers the modified email to the original sender of the email.

Other actions:
- Modify subject: McAfee Email Gateway re-writes the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
- Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
- Deliver message using encryption: McAfee Email Gateway delivers the email using the settings defined in the policy's Encryption Options.

Policies

Use this page as a single point where you can access the pages and dialog boxes you need to set up and configure your policies.
Policies | Scanning Policies

Policy settings specify how the appliance handles threats to groups of users or devices. For example, a policy can apply to all computers on the same subnet, or to all users in a department.

Benefits of using the Scanning Policies page

Use this information to gain an understanding of the benefits of using Scanning Policies to configure your McAfee Email Gateway. The Scanning Policies page enables you to access all the forms you need to configure and manage your policies for the SMTP and POP3 protocols and for McAfee Secure Web Mail policies.

The user interface provides an overview of your policy settings, giving you information about each policy, such as the action taken when a virus is detected. The page to configure these settings is displayed when you click the relevant information. Some of the options described on this help page do not apply to POP3 or McAfee Secure Web Mail scanning policies. Where options apply to only one protocol, this is highlighted.

Option definitions: Scanning Policies

Learn about the options present within the user interface for configuring scanning policies. The following information and controls are available to configure this feature:

Table 4-26 Option definitions

| Option | Definition |
|---|---|
| Select a protocol: | Use the drop-down list to display, create or edit your policies for SMTP, POP3 or McAfee Secure Web Mail. |
| Order | Policies are used in a "top down" order. When more than one policy has been created, you can select the order in which they are applied. |
| Policy Name | Displays the name of each policy. The appliance always has a default policy, which applies to everything in the network. You can change the default policy, but you cannot delete it. To see the users or devices that are affected by a policy, move the cursor over the policy name and wait for a yellow box to appear. To change any details of the policy, click the blue link to open another window. |
| (inbound icon) | Applies to inbound traffic (SMTP protocol only). |
| (outbound icon) | Applies to outbound traffic (SMTP protocol only). |
| Anti-Virus | Displays brief details about the Anti-Virus options settings. Click any link within the Anti-Virus area of the relevant policy to open the Anti-Virus Settings page. From the Anti-Virus Settings page you can access: Basic Options; McAfee Anti-Spyware; Packers; Custom Malware Options. |
| Spam | Displays brief details about the Spam settings. Each link within the Spam area of each policy opens a separate page containing the features and options you need to configure your policy: Anti-Spam Settings (Basic Options, Advanced Options, Blacklists and Whitelists, Spam Rules); Anti-Phish Settings; Sender Authentication Settings (SMTP protocol only), including Message Reputation (you can enable this option for a higher detection threshold, a lower detection threshold, or both, based on GTI Message Reputation levels), RBL Configuration, SPF, Sender ID and DKIM, and Cumulative Score and Other Options. |
| Compliance | Displays brief details about the Compliance settings. Each link within the Compliance area of each policy opens a separate page containing the features and options you need to configure your policy. You can configure: File Filtering Settings (SMTP protocol only); Data Loss Prevention Settings (SMTP protocol only); Mail Size Filtering Settings (Message Size, Attachment Size, Attachment Count); Compliance Settings; Image filtering; Signed or encrypted content; URL reputation. |
| Policy Options | Displays brief details about the Policy Options settings. Each link within the Policy Options area of each policy opens a separate page containing the features and options you need to configure your policy. You can configure: Scanner Limits (maximum file size, maximum nesting depth and maximum scan time); Content Handling Settings (Options, HTML Options, Corrupt or Unreadable Content, Alert Settings); Notification and Routing Settings (SMTP protocol only: Notification Options, Audit Copies, Routing, SMTP Relays, Recipients, McAfee GTI feedback); Encryption (When to Encrypt, On-box Encryption Options, On-box Decryption Options). |
| Move | Use the arrow icons to move your policies higher or lower in priority order (move the policy up, move the policy down). The default policy always appears at the bottom of the list of policies. You cannot change its position. |
| Delete | After creating policies, you can choose to delete any that you no longer require by clicking the delete icon. You cannot delete the default policy. |
| Add Policy | When clicked, opens the Scanning Policies New Policy dialog box where you can create new policies, user groups, and network groups. |

Task: Delete a scanning policy

Use this task to delete a scanning policy that is no longer needed. You cannot delete the default scanning policy.

To delete a previously created policy:

Task
1 Click Policies | Scanning Policies.
2 Identify the policy to be deleted.
3 Click the delete icon.
4 Confirm that you intend to delete the policy.

The identified policy is deleted.

Task: View policies for SMTP, POP3 or McAfee Secure Web Mail

View the scanning policies that exist for SMTP, POP3 or McAfee Secure Web Mail. You use this page to create and manage your SMTP, POP3 or McAfee Secure Web Mail scanning policies. The POP3 protocol limits some of the scanning actions that can be applied to messages. Options not available to scan POP3 messages are hidden from the POP3 protocol view.

Task
1 Click Policies | Scanning Policies.
2 Select either SMTP, POP3 or McAfee Secure Web Mail from the Select a protocol: drop-down list.

The Policies | Scanning Policies page refreshes to show the policies that have been defined for the selected protocol.

Task: Change the scanning order of my policies

Use this task to change the order in which your policies are used to scan traffic. The appliance uses the order of the policies to evaluate the messages being scanned. A message is first evaluated against the policy with the Order value of 1; if that policy does not trigger, the message is evaluated against policy 2, and so on, until it is evaluated by the default scanning policy. If you have created more than two scanning policies, you can change the order in which your appliance uses the policies to evaluate traffic, by moving the relevant policies up or down the policy list. The default policy always appears at the bottom of the list of policies. You cannot change its position.

Task
1 Click Policies | Scanning Policies.
2 Identify the policy to move in the evaluation order.
3 In the Move column, click the up or down arrow to move the policy one step. If the identified policy is either at the top of the evaluation order or is next to the default policy, one or other of the icons is not available for selection.

Task: Turn on GTI message reputation for all users in the HR group defined in LDAP

Use this task to enable GTI message reputation checks for all users in the Human Resources group defined in LDAP.

Before you begin
Before completing this task, you must:
- Configure an LDAP server and at least one query (Email | Group Management | Directory Services).
- Define a user group for Human Resources (Email | Group Management | Network Groups).

Task
1 Go to Policies.
2 Within the desired protocol, click Add Policy. The Scanning Policies New Policy dialog box opens.
3 Type a name for the new policy, and add a description if desired.
4 Select the policy from which this policy will inherit settings.
5 Indicate the direction for messages treated with this policy.
6 Select the match logic to use for this policy.
7 Select Add Rule. The Add Rule dialog box opens.
8 In the Add Rule dialog box, select the LDAP Query rule type and click OK. The Add Rule dialog box closes.
9 On the New Policies dialog box, click OK. The new policy appears on the Policies list.
10 In the Spam section for the new policy (or for the Default policy if you selected that), click the link for GTI message reputation. The Sender Authentication Settings dialog box opens.
11 Enable message reputation, then click OK.
12 Select the green check mark icon in the upper portion of the window to save and apply your configuration.

Task: Re-write the Subject of all messages matching a policy

Configure McAfee Email Gateway to re-write the Subject line of all messages that match a specific policy. To configure your policy to re-write the Subject line of messages, follow each of the steps given within this task.

Tasks
- Create a compliance dictionary to match all subject lines (page 132): Create a compliance dictionary that matches all messages with a valid subject line.
- Create a compliance dictionary to match subject lines that have already been modified (page 133): To prevent the subject line of a message being re-written each time any other process modifies the subject, create a new compliance dictionary.
- Configure a policy to use the new compliance dictionaries (page 134): Link the new compliance dictionaries to a policy, so that your McAfee Email Gateway can re-write the subject of messages matching the compliance dictionary, unless the subject line has already been modified.

Task: Create a compliance dictionary to match all subject lines

Create a compliance dictionary that matches all messages with a valid subject line. Before you can configure a policy to match all messages with a valid subject line, create a compliance dictionary.

Task
1 Browse to DLP and Compliance | Compliance Dictionaries.
2 Under Dictionary List, click Add Dictionary.
3 Type a name for the new category. For example, type All Subjects in the Name field.
4 Type a description for the new dictionary.
5 Select Regular expressions from Match type.
6 Click OK. Under Dictionary details for 'All Subjects', a New term is added.
7 Click the Everything link from within Dictionary details for 'All Subjects'.
8 Unselect Everything. The File categories and Subcategories areas are enabled.
9 Select E-Mail Messages from within File categories.
10 Select Subject line from within Subcategories.
11 Click OK. The new dictionary, All Subjects, is now applied only to messages with a valid Subject line.
12 From the New term row of the Dictionary details for 'All Subjects' table, click the edit icon.
13 In the Term field, type .*
14 Click OK.
15 Apply the new configuration.

The new compliance dictionary is created, and is configured to match any message with a valid subject line.

Task: Create a compliance dictionary to match subject lines that have already been modified

To prevent the subject line of a message being re-written each time any other process modifies the subject, create a new compliance dictionary.

Before you begin
Ensure that you have already created the compliance dictionary for the initial subject re-write, and have configured your policies to successfully re-write subject lines for emails that match the policies.

Task
1 Browse to DLP and Compliance | Compliance Dictionaries.
2 Under Dictionary List, click Add Dictionary.
3 Type a name for the new category. For example, type Previously Modified Subjects in the Name field.
4 Type a description for the new dictionary.
5 Select Regular expressions from Match type.
6 Click OK. Under Dictionary details for 'Previously Modified Subjects', a New term is added.
7 Click the Everything link from within Dictionary details for 'Previously Modified Subjects'.
8 Unselect Everything. The File categories and Subcategories areas are enabled.
9 Select E-Mail Messages from within File categories.
10 Select Subject line from within Subcategories.
11 Click OK. The new dictionary, Previously Modified Subjects, is now applied only to messages with a valid Subject line.
12 From the New term row of the Dictionary details for 'Previously Modified Subjects' table, click the edit icon.
13 In the Term field, type ^((re|fw):\s*)*policy match: and repeat this step for any other modification patterns that you do not want to be re-applied.
14 Click OK.
15 Apply the new configuration.

The new compliance dictionary is created, and is configured to match any message with a subject line that includes re: or fw: followed by the policy match text. This rule is not case sensitive, so it matches re: Re: RE: fw: Fw: or FW:
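The two dictionaries above, together with the subject-template priority that the policy task sets up (the plain %SUBJECT% template ranked above "Policy Match: %SUBJECT%"), modelled as an added Python example so the re-write can be checked for idempotence. This is not McAfee code; how the appliance picks one template when several compliance rules trigger is an assumption noted in the code.

```python
"""Added example (not McAfee's code): the 'All Subjects' and 'Previously
Modified Subjects' dictionaries and the Modify subject templates in Python."""
import re

# Dictionary 'All Subjects': Regular expressions, term '.*', applied only to
# the Subject line of email messages.
ALL_SUBJECTS = re.compile(r".*")

# Dictionary 'Previously Modified Subjects': the term from step 13 above.
# The guide notes the match is not case sensitive, hence re.IGNORECASE.
PREVIOUSLY_MODIFIED = re.compile(r"^((re|fw):\s*)*policy match:", re.IGNORECASE)

# Subject templates in the priority order the policy task asks for: the plain
# '%SUBJECT%' template sits above 'Policy Match: %SUBJECT%' so that an
# already-modified subject is left alone.
TEMPLATE_PRIORITY = ["%SUBJECT%", "Policy Match: %SUBJECT%"]

# Compliance rules of the policy: (rule name, dictionary, template selected).
RULES = [
    ("Match all messages", ALL_SUBJECTS, "Policy Match: %SUBJECT%"),
    ("Previously Modified Subjects", PREVIOUSLY_MODIFIED, "%SUBJECT%"),
]


def triggered_rules(subject):
    """Names of the compliance rules whose dictionary matches the subject."""
    return [name for name, pattern, _ in RULES if pattern.search(subject)]


def rewrite_subject(subject):
    """Apply the Modify subject action as configured by the task.

    `subject` is None when the message has no Subject header: both
    dictionaries are restricted to the Subject line, so nothing triggers.
    Assumption (not stated by the guide): when several triggered rules each
    select a template, the template highest in the priority list is applied.
    """
    if subject is None:
        return None
    selected = [tpl for _, pattern, tpl in RULES if pattern.search(subject)]
    if not selected:
        return subject
    template = min(selected, key=TEMPLATE_PRIORITY.index)
    return template.replace("%SUBJECT%", subject)


def is_idempotent(subject):
    """True if a second pass through the policy leaves the subject unchanged,
    which is the whole point of the second dictionary."""
    once = rewrite_subject(subject)
    return rewrite_subject(once) == once


if __name__ == "__main__":
    for s in ["Quarterly numbers", "Re: Quarterly numbers",
              "RE: fw: Policy Match: Quarterly numbers", None]:
        print(f"{s!r:45} -> {rewrite_subject(s)!r}")
```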

Task: Configure a policy to use the new compliance dictionaries

Link the new compliance dictionaries to a policy, so that your McAfee Email Gateway can re-write the subject of messages matching the compliance dictionary, unless the subject line has already been modified.

Before you begin
Ensure that you have created the new compliance dictionaries before following this task. You can edit an existing policy to use the new compliance dictionaries, or you can create a new policy.

Task
1 Create a new policy, or select the policy to be edited.
2 Click the Compliance link within the Compliance column.
3 Ensure that Compliance is enabled (select Yes at the top of the dialog box).
4 Click Create new rule. You need to create a new rule for the "All Subjects" compliance dictionary and another new rule for the "Previously Modified Subjects" compliance dictionary.
5 Type a name for the new rule. For example: "Match all messages" for the All Subjects rule; "Previously Modified Subjects" for the rule that prevents multiple subject re-writes.
6 Click Next.
7 Search for and select the compliance dictionaries you previously created (in the example, these were "All Subjects" and "Previously Modified Subjects").
8 Click Next.
9 Click Next.
10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify subject from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Subject Templates dialog box.
14 Select or edit the required Subject templates:
   - For the "All Subjects" rule, edit the subject template by adding the text you want to be displayed in the subject line for messages matching this policy. For example, type "Policy Match: " before the %SUBJECT% token.
   - For the "Previously Modified Subjects" rule, select the %SUBJECT% option, and make sure that it has a higher priority than the "Policy Match: %SUBJECT%" template (by moving it to the top of the list).
15 Click OK.
16 Click OK.
17 Select the modified subject from the Select a template drop-down list.
18 Click Finish.

19 Click OK.
20 Apply the changes.

The subject line of all messages matching this policy is re-written, unless the subject line has already been modified.

Task: Modify the headers of all messages matching a policy

Configure McAfee Email Gateway to modify the headers of all messages that match a specific policy.

Tasks
- Create a compliance dictionary to match all messages (page 135): Create a compliance dictionary that matches all messages. One way to achieve this is to match messages with a valid subject line.
- Configure a policy to use the new compliance dictionaries (page 136): Link the new compliance dictionary to a policy, so that your McAfee Email Gateway can add a custom header to messages matching the compliance dictionary.

Task: Create a compliance dictionary to match all messages

Create a compliance dictionary that matches all messages. One way to achieve this is to match messages with a valid subject line. Before you can configure a policy to match all messages, create a compliance dictionary.

Task
1 Browse to DLP and Compliance | Compliance Dictionaries.
2 Under Dictionary List, click Add Dictionary.
3 Type a name for the new category. For example, type All Subjects in the Name field.
4 Type a description for the new dictionary.
5 Select Regular expressions from Match type.
6 Click OK. Under Dictionary details for 'All Subjects', a New term is added.
7 Click the Everything link from within Dictionary details for 'All Subjects'.
8 Unselect Everything. The File categories and Subcategories areas are enabled.
9 Select E-Mail Messages from within File categories.
10 Select Subject line from within Subcategories.
11 Click OK. The new dictionary, All Subjects, is now applied only to messages with a valid Subject line.
12 From the New term row of the Dictionary details for 'All Subjects' table, click the edit icon.
13 In the Term field, type .*

14 Click OK.
15 Apply the new configuration.

The new compliance dictionary is created, and is configured to match any message with a valid subject line.

Task: Configure a policy to use the new compliance dictionaries

Link the new compliance dictionary to a policy, so that your McAfee Email Gateway can add a custom header to messages matching the compliance dictionary.

Before you begin
Ensure that you have created the new compliance dictionary before following this task. You can edit an existing policy to use the new compliance dictionary, or you can create a new policy.

Task
1 Create a new policy, or select the policy to be edited.
2 Click the Compliance link within the Compliance column.
3 Ensure that Compliance is enabled (select Yes at the top of the dialog box).
4 Click Create new rule. You need to create a new rule for the "All Subjects" compliance dictionary.
5 Type a name for the new rule. For example: "Match all messages" for the All Subjects rule.
6 Click Next.
7 Search for and select the compliance dictionary you previously created (in the example, this was "All Subjects").
8 Click Next.
9 Click Next.
10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify headers from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Header Modification Templates dialog box.
14 Select or edit the required header templates, including defining the name for each header and specifying the tokens applicable to each header. To prevent multiple copies of a defined header being added to a message, select Remove Existing.
15 Click OK.
16 Click OK.
17 Select one or more Header Modification Templates from the list of currently configured templates.
18 Click Finish.

19 Click OK.
20 Apply the changes.

Scanning Policies - Add Policy...

Specify a new policy, including defining the group of users or devices to which you can apply the policy.

Policies | Add Policy...

The Add Policy page enables you to specify the parameters that define the policy, add the users or user groups to which the policy will apply, and specify the network groups.

Option definitions: Scanning Policies New Policy

This information describes the options available on this dialog box.

Option definitions: New Policy dialog box

| Option | Definition |
|---|---|
| Add user group | Click to open the Add User Group dialog box. |
| Add network group | Click to open the Add Network Group dialog box. |
| Policy name | Type the name of the new policy. |
| Description | Optionally add a description of the new policy to facilitate identification. |
| Inherit settings from | Select the policy from which you want this policy to inherit its settings. |
| Email direction | Choose whether you want the policy to apply to inbound or outbound traffic only. By default, policies apply to both inbound and outbound traffic. |
| Match logic | Choose whether you want the match to be made on one or more of the rules, or on all of the rules in the list. |
| Add Rule | Opens a new dialog box where you can specify the type and match for the rule that you want to create, and specify the value. The network group, user group and LDAP query rules are not available until you create the items. |
| Move | Use the arrows to move the rules up and down the list. The rules are actioned from the top of the list downwards. |
| Delete Selected Rules | Click to remove a rule from the list. |
| Reset | Resets the window to the default state. |

Option definitions: Add User Group dialog box

| Option | Definition |
|---|---|
| Group name | Type the name of the group. |
| Selected or unselected | Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow icons to move the rules up and down the list. |
| Rule type | Choose from: Sender address; Recipient address; Sender user group; Recipient user group; LDAP Query (if configured). The LDAP query and user group options become available only when a user group or LDAP server has been created. |
| Match | Choose from: is; is not; is like; is not like. |
| Value | Type the value that you want to associate with Match. |
| Add Rule | Click to add a new rule to the list. |

Option definitions: Add Network Group dialog box

| Option | Definition |
|---|---|
| Group name | Type the name of the network group. |
| Rule type | Choose from: IP address; VLAN identifier; Network connection; Host name. |
| Match | Choose from: is; is not; is in; is not in. |
| Value | Type the value associated with the type of rule that you chose. |
| Move | Use the arrows to move the rules up and down the list. The rules are actioned from the top of the list downwards. |
| Add Rule / Delete Selected Rules | Click to add a new rule to the list. |
| Reset | Click Reset to clear all data from this form. |

Task: Create a new scanning policy

Learn how to create a new scanning policy. Your appliance uses the policies you create to scan the messages sent through the appliance. You can create multiple policies to control the way different users use email, or to specify different actions based on specific circumstances.

Task
1 Select Policies | Scanning Policies.
2 Select the required protocol using the steps in the task "View policies for SMTP, POP3 or McAfee Secure Web Mail".
3 Click Add policy.
4 In the Scanning Policies New Policy page, enter the following information:
   a Name for the policy.
   b Write an optional description for the new policy.
   c Specify where the new policy inherits its settings from. If you have a similar policy already set up, select it to allow its settings to be inherited by the new policy.
   d Choose if the policy is to apply to inbound or outbound traffic (SMTP only).
   e Select the required Match logic for the policy.
   f Select the type of rule, how it should match, and the value that the rule tests against.
   g If required, add additional rules, and use the up and down buttons to correctly order the rules.
5 Click OK.

The new policy is added to the top of the list of policies.

Task: Add a user group

Use this task to create a user group that can be used in policy selection.

Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and that its queries are providing output.

Task
1 Go to Email | Group Management | Senders and Recipients.
2 Click Add and type a name for the group.
3 Click Add Rule.
4 In Rule type, select LDAP Query. The Values field is populated with the name of the LDAP group you selected.
5 Click OK to close the dialog box.
6 Go to Policies | Add Policy...

7 Click Add Rule. In Rule type, select User group.
8 In Value, select the user group you created, and click OK.

Task: Create a policy using a network group

Use this task to create an email policy using a network group of internal servers. This allows easy management of your internal network groups without having to change scanning policies.

Task
1 Go to Email | Group Management | Network Groups.
2 Click Add, and type a name for the network group, such as Internal Servers.
3 Click Add Rule.
4 In Rule type, select IP address.
5 In Match, select is, and type the IP address of one of your mail servers.
6 In Value, type the IP address of one of your servers, and click OK.
7 Repeat steps 3 through 6 to add the IP address of another server.
8 Click Policies | Add Policy..., and type a name for the policy. If the network group that you want to use for the policy is not already created, click Add network group.
9 Configure the policy: select the policy from which you want to inherit settings, select the direction, and set the match logic.
10 Click Add Rule.
11 In Rule type, select Source network group, and in Value, select the Internal mail servers group.
12 Click OK.

Option definitions: Add Rule dialog box and Edit Rule dialog box

Use this dialog box to set up or edit the type of rules that you want the policy to use. The options on this dialog box change depending on the rule type you choose.

Rule type
Choose from:

Source IP address: use this rule to enforce a policy based on the IP address of the incoming network connection. The is match allows you to add a single IP address. The is in match allows you to add a network address if the incoming connection may be from a collection of servers on a particular subnet (for example, a /24 subnet). The source IP address is usually the IP address of the sender's MTA or of the firewall/NAT in front of the MTA. This rule works with proxy or transparent connections.

Destination IP address: use this rule to enforce a policy based on the IP address of the outgoing network connection. The is match allows you to add a single IP address. The is in match allows you to add a network address if the connection may be to a collection of servers on a particular subnet (for example, a /24 subnet). The destination IP address is usually the IP address of the recipient's MTA or of the firewall/NAT in front of the MTA. This rule only works with transparent connections.

Sender address: use this rule to enforce a policy based on the email address of the sender. The address to evaluate is taken from the 'MAIL FROM' of the SMTP conversation. The is match allows you to specify the exact address to match the rule. The is like match allows you to specify an address pattern to match the rule. Use the wildcard character * to match any characters in the address.

Masqueraded sender address: use this rule to enforce a policy based on an address after address masquerading is carried out. The address to evaluate is taken from the 'MAIL FROM' of the SMTP conversation, after address masquerading has been applied. If the address has not been masqueraded, the original Sender address is used. The is like match allows you to specify an address pattern to match the rule. Use the wildcard character * to match any characters in the address. This rule is evaluated regardless of whether masquerading was successful.

Recipient address: use this rule to enforce a policy based on the email address of the recipient of the email. The address to evaluate is taken from the 'RCPT TO' of the SMTP conversation. Since an email may be addressed to more than one recipient, the application of this rule differs between transparent and proxy connections:

- Proxy connections: application of this rule causes the message to be split if a single policy does not match all of the recipients of the email (as specified by the Recipient address or Aliased recipient address). The message is scanned using each of the policies for the recipients that match that policy. Recipients who match different policies may therefore receive a different email from other recipients, if policy settings cause modification of the email. The number of times a message may be split is configured in Email Configuration | Protocol Configuration | Protocol Settings (SMTP) | Message processing | Advanced options | Maximum number of policies per email. If the message would be split more than the configured number of times, no message split is performed and the message is scanned with the highest order common policy.

- Transparent connections: by default a policy with this rule is only triggered if all recipients match the rules for the policy (as specified by the Recipient address or Aliased recipient address).

When a message has multiple recipients and multiple policies would have matched, the highest order policy that matched all rules up to the RCPT TO phase is used for scanning. This behavior may be overridden in Email Configuration | Protocol Configuration | Protocol Settings (SMTP) | Transparency options (router and bridge mode only) | Advanced options | Allow multiple policies per email. Overriding this behavior causes the original connection to the onward server to be ended, and a new email to be delivered for each policy.

The is match allows you to specify the exact address to match the rule. The is like match allows you to specify an address pattern to match the rule. Use the wildcard character * to match any characters in the address.

If you have multiple policies based on recipient address and a message is intended for recipients in different policies, the message is split and each recipient is evaluated using their own policy. A policy never triggers if the 'Recipient address' rule type has been used more than once in the policy with 'Match all of the following rules' match logic.

Recipient address list: use this rule to enforce a policy based on the addresses of the complete set of recipients included in the delivery. This rule is evaluated after the complete set of recipients has been received at the 'RCPT TO' phase of the SMTP conversation. It does not cause the message to be split for different policies. This rule may be used to trigger a policy when you need to consider whether multiple recipients have been sent a message. The contains match allows you to specify the exact address to match the rule. The contains addresses like match allows you to specify an address pattern to match the rule. Use the wildcard character * to match any characters in the address.

Aliased recipient address: use this rule to enforce a policy based on the aliased address of the recipient. The address to evaluate is taken from 'MAIL FROM' of the SMTP conversation, after aliasing has been applied. If the address has not been aliased, the original recipient address is used.

Aliased recipient address list: use this rule to enforce a policy based on a recipient address list after recipient aliasing is carried out. The address to evaluate is taken from 'MAIL FROM' of the SMTP conversation, after aliasing has been applied. If the address has not been aliased, the original recipient address is used. Once a policy is enforced based on the address list, policies later in the order are not evaluated for that email.

VLAN identifier: use this rule to enforce a policy based on a VLAN identifier, which uniquely identifies the VLAN to which the frame belongs. You can use a value between

This rule applies to transparent connections only.

The remaining rule types are: Incoming network connection, Outgoing network connection, Source host name, Destination host name, Source network group, Destination network group, User group, LDAP query, Policy rules.

Operator: This option is only available when you select the LDAP query rule type.

Match: Choose from: is, is not, is in, is not in. If you select the LDAP query rule type, two additional options appear: Contains and Does not contain.

Value: Enter the value associated with the type of rule that you chose.

Option definitions: Scanning Policies | New Policy | Add user group
This information describes the options available on this dialog box.

Group name: Type the name of the group.

Selected or unselected: Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow icons to move the rules up and down the list.

Rule type: Choose from: Sender address, Recipient address, Sender user group, Recipient user group, LDAP Query (if configured). The LDAP query and user group options become available only when a user group or LDAP server has been created.
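How the rule types and match operators described for the Add Rule dialog box combine when one message is evaluated, as an added Python illustration (not the appliance's own code): policies are kept in order, is like treats * as the only wildcard, is in is a subnet test, and the proxy-connection split is bounded by the Maximum number of policies per email setting. The sample policies, addresses and subnets are constructed, and reading "highest order common policy" as the highest-order policy that every recipient satisfies is an assumption.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    rule_type: str   # "Source IP address", "Sender address" or "Recipient address"
    match: str       # "is", "is not", "is like", "is not like", "is in", "is not in"
    value: str


@dataclass
class Policy:
    name: str
    match_logic: str = "all"                   # "all" or "any" of the rules must match
    rules: list = field(default_factory=list)  # a policy with no rules matches everything


def _like(pattern, text):
    """The 'is like' match: * is the only wildcard; comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, text.lower()) is not None


def rule_matches(rule, ctx):
    """Evaluate one rule against the connection and envelope data for one recipient."""
    subject = {
        "Source IP address": ctx["source_ip"],
        "Sender address": ctx["sender"],         # taken from MAIL FROM
        "Recipient address": ctx["recipient"],   # taken from RCPT TO
    }[rule.rule_type]
    if rule.match in ("is", "is not"):
        hit = subject.lower() == rule.value.lower()
    elif rule.match in ("is like", "is not like"):
        hit = _like(rule.value, subject)
    elif rule.match in ("is in", "is not in"):
        hit = ip_address(subject) in ip_network(rule.value, strict=False)
    else:
        raise ValueError(f"unknown match type {rule.match!r}")
    return not hit if rule.match.startswith("is not") else hit


def policy_matches(policy, ctx):
    results = [rule_matches(r, ctx) for r in policy.rules]
    return all(results) if policy.match_logic == "all" else any(results)


def select_policies(policies, envelope, max_policies_per_email, transparent=False):
    """Map policy name -> recipients scanned under that policy for one message.

    policies must be ordered highest-order first and end with a catch-all
    (rule-less) policy. Transparent connections use the single highest-order
    policy that every recipient satisfies. Proxy connections group recipients by
    their own first-matching policy (the message is split), unless that needs
    more than max_policies_per_email policies; then no split happens and the
    highest-order policy common to all recipients is used (assumed meaning of
    'highest order common policy').
    """
    contexts = [dict(envelope, recipient=r) for r in envelope["recipients"]]
    common = next(p for p in policies if all(policy_matches(p, c) for c in contexts))
    if transparent:
        return {common.name: list(envelope["recipients"])}
    groups = {}
    for ctx in contexts:
        first = next(p for p in policies if policy_matches(p, ctx))
        groups.setdefault(first.name, []).append(ctx["recipient"])
    if len(groups) > max_policies_per_email:
        return {common.name: list(envelope["recipients"])}
    return groups


# Constructed sample policy set (names, addresses and subnets are made up).
SAMPLE_POLICIES = [
    Policy("Internal mail servers", rules=[Rule("Source IP address", "is in", "10.0.0.0/24")]),
    Policy("Sales", rules=[Rule("Recipient address", "is like", "*@sales.example.com")]),
    Policy("Finance", rules=[Rule("Recipient address", "is", "cfo@example.com")]),
    Policy("Default"),
]

# Constructed envelope for an inbound message arriving from an external MTA.
SAMPLE_ENVELOPE = {
    "source_ip": "203.0.113.5",
    "sender": "partner@example.net",
    "recipients": ["alice@sales.example.com", "cfo@example.com", "bob@example.com"],
}

if __name__ == "__main__":
    print(select_policies(SAMPLE_POLICIES, SAMPLE_ENVELOPE, 4))                   # split three ways
    print(select_policies(SAMPLE_POLICIES, SAMPLE_ENVELOPE, 2))                   # too many: no split
    print(select_policies(SAMPLE_POLICIES, SAMPLE_ENVELOPE, 4, transparent=True))  # one common policy
```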

Match: Choose from: is, is not, is like, is not like.

Value: Type the value that you want to associate with Match.

Add Rule: Click to add a new rule to the list.

Task: add a user group
Use this task to create a user group that can be used in policy selection.

Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and that its queries are providing output.

Task
1 Go to Group Management | Senders and Recipients.
2 Click Add and type a name for the group.
3 Click Add Rule.
4 In Rule type, select LDAP Query. The Values field is populated with the name of the LDAP group you selected.
5 Click OK to close the dialog box.
6 Go to Policies | Add Policy...
7 Click Add Rule. In Rule type, select User group.
8 In Value, select the user group you created, and click OK.

Option definitions: Scanning Policies | New Policy | Add network group
This information describes the options available on this dialog box.

Group name: Type the name of the network group.

Rule type: Choose from: IP address, VLAN identifier, Network connection, Host name.

Match: Choose from: is, is not, is in, is not in.

Value: Type the value associated with the type of rule that you chose.

Move: Use the arrows to move the rules up and down the list.

Add Rule / Delete Selected Rules: Click to add a new rule to the list, or to delete the selected rules.

Reset: Use the Reset button to clear the entries you have made in this dialog box.

Option definitions: Subject Templates
Create or edit Subject templates as part of the subject re-write feature.

Template: Shows the text or tokens that will be used to re-write the subject line.

Priority: Shows the priority of the available templates.

Move: Use the arrow icons to move your subject template higher or lower in priority order (move the template up, move the template down).

Edit: Click to make changes to the text that is used to re-write the subject line.

Delete: Click to remove the template. You cannot delete a template that is currently being used by a policy.

Add: Create a new template at the bottom of the template list.

Insert: Create a new template above the currently selected template.

Anti-Virus policy settings
Use the Anti-Virus policy settings to specify the files you want to scan and the actions you want to take when a threat is detected, and to create detection policies for viruses, spyware, packers, and malware threats such as worms and mass mailers.

Anti-virus features
The anti-virus protection within Email Gateway provides many ways to protect your network and users.

Policies | Anti-Virus

The anti-virus software:

- Detects and cleans viruses.
- Protects your network from potentially unwanted programs (PUPs). The appliance can be configured to:
  - Enable or disable detection of potentially unwanted programs.
  - Detect specific types of potentially unwanted programs, such as mass mailers and Trojan horses.
  - Detect named malware.
  - Take specific actions when malware is detected.
- Protects your network from named packers. You can add and remove packer names from the list of packers that will be detected. Packers compress files and can effectively disguise executable programs. They can also compress Trojan horses and make them harder to detect. The appliance can be configured to:
  - Detect named packers.
  - Exclude named packers from detection.
  - Take specific actions when a packer is detected.
- Protects your network from PUPs. A cautious user might want to be informed of PUPs, and might want to remove them. McAfee anti-spyware software detects and, with your permission, removes potentially unwanted programs. Some purchased or intentionally downloaded programs act as hosts for other potentially unwanted programs. Removing these potentially unwanted programs may prevent their hosts from working. Review the license agreement for these host programs for further details. McAfee does not encourage nor condone breaking any license agreements. Read the details of license agreements and privacy policies carefully before downloading or installing any software.
- Automatically scans within compressed files. Automatically decompresses and scans files compressed in packages including PKZip, LHA, and ARJ.
- Detects macro viruses.
- Detects polymorphic viruses.
- Detects new viruses in executable files and OLE compound documents, using a technique called heuristic analysis.
- Upgrades easily to new anti-virus technology.

Settings for scanning viruses and similar threats
The anti-virus settings in a policy protect the network and its users.

Policies | Anti-Virus

Threats to your network and users may be from:
- Viruses
- Spyware

- Adware
- Various kinds of malware (malicious software) and other potentially unwanted software.

Spyware can steal information and passwords. This category includes potentially unwanted programs (PUPs), which are any software that a cautious network administrator might want to be informed of, and possibly remove, such as password crackers. Adware, too, is among these nuisances, because it distracts employees from their normal work.

What is a potentially unwanted program (PUP)?
Potentially unwanted programs (PUPs) are not considered to be malware like viruses and Trojan horses.

Policies | Anti-Virus | McAfee Anti-Spyware

Some software programs written by legitimate companies might alter the security or privacy of the computer where they are installed. This software can include spyware, adware, and dialers, and might be downloaded unwittingly with a program that the user wants. Cautious users prefer to know about such programs, and in some cases, remove them.

Customized anti-virus settings
Besides giving you the levels of scanning (such as default file types, which scans only the most susceptible files), Email Gateway also allows you to specify various options when scanning for viruses.

Policies | Anti-Virus | Basic Options

Although more options can provide greater security, scanning will take longer. The scanning capabilities are:

- Detect possible new viruses in programs and documents. Documents that carry a virus often have distinctive features, such as a common technique for replicating themselves. Using heuristics, the scanner analyzes the document to detect these kinds of computer instructions. Program file heuristics scans program files and identifies potential new file viruses. Macro heuristics scans for macros in attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses.
- Scan inside archive files. By default, the scanner does not scan inside file archives such as .zip or .lzh files, because any infected file inside them cannot become active until it has been extracted.
- Scan default file types. Normally, the scanner examines only the default file types: it scans only those files that are susceptible to infection. For example, many popular text and graphic formats are not affected by viruses. Currently, the scanner examines over 100 file types by default, including .exe and .com.
- Scan all files. This option ensures that every file is scanned. Some operating systems, such as Microsoft Windows, use the extension names of files to identify their type. For example, files with the extension .exe are programs. However, if an infected file is renamed with a harmless extension such as .txt, it can escape detection, and the operating system can run the file as a program if it is renamed later.

- Scan files according to file name extension. You can specify the types of files you want to scan according to their file name extensions.
- Treat all macros as viruses. Macros inside documents are a popular target for virus writers. Therefore, for added security, consider scanning all files for macro viruses, and optionally removing any macros found, regardless of whether they are infected.
- Scan compressed program files. This is used to scan compressed files such as those compressed using PKLITE. If you are scanning selected file extensions only, add the appropriate compressed file extensions to the list.

Special actions against packers and PUPs
The appliance handles most detections according to the actions that you specify on the Basic Options tab.

Policies | Anti-Virus | Custom Malware Options

To specify that a scanner on the appliance handles some packers and PUPs differently, use the Custom Malware Options tab.

Problems with alerts for mass mailers
Normally, the appliance handles all potentially unwanted programs in the same way. However, you can specify that certain types are handled differently.

Policies | Anti-Virus | Custom Malware Options

For example, you can configure the appliance to inform the sender, the recipient and an administrator with an alert message whenever a virus is detected in an email message. This feature is useful because it shows that the anti-virus detection is working correctly, but it can become a nuisance if a mass mailer virus is encountered. Mass mailer viruses (for example, Melissa and Bubbleboy) propagate themselves rapidly using email. Numerous alerts are generated, and these can be as annoying as the surge of detected messages that has been blocked. The appliance can handle any mass mailer virus separately from other types of virus. For example, you can choose to discard the detected document immediately, and thereby suppress any alert messages that would otherwise be generated.
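The file-selection choices in the scanning capabilities above (scan all files, default file types, scan by file name extension, scan inside archives) and the renamed-.exe case, as an added Python illustration that is not the appliance's code: selection by extension is compared with selection by content signature. The default-type list and the magic numbers are constructed for the example; the appliance's own list of over 100 default types is not reproduced.

```python
import io
import os
import zipfile

# Constructed stand-in for the appliance's "default file types" list.
DEFAULT_SCAN_EXTENSIONS = {".exe", ".com", ".dll", ".scr", ".doc", ".xls", ".zip", ".js"}

# Leading bytes that identify common formats regardless of the file name.
MAGIC = [
    (b"MZ", "dos/windows executable"),
    (b"\x7fELF", "elf executable"),
    (b"PK\x03\x04", "zip archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole compound document"),
    (b"%PDF-", "pdf"),
]


def sniff(content):
    """Classify a file by its leading bytes; 'unknown' when no signature matches."""
    for signature, kind in MAGIC:
        if content.startswith(signature):
            return kind
    return "unknown"


def selected_by_name(filename, mode, extensions=()):
    """The three name-based modes: 'all' files, 'default' file types, 'defined' extensions."""
    ext = os.path.splitext(filename)[1].lower()
    if mode == "all":
        return True
    if mode == "default":
        return ext in DEFAULT_SCAN_EXTENSIONS
    if mode == "defined":
        return ext in {e.lower() for e in extensions}
    raise ValueError(f"unknown mode {mode!r}")


def triage(filename, content, mode, scan_archives=False, by_content=True, extensions=()):
    """Return [(name, detected kind, selected for scanning)] for one attachment.

    by_content=True additionally selects any file whose bytes carry a known
    signature, so an executable renamed to .txt is still scanned. With
    scan_archives=True the members of a ZIP are triaged recursively, mirroring
    the 'Scan archive files' option.
    """
    kind = sniff(content)
    selected = selected_by_name(filename, mode, extensions) or (by_content and kind != "unknown")
    results = [(filename, kind, selected)]
    if selected and scan_archives and kind == "zip archive":
        with zipfile.ZipFile(io.BytesIO(content)) as archive:
            for member in archive.namelist():
                results += triage(f"{filename}/{member}", archive.read(member),
                                  mode, scan_archives, by_content, extensions)
    return results


# Constructed sample: a PE header stub under a harmless name. No real executable
# is embedded, only the two-byte 'MZ' signature followed by padding.
RENAMED_EXECUTABLE = b"MZ" + b"\x00" * 62


def build_sample_zip():
    """Constructed archive carrying the renamed stub as invoice.txt."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("invoice.txt", RENAMED_EXECUTABLE)
    return buffer.getvalue()


if __name__ == "__main__":
    # Extension-only selection misses report.txt; content sniffing catches it.
    for row in triage("report.txt", RENAMED_EXECUTABLE, "default", by_content=False):
        print(row)
    for row in triage("report.txt", RENAMED_EXECUTABLE, "default"):
        print(row)
    # Archive members are only examined when archive scanning is enabled.
    for row in triage("docs.zip", build_sample_zip(), "default", scan_archives=True):
        print(row)
```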
Configuring basic Anti-Virus settings
Use the following information to understand the benefits and procedures to configure basic Anti-Virus settings.

Policies | Anti-Virus | Basic Options

The Anti-Virus Basic Options page enables you to configure options such as the types of files that are scanned for viruses, the actions to take if a virus is identified, and what to do if an infected file cannot be cleaned.

Contents
Benefits of configuring basic Anti-Virus options
Benefits of using McAfee Global Threat Intelligence file detection
Option definitions: Anti-Virus Basic Options
Task: Enabling McAfee Global Threat Intelligence file reputation

Benefits of configuring basic Anti-Virus options
This information describes the benefits associated with setting up the basic Anti-Virus options.

To provide the best combination of performance and detection of viruses, the Anti-Virus Basic Options page has settings that enable you to select the types of files that are scanned for viral content, and the actions to be taken when a viral detection is made. This page also gives you the option of enabling McAfee Global Threat Intelligence file reputation.

Benefits of using McAfee Global Threat Intelligence file detection
This technique reduces the delay between McAfee's detection of a new malware threat and when a customer receives and installs a detection definitions (DAT) file. The delay can be hours.

Policies | Anti-Virus | Basic Options

Using McAfee Global Threat Intelligence file reputation enables your Email Gateway to provide protection against new threats, before they are included in detection definition (DAT) files.

1 The appliance scans each file, comparing its code against the information (or signatures) in the current detection definitions (DAT) file.
2 If the code is not recognized and is suspicious, for example, the file is packed or encrypted, the appliance sends a small definition (or fingerprint) of that code to McAfee Global Threat Intelligence, an automated analysis system at McAfee. Millions of other computers with McAfee software also contribute fingerprints.
3 McAfee compares the fingerprint against a database of fingerprints collected worldwide, and informs the appliance of the likely risk within seconds. Based on settings in the scanning policies, the appliance can then block, quarantine, or try to clean the threat.

If McAfee later determines that the code is malicious, a DAT file is published as usual.

Option definitions: Anti-Virus Basic Options
Use this page to specify basic options for anti-virus scanning.

Table 4-27 Option definitions: Enable anti-virus scanning for "policy name"

Enable anti-virus scanning: When selected, enables anti-virus scanning of email messages.

Table 4-28 Option definitions: Specify which files to scan

Specify which files to scan: Choose from:
- Scan all files: Offers the highest security. However, scanning takes longer and might affect performance. Some operating systems, such as Microsoft Windows, use the extension name of a file to identify its type. For example, files with the extension .exe are programs. However, if an infected file is renamed with a harmless extension such as .txt, it can escape detection. The operating system cannot run the file as a program unless it is renamed later. This option ensures that every file is scanned.
- Default file types: The scanner examines only the default file types; in other words, it concentrates its efforts on scanning those files that are susceptible to viruses. For example, many popular text and graphic formats are not affected by viruses. Currently the scanner examines over 100 types by default, which includes the .exe and .com file types.
- Defined file types: Scans only the types in the list. Using this option, you can specify the types of files that you want scanned.

Scan archive files (ZIP, ARJ, RAR...): By default, the scanner does not scan inside file archives such as .zip or .lzh files, because any virus-infected file inside them cannot become active until it has been extracted. When selected, Email Gateway scans these types of files. However, scanning takes longer and might affect performance. As the contents of these files are harmful only when the files inside are extracted, they can be scanned by the on-access scanners on individual computers in your network.

Find unknown file viruses / Find unknown macro viruses: An anti-virus scanner typically detects viruses by looking for the virus signature, which is a binary pattern found in a virus-infected file. However, this approach cannot detect a new virus because its signature is not yet known, so the scanner uses another technique: heuristic analysis. Program file heuristics scans program files and identifies potential new file viruses. Macro heuristics scans for macros in attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses. When selected, the scanner does extra analysis to find any virus-like behavior. Macros inside documents are a popular target for virus writers.

Remove all macros from document files: When selected, takes action against macros in documents. Macros inside documents are a popular target for virus writers.

Enable McAfee Global Threat Intelligence file reputation, with Sensitivity level: Enables McAfee Global Threat Intelligence file reputation on your appliance. McAfee Global Threat Intelligence file reputation complements the DAT-based signatures by providing the appliance with access to millions of cloud-based signatures. This reduces the delay between McAfee detecting a new malware threat and its inclusion in DAT files, providing broader coverage. The sensitivity levels enable you to balance the risk of missing potentially harmful content (low settings) against the risk of false positive detections (high settings). For gateway appliances, the recommended sensitivity level is Medium.

Table 4-29 Option definitions: Actions

Attempt to clean: When selected, the infection inside the item is removed, if possible. When deselected, the entire item is removed.

If cleaning succeeds: Specify the secondary actions to take if the appliance successfully cleans the infection.
- Original options:
  - Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
  - Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
- Notification options:
  - Deliver to the sender of the original: Send a notification message to the sender of the original message.
  - Deliver to the recipient(s) of the original: Send a notification message to the recipients of the original message.
  - Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
- Modified options:
  - Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
  - Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
  - Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  - Deliver to the sender of the original: Send the modified message back to the original sender.
- Other actions:
  - Modify subject: McAfee Email Gateway re-writes the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
  - Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.

Notification and annotated options: When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.

If cleaning fails: Specify the secondary actions to take if the appliance cannot clean the infection.
- Deny connection (Block)
- Refuse the data and return an error code (Block)
- Accept and then drop the data (Block)
- Replace detected item with an alert (Modify)
- Allow Through (Monitor)

Table 4-29 Option definitions: Actions (continued)

And also: Specify the secondary actions to take.
- Original options:
  - Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
  - Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
- Notification options:
  - Deliver to the sender of the original: Send a notification message to the sender of the original message.
  - Deliver to the recipient(s) of the original: Send a notification message to the recipients of the original message.
  - Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
- Modified options:
  - Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
  - Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
  - Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  - Deliver to the sender of the original: Send the modified message back to the original sender.
- Other actions:
  - Modify subject: McAfee Email Gateway re-writes the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
  - Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.

If a file is zero bytes after cleaning: Provides an action against a file that is now empty. Zero-byte files cannot carry threats, but you might prefer to remove the files if they confuse users. The available options are:
- Keep zero-byte file
- Remove zero-byte file
- Treat as a failure to clean

Table 4-30 Option definitions: Obfuscated content

Make deobfuscated content available to other scanners: When selected, provides extra protection against unwanted content. The techniques that detect hidden viruses and malware are made available to content scanning.

Table 4-31 Option definitions: Additional anti-virus engine

Enable Commtouch Command anti-virus: When selected, enables the Commtouch Command anti-virus engine within your policies.

Scanning optimization: Select how the Commtouch Command anti-virus engine is used:
- Perform optimized scanning: Objects are not passed to the Commtouch Command anti-virus engine if the McAfee anti-virus engine makes a detection that is then either replaced with an alert message, or that causes the message to be dropped. Depending on the actions configured for the McAfee anti-virus engine, the additional anti-virus engine might not be used to scan an email message.
- Perform exhaustive scanning: Objects are always passed to the Commtouch Command anti-virus engine after the McAfee engine completes its scan. Exhaustive scanning might result in your McAfee Email Gateway reporting multiple detections for a single message.

Task: Enabling McAfee Global Threat Intelligence file reputation
Use this task to enable McAfee Global Threat Intelligence file reputation on your McAfee Email Gateway.

Task
1 Select Policies | Anti-Virus | Basic Options.
2 From within Specify which files to scan, select Enable McAfee Global Threat Intelligence file reputation.
3 Select your required Sensitivity level. A low setting means that the McAfee Email Gateway may miss some potentially harmful content, whereas a high setting means that the McAfee Email Gateway may detect some harmless files and wrongly label them as potentially harmful.
4 Click OK.
5 Click Apply.

Configuring McAfee Anti-Spyware
Use the following information to understand the benefits and procedures to configure McAfee Anti-Spyware.

Policies | Anti-Virus | McAfee Anti-Spyware

The Anti-Virus | McAfee Anti-Spyware page enables you to configure McAfee Anti-Spyware to detect and take action against certain types of potentially unwanted programs being transmitted within email messages.

Contents
Benefits of using McAfee Anti-Spyware
Option definitions: Default Anti-Virus Settings | McAfee Anti-Spyware

Benefits of using McAfee Anti-Spyware
This information describes the benefits associated with setting up the McAfee Anti-Spyware options.

Several types of software programs can be transmitted using email. Some of these programs may be classed as potentially unwanted programs (PUPs). You can configure your Email Gateway to scan for potentially unwanted programs.

A PUP (potentially unwanted program) is any program that may be unwanted, even though the user consented to downloading and installing the software. This may be because the user did not read the terms and conditions relating to the software, or because it was downloaded in conjunction with another piece of software that the user did want to install. Potentially unwanted programs can include spyware, adware, and dialers. To learn more about potentially unwanted programs, visit the McAfee Labs Threat Library.

Options on the user interface enable you to select the categories of unwanted programs the appliance should detect. You can also specify the actions to use when a potentially unwanted program is detected, and some optional additional actions.

Option definitions: Default Anti-Virus Settings | McAfee Anti-Spyware
Use this page to specify the McAfee Anti-Spyware settings for anti-virus scanning.

Table 4-32 Option definitions: Potentially Unwanted Program (PUP) detection

Enable anti-virus scanning: When selected, scans for viruses and other threats such as worms and spyware. The option is normally set to Yes. Select No only if you have anti-virus protection elsewhere in your network.

Enable detection: Click the link to read the disclaimer.

Spyware to Other PUPs: When selected, detects this type of program.

Exclude and Include: Allows you to build a list of names of programs to scan or ignore.

Table 4-33 Option definitions: Actions

If detected: Provides a main action to take. The available options are:
- Deny connection (Block)
- Refuse the data and return an error code (Block)
- Accept and then drop the data (Block)
- Replace the content with an alert (Modify)
- Allow Through (Monitor)

And also: Specify the secondary actions to take.
- Original options:
  - Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
  - Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
- Notification options:
  - Deliver to the sender of the original: Send a notification message to the sender of the original message.
  - Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
  - Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
- Modified options:
  - Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
  - Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
  - Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  - Deliver to the sender of the original: Send the modified message back to the original sender.
- Other actions:
  - Modify subject: McAfee Email Gateway re-writes the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
  - Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.

If an action results in an alert: Select to use the default alert. Click change the default alert text to view or change this alert message.

Configuring Packer detection

Use this information to understand the threat posed by packers, and how you can configure your Email Gateway to deal with this threat.

Email | Email Policies | Anti-Virus | Packers

The Anti-Virus Packers page enables you to configure Email Gateway to detect and take action against types of packers. Packers compress files, which changes the binary signature of the executable. Packers can compress Trojan horse programs and make them harder to detect.

Contents
Benefits of using Packer detection
Option definitions - Default Anti-Virus Settings - Packers

Benefits of using Packer detection

This information describes the benefits associated with setting up the packer detection options.

Packers compress files, which changes the binary signature of the executable. This can make it harder to detect Trojan horse or other potentially unwanted programs, as their true binary signatures are hidden. Enabling Packer detection helps defend against this type of threat by scanning within the compressed files to check the true binary signatures of the files contained within.

Option definitions - Default Anti-Virus Settings - Packers

Use this page to specify the actions to take against packers.

Table 4-34 Option definitions

Packer detections
  Enable detection: Select to enable detection of packers by the appliance.
  Exclude specified names and Include only specified names: Allows you to build a list of names of packers to scan or ignore.

Table 4-35 Option definitions - Actions

If detected: Provides a main action to take. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Replace the content with an alert (Modify)
  Allow Through (Monitor)

And also: Specify the secondary actions to take.
  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Modified options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
    Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
    Deliver to the sender of the original: Send the modified message back to the original sender.
  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.

If an action results in an alert: Select to use the default alert. Click change the default alert text to view or change this alert message.

Configuring Custom Malware Options

Use the following information to understand the benefits and procedures to configure custom malware options within Email Gateway.

Email | Email Policies | Anti-Virus | Custom Malware Options

The Anti-Virus Custom Malware Options page enables you to configure Email Gateway to take different actions when certain types of malware are detected.

Contents
Benefits of using the Custom Malware options
Option definitions - Default Anti-Virus Settings - Custom Malware Options

Benefits of using the Custom Malware options

This information describes the benefits associated with using the custom malware options.

The custom malware options enable you to select different actions for certain types of malware to those that you have selected for other detection types.

Option definitions - Default Anti-Virus Settings - Custom Malware Options

Use this page to specify the actions to take when some types of malicious software (malware) are detected.

Table 4-36 Option definitions

Apply different actions to certain detection types
  Mass mailers to Trojan horses: When selected, applies the specified action to this type of malware. If the option is not selected, the malware is handled as described by the basic options.
  Specific detection name: When selected, allows you to add names of specific detections. You can use * and ? to represent multiple and single characters in the malware names.
  Do not perform custom malware check if the object has already been cleaned: Enable this to prevent the appliance carrying out the custom malware checks if the object has already been successfully cleaned.

Table 4-37 Option definitions - Custom actions

If detected: Provides a main action to take. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Replace the content with an alert (Modify)
  Allow Through (Monitor)

And also: Specify the secondary actions to take.
  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Modified options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
    Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
    Deliver to the sender of the original: Send the modified message back to the original sender.
  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.

If a custom malware action results in an alert: Select to use the default alert. Click change the default alert text to view or change this alert message.

Handling hybrid scan results

When an email message triggers an action during the scan by the cloud-based McAfee SaaS Email Protection Service, the results of that scan are communicated to your Email Gateway appliance. You can configure the way hybrid scanning responds when it takes an action.

Benefits of hybrid scanning

Hybrid scanning reduces the workload for the Email Gateway appliances within your network. Hybrid scanning processes your inbound messages in the cloud, leaving your appliances free to scan outbound traffic. You maintain control over the way scan results are used, because you can configure policies for hybrid scanning just as you can for scanning by your Email Gateway appliances.

Option definitions - Hybrid scanning

Use this page to enable and configure hybrid scanning.

Table 4-38 Option definitions - Hybrid Scanning

Hybrid scanning options
  Enable hybrid anti-virus scanning: Enables or disables anti-virus scanning by the SaaS Email Protection Service.
  Re-scan the email locally if it is NOT found to be infected: Enables or disables additional scanning by the Email Gateway appliance for any email that passes through the SaaS Email Protection Service without triggering an action.

Actions
  If a virus is detected: Sets the action to be taken by the Email Protection Service if it detects a virus. Options are:
    Deny connection (Block)
    Refuse the data and return an error code (Block)
    Accept and then drop the data (Block)
    Replace with an alert (Modify)
    Allow through (Monitor)
  And also: Sets additional actions to be taken by the Email Protection Service for emails that were not blocked as the primary action. Options are:
    Original options: Quarantine; Annotate and deliver original to n lists.
    Notification options: Deliver to the sender of the original; Deliver to the recipient(s) of the original; Deliver a notification to n lists.
    Modified options: Quarantine; Forward modified to n lists; Annotate and deliver modified to n lists; Deliver to the sender of the original.

Table 4-38 Option definitions - Hybrid Scanning (continued)

  Notification and annotated options: Link that opens the Notification Options page where you can set options.
  If an action results in an alert: Enables or disables use of the default text for virus alerts. If the default is disabled, the system uses alert text provided by the user.
  Change the default alert text: Opens the Alert Editor page for anti-virus detection alerts.
  If a potentially unwanted program is detected: Sets the action to be taken by the Email Protection Service if it detects a potentially unwanted program. Options are:
    Deny connection (Block)
    Refuse the data and return an error code (Block)
    Accept and then drop the data (Block)
    Replace with an alert (Modify)
    Allow through (Monitor)
  And also: Sets additional actions to be taken by the Email Protection Service for emails that were not blocked as the primary action. Options are:
    Original options: Quarantine; Annotate and deliver original to n lists.
    Notification options: Deliver to the sender of the original; Deliver to the recipient(s) of the original; Deliver a notification to n lists.
    Modified options: Quarantine; Forward modified to n lists; Annotate and deliver modified to n lists; Deliver to the sender of the original.
  Notification and annotated options: Link that opens the Notification Options page where you can set options.
  If an action results in an alert: Enables or disables use of the default text for potentially unwanted program alerts. If the default is disabled, the system uses alert text provided by the user.
  Change the default alert text: Opens the Alert Editor page for potentially unwanted program alerts.

Task - Configure scanning policy

Follow this process to enable and configure hybrid anti-virus scanning policy.

Before you begin
You should register your appliance with McAfee SaaS Email Protection Service (SaaS) and configure the domains for which traffic is to be scanned in the cloud.

Task
1 Select Email | Email Policies, then in the Anti-Virus column, click the Viruses: Clean or Replace link. The Default Anti-Virus Settings (SMTP) page opens.
2 Select the Hybrid Scanning tab. The Hybrid scanning options tab opens.
3 In the Hybrid scanning options section of the page, select the checkbox to enable hybrid scanning.
4 If you want your Email Gateway appliance to scan any email that passes through the hybrid scan without triggering an action, select the Rescan the mail locally checkbox.
5 Configure the actions you want the Email Protection Service to take when it detects a virus.
  a Select the primary action for virus detection from the drop-down list.
  b Select any secondary action or actions from the scrolling And also menu.
  c Click the Notification and annotated options link to set options on the Notification Options page.
  d Specify the use of the default alert text for anti-virus alerts by selecting the Use default text checkbox.
  e If you want to change the text of the anti-virus alert, click the Change the default alert text link.
6 Configure the actions you want the Email Protection Service to take when it detects a potentially unwanted program (PUP).
  a Select the primary action for PUP detection from the drop-down list.
  b Select any secondary action or actions from the scrolling And also menu.
  c Click the Notification and annotated options link to set options on the Notification Options page.
  d Specify the use of the default alert text for PUP alerts by selecting the Use default text checkbox.
  e If you want to change the text of the alert, click the Change the default alert text link.

Anti-Spam policy settings

Use the Anti-Spam policies to manage spam and phish detection, and configure any sender authentication settings you want to apply.

Anti-Spam features

The anti-spam protection within Email Gateway provides many ways to protect your users from unsolicited email messages.

The anti-spam features include:
  score-based spam reporting
  the ability to add prefixes to the subject line of emails identified as being unsolicited
  customizable message size options
  the ability to add custom headers to the identified messages
  the use of blacklists and whitelists
  spam rules that can be disabled if they are incorrectly identifying legitimate emails as spam

In addition, McAfee Email Gateway provides protection against phishing emails. Phishing emails are messages that purport to come from a user's bank or other institution, but in fact are aimed at tricking the user into disclosing sensitive financial data such as account and PIN numbers.

Another method of reducing the amount of unsolicited email is to use Sender Authentication to check that messages have actually been sent from the source they appear to have been sent from.

Configuring basic Anti-Spam options

Use the following information to understand the benefits and procedures to configure basic Anti-Spam options.

Email | Email Policies | Spam | Basic Options

Contents
Benefits of using basic Anti-Spam options
Option definitions - Default Anti-Spam Settings - Basic Options

Benefits of using basic Anti-Spam options

This information describes the benefits associated with setting up the basic Anti-Spam options.

The basic options available within the Default Anti-Spam Settings page allow you to specify settings such as the spam reporting threshold for messages. This is the accumulated score at which your Email Gateway marks messages as possibly being spam.

From this dialog box, you can also choose how you want to inform your users that a message could possibly be spam. You can add a prefix to the subject line of emails suspected of being spam, edit the text that appears within the subject, and decide to add the spam score as well.

You can also configure further spam-based options, including defining stricter actions (monitor, block or reroute) for messages gaining a higher spam score.

Option definitions - Default Anti-Spam Settings - Basic Options

Use this page to specify how to handle spam messages.

Table 4-39 Enable anti-spam scanning for "policy name"
  Enable anti-spam scanning: When selected, enables anti-spam scanning of messages.

Table 4-40 Option definitions - Reporting options
  Spam reporting threshold: Specifies a spam threshold. Messages that have a spam score below the threshold are not treated as spam. Typically, a spam score of 5 or more indicates spam. You need only change this threshold if its default value is not effective. You can enter numbers with decimal fractions. Default value is 5.
  Add a prefix to the subject line of spam messages and Prefix text: When selected, adds some text that helps users to find suspicious messages in their inbox. Default value is [spam].

Table 4-40 Option definitions - Reporting options (continued)
  Add a spam score indicator and Indicator text: When selected, adds an indicator to each message's Internet headers. For example, a message that has a spam score between 6 and 7 can be given an indicator of six asterisks. This information is useful for later analysis. Default value is *.
  Attach a spam report: When selected, adds a report to the messages, showing the names of the anti-spam rules that have triggered. We recommend that you select a spam report for initial testing only, because it can affect your server's performance. When you have collected the information, deselect the option.
  Verbose reporting: When selected, adds descriptions of the anti-spam rules.

Table 4-41 Option definitions - Additional score-based actions

When the spam score is at least: Specify the actions to take when the spam score exceeds a user-specified value. The available actions are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Route to an alternative relay (reroute)
  Allow Through (Monitor)
If the action to take against email is Route to an alternate relay, you can click a Manage the list of relays link to a list of other devices that will handle the email instead.

And also: Specify the secondary actions to take.
  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Forward original to x lists: Forward the message to the specified distribution lists. Click Edit to select the lists, or to create a distribution list.
    Annotate and deliver original to sender: Deliver the original message to the sender, with annotations added.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Notification options
    Deliver to the recipient(s) of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Modified options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.

Notification and annotated options: When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.

Table 4-42 Alert settings
  Use the default alert: Select whether to use the default alert text when an anti-spam action triggers. You can edit the alert text by clicking either change the default alert text or customize the alert text.

Configuring advanced Anti-Spam options

Use the following information to understand the benefits and procedures to configure advanced Anti-Spam options.

Email | Email Policies | Spam | Advanced Options

Contents
Benefits of using the advanced Anti-Spam options
Option definitions - Default Anti-Spam Settings - Advanced Options

Benefits of using the advanced Anti-Spam options

This information describes the benefits associated with setting up the advanced Anti-Spam options.

The advanced options for configuring Anti-Spam allow you to set rules for message size and header width, as well as configuring the number of rule names that can be included in a spam report. You can also enable custom headers for messages.

Option definitions - Default Anti-Spam Settings - Advanced Options

Use this page to specify advanced settings against spam email. You do not need to change these settings often.

Specify limits
  Use the default maximum message size: Select to use the default message size limits. The default size is 250 KB. Deselect to set a custom Maximum message size.
  Maximum message size: Specifies the maximum size of the message. Spam messages are typically small.
  Maximum width of spam headers: Specifies the maximum width of headers that the appliance adds to messages. We do not recommend that you decrease the value. For example, Verbose reporting creates header lines, each with the name and description of a rule. A reduced width will truncate the rule descriptions, making them more difficult to read. Default value is 76 bytes.
  Maximum number of reported rules: Specifies the maximum number of anti-spam rule names that can be included in a spam report.

Add a custom header
  Header name and Header value: Specifies the name and value of an extra header that can be used for later processing.
  Add the header: Specifies the type of message to which to add the header. For example, you can add the customized header to spam messages only. Default value is Never.
  Use alternative header names when a mail is not spam: If selected, appends the text Checked to the normal spam header names when the message did not contain spam. This option can be useful to other devices that handle the same message later.

Configuring Blacklists and Whitelists

Use the following information to understand the benefits and procedures to configure Blacklists and Whitelists on your Email Gateway.

Email | Email Policies | Spam | Blacklists and Whitelists

Contents
Benefits of using Blacklists and Whitelists
Option definitions - Blacklisted Senders
Option definitions - Blacklisted Recipients
Option definitions - Whitelisted Senders
Option definitions - Whitelisted Recipients
Option definitions - User Submitted

Benefits of using Blacklists and Whitelists

This information describes the benefits associated with using the blacklists and whitelists to help block spam messages from reaching your users.

Blacklists and whitelists are useful tools in helping keep your user inboxes free from unsolicited (spam) messages. During "spam" campaigns, high volumes of messages can be generated in a short period of time. If each of these spam emails that reach your servers has to be individually scanned to check the content, this can consume scanning resources on your Email Gateway. Using blacklists, you can block all emails from a specific address, thereby removing the requirement to scan each of the emails individually.

If you find that people who send legitimate messages into your organization have their messages erroneously tagged as spam, adding their addresses to the whitelists can prevent the messages being tagged as spam.

Option definitions - Blacklisted Senders

Use this information to make lists of addresses that regularly send spam to your organization.

Use this to make a list of addresses that often send spam.
  Address: Specifies each address. You can use wildcards.
  Add Address: Click to add a new row to the list of addresses that often send spam. Type the address that you want added to the list.
  Delete Selected Addresses: If you find that legitimate sender addresses have been added to the Blacklisted Senders list, select each legitimate address, and click Delete Selected Addresses.

Option definitions - Blacklisted Recipients

Use this information to make lists of addresses that regularly receive spam messages.

Use this to make a list of addresses that often receive spam.
  Address: Specifies each address. You can use wildcards.
  Add Address: Click to add a new row to the list of addresses that often receive spam. Type the address that you want added to the list.
  Delete Selected Addresses: If you find that legitimate addresses have been added to the Blacklisted Recipients list, select each legitimate address, and click Delete Selected Addresses.

Option definitions - Whitelisted Senders

Use this information to make lists of addresses that are allowed to send email from within, or to, your organization.

Use this to make a list of users who want to send messages that the appliance normally treats as spam.
  Address: Specifies each address. You can use wildcards.
  Add Address: Click to add a new row to the list of addresses that are to be allowed to send email. Type the address that you want added to the list.
  Delete Selected Addresses: If you find that illegal sender addresses have been added to the Whitelisted Senders list, select each illegal address, and click Delete Selected Addresses.
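Added example, not the appliance's own code: a matcher for list entries that use the * and ? wildcards, as described above for Specific detection name under Custom Malware Options and for the Blacklisted and Whitelisted address lists. Case-insensitive matching, and the rule in sender_disposition that a whitelisted sender is never treated as blacklisted, are assumptions made for this example; the guide does not state either. The addresses and detection names are constructed placeholders.

```python
import re


def wildcard_to_regex(pattern):
    """Translate a list entry into an anchored regular expression.

    '*' stands for any run of characters and '?' for exactly one character, as
    the guide describes for detection names; every other character is literal.
    Case-insensitive matching is an assumption made for this example.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


class WildcardList:
    """A blacklist, whitelist or custom detection-name list with wildcard entries."""

    def __init__(self, entries):
        # Compile each entry once; keep the original text so a hit can be reported.
        self.entries = [(entry, wildcard_to_regex(entry)) for entry in entries]

    def match(self, value):
        """Return the first list entry that matches value, or None."""
        for entry, regex in self.entries:
            if regex.match(value):
                return entry
        return None


def sender_disposition(sender, blacklisted_senders, whitelisted_senders):
    """Decide how a sender address is treated before content scanning.

    Assumption for this example only: the whitelist is consulted first, so a
    whitelisted sender is never blocked by a blacklist entry. The guide does not
    state which list the appliance consults first.
    """
    hit = whitelisted_senders.match(sender)
    if hit:
        return f"whitelisted by '{hit}': deliver without spam tagging"
    hit = blacklisted_senders.match(sender)
    if hit:
        return f"blacklisted by '{hit}': block without scanning content"
    return "not listed: scan content and apply the spam score"


# Constructed sample lists; the domains and detection names are placeholders.
BLACKLISTED_SENDERS = WildcardList(["*@bulk-offers.example", "promo?@lists.example"])
WHITELISTED_SENDERS = WildcardList(["billing@partner.example", "*@example.org"])
CUSTOM_DETECTION_NAMES = WildcardList(["Example-Mailer/*", "Example-Dropper-??"])

if __name__ == "__main__":
    for sender in ("anyone@bulk-offers.example", "promo7@lists.example",
                   "promo42@lists.example", "billing@partner.example"):
        print(sender, "->", sender_disposition(sender, BLACKLISTED_SENDERS, WHITELISTED_SENDERS))
    print("Example-Mailer/Variant.B ->", CUSTOM_DETECTION_NAMES.match("Example-Mailer/Variant.B"))
```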

Option definitions - Whitelisted Recipients

Use this information to make lists of users who want to receive messages that are normally identified as spam.

Table 4-43 Option definitions

Use this page to make a list of users who want to receive messages that are normally identified as spam.
  Address: Specifies each address. You can use wildcards.
  Add Address: Click to add a new row to the list of addresses that are to be allowed to receive messages. Type the address that you want added to the list.
  Delete Selected Addresses: If you find that illegal recipient addresses have been added to the Whitelisted Recipients list, select each illegal address, and click Delete Selected Addresses.

Option definitions - User Submitted

Use this information to understand how to allow your users to blacklist or whitelist individual senders, and how to view and manage those lists.

Use this to view and manage lists of blacklists and whitelists that have been submitted by users through quarantine digests. If the appliance is configured to use the McAfee Quarantine Manager, you can only view the lists.

Table 4-44 Option definitions
  View: Click to view the lists of user-submitted blacklists and whitelists.
  Refresh and Clear: Click to either refresh the information shown on screen, or to clear all information from the screen.
  Filter: Specify the information that you want to filter the list by. Click Apply. The lists are filtered to only show those entries that match the entered filter string.
  Modify, Add and Delete: Use these buttons to add, remove or edit entries within the user-submitted lists.
  Import Lists: Take a previously exported list of blacklisted and whitelisted addresses, and import them onto your Email Gateway.
  Export Lists: Create a list of the user-submitted blacklisted and whitelisted addresses, and export them as an XML file.

Configuring Spam Rules

Use the following information to understand the benefits and procedures available to configure Spam Rules.

Email | Email Policies | Spam | Spam Rules

Contents
Benefits of configuring Spam Rules
Option definitions - Spam Rules

Benefits of configuring Spam Rules

Use the following information to understand the benefits of configuring Spam Rules.

McAfee Email Gateway uses several methods to catch unsolicited (spam) messages and prevent them from reaching your users. One of these methods is to use a set of regularly updated rules to detect specific spam campaign messages. However, on occasion, one of these rules may wrongly detect legitimate messages as spam (a false positive detection). In this situation, you can disable just the rule that is causing the false positive detections.

Option definitions - Spam Rules

Use this page to remove any spam rules that are causing some email to be wrongly detected as spam.

It is unlikely that you will need to change this list. Make changes only if you understand the implications.

  Rule Name: Displays the rule name that is seen in the spam report.
  Rule Score: Displays the rule score, which is typically 1 to 5.
  Enabled: Specifies whether a rule is active. To disable a rule, deselect its checkbox.
  Apply and Filter: When Apply is clicked, the table shows only those entries matched by Filter. You can type a regular expression here, for example:
    ^AA  Find all terms that begin with AA.
    BB$  Find all terms that end with BB.
    CC   Find all terms that contain CC.
  To see the full list again, clear Filter and click Apply.

Configuring Anti-Phish settings

Use this information to understand how to configure your gateway to protect your users from phishing emails.

Email | Email Policies | Spam | Phish

Contents
Benefits of Anti-Phish scanning
Option definitions - Anti-Phish

Benefits of Anti-Phish scanning

Learn about the benefits of enabling Anti-Phish scanning on your Email Gateway.

Phishing is the illegal activity of using spoofed email messages to persuade unsuspecting users to disclose personal identity and financial information. Criminals can use the stolen identity to fraudulently obtain goods and services and to steal directly from bank accounts.

Configuring the anti-phish settings within your appliance helps to protect your users and your organization from illegal phishing activities.

Option definitions - Anti-Phish

Use this page to specify how to handle phishing email.

Enable anti-phish scanning for "policy name"
  Enable anti-phish scanning: When selected, enables anti-phish scanning of messages.

Reporting options
  Add a prefix to the subject line of phishing messages: When selected, adds a prefix to help users to see phishing messages in their inbox quickly. Specifies text for the prefix. We recommend that you do not use characters from multi-byte (extended) character sets here unless the re-encoding is UTF-8. Default value is ****Possible Phish****.
  Add a phish indicator header to messages: When selected, adds an indicator in the X header, which enables other software to process or analyze the message further.
  Attach a phish report: When selected, attaches a report to the message, which explains why the message was marked as phish.
  Verbose reporting: When selected, provides a fuller report, giving descriptions of the names of the rules that have triggered.

Actions

If a phishing attempt is detected: Provides a main action to take against the phish message. The options available are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Replace the content with an alert (Modify)
  Route to an alternate relay (Reroute)
  Allow Through (Monitor)
If the action to take against email is Route to an alternate relay, you can click a Manage the list of relays link to a list of other devices that will handle the email instead.

And also: Specify the secondary actions to take.
  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Forward original to x lists: Forward the message to the specified distribution lists. Click Edit to select the lists, or to create a distribution list.
    Annotate and deliver original to sender: Deliver the original message to the sender, with annotations added.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Notification options
    Deliver to the recipient(s) of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
  Modified options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.

Notification and annotated options
    If an anti-phishing action results in an alert
        When clicked, opens another window where you can specify who the appliance notifies when a threat is detected. Enables you to use the default anti-phish alert message, or to change the text to create your own message. You can also choose one of the following options:
            Do not attach the original message
            Attach the original message in RFC822 format
            Attach the original message in plain text format

Sender Authentication Settings: McAfee Global Threat Intelligence message reputation

Use this page to specify the actions to take against known senders of spam. The appliance uses McAfee Global Threat Intelligence (GTI) message reputation to identify senders of spam messages.

Table 4-45 Option definitions: Higher Detection Threshold

Enable McAfee GTI Message Reputation at the higher detection threshold
    The feature is enabled by default.
Detection threshold
    Select an appropriate detection threshold for the higher detections. The available options are Highly suspect, Suspect and Custom. The default threshold is Highly suspect. When Custom is selected, you also need to enter the appropriate Threshold value.
If the sender fails the check
    Provides actions to take. For example:
        Allow through (Monitor): lets the message pass to its intended recipients, but information is retained within the logs and reports.
        Tarpit: delays the response to the message. By default, the delay is 5 seconds, and is configurable from the Default Sender Authentication Settings, Cumulative score and other options tab.
        Add to score: combines the results of several methods of sender authentication. Select the score to be added.
        Accept and drop (Block): accepts the connection, but blocks the message from being delivered, and returns the appropriate code to the sending MTA.
        Reject (Block): blocks the message from being delivered, and returns the appropriate code to the sending MTA.
        Reject and close (Block): blocks the message from being delivered, and closes the connection.
        Reject, close and deny (Block): Kernel Mode Blocking. This is an effective method of combating spam, as it deals with the message itself (reject), the connection (close) and adds the sending server to the deny list.
    The default action is Reject, close and deny (Block).
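The fail actions in Table 4-45 are shared by every sender authentication check on the following pages, and Add to score only does anything when the Cumulative Score and Other Options page later compares the total against a threshold. The example below is added here to show how those actions interact; it is not McAfee code. The method names, the weights, the 60-point threshold and the action labels are assumptions chosen for the example (the appliance's real values are whatever the administrator sets), and a score is only added when a method fails, which is the case the page describes.

```python
"""Added example (not McAfee code): how the per-method fail actions of
Table 4-45 combine into the cumulative-score decision of the Cumulative
Score and Other Options page. Method names, weights, threshold and action
labels are assumptions for this example."""
from dataclasses import dataclass

TARPIT_DELAY_S = 5  # the page's default tarpit delay


@dataclass(frozen=True)
class FailAction:
    kind: str       # add_to_score, tarpit, allow, accept_drop, reject, reject_close, reject_close_deny
    score: int = 0  # only used with add_to_score


# Methods in the order the SMTP conversation reaches them (assumed order).
DEFAULT_POLICY = {
    "gti":    FailAction("add_to_score", 40),
    "rbl":    FailAction("add_to_score", 40),
    "fcrdns": FailAction("add_to_score", 10),   # weak verification, low weight
    "spf":    FailAction("add_to_score", 30),
    "dkim":   FailAction("add_to_score", 20),
}
THRESHOLD = 60                      # assumed Score threshold
THRESHOLD_ACTION = "reject_close_deny"
TERMINAL = {"accept_drop", "reject", "reject_close", "reject_close_deny"}


def decide(results, policy=DEFAULT_POLICY, threshold=THRESHOLD,
           threshold_action=THRESHOLD_ACTION):
    """results maps method -> True (passed) or False (failed).

    Returns (action, total_score, tarpit_seconds). Methods are evaluated in
    policy order; a direct block action ends the evaluation immediately, so
    scores from later methods are never counted. That is why the page says to
    pick Add to score for every method when you rely on the threshold."""
    total, delay = 0, 0
    for method, rule in policy.items():
        if method not in results or results[method]:
            continue                        # passed or not evaluated
        if rule.kind == "add_to_score":
            total += rule.score
        elif rule.kind == "tarpit":
            delay += TARPIT_DELAY_S         # slow the sender, keep talking
        elif rule.kind in TERMINAL:
            return rule.kind, total, delay  # short-circuit
        # "allow": monitor only, nothing to do
    if total >= threshold:
        return threshold_action, total, delay
    return "allow", total, delay
```

With every method set to Add to score, three weak failures (SPF, DKIM, FCrDNS) add up to the threshold and the message is blocked; a lone SPF failure scores 30 and is let through. Change the RBL action to Reject and the later methods are never scored at all, which is the configuration mistake the Cumulative Score page warns about.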

Table 4-46 Option definitions: Lower Detection Threshold

Enable McAfee GTI Message Reputation at the lower detection threshold
    The feature is disabled by default.
Detection threshold
    Select an appropriate detection threshold for the lower detections. The available options are Highly suspect, Suspect and Custom. The default threshold is Highly suspect. When Custom is selected, you also need to enter the appropriate Threshold value. This value should be lower than the value set for the Higher Detection Threshold.
If the sender fails the check
    Provides the same actions to take as Table 4-45: Allow through (Monitor), Tarpit (5 seconds by default, configurable from the Cumulative score and other options tab), Add to score, Accept and drop (Block), Reject (Block), Reject and close (Block), and Reject, close and deny (Block). The default action is Accept and drop (Block).

Sender Authentication Settings: RBL Configuration

Use this page to specify the locations of real-time blackhole lists (RBLs), lists of IP addresses that are known to send spam. By default the appliance is configured to use the McAfee blackhole list, cidr.bl.mcafee.com. You can add as many RBL servers as you require.

The appliance queries each server in the order shown in the user interface until a match is found, and then takes the specified action. McAfee recommends that you place the RBL servers in the order in which they are most likely to trigger, to reduce the number of lookups the appliance carries out for each incoming connection.
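The following is an added example, not McAfee code, of what an RBL lookup consists of and why the order of the list matters: the client address is reversed and prefixed to the zone name, the zone is queried for an A record, and an answer inside 127.0.0.0/8 means "listed". cidr.bl.mcafee.com is the page's default zone; the other two zone names and every DNS answer in the stub resolver are constructed for the example and are not real listings.

```python
"""Added example (not McAfee code): forming DNSBL query names and querying
an ordered list of zones, stopping at the first hit. Zone names other than
cidr.bl.mcafee.com and all answers below are constructed."""
import ipaddress

RBL_ZONES = ["cidr.bl.mcafee.com", "rbl-a.example.invalid", "rbl-b.example.invalid"]


def rbl_query_name(ip, zone):
    """Reverse the address and append the zone, as DNSBL queries require."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # one nibble per label
    return ".".join(labels) + "." + zone


class StubResolver:
    """Stands in for DNS: maps a query name to its A record (None = NXDOMAIN)."""

    def __init__(self, table):
        self.table = table
        self.lookups = 0

    def resolve(self, name):
        self.lookups += 1
        return self.table.get(name)


def is_listed(answer):
    # A listing is an answer in 127.0.0.0/8. Anything else (for instance a
    # wildcard answer from a dead or hijacked zone) must not block mail.
    return answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def first_rbl_match(ip, zones, resolver):
    """Query zones in order; stop at the first listing. Returns (zone, answer) or None."""
    for zone in zones:
        answer = resolver.resolve(rbl_query_name(ip, zone))
        if is_listed(answer):
            return zone, answer
    return None


# Constructed answers: 192.0.2.25 is listed only by the third zone.
FAKE_DNS = {
    "25.2.0.192.rbl-b.example.invalid": "127.0.0.2",
}


def lookups_needed(ip, zones, table=FAKE_DNS):
    """Run the ordered lookup and report how many queries it cost."""
    resolver = StubResolver(table)
    return first_rbl_match(ip, zones, resolver), resolver.lookups
```

With the zone that actually lists the sender placed last, every connection from that address costs three queries; moving it first costs one. A sender listed nowhere always costs one query per configured zone, so each extra zone adds latency to every clean connection as well.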

Table 4-47 Option definitions: RBL lookup

Enable RBL lookup
    The feature is enabled by default.
Domain name
    Specifies the locations of the servers that maintain real-time blackhole lists.
If the sender fails the check
    Provides the same actions to take as Table 4-45: Allow through (Monitor), Tarpit (5 seconds by default, configurable from the Cumulative score and other options tab), Add to score, Accept and drop (Block), Reject (Block), Reject and close (Block), and Reject, close and deny (Block). The default action is Reject, close and deny (Block).

Sender Authentication Settings: SPF, Sender ID and DKIM

Use this page to specify settings for techniques that determine whether the sender of an email message is genuine. These techniques reduce the workload for the appliance, because they reject suspicious email without the need for scanning. The appliance can take various actions according to whether the email passes or fails each check. You can use each type of authentication separately, or combine the techniques by using scoring (or "weighting").

Table 4-48 Option definitions: SPF, Sender ID and DKIM

Enable SPF, Enable Sender ID
    When selected, enables Sender Policy Framework (SPF) or Sender ID on the appliance.
Add an SPF header to email, Add a Sender ID header to email, Add a verification result header to emails, Add a FCrDNS header to emails
    If selected, adds an extra header line to the message. After verifying an email message, the appliance attaches its own header to the message, which indicates to other mail servers in your organization that the message has been verified. The headers include the Received-SPF header, the Received-PRA header and the X-NAI_DKIM_Results header.

Table 4-48 Option definitions: SPF, Sender ID and DKIM (continued)

If the sender fails the check
    Provides the same actions to take as Table 4-45: Allow through (Monitor), Tarpit (5 seconds by default, configurable from the Cumulative score and other options tab), Add to score, Accept and drop (Block), Reject (Block), Reject and close (Block), and Reject, close and deny (Block).
If the sender passes the check
    Provides actions to take. For example:
        Allow through (Monitor): lets the message move to the next stage.
        Add to score: combines the results of several methods of sender authentication.
Enable DKIM verification
    Select to enable DomainKeys Identified Mail (DKIM) verification of messages.
Enable FCrDNS
    Select to enable Forward-Confirmed reverse DNS (FCrDNS) lookups, which provide weak verification of messages.

Sender Authentication Settings: Cumulative Score and Other Options

Use this page to specify various options, including scoring techniques for authenticating senders. If no single method is entirely effective against untrusted senders, or some methods work better than others in your network, you can associate a score with each method to refine the overall detection.

To ensure scoring works correctly, select Add to score as the action for every method that is in use.

Table 4-49 Option definitions: Cumulative Score and Other Options

Check the total added score, Score threshold, If this threshold is reached
    Uses the scores from several methods of sender authentication to determine the action to take against an email message when its sender cannot be authenticated.
Delay period when tarpitting
    Specifies a delay when acknowledging the sending of an email. The default value of 5 seconds is often effective in deterring a denial-of-service attack.
Parse the headers for sender address if behind an MTA, Number of hops to the MTA
    If the appliance is preceded by Mail Transfer Agents (MTAs), specify the number of hops from the appliance to the MTA. The appliance can then parse the headers to find the original sender and check against that IP address.
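The "Parse the headers for sender address if behind an MTA" option and its hop count only make sense once the DATA phase has delivered the headers. The example below is added to show what that means in practice; it is not McAfee code. It walks back the configured number of Received headers to find the client that connected to the outermost trusted MTA, then evaluates SPF for the MAIL FROM domain against that address rather than the internal relay's. The message, the Received headers, the IP addresses and the SPF record are constructed; the evaluator handles only ip4, ip6 and all mechanisms over an in-memory record table (no DNS), and the Return-Path header stands in for the envelope sender.

```python
"""Added example (not McAfee code): locating the originating client IP
behind N trusted MTAs from the Received headers, then running a minimal
SPF evaluation (ip4/ip6/all only, constructed records, no DNS)."""
import ipaddress
import re
from email import message_from_string

# Constructed SPF records standing in for TXT lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# Constructed message as the appliance sees it: an internal relay (10.0.0.5)
# connected to the appliance; the relay's Received header (topmost) records
# the real internet sender, 192.0.2.10.
SAMPLE = (
    "Received: from mx.example.com (mx.example.com [192.0.2.10])"
    " by relay.corp.example (Postfix) with ESMTPS id 7A1B2C; Mon, 6 May 2013 09:12:01 +0000\n"
    "Received: from laptop.example.com (unknown [203.0.113.7])"
    " by mx.example.com with ESMTPSA; Mon, 6 May 2013 09:11:58 +0000\n"
    "Return-Path: <billing@example.com>\n"
    "From: Billing <billing@example.com>\n"
    "To: user@corp.example\n"
    "Subject: Invoice 4471\n"
    "\n"
    "Please find the invoice attached.\n"
)

RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def sender_ip(raw, connecting_ip, hops):
    """Address to authenticate: the connecting client when hops == 0, else the
    client recorded in the hops-th Received header counted from the top (the
    most recently added). Count only MTAs you operate: every header below
    them is sender-controlled text and can name any address at all."""
    if hops == 0:
        return connecting_ip
    received = message_from_string(raw).get_all("Received") or []
    if len(received) < hops:
        raise ValueError(f"only {len(received)} Received headers, hops={hops}")
    m = RECEIVED_IP.search(received[hops - 1])
    if not m:
        raise ValueError("no bracketed IP in Received header")
    return m.group(1)


QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, ip):
    """Evaluate ip4/ip6/all mechanisms; anything needing DNS is a permerror here."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIER[qual]
            continue
        return "permerror"      # include/a/mx/exists/redirect: out of scope
    return "neutral"            # nothing matched and no "all" mechanism


def mail_from_domain(raw):
    rp = message_from_string(raw).get("Return-Path", "")
    return rp.strip("<> \t").rpartition("@")[2].lower()


def spf_check(raw, connecting_ip, hops, records=SPF_RECORDS):
    record = records.get(mail_from_domain(raw))
    if record is None:
        return "none"
    return evaluate_spf(record, sender_ip(raw, connecting_ip, hops))
```

With hops set to 0 the check runs against the relay's address and fails for every message the relay forwards; with hops set to 1 it reaches the real sender and passes. Setting hops too high (2 here) reads a header the remote sender wrote and gives a meaningless result, so the count must match the number of MTAs you actually control.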

Task: Apply Sender Policy Framework checks to sub-policies

Configure McAfee Email Gateway to apply Sender Policy Framework (SPF) checks to sub-policies.

If you create sub-policies that include Sender/Recipient Address, SPF is by default triggered by the default policy rather than by the sub-policy. This is because SPF checks are performed during the MAIL FROM phase of the SMTP conversation, before the message has been matched to a sub-policy. To change this default behavior, you need to force the SPF checks to be carried out after the DATA phase of the SMTP conversation starts.

Task
1 Navigate to Policies | Spam | Sender Authentication | Cumulative Score and Other Options. Cumulative Score and Other Options is available from the drop-down list on the Default Sender Authentication Settings (SMTP) window tab bar.
2 Select Parse the headers for sender address if behind an MTA.
3 Click OK.
4 Apply the changes.

SPF checks are now carried out after the DATA phase of the SMTP conversation starts.

Compliance policy settings

Use the Compliance policies to manage file and mail size filtering, configure data loss prevention settings, ensure message compliance through the use of compliance dictionaries, detect possible pornographic images using Image filtering, or specify settings for handling signed or encrypted content.

Default File Filtering Settings (SMTP)

Use this page to specify actions against different types of file. This is known as file filtering.

Policies | Compliance | File filtering

The default policy values are normally suitable, but you might need another policy to allow the occasional transfer of large, deeply nested files, or to investigate possible attacks.

Benefits of file filtering

Use this topic to gain a better understanding of file filtering. When creating file filtering rules, you can detect files in several ways. You can configure the appliance to restrict the use of certain file types:

By file name
    For example, some graphic file formats such as bitmap (.BMP) use large amounts of memory and can affect network speed when transferred. You might prefer that users work with more compact formats such as GIF, PNG or JPEG. If your organization produces computer software, you might see executable (.exe) files moving around the network; within another organization, those files might be games or illegal copies of software. Similarly, unless your organization regularly handles movie files (MPEG or MPG), they are probably for entertainment only. A file filtering rule that examines the file extension can restrict the movement of these files. Financial information might have file names like Year2008.xls or 2008Results. A file filter that matches the text 2008 can detect the movement of these files.

By file format
    For example, much of your organization's most valuable information, such as designs and lists of customers, is in databases or other special files, so it is important to control the movement of these files. The appliance examines files based on their true content, because any file can be made to masquerade as another. A person with malicious intent might rename an important database file called CUSTOMERS.MDB to NOTES.TXT and attempt to transfer that file, believing that it cannot be detected. You can configure the appliance to examine each file based on its content or file format, and not on its file name extension alone.

By file size
    For example, although you might allow graphic files to move around the network, you can restrict their size to prevent the service running too slowly for other users.
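The three checks above (name, true format, size) are shown together in the following added example, which is not McAfee code and does not reproduce the appliance's rule engine. The format check relies on the well-known leading bytes ("magic") of each format, which is what "true content" detection means in practice and why renaming CUSTOMERS.MDB to NOTES.TXT does not hide it. The rule table and every sample file are constructed for the example.

```python
"""Added example (not McAfee code): file filtering by name, by true format
(magic bytes) and by size. Signatures are the public leading bytes of each
format; the RULES table and the test files are constructed."""
import re

# (type, offset, magic). First match wins, so longer, more specific
# signatures come before the two-byte ones at the end.
SIGNATURES = [
    ("mdb",   4, b"Standard Jet DB"),                # Access .mdb (after 00 01 00 00)
    ("accdb", 4, b"Standard ACE DB"),                # Access .accdb
    ("png",   0, b"\x89PNG\r\n\x1a\n"),
    ("gif",   0, b"GIF87a"),
    ("gif",   0, b"GIF89a"),
    ("jpeg",  0, b"\xff\xd8\xff"),
    ("pdf",   0, b"%PDF-"),
    ("ole2",  0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .doc/.xls/.ppt
    ("zip",   0, b"PK\x03\x04"),                     # also .docx/.xlsx/.jar
    ("mpeg",  0, b"\x00\x00\x01\xba"),               # MPEG program stream
    ("mpeg",  0, b"\x00\x00\x01\xb3"),               # MPEG video stream
    ("exe",   0, b"MZ"),                             # DOS/PE executable
    ("bmp",   0, b"BM"),
]

# Extensions a file of each true type may legitimately carry.
EXPECTED_EXT = {
    "mdb": {"mdb"}, "accdb": {"accdb"}, "png": {"png"}, "gif": {"gif"},
    "jpeg": {"jpg", "jpeg"}, "pdf": {"pdf"},
    "ole2": {"doc", "xls", "ppt", "msg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"}, "mpeg": {"mpg", "mpeg"},
    "exe": {"exe", "dll", "scr"}, "bmp": {"bmp"},
}


def sniff(data):
    """True format from content, or "unknown" when no signature matches."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


# Constructed rule set standing in for the page's file filtering rules.
RULES = {
    "blocked_types": {"exe", "mdb", "accdb", "mpeg"},   # by true format
    "name_patterns": [re.compile(r"2008", re.I)],       # by file name
    "size_limits": {"bmp": 1_000_000},                  # by size, in bytes
}


def evaluate(filename, data, rules=RULES):
    """Return (verdict, reason) for one attachment; verdict is block or allow."""
    true_type = sniff(data)
    ext = extension(filename)
    if true_type in rules["blocked_types"]:
        return "block", f"content is {true_type} (extension .{ext})"
    if true_type != "unknown" and ext and ext not in EXPECTED_EXT.get(true_type, set()):
        return "block", f"extension .{ext} does not match {true_type} content"
    for pattern in rules["name_patterns"]:
        if pattern.search(filename):
            return "block", f"name matches /{pattern.pattern}/"
    limit = rules["size_limits"].get(true_type)
    if limit is not None and len(data) > limit:
        return "block", f"{true_type} of {len(data)} bytes exceeds {limit}"
    return "allow", true_type
```

The order of the checks matters: the format check runs first so that a blocked type cannot escape by changing its extension, the extension mismatch check catches other disguised files, and only then are the name and size rules consulted.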
When you create settings to control the use of any file, remember that some departments within your organization might need fewer constraints. For example, a marketing department might need large graphic files for advertising.

This feature is not available for the POP3 protocol.

Option definitions: Default File Filtering Settings (SMTP)

This information describes the options available on this page.

Order
    Displays the order in which the filters are applied. To change the order, click the icons in the Move column.
Rule Name
    Displays the rule name.
If Triggered
    Displays the action to take. Click the link to change the primary and secondary actions associated with the rule.
Create new filtering rule
    If clicked, opens a further window where you can specify the types of file you want to detect.
Change the default alert text
    If clicked, opens a further window where you can change the alert message that is issued after a detection.

Data Loss Prevention settings

Use this page to create a policy that assigns data loss prevention actions against the registered document categories.

Policies | Compliance | Data Loss Prevention

Benefits of using Data Loss Prevention (DLP)

You can restrict the flow of sensitive information sent in email messages by SMTP through the appliance using the Data Loss Prevention feature, for example by blocking the transmission of a sensitive document such as a financial report that is to be sent outside of your organization. Detection occurs whether the original document is sent as an attachment, or even as just a section of text taken from the original document.

Configuring DLP takes place in two phases:
    Registering the documents that you want to protect
    Setting the DLP policy to act on, and control, the detection (this topic)

If an uploaded registered document contains embedded documents, their content is also fingerprinted, so the combined content is used when calculating the percentage match at scan time. To have embedded documents treated individually, they must be registered separately.

Option definitions: Data Loss Prevention

Use this information to understand the controls available from within the Data Loss Prevention dialog box.

Yes, No, or Use the same settings as the default policy
    Select to activate the Data Loss Prevention policy settings.
Document match percentage
    The percentage of the original registered document that must be seen in order to trigger DLP. For example, if you register two documents, one with 100 pages of content and another with 10 pages, a setting of 30% requires 30 pages to match the 100-page document and just 3 pages to match the 10-page document. The algorithm involved in DLP is sophisticated and involves text normalization, common word removal, and signature generation, so these figures are a guideline only.
Number of consecutive signatures (advanced)
    Sets the number of sequential signatures that cause a trigger. For example, if you register two documents, one with 100 pages of content and another with 10 pages, use this feature to detect a small section of the original content, irrespective of the size of the original. An approximate guide is that 1 signature represents 8 words of text after common words have been removed.
Rules
    Select the box to show or hide the list of existing DLP rules. This list is empty until you set up categories for registered documents.
Create new rule
    Click the link to create a new data loss prevention rule based on the categories that you set in Registered Documents. This opens a dialog box that allows you to select one or more DLP categories.
Exclusions
    Select the box to show or hide the list of existing document exclusions.

Create document exclusion
    This list is empty until you register documents. Click the link to specify registered documents to exclude from this policy. This opens a dialog box that allows you to select one or more documents to be excluded from the rule.
If a Data Loss Prevention action results in an alert
    When selected, issues the default alert upon detection. When deselected, allows you to click the link, then change the text of the alert.

Task: Prevent a sensitive document from being leaked

Use this task to block sensitive financial documents from being sent outside your organization.

Before you begin
This example assumes that you have already created a Finance category.

Task
1 Select Policies | Compliance | Data Loss Prevention.
2 In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
3 Click Create new rule, select the Finance category, and click OK to have the category appear in the Rules list.
4 Select the action associated with the category, change the primary action to Deny connection (Block), and click OK.
5 Click OK again, and apply the changes.

Task: Block a section of the document

Use this task to block just a small section of the document from being sent outside your organization.

Task
1 Select Policies | Compliance | Data Loss Prevention.
2 In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.
3 Enable the consecutive signatures setting, and type the number of consecutive signatures against which the DLP policy will trigger a detection. The level is set to 10 by default.
4 Click Create new rule, select the Finance category, and click OK to have the category appear in the Rules list.
5 Select the action associated with the category, change the primary action to Deny connection (Block), and click OK.
6 Click OK again, and apply the changes.
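The two thresholds used by the tasks above, Document match percentage and Number of consecutive signatures, are easier to reason about with a concrete fingerprinting pass in front of you. The following is an added example, not McAfee code and not the appliance's algorithm (which this page does not publish): it normalizes text, drops common words, turns each run of 8 content words into a signature, and then reports, per registered document, the percentage of its signatures seen in a message and the longest run of consecutive matching signatures. The stop-word list, the sliding-window choice and the sample financial report are constructed for the example.

```python
"""Added example (not McAfee code): toy document fingerprinting for DLP.
Normalize, remove common words, hash 8-word windows, then compute the
percentage match and the longest consecutive run. Stop words, the
sliding-window choice and the sample text are constructed."""
import hashlib
import re

WORDS_PER_SIGNATURE = 8          # the page's "1 signature represents 8 words"
STOP_WORDS = {"the", "a", "an", "of", "to", "in", "on", "for", "and", "at",
              "by", "up", "from", "per", "while", "after", "is", "was"}


def content_words(text):
    """Lowercase alphanumeric tokens with common words removed."""
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOP_WORDS]


def signatures(text):
    """Ordered signatures, one per sliding window of 8 content words."""
    words = content_words(text)
    sigs = []
    for i in range(len(words) - WORDS_PER_SIGNATURE + 1):
        window = " ".join(words[i:i + WORDS_PER_SIGNATURE])
        sigs.append(hashlib.sha256(window.encode()).hexdigest()[:16])
    return sigs


def register(documents):
    """documents: {name: text} -> {name: set of signatures}."""
    return {name: set(signatures(text)) for name, text in documents.items()}


def match(registered, message_text):
    """Per document: (percentage of its signatures seen, longest consecutive run)."""
    msg_sigs = signatures(message_text)
    out = {}
    for name, doc_sigs in registered.items():
        seen = doc_sigs.intersection(msg_sigs)
        pct = 100.0 * len(seen) / len(doc_sigs) if doc_sigs else 0.0
        run = best = 0
        for sig in msg_sigs:
            run = run + 1 if sig in doc_sigs else 0
            best = max(best, run)
        out[name] = (pct, best)
    return out


def triggered(registered, message_text, match_pct=30.0, consecutive=10):
    """True when any registered document crosses either threshold (10 is the page's default)."""
    return any(pct >= match_pct or run >= consecutive
               for pct, run in match(registered, message_text).values())


# Constructed registered document.
FINANCE_REPORT = """Quarterly revenue rose to 4.2 million on strong demand for the
gateway appliance line, while operating margin improved to 18 percent. The board
approved a dividend of 12 cents per share payable in March. Headcount grew by forty,
mainly in engineering, and capital expenditure remained within the budget agreed at
the annual planning meeting. Cash reserves at period end stood at 9.7 million, up
from 8.1 million, after repayment of the bridging loan taken during the acquisition
of the Lisbon office."""

# A short passage lifted from the middle of the report: too little for a 30%
# match, but enough consecutive signatures to trigger the advanced setting.
EXCERPT = ("Headcount grew by forty, mainly in engineering, and capital expenditure "
           "remained within the budget agreed at the annual planning meeting. "
           "Cash reserves at period end")
```

The whole report pasted into a message matches 100%. The excerpt covers under a quarter of the report's signatures, so the percentage threshold alone would miss it, but its 11 consecutive signatures exceed the default of 10 and the consecutive-signature rule catches it; raise that setting and the excerpt passes again. Unrelated text of fewer than 8 content words produces no signatures at all.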
Task: Exclude a specific document from a policy

Use this task to prevent a specific financial document from triggering the DLP policy settings.

Task
1 Select Policies | Compliance | Data Loss Prevention.
2 In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.

3 Click Create document exclusion, select the document you want to ignore for this policy, and click OK.
4 Click OK again, and apply the changes.

Mail Size Filtering Settings

Use the Mail Size Filtering Settings to specify the maximum message size, attachment size, and number of attachments that can be scanned in any one message.

Policies | Compliance | Mail size filtering

Benefits of filtering messages based on their size or attachments

Scanning messages based on their size or attachments can help to alert you to potential denial-of-service attacks entering your gateway. This policy contains the following options: Message Size, Attachment Size, Attachment Count, Options.

The default policy values are normally suitable, but you might need another policy to allow the occasional transfer of large numbers of large messages, of large attachments within messages, or of many attachments within messages, or to investigate possible attacks.

Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert.

Option definitions: Mail Size Filtering Settings, Message Size

Use this page to specify how to handle large messages.

If the message size exceeds
    Specifies the limit. The default value is a message size of 100MB. Use the message size only as a guide: when encoded for transport (base64 expands binary content by a third before line breaks are added), a message can become 33% or more larger than its decoded content. To use the actual size of the message, select Decode parts for the purposes of size calculation from the Options tab.
(Menu)
    Provides the main action to take. The available options are:
        Deny connection (Block)
        Refuse the data and return an error code (Block)
        Accept and then drop the data (Block)
        Replace the content with an alert (Modify)
        Allow Through (Monitor)

And also
    Specify the secondary actions to take.
    Original options
        Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
        Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
    Notification options
        Deliver to the sender of the original: Send a notification message to the sender of the original message.
        Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
        Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
    Modified options
        Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
        Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
        Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
        Deliver to the sender of the original: Send the modified message back to the original sender.
Notification and annotated options
    Follow the link to configure the options for notification messages and annotated messages.
If attachments are replaced with an alert
    Select to use the default alert. Click change the default alert text to view or change this alert message.

Option definitions: Mail Size Filtering Settings, Attachment Size

Use this page to specify how to handle large attachments within messages.

Table 4-50 Option definitions: Specify a maximum attachment size

If an attachment size exceeds
    Specifies the limit. The default value is an attachment size of 32000KB (32MB). Use the attachment size only as a guide: when encoded as an attachment, a file can become up to 33% larger. To use the actual size of the attachments, select Decode parts for the purposes of size calculation from the Options tab.
(Menu)
    Provides the main action to take. The available options are:
        Deny connection (Block)
        Replace the content with an alert (Modify)
        Refuse the data and return an error code (Block)
        Allow Through (Monitor)
        Accept and then drop the data (Block)
And also
    Specify the secondary actions to take. The Original options (Quarantine; Annotate and deliver original to x lists), Notification options (Deliver to the sender of the original; Deliver to the recipient of the original; Deliver a notification to x lists) and Modified options (Quarantine; Forward modified to x lists; Annotate and deliver modified to x lists; Deliver to the sender of the original) are the same as those described for Message Size above. Where a quarantine queue or distribution list applies, you can select custom quarantine queues that you have created, and click Edit to select or create distribution lists.

Table 4-50 Option definitions: Specify a maximum attachment size (continued)

Notification and annotated options
    Follow the link to configure the options for notification messages and annotated messages.
If attachments are replaced with an alert
    Select to use the default alert. Click change the default alert text to view or change this alert message.

Table 4-51 Option definitions: Specify the maximum size of all attachments

If the size of all attachments exceeds
    Specifies the limit for the combined size of all attachments. The default value is a total size of 64000KB (64MB). Use the attachment size only as a guide: when encoded as an attachment, a file can become up to 33% larger. To use the actual size of the attachments, select Decode parts for the purposes of size calculation from the Options tab.
(Menu)
    Provides the main action to take. The available options are:
        Deny connection (Block)
        Refuse the data and return an error code (Block)
        Accept and then drop the data (Block)
        Replace all attachments with a single alert (Modify)
        Remove all attachments (Modify)
        Allow Through (Monitor)

Table 4-51 Option definitions: Specify the maximum size of all attachments (continued)

And also
    Specify the secondary actions to take. The Original options (Quarantine; Annotate and deliver original to x lists), Notification options (Deliver to the sender of the original; Deliver to the recipient of the original; Deliver a notification to x lists) and Modified options (Quarantine; Forward modified to x lists; Annotate and deliver modified to x lists; Deliver to the sender of the original) are the same as those described for Message Size above. Where a quarantine queue or distribution list applies, you can select custom quarantine queues that you have created, and click Edit to select or create distribution lists.
    Other actions
        Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
        Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
        Deliver message using encryption: Select to have the message delivered using the configured encryption settings.
Notification and annotated options
    Follow the link to configure the options for notification messages and annotated messages.
If attachments are replaced with an alert
    Select to use the default alert. Click change the default alert text to view or change this alert message.

Option definitions: Mail Size Filtering Settings, Attachment Count

Use this page to specify how to handle large numbers of attachments within messages.

If the attachment count exceeds
    Specifies the limit. The default value is an attachment count of 500.
(Menu)
    Provides the main action to take. The available options are:
        Deny connection (Block)
        Refuse the data and return an error code (Block)
        Accept and then drop the data (Block)
        Replace all attachments with a single alert (Modify)
        Remove all attachments (Modify)
        Allow Through (Monitor)

And also
    Specify the secondary actions to take. The Original options (Quarantine; Annotate and deliver original to x lists), Notification options (Deliver to the sender of the original; Deliver to the recipient of the original; Deliver a notification to x lists) and Modified options (Quarantine; Forward modified to x lists; Annotate and deliver modified to x lists; Deliver to the sender of the original) are the same as those described for Message Size above. Where a quarantine queue or distribution list applies, you can select custom quarantine queues that you have created, and click Edit to select or create distribution lists.
    Other actions
        Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
        Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
        Deliver message using encryption: Select to have the message delivered using the configured encryption settings.
Notification and annotated options
    Follow the link to configure the options for notification messages and annotated messages.
If attachments are replaced with an alert
    Select to use the default alert. Click change the default alert text to view or change this alert message.

Option definitions: Mail Size Filtering Settings, Options

Specify options relating to Mail Size Filtering.

Table 4-52 Option definitions: Options
Decode parts for the purposes of size calculation: When selected, McAfee Email Gateway decodes the attachments and other parts within messages so that their actual size can be calculated.

Compliance Settings

Use this page to create and manage compliance rules.

Policies | Compliance | Compliance

Benefits of the compliance settings

Use compliance scanning to assist with conformance to regulatory compliance and corporate operating compliance. You can choose from a library of predefined compliance rules, or create your own rules and dictionaries specific to your organization.

Compliance rules can vary in complexity, from a straightforward trigger when an individual term within a dictionary is detected, to building on and combining score-based dictionaries that only trigger when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can be combined using the logical operations any of, all of, or except.

Option definitions: Default Compliance Settings (SMTP)

This information describes the options available on this page.

Enable compliance: Select to activate the Compliance policy settings.
Rules: Lists the configured compliance rules.
Create new rule: Click to open a wizard that creates a new compliance rule.
Create new rule from template: Click to open a wizard that lists the predefined compliance rules.
If a compliance action results in an alert: When selected, issues the default alert upon detection. When deselected, allows you to click the link, then change the text of the alert.

Task: Block messages that violate a policy

Use this task to block messages that violate a threatening language policy.

Task
1 Select Policies | Compliance.
2 In the Default Compliance Settings dialog box, click Yes to enable the policy.
3 Click Create new rule from template to open the Rule Creation Wizard.
4 Select the Acceptable Use Threatening Language policy, and click Next.
5 Optionally change the name of the rule, and click Next.
6 Change the primary action to Deny connection (Block), and click Finish.
7 Click OK and apply the changes.

Task: Create a simple custom rule

Use this task to create a simple custom rule that blocks messages that contain social security numbers.

Task
1 Select Policies | Compliance.
2 In the Default Compliance Settings dialog box, click Yes to enable the policy.
3 Click Create new rule to open the Rule Creation Wizard.
4 Type a name for the rule, and click Next.
5 In the Search field, type social.
6 Select the Social Security Number dictionary, and click Next twice.
7 Select the Deny connection (Block) action, and click Finish.

Task: Create a complex custom rule

Use this task to create a complex rule that triggers when both Dictionary A and Dictionary B are detected, except when Dictionary C is also detected.

Task
1 Select Policies | Scanning Policies, and select Compliance.
2 In the Default Compliance Settings dialog box, click Yes to enable the policy.
3 Click Create new rule to open the Rule Creation Wizard.
4 Type a name for the rule, and click Next.
5 Select two dictionaries to include in the rule, and click Next.
6 In the exclusion list, select the dictionary that you want to exclude from the rule.
7 Select the action that you want to take place if the rule triggers.
8 From the And conditionally drop-down list, select All, and click Finish.

Task: Add a dictionary to a rule

Use this task to add a new dictionary to an existing rule.

Task
1 Select Policies | Compliance.
2 Expand the rule that you want to edit.
3 Select Add dictionaries.
4 Select the new dictionary that you want to include, and click OK.

Task: Create a rule to monitor or block at a threshold

For score-based dictionaries you might want to monitor triggers that reach a low threshold, and only block the email when a high threshold is reached.

Task
1 Select Policies | Compliance.
2 Click Create new rule, type a name for it such as Discontent Low, and click Next.
3 Select the Discontent dictionary, and in Threshold, type the threshold score.
4 Click Next, and Next again.
5 In If the compliance rule is triggered, accept the default action.
6 Click Finish.
7 Repeat steps 2 through 4 to create another new rule, but name it Discontent High and assign it a higher threshold.
8 In If the compliance rule is triggered, select Deny connection (Block).
9 Click Finish.
10 Click OK and apply the changes.

Task: Edit the threshold associated with an existing rule

Use this task to edit the threshold associated with an existing rule.

Before you begin
This task assumes that your rule includes a dictionary that triggers the action based on a threshold, such as the Compensation and Benefits dictionary.

Task
1 Select Policies | Compliance.
2 Expand the rule that you want to edit, then select the Edit icon next to the dictionary whose score you want to change.
3 In dictionary threshold, type the score on which you want the rule to trigger, and click OK.

Task: Restrict the score contribution of a dictionary term

Use this task to restrict the score contribution of a dictionary term.

Before you begin
This task assumes that your rule includes a dictionary that triggers the action based on a threshold score, such as the Compensation and Benefits dictionary.

You can restrict how many times a term can contribute to the overall score. For example, if testterm within a dictionary has a score of 10 and is seen five times within an email, it adds 50 to the overall score. Alternatively you can restrict this, for example to contribute only twice, by setting Maximum term count to 2.
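The score arithmetic, the Maximum term count cap and the any of / all of / except combination of dictionaries described in this section, as an added Python example (not McAfee's code and not the appliance's rule engine): it reproduces the testterm figures (50 uncapped, 20 with a cap of 2) and the Discontent Low / Discontent High pair of rules. Whole-word case-insensitive term matching, triggering when the score reaches the threshold, and the dictionary contents are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dictionary:
    """A compliance dictionary: each term carries a score per occurrence."""
    name: str
    terms: dict  # term -> score added for each occurrence

    def term_counts(self, text: str) -> dict:
        # Whole-word, case-insensitive matching is an assumption of this example.
        return {t: len(re.findall(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE))
                for t in self.terms}


@dataclass
class RuleEntry:
    """One dictionary inside a rule, with that rule's threshold and term cap."""
    dictionary: Dictionary
    threshold: int = 1                    # score at which this entry triggers
    max_term_count: Optional[int] = None  # cap on counted occurrences of one term

    def score(self, text: str) -> int:
        total = 0
        for term, hits in self.dictionary.term_counts(text).items():
            if self.max_term_count is not None:
                hits = min(hits, self.max_term_count)
            total += hits * self.dictionary.terms[term]
        return total

    def triggers(self, text: str) -> bool:
        return self.score(text) >= self.threshold  # "reaches the threshold"


@dataclass
class Rule:
    name: str
    include: list                                # RuleEntry objects
    condition: str = "any"                       # "any" = any of, "all" = all of
    exclude: list = field(default_factory=list)  # "except": entries that suppress
    action: str = "Allow Through (Monitor)"

    def matches(self, text: str) -> bool:
        hits = [e.triggers(text) for e in self.include]
        matched = all(hits) if self.condition == "all" else any(hits)
        return matched and not any(e.triggers(text) for e in self.exclude)


def evaluate(rules, text):
    """Names and actions of every rule that fires, in configured order."""
    return [(r.name, r.action) for r in rules if r.matches(text)]


# Constructed dictionaries (not the appliance's real dictionary library).
TEST = Dictionary("Test", {"testterm": 10})
DISCONTENT = Dictionary("Discontent", {"unfair": 10, "quit": 10, "hate": 20})
COMPENSATION = Dictionary("Compensation and Benefits", {"salary": 10, "bonus": 10})
CONFIDENTIAL = Dictionary("Confidential", {"confidential": 10})
HR_APPROVED = Dictionary("HR Approved", {"approved by hr": 10})


def testterm_scores(text: str = "testterm " * 5):
    """The guide's figures: five hits add 50; Maximum term count 2 leaves 20."""
    return (RuleEntry(TEST).score(text),
            RuleEntry(TEST, max_term_count=2).score(text))


# Discontent Low monitors at a low threshold, Discontent High blocks at a high one;
# the third rule is "all of A and B, except when C is also present".
RULES = [
    Rule("Discontent Low", [RuleEntry(DISCONTENT, threshold=10)]),
    Rule("Discontent High", [RuleEntry(DISCONTENT, threshold=30)],
         action="Deny connection (Block)"),
    Rule("Confidential pay data",
         [RuleEntry(COMPENSATION, 10), RuleEntry(CONFIDENTIAL, 10)],
         condition="all", exclude=[RuleEntry(HR_APPROVED, 10)],
         action="Deny connection (Block)"),
]

if __name__ == "__main__":
    print(testterm_scores())                                        # (50, 20)
    print(evaluate(RULES, "This policy is unfair."))                # Low only
    print(evaluate(RULES, "I hate this unfair place and I quit."))  # Low and High
    print(evaluate(RULES, "Confidential salary and bonus figures attached."))
    print(evaluate(RULES, "Confidential salary and bonus figures, approved by HR."))
```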

Task
1 Select Policies | Compliance.
2 Expand the rule that you want to edit, then click the Edit icon next to the dictionary whose score you want to change.
3 In Maximum term count, type the maximum number of times that you want a term to contribute to the score.

Image Filtering

The Image Filtering scanner analyzes images to determine attributes that indicate the image may be of a pornographic nature.

Policies | Compliance | Image filtering

The Image Filtering feature uses sophisticated analytical processes that consist of thousands of algorithms. These include eleven different detection methods to provide enough information to reliably distinguish between pornographic and non-pornographic images. The feature uses the following techniques:
  Converts the image to BGR format
  Multi-layer detection algorithms
  Advanced surface luminosity curvature analysis
  Negative Curvature Rejection, which reduces false positives
  Face detection and body part composition analysis

Benefits of image filtering

This information describes the benefits associated with setting up image filtering on the appliance.

Detecting potentially pornographic material enables you, as an administrator, to enforce acceptable use policies around image content leaving and entering your company, and to monitor and block any deliberate or inadvertent infractions of your policy.

Option definitions: Image Filtering

This information describes the options available in the Image Filtering policy.

Table 4-53 Option definitions: Higher Image Detection Threshold
Detection threshold: Choose from Highly Suspect, Suspect, and Custom. Set to Highly Suspect by default. Select Custom to set the Confidence level.
Confidence level: In %, the level of confidence that an image is pornographic against each detection. Set to 75% by default.
Take the following action: Provides the main action to take. The options are:
  Deny connection (Block)
  Replace the content with an alert (Modify)
  Refuse the data and return an error code (Block)
  Allow Through (Monitor)
  Accept and then drop the data (Block)

Table 4-53 Option definitions: Higher Image Detection Threshold (continued)
And also: Specify the secondary actions to take.

  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to sender: Deliver the original message to the sender.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Modified options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
    Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
    Deliver to the sender of the original: Send the modified message back to the original sender.

  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
    Deliver message using encryption: Select to have the message delivered using the configured encryption settings.

Notification and annotated options: When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.

Table 4-54 Option definitions: Lower Image Detection Threshold
Detection threshold: Choose from Highly Suspect, Suspect, and Custom. Set to Suspect by default. Select Custom to set the Confidence level %.
Confidence level: In %, the level of confidence that an image is pornographic against each detection. Set to 50% by default.
Take the following action: Provides the main action to take. The options are:
  Deny connection (Block)
  Replace the content with an alert (Modify)
  Refuse the data and return an error code (Block)
  Allow Through (Monitor)
  Accept and then drop the data (Block)
And also: Specify the secondary actions to take.

  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Other actions
    Deliver message using encryption: Select to have the message delivered using the configured encryption settings.

Notification and annotated options: When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.

Table 4-55 Option definitions: Alert Settings
If an action results in an alert: Select to specify whether to use the default alert text or not.
Change the default alert text: Click to open the Alert Editor.

Task: Block and quarantine highly suspicious images

Use this task to block and quarantine highly suspicious images.

Task
1 Go to Policies.
2 In the Compliance policy section, select Image Filtering.

3 Click Yes to enable the Image Filtering policy.
4 In the Higher Image Detection Threshold section, select the Accept and then drop the data (Block) action.
5 In And also, select Quarantine. Quarantined messages can be viewed in the Message Search feature (Reports | Message Search), in the Image Filtering category.

Task: Monitor suspicious images and notify an administrator

Use this task to monitor suspicious images and notify an administrator.

Task
1 Go to Policies.
2 In the Compliance policy section, select Image Filtering.
3 Click Yes to enable the Image Filtering policy.
4 In the Lower Image Detection Threshold section, select the Allow Through (Monitor) action.
5 In And also, select the Forward modified to... notification option. The message is sent to any lists you have created.
  a To change the recipients who will receive the forwarded message, click Edit. The Recipients dialog box opens.
  b Select the lists that you want to receive the message, and click OK.
6 Click OK to activate the policy.

Signed or encrypted content

Specify how you want McAfee Email Gateway to handle content that is signed, encrypted, signed and encrypted, or in plain text.

Policies | Compliance | Signed or encrypted content

Benefits of the Encrypted Content Settings options

Find out more about the types of signed or encrypted content settings, and the actions that you can take when that type of content is detected.

The Encrypted Content Settings options are divided into the following categories:
  Signed Content
  Encrypted Content
  Signed and Encrypted Content
  Plaintext Content
For each category, you can choose a primary action to take when that type of content is detected, and optionally choose a secondary action. Additionally, you can set notification and alert actions.

Option definitions: Signed or encrypted content

Define how you want the encryption settings to work when signed or encrypted content is detected.

Table 4-56 Option definitions: Signed Content
When content that is signed but not encrypted is detected: Select the primary action that you want the appliance to take in this circumstance. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Allow the changes to break the signed email (Monitor)
  Do not allow the changes to break the signed email (Monitor)
  Replace the content with an alert (Modify)
  Reroute to an alternative relay (Reroute)
And also: Specify the secondary actions to take.

  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients.
    Deliver message using encryption: Select to have the message delivered using the configured encryption settings.

Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
Alert Settings: Select to use the default alert, or follow the link to make changes to the alert text.

Table 4-57 Option definitions: Encrypted Content
When content that is encrypted but not signed is detected: Select the primary action that you want the appliance to take in this circumstance. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Replace the content with an alert (Modify)
  Reroute to an alternative relay (Reroute)
  Allow Through (Monitor)
And also: Specify the secondary actions to take.

  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
    Deliver message using encryption: Select to have the message delivered using the configured encryption settings.

Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
Alert Settings: Select to use the default alert, or follow the link to make changes to the alert text.

Table 4-58 Option definitions: Signed and Encrypted Content
When content that is both signed and encrypted is detected: Select the primary action that you want the appliance to take in this circumstance. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Allow the changes to break the signed email (Monitor)
  Do not allow the changes to break the signed email (Monitor)
  Replace the content with an alert (Modify)
  Reroute to an alternative relay (Reroute)
And also: Specify the secondary actions to take.

  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients.
    Deliver message using encryption: Select to have the message delivered using the configured encryption settings.

Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
Alert Settings: Select to use the default alert, or follow the link to make changes to the alert text.

Table 4-59 Option definitions: Plaintext Content
When content that is neither signed nor encrypted is detected: Select the primary action that you want the appliance to take in this circumstance. The available options are:
  Deny connection (Block)
  Refuse the data and return an error code (Block)
  Accept and then drop the data (Block)
  Replace the content with an alert (Modify)
  Reroute to an alternative relay (Reroute)
  Allow Through (Monitor)
And also: Specify the secondary actions to take.

  Original options
    Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed. This includes custom quarantine queues that you have created.
    Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Notification options
    Deliver to the sender of the original: Send a notification message to the sender of the original message.
    Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
    Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.

  Other actions
    Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
    Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients.
    Deliver message using encryption: Select to have the message delivered using the configured encryption settings.

Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
Alert Settings: Select to use the default alert, or follow the link to make changes to the alert text.

Classifying embedded URLs

McAfee Global Threat Intelligence (McAfee GTI) performs lookups on URLs that are embedded in email messages.

Policies | Compliance | URL reputation | URL Reputation

McAfee GTI provides reputation scores to the URL reputation database. Use the reputation scores to configure actions for suspected security risks. The URL blacklists and whitelists affect the URL reputation scans. The URL reputation score has no appreciable effect on the overall score for the message.

Benefits of classifying embedded URLs

Classifying any embedded URLs within messages sent into your organization helps prevent your users from visiting internet sites that may host malware or other undesirable content.

Email messages can contain links to embedded URLs. Some of these links may be to sites with low reputation scores. By using your McAfee Email Gateway to classify these URLs, you help protect your organization from the effects of people following these links.

You can enable URL reputation scanning when you run the Setup Wizard, or you can do it after initial setup. The URL database is not available until you enable URL reputation scans. URL scanning appears as a component of the Compliance features on the Policies page. The database appears under System | Component Management | Update Status.

Option definitions: Default URL properties settings

Configure the properties settings to determine how McAfee Email Gateway processes URL reputation scans.

Table 4-60 URL reputation options
Enable URL reputation: Select the proper radio button to enable or disable URL scanning.

Higher URL reputation threshold
  Detection threshold: Select the threshold level. Options are: Highly suspect, Suspect, Custom.
  Confidence level: This field is pre-populated with the proper score to trigger the higher threshold.
  Take the following action: Select the preferred action from the drop-down list.
  And also: If necessary, select one or more secondary actions from the scrolling menu.
  Notification and annotated options: Click this link to configure default notifications and alerts.

Lower URL reputation threshold
  Detection threshold: Select the threshold level. Options are: Highly suspect, Suspect, Custom.
  Confidence level: This field is pre-populated with the proper score to trigger the lower threshold.
  Take the following action: Select the preferred action from the drop-down list.
  And also: If necessary, select one or more secondary actions from the scrolling menu.
  Notification and annotated options: Click this link to configure default notifications and alerts.

Table 4-60 URL reputation options (continued)
Alert settings
  If an action results in an alert (change the default alert text): Select the checkbox to generate the default alert. Click the link to change the text in the default alert.

Task: Configure URL reputation settings

Use this page to set up parameters for detecting embedded URLs and taking action on them.

Before you begin
To detect embedded URLs in messages, enable URL reputation scanning.

Task
1 Navigate to Policies. The Policies page opens, showing all currently configured policies and the evaluation order.
2 Select your protocol from the drop-down list.
3 Under the Compliance column, select the URL reputations link. The Default URL Reputation Settings page opens.
4 If URL reputation scanning is not already enabled, click the Yes radio button.
5 Select the URL Reputation tab.
6 Configure the Higher URL Threshold.
  a Select the threshold designation from the drop-down list.
  b Verify the confidence level.
  c Select the primary action for URLs that trigger the higher threshold.
  d Select any secondary actions, if required.
  e Set notification and alert options associated with the higher threshold.
7 Configure the Lower URL Threshold.
  a Select the threshold designation from the drop-down list.
  b Verify the confidence level.
  c Select the primary action for URLs that trigger the lower threshold.
  d Select any secondary actions, if required.
  e Set notification and alert options associated with the lower threshold.
8 [Optional] Enable Alert Settings.
9 Click OK. The Default URL Reputation Settings page closes, and the URL reputations link shows the primary action.

URL reputation Blacklists and Whitelists

Configuring blacklists and whitelists for URL classification enables you to fine-tune how McAfee Email Gateway handles different URLs.

Policies | Compliance | URL reputation | Blacklists and Whitelists

Benefits of using URL reputation blacklists and whitelists

The blacklists and whitelists feature provides a method for handling specific URLs. Whitelisting allows through URLs that would otherwise be blocked by the URL reputation service. Blacklisting blocks URLs regardless of their reputation scores.

If you know that a particular URL is not trustworthy, add it to the blacklist. When a URL reputation scan detects this URL, it takes your specified action immediately. On the other hand, if you know specific URLs that are always trusted, add them to the whitelist; the URL scan does not take action on them. In both cases, URL scans execute more efficiently. Blacklisting takes precedence over whitelisting.

Parts of the URL

A URL consists of a number of characteristic parts. The following table reflects these sample URLs:
ftp://user:1234@ftp.domain.com:2021/docs/data.rtf;type=a

Table 4-61 URL format
Part | Format | Example | Parsing string
Scheme | Protocol | ftp:// | Ends at '*://'
Credentials | User name and password | user:1234 | Starts after '*://'. Ends at '@'
Host | Consists of one of the following: domain name, IPv4 address, IPv6 address (square brackets are required). Can also include the TCP port | ftp.domain.com:2021 | Starts after '*://', '@' or nothing. Ends at '/', '?', '#' or end of string
Path | index.php | docs/data.rtf | Starts after '*/'. Ends at '?' or '#' or end of string
Type (only for FTP URLs) | Transfer type (added to path) | type=a | Starts after path, begins with ';'. Ends at end of string

Table 4-61 URL format (continued)

Query (not valid for FTP URLs): supplies parameters to the server. Example: id=5678 (starts after '?'; ends at '#' or end of string).
Anchor (not valid for FTP URLs): specifies a location within the document. Example: para1 (starts after '#'; ends at end of string).

Using expressions

Global Threat Intelligence tests URLs found in emails against regular expressions to determine whether the URL is allowed or forbidden to enter the system. McAfee Email Gateway lets you specify patterns for the individual parts of the URL and then compiles these parts into a single regular expression that matches a complete URL. If you do not enter a value for a part, the compiled expression matches anything or nothing for that part. You must enter a value for the Host part: a recognizable URL must have, at a minimum, a host name.

You can specify parts either as simple DOS patterns or as regular expressions.

Simple patterns

Simple patterns require much less input than regular expressions, but offer much less flexibility. You can use two wildcards:
- '?' matches a single character
- '*' matches any run of characters

Certain matches are not possible with simple patterns:
- In the Host field, '*' does not match '.' by design, to prevent unwanted matches. A host pattern whose '*' stands in for one label therefore does not match a host that has further dot-separated labels in that position.
- You cannot match alternates, such as port 8080 or another port.
- You cannot match only IPv4 addresses.

Matching patterns like these requires regular expressions.

Regular expressions

Specifying the URL parts of interest as regular expressions overcomes the restrictions of simple patterns, for example:

www\.mcafee\.(?:com|co\.uk)
(?:[12]?\d{1,2}\.){3}[12]?\d{1,2}

On the URL Expression Builder, each text field is a separate regular expression that follows Perl Compatible Regular Expression (PCRE) syntax, and each field is validated as a regular expression. Regular expressions offer greater flexibility, but they are more complex than simple patterns.

Apart from Host, you can leave every field empty; the generated regular expression then matches anything that sufficiently resembles a URL with a matching host.
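To make the composition rules above concrete, here is an added Python example (not the appliance's own code) that builds one full-URL regular expression from per-part fields in the way the URL Expression Builder is described: simple DOS patterns are translated so that '*' in Host never crosses a dot, regex fields are rejected if they carry their own anchors, empty fields match "anything or nothing" by using the negated character classes this section recommends instead of '.*', and Host is required. The exact per-part delimiter classes, the case handling of Host, and the blacklist-first classify() helper are assumptions drawn from the text, not a copy of the product's implementation.

```python
import re

# URL parts in order (Table 4-61) and the single-character class each may contain.
# Each class stops at the delimiter that begins the next part, which is what the
# guide's advice to prefer '[^@]', '[^:/\?#]', '[^\?#]' and '[^#]' over '.*' achieves.
PARTS = ("scheme", "credentials", "host", "port", "path", "query", "anchor")
CHAR = {
    "scheme": r"[a-zA-Z0-9+.-]", "credentials": r"[^@/?#]", "host": r"[^:/?#]",
    "port": r"\d", "path": r"[^?#]", "query": r"[^#]", "anchor": r".",
}
HOST_LABEL_CHAR = r"[^.:/?#]"   # in Host, '*' and '?' never match '.', by design
# Positional matches a field must not contain: '^' outside a character class, '$', \A, \Z, \z.
ANCHOR_RE = re.compile(r"(?<![\[\\])\^|(?<!\\)\$|(?<!\\)\\[AZz]")


def simple_to_regex(part: str, pattern: str) -> str:
    """DOS-style pattern to regex: '?' is one character, '*' any run, anything else literal."""
    one = HOST_LABEL_CHAR if part == "host" else CHAR[part]
    return "".join(one + "*" if c == "*" else one if c == "?" else re.escape(c)
                   for c in pattern)


def check_regex(part: str, pattern: str) -> str:
    """A regex field must compile on its own and must not carry its own anchors."""
    if ANCHOR_RE.search(pattern):
        raise ValueError(f"{part}: anchors are not allowed; the whole URL is matched")
    re.compile(pattern)          # raises re.error for an invalid expression
    return pattern


def compile_url_expression(fields: dict, regex: bool = False, match_case: bool = False):
    """Combine per-part fields into one regex for a complete URL.

    An empty field matches anything or nothing for that part; Host is required, as in the
    URL Expression Builder. Host is always matched case-insensitively (assumption, since the
    Match Case option names only credentials, path, query and anchor); the other parts follow
    the match_case setting."""
    if not fields.get("host"):
        raise ValueError("a Host value is required")
    convert = check_regex if regex else simple_to_regex
    sub = {p: convert(p, fields[p]) if fields.get(p) else CHAR[p] + "*" for p in PARTS}
    expr = (rf"(?:(?:{sub['scheme']})://)?(?:(?:{sub['credentials']})@)?(?i:{sub['host']})"
            rf"(?::(?:{sub['port']}))?(?:/(?:{sub['path']}))?"
            rf"(?:\?(?:{sub['query']}))?(?:#(?:{sub['anchor']}))?")
    return re.compile(expr, 0 if match_case else re.IGNORECASE)


def classify(url: str, blacklist, whitelist) -> str:
    """Blacklist takes precedence over whitelist; a whitelisted URL skips the reputation scan."""
    if any(rx.fullmatch(url) for rx in blacklist):
        return "block"
    if any(rx.fullmatch(url) for rx in whitelist):
        return "allow"
    return "reputation-scan"


if __name__ == "__main__":
    # Constructed sample rules: block www.mcafee.<anything>, allow every other mcafee.com host.
    blacklist = [compile_url_expression({"host": "www.mcafee.*"})]
    whitelist = [compile_url_expression({"host": "*.mcafee.com"})]
    for u in ("http://www.mcafee.com/", "http://docs.mcafee.com/x", "http://example.org/"):
        print(u, "->", classify(u, blacklist, whitelist))
```

Because the builder matches the whole URL itself, a user-supplied '^' or '$' would only break the composed expression, which is why the check_regex step refuses them; a '^' that negates a character class such as '[^:/?#]' is still accepted.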

You must remember to escape characters that have significant meaning in a regular expression. These characters are:

\ . [ ] { } ( ) ^ $ | + ? *

You must not use positional matches, otherwise known as anchors, in regular expressions. Examples of anchors are '^', '$', '\A' and '\z'.

Anyone who wants to use regular expressions in this feature should already be comfortable with them, because of their complexity.

If you want to specify a regular expression that matches any number of characters, avoid using '.*' or '.+' as the expression. Either is likely to match more characters than you intend and results in less efficient pattern matching. Instead, use a negated character class that stops at the delimiter of the next URL part:
- Credentials: '[^@]' (anything except '@')
- Host: '[^:/\?#]' (anything except ':', '/', '?' and '#')
- Path: '[^\?#]' (anything except '?' and '#')
- Query string: '[^#]' (anything except '#')

When you use these patterns, the match stops at the next part of the URL. The best approach when constructing regular expressions is to use the URL parser tool, which is regex-aware and does the necessary escaping for you.

Option definitions: URL reputation blacklists and whitelists

Blacklists and whitelists enable you to fine-tune the list of URLs that McAfee Email Gateway blocks or allows.

Table 4-62 Blacklist and whitelist options

URLs that should always be blocked: the upper table shows all URLs currently configured to be blacklisted.
- Search: type any portion of the URL as a search parameter. Applies to the Description and Pattern columns.
- Type: simple pattern or regular expression.
- Description: any descriptive text that identifies the URL.
- Pattern: the entire regular expression (all fields concatenated). Simple patterns show '*' for any unspecified parts; regular expressions show the entire pattern.
- Match Case: indicates whether the regular expression evaluates the URL case-sensitively.
- Edit: opens the URL Expression Builder, where you can edit this URL.
- Add Simple Pattern: opens the URL Expression Builder to add a URL by entering a simple DOS pattern.
- Add Regular Expression: opens the URL Expression Builder to add a URL by entering a regular expression.
- Delete Selected Patterns: deletes any patterns you have checked in this table.

URLs that should always be allowed: the lower table shows all URLs currently configured to be whitelisted.
- Search: type any portion of the URL as a search parameter. Applies to the Description and Pattern columns.

Table 4-62 Blacklist and whitelist options (continued)

- Type: simple pattern or regular expression.
- Description: any descriptive text that identifies the URL.
- Pattern: the entire regular expression (all fields concatenated). Simple patterns show '*' for any unspecified parts; regular expressions show the entire pattern.
- Match Case: indicates whether the regular expression evaluates the URL case-sensitively.
- Edit: opens the URL Expression Builder, where you can edit this URL.
- Add Simple Pattern: opens the URL Expression Builder to add a URL by entering a simple DOS pattern.
- Add Regular Expression: opens the URL Expression Builder to add a URL by entering a regular expression.
- Delete Selected Patterns: deletes any patterns you have checked in this table.

Task: Configure blacklists and whitelists

Follow this process to configure blacklists and whitelists for embedded URLs.

Before you begin: to use URL blackl1isting and whitelisting, enable McAfee Global Threat Intelligence.

Task
1 Navigate to Policies. The Policies page opens, showing all currently configured policies and their evaluation order.
2 Select your protocol from the drop-down list.
3 Under the Compliance column, select the URL reputation link. The Default URL Reputation Settings page opens.
4 If URL reputation scanning is not already enabled, click the Yes radio button.
5 Select the Blacklists and Whitelists tab. The page displays tables of URLs that should always be blocked or always be allowed.
6 To add a URL to either list:
  a Click the Add Simple Pattern button or the Add Regular Expression button. The URL Expression Builder page appears.
  b In the data fields, type the required information.
  c Repeat until you have added all the URLs you want.
7 To delete a URL from either list, select the Delete check box associated with the URL.
8 [Optional] To parse a URL into its component parts:
  a Click the Parse a URL link on the URL Expression Builder page. The URL Parser dialog box opens.

  b Type or paste the URL into the data field, then click OK. The URL Parser closes, and the component parts of the URL populate the URL Expression Builder.
9 [Optional] To encode or decode a URL:
  a Click the URL encode/decode link on the URL Expression Builder page. The URL Encode/Decode dialog box opens.
  b Type or paste a URL fragment into the data field. Encode only individual path segments and individual terms; do not encode the entire path or multiple segments at the same time.
  c To encode the fragment to its canonical representation (a %-encoded sequence), click the Encode button. The encoded fragment appears in the data field.
  d To decode a %-encoded fragment into readable form, click the Decode button. The decoded fragment appears in the data field.
  e To convert an improperly or partially encoded sequence into its canonical representation, click the Canonicalize button. The canonical representation of the sequence appears in the data field.
  f Close the dialog box. You return to the URL Expression Builder.
10 Click OK. The URL Expression Builder closes, returning you to the Default URL Reputation Settings page, which shows the results of your additions, edits, or deletions.
11 Save your changes before you log off.
12 Click OK.

Option definitions: URL Expression Builder

Use this page to add a URL by entering either a simple DOS pattern or a regular expression. Specify only the parts you want to match.

Table 4-63 URL expression options

- Description: text that helps to define or identify the URL (optional).
- Scheme: the protocol.
- Credentials: user name and password.
- Host: one of a domain name, an IPv4 address, or an IPv6 address (square brackets are required).

Table 4-63 URL expression options (continued)

- Port: TCP port.
- Path: the path part of the URL, which starts after the first '/' following the host.
- Query string: supplies parameters to the server. Not relevant for FTP URLs.
- Named anchor: specifies a location within the document. Not relevant for FTP URLs.
- Match the credentials, path, query string and named anchor case sensitively: selecting this check box causes McAfee GTI to match the URL case-sensitively. If you leave it unchecked, whatever you type in the text fields is converted to lower case when you click OK.
- Compiled regular expression: this dynamic table shows the regular expression you create as you enter one or more parts.
- Test a URL: a data field where you can type or paste a URL to test it against the regular expression. Icons indicate whether the URL matches.
- Tools: Parse a URL: a link that opens an additional dialog box where you can paste or type a URL and have it parsed into its component parts. If you click OK in this dialog, the URL populates the fields in the URL Expression Builder. The URL is not validated.

Parsing URLs

The URL Expression Builder includes a link that allows you to parse a URL into its component parts. The parsed URL populates the appropriate fields on the page.

URL normalization

Certain characters, such as '/', '?' and '#', serve as delimiters in the URL. Other characters, such as control codes, are not printable. When they are used in the Credentials, Path, Query string or Named anchor fields, these characters must be escaped by encoding them as '%' followed by their hexadecimal ASCII value. For example, '=' must be represented as %3D so that it is not misinterpreted as a key/value separator in the Query string. The ASCII characters A-Z, a-z, 0-9 and the punctuation characters - . _ ~ never need to be escaped. Characters outside the ASCII range must be represented by the %-encoding of their UTF-8 byte values; for example, the € character is encoded as %E2%82%AC.

Attackers can manipulate the %-encoding rules to obfuscate the URL. Manipulations include:
- Escaping characters that do not need to be escaped, to make part of the URL unreadable to humans. An example is the sequence %2E%2E%2F in the path, which decodes to '../'.
- Not escaping characters that should be escaped. For example, the glyph for the Unicode character U+2215, DIVISION SLASH, looks identical to an ASCII '/' character. Used unescaped in the path, it is indistinguishable from a regular path separator. This is called a homograph attack.

To overcome any issues from ambiguous representation, URLs found in emails are normalized by decoding the individual parts and reapplying the %-encoding so that it strictly complies with the encoding rules in RFC 3986, Uniform Resource Identifier (URI): Generic Syntax. The path is further normalized so that '.' (current directory) and '..' (directory above the current directory) segments are removed. For example, /a/b/../c is normalized to the equivalent /a/c.
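The normalizations this section describes, together with the address and IDN normalizations in the passages that follow, as an added Python example (not the appliance's code): percent-encoding is reapplied per RFC 3986 with uppercase hex, '.' and '..' segments are removed (so an obfuscated %2E%2E behaves like a literal '..'), IPv4 variants collapse to a.b.c.d, IPv6 literals to their compact uppercase form, and domain labels are ACE-decoded and passed through Nameprep (RFC 3491) so that μ (U+03BC) and µ (U+00B5) compare equal. The safe-character sets, the treatment of an encoded %2F inside a segment (kept escaped rather than promoted to a delimiter), and the sample URLs are assumptions and constructed inputs, not statements from this page.

```python
import ipaddress
import re
from encodings.idna import nameprep                        # RFC 3491 Nameprep, stdlib
from urllib.parse import quote_from_bytes, unquote_to_bytes, urlsplit, urlunsplit

# RFC 3986: unreserved characters are never escaped (quote_from_bytes also leaves A-Z, a-z,
# 0-9 alone); sub-delims plus ':' and '@' may appear unescaped inside a path segment.
UNRESERVED = "-._~"
SUB_DELIMS = "!$&'()*+,;="
SEGMENT_SAFE = UNRESERVED + SUB_DELIMS + ":@"
TERM_SAFE = UNRESERVED + "!$'()*+,;" + ":@/?"   # one query key or value: '&' and '=' stay escaped
USERINFO_SAFE = UNRESERVED + SUB_DELIMS          # ':' separates user and password, so escape it inside either

# One inet_aton-style IPv4 part: hex with 0x prefix, octal with a leading 0, or decimal.
_V4_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def canonicalize(part: str, safe: str) -> str:
    """Decode whatever the sender encoded, then re-escape only what RFC 3986 requires,
    with uppercase hex. This is the Canonicalize operation applied to one fragment."""
    return quote_from_bytes(unquote_to_bytes(part), safe=safe)


def normalize_path(path: str) -> str:
    """Canonicalize each segment, then remove '.' and '..' segments (RFC 3986 5.2.4)."""
    absolute = path.startswith("/")
    out = []
    for segment in (path[1:] if absolute else path).split("/"):
        raw = unquote_to_bytes(segment)
        if raw == b".":                 # current directory: drop
            continue
        if raw == b"..":                # parent directory: pop, but never above the root
            if out:
                out.pop()
            continue
        out.append(quote_from_bytes(raw, safe=SEGMENT_SAFE))
    return ("/" if absolute else "") + "/".join(out)


def normalize_query(query: str) -> str:
    """Canonicalize each key and value separately; an '=' inside a value stays %3D."""
    terms = []
    for term in query.split("&"):
        key, sep, value = term.partition("=")
        terms.append(canonicalize(key, TERM_SAFE) + sep + canonicalize(value, TERM_SAFE))
    return "&".join(terms)


def normalize_ipv4(host: str):
    """Collapse the 1-to-4-part decimal/octal/hex forms to a.b.c.d, or None if not an address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_V4_PART.match(p) for p in parts):
        return None
    nums = [int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if len(p) > 1 and p[0] == "0"
            else int(p) for p in parts]
    *head, last = nums                  # the last number fills all remaining bytes
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def normalize_host(host: str) -> str:
    """IPv6 to compact uppercase in brackets, IPv4 variants to dotted decimal, and domain
    labels ACE-decoded then Nameprep'd so that homographs compare equal."""
    if ":" in host:                                           # only IPv6 literals contain ':'
        try:
            return "[" + ipaddress.IPv6Address(host.strip("[]")).compressed.upper() + "]"
        except ValueError:
            return host
    dotted = normalize_ipv4(host)
    if dotted:
        return dotted
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")      # ACE form back to Unicode
        labels.append(nameprep(label))                        # case-fold, NFKC, µ -> μ
    return ".".join(labels)


def normalize_url(url: str) -> str:
    """Apply every normalization above to one URL before any blacklist/whitelist match."""
    p = urlsplit(url)
    netloc = ""
    if p.username is not None:
        netloc += canonicalize(p.username, USERINFO_SAFE)
        if p.password is not None:
            netloc += ":" + canonicalize(p.password, USERINFO_SAFE)
        netloc += "@"
    netloc += normalize_host(p.hostname or "")
    if p.port is not None:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme.lower(), netloc, normalize_path(p.path),
                       normalize_query(p.query), canonicalize(p.fragment, SEGMENT_SAFE + "/?")))
```

Run normalize_url() on both a blacklist candidate and the URL you expect to match it; if the two normalized strings differ, the pattern needs to be written against the normalized form, which is also what the encode/decode tool's Canonicalize button shows for a single fragment.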

Address normalization

Instead of a domain name in the host field, a URL may contain an IP address. An IPv4 address may be represented in many different ways, all of which offer an attacker opportunities to obscure the host that a URL points to. As well as the familiar a.b.c.d format, where a, b, c and d are base-10 numbers in the range 0-255, an IPv4 address may be written as 1 to 4 numbers, each of which may be expressed in base 10, octal (base 8) or hexadecimal (base 16). It is not at all obvious, for example, that a host written as a single decimal integer, as four octal numbers, or as hexadecimal numbers points to the same resource as its dotted-decimal form. When testing URLs found in emails, all variant representations of IPv4 addresses are normalized to the a.b.c.d format.

IPv6 addresses have stricter rules for representation within a URL. However, the same address can vary in its representation depending on how empty quads are displayed and how many leading zeroes are used. Therefore, IPv6 addresses are normalized to their most compact form, with hexadecimal values in uppercase.

International Domain Names (IDNs)

Some domain registrars allow Unicode characters in domain names that are registered with them. These domain names are presented to humans in human-readable form but must be encoded into ASCII form when, for example, they are resolved through DNS. The domain name normalization rules and the ASCII encoding algorithm are specified in RFC 3490, Internationalizing Domain Names in Applications (IDNA). An example of an IDN is méxico.icom.museum; its ASCII encoding is xn--mxico-bsa.icom.museum. The xn-- ACE (ASCII Compatible Encoding) prefix denotes an encoded label.

When an IDN is encountered in its encoded form, it is decoded to its human-readable Unicode form. This decoding may fail if the encoded URL fails a TLD check: Top Level Domain (TLD) registrars who accept IDNs limit the Unicode characters that they will allow.

For example, the .no (Norway) TLD only allows Unicode characters that are part of the Norwegian alphabet. If the decoding fails, the domain name is left in its encoded form, with a warning message stating why the decoding failed.

If an IDN is encountered in its Unicode form, it is normalized. Without normalization, IDNs are subject to homograph attacks. For example, if a URL whose host contains μ (U+03BC, GREEK SMALL LETTER MU) were blacklisted, an attacker might try to circumvent this by replacing it with µ (U+00B5, MICRO SIGN). According to the IDN rules these domain names are identical and encode to the same ASCII form, hxakkrmio1b.gr, but a simple string match would not detect that the URLs were identical. Therefore, Unicode names are normalized by applying the Nameprep algorithm (RFC 3491, as used by RFC 3490), which disambiguates visually identical string values.

URL encoding and decoding

Because URLs are canonicalized before they are checked against the blacklists and whitelists, it may be unclear what you should enter to match a given value. The URL encode/decode tool provides a text field into which you can paste a string and either encode it to give its canonical representation or decode it so that you can see what a %-encoded sequence actually matches. Clicking Canonicalize turns an improperly or partially encoded sequence into its canonical representation. Keep the following information in mind when you use the encode/decode tool:

- The encoded sequences %00 to %1F and %7F are control characters and may render unpredictably when decoded. The two-byte sequences %C2%80 to %C2%9F are also control characters (and %C2%A0 is a non-breaking space, which is equally invisible).
- Do not use the URL encode tool to encode, for example, the entire path; this results in a non-canonical encoding. Encoding a/b produces the string a%2fb, which no longer matches a/b in the path. Encode only individual path segments and individual terms (the keys and values in key/value pairs) in the Query string.

Option definitions: Create new rule (DLP Categories)

This information describes the options available on this dialog box.
- Name: the name of the DLP category.
- Documents: any documents associated with that category.

Option definitions: Create new rule

This information describes the options available on this dialog box.
- Name: the names of the DLP categories available.
- Documents: the number of documents contained in the category.

Option definitions: Create document exclusion

This information describes the options available on this dialog box.
- Search: search by name for documents that you want to exclude from the policy.
- Name: the name of the document.
- Size: the size of the document.
- Trained on: the date on which the document was trained.

Option definitions: New Rule dialog box

This information describes the options available on this dialog box.

Table 4-64 Category Filtering
- Rule name: type the name of the rule.
- Enable file category filtering: select to open the list of file categories and subcategories.
- Take action when the file category is:
  File categories: select the file category to which you want the rule to apply.
  Subcategories: by default, all the subcategories in a file category are filtered. Use the CTRL key to select multiple subcategories within the file categories that you chose. The Clear selections link resets the list of subcategories to "all".
- Extend this rule to unrecognized file categories: select this option to apply the rule to file categories that are unrecognized.

Table 4-65 Files within some of the multimedia subcategories

MP3: MPEG Layer 3 ID3 Ver 1.x; MPEG Layer 3 ID3 Ver 2.x; MPEG-1 audio Layer 3.
MPEG: MPEG-1 audio Layer 1; MPEG-1 audio Layer 2; MPEG-2 audio Layer 1; MPEG-2 audio Layer 2; MPEG-2 audio Layer 3; MPEG-1 video; MPEG-2 video; MPEG-4 file; MPEG-7 file.
Windows Sound: Windows Sound (WAV file); Windows Media Audio (WMA file).
Windows Video: Windows Video (AVI file); Windows Media Video (WMV file); Microsoft Digital Video Recording (DVR file).

Table 4-66 Name Filtering
- Enable file name filtering: enable filtering based on the name of the file.
- Take action when the file name matches: add the file name to match against when filtering.

Table 4-67 Protected File Filtering
- Enable protected file filtering: enable filtering based on the protected status of the file.
- Take action when the file is: select either Protected or Unprotected.

Table 4-68 Size Filtering
- Enable file size filtering: enable filtering based on the size of the file.
- Take action when the file size is: select whether to take action when a file is Less than or Greater than the configured file size.

Option definitions: Actions

This information describes the options available on this dialog box.
- If the file filtering rule is triggered: select the primary action to take when the rule triggers. Choose from: Deny connection (Block); Refuse the data and return an error code (Block); Replace the content with an alert (Modify); Allow Through (Monitor).
- And also: select the secondary actions to take on the original message when the rule triggers, and set notification and encryption options as necessary.
- Notification and annotated options: when clicked, takes you to the Default Notification and Routing Settings (SMTP) set of options.

Rule Creation Wizard

Use this wizard to set the dictionaries that you want the rule to use, and the actions that you want the appliance to take when the rule triggers.

Option definitions: Customize the name for this rule

This information describes the options available on this page of the wizard.
- Rule name: type the name of the rule that you want to create.

Option definitions: Dictionaries to include

This information describes the options available on this page of the wizard.
- Search: search the list of dictionaries for the ones that you want to include in the rule.
- Name: displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and Compliance | Compliance Dictionaries).
- Threshold: displays the threshold that triggers a score-based dictionary. To enable score-based detection for a dictionary, go to Email | DLP and Compliance | Compliance Dictionaries.
- Max Term Count: displays the maximum number of times that terms in that dictionary can contribute towards a threshold score.

Option definitions: Dictionaries to be excluded

This information describes the options available on this page of the wizard.
- Search: search the list of dictionaries for the ones that you want to exclude from the rule.
- Name: displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and Compliance | Compliance Dictionaries).
- Threshold: displays the threshold that triggers a score-based dictionary. To enable score-based detection for a dictionary, go to Email | DLP and Compliance | Compliance Dictionaries.
- Max Term Count: displays the maximum number of times that terms in that dictionary can contribute towards a threshold score.

Option definitions: If the compliance rule is triggered

This information describes the options available on this page of the wizard.
- If the compliance rule is triggered: select from the drop-down list the primary type of action that you want the appliance to take when it triggers a compliance detection.
- And also: optionally, select secondary actions that can be applied to the detection, such as quarantining the original or modified message, notifying the sender, and sending the message to other people. The options displayed differ according to the primary action that you select.
- Notification and annotated options: opens the Default Notification and Routing Settings pages. See Policies | Policy Options | Notifications and routing.
- And conditionally: specify whether you want the actions to take place when Any or All of the dictionaries in the rule trigger a match.

Rule Creation Wizard

Use the wizard to create a new compliance rule based on settings from an existing rule, and the actions that you want the appliance to take when the rule triggers.

Option definitions: Select a predefined rule to configure

This information describes the options available on this page of the wizard.
- Select a predefined rule to configure: expand the rule that contains the settings on which to base the new rule.
- Search: search the list of predefined rules for the rule on which you want to base your new rule.

Option definitions: Customize the name for this rule

This information describes the options available on this page of the wizard.
- Rule name: edit the name of the rule.

Option definitions: If the compliance rule is triggered

This information describes the options available on this page of the wizard.
- If the compliance rule is triggered: select from the drop-down list the primary type of action that you want the appliance to take when it triggers a compliance detection.
- And also: optionally, select secondary actions that can be applied to the detection, such as quarantining the original or modified message, notifying the sender, and sending the message to other people. The options displayed differ according to the primary action that you select.
- Notification and annotated options: opens the Default Notification and Routing Settings pages. See Policies | Policy Options | Notifications and routing.
- And conditionally: specify whether you want the actions to take place when Any or All of the dictionaries in the rule trigger a match.

Policy Options settings

Use the Policy Options settings to configure scanning limits and how to handle corrupt or unreadable content, and to specify alert settings.

Policies | Policy Options | Scanner Limits

Use this page to set limits on scanning, to prevent attacks and other performance issues.

Policies | Policy Options | Scanning limits

The default policy values are normally suitable, but you might need another policy to allow the occasional transfer of large, deeply nested files, or to investigate possible attacks.

Table 4-69 Option definitions: Maximum file size
- If expanded file size exceeds: specifies the limit. The default value is 500 MB.
- (menu): provides the main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor).

Table 4-69 Option definitions: Maximum file size (continued)
- And also: specify the secondary actions to take.
  Original options:
    Quarantine: adds the message to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed, including custom quarantine queues that you have created.
    Annotate and deliver original to sender: delivers the original message to the sender.
    Annotate and deliver original to x lists: delivers the original message, with annotations added, to the selected distribution lists. Click Edit to select the lists or to create a distribution list.
  Notification options:
    Deliver to the sender of the original: sends a notification message to the sender of the original message.
    Deliver to the recipient of the original: sends a notification message to the recipients of the original message.
    Deliver a notification to x lists: sends a notification message to the selected distribution lists. Click Edit to select the lists or to create a distribution list.
  Modified options:
    Quarantine: adds the modified message to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed, including custom quarantine queues that you have created.
    Forward modified to x lists: sends the modified message to the selected distribution lists. Click Edit to select the lists or to create a distribution list.
    Annotate and deliver modified to x lists: delivers the modified message, with annotations added, to the selected distribution lists. Click Edit to select the lists or to create a distribution list.
    Deliver to the sender of the original: sends the modified message back to the original sender.
- Notification and annotated options: follow the link to configure the options for notification messages and annotated messages.
- If a denial of service action results in an alert: select to use the default alert, or follow the link to change the alert text.
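As an added illustration of what the three scanner limits on this page (expanded file size, nesting depth and scan time, Tables 4-69 to 4-71) defend against, the Python below, which is not appliance code, unpacks a nested zip attachment while enforcing all three caps and returns a verdict that a policy action would then be applied to. The nested archive is constructed in memory as sample input; the default limits mirror the values quoted in the tables, and the chunked reading that distrusts the declared member size is a design choice of this example.

```python
import io
import time
import zipfile

# Constructed sample input: `payload` wrapped in `depth` layers of zip, a small archive "bomb".
def build_nested_zip(depth: int, payload: bytes = b"A" * 1000) -> bytes:
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{level}.bin" if level == 0 else f"level{level}.zip", data)
        data = buf.getvalue()
    return data


class LimitExceeded(Exception):
    """Raised as soon as one of the scanner limits is hit; the scan stops there."""


def scan_attachment(data: bytes, max_expanded: int = 500 * 2**20, max_depth: int = 100,
                    max_seconds: float = 8 * 60) -> dict:
    """Recursively expand zip members, stopping at the first limit that is exceeded.

    Returns {"verdict": "clean" | "limit", "reason": str, "expanded": bytes seen,
    "depth": deepest nesting reached}. Defaults match the guide: 500 MB, depth 100, 8 min."""
    deadline = time.monotonic() + max_seconds
    state = {"expanded": 0, "depth": 0}

    def walk(blob: bytes, depth: int) -> None:
        state["depth"] = max(state["depth"], depth)
        if depth > max_depth:
            raise LimitExceeded(f"nesting depth exceeds {max_depth}")
        if time.monotonic() > deadline:
            raise LimitExceeded(f"scan time exceeds {max_seconds} seconds")
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            return                              # leaf object: hand it to the content scanners
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # The declared size is only a pre-check; read in chunks so that a lying
                # header cannot make us allocate more than the configured limit.
                if state["expanded"] + info.file_size > max_expanded:
                    raise LimitExceeded(f"expanded size exceeds {max_expanded} bytes")
                member = bytearray()
                with zf.open(info) as fh:
                    while chunk := fh.read(65536):
                        state["expanded"] += len(chunk)
                        if state["expanded"] > max_expanded:
                            raise LimitExceeded(f"expanded size exceeds {max_expanded} bytes")
                        member += chunk
                walk(bytes(member), depth + 1)

    try:
        walk(data, 0)
    except LimitExceeded as exc:
        return {"verdict": "limit", "reason": str(exc), **state}
    return {"verdict": "clean", "reason": "", **state}


if __name__ == "__main__":
    bomb = build_nested_zip(3)
    print(scan_attachment(bomb))                      # clean at the defaults
    print(scan_attachment(bomb, max_depth=2))         # nesting depth limit hit
    print(scan_attachment(bomb, max_expanded=500))    # expanded size limit hit
```

The verdict is returned rather than acted on so that the caller can map it to the policy's configured action (for example, "Accept and then drop the data"); the point of checking the limits inside the expansion loop, rather than after it, is that a decompression bomb is rejected before it has consumed the memory or time it was built to consume.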

Table 4-70 Option definitions: Maximum nesting depth
- If nesting depth exceeds: specifies the limit. The default value is 100.
- (menu): provides the main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor).
- And also: specify the secondary actions to take. The Original options (Quarantine; Annotate and deliver original to sender; Annotate and deliver original to x lists), Notification options (Deliver to the sender of the original; Deliver to the recipient of the original; Deliver a notification to x lists) and Modified options (Quarantine; Forward modified to x lists; Annotate and deliver modified to x lists; Deliver to the sender of the original) are the same as those described for Table 4-69.

Table 4-70 Option definitions: Maximum nesting depth (continued)
- Notification and annotated options: follow the link to configure the options for notification messages and annotated messages.
- If a denial of service action results in an alert: select to use the default alert, or follow the link to change the alert text.

Table 4-71 Option definitions: Maximum scan time
- If the scan time exceeds: specifies the limit. The default value is 8 minutes.
- (menu): provides the main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor).

Table 4-71 Option definitions: Maximum scan time (continued)
- And also: specify the secondary actions to take. The Original options (Quarantine; Annotate and deliver original to sender; Annotate and deliver original to x lists), Notification options (Deliver to the sender of the original; Deliver to the recipient of the original; Deliver a notification to x lists) and Modified options (Quarantine; Forward modified to x lists; Annotate and deliver modified to x lists; Deliver to the sender of the original) are the same as those described for Table 4-69.
- Notification and annotated options: follow the link to configure the options for notification messages and annotated messages.
- If a denial of service action results in an alert: select to use the default alert, or follow the link to change the alert text.

Content Handling Settings: Basic Options

Use this page to specify some basic settings for handling email.

Policies | Policy Options | Content handling | Basic Options

To cater for the needs of various departments, you might need several policies, each with its own disclaimer.

Table 4-72 Option definitions
- Add a prefix to the subject of modified emails: specifies a prefix that the appliance adds to the subject line after a major modification to the message, for example when an alert message replaces an infected item. If this prefix is added, it precedes other prefixes such as those that indicate spam or phish detections. Adding a disclaimer to a message does not affect its subject line.
- Enable the use of disclaimers: when selected, adds extra text to each message. The appliance cannot add a disclaimer to an email message that contains unsupported character sets, such as the Hebrew character set ISO-8859-8-I.
- Disclaimer text: specifies the text, which can be a legal disclaimer, an advertisement, or general information such as addresses and telephone numbers. For an HTML disclaimer to appear in an email, the email must be received in HTML format. If you refer to an image (using <img>), the recipient sees the image only if it is publicly available; that is, the image must be accessible over the Internet with a full path.
- Placement: offers a choice of location for the disclaimer text.
- When re-encoding attachments: offers a choice of re-encoding if the message was cleaned.
- When re-encoding modified subject lines: offers a choice of re-encoding.
- If there's an error re-encoding a modified subject line: offers a choice of re-encoding.

Content Handling Settings: Advanced Options

Use this page to specify advanced settings for handling email.

Policies | Policy Options | Content handling | Advanced Options

Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert.

Table 4-73 Option definitions
- Preferred transfer encoding for text: offers a choice of encoding: 8-bit, for SMTP servers that support the 8BITMIME transport extension; Base64, for non-text data and for messages that do not have much ASCII text; Quoted-printable, for messages that contain mainly ASCII characters and also some byte values outside that range.
- But do not encode if the text is already 7-bit: when selected, prevents encoding of 7-bit data.

Table 4-73 Option definitions (continued)
  Default decode character set: Offers a character set to use if one is not specified in the MIME headers. To specify further sets, see the Character Sets tab.
  Maximum number of MIME parts: Specifies a maximum, which can help prevent denial-of-service attacks against the MIME parser. Default value is
  Treat corrupt message headers the same as corrupt content: If selected, the message is handled according to the action that the policy applies to any corrupt content.
  Treat NULL characters in message headers the same as corrupt content: When selected, acts on NULL characters in the same way.
  Remove any Received From headers to obscure...: Select this to obscure any network information (internal host names and addresses) displayed in the Received headers. The last Received header, added by your appliance, is not removed. Enabling header stripping prevents emails being blocked because of the Maximum number of hops setting, because the Received headers are what the appliance counts to find the number of hops the message has taken.

Content Handling Settings - Email Options - Missing/Empty Headers

Use this page to specify how the appliance handles an email message that has empty or missing headers.

Email | Email Policies | Policy Options | Content handling | Email Options | Missing / Empty Headers

In spam and spoofed email, headers are sometimes altered or omitted to hide the identity of the sender.

Table 4-74 Option definitions
  Take action under the following circumstances:
    Never: Select this option if you do not need the feature.
    When one or more headers have no value: Select this option to detect any header that is present but empty.
    When one or more of the following headers are missing or empty: Select this option to specify the headers to check, such as From, Sender, and Reply-To. For a full list of headers, see RFC
  Action: Provides a main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor).

Table 4-74 Option definitions (continued)
  And also: Specify the secondary actions to take.
    Original options:
      Quarantine: Select to have the message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed, including any custom quarantine queues that you have created.
      Annotate and deliver original to sender: Deliver the original message to the sender.
      Annotate and deliver original to x lists: Deliver the original message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
    Notification options:
      Deliver to the sender of the original: Send a notification message to the sender of the original message.
      Deliver to the recipient of the original: Send a notification message to the recipients of the original message.
      Deliver a notification to x lists: Send a notification message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
    Modified options:
      Quarantine: Select to have the modified message added to the Quarantine database. If you are using off-box quarantine, you can also select the quarantine queue into which the message is placed, including any custom quarantine queues that you have created.
      Forward modified to x lists: Send the modified message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
      Annotate and deliver modified to x lists: Deliver the modified message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
      Deliver to the sender of the original: Send the modified message back to the original sender.
    Other actions:
      Modify subject: McAfee Email Gateway rewrites the subject of the message using user-definable templates, and then delivers the message to the intended recipients.
      Modify headers: McAfee Email Gateway modifies the message headers using user-definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
  Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
  If either of the above actions results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.
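The checks behind the Advanced Email Options table (transfer-encoding choice, the MIME-part cap, Received-header stripping versus hop counting) and the Missing/Empty Headers table above, written out as an added Python example. This is not McAfee code and does not reflect how the appliance is implemented; the 0.75 ASCII threshold for choosing quoted-printable over base64, the default header list (From, Sender, Reply-To) and the sample message with its 10.x internal hops are assumptions constructed for the example.

```python
"""Added example (not McAfee code): the decisions behind the Advanced Email
Options and Missing/Empty Headers tables, written in plain Python."""
import email
from email.message import Message

MAX_LINE = 998          # RFC 5322 line limit that 7bit and 8bit bodies must respect
QP_ASCII_SHARE = 0.75   # assumption: above this share of ASCII bytes, quoted-printable beats base64


def _lines_fit(data: bytes) -> bool:
    return all(len(line) <= MAX_LINE for line in data.split(b"\n"))


def choose_transfer_encoding(data: bytes, preferred: str = "quoted-printable",
                             keep_7bit: bool = True) -> str:
    """Pick a Content-Transfer-Encoding for a text body.

    preferred -- the "Preferred transfer encoding for text" setting:
                 "8bit" (only sensible when the peer announced 8BITMIME), "base64" or "quoted-printable"
    keep_7bit -- "But do not encode if the text is already 7 bit"
    """
    has_nul = b"\0" in data
    is_7bit = all(b < 0x80 for b in data) and not has_nul and _lines_fit(data)
    if keep_7bit and is_7bit:
        return "7bit"
    if preferred == "8bit":
        # 8bit still has to obey the line limit and carry no NULs; otherwise fall back to base64
        return "8bit" if _lines_fit(data) and not has_nul else "base64"
    if preferred == "quoted-printable":
        ascii_share = sum(b < 0x80 for b in data) / max(len(data), 1)
        return "quoted-printable" if ascii_share >= QP_ASCII_SHARE else "base64"
    return "base64"


def count_mime_parts(msg: Message, limit: int):
    """Walk the MIME tree, stopping as soon as the part cap is exceeded
    (the "Maximum number of MIME parts" guard). Returns (count, exceeded)."""
    count = 0
    for _ in msg.walk():
        count += 1
        if count > limit:
            return count, True
    return count, False


def missing_or_empty_headers(msg: Message, required=("From", "Sender", "Reply-To")) -> list:
    """Headers from `required` that are absent or carry no value
    ("When one or more of the following headers are missing or empty")."""
    return [h for h in required if (msg.get(h) or "").strip() == ""]


def empty_headers(msg: Message) -> list:
    """Any header that is present but has no value ("When one or more headers have no value")."""
    return [name for name, value in msg.items() if value.strip() == ""]


def hop_count(msg: Message) -> int:
    """Hops as a Maximum number of hops check sees them: one per Received header."""
    return len(msg.get_all("Received", []))


def strip_received(msg: Message) -> Message:
    """Keep only the topmost Received header (the one the gateway itself added, so the
    most recent hop) and drop the rest, which is where internal host names and
    addresses leak. Header order is otherwise preserved."""
    headers = msg.items()
    kept, seen = [], False
    for name, value in headers:
        if name.lower() == "received":
            if seen:
                continue
            seen = True
        kept.append((name, value))
    for name in {n for n, _ in headers}:
        del msg[name]
    for name, value in kept:
        msg[name] = value
    return msg


# Constructed sample: three internal hops, an empty Subject and Reply-To, no Sender header.
SAMPLE = b"\r\n".join([
    b"Received: from relay.internal.example.test ([10.1.2.3]) by gateway.example.test; Mon, 1 Jul 2013 10:00:02 +0000",
    b"Received: from ws-17.internal.example.test ([10.1.2.44]) by relay.internal.example.test; Mon, 1 Jul 2013 10:00:01 +0000",
    b"Received: from [192.168.7.9] by ws-17.internal.example.test; Mon, 1 Jul 2013 10:00:00 +0000",
    b"From: alice@example.test", b"To: bob@example.test", b"Subject:", b"Reply-To:",
    b"MIME-Version: 1.0", b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain; charset=utf-8", b"", b"Hello",
    b"--b1", b"Content-Type: application/octet-stream", b"Content-Transfer-Encoding: base64", b"", b"AAAA",
    b"--b1--", b"",
])

if __name__ == "__main__":
    m = email.message_from_bytes(SAMPLE)
    print(count_mime_parts(m, 1000), missing_or_empty_headers(m), empty_headers(m), hop_count(m))
    print(strip_received(m).as_string())
```

Running the sample shows the trade-off the table describes: before stripping, the message has three hops and exposes two RFC 1918 addresses; after stripping it has one hop (the gateway's own header), so a downstream Maximum number of hops check can no longer see the real path, and the header-count check that previously caught looping mail no longer fires on it.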

Content Handling Settings - Email Options - Text and binary MIME types

Use this page to specify special MIME types as text or binary to improve the efficiency of the scanning.

Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types

The appliance handles common MIME types. You need only specify any new or unusual MIME types here.

Table 4-75 Option definitions
  Treat the following MIME types as text attachments: Allows you to build a list of text MIME types.
  Treat the following MIME types as binary attachments: Allows you to build a list of binary MIME types.

About MIME formats

Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols, like SMTP, that support only 7-bit ASCII characters.

Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types

Examples of non-ASCII formats include:
  8-bit audio
  Video files
  Character sets of many non-English languages

MIME defines different ways of encoding the non-ASCII formats so that they can be represented using characters in the 7-bit ASCII character set. MIME also defines extra headers that contain further information:
  Version of MIME used.
  Type of content in the MIME message.
  Type of encoding method used.
  Content part identifier for multi-part MIME messages.

The resulting MIME message can be "decoded" or "re-encoded" after transmission. We say "re-encoded" because the MIME messages can be converted into a different character set from the original message.

Content Handling Settings - Email Options - Character sets

Use this page to specify one or more alternative character sets to try if you have problems decoding messages in the given character set.

Email | Email Policies | Policy Options | Content handling | Email Options | Character sets

You can select a fixed mapping (always use the alternative character set) or a list of alternatives to be used only if decoding fails.

Table 4-76 Option definitions
  Character sets: Specifies the original character set in the message.
  Fixed: If selected, you can choose one alternative character set. If deselected, you can provide any number of choices. To select several items, use Ctrl+click, or click and Shift+click.
  Alternatives: Specifies the alternative character encodings.

Content Handling Settings - HTML Options

Use this page to specify how the appliance handles certain elements and components embedded in HTML data.

Email | Email Policies | Policy Options | Content handling | HTML Options

Table 4-77 Option definitions
  Script elements: When selected, the item is removed.
  ActiveX components: When selected, the item is removed. Flash objects are ActiveX objects, so you can choose to keep them.
  Comments: When selected, the item is removed.
  Raw HTML: When selected, the items are scanned for inappropriate content.

Content Handling Settings - Corrupt or Unreadable Content - Corrupt content

Use this page to specify how to handle corrupt content.

Email | Email Policies | Policy Options | Content handling | Corrupt content

Scanners and other applications can have difficulty reading corrupt content. You can specify the action to take when the appliance detects corrupt content in:

  Email messages
  Archives
  Documents

Option definitions
  If corrupt content is detected: Provides a main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor).
  And also: Specify the secondary actions to take. The Original options, Notification options and Other actions (Modify subject, Modify headers) are the same as those listed under Table 4-74 (Missing/Empty Headers); there are no Modified options for corrupt content.
  Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
  If either of the above actions results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.
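What the HTML Options "remove" actions amount to when applied to a message body, as an added Python example built on the standard library's html.parser. This is not McAfee code and says nothing about how the appliance implements the feature; the set of tags treated as ActiveX or plug-in components (object, applet, embed), the Flash classid and MIME type used to honour the "keep Flash" choice, the decision to also drop inline on* event-handler attributes alongside script elements, and the sample HTML are all assumptions constructed for the example.

```python
"""Added example (not McAfee code): the HTML Options removals applied to a body."""
import html
from html.parser import HTMLParser

PLUGIN_TAGS = {"object", "applet"}   # assumption: containers treated as ActiveX/plug-in components
VOID_PLUGIN_TAGS = {"embed"}         # same, but the element has no closing tag
FLASH_CLASSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"   # Shockwave Flash ActiveX control
FLASH_TYPE = "application/x-shockwave-flash"


class HtmlStripper(HTMLParser):
    def __init__(self, remove_scripts=True, remove_activex=True, keep_flash=False, remove_comments=True):
        super().__init__(convert_charrefs=False)
        self.remove_scripts, self.remove_activex = remove_scripts, remove_activex
        self.keep_flash, self.remove_comments = keep_flash, remove_comments
        self.out, self.removed = [], []
        self.skip_tag, self.skip_depth = None, 0   # set while inside an element being dropped

    def _is_flash(self, attrs):
        d = {k.lower(): (v or "").lower() for k, v in attrs}
        return d.get("classid") == FLASH_CLASSID or d.get("type") == FLASH_TYPE

    def _emit_start(self, tag, attrs, selfclosing):
        handlers = [k for k, _ in attrs if k.lower().startswith("on")]
        if self.remove_scripts and handlers:
            # inline event handlers are script too: rebuild the tag without them
            self.removed.append("attribute " + ", ".join(handlers))
            attrs = [(k, v) for k, v in attrs if not k.lower().startswith("on")]
            rendered = "".join(f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
                               for k, v in attrs)
            self.out.append(f"<{tag}{rendered}{' /' if selfclosing else ''}>")
        else:
            self.out.append(self.get_starttag_text())   # untouched: keep the original source text

    def _start(self, tag, attrs, selfclosing):
        if self.skip_tag:                                 # nested same-name tag inside a dropped element
            if tag == self.skip_tag and not selfclosing:
                self.skip_depth += 1
            return
        if tag == "script" and self.remove_scripts:
            self.removed.append("script")
            self.skip_tag, self.skip_depth = tag, 1       # drop everything up to </script>
            return
        if self.remove_activex and (tag in PLUGIN_TAGS or tag in VOID_PLUGIN_TAGS) \
                and not (self.keep_flash and self._is_flash(attrs)):
            self.removed.append(tag)
            if tag in PLUGIN_TAGS and not selfclosing:    # drop the <param> children and the end tag too
                self.skip_tag, self.skip_depth = tag, 1
            return
        self._emit_start(tag, attrs, selfclosing)

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_depth -= 1
                if self.skip_depth == 0:
                    self.skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(data)

    def handle_comment(self, data):
        if self.skip_tag:
            return
        if self.remove_comments:
            self.removed.append("comment")
        else:
            self.out.append(f"<!--{data}-->")

    def handle_entityref(self, name):
        if not self.skip_tag:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_tag:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize_html(source: str, **options):
    """Return (cleaned_html, audit list of what was removed)."""
    parser = HtmlStripper(**options)
    parser.feed(source)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: a tracking comment, an inline handler, a script, one Flash and one
# non-Flash ActiveX object, and a Flash <embed>.
SAMPLE = ('<html><body><!-- tracking: id=42 --><p onclick="steal()">Hi &amp; welcome</p>'
          '<script>document.location="http://evil.example/"</script>'
          '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"><param name="movie" value="x.swf"></object>'
          '<object classid="clsid:00000000-0000-0000-0000-000000000001"></object>'
          '<embed src="x.swf" type="application/x-shockwave-flash"></body></html>')

if __name__ == "__main__":
    print(sanitize_html(SAMPLE))
    print(sanitize_html(SAMPLE, keep_flash=True))
```

The audit list is the part worth keeping in production: an administrator who sees "object, object, embed" removed from a message that a user insists was a harmless newsletter can decide whether the keep-Flash exception is worth its risk.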

Content Handling Settings - Corrupt or Unreadable Content - Encrypted content

Use this page to specify how to handle encrypted content.

Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Corrupt or Unreadable Content

You can specify the action to take when the appliance scans an S/MIME or PGP encrypted message. The appliance cannot inspect encrypted content, so if you allow it through it must be scanned after it is decrypted, which typically happens on the user's computer. Alternatively, you can reroute the encrypted content to another device for decryption.

Table 4-78 Option definitions
  If encrypted content is detected: Provides a main action to take.
  And also: Provides several further actions to take. To select several items, use Ctrl+click or click and Shift+click.

Content Handling Settings - Corrupt or Unreadable Content - Protected files

Use this page to specify what action to take against files that are protected in some way.

Email | Email Policies | Policy Options | Content handling | Protected files

You can specify the action to take when the appliance is unable to scan into an attachment (either an archive or a document), or a file that is being requested from a website, because it has been password protected. If the content is protected by a password, the appliance cannot examine the contents because they are encrypted. If you choose to allow such files into your network, you must ensure that their contents can be scanned later for any threats by an on-access scanner; until then the gateway has not inspected them at all.

Table 4-79 Option definitions
  If a read-protected document is detected: Provides a main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor). The action for read-protected documents triggers only when compliance scanning is enabled and the contents of the document cannot be extracted.
  And also: Specify the secondary actions to take. The Original options, Notification options, Modified options and Other actions (Modify subject, Modify headers) are the same as those listed under Table 4-74 (Missing/Empty Headers).
  Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
  If an action results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.
  If a password-protected archive file is detected: Provides a main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor); Reroute to an alternative relay (Reroute).
  And also: Specify the secondary actions to take. The Original options, Notification options, Modified options and Other actions (Modify subject, Modify headers) are the same as those listed under Table 4-74 (Missing/Empty Headers).
  Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
  If an action results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.

Content Handling Settings - Corrupt or Unreadable Content - Partial/external messages

Use this page to specify the action to take against two types of message that can be difficult to scan.

Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Corrupt or Unreadable Content

  A partial message (MIME type message/partial). If a message has been divided into smaller parts for sending as several separate messages, each part is called a partial message. No single part contains the whole content, so none of them can be scanned on its own.
  An external body message (MIME type message/external-body). The message contains a reference to an external resource and the scheme (usually FTP) that retrieves that resource; the content itself never passes through the appliance.

Table 4-80 Option definitions
  If a message/partial type is encountered: Provides a main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor).
  And also: Specify the secondary actions to take. The Original options, Notification options, Modified options and Other actions (Modify subject, Modify headers) are the same as those listed under Table 4-74 (Missing/Empty Headers).
  Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
  If a message/external-body type is encountered: Provides a main action to take. The available options are: Deny connection (Block); Refuse the data and return an error code (Block); Accept and then drop the data (Block); Replace all attachments with an alert (Modify); Allow Through (Monitor).
  And also: Specify the secondary actions to take. The Original options, Notification options, Modified options and Other actions (Modify subject, Modify headers) are the same as those listed under Table 4-74 (Missing/Empty Headers).
  Notification and annotated options: Follow the link to configure the options for notification messages and annotated messages.
  If either of the above actions results in an alert: Select to use the default alert, or follow the link to make changes to the alert text.

Content Handling Settings - Corrupt or Unreadable Content - Signed messages

Use this page to specify how to handle content that is digitally signed.

Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Corrupt or Unreadable Content

You can specify the action to take when the appliance scans an S/MIME or PGP signed message, such as whether you allow the appliance to modify a signed email. Adding a disclaimer to, or replacing an attachment in, the signed body invalidates an S/MIME or PGP signature, and the recipient's mail client then reports the message as tampered with.

Table 4-81 Option definitions
  If a signed message is detected: Provides a main action to take.
  And also: Provides several further actions to take. To select several items, use Ctrl+click or click and Shift+click.

Signed messages are quarantined only if a virus or banned content is detected within the message. Signed messages are not quarantined just because the appliance detects that the message has a digital signature.

Alert Settings

Use this page to control the format and appearance of the alert message that users receive when the appliance detects a threat.

Email | Email Policies | Scanning Policies [Scanner Options] | Alert settings

Benefits of configuring Alert Settings

The Alert Settings page enables you to configure extra text (a header and footer) that appears around the alert text. For example, you can include your company's name or logo, a legal statement, or contact information. You might need several alert settings for different groups in your network.

Option definitions - Alert Settings
  Alert format: Provides a choice of formats.
  Header text: Specifies the text for the top of each alert message.
  Show: Shows the header text as HTML source (showing tags such as <p>) or as users see the text (WYSIWYG). This option is not applicable for text alerts.
  Footer text: Specifies the text for the bottom of each alert message.
  Show: Shows the footer text as HTML source (showing tags such as <p>) or as users see the text (WYSIWYG). This option is not applicable for text alerts.
  Restore Defaults: When clicked, displays the original text of the alert.
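The content kinds that the Corrupt or Unreadable Content pages above act on (encrypted, signed, password-protected, partial, external-body, corrupt) can all be recognised from MIME structure alone, without decrypting anything. The following added Python example does exactly that for a raw message; it is not McAfee code and does not describe the appliance's own detection logic. The classification labels, the decision to inspect only ZIP archives for the encryption flag, and every fixture (the PGP and S/MIME bodies are placeholders, and the "protected" ZIP is an ordinary archive with its encryption flag bit set by hand) are constructed for the example.

```python
"""Added example (not McAfee code): recognising content the gateway cannot scan into."""
import email
import io
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def archive_status(data: bytes) -> str:
    """ZIP: unreadable, password protected (general-purpose flag bit 0 set on an entry), or fine."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(info.flag_bits & 0x01 for info in zf.infolist()):
                return "password-protected-archive"
            return "archive-ok"
    except zipfile.BadZipFile:
        return "corrupt-archive"


def classify_message(raw: bytes) -> set:
    """Conditions in a raw message that stop a gateway from inspecting its content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        proto = (part.get_param("protocol") or "").lower()
        if ctype == "multipart/encrypted":                  # PGP/MIME, RFC 3156
            found.add("pgp-encrypted" if proto == "application/pgp-encrypted" else "encrypted")
        elif ctype == "multipart/signed":                   # detached signature; body itself is readable
            found.add("pgp-signed" if proto == "application/pgp-signature"
                      else "smime-signed" if proto in PKCS7_SIG else "signed")
        elif ctype in PKCS7_MIME:                           # S/MIME CMS blob: signed or enveloped
            smime_type = (part.get_param("smime-type") or "").lower()
            found.add("smime-signed" if smime_type == "signed-data" else "smime-encrypted")
        elif ctype in ("message/partial", "message/external-body"):
            found.add(ctype)
        elif ctype == "text/plain" and part.get_content().lstrip().startswith("-----BEGIN PGP MESSAGE-----"):
            found.add("pgp-inline-encrypted")
        elif ctype in ZIP_TYPES or (part.get_filename() or "").lower().endswith(".zip"):
            found.add(archive_status(part.get_payload(decode=True) or b""))
    return found


# ---- constructed fixtures ----------------------------------------------------------
def make_zip_sample(protected: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ stand-in for a real payload")
    data = bytearray(buf.getvalue())
    if protected:
        # zipfile cannot write encrypted archives, so set the encryption flag (bit 0) by hand in the
        # local file header (flags at offset 6) and the central directory entry (flags at offset 8);
        # that flag is what any reader checks before it asks for a password.
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def attach_zip(zip_bytes: bytes) -> bytes:
    m = MIMEMultipart()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "invoice"
    m.attach(MIMEText("see attached"))
    part = MIMEApplication(zip_bytes, "zip")
    part.add_header("Content-Disposition", "attachment", filename="invoice.zip")
    m.attach(part)
    return m.as_bytes()


HDR = b"From: a@example.test\r\nTo: b@example.test\r\nMIME-Version: 1.0\r\n"
PGP_MIME = (HDR + b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="e1"\r\n\r\n'
            b"--e1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
            b"--e1\r\nContent-Type: application/octet-stream\r\n\r\n"
            b"-----BEGIN PGP MESSAGE-----\r\nhQEMA0placeholder\r\n-----END PGP MESSAGE-----\r\n--e1--\r\n")
SMIME_SIGNED = (HDR + b'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\r\n'
                b"Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHAqCAplaceholder\r\n")
PARTIAL = (HDR + b'Content-Type: message/partial; id="split-1@example.test"; number=1; total=2\r\n\r\n'
           b"Subject: big report\r\n\r\nfirst half\r\n")
INLINE_PGP = (HDR + b"Content-Type: text/plain\r\n\r\n"
              b"-----BEGIN PGP MESSAGE-----\r\nhQEMA0placeholder\r\n-----END PGP MESSAGE-----\r\n")

if __name__ == "__main__":
    for name, raw in [("pgp", PGP_MIME), ("smime", SMIME_SIGNED), ("partial", PARTIAL),
                      ("zip", attach_zip(make_zip_sample(True)))]:
        print(name, classify_message(raw))
```

Two points the classifier makes concrete. A multipart/signed message keeps its body readable, so it can still be scanned for viruses and banned content, which is why the Signed messages page only needs to decide whether modification is allowed; an application/pkcs7-mime body, signed or enveloped, is an opaque CMS blob either way. And a password-protected archive is recognised from a flag in the archive's own directory, so the gateway knows it is blind to the contents before it ever tries to extract them.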

  Character encoding: Offers a choice of encoding for the alert text. Numeric character references enables the use of special characters for alerts in HTML format. The encodings from Big5 to UTF-8 provide character encoding for plain-text alerts. Default value is Numeric character references.
  Alert filename: Specifies the name of the file that contains the alert. Default value is warning.htm or warning.txt.

Option definitions - Alert Editor

This information describes the options available in each policy's Alert Editor to create and view the policy's alert notification message.
  Style / Font / Size: Select the paragraph style, size, and font that you want to apply to the text.
  Tokens: Select the token variables that you want to appear in the message, such as the name of the attachment and the policy that it infringed.
  Show: Choose how you want to view the notification text in the Alert Editor.
  Use Default: Select to have the notification appear in the default format.

Notification and Routing Settings - Notification emails

Specify the email addresses for messages from the appliance to users and to administrators. For example, the appliance can send a notification if it detects a threat in an email message or it cannot deliver a message.

Changing these settings can affect scanning performance. If you are not sure about the impact of making any changes, ask your network expert.

Table 4-82 Option definitions - Notification emails
  Sender: Specifies the From address that the appliance uses when sending a response to the sender of an email that contained a threat.
  Subject: Defines the subject line to be used in notification emails.
  Display (including Edit the alert text and Name:): Decides how the notification is displayed: As an attachment, or Inline (default). Click Edit the alert text to make changes to the alert text to be used. When you select As an attachment, you can also specify the Name: of the attachment.

Table 4-83 Option definitions - Annotated emails
  Sender: Specifies the From address that the appliance uses when sending a response to the sender of an email that contained a threat.
  Subject: Defines the subject line to be used in annotated emails.

Table 4-83 Option definitions - Annotated emails (continued)
  Content: Decides the content of the notification to be displayed: Notification alert text, or Scanner-specific alert. Click Show example to see examples of the currently selected notification.
  Display (including Name:): Decides how the notification is displayed: As an attachment, or Inline (default). Click Edit the alert text to make changes to the alert text to be used. When you select As an attachment, you can also specify the Name: of the attachment.

Table 4-84 Option definitions - Bounce messages
  Sender: Specifies the From address that the appliance uses when sending bounce messages to the sender.
  Subject: Defines the subject line to be used in bounced messages.

Table 4-85 Option definitions - Modified messages returned to the sender
  Sender: Specifies the From address that the appliance uses when returning modified messages to the sender.
  Subject: Defines the subject line to be used in modified messages being returned to the sender.

Table 4-86 Option definitions - Forwarded emails
  Sender: Selects the sender from whom forwarded emails appear to come. The options are: Original sender (default); Notification sender.

Notification and Routing Settings - Audit Copies

Specify that a copy must be kept of every email that is sent.

Email | Email Policies | Policy Options | Notifications and routing | Audit Copies

Select this feature if your organization needs to record all email for auditing purposes.

Table 4-87 Option definitions
  Sender address and Use the sender address of the original email: To retain the name of the original sender, select the checkbox. If the sender name is not relevant, you can type an alternative address.
  Recipient address: Specifies the address to which the appliance sends the audit copy. The appliance does not change the content of the original message.

Notification and Routing Settings - Routing

Select a device to which the appliance can redirect email.

Email | Email Policies | Policy Options | Notifications and routing | Routing

Table 4-88 Option definitions
  Route the email to an alternative SMTP relay: Selects the relay from the list on the SMTP Relays page.
  Manage the list of relays: When clicked, opens a window where you can make a list of SMTP relays.

Notification and Routing Settings - SMTP Relays

Make a list of alternative relays for redirected email.

Email | Email Policies | Policy Options | Notifications and routing | SMTP Relays

Table 4-89 Option definitions
  Relay List: Specifies the relays. To edit the list, click the blue link to open the Edit List window.

Notification and Routing Settings - Encryption Servers

Make a list of encryption servers to use.

Email | Email Policies | Policy Options | Notifications and routing | Encryption Servers

Table 4-90 Option definitions
  Server Group: Specifies the name of the list of encryption servers. To edit the list, click the blue link to open the Edit List window.

Notification and Routing Settings - Recipients

Build a list of recipients for email that the appliance generates automatically.

Email | Email Policies | Policy Options | Notifications and routing | Recipients

For example, you can make lists of email addresses for administration and auditing. The lists are used by several pages in the interface, for example: Email | Email Policies | Scanning Policies [Scanner Options] | Notification and routing | Audit Copies.

Table 4-91 Option definitions
  List: Specifies the name of the list. To edit the list, click the blue link to open the Edit List window.

McAfee Global Threat Intelligence (GTI) Feedback Settings

Use this page to submit threat detection feedback and usage statistics from your product to McAfee.

Email | Email Policies | Scanning Policies | Scanner Options | McAfee GTI feedback
System | Setup Wizard

Benefits of using McAfee Global Threat Intelligence feedback

McAfee analyzes data about product detections and alerts, threat details, and usage statistics from a broad set of customers in order to combat electronic attacks, protect vulnerable systems from exploitation, and thwart cyber crime. By enabling this feedback service in your product, you help McAfee improve McAfee Global Threat Intelligence, thereby making your McAfee products more effective, and help McAfee work with law enforcement to address electronic threats.

McAfee Global Threat Intelligence tracks the entire threat lifecycle, enabling predictive security to guard against the latest vulnerabilities, ensure regulatory and internal compliance, and lower the cost of remediation. Global Threat Intelligence was created and refined by McAfee Labs to power the next generation of security. Spanning the entire Internet, Global Threat Intelligence uses millions of sensors to gather real-time intelligence from host IP addresses, Internet domains, specific URLs, files, images, and messages. It seeks new and emerging threats, including malware outbreaks, zero-day exploits, and malicious zombie senders generating spam and web attacks. McAfee Labs' team of more than 350 researchers in 30 countries is dedicated to providing the most relevant security information by tracking and analyzing the latest threats. Real-time Global Threat Intelligence powers McAfee's threat technologies, including file and message reputation, which distribute continually tuned threat protection through McAfee's suite of endpoint and network security products.

Any personal information that may be collected is subject to the McAfee Privacy Policy.
Table 4-92 Option definitions
  Enable threat feedback
    Select this option to allow your appliance to send information about threat detections, alerts, threat details and usage statistics to McAfee, to help improve detection rates within your McAfee products.

Task: Enable GTI feedback for outbound policies only
  1 Go to Email | Email Policies | Scanning Policies | Scanner Options.
  2 In the Scanner Options column for the relevant outbound policy, select McAfee GTI feedback.
  3 Select Enable threat feedback.
  4 Click OK, and apply the changes.

Task: Enable GTI feedback during a new installation

GTI feedback can be enabled from within the Setup Wizard:
  1 Go to System | Setup Wizard | 2. Traffic.
  2 Select Enable threat feedback and continue through the wizard.

Task: Turn off the 'GTI feedback disabled' warning

By default, the appliance displays a warning message if you have not enabled GTI feedback, because McAfee considers enabling the feedback to be best practice.
  1 On the appliance Dashboard, select Edit from the System Health area.
  2 Deselect Show a warning if McAfee GTI feedback is not enabled.
  3 Click OK.

Encryption settings

Define the encryption settings for this policy.

Benefits of configuring encryption

This information describes the benefits associated with configuring encryption. These options allow you to configure, for this policy, whether a message should be encrypted, and the encryption method that you want to use.

Option definitions: Encryption Settings (SMTP)

This information describes the options available on this page.
  When to Encrypt
    Choose from:
      Only when triggered from a scanner action: encrypts all messages that trigger any compliance scanner that has a secondary action of "encrypt".
      Always: encrypts all messages that trigger this policy.
  Encryption server / server group
    Selects where encryption occurs, either on the appliance or externally. Click Manage the server groups to add other encryption servers.
  Manage the server groups
    Click to open the Encryption Servers dialog box where you add lists of encryption servers.
  Prioritize encryption over reroute actions
    If a message triggers a reroute action, you can choose to override the reroute with the encryption action.

On-box Encryption Options
  Encrypt the message using one of
    Choose from:
      S/MIME
      PGP
      Secure Web Mail
    If more than one encryption option is chosen, the encryption methods are attempted in the order that you see here until one is successful.
  Prioritize TLS over content encryption
    If selected, McAfee Email Gateway attempts to use TLS to secure the link. If TLS is established, the content of the message is not encrypted. However, if TLS cannot be established, the message content is encrypted using your chosen encryption methods.
  If none of the selected encryption methods are possible
    If the selected encryption method(s) fail, specify the action that you want to take:
      Attempt delivery using TLS and send an NDR if that is not possible: TLS is enforced for delivery, subject to your TLS settings.
      Send an NDR without attempting delivery using TLS: the email is not delivered, and a report is sent to the sender.

On-box Decryption Options
  Attempt to decrypt S/MIME encrypted emails
    Enable this to configure your appliance to attempt the decryption of messages encrypted using S/MIME. By default, this option is disabled.
  Attempt to decrypt PGP encrypted emails
    Enable this to configure your appliance to attempt the decryption of messages encrypted using PGP. By default, this option is disabled.

The decryption settings are based on the highest-order policy that applies to all recipients. Decryption cannot be configured for policies that only apply to a subset of users. If these options are left disabled, or the appliance is unable to decrypt the message, the Encrypted Content settings are used.

Task: Enabling Secure Web Mail

Enable Secure Web Mail on your McAfee Email Gateway.

Before you begin
If you are using port 443 for management traffic to your McAfee Email Gateway, you cannot enable Secure Web Mail. If you have the management port set to 443, the user interface provides a link to System | Appliance Management | Remote Access, where you can change this.

Task
  1 Navigate to Email | Email Policies | Policy Options | Encryption.
  2 In On-box Encryption Options, select Secure Web Mail.

  3 If required, select Send an NDR if message encryption is not possible.
  4 Click OK.
  5 Apply the changes.

Once you have enabled Secure Web Mail, you need to configure your email policies to use this feature.

Option definitions: Recipients

Use this dialog box to create lists of recipients who will receive notification messages.
  List
    Displays the lists of recipients. Three lists come with the appliance by default: Administration List, Notification List, and Auditing List. The default lists cannot be removed, even if they are empty.
  Add
    Click to open the Edit List dialog box where you can create a new notification list.
  Reset
    Click Reset to remove the information within all fields in the dialog box.

Option definitions: Edit List

Use this dialog box to edit a list of recipients who will receive notification of a detection.
  List name
    Displays the name of the list: either Administration List, Notification List, or Auditing List, or a list that you created yourself.
  Email address
    A list of email addresses that belong to the list. Use the trashcan icon to remove a selected address from the list. The trashcan icon becomes active only when more than one address exists in the list.
  Add
    Click to open the Edit Address dialog box where you can either type or use a template to add a new address to the list.
  Delete
    Deletes the selected user-created notification lists. You cannot delete the built-in lists provided with the appliance.

Option definitions: Edit Address

Use this dialog box to create an address that will receive notification of a detection.
  Standard
    Type in the address that you want to use.
  Template
    Use the template fields to create the address.
  Reset
    Click to remove all information from the fields in this dialog box.

DLP and Compliance overview

The DLP and Compliance pages enable you to register documents that you want to protect from data loss, create content categories, and set up the compliance dictionaries that you want to adhere to.

Contents
  DLP and Compliance: Registered Documents

  Compliance Dictionaries
  Option definitions: Add Dictionary Details
  Option definitions: Applicable File Formats
  Option definitions: OR Condition
  Option definitions: AND Condition
  Option definitions: Edit Regular Expression

Registered Documents

Use this page to register documents for inclusion in the Data Loss Prevention policies.

DLP and Compliance | Registered Documents

Benefits of Data Loss Prevention (DLP)

Use this information to understand the benefits of using Data Loss Prevention with your Email Gateway.

You can restrict the flow of sensitive information sent by email through the appliance. For example, you can block the transmission of a sensitive document, such as a financial report, that is about to be sent outside your organization. Detection occurs whether the original document is sent as an attachment, or as just a section of text taken from the original document.

Configuring DLP takes place in two phases:
  Registering the documents that you want to protect (this topic)
  Setting the DLP policy to act on, and control, the detection

Sensitive documents are uploaded and their content is transformed into a set of signatures representing the original content. Only the signatures are permanently stored on the appliance, not the original contents. Once the policy is set, these signatures are compared against all content sent by email through the appliance to prevent data leakage.

If a document is used by a data loss prevention policy, you cannot delete either the document or any categories that the document belongs to. To delete either the category or the document, the document must first be removed from any associated policies. Hover the cursor over the Used by column to see the policies that use either the category or the document.

Option definitions: DLP Registered Documents

Use this information to understand the options available on the DLP Registered Documents pages of the user interface.
  Categories
    Groups of registered documents. Contains the Excluded Content category by default. Excluded Content is a system category for uploaded standard corporate text (boilerplate text) and corporate templates that you want the appliance to ignore in its data loss prevention checks. Documents in the Excluded Content category have a higher number of signatures than those in other categories. A document in the Excluded Content category can be copied to other categories, but retains its higher number of signatures.
  Status
    The modified icon shows that there are two possible states, with appropriate tool tips:
      The category has been modified (renamed)
      Documents have been added to or removed from the category
    The new icon indicates that the category is new and does not exist in the Data Loss Prevention database. This status disappears as soon as the configuration is applied.
    The normal icon indicates that everything is normal.
  Used by
    Displays the number of data loss policies that use this category.
  Documents
    Displays the number of documents to which this content category applies.
  Add
    Create a content category.
  Clear Selection
    Click to have no category selected.

Option definitions: Documents

Use this information to understand the options available on the Documents pages of the user interface.
  Copy icon
    Copy selected documents to another category. When you select this option, it opens the Search feature, which looks for categories without that document. Documents from other categories cannot be copied into the Excluded Content category. However, you can upload documents from other categories to the Excluded Content category. When you upload a document from another category to the Excluded Content category, the document's signatures increase. The version of the document in the other category then has the same higher number of signatures as the version in the Excluded Content category.
  Search icon
    Look for documents by name in all categories, or just a selected category. Click Clear Selection first to search for a document in all the categories, or select a category to search for a document only in that category.
  Delete icon
    Delete multiple documents by name. When you select this option, it opens the Search feature, which looks for documents by name in all categories or just a selected category. To delete documents from all the categories, click Clear Selection first. If no category is selected, the selected documents are deleted in every category, so that the document is removed entirely from the registered documents database.
  File Name
    Lists all the documents associated with the selected document category.

  Status
    The error icon indicates that there is an error in the document. See the tooltip for the reason, either:
      an error in the database
      an error occurred while uploading the document
      an error occurred during document training
    The modified icon indicates that there are modifications that have not yet been applied.
    The new icon indicates that the document is new. Documents are trained when they are uploaded.
    The normal icon indicates that the document is normal, either:
      the document is unchanged
      the uploaded document was trained successfully
  Digest
    A unique identifier for a file.
  Size
    The size of a file.
  Excluded by
    The number of policies that have this file in the exclusion list.
  Referenced by
    The number of categories that contain this document.
  Signatures
    The number of signatures representing this document.
  Trained on
    The date the document was registered.
  Upload
    Click to register documents against this category, either individually or within an archive. Supported archive formats are:
      Zip (*.zip)
      Gzip (*.gz)
      Bzip2 (*.bz2, *.bz)
      Tar (*.tar)
      gzipped tar (*.tar.gz, *.tgz)
      bzipped tar (*.tar.bz2, *.tar.bz, *.tbz2, *.tbz)
    The Character Encoding drop-down list allows you to specify the character set used for filenames. To upload files in .txt format, McAfee recommends that you save them using Unicode or UTF-8 formats.
  Copy existing
    Click to copy an existing document from other categories into the selected category. When you select this option, it opens the Search feature, which looks for documents that are not currently linked to the selected category, but that exist in other categories.

Documents and Categories behavior

Use this information to understand the behavior of documents and categories used by your Email Gateway.

You might sometimes find that you are unable to edit or remove a content category, or remove a document within that category, and the icon appears unavailable. This is because the category or document is in use by a policy, or the category contains a document that is excluded by a policy. Hold your cursor over the icon to see why it is unavailable. See the following table to find out what you can do to edit or remove the category or document.

  Tooltip text/reason: Cannot delete Document because it's excluded by policy
  Solution: Identify the policy by hovering over the value in the Excluded by column, and remove the document from the policies listed in the tooltip.

  Tooltip text/reason: Cannot edit/delete Category because it's non-editable default
  Solution: This is the default exclusion list.

  Tooltip text/reason: Cannot edit/delete Category because it's in use by a policy
  Solution: Identify the policy by hovering over the value in the Used by column, and remove the category from the policies listed in the tooltip.

  Tooltip text/reason: Cannot edit/delete Category because it contains a document that is excluded by a policy
  Solution:
    1 Select the category to load the documents.
    2 Sort the documents in descending order by clicking the column name.
    3 For each document excluded by one or more policies, hover over the value in the Excluded by column, and remove the document from the policies listed in the tooltip.

Task: Register a document for the Finance group

Understand how to register a document for the Finance group.

Task
  1 Go to DLP and Compliance | Registered Documents.
  2 Click Add, and type Finance.
  3 Select the Finance category, and click Upload.
  4 Browse to the file that you want to register in the Finance category, and click OK.
  5 Apply the changes.

Task: Register multiple documents at the same time

Understand how to register many documents at a time.

Before you begin
Create a zip file that contains the files that you want to register.

Task
  1 Go to Policies | Registered Documents.
  2 Either select a predefined category from the list, or create a new one.
  3 Select the category, and click Upload.
  4 Browse to the zip file that you created, and click OK.
  5 Apply the changes.

Task: Ignore corporate template text in registered documents

Configure your Email Gateway to ignore corporate template text when scanning registered documents.

Task
  1 Go to Policies | Registered Documents.
  2 Select the Excluded Content category, and click Upload.

  3 Browse to the template file that you want to ignore, and click OK.
  4 Apply the changes.

Task: Put a single document in multiple categories

Register a single document within multiple categories.

Task
  1 Go to Policies | Registered Documents.
  2 In the Documents section, select the document, and click the Copy icon.
  3 Select the categories with which you want the document to be associated, and click OK.
  4 Apply the changes.

Task: Remove a document that is excluded by a policy

Remove a document that has been excluded by a policy.

Task
  1 Go to Policies | Registered Documents.
  2 In the document list, locate the file that you want to remove as a registered document, and try to click the Delete icon.
  3 Hover the mouse cursor over the Excluded by entry for that document to find out which policy excludes that document.
  4 Go to Policy Catalog | McAfee Email Gateway 7.5 | Policies, and click Edit Settings.
  5 In the Compliance area, select the Data Loss Prevention policy.
  6 Expand the policy that contains the excluded document.
  7 Click the Delete icon next to the appropriate document in the Exclusions list.

Compliance Dictionaries

Use this page to view and edit compliance dictionaries.

DLP and Compliance | Compliance Dictionaries

The compliance dictionaries contain words and phrases that might offend some readers.

Benefits of using compliance dictionaries

Use this information to understand the benefits of using compliance dictionaries.

Use Compliance scanning to assist with conformance to regulatory compliance and corporate operating compliance. You can choose from a library of predefined compliance rules, or create your own rules and dictionaries specific to your organization. Compliance rules can vary in complexity from a straightforward trigger when an individual term within a dictionary is detected, to building on and combining score-based dictionaries that only trigger when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can be combined using the logical operations "any of", "all of", or "except".

To get information about using dictionaries, see Compliance Settings.

Option definitions: Dictionary list

Use this information to understand the options available from within the user interface for the Dictionaries.
  Language
    Filters the dictionaries by locale. Selecting a language selects all dictionaries available in that language, and any language-neutral dictionaries.
  Dictionary
    Displays the name of the dictionary and a symbol to indicate its type:
      Red book: Non-score-based
      Blue book: Score-based
      Green book: User-defined
      Open book: Currently selected item
  Category
    Dictionaries are grouped into related categories. For example, Profanity and Sex are in the Acceptable Use category.
  Used by
    Displays the number of policies that use the dictionary.
  Edit
    When the icon is clicked, a window opens where you can change the dictionary name and description.
  Delete
    When the icon is clicked, the dictionary on that row is removed.
  Add dictionary
    When clicked, adds a new dictionary. Type a name and description for your dictionary, and select whether the dictionary will match on regular expressions or simple strings. A new row for your dictionary appears at the bottom of the list of dictionaries. You can add words to the new dictionary later.
  Import dictionaries
    When clicked, imports a file to replace your existing dictionaries.
  Export dictionaries
    When clicked, exports the dictionaries as an XML file. You can send the file to other appliances, ensuring that content scanning is consistent.

Option definitions: New Condition

Use this dialog box to enter new terms into a dictionary.

DLP and Compliance | Compliance Dictionaries | Dictionary | Add Condition
  Match type
    Select how the appliance matches terms within this dictionary.
  Applies to
    Select what the term applies to. Click the link and select from the available options.
  Term
    Enter the term that you want the appliance to search for.

List of terms for selected dictionary

Use this information to understand the supporting information given when you select a dictionary. Click a row within the dictionary list to display the contents of that dictionary.

Table 4-93 Option definitions
  Locate icon
    Opens a Locate a term window, where you can type text to locate in the terms of the currently selected dictionary. You can type a regular expression here using Boost Perl Regular Expression Syntax. Regular expressions are case-sensitive; to make a pattern case-insensitive, start it with (?i).
  Copy icon
    Copy the listed terms within the selected dictionary.
  Paste icon
    Paste the copied terms into the selected dictionary.
  Edit description icon
    Open a window where you can change the description for the currently selected dictionary. You cannot change the name of dictionaries supplied by McAfee.
  Delete icon
    Deletes the selected term.
  Conditions (OR)
    For dictionaries that are not score-based, you can view lists of terms that are combined using the logical OR operator. The dictionary triggers when 'any of' the term lists trigger. Individual term lists can apply to different contexts. For example, one term list might look for terms within message bodies while another might look for terms within the subject line.
  Term lists
    For dictionaries that are score-based, you can view the individual lists of terms in the selected dictionary. Individual term lists can apply to different contexts. For example, one term list might look for terms within message bodies while another might look for terms within the subject line.
  Applies to
    Click the link to specify the category and subcategory against which the terms will be searched for, such as looking for terms within an email message subject line.
  Term
    Displays the trigger word or phrase. The icon before the term indicates whether it is a regular expression, simple string or complex term. Hover your mouse cursor over the icon to see the term type.
  Score
    Displays the score attributed to the term. To make the dictionary score-based, click Add. To find out more about using thresholds and scores, see the tasks in Compliance Settings.
  Case sensitive
    If selected, the appliance responds only to text that matches the term exactly in letter case. Example: If the term is Abc, the appliance responds to the word Abc. However, the appliance ignores abc or ABC.
  Wildcard
    When selected, allows the use of ? and * in the term to represent unknown single or multiple characters. Example: If the term is ab?, the appliance responds to the word abc or abd. If the term is ab*f, the appliance responds to the word abcdef or abcf.
  Starts with
    When selected, matches the term when it appears at the start of a word. Example: If the term is bc, the appliance responds to the words bc, bcd or bcdef. However, the appliance ignores abc or abcd.
  Ends with
    When selected, matches the term when it appears at the end of a word. Example: If the term is bc, the appliance responds to the words bc or abc. However, the appliance ignores bcd or abcd.

Table 4-93 Option definitions (continued)
    When used together, Starts with and Ends with match the term when it appears as a whole word. Example: If the term is bc, the appliance responds to the word bc. However, the appliance ignores bcd or abc.
  Edit
    When clicked, opens a window that allows you to change the basic term properties, or create a complex term.
      Term details: Edit the basic term properties, including the actual text that you are looking for, as well as case sensitive, wildcard, and starts with and ends with as defined above.
      Contextual matching (advanced): Set triggers for terms based on proximity to other terms. To set these details, click Add Word or Phrase:
        Display string: Sets the display name for the term in the list of dictionary terms.
        Enable near matching: Enable or disable triggers based on proximity.
        Condition: Specify the conditions under which you want the term to trigger.
        Within a block: Set the proximity within which the terms must be found.
        Word or phrase: The list of terms.
  Delete
    Removes the term from the dictionary.
  Add OR condition
    For dictionaries that are not score-based, click to add new lists that are combined using the logical OR operator, using the following settings:
      Name: The name that you want to apply to the list of terms.
      Description: A unique description for the list.
      Match type: Specify whether the list contains regular expressions, or simple strings.
      Applies to: Click the link to specify the category and subcategory against which the terms will be applied, such as looking for terms within an email message subject line.
      Term: Provide the first term in the list.
    The dictionary triggers when 'any of' the term lists trigger. Individual term lists can apply to different contexts. For example, one term list might look for terms within message bodies while another might look for terms within the subject line.
  Add AND condition
    For dictionaries that are not score-based, click to add new lists that are combined using the logical AND operator, using the following settings:
      Match type: Specify whether the list contains regular expressions, or simple strings.
      Applies to: Click the link to specify the category and subcategory against which the terms will be applied, such as looking for terms within an email message subject line.
      Term: Provide the first term in the list.
    The dictionary triggers when 'all of' the conditions trigger. Individual term lists can apply to different contexts. For example, one term list might look for terms within message bodies while another might look for terms within the subject line.
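The term properties from Table 4-93 (case sensitive, wildcard, starts with, ends with, and the regular-expression match type with its (?i) prefix), the OR and AND conditions above, and the score-based term lists described further on, modelled as an added Python example that is not McAfee code. It assumes Python's re module in place of the appliance's Boost Perl syntax, that wildcards do not cross whitespace, and that a score-based dictionary triggers when the summed score reaches a threshold configured in Compliance Settings (passed in as a parameter here); the dictionaries, patterns and message are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Term:
    """One dictionary term with the properties listed in Table 4-93."""
    text: str
    match_type: str = "simple"    # "simple" string or "regex"
    case_sensitive: bool = False  # simple strings only; a regex uses (?i)
    wildcard: bool = False        # ? = one character, * = any run of characters
    starts_with: bool = False     # term must begin a word
    ends_with: bool = False       # term must end a word
    score: int = 0                # only used by score-based dictionaries

    def pattern(self) -> "re.Pattern[str]":
        if self.match_type == "regex":
            # Regular expressions are case sensitive unless they start with (?i).
            return re.compile(self.text)
        if self.wildcard:
            # Assumption: wildcards stay inside one word (no whitespace crossed).
            body = "".join({"?": r"\S", "*": r"\S*"}.get(ch, re.escape(ch))
                           for ch in self.text)
        else:
            body = re.escape(self.text)
        if self.starts_with:
            body = r"\b" + body     # start of a word
        if self.ends_with:
            body = body + r"\b"     # end of a word; both flags = whole word
        return re.compile(body, 0 if self.case_sensitive else re.IGNORECASE)


def matches(term: Term, text: str) -> bool:
    """True when the term is found anywhere in the text."""
    return term.pattern().search(text) is not None


@dataclass
class TermList:
    applies_to: str          # message part searched ("subject" or "body")
    terms: List[Term]

    def hits(self, message: Dict[str, str]) -> List[Term]:
        text = message.get(self.applies_to, "")
        return [t for t in self.terms if matches(t, text)]


@dataclass
class Condition:
    operator: str            # "any" = OR condition, "all" = AND condition
    term_lists: List[TermList]

    def triggers(self, message: Dict[str, str]) -> bool:
        results = [bool(tl.hits(message)) for tl in self.term_lists]
        return any(results) if self.operator == "any" else all(results)


@dataclass
class Dictionary:
    name: str
    conditions: List[Condition] = field(default_factory=list)  # not score-based
    term_lists: List[TermList] = field(default_factory=list)   # score-based
    threshold: int = 0       # assumption: comes from Compliance Settings


def evaluate(dictionary: Dictionary, message: Dict[str, str]) -> Tuple[bool, int]:
    """Return (triggered, score); score is 0 for dictionaries that are not score-based."""
    if dictionary.term_lists:
        score = sum(t.score for tl in dictionary.term_lists for t in tl.hits(message))
        return score >= dictionary.threshold, score
    return any(c.triggers(message) for c in dictionary.conditions), 0


# Constructed sample dictionaries; the patterns and scores are illustrative only.
SSN = Dictionary("Social Security Number", conditions=[
    Condition("any", [
        TermList("body", [Term(r"\b\d{3}-\d{2}-\d{4}\b", match_type="regex")]),
        TermList("subject", [Term("SSN", starts_with=True, ends_with=True)]),
    ])])

CONFIDENTIAL_ATTACHMENT = Dictionary("Confidential attachment", conditions=[
    Condition("all", [
        TermList("subject", [Term("confidential", starts_with=True, ends_with=True)]),
        TermList("body", [Term("attach*", wildcard=True)]),
    ])])

DISCONTENT = Dictionary("Discontent", threshold=8, term_lists=[
    TermList("body", [Term("resign", score=5), Term("unfair", score=3),
                      Term("lawsuit", score=10)]),
])

SAMPLE_MESSAGE = {  # constructed message used for the demonstration
    "subject": "Confidential: payroll",
    "body": "Employee 123-45-6789 is attached. I may resign, this is unfair.",
}
```

Running evaluate() over SAMPLE_MESSAGE triggers all three constructed dictionaries, DISCONTENT with a score of 8.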

Table 4-93 Option definitions (continued)
  Add Term List
    For dictionaries that are score-based, click to add a list of terms in the selected dictionary, using the following settings:
      Name: The name that you want to apply to the list of terms.
      Description: A unique description for the list.
      Match type: Specify whether the list contains regular expressions, or simple strings.
      Applies to: Click the link to specify the category and subcategory against which the terms will be applied, such as looking for terms within an email message subject line.
      Term: Provide the first term in the list.
    Individual term lists can apply to different contexts. For example, one term list might look for terms within message bodies while another might look for terms within the subject line.
  Insert term
    When clicked, opens a window where you can add a new term using the following settings:
      Term details: Specify the basic term properties, including the actual text that you are looking for, as well as case sensitive, wildcard, and starts with and ends with as defined above.
      Contextual matching (advanced): Set triggers for terms based on proximity to other terms. To set these details, click Add Word or Phrase:
        Display string: Set the display name for the term in the list of dictionary terms.
        Enable near matching: Enable or disable triggers based on proximity.
        Condition: Specify the conditions under which you want the term to trigger.
        Within a block: Set the proximity within which the terms must be found.
        Word or phrase: The list of terms.
    This feature assumes that you have selected a dictionary and one of its terms. When you click OK in the Term Details window, the appliance adds the term to the dictionary, next to the selected term. Both terms have the same condition.

Introduction to regular expressions

Use this information to understand how your Email Gateway responds to regular expressions used when defining dictionary entries.

Characters match themselves except for the following meta-characters: . [ { ( ) \ * + ? | ^ $
  .                    matches any character
  \.                   matches a literal "." character
  \\                   matches a literal "\" character
  (string1|string2)    matches either string1 or string2

Anchors require that an expression is found in a particular place within a string, but do not match any characters (zero-width assertions):
  \b   matches a word boundary (start or end of a word)
  ^    matches the start of a line
  $    matches the end of a line

Character classes match a particular type of character:
  \s      matches any whitespace character
  \w      matches any word character (a-z, A-Z, 0-9 and "_")
  \d      matches any digit
  [abc]   matches any one of the characters a, b or c

Quantifiers apply to the previous term:
  *   matches 0 or more of the previous term
  +   matches 1 or more of the previous term

For example:
  ^aa                         matches lines that start with aa
  bb$                         matches lines that end with bb
  cc                          matches ccd, acc, and accd
  ab*c                        matches ac, abc and abbc
  a\d+b                       matches a2b and a23456b, but not ab
  a.c                         matches abc, but not ac or abbc
  a.*c                        matches ac, abc and adefghc
  a[bcd]e                     matches abe, ace and ade, but not abcde
  It is (lunch|dinner) time   matches "It is lunch time" or "It is dinner time"

Introduction to Graymail

Graymail is bulk email that does not meet the definition of spam. Graymail messages could be considered either spam or legitimate email, depending upon the opinion of the recipient.

Characteristics of Graymail

Graymail is sent to a large number of recipients, but it differs from spam in several ways:
  The user, at one time or another, requested to receive the messages, for example by supplying an email address.
  Graymail messages come from reputable sources who want a relationship with the recipient, such as a customer or client relationship.
  Graymail messages usually offer an unsubscribe option.
  Graymail typically contains content that might be of value to the recipients, and that might appeal to their interests.
  Graymail often includes an element of timeliness, such as an expiration date for an offer of goods or services.

Requested or solicited messages become graymail when the recipient becomes less interested in receiving them.

The Graymail dictionary

In the Compliance policy settings of the Default policy, McAfee Email Gateway includes the Graymail dictionary. The dictionary contains a static list of terms and is read-only. It cannot be edited. You can copy terms from the Graymail dictionary to be used in a new dictionary if necessary. You can find it in the list at DLP and Compliance | Compliance Dictionaries.

Using the Graymail dictionary

When you enable Compliance (Email Policies | Compliance), the Graymail dictionary is available to be included in your policies. Treat it as you would any other dictionary. You can enable it in the Default policy, or create a new policy to apply it. You can also enable or disable the Graymail feature through the Setup Wizard.

Graymail detections show in reports as Compliance detections triggered against the Graymail rule group, along with the term that triggered the detection.

Task: Configure Graymail in the Setup Wizard

You can enable or disable Graymail protection as part of setting up your appliance. You can enable Graymail protection in your original setup, or return to the Setup Wizard to enable or disable it.

Task
  1 Navigate to the Setup Wizard (System | Setup Wizard). The Setup Wizard opens to the first page.
  2 Complete the steps, or click Next for each step to leave them unchanged, until you reach step 6, Configuration.
  3 Click the Enable Graymail Protection check box. If you check the box, Graymail is enabled. If you do not check the box, Graymail is disabled. If you leave the check box unchanged from the way you found it, the Graymail configuration is not updated.
  4 Complete the Setup Wizard to the Summary page. If you have modified the Graymail action from the default setting to another setting through policy management, and have left the check box unchanged, the Summary shows one of four status messages:
      Graymail is enabled: you checked the check box.
      Graymail is already configured: you did not check the box, but it was already checked.
      Graymail is enabled, but it is not using the default action: the box was already checked, but the action has previously been modified from the default action. You can navigate back to the Configuration page in the Setup Wizard and uncheck then recheck the check box to enable Graymail protection with the default action.
      Graymail is disabled: you unchecked the box, or it was already unchecked.
  5 Review the Summary, then click Finish. The Setup Wizard completes and the appliance reconfigures.

Graymail protection is configured.

Task: Adding a new dictionary

Use this task to add a new dictionary for compliance terms.

Task
1 Go to DLP and Compliance | Compliance Dictionaries.
2 Click Add Dictionary and specify its details:
   - Type the name of the dictionary.
   - Optionally provide a description.
   - Select whether you want to match simple strings or regular expressions.
3 Click OK. The dictionary appears selected in the dictionary list, and its term list appears at the bottom of the page.
4 Click the edit icon next to the default term new term, replace it with the text you want to trigger on, and click OK.
5 Click Insert Term to add new terms to the dictionary.
6 Apply the changes.

Task: Adjust the scores associated with the Discontent dictionary

Use this task to fine-tune the scores associated with a specific dictionary.

Task
1 Go to DLP and Compliance | Compliance Dictionaries.
2 Select the Discontent dictionary.
3 In the Term List, select the term you want to adjust, and change its score.
4 Apply the changes.

Task: Test the social security number regular expressions

Use this task to check that the gateway is correctly interpreting the regular expressions used to identify social security numbers.

Task
1 Go to DLP and Compliance | Compliance Dictionaries.
2 Select the Social Security Number dictionary.
3 Select the first regular expression, click the edit icon, and click Test.
4 Type This is a social security number, and click OK. The Matches area shows the text that matches the regular expression. Click OK or Cancel twice.

5 Select the second regular expression, click the edit icon, and click Test.
6 Type Here is the number , and click OK. The Matches area shows the text that matches the regular expression. Click OK or Cancel twice.

Task: Add a complex term to find the word Poker only when it is close to the word Game

Use this task to add a complex term to the dictionary. A complex term is a word or phrase that has a dependency on another word or phrase.

Task
1 Go to DLP and Compliance | Compliance Dictionaries.
2 Either create a new, or select an existing, non score based dictionary (indicated by a red book).
3 In the Term List, click Insert Term, and type poker.
4 Select Contextual matching (advanced), and click Add Word or Phrase.
5 Type Game. In Display string, type Poker near Game.
6 In Within a block, change the value, then click OK and apply the changes.

Option definitions: Add Dictionary Details

Use this dialog box to enter or change details about a dictionary list.
DLP and Compliance | Compliance Dictionaries | dictionary list | Add Dictionary

Name: Enter a name to identify the dictionary list by.
Description: If required, add a description for the dictionary list.
Language: Define the language for the content of the list.
Match type: Select how the appliance matches terms within this dictionary.

Option definitions: Applicable File Formats

This information describes the options available on this dialog box.

Everything: Deselect this to specify specific file categories and subcategories, or leave it selected for all file types to be scanned.
File categories: With the Everything check box deselected, choose the categories of files to be added into the DLP Compliance Dictionaries.
Subcategories: Within the selected category of files, select the subcategories that you want included within each chosen category.
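The tasks above combine three dictionary behaviours: a match type of simple strings or regular expressions, per-term scores in a score based dictionary such as Discontent (the dictionary triggers once the accumulated score reaches a threshold), and a complex term such as "Poker near Game" that only counts when the second word appears within a block of words around the first. The following Python model is an added example, not the appliance's code: the Dictionary and Term classes, the word-window proximity check, and the sample terms, scores, thresholds and input sentences are all constructed for illustration.

```python
import re
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Term:
    text: str                    # simple string or regular expression, per the dictionary's match type
    score: int = 1               # only meaningful in a score based dictionary
    near: Optional[str] = None   # contextual matching: the term counts only if this word is close by
    block: int = 10              # "Within a block" size, in words, for the contextual check


@dataclass
class Dictionary:
    name: str
    match_type: str              # "simple" (substring) or "regex"
    terms: List[Term]
    threshold: int = 1           # score that must be reached for the dictionary to trigger
    case_sensitive: bool = False


def _word_tokens(text):
    """Start offset and text of every whitespace-delimited word."""
    return [(w.start(), w.group(0)) for w in re.finditer(r"\S+", text)]


def _near(text, match, word, block, case_sensitive):
    """True if `word` appears within `block` words on either side of `match`."""
    tokens = _word_tokens(text)
    starts = [s for s, _ in tokens]
    idx = max(bisect_right(starts, match.start()) - 1, 0)   # word containing the match
    window = " ".join(w for _, w in tokens[max(idx - block, 0): idx + block + 1])
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(r"\b" + re.escape(word) + r"\b", window, flags) is not None


def evaluate(dictionary, text):
    """Return (score, hits); hits are (term text, matched text) pairs that counted."""
    flags = 0 if dictionary.case_sensitive else re.IGNORECASE
    score, hits = 0, []
    for term in dictionary.terms:
        pattern = term.text if dictionary.match_type == "regex" else re.escape(term.text)
        for m in re.finditer(pattern, text, flags):
            if term.near and not _near(text, m, term.near, term.block, dictionary.case_sensitive):
                continue                      # "poker" seen, but no "game" in the block
            score += term.score
            hits.append((term.text, m.group(0)))
    return score, hits


def triggers(dictionary, text):
    """True when the accumulated score reaches the dictionary's threshold."""
    return evaluate(dictionary, text)[0] >= dictionary.threshold


# Constructed dictionaries: terms, scores and thresholds are illustrative,
# not the appliance's shipped Discontent or Social Security Number lists.
DISCONTENT = Dictionary("Discontent (constructed)", "simple", [
    Term("unfair", score=3), Term("quit", score=5), Term("lawsuit", score=5)], threshold=5)

POKER_NEAR_GAME = Dictionary("Gambling (constructed)", "simple", [
    Term("poker", near="Game", block=10)])    # the "Poker near Game" complex term

SSN = Dictionary("Social Security Number (constructed)", "regex", [
    Term(r"\b\d{3}-\d{2}-\d{4}\b")])           # bounded so longer digit runs are ignored

if __name__ == "__main__":
    print(evaluate(DISCONTENT, "This is unfair and I will quit"))
    print(triggers(POKER_NEAR_GAME, "we played poker until the game broke up"))
    print(evaluate(SSN, "Here is the number 123-45-6789"))
```

Note that a simple-string term matches as a substring ("quit" inside "quite"), which is why a term that should only fire as a whole word is better entered as a regular expression with \b anchors, or qualified with contextual matching as in the Poker near Game task.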

Option definitions: OR Condition

This information describes the options available on this dialog box.

Name: The name of the dictionary to which this condition applies.
Description: An optional text field to enable you to enter descriptive information about this condition and the categories/subcategories it contains.
Match type: Choose from Simple strings or Regular expressions.
Applies to: Set to Everything by default. Click to open the Applicable File Formats dialog box to choose the categories and subcategories to which you want the condition to apply.
Term: The term that you want to use for the condition.

Option definitions: AND Condition

This information describes the options available on this dialog box.

Match type: Choose from Simple strings or Regular expressions.
Applies to: Set to Everything by default. Click to open the Applicable File Formats dialog box to choose the categories and subcategories to which you want the condition to apply.
Term: The term that you want to use for the condition.

Option definitions: Edit Regular Expression

This information describes the options available on this dialog box.

Table 4-94 Option definitions: Edit Regular Expression
Term: Enter the regular expression to be used to match content within the searched documents.
Test: Click the Test button to launch the Regular Expression Test Interface (see Table 4-95).
Case sensitive: Select to make the regular expression search case sensitive.
Description: Enter optional descriptive text for this regular expression.

Table 4-95 Option definitions: Regular Expression Test Interface
Regular Expression: The regular expression entered in the Edit Regular Expression dialog box is displayed.
Case sensitive: Select to make the matching case sensitive.
Input text to test the Regular Expression: Copy and paste, or type in, some text that you want to be detected by the regular expression.
Matches: Information about the way the regular expression finds matches within the input test text is given.

Encryption

The Encryption pages enable you to set up McAfee Email Gateway to use the supported encryption methods to securely deliver your email messages.

The McAfee Email Gateway includes several encryption methodologies, and can be set up to provide encryption services to the other scanning features, or can be set up as an encryption-only server used just to encrypt messages.

Contents
Types of Encryption
Secure Web Mail
S/MIME
PGP encryption
TLS
Secure Web Mail Branding
Task: Encrypt all email that triggers against the HIPAA compliance dictionaries
Task: Use S/MIME to encrypt all email to a specific target domain
Task: Deliver all email from a specific customer using S/MIME encryption
Task: Use PGP to encrypt all messages
Task: Deliver all email from a specific customer using PGP encryption

Types of Encryption

Information about the types of encryption methods that are available on the McAfee Email Gateway.

McAfee Email Gateway includes several different encryption methods to enable you to configure your appliance to best match your existing email and network topology. These can be divided into the following groups:

Server to server encryption

Server to server encryption, as its name suggests, uses encryption to secure the transmission of messages between email servers. Many different methods of securing the server to server traffic are available. McAfee Email Gateway can be configured to use the following methods to secure the server to server link:
- Transport Layer Security
- S/MIME
- PGP

Secure Web Mail

You cannot always guarantee that the messages being sent from within your organization will be going to a secure destination server. In this circumstance, you can still send secure messages by using the Secure Web Mail options built into McAfee Email Gateway. You can use two methods of Secure Web Mail: push delivery and pull delivery.

Pull delivery

With pull delivery, the secure message is stored on the McAfee Email Gateway, and, after receiving a notification, the end user must log into their Secure Web Mail account and "pull" the message from the McAfee Email Gateway.

Advantages of Pull delivery include:
- Good access to the message from handheld devices.
- Works well with low bandwidth connections.
- Can be used to transmit files that are larger than many email server limits.
- Messages only cross the network once.

Disadvantages of Pull delivery include:
- The McAfee Email Gateway has limited storage space, so the longevity of the message is limited.
- Messages cannot be accessed if the McAfee Email Gateway is offline.

Push delivery

With push delivery, the end user is sent a notification that contains the encrypted message as an attachment; the encrypted message is "pushed" to the end user's system. To read the message, the user needs to log onto the McAfee Email Gateway. During this process, the encrypted message is returned to the McAfee Email Gateway, where it is decrypted. The decrypted message is then viewed by the end user in a secure browser.

Advantages of Push delivery include:
- As the encrypted messages are stored on the end users' systems, the longevity of the message is unlimited.
- The McAfee Email Gateway handles all the encryption key and certificate generation for each recipient.
- The message is secure, as only the McAfee Email Gateway can decrypt the message.

Disadvantages of Push delivery include:
- Push delivery of secure messages does not work well on handheld devices.
- Messages must cross the network three times to be read.
- Does not work well on low bandwidth connections.
- With a large number of end users concurrently accessing their secure messages, the CPU load on the McAfee Email Gateway can be high.
- Messages cannot be accessed if the McAfee Email Gateway is offline.

Secure Web Mail

Use this information to understand Secure Web Mail, and to know how to configure your McAfee Email Gateway to deliver messages securely.

When a secure server to server connection cannot be made, it is still possible to deliver messages securely. This can be particularly useful when sending confidential information to end users who may not be using secure email servers. McAfee Email Gateway can be configured to use both push and pull delivery methods to securely deliver messages.

Contents
Supported browsers for Secure Web Mail
Secure Web Mail Basic Settings
Secure Web Mail User Account Settings
Secure Web Mail User Management
Secure Web Mail Password Management
Message Management
Certificates

Supported browsers for Secure Web Mail

Discover the browsers that are supported by the Secure Web Mail Client within McAfee Email Gateway.

Within McAfee Email Gateway 7.5.0, the Secure Web Mail Client supports sending Secure Web Mail to end users accessing their secure email from several desktop browsers and mobile operating systems.

Table 4-96 Compatible desktop browsers for Secure Web Mail
Browser: Version
Microsoft Internet Explorer: 7, 8, 9
Mozilla Firefox: 3.6, 4, 5, 6
Apple Safari: 4, 5

Table 4-97 Compatible operating systems for accessing Secure Web Mail using mobile devices
Operating System: Version
Android: 2.1, 2.2, 2.3
Apple iOS: iPhone 3GS / iPhone 4
Blackberry OS: 6
webOS: 1.4
Symbian: S60 5th Edition
Windows Phone: 7

Secure Web Mail Basic Settings

Use this information to understand the basic settings needed to configure Secure Web Mail.
Encryption | Secure Web Mail | Basic Settings

Benefits of configuring Secure Web Mail

Learn about the benefits of configuring your McAfee Email Gateway to deliver messages using Secure Web Mail.

Depending on the industry in which you engage, you may be bound by particular laws and rules about the transmitting of private information. One example of this is the Privacy Rule within the Health Insurance Portability and Accountability Act (HIPAA) in the United States of America. This rule contains regulations relating to the use and disclosure of Private Health Information (PHI), and care must be taken not to violate this rule by sending PHI beyond that required for the specific need, or by sending information in a format that could be easily intercepted and read by unauthorized persons.

McAfee Email Gateway assists you by enabling compliance policies that meet the requirements of many of the laws and rules requiring the safeguarding of data. Having scanned your outgoing messages against the built-in compliance libraries to identify whether the content of your message breaches any of the relevant libraries, the McAfee Email Gateway can take specified actions, such as using a secure delivery method to attempt the delivery of the message.

Most methods for the secure delivery of messages rely on both the sending and the receiving servers using the same encryption methods, such as S/MIME, PGP or SSL/TLS encryption. Although your McAfee Email Gateway can be configured to use these encryption methods, these settings are of no use if the receiving server is not also configured to use encryption. In this circumstance, McAfee Email Gateway uses Secure Web Mail to notify the recipient that an encrypted message has been sent to them, and provides the information they need to set up a secure connection to the McAfee Email Gateway so that they can retrieve the message using Secure Web Mail.

Using Secure Web Mail also gives other benefits, including:
- The messages are formatted so that they can be easily read on handheld devices.
- The messages are delivered using low bandwidth connections.
- Large messages can be delivered without hitting the typical email server size limitations.

Options for Basic Settings

Understand the options available for configuring the basic settings for Secure Web Mail.

Option definitions: Enabled
Enable the Secure Web Mail Client: Select this to enable the Secure Web Mail Client on your McAfee Email Gateway. After enabling the Secure Web Mail Client, configure your Email Policies to set the triggers for using this feature.
Scan messages composed in the Secure Web Mail Client: Select to force all messages composed from within the Secure Web Mail Client to be scanned for malicious content.
Secure Web Mail host name: Enter the hostname for the appliance. When configuring a cluster of appliances, or when configuring a blade server, ensure that you use the DNS host name associated with the virtual IP address that is shared by the master and failover devices.

Option definitions: Locale
Default locale: Select the default language that is to be displayed within the notifications. Once the end user receives their Secure Web Mail: Welcome message and clicks to activate their account, they are able to select their own preferred language.

Option definitions: Contact Details
Postmaster name: Use this field to define the address that is added to the notification messages received by the end user.
Use the postmaster address as the support contact: By default, the end user will request support using the postmaster address details. By deselecting this option, you can then define a Support contact address and Support contact name.
Support contact address: If you choose to define a separate support contact for your end users, enter the Support contact email address that the end users will see.
Support contact name: If you choose to define a separate support contact for your end users, enter the Support contact name that the end users will see.

Option definitions: Branding
Within Secure Web Mail, you can create themes and notifications based around your company style and logo, so that the recipients of the messages are aware of your organization.
Theme: Select the theme that the end users will see when logging into Secure Web Mail. Create themes in Encryption | Branding to add them to this drop-down list.
Notification messages: Select the notification branding that the end users will see when they receive a Secure Web Mail notification. Create customized notifications in Encryption | Branding to add them to this drop-down list.

Secure Web Mail User Account Settings

Understand the user account settings needed to configure Secure Web Mail.
Encryption | Secure Web Mail | User Account Settings

Benefits of setting up encryption user accounts

This information describes the benefits of creating encryption user accounts.

To provide secure delivery of messages using the Secure Web Mail Client, you must first configure the user account settings within your McAfee Email Gateway. These options enable you to specify whether your McAfee Email Gateway digitally signs the notification emails, and whether users are allowed to auto-login to the Secure Web Mail Client.

You can specify parameters relating to both the PULL and PUSH methods of delivering messages, including configuring the maximum message sizes and other method-specific parameters. Additionally, you can configure how you allow the end users to read and compose messages using the Secure Web Mail Client.

Options for Secure Web Mail User Account Settings

This information describes the options available on this page.

Option definitions: Enrolment and Notification
Enable auto enrolment: With Enable auto enrolment selected, a user will automatically have a Secure Web Mail account created on the McAfee Email Gateway if an email is delivered to them through the McAfee Email Gateway that triggers a rule that enforces encryption. Selected by default.
Digitally sign outgoing notifications: By default, all outgoing Secure Web Mail notifications are digitally signed by the McAfee Email Gateway.
Use HTML rather than plain text for notifications: By default, all Secure Web Mail notifications are sent in HTML format. However, to conserve bandwidth, you can deselect this option to send plain text notifications.

Option definitions: Message Encryption PULL Messages
Allow messages to be stored on the gateway (PULL messages): Set message parameters for messages stored on the gateway:
- Maximum message size. Messages that exceed this size cannot be sent using the PULL mechanism.
- Expiry time for read messages. Set the time that each message will be stored on the appliance after it has been read.
- Expiry time for unread messages. Set the time that each message will be stored on the appliance in its unread state.
- Warning period for expiring messages. Configure when a warning will be sent to the user informing them that the message is about to expire.
Notify recipients of unread PULL messages: Choose whether to notify recipients of unread messages sent using the PULL method of encryption delivery. When selected, you can also configure the Interval between notifications in days.

Option definitions: Message Encryption PUSH Messages
Allow messages to be stored on end users' systems (PUSH messages): Set message parameters for messages stored on end users' systems:
- Maximum message size. Messages that exceed this size cannot be sent using the PUSH mechanism.
Follow the link to configure the encryption and escrow certificates to use for PUSH messages.

Option definitions: Reading and Composing
Allow the user to: Set the actions that the user can take on encrypted messages:
- Print messages
- Reply to messages
- Compose new messages
- Bcc messages
- Forward messages
Maximum message size (including attachments): Set to 1MB by default.

Task: Restrict the generated Secure Web Mail notifications to plain text rather than HTML

Use this task to send notification messages in plain text.

Task
1 Click Encryption | Secure Web Mail | User Account Settings.
2 Deselect Use HTML rather than plain text for notifications.
3 Apply the changes.
All Secure Web Mail notification messages are sent in plain text.

Task: Restrict Secure Web Mail encryption to be push only

Use this task to have encrypted messages stored on end users' systems.

Task
1 Click Encryption | Secure Web Mail | User Account Settings.
2 In Message Encryption PULL Messages, deselect Allow messages to be stored on the gateway.
3 In Message Encryption PUSH Messages, select Allow messages to be stored on end users' systems.
4 Apply the changes.

Secure Web Mail User Management

Manage the Secure Web Mail end user accounts on your McAfee Email Gateway.
Encryption | Secure Web Mail | User Management

Benefits of managing end user accounts

Understand the benefits of managing the end user accounts on your McAfee Email Gateway.

When using Secure Web Mail to ensure that your end users can securely receive encrypted messages, you will need to create, lock, unlock or delete these end user accounts from your McAfee Email Gateway. Some of the situations where you need to use these features include:
- Infrequent users of the Secure Web Mail system forgetting their passwords, and contacting the configured support address requesting help.
- Users who have expired passwords, needing to have their accounts reactivated.
- End users that request that their accounts are removed from your servers.

Option definitions: User Management

Manage the Secure Web Mail end user accounts on your McAfee Email Gateway.

User Search
Email address: To search for a particular Secure Web Mail end user, enter a full or partial email address, and click Search. All user accounts matching your search are displayed in the User Search table. You can refine your search using the options in the Status drop-down menu.
For the selected users:
- Reset account: Sends an email notification to the recipient so that they can reset their password and unlock their account.
- Lock Account: Prevents the user from accessing their account.
- Delete Account: Deletes the account and all the user's messages.
Domain: Displays all unique domains that use Secure Web Mail.
Refresh: Refreshes the domain list.

User Creation
Email address: Enter the email address for the end user account you are creating.
Create: After entering and confirming the email address for the end user account, click Create. The new user account information is displayed in the User Search table.

Task: Manage specific Secure Web Mail user accounts

Use this task to.

Task
1 Go to Encryption | Secure Web Mail | User Management.
2 In User Search, add the email address of the user whose account you wish to lock, such as user@example.domain.com, and click Search. The table displays the status of the account, including information such as the number of read and unread messages and the last time that user logged in. The number of read and unread messages is updated every 15 minutes.
3 Select the email address, and in For the selected users, select Lock account, then click Perform action. The next time you search for this user, the account shows its Status as Locked. To unlock the account, select it, and click Reset account.

Secure Web Mail Password Management

Configure your end user password management settings for Secure Web Mail.
Encryption | Secure Web Mail | User Management

Benefits of using passwords to get encrypted messages

Understand why correctly setting the end user password complexity, frequency of change and the change process is important in maintaining the security of Secure Web Mail.

To ensure that the messages sent using the Secure Web Mail Client software are only read by the intended recipient, the end user needs to set up an account on the McAfee Email Gateway. As with many accounts administered over the internet, this requires that the end user has a username (the email address) and a password set up. Using a suitable password ensures that encrypted messages cannot be read by people other than the intended recipient.

McAfee Email Gateway allows you to define a suitable end user password policy, which includes specifying how complex you require the chosen passwords to be, how long each password is valid for, and the process required to update existing passwords. A complex password is more secure than a very simple one, but is more likely to create a greater volume of "forgotten password" reset requests from your end users. Therefore, you need to decide the balance between complex passwords that are likely to generate many reset requests and simpler passwords that will require less maintenance.

Options for Secure Web Mail Password Management

This information describes the options available on this page.

Option definitions: Password Complexity
Minimum length: Select the minimum length that you will allow for end user passwords. Longer passwords are more secure, but may result in more calls to your support address as end users find them more difficult to remember.
Minimum number of ALPHA characters: Specify the minimum number of alphabetical characters to be used within the end users' passwords. To increase security, you can also Require a mixture of upper and lowercase characters to be used. The more different types of characters that may be used within an end user's password, the more secure that password can be made.
Minimum number of DIGIT characters: Forcing your end users to use numbers within their passwords improves the security of the passwords.
Minimum number of SPECIAL characters: The more different types of characters that may be used within an end user's password, the more secure that password can be made. Forcing your end users to use special characters within their passwords improves the security of the passwords. Special characters are non-alphanumeric characters such as underscores (_), hyphens (-) and other punctuation.

Option definitions: Password Change Control
Enable password expiry: Decide whether your end users will need to periodically renew their passwords. Specify the Password lifetime in days, and also the Grace period they are allowed before the Password lifetime, during which they are still allowed to log into the Secure Web Mail system, but are then forced to change their password.
Enable password expiry reminders: Choose whether you want your end users to be notified that their passwords are due to expire. Also, select the required Interval between reminders.
Number of recent passwords to disallow: Use this field to prevent end users from re-entering their previous passwords.
Minimum interval between password changes: Specify any limits you want to place on the frequency with which end users can change their passwords.

Option definitions: Challenge / Response
Enable challenge / response: Choose whether you want users to reset passwords without going through any security questions.
Number of answers held against a user: Set the number of potential answers a user must provide to set up their challenge response questions. To provide secure password changing, McAfee recommends that at least 5 challenge response questions are used.
Number of questions to ask a user: When challenge response is enabled, set how many questions each user must answer correctly to pass the security check. To provide secure password changing, McAfee recommends that at least 2 challenge response questions are asked of the end user.

Message Management

The Message Management options provide information about the number of messages stored on your system, and the disk space you have available, so you can remove some if necessary.
Encryption | Secure Web Mail | Message Management

The page is divided into these sections:
- Statistics
- Purge Messages

Benefits of Message Management

Use the Message Management options to find out how many messages are stored and remove any if necessary.

Messages are categorized into Read, Unread, and Draft, and the amount of available disk space is shown, allowing you to choose whether you need to remove some messages. Messages can be removed depending on their type, or their age.
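The Password Complexity and Password Change Control settings described above define a policy; the following Python code is an added example (not McAfee's implementation) of applying such a policy to a candidate password: the character-class minimums and mixed-case requirement, the disallowed recent passwords (kept as salted PBKDF2 digests rather than cleartext, so the history itself is not a second copy of the secret), the minimum change interval, and a lifetime/grace/reminder state for an existing password. The PasswordPolicy field names, the fixed REFERENCE_NOW clock used to make the examples reproducible, and the reading of the grace period as the window immediately before the lifetime is reached are assumptions made for this example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

SPECIAL = set(string.punctuation)   # non-alphanumeric characters such as _ and -
REFERENCE_NOW = datetime(2013, 6, 1, 9, 0)   # fixed clock so the examples are reproducible


@dataclass
class PasswordPolicy:
    # Field names are assumed; they mirror the option names in the guide.
    min_length: int = 8
    min_alpha: int = 1
    min_digit: int = 1
    min_special: int = 0
    require_mixed_case: bool = False
    recent_disallowed: int = 5                       # Number of recent passwords to disallow
    min_change_interval: timedelta = timedelta(days=1)
    lifetime: timedelta = timedelta(days=90)         # Password lifetime
    grace: timedelta = timedelta(days=7)             # Grace period before the lifetime is reached
    reminder: timedelta = timedelta(days=14)         # how far ahead expiry reminders start


def earlier(days=0, hours=0):
    """A timestamp that many days and hours before REFERENCE_NOW."""
    return REFERENCE_NOW - timedelta(days=days, hours=hours)


def complexity_violations(password, policy):
    """Names of the Password Complexity rules the candidate password breaks."""
    v = []
    if len(password) < policy.min_length:
        v.append("min_length")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        v.append("min_alpha")
    if sum(c.isdigit() for c in password) < policy.min_digit:
        v.append("min_digit")
    if sum(c in SPECIAL for c in password) < policy.min_special:
        v.append("min_special")
    if policy.require_mixed_case and not (
            any(c.islower() for c in password) and any(c.isupper() for c in password)):
        v.append("mixed_case")
    return v


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest; the history stores these, never cleartext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reused_recently(password, history, policy):
    """True if the password equals one of the N most recent entries (history is newest first)."""
    for salt, digest in history[:policy.recent_disallowed]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def change_violations(new_password, history, last_changed, now, policy):
    """All reasons a password change request must be rejected (empty means accept)."""
    v = complexity_violations(new_password, policy)
    if reused_recently(new_password, history, policy):
        v.append("recent_reuse")
    if last_changed is not None and now - last_changed < policy.min_change_interval:
        v.append("min_interval")
    return v


def expiry_state(last_changed, now, policy):
    """One of ok / reminder / grace / expired for an existing password."""
    age = now - last_changed
    if age >= policy.lifetime:
        return "expired"      # login refused until the password is reset
    if age >= policy.lifetime - policy.grace:
        return "grace"        # may still log in, but is forced to change the password
    if age >= policy.lifetime - policy.reminder:
        return "reminder"     # an expiry reminder is due
    return "ok"


if __name__ == "__main__":
    strict = PasswordPolicy(min_special=1, require_mixed_case=True)
    print(complexity_violations("password", strict))     # constructed weak candidate
    history = [hash_password("Winter2013!")]             # constructed previous password
    print(change_violations("Winter2013!", history, earlier(hours=2), REFERENCE_NOW, strict))
    print(expiry_state(earlier(days=85), REFERENCE_NOW, strict))
```

The trade-off the guide describes shows up directly in complexity_violations: every additional rule enabled in the policy is one more reason a self-chosen password is rejected, and therefore one more source of reset requests to the support contact.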

Option definitions: Message Management

See the number of messages stored by type, and choose any that you want to remove.

Statistics: Shows the number of read, unread, and draft messages and the amount of available disk space.
Purge Messages: Choose the messages that you want to remove:
- Messages to delete: All, or one or more of Read messages, Unread messages, Draft messages.
- Older than x number of: Days, Weeks, Months.

Certificates

Use this page to specify the contents of a self-signed digital certificate for the appliance.
Encryption | Secure Web Mail | Certificates

To create a certificate that is signed by a Certification Authority, generate a Certificate Signing Request, and import the signed certificate.

Useful web sites
ISO 3166:

Benefits of using certificates with the appliance

This information describes the benefits of using certificates on your McAfee Email Gateway to transfer email securely.

Certificates allow the traffic from your McAfee Email Gateway to be trusted by other systems. They typically have a lifetime of several months or years, so they do not need to be managed often.

Option definitions: Certificates

View information about certificates stored on your McAfee Email Gateway. The following information applies to the Web Client HTTPS Certificate and the Notification Signing Certificate.

Country [C]: Specifies a two-letter code such as CN, DE, ES, FR, JP, KR (see ISO 3166). Default value is US.
State or province [ST], Town or city [L]: Specifies the location of your organization. Give a full name rather than an abbreviation.

Organization [O]: Specifies the name of your organization, such as Example, Inc.
Organizational unit [OU]: Default value is Email Gateway.
Common name [CN]: Displays the domain name of your appliance, such as server1.example.com.
Email address [ea]: Specifies an email address, for example aaa@mcafee.com.
View: Click to view the certificate details.
Import: When clicked, opens a window where you can specify the file. To import a password protected certificate, type the passphrase to unlock the private key. The appliance stores the decrypted certificate in a secure internal location. The appliance only verifies the certificate, and makes it available to use, after you click the icon to apply your changes.
Export: When clicked, opens a window where you can specify a passphrase, then download a file. The file name extension is CRT (base 64 encoded) or P12 (PKCS#12). The certificate is in PEM format.
Generate Certificate Signing Request: When clicked, opens a window where you can request that the Certificate Signing Request is signed by a Certificate Authority on the appliance or by an external Certificate Authority. The file name extension is CSR.
Regenerate: When clicked, you are prompted to confirm that you want to regenerate the certificate and private key.

Entries in the fields determine the information that appears in a subsequent certificate signing request (CSR). For internally self-signed certificates, the information is used to regenerate the certificates. Subsequent viewing of these certificates reflects the changes, along with new valid to and valid from dates. For externally signed certificates, changing the option settings has no immediate effect on the viewable certificate details. You must regenerate the CSR, have it externally signed, and then import it in order to see the changed information.

The View link opens the Certificate Details window, containing the detailed information about the certificate.

S/MIME

Understand how McAfee Email Gateway uses S/MIME to provide encrypted delivery of messages.
Encryption | S/MIME

Contents
S/MIME Encryption Certificate
S/MIME Sending

S/MIME Encryption Certificate

Use this information to understand the settings needed to configure your S/MIME Encryption Certificate.
Encryption | S/MIME | S/MIME Encryption Certificate

Benefits of using S/MIME certificates

Use S/MIME certificates to send and receive server based messages when the receiving server will not accommodate a secure session.

Using S/MIME certificates, McAfee Email Gateway checks each incoming message to see if it is an S/MIME message. If it is, Email Gateway checks for a key to decrypt the message. If the key exists, the message is decrypted; if not, it is treated as a normal message.

Before you can use the S/MIME features, you must obtain and install your individual S/MIME certificate. You can obtain it from either your in-house certificate authority (CA) or a public CA.

Option definitions: S/MIME Encryption Certificate

Information about the encryption certificates used for S/MIME transmission of messages.

Country [C]: Specifies a two-letter code such as CN, DE, ES, FR, JP, KR (see ISO 3166). Default value is US.
State or province [ST], Town or city [L]: Specifies the location of your organization. Give a full name rather than an abbreviation.
Organization [O]: Specifies the name of your organization, such as Example, Inc.
Organizational unit [OU]: Default value is Email Gateway.
Common name [CN]: Displays the domain name of your appliance, such as server1.example.com.
Email address [ea]: Specifies an email address, for example aaa@mcafee.com.
Import: When clicked, opens a window where you can specify the file. To import a password protected certificate, type the passphrase to unlock the private key. The appliance stores the decrypted certificate in a secure internal location. The appliance only verifies the certificate, and makes it available to use, after you click the icon to apply your changes.
Export: When clicked, opens a window where you can specify a passphrase, then download a file. The file name extension is CRT (base 64 encoded) or P12 (PKCS#12). The certificate is in PEM format.
Generate Certificate Signing Request: When clicked, opens a window where you can request that the Certificate Signing Request is signed by a Certificate Authority on the appliance or by an external Certificate Authority. The file name extension is CSR.

S/MIME Sending

Understand the settings needed to configure your S/MIME Sending options.
Encryption | S/MIME | S/MIME Sending

267 Overview of menu Encryption 4 s Sending Specify and view the S/MIME information needed for sending using S/MIME. Escrow certificate Message encryption algorithm S/MIME Encryption Certificates for External Domains Domain S/MIME Certificate Add Domain View Certificate Delete Selected Domains Manage S/MIME Encryption Certificate Select from the available certificates. When you have selected a certificate, click View certificate to see the information within it. Select from the available algorithms. Selecting a larger key size is more secure, but will be slower each time the algorithm is used. See the currently stored S/MIME Encryption Certificates for External Domains. You can add or delete domains from this list, or view the certificates provided by each domain. Use Filter to help find a particular certificate Lists the domain to which each S/MIME encryption certificate applies. Shows detail about the S/MIME encryption certificate. Add a new external domain to the list. View information about the selected S/MIME encryption certificate. Delete the selected domains and their S/MIME encryption certificates. Click to move to Certificate Management Certificates S/MIME Encryption Certificates. PGP encryption Understand how McAfee Gateway uses PGP to provide encrypted delivery of messages. Contents Encryption PGP PGP PGP Encryption Key PGP Sending PGP PGP Encryption Key Understand the options available for the PGP encryption keys. Encryption PGP PGP Encryption Key Benefits of using PGP encryption PGP encryption is a data encryption/decryption system that provides cryptographic privacy and authentication for data communication. PGP is used by many companies to sign, encrypt and decrypt messages. PGP encryption uses combinations of methods of cryptography, file compression and other operations, each of which can use a variety of different algorithms. 
PGP includes the use of public key encryption, bound to a user name and/or an address, and private key encryption, maintained in secret, to encrypt outgoing messages and decrypt incoming messages. McAfee Gateway Appliances Administrators Guide 267

268 4 Overview of menu Encryption definitions PGP Encryption Key Information about the PGP encryption keys. Displayable name Comment address View Import Export Regenerate A user editable field, allowing you to choose the name that is displayed for this encryption key. A user editable field, allowing you to choose a comment for this encryption key. The address associated with this encryption key. Click to display the content of the encryption key. Click to open the Import Certificate and Key dialog box where you an upload a certificate to the appliance, and add a passphrase to open a private key. Click to open the Certificate and Key Export dialog box where you can choose whether you want to export with no private key, or export a complete chain, and the format of key that you want to export. Click to regenerate the PGP public and private keys, using the information on this page. PGP Sending Understand the options available for PGP sending . Encryption PGP Sending Benefits of using PGP Sending You can manage the PGP Encryption Keys from external domains that are installed on your McAfee Gateway. Manage the PGP Encryption Keys stored on your McAfee Gateway. definitions Sending Manage installed PGP keys. Escrow key PGP Encryption Keys for External Domains Domain PGP Key Add Domain View Key Delete Selected Domains Manage PGP keys Select from the available keys. When you have selected a key, click View key to see the information within it. See the currently stored PGP Encryption Keys for External Domains. You can add or delete domains from this list, or view the certificates provided by each domain. Use Filter to help find a particular key. Lists the domain to which each PGP encryption key applies. Shows detail about the PGP key. Add a new external domain to the list. View information about the selected PGP key. Delete the selected domains and their PGP Encryption Keys. 
Click to move to Certificate Management Certificates PGP Encryption Keys 268 McAfee Gateway Appliances Administrators Guide
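The inbound check described in the S/MIME and PGP sections above (is the message encrypted, and does the appliance hold a key for it?), written here as an added example that is not McAfee's code. It assumes the key store can be modelled as the set of recipient domains for which a private key is held, and it uses constructed sample messages whose bodies are placeholders.

```python
"""Added example (not McAfee's code): the inbound check that the S/MIME and
PGP sections above describe. The gateway inspects each incoming message,
decides whether it is S/MIME- or PGP-encrypted, decrypts it when it holds a
suitable key, and otherwise treats it as a normal message.

Assumption (ours, not the product's): the key store is modelled as the set of
recipient domains for which the appliance holds a private key."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, Optional, Set


def encryption_kind(msg: Message) -> Optional[str]:
    """'smime' for an S/MIME enveloped (encrypted) message, 'pgp' for a
    PGP/MIME encrypted message, None for signed-only or plain messages."""
    content_type = msg.get_content_type()
    if content_type in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # smime-type=signed-data carries a signature, not an encrypted payload
        smime_type = str(msg.get_param("smime-type", "")).lower()
        return "smime" if smime_type == "enveloped-data" else None
    if content_type == "multipart/encrypted":
        if str(msg.get_param("protocol", "")).lower() == "application/pgp-encrypted":
            return "pgp"
    return None


def recipient_domains(msg: Message) -> Set[str]:
    """Domains of all To/Cc recipients, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr}


def decryption_decision(raw_message: str, held_keys: Dict[str, Set[str]]) -> str:
    """'decrypt:smime' or 'decrypt:pgp' when the appliance holds a key for a
    recipient, otherwise 'normal' (the message is passed on unchanged)."""
    msg = message_from_string(raw_message)
    kind = encryption_kind(msg)
    if kind is None:
        return "normal"
    if recipient_domains(msg) & held_keys.get(kind, set()):
        return f"decrypt:{kind}"
    return "normal"  # encrypted, but no key held: treated as a normal message


# Constructed sample messages; the bodies are placeholders, not real CMS/PGP data.
HELD_KEYS = {"smime": {"corp.example"}, "pgp": {"corp.example"}}

SMIME_ENVELOPED = (
    "From: alice@partner.example\n"
    "To: Bob <bob@corp.example>\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "AAAA\n"
)

SMIME_SIGNED = SMIME_ENVELOPED.replace("enveloped-data", "signed-data")

PGP_ENCRYPTED = (
    "From: alice@partner.example\n"
    "To: bob@corp.example\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/pgp-encrypted\n"
    "\n"
    "Version: 1\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\nAAAA\n-----END PGP MESSAGE-----\n"
    "--b1--\n"
)

PLAIN_MESSAGE = "From: alice@partner.example\nTo: bob@corp.example\n\nhello\n"

if __name__ == "__main__":
    samples = [("S/MIME enveloped", SMIME_ENVELOPED), ("S/MIME signed", SMIME_SIGNED),
               ("PGP/MIME", PGP_ENCRYPTED), ("plain", PLAIN_MESSAGE)]
    for name, raw in samples:
        print(f"{name:16s} -> {decryption_decision(raw, HELD_KEYS)}")
```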

TLS

Use this page to specify how devices use encrypted communications and to manage their digital certificates.

Email | Encryption | TLS

Import the trusted Certificate Authorities and certificates from the participating organizations before you begin this configuration.

RSA keys can be used both for encryption and for signing. DSA keys can be used for signing only.

How Transport Layer Security (TLS) works

Use this information to understand how Transport Layer Security (TLS) works.

Transport Layer Security works by communicating a set of parameters, known as the handshake, at the start of the connection process. Once these parameters have been defined, the communications that follow within that session are secure, in that they cannot be decoded by servers that did not take part in the handshake conversation. The process includes steps to negotiate the ciphers to be used during the communications, and also authentication steps to prove the identity of the servers taking part in the communications.

The handshake process includes the following main steps:

1 The McAfee Email Gateway requests a secure connection to the receiving server and presents a list of cipher suites to the receiving server.
2 The receiving server selects the strongest supported cipher from that list, and notifies the McAfee Email Gateway of the chosen cipher.
3 The servers then use Public Key Infrastructure (PKI) to establish their authenticity. This is achieved by exchanging digital certificates. On occasion, these digital certificates may be validated against the Certificate Authority (CA) that issued them.
4 Using the server's public key, McAfee Email Gateway generates a random number as a session key, and sends it to the receiving server. The receiving server then decrypts this session key using its private key.
5 Both the McAfee Email Gateway and the receiving server then use this session key to set up communications, completing the handshake process.

Once the handshake has been completed, the secure connection is used to transfer the messages. The connection remains secure until the connection is closed.

Enforcing inbound TLS using the sender address

The Email Gateway appliance can act as the server for inbound email, supporting forced and opportunistic TLS security. To avoid using the EHLO domain to enforce TLS, configure TLS to use the sender's envelope address to determine whether TLS should be enforced. Select the TLS enforcement option under TLS Options (Advanced).

TLS Connections

Use this area to define hosts that use TLS encryption.

Table 4-98 Option definitions: When receiving (gateway is acting as server)

Client Domain / Subnet: Displays the details, such as an IP address or subnet, server1.example.net, or *.example.net.
Use TLS: Always rejects email from participating organizations if their communication does not try to start encryption. Never configures connections to the source server to never use TLS encryption. When available means that, if available, the connection uses TLS encryption.
Authenticate Client: Specifies whether the other device must also authenticate.
Server Certificate: Selects the certificate to use for this TLS connection. The name is one of the certificate IDs from the Certificate Management section.
Add Domain: Enables you to specify new domains that are to use TLS.
View Certificate: View the TLS certificate for the selected domains.
Delete Selected Domains: Remove the selected domains from the list.

Table 4-99 Option definitions: When sending (gateway is acting as a client)

Server Domain / Subnet: Displays the details, such as an IP address or subnet, server1.example.net, or *.example.net.
Use TLS: Always rejects email from participating organizations if their communication does not try to start encryption. Never configures connections to the source server to never use TLS encryption. When available means that, if available, the connection uses TLS encryption.
Authenticate Self: Specifies whether the client must verify itself to the recipient before sending email. The client then needs its own certificate.
Client Certificate: Selects the certificate to use for this TLS connection. The name is one of the certificate IDs from the Certificate Management section.
Add Domain: Enables you to specify new domains that are to use TLS.
View Certificate: View the TLS certificate for the selected domains.
Delete Selected Domains: Remove the selected domains from the list.

Option definitions: Manage TLS certificates and keys

Manage TLS certificates and keys: Click to jump to Certificate Management | Certificates | TLS Certificates and Keys.
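The "When receiving" table and the TLS enforcement option described above, evaluated for an inbound SMTP session, as an added example that is not McAfee's code. It assumes rows are matched in list order with the first match winning, that subnets are written in CIDR notation, and that an unmatched peer gets the opportunistic "When available" behaviour; the table contents are constructed.

```python
"""Added example (not McAfee's code): evaluate the Email | Encryption | TLS
'When receiving' table for an inbound SMTP session, honouring the
'TLS enforcement' option that switches the lookup from the EHLO domain to
the envelope sender's domain.

Assumptions (ours): first matching row wins; subnet rows use CIDR notation;
an unmatched peer falls back to 'When available' (opportunistic TLS)."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALWAYS, NEVER, WHEN_AVAILABLE = "Always", "Never", "When available"


@dataclass(frozen=True)
class TlsEntry:
    """One row of the 'When receiving' (or 'When sending') table."""
    domain_or_subnet: str        # "server1.example.net", "*.example.net" or "203.0.113.0/24"
    use_tls: str                 # ALWAYS, NEVER or WHEN_AVAILABLE
    authenticate: bool = False   # "Authenticate Client" / "Authenticate Self"


def _matches(entry: TlsEntry, identity: str, peer_ip: str) -> bool:
    """Subnet rows match the peer IP address; domain rows match the identity
    (EHLO or envelope-sender domain) with shell-style wildcards."""
    try:
        network = ipaddress.ip_network(entry.domain_or_subnet, strict=False)
    except ValueError:  # not an address or CIDR block, so treat as a domain pattern
        return fnmatch.fnmatchcase(identity.lower(), entry.domain_or_subnet.lower())
    return ipaddress.ip_address(peer_ip) in network


def find_entry(entries: List[TlsEntry], identity: str, peer_ip: str) -> Optional[TlsEntry]:
    for entry in entries:
        if _matches(entry, identity, peer_ip):
            return entry
    return None


def inbound_identity(ehlo_domain: str, mail_from: str, enforce_on_sender: bool) -> str:
    """'TLS enforcement' (TLS Options, advanced): look the table up by the
    envelope sender's domain instead of the EHLO domain."""
    if enforce_on_sender:
        return mail_from.rpartition("@")[2]
    return ehlo_domain


def decide_inbound(entries: List[TlsEntry], ehlo_domain: str, mail_from: str,
                   peer_ip: str, client_started_tls: bool,
                   enforce_on_sender: bool = False) -> Tuple[str, bool]:
    """Return (action, require_client_certificate).

    action is 'reject' (Always, but the client never issued STARTTLS),
    'tls' (session continues under TLS) or 'plain' (cleartext)."""
    identity = inbound_identity(ehlo_domain, mail_from, enforce_on_sender)
    entry = find_entry(entries, identity, peer_ip)
    use_tls = entry.use_tls if entry else WHEN_AVAILABLE
    authenticate = entry.authenticate if entry else False
    if use_tls == ALWAYS:
        return ("tls", authenticate) if client_started_tls else ("reject", False)
    if use_tls == NEVER:
        return ("plain", False)          # STARTTLS is not offered to this peer
    return ("tls", authenticate) if client_started_tls else ("plain", False)


# Constructed table: a partner that must always use TLS and authenticate,
# and an internal subnet plus a legacy relay that never use TLS.
TABLE = [
    TlsEntry("partner.example", ALWAYS, authenticate=True),
    TlsEntry("*.partner.example", ALWAYS, authenticate=True),
    TlsEntry("203.0.113.0/24", NEVER),
    TlsEntry("legacy-relay.example", NEVER),
]

if __name__ == "__main__":
    # Same client, looked up by EHLO domain and then by envelope sender domain.
    print(decide_inbound(TABLE, "mail.other.example", "alice@partner.example",
                         "198.51.100.8", client_started_tls=False))
    print(decide_inbound(TABLE, "mail.other.example", "alice@partner.example",
                         "198.51.100.8", client_started_tls=False, enforce_on_sender=True))
```

With the second call, the sender's domain matches the Always row, so a client that does not start TLS is rejected even though its EHLO domain is not in the table.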

271 Overview of menu Encryption 4 TLS options (advanced) Use this area to specify the type of ciphers for TLS encryption. Table definitions Cipher strength Allow no encryption Allow anonymous key exchange Provides a choice of cipher strengths. By default, ciphers with a full range of strengths are supported. If necessary, the range of supported cipher strengths can be limited to 128 bit or greater. If selected, ciphers without encryption are supported. McAfee does not recommend using unencrypted TLS connections, so this setting is disabled by default. If selected, ciphers without authentication are supported. McAfee does not recommend using unauthenticated TLS connections, so this setting is disabled by default. When unauthenticated ciphers are supported, some destination servers might choose these ciphers in preference to authenticated ciphers. TLS enforcement If selected, the appliance will enforce TLS using the sender's envelope address rather than the ehlo address for inbound . Secure Web Mail Branding Understand how to configure the branding for the Secure Web Mail features. Encryption Branding Benefits of the Secure Web Mail branding settings Use the Branding page to define the content and appearance of notification messages and the appearance of the Secure Web Mail Client user interface. The default theme cannot be edited. Click Copy Item to to create a customized theme or notification based on the currently active item. Specify images that appear as the logo for the desktop client, logo for the mobile client, and the favorites icon icon. View real time changes to the branding that you make in the previews available. Customize the product name that's displayed, or that is presented to the user as either a text string, or an image. Edit notification messages and view your changes immediately within the right hand screen. Description of tokens used in Secure Web Mail notifications When you configure Secure Web Mail, notification messages are sent to customers. 
Within these notification messages, tokens are used to provide relevant information. Table Tokens used in Secure Web Mail notifications Notification Token Description Welcome GATEWAY The fully qualified DNS name of the appliance. ACTIVATE_LINK URL link used to activate the account. Account activated GATEWAY The fully qualified DNS name of the appliance. McAfee Gateway Appliances Administrators Guide 271

272 4 Overview of menu Encryption Table Tokens used in Secure Web Mail notifications (continued) Notification Token Description LOGIN_LINK URL link used to sign into the account. Message received SUBJECT The original subject of the message. (PULL_MESSAGE token) (PULL_MESSAGE token) (PUSH_MESSAGE token) SENDER GATEWAY PULL_MESSAGE PUSH_MESSAGE PULL_LINK DAYS_LEFT PUSH_FILE The address of the sender of the message. The fully qualified DNS name of the appliance. A section inserted if this is a PULL (or PUSH/PULL) message. A section inserted if this is a PUSH (or PUSH/ PULL) message. URL link used to read a specific "PULL" message. The days left for which a PULL message will be held on the appliance, before being aged out. The name of the attached HTML file which is used to POST the encrypted PUSH message back to the appliance for reading. This file name is SecureMessage.html. Message read RECIPIENT The address of the original message recipient. SUBJECT DATE_SENT DATE_READ REPORT_FILE GATEWAY The original subject of the message. A localized string containing the date and time the message was sent. A localized string containing the date and time the message was read by the recipient. The name of the attached report text file. This file name is report.txt. The fully qualified DNS name of the appliance. Unread messages NUM_MESSAGES Numeric count of the number of unread PULL messages held on the appliance. Password reset requested GATEWAY The fully qualified DNS name of the appliance. UNREAD_MESSAGE_LIST Inserts a table of unread message details. GATEWAY REQUEST_ The fully qualified DNS name of the appliance. The address of the person who has requested the resetting of the password. (either the account owner or the support contact) PASSWORD_RESET_LINK URL link used to reset the account password. Password reset GATEWAY The fully qualified DNS name of the appliance. LOGIN_LINK URL link used to sign into the account. 
Password expiring GATEWAY The fully qualified DNS name of the appliance. LOGIN_LINK DAYS_LEFT URL link used to sign into the account. Numeric count of the number of days left before the account gets locked. Account locked GATEWAY The fully qualified DNS name of the appliance. Disclaimer text <none> 272 McAfee Gateway Appliances Administrators Guide

273 Overview of menu Encryption 4 Table Tokens used in Secure Web Mail notifications (continued) Notification Token Description Support contact SUPPORT_ The address of the support contact. (configured in encryption basic settings) Footnote <none> Copyright notice YEAR The current year as per the appliance's clock. Offline notice <none> definitions Branding Define the appearance and content of notification messages that users receive regarding their Secure Web Mail Client account. The default theme cannot be edited or removed. Edits are saved when you change selection. Name Usage Notification messages The name of the theme. Displays the number of times a theme or notification message is used. Displays the notification messages that you have created. Click Default notification set to view all default messages. Click on the notification on the left to get an expanded palette of all the notification messages, and other available components such as disclaimers. The notification contains a text area to edit content and a drop down list that allows you to insert tokens. Some messages contain tokens that can be edited. On the right hand screen, the content is updated to reflect your current selection. Also on the right is a language picker to choose a different language. The language is one of the basic settings of the virtual host. To change language, go to virtual host to change the language that users will see. Edits are saved when you change selection. Copy Item Delete Item Desktop Preview / Mobile Preview Images Click to create a new notification theme based on the currently active theme. Remove an unused theme. View the notification as it appears on a user's desktop or through a mobile phone. Import the logo that you want to use on the notification, and view how it appears on the desktop, mobile, and through a browser. Upload new images through a form submission. Supported file formats for logos and the favorites icon are.jpeg,.png, and.bmp. 
The.ICO format is also supported for the favorites icon. Images are scaled to the appropriate size, and converted to.png format for the logos, and.ico format for the favorites icon. The favorites icon should be the same height and width. McAfee Gateway Appliances Administrators Guide 273

274 4 Overview of menu Encryption Product Name Color Palette Set whether you want to use text or an image to display the product name. If you choose to use an image to display the product name, the same upload rules and supported formats apply as those that apply to Images. Define the appearance of the notification header and text. Click on a colored square in the palette to edit a color. Using a color picker, you can choose from a selection of standard colors, or you can specify the standard color as a six character HTML hexadecimal string, or as a red/green/blue triplet. Most recently used custom colors are added to a color palette at the bottom. Task Encrypt all that triggers against the HIPAA compliance dictionaries A common use of the encryption features is to configure a policy to only use encryption in particular circumstances. This group of tasks show how to configure your McAfee Gateway so that messages are only sent using encryption when they trigger against the HIPPA complinace dictionaries. Task Configure the encryption settings Configure your McAfee Gateway to use encryption. Task 1 Select Encryption Secure Web Mail Basic Settings. 2 Select Enable the Secure Web Mail Client. 3 Select Encryption Secure Web Mail User Account Settings. Recipients are automatically enrolled, and receive a digitally signed notification in HTML format. The administrator chooses whether to do push and/or pull encryption. 4 Select Encryption Secure Web Mail Password Management. The minimum password length is eight characters. The password expires after 365 days. Task Enable encryption within your policy Enable the required encryption features on your McAfee Gateway. Task 1 Select Policies Compliance. 2 Click Enable compliance, and select Create new rule from template. 3 Search for the HIPAA Compliance rule and select it. 4 Click Next to progress through the wizard. 5 Select the primary action to Allow Through (Monitor). 6 In And also, select Deliver message using encryption. 
7 Click Finish, and click OK to close the dialog box. 8 Select Policies Policy s Encryption. 274 McAfee Gateway Appliances Administrators Guide

275 Overview of menu Encryption 4 9 In When to Encrypt, select Only when triggered from a scanner action. 10 In On box Encryption s, select Secure Web Mail, and click OK. 11 Apply the changes. Task Use S/MIME to encrypt all to a specific target domain This group of tasks show how to configure your McAfee Gateway so that messages are only sent using S/MIME encryption to a specific target domain, and set up encryption certificates. Task Set up encryption certificates Use this information to Task 1 Click Certificate Management Certificates CA Certificates. 2 Import any required certificate. 3 Click Certificate Management Certificates S/MIME Encryption Certificates. 4 Import your S/MIME certificate, such as example.<domainname>.com. 5 Click Encryption S/MIME Sending 6 Click Add Domain, and type example.<domainname>.com. 7 In S/MIME Certificate, select the certificate for example.<domainname>.com that you just imported. Task Encrypt all using S/MIME to a specific target domain Use this task to set up a policy that uses S/MIME encryption certificates. Task 1 Click Policies Add Policy... 2 In Policy name, type the name of the policy, such as Recipients for example.domainname.com. 3 Click Add Rule. 4 Select Recipient address in Rule type. 5 In Match select Is like. In Value, type *@example.<domainname>.com and click OK. 6 In direction, select Outbound and click OK. The policy is created. 7 In the new policy, select Encryption. 8 Deselect Use the same settings as the default policy. 9 In When to Encrypt, select Always. 10 In On box Encryption s, select S/MIME and click OK. 11 Apply the changes. McAfee Gateway Appliances Administrators Guide 275

276 4 Overview of menu Encryption Task Deliver all from a specific customer using S/MIME encryption Create a policy to deliver all received from a particular customer using S/MIME encryption. Before you begin Ensure that customer <abc> can use S/MIME to encrypt all messages to your organization. Let them know that you will be generating an S/MIME encryption certificate that they will need to install on their gateway. Task 1 Click Encryption S/MIME S/MIME Encryption Certificate. 2 Click Export. 3 Select Export the certificate only (no private key). 4 Click Next. This will generate a self signed certificate. 5 Save the file smime_encryptor_<machinename>.crt by right clicking on the link. 6 Click Finish. 7 Click Policies Policy s Encryption. 8 Select Attempt to decrypt S/MIME encrypted s in On box Decryption s. 9 Send the certificate smime_encryptor_<machinename>.crt to customer <abc>, to use for encrypting all of their messages to your organization. Once the customer successfully configures their system to use S/MIME encryption with the certificate you provided, McAfee Gateway will automatically decrypt all of the incoming S/MIME s from this customer using the private key. Task Use PGP to encrypt all messages Import a PGP key, and use PGP encryption to encrypt all outbound messages. This group of tasks show how to configure your McAfee Gateway so that messages are only sent using S/PGP encryption to a specific target domain, and set up encryption certificates. Task Import the PGP key Use this task to import a PGP for a specific target domain.. Task 1 Click Certificate Management Certificates PGP Encryption Keys and import your PGP key, such as example.<domainname>.com. 2 Click Encryption PGP Sending 3 Click Add Domain, and type example.<domainname>.com. 4 In PGP Key, select the key for example.<domainname>.com that you just imported. 276 McAfee Gateway Appliances Administrators Guide

277 Overview of menu Encryption 4 Specify when to encrypt outgoing messages to a target domain with PGP Use this task to add a policy that encrypts all messages going a to a specific external domain. Task 1 Click > Policies > Add Policy... 2 In Policy name, type the name of the policy, such as Recipients for example.domainname.com. 3 Click Add Rule. Select Recipient address in Rule type. 4 In Match, select Is like. In Value, type *@example.<domainname>.com and click OK. 5 In direction, select Outbound and click OK. The policy is created. 6 In the new policy, select Encryption. 7 Deselect Use the same settings as the default policy. 8 In When to Encrypt, select Always. 9 In On box Encryption s, select PGP and click OK. 10 Apply the changes. Task Deliver all from a specific customer using PGP encryption Create a policy to deliver all received from a particular customer using PGP encryption. Before you begin Ensure that customer <abc> can use PGP to encrypt all messages sent to your organization. Let them know that you will be generating an PGP encryption key that they will need to install on their gateway. Task 1 Click Encryption PGP PGP Encryption Key. 2 Click Export. 3 Select Export the public key only (no private key). 4 Click Next. This will generate a PGP public key. 5 Save the file pgp_encryptor_<machinename>.asc by right clicking on the link. 6 Click Finish. 7 Click Policies Policy s Encryption. 8 Select Attempt to decrypt PGP encrypted s in On box Decryption s. 9 Send the public key pgp_encryptor_<machinename>.asc to customer <abc>, to use for encrypting all of their messages to your organization. McAfee Gateway Appliances Administrators Guide 277

278 4 Overview of menu Certificate Management Once the customer successfully configures their system to use PGP encryption with the public key you provided, McAfee Gateway will automatically decrypt all of the incoming PGP s from this customer using its private key. Certificate Management The Certificate Management pages enable you to configure and view certificates for use with your appliance. Contents Certificate Management Certificates definitions Certificate Details dialog box Certificate Revocation Lists (CRLs) Certificates Use the linked pages to view and change important information about the certificates relating to your appliance. Contents Certificate Management Certificates CA certificates TLS certificates and keys S/MIME PGP encryption CA certificates Use this page to manage digital certificates from Certification Authorities. Certificate Management Certificates CA Certificates If a yellow exclamation point appears next to the certificate after you click the green checkmark to apply the change, the certificate is not currently trusted. Import the associated CA certificate before you use the new certificate. Description of the icons Icon Description Certificate is valid Certificate is invalid. For example, the certificate has expired. 278 McAfee Gateway Appliances Administrators Guide

279 Overview of menu Certificate Management 4 Benefits of using CA certificates This information describes the benefits to using CA certificates to transfer securely. Certificates allow the traffic from your appliance to be trusted by other systems. They are needed for the secure transfer of . Over 100 popular certificates from certificate authorities such as Thawte and Verisign are available. Certificates typically have a lifetime of several months or years, so they do not need to be managed often. RSA keys can be used both for encryption and for signing. DSA keys can be used for signing only. definitions - CA Certificates This information describes the options available on this page. Certificate ID Trusted Subject Issuer Expires Delete View Export Selected or Export All Mark All Certificates As Untrusted Import CA Certificate Displays the name of the certificate. Specifies whether a certificate is valid. For example, this option is deselected if the certificate has expired. Displays details about the certificate. Displays the certificate issuing authority, such as Thawte and Verisign. Displays the certificate's expiry date, such as May :15:00. If this date has passed, the certificate is not valid. When clicked, deletes the selected certificate. When clicked, displays details of the selected certificate. When clicked, opens a browser for saving a file. If you export a single certificate, the file name includes the certificate ID. The file name extension is crt (for Base64, PEM) or p7b (for PKCS#7). Defines all listed certificates as untrusted. When clicked, opens another window where you can select a file. The imported certificate can be in one of these formats: Binary (or DER encoded) certificate file PEM (Base64) encoded certificates Binary PKCS#7 file PEM encoded PKCS#7 file The appliance can accept certificate chains and certificates with password protected private keys. 
The appliance only verifies the certificate, and makes it available to use, after you click the icon to apply your changes: McAfee Gateway Appliances Administrators Guide 279

280 4 Overview of menu Certificate Management TLS certificates and keys Use this page to manage digital certificates for the secure transfer of using Transport Layer Security (TLS). Certificate Management Certificates TLS Certificates and Keys When requesting that your TLS certificates be created, McAfee recommends that you include the hostname and the IP address for the appliance that will be decrypting the TLS encrypted . If your appliance is part of a cluster, and is configured in Transparent Router or Explicit Proxy mode, ensure that you include the virtual hostname and virtual IP address for your cluster, rather than one of the physical IP addresses. Import the trusted Certificates Authorities and certificates from the participating organizations before you begin TLS configuration. RSA keys can be used both for encryption and for signing. DSA keys can be used for signing only. Description of the icons Icon Description Certificate is valid Certificate is invalid. For example, the certificate has expired. Benefits of using TLS certificates and keys This information describes the benefits of using TLS certificates and keys to transfer securely. Certificates allow the traffic from your appliance to be trusted by other systems. They typically have a lifetime of several months or years, so they do not need to be managed often. definitions - TLS Certificates and Keys This information describes the options available on this page. Certificate ID Subject Issuer Displays the name of the certificate. Displays details about the certificate. Displays the certificate issuing authority such as Thawte or Verisign. Expires Displays the certificate's expiry date, such as May :15:00. Delete View Export When clicked, deletes the selected certificate. When clicked, displays details of the selected certificate, such as its version, issuer, and public key. 
When clicked, opens another window, where you can choose to export the certificate or a complete certificate chain, and specify the certificate format. The file name extension is typically CRT. 280 McAfee Gateway Appliances Administrators Guide

281 Overview of menu Certificate Management 4 Import Certificate and Key When clicked, opens another window where you can select a file. The imported certificate can be in one of these formats: Binary (or DER encoded) certificate file PEM (Base64) encoded certificates Binary PKCS#12 file PEM encoded PKCS#12 file To import a password protected certificate, type the passphrase to unlock the private key. The appliance stores the decrypted certificate in a secure internal location. The appliance only verifies the certificate, and makes it available to use, after you click to apply your changes: Configure TLS for SMTP Click to jump to Encryption TLS. If a yellow exclamation point appears next to the certificate after you click the green checkmark to apply the change, the certificate is not currently trusted. Import the associated CA certificate before you use the new certificate. S/MIME Understand how McAfee Gateway uses S/MIME to provide encrypted delivery of messages. Encryption S/MIME Benefits of using S/MIME certificates Use S/MIME certificates to send and receive server based messages when the receiving server will not accommodate a secure session. Using S/MIME certificates, McAfee Gateway checks each incoming message to see if it is an S/ MIME message. If it is, Gateway checks for a key to decrypt the message. If the key exists, the message is decrypted; if not, it is treated as a normal message. Before you can use the S/MIME features, you must obtain and install your individual S/MIME certificate. You can obtain it from either your in house certificate authority (CA) or a public CA. definitions S/MIME Encryption Certificates This information describes the options available on this page. Certificate ID Subject Issuer Displays the name of the certificate. Displays details about the certificate. Displays the certificate issuing authority such as Thawte or Verisign. Expires Displays the certificate's expiry date, such as May :15:00. 
Delete View When clicked, deletes the selected certificate. When clicked, displays details of the selected certificate, such as its version, issuer, and public key. McAfee Gateway Appliances Administrators Guide 281

282 4 Overview of menu Certificate Management Export Import Certificate When clicked, opens another window, where you can choose to export the certificate or a complete certificate chain, and specify the certificate format. The file name extension is typically CRT. When clicked, opens another window where you can select a file. The imported certificate can be in one of these formats: Binary or base 64 (PEM) encoded certificate Binary PKCS#7 file You can choose to import any CA certificates in the file. The appliance only verifies the certificate, and makes it available to use, after you click to apply your changes: PGP encryption Understand how McAfee Gateway uses PGP to provide encrypted delivery of messages. Contents Encryption PGP PGP PGP Encryption Key PGP Sending PGP PGP Encryption Key Understand the options available for the PGP encryption keys. Encryption PGP PGP Encryption Key Benefits of using PGP Encryption PGP encryption is a data encryption/decryption system that provides cryptographic privacy and authentication for data communication. PGP is used by many companies to sign, encrypt and decrypt messages. PGP encryption uses combinations of methods of cryptography, file compression and other operations, each of which can use a variety of different algorithms. PGP includes the use of public key encryption, bound to a user name and/or an address, and private key encryption, maintained in secret, to encrypt outgoing messages and decrypt incoming messages. definitions PGP Encryption Key Information about the PGP encryption keys. Displayable name Comment address View A user editable field, allowing you to choose the name that is displayed for this encryption key. A user editable field, allowing you to choose a comment for this encryption key. The address associated with this encryption key. Click to display the content of the encryption key. 282 McAfee Gateway Appliances Administrators Guide

Import: Click to open the Import Certificate and Key dialog box, where you can upload a certificate to the appliance and add a passphrase to open a private key.
Export: Click to open the Certificate and Key Export dialog box, where you can choose whether you want to export with no private key or export a complete chain, and the format of key that you want to export.

PGP Sending Email

Understand the options available for PGP sending email.

Email | Encryption | PGP | Sending Email

Benefits of using PGP Sending Email

You can manage the PGP Encryption Keys from external domains that are installed on your McAfee Email Gateway. Manage the PGP Encryption Keys stored on your McAfee Email Gateway.

Option definitions - Sending Email

Manage installed PGP keys:
Escrow key: Select from the available keys. When you have selected a key, click View key to see the information within it.
PGP Encryption Keys for External Domains: See the currently stored PGP Encryption Keys for External Domains. You can add or delete domains from this list, or view the certificates provided by each domain. Use Filter to help find a particular key.
Domain: Lists the domain to which each PGP encryption key applies.
PGP Key: Shows detail about the PGP key.
Add Domain: Add a new external domain to the list.
View Key: View information about the selected PGP key.
Delete Selected Domains: Delete the selected domains and their PGP Encryption Keys.
Manage PGP keys: Click to move to Email | Certificate Management | Certificates | PGP Encryption Keys.

Option definitions - Certificate Details dialog box

View detailed information about the certificates installed on your McAfee Email Gateway.
Details: View the fully detailed information about the selected certificate.
Certification path: View information about the Certificate ID and the Subject of the certificate.

Certificate Revocation Lists (CRLs)

Understand the Certificate Revocation Lists on your appliance.

Email | Certificate Management | Certificate Revocation Lists (CRLs)

Contents
- Installed CRLs
- CRL Updates

Installed CRLs

Use this page to manage Certificate Revocation Lists.

Email | Certificate Management | Certificate Revocation Lists (CRLs) | Installed CRLs

Benefits of using Certificate Revocation Lists

This information describes the benefits of using Certificate Revocation Lists (CRLs). CRLs typically have a lifetime of several months, so they do not need to be managed often.

Option definitions - Installed CRLs

This information describes the options available on this page.
ID: Displays the name of the Certificate Authority.
Issuer: Displays the certificate issuing authority, such as Thawte or Verisign.
Last Update and Next Update: Displays the applicable dates for the CRL.
Delete: When clicked, deletes the selected CRL. You cannot delete a CRL that is still current. When you delete a certificate, its CRL is deleted automatically.
View: When clicked, displays the contents of the selected CRL. Some CRLs are large.
Export Selected: When clicked, opens a browser for saving a file. The file name extension is typically CRL.
Import CRL: When clicked, opens a browser for selecting a file. The appliance can fetch a local file or a file from a website. The appliance only verifies the CRL, and makes it available to use, after you click to apply your changes.

CRL Updates

Use this page to specify how often the appliance fetches updates to its Certificate Revocation Lists.

Email | Certificate Management | Certificate Revocation Lists (CRLs) | CRL Updates

Benefits of the CRL Updates feature

This information describes the benefits of the CRL Updates feature.
Certificate Revocation Lists (CRLs) contain information about certificates that should no longer be relied upon. This may be for one of many reasons, including:
- The private key used by the certificate may have been compromised.
- The certificate may have been superseded.
- The certificate may contain an error.
Being able to regularly update the CRLs on your McAfee Email Gateway enables you to be confident that the McAfee Email Gateway will not continue to use certificates that have been revoked.

Option definitions - CRL Updates

This information describes the options available on this page.
Update now: Update the CRLs immediately.
Specify the frequency: Specifies how often the appliance will collect CRL updates. Choose a time when your network is least busy. If you do not want to use this feature, select Never.
Use the default proxy settings: If you intend to use an HTTP proxy that is not specified on the Default Server Settings page, deselect this checkbox.
Configure defaults: When clicked, opens the Default Server Settings page, where you can view or change the default settings for the HTTP proxy. To view proxy information at any other time, select System | Appliance Management | Default Server Settings from the navigation bar.
Proxy server to Proxy password: Specifies the proxy details.

Hybrid configuration

Hybrid scanning uses the McAfee Email Gateway to scan your outbound email traffic, and uses the cloud-based McAfee Email Protection (Hybrid) to scan your inbound email traffic.

Contents
- Benefits of using hybrid scanning
- About the hybrid registration and configuration process
- Registration
- Domain Management

Benefits of using hybrid scanning

Hybrid scanning uses the McAfee Email Gateway appliances within your network and the cloud-based McAfee Email Protection (Hybrid) to provide you with comprehensive email scanning.
When McAfee Email Gateway is configured to use hybrid scanning, your inbound email traffic is scanned by the cloud-based McAfee Email Protection (Hybrid) service, and your outbound email is scanned by the McAfee Email Gateway appliance.
- Your inbound email traffic is scanned within the cloud, providing a distributed scanning load and reduced bandwidth, as messages can be blocked in the cloud before they enter your network.

- Inbound messages from trusted partners can be sent directly to your McAfee Email Gateway for scanning.
- All communications between the cloud service and your McAfee Email Gateway are encrypted.
- You configure and optimize the scanning of both inbound and outbound email traffic from a single location: the user interface of your McAfee Email Gateway.

Figure 4-1 Email flow using Hybrid scanning

When the McAfee Email Protection (Hybrid) makes detections within any email messages, information about the message and the detection is sent to your McAfee Email Gateway appliance. Then, depending on your configuration, the McAfee Email Gateway can request that the message data be sent for further actions or for delivery. If the action is to quarantine the message, the inbound messages are quarantined alongside quarantined outbound messages. This allows you to use Message Search or other system logging options on your appliance to investigate each message, regardless of whether it is scanned locally by your McAfee Email Gateway or by McAfee Email Protection (Hybrid).

The communication between McAfee Email Protection (Hybrid) and the appliance must not pass through another MTA, as the communication uses a proprietary protocol and will not succeed if another SMTP gateway is involved in the conversation.

About the hybrid registration and configuration process

Understanding the end-to-end process, from purchase to final configuration, will enable you to best set up hybrid scanning.
1 The process to register your McAfee Email Gateway appliance and the McAfee Email Protection (Hybrid) service starts when you purchase hybrid scanning from McAfee or a McAfee partner.
2 When you purchased your McAfee Email Protection (Hybrid), you were asked for information that is used to set up a cloud-based account for you. As soon as this information has been entered, you receive an email message containing the required links and credentials.
3 Install your McAfee Email Gateway appliance. When running through the Setup Wizard, select Use the McAfee SaaS Email Protection Service to process inbound email from the Email Configuration page. After applying the Setup Wizard configuration and reloading the McAfee Email Gateway user interface, the Hybrid Configuration | Registration page is displayed.
4 Clicking the link in the Hybrid Configuration | Registration page displays information that outlines the registration process for your appliance and McAfee Email Protection (Hybrid) service.
5 Follow the information given to complete the registration, using the credentials provided by email message. After you have successfully completed registration, a new tab appears at Email | Hybrid Configuration | Domain Management.
6 Before inbound email traffic can be scanned by the McAfee Email Protection (Hybrid), you must first configure McAfee Email Protection (Hybrid) to accept email for your domain(s), and then configure your public MX records for those domain(s) to point to the McAfee Email Protection (Hybrid) servers.

Registration

To enable and configure hybrid scanning, you must first register your McAfee Email Gateway appliances with the McAfee Email Protection (Hybrid) service.
Contents
- Benefits of registering hybrid scanning
- Option definitions - Registration
- Task: Register with the McAfee Email Protection (Hybrid) service
- Task: Cancel your registration with the McAfee Email Protection (Hybrid) service

Benefits of registering hybrid scanning

Enabling communication between your McAfee Email Gateway appliances and McAfee Email Protection (Hybrid) allows you to then configure settings for hybrid scanning and benefit from having your inbound email traffic scanned in the cloud. With this information entered into the McAfee Email Gateway user interface, the initial communications between your McAfee Email Gateway and the McAfee Email Protection (Hybrid) can start, allowing the creation and exchange of the certificates and keys required to ensure secure communications between your appliance and the cloud-based service.

Option definitions - Registration

Use this page to register your McAfee Email Gateway appliances with the McAfee Email Protection (Hybrid) so they can communicate.

Option definitions - Registration page
User name: Enter the user name found in your welcome email. Not displayed when your appliance is ePO-managed.
Password: Specifies the password found in your welcome email. Not displayed when your appliance is ePO-managed.
Configure this appliance to handle email for the initial domain: Configures the appliance you are currently logged onto to act as the initial McAfee Email Gateway for your McAfee Email Protection (Hybrid).
Address: After an email message from your initial domain has been scanned by the McAfee Email Protection (Hybrid) service, communication is initiated to the McAfee Email Gateway at this address. If your McAfee Email Gateway does not have a publicly reachable IP address, perhaps because it is behind a network address translation (NAT) setup, you must configure your initial domain from the Hybrid Configuration | Domain Management page.
Port: Specifies the port assigned to your initial McAfee Email Gateway. Not displayed when your appliance is ePO-managed. If the publicly exposed port of the McAfee Email Gateway is not the same as the port the McAfee Email Gateway is listening on, perhaps because you are port mapping, go to the Hybrid Configuration | Domain Management page.
Register: Registers your McAfee Email Gateway with the McAfee Email Protection (Hybrid). After registration, a new tab, Hybrid Configuration | Domain Management, appears. Also, a new section, Cancel Registration, is displayed on this page.

Option definitions - Cancel Registration
Cancel Registration: Disables your registration and prevents the use of the McAfee Email Protection (Hybrid) to process your inbound email. You do not need to enter any credentials. Before cancelling your registration, you should ensure that the MX records for your managed domains no longer point to the McAfee Email Protection (Hybrid) service.
Task - Register with the McAfee Email Protection (Hybrid) service

You need to register your McAfee Email Gateway appliances with the McAfee Email Protection (Hybrid) before you can benefit from using hybrid scanning. Before you can register with the service, you must have received your welcome email containing the user name and password you will use.

Task
1 Select Email | Hybrid Configuration. The hybrid configuration Registration page appears, and the system checks to ensure your appliance can connect to the McAfee Email Protection (Hybrid). This is the only page available under Hybrid Configuration before registration is complete. Guidance for completing your registration appears on the page.
2 Enter the user name and password from your welcome email in the appropriate data fields.
3 (Optional) Configure your initial appliance for inbound email, for use by the McAfee Email Protection (Hybrid) service. If your McAfee Email Gateway does not have a public IP address, use the Hybrid Configuration | Domain Management page.
  a Select the Configure this appliance to handle email for the initial domain checkbox.
  b Select the appliance domain name and IP address from the drop-down list.
  c Select the port assigned to the appliance from the drop-down list.
  You should configure a virtual address for the receiving appliance when the appliance is the cluster master.
4 Click Register. Your appliance is registered with McAfee Email Protection (Hybrid), and the Domain Management tab appears in the Hybrid Configuration window. The Registration window expands to show the Cancel Registration information.

Task - Cancel your registration with the McAfee Email Protection (Hybrid) service

You can stop using the McAfee Email Protection (Hybrid) at any time.

Before you begin
Before you cancel your service, ensure that the MX records for any managed domain no longer point to the service.

Task
1 Select Email | Hybrid Configuration | Registration. The Registration page appears.
2 Click Cancel Registration. A confirmation dialog appears.
3 Click OK to confirm your intention to cancel registration. Your registration is cancelled. You can re-register with the protection service using your original credentials.
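Both the Cancel Registration option and the cancel task above depend on the MX records of your managed domains no longer pointing at the cloud service, while step 6 of the registration process requires that they do. The following Python is an added example, not McAfee code, that parses dig-style MX answers and reports which domains still route through the service and which have an MX record that lets mail bypass it. The service host suffix and the answer lines are constructed placeholders, not real McAfee hostnames.

```python
"""Check where the MX records of managed domains point before cancelling.

Added example, not McAfee code. Cancelling the hybrid registration while a
domain's MX records still point at the cloud service leaves inbound mail
with nowhere to go, and a domain whose MX records partly bypass the service
lets some mail reach the gateway unscanned by the cloud. This parses
dig-style MX answers and classifies each domain. The service host suffix
and the answer lines are constructed placeholders, not real McAfee hosts.
"""
HYBRID_MX_SUFFIX = ".hybrid-service.example"   # placeholder for the real service hosts


def parse_mx_answers(text):
    """Parse 'name TTL IN MX pref host' lines into {domain: [(pref, host), ...]}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3] != "MX":      # skips dig comments and other types
            continue
        domain = parts[0].rstrip(".").lower()
        pref, host = int(parts[4]), parts[5].rstrip(".").lower()
        records.setdefault(domain, []).append((pref, host))
    return records


def classify_domain(mx_list, suffix=HYBRID_MX_SUFFIX):
    """'hybrid' if every MX is a service host, 'direct' if none is, else 'mixed'."""
    at_service = [host.endswith(suffix) for _, host in mx_list]
    if all(at_service):
        return "hybrid"
    if not any(at_service):
        return "direct"
    return "mixed"


def cancellation_blockers(records, suffix=HYBRID_MX_SUFFIX):
    """Domains that must have their MX records changed before Cancel Registration."""
    return sorted(d for d, mx in records.items() if classify_domain(mx, suffix) != "direct")


def bypass_risks(records, suffix=HYBRID_MX_SUFFIX):
    """Domains where a non-service MX lets senders skip cloud scanning."""
    return sorted(d for d, mx in records.items() if classify_domain(mx, suffix) == "mixed")


# Constructed answer section in dig's presentation format.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.      300 IN MX 10 mx1.hybrid-service.example.
example.com.      300 IN MX 20 mx2.hybrid-service.example.
partner.example.  300 IN MX 10 mx1.hybrid-service.example.
partner.example.  300 IN MX 50 gateway.partner.example.
legacy.example.   300 IN MX 10 mail.legacy.example.
"""

if __name__ == "__main__":
    recs = parse_mx_answers(SAMPLE_DIG_OUTPUT)
    for domain, mx in sorted(recs.items()):
        print(f"{domain}: {classify_domain(mx)}")
    print("fix before cancelling:", cancellation_blockers(recs))
    print("cloud bypass possible:", bypass_risks(recs))
```

To run it against live data, feed the output of `dig +noall +answer MX <domain>` for each managed domain into `parse_mx_answers`; a "mixed" result is worth fixing even if you never cancel, because a backup MX that points straight at the gateway is a path around the cloud scan.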

Domain Management

You can use the user interface to specify which domains you want scanned by McAfee Email Protection (Hybrid). Configure your domains after you have registered with McAfee Email Protection (Hybrid).
The Hybrid Configuration | Domain Management tab is only visible after you have registered to use Hybrid scanning.
The Domain Management window shows the list of domains you have configured for McAfee Email Protection (Hybrid), and their associated appliances. From this window, you can add domains, and edit or delete existing domains.

Contents
- Benefits of using domain management
- Option definitions - Domain Management page
- Option definitions - Add/Edit domains page
- Task: Manage your domains using Hybrid protection

Benefits of using domain management

Using hybrid scanning allows you to enjoy the benefits of both a cloud-based scanning system and an on-site, dedicated scanning appliance. The Domain Management page enables you to specify and manage the domains for which inbound email traffic is to be scanned by the McAfee Email Protection (Hybrid).
By using the Domain Management page, you can quickly specify the domains that are to have inbound email traffic scanned "in the cloud" from within the McAfee Email Gateway user interface. You do not need to go to separate interfaces to configure your inbound and outbound scanning; both are managed from the same user interface.
As the inbound settings are transferred to the McAfee Email Protection (Hybrid) service when you make any changes to this page, these settings are changed in real time; you do not need to click the Apply button to save the changes to the McAfee Email Gateway configuration.

Option definitions - Domain Management page

Use this page to manage the domains that you want scanned by the McAfee Email Protection (Hybrid) service. The initial domain you registered for this service cannot be deleted.
Option definitions - Domain Management
Domain: Shows the fully qualified domain names of all domains protected by the McAfee Email Protection (Hybrid) service.
McAfee Email Gateways: Shows the IP addresses for the McAfee Email Gateway appliances associated with each managed domain.
Edit: Opens a window for modifying or deleting this existing domain.
Add Domain: Opens the Edit Domain window, where you can add or modify the domains that you want scanned.

Option definitions - Add/Edit domains page

Use this page to add, edit, or delete domains you want scanned by the McAfee Email Protection (Hybrid) service. The initial domain you registered for this service cannot be deleted.

Option definitions - Edit Domain
Domain name: Specifies the fully qualified domain name of the server you are adding or editing.
Public addresses of McAfee Email Gateways: Lists the McAfee Email Gateway appliances associated with the domain, showing:
- IP address or domain name (port optional)
- Current status
- Rank within the list of appliances for this domain
You can rank the servers on your list to establish a preference order, with the lowest number being tried first. The McAfee Email Protection (Hybrid) service will try the appliances in rank order until it succeeds. If all servers are ranked equally, the service round-robins among them.
Add McAfee Email Gateways: Opens a window for adding a McAfee Email Gateway to the list.
Test Connection: Tests whether the selected host is accessible from the McAfee Email Protection (Hybrid) service. The test verifies:
- A connection can be established to the service.
- The McAfee Email Gateway has been registered with the McAfee Email Protection (Hybrid) service.
The test button is active when you select a single appliance.
Delete: Deletes the selected McAfee Email Gateway appliances from the list.

Task - Manage your domains using Hybrid protection

The Domain Management page shows the list of protected domains and their associated appliances. McAfee Email Protection (Hybrid) will process all inbound email traffic for these domains. From this page, you can add, edit, or delete protected domains.

Task - Add a managed domain

Add a domain that you want scanned by the McAfee Email Protection (Hybrid) service. The first domain on your list is the initial domain you entered when you registered your appliance with the service. It cannot be deleted.

Task
1 From the Domain Management window, click Add Domain. The Edit Domain window appears.
2 Enter the fully qualified domain name for the domain you want to add.
3 Click Add McAfee Email Gateways. Data fields for the new domain appear in the Public addresses of McAfee Email Gateways portion of the window.
4 Type the IP address or the fully qualified domain name for the appliance. Optionally, you can include the port identification.

5 To indicate the status of the appliance, select or deselect the Active? checkbox. Click Add McAfee Email Gateways again and repeat steps 4 and 5 if you want to add more than one appliance.
6 (Optional) If you add more than one appliance, you can indicate their rank (order) by typing a number in the Rank data field.
7 (Optional) You can test the connection between any single appliance and the McAfee Email Protection (Hybrid) service by clicking Test Connection.
8 When you have completed the information on this window, click OK. Your domain appears in the list on the Domain Management page.

Task - Edit an existing domain

You can modify the settings of domains that are scanned by the McAfee Email Protection (Hybrid) service. The initial domain on your list is the domain you entered as part of your user name when you registered your appliance with the service. This domain name appears in boldface type. You can edit it, but you cannot change the domain name or delete it.

Task
1 On the Domain Management page, click the Edit icon for the domain you want to change. The Edit Domain window appears, showing the current information about the selected domain.
2 Make your changes to the domain. You can change the domain name, add or delete appliances, change the status, and, for multiple appliances, change the rank.
3 (Optional) To test the connection between any single appliance and the McAfee Email Protection (Hybrid) service, click Test Connection.
4 When you have finished editing the domain, click OK. The changes you made appear on the Domain Management page.

Task - Delete an existing domain

You can remove a domain you no longer want scanned by the McAfee Email Protection (Hybrid) service. The first domain on your list is the initial domain you entered when you registered your appliance with the service. You cannot delete it.

Task
1 On the Domain Management page, select the check boxes for one or more domains you want to delete. The Delete Selected Domains button becomes active.
2 Click Delete Selected Domains. A confirmation dialog appears.
3 Click OK to confirm your intention to delete the domain. The domain or domains are removed from the Domain Management page.
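The rank and round-robin behaviour described for the Edit Domain page, together with the Active? checkbox, decides which of your appliances the cloud service contacts first. The following Python is an added example, not McAfee code, that models that ordering for successive delivery attempts; the gateway addresses are constructed.

```python
"""Model the delivery order the cloud service uses for a domain's gateways.

Added example, not McAfee code. The Edit Domain page ranks the McAfee Email
Gateway appliances listed for a domain: the service tries them in rank
order, lowest number first, round-robins among appliances that share a
rank, and an appliance whose Active? box is cleared is not tried. This
reproduces that ordering for the n-th delivery attempt so you can see how
a Domain Management list will behave. The addresses are constructed.
"""
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Gateway:
    address: str          # IP address or FQDN, with an optional :port
    rank: int = 1         # lower is tried first; equal ranks share the load
    active: bool = True   # the Active? checkbox


def host_port(address, default_port=None):
    """Split an 'address' or 'address:port' entry; the port is optional on the page."""
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit() and host.count(":") == 0:   # plain host:port, not an IPv6 literal
        return host, int(port)
    return address, default_port


def delivery_order(gateways, attempt=0):
    """Addresses in the order one delivery attempt would try them."""
    live = sorted((g for g in gateways if g.active), key=lambda g: g.rank)  # stable sort
    order = []
    for _, group in groupby(live, key=lambda g: g.rank):
        peers = list(group)
        shift = attempt % len(peers)                 # rotate the starting point per attempt
        order.extend(g.address for g in peers[shift:] + peers[:shift])
    return order


# Constructed Domain Management entries for one protected domain.
SAMPLE_GATEWAYS = [
    Gateway("gw1.example.net", rank=1),
    Gateway("gw2.example.net", rank=1),
    Gateway("203.0.113.10:2525", rank=2),
    Gateway("old-gw.example.net", rank=3, active=False),
]

if __name__ == "__main__":
    for n in range(3):
        print(f"attempt {n}:", delivery_order(SAMPLE_GATEWAYS, n))
    print(host_port("203.0.113.10:2525"))
```

Running it shows the two rank-1 appliances alternating as the first target while the rank-2 appliance is always last and the inactive one never appears, which is the configuration to aim for when one appliance is only a fallback.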

Group Management

The Group Management pages enable you to set up directory services to work with your LDAP servers, and to create network groups and user groups for the users who relay through the appliances.

Email | Group Management

Directory Services

Use this page to build a group of directory services to work with your LDAP servers.

Email | Group Management | Directory Services

The page has these sections:
- Directory Services
- Directory Synchronization

Benefits of the Directory Services options

This information describes the benefits of using the Directory Services features to connect to your LDAP servers.
Add directory service servers using the Directory Service wizard to set up a connection between the appliance and an LDAP server, so that the attributes in the LDAP server define behavior in your email flow. You can therefore define policies, and update your LDAP to change behavior.
You can modify the following features in the appliance to work with LDAP:
- Recipient Authentication
- Address Masquerading
- Policy selection
- Delivery routes
Custom queries can be created for use in policy selection using the Add Query option in the Add Directory Service wizard.
The appliance supports the following types of LDAP servers:
- Microsoft Active Directory
- Lotus Domino
- Novell NDS
- Generic LDAP Server v3
- Netscape/Sun iPlanet
- Microsoft Exchange
You can set up groups of LDAP servers to ensure high availability by adding secondary servers to the primary LDAP server. The name that you give the primary server (Service name in the Add Directory Service wizard) is the name of the group that you see when you come to select the LDAP group in the LDAP-related features in McAfee Email Gateway, such as Address Masquerading.

Directory Synchronization

Directory Synchronization is the mechanism to synchronize LDAP data on the appliance with remote LDAP servers.

Once LDAP data has been synchronized, the appliance no longer performs LDAP lookups on the remote server and uses its own on-box database, minimizing loading on the remote LDAP servers.
To enable Directory Synchronization, add the LDAP server to which you need to synchronize to the Directory Services page. You must also select the queries that need to be synchronized, by selecting the Cache Result option on the Directory Service Queries page of the Add Directory Service wizard.
The advantages of Directory Synchronization are more apparent in cluster or blade server environments, because each scanner no longer performs LDAP lookups but uses the on-box database. The Master is responsible for synchronizing the database with the remote LDAP servers. Once the synchronization is finished, the database is synchronized with the other members of the cluster and is then used for LDAP checks.
Attributes on the LDAP server can be accessed in real time (allowing for the most up-to-date data to be available), or be cached on the appliance (a faster option that causes less impact to your network) by using the Cache Result checkbox in the Add Directory Services wizard. Use the Synchronization schedule feature to schedule when to update the cache.
McAfee Email Gateway uses queries defined on the Directory Service Queries page to populate the local LDAP database. The 'List of Groups' and 'Synchronization' queries are mandatory and cannot be unselected, as they are used to get group and email address information from the LDAP server. You can choose to cache all other queries. If you choose not to cache the results of any other query, McAfee Email Gateway will carry out a real-time lookup when the SMTP features that use the query are used. By default, LDAP caching is on for each query.
When you apply configuration changes to the appliance, the synchronization process updates the local LDAP cache database.
If the database has not been updated for a particular server, the LDAP lookup is done in real time. Additionally, if the query is missing or has been modified for a particular server, the LDAP lookup is done in real time.
When you configure Directory Synchronization, the following information is stored in the on-box database:
- The LDAP queries that you have configured to run against the LDAP servers.
- All the LDAP groups.
- User information, stored as a BLOB. This information includes the email addresses of the users, the group membership of each user, and any extra information collected by the LDAP queries.

Running the LDAP synchronization

LDAP synchronization automatically starts when you apply configuration changes that include adding a new LDAP server, or that include any changes to LDAP queries.
You can manually start the LDAP synchronization process by clicking Email | Group Management | Directory Services | Directory Synchronization | Update Now. You can also schedule regular LDAP synchronization from Email | Group Management | Directory Services | Directory Synchronization | Synchronization schedule.
You can check the current status of LDAP synchronization by looking at Email | Group Management | Directory Services | Directory Synchronization | Update Information. You can also view the LDAP synchronization data in the log files in /var/log/messages. Any LDAP synchronization failures are logged and can be sent to administrators by SNMP or Syslog.
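The rule above, that cached results are used only when the server has been synchronized and the query is unchanged, and that anything else forces a real-time lookup, can be modelled directly. The following Python is an added example, not McAfee code; the `fake_live_lookup` function and its directory data stand in for a real LDAP server and are constructed.

```python
"""Model when the appliance answers from its on-box LDAP database.

Added example, not McAfee code. As described above, a query is answered
from the synchronized on-box database only when the database has been
updated for that server and the stored query is the one currently
configured; a server with no synchronized data, or a query that is missing
or has been modified since the last synchronization, forces a real-time
LDAP lookup. This class models that rule. The `live_lookup` callable and
the directory data stand in for a real LDAP server and are constructed.
"""
import hashlib


def query_fingerprint(query_text):
    """Hash of the query text; any edit to the query changes it."""
    return hashlib.sha256(query_text.encode()).hexdigest()


class DirectoryCache:
    def __init__(self, live_lookup):
        self.live_lookup = live_lookup   # live_lookup(server, query_text) -> results
        self.db = {}                     # server -> {query name: (fingerprint, results)}
        self.real_time_lookups = 0       # how often the cache had to be bypassed

    def synchronize(self, server, cached_queries):
        """Run every query marked Cache Result against the server and store the results."""
        self.db[server] = {
            name: (query_fingerprint(text), self.live_lookup(server, text))
            for name, text in cached_queries.items()
        }

    def lookup(self, server, name, query_text):
        """Return (results, source) where source is 'cache' or 'real-time'."""
        entry = self.db.get(server, {}).get(name)
        if entry is not None and entry[0] == query_fingerprint(query_text):
            return entry[1], "cache"
        self.real_time_lookups += 1
        return self.live_lookup(server, query_text), "real-time"


# Constructed stand-in for an LDAP server: query text -> results.
FAKE_DIRECTORY = {
    "ldap.example.net": {
        "(objectClass=group)": ["sales", "engineering"],
        "(&(objectClass=group)(cn=sales))": ["sales"],
        "(mail=*@example.net)": ["alice@example.net", "bob@example.net"],
    }
}


def fake_live_lookup(server, query_text):
    return list(FAKE_DIRECTORY.get(server, {}).get(query_text, []))


def demo():
    """Exercise the three outcomes: cache hit, modified query, unsynchronized server."""
    cache = DirectoryCache(fake_live_lookup)
    cache.synchronize("ldap.example.net", {"List of groups": "(objectClass=group)",
                                           "Synchronization": "(mail=*@example.net)"})
    hit = cache.lookup("ldap.example.net", "List of groups", "(objectClass=group)")
    edited = cache.lookup("ldap.example.net", "List of groups", "(&(objectClass=group)(cn=sales))")
    unsynced = cache.lookup("ldap2.example.net", "List of groups", "(objectClass=group)")
    return hit, edited, unsynced, cache.real_time_lookups


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The `real_time_lookups` counter is the figure to watch in a cluster: if it keeps climbing after a synchronization, a query on the Directory Service Queries page has been edited without the cache being refreshed, and every scanner is going back to the remote LDAP server.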

Option definitions - Directory Services

This information describes the options available on this page.

Directory Services
This section describes the settings of any LDAP server that you have set up. To add a connection to an LDAP server, click Add Server.
Name, Address and Type: Displays information about each directory server, such as its type (for example, Domino or Active Directory). Click Edit to open the Add Directory Service wizard to change a server's settings.
Add Server: When clicked, starts the Add Directory Services wizard, where you can add details of a directory service. The Service name that you give this server is what is shown when you set up features in the appliance to work with LDAP. The server at the top of the list is queried first. You can create groups of servers by using the Add Secondary Server option.
Add Secondary Server: Use this option to create groups of LDAP servers by adding secondary servers that are queried should the primary server be unavailable, or not have the required information. From the features that work with LDAP, you will not see secondary servers listed, only the primary server in the group.
Delete Server: Remove primary or secondary servers from the list.
Perform server certificate verification on secure connections: Sets whether the appliance should attempt to validate the remote server certificate that is used to encrypt a secure connection between the appliance and an LDAP server. You can manage the certificates required from Certificate Management.

Directory Synchronization
This information describes the options available in the Directory Synchronization section of the page.
Update information: Displays the status of the information in the on-box directory:
- Information is available for query. The time and date show when the latest update occurred.
- The on-box directory has no data, or is not up to date.
Update Now: When clicked, the appliance immediately copies directory information from the servers under Directory Services to its own directory.
Synchronization schedule: Specifies how often the appliance copies directory information from the LDAP servers to which you have connected to its own directory. Setting the schedule to Hourly can create a heavy load on your network.

Optimizing the directory synchronization queries

Correctly optimizing the queries improves the response between your McAfee Email Gateway and your LDAP servers. All queries against a particular server are accessed from the Directory Service Queries page. Test each query using the Test button to confirm that it gives you the expected results.

The queries should only take a few seconds to complete. If the queries do not quickly return a response, check the following:
- Make sure that your LDAP queries are valid.
- Ensure all the LDAP attributes specified in the query are also available within the LDAP schemas on the server being queried.
- Make sure all LDAP attributes specified in the query are indexed on the remote LDAP server.

Network Groups

This page enables you to create network groups to use as policy selection criteria.

Email | Group Management | Network Groups

Benefits of setting up network groups

Creating network groups allows you to apply policies to a group of individuals at one time. You can define network groups based on any one of several parameters, such as IP addresses, host names, and so forth. All individuals who share that parameter will be included in the policies you define. Network groups are not based directly on individual email addresses. You can also define user groups based on sender addresses, recipient addresses, or LDAP queries.

Option definitions - Network Groups

This information describes the options available on this page.
Group Name, In use?, and Delete: Displays the name of the group, whether it is in use, and provides the option to remove the group from the list.
Add: Click to open the Add Network Groups dialog box.

Option definitions - Add Network Group

This information describes the options available in this dialog box.
Group name: The name of the group.
Selected or unselected: Defines whether the group is in use.
Rule type: Use the arrow icons to move the rules up and down the list. The rules are applied in a "top down" order. Choose from:
- IP address
- VLAN identifier
- Network connection
- Host name

Match: Choose from:
- is
- is not
- is in
- is not in
Value: Type the value that you want to associate with Match.
Add Rule / Delete Selected Rules: Adds a new line to the list, where you can specify the name, type, and values to match on for a new network group.

Option definitions - Add Rule

Provide the information required to add a new Group Management rule. This dialog box is used for both Add Network Groups | Add Rule and Add User Groups | Add Rule.
Rule Type: Define the type of rule. For Add Network Groups, options include:
- IP address (default)
- VLAN identifier
- Network connection
- Host name
For Add User Groups, options include:
- Sender address (default)
- Recipient address
- LDAP query
Match: Specify how this rule matches. Options include:
- is (default)
- is not
- is in
- is not in
Value: Enter the Value for this rule.

Senders and Recipients

This page enables you to create groups of users who can relay messages on the appliance.

Email | Group Management | Senders and Recipients

Benefits of the Senders and Recipients options

The senders and recipients (user group) options allow you to define groups of individuals to whom you can apply policies at once. You can define user groups based on several criteria:
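The Add Rule dialog described above defines a rule as a type, a match operator and a value, with rules applied top down. The following Python is an added example, not McAfee code, that evaluates such rules for network groups and for user groups (whose Add User Group dialog also offers is like and is not like) over constructed connection attributes. Two choices are the example's own assumptions rather than documented appliance behaviour: a connection that lacks the rule's attribute never matches, even for a negated match, and is like is treated as a shell-style wildcard.

```python
"""Evaluate group rules top down, as the Add Rule dialog describes.

Added example, not McAfee code. A network group or user group is an ordered
list of rules, each with a Rule type, a Match (is, is not, is in, is not
in; user groups also offer is like, is not like) and a Value. Rules are
applied in top-down order and the first rule that fires decides membership;
policy selection then walks the groups in order. IP address values may be
single addresses or, for "is in"/"is not in", comma-separated CIDR ranges.
The "no attribute means no match" behaviour and the wildcard meaning of
"is like" are assumptions of this example, as are the sample connections.
"""
import ipaddress
from fnmatch import fnmatch


def _positive_match(rule_type, match, value, actual):
    """Test the rule without its negation; actual is the connection's attribute."""
    if rule_type == "IP address":
        addr = ipaddress.ip_address(actual)
        if match in ("is in", "is not in"):
            return any(addr in ipaddress.ip_network(v.strip(), strict=False)
                       for v in value.split(","))
        return addr == ipaddress.ip_address(value)
    actual = str(actual).lower()
    if match in ("is in", "is not in"):
        return actual in [v.strip().lower() for v in value.split(",")]
    if match in ("is like", "is not like"):
        return fnmatch(actual, value.lower())     # wildcard pattern, e.g. *@partner.example
    return actual == value.lower()


def rule_matches(rule, conn):
    rule_type, match, value = rule
    actual = conn.get(rule_type)
    if actual is None:                  # assumption: no attribute, no match (even for "is not")
        return False
    hit = _positive_match(rule_type, match, value, actual)
    return not hit if match.startswith("is not") else hit


def first_matching_rule(rules, conn):
    """Index of the first rule, top down, that matches; None if no rule does."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, conn):
            return i
    return None


def select_group(groups, conn):
    """Name of the first group (in list order) whose rules match the connection."""
    for name, rules in groups:
        if first_matching_rule(rules, conn) is not None:
            return name
    return None


# Constructed groups: ordered list of (name, rules), rules as (type, match, value).
SAMPLE_GROUPS = [
    ("Branch offices", [("IP address", "is in", "10.20.0.0/16, 10.30.0.0/16"),
                        ("Host name", "is", "relay.branch.example")]),
    ("Guest VLAN", [("VLAN identifier", "is", "200")]),
    ("External", [("IP address", "is not in", "10.0.0.0/8, 192.168.0.0/16")]),
]
SAMPLE_USER_GROUPS = [
    ("Partners", [("Sender address", "is like", "*@partner.example")]),
]

if __name__ == "__main__":
    for conn in ({"IP address": "10.20.4.7"},
                 {"IP address": "192.0.2.9", "VLAN identifier": "200"},
                 {"IP address": "198.51.100.3"},
                 {"IP address": "192.168.1.5"}):
        print(conn, "->", select_group(SAMPLE_GROUPS, conn))
    print(select_group(SAMPLE_USER_GROUPS, {"Sender address": "Bob@Partner.Example"}))
```

Because the first matching rule and the first matching group win, the order of the arrows in the dialog is part of the policy: in the sample, a 192.168.x.x host that also sits on VLAN 200 lands in Guest VLAN, not External, only because Guest VLAN is listed first.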

- Sender or recipient address
- Pre-established sender or recipient user groups
- LDAP authentication

Option definitions - Senders and Recipients

This information describes the options available on this page.
Group name, In use?, and Delete: Displays the name of the group, whether it is in use, and provides the option to remove the group from the list.
Add: Opens the Add User Group dialog box.

Option definitions - Add User Group

This information describes the options available in this dialog box.
Group name: Type the name of the group.
Selected or unselected: Select a group and click Edit or Delete Selected Rules as appropriate.
Rule type: Use the arrow icons to move the rules up and down the list. Choose from:
- Sender address
- Recipient address
- Sender user group
- Recipient user group
- LDAP Query (if configured)
The LDAP query and user group options become available only when a user group or LDAP server has been created.
Match: Choose from:
- is
- is not
- is like
- is not like
Value: Type the value that you want to associate with Match.
Add Rule: Adds a new rule to the list.

Task - Add a user group

Use this task to create a user group that can be used in policy selection.

Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and that its queries are providing output.

Task
1 Go to Email | Group Management | Senders and Recipients.
2 Click Add and type a name for the group.

3 Click Add Rule.
4 In Rule type, select LDAP Query. The Value field is populated with the name of the LDAP group you selected.
5 Click OK to close the dialog box.
6 Go to Email | Email Policies | Add Policy...
7 Click Add Rule. In Rule type, select User group.
8 In Value, select the user group you created, and click OK.

Add Directory Service wizard

Use this wizard to add a connection between the appliance and any LDAP servers that you have. Attributes from the LDAP servers can be used by other features in the appliance, such as Recipient Authentication and Address Masquerading.

The appliance comes with a selection of queries already set up for you. Each query can be customized and the results tested to ensure that they are what you expect. The following queries are available:
- List of groups
- Valid recipient
- Group membership
- Delivery MTA
- Synchronization
- Address masquerade

Use the Next > and < Back buttons to navigate through the screens. After you have successfully tested the group and member queries, click Finish to complete the wizard.

Benefits of adding LDAP directory services

This information describes the benefits of adding directory services.

Use the Directory Service wizard to set up a connection between the appliance and an LDAP server so that the attributes in the LDAP server define behavior in your email flow. You can therefore define policies once, and update your LDAP directory to change behavior.

You can modify the following features in the appliance to work with LDAP:
- Recipient Authentication
- Address Masquerading
- Policy selection
- Delivery routes

Custom queries can be created for use in policy selection using the Add Query option in the Add Directory Service wizard.

The appliance supports the following types of LDAP servers:

- Microsoft Active Directory
- Lotus Domino
- Novell NDS
- Generic LDAP Server v3
- Netscape/Sun iPlanet
- Microsoft Exchange

You can set up groups of LDAP servers to ensure high availability by adding secondary servers to the primary LDAP server. The name that you give the primary server (Service name in the Add Directory Service wizard) is the name of the group that you see when you select the LDAP group in the Email Gateway features that work with LDAP, such as Address Masquerading.

Directory Synchronization offers a choice of access. The appliance can query an external directory server in real time, or its own ("on box") cached directory. Attributes on the LDAP server can be accessed in real time (allowing for the most up-to-date data to be available), or be cached on the appliance (a faster option that causes less impact to your network) by using the Cache Result checkbox in the Add Directory Service wizard. Use the Synchronization schedule feature to schedule when to update the cache. A cached result is only as current as the last synchronization: a recipient added to or removed from the directory is not seen by the appliance until the next scheduled update.

Option definitions: Directory Service Details page

This information describes the options available on the Directory Service Details page of the wizard.

Service name
    Enter a name for the service you are adding. This name is displayed in the list of Directory Services.

Secure Communication
    Choose from:
    - Off: not a secure connection. Data, including the bind user name and password entered below, travels between the LDAP server and the appliance in clear text.
    - Secure LDAP: encrypts the LDAP communication over SSL (LDAPS). By default this occurs on port 636.
    - Use TLS: starts a plain LDAP connection and upgrades it to TLS (STARTTLS). By default, this occurs on port 389.

Server address
    Enter the address for the server that hosts the directory service you are adding.

Server type
    Select the type of LDAP server to which you want to connect:
    - Active Directory
    - Domino
    - Novell NDS (eDirectory)
    - Generic LDAP Server v3 (RFC 2251/RFC 2307)
    - Netscape/Sun iPlanet
    - Exchange
    Based on the server type you select, the default queries are modified to match the default attributes. Different server types have different attributes associated with them, depending on the schemas that you have specified.

Base DN
    Enter the base distinguished name to be used by the directory service you are adding.

Username
    Enter the user name needed for the appliance to connect to the directory service. Use a dedicated, read-only directory account: the appliance only needs search access.

Password
    Enter the password needed for the appliance to connect to the directory service.

Referrals
    Select this to allow the appliance to follow LDAP referrals to other servers that hold a part of the directory tree.

Page Size
    Shows the number of results per page. Set to 1000 by default.

Option definitions: Directory Service Queries page

This information describes the options available on the Directory Service Queries page of the wizard.

Query types

List of groups
    Query to get a list of all groups used for selecting a policy.

Group membership
    Query to get the list of groups that an address belongs to.

For the List of groups and Group membership queries: when the primary server and the secondary server have different sets of groups, and Stop On Result is selected on the primary server, only the groups from the primary server appear on the policy creation page. To avoid this, deselect Stop On Result for both queries.

Synchronization
    Query to get all the addresses on the LDAP server to synchronize to the appliance.

Valid recipient
    Query to find whether an email recipient is valid on your LDAP server.

Delivery MTA
    Query to find the Message Transfer Agent (MTA) to which you want to deliver email for a particular recipient.

Address masquerade
    Query to find the email address that you want to masquerade.

Directory Service Query options and actions

Each query has the following options and actions associated with it.

Enabled
    Enables or disables the query.

Cache Result
    Specify whether you want to cache results on the appliance to reduce the time it takes to run the query, and reduce network load. Deselecting this option queries the LDAP server in real time.

Fail Open
    Select to query a secondary LDAP server (if set up) if the primary LDAP server fails.

Stop On Result
    Select to stop a query on a secondary server when a successful result occurs. When the primary server and the secondary server have different sets of groups, and Stop On Result is selected on the primary server, only the groups from the primary server appear on the policy creation page. To avoid this, deselect Stop On Result for the List of groups and Group membership queries.

Add Query
    Click to open a new page of the wizard that allows you to create a new query in addition to the queries already set up for you.

Edit Query
    Select a query, then click Edit Query to open a new page of the wizard that allows you to edit the query.

Remove Query
    Delete the selected query. Default queries cannot be removed.

Test Query
    Click to open a new page of the wizard that allows you to test whether the query provides the results that you want before you apply the configuration to the appliance. When the results are returned, click Next to return to this page.

Finish
    Completes the wizard. The query becomes available to select in areas of the appliance that can work with LDAP, such as:
    - Address Masquerading
    - Recipient Authentication
    - Creating a new policy
    - Delivering email
    You must apply the changes to the appliance for the LDAP query to register and become available to create a new policy.

Option definitions: Directory Service Query page

Use this page of the wizard to add or edit directory service queries. It becomes available when you click Add Query or Edit Query on the Directory Service Queries page.

Full Query String
    Displays the default attributes associated with the query.

Query Name
    The name of the query. Default query names cannot be edited.

Primary Query
    Specify the settings for the primary query:
    - Filter displays the search filters that you want the query to use. Multiple search filters can be specified to make a request of the LDAP server.
    - Identity attribute 1 through 4 contain the individual attributes that you want the query to return.

Secondary Query
    If necessary, create a secondary query as a further query to the first. For example, if the primary query in the Group membership query locates a specific user, you can create a secondary query to discover which user group the user belongs to.

Option definitions: Test Directory Service Query page

This information describes the options available on the Test Directory Service Query page of the wizard. This page becomes available when you click Test Query on the Directory Service Queries page.

To ensure that your query returns the results you want, the wizard provides you with the opportunity to test the queries that you have defined.

Query Name
    The name of the query that you want to test.

Full Query String
    Displays the search filters, and the attributes associated with them.

Perform LDAP Query
    Click to have the query tested with the LDAP server.

Query Results
    The results are displayed within the Query Results area.
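The Directory Service Query page above expands a filter such as mail=%email% with the identity being looked up and, when a secondary server is configured, applies the Fail Open and Stop On Result options. The following added example (not McAfee's code: the (&(objectClass=person)(mail=%email%)) template, the %email% placeholder name, the evaluation rules and the in-memory directories are all assumptions) models that expansion and shows why the substituted identity must be escaped per RFC 4515. A recipient address such as *)(cn=* substituted verbatim into a Valid recipient style filter turns it into a filter that matches every person, while the escaped form matches nothing. The same code reproduces the List of groups caveat: with Stop On Result selected, groups known only to the secondary server never appear.

```python
"""Illustrative model of a directory-service query: how a filter template such
as (&(objectClass=person)(mail=%email%)) is expanded with the identity, why
the identity must be escaped (RFC 4515), and how Fail Open and Stop On Result
change what a primary/secondary server pair returns.  This is added example
code, not McAfee's implementation; the template, the %email% placeholder, the
in-memory directories and the evaluation rules are assumptions."""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, identity, escape=True):
    """Expand every %name% placeholder with the identity.  escape=False
    reproduces the plain string substitution that makes the filter injectable."""
    value = escape_filter_value(identity) if escape else identity
    return re.sub(r"%[A-Za-z]+%", lambda _m: value, template)


def _parse(f, i):
    """Tiny RFC 4515 subset: (attr=value), (&...), (|...), (!...)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i} in {f!r}")
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError(f"expected ')' at {i} in {f!r}")
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, _, value = f[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def parse_filter(f):
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError(f"trailing data after filter: {f[end:]!r}")
    return node


def _value_regex(value):
    """An unescaped '*' is a wildcard; \\xx escapes are literal characters."""
    unhex = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    return re.compile("^" + ".*".join(re.escape(unhex(p)) for p in value.split("*")) + "$",
                      re.IGNORECASE)


def matches(node, entry):
    """entry: {lower-case attribute name: [values]}"""
    op = node[0]
    if op == "=":
        rx = _value_regex(node[2])
        return any(rx.match(v) for v in entry.get(node[1], []))
    kids = node[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)


def run_query(servers, template, identity, attr, fail_open=False, stop_on_result=True):
    """servers: [(name, entries)] in primary, secondary order; entries=None
    models an unreachable server.  Returns the values of attr from every
    matching entry, in the order the servers were consulted."""
    node = parse_filter(render_filter(template, identity))
    found = []
    for name, entries in servers:
        if entries is None:
            if not fail_open:
                raise ConnectionError(f"{name} unreachable and Fail Open is off")
            continue                      # Fail Open: move on to the next server
        hits = [v for e in entries if matches(node, e) for v in e.get(attr, [])]
        found.extend(hits)
        if stop_on_result and hits:
            break                         # Stop On Result: the secondary is never asked
    return found


# Constructed sample directories, not real data.
PRIMARY = [
    {"objectclass": ["person"], "mail": ["alice@example.com"], "cn": ["Alice"], "memberof": ["cn=sales"]},
    {"objectclass": ["person"], "mail": ["bob@example.com"], "cn": ["Bob"], "memberof": ["cn=eng"]},
]
SECONDARY = [
    {"objectclass": ["person"], "mail": ["carol@example.com"], "cn": ["Carol"], "memberof": ["cn=legal"]},
]
VALID_RECIPIENT = "(&(objectClass=person)(mail=%email%))"   # assumed Valid recipient template
LIST_OF_GROUPS = "(objectClass=person)"                      # assumed List of groups template
```

The identity the appliance substitutes comes from mail it receives (for the Valid recipient query, a recipient address taken from the SMTP envelope), so treat it as untrusted when you write custom filters, and use the Test Directory Service Query page to try identities containing *, ( and ) before you apply the configuration.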

Task: Set up the appliance to use a Microsoft Exchange Server as an LDAP server

Use this task to get user attributes from a Microsoft Exchange server.

Before you begin
McAfee recommends that you set up an update interval that is suitable for the amount of data being transmitted. Choosing a too-frequent update interval can impact your network load.

Task
1 Go to Email | Group Management | Directory Services and click Add Server to open the Add Directory Service wizard.
2 On the Directory Service Details page of the wizard, add the following data:
  - In Service name, type Exchange.
  - In Secure Communication, keep the setting at Off. With this setting the bind user name and password, and every query, cross the network in clear text; on a production network select Secure LDAP or Use TLS instead, and set Server port to match.
  - In Server address, type the IP address of the server to which you want to connect.
  - In Server port, keep the setting at 389.
  - In Server type, select Exchange.
  - In Base DN, where the domain name is test.dom, type dc=test, dc=dom.
3 Type the username and password of the server to which you are connecting, and click Next.
4 On the Directory Service Queries page of the wizard, ensure that the following queries have the Enabled and Cache Result checkboxes selected:
  - List of groups
  - Group membership
  - Valid recipient
  - Delivery MTA
  - Address masquerade
5 Click Test to verify that the query returns the information you want, then click Finish.
6 In the Directory Synchronization section of the page, set the frequency to Hourly.
7 In the Directory Services section of the page, select the service you created, then select Add Secondary Server to open the Add Directory Service wizard again.
8 Specify the details of the secondary server that you want to add.

Task: Create a sample LDAP query

This task describes how to create a sample LDAP query for use with a Generic LDAP Server v3 server.

Task
1 Go to Email | Group Management | Directory Services.
2 Click Add Server, and type the name of the service, such as generic.
3 In Server address, add the IP address of the LDAP server to which you are connecting.
4 In Server type, select Generic LDAP Server v3.
5 In Base DN, where the domain name is test.dom, type dc=admin, dc=test, dc=dom.
6 Type the username and password of the server to which you are connecting.
7 Leave the other settings in their default state, and click Next.
8 Click Add Query and type a name for the query.
9 In Filter, add the query filter, such as mail=%email%.
10 In Identity attribute, type the attributes that you want to retrieve, such as cn, and click Next.
11 On the Directory Service Queries page, select the query you created, and click Test Query.
12 In Identity for query, type the email address that you want to get the cn for, and click Perform LDAP Query.
The cn of the email address displays in the Query Results area. The query is available to that directory service.

Quarantine Configuration

Use this page to set your quarantine configurations. From within this page of the user interface, you can access the settings for the quarantine options, quarantine digest options, the digest message content, and quarantine queue settings.

Contents
- Quarantine Options
- Quarantine Digest Options
- Option definitions: Digest Message Content
- Quarantine Queue Settings

Quarantine Options

Use this page to configure your quarantine options.

Email | Quarantine Configuration | Quarantine Options

Option definitions: Quarantine Options page

Use this information to gain an understanding of the options available from the Quarantine Options page.

Use the on box quarantine
    With this selected, the appliance uses its own database to hold quarantined messages.

Use an off box McAfee Quarantine Manager (MQM) service
    Select this to use a McAfee Quarantine Manager (MQM) service hosted on another server. When selected, the following fields are made active:
    - Appliance ID: usually, you would use the default ID.
    - MQM server address: the IP address of the server that is hosting your McAfee Quarantine Manager service.
    - Listening port: the port used by your McAfee Quarantine Manager service.
    - Use HTTPS to communicate with the MQM server: when selected, forces secure communications between the appliance and the McAfee Quarantine Manager server.
    - Verify the MQM server certificate: configures the appliance so that it verifies the MQM server certificate before sending quarantined messages to the McAfee Quarantine Manager server. Without verification, HTTPS protects the quarantined messages only against passive eavesdropping; a host that can redirect the traffic could present its own certificate and receive them. Select both HTTPS options.
    - Enable user submitted blacklists and whitelists: allow your users to blacklist and whitelist quarantined messages from specific senders.
    - Update interval: specify the time between updates between the appliance and your McAfee Quarantine Manager service. The default value is 4 hours.

When you select Use an off box McAfee Quarantine Manager (MQM) service, the Quarantine Digest Options and Digest Message Content tabs are removed from the user interface.

The relationship between quarantine categories displayed in Message Search and MQM

Use this information to understand the differences between the categories used by Message Search within Email Gateway and by McAfee Quarantine Manager.
The following table shows what you will see in the McAfee Quarantine Manager queue for each Email Gateway category detection.

Table: The relationship between quarantine categories displayed in Message Search and MQM

Message Search            McAfee Quarantine Manager
Anti-Phish                Phish
Anti-Spam                 Spam
Anti-Virus                Viruses
Anti-Virus (Packer)       Potentially Unwanted Programs - Packers
Anti-Virus (PUP)          Potentially Unwanted Programs - Potentially Unwanted Programs
Compliance                Unwanted Content - Banned Content
Corrupt Content           Unwanted Content - Encrypted or Corrupted
Data Loss Prevention      Data Leakage Prevention
Encrypted Content         Encryption Compliance
File Filtering            Unwanted Content - Banned File Type
Mail Filtering            Unwanted Content - Mail Format
Mail Size                 Unwanted Content - Mail Format
Signed Content            Unwanted Content - Encrypted or Corrupted
Directory Harvesting      Others
Image Filtering           Unwanted Content - Image Analysis
Denial of Service         Unwanted Content - Banned File Type

Quarantine Digest Options

Use this page to specify how users will receive quarantine digests.

Email | Quarantine Configuration | Quarantine Digest Options

Option definitions: Enable digests

Use this information to understand the options available to enable quarantine digests.

A quarantine digest is an email message that the appliance sends to an email user. The digest describes messages that have been quarantined for the user because the messages contain unacceptable content or spam. The digest does not contain information about viruses and other potentially unwanted program detections.

This page is only available when you have on box quarantine selected.

Enable digest messages
    Specifies whether to enable digest messages for the selected protocol preset.

Email and message
    Reminds you that digest messages are enabled for this protocol preset.

Protocol preset
    Allows you to make settings for any exception to the default setting. For example, you can specify that some parts of the network do not use digest messages.

Option definitions: Digest message options

Use this information to understand the options available to configure your digest messages.

Email, or Email and message
    Reminds you whether digest messages are enabled for this protocol preset.

Sender address for digest messages
    Specifies an email address for an administrator to handle any queries from senders about the digest. We recommend that you assign someone who reads email regularly. You can use the name of a single user or a distribution list.

Message format
    Specifies the format of the digest message. For interactive digests, choose HTML.

Generate interactive messages
    When selected, makes each message interactive. For example, users can release any of their messages that were incorrectly quarantined as spam.

Add the digest as an attachment
    When selected, attaches the digest to the message as an HTML file. Otherwise the digest is embedded in the message.

Message encoding
    Specifies the character set encoding for the message that contains the digest. Default value is UTF-8.

Allow users to create and manage blacklists and whitelists
    To view the settings for user submitted blacklists and whitelists, select Email | Email Policies | Scanning Policies [Spam] | Blacklists and Whitelists | User Submitted in the navigation bar.

Client server communication method
    Specifies the communication method for interactive digests:
    - HTTP POST: parameters are hidden, which means internal information is not visible. However, the users do not receive a response from the appliance when their requests are received.
    - HTTP GET: works with any mail client. A user can receive a response from the appliance. However, the parameters are displayed in the action URL, which means internal information is visible, and is also recorded wherever URLs are logged, such as browser history and web proxy logs. Prefer HTTP POST unless the response is needed.

Appliance IP address or domain name to use in digest messages
    Specifies an IP address or a domain name to appear as the sending information for the digest messages. For example, example.com.

Use the appliance's fully qualified domain name
    When selected, uses the FQDN format (as specified in the appliance's basic settings) instead of an IP address. For example, appliance.example.com.

Message Preview
    When clicked, displays an example of the digest that users will see.

Send
    When clicked, sends all digests that have not been sent since the last scheduled time or since you last pressed the Send button.

Specify the frequency
    Specifies how often to send the digests, for example Weekly on Monday at 12 o'clock. We recommend that you select a time when the network is less busy. Default values are Daily at 3 a.m. If you select Never, you can send the digests by clicking Send.

Quarantine digests might not be delivered exactly at your specified time. The appliance staggers the delivery times to prevent overloading the mail servers.

Option definitions: Digest Message Content

Use this page to design the appearance of quarantine digests and the responses to users' requests.

Email | Quarantine Configuration | Digest Message Content Options

Message subject
    Specifies the text of the subject line of the message that carries the digest. Default value is Quarantine Summary Digest.

Use the default value (several occurrences)
    When selected, uses the default value. To change any item, such as the subject line of the message that carries the digest, deselect its corresponding Use the default value checkbox.

Edit the stylesheet
    When clicked, opens a window that displays the stylesheet that controls the appearance of the digests when in HTML format. To edit the stylesheet, you need some knowledge of CSS (Cascading Style Sheets).

Edit the digest report
    When clicked, opens a window where you can edit the main text of the digest.

Edit the body text
    When clicked, opens a window where you can edit the first sentence of the digest. You can edit the HTML content directly or at source.

Column headings used in the message body
    When Use the default value is deselected, you can change the column headings that the user sees in the digest.

Select a response type
    Selects the type of message that the appliance sends in response to a user's request. For example, a user can request the release of email that was quarantined as spam, and will receive a message to acknowledge the request.

Edit the response body
    When clicked, opens a window where you can edit the text of the response message, if it is in HTML format. You can edit the HTML content directly or at source.

Quarantine Queue Settings

The Quarantine Queues page displays information about all the quarantine queues configured on your McAfee Email Gateway appliance. When viewed from within McAfee ePolicy Orchestrator (McAfee ePO), the queues for all managed McAfee Email Gateway appliances are displayed. The list includes the default quarantine queues as well as any queues that have been added.

Benefits of using multiple quarantine queues

Use multiple quarantine queues to group quarantined messages for analysis.
When you install the Email Gateway software, the system already includes a set of default quarantine queues:
- Viruses
- Other
- Potentially Unwanted Programs (PUPs)
- Phish
- Compliance
- Spam

All quarantined messages go to at least one of these queues. However, a message may trigger more than one quarantine action, and be added to more than one quarantine queue.

Role Restrictions

Access to the quarantine queues is role based, and each queue can have specific roles assigned. The primary value of configuring multiple quarantine queues is to control the users that are permitted to access each queue.
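The following added example (not McAfee's code: the role names, policy names and message samples are constructed, and an off-box custom queue is assumed to apply no role restriction at all, because the page states that permitted roles do not apply to custom queues) models the queue rules of this section: the default queues are fixed, a custom queue cannot be deleted while a policy quarantines to it, and, as described later under "Change the permitted roles for a queue", a role sees a message that sits in several queues in Message Search when it is permitted on any of them, but can only view, download, release, forward or delete it when it is permitted on all of them.

```python
"""Model of the quarantine-queue rules in this section: the default queues are
fixed, a custom queue has no permitted roles and can only be deleted while no
policy uses it, and a role may act on a message only when it is permitted on
every queue the message was quarantined to (Message Search still lists the
message if the role is permitted on any of them).  Added example code, not
McAfee's; the role names, policy names and message samples are constructed,
and a custom (off-box) queue is assumed not to restrict by role at all."""
from dataclasses import dataclass, field

DEFAULT_QUEUES = ("Viruses", "Other", "Potentially Unwanted Programs (PUPs)",
                  "Phish", "Compliance", "Spam")
ACTIONS = ("view", "download", "release", "forward", "delete")


@dataclass
class Queue:
    name: str
    custom: bool
    permitted_roles: set = field(default_factory=set)


class QuarantineConfig:
    def __init__(self):
        self.queues = {name: Queue(name, custom=False) for name in DEFAULT_QUEUES}
        self.policy_targets = {}          # policy name -> queue name it quarantines to

    def add_custom_queue(self, name):
        if name in self.queues:
            raise ValueError(f"queue {name!r} already exists")
        self.queues[name] = Queue(name, custom=True)   # permitted roles do not apply

    def set_permitted_roles(self, queue, roles):
        q = self.queues[queue]
        if q.custom:
            raise ValueError("permitted roles do not apply to custom quarantine queues")
        q.permitted_roles = set(roles)

    def delete_queue(self, name):
        q = self.queues[name]
        if not q.custom:
            raise PermissionError(f"default queue {name!r} cannot be deleted")
        users = sorted(p for p, target in self.policy_targets.items() if target == name)
        if users:
            raise PermissionError(f"queue {name!r} is in use by policies {users}")
        del self.queues[name]

    def _permitted(self, role, queue):
        q = self.queues[queue]
        return q.custom or role in q.permitted_roles

    def visible_in_search(self, role, message_queues):
        """Listed in Message Search: permission on any one of the queues is enough."""
        return any(self._permitted(role, q) for q in message_queues)

    def allowed_actions(self, role, message_queues):
        """View, download, release, forward, delete: permission on every queue."""
        if message_queues and all(self._permitted(role, q) for q in message_queues):
            return ACTIONS
        return ()
```

The all-queues rule is the one to keep in mind when you grant a help-desk role access to the Spam queue only: any message that was also quarantined for a second reason (Phish, Compliance) shows up in their search results but stays locked until a role with access to every queue involved handles it.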

Custom quarantine queues

Using custom quarantine queues permits grouping quarantined messages to suit your organization's needs.

Custom quarantine queues are available only for off box quarantine, using McAfee Quarantine Manager.

You can add custom quarantine queues to your McAfee Email Gateway appliance. When an email message triggers a quarantine action, you can direct the message to your custom queue. This action allows you to track quarantined messages in a more granular manner. You can more easily research the effectiveness of specific policies by isolating the results of the quarantine actions.

Configuring custom queues requires two components:
- Creating the queue
- Configuring policies to quarantine messages to the queue

Using custom quarantine queues

If you are using custom queues, the newly added queue is available for selection in policies straight away. You do not need to apply changes first.

When you create or edit a policy that includes the Quarantine action, select the queue where the McAfee Email Gateway appliances quarantine the messages. When you add a queue and apply your changes, the new queue appears with the other configured queues.

Option definitions: Quarantine queue settings

Use this page to define the settings for each of your configured quarantine queues.

Queue name
    Lists the name of each configured quarantine queue.

Description
    Explains the purpose or expected content for each queue.

Priority
    Shows the queue order that determines where the system quarantines messages that trigger multiple quarantine actions.

Permitted roles
    Shows all configured roles that are permitted access to each queue. Permitted roles do not apply to custom quarantine queues.

Edit
    This link allows you to change the properties for the selected queue. You cannot edit the name of any queue.

Delete
    This icon allows you to delete the associated queue. You cannot delete any of the default queues delivered with McAfee Email Gateway, and can only delete custom quarantine queues that are not currently in use.

Add
    When McAfee Email Gateway is configured to use an off box McAfee Quarantine Manager (MQM) service, this button allows you to add a quarantine queue to the bottom of the list.

Insert
    When McAfee Email Gateway is configured to use an off box McAfee Quarantine Manager (MQM) service, this button allows you to add a quarantine queue and set the desired priority at the same time.

Create a custom quarantine queue

Use this process to add a quarantine queue and set its priority.

Task
1 Navigate to Email | Quarantine Configuration | Quarantine Queue Settings. The window shows the list of quarantine queues on your appliance.
2 At the lower left of the page, click Add. The Queue Properties dialog appears.
3 Type the queue name and a brief description in the proper text fields. You cannot configure permitted roles for a custom quarantine queue. You cannot change the custom queue name after you have applied your changes.
4 Click OK. The dialog closes and your new quarantine queue appears at the bottom of the Quarantine Queues table. The queue is assigned the lowest priority.
5 If you want to change the assigned priority, use the arrows in the Move column to put the queue in its proper place.
6 Apply your changes by clicking the green checkmark at the upper right of the page.

Your new quarantine queue is now ready to receive quarantined messages.

If you select an existing queue from the list and then click Insert instead of Add, you can create a quarantine queue and set the desired priority in one step.

If you have configured your appliances to quarantine messages to a McAfee Quarantine Manager, the custom queue appears on the MQM after you apply the changes.

Change the permitted roles for a queue

Use this task to reconfigure the roles associated with a specific quarantine queue.

Before you begin
Completing this task assumes that you have defined the required roles and have included access to quarantine configuration and Message Search in the appropriate roles. Even if the defined roles have the ability to access quarantine configuration, they will not be able to access the specific queues until permission is granted on this page.

Permitted roles do not apply to custom quarantine queues.

If an email message has been quarantined to multiple quarantine queues, the user will be able to see the message within Message Search. However, unless they have the relevant permissions for all queues to which the message has been quarantined, they will not be able to view or download the message, or perform any actions (delete, release, forward) on the message.

Task
1 Navigate to Email | Quarantine Configuration | Quarantine Queue Settings. The Role Restrictions list displays.
2 For the quarantine queue you wish to change, select the Edit link. The Change Permitted Roles dialog displays, listing all configured roles that have access to Message Search. The roles assigned to the specific queue are indicated by the selected check box in the Permitted column.
3 Make changes to the permitted roles by selecting or deselecting the appropriate check boxes.
4 Click OK. The Change Permitted Roles page closes. Your reconfigured permissions now appear in the Permitted roles for Message Search on the Role Restrictions list.

Delete a quarantine queue

When a specific quarantine queue is no longer useful, you can delete it. You cannot delete any of the default queues included with the McAfee Email Gateway software. Only custom quarantine queues that are not currently in use can be deleted.

Task
1 Navigate to Email | Quarantine Configuration | Quarantine Queue Settings. The window shows the list of quarantine queues on your appliance.
2 Find the user-defined quarantine queue you want to delete. Click the associated Delete icon to the far right of the queue name. A confirmation dialog box appears. If the queue is in use by one or more policies, the icon is unavailable.
3 To confirm the deletion, click OK. The selected queue disappears from the page.
4 Complete the deletion by applying your changes. The quarantine queue is deleted.

5 Overview of System menu

Overview topic for the System menu chapter.

Contents
- Appliance Management
- System Administration
- Users
- Virtual Hosting
- Logging, Alerting and SNMP
- Component Management
- Setup Wizard

Appliance Management

The Appliance Management pages enable you to reset basic and network settings for the appliance, and specify settings such as remote access, and DNS and Routing.

System | Appliance Management

Use these pages to define settings for the appliance, such as the domain name and default gateway.

General

Use this page to specify basic settings for the appliance, like those you defined in the Setup Wizard. The appliance can handle IP addresses in IPv4 and IPv6 formats.

System | Appliance Management | General

The page has these sections:
- Basic Settings displays settings such as the default gateway and domain name.
- Network Interface Settings displays the current network interface settings for NIC 1 and NIC 2.

Some sections are relevant only when the appliance is in the appropriate mode.

Benefits of the appliance settings

From this page you can also change the operating mode, and set up the IP address and adapter settings for NIC 1 and NIC 2, in IPv4 or IPv6 format.

Option definitions: Basic Settings

This information describes each option in this section.

Table 5-1 Option definitions: Basic Settings

Appliance name
    Specifies a name, such as appliance1.

Domain name
    Specifies a name, such as domain.example.com.

Default gateway (IPv4)
    Specifies an IPv4 address.

Next hop router (IPv6)
    Specifies an address, such as FD4A:A1B2:C3D4::1.

Operational language
    Selects the language that will be used for internal reporting and error messages.

Network Settings page

Use these options to view and configure the IP address and network speeds for the appliance. You can use IPv4 and IPv6 addresses, separately or in combination.

To prevent duplication of IP addresses on your network and to deter attackers, give the appliance new IP addresses, and disable the default IP addresses. The IP addresses must be unique and suitable for your network. Specify as many IP addresses as you need.

<mode>
    The operating mode that you set during installation or in the Setup Wizard.

Network Interface 1
    Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU.

Network Interface 2
    Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU.

Change Network Settings
    Click to open the Network Interfaces Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and change the chosen operating mode.

View Network Interface Layout
    Click to see the interface layout associated with LAN1, LAN2, and the out-of-band interface.

Network Interfaces Wizard

Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address and adapter settings for NIC 1 and NIC 2. The options you see in the Network Interfaces Wizard depend on the operating mode. On the first page of the wizard, you can choose to change the operating mode for the appliance.

You can change the settings by clicking Change Network Settings to start the wizard. Click Next to progress through the wizard.

In Explicit Proxy mode, some network devices send traffic to the appliance. The appliance then works as a proxy, processing traffic on behalf of the devices.

In Transparent Router or Transparent Bridge mode, other network devices, such as mail servers, are unaware that the appliance has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to the devices.

If you have a standalone appliance running in transparent bridge mode, you have the option to add a bypass device in case the appliance fails. Bear in mind that while the bypass is active, mail passes through unscanned.

If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is running on your network, make sure that the appliance is configured according to STP rules. Additionally, you can set up a bypass device in Transparent Bridge mode.

To configure your McAfee Content Security Blade Server to fail over from the management blade to the failover management blade, you must specify at least one virtual IP address, shared between the management and failover management blades.

Network Interfaces Wizard: Explicit Proxy mode

Use the Network Interfaces Wizard to change the chosen operating mode, and to specify the IP address and adapter settings for NIC 1 and NIC 2. This version of the Network Interfaces Wizard becomes available when you select Explicit Proxy mode. Specify the details for Network Interface 1, then use the Next button to set details for Network Interface 2 as necessary.

Network Interface 1 or Network Interface 2 page
    IP Address
        Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance's network ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases. You must have at least one IP address in both Network Interface 1 and Network Interface 2. However, you can deselect the Enabled option next to any IP addresses that you do not wish to listen on.
    Network Mask
        Specifies the network mask. In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
    Enabled
        When selected, the appliance accepts connections on the IP address.
    Virtual
        When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server.

    New Address / Delete Selected Addresses
        Add a new address, or remove a selected IP address.
    NIC 1 Adapter Options or NIC 2 Adapter Options
        Expand to set the following options:
        MTU size: specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
        Autonegotiation state: either On, which allows the appliance to negotiate the speed and duplex state for communicating with other network devices, or Off, which allows you to select the speed and duplex state.
        Connection speed: provides a range of speeds. The default value is 100MB. This value is fixed at 1GB for fiber connected systems.
        Duplex state: provides duplex states. The default value is Full duplex.
    Enable IPv6 auto configuration
        Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in Transparent Router mode, is part of a cluster configuration, or is running as part of a Blade Server installation.

Network Interfaces Wizard: Transparent Router mode

Use the Network Interfaces Wizard to change the chosen operating mode, then specify the IP address and adapter settings for NIC 1 and NIC 2.

Network Interface 1 or Network Interface 2 pages
    IP Address
        Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance's ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases.
    Network Mask
        Specifies the network mask. In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
    Enabled
        When selected, the appliance accepts connections on that IP address.
    Virtual
        When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server.

    New Address / Delete Selected Addresses
        Add a new address, or remove a selected IP address.
    NIC 1 Adapter Options or NIC 2 Adapter Options
        Expand to set the following options:
        MTU size: specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
        Autonegotiation state: either On, which allows the appliance to negotiate the speed and duplex state for communicating with other network devices, or Off, which allows you to select the speed and duplex state.
        Connection speed: provides a range of speeds. The default value is 100MB. This value is fixed at 1GB for fiber connected systems.
        Duplex state: provides duplex states. The default value is Full duplex.
    Enable IPv6 auto configuration
        Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in Transparent Router mode, is part of a cluster configuration, or is running as part of a Blade Server installation.
    Enable sending IPv6 router advertisements on this interface
        When enabled, allows IPv6 router advertisements to be sent to machines on the subnet that require a router response to complete auto configuration.

Network Interfaces Wizard: Transparent Bridge mode

Use the Network Interfaces Wizard to change the chosen operating mode, and to specify the IP address and adapter settings for NIC 1 and NIC 2. Specify the details for the Ethernet Bridge, then use the Next button to set details for the Spanning Tree Protocol and Bypass Device as necessary.

Option definitions: Ethernet Bridge page
    Select all
        Click to select all the IP addresses.
    IP Address
        Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance's ports. The IP addresses are combined into one list for both ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases. Use the Move links to reposition the addresses as necessary.
    Network Mask
        Specifies the network mask. In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
    Enabled
        When selected, the appliance accepts connections on that IP address.

    New Address / Delete Selected Addresses
        Add a new address, or remove a selected IP address.
    NIC Adapter Options
        Expand to set the following options:
        MTU size: specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
        Autonegotiation state: either On, which allows the appliance to negotiate the speed and duplex state for communicating with other network devices, or Off, which allows you to select the speed and duplex state.
        Connection speed: provides a range of speeds. The default value is 100MB. This value is fixed at 1GB for fiber connected systems.
        Duplex state: provides duplex states. The default value is Full duplex.
    Enable IPv6 auto configuration
        Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in Transparent Router mode, is part of a cluster configuration, or is running as part of a Blade Server installation.

Option definitions: Spanning Tree Protocol Settings page
    Enable STP
        STP is enabled by default.
    Bridge priority
        Sets the priority for the STP bridge. Lower numbers have a higher priority. The maximum number that you can set is
    Advanced parameters
        Expand to set the following options. Change the settings only if you understand the possible effects, or you have consulted an expert:
        Forwarding delay
        Hello interval (seconds)
        Maximum age (seconds)
        Garbage collection interval (seconds)
        Ageing time (seconds)

Option definitions: Bypass Device Settings page

The bypass device inherits settings from those you entered in NIC Adapter Options.
    Select bypass device
        Choose from two supported devices.
    Watchdog timeout (seconds)
        For the bypass device, the time, in seconds, that can elapse before the system bypasses the appliance.

    Heartbeat interval (seconds)
        Set to monitor the heartbeat by default. This option becomes active when you select a bypass device.
    Advanced parameters
        Mode: choose to monitor the heartbeat, or the heartbeat and the link activity.
        Link activity timeout (seconds): becomes active when you select Monitor heartbeat and link activity in Mode.
        Enable buzzer: enabled by default. If the bypass device fails to detect the heartbeat signal for the configured Watchdog timeout, the buzzer sounds.

DNS and Routing

Use this page to configure the appliance's use of DNS and routing.

System | Appliance Management | DNS and Routing

The page has these sections:
    DNS Servers
    Routing

Benefits of specifying DNS servers and adding routes

Use this page to understand the benefits of using DNS and routing.

When you first log on to the appliance, the DNS and Routing page displays the servers and routes that you specified in the Setup Wizard. Use this page to review the entries, add or remove routes and servers, and change their priority.

Domain Name System (DNS) servers translate or map the names of network devices into IP addresses. Use the arrows to move the servers up and down the list. The first server in the list must be your nearest, or most reliable, server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet.

You can set the appliance to use dynamic routing if:

    The appliance is in Transparent Router mode
    Your network supports it

By default, the appliance uses the common dynamic routing protocol called Routing Information Protocol (RIP).

Option definitions: DNS Servers

This information describes each option in this section.
    Server Address
        Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution.
    New Server / Delete Selected Servers
        Adds a new server to the list, or removes one when, for example, you need to decommission a server due to network changes. Use the arrows to move the servers up and down the list.
    Only send queries to these servers
        Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries, as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests, or might query DNS servers outside your network.

Option definitions: Routing

This information describes each option in this section.
    Network Address
        Type the network address of the route.
    Mask
        Specifies how many hosts are on your network, for example,
    Gateway
        Specifies the IP address of the router used as the next hop out of the network. The address (IPv4), or :: (IPv6), means that the router has no default gateway.
    Metric
        Specifies the preference given to the route. A low number indicates a high preference for that route.
    New Route / Delete Selected Routes
        Add a new route to the table, or remove one. Use the arrows to move the route up and down the list. The routes are chosen based on their metric value.
    Enable dynamic routing
        Use this option in Transparent Router mode only. When enabled, the appliance can:
        receive broadcast routing information over RIP (the default) and apply it to its routing table, so you don't have to duplicate on the appliance routing information that is already present in the network.
        broadcast routing information over RIP if static routes have been configured through the user interface.

Setting up a list of DNS servers

Use this task to set up a list of DNS servers.

Task
1 Click System | Appliance Management | DNS and Routing.
2 Click New Server and type the IP address. The appliance sends requests to DNS servers in the order that they are listed.
3 If necessary, click Only send queries to these servers, and choose the servers.

Setting up a static route

Use this task to set up a static route.

Task
1 Go to System | Appliance Management | DNS and Routing.
2 Click New Route, and add the following information:
    Network Address
    Gateway
    Metric
3 Apply the changes.

Time and Date

Use this page to configure time and date settings on the appliance.

System | Appliance Management | Time and Date

Useful websites (for current UTC time)

Benefits of setting the time and date options

This topic describes the benefits of the time and date settings.

Correct time settings are important to ensure that the appliance keeps its logs, reports and schedules accurate. You can provide the details manually, from your own computer, or via the Network Time Protocol (NTP).

Option definitions: Time and Date

This information describes each option on this page.
    Appliance Time Zone
        Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time.
    Appliance Time (UTC)
        Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as
    Set Now
        When clicked, applies the date and UTC time that you specified in this row.
    Client Time
        Displays the time according to the client computer from which your browser is currently connected to the appliance.
    Synchronize appliance with client
        When selected, the time in Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to setting Appliance Time (UTC) manually. The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight saving adjustments. To find the setting on Microsoft Windows, right click the time display in the bottom right corner of the screen.
    Enable NTP
        When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance.
    Enable NTP client broadcasts
        When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network, but it must trust other devices in the network. When deselected, accepts NTP messages only from servers specified in the list.
    NTP Server
        Displays the network address or domain name of one or more NTP servers that the appliance uses, for example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time.
    New Server
        Type the IP address of a new NTP server.

Using an NTP server to set the appliance date and time

Use this task to add an NTP server to manage the appliance time and date.

Task
1 Click System | Appliance Management | Time and Date.
2 Select Enable NTP and click New Server.
3 Type the IP address of the server that you wish to add.

Remote Access

Use this page to specify the methods of accessing the appliance remotely.

System | Appliance Management | Remote Access

The page has these sections:
    Secure Shell Configuration
    User Interface Access Configuration
    Out of Band Management

You can still access the user interface using the IP address of the appliance itself.

Benefits of using the remote access feature

This topic describes the benefits of using the remote access feature.

This feature controls access to the user interface and the secure shell, and provides an extra layer of protection in addition to that provided by username and password authentication. Use the out of band interface if you do not want the user interface or secure shell to be accessible on the same network as the data traffic that is being scanned.

Option definitions: Secure Shell Configuration

This information describes each option in this section.
    Enable the secure shell
        Click to enable the use of Secure Shell (SSH) to connect remotely to your appliance. By default, when you enable the use of SSH, it allows all hosts or networks that can access the appliance. Click Allow permitted hosts / networks listed below, then select New Address to grant access only to the specified devices. You can use your SSH client to access the support account on the appliance. Use the same password that you use to access the interface from a remote computer. If you are using out of band management and have blocked port 22, change the SSH configuration to allow Secure Shell access.
    Permitted Host / Network
        Displays details of devices that can access the appliance. By default, access is available to ALL hosts or networks that can use Secure Shell (SSH). The entries here are added to the /etc/hosts.allow file, and therefore must follow its conventions. We recommend that you allow access to known domains or users initially. Click New Address / Delete Selected Addresses to add or remove permitted hosts or networks from the list.
        To add a network, use the following notation formats:
            IPv4: /24 or / (allows every host with a network address beginning to access the secure shell)
            IPv6: [3ffe:505:2:1::]/64 (allows every address in the range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff)
            domain wildcards: *.example.com (allows all hosts in the example.com domain to access the secure shell)
        To add an individual host, use the following notation formats:
            IPv4: (only allows the particular IP address to access the secure shell)
            IPv6: [2001:470:921b:7896::3c]. The [ ] must be typed.
            hostname: host1.example.com (only allows host1 in the example.com domain to access the secure shell)
        To add individual hosts, netmasks cannot be used.
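A mistyped entry in the permitted hosts list (or in the IPv4-only list that the User Interface Access Configuration uses) can lock administrators out, so it pays to check the list before applying it. The following Python script is an added example, not McAfee code: it validates entries written in the hosts.allow-style notation described above and reports whether a given administrator client would still be admitted. All addresses and hostnames in it are constructed from documentation ranges and example.com.

```python
"""Validate remote-access allow-list entries written in the hosts.allow-style
notation the appliance accepts, and check that a given client is still admitted
before the list is applied.  Added example, not McAfee code; every address and
name below is constructed (RFC 5737 / RFC 3849 ranges, example.com).
"""
import fnmatch
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# DNS labels, optionally led by "*."; IPv6 must be bracketed, optional /prefix.
_NAME_RE = re.compile(r"^(\*\.)?(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")
_V6_RE = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?:/(\d{1,3}))?$")


def parse_entry(entry: str, ipv4_only: bool = False) -> Tuple[str, object]:
    """Classify one entry as (kind, value) or raise ValueError.
    kind: ipv4_host, ipv4_net, ipv6_host, ipv6_net, hostname or wildcard.
    ipv4_only=True mirrors the User Interface Access list (IPv4 only)."""
    e = entry.strip()
    if not e:
        raise ValueError("empty entry")
    if e.startswith("["):                       # IPv6 must be written inside [ ]
        if ipv4_only:
            raise ValueError(f"{entry!r}: IPv6 is not accepted in this list")
        m = _V6_RE.match(e)
        if not m:
            raise ValueError(f"{entry!r}: malformed IPv6 entry")
        addr, plen = m.groups()
        if plen is None:
            return "ipv6_host", ipaddress.IPv6Address(addr)
        return "ipv6_net", ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
    if ":" in e:
        raise ValueError(f"{entry!r}: IPv6 addresses must be enclosed in [ ]")
    if "/" in e:                                # IPv4 network: /prefix or /dotted mask
        net = ipaddress.IPv4Network(e, strict=False)    # ValueError if malformed
        if net.prefixlen == 32:
            raise ValueError(f"{entry!r}: netmasks cannot be used for individual hosts")
        return "ipv4_net", net
    try:
        return "ipv4_host", ipaddress.IPv4Address(e)
    except ipaddress.AddressValueError:
        pass                                    # not an address: try a name
    if _NAME_RE.match(e):
        return ("wildcard" if e.startswith("*.") else "hostname"), e.lower()
    raise ValueError(f"{entry!r}: not an address, network, hostname or *.domain")


def entry_admits(parsed: Tuple[str, object], client_ip: str,
                 client_name: Optional[str] = None) -> bool:
    """True if one parsed entry admits a client with this IP (and optional name)."""
    kind, value = parsed
    ip = ipaddress.ip_address(client_ip)
    name = (client_name or "").lower()
    if kind in ("ipv4_host", "ipv6_host"):
        return ip == value
    if kind in ("ipv4_net", "ipv6_net"):
        return ip.version == value.version and ip in value
    if kind == "hostname":
        return name == value
    return bool(name) and fnmatch.fnmatchcase(name, value)   # *.domain wildcard


def review_allow_list(entries: List[str], admin_ip: str,
                      admin_name: Optional[str] = None,
                      ipv4_only: bool = False) -> Dict[str, object]:
    """Parse every entry and report whether the administrator's own client
    would still be admitted once the list is applied (lockout guard)."""
    ok, errors = [], []
    for ent in entries:
        try:
            ok.append((ent, parse_entry(ent, ipv4_only)))
        except ValueError as exc:
            errors.append(str(exc))
    admitting = [ent for ent, p in ok if entry_admits(p, admin_ip, admin_name)]
    return {"valid": [ent for ent, _ in ok], "errors": errors,
            "admin_admitted_by": admitting,
            "safe_to_apply": not errors and bool(admitting)}


# Constructed sample list for the Secure Shell permitted hosts / networks.
SAMPLE_ENTRIES = [
    "192.0.2.0/24",                  # IPv4 network, prefix length
    "198.51.100.0/255.255.255.0",    # IPv4 network, dotted netmask
    "[2001:db8:1::]/64",             # IPv6 network
    "*.example.com",                 # every host in the domain
    "203.0.113.7",                   # single IPv4 host
    "[2001:db8:2::3c]",              # single IPv6 host
    "host1.example.com",             # single host by name
    "203.0.113.8/32",                # rejected: netmask on an individual host
    "2001:db8::9",                   # rejected: IPv6 without [ ]
]

if __name__ == "__main__":
    report = review_allow_list(SAMPLE_ENTRIES, "203.0.113.7", "admin.example.com")
    print("rejected:", report["errors"])
    print("admin admitted by:", report["admin_admitted_by"], "safe:", report["safe_to_apply"])
```

Pass ipv4_only=True when checking the User Interface Access list, which rejects the bracketed IPv6 forms.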
Option definitions: User Interface Access Configuration

This information describes each option in this section.
    Management Port
        This field allows you to specify the port used to access the user interface. When the McAfee Email Gateway is first installed, port 443 is used. However, during the configuration process, this value is changed by default to . If you intend to use any of the encryption features within McAfee Email Gateway, you must change the management port to and apply these settings.
    Allow all hosts / networks
        Allows anyone to connect to the user interface.

    Allow permitted hosts / networks listed below
        Displays details of devices that can access the appliance through its web based interface (IPv4 addresses only). Restricts access to the user interface to the hosts or networks that you specify here. By default, access is available to ALL devices. Click New Address / Delete Selected Addresses to add or remove permitted hosts or networks from the list. Type the IP addresses or domains carefully, otherwise the appliance can become inaccessible.
        To add a network, use the following notation formats:
            IPv4: /24 or / (allows every host with a network address beginning to access the user interface)
            domain wildcards: *.example.com (allows all hosts in the example.com domain to access the user interface)
        To add an individual host, use the following notation formats:
            IPv4: (only allows the particular IP address to access the user interface)
            hostname: host1.example.com (only allows host1 in the example.com domain to access the user interface)
    Administrator's Email Address
        The email address of the main appliance administrator. This address appears, in the form of the webmaster's address, if someone tries to access an invalid page on the appliance user interface.

Option definitions: Out of Band Management

This information describes each option in this section.

Normally, the commands you issue to the appliance are part of the network traffic. With out of band management, your commands are directed to a third port on the appliance, and become separate (or out of band) from the other network traffic.

Before enabling out of band management, make sure you have first connected the external USB Ethernet adapter to your appliance and to a suitable network. Some later appliances have inbuilt out of band management already, and do not need to have it separately enabled. To find out whether this applies to your appliance, see the Email Gateway Quick Start guide.

    Enable the out of band interface
        When selected, allows you to control the appliance through a direct connection.
    Ethernet adapter
        Offers a choice of Ethernet adapter, such as Belkin F5D5050 for a USB network adapter, or Gb4(mb3) for the inbuilt network adapter.
    IP Address / netmask
        Specifies the IP address and network mask for the port. You cannot type an IP address that is on the same subnet as the normal operational ports.

    NIC Adapter Options
        Specifies various details for the out of band connection, which is effectively a third NIC connection for the appliance.
        MTU size: the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
        Autonegotiation state: on by default.
        Connection speed: 100Mbps by default.
        Duplex state: Full by default.
        Enable IPv6 auto configuration: select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is grayed out by default if your appliance is running in Transparent Router mode, or is part of a cluster configuration.
    Enable in band management
        Specifies ports to prevent any attempts to access the appliance via those ports over the main (non management) interface.
    New Port / Delete Selected Port
        Add a port to the list, or remove the selected port.

Option definitions: Remote Access Card

This information describes each option in this section.

In 3300 and 3400 versions of the appliance, there is a built in remote access card installed. This section of the interface does not appear on other appliance models.
    Enable remote access card configuration
        Select to have the appliance manage the remote access card through the user interface.
    Listening port
        Set the listening port. Set to 443 by default.
    Obtain an IP address dynamically using DHCP
        Select whether you want the appliance to obtain an IP address dynamically using DHCP.
    IP address / netmask
        Specifies the IP address and network mask for the port. You cannot type an IP address that is on the same subnet as the normal operational ports.

    DRAC Network Options
        Expand this option to:
        Specify the default gateway
        Select whether you want the appliance to obtain DNS information dynamically using DHCP
        Add the primary and secondary DNS servers
    DRAC Adapter Options
        Expand this option to:
        See the version of the firmware
        Set the MAC address
        Set the size of the MTU (1500 by default). That is, the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection.
        Use autonegotiation (on by default)
        Check the connection speed (100 Mb by default)
        Set the duplex state (Full by default)

Manage the appliance from a management network

Use this task to set up a management network to manage the appliance.

Task
1 Go to System | Appliance Management | Remote Access.
2 Click Enable the out of band interface.
3 Use the drop down box to select the USB driver, or the inbuilt Ethernet adapter.
4 Type the IP address and netmask of the out of band interface.
5 Expand the NIC Adapter Options area (optional), and change any necessary information.
6 Apply the changes and log off the appliance.
7 Go to the IP address you specified earlier to access the user interface.

Restrict management access to the appliance to the management network

Use this task to restrict access to the appliance to the management network.

Task
1 Access the appliance through the out of band interface, and go to System | Appliance Management | Remote Access.
2 Deselect Enable in band management. By default, the user interface (port 443), the secure shell (port 22), and SNMP (port 161) are blocked on the appliance IP address.
3 Click New Port to add any new ports that you want to block on the main appliance IP address and only access through the management network.
4 Apply the changes.

To monitor your appliance using mechanisms such as the off box syslog feature, go to System | Logging, Alerting and SNMP, and configure the remote server, ensuring that it can be routed through the out of band network.

Gateway Certificate

Specify the certificate that is used to verify the administrator's appliance login credentials, and the default certificate that is used with TLS.

System | Appliance Management | Gateway Certificate

Benefits of the Gateway Certificate

Gateway Certificates are used to verify the identity of your McAfee Email Gateway. By verifying the identity of your McAfee Email Gateway 7.5.0, other systems can provide secure communications to and from your system.

Option definitions: Gateway Certificate

This information describes the options available on this page.
    Country [C]
        Specifies a two letter code such as CN, DE, ES, FR, JP, KR (see ISO 3166). The default value is US.
    State or province [ST], Town or city [L]
        Specifies the location of your organization. Give a full name rather than an abbreviation.
    Organization [O]
        Specifies the name of your organization, such as Example, Inc.
    Organizational unit [OU]
        The default value is Gateway.
    Common name [CN]
        Displays the domain name of your appliance, such as server1.example.com.
    Email address [ea]
        Specifies an email address, for example aaa@mcafee.com.
    Import
        When clicked, opens a window where you can specify the file. To import a password protected certificate, type the passphrase to unlock the private key. The appliance stores the decrypted certificate in a secure internal location. The appliance only verifies the certificate, and makes it available to use, after you click the icon to apply your changes.
    Export
        When clicked, opens a window where you can specify a passphrase, then download a file. The file name extension is CRT (base 64 encoded) or P12 (PKCS#12). The certificate is in PEM format.
    Generate Certificate Signing Request
        When clicked, opens a window where you can request that the Certificate Signing Request is signed by a Certificate Authority on the appliance or by an external Certificate Authority. The file name extension is CSR.
    Regenerate
        When clicked, you are prompted to confirm that you want to regenerate the certificate and private key.

Certificate and Key Export wizard

Export the certificate and key from your McAfee Email Gateway.

Table 5-2 Certificate and Key Export wizard page 1
    Export the certificate only (no private keys)
        Select if you want to export the certificate only, without including your private keys.
    Format
        Select to export your certificate and keys in Base 64 encoding, or as a PKCS#12 secure key file. By default, Base 64 encoding is used.

This page only appears if you have not selected Export the certificate only (no private keys) on page 1 of this wizard.

Table 5-3 Certificate and Key Export wizard page 2
    Protect the private key with the following passphrase
        Password protect the private key within the exported file.
    Confirm the passphrase
        Re enter the password to ensure that it matches your first attempt.

Table 5-4 Certificate and Key Export wizard page 3
    Download
        To download the exported certificate, click the link provided. Depending on your browser, you may need to right click the link and select the option to save the file locally. When the file has been downloaded locally, click Finish to close this wizard.

UPS Settings

Understand how to configure your McAfee Email Gateway to work with third party Uninterruptible Power Supply (UPS) systems.

System | Appliance Management | UPS Settings

Benefits of specifying a UPS

The appliance can monitor the status of any number of UPS systems, allowing a graceful shutdown if the main power supply fails. The appliance can also notify other devices about the event. Using a name and password, other devices (called "clients") can access information from the appliance about the UPS systems, allowing the clients to respond to an imminent loss of power.

Option definitions: UPS Device Configuration

This information describes each option in this section.
    Delay before shutting down the appliance when switching to UPS power
        Specifies the number of minutes before the appliance shuts down. The default As long as possible option means that the power stays on until the UPS signals that the battery is low. If you set the minutes value to zero, the appliance shuts down immediately.
    Status
        Displays the status of the device: Operating normally, Needs attention, or Needs immediate attention.
    Devices and Driver
        Displays the type (model) of the UPS device and driver.
    Type
        Displays the type of connection between the appliance and the UPS: USB Cable, Serial Cable, or Network.
    New Device
        When clicked, opens the Add UPS Device wizard, where you can specify UPS settings for the (master) appliance that connects to the UPS, or settings for one or more appliances (slaves) that connect to the master appliance via the network.

Option definitions: Accept UPS status requests from the following addresses

This information describes each option in this section. This section appears when you add a new UPS device.
    Appliance Name or Address
        Displays the IP address of the monitoring device.
    Type
        Displays the status of the monitoring device. Every added device is defined as Slave. This list always contains one Master entry.
    New Client
        When clicked, opens a window where you can specify the address of the client, and a user name and password that the client must specify to access the UPS information. The user name and password are those specified when you set up the master device.

Add a USB UPS device

Use this task to specify a USB UPS device.

Task
1 Connect the USB UPS to the appliance to ensure that the list displays the UPS.
2 Go to System | Appliance Management | UPS Settings.
3 Click Enable UPS support, and click New Device.
4 Select USB Device, then click Next.
5 Select the appropriate values for Vendor Name, UPS Device Model, and Attached USB Device. To begin with, you can keep the default Off delay and On delay settings.
6 Click Finish and apply the changes.

7 Click Edit, then click Next to change more configuration options. These options appear when the UPS is working (shown by a green checkmark in the Status column).
8 Edit the following options as applicable:
   - Remaining battery level when UPS switches to low battery
   - Remaining battery runtime when UPS switches to low battery
   - Interval to wait after shutdown with delay command
   - Interval to wait before (re)starting the load
9 Click Finish, then apply the changes.

Task: Add a serial UPS device

Use this task to add a serial UPS device.

Task
1 Connect the serial UPS to the appliance using the serial cable supplied with the UPS.
2 Go to System | Appliance Management | UPS Settings.
3 Click Enable UPS support, and click New Device.
4 Select Serial Device, then click Next.
5 Select appropriate values for Vendor Name, UPS Device Model, and Serial Port.
6 Click Finish, then apply the changes.
7 Click Edit to change the following options as applicable. These options appear when the UPS is working (shown by a green checkmark in the Status column).
   - Remaining battery level when UPS switches to low battery
   - Remaining battery runtime when UPS switches to low battery
   - Interval to wait after shutdown with delay command
   - Interval to wait before (re)starting the load
8 Click Finish, then apply the changes.

Task: Configure your appliance to accept UPS status requests from other appliances

Use this task to have the appliance accept UPS status requests from other appliances.

Task
1 Ensure that your UPS is working (a green checkmark shows in the Status column).
2 Go to System | Appliance Management | UPS Settings.
3 Select New Client.
4 In Client Address, type the IP address of the client that you wish to allow queries from.

5 Note the information in the Username and Password fields; you will need them later to enter into the client machine.
6 Select OK.

Task: Set up a client appliance to monitor a UPS on another appliance

Use this task to have a client appliance monitor a UPS on another appliance.

Task
1 Complete the steps in Configure your appliance to accept UPS status requests from other appliances.
2 Go to System | Appliance Management | UPS Settings.
3 Click Enable UPS support, and click New Device.
4 Select Get Power status from another appliance, then click Next.
5 Type the name or IP address of the appliance that has the UPS connected to it.
6 Add the username and password that you made a note of in Configure your appliance to accept UPS status requests from other appliances.
7 Click Test Authentication to check that the communication is working, then click Finish and apply the changes.

Add UPS Device Wizard

Use this wizard to select the type of UPS device that you want to add, and specify its details.

System | Appliance Management | UPS Settings | New Device

Option definitions: UPS Device Connection

Use this page of the wizard to specify how you are going to connect to the UPS device.

Table 5-5 Option definitions
  USB device
  Serial device
  Get power status from another appliance: This option is unavailable until you add a USB device.
The options you see in the wizard depend on the type of device that you choose.

Option definitions: USB Device Details screen

This information describes the options available on this page of the wizard.
  Vendor name: Lists supported vendors.
  UPS device model: Select from the list of supported USB models supplied by the vendor you chose.
  Attached USB device: Details of the USB device.

  Off delay: The length of time, in seconds, that the UPS waits before turning off after it receives the "turn off" command.
  On delay: The length of time, in seconds, that the UPS waits before restoring power after the mains power returns.

Option definitions: Serial Device Details screen

This information describes the options available on this page of the wizard.
  Vendor name: Lists supported vendors.
  UPS device model: Select from the list of supported models supplied by the vendor you chose.
  Serial port: Select the serial port that you want to use. COM1 is the built-in serial port on the appliance.

Option definitions: Get power status from another appliance

This information describes the options available on this page of the wizard.
  Appliance name or address: The host name or IP address of the master appliance.
  User name: The username given to the master appliance.
  Password: The password assigned to the master appliance.
  Test Authentication: Click to test the connection between the appliance and the master device defined above.

Default Server Settings

Use this page to specify details of the HTTP and FTP proxy servers through which the appliance receives updates, and to set up a remote backup server.

System | Appliance Management | Default Server Settings

The page has these sections:
- Default HTTP proxy settings
- Default FTP proxy settings
- Default remote backup settings

There are three options to choose from to back up to a remote server:
- FTP
- SSH with password authentication
- SSH with public key authentication

Benefits of configuring default server settings

This information describes the benefits of specifying a remote FTP or HTTP server to get updates, and of setting up a remote backup server. The default remote backup server that you specify here is used by the appliance as the default server to:

- get threat detection file updates (anti-virus and anti-spam)
- install package updates (patches and hotfixes)

You can set the appliance to use different servers for each of those actions in their related configuration wizards.

Option definitions: Default HTTP proxy settings

This information describes each option in this section.
  Proxy server: Enter the proxy server address.
  Proxy port: Enter the port used to transfer updates over HTTP. By default, this is port 80.
  Proxy username: Enter the username used to log on to the proxy server.
  Proxy password: Enter the password used to log on to the proxy server.

Option definitions: Default FTP proxy settings

This information describes each option in this section.
  Proxy server: Enter the proxy server address.
  Proxy port: Enter the port used to transfer updates over FTP. By default, this is port 21.
  Proxy username: Enter the username used to log on to the proxy server.
  Proxy password: Enter the password used to log on to the proxy server.

Option definitions: Default remote backup settings

This information describes each option in this section.
  Transfer to FTP Server: Selected by default. Specify:
    - Server
    - Port
    - Directory
    - Username (default value is anonymous)
    - Password (default value is anonymous)
    - Proxy server
    - Proxy port
    - Proxy username
    - Proxy password
  Transfer via SSH: Click to specify the settings to transfer the backup using SSH:
    - Server
    - Port
    - Directory
    - Username (default value is anonymous)
    - Password Authentication / Password (default value is anonymous)
    - Public Key Authentication / Public key (links to the public key)

If you use either FTP or SSH with password authentication, your passwords are stored in the appliance configuration files in plain text. The most secure option is to use SSH with public key authentication. To use this feature, you must click the link to generate a key file, which you must then copy and paste into your authorized keys file so that the appliance can perform the backup.

System Administration

The System Administration pages provide the features you need to set up and maintain your McAfee Gateway.

System | System Administration

From these pages you can back up and restore your configurations, push configurations from one appliance to others, and set up cluster management for your groups of McAfee Gateway appliances. You can also carry out database maintenance and access the rescue image features for your appliance. Use the System Administration pages to access the system commands for shutting down and rebooting your McAfee Gateway.

Contents
- Configuration Management
- Configuration Push
- Cluster Management
- Option definitions: MAC Addresses
- Resilient Mode
- Configure Automatic Configuration Backups wizard
- Database Maintenance

- Rescue Image
- System Commands

Configuration Management

Use this page to back up and restore the information about the appliance's configuration.

System | System Administration | Configuration Management

The page contains these sections:
- Backup Configuration
- Restore Configuration
- Configuration Report
- Review Configuration Changes

Benefits of backing up and restoring configuration

Use this page to create immediate and automatic backups of a configuration file, and to produce configuration reports. You can copy the configuration from one appliance to another, or use the backup copy to restore your appliance to former settings.

Option definitions: Configuration Management

This information describes each option on this page.

Backup Configuration
  Backup Configuration: When clicked, puts all the appliance's configuration settings into a file, and allows you to download the file. You can safely store configuration details about the appliance offline, and restore that information later if the original appliance fails. The system configuration files are saved to a .zip file, which contains mainly XML files and associated DTD files. The .zip file size is typically less than 1 MB.
  Save the config: When clicked, allows you to download the configuration file. The link is active only after the configuration file has been generated.
  Include the Data Loss Prevention database: When selected, automatically includes information in the backup file about any DLP categories and file fingerprints. To find the contents of the DLP database, go to DLP and Compliance. Selecting this option uses large amounts of disk space.
  Include TLS certificates and private keys: When selected, includes information in the backup file about any digital certificates and private keys that are stored on the appliance. You need to consider the security of your private keys. To find the certificates, go to Certificate Management | Certificates | TLS Certificates and Keys. By default, the TLS certificates and private keys are not encrypted when stored in the backup file.

  Encrypt private keys: When Include TLS certificates and private keys is selected, choose to encrypt the private keys. You will need to specify the Passphrase.
  Include Hybrid configuration: When selected, includes information in the backup file about any digital certificates and private keys relating to the Hybrid implementation that are stored on the appliance. The Hybrid private key is not encrypted when stored in the backup file.
  Include Secure Web Mail user and system data: When selected, includes information in the backup file about any public certificates and private keys, as well as configuration details for each domain and each user configured for Secure Web Mail. Email messages are not included in the configuration backup.
  Enable automatic backup: When selected, configuration backups are made periodically and sent to a server whose details you can specify. If no server is configured already, the Configure Automatic Configuration Backups wizard starts. Otherwise, click the link next to Backup Scheduled to specify the server. When enabled, you can select the following options:
    - Include the Data Loss Prevention database
    - Include TLS certificates and private keys
    - Include Secure Web Mail user and system data
    - Include Hybrid configuration
    - Automatically backup when you apply configuration
  Backup scheduled: Click to open the Configure Automatic Configuration Backups wizard.

Table 5-6 Option definitions: Restore Configuration
  Restore From File: When clicked, imports configuration settings from a backup file. You can choose which details you need. If the file came from an earlier version of the software, some details are not available.

Table 5-7 Option definitions: Configuration Report
  Produce Report: Create an online report that details changes and settings in each area of the appliance configuration and status pages.
  View the report: View the online report generated using the Produce Report button.
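With the default settings a backup archive can carry TLS private keys in clear text, and an FTP or SSH-password backup server leaves its password in the configuration files in plain text, so it is worth checking an archive before it leaves the appliance. The following Python script is an added example, not part of the product: it opens a backup .zip, reports PEM private keys that carry no encryption marker, and reports non-empty password elements. The sample archive it builds, its file names and the `<password>` element name are constructed for the example; the real archive layout is not described on this page beyond "XML and DTD files".

```python
import io
import re
import zipfile

# PEM private key block, with or without an encryption marker.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# PKCS#8 encrypted keys and legacy PEM keys encrypted with a Proc-Type header.
ENCRYPTED_RE = re.compile(rb"-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED")
# Assumed element name for a stored password; adjust to the real schema.
PLAINTEXT_PASSWORD_RE = re.compile(rb"<password>([^<]*)</password>", re.IGNORECASE)


def build_sample_backup() -> bytes:
    """Constructed stand-in for a configuration backup archive (not a real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/network.xml",
                    b"<network><hostname>mail-gw</hostname></network>")
        zf.writestr("config/backup.xml",
                    b"<backup><server>ftp.example.test</server>"
                    b"<password>hunter2</password></backup>")
        zf.writestr("tls/server.key",
                    b"-----BEGIN RSA PRIVATE KEY-----\n"
                    b"MIIE...constructed...\n"
                    b"-----END RSA PRIVATE KEY-----\n")
        zf.writestr("tls/hybrid.key",
                    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                    b"MIIF...constructed...\n"
                    b"-----END ENCRYPTED PRIVATE KEY-----\n")
    return buf.getvalue()


def audit_backup(zip_bytes: bytes) -> dict:
    """Classify every member of the archive; returns lists of member names per finding."""
    findings = {
        "plaintext_private_keys": [],   # should be empty if Encrypt private keys was set
        "encrypted_private_keys": [],
        "plaintext_passwords": [],      # FTP / SSH password authentication leaves these
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if PRIVATE_KEY_RE.search(data):
                if ENCRYPTED_RE.search(data):
                    findings["encrypted_private_keys"].append(name)
                else:
                    findings["plaintext_private_keys"].append(name)
            if any(m.group(1).strip() for m in PLAINTEXT_PASSWORD_RE.finditer(data)):
                findings["plaintext_passwords"].append(name)
    return findings


def backup_is_safe_to_export(findings: dict) -> bool:
    """True only when no clear-text key or password was found."""
    return not findings["plaintext_private_keys"] and not findings["plaintext_passwords"]


if __name__ == "__main__":
    result = audit_backup(build_sample_backup())
    for kind, members in result.items():
        print(f"{kind}: {members}")
    print("safe to export:", backup_is_safe_to_export(result))
```

Run it against a real archive by passing the file's bytes to audit_backup; the sample archive deliberately trips both checks.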

Table 5-8 Option definitions: Review Configuration Changes
  Review Configuration Changes: Displays details of changes made to the appliance.
    - Date: The date and time that the configuration change was made.
    - Comment: The comment is generated automatically by the appliance, or is the text typed at the Configuration change comment window seen after clicking the green checkmark.
    - Client IP address: The default value is (or home).
    - User: This is typically admin or other users. To see the list of users, select System | Users | Users and Roles in the navigation bar.
    - Session: A PID is a number that identifies a process.
  Show Differences: Select more than one configuration change, and click to display the files that have been changed. Select a file, and click Show Difference to display the configuration differences between them in code view.
  Rollback Changes: Select a configuration change, and click to select the values to restore. Secure Web Mail user and system data configuration changes are not rolled back.

Configuration Push

Use this page to copy the settings on one appliance to other appliances.

System | System Administration | Configuration Push

Parameters that are not pushed to other appliances

The following configuration parameters are not pushed to the other appliances:
- Network settings:
  - Hostname and domain name
  - Default routes
  - IP addresses
  - Ethernet settings such as MTU and duplex
  - Appliance operating mode: explicit proxy, transparent bridge, transparent router
  - Spanning tree protocol settings (transparent bridge mode only)
  - DNS server addresses
  - DHCP server settings (applies to cluster configurations)
  - Load balancing settings
  - Static routes
  - Proxy settings
- Remote Access Card settings:
  - IP address(es) assigned to DRAC

- Management port settings:
  - Whether out-of-band management is enabled (IP address, driver)

Benefits of pushing a configuration

This information describes the benefits of pushing a configuration onto another appliance. If you manage multiple appliances, you can give all of your appliances the same settings by pushing configuration from one to another. This can be further automated using one of the following methods:
- Automatic configuration push
- Scheduled configuration push

Option definitions: Configuration Push

This information describes each option on this page.

Table 5-9 Option definitions: Managed Appliance List
  Hostname/Address: Displays the IP address of this appliance.
  Push enabled: Check this option to allow configurations to be pushed to this appliance either automatically or via a schedule.
  Platform: Displays information about the appliance.
  Last Push: Displays when you last pushed a configuration file to another appliance.
  Update Progress: Displays the status of the configuration update; it is updated every two seconds.
  Add Appliance / Remove Appliance: Add or remove an appliance from the Managed Appliance List.
  Refresh: Refresh the Managed Appliance List after adding or removing an appliance.
  Apply Configuration to enabled appliances: When clicked, sends the settings to the other appliances in the list that have been enabled (see Push enabled above).
  Apply Configuration to selected appliances: When clicked, sends the settings to the appliances in the list that have been selected.

Table 5-10 Option definitions: Configuration push settings
  Username to use for push: Use this username when pushing configuration to the remote appliances.
  Password to use for push: Use this password when pushing configuration to the remote appliances. This password will be stored in plaintext within the configuration.

Table 5-10 Option definitions: Configuration push settings (continued)
  Advanced settings: By changing the following, it is possible to alter the settings that will be pushed across to the other appliances in the Managed Appliance List. If the checkbox is checked, the settings will be pushed to the remote appliances. These options apply when performing a push by clicking the button in the user interface, and when performing the automatic/scheduled configuration pushes.
    - Push the configuration push setting and the managed appliance list: Push the managed appliance list and configuration push settings. Do not use this option if you have chosen to automatically push configuration changes.
    - Push Secure Web Mail user and system data: If you have Secure Web Mail configured, select this option to push the user and system data.
    - Push the SNMP monitor name: Push appliance-specific settings, for example, the SNMP monitor name.
    - Push the MQM settings: Push the Quarantine Manager system identifier.
    - Push the UPS settings: Push the details of any UPS systems attached to the appliance.
    - Push your TLS certificates and private keys: Push the certificates and private keys used by your appliance to allow TLS connections.
    - Push Hybrid configuration: Push configuration settings that enable your McAfee Gateway to operate as a hybrid solution with the SaaS service.
  Automatic Configuration push: Check this to automatically push configurations to other appliances each time you apply configuration changes to this appliance.
  Scheduled Configuration push: Specify how often you want this appliance to carry out a scheduled configuration push. The options are: Never, Hourly, Daily, Weekly.

Cluster Management

Use this page to specify the cluster and load balancing requirements for the McAfee Gateway when acting as part of a cluster.

System | System Administration | Cluster Management

When configuring a group of appliances or a McAfee Content Security Blade Server, the current master uses a "least used" algorithm to assign connections to the appliances or blades configured to scan traffic. The scanning appliance or blade that is currently showing the least number of connections, at that moment in time, is assigned the next connection. For a cluster of appliances:

- If you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning.
- If you have scanning appliances, and scanning enabled on the master and failover, then the scanning appliances will receive the most traffic to scan, then the failover, with the master receiving the least.
- If you have more than three appliances in a cluster, McAfee recommends that you do not enable scanning on the master appliance.

You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to scan traffic.

McAfee recommends that when using your appliance in a cluster environment, you use McAfee Quarantine Manager to quarantine messages.

Benefits of configuring Cluster Management

This information describes the benefits of configuring Cluster Management. By configuring Cluster Management, you enable a group of McAfee Gateway appliances, or the individual blades within a McAfee Content Security Blade Server, to function as a single scanning system. Additionally, by setting the cluster features, you are also providing redundancy in the event of hardware failure: by configuring a master and a failover master appliance, and also by having several scanning appliances (or blades), your traffic can still be scanned in the event of a single appliance or blade failing.

Option definitions: Cluster Management

This information describes the options available in this section. The content of this page can vary. Depending on the chosen cluster mode, some of the options are not available.

Option definitions: Cluster Mode
  Cluster mode: Specifies the clustering mode of the appliance:
    - Off: This is a standard appliance.
    - Cluster Scanner: The appliance receives its scanning workload from a master appliance.
    - Cluster Master: The appliance controls the scanning workload for several other appliances.
    - Cluster Failover: If the master fails, this appliance controls the scanning workload instead.
  For a McAfee Content Security Blade Server, this specifies the type of blade as follows:
    - Cluster Master: The master management blade controls the scanning workload for several scanning blades.
    - Cluster Failover: If the master management blade fails, this failover management blade controls the scanning workload instead.
  DHCP address range (Content Security Blade Servers only): The management blade is responsible for issuing IP addresses to any attached scanning blades via DHCP (Dynamic Host Configuration Protocol). Specify the range of addresses that will be issued to scanning blades. The DHCP range is limited to a single subnet. The permissible range for the starting address is while that for the ending address is

Option definitions: Cluster Configuration
  Cluster identifier: If you have more than one McAfee Gateway cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is
  Address to use for load balancing: Specify the IP address used for load balancing within the cluster.
  Enable scanning on this appliance (not applicable on Content Security Blade Servers): If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master will send most connections to the failover appliance for scanning.
  Configure New Management Device (Content Security Blade Server only): Clicking this button allows you to configure another blade as a management blade. The available options are:
    - Configure next device: the next blade that is PXE booted will be imaged as a management blade.
    - A device with the following MAC address: when the blade with the MAC address you specify is PXE booted, it will be imaged as a management blade. Once the chosen blade is imaged as a management blade, this option is reset.

Option definitions: Advanced scanning device settings

Use this area for fine-grained control of attached scanning devices. You can also configure the devices to share hard disk space for the storage of Secure Web Mail messages. Devices in a cluster are identified by their MAC (Media Access Control) addresses. When you add a MAC address to the table, you may opt to disable it, meaning that scanning requests will not be sent to the device, and to share hard disk space.
  MAC Address: Specifies the device's Media Access Control (MAC) address as 12 hexadecimal digits in the format A1:B2:C3:D4:E5:F6.
  Disabled: Select to remove this device from the pool of scanning devices.
  Encryption Storage: If the scanning device is in a ready state, you can choose to include the device in the Encryption Storage pool.
  Add MAC Address: Click to add the MAC address of a new device.
  Manage MAC Addresses: Opens the MAC Addresses dialog box that enables you to manage the list of available MAC addresses.

Although you can add the MAC addresses of management and failover devices to this table, they always contribute hard disk space for Secure Web Mail messages and cannot be disabled.

Network Interfaces Wizard: Cluster Management

Use the Network Interfaces Wizard to specify the IP addresses and adapter settings for setting up clusters of appliances.

System | System Administration | Cluster Management | Network Interfaces Wizard
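The "least used" assignment described under Cluster Management, and the Disabled, ready-state and master/failover rules of the MAC address table above, can be modelled in a few lines. The following Python model is an added example, not the appliance's own code: the real master's tie-breaking, any weighting between roles, and the reason the master favours the failover are not documented on this page, so ties here simply fall to table order. The four-device cluster in example_cluster and its MAC addresses are constructed.

```python
import re
from dataclasses import dataclass

# MAC address as 12 hexadecimal digits in the A1:B2:C3:D4:E5:F6 form used by the table.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class ScanDevice:
    mac: str                 # identifies the device, as in the MAC Address column
    role: str                # "master", "failover" or "scanner"
    disabled: bool = False   # the Disabled column: removed from the scanning pool
    ready: bool = True       # a device must be in a ready state to be given work
    active: int = 0          # connections currently assigned and not yet released


class LeastUsedMaster:
    """Gives each new connection to the eligible device with the fewest active connections."""

    def __init__(self, devices, scan_on_master=False):
        for d in devices:
            if not MAC_RE.match(d.mac):
                raise ValueError(f"malformed MAC address: {d.mac}")
            # Management and failover devices cannot be disabled (see the note above).
            if d.disabled and d.role in ("master", "failover"):
                raise ValueError(f"{d.role} device {d.mac} cannot be disabled")
        self.devices = {d.mac: d for d in devices}
        # "Enable scanning on this appliance" on the master; the page recommends
        # leaving it off for clusters of more than three appliances.
        self.scan_on_master = scan_on_master

    def eligible(self):
        """Devices that may receive scanning requests right now."""
        return [d for d in self.devices.values()
                if d.ready and not d.disabled
                and (d.role != "master" or self.scan_on_master)]

    def assign(self) -> str:
        """Return the MAC of the device that takes the next connection."""
        pool = self.eligible()
        if not pool:
            raise RuntimeError("no scanning device available")
        # min() keeps the first of equally loaded devices, so table order decides ties.
        target = min(pool, key=lambda d: d.active)
        target.active += 1
        return target.mac

    def release(self, mac: str) -> None:
        """A scan finished on that device: free one connection slot."""
        dev = self.devices[mac]
        if dev.active == 0:
            raise ValueError(f"{mac} has no active connections")
        dev.active -= 1

    def encryption_storage_candidates(self):
        """Devices that may join the Encryption Storage pool: ready scanning devices,
        plus management and failover devices, which always contribute disk space."""
        return sorted(d.mac for d in self.devices.values()
                      if d.role in ("master", "failover") or d.ready)


def example_cluster() -> LeastUsedMaster:
    """Constructed cluster: master (not scanning), failover, one scanner, one disabled scanner."""
    return LeastUsedMaster([
        ScanDevice("00:11:22:33:44:01", "master"),
        ScanDevice("00:11:22:33:44:02", "failover"),
        ScanDevice("00:11:22:33:44:03", "scanner"),
        ScanDevice("00:11:22:33:44:04", "scanner", disabled=True),
    ])


if __name__ == "__main__":
    m = example_cluster()
    print("assignment order:", [m.assign() for _ in range(4)])
    print("encryption storage candidates:", m.encryption_storage_candidates())
```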

This wizard steps you through the process of configuring the network interfaces when configuring your appliance as part of a cluster. The options that are displayed as you progress through the wizard depend on the operating mode and other selections that you make. This means that you may not see all the controls and fields detailed in this topic.

Table 5-11 Option definitions: Operating Mode
  Select operating mode: Select the mode of operation for the cluster of appliances, or for your McAfee Content Security Blade Server. When configuring a cluster in either explicit proxy mode or transparent router mode, you need to configure a virtual IP address that is on the same subnet as both the real IP addresses for the master and the failover appliances. This ensures that traffic is directed to whichever appliance is currently acting as the master appliance.

Network Interface 1 or Network Interface 2

Network Interface 2 is not shown if you select explicit proxy as your operating mode.

Table 5-12 Option definitions
  IP Address: Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance's network ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases. You must have at least one IP address in both Network Interface 1 and Network Interface 2. However, you can deselect the Enabled option next to any IP addresses that you do not wish to listen on.
  Network Mask: Specifies the network mask. In IPv4, you can use a full network mask or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
  Enabled: When selected, the appliance accepts connections on the IP address.
  Virtual: When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server.

Table 5-12 Option definitions (continued)
  New Address / Delete Selected Address: Add a new address, or remove a selected IP address.
  NIC 1 Adapter options or NIC 2 Adapter options: Expand to set the following options:
    - MTU size: specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
    - Autonegotiation state: either On, which allows the appliance to negotiate the speed and duplex state for communicating with other network devices, or Off, which allows you to select the speed and duplex state.
    - Connection speed: provides a range of speeds. The default value is 100MB.
    - Duplex state: provides duplex states. The default value is Full duplex.
  Enable IPv6 auto configuration: Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next-hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in transparent router mode, is part of a cluster configuration, or is running as part of a Blade Server installation.

Option definitions: MAC Addresses

Add and remove multiple MAC addresses for other appliances within the cluster or blade server.
  Attached devices: This section contains a list of devices that are currently members of the cluster. Each device is identified by its MAC address and hostname, and you can check the items that you want to be included in the MAC address table. If you are setting up your cluster, this section will be empty.
  Unknown devices (not available from within the Setup Wizard): This section contains a list of MAC addresses that are not currently in the cluster. Only the MAC address is shown, since the device is unrecognized. If you are setting up your cluster, all MAC addresses will appear in this section. If the cluster has already been configured, a device may be unknown because the appliance is currently unreachable over the network. You can check the items that you want to be removed from the MAC address table.

  Additional devices: This section offers a convenient way of adding the MAC addresses of devices that you intend to add to the cluster at a future time. You may enter any number of addresses separated by spaces. You will not be able to configure the Encryption Storage option for these unless they are the addresses of devices that are currently members of the cluster.
  Lock DHCP server to MAC addresses (Content Security Blade Servers only): Check this option to prevent the management blade from acknowledging DHCP requests sent by arbitrary hosts on its network. If selected, you should add the MAC addresses of all scanning blades that you intend adding to your cluster to the MAC address table. Failing to do this will prevent a scanning blade from acquiring the correct IP address.

Since the state of the cluster updates periodically, it is possible for a device to move from the Unknown section to the Attached section (or vice versa) while you are working in this dialog. This may happen if a device has just rebooted, for example.

Resilient Mode

Use this page of the user interface to enable resilient mode on your blade server.

System | System Administration | Cluster Management | Resilient Mode

This page only applies to the McAfee Content Security Blade Server.

Benefits of setting up resilient mode

This information describes the benefits associated with setting up resilient mode. In resilient mode, all connections between your network and the McAfee Content Security Blade Server, and also the connections within the blade server enclosure, are made in such a way that multiple paths are used. These multiple pathways provide enhanced resiliency to the failure of any one component, either within the blade server or among the network devices or cabling needed to route traffic between your network and the blade server.

Option definitions: Resilient Mode

This information describes the options available on this page.
  Enable Resilient Mode: Within this area, you can check the current status regarding resiliency of your blade server. You can also enable or disable resilient mode. Ensure that you have downloaded the chassis configuration files before enabling resilient mode. After clicking Enable Resilient Mode or Disable Resilient Mode, and clicking OK on the warning dialog box, your blade server will automatically be shut down, allowing you to make the required cabling changes.
  Configuration Files: From the user interface, you can view or download the interconnect configuration files for both resilient and non-resilient mode operation for all the interconnects. To download all the configuration files, click interconnect_config.zip, as this file contains all the other configuration files.

Configure Automatic Configuration Backups wizard

This information describes the Configure Automatic Configuration Backups wizard.

System | System Administration | Configuration Management | Automatic configuration backup

Benefits of the Configure Automatic Configuration Backups wizard

Use this information to understand the benefits of using automatic configuration backups, and of using the wizard provided to configure them.

Option definitions: Default remote backup settings
This information describes each option in this section.

Transfer to FTP Server: Selected by default. Specify:
  Server
  Port
  Directory
  Username (default value is anonymous)
  Password (default value is anonymous)
  Proxy server
  Proxy port
  Proxy username
  Proxy password

Transfer via SSH: Click to specify the settings to transfer the backup using SSH:
  Server
  Port
  Directory
  Username (default value is anonymous)
  Password Authentication / Password (default value is anonymous)
  Public Key Authentication / Public key (links to the public key)

If you use either FTP or SSH with password authentication, your passwords are stored in the appliance configuration files in plain text. The most secure option is to use SSH with public key authentication. To use this feature, click the link to generate a key file, then copy and paste the key into the authorized keys file on the backup server so that the appliance can perform the backup.

Option definitions: Configure Updates (Time)
Use this page to schedule automatic configuration backups, and to set up scheduled updates to the detection definition (DAT) files, anti-spam rules, and software packages.

System | Component Management | Update Status
System | System Administration | Configuration Management
System | Logging, Alerting and SNMP | System Log Settings

Introduction to Scheduled update settings
You can schedule updates for the following components:
  Automatic configuration backups
  Spam rules and anti-spam engine
  System Log
  Appliance software updates (HotFixes and patches)
  Anti-virus engine and database

McAfee recommends that you update all scanning components on a new appliance using the Update Now feature, then use the Schedule feature for each component to create regular updates at a time when traffic is low, such as during the night.
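The public key step above is where the backup server's administrator decides what that key may do. As an added example (not McAfee's code), this Python snippet turns the appliance's generated public key line into a restricted authorized_keys entry and refuses weak key types; it assumes the key file is in the usual OpenSSH "<type> <base64> [comment]" form and that the appliance connects from one fixed address.

```python
"""Install the appliance's backup public key on the SSH server with restrictions.

Added example, not McAfee code. It assumes the backup account should accept
this key only from the appliance's fixed address and only for file transfer,
which OpenSSH expresses with the from= and restrict authorized_keys options
(restrict disables pty, forwarding and rc; scp and sftp still work). Weak
key types are refused before the line is produced.
"""
import base64
import struct
from typing import Tuple


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field of an SSH wire-format public key."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def decode_key_line(line: str) -> Tuple[str, bytes, str]:
    """Split "<type> <base64> [comment]" and check the blob matches the type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    wire_type, _ = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type does not match the encoded key")
    comment = fields[2] if len(fields) > 2 else ""
    return key_type, blob, comment


def rsa_bits(blob: bytes) -> int:
    """Modulus size in bits of an ssh-rsa blob (type, exponent, modulus)."""
    _type, off = _read_string(blob, 0)
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()


def restricted_authorized_key(pubkey_line: str, appliance_ip: str,
                              min_rsa_bits: int = 2048) -> str:
    """Return the authorized_keys line to paste on the backup server."""
    key_type, blob, comment = decode_key_line(pubkey_line)
    if key_type == "ssh-dss":
        raise ValueError("ssh-dss keys are not accepted for the backup account")
    if key_type == "ssh-rsa" and rsa_bits(blob) < min_rsa_bits:
        raise ValueError(f"RSA key is shorter than {min_rsa_bits} bits")
    b64 = base64.b64encode(blob).decode()
    label = comment or "mcafee-email-gateway-backup"
    return f'from="{appliance_ip}",restrict {key_type} {b64} {label}'


def constructed_rsa_pubkey(bits: int) -> str:
    """A syntactically valid ssh-rsa line with a made-up modulus of `bits` bits.

    Constructed sample input for this example only; it is not a usable key.
    """
    def mpint(n: int) -> bytes:
        # one extra byte when the top bit is set keeps the mpint positive
        raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(raw)) + raw
    modulus = (1 << (bits - 1)) | 1     # exactly `bits` bits, odd
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode()
```

Append the returned line to the backup account's authorized_keys file; the from= address should be the appliance's management address as seen by the backup server.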

Hourly to Weekly: Specifies the schedule. If you do not need this feature, select Never.
Next / Finish: Moves to the next page of the wizard, or closes it and applies the settings.

Option definitions: Test Configuration
This information describes the options available on this page of the wizard.

Test: Checks that the backup configuration works, and provides the desired information.

Database Maintenance
Use this page to manage the number of events contained in the reporting database and the number of items identified using the Message Search feature, and to enable external devices to access information about events via SQL.

System | System Administration | Database Maintenance

The page has these sections:
  Retention Limits
  Event Options
  External Access
  Maintenance

Benefits of the database maintenance options
This information describes the benefits of the database maintenance options. Over time, databases tend to increase in size, consuming available resources and becoming slower to access, whether to save information or to run reports. Regular maintenance of databases helps to avoid these problems.

Retention Limits
The appliance uses information from this database to display the reports that you can view from Reports on the navigation bar. Information about earlier events is removed periodically. Retention limits depend on the type of hardware and the size of the appliance hard disk. McAfee recommends that you do not change these values unless directed to do so by your McAfee Support representative.

Event Options
You can choose the following options relating to information about events:
  Insert events into the database. Doing this can provide useful information in reports, but increases the amount of data that is written to, or read from, the database.
  Insert only primary events into the database. Allows only the most important event data to be logged to the database.
  Pass on events to the logging channels. Select to allow data about events to be available to the other logging methods available from the appliance.

External Access
External access to a limited set of views in the reports database on an appliance can be configured.
  Enable off-box SQL access. Select to allow access to the appliance's database.
  Enable external database access for this address range. Limit the systems that can access the external database to machines within a specified IP address range.
  Allow external database access to user. Select the level of user that can configure external database access.
  Set Reporting Password. Secure the access to the database.

Maintenance
When run, the maintenance tasks trim the contents of the reporting database and the items identified using the Message Search feature according to the settings in the Retention Limits area. McAfee recommends that you clean up the reporting database and message search items regularly to prevent the database from becoming too large.

Option definitions: Retention Limits
Use this area to set the limits on the maximum time or number of reporting or message items retained within the database. Retention limits depend on the appliance model, the type of hardware, and the amount of appliance hard disk space. McAfee recommends that you do not change these values unless directed to do so by your McAfee Support representative.

Events: Items shown in the reporting database. Refer to the user interface for these retention limits.
Quarantined emails: Maximum number or length of time that messages can be held in the quarantine database. Refer to the user interface for these retention limits.
Delivery status (delivered, blocked, bounced): Maximum number or length of time that delivered, blocked, or bounced messages can be stored in the database for use by the Message Search feature. Refer to the user interface for these retention limits.

Option definitions: Event Options
Use this area to define the events that are stored in the database.

Insert events into the database: Select to add information about reporting events to the database. Be aware that the database can fill quickly when reporting events are stored. McAfee recommends that Content Security Blade Server users use the off-box syslog feature for reporting events and deselect this option.
Insert only primary events into the database: Select to add information only about primary reporting events, such as virus detections, to the database. A message that triggers both a virus and a spam "hit" is logged twice in the database. If you deselect this option, only the detection that caused the primary action on the message is logged in the database.
Pass on events to the logging channels: Select to allow events to be passed to the logging channels from logging and alerting sources such as syslog, SNMP, and detections.

Option definitions: External Access
Use this area to configure your appliance to allow limited access from an off-box SQL client to view information about detections and configuration change events, stored in three separate views.

Enable off-box SQL access: Select to allow an off-box SQL client to access the appliance.
Allow external database access for this address range: Define the address and subnet mask for the external hosts to which you want to allow access.
Allow external database access to user: Define the user that the external client uses to log into the appliance. This is set to reporter by default.
Set Reporting Password: Define the password that the external database client uses to log into the appliance. This is set to reports by default.

Option definitions: Maintenance
Use this area to configure the frequency of database maintenance tasks, and to manually trigger these tasks on the appliance.

Maintenance schedule: Select the frequency at which the appliance carries out database maintenance tasks. The default is every 30 minutes.
Reset Database: Enter the password and then click Reset Database to return the database to its default state. All information within the database will be lost.
Maintain Database: Click to manually start the database maintenance tasks that otherwise run every X minutes. The tasks check whether items in the reporting database, or items identified using the Message Search feature, have reached the retention limit that you set.

Task: View information about detections from an off-box client using Postgres' psql
Use this task to view information about detections from an off-box client using the Postgres psql interactive application.

Task
1 Open the command line on the computer from which you want to view the database.
2 Type psql -U <username> -d reports -h <host address> and press the Enter key.
3 Type the password for the user to whom you gave access.
4 Press the Enter key to see the list of report views that you have available. Choose from: _details Configuration_change_view.
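Before enabling off-box SQL access, the address range and the reporting password above are the settings worth checking. The following Python audit is an added example, not McAfee code; it models those settings as a plain dict with constructed key names and treats anything wider than a /24 as too broad, which is this example's own threshold.

```python
"""Audit the External Access settings before exposing the reports database.

Added example, not McAfee code. The settings are modelled as a dict keyed by
constructed names that mirror the options on this page; the default user
"reporter", the default password "reports" and the database name "reports"
come from the guide, while the host-count threshold is this example's own
assumption, not a product limit.
"""
import ipaddress
from typing import List

DEFAULT_REPORTING_USER = "reporter"
DEFAULT_REPORTING_PASSWORD = "reports"
MAX_ALLOWED_HOSTS = 256   # assumption: never expose the views beyond one /24


def audit_external_access(settings: dict) -> List[str]:
    """Return findings for the off-box SQL access configuration.

    Expected keys: enable_offbox_sql_access (bool), address and subnet_mask
    (dotted strings), user, reporting_password. An empty list means the
    configuration is acceptable under the rules above.
    """
    findings = []
    if not settings.get("enable_offbox_sql_access", False):
        return findings   # nothing is reachable from outside the appliance

    try:
        allowed = ipaddress.ip_network(
            f"{settings.get('address', '')}/{settings.get('subnet_mask', '')}",
            strict=False)
    except ValueError:
        findings.append("address range is not a valid address and subnet mask")
    else:
        if allowed.num_addresses > MAX_ALLOWED_HOSTS:
            findings.append(
                f"address range {allowed} admits {allowed.num_addresses} hosts; "
                "restrict it to the reporting clients")

    password = settings.get("reporting_password", "")
    if password in ("", DEFAULT_REPORTING_PASSWORD):
        findings.append('reporting password is empty or still the default "reports"')
    return findings


def psql_command(settings: dict, host: str) -> List[str]:
    """argv for the psql connection described in the task on this page."""
    user = settings.get("user", DEFAULT_REPORTING_USER)
    return ["psql", "-U", user, "-d", "reports", "-h", host]
```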

Rescue Image
Use this section to force the McAfee Email Gateway to boot from a rescue image stored on a protected partition on the hard disk. You can also manage your rescue images and create a bootable USB drive containing the rescue image from here.

System | System Administration | Rescue Image

You can store a rescue image:
  On a protected partition on the appliance's hard disk
  On a USB drive:
    attached to one of the external USB connectors on the appliance
    mounted internally within the appliance, if you have fitted an optional internal USB drive to your appliance. (Applies to appliances based on the Dell R610 hardware only.)

Creating a bootable rescue image on a USB drive will result in the loss of all files located on the USB device.

To prevent tampering or accidental stopping, you must type the appliance password to operate these features.

Benefits of using the internal rescue image features
Use this page to force the appliance to boot from a rescue image stored on a protected partition on the hard disk. You can also manage your rescue images and create a bootable USB drive containing the rescue image from here.

When managing your Email Gateway appliances, having the image for each appliance stored on a protected partition on the hard disk or USB drive of each appliance enables you to remotely reimage your appliances without needing to locate a CD containing the correct version of the software. The rescue image removes the need for remote access cards to be fitted to your appliance (if you have suitable appliance models) in order for the appliances to be reimaged from a remote location.

By creating a library of stored rescue images on your local network or on a local FTP or HTTP server, you can use the rescue images to roll back your appliance to a previous .iso release of the software, or to upgrade to a newer version. You do this by importing the required image to the rescue partition on your appliance and then forcing your appliance to boot from the newly imported rescue image using the Perform a full installation overwriting existing data option. To roll back, use the option 2 or 3 settings; to upgrade, use the option 2, 3 or 4 settings.

Option definitions: Manage Internal Rescue Image
This information describes the options in this section.

Rescue image details: Provides details of the rescue image currently stored within the rescue partition of your appliance.
Force Boot from Rescue Image: Provides options to reboot your appliance from a rescue image:
  Boot to menu. If you select Boot to menu, ensure that you are either local to the appliance, or that you have access to the appliance using a DRAC card.
  Perform a full installation overwriting existing data
  Install software preserving configuration and messages
  Install software preserving network configuration only
  Install software preserving configuration only
Import Image: Browse to a rescue image stored on your local drive, and copy this image onto the rescue partition on your appliance.
Download Image from Server: Browse to a rescue image stored on a local FTP or HTTP server, and copy this image onto the rescue partition on your appliance.
Export Image: Save a rescue image to a file, or select a USB drive to create a bootable copy of the rescue image on the USB drive.
Refresh USB Device List: Click to refresh the USB devices shown in the drop-down list to the left of this option.
Burn Image to USB: Click to copy the rescue image onto a USB drive.

Task: Checking the current rescue image version
Use this task to verify the version of the currently stored rescue image. When you install a new version of the software (from an .iso image) onto your appliance, the system automatically loads this image to the rescue partition on the hard disk of the appliance.

Task
1 Click System | System Administration | Rescue Image.
2 Verify the version information displayed under Rescue image details, or from the About the Appliance window.

Task: Updating the rescue image held on the appliance's hard disk from a local network or drive
Use this task to update the rescue image on the appliance hard disk from a local drive. The software allows you to overwrite the rescue partition with a new image, without reinstalling the software. You can import an image from a local network or drive.

Task
1 Click System | System Administration | Rescue Image.
2 Click Import Image.
3 Browse to the relevant file.
4 Click OK.

Task: Updating the rescue image held on the appliance's hard disk from a local FTP or HTTP server
Use this task to update the rescue image from a local FTP or HTTP server without reinstalling the software. You can import an image from a local FTP or HTTP server.

Task
1 Click System | System Administration | Rescue Image.
2 Click Download Image from Server.
3 Specify the server settings and, if required, your proxy settings and passwords.
4 Click OK.
Your appliance saves these server and proxy settings.

Task: Installing from the rescue image on the appliance's hard disk
Use this task to install a rescue image on an appliance. When you have verified that you have the correct version of the rescue image stored on the protected partition of the appliance's hard disk, you can use this image to reimage your appliance.

Task
1 Click System | System Administration | Rescue Image.
2 Click Force Boot from Rescue Image.
3 Select from:
  Boot to menu. If you select Boot to menu, ensure that you are either local to the appliance, or that you have access to the appliance using a DRAC card.
  Perform a full installation overwriting existing data
  Perform a full installation overwriting existing data but preserving network settings
  If you select either of the full installation options, you will need to take further action to import saved configurations, or to reconfigure the appliance.
  Install software preserving configuration and messages
4 Enter the appliance password.
5 Click OK.
The appliance reboots, and uses the rescue image to reimage the appliance, using the installation options you selected.

Task: Export a rescue image to a USB drive
Use this task to export a rescue image to a USB drive.

Before you begin
To use an external USB drive, it must be connected to one of the USB connectors on the appliance.

To create an image on a USB drive, you can export the image to any suitable USB drive connected to your appliance. You cannot export a rescue image to a USB drive from the VMtrial version of the software. If you have fitted an optional internal USB drive to your appliance, you can select this USB drive. (Applies to appliances based on the Dell R610 hardware only.)

Task
1 Click System | System Administration | Rescue Image.
2 Click Refresh USB Device List.
3 Select the required USB device from the USB device drop-down list.
4 Click Burn Image to USB.
The rescue image is copied to the USB drive, overwriting any existing files, and creates a bootable image.

Task: Installing from the rescue image on the appliance USB drive
Use this task to install from the rescue image on the appliance USB drive. You can use the bootable rescue image stored on an external USB drive, or on an internal USB drive (hardware dependent), to reimage your appliance.

Task
1 Click System | System Administration | Rescue Image.
2 Ensure that the USB drive with the correct version of the rescue image is attached to your appliance.
3 Ensure that a monitor and keyboard are connected to the appliance.
4 Enter the appliance password into the text box next to Reboot Appliance in the System Commands section.
5 Click Reboot Appliance in the System Commands area.
6 As the appliance reboots, choose Boot Menu using the appliance's keyboard and monitor.
7 From the menu, select the USB drive to boot from.
The appliance reboots, and uses the rescue image found on the USB drive to reimage the appliance, using the installation options you select in the standard license and console displayed on the monitor connected to the appliance.

Task: Create a bootable USB drive rescue image without using the appliance
Use this task to create a bootable rescue image on a USB drive without using your appliance.

Before you begin
You need a computer that has Internet access, your McAfee Grant Number for your Email Gateway appliance, and third-party software that enables you to create a bootable image on a USB drive.

Task
1 Browse to the McAfee download site, and enter your Grant Number.
2 Download the .iso file for the version of the Email Gateway appliance software.
3 Create a bootable image on the USB drive from the downloaded file, using suitable system commands or disk imaging software.

System Commands
Use this page to safely turn off the appliance, reboot the appliance, or revert to factory default settings.

System | System Administration | System Commands

To prevent tampering or accidental stopping, you must type the password to operate these features.

Benefits of using the system commands
This information describes the benefits of using the system commands features. On occasion, you may need to shut down your appliance, perhaps due to work being carried out on your power distribution system, or changes to your network topology. You may also need to reboot the appliance, either as part of a software upgrade, or to restart all services. Occasionally, you may want to clear all configured options from your appliance, and revert to the factory default settings.

Option definitions: System Commands
This information describes each option in this section.

Shutdown Appliance: When clicked, turns off the power to the appliance, or takes the appliance to a state where you can safely turn off its power.
Reboot Appliance: When clicked, restarts the appliance.
Revert to Default Configuration: When clicked, restores all the original out-of-the-box settings to the appliance.

Task: Shutting down the appliance
Use this task to shut down the appliance.

Before you begin
Before shutting down the appliance, ensure that you have the relevant permissions and network outage plans in place. To prevent tampering or accidental stopping, you must type the password to operate this feature.

Task
1 Navigate to System | System Administration | System Commands.
2 Enter the system password next to the Shutdown Appliance button.
3 Click Shutdown Appliance.
The appliance commences its shutdown process, and will switch off in a few minutes.

Task: Rebooting the appliance
Use this task to restart the appliance.

Before you begin
Before rebooting your appliance, ensure that you have the relevant permissions and network outage plans in place. To prevent tampering or accidental stopping, you must type the password to operate this feature.

Task
1 Navigate to System | System Administration | System Commands.
2 Enter the system password next to the Reboot Appliance button.
3 Click Reboot Appliance.
The appliance commences its shutdown process, and reboots after about 5 minutes.

Task: Reverting to the default configuration
Use this task to reapply the default configuration to the appliance.

Before you begin
Before reverting to the factory default settings for your appliance, ensure that you have the relevant permissions and network outage plans in place. We recommend that you create a backup of your existing configuration before reverting to the factory settings. To prevent tampering or accidental stopping, you must type the password to operate this feature.

Task
1 Navigate to System | System Administration | System Commands.
2 Enter the system password next to the Revert to Default Configuration button.
3 Click Revert to Default Configuration. The appliance warns you that your settings will be overwritten and that you will be logged off.
4 Click OK to revert your configuration.

357 Overview of System menu Users 5

Users
The Users pages enable you to set up your users and roles, and perform session management tasks.

System | Users

From these pages you can configure the appliance to set up and administer your role-based user accounts to perform tasks such as viewing or managing reports, and managing email and system settings. Additionally, you can tell the appliance how you want to manage session timeouts, and whether you want your users to see your company usage policy as they log on. The policy notification text can be edited.

Contents
  Users and Roles
  Option definitions: New Role dialog box
  Option definitions: Role Details dialog box
  Password Management
  Login Services
  Add Login Services wizard
  Session Management
  DoD CAC Authentication
  Option definitions: CAC Certificate Attribute Mapping
  Option definitions: Custom Text dialog box
  Option definitions: User Details

Users and Roles
This information describes the benefits and features of the Users and Roles options.

System | Users | Users and Roles

Benefits of the Users and Roles options
This information describes the benefits of creating roles that have specific access and management rights associated with them. Use this feature to create accounts for users who can access the appliance, and assign each user account specific rights. Creating specific user roles allows you to define standard sets of access rights that can be assigned quickly and easily.

Option definitions: Users and Roles
This information describes the options available on this page.

Role: The name of the role. By default, the appliance comes with the following roles already created:
  Super Administrator has the ability to view and manage all aspects of the appliance's email and system settings.
  Email Administrator has the ability to view and manage all email-related configuration and reports settings.
  Reports Administrator has the ability to view and manage the reports settings.
Description: Contains any optional description text you entered when you created the role.
Edit: Click to open the Role Details dialog box and view the role's specifications. The Role Details dialog box is read-only and cannot be saved.
Delete: Removes the selected role from the list.
Add Role: Click to open the New Role dialog box.

Task: Control user access by role
Create a new user category for people who can only create and view reports on the appliance activity.

Task
1 Go to System | Users | Users and Roles.
2 Click Add User.
3 Type the Login ID name for this user.
4 Type the Full name for this user.
5 If required, add a description for this user.
6 From User role, select Reports Administrator.
7 From Account type, select Local user.
8 Enter a password for this user.
9 Confirm the password for this user.
10 Click OK.
The new user is created with the selected privileges.

Option definitions: New Role dialog box
This information describes the options available in this dialog box.

Role name / Description: Type the name of the new role, and optionally add a description to help you identify it in the User Roles list.
Privileges: Under the type of role that you want to create, select the privileges that you want to associate with it, for example, the right to view report results, or to set the data that the report contains. The following role types are available:
  General
  Dashboard
  Reporting and Queues
  Email Administration
  System Administration

Option definitions: Role Details dialog box
This information describes the options available in this dialog box.

Role name / Description: The name of the role you created.
Privileges: The access, management, and viewing rights associated with the role.
The information in this dialog box is based on the information you entered when you created the role. It is read-only, and cannot be saved.

Password Management
The Password Management page defines the complexity and change control that you want to apply to the passwords that can access the appliance.

System | Users | Password Management

The page has these sections:
  Password Complexity
  Password Change Control

Benefits of using complex passwords to access the appliance
Understand why correctly setting the end-user password complexity, frequency of change, and the change process is important in maintaining the security of McAfee Email Gateway. Using a suitable password ensures that the appliance cannot be accessed by people other than those authorized to do so. McAfee Email Gateway allows you to define a suitable end-user password policy, which includes specifying how complex you require the chosen passwords to be, how long each password is valid for, and the process required to update existing passwords. Rules for reuse and change frequency are only enforced when you set passwords to expire. If you choose not to use this feature, default passwords of eight characters can be specified.

A complex password is more secure than a very simple one, but is more likely to create a greater volume of "forgotten password" reset requests from your end users. Therefore, you need to decide the balance between complex passwords that are likely to generate many reset requests, and simpler passwords that will require less maintenance.

When a user changes their password, an expiry date is always set, even when password expiry is not enabled. This does not apply to resetting the password when the expiry date is set to 0 (zero). If the user changes the password while completing the Setup Wizard, enabling password expiry will not cause the password to expire.

If you set the reminder period to more than 0, the user starts to receive expiry reminders as the expiry date approaches. A password change is enforced at the login screen when the expiry time is reached.

If you set the minimum period between changes to more than 0, the user has to wait that many days before the password can be changed again, so that it cannot be immediately changed to be the same password that has been used for the past six months. The appliance maintains a history of the past ten passwords for each user, so any reuse policy can be applied retroactively.

When changing their password, a dialog box informs the user of the complexity constraints that are currently in force.

An administrator can still reset passwords for other users. The generated passwords will not necessarily meet the exact complexity requirements. If password expiry is in force, they will only be good for one login.

Option definitions: Password Management
Set the minimum number of alpha, digit, and special characters you want to include in each password, and how you want to manage password change control.

Password Complexity
Minimum length: Select the minimum length that you will allow for end-user passwords. Longer passwords are more secure, but may result in more calls to your support address as end users find them more difficult to remember.
Minimum number of ALPHA characters: Specify the minimum number of alphabetical characters to be used within end-user passwords. To increase security, you can also Require a mixture of upper and lowercase characters to be used. The more different types of characters that may be used within an end user's password, the more secure that password can be made.
Minimum number of DIGIT characters: Forcing your end users to use numbers within their passwords improves the security of the passwords. The more different types of characters that may be used within an end user's password, the more secure that password can be made.
Minimum number of SPECIAL characters: Forcing your end users to use special characters within their passwords improves the security of the passwords. Special characters are non-alphanumeric characters such as underscores (_), hyphens (-), and other punctuation.
Minimum difference from the previous password: Specify how different a new password must be from the existing password. This is based on the minimum number of characters that must change between the passwords. This option is case-sensitive, so changing the case of existing characters within the password is seen as a difference.

Password Change Control
Enable password expiry: Decide whether your end users will need to periodically renew their passwords. Specify the Password lifetime in days, and also the Grace period they are allowed after the Password lifetime, during which they are still allowed to log into the appliance, but are then forced to change their password.
Enable password expiry reminders: Choose whether you want your end users to be notified that their passwords are due to expire. Also, select the required Interval between reminders.
Number of recent passwords to disallow: Use this field to prevent end users from re-entering their previous passwords.
Minimum interval between password changes: Specify any limits you want to place on the frequency with which end users can change their passwords.

Login Services
Use the Login Services options to manage user authentication and authorization using either Kerberos or RADIUS authentication servers.

System | Users | Login Services

The gateway can integrate with any existing Kerberos or RADIUS authentication management system. Kerberos only provides password authentication, which means that you will need to define users on the gateway as well. The RADIUS service can be configured to handle user authorization as well as password authentication. This means that the gateway can link various attributes to specific roles to determine access privileges without having to define users on the gateway.

Contents
  Benefits of using the Login Services options
  Option definitions: Login Services

Benefits of using the Login Services options
This information describes the benefits of using the Login Services options. Login Services provides a single place for identity management on the gateway using either Kerberos or RADIUS authentication servers. For example, you can change information on the RADIUS server, such as passwords, without having to replicate the change on the gateway as well.

Option definitions: Login Services
This information describes the options available on this page. The information is populated by details that you specify in the Add Login Service wizard.

Service Name: The name for the service definition that you create in the Add Login Service wizard.
Service Type: Choose from either Kerberos authentication or RADIUS authentication.
Realm: An authentication realm, such as <companyname corp>.
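The Password Complexity and Password Change Control settings described above can be modelled to see how a candidate policy behaves before it is applied. This Python model is an added example, not McAfee code; it assumes that the minimum difference is counted as positions that differ and that a login after the grace period is refused, neither of which the guide states.

```python
"""Model of the Password Management rules described above.

Added example, not McAfee code. It reproduces the documented behaviour:
complexity minimums, the case-sensitive minimum difference, the ten-password
history, reuse and interval rules that apply only when expiry is enabled,
and the lifetime plus grace period. How "difference" is counted is not
stated in the guide; counting differing positions is an assumption here.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

HISTORY_SIZE = 10   # the appliance keeps the past ten passwords per user


@dataclass
class PasswordPolicy:
    min_length: int = 8
    min_alpha: int = 0
    min_digits: int = 0
    min_special: int = 0
    require_mixed_case: bool = False
    min_difference: int = 0        # characters that must change, case-sensitive
    expiry_enabled: bool = False
    lifetime_days: int = 0
    grace_days: int = 0
    recent_disallowed: int = 0     # enforced only when expiry is enabled
    min_interval_days: int = 0     # enforced only when expiry is enabled


@dataclass
class UserRecord:
    history: List[str] = field(default_factory=list)   # oldest first
    last_changed: Optional[date] = None
    expires: Optional[date] = None


def _difference(old: str, new: str) -> int:
    """Positions that differ (case-sensitive) plus any length difference."""
    changed = sum(1 for a, b in zip(old, new) if a != b)
    return changed + abs(len(old) - len(new))


def complexity_problems(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the complexity rules that the candidate password violates."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        problems.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    if sum(not c.isalnum() for c in password) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if policy.require_mixed_case and not (
            any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("must mix upper and lower case")
    return problems


def change_problems(policy: PasswordPolicy, record: UserRecord,
                    new_password: str, today: date) -> List[str]:
    """Return every rule that blocks changing to new_password today."""
    problems = complexity_problems(policy, new_password)
    if record.history and _difference(record.history[-1], new_password) < policy.min_difference:
        problems.append(f"fewer than {policy.min_difference} characters changed")
    if policy.expiry_enabled:   # reuse and frequency rules only apply when passwords expire
        recent = record.history[-policy.recent_disallowed:] if policy.recent_disallowed else []
        if new_password in recent:
            problems.append(f"one of the last {policy.recent_disallowed} passwords")
        if record.last_changed is not None and \
                (today - record.last_changed).days < policy.min_interval_days:
            problems.append(f"changed less than {policy.min_interval_days} day(s) ago")
    return problems


def apply_change(policy: PasswordPolicy, record: UserRecord,
                 new_password: str, today: date) -> UserRecord:
    """Record an accepted change; an expiry date is always set, per the guide."""
    history = (record.history + [new_password])[-HISTORY_SIZE:]
    expires = today + timedelta(days=policy.lifetime_days) if policy.lifetime_days else None
    return UserRecord(history=history, last_changed=today, expires=expires)


def login_state(policy: PasswordPolicy, record: UserRecord, today: date) -> str:
    """'ok', 'change_required' (past lifetime, inside grace) or 'expired'.

    The guide does not say what happens once the grace period has also
    passed; refusing the login ('expired') is this example's assumption.
    """
    if not policy.expiry_enabled or record.expires is None or today <= record.expires:
        return "ok"
    if today <= record.expires + timedelta(days=policy.grace_days):
        return "change_required"
    return "expired"
```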

Role Determination: Shows how the user's privileges for managing the gateway are determined. This can be done either by referencing locally defined users whose name matches the login name or, for RADIUS, by having the gateway examine the attributes in the Access-Accept response to determine the role that the user assumes. The contents of this field are determined by the option you choose on the Role Mappings page of the Add Login Service wizard.
Default Role: If, at login time, it is not possible to determine the role from other information available, this is the role that an authenticated user will assume. The login will fail if it is not possible to determine the user's role from data returned from the authentication server, or from user information defined on the gateway.
Add Service: Starts the Add Login Service wizard. After you have created a service, you can edit its details using the standard edit button.

Add Login Services wizard
The Add Login Services wizard allows you to set up user authentication and authorization using either Kerberos or RADIUS authentication servers. The wizard sets up the following details for your chosen authentication server, and tests that they work as you want them to:
  The IP address of the authentication server
  A backup server
  The TCP port
  A shared secret
  The authentication realm, its notation, and delimiter
  Role mappings

Contents
  Option definitions: Basic Settings
  Option definitions: Type-Specific Settings
  Option definitions: Role Mappings
  Option definitions: Test

Option definitions: Basic Settings
This information describes the options available on this page of the wizard.

Service name: Define the name that you want to give the service.
Description (optional): Optional field to add further information to identify the service.
Service type: Choose from RADIUS or Kerberos. After defining the service, you cannot change this value.
Server address: The IP address or domain name of the authentication server.
Backup server (optional): For RADIUS only, the address of a server that can be used if the primary server is unavailable.
Port: The TCP port used by the authentication server. This defaults to port 88 for Kerberos, or to port 1812 for RADIUS.

Option definitions: Type-Specific Settings

This information describes the options available on this page of the wizard.

Shared secret: Set the key that is used for encrypting data sent between the gateway and the RADIUS server, to prevent passwords, for example, from being sent in clear text. This field does not appear if you chose the Kerberos server type on the Basic Settings page.
Realm: The authentication realm. In RADIUS you can use it to partition your user database. If you are linking to a Kerberos server, this field is mandatory because user names are not globally unique. This field is optional if you chose the RADIUS server type on the Basic Settings page.
Realm notation: Choose from either Postfix (such as user@realm) or Prefix (such as realm\user). This field does not appear if you chose the Kerberos server type.
Realm delimiter: The character that is used to join the user name and the realm to form a fully qualified user name. Typically, this is @ for postfix notation, or \ for prefix notation. This field does not appear if you chose the Kerberos server type.

Option definitions: Role Mappings

This information describes the options available on this page of the wizard. Role mapping controls how a user's privileges are determined during login.

The Kerberos server type does not support Role Mappings. To allow authentication against an external Kerberos server, either create locally defined users, or select a default role.

Use locally defined user details...: Select to have the gateway look for a user in its own database with the same name as the login name to determine access privileges.
Use data returned from the server...: Select to have the gateway use data returned by the authentication server to determine access privileges. A RADIUS server returns name-value pairs called attributes. You can define RADIUS attribute to gateway role mappings.
RADIUS Attribute: For example, Service Type.
Attribute Value: For example, Administrative User. You can use a regular expression to match multiple values.
Role: Includes any role that has been created in Users and Roles, as well as the default roles. If an attribute with the specified name and value is found in the Access-Accept response, the authenticated user is assigned that role.
Add Mapping: Opens the RADIUS Attribute Mapping dialog box, where you can set a name and value for the attribute, and select the type of user role that you want to associate with it.
Default role: If it is not possible to determine a user's role through other means (either a user defined on the gateway, or by examining data from the authentication server), this is the role that an authenticated user is assigned. You can select any defined role, or None. If you select None and it is not possible to determine a user's role, login fails even if authentication is successful.

Option definitions: Test

This information describes the options available on this page of the wizard.

Username: A valid user who can access the authentication server.
Password: The password associated with that username.
Status: The result of the last authentication test, either success or failure. If you have not yet performed a test, the status shows as Unknown.
Output: The response from the authentication server in a readable format. For RADIUS, some attributes are binary values and are shown using hexadecimal notation.
Test: Click to start the test authentication against the authentication server.
Finish: Click to exit the wizard. The details you entered are displayed on the Login Services page.

Session Management

This information describes the benefits and features of the Session Management options.

System | Users | Session Management

Benefits of the Session Management options

This information describes the benefits of using the Session Management options. Session management provides the means to control the amount of time a user can remain logged on to the appliance. This option prevents the user interface from remaining accessible inadvertently, providing additional security.

Option definitions: Session Management

This information describes the options available on this page.

Enable session management: Choose whether to allow session management settings to apply to the appliance. This option is selected by default.
Action to perform after session timeout: Choose from: Prompt for password, or Log off.
Timeout: Set the length of time, in minutes, before the appliance times out the session.
Display custom user notification: Select to have the appliance display a notification to your users that details your usage policy. Click Edit to open the Custom Text dialog box and view the default notification message, or change it.

DoD CAC Authentication

Understand the benefits and features of the DoD CAC Authentication options.

System | Users | DoD CAC Authentication

Benefits of using DoD CAC Authentication

Understand the benefits of configuring DoD CAC Authentication. The United States Department of Defense uses Common Access Card (CAC) technology to access many of its core IT systems. McAfee Email Gateway can be configured to use this method of authentication. Once configured to use DoD CAC Authentication, your users are only able to log onto the McAfee Email Gateway after inserting their CAC into the reader and being authenticated against the Department of Defense certificate authority.

Option definitions: DoD CAC Authentication

Understand the options relating to DoD CAC Authentication within the user interface.

Table 5-13 DoD CAC Authentication
Enable DoD CAC authentication: Select to enable CAC authentication. Once CAC authentication has been configured and applied, you can only log onto the McAfee Email Gateway user interface after inserting your CAC into the reader and being authenticated against the DoD certificate authority.
Link to import CA certificates: Click the link to move to Certificate Management | Certificates, to view, import or export a Department of Defense CA certificate.

Table 5-14 Role Mapping
CAC Certificate Subject Field: Shows the Distinguished Name (DN) component used to map a user to a specific role.
Field Value: Shows the value used to identify the user.
Role: The role selected for the user.
Add Mapping: Click to open the CAC Certificate Attribute Mapping dialog box, to create a new role mapping.
Default role: You can configure a default role if a role cannot be established when a user logs into McAfee Email Gateway using DoD CAC Authentication. Default value is None.

Option definitions: CAC Certificate Attribute Mapping

Configure your McAfee Email Gateway to automatically map a DoD CAC authenticated user to a particular role.

Table 5-15 CAC Certificate Attribute Mapping dialog box
CAC Certificate Subject DN Component: To create the role mapping, select the Distinguished Name (DN) component to use as the identifier. Options are: C, CN, D, G, I, L, O, OU, S, ST, T, UID.
Attribute Value: Enter the Attribute Value to be used to identify the user when mapping them to a role.
Role: Select the required role. By default, the options are: Administrator, Reports Administrator, Super Administrator.

Option definitions: Custom Text dialog box

This information describes the options available on this dialog box.

NOTICE TO USERS: Displays the system usage policy text that your users see when they log on to the appliance.
Use this text as the banner text on the appliance console: Deselect to edit the NOTICE TO USERS.
Reset: Click to return the text to the default.

Option definitions: User Details

Understand the options available when you are editing user details.

Login ID: Edit the Login ID for this user.
Full name: Change the information displayed in the Full name field for this user.
Description (optional): Provide or change the optional description field.
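The RADIUS Role Mappings page and the CAC Certificate Attribute Mapping dialog box above describe the same decision: find an attribute whose name and value match a configured mapping row, otherwise fall back to a locally defined user or to the Default role, and refuse the login when no role results even though authentication succeeded. The following Python is an added illustration, not McAfee's code; the RoleMapping class, the sample data and the assumption that mapping rows are tried in table order are this example's own.

```python
"""Role determination for gateway logins, as described for RADIUS Role
Mappings and for DoD CAC Certificate Attribute Mapping.  Added example, not
McAfee's code: the order in which mapping rows are tried is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RoleMapping:
    """One row of a Role Mapping table: the attribute to look at (a RADIUS
    attribute name, or a subject DN component such as CN or OU), the value
    that identifies the user (a regular expression), and the role assigned."""
    name: str
    value_pattern: str
    role: str


def fully_qualified_name(login_name: str, realm: str,
                         notation: str, delimiter: str) -> str:
    """Join user name and realm as the Realm notation and Realm delimiter
    settings describe: postfix gives user@realm, prefix gives realm\\user."""
    if not realm:
        return login_name
    if notation == "postfix":
        return f"{login_name}{delimiter}{realm}"
    if notation == "prefix":
        return f"{realm}{delimiter}{login_name}"
    raise ValueError(f"unknown realm notation: {notation!r}")


def parse_subject_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a certificate subject DN string into (component, value) pairs,
    honouring backslash escapes (for example 'CN=Doe\\, Jane').  Multi-valued
    RDNs joined with '+' are kept as one value; this parser does not split them."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","      # sentinel comma flushes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])               # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdn = "".join(buf).strip()
            buf = []
            if rdn:
                attr, _, value = rdn.partition("=")
                pairs.append((attr.strip().upper(), value.strip()))
        else:
            buf.append(ch)
        i += 1
    return pairs


def resolve_role(login_name: str, source: str,
                 attributes: Sequence[Tuple[str, str]],
                 mappings: Sequence[RoleMapping],
                 local_users: Dict[str, str],
                 default_role: Optional[str]) -> Optional[str]:
    """Return the role an authenticated user assumes, or None when no role can
    be determined and Default role is None (the login then fails even though
    authentication succeeded).  source is "local" (Use locally defined user
    details) or "server" (Use data returned from the server); attributes are
    the Access-Accept attributes for RADIUS, or the subject DN components for CAC."""
    role: Optional[str] = None
    if source == "local":
        role = local_users.get(login_name)      # gateway user with the same name
    elif source == "server":
        # Assumption: mapping rows are tried in table order, first match wins.
        for m in mappings:
            for attr_name, attr_value in attributes:
                if m.name == attr_name and re.fullmatch(m.value_pattern, attr_value):
                    role = m.role
                    break
            if role is not None:
                break
    else:
        raise ValueError(f"unknown role source: {source!r}")
    return role if role is not None else default_role


def login_allowed(role: Optional[str]) -> bool:
    """Authentication alone is not enough; authorization needs a role."""
    return role is not None


if __name__ == "__main__":
    # Constructed sample data, not taken from a real appliance.
    radius_maps = [RoleMapping("Service-Type", "Administrative[- ]User", "Administrator")]
    r = resolve_role(fully_qualified_name("jdoe", "corp", "postfix", "@"), "server",
                     [("Service-Type", "Administrative-User")], radius_maps, {}, None)
    print("RADIUS role:", r, "login allowed:", login_allowed(r))
    dn = parse_subject_dn("CN=DOE.JANE.1234567890,OU=PKI,OU=DoD,O=U.S. Government,C=US")
    cac_maps = [RoleMapping("OU", "DoD", "Reports Administrator")]
    r = resolve_role("DOE.JANE.1234567890", "server", dn, cac_maps, {}, None)
    print("CAC role:", r, "login allowed:", login_allowed(r))
```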

Primary role: Specify the Primary role. The options are: Super Administrator, Administrator, Reports Administrator.
Account type: Select the Account type. The options are: Local user, External user.
Reset password: Click the link to reset the password for this user to the default value. After a short time, a message displays the new password for that user.

Virtual Hosting

The Virtual Hosting pages enable you to configure the virtual hosts and virtual networks that the appliance needs to scan.

System | Virtual Hosting

From these pages, you can enable virtual hosting on the appliance, add a new virtual host, and edit any virtual networks.

Contents
Virtual Hosts
Virtual Networks
Option definitions: Edit Virtual Network
Add Virtual Host wizard
Option definitions: New Scanning Policy
Option definitions: New Protocol Preset

Virtual Hosts

Use this page to add, edit, or delete virtual hosts and show available virtual hosts.

System | Virtual Hosting | Virtual Hosts

You can specify the addresses where the appliance receives or intercepts traffic in the Inbound Address Pool. At least one IP address must be present. These addresses must be unique: they must not be referenced in the Inbound addresses of any other virtual host. However, they are allowed in the Outbound addresses of any other virtual host.

An overview of virtual hosting

This information describes the concept of virtual hosting. Using virtual hosts, a single appliance can appear to behave like several appliances. Each virtual appliance can manage traffic within specified pools of IP addresses, enabling the appliance to provide scanning services to traffic from many customers. This enables you to:

Separate each customer's traffic.
Create policies for each customer or host, which simplifies configuration and prevents clashes that might occur in complex policies.
Provide reports for each customer or host in the appliance's Favorite reports feature (Reports | Scheduled Reports | Favorite), which removes the need for complex filtering.
If any behavior places the appliance on a reputation black list, only a single virtual host is affected, not the whole appliance.

There are two types of virtual host:

Transparent: This type of virtual host can only be created on an appliance configured for bridge or router mode. A transparent virtual host intercepts traffic passing through the appliance destined for an address in the range specified for the virtual host. To configure a transparent virtual host, simply specify the IP address (or range) of the SMTP servers for which traffic should be intercepted.
Proxy: This type of virtual host configures the appliance to listen for SMTP connections on the IP address ranges specified for the virtual host. A proxy mode virtual host can be configured to have any number of addresses used for delivering mail from the appliance (Outbound address pool). Configuring a proxy mode virtual host is more complex, because the appliance needs to have some knowledge of the routing to the networks for each of the IP addresses it intercepts.

Virtual hosts behave differently depending on their mode: a virtual host running in proxy mode listens on its inbound addresses, while a virtual host running in transparent mode intercepts traffic going to the IP addresses listed. If you create outbound IP address pools on both the LAN1 and LAN2 NICs, the virtual host uses the IP addresses on the appliance interface as determined by the routing table.

The following constraints apply when you create virtual hosts and virtual networks:

Virtual Host IP address ranges must not overlap.
All Virtual Host IP address ranges must be contained within a Virtual Network.
Virtual Networks must not overlap.

Virtual networks

The concept of a virtual network is used to bind a subnet to a specific interface of the appliance. With this knowledge the appliance knows to route traffic to or from that subnet via the appropriate network interface. Virtual network configuration is handled automatically by the Add Virtual Host wizard, which selects (or suggests) the appropriate virtual network and populates the Network address field accordingly when you specify an inbound or outbound address.

Option definitions: Virtual Hosts

This information describes the options available on this page.

Enable virtual hosting on this appliance: Click to allow your appliance to have virtual hosting configured.
Name: Displays the name of the virtual host. The name must be unique, and is used in other locations on the appliance user interface, such as Configuration, Policies, Message Search and Reports. The icons indicate the type of host: Physical host or Virtual host. The policy name must be unique across all virtual hosts.
Host Name: Displays the host name of the virtual host.
Domain name: Displays the domain name of the virtual host.
Inbound/Intercept Address Pool: Displays the number of addresses available. The range is shown as a tooltip.
Outbound Address Pool: Displays the number of addresses available. The range is shown as a tooltip. This option is available to virtual hosts running in proxy mode. The addresses are used in a round-robin fashion.
Add: When clicked, opens a wizard where you can type the details of a new virtual host.

Task: Creating a new virtual host

Use this task to create a new virtual host.

Before you begin
Before creating a new virtual host, ensure that you have the relevant information (Host name, Domain name, IP address ranges) needed to correctly configure the virtual host available.

Task
1 Go to System | Virtual Hosting | Virtual Hosts.
2 Ensure that Enable virtual hosting on this appliance is checked.
3 Click Add. The Add Virtual Host dialog box appears.
4 Type a Virtual host name.
5 Type a Description for this virtual host. This step is optional, but enables you to quickly identify further information about this virtual host.
6 Type the Host name.
7 Type the Domain name. This is in the format example.com.
8 Click Next.
9 Click Add to specify addresses in the Inbound/Intercept Address Pool.
  a Specify the Address range, Network address and Network interface for the Inbound/Intercept Address Pool.
  b Click OK.
  c Click Next.
10 Click Add to specify addresses in the Outbound Address Pool. This step is optional.
  a Specify the Address range, Network address and Network interface for the Outbound Address Pool.
  b Click OK.
11 Click Finish.

Task: Creating a new virtual policy

Use this task to create a new virtual policy. Virtual policies can be used as a template policy for similar kinds of virtual hosts.

Task
1 Go to System | Virtual Hosting | Virtual Hosts.
2 Ensure that Enable virtual hosting on this appliance is checked.
3 Apply the changes to the appliance.
4 Go to Policies | Scanning Policies.
5 Click Add policies, and type a policy name. The same policy name cannot be used across virtual hosts.
6 Select the Virtual policy type.
7 Go to System | Virtual Hosting | Virtual Hosts.
8 In Base scanning policy, select the Virtual policy in a new virtual host, or an existing one.

Virtual Networks

Use this page to specify virtual networks.

System | Virtual Hosting | Virtual Networks

Benefits of configuring virtual networks

This information describes the benefits of managing virtual networks, such as deleting virtual networks that you no longer need. Virtual networks permit you to subdivide traffic by allowing a single network to appear as multiple networks. Virtual hosts assigned to these virtual networks make creating and applying policies to specific groups much easier.

Option definitions: Virtual Networks

This information describes the options available on this page.

Network address: Displays a virtual network address and prefix length, such as /24.
Network interface: Displays the network interface for that virtual network address: Bridge, LAN1 or LAN2.
Edit: When clicked, opens the Edit Virtual Network dialog box.
Delete: When clicked, deletes the network in that row. You cannot delete networks that are in use.
Add: When clicked, opens the Edit Virtual Network dialog box.
Delete Unused Networks: Removes unused networks from the list.

Option definitions: Edit Virtual Network

This information describes the options available on this dialog box.

Network address: Enter the required IP address and prefix length for the virtual network, such as /24.
Network interface: Select the network interface to associate with the virtual network.

Add Virtual Host wizard

Use this wizard to set up a virtual host.

System | Virtual Hosting | Virtual Hosts | Add Virtual Host

Option definitions: Basic Host Settings page

This information describes the options available on this page.

Virtual host name and Description: Specify a unique name and description of the virtual host that is used by other locations on the appliance user interface, such as Configuration, Policies, Message Search and Reports.
Host name: This value is used with the domain name to generate the SMTP greeting banner. If the domain name is a Fully Qualified Domain Name (FQDN), the host name does not appear in the SMTP greeting banner.
Domain name: The domain name has the form domain.dom and must be unique across all virtual hosts. If the domain name is a Fully Qualified Domain Name (FQDN), the host name does not appear in the SMTP greeting banner.

Mode: This option is only available when the appliance runs in a transparent mode. There are two types of Virtual Host:
  Transparent: This type of virtual host can only be created on an appliance configured for bridge or router mode. A transparent virtual host intercepts traffic passing through the appliance destined for an address in the range specified for the virtual host. To configure a transparent virtual host, simply specify the IP address (or range) of the SMTP servers for which traffic should be intercepted.
  Proxy: This type of virtual host configures the appliance to listen for SMTP connections on the IP address ranges specified for the virtual host. A proxy mode virtual host can be configured to have any number of addresses used for delivering mail from the appliance (Outbound address pool). Configuring a proxy mode virtual host is more complex, because the appliance needs to have some knowledge of the routing to the networks for each of the IP addresses it intercepts.
Base scanning policy: Offers a choice of policies from the physical host, or allows you to specify a new policy. To view all the policies at any time, select Policies | Scanning Policies on the navigation bar.
Base protocol preset: Offers a choice of presets from the physical host, or allows you to specify a new preset. Presets are the connection-based policies.
Base McAfee Secure Web Mail policy: Offers a choice of policies from McAfee Secure Web Mail, or allows you to specify a new policy.
Email relaying: Configures the virtual host domain as a local relay domain.
Enable logical virtual hosting: Logical virtual hosting allows you to configure virtual hosts on different appliances with the same policies, but with different network configuration. When you push a configuration to another appliance within the same cluster: if a virtual host with the same logical identifier has not yet been defined, an empty virtual host entry is created; if a virtual host with the same logical identifier has already been defined, the IP addresses for that virtual host are preserved. A logical identifier can be a combination of characters and numbers.

Option definitions: Inbound / Intercept Address Pool

This information describes the options available on this page.

Address range: Displays the address range for this virtual host. At least one IP address must be specified.
Add: Click Add to display the Edit IP Address Range dialog box. This enables you to define the inbound IP address pool for the virtual host. These are the addresses on which the appliance intercepts traffic.

Address range: You must specify at least one inbound IP address. These addresses must be unique, and cannot be used as the inbound addresses for any other physical or virtual host. The addresses can, however, be used as outbound addresses for other virtual hosts. The range of addresses can be specified in formats such as:
  a single IP address
  a range of IP addresses (from a first address to a last address)
  a subnet in CIDR notation, such as /24, meaning all host IP addresses in that /24 subnet
The IP addresses are created on the network driver, so you cannot ping or see the IP address by running the ip addr show command.
Network address: Specify the subnet for the address range. The appliance auto-fills this field, based on the information you enter in Address range. Check that this is appropriate for your infrastructure, and edit the value if necessary.
Network interface: Select the interface on which you need to create the IP addresses. Choose from the available network interfaces. You cannot ping the IP address externally, or see the address by running the ip addr show command. To test that the virtual host is listening on the expected address, telnet to the configured SMTP port.

Option definitions: Outbound Address Pool page

This information describes the options available on this page. The outbound address pool feature enables the appliance to deliver mail for a specific Virtual Host (or the Physical Host) from a range of IP addresses. The IP address used for the outbound connection is chosen using a round robin.

Outbound address pool

Address range: Displays the address range for this virtual host. At least one IP address must be specified.
Add: Click Add to display the Edit IP Address Range dialog box. This enables you to define the outbound IP address pool for the virtual host. These are the addresses from which the appliance delivers scanned email. If you do not specify any outbound IP addresses, the appliance uses the physical host IP address. The addresses are used in a round-robin fashion. The addresses can also be used as outbound addresses for other virtual hosts.

Address range: The range of addresses can be specified in the following formats:
  a single IP address
  a range of IP addresses (from a first address to a last address)
  a subnet in CIDR notation, such as /24, meaning all host IP addresses in that /24 subnet
The IP addresses are created on the network driver, so you cannot ping or see the IP address by running the ip addr show command.
Host name (for SMTP HELO): Specifies the name that appears in the SMTP HELO greetings, using one of the following options:
  Resolve at runtime: This option can impact performance.
  Use an IP address literal: The IP address of a host used in place of its domain name. To indicate that it is an address literal, it is enclosed in [square] brackets. Literal IP addresses are used because no DNS lookup needs to be done, so the value is always correct.
  Use the following value: Click Look Up to resolve the IP address to a name.
Network address: Specify the subnet for the address range. The appliance auto-fills this field, based on the information you enter in Address range. Check that this is appropriate for your infrastructure, and edit the value if necessary.
Network interface: Select the interface on which you need to create the IP addresses. Choose from the available network interfaces. You cannot ping the IP address externally, or see the address by running the ip addr show command. To test that the virtual host is listening on the expected address, telnet to the configured SMTP port.
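The address-pool rules stated across the Virtual Hosts, Inbound/Intercept Address Pool and Outbound Address Pool pages (inbound ranges that do not overlap between hosts, containment within a virtual network, virtual networks that do not overlap, the three range formats, and round-robin outbound delivery that falls back to the physical host address) can be checked mechanically before a configuration is applied. The following Python is an added example, not the appliance's own software; the VirtualHost and VirtualNetwork classes, the sample configuration and the error texts are this example's own.

```python
"""Constraint checks for virtual host address pools and virtual networks, as
the Virtual Hosting pages describe them.  Added example, not the appliance's
own code; the error message wording is this example's own."""
import ipaddress
from dataclasses import dataclass, field
from itertools import cycle
from typing import Iterator, List, Sequence

IPv4Network = ipaddress.IPv4Network


@dataclass
class VirtualNetwork:
    address: str      # network address with prefix, e.g. "10.0.1.0/24"
    interface: str    # Bridge, LAN1 or LAN2


@dataclass
class VirtualHost:
    name: str
    inbound: List[str]                                   # Inbound/Intercept Address Pool
    outbound: List[str] = field(default_factory=list)    # Outbound Address Pool (optional)


def parse_address_range(text: str) -> List[IPv4Network]:
    """Accept the formats the Edit IP Address Range dialog box allows: a single
    address, a 'first-last' range, or CIDR such as 10.0.1.0/24.  The result is
    a list of networks covering exactly the requested addresses."""
    text = text.strip()
    if "-" in text:
        first_s, last_s = text.split("-", 1)
        first = ipaddress.IPv4Address(first_s.strip())
        last = ipaddress.IPv4Address(last_s.strip())
        if last < first:
            raise ValueError(f"range end precedes start: {text}")
        return list(ipaddress.summarize_address_range(first, last))
    if "/" in text:
        return [IPv4Network(text, strict=True)]    # host bits set in a CIDR is a typo: reject
    return [IPv4Network(f"{text}/32")]


def _pool(ranges: Sequence[str]) -> List[IPv4Network]:
    return [net for r in ranges for net in parse_address_range(r)]


def _overlaps(a: Sequence[IPv4Network], b: Sequence[IPv4Network]) -> bool:
    return any(x.overlaps(y) for x in a for y in b)


def validate(hosts: Sequence[VirtualHost],
             networks: Sequence[VirtualNetwork]) -> List[str]:
    """Apply the guide's constraints and return the violations found (an empty
    list means the configuration is acceptable)."""
    errors: List[str] = []
    vnets = [IPv4Network(n.address, strict=True) for n in networks]

    # Virtual Networks must not overlap.
    for i, a in enumerate(vnets):
        for b in vnets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"virtual networks {a} and {b} overlap")

    inbound = {h.name: _pool(h.inbound) for h in hosts}
    for h in hosts:
        # At least one inbound IP address must be present.
        if not inbound[h.name]:
            errors.append(f"{h.name}: inbound address pool is empty")
        # All Virtual Host IP address ranges must be contained within a Virtual Network.
        for net in inbound[h.name]:
            if not any(net.subnet_of(v) for v in vnets):
                errors.append(f"{h.name}: {net} is not contained in any virtual network")

    # Inbound ranges must be unique across hosts.  Reuse of an address as another
    # host's outbound address is allowed, so outbound pools are not compared.
    names = [h.name for h in hosts]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if _overlaps(inbound[a], inbound[b]):
                errors.append(f"inbound pools of {a} and {b} overlap")
    return errors


def outbound_selector(host: VirtualHost, physical_host_ip: str) -> Iterator[str]:
    """Yield the source address for each delivery, round robin over the
    Outbound Address Pool; with no pool configured the physical host IP is used."""
    addrs: List[str] = []
    for net in _pool(host.outbound):
        # a /24 means all host addresses; /31 and /32 have no network/broadcast to skip
        members = list(net) if net.prefixlen >= 31 else list(net.hosts())
        addrs.extend(str(ip) for ip in members)
    return cycle(addrs or [physical_host_ip])


if __name__ == "__main__":
    # Constructed sample configuration, not from a real appliance.
    nets = [VirtualNetwork("10.0.1.0/24", "LAN1"), VirtualNetwork("10.0.2.0/24", "LAN2")]
    hosts = [VirtualHost("cust-a", ["10.0.1.10-10.0.1.19"], ["10.0.2.10"]),
             VirtualHost("cust-b", ["10.0.1.15"], ["10.0.2.10"])]   # 10.0.1.15 clashes
    for problem in validate(hosts, nets):
        print("violation:", problem)
```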

Option definitions: New Scanning Policy

Use this dialog box to create a new virtual host policy.

Policy name: Type a name for the virtual host policy.
Description: Optionally type a description for the policy to help you identify it.
Inherit settings from: Select the policy from which you want to inherit settings.
Email direction: Apply the policy to either inbound or outbound messages.

Option definitions: New Protocol Preset

Use this dialog box to create a protocol preset to apply to a policy. Some of these options may not be available in all instances of creating a new protocol preset.

Policy name: Type a name for the virtual host policy.
Description: Optionally type a description for the policy to help you identify it.
Inherit settings from: Select the protocol preset from which you want to inherit the settings; that is, any settings that are not overridden by this protocol preset are taken from the protocol preset specified here.
Policy type: Select either:
  Physical: A standard policy that has rules available. A physical policy can be triggered when its rules are matched and can also be used for inheritance.
  Virtual: A virtual policy can be considered to be a collection of settings available for the purposes of inheritance. A virtual policy can never be triggered.
  This option is only available when you create a protocol preset from Configuration when virtual hosting has been enabled on the appliance.
Match logic: Select either:
  Match one or more of the following rules: this policy triggers if any of the specified rules are matched.
  Match all of the following rules: this policy triggers if all of the specified rules are matched.
  This option is only available when you create a protocol preset from Configuration.
Rule type / Move / Edit: Lists the rules associated with the preset, and allows you to move or edit them as appropriate. This option is only available when you create a protocol preset from Configuration.

Add Rule: Click to specify the type of rule that you want to apply to the preset, and set its Match and Value. This option is only available when you create a protocol preset from Configuration.
Add network group: Click to create a network group to associate with the preset. This option is only available when you create a protocol preset from Configuration.

Logging, Alerting and SNMP

The Logging, Alerting and SNMP pages help you configure the options within the appliance to log information, and provide alerts.

System | Logging, Alerting and SNMP

You can configure the appliance to send emails containing information about viruses and other detected threats, and to use SNMP to transfer information from your appliance.

Contents
Email Alerting
SNMP Alert Settings
SNMP Monitor Settings
System Log Settings
Logging Configuration
Logging Configuration Override events dialog boxes
Configure System Log Archive wizard

Email Alerting

Use this page to decide who receives an email message when events such as a virus detection occur.

System | Logging, Alerting and SNMP | Email Alerting

See Alert tokens for email alert messages on page 377 for information on the usage of each substitution variable.

Benefits of the Email Alerting features

Email alerting is a mechanism by which you can ensure that designated individuals are notified when specific events occur. This is particularly helpful when any event warrants immediate attention.

377 Overview of System menu Logging, Alerting and SNMP 5 definitions - Alerting This information describes the options available on this page. Anti virus events to Aggregated data events Alert Settings When selected, sends messages when this type of event occurs. To change the message, click Edit to open an alert window. Specifies the sender name and sender address that appears in the From field of the message. This does not have to be a real address. Default value is MEG. Subject Specifies the subject line of the message. Default value is MEG Alert. Recipients Click Add to specify the addresses of recipients who receive the alerts. We recommend that you choose people who often read their and can respond quickly to these alerts. Alert tokens for alert messages You can customize alert messages with alert tokens. For example, the message: Virus detected at %LOCALTIME% might become: Virus detected at 10:31. System Logging, Alerting and SNMP Alerting Alert tokens (also known as replacement tokens or substitution variables) allow you to create meaningful alert messages for your users. The following tables list the available alert tokens for different circumstances. These tables contain: The alert token names begin and end with the % character. Description type of information that replaces the substitution variable. The following tables provide information on: Alert tokens for Scanner alerts information about the actions that have been triggered on your McAfee Gateway. For example, these tokens can be used to provide information about why a message triggered an action or what action was taken. Alert tokens for notifications information that is often used in the notifications that are sent to your users. Alert tokens for Quarantine digest messages when you configure Quarantine digest messages you can select tokens to provide information to your users about the messages being quarantined. 
Alert tokens for alerts (Logging and Alerting) these tokens are useful when configuring your logging and alerting messages. Table 5-16 Alert tokens for Scanner alerts Token name %ACTIONNAME%: %ACTIVECONTENT%: %ATTACHMENTCONTEXT%: %ATTACHMENTNAME%: Description The action being taken (AV) The list of active content found in the item (HTML) A detailed description of the sub contexts that triggered (only different from %ATTACHMENTNAME% when have multiple condition rules) (Compliance) Name of the item being scanned McAfee Gateway Appliances Administrators Guide 377

Table 5-16 Alert tokens for Scanner alerts (continued)

Token name              Description
%AVDATVERSION%          The DAT version used by the anti virus engine (AV)
%AVENGINENAME%          The name of the anti virus engine (AV)
%AVENGINEVERSION%       The version of the anti virus engine (AV)
%BLOCKED_URL%           The URL that has been requested and blocked by the URL filtering engine (URL)
%CONTENTREPORT%         A detailed report of the rule(s) triggered, including the term(s), matching text and contextual text (Compliance)
%CORRUPTIONTYPE%        The type of corruption that has occurred (Corrupt Content)
%DESTINATIONHOST%       Destination host name
%DESTINATIONIP%         Destination IP address
%DETECTIONS%            List of detections in the item
%DICTIONARYGROUP%       The name(s) of the content scanning rule(s) that triggered (Compliance)
%DLP_FINGERPRINTSOURCE% Protected document name (DLP)
%DLP_REPORT%            A detailed report of the rule(s) triggered, including the name, category, size and digest of the protected documents (DLP)
%DLP_RULE%              Name of the triggered DLP rule (DLP)
%DOSLIMIT%              The DoS limit value that has been exceeded (DOS)
%FILTERCONTEXT%         The name(s) of the rule(s) that triggered (Compliance)
%FILTERNAME%            The name of the file filtering rule that has triggered (File Filtering)
%FILTERNAME%            The name(s) of the top level rule(s)/group(s) that triggered (as per policy statement) (Compliance)
%FORMAT%                Description of the type of blocked message format (Mail Filtering)
%ID%                    Email Gateway unique message ID (SMTP)
%LOCALTIME%             Local time
%POLICY%                Policy which triggered the event
%POLICY_ID%             Policy identity which triggered the event
%PROTOCOL%              Protocol
%REASON%                Description of the DoS limit that has been exceeded, for example max nesting depth, file size or AV scanner timeout (DOS)
%RECIPIENTS%            Envelope recipient list. Available in SMTP (SMTP)
%SENDER%                Envelope sender. Available in SMTP (SMTP)
%SITEADVISOR%           The SiteAdvisor web reputation of the requested URL (URL)
%SIZE%                  Size of data
%SOURCEHOST%            Source host name
%SOURCEIP%              Source IP address
%SUBJECT%               Subject. Available in SMTP (SMTP)
%TOTALSCORE%            Total accumulated score for the stream (Compliance)
%URL_CATEGORY%          The filtered category that has matched the requested URL (URL)

Table 5-16 Alert tokens for Scanner alerts (continued)

Token name                   Description
%URL_REQUEST_DISPLAY_NAME%   Contact name for queries regarding URL alerts (URL)
%URL_REQUEST_ _ADDR%         Contact email address for queries regarding URL alerts (URL)
%UTCTIME%                    UTC time
%WEB_REPUTATION_INFO%        The SiteAdvisor web reputation of the requested URL (URL)
%WEBSHIELDIP%                McAfee Email Gateway IP address
%WEBSHIELDNAME%              McAfee Email Gateway appliance name
%WEBSHIELDVIRTUALIP%         Virtual IP address

Table 5-17 Alert tokens for email notifications

Token name              Description
%ATTACHMENTNAME%        Name of the item being scanned
%AVDATVERSION%          The DAT version used by the anti virus engine
%AVENGINENAME%          The name of the anti virus engine
%AVENGINEVERSION%       The version of the anti virus engine
%DESTINATIONHOST%       Destination host name
%DESTINATIONIP%         Destination IP address
%DETECTIONS%            List of detections in the item
%ID%                    McAfee Email Gateway unique message ID
%LOCALTIME%             Local time
%POLICY%                Policy which triggered the event
%POLICY_ID%             Policy identity which triggered the event
%PROTOCOL%              Protocol
%RECIPIENTS%            Envelope recipient list. Available in SMTP
%SCANNER%               Scanner name(s)
%SENDER%                Envelope sender. Available in SMTP
%SIZE%                  Size of data
%SOURCEHOST%            Source host name
%SOURCEIP%              Source IP address
%SPAMENGINEVERSION%     Spam engine version. Available in SMTP
%SPAMSCORE%             Spam score. Available in SMTP
%SUBJECT%               Subject. Available in SMTP
%UTCTIME%               UTC time
%WEBSHIELDIP%           McAfee Email Gateway IP address
%WEBSHIELDNAME%         McAfee Email Gateway appliance name
%WEBSHIELDVIRTUALIP%    Virtual IP address

Table 5-18 Alert tokens for Quarantine digest messages

Token name              Description
Message body:
%SPAM_LIST%             A list of messages quarantined as spam since the last digest

Table 5-18 Alert tokens for Quarantine digest messages (continued)

Token name              Description
%FULL_SPAM_LIST%        A full list of messages quarantined as spam
%CONTENT_LIST%          A list of messages quarantined because of content violations since the last digest
%FULL_CONTENT_LIST%     A full list of messages quarantined because of content violations
%WHITE_LIST%            A list of addresses in the whitelist
%BLACK_LIST%            A list of addresses in the blacklist
%SENDER%                The address of the digest sender
%RECIPIENT%             The address of the recipient
%EXP_DELAY%             The user expiration delay in days
%MAX_EXP_DELAY%         The maximum expiration delay in days
%PRODUCT_NAME%          The product name of the appliance that generated the digest
%POST_MASTER%           The address of the postmaster
%DIGEST_DATE%           The date on which the digest was generated
%ADD_WHITE_LIST%        An HTML form for adding addresses to the whitelist (interactive HTML)
%ADD_BLACK_LIST%        An HTML form for adding addresses to the blacklist (interactive HTML)
%SET_EXP_DELAY%         An HTML form for setting the expiration delay (interactive HTML)
Responses:
%REQUEST_RESULTS%       An HTML table displaying the results of the actions performed
Error response:
%ERR_TEXT%              Text describing the error

Table 5-19 Alert tokens for email alerts (Logging and Alerting)

Token name              Description
Anti Virus:
%PRODUCT%               The product name
%EVENT%                 The name of the event
%REASON%                The reason for the event
%SOURCEIP%              Source IP address
%SOURCEHOST%            Source host name
%DESTINATIONIP%         Destination IP address
%DESTINATIONHOST%       Destination host name
%SERVERUSERNAME%        The login name of the user (POP3)
%LOCALTIME%             Local time
%UTCTIME%               UTC time
%WEBSHIELDNAME%         McAfee Email Gateway appliance name
%WEBSHIELDIP%           McAfee Email Gateway IP address
%APPLICATION%           The name of the process that generated the event
%SENDER%                Envelope sender (SMTP)
%RECIPIENTS%            Envelope recipient list (SMTP)

Table 5-19 Alert tokens for email alerts (Logging and Alerting) (continued)

Token name                    Description
%DETECTIONS%                  List of detections in the item
%POLICY%                      The name of the policy that triggered the event
%POLICY_ID%                   The ID of the policy that triggered the event
%SUBJECT%                     Subject (SMTP)
%SIZE%                        Size of data
%LDAP_ADDRESS%                The email address queried from LDAP
%LDAP_SYNC_ERROR%             A synchronization error occurred
%LDAP_SYNC_ERROR_TEXT%        The text for the synchronization error
%LDAP_SYNC_SERVER%            The name server that encountered the synchronization error
%AVDATVERSION%                The DAT version used by the anti virus engine (AV)
%AVENGINEVERSION%             The version of the anti virus engine (AV)
%ATTACHMENTNAME%              Name of the item being scanned (AV, DLP)
%IASCORE%                     The score assigned to an image by Image Analysis scanning
%IATHRESHOLD%                 The score that triggers an Image Analysis detection
%DLP_RULE%                    The DLP rule that triggered
%DLP_CATEGORY%                The registered document categories that triggered
%DLP_FILEDIGEST%              Checksum for the trained document that resulted in the DLP detection
%DLP_FILESIZE%                Size of the trained document
%DLP_FINGERPRINTDATE%         Date when the trained document was fingerprinted
%DLP_FINGERPRINTSOURCE%       The registered document name
%DLP_REPORT%                  Detailed report containing the document name, the category name, the size and the digest as per the registered documents
%LB_APPLIANCE_IP_ADDRESS%     IP address of the scanning appliance
%LB_APPLIANCE_IP_NAME%        Domain name of the scanning appliance
%LB_APPLIANCE_MAC_ADDRESS%    MAC address of the scanning appliance
%FILESYSTEM%                  The name of the filesystem on the appliance (system events)
%FILTERCONTEXT%               The name or names of the rules that triggered (compliance)
%SPAMSCORE%                   Spam score (AS)
%SPAMRULESBROKEN%             The name or names of the spam rules that triggered the detection (AS)
%SPAMTHRESHOLD%               Spam reporting threshold (AS)
Aggregated data:
%PRODUCT%                     The product name
%EVENT%                       The name of the event
%PROTOCOL%                    The mail protocol, SMTP or POP3
%SMTPNUMMESSAGES%             The number of messages received via SMTP
%SMTPVIRUSDETECTED%           The number of viruses detected (SMTP)
%SMTPPUPSDETECTED%            The number of PUPs detected (SMTP)
%SMTPANTIRELAYDETECTED%       The number of items that triggered anti relay measures

Table 5-19 Alert tokens for email alerts (Logging and Alerting) (continued)

Token name                        Description
%SMTPBATVDETECTED%                The number of messages that failed BATV signature verification
%SMTPCONTENTDETECTED%             The total number of content detections
%SMTPCOMPLIANCEDETECTED%          The number of compliance detections (SMTP)
%SMTPDENYSENDERDETECTED%          The number of emails that triggered the denied senders list
%SMTPDHDETECTED%                  The number of emails that triggered directory harvest detections
%SMTPDKIMDETECTED%                The number of emails that included DKIM signature failures
%SMTPDLPDETECTED%                 The number of DLP violations detected (SMTP)
%SMTPFILEFILTERDETECTED%          The number of emails that triggered file filtering
%SMTPGREYLISTDETECTED%            The number of emails that triggered Greylisting
%SMTPGTIMSGREPDETECTED%           The number of TrustedSource lookups reported as being malicious
%SMPTIADETECTED%                  The number of emails that triggered Image Analysis
%SMTPLDAPRCPTDETECTED%            The number of recipients that failed LDAP verification
%SMTPMAILFILTERDETECTED%          The number of emails that triggered message/partial, message/external body, and missing/empty header detections
%SMTPMAILSIZEFILTERDETECTED%      The number of detections based upon message size (SMTP)
%SMTPPACKERSDETECTED%             The number of packers detected (SMTP)
%SMTPPHISHDETECTED%               The number of phishing messages (SMTP)
%SMTPRBLDETECTED%                 The number of emails that failed testing of the origin against an RBL
%SMTPRECIPIENTDETECTED%           The number of emails that failed recipient ID verification
%SMTPSENDCONNECTDETECTED%         The number of emails that failed sender connection verification
%SMTPSENDERIDDETECTED%            The number of emails that failed Sender ID verification
%SMTPSPAMDETECTED%                The number of spam messages detected (SMTP)
%SMTPSPFDETECTED%                 The number of messages that failed Sender Policy Framework (SPF) verification
%SMTPTOTALDETECTED%               The total number of detections (SMTP)
%POP3NUMMESSAGES%                 The number of messages scanned (POP3)
%POP3VIRUSDETECTED%               The number of viruses detected (POP3)
%POP3PUPSDETECTED%                The number of PUPs detected (POP3)
%POP3IADETECTED%                  The number of Image Analysis detections (POP3)
%POP3MAILSIZEFILTERDETECTED%      The number of detections based upon message size (POP3)
%POP3PACKERSDETECTED%             The number of packers detected (POP3)
%POP3PHISHDETECTED%               The number of phishing messages (POP3)
%POP3SPAMDETECTED%                The number of spam messages (POP3)
%POP3TOTALDETECTED%               The total number of detections (POP3)
%SPAMBLOCKEDRBL%                  The number of spam messages detected using RBLs
%SPAMDETECTED%                    The number of spam messages detected

Table 5-19 Alert tokens for email alerts (Logging and Alerting) (continued)

Token name              Description
%SPAMBLOCKED%           The number of spam messages discarded
%SPAMQUAR%              The number of spam messages quarantined
%CONTENTQUAR%           The number of messages quarantined through compliance
%VIRUSQUAR%             The number of viral messages quarantined
%SOURCEIP%              Source IP address
%SOURCEHOST%            Source host name
%DESTINATIONIP%         Destination IP address
%DESTINATIONHOST%       Destination host name
%LOCALTIME%             Local time
%UTCTIME%               UTC time
%WEBSHIELDNAME%         McAfee Email Gateway appliance name
%WEBSHIELDIP%           McAfee Email Gateway IP address
%GATEWAYIP%             The gateway IP address
%GATEWAYNAME%           The gateway host name
%APPLICATION%           The name of the process that generated the event

SNMP Alert Settings

Use this page to configure the SNMP alerts sent by the appliance.

System | Logging, Alerting and SNMP | SNMP Alert Settings

The SNMP alerts are cumulative and are derived by adding data from the real time logs. The real time logs are updated every 24 hours.

The page is divided into these sections:
  SNMP Alert Settings
  Trap Manager Settings

Benefits of SNMP Alerts

SNMP alerts provide alert messages directly to specified computer workstations. You can configure one or more workstations to receive the various types of alerts that Email Gateway generates.

Option definitions - SNMP Alert Settings

This information describes the options available on this page.

Option                                            Definition
Anti virus events to System events                When selected, specifies the types of events that will be sent.
Trap manager, Community name, Protocol version    Specifies various details for SNMP trap managers.

SNMP Monitor Settings

Use this page for settings that allow other devices to communicate with the appliance via SNMP.

System | Logging, Alerting and SNMP | SNMP Monitor Settings

Benefits of the SNMP Monitor Settings

Use SNMP monitor settings to enable other devices to access your appliance. You can allow queries from all devices in your network, or restrict access to specific devices.

Option definitions - SNMP Monitor Settings

This information describes the options available on this page.

Basic settings
  Name to Community name    Versions 1 and 2 of the SNMP protocol use the community name like a password. The community name is required with each SNMP Get request to allow access to the appliance. The default Community Name is public. If you have several appliances, change the default name.

Security settings (v3 only)
  Username for authentication to Store for configuration push (plain text)    Version 3 incorporates both authentication and privacy. You need to set the user name, and the protocols and passwords for authentication and privacy. These settings will not be included in configuration pushes between your appliances unless you select Store for configuration push (plain text). Be aware, however, that if you select this option, the configuration settings for the SNMP v3 protocol are stored on the appliance in plain text.

Access control list
  Access control list    The appliance is set to allow SNMP queries from all devices. We recommend that you change the settings to allow access from known devices only. Specify the IP addresses of the devices that can read the appliance's MIB parameters.

System Log Settings

Use this page to specify standard or extended system logging and the events to be recorded in the system log. You can also send logs to off box servers.

System | Logging, Alerting and SNMP | System Log Settings

Syslog provides log information about the system itself, rather than about messages the system processes. Extended logging allows you to use external software to generate reports.

Benefits of the System Log Settings

System Log (Syslog) is a method for delivering log information across a network, usually via UDP port 514. Extended logging creates a structured output log file using the syslog protocol. The extended logging provides name value pairs for each logged event. The syslog protocol and message format are defined in RFC

Option definitions - System Log Settings

This information describes the options that are available on this page.

Enable system log events    Enables system logging (syslog) information to be collected and delivered to the on appliance logging system, or sent to an off box solution. Select the type of logging format that you want to use. This option creates an output log file that is structured so that it can be easily read by third party applications and used to generate custom reports. Due to the amount of data generated, we recommend that this option is only enabled when using TCP syslog. Choose from:
  Original
  Splunk
  Common Event Format
  Content Security Reporter
  McAfee Enterprise Security Manager
Conversation events and Aggregated data events are not reported in the extended logging format. Click View the system logs to see the log files on the appliance.

Log events to the syslog for the following event types:    Specify the events to capture within the syslog. To prevent very large log files, we recommend that you record only events that you want to monitor closely, and deselect the events when you have finished. The appliance cannot store the transport events produced by heavy traffic for long periods. We recommend that you use the off box syslog option to forward the transport events to a central syslog server.

Off box system log    Enable off box system log: to send system logs for storage off box, enable this setting and define the receiving server parameters:
  Receiving server    Specifies the IP address or host name of the server that receives the syslog information.
  Use IPv6 protocol    Check this option when sending system logging information over an IPv6 network.
  Port    Specify the port on the receiving server to be used to transfer the system log information. When using off box system logging, you can specify different ports for each configured off box syslog server.
  Protocol    Either TCP or UDP. Specifies the packet type. UDP has a limit of 1024 bytes per packet.
  Add Server    You can configure multiple off box servers.

System Log Archive    Send archive copies of the mail logs to another server, and set up a schedule for this to happen. Click Enable log archive to open the Configure System Log Archive wizard. After the wizard is complete, this section displays a summary of the schedule settings you entered.

Extended Syslog attributes for Splunk

Using the extended Syslog functions within the appliance, you can use external, third party software such as Splunk to generate Syslog reports.

Table 5-20 Extended Syslog attributes for Splunk

Syslog Entry                Notes                                                                          Example
Time and Appliance Name                                                                                    Dec 30 10:58:10 Appliance1
app                         Protocol                                                                       Smtp
name                        A description of the event                                                     Anti virus engine detection
policy_name                 Name of in force policy (Note: smtp_master refers to the default policy)       My policy
dvc_host                    Host responsible for scanning in a blade environment                           Appliance1
event_id                    Event ID
reason_id                   Reason ID                                                                      145 Clean
                                                                                                           146 Replace
                                                                                                           624 PuP Detection
                                                                                                           625 Packer Detection
direction                   Whether inbound (0) or outbound (1) as defined by the administrator for the policy    0, 1
src_ip                      Originating client IP address of the host sending the email
src_host                    Originating client host name if available
dest_ip                     Destination client IP address of the host sending the email
dest_host                   Destination client host name if available
is_primary_action           Indicates if the action taken is the main action defined for the event. 1 indicates primary action    0, 1
scanner                     Which scanner detected the event                                               AV Anti Virus

Table 5-20 Extended Syslog attributes for Splunk (continued)

Syslog Entry                Notes                                                                          Example
action                      The action taken for the event                                                 ESERVICES:REPLACE  Replace with an alert
                                                                                                           WEBSHIELD:REFUSEORIGINAL  Refuse the email
                                                                                                           WEBSHIELD:ACCEPTANDDROP  Accept the email and then drop it
                                                                                                           ESERVICES:ALLOWTHRU  Allow the email through
                                                                                                           WEBSHIELD:DENYCONNECTION  Refuse the email and deny the connection for a period of time
status                      A descriptive message for the event                                            The content was categorized as uncleanable content
sender                      The sender of the email                                                        <a@somewhere.com>
recipient                   A list of recipient addresses                                                  <testuser@domain.com>, <anotheruser@domain.com>, <user@domain.com>
msgid                       A unique id assigned to each mail message
nrcpts                      Number of the recipients for the mail
relay                       Address of the next MTA the mail would be sent to if known
subject                     The subject of the email                                                       A subject line here
size                        Size of the message in bytes                                                   231
attachments                 The attachments of the email (optional)                                        file1.doc, file2.doc
number_attachments          The number of attachments of the email (optional)                              2
virus_name                  The name of the detected virus                                                 EICAR test file
file_name                   Filename in which the detection occurred                                       eicar_com.zip
spamscore                   The score this message achieved
spamthreshold               The threshold it exceeded
spamrules                   A list of the rules used to determine its status as spam
URL                         URL which caused the event to be generated
contentrule                 The rule that caused the event

Table 5-20 Extended Syslog attributes for Splunk (continued)

Syslog Entry                Notes                                                                          Example
content_terms               The terms that caused the content filter event
tz                          The timezone where the event is generated                                      UTC
tz_offset                   The timezone offset in use where the event is generated
dlpfile                     The registered document file name that matched the DLP trigger                 TestSpecTemplate.doc
dlprules                    The DLP category                                                               Finance
dlpclassification           The DLP category                                                               Finance
dlpfileuploaded             Upload time in UTC                                                             :13:47
dlpfiledigest               The digest of the registered document                                          6e70e63d3dadfc331b917696bda46c04ed2c8de
dlpfilesize                 The file size of the registered document in bytes
url_filter_categorization   For a URL detection, the category it was detected for                          Pornography

Table 5-20 Extended Syslog attributes for Splunk (continued)

Syslog Entry                Notes                                                                          Example
encryption_type             The encryption type of the email, shown as a number:                           8
                              PGP 2
                              SMIME 4
                              Push delivery 8
                              Pull delivery 16
                              Both push and pull delivery 32
orig_subject                The original subject of the email                                              Meeting report
orig_sender                 The original sender of the email                                               exampleuser@example.com

Table 5-21 Glossary

event_id    Name                                 Scanner
            Anti virus engine detection          AV (Anti Virus)
            Anti spam classification             AS (Anti Spam)
            Anti spam classification             AP (Anti Phish)
            File format detection                FF (Format Blocking)
            MIME format detection                MF (Mime Format)
            URL request denied                   UF (URL Filtering)
            Compliance detection                 PX (Compliance)
            Data Loss Prevention detection       DL (Data Loss Prevention)

Table 5-21 Glossary (continued)

event_id    Name                                            Scanner
            Mail Size detection                             MS (Mail Size)
            URL has been blocked due to categorization      SA (Site Advisor)

reason_id   Text
77          Delivered
83          Deferred
142         Access to the requested URL is not permitted
145         clean
146         replace
161         Content categorized as spam
206         Content was categorized as non spam
305         blocked with SMTP Code accepted and dropped
420         blocked with SMTP Code 550. Connection closed
611         URL categorized by URL filter
623         Phish Detection
624         PuP
625         Packer
689         DLP
728         Compliance
737         The undeliverable email has been bounced

Extended Syslog attributes for Common Event Format

Using the extended Syslog functions within the appliance, you can use external, third party software to generate Syslog reports.

Table 5-22 Events for Common Event Format

Event ID    Event Description
            Logging of the email status during processing
            Logging of the email status during processing
            Logging of the email status during McAfee Quarantine Manager processing
            Anti Virus Engine Detection
            Content rule detection
            Anti spam classification
            File format detection
            Mail Filtering detection
            Compliance detection
            Data Loss Prevention detection
            Mail Size detection
            Regular expression scanning failure
            Image Filtering detection
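The following Python parser, added here as an example rather than anything shipped with the appliance or this guide, consumes the Splunk-format extended syslog attributes from Table 5-20 and resolves the reason_id, scanner and encryption_type codes through the glossary in Table 5-21. The exact key=value wire layout (RFC 3164 style header, space separated pairs, double quotes around values containing spaces) and the sample lines are assumptions; the guide lists the attributes and their example values but not the layout.

```python
import re
from typing import Dict, List

# reason_id glossary, Table 5-21 (only the codes the guide lists)
REASON_TEXT = {
    77: "Delivered", 83: "Deferred",
    142: "Access to the requested URL is not permitted",
    145: "clean", 146: "replace",
    161: "Content categorized as spam",
    206: "Content was categorized as non spam",
    420: "blocked with SMTP Code 550. Connection closed",
    611: "URL categorized by URL filter",
    623: "Phish Detection", 624: "PuP", 625: "Packer",
    689: "DLP", 728: "Compliance",
    737: "The undeliverable email has been bounced",
}
# Scanner codes, Table 5-21
SCANNER_NAMES = {
    "AV": "Anti Virus", "AS": "Anti Spam", "AP": "Anti Phish",
    "FF": "Format Blocking", "MF": "Mime Format", "UF": "URL Filtering",
    "PX": "Compliance", "DL": "Data Loss Prevention", "MS": "Mail Size",
    "SA": "Site Advisor",
}
# encryption_type codes, Table 5-20. These are discrete codes, not a bit
# mask: "both push and pull" is 32, not 8 | 16, so decode with a lookup.
ENCRYPTION_TYPE = {2: "PGP", 4: "SMIME", 8: "Push delivery",
                   16: "Pull delivery", 32: "Both push and pull delivery"}

# Assumed wire layout (the guide lists the attributes, not the layout):
# "Mon DD hh:mm:ss <appliance>" then space separated key=value pairs,
# with values that contain spaces wrapped in double quotes.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S*)')
UDP_SYSLOG_LIMIT = 1024  # per packet byte limit stated under System Log Settings


def parse_line(line: str) -> Dict[str, str]:
    """Split one extended syslog line into its Table 5-20 attributes."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the assumed syslog header")
    fields = {"time": m.group("ts"), "appliance": m.group("host")}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        fields[key] = quoted.replace('\\"', '"') if raw.startswith('"') else raw
    return fields


def describe(fields: Dict[str, str]) -> Dict[str, object]:
    """Resolve the numeric codes and flags into their glossary meanings."""
    out: Dict[str, object] = {
        "appliance": fields["appliance"],
        "scanner": SCANNER_NAMES.get(fields.get("scanner", ""), "unknown"),
        "direction": {"0": "inbound", "1": "outbound"}.get(fields.get("direction", ""), "unknown"),
        "primary_action": fields.get("is_primary_action") == "1",
        "action": fields.get("action"),
    }
    if "reason_id" in fields:
        rid = int(fields["reason_id"])
        out["reason"] = REASON_TEXT.get(rid, f"unlisted reason_id {rid}")
    if "encryption_type" in fields:
        out["encryption"] = ENCRYPTION_TYPE.get(int(fields["encryption_type"]), "unknown")
    if "spamscore" in fields and "spamthreshold" in fields:
        out["over_threshold"] = float(fields["spamscore"]) >= float(fields["spamthreshold"])
    return out


def fits_udp(line: str) -> bool:
    """True if the encoded line fits one UDP syslog packet; otherwise use TCP."""
    return len(line.encode("utf-8")) <= UDP_SYSLOG_LIMIT


def count_by_scanner(lines: List[str]) -> Dict[str, int]:
    """Aggregate events per scanner code over a batch of lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        code = parse_line(line).get("scanner", "none")
        counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample lines built from the example values in Table 5-20.
SAMPLE_LINES = [
    'Dec 30 10:58:10 Appliance1 app=smtp name="Anti virus engine detection" '
    'policy_name=smtp_master reason_id=146 direction=0 scanner=AV '
    'action=ESERVICES:REPLACE status="The content was categorized as uncleanable content" '
    'sender=<a@somewhere.com> recipient="<testuser@domain.com>, <anotheruser@domain.com>" '
    'subject="A subject line here" size=231 virus_name="EICAR test file" '
    'file_name=eicar_com.zip is_primary_action=1',
    'Dec 30 10:59:02 Appliance1 app=smtp name="Anti spam classification" '
    'policy_name=smtp_master reason_id=161 direction=0 scanner=AS '
    'action=WEBSHIELD:ACCEPTANDDROP spamscore=8.5 spamthreshold=5 is_primary_action=1',
    'Dec 30 11:00:15 Appliance1 app=smtp reason_id=77 direction=1 '
    'encryption_type=8 sender=<a@somewhere.com> size=1024',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(describe(parse_line(sample)))
    print(count_by_scanner(SAMPLE_LINES))
```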

Device Event Mapping to Common Event Format Data Fields

Information contained within vendor specific event definitions is sent to the Common Event Format SmartConnector, then mapped to a data field for the third party software. The following table lists the mappings from Common Event Format data fields to the supported vendor specific event definitions.

Table 5-23 McAfee Email Gateway Appliance Connector Field Mappings

Third party Event Data Field    McAfee Specific Event
act                             The action taken for the event:
                                  ESERVICES:REPLACE  Replace with an alert
                                  WEBSHIELD:REFUSEORIGINAL  Refuse the email
                                  WEBSHIELD:ACCEPTANDDROP  Accept the email and then drop it
                                  ESERVICES:ALLOWTHRU  Allow the email through
                                  WEBSHIELD:DENYCONNECTION  Refuse the email and deny the connection for a period of time
app                             Protocol
msg                             A descriptive message for the event
dvc                             Host responsible for scanning
dst                             Destination IP address of the connection (if available)
dhost                           Destination hostname of the connection (if available)
src                             Originating IP address of the host making the connection
shost                           Originating hostname of the host making the connection
suser                           The sender of the email
duser                           A list of recipient addresses
devicedirection                 Whether inbound (0) or outbound (1) as defined by the administrator for the policy
sourceservicename               Name of active policy
filepath                        Filename in which the detection occurred
fileid                          A unique id assigned to each mail message
fsize                           Size of the message in bytes
rt                              Time of the event, in milliseconds since epoch
flexnumber1                     Reason ID for event. See 'msg' field for textual description
flexnumber1label                'reason id'
cs1                             The definition of this field depends on the value of the field 'cs5':
                                  If cs5 is 'AV' or 'PA' or 'PU': The name of the detected virus/packer/pup
                                  If cs5 is 'AS': The spam rules that triggered the event
                                  If cs5 is 'DL': The file that triggered the DLP rule
                                  If cs5 is 'FF': The file rule that triggered the event
                                  If cs5 is 'PX': The content rule that triggered the event
cs1label                        The definition of this field depends on the value of the field 'cs5':
                                  If cs5 is 'AV' or 'PA' or 'PU': 'virus names'
                                  If cs5 is 'AS': 'spam rules broken'
                                  If cs5 is 'DL': 'dlpfile'
                                  If cs5 is 'FF': 'content rules'
                                  If cs5 is 'PX': 'content rules'
cs2                             The definition of this field depends on the value of the field 'cs5':
                                  If cs5 is 'AV' or 'PA' or 'PU': The version of the Anti Virus engine
                                  If cs5 is 'AS': The spam score
                                  If cs5 is 'DL': The DLP categories that triggered
                                  If cs5 is 'PX': The terms that caused the content filter event

Table 5-23 McAfee Email Gateway Appliance Connector Field Mappings (continued)

Third party Event Data Field        McAfee Specific Event
cs2label                            The definition of this field depends on the value of the field 'cs5':
                                      If cs5 is 'AV' or 'PA' or 'PU': 'av engine version'
                                      If cs5 is 'AS': 'spam score'
                                      If cs5 is 'DL': 'dlp rules'
                                      If cs5 is 'PX': 'compliance terms'
cs3                                 The definition of this field depends on the value of the field 'cs5':
                                      If cs5 is 'AS': The threshold the message exceeded
cs3label                            The definition of this field depends on the value of the field 'cs5':
                                      If cs5 is 'AS': 'spam threshold score'
cs4                                 The attachments of the email (if available)
cs4label                            'email attachments'
cs5                                 For a detection event, the scanner which triggered the event:
                                      'AP' Anti Phish
                                      'AS' Anti Spam
                                      'AV' Anti Virus
                                      'DL' Data Loss Prevention
                                      'FF' File Filtering
                                      'MF' Mail Filtering
                                      'MS' Mail Size
                                      'PA' Packer
                                      'PU' Potentially Unwanted Program
                                      'PX' Compliance
                                      'IA' Image Filtering
cs5label                            'master scan type'
cs6                                 The subject of the email
cs6label                            'email subject'
cn1                                 Indicates if the action taken is the main action defined for the event. 1 indicates primary action
cn1label                            'is primary action'
cn2                                 The number of attachments in the email (if available)
cn2label                            'num attachments'
cn3                                 The number of recipients of the email
cn3label                            'num recipients'
Mcafee gatewayOriginalSubject       The original subject of the email
Mcafee gatewayOriginalSender        The original sender of the email
Mcafee gatewayOriginalMessageId     The original message ID number, such as 5f84_00f8_48fd8314_29f1_472b_9c9f_1adff
Mcafee gateway EncryptionType       The encryption type of the email, shown as a number:
                                      PGP 2
                                      SMIME 4
                                      Push delivery 8
                                      Pull delivery 16
                                      Both push and pull delivery 32

Logging Configuration

Use this page to specify which events are recorded in the appliance's logs.

System | Logging, Alerting and SNMP | Logging Configuration

Although the appliance can record many types of events in the logs, normally only the most serious events are needed.
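Returning to the Common Event Format mapping in Table 5-23 above: the custom string fields cs1, cs2 and cs3 change meaning with the scanner code in cs5, so a consumer should resolve them by label and check the label against what the table specifies. The Python below is an added example, not code from the guide or the SmartConnector; the CEF header strings, the signature id placeholder (the event IDs are not listed on this page) and the sample message are all constructed.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# cs5 scanner codes, Table 5-23
SCANNER_CODES = {
    "AP": "Anti Phish", "AS": "Anti Spam", "AV": "Anti Virus",
    "DL": "Data Loss Prevention", "FF": "File Filtering", "MF": "Mail Filtering",
    "MS": "Mail Size", "PA": "Packer", "PU": "Potentially Unwanted Program",
    "PX": "Compliance", "IA": "Image Filtering",
}
# Labels that Table 5-23 says cs1/cs2/cs3 carry for each cs5 value
_AV_LABELS = {"cs1": "virus names", "cs2": "av engine version"}
EXPECTED_LABELS = {
    "AV": _AV_LABELS, "PA": _AV_LABELS, "PU": _AV_LABELS,
    "AS": {"cs1": "spam rules broken", "cs2": "spam score", "cs3": "spam threshold score"},
    "DL": {"cs1": "dlpfile", "cs2": "dlp rules"},
    "FF": {"cs1": "content rules"},
    "PX": {"cs1": "content rules", "cs2": "compliance terms"},
}
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    # CEF escapes "\", "=" (extension) and "|" (header) with a backslash
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension) for one CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe separated fields")
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    header = {n: _unescape(p) for n, p in zip(names, parts[:7])}
    ext_text = parts[7]
    # Extension keys are unescaped "key=" tokens at the start or after
    # whitespace; a value runs up to the next such key.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext_text))
    ext: Dict[str, str] = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[k.group(1)] = _unescape(ext_text[k.end():end])
    return header, ext


def resolve_custom_fields(ext: Dict[str, str]) -> Tuple[Dict[str, object], List[str]]:
    """Map csN/cnN values to the names Table 5-23 gives them for this cs5 scanner.

    Returns (resolved, problems); a problem is recorded when a csNlabel in the
    message disagrees with what the guide says that scanner emits."""
    scanner = ext.get("cs5", "")
    resolved: Dict[str, object] = {"scanner": SCANNER_CODES.get(scanner, f"unknown ({scanner})")}
    problems: List[str] = []
    for key in ("cs1", "cs2", "cs3", "cs4", "cs6", "cn1", "cn2", "cn3"):
        if key not in ext:
            continue
        label = ext.get(key + "label", key)
        expected = EXPECTED_LABELS.get(scanner, {}).get(key)
        if expected and label != expected:
            problems.append(f"{key}label is '{label}', expected '{expected}' for cs5={scanner}")
        resolved[label] = int(ext[key]) if key.startswith("cn") else ext[key]
    if "rt" in ext:  # milliseconds since epoch per Table 5-23
        resolved["time"] = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    if "devicedirection" in ext:
        resolved["direction"] = "outbound" if ext["devicedirection"] == "1" else "inbound"
    return resolved, problems


# Constructed sample: header strings, EVENT_ID and the rule names are placeholders.
SAMPLE_CEF = (
    "CEF:0|McAfee|Email Gateway|7.5.0|EVENT_ID|Anti spam classification|5|"
    "act=WEBSHIELD:ACCEPTANDDROP app=SMTP suser=a@somewhere.com "
    "duser=testuser@domain.com devicedirection=0 sourceservicename=smtp_master "
    "fsize=231 rt=1388401090000 msg=Content categorized as spam "
    "cs5=AS cs5label=master scan type cs1=RULE_ONE,RULE_TWO cs1label=spam rules broken "
    "cs2=8.5 cs2label=spam score cs3=5 cs3label=spam threshold score "
    "cs6=Meeting report cs6label=email subject cn1=1 cn1label=is primary action "
    "cn3=1 cn3label=num recipients"
)

if __name__ == "__main__":
    hdr, extension = parse_cef(SAMPLE_CEF)
    print(hdr["name"], resolve_custom_fields(extension))
```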

Benefits of the Logging Configuration features

Use the logging configuration features to configure and to adjust the kinds of events logged. You can set logging configuration for both SMTP and POP3 settings.

Option definitions - Logging Configuration

This information describes the options available from the linked pages.

Table 5-24 SMTP Settings

Protocol events         Provides a list of types of protocol events. High severity events include a suspected denial of service attack.
Communication events    Provides a list of types of communication events. High severity events include failure of a scanner.
Detection events        Provides a choice of events, such as virus detections.
Advanced                When clicked, opens another window where you can examine the settings for each event and choose which events to log or ignore. The information includes:
                          Enabled    Whether the event is being recorded in the log now.
                          ID    The event number, such as 50012, which is recorded in the log with the time and date of the event.
                          Level    A symbol that indicates the severity of the event: High Severity (we recommend that this event is recorded in the log), Medium Severity, Low Severity.
                          High Volume    A symbol that indicates how often this event occurs: the event can generate a high volume of log records.
                          Description    A description of the event, such as Quarantine.

Table 5-25 POP3 Settings

Protocol events         Provides a list of types of protocol events. High severity events include a suspected denial of service attack.
Communication events    Provides a list of types of communication events. High severity events include failure of a scanner.

Table 5-25 POP3 Settings (continued)

Detection events        Provides a choice of events, such as virus detections.
Advanced                When clicked, opens another window where you can examine the settings for each event and choose which events to log or ignore. The information includes:
                          Enabled    Whether the event is being recorded in the log now.
                          ID    The event number, such as 50012, which is recorded in the log with the time and date of the event.
                          Level    A symbol that indicates the severity of the event: High Severity (we recommend that this event is recorded in the log), Medium Severity, Low Severity.
                          High Volume    A symbol that indicates how often this event occurs: the event can generate a high volume of log records.
                          Description    A description of the event, such as Quarantine.

Table 5-26 Non proxy Settings

System events           Provides a list of types of system events. High severity events include a suspected denial of service attack.
User interface events   Provides a list of types of user interface events. High severity events include failure of a scanner.
Advanced                When clicked, opens another window where you can examine the settings for each event and choose which events to log or ignore. The information includes:
                          Enabled    Whether the event is being recorded in the log now.
                          ID    The event number, such as 50012, which is recorded in the log with the time and date of the event.
                          Level    A symbol that indicates the severity of the event: High Severity (we recommend that this event is recorded in the log), Medium Severity, Low Severity.
                          High Volume    A symbol that indicates how often this event occurs: the event can generate a high volume of log records.
                          Description    A description of the event, such as Quarantine.

Logging Configuration Override events dialog boxes

Use these dialog boxes to edit protocol and communications events for the SMTP and POP3 protocols, and system and user interface events for the non proxy settings.

Enabled             Shows whether the event is logged
ID                  The ID associated with the event

Level               Displays the level of severity of the event
High Volume         Displays a warning icon if the event is likely to produce a high volume of alerts
Description         A more detailed description of the event
Restore defaults    Revert the list of events and their status to the original

Configure System Log Archive wizard

Use this wizard to configure the server to which you want to send the system log archive, set up a regular update schedule, and test the configuration you created.

Option definitions - Default remote backup settings

This information describes each option in this section.

Transfer to FTP Server    Selected by default:
  Server
  Port
  Directory
  Username (default value is anonymous)
  Password (default value is anonymous)
  Proxy server
  Proxy port
  Proxy username
  Proxy password

Transfer via SSH    Click to specify the settings to transfer the backup using SSH:
  Server
  Port
  Directory
  Username (default value is anonymous)
  Password Authentication/Password (default value is anonymous)
  Public Key Authentication/Public key (links to the public key)

If you use either FTP or SSH with password authentication, your passwords are stored in the appliance configuration files, in plain text format. The most secure option is to use SSH with public key authentication. To use this feature, you must click the link to generate a key file, which you must then copy and paste into your authorized keys file so that the appliance can perform the backup.

Option definitions - Configure Updates (Time)

Use this page to schedule automatic configuration backups, and set up scheduled updates to the detection definition (DAT) files, anti spam, and package updates.

System | Component Management | Update Status
System | System Administration | Configuration Management
System | Logging, Alerting and SNMP | System Log Settings

Introduction to Scheduled update settings

You can schedule updates for the following components:

  Automatic configuration backups
  Spam rules and anti spam engine
  System Log
  Appliance software updates (HotFixes and patches)
  Anti virus engine and database

McAfee recommends that you update all scanning components on a new appliance using the Update Now feature, then use the Schedule feature for each component to create regular updates at a time when traffic is low, such as during the night.

Hourly to Weekly    Specifies the schedule. If you do not need this feature, select Never.
Next / Finish       Moves to the next page of the wizard, or closes it and applies the settings.

Option definitions - Test Configuration

This information describes the options available on this page of the wizard.

Test    Checks that the backup configuration works, and provides the desired information.

Component Management

The Component Management pages enable you to view the status of your updates, to specify Package Installer and ePolicy Orchestrator options, and to enable additional anti virus engines.

System | Component Management

Through the Component Management pages, you can schedule and perform anti virus and anti spam detection file updates, as well as updates to software packages through hotfixes and patches. Additionally, you can set up how packages are updated, or use ePolicy Orchestrator. You can also configure your McAfee Email Gateway to use additional anti virus engines when scanning your email traffic.

Contents
  Update Status
  Package Installer
  ePO
  Anti-virus engines
  Configure Anti-Virus Updates wizard
  Configure Anti-Spam Updates wizard
  Configure Automatic Package Updates
  Edit Preferences (Warning Thresholds)

Update Status

Use this page to check that each scanning component is using the most up-to-date threat detection data to maintain your appliance security.

System | Component Management | Update Status

From the Update Status page, you can manage updates for the following scanning components:
Anti-virus engine and database
Spam rules and anti-spam engine
Appliance software updates (HotFixes and patches)
Extra DAT emergency update file

Default anti-virus engine and database update settings

By default, the appliance is set to update the anti-virus engine and database every day at 03:00 hours, first using HTTP to download the update file, then using FTP if the HTTP update failed.

Benefits of using Update Status

This information describes the benefits of using the Update Status features.

You can choose to update scanning components immediately, and create schedules to regularly update the components when the server traffic is low. Additionally, you can have the appliance import anti-virus engine and database files from the update server, and export them onto other appliances that do not have Internet access.

If you are using the Commtouch Command anti-virus engine, updates for that engine are downloaded and applied at the same time as those for the McAfee anti-virus engine.

McAfee recommends that you update all scanning components on a new appliance using the Update Now options, then use the scheduling options for each component to create regular updates at a time when traffic is low, such as during the night.

To update appliance software such as HotFixes and patches, go to System | Component Management | Package Installer.

McAfee Email Gateway no longer supports the v1 detection definition (DAT) files. The appliances now use the McAfee Agent to handle the updating of the v2 DAT files and scanning engine files, even without an ePolicy Orchestrator server configured on your network. When not using an ePolicy Orchestrator server, you can configure your appliance to use FTP or HTTP to download the v2 DAT files and scanning engine files. These DAT file and scanning engine updates can also be obtained by ePolicy Orchestrator and pulled from the ePolicy Orchestrator repository using the McAfee Agent. You can also manually download the files and install them onto your appliance.

You cannot use the Update Status pages to update the Hardware Acceleration PDB files used by older hardware fitted with Hardware Acceleration cards.

Option definitions: Update Status

This information describes the options available on this page.

Table 5-27 Version information and updates

Edit warning thresholds: When clicked, opens a dialog box where you can specify the warning thresholds for various component updates. When applied, these thresholds are used in the Dashboard and within Version information and updates to bring any missing or failed updates to your attention.
Component name: Displays the component name, preceded by an icon that indicates whether the component is up to date: Up to date; Out of date, we recommend that you update soon; Out of date, we recommend that you update immediately.
Version: Displays the component version.
Update Status: Displays information about the status of each installed component.
Last Updated: Displays the date and time that each installed component was last updated.
Scheduled: Displays the schedule, such as Every day at 03:00. To change the location from which the appliance collects the component, and the schedule, click the link, which opens a wizard.
Action (Update Now): When clicked, updates a component immediately rather than waiting for the scheduled update.
Action (Configure): Opens the Configure Anti-Spam Updates dialog box, where you can specify a proxy server from which the appliance downloads the update, or accept any default server settings that you have already entered.
Import: Click Import to install the Engine and Database files previously exported from this, or another, appliance.
Export: Click Export to create a zip file containing the Engine and Database files currently installed on the appliance. You can include the anti-virus engine, anti-virus database, spam engine and spam rules within the exported file.

When you import the updates zip file, all updates that are contained within it are imported to your appliance. If you do not want a particular update to be applied, McAfee recommends that you do not include that update when you export the update file.

Table 5-28 Automatic package updates

Update scheduled: When clicked, the link opens a wizard where you can specify the type, source and schedule for installing packages, such as hotfixes and service packs.
Update now: Installs packages immediately. You can select options about how the package update is handled. When first configuring your appliance, using Update now confirms that the user settings are configured correctly and working. Alternatively, you can browse to Troubleshoot | Tests and run the System Tests to confirm these settings.

Table 5-29 Anti-virus Extra DAT

Install Extra DAT: Opens a file browser to install any Extra DAT files.
Remove Extra DAT: If you have existing Extra DAT files installed, allows you to remove them once the additional protection has been added to the standard DATs.

Table 5-30 Anti-virus DAT roll back

Roll back to previous installed version: When specifically instructed to do so by McAfee Technical Support, click to roll back to the previously installed version of the Anti-virus DAT file. The currently installed version of the Anti-virus DAT file will be removed from your McAfee Email Gateway. The proxies will also be restarted.

Option definitions: Configure Anti-Spam Updates dialog box

This information describes the options available in this dialog box.

Use the default proxy settings: Uses the FTP proxy settings set up on the Default Server Settings page (System | Appliance Management | Default Server Settings).
configure defaults: Opens the Default Server Settings page, where you can edit the default FTP proxy settings.
Proxy Server to Proxy Password: Displays the settings of the FTP proxy server.

Task: Update the anti-virus engine and database daily at 04:00 over HTTP using a proxy server

Use this task to update the anti-virus engine using detailed settings.

1 Go to System | Component Management | Update Status.
2 Click the link in the Scheduled column for the Anti-virus engine component.
3 On the Specify the server settings for downloading the update via HTTP page, keep the default settings, and click Next. The update will use the proxy server that you set up in System | Appliance Management | Default Server Settings.
4 In Select how the McAfee FTP update site should be used, select Not Used, and click Next.
5 In Time to schedule update for, select the Daily option, set the time to 0400, and click Finish.

Task: Disable updates for the additional anti-virus engine

Updates for the Commtouch Command anti-virus engine occur simultaneously with the updates for the McAfee anti-virus engine. You can choose to disable updates for the additional anti-virus engine.

1 Navigate to System | Component Management | Update Status.
2 In the Scheduled column under Version information and updates, click the scheduled update link on the row for the McAfee anti-virus engine. A series of Configure Anti-Virus Updates pages opens.
3 Click Next on the first and second pages that appear, to get to the third page, labeled Time to schedule update for.
4 Clear the Enable updates for Commtouch Command anti-virus check box, then click Finish.

Updates for the Commtouch Command anti-virus engine are now disabled.

Task: Update the spam engine daily at 05:00

Use this task to update the anti-spam engine files every day at a regular time.

1 Go to System | Component Management | Update Status.
2 Click the link in the Scheduled column for the Spam engine component.
3 Click Next to have the update use the default FTP update server settings.
4 In Time to schedule update for, select the Daily option, set the time to 0500, and click Finish.

Task: Roll back to the previous installed Anti-virus DAT file

Remove the currently installed Anti-virus DAT file, and use the previously installed version. If instructed by McAfee Technical Support, use this task to roll back to the previously installed version of the Anti-virus DAT file, and remove the existing file from your McAfee Email Gateway.

1 Go to System | Component Management | Update Status.
2 Click Roll back to previous installed version, in Anti-virus DAT roll back.
3 Click OK to roll back to the previously installed version of the Anti-virus DAT file.

Package Installer

Use this page to examine and install new software packages.

System | Component Management | Package Installer

McAfee recommends that you update the software packages manually on a new appliance using the Update From File option, then go to the System | Component Management | Update Status scheduling options in Automatic package updates to create regular updates at a time when traffic is low, such as during the night.

Benefits of the Package Installer

This information describes the benefits of the Package Installer.

From the Package Installer page, you can view information about installed appliance software packages such as patches and Hotfixes, and update them immediately to ensure that your appliance remains as up to date as possible.

Option definitions: Package Installer

This information describes the options available on this page.

Update From file: When clicked, opens another window where you can select a file from a local source to upload to the appliance.
Package Type: Displays the type of package, such as a Service Pack or Hotfix.
Name: Displays a name that uniquely identifies the package.
Severity: Displays information such as whether we recommend that you install the package, or allow you to decide.
Status: Displays information such as whether the package has been downloaded or installed.
Required Actions: Displays information such as whether the appliance needs to be restarted when the package is installed.
Notes: Describes any dependencies or requirements, for example, whether the patch supersedes a previous installation. Click any Details link for more information, such as the resolved issues and KnowledgeBase information.
Install: When clicked, makes the selected patch ready to install. The patch is installed when you click Apply.
Download: When clicked, makes the selected patch ready to download. The patch is downloaded when you click Apply.
Export: When clicked, exports the downloaded file to another location so that another appliance can use it via Manual Package Install.
Refresh: When clicked, sends a request to the FTP server for any changes.
Apply: When clicked, installs or downloads the patches that you specified.

ePO

Use this page to manually set up the appliance to be managed by ePolicy Orchestrator.

System | Component Management | ePO

The information and settings on this page provide similar features to those found in the ePO Managed Setup pages of the Setup Wizard.

Benefits of using ePolicy Orchestrator

This information describes the benefits of using ePolicy Orchestrator to manage your appliances.

McAfee ePolicy Orchestrator enables you to unify your security management, making risk and compliance management simpler and more successful for organizations of all sizes. Using McAfee ePolicy Orchestrator enables you to manage multiple McAfee Email Gateway appliances from a single location, sharing policies across each appliance.

Option definitions: ePO

Understand the options available when configuring your appliance to function with ePolicy Orchestrator.

ePO Server Configuration

Export Appliance Configuration: Use this to create an .xml file containing your McAfee Email Gateway configuration, which you can then load directly into the Policy Catalog within ePolicy Orchestrator.
Migrate ePO Configuration: Use this to select the configuration file from your ePO server, to import your ePO settings into McAfee Email Gateway.

Settings for ePO Management

Import ePO connection settings: Click to browse to the ePolicy Orchestrator connection settings file, to import the ePolicy Orchestrator connection information into the appliance.
Enable ePO management: Select to allow reporting and monitoring of your Email Gateway events to be sent to your ePolicy Orchestrator server. You can then compile statistics from all your ePolicy Orchestrator managed Email Gateway appliances. You can enable the reporting and monitoring of your Email Gateway appliance from your ePolicy Orchestrator v4.5 (or higher) software.
Allow configuration to be applied from ePO: When Enable ePO management is selected, you can use your ePolicy Orchestrator server to create, edit and manage all policies, and to have them pushed to all your ePO managed Email Gateway appliances. To create, edit and manage policies for your Email Gateway appliance, you must use ePolicy Orchestrator v4.5 (or higher) software.

Task: Configuring the appliance to work with ePolicy Orchestrator

Set up the appliance to be managed by ePolicy Orchestrator.

1 From your McAfee Email Gateway appliance, select Resources and then click ePO Extensions and ePO Help Extensions to download the extension files.
2 On the ePO server, install the extensions using Menu | Software | Extensions | Install Extensions.
3 On the ePO server, save the connection settings from Menu | Gateway Protection and Web Gateway | Actions | Export Connection Settings.
4 Choose one of the following options: on the McAfee Email Gateway appliance, return to the Settings for ePO Management page in the appliance Setup Wizard, and click Import ePO connection settings; or go to the System | Component Management | ePO page, and click Import ePO connection settings.
5 Browse to the ePO connection settings file and click OK to upload it.

6 Choose one of the following options: from the Setup Wizard, click Next to continue to the Basic Settings page and complete the setup; or from System | Component Management | ePO, select Enable ePO management and Allow configuration to be applied from ePO, and apply the changes to the appliance.

When a policy is sent from ePolicy Orchestrator and is then enforced on your McAfee Email Gateway, events are sent back from your McAfee Email Gateway to ePolicy Orchestrator giving indications of the success or failure of that enforcement, and of any warnings that may have been generated. You can view these events from within ePolicy Orchestrator by browsing to Menu | Reporting | Threat Event Log.

When you have configured your appliance to be managed by ePolicy Orchestrator, you will be reminded each time that you make a configuration change using the appliance's user interface that the appliance is under ePolicy Orchestrator management, and that your changes will be overwritten the next time that ePolicy Orchestrator updates the configuration.

Task: Upgrade from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator

Use this task to upgrade to McAfee Email Gateway from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator (McAfee ePO).

Before you begin

Your McAfee Email Gateway 7.0 appliance must have been upgraded to McAfee Email Gateway and configured and running correctly. This upgrade process automatically disconnects the appliance from being managed by McAfee ePO.

The inbuilt McAfee Email Gateway migration tools migrate many of your McAfee Email Gateway 7.0 settings for you. However, some settings will need to be recreated.

1 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.0 product.
2 Click Export to export the product policies.
3 Right-click the Policies_for_McAfee_ _Gateway_7.0.xml link, and save the file.
4 Go to your McAfee Email Gateway appliance.
5 Go to System | Component Management | ePO.
6 Select Migrate ePO Configuration.
7 Import the Policies_for_McAfee_ _Gateway_7.0.xml file you just created. The import process can take a few minutes to complete.
8 Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.
9 From the McAfee Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions files.
10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway product.

12 Click Import, and import the epo_config_<date_stamp>.xml you saved in step 8. The policies and settings within the configuration file are migrated across to your McAfee ePO server. After you have imported the settings into McAfee Email Gateway managed by McAfee ePO, you need to reassign the migrated policies to the correct groups in the System Tree in McAfee ePO.
13 On McAfee ePO, navigate to Menu | Gateway Protection and Web Gateway.
14 From Actions, select Export Connection Settings. Save the epoconfig<xxxxxxx>.zip file.
15 On your McAfee Email Gateway 7.5.0, navigate to System | Component Management | ePO and click Import ePO connection settings. Browse to the epoconfig<xxxxxxx>.zip file, and click OK. Your McAfee ePO configuration settings are imported into your McAfee Email Gateway appliance.
16 Select both Enable ePO management and Allow configuration to be applied from ePO.
17 Apply the changes within your McAfee Email Gateway.

Your upgraded appliance is again under McAfee ePO control.

If you had documents registered for Data Loss Prevention in your McAfee Email Gateway 7.0 appliance, the document fingerprints for these are copied to your McAfee Email Gateway McAfee ePO installation. If you chose to create a scheduled task to push your McAfee Email Gateway 7.0 DLP database to your appliance, you will need to create an equivalent scheduled task to push your McAfee Email Gateway DLP database to your appliance.

Anti-virus engines

Configure your McAfee Email Gateway to additionally use the Commtouch Command anti-virus engine.

System | Component Management | Anti-Virus Engines

The information and settings on this page provide options for enabling the additional Commtouch Command anti-virus engine within McAfee Email Gateway. When enabled, the Commtouch Command anti-virus engine works in series with the McAfee anti-virus engine, rather than in place of it.

Benefits of using the additional anti-virus engine

Configuring McAfee Email Gateway to use an additional anti-virus engine enables you to provide a further layer of protection to your traffic.

Many security vendors provide anti-virus engines and signature files to detect a wide range of viruses and other malware. These anti-virus engines use different methods to identify and detect the unwanted files. Because of these different methods, each vendor's anti-virus engine has different strengths and weaknesses when detecting unwanted content. To provide a stronger and wider level of protection for your users, McAfee Email Gateway enables you to enable and configure an additional anti-virus engine.

This additional anti-virus engine is produced by Commtouch Command. Although enabling an additional anti-virus engine can provide stronger protection, it will also use more resources within the McAfee Email Gateway, and might impact overall performance and mail throughput.

Configure Anti-Virus Updates wizard

Use this wizard to specify how and when you want to update the detection definition (DAT) files.

Benefits of the Configure Anti-Virus Updates wizard

This information describes the benefits of updating anti-virus protection using the Anti-Virus Updates wizard.

Using the wizard to update your anti-virus database and anti-virus engine ensures updates are applied correctly and completely.

Option definitions: Configure Updates (HTTP)

Use this page to specify anti-virus engine and anti-virus database update settings over HTTP.

System | Component Management | Update Status

Introduction to the HTTP update settings

You can choose to have the HTTP update server as the primary or secondary update site, or switch off HTTP as an update method altogether. If the HTTP update method fails, you can continue to the next page of the wizard, and set up an FTP update site.

Table 5-31 Option definitions

How HTTP update site should be used: Default value is Primary Site. If the appliance receives its updates from an ePO server, the value is Not Used.
Server: Default value is update.nai.com.
Port: Default value is 80.
Directory: For anti-virus updates, the default value is /virusdef/4.x. For anti-spam updates, the default value is spamdefs/1.x. Products/CommonUpdater
Username: Default value is anonymous.
Password: Default value is anonymous.
Use the default proxy settings (configure defaults): The appliance uses information that you type here or the default settings from another page. To access that page at any other time, select System | Appliance Management | Default Server Settings on the navigation bar.
Proxy server to Proxy Password: If the appliance obtains updates via a proxy server, type the details here.

Option definitions: Configure Updates (FTP)

Use this page to specify anti-virus engine, anti-spam, and package update settings over FTP.

System | Component Management | Update Status

Introduction to the FTP update settings

You can choose to perform an anti-virus update using an FTP server if an HTTP update fails, or switch off FTP as an update method altogether.

Table 5-32 Option definitions

How FTP update site should be used: Default value is Secondary Site. If the appliance receives its updates from an ePO server, the value is Not Used.
Server: Default value is ftp.nai.com.
Port: Default value is 21.
Directory: For anti-virus updates, the default value is /virusdef/4.x.
Username: Default value is anonymous.
Password: Default value is anonymous.
Use the default proxy settings (configure defaults): The appliance uses information that you type here or the default settings from another page. To access the page at any other time, select System | Appliance Management | Default Server Settings on the navigation bar.
Proxy server to Proxy Password: If the appliance obtains updates via a proxy server, type the details here.

Option definitions: Configure Updates (Time)

Use this page to schedule automatic configuration backups, and set up scheduled updates to the detection definition (DAT) files, anti-spam, and package updates. The page is reached from System | Component Management | Update Status, System | System Administration | Configuration Management, and System | Logging, Alerting and SNMP | System Log Settings. Its components (Automatic configuration backups, Spam rules and anti-spam engine, System Log, Appliance software updates (HotFixes and patches), Anti-virus engine and database), the Hourly to Weekly schedule option (select Never if you do not need the feature) and the Next / Finish button are the same as described under Configure Updates (Time) for the Configure System Log Archive wizard, together with McAfee's recommendation to update all scanning components on a new appliance with Update Now and then schedule regular updates for a low-traffic time, such as during the night.

Configure Anti-Spam Updates wizard

Use this page to specify anti-spam rules and anti-spam engine update settings.

Benefits of the Configure Anti-Spam Updates wizard

This information describes the benefits of updating anti-spam protection using the Anti-Spam Updates wizard.

Using the wizard to update your anti-spam rules and spam engine ensures updates are applied correctly and completely.

Option definitions: Configure Updates (FTP)

Use this page to specify anti-virus engine, anti-spam, and package update settings over FTP. It is reached from System | Component Management | Update Status. You can choose to perform an anti-virus update using an FTP server if an HTTP update fails, or switch off FTP as an update method altogether. Table 5-33 lists the same options and default values as Table 5-32 (How FTP update site should be used: Secondary Site, or Not Used when updates come from an ePO server; Server: ftp.nai.com; Port: 21; Directory: /virusdef/4.x for anti-virus updates; Username and Password: anonymous; the default proxy settings from System | Appliance Management | Default Server Settings, or proxy details typed here).

Option definitions: Configure Updates (Time)

Use this page to schedule automatic configuration backups, and set up scheduled updates to the detection definition (DAT) files, anti-spam, and package updates. The page, its components, the Hourly to Weekly schedule option and the Next / Finish button are the same as described under Configure Updates (Time) for the Configure System Log Archive wizard.

Configure Automatic Package Updates

Use this wizard to configure update settings for the appliance software package updates.

Benefits of the Configure Automatic Package Updates wizard

This information describes the benefits of the Configure Automatic Package Updates wizard.

You can tell the appliance how you want to retrieve the package, the type of package that you want to apply, and what you want the appliance to do when it has downloaded the update.

Option definitions: Configure Updates (FTP)

Use this page to specify anti-virus engine, anti-spam, and package update settings over FTP. It is reached from System | Component Management | Update Status. You can choose to perform an anti-virus update using an FTP server if an HTTP update fails, or switch off FTP as an update method altogether. Table 5-34 lists the same options and default values as Table 5-32 (How FTP update site should be used: Secondary Site, or Not Used when updates come from an ePO server; Server: ftp.nai.com; Port: 21; Directory: /virusdef/4.x for anti-virus updates; Username and Password: anonymous; the default proxy settings from System | Appliance Management | Default Server Settings, or proxy details typed here).

Option definitions: Configure Automatic Package Updates (Update action)

This information describes the options available on this page.

Update action: Specifies the action that the appliance will take on receiving the new software. Choose from Update database, Download, or Download and install. You can also select Allow automatic reboot and Allow automatic services restart.
Feature packs to Hotfixes: Specifies the type of new software to download.

Option definitions: Configure Updates (Time)

Use this page to schedule automatic configuration backups, and set up scheduled updates to the detection definition (DAT) files, anti-spam, and package updates. The page, its components, the Hourly to Weekly schedule option and the Next / Finish button are the same as described under Configure Updates (Time) for the Configure System Log Archive wizard.

Edit Preferences (Warning Thresholds)

Edit the time before you are warned or alerted about update files being out of date.

Table 5-35 Option definitions

Parameter: You can configure the warning thresholds for the following updates: McAfee anti-virus engine; McAfee anti-virus database; Spam; Spam engine. If you have installed the additional Commtouch Command anti-virus engine, the following rows will appear: Commtouch Command anti-virus engine; Commtouch Command anti-virus database.
Warn After: Specify the time between the last update and when an amber warning is shown within the Dashboard.
Alert After: Specify the time between the last update and when a red "critical level" alert is shown within the Dashboard.

Setup Wizard

The Setup Wizard is available from the user interface to allow you to edit settings that you made in the configuration console when you first installed the appliance.

System | Setup Wizard

Introducing the Setup Wizard options

The following describe pages that you might see when you complete the Setup Wizard. The options differ depending on the setup option that you select.

Welcome

This is the first page of the Setup Wizard. Use this page to select the type of installation you want to perform.

Standard Setup (default): Use this option to set up your device in transparent bridge mode, and configure it to protect your network. The SMTP protocol is enabled by default. You can choose to enable scanning of POP3 traffic. Choosing Standard Setup forces the device to run in transparent bridge mode.

Custom Setup: Use this option to select the operating mode for your device. You can choose to protect mail traffic using SMTP and POP3 protocols. Use this option if you need to configure IPv6 or make other changes to the default configuration.

Restore from a file (not available from the Configuration Console): Use this to set up your device based on a previously saved configuration. Following the import of the file, you will be able to check the imported settings before finishing the wizard. If the file came from an earlier McAfee Email and Web Security Appliance, some details are not available.

ePolicy Orchestrator Managed Setup: Use this to set up your device so that it can be managed by your ePolicy Orchestrator (McAfee ePO) server. Only minimal information is needed, as the device will get most of its configuration information from your ePolicy Orchestrator server.

Encryption Only Setup: Use this option to set up your appliance as a standalone encryption server.

The appliance operates in one of the following modes: transparent bridge, transparent router, or explicit proxy. The mode affects how you integrate the appliance into your network and how the appliance handles traffic. You will need to change the mode only if you restructure your network.

Explicit Proxy mode

Use this page to specify the type of installation.

In Explicit Proxy mode, some network devices send traffic to the appliance. The appliance then works as a proxy, processing traffic on behalf of the devices. Explicit Proxy mode is best suited to networks where the client devices connect to the appliance through a single upstream and downstream device. For example, you can configure your network to have your web cache logically connected on one side of the appliance and a firewall on the other side, with both physically connected through the LAN1 port. The advantage of this scenario is that you need to reconfigure only the web cache and firewall. You do not need to reconfigure the clients.

Transparent Router mode

Use this page to specify the type of installation.

In Transparent Router mode, other network devices, such as mail servers, are unaware that the appliance has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to the devices. Transparent Router mode is suitable for networks that have firewall rules, because the firewall still sees the IP addresses of the clients and can therefore apply the Internet access rules to client traffic.

Transparent Bridge mode

This information describes the Transparent Bridge appliance operating mode.

In Transparent Bridge mode, other network devices, such as mail servers, are unaware that the appliance has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to the devices.

Transparent Bridge mode requires the least configuration. You do not need to reconfigure your clients or default gateway to send traffic to the appliance. You do not need to update a routing table.

Standard Setup

Use the Standard Setup wizard to set up your appliance in Transparent Bridge mode, and configure it to protect your network. The Standard Setup wizard consists of the following pages:

Contents
- Benefits of the Standard Setup wizard
- Configuration page (Standard Setup)
- Basic Settings page (Standard Setup)
- Summary page (Standard Setup)

Benefits of the Standard Setup wizard

This information describes the benefits of setting up an appliance using the Standard Setup wizard.

Standard Setup enables you to quickly set up your McAfee Email Gateway using the most common options. Use this option to set up your device in transparent bridge mode, and configure it to protect your network. The SMTP protocol is enabled by default. You can choose to enable scanning of POP3 traffic. Choosing Standard Setup forces the device to run in transparent bridge mode.

Configuration page (Standard Setup)

This information describes the options available on this page.

Enable protection against Potentially Unwanted Programs: Click to activate protection against Potentially Unwanted Programs. Read the advice from McAfee about the effects that activating this protection can have.

Enable URL Reputation checking: Click to activate Global Threat Intelligence scanning of URLs embedded in messages.

Use the McAfee SaaS Email Protection Service to process inbound email: Click to activate hybrid protection, with McAfee Email Protection (Hybrid) scanning your inbound email traffic. After enabling McAfee Email Protection (Hybrid), the configuration pages for this service are displayed automatically when you next log into the user interface.

Enable Graymail Protection: Click to activate graymail protection.

Enable McAfee Global Threat Intelligence feedback: Select this option to enable McAfee Global Threat Intelligence feedback. Click What is this? to read about how the feedback is used, and to view the McAfee Privacy Policy.

Local relay domain: Enter both the IP address and netmask for your local relay domain.

Basic Settings page (Standard Setup)

Use this page in the Standard Setup wizard to specify basic settings for the appliance in transparent bridge mode.

Device name: Specifies a name, such as appliance1.

Domain name: Specifies a name, such as domain1.com.

IP address: Specifies an address, such as . The fully qualified domain name (Device name.Domain name) must resolve to this IP address when the DNS server (specified here) is called. We recommend that this IP address resolves to the FQDN in a reverse lookup.

Subnet: Specifies a subnet address, such as .

Gateway Address: Specifies an address, such as . This is likely to be a router or a firewall. You can test later that the appliance can communicate with this device.

DNS Server IP: Specifies the address of a Domain Name Server that the appliance uses to convert website addresses to IP addresses. This can be an Active Directory or a Domain Name Service server. You can test later that the appliance can communicate with this server.

Mode: Specifies the mode: Transparent Bridge, Transparent Router, or Explicit Proxy.

User ID: The scmadmin user is the super administrator. You cannot change or disable this account, and the account cannot be deleted. However, you can add more login accounts after installation.

Current Password/New Password: The original default password is password. Specify the new password. Change the password as soon as possible to keep your appliance secure. You must type the new password twice to confirm it.

Appliance Time zone: Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. The zones are organized from west to east to cover mid-Pacific, America, Europe, Asia, Africa, India, Japan, and Australia.

Appliance Time (UTC): Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as .

Set Now: When clicked, applies the date and UTC time that you specified in this row.

Client Time: Displays the time according to the client computer from which your browser is currently connected to the appliance.

Synchronize appliance with client: When selected, the time in Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manually setting Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight saving adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.

NTP server address: To use Network Time Protocol (NTP), specify the server address. Alternatively, you can configure NTP later.

Summary page (Standard Setup)

Use this page in the Standard Setup wizard to review a summary of the settings that you have made for the network connections and scanning of the network traffic. To change any value, click its blue link to display the page where you originally typed the value.

After you click Finish, the setup wizard has completed, and the appliance is configured as a transparent bridge. Use the IP address shown here to access the interface, for example, . The address begins with https, not http. When you first log on to the interface, type the user name admin and the password that you gave on the Basic Settings page.

Table 5-36 Basic settings

Each setting in the summary is marked with one of the following states:
- The value is set according to best practice.
- The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing.
- No value has been set.
- The value has not been changed from the default. Check the value before continuing.

Custom Setup

Use the Custom Setup wizard to choose the operating mode when you set up your appliance. You can also make other choices, such as setting up IPv6 networking. The Custom Setup wizard consists of the following pages:

Contents
- Benefits of the Custom Setup wizard
- Important considerations for the Custom Setup wizard
- Basic Settings page (Custom Setup)
- Network Settings page
- Cluster Management page
- DNS and Routing page
- Configuration page (Custom Setup)
- Time Settings page
- Password page
- Summary page

Benefits of the Custom Setup wizard

This information describes the benefits of setting up an appliance using the Custom Setup wizard.

Use the Custom Setup wizard for greater control over the options that you can select, including the operating mode for your device. You can choose to protect mail traffic using the SMTP and POP3 protocols. Use this configuration option if you need to configure IPv6 or to make other changes to the default configuration.

Important considerations for the Custom Setup wizard

This information describes important considerations before you complete the Custom Setup wizard.

Cluster Management

When configuring a group of appliances or McAfee Content Security Blade Servers, the current master uses a "least used" algorithm to assign connections to the appliances or blades configured to scan traffic. The scanning appliance or blade that is currently showing the least number of connections, at that moment in time, is assigned the next connection.

For a cluster of appliances:
- If you have only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.
- If you have scanning appliances, and scanning is enabled on the master and failover, the scanning appliances receive the most traffic to scan, then the failover, with the master receiving the least.
- If you have more than three appliances in a cluster, McAfee recommends that you do not enable scanning on the master appliance.

You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to scan traffic.

McAfee recommends that when using your appliance in a cluster environment, you use McAfee Quarantine Manager to quarantine messages.

Delivering email

Using the recipient's domain, the appliance uses the following logic to decide how it delivers messages:
- If the recipient's domain matches those listed in Known Domains and relay hosts, it uses those relays to deliver the message.
- If the recipient's domain does not match those listed in Known Domains and relay hosts, it can be configured to use an MX record lookup to deliver using DNS. If no MX records are available, it attempts to make the delivery using an A record lookup. MX delivery is attempted to hosts in the order of priority returned by the DNS server.
- If it cannot deliver using one of the previous methods, it uses fallback relays to make the delivery (providing the recipient's domain matches those listed in the Fallback relays field).

- If the domain does not exist, the appliance generates a non-delivery report and sends it to the originator.
- If the receiving server cannot accept delivery, or there are no IP addresses to complete the delivery, the message is queued.

Basic Settings page (Custom Setup)

Use this page when selecting the Custom Setup wizard to specify basic settings for the appliance. The appliance tries to provide some information for you, and shows the information highlighted in amber. To change the information, click and retype.

Cluster mode: Defines the options that appear on the Cluster Management page of the Setup Wizard.
- Off: This is a standard appliance.
- Cluster Scanner: The appliance receives its scanning workload from a master appliance.
- Cluster Master: The appliance controls the scanning workload for several other appliances.
- Cluster Failover: If the master fails, this appliance controls the scanning workload instead.

Device name: Specifies a name, such as appliance1.

Domain name: Specifies a name, such as domain1.com.

Default Gateway: Specifies an IPv4 address, such as . You can test later that the appliance can communicate with this server.

Next Hop Router: Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1. This IPv6 address must be a link-local address.

Network Interface: Becomes available when you set the Next Hop Router for IPv6.

Network Settings page

Use these options to view and configure the IP address and network speeds for the appliance. You can use IPv4 and IPv6 addresses, separately or in combination.

To prevent duplication of IP addresses on your network and to deter hackers, give the appliance new IP addresses, and disable the default IP addresses. The IP addresses must be unique and suitable for your network. Specify as many IP addresses as you need.

<mode>: The operating mode that you set during installation or in the Setup Wizard.

Network Interface 1: Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU.

Network Interface 2: Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU.

Change Network Settings: Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and change the chosen operating mode.

View Network Interface Layout: Click to see the <?> associated with LAN1, LAN2, and the out-of-band interface.
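The "Delivering email" decision order described above (Known domains and relay hosts first, then DNS MX and A delivery, then fallback relays, then a non-delivery report or queuing) is easier to audit as code. This is an added illustration, not McAfee's code: the configuration structure, the in-memory DNS table and the rule that a wildcard such as *.example.com matches subdomains only are constructed assumptions, as is queuing a message for an existing domain when DNS delivery is disabled and no relay matches.

```python
"""Outbound delivery decision modelled on the "Delivering email" logic.
Added example for illustration; not McAfee code. All names, data
structures and the DNS stand-in below are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class DeliveryConfig:
    # Known domains and relay hosts: domain (exact or *.pattern) -> ordered relays
    known_domains: dict
    # "Enable DNS lookup for domains not listed above"
    dns_delivery: bool = True
    # Domains listed in the Fallback relays field, and the relays used for them
    fallback_domains: list = field(default_factory=list)
    fallback_relays: list = field(default_factory=list)


@dataclass
class FakeDns:
    """Constructed resolver stand-in: MX records as (priority, host),
    A records as name -> IPv4, and the set of domains that exist at all."""
    mx: dict
    a: dict
    existing: set

    def mx_hosts(self, domain):
        # MX delivery is attempted in the priority order returned by DNS
        # (lowest preference value first)
        return [host for _, host in sorted(self.mx.get(domain, []))]


def match_domain(domain, patterns):
    """Exact match, or wildcard pattern such as *.example.com (assumed to
    match subdomains only, which is what fnmatch does); case-insensitive."""
    domain = domain.lower()
    for pattern in patterns:
        if fnmatch(domain, pattern.lower()):
            return pattern
    return None


def choose_route(recipient_domain, cfg, dns):
    """Return (method, hosts). method is one of: relay, mx, a, fallback,
    ndr (non-delivery report to the originator) or queue."""
    domain = recipient_domain.lower()
    # 1. Known domains and relay hosts take precedence over DNS delivery
    hit = match_domain(domain, cfg.known_domains)
    if hit:
        return "relay", list(cfg.known_domains[hit])
    # 2. DNS delivery: MX lookup first; A record only if there are no MX records
    if cfg.dns_delivery and domain in dns.existing:
        hosts = dns.mx_hosts(domain)
        if hosts:
            return "mx", hosts
        if domain in dns.a:
            return "a", [dns.a[domain]]
    # 3. Fallback relays, only for domains listed in the Fallback relays field
    if match_domain(domain, cfg.fallback_domains):
        return "fallback", list(cfg.fallback_relays)
    # 4. Non-existent domain: NDR. Otherwise nothing usable: queue the message
    if domain not in dns.existing:
        return "ndr", []
    return "queue", []


# Constructed sample configuration and DNS data
SAMPLE_CFG = DeliveryConfig(
    known_domains={"example.com": ["relay1.example.com", "relay2.example.com"],
                   "*.partner.net": ["smtp.partner.net:2525"]},
    fallback_domains=["*.legacy.example"],
    fallback_relays=["fallback.example.com"],
)
SAMPLE_DNS = FakeDns(
    mx={"example.org": [(20, "mx2.example.org"), (10, "mx1.example.org")]},
    a={"onlya.test": "192.0.2.10"},
    existing={"example.org", "onlya.test", "example.com", "hr.partner.net"},
)

if __name__ == "__main__":
    for rcpt in ["example.com", "hr.partner.net", "example.org", "onlya.test",
                 "old.legacy.example", "nosuch.invalid"]:
        print(rcpt, "->", choose_route(rcpt, SAMPLE_CFG, SAMPLE_DNS))
```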

Cluster Management page

Use this page to specify cluster management balancing requirements. Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the Cluster Management page change.

Cluster Management Configuration (Standard appliance): Do not use. Cluster management is disabled.

Table 5-37 Cluster Management (Cluster Scanner)

Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is .

Cluster Management (Cluster Master)

In explicit proxy mode or transparent router mode, you can enable failover between two appliances in a cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster Failover appliance using the same virtual address. In transparent bridge mode, this is achieved by setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover appliance with a lower STP priority.

Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is .

Address to use for load balancing: Specifies the appliance address.

Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.

Option definitions

Advanced scanning device settings

Use this area for fine-grained control of attached scanning devices. You can also configure the devices to share hard disk space for the storage of Secure Web Mail messages.

Devices in a cluster are identified by their MAC (Media Access Control) addresses. When you add a MAC address to the table, you can opt to disable it, meaning that scanning requests are not sent to the device, and to share hard disk space.

Table 5-38 Advanced scanning device settings (appliances)

MAC Address: Specifies the device's Media Access Control (MAC) address as 12 hexadecimal digits in the format A1:B2:C3:D4:E5:F6.

Disabled: Select to remove this device from the pool of scanning devices.

Add MAC Address: Click to add the MAC address of a new device.

Manage MAC Addresses: Opens the MAC Addresses dialog box that enables you to manage the list of available MAC addresses.

Table 5-39 Advanced scanning device settings (blade servers)

MAC Address: Specifies the device's Media Access Control (MAC) address as 12 hexadecimal digits in the format A1:B2:C3:D4:E5:F6.

Disabled: Select to remove this device from the pool of scanning devices.

Add MAC Address: Click to add the MAC address of a new device.

Manage MAC Addresses: Opens the MAC Addresses dialog box that enables you to manage the list of available MAC addresses.

Lock DHCP server to MAC addresses: Select to prevent the management blade from acknowledging DHCP requests sent by arbitrary hosts on its network. If selected, add the MAC addresses of any scanning blades to be added to your Content Security Blade Server to the MAC address table. Failing to do this prevents a scanning blade from acquiring the correct IP address.

Although you can add the MAC addresses of management and failover devices to this table, they always contribute hard disk space for Secure Web Mail messages and cannot be disabled.

Table 5-40 Cluster Management (Cluster Failover)

Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance.

Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is .

Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.

Table 5-41 Cluster Management (Cluster Failover)

Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance.

Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is .

DNS and Routing page

Use this page to configure the appliance's use of DNS and routes.

Domain Name System (DNS) servers translate or "map" the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here.

DNS server addresses

Server Address: Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution.

New Server / Delete Selected Servers: Adds a new server to the list, or removes one when, for example, you need to decommission a server due to network changes.

Only send queries to these servers: Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries, as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response, so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests itself, or might query DNS servers outside your network.

Routing Settings

Network Address: Type the network address of the route.

Mask: Specifies how many hosts are on your network, for example, .

Gateway: Specifies the IP address of the router used as the next hop out of the network. The address (IPv4) or :: (IPv6) means that the router has no default gateway.

Metric: Specifies the preference given to the route. A low number indicates a high preference for that route.

New Route / Delete Selected Routes: Add a new route to the table, or remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value.

Enable dynamic routing: Use this option in transparent router mode only. When enabled, the appliance can:
- receive broadcast routing information over RIP (default) and apply it to its routing table, so that you don't have to duplicate on the appliance routing information that is already present in the network.
- broadcast routing information over RIP if static routes have been configured through the user interface.

Configuration page (Custom Setup)

This information describes the options available on this page.

Initial configuration

Enable protection against Potentially Unwanted Programs: Click to activate protection against Potentially Unwanted Programs. Read the advice from McAfee about the effects that activating this protection can have.

Enable URL Reputation checking: Click to activate Global Threat Intelligence scanning of URLs embedded in messages.

Use the McAfee SaaS Email Protection Service to process inbound email: Click to activate hybrid protection, with McAfee Email Protection (Hybrid) scanning your inbound email traffic. After enabling McAfee Email Protection (Hybrid), the configuration pages for this service are displayed automatically when you next log into the user interface.

Enable Graymail Protection: Click to enable graymail protection.

Enable McAfee Global Threat Intelligence feedback: Click What is this? to read about how the feedback is used, and to view the McAfee Privacy Policy.

Scan SMTP traffic / Scan POP3 traffic: Both protocols are selected by default. Deselect a protocol to prevent scanning occurring.

Option definitions

Domains for which the appliance will accept or refuse email

Use these options to define how the appliance relays email. After you complete the Setup Wizard, you can manage the domains from Email | Email Configuration | Receiving Email.

Domain Name / Network Address / MX Record Type: Displays the domain names, wildcard domain names, network addresses, and MX lookups from which the appliance accepts or refuses email.
- Domain name, for example, example.com. The appliance uses this to compare the recipient's address, and to compare the connection against an A record lookup.
- Network Address, for example, /32 or /24. The appliance uses this to compare the recipient's IP literal address, such as user@[ ], or the connection.
- MX Record Lookup, for example, example.com. The appliance uses this to compare the connection against an MX record lookup.
- Wildcard domain name, for example, *.example.com. The appliance only uses this information to compare the recipient's address.

Category: Local domain, Permitted domain, or Denied domain.

Add Domain: Click to specify the domains that can relay messages through the appliance to the recipient. Choose from:
- Local domain: These are the domains or networks for which email is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains.
- Permitted domain: Email is accepted. Use permitted domains to manage exceptions.
- Denied domain: Email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format. You must set up at least one local domain.

Add MX Lookup: Click to specify a domain that the appliance uses to identify all mail server IP addresses from which it will deliver messages.

Delete Selected Items: Remove the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration.

Option definitions

Domain Routing

Configure hosts that the appliance uses to route email. After you complete the Setup Wizard, you can manage the domains from Email | Email Configuration | Sending Email.

Domain name / Network Address / MX Record Type: Displays a list of domains. This list allows you to specify specific relays, or sets of relays, to be used to deliver messages destined for specific domains. Domains can be identified using exact matches, or using pattern matches such as *.example.com. To specify multiple relays for a single domain, separate each with a space. If the first mail relay is accepting email, all email is delivered to the first relay. If that relay stops accepting email, subsequent email is delivered to the next relay in the list.
- Domain name, for example, example.com. The appliance uses this to compare the recipient's address, and to compare the connection against an A record lookup.
- Network Address, for example, /32 or /24. The appliance uses this to compare the recipient's IP literal address, such as user@[ ], or the connection.
- MX Record Lookup, for example, example.com. The appliance uses this to compare the connection against an MX record lookup.
- Wildcard domain name, for example, *.example.com. The appliance only uses this information to compare the recipient's address.

Category: Local domain, Permitted domain, or Denied domain.

Add Relay List: Click to populate the Known domains and relay hosts table with a list of host names or IP addresses for delivery. Delivery is attempted in the order specified unless you select the Round robin the above hosts option, which distributes the load between the specified hosts. Host names and IP addresses may include a port number.

Add MX Lookup: Click to populate the Known domains and relay hosts table with an MX record lookup to determine the IP addresses for delivery. Delivery is attempted to host names returned by the MX lookup in the order of priority given by the DNS server.

Delete Selected Items: Remove the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration.

Enable DNS lookup for domains not listed above: If selected, the appliance uses DNS to route email for other, unspecified domains. DNS delivery attempts an MX record lookup. If there are no MX records, it does an A record lookup. If you deselect this checkbox, the appliance delivers only to the domains that are specified under Known domains and relay hosts.

Time Settings page

Use this page to set the time and date, and any details for the use of the Network Time Protocol (NTP).

Appliance Time Zone: Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time.

Appliance Time (UTC): Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as .

Set Now: When clicked, applies the date and UTC time that you specified in this row.

Client Time: Displays the time according to the client computer from which your browser is currently connected to the appliance.

Synchronize appliance with client: When selected, the time in Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manually setting Appliance Time (UTC). The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight saving adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.

Enable NTP: When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance.

Enable NTP client broadcasts: When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network, but it must trust other devices in the network. When deselected, accepts NTP messages only from servers specified in the list.

NTP Server: Displays the network address or a domain name of one or more NTP servers that the appliance uses. For example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time.

New Server: Type the IP address of a new NTP Server.
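The relay-control table described under "Domains for which the appliance will accept or refuse email" compares different things depending on the entry type: a domain name is checked against the recipient address and, through an A record lookup, against the connecting IP; a network address against the recipient's IP literal or the connection; an MX lookup against the connection; and a wildcard against the recipient only. The following is an added Python model of those comparisons, not McAfee's code: the entry layout, the first-match-wins precedence, the in-memory DNS records and the choice to refuse anything that matches no entry are constructed assumptions.

```python
"""Relay-control decision modelled on the accept/refuse table for inbound
email. Added example for illustration; not McAfee code. The entry format,
precedence rule and DNS stand-in are constructed assumptions."""
import ipaddress
from fnmatch import fnmatch

# Constructed DNS stand-in: A records (name -> IPv4 list) and MX records
# (domain -> list of (priority, host)), used in place of real lookups.
DNS_A = {
    "example.com": ["198.51.100.10"],
    "mx1.example.com": ["198.51.100.20"],
    "partner.example": ["203.0.113.5"],
}
DNS_MX = {"example.com": [(10, "mx1.example.com")]}

# Constructed table, in the order it would appear in the user interface.
ENTRIES = [
    {"type": "domain", "value": "example.com", "category": "local"},
    {"type": "wildcard", "value": "*.example.com", "category": "local"},
    {"type": "network", "value": "192.0.2.0/24", "category": "local"},
    {"type": "mx", "value": "example.com", "category": "permitted"},
    {"type": "domain", "value": "partner.example", "category": "denied"},
]


def split_recipient(recipient):
    """Return (domain, ip_literal). user@host.example -> ("host.example", None);
    user@[192.0.2.7] -> (None, IPv4Address('192.0.2.7'))."""
    _, _, domain = recipient.rpartition("@")
    if domain.startswith("[") and domain.endswith("]"):
        return None, ipaddress.ip_address(domain[1:-1])
    return domain.lower(), None


def mx_addresses(domain):
    # The connection is compared against the addresses of the domain's MX hosts
    return {ip for _, host in DNS_MX.get(domain, []) for ip in DNS_A.get(host, [])}


def entry_matches(entry, recipient, connection_ip):
    domain, literal = split_recipient(recipient)
    conn = ipaddress.ip_address(connection_ip)
    value = entry["value"].lower()
    if entry["type"] == "domain":
        # Recipient's domain, or the connecting IP against the A record lookup
        return domain == value or str(conn) in DNS_A.get(value, [])
    if entry["type"] == "wildcard":
        # Wildcard entries are compared against the recipient address only
        return domain is not None and fnmatch(domain, value)
    if entry["type"] == "network":
        # Recipient IP literal such as user@[192.0.2.7], or the connection
        net = ipaddress.ip_network(value, strict=False)
        return conn in net or (literal is not None and literal in net)
    if entry["type"] == "mx":
        return str(conn) in mx_addresses(value)
    raise ValueError("unknown entry type: " + entry["type"])


def relay_decision(recipient, connection_ip, entries=ENTRIES):
    """Return local, permitted or denied for the first matching entry
    (assumed first-match-wins, top of table first). With no match the
    message is refused, so an unlisted domain cannot be relayed through
    the appliance."""
    for entry in entries:
        if entry_matches(entry, recipient, connection_ip):
            return entry["category"]
    return "denied"


if __name__ == "__main__":
    for rcpt, ip in [("alice@example.com", "10.0.0.5"),
                     ("bob@sales.example.com", "10.0.0.5"),
                     ("bob@[192.0.2.7]", "10.0.0.5"),
                     ("carol@elsewhere.invalid", "198.51.100.20"),
                     ("dave@partner.example", "10.0.0.5"),
                     ("eve@elsewhere.invalid", "10.0.0.5")]:
        print(rcpt, "from", ip, "->", relay_decision(rcpt, ip))
```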

Password page

Use this page to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters.

User ID: This is admin. You can add more users later.

Password: Specifies the new password. Change the password as soon as possible to keep your appliance secure. You must enter the new password twice to confirm it. The original default password is password.

Summary page

Review a summary of the settings that you have made for the network connections and scanning of the email traffic. To change any value, click its blue link to display the page where you originally typed the value.

After you click Finish, the Setup Wizard has completed. Use the IP address shown here to access the interface, for example, . The address starts with https, not http.

If you have configured your McAfee Email Gateway to provide Secure Web Mail, then you need to access the appliance using the Secure Web Mail port. So, using the example above, you would need to append that port number to the address.

When you first log on to the interface, type the user name admin and the password that you gave on the Password page.

Table 5-42 Basic settings

Each setting in the summary is marked with one of the following states:
- The value is set according to best practice.
- The value is probably not correct. Although the value is valid, it is not set according to best practice. Check the value before continuing.
- No value has been set.
- The value has not been changed from the default. Check the value before continuing.

Network Interfaces Wizard

Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address and adapter settings for NIC 1 and NIC 2.

The options you see in the Network Interfaces Wizard depend on the operating mode. On the first page of the wizard, you can choose to change the operating mode for the appliance. You can change the settings by clicking Change Network Settings to start a wizard. Click Next to progress through the wizard.

In Explicit Proxy mode, some network devices send traffic to the appliance. The appliance then works as a proxy, processing traffic on behalf of the devices.

In Transparent Router or Transparent Bridge mode, other network devices, such as mail servers, are unaware that the appliance has intercepted and scanned the email before forwarding it. The appliance's operation is transparent to the devices.

If you have a standalone appliance running in transparent bridge mode, you have the option to add a bypass device in case the appliance fails.

If the appliance is operating in Transparent Bridge mode, and the Spanning Tree Protocol (STP) is running on your network, make sure that the appliance is configured according to STP rules. Additionally, you can set up a bypass device in transparent bridge mode.

To configure your McAfee Content Security Blade Server to fail over from the management blade to the failover management blade, you must specify at least one virtual IP address, shared between the management and failover management blades.

Network Interfaces Wizard: Explicit Proxy mode

Use the Network Interfaces Wizard to change the chosen operating mode, and specify the IP address and adapter settings for NIC 1 and NIC 2. This version of the Network Interfaces Wizard becomes available when you select Explicit Proxy mode. Specify the details for Network Interface 1, then use the Next button to set details for Network Interface 2 as necessary.

Network Interface 1 or Network Interface 2 page

IP Address: Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance's network ports. The IP address at the top of a list is the primary address. Any IP addresses below it are aliases. You must have at least one IP address in both Network Interface 1 and Network Interface 2. However, you can deselect the Enabled option next to any IP addresses that you do not wish to listen on.

Network Mask: Specifies the network mask. In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.

Enabled: When selected, the appliance accepts connections on the IP address.

Virtual: When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server.

New Address / Delete Selected Addresses: Add a new address, or remove a selected IP address.
NIC 1 Adapter Options or NIC 2 Adapter Options: Expand to set the following options:
- MTU size: Specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
- Autonegotiation state: Either On, which allows the appliance to negotiate the speed and duplex state for communicating with other network devices, or Off, which allows you to select the speed and duplex state yourself.
- Connection speed: Provides a range of speeds. The default value is 100MB. This value is fixed at 1GB for fiber-connected systems.
- Duplex state: Provides duplex states. The default value is Full duplex.
Enable IPv6 auto configuration: Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in Transparent Router mode, is part of a cluster configuration, or is running as part of a Blade Server installation.

Network Interfaces Wizard: Transparent Router mode

Use the Network Interfaces Wizard to change the chosen operating mode, then specify the IP address and adapter settings for NIC 1 and NIC 2.

Network Interface 1 or Network Interface 2 pages: Option definitions

IP Address: Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance's ports. The IP address at the top of a list is the primary address; any IP addresses below it are aliases.
Network Mask: Specifies the network mask. In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled: When selected, the appliance accepts connections on that IP address.
Virtual: When selected, the appliance treats this IP address as a virtual address. This option only appears in cluster configurations, or on a McAfee Content Security Blade Server.

New Address / Delete Selected Addresses: Add a new address, or remove a selected IP address.
NIC 1 Adapter Options or NIC 2 Adapter Options: Expand to set the following options:
- MTU size: Specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
- Autonegotiation state: Either On, which allows the appliance to negotiate the speed and duplex state for communicating with other network devices, or Off, which allows you to select the speed and duplex state yourself.
- Connection speed: Provides a range of speeds. The default value is 100MB. This value is fixed at 1GB for fiber-connected systems.
- Duplex state: Provides duplex states. The default value is Full duplex.
Enable IPv6 auto configuration: Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in Transparent Router mode, is part of a cluster configuration, or is running as part of a Blade Server installation.
Enable sending IPv6 router advertisements on this interface: When enabled, allows IPv6 router advertisements to be sent to machines on the subnet that require a router response to complete auto configuration.

Network Interfaces Wizard: Transparent Bridge mode

Use the Network Interfaces Wizard to change the chosen operating mode, and to specify the IP address and adapter settings for NIC 1 and NIC 2. Specify the details for the Ethernet Bridge, then use the Next button to set details for the Spanning Tree Protocol and Bypass Device as necessary.

Ethernet Bridge page: Option definitions

Select all: Click to select all the IP addresses.
IP Address: Specifies network addresses to enable the appliance to communicate with your network. You can specify multiple IP addresses for the appliance's ports. The IP addresses are combined into one list for both ports. The IP address at the top of a list is the primary address; any IP addresses below it are aliases. Use the Move links to reposition the addresses as necessary.
Network Mask: Specifies the network mask. In IPv4, you can use a format such as , or CIDR notation, such as 24. In IPv6, you must use the prefix length, for example, 64.
Enabled: When selected, the appliance accepts connections on that IP address.

New Address / Delete Selected Addresses: Add a new address, or remove a selected IP address.
NIC Adapter Options: Expand to set the following options:
- MTU size: Specifies the Maximum Transmission Unit (MTU) size. The MTU is the maximum size (expressed in bytes) of a single unit of data (for example, an Ethernet frame) that can be sent over the connection. The default value is 1500 bytes.
- Autonegotiation state: Either On, which allows the appliance to negotiate the speed and duplex state for communicating with other network devices, or Off, which allows you to select the speed and duplex state yourself.
- Connection speed: Provides a range of speeds. The default value is 100MB. This value is fixed at 1GB for fiber-connected systems.
- Duplex state: Provides duplex states. The default value is Full duplex.
Enable IPv6 auto configuration: Select this option to allow the appliance to automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router. This option is unavailable by default if your appliance is running in Transparent Router mode, is part of a cluster configuration, or is running as part of a Blade Server installation.

Spanning Tree Protocol Settings page: Option definitions

Enable STP: STP is enabled by default.
Bridge priority: Sets the priority for the STP bridge. Lower numbers have a higher priority. The maximum number that you can set is
Advanced parameters: Expand to set the following options. Change these settings only if you understand the possible effects, or you have consulted an expert:
- Forwarding delay
- Hello interval (seconds)
- Maximum age (seconds)
- Garbage collection interval (seconds)
- Ageing time (seconds)

Bypass Device Settings page: Option definitions

The bypass device inherits settings from those you entered in NIC Adapter Options.

Select bypass device: Choose from two supported devices.
Watchdog timeout (seconds): For the bypass device, the time, in seconds, that can elapse before the system bypasses the appliance.

Heartbeat interval (seconds): Set to monitor the heartbeat by default. This option becomes active when you select a bypass device.
Advanced parameters:
- Mode: Choose to monitor the heartbeat, or the heartbeat and the link activity.
- Link activity timeout (seconds): Becomes active when you select Monitor heartbeat and link activity in Mode.
- Enable buzzer: Enabled by default. If the bypass device fails to detect the heartbeat signal for the configured Watchdog timeout, the buzzer sounds.

Network Interface Layout

Look at the detail provided regarding the layout of the network interfaces. This dialog box shows the current assignments for the network interfaces. Use it to confirm that the assignments are as you expect.

Table 5-43 Option definitions
LAN 1: Shows how LAN 1 is described.
LAN 2: Shows how LAN 2 is described.
Out of band interface: Shows how the Out of band interface is described.

Restore from a file Setup

Use the Restore from a file Setup wizard to configure your appliance based on the settings saved from another appliance. The Restore from a file Setup wizard consists of the following pages:
- Import Configuration
- Values to Restore
- Basic Settings page (Custom Setup)
- Cluster Management page
- DNS and Routing page
- Time Settings page
- Password page
- Summary page

Import Configuration

Use this dialog to import the configuration file containing the details that you want to use to configure your appliance.

Table 5-44 Option definitions
Browse: Locate the configuration file to use as a basis for your new settings. The configuration filename is in the format config_<date and time stamp>.zip

Values to Restore

Use this dialog to choose the areas of the configuration that you want to restore. By default, the setup wizard attempts to restore all settings found within the configuration file onto your appliance. You can choose not to restore settings in particular areas by deselecting them before continuing with the installation. The setup wizard enables you to review and change all settings before you apply them to the appliance.

Table 5-45 Option definitions
Protocol configuration: Information about the protocols the appliance uses. This information is always restored.
Network configuration: Information about the IP addresses, host names and other details that are specific to your appliance and your network.
The reporting configuration: Information about how you have configured your Favorite Reports and Scheduled Reports.
The user preferences: Information about how you have configured user interface options, such as the Dashboard configuration.
Role based user accounts: Selecting this reinstalls information about the role based user accounts that you have set up. This does not include the passwords for default accounts.
ePO configuration: If the appliance that generated the configuration file was under ePolicy Orchestrator management, this option applies those ePO configuration settings.

Basic Settings page (Custom Setup)

Use this page when selecting the Custom Setup wizard, to specify basic settings for the appliance. The appliance tries to provide some information for you, and shows that information highlighted in amber. To change the information, click and retype.

Cluster mode: Defines the options that appear on the Cluster Management page of the Setup Wizard.
- Off: This is a standard appliance.
- Cluster Scanner: The appliance receives its scanning workload from a master appliance.
- Cluster Master: The appliance controls the scanning workload for several other appliances.
- Cluster Failover: If the master fails, this appliance controls the scanning workload instead.
Device name: Specifies a name, such as appliance1.
Domain name: Specifies a name, such as domain1.com.
Default Gateway: Specifies an IPv4 address, such as . You can test later that the appliance can communicate with this server.

Next Hop Router: Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1. This IPv6 address must be a link local address.
Network Interface: Becomes available when you set the Next Hop Router for IPv6.

Cluster Management page

Use this page to specify cluster management balancing requirements. Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the Cluster Management page change.

Cluster Management Configuration (Standard appliance)

Do not use. Cluster management is disabled.

Table 5-46 Cluster Management (Cluster Scanner)
Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is

Cluster Management (Cluster Master)

In Explicit Proxy mode or Transparent Router mode, you can enable failover between two appliances in a cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster Failover appliance using the same virtual address. In Transparent Bridge mode, this is achieved by setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover appliance with a lower STP priority.

Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is
Address to use for load balancing: Specifies the appliance address.
Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.

Advanced scanning device settings: Option definitions

Use this area for fine-grained control of attached scanning devices. You can also configure the devices to share hard disk space for the storage of Secure Web Mail messages. Devices in a cluster are identified by their MAC (Media Access Control) addresses. When you add a MAC address to the table, you can opt to disable it (meaning that scanning requests are not sent to the device) and to share hard disk space.

Table 5-47 Advanced scanning device settings (appliances)
MAC Address: Specifies the device's Media Access Control (MAC) address as 12 hexadecimal digits in the format A1:B2:C3:D4:E5:F6.
Disabled: Select to remove this device from the pool of scanning devices.
Add MAC Address: Click to add the MAC address of a new device.
Manage MAC Addresses: Opens the MAC Addresses dialog box that enables you to manage the list of available MAC addresses.

Table 5-48 Advanced scanning device settings (blade servers)
MAC Address: Specifies the device's Media Access Control (MAC) address as 12 hexadecimal digits in the format A1:B2:C3:D4:E5:F6.
Disabled: Select to remove this device from the pool of scanning devices.
Add MAC Address: Click to add the MAC address of a new device.
Manage MAC Addresses: Opens the MAC Addresses dialog box that enables you to manage the list of available MAC addresses.
Lock DHCP server to MAC addresses: Select to prevent the management blade from acknowledging DHCP requests sent by arbitrary hosts on its network. If selected, add the MAC addresses of any scanning blades to be added to your Content Security Blade Server to the MAC address table. Failing to do this prevents a scanning blade from acquiring the correct IP address.

Although you can add the MAC addresses of management and failover devices to this table, they always contribute hard disk space for Secure Web Mail messages and cannot be disabled.
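As an added example (not code from the McAfee guide or product), the following Python script checks values in the formats described by the Network Interface tables (dotted or CIDR masks for IPv4, prefix lengths for IPv6), the Basic Settings page (Default Gateway and link-local Next Hop Router), the Password page and the MAC address table above, and reports each with the states used in the Summary page legend. The mapping of each check to a legend state, the on-link test for the gateway and the sample addresses are assumptions of this example; the guide gives the formats and the legend, not how the wizard derives each state.

```python
"""Added example (not McAfee code): check Setup Wizard network values in the
formats this guide describes and report them with the Summary page legend."""
import ipaddress
import re

# The five states the Summary page legend distinguishes (wording from the guide)
OK = "set according to best practice"
WEAK = "valid, but not set according to best practice"
PROBABLY_WRONG = "probably not correct"
NOT_SET = "no value has been set"
DEFAULT = "not changed from the default"

# 12 hex digits in the A1:B2:C3:D4:E5:F6 form required by the MAC address table
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_interface(ip_text, mask_text):
    """Build an ip_interface from an IP Address / Network Mask pair.

    IPv4 masks may be dotted (255.255.255.0) or a CIDR length (24);
    IPv6 masks must be a prefix length (64). Raises ValueError otherwise.
    """
    addr = ipaddress.ip_address(ip_text.strip())
    mask = mask_text.strip()
    if addr.version == 6 and not mask.isdigit():
        raise ValueError("IPv6 network mask must be a prefix length such as 64")
    # ip_interface accepts both "/24" and "/255.255.255.0" for IPv4
    return ipaddress.ip_interface(f"{addr}/{mask}")


def check_interface(ip_text, mask_text):
    """Legend state for one IP Address / Network Mask row."""
    if not ip_text.strip() or not mask_text.strip():
        return NOT_SET
    try:
        iface = parse_interface(ip_text, mask_text)
    except ValueError:
        return PROBABLY_WRONG
    net = iface.network
    # The network or broadcast address of an IPv4 subnet cannot be listened on
    if iface.version == 4 and net.prefixlen < 31 and iface.ip in (
            net.network_address, net.broadcast_address):
        return PROBABLY_WRONG
    return OK


def check_gateway(interfaces, gateway_text):
    """Legend state for Default Gateway (IPv4) or Next Hop Router (IPv6).

    interfaces: list of (ip_interface, enabled). An IPv4 gateway must be on
    the subnet of an enabled interface and differ from the appliance's own
    address; the IPv6 next hop must be link-local (as the wizard requires)
    and there must be an enabled IPv6 interface to reach it through.
    """
    if not gateway_text.strip():
        return NOT_SET
    try:
        gw = ipaddress.ip_address(gateway_text.strip())
    except ValueError:
        return PROBABLY_WRONG
    usable = [i for i, enabled in interfaces if enabled and i.version == gw.version]
    if gw.version == 6:
        return OK if gw.is_link_local and usable else PROBABLY_WRONG
    if any(gw in i.network and gw != i.ip for i in usable):
        return OK
    return PROBABLY_WRONG


def check_password(new_password):
    """Legend state for the Password page (up to 15 characters, letters and numbers)."""
    if not new_password:
        return NOT_SET
    if new_password == "password":   # the original default named by the guide
        return DEFAULT
    if len(new_password) > 15:
        return PROBABLY_WRONG
    has_letter = any(c.isalpha() for c in new_password)
    has_digit = any(c.isdigit() for c in new_password)
    return OK if has_letter and has_digit else WEAK


def check_mac_table(entries):
    """Problems in the scanning device MAC table: bad format or duplicate rows."""
    seen, problems = set(), []
    for mac in entries:
        if not MAC_RE.match(mac):
            problems.append(f"{mac}: not 12 hex digits in A1:B2:C3:D4:E5:F6 form")
        elif mac.upper() in seen:
            problems.append(f"{mac}: duplicate entry")
        seen.add(mac.upper())
    return problems


if __name__ == "__main__":
    # Constructed sample values from documentation ranges, not a real deployment
    nics = [(parse_interface("192.0.2.10", "255.255.255.0"), True),
            (parse_interface("2001:db8:1::10", "64"), True)]
    print("Default Gateway :", check_gateway(nics, "192.0.2.1"))
    print("Off-subnet      :", check_gateway(nics, "198.51.100.1"))
    print("Next Hop Router :", check_gateway(nics, "fe80::1"))
    print("Password        :", check_password("password"))
    print("MAC table       :", check_mac_table(["A1:B2:C3:D4:E5:F6", "A1B2C3D4E5F6"]))
```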
Table 5-49 Cluster Management (Cluster Failover)
Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance.
Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is
Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances. For a cluster of appliances, if you have only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.

Table 5-50 Cluster Management (Cluster Failover)
Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance.
Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different Cluster identifier to ensure the clusters do not conflict. The allowable range is

DNS and Routing page

Use this page to configure the appliance's use of DNS and routes. Domain Name System (DNS) servers translate or "map" the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here.

DNS server addresses
Server Address: Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution.
New Server / Delete Selected Servers: Adds a new server to the list, or removes one, for example when you need to decommission a server due to network changes.
Only send queries to these servers: Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries, as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response, so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests itself, or might query DNS servers outside your network.

Routing Settings
Network Address: Type the network address of the route.
Mask: Specifies how many hosts are on your network, for example,
Gateway: Specifies the IP address of the router used as the next hop out of the network. The address (IPv4), or :: (IPv6), means that the router has no default gateway.
Metric: Specifies the preference given to the route. A low number indicates a high preference for that route.

New Route / Delete Selected Routes: Add a new route to the table, or remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value.
Enable dynamic routing: Use this option in Transparent Router mode only. When enabled, the appliance can:
- receive broadcast routing information over RIP (the default) and apply it to its routing table, so that you do not have to duplicate on the appliance routing information that is already present in the network.
- broadcast routing information over RIP if static routes have been configured through the user interface.

Time Settings page

Use this page to set the time and date, and any details for the use of the Network Time Protocol (NTP).

Appliance Time Zone: Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time.
Appliance Time (UTC): Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as
Set Now: When clicked, applies the date and UTC time that you specified in this row.
Client Time: Displays the time according to the client computer from which your browser is currently connected to the appliance.
Synchronize appliance with client: When selected, Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to setting Appliance Time (UTC) manually. The appliance calculates the UTC time based on the time zone that it finds on the client's browser. Ensure that the client computer is aware of any daylight saving adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.
Enable NTP: When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance.
Enable NTP client broadcasts: When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network, but it must trust the other devices in the network. When deselected, accepts NTP messages only from the servers specified in the list.
NTP Server: Displays the network address or domain name of one or more NTP servers that the appliance uses, for example, time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time.
New Server: Type the IP address of a new NTP server.

Password page

Use this page to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters.

User ID: This is admin. You can add more users later.
Password: Specifies the new password. Change the password as soon as possible to keep your appliance secure. You must enter the new password twice to confirm it. The original default password is password.

Summary page

Review a summary of the settings that you have made for the network connections and the scanning of traffic. To change any value, click its blue link to display the page where you originally typed the value. After you click Finish, the Setup Wizard has completed.

Use the IP address shown here to access the interface, for example . The address starts with https, not http. If you have configured your McAfee Email Gateway to provide Secure Web Mail, you need to access the appliance using port . So, using the example above, you would enter : . When you first log on to the interface, type the user name admin and the password that you gave on the Password page.

Table 5-51 Basic settings
- The value is set according to best practice.
- The value is probably not correct.
- Although the value is valid, it is not set according to best practice. Check the value before continuing.
- No value has been set.
- The value has not been changed from the default. Check the value before continuing.

ePO Managed Setup

Use the ePO Managed Setup wizard to configure your appliance so that it can be managed from your ePolicy Orchestrator server. The ePO Managed Setup wizard consists of the following pages:
- Settings for ePolicy Orchestrator Management
- Basic Settings page (ePolicy Orchestrator Managed Setup)
- Network Settings page
- Cluster Management page (ePolicy Orchestrator Managed Setup)
- DNS and Routing page
- Time Settings page
- Password page
- Summary (ePolicy Orchestrator Managed Setup)

Settings for ePolicy Orchestrator Management

Select ePolicy Orchestrator Managed Setup within the Setup Wizard to configure your appliance for management by McAfee ePolicy Orchestrator.

ePO Extensions: Download the ePolicy Orchestrator extensions for McAfee Email Gateway products, including McAfee Email Gateway. The file MEGv7.x_ePOextensions.zip contains both the EWG and the MEG ePolicy Orchestrator extensions. The EWG extension allows reporting from within ePolicy Orchestrator for the following products: McAfee Email and Web Security appliances, McAfee Web Gateway appliances, and McAfee Email Gateway appliances. The MEG extension provides full ePolicy Orchestrator management for McAfee Email Gateway. For you to use ePolicy Orchestrator for either reporting or management, the ePolicy Orchestrator extensions need to be installed on your ePolicy Orchestrator server.
ePO Help Extensions: Download the ePolicy Orchestrator help extensions. The file MEGv7.x_ePOhelpextensions.zip contains the online help information for the above ePolicy Orchestrator extensions. This file installs the help extensions relating to the ePolicy Orchestrator extensions for McAfee Email and Web Gateway and McAfee Email Gateway appliances onto your ePolicy Orchestrator server.
Import ePO connection settings: Click to browse to the ePolicy Orchestrator connection settings file, to import the ePolicy Orchestrator connection information into the appliance.

Task: Configure the appliance to work with ePolicy Orchestrator

Use this task to set up the appliance to be managed by ePolicy Orchestrator:
1 From your McAfee Email Gateway, on Settings for ePO Management, select ePO Extensions and click Save to download the extension file.
2 From your McAfee Email Gateway, on Settings for ePO Management, select ePO Help Extensions and click Save to download the help extension file.
3 On your ePolicy Orchestrator server, install these extensions using Menu | Software | Extensions | Install Extensions.
4 On the ePolicy Orchestrator server, save the connection settings from Menu | Email Gateway Protection | Email and Web Gateway | Actions | Export Connection Settings.

5 On the McAfee Email Gateway, return to the Settings for ePO Management page in the Setup Wizard, and click Import ePO connection settings. Browse to the ePolicy Orchestrator connection settings file.
6 Click Next to continue to the Basic Settings page in the Setup Wizard.

Basic Settings page (ePolicy Orchestrator Managed Setup)

Use this page to configure the basic settings for the appliance that will be managed by ePolicy Orchestrator.

Cluster mode: The options are Off (Standard appliance), Cluster Scanner, Cluster Master, and Cluster Failover.
Device Name: Specifies a name, such as appliance1.
Domain Name: Specifies a name, such as domain1.com.
Default Gateway (IPv4): Specifies an IPv4 address, such as . You can test later that the appliance can communicate with this server.
Next Hop Router (IPv6): Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1.
Network Interface: Becomes available when you set the Next Hop Router for IPv6.

Network Settings page

Use these options to view and configure the IP address and network speeds for the appliance. You can use IPv4 and IPv6 addresses, separately or in combination. To prevent duplication of IP addresses on your network and to deter hackers, give the appliance new IP addresses and disable the default IP addresses. The IP addresses must be unique and suitable for your network. Specify as many IP addresses as you need.

<mode>: The operating mode that you set during installation or in the Setup Wizard.
Network Interface 1: Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU.
Network Interface 2: Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU.
Change Network Settings: Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and to change the chosen operating mode.
View Network Interface Layout: Click to see the layout associated with LAN1, LAN2, and the out of band interface.

Cluster Management page (ePolicy Orchestrator Managed Setup)

Use this page to specify the load balancing requirements that apply to ePolicy Orchestrator Managed appliances.

Cluster Management Configuration (Standard appliance)

Do not use this page. Cluster management is disabled.

Cluster Management (Cluster Scanner)

Use this page to specify information for a scanning appliance.
Cluster identifier: Specifies an identifier. Range is

Cluster Management (Cluster Master)

Use this page to specify information for a master appliance.
Address to use for load balancing: Specifies the appliance address.
Cluster identifier: Specifies an identifier. Range is
Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances.

Cluster Management (Cluster Failover)

Use this page to specify information for a failover appliance.
Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance.
Cluster identifier: Specifies an identifier. Range is
Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances.

DNS and Routing page

Use this page to configure the appliance's use of DNS and routes. Domain Name System (DNS) servers translate or "map" the names of network devices into IP addresses (and the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here.

DNS server addresses
Server Address: Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no servers in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet. If your firewall prevents DNS lookup (typically on port 53), specify the IP address of a local device that provides name resolution.
New Server / Delete Selected Servers: Adds a new server to the list, or removes one, for example when you need to decommission a server due to network changes.
Only send queries to these servers: Selected by default. McAfee recommends that you leave this option selected because it might speed up DNS queries, as the appliance sends the queries to the specified DNS servers only. If they don't know the address, they go to the root DNS servers on the Internet. When they get a reply, the appliance receives it and caches the response, so that other servers that query that DNS server can get an answer more quickly. If you deselect this option, the appliance first tries to resolve the requests itself, or might query DNS servers outside your network.

438 5 Overview of System menu Setup Wizard Routing Settings Network Address Type the network address of the route. Mask Specifies how many hosts are on your network, for example, Gateway Metric New Route / Delete Selected Routes Enable dynamic routing Specifies the IP address of the router used as the next hop out of the network. The address (IPv4), or :: (IPv6) means that the router has no default gateway. Specifies the preference given to the route. A low number indicates a high preference for that route. Add a new route to the table, ore remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value. Use this option in transparent router mode only. When enabled, the appliance can: receive broadcast routing information received over RIP (default) that it applies its routing table so you don't have to duplicate routing information on the appliance that is already present in the network. broadcast routing information if static routes have been configured through the user interface over RIP. Time Settings page Use this page to set the time and date, and any details for the use of the Network Time Protocol (NTP). Appliance Time Zone Appliance Time (UTC) Set Now Client Time Synchronize appliance with client Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time. Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the UTC time from websites such as When clicked, applies the date and UTC time that you specified in this row. Displays the time according to the client computer from which your browser is currently connected to the appliance. When selected, the time in the Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to manual setting of Appliance Time (UTC). 
The appliance calculates the UTC time from the time zone that it finds on the client's browser, so a wrong clock or time zone on the client becomes a wrong clock on the appliance, which in turn affects log timestamps and certificate validity checks. Ensure that the client computer is aware of any daylight saving adjustments. To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.

Enable NTP: When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance.
Enable NTP client broadcasts: When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network, but it requires you to trust the other devices in the network, because any host on the segment can broadcast a time. When deselected, the appliance accepts NTP messages only from the servers specified in the list.

NTP Server: Displays the network address or domain name of one or more NTP servers that the appliance uses, for example time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time.
New Server: Type the IP address of a new NTP server.

Password page

Use this page to specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters.

User ID: This is admin. You can add more users later.
Password: Specifies the new password. You must enter the new password twice to confirm it. The original default password is password. Change it as soon as possible to keep your appliance secure; the default is published and therefore known to anyone who probes the appliance.

Summary (ePolicy Orchestrator Managed Setup)

Use this page, when using the ePolicy Orchestrator Managed Setup Wizard, to review a summary of the settings that you have made for the network connections and the scanning of network traffic, the clustering status, and the scanning settings that ePolicy Orchestrator will manage for the appliance. To change any value, click its blue link to display the page where you originally typed the value.

After you click Finish, the setup wizard has completed. Use the IP address shown here to access the interface. Note that the address begins with https, not http. When you first log on to the interface, type the user name admin and the password that you gave to this setup wizard. The appliance is now managed by ePolicy Orchestrator. Log on to the ePolicy Orchestrator server to manage your appliance.

Table 5-52 Basic settings (status indicators shown beside each value)
- The value is set according to best practice.
- The value is probably not correct.
- Although the value is valid, it is not set according to best practice. Check the value before continuing.
- No value has been set.
- The value has not been changed from the default. Check the value before continuing.

Encryption Only Setup

Use the Encryption Only Setup wizard to configure your appliance to act as an encryption server, working alongside other McAfee Email Gateway scanning appliances. The Encryption Only Setup wizard consists of the following pages:

Basic Settings page (Encryption Only Setup)

Use this page, when selecting the Encryption Only Setup Wizard, to specify basic settings for the appliance. The appliance tries to provide some information for you, and shows that information highlighted in amber. To change the information, click and retype.

Cluster mode: Defines the options that appear on the Cluster Management page of the Setup Wizard.
- Off: This is a standard appliance.
- Cluster Scanner: The appliance receives its scanning workload from a master appliance.
- Cluster Master: The appliance controls the scanning workload for several other appliances.
- Cluster Failover: If the master fails, this appliance controls the scanning workload instead.
Device name: Specifies a name, such as appliance1.
Domain name: Specifies a name, such as domain1.com.
Default Gateway: Specifies an IPv4 address. You can test later that the appliance can communicate with this gateway.
Next Hop Router: Specifies an IPv6 address, such as FD4A:A1B2:C3D4::1.
Network Interface: Becomes available when you set the Next Hop Router for IPv6.
Select management port: Specifies the port that manages the appliance. A default is preselected.

Network Settings page (Encryption Only Setup)

Use these options to view and configure the IP address and network speeds for McAfee Email Gateway as an encryption-only appliance. You can use IPv4 and IPv6 addresses, separately or in combination.

To prevent duplication of IP addresses on your network, and because the default addresses are published and therefore known to attackers, give the appliance new IP addresses and disable the default IP addresses. The IP addresses must be unique and suitable for your network. Specify as many IP addresses as you need.
<mode>: The operating mode that you set during installation or in the Setup Wizard.
Network Interface 1: Expands to show the IP address and netmask associated with Network Interface 1, the auto-negotiation state, and the size of the MTU.
Network Interface 2: Expands to show the IP address and netmask associated with Network Interface 2, the auto-negotiation state, and the size of the MTU.
Change Network Settings: Click to open the Network Interface Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2, and to change the chosen operating mode.
View Network Interface Layout: Click to see the interface layout associated with LAN1, LAN2, and the out-of-band interface.

Cluster Management page (Encryption Only Setup)

Use cluster management to specify load balancing requirements. Depending on the cluster mode you selected on the Basic Settings page, the options that appear on the Cluster Management page change.

Cluster Management Configuration (Standard appliance): Do not use. Cluster management is disabled.

Cluster Management (Cluster Scanner)

Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different cluster identifier to ensure that the clusters do not conflict. The identifier must be within the range allowed on the page.

Cluster Management (Cluster Master)

In explicit proxy mode or transparent router mode, you can enable failover between two appliances in a cluster by assigning a virtual IP address to this appliance and configuring another appliance as a Cluster Failover appliance using the same virtual address. In transparent bridge mode, this is achieved by setting a high STP priority for this appliance and configuring another appliance as a Cluster Failover appliance with a lower STP priority.

Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different cluster identifier to ensure that the clusters do not conflict. The identifier must be within the range allowed on the page.
Address to use for load balancing: Specifies the appliance address.
Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances.
In a cluster that has only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.

Cluster Management (Cluster Failover)

Address to use for load balancing: Specifies the appliance address. Provides a list of all subnets assigned to the appliance.
Cluster identifier: If you have more than one cluster or McAfee Content Security Blade Server on the same subnet, assign each a different cluster identifier to ensure that the clusters do not conflict. The identifier must be within the range allowed on the page.
Enable scanning on this appliance: If not selected, this appliance distributes all scanning workload to the scanning appliances. In a cluster that has only a master and a failover appliance, with both configured to scan traffic, the master sends most connections to the failover appliance for scanning.

DNS and Routing page (Encryption Only Setup)

Use this page to configure the appliance's use of DNS and routes. Domain Name System (DNS) servers translate, or "map", the names of network devices into IP addresses (and perform the reverse operation). The appliance sends requests to DNS servers in the order that they are listed here.

DNS server addresses

Server Address: Displays the IP addresses of the DNS servers. The first server in the list must be your fastest or most reliable server. If the first server cannot resolve the request, the appliance contacts the second server. If no server in the list can resolve the request, the appliance forwards the request to the DNS root name servers on the Internet.
If your firewall prevents DNS lookups (typically on port 53), specify the IP address of a local device that provides name resolution.
New Server / Delete Selected Servers: Adds a new server to the list, or removes one, for example when you need to decommission a server because of network changes.
Only send queries to these servers: Selected by default. McAfee recommends that you leave this option selected. The appliance then sends queries only to the DNS servers you list; if a listed server does not know the answer, that server resolves the name recursively through the root DNS servers on the Internet, returns the reply to the appliance, and caches it so that later queries from any client of that server are answered more quickly. If you deselect this option, the appliance attempts to resolve names itself and might query DNS servers outside your network, which must be allowed through your firewall and bypasses the filtering and logging of your internal resolvers.

Routing Settings

Network Address: Type the network address of the route.
Mask: Specifies the network mask of the route, which determines how many hosts are on that network.
Gateway: Specifies the IP address of the router used as the next hop out of the network. An all-zeros address (IPv4) or :: (IPv6) means that the route has no next-hop gateway; the destination is directly attached.
Metric: Specifies the preference given to the route. A low number indicates a high preference for that route.
New Route / Delete Selected Routes: Add a new route to the table, or remove routes. Use the arrows to move routes up and down the list. The routes are chosen based on their metric value.
Enable dynamic routing: Use this option in transparent router mode only. When enabled, the appliance can:
- Receive routing information broadcast over RIP (the default) and apply it to its routing table, so that you do not have to duplicate on the appliance routing information that is already present in the network.
- Broadcast over RIP any static routes that have been configured through the user interface.
Routing information received by broadcast is accepted from whichever device on the segment sends it, so enable dynamic routing only on a segment whose devices you trust.

Email Configuration page (Encryption Only Setup)

Define how the appliance relays email, and configure the hosts that the appliance uses to route email.

Domains for which the appliance will accept or refuse email

After you complete the Setup Wizard, you can manage the domains from Email | Email Configuration | Receiving Email.

Domain Name / Network Address / MX Record: Displays the domain names, wildcard domain names, network addresses, and MX lookups from which the appliance accepts or refuses email.
Type:
- Domain name, for example example.dom. The appliance compares this against the recipient's address, and compares the connecting address against an A record lookup of the domain.
- Network Address, for example a /32 host address or a /24 network. The appliance compares this against the recipient's IP literal address (such as user@[ip-address]) or against the connecting address.
- MX Record Lookup, for example example.dom. The appliance compares the connecting address against an MX record lookup of the domain.
- Wildcard domain name, for example *.example.dom. The appliance uses this only to compare the recipient's address.
Category: Local domain, Permitted domain, or Denied domain.

Add Domain: Click to specify the domains that can relay messages through the appliance to the recipient. Choose from:
- Local domain: the domains or networks for which email is accepted for delivery. For convenience, you can import a list of your local domain names using the Import Lists and Export Lists options. McAfee recommends that you add all domains or networks that are allowed to relay messages as local domains.
- Permitted domain: email is accepted. Use permitted domains to manage exceptions.
- Denied domain: email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format. You must set up at least one local domain.
Add MX Lookup: Click to specify a domain whose MX records the appliance uses to identify all the mail server IP addresses for that domain.
Delete Selected Items: Removes the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration.

Domain Routing

After you complete the Setup Wizard, you can manage the domains from Email | Email Configuration | Sending Email.

Domain: Displays a list of domains.
Type:
- Domain name, for example example.dom. The appliance compares this against the recipient's address, and compares the connecting address against an A record lookup of the domain.
- Network Address, for example a /32 host address or a /24 network. The appliance compares this against the recipient's IP literal address (such as user@[ip-address]) or against the connecting address.
- MX record lookup, for example example.dom. The appliance compares the connecting address against an MX record lookup of the domain.
- Wildcard domain name, for example *.example.dom. The appliance uses this only to compare the recipient's address.
Relay List/MX Record: Displays either the relay list or the MX record for the selected domain.
Add Relay List: Click to populate the Known domains and relay hosts table with a list of host names or IP addresses for delivery.
Delivery is attempted in the order specified unless you select the Round robin the above hosts option, which distributes the load between the specified hosts. Host names and IP addresses may include a port number.
Add MX Lookup: Click to populate the Known domains and relay hosts table with an MX record lookup that determines the IP addresses for delivery. Delivery is attempted to the hosts returned by the MX lookup in the order of priority given by the DNS server.

Delete Selected Items: Removes the selected item from the table. You must apply the changes before the item is completely removed from the appliance configuration.
Enable DNS lookup for domains not listed above: If selected, the appliance uses DNS to route email for other, unspecified domains. DNS delivery attempts an MX record lookup; if there are no MX records, it does an A record lookup. If you deselect this checkbox, the appliance delivers only to the domains that are specified under Known domains and relay hosts.

Time Settings page (Encryption Only Setup)

Set the time and date, and any details for the use of the Network Time Protocol (NTP).

Table 5-53 Option definitions

Appliance Time Zone: Specifies the time zone of the appliance. You might need to set this twice each year if your region observes daylight saving time.
Appliance Time (UTC): Specifies the date and UTC time for the appliance. To select the date, click the calendar icon. You can determine the current UTC time from public time websites.
Set Now: When clicked, applies the date and UTC time that you specified in this row.
Client Time: Displays the time according to the client computer from which your browser is currently connected to the appliance.
Synchronize appliance with client: When selected, Appliance Time (UTC) immediately takes its value from Client Time. You can use this checkbox as an alternative to setting Appliance Time (UTC) manually. The appliance calculates the UTC time from the time zone that it finds on the client's browser, so a wrong clock or time zone on the client becomes a wrong clock on the appliance. Ensure that the client computer is aware of any daylight saving adjustments.
To find the setting on Microsoft Windows, right-click the time display in the bottom right corner of the screen.

Enable NTP: When selected, accepts NTP messages from a specified server or a network broadcast. NTP synchronizes timekeeping among devices in a network. Some Internet Service Providers (ISPs) provide a timekeeping service. Because NTP messages are not sent often, they do not noticeably affect the appliance's performance.
Enable NTP client broadcasts: When selected, accepts NTP messages from network broadcasts only. This method is useful on a busy network, but it requires you to trust the other devices in the network, because any host on the segment can broadcast a time. When deselected, the appliance accepts NTP messages only from the servers specified in the list.
NTP Server: Displays the network address or domain name of one or more NTP servers that the appliance uses, for example time.nist.gov. If you specify several servers, the appliance examines each NTP message in turn to determine the correct time.
New Server: Type the IP address of a new NTP server.
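The domain categories on the Email Configuration page above (Domain name, Wildcard domain name, Network Address and MX Record Lookup entries, each tagged Local, Permitted or Denied) decide whether the appliance relays a message at all. The following Python is an added example, not McAfee code, showing the same comparisons applied to a recipient address and a connecting IP. The DNS answers and the relay table are constructed so that it runs offline, and "first matching entry wins" is an assumption; the page does not state how the appliance orders overlapping entries.

```python
"""Relay-domain classification modelled on the Email Configuration page.

Added example, not McAfee code. DNS answers and the relay table are
constructed; first-match precedence is an assumption.
"""
import fnmatch
import ipaddress

# Constructed DNS data standing in for real A and MX lookups (assumption).
A_RECORDS = {
    "example.dom": {"203.0.113.10"},
    "mail.partner.dom": {"192.0.2.25"},
}
MX_RECORDS = {"partner.dom": ["mail.partner.dom"]}

# Constructed relay table: (entry, type, category). Exceptions are listed
# before the broader entries they override, because the first match wins here.
RELAY_TABLE = [
    ("*.denied.example.dom", "wildcard", "denied"),
    ("example.dom", "domain", "local"),
    ("*.example.dom", "wildcard", "local"),
    ("198.51.100.0/24", "network", "local"),
    ("partner.dom", "mx", "permitted"),
]


def resolve_a(name):
    return A_RECORDS.get(name.lower(), set())


def resolve_mx_ips(domain):
    """IPs of every MX host of the domain: MX lookup, then an A lookup per host."""
    ips = set()
    for host in MX_RECORDS.get(domain.lower(), []):
        ips |= resolve_a(host)
    return ips


def split_recipient(address):
    """Return (domain, ip_literal); exactly one is None. user@[1.2.3.4] is an IP literal."""
    _, _, rhs = address.rpartition("@")
    if rhs.startswith("[") and rhs.endswith("]"):
        return None, ipaddress.ip_address(rhs[1:-1])
    return rhs.lower(), None


def entry_matches(entry, kind, rcpt_domain, rcpt_ip, peer_ip):
    if kind == "domain":
        # Recipient domain matches, or the connecting host is in the domain's A records.
        return rcpt_domain == entry.lower() or str(peer_ip) in resolve_a(entry)
    if kind == "wildcard":
        # Wildcards are compared against the recipient address only.
        return rcpt_domain is not None and fnmatch.fnmatchcase(rcpt_domain, entry.lower())
    if kind == "network":
        # Recipient IP literal, or the connecting address, inside the network.
        net = ipaddress.ip_network(entry, strict=False)
        return (rcpt_ip is not None and rcpt_ip in net) or peer_ip in net
    if kind == "mx":
        # Connecting host is one of the domain's MX servers.
        return str(peer_ip) in resolve_mx_ips(entry)
    raise ValueError(f"unknown entry type {kind!r}")


def classify(recipient, peer_ip, table=RELAY_TABLE):
    """Return 'local', 'permitted' or 'denied'; 'refused' when no entry matches."""
    rcpt_domain, rcpt_ip = split_recipient(recipient)
    peer = ipaddress.ip_address(peer_ip)
    for entry, kind, category in table:
        if entry_matches(entry, kind, rcpt_domain, rcpt_ip, peer):
            return category
    return "refused"  # nothing matched: the appliance must not act as an open relay


if __name__ == "__main__":
    for rcpt, peer in [("alice@example.dom", "192.0.2.1"),
                       ("bob@dev.example.dom", "192.0.2.1"),
                       ("x@evil.denied.example.dom", "192.0.2.1"),
                       ("eve@other.dom", "192.0.2.25"),
                       ("mallory@other.dom", "192.0.2.1")]:
        print(f"{rcpt:28} from {peer:12} -> {classify(rcpt, peer)}")
```

The last case is the one that matters for relay abuse: a recipient outside every listed domain, arriving from an address that is neither inside a listed network nor an MX of a permitted domain, matches nothing and is refused. Note that a Network Address entry matches on the connecting address as well, so any host inside a local network can relay to any destination through the appliance.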

Password page (Encryption Only Setup)

Specify a password for the appliance. For a strong password, include letters and numbers. You can type up to 15 characters.

User ID: This is admin. You can add more users later.
Current Password: The existing password. The original default password is password. Change it as soon as possible to keep your appliance secure; the default is published and therefore known to anyone who probes the appliance.
New Password / Confirm New Password: Specifies the new password. You must enter the new password twice to confirm it.

Summary page (Encryption Only Setup)

Review a summary of the settings that you have made for the network connections and the scanning of email traffic. To change any value, click its blue link to display the page where you originally typed the value.

After you click Finish, the Setup Wizard has completed. Use the IP address shown here to access the interface. The address starts with https, not http. If you have configured your McAfee Email Gateway to provide Secure Web Mail, you need to access the appliance on the Secure Web Mail port, which you append to the address after a colon. When you first log on to the interface, type the user name admin and the password that you gave on the Password page.

Table 5-54 Basic settings (status indicators shown beside each value)
- The value is set according to best practice.
- The value is probably not correct.
- Although the value is valid, it is not set according to best practice. Check the value before continuing.
- No value has been set.
- The value has not been changed from the default. Check the value before continuing.

6 Overview of Troubleshoot features

This topic provides an overview of the features within McAfee Email Gateway that assist you in troubleshooting the appliance.

Troubleshoot

If you are experiencing problems, read the Troubleshooting section, which answers some frequently asked questions. The appliance includes many diagnostic tools for identifying problems.

The Resources link at the top of the window provides links to the following information:
- Contacting support.
- Submitting a sample.
- The Virus Information Library.
- Additional resources, including links to a list of McAfee contact addresses and to the SNMP MIB definitions.

Contents
- Troubleshooting Tools
- Troubleshooting Reports
- Tests

Troubleshooting Tools

Use these topics to learn about the troubleshooting tools included within the appliance (Troubleshoot | Troubleshooting Tools).

Contents
- Ping and Trace Route
- Generate Test Email
- System Load
- Route Information
- Disk Space
- Hardware Status
- FIPS Status

Ping and Trace Route

Use this page to test whether the appliance can reach other devices over the network.

Troubleshoot | Troubleshooting Tools | Ping and Trace Route

If a response comes back, that device can be reached. If the request times out, that device cannot be reached, or a firewall between the two is dropping ICMP, so a timeout alone does not prove that the device is down. A successful reply rules out physical problems with the network connection and confirms that the other device is switched on.

Table 6-1 Option definitions

Target IP and Domain Name: Specifies the target device or domain.
Ping count: Specifies the number of times to send the request.
Use IPv6 protocol: When selected, uses the IPv6 protocol. When not selected, uses the IPv4 protocol.
Ping Target: When clicked, sends the request and provides information about the packets.
Trace Route: When clicked, sends the request and provides information about the route taken.

Generate Test Email

Use this page to generate a test email message.

Troubleshoot | Troubleshooting Tools | Generate Test Email

Recipient address: Type the name of the mailbox that you want to receive the test notification message.
Subject: Type the subject line that you want to appear in the test notification message.
Generate: Click to send the test notification message to the mailbox you specified.

System Load

Use this page to display information about the processor's state.

Troubleshoot | Troubleshooting Tools | System Load

The display is updated every few seconds. The information is similar to that from the Linux top command.

Table 6-2 Option definitions

Pause: When clicked, stops the information being updated. Click Resume to return to normal updating.
Uptime Info: Displays how long the system has been running.
Load Averages: Displays the load averages, which are the average number of processes that were ready to run during the last 1, 5 and 15 minutes.

Table 6-2 Option definitions (continued)

CPU: Displays the percentage of CPU time spent in user mode, system mode, niced tasks and idle. (Niced tasks are only those whose nice value is positive.) Time spent in niced tasks is also counted in user and system time, so the figures can total more than 100%.
Processes: Displays the total number of processes at the time of the last update, broken down into processes that are running, sleeping, stopped, or zombie (undead).
Memory: Displays statistics on memory usage, including total available memory, free memory, used memory, shared memory, and memory used for buffers.
Swap: Displays statistics on swap space, including total swap space, available swap space, and used swap space.
Command / State: Displays information about each process.

Route Information

Use this page to see information about the routes used to access certain networks and hosts.

Troubleshoot | Troubleshooting Tools | Route Information

Use this page to see information about:
- Routes used to access certain networks.
- Routes used to access hosts that have recently received IP packets from the appliance. This host information is stored in the appliance's local cache.

The information might take a few minutes to display. The information is similar to that from the Linux route command.

Table 6-3 Option definitions

Display Routing Cache: When selected, provides address information that the appliance derives from conversations with other devices. Click Refresh to see the information.
Use Numeric Addresses: When selected, shows IP addresses instead of domain names in the Source, Destination and Gateway columns. Click Refresh to see the information.
Refresh: When clicked, provides the information requested by the settings of Display Routing Cache and Use Numeric Addresses.
Destination: Displays the network to which IP packets are sent for this route.
An all-zeros destination means the default route, specified by the Setup Wizard, is used.
Gateway or Next Hop: Displays the IP address of the router used as the next hop out of the network. An all-zeros address means that the route has no next-hop gateway; the destination is directly attached.
Genmask: Displays the network mask that determines whether an IP address is the address of a network or of a specific host.

Table 6-3 Option definitions (continued)

Flags: Displays information about the route, for example:
- ! : The route has been rejected, probably in preference for an alternative route.
- A or addrconf: Installed by addrconf.
- C: An entry in the appliance's cache.
- D: A dynamically installed route.
- G or Gateway: The destination is a gateway or network (excluding the appliance's internal network).
- H: The destination is a host.
- I or internal: The route uses the loopback interface.
- L or local: The destination is an address of this appliance.
- M: A dynamically modified route.
- R: The route was reinstated by dynamic routing.
- U or Up: The route is available and operational.
Metric: Displays the preference given to the route. A low number indicates a high preference for that route.
Ref: Displays the number of references to this route, and is usually 0.
Use: Displays the number of times that the appliance recently selected the route.
Interface: Displays the port where the IP packets are sent.
- lo: loopback interface.
- ibr0: network interface when in Transparent Bridge mode.
- eth0: equivalent to LAN1.
- eth1: equivalent to LAN2.

Disk Space

Use this page to see how disk space is being used.

Troubleshoot | Troubleshooting Tools | Disk Space

Table 6-4 Option definitions

Mounted on: Displays the name of each directory. Click a name to open another window, then click the arrows next to further names to see the size of the subdirectories.
Size to Percentage used: Displays information about each main directory. Percentages are rounded to the nearest whole number.
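The Route Information page above shows the same columns as the Linux route command, and the guide leaves it to the reader to work out which route a given packet will actually take. The following Python is an added example, not McAfee code: it parses route -n style output, expands the Flags column using the Table 6-3 meanings, and selects the route for a destination by longest prefix match, breaking ties on the lower Metric. The sample routing table is constructed for the example.

```python
"""Parse `route -n` style output and pick the route for a destination.

Added example, not McAfee code. Flag letters follow Table 6-3 on the
Route Information page; the sample table below is constructed.
"""
import ipaddress

FLAG_MEANINGS = {
    "!": "rejected", "A": "addrconf", "C": "cache", "D": "dynamic",
    "G": "gateway", "H": "host", "I": "internal", "L": "local",
    "M": "modified", "R": "reinstated", "U": "up",
}

# Constructed sample in the layout of the Linux `route -n` command.
SAMPLE_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.2.1        0.0.0.0         UG    100    0        0 eth0
0.0.0.0         10.1.2.254      0.0.0.0         UG    200    0        0 eth1
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0       12 eth0
10.1.0.0        10.1.2.9        255.255.0.0     UG    0      0        0 eth0
192.0.2.8       10.1.2.1        255.255.255.255 UGH   0      0        3 eth0
"""


def decode_flags(flags):
    """Expand a flags string such as 'UGH' into its Table 6-3 meanings."""
    return [FLAG_MEANINGS.get(ch, f"unknown({ch})") for ch in flags]


def parse_route_table(text):
    """Return one dict per route line; title, header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, genmask, flags, metric, ref, use, iface = fields
        routes.append({
            # Destination plus Genmask give the network the route covers;
            # 0.0.0.0 with mask 0.0.0.0 is the default route.
            "network": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": gateway,  # 0.0.0.0 means no next hop: directly attached
            "flags": flags,
            "meanings": decode_flags(flags),
            "metric": int(metric),
            "ref": int(ref),
            "use": int(use),
            "iface": iface,
        })
    return routes


def select_route(routes, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins.

    Rejected (!) routes and routes that are not Up are never selected.
    """
    ip = ipaddress.ip_address(destination)
    usable = [r for r in routes
              if "U" in r["flags"] and "!" not in r["flags"] and ip in r["network"]]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r["network"].prefixlen, r["metric"]))


ROUTES = parse_route_table(SAMPLE_ROUTE_OUTPUT)

if __name__ == "__main__":
    for dst in ("203.0.113.5", "10.1.2.5", "10.1.7.3", "192.0.2.8"):
        r = select_route(ROUTES, dst)
        print(f"{dst:14} via {r['gateway']:12} dev {r['iface']}  ({', '.join(r['meanings'])})")
```

With the sample table, 203.0.113.5 leaves through the metric-100 default route on eth0 rather than the metric-200 one on eth1, 10.1.2.5 is delivered directly (gateway 0.0.0.0) because the /24 is longer than the /16, and 192.0.2.8 hits the host (H) route. Paste the appliance's own Route Information output into SAMPLE_ROUTE_OUTPUT to check which interface and gateway a suspicious destination would use.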

Hardware Status

Use this page to find out more about issues, or potential hardware-related issues, highlighted on the Hardware Summary portlet on the Dashboard.

Troubleshoot | Troubleshooting Tools | Hardware Status

The content of this page varies with the hardware on which you are running McAfee Email Gateway. If you are running a virtual instance of the software, no information is displayed on this page. The information displayed for the appliance hardware platforms that include hardware monitoring differs from the information displayed for a Content Security Blade Server.

The data used to provide the hardware information on this page is refreshed every 10 minutes. However, it can take some time for the hardware to report its status to the user interface. To be sure that the latest information is displayed, reload the page if it has been displayed for some time.

Table 6-5 Option definitions

Power Supplies: Displays information about the power supplies within the hardware.
Cooling: Provides the status and current fan speed for the components in the cooling system within the hardware.
Temperature: Displays the temperature at various points within your hardware.
Other Modules: Provides information on other modules included within your hardware. These can include intrusion detection information, as well as information about memory usage within the hardware.
Voltage: Lists the measured voltages at key points within the hardware.

FIPS Status

Find out about FIPS compliance issues highlighted on the System Summary portlet on the Dashboard.

Troubleshoot | Troubleshooting Tools | FIPS Status

The FIPS standards govern which encryption algorithms are approved for the purposes of secure communications. If the appliance is configured to use algorithms not approved by the FIPS standards, this page shows warnings.
Other warnings about your high-security installation, such as shell access to the appliance being enabled, are also displayed. In addition to compliance warnings, any compliance failures relating to security-critical software libraries are also displayed. Contact your McAfee Technical Representative for assistance in resolving these issues.

Troubleshooting Reports

Use these topics to learn about the troubleshooting reports included within the appliance (Troubleshoot | Troubleshooting Reports).

Contents
- Minimum Escalation Report
- Capture Network Traffic
- Save Queues
- Save Log Files
- Error Reporting Tool

Minimum Escalation Report

If requested by McAfee Technical Support, use this page to create a minimum escalation report to help them diagnose a problem with your appliance.

Troubleshoot | Troubleshooting Reports | Minimum Escalation Report

The report provides the minimum information they need. You might be asked to provide further information later. The report goes to a ZIP file and can take a few minutes to produce. The file size is several megabytes.

Table 6-6 Option definitions

Include TLS certificates and private keys in the configuration backup: When selected, includes certificates and keys in the Minimum Escalation Report. The TLS certificates and private keys are not encrypted when stored in the Minimum Escalation Report.
Include Hybrid configuration in the backup: When selected, includes the Hybrid configuration in the Minimum Escalation Report. The Hybrid private key is not encrypted when stored in the Minimum Escalation Report.
Because these keys are stored in clear text inside the report, treat the ZIP file as secret material: select these options only when support asks for them, transfer the file over an encrypted channel, delete it when the case is closed, and consider reissuing the keys if the report could have been exposed.
Run network tests: When selected, runs the network tests and includes the results in the Minimum Escalation Report.
Collect appliance logs: When selected, includes the appliance logs in the Minimum Escalation Report.
Collect system logs: When selected, includes the system logs in the Minimum Escalation Report.
Collect SMTP dump files: When selected, includes any SMTP dump files in the Minimum Escalation Report.
Collect reporting database: When selected, includes the reporting database in the Minimum Escalation Report.
Collect MTA database: When selected, includes the Mail Transfer Agent database in the Minimum Escalation Report.

Table 6-6 Option definitions (continued)

Generate report: When clicked, collects the specified items into a .zip file. While data is collected, a new window shows the progress of the collection. To hide the window, click Close. To reopen the window, click Display Current Progress.
Save the report: When clicked, allows you to view the information as several HTML files on the appliance, or save the information as a ZIP file. The file name includes the date and time.
Delete the report: When clicked, removes the report from the appliance.

Capture Network Traffic

Use this page to capture the TCP traffic coming in and out of the appliance for later analysis.

Troubleshoot | Troubleshooting Reports | Capture Network Traffic

This tool does not work correctly if the appliance is running in transparent router mode or transparent bridge mode.

The output file is a gzip-compressed tcpdump capture file. You can analyze the output with a tool such as Wireshark or WinDump. The capture holds the full payload of every captured packet, so SMTP sessions that did not negotiate TLS appear in clear text; treat the capture file as sensitive.

Table 6-7 Option definitions

Everything: When selected, collects information about TCP packets in all protocols.
Selected Protocols: When selected, collects only information about TCP packets that are from or to a port corresponding to the selected protocols. The file can become large, so do not collect from more protocols than you need.
Duration of capture: Specifies how long to run the capture. The default value is 30 minutes.
Maximum size of output file: Specifies a limit to the size of the report. The default value is 50 MB.
Generate report: When clicked, begins capturing information about network traffic. While data is collected, a new window shows the progress. To hide the window, click Close. To reopen the window, click Display Current Progress. The capture stops when one of the following events occurs:
- The duration ends.
- The maximum file size is exceeded.
- You click Stop Capture in the Network capture progress window.
- The disk on the appliance is nearly full.
McAfee Gateway Appliances Administrators Guide 453

454 6 Overview of Troubleshoot features Troubleshooting Reports Table 6-7 definitions (continued) Save the report Delete the report When clicked, allows you to view the information as a several files on the appliance, or save the information as a zipped tar file. The file name includes the date and time. When clicked, removes the report from the appliance. Save Queues Use this page to specify queues to save offline. Troubleshoot Troubleshooting Reports Save Queues The items are saved to a.zip file, which can take a few minutes to produce. To view the lists of queues on the appliance, select Message Search on the navigation bar. To view the queued , select Overview. Table 6-8 definitions Quarantine viruses to MQM deferred Generate report Save the report Delete the report When selected, specifies which items to include in the report. If you select Quarantine viruses, Quarantine queue or MQM deferred, the report will contain infected files. When clicked, collects the specified items into a.zip file. While data is collected, the status window shows the progress. When clicked, allows you to view the information as a several files on the appliance, or save the information as a ZIP file. The file name includes the date and time. When clicked, removes the report from the appliance. Save Log Files Use this page to save the log files for later analysis or to view them within the user interface. Troubleshoot Troubleshooting Reports Save Log Files You might want to regularly save your log files, because the appliance automatically removes log entries after some time, or when the log files are nearly full. You can also use this page to view logs currently stored on your appliance. 454 McAfee Gateway Appliances Administrators Guide
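The file that the Capture Network Traffic page described above produces is a gzip-compressed tcpdump (classic pcap) capture. Wireshark reads it directly, but when you need to answer one question across a 50 MB capture (which clients opened SMTP connections, which were reset, and whether the capture was cut short) a small script is faster. The following is an added example, not the appliance's own code: a dependency-free pcap reader that summarizes SMTP connection attempts per client. The frames and the capture file are constructed in memory (the addresses are from the documentation ranges), so it runs offline; point `summarize_smtp` at the bytes of a real capture to use it.

```python
"""Summarize SMTP connections in a gzip-compressed tcpdump (pcap) capture."""
import gzip
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def iter_packets(raw):
    """Yield (timestamp_seconds, frame_bytes, was_snapped) from pcap bytes, gunzipping if needed."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    magic = struct.unpack("<I", raw[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # written little-endian (usec or nsec stamps)
        order = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # written big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(order + "IHHiIII", raw[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d" % linktype)
    offset = 24
    while offset + 16 <= len(raw):
        ts_sec, _, incl_len, orig_len = struct.unpack(order + "IIII", raw[offset:offset + 16])
        offset += 16
        frame = raw[offset:offset + incl_len]
        if len(frame) < incl_len:   # file ends mid-record: size limit, disk-full or Stop Capture
            return
        offset += incl_len
        yield ts_sec, frame, orig_len > incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4 or frame[23] != IPPROTO_TCP:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    if len(tcp) < 14:               # snapped before the TCP flags byte
        return None
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[13]


def summarize_smtp(raw, smtp_ports=(25, 465, 587)):
    """Per (client, server, port): packets, new-connection SYNs and RSTs; plus snapped-frame count."""
    flows, snapped = {}, 0
    for _, frame, was_snapped in iter_packets(raw):
        snapped += was_snapped
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        if dport in smtp_ports:
            key = (src, dst, dport)
        elif sport in smtp_ports:
            key = (dst, src, sport)
        else:
            continue
        flow = flows.setdefault(key, {"packets": 0, "syn": 0, "rst": 0})
        flow["packets"] += 1
        if flags & TCP_SYN and not flags & TCP_ACK:   # SYN without ACK: a new connection attempt
            flow["syn"] += 1
        if flags & TCP_RST:
            flow["rst"] += 1
    return flows, snapped


# --- constructed input: a handshake that is reset, and a client whose SYNs get no answer ---
def build_tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero because only headers are parsed."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp


def build_pcap(frames, snaplen=65535):
    """Write a little-endian classic pcap (as tcpdump -w does) and gzip it like the appliance does."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, min(len(frame), snaplen), len(frame)) + frame[:snaplen]
    return gzip.compress(out)


GATEWAY, CLIENT_A, CLIENT_B = "192.0.2.25", "198.51.100.7", "203.0.113.9"
SAMPLE_FRAMES = [
    (1, build_tcp_frame(CLIENT_A, GATEWAY, 40001, 25, TCP_SYN)),
    (1, build_tcp_frame(GATEWAY, CLIENT_A, 25, 40001, TCP_SYN | TCP_ACK)),
    (1, build_tcp_frame(CLIENT_A, GATEWAY, 40001, 25, TCP_ACK)),
    (2, build_tcp_frame(CLIENT_A, GATEWAY, 40001, 25, TCP_RST | TCP_ACK)),
    (3, build_tcp_frame(CLIENT_B, GATEWAY, 50001, 25, TCP_SYN)),
    (4, build_tcp_frame(CLIENT_B, GATEWAY, 50001, 25, TCP_SYN)),
    (6, build_tcp_frame(CLIENT_B, GATEWAY, 50001, 25, TCP_SYN)),
    (6, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),   # an ARP frame: not IPv4, skipped
]

if __name__ == "__main__":
    for (client, server, port), stats in summarize_smtp(build_pcap(SAMPLE_FRAMES))[0].items():
        print("%s -> %s:%d %s" % (client, server, port, stats))
```

The snapped-frame counter matters on this appliance: a capture that stops because the disk is nearly full or the size limit is hit can end inside a record, and a frame whose `orig_len` exceeds `incl_len` was truncated at capture time, so a missing TLS handshake in such a capture is a capture artifact, not evidence of what the peer sent.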

Save Log Files option definitions

Date ranges
    Select the date ranges that you are interested in saving. You can either select All Dates, or specify a Date Range using the controls provided.
Limit total size of log file to
    Specifies the maximum size of the file when backing up the logs. Default value is 30 MB. The output file is a collection of compressed files, containing information about system activity, performance history, web server activity, and version numbers. For more information about performance history, specify a large file size.
Backup Logs
    When clicked, collects all the appliance's log settings into a file, and allows you to download the file. You can safely store configuration details about the appliance offline, and restore that information later if the original appliance fails. The system configuration files are saved to a ZIP file.
Save the logs
    When clicked, allows you to download the logs. The link is active only after the log files have been generated.

System Log Viewer option definitions

Log file to view
    From the drop-down list, select the log file that you want to view:
        System log: shows the contents of the system log stored at /var/log/messages.
        Mail log: with on-box syslog enabled, shows the contents of the mail log stored at /var/log/mail. With off-box syslog enabled, this log is empty.
        UI error log: shows the log file of the web server that is hosting the appliance user interface.
Number of lines to retrieve
    Select the number of lines to display at a time.
Update view as the logs change
    When selected, the displayed logs are updated as new entries are recorded by the appliance.
Get Logs
    Click to display the selected logging information using the selected options.
Stop Getting Logs
    Click to stop displaying the log files. The current screen is retained, but no further updates are shown until you select a further action.
Configure off-box system logs and system log archive
    Click this link to move to the System | Logging, Alerting and SNMP | System Log Settings page, where you can configure your system logging options.

Error Reporting Tool

Troubleshoot | Troubleshooting Reports | Error Reporting Tool

Use this page to create a report to help McAfee Technical Support diagnose any problems with your appliance. McAfee Technical Support might ask for this report in addition to the Minimum Escalation Report. The report goes to a ZIP file and can take a few minutes to produce. The file size is several megabytes.
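Every report on these pages (Minimum Escalation Report, Save Queues, Save Log Files and the Error Reporting Tool) is a ZIP archive, and the Minimum Escalation Report can carry the TLS and Hybrid private keys in clear. A pre-flight check before the archive leaves your network is cheap. The following is an added example, not the appliance's own code: it walks a report ZIP, descends into nested archives such as an embedded configuration backup, reports every PEM private-key block it finds (and whether that block is at least PEM-encrypted), and writes a copy with the blocks redacted. The archive layout, entry names and PEM bodies below are constructed placeholders; the appliance's real report layout is not documented on this page.

```python
"""Find, and redact, PEM private keys inside a troubleshooting-report ZIP."""
import io
import re
import zipfile

# A PEM private-key block of any type: "RSA PRIVATE KEY", "EC PRIVATE KEY", PKCS#8 "PRIVATE KEY",
# or "ENCRYPTED PRIVATE KEY". The backreference makes the END label match the BEGIN label.
PEM_KEY_BLOCK = re.compile(
    rb"-----BEGIN (?P<kind>(?:[A-Z]+ )?PRIVATE KEY)-----.*?-----END (?P=kind)-----", re.DOTALL)
ZIP_MAGIC = b"PK\x03\x04"


def sanitize_report(zip_bytes, prefix="", depth=0, max_depth=3, max_entry_bytes=64 * 1024 * 1024):
    """Return (sanitized_zip_bytes, findings).

    findings is a list of (entry_path, key_kind, encrypted) tuples, one per PEM block. Nested ZIPs
    are descended to max_depth and reported with a "!/" separator in the path. Entries larger than
    max_entry_bytes, or archives nested too deep, are dropped rather than shipped unscanned.
    """
    findings = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > max_entry_bytes:
                findings.append((path, "entry too large to scan; dropped", None))
                continue
            data = zin.read(info)
            if data.startswith(ZIP_MAGIC):
                if depth >= max_depth:
                    findings.append((path, "nested archive not expanded; dropped", None))
                    continue
                data, nested = sanitize_report(data, path + "!/", depth + 1, max_depth, max_entry_bytes)
                findings.extend(nested)
            else:
                def redact(match):
                    kind = match.group("kind")
                    encrypted = (kind.startswith(b"ENCRYPTED")
                                 or b"Proc-Type: 4,ENCRYPTED" in match.group(0))
                    findings.append((path, kind.decode("ascii"), encrypted))
                    return b"-----" + kind + b" REDACTED-----"
                data = PEM_KEY_BLOCK.sub(redact, data)
            zout.writestr(info.filename, data)
    return out.getvalue(), findings


def list_private_keys(zip_bytes):
    """Just the findings, for a pre-flight check before uploading a report."""
    return sanitize_report(zip_bytes)[1]


def constructed_report():
    """Stand-in for a report: a cert with its clear key, an encrypted key, a log file, and a
    nested configuration backup holding a PKCS#8 key. PEM bodies are placeholders, not keys."""
    def pem(label, body="UExBQ0VIT0xERVI="):
        return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)).encode()

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("hybrid/hybrid.key", pem("PRIVATE KEY"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("config/tls/mail.example.test.pem", pem("CERTIFICATE") + pem("RSA PRIVATE KEY"))
        z.writestr("config/tls/legacy.pem", pem("ENCRYPTED PRIVATE KEY"))
        z.writestr("logs/messages", b"Jan  1 00:00:00 appliance kernel: constructed log line\n")
        z.writestr("config/backup.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    clean, found = sanitize_report(constructed_report())
    for path, kind, encrypted in found:
        print("%s: %s (%s)" % (path, kind, "encrypted" if encrypted else "CLEAR"))
    print("after sanitizing:", list_private_keys(clean))
```

Redaction only removes what the regular expression recognizes; DER-encoded keys, keys inside a database dump, or message content collected by Add content data are not caught, so a finding of "none" is a reason to look further, not proof the archive is clean.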

McAfee recommends that you select Enable error monitor.

Table 6-9 Option definitions

Enable error monitor
    Allows the appliance to capture information about any errors it encounters.
Add content data
    When the appliance encounters an error, selecting Add content data allows the appliance to store information about the data that was being handled by the appliance at the time of the error. This can greatly assist McAfee in diagnosing the problem. Because that data is the content the appliance was processing, check the option against your data-handling policy before combining it with Auto submit error events.
Auto submit error events
    Allows the appliance to automatically submit information about error events to McAfee.
Event lifetime
    The number of days that the appliance stores events for, if an error is detected.
Submit selected events to McAfee
    Use this to send error reports to McAfee for further analysis.
Delete selected events
    Use this to remove events that are no longer needed.

Tests

Troubleshoot | Tests

Use these topics to learn about the troubleshooting tests that you can carry out from the appliance.

System Tests

Troubleshoot | Tests | System Tests

Test that the appliance is correctly connected to other devices, such as servers that provide DNS services and the McAfee update servers. The list of tests that you see depends on the features that you have enabled in the appliance.

Option definitions

Start Tests
    Starts the tests. They can take several minutes to complete. The results appear in place of the status symbol next to each test: one symbol indicates that the test was successful, one that the test failed (click the Details link for more information), and one that the test is still running.
Stop Tests
    Stops the tests. Any test that has already started runs to completion.

Gateway tests
    Ping the gateway: States whether the gateway can be pinged for every static route. Ping by itself is not a reliable test of connections, because some devices might be configured to ignore ping requests. However, even if the ping test fails, the gateway must always appear in the ARP table.
    Look for the gateway in the ARP table: States whether the gateway is listed in the ARP table.
DNS servers tests
    Ping the DNS server: States whether the appliance can contact the DNS servers.
    Query the DNS server for the external address: States whether each DNS server can resolve the address into the correct set of IP addresses.
NTP servers test(s)
    Time Synchronization status with server <servername>: Displays the status of each NTP server that you have configured.
Off-box syslog servers tests
    Ping UDP syslog server <servername>: Checks that the UDP syslog server host is responding. Because UDP syslog is unacknowledged, a successful ping shows only that the host is reachable, not that it accepts or stores the messages.
    Check connectivity to TCP syslog server <servername>: Checks for connectivity to the TCP syslog server.
MQM server test
    Check if the MQM server is available: Sends a health check request to the McAfee Quarantine Manager (MQM) server.
Appliance name and domain tests
    Query the appliance domain name and Query the appliance address: States whether each DNS server can find the appliance, given its domain address and its fully qualified domain name.
McAfee Global Threat Intelligence File Reputation Servers test
    Check for McAfee GTI file reputation connectivity: Confirms that the servers can be accessed using a test sample.
McAfee Global Threat Intelligence Feedback Server test
    Query the McAfee GTI feedback server: States whether the appliance can contact the McAfee GTI feedback server.
Sender Authentication Servers tests
    Query the McAfee GTI message reputation lookup server: States whether the appliance can contact the server.
    Query the RBL server/Test the RBL server: If you have defined an RBL server, the appliance checks that a name server record exists for the RBL domain name, and that an A (address) record for the test entry under @RBL_DOMAIN exists (most RBL servers publish a fixed test address for this purpose). The appliance performs a static query against the servers and tests the connection.
LDAP Servers test
    Check for connectivity to LDAP server: States whether the appliance can connect to the LDAP server.
McAfee SaaS Email Protection Service test
    Connect to the web service: Verifies that the appliance can connect to the McAfee SaaS web service.
Component Updates tests
    Talk to the AV update ftp server: Checks that the FTP anti-virus update site can be accessed.
    Talk to the AV update http server: Checks that the HTTP anti-virus update site can be accessed.
    Talk to the Commtouch Command update server: Checks that the Commtouch Command update site can be accessed.
    Talk to the SPAM update server: Checks that the anti-spam update sites can be accessed. (Only available when email is scanned.)
ePO tests
    Updater running: Checks that the updater has started.
    Updater listening to ePO: Checks that the appliance is listening to the McAfee ePO server.
    Initiating communication to ePO: Checks that the appliance can send data to the McAfee ePO server.
    Sending events to ePO: Checks that the number of McAfee ePO events waiting to be sent to the McAfee ePO server does not exceed a predefined threshold.
SNMPD client tests
    Snmpd client running: Checks that the snmpd process is running.
    Snmpd listening for snmp requests: Checks that snmpd is listening for SNMP requests.
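The RBL server test above checks two things: that the RBL zone has a name server record, and that its well-known test entry resolves. Both checks, and the way a sender address is turned into a lookup name, are specified in RFC 5782, which requires every DNSBL to list 127.0.0.2 as a test entry and to answer listings with addresses in 127.0.0.0/8. The following is an added example, not the appliance's own code, that reproduces the test offline and also shows the failure mode the test exists to catch: a lapsed RBL domain that a parking service now answers with a public address, which, if trusted, would list every sender. It goes slightly beyond the page in also handling IPv6 sender addresses (nibble-reversed, also per RFC 5782). The DNS answers are constructed, and `resolve` is a stand-in for a real resolver that you would supply.

```python
"""Mirror the appliance's RBL (DNSBL) zone test and query-name construction, offline."""
import ipaddress

RBL_TEST_ADDRESS = "127.0.0.2"                  # RFC 5782 section 5: every IPv4 DNSBL must list it
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # valid listing codes live here


def dnsbl_query_name(address, zone):
    """IPv4: reversed octets; IPv6: reversed nibbles of the full 32-digit form; then the zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def split_answers(answers):
    """Separate 127.0.0.0/8 listing codes from anything else (a parked or hijacked zone)."""
    codes = sorted(a for a in answers if ipaddress.ip_address(a) in LOOPBACK)
    unexpected = sorted(a for a in answers if ipaddress.ip_address(a) not in LOOPBACK)
    return codes, unexpected


def check_rbl_zone(zone, resolve):
    """The two checks the appliance runs: an NS record for the zone, and a 127/8 answer for the
    test entry. resolve(name, rrtype) returns a list of rdata strings, empty when there is none."""
    result = {"zone": zone, "ns_ok": False, "test_entry_ok": False, "problems": []}
    if resolve(zone, "NS"):
        result["ns_ok"] = True
    else:
        result["problems"].append("no NS record for %s" % zone)
    codes, unexpected = split_answers(resolve(dnsbl_query_name(RBL_TEST_ADDRESS, zone), "A"))
    if codes and not unexpected:
        result["test_entry_ok"] = True
    elif not codes and not unexpected:
        result["problems"].append("test entry %s is not listed" % RBL_TEST_ADDRESS)
    else:
        result["problems"].append("test entry answered with non-127/8 addresses %s" % unexpected)
    return result


def lookup(address, zone, resolve):
    """Listing codes for a sender address, or [] when it is not listed. Only 127/8 answers count,
    so a wildcarded parked domain does not turn into a blanket block."""
    return split_answers(resolve(dnsbl_query_name(address, zone), "A"))[0]


# --- constructed answers: one healthy zone, and one whose domain lapsed and is now parked ---
CONSTRUCTED_ANSWERS = {
    ("rbl.example.test", "NS"): ["ns1.rbl.example.test."],
    ("2.0.0.127.rbl.example.test", "A"): ["127.0.0.2"],                    # RFC 5782 test entry
    ("4.100.51.198.rbl.example.test", "A"): ["127.0.0.2", "127.0.0.4"],    # a listed sender
    ("2.0.0.127.lapsed.example.test", "A"): ["203.0.113.50"],               # parking wildcard
}


def constructed_resolver(name, rrtype):
    return list(CONSTRUCTED_ANSWERS.get((name, rrtype), []))


if __name__ == "__main__":
    for zone in ("rbl.example.test", "lapsed.example.test"):
        print(check_rbl_zone(zone, constructed_resolver))
    print(lookup("198.51.100.4", "rbl.example.test", constructed_resolver))
```

To run the check against a live zone, replace `constructed_resolver` with a function that performs the NS and A queries (dnspython's `dns.resolver.resolve` returns answer sets you can map to strings); the appliance's own test does the equivalent from the System Tests page.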

7 Overview of Email Gateway appliances and ePolicy Orchestrator Integration

This topic provides an overview of the integration of McAfee Email Gateway appliances with McAfee ePolicy Orchestrator.

Contents
    How appliances work with ePolicy Orchestrator
    Differences in Email Gateway appliance administration under ePolicy Orchestrator
    Configuring your appliance for ePolicy Orchestrator management
    Managing your appliances from within ePolicy Orchestrator
    Task: Upgrade from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator

How appliances work with ePolicy Orchestrator

This topic gives a top-level overview of how you can integrate your McAfee Email Gateway appliance with your McAfee ePolicy Orchestrator server.

With this release, you can monitor the status of your appliances and also directly manage your appliances from within ePolicy Orchestrator, without needing to launch the interface for each appliance. Within ePolicy Orchestrator, the user interface pages that you use to configure and manage your Email Gateway appliances have a familiar look and feel to the pages that you find within the appliances.

When you enable ePolicy Orchestrator management on Email Gateway appliances, the McAfee Agent that is pre-packaged as part of each appliance is given the configuration information (server name, IP address, passwords to access the ePolicy Orchestrator update repositories, and the public keys needed to gain access to your ePolicy Orchestrator server). The agent then starts communication between your appliance and the ePolicy Orchestrator server.

You can download the ePolicy Orchestrator extensions from the Resources link within the Email Gateway appliances user interface. This zip file contains two ePolicy Orchestrator extensions:
    The EWG 2.0 extension, which provides the monitoring and reporting capabilities for Email and Web Security Appliances versions 5.5 and 5.6, McAfee Web Gateway and McAfee Email Gateway products.
    The MEG 7.5 extension, which provides the method to push policy configuration from the ePolicy Orchestrator server to your Email Gateway appliances and blade servers.
In addition, you can also download the help extensions for each of these ePolicy Orchestrator extensions. These are also available from the Resources link within the Email Gateway appliances user interface.

Working from within ePolicy Orchestrator, you can push configurations to all your ePolicy Orchestrator-enabled appliances using the standard ePolicy Orchestrator workflows and features. Further information about configuring your appliance for ePolicy Orchestrator management can be found within the Setup Wizard | ePO Managed Setup help page.

Differences in Email Gateway appliance administration under ePolicy Orchestrator

This information describes differences in the Email Gateway appliance software when it is run from McAfee ePolicy Orchestrator.

Introduction

When McAfee ePolicy Orchestrator manages an Email Gateway appliance, there are some noticeable differences in the available features and their behavior:
    Data that is generated from "live" information for an Email Gateway appliance is not available in ePolicy Orchestrator.
    Some Email Gateway appliance features and options have different menu paths under ePolicy Orchestrator.

The following tables provide a breakdown of the Email Gateway appliance 5.6 features that are not part of ePolicy Orchestrator management, or are located in a different place in the interface. The menu paths are those used in the Email Gateway appliance. The Troubleshooting tab available in the Email Gateway appliance does not appear in ePolicy Orchestrator.

Table 7-1 Report information

Dashboard
    Dashboard information is based on live information, and is not available from ePolicy Orchestrator.
Reports | Scheduled Reports
    The Favorite report, and the Email Now and Download reporting actions, are based on live information from the appliances, and are not available in ePolicy Orchestrator.
Reports | Email Reports
    Live reporting information is based on live information, and is not available from ePolicy Orchestrator.
Reports | System Reports
    Live reporting information is based on live information, and is not available from ePolicy Orchestrator.

Table 7-2 Email tab

Email | Message Search
    Live reporting information is based on live information, and is not available from ePolicy Orchestrator.
Email | Overview
    Live reporting information is based on live information, and is not available from ePolicy Orchestrator.
Email | Email Configuration | Protocol Configuration | Transport Layer Security (SMTP)
    The Transport Layer Security (SMTP) tab is available from the Certificate Management category in ePolicy Orchestrator.
Email | Email Configuration | Protocol Configuration | Receiving Email | Permit and Deny Lists
    The Blocked connections list is based on live information, and is not available in ePolicy Orchestrator.
Email | Email Configuration | Virtual Host Configuration
    Virtual hosts cannot be configured for Email and Web Security Appliance in ePolicy Orchestrator. You can configure virtual hosts in parallel with ePolicy Orchestrator management of the physical host settings. Virtual host configuration inherits from the physical host unless overridden in the appliance user interface on a per-virtual-host basis.
Email | Email Configuration | Protocol Settings (SMTP) and Email | Email Configuration | Connection and Protocol Settings (POP3)
    Network groups cannot be added to Protocol Presets in ePolicy Orchestrator.
Email | Email Policies | Scanning Policies: Spam Settings | User Submitted Blacklists and Whitelists
    User blacklists and whitelists contain live information, and are not shown in ePolicy Orchestrator.
Email | Email Policies | Scanning Policies: Spam Settings | Rules
    Spam rules are based on live information and are not shown in ePolicy Orchestrator. However, you can manually exclude individual rules by name from ePolicy Orchestrator.
Email | Email Policies | Scanning Policies | Virtual Host Configuration
    Virtual hosts cannot be configured for Email and Web Security Appliance in ePolicy Orchestrator. You can configure virtual hosts in parallel with ePolicy Orchestrator management of the physical host settings. Virtual host configuration inherits from the physical host unless overridden in the appliance user interface on a per-virtual-host basis.
Email | Email Policies | Dictionaries
    In ePolicy Orchestrator, compliance dictionaries are located in Email Gateway Protection | EWS 5.6 DLP and Compliance | Dictionaries. All Email and Web Security Appliances managed by ePolicy Orchestrator share the same set of dictionaries, and dictionaries are shared across all ePolicy Orchestrator policies.
Email | Email Policies | Registered Documents
    In ePolicy Orchestrator, documents registered for data loss prevention are uploaded and trained in Email Gateway Protection | EWS 5.6 DLP and Compliance | Registered Documents.
Email | Quarantine Configuration | Quarantine Emails
    When using McAfee Quarantine Manager, the Appliance ID is specific to an individual Email and Web Security Appliance, and is not managed by ePolicy Orchestrator.
Email | Quarantine Configuration | Quarantine Digest Emails
    To enable quarantine digest messages in ePolicy Orchestrator, go to Sending Quarantine digest messages in the Email Configuration policy category. The Message Preview and Send options relate to messages in Email and Web Security Appliances, and cannot be performed in ePolicy Orchestrator.

Table 7-3 System tab

System | Appliance Management | General
    This tab contains information that is appliance-specific, and is not available in ePolicy Orchestrator.
System | Appliance Management | Time and Date
    Setting the Appliance Time is a dynamic action, and cannot be set in ePolicy Orchestrator.
System | Appliance Management | Remote Access
    The Out-of-band management option needs appliance-specific information, and is not available in ePolicy Orchestrator.
System | Appliance Management | UPS Settings
    This setting is appliance-specific, and is not available in ePolicy Orchestrator.
System | Appliance Management | Database Maintenance
    Setting the Reporting Password in the External Access section is a dynamic action, and cannot be set through ePolicy Orchestrator. Manually resetting and maintaining the database in Maintenance cannot be performed from ePolicy Orchestrator. The ePolicy Orchestrator interface allows the database Retention Limits to be left blank; when no data is entered, the appliance hardware-specific defaults are used. These are empty by default in ePolicy Orchestrator.
System | Appliance Management | System Administration
    This tab contains actions that are appliance-specific, and is not available in ePolicy Orchestrator.
System | Appliance Management | Default Server Settings
    Obtaining the appliance's public key in the Remote Backup section cannot be done through ePolicy Orchestrator.
System | Cluster Management
    Cluster management is based on appliance-specific information, and cannot be set up in ePolicy Orchestrator.
System | Users, Groups and Services | Directory Services
    Authentication services cannot be set up in ePolicy Orchestrator.
System | Users, Groups and Services | Web User Authentication
    Authentication services cannot be set up in ePolicy Orchestrator.
System | Users, Groups and Services | Policy Groups
    Configure Network Groups in the Policy Groups area of the Email Policies or Web Policies category in ePolicy Orchestrator. Configure Senders and Recipients in the Policy Groups area of the Email Policies category in ePolicy Orchestrator. Configure Web Users and URL Groups in the Policy Groups area of the Web Policies category in ePolicy Orchestrator.
System | Users, Groups and Services | Role-Based User Accounts
    Role-based user accounts contain appliance-specific information, and cannot be set up in ePolicy Orchestrator.
System | Virtual Hosting
    You can set and apply physical host configuration in ePolicy Orchestrator. However, virtual hosts cannot be configured for Email and Web Security Appliance in ePolicy Orchestrator. You can configure virtual hosts in parallel with ePolicy Orchestrator management of the physical host settings. Virtual host configuration inherits from the physical host unless overridden in the appliance user interface on a per-virtual-host basis.
System | Certificate Management | Certificates | CA Certificates
    All Email and Web Security Appliances managed by ePolicy Orchestrator share the same lists of certificates.
System | Certificate Management | Certificates | TLS certificates and keys
    All Email and Web Security Appliances managed by ePolicy Orchestrator share the same lists of certificates and keys, so a TLS private key pushed through ePolicy Orchestrator is present on every managed appliance.
System | Certificate Management | Certificates | Appliance HTTPS Certificate
    Importing, exporting, and generating a certificate signing request for an Email and Web Security Appliance HTTPS certificate is not available in ePolicy Orchestrator.
System | Certificate Management | Certificate Revocation Lists (CRLs) | Installed CRLs
    Certificate Revocation Lists relate to actual appliances, and cannot be set up in ePolicy Orchestrator.
System | Certificate Management | Certificate Revocation Lists (CRLs) | CRL updates
    Configuring specific HTTP proxy settings for CRL updates is not available in ePolicy Orchestrator; the default proxy settings are managed in ePolicy Orchestrator. Manually updating the CRL list cannot be performed from ePolicy Orchestrator.
System | Component Management
    These settings are appliance-specific, and cannot be managed from ePolicy Orchestrator.
System | Setup Wizard
    These settings are appliance-specific, and cannot be performed from ePolicy Orchestrator.

Configuring your appliance for ePolicy Orchestrator management

To enable your appliance to be managed by your McAfee ePolicy Orchestrator software, you need to configure your appliance to accept management by ePolicy Orchestrator, import the ePolicy Orchestrator extensions to your ePolicy Orchestrator software, and import your ePolicy Orchestrator configuration to your Email Gateway appliance.

To configure your Email Gateway appliance to allow it to be managed by ePolicy Orchestrator, you need to import the configuration details from your ePolicy Orchestrator software. In addition, you also need to install the Email Gateway extension (available from the Resources link within the Email Gateway appliances user interface) onto your ePolicy Orchestrator software. To assist you with setting up your Email Gateway appliances for ePolicy Orchestrator management, the Setup Wizard within Email Gateway appliances (System | Setup Wizard) includes a set of pages aimed specifically at configuring your appliance to be managed by ePolicy Orchestrator.

If you have both your McAfee Email Gateway and your McAfee ePolicy Orchestrator software configured to use a language other than English, when you register your McAfee Email Gateway within McAfee ePolicy Orchestrator, the default locale for the Secure Web Mail Client and the default language for all notifications return to English. You must reconfigure these to your required language.

Removing the ePolicy Orchestrator extension

The standard ePolicy Orchestrator workflow allows the removal of the ePolicy Orchestrator extensions. This topic discusses important notes about the effects of doing so. From within the ePolicy Orchestrator user interface, navigate to Menu | Software | Extensions to remove an extension.

If you remove the Email Gateway appliance extension from your ePolicy Orchestrator server, all data relating to your Email Gateway appliances is deleted. To upgrade to a later version of the Email Gateway appliance extension, install the newer extension without removing the existing extension. This preserves the Email Gateway appliances data held within your ePolicy Orchestrator server.

Managing your appliances from within ePolicy Orchestrator

Use this topic for an overview of the process to manage your Email Gateway appliances from within ePolicy Orchestrator.

When you have configured your McAfee Email Gateway appliances to be managed by McAfee ePolicy Orchestrator, most configuration changes that you want to make to your appliances should be made via your ePolicy Orchestrator server. If you have enabled ePolicy Orchestrator management on your appliance, making configuration changes from within the appliance's user interface makes the required changes, but these changes are likely to be overwritten with the next configuration push from your ePolicy Orchestrator server.

Within ePolicy Orchestrator, the configuration pages for your appliances can be found by browsing to Menu | Email Gateway Protection and then selecting either Email Gateway or DLP and Compliance. Management of your Email Gateway appliances follows the standard ePolicy Orchestrator workflows. Refer to the McAfee ePolicy Orchestrator 4.5 Product Guide or McAfee ePolicy Orchestrator 4.6 Product Guide for further information.

Task: Upgrade from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator

Use this task to upgrade to McAfee Email Gateway 7.5 from McAfee Email Gateway 7.0 appliances managed by McAfee ePolicy Orchestrator (McAfee ePO).

Before you begin

Your McAfee Email Gateway 7.0 appliance must have been upgraded to McAfee Email Gateway 7.5 and be configured and running correctly. This upgrade process automatically disconnects the appliance from being managed by McAfee ePO. The inbuilt McAfee Email Gateway migration tools migrate many of your McAfee Email Gateway 7.0 settings for you. However, some settings will need to be recreated.


Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software Product Guide Revision A McAfee Secure Web Mail Client 7.0.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

McAfee(R) Email and Web Security Virtual Appliance 5.6 Installation Guide

McAfee(R) Email and Web Security Virtual Appliance 5.6 Installation Guide McAfee(R) Email and Web Security Virtual Appliance 5.6 Installation Guide COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

McAfee VirusScan Enterprise for Linux 1.7.0 Software

McAfee VirusScan Enterprise for Linux 1.7.0 Software Configuration Guide McAfee VirusScan Enterprise for Linux 1.7.0 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication

More information

Integration Guide. McAfee Asset Manager. for use with epolicy Orchestrator 4.6

Integration Guide. McAfee Asset Manager. for use with epolicy Orchestrator 4.6 Integration Guide Manager for use with epolicy Orchestrator 4.6 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software Installation Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Setting up Microsoft Office 365

Setting up Microsoft Office 365 Setup Guide Revision F Using McAfee SaaS Email Protection to Secure Exchange Online in Microsoft Office 365 Setting up Microsoft Office 365 Use this guide to configure Microsoft Office 365 and Microsoft

More information

Setting up Microsoft Office 365

Setting up Microsoft Office 365 Integration Guide Revision G McAfee SaaS Email Protection Securing Exchange Online in Microsoft Office 365 Setting up Microsoft Office 365 Use this guide to configure Microsoft Office 365 and Microsoft

More information

McAfee Email Gateway 7.6.400 VMtrial Appliances

McAfee Email Gateway 7.6.400 VMtrial Appliances Installation Guide Revision D McAfee Email Gateway 7.6.400 VMtrial Appliances COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0 Product Guide McAfee Endpoint Security for Mac Threat Prevention 10.1.0 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

McAfee Data Loss Prevention 9.3.0

McAfee Data Loss Prevention 9.3.0 Product Guide Revision E McAfee Data Loss Prevention 9.3.0 For use with epolicy Orchestrator 4.5, 4.6, 5.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software Product Guide Revision A McAfee Secure Web Mail Client 7.0.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Migration Guide Revision A. McAfee Email and Web Security 5.6 - McAfee Web Gateway 7.x

Migration Guide Revision A. McAfee Email and Web Security 5.6 - McAfee Web Gateway 7.x Migration Guide Revision A McAfee Email and Web Security 5.6 - McAfee Web Gateway 7.x COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo,

More information

Product Guide. McAfee epolicy Orchestrator 5.0.0 Software

Product Guide. McAfee epolicy Orchestrator 5.0.0 Software Product Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

McAfee Client Proxy 1.0.0 Software

McAfee Client Proxy 1.0.0 Software Product Guide McAfee Client Proxy 1.0.0 Software For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the

More information

Setup Guide Revision A. WDS Connector

Setup Guide Revision A. WDS Connector Setup Guide Revision A WDS Connector COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee

More information

McAfee Cloud Single Sign On

McAfee Cloud Single Sign On Setup Guide Revision B McAfee Cloud Single Sign On COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software Product Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

McAfee MOVE AntiVirus 2.6.0

McAfee MOVE AntiVirus 2.6.0 Deployment Guide McAfee MOVE AntiVirus 2.6.0 For use with epolicy Orchestrator 4.5.0, 4.6.0 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Administration Guide Revision A. SaaS Email Protection

Administration Guide Revision A. SaaS Email Protection Administration Guide Revision A SaaS Email Protection COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software Installation Guide McAfee Security for Microsoft Exchange 7.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Installation Guide. McAfee SaaS Endpoint Protection 6.0

Installation Guide. McAfee SaaS Endpoint Protection 6.0 Installation Guide McAfee SaaS Endpoint Protection 6.0 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4 Product Guide McAfee Endpoint Encryption for Files and Folders 4.2 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Installation Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Configuration Information

Configuration Information Configuration Information Email Security Gateway Version 7.7 This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard.

More information

1 You will need the following items to get started:

1 You will need the following items to get started: QUICKSTART GUIDE 1 Getting Started You will need the following items to get started: A desktop or laptop computer Two ethernet cables (one ethernet cable is shipped with the _ Blocker, and you must provide

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software User Guide FIPS Mode For use with epolicy Orchestrator 4.6.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

McAfee Web Gateway 7.4.1

McAfee Web Gateway 7.4.1 Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this

More information

McAfee Database Activity Monitoring 5.0.0

McAfee Database Activity Monitoring 5.0.0 Product Guide McAfee Database Activity Monitoring 5.0.0 For use with epolicy Orchestrator 4.6.3-5.0.1 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Administration Guide Revision E. SaaS Email Protection

Administration Guide Revision E. SaaS Email Protection Administration Guide Revision E SaaS Email Protection COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK ATTRIBUTIONS

More information

McAfee Enterprise Mobility Management 11.0 Software

McAfee Enterprise Mobility Management 11.0 Software Installation Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

McAfee VirusScan Enterprise for Storage 1.1.0

McAfee VirusScan Enterprise for Storage 1.1.0 Product Guide McAfee VirusScan Enterprise for Storage 1.1.0 For use with epolicy Orchestrator 4.5.7, 4.6.x, 5.0.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

McAfee Client Proxy 2.0

McAfee Client Proxy 2.0 Product Guide Revision B McAfee Client Proxy 2.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Installation Guide. McAfee SaaS Endpoint Protection

Installation Guide. McAfee SaaS Endpoint Protection Installation Guide McAfee SaaS Endpoint Protection COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

PureMessage for Microsoft Exchange Help. Product version: 4.0

PureMessage for Microsoft Exchange Help. Product version: 4.0 PureMessage for Microsoft Exchange Help Product version: 4.0 Document date: July 2013 Contents 1 About PureMessage for Microsoft Exchange...3 2 Key concepts...4 3 Administration console...7 4 Monitoring...9

More information

Product Guide. McAfee epolicy Orchestrator 4.6.0 Software

Product Guide. McAfee epolicy Orchestrator 4.6.0 Software Product Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a

More information

McAfee MOVE AntiVirus (Agentless) 3.6.0

McAfee MOVE AntiVirus (Agentless) 3.6.0 Product Guide McAfee MOVE AntiVirus (Agentless) 3.6.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

Administration Guide Revision E. Account Management. For SaaS Email and Web Security

Administration Guide Revision E. Account Management. For SaaS Email and Web Security Administration Guide Revision E Account Management COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK ATTRIBUTIONS

More information

Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Best Practices Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Product Guide. McAfee Endpoint Security 10

Product Guide. McAfee Endpoint Security 10 Product Guide McAfee Endpoint Security 10 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE,

More information

Product Guide. McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0

Product Guide. McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0 Product Guide McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Release Notes for McAfee epolicy Orchestrator 4.5

Release Notes for McAfee epolicy Orchestrator 4.5 Release Notes for McAfee epolicy Orchestrator 4.5 About this document New features Known Issues Installation, upgrade, and migration considerations Considerations when uninstalling epolicy Orchestrator

More information

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software Best Practices Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Product Guide. McAfee SaaS Endpoint Protection 5.2.0

Product Guide. McAfee SaaS Endpoint Protection 5.2.0 Product Guide McAfee SaaS Endpoint Protection 5.2.0 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

McAfee VirusScan and epolicy Orchestrator Administration Course

McAfee VirusScan and epolicy Orchestrator Administration Course McAfee VirusScan and epolicy Orchestrator Administration Course Intel Security Education Services Administration Course Training The McAfee VirusScan and epolicy Orchestrator Administration course from

More information

Deployment Guide. For the latest version of this document please go to: http://www.exchangedefender.com/documentation.php

Deployment Guide. For the latest version of this document please go to: http://www.exchangedefender.com/documentation.php Deployment Guide For the latest version of this document please go to: http://www.exchangedefender.com/documentation.php ExchangeDefender Introduction The purpose of this guide is to familiarize you with

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

McAfee EETech for Mac 6.2 User Guide

McAfee EETech for Mac 6.2 User Guide McAfee EETech for Mac 6.2 User Guide COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee

More information

Product Guide Revision A. McAfee Data Loss Prevention Endpoint 9.3.0

Product Guide Revision A. McAfee Data Loss Prevention Endpoint 9.3.0 Product Guide Revision A McAfee Data Loss Prevention Endpoint 9.3.0 COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

QUICK START GUIDE. Cisco C170 Email Security Appliance

QUICK START GUIDE. Cisco C170 Email Security Appliance 1 0 0 1 QUICK START GUIDE Email Security Appliance Cisco C170 303357 Cisco C170 Email Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance

More information

Core Protection for Virtual Machines 1

Core Protection for Virtual Machines 1 Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this

More information

Avaya Network Configuration Manager User Guide

Avaya Network Configuration Manager User Guide Avaya Network Configuration Manager User Guide May 2004 Avaya Network Configuration Manager User Guide Copyright Avaya Inc. 2004 ALL RIGHTS RESERVED The products, specifications, and other technical information

More information

epolicy Orchestrator Log Files

epolicy Orchestrator Log Files Reference Guide epolicy Orchestrator Log Files For use with epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced,

More information

Veeam Backup Enterprise Manager. Version 7.0

Veeam Backup Enterprise Manager. Version 7.0 Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may

More information

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software Installation Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Desktop Release Notes. Desktop Release Notes 5.2.1

Desktop Release Notes. Desktop Release Notes 5.2.1 Desktop Release Notes Desktop Release Notes 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

Comprehensive Anti-Spam Service

Comprehensive Anti-Spam Service Comprehensive Anti-Spam Service Chapter 1: Document Scope This document describes how to implement and manage the Comprehensive Anti-Spam Service. This document contains the following sections: Comprehensive

More information

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator 4.6.0 Software Hardware Sizing and Bandwidth Usage Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

PureMessage for Microsoft Exchange Help. Product version: 3.1

PureMessage for Microsoft Exchange Help. Product version: 3.1 PureMessage for Microsoft Exchange Help Product version: 3.1 Document date: June 2015 Contents 1 About PureMessage for Microsoft Exchange...4 2 Key concepts...5 2.1 Key concepts overview...5 2.2 Inbound,

More information

Administration Guide. McAfee SaaS Email Archiving

Administration Guide. McAfee SaaS Email Archiving Administration Guide McAfee SaaS Email Archiving COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism,

More information

SevOne NMS Download Installation and Implementation Guide

SevOne NMS Download Installation and Implementation Guide SevOne NMS Download Installation and Implementation Guide 5.3.X 530 V0002 Contents 1. Get Started... 3 2. SevOne Download Installation... 6 3. Appliance Network Configuration... 9 4. Install License and

More information

Installing GFI MailSecurity

Installing GFI MailSecurity Installing GFI MailSecurity Introduction This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server or you can choose to install

More information

TSM Studio Server User Guide 2.9.0.0

TSM Studio Server User Guide 2.9.0.0 TSM Studio Server User Guide 2.9.0.0 1 Table of Contents Disclaimer... 4 What is TSM Studio Server?... 5 System Requirements... 6 Database Requirements... 6 Installing TSM Studio Server... 7 TSM Studio

More information

MailFoundry Users Manual. MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved

MailFoundry Users Manual. MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved Page 1 of 91 Chapter 1: Introduction... 4 What are Spam Profiles?... 4 Models Covered In This Manual... 4

More information

Novell ZENworks Asset Management 7.5

Novell ZENworks Asset Management 7.5 Novell ZENworks Asset Management 7.5 w w w. n o v e l l. c o m October 2006 USING THE WEB CONSOLE Table Of Contents Getting Started with ZENworks Asset Management Web Console... 1 How to Get Started...

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software Installation Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information