Administrative Domain Configuration Guide

McAfee® Network Security Platform 6.1



COPYRIGHT

Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee® Network Security Platform 6.1 Administrative Domain Configuration Guide


Contents

Preface  5
    About this guide  5
        Audience  5
        Conventions  5
    Finding product documentation  6

1 Configuring Administrative Domains  7

2 Child domains  9

3 Configuring and managing admin domains  11
    Viewing the details of an admin domain  11
    Managing admin domains  11
        Creating an admin domain  11
    Editing child domain configurations  15
        How to edit a domain's details or allocate/revoke more interfaces to an existing child admin domain  15
        Changing the root admin domain name  16
    Deleting an admin domain  17

4 Managing users and user roles  19
    Managing users  19
        Adding a user  20
        Editing users  22
        Changing the default administrator  22
        Deleting users  22
    Assigning a role to a user  23
    Defining Roles  24
        Super User Privileges  25
        Managing user roles  26
        Adding roles  26
    Viewing your user account information  31

5 Managing System Information Logs  33
    Viewing and exporting Manager activity log  33
        Viewing log information  34
        Exporting log information  35
    Generating a user activity audit  35
    Managing long running processes  37
        Viewing long running processes  38
    Viewing messages from McAfee  38

6 Setting up Fault Notification  41
    Viewing fault notification details  41
    Forwarding faults to an SNMP server  42
        Modifying or deleting SNMP forwarder settings  45
    Forwarding faults to a Syslog server  45
    Common settings for fault notification  47
    Sending alerts to an email or pager  48
    Specifying script parameters for fault notification  50

7 Managing Audit Notification  53
    Configuring Syslog Forwarder  53
    Customizing Syslog Message  55

Index  59


Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents

About this guide
Finding product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:

1 Click Product Documentation.

2 Select a product, then select a version.

3 Select a product document.

To access the KnowledgeBase:

• Click Search the KnowledgeBase for answers to your product questions.

• Click Browse the KnowledgeBase for articles listed by product and version.


1 Configuring Administrative Domains

An administrative domain, or admin domain for short, is an organizational tool used specifically to group McAfee® Network Security Platform resources so that you can delegate resource management to specific McAfee Network Security Platform users. An admin domain can contain other admin domains, Devices, and Device interfaces.

Administrative domains enable enterprises to create a central authority that is responsible for the overall McAfee Network Security Platform system, and to allow the central authority to delegate day-to-day security operations to the appropriate entities, such as business units, geographic regions, and individual security personnel.

The top level admin domain is called the root admin domain. Users with Super User access to the root admin domain have complete control over the entire administrative domain and all resources within it, including any child domains, and thus all security resources in the system. To delegate management functions to entities within your organization, you would create a sub domain (of the root or other parent domain) representing each entity or department. These sub-domains are called child admin domains or child domains.

The functions that you can perform at the admin domain level are as follows:

• Configuring and managing admin domains: enables you to view details of admin domains and create child admin domains

• Managing users and user roles: enables the creation of users for various administrative functions

• Viewing system information logs: enables a privileged admin to create audits and logs to view system information

• Setting up fault notifications: allows you to send system fault information to third-party machines such as SNMP servers and Syslog servers.


2 Child domains

Creating child domains enables you to delegate, monitor, and/or configure McAfee® Network Security Sensors in that sub-domain to entities more familiar with the sub-domain's environment. You are not required to subdivide your admin domains into child domains; however, if you want to delegate responsibilities for managing McAfee Network Security Platform resources among multiple individuals within your organization, you do so by creating child domains. To delegate responsibilities, you create child admin domains and user accounts, giving each user a role that defines how the user can interact with the resources in the child admin domain.

For example, suppose you manage three McAfee Network Security Sensors (Sensors). You can create a child domain and allocate a single port (1A) from one of your Sensors to that domain. You can create a user and assign that person a Super User role in only that domain; that user has no role in the root domain, and therefore cannot see or configure root domain resources. The child domain's Super User has been delegated full management responsibilities for the allocated interface.

A user's role determines his/her view of the Resource Tree; only resources the user is permitted to view are displayed in the tree. In the figure below, if a user is a Super User of the HR admin domain, the Resource Tree shows the HR domain at the top of the tree and all of its children; it does not display the root admin domain nor any other child domains of the root.

A child admin domain, such as HR, in the left side of the figure below, can have other child admin domains created within, as seen with the child domain HR SF. Any domain with child domains is a parent; thus, a child domain can be a parent to other child domains. When you create a child domain you can enable or disable it to be a parent for other domains (enabled by default). The root can always have child domains.


Table 2-1

Item Description

1 Root admin domain, parent domain of HR and QA

2 Child domain of My Company, parent of HR SF

3 Child domain of HR

4 Child domain of My Company

You configure admin domain node names, including that of the root, during domain creation. In the previous example, the HR and QA admin domains were created under the root domain; HR SF was created under the HR domain node.

It is important to understand the relationship between parent and child admin domains because child admin domains inherit policies from parent admin domains, and users inherit the same privileges in the child domains as enabled by their roles in the parent domain.

Throughout this guide, named admin domain instances are represented as <Admin-Domain-Name>. In the above figure, the root Admin-Domain-Name is My Company, which is the default root Admin-Domain-Name.

See also Defining Roles on page 24
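The visibility and inheritance rules of this chapter, worked through as an added example (not McAfee code): a user's Resource Tree starts at the domain where the user holds a role and shows only that domain's children, and a role granted in a parent is inherited by every child unless altered there. The domain names follow the figure; the user names and the roles other than Super User are constructed.

```python
"""Resource-tree visibility and role inheritance across admin domains.

Added illustration, not McAfee code. It models the rules this chapter
states: a user's Resource Tree starts at the domain(s) where the user
holds a role and shows every child below them, never the parent or the
sibling domains; a role granted in a parent domain is inherited in all
child domains unless it is altered in a child. Domain names follow the
figure (My Company, HR, HR SF, QA); users and the non-Super-User role
names are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

Assignments = Dict[Tuple[str, str], str]  # (login id, domain name) -> role


@dataclass
class AdminDomain:
    name: str
    parent: Optional["AdminDomain"] = None
    children: List["AdminDomain"] = field(default_factory=list)

    def add_child(self, name: str) -> "AdminDomain":
        child = AdminDomain(name, parent=self)
        self.children.append(child)
        return child

    def descendants(self) -> Iterator["AdminDomain"]:
        """This domain followed by everything below it, depth first."""
        yield self
        for child in self.children:
            yield from child.descendants()

    def path_from_root(self) -> List["AdminDomain"]:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def find_domain(root: AdminDomain, name: str) -> AdminDomain:
    return next(d for d in root.descendants() if d.name == name)


def effective_role(assignments: Assignments, user: str,
                   domain: AdminDomain) -> Optional[str]:
    """Role the user holds in `domain`, after inheritance.

    Walk from the root down to `domain`; each explicit assignment on the
    way replaces the inherited one, so the deepest assignment wins.
    """
    role = None
    for node in domain.path_from_root():
        role = assignments.get((user, node.name), role)
    return role


def visible_domains(assignments: Assignments, user: str,
                    root: AdminDomain) -> List[str]:
    """Names of the domains that appear in the user's Resource Tree."""
    return sorted(d.name for d in root.descendants()
                  if effective_role(assignments, user, d) is not None)


def tree_tops(assignments: Assignments, user: str,
              root: AdminDomain) -> List[str]:
    """Domains shown at the top of the user's tree (visible, parent not)."""
    tops = []
    for d in root.descendants():
        if effective_role(assignments, user, d) is None:
            continue
        if d.parent is None or effective_role(assignments, user, d.parent) is None:
            tops.append(d.name)
    return tops


def build_sample() -> Tuple[AdminDomain, Assignments]:
    # Layout of the figure: My Company (root) > HR > HR SF, and My Company > QA.
    root = AdminDomain("My Company")
    hr = root.add_child("HR")
    hr.add_child("HR SF")
    root.add_child("QA")
    # Constructed assignments. "Super User" is the role the guide names;
    # "Analyst" and "Read Only" are hypothetical role names for illustration.
    assignments: Assignments = {
        ("admin", "My Company"): "Super User",   # root Super User: sees everything
        ("hr_lead", "HR"): "Super User",         # delegated the HR domain only
        ("auditor", "My Company"): "Analyst",    # inherited by every child...
        ("auditor", "HR SF"): "Read Only",       # ...except where altered in a child
    }
    return root, assignments
```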


3 Configuring and managing admin domains

You can view details of admin domains, manage admin domains, edit child domain configurations, and delete admin domains from the Admin Domain node of the resource tree of the Manager.

Contents

Viewing the details of an admin domain
Managing admin domains
Editing child domain configurations
Deleting an admin domain

Viewing the details of an admin domain

The Summary action displays the currently configured information for the selected admin domain.

The information displayed for the selected admin domain varies according to the features available. For instance, if the NTBA license is enabled, information on Default Anomaly Policy and Default Worm Policy is displayed in the Summary page.

Managing admin domains

Managing admin domains involves creating an admin domain, changing the root admin domain name, and deleting an admin domain.

See also
Creating an admin domain on page 11
Changing the root admin domain name on page 16
Deleting an admin domain on page 17

Creating an admin domain

The procedure for creating an admin domain is the same for a domain created under the root or a domain created under a child of the root, and so on. You can create up to four levels of child domains under an admin domain. During child domain creation, you have the option of delegating McAfee® Network Security Sensor (Sensor) interfaces from the parent for management by the child.

If you do not want at this time to allocate interfaces or allow Sensor addition, you may enable these options later.

To create an admin domain


Task

1 From the Resource Tree, select the domain to which you want to add a child domain and then click Admin Domains.

2 Click New.


3 Type the required information. The red asterisks (*) denote required fields.

The following tables describe the fields.

Table 3-1

Field Description

Admin Domain Name: Enter a unique name for identifying the domain. For an enterprise, naming your domain after the specific network segment, department, or building is suggested: HR, Finance, Bldg1, Bldg1-Floor2.

Contact Person Name: Enter the name of the person responsible for the domain. This person should be someone who can be reached in case of emergency or other domain questions.

E-mail Address: The email address of the Contact Person.

You can also choose to enter additional details, such as phone number and address, while creating the domain.

The following fields set restrictions on the child admin domain being created:

Table 3-2

Field Description

Allow Child Admin Domains?: If you select this check box, the administrator of the domain you are currently creating can create child admin domains for the domain.

If you create a child admin domain and disallow the creation of further child admin domains, the new child domain cannot have its own children due to rule inheritance.

Allow Devices?: If you select this check box, the administrator of the domain you are currently creating can add, edit, or delete physical Sensors. Otherwise, the domain is only permitted interface or sub-interface resources as allocated in Step 5.

If you create a child admin domain and disallow the adding of physical Sensors, any children of the new child domain are also disallowed from adding physical Sensors due to rule inheritance.


4 For the IPS mode and IPS with NAC mode, the following additional fields are displayed:

Table 3-3

Field Description

Default IPS Policy: Sets the default IPS Policy to be inherited by child admin domain resources. Several pre-configured policies are provided that encompass different network environments.

Default Reconnaissance Policy: Sets the default Reconnaissance policy to be inherited by child admin domains.

5 For the NTBA Policy and Worm Policy, the following fields are displayed:

Table 3-4

Field Description

Default NTBA Policy: Sets the default NTBA Policy to be inherited by child admin domain resources. Several pre-configured policies are provided that encompass different network environments.

Default Worm Policy: Sets the default Worm policy to be inherited by child admin domains.

6 Click Save.

The Allocated Interfaces page appears.

7 Click Allocate.

8 Select a Sensor from the drop-down list to allocate interfaces/sub-interfaces to the child domain. You can allocate interfaces/sub-interfaces from one or more Sensors.

9 Click Allocate. You may only select one interface from one Sensor at a time.

10 Repeat until you have allocated all the interfaces you require.

11 Click Finish.

The child admin domain you created appears at the bottom of the resource list of the domain in which it was created.


See also
Managing admin domains on page 11
Editing child domain configurations on page 15

Editing child domain configurations

You can use the Admin Domains action to do the following:

• Edit the details of a selected domain.

The root is the only domain that can be edited from its own node. All child nodes under the root must be edited directly from the parent domain where the child was created.

• Allocate or remove interfaces to/from an existing child domain:

• You can allocate additional Sensor interfaces from the parent to the child. You have an opportunity to allocate interfaces to a child domain during child domain creation. However, if in the time after creating a child domain you decide to allocate more interfaces to the child, you must perform that task from the parent admin domain where the child was created.

• You can revoke (that is, remove) interfaces from the child admin domain. This must be performed from the parent domain where the child was created. Revoking an interface brings the interface back under full control of the parent domain; the child domain can then no longer configure the revoked interface.

See also Creating an admin domain on page 11

How to edit a domain's details or allocate/revoke more interfaces to an existing child admin domain

Task

1 Select the appropriate (named) parent domain by navigating to Admin-Domain-Name | Admin Domain | Admin Domains.

2 Select the child domain to be edited from the parent's "Admin Domains List" table.

3 Click Edit.

4 Change any of the general information fields that require updating/editing in the Edit Admin Domain page.


5 Click Next.

6 Do one of the following:

• Select an already allocated interface and click Revoke to remove the interface(s) from the child domain.

• Select a Sensor and an interface and then click Allocate to allocate more interfaces to the child domain.

7 Click Finish.

Changing the root admin domain name

You can customize some of the settings of your root domain, including the name that appears on the Resource tree and subsequent system configuration navigations. Customizing the admin domain name helps to properly maintain the environment that is being protected.

Task

1 Select Admin-Domain-Name | Admin Domain | Admin Domains.

2 Select the root admin domain (My Company) from the Admin Domains List page in the Manager. For McAfee® Network Security Central Manager (Central Manager) there is only one admin domain, whose details are displayed.

3 Click Edit.

4 Clear the Admin Domain Name and type your new domain name.

5 Clear the Contact Person Name and type a name. This typically would be the Super User.

6 Clear the Email Address and type a new email address.

7 Optionally, change the fields that require updating/editing.

8 Click Save. In the Resource Tree, the root domain name changes from My Company to the name you provided.

See also Managing admin domains on page 11


Deleting an admin domain

To delete an existing admin domain, do the following:

Task

1 Select Admin-Domain-Name | Admin Domain | Admin Domains.

2 Select an admin domain from the Admin Domains List page.

3 Click Delete and then click OK to confirm.

An admin domain with resources such as Sensors and interfaces cannot be deleted until all resources have been removed.

See also Managing admin domains on page 11
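The rules this chapter places on child admin domains, collected in one added example (not McAfee code): the four-level limit, inheritance of the Allow Child Admin Domains and Allow Devices settings, allocation and revocation of interfaces from the parent where the child was created, and the refusal to delete a domain that still holds resources. Reading the depth limit as four levels below the root is an assumption, and the Sensor and port names are constructed.

```python
"""Constraints on creating, editing and deleting child admin domains.

Added illustration, not McAfee code. It encodes the rules stated in this
chapter: at most four levels of child domains, the "Allow Child Admin
Domains?" and "Allow Devices?" settings are inherited so a child cannot
be more permissive than its parent, interfaces are allocated to a child
only from the parent where it was created and revoking hands them back,
and a domain still holding resources cannot be deleted. The depth limit
is read as four levels below the root (an assumption); Sensor and port
names are constructed sample data.
"""
from typing import List, Optional, Set, Tuple

MAX_CHILD_LEVELS = 4           # "up to four levels of child domains"
Interface = Tuple[str, str]    # (Sensor name, port), e.g. ("sensor-1", "1A")


class DomainError(ValueError):
    """Raised when an action the guide says is not allowed is attempted."""


class Domain:
    def __init__(self, name: str, parent: Optional["Domain"] = None,
                 allow_children: bool = True, allow_devices: bool = True):
        if parent is not None:
            if not parent.allow_children:
                raise DomainError(f"{parent.name} does not allow child admin domains")
            if parent.depth() >= MAX_CHILD_LEVELS:
                raise DomainError("four levels of child domains already exist")
            # Rule inheritance: a child cannot re-enable what its parent disallowed.
            allow_children = allow_children and parent.allow_children
            allow_devices = allow_devices and parent.allow_devices
            parent.children.append(self)
        self.name = name
        self.parent = parent
        self.allow_children = allow_children
        self.allow_devices = allow_devices
        self.children: List["Domain"] = []
        self.sensors: Set[str] = set()           # physical Sensors added here
        self.interfaces: Set[Interface] = set()  # interfaces this domain controls

    def depth(self) -> int:
        """0 for the root admin domain, 1 for its children, and so on."""
        return 0 if self.parent is None else self.parent.depth() + 1

    def add_sensor(self, sensor: str, ports: List[str]) -> None:
        """Add a physical Sensor; only domains with Allow Devices may do this."""
        if not self.allow_devices:
            raise DomainError(f"{self.name} is not permitted to add physical Sensors")
        self.sensors.add(sensor)
        self.interfaces.update((sensor, port) for port in ports)

    def allocate(self, child: "Domain", iface: Interface) -> None:
        """Hand one interface from this parent to a child created under it."""
        if child.parent is not self:
            raise DomainError("allocate from the parent domain where the child was created")
        if iface not in self.interfaces:
            raise DomainError(f"{iface} is not under the control of {self.name}")
        self.interfaces.remove(iface)
        child.interfaces.add(iface)

    def revoke(self, child: "Domain", iface: Interface) -> None:
        """Take an allocated interface back; the child can no longer configure it."""
        if child.parent is not self or iface not in child.interfaces:
            raise DomainError(f"{iface} is not allocated to {child.name}")
        child.interfaces.remove(iface)
        self.interfaces.add(iface)

    def delete(self) -> None:
        """Remove this domain; refused while Sensors, interfaces or children remain.

        Child domains are counted as contained resources here (chapter 1 says an
        admin domain can contain other admin domains); that reading is an assumption.
        """
        if self.parent is None:
            raise DomainError("the root admin domain cannot be deleted")
        if self.sensors or self.interfaces or self.children:
            raise DomainError(f"{self.name} still holds resources; remove them first")
        self.parent.children.remove(self)


def is_refused(action, *args) -> bool:
    """True if the action is rejected by one of the rules above."""
    try:
        action(*args)
    except DomainError:
        return True
    return False


def build_sample() -> Tuple[Domain, Domain]:
    """The chapter 2 scenario: three Sensors at the root, port 1A of one delegated."""
    root = Domain("My Company")
    for sensor in ("sensor-1", "sensor-2", "sensor-3"):
        root.add_sensor(sensor, ["1A", "1B"])
    # HR may create sub-domains but may not add its own Sensors.
    hr = Domain("HR", parent=root, allow_devices=False)
    root.allocate(hr, ("sensor-1", "1A"))
    return root, hr
```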


4 Managing users and user roles

McAfee Network Security Platform enables creation of users for various administrative functions. This enables selected entities (users/groups/business units) to manage specific domain resources.

User management in the McAfee Network Security Platform environment consists of creating users and granting them privileges. Network security requires careful planning when creating users to ensure the integrity of the environment. All users must authenticate at Manager login prior to performing any activities. The username and password are securely stored in the database with matching privilege rules. A class of user privileges, termed roles, determines the authorized activities of the various users in the system. Once a user logs in, Manager makes available activities based on the role. Roles promote the integrity of security configuration by not allowing universal access to every security resource deployed in the system.

Contents

Managing users
Assigning a role to a user
Defining Roles
Viewing your user account information

Managing users

The Users action enables adding a user, changing the default administrator, and deleting or editing users.


The "Users" List only displays the users created within the current admin domain and any of its children. It does not display users that were created in a higher admin domain, even if the viewing administrator holds a role in that higher domain, whatever that role is. If a user's name is not displayed, the viewing user needs to move to the admin domain level where the user was created in order to administer that user. Admin domain viewing is role dependent.

See also
Adding a user on page 20
Changing the default administrator on page 22
Deleting users on page 22
Editing users on page 22

Adding a user

To add a new user and optionally assign a domain role, do the following:

Task

1 Select Admin-Domain-Name | Users | Users.

2 Click New.

The following page is displayed.

Fill in the required fields. The fields marked with * are required fields.


3 Type the Login ID.

4 For Authentication Type choose one of the following (if available):

• Local: authenticate locally on Manager

• LDAP: authenticate using an LDAP server. If you select this option, also type the LDAP User DN (distinguished name).

Use the following format for the LDAP User DN:

uid=userName,ou=People,dc=DomainName,dc=com

If using Active Directory, use the following format:

userName@DomainName.com

or

cn=userName,ou=People,dc=DomainName,dc=com

Use a valid DN, as LDAP authentication may not operate correctly without a valid DN. Consult with your system administrator to obtain the correct DN for your LDAP server.

• RADIUS: select one of the following RADIUS authentication protocols. If you select this option, also type a valid RADIUS ID, which will be used for authenticating your settings against the RADIUS server.

• RADIUS using PAP (Password Authentication Protocol)

• RADIUS using the CHAP (Challenge Handshake Authentication Protocol)

• RADIUS using the EAP-MD5 (Extensible Authentication Protocol-MD5)

If you have selected the Authentication Type as Local, you will have to fill in the Password and Confirm Password fields.

5 The Password must be a minimum of eight (8) characters in length. Password parameters that can be used are as follows:

• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)

• 10 digits: 0 1 2 3 4 5 6 7 8 9

• 32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /

If RADIUS or LDAP (Active Directory) authentication is enabled, you must also select the type of authentication to use for this new user.

6 Re-type the password in Confirm Password

7 Type First and Last Name (Example: John Doe).

8 Type the Email address of the user.

9 Type the relevant details, if required for the following fields: Company, Phone, State, Address, and Country.

10 In the Role Assignments section, select the Roles from the drop down list.

The Domain Name displays the user domain, by default.

11 Click Save; click Cancel to abort.

12 Select Users | Users to view your newly added user.
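The input rules of this procedure, as an added example (not McAfee code): a check of a Local password against the stated length and character-set rule, a classifier for the three LDAP/Active Directory name formats shown above, and a flag for the shipped admin/admin123 combination that the next section says to eliminate. Sample values are constructed.

```python
"""Checks on the Add User inputs described in this procedure.

Added illustration, not McAfee code. It validates a Local-authentication
password against the rule stated here (at least eight characters, drawn
only from the 26 letters in either case, the 10 digits and the 32 listed
symbols), classifies an LDAP User DN or Active Directory name against the
three formats shown, and flags the factory default admin/admin123
combination that the guide tells you to eliminate. Sample values are
constructed.
"""
import re
import string
from typing import List, Optional

MIN_PASSWORD_LENGTH = 8
ALLOWED_SYMBOLS = set("~`!@#$%^&*()_+-=[]{}\\|;:\"',.<>?/")   # the 32 symbols listed
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS
DEFAULT_CREDENTIALS = ("admin", "admin123")    # shipped default, to be changed

# uid=userName,ou=People,dc=DomainName,dc=com   (LDAP User DN)
# cn=userName,ou=People,dc=DomainName,dc=com    (Active Directory, DN form)
_DN_RE = re.compile(r"^(?P<attr>uid|cn)=[^,=]+(?:,(?:ou|o|dc)=[^,=]+)+$", re.IGNORECASE)
# userName@DomainName.com                       (Active Directory, UPN form)
_UPN_RE = re.compile(r"^[^@\s,=]+@[^@\s,=]+\.[^@\s,=.]+$")


def check_local_password(login_id: str, password: str) -> List[str]:
    """Policy violations for a Local user; an empty list means accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"fewer than {MIN_PASSWORD_LENGTH} characters")
    disallowed = sorted(set(password) - ALLOWED_CHARS)
    if disallowed:
        problems.append("characters outside the permitted set: "
                        + ", ".join(repr(c) for c in disallowed))
    if (login_id, password) == DEFAULT_CREDENTIALS:
        problems.append("factory default admin/admin123 combination still in use")
    return problems


def classify_directory_name(value: str) -> Optional[str]:
    """'ldap-dn', 'ad-dn' or 'ad-upn' for one of the documented forms, else None."""
    value = value.strip()
    match = _DN_RE.match(value)
    if match:
        return "ldap-dn" if match.group("attr").lower() == "uid" else "ad-dn"
    if _UPN_RE.match(value):
        return "ad-upn"
    return None
```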


See also Managing users on page 19

Editing users

Editing a user in Central Manager is similar to that in the Manager, described below.

To edit an existing user, do the following:

Task

1 Select Admin-Domain-Name | Users | Users.

2 Select a user.

3 Click Edit.

4 Type your changes in the appropriate fields.

5 Click Save.

See also Managing users on page 19

Changing the default administrator

You can change the default Super User username and password by performing the following steps:

Task

1 Select Admin-Domain-Name | Users | Users.

2 Select the default Super User account from the "User List" table (Name: Administrator, Login ID: admin).

3 Click Edit.

4 (Optional) Type a new Login ID. This changes the name used for logging on to Manager.

5 Type a new password at Password. This changes the password used for logging on to Manager.

6 Re-type the password at Confirm Password.

7 (Optional) Type a new User Name. This is simply for identification in the "User List" table.

8 Type a valid Email address.

9 (Optional) Type any other changes in the appropriate fields.

10 Click Save to keep these changes and eliminate the default (admin/admin123) combination.

See also Managing users on page 19; Super User Privileges on page 25

Deleting users

Deleting users in Central Manager is similar to that in Manager, described below.


To delete an existing user account, do the following:

Task

1 Select Admin-Domain-Name | Users | Users.

2 Select a user.

3 Click Delete. A pop-up with the following message appears: "You are about to permanently delete this record. Do you wish to continue?"

4 Click OK to delete the user record; click Cancel to abort.

See also Managing users on page 19

Assigning a role to a user

You can assign or remove a role to/from a user at any time.

A user granted a role in a parent admin domain inherits the same role in any child domains below the parent, unless the user's role is altered in a child domain.

To assign a role to a user in a domain, do the following:

Task

1 Select Admin-Domain-Name | Users | Role Assignments.

2 Select a user in the Role Assignments table.

3 View the user's role in the field Roles (Current Domain). If no role has been assigned, this field is empty.


4 Click Edit.

A user can have a different role in any or all admin domains regardless of the admin domain in which the user was created. If the user is to be granted a role in an admin domain higher than the one where created, then the administrator of that higher domain must assign that role. An administrator can only grant or deny roles in the admin domains where he/she has that privilege. If a user has been allotted a Super User role at the parent and the child domain, the user should select a domain from the home page at the time of login. The home page displays a drop-down above the menu bar in such cases.

Current Assignments and Assign are displayed. If a role is already assigned to the user, the role in the Assigned Role column is displayed in Current Assignments.

5 In Assign, the Login ID of the user is displayed by default.

6 Select the Domain Name from the drop-down list.

7 Select the role(s) to be assigned to the user from the drop-down list.

8 Click Save.

Defining Roles

A role is a group of actions that a user is allowed to perform within a given administrative domain. McAfee Network Security Platform provides role-based authorization to the users.

Users authenticate themselves by logging into the Manager. For an admin domain, you can create users and assign roles to the users in the Manager. You can also create users in the child admin domains and assign roles to them.


The role privilege indicates the actions that are allowed for a user who is assigned the particular role. Each role has role privileges with Read Write or Read Only (RW or RO) permissions. For example, Reports RW allows a user with that role to have Read and Write permissions for the Reports in the Manager.

Note that users created for an admin domain are specific to that domain, but roles can be assigned to the users across domains. That is, you can assign a role to a user in one domain, and another role to the same user in the corresponding child domain.

The following table lists the various role types along with the corresponding role description.

Table 4-1 Roles and their descriptions

NAC Administrator: Administer the Network Access Control environment

IPS Administrator: Administer the intrusion prevention environment

NTBA Administrator: Administer the Network Threat Behavior Analyzer environment

Guest Portal Account Manager: Administer local Guest Portal user accounts

NOC Operator: Monitor the security environment

Report Generator: Run reports

Security Expert: Administer the NAC, NTBA and IPS environments

System Administrator: Administer the Manager and the Device List

McAfee ePO™ Dashboard Data Retriever: Rights to retrieve information from McAfee Network Security Platform to ePO, for displaying McAfee Network Security Platform information in ePO.

Super User: Full rights. Super Users must manage themselves within the domain(s) in which they reside.

No Role: The user cannot log on to Manager. This is the state when a user is first created but has not yet been assigned any role.

The Roles tab (Admin Domain | Users | Roles) lists the various default roles and allows you to create custom roles.

Custom Roles

Custom roles can be created in the Manager, and assigned to users.

See also Child domains on page 3; Adding roles on page 26; Managing user roles on page 26

Super User Privileges

McAfee® Network Security Platform resources are governed by users with Super User access; a Super User is capable of configuring every resource and function in the system. Each shipped Manager is configured with one built-in Super User account, including a default password.


A Super User is only limited by domain boundaries. Only the Super Users created at the root domain have full access; Super Users in a child domain only have Super User privileges in that domain and the subsequently added child domains.

The default Super User account username is admin and the password is admin123. McAfee strongly recommends that you change the default Super User password for security purposes.

A Super User can be defined at any level, and the role applies to the current domain and all of its children, but not to its parent or sibling domains.

See also Changing the default administrator on page 22

Managing user roles

The Roles action enables a user administrator to assign roles to users within an existing admin domain. Adding a user to a domain requires the application of a role, or privilege, thus limiting a user's configuration abilities.

See also Defining Roles on page 24

Adding roles

You can add new roles (custom roles) in the Manager from the Roles tab.

Only users with the 'Configure Admin User Accounts RW' role privilege can create users or roles, assign roles to users, and modify the user account settings.

Users with the 'Configure Admin User Accounts RO' role privilege can only view the users, roles, or user accounts.
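The inheritance rules described above (a role granted in a parent domain is inherited below it unless altered in a child domain, a Super User's scope stops at domain boundaries, a user with no role cannot log on) and the 'Configure Admin User Accounts RW' check can be modelled in a few functions. The Python below is an added example, not McAfee's code or any Manager API: the domain tree, users and assignments are constructed, and the privilege sets are the IPS-mode column of the role privileges table for three default roles.

```python
"""Effective roles across an admin-domain tree (constructed example, not McAfee's code).

Models the rules the guide states: a role granted in a parent admin domain is
inherited by the child domains below it unless the user's role is altered in a
child domain, and a role never flows to the parent or to sibling domains.
Domain names, users and assignments are made up; privilege sets are the
IPS-mode column of the guide's role privileges table for three default roles.
"""
from __future__ import annotations

# Child domain -> parent domain; the root has no parent (constructed tree).
PARENT: dict[str, str | None] = {
    "My Company": None,
    "EMEA": "My Company",
    "EMEA-Paris": "EMEA",
    "APAC": "My Company",
}

# IPS-mode privileges per default role, copied from the guide's table.
ROLE_PRIVILEGES: dict[str, frozenset[str]] = {
    "Super User": frozenset({
        "Configure Admin Domain RW", "Configure Admin User Accounts RW",
        "Configure Manager RW", "Configure Integration RW",
        "Configure Device List RW", "Configure IPS Settings RW",
        "Configure Guest Portal User creation RW", "Home", "Reports IPS RW",
        "Operational Status RW", "TA Summary Dashboard IPS RW",
        "TA Summary Dashboard General RW", "TA Alerts RW", "TA Hosts RW",
        "TA Hosts Forensics ePolicy Orchestrator",
        "TA Hosts Forensics Vulnerability Manager",
    }),
    "NOC Operator": frozenset({
        "Home", "Reports IPS RO", "Operational Status RO",
        "TA Summary Dashboard IPS RO", "TA Summary Dashboard General RO",
        "TA Alerts RO", "TA Hosts RO",
    }),
    "Report Generator": frozenset({"Reports IPS RW"}),
}

# user -> {domain where roles were explicitly assigned -> roles}.
# An empty mapping is the guide's "No Role" state. All constructed.
ASSIGNMENTS: dict[str, dict[str, frozenset[str]]] = {
    "alice": {"My Company": frozenset({"Super User"})},   # root Super User
    "bob": {"EMEA": frozenset({"Super User"})},           # child-domain Super User
    "carol": {"My Company": frozenset({"NOC Operator"}),
              "EMEA-Paris": frozenset({"Report Generator"})},  # overridden below
    "erin": {"My Company": frozenset({"Super User"}),
             "EMEA": frozenset({"Super User"})},          # granted at parent and child
    "dave": {},                                           # No Role: cannot log on
}


def lineage(domain: str) -> list[str]:
    """The domain itself followed by its ancestors up to the root."""
    chain: list[str] = []
    current: str | None = domain
    while current is not None:
        chain.append(current)
        current = PARENT[current]
    return chain


def effective_roles(assignments: dict, user: str, domain: str) -> frozenset[str]:
    """Nearest explicit assignment on the path to the root wins, so a grant in a
    child domain overrides the role inherited from a parent domain."""
    explicit = assignments.get(user, {})
    for ancestor in lineage(domain):
        if ancestor in explicit:
            return explicit[ancestor]
    return frozenset()


def effective_privileges(assignments: dict, user: str, domain: str) -> frozenset[str]:
    """Union of the privilege sets of the user's effective roles in `domain`."""
    privileges: set[str] = set()
    for role in effective_roles(assignments, user, domain):
        privileges |= ROLE_PRIVILEGES[role]
    return frozenset(privileges)


def can_log_on(assignments: dict, user: str) -> bool:
    """A user holding no role in any domain cannot log on to Manager."""
    return any(assignments.get(user, {}).values())


def can_manage_users(assignments: dict, user: str, domain: str) -> bool:
    """Only 'Configure Admin User Accounts RW' allows creating users or roles."""
    return "Configure Admin User Accounts RW" in effective_privileges(assignments, user, domain)


def super_user_scope(assignments: dict, user: str) -> frozenset[str]:
    """Domains where the user is effectively a Super User: the domain of the
    grant and everything below it, never its parent or a sibling."""
    return frozenset(d for d in PARENT if "Super User" in effective_roles(assignments, user, d))


def must_choose_domain_at_login(assignments: dict, user: str) -> bool:
    """Super User granted at both a parent and one of its children: the home
    page shows a domain drop-down and the user picks a domain at login."""
    grants = [d for d, roles in assignments.get(user, {}).items() if "Super User" in roles]
    return any(a != b and a in lineage(b) for a in grants for b in grants)
```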

Adding custom roles

Users with the 'Configure Admin User Accounts RW' role privilege can add roles. Once added, the roles are listed along with the default roles available for the users.

To add a custom role in the Manager, do the following:

Task

1 From the Resource Tree, select Admin Domain | Users | Roles.

The Roles tab can be accessed only from the parent administrative domain.


2 In Roles, the default roles are listed as per the Manager mode (IPS, NAC or IPS with NAC mode). Note that the default roles cannot be edited or deleted.

Role privileges (by Manager mode)

NAC Administrator
IPS mode: Nil
NAC mode: Configure NAC Settings RW; Home; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Hosts RW; Reports NAC RW
IPS with NAC mode: Configure NAC Settings RW; Home; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Hosts RW; Reports NAC RW

IPS Administrator
IPS mode: Configure IPS Settings RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW
NAC mode: Nil
IPS with NAC mode: Configure IPS Settings RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW

System Administrator
IPS mode: Configure IPS Settings RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW
NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure NAC Settings RO; Home; Reports NAC RW; Operational Status RW; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
IPS with NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RO; Configure Manager RW; Configure Integration RO; Configure Device List RW; Configure IPS Settings RO; Configure NAC Settings RO; Home; Reports IPS RW; Reports NAC RW; Operational Status RW; TA Summary Dashboard IPS RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO

Report Generator
IPS mode: Reports IPS RW
NAC mode: Reports NAC RW
IPS with NAC mode: Reports IPS RW; Reports NAC RW

Super User
IPS mode: Configure Admin Domain RW; Configure Admin User Accounts RW; Configure Manager RW; Configure Integration RW; Configure Device List RW; Configure IPS Settings RW; Configure Guest Portal User creation RW; Home; Reports IPS RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Manager
NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RW; Configure Manager RW; Configure Integration RW; Configure Device List RW; Configure NAC Settings RW; Configure Guest Portal User creation RW; Home; Reports NAC RW; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Manager
IPS with NAC mode: Configure Admin Domain RW; Configure Admin User Accounts RW; Configure Manager RW; Configure Integration RW; Configure Device List RW; Configure IPS Settings RW; Configure NAC Settings RW; Configure Guest Portal User creation RW; Home; Reports IPS RW; Reports NAC RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Manager

Guest Portal Account Manager
IPS mode: Configure Guest Portal User Creation RW
NAC mode: Configure Guest Portal User Creation RW
IPS with NAC mode: Configure Guest Portal User Creation RW

NOC Operator
IPS mode: Home; Reports IPS RO; Operational Status RO; TA Summary Dashboard IPS RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
NAC mode: Home; Reports NAC RO; Operational Status RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO
IPS with NAC mode: Home; Reports IPS RO; Reports NAC RO; Operational Status RO; TA Summary Dashboard IPS RO; TA Summary Dashboard NAC RO; TA Summary Dashboard General RO; TA Alerts RO; TA Hosts RO

McAfee ePO™ Dashboard Data Retriever
IPS mode: Special role for McAfee ePO™ Dashboard Data Retrieval
NAC mode: Special role for McAfee ePO™ Dashboard Data Retrieval
IPS with NAC mode: Special role for McAfee ePO™ Dashboard Data Retrieval

NTBA Administrator
IPS mode: Configure NTBA Settings RW; Home; Operational Status RW; Reports NTBA RW; TA Alerts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Scan; TA Summary Dashboard General RW; TA Summary Dashboard NTBA RW
NAC mode: Configure NTBA Settings RW; Home; Operational Status RW; Reports NTBA RW; TA Alerts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Scan; TA Summary Dashboard General RW; TA Summary Dashboard NTBA RW
IPS with NAC mode: Configure NTBA Settings RW; Home; Operational Status RW; Reports NTBA RW; TA Alerts RW; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Scan; TA Summary Dashboard General RW; TA Summary Dashboard NTBA RW

Security Expert
IPS mode: Configure Integration RW; Configure Device List RO; Configure IPS Settings RW; Home; Reports IPS RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Manager
NAC mode: Configure Integration RW; Configure Device List RO; Configure NAC Settings RW; Home; Reports NAC RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Manager
IPS with NAC mode: Configure Integration RW; Configure Device List RO; Configure IPS Settings RW; Configure NAC Settings RW; Home; Reports IPS RW; Reports NAC RW; Threat Analyzer RW; Operational Status RW; TA Summary Dashboard IPS RW; TA Summary Dashboard NAC RW; TA Summary Dashboard General RW; TA Alerts RW; TA Hosts RW; TA Hosts RO; TA Hosts Forensics ePolicy Orchestrator; TA Hosts Forensics Vulnerability Manager

No Role
IPS mode: Nil
NAC mode: Nil
IPS with NAC mode: Nil


3 To create a new custom role, click New.

The Add Custom Role window is displayed.

4 Enter Role Name and Description.

5 Select and move the privileges that you want to assign to this new role from the set of available privileges in Manager Privileges to Role Privileges. The Read, Write, or Operate permissions (RO, RW, etc.) for the privileges can be seen in the privilege name.

6 Select Save to save the changes.

Tasks

• Assigning a custom role on page 30

See also Defining Roles on page 24

Assigning a custom role

To assign a custom role to a user, do the following:

Task

1 From the Resource Tree, select Admin Domain | Users | Users.

2 Select Add, to add a user.

3 Enter the user information, and select Save.

4 A pop-up is displayed asking if you want to assign a role to this user. Select OK.

5 You are redirected to the Assign page of the Role Assignments tab, where the default roles as well as the custom roles are listed.


6 Select the custom role from the list.

7 Select Save to save the changes. The assigned role is displayed in the Current Assignments section, in the same window.

A custom role created in the Central Manager can be associated with a Manager user. If this role is deleted, or if the Manager is made standalone, then the role is deleted in the Manager, and the role's association with the Manager user is deleted as well.

Viewing your user account information

The My Account action displays the My Account page, which lists the account information for the logged-in user. The navigation path for this page is Admin-Domain-Name | Users | My Account.

If you wish to change your information (password, address, and so forth), clear the appropriate field, type the new information, and click Save; click Cancel to exit without saving changes.


5 Managing System Information Logs

The Logs tab enables a privileged admin to create audits and logs to view system information, either by user activity or general system information. Audits pull user-activity information from the database and system-activity information from the log files (such as ems.log files), thus providing a beneficial resource for analysis and/or problem-solving.

Contents

Viewing and exporting Manager activity log
Generating a user activity audit
Managing long running processes
Viewing messages from McAfee

Viewing and exporting Manager activity log

The System Log tab enables you to view and export system activity entries immediately in the Manager log file, named ems.log. By default, this information includes performed actions, system faults, and debug data. You can customize the log query to display only the data you want to see, such as debug data only or Warning-level faults only. Each log file is numbered incrementally for each megabyte of recorded data. The current log is seen in the McAfee Network Security Platform directory as ems.log. Previous logs increment with every one megabyte of data (ems.log.1, ems.log.2, etc.).

By default, the ems.log file is located at <Network Security Manager install directory>/ems.log.

Note that in Central Manager, the System Log tab functions are similar to that in Manager described above.

Only Super Users, System Administrators, and Security Experts can view the system log.

Only ems.log files smaller than 4 MB can be viewed or exported from Manager.

See also Viewing log information on page 34; Exporting log information on page 35


Viewing log information

Task

1 Select Admin-Domain-Name | Logs | System Log.

2 Select a Log File Name.

3 Select the level of messages to display from one of the following:

Table 5-1 Log message levels

ALL: All actions performed/recorded by the system. This includes all of the topics that follow.

DEBUG: Only debug information for the system.

INFO: Only configuration information, such as when an action is performed.

WARN: Only system warning (high severity) information.

ERROR: Only system error (medium severity) information.

FATAL: Only crash/failure information.

Or one of the following ranges:

INFO AND ABOVE: Show INFO, WARN, ERROR, and FATAL. This range is useful when more detailed logs, including information and warnings, are desired.

ERROR AND ABOVE: Show ERROR and FATAL. This range is useful when only errors and crash information are needed.

4 Select the desired range of dates. The Begin Date and End Date must be different times.

5 Type a value for the Number of Messages to Display to limit the log output. The default value is 10.

6 Click View Messages to view the log.

See also Viewing and exporting Manager activity log on page 33


Exporting log information

Task

1 Select Admin-Domain-Name | Logs | System Log.

2 Select a Log File Name.

3 Click Export.

The ems.log file is copied to your system. The exported log file contains all messages and is not filtered.

See also Viewing and exporting Manager activity log on page 33

Generating a user activity audit

The User Activity Audit action (My Company | Logs | User Activity Audit) enables the admin to view another user's actions in the management system. An audit can help determine what a user has done, in order to identify mistakes, overwriting, or other issues concerning user activity.

Only messages belonging to the categories selected for audit in the Audit Log Setting window (Manager | Audit Log Setting) are displayed.

To create an audit to view a user's activity, do the following:

Task

1 Select Admin-Domain-Name | Logs | User Activity Audit.

2 Select whether or not to include audit data from all child domains of the current domain (Include Audit Data from Child Admin Domains?).

3 Select a user to audit. The drop-down list displays the login IDs of the users currently logged in (Administrative User to Audit:).


4 Select one or more Audit Categories. The Audit Categories are displayed as per the configured Manager nodes.

5 Type the number of audit messages to show (Show x messages). The default is 10 messages.

6 Select from one of the following time options:

Table 5-2 Time options

Until Now: Displays the requested number of most recent messages.

Until a specified end time: Specify the date and time before which you want to see the requested number of messages. That is, choosing this option displays the requested number of messages starting from this time and proceeding backwards.

Within the following time range: Select the desired range of dates for activity by a user.

7 Click View Messages to start the audit. The following figure displays an audit result.

The fields are as follows:

Table 5-3 Audit result fields

Include Child Admin Domains: Whether all child domains of the current domain are included in the audit.

Actions performed by User: The user being audited.

Audit Categories: Audit categories selected while generating messages.

Start Time: Specified audit start time.

End Time: Specified audit end time.

Number of Actions: Performed between "Start Time" and "End Time".

Date: When the action was performed.

Domain: Domain in which the action was performed.

User: Username.

Category: The audit category.

Action: Performed action.

Result: Status of the performed action, as either "Success" or "Failure".

Description: Component affected by the action.

Note that the User Activity Audit action (My Company | Logs | User Activity Audit) for the Central Manager is similar to that described for the Manager above.
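The audit options above (child-domain inclusion, the audited user, the selected categories, the message count, and the three time options including the "proceeding backwards" end-time mode) can be modelled as one query over records shaped like the audit result table. The Python below is an added example, not McAfee's code or the Manager's query logic: the domain tree, users, category names and audit records are constructed.

```python
"""Constructed model of the User Activity Audit query (not McAfee's code).

Implements the options the guide lists: include audit data from child admin
domains or not, the user to audit, the audit categories, the number of
messages to show, and the three time options (Until Now, Until a specified
end time, Within the following time range). Domain names, users, categories
and records are made up; the record fields follow the audit result table.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Child domain -> parent domain (constructed tree; the root has no parent).
PARENT: dict[str, str | None] = {
    "My Company": None, "EMEA": "My Company", "EMEA-Paris": "EMEA", "APAC": "My Company",
}


@dataclass(frozen=True)
class AuditRecord:
    """One row of the audit result: Date, Domain, User, Category, Action, Result, Description."""
    date: datetime
    domain: str
    user: str
    category: str
    action: str
    result: str  # "Success" or "Failure"
    description: str


# Constructed sample records; the category names are illustrative only.
RECORDS = [
    AuditRecord(datetime(2011, 3, 1, 9, 0), "My Company", "bob", "User Management",
                "Add User", "Success", "User carol"),
    AuditRecord(datetime(2011, 3, 1, 9, 30), "EMEA", "bob", "User Management",
                "Assign Role", "Success", "carol: NOC Operator"),
    AuditRecord(datetime(2011, 3, 1, 10, 0), "EMEA-Paris", "bob", "Policy",
                "Edit Policy", "Failure", "Default Policy"),
    AuditRecord(datetime(2011, 3, 1, 10, 15), "APAC", "bob", "User Management",
                "Delete User", "Success", "User dave"),
    AuditRecord(datetime(2011, 3, 1, 11, 0), "My Company", "alice", "User Management",
                "Change Password", "Success", "Default Super User account"),
    AuditRecord(datetime(2011, 3, 2, 8, 0), "EMEA", "bob", "User Management",
                "Edit User", "Success", "User carol"),
]


def in_audit_scope(record_domain: str, audit_domain: str, include_children: bool) -> bool:
    """True for the audited domain itself, and for its descendants only when requested."""
    current: str | None = record_domain
    while current is not None:
        if current == audit_domain:
            return True
        if not include_children:
            return False  # only an exact domain match counts
        current = PARENT[current]
    return False


def user_activity_audit(records, *, audit_domain, user, categories, include_children=False,
                        count=10, start_time=None, end_time=None, now=None):
    """Return at most `count` matching records, most recent first.

    end_time None                 -> "Until Now" (clock injected via `now` for testing)
    end_time set, start_time None -> "Until a specified end time", working backwards
    both set                      -> "Within the following time range"
    """
    upper = end_time if end_time is not None else (now or datetime.now())
    hits = [
        r for r in records
        if r.user == user
        and r.category in categories
        and in_audit_scope(r.domain, audit_domain, include_children)
        and r.date <= upper
        and (start_time is None or r.date >= start_time)
    ]
    hits.sort(key=lambda r: r.date, reverse=True)
    return hits[:count]
```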

Managing long running processes

McAfee Network Security Platform helps you identify long running processes, including in-progress activities within your active Manager (or Central Manager). You can view and track scheduled processes as well as user-initiated processes. The long running processes that you can view in Manager are the ones that McAfee recommends you keep track of.

If a long running activity includes several sub-activities, then McAfee Network Security Platform provides an activity log for each of the sub-activities. For example, an activity like a signature update involves two long running sub-activities: downloading the signature set, and updating the signature set on all Managers that have real-time update enabled. These sub-activities are tracked separately, and the status for each is displayed separately as well.

McAfee Network Security Platform identifies the following as long-running activities:

• Signature set download from McAfee Update Server

• Signature set update on all active Sensors

• Sensor software download from McAfee Update Server

• Sensor software update on all Sensors

• Cumulative policies update due to signature set download or editing of overriding rules

• Custom Attack Editor export to the Manager

• Report generation

• Data Backup using the Manager

• Data Restore using the Manager

• Database dump transfer/import for an MDR pair

• Database tuning using the Manager

• File maintenance

• Alert archival using the Manager


• Archived alerts restore using the Manager

• Alert data purge using the Manager

McAfee Network Security Platform records the above-mentioned activities for both scheduled as well as user-initiated processes.

Viewing long running processes

Select <Owner Admin Domain> | Logs | Long Running Processes.

The display of long running processes is governed by admin domain ownership. For example, if your Manager setup has a child admin domain, then select <Child Admin Domain> | Logs | Long Running Processes to view the long running processes for that child admin domain.

McAfee Network Security Platform logs the long running processes against the <Owner Admin Domain> and the user who performs the activity. The result for each activity is displayed as "Failure," "Success," or "In Progress" if still running. You can also view a summary of the activity in the Description field.

Once an activity is completed, the entry for that long running activity is removed from the Long Running Processes page and displayed on the <Owner Admin Domain> | Logs | User Activity Audit page.

The information displayed on the User Activity Audit page is based on your search criteria.

Viewing messages from McAfee

The Messages from McAfee action enables you to view any product or security-related messages from McAfee. The messages can be related to operating system patches, signature set releases, Manager software updates, Sensor software updates, and so on. Network Security Manager checks the Update Server for such messages every 15 minutes and displays messages that are relevant to the version of Manager and signature set that you are using. This feature ensures that all relevant messages from the McAfee Network Security Platform support team reach you on time.

Manager displays the release date and the message description of the relevant messages in the Messages from McAfee window. The release date is the date on which the message was posted on the Update Server. You can acknowledge the messages that you have already seen, and they will not be listed again. The latest four unacknowledged messages are displayed on the McAfee Network Security Platform home page as well. Click the View All Messages link on the home page to navigate to the Messages from McAfee window, where all the unacknowledged messages are displayed.


Table 5-4 Item 1: Messages from McAfee on the Home page

Though all users can view the messages, only users with the role of Super User in the root Admin domain can acknowledge messages.

Child Admin Domain users can view only the latest 4 messages.

For Manager to be able to check the Update Server for messages, you must have authenticated your credentials with the Update Server. For more information on how to authenticate, see Setting authentication for communication with the Update Server.

You can view unacknowledged messages from the Messages from McAfee tab in the Manager (or Central Manager).

To view all unacknowledged messages:

Task

1 From the Resource Tree, select Root Admin Domain | Logs | Messages from McAfee. Alternatively, click the View All Messages link on the home page.

The Messages from McAfee window is displayed.

2 To acknowledge a message, select it and click Acknowledge.

Messages that are once acknowledged are not displayed again.

You can acknowledge 10 messages at a time. The first 10 selected messages are acknowledged.

The acknowledged messages are logged, and you can view this information in the User Activity Log report. For information on this report, see Audit Report.


6 Setting up Fault Notification

Manager can send system fault information to third-party machines such as SNMP servers and syslog servers. You can also configure Manager to notify you—via email, pager, or script—for system faults based on fault severity. You can view fault notification details, forward faults to an SNMP or Syslog server, configure fault notification, send alerts to an email or pager, and specify script parameters for fault notifications.

Contents

Viewing fault notification details
Forwarding faults to an SNMP server
Forwarding faults to a Syslog server
Common settings for fault notification
Sending alerts to an email or pager
Specifying script parameters for fault notification

Viewing fault notification details

The Summary action (My Company | Fault Notification | Summary) displays a summary of the configured fault notification settings for the Manager (or Central Manager). The summary reflects configurations made within the other Fault Notification group actions.


Forwarding faults to an SNMP server

The Fault Notification | SNMP action enables you to specify an SNMP server to which system fault information will be sent from the Manager. You can configure more than one SNMP server to which fault messages are sent. The SNMP Servers page displays the SNMP servers that have been configured. The fields in this page are described within the configuration steps that follow.

To configure an SNMP server to receive system faults from your Manager, do the following:

Task

1 Select Admin-Domain-Name | Fault Notification | SNMP.

2 Check Enable SNMP Notification (default is Yes) and click Save.

3 Click New.

The SNMP window is displayed.

4 Fill in the following fields:

Table 6-1

Admin Domains: Select the following options to enable admin domain notification:

• Current: Send notifications for alerts in the current domain. Always enabled for the current domain.

• Children: Include alerts for all child domains of the current domain.

IP Address: IP address of the target SNMP server. This can be an IPv4 or IPv6 address.

Target Port: Target server's SNMP listening port. The standard port for SNMP, 162, is pre-filled in the field.

SNMP Version: Version of SNMP running on the target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

Community String: Type an SNMP community string to protect your McAfee Network Security Platform data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.

Forward Faults: Choose the severity level for forwarding faults, that is, the severity of alerts that will have information forwarded. The options are Critical, Error and above, Warning and above, and Informational and above. Limiting your alert severities to Critical or Error and above is recommended for focused analysis.

The following fields appear only when SNMP Version 3 is selected.

User Name: Type a username that will be used for authentication.

Authoritative Engine ID (Hex Values): The Authoritative (security) Engine ID of the Manager used for sending SNMP version 3 REQUEST messages. The hex value of the Authoritative Engine ID must consist only of complete (even) pairs; for example, a hex value of 4 pairs such as 00-1B-3F-2C. Note: a MAC address can also be used as the Authoritative Engine ID.

Authentication Level: This specifies the authentication level and has the following categories:

• No Authorization, No Privileges: Uses a user name match for authentication.

• Authorization, No Privileges: Provides authentication based on the MD5 or SHA algorithms.

• Authorization, Privileges: Provides authentication based on the MD5 or SHA algorithms. It also provides encryption, in addition to authentication, based on the DES or AES standards.

The following fields appear only when Authorization, No Privileges or Authorization, Privileges is selected in Authentication Level.

Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.

Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.

Encryption Type: The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages.

Privacy Password: The privacy pass phrase used for encrypting SNMP version 3 messages.

5 Click Save.

Tasks

• Modifying or deleting SNMP forwarder settings on page 45
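As an added example (not McAfee code), the following Python checks an SNMP Servers entry against the field rules of Table 6-1 before it is typed into the SNMP window, and separately flags the choices the form accepts but that leave the fault channel weak. The dictionary keys, function names and the sample entry are this example's own constructions; the Authoritative Engine ID rule implemented is the "complete hex pairs" rule stated in the table.

```python
import ipaddress
import re

AUTH_LEVELS = ("No Authorization, No Privileges",
               "Authorization, No Privileges",
               "Authorization, Privileges")
FORWARD_FAULTS = ("Critical", "Error and above",
                  "Warning and above", "Informational and above")
# Authoritative Engine ID: hex bytes, optionally dash-separated, so only
# complete (even) pairs such as 00-1B-3F-2C or a MAC address pass.
ENGINE_ID_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-?[0-9A-Fa-f]{2})*$")


def valid_engine_id(value: str) -> bool:
    """True when the value is made only of complete hex pairs."""
    return bool(ENGINE_ID_RE.match(value))


def validate_snmp_target(cfg: dict) -> list:
    """Return the problems with one SNMP Servers entry (empty list = acceptable)."""
    problems = []
    try:
        ipaddress.ip_address(cfg.get("ip_address", ""))      # IPv4 or IPv6 accepted
    except ValueError:
        problems.append("IP Address must be a valid IPv4 or IPv6 address")
    if not 1 <= int(cfg.get("target_port", 162)) <= 65535:
        problems.append("Target Port is out of range")
    if cfg.get("forward_faults") not in FORWARD_FAULTS:
        problems.append("Forward Faults must be one of the four severity options")

    version = str(cfg.get("snmp_version"))
    if version in ("1", "2c", "Both 1 and 2c"):
        if not cfg.get("community_string"):
            problems.append("Community String is required for SNMP v1/v2c")
    elif version == "3":
        level = cfg.get("auth_level")
        if level not in AUTH_LEVELS:
            problems.append("Authentication Level must be one of the listed categories")
        if not cfg.get("user_name"):
            problems.append("User Name is required for SNMP v3")
        if not valid_engine_id(cfg.get("engine_id", "")):
            problems.append("Authoritative Engine ID must be hex pairs such as 00-1B-3F-2C")
        if level in AUTH_LEVELS[1:] and (cfg.get("auth_type") not in ("MD5", "SHA")
                                         or not cfg.get("auth_password")):
            problems.append("Authentication Type (MD5 or SHA) and Authentication Password are required")
        if level == AUTH_LEVELS[2] and (cfg.get("encryption_type") not in ("DES", "AES")
                                        or not cfg.get("privacy_password")):
            problems.append("Encryption Type (DES or AES) and Privacy Password are required")
    else:
        problems.append("SNMP Version must be 1, 2c, Both 1 and 2c, or 3")
    return problems


def weak_settings(cfg: dict) -> list:
    """Advisories for choices the form accepts but that leave the fault channel weak."""
    notes = []
    if str(cfg.get("snmp_version")) != "3":
        notes.append("SNMP v1/v2c carries the community string in cleartext")
    elif cfg.get("auth_level") == AUTH_LEVELS[0]:
        notes.append("No Authorization, No Privileges: faults are neither authenticated nor encrypted")
    else:
        if cfg.get("auth_type") == "MD5":
            notes.append("MD5 authentication: prefer SHA")
        if cfg.get("encryption_type") == "DES":
            notes.append("DES privacy: prefer AES")
    return notes


# Constructed entry: SNMP v3 with authentication and privacy (documentation address)
SAMPLE_TARGET = {
    "ip_address": "192.0.2.25", "target_port": 162, "forward_faults": "Error and above",
    "snmp_version": "3", "auth_level": "Authorization, Privileges", "user_name": "nsmfaults",
    "engine_id": "00-1B-3F-2C", "auth_type": "SHA", "auth_password": "<auth passphrase>",
    "encryption_type": "AES", "privacy_password": "<privacy passphrase>",
}

if __name__ == "__main__":
    print(validate_snmp_target(SAMPLE_TARGET), weak_settings(SAMPLE_TARGET))
```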

Modifying or deleting SNMP forwarder settings

To modify or delete SNMP Forwarder settings, do the following:

Task

1 Select Admin-Domain-Name | Fault Notification | SNMP.

2 Select the configured SNMP server instance from the SNMP Forwarder List page.

3 Do one of the following:

a To edit the settings, click Edit, modify the fields as required, and then click Save.

b To delete the settings, click Delete and then click OK to confirm the deletion.

Forwarding faults to a Syslog server

The Fault Notification | Syslog action enables the forwarding of McAfee Network Security Platform faults to a syslog server. Syslog forwarding enables you to view the forwarded faults via a third-party syslog application. For syslog forwarding, the root domain and parent domains have the option to include faults from all corresponding child domains.

To enable syslog forwarding for fault notification, do the following:

Task

1 Select Admin-Domain-Name | Fault Notification | Syslog.

The Syslog window is displayed.

2 Fill in the following fields:

Table 6-2

Enable Syslog Notification: Yes is enabled; No is disabled.

Admin Domains: Select the following options to enable admin domain notification:

• Current: Send notifications for alerts in the current domain. Always enabled for the current domain.

• Children: Include alerts for all child domains of the current domain.

Server Name or IP Address: Type either the Host IP Address or Host Name of the syslog server where alerts will be sent. For Host IP Address, you can enter either an IPv4 or IPv6 address.

Port: Port on the target server which is authorized to receive syslog messages. The standard port for syslog, 514, is pre-filled in the field.

Facilities: Standard syslog prioritization value. The choices are as follows:

• Security/authorization (code 4)

• Security/authorization (code 10)

• Log audit (note 1)

• Log alert (note 1)

• Clock daemon (note 2)

• Local user 0 (local0)

• Local user 1 (local1)

• Local user 2 (local2)

• Local user 3 (local3)

• Local user 4 (local4)

• Local user 5 (local5)

• Local user 6 (local6)

• Local user 7 (local7)

Severity Mapping: You can map each fault severity (Informational, Error, Warning, and Critical) to one of the standard syslog severities listed below (default severity mappings are noted in parentheses):

• Emergency: system is unusable

• Alert: action must be taken immediately

• Critical: (HIGH) critical conditions

• Error: error conditions

• Warning: (MEDIUM) warning conditions

• Notice: (LOW) normal but significant condition

• Informational: (INFORMATIONAL) informational messages

• Debug: debug-level messages

Forward Faults: Select the severity of the faults that you want to be forwarded to the syslog server. The options are:

• Critical: only Critical faults

• Error and above: both Error and Critical faults

• Warning and above: Warning, Error, and Critical faults

• Informational and above: all faults

3 Click Save.

You must click Save before you will be able to customize the message format sent to your syslog server.

4 Select the Message Preference to send as the syslog forwarding message. The choices are:

• System Default: the default message is a quick summary of a fault with two fields for easy recognition: Attack Name and Attack Severity. A default message reads:

Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)

• Customized: create a custom message. To create a custom message, do the following:

1 Click Edit to create a custom message.

2 Type a message and select (click) the parameters for the desired alert identification format. The following figure displays a custom message. You can type custom text in the Message field as well as click one or more of the provided elements below the field box.

3 Click Save when finished to return to the Syslog page. The Customized button is automatically selected after you have customized the Message Preference.

Table 6-3

Item Description

1 Custom typed text

2 Selected token

For syslog information to appear correctly, ensure that you use the dollar-sign ($) delimiter immediately before and after each element. Example: $ATTACK_TIME$

5 Click Save.
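As an added example (not McAfee code), the following Python models the Forward Faults threshold and Severity Mapping of Table 6-2 together with the $ELEMENT$ message template of step 4, so that you can predict the exact line a syslog server will receive for a given fault and catch a template with a missing delimiter before saving it. The function names, the sample settings and the sample fault names are constructed for this example; the facility and severity numbers are the RFC 3164 values, and the example assumes the forwarder prepends a standard <PRI> to the message.

```python
import re
from typing import Optional

# Fault severities from least to most severe, so "Warning and above" is
# Warning, Error and Critical, exactly as the Forward Faults field describes.
FAULT_SEVERITIES = ("Informational", "Warning", "Error", "Critical")
FORWARD_FAULTS = {  # Forward Faults option -> lowest severity that is forwarded
    "Critical": "Critical",
    "Error and above": "Error",
    "Warning and above": "Warning",
    "Informational and above": "Informational",
}
# Standard syslog severity numbers (RFC 3164) for the names in Severity Mapping
SYSLOG_SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}
# RFC 3164 facility codes for the Facilities choices in Table 6-2. The guide lists
# one "Clock daemon (note 2)" entry; RFC 3164 uses that label for 9 and 15, 15 is assumed.
FACILITY = {
    "Security/authorization (code 4)": 4, "Security/authorization (code 10)": 10,
    "Log audit (note 1)": 13, "Log alert (note 1)": 14, "Clock daemon (note 2)": 15,
    **{f"Local user {n} (local{n})": 16 + n for n in range(8)},
}
TOKEN_RE = re.compile(r"\$([A-Z_]+)\$")   # one element: $NAME$ with both delimiters


def should_forward(fault_severity: str, forward_faults: str) -> bool:
    """Apply the Forward Faults threshold to one fault."""
    lowest = FORWARD_FAULTS[forward_faults]
    return FAULT_SEVERITIES.index(fault_severity) >= FAULT_SEVERITIES.index(lowest)


def check_template(template: str, known: set) -> list:
    """Problems with a message template (empty list means it is well formed)."""
    problems = [f"unknown element ${n}$" for n in TOKEN_RE.findall(template)
                if n not in known]
    if "$" in TOKEN_RE.sub("", template):   # a '$' left over is an unbalanced delimiter
        problems.append("each element needs a '$' immediately before and after it")
    return problems


def render_template(template: str, tokens: dict) -> str:
    """Substitute $ELEMENT$ tokens, refusing a malformed template outright."""
    problems = check_template(template, set(tokens))
    if problems:
        raise ValueError("; ".join(problems))
    return TOKEN_RE.sub(lambda m: str(tokens[m.group(1)]), template)


def build_syslog_line(fault: dict, settings: dict) -> Optional[str]:
    """Return '<PRI>message' for a fault, or None when the threshold filters it out."""
    if not should_forward(fault["severity"], settings["forward_faults"]):
        return None
    syslog_sev = settings["severity_mapping"][fault["severity"]]   # Severity Mapping field
    pri = FACILITY[settings["facility"]] * 8 + SYSLOG_SEVERITY[syslog_sev]
    tokens = {"IV_ATTACK_NAME": fault["name"], "IV_ATTACK_SEVERITY": fault["severity"]}
    return f"<{pri}>{render_template(settings['message'], tokens)}"


# Constructed settings: local0, "Error and above", each fault severity mapped to
# the syslog severity of the same name, and the System Default message.
SETTINGS = {
    "facility": "Local user 0 (local0)",
    "forward_faults": "Error and above",
    "severity_mapping": {"Critical": "Critical", "Error": "Error",
                         "Warning": "Warning", "Informational": "Informational"},
    "message": "Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)",
}
SAMPLE_FAULTS = [   # constructed fault names, not actual Manager fault names
    {"name": "Sensor heartbeat lost", "severity": "Critical"},
    {"name": "Disk usage high", "severity": "Warning"},
]

if __name__ == "__main__":
    for fault in SAMPLE_FAULTS:
        print(fault["name"], "->", build_syslog_line(fault, SETTINGS))
```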

Common settings for fault notification

The Common Settings action enables you to determine the breadth and detail of fault information that will be sent via email, pager, or script. You can configure a suppression time within which faults are held pending Acknowledge or Delete actions (or automatic clearing events from the source) within Operational Status.

To manage fault notification details, do the following:

Task

1 Select Admin-Domain-Name | Fault Notification | Common Settings.

2 Fill in the following fields:

• Admin Domains

  • Current: send only faults for the current domain. This is always selected for the current domain.

  • Children: send faults for all child domains of the current domain.

• Notification Scope: If McAfee® Network Security Sensor (Sensor) interfaces have been delegated to a child domain, faults can be set to display by the Admin domain in which the delegated interface resides, rather than by the domain where the Sensor is controlled.

  • Entire Device: faults based on the Sensor-domain relationship.

  • Individual interface: faults based on the interface-domain relationship.

• Suppression Time: the amount of time to suppress system faults before forwarding. Suppression Time can only be set within the root admin domain.

3 Click Save.

Sending alerts to an email or pager

Users can be alerted by email or email pager when a fault occurs that matches a specified severity.

You must also identify a mail server for email notifications. For more information, see Specifying a mail server for notifications.

Email and pager notifications are configured per admin domain.

To enable email or pager fault notification, do the following:

Task

1 Select Admin-Domain-Name | Fault Notification | Email or Admin-Domain-Name | Fault Notification | Pager.

2 Select the enabled status (Enable Email/ Pager Notification). Yes is enabled; No is disabled.

3 Select a fault Severity Level to be notified of:

Table 6-4

Informational and above: Notifies for all faults.

Warning and above: Notifies for Warning, Error, and Critical faults.

Error and above: Notifies for Error and Critical faults.

Critical: Notifies only for Critical faults.

4 Select a Message Preference. The message preference is a preset response sent with the notification with information pertaining to the fault.

• System Default: The system default message provides the notified admin with the most basic fault details so that an immediate response can be made. Details include the fault type (severity) and the component source. The subject line of the default message contains the fault name.

You cannot edit the System Default message.

• Customized: Type a message and select (click) the parameters for the desired attack identification format. The following figure displays a custom message. You can type custom text in the Subject field or Body section, as well as click one or more of the provided elements at Subject Line Content or Body Text to add to the description. When you are finished formatting your message template, click Save. The Customized button is selected if you have customized the message.

Table 6-5

Item Description

1 Custom typed text

2 Selected tokens

5 Click Save to save your notification settings.

6 Specify the email or pager address of the intended recipient(s).

7 Scroll to the bottom of the Email or Pager page.

a Click New.

b In SMTP Address, type an email address or email pager address.

c Click Save when complete.

d Repeat steps a through d to add additional recipient addresses.

Specifying script parameters for fault notification

Users can be alerted via an executed script when a system fault occurs that matches a configured severity.

Script notifications are configured per admin domain.

To enable alert notification by script, do the following:

Task

1 Select Admin-Domain-Name | Fault Notification | Script.

2 Select the enabled status (Enable Script Execution). Yes is enabled; No is disabled.

3 Select a Severity Level to be notified of:

Table 6-6

Informational and above: Notifies for all faults.

Warning and above: Notifies for Warning, Error, and Critical faults.

Error and above: Notifies for Error and Critical faults.

Critical: Notifies only for Critical faults.

4 Configure Script Contents. This is a preset response sent with the notification with information pertaining to the fault.

a Click Edit.

b Type a name for the script at Description.

c For the Script Contents section, type the text and select the content-specific variables for the attack information you want to see.

d Click Save to return to the notification form. The script is saved to your installation directory at: <Network Security Manager install directory>\temp\scripts\0\<script-name>. The script file name is appended with ".bat".

5 Click Save to save your notification settings.

7 Managing Audit Notification

Every action that is performed by the Manager and the Manager server is audited with all of its information. Each audit record contains the following:

• action performed

• result of the action (success or failure)

• time of action

• action message

• user information

• category of the action performed

• admin domain

• comments in detail

Manager can forward this audit information to syslog server.

Contents

Configuring Syslog Forwarder
Customizing Syslog Message

Configuring Syslog Forwarder

The Audit Notification action enables the forwarding of McAfee Network Security Platform audit information to a syslog server. Syslog forwarding enables you to view the forwarded audit information via a third-party syslog application. For syslog forwarding, the root domain and parent domains have the option to include audit information from all corresponding child domains.

To enable syslog forwarding for audit notification, do the following:

Task

1 Select Admin-Domain-Name | Audit Notification.

The User Activity Audit Syslog page is displayed.

2 Fill in the following fields:

Table 7-1

Enable Syslog Forwarder: Yes is enabled; No is disabled.

Enable Domain Notification:

• Current Admin Domain: Send notifications for audit information in the current domain. Always enabled for the current domain.

• All Child Domain(s): Include audit information for all child domains of the current domain.

Syslog Server (IP Address OR Host Name): Type either the Host IP Address or Host Name of the syslog server where audit information will be sent. For Host IP Address, you can enter either an IPv4 or IPv6 address.

Port: Port on the target server which is authorized to receive syslog messages. The standard port for syslog, 154, is pre-filled in the field.

Facilities: Standard syslog prioritization value. The choices are as follows:

• Security/authorization (code 4)

• Security/authorization (code 10)

• Log audit (note 1)

• Log alert (note 1)

• Clock daemon (note 2)

• Local user 0 (local0)

• Local user 1 (local1)

• Local user 2 (local2)

• Local user 3 (local3)

• Local user 4 (local4)

• Local user 5 (local5)

• Local user 6 (local6)

• Local user 7 (local7)

Result Mapping: You can map each audit result (Failed to, Successful to, and In Progress to) to one of the standard syslog severities listed below (default result severities are noted in parentheses):

• Emergency: system is unusable

• Alert: action must be taken immediately

• Critical: (HIGH) critical conditions

• Error: error conditions

• Warning: (MEDIUM) warning conditions

• Notice: (LOW) normal but significant condition

• Informational: (INFORMATIONAL) informational message

• Debug: debug-level messages

Forward Audit: Select the severity of the audit information that you want to be forwarded to the syslog server. The options are:

• Allow all Audit logs

• Failed only

• Successful only

• In Progress only

Message Preference: Select the preference of the message. The options are:

• System default: this is available by default

• Customized: this is available once the notification is enabled

3 Click Apply.

Customizing Syslog Message

To customize the syslog message, ensure that Enable Syslog Forwarder is enabled in the User Activity Audit Syslog page. If it is enabled and updated (by clicking Apply), the User Activity Audit Syslog page is displayed as follows:

The page displays the message: Update successful: The changes have been updated.

In Message Preference, the default option is selected as Customized.

Do the following steps to customize the syslog message.

Task

1 Click Edit.

The Customize User Activity Syslog Forwarder Message page is displayed.

By default, the following audit information parameters are included in Messages:

• audit action

• audit result

• audit time

These parameters are displayed as: Audit $IV_AUDIT_ACTION$ $IV_AUDIT_RESULT$ at $IV_AUDIT_TIME$

2 Type a message and select (click) the parameters that should be included in Message Content. The following parameters are available in the Message Content field:

• audit action

• audit result

• audit time

• audit message

• audit user

• audit category

• audit domain

• audit detail comment

• audit detail delta

For the syslog message to appear correctly, ensure that you use the dollar-sign ($) delimiter immediately before and after each parameter. Example: $ATTACK_TIME$

3 Click Save to save the customized syslog message.
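On the receiving side, the customized message above is what a syslog collector has to parse. As an added example (not McAfee code), the following Python derives a parser from a forwarder template, runs it over constructed audit lines, and flags two things a defender cares about: users with repeated "Failed to" results, and lines whose syslog severity disagrees with the Result Mapping the collector expects (a sign the forwarder's mapping was changed). $IV_AUDIT_ACTION$, $IV_AUDIT_RESULT$ and $IV_AUDIT_TIME$ are the names the guide shows; $IV_AUDIT_USER$ and $IV_AUDIT_DOMAIN$ are assumed names for the "audit user" and "audit domain" parameters, the expected mapping is an assumption, and the example assumes the forwarder prepends a standard <PRI>.

```python
import re
from collections import Counter

# Template the forwarder is assumed to be configured with (step 2 above).
# $IV_AUDIT_ACTION$, $IV_AUDIT_RESULT$ and $IV_AUDIT_TIME$ are the names shown in
# the guide; $IV_AUDIT_USER$ and $IV_AUDIT_DOMAIN$ are assumed names for the
# "audit user" and "audit domain" parameters.
AUDIT_TEMPLATE = ("Audit $IV_AUDIT_ACTION$ $IV_AUDIT_RESULT$ at $IV_AUDIT_TIME$"
                  " user=$IV_AUDIT_USER$ domain=$IV_AUDIT_DOMAIN$")
RESULTS = ("Failed to", "Successful to", "In Progress to")     # audit results, Table 7-1
# Result Mapping this receiver expects, as syslog severity numbers (constructed:
# Failed -> Error 3, Successful -> Informational 6, In Progress -> Notice 5)
EXPECTED_SEVERITY = {"Failed to": 3, "Successful to": 6, "In Progress to": 5}


def template_to_regex(template: str) -> "re.Pattern":
    """Turn a $TOKEN$ template into a regex with one named group per token,
    preceded by the syslog <PRI> the forwarder is assumed to prepend."""
    pattern = ""
    for i, part in enumerate(re.split(r"\$([A-Z_]+)\$", template)):
        if i % 2 == 0:                       # literal text between elements
            pattern += re.escape(part)
        elif part == "IV_AUDIT_RESULT":      # only the three documented results
            pattern += "(?P<%s>%s)" % (part, "|".join(re.escape(r) for r in RESULTS))
        else:
            pattern += "(?P<%s>.+?)" % part
    return re.compile(r"^<(?P<pri>\d{1,3})>" + pattern + "$")


def parse_audit_lines(lines, template=AUDIT_TEMPLATE):
    """Return (records, unparsed); each record holds the template fields plus
    the syslog severity number taken from PRI (PRI = facility*8 + severity)."""
    rx = template_to_regex(template)
    records, unparsed = [], 0
    for line in lines:
        m = rx.match(line.rstrip("\n"))
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["severity"] = int(rec.pop("pri")) & 7
        records.append(rec)
    return records, unparsed


def find_failure_bursts(records, threshold=3):
    """Users whose 'Failed to' audit results reach the threshold."""
    fails = Counter(r["IV_AUDIT_USER"] for r in records if r["IV_AUDIT_RESULT"] == "Failed to")
    return {user: n for user, n in fails.items() if n >= threshold}


def find_mapping_drift(records, expected=EXPECTED_SEVERITY):
    """Records whose syslog severity disagrees with the expected Result Mapping,
    which points at a forwarder whose mapping was changed."""
    return [r for r in records if r["severity"] != expected[r["IV_AUDIT_RESULT"]]]


# Constructed sample lines (local0 facility: PRI 134 = Informational, 131 = Error)
SAMPLE_LINES = [
    "<134>Audit Login Successful to at 2011-03-01 09:00:01 user=alice domain=My Company",
    "<131>Audit Login Failed to at 2011-03-01 09:05:10 user=bob domain=My Company",
    "<131>Audit Login Failed to at 2011-03-01 09:05:14 user=bob domain=My Company",
    "<131>Audit Login Failed to at 2011-03-01 09:05:19 user=bob domain=My Company",
    "<134>Audit Edit policy Failed to at 2011-03-01 09:10:00 user=carol domain=My Company",
    "this line does not follow the template",
]

if __name__ == "__main__":
    recs, bad = parse_audit_lines(SAMPLE_LINES)
    print(len(recs), "parsed,", bad, "unparsed")
    print("failure bursts:", find_failure_bursts(recs))
    print("mapping drift:", [r["IV_AUDIT_USER"] for r in find_mapping_drift(recs)])
```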

Index

A
about this guide 5
admin domains
  overview 7
  Root Admin Domain 11

C
child domains
  Working with child domains 15, 17
conventions 35
conventions and icons used in this guide 5
custom roles 9, 15, 24, 26, 53, 55

D
documentation
  audience for this guide 5
  product-specific, finding 6
  typographical conventions and icons 5

F
fault notifications 41, 42

L
log information 33, 34
long running processes 37, 38, 45

M
McAfee ServicePortal, accessing 6

R
roles
  types of; user roles 23, 26
root admin domain 16

S
ServicePortal, finding product documentation 6
Super User privileges 25, 31
Syslog forwarder 19, 20, 45, 47, 48, 50
system information logs 33

T
Technical Support, finding product information 6

U
user activity audit 35
users 22

700-2368-00