Installation Guide McAfee Enterprise Security Manager 10.1.0


COPYRIGHT

© 2017 McAfee LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, Foundstone, McAfee LiveSafe, McAfee QuickClean, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, TrustedSource, VirusScan are trademarks of McAfee LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Installation overview
  McAfee Enterprise Security Manager components
  Configuration scenarios
  McAfee ESM installation overview

2 Installing McAfee ESM devices
  ESM console hardware and software requirements
  Identifying a location for installation
  Hardware setup
    Inspect packaging and device
    Mount hardware in a rack

3 Mounting ESM software on a VM
  Mounting ESM VM image overview
  ESM VM system requirements
  Download the ESM VM image
  VMware ESXi VM ESM software mounting
    VMware ESXi VM requirements
    Mount the VMware ESXi virtual machine
  Linux KVM ESM installation
    Linux KVM requirements
    Deploy Linux KVM ESM software
  Configure the VM ESM software
    Configure the virtual machine
    Key the VM device

4 Installing ESM on AWS
  Using ESM with AWS
  Create the AWS
  Create an ESM image and install it on AWS
  Configure ESM AWS connections

5 Setting up McAfee ESM network connections
  Configure the ESM network interface
  Configure the ERC, ELM, ELS, or ACE network interface
  Configure the DEM or ADM network interface

6 Initial ESM logon and configuration
  Log on to the McAfee ESM console
  Connecting devices
    Add devices to the ESM console
  Confirm in ESM that all devices appear
  Key a device

7 Upgrading McAfee ESM software
  What you have and what you need
  Preparing to upgrade
    Back up ESM settings and system data
    Check ERC high availability status
  Special upgrade scenarios
  Download the upgrade files
  Upgrade the software on a device
  Upgrade the system
  Upgrade ESM, ESMREC, or ENMELM
  Upgrade HA Receivers
  Available VA vendors

A Alternative installation scenarios
  Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
  Install DAS
  Common Criteria evaluated configuration
  Regulatory notices

B Enabling FIPS mode
  Select FIPS mode

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

• Italic: Title of a book, chapter, or topic; a new term; emphasis

• Bold: Text that is emphasized

• Monospace: Commands and other text that the user types; a code sample; a displayed message

• Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes

• Hypertext blue: A link to a topic or to an external website

• Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

• Tip: Best practice information

• Caution: Important advice to protect your computer system, software installation, network, business, or data

• Warning: Critical advice to prevent bodily harm when using a hardware product

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.

1 Installation overview

This document provides an overview of McAfee® Enterprise Security Manager (McAfee ESM) components and instructions on how to install and cable the hardware components. It also describes how to deploy the software on a virtual machine (VM) or upgrade the software on existing components, and how to configure the components initially on your network.

Contents

• McAfee Enterprise Security Manager components

• Configuration scenarios

• McAfee ESM installation overview

McAfee Enterprise Security Manager components

McAfee ESM and its components are installed in your network and configured to identify vulnerabilities and threats.

If a threat occurs, the ESM can:

• Notify you using the user interface, email, SNMP, or a text message.

• Save the history of the threat for analysis.

• Automatically act on the threat based on configured policy.

The McAfee ESM components include:

• McAfee® Enterprise Security Manager (McAfee ESM) — Available as a hardware component or Virtual Machine (VM) software installation, the McAfee ESM displays threat data, reputation feeds, and vulnerability status and a view of the systems, data, risks, and activities inside your enterprise.

• McAfee Event Receiver (ERC) — Available as a hardware component or VM software installation, it collects up to tens of thousands of events per second, parses that data, and sends it to the ESM devices.

• McAfee Enterprise Log Manager (ELM) — Available as a hardware component or VM software installation, it collects, compresses, signs, and stores all events to provide a proven audit trail of activity.

• McAfee Enterprise Log Search (ELS) — A hardware component that collects, indexes, and stores all events to provide a proven audit trail of activity. The ELS searches the events faster using its indexes.

• McAfee Receiver/ELM (ELMERC) — Available as a hardware component or VM software installation that includes both ELM and ERC.

• McAfee Advanced Correlation Editor (ACE) — Available as a hardware component or VM software installation that simplifies event correlation and startup to identify and score threat events in historical or real time, using both rule- and risk-based logic.

• McAfee Application Data Monitor (ADM) — A hardware component that monitors more than 500 known applications through the whole layer stack and captures full session detail of all violations.

• McAfee Database Event Monitor (DEM) — A hardware component that automates the collection, management, analysis, visualization, and reporting of database access for most database platforms.

• McAfee Direct Attached Storage (DAS) — A hardware component connected to the ESM, ELM, or ELS to expand storage space.

In redundant solutions, one DAS device is required in each system. For example, two redundant ESMs and two redundant ELMs require four DAS devices.

• ESM Console — A computer with a browser used to configure and manage the ESM by security administrators.

You might use just one combination ESM, or many of these components, depending on your environment.

For detailed configuration information, see the McAfee Enterprise Security Manager Product Guide.

Configuration scenarios

You can configure McAfee ESM with just one combination ESM, or you can add components to identify threats in a large enterprise network.

Adding components to your network environment allows you to increase performance, add functionality, and increase event storage capability. For example, adding the following components or more advanced models of an existing component can scale your network protection.

VM installed ESM combination devices have limits to the number of components that you can add.

• ACE — Increases the events-per-second (EPS) capability, logs, network flows, and contextual information sent to the ESM.

• ADM — Listens to layer 7 traffic on the network to monitor applications that would normally be missed using logging only, and it tracks the application transaction details you can store.

• DEM — Increases the database transactions you can store, how you access those transactions, and discovers unknown databases on the network for added security.

• ERC — Additional ERCs increase the EPS throughput from your network segments and the connected data sources.

The EPS throughput for an ERC depends on the model.

• ELM — The ELM increases the raw logs you can compress and store. The ELM is the only device that stores the logs in compliant "Raw Format."

• ELS — The ELS, compared to the ELM, speeds searching event data using its index tags. But, it has a much lower compression ratio than the ELM and is not meant to meet compliance requirements.

• ESM — Adding a redundant ESM allows you to quickly switch to the standby ESM if the active ESM ever fails or needs maintenance.

Simple ESM scenario

This figure shows that one ESM device allows you to gain visibility to your network events.

Complex ESM scenario

This figure shows how a large enterprise network uses multiple ESM components to gain visibility into your network events. As the network grows and your events increase, you can add ESM components.

McAfee ESM installation overview

This flowchart provides an overview of the steps required to install the ESM solution.

2 Installing McAfee ESM devices

Installing your McAfee devices requires mounting them in the rack, cabling the devices, and powering them on. These installation instructions apply to all current models of McAfee ESM devices.

Contents

• ESM console hardware and software requirements

• Identifying a location for installation

• Hardware setup

ESM console hardware and software requirements

The system you use for the McAfee ESM console must meet these minimum hardware and software requirements.

• Processor — P4 class (not Celeron) or higher (Mobile/Xeon/Core2, Corei3/5/7) or AMD AM2 class or higher (Turion64/Athlon64/Opteron64, A4/6/8)

• RAM — 1.5 GB

• Windows operating system — Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 7, Windows 8, Windows 8.1, and Windows 10

• Browser — Internet Explorer 11 or later, Mozilla Firefox 42 or later, Google Chrome 48 or later

• Flash Player — Version 11.2.x.x or later

ESM features use pop-up windows when uploading or downloading files. Disable the pop-up blocker for the IP address or host name of your ESM.

Identifying a location for installation

You must analyze your existing network and identify the network and physical location for your devices. Proper location impacts the effective use of your devices.

When selecting a location for your devices:

• Install your ESM device in a network location where it can manage devices and be accessible by any systems needing to reach it. If direct communication is restricted between devices managed by the ESM and systems running ESM, configure your network to route network traffic between them.

• Install the ESM device in a secure location that is only accessible by network security personnel.

• Your Receiver must be accessible to the devices it monitors. If direct communication isn't possible, you must configure your network to allow proper routing of network traffic between them.

Hardware setup

These are the steps needed to physically install, connect, and power on your ESM devices.

Tasks

• Inspect packaging and device
  Before installing your equipment, make sure that there is no sign of damage or tampering.

Inspect packaging and device

Before installing your equipment, make sure that there is no sign of damage or tampering.

Task

1 When you receive your device, inspect the packaging and the device for signs of damage or tampering, including the tamper-evident packing tape that is securing the shipping container.

If there is any sign of damage, mishandling, or tampering, contact McAfee Support immediately for instructions, and do not install the product.

2 Verify that the package contains all items listed on the packing slip.

3 When performing a FIPS installation, find the tamper-evident seal in the shipping container's accessories package. Apply the seal so it completely blocks the USB ports, preventing their use without leaving evidence of tampering.

Figure 2-1 USB tamper seal

Contact Technical Support immediately if not fully satisfied with the inspection.

Mount hardware in a rack

Mount your ESM devices in a rack to protect them and their cabling from damage or from being disconnected.

Tasks

• Install AXXVRAIL rail set
  An AXXVRAIL rail set is shipped with each device so you can install it in a rack.

• Remove the chassis
  You can remove the chassis from the rails to replace or move the device.

• Connect to network and start the devices
  After installing the devices, make the network connections and power on the devices.

Install AXXVRAIL rail set

An AXXVRAIL rail set is shipped with each device so you can install it in a rack.

The default rail set we ship is designed to work in most racking systems. If that rail system does not work, you might need to buy a rail system designed for your server cabinet.

Task

1 Install rails in the rack.

a Pull the release button (F) to remove the inner member (D) from the slides.

Components

A - front bracket

B - outer member

C - rear bracket

D - inner member

E - safety locking pin

F - release button


b Align the brackets to a vertical position on the rack, then insert the fasteners.

c Move the ball retainer to the front of the slides.


2 Install the chassis.

a Align the inner member key holes to standoffs on the chassis.

b Move the inner member in the direction shown in the following picture.

c Install the chassis to the fixed slides by pulling the release button in the inner member to release the lock and allow the chassis to close.

Remove the chassis

You can remove the chassis from the rails to replace or move the device.

Task

1 Fully extend the slides until the slides are in a locked position.

2 Pull the release button to release the lock and disconnect the inner member from the slides.

3 Press the safety locking pin to release the inner member from the chassis.

Connect to network and start the devices

After installing the devices, make the network connections and power on the devices.

Tasks

• Connector and equipment types
  You can connect your ESM devices to the network using standard Ethernet copper cables.

• Connect power and start devices
  Connecting the power and startup process is similar for all ESM hardware components.

Connector and equipment types

You can connect your ESM devices to the network using standard Ethernet copper cables.

Connect your ESM, Receiver, ADM, and DEM devices to the network using copper connectors. The CAT5 copper cables have RJ-45 connectors. Use CAT5 or higher for your copper connections. For gigabit connections, use CAT5e.

The ADM and DEM require a network Switch Port Analyzer (SPAN) or Test Access Point (TAP) connection to listen to the network traffic. This means that the connected switch must mirror the traffic from other switch ports, usually ports on that same switch.

You can connect Data Circuit-Terminating Equipment (DCE) and Data Terminal Equipment (DTE) to your ESM devices.

• Firewalls and routers are DTE and switches are DCE.

• ESM devices are DTE.

Network cables

The ESM devices all use copper cable connections. They use either straight-through or crossover copper RJ-45 male cables.

• To connect an ESM device RJ-45 port to DCE, use a straight-through cable.

• To connect to a DTE, use a crossover cable.

To distinguish between a straight-through and crossover cable, hold the two ends of the cable as shown:

• On a straight-through cable, the colored wires are in the same sequence at both ends.

• On a crossover cable, the first (far left) colored wire at one end is the same color as the third wire at the other end of the cable.

Network ports

Identify the ports on the McAfee devices and connect those cables.

The devices contain management ports so they can be managed from McAfee ESM.

The following images identify the management and collection ports.

1U ERC

• Monitor connection

• Eth0: Connection varies by device:
  • ERC — MGMT 1
  • ADM — MGMT 2

• Eth1: Connection varies by device:
  • ERC — MGMT 2
  • ADM — MGMT 1

• Eth5: IPMI, use as follows:
  • For non-HA configurations, use for remote management access
  • For ERC, used for HA configuration connection

• Eth4: Connection varies by device:
  • ERC — Can be used as additional MGMT port
  • ADM — Collection (sniffer) ports

• Eth3: Connection varies by device:
  • ERC — Can be used as additional MGMT port
  • ADM — Collection (sniffer) ports

• Eth2: Connection varies by device:
  • ERC — Can be used as additional MGMT port
  • ADM — Collection (sniffer) ports

1U ERC HA connections

• Monitor connection

• Eth0: MGMT 1 configured with unique IP addresses

• Eth1: MGMT 2 (Data port) configured with a shared IP address

• Eth5: For HA:
  • Primary — Port 1 of 4-port NIC to secondary IPMI port
  • Secondary — Port 1 of 4-port NIC to primary IPMI port

• Eth4: For HA:
  • Primary — IPMI Port to secondary Eth5 port, 1 of 4-port NIC
  • Secondary — IPMI Port to primary Eth5 port, 1 of 4-port NIC

• Eth3: Heartbeat connection between HA devices

• Eth2: Not used

Not used

2U ERC

• Eth7: HA reserved for IPMI connection

• Eth6: HA reserved for Heartbeat

• Eth5: Can be used as additional MGMT port. Shown on graphical user interface as "Interface 6"

• Eth4: IPMI, use as follows:
  • For non-HA configurations, use for remote management access
  • For ERC, used for HA configuration connection
  Shown on graphical user interface as "Interface 5"

• Eth0: MGMT 1. Shown on graphical user interface as "Interface 1"

• Eth1: Can be used as additional MGMT port. Shown on graphical user interface as "Interface 2"

• Eth2: Can be used as additional MGMT port. Shown on graphical user interface as "Interface 3"

• Eth3: Can be used as additional MGMT port. Shown on graphical user interface as "Interface 4"

2U ERC HA connections

• Eth7: Can be used as additional MGMT port

• Eth6: MGMT 1 configured with unique IP addresses

• Eth5: Can be used as additional MGMT port

• Eth4: For HA:
  • Primary — Port 1 of 4-port NIC to secondary IPMI port
  • Secondary — Port 1 of 4-port NIC to primary IPMI port

• Eth0: For HA:
  • Primary — Port 1 of 4-port NIC secondary IPMI port
  • Secondary — IPMI port to primary port 1 of 4-port NIC

• Eth1: Heartbeat connection

• Eth2: Can be used as additional MGMT port

• Eth3: Can be used as additional MGMT port

See also Identifying a location for installation

Connect power and start devices

Connecting the power and startup process is similar for all ESM hardware components.

Task

1 Connect the power supply cable to the power source. Properly install and ground the equipment to comply with national, state, and local codes.

Connect all ESM devices to separate uninterruptible power supplies (UPS). Connecting redundant power cords and power modules operating at normal conditions balances the load share through its parallel design, resulting in a reliable power system.

2 Turn on the device.

3 Mounting ESM software on a VM

You can mount the McAfee ESM software on an ESXi VM or on Linux Kernel-based Virtual Machine (KVM) servers.

Contents

• Mounting ESM VM image overview

• ESM VM system requirements

• Download the ESM VM image

• VMware ESXi VM ESM software mounting

• Linux KVM ESM installation

• Configure the VM ESM software

Mounting ESM VM image overview

Mounting the ESM software on a VM is similar for a VMware ESXi VM and a Linux KVM.

This flowchart shows the major tasks used to install and configure the different VM software.

ESM VM system requirements

The virtual machine (VM) you use for the McAfee ESM VM must be configured with these minimum requirements.

• Processor — 8-core 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher

• RAM — Depends on the model (4 GB or more)

• Disk space — Depends on the model (250 GB or more)


• ESXi 5.0 or later

• Thick versus thin provisioning — You must decide the hard disk requirements for your server. The minimumrequirement is 250 GB unless the VM purchased has more. See the specifications for your VM product.

Thick vs thin disk provisioning — When you configure your VM disk space, use thick provisioning, if you have theactual disk space available on your ESXi server. Using thin provisioning saves disk space but there is a slightperformance impact and you must be careful to never fill that disk space to capacity.

Download the ESM VM image

Downloading the ESM software VM image is similar for the ESXi VM and a Linux KVM.

Before you begin

You must have your McAfee Grant Number to download the ESM software VM image from the download site.

Task

1 Use your browser and this URL to access the McAfee download site:

Product Downloads, Free Security Trials & Tools

2 Click Downloads, type your McAfee Grant Number and the Captcha code, then click Submit.

3 On the My Products page, scroll down the list and click one of the McAfee Enterprise Security Mgr VM** downloads.

The number in the download file name indicates the number of cores the ESM image allocates to the VM. For example, file "VM32" allocates 32 cores to the VM.

4 Click the Current Version tab and select the McAfee Enterprise Security Mgr VM image.

5 Select one of these downloads:

• KVM Image — To download the tarball image file for a Linux Kernel VM

• OVF Deployment File — To download the .ova file for the VMware vSphere ESXi client.

6 Save the image file to a location on your local system.

Now you can install or deploy the VM image file to create your ESM VM.


VMware ESXi VM ESM software mounting

After you have downloaded the ESM software, perform these tasks to mount the software on a VMware ESXi VM.

VMware ESXi VM requirements

The VMware ESXi VM must meet these minimum requirements.

• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or later

The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

• RAM — 4 GB minimum (depends on the model)

• Disk — 250 GB minimum (depends on the model)

Sharing CPU or RAM with other VMs impacts the ESXi VM performance.

• ESXi — 5.0 or later

You can select the hard disk requirement needs for your server. But, the VM requirement depends on the model of the device (at least 250 GB). If you don't have a minimum of 250 GB available, you receive an error when deploying the VM.

This disk space is for the operating system and does not include the space needed for the database or logs.

The VM uses many features that require CPU and RAM. If the ESXi environment shares the CPU or RAM requirements with other VMs, the performance of the VM is impacted.

McAfee recommends setting the provisioning option to Thick.

Mount the VMware ESXi virtual machine

Once you mount and key a VMware ESXi VM, it mimics normal ESM operation.

Task

1 Access the root of the CD drive (for CD installation) or download the ESX .ova files from the download site.

2 In vSphere Client, click the server IP address in the device tree.

3 Click File and select Deploy OVF Template.

4 Designate the name, the folder to mount the VM, the disk provisioning setting, and the VM Networking option.

5 Deploy the files to the ESXi server, select the VM, and set the Edit Virtual Machine setting.

6 Select the correct networking settings for your VMware ESXi network switches/adapters, then click Play to start the VM.

7 Using the VM menu, set MGT1 IP address, netmask, gateway, and DNS addresses, then press Esc to activate the menu.

8 Configure the network interface on the VM, save the changes before exiting the Menu window, then key the device. See McAfee Enterprise Security Manager Product Guide for details about keying the devices.


Linux KVM ESM installation

After you have downloaded the ESM software, perform these tasks to install the software on a Linux KVM.

Linux KVM requirements

The Linux KVM where you install the ESM software must meet these minimum requirements.

Minimum requirements

• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher (for processors)

The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

• RAM — Depends on the model (4 GB or more)

• Disk space — Depends on the model (250 GB or more)

Sharing CPU or RAM with other VMs impacts KVM performance.

• 2 Virtio Ethernet interfaces for ESM

• Receiver Class devices / 3 for IPS class devices

These interfaces use sequential MAC addresses.

• 1 Virtio/Virtio-SCSI Disk Controller, which controls the Virtio virtual hard drive

Deploy Linux KVM ESM software

To run McAfee ESM in a Linux KVM environment, you must import the hard drive image from the tarball (.tgz file).

Task

1 Obtain the current tarball (.tgz) file from the McAfee Enterprise Security Manager download page.

The tarball contains sample config files.

2 Move the tarball file to the directory where you want the virtual hard drive to reside.

3 Extract the tarball by running this command:

tar -xf McAfee_ETM_VM4_250.tgz

To deploy multiple VMs of the same type in the same location, change the name of the virtual hard drive: for example, rename ERC-VM4-disk-1.raw and ERC-VM4-disk-2.raw to my_first_erc.raw and my_second_erc.raw.

4 Create a VM on your KVM hypervisor using one of these: libvirt, qemu-kvm, proxmox, virt-manager, ovirt.

5 Point the VM image to the existing virtual hard drive (Virtio disk .raw file) where you extracted the tarball.
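The deployment steps above, sketched for virt-install as an added example (not McAfee's own tooling): it derives the vCPU count from the VM<n> token in the image name, attaches the extracted .raw file as a Virtio disk, and gives the Virtio interfaces sequential MAC addresses. The VM name, bridge name, MAC base, memory size and disk directory are assumptions.

```python
import re
import shlex

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def cores_from_image_name(image_name):
    """Return the core count encoded as 'VM<n>' in an ESM image name."""
    match = re.search(r"VM(\d+)", image_name)
    if not match:
        raise ValueError("no VM<cores> token in %r" % image_name)
    return int(match.group(1))


def sequential_macs(base, count):
    """Return `count` consecutive MAC addresses starting at `base`."""
    if not MAC_RE.fullmatch(base):
        raise ValueError("not a MAC address: %r" % base)
    start = int(base.replace(":", ""), 16)
    if start + count - 1 > 0xFFFFFFFFFFFF:
        raise ValueError("MAC range overflows 48 bits")
    macs = []
    for offset in range(count):
        raw = "%012x" % (start + offset)
        macs.append(":".join(raw[i:i + 2] for i in range(0, 12, 2)))
    return macs


def virt_install_argv(name, image_name, disk_path, bridge, mac_base,
                      memory_mib, nic_count=2):
    """Build a virt-install command line that imports the extracted disk."""
    if memory_mib < 4096:
        raise ValueError("the guide's minimum is 4 GB of RAM")
    if nic_count not in (2, 3):
        # The guide lists 2 or 3 Virtio interfaces depending on device class.
        raise ValueError("use 2 or 3 Virtio interfaces")
    argv = [
        "virt-install",
        "--name", name,
        "--import",  # boot the existing disk, no installer media
        # The core count is fixed by the image and must not be changed.
        "--vcpus", str(cores_from_image_name(image_name)),
        "--memory", str(memory_mib),
        "--disk", "path=%s,format=raw,bus=virtio" % disk_path,
        "--os-variant", "generic",
        "--noautoconsole",
    ]
    for mac in sequential_macs(mac_base, nic_count):
        argv += ["--network", "bridge=%s,model=virtio,mac=%s" % (bridge, mac)]
    return argv


if __name__ == "__main__":
    # Assumed values: VM name, bridge br0, MAC base, libvirt image directory.
    print(shlex.join(virt_install_argv(
        name="esm-vm4",
        image_name="McAfee_ETM_VM4_250.tgz",
        disk_path="/var/lib/libvirt/images/my_first_erc.raw",
        bridge="br0",
        mac_base="52:54:00:12:34:fe",
        memory_mib=4096,
    )))
```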


Configure the VM ESM software

Once you have mounted the ESM software on the VM, you must configure the VM network interface connection, connect to the ESM using the ESM console, then key the device to establish a connection.

Tasks

• Configure the virtual machine: Once you have mounted the ESM software on the VM, configure the network interface.

• Key the VM device: You must key the device to establish a link between the device and the ESM.

Configure the virtual machine

Once you have mounted the ESM software on the VM, configure the network interface.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 To start the configuration, press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 To set the ESM VM IP address:

a Scroll down to Mgt1 and press Enter.

b Scroll down to IP Address and press Enter.

c Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

4 To set the IP netmask address:

a Scroll down to Netmask and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

5 To set the network gateway IP address:

a Scroll down to Gateway IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

6 To set the DNS IP address:

a Scroll down to DNS1 IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.


7 To configure whether to use DHCP:

a Scroll down to DHCP and press Enter.

b Toggle the setting between Y(es) and N(o), then press Enter to select the correct setting.

8 To quit and save your changes:

a Scroll down to Done and press Enter to return to MGT IP Conf.

b Scroll down to Save Changes and press Enter.

9 (Optional) When configuring FIPS, to change the communication port, press the down arrow twice, then press Enter.

a Scroll down to Comm Port and press Enter.

b Change the port number, then press Enter.

Make note of the new port number; you'll need it when you key the device.

10 See Log on to the McAfee ESM console to begin configuring the ESM VM settings.

11 See Key the VM device to add the SSH key to the ESM VM.

To complete the configuration, log on to the ESM console using the configured IP address and your browser.

Key the VM device

You must key the device to establish a link between the device and the ESM.

Before you begin

Physically connect the device to your network. See Installing McAfee ESM devices for details.

Task

1 On the system navigation tree, click the system or a group, then click the Add Device icon in the actions pane.

2 Enter the information requested on each page of the Add Device Wizard.


4 Installing ESM on AWS

Installing McAfee ESM on an Amazon Web Services (AWS) virtual server eliminates the chance of hardware failure.

Contents
• Using ESM with AWS
• Create the AWS
• Create an ESM image and install it on AWS
• Configure ESM AWS connections

Using ESM with AWS

An Amazon Web Services (AWS) virtual server provides the same features and performance as a locally configured McAfee ESM VM.

The basic steps to create an AWS server in your network with McAfee ESM include:

1 Get an AWS account from http://aws.amazon.com/.

2 Log on to the AWS Management Console and configure your AWS instance.

3 Install the ESM, ERC, ELM, ELS, or ACE software.

4 Configure the ESM device.

Create the AWS

Before you can install ESM on an AWS server, you must create the server with the proper settings and create a connection to your enterprise network.

Before you begin

You must have an Amazon Web Services account.

This example, and the selected values, describe creating a simple ESM server. The values you select might be different.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the AWS console to display the AWS Console page.

2 Set the AWS data center region to the location closest to most of your networks.

3 Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to open Step 1: Choose an Amazon Machine Image (AMI), and select the server instance Amazon Linux AMI.

This type has the AWS/EC2 tools pre-installed. If you choose other Linux types, you have to install the AWS/EC2 tools.

4 Open Step 2: Choose an Instance Type, select m3.large, then click Next: Configure Instance Details.

When choosing the Instance Type for a McAfee device, make sure to select the correct CPU count.

5 Click Next: Configure Instance Details to select the network to use while running your instance.

Make sure you are able to connect to your instance using:

• Public address

• Private address

You can create your own Virtual Private Cloud in AWS. For more information, see VPC in Services from the drop-down list.

6 Click Next: Add Storage to open Step 4: Add Storage page. Leave the defaults selected for the Amazon "build" instance.

The default for McAfee devices is 250 GB. You can add more volumes if you need them.

7 Click Next: Tag Instance to open Step 5: Tag Instance page. Type a name so you can find the instance under the "Value" column.

8 Click Next: Configure Security Group to open Step 6: Configure Security Group page, then select one:

• Create a new security group — A new security group limits who can log on to the instance.

Add your external-facing IP address range.

• Select existing security group.

9 Click Review and Launch to open Step 7: Review Launch Instance, then click Launch.

Disregard this warning that appears: Your instance configuration is not eligible for the free usage tier.

10 Select an existing key pair or create a new key pair, which you need to log on to your new instance.

11 Click Launch Instance and View Instances to confirm the status of the AWS server.

It might take 20–30 minutes before your instance is ready to access. When the Status Checks column next to your new instance displays 2/2 checks, you are ready to start the installation process.

12 Make a note of the public IP address, shown in this example as cc.dd.ee.ff.

This IP address is needed to transfer the installer to the instance and to log on to it.

You have created your AWS server. Continue with the AWS image creation and installation process.
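Step 8 relies on the security group to limit who can reach the instance. The check below is an added example, not part of the McAfee guide: it reads JSON in the shape returned by `aws ec2 describe-security-groups` and lists every rule that opens SSH (22) or HTTPS (443) to addresses outside your approved ranges. The group IDs, the 203.0.113.0/24 admin range and the choice of ports are constructed assumptions.

```python
import ipaddress
import json

MGMT_PORTS = (22, 443)  # assumed: SSH for the build instance, HTTPS console

# Constructed sample in the describe-security-groups output shape.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-constructed-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-constructed-ok", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.16/28"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-constructed-all", "IpPermissions": [
    {"IpProtocol": "-1",
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")


def _ports_hit(perm, ports):
    """Return the management ports that this ingress permission covers."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return tuple(ports)
    if proto != "tcp":
        return ()
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return ()
    return tuple(p for p in ports if low <= p <= high)


def exposed_rules(groups_doc, allowed_cidrs, ports=MGMT_PORTS):
    """List (group id, source CIDR, ports) for rules wider than allowed."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for group in groups_doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            hit = _ports_hit(perm, ports)
            if not hit:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                inside = any(net.version == a.version and net.subnet_of(a)
                             for a in allowed)
                if not inside:
                    findings.append((group.get("GroupId", "?"), cidr, hit))
    return findings


if __name__ == "__main__":
    for group_id, cidr, ports in exposed_rules(SAMPLE, ["203.0.113.0/24"]):
        print("%s allows %s on ports %s" % (group_id, cidr, list(ports)))
```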


Create an ESM image and install it on AWS

Installing ESM on an AWS server is different from installing the software on a physical server. These steps describe the process.

Before you begin

You must have created the AWS server and connected to the server.

You must know the configured IP address of the AWS server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Use scp or pscp (PuTTY Secure Copy Client) to convert the .pem file to .ppk.

For example, using Secure Copy Client, use this command to convert the key file and transfer it to the new AWS instance:

scp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

Using PuTTY Secure Copy Client, use this command to convert the file:

pscp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

These are the variables in the previous examples:

• siem_install.sh — Conversion file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

For Windows, use WinSCP to copy the file to your instance by converting the .pem file to .ppk for PuTTY or WinSCP. For more information, see this Amazon help page https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html.

To download and install the PuTTY SSH and telnet client, see http://www.putty.org/.

2 Log on to the new AWS instance using SSH or PuTTY with this command:

ssh -i mykeypair.pem ec2-user@cc.dd.ee.ff

These are the variables in the example:

• mykeypair.pem — Convert SSH file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

3 Type this command to change to root, then press Enter:

sudo su


4 Run aws configure as root and provide the Access Key ID and Secret Access Key that you were given, using these commands:

[root@<IP address> <ec2-user name>]# aws configure

AWS Access Key ID [None]: <Access Key ID>

AWS Secret Access Key [None]: <Secret Access Key>

Default region name [None]: (Leave blank, and press Enter)

Default output format [None] (Leave blank, and press Enter)

For more information about these keys, see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html.

5 Confirm that the installation script is executable. If needed, use chmod. For example:

chmod u+x siem_install.sh

6 Create an AMI image and an instance with this command:

./siem_install.sh

If you see an error that says the keys were not defined, you can add the keys on the command line. For example:

[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ETM_VM8.sh

The AWS access key or the AWS Secret key were not defined

[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ERU_VM8.sh -O <Access Key ID> -W <Secret Access Key>

To access Help for the output options:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh -h

install_McAfee_ETM_VM8.sh - install SIEM to Amazon EC2

install_McAfee_ETM_VM8.sh [options]

options:

-h, --help show brief help

-O AWS key

-W AWS Secret Key

Creating the AMI image takes about 20 minutes and is non-interactive. This is an example of the output:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh
Decompressing files
Running installer
Creating volume
Attaching volume
formatting volume
1+0 records in
1+0 records out
4194304 bytes (4.2 MB) copied, 0.0467013 s, 89.8 MB/s
mke2fs 1.42.9 (28-Dec-2013)
mke2fs 1.42.9 (28-Dec-2013)
mounting main partition
copying main files
mounting boot partition
copying boot files
Updating fstab
Updating grub
unmounting boot partition
unmounting main partition
detaching volume
Creating snapshot (this will take a while)
Creating AMI
Created AMI "ami-bb8afc81". To run, launch an instance of this AMI
Deleting (temporary) volume
Client.InvalidVolume.NotFound: The volume 'vol-9eb2ae81' does not exist.
Done


7 Once the image is created, exit from the root shell, exit the instance, go to the EC2 Dashboard, and terminate the running instance.

Terminating the instance destroys the instance.

8 Log on to AWS, click the AMIs sidebar and find the AMI that you created.

This AMI now has the name from the installation script. In this example, McAfee_ETM_VM8.

9 Right-click the AMI name and click Launch.

10 Go through the launch options, then click Launch. For McAfee type devices, the key pair step is not needed. Select Proceed without a key pair and click the acknowledgment.

11 Once the AMI is launched and goes through the "status checks", open a browser and navigate to the assigned IP address. For this example, type http:\\172-31-6-172\ in the browser.

All McAfee devices in AWS are enabled using DHCP and the IP address is assigned to them automatically.

The IP address that you navigate to depends on how you set up networking in the AWS. You can have a private IP address or public IP address. For long-term use, we recommend using a private IP address.

The first time you log on to the ESM, this warning indicates that you are in the cloud and need to confirm the features you are licensed to use.

In this example, the hash has been obfuscated.

12 Click Email Hash to populate your default email client with the created hash.


13 Add your grant number to the email and send it.

A Hash Accepted dialog box indicates that your hash was successfully sent.

A Support Representative looks at your grant number and verifies the features you are licensed to have. They then send you a hash string back to overwrite the previously displayed hash string. When you click Send, you can log on for the first time.

14 When you log on to the AWS again, overwrite the existing hash with the hash sent by McAfee, then click Send.

Now you can log on to the AWS ESM successfully and configure, key, and start using your AWS device.

Configure ESM AWS connections

After you have configured the hash for the AWS ESM, you must connect and add the devices.

Before you begin

You must have created the AWS and installed ESM on the AWS.

Task

For details about product features, usage, and best practices, click ? or Help.

1 After you have completed the hash verification with McAfee, you can use your configured IP address to initially log on to the ESM. See Log on to the McAfee ESM console for details.

2 Connect both physical and virtual devices to the ESM.

3 Confirm that all of the ESM devices appear in ESM before configuring the devices.

4 Key the devices to complete the device configuration.


5 Setting up McAfee ESM network connections

Once the ESM device is installed and turned on, you must configure the network interface connection for each device before it can connect to the McAfee ESM.

Contents
• Configure the ESM network interface
• Configure the ERC, ELM, ELS, or ACE network interface
• Configure the DEM or ADM network interface

Configure the ESM network interface

Configure the network interface on an ESM.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 Press Alt + F1 to go to the menu at the top left corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 Select Mgt 1 and press Enter, then select IP Address and press Enter.

4 Set the value and press Enter.

5 Scroll down to Netmask and set the value.

6 Scroll down to Done and press Enter.

7 Scroll down to Gateway and press Enter.

8 Set the gateway address, scroll down to Done, and press Enter.

9 Scroll down to DNS 1, press Enter, and set the value.

10 Scroll down to Done and press Enter.


11 Scroll down to Save Changes and press Enter.

12 Log on to the McAfee ESM console to begin configuring the systems and device settings.

Configure the ERC, ELM, ELS, or ACE network interface

Configure the network interface on an ERC, ELM, ELS, or ACE device.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 Press Alt + F1 to go to the menu at the top left-hand corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 Select Mgt 1 and press Enter, then select IP Address and press Enter.

To configure an IPv6 address, scroll down to IPv6 Config.

4 Set the value and press Enter.

5 Scroll down to Netmask and set the value.

6 Scroll down to Done and press Enter.

7 Scroll down to Gateway and press Enter.

8 Set the gateway address, scroll down to Done, and press Enter.

9 Scroll down to DNS 1, press Enter, and set the value.

10 Scroll down to Done and press Enter.

11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.

Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.

12 Scroll down to Save Changes and press Enter.


Configure the DEM or ADM network interface

Configure the network interface on a DEM or ADM device.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 Press Alt + F1 to go to the menu at the top left corner of the screen, then press Esc twice.

3 Scroll down to MGT IP Conf and press Enter.

4 Select Mgt 1 and press Enter.

5 On the Active menu, select IP Address and press Enter.

To configure an IPv6 address, scroll down to IPv6 Config.

6 Set the value and press Enter.

7 Scroll down to Netmask and set the value.

8 Scroll down to Done and press Enter.

9 Scroll down to Gateway and press Enter.

10 Set the gateway address, scroll down to Done, and press Enter.

11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.

Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.

12 Scroll down to Save Changes and press Enter.


6 Initial ESM logon and configuration

Once the ESM devices are connected to the network and their interface connections configured, you can log on to the ESM console and finish the initial configuration.

See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.

Contents
• Log on to the McAfee ESM console
• Connecting devices
• Confirm in ESM that all devices appear
• Key a device

Log on to the McAfee ESM console

Log on to the console to begin configuring the systems and device settings.

Before you begin

Verify whether you are required to operate the system in Federal Information Processing Standard (FIPS) mode.

Task

1 Open a web browser on a client computer and go to the IP address you set when you configured the ESM network interface. For example, if the ESM IP address is 172.016.001.140, type the following in your browser:

https:\\172.016.001.140\

2 Click Continue to site, if a self-signed certificate error appears for your browser.

3 Click Login, select the language for the console, then type the default user name and password.

• Default user name: NGCP

• Default password: security.4u

4 Click Login, read the End User License Agreement, then click Accept.

5 When prompted, change your user name and password, then click OK.

6 Select whether to enable FIPS mode and if you select Yes, click the additional confirmation.

If you must work in FIPS mode, enable it the first time you log on so that all future communication with McAfee devices is in FIPS mode. Do not enable FIPS mode if you are not required to. For more information about FIPS, see Appendix B.


7 For Rules Update Access, click OK and follow the instructions that appear to obtain your user name and password, which are needed for access to rule updates.

8 Perform initial ESM configuration:

a Select the language to be used for system logs.

b Select the time zone where this ESM is and the date format used with this account, then click Next.

9 Enter the server information for the ESM.

a Type the primary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

b (Optional) Type the secondary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

c Under General Settings, type the gateway, DNS servers, and any additional information needed to connect your ESM to your network.

d Click Next.

10 (Optional) If needed to connect through a proxy server, type its IP address, port number, credentials, and set the local network setting, then click Next.

11 (Optional) If needed, enter any static routes that the ESM needs to communicate with the network. When completed, click Next.

12 Add your network time protocol (NTP) servers to synchronize the ESM system time. Type these settings as needed:

• NTP Server IP address

• Authentication Key

• Key ID

To achieve best results in the ESM, it’s important to have a common time reference across the enterprise. By default, the ESM uses a set of Internet-based NTP servers. Enter your own enterprise NTP server, then click Next.

13 To automatically check the ESM server for rule updates:

• Type your customer ID and password to verify your identity.

• Configure your Auto check interval in hours and minutes.

• Click Check Now or Manual Update.

14 Click Finish.

15 In the Network settings change dialog box, click Yes to restart the ESM service.

The restart takes about 90 seconds to complete. Then you might be required to log back on to the ESM.
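Step 1 of this task uses the zero-padded address 172.016.001.140. The added example below (not part of the McAfee guide) shows why such an address should be written without leading zeros before it goes into a browser or script: browsers that follow the WHATWG URL standard, and C-library inet_aton, read a field with a leading zero as octal. It assumes the appliance menu shows each field as a three-digit decimal, as the guide's example address suggests; the other addresses are constructed.

```python
def _fields(text):
    """Split a four-field dotted quad and reject anything but ASCII alnum."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isalnum() for p in parts):
        raise ValueError("not a four-field dotted quad: %r" % text)
    return parts


def _join(octets):
    return ".".join(str(o) for o in octets)


def lcd_decimal(text):
    """Read every field as decimal, ignoring zero padding (assumed LCD form)."""
    octets = []
    for field in _fields(text):
        if not field.isdigit() or len(field) > 3:
            raise ValueError("bad decimal field: %r" % field)
        value = int(field, 10)
        if value > 255:
            raise ValueError("field out of range: %r" % field)
        octets.append(value)
    return _join(octets)


def c_style(text):
    """Read fields as inet_aton and the WHATWG URL host parser do.

    A leading 0x means hexadecimal; any other leading 0 means octal.
    Only the four-field form is handled here.
    """
    octets = []
    for field in _fields(text):
        lower = field.lower()
        if lower.startswith("0x"):
            digits, base = lower[2:], 16
        elif len(lower) > 1 and lower.startswith("0"):
            digits, base = lower[1:], 8
        else:
            digits, base = lower, 10
        try:
            value = int(digits, base) if digits else 0
        except ValueError:
            raise ValueError("bad base-%d field: %r" % (base, field)) from None
        if value > 255:
            raise ValueError("field out of range: %r" % field)
        octets.append(value)
    return _join(octets)


def check_address(text):
    """Return (canonical address, octal-aware reading or None if rejected)."""
    canonical = lcd_decimal(text)
    try:
        other = c_style(text)
    except ValueError:
        other = None
    return canonical, other


if __name__ == "__main__":
    for sample in ("172.016.001.140", "192.168.010.009", "10.0.0.5"):
        canonical, other = check_address(sample)
        status = "same" if canonical == other else "DIFFERS"
        print("%-16s -> use %-14s octal-aware reading: %s (%s)"
              % (sample, canonical, other, status))
```

Typing the canonical form (172.16.1.140 for the guide's example) avoids the mismatch.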


Connecting devices

To enable application and database monitoring, advanced rule- and risk-based correlation, and compliance reporting, connect both physical and virtual devices to McAfee ESM.

Add devices to the ESM console

After you set up and install the physical and virtual devices, add them to the ESM console.

Before you begin

Set up and install the devices.

Complete the following steps only for a complex ESM installation with multiple ESM devices. Do not complete this task for a simple ESM installation using a combination ESM.

Task

1 On the system navigation tree, click Local ESM or a group.

2 Click .

3 Select the type of device you are adding, then click Next.

4 In the Device Name field, enter a unique name in this group, then click Next.

5 Provide the information requested:

• For McAfee ePO devices — Select a Receiver, type the credentials required to log on to the web interface,then click Next. To use for communicating with the database, type the settings.

Select Require user authentication to limit access to those users who have the user name and password for the device.

• For all other devices — Type the target IP address or URL for the device.

6 Select whether to use Network Time Protocol (NTP) settings on the device, then click Next.

7 Enter a password for this device, then click Next.

ESM tests device communication and reports on the status of the connection.

Confirm in ESM that all devices appear

In the ESM console, confirm that all of the ESM devices appear before you begin detailed configuration of the devices. For detailed information about performing these confirmation steps, see McAfee Enterprise Security Manager Product Guide.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ESM console, and find the System navigation pane to view the devices on the system.

2 Click Menu | Configuration to view the physical display.

3 Confirm that you can click the Add devices icon to see the devices that you installed in the racks andconfigured with their network settings.


Once the devices are added, you must key the device to enable communication and complete the installation. See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.

Key a device

You must key the device to establish a link between the device and the ESM.

Before you begin

Physically connect the device to your network.

Task

1 Log on to the ESM console using a browser. See Log on to the McAfee ESM console for details.

2 On the system navigation tree, click a device, then click the Properties icon.

3 Click Key Management | Key Device.

If the device has an established connection and can communicate with the ESM, the Key Device Wizard opens.

4 Type a new password for the device, then click Finish.


7 Upgrading McAfee ESM software

Upgrading the software on your ESM devices provides, for example, new and upgraded features, interface changes, or support for additional browsers and browser versions.

To prepare your systems for the upgrade, download the files for the components, then upgrade them in the order described.

Contents

• What you have and what you need
• Preparing to upgrade
• Special upgrade scenarios
• Download the upgrade files
• Upgrade the software on a device
• Upgrade the system
• Upgrade ESM, ESMREC, or ENMELM
• Upgrade HA Receivers
• Available VA vendors

What you have and what you need

List the current security software and hardware that you have on your network.

Complete the following network questionnaire before you begin upgrading your McAfee ESM devices and software.

McAfee Security Professional Services requires this same information to help you order and configure your existing network security.


Current network questionnaire

Questions Enter information

Which McAfee ESM devices do you have?

Enter the quantity:

• Enterprise Security Manager (ESM) — ________

• Event Receiver (ERC) — ________

• Receiver and ELM Combination (ELMERC) — ________

• Enterprise Log Manager (ELM) — ________

• Enterprise Log Search (ELS) — ________

• Advanced Correlation Engine (ACE) — ________

• Direct Attached Storage (DAS) — ________

• Application Data Monitor (ADM) — ________

• Database Event Monitor (DEM) — ________

• Storage Area Network (SAN) card — ________

Do you have an All-in-One McAfee ESM?

• Yes
• No

Will you need an ACE to integrate with your ESM?

• Yes
• No

Is your McAfee ESM solution installed on a virtual machine (VM), physical devices, or a combination of both?

• Virtual Machine (VM)
• Physical device
• Combination of VM and devices

What are the model numbers of your ESM components?

Enter the model number:

• ESM — _____________________________

• ELM — _____________________________

• ERC — _____________________________

• ACE — _____________________________

Do you have a hierarchical architecture?

• Yes
• No

In addition to port 22, can you open port 9092 between your ERCs and ESMs?

• Yes
• No

In addition to port 22, can you open port 2181 between your ELSs and ESMs?

• Yes
• No

Are you, or will you be, a Managed Security Service Provider (MSSP)?

• Yes
• No


What is your current events per second (EPS) by device?

Enter the count:

• ESM — ________ EPS count
• ERC — ________ EPS count
• ELM — ________ EPS count
• ERC — ________ EPS count
• ELS — ________ EPS count

What software version are you running on your ESM?

You must be using McAfee ESM version 9.6 to upgrade to version 10.0.

Version — _______

What browsers are you using for your ESM console?

• Chrome version 48 or higher
• Firefox version 42 or higher
• Internet Explorer version 11 or higher

Preparing to upgrade

You must do several things before you can upgrade your ESM devices.

1 Make sure that the ESM database rebuild from a previous build (9.6.x or later) is complete, and that you can schedule the outage window for this upgrade.

2 Complete a database backup of the ESM. Export or back up the following items to ensure ease of recovery if an upgrade renders a rule, event, or other content unusable:

Alarms: In System Properties, click Alarms, highlight each alarm, then click Export and save the file.

Watchlists: In System Properties, click Watchlists, highlight each watchlist, then click Export and save the file.

Custom rules: In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.

  1 In the Rule Types pane, click a rule type.

  2 In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.

  3 Highlight the rules, click File | Export | Rules, then save them in XML format.

Policies: In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.

Type of information: Details

Device types supported: The ESM, ESM/Event Receiver, or ESM/Log Manager (ENMELM) only communicates with 9.6.x devices. To check the model of your device, issue the cat /proc/cpuinfo command. The output includes the CPU number on the model name line.

Save receiver settings: Make sure all Receiver settings are saved before updating from versions 9.x to 9.6.x. If you don't save the settings, a problem occurs that can cause issues on the receiver and other devices. Make sure all settings for every device are saved before updating to any version.


Rebuild time: Table rebuild time varies for ESM, Event Receiver, and ENMELM. To speed up the upgrade of the ESM database:

• Set collection duration of events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties | Events, Flows & Logs, then set Auto check interval.

• Turn off collection of events, flows, and logs until the rebuild finishes. Complete this step only if the number of events and flows sent to the ESM is low. On the ESM console, click System Properties | Events, Flows & Logs, then deselect Auto check interval.

Upgrade paths: You must upgrade prior versions to 9.4.2 or later before you can upgrade to the 9.6.x release.

Upgrade Receiver-HA devices: To upgrade Receiver-HA devices, you must first check the Receiver's high availability status.

Make sure all device settings are saved before updating to any version.

Back up ESM settings and system data

Back up and save the ESM configuration files before you start any software upgrades.

When you add an ESM device, Backup & Restore is enabled to back up every seven days. You can disable it or change the default settings. See the KB article Backup process for McAfee [ESM] devices for details.

We recommend you make a Full Backup of all devices before you start an upgrade. A full backup contains:

• Settings for the ESM, ERC, DEM, ADM, and ACE devices.

ELM full backups only include configuration settings. The database settings must be backed up separately or you lose all database connections to your local shares, remote shares, and SANs.

• Stop CPService and then DBServer and create a copy of the contents of: /usr/local/ess/data/, /etc/NitroGuard, and other folders on a remote share.

If anything goes wrong during the upgrade, you can:

• Reinstall the software to the existing version.

• Reinstall the backup files.

• Try upgrading to the next version again.

Backups are only compatible with the current version of the ESM device. You can't install a backup of a previous version on an upgraded ESM device.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select System Properties, then click ESM Management | Maintenance | Backup.

2 Define the settings for the backup.

3 Click OK to close the Backup & Restore page.


Table 7-1 Option definitions

Option: Definition

Backup Frequency: When new ESM devices are added to the system, the Backup & Restore function is enabled to perform a backup every seven days. You can change the frequency or disable backup.

Backup Data For: Select what you want to include in the backup.

Backup Location: Select where you want the backup saved:

• ESM — It is saved on the ESM and accessed on the File Maintenance page.

• Remote Location — It is saved in the location you define in the fields that become active. If you are saving a copy of the ESM and all system data manually, you must select this option.

When you back up to a CIFS share, use a slash (/) in the remote path field.

Backup Now: Manually back up ESM settings and events, flows, and logs (if selected). Click Close when the backup is completed successfully.

Full Backup Now: Manually save a copy of the device settings and the system data. This can't be saved to the ESM, so you must select Remote Location in the Backup Location field and enter the location information.

We highly recommend you make a full backup before any major version update to avoid data loss.

Using the Common Internet File System (CIFS) share type with Samba server versions greater than 3.2 can result in data loss.

Check ERC high availability status

Determine the status of a high availability (HA) ERC pair before performing an upgrade.

Before you begin

You must have Administrator privileges to complete this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select the primary ERC-HA device, then click the Properties icon.

2 In the Status and Secondary Status fields, verify that the status is OK; HA Status: online.

3 Secure shell, or SSH, to each of the HA ERCs and run the ha_status command from the command line interface on both ERCs. The resulting information shows the status of this ERC and what this ERC thinks the status of the other ERC is. It looks similar to this:

    OK
    hostname=McAfee1
    mode=primary
    McAfee1=online
    McAfee2=online
    sharedIP=McAfee1
    stonith=McAfee2
    corosync=running
    hi_bit=no


4 Verify the following in the status:

• The first line of the response is OK.

• Host name is the same as the host name on the command line minus the ERC model number.

• Mode is primary if the value of sharedIP is this ERC's host name; otherwise the mode is secondary.

• The next two lines show the host names of the ERCs in the HA pair and list the running status of eachERC. The status for both is online.

• corosync= shows the running status of corosync, which should be running.

• hi_bit is no on one ERC and yes on the other ERC.

Make sure that only one of the HA ERCs is set with the hi_bit value. If both HA ERCs are set to the same value, call McAfee Support before upgrading to correct this misconfigured setting.

5 Secure shell, or SSH, to each of the HA ERCs and run the ifconfig command from both ERCs.

6 Verify the following in the data that is generated:

• The MAC addresses on eth0 and eth1 are unique on both ERCs.

• The primary ERC has the shared IP address on eth1 and the secondary ERC has no IP address on eth1.

If both HA ERCs are set to the same value, call Technical support before upgrading to correct this misconfigured setting.

This spot check ensures the system is functional and that no duplication of IP addresses exists, which means that the devices can be upgraded.
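The ha_status checks in step 4 can be applied mechanically to output saved from both ERCs. The following is an added example, not McAfee code: the function names and the secondary ERC's sample output are constructed for illustration, and any key other than the six named fields is assumed to be an ERC host name with its running status. The host-name-versus-prompt check is left out because it depends on the shell prompt rather than on the command output.

```python
"""Pre-upgrade check of ha_status output captured from both ERCs of an HA pair."""

# Fields that describe the node itself. Any other key=value token is treated
# as "<ERC host name>=<running status>" (assumption drawn from the sample).
NODE_KEYS = {"hostname", "mode", "sharedIP", "stonith", "corosync", "hi_bit"}

# Constructed sample captures (host names follow the guide's example; the
# secondary's values, including stonith, are made up for illustration).
PRIMARY_OUT = """OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no
"""
SECONDARY_OUT = """OK
hostname=McAfee2
mode=secondary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee1
corosync=running
hi_bit=yes
"""


def parse_ha_status(text):
    """Return (first_line, fields); fields may be one per line or space-separated."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    first_line = lines[0] if lines else ""
    fields = {}
    for line in lines[1:]:
        for token in line.split():
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
    return first_line, fields


def check_node(text):
    """Apply the per-ERC checks from step 4; return a list of problems."""
    first_line, f = parse_ha_status(text)
    name = f.get("hostname", "<unknown host>")
    problems = []
    if first_line != "OK":
        problems.append(f"{name}: first line is {first_line!r}, expected 'OK'")
    if "hostname" not in f or "sharedIP" not in f:
        problems.append(f"{name}: hostname or sharedIP missing from output")
    else:
        # Mode is primary only when sharedIP names this ERC.
        expected = "primary" if f["sharedIP"] == f["hostname"] else "secondary"
        if f.get("mode") != expected:
            problems.append(f"{name}: mode={f.get('mode')} but sharedIP implies {expected}")
    peers = {k: v for k, v in f.items() if k not in NODE_KEYS}
    if len(peers) != 2:
        problems.append(f"{name}: expected 2 ERC status entries, found {len(peers)}")
    for host, status in sorted(peers.items()):
        if status != "online":
            problems.append(f"{name}: reports {host}={status}, expected online")
    if f.get("corosync") != "running":
        problems.append(f"{name}: corosync={f.get('corosync')}, expected running")
    return problems


def check_pair(text_a, text_b):
    """Check both captures, then the cross-node hi_bit rule (one yes, one no)."""
    problems = check_node(text_a) + check_node(text_b)
    bits = sorted(parse_ha_status(t)[1].get("hi_bit", "missing") for t in (text_a, text_b))
    if bits != ["no", "yes"]:
        problems.append(f"hi_bit must be no on one ERC and yes on the other, found {bits}")
    return problems


if __name__ == "__main__":
    findings = check_pair(PRIMARY_OUT, SECONDARY_OUT)
    print("\n".join(findings) if findings else "HA pair passes the ha_status checks")
```

An empty result means the pair meets the ha_status conditions listed in step 4; the ifconfig checks in steps 5 and 6 still have to be done separately.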

Special upgrade scenarios

In special situations, you must take additional steps before or after upgrading.

Situation: Action

Installing a new McAfee ESM model: Register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive upgrades.

To get your permanent user name and password, email [email protected] with the following information:

• McAfee grant number
• Account name
• Address
• Contact name
• Contact email address

Obtaining offline rule updates:

1 Go to Product Downloads, Free Security Trials, and Tools.

2 Click Download, enter your grant number, type the letters as displayed, then submit.

3 Select McAfee Enterprise Security Manager and click the All Versions tab.

4 Download the rules for your version of McAfee ESM.


Resolving device communication issues: If you upgraded a McAfee device before upgrading McAfee ESM or the ESM is in the middle of upgrading, this message might appear: The device needs to be upgraded before the operation can be performed. Verify that McAfee ESM has the correct version.

1 On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.

2 Click Connection, then click Status.

3 Retry the operation that resulted in the message.

Upgrading a redundant ESM: Upgrade the primary McAfee ESM first, then upgrade the redundant McAfee ESM.

1 On the primary McAfee ESM, select the ESM on the navigation tree and click the Properties icon.

2 Click Events, Flows & Logs and deselect Auto check interval.

3 After upgrading the redundant McAfee ESM, re-enable the collection of events, flows, and logs on the primary McAfee ESM.

McAfee ePO with Policy Auditor: If the McAfee ePO device is already on the McAfee ESM, you must refresh it.

1 If you are not on an all-in-one device, upgrade the McAfee Event Receiver where the McAfee ePO device is connected.

2 On the McAfee ESM console, click ePO Properties | Device Management, then click Refresh.

You can set up auto-retrieval on the Device Management tab.

3 Click Receiver Properties, then click the Vulnerability Assessment tab.

4 Click Write.

5 Repeat step 2 to get VA data on the McAfee ESM.

6 Log off the McAfee ESM console, then log back on.

Upgrading high availability (HA) Event Receivers: Before you upgrade, set your preferred primary Event Receiver to No Preference, which allows you to use the Fail-Over option.

You must upgrade the secondary Event Receiver, click Fail-Over, then upgrade the new secondary Event Receiver. In this way, a primary Event Receiver collects data throughout the process, ensuring minimal data loss. After you upgrade both Event Receivers, reapply your preferred primary Event Receiver.


Rebuilding the ELM management database: Indexing your ELM management database can require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete indexing.

However, this background task minimally impacts your performance and, when complete, provides improved querying on your historical data.

To check the status of the rebuild, go to ELM Properties | ELM Information.

If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.

If you have Event Receivers logging to the ELM and they are near maximum capacity, contact Support.

Upgrading a redundant ELM:

Upgrade the standby ELM first, then upgrade the active ELM.

Never turn off a device during a rebuild.

The upgrade process suspends the ELM redundancy. After upgrading both ELMs, you must restart the ELM redundancy.

1 Upgrade the standby ELM.

2 Upgrade the active ELM.

3 On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy | Return to Service.

4 Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.

5 If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK, redundant ELM resync is 100% complete. You might need to click Refresh several times.

Download the upgrade files

When the system is ready to upgrade, download the upgrade files to your local system.

Task

1 Go to Product Downloads, Free Security Trials, and Tools.

2 Click Download, enter your grant number, type the letters as displayed, then submit.

3 Select McAfee Enterprise Security Manager and click the All Versions tab.

4 Download the release file to your local system, then upgrade your ESM and devices.


Upgrade the software on a device

If the software on your device is out of date, upload a new version of the software from a file on the ESM or your local computer.

Before you begin

If you have had your system for more than 30 days, you must obtain and install your permanent credentials to access the updates.

If you must comply with Common Criteria and FIPS regulations, do not upgrade the ESM in this way. Call Technical support to obtain a FIPS certified update.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select a device, then click the Properties icon.

2 Click device Management | Update Device.

3 Select an update from the table or click Browse to locate the update software on your local system.

The device restarts with the updated software version.

Table 7-2 Option definitions

Option: Definition

File Name: Select one of the updates listed.

Browse: Browse to a file obtained from a McAfee security engineer or from the McAfee rules and updates server.

OK: If you are updating a device using the device management Update Device option, this starts the update process. If you are updating multiple devices using the Multi-Device Management option, this returns you to the Multi-Device Management page.

Upgrade the system

Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.

Before you begin

• Read the entire release notes before beginning the upgrade.

• Make sure that your system is running version 9.6 or later.

• If you recently upgraded to 9.6, verify that the database rebuild is complete.

When upgrading, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.

Task

1 Depending on your FIPS mode, upgrade all devices in the following order.


Mode: Order

Non-FIPS:

1 Upgrade standalone ESMs first, then ESM combo devices you might have.

2 Wait for the database to build.

3 Upgrade the ELM.

4 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.

This process differs from the process to upgrade a redundant ESM.

FIPS:

1 Upgrade standalone ELMs.

2 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.

3 Upgrade ESM, Event Receiver, or ELM combo devices. You can begin when all device upgrades start.

Failure to upgrade the devices before upgrading McAfee ESM when in FIPS mode can affect ELM log collection.

2 Verify that you have communication with the devices.

3 Download the manual rules update to McAfee ESM.

4 Apply the updated rules.

a On the system navigation tree, select the system, then click the Properties icon.

b On the System Information page, click Rules Update, then click Manual Update.

c Browse to the update file, click Upload, then click OK.

5 To rewrite device settings for each device, follow this process to apply all release settings.

a On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.

b Follow these steps for each device.

Device type: Process

McAfee Event Receiver or ESM/Event Receiver combo:

• For data sources: Click Data Sources | Write.

• For VA sources: Click Vulnerability Assessment | Write.

ACE:

• For risk correlation: Click Risk Correlation Management | Write.

• For historical correlation: Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.

• For rule correlation: Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.

DEM or ADM:

• For virtual devices (ADM): Click Virtual Devices | Write.

• For database servers: Click Database Servers | Write.

6 Roll out the policy to all upgraded devices.


7 To take the selected device out of bypass mode, click Device Configuration | Interfaces.

8 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).

Upgrade ESM, ESMREC, or ENMELM

When your system is ready, upgrade your ESM, ESMREC, or ENMELM.

Before you begin

• Complete the steps in the Instructions for upgrading section.

• Verify that all devices attached to the ESM are supported.

Task

1 On the ESM console, select the ESM device, then click the Properties icon.

2 Select ESM Management, then click Update ESM.

3 On the Select Software Update File page, browse to one of these files.

Device type: File

Standalone McAfee Enterprise Security Manager (ESM): ESS_Update_10.0.0.signed.tgz

McAfee Enterprise Security Manager with a built-in Receiver (ESMREC): ESSREC_Update_10.0.0.signed.tgz

McAfee Enterprise Security Manager with a built-in Receiver and McAfee Enterprise Log Manager (ENMELM), also known as a Combination Box: ESSREC_Update_10.0.0.signed.tgz

4 Select the file, then click Upload.

You are informed that the ESM restarts and there is a loss of connection for all users.

5 Click Yes to continue, and when prompted to close the browser, click OK.

The upgrade begins, and can take several hours.

6 When the upgrade is complete, log back on to the console through a new browser session.

Upgrade HA Receivers

The Receiver-HA upgrade process upgrades both Receivers sequentially, starting with the secondary Receiver.

Before you begin

Before starting the upgrade process, complete the Check Receiver high availability status process to make sure that the Receiver-HA devices are ready to be upgraded. Failure to do so can result in problems with the device upgrade and downtime.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select the Receiver-HA device, then click the Properties icon.

2 Upgrade the secondary Receiver:

a Click Receiver Management, then select Secondary.

b Click Update Device, then select or browse to the file you want to use and click OK.

The Receiver restarts and the version of software is updated.

c On Receiver Properties, click High Availability | Return to Service.

d Select the secondary Receiver, then click OK.

3 Change the secondary Receiver to primary by clicking High Availability | Fail-Over.

4 Upgrade the new secondary Receiver by repeating step 2.

Available VA vendors

The ESM can integrate with these VA vendors.

VA vendor: Version

Digital Defense Frontline: 5.1.1.4

eEye REM (REM events server): 3.7.9.1721

eEye Retina: 5.13.0, Audits: 2400

The eEye Retina VA source is like the Nessus data source. You can use scp, ftp, nfs, or cifs to grab the .rtd files. You must manually copy the .rtd files to an scp, ftp, or nfs share to pull them. The .rtd files are normally located in the Retina Scans directory.

McAfee Vulnerability Manager: 6.8, 7.0

Critical Watch FusionVM: 4-2011.6.1.48

LanGuard: 10.2

Lumension: Support PatchLink Security Management Console 6.4.5 and later

nCircle: 6.8.1.6

Nessus: Support Tenable Nessus versions 3.2.1.1 and 4.2 and file formats NBE, .nessus (XMLv2), and .nessus (XMLv1); also, OpenNessus 3.2.1 XML format

NGS

OpenVAS: 3.0, 4.0

Qualys

Rapid7 Nexpose — Recommended VA partner vendor


Rapid7 Metasploit Pro — Recommended VA partner vendor: 4.1.4-Update 1, file format XML

You can deduce the severity of a Metasploit exploit that starts with the name Nexpose by adding a Rapid7 VA source to the same Receiver. If it can't be deduced, the default severity is 100.

Saint

GFI Languard

NGS SQuirrel

iScan Online?

Tripwire/nCircle IPS360?


A Alternative installation scenarios

Use this information to configure specific adapters and other important information.

Contents

• Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
• Install DAS
• Common Criteria evaluated configuration
• Regulatory notices

Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS

The qLogic QLE2460 is a single, Fibre Channel PCIe x4 adapter, rated at a transfer rate of 4-GB. The QLE2562 is a single, Fibre Channel PCIe x8 adapter, rated at 8 GB. They can connect directly to the SAN device or through a SAN switch.

Before you begin

• Make sure that the SAN device or SAN switch you are attaching to auto-negotiates.

• Make sure that the SAN administrator allocates and creates space on the SAN and assigns it to the channel where the qLogic adapter is attached. Use the World Wide Port Name (WWPN) for the adapter. The WWPN is on the adapter's card, anti-static bag, and box.

Task

1 Turn off the device where you are installing the SAN adapter.

2 Insert the adapter, then place the device back on the rack and connect the cables.

For a 3U device, insert the adapter in the slot closest to the protective memory cover.

The adapter BIOS boot message informs you that the adapter is installed and functioning. If you do not see this message or if the card does not have red, yellow, or green lights, the card is not recognized. If so, make sure that the card is seated correctly or insert it into a different PCI slot.

3 Start the device.

The operating environment detects it and loads the QLAXXX driver. The Mounting Storage Facilities message displays OK and continues.

4 Using the ESM console, key the device.

When the device is keyed, the Properties page includes the SAN Volumes option.


Install DAS

The direct attached storage (DAS) adapter is an add-on device to a 4xxx/5xxx/6xxx series ESM or ELM.

The DAS unit ships with a chassis and an LSI 9280-8e RAID card for:

• ETM-5205
• ETM-5510
• ETM-5600
• ETM-5750
• ETM-6000
• ETM-X3
• ETM-X4
• ETM-X5
• ETM-X6
• ESMREC-5205
• ESMREC-5510
• ENMELM-4600
• ENMELM-5205
• ENMELM-5510
• ENMELM-5600
• ENMELM-6000
• ELM-4600
• ELM-5205
• ELM-5510
• ELM-5600
• ELM-5750
• ELM-6000
• ELS-<TBD>

You can add a DAS (50 TB or 100 TB) to provide additional storage. These instructions are the same for ESM, ELM, or ELS chassis.

Task

1 Turn off the device following a normal shutdown procedure.

2 Pull the device from the rack and open the top case. You might need to remove a small screw at the front or rear of the top case.

3 Depending on your chassis, install the DAS card in one of these slots.

• For 1U or 3U, install LSI 9280-4e RAID card in slot 4

• For 2U, install LSI 9280-4e RAID card in slot 1

4 Depending on your chassis, install the DAS cables into these slots:

• For ESM, ELM, or ELS, insert cables into slots 1 and 2 of the card.

• For DAS, insert cables into slots 1 and 3 of the card.

5 Install the LSI 9280-8e RAID card in slot 4 of the ESM.

• For devices with an orange face, if the Areca or 3Ware RAID card is in slot 4, move it to slot 6. If the McAfee ESM device has an Areca or 3Ware RAID card and also has an SSD card installed, install the LSI 9280-8e RAID card in slot 5.

• For devices with a black face, install the card in an open slot.

6 Insert power cables, then turn on the device.

7 Enter BIOS utility and look for the LSI 9280-8e RAID card BIOS utility.

8 Exit BIOS utility and verify DAS disk space with the command: df -h


On System Properties of the ESM console, the Hardware field on the System Information tab reflects the increased size of the hard drive labeled /data_hd.

Common Criteria evaluated configuration

The McAfee device needs to be installed, configured, and operated in a specific way to be in compliance with the Common Criteria evaluated configuration. Consider these requirements when you are setting up your system.

Type: Physical and virtual machine
Requirements: The McAfee device must be:

• Protected from unauthorized physical modification.

• Located in controlled access facilities, which prevent unauthorized physical access.

Type: Intended usage
Requirements: The McAfee device must:

• To be able to perform its functions, have access to all network traffic.

• Be managed to allow for address changes in the network traffic that the Target of Evaluation (TOE) monitors.

• Be scaled to the network traffic that it monitors.

Type: Personnel
Requirements:

• There must be one or more competent individuals assigned to manage the McAfee device and the security of the information it contains. Onsite assistance with installation and configuration and onsite training for the operation of the device is provided by McAfee engineers for each McAfee customer.

• The authorized administrators are not careless, willfully negligent, or hostile, and follow and abide by the instructions provided by the McAfee device documentation.

• Only authorized users can access the McAfee device.

• Those responsible for the McAfee device must ensure that all access credentials are protected by users in a manner that is consistent with IT security.

Type: Other
Requirements:

• Do not apply software updates to the McAfee device because it results in a configuration other than the Common Criteria-evaluated configuration. Contact Technical Support to obtain a certified update.

• Enabling the Login Security feature with a RADIUS server results in secure communication. The IT environment provides for secure transmission of data between the TOE and external entities and external sources. A RADIUS server provides external authentication services.

• Using the Smart Dashboard functionality of the Check Point firewall console is not part of the TOE.

• Using Snort Barnyard is not part of the TOE.

• Using the MEF Client is not part of the TOE.

• Using the Remedy Ticket System is not part of the TOE.

Regulatory notices

This regulatory information applies to the different platforms you might use.


Table A-1 SuperMicro-based platforms

| | McAfee 1U | McAfee 2U or 3U |
|---|---|---|
| Electromagnetic emissions | FCC Class B, EN 55022 Class B, EN 61000-3-2/-3-3, CISPR 22 Class B | FCC Class B, EN 55022 Class B, EN 61000-3-2/-3-3, CISPR 22 Class B |
| Electromagnetic immunity | EN 55024/CISPR 24, (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11) 55024 | EN 55024/CISPR 24, (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11) 55024 |
| Safety | EN 60950/IEC 60950-Compliant, UL Listed (USA), CUL Listed (Canada), TUV Certified (Germany), CE Marking (Europe) | EN 60950/IEC 60950-Compliant, UL Listed (USA), CUL Listed (Canada), TUV Certified (Germany), CE Marking (Europe) |

Table A-2 DAS-based platforms

| | DAS-50, DAS-100 |
|---|---|
| Input voltage | 100/240 VAC |
| Input frequency | 50/60 Hz |
| Power supply | 1400 W X3 |
| Power consumption | 472W@120VAC, 461W@240VAC |
| Amps (Max) | 9.4A |
| Altitude (Max) | –45 to 9,500 feet |
| Temperature (Max) | 10° to 35° C (operating), –40° to 70° C (non-operating) |
| Altitude | –45 to 9500 feet (operating), –45 to 25,000 feet (non-operating) |
| BTU | BTU/HR 1609 |
| Humidity | Operating — 10% to 85% (non-condensing), non-operating — 10% to 90% |

Table A-3 Intel-based platform 1U

| Parameter | Limits |
|---|---|
| Operating temperature | +10° C to +35° C with the maximum rate of change not to exceed 10° C per hour |
| Non-operating temperature | –40° C to +70° |
| Non-operating humidity | 90%, non-condensing at 35° C |
| Acoustic noise | Sound Power: 7.0 BA in an idle state at typical office ambient temperature (23 ± 2 degrees C) |
| Shock, operating | Half sine, 2-g peak, 11 msec |
| Shock, unpackaged | Trapezoidal, 25 g, velocity change 136 inches/sec (≧ 40 lbs to > 80 lbs) |
| Shock, packaged | Non-palletized free fall in height 24 inches (≧ 40 lbs to > 80 lbs) |
| Shock, operating | Half sine, 2-g peak, 11 mSec |
| Vibration, unpackaged | 5 Hz to 500 Hz, 2.20 g RMS random |
| ESD | ±12 kV for air discharge and 8 K for contact |
| System cooling requirement in BTU/Hr | 1660 BTU/hour |

Table A-4 Intel-based platform 2U

| Parameter | | Limits |
|---|---|---|
| Temperature | Operating | ASHRAE Class A2 — Continuous operation. 10°C to 35°C (50°F to 95°F) with the maximum rate of change not to exceed 10°C per hour; ASHRAE Class A3 — Includes operation up to 40°C for up to 900 hrs per year; ASHRAE Class A4 — Includes operation up to 45°C for up to 90 hrs per year |
| Temperature | Shipping | –40°C to 70°C (–40°F to 158°F) |
| Altitude (Operating) | | Support operation up to 3050 m with ASHRAE class deratings |
| Humidity (Shipping) | | 50% to 90%, non-condensing with a maximum wet bulb of 28°C (at temperatures from 25°C to 35°C) |
| Shock | Operating | Half sine, 2 g, 11 mSec |
| Shock | Unpackaged | Trapezoidal, 25 g, velocity change is based on packaged weight |
| Shock | Packaged | Product Weight: ≥ 40 to < 80; Non-palletized free fall height = 18 inches; Palletized (single product) free fall height = NA |
| Vibration | | 5 Hz to 500 Hz, 2.20 g RMS random |
| Vibration | Packaged | 5 Hz to 500 Hz, 1.09 g RMS random |
| AC-DC | Voltage | 90 Hz to 132 V and 180 V to 264 V |
| AC-DC | Frequency | 47 Hz to 63 Hz |
| AC-DC | Source Interrupt | No loss of data for power line drop-out of 12 mSec |
| AC-DC | Surge non-operating and operating | Unidirectional |


B Enabling FIPS mode

The Federal Information Processing Standard (FIPS) consists of publicly announced standards developed by the United States Federal government. If you are required to meet these standards, you must operate this system in FIPS mode.

FIPS mode must be selected the first time you log on to the system and can't be changed later.

Select FIPS mode

The first time you log on to the system you are prompted to select whether you want the system to operate in FIPS mode. Once this selection is made, it can't be changed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 The first time you log on to the ESM:

a In the Username field, type NGCP.

b In the Password field, type security.4u.

You are prompted to change your password.

2 Enter and confirm your new password.

3 On the Enable FIPS page, click Yes.

The Enable FIPS warning displays information requesting confirmation that you want this system to operate in FIPS mode permanently.

4 Click Yes to confirm your selection.
