McAfee MOVE Firewall 3.5.0 Product Guide
For use with ePolicy Orchestrator 4.6.7, 4.6.8, 5.1.0 Software
COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy
Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource,
VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other
names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
Preface
  About this guide
    Conventions
  Find product documentation
1 Introduction
  Components and what they do
2 Installation
  Requirements
  Install the vShield Manager Virtual Appliance
  Download the software extension
  Install the extension
  Register a vShield Manager account
3 Resource isolation and firewall rules
  Add an isolation rule
  Isolation rule details and options
  Add a firewall rule
  Default firewall rules
  Firewall rules details and options
  Debug firewall rules
4 Resource and service groups
  Configuring the resource groups
  Add the IP address group
  Add the MAC address group
  Add the security group resource
  Group details and options
  Add a service or service group
  Create an exclusion list
5 Queries and reports
  Predefined MOVE Firewall queries
  MOVE Firewall dashboard
  Create MOVE Firewall custom query
  Create the MOVE Firewall dashboard
Index
Preface
This guide provides the information you need to work with your McAfee product.
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge
Center.
Task
1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.
1 Introduction
McAfee® MOVE Firewall includes the components that communicate with multiple vShield Manager accounts using McAfee® ePolicy Orchestrator® (McAfee ePO™).
It provides an interface in McAfee ePO where you can manage the firewall rules for data center resources. MOVE Firewall also reports whether the identified resources are isolated.
Isolating resources in the data center means that the resources identified for isolation have defined access criteria that differ from those of the other resources in the same data center or cloud.
The vCloud Networking and Security (vCNS) App Firewall component intercepts traffic to and from individual virtual machines to provide the firewall protection. It also understands logical groupings of data center resources, which can be used as criteria in the firewall rules that isolate those resources.
Components and what they do
Each component performs specific functions to isolate the data center resources and configure firewall
rules.
MOVE Firewall — A McAfee ePO extension, which is able to communicate with multiple vShield
Managers in a data center environment. The MOVE Firewall component provides an easy to use
interface in McAfee ePO, which can simplify the management of firewall rules for vCNS App Firewall.
ePolicy Orchestrator — Management software that allows you to register one or more vShield
Manager accounts, so that you can isolate the data center resources and configure the firewall rules.
vShield Manager — A management console that manages the vShield App Firewall component,
VMware vShield Endpoint, and VMware vShield applications.
Virtual Machines (VMs) — A guest operating system installation within a normal host operating
system that supports both virtual desktops and virtual servers.
VMware vCenter — Console that manages the VMware ESXi servers, which host the guest VMs that
require protection.
vCloud Networking and Security (vCNS) App Firewall — A security application that protects and
isolates critical applications with security applied immediately to surround a virtual machine. vCenter
integration streamlines management and improves operational efficiency.
2 Installation
Before you set up your environment and configure the MOVE Firewall rules in McAfee ePO, make sure
that you have your vShield Manager account and its details ready.
You then install the extension and register the vShield Manager account in McAfee ePO.
Contents
Requirements
Install the vShield Manager Virtual Appliance
Download the software extension
Install the extension
Register a vShield Manager account
Requirements
Make sure that your environment includes these components and that they meet the requirements.
• McAfee ePO 4.6.7, 4.6.8, 5.1.0
  We recommend a screen resolution of 1280/x on the system whose browser is used to access the McAfee ePO server.
• VMware vShield Manager 5.1, 5.5
• VMware Tools
  We recommend that you install the latest version of VMware Tools, so that the latest drivers are installed.
• Data Center Connector 3.5.0 for vSphere (optional)
  The Data Center Connector for vSphere extension integrates with the Endpoint Security report so that you can filter VMs by IP address while managing firewall rules. MOVE Firewall works without this extension.
For details about system requirements and instructions for setting up the McAfee ePO environment, see the McAfee ePolicy Orchestrator Installation Guide.
Install the vShield Manager Virtual Appliance
The vShield Manager is the centralized network management component of vShield, and is installed as
a virtual appliance on any ESX host in your vCenter Server environment. A vShield Manager can run
on a different ESX host from your vShield agents.
Before you begin
From the VMware download site (https://my.vmware.com/web/vmware/downloads), download the OVF.
Deploy the OVF manually to the selected hypervisor to ensure protection.
Task
1 From the vSphere Client, select the resource pool on the hypervisor where you want to deploy the OVF, then click File | Deploy OVF Template to open the OVF wizard.
2 Apply these settings to deploy the OVF:
  For this option... Do this...
  Source: Browse to and select the OVF.
  OVF Template Details: Review details about the OVF.
  End User License Agreement (EULA): Accept this to continue.
  Name and Location: Specify the name of the SVA and the inventory location.
  Storage: Select the datastore for the SVA. This page is displayed only if the hypervisor has multiple datastores.
  Disk Format: Select the required disk provisioning.
  Network Mapping: Map the OVF networks to the existing networks on the selected hypervisor.
  Properties: If you specify the configuration information on the Properties page, the SVA is configured automatically during its first start.
  Ready to Complete: Review the options you selected.
3 Click Finish.
Download the software extension
You must download the MOVE Firewall extension before it can be installed into McAfee ePO.
Task
• From the McAfee download site (http://www.mcafee.com/us/downloads/), download the package MOVEFirewall.zip to an accessible location on your network.
Install the extension
You must install the product extension on the McAfee ePO server to be able to isolate the data center
resources and configure the firewall rules.
Before you begin
Make sure that the extension file is in an accessible location on the network.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Software | Extensions | Install Extension.
3 Browse to and select the extension file MOVEFirewall.zip, then click OK. The Install Extension page displays the extension name and version details.
4 Click OK.
Register a vShield Manager account
Register a vShield Manager account with McAfee ePO, so that McAfee ePO establishes a connection
with vShield Manager before you configure the rules.
Before you begin
• Make sure that your vShield Manager account and its details are ready.
• The vShield Manager must already be working with firewall rules (vCNS App Firewall deployed) before MOVE Firewall can start managing it.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Configuration | Registered Servers, then click New Server to open the Registered Server Builder page.
3 From the Server type drop-down list on the Description page, select vShield Manager Server, specify a unique user-friendly name and any details that help you identify the server, then click Next.
4 On the Details page, configure these settings:
  For this option... Do this...
  IP Addresses: Type the IP address or the host name of the vShield Manager.
  Admin User Name: Type the user name of a vShield Manager super user account.
  Password: Type the password for that account.
  Make sure that the credentials have administrative permissions. McAfee ePO uses them for every connection to this vShield Manager, so use a dedicated service account rather than a shared personal login, and update the registration whenever that password changes.
5 Click Test Connection to validate the credentials and verify that the connection to the vShield Manager works, then click Save to register the vShield Manager account.
From here, you can also edit or delete a registered vShield Manager account.
Deleting a vShield Manager account removes all information, including firewall rules and isolation rules, from McAfee ePO. However, the firewall rules are not removed from vCNS App Firewall and continue to be enforced there until you delete them in vShield Manager.
3 Resource isolation and firewall rules
Isolating resources in the data center means that the resources identified for isolation have defined access criteria that differ from those of the other resources in the same data center or cloud. This increases visibility and control over network communications between virtual machines, and protects sensitive data.
These access criteria are enforced by vShield App Firewall. Using MOVE Firewall, the administrator creates firewall rules that permit only the access defined in each rule; for an isolated resource, any other access is blocked.
Make sure that you do not block any ports or other resources that other products depend on.
Contents
Add an isolation rule
Isolation rule details and options
Add a firewall rule
Default firewall rules
Firewall rules details and options
Debug firewall rules
Add an isolation rule
MOVE Firewall can treat a logical grouping of data center resources as the unit to isolate, and uses that grouping as the criterion for the firewall rules it generates.
Before you begin
• Make sure that you installed the MOVE Firewall extension.
An isolation is a set of four firewall rules built from the source resources, destination resources, and service details that the administrator provides.
Make sure that you do not add any security virtual appliance (SVA) to the isolation rule.
The access criteria are defined by these four firewall rules:
• An outgoing rule permits the isolated resources to access a defined set of other resources.
• An incoming rule permits a defined set of resources to access the isolated resources.
• An explicit rule blocks all other outgoing traffic from the isolated resources, that is, anything not permitted by the first rule.
• An explicit rule blocks all other incoming traffic to the isolated resources, that is, anything not permitted by the second rule.
The isolation rules are always created as L3Rules.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Policy | MOVE Firewall, then click the Isolation Zone tab.
3 From the vShield Manager drop-down list, select the registered server and the data center.
4 Click Actions | Add to open the Create Isolation Details page.
5 Specify a unique user-friendly name and a rule description that help you identify the rule, then configure these settings.
  You can use the Advanced Filter icon to search for a resource using its IP address or range of addresses.
  For this... Do this...
  Isolation Details: From the Available drop-down list under Isolated Resources, select the required resource, then click Select to move it to the Selected column. This setting defines the resources to be isolated.
  Inbound Access:
    1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column. This defines the sources permitted by the incoming rule.
      Use the Filter box under the Selected column to search for a resource in the Selected column.
    2 From the Available drop-down list under Services, select the required service, then click Select to move it to the Selected column. This defines the services permitted by the incoming rule.
  Outbound Access:
    1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column. This defines the destinations permitted by the outgoing rule.
    2 From the Available drop-down list under Services, select the required service, then click Select to move it to the Selected column. This defines the services permitted by the outgoing rule.
6 Review the isolation Summary, then click Save to create this set of rules for the isolation and store it in McAfee ePO.
  Rule             Source                         Destination                    Service
  Allow Outgoing   Isolated set                   Resources defined by the user  Defined set of services
  Allow Incoming   Resources defined by the user  Isolated set                   Defined set of services
  Explicit Block   Isolated set                   Any                            Any
  Explicit Block   Any                            Isolated set                   Any
Isolation rule details and options
After adding an isolation, you can access these isolation rule details and options.
Option: Definition
Name: Name of the isolation rule.
Status: The isolation status:
• OK — The default status of a newly created isolation.
• Modified — Appears whenever the content of a rule in the isolation is changed.
• Broken — Appears whenever a rule in the isolation is deleted or the rule order is changed. While an isolation is Broken, its rules may no longer enforce the access criteria you defined, so repair it promptly.
Actions:
• Repair — When an individual rule that is part of the isolation is deleted or moved up or down, the isolation status appears as Broken. Click Repair to restore the rule set.
• Edit — Opens a page where you can specify details about the isolation, including the resources to be isolated.
• Delete — Deletes the isolation. This button is enabled only when an isolation is selected.
Add a firewall rule
You must create the individual firewall rule as defined in this section, so that it specifically allows or
blocks access to the resources defined in the rule.
Before you begin
Make sure that you installed the MOVE Firewall extension.
It is not possible to manage the firewall rules when VMware NSX Manager is installed.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Policy | MOVE Firewall, then click the Firewall Rules tab.
3 From the vShield Manager drop-down list, select the registered server and the data center.
4 Click Actions | Add to open the Add Firewall Rule page.
5 Specify a unique user-friendly Name and a Rule Description that help you identify the rule.
6 From Rule Type, select L3Rule or L2Rule, as appropriate.
  L3Rules match on IP addresses; L2Rules match on MAC addresses.
7 Configure these settings to add the firewall rule:
  You can use the Advanced Filter icon to search for a resource using its IP address or range of addresses, or for a service using its port or port range.
  For this... Do this...
  Sources:
    1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column.
      Use the Filter box under the Selected column to search for the resource in the Selected column.
    2 Select Negate to invert the match, so that the rule applies to any source except the selected resources and port.
    3 Specify the source port details in SrcPort.
  Destination:
    1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column.
    2 Select Negate to invert the match, so that the rule applies to any destination except the selected resources and port.
  Services: From the Available drop-down list under Services, select the required service, then click Select to move it to the Selected column.
  Log and Action:
    1 From Action, select Allow to allow access to the resource, or Block to block access to the resource.
    2 Select Enable Log to have traffic that matches this rule written to the log server.
8 Click Save to store the firewall rule.
The new rule is placed relative to the rule that is selected in the list and is evaluated in list order, so check its position against the isolation sets and the default rules before you rely on it.
Default firewall rules
MOVE Firewall includes four default rules, which cannot be edited or deleted. They sit at the top of the rule hierarchy and take priority over the rules you create.
New firewall rules are created and placed in a position relative to the rule selected in the list. The position of the default firewall rules and of the default L2Rules and L3Rules cannot be changed.
• DataCenterDNSRule — Allows communication from the managed data center to the DNS IP over TCP and UDP on the DNS port 53, so that DNS traffic is never blocked.
• ConsoleTOEPORule — Allows communication to the McAfee ePO server from external virtual machines over TCP, on the ports specified by McAfee ePO.
• EPOToAgentRule — Allows communication from McAfee ePO to the McAfee Agent on all virtual machines in the managed data center, over TCP on the agent ports specified by McAfee ePO.
• AgentToEPORule — Allows communication from the McAfee Agent to McAfee ePO over any service.
Because these rules are evaluated first, an isolation or block rule that you create cannot restrict this management traffic; keep that in mind when an isolated resource also runs the McAfee Agent.
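The four-rule isolation set, the first-match ordering of the Firewall Rules list, and the fixed default rules described above, modelled in Python as an added example (this is not McAfee code; the resource names db01, app01, web01, backup01, dns and epo, the service names, and the PCI isolation are constructed, and the assumption that traffic matching no rule at all is allowed is mine, not a statement from this guide). It shows why the two explicit block rules are needed, why a default rule still wins for an isolated VM, and what happens to the isolation when one of its rules is moved or deleted, which is the state the Status column reports as Broken:

```python
from dataclasses import dataclass

ANY = "any"  # wildcard selector, like the "Any" resource or service in vShield App


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset   # resource names (VMs or group members); {ANY} matches everything
    dst: frozenset
    svc: frozenset   # service names; {ANY} matches everything
    action: str      # "allow" or "block"


def _hits(selector, value):
    return ANY in selector or value in selector


def evaluate(rules, src, dst, svc):
    """First-match evaluation down the ordered rule list; returns (action, rule name).

    Assumption (not stated in the guide): traffic that matches no rule is allowed.
    That is exactly why an isolation ends with two explicit block rules.
    """
    for r in rules:
        if _hits(r.src, src) and _hits(r.dst, dst) and _hits(r.svc, svc):
            return r.action, r.name
    return "allow", "<default>"


def isolation_rules(name, isolated, inbound_src, inbound_svc, outbound_dst, outbound_svc):
    """The four rules MOVE Firewall creates for one isolation, in the documented order."""
    iso, wild = frozenset(isolated), frozenset({ANY})
    return [
        Rule(f"{name}:AllowOutgoing", iso, frozenset(outbound_dst), frozenset(outbound_svc), "allow"),
        Rule(f"{name}:AllowIncoming", frozenset(inbound_src), iso, frozenset(inbound_svc), "allow"),
        Rule(f"{name}:BlockOutgoing", iso, wild, wild, "block"),
        Rule(f"{name}:BlockIncoming", wild, iso, wild, "block"),
    ]


def isolation_status(rules, expected):
    """'OK' when the four expected rules are present, contiguous and in order;
    'Broken' when one was deleted or moved (the state that Repair fixes)."""
    names = [r.name for r in rules]
    want = [r.name for r in expected]
    for i in range(len(names) - len(want) + 1):
        if names[i:i + len(want)] == want:
            return "OK"
    return "Broken"


# Constructed environment. The default rules sit first and cannot be moved.
DEFAULT_RULES = [
    Rule("DataCenterDNSRule", frozenset({ANY}), frozenset({"dns"}), frozenset({"DNS"}), "allow"),
    Rule("EPOToAgentRule", frozenset({"epo"}), frozenset({ANY}), frozenset({"AGENT-TCP"}), "allow"),
    Rule("AgentToEPORule", frozenset({ANY}), frozenset({"epo"}), frozenset({ANY}), "allow"),
]

PCI_ISOLATION = isolation_rules(
    "PCI",
    isolated={"db01", "db02"},
    inbound_src={"app01"}, inbound_svc={"MSSQL"},
    outbound_dst={"backup01"}, outbound_svc={"SSH"},
)

RULES = DEFAULT_RULES + PCI_ISOLATION


def demo():
    """Flows a practitioner would verify after saving the isolation."""
    results = {
        "app->db mssql": evaluate(RULES, "app01", "db01", "MSSQL")[0],     # allow (incoming rule)
        "db->backup ssh": evaluate(RULES, "db01", "backup01", "SSH")[0],   # allow (outgoing rule)
        "db->dns": evaluate(RULES, "db01", "dns", "DNS")[0],               # allow (default rule wins)
        "web->db mssql": evaluate(RULES, "web01", "db01", "MSSQL")[0],     # block (not in inbound set)
        "db->web http": evaluate(RULES, "db01", "web01", "HTTP")[0],       # block (not in outbound set)
        "agent->epo": evaluate(RULES, "db01", "epo", "AGENT-TCP")[0],      # allow (default rule wins)
    }
    # Moving BlockIncoming above AllowIncoming flips the permitted flow to blocked;
    # the interface would show this isolation as Broken.
    moved = DEFAULT_RULES + [PCI_ISOLATION[0], PCI_ISOLATION[3], PCI_ISOLATION[1], PCI_ISOLATION[2]]
    results["status ok"] = isolation_status(RULES, PCI_ISOLATION)          # OK
    results["status moved"] = isolation_status(moved, PCI_ISOLATION)       # Broken
    results["app->db after move"] = evaluate(moved, "app01", "db01", "MSSQL")[0]  # block
    return results


if __name__ == "__main__":
    for flow, outcome in demo().items():
        print(f"{flow:22} {outcome}")
```

Deleting a rule is the more dangerous case: drop only PCI:BlockIncoming and the isolation is still reported Broken, but now an unrelated VM reaches the isolated set under the assumed default, so the model fails open rather than closed. That is the practical reason to act on a Broken status immediately.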
Firewall rules details and options
After adding individual firewall rules, you can access these firewall rule details and options.
Option: Definition
Name: Name of the firewall rule.
Source: The resource that initiates the connection or traffic to the destination resource.
Destination: The resource to which the source initiates the connection.
Service: The protocol-port combination that the rule matches.
Action:
• Allow — The rule allows access to the resource.
• Deny — The rule denies (blocks) access to the resource.
Status: Whether the individual firewall rule is enabled or disabled.
Options:
• Add — Define an individual firewall rule.
• Edit — Enabled when an individual rule that is not part of an isolation set is selected, or when an isolation name is selected.
• Delete — Enabled when an individual firewall rule is selected. This option deletes the rule from vShield App Firewall.
• Move Up / Move Down — Enabled only when a rule or an isolation name is selected, and not when the selected rule is part of an isolation. When an isolation is moved, all four of its rules move together and their order inside the isolation does not change.
• Enable/Disable — Enables or disables a rule.
• Save Changes — Saves the changes.
The default firewall rules cannot be edited or deleted, and they take priority in the rule hierarchy. New firewall rules are created and placed in a position relative to the rule selected in the list. The position of the default firewall rules and of the default L3Rules and L2Rules cannot be changed.
Debug firewall rules
After you create the firewall rules and generate traffic between the resources, collect the vShield App logs from the vShield Manager web interface, so that you can use them to debug your firewall rules and policies.
Task
1 Log on to the vShield Manager.
2 Under Datacenters, click the data center IP, then click the Summary tab.
3 Under Service Virtual Machines, click Download Support Log. This generates and downloads the log file.
4 Open the log file and search for VMWALL Logs. You can then check details such as the source and destination IP addresses, the protocol, and whether the packet was dropped.
4 Resource and service groups
The data center resources are categorized and grouped for defining the firewall rules.
Contents
Configuring the resource groups
Add the IP address group
Add the MAC address group
Add the security group resource
Group details and options
Add a service or service group
Create an exclusion list
Configuring the resource groups
The resource groups must be defined and created before you include them in isolations and firewall rules.
These resources are available under the Groups tab:
• IP Addresses — Resources grouped by IP address.
• MAC Addresses — Resources grouped by MAC address.
• Security Group — Objects used in defining the individual firewall rules. A security group can contain a list of other resources, including other security groups.
Add the IP address group
The data center resources can be categorized and grouped based on their IP addresses. Add an IP
address group so that you can include it for configuring the firewall rules.
Before you begin
Make sure that you installed the MOVE Firewall extension.
The IP address group can also contain hosts that are external to the data center, for example the IP address of a public FTP server.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Policy | MOVE Firewall, then click the Groups tab.
3 From the vShield Manager drop-down list, select the registered server and the data center.
4 Click Actions | Add | IPset to open the Add IPset page.
5 Specify a unique user-friendly Name and a Description that help you identify the group.
6 From Scope, select Datacenter or Global.
  • Datacenter — The group can be used in this data center only.
  • Global — The group can be used in other data centers as well.
7 Specify a valid IP address or a range of addresses.
  You can add multiple IP addresses or ranges, separated by commas.
8 Review the group details and click Save to save the group configuration.
Add the MAC address group
The data center resources can be categorized and grouped based on their MAC addresses. Add a MAC
address group so that you can include it for configuring the firewall rules.
Before you begin
Make sure that you installed the MOVE Firewall extension.
The MAC address group is used for creating L2Rules only, because L3Rules do not check MAC addresses.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Policy | MOVE Firewall, then click the Groups tab.
3 From the vShield Manager drop-down list, select the registered server and the data center.
4 Click Actions | Add | MACset to open the Add MACset page.
5 Specify a unique user-friendly name and a description that help you identify the group.
6 From Scope, select Datacenter or Global.
  • Datacenter — The group can be used in this data center only.
  • Global — The group can be used in other data centers as well.
7 Specify valid MAC addresses or a MAC address range.
  You can add multiple MAC addresses, separated by commas.
8 Review the group details and click Save to save the group configuration.
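A pre-check for the values typed into the Add IPset and Add MACset pages above, as an added example (not McAfee code). The guide says only that entries are comma-separated and may be single addresses or ranges; the accepted forms here (CIDR prefixes, first-last ranges, six colon-separated hex octets for MACs) and the sample group values are my assumptions. The point of the check is that a group definition feeds directly into isolation and firewall rules, so a typo must fail loudly rather than silently widen or narrow the set:

```python
import ipaddress
import re

# Constructed MAC form accepted here: six colon-separated hex octets. The guide only
# says "valid MAC addresses"; vSphere-assigned MACs happen to start with 00:50:56.
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_ipset(spec):
    """Parse a comma-separated IPset value into ip_network objects.

    Accepts single addresses, CIDR prefixes and 'first-last' ranges (a range is
    expanded to the minimal list of CIDR blocks). Parsing is strict: an entry such
    as 10.0.1.5/24 (host bits set) raises ValueError instead of being quietly
    widened to 10.0.1.0/24, which would change what the firewall rules cover.
    """
    nets = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in IPset")
        if "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if first.version != last.version or last < first:
                raise ValueError(f"bad range: {item}")
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(item))  # '10.0.0.5' becomes 10.0.0.5/32
    return nets


def is_valid_ipset(spec):
    """True if every entry parses; the same check the UI should apply before Save."""
    try:
        parse_ipset(spec)
        return True
    except ValueError:
        return False


def ipset_contains(nets, addr):
    """True if addr falls inside any block of the group."""
    a = ipaddress.ip_address(addr)
    return any(a.version == n.version and a in n for n in nets)


def ipset_overlap(nets_a, nets_b):
    """Blocks shared by two groups. An isolated set that overlaps the group of
    'allowed external' resources defeats the isolation, so check before saving."""
    return [(a, b) for a in nets_a for b in nets_b
            if a.version == b.version and a.overlaps(b)]


def parse_macset(spec):
    """Parse a comma-separated MACset value into normalised lower-case MACs
    (duplicates dropped, order kept). MACsets matter only for L2Rules."""
    macs = []
    for raw in spec.split(","):
        item = raw.strip().lower()
        if not _MAC_RE.match(item):
            raise ValueError(f"bad MAC address: {raw.strip()!r}")
        if item not in macs:
            macs.append(item)
    return macs


def demo():
    """Constructed group values as they would be typed into the Add pages."""
    isolated = parse_ipset("10.10.20.0/24, 10.10.21.5")
    external = parse_ipset("10.10.30.1-10.10.30.20, 2001:db8::/64")
    macs = parse_macset("00:50:56:9A:12:34, 00:50:56:9a:12:34, 00:50:56:9a:00:01")
    return {
        "isolated_blocks": len(isolated),                             # 2
        "external_blocks": len(external),                             # 6 blocks for the range + 1
        "host_in_isolated": ipset_contains(isolated, "10.10.20.77"),  # True
        "overlap": bool(ipset_overlap(isolated, external)),           # False
        "mac_count": len(macs),                                       # 2 after de-duplication
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
    print("10.0.1.5/24 accepted?", is_valid_ipset("10.0.1.5/24"))  # False: host bits set
```

Run `ipset_overlap` between the isolated group and every group used in that isolation's Inbound Access and Outbound Access lists; any hit means a resource is on both sides of its own explicit block rules.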
Add the security group resource
Security group is an object that is used in defining firewall rules. It can also contain a list of other
resources including other security groups.
Before you begin
Make sure that you installed the MOVE Firewall extension.
Add a security group resource so that you can include it when configuring the firewall rules.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Policy | MOVE Firewall, then click the Groups tab.
3 From the vShield Manager drop-down list, select the registered server and the data center.
4 Click Actions | Add | Security Group to open the Add Security Group page.
5 Specify a unique user-friendly name and a description that help you identify the group.
6 From Scope, select Datacenter.
7 From the Available drop-down list under Security Groups, select the required resource, then click Select to move it to the Selected column.
  Use the Filter box under the Selected column to search for a security group in the Selected column.
8 Review the group details, then click Save to save the group configuration.
Group details and options
After adding the resource groups, you can access these group details and options.
Option: Definition
Name: The name of the resource group.
Type: The type of the resource group.
Details: The group details, such as IP addresses, MAC addresses, or member security groups.
Scope: Whether the scope is Datacenter or Global.
Actions:
• Edit — Edit the selected resource group. This button is enabled only when a resource group is selected.
• Delete — Delete the selected resource group. This button is enabled only when a resource group is selected.
Add a service or service group
A service is a protocol-port combination, which is used in configuring the firewall rules.
Before you begin
Make sure that you installed the MOVE Firewall extension.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Policy | MOVE Firewall, then click the Services tab.
3 From the vShield Manager drop-down list, select the registered server and the data center.
4 Click Actions | Add | Service to open the Add Service page.
  To create a service group instead, select the Service Group option.
5 Specify a unique user-friendly name and a description that help you identify the service or service group.
6 From Scope, select Datacenter or Global.
  • Datacenter — The service can be used in this data center only.
  • Global — The service can be used in other data centers as well.
7 Define the service:
  • Service — From the Protocol drop-down list, select the required protocol, then type the valid port number for the selected protocol.
  • Service Group — From the Available drop-down list under Service Group Members, select the required service group member, then click Select to move it to the Selected column.
    Use the Filter box under the Selected column to search for a service group in the Selected column.
8 Click Save.
Create an exclusion list
Using the MOVE Firewall policy in McAfee ePO, you can create a list that includes a list of virtual
machines to be excluded from vShield App protection.
Before you begin
Make sure that you installed the MOVE Firewall extension.
If a virtual machine has multiple vNICs, all are excluded from being protected.
The exclusion feature is recommended for troubleshooting purposes only. You can narrow any possible
network and firewall rule issues, because the exclusion bypasses any firewall rule even if explicitly
defined for the excluded resource.
Task
For option definitions, click ? in the interface.
22
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu | Policy | MOVE Firewall, then click the Exclusion List tab.
3 From the vShield Manager drop-down list, select the registered server and the data center.
4 Click Actions | Add to open the Add Exclusion Members page.
5 From the Available drop-down list under Members, select the required VMs, then click Select to move them to the Selected column.
  Use the Filter box under the Selected column to search for a VM in the Selected column.
6 Click Save.
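The exclusion semantics described above (every vNIC of an excluded VM is unprotected, and the exclusion overrides even an explicit firewall rule) are easy to forget once troubleshooting is over. The following is an added audit model, not MOVE Firewall or vShield code; the VM, vNIC and rule names are constructed, and the rule evaluation is a simplified stand-in for the product's own logic.

```python
"""Constructed model of the exclusion-list behaviour: an excluded VM has
every vNIC excluded, and exclusion bypasses any firewall rule, even one
written explicitly for that VM.  Not the MOVE Firewall or vShield API."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    vnics: list  # a VM may carry several vNICs; all are excluded together


@dataclass
class FirewallRule:
    name: str
    targets: set  # VM names the explicit rule is written for
    action: str   # "allow" or "block"


def effective_action(vm: VM, rules: list, exclusions: set, vnic: str) -> str:
    """Return the protection a given vNIC actually receives."""
    if vnic not in vm.vnics:
        raise ValueError(f"{vnic} is not a vNIC of {vm.name}")
    if vm.name in exclusions:
        # Exclusion wins over everything, for every vNIC of the VM.
        return "bypassed"
    for rule in rules:  # first matching explicit rule applies (simplified)
        if vm.name in rule.targets:
            return rule.action
    return "default"


def bypassed_rules(vms: list, rules: list, exclusions: set) -> dict:
    """Map each excluded VM to the explicit rules that no longer apply to it,
    so troubleshooting exclusions left in place are visible at a glance."""
    report = {}
    for vm in vms:
        if vm.name in exclusions:
            report[vm.name] = sorted(r.name for r in rules if vm.name in r.targets)
    return report


# Constructed sample data (hypothetical names)
VMS = [VM("web01", ["vnic0", "vnic1"]), VM("db01", ["vnic0"])]
RULES = [FirewallRule("block-web01-ssh", {"web01"}, "block"),
         FirewallRule("allow-db01-sql", {"db01"}, "allow")]
EXCLUSIONS = {"web01"}  # left over from a troubleshooting session
```

Running bypassed_rules over a real export of the Exclusion List tab and the firewall rules shows exactly which explicit rules are silently ineffective while the exclusion remains.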
5 Queries and reports
With the MOVE Firewall software, you can quickly generate a summary view of all data center
resources configured and protected with firewall rules.
The predefined queries and dashboards provide out‑of‑the‑box functionality, because they are added to
your McAfee ePO server when the software is installed. You can configure these queries to display
results in charts or tables, which you can use as dashboard monitors. Query results can be exported to
several formats, which can be downloaded or sent as an attachment to an email message.
You can also create custom queries based on the properties collected by the MOVE Firewall software.
For details about how to use custom queries, see the product documentation for your version of
McAfee ePO.
Contents
Predefined MOVE Firewall queries
MOVE Firewall dashboard
Create MOVE Firewall custom query
Create the MOVE Firewall dashboard
Predefined MOVE Firewall queries
You can use predefined queries as is, edit them, or create queries from events and properties stored in
the McAfee ePO database.
You can't edit predefined queries in McAfee ePO version 5.1 and later.
To create custom queries, your assigned permission set must include the ability to create and edit
private queries.
The default query that appears for MOVE Firewall under the data center query is:
Query: Endpoint Security Report
Definition: To get accurate data in the Endpoint Security Report, run the server task Data Center: Compute Dashboard data from Menu | Automation | Server Tasks before running this report.
• Endpoint — Displays the name of the endpoint.
• IP Address — Displays the IP address of the endpoint.
• Virtual — Specifies whether the endpoint is a virtual system.
• Power Status — Specifies the power status of the endpoint.
• Category — Displays the group/resource pool/host of the endpoint.
• Operating System — Displays the operating system details.
• AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software installed on the endpoint.
• Firewall — Displays the name of the McAfee software with firewall protection active on the endpoint.
• Whitelisting — Specifies whether the whitelisting feature is enabled.
• Access Protection — Displays the name of the McAfee software that provides access protection.
• Memory Protection — Displays the name of the McAfee software that provides memory protection.
• Last Communication — Displays the time details of the last server-client communication.
MOVE Firewall dashboard
The data center dashboard is added to your McAfee ePO server when you install the data center
software.
The dashboard displays a collection of monitors based on the results of the default data center
software queries.
The default monitor that appears for MOVE Firewall under the Data Center dashboard is:
• Endpoint Security Report
  • Endpoint — Displays the name of the endpoint.
  • IP Address — Displays the IP address of the endpoint.
  • Virtual — Specifies whether the endpoint is a virtual system.
  • Power Status — Specifies the power status of the endpoint.
  • Category — Displays the group/resource pool/host of the endpoint.
  • Operating System — Displays the operating system details.
  • AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software installed on the endpoint.
  • Firewall — Displays the name of the McAfee software with firewall protection active on the endpoint.
  • Whitelisting — Specifies whether the whitelisting feature is enabled.
  • Access Protection — Displays the name of the McAfee software that provides access protection.
  • Memory Protection — Displays the name of the McAfee software that provides memory protection.
  • Last Communication — Displays the time details of the last server-client communication.
Create MOVE Firewall custom query
You can create queries that retrieve and display details such as the number of endpoints and their firewall status. With the Query Builder wizard you configure which data is retrieved and displayed, and how it is displayed.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries & Reports, then click Actions | New. The Query Builder wizard opens.
2 On the Result Type page, select Data Center, then select Endpoint Security for the query, and click Next. The Chart page appears.
  This choice determines the options available on subsequent pages of the wizard.
3 Select Pie Chart as the chart type, configure these criteria to include in the query, then click Next.
  a Select Number of Endpoint from the Pie slice values are drop-down list.
  b Select Firewall from the Labels are drop-down list.
4 (Optional) Select the columns to be included in the query, then click Next. The Filter page appears.
5 Select property Firewall equals MOVEFirewall and HIPS to narrow the search results, then click Run. The Unsaved Query page displays the results of the query, which is actionable, so you can take any available actions on items in any tables or drill-down tables.
  Selected properties appear in the content pane with operators that can specify criteria used to narrow the data that is returned for that property.
6 Choose one of the following:
  • If the query didn't appear to return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query.
  • If you don't need to save the query, click Close.
  • If this is a query you want to use again, click Save and continue to the next step.
  The Save Query page appears. Type a name for the query, add any notes, and select one of the following:
  • New Group — Type the new group name and select either:
    • Private group (My Groups)
    • Public group (Shared Groups)
  • Existing Group — Select the group from the list of Shared Groups.
7 Click Save.
Create the MOVE Firewall dashboard
Dashboards are collections of user-selected and configured monitors that provide current data about your environment. You can create your own dashboards from query results or use ePolicy Orchestrator's default dashboards.
Before you begin
You must have appropriate permission to perform this task.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Dashboards, then click Options | Manage Dashboards. The Manage Dashboards page appears.
2 Click New Dashboard and type a name.
3 For each monitor, click Add Monitor, select the custom query you created for MOVE Firewall to display in the dashboard, then click OK.
4 Click Save.
5 Optionally, you can make this dashboard public by editing the dashboard and choosing PUBLIC.
All new dashboards are saved to the private My Dashboards category. For more information on creating dashboards, see the product documentation for your version of McAfee ePO.