Next Generation Firewall

This training will prepare you for the Proof of Concept for NGFW by familiarizing you with the new technology, working with common use cases and enabling you to demonstrate them. It will also ensure you are able to articulate features and functionality to effectively conduct POCs and demos aligned with sales messaging.
NEXT GENERATION FIREWALL POC Student Guide

Introduction
Agenda Day 1
Agenda Day 2
McAfee Next Generation Firewall (Stonesoft) Management Center
    Use Case 1 – NGFW Management Center in Demo Mode
    Getting Started
    Lab 1 - Installing the Management Server in Demo Mode
    Logging in to the Management Client
Visualizing Security
    Use Case 2 – Visualizing Security
    Lab 2 - Using Logs: Visualizing Security
Taking Action on Log Data
    Use Case 3 – Taking Action on Threat Indications
    Lab 3 - Taking Action: Security from Logging
Dashboard Overviews and Reports
    Use Case 4 – Overviews and Reporting
    Lab 4
Advanced Administration
    Use Case 5 – Making Firewall Administration Easier
    Lab 5 – Advanced Administration
Program Overview

This POC training is a 2-day training program that consists of instructor-led training.

• This training course is designed to prepare you to conduct a POC for the Next Generation Firewall. You will learn the technology by working with common use cases and demonstrating the device while ensuring you are able to articulate features and functionality to effectively conduct POCs aligned with sales messaging.

Program Objectives

• Drive the evaluation of the product to include: installation, configuration & deployment
• Understand the value of McAfee GTI and Interlock
• Uncover customer objections (common use cases)
• Educate customers to utilize the solution
• Locate tools and resources for demonstrating this solution

You will also learn how to use the McAfee NGFW Management Center. By the end of this course, you will be able to:

• Use the navigation tools in the Management Client effectively
• Monitor the status of the McAfee NGFW components
• Monitor traffic statistics
• View and filter logs
• Manage log data
• Generate predefined and custom reports
• Define administrator roles
• Restrict the privileges of an administrator account
• Use the automated alert system

Training activities:
o Introduction
o Opportunity Development
o Use Cases / Hands-on Labs
Agenda Day 2

Start of Program                          Approx. Times
Recap from previous day                   8:00 – 8:30a
Use Case/Hands-on Labs                    8:30 – 9:45a
Break                                     9:45 – 10:00a
Use Case/Hands-on Labs                    10:00a – 12:00p
Lunch                                     12:00 – 1:00p
POC Resources                             1:00 – 2:00p
Conclusion / Next Steps                   2:00 – 2:30p
Discussion: Best Ideas / Take Aways       2:30 – 3:00p

Day 2 Goal for today:

Training activities:
o Recap of Day 1
o Use Cases / Hands-on Labs
o POC Resources and Conclusion
7. Select Demo Mode and click Next. You are prompted to select the backup to restore.
8. Select Demo Standard and click Next. The Demo Mode Installation dialog opens.
9. Click Next. The Pre-Installation Summary opens.
10. Click Install. The installation begins. When the installation is finished, the Demo Mode Installation Complete dialog opens.
11. Make a note of the login, password, and server address, and click Next.
12. Click Done to exit the installer. The Management Client login dialog opens.

2. Click Accept. The Management Client opens, showing the Getting Started tab.
3. Close the Getting Started tab.

Summary

In this lab, you have installed the McAfee NGFW Management Center in Demo mode. You have also logged in to the Management Client.
Viewing Logs

To view logs:
1. Ctrl-click the Logs icon in the toolbar. The Logs view opens in a new tab.
2. Click the Current Events icon. The display shows the logs in real time as they arrive.
Tip – Clicking any log entry pauses the logs.
3. Double-click any log entry to see further details.
4. Click the Records icon in the toolbar to return to the Records arrangement.
Filtering Logs

Filters can be created by dragging and dropping items directly from the log entries, or they can be created using the filter editor. You will create a manual filter that shows all permitted traffic from a specific sensor, and save the filter for later use in the Logs view and in other views.

Manually Creating a Filter

To manually create a filter:
1. Right-click the Query panel and select New -> Filter.
2. Click the Require All Of (And) toolbar button.
3. Browse to All Fields and type sender. The list automatically jumps to the first field that contains the string “sender”.
4. Double-click Sender to add it to the filter.
5. Switch to the Resources tab.
6. Browse to Security Engine → Security Engines → Helsinki IPS.
7. Drag and drop Helsinki IPS on top of <Operands> next to Sender in the filter.
8. Switch back to the Fields tab.
9. Browse to Action and drag and drop it on top of AND in the filter.
10. Double-click <Operands> next to Action and select Permit.
11. Click Apply. The filter appears in the Query panel as a temporary filter.
12. Click Apply to activate the filter.
13. Click the Save icon and name the filter Permitted Traffic - Helsinki IPS. Click OK.

You have now created a permanent filter that can be reused throughout the system. This filter can be used for filtering log data for other administrators, generating reports, and visualizing data.
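The filter built in steps 1-13 is a "Require All Of (And)" filter: every row (Sender = Helsinki IPS, Action = Permit) must match for a log entry to be shown. The following Python model is an added example, not code from the student guide or from the SMC product; the log record layout, field names and the matching semantics are assumptions made for illustration, and the log entries are constructed sample data.

```python
"""Added example (not from the student guide or the SMC product): a model
of the 'Require All Of (And)' log filter built in the lab, evaluated over
constructed log entries. Field names, the record layout and the matching
semantics are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Condition:
    """One 'Field = Operand' row of the filter, e.g. Sender = Helsinki IPS."""
    field_name: str
    operand: str


@dataclass
class Filter:
    """A filter whose conditions must ALL match (the lab's AND operator).
    A filter with no name is temporary; saving it under a name makes it a
    permanent element that other views and administrators can reference."""
    conditions: list = field(default_factory=list)
    name: Optional[str] = None

    def matches(self, entry: dict) -> bool:
        # AND semantics: every condition must hold for the entry.
        return all(entry.get(c.field_name) == c.operand for c in self.conditions)

    def apply(self, entries):
        return [e for e in entries if self.matches(e)]

    def save_as(self, name: str) -> "Filter":
        self.name = name
        return self

    @property
    def is_permanent(self) -> bool:
        return self.name is not None


# Constructed sample log entries (not real SMC output).
LOG_ENTRIES = [
    {"sender": "Helsinki IPS", "action": "Permit",    "src": "192.0.2.10"},
    {"sender": "Helsinki IPS", "action": "Terminate", "src": "192.0.2.10"},
    {"sender": "Atlanta IPS",  "action": "Permit",    "src": "198.51.100.7"},
    {"sender": "Helsinki FW",  "action": "Permit",    "src": "203.0.113.5"},
    {"sender": "Helsinki IPS", "action": "Permit",    "src": "192.0.2.44"},
]


def build_lab_filter() -> Filter:
    """Steps 1-13 of the lab: Sender = Helsinki IPS AND Action = Permit,
    saved as 'Permitted Traffic - Helsinki IPS'."""
    f = Filter()                                                # step 1: New -> Filter (temporary)
    f.conditions.append(Condition("sender", "Helsinki IPS"))    # steps 3-7
    f.conditions.append(Condition("action", "Permit"))          # steps 9-10
    return f.save_as("Permitted Traffic - Helsinki IPS")        # step 13


def permitted_helsinki_ips(entries=LOG_ENTRIES):
    """Apply the saved filter, as the Logs view does after 'Apply'."""
    return build_lab_filter().apply(entries)


if __name__ == "__main__":
    hits = permitted_helsinki_ips()
    print(f"{len(hits)} of {len(LOG_ENTRIES)} entries match the filter")
    for entry in hits:
        print("  ", entry)
```

Only entries from Helsinki IPS with action Permit survive; a Terminate from the same sensor and a Permit from Atlanta IPS are both dropped, which is the point of combining the two rows with AND rather than OR.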
In the next exercise, you will see how individual log entries can be transformed into meaningful pictures, enabling you to quickly see trends and activity.
Here you can see the situations that have occurred most frequently in your network. By default, the time range is 15 minutes, but more information from a longer time period is needed.

3. Change the diagram type to Bar.
4. Change the Top Limit to 20 items.
5. Change the Time Range in the Query panel to 1 hour and click Apply. Now the top 20 Situations from the past hour are displayed.

To ensure that there are not multiple sources, you can visualize this information another way: Top Sources.

2. Click the Statistics icon in the toolbar and select Top Sources. A chart now appears showing the top source addresses for this Situation. You can now see that there is one source address for this traffic.

Tip – Because the Management Client navigation functions in a manner similar to a web browser, the back and forward arrows on the top toolbar can be used to navigate through the history of what you have done. This is very useful for repeating actions or undoing actions.

3. Click the Back arrow in the toolbar at the top to return to the log entries.
2. Make sure that Training Policy - Inspection is selected as the policy to which the new preconfigured rule is added. The Comment field is automatically filled with information about this rule.
3. Make sure that Add Rules and Edit the Policy is selected and click OK. The rule is added to the Exceptions in the policy, and the policy opens for editing.

Customizing the Rule

When rules are added to the policy automatically, all relevant fields are configured. However, you may want to change the parameters of the rule to suit your exact needs. In this exercise you will change the comment that was generated automatically to be more informative.

To customize this rule:
1. If the Comment cell is not visible, rearrange the policy view in one of the following ways:
• Maximize the Management Client window.
• Right-click a cell heading and select Minimize All.
• Resize individual columns.
2. Double-click the Comment cell. You can now edit the comment.
3. Replace the comment with the following text: Suspicious IPv6 traffic detected from the logs on <current date>.

Note that the existing rule is now nested under this rule section. This is the primary means of organizing rules.

Tip – Click the plus symbol (+) on the left to see the rule below the comment row.

2. Double-click the new rule section comment and enter Rules added from Log Entries.
2. Select red from the palette. The color of the rule section comment changes to red, reflecting its importance.
3. Click the Save icon in the toolbar.
4. Click the Configuration icon and select Security Engine.
5. Browse to IPS Policies.
6. Right-click Training Policy and select Install Policy. The Policy Upload Task Properties dialog opens.
7. Make sure that Helsinki IPS is selected in the Target panel and click OK.
• By default, Atlanta IPS and Helsinki IPS are selected. It is not necessary to remove Atlanta IPS from the list.

Summary

In this lab, you have transformed real-time, unfiltered data into protection from a possible threat. Additionally, you have created an environment where future rule additions can be managed and maintained.
Customizing Overview Sections

The default time period for the Records by Data Type section is too short for your monitoring needs. In this exercise, you will change the time period and the graph type for the Records by Data Type section.

To customize an overview section:
1. Right-click the Records by Data Type section and select Edit. The Section Properties panel opens on the right side of the window.
9. Select the Top Rate diagram type.
10. Select 1 hour as the Period. The changes are automatically applied to the section.
11. Type allowed in the Search field. Items with “allowed” in their names are displayed.
12. Select Allowed traffic by interface, FW (Packets) and click Select.
13. In the Section Properties panel, select Progress as the Statistic Type.
14. Switch to the Senders tab in the Section Properties panel.
15. Click the Select icon. The Select Element dialog opens.
16. Browse to Security Engines and select Helsinki FW.
17. Click the title of the Firewall Allowed Traffic by Interface section and move it to the space of the section you just closed.
18. Click the X of the Records by dst IP section to close the section.
19. Click and hold the left side of the Firewall Allowed Traffic by Interface section and drag it to the left to expand it across the space of the section you just closed.

Saving the Overview

To save the overview:
1. Select File -> Save As from the menu.
20. Name the Overview Helsinki Overview and click OK.
2. Right-click Firewall Daily Summary and select Start. The Report Operation Properties dialog opens.
3. Deselect 1 Day Period.
4. Enter yesterday’s date as the Period Beginning.
5. Enter the current date and current time as the Period End.
Tip – You can click the Current Time button to automatically fill in the current date and time.
6. Switch to the Task tab and make sure Store Report is selected.
7. Click OK. The report is generated. When the report is ready, it appears in the Stored Reports list.

2. Right-click the curve for the Helsinki FW in the Allowed connections by cluster section and select Show Records. The logs used to generate the report data are shown.

Summary

During this lab, you have learned how to monitor your firewall and receive real-time statistical information from it. You have viewed predefined Overviews and created your own customized Overview. You have also generated a report based on a predefined report design, seen how to read the generated reports to retrieve the desired information, and seen what conclusions can be made based on the reports. In the next lab, you will become familiar with advanced administration tasks, such as log data management, alert configuration, and role-based access control.

Want to Go Further?

1. The Default Overviews overview introduced in this lab is one of the multiple overview templates provided by SMC. You can familiarize yourself with the different statistical information provided by the Inspection Overview, Access control Overview, etc.
2. Create a custom report about Users and Applications based on the Application usage Report Design provided. Edit the Application Usage Report Design to change the way data is visualized in charts, and add new diagrams based on the statistic items provided.
2. Browse to Tasks -> Task Definitions.
3. Right-click Task Definitions and select New -> Archive Log Task. The Archive Log Task Properties dialog opens.
21. Name the task Archive IPS.
22. Select Log Server from the list of Log Task Servers and click Add.

Defining the Task Options

To define the task options:
1. Switch to the Task tab.
1. Select IPS Log as the Target Data.
2. Select Today as the Time Range.
2. Select Filter for Copying.
3. Click Select and browse to All Filters.
4. Select Permitted Traffic - Helsinki IPS and click Select.
Tip – Start typing the filter name to search for the filter.
5. Select Delete Source Data. This deletes the old log entries once they are archived.
6. Keep Primary archive as the Archive Target Directory.
7. Click OK. The Archive Log Task Properties dialog closes. The task you created appears in the Task Definitions list.
3. Browse to Tasks -> Executed Tasks when the task is finished to view the details of the finished task.

Tip – Log entries can also be exported directly in the Logs view. First select the log entries you want to export. Then right-click one of the selected entries and select Export Logs (to export XML or CSV or archive) or Print to PDF from the menu.

Scheduling the Archive Log Task

Log Data Tasks can also be scheduled to run automatically. To make sure that the Log Server hard disk will not fill up, it is a good idea to create a scheduled task to delete old, unnecessary log data. Archiving log data regularly also speeds up fetching and filtering active log data. Archived logs can be viewed in the Logs view.

To schedule the Archive Log Task:
1. Browse to Tasks -> Task Definitions.
2. Right-click Archive IPS and select Schedule. The Task Properties dialog opens.
3. Configure the properties as follows:
• Repeat: Daily
• Start at: <today’s date> 23:59:00
4. Click OK. The Archive IPS Task is scheduled to run daily.
Backing up the Management Server

The Management Server is a repository for the configurations of all managed devices. As such, part of a well-managed system is ensuring that a backup of the Management Server is done periodically. This will ensure that, in the event of a problem, there is always a backup available. This is one of the most important tasks that an Administrator performs.

To back up the Management Server:
1. Browse to File -> System -> Tools -> Backup. The backup dialog opens.
2. Select the Management Server and click Add.
3. Click OK. The progress window for the management backup opens.

Tip – When a manual backup or an automated backup completes, the backup file is stored in /usr/local/stonesoft/management_center/backups on Linux and C:\Stonesoft\Management_Center\backups on Windows platforms by default.

3. Name the task Management Server Backup.
4. Select the Management Server and click Add.
5. Click OK. A new Backup Task is created.
6. Right-click Management Server Backup and select Schedule. The schedule dialog opens.
7. Configure the properties as follows:
• Repeat: Weekly
• Start at: <today’s date> 23:59:00
8. Click OK. The Management Server backup is scheduled to run weekly.
2. Switch to the Alert Channels tab.
3. Configure the properties as follows:
• SMTP Server: mail.demo.example.com
• Mail Sender Name: admin
• Mail Sender Address: admin@mail.demo.example.com
4. Click Add and select COM to add an SMS Alert Channel with the following properties:
• Name: COM1
• GSM COM Port: COM1
• PIN Code: 1234
5. Click OK.
6. Click OK to exit the Log Server properties.

Note – You may see a warning that the IP address is not unique. You can safely ignore this warning in the demo environment.

10. Click the Save icon in the toolbar and close the Office alert chain.

5. Select Acknowledge as the Final Action.
6. Click the Save icon in the toolbar and close the Home alert chain.

6. Define the time settings as follows:
• Days: Mon, Tue, Wed, Thu, Fri
• Start Time: 08:00
• End Time: 18:00

Note – Time is defined in UTC.
Adding a Rule for the Home Alert Chain

To add a rule for the home alert chain:
1. Right-click the rule you just created and select Rule -> Copy Rule.
2. Right-click the rule again and select Rule -> Paste. A duplicate rule is added.
3. Change the following properties in the second rule:
• Start Time: 18:01
• End Time: 23:59
• Chain: Home
4. Copy the rule you just created and paste it as the last rule.
5. Double-click the Time cell in the last rule and change the following settings:
• Start Time: 00:00
• End Time: 07:59

Note – The end time for a rule must be on the same calendar day as the start time. For this reason, you created one rule that is valid from 18:01-23:59 and another that is valid from 00:00-07:59 to cover the time range between 18:01-07:59.

The Alert Policy should now look like the illustration below.

6. Save and install the Alert Policy on the Log Server.
7. Close the upload progress tab and the Alert Policy editing tab.
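The three time rules built above (Office on weekdays 08:00-18:00, then Home for 18:01-23:59 and 00:00-07:59) together route alerts around the clock on weekdays, and the note explains why the overnight window needs two rules. The Python below is an added example, not code from the student guide or the SMC product: it models the rules as configured in this lab, converts an incoming timestamp to UTC (the policy's times are UTC), and picks the first matching rule. Minute-granularity matching with inclusive start and end, first-match evaluation, and the weekday names are assumptions; with the lab's Days setting copied into every rule, weekend timestamps match no rule, which is what the model returns.

```python
"""Added example (not from the student guide or the SMC product): a model
of the three alert-policy time rules configured in this lab, including the
split of an overnight window into two same-day rules. Times are 'HH:MM'
strings compared lexically; first-match evaluation is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri")


@dataclass(frozen=True)
class TimeRule:
    days: tuple   # weekday names, as in the lab's Days setting
    start: str    # Start Time, 'HH:MM' in UTC
    end: str      # End Time, 'HH:MM' in UTC, same calendar day as start
    chain: str    # alert chain to use when the rule matches

    def __post_init__(self):
        # The SMC constraint noted in the lab: end time must be on the same
        # calendar day as the start time, so a window may not cross midnight.
        if self.end < self.start:
            raise ValueError("end time must be on the same calendar day as start time")

    def matches(self, when: datetime) -> bool:
        # Inclusive match at minute granularity (assumption).
        return when.strftime("%a") in self.days and self.start <= when.strftime("%H:%M") <= self.end


def split_overnight(days, start: str, end: str, chain: str):
    """Turn a window that crosses midnight (start > end) into the two
    same-day rules the lab creates by copying and pasting the Office rule."""
    if start <= end:
        return [TimeRule(days, start, end, chain)]
    return [TimeRule(days, start, "23:59", chain),
            TimeRule(days, "00:00", end, chain)]


# The Alert Policy as configured in the lab, in rule order.
LAB_ALERT_POLICY = [TimeRule(WEEKDAYS, "08:00", "18:00", "Office")] \
    + split_overnight(WEEKDAYS, "18:01", "07:59", "Home")


def select_chain(when: datetime, policy=LAB_ALERT_POLICY):
    """First-match lookup. `when` must be timezone-aware; it is converted to
    UTC because the policy's times are defined in UTC. Returns None when no
    rule matches (for example on a weekend with the lab's Days setting)."""
    when = when.astimezone(timezone.utc)
    for rule in policy:
        if rule.matches(when):
            return rule.chain
    return None


def chain_at(iso_timestamp: str, policy=LAB_ALERT_POLICY):
    """Convenience wrapper: ISO 8601 timestamp with offset -> chain name."""
    return select_chain(datetime.fromisoformat(iso_timestamp), policy)


if __name__ == "__main__":
    # 2024-03-06 is a Wednesday, 2024-03-09 a Saturday (constructed stamps).
    for stamp in ("2024-03-06T10:30:00+00:00", "2024-03-06T20:00:00+00:00",
                  "2024-03-07T03:15:00+00:00", "2024-03-06T19:00:00+02:00",
                  "2024-03-09T10:30:00+00:00"):
        print(stamp, "->", chain_at(stamp))
```

The 19:00 +02:00 stamp resolves to Office rather than Home because it is 17:00 UTC; feeding local times into a UTC policy without conversion is exactly the mistake the "Time is defined in UTC" note warns about.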
2. Name the Administrator HelsinkiAdmin.
3. Make sure Local Authentication is selected.
4. Enter and confirm the password:
• For this exercise, use Pass1234
Caution – Always use a strong password in a production environment.
5. Make sure Always Active is selected.
7. Leave Restricted Permissions selected and click Add Role. A new row appears with the Operator as the role and ALL Simple Elements as the granted elements.
8. Click Operator and select the Helsinki Administrator you created earlier.
Tip – If the role you want to select is not listed, select Other and browse to the role.
9. Select Permitted Traffic - Helsinki IPS as the Log Filter.
Tip – The log filters define which logs the administrator sees in the Logs view.

2. Browse to Security Engines and add Helsinki FW, Helsinki IPS, and Helsinki L2 FW.
3. Browse to Policies and add the following policies:
• Firewall Policies -> HQ Policy
• IPS Policies -> Training Policy
• Layer 2 Firewall Policies -> Layer 2 FW Policy
• Inspection Policies -> Training Policy - Inspection and Layer 2 FW Inspection
4. Click OK. The Select Element dialog closes.
5. Click OK. The Administrator properties dialog closes.
Testing Administrator Privileges

Once you have created the new administrator account, you can log in to the Management Client as that administrator and see how the SMC manages the actions that the administrator is allowed to perform.

To test the administrator’s privileges:
1. Close the Management Client.
2. Open the Management Client and log in with the administrator account you just defined:
• User Name: HelsinkiAdmin
• Password: Pass1234
3. Click OK.
4. Right-click the Helsinki firewall and select Current Policy -> Refresh.
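The restricted account combines three things set up in this lab: a role, a list of granted elements (the Helsinki engines and policies), and a log filter that narrows the Logs view. The Python below is an added example, not code from the student guide or the SMC product: it models that account and checks the refresh from step 4 against a granted engine and against one that was not granted. The permission names inside the "Helsinki Administrator" role, the action names and the log record layout are assumptions (the guide does not list the role's contents), and the log entries are constructed sample data.

```python
"""Added example (not from the student guide or the SMC product): a model
of the restricted administrator account built in this lab, used to check
which actions it may perform and which log entries it can see. The role's
permission set, the action names and the log record layout are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset   # actions the role may perform on granted elements


@dataclass
class Administrator:
    name: str
    restricted: bool                                  # 'Restricted Permissions' in the lab
    role: Role
    granted_engines: set = field(default_factory=set)
    granted_policies: set = field(default_factory=set)
    log_filter: dict = field(default_factory=dict)    # field -> required value (AND)


# Assumed permission set for the 'Helsinki Administrator' role; the lab
# does not list it, so these names are placeholders.
HELSINKI_ADMIN_ROLE = Role("Helsinki Administrator",
                           frozenset({"view_logs", "refresh_policy", "edit_policy"}))

HELSINKI_ADMIN = Administrator(
    name="HelsinkiAdmin",
    restricted=True,
    role=HELSINKI_ADMIN_ROLE,
    granted_engines={"Helsinki FW", "Helsinki IPS", "Helsinki L2 FW"},
    granted_policies={"HQ Policy", "Training Policy", "Layer 2 FW Policy",
                      "Training Policy - Inspection", "Layer 2 FW Inspection"},
    # Log Filter 'Permitted Traffic - Helsinki IPS' from the earlier lab.
    log_filter={"sender": "Helsinki IPS", "action": "Permit"},
)


def may_act(admin: Administrator, action: str, engine: str) -> bool:
    """An unrestricted administrator may do anything. A restricted one needs
    the action in its role AND the engine among its granted elements."""
    if not admin.restricted:
        return True
    return action in admin.role.permissions and engine in admin.granted_engines


def visible_logs(admin: Administrator, entries):
    """The account's Log Filter decides which entries the Logs view shows it."""
    if not admin.restricted or not admin.log_filter:
        return list(entries)
    return [e for e in entries
            if all(e.get(k) == v for k, v in admin.log_filter.items())]


# Constructed sample log entries (not real SMC output).
LOG_ENTRIES = [
    {"sender": "Helsinki IPS", "action": "Permit",    "src": "192.0.2.10"},
    {"sender": "Helsinki IPS", "action": "Terminate", "src": "192.0.2.10"},
    {"sender": "Atlanta IPS",  "action": "Permit",    "src": "198.51.100.7"},
]


def lab_privilege_test(admin=HELSINKI_ADMIN):
    """Step 4 of the lab (refresh the Helsinki firewall's policy) plus the
    same action on Atlanta IPS, which this account was never granted."""
    return {
        "refresh Helsinki FW": may_act(admin, "refresh_policy", "Helsinki FW"),
        "refresh Atlanta IPS": may_act(admin, "refresh_policy", "Atlanta IPS"),
        "visible log entries": len(visible_logs(admin, LOG_ENTRIES)),
    }


if __name__ == "__main__":
    for check, result in lab_privilege_test().items():
        print(f"{check}: {result}")
```

Both halves of the check matter: the role alone does not let HelsinkiAdmin touch Atlanta IPS, and the granted elements alone would not permit an action the role lacks, which is the least-privilege split the lab's Restricted Permissions setting is meant to enforce.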