NGFW POC Student Guide Day 1

Next Generation Firewall

This training will prepare you for the Proof of Concept for
NGFW by familiarizing you with the new technology,
working with common use cases and enabling you to
demonstrate them. It will also ensure you are able to
articulate features and functionality to effectively conduct
POCs and demos aligned with sales messaging.

NEXT GENERATION FIREWALL POC Student Guide

Introduction ..................................................................................................... 3
Agenda Day 1 ................................................................................................... 5
Agenda Day 2 ................................................................................................... 6
McAfee Next Generation Firewall (Stonesoft) Management Center ................. 7
Use Case 1 – NGFW Management Center in Demo Mode .................................... 7
Getting Started ..................................................................................................................................... 7
Lab 1 -‐ Installing the Management Server in Demo Mode .................................... 7
Logging in to the Management Client ................................................................................................ 10
Visualizing Security ......................................................................................... 11
Use Case 2 – Visualizing Security ......................................................................... 11
Lab 2 -‐ Using Logs: Visualizing Security ................................................................ 11
Taking Action on Log Data .............................................................................. 20
Use Case 3 – Taking Action on Threat Indications ............................................... 20
Lab 3 -‐ Taking Action: Security from Logging ....................................................... 20
Dashboard Overviews and Reports ................................................................. 25
Use Case 4 – Overviews and Reporting ............................................................... 25
Lab 4 ..................................................................................................................... 25
Advanced Administration ............................................................................... 31
Use Case 5 – Making Firewall Administration Easier ........................................... 31
Lab 5 – Advanced Administration ........................................................................ 31

2 Revision: 3/26/2014 McAfee Global Sales Learning and Development


Introduction

Welcome to McAfee. We are glad you are here!
This training is designed to develop your understanding of McAfee’s Next Generation Firewall
(NGFW) and includes classroom training, taking notes, use cases and collaboration.

Learning Discovery Process
We will ask you to engage in active listening and group discussion while identifying important
functionality, and competitive features and benefits that will be used in business environments.
You will discover how MWG operates and how to accentuate McAfee’s key components in
order to make businesses and communities more secure. Once more, welcome to McAfee! We
look forward to working together with you.
During this training you will learn about:
• Drive the evaluation of the product to include: installation, configuration & deployment
• Understand the value of McAfee GTI and Security Connected
• Uncover customer objections (common use cases)
• Educate customers to utilize solution

The course will equip you with the knowledge to discuss and drive the proof of concept (POC)
win for NGFW. You will have the opportunity to practice use case scenarios in a lab
environment. This course will provide extensive, in-‐depth hands-‐on experience with the
solution, including installation and configuration. Understanding the solution at this level will
ensure expert positioning of the product, strong demonstrations, and the ability to deliver a
technically winning POC.

Partner Sales Engineers who complete this training and achieve MWG ACE accreditation will get
exclusive benefits just for ACEs, such as:
• Engagement from McAfee Sales for POC opportunities
• Ongoing access to and communications from McAfee product and technical teams
• Enhanced incentives including generous rewards for achieving modest POC targets



Program Overview
This POC training is a 2-‐day training program that consists of Instructor-‐led training.
• This training course is designed to prepare you to conduct a POC for the Next
Generation Firewall. You will learn the technology by working with common use cases
and demonstrating the device while ensuring you are able to articulate features and
functionality to effectively conduct POCs aligned with sales messaging.

Program Objectives
• Drive the evaluation of the product to include: installation, configuration & deployment
• Understand the value of McAfee GTI and Interlock
• Uncover customer objections (common use cases)
• Educate customers to utilize solution
• Locate tools and resources for demonstrating this solution

You will also learn how to use the McAfee NGFW Management Center. By the end of this course, you
will be able to:
• Use the navigation tools in the Management Client effectively
• Monitor the status of the McAfee NGFW components
• Monitor traffic statistics
• View and filter logs
• Manage log data
• Generate predefined and custom reports
• Define administrator roles
• Restrict the privileges of an administrator account
• Use the automated alert system



Agenda Day 1

Start of Program Approx. Times
Introduction / Expectations / Agenda / What’s in it for You 8:00 – 8:45a
Opportunity Development 8:45 – 9:30a
Installation and Configuration
Build Your Own Use Case Activity 9:30 – 10:00a
Break 10:00 – 10:15a
Use Case/Hands-‐on Labs 10:15a – 12:00p
Lunch 12:00 – 12:45p
(CONTINUED) Use Case/Hands-‐on Labs 12:45 – 2:45p
Break 2:45 – 3:00p
(CONTINUED) Use Case/Hands-‐on Labs 3:30 – 5:00p

Day 1
Goal for today:

Most important lesson today:

Welcome to the NGFW POC Training!

Place a checkmark in the box (o) to show you have completed the activity item.
Training activities:
o
Introduction
o
Opportunity Development
o
Use Cases / Hands-‐on Labs



Agenda Day 2

Start of Program Approx. Times
Recap from previous day 8:00 – 8:30a
Use Case/Hands-‐on Labs 8:30 – 9:45a
Break 9:45 – 10:00a
Use Case/Hands-‐on Labs 10:00a – 12:00p
Lunch 12:00 – 1:00p
POC Resources 1:00 – 2:00p
Conclusion / Next Steps 2:00 – 2:30p
Discussion: Best Ideas / Take Aways 2:30 – 3:00p

Day 2
Goal for today:

Most important lesson today:

Welcome to the NGFW POC Training!
Place a checkmark in the box (o) to show you have completed the activity item.
Training activities:
o
Recap of Day 1
o
Use Cases / Hands-‐on Labs
o
POC Resources and Conclusion



McAfee Next Generation Firewall (Stonesoft) Management Center
NGFW Security Management Center in Demo Mode
You, as a SE and consultant, will have the requirement to demonstrate the McAfee Next Generation
Firewall to potential customers. With preconfigured virtual machines or hardware it is difficult to
simulate real data. The SMC in demonstration mode (Demo Mode) will allow you to show the flexibility
and comfort of the solution using simulated data.
Getting Started
You will install the McAfee NGFW Management Center (SMC) in Demo mode, and log in to the McAfee
NGFW Management Client with an unrestricted administrator account that allows you to perform all the
administration tasks for the McAfee NGFW components.

Lab 1 -‐ Installing the Management Server in Demo Mode
Demo mode installs preconfigured Management Center components and simulated McAfee NGFW
Firewall/VPN, IPS, and Layer 2 Firewall engines. It is a pre-‐populated environment and contains log
activity for a perfect demonstration environment. You will use this simulated environment for this
course.

To install McAfee NGFW Management Center in Demo mode:
1. Copy the installation files from the USB memory stick to the desktop.
2. Browse to Stonesoft_SW_installer\Windows and run setup.exe.
• First, the Java Runtime Environment (JRE) is installed. This may take a while.
• The Installation Wizard shows the Introduction screen.
3. Click Next to start the installation. The License Agreement is displayed.
4. Accept the License Agreement and click Next. The Select Installation Directory dialog opens.
5. Leave the default installation directory and click Next. The Select Shortcut Directory dialog
opens.
Tip – Shortcuts can be used to manually start components and to run some maintenance tasks.
6. Leave the default values as they are and click Next. The Select Components to Be Installed
dialog opens.



7. Select Demo Mode and click Next. You are prompted to select the backup to restore
1.

8. Select Demo Standard and click Next. The Demo Mode Installation dialog opens.
9. Click Next. The Pre-‐Installation Summary opens.



10. Click Install. The installation begins. When the installation is finished, the Demo Mode
Installation Complete dialog opens.

11. Make a note of the login, password, and server address, and click Next.
12. Click Done to exit the installer. The Management Client login dialog opens.



Logging in to the Management Client

To log in to the Management Client:
1. Log in with the demo account:
User Name: demo
Password: demo
Server Address: 127.0.0.1
The Confirmation dialog opens.

2. Click Accept. The Management Client opens, showing the Getting Started tab.
3. Close the Getting Started tab.

Summary

In this lab, you have installed the McAfee NGFW Management Center in Demo mode. You have also
logged in to the Management Client.



Visualizing Security
Use Case 1 – Visualizing Security
Administrators face a variety of security related challenges on a daily basis. Meeting these challenges
starts with having the information necessary to make well informed decisions on security related
matters.

Lab 2 -‐ Using Logs: Visualizing Security
In this lab you will become familiar with viewing the logs, looking for potentially problematic situations,
filtering the logs, visualizing the data, and taking action directly from the log data.
Getting Started
The NGFW Management Center provides logging capabilities that allow an Administrator to see real-‐
time, correlated information from all system components (Firewall/VPN, IPS, Layer 2 Firewall, SSL VPN,
and Authentication Server). In addition to providing information on McAfee NGFW components, the
SMC also provides for the collection of logs from third-‐party devices. Having information from all aspects
of a network in one location provides the Administrator with a clear picture of their security posture.
Logs can be used for a variety of purposes including intrusion detection, providing evidence for legal
action, or the justification of a network upgrade, to name a few. Because the typical installation
generates a great deal of logging information, a powerful method of filtering is required to suit the
needs of the administrator. The McAfee NGFW Management Center uses drag-‐and-‐drop filtering which
allows for the creation of filters directly from the log entries themselves.
After the logs have been filtered, the NGFW Management Center also provides powerful methods of
visualizing data, wherein trends and problems can be seen easily.
Beyond simple log entries generated from the Security Engines, the McAfee NGFW Management Center
also provides for the use of Alerts. These are events of interest that are designed to require the
administrator’s attention. Whenever a rule with an alert defined as the log option matches traffic, the
firewall or IPS node sends the specified Alert to the Log Server. The Management Server also sends
alerts in case of critical system events. You can handle both alerts from all engines through the same
interface.
Using Tabs and Windows
Tabs are an essential part of the Management Client interface. Tabs allow you to efficiently manage
information within the same window. Tabs in the Management Client operate in the same way as in
most modern web browsers. You can also use the forward and back buttons to undo and redo
operations, go back to previous views, or go forward through your workflow.

To open an item in a new tab:
1. Ctrl-‐click the item you want to open or right-‐click and select Open in New Tab.
2. To open an item in a new window
3. Shift-‐click the item you want to open or right-‐click and select Open in New Window.



Viewing Logs
To view logs:
1. Ctrl-‐click the Logs icon in the toolbar. The Logs view opens in a new tab.

2. Click the Current Events icon. The display shows the logs in real time as they
arrive.
Tip – Clicking any log entry pauses the logs.



3. Double-‐click any log entry to see further details
4. Click the Records icon in the toolbar to return to the Records arrangement



Filtering Logs
Filters can be created by dragging and dropping items directly from the log entries or they can be
created using the filter editor. You will create a manual filter that shows all permitted traffic from a
specific sensor, and save the filter for later use in the Logs view and in other views.
Manually Creating a Filter
To manually create a filter:
1. Right-‐click the Query Panel and select New -‐> Filter.

2. Click the Require All Of (And) toolbar button

3. Browse to All Fields and type sender. The list automatically jumps to the first field that contains
the string “sender”.
4. Double-‐click Sender to add it to the filter.
5. Switch to the Resources tab.


4.
5.
6. Browse to Security Engine →Security Engines →Helsinki IPS.
7. Drag and drop Helsinki IPS on top of <Operands> next to Sender in the filter.
8. Switch back to the Fields tab.



9. Browse to Action and drag and drop it on top of AND in the filter.
10. Double-‐click <Operands> next to Action and select Permit.
11. Click Apply. The filter appears in the Query panel as a temporary filter.
6.

12. Click Apply to activate the filter.
13. Click the Save icon and Name the filter Permitted Traffic -‐ Helsinki IPS. Click OK.

You have now created a permanent filter that can be reused throughout the system. This filter can be
used for filtering log data for other administrators, generating reports, and visualizing data. In the next
exercise, you will see how individual log entries can be transformed into meaningful pictures, enabling
you to quickly see trends and activity.



Viewing Log Statistics
The data now displayed in the log browser are filtered based on the last exercise. As you can see, there
are many lines of data. As such, seeing trends in this way is difficult. The data is more useful when
visualized. The NGFW Management Center allows you to represent the information in many different
ways. For this exercise, you will see the Top Situations occurring on the network, based on the filter you
created.
Viewing the Top Situations
To view the top Situations:
1. Click the Statistics icon in the toolbar and select Other. A selection dialog opens.
2. Select Top Situations. The Logs view changes to the Log Statistics arrangement.

Here you can see the situations that have occurred most frequently in your network. By default,
the time range is 15 minutes, but more information from a longer time period is needed.
3. Change the diagram type to Bar.
4. Change the Top Limit to 20 items.
5. Change the Time Range in the Query panel to 1 hour and click Apply. Now the top 20
Situations from the past hour are displayed.



Viewing Individual Event Records

For any situation displayed, it is possible to see the individual log records associated with that situation.
To view individual event records

1. Right-‐click SMB-‐TCPFailed-‐Session-‐Setup and select Show Records. The individual records are
displayed, clearly showing that there is IPv6 traffic on the network, when there should not be.
This is a potential attack, since an untrusted source is trying to authenticate on an internal host
using Samba.
7.

To ensure that there are not multiple sources, you can visualize this information another way: Top
Sources.

2. Click the Statistics icon in the toolbar and select Top Sources. A chart now appears showing the
top source addresses for this Situation. You can now see that there is one source address for this
traffic.
Tip – Because the Management Client navigation functions in a manner similar to a web browser, the
back and forward arrows on the top toolbar can be used to navigate through the history of what you
have done. This is very useful for repeating actions or undoing actions.
3. Click the Back arrow in the toolbar at the top to return to the log entries.


Summary
In this lab, you have learned how to see more information for a log entry with the help of the details
view. Then you have learned to create a filter in order to see only those log entries you are interested in
and finally you have used log statistics to find trends in the traffic flow.
Want to Go Further?
Try out the Log Analysis arrangement and analyze the traffic that has been generated in the past hour.
Once the log analysis has been computed, various tools help you to analyze the logs.
Open the Logs view in a new tab and select Application Usage in the Visualizations menu. This generates
a diagram of Application use. Zoom and filter the Application and User elements in the diagram to find
out the following:
• Who has been using the GoTOMeeting and Salesforce Applications?
• From which host(s)?
• What Application has the user Bill been using?

The Service map displays access to services in the network. You can see the IPv6 connections that have
been previously terminated in the lab. The IPv6 connections between the two hosts matched numerous
Situations and create a particular shape that can be seen on the map.
From the Aggregate menu, you can sort the logs by service. You can also aggregate several columns
together. Explore the aggregated data to find out the following:
• How many SSH connections have recorded by all firewalls?
• How many HTTP connections have been recorded by the Helsinki Firewall?



Taking Action on Log Data

Use Case 2 – Taking Action on Threat Indications
Having identified a possible threat to the network, the ability to react to it quickly is very important.
Traditionally, this would mean writing down the IP addresses of the source and destination, creating the
objects, and finally, creating the rules. This procedure can be costly in terms of both time and
reputation.

Lab 3 -‐ Taking Action: Security from Logging
Getting Started
During this lab, you will learn how to add rules to policies directly from log entries, manipulate the rule
for maximum effectiveness, and organize these rules for future manageability.
Objectives
In this lab, you will:
1. Create a rule from the logs
2. Customize the rule
3. Organize the policy for future management
Creating a Rule Based on a Log Entry
In the last lab, we saw IPv6 traffic on the network, and further, it appeared that some of that may have
been an attack. Using the suspect log entries, you can directly create a rule that will, for example,
terminate a connection, alert on that connection, or prevent it from being logged. The primary
advantage of this approach is that all of the objects, such as the source and destination, are
automatically created. This saves time and allows for a much faster response to a possible security
situation.
To create a rule based on a log entry

1. Right-‐click any log entry (filtered from the previous lab) and select Create Rule -‐>Terminate
Connection.

2. Make sure that Training Policy -‐ Inspection is selected as the policy to which the new
preconfigured rule is added. The Comment field is automatically filled with information about
this rule.


3. Make sure that Add Rules and Edit the Policy is selected and click OK. The rule is added
to the Exceptions in the policy, and the policy opens for editing.
Customizing the Rule
When rules are added to the policy automatically, all relevant fields are configured. However,
you may want to change the parameters of the rule to suit your exact needs. In this exercise
you will change the comment that was generated automatically to be more informative.

To customize this rule
1. If the Comment cell is not visible, rearrange the policy view in one of the following ways:
• Maximize the Management Client window.
• Right-‐click a cell heading and select Minimize All.
• Resize individual columns.
2. Double-‐click the Comment cell. You can now edit the comment
3. Replace the comment with the following text: Suspicious IPv6 traffic detected from the
logs on <current date>.



Organizing the Policy

When adding rules to policies, it is important to maintain a well-‐organized policy. There are many
reasons for this, including legibility, audits and compliance, and basic organization. In this exercise, you
will add rule sections to the policy that will allow you to organize rules according to their function.
Adding a Rule Section
To add a rule section:

1. Right-‐click the ID of the Exception you just added and select Add Rule Section Before. A
rule section is added.

Note that the existing rule is now nested under this rule section. This is the primary means of
organizing rules.

Tip – Click the plus symbol (+) on the left to see the rule below the comment row.
2. Double-‐click the new rule section comment and enter Rules added from Log Entries.



Changing the Color of the Rule Section Comment
Visual information is very important in organization. For this reason, the color of the rule section
comments can be changed. For example, the section containing false positive rules could be green, and
the section containing rules added from logs could be red. In this exercise, you will change the color of
the rule section from the default to red.

To change the color of the rule section comment:
1. Right-‐click the rule section comment you just added and select Colors.

2. Select red from the palette. The color of the rule section comment changes to red, reflecting its
importance.
3. Click the Save icon in the toolbar.
4. Click the Configuration icon and select Security Engine.
5. Browse to IPS Policies


6. Right-‐click Training Policy and select Install Policy. The Policy Upload Task Properties
dialog opens.
7. Make sure that Helsinki IPS is selected in the Target panel and click OK.
• By default, Atlanta IPS and Helsinki IPS are selected. It is not necessary to remove Atlanta IPS
from the list.

Summary
In this lab, you have transformed real-‐time, unfiltered data into protection from a possible threat.
Additionally, you have created an environment where future rule additions can be managed and
maintained.



Dashboard Overviews and Reports
Use Case 3 – Overviews and Reporting
Statistical analysis, both current and historical, is important for both threat and compliance research.
Specifically for auditing, effective overviews and reports are essential.

Lab 4
Now you will take a look at additional ways to monitor your network. In addition to viewing the status of
the Firewall and IPS engines in the System Status view, you can get different kinds of statistical
information in the Overviews. You can view statistics on current activity or create reports of past
activity.
Getting Started
A basic task for an administrator is to monitor the status of the Security Engines. Many times this is not
enough; the administrators want to know more about the activity of their environment. In addition to
allowing or rejecting network traffic, McAfee NGFW engines collect information about the traffic in the
logs. Monitored traffic can be used to show live statistics of engine activity.
Viewing Statistics
The statistical charts can be found in the Overviews, which allow you to have several sections for
monitoring the system status and traffic statistics. You will customize the default overview to monitor
traffic allowed by the Firewall. You will also customize the layout of the overview and save it.
Viewing the Default Overview
To view the default overview

1. Click the Overviews toolbar icon and select New Overview. The Overview Properties dialog
opens.
2. Select Default and click OK. The default overview opens.


Customizing Overview Sections
The default time period for the Records by Data Type section is too short for your monitoring needs. In
this exercise, you will change the time period and the graph type for the Records by Data Type section.

To customize an overview section:
1. Right-‐click the Records by Data Type section and select Edit. The Section Properties panel opens
on the right side of the window.
8.
9. Select the Top Rate diagram type.
10. Select 1 hour as the Period. The changes are automatically applied to the section.


Adding a Firewall Allowed Traffic by Interface Section
To add a firewall allowed traffic by interface section:

1. Click the New icon in the toolbar and select Create from Item. The Select Item dialog opens.

11. Type allowed in the Search field. Items with “allowed” in their names are displayed.
12. Select Allowed traffic by interface, FW (Packets) and click Select.
13. In the Section Properties panel, select Progress as the Statistic Type
14. Switch to the Senders tab in the Section Properties panel.

15. Click the Select icon. The Select Element dialog opens
16. Browse to Security Engines and select Helsinki FW



Organizing the Overview Sections

To organize the Overview sections:
1. Click the X of the Allowed Traffic (Bits) section to close the section.

17. Click the title of the Firewall Allowed Traffic by Interface section and move it to the space of the
section you just closed.
18. Click the X of the Records by dst IP section to close the section.

19. Click and hold the left side of the Firewall Allowed Traffic by Interface section and drag it to the
left to expand it across the space of the section you just closed.
Saving the Overview
To save the overview:

1. Select File-‐>Save As from the menu.
20. Name the Overview Helsinki Overview and click OK.



Generating Predefined Reports
First, you will generate a predefined daily summary report from the Firewall logs collected
To generate a report:

1. Click the Configuration toolbar icon and select Monitoring. The Monitoring Configuration view
opens.

2. Right-‐click Firewall Daily Summary and select Start. The Report Operation Properties dialog
opens.

3. Deselect 1 Day Period.
4. Enter yesterday’s date as the Period Beginning.
5. Enter the current date and current time as the Period End.
Tip – You can click the Current Time button to automatically fill in the current date and time.
6. Switch to the Task tab and make sure Store Report is selected.
7. Click OK. The report is generated. When the report is ready, it appears in the Stored Reports list.



Viewing the Report

To view the report:

1. Double-‐click the report name. The report opens as an Overview

2. Right-‐click the curve for the Helsinki FW in the Allowed connections by cluster section and select
Show Records. The logs used to generate the report data are shown.
Summary
During this lab, you have learned how to monitor your firewall and receive real-‐time statistical
information from it. You have viewed predefined Overviews and created your own customized
Overview. You have also generated a report based on a predefined report design, seen how to read the
generated reports to retrieve the desired information, and seen what conclusions can be made based on
the reports. In the next lab, you will become familiar with advanced administration tasks, such as log
data management, alert configuration, and role-‐based access control.
Want to Go Further?
1. The Default Overviews overview introduced in this lab is one of the multiple overview templates
provided by SMC. You can familiarize yourself with the different statistical information provided
by the Inspection Overview, Access control Overview, etc.
2. Create a custom report about Users and Applications based on the Application usage Report
Design provided. Edit the Application Usage Report Design to change the way data is visualized
in charts, and add new diagrams based on the statistic items provided.



Advanced Administration
Use Case 4 – Making Firewall Administration Easier
Firewalls are often geographically dispersed and some policy aspects of a decentralized deployment
must be controlled by the local IT organization. Log management tasks, alert configuration and role
based access control is part and parcel of the daily administration of the Firewall installation.
Lab 5 – Advanced Administration
In this lab, you will become familiar with advanced administration tasks. You will configure log data
management tasks, configure alerts, and use role-‐based access control to distribute the tasks for
different levels of administrators.
Getting Started with Log Data Tasks
If you let log data build up, the logs eventually fill up the Log Server's hard disk and the Log Server stops
receiving new logs. To prevent this, you can set up automatic scheduled tasks to export and remove the
old logs.
Creating an Archive Log Task
To prevent old data from using too much disk space on the Log Server, you will create an Archive Log
Task to export and delete the old log data.

To create an Archive Log Task:
1. Click the Configuration toolbar icon and select Administration. The Administration Configuration
view opens.

2. Browse to Tasks -‐> Task Definitions.
3. Right-‐click Task Definitions and select New -‐> Archive Log Task. The Archive Log Task Properties
dialog opens.



21. Name the task Archive IPS.
22. Select Log Server from the list of Log Task Servers and click Add.

Defining the Task Options
To define the task options:

1. Switch to the Task tab.

1. Select IPS Log as the Target Data.
2. Select Today as the Time Range.


Tip – You can use both relative and absolute definitions as the Time Range. There are also predefined
ranges available.
Defining the Operation Options
To define the operation options:

1. Switch to the Operation tab.

2. Select Filter for Copying.
3. Click Select and browse to All Filters.
4. Select Permitted Traffic -‐ Helsinki IPS and click Select.
Tip – Start typing the filter name to search for the filter.
5. Select Delete Source Data. This deletes the old log entries once they are archived.
6. Keep Primary archive as the Archive Target Directory.
7. Click OK. The Archive Log Task Properties dialog closes. The task you created appears in the Task
Definitions list.



Running the Archive Log Task

Now that you have defined the Export Log Data and Delete Log Tasks, you can start the Tasks.
To run the Archive Log Task:
1. Right-‐click Archive IPS and select Start. A Confirmation dialog opens.
2. Click Yes. The Archive Log Task starts.

3. Browse to Tasks -‐> Executed Tasks when the task is finished to view the details of the finished
task.
Tip – Log entries can also be exported directly in the Logs view. First select the log entries you want to
export. Then right-‐click one of the selected entries and select Export Logs (to export XML or CSV or
archive) or Print to PDF from the menu.

Scheduling the Archive Log Task
Log Data Tasks can also be scheduled to run automatically. To make sure that the Log Server hard disk
will not fill up, it is a good idea to create a scheduled task to delete old unnecessary log data. Archiving
log data regularly also speeds up fetching active and filtering log data.

Archived logs can be viewed in the Logs view.
To schedule the Archive Log Task:
1. Browse to Tasks -‐> Task Definitions.
2. Right-‐click Archive IPS and select Schedule. The Task Properties dialog opens.


3. Configure the properties as follows:
• Repeat: Daily
• Start at: <today’s date> 23:59:00
4. Click OK. The Archive IPS Task is scheduled to run daily.
Backing up the Management Server
The Management Server is a repository for the configurations of all managed devices. As such, part of a
well-‐managed system is ensuring that a backup of the Management Server is done periodically. This will
ensure that, in the event of a problem, there is always a backup available. This is one of the most
important tasks that an Administrator performs.

To back up the Management Server:
1. Browse to File -‐> System -‐> Tools -‐> Backup. The backup dialog opens.
2. Select the Management Server and click Add.
3. Click OK. The progress window for the management backup opens.

Tip – When a manual backup or an automated backup completes, the backup file is stored in
/usr/local/stonesoft/management_center/backups on Linux and
C:\Stonesoft\Management_Center\backups on Windows Platforms by default.



Scheduling a Management Server Backup

Management and Log server backups can be scheduled to run automatically, ensuring that there is a
current backup available if there is a problem critical to business continuity and security.

To schedule a Management Server backup:
1. Browse to Tasks-‐>Task Definitions.
2. Right-‐click Task Definitions and select New-‐>Backup Task. The Backup Task Properties dialog
opens.

3. Name the task Management Server Backup.
4. Select the Management Server and click Add.
5. Click OK. A new Backup Task is created.
6. Right-‐click Management Server Backup and select Schedule. The schedule dialog opens.

• Repeat: Weekly
• Start at: <today’s date> 23:59:00
8. Click OK. The Management Server backup is scheduled to run weekly.


Getting Started with Alert Management
Configuring Alert Channels
Alert channels define how alert notifications are sent to administrators. For example, they specify which
mail server is used to send the alerts. The alert channel is used in the configuration of the alert chain.

To configure alert channels:
1. Browse to Alert Configurations -‐> Alert Senders -‐> Servers and open the properties of the Log
Server.

2. Switch to the Alert Channels tab.
• SMTP Server: mail.demo.example.com
• Mail Sender Name: admin
• Mail Sender Address: admin@mail.demo.example.com
4. Click Add and select COM to add an SMS Alert Channel with the following properties:
• Name: COM1
• GSM COM Port: COM1
• PIN Code: 1234
5. Click OK.
6. Click OK to exit the Log Server properties.

Note – You may see a warning that the IP address is not unique. You can safely ignore this warning in the
demo environment.



Creating an Alert Chain

An Alert Chain defines the escalation chain for alerts. Alert chains are used in the configuration of alert
policies.
Creating the Office Alert Chain
To create the office alert chain:
1. Browse to Alert Configuration -‐> Alert Chains.
2. Right-‐click Alert Chains and select New Alert Chain. The Alert Chain Properties dialog opens.
3. Name the alert chain Office and click OK. The Alert Chain opens for editing in a new tab.
4. Right-‐click the Final Action row and select Rule -‐> Add Rule. A new row appears in the Alert
Chain.
5. Configure the rule with the following properties:
• Channel: SMTP
• Destination: admin@mailserver.com
• Threshold to block: 10 alerts in 1h, notify blocking (default value)
• Delay: 30
6. Right-‐click the rule and select Rule -‐> Add Rule After. A new row appears.
• Channel: SMS
• Destination: 03584012345678
• Delay: 0 min (default value)
8. Double-‐click the Threshold to block cell. The Threshold to Block dialog opens.



9. Fill in 2 alerts during 30 min and click OK. The finished alert chain should look like the illustration
below.

10. Click the Save icon in the toolbar and close the Office alert chain.
Creating the Home Alert Chain

To create the home alert chain:
1. Right-‐click Alert Chains and select New Alert Chain. The Alert Chain Properties dialog opens.
2. Name the alert chain Home and click OK. The Alert Chain opens for editing in a new tab.
3. Right-‐click the Final Action row and select Rule -‐> Add Rule. A new row appears in the alert
chain.
• Channel: SMS
• Destination: 03584087654321
• Threshold to block: 2 alerts in 1 h, notify blocking
• Delay: 0 min (default value)

5. Select Acknowledge as the Final Action.
6. Click the Save icon in the toolbar and close the Home alert chain.



Creating an Alert Policy

An Alert Policy allows you to specify how different alerts are directed to different escalation chains.

To create an alert policy:
1. Browse to Alert Policies.
2. Right-‐click Alert Policies and select New Alert Policy. The Alert Policy Properties dialog opens.
3. Name the policy Helsinki Alerts and click OK. The Alert Policy opens for editing.
Adding a Rule for the Office Alert Chain
To add a rule for the office alert chain:
1. Right-‐click the rule table and select Rule®Add Rule.
2. Drag and drop the following elements from the Alert Senders list to the Sender cell:
• Helsinki FW
• Helsinki IPS
• Helsinki L2 FW
3. Click the Alert and Situation cell. The System Situations and Alerts folders are displayed on the
left.
4. Browse to Alerts and drag and drop the System Alert to the Alert and Situation cell.
5. Double-‐click the Time cell. The Alert Rule Validity Time dialog opens.

6. Define the time settings as follows:
• Days: Mon, Tue, Wed, Thu, Fri
• Start Time: 08:00
• End Time: 18:00

Note – Time is defined in UTC.



7. Define the remaining settings as follows:
• Severity: ANY
• Chain: Office
The completed rule should look like the following illustration:

Adding a Rule for the Home Alert Chain
To add a rule for the home alert chain:
1. Right-‐click the rule you just created and select Rule -‐> Copy Rule.
2. Right-‐click the rule again and select Rule -‐> Paste. A duplicate rule is added.
3. Change the following properties in the second rule:
• End Time: 23:59
• Chain: Home
4. Copy the rule you just created and paste it as the last rule.
5. Double-‐click the Time cell in the last rule and change the following settings:
• End Time: 07:59
Note – The end time for a rule must be on the same calendar day as the start time. For this reason, you
created one rule that is valid from 18:01-‐23:59 and another that is valid from 00:00-‐07:59 to cover the
time range between 18:01-‐07:59.
The Alert Policy should now look like the illustration below.

6. Save and install the Alert Policy on the Log Server.
7. Close the upload progress tab and the Alert Policy editing tab.


Getting Started with Role-‐Based Access Control

The privileges of administrators are defined flexibly with Administrator accounts. An administrator
account specifies what kinds of actions the administrator can take (for example, create new elements,
and browse logs).
There are three predefined permission levels for administrators: unrestricted permissions, restricted
permissions, and no permissions. An administrator with unrestricted permissions can create and modify
all elements.
Creating an Administrator Role
There are three predefined Administrator Roles: Operator, Editor, and Owner, which each contain
certain rights. You can also create new Administrator Role elements and select the rights for them. The
permissions that an Administrator Role gives apply only to the granted elements selected for the role. In
this exercise, you will create an Administrator Role for the administrators in Helsinki that gives
administrators permissions for all actions, except managing administrator accounts.

To create an Administrator Role:
1. Browse to Access Rights -‐> Administrator Roles.
2. Right-‐click Administrator Roles and select New Administrator Role. The Administrator Role
Properties dialog opens.


3. Name the Administrator Role Helsinki Administrator.
4. Select the following permissions:
• Element Rights for Granted Elements: select all.
• Action Rights: select all.
• Administrative Rights: select all except Manage Administrators.
Tip – Select All at the top of the tree, then deselect Manage Administrators.
5. Click OK.

Creating an Administrator Account
Once you have created the new Administrator Role, you can create a new administrator account and
use the Administrator Role to grant permissions for the administrator. An administrator account is
defined with an Administrator element.

To create an Administrator:
1. Right-‐click Administrators and select New Administrator. The Administrator Properties dialog
opens.

2. Name the Administrator HelsinkiAdmin.
3. Make sure Local Authentication is selected.
4. Enter and confirm the password:
• For this exercise, use Pass1234
Caution – Always use a strong password in a production environment
5. Make sure Always Active is selected.



6. Switch to the Permissions tab.

7. Leave Restricted Permissions selected and click Add Role. A new row appears with the Operator
as the role and ALL Simple Elements as the granted elements.
8. Click Operator and select the Helsinki Administrator you created earlier.
Tip – If the role you want to select is not listed, select Other and browse to the role.
9. Select Permitted Traffic -‐ Helsinki IPS as the Log Filter.
Tip – The log filters define which logs the administrator sees in the Logs view.



Selecting Granted Elements
To select granted elements:
1. Right-‐click ALL Simple Elements and select Edit Granted Elements. The Select Element(s) dialog
opens.

2. Browse to Security Engines and add Helsinki FW, Helsinki IPS, and Helsinki L2 FW.
3. Browse to Policies and add the following policies:
• Firewall Policies -‐> HQ Policy
• IPS Policies -‐> Training Policy
• Layer 2 Firewall Policies -‐> Layer 2 FW Policy
• Inspection Policies -‐> Training Policy -‐ Inspection and Layer 2 FW Inspection
4. Click OK. The Select Element dialog closes.
5. Click OK. The Administrator properties dialog closes.
Testing Administrator Privileges
Once you have created the new administrator account, you can log in to the Management Client as that
administrator and see how the SMC manages the actions that the administrator is allowed to perform.

To test the administrator’s privileges:
1. Close the Management Client.
2. Open the Management Client and log in with administrator account you just defined:
• User Name: HelsinkiAdmin
• Password: Pass1234
3. Click OK.
4. Right-‐click the Helsinki firewall and select Current Policy -‐> Refresh.
What is the result?

5. Click the Configuration icon and select Administration. The Administration Configuration view
opens.
6. Browse to Administration -‐> Access Rights -‐> Administrators.


What is the result? Why?

7. Close the Management Client and log in again with the Demo account.
Summary
During this lab, you have seen how to manage large amounts of log data with log management tasks.
You have defined alert channels, alert chains, and an Alert Policy. You have seen how the SMC’s flexible
multi-‐level administrator configuration enables effective distribution of management tasks.
Want to Go Further?
Web Portal
1. Open a web browser and log into the Web Portal at 127.0.0.1:8080 with the following
credentials:
• User name: demo
• Password: demo
2. View the current Policy on the Helsinki L2 Firewall and compare the policy snapshots to see the
changes that have been performed between the different policy uploads.
3. Browse logs, display the log details as a PDF, and view the report that you generated in lab 4.



Authentication Server
1. Click the Configuration icon in the toolbar and select Authentication. The Authentication
Configuration view opens.
• You can browse the Authentication Server properties, define new Authentication Methods
and check the user linking properties. In demo mode, the Authentication Server is already
linked with the external directory demo.example.com.
• The Authentication Server Users are stored in the Domain for Authentication Server.
2. Add a new Authentication Server User from demo.example.com to see how the properties of
the users are automatically retrieved from the external directory server.
3. Retrieve User Groups information from the directory server. You can add User Groups in the
Authentication Server Users by Linking User Groups in the Authentication Server properties.
Remember that once you have performed your changes in the Authentication Server properties,
you must apply the configuration again.
4. Define your own custom attribute group to group the Authentication Users according to your
own criteria. You need to create your own group criteria in Authentication Server properties,
and the group membership in the Authentication User properties.

END of DAY 1 SMC Training

Notes


NGFW POC Student Guide Day 1

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

NGFW POC Student Guide Day 1

Caricato da

Copyright:

Formati disponibili

2 Revision: 3/26/2014 McAfee Global Sales Learning and Development

3 Revision: 3/26/2014 McAfee Global Sales Learning and Development

4 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Most important lesson today:

5 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Most important lesson today:

6 Revision: 3/26/2014 McAfee Global Sales Learning and Development

7 Revision: 3/26/2014 McAfee Global Sales Learning and Development

8 Revision: 3/26/2014 McAfee Global Sales Learning and Development

9 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Logging in to the Management Client

10 Revision: 3/26/2014 McAfee Global Sales Learning and Development

11 Revision: 3/26/2014 McAfee Global Sales Learning and Development

12 Revision: 3/26/2014 McAfee Global Sales Learning and Development

13 Revision: 3/26/2014 McAfee Global Sales Learning and Development

14 Revision: 3/26/2014 McAfee Global Sales Learning and Development

15 Revision: 3/26/2014 McAfee Global Sales Learning and Development

16 Revision: 3/26/2014 McAfee Global Sales Learning and Development

17 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Viewing Individual Event Records

To view individual event records

18 Revision: 3/26/2014 McAfee Global Sales Learning and Development

19 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Taking Action on Log Data

To create a rule based on a log entry

20 Revision: 3/26/2014 McAfee Global Sales Learning and Development

21 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Organizing the Policy

22 Revision: 3/26/2014 McAfee Global Sales Learning and Development

23 Revision: 3/26/2014 McAfee Global Sales Learning and Development

24 Revision: 3/26/2014 McAfee Global Sales Learning and Development

To view the default overview

25 Revision: 3/26/2014 McAfee Global Sales Learning and Development

26 Revision: 3/26/2014 McAfee Global Sales Learning and Development

27 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Organizing the Overview Sections

28 Revision: 3/26/2014 McAfee Global Sales Learning and Development

29 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Viewing the Report

30 Revision: 3/26/2014 McAfee Global Sales Learning and Development

31 Revision: 3/26/2014 McAfee Global Sales Learning and Development

32 Revision: 3/26/2014 McAfee Global Sales Learning and Development

33 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Running the Archive Log Task

34 Revision: 3/26/2014 McAfee Global Sales Learning and Development

35 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Scheduling a Management Server Backup

36 Revision: 3/26/2014 McAfee Global Sales Learning and Development

37 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Creating an Alert Chain

38 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Creating the Home Alert Chain

39 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Creating an Alert Policy

40 Revision: 3/26/2014 McAfee Global Sales Learning and Development

41 Revision: 3/26/2014 McAfee Global Sales Learning and Development

Getting Started with Role-­‐Based Access Control

42 Revision: 3/26/2014 McAfee Global Sales Learning and Development

43 Revision: 3/26/2014 McAfee Global Sales Learning and Development

6. Switch to the Permissions tab.

44 Revision: 3/26/2014 McAfee Global Sales Learning and Development

What is the result?

45 Revision: 3/26/2014 McAfee Global Sales Learning and Development

What is the result? Why?

Getting Started with Role-‐Based Access Control