TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Preface  7
  About this guide  7
    Audience  7
    Conventions  7
  Find product documentation  8
5 Adding a Sensor  53
  Before you install Sensors  53
    Network topology considerations  53
    Safety measures  54
    Usage restrictions  54
    Unpack the Sensor  55
  Cable specifications  55
    Console port pin-outs  55
    Auxiliary port pin-outs  56
    Response port pin-outs  57
    How to monitor port pin-outs  57
  Configuration of a Sensor  58
    Configuration overview  58
    Establishment of a Sensor naming scheme  58
    Communication between the Sensor and the Manager  59
    Add a Sensor to the Manager  59
    Configure the Sensor  60
    Verification of successful configuration  62
    How to change Sensor values  63
    How to add a secondary Manager IP  63
    Remove a secondary Manager IP  64
Index  197
This guide provides the information you need to install your McAfee product.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who use the computer where the software is running and can access some or all of its
features.
Conventions
This guide uses these typographical conventions and icons.
Caution: Important advice to protect your computer system, software installation, network,
business, or data
Warning: Critical advice to prevent bodily harm when using a hardware product
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
McAfee Network Security Platform [formerly McAfee IntruShield®] is a combination of network appliances and
software built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks,
distributed denial of service (DDoS) attacks, malware download, and network misuse. Network Security
Platform provides comprehensive network intrusion detection and can block, or prevent, attacks in real time,
making it truly an intrusion prevention system (IPS).
This section describes the McAfee Network Security Manager (Manager) hardware and software requirements
and pre-installation tasks you should perform prior to installing the software.
In this section, unless explicitly stated, Central Manager and Manager are commonly referred to as "Manager."
Contents
Prerequisites
Recommended Manager specifications
Pre-installation recommendations
Download the Manager/Central Manager executable
Prerequisites
The following sections list the Manager installation and functionality requirements for your operating system,
database, and browser.
We strongly recommend that you also review Network Security Platform Release Notes.
If you are installing the Manager as part of an upgrade to the latest version of Network Security Platform, also
refer to Upgrading Network Security Platform.
General settings
• McAfee recommends you use a dedicated server, hardened for security, and placed on its own subnet. This
server should not be used for programs like instant messaging or other non-secure Internet functions.
• You must have Administrator (root) privileges on the Windows server to install the Manager software. The same
privileges are needed for the embedded MySQL database that the Manager installer sets up on Windows
Managers.
• It is essential that the Manager server's clock is synchronized with the current time. To keep it from drifting,
use a time server. If the time on the Manager server is changed, the Manager loses connectivity with all
McAfee® Network Security Sensors (Sensors) and with the McAfee® Network Security Update Server
[formerly IPS Update Server]: the SSL connections on these channels validate certificates against the server
clock, and a clock jump makes them appear expired or not yet valid.
• If Manager Disaster Recovery (MDR) is configured, keep the time difference between the Primary and
Secondary Managers under 60 seconds. If the spread between the two exceeds two minutes, communication
with the Sensors is lost.
For more information about setting up a time server on Windows Servers, see the following Microsoft
KnowledgeBase article: http://support.microsoft.com/kb/816042/.
Once you have set your server time and installed the Manager, do not change the time on the Manager
server for any reason. Changing the time may result in errors that could lead to loss of data.
Wireshark (formerly known as Ethereal) is recommended for packet log viewing. Wireshark is a network protocol
analyzer that lets you examine the packet data captured by your Sensors. For information on downloading and
using Wireshark, go to www.wireshark.com.
Server requirements
The following table lists the 8.3 Manager server requirements (minimum and recommended):
Memory: minimum 8 GB; recommended more than 16 GB
Reference server configuration:
CPU: Intel Xeon E5335 @ 2.00 GHz; 2 physical processors; 8 logical processors; processor speed 2.00 GHz
Physical memory: 16 GB
Internal disks: 1 TB
McAfee® Network Security Manager Watchdog runs as Local System so that it can restart the Manager after an
abrupt shutdown.
The Local Service account has fewer privileges for accessing directories and resources than Local System. By
default, the Manager installation directory and the database directory are granted full permission for the Local
Service account when the Manager is installed or upgraded. Directories outside those two are not, so grant Local
Service full permission on them yourself in the following cases:
• Backup directory location: the backup directory was outside the Manager installation directory before the
upgrade to the current release.
• Notification script execution: a script used for alert, fault, or similar notifications reads or writes directories
or resources outside the Manager installation directories.
• Database configuration: MySQL is configured to use a directory for temporary files other than the one set
during installation.
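The following PowerShell script is an added example, not part of the McAfee guide, showing how to grant and then verify the Local Service permissions described above. The three directory paths are assumptions standing in for your own backup directory, notification script directory, and MySQL temporary-file directory; run it from an elevated prompt on the Manager server.

```powershell
# Added example (not from the McAfee guide): grant Local Service full control on
# directories the Manager uses outside its install tree, then verify the ACLs.
# Run from an elevated PowerShell prompt on the Manager server.
$LocalService = 'NT AUTHORITY\LOCAL SERVICE'
$ExtraDirs = @(
    'D:\NSM\Backups',     # assumed non-default backup directory
    'D:\NSM\Scripts',     # assumed location of alert/fault notification scripts
    'D:\NSM\MySQLTmp'     # assumed MySQL tmpdir set after installation
)

# (OI)(CI)F = full control, inherited by all subfolders and files.
foreach ($dir in $ExtraDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Skipping $dir (does not exist)"
        continue
    }
    icacls $dir /grant "${LocalService}:(OI)(CI)F" | Out-Null
}

# Verify: each directory must carry an Allow ACE for Local Service that
# includes FullControl; report any that do not so the Manager is not started
# with a backup or script path it cannot write.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($dir in $ExtraDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $acl = Get-Acl -LiteralPath $dir
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $LocalService -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if ($ace) { "OK   $dir" } else { "FAIL $dir : Local Service lacks FullControl" }
}
```

The grant follows the guide (full permission). If your backup or script directory only needs to be written, not re-permissioned, Modify in place of F is the tighter choice; keep the verification step in either case so a missed directory shows up before the first scheduled backup fails.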
Client requirements
The following are the system requirements for client systems connecting to the Manager application (minimum
and recommended):
Operating system: Windows 7, Windows 8, Windows 8.1, or Windows 10, English or Japanese
RAM: minimum 2 GB; recommended 4 GB
CPU: minimum 1.5 GHz processor; recommended 1.5 GHz or faster
Browser (minimum): Internet Explorer 10, 11, or Microsoft Edge; Mozilla Firefox; Google Chrome (App mode in
Windows 8 is not supported)
Browser (recommended): Internet Explorer 11; Mozilla Firefox 20.0 or later; Google Chrome 24.0 or later
To avoid the certificate mismatch error and security warning, add the Manager web certificate to the browser's
trusted certificate list.
For the Manager client, in addition to Windows 7, Windows 8, and Windows 8.1, you can also use the operating
systems mentioned for the Manager server.
If the Manager page does not load, clear the browser cache and re-launch the browser.
The following are Central Manager and Manager client requirements when using Mac:
• El Capitan
• Set your display to 32-bit color. Right-click the Desktop, select Screen Resolution, go to Advanced
Settings | Monitor, and set Colors to True Color (32 bit).
• McAfee recommends setting your monitor's screen area to 1440 x 900 pixels. Right-click the Desktop,
select Screen Resolution, and set Resolution to 1440 x 900.
• Browsers should check for newer versions of stored pages. Internet Explorer, for example, does so by
default. To check this, open Internet Explorer and go to Tools | Internet Options | General. Click the Settings
button under Browsing History or Temporary Internet files, and under Check for newer versions of stored pages
select any of the four choices except Never. Selecting Never caches Manager interface pages that require
frequent updating, and not refreshing these pages can lead to system errors.
• If you are using Internet Explorer 8 or 9, go to Tools | Compatibility View Settings and make sure the Display
intranet sites in Compatibility View and Display all websites in Compatibility View checkboxes are not selected.
Navigate to C:\WINDOWS\system32\drivers\etc on your client system and edit the hosts file. For example, if
your host name is manager-host1, and its IP address is 102.54.94.97, your entry would appear as:
102.54.94.97 manager-host1
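The script below is an added example, not part of the McAfee guide, that prepares a Windows client for the two items above: the hosts entry, and trusting the Manager's HTTPS certificate without silently accepting whatever certificate happens to be presented. The host name and IP are taken from the guide's hosts-file example; the expected thumbprint is a placeholder that you must replace with the value read from the Manager's own certificate (from its certificate store, or supplied by the Manager administrator) over a channel other than this HTTPS connection.

```powershell
# Added example (not from the McAfee guide): prepare a Windows client to reach
# the Manager by name and trust its HTTPS certificate only after checking its
# thumbprint. Run from an elevated PowerShell prompt.
$ManagerHost = 'manager-host1'     # from the guide's hosts-file example
$ManagerIp   = '102.54.94.97'      # from the guide's hosts-file example
$ExpectedThumbprint = '0000000000000000000000000000000000000000'  # placeholder, replace

# 1. Name resolution: add the hosts entry once, only if it is not already there.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern = '^\s*' + [regex]::Escape($ManagerIp) + '\s+' + [regex]::Escape($ManagerHost) + '\s*$'
if (-not (Select-String -LiteralPath $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -LiteralPath $hostsFile -Value "$ManagerIp`t$ManagerHost"
}

# 2. Fetch the certificate the Manager presents on 443. The callback accepts
#    any certificate for this handshake only so that we can inspect it;
#    the real decision is made by the thumbprint comparison below.
$tcp = New-Object System.Net.Sockets.TcpClient($ManagerHost, 443)
$noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
$ssl.AuthenticateAsClient($ManagerHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# 3. Compare thumbprints before trusting anything. A mismatch means either the
#    Manager certificate was regenerated or something sits between you and it.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint. Not importing."
}
# The name you browse to must appear in the certificate, or the mismatch
# warning remains even after the import.
"Subject: $($cert.Subject)"
"Valid:   $($cert.NotBefore) to $($cert.NotAfter)"

# 4. Import into the current user's trusted roots (narrower than LocalMachine,
#    which would make every account on the client trust it).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
$store.Open('ReadWrite')
if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
    $store.Add($cert)
}
$store.Close()
"Imported $($cert.Thumbprint) into CurrentUser\Root"
```

The hosts entry and the certificate check belong together: a self-signed Manager certificate is issued to a particular name, so browsing to the IP address, or to a name that is not in the certificate, keeps producing the mismatch warning no matter which store the certificate is in.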
Internet Explorer settings when accessing the Manager from the server
McAfee recommends accessing the Central Manager and Manager from a client system. However, there might
be occasions when you need to manage from the server itself. To do so, you must make the following changes
to the server's Internet Explorer options.
Regardless of whether you use a client or the server, the following Internet Explorer settings must be enabled. On
Windows client operating systems these are typically enabled by default; on server operating systems they are
disabled by default.
1 In Internet Explorer, go to Tools | Internet Options | Security | Internet | Custom Level and enable the following:
• ActiveX controls and plug-ins: Run ActiveX controls and plug-ins.
• ActiveX controls and plug-ins: Script ActiveX controls marked safe for scripting.
These two settings apply to every site in the Internet zone, not only to the Manager. A narrower alternative is
to add the Manager's URL to the Trusted sites zone and enable the two settings for that zone only.
2 In Internet Explorer, go to Tools | Internet Options | Privacy and make sure the setting is below Medium High; for
example, do not set it to High or to Block all Cookies. If the setting is higher than Medium High, you receive an
Unable to configure Systems. Permission denied error and the Manager configuration will not function.
Database requirements
The Manager requires a MySQL database for the archiving and retrieval of data.
The Manager installation set includes a MySQL database for installation (that is, embedded on the target
Manager server). You must use the supported operating system listed under Server requirements and must use
the Network Security Platform-supplied version of MySQL (currently 5.6.30). The MySQL database must be a
dedicated one that is installed on the Manager.
If you have a MySQL database previously installed on the Manager server, uninstall the previous version and
install the Network Security Platform version.
See also
Server requirements on page 14
The larger your deployment, the more high-end your Manager server should be. Many McAfee® Network
Security Platform issues result from an under-powered Manager Server. For example, to manage 40 or more
McAfee® Network Security Sensors (Sensors), we recommend larger configurations than the minimum-required
specifications mentioned in Server requirements.
The Manager client is a Java web application, which provides a web-based user interface for centralized and
remote Sensor management. The Manager contains Java applets. Because Java applets take advantage of the
processor on the host from which they are being viewed, we also recommend that the client hosts used to
manage the Network Security Platform solution exceed the minimum-required specifications mentioned in
Client requirements.
You will experience better performance in your configuration and data-forensic tasks by connecting to the
Manager from a browser on the client machine. Performance may be slow if you connect to the Manager using a
browser on the server machine itself.
Database storage needs depend on two factors:
• Aggregate alert and packet log volume from all Sensors. More Sensors mean higher alert volume and more
storage. An alert is roughly 2048 bytes on average, and a packet log approximately 1300 bytes.
• Lifetime of alert and packet log data. Consider how long an alert is kept before it is archived or deleted.
Keeping data for a long period (for example, one year) requires additional storage to accommodate both old
and new data.
As a best practice, McAfee recommends archiving and deleting old alert data regularly, and attempting to keep
your active database size to about 60% of the disk space.
For more information, see Capacity Planning, McAfee Network Security Platform Manager Administration Guide.
Pre-installation recommendations
These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations
are a compilation of the information gathered from individual interviews with some of the most seasoned
McAfee Network Security Platform System Engineers at McAfee.
• The server, on which the Manager software will be installed, should be configured and ready to be placed
online.
• This server should be dedicated, hardened for security, and placed on its own subnet. This server should not
be used for programs like instant messaging or other non-secure Internet functions.
• Make sure your hardware requirements meet at least the minimum requirements.
• Ensure that the proper static IP address has been assigned to the Manager server. McAfee strongly recommends
a static IP for the Manager server rather than DHCP assignment.
• Ensure that all parties have agreed to the solution design, including the location and mode of all McAfee®
Network Security Sensor, the use of sub-interfaces or interface groups, and if and how the Manager will be
connected to the production network.
• Get the required license file and grant number. Note that you do not require a license file for using
Manager/Central Manager version 6.0.7.5 or above.
• Accumulate the required number of wires and (supported) GBICs, SFPs, or XFPs. Ensure these are approved
hardware from McAfee or a supported vendor. Ensure that the required number of Network Security
Platform dongles, which ship with the Sensors, are available.
• Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they are directly connected
to a firewall, router, or end node. Otherwise, standard patch cables are required for the Fast Ethernet ports.
• If applicable, identify the ports to be mirrored, and someone who has the knowledge and rights to mirror
them.
• Allocate the proper static IP addresses for the Sensor. For the Sensors, you cannot assign IPs using DHCP.
• Identify hosts that may cause false positives, for example, HTTP cache servers, DNS servers, mail relays,
SNMP managers, and vulnerability scanners.
See also
Server requirements on page 14
Functional requirements
The following functional requirements must be taken care of:
• Install Wireshark (formerly known as Ethereal, http://www.wireshark.com) on the client PCs. Wireshark is a
network protocol analyzer for Unix and Windows systems, used to analyze the packet logs created by
Sensors.
• Ensure the correct version of JRE is installed on the client system, as described in the earlier section. This can
save a lot of time during deployment.
• The Manager binds UDP port 4167 as its source port for IPv4 and UDP port 4166 for IPv6. If Sensors sit
behind a firewall, update the firewall rules so that ports 4167 and 4166 are open and the SNMP command
channel can function between those Sensors and the Manager. This applies to a local firewall running on
the Manager server as well.
• Decide how the Manager will keep correct time. To keep time from drifting, point the Manager server to an
NTP time server. (If the time is changed on the Manager server, the Manager loses connectivity with all
Sensors and with the McAfee® Network Security Update Server because the SSL channels validate
certificates against the server clock.)
• If Manager Disaster Recovery (MDR) is configured, keep the time difference between the Primary and
Secondary Managers under 60 seconds. (If the spread between the two exceeds two minutes, communication
with the Sensors is lost.)
• If you are upgrading from a previous version, we recommend that you follow the instructions in the
respective version's release notes or Upgrade path for the Central Manager and Manager on page 139.
• If a fresh installation of the Manager is needed on a machine where a Manager is already installed, ensure
that the existing Manager is uninstalled and the respective directories are removed prior to the fresh
installation.
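The following PowerShell script is an added example, not part of the McAfee guide, covering the time-synchronization and MDR clock-spread requirements (stated under General settings and again in the list above) and the host-firewall rules for the UDP 4167/4166 SNMP command channel. The NTP server name, the secondary MDR Manager's host name, the Sensor management subnets, and the firewall rule names are all assumptions to replace with your own; run it elevated on the Manager server before installing.

```powershell
# Added example (not from the McAfee guide): pre-installation checks on the
# Manager server for the two things that most often break Sensor communication,
# clock drift and blocked UDP ports. Run from an elevated prompt.
$NtpServer = 'ntp.example.internal'                # assumed NTP source
$MdrPeer   = 'nsm-secondary.example.internal'      # assumed MDR peer; set '' if MDR is not used
$SensorV4  = @('10.10.20.0/24')                    # assumed Sensor management subnet(s), IPv4
$SensorV6  = @('fd00:10:20::/64')                  # assumed Sensor management subnet(s), IPv6

# 1. Point the Windows Time service at the NTP server and resync now.
w32tm /config /manualpeerlist:"$NtpServer" /syncfromflags:manual /update | Out-Null
Restart-Service w32time
w32tm /resync /nowait | Out-Null
w32tm /query /status

# 2. MDR: the Primary/Secondary clock spread must stay under 60 seconds.
#    w32tm /stripchart prints the peer's offset per sample as ", +00.0017120s";
#    take the largest absolute value seen across the samples.
if ($MdrPeer) {
    $samples = w32tm /stripchart /computer:$MdrPeer /samples:3 /dataonly
    $offsets = @($samples | ForEach-Object {
        if ($_ -match ',\s*([+-]?\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
    })
    if ($offsets.Count -eq 0) {
        Write-Warning "Could not measure clock offset to $MdrPeer"
    } else {
        $worst = ($offsets | Measure-Object -Maximum).Maximum
        if ($worst -ge 60) { Write-Warning "MDR clock spread ${worst}s exceeds 60 s" }
        else               { "MDR clock spread OK (${worst}s)" }
    }
}

# 3. Host firewall: allow the SNMP command channel in from the Sensors only.
#    4167/udp is the IPv4 channel, 4166/udp the IPv6 channel.
$rules = @(
    @{ Name = 'NSM-SNMP-Channel-IPv4'; Port = 4167; Remote = $SensorV4 },
    @{ Name = 'NSM-SNMP-Channel-IPv6'; Port = 4166; Remote = $SensorV6 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction Inbound `
            -Protocol UDP -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow | Out-Null
    }
}

# 4. Verify the rules exist and are enabled; once the Manager is running, the
#    second query shows which process owns the sockets the rules open.
Get-NetFirewallRule -Name 'NSM-SNMP-Channel-*' |
    Select-Object Name, Enabled, Direction, Action | Format-Table -AutoSize
Get-NetUDPEndpoint -LocalPort 4166, 4167 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
```

Scoping the rules to the Sensor management subnets, rather than opening the two ports to any source, keeps the Manager's SNMP channel reachable only from the devices that are supposed to use it; the guide only asks that the ports be open, so widen RemoteAddress if your Sensors are not on a predictable range.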
• <Manager installation directory>\MySQL and its sub-folders. If these folders are not excluded from scanning,
the packet captures that Network Security Platform stores in the database can trigger the scanner and result
in the deletion of essential MySQL files.
If you install McAfee VirusScan 8.5.0i on the Manager after the installation of the Manager software, the MySQL
scanning exceptions will be created automatically, but the Network Security Platform exceptions will not.
VirusScan avoids blocking outbound SMTP connections from legitimate mail clients, such as Outlook and
Eudora, by including the processes used by these products in an exclusion list. In other words, VirusScan ships
with a list of processes it will allow to create outbound TCP port 25 connections; all other processes are denied
that access.
The Manager uses the JavaMail API to send SMTP notifications. If you enable SMTP notification and also run
VirusScan 8.0i or later, you must therefore add java.exe to the list of excluded processes. If you do not
explicitly create the exclusion in VirusScan, a Mailer Unreachable error appears in the Manager Operational
Status each time the Manager attempts to connect to its configured mail server.
Task
1 Launch the VirusScan Console.
2 Right-click the task called Access Protection and choose Properties from the right-click menu.
3 Highlight the rule called Prevent mass mailing worms from sending mail.
4 Click Edit.
In this section we suggest some easy but essential steps, to ensure that Network Security Platform
responsiveness is optimal:
• During Manager software installation, use the recommended values for memory and connection allocation.
• You will experience better performance in your configuration and data forensic tasks by connecting to the
Manager from a browser on a client machine. Performance may be slow if you connect to the Manager
using a browser on the server machine itself.
• Perform monthly or semi-monthly database purging and tuning. The greater the quantity of alert records
stored in the database, the longer it will take the user interface to parse through those records for display in
the Attack Log. The default Network Security Platform settings err on the side of caution and leave alerts
(and their packet logs) in the database until the user explicitly decides to remove them. However, most users
can safely remove alerts after 30 days.
It is imperative that you tune the MySQL database after each purge operation. Otherwise, the purge process
will fragment the database, which can lead to significant performance degradation.
• Defragment the disks on the Manager on a routine basis, with the exception of the MySQL directory. The
more often you run your defragmenter, the quicker the process will be. Consider defragmenting the disks at
least once a month.
Do NOT attempt to defragment the MySQL directory using the operating system's defrag utility. Any
fragmentation issues in the tables are rectified when you tune the database. For more information on
database tuning, see the Manager Administration Guide.
• Limit the number of alerts to view when opening the Attack Log. This will reduce the total quantity of
records the user interface must parse and therefore potentially result in a faster initial response on startup.
• When scheduling certain Manager actions (backups, file maintenance, archivals, database tuning), set a time
for each that is unique and is a minimum of an hour after/before other scheduled actions. Do not run
scheduled actions concurrently.
Task
1 Keep the following information handy before you begin the installation process. You must have received the
following from McAfee via email.
• Grant Number and Password – If you have not received your credentials, contact McAfee Technical
Support [http://mysupport.mcafee.com/]
3 Go to McAfee Update Server [https://menshen1.intruvert.com/] and log on, using the Grant Number and
Password.
4 Go to Manager Software Updates | <required version number> folder and select the required Manager software
version.
Close any open browsers and restart your server after installation is complete. Open browsers may
be caching old class files and cause conflicts.
IIS (Internet Information Server) and PWS (Personal Web Server) must be disabled or uninstalled
from the target server.
This section contains installation instructions for the Central Manager and Manager software on your Windows
server, including the installation of a MySQL database.
In this section, unless explicitly stated, Central Manager and Manager are commonly referred to as "Manager."
Task
1 Prepare your target server for Manager software installation. See Preparing for the Manager installation.
3 Start the Manager program. For the initial client login from the Manager server or a client machine, the
required Java Runtime Environment (JRE) must be present for the program to function properly. See Starting
the Manager/Central Manager.
Tasks
• Install the Manager on page 23
See also
Starting the Manager/Central Manager on page 3
Contents
Install the Manager
Installing the Central Manager
Log files related to Manager installation and upgrade
Notes:
• Ensure that the prerequisites have been met and your target server has been prepared before commencing
installation.
• You can exit the setup program by clicking Cancel in the setup wizard. Upon cancellation, all temporary setup
files are removed, restoring your server to its same state prior to installation.
• After you complete a step, click Next; click Previous to go one step back in the installation process.
• The Installation Wizard creates the default folders based on the Manager Type you are installing. For
example, for a first-time installation of Network Security Manager, the default location is C:\Program
Files\McAfee\Network Security Manager\App. For Network Security Central Manager, it is C:
\Program Files\McAfee\Network Security Central Manager\App. Similarly, the Wizard creates
default folders for the MySQL database as well. For the sake of explanation, this section mentions only the
folder paths for Network Security Manager unless it is necessary to mention the path for Network Security
Central Manager.
• Before you begin to install, make sure the Windows Regional and Language Options are configured
accordingly. For example, if you are installing it on Windows Server 2008 R2 Standard or Enterprise Edition,
Japanese Operating System, SP1 (64 bit) (Full Installation), ensure that the Windows Regional and Language
Options are configured for Japanese.
• When you install the Manager for the first time, it is automatically integrated with McAfee Global Threat
Intelligence to send your alert, general setup, and feature usage data to McAfee for optimized protection. If
you do not wish to send these data, then disable the integration with Global Threat Intelligence. However,
note that to be able to query McAfee GTI IP Reputation for information on the source or target host of an
attack, you need to send at least your alert data summary to McAfee. For details, see McAfee Network
Security Platform Integration Guide.
• If you plan to create a new installation of the Manager in a system that currently has the Manager installed,
follow these steps:
1 Uninstall the Manager.
4 Once the folders are removed restart the system then continue with the Manager installation.
Task
1 Log on to your Windows server as Administrator and close all open programs.
2 Run the Manager executable file that you downloaded from the McAfee Update Server.
The Installation Wizard starts with an introduction screen. See also the Manager/Central Manager
executable.
3 Confirm your acknowledgement of the License Agreement by selecting I accept the terms of the License Agreement.
4 From the Manager Type drop-down list, select Network Security Manager or Network Security Central Manager.
For an upgrade, Network Security Manager or Network Security Central Manager is displayed accordingly,
which you cannot change.
Once installed, the Network Security Central Manager cannot be converted to Network Security Manager or
vice versa.
Installing the Manager software on a network-mapped drive may result in improper installation.
The Manager software cannot be installed to a directory path containing special characters such as a
comma (,), equal sign (=), or pound sign (#).
• On the Desktop
You can include or remove multiple options by selecting the relevant checkboxes.
• Database Name: Type a name for your database. It is recommended you keep the default entry of lf intact.
The MySQL database name can be a combination of alphabets [both uppercase (A-Z) and lowercase
(a-z)], numbers [0-9] and/or, special characters like dollar and underscore [$ _].
• Database User: Type a user name for database-Manager communication; this account name is used by the
Manager. This account enables communication between the database and the Manager. When typing a
user name, observe the following rules:
- The MySQL database user name can be a combination of alphabets [both uppercase (A-Z) and
lowercase (a-z)], numbers [0-9] and/or, special characters like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".
• Database Password: Type a password for the database-Manager communication account. This password
relates to the Database User account.
- The MySQL database password can be a combination of alphabets [both uppercase (A-Z) and lowercase
(a-z)], numbers [0-9] and/or, special characters like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".
This password is not the root password for database management; you will set the root password in a
subsequent step.
• MySQL Installation Directory: Type or browse to the absolute location of your selected Manager database.
For a first-time installation, the default location is: C:\Program Files\McAfee\Network Security
Manager\MySQL. For upgrades, the default location is the previous installation directory. You can type or
browse to a location different from the default. However, the database must be on the same server as
the Manager.
9 Click Next.
If you are creating a new database, a message appears asking you to confirm that you really want to create a
new database. Click Continue to continue with the installation.
10 Type the root password for your database. If this is the initial installation, type a root password and then
type it again to confirm.
The MySQL Root Password is required for root access configuration privileges for your MySQL database. Use a
combination of alphabets [both uppercase (A-Z) and lowercase (a-z)], numbers [0-9] and/or, special
characters like "~ ` ! @ # $ % - * _ + [ ] : ; , ( ) ? { }".
Do not use null or empty characters.
For security reasons, set a MySQL Root Password that is different from the Database Password you set in the
previous step, so that the account the Manager uses day to day is not the one with full administrative rights.
11 Choose the folder in which you want to install the Solr database.
The Manager uses Apache Solr for quick retrieval of data. Solr is an open-source search platform from the
Apache Lucene project. The Manager makes use of Solr to retrieve data to be displayed in the Manager
Dashboard and Analysis tabs.
For a first‑time installation, the default location is C:\Program Files\McAfee\Network Security
Manager\Solr.
• Restore Default Folder: Resets the installation folder to the default location.
Solr is used by the Manager to enhance database access. This helps in faster data refresh in the Manager
dashboard and monitors.
Verify that you have at least 20 GB of free space before you install Solr.
The Solr installation directory screen will not be displayed during the Network Security Central Manager
installation.
12 Click Next.
The 8.3 Manager installation is supported only on 64-bit OS. If you try installing in a 32-bit OS a warning
message will be displayed. Click Ok on the warning message to exit the Manager installation wizard.
The Recommended Maximum RAM Usage is the physical server memory divided by 2, or 1170 MB, whichever is greater.
The Actual Maximum RAM Usage can be between 768 MB and three-fourths of the physical server memory.
• Actual Maximum DB connections: Enter the maximum number of concurrent database connections allowed
from the Manager. The default is 40. The recommended number indicated above is based on the Number
of Sensors.
14 If the Manager server has multiple IPv4 or IPv6 addresses, you can specify a dedicated address that it should
use to communicate with the Network Security Platform devices.
To specify an IP address, select Use IPV4 Interface? or Use IPV6 Interface? and then select the address from the
corresponding drop-down list.
In the Wizard, the option to specify a dedicated interface is displayed only if the Manager has more than one
IPv4 or IPv6 address.
• When configuring the Sensors, you need to configure the same IP that you selected here as the IP
address used to communicate with the Network Security Platform devices.
• If the Manager has an IPv6 address, then you can add Sensors with IPv6 addresses to it.
• If an IP address is not displayed in the drop-down list or if a deleted IP address is displayed, then cancel
the installation, restart the server, and re-install the Manager.
• Post-installation, if you want to change the dedicated IP address that you already specified, you need to
re-install the Manager.
15 In the Manager Installation wizard, review the Pre-Installation Summary section for accurate folder locations and disk
space requirements. This page lists the following information:
• Product Name: Shows product as Manager (for both Manager and Central Manager).
• Database: The type of database being used by Network Security Platform, which is MySQL.
• Database Installation location: The location on your hard drive where the database is to be located, which you
specified in Step 7.
• Dedicated Interface: The IPv4 and IPv6 addresses that you specified for Manager-to-Sensor communication
are displayed.
16 Click Install.
The Manager software and the MySQL database are installed to your target server. In case of an upgrade,
database information is synchronized during this process.
Post-installation, you can check the initdb.log (from <Manager install directory>\App) for any installation
errors. In case of errors, contact McAfee Support with initdb.log.
• Default username
18 Click Done.
If the installation wizard prompts for a restart, it is recommended to restart the system before logging onto
the Manager.
The restart option might be displayed if there are any pending OS flags reset required by the installer, for
proper removal/updates of temporary files used during installation.
19 Use the shortcut icon that you created to begin using the Manager.
The Manager program opens by default in HTTPS mode for secure communication.
All the Manager services will be started after clicking the Done button at the end of installation.
20 Type a valid login ID (default: admin) and password (default: admin123) for Network Security Manager and
login ID (default: nscmadmin) and password (default: admin123) for Network Security Central Manager.
Upon initial client logon, you are required to install Java applications. See Java installation for client systems.
21 You can use the Manager Initialization Wizard to complete the basic configuration steps.
See also
Prerequisites on page 13
Download the Manager/Central Manager executable on page 22
During installation, you need to select the Manager type as Network Security Central Manager. By default, Network
Security Manager is selected.
There can be only one active installation on a Windows machine. Every Central Manager and Manager
installation has its own MySQL database. No centralized database exists in a Central Manager setup.
The Central Manager must be of the same or a later version than the corresponding Managers.
See also
Install the Manager on page 23
• mgrVersion.properties: Every fresh installation or upgrade of the Central Manager or Manager is logged to
this file. Each entry contains the version of the Central Manager or Manager that you installed or upgraded
to. It also contains the date and time of when you performed this action. This can help you troubleshoot
issues. For example, you can go through this log to correlate an issue with a specific Manager upgrade. This
file is stored at <Central Manager or Manager install directory>\App\config.
• dbconsistency.log: When you upgrade the Central Manager or Manager, the installed database schema is
compared against the actual schema of the version you are upgrading to. This comparison is to check for
any inconsistencies. The details of this comparison are logged to this file as error, warning, and
informational messages. This file is stored at <Central Manager or Manager install directory>
\App. You can verify this log to check if any database inconsistency is the cause of an issue. This file is
updated whenever you upgrade the Central Manager or Manager.
This section assumes you have permissions granting you access to the software. In Network Security Platform,
this translates to a Super User role at the root admin domain. Your actual view of the interface may differ,
depending on the role you have been assigned within Network Security Platform. For example, certain tasks
may be unavailable to you if your role denies you access. If you find you are unable to access a screen or
perform a particular task, consult your Network Security Platform Super User.
For testing purposes, you can access the Manager from the server. For working with the Manager/Central
Manager, McAfee recommends that you access the server from a client machine. Running the Manager/Central
Manager interface client session on the server can result in slower performance due to program dependencies,
such as Java, which may consume a lot of memory.
Task
1 Make sure the following services are running on the Manager server:
• McAfee Network Security Manager
• McAfee Network Security Manager Watchdog. The default Windows Startup Type for this service is manual.
So, you might have to manually start this service.
• McAfee Network Security Central Manager Watchdog. The default Windows Startup Type for this service is
Start the services using one of these methods to start the Manager, Database, and Watchdog services:
• Select Start | Settings | Control Panel. Double-click Administrative Tools, and then double-click Services. Locate
the services starting with McAfee Network Security Manager.
• Right-click on the Manager icon at the bottom-right corner of your server and start the required service.
The database service is not available with this option.
• Client machine -
Start your browser (Internet Explorer 8.0, 9.0, or 10, or Firefox 7.0) and then type the URL of the Manager
server:
https://<hostname or host-IP>
If a pop-up blocker is enabled in the browser, you cannot type your login credentials: the login ID and
password text boxes are disabled and remain disabled until you disable the pop-up blocker and refresh the
browser. In that case, disable the pop-up blocker in your browser and then access the Manager using your
login ID and password.
The Manager software requires Java runtime engine software for some of its components. When you first
log onto the Manager from a client system, you are prompted to download and install the appropriate
version of the JRE software.
You must download and install these programs for proper functioning of the Manager program. See Java
runtime engine requirements.
Tasks
• Shut down the Manager/Central Manager services on page 48
Contents
Authentication of access to the Manager using CAC/PIV
Shut down the Manager/Central Manager services
Authentication to the Network Security Manager using CAC/PIV requires a smart card reader connected to the
Manager client workstation. The administrator inserts the CAC/PIV into the smart card reader and opens the
Manager UI through the web browser. The Manager sends an SSL certificate to the client and requests the
user’s certificate from the browser. The browser validates if the Manager's certificate is signed by a trusted
Certificate Authority. The browser then selects the user’s certificate by prompting the user if required. The
browser retrieves the selected certificate from the smart card which triggers the CAC/PIV interface software
(called middleware) to request the user PIN associated with the smart card. The user must correctly enter the
PIN to unlock the smart card.
The Manager extracts the common name from the user’s certificate and checks for a matching administrator
account in the Manager with that common name. If the match is successful, a secure session is established and
the user is logged into the Manager.
To validate the user’s certificate, the trust chain is validated by two CA certificates. The first validation is that the
client's certificate is signed by the intermediary CA. Then the intermediary CA certificate is validated by verifying
if it was signed by the root CA which is trusted. The root CA is a self-signed CA that is used to sign the
intermediary CA certificates.
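The common-name match described above, as an added example that is not part of the guide or the Manager's code. It parses the subject DN of the user's certificate, takes the CN, and applies the exact, case-sensitive comparison the troubleshooting tips later describe; the DN, the account names and the diagnosis strings are constructed for this example.

```python
"""Common Name (CN) matching for CAC/PIV logon, as the guide describes it.

Added example, not McAfee code. The Manager takes the CN from the user's
certificate and looks for an administrator account with exactly that
name. Here the certificate subject is given in RFC 4514 string form; the
DN, the account names and the diagnosis strings are all constructed for
this example (the diagnoses follow the troubleshooting tips in the guide).
"""
import re
from typing import List, Optional, Set, Tuple

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute type, value) pairs.

    Unescaped commas separate RDNs. Backslash escapes (an escaped comma,
    equals sign or backslash, or a two-digit hex escape) are decoded; hex
    escapes are decoded as single bytes, which covers ASCII values.
    Multi-valued RDNs ('+') are not split, as a CAC subject does not use them.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if HEX_PAIR.fullmatch(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Attribute types compare case-insensitively; the value is kept
        # exactly, so a stray space inside a CN survives and fails the match.
        pairs.append((attr.strip().upper(), value))
    return pairs


def common_name(subject_dn: str) -> str:
    """Return the single CN of the subject; a CAC certificate carries one."""
    cns = [value for attr, value in parse_dn(subject_dn) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    return cns[0]


def cac_logon(subject_dn: str, accounts: Set[str]) -> Tuple[Optional[str], str]:
    """Exact, case-sensitive match of the CN against the Manager account names.

    Returns (matched account or None, diagnosis). The near-miss checks only
    explain a failed logon; they never grant access.
    """
    cn = common_name(subject_dn)
    if cn in accounts:
        return cn, "match"
    for account in accounts:
        if "".join(account.split()) == "".join(cn.split()):
            return None, "no match: account differs only in whitespace"
        if account.lower() == cn.lower():
            return None, "no match: account differs only in case"
    return None, "no match: no account with this common name"


# Constructed sample values, not taken from any real card or Manager.
SUBJECT_DN = "CN=BROWN.JOHN.MR.0123456789,OU=Example Unit,O=Example Org,C=US"
ACCOUNTS = {"admin", "BROWN.JOHN.MR.0123456789"}

if __name__ == "__main__":
    print(cac_logon(SUBJECT_DN, ACCOUNTS))
    # A stray space in a mistyped account name is enough to fail the match.
    print(cac_logon(SUBJECT_DN, {"admin", "BROWN.JOHN.MR .0123456789"}))
```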
At a high level, authenticating user access to the Manager through CAC/PIV is a 4-step process:
• Import CA certificates
• Set up user accounts using the Common Name (CN) from the CAC/PIV
Import CA certificates
Obtain the intermediate and root certificates in the certificate chain of your CAC cards. To obtain the CAC
certificates, perform the following steps:
Task
1 Plug the CAC card reader into the Windows client machine that is used to access the Manager. The drivers
for the smart card reader are detected and installed automatically. If the drivers are not installed
automatically, you have to install the drivers for the smart card reader manually.
To troubleshoot problems with CAC card reader installation, see Installing and updating the CAC reader
driver/Firmware update/Check services to make sure Smart Card is running.
2 Once the CAC card reader is active, plug in the CAC card.
3 In the Internet Explorer browser, navigate to Internet Options | Content | Certificates | Personal.
The certificates of the card are available in the Personal tab. There are three certificates corresponding to the
card's user, two for email and one for ID.
6 Select the intermediate certificate which is the issuer of the leaf and click View Certificate to view the
intermediate certificate.
7 Go to the Details tab in the Certificate window and click Copy to File. This allows you to export the certificate.
Choose any of the .CER formats and save it to a file. McAfee recommends selecting the Base-64 encoded
option because it is compatible with the Manager. Create a new folder for the certificates named "Saved
intermediate and root certificates".
8 Repeat the process for the root certificate and save that to a file as well.
The smart card reader can be connected to a Manager server, if the server doubles up as a Manager client.
a Refer to the card reader manufacturer's recommendations for the device drivers to be installed.
b Install the ActivIdentity and ActivClient CAC software on the Manager client.
This software is provided with the card reader device and helps validate the digital certificate and user
information stored in the card.
McAfee currently supports integration with smart card reader model SCR3310 from TxSystems.
3 Open the CAC Client software | Smart Card Info | User Name.
The user name is a combination of alphanumeric characters and a few special characters like "." or spaces.
For example, "BROWN.JOHN.MR.0123456789"
4 Log onto the Manager and create a user with the exact same name, that is, "BROWN.JOHN.MR.0123456789".
CAC Authentication can be enabled only through the MySQL command line.
Task
1 Log onto the MySQL command line and enter:
update iv_emsproperties set value='TRUE' where
name='iv.access.control.authentication.requireClientCertificateBasedAuthentication'
b Locate the comment Following connector open port 443 for CAC, uncomment it for using CAC, and then
comment and uncomment the connector blocks so that the CAC connector is the active one.
<Connector port="443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keystoreFile="conf/my-server.keystore"
keystorePass="changeit"
keystoreType="jks"
compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
address="${jboss.tomcat.bind.address}"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
clientAuth="false"
server=" "
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxPostSize="10485760" />
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
clientAuth="want" sslProtocol="TLS"
server=" "
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxPostSize="10485760"/>
f To import the certificate into the ca.keystore file, you can install a free application such as KeyStore
Explorer.
g Open the application and enter the password for the certificate.
The password for the keystore is snowcap.
h From the saved intermediate and root certificates folder, drag and drop the certificates that should be
added to the ca.keystore file.
The Certificate Details for File <certificate name> window opens.
Troubleshooting tips
• If the card is not inserted in the card reader, the Manager will not be accessible in this setup.
• When authenticating users through CAC, you do not have to enter your Manager user name and password
while logging on.
• If you are unable to view the Manager Login page after CAC authentication has been enabled, it means that
the CAC certificate was NOT signed by a trusted CA listed in the ca.keystore. To remedy the problem, import
the relevant CA into the ca.keystore trusted CA list.
• If you have imported the relevant CA into the ca.keystore trusted CA list and you are still unable to view the
Manager Login page, check whether a firewall is blocking your access to destination port 443 on the
Manager server.
• If you are able to view the Manager Login page but are unable to log onto the Manager, it means that the
user name on the CAC card does not match the user name in the Manager database. To remedy the
problem, verify that the user name on the CAC card exactly matches the Manager user name.
A proper shutdown of the Manager services requires the following steps be performed:
Task
1 Close all client connections. See Closing all client connections.
Tasks
• Shut down the Central Manager on page 49
• Close all the client connections on page 49
• Shut down using the Network Security Platform system tray icon on page 50
• Shut down using the Control Panel on page 51
See also
Close all the client connections on page 49
In a crash situation, the Manager/Central Manager will attempt to forcibly shut down all its services.
Task
1 Log onto the Manager/Central Manager server through a browser session.
2 In the Dashboard, check the Manager Summary to see the currently logged on users.
3 Ask the users to close all Manager windows such as the Manager Home page and log out of all open
browser sessions.
Shut down using the Network Security Platform system tray icon
Task
1 Right-click the Manager/Central Manager icon in your System Tray. The icon displays as an "M" enclosed
within a shield.
2 Select Stop Manager or Stop Central Manager. Once this service is completely stopped, continue to the next step.
5 Open Services.
6 Find and select McAfee® Network Security Manager Database or McAfee® Network Security Central Manager
Database in the services list under the "Name" column.
7 Click the Stop Service button. Once this service is completely stopped, continue to the next step.
3 Open Services.
4 Select Network Security Manager Service or Network Security Central Manager Service in the services list under the Name
column.
6 Find and select McAfee Network Security Manager Database or McAfee Network Security Central Manager Database in the
services list under the "Name" column.
7 Click the Stop Service button. Once this service is completely stopped, continue to the next step.
After installing the Manager software and a successful logon session, the next step is to add one or more
Sensors to the Manager. For more information on configuring a Sensor, see McAfee Network Security Platform CLI
Reference Guide and McAfee Network Security Platform IPS Administration Guide.
For information on adding and deploying a Virtual IPS Sensor, see Virtual IPS Sensor deployment, Network Security
Platform IPS Administration Guide.
Contents
Before you install Sensors
Cable specifications
Configuration of a Sensor
Topics include system requirements, site planning, safety considerations for handling the Sensor, and usage
restrictions that apply to all Sensor models.
Sensor specifications, such as physical dimensions, power requirements, and so on are described in each
Sensor model's Product Guide.
Deployment of McAfee® Network Security Platform [formerly McAfee® IntruShield] requires basic knowledge of
your network to help determine the level of configuration and the number of Sensors and McAfee
Network Security Manager (Manager) installations required to protect your system.
The Sensor is purpose-built for the monitoring of traffic across one or more network segments.
Safety measures
Please read the following warnings before you install the product. Failure to observe these safety warnings
could result in serious physical injury.
Read the installation instructions before you connect the system to its power source.
To remove all power from the Sensor, unplug all power cords, including the redundant power cord.
Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
The Sensor has no ON/OFF switch. Plug the Sensor into a power supply ONLY after you have completed rack
installation.
Before working on equipment that is connected to power lines, remove jewelry (including rings, necklaces, and
watches). Metal objects will heat up when connected to power and ground and can cause serious burns or weld
the metal object to the terminals.
This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal
use.
Do not remove the outer shell of the Sensor. Doing so will invalidate your warranty.
Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place. Blank faceplates
and cover panels prevent exposure to hazardous voltages and currents inside the chassis, contain
electromagnetic interference (EMI) that might disrupt other equipment, and direct the flow of cooling air through
the chassis.
To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV)
circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use
RJ-45 connectors. Use caution when connecting cables.
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part
15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference
when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate
radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause
harmful interference in which case the user will be required to correct the interference at his own expense.
Fiber-optic ports
• Fiber-optic ports (for example, FDDI, OC-3, OC-12, OC-48, ATM, GBIC, and 100BaseFX) are considered Class 1
laser or Class 1 LED ports.
• These products have been tested and found to comply with Class 1 limits of IEC 60825-1, IEC 60825-2, EN
60825-1, EN 60825-2, and 21CFR1040.
To avoid exposure to radiation, do not stare into the aperture of a fiber-optic port. Invisible radiation might be
emitted from the aperture of the port when no fiber cable is connected.
Usage restrictions
The following restrictions apply to the use and operation of a Sensor:
• You may not remove the outer shell of the Sensor. Doing so will invalidate your warranty.
• McAfee prohibits the use of the Sensor appliance for anything other than operating the Network Security
Platform.
• McAfee prohibits the modification or installation of any hardware or software in the Sensor appliance that is
not part of the normal operation of the Network Security Platform.
Task
1 Place the Sensor box as close to the installation site as possible.
5 Verify you have received all parts. These parts are listed on the packing list and in Contents of the Sensor
box, below.
8 Save the box and packing materials for later use in case you need to move or ship the Sensor.
See also
Contents of the Sensor box on page 55
• One Sensor
• One power cord. McAfee provides a standard, 2 m NEMA 5-15P (US) power cable (3 wire). International
customers must procure a country-appropriate power cable with the appropriate voltage and amperage ratings.
• Release notes.
Cable specifications
This section lists the specifications for all cables to use with McAfee Network Security Sensor (Sensor).
The Console port is pinned as a DCE so that it can be connected to a PC's COM1 port with a straight-through
cable.
Category 5 Enhanced (Cat 5e) cable is required for transmission speeds up to 1 Gigabit per second (Gigabit
Ethernet). For Ethernet networks running at 10 or 100 Mbps, Category 5 (Cat 5) OR Cat 5e cable can be used.
Throughout this guide, cabling specifications will be mentioned as Cat 5/Cat 5e.
See also
Gigabit Ethernet (GE) ports on page 57
Fast Ethernet (FE) 10/100/1000 ports on page 57
Configuration of a Sensor
This section describes how to configure a McAfee Network Security Sensor (Sensor). This information is generic
to all Sensor appliance models.
The information presented in this chapter was developed based on devices in a specific lab environment. All
Sensors used in this document started with a cleared (default) configuration. If you are working in a live network,
please ensure that you understand the potential impact of any command before using it. For more information
on the available Sensor CLI commands, see the McAfee Network Security Platform CLI Guide.
Configuration overview
At a high level, the process of configuring the Sensor involves the following steps. Detailed instructions follow in
subsequent sections of this chapter.
Task
1 (Pre-installation) Establish a Sensor naming scheme for your Sensors.
2 Install and bring up the Sensor. (This information is described in detail in the Product Guide for each Sensor
model.)
3 Add the Sensor to Manager using the McAfee Network Security Manager (Manager) Configuration page.
4 Configure the Sensor with a unique name and shared key value.
5 Configure the Sensor's network information (for example, IP address and netmask, Sensor name, and so
on).
6 Verify that the Sensor is on the network. (See Configuring the Sensor)
7 Verify connectivity between the Manager and the Sensor. (See Verifying successful configuration)
See also
Establishment of a Sensor naming scheme on page 58
Add a Sensor to the Manager on page 59
Configure the Sensor on page 60
Verification of successful configuration on page 62
Sensors are represented by name in several areas of McAfee® Network Security Platform and its alert data: the
Manager Configuration page, alert and configuration reports, and the Attack Log. Thus, it is a good idea to make
your Sensor naming scheme clear enough to interpret by anyone who might need to work with the system or
its data.
For example, if you were deploying Sensors at a university, you might name your Sensors according to their
location on the campus: Sensor1_WeanHall, Sensor2_WeanHall, Sensor1_StudentUnion, Sensor1_Library, and so on.
The Sensor name is a case-sensitive alphanumeric character string up to 25 characters. The string can include
hyphens, underscores, and periods, and must begin with a letter.
All communication between the Manager and Sensor is secure. Refer to KnowledgeBase article KB55587 for
details.
Adding a physically installed and network-connected Sensor to the Manager activates communication between
them.
The process of installing and connecting a Sensor is described in the McAfee Network Security Platform Product
Guide for each Sensor model.
Task
1 Start the Manager software.
3 In the System page, select the Domain to which you want to add the Sensor and then select Global | Add and
Remove Devices | New.
The Add New Device form appears.
The exact same Sensor Name and Shared Secret must also be entered into the CLI of the Sensor during physical
installation. If not, the Manager will not recognize a Sensor trying to communicate with the Manager.
The first time you configure a Sensor, you must have physical access to the Sensor.
If you are moving a Sensor to a new environment and want to wipe the Sensor back to its factory default
settings, start by typing factorydefaults from the CLI. See the McAfee Network Security Platform CLI Guide for
specific details on the usage of the command.
Task
1 Open a hyperterminal session to configure the Sensor. (For instructions on connecting to the Console port,
see the section Cabling the Console Port, in the McAfee Network Security Platform Product Guide for your
Sensor model.)
2 At the login prompt, log on to the Sensor using the default username admin and password admin123.
McAfee strongly recommends that you change the default password later for security purposes as
described in Step 9.
By default, you are prompted to run the configuration setup immediately after login. Alternatively, you can
start the setup later from the command prompt using the setup command. For more information, see the McAfee
Network Security Platform CLI Guide.
4 Set the IP address and subnet mask of the Sensor. At the prompt, type:
set sensor ip <A.B.C.D> <E.F.G.H>
Specify a 32-bit address written as four eight-bit numbers separated by periods, as in <A.B.C.D>,
where:
• A, B, C, or D is an eight-bit number between 0 and 255.
For example,
where:
• <A:B:C:D:E:F:G:H> is a 64-bit address written as eight groups of four hexadecimal digits separated by
colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF. This is followed
by a prefix length I with a value between 0 and 128. For example, set sensor
ipv6 2001:0db8:8a2e:0000:0000:0000:0000:0111/64
If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::). For
example, set sensor ipv6 2001:0db8:8a2e::0111/64
Setting the IP address for the first time—that is, during the initial configuration of the Sensor—does not
require a Sensor reboot. Subsequent changes to the IP address will, however, require that you reboot the
Sensor for the change to take effect. If a reboot is necessary, the CLI will prompt you to do so. For information
on rebooting, see Conditions requiring a Sensor reboot, McAfee Network Security Platform Troubleshooting
Guide.
5 If the Sensor is not on the same network as the Manager, set the address of the default gateway.
Note that the gateway must be reachable, that is, you should be able to ping it. At the prompt,
type: set sensor gateway <A.B.C.D>
Use the same convention as the one for the Sensor IP address. For example, set sensor gateway
192.34.2.8
Or, specify an IPv6 address of the gateway for the Manager server as shown below:
set sensor gateway-ipv6 <A:B:C:D:E:F:G:H>
where:
• <A:B:C:D:E:F:G:H> is a 128-bit address written as eight groups of four hexadecimal digits separated by
colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF. For example,
set sensor gateway-ipv6 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::).
For example, set sensor gateway-ipv6 2001:0db8:8a2e::0111
The following are the default set of values for the management port:
IP Address : 192.168.100.100
Netmask : 255.255.255.0
Gateway : 0.0.0.0
This gives you the additional option of configuring the Sensor through the management port, in addition to
the console port.
where:
• <A:B:C:D:E:F:G:H> is a 128-bit address written as eight groups of four hexadecimal digits separated by
colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF.
For example: set manager ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::). For
example: set manager ip 2001:0db8:8a2e::0111
7 Ping the Manager from the Sensor to determine if your configuration settings to this point have successfully
established the Sensor on the network. At the prompt, type: ping <manager IP address>
The success message "host <ip address> is alive" appears. If not, type show to verify your configuration
information and check to ensure that all information is correct. If you run into any difficulties, see McAfee
Network Security Platform Troubleshooting Guide.
8 Set the shared key value for the Sensor. This value is used to establish a trust relationship between the Sensor
and the Manager.
At the prompt, type:
set sensor sharedsecretkey
The Sensor then prompts you to enter a shared secret key value. Type the shared secret key value at the
prompt. The Sensor then prompts you to verify the value. Type the value again.
The shared secret key value must be between 8 and 25 characters of ASCII text. The shared secret key value is
case-sensitive. For example, IPSkey123
9 (Optional, but recommended) Change the Sensor password. At the prompt, type:
passwd
The Sensor prompts you to enter the new password and prompts you for the old password.
A password must be between 8 and 25 characters, is case-sensitive, and can consist of any alphanumeric
character or symbol.
McAfee strongly recommends that you choose a password with a combination of characters that is easy for
you to remember but difficult for someone else to guess.
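As an added example that is not part of the guide or the Sensor CLI, the following Python checks a planned set of values against the format rules given above for the Sensor name (Establishment of a Sensor naming scheme), set sensor ip, set sensor ipv6, set sensor gateway, set manager ip and set sensor sharedsecretkey (steps 4 to 8), so a deployment sheet can be verified before the console session. The contiguous-netmask rule and the reading of "ASCII text" as printable ASCII are this example's assumptions and are marked in the code.

```python
# Checks for the values typed during initial Sensor configuration.
# Added example, not McAfee code or the Sensor CLI: it encodes the format
# rules the guide gives for the Sensor name, set sensor ip / ipv6 / gateway,
# set manager ip and set sensor sharedsecretkey. Anything beyond what the
# guide states is marked as an assumption.
import ipaddress
import re
from typing import List, Optional, Tuple

# Sensor name: case-sensitive alphanumeric string of up to 25 characters,
# may contain hyphens, underscores and periods, must begin with a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,24}")
NUMBER_RE = re.compile(r"[0-9]{1,3}")


def valid_sensor_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def valid_ipv4(text: str) -> bool:
    """Four eight-bit decimal numbers (0-255) separated by periods."""
    parts = text.split(".")
    return len(parts) == 4 and all(
        NUMBER_RE.fullmatch(p) is not None and int(p) <= 255 for p in parts)


def valid_netmask(text: str) -> bool:
    """Dotted-quad mask in the same form as the address. Assumption (the
    guide does not say so): the mask must be contiguous, e.g. 255.255.255.0."""
    if not valid_ipv4(text):
        return False
    try:
        net = ipaddress.IPv4Network(f"0.0.0.0/{text}")
    except ValueError:          # non-contiguous mask such as 255.0.255.0
        return False
    return net.netmask == ipaddress.IPv4Address(text)   # rejects host masks


def valid_ipv6(text: str) -> bool:
    """Eight groups of four hex digits separated by colons; one run of zero
    groups may be '::'. IPv4 tails and zone ids are outside the guide's form."""
    if "." in text or "%" in text:
        return False
    try:
        ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return True


def parse_sensor_ipv6(arg: str) -> Optional[Tuple[str, int]]:
    """'<A:B:C:D:E:F:G:H>/<I>' with prefix length I from 0 to 128. Returns
    the address written out in full plus the prefix, or None if malformed."""
    addr, sep, prefix = arg.partition("/")
    if not sep or NUMBER_RE.fullmatch(prefix) is None or int(prefix) > 128:
        return None
    if not valid_ipv6(addr):
        return None
    return ipaddress.IPv6Address(addr).exploded, int(prefix)


def valid_shared_secret(key: str) -> bool:
    """8 to 25 characters of ASCII text, case-sensitive. Assumption: 'text'
    means printable ASCII, so control characters are rejected."""
    return 8 <= len(key) <= 25 and key.isascii() and key.isprintable()


# (key, validator, expected format); keys absent from the sheet are skipped.
CHECKS = [
    ("name", valid_sensor_name, "letter first, then letters/digits/._-, max 25"),
    ("ip", valid_ipv4, "<A.B.C.D> with each number 0-255"),
    ("netmask", valid_netmask, "contiguous dotted-quad mask"),
    ("ipv6", lambda v: parse_sensor_ipv6(v) is not None, "<A:B:C:D:E:F:G:H>/<0-128>"),
    ("gateway", valid_ipv4, "<A.B.C.D>"),
    ("manager", lambda v: valid_ipv4(v) or valid_ipv6(v), "IPv4 or IPv6 address"),
    ("sharedsecretkey", valid_shared_secret, "8-25 characters of ASCII text"),
]


def check_initial_config(cfg: dict) -> List[str]:
    """Return the problems found; an empty list means every value present
    has the format the guide requires."""
    problems = []
    for key, ok, expected in CHECKS:
        if key in cfg and not ok(cfg[key]):
            problems.append(f"{key}: expected {expected}")
    return problems


# Constructed sample deployment sheet: the name, addresses and shared secret
# are the guide's own examples and documented defaults, not real values.
SAMPLE_CONFIG = {
    "name": "Sensor1_WeanHall",
    "ip": "192.168.100.100",
    "netmask": "255.255.255.0",
    "ipv6": "2001:0db8:8a2e::0111/64",
    "gateway": "192.34.2.8",
    "manager": "2001:0db8:8a2e:0000:0000:0000:0000:0111",
    "sharedsecretkey": "IPSkey123",
}

if __name__ == "__main__":
    print(check_initial_config(SAMPLE_CONFIG) or "all values OK")
```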
• On the Sensor, type status (For more information on the status command, see the McAfee Network Security
Platform CLI Guide.)
• In the Manager Dashboard, check the System Health status. (See if the Sensor is active. If the link is yellow,
click on the cell to see the System Faults on the Sensor. For more information on this process, see McAfee
Network Security Platform Manager Administration Guide.)
• In the Manager, click System and select the Domain to which the Sensor belongs. Then click Devices and
select the Sensor. Then go to Setup | Monitoring Ports. Look at the color of the button(s) representing the ports
on the Sensor, and check the color legend on the screen to see the status of the Sensor's ports. (For more
information on this process, see McAfee Network Security Platform Manager Administration Guide.)
If you have difficulty in troubleshooting the above, see McAfee Network Security Platform Troubleshooting Guide.
Also, see McAfee Network Security Platform CLI Guide for a description of all available CLI commands.
Changing any of these values requires you to "break trust" with the Manager:
• Sensor name
Changing a Sensor's name requires you to delete it from the Manager and re-add it, or in other words,
re-configure the Sensor from the beginning. For instructions, see Add the Sensor to Manager and then
Configuring the Sensor.
• Manager IP
See also
Add a Sensor to the Manager on page 59
Configure the Sensor on page 60
Task
1 On the Sensor, type deinstall.
This breaks the trust relationship with the Manager.
3 Type the Sensor Shared Secret. (This value must match the value set for the Sensor in the Manager interface.)
For example, set sensor sharedsecretkey. The Sensor then prompts you to enter a shared secret key
value. Type the shared secret key value at the prompt. The Sensor then prompts you to verify the value.
Type the value again.
The shared secret key value must be between 8 and 25 characters of ASCII text. The shared secret key value is
case-sensitive. For example, IPSkey123.
4 If you changed the Sensor IP address, then you must reboot the Sensor.
Type reboot. You must confirm that you want to reboot the Sensor.
Specify a 32-bit address written as four eight-bit numbers separated by periods, where A, B, C, or D represents
an eight-bit number between 0 and 255.
Or
where <A:B:C:D:E:F:G:H> is a 128-bit address written as eight groups of four hexadecimal digits separated by
colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000 and FFFF.
If one or more four-digit groups is 0000, the zeros may be omitted and replaced with two colons (::).
This section discusses the concepts and configuration instructions for managing devices like the Sensors and
the NTBA Appliance using the Manager resource tree.
The Devices page can be accessed from the menu bar of the Manager. This page allows you to manage the
group of Network Security Sensors and/or NTBA Appliances integrated with the Manager. The configuration
settings for a specific domain, specified under the Global tab, set general rules that are applied by default to all
physical devices added within the Manager. These added devices appear in the list of devices visible in the
Device drop-down. These devices adopt the parent domain's general rules.
See also
Deploy pending changes to a device on page 80
Contents
Install Sensors using the wizard
Possible actions from the device list nodes
Specify proxy server for internet connectivity
Configure NTP server for a domain
Configure NTP server for a device
To get McAfee® Network Security Platform up and running, you need to add Sensors to the Manager and
configure them. The Sensor Installation Wizard guides you through the steps involved in adding and
configuring Sensors, and requires you to complete them in sequence.
To use this feature, you need to have Super User role in the root admin domain.
You can use the wizard only to install Sensors to the root admin domain.
• You can install M-series and NS-series Sensors using the wizard. You can change the port configuration (inline,
tap, and span) and other per-port settings such as full duplex and speed, apply a policy per port, and
finally push the configuration changes.
Task
1 From Manager, go to Devices | <Admin domain name> | Global | Add Device Wizard to invoke the Add New Device
wizard.
2 Click Next.
Task
1 Indicate how you want to obtain the latest signature set:
• Importing Signature sets from a Local Directory – You can import the signature set into Manager from a local
directory.
• Downloading the latest Signature set from McAfee Update Server – You can download the latest signature set from
McAfee® Network Security Update Server (Update Server).
• Skip Update Server authentication and signature set download – Use this option to continue with the default
signature set that you received along with the Manager installation.
• The Choose signature set method page displays the version of the current signature set available on the
Manager.
2 Click Next.
Tasks
• Download the latest signature set on page 66
• Import signature sets from a local directory on page 67
Task
1 In the Choose signature set update method page, select McAfee Update Server option.
2 Click Next.
The Authentication page is displayed.
4 Click Next.
The available signature sets are listed.
5 Select the required signature set version and then click Next.
The Signature set download status page is displayed.
Task
1 In the Choose signature set update method page, select the Import signature set from local directory option.
2 Click Next.
The Import Attack Set page is displayed.
4 Click Next.
The Import Status is displayed.
After the signature set has been pushed, the Add a Sensor page is displayed.
Task
1 Click Devices | <Admin Domain> | Global | Add and Remove Devices. Click New.
b Enter the Sensor Type: IPS Sensor, Virtual HIP Sensor, NTBA Appliance, or Load Balancer.
• 10 digits: 0 1 2 3 4 5 6 7 8 9
The Sensor name and shared secret key that you enter in the Manager must be identical to the
shared secret that you will later enter during physical installation/initialization of the Sensor (using
CLI). If not, the Sensor will not be able to register itself with Manager.
5 Click Save.
7 Click Next.
You can select the Sensor and click Edit to edit the Sensor settings.
Task
1 Open a HyperTerminal session to configure the Sensor. This task is performed to establish trust with the
Sensor.
For instructions, see Cabling the Console Port, McAfee Network Security Platform Sensor Product Guide for your
Sensor model.
2 At the login prompt, log on to the Sensor using the default username
admin and password admin123.
McAfee strongly recommends that you change the default password later for security purposes.
3 Set the name of the Sensor. At the prompt, type: set Sensor name <WORD>
Example: set Sensor name Engineering_Sensor1.
The Sensor name is a case-sensitive alphanumeric character string up to 25 characters. The string can include
hyphens, underscores, and periods, and must begin with a letter.
4 Set the IP address and subnet mask of the Sensor. At the prompt, type: set Sensor ip <A.B.C.D> <E.F.G.H>
Specify a 32-bit address written as four octets separated by periods: X.X.X.X, where X is a number between
0-255. For example: set Sensor ip 192.34.2.8 255.255.255.0
Setting the IP address for the first time (that is, during the initial configuration of the Sensor) does not require
a Sensor reboot. Subsequent changes to the IP address will, however, require that you reboot the Sensor for
the change to take effect. If a reboot is necessary, the CLI will prompt you to do so. For information on
rebooting, see the McAfee Network Security Platform Troubleshooting Guide.
5 If the Sensor is not on the same network as Manager, set the address of the default gateway. At the prompt,
type: set Sensor gateway <A.B.C.D>
Use the same convention as the one for Sensor IP address. For example: set Sensor gateway
192.34.2.8.
7 Ping Manager from the Sensor to determine if your configuration settings to this point have successfully
established the Sensor on the network. At the prompt, type:
ping <manager IP address>.
If the ping is successful, continue with the following steps. If not, type show to verify your configuration
information and check to ensure that all information is correct. If you run into any difficulties, see the McAfee
Network Security Platform Troubleshooting Guide.
8 Set the shared key value for the Sensor. This value is used to establish a trust relationship between the
Sensor and Manager. At the prompt, type:
set Sensor sharedsecretkey.
The Sensor then prompts you to enter a shared secret key value. Type the shared secret key value at the
prompt. The Sensor then prompts you to verify the value. Type the value again.
The shared secret key value must be between 8 and 25 characters of ASCII text. The shared secret key value is
case-sensitive. Example: IPSkey123
9 (Optional, but recommended) Change the Sensor password. At the prompt, type:
passwd.
The Sensor prompts you to enter the new password and prompts you for the old password.
The password must be a minimum of 8 characters in length, and can be up to 25 characters long.
The characters that can be used while setting a new password are:
• 26 letters: both upper and lower case are supported (a,b,c,...z and A, B, C,...Z)
• 10 digits: 0 1 2 3 4 5 6 7 8 9
11 Switch back to the Sensor Installation Wizard to continue with the Sensor installation. At this point you are
on the Sensor Discovery page.
12 Click Next.
If the Sensor has not been added or if you had entered an incorrect shared secret key, then click Re-try discovery
and provide the correct details.
Field Description
Back Brings you to the Add Sensor page.
Cancel Cancels the discovery process of a Sensor in the network.
Re-try Discovery Starts the discovery process once again.
Next Moves you to the Edit Port configuration to Sensor page to configure port for a Sensor.
You can edit the configuration for a particular port. To edit a port's configuration:
Task
1 Select a port from the list of ports displayed.
2 Click Edit.
3 Select the mode of operation for the port from the Operation Mode list:
• Inline Fail-Open
• Internal Tap
• Span or Hub
• Inline Fail-Close
4 Specify whether you want to connect the port from inside or outside using the Port Connected Network list.
• Port A (Inside) Port B (Outside)
• Not specified
5 Click Next.
The Assign policies to Sensor page is displayed. Select the policy from the list of policies and apply them to the
Sensor.
Task
1 Select a policy and apply it to the Sensor. The default applied policy is the Default Prevention policy.
2 If required, change the applied policies for the interfaces on the Sensor.
All interfaces inherit a policy from the Sensor by default. The Sensor inherits the policy from the parent admin
domain, and takes the Default Prevention policy by default.
3 Click Next.
The Signature Set Push Status page is displayed.
Task
1 Click Next to push the configuration information to the Sensor.
The Signature Set Push Status page is displayed.
2 Click Next.
The Sensor Installation Summary page is displayed.
Field Description
Sensor Name Name of the Sensor
Sensor Model Model of Sensor
Trust Status The status of the trust: established or not
Applied Signature Set Signature set version number applied to the Sensor
Interface Name Ports on the Sensor
Operation Status Status of the port: enabled or disabled
IP Set the IP address of the Sensor
Mask Set the subnet mask of the Sensor
Gateway Set the address of the default gateway
VLAN ID Set the VLAN ID of the monitoring ports.
Task
1 Click Done.
The Sensor Installation Wizard welcome page is displayed so that you can install another Sensor.
Once deployed, XC Clusters are configured and managed through the command line and the Manager.
For more information, see McAfee Network Security Platform XC Cluster Administration Guide.
• Managing Devices — Add devices to the Manager; accept communication to the Manager from initialized, physically
installed, and network-connected devices such as IPS Sensors, NTBA Appliances, or virtual HIP Sensors.
• Updating the configuration of all devices — All changes done via the Configuration page that apply to your
Sensors are not pushed until you perform a Device List | Configuration Update | Update (all Sensors in a domain)
or Device List | Sensor_Name | Configuration Update | Update (single Sensor) action.
• Updating software to all devices — Download software and signature files from the Manager via McAfee®
Network Security Update Server [formerly IPS Update Server]
See also
Deploy pending changes to a device on page 80
Update the latest software images on all devices on page 83
Using this page, you can add physical devices such as IPS Sensors, NTBA Appliances, or Load Balancers to the
Manager. Once you add a device on the Device List node, you must establish trust between the device and the
Manager by executing the setup CLI command.
You can use this page to also add virtual HIP Sensors to the Manager. The trust establishment for the Virtual
HIP Sensor is done using McAfee ePO™ console.
See also
Edit device settings on page 79
McAfee recommends adding a device to the Manager first. The Add Device Wizard will be displayed once the Manager
Initialization Wizard is completed.
Task
1 Click Devices | <Admin domain name> | Global | Wizards | Add Device.
2 Click Next.
The Name must begin with a letter and can contain alphanumeric characters, hyphens, underscores and
periods. The length of the name is not configurable.
The shared secret must be a minimum of 8 characters in length: the length of the shared secret is not configurable.
The shared secret cannot start with an exclamation mark or have any spaces. The characters that can be used
while creating a shared secret are as follows:
• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)
• 10 digits: 0 1 2 3 4 5 6 7 8 9
IMPORTANT: The device name and shared secret are case-sensitive. The Device Name and Shared Secret must also
be entered on the device command line interface (CLI) during physical installation and initialization. If not,
the device will not be able to register itself with the Manager.
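Because the Sensor name and shared secret are typed once in the Manager and once at the Sensor CLI, and any difference (including letter case) means the Sensor cannot register, it is worth checking the values against the rules above before entering them on either side. The following added example is not McAfee's code; it applies only the rules this guide states for the Sensor name, the shared secret, the IPv4 address and subnet mask given to set Sensor ip, and the IPv6 format with optional :: compression described earlier in this chapter. The sample values in the main block are constructed, modelled on the guide's own examples.

```python
"""Pre-flight checks for values typed into both the Manager and the Sensor CLI.

Added example, not McAfee's code. It enforces only the rules stated in this
guide: Sensor name, shared secret, IPv4 address and subnet mask, and the IPv6
format with optional '::' zero compression. An empty list means "acceptable".
"""
import hmac
import ipaddress
import re

NAME_CHARS = re.compile(r"[A-Za-z0-9._-]*")


def check_sensor_name(name: str) -> list:
    """Case-sensitive alphanumeric string, up to 25 characters, may contain
    hyphens, underscores and periods, and must begin with a letter."""
    problems = []
    if not re.match(r"[A-Za-z]", name[:1]):
        problems.append("name must begin with a letter")
    if len(name) > 25:
        problems.append("name is longer than 25 characters")
    if not NAME_CHARS.fullmatch(name):
        problems.append("name may contain only letters, digits, '-', '_' and '.'")
    return problems


def check_shared_secret(secret: str) -> list:
    """8 to 25 characters of ASCII text, no spaces, must not start with '!'."""
    problems = []
    if not 8 <= len(secret) <= 25:
        problems.append("shared secret must be 8 to 25 characters long")
    if not all(33 <= ord(c) <= 126 for c in secret):
        problems.append("shared secret must be printable ASCII with no spaces")
    if secret.startswith("!"):
        problems.append("shared secret must not start with '!'")
    return problems


def values_match(manager_value: str, cli_value: str) -> bool:
    """The Manager and CLI values must be identical, case included; otherwise
    the Sensor cannot register. A constant-time compare avoids revealing where
    two secrets diverge."""
    return hmac.compare_digest(manager_value.encode(), cli_value.encode())


def classify_address(text: str):
    """Return ('IPv4', 'A.B.C.D') or ('IPv6', fully expanded form) for a valid
    address, or None. The ipaddress module applies the dotted-quad and
    eight-group rules, including '::' standing for a run of zero groups."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 4:
        return ("IPv4", str(addr))
    return ("IPv6", addr.exploded)


def check_subnet_mask(mask: str) -> bool:
    """True only for a contiguous netmask such as 255.255.255.0 (hostmasks such
    as 0.0.0.255 are rejected even though ipaddress would accept them)."""
    try:
        net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
        return net.netmask == ipaddress.IPv4Address(mask)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values modelled on the guide's own examples.
    print(check_sensor_name("Engineering_Sensor1"), check_sensor_name("1st sensor"))
    print(check_shared_secret("IPSkey123"), check_shared_secret("!short"))
    print(values_match("IPSkey123", "ipskey123"))  # False: the secret is case-sensitive
    print(classify_address("192.34.2.8"), check_subnet_mask("255.255.255.0"))
    print(classify_address("2001:db8::1"))
```

Run the checks on the values you intend to use before the Add Device step, then again on the exact strings you type at the CLI; values_match is the quick way to confirm that a copy of the secret kept in your change record is the one the Sensor will send.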
Devices with the Online update mode have the signature set/software pushed to them directly. For devices to
which you want to push the signature set/software manually, set the update mode to Offline.
8 Click Next.
9 Follow the instructions on the page to complete the command line interface (CLI) setup and click Check Trust.
Using the command line interface (CLI), enter the necessary information for the device identification and
communication as described in Configure the Sensor. If you set up the device first, you will need to return to
the device after the Manager addition to reset the shared secret key and begin device-to-Manager
communication.
10 Click Next.
The Next button will be enabled once the trust between the device and the Manager is established.
The DNS Settings page is applicable only to M-series Sensor (software version above 7.0) and NS-series
Sensors.
The Application Identification page is applicable only to M-series Sensor (software version above 7.0) and
NS-series Sensors.
14 Select the Enable Application Identifier? check box for the required ports. Click Next.
16 Click Finish.
You will now be able to see the device when you click on the Device drop-down.
You can add a device by selecting Devices | <Admin Domain Name> | Global | Add and Remove Devices but it is
recommended to use the Add Device Wizard to add all devices (except Virtual HIP Sensors) and to establish the trust
between the Manager and the device.
Task
1 The Add Device Wizard window is displayed after the Manager Initialization Wizard is completed.
2 Click Next.
The name must begin with a letter and can contain alphanumeric characters, hyphens, underscores and
periods. The length of the name is not configurable.
The shared secret must be a minimum of 8 characters in length: the length of the shared secret is not
configurable. The shared secret cannot start with an exclamation mark or have any spaces. The characters
that can be used while creating a shared secret are as follows:
• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)
• 10 digits: 0 1 2 3 4 5 6 7 8 9
8 Click Next.
9 Follow the instructions on the page to complete the command line interface (CLI) setup and click Check Trust.
Using the command line interface (CLI), enter the necessary information for the Appliance identification and
communication as described in “Configure the Sensor”. If you set up the Appliance first, you will need to
return to the Appliance after the Manager addition to reset the shared secret key and begin
Appliance-to-Manager communication.
10 Click Next.
The Next button will be enabled once the trust between the Appliance and the Manager is established.
The Port Settings page is displayed.
12 Define essential NTBA Appliance settings, including flow record listening port and Ethernet port IP settings.
Click Next.
The DNS Settings page is applicable only to M-series (software version above 7.0) and NS-series Sensors.
The Exporters page is displayed. You can add a new exporter or edit the existing one.
14 Define exporters that will forward records to the NBA Sensor for processing and click Next.
The Inside Zones page is displayed. You can add a new inside zone or edit the existing one.
The Outside Zones page is displayed. You can add a new outside zone or edit the existing one.
19 Click Finish.
The NTBA Appliance appears added under the Device drop-down list in the Devices tab. It also appears in the
Add and Remove Devices in the Global tab.
21 Skip the Chapter, Setting up Virtual NTBA Appliance on an ESX server, and proceed to Chapter, Configuring NTBA
Appliance settings.
McAfee recommends changing the Shared Secret from the Manager first. You do not have to immediately change
the shared secret in the device CLI; the Manager and the device will continue to communicate. However, when
you update the Shared Secret on the CLI, you must type the same value as entered in this action.
Task
1 Select Devices | <Admin Domain> | Global | Add and Remove Devices.
3 Click Edit.
Double asterisks indicate that the data for the field is missing or that data has been retrieved from the
database rather than from the device. This could indicate that the device is inactive or not initialized.
See also
Options available in the devices page on page 73
Notes:
• Do not delete the device from the Manager if you plan to generate reports with data specific to the device.
• If the device is in the middle of active communication with the database, deleting the device may not be
successful (the device still appears in the Resource Tree). If you experience this problem, check your device
to make sure communication to the Manager is quiet, then re-attempt the delete action.
• Configuration changes such as port configuration, non-standard ports and interface traffic types are
updated regardless of the changes made to the Sensor, interface/subinterface.
• NTBA configuration updates refer to the changes done in the various tabs of the Devices node.
• Policy changes are updated on the Sensor or NTBA Appliance in case of a newly applied policy, or changes
made to the current enforced policy.
• Signature updates contain new and/or modified signatures that can be applied to the latest attacks.
• When policy and rule updates are applied to the devices, the current traffic analysis is not impacted until the
last phase of configuration updates (i.e., when the Manager status update is at 95%).
You can deploy the configuration changes to all the devices in the admin domain from the Global tab. The
navigation path for this is Devices | <Admin Domain Name> | Global | Deploy Pending Changes.
Alternatively, you can deploy the configuration changes at a device level by selecting Devices | <Admin Domain
Name> | Devices | <Device Name> | Deploy Pending Changes. In this case, the Deploy Pending Changes option is available
in the menu only if the device is active.
Task
1 Select Devices | <Admin Domain Name> | Global | Deploy Pending Changes.
The Deploy Pending Changes page is displayed.
To deploy the changes to a specific device, go to Devices | <Admin Domain Name> | Devices | <Device Name> |
Deploy Pending Changes.
2 Click Deploy.
The Manager processes these updates in three stages — Queued, Deploying, Completed — and displays the
current stage in the Status column.
Status Description
Queued The Queued status indicates that the Manager is preparing to deploy updates to the devices. If
more than one device is being updated, devices are updated one at a time until all downloads
are complete. If you want to cancel the updates for certain devices, click the X. Consider the
following:
• The deployment of the configuration changes or signature file updates can be cancelled for
bulk updates only.
• Updates cannot be cancelled when deployed for individual devices.
• After you click Deploy, wait for five seconds before you start cancelling the updates for devices.
• Once cancelled, the checkbox is deselected, suggesting that the update was cancelled. There
is no status change to indicate the cancellation of an update.
Deploying In this state, the configuration changes are applied to the devices. There is no option to abort
the update process for devices on which the deployment of updates is already in progress.
When the deployment is cancelled for any device, the item will still be selected for future
updates unless it is explicitly deselected.
Completed Shows that all the configuration changes have been updated for the devices.
3 Click Offline Update Files to view and export the deployment changes file to offline Sensors. The changes can
then be deployed to the Sensors manually using the CLI command window.
Offline file update is not supported on the NS3200 and NS3100 Sensors.
4 Click Refresh to refresh the page and the status of the deployment.
Clearing the status does not cancel the deployment. The update process will be running in the background.
See also
Possible actions from the device list nodes on page 72
Configuration of devices using the Manager on page 4
After software download to your Sensors, you must reboot all updated Sensors.
Task
1 Select Devices | <Admin Domain Name> | Global | Deploy Device Software.
3 To select a Sensor for update, select the check boxes (for the specific Sensor) in the Upgrade column.
The Manager provides this option to concurrently perform the software upgrade for multiple Sensors.
4 To select a Sensor for reboot, select the check boxes (for the specific Sensor) in the Reboot column.
By default, the Reboot option is disabled; it is enabled only after you select the Sensor(s) in the Upgrade
column. This option triggers a full reboot even if the hitless reboot option is available for the corresponding
Sensors. The Reboot option can also be disabled if required.
6 Offline Upgrade Files is used to generate and export the upgrade files for offline Sensors.
Refresh enables you to see the new Sensor software version after reboot.
Clear Status is used for clearing the cached status.
See also
Possible actions from the device list nodes on page 72
Download software update files for offline devices on page 84
The update files are encrypted using a symmetric key cipher. The download consists of the encrypted signature
set and/or image file and a meta information file that describes the download. These files
are zipped together to create a download file that can be saved on CD and later uploaded to the device
via TFTP. This is illustrated as follows:
See also
Configure a new device for offline signature set update on page 84
Update configuration for offline devices on page 85
Update software for offline devices on page 87
Configure an existing device for offline signature set update on page 85
Export software for offline devices on page 86
Export software for offline devices on page 88
Update the latest software images on all devices on page 83
You can select the device Update Mechanism mode while adding a new device. By default, all devices added to
the Manager have the update mode set to Online. Devices with the Online update mode have the signature set/
software pushed to them directly, as has been done in the past. For devices to which you want to push the
signature set/software manually, set the update mode to Offline. You can edit the update mode later, if
required.
Task
1 Click Devices | <Admin Domain> | Global | Add and Remove Devices
2 Click New.
The Add New Device page is displayed.
3 Enter a name against Device Name, select IPS Sensor against Device Type, and enter the Shared Secret and Confirm
Shared Secret.
The Updating Mode configured on the Primary device of the Fail Over - Pair determines the signature file
generation for download.
If the Primary device is configured for the Offline Updating Mode, then two individual signature files are generated
for the Primary and Secondary devices, irrespective of the Secondary device configuration.
If the Primary device is configured for the Online Updating Mode, then the signature file is downloaded online to
both devices, irrespective of the Secondary device configuration.
See also
Download software update files for offline devices on page 84
Task
1 Click Devices | <Admin Domain> | Global | Add and Remove Devices to view the list of devices configured.
2 Select the device and click Edit. Select Offline against Updating Mode and click Save.
3 The information box confirms a successful edit. The device is configured for Offline update.
The Updating Mode configured on the Primary device of the Failover - Pair determines the signature file
generation for download.
If the Primary device is configured for Offline Updating Mode, then two individual signature files are generated
for Primary and Secondary devices, irrespective of the Secondary device configuration.
If the Primary device is configured for Online Updating Mode, then signature file will be downloaded online to
both devices, irrespective of the Secondary device configuration.
See also
Download software update files for offline devices on page 84
Task
1 Click Devices | <Admin Domain> | Global | Deploy Configuration Changes.
2 The list of devices for which configuration can be downloaded is shown under Configuration Update. Select the
Configuration Update check box against the device listed as Offline in the Updating Mode column. Click Update.
3 The update is listed under Sigfile for Offline Sensors in the Configuration Update tab on the Device List node and is
ready for export.
The Updating Mode configured on the Primary device of the Fail Over - Pair determines the signature file
generation for download.
If the Primary device is configured for the Offline Updating Mode, then two individual signature files are generated
for the Primary and Secondary devices, irrespective of the Secondary device configuration.
If the Primary device is configured for the Online Updating Mode, then the signature file is downloaded online to
both devices, irrespective of the Secondary device configuration.
See also
Download software update files for offline devices on page 84
Task
1 Click Devices | <Admin Domain> | Devices | Maintenance | Export Configuration.
2 Select the radio button under the Export File column for the device listed under Available Configuration Files for Offline
Devices. Click Export.
3 Select the Save File option. Click OK and save the signature file in the desired location in the local machine.
Tasks
• Perform an offline download of the signature set on page 86
See also
Download software update files for offline devices on page 84
Task
1 Copy the signature set to the TFTP server.
2 Connect to the device through the CLI and configure the TFTP server IP.
4 Once the signature file is copied onto the device, use the downloadstatus command in the CLI to check
the status.
Task
1 Click Devices | <Admin Domain> | Global | Deploy Device Software.
2 The list of devices for which software can be downloaded is shown in the Deploy Device Software table. Select
the check box against the device listed as Offline in the Upgrade column. Click Update.
3 The update is listed under Available Configuration Files for Offline Devices in the Configuration Update table and is
ready for export.
See also
Download software update files for offline devices on page 84
Task
1 Click Devices | <Admin Domain> | Devices | <Device Name> | Maintenance | Export Configuration.
2 Select all the configuration that you wish to export and click Export.
3 Select the Save File option. Click OK and save the device software in the desired location.
Tasks
• Import software for offline devices on page 88
See also
Download software update files for offline devices on page 84
Task
1 Set up the Manager and device.
2 Import the device image jar file on to the Manager, using Manage | Updating | Manual Import.
3 Click Deploy Device Software, which is also located under the Updating tab.
4 Select the device and image to apply and click Upgrade. The offline image is generated in the same page
below, under Available Upgrade Files for Offline Devices.
6 Once the image file is copied onto the device (this takes some time), use the downloadstatus command in
the CLI to check the status.
However, for Gateway Anti-Malware, you must be aware of which versions of the malware engines are
compatible with specific Sensor and Manager versions. Refer to Gateway Anti-Malware Engine within the
section, How an Advanced Malware policy works.
• You must be using either an NS-series Sensor running Sensor software version 8.2 or above or
an NTBA Appliance to use this engine.
• Anti-Virus DAT
• Anti-Malware Engine
The update can either be an incremental update or a full update. The full update is approximately 150 Mb.
You can set up automatic updates for both these components using these steps. If you do not want to set up
automatic updates, you can use the existing process for manual updates.
Task
1 Click Devices | <Admin_Domain_Name> | Global | Common Device Settings | GAM Updating.
If you have not configured a DNS server for this domain, you will receive a notification prompting you to do
so.
You have now set up automatic updates for all devices that run Gateway Anti-Malware Engine in the domain.
• You must be using either an NS-series Sensor running Sensor software version 8.2 or above or
an NTBA Appliance to use this engine.
• Anti-Virus DAT
• Anti-Malware Engine
The update can either be an incremental update or a full update. The full update is approximately 150 Mb.
You can use these steps to set up automatic updates for both these components. If you do not want to set up
automatic updates, you can use the existing process for manual updates.
This page displays a grid that shows the active version and the latest available version of each component. If
you are using the latest version, the circle is green. If a newer version is available, the circle is colored red.
Task
1 Click Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | GAM Updating.
2 You can choose to inherit the settings of the domain by selecting the check box.
If you do not select this option, you can customize update settings for this device.
If you have not configured a DNS server for this device, you will receive a notification prompting you to do
so.
Figure 6-20 GAM Updating page shows versions for individual items
You have now set up automatic Gateway Anti-Malware Engine updates for this Sensor.
It is important that you download a compatible version of Gateway Anti-Malware Engine files to make sure the
update is successful. To ascertain which software versions are compatible with which versions of the Sensor
software, refer to Gateway Anti-Malware Engine within the section, How an Advanced Malware policy works.
Perform the steps listed below to manually download the Gateway Anti-Malware Engine update files and deploy
them to your Sensor.
Task
1 Using a recent version of your browser, go to the Gateway Anti-Malware Update Server URL:
https://contentsecurity.mcafee.com/update.
2 On the page that appears, review the terms and conditions and select the I accept the terms and conditions
checkbox, and click Next Step.
You are routed to the next page where you will need to select the appropriate McAfee product.
3 On this page, click the drop-down to select McAfee Network Security Appliance, and click Next Step.
You are routed to the next page where you must enter the appropriate version of Sensor software you are
using.
4 Enter 8.3 if your Sensor runs a pre-8.3.7.x version or enter 8.3.14 if your Sensor runs 8.3.7.x or later version,
and click Next Step.
The success or failure of the update will vary depending on the Sensor and Manager software versions you
are using. Review this table to know the various combinations and what version you must enter to make
sure you download the appropriate Gateway Anti-Malware Engine version.
After the package is generated, you are shown details about the file such as file-size and MD5 checksum.
7 After the file is downloaded, log on to the Manager and go to Manager | Updating | Manual Import.
8 In the Manual Import page, click Browse, navigate to the file location, and select it.
10 After the upload is complete, go to Devices | <Admin Domain Name> | Devices | <Device Name> | Deploy Pending
Changes.
In the Deploy Pending Changes page, the Pending Changes column displays New Gateway Anti-Malware Versions.
A pop-up window appears showing you the status of the update. If the update fails, you might
have downloaded an incompatible version. Review the compatible versions and the combinations, listed in step
4 of this section, to ascertain whether you have downloaded the appropriate version.
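The update page displays the generated package's file size and MD5 checksum; comparing both against the file you actually downloaded, before the Manual Import step, catches a truncated or corrupted download rather than discovering it as a failed deployment. The following added example is not McAfee's code. It reads the file in chunks (a full update is large) and reports every mismatch it finds; the sample package bytes are constructed. An MD5 match only shows the file arrived intact; it does not authenticate the publisher, which still rests on fetching the package over HTTPS from the vendor URL given above.

```python
"""Integrity check for a manually downloaded update package before Manual Import.

Added example, not McAfee's code. Compares a downloaded file against the size
and MD5 checksum shown on the update page. An empty list means both match.
"""
import hashlib
import hmac
import io
import re


def md5_hex(data: bytes) -> str:
    """Hex MD5 of an in-memory byte string (used for the constructed sample)."""
    return hashlib.md5(data).hexdigest()


def verify_stream(stream, expected_size: int, expected_md5: str,
                  chunk_size: int = 1 << 16) -> list:
    """Stream any binary file object and return a list of problems found."""
    digest = hashlib.md5()
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
        size += len(chunk)

    problems = []
    if size != expected_size:
        problems.append(f"size mismatch: got {size} bytes, expected {expected_size}")

    expected = expected_md5.strip().lower()   # tolerate copy-paste case and whitespace
    if not re.fullmatch(r"[0-9a-f]{32}", expected):
        problems.append(f"expected MD5 {expected_md5!r} is not 32 hex digits")
    elif not hmac.compare_digest(digest.hexdigest(), expected):
        problems.append(f"MD5 mismatch: got {digest.hexdigest()}, expected {expected}")
    return problems


def verify_bytes(data: bytes, expected_size: int, expected_md5: str) -> list:
    """Convenience wrapper for data already in memory."""
    return verify_stream(io.BytesIO(data), expected_size, expected_md5)


def verify_file(path: str, expected_size: int, expected_md5: str) -> list:
    """Check a downloaded package on disk against the values shown on the update page."""
    with open(path, "rb") as fh:
        return verify_stream(fh, expected_size, expected_md5)


# Constructed sample standing in for a downloaded package; not a real update file.
SAMPLE_PACKAGE = b"constructed sample package bytes, not a real GAM update\n" * 1000
SAMPLE_MD5 = md5_hex(SAMPLE_PACKAGE)

if __name__ == "__main__":
    print(verify_bytes(SAMPLE_PACKAGE, len(SAMPLE_PACKAGE), SAMPLE_MD5))       # []
    print(verify_bytes(SAMPLE_PACKAGE[:-1], len(SAMPLE_PACKAGE), SAMPLE_MD5))  # size and MD5 mismatch
```

For a real download, call verify_file with the path of the saved package and the size and checksum copied from the update page; only proceed to Manager | Updating | Manual Import when it returns an empty list.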
Using the Failover Pairs tab, you can enable failover configuration for two identical Network Security Sensor
models. The term "failover pair" refers to the pair of devices that constitute the Primary-Secondary
arrangement required for failover functionality. The Primary/Secondary designation is used purely for
configuration purposes and has no bearing on which device considers itself active. Primary device designation
determines which device's configuration is preserved and copied to the Secondary device by Manager. Both
devices receive configuration and update changes from Manager; however, the Secondary accepts the changes
as if they are coming directly from the Primary device. In the event of primary failure, the Secondary device will
see all changes as coming directly from Manager.
Two devices in a failover pair can have different fail-open/fail-closed settings. It is possible to configure, for
example, one device to fail open, and the second device to fail closed. The intended use of this option is in an
Active-Standby configuration with the Active link configured to fail closed (to force traffic to the standby link in
case of failure), and the Standby link configured to fail open (to provide uninterrupted traffic flow should both
devices fail).
For more information on high availability using failover pairing, see the McAfee Network Security Platform IPS
Administration Guide.
Task
1 Click Devices | <Admin Domain Name> | Global | Failover Pairs.
The Add button shows up in the UI only when there are at least two devices of the same model in the Device
List node and a failover pair has not been created using these two devices.
3 Select the Model. Both devices in a failover pair must be the same model.
4 Type a failover pair Name that will uniquely identify the grouping.
7 Enable or disable Fail open for the failover pair as per your requirement. By default, it is disabled.
8 Click Create; click Cancel to abort. Upon saving, a message informs you that the failover pair creation will take
a few moments. Click OK. The new failover pair will appear as a child node of the devices node under which
it was created.
If you have created a failover pair while maintaining an open Attack Log window, the Attack Log will continue
to report alerts from both the Primary and Secondary devices, respectively, identifying each device by the
given device name and not by the name of the failover pair. This may cause confusion in the event that both
devices detect identical alerts. (In true failover operation, if both devices detect the same alert, only one alert
instance is reported with the name of the failover pair as the identifying device.) Restart the Attack Log for
proper alert reporting. The same is true in reverse if a failover pair is deleted. You must restart the Attack Log
to view alerts separately from each device.
Tasks
• Changing reserved VLAN ID within a failover pair on page 95
Task
1 Select the Manage Cluster Configuration tab for the failover pair interface. (Failover-Pair-Name | Physical Failover Pair
| Cluster Settings)
3 Click Submit.
The Manager supports application-level HTTP/HTTPS proxies, such as Squid, iPlanet, Microsoft Proxy Server,
and Microsoft ISA.
To use Microsoft ISA, you must configure this proxy server with basic authentication. Network Security Platform
does not support Microsoft ISA with NTLM (Microsoft LAN Manager) authentication.
Task
1 Select Manage | <Admin Domain> | Setup | Proxy Server.
The Proxy Server page is displayed.
3 Enter the Proxy Server Name or IP Address. This can be either an IPv4 or an IPv6 address.
6 Provide the appropriate URL. You may test to ensure that the connection works by entering a Test URL and
clicking Test Connection.
If NTP is configured and Manager connectivity is established, then the Sensor receives time from both the NTP
server and the Manager. If there is loss of connectivity with either the Manager or NTP server, then the other
takes over as the time source.
The Manager should be synced with an NTP server before you start NTP on the Sensor. Otherwise, the
communication between the Sensors and the Manager breaks.
If the Manager is not using the time received from the NTP server then while switching from NTP server to the
Manager and vice versa, there might be issues because of the time difference.
Task
1 Select Devices | <Admin Domain Name> | Global | Default Device Settings | Common | NTP.
2 To enable communication with the NTP server, select Enable NTP Server?
To stop NTP from the Manager, unselect this option.
3 Configure the two NTP servers: the Sensor uses whichever of the configured NTP servers has the lower RTT
(Round-Trip Time).
a Type the IP Address. This can be an IPv4 or IPv6 address.
b Enter the Polling Interval. The range is 3 to 17. The Sensor polls every 2^x seconds, where x is the
configured value.
f Click on the Test Connection button to check the connectivity to the NTP server. The status of the
connectivity tests is displayed in the NTP page.
The IPv4 and IPv6 addresses are mutually exclusive. In any configuration either the IPv4 or the IPv6 address
will be used. For the IPv6 address to work, the Sensor management port must be assigned an IPv6
address.
If NTP is configured and Manager connectivity is established, then the Sensor receives time from both the NTP
server and the Manager. If there is loss of connectivity with either the Manager or NTP server, then the other
takes over as the time source.
The Manager should be synced with an NTP server before you start NTP on the Sensor. Otherwise, the
communication between the Sensors and the Manager breaks.
If the Manager is not using the time received from the NTP server then while switching from NTP server to the
Manager and vice versa, there might be issues because of the time difference.
Task
1 Select Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | NTP.
3 To enable communication with the NTP server, select Enable NTP Server?
To stop NTP from the Manager, unselect this option.
4 Configure the two NTP servers: the Sensor uses whichever of the configured NTP servers has the lower RTT
(Round-Trip Time).
a Type the IP Address. This can be an IPv4 or IPv6 address.
b Enter the Polling Interval. The range is 3 to 17. The Sensor polls every 2^x seconds, where x is the
configured value.
The parameters in steps d and e are provided by the NTP service provider.
f Click on the Test Connection button to check the connectivity to the NTP server. The status of the
connectivity tests is displayed in the NTP page.
The IPv4 and IPv6 addresses are mutually exclusive. In any configuration either the IPv4 or the IPv6 address
will be used. For the IPv6 address to work, the Sensor management port must be assigned an IPv6
address.
The Devices tab in the Devices page represents the physical Sensor installed in your network. Each device is a
uniquely named (by you) instance of a Sensor. All actions available in the <Device_Name> page customize the
settings for a specific Sensor.
After you install and initialize a Sensor and add it to the Manager, it appears in the Device
drop-down list of the domain where it was added and inherits all of the configured device settings. After adding a device, you
can configure it specifically to meet your requirements by selecting the uniquely named device node.
For more information on interfaces and subinterfaces, see Network Security Platform IPS Administration Guide.
Many device configurations performed within the Devices page are not pushed to the devices immediately. You
must update the configuration of either all devices or the specific device to push the configuration
information from the Manager to your device.
The <Device_Name> page for a Sensor in general contains Summary, Policy, Setup, Maintenance, Troubleshooting, Deploy
Configuration Changes, and IPS Interfaces pages.
Contents
Configuration and management of devices
Troubleshooting your device configuration
Management of device access
• Configuring device monitoring and response ports— View/edit the parameters of ports on a specific device.
You can schedule configurations to be pushed to the NTBA Appliances and Sensors from Manager | <Admin
Domain Name> | Automatic Updating | Signature Sets. The Automatic Signature Set Deployment options allow you to set the
time when these configurations can be deployed on Sensors and NTBA. Configurations are automatically
deployed based on schedule.
All configurations in the Policy page that apply to your Sensors or NTBA Appliance can also be manually pushed
from Devices | <Admin Domain Name> | Global | Deploy Pending Changes (all Sensors and NTBA Appliance in a domain)
or Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Deploy Pending Changes (to a single Sensor or NTBA
Appliance) action.
Scheduled deployment
1 Select Manager | <Admin Domain Name> | Automatic Updating | Signature Sets. The Signature Sets page is displayed.
2 From the Automatic Signature Set Deployment options set the schedule for deploying signature updates:
• For Deploy in Real Time, select Yes. (This option pushes signature set updates to all Sensors and NTBA
Appliances immediately after they are downloaded to the Manager.) The default is No.
• For Deploy at Scheduled Interval, select Yes to schedule for automatic deployment of signature sets.
• In Schedule, set the frequency by which you want the Manager to check for a newly downloaded signature
set. The choices are:
• Frequently — Several times a day during a specified period, at the interval indicated in the Recur every option
• Select the Start Time, End Time, and Recur every options to specify intervals. Based on Schedule frequency,
these fields allow you to select options.
3 Click Save.
On-demand deployment
Task
1 Select Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Deploy Pending Changes.
2 View the update information. If changes have been made, the Configuration & Signature Set column is checked
by default.
3 Click Update.
A pop-up window displays configuration download status.
You can only update online devices. Make sure the device is discovered, initialized, and connected to the Manager.
You can switch between different minor versions of the device software. Consider the scenario where you
downloaded 6.0.1.1, 6.0.1.2, and 6.0.1.3 versions for M6050 Sensors from the update server onto the Manager.
Also, assume that currently the M6050 Sensor that you want to update is on 6.0.1.2. You can now update this
Sensor to either 6.0.1.1 or 6.0.1.3. Subsequently, you can also revert to 6.0.1.2. However, you cannot switch
between major versions of the software through the Manager. For example, you cannot switch between 6.0 and
5.1 versions of device software using the Manager.
After you update the software of a device, you must restart it.
Task
1 Click Devices | <Admin Domain Name> | Devices | <Device Name> | Maintenance | Deploy Device Software.
The Deploy Device Software page is displayed.
For Sensors in a failover pair, select a Sensor under the failover pair name node, and then select
Upgrade.
2 Select the required version from the Software Ready for Installation section.
The Software Ready for Installation section lists the applicable versions of software that you downloaded from the
update server (Manager | Updating | Download Device Software).
3 Click Upgrade.
When a device is being updated, it continues to function using the software that was present earlier.
Task
1 Select Devices | <Admin Domain Name> | Devices | <Device Name> | Maintenance | Shut Down.
Task
1 Select Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Diagnostics Trace.
3 Click Upload.
The status appears in the Upload diagnostics Status pop-up window.
4 Click Close Window when the message "DOWNLOAD COMPLETE" appears. The trace file is saved to your
Manager server at:
<Install Dir>\temp\tftpin\<Device Name>\trace\. Once downloaded, the file also appears in
the Uploaded Diagnostics Trace Files dialog box under this action.
5 [Optional] Export a diagnostics file to a client machine by selecting the file from the Uploaded Diagnostics Files
listed and clicking Export. Save this file to your client machine. Saving the file is particularly useful if you are
logged in remotely, need to perform a diagnostics trace, and send the file to technical support.
Task
1 Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access | TACACS+.
3 Select Inherit from Parent Domain to use the TACACS+ settings in the parent domain.
4 Enter the TACACS+ Server IP Address in the IP Address fields; you can enter up to four IP Addresses for the
TACACS+ server. At least one IP Address is required if you enable TACACS+.
From the NMS menu, you can perform the following actions:
The device has to be in the active state to manage NMS users. The device can create its own NMS users or can
associate users from the domain. Only 10 users can be configured in the device.
During export and import of device configuration, only the users created directly in the device are considered;
the users allocated from the domain are not.
• Allocating users from domain— Add available users from domain to the device.
• Adding new NMS users to the Device— Add new users to the device.
• Deleting an NMS User— Delete allocated NMS users from device or delete new users from devices.
Task
1 Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access | NMS | NMS Users.
The user list includes all the users defined in the domain in which the device is being added, as well as the users of its parent
domain.
Task
1 To add a new NMS user:
• From the Global tab, select Devices | <Admin Domain Name> | Global | Common Device Settings | Remote Access |
NMS | NMS Users.
• From the Device tab, select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access |
NMS | NMS Users.
2 Click New.
The user name must be between 8 and 31 characters long. It can consist of letters and digits.
Special characters and spaces are not allowed.
The Authentication key and Private key must each be between 8 and 15 characters long.
Since the communication is over SNMP version 3, the supported authentication protocol is "SHA1" and
encryption algorithm is "AES128".
6 Click Save.
The user is now added to the device and is displayed in the NMS User table.
Task
1 To edit an existing NMS user:
• From the Global tab, select Devices | <Admin Domain Name> | Global | Common Device Settings | Remote Access |
NMS | NMS Users.
• From the Device tab, select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access |
NMS | NMS Users.
Users created only at the device level are editable from the Device Settings tab of the specific device.
2 Select the NMS user created in the device from the list.
3 Click Edit.
4 Enter the Authentication Key and Private Key (confirm at Confirm AuthenticationKey and Private Key).
Task
1 To delete an NMS user:
• From the Global tab, select Devices | <Admin Domain Name> | Global | Common Device Settings | Remote Access |
NMS | NMS Users.
• From the Device tab, select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access |
NMS | NMS Users.
3 Click Delete.
If an allocated user (user created at domain) is deleted, it is deleted only at the device settings level and not
from the domain.
• Adding new NMS IP address to the device— Allocate available IP addresses from the domain.
• Deleting NMS IP addresses— Delete NMS IP addresses from device and domain.
NMS will not work for default port 161 of M-series and NS-series Sensors.
Allocate an IP address
The device can inherit NMS IP address configuration from domain. To allocate an IP address, do the following:
Task
1 Select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access | NMS | NMS Devices
Task
1 To add a new NMS IP address:
• From the Global tab, select Devices | <Admin Domain Name> | Global | Common Device Settings | Remote Access |
NMS | NMS Devices.
• From the Device tab, select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access |
NMS | NMS Devices.
2 Click New.
3 In IP Address, enter the NMS IP address. You can enter either IPv4 or IPv6 address.
When adding NMS IP addresses, you can add a maximum of 10 IPv4 addresses and 10 IPv6 addresses.
4 Click Save.
Task
1 To delete an NMS IP address:
• From the Global tab, select Devices | <Admin Domain Name> | Global | Common Device Settings | Remote Access |
NMS | NMS Devices.
• From the Device tab, select Devices | <Admin Domain Name> | Devices | <Device_Name> | Setup | Remote Access |
NMS | NMS Devices.
3 Click Delete.
If allocated IP addresses are deleted, they are deleted only from the device and not from the domain.
Users can communicate with the device only from the NMS IP addresses added above. After an IP address is
deleted, an existing session from that address remains valid for up to 180 seconds of inactivity; if a request is made
from the same IP address within those 180 seconds, the connection from that IP address stays valid for
another 180 seconds.
After installing the Manager software, one of the first tasks you will perform is setting the schedule for receiving
updates from the McAfee® Network Security Update Server (Update Server). These updates include signature
files for your Sensors and software for your Manager and/or Sensors.
You can only perform one download/upload at a time from any Network Security Platform component, including
the Update Server.
You can perform the following actions using the Update Server:
• Downloading software updates— Download the latest Sensor or NTBA Appliance software image file from
the Update Server to the Manager.
• Downloading signature set updates— Download the latest attack and signature information from the
Update Server to the Manager.
• Automating updates— Configure the frequency by which the Manager checks the Update Server for
updates, and the frequency by which Sensors and NTBA Appliances receive signature updates from the
Manager.
• Manually importing a Sensor and NTBA Appliance image or signature set— Manually import downloaded
Sensor or NTBA Appliance software image and signature files to the Manager.
For more information on the Update Server, see McAfee Network Security Platform Manager Administration
Guide.
You uninstall McAfee® Network Security Manager (Manager) and McAfee® Network Security Central Manager
(Central Manager) using the standard Windows Add/Remove Programs feature.
Contents
Uninstall using the Add/Remove program
Uninstall using the script
McAfee recommends you stop the Manager service and applicable Java services before starting an uninstall. If
not, you will have to manually delete files from the Network Security Platform program folder.
Task
1 Go to Start | Settings | Control Panel | Add/Remove Programs and select Network Security Platform.
3 After uninstallation, the message All items were successfully uninstalled is displayed.
Uninstallation of the Network Security Platform database (MySQL) is not part of this uninstallation.
Task
1 Navigate to the directory containing the uninstallation script. The default path is: <Network Security Platform
installation directory>\UninstallerData
2 Run Uninstall ems.exe.
Chapter 10 Overview
Chapter 11 Management of a heterogeneous environment
Chapter 12 How to upgrade the Central Manager?
Chapter 13 How to Upgrade the Manager?
Chapter 14 How to perform signature set and Sensor software upgrade
Chapter 15 Upgrade information for NTBA and XC Cluster
Chapter 16 Uninstalling the upgrade
This guide primarily provides information on how to upgrade your McAfee® Network Security Platform setup to
the latest 8.3 release from the following versions:
• 7.1
• 7.5
• 8.1
• 8.2
Important Notes:
• If you have any M-series Sensors on 6.1 software, you can directly upgrade those Sensors from 6.1 to 8.1.
However, before you upgrade the 6.1 M-series Sensors to 8.1, you must first upgrade the Manager to 8.1.
For related information, refer to McAfee Network Security Platform 8.1 Upgrade Guide. When both the Manager
and the M-series Sensors are on a required version of 8.1, you can begin the 8.3 upgrade process.
• If you are on Network Security Platform 8.0, first upgrade to a supported version of 8.1 or 8.2 before upgrading to the
latest version of 8.2.
• The Network Security Platform 8.3 release is specific to the Central Manager, Manager, M-series Sensors,
NS-series Sensors, Virtual IPS Sensors, Network Threat Behavior Analysis (NTBA) devices, and XC Cluster
devices.
• As with any upgrade, McAfee strongly recommends that you always first try the upgrade on a test
environment.
• The current version of 8.3 Manager software can be used to configure and manage the following appliances:
• M-series Sensors on 7.1, 7.5, 8.0, 8.1, 8.2, and 8.3 software.
• NS-series Sensors on 7.1, 7.5, 8.0, 8.1, 8.2, and 8.3 software.
• XC Cluster appliances on 7.1, 7.5, 8.0, 8.1, 8.2, and 8.3 software.
• NTBA appliances (physical and virtual) on 7.1, 7.5, 8.0, 8.1, 8.2, and 8.3 software.
• The upgrade involves the following phases that you must complete in the same order:
1 If applicable, McAfee® Network Security Central Manager upgrade.
3 McAfee® Network Security M-series, NS-series Sensor, or Virtual IPS Sensor software upgrade.
• No software is released for N-series (NAC-only) Sensors as part of Network Security Platform 8.3.
It is also strongly recommended that you read the Release Notes for the associated product before you upgrade
because this document makes references to several of the new features.
Contents
Important requirements and considerations
Migration from 1024-bit to 2048-bit encryption
• This document provides information on how to upgrade from Network Security Platform versions 7.1, 7.5,
8.1, or 8.2 to version 8.3. See the corresponding upgrade guide and release notes to first upgrade to the
minimum required version for 8.3, if you are on a version other than the ones mentioned here. Consider
that your current version is in the 7.1 release train but your current version is not supported for upgrade to
8.3. See the latest Network Security Platform 7.1 Upgrade Guide and upgrade to the latest 7.1 version before
you upgrade to 8.3.
• The minimum required software versions to upgrade to 8.3 are provided in the following sections:
• Sensor software upgrade requirements on page 181.
• After you upgrade the Central Manager or the Manager to 8.3, you might be prompted to restart the server.
If prompted, it is highly recommended that you restart the server.
• Currently port 4167 is used as the UDP source port number for the SNMP command channel
communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound
connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same
source port 4167 for both IPv4 and IPv6 communication. But from JRE version 1.7.0_45, it is no longer
possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6.
The latest 8.3 Manager server does not come bundled with client-side JRE. However, your network might have
devices that run pre-8.3 software versions that you intend to manage with an 8.3 Manager. You might also
intend using features like the Central Manager Threat Analyzer. In such circumstances, you must download
the latest version of JRE from https://www.azul.com/downloads/zulu/.
• If you have IPv6 Sensors behind a firewall, you must update your firewall rules accordingly such that port
4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.
This applies to a local firewall running on the Manager server as well. You must complete updating your
firewall rules before you begin the 8.3 upgrade.
• The following are the additional ports that are used for Sensor-to-Manager communication in release 8.3.
Before you begin the 8.3 upgrade process, make sure that your firewall rules are updated accordingly to
open up the required ports. This applies to a firewall that resides between the Sensor and the Manager
(including a local firewall on the Manager server).
The Manager and Sensor establish trust using 2048-bit encryption keys for Network Security Platform 8.1 or
later. The migration is designed to be seamless for existing deployments, whether heterogeneous or
homogeneous, so your role in it is minimal. To learn about heterogeneous
environments, refer to Managing a Heterogeneous Environment.
Heterogeneous deployments that still include earlier versions, such as 7.x Sensors that only support 1024-bit
encryption, can coexist with 8.1 or later software that supports 2048-bit encryption.
This sequence assumes that both the Manager and the Sensor are currently installed with versions that only
support 1024-bit encryption to establish trust.
2 The Manager is upgraded to a version that supports 2048-bit encryption. After the upgrade is complete, the
Sensors continue to connect to the Manager by establishing trust using 1024-bit encryption.
3 One of the Sensors is upgraded to a version that supports 2048-bit encryption. After the upgrade is
complete, the Sensors continue to connect using 1024-bit encryption. The Sensor that is upgraded then
initiates and upgrades its certificates, and attempts to connect to ports assigned for 2048-bit encryption in
the Manager. After the certificates are updated, the Sensor and Manager can communicate using 2048-bit
certificates.
• Keep all essential ports open if you are using a firewall in your network. The following table
shows you the ports used to establish trust using 2048-bit certificates.
Table 10-1 Ports used to establish trust with 2048-bit encryption
Port Description
8506 Install channel (TCP)
8507 Alert channel (TCP)
8508 Packet log channel (TCP)
• If SSL decryption is enabled, the Sensor continues to connect using 1024-bit certificates and
cannot transition to 2048-bit certificates. This happens because the certificates stored in
the Sensor are, at present, 1024-bit, and the Sensor is not in a position to accept those that are
2048-bit. Therefore, to make sure that 2048-bit encryption eventually succeeds
with SSL decryption, you must perform the following steps:
1 Uninstall and reinstall the Sensor. This restores the Sensor to default settings in which SSL
decryption is disabled.
OR
The following steps will explain the procedure to upgrade to 2048-bit certificates.
Task
1 Upgrade the Manager to a version that supports 2048-bit encryption.
You need to make sure that your current deployment supports this upgrade. For details on upgrading the
Manager, refer to Upgrade requirements for the Manager on page 149.
Once the Manager is upgraded, it continues to connect to the Sensors using 1024-bit certificates.
Once the Sensor has been upgraded, it continues to connect to the Manager using 1024-bit certificates. The
Sensor then initiates the upgrade to 2048-bit certificates. The Sensor checks to make sure the specific ports
on the Manager assigned for connection using 2048-bit certificates are reachable. If they are reachable, the
upgrade is complete.
During this step, the Sensor and Manager may not be able to connect using 2048-bit certificates if the
Manager is on a version that does not support it.
If you have upgraded Sensor software using the CLI command, loadimage, you will be notified
that 2048-bit connection has failed. You will also be prompted to confirm whether you wish to
proceed with existing 1024-bit certificates. If you do not wish to do this, you may type N to
discontinue the process and debug the problem.
However, if you have upgraded Sensor software from the Manager (which does not support
2048-bit encryption), the Sensor will proceed to establish trust using 1024-bit certificates.
To view the type of encryption used in establishing trust between the Sensor and Manager, you need to
access the Sensor command line interface (CLI). The Sensor and Manager establish trust using 2048-bit
certificates on ports separate from those used for 1024-bit encryption.
The steps that follow tell you how you can view the encryption type and ports in the CLI.
Task
1 Use a HyperTerminal session and enter the Sensor IP address to access its CLI.
3 Once you are in the CLI, enter status to view the type of encryption used to establish trust between the
Sensor and Manager.
The CLI displays RSA 2048-bit if the 2048-bit encryption was successful.
4 Enter show to bring up the ports used for 2048-bit encryption – 8506, 8507, and 8508.
If, at any point, you want to disable 2048-bit encryption in your deployment, you can do so by following these
steps.
Task
1 Locate the ems.properties file in your Manager server. It is available by default at C:\Program Files
\McAfee\Network Security Manager\App\config.
Once the Manager comes back up, all Sensors disconnect from the Manager, and manual intervention
is required to connect each Sensor again. For information about establishing trust with the Manager, refer
to Add a Sensor to the Manager on page 59.
Network Security Platform 8.3 enables you to manage a heterogeneous environment of Managers and Sensors.
If you do not require to manage a heterogeneous environment, you can skip this chapter. To know more about
heterogeneous environments, see What are heterogeneous environments? on page 127.
This note is applicable only if you have NTBA devices on 7.1 and 7.5 managed by a Manager on 8.3. For 7.1 NTBA,
the minimum version required for a heterogeneous NTBA environment is 7.1.3.26. For 7.5 NTBA, the minimum
version required for a heterogeneous NTBA environment is 7.5.3.35.
Contents
What are heterogeneous environments?
When would you need a heterogeneous environment?
Upgrade scenarios for heterogeneous environments
Enhanced Central Manager/Manager user interface
Feature support in a heterogeneous environment
Heterogeneous support for NTBA devices
Heterogeneous environment for XC Cluster
If the Manager and the Sensors are of the same major version, it is referred to as a homogeneous environment.
In a heterogeneous environment, the Manager and the Sensors are of different successive major versions. This
similarly applies to Central Manager and the Managers as well.
The terms heterogeneous and homogeneous environments are with respect to the software versions only and
have no relevance to the device model numbers.
Notes:
• A Manager must always be of the same or a higher version than the corresponding Sensors. Therefore, an 8.2
Manager managing 8.3 Sensors is not a valid scenario. Similarly, the Central Manager must be of the same
or a higher version than the corresponding Managers.
• The latest 8.3 Manager can manage only the M-series, NS-series, Virtual IPS Sensors, and NTBA devices on
the following software versions — 7.1.x.x, 7.5.x.x, 8.0.x.x, 8.1.x.x, 8.2.x.x, and 8.3.x.x. Similarly, an 8.3 Central
Manager can manage only 7.1.x.x, 7.5.x.x, 8.0.x.x, 8.1.x.x, 8.2.x.x, and 8.3.x.x Managers.
To use the information in this section, familiarize yourself with the following terms:
• Homogeneous Manager environment — The major version of the Central Manager and all the Managers are
the same.
• Heterogeneous Manager environment — At least one Manager is of an earlier major version than the
Central Manager.
• Homogeneous device environment — The major version of the Manager and all the devices are the same.
• Heterogeneous device environment — At least one device is of an earlier major version than the Manager.
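The version rules above, together with the minor-version switching rule from the Deploy Device Software section earlier, as an added Python example that is not McAfee code; the deployment it checks is constructed, and the sub-minimum NTBA build 7.1.3.20 is made up:

```python
"""Version-compatibility checks for a Network Security Platform 8.3 deployment.

Added example, not McAfee code. It encodes the rules the guide states:
  - a Manager must be of the same or a higher major version than its devices,
    and the Central Manager likewise relative to its Managers;
  - an 8.3 Manager manages only devices on 7.1, 7.5, 8.0, 8.1, 8.2 and 8.3;
  - NTBA devices under an 8.3 Manager need at least 7.1.3.26 (7.1 train) or
    7.5.3.35 (7.5 train);
  - the Manager can switch a device only between minor versions of one major
    release (6.0.1.2 -> 6.0.1.3 is allowed, 6.0 -> 5.1 is not).
"""
from typing import Any, Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Device software versions an 8.3 Manager can manage, per the guide.
SUPPORTED_DEVICE_MAJORS = {(7, 1), (7, 5), (8, 0), (8, 1), (8, 2), (8, 3)}

# Minimum NTBA versions in a heterogeneous environment under an 8.3 Manager.
NTBA_MINIMUM = {(7, 1): (7, 1, 3, 26), (7, 5): (7, 5, 3, 35)}


def parse_version(text: str) -> Version:
    """'8.3.7.12' -> (8, 3, 7, 12). Raises ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    return parts


def major(version: Version) -> Tuple[int, int]:
    """The guide's 'major version' is the first two components, e.g. 8.3."""
    return version[0], version[1]


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def can_switch_via_manager(current: str, target: str) -> bool:
    """True when the Manager may deploy `target` onto a device running
    `current`: both must belong to the same major release."""
    return major(parse_version(current)) == major(parse_version(target))


def classify(manager: str, devices: Iterable[str]) -> str:
    """'homogeneous' when every device shares the Manager's major version,
    'heterogeneous' when at least one device is on an earlier one."""
    m = major(parse_version(manager))
    same = all(major(parse_version(d)) == m for d in devices)
    return "homogeneous" if same else "heterogeneous"


def check_deployment(central_manager: str,
                     managers: List[Dict[str, Any]]) -> List[str]:
    """Return a list of rule violations (empty means the layout is valid).

    `managers` is a list of dicts: {"version": str, "sensors": [str, ...],
    "ntba": [str, ...]}; the latter two keys are optional.
    """
    problems: List[str] = []
    cm = major(parse_version(central_manager))
    for idx, mgr in enumerate(managers):
        mv = parse_version(mgr["version"])
        mm = major(mv)
        label = f"Manager {idx} ({fmt(mv)})"
        if mm > cm:
            problems.append(f"{label} is newer than Central Manager "
                            f"{central_manager}")
        groups = (("Sensor", mgr.get("sensors", [])),
                  ("NTBA", mgr.get("ntba", [])))
        for kind, devs in groups:
            for dev in devs:
                dv = parse_version(dev)
                dm = major(dv)
                if dm > mm:
                    problems.append(f"{label} cannot manage a newer {kind} "
                                    f"on {fmt(dv)}")
                elif mm == (8, 3) and dm not in SUPPORTED_DEVICE_MAJORS:
                    problems.append(f"{label} does not support {kind} "
                                    f"software {fmt(dv)}")
                elif (kind == "NTBA" and mm == (8, 3)
                      and dm in NTBA_MINIMUM and dv < NTBA_MINIMUM[dm]):
                    problems.append(f"{label}: NTBA {fmt(dv)} is below the "
                                    f"minimum {fmt(NTBA_MINIMUM[dm])}")
    return problems


if __name__ == "__main__":
    # Constructed deployment: an 8.3 Central Manager over an 8.3 Manager with
    # mixed device versions (one NTBA on the made-up build 7.1.3.20, below the
    # 7.1.3.26 minimum) and an 8.2 Manager that wrongly has an 8.3 Sensor.
    managers = [
        {"version": "8.3", "sensors": ["8.3", "8.2", "7.1"],
         "ntba": ["7.1.3.26", "7.5.3.35", "7.1.3.20"]},
        {"version": "8.2", "sensors": ["8.3"]},
    ]
    for mgr in managers:
        print(mgr["version"], classify(mgr["version"], mgr["sensors"]))
    for problem in check_deployment("8.3", managers):
        print("PROBLEM:", problem)
    print("6.0.1.2 -> 6.0.1.3:", can_switch_via_manager("6.0.1.2", "6.0.1.3"))
    print("6.0.1.2 -> 5.1.1.1:", can_switch_via_manager("6.0.1.2", "5.1.1.1"))
```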
McAfee strongly advises that you use the heterogeneous support feature only for the interim until you upgrade
all your Managers and Sensors to the latest version. This enables you to make use of the latest features in
Network Security Platform.
• Though the scenarios predominantly feature only the M-series and NS-series Sensors, an 8.3 Manager can
manage the Virtual IPS Sensors, NTBA, and XC-Cluster devices as well.
• An 8.3 Manager cannot manage N-series (NAC-only) Sensors and M-series Sensors, which have the NAC
feature enabled. Review the Important Notes section in Overview on page 5.
• 8.3 device software is available only for M-series Sensors, NS-series Sensors, Virtual IPS Sensors, NTBA
Appliances, and XC Cluster Appliances.
The subsequent sections discuss some sample scenarios. Proceed to the appropriate one for your deployment.
• Upgrade from a homogeneous 7.1, 7.5, 8.1, or 8.2 Manager environment to a heterogeneous 8.3 Manager
environment:
• Scenario 1 – Homogeneous, MDR setup on page 129
• Upgrade from a heterogeneous 7.1, 7.5, 8.1, or 8.2 Manager environment to a heterogeneous 8.3 Manager
environment:
• Scenario 3 - Heterogeneous, MDR setup on page 131
Review Upgrade path for the Central Manager and Manager on page 139 to know the version of the Central
Manager that you need to upgrade to 8.3.
1 Make sure the Central Managers, Managers, and Sensors meet the minimum required versions to upgrade
to the latest 8.3 version. If not, upgrade them to the required versions before you begin your 8.3
upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the Central Manager MDR pair to the latest 8.3 version. See How to upgrade the Central Manager?
on page 5.
4 Upgrade the required Manager MDR pairs to the latest 8.3 version. See How to Upgrade the Manager? on
page 5.
5 Upgrade the required Sensors to the latest 8.3 version. See How to perform signature set and Sensor
software upgrade on page 5.
1 Make sure the Central Manager, Managers, and Sensors meet the minimum required versions to upgrade to
the latest 8.3 version. If not, upgrade them to the required versions before you begin your 8.3
upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the standalone Central Manager to the latest 8.3 version. See How to upgrade the Central
Manager? on page 5.
4 Upgrade the required Managers to the latest 8.3 version. See How to Upgrade the Manager? on page 5.
5 Upgrade the required Sensors managed by the 8.3 Managers. See How to perform signature set and Sensor
software upgrade on page 5.
1 Make sure the Central Managers, Managers, and Sensors meet the minimum required versions to upgrade
to the latest 8.3 version. If not, upgrade them to the required versions before you begin your 8.3
upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the Central Manager MDR pair to the latest 8.3 version. See How to upgrade the Central Manager?
on page 5.
4 Upgrade the required Manager MDR pairs to the latest 8.3 version. See How to Upgrade the Manager? on
page 5.
5 Upgrade the required Sensors to the latest 8.3 version. See How to perform signature set and Sensor
software upgrade on page 5.
1 Make sure the Central Manager, Managers, and Sensors meet the minimum required versions to upgrade to
the latest 8.3 version. If not, upgrade them to the required versions before you begin your 8.3
upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the standalone Central Manager to the latest 8.3 version. See How to upgrade the Central
Manager? on page 5.
4 Upgrade the required Managers to the latest 8.3 version. See How to Upgrade the Manager? on page 5.
5 Upgrade the required Sensors to the latest 8.3 version. See How to perform signature set and Sensor
software upgrade on page 5.
• Upgrade from a homogeneous Sensor environment in 7.1, 7.5, 8.1, or 8.2 to a heterogeneous Sensor
environment in 8.3:
• Scenario 5 - Homogeneous, MDR setup on page 133
• Upgrade from a heterogeneous Sensor environment in 7.1, 7.5, 8.1, or 8.2 to a heterogeneous Sensor
environment in 8.3:
• Scenario 7 on page 135
See Minimum required Manager version to know the Manager versions that you need to upgrade to the latest
8.3.
1 Make sure that Managers and Sensors meet the minimum required versions to upgrade to the latest 8.3
version. If not, upgrade them to the required versions before you begin your 8.3 upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the Manager MDR pair to the latest 8.3 version. See How to Upgrade the Manager? on page 5.
4 Upgrade the required Sensors to the latest 8.3 version. See How to perform signature set and Sensor
software upgrade on page 5.
1 Make sure the Manager and Sensors meet the minimum required versions to upgrade to the latest 8.3
version. If not, upgrade them to the required versions before you begin your 8.3 upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the standalone Manager to the latest 8.3 version. See How to Upgrade the Manager? on page 5.
4 Upgrade the required Sensors to the relevant 8.3 version. See How to perform signature set and Sensor
software upgrade on page 5.
Scenario 7
This section describes the upgrade for a heterogeneous Sensor environment managed by an MDR pair of
Managers.
1 Make sure Managers and Sensors meet the minimum required versions to upgrade to the latest 8.3 version.
If not, upgrade them to the required versions before you begin your 8.3 upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the Manager MDR pair to the latest 8.3 version. See How to Upgrade the Manager? on page 5.
4 Upgrade the required Sensors to the latest 8.3 version. See How to perform signature set and Sensor
software upgrade on page 5.
1 Make sure the Manager and Sensors meet the minimum required versions to upgrade to the latest 8.3
version. If not, upgrade them to the required versions before you begin your 8.3 upgrade.
2 Make sure your current Network Security Platform deployment is functioning as configured and without any
issues.
3 Upgrade the standalone Manager to the latest 8.3 version. See How to Upgrade the Manager? on page 5.
4 Upgrade the required Sensors to the latest 8.3 version. See How to perform signature set and Sensor
software upgrade on page 5.
• From release 7.5, McAfee began phasing out client-side Java for Central Manager and Manager. The
objective is to improve overall performance and user experience. Also, from release 7.5, the Central
Manager and Manager user interfaces follow a task-based approach. This design gives you the ability to view
and drill down into network issues easily throughout the interface. Therefore, if you are upgrading your
Central Manager or Manager from a pre-7.5 release, see the Network Security Platform Addendum I to 7.5
Documentation and familiarize yourself with the UI enhancements from release 7.5.
• Most of the features have been enhanced over the releases. So, the corresponding user interfaces have
been changed for those enhancements.
• This guide provides information on those enhancements, which have an upgrade impact. However, see
Network Security Platform 8.3 guides and Online Help for detailed information on functionality and
navigation paths in 8.3.
Take note if you are currently using a pre-7.5 Central Manager or Manager. Over the releases, the names of some
features and their functionality have changed for a better user experience. The details of these
enhancements and changes are available in the upgrade guides and release notes of the 7.0, 7.1, and 7.5 releases.
The following are relevant only if your Network Security Platform upgrade is from 7.x to 8.2:
• From release 8.0, additional Snort rule options are supported. See the Network Security
Platform-8.0.5.9-8.0.3.10-M-Series-Release-Notes for the list of newly supported rule options. In a
heterogeneous Sensor environment, the Snort custom attacks containing these rule options are supported
by the 8.x Sensors but not by the 7.1 and 7.5 Sensors. So, a Snort custom attack that showed no errors when
you used the Test Compile feature might still fail to compile on 7.1 and 7.5 Sensors.
• The IP Settings page in release 7.5 is renamed as IP Bindings in 8.x. However, the navigation path to this page is
the same.
• Several aspects of the Manager UI and functionality have changed in Network Security Platform 8.3. Some
of these changes also take effect in heterogeneous environments. See the following sections to
acquaint yourself with these changes if you are upgrading:
• Notes about the Analysis tab on page 152
Notes:
• In this section, the term NTBA device refers to physical as well as virtual NTBA.
• In the context of NTBA, a heterogeneous environment means 7.1, 7.5, 8.1, and 8.2 NTBA devices managed
by Manager 8.3.
This note is applicable only if you have NTBA devices on 7.1 and 7.5 managed by a Manager on 8.3. For 7.1 NTBA,
the minimum version required for a heterogeneous NTBA environment is 7.1.3.26. For 7.5 NTBA, the minimum
version required for a heterogeneous NTBA environment is 7.5.3.35.
Notes:
• If the Sensor version is 7.1 and NTBA version is 7.5 or later, the antimalware and network forensics features
are not supported.
• If the Sensor version is earlier than 8.2 and NTBA version is 8.2, the network forensics feature is not
supported.
If you have the Central Manager deployed, you must upgrade it to 8.3 before you upgrade the corresponding
Managers. That is, the Central Manager must be of the same or a higher version than the corresponding
Managers.
This chapter provides detailed explanation on how to upgrade the Central Manager to the latest 8.3. If you have
not deployed a Central Manager, proceed to How to Upgrade the Manager? on page 5.
Contents
Upgrade requirements for the Central Manager
Preparation for the upgrade
Central Manager and operating system upgrade
MDR Central Manager upgrade
Standalone Central Manager upgrade
If you are using a hotfix release, contact McAfee support for the recommended upgrade path.
Intermediate 8.1 Manager versions later than 8.1.7.91 cannot be upgraded to the latest 8.3 Manager version. All
intermediate 8.3 Manager versions can be upgraded to the latest 8.3 Manager version.
These suggestions do not take into account the amount of disk space you require for alert and packet log
storage. See the McAfee Network Security Platform Manager Administration Guide for suggestions on calculating
your database capacity requirements.
Memory 8 GB >16 GB
The McAfee Network Security Platform Troubleshooting Guide provides a number of pre-installation tips and
suggestions that McAfee recommends you familiarize yourself with before you begin your upgrade. If you run
into any issues, we suggest you check this guide for a possible solution.
The following are the system requirements for hosting the Central Manager/Manager server on a VMware platform:
CPU: Intel Xeon® CPU ES 5335 @ 2.00 GHz; Physical Processors: 2; Logical Processors: 8; Processor Speed: 2.00 GHz
Memory: Physical Memory 16 GB
Internal Disks: 1 TB
Memory 8 GB >16 GB
Before you begin the upgrade, make sure that no processes related to McAfee® Network Security Platform (such
as automated database archival) are scheduled during the upgrade time frame. Any such concurrent activity
might cause conflicts and result in upgrade failure.
Make sure to review all considerations mentioned in this section before you proceed with the upgrade.
Save your entire backup in a different location than the current Central Manager or Manager to prevent data loss.
After you back up the Network Security Platform data, you can consider purging the Manager tables. Details on
how to purge the database tables are in the McAfee Network Security Platform Manager Administration Guide.
Purging the database tables can significantly shorten the Manager upgrade window. If you need the older alerts
and packet logs, you can restore the database backup on an offline Manager server for viewing and reporting
on that data.
All tables backup is time consuming (based upon the size of your database); however, it guarantees the integrity
of your existing data. All tables backup includes the entire database, that is, all configurations, user activity, alert
information, and custom attacks. However, McAfee recommends a separate all tables and config tables backup.
This provides you options if for some reason you want to roll back to your earlier version of the Central
Manager or Manager.
Notes:
• Preferably, stop the Central Manager or Manager service before you begin any backup process.
• For step-by-step information on all tables and config tables backup as well as archiving alerts and packet
logs, see the McAfee Network Security Platform Manager Administration Guide.
• Central Manager upgrade downtime window — How long the upgrade takes depends on the size of your
deployment and the size of your database. The Central Manager upgrade process alone can take an hour to
complete.
• Operating system upgrade downtime — The latest Central Manager 8.3 is supported on various
Windows operating systems as mentioned in Central Manager and Manager system requirements on
page 140.
If you want to upgrade the operating system of your Central Manager server, for example from Windows
Server 2008 R2, SP1, Standard or Enterprise Edition (Full Installation) to Windows Server 2012 Standard
(Server with a GUI), you must factor this in when you estimate the Central Manager downtime.
• Database backup before and after upgrade — It is critical that you perform a full backup of your database
using the All Tables as well as Config Tables options both before and after the upgrade. Backing up before
upgrading enables you to roll back to your earlier version should you encounter problems during upgrade.
Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of the
8.3 database that you upgraded to. Importantly, when you are backing up the database, there should not be
any scheduled task running in the background.
You cannot restore the database from a lower version Central Manager on a higher version.
• If it is an upgrade from 7.1, see Note regarding Manager Users and Roles on page 160.
• If it is an upgrade from 7.1 or 7.5, see Change in the default database character set on page 144.
• See the sections applicable to Central Manager in Enhancements related to extJS migration in release 8.2.
Custom Attacks
Earlier, the custom attacks option was available when you went to Policy | <Admin Domain Name> | Intrusion
Prevention | Advanced | Custom Attacks. At the bottom of that page was the Custom Attacks Editor button to open a
pop-up window.
However, with the migration to 8.3, this option is replaced with one that places Custom Attacks within the
context of IPS policies, since the eventual impact is on the IPS policies you assign. You now open the custom
attacks editor by clicking the Custom Attacks button at the bottom of the IPS Policies page. An extJS pop-up
appears within the same window.
Custom McAfee Attacks are now referred to as Native McAfee Format attacks, while Snort Rules are now known as
Snort Attacks. Each of these two types of attacks is available in its specific tab.
For more details, refer to part, Custom Attacks, in the Network Security Platform 8.3 Manager Administration Guide.
Health Check
When you upgrade the Central Manager from version 7.5, 8.0, or 8.2, you will notice a diagnostics tool known as the
Health Check at Manager | Troubleshooting | Health Check.
The Health Check feature enables you to view and monitor important parameters in the Central Manager.
The Health Check feature is not available in previous versions of the Manager other than 8.1. All options you see
after an upgrade from versions other than 8.1 are new.
Disk Usage
If you are upgrading from 7.5, 8.0 or 8.2, you will notice this option has been moved to the Health Check page. It is
located within the Summary category.
You also notice that the Disk Usage checking option has been enhanced to explicitly mention disk used by alerts
and that used by the database.
This section provides the steps to upgrade the primary and secondary Central Managers configured for
Manager Disaster Recovery (MDR).
Task
1 Using the Switch Over feature, make the secondary Central Manager active.
• If your current Manager version is earlier than 7.5, select My Company | Central Manager | MDR | Manager Pair.
• For 7.5 and later, click Manage and select the root admin domain. Then go to Setup | MDR | Switch Over.
3 If not done already, upgrade to the latest 8.7 signature set in the primary, active Central Manager. See
Upgrade the signature set for the Central Manager on page 146.
6 Using the Switch Back feature, make the primary the active Central Manager.
• If you want to upgrade the RAM on the Central Manager server, make sure you do that before
you begin the Central Manager upgrade.
• You have reviewed and understood the implications of the upgrade considerations discussed in
Review the upgrade considerations on page 142.
• You have backed up your current Central Manager data. See Backing up Network Security
Platform data on page 142.
• You have the latest 8.3 Central Manager installable file at hand. You can download it from the
McAfee Update Server. See Download the Manager/Central Manager executable on page 22 for
information.
• You have stopped all third-party applications such as Security Information and Event
Management (SIEM) agents. It is especially important that you stop any such third-party
application that communicates with the MySQL database. The Central Manager cannot upgrade
the database if MySQL is actively communicating with another application.
If this is an upgrade of a Central Manager in an MDR pair, switch it to standby mode before you
proceed. Make sure you are following the steps in MDR Central Manager upgrade on page 144.
Task
1 Stop the McAfee Network Security Central Manager service.
Right-click the Central Manager icon in the tray at the bottom-right corner of your server's screen and stop the service.
Alternatively, go to Windows Control Panel | Administrative Tools | Services. Then right-click McAfee Network Security
Central Manager and select Stop.
2 Stop the McAfee Network Security Central Manager Watchdog service using the same method as described in step 1.
Make sure the McAfee Network Security Manager Database service remains started.
3 Exit the Central Manager tray from the Windows Task Bar.
4 Close all open applications. (If any application is interacting with Network Security Platform, your installation
might be unsuccessful.)
5 Move any saved report files from the server to some other location.
The reports are saved at <Central Manager install directory>\App\REPORTS.
7 Install the Central Manager as described in Installing the Central Manager on page 39.
8 At the end of the upgrade process, you might be required to restart the server. If prompted, it is highly
recommended that you restart the server.
In the Install Complete page of the Installation Wizard, select one of the following:
• Select Yes, restart my system to restart the server immediately.
• Select No, I will restart my system myself to complete the upgrade process without restarting the server. You
can restart the server at a later point in time. Clicking Done in the Manager Installation Wizard will start
the Central Manager services.
11 Check the Status page to ensure that the Central Manager database and the Managers are up.
To complete the Central Manager upgrade, you must upgrade to the latest 8.7 Signature Set. See Upgrade
the signature set for the Central Manager on page 146.
Tasks
• Upgrade the signature set for the Central Manager on page 146
2 If you created McAfee custom attacks prior to upgrade, verify that those attacks are present in the Custom
Attack Editor.
3 Select Manage | Troubleshooting | System Faults to see whether an Incompatible custom attack fault is raised.
This fault could be caused by Custom Snort Rules that contain unsupported PCRE constructs. See Note
regarding Custom Snort Rules.
Signature Set upgrade is now complete for the Central Manager. For a list of currently supported protocols, see
KnowledgeBase article KB61036 at mysupport.mcafee.com.
• If you have a Central Manager MDR, upgrade the secondary Central Manager.
• If you have upgraded both primary and secondary or if you have only a standalone Central Manager,
upgrade the corresponding Managers.
This chapter provides detailed explanation on how to upgrade the Manager to the latest 8.3 version. You must
upgrade the Manager before you can upgrade the devices.
Contents
Upgrade requirements for the Manager
Preparation for the upgrade
Operating system upgrade scenarios
MDR Manager upgrade
Standalone Manager upgrade
If you are using a hotfix release, contact McAfee support for the recommended upgrade path.
Intermediate 8.1 Manager versions later than 8.1.7.91 cannot be upgraded to the latest 8.3 Manager version. All
intermediate 8.3 Manager versions can be upgraded to the latest 8.3 Manager version.
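The upgrade-path rule just stated is easy to misapply by hand when several Managers are involved, because the cut-off sits in the fourth version component. The following Python script is an added example, not code from the McAfee guide: it triages a list of Manager versions against that rule. The only value it takes from the guide is the 8.1.7.91 cut-off; the Manager names and other version strings are constructed. Streams the rule does not cover are reported as needing the guide's upgrade-path table, and hotfix builds are reported separately because the guide says to contact McAfee support for those. Whether a build is a hotfix is an input you supply, since it cannot be read off the version string here.

```python
"""Triage Manager versions against the guide's upgrade-path rule: intermediate
8.1 Manager versions later than 8.1.7.91 cannot upgrade directly to the latest
8.3 Manager, while any intermediate 8.3 version can.

Added example, not code from the McAfee guide. 8.1.7.91 is the cut-off the
guide gives; every other version string and all Manager names are constructed.
"""
from __future__ import annotations

LAST_DIRECTLY_UPGRADABLE_81 = (8, 1, 7, 91)   # cut-off stated in the guide


def parse_version(text: str) -> tuple[int, ...]:
    """'8.1.7.91' -> (8, 1, 7, 91); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def upgrade_status(version: str, hotfix: bool = False) -> str:
    """One of: 'eligible', 'blocked', 'contact-support', 'check-upgrade-path'.

    'eligible' means only that this rule does not block the upgrade; the
    minimum-required-version check the guide refers to elsewhere is separate.
    """
    if hotfix:
        return "contact-support"          # the guide: ask support for the path
    v = parse_version(version)
    stream = v[:2]
    if stream == (8, 3):
        return "eligible"
    if stream == (8, 1):
        # Tuple comparison handles the fourth component: (8,1,7,95) > (8,1,7,91)
        # and (8,1,8,2) > (8,1,7,91), while (8,1,5,30) < (8,1,7,91).
        return "eligible" if v <= LAST_DIRECTLY_UPGRADABLE_81 else "blocked"
    return "check-upgrade-path"           # 7.x, 8.0, 8.2: use the guide's table


# Constructed inventory: (Manager name, version, is_hotfix_build)
SAMPLE_MANAGERS = [
    ("nsm-hq-primary", "8.1.7.91", False),
    ("nsm-hq-secondary", "8.1.7.95", False),
    ("nsm-branch", "8.3.2.10", False),
    ("nsm-lab", "7.5.1.2", False),
    ("nsm-dr", "8.1.7.91", True),
]


def triage(managers=SAMPLE_MANAGERS) -> dict[str, list[str]]:
    """Group Manager names by upgrade status, preserving inventory order."""
    buckets: dict[str, list[str]] = {}
    for name, version, hotfix in managers:
        buckets.setdefault(upgrade_status(version, hotfix), []).append(name)
    return buckets


if __name__ == "__main__":
    for status, names in triage().items():
        print(f"{status:18} {', '.join(names)}")
```

A Manager in the `blocked` bucket needs an intermediate step before the 8.3 upgrade, which is exactly the case the hard-wrapped sentence above is warning about.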
These suggestions do not take into account the amount of disk space you require for alert and packet log
storage. See the McAfee Network Security Platform Manager Administration Guide for suggestions on calculating
your database capacity requirements.
Memory 8 GB >16 GB
The McAfee Network Security Platform Troubleshooting Guide provides a number of pre-installation tips and
suggestions that McAfee recommends you familiarize yourself with before you begin your upgrade. If you run
into any issues, we suggest you check this guide for a possible solution.
The following are the system requirements for hosting the Central Manager/Manager server on a VMware platform:
CPU: Intel Xeon® CPU ES 5335 @ 2.00 GHz; Physical Processors: 2; Logical Processors: 8; Processor Speed: 2.00 GHz
Memory: Physical Memory 16 GB
Internal Disks: 1 TB
Memory 8 GB >16 GB
Before you begin the upgrade, make sure that no processes related to McAfee® Network Security Platform (such
as automated database archival) are scheduled during the upgrade time frame. Any such concurrent activity
might cause conflicts and result in upgrade failure.
Make sure to review all considerations mentioned in this section before you proceed with the upgrade.
• Operating system upgrade downtime — The latest Manager 8.3 is supported on various Windows operating
systems as mentioned in Central Manager and Manager system requirements on page 140.
If you want to upgrade the operating system of your Manager server, for example from Windows Server
2008 R2, SP1, Standard or Enterprise Edition (Full Installation) to Windows Server 2012 Standard (Server with
a GUI), you must factor this in when you estimate the Manager downtime.
• How a Sensor functions during the upgrade downtime — A Sensor that has not yet been upgraded loses
connectivity to the Manager while the Manager upgrades. It continues to inspect traffic and queues the
latest alerts (up to 100,000 alerts) while the Manager is offline, and it sends these queued alerts to the
Manager when it re-establishes connectivity after the upgrade.
You cannot restore the database from a lower version Manager on a higher version Manager.
• Security Monitors: Attacks Over Time, Top Files, Top Destinations
• Operational monitors: CPU Usage, Flow Usage, Throughput Usage
In general, many column labels have been changed to align with the increased focus on “attacks” rather than
“events”. Because of the migration to extJS, the Real-Time Threat Analyzer is replaced by the Attack Log, which readily
shows you unacknowledged attacks to reduce the noise from relatively trivial alerts. However, you are able to
remove the filter and view all alerts if you want to.
For more information regarding the updates in the Analysis tab, see the McAfee Network Security Platform 9.1
Manager Administration Guide.
Threat Explorer
At the top of the page, the View Alerts and PCAPs button is now relabeled View Attacks. This is in keeping with the
replacement of the Threat Analyzer with the Attack Log.
Malware Files
Since all malware detections point to malicious files entering the network, this page has been renamed the
Malware Files page. Since you no longer need to open the Real-Time Threat Analyzer, the lower pane that existed
in the Malware Detections page is no longer necessary. In release 8.3, you can double-click any file hash for
which you want to view a detailed report of all attacks. Clicking the file hash opens a pop-up window of the
Attack Log with all alerts for that file hash listed, with a filter placed on that specific file hash.
Subtler changes you will notice in the Malware Files page are the column labels and the columns displayed in
the page by default.
• Last Attack column replaced the Last Detection column. There is no apparent change in the data presented and
this column still carries a date and time stamp of the last attack.
• Total Attacks column replaces the Total Detections column to keep the changes for the rest of the UI consistent.
Here too, there is no change in the data and the number is representative of the number of attacks from
that particular file-hash in the selected duration.
• Columns displayed now are fewer than those displayed in previous versions. You must now manually
activate the File Size (bytes) and the Comment columns.
Callback Activity
The columns are relabeled to reflect the naming convention adopted in release 8.3.
• Activity column replaces the Botnet column.
Double-clicking any of the rows in the Callback Activity pane opens the Attack Log as a pop-up window with all
attacks by that bot family listed.
Selecting any of the rows displays all compromised endpoints, or zombies, controlled by that bot in the Zombies
for pane.
Double-clicking any of the rows in the Zombies for pane opens the Attack Log as a pop-up window with all attacks
by that bot family listed.
Attack Log
The Threat Analyzer – Historical and Real-Time – is a dashboard of system parameters, latest attacks, and
informational alerts. However, with the migration to extJS, the Threat Analyzer has been dismantled to separate
screens that relate to attacks from screens that do not relate to attack information. An effort has also been
made to include screens that provide device information within those tabs.
This section describes some of the prominent changes in the Attack Log, which replaces the Alerts tab in the Threat
Analyzer. The Attack Log can be accessed at Analysis | <Admin Domain Name> | Attack Log.
• The Akka framework increases the ability of the Manager to process over 30 attacks per second depending
on available hardware resources.
• A fundamental improvement over the Real-Time Threat Analyzer is that the Attack Log does not refresh
automatically. It enables you to analyze an attack without the page constantly refreshing, which is especially
valuable in a busy network. This means you choose when to refresh the list of attacks.
• By default, only attacks that are unacknowledged appear in the Attack Log. Selecting the drop-down at the
top of the page enables you to toggle between acknowledged attacks, unacknowledged attacks, and all
attacks. However, this does not refresh the list of attacks in the Attack Log.
• Double-clicking any attack brings up the attack details pane on the right. This pane offers a view of all
information pertinent to the attack across three tabs – Summary, Details and Description. It even offers you the
option to blacklist or whitelist a file hash.
• Depending on the privileges you assign to a user, the Packet Capture column appears in the Attack Log. The
Export link in this column is a direct hyperlink to the .pcap file.
• Ack and Unack options are available at the bottom of the page. All attacks that are acknowledged appear with
a green checkmark under a column with the same icon (which was the Acknowledged column in the Threat
Analyzer). Those that are not, appear blank.
• A Delete button at the bottom enables you to select an attack and clear it from the list.
• In addition to the columns displayed by default, several columns can be enabled by clicking the arrow of any
of the displayed columns and hovering the mouse over Columns.
• A column specific to callback activity is displayed under the Callback Activity column.
For more details about the Attack Log, refer to the chapter, Attack Log, in the McAfee Network Security Platform
8.3 Manager Administration Guide.
So for example, to create a new advanced malware policy you must now go to Policy | <Admin Domain Name> |
Intrusion Prevention | Policy Types | Advanced Malware Policies.
Custom Attacks
Earlier, the custom attacks option was available when you went to Policy | <Admin Domain Name> | Intrusion
Prevention | Advanced | Custom Attacks. At the bottom of that page was the Custom Attacks Editor button to open a
pop-up window.
However, with the migration to 8.3, this option is replaced with the more concise option mentioned here. You now
open the custom attacks editor by clicking the Custom Attacks button at the bottom of the IPS Policies page. An
extJS pop-up appears within the same window.
Custom McAfee Attacks are now referred to as Native McAfee Format attacks, while Snort Rules are now known as
Snort Attacks. Each of these two types of attacks is available in its specific tab.
For more details, refer to part, Custom Attacks, in the Network Security Platform 8.3 Manager Administration Guide.
To accommodate this change the PDF / Flash Analysis engine has been relabeled the NSP Analysis engine. This
engine is now capable of analyzing the following files for threats:
• JavaScript in PDF files
So when you upgrade the Manager, in addition to PDF Files and Flash Files, the MS Office Files option is also
selected under NSP Analysis in the Scanning Options section of the page.
The current limit for user-configurable file hashes is 100,000. From this release onward, the number of
user-configurable whitelisted and blacklisted file hashes is 99,000. In addition to this, another 1000 file hashes
will be provided through the McAfee callback detector file, bringing the total number to 100,000 per
Manager-instance.
McAfee-provided file hashes cannot be viewed in the Manager and are constantly updated.
If you have configured McAfee DAT file update, more relevant file hashes get added to the DAT file in favor of
obsolete ones.
Hypothetically, if you had 100,000 file hashes between the two lists in a previous version, upgrading to 8.3 will
remove 1000 of the most recent file hashes added to make way for McAfee-supplied file hashes.
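Because the upgrade trims the most recently added entries rather than asking, an operator who is near the old 100,000 limit will want to know in advance which whitelist and blacklist hashes would go. The following Python script is an added example, not code from the McAfee guide: it takes an export of both lists, orders it by the time each hash was added and reports everything beyond the new 99,000 user-configurable slots. It encodes only what the guide states (100,000 before, 99,000 after, the newest 1,000 removed); the sample entries are constructed, and the assumption that your export carries an "added" timestamp per hash is one you must check against your own export format.

```python
"""Predict which whitelist/blacklist file hashes the 8.3 upgrade would drop.

Added example, not code from the McAfee guide. It encodes only what the
guide states: the user-configurable limit goes from 100,000 to 99,000 and the
upgrade removes the 1,000 most recently added hashes beyond that. The sample
lists are constructed; the per-hash "added" timestamp is an assumption about
the export format.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

USER_LIMIT_BEFORE_83 = 100_000
USER_LIMIT_83 = 99_000          # 1,000 slots now reserved for McAfee-supplied hashes


@dataclass(frozen=True)
class HashEntry:
    digest: str        # hex digest as exported
    list_name: str     # "whitelist" or "blacklist"
    added_at: datetime


def hashes_at_risk(entries: list[HashEntry], limit: int = USER_LIMIT_83) -> list[HashEntry]:
    """Entries beyond `limit` when both lists are ordered oldest-first, i.e.
    the newest ones, which the guide says the upgrade removes."""
    ordered = sorted(entries, key=lambda e: e.added_at)
    return ordered[limit:]


def build_sample(n: int, start: datetime = datetime(2016, 1, 1)) -> list[HashEntry]:
    """Constructed data: n SHA-256 digests added one minute apart, alternating
    between the two lists. Nothing here is a real indicator."""
    return [
        HashEntry(hashlib.sha256(f"sample-{i}".encode()).hexdigest(),
                  "blacklist" if i % 2 else "whitelist",
                  start + timedelta(minutes=i))
        for i in range(n)
    ]


def summarize(entries: list[HashEntry], limit: int = USER_LIMIT_83) -> dict[str, int]:
    """Counts an operator can act on before the upgrade: what stays, what goes,
    and how the loss splits across the two lists."""
    at_risk = hashes_at_risk(entries, limit)
    return {
        "total": len(entries),
        "kept": len(entries) - len(at_risk),
        "dropped": len(at_risk),
        "dropped_blacklist": sum(e.list_name == "blacklist" for e in at_risk),
        "dropped_whitelist": sum(e.list_name == "whitelist" for e in at_risk),
    }


if __name__ == "__main__":
    full = build_sample(USER_LIMIT_BEFORE_83)
    print(summarize(full))
    for e in hashes_at_risk(full)[:3]:
        print(e.added_at.isoformat(), e.list_name, e.digest)
```

The `dropped_blacklist` count is the one to watch: a blacklisted hash that silently disappears is a detection gap, whereas a lost whitelist entry shows up as a false positive you will notice. Exporting the at-risk entries before the upgrade and re-adding the important ones afterwards avoids both.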
To view this list, go to Policy | <Admin Domain Name> | Intrusion Prevention | Exceptions | Domain Name Exceptions and
click the IPS Inspection Whitelist tab.
The number of callback detection domain names remains unchanged at 700, with the same options to import,
export, and delete. However, this version also enables you to save the list to a CSV file. All options are now
provided at the bottom of the page.
Further, in this release you can delegate other users to add exceptions to the callback detection whitelist.
Previous releases only allowed the administrator.
To view or modify this list, go to Policy | <Admin Domain Name> | Intrusion Prevention | Exceptions | Domain Name
Exceptions and click the Callback Detection Whitelist tab.
Auto-Acknowledgement Rules
Manager version 8.3 has a revamped user interface to configure auto-acknowledgement of attacks.
• Firstly, it introduces a tab to configure specific rules for auto acknowledgement of attacks. This was earlier
available as the Automatic Alert Acknowledgement Rules option that was available in the Threat Analyzer under
Create Exceptions.
• When you enable automatic acknowledgement of attacks, the default severity it now picks up is Medium (5).
To add specific rules for auto acknowledgement of attacks, go to Policy | <Admin Domain Name> | Intrusion Prevention
| Exceptions | Auto-Acknowledgement and click the Auto-Acknowledgement Rules tab.
NTBA Policies
When you upgrade the Manager from 7.x or 8.x, the default NTBA policies reflect the new nomenclature. The
Default NTBA Policy continues to be located at Policy | <Admin Domain Name> | Network Threat Behavior Analysis |
NTBA Policies but is nested under Master NTBA Attack Repository, which is a repository of all attack definitions.
Any NTBA policy you create in the Manager will be nested under this category.
However, this category is visible only when you access the root admin domain in the Manager.
If you are running a pure 8.3 deployment, the Worm Policies node at Policy | <Admin Domain Name> | Network Threat
Behavior Analysis | Worm Policies disappears after you complete the upgrade. Instead, all 6 types of worm attacks
are available within the NTBA policies.
Communication Rules
Until now, Communication Rules have been part of NTBA Policies. When you upgrade to Manager, version 8.3, they
appear in the menu as a separate workflow. The following notes will help you transition to the new
format:
• While you were able to add Communication Rules from a tab in the Add an NTBA Policy window in previous
Manager versions, you must now go to Policy | <Admin Domain Name> | Network Threat Behavior Analysis |
Communication Rules.
• In earlier releases, Communication Rules are assigned to CIDR zones. From release 8.2, they are assigned to a
domain but can contain a source zone and a destination zone.
• Communication Rules are evaluated for each flow and the order in which they are displayed in the
Communication Rules page does not matter.
• For the Risk / Address column, each parameter is evaluated as a logical OR condition. For example, consider a
rule which has the following parameters in the Risk / Address column:
• a medium or higher risk,
• present in France,
• present in China.
The flow is marked malicious if the host has a medium or higher risk OR is found in France OR is found in
China.
• When you upgrade the Manager or the NTBA Appliance, all existing Communication Rules are removed from
the NTBA Policies. You must recreate all Communication Rules using the new user-interface and logic.
If you had enabled automatic updating for Gateway Anti-Malware Engine in version 8.2, those settings are
carried forward and 8.3 devices are updated automatically. The same logic applies to a heterogeneous
environment in which version 8.2 devices are managed by a version 8.3 Manager.
Gateway Anti-Malware Engine was not available in pre-8.2 NS-series Sensors, so if you upgraded from 8.1 or an earlier
version, Gateway Anti-Malware is disabled by default and must be configured at either of the locations
mentioned below:
• Devices | <Admin Domain Name> | Global | Common Device Settings | GAM Updating
• Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | GAM Updating
Manual updating continues to be made available like it was in Network Security Platform 8.2, with the caveat
that a version 8.3 Manager will only be able to update version 2014 of Gateway Anti-Malware Engine. Sensors
running version 8.2 software will need to be configured in the Manager for automatic updating.
To use this feature, go to one of these paths depending on whether you want to configure it for a Sensor or a
domain:
• Devices | <Admin Domain name> | Global | IPS Device Settings | Advanced Device Settings
• Devices | <Admin Domain name> | Devices | <Device name> | IPS Device Settings | Advanced Device Settings
CLI Auditing, a configuration page replaced by CLI Logging, is only available in the Manager for pre-8.3 Sensors.
So if you had configured a pre-8.3 Sensor for CLI auditing, after an upgrade to 8.3 the Sensor shows
Log to Device Only in the CLI Activity Logging field.
However, all other settings on this page are disabled in their default state and need to be configured manually.
2 Click New to create a new policy, or select an existing policy and click Edit.
3 In the Inspection Options tab, look for the Miscellaneous section.
In addition to the layer 7 data collection changes in the Policy tab, layer 7 data collection has been modified in the
L7 Data Collection page at Devices | <Admin Domain Name> | Devices | <Device Name> | Setup |
Advanced | L7 Data Collection. Some of the options have been only partially enabled or disabled to improve
performance. The list below shows the default configuration status in Manager, version 8.3:
• ftp – Customize
• smtp – Customize
• netbios-ss – Disable
Traffic Statistics
Traffic Statistics provide data for different traffic parameters to maintain and improve Sensor health. The
various Sensor performance details that were available as monitors in the Threat Analyzer, are now available in
the Traffic Statistics page. The Sensor CLI data and data displayed in the Traffic Statistics page are the same.
The following Threat Analyzer monitors are now migrated and available in the Traffic Statistics page:
To view the traffic data, go to Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Traffic
Statistics.
Performance Charts
The Sensor performance charts that were available in the Threat Analyzer are now migrated to Performance
Charts in the Manager, version 8.3. You can monitor Sensor performance metrics depending on the Sensor’s
port throughput utilization, flow usage, and CPU usage.
To view the Sensor performance charts, go to Devices | <Admin Domain Name> | Devices | <Device Name> |
Troubleshooting | Performance Charts.
For more information regarding the updates in the Manager tab, see McAfee Network Security Platform 9.1
Manager Administration Guide.
Release 8.3 lets you automatically import non-MVM reports into the Manager, to be used to compute
alert relevance. You can view alert relevance in the Attack Log.
To configure automatic import of non-MVM reports, go to Manager | <Admin Domain Name> | Integration | Vulnerability
Assessment | Non-MVM Report Import.
Since the Alert Relevance feature was introduced in version 7.5, you have had the option of using scan reports
from McAfee Vulnerability Manager or similar products to decide relevance of an attack on an endpoint. If you
have made any configurations for this, there will be no changes after an upgrade.
Options for vulnerability scanning are now available in the following locations:
• Manager | <Admin Domain Name> | Integration | Vulnerability Assessment | MVM | Vulnerability Scanning.
Options for alert relevance are now available in the following locations:
• Manager | <Admin Domain Name> | Integration | Vulnerability Assessment | MVM | Alert Relevance.
Health Check
When you upgrade from Manager, version 8.1, you will notice options to select checks based on the following
criteria:
• Summary Only
The Health Check feature is not available in Manager versions other than 8.1. All options you see after an
upgrade from a version other than 8.1 are new.
Disk Usage
If you are upgrading from 7.5, 8.0 or 8.2, you will notice this option has been moved to the Health Check page. It is
located within the Summary category.
You will also notice that the Disk Usage check has been enhanced to explicitly distinguish the disk space used by alerts
from that used by the database.
• To match with the extensive enhancements, from release 7.5, the Manager has a new and enhanced list of
privileges. There is no mapping between the privileges in the earlier releases and the privileges in 7.5 and
later.
• The names of the default roles are unchanged in 7.5 and later. However, these roles now have the new
privileges assigned to them. To view a comparison between the list of privileges in 7.1 and 7.5, refer to the
Network Security Platform 7.5 Addendum I.
• The users, custom roles, and the roles assigned to users are all preserved during the upgrade. However, the
upgrade process removes all the privileges assigned to custom roles. This is because of the new privileges in
7.5 and later. Therefore, you must reassign the privileges to your custom roles post-upgrade. Until then
those privileges are denied to the corresponding users. Consider a user Jane to whom you have assigned
Custom Role 1 prior to upgrade. Assume that you had also assigned a few privileges to Custom Role 1. Post
upgrade, Custom Role 1 has no privileges assigned. Unless you reassign the new privileges to Custom Role 1,
Jane is denied access to the Manager.
In release 7.5 and later, the Traffic Management feature is greatly enhanced and referred to as Quality of
Service (QoS). The enhancements are as follows:
• In the earlier releases, you enable the Traffic Management feature at the Sensor level. Then you configure
the criteria and the corresponding queues at the port level. From release 7.5.x, QoS is policy-based and
similar to the Internal Firewall feature. You define the QoS policy and the component rules for Rate Limiting,
DiffServ tagging, and VLAN 802.1p tagging. Then you assign this policy to inline ports. These QoS rules are
similar to Firewall rules in functionality.
• QoS Policies are of two types – Advanced and Classic. Advanced QoS policies give you more options to
precisely classify traffic. Classic QoS policies correspond to the Traffic Management feature of the earlier
releases.
• In the earlier releases, you specify the Rate limiting queues for each inline port. From release 7.5, the
equivalent of Rate Limiting queues are the Rate Limiting Profiles. Functionality wise there is no difference
between the Rate Limiting queues of the earlier releases and the Rate Limiting Profiles. You define the Rate
Limiting Profiles for an admin domain and apply it to all required inline ports of that domain.
• In the earlier releases, for each inline port, you define queues for DiffServ tagging and VLAN 802.1p tagging.
From release 7.5.x, the queues for DiffServ and 802.1p are replaced by firewall-like rules. That is, you define
separate sets of rules for DiffServ and 802.1p that the Sensor executes in a top-down fashion. When the
traffic matches a rule, the Sensor tags the traffic with the corresponding DiffServ or 802.1p value specified in
the rule.
To understand the information in this section, you must be familiar with the Traffic Management feature of
earlier releases as well as the QoS feature in 8.x.
Going forward in this section, the terms Traffic Management and Queues implicitly refer to the feature in
Network Security Platform 7.1. The terms QoS, QoS Rules, Rate Limiting Profiles refer to the feature in Network
Security Platform 7.5 and later.
Notes:
• When you upgrade the Manager, it identifies the ports where you have configured Traffic Management. For
each port that you have configured Traffic Management, it creates an editable Classic QoS Policy that
matches with your Traffic Management configuration.
• The Manager creates these policies at the corresponding admin domain and assigns them a random name
beginning with TMPolicy.
• The Manager assigns these policies to the corresponding monitoring ports and in the correct direction as
well. For example, you had configured Traffic Management for port 7A, which is connected to your inside
network. Post-upgrade, the QoS Policy that the Manager created is assigned to 7A-7B/Inbound.
• In a QoS Policy that it created for a port, the Manager includes the rules for each technique. That is, it
creates the Rate Limiting Rules for the Rate Limiting Queues. Similarly, it creates the rules for DiffServ and
VLAN 802.1p.
• To create these QoS Rules, the Manager uses the default Service Rule Objects for the protocols that you had
specified in your Traffic Management configuration. If an equivalent Service Rule Object does not exist, it
creates a custom Service Rule Object. For the TCP ports, UDP ports, and IP Protocol Numbers that you had
specified, the Manager creates custom Service Rule Objects.
• Consider the Traffic Management Queues as shown in the graphic below. The protocol and port numbers
used in the graphic are purely for explanation purpose only.
In the QoS Policy, the Manager creates separate Rate Limiting Rules for each set of Protocols, TCP Ports, UDP
Ports, and IP Protocol Numbers. These rules are created in the same order as indicated in the graphic. Since
the Sensor executes these rules in a top-down fashion, it is important that you understand the order in
which these rules are created. You can rearrange this order post-upgrade. Similarly, the Manager creates the
rules for DiffServ and VLAN 802.1p tagging.
In a QoS Rule, you can specify only up to 10 Rule Objects for Service. Therefore, only the first 10 Protocols
that you specified in the Queue are considered. Similarly, only the first 10 TCP Ports are considered.
Therefore, post-upgrade create additional QoS Rules to accommodate the additional Protocols or Port
numbers. Also, review these Classic QoS Policies to make sure that your Traffic Management configuration is
preserved.
• The Manager creates the QoS policies for every port for which you have configured Traffic Management.
Even if the configuration is the same, separate policies are created.
• For all Rate Limiting Queues you defined for a monitoring port, the Manager creates one Rate Limiting
Profile. In this Profile, it defines the Classes with the corresponding bandwidth limit. For example, if you had
created two Rate Limiting Queues with the values 1024 Kbps and 50 Mbps, the Manager creates a Rate
Limiting Profile with Class 1 assigned 1024 Kbps and Class 2 assigned 50 Mbps.
• The Manager names this Profile with a random name starting with QueueProfile. It also assigns this Profile on
the corresponding port and in the correct direction.
In Manager 8.2 and later, you can assign QoS policies to Sensor interfaces when you save the QoS policy or
through the Policy Manager. This applies to other policies as well.
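The following Python script is an added example, not McAfee code, that models the Traffic Management to Classic QoS migration described in the notes above so you can see, for a given port, which Rate Limiting Profile classes and QoS rules the upgrade produces and which service objects fall past the 10-object-per-rule limit and therefore need QoS rules you add by hand. The ordering of queues and service kinds, the rule naming, and the sample queues for port 7A are assumptions made for the example; the Manager's actual names begin with TMPolicy and QueueProfile and are random.

```python
"""Added example (not McAfee code): model of how a 7.1 Traffic Management
queue set on one port becomes a Rate Limiting Profile plus Classic QoS
rules on upgrade, and a check for service objects that exceed the
10-service-object limit of a single QoS rule.

Assumptions made by this model:
- each queue becomes one Class in a single Rate Limiting Profile, in the
  order the queues are listed;
- for each queue the Manager emits one rule per service kind, in the
  order Protocols, TCP ports, UDP ports, IP protocol numbers;
- an auto-created rule keeps only the first 10 service objects of its
  kind; the remainder must go into rules you add post-upgrade.
Queue names, rule names and the sample port data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_SERVICE_OBJECTS_PER_RULE = 10


@dataclass
class TrafficManagementQueue:
    """One pre-7.5 Traffic Management queue on a monitoring port."""
    name: str
    limit: str                                   # e.g. "1024 Kbps", "50 Mbps"
    protocols: List[str] = field(default_factory=list)
    tcp_ports: List[int] = field(default_factory=list)
    udp_ports: List[int] = field(default_factory=list)
    ip_protocol_numbers: List[int] = field(default_factory=list)


@dataclass
class QoSRule:
    """A Rate Limiting Rule in the Classic QoS Policy created for the port."""
    name: str
    rate_class: int             # Class number in the Rate Limiting Profile
    service_objects: List[str]  # Service Rule Object names, at most 10
    auto_created: bool          # False = a rule you must add yourself


def service_objects_by_kind(q: TrafficManagementQueue) -> List[Tuple[str, List[str]]]:
    """Service Rule Object names the queue needs, grouped in creation order."""
    return [
        ("protocol", list(q.protocols)),
        ("tcp", [f"tcp/{p}" for p in q.tcp_ports]),
        ("udp", [f"udp/{p}" for p in q.udp_ports]),
        ("ipproto", [f"ip/{n}" for n in q.ip_protocol_numbers]),
    ]


def migrate_port(queues: List[TrafficManagementQueue]) -> Tuple[List[Tuple[int, str]], List[QoSRule]]:
    """Return (Rate Limiting Profile classes, QoS rules in top-down order) for one port."""
    profile: List[Tuple[int, str]] = []
    rules: List[QoSRule] = []
    for class_no, q in enumerate(queues, start=1):
        profile.append((class_no, q.limit))      # Class N carries queue N's limit
        for kind, objs in service_objects_by_kind(q):
            if not objs:
                continue
            # Chunk 0 is what the upgrade creates; later chunks are the
            # additional rules you have to create afterwards.
            chunks = [objs[i:i + MAX_SERVICE_OBJECTS_PER_RULE]
                      for i in range(0, len(objs), MAX_SERVICE_OBJECTS_PER_RULE)]
            for idx, chunk in enumerate(chunks):
                suffix = "" if idx == 0 else f"-extra{idx}"
                rules.append(QoSRule(f"{q.name}-{kind}{suffix}", class_no, chunk, idx == 0))
    return profile, rules


def uncovered_after_upgrade(queues: List[TrafficManagementQueue]) -> Dict[str, List[str]]:
    """Service objects per queue that no auto-created rule carries (your to-do list)."""
    missing: Dict[str, List[str]] = {}
    for q in queues:
        lost = [o for _, objs in service_objects_by_kind(q)
                for o in objs[MAX_SERVICE_OBJECTS_PER_RULE:]]
        if lost:
            missing[q.name] = lost
    return missing


# Constructed sample: port 7A with two queues, the first one wider than 10 protocols.
SAMPLE_QUEUES = [
    TrafficManagementQueue(
        "bulk", "1024 Kbps",
        protocols=["ftp", "smtp", "pop3", "imap", "nntp", "bittorrent",
                   "gnutella", "edonkey", "rsync", "tftp", "nfs", "smb"],  # 12 > 10
        tcp_ports=[8080, 8443],
    ),
    TrafficManagementQueue("voice", "50 Mbps", udp_ports=[5060], ip_protocol_numbers=[46]),
]

if __name__ == "__main__":
    profile, rules = migrate_port(SAMPLE_QUEUES)
    print("Rate Limiting Profile:", profile)
    for r in rules:
        print(("auto " if r.auto_created else "ADD  ") + r.name, r.service_objects)
    print("Objects to add by hand:", uncovered_after_upgrade(SAMPLE_QUEUES))
```

Run it against a transcription of your own Traffic Management queues before the upgrade; the rules flagged ADD are the ones the post-upgrade review in the notes above asks you to create, and the printed order is the top-down order in which the Sensor will evaluate the auto-created rules.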
Device Profiling
This note is relevant only for upgrades from releases earlier than 7.5 with OS Fingerprinting configured.
Notes:
• Passive Device Profiling using DHCP, TCP, and HTTP profiling techniques.
5 Select Setup | Advanced | Passive Device Profiling for Sensors. For NTBA, select Setup | Active Device Profiling
• After upgrade of both the Manager and the Sensor, the OS Fingerprinting option name changes to Passive
Device Profiling, with TCP profiling technique selected and enabled device wide. For the other fields such as
Profile Expiration, the default values apply.
• In the earlier releases, you can only enable OS Fingerprinting at the Sensor level. In 7.5 and later, you configure
Device Profiling at the Sensor level and enable it for the required interfaces and subinterfaces.
• From 8.2, you enable passive device profiling in the Traffic Inspection tab of an Inspection Option policy and
apply that Inspection Option policy to the required interfaces and subinterfaces.
Notes:
• The Relevance feature is referred to as Alert Relevance in release 7.5 and later.
• If you had enabled Relevance Analysis in the earlier release, post-upgrade Active Relevance is enabled.
• Previously, in the Threat Analyzer and Reports, relevance is indicated as relevant, not relevant, or unknown.
From release 7.5, relevance is score based.
Beginning with version 8.0, the Manager displays a default relevance score of 50% in certain conditions.
When an attack cannot be assigned a relevance score using conventional methods, the Manager uses the
attack signature to identify the application in which the vulnerability exists and which operating systems that
application runs on.
The Manager then correlates the operating system of the affected endpoint with the operating system that
the application is compatible with to determine the score. If the two match, a default score of 50% is
assigned. If the two do not match, a score of 0% is assigned. For more information, see Network Security
Platform 8.1 IPS Administration Guide.
If you have 1 million alerts or more, in addition to the two SQL scripts, you must also run a separate script for Solr
after you have run Alertproc_offline_2.sql. To run the Solr script, you must stop the Manager service. This script,
under test conditions, might take around 2 minutes for 1 million alerts. See Run additional scripts on page 177.
In the 8.2 Manager, the Whitelisted and Blacklisted Hashes page is renamed to File Hash Exceptions. In the latest 8.2
Manager, File Hash Exceptions is available at Policy | <domain name> | Intrusion Prevention | Advanced Malware | File Hash
Exceptions.
The rest of this note is relevant only for upgrades from release 7.1 with File Reputation configured.
The File Reputation feature in Network Security Platform 7.1 is part of the Advanced Malware policies from
release 7.5. So, after you upgrade the Sensors from 7.1 to 8.x, Advanced Malware policies are automatically
created with these settings and also applied to the corresponding Sensor interfaces and subinterfaces.
After you upgrade, some of the File Reputation configurations are preserved, but not all. Post-upgrade, review
the Advanced Malware policies and change them according to your requirements.
Notes:
• After you upgrade the Manager to 8.x, the Custom Fingerprints, DNS server settings, and HTTP Response
Scanning settings are preserved.
• When you upgrade the Sensor to 8.x, the following Advanced Malware policies are created and applied to
the corresponding Sensor resources:
• If you had enabled only GTI File Reputation, an Advanced Malware policy called GTI File Reputation Policy
is created.
• If you had enabled only Custom Fingerprints, an Advanced Malware Policy called Custom Finger Prints
Policy is created.
• If you had enabled both, an Advanced Malware policy called GTI File Reputation and Custom Finger Prints
Policy is created.
• Regardless of the domain where you have enabled GTI File Reputation or Custom Fingerprints, these
policies are created at the root admin domain.
• You can customize these policies from the root admin domain.
• These policies are created only once. Consider that you enabled GTI File Reputation on resources of two
different Sensors. When you upgrade the first Sensor, the GTI File Reputation Policy is created. When you
upgrade the second Sensor, the same policy, in its current state, is applied on the resources of the
second Sensor as well.
The Sensitivity configuration is not preserved and this field is not available post-upgrade. The Action
Thresholds are disabled after the upgrade. For example, if you had enabled blocking prior to upgrade, it is
disabled post-upgrade. So, review the Advanced Malware policies after upgrade and make changes as
required. In 7.5 and later, you must specify the threshold for each Sensor response action.
• In 7.1, you could send a TCP reset to the source of the traffic, destination, or both. In 7.5 and later, if you
configure TCP reset, the Sensor sends it to both the source and destination and it is not
user-configurable.
• In 7.1, you could configure the Sensor response actions separately for GTI File Reputation and Custom
Fingerprints. In 7.5 and later, you configure the Sensor response actions (Action Thresholds) based on
file type. However, these response actions apply to both GTI File Reputation and Blacklist and Whitelist.
• In 7.1, the list of File Types for Custom Fingerprints consisted of file extensions such as exe, doc and
pptx. In 7.5 and later, these File Types are categorized as executables, Microsoft Office files, and so on.
You only select these categories and not individual file types. In the 3 default upgrade Advanced Malware
policies, these categories are automatically selected based on the file types that you had selected in 7.1.
For example, if you had selected doc in 7.1, after upgrade the Microsoft Office Files File Type is selected
for Blacklist and Whitelist. In 7.1, you could not select the File Types for GTI File Reputation. In 7.5 and
later, you can select the required category for File Type.
The following table compares the changes to the File Reputation feature in versions 7.1 and 8.x:
Response Action
  7.1: You configure the response in the File Reputation Attacks using the Policy Editor. For File Reputation,
  configure the response in the Malware: Potential Malicious File Transfer Detected by GTI File Reputation (Artemis) attack.
  8.x: You configure the Sensor response actions, such as blocking and TCP reset, in the Advanced Malware
  policies (in the Action Thresholds section). These options are not available in the IPS malware attack
  definitions. For the Manager response actions, such as Email notification, you use the same attack definitions as
  in 7.1.
Enabling the feature
  7.1: You can even enable GTI File Reputation and Custom Fingerprints at the interface and subinterface levels.
  8.x: You can assign the different Advanced Malware policies for the interfaces and subinterfaces.
In release 7.1, there are two options related to malware detection: File Reputation - Custom Fingerprints and File
Reputation - GTI Fingerprints. Both these options are available as part of Protection Options. From release 7.5, these
File Reputation options are part of Advanced Malware Policies.
Consider that you have a Manager 7.1 managing a Sensor running on 7.1 and you have configured the File
Reputation options. When you upgrade the Manager to 8.2, an inspection option policy is created with the File
Reputation options preserved. These File Reputation options are available in the Legacy Malware Detection tab of
the inspection option policy.
Assume that different File Reputation configurations are applied to interfaces 1A-1B and 2A-2B. Therefore,
during the Manager upgrade, the Manager creates two inspection option policies and applies these policies to
the corresponding interfaces. Until you upgrade this 7.1 Sensor, you use the Legacy Malware Detection tab in these
inspection option policies to manage the File Reputation settings. The path to inspection option policies is Policy
| <domain name> | Intrusion Prevention | Inspection Options Policies.
Later, when you upgrade the 7.1 Sensor to 8.2, the Manager creates Advanced Malware policies based on the
settings in the Legacy Malware Detection tab. The Manager also applies these Advanced Malware policies to the
corresponding Sensor resources. So, post upgrade, you use the Advanced Malware policies to manage these
settings. Regardless of the domain where you enabled the File Reputation options in Manager 7.1, the default
Advanced Malware policies are created at the root admin domain.
Post upgrade to 8.2, review the Advanced Malware policies to make sure that your pre-8.2 configuration is
preserved.
Top Applications
From 8.0, the Top Applications monitor has been moved from the Threat Analyzer to the Dashboards page. The
monitor can provide application summary for a specified time. In the Top Applications monitor, you can:
• Toggle between any risk and high risk (an icon is displayed to indicate if it is a high risk).
Three existing traffic-related NTBA monitors are moved out of the Threat Analyzer:
These monitors are now available in Devices | <admin domain name> | Devices | <NTBA Appliance> | Troubleshooting |
Traffic Throughput.
These monitors provide data per NTBA appliance, which can be used to check if traffic is going through the
device (default), a zone, or an exporter interface.
For more information, refer to the Manager Administration Guide and NTBA Administration Guide.
From release 8.0, Network Security Platform validates standard ports used across various protocols using the
signature set. If the assigned non-standard port is a standard port for another protocol, the Manager displays
an error message prompting you to enter a different port number. If you upgrade to 8.x from an older version
of the Manager, and if there is a conflict between the non-standard port assigned and the standard port in the
signature set, the signature set update will fail. In this scenario, manually update the conflicting port number.
For more information, refer to the Manager Administration Guide.
In Manager 8.2 and later, you can assign the policies directly to Sensor interfaces. Use the Policy Manager or click
in the Assignments column in the corresponding policies page. For more information about assigning policies, refer to
the Network Security Platform IPS Administration Guide. Also, see the note on reconnaissance policies -
Deprecation of reconnaissance policies.
• Since Network Access Control (NAC) is not available from release 8.1, common configurations such as NAZ
and NAC Exclusion List now apply only to IPS Quarantine.
  Earlier release:
    4 Select the device from the Device drop-down list.
    5 Select Policy | IPS Quarantine | Logging.
  Current release:
    4 Select the device from the Device drop-down list.
    5 Select Setup | Quarantine | Logging.
Manage quarantine settings for an admin domain using the Quarantine Wizard
  Earlier release:
    Page name: IPS Quarantine Configuration Wizard
    Path: Policy | <domain_name> | Intrusion Prevention | IPS Quarantine | Default Port Settings
    2 From the Domain drop-down list, select the domain you want to work in.
    3 On the left pane, click the Devices tab.
    4 Select the device from the Device drop-down list.
    5 Select Policy | IPS Quarantine | Summary.
  Current release:
    Page name: Quarantine Configuration Wizard
    Path:
    1 Click the Devices tab.
    2 From the Domain drop-down list, select the domain you want to work in.
    3 On the left pane, click the Devices tab.
    4 Select the device from the Device drop-down list.
    5 Select Setup | Quarantine | Summary.
Enable quarantine for an inline monitoring port
  Earlier release:
    Page name: Port Settings
    Path:
    1 Click the Devices tab.
    2 From the Domain drop-down list, select the domain you want to work in.
    3 On the left pane, click the Devices tab.
    4 Select the device from the Device drop-down list.
    5 Select Policy | IPS Quarantine | Port Settings.
  Current release:
    Page name: Port Settings
    Path:
    1 Click the Devices tab.
    2 From the Domain drop-down list, select the domain you want to work in.
    3 On the left pane, click the Devices tab.
    4 Select the device from the Device drop-down list.
    5 Select Setup | Quarantine | Port Settings.
• Edit Reconnaissance attack detail: Policy | Intrusion Prevention | Advanced | Default IPS Attack Settings
• Bulk Edit exploit attack detail: Policy | Intrusion Prevention | IPS Policies
• Bulk Edit Reconnaissance attack detail: Policy | Intrusion Prevention | Advanced | Default IPS Attack Settings
Therefore, if you had enabled this option in the earlier version, these are permanently removed post-upgrade.
For more information, see the Manager Administration Guide.
From 8.1, the Manager provides the flexibility to separately schedule download and deploying of IPS signature
sets and botnet detectors.
From 8.2, IPS Signature Sets is renamed Signature Sets and Botnet Detectors is renamed Callback Detectors.
Because of these terminology changes, other related options and page names in the Manager are also
renamed accordingly.
• Signature sets: Manage | <root admin domain> | Updating | Automatic Updating | Signature sets
• Callback detectors: Manage | <root admin domain> | Updating | Automatic Updating | Callback Detectors
From release 8.1, the automatic signature set deployment applies to the corresponding Sensors and NTBA
Appliances.
If the executables are auto-whitelisted in 8.0, after upgrading to 8.2, NTBA will reclassify these executables. The
new classification values are sent to the Manager.
The IP settings were previously configured on the Collection Port Settings page, which is now removed. These
can now be set on the Devices | <domain name> | Devices | <NTBA Appliance> | Setup | Physical Ports page.
Additional columns for speed and IP address for a collection port are displayed in Physical Ports/ Collection Ports.
Port status displays whether a port is Up, Down, or Disabled. You can set the speed and IP address for each
collection port. For virtual NTBA appliances, the assigned network adapters are displayed.
You can now directly configure these settings from the Devices | <Domain name> | Devices | <IPS Sensor> | Setup |
NTBA Integration page. The NTBA Integration drop-down has options to enable integration for flow exporting and
advanced malware analysis. You can use the View Connectivity button to view data about records sent between
the IPS Sensor and the configured NTBA Appliance. You can view ports that are up and assigned IP addresses to
easily configure ports for integration.
When NTBA integration is enabled for an IPS Sensor and set to Enabled for Advanced Malware Analysis Only, you only
need to select a target NTBA Appliance.
If NTBA was integrated with a Sensor and you upgrade from 7.5 or 8.1 to 8.2, the NTBA Integration option
shows Enabled for Flow Exporting and Advanced Malware Analysis as selected. If you upgrade from 7.1 to 8.2, it
shows Enabled for Flow Exporting only.
You can now define the inside and outside zones, and zone elements by selecting Devices | <admin domain> |
Devices | <NTBA Appliance> | Zones.
This page has a lower panel that allows you to add multiple elements for an interface type for a zone.
You can view the collection port status and assigned IP address while you define a route. You can configure
static routes on an NTBA Appliance for diagnostic purposes and to check for connectivity between NTBA and IPS
Sensor ports. A static route is also required if you want to route outbound traffic from a collection port.
If you upgrade from 7.1 or 7.5 to 8.2, the communication rules that have Not Equal to qualifiers are removed. Only
the rules that have Equal to qualifier for the matched condition are retained.
Save your entire backup in a different location than the current Central Manager or Manager to prevent data loss.
After you back up the Network Security Platform data, you can consider purging the Manager tables. Details on
how to purge the database tables are in the McAfee Network Security Platform Manager Administration Guide.
Purging the database tables can significantly shorten the Manager upgrade window. If you need the older alerts
and packet logs, you can restore the database backup on an offline Manager server for viewing and reporting
on that data.
An all-tables backup is time consuming (depending on the size of your database); however, it guarantees the integrity
of your existing data. An all-tables backup includes the entire database, that is, all configurations, user activity, alert
information, and custom attacks. However, McAfee recommends taking separate all-tables and config-tables backups.
This gives you options if for some reason you want to roll back to your earlier version of the Central
Manager or Manager.
Notes:
• Preferably, stop the Central Manager or Manager service before you begin any backup process.
• For step-by-step information on all tables and config tables backup as well as archiving alerts and packet
logs, see the McAfee Network Security Platform Manager Administration Guide.
The following sections discuss some possible scenarios that involve an operating-system upgrade for your
Manager. These are based on your current Manager version, operating system, and whether you want to
migrate the Manager server to a new physical system.
For information on how to upgrade the operating system, refer to Microsoft's documentation.
If you plan to upgrade the operating system to a supported flavor of Windows Server 2012, you can consider
the approaches discussed in the subsequent sections.
Tasks
• Approach 1: Upgrade the operating system and the Manager on page 172
• Approach 2: Using new hardware on page 173
• It is assumed that the 7.x Manager meets the minimum requirement to upgrade to 8.x. If not,
first upgrade the Manager to the required 7.x version.
• It is assumed that your 7.x Manager server meets the requirements for the corresponding
English or Japanese versions of Windows Server 2012.
• Note that a typical operating system upgrade can take around an hour. So the Manager upgrade
downtime window would extend by that much.
Task
1 Back up the 7.x database.
See Backing up Network Security Platform data on page 142.
3 Log on to the Manager and check the Status page to ensure everything is working fine.
For MDR, complete this procedure for one Manager and then proceed to the other.
4 Upgrade the operating system to English or Japanese version of the corresponding Windows Server 2012.
5 Log on to the Manager and check the Status page to ensure everything is working fine.
If everything is working fine, it means that the upgrade was successful.
• It is assumed that this system meets the other requirements discussed in Upgrade
requirements for the Manager on page 149.
• It is assumed that the 7.x Manager version meets the requirement to upgrade to 8.x. If not, first
upgrade the Manager to the required 7.x version.
Task
1 Back up the 7.x database.
See Backing up Network Security Platform data on page 142.
4 On the new Windows Server 2012 server, install the same version of 8.x Manager as in step 2.
5 On the network, replace the existing 8.x Manager server with the new 8.x Manager.
Make sure that the IP address of the new Manager is the same as that of the existing one. If the IP address is
different, the Sensors cannot communicate with the new Manager system. In that case, re-establish this
communication from each Sensor.
6 Restore the 8.x database backup from the old 8.x Manager on the new 8.x Manager.
For information on how to restore a database, see the latest Manager Admin Guide.
7 Log on to the new 8.x Manager and check the Status page to make sure everything is working fine.
In case of MDR, complete this procedure fully for one Manager before you proceed to the next.
This section provides the steps to upgrade the primary and secondary Managers configured for Manager
Disaster Recovery (MDR).
Task
1 Using the Switch Over feature, make the secondary Manager active.
• If your current Manager version is earlier than 7.5, select My Company | Manager | MDR | Manager Pair |
Switch Over.
• For 7.5 and later, click Manage and select the root admin domain. Then go to Setup | MDR | Switch Over.
5 Using the Switch Back feature, make the primary the active Manager.
When you upgrade an MDR pair, the Manager currently being upgraded could miss the alerts during the
upgrade window. However, its peer receives these alerts. After you successfully upgrade both the Managers,
the missed alerts are updated for both the Managers during the next automatic synchronization. Note that
the Managers synchronize every 10 minutes. Therefore, within 10 minutes after you upgraded the MDR pair,
the alerts are synchronized.
If the number of alerts missed by a Manager is less than 10,000, all missed alerts are updated in the
Manager's database. The Real-time Threat Analyzer of both Managers displays the same alerts.
If the number of alerts missed by a Manager is more than 10,000, all missed alerts are updated in the
Manager's database. However, only the latest 10,000 of the missed alerts are displayed in the Real-time
Threat Analyzer of this Manager. The remaining missed alerts are displayed in the Historical Threat Analyzer.
Consider a Manager that missed 12,000 alerts during the upgrade. After the synchronization, the latest 10,000 of
the missed alerts are displayed in the Real-time Threat Analyzer. The older 2,000 missed alerts are displayed
in the Historical Threat Analyzer.
• Your current Network Security Platform infrastructure meets all the requirements discussed in
Upgrade requirements for the Manager on page 149.
• If you want to upgrade the RAM on the Manager server, make sure you do that before you begin
the Manager upgrade.
• You have reviewed and understood the implications of the upgrade considerations discussed in
Review the upgrade considerations on page 142.
• You have backed up your current Manager data. See Perform a database backup on page 142.
• As a best practice, make sure all the devices are communicating with the Manager and your
deployment is working as configured. This ensures that you do not upgrade with any existing
issues.
• You have the latest 8.3 Manager installable file at hand. You can download it from the McAfee
Update Server. See the Network Security Platform 8.3 Installation Guide.
• You have stopped all third-party applications such as Security Information and Event
Management (SIEM) agents. It is especially important that you stop any such third-party
application that communicates with the MySQL database. The Manager cannot upgrade the
database if MySQL is actively communicating with another application.
If this is an upgrade of a Manager in an MDR pair, then you should switch it to standby mode
before you upgrade. Make sure you are following the steps in MDR Manager upgrade on page
174.
Task
1 Stop the Manager service.
Right-click on the Manager icon at the bottom-right corner of your server and stop the service. Alternatively,
go to Windows Control Panel | Administrative Tools | Services. Then right-click on McAfee Network Security
Manager and select Stop.
2 Stop the McAfee Network Security Manager Watchdog service using the same method as described in step
1.
Make sure the McAfee Network Security Manager Database service remains started.
5 Move any saved report files and alert archives from the server to some other location.
The reports are saved in the <Manager install directory>\REPORTS folder. The alert archives are saved in the
<Manager install directory>\alertarchival folder.
7 At the end of the upgrade process, you might be required to restart the server. If prompted, it is highly
recommended that you restart the server.
• Select Yes, restart my system to restart the server immediately.
• Select No, I will restart my system myself to complete the upgrade process without restarting the server. You
can restart the server at a later point in time. Clicking Done in the Manager Installation Wizard will start
the Manager services.
8 During the upgrade, you might have been prompted to run additional scripts on the Manager server. After
the upgrade is complete, run the scripts only if you had been prompted to do so.
See Run additional scripts on page 177.
The system prompts you to run the scripts only if there are 1 million or more alerts or endpoint events in
your Manager. You should not run the scripts if not prompted.
11 Check the Status page to ensure that the Manager database and the Sensors are up.
Refer to the following sections and complete those tasks.
1 If you have one million or more alerts and events in the current Manager database, you must complete
the tasks in Run additional scripts on page 177.
2 Make sure the Manager contains the latest 8.7 signature set.
3 Upgrade the Sensor software with the latest 8.7 signature set. See How to perform signature set and
Sensor software upgrade on page 5.
Tasks
• Resubmit Snort custom attacks for translation on page 176
• Run additional scripts on page 177
After you upgrade the Manager from 7.x to 8.x, it is mandatory that you resubmit all Snort custom attacks for
translation to the newer McAfee signature format. Then, two signatures are created for those rules.
Task
1 Start the 8.x Manager and log on.
2 Open the Custom Attack Editor. Select Policy | <domain name> | Intrusion Prevention | Advanced | Custom Attacks |
Custom Attack Editor.
3 To re-submit the rules, in the Custom Attack Editor, select File | Snort Advanced | View Snort Variables | Re-Submit
Rules using Current Variables.
Task
1 Locate the ems.properties file. On the Manager server, go to <Manager install directory>\App\config\.
When you upgrade to the latest 8.3 Manager, if there are 1 million or more alerts or host events in your current
Manager setup, you are prompted to run two SQL scripts as described in this section. These scripts convert
those alerts to the new Manager database schema for version 8.3.
Make sure that you run the three scripts soon after the Manager upgrade is complete. McAfee recommends that
you select a relatively idle time to run the scripts to minimize the impact on performance.
When Manager 8.3 starts, all new alerts come into the 8.3 schema tables. Your original alerts and packet logs
are still there in the database, in tables with a tmp_ prefix. You cannot access these old alerts and packet logs
until they are manually converted to the new schema and merged back in. This is accomplished by running the
following two scripts:
1 Alertproc_offline_1.sql: When you trigger this script, it runs in the background while the newly upgraded
Manager is up and running. You do not need to stop the Manager service when running this script. It takes
about an hour for every 4–8 GB of the original alert and packetlog tables. For example, for a Manager
database of 25 GB, it could take between 3–7 hours.
The time taken for alertproc_offline_1.sql to complete depends on the Manager RAM, hard disk speed, the
activities on the Manager database, number of users logged on to the Manager, reports being generated
currently, alerts from the Sensors, maintenance tasks, and so on.
The quick and easy way to estimate the time needed for this script is to look at the size of the mysql\data\lf
directory. Once started, it runs and only returns the MySQL command prompt after it completes.
After you trigger this script, do not close the window even if you do not see the MySQL command prompt.
This process might take some time but completes eventually.
2 Alertproc_offline_2.sql: Run this script when the MySQL command prompt returns after the first script. You
must stop the Manager service to run this script. However, this script takes only a few minutes to complete.
This script takes the now-converted original alerts and the alerts that came in while the first script was
running and merges them together. It does this by renaming the active tables and then renaming the
original tables back to what they had been. The script then merges the new alerts into the converted alert
tables.
The merging is because the original tables are large and the new ones are small. It is much faster to merge
the small table into the large one. The assumption is that the alert and packetlog tables for the alerts that
come into the Manager while the first script was running are much smaller than the tables with the
converted alerts. So we merge the smaller table into the larger, which makes it complete the task much
faster. When the second script completes, restart the Manager service.
Run alertproc_offline_1.sql and alertproc_offline_2.sql only if prompted to do so. The system prompts you only
when there are 1 million or more alerts or host events in the Manager database. If you run these scripts when
not prompted, you receive SQL errors. In this case, contact McAfee Technical Support with the details of the
message. If you do not run these scripts when prompted, you will not be able to view the alerts in the Threat
Analyzer.
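The two-phase sequence described above (convert the tmp_ tables in the background while the service runs, then stop the service, rename the active table aside, rename the converted table into its place, and merge the small set of recent alerts into the large converted one) is shown below as an added SQLite illustration. This is not McAfee's alertproc_offline_1.sql or alertproc_offline_2.sql; the table names, columns, and sample rows are constructed for the example.

```python
"""Two-phase alert table migration, modelled in SQLite.

Added illustration of the approach the upgrade guide describes; not McAfee's
alertproc_offline scripts. Table names, columns and sample rows are constructed.
"""
import sqlite3

# Constructed sample data. Old-schema rows: (id, ts, sig_id).
OLD_ALERTS = [(1, 1000, 4001), (2, 1010, 4002), (3, 1020, 4001),
              (4, 1030, 4003), (5, 1040, 4002)]
# Alerts that arrived in the new schema while phase 1 ran: (id, ts, sig_id, severity).
NEW_ALERTS = [(101, 2000, 4001, 3), (102, 2010, 4004, 5)]


def setup_db() -> sqlite3.Connection:
    """Model the state right after the upgrade: the original alert table
    carries a tmp_ prefix (old schema) and a fresh active table in the new
    schema receives incoming alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tmp_alert (id INTEGER PRIMARY KEY, ts INTEGER, sig_id INTEGER);
        CREATE TABLE alert (id INTEGER PRIMARY KEY, ts INTEGER, sig_id INTEGER,
                            severity INTEGER NOT NULL);
    """)
    conn.executemany("INSERT INTO tmp_alert VALUES (?, ?, ?)", OLD_ALERTS)
    conn.executemany("INSERT INTO alert VALUES (?, ?, ?, ?)", NEW_ALERTS)
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def phase1_convert(conn: sqlite3.Connection, default_severity: int = 0) -> int:
    """Phase 1 (service may keep running): copy the tmp_ rows into a staging
    table that already has the new schema, filling the new column with a
    default. The active table is never touched, so incoming alerts are
    unaffected. Returns the number of converted rows."""
    conn.execute("""
        CREATE TABLE tmp_alert_converted (id INTEGER PRIMARY KEY, ts INTEGER,
                                          sig_id INTEGER, severity INTEGER NOT NULL)
    """)
    conn.execute(
        "INSERT INTO tmp_alert_converted (id, ts, sig_id, severity) "
        "SELECT id, ts, sig_id, ? FROM tmp_alert",
        (default_severity,),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM tmp_alert_converted").fetchone()[0]


def phase2_merge(conn: sqlite3.Connection, service_stopped: bool) -> int:
    """Phase 2 (service stopped): rename the active table aside, rename the
    large converted table into its place, then insert the few recent rows
    into it. Merging small-into-large is what keeps this phase short.
    Returns the number of rows in the merged active table."""
    if not service_stopped:
        raise RuntimeError("stop the service before renaming the active table")
    if not table_exists(conn, "tmp_alert_converted"):
        raise RuntimeError("phase 1 has not completed; nothing to merge")
    conn.executescript("""
        BEGIN;
        ALTER TABLE alert RENAME TO alert_recent;
        ALTER TABLE tmp_alert_converted RENAME TO alert;
        INSERT INTO alert (id, ts, sig_id, severity)
            SELECT id, ts, sig_id, severity FROM alert_recent;
        DROP TABLE alert_recent;
        DROP TABLE tmp_alert;
        COMMIT;
    """)
    return conn.execute("SELECT COUNT(*) FROM alert").fetchone()[0]


def table_names(conn: sqlite3.Connection) -> list:
    """Tables left in the database, sorted by name."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


if __name__ == "__main__":
    db = setup_db()
    print("converted rows:", phase1_convert(db))
    print("active rows after merge:", phase2_merge(db, service_stopped=True))
    print("tables:", table_names(db))
```

The two guards in phase2_merge mirror the guide's constraints: the merge must not run while the service is writing to the active table, and it must not run before the conversion has completed. The whole rename-and-insert runs inside one transaction so a failure partway through leaves both tables intact.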
Task
1 After a successful upgrade of the Manager to 8.3, check that it is up, Sensors are connected, and alerts are
generated.
3 To run the scripts easily and successfully, it is recommended that you copy the scripts to the MySQL\bin
directory and run the scripts from this location.
Follow these steps to copy the scripts to the MySQL\bin folder.
a Go to <Manager install directory>\App\db\mysql\migrate. Example: C:\Program Files\McAfee\Network Security Manager\App\db\mysql\migrate.
b Run the following command: mysql -u<Database user name> -p<Database password> db_name
For example, run mysql -uroot -proot123 lf
• When Alertproc_offline_1.sql executes, a few log messages are displayed at the MySQL prompt. The query that
adds columns to the alert table takes more time, depending on factors such as the RAM of the Manager
server, hard disk speed, activities involving the Manager database, and so on.
• When you execute Alertproc_offline_1.sql, the MySQL prompt drops to the next line and the cursor is
restored only when the script is fully executed.
• If you stop Alertproc_offline_1.sql before it executes fully, you might lose the historical alerts and
packetlogs. For such cases, revert to the earlier version of the Manager, restore the database backup
from prior to upgrade, and then restart the upgrade process.
• If an SQL error message is displayed, stop proceeding and contact McAfee Technical Support with the
details of the message.
• After you complete running the two scripts, you can delete the two scripts from the MySQL\bin folder since
these scripts might differ between versions.
• Alertprocoffline1.log and alertprocoffline2.log files are created in the <Manager install directory>
\App directory. You can check these logs if there are any issues during the upgrade.
Utilities like db backup/restore/archival/purge cannot be run on your database before completing step 7. This
is because your Manager database will still be in transition at this stage of the upgrade.
When you run the Solr script, older alerts and other events for the required number of days are imported into
Solr. You specify the required number of days when you run the script for Apache Solr. Also see Note on
Apache Solr on page 163.
Task
1 Make sure that you have stopped the Manager service.
2 In the Manager server, open Windows Explorer and go to <Manager installed directory>\Solr\conf\alerts and
<Manager installed directory>\Solr\conf\appAlerts. Delete, rename, or remove the folders named data.
This step is important because alerts in the old schema cannot be merged with alerts in the new schema, so
that when the folder is recreated, all alerts are in the new schema.
3 In the Manager server, open the Windows command prompt and go to <Manager installed directory>\App\bin.
4 Run solrImport offline start days=<number of days of data you want to import into Solr>
If you have more than 10 million alerts in the Solr database, the oldest excess alerts are deleted.
For example, solrImport offline start days=25 imports 25 days of data. But assume there are 15
million alerts in the database. In that case, 5 million of the oldest alerts are deleted.
5 Wait for the batch file to complete and then start the Manager service.
If you have 1 million alerts or more, the Manager database upgrade is complete only after you run the
alertproc_offline_1.sql, alertproc_offline_2.sql, and solrImport scripts.
After you complete running the alertproc_offline_1.sql, alertproc_offline_2.sql, and solrImport scripts, it is
recommended that you restart the Manager server to make sure the Manager upgraded successfully.
After you restart, once the Manager comes up, go to Manager | <Admin Domain Name> | Maintenance | Database
Pruning | Alert Pruning. Set the Maximum Alerts to Store for Dashboard Data to maximum intended alert limit and save.
The Manager uses a MySQL database which has a pre-defined alert capacity of 30,000,000 alerts. In addition,
the Manager uses an open-source search application called Solr, which stores alerts within a flat file. If the
Manager server has 8 GB of RAM, it supports 3 million alerts in the Solr database. If the Manager server has
16 GB or more of RAM, it supports 10 million alerts in the Solr Database.
This section contains information on how to upgrade the Sensors to the latest 8.3 version.
Before you proceed with the Sensor software upgrade, you must upgrade the Manager to 8.3.
Contents
Difference between an update and an upgrade
Sensor software upgrade requirements
Review the upgrade considerations for Sensors
Updating Sensor software image
Any change to device software, whether update or upgrade, requires you to do a full reboot of the device.
If you are using a hot-fix release, contact McAfee Support for the recommended upgrade path.
NS-series (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS7150, NS7250, NS7350, NS9100,
NS9200, NS9300):
M-series (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000, M-3030, M-4030, M-6030,
M-8030, M-8000XC):
All intermediate Sensor software versions can directly upgrade to the latest 8.3 Sensor software version.
• If you have gigabit ports connected for fail-open, disable the ports to force fail-open.
• If you have fiber ports configured for fail-open, disable the ports to force fail-open.
• It is an M-8000 or an M-8000XC Sensor, which is on a 7.5 software version earlier than 7.5.3.50.
• You plan to upgrade this Sensor using the Manager (and not a TFTP server).
This note does not apply to other Sensor models or M-8000/M-8000XC Sensors on 7.1 software.
When updating a Sensor from the Manager interface, both the Sensor software and the signature set are
bundled together and transferred to the Sensor. However, for a Sensor that matches the above conditions, the
signature set is not bundled with the Sensor software. Therefore, when the Sensor reboots after its software
upgrade, it deletes the currently loaded signature set, and contacts the Manager for the latest signature set.
(During this time the Sensor's system health status on the CLI is displayed as uninitialized.)
Until the Sensor receives the signature set from the Manager, the Sensor cannot process traffic and raise alerts.
Therefore, the Sensor's downtime is extended by a few more minutes. In other words, the impact is as if you
upgraded the Sensor using a TFTP server though you used the Manager.
As a workaround, you can first upgrade the Sensor to 7.5.3.95 and then upgrade to 8.3.
Enabling encryption can degrade performance, which might affect the analysis of large files and
high volumes of files.
2 Your Sensors meet the requirements mentioned in Sensor software upgrade requirements on page 181.
3 You have understood the discussion in Review the upgrade considerations on page 142.
New Sensor software images are released periodically by McAfee and are available on McAfee® Network
Security Platform Update Server to registered support customers.
You can update a Sensor image using any of the four methods illustrated below. These methods include
updating the signature sets as well.
Three of the methods involve updating your image using the Manager server:
1 You can use the Manager interface to download the Sensor image from the Network Security Platform
Update Server to the Manager server, and then upload the Sensor image to the Sensor.
2 If your Manager server is not connected to the Internet, you can download the Sensor image from the
Network Security Platform Update Server to any host, then import the Sensor image to the Manager server.
You can then download the Sensor image to the Sensor.
3 A variation of option 2: you can download the Sensor image from McAfee Network Security Platform Update
Server to any host, put it on a disk, take the disk to the Manager server, and then import the image and
download it to the Sensor.
4 However, you may prefer not to update Sensor software through the Manager, or you may encounter a
situation wherein you cannot do so. An alternative method is to download the software image from the
Update Server onto a TFTP server, and then download the image directly to the Sensor using Sensor CLI
commands. This process is described in this chapter as well.
Figure legend: 1 McAfee Update Server; 2 Internet; 3 Manager Server; 4 PC/tftp server; 5 Import/disk; 6 Sensor
When updating a Sensor from the Manager interface, both the Sensor software and the signature set are
bundled together and transferred to the Sensor. The Sensor updates its Sensor software image, and saves the
bundled signature set. When the Sensor is rebooted, it deletes the old Signature Set, and applies the saved
signature set that was received along with the Sensor software image.
When updating a Sensor through TFTP, only the Sensor software is transferred to the Sensor. Once the Sensor
software update is complete, reboot the Sensor. On reboot, the Sensor deletes the currently loaded signature
set, and contacts the Manager for the latest signature set. Until the Sensor receives the signature set from the
Manager, the Sensor cannot process traffic and raise alerts.
There will be a Sensor downtime during the Sensor software upgrade process. The downtime is longer in case
of an upgrade using TFTP (when compared to using the Manager) due to the additional time required to
download the signature set.
Task
1 If you have not already done so, download the latest 8.7 signature set from the McAfee Network Security
Update Server (Update Server).
In the Manager, click Manager and select the root admin domain. Then select Updating | Download Signature Sets.
See the McAfee Network Security Platform Manager Administration Guide for step-by-step information on how
to download the signature set. For a list of currently supported protocols, see KB61036 at
mysupport.mcafee.com. Do not push the signature set to your Sensors at this point; it will be sent with the
Sensor software in step 8.
If you are using the Advanced Callback Detection feature, make sure you have downloaded the latest callback
detectors to the Manager. See McAfee Network Security Platform IPS Administration Guide for the details on
downloading callback detectors.
2 If you had created McAfee custom attacks in the previous version of the Manager, verify that those attacks
are present in the Custom Attack Editor.
3 Download the most recent 8.3 Sensor software images from the Update Server onto the Manager.
a Click Manager and select the root admin domain. Then select Updating | Download Device Software.
b Select the applicable Sensor software version from the Software Available for Download section and click
Download.
4 To push the Sensor software to your Sensors, select Devices | <Admin Domain Name> | Global | Deploy Device
Software.
6 To select a Sensor for update, select the checkboxes (for the specific Sensor) in the Upgrade column.
7 For the corresponding Sensors, select the checkboxes (for the specific Sensor) in the Reboot column.
This will push the signature set as well as the software to the Sensors.
Signature set update could fail because of Snort custom attacks that contain unsupported PCRE constructs.
In such cases, the Incompatible custom attack fault is raised in the Status page.
• Last Update Time: (Time should reflect when the push is complete)
You will be prompted to reboot the Sensor upon completion of the Sensor software upgrade.
10 Once the reboot process is complete, verify that the Sensor's operational status is up; and that it comes up
with the latest software version as well as latest signature set.
a Click the Devices tab.
d Select the device from the Device drop-down list and click Summary.
If you have a failover pair configured, both the Sensors forming the pair should be running on the same
Sensor software version. See Update Sensor software in a failover pair on page 187.
Task
1 If you have not already done so, download the latest 8.7 signature set from the McAfee Network Security
Update Server (Update Server).
In the Manager, click Manager and select the root admin domain. Then select Updating | Download Signature Sets.
See the McAfee Network Security Platform Manager Administration Guide for step-by-step information on how
to download the signature set. For a list of currently supported protocols, see KB61036 at
mysupport.mcafee.com.
If you are using the Advanced Callback Detection feature, make sure you have downloaded the latest callback
detectors to the Manager. See McAfee Network Security Platform IPS Administration Guide for the details on
downloading callback detectors.
2 Download the software image from the Update Server to your TFTP or SCP server.
This file is compressed in a .jar file.
5 Extract the files to your TFTP boot folder [/tftpboot]. In case of SCP, extract the files to any directory.
6 Once the image is on your TFTP/SCP server, upload the image from the TFTP/SCP server to the Sensor.
From your Sensor console, perform the following steps:
a Log on to the Sensor.
The default user name is admin and default password admin123.
b Make sure you have set the TFTP or SCP server IP on the Sensor. Use the set tftpserver ip or set
scpserver ip command as described in the McAfee Network Security Platform CLI Guide.
c Load the image file on the Sensor. Use the loadimage command as described in the McAfee Network
Security Platform CLI Guide.
d To use the new software image, you must reboot the Sensor. At the prompt, type reboot.
You must confirm that you want to reboot.
For some Sensor models, the hitless reboot option is available, wherein only the required software
processes are restarted. However, for Sensor software upgrades and updates, you must do a full reboot.
For information on these reboot options, see the McAfee Network Security Platform IPS Administration
Guide.
After the reboot process is complete, the Sensor deletes the old signature set. Because the signature set
is incompatible with the current Manager version, the Sensor's system health status on the CLI is
displayed as uninitialized. Then, the Sensor contacts the Manager for the latest signature set. After the
signature set is downloaded to the Sensor, its system health status is displayed as good. Signature set
update could fail because of Snort custom attacks that contain unsupported PCRE constructs. In such
cases, the Incompatible custom attack fault is raised in the Status page.
7 Verify the Sensor's system health status is good; check the Sensor status from CLI by typing the status
command.
You can also check whether the Sensor is updated with the latest software version as well as latest signature
set in the Summary page.
a Click the Devices tab.
d Select the device from the Device drop-down list and click Summary.
Task
1 Push the software to each of the Sensors that are in the failover pair. You can follow one of these methods:
• Sensor software and signature set upgrade using Manager 8.3 on page 185
Review this chapter for information on how to upgrade the software for the NTBA and XC Cluster devices.
Contents
Upgrade NTBA Appliance software
Upgrade XC Cluster
• Make sure that you have upgraded the Manager to 8.3. See How to Upgrade the Manager? on page 5.
• In this section, the term NTBA Appliance refers to the physical as well as the NTBA Virtual Appliances unless
mentioned otherwise.
• In release 7.5 and later, in addition to the NTBA Virtual Appliance software (T-VM), the following are also
available:
• NTBA T-100 Virtual Appliance (T-100VM)
• Beginning with release 8.1, NTBA includes the availability of new hardware, which are the T-600 and the
T-1200 NTBA Appliances.
• The following are the minimum required NTBA versions to upgrade to 8.3. These apply to both T-200 and
T-500 NTBA Appliances and NTBA Virtual Appliances:
• 7.1.3.6 (does not include T-100VM and T-200VM)
• 7.5.3.10
• 8.0.5.6
• 8.1.3.6
• 8.2.7.4
• You can upgrade your earlier NTBA Virtual Appliance (T-VM) to NTBA T-100VM or T-200VM Virtual Appliance
software. However, once you have upgraded, you cannot downgrade. For example, if you have upgraded
your NTBA Virtual Appliance software to NTBA T-200VM, you cannot downgrade to NTBA T-100VM or any
version of NTBA Virtual Appliance.
• In release 7.5 and later, there are specific images for NTBA T-200 and NTBA T-500 appliances.
You cannot load software versions across appliances. For example, you cannot load NTBA T-200 image on an
NTBA T-500 appliance. The same applies to the NTBA Virtual Appliances as well.
• An 8.x Sensor, for its connections through its management port with NTBA appliances, by default uses NULL
cipher (no encryption). Using NULL cipher is required to support the analysis of much larger files. If you
want this connection to be encrypted, use the following CLI command on the 8.x Sensor: set
amchannelencryption <on><off>. To know if the connection is encrypted, use show
amchannelencryption status on the Sensor CLI.
Enabling encryption can degrade performance, which might affect the analysis of large files and
high volumes of files.
The upgrade process for an NTBA Appliance is similar to that of a Sensor. So review Sensor software upgrade
— Manager versus TFTP server on page 184 and then choose one of the following methods:
• Sensor software and signature set upgrade using Manager 8.3 on page 185:
• In this section, read Sensor as NTBA Appliance.
Upgrade XC Cluster
The upgrade for XC Cluster involves upgrade of the Manager, the M-8000XC Sensors, and the XC-240 Load
Balancer Device. You can also upgrade just the Manager and continue with the older versions for the M-8000XC
Sensors and the XC-240 Load Balancer.
The following are the changes in the XC-240 2.11.x when compared to the earlier versions:
• In XC-240 2.10.X, the lbg set command has a parameter, ha=rebalance ha=loopback. This is no longer
available in the 2.11.X.
Even in the earlier versions, McAfee recommends that you do not use ha=rebalance ha=loopback.
• In the XC-240 2.11.x, the output of the pg show command is modified. The parameter, Operating mode is
changed to Operating Status. Also, the parameter Administrative State is introduced.
• In XC-240 2.11.X, the port show command has changed. The parameters tag and tpid which are present
in XC-240 2.10.x are removed in XC-240 2.11.x.
• The file parameter in the config export command is removed in the XC-240 2.11.x.
Following are the high-level steps to upgrade an XC Cluster Load Balancer solution:
1 Make sure you have upgraded the Manager to 8.3. See How to Upgrade the Manager? on page 5.
2 Upgrade all the M-8000XC Sensors in a cluster to 8.3. The upgrade process for an XC Cluster Sensor software
is similar to that of a Sensor. So review Sensor software upgrade — Manager versus TFTP server on page
184 and then choose one of the methods.
For the minimum required versions for the M-8000XC Sensors to upgrade to 8.3, see Sensor software
upgrade requirements on page 181.
When you upgrade an M-8000XC Sensor, the Manager pushes the signature set to all the Sensors in the
cluster. You can ignore the failed running tasks messages and fault messages displayed in the Manager.
These messages are raised because not all the Sensors in the cluster are upgraded to 8.3.
3 Optionally, use the upgrade command to upgrade the XC-240 Load Balancer device to bal_021109_013114.
This command is explained in detail in the McAfee Network Security Platform XC Cluster Administration Guide.
The following are the minimum required versions:
• bal_020902_121611
• bal_021004_060412
• bal_021107_041913
Notes:
• You must always upgrade the Sensors before you upgrade XC-240.
• In case of stand-alone XC-240, there is a network downtime when you upgrade the XC-240. To avoid this
downtime, you can use a fail-open switch.
• For high-availability setups, refer to the scenarios described below in this section.
• If you have a configuration higher than n, make sure you upgrade the template Sensor first and then
upgrade other Sensors.
If you have deployed an N configuration, that is without Sensor redundancy, follow this process to upgrade:
1 Make sure the Managers are upgraded to the latest 8.3 version.
If you have deployed an N+1 configuration, that is with Sensor redundancy, follow this process to upgrade:
1 Make sure the Managers are upgraded to the latest 8.3 version.
• Make sure you have the database backup from the Manager version that you want to
downgrade to. For example, if you want to downgrade from 8.3 to 8.2, then you must have the
database backup from 8.2 Manager.
If for some reason the upgrade is not suitable, you can uninstall the 8.3 version and reinstall the previous
version.
Task
1 Stop the Manager service by following one of these steps:
• Right-click on the Manager icon at the bottom-right corner of your server and stop the service.
• Select Windows Control Panel | Administrative Tools | Services. Then right-click on McAfee Network Security
Manager and select Stop.
2 Stop the McAfee Network Security Manager Watchdog service using the same method as described in step
1.
4 Delete the Network Security Platform install directory (including the MySQL install directory).
1 I am using Manager version 8.0.x.x. Can I directly upgrade to the latest 8.3?
It is recommended that you upgrade to a supported 8.1 or an earlier 8.2 version before you upgrade to the
latest 8.2 version. For details, see Upgrade requirements for the Manager on page 149.
3 In an MDR setup, after upgrading the primary Manager to 8.3, can I switch over to make the primary
active or do I have to first stop the secondary?
Yes. You must stop the secondary. For details, see MDR Manager upgrade on page 174.
5 After upgrading the Secondary Manager, do I need to import the database to secondary or will that
happen when I re-establish MDR?
You must explicitly import the database into the secondary.
6 Do I need to reconfigure MDR to get primary and secondary into MDR again?
No. The MDR configuration will be retained and will work automatically.
7 Is it safe to assume that the database gets converted from 7.x to 8.3 as part of the 8.3 upgrade?
Yes.
8 I see the Switch Over button in the interface but I have read that I must use the "Switch Back" button to
make the primary Manager active. Which is correct?
The Switch Over button in the interface changes to Switch Back for the primary to take control from the
secondary.
9 If I downgrade the Managers following the instructions in the Network Security Platform 8.3
Installation Guide, I will end up with 7.x Managers and 8.3 Sensors. How do I downgrade the Sensors?
Downgrading Sensors is a complex process. Contact McAfee Support to first downgrade the Sensors and
then downgrade the Manager.
10 Do I really need to upgrade the OS to Windows 2008 or Windows 2012 server for 8.3; can I not
continue with my 2003 Server setup?
No. You must upgrade to one of the supported operating systems to use Network Security Platform 8.3.