MOVE Firewall 3.5.0 Product Guide
Transcription
MOVE Firewall 3.5.0 Product Guide
Product Guide McAfee MOVE Firewall 3.5.0 For use with ePolicy Orchestrator 4.6.7, 4.6.8, 5.1.0 Software COPYRIGHT Copyright © 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee MOVE Firewall 3.5.0 Product Guide Contents Preface 5 About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Find product documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1 Introduction 7 Components and what they do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2 Installation 9 Requirements . . . . . . . . . . . . . Install the vShield Manager Virtual Appliance Download the software extension . . . . . Install the extension . . . . . . . . . . Register a vShield Manager account . . . . 3 . . . . options . . . . . . . . . options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . 10 . . 10 . . 11 . . 11 . . . . . . 13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 . 19 . 20 . 21 . 21 . 21 . 22 Resource and service groups Configuring the resource groups Add the IP address group . . . Add the MAC address group . . Add the security group resource Group details and options . . . Add a service or service group . Create an exclusion list . . . . 5 . . . . . . . . . . Resource isolation and firewall rules Add an isolation rule . . Isolation rule details and Add a firewall rule . . . Default firewall rules . . Firewall rules details and Debug firewall rules . . 4 . . . . . . . . . . . . . . . . . . . . . . . . 13 15 15 16 16 17 19 Queries and reports 25 Predefined MOVE Firewall queries . . . . . . . . . . . . . . . . . . . . . . . . . . . MOVE Firewall dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 26 Create MOVE Firewall custom query . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Create the MOVE Firewall dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Index McAfee MOVE Firewall 3.5.0 29 Product Guide 3 Contents 4 McAfee MOVE Firewall 3.5.0 Product Guide Preface This guide provides the information you need to work with your McAfee product. Contents About this guide Find product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Conventions This guide uses these typographical conventions and icons. Book title, term, emphasis Title of a book, chapter, or topic; a new term; emphasis. Bold Text that is strongly emphasized. User input, code, message Commands and other text that the user types; a code sample; a displayed message. Interface text Words from the product interface like options, menus, buttons, and dialog boxes. Hypertext blue A link to a topic or to an external website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. McAfee MOVE Firewall 3.5.0 Product Guide 5 Preface Find product documentation Find product documentation After a product is released, information about the product is entered into the McAfee online Knowledge Center. Task 6 1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. McAfee MOVE Firewall 3.5.0 Product Guide 1 Introduction ® McAfee MOVE Firewall includes the components that communicate with multiple vShield Manager accounts using McAfee ePolicy Orchestrator (McAfee ePO ). ® ® ™ It provides an interface on McAfee ePO, where you can easily manage the firewall rules for data center resources. MOVE Firewall also provides a status on whether the identified resources are isolated. The isolation of resources in the data center means that the resources identified to be isolated have a defined access criteria compared to other resources in the same data center of the cloud. The vCloud Networking and Security (vCNS) App Firewall component intercepts traffic to and from individual virtual machines to provide the firewall protection. It also understands logical grouping of data center resources, which can be used as a criteria to define firewall rules to isolate the resources. Components and what they do Each component performs specific functions to isolate the data center resources and configure firewall rules. MOVE Firewall — A McAfee ePO extension, which is able to communicate with multiple vShield Managers in a data center environment. The MOVE Firewall component provides an easy to use interface in McAfee ePO, which can simplify the management of firewall rules for vCNS App Firewall. ePolicy Orchestrator — Management software that allows you to register one or more vShield Manager accounts, so that you can isolate the data center resources and configure the firewall rules. vShield Manager — A management console that manages the vShield App Firewall component, VMware vShield Endpoint, and VMware vShield applications. Virtual Machines (VMs) — A guest operating system installation within a normal host operating system that supports both virtual desktops and virtual servers. VMware vCenter — Console that manages the VMware ESXi servers, which host the guest VMs that require protection. vCloud Networking and Security (vCNS) App Firewall — A security application that protects and isolates critical applications with security applied immediately to surround a virtual machine. vCenter integration streamlines management and improves operational efficiency. McAfee MOVE Firewall 3.5.0 Product Guide 7 1 Introduction Components and what they do 8 McAfee MOVE Firewall 3.5.0 Product Guide 2 Installation Before you set up your environment and configure the MOVE Firewall rules in McAfee ePO, make sure that you have your vShield Manager account and its details ready. You then install the extension and register the vShield Manager account in McAfee ePO. Contents Requirements Install the vShield Manager Virtual Appliance Download the software extension Install the extension Register a vShield Manager account Requirements Make sure that your environment includes these components and that they meet the requirements. • McAfee ePO 4.6.7, 4.6.8, 5.1.0 We recommend that your system, where the browser is used to access the McAfee ePO server, has the screen resolution 1280/x. • VMware vShield Manager 5.1, 5.5 • VMware Tools We recommend that you install the latest version of the VMware Tools, so that the latest drivers are installed. • Data Center Connector 3.5.0 for vSphere (Optional) The Data Center Connector for vSphere extension integrates with Endpoint Security report to filter VMs based on IP addresses while managing firewall rules. MOVE Firewall works without this extension. For details about system requirements and instructions for setting up the McAfee ePO environment, see McAfee ePolicy Orchestrator Installation Guide. McAfee MOVE Firewall 3.5.0 Product Guide 9 2 Installation Install the vShield Manager Virtual Appliance Install the vShield Manager Virtual Appliance The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents. Before you begin From the VMware download site (https://my.vmware.com/web/vmware/downloads), download the OVF. Manually deploy the OVF to the selected hypervisor to ensure protection. Task 1 From the vSphere Client, select the resource pool on the hypervisor where you want to deploy the OVF, then click File | Deploy OVF Template to open the OVF wizard. 2 Apply these settings to deploy the OVF: For this option... Do this... Source Browse to and select the OVF. OVF Template Details Review details about the OVF. End User License Agreement (EULA) Accept this to continue. Name and Location Specify the name of the SVA and the inventory location. Storage Select the datastore for the SVA. This page is displayed only if the hypervisor has multiple datastores. 3 Disk Format Select the required disk provisioning. Network Mapping Map the OVF networks to the existing networks on the selected hypervisor. Properties If you specify the configuration information on the Properties page, then the SVA is automatically configured during the initial start. Ready to Complete Review the options you selected. Click Finish. Download the software extension You must download the MOVE Firewall extension before it can be installed into McAfee ePO. Task • 10 From the McAfee download site (http://www.mcafee.com/us/downloads/), download the package MOVEFirewall.zip to an accessible location on your network. McAfee MOVE Firewall 3.5.0 Product Guide Installation Install the extension 2 Install the extension You must install the product extension on the McAfee ePO server to be able to isolate the data center resources and configure the firewall rules. Before you begin Make sure that the extension file is in an accessible location on the network. Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Software | Extensions | Install Extension. 3 Browse to and select the extension file MOVEFirewall.zip, then click OK. The Install Extension page displays the extension name and version details. 4 Click OK. Register a vShield Manager account Register a vShield Manager account with McAfee ePO, so that McAfee ePO establishes a connection with vShield Manager before you configure the rules. Before you begin • Make sure that your vShield Manager account and its details are ready. • The vShield Manager must work with the firewall rules before MOVE Firewall can start managing it. Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Configuration | Registered Servers, then click New Server to open the Registered Server Builder page. 3 From the Server type drop-down list on the Description page, select vShield Manager Server, and specify a unique user-friendly name and some details that can help you identify the server, then click Next. McAfee MOVE Firewall 3.5.0 Product Guide 11 2 Installation Register a vShield Manager account 4 On the Details page, configure these settings: For this option... Do this... IP Addresses Type the IP address or the host name of the available vShield Manager. Admin User Name Type the user name of the available vShield Manager. Make this account a super user account. Password Type the password of the available vShield Manager. Make sure that the credentials have administrative permissions. 5 Click Test Connection to validate the credentials of the vShield Manager and verify that the connection to the vShield Manager works, then click Save to register the vShield Manager account. From here, you can also edit or delete a registered vShield Manager account. Deleting a vShield Manager account removes all information, including firewall rules and isolation rules, from McAfee ePO. However, the firewall rules are not removed from vCNS App Firewall. 12 McAfee MOVE Firewall 3.5.0 Product Guide 3 Resource isolation and firewall rules The isolation of resources in the data center means that the resources identified to be isolated have a defined access criteria compared to other resources in the same data center of the cloud. This helps to increase visibility and control over network communications between virtual machines, and protect sensitive data. These access criteria are enforced using vShield App Firewall. Using the MOVE Firewall application, the administrator must create the firewall rules so that they provide access to what is defined in the rule. Any other access is automatically blocked. Make sure that you do not blacklist any ports or other resources that will affect other products. Contents Add an isolation rule Isolation rule details and options Add a firewall rule Default firewall rules Firewall rules details and options Debug firewall rules Add an isolation rule The product component of MOVE Firewall can make a logical grouping of data center resources, which can be used as a criteria to define the firewall rules. Before you begin • Make sure that you installed the MOVE Firewall extension. Isolation is a set of four firewall rules based on the source resource, destination resource, and service details provided by the administrator. Make sure that you do not add any security virtual appliance (SVA) in the isolation rule. The access criteria is defined using these four firewall rules: • An outgoing rule permits the isolated resources to access a set of other resources. • An incoming rule permits a defined set of resources to access the isolated resources. McAfee MOVE Firewall 3.5.0 Product Guide 13 3 Resource isolation and firewall rules Add an isolation rule • An explicit rule blocks further access to the isolated resources and any other resources not defined in the first rule. • An explicit rule blocks further access to the isolated resources and any other resources not defined in the second rule. The isolation rules are always created as L3Rules. Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Policy | MOVE Firewall, then click the Isolation Zone tab. 3 From the vShield Manager drop-down list, select the registered server and the data center. 4 Click Actions | Add to open the Create Isolation Details page. 5 Specify a unique user-friendly name and a rule description that can help you identify the rule and configure these settings. You can use the Advanced Filter icon addresses. to search for a resource using its IP address or range of For this... Do this... Isolation Details From the Available drop-down list under Isolated Resources, select the required resource, then click Select to move the resource to the Selected column. This setting defines the resource to be isolated. Inbound Access 1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column. This setting defines the incoming rule for the isolation. Use the Filter box under the Selected column to search a resource in the Selected column. 2 From the Available drop-down list under Services, select the required service, then click Select to move it to the Selected column. This setting defines the incoming rule for the isolation. Outbound Access 1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column. 2 From the Available drop-down list under Services, select the required service, then click Select to move it to the Selected column. 6 14 Review the isolation Summary, then click Save to create these set of rules for this isolation and store it in McAfee ePO. Rule Source Destination Service Allow Outgoing Defined isolated set Resource defined by the user Define set of services Allow Incoming External resource Isolated resource Define set of services Explicit Block Isolated group Any Any Explicit Block Any Isolated group Any McAfee MOVE Firewall 3.5.0 Product Guide Resource isolation and firewall rules Isolation rule details and options 3 Isolation rule details and options After adding an isolation, you can access these isolation rule details and options. Option Definition Name Name of the isolation rule. Status Specifies isolation status: • OK — Specifies the default status of an isolation rule created. • Modified — This status appears whenever the content of a rule is changed. • Broken — This status appears whenever a rule is deleted or the order of the rule is changed. Actions • Repair — When an individual rule that is part of isolation is deleted or moved up or down, the isolation status appears as Broken. You can then click Repair to fix the isolation status. • Edit — Clicking Edit opens a page that allows you to specify details about the isolation. Using this option, you can define the resources to be isolated. • Delete — Use this option to delete an isolation. This button is enabled only when an isolation is selected. Add a firewall rule You must create the individual firewall rule as defined in this section, so that it specifically allows or blocks access to the resources defined in the rule. Before you begin Make sure that you installed the MOVE Firewall extension. It is not possible to manage the firewall rules when VMware NSX Manager is installed. Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Policy | MOVE Firewall, then click the Firewall Rules tab. 3 From the vShield Manager drop-down list, select the registered server and the data center. 4 Click Actions | Add to open the Add Firewall Rule page. 5 Specify a unique user-friendly Name and some Rule Description that can help you identify the rule. 6 From Rule Type, select L3Rule or L2Rule, as appropriate. The IP addresses can be matched in L3Rules and the MAC addresses can be matched in L2Rules. 7 Configure these settings to add the firewall rules: You can use the Advanced Filter icon to search for a resource using its IP address or range of addresses, or for a service using its port or port range. McAfee MOVE Firewall 3.5.0 Product Guide 15 3 Resource isolation and firewall rules Default firewall rules For this... Do this... Sources 1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column. Use the Filter box under the Selected column to search the resource in the Selected column. 2 Select Negate to exclude the selected source and the port from the rule. 3 Specify the source port details in SrcPort. Destination 1 From the Available drop-down list under Resources, select the required resource, then click Select to move it to the Selected column. 2 Select Negate to exclude the selected destination and the port from the rule. Services 1 From the Available drop-down list under Services, select the required service, then click Select to move it to the Selected column. Log and Action 1 From Action, select Allow to allow access to the resource, or Block to block access to the resource. 2 Select Enable Log to write the log to the log server. 8 Click Save to store the firewall rules. Default firewall rules MOVE Firewall includes four default rules, which cannot be edited or deleted. These rules take priority in the rule hierarchy. The firewall rules are created and placed in a position relative to the rule selected in the list. The position of the default firewall rules and the default L2Rules and L3Rules cannot be changed. • DataCenterDNSRule — This rule allows communication from the managed data center to the DNS IP over TCP and UDP (over the DNS port 53).This ensures that all the DNS related communication is not blocked. • ConsoleTOEPORule — This rule allows communication to the McAfee ePO server from external virtual machines over the TCP service (over ports as specified by McAfee ePO). • EPOToAgentRule — This rule allows communication between McAfee ePO and the McAfee Agent on all virtual machines in the managed data center (over the TCP service on the Agent Ports specified by McAfee ePO). • AgentToEPORule — This rule allows communication between the McAfee Agent to McAfee ePO over any service. Firewall rules details and options After adding individual firewall rules, you can access these firewall rules details and options. 16 Option Definition Name Name of the firewall rule. Source The resource that initiates the connection or the traffic to the destination resource. McAfee MOVE Firewall 3.5.0 Product Guide 3 Resource isolation and firewall rules Debug firewall rules Option Definition Destination The resource to which the source initiates the connection. Service The protocol-port combination that is used for the rule. Action • Allow — Specifies that the action of this rule is to allow access to the resource. • Deny — Specifies that the action of this rule is to deny access to the resource. Status Specifies whether the individual firewall rule is enabled or disabled. Options • Add — Define the individual firewall rule. • Edit — Enabled when an individual rule that is not part of an isolated set is selected, or when an isolation name is selected. • Delete — Enabled when an individual firewall rule is selected. This option deletes the rule from the vShield App Firewall. • Move Up — Enabled only when a rule or an isolation name is selected. Move Up is not enabled when a rule is part of a selected isolation. When an isolation is moved, all four rules are moved together. The rule order inside the isolation does not change. • Move Down — Enabled only when a rule or an isolation name is selected. Move Down is not enabled when a rule is part of a selected isolation. When an isolation is moved, all four rules are moved together. The rule order inside the isolation does not change. • Enable/Disable — Used to enable or disable a rule, as appropriate. • Save Changes — Saves the changes. The default firewall rules cannot be edited or deleted. They take priority in the rule hierarchy. The firewall rules are created and placed in a position relative to the rule selected in the list. The position of the default firewall rules and the default L3Rules and L2Rules cannot be changed. Debug firewall rules After creating the firewall rules and traffic between the resources, collect the vApp logs from the vShield Manager Web User Interface, so that you can use them for debugging your firewall rules and policies. Task 1 Log on to the vShield Manager. 2 Click the datacenter IP under Datacenters, then click the Summary tab. 3 Click Download Support Log under Service Virtual Machines. This generates and downloads the log file. 4 Open the log file and search for VMWALL Logs. You can now check for details like source and destination IP, Proto, and packet drop status. McAfee MOVE Firewall 3.5.0 Product Guide 17 3 Resource isolation and firewall rules Debug firewall rules 18 McAfee MOVE Firewall 3.5.0 Product Guide 4 Resource and service groups The data center resources are categorized and grouped for defining the firewall rules. Contents Configuring the resource groups Add the IP address group Add the MAC address group Add the security group resource Group details and options Add a service or service group Create an exclusion list Configuring the resource groups The resource groups must be defined and created before you include them in the isolation groups and create the firewall rules. These resources are available under the Groups tab: • IP Addresses — Resources grouped based on their IP addresses. • MAC Addresses — Resources grouped based on their machine addresses. • Security Group — Objects that are used in defining the individual firewall rules. They can also contain a list of other resources including other security groups. Add the IP address group The data center resources can be categorized and grouped based on their IP addresses. Add an IP address group so that you can include it for configuring the firewall rules. Before you begin Make sure that you installed the MOVE Firewall extension. Task The IP address group can also contain hosts that are external to the data center. For example, an IP address of a public FTP. For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Policy | MOVE Firewall, then click the Groups tab. McAfee MOVE Firewall 3.5.0 Product Guide 19 4 Resource and service groups Add the MAC address group 3 From the vShield Manager drop-down list, select the registered server and the data center. 4 Click Actions | Add | IPset to open the Add IPset page. 5 Specify a unique user-friendly Name and some Description that can help you identify the group 6 From Scope, select Datacenter or Global. 7 • Datacenter — These resources can be used in the particular data center only. • Global — These resources can be used in other data centers as well. Specify the valid IP address or a range of addresses. You can add multiple IP addresses or a range, separated by a comma. 8 Review the group details and click Save to save the group configuration. Add the MAC address group The data center resources can be categorized and grouped based on their MAC addresses. Add a MAC address group so that you can include it for configuring the firewall rules. Before you begin Make sure that you installed the MOVE Firewall extension. Task The MAC address group is used for creating L2Rules only, because L3Rules do not check for MAC address. For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Policy | MOVE Firewall, then click the Groups tab. 3 From the vShield Manager drop-down list, select the registered server and the data center. 4 Click Actions | Add | MACset to open the Add Macset page. 5 Specify a unique user-friendly name and a description that can help you identify the group. 6 From Scope, select Datacenter or Global. 7 • Datacenter — These resources can be used in the particular data center only. • Global — These resources can be used in other data centers as well. Specify the valid MAC addresses or MAC address range. You can add multiple MAC addresses, separated by a comma. 8 20 Review the group details and click Save to save the group configuration. McAfee MOVE Firewall 3.5.0 Product Guide 4 Resource and service groups Add the security group resource Add the security group resource Security group is an object that is used in defining firewall rules. It can also contain a list of other resources including other security groups. Before you begin Make sure that you installed the MOVE Firewall extension. Add a security group resource so that you can include it for configuring the firewall rules. Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Policy | MOVE Firewall, then click the Groups tab. 3 From the vShield Manager drop-down list, select the registered server and the data center. 4 Click Actions | Add | Security Group to open the Add Security Group page. 5 Specify a unique user-friendly name and a description that can help you identify the group. 6 From Scope, select Datacenter. 7 From the Available drop-down list under Security Groups, select the required resource, then click Select to move it to the Selected column. Use the Filter box under the Selected column to search for a security group in the Selected column. 8 Review the group details, then click Save to save the group configuration. Group details and options After adding the resource groups, you can access these group details and options. Option Definition Name Specifies the name of the resource group. Type Specifies the type of the resource group. Details Specifies the group details such as IP address, MAC address, and Security Group. Scope Specifies whether the Scope is Datacenter or Global. Actions • Edit — Use this option to edit any resource group. This button is enabled only when a resource group is selected. • Delete — Use this option to delete any resource group. This button is enabled only when a resource group is selected. Add a service or service group A service is a protocol-port combination, which is used in configuring the firewall rules. Before you begin Make sure that you installed the MOVE Firewall extension. McAfee MOVE Firewall 3.5.0 Product Guide 21 4 Resource and service groups Create an exclusion list Task For option definitions, click ? in the interface. 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Policy | MOVE Firewall, then click the Services tab. 3 From the vShield Manager drop-down list, select the registered server and the data center. 4 Click Actions | Add | Service to open the Add Service page. For Service Group, select the Service Group option. 5 Specify a unique user-friendly name and a description that can help you identify the group 6 From Scope, select Datacenter or Global. 7 • Datacenter — These resources can be used in the particular data center only. • Global — These resources can be used in other data centers as well. From the Protocol drop-down list, select the required protocol, then type the valid port number for the selected protocol. Service Group — from the Available drop-down list under Service Group Members, select the required service group member, then click Select to move it to the Selected column. Use the Filter box under the Selected column to search for a service group in the Selected column. 8 Click Save. Create an exclusion list Using the MOVE Firewall policy in McAfee ePO, you can create a list that includes a list of virtual machines to be excluded from vShield App protection. Before you begin Make sure that you installed the MOVE Firewall extension. If a virtual machine has multiple vNICs, all are excluded from being protected. The exclusion feature is recommended for troubleshooting purposes only. You can narrow any possible network and firewall rule issues, because the exclusion bypasses any firewall rule even if explicitly defined for the excluded resource. Task For option definitions, click ? in the interface. 22 1 Log on to the ePolicy Orchestrator server as an administrator. 2 Click Menu | Policy | MOVE Firewall, then click the Exclusion List tab. 3 From the vShield Manager drop-down list, select the registered server and the data center. 4 Click Actions | Add to open the Add Exclusion Members page. McAfee MOVE Firewall 3.5.0 Product Guide 4 Resource and service groups Create an exclusion list 5 From the Available drop-down list under Members, select the required VMs, and click Select to move it to the Selected column. Use the Filter box under the Selected column to search for the VM in the Selected column. 6 Click Save. McAfee MOVE Firewall 3.5.0 Product Guide 23 4 Resource and service groups Create an exclusion list 24 McAfee MOVE Firewall 3.5.0 Product Guide 5 Queries and reports With the MOVE Firewall software, you can quickly generate a summary view of all data center resources configured and protected with firewall rules. The predefined queries and dashboards provide out‑of‑the‑box functionality, because they are added to your McAfee ePO server when the software is installed. You can configure these queries to display results in charts or tables, which you can use as dashboard monitors. Query results can be exported to several formats, which can be downloaded or sent as an attachment to an email message. You can also create custom queries based on the properties collected by the MOVE Firewall software. For details about how to use custom queries, see the product documentation for your version of McAfee ePO. Contents Predefined MOVE Firewall queries MOVE Firewall dashboard Create MOVE Firewall custom query Create the MOVE Firewall dashboard Predefined MOVE Firewall queries You can use predefined queries as is, edit them, or create queries from events and properties stored in the McAfee ePO database. You can't edit predefined queries in McAfee ePO version 5.1 and later. To create custom queries, your assigned permission set must include the ability to create and edit private queries. McAfee MOVE Firewall 3.5.0 Product Guide 25 5 Queries and reports MOVE Firewall dashboard The default query that appears for MOVE Firewall under the data center query is: Query Endpoint Security Report Definition To get accurate data in the Endpoint Security Report, run the server task Data Center: Compute Dashboard data from Menu | Automation | Server Tasks before running this report. • Endpoint — Displays the name of the endpoint. • IP Address— Displays the IP address of the endpoint. • Virtual — Specifies whether the endpoint is a virtual system. • Power Status — Specifies the power status of the endpoint. • Category — Displays the group/resource pool/host of the endpoint. • Operating System — Displays the operating system details. • AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and antimalware software installed on the endpoint. • Firewall — Displays the name of the McAfee software with firewall protection active on the endpoint. • Whitelisting — Specifies whether the whitelisting feature is enabled. • Access Protection — Displays the name of the McAfee software that provides access protection. • Memory Protection — Displays the name of the McAfee software that provides memory protection. • Last Communication — Displays the time details of the last server-client communication. MOVE Firewall dashboard The data center dashboard is added to your McAfee ePO server when you install the data center software. The dashboard displays a collection of monitors based on the results of the default data center software queries. The default monitor that appears for MOVE Firewall under the Data Center dashboard is: • 26 Endpoint Security Report • Endpoint — Displays the name of the endpoint. • IP Address— Displays the IP address of the endpoint. • Virtual — Specifies whether the endpoint is a virtual system. • Power Status — Specifies the power status of the endpoint. • Category — Displays the group/resource pool/host of the endpoint. • Operating System — Displays the operating system details. • AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software installed on the endpoint. • Firewall — Displays the name of the McAfee software with firewall protection active on the endpoint. McAfee MOVE Firewall 3.5.0 Product Guide 5 Queries and reports Create MOVE Firewall custom query • Whitelisting — Specifies whether the whitelisting feature is enabled. • Access Protection — Displays the name of the McAfee software that provides access protection. • Memory Protection — Displays the name of the McAfee software that provides memory protection. • Last Communication — Displays the time details of the last server-client communication. Create MOVE Firewall custom query You can create queries that retrieve and display the details like number of endpoints and firewall status. With this wizard you can configure which data is retrieved and displayed, and how it is displayed. Before you begin You must have appropriate permissions to perform this task. Task For option definitions, click ? in the interface. 1 Click Menu | Reporting | Queries & Reports, then click Actions | New. The Query Builder wizard opens. 2 On the Result Type page, select Data Center, then select Endpoint Security for the query, and click Next. The Chart page appears. This choice determines the options available on subsequent pages of the wizard. 3 Select the type of chart as Pie Chart and configure these criteria to include in the query, then click Next. a Select Number of Endpoint from the Pie slice values are drop-down list. b Select Firewall from the Labels are drop-down list. 4 (Optional) Select the columns to be included in the query, then click Next. The Filter page appears. 5 Select property Firewall equals MOVEFirewall and HIPS to narrow the search results, then click Run. The Unsaved Query page displays the results of the query, which is actionable, so you can take any available actions on items in any tables or drill‑down tables. Selected properties appear in the content pane with operators that can specify criteria used to narrow the data that is returned for that property. 6 • If the query didn’t appear to return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query. • If you don’t need to save the query, click Close. • If this is a query you want to use again, click Save and continue to the next step. The Save Query page appears. Type a name for the query, add any notes, and select one of the following: • New Group — Type the new group name and select either: • Private group (My Groups) • Public group (Shared Groups) McAfee MOVE Firewall 3.5.0 Product Guide 27 5 Queries and reports Create the MOVE Firewall dashboard • 7 Existing Group — Select the group from the list of Shared Groups. Click Save. Create the MOVE Firewall dashboard Dashboards are collections of user‑selected and configured monitors that provide current data about your environment. You can create your own dashboards from query results or use ePolicy Orchestrators default dashboards. Before you begin You must have appropriate permission to perform this task. Task For option definitions, click ? in the interface. 1 Click Menu | Reporting | Dashboards, then click Options | Manage Dashboards. The Manage Dashboards page appears. 2 Click New Dashboard and type a name. 3 For each monitor, click Add Monitor, select the custom query you created for MOVE Firewall to display in the dashboard, then click OK. 4 Click Save. 5 Optionally, you can make this dashboard public by editing the dashboard and choosing PUBLIC. All new dashboards are saved to the private My Dashboards category. For more information on creating dashboard, see the product documentation for your version of McAfee ePO. 28 McAfee MOVE Firewall 3.5.0 Product Guide Index A about this guide 5 access protection 25, 26 anti-malware status 26 application control 25 C change control 25 components MOVE Firewall 7 conventions and icons used in this guide 5 creating firewall rules 15, 16 isolation rules 13 D dashboard, MOVE Firewall creating 28 dashboards, MOVE Firewall security reports 26 status 26 Data Center Connector, requirements 9 details default rules 16 firewall rules 16 isolation rules 15 details and options firewall 16 isolation 15 security group 21 documentation product-specific, finding 6 typographical conventions and icons 5 E extensions downloading 10 installing 11 F firewall rules adding 16 creating 15 debugging 17 details and options 16 I inbound access isolation 13 incoming rule isolation 13 installation extension 11 requirements 9 IP address group, adding 19 isolation adding 13 vShield App Firewall 13 isolation rules details and options 15 M machine address group, adding 20 McAfee ServicePortal, accessing 6 memory protection 25 MOVE Firewall default rules 16 status 26 O ePolicy Orchestrator management 7 requirements 9 ESXi components 7 outbound access isolation 13 outgoing rule isolation 13 exclusion list, creating 22 McAfee MOVE Firewall 3.5.0 Product Guide 29 Index Q queries, MOVE Firewall creating 27 predefined 25 R requirements software 9 resource filter 13 resource groups configuring 19 resources isolation 13 rules creating 15, 16 default 16 firewall 13, 15 isolation 13 S security group, adding 21 service group, adding 21 ServicePortal, finding product documentation 6 services 13 status (continued) isolation 15 power 25 T technical support, finding product information 6 types 16 V vCenter 7 vCloud Networking and Security (vCNS) 7 vCNS App Firewall 7 virtual machines 11 VMware 7 VMware vShield Manager, requirements 9 vShield App Firewall 7 isolation 13 vShield Manager deleting 11 downloading 10 installing 10 registering 11 requirements 9 status firewall 25 30 McAfee MOVE Firewall 3.5.0 Product Guide 0-00