THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LICENSORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes or may include some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL)
or other similar software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and
have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary
format that the source code also be made available to those users. For any such software, the source code is made available in a designated directory
created by installation of the Software or designated internet page. If any Free Software licenses require that McAfee provide rights to use, copy or modify
a software program that are broader than the rights granted in the McAfee End User License Agreement, then such rights shall take precedence over the
rights and restrictions herein.
Issued April 2009 / McAfee Firewall Enterprise Control Center (CommandCenter) software version 4.0.0.04
About this Document
This Administration Guide leads you through planning and configuration of your initial Firewall Enterprise
Control Center (CommandCenter) Management Server. It also covers basic post-installation tasks for
integrating a new firewall into your network. While problems are not anticipated, this guide also includes
troubleshooting tips.
This guide is for anyone assigned to initially set up a McAfee Firewall Enterprise Control Center Management
Server. It assumes that you are familiar with McAfee Firewall Enterprise (Sidewinder) devices. It also
assumes you are familiar with networks and network terminology.
You can find additional information at the following locations:
• Online help — Online help is built into the Control Center. Press F1.
• Manuals — View product manuals at mysupport.mcafee.com.
• Knowledge Base — Visit the Knowledge Base at mysupport.mcafee.com. You’ll find helpful articles,
troubleshooting tips and commands, and the latest documentation.
The following table lists the various documentation resources for Control Center administrators:
Table 1 Summary of Control Center documentation

Firewall Enterprise Control Center (CommandCenter) Setup Guide
    Leads you through your initial firewall configuration. Includes instructions for configuring
    and installing the High Availability (HA) Management Server and registering firewalls.

Firewall Enterprise Control Center (CommandCenter) Administration Guide
    Provides an introduction to Control Center and includes reference information and
    procedures for using the Control Center Client Suite to centrally define and manage the
    enterprise security policies for the firewall.

McAfee Firewall Enterprise (Sidewinder) Administration Guide
    Complete administration information on all of the firewall functions and features. You
    should read this guide if your Control Center enterprise includes firewalls.

Online help
    Online help is built into Control Center Client Suite programs and the Control Center
    Initialization tool.

Knowledge Base
    Supplemental information for all other Control Center documentation. Articles include
    helpful troubleshooting tips and commands. All manuals and application notes are also
    posted here. The Knowledge Base is located at mysupport.mcafee.com.
Any time that there is a reference to a “firewall”, this is always the McAfee Firewall Enterprise. Additionally,
refer to Table 2 for a list of the text conventions that are used in this document.
Table 2 Conventions

Courier bold
    Indicates commands and key words that you specify at a system prompt.
    Note: A backslash (\) indicates a command that does not fit on the same line. Specify
    the command as shown, ignoring the backslash.

Courier italic
    Indicates a placeholder for text that you specify.

<Courier italic>
    When enclosed in angle brackets (< >), this indicates optional text.

nnn.nnn.nnn.nnn
    Indicates a placeholder for an IP address that you specify.

Courier plain
    Indicates text that is displayed on a computer screen.

Plain text italics
    Indicates the names of files and directories. Also used for emphasis (for example, when
    introducing a new term).
McAfee Firewall Enterprise Control Center 4.0.0.04 Administration Guide 11
Table 2 Conventions (continued)

Plain text bold
    Identifies buttons, field names, and tabs that require user interaction.

[ ]
    Indicates conditional or optional text and instructions (for example, instructions that pertain
    only to a specific configuration).

Caution
    Indicates that you must be careful. In this situation, you might do something that could result
    in the loss of data or in an unpredictable outcome.

Note
    Indicates a helpful suggestion or a reference to material that is not covered elsewhere in this
    documentation.

Security Alert
    Indicates information that is critical for maintaining product integrity or security.

Tip
    Indicates time-saving actions. It also might help you solve a problem.
Note: The IP addresses, screen captures, and graphics that are used within this document are for illustration
purposes only. They are not intended to represent a complete or appropriate configuration for your specific
needs. Some features are shown enabled in screen captures only so that the dependent fields they control are
visible; not all of those features are appropriate or desirable for your setup.
Additionally, many of the windows and pages in the Client tools have tables that can be edited. The first
column of a table that can be edited can display different symbols, depending on the action being taken. In
the help files, this is listed as the Edit column. The following list describes the symbols. For the remainder
of the help files, only a verbal description of the symbol will be used.
• Edit — This column identifies the edit status of the row in the table. The following icons can be displayed:
  • [blank] — Indicates an existing line with associated values that is not the currently selected line.
  • Pencil — Indicates that this row is the one that is being edited.
  • New-entry symbol — Indicates that you are creating a new row or entry.
  • Selected-row symbol — Indicates that this row is currently selected and it contains previously specified values.
1 Introduction
Contents
About the McAfee Firewall Enterprise Control Center (CommandCenter)
About the Client Suite
About the McAfee Firewall Enterprise Control Center (CommandCenter)
The Control Center is an enterprise-class management tool for creating and applying security policies
across multiple firewalls. Network administrators can remotely manage, maintain, and monitor firewalls for
one or more domains.
The Control Center consists of the following entities:
• Control Center Client Suite — a set of tools that resides on a desktop computer that is running a
Windows operating system. The tools provide the graphical user interfaces (GUIs) to configure, manage,
and monitor supported firewalls and to perform Control Center administrative tasks. For more
information, see About the Client Suite on page 15.
• Control Center Management Server — a hardened Linux platform that provides the firewall
management and monitoring capabilities that are required to centrally implement security policy. It
manages the framework for secure communication between the server, Client Suite, and supported
firewalls. The Control Center Management Server requires at least one installation of the Control Center
Client Suite.
• At least one firewall in a heterogeneous network of security devices that exist in a single domain.
• One or more domains that represent a complete, inclusive network security policy.
Figure 1 Basic Control Center Management Server environment
[Diagram: the Control Center Client Suite (Windows) connects to the Control Center Management Server, which in
turn connects to each managed firewall.]
• Client application: Client Suite tools connect to the Control Center Management Server to create, edit, and
  deploy policy to the managed firewalls.
• Control Center Management Server: All firewall management is accomplished through a connection to the
  Control Center.
• Managed firewalls: The configuration and initialization is similar to standalone firewalls. Then push policy
  from the Control Center Management Server to each firewall.
The Client Suite and tiers of firewalls securely communicate with the Management Server by using SOAP
over HTTPS. SSL, using Client Certificates generated by the built-in Certificate Authority, is used to encrypt
and authenticate the client/server communication.
You can also implement Control Center Management Servers in a High Availability (HA) configuration, in
which one Management Server actively manages the registered firewalls, while another Management
Server acts as a standby or backup. If the active Management Server fails, the management responsibilities
can be switched to the standby or backup Management Server. For more information about this, see High
Availability (HA) on page 136.
Features of the Control Center
The Control Center is the central security appliance management solution from McAfee. It provides the
foundation for a suite of products that is used to:
• Define and distribute rules to hundreds of firewalls.
• Share configuration data among firewalls.
• Configure Virtual Private Network (VPN) connectivity.
• Implement and selectively activate multiple security policies.
• Manage software releases on all of your firewalls.
• Simplify routine administrative tasks.
• Manage ongoing changes to your security policies.
The Control Center supports the following features and functionality:
• Object-based design — Using an object-based configuration technique, objects can be defined once and
can be reused anywhere that the object is needed. Network objects represent one example of this
implementation. Network objects include firewalls and device groups, hosts, networks, address ranges,
interfaces, and endpoint groups. These objects are used when you define rules. Over time, hundreds of
rules can be defined by using these objects. If the properties of a network object must be changed, you
have to update the object once. The resulting changes will propagate wherever that object is used.
• Auditing of object management events and archiving of audit tracking data — The Control Center
has an audit tracking and archive management feature that can be configured to monitor object changes
and purge or archive audit tracking data. The auditing data contains information about the requested
operation performed, time, date and user name. This information can be displayed or printed using the
Audit Trail report. Because the audit tracking table grows without bounds and consumes disk space, you
also have the option to periodically remove the data from the database or archive it to another location.
This is true for both Control Center audit data and audit data that is currently stored on the Management
Server that was retrieved from one or more firewalls.
• Configuration domains — Use configuration domains to partition your managed firewalls into separate
collections of objects and configuration data. Each collection is independent of any other collection, and
changes to one collection do not affect the others. For more information, see Configuration domains on
page 92.
• Rule set queries — Because firewall configurations often require numerous rules, the Control Center can
produce views of these rules as a subset of the rules. This added convenience helps to manage and
validate the many rules that are stored in the Control Center database.
• Firewall configuration retrieval — After a firewall has been added to the list of managed firewalls, you
can use the Firewall Retrieval Options window to choose the configuration components to be retrieved and
stored as Control Center objects. You can select all components or limit your selection to specific
components. This feature saves time and effort when you are performing the initial setup to manage a
firewall.
• Policy validation and reports — After making configuration changes and before applying them, you can
determine whether firewall configurations in the Control Center database are valid. You can view a report
that shows the status of the validation process and a report that details the differences between the
current and proposed firewall configurations.
• Configuration status report — After the configuration has been propagated to one or more firewalls, a
status report is produced to list warnings or errors that may have occurred.
• Certificate Authority (CA) framework — A built-in CA framework lets you quickly issue certificates for
the various architectural components. A built-in CA saves time when using SSL with client certificates.
• Simultaneous, multiple users — The Control Center provides a locking mechanism that accommodates
simultaneous use of the Control Center Client Tools by multiple users. Administrators have the option of
locking entire object trees or allowing the system to lock individual objects on a first-come, first-served
basis. This approach allows single-user environments to function without explicit locking.
• High Availability (HA) feature — You can configure redundant Management Servers by using the High
Availability Server Configuration (HA) feature. The HA feature uses a multi-server configuration to
continue Control Center Management Server functions if the active Management Server fails. For more
information, see High Availability (HA) on page 136.
• Apply Configuration enhancements — The Apply Configuration window includes a checkbox that
determines whether the network is automatically re-initialized when configuration changes are applied to
a firewall. If the network is not re-initialized automatically, the Client displays all of the firewalls that need
to be re-initialized in the Configuration Status report. In addition, the apply mechanism on the firewall
supports running a script after the apply operation has been completed. The apply process also
supports listing files that are to be excluded from management.
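The guide states above that the Client Suite and the managed firewalls authenticate to the Management Server with SSL client certificates issued by the built-in Certificate Authority, and the Certificate Authority (CA) framework bullet repeats that the CA exists to issue certificates to the architectural components. What that buys you is that a certificate is accepted only if it chains to the Control Center's own CA, not because its subject name looks right. The following script is an added example, not code from this guide or from the Control Center; it drives the openssl command line (assumed to be installed) to build a throwaway CA in a temporary directory, issue one client certificate from it and one from an unrelated CA with the identical subject name, and show that only the first verifies. The CA and certificate names are constructed for illustration.

```python
"""Added example, not code from the McAfee guide or the product.

Emulates the trust decision a server makes when it trusts only its own CA:
a client certificate verifies iff it chains to that CA. Uses the openssl
CLI (assumed installed); all names below are constructed."""
import os
import subprocess
import tempfile


def _openssl(args):
    # Run an openssl subcommand quietly; raise if setup itself fails.
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_ca(workdir, name):
    """Create a self-signed CA; return (cert_path, key_path)."""
    cert = os.path.join(workdir, f"{name}.pem")
    key = os.path.join(workdir, f"{name}.key")
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
              "-days", "30", "-subj", f"/CN={name}",
              "-keyout", key, "-out", cert])
    return cert, key


def issue_client_cert(workdir, ca_cert, ca_key, common_name, name):
    """Issue a leaf certificate for CN=common_name signed by the given CA."""
    key = os.path.join(workdir, f"{name}.key")
    csr = os.path.join(workdir, f"{name}.csr")
    cert = os.path.join(workdir, f"{name}.pem")
    _openssl(["req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
              "-subj", f"/CN={common_name}", "-keyout", key, "-out", csr])
    _openssl(["x509", "-req", "-in", csr, "-CA", ca_cert, "-CAkey", ca_key,
              "-CAcreateserial", "-days", "30", "-sha256", "-out", cert])
    return cert


def chains_to(ca_cert, leaf_cert):
    """True when leaf_cert verifies against ca_cert alone, which is the
    decision a server configured to trust only its own CA makes about a
    presented client certificate."""
    result = subprocess.run(["openssl", "verify", "-CAfile", ca_cert, leaf_cert],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def demo():
    """Build a 'Control Center' CA and a rogue CA, issue a client cert from
    each with the same CN, and return (trusted_verdict, rogue_verdict)."""
    with tempfile.TemporaryDirectory() as work:
        cc_ca, cc_key = make_ca(work, "control-center-ca")
        rogue_ca, rogue_key = make_ca(work, "rogue-ca")
        good = issue_client_cert(work, cc_ca, cc_key, "client-suite", "good")
        rogue = issue_client_cert(work, rogue_ca, rogue_key, "client-suite", "rogue")
        return chains_to(cc_ca, good), chains_to(cc_ca, rogue)


if __name__ == "__main__":
    trusted, impostor = demo()
    print("issued by the Control Center CA:", trusted)    # True
    print("same CN, issued by another CA:", impostor)    # False
```

The rogue certificate carries the same CN as the legitimate one, so anything that trusted subject names, or that trusted the operating system's general CA bundle instead of the Control Center's own CA, would accept it. The same check applies in the other direction: a Client Suite host should pin the Management Server's CA rather than any publicly trusted root.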
About the Client Suite
The McAfee Firewall Enterprise Control Center Client Suite is the suite of tools that provides the user
interfaces for task-grouped operations of the Control Center. Each tool encapsulates related operations to
deliver the functionality required by Control Center users.
Administration Tool
The Administration Tool aggregates the McAfee Firewall Enterprise Control Center administrative functions
into a single tool.
You can accomplish the following tasks by using the features and functions of the Administration Tool:
• Control Center users — You can create and manage the unique Control Center user names and
passwords that are used to authenticate user access to the Control Center Management Server. For more
information, see Control Center users on page 81.
• Control Center roles — After a user is defined, he or she is assigned a role that determines the tasks
that he or she is allowed to perform. Although a default set of roles has been pre-defined, you can create
additional user-defined roles that can be assigned to Control Center users. For more information, see
Control Center roles on page 89.
• Configuration domains — Activate the configuration domains option to segregate configuration data
views and management into multiple domains. The operation and configuration data associated with a
configuration domain is accessible only when the specific domain is selected during the login process. All
other configuration data is obscured and cannot be acted upon or seen. If configuration domains are
activated, configuration domain versions and version management can be accessed from the
Administration Tool, as well as from the Configuration tool. For more information about configuring and
managing configuration domains, see Configuration domains on page 92. For more information about
versions and version management for configuration domains, see Configuration domain version
management on page 97.
• Audit Trail — The Control Center can track when firewalls, endpoints, services, rules, alert processing
rules, and many other objects are updated, added, or removed by Control Center users. You can define
the actions that are to be tracked, the objects that are to be tracked, the archiving (or not) of the tracked
data, and a way to view and filter the tracked data. For more information, see Audit data management
on page 100.
Note: Do not confuse the Control Center Audit Trail, which records actions performed by Control Center
users, with the firewall-specific security audit reports.
• Control Center license — You can manage the Control Center license by selecting License from the
System menu. For more information, see Control Center Management Server licensing on page 104.
• System settings — You can manage specific Control Center system settings in the Administration Tool.
These settings include: defining the default login disclaimer information that is posted in the login window
for each tool in the Client Suite, the failed login lockout settings, and the default application time-out
period. For more information, see Configuring system settings on page 121.
• Alternate authentication — Use the Administration Tool to configure the way that Control Center users
authenticate with the Management Server. The Control Center supports an internal authentication
mechanism, as well as LDAP and RADIUS for off-box authentication. For more information, see
Authentication on page 145.
• Management Server backup and restore operations — Use the Administration Tool (and the
Configuration Tool under certain circumstances) to manage the backup and restoration of the Control
Center configuration and the operational data. A full system backup can be requested and an FTP off-box
location can be specified. Because FTP carries both the login credentials and the backup contents in
cleartext, reach the off-box location only across a trusted management network. For more information,
see Managing configuration data for the Management Server on page 23.
• Backup server status — If the High Availability (HA) Management Server Configuration option is used,
you can view the status condition of the backup Management Servers in the Backup Server Status page.
For more information, see Viewing the status of your backup Management Servers on page 122.
Configuration Tool
Use the Configuration Tool to define, configure, and maintain multiple firewalls and security policies for a
distributed homogeneous or heterogeneous configuration of firewalls.
You can accomplish the following tasks by using the features and functions of the Configuration Tool:
• Create configurable objects — The components that comprise a security policy include a set of
configurable objects that defines the characteristics of the building blocks that are used to implement the
security policy. Use this object model of defined objects to share characteristics, options, and
functionality, instead of having to provide raw configuration information for each aspect of an
implemented security policy. Use the Configuration Tool to retrieve, create, and manage configurable
object characteristics. For more information, see Configurable objects on page 154.
• Manage configurable objects — After configurable objects have been defined or retrieved, you can
edit, validate, and apply changes to the configured object. You can manage the implemented security
policy across all of the supported firewalls in your configuration. For more information, see Firewall
configuration management on page 574.
• Create and manage rules — Rules provide the network security mechanism that controls the flow of
data into and out of the internal network. They specify the network communications protocols that can
be used to transfer packets, the hosts and networks to and from which packets can travel, and the time
periods during which the rules can be applied. Rules are created by the system administrator and should
reflect the internal network site's security policy. You can retrieve, create, and manage rules in the
Configuration Tool. For more information, see Creating, viewing, or modifying rules on page 528.
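The object-based design described under Features of the Control Center (objects defined once and reused in hundreds of rules, with a change propagating everywhere the object is used), the rule set queries, the policy validation that runs before an apply, and the rules described just above all hang together on one idea: a rule stores a reference to a network object, not a copy of its addresses. The following is an added example, not code from this guide or from the Control Center, that models that design in a few dozen lines so the consequences can be observed: an object edit changes the verdict of every rule that references it, the rule set can be queried for the rules that reference an object, and validation catches a rule that points at an undefined object before anything is applied. Object names, addresses, and rules are constructed for illustration; the implicit-deny default at the end of the rule list is the example's own choice.

```python
"""Added example, not code from the McAfee guide or the product.

A minimal model of object-based policy: rules reference network objects
by name, so editing an object takes effect in every rule that uses it.
All object names, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import time


@dataclass
class NetworkObject:
    name: str
    networks: list  # ipaddress.ip_network values

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.networks)


@dataclass
class Rule:
    name: str
    source: str         # NetworkObject name, not a copy of its addresses
    destination: str
    protocol: str       # "tcp", "udp", ...
    action: str         # "allow" or "deny"
    start: time = time(0, 0)        # time period during which the rule applies
    end: time = time(23, 59, 59)


class PolicyDB:
    """Holds the object table and an ordered rule list; first match wins."""

    def __init__(self):
        self.objects = {}
        self.rules = []

    def set_object(self, name, cidrs):
        # Defining and editing are the same operation: rules hold only the
        # name, so the new addresses are live everywhere immediately.
        self.objects[name] = NetworkObject(
            name, [ipaddress.ip_network(c) for c in cidrs])

    def add_rule(self, rule):
        self.rules.append(rule)

    def rules_referencing(self, obj_name):
        """Rule-set query: rules that use the object as source or destination."""
        return [r.name for r in self.rules
                if obj_name in (r.source, r.destination)]

    def validate(self):
        """Problems that would make an apply fail, as human-readable strings."""
        errors = []
        for r in self.rules:
            for ref in (r.source, r.destination):
                if ref not in self.objects:
                    errors.append(f"rule {r.name}: undefined object {ref}")
            if r.action not in ("allow", "deny"):
                errors.append(f"rule {r.name}: bad action {r.action}")
        return errors

    def decide(self, src, dst, protocol, at):
        """(rule name, action) of the first matching rule; implicit deny
        when nothing matches. Rules with unresolved objects never match."""
        for r in self.rules:
            src_obj = self.objects.get(r.source)
            dst_obj = self.objects.get(r.destination)
            if src_obj is None or dst_obj is None:
                continue
            if (r.protocol == protocol and r.start <= at <= r.end
                    and src_obj.contains(src) and dst_obj.contains(dst)):
                return r.name, r.action
        return None, "deny"


def build_sample_policy():
    """Constructed sample: one branch LAN allowed to the web servers, 08:00-18:00."""
    db = PolicyDB()
    db.set_object("branch_lan", ["10.1.0.0/24"])
    db.set_object("web_servers", ["192.0.2.0/28"])
    db.add_rule(Rule("allow_web", "branch_lan", "web_servers", "tcp", "allow",
                     start=time(8, 0), end=time(18, 0)))
    return db


if __name__ == "__main__":
    db = build_sample_policy()
    print(db.decide("10.1.0.5", "192.0.2.3", "tcp", time(9, 0)))   # ('allow_web', 'allow')
    print(db.decide("10.2.0.9", "192.0.2.3", "tcp", time(9, 0)))   # (None, 'deny')
    db.set_object("branch_lan", ["10.1.0.0/24", "10.2.0.0/24"])    # one edit ...
    print(db.decide("10.2.0.9", "192.0.2.3", "tcp", time(9, 0)))   # ... now ('allow_web', 'allow')
```

The flip side of define-once-reuse-everywhere is that one careless object edit widens every rule that references it, which is exactly why the rule-set query and the pre-apply validation and difference reports matter: before applying, look up which rules an edited object touches and read the diff, rather than trusting that the edit was as narrow as intended.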