any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate
companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD ,
INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY,
PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL
PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its
affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand
products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE
YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED
SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND
OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE
PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE
PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE).
IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Issued August 2009 / McAfee UTM Firewall version 4.0.4
This guide describes the features and capabilities of your McAfee UTM Firewall (formerly SnapGear®)
appliance. The document organization follows the menu layout of the UTM Firewall Management Console.
The appendixes contain additional maintenance and reference information.
This guide is intended for network and security administrators. It assumes familiarity with the internal
network of your organization, the Internet, HTTP (Hypertext Transfer Protocol), and FTP (File Transfer
Protocol).
You can find additional information at the following locations:
• Help – Help is built into the UTM Firewall Management Console. Click the Help icon in the upper right
corner of the Management Console screen.
• Support – Visit mysupport.mcafee.com to find product documentation, announcements, and support.
• Product updates – Visit my.securecomputing.com to download the latest McAfee UTM Firewall updates.
Refer to Table 1 for a list of the text conventions used.
Table 1 Conventions
Convention | Description
Courier bold | Identifies commands and key words you type at a system prompt. Note: A backslash (\) signals a command that does not fit on the same line. Type the command as shown, ignoring the backslash.
Courier italic | Indicates a placeholder for text you type
<Courier italic> | When enclosed in angle brackets (< >), identifies optional text
nnn.nnn.nnn.nnn | Indicates a placeholder for an IP address you type
Courier plain | Used to show text that appears on a computer screen
Plain text italics | Identifies the names of files and directories. Also used for emphasis (for example, when introducing a new term)
Plain text bold | Identifies buttons, field names, and tabs that require user interaction
[ ] | Signals conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration)
Caution: | Signals be careful—in this situation, you might do something that could result in the loss of data or an unpredictable outcome.
Note: | Used for a helpful suggestion or a reference to material not covered elsewhere in the guide
Security Alert: | Identifies information that is critical for maintaining product integrity or security
Tip: | Indicates time-saving actions; may help you solve a problem
Note: The IP addresses, screen captures, and graphics used within this document are for illustration purposes
only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features
may be enabled in screen captures to make them clear; however, not all features are appropriate or desirable for
your setup.
McAfee UTM Firewall 4.0.4 Administration Guide9
Chapter 1 Introduction
Contents
UTM Firewall desktop appliances
UTM Firewall rack mount appliance
UTM Firewall PCI appliance
UTM Firewall Management Console
UTM Firewall menus
Interface icons
Help and Support menu option
UTM Firewall desktop appliances
The McAfee UTM Firewall desktop appliance range includes the following models:
Figure 1 UTM Firewall desktop appliance models (SG310, SG560 and SG560U, SG565, SG580)
The UTM Firewall desktop appliance range provides Internet security and privacy of communications for
small and medium enterprises and branch offices. It simply and securely connects your office to the
Internet, and with its robust stateful firewall, shields your computers from external threats.
By default, all UTM Firewall appliances run a fully secured stateful firewall. This means that, from the PC
(Personal Computer) that the appliance is plugged into, most network resources are freely accessible.
However, any services that the PC provides, such as file shares or Web services such as IIS, are not
accessible by other hosts on the Internet without further configuration of the UTM Firewall appliance. This is
accomplished using packet filter rules. For details, refer to Packet filtering.
With the UTM Firewall appliance's masquerading firewall, hosts on your LAN (Local Area Network) can see
and access resources on the Internet, but all that outsiders see is the UTM Firewall appliance's external
address.
You can tailor your appliance to disallow access from your LAN to specific Internet sites or categories of
content, give priority to specific types of network traffic, and allow controlled access to your LAN from the
outside world. You can also choose to enable intrusion detection and prevention services on your UTM
Firewall appliance, to further bolster the security of your local network.
The SG560, SG560U, SG565, and SG580 can also connect to a DMZ (DeMilitarized Zone) network. A DMZ is
a separate local network typically used to host servers accessible to the outside world. It is separated both
physically and by the firewall, in order to shield your LAN from external traffic.
The UTM Firewall appliance allows you to establish a VPN (Virtual Private Network). A VPN enables remote
workers or branch offices to connect securely to your LAN over the public Internet. The UTM Firewall
appliance can also connect to external VPNs as a client. The SG560, SG560U, SG565, and SG580 use
onboard cryptographic acceleration to ensure excellent VPN throughput.
You can configure the appliance with multiple Internet connections. These auxiliary connections can be kept
on standby should the primary connection become unavailable, or maintained concurrently with the
primary connection for spreading network load.
The SG565 and SG580 incorporate a powerful Web proxy cache to improve Web page response time and
reduce link loads. It is designed to integrate seamlessly with upstream proxy caches provided by ISPs.
Front panel LEDs
The front and rear panels contain Light-emitting Diodes (LEDs) indicating status. LEDs and labels vary from
model to model. The labels for the front panel LEDs are detailed in the following tables.
Note: If H/B does not begin flashing shortly after power is supplied, refer to Recovering from a failed upgrade.
Table 1 SG310 LED descriptions
Label | Activity | Description
Power | On (steady) | Power is supplied to the UTM Firewall appliance.
TST | Flashing | Similar to the H/B light on other models. The appliance is operating correctly.
TST | On | If this LED is on and not flashing, an operating error has occurred.
TST | Off | If the power is on and the H/B light is off, either the Halt Now option is activated in preparation to power down safely, or an operating error has occurred.
LAN1, LAN2, LAN3, LAN4 | Flashing | Indicates network traffic on the LAN network interfaces.
WAN | Flashing | Indicates network traffic on the Internet network interface.
Table 2 SG560, SG560U, and SG580 LED descriptions
Label | Activity | Description
Power | On (steady) | Power is supplied to the UTM Firewall appliance.
H/B (Heart Beat) | Flashing steadily | The appliance is operating correctly.
H/B (Heart Beat) | On | If this LED is on and not flashing, an operating error has occurred.
H/B (Heart Beat) | Off | If the power is on and the H/B light is off, either the Halt Now option is activated in preparation to power down safely, or an operating error has occurred.
ETH A | Flashing | Indicates activity on the 4 port switch.
ETH B | Flashing | Indicates activity on Port B.
Serial | Flashing | Indicates the COM port is receiving and transmitting data.
HA | On | High Availability. The appliance has switched to a backup device.
Online | On (steady) | An Internet connection has been established.
VPN | On | Virtual private networking is active.
Table 3 SG565 LED descriptions
Label | Activity | Description
Power | On (steady) | Power is supplied to the UTM Firewall appliance.
H/B (Heart Beat) | Flashing steadily | The appliance is operating correctly.
H/B (Heart Beat) | On | If this LED is on and not flashing, an operating error has occurred.
H/B (Heart Beat) | Off | If the power is on and the H/B light is off, either the Halt Now option is activated in preparation to power down safely, or an operating error has occurred.
ETH | Flashing | Indicates network traffic.
USB | Flashing | Indicates activity on an attached USB device.
WLAN | Flashing | Indicates network traffic on the Wireless network interface.
Serial | Flashing | Indicates the COM port is receiving and transmitting data.
Online | On (steady) | An Internet connection has been established.
VPN | On | Indicates Virtual Private Networking is active. If IPSec tunnels are configured, the light illuminates when a valid IPSec tunnel is active. If there are no IPSec tunnels configured, the LED illuminates for the PPTP VPN Server. For the VPN LED, IPSec takes precedence over other VPN configurations. For further information on VPN, see Chapter 5, VPN menu features.
Rear panel
The rear panel contains Ethernet and serial ports, the erase button, and the power inlet. The serial port can be
connected to an analog/ISDN modem or a terminal for serial console access.
Note: For instructions on serial console access, refer to Appendix C, Null modem administration.
If network status LEDs are present for the ports (not present on the SG310 model), the lower or left LED
indicates the link condition, where a cable is connected correctly to another device. The upper or right LED
indicates network activity.
Physical specifications
The following are the local or wide area network link specifications:
• 10/100BaseT 4 port LAN switch (SG310)
• 10/100BaseT 4 port VLAN-capable switch (SG560, SG560U, SG565, SG580)
Note: Port A1 is set to LAN and cannot be changed.
• Serial (for dial-up/ISDN)
• Front panel serial status LEDs (for TX/RX)
• Online status LEDs (for Internet/VPN)
• Rear panel Ethernet link and activity status LEDs
The following are the environmental specifications:
• External power adaptor (voltage/current depends on individual model)
• Front panel operating status LEDs: Power, H/B
• Operating temperature between 0° C and 40° C
• Storage temperature between -20° C and 70° C
• Humidity between 0 to 95% (non-condensing)
UTM Firewall rack mount appliance
The SG720 is the flagship of the UTM Firewall appliances. It features multi-megabit throughput,
rack-optimized form factor, three fast Ethernet ports, and two gigabit ports. There are no switches on the
SG720; all ports are bona fide ports.
Figure 2 SG720
In addition to providing all of the features described in the desktop appliances models section, the SG720
model equips central sites to securely connect hundreds of mobile employees and branch offices.
Front panel LEDs
The front panel contains LEDs indicating status. On the front panel Ethernet ports, the orange LED on the
upper right indicates the link condition when a cable is connected correctly to another device. The flashing
green LED on the upper left indicates network activity. The front panel LEDs are described in the following
table.
Note: If H/B does not begin flashing shortly after power is supplied, refer to Recovering from a failed upgrade.
Table 4 SG720 LED descriptions
Label | Activity | Description
Online | On | An Internet connection has been established.
Failover | On | The appliance has switched to the backup Internet connection.
PWR | On | Power is supplied to the UTM Firewall appliance.
H/B (Heart Beat) | Flashing | The appliance is operating correctly.
H/B (Heart Beat) | On | If this LED is on and not flashing, an operating error has occurred.
H/B (Heart Beat) | Off | If the power is on and the H/B light is off, either the Halt Now option is activated in preparation to power down safely, or an operating error has occurred.
High Avail | On | High Availability. Indicates the appliance has switched to a backup appliance.
Front panel
The front panel contains two 10/100/1000 GbE (Gigabit Ethernet) ports (A and B), three 10/100BaseT FE
(Fast Ethernet) ports (C, D, and E), a serial port that can be connected to an analog/ISDN modem or
terminal for serial console access, as well as operating status LEDs and the configuration erase button.
Note: For instructions on serial console access, refer to Appendix C, Null modem administration.
Rear panel
The rear panel contains a power switch and a power inlet for an IEC power cable.
Physical specifications
The following are the connectivity specifications:
• Two 10/100/1000 GbE ports (A and B)
Note: Port A is set to LAN and cannot be changed.
• Three 10/100BaseT FE ports (C, D, E)
• Serial port
• Online status LEDs (Online, Failover, High Availability)
• Ethernet link and activity status LEDs
The following are the environmental specifications:
• Front panel operating status LEDs: Power, H/B
• Operating temperature between 0° C and 40° C
• Storage temperature between -20° C and 70° C
• Humidity between 0 to 95% (non-condensing)
UTM Firewall PCI appliance
The UTM Firewall PCI appliance (SG640) is a hardware-based firewall and VPN server embedded in a
10/100 Ethernet PCI network interface card (NIC). It is installed into the host PC like a regular NIC,
providing a transparent firewall to shield the host PC from malicious Internet traffic, and VPN services to
allow secure remote access to the host PC.
Figure 3 UTM Firewall PCI appliance – SG640
Unlike other UTM Firewall desktop and rack mount appliances, a single UTM Firewall PCI appliance is not
intended as a means for your entire office LAN to be connected to, and shielded from the Internet.
Installing a UTM Firewall PCI appliance in each network-connected PC gives it its own independently
manageable, enterprise-grade VPN server and firewall, running in isolation from the host operating system.
This approach offers an increased measure of protection against internal threats, as well as conventional
Internet security concerns. You can update, configure and monitor the firewall and VPN connectivity of a
workstation or server from any Web browser. In the event of a breach, you have complete control over
access to the host PC independently of its operating system, even if the host PC has been subverted and is
denying normal administrator access.
All network filtering is handled entirely by the UTM Firewall appliance. This has the advantage over the
traditional approach of using a host-based personal software firewall and VPN service by not taxing the host
PC's resources.
Bridged mode
By default, the PCI appliance operates in bridged mode. This is distinctly different from the masquerading
behavior of UTM Firewall desktop and rack mount appliances.
In bridged mode, the PCI appliance uses two IP addresses. Note that these addresses are both in the same
subnet as the LAN, as no masquerading is being performed.
Note: It is possible to configure the UTM Firewall PCI appliance to run in masquerading mode. For more
information, refer to Masquerading page.
One IP address is used to manage the UTM Firewall appliance via the Management Console. The other is the
host PC's IP address, which is configurable through the host operating system, identically to a regular
Network Interface Card (NIC). This is the IP address that other PCs on the LAN see. It should be
dynamically (DHCP) or statically configured to use the same gateway and DNS settings as a regular PC on
the LAN.
LEDs
The rear panel contains LEDs indicating status. The two LEDs closest to the network port are network
activity (upper) and network link (lower). The two other LEDs are power (upper) and heart beat (lower).
Table 5 SG640 LED descriptions
Location | Activity | Description
Top right (Power) | On | Power is supplied to the appliance.
Bottom right (Heart beat) | Flashing | The appliance is operating correctly.
Bottom right (Heart beat) | On | If this LED is on and not flashing, an operating error has occurred.
Bottom right (Heart beat) | Off | If the power is on and the H/B light is off, either the Halt Now option is activated in preparation to power down safely, or an operating error has occurred.
Top left (Network activity) | Flashing | Data is being transmitted or received.
Bottom left (Network link) | On | The appliance is attached to the network.
Note: If the Heart Beat does not begin flashing shortly after power is supplied, refer to Recovering from a failed
upgrade.
Physical specifications
The following are the network link specifications:
• 10/100baseT Ethernet port
• Ethernet LEDs (link, activity)
The following are the environmental specifications:
• Status LEDs: Power, Heart Beat
• Operating temperature between 0° C and 40° C
• Storage temperature between -20° C and 70° C
• Humidity between 0 to 95% (non-condensing)
UTM Firewall Management Console
The features of your UTM Firewall appliance are configured and monitored using the UTM Firewall
Management Console. When you first browse to the Management Console, the Status page displays
(Figure 4). Here you can view the current system status of your UTM Firewall appliance. You can also view
the status of the UTM Firewall connections and the services that are running on it by selecting one of the
other two tabs that display on the Status page.
The menu displayed on the left side of every Management Console page is used to configure your UTM
Firewall appliance, or you can use the Quick Setup Wizard (see Chapter 2, Getting Started) and the guided
configurations. Once you have completed the initial configuration, you can continue the setup using the
Guided Configurations that are available from the lower pane of the page.
Figure 4 UTM Firewall Management Console - Status page
Note: Advanced users can customize the appearance of the console, and override the default HTML styles. To do
so, create the file localstyle.css in the /etc/config/ directory with the styles you prefer.
UTM Firewall menus
To navigate the UTM Firewall interface, click a menu option on the left-side of the screen. The available
menu options depend on the particular UTM Firewall appliance model and the firmware version currently
installed.
Your current menu selection is highlighted.
The UTM Firewall Management Console contains the following menus:
• Network Setup
• Firewall
• VPN
• System
The following tables provide brief descriptions of the tabs available under each menu option.
Table 6 Network Setup menu
Network Setup menu options | Description
Quick Setup | Opens the Quick Setup page for accessing the Quick Setup Wizard, the product registration links, and the guided configurations.
Network Setup | Opens the Connections, Failover & High Availability, Routes, DNS, and IPv6 tabs for configuring network-specific settings of the appliance. See: Network overview; Failover, load balancing, and high availability; Routes; DNS; IPv6.
DHCP Server | Opens the DHCP Server Configuration page for handing out IP addresses. See DHCP Server.
Web Cache | Opens the Web Cache pages for caching pages on the UTM Firewall appliance. See Web cache. Note: Not applicable to the SG310 or SG560 models.
Traffic Shaping | Opens the Traffic Shaping pages for enabling and configuring QoS (Quality of Service) traffic. See Traffic Shaping.
SIP | Opens the SIP (Session Initiation Protocol) Proxy page for enabling and configuring the SIP proxy. See SIP. Note: Not applicable to the SG310 model.
Table 7 Firewall menu
Firewall menu options | Description
Definitions | Opens the definitions pages for Service Groups, Addresses, and Interfaces. See Definitions.
Packet Filtering | Opens the Packet Filtering, Incoming Access, Custom Firewall Rules, and Custom IPv6 Firewall Rules tabs. See Packet filtering.
NAT | Opens NAT pages for Port Forwarding, Source NAT, 1 to 1 NAT, Masquerading, and UPnP Gateway. See NAT.
Connection Tracking | Opens the Connection Tracking page in which you can enable or disable specific options for connection tracking. Connection tracking keeps a record of packets that have passed through the appliance and how the packets are interrelated. See Connection tracking.
Intrusion Detection | Opens the configuration pages for Intrusion Detection and Prevention. See Intrusion Detection Systems. Note: Snort IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) features are not applicable to the SG310 or SG560 models. Basic IDB (Intrusion Detection and Blocking) is available on all UTM Firewall models.
Access Control | Opens the Authorizations pages for Access Control, ACL, Web Lists, Policy, and Web Filtering. See Access control.
Antivirus | Opens the Antivirus page where you can configure antivirus for email, Web downloads, and FTP. See Antivirus. Note: Not applicable to the SG310 or SG560 models.
Antispam | Opens the Antispam page for configuring reputation thresholds for SMTP mail. See Antispam (TrustedSource).
Table 8 VPN menu
VPN menu options | Description
PPTP | Opens the page for configuring the appliance as a PPTP VPN client or server. See PPTP VPN Client, and PPTP VPN Server.
L2TP | Opens the page for configuring the appliance as an L2TP VPN client or server. See L2TP VPN Client, and L2TP VPN Server.
IPSec | Opens the pages for configuring IP Security (IPSec). See IPSec VPN.
Port Tunnels | Opens the pages for configuring HTTP and SSL client and server port tunnels. See Port tunnels. Note: Not applicable to the SG310 model.
Table 9 System menu
System menu options | Description
Status | Opens high-level summaries of the general system, the unit’s connections, and the unit’s services. See Status menu.
System Setup | Opens the Device Settings, Security Policy, Memory Allocation and Date and Time configuration pages. See System Setup Menu.
Backup/Restore | Opens the Remote, Local, and Text options for Configuration Backup/Restore. See Backup/Restore menu.
Users | Opens the Administrative users pages where you can add or edit users and their permissions. See Users menu.
Management | Opens the Management page where you can configure how the UTM Firewall device is managed, such as through CMS or SNMP. See Management menu.
Diagnostics | Opens the Diagnostics page where you can view system information, system log information, perform network tests, view USB devices (SG565 only), and capture network traffic. See Diagnostics menu.
Advanced | Opens the advanced features for Reboot / Configuration such as Reboot, Flash Upgrade, upload and edit Configuration Files, and direct edit of Device Configuration. See Advanced menu.
Help and Support | Opens the Technical Support page, where you can find additional sources of information or report an issue if you have a support agreement. See Help and Support menu option.
Interface icons
The icons in the UTM Firewall Management Console provide navigation to Online Help pages, system status,
backup and restore pages, and editing pages for features.
Home icon
The home icon (Figure 5) is available from every page within the UTM Firewall Management Console.
Clicking the icon returns you to UTM Firewall home page where a high-level summary of the system’s status
is displayed.
Figure 5 Home icon
Logout icon
The logout icon (Figure 6) is available from every page within the UTM Firewall Management Console.
Clicking the icon logs you out and ends the current session.
Figure 6 Logout icon
Backup and restore icon
The backup and restore icon (Figure 7) is available from every page within the UTM Firewall Management
Console. Clicking the icon opens the Remote Configuration Backup/Restore page. For information on
backup and restore, see Remote Backup/Restore page.
Figure 7 Backup/Restore icon
Online help icon
To access context-sensitive help for the page you are currently viewing, click the help icon (Figure 8). For
more information about the Help and Support menu option, see Help and Support menu option.
Figure 8 Help icon
Edit and delete icons
Many of the pages in the UTM Firewall Management Console have icons with which you can edit or delete the
associated definition. Click the edit icon (Figure 9) associated with the item you want to edit.
Figure 9 Edit icon
You can click the delete icon (Figure 10) associated with the item you want to delete.
Figure 10 Delete icon
Add above and below icons
Certain pages within the Web console (the packet filtering and NAT rules pages, for example) have icons you
can use to add and manipulate the ordered list of objects within the pages.
The controls you use to manipulate rules (and policy routes as well) are labelled in Figure 11.
Figure 11 Rule object controls (labelled: Enable/disable checkbox, Move rule up/down arrow, Add above/below arrows)
The add above or below icon has plus (+) signs next to the arrows, indicating you are adding an object. The
arrow pointing upward adds the object above the current row selection; the arrow pointing downward adds
the object below the current row.
Many of the pages in the console also have enable or disable checkboxes. The enable checkbox is the
leftmost checkbox.
Tooltips
Hover your pointer over a control to view its tooltip (Figure 12).
Figure 12 Tooltip
Help and Support menu option
The Help and Support menu option provides access to the following pages:
• Online Help page
• Technical Support page
• Technical Support Report page
Online Help page
This page provides information about and access to the UTM Firewall online help. To go to the Online Help
page, from the System menu, click Help and Support. The Help tab appears (Figure 13).
Figure 13 Online Help Search page
To access context-sensitive help for the page you are currently viewing, click the help icon in the upper
right corner of the page. Help describes each field and provides acceptable input values where appropriate.
To search the entire help system, enter terms in the Keywords field and click Search. The search results
are displayed in the page. Click a link to view its associated topic. The Search field is available on every
help page.
Technical Support page
To access the technical support page, from the System menu, click Help and Support, then select the
Technical Support tab. The Technical Support page appears (Figure 14).
Figure 14 Technical Support page
This page provides information about the firmware release notes, links to the Knowledge Base and the
Support site, and a link that allows you to download the technical support report. The technical support
report is used to assist technical support staff with troubleshooting the configuration of your appliance.
When contacting Support, you should always download and attach a technical support report. See Technical
Support Report page for details.
Technical Support Report page
The Technical Support Report page is an important and invaluable resource for the technical support team
to use to analyze issues with your UTM Firewall appliance. If you experience an issue with your appliance,
and you need to contact the technical support team, always include the technical support report with your
support request. Without this report, the technical support staff are unlikely to have enough information to
assist you.
Security Alert: To maintain your security and privacy, the technical support report removes any confidential
information such as passwords and keys.
Tip: The technical support report should be generated when the issue is occurring. It should also be generated on
each of the appliances involved, and attached to the support request in plain text format.
To generate a technical support report:
1 From the System menu, click Help and Support, and then select the Technical Support Report tab.
The Technical Support Report page appears (Figure 15).
Figure 15 Technical Support Report page
2 [Optional] Select the Include full logs checkbox if you want to include all log entries in the Technical
Support Report. Otherwise, only the most recent log entries will be included.
3 Click Download.
4 Save the report as a text file.
5 Submit a support request and attach the technical support report in plain text format.
Chapter 2 Getting Started
Contents
Overview
Powering on the device
Connecting an administrative PC to the device
Setting password and LAN connection settings
Configuring the UTM Firewall switch
Confirming settings
Setting up the PCs on your LAN
Registering your UTM Firewall
Overview
This chapter walks you through the installation of your McAfee UTM Firewall device. These instructions
apply to the SG310, SG560U, SG565, SG580, and SG720 models. For instructions on installing an SG640,
refer to the McAfee UTM Firewall Quick Installation Guide for PCI Cards. Installing the UTM Firewall into a
well-planned network is quick and easy. To add your UTM Firewall device to your LAN (Local Area Network),
perform the following procedures:
1 Powering on the device
2 Connecting an administrative PC to the device
3 Configuring the UTM Firewall switch
4 Confirming settings
5 Setting up the PCs on your LAN
6 Registering your UTM Firewall
Note: These procedures assume you have a PC running Microsoft Windows (2000 or later) with an Ethernet
network interface card installed. You may need to be logged in with administrator privileges.
Powering on the device
Connect the power adapter to the device and apply the power. Use only the power adapter packaged with
the unit.
Check that the front panel System/Heart Beat (H/B) /TST lights, along with all other front panel LEDs,
flash when the device is running.
Note: If these LEDs do not behave in the above manner before your device is attached to the network, perform a
factory reset. Press the erase button on rear panel twice within three seconds, 1 second apart to restore factory
default settings. If the LEDs are still not flashing after 30 seconds, you may need to contact customer service.
Connecting an administrative PC to the device
1 Connect your administrative PC to the device:
• If you are setting up the SG310, attach your PC's network interface card directly to any LAN port on
the device using the supplied network cable.
• If you are setting up the SG560, SG560U, SG565 or SG580, attach your PC's network interface card
directly to any network port on switch A (A1 - A4) using the supplied network cable.
2 Launch your Web browser. At setup, the UTM Firewall device has an internal DHCP server option that
automatically resolves any DNS request with the UTM Firewall device’s own LAN IP address.
The UTM Firewall Quick Setup Wizard appears with the Set Administration Password dialog showing.
Note: If the UTM Firewall Management Console does not automatically appear (perhaps because you have no
home page established on your browser), navigate to 192.168.0.1. If you are unable to browse to the UTM
Firewall device at 192.168.0.1, or are not accepted, reset the device to the factory default by pressing the
erase button on the unit's rear panel twice within 3 seconds, 1 second apart. Wait 20 - 30 seconds, and then
try browsing to 192.168.0.1 again.
Setting password and LAN connection settings
1 Enter and confirm a new password for your UTM Firewall. This is the password for the user root, the main
administrative user account on the UTM Firewall. It is important to choose a password that is hard for
others to guess, and to keep the password safe.
The new password takes effect immediately. You are prompted to enter the new password when
completing the next step.
Click Submit. A logon prompt is displayed (Figure 16).
Figure 16 Logon prompt
2 Enter the user name root, and the password you created in Step 1.
Click OK. The Hostname dialog appears (Figure 17).
Figure 17 Quick Setup Wizard – Hostname dialog
3 Enter a Hostname to identify the device. The name must begin with an alpha character, and can consist
of letters, numbers, and dashes. The default is the model number.
Click Next. The LAN dialog appears (Figure 18).
Figure 18 Quick Setup Wizard – LAN dialog
4 Select an option for your LAN configuration:
• [Recommended] To manually configure your LAN and optionally enable the UTM Firewall's built-in
DHCP server, which automatically configures the network settings of PCs and other hosts on your LAN,
select Use a fixed IP.
• To use the UTM Firewall’s initial network settings as a basis for your LAN settings, and not use the UTM
Firewall's built-in DHCP server, select Skip.
• [Not recommended] If you have an existing DHCP server, and want to rely on the DHCP server to
automatically configure the UTM Firewall's LAN connection setting, choose Use an IP address from a
server on the LAN (DHCP).
Note: Changes to the UTM Firewall's LAN configuration do not take effect until you complete the quick setup
wizard.
Click Next.
• If you did not select Use a fixed IP configuration, skip to Step 6 on page 27.
• If you selected Use a fixed IP, the fixed IP configuration dialog appears (Figure 19). Continue to
Step 6 on page 27.
Figure 19 Quick Setup Wizard – fixed IP configuration dialog
5 Enter an IP address and Subnet Mask for the UTM Firewall's LAN connection. Take note of the IP
address and subnet mask; you will need them later on.
To enable the UTM Firewall's built-in DHCP server, enter both the start and end IP addresses of a
range of addresses in the DHCP Server Start and End Address fields. PCs and other hosts on your
LAN set to automatically obtain network settings are assigned an address from this range, and use the
UTM Firewall as their gateway to the Internet, and as their DNS server for Internet domain name
resolution.
Or, if you plan to use a DHCP server already on your LAN, leave the fields blank to leave the UTM
Firewall's DHCP server disabled.
Click Next.
• If you are not configuring an SG565, the ISP connection dialog appears (Figure 20). Continue to Step 6
on page 27.
• If you are configuring an SG565, the Wireless dialog appears. See Wireless for configuration details.
6 Select an option for your Internet Interface Configuration:
• Select Cable Modem if connecting using a cable modem.
• Select Modem if connecting using a regular analog modem.
• Select ADSL to attempt automatic detection of your ADSL connection type if connecting using an ADSL
modem.
• Select Direct Connection if you have a direct connection to the Internet (e.g., a leased line).
• Select Skip if your Internet connection is already configured, or you want to defer its configuration.
7 Click Next. The page that appears depends on the selection you made on the ISP Connection page:
• If you selected Cable Modem, see Connecting with a cable modem for configuration details.
• If you selected Modem, see Configuring a dialout connection on the COM port for configuration details.
• If you selected ADSL, see ADSL for configuration details.
The next dialog that appears depends on the UTM Firewall model you are setting up.
• If you are setting up an SG310, the Firewall page appears. Go to Selecting an initial firewall level.
• For all other models, the Switch Configuration page appears. Go to Configuring the UTM Firewall
switch.
• If you selected Skip, the next page that appears depends on the UTM Firewall model you are setting
up.
• If you are setting up an SG310, the Firewall page appears. Go to Selecting an initial firewall level.
• For all other desktop models, the Switch Configuration page appears. Go to Configuring the UTM
Firewall switch.
• If you selected Direct Connection, the direct connection dialog for choosing a dynamic or static
Internet interface appears (Figure 21). Continue to Step 8 on page 28.
Figure 21 Quick Setup Wizard – direct connection dialog
8 Select an option for the ISP connection.
• Select Use an IP address obtained from a server on the Internet (DHCP) if you plan to use a
DHCP server already in use on your LAN.
• [Recommended] Select Use a Fixed IP to manually configure the Internet address using static
parameters.
9 Click Next.
• If you chose Use an IP address obtained from a server on the Internet (DHCP), and you are
setting up an SG310, the Firewall page appears. Continue to Selecting an initial firewall level.
• For all other desktop models, the Switch Configuration page appears. Go to Configuring the UTM
Firewall switch.
• If you chose Use a Fixed IP, the direct connection page appears for configuring the Internet interface
(Figure 22).
Figure 22 Quick Setup Wizard – direct connection Internet interface dialog
10 Fill out the fields:
• In the IP Address field, enter the static IP address you want to apply to the WAN port of the appliance.
• Enter the Subnet Mask to use for the WAN port.
• [Optional] Set the default Gateway Address.
• [Optional] Set the IP address of the Domain Name Server (DNS).
11 Click Next.
• The Switch Configuration page appears for most models. In this case, go to Configuring the UTM
Firewall switch.
• If you are setting up an SG310, the Confirm Settings page appears. Go to Confirming settings.
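The wizard accepts whatever addresses you type, and a DHCP range that leases out the firewall's own LAN address, a gateway outside its own subnet, or a WAN subnet that overlaps the LAN only shows up later as an unreachable network. As an added example, not part of the UTM Firewall software or of this guide, the Python below checks the values for Step 3 (the hostname rule), Step 5 (LAN fixed IP and DHCP range) and Step 10 (fixed-IP Internet interface) against the rules the chapter states plus those addressing constraints, before they are entered. The function names, the dict keys and the sample WAN addresses (taken from the 203.0.113.0/24 documentation range) are constructed for this example; only the LAN default 192.168.0.1 and the rules quoted in the comments come from the chapter.

```python
import ipaddress
import re
from typing import List, Optional

# Step 3 rule: begins with an alpha character; letters, numbers and dashes.
HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def check_hostname(name: str) -> List[str]:
    """Return the problems found with the hostname (empty list means OK)."""
    if HOSTNAME_RE.match(name):
        return []
    return [f"hostname {name!r} must start with a letter and use only "
            "letters, digits and dashes"]


def _iface(ip: str, mask: str) -> ipaddress.IPv4Interface:
    # ipaddress accepts the dotted-quad mask the wizard collects, e.g.
    # "192.168.0.1/255.255.255.0".
    return ipaddress.IPv4Interface(f"{ip}/{mask}")


def check_lan(ip, mask, dhcp_start=None, dhcp_end=None) -> List[str]:
    """Validate Step 5: LAN fixed IP, subnet mask and optional DHCP range."""
    try:
        lan = _iface(ip, mask)
    except ValueError as exc:
        return [f"bad LAN address/mask: {exc}"]
    net = lan.network
    problems = []
    if lan.ip in (net.network_address, net.broadcast_address):
        problems.append(f"LAN IP {lan.ip} is the network/broadcast address of {net}")
    # Both DHCP fields blank leaves the built-in DHCP server disabled.
    if dhcp_start is None and dhcp_end is None:
        return problems
    if dhcp_start is None or dhcp_end is None:
        return problems + ["DHCP Start and End must both be set or both blank"]
    try:
        start, end = ipaddress.IPv4Address(dhcp_start), ipaddress.IPv4Address(dhcp_end)
    except ValueError as exc:
        return problems + [f"bad DHCP address: {exc}"]
    if start > end:
        problems.append(f"DHCP start {start} is after DHCP end {end}")
    for addr in (start, end):
        if addr not in net:
            problems.append(f"DHCP address {addr} is outside the LAN subnet {net}")
    # Clients use the firewall as gateway and DNS server, so its own address
    # must never be leased out.
    if start <= lan.ip <= end:
        problems.append(f"DHCP range {start}-{end} includes the firewall's LAN IP {lan.ip}")
    return problems


def check_wan(ip, mask, gateway=None, dns=None, lan_ip=None, lan_mask=None) -> List[str]:
    """Validate Step 10: WAN fixed IP, mask, optional gateway and DNS server."""
    try:
        wan = _iface(ip, mask)
    except ValueError as exc:
        return [f"bad WAN address/mask: {exc}"]
    problems = []
    if gateway is not None:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError as exc:
            problems.append(f"bad gateway address: {exc}")
        else:
            if gw not in wan.network:
                problems.append(f"gateway {gw} is not in the WAN subnet {wan.network}")
    if dns is not None:
        try:
            ipaddress.IPv4Address(dns)
        except ValueError as exc:
            problems.append(f"bad DNS address: {exc}")
    # Overlapping WAN and LAN subnets make routing ambiguous; compare with the
    # LAN values from Step 5 when the caller supplies them.
    if lan_ip is not None and lan_mask is not None:
        lan_net = _iface(lan_ip, lan_mask).network
        if wan.network.overlaps(lan_net):
            problems.append(f"WAN subnet {wan.network} overlaps LAN subnet {lan_net}")
    return problems


def check_quick_setup(cfg: dict) -> List[str]:
    """Run every check over a dict keyed like the wizard's fields."""
    return (check_hostname(cfg["hostname"])
            + check_lan(cfg["lan_ip"], cfg["lan_mask"], cfg.get("dhcp_start"), cfg.get("dhcp_end"))
            + check_wan(cfg["wan_ip"], cfg["wan_mask"], cfg.get("gateway"), cfg.get("dns"),
                        cfg["lan_ip"], cfg["lan_mask"]))


if __name__ == "__main__":
    # Constructed sample: LAN as shipped (192.168.0.1), WAN in the 203.0.113.0/24
    # documentation range; a real ISP assignment goes here.
    sample = {"hostname": "SG580", "lan_ip": "192.168.0.1", "lan_mask": "255.255.255.0",
              "dhcp_start": "192.168.0.100", "dhcp_end": "192.168.0.200",
              "wan_ip": "203.0.113.10", "wan_mask": "255.255.255.248", "gateway": "203.0.113.9"}
    print(check_quick_setup(sample) or "settings are consistent")
```

Each function returns a list of human-readable problems rather than raising, so all findings for one set of wizard answers are reported together; an empty list means the values are consistent with the chapter's rules.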
Configuring the UTM Firewall switch
The switch dialog displays if you are setting up the SG560, SG560U, SG565 or SG580. If you are setting
up a different model, skip to Selecting an initial firewall level.
By default, the UTM Firewall's switch A behaves as a conventional switching hub. However, it may be
configured so that each port behaves as if it were physically separate from the others.
Figure 23 Quick Setup Wizard – Switch dialog
1 Select a configuration for the UTM Firewall's switch (Figure 23).
• If you require multiple network segments, such as a DMZ, guest network, or second LAN; or if you
want to use multiple broadband Internet connections for Internet load balancing or Internet failover,
select 1 LAN Port, 3 Isolated Ports. Port A1 is used as the primary LAN connection.
• Otherwise, select 4 LAN Ports.
2 Click Next. The Firewall dialog appears (Figure 24).
Selecting an initial firewall level
UTM Firewall devices support packet filtering rules that can be used to restrict access to parts of your
network. The firewall dialog enables you to select a firewall level, and have the associated packet filtering
rules applied automatically. See Packet filtering.
Figure 24 Quick Setup Wizard – Firewall dialog
1 Select a Firewall Configuration option (Figure 24).
• Block Everything – Blocks all traffic that is not expressly allowed by a packet filtering rule.
• Ultra / VPN access – Allows VPN, Dialin and LAN traffic to move through the firewall. Denies all
Internet traffic.
• High / Web and VPN access – Allows VPN, Dialin, LAN, HTTP and HTTPS traffic to move through the
firewall. Denies other common traffic types.
• Medium / Common Internet access – Allows VPN, Dialin, LAN, HTTP, HTTPS, and most common
types of traffic to move through the firewall. Denies peer to peer (P2P) traffic unless that traffic is
tunneled through another protocol (such as P2P over HTTP).
• Low / All Internet access – Allows all Internet traffic to pass through the firewall.
2 Click Next. The Confirm settings dialog appears.