McAfee MAP-3300-SWG, Web Security Appliance 5.6.0 Product Manual

Page 1

Product Guide

McAfee Email and Web Security Appliances 5.6.0

Page 2

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 3

Contents

Preface 7

About this guide ..................................7

Optional components and related products ........................8

Working with your McAfee Email and Web Security Appliances ................9

Overview of Dashboard features 21

Dashboard ....................................21

Audience ..................................7

Conventions .................................7

Finding product documentation .........................8

Contact information ..............................8

The interface ................................10

Common tasks within the interface ....................... 12

Ports used by Email and Web Security Appliances .................16

Resources .................................17

Edit Preferences ...............................25

Graphs Edit Preferences ............................27

Overview of Reports features 29

Types of reports ..................................29

Scheduled Reports .................................30

Email Reports overview ...............................33

Interactive Reporting — Total view ....................... 37

Interactive Reporting — Time view .......................38

Interactive Reporting — Itemized view ......................38

Interactive Reporting — Detail view .......................39

Selection — Favorites .............................40

Selection — Filter ..............................40

Web Reports overview ...............................43

Interactive Reporting — Total view ....................... 46

Interactive Reporting — Time view .......................47

Interactive Reporting — Itemized view ......................47

Interactive Reporting — Detail view .......................48

Selection — Favorites .............................49

Selection — Filter ..............................49

System Reports ..................................52

Interactive Reporting — Detail view .......................54

Selection — Favorites .............................54

Selection — Filter ..............................55

Overview of Email features 59

Life of an email message ..............................59

Message Search ..................................62

Email Overview ..................................70

Email Configuration ................................ 71

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 4

Contents

Protocol Configuration ............................ 72

Receiving Email ...............................86

Sending Email ................................97

Email Policies ..................................101

Introduction to policies ............................101

Email Scanning Policies menu .........................103

About Protocol Presets ............................109

Email Scanning Policies ...........................109

Dictionaries ................................146

Registered Documents ............................155

Quarantine Configuration ..............................159

Quarantine Options .............................159

Quarantine Digest Options ..........................160

Digest Message Content ...........................161

Overview of Web features 163

Web Configuration ................................163

HTTP Connection Settings ...........................163

HTTP Protocol Settings ............................165

ICAP Connection Settings ...........................169

ICAP Authentication .............................171

ICAP Protocol Settings ............................172

FTP Connection Settings ...........................174

FTP Protocol Settings ............................175

Web Policies ...................................178

Introduction to policies ............................178

Web Scanning Policies ............................179

Dictionaries ................................197

Overview of System features 207

Appliance Management ..............................207

General ..................................207

DNS and Routing ..............................212

Time and Date ...............................214

Appliance Management — Remote Access ....................215

UPS Settings ................................219

Database Maintenance ............................222

Appliance Management — System Administration .................225

Default Server Settings ...........................232

Cluster Management ...............................233

Backup and Restore Configuration .......................233

Configuration Push .............................235

Load Balancing ...............................236

Resilient Mode ...............................239

Users, Groups and Services .............................240

Directory Services .............................240

Web User Authentication ...........................240

Policy Groups ...............................241

Role-Based User Accounts ..........................241

Virtual Hosting ..................................250

Virtual Hosts ................................250

Virtual Networks ..............................255

Certificate Management ..............................256

Certificates ................................256

Certificate Revocation lists (CRLs) .......................259

Logging, Alerting and SNMP .............................261

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 5

Contents

Email Alerting ...............................261

SNMP Alert Settings .............................268

SNMP Monitor Settings ............................268

System Log Settings ............................269

WebReporter ................................275

Logging Configuration ............................275

Component Management ..............................276

Update Status ...............................276

Package Installer ..............................282

ePO ...................................283

Setup Wizard ..................................284

Welcome .................................285

Overview of Troubleshoot features 311

Troubleshooting Tools ...............................311

Ping and Trace Route ............................312

System Load ................................312

Route Information .............................313

Disk Space ................................314

Troubleshooting Reports ..............................314

Minimum Escalation Report ..........................314

Capture Network Traffic ...........................315

Save Quarantine ..............................316

Log Files .................................316

Error Reporting Tool .............................318

Tests ......................................318

System Tests ...............................318

How appliances work with ePolicy Orchestrator 321

Configuring your appliance for ePolicy Orchestrator management 323

Managing your appliances from within ePolicy Orchestrator 325

Index 327

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 6

Page 7

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold Text that is strongly emphasized.

User input or Path Commands and other text that the user types; the path of a folder or program.

Code

User interface

Hypertext blue A live link to a topic or to a website.

A code sample.

Words in the user interface including options, menus, buttons, and dialog boxes.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system,

software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 8

Preface

Optional components and related products

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

Under Self Service, access the type of information you need:

To access... Do this...

User documentation

Click Product Documentation.

Select a Product, then select a Version.

Select a product document.

KnowledgeBase

• Click Search the KnowledgeBase for answers to your product questions.

• Click Browse the KnowledgeBase for articles listed by product and version.

Contact information

Use this information to contact McAfee.

To contact McAfee, either contact your local representative, or visit http://www.mcafee.com.

Optional components and related products

The appliances have several components and related products. Some components can be fully integrated into the appliances. Other products provide a central point for monitoring and managing several McAfee® products, including the appliances. The next table describes the optional components and related products. For more information, see the McAfee website.

Related products

The following McAfee products can be used with your McAfee® Email and Web Security Appliances product.

Component/ Product Description Compatible with type of

McAfee Quarantine Manager Consolidates quarantine

management for many McAfee products, including the appliances.

McAfee ePolicy Orchestrator Provides a central control point

for reporting activity on several appliances.

appliances

Email Email+Web

All

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 9

Working with your McAfee Email and Web Security Appliances

Auxiliary hardware

Some appliances include auxiliary hardware:

Auxiliary hardware Features Appliance

Accelerator card Higher throughput for HTTP

3400

protocol.

Fiber card Connection via optical fiber

3300, 3400

instead of copper wire.

Remote Access card Remote access and some

3300, 3400 management of the appliance. For example, the card can re-image the appliance remotely using a CD in another computer.

Your appliance has all auxiliary hardware pre-installed for the hardware and software combination that you have purchased.

Combinations of software and hardware

The following combinations of software and hardware are possible:

Preface

Appliance Combined Email and Web Email only Web only

3000 Yes No No

3100 Yes No No

3200 Yes No No

3300 Yes No No

3400 No Yes Yes

M3 Content

Yes Yes Yes

Security Blade Server

M7 Content

Yes Yes Yes

Security Blade Server

Virtual appliances

The McAfee® Email and Web Security Appliance software is also available as a virtual appliance, running within a VMware environment. It is available as the combined Email and Web version of the software.

Working with your McAfee Email and Web Security Appliances

This section describes important concepts to help you configure your McAfee® Email and Web Security Appliance.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 10

Preface

Working with your McAfee Email and Web Security Appliances

The interface

Use this page to get to know your way around the user interface.

The interface you see might look slightly different from that shown here, because it can vary depending on the appliance's hardware platform, software version, and language.

Refer

Option

ence

A Navigation bar

B User information bar

C Section icons

D Tab bar

E Support control buttons

F View control

G Content area

A — Navigation bar

The navigation bar contains four areas: user information, section icons, tab bar, and support controls.

B — User information bar

C — Section icons

The number of section icons depends on the software version that you are using. Click an icon to change the information in the content area and the tab bar. The icons include the following:

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 11

Working with your McAfee Email and Web Security Appliances

Icon Menu Features

Dashboard

Use this page to see a summary of the appliance. From this page you can access most of the pages that control the appliance.

Preface

Reports

Use the Reports pages to view events recorded on the appliance, such as viruses detected in email messages or during web access, and system activities such as details of recent updates and logins.

Use the Email pages to manage threats to email messages, quarantine of infected email, and other aspects of email configuration.

Web

Use the Web pages to manage threats to web downloads, and to manage other aspects of web configuration.

System

Troubleshoot

Use the System pages to configure various features on the appliance.

Use the Troubleshoot pages to diagnose any problems with the appliance.

D — Tab bar

The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what is displayed in the content area.

E — Support control buttons

The support control buttons are actions that apply to the content area.

Icon Description

Refreshes or updates the content.

Returns you to the previously viewed page. We recommend that you click this button, rather than your browser's Back button.

Appears when you configure something to allow you to apply your changes.

Appears when you configure something to allow you to cancel your changes.

Opens a window of Help information. Much of the information in this window also appears in the Product Guide.

F — View control

The view control button shows or hides a status window.

The status window, which appears in the bottom right of the interface, shows recent activity. New messages are added at the top of the window. If a message is blue and underlined, you can click the link to visit another page. You can also manage the window with its own Clear and Close links.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 12

Preface

Working with your McAfee Email and Web Security Appliances

G — Content area

The content area contains the currently active content and is where most of your interaction will be.

The changes that you make take effect after you click the green checkmark.

Common tasks within the interface

This section describes some common procedures for setting up, configuring, and managing your appliance.

Tasks

• Enabling each feature on page 12 To ensure good detection and best performance, some features on the appliance are on (enabled) by default, while others are off (disabled). Many dialog boxes and windows have an Enabled checkbox. To use any feature, make sure you have selected this checkbox.

• Making changes to the appliance's configuration on page 12 Use this task to make changes to the operation of the appliance.

Enabling each feature

To ensure good detection and best performance, some features on the appliance are on (enabled) by default, while others are off (disabled). Many dialog boxes and windows have an Enabled checkbox. To use any feature, make sure you have selected this checkbox.

Making changes to the appliance's configuration

Use this task to make changes to the operation of the appliance.

Task

In the navigation bar, click an icon. The blue tabs below the icons change to show the available features.

Click the tabs until you reach the page you need. To locate any page, examine the tabs, or locate the subject in the Help index. The location of the page is often described at the foot of the Help page. Example:

System | Appliance Management | Database Maintenance

On the page, select the options. Click the Help button (?) for information about each option.

Navigate to other pages as needed.

To save your configuration changes, click the green checkmark icon at the top right of the window.

In the Configuration change comment window, type a comment to describe your changes, then click OK. Wait a few minutes while the configuration is updated.

To see all your comments, select System | Cluster Management | Backup and Restore Configuration [+] Review Configuration Changes in the navigation bar.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 13

Working with your McAfee Email and Web Security Appliances

Preface

Using lists

The following information explains the use of lists within Email and Web Security Appliances.

Contents

Making and viewing lists Adding information to a list Removing single items from a list Removing many items from a list Changing information in a list Viewing information in a long list Ordering information in a list Ordering information alphabetically in a list

Making and viewing lists

Lists specify information such as domains, addresses and port numbers on many pages in the interface. You can add new items to a list, and delete existing items.

Although the number of rows and columns might vary, all lists behave in similar ways. In some lists, you can also import items from a prepared file, and change the order of the items. Not all lists have these actions. This section describes all the actions that are available in the interface.

Adding information to a list

Use this task to add information into a list within the user interface.

Task

Click Add below the list. A new row appears in the table. If this is your first item, a column of checkboxes appears on the left of the table. You might also see a Move column on the right of the table.

Type the details in the new row. Press Tab to move between fields.

For help with typing the correct information, move your cursor over the table cell, and wait for a

pop-up to appear. For more information, click

To save the new items immediately, click the green checkmark: .

Removing single items from a list

Some lists take a long time to create, and therefore you can delete only one entry at a time to prevent the accidental deletion of a lot of information.

Click the trashcan icon .

If the item cannot be deleted, the icon is unavailable:

Alternatively, do the following:

Task

Click the item to select it. The row turns pale blue.

Click Delete at the bottom of the list.

Removing many items from a list

On some long lists, you can remove many items quickly.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 14

Preface

Working with your McAfee Email and Web Security Appliances

Task

In the column of checkboxes on the left of the table, select each item. To select many items, select the checkbox in the table's heading row to select all the items, then deselect those that you want to keep.

Click Delete at the bottom of the list.

To save the new changes immediately, click the green checkmark:

Changing information in a list

Use this task to change hte information contained within a list within the user interface.

If an item cannot be changed, the icon is unavailable: .

Task

Click the edit icon

Click on the text, then delete or retype it.

To save the new changes immediately, click the green checkmark:

To cancel any recent changes, click the close button at the top right of the window:

Viewing information in a long list

If the list has many items, you might not be able to see them all at the same time.

Task

To determine the position of an item in the list or the size of the list, view the text at the bottom of the list, such as Items 20 to 29 of 40.

To move through the list or to move quickly to either end of the list, click the arrows at the bottom right of the list. (

Ordering information in a list

Some lists display items in priority order. The first item in the list is the highest priority, the last item is the lowest priority. To change the item's priority:

Task

Find the row that contains the item.

In the Move column (on the right of the table), click the upward or downward arrow:

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 15

Working with your McAfee Email and Web Security Appliances

Preface

Ordering information alphabetically in a list

When information is given in a list, you can sort the list alphabetically.

Task

•

To change the order:

• To force items in a column into alphabetical order, click the column heading. Items in other

columns are automatically sorted accordingly. An icon appears in the column heading to indicate that this column is sorted:

• To sort the information differently, click the other column headings.

• To reverse and restore the alphabetical order of the information within a single column, click the

icons in the column heading:

Importing and exporting information

Topics describing how to import and export information.

Contents

Importing prepared information Exporting prepared information

Importing prepared information

From some pages, you can import information from other devices, appliances, or software for use on the appliance, such as from a previously prepared comma-separated value (.csv).

Imported information normally overwrites the original information.

Table 1 Some formats for comma-separated value (.csv) files

Type of information Format Example

Domain D, domain, IP address D, www.example.com,

192.168.254.200

Network address N, IP address, IP subnet mask N, 192.168.254.200,

255.255.255.0

Email address E, email-address E, network_user@example.com

Each item in the file is on a single line.

Task

Click Import.

In the Import window, browse to the file. If further options are displayed in the dialog box, make the relevant choices based on the type of file or information you are importing.

Click Open to import the information from the file.

Exporting prepared information

From some pages, you can export information from the appliance for use on other devices, appliances, or software.

The information is generated in various forms, such as a .zip file, a .pdf, or a .csv file.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 16

Preface

Working with your McAfee Email and Web Security Appliances

Table 2 Some formats for comma-separated value (.csv) files

Type of information Format Example

Domain D, domain, IP address D, www.example.com,

192.168.254.200

Network address N, IP address, IP subnet mask N, 192.168.254.200,

255.255.255.0

Email address E, email-address E, network_user@example.com

Each item in the file is on a single line.

Task

Click Export.

In the Export window, follow the instructions to create the file.

Ports used by Email and Web Security Appliances

Use this topic to review the ports used by your McAfee Email and Web Security Appliance.

The appliance uses various ports to communicate with your network and other devices.

Table 3 Ports used by Email and Web Security Appliances

Use Protocol Port Number

Software updates FTP 21

Anti-virus HTTP

FTP

McAfee Global Threat

DNS 53

80 21

Intelligence file reputation

Anti-spam rules and streaming

HTTP 80

updates

Anti-spam engine updates FTP 21

McAfee Global Threat

SSL 443

Intelligence message reputation

McAfee Global Threat

SSL 443 Intelligence web reputation lookup

McAfee Global Threat

HTTP 80 Intelligence web reputation database update

Domain Name System (DNS) DNS 53

McAfee Quarantine Manager HTTP 80

Active directory 389

McAfee Global Threat

SSL 443 Intelligence feedback

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 17

Working with your McAfee Email and Web Security Appliances

Preface

Intercept ports

When operating in either of the transparent modes — transparent bridge mode or transparent router mode — the appliance uses the following intercept ports to intercept traffic to be scanned.

Table 4 Intercept ports

Protocol Port number

FTP 21

HTTP 80 or 8080

ICAP 1344

POP3 110

SMTP 25

Listening ports

The appliance typically uses the following ports to listen for traffic on each protocol. The appliance listens for traffic arriving on the designated ports. You can set up one or more listening ports for each type of traffic being scanned by your appliance.

Table 5 Typical listening ports

Protocol Port number

FTP 21

HTTP 80

ICAP 1344

POP3 110

SMTP 25

Ports used for ePolicy Orchestrator communication

When you configure your Email and Web Security Appliances to be managed by ePolicy Orchestrator®, or when you set ePolicy Orchestrator to monitor and report on your appliances, the following ports are used by default for communication between ePolicy Orchestrator and your appliances.

Table 6 ePolicy Orchestrator communication ports

Port usage Port number

Agent-to-server communication port

Agent-to-server communication secure port

Agent wake-up communication port

Agent broadcast communication port

Console-to-application server communication port

Client-to-server authenticated communication port

443 (when enabled)

8081 (default)

8082 (default)

8443

8444

Resources

This topic describes the information, links, and supporting files that you can find from the Resources dialog box.

Click Resources from the black information bar at the top of the Email and Web Security Appliance user interface.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 18

Preface

Working with your McAfee Email and Web Security Appliances

The Resources dialog box contains links to different areas or to files that you might need when setting up your appliance.

Link name Description

Technical support

Clicking this link takes you to the McAfee Technical Support ServicePortal login page (https://mysupport.mcafee.com/Eservices/Default.aspx).

From this page, you can search the KnowledgeBase, view product documentation and video tutorials, as well as access other technical support services.

Submit a sample

Virus Information Library

McAfee Spam Submission Tool

ePO Extensions

If you have a file that you believe to be malicious, but that your McAfee systems are not detecting, you can safely submit it to McAfee for further analysis.

Follow the Submit a sample link and either log on or register as a new user to access the McAfee Labs Tool to submit suspicious files.

Viruses are continually evolving, with new malicious files being developed daily. To find out more about particular viruses or other threats, follow the link to the McAfee Threat Center.

This free tool integrates into Microsoft Outlook and allows users to submit missed spam samples and email that was wrongly categorized as spam to McAfee Labs. McAfee Spam Submission Tool (MSST) version 2.2 can also be used with McAfee Secure Content Management appliances and McAfee Quarantine Manager to train the Bayesian database.

The tool supports automated blacklisting and whitelisting, and has an installer that supports automated script-based installations. Supported platforms: Windows 2000 and Windows XP with Microsoft Outlook 2000 or later.

The latest MSST and documents can be downloaded from the following location:

http://www.mcafee.com/us/enterprise/downloads/free_tools/index.html

Download the ePolicy Orchestrator extensions for Email and Web Security Appliances. This file contains both the EWG and the EWS extensions.

The EWG extension allows reporting from within ePolicy Orchestrator for the following products:

• Email and Web Security Appliances version 5.5

ePO 4.5 Help

SMI File

• Email and Web Security Appliances version 5.6

• McAfee Web Gateway

• McAfee Email Gateway

The EWS extension provides full ePolicy Orchestrator management for Email and Web Security Appliances version 5.6.

For you to use ePolicy Orchestrator for either reporting or management, the ePO extensions need to be installed on your ePolicy Orchestrator server.

Download the ePolicy Orchestrator Help extensions for the two ePO extensions listed above.

This file installs the Help extensions relating to the ePolicy Orchestrator extensions for Email and Web Security Appliances onto your ePolicy Orchestrator server.

Download the Structure of Managed Information (SMI) file for use with the Simple Network Management Protocol (SNMP).

This file provides information about the syntax used by the SNMP Management Information Base (MIB) file.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 19

Link name Description

MIB File

Download the MIB file for use with SNMP. This file is used to define the information that your Email and Web Security Appliance

can transmit using SNMP.

Working with your McAfee Email and Web Security Appliances

Preface

HP OpenView NNM Smart Plug-in Installer

Download the HP OpenView installer file to enable you to configure your Email and Web Security Appliance to communicate with HP OpenView.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 20

Page 21

Overview of Dashboard features

When you first open the browser, you see the Dashboard, which gives a summary of the activity of the appliance.

From this page you can access most of the pages that control the appliance.

Dashboard

The Dashboard provides a summary of the activity of the appliance.

Dashboard

Use this page to access most of the pages that control the appliance. On a cluster master appliance, use this page also to see a summary of activity on the cluster of appliances.

To change the view in any section, click Edit, which opens another window.

Benefits of using the Dashboard

The Dashboard provides a single location for you to view summaries of the activities of the appliance.

Depending on how you have your appliance configured, you can view information about:

• The email flowing through the appliance.

• The web traffic being scanned.

• The overall system health of the appliance.

• Current detection rates.

• The performance of your network.

• Email messages being queued by the appliance.

• The number of scanning policies that you have in place, separate by protocol.

You can also configure a list of links to tasks that you often use, providing you with a quick and easy method of moving to the correct area of the user interface.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 22

Overview of Dashboard features

Dashboard

The lower pane of this page displays key graphic information about performance of the appliance. Each of these dashboard panes can be customized to show the information that you need most often.

When you log on to the appliance, and as you work within its configuration pages, a dialog box appears up in the bottom-right hand corner of the screen to inform you of any recommended configuration changes, or give warning messages concerning the appliance operation or settings. For example, when you first set up the appliance, it warns you that it is operating as an open-relay.

Dashboard page

Dashboard panes

Option Definition

Email Detections and Web Detections

System Health

Current detection rates

Network

Email Queues

Displays the number of detections under each protocol. Click Edit to change the view in this window. Although you can choose not to display information about a protocol, the appliance continues to scan that traffic

Displays the status of important components and lets you change the settings of recommended system configuration changes:

• For Updates, a green checkmark indicates that the components will update itself automatically. To make a manual update, click the blue link

• For other components, a green checkmark indicates that the component is operating within acceptable limits. For more information, click the blue links

• To adjust the levels at which the warning and alert icons appear, and to change what the recommended configuration changes dialog box displays, click Edit

Displays the status of important detections by the appliance, using icons

Displays the number of connections under each protocol. Although you can deselect a protocol after clicking Edit, the appliance continues to handle that traffic

Displays the number of items, and the number of recipients for each queued item in the Queued, Quarantined, and Release requests queues maintained by the appliance, using icons. To visit the pages that manage the queues, click the blue links. To quickly search through email in the queues, click Quick search

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 23

Option Definition

Scanning Policies

Displays a list of the policies that the appliance is applying. Although you can deselect a protocol after clicking Edit, the appliance continues to apply policies to that traffic. To view the scanning policies or add more policies, click the blue links

Tasks

Load balancing

Displays a list of common tasks. To remove or reorganize the tasks, click Edit

On a master cluster appliance, displays the state of the cluster of appliances. To change the settings of the meter, click Edit

Graphs ...

Displays graphs that show appliance activity over time. Although you can deselect a protocol after clicking Edit, the appliance continues to monitor that traffic

Load balancing

This section is available only on a cluster master appliance or

management blade (on a Content Security Blade Server).

Option Definition

Email | Web

Message per hour

(Email)

Conversations per hour (Web)

Status

When clicked, the meter displays Message per hour (Email) or Conversations per hour (Web)

Displays the average throughput of the cluster, based on measurements taken every few minutes. If the cluster has twice as many scanning appliances, its throughput almost doubles too. Extra management activity consumes some of the processing power

Displays the status of the device:

Overview of Dashboard features

Dashboard

Scanning Device Type

Name

— Operating normally

— Needs attention

— Needs immediate attention

Displays the type of scanning device:

— Cluster Master

— Cluster Failover

— Email and Web Security Appliance

— Email Security Appliance

— Web Security Appliance

— Web Gateway Appliance

Displays the name of the appliance as configured

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 24

Overview of Dashboard features

Dashboard

Option Definition

State

Displays the current state of each appliance:

Network — Connected to the network

Redundant — The Cluster Failover device is not currently running but will take over if

the master cluster appliance fails

Install — Installing software

Synchronizing — Synchronizing with the cluster master

Boot — Booting

Shutdown — Shutting down

Malconfigured — Configuration file is faulty

Unconfigured — Not configured for load balancing

Disabled — Disabled by the user

Failed — No longer on the network. No heartbeat was detected

Fault — A fault has been detected on this appliance

Legacy — Not compatible for load balancing

Load

Active

Displays the average system load over a period of five minutes

Displays the number of active connections for each appliance. The row for the cluster master shows the total for all appliance

Connections

Displays the number of connections handled by each appliance since the counters were last reset

Component version information

Displays the versions of anti-spam and anti-virus DAT files. The version numbers are the same if the appliances are up-to-date. During updating, the values might be different. To see more information, move the cursor over the text and wait for a yellow box to appear

Counter behavior

All counters trigger once for every detection. For example, if a message contains two attachments that both contain viral content, the Viruses counter increments by two. The information in the following table applies to SMTP and POP3 statistics unless otherwise specified.

Table 7 Counter behavior

Counter Behavior

Messages

The SMTP counter increments once:

• When a TCP connection is made to the SMTP port on the appliance

• From the second <MAIL FROM> command if more than one email is received in the same SMTP conversation

The POP3 counter increments once for every message that the appliance downloads

Secure Messages

Increments once:

• When a STARTTLS command is issued over the standard SMTP port

• When the appliance intercepts the TLS conversation, from the second <MAIL

• When messages are sent over SMTPS

McAfee Email and Web Security Appliances 5.6.0 Product Guide

FROM> command if more than one email is received in the same SMTP conversation

Page 25

Table 7 Counter behavior (continued)

Counter Behavior

Blocked connections

Increments once for every SYN packet coming from an IP address that has triggered a Reject, close and deny (Block) action. The Real-time blackhole list (RBL) lookup feature is configured to perform this action by default for the next ten minutes. See Sender Authentication Settings — RBL Configuration on page 123

Viruses, PUPs, Compliance, and Data

Increment once for every detection, for example, if a message contains two attachments that both contain viral content, the Viruses counter increments by two

Loss Prevention

Spam and phish and

Increment once for every message that triggers the scanner

Sender authentication

Other

Increment once for every detection. Applies to messages filtered because of their size, those that fail anti-relay and directory harvest checks, and those that contain corrupt content, protected content, encrypted content, or signed content

Due to the way that Dashboard counters are aggregated, there is a slight difference between the information displayed in the dashboard and that returned in a scheduled report.

Overview of Dashboard features

Dashboard

Information about statistics shown in the Email Queues list

This information applies to the Queued, Quarantined, and Release requests queues:

• If one message is sent to two recipients and is queued for delivery (for example, because the onward MTA is down):

• The number of items in the queue will be 1 because the appliance received one message.

• The number of recipients will be 2 because the message has two recipients.

If you click on the Queued hyperlink, you see two items because there is one message for each recipient.

• If two messages are sent to one recipient and are queued for delivery (for example, because the onward MTA is down):

• The number of items in the queue will be 2 because the appliance received two messages.

• The number of recipients will be 2 because each message has one recipient.

If you click on the Queued hyperlink, you see two items.

Task — Turn off the McAfee Global Threat Intelligence feedback disabled warning

By default, the appliance displays a warning message if you have not enabled McAfee Global Threat Intelligence (GTI) feedback because McAfee considers it best practice to enable this form of communication.

On the appliance Dashboard, select Edit from the System Health area.

Deselect Show a warning if McAfee GTI feedback is not enabled.

Click OK.

Edit Preferences

Use this page to specify the type of status information, and tasks available from the Dashboard.

The information that you can specify using Edit on each dashboard area matches relates to the selected area of the appliance.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 26

Overview of Dashboard features

Dashboard

Dashboard | Edit Preferences

Use this page to set the protocols for which you want statistics, the counters that you want to display, and the reporting period. Choose from counters such as Messages, Secure Messages, Blocked connections, Viruses, PUPs, Spam and phish, Sender authentication, Compliance, Data Loss Prevention detections, and Other detections.

Dashboard | Web Detections | Edit

Use this page to select which protocols you want to report on, the counters you want to display on the Dashboard, and the reporting period. Choose from counters such as Requests, Viruses, PUPs, URL filtered, SiteAdvisor®, Compliance, and Other detections.

Dashboard | Current Detection Rates | Edit

Use this page to select the levels at which you want to receive a warning based on the number of threat detections. Two levels of severity are available: yellow and red. Choose from Virus detection rate, Blocked connection rate, Spam detection rate, Blocked URL rate, Other detection rate.

Dashboard | Network | Edit

Use this page to set the protocols for which you want to display connection and throughput information.

Dashboard | Email Queues | Edit

Use this page to select the levels at which you want to receive a warning based on the disk space taken up by quarantined and queued messages, maximum capacity of the quarantine location, the number of queued and quarantined messages, and the number of release from quarantine requests. Two levels of severity are available: yellow and red.

Dashboard | Scanning Policies | Edit

Use this page to set the protocols for which you want policies to display, and whether you want to see detailed policy information on the Dashboard.

On each page, you can reset the values to the default settings.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 27

Overview of Dashboard features

Dashboard

Dashboard | System Health | Edit

Use this page to select the levels at which you want to receive a warning based on load average, memory swap rate, disk usage, attempts to use inefficient dictionary regex, the last anti-virus, anti-spam, and URL filtering definition update. Two levels of severity are available: yellow and red.

To stop receiving notifications that the appliance is an open relay, if web-based user authentication needs more setup or when you have not configured McAfee Global Threat Intelligence feedback, click Edit in the System Health area, and deselect the relevant warnings.

Dashboard | Tasks | Edit

Use this page to specify the tasks that you want to be available directly from the Dashboard, and change their position in the list.

If you change the reporting period, that change is reflected across all status sections.

Graphs Edit Preferences

Use this page to configure graphs to display on the Dashboard.

Dashboard | Graphs | Edit

Option Definition

Protocols By default, all the protocols are selected.

Counters By default, all the counters are selected. This option is not applicable to

Network Graphs.

Thresholds (Email timeline graph only)

Reporting period By default, the period is the past week.

Display thresholds on the Email timeline graphs.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 28

Page 29

Overview of Reports features

This topic provides an overview of the features within the Email and Web Security Appliances that relate to reporting the activities of the appliance.

Reports

Contents

Types of reports Scheduled Reports Email Reports overview Web Reports overview System Reports

Types of reports

You can generate reports either on your appliance, your ePolicy Orchestrator server, or externally.

System | Logging, Alerting and SNMP

Reports

Use the external methods to keep the reported events over a longer period of time than that offered by the reporting options on the appliance itself. Use features available from System | Logging, Alerting and SNMP, or McAfee ePolicy Orchestrator to send data to generate reports externally.

Table 8 External reporting options

External report generation option

System log System | Logging, Alerting and SNMP. Supports the common event formats for

SNMP System | Logging, Alerting and SNMP. Supports the SNMP Alert Settings and SNMP Monitor

Email Alerting System | Logging, Alerting and SNMP | Email Alerting. You can configure Email Alerting

Definition

Splunk and ArcSight.

Settings options. The MIB file can be downloaded from the Resources tab available from the appliances toolbar.

to alert specified people about different events that occur on your appliance.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 30

Overview of Reports features

Scheduled Reports

Table 8 External reporting options (continued)

External report

Definition

generation option

McAfee ePolicy Orchestrator

Use ePolicy Orchestrator to generate reports about multiple appliances and security software within your organization, such as information about the total number of viruses detected within your organization.

McAfee Web Reporter System | Logging, Alerting and SNMP. Generates reports about Uniform Resource

Locator (URL) filtering activities. See the McAfee Web Reporter Product Guide, available from the McAfee download site.

Use the appliance Dashboard to see high-level event statistics. Use the options in Reports to produce regular and real-time reports on the following types of events on the appliance.

Table 9 Reporting options on the appliance

Report type Definition

Scheduled reports Reports — Set up regular activity overview (by protocol, threat type, and

detection), email detections, web detections, and system event reports and send them to other administrators.

Email reports Reports — Create and view information about threats detected in the email passing

through your appliance, and the subsequent actions taken by the appliance.

Web reports Reports — Create and view information about threats detected in the web activity

on your appliance, and the subsequent actions taken by the appliance.

System reports Reports — Create and view information about threat detection updates, and

system events.

Scheduled Reports

Use this page to see a list of the available reports about threats that the appliance has detected.

Reports | Scheduled Reports

You can view the reports, send reports immediately to other people, or schedule reports to be sent at regular intervals.

Benefits of creating Scheduled Reports

Keeping up-to-date with threat detection statistics and system activity, and sharing that information is vital. The Scheduled Reports option has some default report types already set up for you, or you can customize their content or frequency, or even create new report types as necessary. The resulting reports can be sent by email immediately, or at regular intervals to other people in your organization in a variety of formats, such as PDF, HTML, or text.

You must enable the default reports to run automatically. To do so, select the report type from the list of available reports, and click Edit. On the Edit Report dialog box, click Enable scheduled delivery.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 31

Table 10 Report types

Option Definition

Overview

Lists the number of detections by protocol, and type of threat, and provides details about the types of detection made per protocol

• Email security summary (inbound) shows the % and number of messages to internal users that were delivered or blocked because a threat was detected

• Email security summary (outbound) shows the % and number of messages to external users that were delivered or blocked because a threat was detected

• Email traffic flow provides information relating to the flow of messages in to, and out of the organization

Email security trend

•

• Email volume trends (inbound and outbound) provides information relating to the amount of messages coming in to, and going out of the organization

• Email size trends (inbound and outbound) provides information relating to the size of the messages coming in to, and going out of the organization

• Average number of emails displays the average number of messages sent in to, or out of the organization for one day, or more

Overview of Reports features

Scheduled Reports

Web

System

Favorite

• Users activity lists internal or external users who send or receive the most blocked or monitored messages

• Top detections lists top virus, potentially unwanted programs, and spam, or phish detections, and sender authentication failures

• Web security summary shows the % and number of web queries that were completed, or blocked because a threat was detected

• Web traffic summary provides information relating to the number of protected, monitored, or legitimate web query detections

• Top detections lists top virus or potentially unwanted program detections

• Users activity lists the users who visit the most blocked, or monitored web pages

Web traffic flow

•

Web security trend

•

• Disk utilization provides information relating to the used and available space on the disk for items such as the log and quarantine partitions

• Disk utilization trends shows the % utilization of each partition in graph format

Click Edit to choose from a list of pre-defined report types for email, web and system reports, and optionally send the report to other people in your organization daily, weekly, or monthly. Any new favorite reports that you created in the Email Interactive Reports, or Web Interactive Reports section are available from here too.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 32

Overview of Reports features

Scheduled Reports

User interface option definitions

Option Definition

Name

Displays the name of the report. By default, the list includes some standard reports, which you cannot delete.

The icon indicates the type of content in that report:

— Overview, such as numbers of overall detections.

— Email activity

— Web activity

— System activity such as disk usage.

— A choice of popular reports.

Description

Displays the title that appears on the first page of the report, the scheduling information, and a list of the recipients.

When clicked, generates the report, then allows you to download it for viewing in a

Download

browser or saving as a file.

When clicked, generates the report, then immediately sends it to the recipients. Any

Email Now

regular schedule is not affected.

— If the icon is disabled, the schedule has not been set. Double-click the icon,

then specify the details under Delivery Schedule.

New report

When clicked, lets you create a new report, which is an exact copy of an existing report. A dialog box prompts you for further information:

• Report name, which appears under the Name column on this page.

• Report title, which appears at the top of the report.

When you click OK, you return to the main page. There you can select the new report, click the icon under Edit, and design your own report.

When the icon is clicked, enables you to change the schedule, content, format and

Edit

delivery information of the selected report.

When the icon is clicked, deletes the selected report.

Delete

Task — See the number of detections by protocol and threat type over the last week

Select Reports | Scheduled Reports.

From the list of report types, select Overview, and click Edit.

In the Edit Report dialog box, set the Reporting period to 1 week.

Click OK, and apply the changes to the appliance.

Click Download to generate the report.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 33

Overview of Reports features

Email Reports overview

Task — Send your manager an email activity report in PDF format every Monday at

10.00am

Select Reports | Scheduled Reports.

From the list of report types, select Email, and click Edit.

In the Edit Report dialog box, click Enable scheduled delivery.

Set the Report sent option to Weekly and choose Monday from the drop-down menu.

Click New Recipient, type myboss@examplecompany.com.

Click OK, and apply the changes to the appliance.

Task — Send the web administrator a Web activity report in HTML format every day at 5.00pm

Select Reports | Scheduled Reports.

From the list of report types, select Web, and click Edit.

In the Edit Report dialog box, click Enable scheduled delivery.

Set the Report sent option to Daily, and set the At option to 17:00.

In Sender and recipient details, type webadministrator@examplecompany.com.

Select Advanced options, and set the Document format option to HTML.

Click OK, and apply the changes.

Task — Send the email administrator a report that shows virus detections in email messages over the last week

Select Reports | Scheduled Reports.

From the list of report types, select Favorite, and click Edit.

In Sender and recipient details, type emailadministrator@examplecompany.com.

Select Report content, and select the Top Viruses report.

Click OK, and apply the changes.

Click Email Now.

Email Reports overview

Use this page to create and view real-time reports about threats detected in the email passing through your appliance, and the subsequent actions taken by the appliance.

Reports | Email Reports

You can generate a report based on a set of predefined filters, or edit the filters, test the results, and save the report as a new report.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 34

Overview of Reports features

Email Reports overview

Benefits of creating email reports

To keep your email infrastructure running at optimal levels, you need access to up-to-date information about threats detected in the email flowing through the appliance. Generate email reports to get information such as:

• Ttypes of threats detected, such as viruses, or spam and phishing messages.

• Messages that had to have an action taken upon them.

• Messages that were prevented from entering or leaving your network.

• Individual sender activity.

Additionally, use the Email Reports feature with the Scheduled Reports feature to create regular reports, and send them immediately to other people, or at regular intervals.

You can compile a list of, for example, blocked email messages using the Message Search feature (Email | Message Search). Message Search cannot locate messages if the appliance has not received the message body, such as messages blocked by the Real-time Blackhole Lists (RBLs). In this situation, use the Email Reports feature to find out about an individual message.

Introduction to the Email Reports page

Email Reports contains several sub-pages, accessed from the tabs beneath Email Interactive Reporting and Selection.

There are four tabs beneath Email Interactive Reporting that each provide different views on a report's results. See View types:

Total view

•

Time view

•

Itemized view

•

Detail view

•

There are two pages beneath Selection:

• Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See Report types.

• Filter enables you to further define the data in each Favorite report using standard and advanced filter settings, and set the period of time for which you want to retrieve data. See Filter types.

View types

Each report that you generate can be presented in one of the following views:

Type of View Definition

Total view

Time view

Itemized view

Detail view

Displays results in a bar chart and table format for each action

Displays results in a bar chart and table format over the time specified. Results are shown in periods of ten minutes for hourly reports, by the hour for 24 hour reports, every six hours for weekly reports, twelve hours for fortnightly reports, or daily for monthly reports.

Displays results in a pie chart and table format for each filter criteria, or for all filters.

Displays all results in a table format. Results are shown for each detection in the report results.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 35

Overview of Reports features

Email Reports overview

Report types

The appliance comes with a set of reports with pre-defined filters available from the Favorites tab. You can run these reports immediately, or edit them using standard and advanced settings and save as a new favorite report to run again in the future, then make it available in the Scheduled Reports feature.

To see the default settings in each report, hold your mouse cursor to the left of a report name.

Table 11 Option definitions

Option Definition

Email Overview

Email Profile

Top Spam Senders

Top Viruses

Legitimate

Monitored

Modified

Rerouted

Blocked

Displays results in Total view by default. Results show the number of legitimate, monitored, modified, rerouted, or blocked messages processed over the previous day.

Displays results in Itemized view by default. Results show the number of items detected for each filter selection over the previous week.

Displays results in Itemized view by default. Results are filtered using the Spam/Phish category by default, and show the spam or phish (or both) messages by sender over the previous 24 hours.

Displays results in Itemized view by default. Results are filtered using the Viruses category by default, and show the viruses detected over the previous week, or results for a specific threat that you specify.

Displays results in Time view by default. Results show the number of messages categorized as Legitimate (that is, delivered with no detection or modification) for all threat categories over the previous 24 hours.

Displays results in Time view by default. Results show the number of messages for all threat categories over the previous 24 hours that triggered an event log but were delivered with no modification.

Displays results in Time view by default. Results show the number of modified messages (for example, cleaned or replaced with an alert message) for all threat categories over the previous 24 hours.

Displays results in Time view by default. Results show the number of messages routed to another server (for example, an encryption server) for all threat categories over the previous 24 hours.

Displays results in Time view by default. Results show the number of inbound or outbound messages stopped by the appliance for all threat categories over the previous 24 hours.

Filter types

Each report allows you to filter the results by standard and advanced criteria.

Table 12 Option definitions — Email Reports filter options

Option Definition

Period and Ending

Protocol

Traffic

Displays information for a period from one hour to one month, based on the selected start date.

When clicked, the Previous and Next buttons adjust the From date, for example, moving it to next week or the previous day.

Displays the protocols you want to view, such as SMTP.

Displays traffic, whether inbound or outbound. In a simple network, you might see reports on compliancy for outbound traffic and

reports on spam for inbound traffic.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 36

Overview of Reports features

Email Reports overview

Table 12 Option definitions — Email Reports filter options (continued)

Option Definition

Sender

Displays information about one sender, such as user@example.com When selected, the advanced options, Source domain and Source ID, further specify

the sender's domain or IP address, such as server1.example.com and

192.168.254.200.

Recipient

Action

Category

Detection

Virus/PuPs

Show Advanced

Displays information about one recipient, such as user@example.com When selected, the advanced options, Destination domain and Destination ID,

further specify the recipient's domain or IP address, such as server1.example.com and 192.168.254.200.

Enables you to filter reports on specific actions, such as Legitimate or Blocked. Examples: To view information about one sender or recipient, type:

<user@example.com>

The name is wrapped with chevron characters.

To view information about all senders' names that begin with b or B, type:

<b*

To view information about all senders' names that begin with b, B, e, or E, type:

<b*, <e*

Displays information about a single type of detection, such as spam or virus. If the selection is not All, you see further choices. For example, if you select Content, you can further select Mail Size.

Extra categories appear here if you have installed any optional software.

Top Spam Senders report only. Choose whether the report should contain results for spam senders, phish senders, or both.

Top Viruses report only. Type the name of the virus or potentially unwanted program to get detection results for that specific threat.

When clicked, shows the options below. To hide the options again, click Hide Advanced.

Source Domain

Source IP

Destination Domain

Destination IP

Audit ID

Filter traffic based on the domain that the messages are being sent from.

Filter traffic based on the IP address that the messages are being sent from.

Filter traffic based on the domain that the messages are being sent to.

Filter traffic based on the IP address that the messages are being sent to.

As traffic passes through the appliance it can have an Audit ID assigned. Use this field to filter traffic with a specific Audit ID.

Policy

Provides a selection of policies.

Task — Generate an email activity overview for a particular sender

Use this task to:

• Create a report that shows global email activity in the previous 24 hours

• Filter those results to show the activity of a particular sender

• Save the report as a new favorite report to be run again in the future

• Set up a schedule to send the report regularly to the email administrator

Subtask — Run a standard email activity report

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 37

Click Reports | Email Reports.

From the Favorites list, select the Email Overview (last 24h) report.

Click Run report to generate a report for all users.

Overview of Reports features

Email Reports overview

Subtask — Filter the data for a particular sender and save the report as a new favorite report

Click Filter.

In Sender, type sender@examplecompany.com and click Apply to filter the data for that sender.

Click Save, type a name for the report, and click OK. The report appears in the list of Favorites.

Subtask — Set up a schedule to send the report regularly to the email administrator

Click Reports | Scheduled Reports.

In the list of available report documents, select Favorite, and click Edit.

Select Enable scheduled delivery, and set the report to run Daily at 17:00 hours.

Type the email administrator address.

Click Report content.

In the list of favorite reports, select the report that you created, click OK, and apply the changes to the appliance.

Task — Show me the top viruses detected over the previous week

Use this task to show the total number of viruses detected in the previous week, and analyze the data using different report views.

Click Reports | Email Reports.

From the Favorites list, select the Top Viruses report, and click Filter.

Click Apply to run the report.

Select Time view to see the action that was taken on each message broken down into eight hour periods.

Select Detail view to see further information such as policy details, and the source IP address for each message.

Interactive Reporting — Total view

Use this page to see the actions that the appliance has taken against threats over the period specified under Filter.

Reports | Email Reports | Email Interactive Reporting | Total View

Reports | Web Reports | Web Interactive Reporting | Total View

The information is displayed in a horizontal bar chart. If you see no information, click Apply on the Filter tab, or change the period and click Apply.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 38

Overview of Reports features

Email Reports overview

For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).

Table 13 Option definitions

Option Definition

Action

Displays the list of actions taken by the appliance’s policies against each email message or web access.

Number of email messages

Displays the number of email messages or web accesses where this action was applied.

Interactive Reporting — Time view

Use this page to see the actions that the appliance has taken against threats over the period specified under Filter.

Reports | Email Reports | Email Interactive Reporting | Time View

Reports | Web Reports | Web Interactive Reporting | Time View

The information is displayed in a vertical bar chart, and organized into small intervals. For example, a weekly report shows activity in whole 6-hour portions of each day. If you see no information, click Apply on the Filter tab, or change the period and click Apply.

You might not be able to view some older data, because the appliance’s log is regularly purged.

For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).

Table 14 Option definitions

Option Definition

Start

Displays the start of the period, such as on the hour.

Legitimate to Blocked Displays the numbers of email messages or web accesses corresponding to each

action in that period. If Action is not set to All, most columns have values of 0.

Interactive Reporting — Itemized view

Use this page to see the details of every detected threat.

Reports | Email Reports | Email Interactive Reporting | Itemized View

Reports | Web Reports | Web Interactive Reporting | Itemized View

The information is displayed in a pie chart.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 39

Overview of Reports features

Email Reports overview

If you see no information, click Apply on the Filter tab, or change the period and click Apply.

For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).

Table 15 Option definitions

Option Definition

Pie chart Displays the percentage of all email or web accesses that match the criteria

selected in the Filter tab. The orange portion of the pie shows the portion of the data that matches the

criteria. The green portion shows the remainder. If no filtering is set, the whole pie appears orange.

Filter criteria

Displays the list of categories taken against the email message or web access. Click any blue link for more information represented as a bar chart.

To return to the pie chart, click List all criteria. To examine the information further, click any blue links.

As you click each link, values in the Filter tab are updated. Click Apply to display the pie chart again.

Number of distinct

Displays the number of email messages or web accesses where each criteria applies.

criteria items within the selection

Interactive Reporting — Detail view

Use this page to see the details of every detected threat, such as the exact time and IP address of each detection that the appliance has handled.

Reports | Email Reports | Email Interactive Reporting | Detail View

Reports | Web Reports | Web Interactive Reporting | Detail View

Reports | System Reports | System Interactive Reporting | Detail View

Information includes any threat in the email messages or IP addresses. The information is displayed in a table.

If you see no information, click Apply on the Filter tab, or change the period and click Apply.

For information about the Filter or Favorites section on the right, click its tab, then click the Help button (?).

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 40

Overview of Reports features

Email Reports overview

Table 16 Option definitions

Option Definition

Date and other headings

Displays the details of each email message or web access. To see all columns, move the horizontal scroll bar.

To sort the data in any column, click the column heading. The most recently sorted column is indicated by a red arrow in the column heading.

Data

Click the blue link to see further information about an email message — in a table or as raw data (that is, in an XML-like format).

To move through the list or to move quickly to either end of the list, click the arrows at the bottom right of the list.

Selection — Favorites

Use this page to run an existing favorite report immediately, or build a list of links to reports that you have already saved.

Reports | Email Reports | Selection | Favorites

Reports | Web Reports | Selection | Favorites

Reports | System Reports | Selection | Favorites

Table 17 Option definitions

Option Definition

Name

Run report

Edit

Delete

Displays the name of each report that you have saved.

When clicked, opens the selected report and displays it to the left of the screen.

Opens the Filter page from where you can change the settings, test the report results, and save the report criteria into a new favorite report.

Removes that Favorite report from the list, and from the reports available in Scheduled Reports.

Selection — Filter

Use this section of the page to refine or “filter” the information in the report.

Reports | Email Reports | Selection | Filter

Reports | Web Reports | Selection | Filter

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 41

Overview of Reports features

Email Reports overview

Reports | System Reports | Selection | Filter

For example, you can see information about one user’s visits to undesirable websites on Tuesday of last week, or about viruses from all sources in the last month. Make your selections, then click Apply. The new report might take a while to appear. You can save these selections to produce a similar report at any time. or clear the selections you made.

Table 18 Option definitions — Email Reports filter options

Option Definition

Period and Ending

Displays information for a period from one hour to one month, based on the selected start date.

When clicked, the Previous and Next buttons adjust the From date, for example, moving it to next week or the previous day.

Protocol

Traffic

Sender

Recipient

Action

Displays the protocols you want to view, such as SMTP.

Displays traffic, whether inbound or outbound. In a simple network, you might see reports on compliancy for outbound traffic and

reports on spam for inbound traffic.

Displays information about one sender, such as user@example.com When selected, the advanced options, Source domain and Source ID, further specify

the sender's domain or IP address, such as server1.example.com and

192.168.254.200.

Displays information about one recipient, such as user@example.com When selected, the advanced options, Destination domain and Destination ID,

further specify the recipient's domain or IP address, such as server1.example.com and 192.168.254.200.

Enables you to filter reports on specific actions, such as Legitimate or Blocked. Examples: To view information about one sender or recipient, type:

<user@example.com>

The name is wrapped with chevron characters.

To view information about all senders' names that begin with b or B, type:

<b*

To view information about all senders' names that begin with b, B, e, or E, type:

<b*, <e*

Category

Extra categories appear here if you have installed any optional software.

Detection

Top Spam Senders report only. Choose whether the report should contain results for

spam senders, phish senders, or both.

Virus/PuPs

Top Viruses report only. Type the name of the virus or potentially unwanted program to

get detection results for that specific threat.

Show Advanced

When clicked, shows the options below. To hide the options again, click Hide Advanced.

Source Domain

Filter traffic based on the domain that the messages are being sent from.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 42

Overview of Reports features

Email Reports overview

Table 18 Option definitions — Email Reports filter options (continued)

Option Definition

Source IP

Destination Domain

Destination IP

Audit ID

Filter traffic based on the IP address that the messages are being sent from.

Filter traffic based on the domain that the messages are being sent to.

Filter traffic based on the IP address that the messages are being sent to.

As traffic passes through the appliance it can have an Audit ID assigned. Use this field to filter traffic with a specific Audit ID.

Policy

Provides a selection of policies.

Table 19 Option definitions — Web Reports filter options

Option Definition

Period and Ending Displays information for a period from one hour to one month, based on the

selected start date. When clicked, the Previous and Next buttons adjust the From date, for example,

moving it to next week or the previous day.

Protocol

User login

URL

Action

Category

Show Advanced

Source domain

Source IP

Destination domain

Destination IP

Audit ID

Action

Policy

Category

Displays the protocols you want to view, such as HTTP.

Displays information about one user. When selected, the advanced options, Source domain and Source IP, further specify the

domain or IP address, such as server1.example.com and 192.168.254.200.

Displays information about URL (web address), such as example.com. When selected, the advanced options, Destination domain and Destination ID, further

specify the recipient's domain or IP address, such as server1.example.com and

192.168.254.200.

Displays information about the action taken against the threats, for example, threats that were blocked or only monitored. The menu does not offer the choice of legitimate web accesses because they are too numerous.

Displays information about specific categories of traffic, for example, Viruses or URL Filtering. The menu does not offer the choice of legitimate web accesses because they are too numerous.

When clicked, shows the options below. To hide the options again, click Hide Advanced.

Filter traffic based on the domain that the traffic is being sent from.

Filter traffic based on the IP address that the traffic is being sent from.

Filter traffic based on the domain that the traffic is being sent to.

Filter traffic based on the IP address that the traffic is being sent to.

As traffic passes through the appliance it can have an Audit ID assigned. Use this field to filter traffic with a specific Audit ID.

Enables you to filter reports on specific actions, such as Legitimate or Blocked.

Provides a selection of policies.

Extra categories appear here if you have installed any optional software.

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 43

Overview of Reports features

Table 20 Option definitions — System Reports filter options

Option Definition

Period and Ending Displays information for a period from one hour to one month, based on the

selected start date. When clicked, the Previous and Next buttons adjust the From date, for example,

moving it to next week or the previous day.

Web Reports overview

Event type

Event

Reason

Displays reports about particular event types. For example, issues concerning the Network.

Select individual events based on the chosen Event type.

Select individual reasons based on the chosen Event.

Web Reports overview

Use this page to create and view real-time reports about threats detected in the web activity on your appliance, and the subsequent actions taken by the appliance.

Reports | Email Reports

You can generate a report based on a set of pre-defined filters, or edit the filters, test the results, and save the report as a new report.

Benefits of creating web reports

To keep your web infrastructure running at optimal levels, you need access to up-to-date information about threats detected in the web traffic flowing through the appliance. Generate web reports to get information such as:

• The types of threats detected, such as viruses, or packers

• Web requests that had to have an action taken upon them

• URLs that were blocked or monitored

• Individual employee activity

Additionally, use the Web Reports feature with the Scheduled Reports feature to create regular reports, and send them immediately to other people, or at regular intervals.

Introduction to the Web Reports page

Web Reports contains several sub-pages, accessed from the tabs beneath Web Interactive Reporting and Selection.

There are four tabs beneath Web Interactive Reporting that each provide different views on a reports results. See View types:

Total view

•

Time view

•

Itemized view

•

Detail view

•

There are two pages beneath Selection:

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 44

Overview of Reports features

Web Reports overview

• Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See Report types.

View types

Each report that you generate can be presented in one of the following views:

Type of View Definition

Total view

Time view

Itemized view

Detail view

Displays results in a bar chart and table format for each action

Displays results in a pie chart and table format for each filter criteria, or for all filters.

Displays all results in a table format. Results are shown for each detection in the report results.

Report types

To see the default settings in each report, hold your mouse cursor to the left of a report name.

Table 21 Option definitions

Option Definition

Top URL List

Detail view

Monitored

Modified

Blocked

Blocked (SiteAdvisor)

Displays results in Itemized view by default. Results show top 15 blocked websites processed over the previous 24 hours

Displays results in Detail view by default. Results show information about blocked websites identified over the previous 24 hours

Displays results in Time view by default. Results show the web requests that triggered an event log, but were allowed to continue over the previous 24 hours

Displays results in Time view by default. Results show the web requests from which the appliance removed a threat before delivering it successfully over the previous 24 hours

Displays results in Time view by default. Results show the web requests that were stopped and replaced by an alert because the appliance detected a threat such as a virus or packer over the previous 24 hours

Displays results in Total view by default. Results show the web requests blocked by the McAfee SiteAdvisor program due to a detected threat over the previous 24 hours

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Page 45

Overview of Reports features

Web Reports overview

Filter types

Each report allows you to filter the results by standard and advanced criteria.

Table 22 Option definitions — Web Reports filter options