McAfee MAP-3300-SWG, Web Security Appliance 5.6.0 Product Manual

Product Guide
McAfee Email and Web Security Appliances 5.6.0
COPYRIGHT
Copyright © 2010 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents
Preface
  About this guide
    Audience
    Conventions
    Finding product documentation
    Contact information
  Optional components and related products
  Working with your McAfee Email and Web Security Appliances
    The interface
    Common tasks within the interface
    Ports used by Email and Web Security Appliances
    Resources
Overview of Dashboard features
  Dashboard
    Edit Preferences
    Graphs Edit Preferences
Overview of Reports features
  Types of reports
  Scheduled Reports
  Email Reports overview
    Interactive Reporting — Total view
    Interactive Reporting — Time view
    Interactive Reporting — Itemized view
    Interactive Reporting — Detail view
    Selection — Favorites
    Selection — Filter
  Web Reports overview
    Interactive Reporting — Total view
    Interactive Reporting — Time view
    Interactive Reporting — Itemized view
    Interactive Reporting — Detail view
    Selection — Favorites
    Selection — Filter
  System Reports
    Interactive Reporting — Detail view
    Selection — Favorites
    Selection — Filter
Overview of Email features
  Life of an email message
  Message Search
  Email Overview
  Email Configuration
    Protocol Configuration
    Receiving Email
    Sending Email
  Email Policies
    Introduction to policies
    Email Scanning Policies menu
    About Protocol Presets
    Email Scanning Policies
    Dictionaries
    Registered Documents
  Quarantine Configuration
    Quarantine Options
    Quarantine Digest Options
    Digest Message Content
Overview of Web features
  Web Configuration
    HTTP Connection Settings
    HTTP Protocol Settings
    ICAP Connection Settings
    ICAP Authentication
    ICAP Protocol Settings
    FTP Connection Settings
    FTP Protocol Settings
  Web Policies
    Introduction to policies
    Web Scanning Policies
    Dictionaries
Overview of System features
  Appliance Management
    General
    DNS and Routing
    Time and Date
    Appliance Management — Remote Access
    UPS Settings
    Database Maintenance
    Appliance Management — System Administration
    Default Server Settings
  Cluster Management
    Backup and Restore Configuration
    Configuration Push
    Load Balancing
    Resilient Mode
  Users, Groups and Services
    Directory Services
    Web User Authentication
    Policy Groups
    Role-Based User Accounts
  Virtual Hosting
    Virtual Hosts
    Virtual Networks
  Certificate Management
    Certificates
    Certificate Revocation lists (CRLs)
  Logging, Alerting and SNMP
    Email Alerting
    SNMP Alert Settings
    SNMP Monitor Settings
    System Log Settings
    WebReporter
    Logging Configuration
  Component Management
    Update Status
    Package Installer
    ePO
  Setup Wizard
    Welcome
Overview of Troubleshoot features
  Troubleshooting Tools
    Ping and Trace Route
    System Load
    Route Information
    Disk Space
  Troubleshooting Reports
    Minimum Escalation Report
    Capture Network Traffic
    Save Quarantine
    Log Files
    Error Reporting Tool
  Tests
    System Tests
How appliances work with ePolicy Orchestrator
Configuring your appliance for ePolicy Orchestrator management
Managing your appliances from within ePolicy Orchestrator
Index
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses the following typographical conventions and icons.
Convention | Meaning
Book title or Emphasis | Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold | Text that is strongly emphasized.
User input or Path | Commands and other text that the user types; the path of a folder or program.
Code | A code sample.
User interface | Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue | A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Finding product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2. Under Self Service, access the type of information you need:

To access... | Do this...
User documentation |
  1. Click Product Documentation.
  2. Select a Product, then select a Version.
  3. Select a product document.
KnowledgeBase |
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.
Contact information
Use this information to contact McAfee.
To contact McAfee, either contact your local representative, or visit http://www.mcafee.com.
Optional components and related products
The appliances have several components and related products. Some components can be fully integrated into the appliances. Other products provide a central point for monitoring and managing several McAfee® products, including the appliances. The next table describes the optional components and related products. For more information, see the McAfee website.
Related products
The following McAfee products can be used with your McAfee® Email and Web Security Appliances product.
Component/Product | Description | Compatible with type of appliances
McAfee Quarantine Manager | Consolidates quarantine management for many McAfee products, including the appliances. | Email, Email+Web
McAfee ePolicy Orchestrator | Provides a central control point for reporting activity on several appliances. | All
Auxiliary hardware
Some appliances include auxiliary hardware:
Auxiliary hardware | Features | Appliance
Accelerator card | Higher throughput for HTTP protocol. | 3400
Fiber card | Connection via optical fiber instead of copper wire. | 3300, 3400
Remote Access card | Remote access and some management of the appliance. For example, the card can re-image the appliance remotely using a CD in another computer. | 3300, 3400
Your appliance has all auxiliary hardware pre-installed for the hardware and software combination that you have purchased.
Combinations of software and hardware
The following combinations of software and hardware are possible:
Appliance | Combined Email and Web | Email only | Web only
3000 | Yes | No | No
3100 | Yes | No | No
3200 | Yes | No | No
3300 | Yes | No | No
3400 | No | Yes | Yes
M3 Content Security Blade Server | Yes | Yes | Yes
M7 Content Security Blade Server | Yes | Yes | Yes
Virtual appliances
The McAfee® Email and Web Security Appliance software is also available as a virtual appliance, running within a VMware environment. It is available as the combined Email and Web version of the software.
Working with your McAfee Email and Web Security Appliances
This section describes important concepts to help you configure your McAfee® Email and Web Security Appliance.
The interface
Use this page to get to know your way around the user interface.
The interface you see might look slightly different from that shown here, because it can vary depending on the appliance's hardware platform, software version, and language.
Reference | Option
A | Navigation bar
B | User information bar
C | Section icons
D | Tab bar
E | Support control buttons
F | View control
G | Content area
A — Navigation bar
The navigation bar contains four areas: user information, section icons, tab bar, and support controls.
B — User information bar
C — Section icons
The number of section icons depends on the software version that you are using. Click an icon to change the information in the content area and the tab bar. The icons include the following:
Menu | Features
Dashboard | Use this page to see a summary of the appliance. From this page you can access most of the pages that control the appliance.
Reports | Use the Reports pages to view events recorded on the appliance, such as viruses detected in email messages or during web access, and system activities such as details of recent updates and logins.
Email | Use the Email pages to manage threats to email messages, quarantine of infected email, and other aspects of email configuration.
Web | Use the Web pages to manage threats to web downloads, and to manage other aspects of web configuration.
System | Use the System pages to configure various features on the appliance.
Troubleshoot | Use the Troubleshoot pages to diagnose any problems with the appliance.
D — Tab bar
The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what is displayed in the content area.
E — Support control buttons
The support control buttons are actions that apply to the content area.
Icon Description
Refreshes or updates the content.
Returns you to the previously viewed page. We recommend that you click this button, rather than your browser's Back button.
Appears when you configure something to allow you to apply your changes.
Appears when you configure something to allow you to cancel your changes.
Opens a window of Help information. Much of the information in this window also appears in the Product Guide.
F — View control
The view control button shows or hides a status window.
The status window, which appears in the bottom right of the interface, shows recent activity. New messages are added at the top of the window. If a message is blue and underlined, you can click the link to visit another page. You can also manage the window with its own Clear and Close links.
G — Content area
The content area contains the currently active content and is where most of your interaction will be.
The changes that you make take effect after you click the green checkmark.
Common tasks within the interface
This section describes some common procedures for setting up, configuring, and managing your appliance.
Tasks
• Enabling each feature: To ensure good detection and best performance, some features on the appliance are on (enabled) by default, while others are off (disabled). Many dialog boxes and windows have an Enabled checkbox. To use any feature, make sure you have selected this checkbox.
• Making changes to the appliance's configuration: Use this task to make changes to the operation of the appliance.
Enabling each feature
To ensure good detection and best performance, some features on the appliance are on (enabled) by default, while others are off (disabled). Many dialog boxes and windows have an Enabled checkbox. To use any feature, make sure you have selected this checkbox.
Making changes to the appliance's configuration
Use this task to make changes to the operation of the appliance.
Task
1. In the navigation bar, click an icon. The blue tabs below the icons change to show the available features.
2. Click the tabs until you reach the page you need. To locate any page, examine the tabs, or locate the subject in the Help index. The location of the page is often described at the foot of the Help page. Example:
   System | Appliance Management | Database Maintenance
3. On the page, select the options. Click the Help button (?) for information about each option.
4. Navigate to other pages as needed.
5. To save your configuration changes, click the green checkmark icon at the top right of the window.
6. In the Configuration change comment window, type a comment to describe your changes, then click OK. Wait a few minutes while the configuration is updated.
7. To see all your comments, select System | Cluster Management | Backup and Restore Configuration [+] Review Configuration Changes in the navigation bar.
Using lists
The following information explains the use of lists within Email and Web Security Appliances.
Contents
• Making and viewing lists
• Adding information to a list
• Removing single items from a list
• Removing many items from a list
• Changing information in a list
• Viewing information in a long list
• Ordering information in a list
• Ordering information alphabetically in a list
Making and viewing lists
Lists specify information such as domains, addresses and port numbers on many pages in the interface. You can add new items to a list, and delete existing items.
Although the number of rows and columns might vary, all lists behave in similar ways. In some lists, you can also import items from a prepared file, and change the order of the items. Not all lists have these actions. This section describes all the actions that are available in the interface.
Adding information to a list
Use this task to add information into a list within the user interface.
Task
1. Click Add below the list. A new row appears in the table. If this is your first item, a column of checkboxes appears on the left of the table. You might also see a Move column on the right of the table.
2. Type the details in the new row. Press Tab to move between fields.
3. For help with typing the correct information, move your cursor over the table cell, and wait for a pop-up to appear. For more information, click [icon].
4. To save the new items immediately, click the green checkmark.
Removing single items from a list
Some lists take a long time to create, and therefore you can delete only one entry at a time to prevent the accidental deletion of a lot of information.
Click the trashcan icon.
If the item cannot be deleted, the icon is unavailable.
Alternatively, do the following:
Task
1. Click the item to select it. The row turns pale blue.
2. Click Delete at the bottom of the list.
Removing many items from a list
On some long lists, you can remove many items quickly.
Task
1. In the column of checkboxes on the left of the table, select each item. To select many items, select the checkbox in the table's heading row to select all the items, then deselect those that you want to keep.
2. Click Delete at the bottom of the list.
3. To save the new changes immediately, click the green checkmark.
Changing information in a list
Use this task to change the information contained in a list within the user interface.
If an item cannot be changed, the icon is unavailable.
Task
1. Click the edit icon.
2. Click on the text, then delete or retype it.
3. To save the new changes immediately, click the green checkmark.
4. To cancel any recent changes, click the close button at the top right of the window.
Viewing information in a long list
If the list has many items, you might not be able to see them all at the same time.
Task
1. To determine the position of an item in the list or the size of the list, view the text at the bottom of the list, such as Items 20 to 29 of 40.
2. To move through the list or to move quickly to either end of the list, click the arrows at the bottom right of the list.
Ordering information in a list
Some lists display items in priority order. The first item in the list is the highest priority, the last item is the lowest priority. To change the item's priority:
Task
1. Find the row that contains the item.
2. In the Move column (on the right of the table), click the upward or downward arrow.
Ordering information alphabetically in a list
When information is given in a list, you can sort the list alphabetically.
Task
To change the order:
• To force items in a column into alphabetical order, click the column heading. Items in other columns are automatically sorted accordingly. An icon appears in the column heading to indicate that this column is sorted.
• To sort the information differently, click the other column headings.
• To reverse and restore the alphabetical order of the information within a single column, click the icons in the column heading.
Importing and exporting information
Topics describing how to import and export information.
Contents
• Importing prepared information
• Exporting prepared information
Importing prepared information
From some pages, you can import information from other devices, appliances, or software for use on the appliance, such as from a previously prepared comma-separated value (.csv) file.
Imported information normally overwrites the original information.
Table 1 Some formats for comma-separated value (.csv) files
Type of information | Format | Example
Domain | D, domain, IP address | D, www.example.com, 192.168.254.200
Network address | N, IP address, IP subnet mask | N, 192.168.254.200, 255.255.255.0
Email address | E, email-address | E, network_user@example.com
Each item in the file is on a single line.
Task
1. Click Import.
2. In the Import window, browse to the file. If further options are displayed in the dialog box, make the relevant choices based on the type of file or information you are importing.
3. Click Open to import the information from the file.
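Because imported information normally overwrites the original list, it helps to check a prepared file against the Table 1 layouts before clicking Import. The following pre-import check is an added example, not part of the McAfee guide or product. The name validate_import, the IPv4-only and hostname rules, the duplicate check, and the sample lines are assumptions; the appliance's own acceptance rules are not documented here.

```python
import ipaddress
import re

# Field layouts taken from Table 1: record type letter, then its fields.
LAYOUTS = {
    "D": ("domain", "ip"),
    "N": ("ip", "mask"),
    "E": ("email",),
}

# Assumed hostname rule: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_domain(value):
    labels = value.rstrip(".").split(".")
    return len(value) <= 253 and len(labels) >= 2 and all(
        _LABEL.match(label) for label in labels
    )


def _is_ip(value):
    # Assumption: IPv4 only, matching the examples in Table 1.
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _is_mask(value):
    # A subnet mask must be contiguous one-bits followed by zero-bits.
    if not _is_ip(value):
        return False
    inverted = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def _is_email(value):
    local, sep, domain = value.rpartition("@")
    return bool(sep) and bool(local) and " " not in local and _is_domain(domain)


CHECKS = {"domain": _is_domain, "ip": _is_ip, "mask": _is_mask, "email": _is_email}


def validate_import(text):
    """Return (records, errors); errors are (line number, message) pairs."""
    records, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # ignore blank lines
        fields = [field.strip() for field in raw.split(",")]
        kind, values = fields[0], fields[1:]
        layout = LAYOUTS.get(kind)
        if layout is None:
            errors.append((lineno, f"unknown record type {kind!r}"))
            continue
        if len(values) != len(layout):
            errors.append(
                (lineno, f"type {kind} needs {len(layout)} field(s), got {len(values)}")
            )
            continue
        bad = [name for name, value in zip(layout, values) if not CHECKS[name](value)]
        if bad:
            errors.append((lineno, "invalid " + ", ".join(bad)))
            continue
        key = (kind, *(value.lower() for value in values))
        if key in seen:
            errors.append((lineno, "duplicate entry"))
            continue
        seen.add(key)
        records.append((kind, *values))
    return records, errors


# Constructed sample: the first three lines are the Table 1 examples,
# the rest are deliberately malformed to show what gets rejected.
SAMPLE = """\
D, www.example.com, 192.168.254.200
N, 192.168.254.200, 255.255.255.0
E, network_user@example.com
N, 192.168.254.0, 255.0.255.0
D, www.example.com
X, something
E, network_user@example.com
D, bad_host!.example.com, 192.168.254.201
"""

if __name__ == "__main__":
    good, problems = validate_import(SAMPLE)
    print(f"{len(good)} valid record(s)")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```

Import the file only when the error list is empty, and export the current list first so the overwritten entries can be restored.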
Exporting prepared information
From some pages, you can export information from the appliance for use on other devices, appliances, or software.
The information is generated in various forms, such as a .zip file, a .pdf, or a .csv file.
Table 2 Some formats for comma-separated value (.csv) files
Type of information | Format | Example
Domain | D, domain, IP address | D, www.example.com, 192.168.254.200
Network address | N, IP address, IP subnet mask | N, 192.168.254.200, 255.255.255.0
Email address | E, email-address | E, network_user@example.com
Each item in the file is on a single line.
Task
1. Click Export.
2. In the Export window, follow the instructions to create the file.
Ports used by Email and Web Security Appliances
Use this topic to review the ports used by your McAfee Email and Web Security Appliance.
The appliance uses various ports to communicate with your network and other devices.
Table 3 Ports used by Email and Web Security Appliances
Use | Protocol | Port Number
Software updates | FTP | 21
Anti-virus | HTTP, FTP | 80, 21
McAfee Global Threat Intelligence file reputation | DNS | 53
Anti-spam rules and streaming updates | HTTP | 80
Anti-spam engine updates | FTP | 21
McAfee Global Threat Intelligence message reputation | SSL | 443
McAfee Global Threat Intelligence web reputation lookup | SSL | 443
McAfee Global Threat Intelligence web reputation database update | HTTP | 80
Domain Name System (DNS) | DNS | 53
McAfee Quarantine Manager | HTTP | 80
Active directory | | 389
McAfee Global Threat Intelligence feedback | SSL | 443
Intercept ports
When operating in either of the transparent modes — transparent bridge mode or transparent router mode — the appliance uses the following intercept ports to intercept traffic to be scanned.
Table 4 Intercept ports
Protocol Port number
FTP 21
HTTP 80 or 8080
ICAP 1344
POP3 110
SMTP 25
Listening ports
The appliance typically uses the following ports to listen for traffic on each protocol. The appliance listens for traffic arriving on the designated ports. You can set up one or more listening ports for each type of traffic being scanned by your appliance.
Table 5 Typical listening ports
Protocol Port number
FTP 21
HTTP 80
ICAP 1344
POP3 110
SMTP 25
Ports used for ePolicy Orchestrator communication
When you configure your Email and Web Security Appliances to be managed by ePolicy Orchestrator®, or when you set ePolicy Orchestrator to monitor and report on your appliances, the following ports are used by default for communication between ePolicy Orchestrator and your appliances.
Table 6 ePolicy Orchestrator communication ports
Port usage | Port number
Agent-to-server communication port | 80
Agent-to-server communication secure port | 443 (when enabled)
Agent wake-up communication port | 8081 (default)
Agent broadcast communication port | 8082 (default)
Console-to-application server communication port | 8443
Client-to-server authenticated communication port | 8444
Resources
This topic describes the information, links, and supporting files that you can find from the Resources dialog box.
Click Resources from the black information bar at the top of the Email and Web Security Appliance user interface.
The Resources dialog box contains links to different areas or to files that you might need when setting up your appliance.
Link name | Description
Technical support | Clicking this link takes you to the McAfee Technical Support ServicePortal login page (https://mysupport.mcafee.com/Eservices/Default.aspx). From this page, you can search the KnowledgeBase, view product documentation and video tutorials, as well as access other technical support services.
Submit a sample | If you have a file that you believe to be malicious, but that your McAfee systems are not detecting, you can safely submit it to McAfee for further analysis. Follow the Submit a sample link and either log on or register as a new user to access the McAfee Labs Tool to submit suspicious files.
Virus Information Library | Viruses are continually evolving, with new malicious files being developed daily. To find out more about particular viruses or other threats, follow the link to the McAfee Threat Center.
McAfee Spam Submission Tool | This free tool integrates into Microsoft Outlook and allows users to submit missed spam samples and email that was wrongly categorized as spam to McAfee Labs. McAfee Spam Submission Tool (MSST) version 2.2 can also be used with McAfee Secure Content Management appliances and McAfee Quarantine Manager to train the Bayesian database. The tool supports automated blacklisting and whitelisting, and has an installer that supports automated script-based installations. Supported platforms: Windows 2000 and Windows XP with Microsoft Outlook 2000 or later. The latest MSST and documents can be downloaded from the following location: http://www.mcafee.com/us/enterprise/downloads/free_tools/index.html
ePO Extensions | Download the ePolicy Orchestrator extensions for Email and Web Security Appliances. This file contains both the EWG and the EWS extensions.
  The EWG extension allows reporting from within ePolicy Orchestrator for the following products:
  • Email and Web Security Appliances version 5.5
  • Email and Web Security Appliances version 5.6
  • McAfee Web Gateway
  • McAfee Email Gateway
  The EWS extension provides full ePolicy Orchestrator management for Email and Web Security Appliances version 5.6.
  For you to use ePolicy Orchestrator for either reporting or management, the ePO extensions need to be installed on your ePolicy Orchestrator server.
ePO 4.5 Help | Download the ePolicy Orchestrator Help extensions for the two ePO extensions listed above. This file installs the Help extensions relating to the ePolicy Orchestrator extensions for Email and Web Security Appliances onto your ePolicy Orchestrator server.
SMI File | Download the Structure of Managed Information (SMI) file for use with the Simple Network Management Protocol (SNMP). This file provides information about the syntax used by the SNMP Management Information Base (MIB) file.
MIB File | Download the MIB file for use with SNMP. This file is used to define the information that your Email and Web Security Appliance can transmit using SNMP.
HP OpenView NNM Smart Plug-in Installer | Download the HP OpenView installer file to enable you to configure your Email and Web Security Appliance to communicate with HP OpenView.
Overview of Dashboard features
When you first open the browser, you see the Dashboard, which gives a summary of the activity of the appliance.
From this page you can access most of the pages that control the appliance.
Dashboard
The Dashboard provides a summary of the activity of the appliance.
Dashboard
Use this page to access most of the pages that control the appliance. On a cluster master appliance, use this page also to see a summary of activity on the cluster of appliances.
To change the view in any section, click Edit, which opens another window.
Benefits of using the Dashboard
The Dashboard provides a single location for you to view summaries of the activities of the appliance.
Depending on how you have your appliance configured, you can view information about:
• The email flowing through the appliance.
• The web traffic being scanned.
• The overall system health of the appliance.
• Current detection rates.
• The performance of your network.
• Email messages being queued by the appliance.
• The number of scanning policies that you have in place, separated by protocol.
You can also configure a list of links to tasks that you often use, providing you with a quick and easy method of moving to the correct area of the user interface.
The lower pane of this page displays key graphic information about performance of the appliance. Each of these dashboard panes can be customized to show the information that you need most often.
When you log on to the appliance, and as you work within its configuration pages, a dialog box appears in the bottom-right corner of the screen to inform you of any recommended configuration changes, or to give warning messages concerning the appliance operation or settings. For example, when you first set up the appliance, it warns you that it is operating as an open relay.
Dashboard page
Dashboard panes
Option Definition
Email Detections and Web Detections
Displays the number of detections under each protocol. Click Edit to change the view in this window. Although you can choose not to display information about a protocol, the appliance continues to scan that traffic.
System Health
Displays the status of important components and lets you change the settings of recommended system configuration changes:
• For Updates, a green checkmark indicates that the component will update itself automatically. To make a manual update, click the blue link.
• For other components, a green checkmark indicates that the component is operating within acceptable limits. For more information, click the blue links.
• To adjust the levels at which the warning and alert icons appear, and to change what the recommended configuration changes dialog box displays, click Edit.
Current detection rates
Displays the status of important detections by the appliance, using icons.
Network
Displays the number of connections under each protocol. Although you can deselect a protocol after clicking Edit, the appliance continues to handle that traffic.
Email Queues
Displays the number of items, and the number of recipients for each queued item in the Queued, Quarantined, and Release requests queues maintained by the appliance, using icons. To visit the pages that manage the queues, click the blue links. To quickly search through email in the queues, click Quick search.
Scanning Policies
Displays a list of the policies that the appliance is applying. Although you can deselect a protocol after clicking Edit, the appliance continues to apply policies to that traffic. To view the scanning policies or add more policies, click the blue links.
Tasks
Displays a list of common tasks. To remove or reorganize the tasks, click Edit.
Load balancing
On a master cluster appliance, displays the state of the cluster of appliances. To change the settings of the meter, click Edit.
Graphs ...
Displays graphs that show appliance activity over time. Although you can deselect a protocol after clicking Edit, the appliance continues to monitor that traffic.
Load balancing
This section is available only on a cluster master appliance or management blade (on a Content Security Blade Server).
Option Definition
Email | Web
When clicked, the meter displays Message per hour (Email) or Conversations per hour (Web)
Message per hour (Email)
Conversations per hour (Web)
Displays the average throughput of the cluster, based on measurements taken every few minutes. If the cluster has twice as many scanning appliances, its throughput almost doubles too. Extra management activity consumes some of the processing power
Status
Displays the status of the device:
— Operating normally
— Needs attention
— Needs immediate attention
Scanning Device Type
Displays the type of scanning device:
— Cluster Master
— Cluster Failover
— Email and Web Security Appliance
— Email Security Appliance
— Web Security Appliance
— Web Gateway Appliance
Name
Displays the name of the appliance as configured
State
Displays the current state of each appliance:
Network — Connected to the network
Redundant — The Cluster Failover device is not currently running but will take over if the master cluster appliance fails
Install — Installing software
Synchronizing — Synchronizing with the cluster master
Boot — Booting
Shutdown — Shutting down
Malconfigured — Configuration file is faulty
Unconfigured — Not configured for load balancing
Disabled — Disabled by the user
Failed — No longer on the network. No heartbeat was detected
Fault — A fault has been detected on this appliance
Legacy — Not compatible for load balancing
Load
Displays the average system load over a period of five minutes
Active
Displays the number of active connections for each appliance. The row for the cluster master shows the total for all appliances
Connections
Displays the number of connections handled by each appliance since the counters were last reset
Component version information
Displays the versions of anti-spam and anti-virus DAT files. The version numbers are the same if the appliances are up-to-date. During updating, the values might be different. To see more information, move the cursor over the text and wait for a yellow box to appear
Counter behavior
All counters trigger once for every detection. For example, if a message contains two attachments that both contain viral content, the Viruses counter increments by two. The information in the following table applies to SMTP and POP3 statistics unless otherwise specified.
Table 7 Counter behavior
Counter Behavior
Messages
The SMTP counter increments once:
• When a TCP connection is made to the SMTP port on the appliance
• From the second <MAIL FROM> command if more than one email is received in the same SMTP conversation
The POP3 counter increments once for every message that the appliance downloads
Secure Messages
Increments once:
• When a STARTTLS command is issued over the standard SMTP port
• When the appliance intercepts the TLS conversation, from the second <MAIL FROM> command if more than one email is received in the same SMTP conversation
• When messages are sent over SMTPS
Blocked connections
Increments once for every SYN packet coming from an IP address that has triggered a Reject, close and deny (Block) action. The Real-time blackhole list (RBL) lookup feature is configured to perform this action by default for the next ten minutes. See Sender Authentication Settings — RBL Configuration on page 123
Viruses, PUPs, Compliance, and Data Loss Prevention
Increment once for every detection. For example, if a message contains two attachments that both contain viral content, the Viruses counter increments by two
Spam and phish and Sender authentication
Increment once for every message that triggers the scanner
Other
Increment once for every detection. Applies to messages filtered because of their size, those that fail anti-relay and directory harvest checks, and those that contain corrupt content, protected content, encrypted content, or signed content
Due to the way that Dashboard counters are aggregated, there is a slight difference between the information displayed in the dashboard and that returned in a scheduled report.
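The following added example (not McAfee code) models the SMTP rules in Table 7 so that Dashboard totals can be reconciled with MTA logs: a connection that never sends mail still counts as one Message, so the Messages counter can exceed the number of MAIL FROM commands. The conversation format, the function names, and the treatment of an SMTPS connection as one Secure Message at connect time are assumptions made for this illustration.

```python
from collections import Counter

def tally(conversations):
    """Model the Table 7 rules for SMTP conversations (not appliance code)."""
    totals = Counter()
    for conv in conversations:
        tls = conv.get("smtps", False)          # SMTPS: TLS from the first byte
        totals["Messages"] += 1                 # one per TCP connection to the SMTP port
        if tls:
            totals["Secure Messages"] += 1      # assumption: counted once at connect
        mails = secure_mails = 0
        for line in conv["commands"]:
            verb = line.strip().upper()
            if verb == "STARTTLS" and not tls:
                tls = True
                totals["Secure Messages"] += 1  # STARTTLS on the standard SMTP port
            elif verb.startswith("MAIL FROM:"):
                mails += 1
                if mails >= 2:
                    totals["Messages"] += 1     # second and later MAIL FROM
                if tls:
                    secure_mails += 1
                    if secure_mails >= 2:
                        totals["Secure Messages"] += 1
        for name in conv.get("detections", []): # one increment per detection
            totals[name] += 1
    return totals

def mail_transactions(conversations):
    """Count MAIL FROM commands, which is what an MTA log shows as messages."""
    return sum(line.strip().upper().startswith("MAIL FROM:")
               for conv in conversations for line in conv["commands"])

# Constructed sample conversations (client commands only).
SAMPLE = [
    # Plain SMTP, one message carrying two infected attachments.
    {"commands": ["EHLO a.example", "MAIL FROM:<u@a.example>",
                  "RCPT TO:<v@b.example>", "DATA", "QUIT"],
     "detections": ["Viruses", "Viruses"]},
    # STARTTLS, then three messages in the same conversation.
    {"commands": ["EHLO a.example", "STARTTLS", "EHLO a.example",
                  "MAIL FROM:<u@a.example>", "MAIL FROM:<u@a.example>",
                  "MAIL FROM:<u@a.example>", "QUIT"]},
    # Connection that sends no mail at all.
    {"commands": ["EHLO probe.example", "QUIT"]},
    # SMTPS connection with one message.
    {"smtps": True, "commands": ["EHLO a.example", "MAIL FROM:<u@a.example>", "QUIT"]},
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)), "MAIL FROM commands:", mail_transactions(SAMPLE))
```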
Information about statistics shown in the Email Queues list
This information applies to the Queued, Quarantined, and Release requests queues:
• If one message is sent to two recipients and is queued for delivery (for example, because the onward MTA is down):
  • The number of items in the queue will be 1 because the appliance received one message.
  • The number of recipients will be 2 because the message has two recipients.
  If you click on the Queued hyperlink, you see two items because there is one message for each recipient.
• If two messages are sent to one recipient and are queued for delivery (for example, because the onward MTA is down):
  • The number of items in the queue will be 2 because the appliance received two messages.
  • The number of recipients will be 2 because each message has one recipient.
  If you click on the Queued hyperlink, you see two items.
Task — Turn off the McAfee Global Threat Intelligence feedback disabled warning
By default, the appliance displays a warning message if you have not enabled McAfee Global Threat Intelligence (GTI) feedback because McAfee considers it best practice to enable this form of communication.
1. On the appliance Dashboard, select Edit from the System Health area.
2. Deselect Show a warning if McAfee GTI feedback is not enabled.
3. Click OK.
Edit Preferences
Use this page to specify the type of status information, and tasks available from the Dashboard.
The information that you can specify using Edit on each dashboard area relates to the selected area of the appliance.
Dashboard | Edit Preferences
Use this page to set the protocols for which you want statistics, the counters that you want to display, and the reporting period. Choose from counters such as Messages, Secure Messages, Blocked connections, Viruses, PUPs, Spam and phish, Sender authentication, Compliance, Data Loss Prevention detections, and Other detections.
Dashboard | Web Detections | Edit
Use this page to select which protocols you want to report on, the counters you want to display on the Dashboard, and the reporting period. Choose from counters such as Requests, Viruses, PUPs, URL filtered, SiteAdvisor®, Compliance, and Other detections.
Dashboard | Current Detection Rates | Edit
Use this page to select the levels at which you want to receive a warning based on the number of threat detections. Two levels of severity are available: yellow and red. Choose from Virus detection rate, Blocked connection rate, Spam detection rate, Blocked URL rate, Other detection rate.
Dashboard | Network | Edit
Use this page to set the protocols for which you want to display connection and throughput information.
Dashboard | Email Queues | Edit
Use this page to select the levels at which you want to receive a warning based on the disk space taken up by quarantined and queued messages, maximum capacity of the quarantine location, the number of queued and quarantined messages, and the number of release from quarantine requests. Two levels of severity are available: yellow and red.
Dashboard | Scanning Policies | Edit
Use this page to set the protocols for which you want policies to display, and whether you want to see detailed policy information on the Dashboard.
On each page, you can reset the values to the default settings.
Dashboard | System Health | Edit
Use this page to select the levels at which you want to receive a warning based on load average, memory swap rate, disk usage, attempts to use inefficient dictionary regex, and the last anti-virus, anti-spam, and URL filtering definition update. Two levels of severity are available: yellow and red.
To stop receiving notifications that the appliance is an open relay, that web-based user authentication needs more setup, or that you have not configured McAfee Global Threat Intelligence feedback, click Edit in the System Health area, and deselect the relevant warnings.
Dashboard | Tasks | Edit
Use this page to specify the tasks that you want to be available directly from the Dashboard, and change their position in the list.
If you change the reporting period, that change is reflected across all status sections.
Graphs Edit Preferences
Use this page to configure graphs to display on the Dashboard.
Dashboard | Graphs | Edit
Option Definition
Protocols
By default, all the protocols are selected.
Counters
By default, all the counters are selected. This option is not applicable to Network Graphs.
Thresholds (Email timeline graph only)
Display thresholds on the Email timeline graphs.
Reporting period
By default, the period is the past week.
Overview of Reports features
This topic provides an overview of the features within the Email and Web Security Appliances that relate to reporting the activities of the appliance.
Reports
Contents
Types of reports
Scheduled Reports
Email Reports overview
Web Reports overview
System Reports
Types of reports
You can generate reports either on your appliance, your ePolicy Orchestrator server, or externally.
System | Logging, Alerting and SNMP
Reports
Use the external methods to keep the reported events over a longer period of time than that offered by the reporting options on the appliance itself. Use features available from System | Logging, Alerting and SNMP, or McAfee ePolicy Orchestrator to send data to generate reports externally.
Table 8 External reporting options
External report generation option Definition
System log
System | Logging, Alerting and SNMP. Supports the common event formats for Splunk and ArcSight.
SNMP
System | Logging, Alerting and SNMP. Supports the SNMP Alert Settings and SNMP Monitor Settings options. The MIB file can be downloaded from the Resources tab available from the appliance's toolbar.
Email Alerting
System | Logging, Alerting and SNMP | Email Alerting. You can configure Email Alerting to alert specified people about different events that occur on your appliance.
McAfee ePolicy Orchestrator
Use ePolicy Orchestrator to generate reports about multiple appliances and security software within your organization, such as information about the total number of viruses detected within your organization.
McAfee Web Reporter
System | Logging, Alerting and SNMP. Generates reports about Uniform Resource Locator (URL) filtering activities. See the McAfee Web Reporter Product Guide, available from the McAfee download site.
Use the appliance Dashboard to see high-level event statistics. Use the options in Reports to produce regular and real-time reports on the following types of events on the appliance.
Table 9 Reporting options on the appliance
Report type Definition
Scheduled reports
Reports — Set up regular activity overview (by protocol, threat type, and detection), email detections, web detections, and system event reports and send them to other administrators.
Email reports
Reports — Create and view information about threats detected in the email passing through your appliance, and the subsequent actions taken by the appliance.
Web reports
Reports — Create and view information about threats detected in the web activity on your appliance, and the subsequent actions taken by the appliance.
System reports
Reports — Create and view information about threat detection updates, and system events.
Scheduled Reports
Use this page to see a list of the available reports about threats that the appliance has detected.
Reports | Scheduled Reports
You can view the reports, send reports immediately to other people, or schedule reports to be sent at regular intervals.
Benefits of creating Scheduled Reports
Keeping up-to-date with threat detection statistics and system activity, and sharing that information is vital. The Scheduled Reports option has some default report types already set up for you, or you can customize their content or frequency, or even create new report types as necessary. The resulting reports can be sent by email immediately, or at regular intervals to other people in your organization in a variety of formats, such as PDF, HTML, or text.
You must enable the default reports to run automatically. To do so, select the report type from the list of available reports, and click Edit. On the Edit Report dialog box, click Enable scheduled delivery.