Trend Micro™ Network VirusWall™ Enforcer 2500
Administrator's Guide
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at:
http://www.trendmicro.com/download
Trend Micro, the Trend Micro t-ball logo, OfficeScan, PC-cillin, ServerProtect, TrendLabs, VirusWall, Trend Micro Control Manager, Trend Micro Damage Cleanup Services, Trend Micro Outbreak Prevention Services, and Trend Micro Vulnerability Assessment are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Copyright © 2003-2006 Trend Micro Incorporated. All rights reserved.
Document Part No. NVEM12219/50301
Release Date: August 2006
Protected by U.S. Patent No. 5,623,600 and pending patents.
The user documentation for Trend Micro Network VirusWall Enforcer 2500 introduces the main features of the software and gives installation instructions for your production environment. Read it before installing or using the software.
Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro’s Web site.
Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Contents

Preface
Network VirusWall Enforcer 2500 Documentation ..... P-2
About This Administrator’s Guide ..... P-3
Audience ..... P-4
Document Conventions ..... P-4

Chapter 1: Understanding Trend Micro™ Network VirusWall™ Enforcer 2500
Trend Micro™ Network VirusWall Enforcer 2500 ..... 1-2
Functions and Capabilities ..... 1-2
Network VirusWall Enforcer 2500 Architecture ..... 1-5
Components ..... 1-5
Device(s) ..... 1-5
Management ..... 1-5
Antivirus Technology ..... 1-10
Understanding Security Risks ..... 1-11
Protection Principle ..... 1-13
Protecting Your Network ..... 1-14
Understanding Endpoints ..... 1-17
Global Endpoint Exceptions List ..... 1-17
Quarantined Endpoints ..... 1-17
Endpoints that Violate a Policy ..... 1-17
IP Address Settings ..... 1-18
Management IP Address ..... 1-18
Bridge IP Address ..... 1-18
Static Routes ..... 1-20
An Example of When a Bridge IP Address and Static Route is Necessary ..... 1-20
SNMP ..... 1-22
Security ..... 1-22
SNMP Trap Limitations ..... 1-24
SNMP Traps ..... 1-24
SNMP Agent Messages ..... 1-25
VLAN ..... 1-25
Tagged and Non-tagged Frames ..... 1-25
Native VLAN ..... 1-26
Network VirusWall Enforcer 2500 ..... 1-27
Nine User-definable LAN Ports ..... 1-27
High Availability ..... 1-28
Redundant Ports and Devices ..... 1-28
Failover ..... 1-29
Failopen ..... 1-30
Policy Prioritization and Creation ..... 1-33
Sample Policy Creation ..... 1-37
Policy Scenario 1: Authenticated users need to have antivirus software and Guest users need to have a certain registry key ..... 1-37
Sample Policy 1: Authenticated users ..... 1-37
Sample Policy 2: Guest users ..... 1-41
Sample Policy 3: Catchall ..... 1-44
Sample Deployment Scenarios ..... 1-50
Deployment Scenario I: Standard Network ..... 1-50
Deployment Scenario II: Global Site ..... 1-52
Deployment Scenario III: Very Large Enterprise or Internet Service Provider ..... 1-53
Sample Policy Configuration ..... 1-54

Chapter 2: Configuring Policy Enforcement and Device Settings
Getting Started with Network VirusWall Enforcer 2500 ..... 2-2
Configuring Policy Enforcement Settings ..... 2-2
Configuring Policy Enforcement Settings ..... 2-3
Configuring Network Zones ..... 2-12
Configuring the URL List ..... 2-13
Specifying Global Endpoint Exceptions ..... 2-14
Configuring Endpoint Notifications ..... 2-14
Configuring OfficeScan Settings ..... 2-15
HTTP Detection Settings ..... 2-16
Remote Login Accounts ..... 2-16
Exporting and Importing Policy Data ..... 2-17
Configuring Device and System Settings ..... 2-18
Configuring Access Control ..... 2-18
Configuring Administrative Accounts ..... 2-19
Using Backup Configuration ..... 2-19
Performing Device Tasks ..... 2-21
Replacing the HTTPS Certificate ..... 2-24
Configuring IP Address Settings ..... 2-24
Configuring LDAP Settings ..... 2-25
Configuring Proxy Settings ..... 2-26
Configuring SNMP Settings ..... 2-26
Using Tools ..... 2-28
Restoring Default Settings ..... 2-28
System Recovery ..... 2-29

Chapter 3: Updating Components
Understanding Updatable Components ..... 3-2
Updating Components ..... 3-4
Updating Components Manually ..... 3-5
Updating Components Automatically ..... 3-5
Setting the Update Source ..... 3-6

Chapter 4: Viewing Status, Logs, and Summaries
Viewing Summary Information ..... 4-2
Viewing Real-time Status Information ..... 4-2
Viewing the Pattern Release History ..... 4-2
Viewing Supported Products ..... 4-3
Understanding Logs ..... 4-3
Types of Network VirusWall Enforcer 2500 Logs ..... 4-3
Viewing the Event Log ..... 4-3
Endpoint History ..... 4-4
Configuring Log Settings ..... 4-4
LCD Module Log Format and Interpretation ..... 4-4
Asset Tag Logs ..... 4-5
Hardware Logs ..... 4-7
LCD Module Error Logs ..... 4-8
Using the Log Viewer ..... 4-11

Chapter 5: Troubleshooting and FAQs
Using Network VirusWall Enforcer 2500 Utilities ..... 5-2
Entering Rescue Mode ..... 5-2
Uploading the Program File and Boot Loader ..... 5-4
Uploading with the Network VirusWall Enforcer 2500 Appliance Firmware Flash Utility ..... 5-5
Flashing the BIOS and BMC ..... 5-7
Before Running the Appliance Firmware Flash Utility ..... 5-7
Running the Appliance Firmware Flash Utility ..... 5-9
After Running the Appliance Firmware Flash Utility ..... 5-12
Troubleshooting ..... 5-13
Hardware Issues ..... 5-14
Configuration Issues ..... 5-15
Control Manager and Network VirusWall Enforcer 2500 Communication Issues ..... 5-22
Frequently Asked Questions (FAQs) ..... 5-24

Chapter 6: Getting Support
Before Contacting Technical Support ..... 6-2
Contacting Technical Support ..... 6-2
Sending Infected Files to Trend Micro ..... 6-3
Introducing TrendLabs ..... 6-3
Other Useful Resources ..... 6-4

Appendix A: Device Specifications

Appendix B: Introducing Trend Micro Control Manager™
Control Manager Basic Features ..... B-2
Understanding Trend Micro Management Communication Protocol ..... B-3
Reduced Network Loading and Package Size ..... B-3
NAT and Firewall Traversal Support ..... B-4
HTTPS Support ..... B-5
One-Way and Two-Way Communication Support ..... B-6
One-Way Communication ..... B-6
Two-Way Communication ..... B-6
Single Sign-on (SSO) Support ..... B-6
Cluster Node Support ..... B-7
Control Manager Agent Heartbeat ..... B-7
Using the Schedule Bar ..... B-8
Determining the Right Heartbeat Setting ..... B-9
Registering Network VirusWall Enforcer 2500 to Control Manager ..... B-9
Managing Network VirusWall Enforcer 2500 From Control Manager ..... B-11
Understanding Product Directory ..... B-11
Accessing a Network VirusWall Enforcer 2500 Device's Default Folder ..... B-13
Access Product Directory ..... B-13
Manually Deploy New Components Using the Product Directory ..... B-14
View Network VirusWall Enforcer 2500 Devices Status Summaries ..... B-15
Configure Network VirusWall Enforcer 2500 Devices and Managed Products ..... B-16
Issue Tasks to Network VirusWall Enforcer 2500 Devices and Managed Products ..... B-17
Query and View Network VirusWall Enforcer 2500 Device and Managed Product Logs ..... B-17
Recover Network VirusWall Enforcer 2500 Devices Removed From the Product Directory ..... B-19
Search for Network VirusWall Enforcer 2500 Devices, Product Directory Folders or Computers ..... B-20
Refresh the Product Directory ..... B-21
Understanding Directory Manager ..... B-21
Using the Directory Manager Options ..... B-22
Access Directory Manager ..... B-23
Create Folders ..... B-23
Renaming Folders or Network VirusWall Enforcer 2500 Devices ..... B-23
Move Folders or Network VirusWall Enforcer 2500 Devices ..... B-24
Delete User-Defined Folders ..... B-24
Understanding Temp ..... B-25
Using Temp ..... B-25
Access Temp ..... B-25
Adding Network VirusWall Enforcer 2500 Devices to Temp ..... B-26
Removing Network VirusWall Enforcer 2500 Devices From Temp ..... B-28
Download and Deploy New Components From Control Manager ..... B-29
Understanding Update Manager ..... B-29
Understanding Manual Downloads ..... B-30
Manually Download Components ..... B-30
Configure Scheduled Download Exceptions ..... B-37
Understanding Scheduled Downloads ..... B-38
Configure Scheduled Downloads and Enable Scheduled Component Downloads ..... B-39
Use Reports ..... B-46
Local Reports ..... B-46
Global Reports ..... B-46
Understanding Report Templates ..... B-47
Understanding Report Profiles ..... B-48
Create Report Profiles ..... B-48
Review Report Profile Settings ..... B-54
Enable Scheduled Report Profiles ..... B-55
Generate On-demand Scheduled Reports ..... B-55
View Generated Reports ..... B-56

Appendix C: Supported Antivirus Products
Supported Products for Endpoints with Windows 98 or ME Operating Systems ..... C-2
Supported Products for Endpoints with Windows XP, 2000, or 2003 Operating Systems ..... C-4

Appendix D: Glossary

Index

Preface

Welcome to the Administrator’s Guide for Trend Micro™ Network VirusWall™ Enforcer 2500. This book contains information about the tasks you need to configure Network VirusWall Enforcer 2500. This book is intended for novice and experienced users of Trend Micro Network VirusWall Enforcer 2500 who want to quickly configure, administer, and monitor the product.
The Network VirusWall Enforcer 2500 package includes the Trend Micro Solutions CD for Network VirusWall Enforcer 2500. If you are planning large-scale deployment of Network VirusWall Enforcer 2500 or have complex network architecture, refer to the Network VirusWall Enforcer 2500 Getting Started Guide PDF files on the Solutions CD.
This Preface discusses the following topics:
Network VirusWall Enforcer 2500 Documentation on page 2
About This Administrator’s Guide on page 3
Audience on page 4
Document Conventions on page 4
Network VirusWall Enforcer 2500 Documentation
The Network VirusWall Enforcer 2500 documentation consists of the following:
Online Help—Web-based documentation that is accessible from the Network VirusWall Enforcer 2500 Web console.
The Network VirusWall Enforcer 2500 Online Help contains explanations about the Network VirusWall Enforcer 2500 components and features.
Upgrade Guide (UG)—PDF documentation that is accessible from the Solutions CD for Network VirusWall Enforcer 2500 or downloadable from the Trend Micro Web site.
The UG contains explanations about upgrading from Network VirusWall 2500 1.5 and 1.8 to Network VirusWall Enforcer 2500.
Getting Started Guide (GSG)—PDF documentation that is accessible from the Trend Micro Solutions CD for Network VirusWall Enforcer 2500 or downloadable from the Trend Micro Web site.
The GSG contains instructions on how to deploy Network VirusWall Enforcer 2500, a task that includes planning, testing, and preconfiguration.
Administrator’s Guide (AG)—PDF documentation that is accessible from the Trend Micro Solutions CD for Network VirusWall Enforcer 2500 or downloadable from the Trend Micro Web site.
This AG contains detailed instructions on how to configure and administer Network VirusWall Enforcer 2500 from the applicable management tools, as well as explanations of the Network VirusWall Enforcer 2500 concepts and features. See About This Administrator’s Guide for the chapters available in this book.
Note: Trend Micro recommends checking the Update Center for updates to the Network VirusWall Enforcer 2500 documentation and program file. You can download the latest versions of the Upgrade Guide and Administrator’s Guide from the following location: http://www.trendmicro.com/en/products/network/nvwe/evaluate/overview.htm
About This Administrator’s Guide
The Network VirusWall Enforcer 2500 Administrator’s Guide, which is in PDF, provides the following information:
Overview of the product and its architecture, and description of all new features in Network VirusWall Enforcer 2500, see Understanding Trend Micro™ Network VirusWall™ Enforcer 2500 on page 1-1
Procedures to configure and administer Network VirusWall Enforcer 2500 from the applicable management tools, see Configuring Policy Enforcement and Device Settings on page 2-1
Procedures to update Network VirusWall Enforcer 2500 components, see Updating Components on page 3-1
Instructions to access antivirus information to evaluate your organization’s virus protection policies and identify endpoints that are at a high risk of infection, see Viewing Status, Logs, and Summaries on page 4-1
Troubleshooting tips for issues encountered during device administration, including interpretation of debug and error logs, see Troubleshooting and FAQs on page 5-1
Guidelines to obtain more information, see Getting Support on page 6-1
Audience
The Network VirusWall Enforcer 2500 documentation assumes a basic knowledge of security systems, including:
Antivirus and content security protection
Network concepts (such as IP address, netmask, topology, LAN settings)
Various network topologies
Network devices and their administration
Network configuration (such as the use of VLAN, SNMP)
Document Conventions
To help you locate and interpret information easily, the Network VirusWall Enforcer 2500 documentation uses the following conventions.
CONVENTION      DESCRIPTION
ALL CAPITALS    Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold            Menus and menu commands, command buttons, tabs, options, and Network VirusWall Enforcer 2500 tasks
Italics         References to other documentation
Monospace       Examples, sample command lines, program code, Web URL, file name, and program output
Note:           Configuration notes
Tip:            Recommendations
WARNING!        Reminders on actions or configurations that should be avoided
FAILOVER        Network VirusWall Enforcer 2500 interface connected to the device in a failover pair
TABLE 1. Conventions used in the Network VirusWall Enforcer 2500 documentation
P-4
Chapter 1

Understanding Trend Micro™ Network VirusWall™ Enforcer 2500

This chapter introduces Trend Micro Network VirusWall Enforcer 2500 and provides an overview of its technology, capabilities, and hardware connections.
The topics discussed in this chapter include:
Trend Micro™ Network VirusWall Enforcer 2500 on page 1-2
Functions and Capabilities on page 1-2
Network VirusWall Enforcer 2500 Architecture on page 1-5
Network VirusWall Enforcer 2500 on page 1-27
Sample Deployment Scenarios on page 1-50
Trend Micro™ Network VirusWall Enforcer 2500

Trend Micro Network VirusWall Enforcer 2500 is an outbreak prevention appliance that helps organizations stop network viruses (Internet worms), block high-threat vulnerabilities during outbreaks, and quarantine and clean up infection sources, including unprotected devices as they enter the network, using threat-specific knowledge from Trend Micro deployed at the network layer.
Unlike security solutions that only monitor threats or provide threat information, Network VirusWall Enforcer 2500 helps organizations take precise outbreak security actions and proactively detect, prevent or contain, and eliminate outbreaks. By deploying Network VirusWall Enforcer 2500 in LAN segments, organizations can significantly reduce their security risk, network downtime, and outbreak management burden. Network VirusWall Enforcer 2500 supports the Trend Micro™ Enterprise Protection Strategy.
Network VirusWall Enforcer 2500 monitors network packets and events that could indicate an attack against a network. Its endpoint security prevents endpoints from becoming sources of network outbreaks, and the device scans all traffic passing between segments so that security risks cannot spread from one segment to another. Deploy Network VirusWall Enforcer 2500 in a switch or router environment.

Functions and Capabilities

From the Web console, you can accomplish the following administrative tasks:
View a Summary of Your Network’s Protection Against Viruses
Enforce Antivirus Policies
Update Your Protection
Analyze Your Network’s Protection Against Viruses
Perform Administrative Tasks
View a Summary of Your Network’s Protection Against Viruses
Use the Summary and Real-time status screens to help you monitor your network’s protection against viruses.
View the following from the Summary screen:
Policy Enforcement Status—Use this information to determine statistics on policy compliance and violations. Click the number under Violations to view the Endpoint History for more information.
Top 5 Policies with Violations—Use this information to determine the most common or largest number of policy violations. Click the number under Violations to view additional information.
AV Product Detection Status—Use this information to determine statistics on Protected Endpoints, Undetectable Endpoints (endpoints that do not have antivirus software and endpoints that cannot be assessed), Total Endpoints, and the Virus Protection Ratio (the percentage of endpoints with antivirus software in relation to the total number of detected endpoints). Click Export to save the information to a file.
Component Status—Use this information to determine whether your Network VirusWall Enforcer 2500 components are current. After an update use this information to determine if all components are current.
View the following from the Real-time Status screen:
LED Status—Use this information to help determine the state of the device. Network VirusWall Enforcer 2500 has five light-emitting diodes (LEDs) that indicate the POWER, UID, SYSTEM, INSPECTION, and OUTBREAK status.
Performance Status—Use this information to determine the device resource usage. You can view CPU usage, memory usage, and concurrent connections.
High Availability Status—Use this information to determine High Availability status. View Mode (Failover/Failopen), Primary Device, Secondary Device, Management Device, Switchback mode (On/Off), and Asymmetric Route.
Interface Configuration Status—Use this information to determine the configuration of the ports. View connection mode, port speed, and port type.
Enforce Antivirus Policies
Network VirusWall Enforcer 2500 monitors endpoints and determines the status of their antivirus protection. Based on this information, configure antivirus policy settings to block, monitor, or redirect traffic, including traffic from specified TCP and UDP ports. In this release, you can specify multiple policies for each segment in your network by configuring network zones.
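The following is an added example, not Trend Micro code and not the appliance's own policy engine. It models the prioritized policy matching the paragraph above describes: each policy is scoped to one or more network zones, governs a class of endpoints, states what a governed endpoint must have, and names the action applied on a violation (block, monitor, or redirect). The scenario is the one used in the Sample Policy Creation section, authenticated users must run antivirus software and guest users must have a particular registry key, with a catchall policy last. The Endpoint and Policy classes, the zone addresses, and the registry key name are assumptions made for the illustration.

```python
"""Illustrative model of prioritized endpoint-policy evaluation.
Added example, not Trend Micro code and not the appliance's policy engine.
The Endpoint and Policy classes, zone addresses and registry key name are
assumptions made for the illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class Endpoint:
    ip: str
    authenticated: bool                 # assumed: user logged in against the directory
    has_antivirus: bool                 # assumed: a supported antivirus product was detected
    registry_keys: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    name: str
    zones: List[str]                            # CIDR network zones the policy covers
    applies_to: Callable[[Endpoint], bool]      # which endpoints this policy governs
    compliant: Callable[[Endpoint], bool]       # what a governed endpoint must satisfy
    on_violation: str                           # "block", "monitor" or "redirect"


def in_zone(policy: Policy, ep: Endpoint) -> bool:
    addr = ip_address(ep.ip)
    return any(addr in ip_network(z) for z in policy.zones)


def evaluate(policies: List[Policy], ep: Endpoint) -> Tuple[Optional[str], str]:
    """First policy (in priority order) whose zone and scope both match decides.
    Returns (policy name, action); action is "pass" for a compliant endpoint."""
    for p in policies:
        if in_zone(p, ep) and p.applies_to(ep):
            return p.name, ("pass" if p.compliant(ep) else p.on_violation)
    return None, "pass"   # only reachable when no catchall policy exists


GUEST_KEY = r"HKLM\SOFTWARE\Example\GuestAgent"   # assumed key name, not a real product key

POLICIES = [
    Policy("Authenticated users need antivirus", ["10.1.0.0/16"],
           applies_to=lambda e: e.authenticated,
           compliant=lambda e: e.has_antivirus,
           on_violation="redirect"),          # e.g. send the user to a remediation page
    Policy("Guest users need registry key", ["10.1.0.0/16"],
           applies_to=lambda e: not e.authenticated,
           compliant=lambda e: GUEST_KEY in e.registry_keys,
           on_violation="block"),
    Policy("Catchall", ["0.0.0.0/0"],
           applies_to=lambda e: True,
           compliant=lambda e: False,
           on_violation="monitor"),            # endpoints outside every zone are only logged
]


def decisions(policies, endpoints):
    """Map each endpoint IP to its (policy, action) decision."""
    return {ep.ip: evaluate(policies, ep) for ep in endpoints}


if __name__ == "__main__":
    # Constructed sample endpoints.
    sample = [
        Endpoint("10.1.2.3", True, True),
        Endpoint("10.1.2.4", True, False),
        Endpoint("10.1.2.5", False, False, {GUEST_KEY}),
        Endpoint("10.1.2.6", False, True),
        Endpoint("192.168.5.9", False, True),
    ]
    for ip, (name, action) in decisions(POLICIES, sample).items():
        print(f"{ip:14} {action:9} {name}")
```

Policies are tried in list order, so the catchall must stay last: reversing the list makes every endpoint match the catchall first and no other policy is ever consulted, which is why prioritization matters when you add policies for a new zone. Removing the catchall leaves endpoints outside the defined zones with no decision at all.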
Specify Damage Cleanup as a remedy when an endpoint is infected with a virus. Damage Cleanup performs the following:
Removes unwanted registry entries created by worms or Trojans
Removes memory resident worms or Trojans
Removes garbage and viral files dropped by viruses
Repairs system file configurations (such as system.ini), after they have been altered or infected by malicious code
Returns the system to an active and clean state
Update Your Protection
Virus writers write and release new viruses through different media every day, especially the Internet. To help ensure your protection against the latest threats is current, periodically update Network VirusWall Enforcer 2500 components, including the network virus pattern file, network scan engine, file virus pattern, file virus scan engine, vulnerability assessment pattern, vulnerability engine, Damage Cleanup engine, Damage Cleanup pattern, program file, and Pattern Release History.
Analyze Your Network’s Protection Against Viruses
Network VirusWall Enforcer 2500 generates various types of logs, including security and event logs. Use these logs to verify module updates and network outbreaks and to view viruses found in network packets.
Perform Administrative Tasks
Network VirusWall Enforcer 2500 supports Simple Network Management Protocol (SNMP) v2 and can send traps to specific network management stations. For added security, you can require network management stations to authenticate before they gain access to the Network VirusWall Enforcer 2500 Management Information Base (MIB).
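As an added example (not Trend Micro code), the following builds and parses an SNMPv2c trap using only the Python standard library, to show what actually crosses the wire when an appliance sends a trap to a management station: the version, the community string, and the variable bindings (sysUpTime and snmpTrapOID first, then any enterprise-specific values). The community string "nvw-traps", the OIDs under 1.3.6.1.4.1.99999 and the varbind text are constructed placeholders, not the appliance's MIB. In SNMPv2c the community string is the only credential and it travels in cleartext, which is why the management stations allowed to talk to the device should be restricted by address rather than trusting the community string alone.

```python
"""Encode and decode an SNMPv2c trap with only the standard library.
Added example, not Trend Micro code. The community string, the OIDs under
1.3.6.1.4.1.99999 and the varbind text are constructed placeholders."""

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # first varbind of every SNMPv2 trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # second varbind: identifies the trap


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """BER tag-length-value."""
    return bytes([tag]) + _length(len(payload)) + payload


def enc_int(v, tag=0x02):
    # minimal two's-complement encoding; tag 0x43 reuses it for TimeTicks
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def enc_str(s):
    return tlv(0x04, s.encode())


def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                     # base-128, high bit = more bytes follow
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_trap(community, uptime_ticks, trap_oid, extra_varbinds, request_id=1):
    """SNMPv2c Message{version=1, community, SNMPv2-Trap-PDU [7]}."""
    binds = [(SYS_UPTIME, enc_int(uptime_ticks, 0x43)), (SNMP_TRAP_OID, enc_oid(trap_oid))]
    binds += extra_varbinds
    vb_list = b"".join(tlv(0x30, enc_oid(o) + v) for o, v in binds)
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vb_list))
    return tlv(0x30, enc_int(1) + enc_str(community) + pdu)


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _items(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = _read_tlv(payload, pos)
        items.append((tag, val))
    return items


def dec_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def dec_value(tag, val):
    if tag in (0x02, 0x41, 0x42, 0x43):    # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(val, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return val.decode(errors="replace")
    if tag == 0x06:
        return dec_oid(val)
    return val.hex()                       # anything else: leave raw


def parse_trap(msg):
    """Return version, community and varbinds of an SNMPv2c trap, or raise."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (vtag, ver), (ctag, comm), (ptag, pdu) = _items(body)
    if vtag != 0x02 or ctag != 0x04 or ptag != 0xA7:
        raise ValueError("not an SNMPv2c trap PDU")
    req, _err, _idx, (_, vb_list) = _items(pdu)
    binds = []
    for _, vb in _items(vb_list):
        (_, oid), (vtag2, vval) = _items(vb)
        binds.append((dec_oid(oid), dec_value(vtag2, vval)))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "request_id": int.from_bytes(req[1], "big", signed=True), "varbinds": binds}


# Constructed sample: an outbreak notification with one enterprise-specific varbind.
SAMPLE_TRAP = build_trap("nvw-traps", 123456, "1.3.6.1.4.1.99999.1.1",
                         [("1.3.6.1.4.1.99999.1.2", enc_str("outbreak detected on 10.1.2.6"))])

if __name__ == "__main__":
    print(parse_trap(SAMPLE_TRAP))
    print("community visible in cleartext:", b"nvw-traps" in SAMPLE_TRAP)
```

Running the block prints the decoded trap and confirms that the community string is readable directly in the raw datagram. A management station that accepts traps from any source address, or an appliance that answers MIB queries from any station holding the community string, is therefore only as protected as the network path between them; pair the MIB authentication setting with an address restriction on the management stations.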
Network VirusWall Enforcer 2500 Architecture

This section describes the Network VirusWall Enforcer 2500 components and antivirus defenses, including its antivirus technology and the types of network threats it addresses.

Components

Two major components make up a Network VirusWall Enforcer 2500 system:
Device(s)
Management
Device(s)
Unlike security solutions that only monitor threats or provide threat information, Network VirusWall Enforcer 2500 helps organizations take precise outbreak security actions and proactively detect, prevent or contain, and eliminate outbreaks. By deploying Network VirusWall Enforcer 2500 devices in LAN segments, organizations can significantly reduce their security risk, network downtime, and outbreak management burden. Refer to Network VirusWall Enforcer 2500 on page 1-27 for information about ports, port grouping, and fiber card installation.
Management
Network VirusWall Enforcer 2500 provides the following management tools:
Preconfiguration console
Web console
LCD module (also known as LCM console)
Preconfiguration Console
The Preconfiguration console allows you to perform the network configuration and set the device settings by connecting directly to the Network VirusWall Enforcer 2500 device with a terminal communication application.
You can reach the Preconfiguration console either through a console connection to Network VirusWall Enforcer 2500 or through SSH. Certain settings cannot be changed when you log in over SSH: you cannot disable the SSH connection from the Access Control menu, and you cannot set the device to Enable Failover. Because of this difference, the menu numbers of features may differ depending on how you connect to the Preconfiguration console.
FIGURE 1-1. The Preconfiguration console login screen
Note: If you access the Preconfiguration console using SSH, type root at the login as prompt. No password is required to reach the Network VirusWall Enforcer 2500 login screen. Because any host that can reach the management address over SSH gets this far, restrict SSH access to trusted administrative hosts (see Configuring Access Control) and disable SSH from the console connection when you do not need it.
Web Console
The Network VirusWall Enforcer 2500 Web console provides central management of Network VirusWall Enforcer 2500 devices. You can manage two devices when you configure a failover environment. The Web console gives you the tools to configure and enforce antivirus policies for an entire organization. This enables you to react quickly to network virus emergencies from nearly anywhere using the Web console.
FIGURE 1-2. Network VirusWall Enforcer 2500 Web console
After preconfiguration, the Web console enables you to perform the following Network VirusWall Enforcer 2500 administrative tasks:
Analyze your network’s protection against viruses
View the Pattern Release History
View the Supported Products list
Update Network VirusWall Enforcer 2500 components and settings
Enforce antivirus policies
View and manage logs
Manage Network VirusWall Enforcer 2500
LCD Module
This document uses the term "LCD module (LCM or LCM console)" to refer collectively to the Liquid Crystal Display (LCD) and the control panel on the Network VirusWall Enforcer 2500 front panel. The best use of the LCM console is for simple, on-the-spot Network VirusWall Enforcer 2500 settings adjustments, as well as for viewing hardware logs and system information.
FIGURE 1-3. LCD and Control Panel make up the LCD module
The LCM console allows you to perform the following basic configuration:
• Configure device settings: Device settings such as the Network VirusWall Enforcer 2500 IP address, netmask, gateway, and primary and secondary DNS servers, as well as the Control Manager IP address and root account.
• View and delete BMC logs: BMC logs refer to the Board Management Control or hardware (H/W) logs. These logs report critical hardware status and errors. Use the LCD module to purge BMC logs manually.
• View system information: Use the LCM console to view the Network VirusWall Enforcer 2500 memory and CPU usage, as well as its concurrent activities.
The following table lists the differences between the management tools. The columns are PRECONFIGURATION CONSOLE, WEB CONSOLE, and LCD MODULE; the USAGE rows compared are:
• Configure advanced device settings
• Configure device settings
• Configure Endpoint Notifications
• Configure interface speed and duplex mode
• Configure High Availability settings
• Configure Interface Groups
• Configure IP Address Settings
• Configure Policy Exceptions
• Configure Proxy Settings
• Create and manage Policies
• Manage Access Control
• Manage Administrative Accounts
• Monitor device events, status, and summaries
• Perform System Rollback/Restore
• Register the device to Control Manager 3.5
• Restart device
• Update and deploy components
• View and delete BMC (device) logs
• View device information (for example, CPU usage, memory usage)
• View network configuration
• View Pattern Release History
TABLE 1-1. Comparison of the Network VirusWall Enforcer 2500 management tools

Antivirus Technology

Network VirusWall Enforcer 2500 is equipped with state-of-the-art antivirus technology that targets network viruses. Because it was designed to act as a shield for a segment of your network, it not only scans and drops infected network packets before they reach your endpoints, but also prevents vulnerable or infected endpoints from accessing the public network.
The number and complexity of virus threats are on the rise. Many organizations have put in place multi-layer virus protection in the form of a "security suite"– several antivirus installations that provide a patchwork virus defense. This type of virus protection, however, is effective only after servers or endpoints detect a virus; in other words, when a virus is already on your network.
Equipped with the Trend Micro™ network scan engine and network virus pattern file, Network VirusWall Enforcer 2500 scans every packet entering and leaving a network segment in real time (see Network VirusWall Enforcer 2500). Trend Micro has specially designed Network VirusWall Enforcer 2500 to recognize network viruses, drop infected packets before they enter the network, and prevent future attacks on your network caused by network virus infections. See Understanding Security Risks for more information on viruses, including network viruses.
In addition to network virus scanning capabilities, Network VirusWall uses PEAgent to perform assessments of endpoints. PEAgents can scan for file viruses, vulnerabilities, antivirus software, and registry keys to help ensure that endpoints are secure.
Understanding Security Risks
Tens of thousands of viruses exist, with more coming into existence each day. Although once most common in DOS or Windows, computer viruses today can cause a great amount of damage by exploiting vulnerabilities in corporate networks, email systems and Web sites.
In general, computer viruses fall into the following categories:
• ActiveX malicious code—resides in Web pages that execute ActiveX controls
• Boot sector viruses—infects the boot sector of a partition or a disk
• COM and EXE file infectors—executable programs with *.com or *.exe extensions
• Joke programs—virus-like programs that often manipulate the appearance of things on a computer monitor
• Java malicious code—operating system-independent virus code written or embedded in Java
• Macro viruses—encoded as an application macro and often included in a document
• Trojan horses—executable programs that do not replicate but instead reside on systems to perform malicious acts, such as open ports for hackers to enter
• VBScript, JavaScript or HTML viruses—reside in Web pages and downloaded through a browser
• Worms—a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems, often via email
Network Viruses
A virus spreading over a network is not, strictly speaking, a network virus. Only some of the malware mentioned above, such as worms, are actually network viruses. Specifically, network viruses use network protocols, such as TCP, FTP, UDP, HTTP, and email protocols to replicate. They often do not alter system files or modify the boot sectors of hard disks. Instead, network viruses infect the memory of endpoint machines, forcing them to flood the network with traffic, which can cause slowdowns and even complete network failure. Because network viruses remain in memory, they are often undetectable by conventional file I/O based scanning methods.
Vulnerability
The principal function of Vulnerability Scan is to assess the vulnerability of an organization's network to various threats. Vulnerability Scan helps prevent attacks by detecting major threats associated with vulnerabilities in Microsoft operating systems.
Trend Micro assesses the risks posed by vulnerabilities by considering the significance of Internet threats that use them, the vulnerability's potential and actual impact, and the difficulty or ease with which the vulnerability can be used—also known as exploitability. Vulnerabilities are considered low, moderate, important, critical, or highly critical based on the described criteria.
The following is a list of the vulnerability risk ratings:
Highly Critical Risk—Vulnerabilities considered highly critical are vulnerabilities associated with at least ten Internet threats, regardless of how destructive the associated Internet threats are. Systems and networks not patched against these vulnerabilities will likely become infected due to the prevalence or sheer variety of associated Internet threats.
Critical Risk—All vulnerabilities utilized by known Internet threats are critical. Vulnerabilities that remain unused by Internet threats, but that can facilitate the propagation of Internet threats across different systems, also fall under this category.
Important Risk—Vulnerabilities that compromise vital information and allow unauthorized access to passwords and other valuable data are automatically important. Vulnerabilities that compromise the integrity or availability of system resources are similarly important.
Moderate Risk—Vulnerabilities whose exploitability is reduced by factors such as default configuration, auditing, or difficulty of exploitation are moderate-risk.
Low Risk—Low-risk vulnerabilities either have minimal impact on affected systems or are very difficult to exploit.

Protection Principle

The principal function of Network VirusWall Enforcer 2500 is to separate a segment of the network from the rest of the public network (that is, the Internet, other LAN segments, and so on).
Tip: Trend Micro recommends deploying a Network VirusWall Enforcer 2500 device between switches or routers. Although the exact location of the device depends on the network topology, position the device between level 2 (L2) switches or level 3 (L3) routers.
Figure 1-4 depicts a representation of the Network VirusWall Enforcer 2500 protection.
FIGURE 1-4. Network Protection
Network VirusWall Enforcer 2500 accomplishes these tasks:
• Scan network traffic to and from endpoints
• Assess vulnerability on endpoints
• Block endpoints that do not conform to the security policies of your organization
• Isolate infected endpoints to prevent viruses from spreading

Protecting Your Network

Network VirusWall Enforcer 2500 protects an organization through Policy Enforcement configured to assess:
Endpoint Security
Network Threat Detection
Network Management
Policy Enforcement
Network VirusWall Enforcer 2500 is capable of identifying a packet source, and then determining if it complies with the current antivirus and vulnerability-elimination policies. The device can determine if the packet source (the endpoint where the packet originated) has antivirus protection, service packs, security patches installed, and so on. It helps ensure that machines sending inter-segment traffic comply with the policies you configure.
Policy Enforcement assesses endpoints that send traffic through a Network VirusWall Enforcer 2500 device to ensure the endpoints have:
Active antivirus protection
No security threats on their computer
Required security patches installed
Required and prohibited software on their computer
Policy Enforcement assesses the status of endpoint antivirus installations and vulnerabilities by using the following components:
• Exception list: Network VirusWall Enforcer 2500 does not monitor endpoints belonging to the Policy Enforcement exception list for policy violations. Network VirusWall Enforcer 2500 monitors endpoints that do not belong to the exception list based on the traffic volume and connection rules. See Global Endpoint Exceptions List on page 1-17 for details about endpoints belonging to the exception list.
• Endpoint Security: Network VirusWall Enforcer 2500 can scan endpoints to help prevent security risks from entering the network. Network VirusWall Enforcer 2500 uses PEAgent to perform assessments of endpoints. The device deploys PEAgent and the agent registers itself as a Windows service and runs in the background.
You can configure policies to do the following:
• scan endpoints to ensure the installation of antivirus software
• scan network packets to prevent security threats from entering the network
• ensure vulnerabilities are patched before allowing access to the network
• specify required and prohibited registry keys to require or prohibit software on endpoint computers
Configure Endpoint Notifications to send Windows Messenger Messages or HTTP Messages to instruct Policy Enforcement to display endpoint notifications.
Web Notifications— use this feature to notify endpoints using a browser.
Windows Messenger Service—use this feature to notify Windows-based endpoints that are using any type of protocol (that is, HTTP, FTP, telnet, and so on) to access a public network resource
Note: This type of Network VirusWall Enforcer 2500 endpoint notification
uses the Windows Messenger Service. This feature does not require a Windows messaging server (for example, Windows Messenger Server or Live Communications Server) or instant messaging application (for example, Windows Messenger or MSN Messenger) to send popup notifications. If you use this feature, ensure that you have not disabled this service on endpoints.
• Network Virus Policy: Configure Network Virus Policy to scan for network viruses and to help prevent network outbreaks. If a network virus is detected, Network VirusWall Enforcer 2500 can monitor (allow the packet to reach its destination), drop the packet, or quarantine the endpoint computer. Use damage cleanup to repair the damage that viruses do to endpoint computers.
• Network Application Policy: Configure Network Management Services to assess specific protocol, instant messenger, and file transfer traffic. Monitor, reject, or drop packets that Network VirusWall Enforcer 2500 detects. If you configure the action to reject the packet, the action differs by protocol or layer 7 service: the device sends a TCP RESET for TCP packets and an ICMP Port Unreachable for ICMP and UDP packets. The drop action filters out the selected network type packets.
Viewing Logs to Assess Policy Enforcement
Logs provide information to help you monitor Policy Enforcement on your network. Configure log settings from the Logs > Log Settings screen. You can also configure the device to send the Endpoint History log to the Control Manager server from the Log Settings screen. The device sends Endpoint History logs according to the time you specify in Log Settings. However, Event and Network Virus logs are sent immediately to Control Manager if the device is registered to a Control Manager server.
• Event Log—Provides information on the Policy Enforcement configuration modification.
• Network Virus Log—Provides information on viruses detected in your network.
• Endpoint History—Provides information on compliant endpoints, endpoints with violations, and endpoints that are quarantined. (This information is sorted by IP address and not by Date/Time.)
See the following pages to:
Configure Policy Enforcement, page 2-3
Configure the Global Endpoint exception list, page 2-14
Enable Windows Messenger Service popup message, page 2-14

Understanding Endpoints

A packet source (a machine or a device) can have more than one network interface card (NIC) and therefore can have more than one IP address. Network VirusWall Enforcer 2500 considers each IP and MAC address pair a unique endpoint.
The following types of endpoints may exist depending on policy configuration:
Global endpoint exceptions
Quarantined endpoints
Endpoints that violate a policy
Global Endpoint Exceptions List
Network VirusWall Enforcer 2500 does not monitor these endpoints for policy violations. Therefore, the device never performs an assessment of these endpoints. Since these endpoints are not scanned, they are also not protected from security threats. Potential exempted endpoints may include trusted machines owned by the organization's CEO which should not be delayed. Manage Global Endpoint Exceptions from the Web console.
Quarantined Endpoints
You can configure the device to quarantine endpoints that violate the Network Virus Policy. Quarantined endpoints are endpoints identified as a source or destination of an infected packet. After an endpoint is quarantined, the device drops all network requests by the quarantined endpoint. The only traffic the quarantined endpoint receives is the quarantine notification and the remedy you specify from the Web console. View and manage quarantined endpoints from the Endpoint History page accessible from the Web console.
Endpoints that Violate a Policy
Network VirusWall Enforcer 2500 allows you to block endpoints that violate enforcement policies. You can configure the device to block and prevent endpoints from accessing the network if the endpoint violates a policy.
If you configure the device to monitor endpoints and the device detects a policy violation, the endpoint displays as an endpoint that violates a policy. However, the endpoint can still access the network with no restrictions on network traffic.
See the following pages to:
• Configure Network VirusWall Enforcer 2500 Policy Enforcement settings, page 2-3
• View Network VirusWall Enforcer 2500 log information, page 4-3

IP Address Settings

Configure the Management IP Address, Bridge IP Address, and Static Routes to minimize transfer of data through an external router.
Management IP Address
Configure the device IP address. This is the IP address you use to access the Web console to manage the device.
Bridge IP Address
Configure bridge IP addresses to allow packets to pass directly back to the device from endpoints. This list supports up to 64 entries.
An Example of When a Bridge IP Address is Necessary
In an environment where the Network VirusWall Enforcer 2500 Management IP address and the endpoint IP addresses are in the same network segment, configuring Bridge IP addresses is not necessary. See Figure 1-5 for an example. In Figure 1-5, Endpoint 1 and the Management IP address belong to the same network segment. So, the Policy Enforcement Agent assessment completes as expected.
However, if the Management IP address and the endpoint IP addresses do not belong to the same network segment, the policy enforcement assessment enters an infinite loop. For example, in Figure 1-5, Endpoint 2 and the Management IP address belong to different network segments so the assessment enters an infinite loop.
What happens:
1. Network VirusWall Enforcer (NVWE) receives traffic with Endpoint 2's IP and MAC addresses. The path of the traffic is: Endpoint 2 -> L2 Switch -> NVWE.
2. Network VirusWall Enforcer (NVWE) sends the blocking page and deploys Policy Enforcement Agent to Endpoint 2. The path of the traffic is: NVWE -> L3 Switch -> NVWE -> L2 Switch -> Endpoint 2.
3. After performing an assessment, Policy Enforcement Agent sends the results to Network VirusWall Enforcer. The path of the traffic is: Endpoint 2 -> L2 Switch -> NVWE -> L3 Switch -> NVWE. Network VirusWall Enforcer receives Endpoint 2's IP address and L3 Switch's MAC address because L3 Switch forwards the results.
4. Network VirusWall Enforcer adds a new record with Endpoint 2's IP address and L3 Switch's MAC address after receiving the results.
5. Endpoint 2 tries to refresh the page to continue, but remains in the assessment stage because the wrong data (Endpoint 2's IP address and the L3 Switch's MAC address) was stored.
FIGURE 1-5. An Example of When a Bridge IP Address is Necessary
The solution: Add a Bridge IP address and bind the address to a bridge port using the Web console.
You can add Bridge IP addresses from Administration -> IP Address Settings | Bridge IP Address(es).
What happens after you add the Bridge IP Address:
1. Network VirusWall Enforcer receives Endpoint 2 traffic.
2. Network VirusWall Enforcer (NVWE) sends the blocking page and deploys Policy Enforcement Agent to Endpoint 2 through the bridge IP address. The path of the traffic is: NVWE -> L2 Switch -> Endpoint 2.
3. After performing an assessment, Policy Enforcement Agent sends the results to Network VirusWall Enforcer through the bridge IP address.
4. Network VirusWall Enforcer receives the results and updates the state of Endpoint 2 successfully.
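The loop in the first flow and its disappearance in the second both follow from the device keying endpoint records on the (IP, MAC) pair (see Understanding Endpoints). The Python model below is an added example, not code from this manual or from the product; it replays the two flows with constructed addresses. Without a Bridge IP the PEAgent results arrive carrying the L3 switch's MAC, so the stored record never matches Endpoint 2's own (IP, MAC) and the page refresh stays in the assessment stage; with a Bridge IP in Endpoint 2's segment the results keep Endpoint 2's MAC and the refresh is released. The EndpointTable class, the assessment_outcome function and the sample addresses are assumptions made for the illustration.

```python
# Constructed sample addresses for the Figure 1-5 scenario (not from the manual).
ENDPOINT2_IP = "10.0.2.10"
ENDPOINT2_MAC = "02:00:00:00:00:02"
L3_SWITCH_MAC = "02:00:00:00:00:f3"


class EndpointTable:
    """Endpoint records keyed on the (IP, MAC) pair, the identity the manual says
    the device assigns to an endpoint. A pair is marked assessed once PEAgent
    results have been received from it (hypothetical model of the device table)."""

    def __init__(self):
        self._assessed = set()

    def store_result(self, ip, mac):
        self._assessed.add((ip, mac))

    def is_assessed(self, ip, mac):
        return (ip, mac) in self._assessed


def results_source(use_bridge_ip):
    """(IP, MAC) pair the device sees on the PEAgent results packet.

    Without a Bridge IP the results return via the L3 switch, which forwards the
    frame with its own MAC as source (steps 3-4 of 'What happens'). With a Bridge
    IP in Endpoint 2's segment the reply comes straight from Endpoint 2 over the
    L2 switch and keeps Endpoint 2's MAC (steps 3-4 after the Bridge IP is added)."""
    return (ENDPOINT2_IP, ENDPOINT2_MAC if use_bridge_ip else L3_SWITCH_MAC)


def assessment_outcome(use_bridge_ip):
    """Store the results record, then let Endpoint 2 refresh the blocking page.

    The refresh arrives through the L2 switch with Endpoint 2's own MAC, so the
    device looks it up under (ENDPOINT2_IP, ENDPOINT2_MAC). Returns the pair that
    was stored and whether the refresh is released from the assessment stage."""
    table = EndpointTable()
    stored = results_source(use_bridge_ip)
    table.store_result(*stored)
    passed = table.is_assessed(ENDPOINT2_IP, ENDPOINT2_MAC)
    return {"stored": stored, "passed": passed}


if __name__ == "__main__":
    # Without the Bridge IP the record holds the L3 switch's MAC and the refresh never passes.
    print("without Bridge IP:", assessment_outcome(False))
    # With the Bridge IP the record holds Endpoint 2's MAC and the refresh passes.
    print("with Bridge IP:   ", assessment_outcome(True))
```

The model deliberately ignores everything except the (IP, MAC) key, because that key is the only thing that differs between the two flows and is enough to explain why a Bridge IP in the endpoint's own segment resolves the loop.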
Static Routes
Configure static routes to allow packets to pass through the device to different segments in your network. This list supports up to 50 entries.
An Example of When a Bridge IP Address and Static Route is Necessary
You need to configure a Bridge IP address and Static Route if you have an environment where: the Network VirusWall Enforcer (NVWE) 2500 Management IP address and the endpoint IP addresses do not belong to the same network segment, there is a router between the device and the endpoint, and the device and endpoint belong to the same VLAN. See An Example of When a Bridge IP Address is Necessary on page 1-18 for an explanation of why a Bridge IP address is necessary.
In the example illustrated by Figure 1-6:
Endpoint 1 and Router 1’s interface 1 belong to the same network segment.
Endpoint 2 and Router 1’s interface 2 belong to the same network segment.
All devices and endpoints belong to VLAN 3.
FIGURE 1-6. An Example of When a Bridge IP Address and Static Route is Necessary
What happens and when the Bridge IP address and Static Route are used:
1. Network VirusWall Enforcer (NVWE) receives traffic with Endpoint 1's IP and Router 1's MAC addresses. The path of the traffic is: Endpoint 1 -> Router 1 -> Switch 1 -> NVWE.
2. Network VirusWall Enforcer (NVWE) needs to send packets to Endpoint 1, but they belong to different network segments. So, we add a Bridge IP address bound to VLAN 3 that is in the same network segment as Endpoint 2 and Router 1's interface 2. This allows Network VirusWall Enforcer to send packets to Endpoint 1 using the Bridge IP address. The path of the traffic is: NVWE -> Default Gateway -> NVWE -> Switch 1 -> Router 1 -> Endpoint 1.
3. The Bridge IP address and Router 1's interface 1 belong to different network segments, so the traffic goes to the default gateway first. However, traffic between NVWE and the default gateway is unnecessary. We add a Static Route and bind it to Bridge.VLAN 3. The path of the traffic is: NVWE -> Switch 1 -> Router 1 -> Endpoint 1.

SNMP

Simple Network Management Protocol (SNMP) is a set of communications specifications for managing network devices, such as bridges, routers, and hubs, over a TCP/IP network.
In the SNMP management architecture, one or more computers on the network act as a network management station (NMS) and poll the managed devices to gather information about their performance and status. Each managed device has a software module, known as an agent, which communicates with the NMS.
Security
Managed devices can protect their MIBs by granting access only to specific network management stations. One way of doing this is through authentication. Managed devices can require that all NMS's belong to a community, the name of which acts as a password that the managed devices use to authenticate management stations attempting to gain access. Additionally, the settings for a community can include access privileges, such as READ-ONLY and READ-WRITE, that are granted to network management stations.
Table 1-2 and Table 1-3 enumerate the supported Network VirusWall Enforcer 2500 SNMP specifications:
VERSION: v2c
ACCESS PRIVILEGES: READ ONLY (the GET command)
MANAGEMENT INFORMATION BASE (MIB): MIB II, with the following standard objects:
• System group
• Interfaces group
• Enterprise group, including system status and memory utilization
ACCEPTED COMMUNITY NAMES: Community names with the following characteristics:
• Default name– public
• Access privileges– READ ONLY (the get command)
• Maximum number of community names– 5
• Maximum length of community name– 33 alphanumeric characters
TRUSTED NETWORK MANAGEMENT STATIONS (NMS): Allows up to 255 specific network management station IP addresses to access the agent
TABLE 1-2. Supported SNMP Agent specifications
COMMUNITY NAMES: One community name allowed
DESTINATION NETWORK MANAGEMENT STATION (NMS) IP ADDRESSES: One NMS IP address allowed per community name
TABLE 1-3. Supported SNMP Traps specifications
SNMP Trap Limitations
The following SNMP traps limitations exist:
Version supported: 2c
Community Names: one community name allowed
Community name character limitations: 1–33 alphanumeric characters (including underscore: "_")
Destination Network Management Station (NMS) IP addresses: one NMS IP address allowed per community name
System location and System contact: 0–254 characters (ASCII 32–126, excluding "&")
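Because the community name is the only credential an SNMPv2c agent checks (see Security above), it pays to validate the SNMP configuration before enabling the agent. The Python checker below is an added example, not code from this manual or from the product. It applies the limits from Table 1-2, Table 1-3 and the list above (1–33 alphanumeric characters plus underscore, at most 5 agent community names, up to 255 trusted NMS addresses, one trap community with one destination, and 0–254 printable ASCII characters without "&" for System location and System contact) and additionally flags the documented default name public so it can be replaced with a non-default name. The function names and the sample values in the usage lines are assumptions.

```python
import ipaddress
import re

# Limits taken from Table 1-2, Table 1-3 and the SNMP Trap Limitations list.
COMMUNITY_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,33}$")   # 1-33 alphanumeric plus "_"
SYSTEM_TEXT_RE = re.compile(r"^[\x20-\x7e]{0,254}$")        # 0-254 chars, ASCII 32-126
MAX_AGENT_COMMUNITIES = 5
MAX_TRUSTED_NMS = 255
DEFAULT_COMMUNITY = "public"                                # documented default name


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_agent_settings(communities, trusted_nms, sys_location="", sys_contact=""):
    """Return a list of findings for an SNMP agent configuration; an empty list
    means it fits the documented limits and avoids the default community name."""
    findings = []
    if len(communities) > MAX_AGENT_COMMUNITIES:
        findings.append(f"{len(communities)} community names configured; "
                        f"the agent accepts at most {MAX_AGENT_COMMUNITIES}")
    for name in communities:
        if not COMMUNITY_NAME_RE.match(name):
            findings.append(f"community {name!r}: must be 1-33 alphanumeric "
                            f"characters or underscore")
        elif name.lower() == DEFAULT_COMMUNITY:
            # The community name is the read-access password (Security section),
            # so a default value that any SNMP client guesses first is worth flagging.
            findings.append(f"community {name!r} is the default name; "
                            f"choose a non-default name")
    if len(trusted_nms) > MAX_TRUSTED_NMS:
        findings.append(f"{len(trusted_nms)} trusted NMS addresses; "
                        f"the agent accepts at most {MAX_TRUSTED_NMS}")
    for ip in trusted_nms:
        if not _valid_ip(ip):
            findings.append(f"trusted NMS {ip!r} is not a valid IP address")
    for label, text in (("System location", sys_location), ("System contact", sys_contact)):
        if not SYSTEM_TEXT_RE.match(text) or "&" in text:
            findings.append(f"{label}: 0-254 printable ASCII characters, excluding '&'")
    return findings


def check_trap_settings(community, destination_nms):
    """Trap settings allow exactly one community name with one destination NMS IP."""
    findings = []
    if not COMMUNITY_NAME_RE.match(community):
        findings.append(f"trap community {community!r}: must be 1-33 alphanumeric "
                        f"characters or underscore")
    elif community.lower() == DEFAULT_COMMUNITY:
        findings.append(f"trap community {community!r} is the default name")
    if not _valid_ip(destination_nms):
        findings.append(f"trap destination {destination_nms!r} is not a valid IP address")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations (not from the manual).
    print(check_agent_settings(["public"], ["192.0.2.10"], "Rack 3", "noc@example.test"))
    print(check_agent_settings(["ops_ro"], ["192.0.2.10"], "Rack 3", "noc@example.test"))
    print(check_trap_settings("ops_trap", "192.0.2.20"))
```

Run the checks against the values you intend to enter in the Web console; the first sample prints one finding (the default community name) and the other two print empty lists.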
SNMP Traps
In addition to the standard SNMP traps, Network VirusWall Enforcer 2500 defines the following additional traps:
Cold start—Enable SNMP.
Link down—Remove connection from LAN port or fiber port.
Link up—Connection to LAN port or fiber port established.
Authentication failure—Login to the Web console or Preconfiguration console was not successful.
Shutdown—Shutting down Network VirusWall Enforcer 2500.
HA role changed—The Management device has changed from Primary to Secondary, or Secondary to Primary.
Boot to factory default—Boot to default rescue partition. This sends an SNMP trap every minute.
Boot to previous partition—Boot to previous partition by typing. This sends an SNMP trap after booting to the previous partition.
Turn on/off OPP—If Control Manager sends an OPP command to Network VirusWall Enforcer 2500, an SNMP trap is sent to notify whether OPP is on or off.
SNMP Agent Messages
In addition to the standard SNMP agent messages, Network VirusWall Enforcer 2500 defines the following additional agent messages:
nvwScanCurrConn—Concurrent scan connections.
nvwScanCurrMem—Current memory use for scans.
nvwPolicyCurrConn—Concurrent number of endpoints with Policy Enforcer Agent (PEAgent).

VLAN

A Virtual Local Area Network (VLAN) is a network consisting of endpoints that are not on the same segment of a Local Area Network (LAN) but behave as if they are on the same segment. These endpoints comprise a network in a virtual sense, through software residing on a networking device, such as a switch, which filters traffic using endpoint MAC addresses (layer 2) or IP addresses (layer 3). VLANs reduce network congestion by managing the flow of traffic between endpoints that communicate often, even if they are not on the same network segment.
Tagged and Non-tagged Frames
When a local switch on the network receives a packet, it can use the destination port, destination MAC address, or protocol to determine to which VLAN the packet belongs. When other switches receive the packet, they determine VLAN membership either implicitly (using the MAC address) or explicitly (using a tag that the first switch added to the MAC address header).
Network VirusWall Enforcer 2500 recognizes both tagged and non-tagged IEEE 802.1Q VLAN frames, thereby preserving the VLAN structure on your network.
Tip: If you use Control Manager and the Control Manager server on your network belongs to a VLAN, bind Network VirusWall Enforcer 2500 to the same VLAN (tagged or non-tagged). This will help ensure effective communication between the Control Manager server and Network VirusWall Enforcer 2500.
Native VLAN
Network VirusWall Enforcer 2500 supports the Native VLAN feature in port group settings. When you have configured a port group with a specific VLAN and Network VirusWall Enforcer receives untagged packets, the device compares the destination MAC address from the packets to the Non-VLAN traffic and specific VLAN traffic MAC address tables. Once Network VirusWall Enforcer 2500 determines the table and the matching MAC address table, NVWE sends the packets to the destination port. The packet format does not change.
Configure Native VLAN IDs from the Interface Grouping screen in the Preconfiguration console to set untagged VLANs with the Native VLAN ID.
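To make the tagged/non-tagged distinction and the Native VLAN rule concrete, the Python parser below is an added example, not code from this manual or from the product. It reads the Ethernet header, extracts the VLAN ID from the 802.1Q tag when the EtherType is 0x8100, and otherwise assigns the port group's Native VLAN ID the way the section above describes for untagged packets. It also treats a tag whose VID is 0 as priority-only and assigns it the native VLAN, which is standard 802.1Q behaviour the manual does not mention. The build_frame helper and the sample MAC addresses are constructed for the illustration.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame, native_vlan_id):
    """Parse the Ethernet header and decide which VLAN the frame belongs to.

    Tagged frames carry the VLAN ID in the 802.1Q TCI; untagged frames are
    assigned the port group's Native VLAN ID. A tag with VID 0 is priority-only
    (802.1Q, not stated in the manual) and is also placed in the native VLAN."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"dst": mac_str(dst), "src": mac_str(src), "tagged": False,
              "vlan_id": native_vlan_id, "priority": 0}
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q frame truncated before the inner EtherType")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                      # low 12 bits: VLAN identifier
        result.update(tagged=True, priority=tci >> 13,
                      vlan_id=vid if vid != 0 else native_vlan_id,
                      ethertype=inner_type, payload=frame[18:])
    else:
        result.update(ethertype=ethertype, payload=frame[14:])
    return result


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build a constructed test frame, inserting an 802.1Q tag when vlan_id is given."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is None:
        return header + struct.pack("!H", ethertype) + payload
    tci = (priority << 13) | (vlan_id & 0x0FFF)
    return header + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    # Constructed sample frames (not captured traffic).
    dst, src = "02:00:00:00:00:01", "02:00:00:00:00:02"
    body = b"\x45" + b"\x00" * 19                 # minimal stand-in for an IPv4 header
    print(classify_frame(build_frame(dst, src, ETHERTYPE_IPV4, body, vlan_id=3), 1))
    print(classify_frame(build_frame(dst, src, ETHERTYPE_IPV4, body), 1))
```

The untagged frame is reported with vlan_id equal to the Native VLAN ID passed in, while the tagged frame keeps the VLAN ID from its tag; neither path rewrites the frame, matching the statement above that the packet format does not change.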

Network VirusWall Enforcer 2500

Network VirusWall Enforcer 2500 is a high-capacity, gigabit-capable device added to the Network VirusWall product line. This model provides the following new features:
Network VirusWall Enforcer 2500 Web console
Network VirusWall Enforcer 2500 achieves high availability (HA) using the following solutions:
Redundant ports with user defined port groups
Redundant devices with user defined port groups
Fault tolerance solutions

Nine User-definable LAN Ports

Network VirusWall Enforcer 2500 offers high-performance gigabit connectivity via its 9 user-definable LAN ports (5 copper ports and 4 additional fiber-optic or copper ports).
The gigabit platform has both copper and fiber-optic interface connectivity that allows full-duplex operation in 1000Mbps mode. This high bandwidth helps protect network continuity through failopen, failover, and port and device redundancies. Configure these settings using the Preconfiguration console.

High Availability

Network VirusWall Enforcer 2500 achieves high availability (HA) using the following solutions:
Redundant ports and devices
•Failover
•Failopen
Tip: Refer to the Getting Started Guide > Understanding and Testing the Network VirusWall Enforcer 2500 Deployment section for details on how to apply a failover and failopen solution in a Network VirusWall Enforcer 2500 deployment. You can only configure failover and failopen settings from the Preconfiguration console.
Redundant Ports and Devices
Port redundancy allows you to use a redundant physical link implementation for securing maximum network uptime and reliability. A mesh network is the target topology for the redundant port solution.
In a port redundancy solution, Network VirusWall Enforcer 2500 provides two ports to connect to the up-link and downlink switches in dual paths.
Applying a port redundant solution requires the completion of the following tasks:
1. Allocate port group 1 with two (2) ports
2. Allocate port group 2 with two (2) ports
3. Configure redundancy port groups with port groups 1 and 2
To enable the failover fault-tolerance solution, redundant devices usually accompany the port redundancy configuration. In a port-redundant Network VirusWall Enforcer 2500 implementation, multiple connection paths exist, each with a redundant device, to help ensure that the connection is still viable even if one (or more) paths fail. The capacity for automatic failover means that the device can maintain normal functions despite the inevitable interruptions caused by problems with equipment. In a failover deployment, if one of the devices in a failover pair fails, the other Network VirusWall Enforcer 2500 device maintains all settings, connections, and sessions.
Port Redundancy Considerations
Consider the following points when implementing a port redundancy deployment:
A redundant group must include two port groups with different ports
Each port group can contain:
Ports and port attribute
Other port groups
Each port group can possess configurable attributes– you can choose whether to configure settings for a port group
Packets cannot be routed into different port groups
Configure the FAILOVER port as a separate port, which should not belong to any port group (see Failover Considerations for details)
Failover
The failover solution involves two identical Network VirusWall Enforcer 2500 devices– PRIMARY and SECONDARY. It is an operation that automatically sends packets through a second Network VirusWall Enforcer 2500 device if the first device fails or is temporarily shut down for servicing. You can only configure Failover and Asymmetric route settings from the Preconfiguration console.
Applying a failover solution requires the completion of the following tasks:
1. Establish the failover link between the two devices.
2. Specify a failover port for each device. The failover port should be the same port number for both devices.
3. Specify the Management device.
4. Establish a Network VirusWall Enforcer 2500 connection to other network devices.
Trend Micro™ Network VirusWall™ Enforcer 2500 Administrator’s Guide
Failover Considerations
Consider the following points when implementing a failover solution:
• A Network VirusWall Enforcer 2500 failover pair must have identical devices: same model and running the same Network VirusWall Enforcer 2500 program file and boot loader. Otherwise, the failover solution cannot work.
• Check whether the switches connected to the Network VirusWall Enforcer 2500 devices have Spanning Tree Protocol (STP) enabled. If STP is not enabled and there is a Network VirusWall Enforcer 2500 failover pair in the network, Network VirusWall Enforcer 2500 will send heavy UDP traffic broadcasts.
• Network VirusWall Enforcer 2500 disables failopen (LAN bypass) in a failover environment.
• Do not automatically update the program file for the devices in a failover pair. Doing so alters the identical settings for the failover devices, which consequently disconnects the failover link.
Failopen
The failopen or LAN bypass solution involves one Network VirusWall Enforcer 2500 device. Failopen is a fault-tolerance solution that allows the Network VirusWall Enforcer 2500 device to continue to pass traffic when a software or hardware failure occurs within the device.
In addition to previously supported cards, this release of Network VirusWall Enforcer 2500 supports 10/100/1000M copper, Sx fiber, and Lx fiber cards that also support link-state failover.
Applying a failopen solution requires the completion of the following tasks:
1. Establish a Network VirusWall Enforcer 2500 connection to other network devices
2. Enable failopen
Failopen Considerations
Consider the following points when implementing a failopen-based solution:
• If the switches on your network do not support auto MDI/MDI-X, use a crossover and non-crossover cable combination to enable failopen. Invalid cable combinations prevent Network VirusWall Enforcer 2500 from using failopen and can result in network issues. Refer to device documentation to determine whether your L2 switches support auto MDI/MDI-X.
• Failopen does not work if no power is supplied to the Network VirusWall Enforcer 2500 device (that is, the AC power receptacle is disconnected from the power outlet or actual device). However, if you have fiber bypass cards installed, the failopen function on the bypass cards will continue to work without power.
• The total length of the network cable connecting ports 1 and 2 to other devices must not exceed 100 meters (328 feet) for copper port connections.
Note: This constraint only applies to failopen deployments. The network cable connecting port 1 should not exceed 50 m, and the network cable connecting port 2 should not exceed 50 m. A cable that is longer than the maximum length prevents failopen from working because the natural electrical resistance of a copper wire greater than that slows down the signal too much.
• If you specify port grouping with failover or port redundancy with failover, the device automatically disables failopen.
• If you configure failopen with fiber bypass cards, failopen settings must be in the following pairs:
  • Ports 1 and 2
  • Ports 6 and 7
  • Ports 8 and 9
For example, you cannot set port 1 and port 6 to failopen.
• Resetting a Network VirusWall Enforcer 2500 device with failopen enabled temporarily blocks the network connection. Table 1-4 describes the behavior of failopen ports during a device reset.
Note: The thirty-second (20s) delay occurs only when resetting the device. Powering on or off the device does not cause this delay.
Time (seconds) | Process | Ports 1 and 2 status (failopen enabled) | Ports 1 and 2 status (failopen disabled)
2 | Restart the device | Disconnected | Disconnected
18 | BIOS Power-On Self Test (POST) | Connected | Connected
35 (covers the five steps from GRUB through booting the device) | Loading Grand Unified Bootloader (GRUB) | Connected | Disconnected
   | Rescue Mode | Connected | Disconnected
   | Validating the boot partition flag | Connected | Disconnected
   | Validating the system configuration file | Connected | Disconnected
   | Booting the device | Connected | Disconnected
20 | Disabling failopen and bridge learning | Disconnected | Disconnected
n/a | Preconfiguring the device | Connected | Connected
TABLE 1-4. Ports 1 and 2 status when resetting a device
Policy Prioritization and Creation
Network VirusWall Enforcer 2500 allows you to create multiple policies directed at different network segments and different types of endpoints and traffic. Network VirusWall Enforcer 2500 follows a first-match rule: once the device matches a policy to an endpoint, it stops searching for additional policy matches to that endpoint further down the policy list.
First-match Rule
Keep policies with broad settings at the bottom of the policy list and policies with specific settings higher in the list. Once an endpoint matches a policy, that is the only policy that Network VirusWall Enforcer 2500 applies.
For example, consider the following three policies in the table:
Priority | Endpoint | Destination | Scan Feature
1 | RD, Marketing | Sales | Antivirus Program Scan, System Threat Scan, Vulnerability Scan, Network Virus Policy
2 | RD, Marketing | * | Antivirus Program Scan, Network Virus Policy
3 | * | * | Network Virus Policy
TABLE 1-5. Example of correctly prioritized policies
In Table 1-5, prioritizing policies with broad settings lower in the list prevents situations where all endpoints match the policy with broad settings. Since Network VirusWall Enforcer 2500 applies only one policy to an endpoint, once a policy matches an endpoint, no further matches are made.
In Table 1-6, using the same policies from above, if you rearrange the priorities and place policies with broad settings higher in the priority list, lower priority policies may never be applied to endpoints.
Priority | Endpoint | Destination | Scan Feature
1 | * | * | Network Virus Policy
2 | RD, Marketing | * | Antivirus Program Scan, Network Virus Policy
3 | RD, Marketing | Sales | Antivirus Program Scan, System Threat Scan, Vulnerability Scan, Network Virus Policy
TABLE 1-6. Example of incorrectly prioritized policies
In Table 1-6 specifying the policy with a setting of any source (Endpoint) and any destination as the first priority means that policies with priorities 2 and 3 are never applied. The any source (Endpoint) and any destination policy matches all endpoints and the other two policies with specific settings are never applied. Even if the first policy in Table 1-6 is removed, the third policy is still never applied since the destination of the third policy is more specific than the second policy.
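The first-match rule and the policy shadowing described for Tables 1-5 and 1-6, as an added example that is not part of this guide or of the Network VirusWall Enforcer 2500 product. It models each policy's trigger as a set of source zones and destination zones (with "*" as the wildcard from the tables), selects the first matching policy in priority order, and flags any policy that a single earlier policy covers completely, which is exactly why policies 2 and 3 of Table 1-6 never apply. The zone names RD, Marketing and Sales are the ones in the tables; the other zone names passed to first_match() are constructed for the demonstration.

```python
"""First-match policy selection and shadowed-policy detection.

Added example; this is not Network VirusWall Enforcer 2500 code. It models the
first-match rule with the policies of Tables 1-5 and 1-6. Zone names RD,
Marketing and Sales come from the tables; other zones used when calling
first_match() are constructed for the demonstration.
"""
from dataclasses import dataclass

ANY = "*"  # wildcard, as written in the tables


@dataclass(frozen=True)
class Policy:
    priority: int
    endpoints: frozenset      # source zones, or {ANY}
    destinations: frozenset   # destination zones, or {ANY}
    services: tuple           # scan features the policy applies

    def matches(self, src_zone, dst_zone):
        """Trigger check for one endpoint talking to one destination zone."""
        src_ok = ANY in self.endpoints or src_zone in self.endpoints
        dst_ok = ANY in self.destinations or dst_zone in self.destinations
        return src_ok and dst_ok

    def covers(self, other):
        """True when every (source, destination) pair `other` matches, self matches too."""
        src_ok = ANY in self.endpoints or (
            ANY not in other.endpoints and other.endpoints <= self.endpoints)
        dst_ok = ANY in self.destinations or (
            ANY not in other.destinations and other.destinations <= self.destinations)
        return src_ok and dst_ok


def policy(priority, endpoints, destinations, *services):
    return Policy(priority, frozenset(endpoints), frozenset(destinations), tuple(services))


# Table 1-5: specific policies first, catch-all last
CORRECT = [
    policy(1, {"RD", "Marketing"}, {"Sales"}, "Antivirus Program Scan",
           "System Threat Scan", "Vulnerability Scan", "Network Virus Policy"),
    policy(2, {"RD", "Marketing"}, {ANY}, "Antivirus Program Scan", "Network Virus Policy"),
    policy(3, {ANY}, {ANY}, "Network Virus Policy"),
]

# Table 1-6: the same policies with the catch-all placed first
INCORRECT = [
    policy(1, {ANY}, {ANY}, "Network Virus Policy"),
    policy(2, {"RD", "Marketing"}, {ANY}, "Antivirus Program Scan", "Network Virus Policy"),
    policy(3, {"RD", "Marketing"}, {"Sales"}, "Antivirus Program Scan",
           "System Threat Scan", "Vulnerability Scan", "Network Virus Policy"),
]


def first_match(policies, src_zone, dst_zone):
    """Return the first policy (by priority) whose trigger matches; the search stops there."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(src_zone, dst_zone):
            return p
    return None


def shadowed(policies):
    """Priorities of policies that can never apply because one earlier policy covers them."""
    ordered = sorted(policies, key=lambda p: p.priority)
    return [p.priority for i, p in enumerate(ordered)
            if any(q.covers(p) for q in ordered[:i])]


if __name__ == "__main__":
    print("RD -> Sales under Table 1-5 hits policy", first_match(CORRECT, "RD", "Sales").priority)
    print("shadowed in Table 1-5:", shadowed(CORRECT))
    print("shadowed in Table 1-6:", shadowed(INCORRECT))
```

The shadow check is deliberately conservative: it reports a policy only when one earlier policy alone covers it, so a policy that is hidden by the union of several earlier policies is not reported. Run it against a policy list before deploying, and any priority it returns is a policy that will never be applied to an endpoint.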
Policy Enforcement Considerations
• Carefully set policy priority based on the first-match rule.
• Traffic from endpoints must pass through Network VirusWall Enforcer 2500 or the device will not detect the endpoint.
• You can use a switch's mirror function with the Network VirusWall Enforcer 2500 SNIFFER port feature to scan all packets on the network and monitor activity without disrupting your network architecture. Refer to the Getting Started Guide for more information about different types of ports.
• To minimize endpoint disruption and to monitor activity, select Remote login for the Endpoint installation method, Monitor for the Endpoint Action, and disable the detecting page. However, if Remote login is unsuccessful, ActiveX is used.
• If you have a DNS server on your network, ensure the following:
  • Add the Gateway and DNS IP addresses to Global Endpoint Exceptions.
  • Specify the DNS server IP addresses in the Preconfiguration console to allow the device to relay DNS queries for blocked endpoints.
• If you use a proxy server, include the Proxy port in HTTP Detection settings and the port number in the policy Authentication and Network Zones.
• If you select ActiveX for the Endpoint Installation Method, ActiveX needs to be enabled on the endpoint.
• If you select Remote Login, ActiveX for the Endpoint Installation Method, configure Remote Login Accounts and, for endpoints with Windows XP operating systems, ensure that the firewall setting allows installation through remote login.
• If you disable endpoint detection for endpoints with unidentifiable operating systems, the device will not assess endpoints with firewall software or devices, such as routers.
• If you select user authentication, you must configure LDAP settings.
• If you select Instant messaging detection, ensure you add the corresponding ports to the Authentication and Network Zones settings page. See Table 1-7 for the default ports to add to the Authentication and Network Zones settings page.
Instant Messenger Tools | TCP (All Activities) | TCP (File Transfer)
MSN™ | 1863, 443, 80 | 1863 (MSN server), random (P2P), 80 (server)
Yahoo!™ | 5050, 80, 3478 | 5050 (file negotiation), 80 (data)
ICQ™ | 5190, 80 | random (P2P), 80 (server)
AIM™ | 5190, 80 | random (P2P), 80 (server)
IRC™ | 6667 |
TABLE 1-7. Instant Messenger Ports
Note: The ICQ and AIM information listed are from the default settings. However, these ports can be easily changed.
• If you enable only ActiveX and select to assess only Trend Micro products, the Policy Enforcement Agent (PEAgent) will not install on endpoints.
• If you want to access the URL Exception page, do not type TCP port 80 in Application Protocol Detection.
• If you select the Reject packet action in Application Protocol Detection, the following occurs for:
  • TCP: TCP reset
  • UDP: ICMP Destination Port unreachable
  • ICMP: ICMP Destination Port unreachable
• If you select the Drop packet action in Application Protocol Detection, packets are dropped and may cause certain applications to stall.
• If you select the File Transfer Detection service:
  • HTTPS is not scanned.
  • ASP upload is not scanned.
  • If the action is Reject Packet, FTP downloads a file name with zero bytes.
  • If CIFS connections exist at the time of policy creation, the action may not function correctly.
• Inform endpoints of policy requirements prior to blocking them from accessing the network. If you deploy a policy that requires endpoints to have the latest vulnerability patch installed moments after the patch is released, the majority of the endpoints on your network will violate this policy.
• Selecting the monitor action for all new policies helps locate problem areas without disrupting endpoints. This is a good way to begin deploying new policies on your network.
• If you select Enable the detecting page and select a short reassessment time interval, endpoints will frequently see the detecting page and have to wait to access the network. Consider disabling the detecting page to allow scans to run in the background instead.

Sample Policy Creation

Network VirusWall Enforcer 2500 architecture is different from previous releases of the Network VirusWall 2500 product line. In Network VirusWall Enforcer 2500, administrators create policies to detect whether any endpoint, or a group of endpoints, sending traffic through the device violates or complies with these policies. Configuring a policy to determine whether any endpoint or a group of endpoints violates or complies with security settings is a major feature in Network VirusWall Enforcer 2500. See First-match Rule on page 1-33 for more information.
Before you create policies, consider the services you want to apply to an endpoint and the type of endpoints to assess. For example, endpoints in Group A need to have antivirus software (the corresponding service is Antivirus Program Scan) and endpoints in Group B need to update all security patches to prevent vulnerabilities (the corresponding service is Vulnerability Scan).

Policy Scenario 1: Authenticated users need to have antivirus software and Guest users need to have a certain registry key.

This example requires three policies: one for authenticated users, one for guest users, and one catchall.
Sample Policy 1: Authenticated users
For the first policy, a network zone that includes all IP addresses in the network is necessary. We add the "Internal Endpoint" network zone to the Network Zones list from the Web console.
FIGURE 1-7. Sample Policy 1: Authenticated users Step 2
In Step 2:
• Select Enable user authentication and Apply policy to authenticated users to apply this policy to authenticated users.
• Specify the "Internal Endpoints" network zone as the Source.
• Select Any destination.
FIGURE 1-8. Sample Policy 1: Authenticated users Step 3
In Step 3:
• Select Antivirus Program Scan and all of the antivirus applications in the list.
• Select Block non-compliant endpoints to block endpoints that do not have any of these applications installed.
• Select Log policy violation and Notify endpoints about policy violations to record the violation and send a blocking page to the endpoint with a notification message.
FIGURE 1-9. Sample Policy 1: Authenticated users Step 4
In Step 4:
• Select Enable Network Virus Scan.
• Select Log policy violation and Notify endpoints about policy violations to record the violation and send a blocking page to the endpoint with a notification message.
Sample Policy 2: Guest users
For the second policy, specify the required registry key if guest users try to access endpoints belonging to the network.
FIGURE 1-10. Sample Policy 2: Guest users Step 2
In Step 2:
• Select Enable user authentication and Apply this policy to guest users.
• Select Any source.
• Select "Internal Endpoints" as the Destination.
FIGURE 1-11. Sample Policy 2: Guest users Step 3
In Step 3:
• Select Registry Key Scan and add the registry key as required.
• Select Block non-compliant endpoints to block endpoints that do not have any of these applications installed.
• Select Log policy violation and Notify endpoints about policy violations to record the violation and send a blocking page to the endpoint with a notification message.
FIGURE 1-12. Sample Policy 2: Guest users Step 4
In Step 4:
• Select Enable Network Virus Scan.
• Select Log policy violation and Notify endpoints about policy violations to record the violation and send a blocking page to the endpoint with a notification message.
Sample Policy 3: Catchall
When you create this policy, do not select Enable user authentication in Step 2 and ensure that settings are configured to Any or All. Select all of the Services from Policy 1 and Policy 2. This policy should always remain in last priority due to the first-match rule. Any policy that has a lower priority than this policy never applies to endpoints.
FIGURE 1-13. Example of incorrect prioritization resulting in a policy that never applies to endpoints
The second policy in this example never applies to endpoints since the higher priority policy's Trigger settings are any source, any destination, and all TCP/UDP ports. Network traffic that passes through Network VirusWall Enforcer 2500 always matches the higher priority policy. Since Network VirusWall Enforcer applies only one policy to each endpoint, once a match is made, no additional policies are applied.
Policy Scenario 2: Ensure that all endpoints have Windows XP Service Pack 2 installed.
This example requires a policy that ensures that endpoints with Windows XP operating systems have Service Pack 2 installed.
To create a policy that ensures that endpoints with Windows XP operating systems have Service Pack 2 installed:
1. Create a policy that specifies a persistent agent installation on endpoints.
FIGURE 1-14. Policy Scenario 2: Step 1
2. For this policy, configure a network zone that includes all IP addresses of endpoints with Windows XP operating systems. You can click Add from Step 2 of the Add Policy screens to configure a new Network Zone.
FIGURE 1-15. Policy Scenario 2: Add a Network Zone
3. Specify the Windows XP network zone as the Source and the Destination as any to apply this policy to the Windows XP endpoints.
FIGURE 1-16. Policy Scenario 2: Step 2
4. Select the Registry Key Scan service.
FIGURE 1-17. Policy Scenario 2: Step 3
5. Add the registry value for Service Pack 2 as a required registry key.
FIGURE 1-18. Policy Scenario 2: Add the required registry key
6. Confirm that the required registry key displays in the Registry Key Scan list.
7. Click Save.
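How a Registry Key Scan service like the one built in Policy Scenario 2 classifies an endpoint, as an added example that is not part of this guide or of the Network VirusWall Enforcer 2500 product. It checks a required registry entry (the Service Pack 2 value of this scenario) and a prohibited entry (the "Windows Firewall, Prohibited" detail listed for Registry Key Scan in Table 1-12), then maps the result onto the Block non-compliant endpoints or Monitor action. The guide does not name the Service Pack 2 registry value; the CSDVersion value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion is this example's assumption, the firewall key is a constructed placeholder, and the endpoint registry snapshots are constructed.

```python
r"""Registry Key Scan compliance check.

Added example; this is not Network VirusWall Enforcer 2500 code. It models how a
Registry Key Scan service with one required entry (Policy Scenario 2) and one
prohibited entry (Table 1-12: "Windows Firewall, Prohibited") classifies an
endpoint and what the Block versus Monitor action does with the result.
Assumption: Windows records the installed service pack in the CSDVersion value
under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (the guide does not name
the value). FIREWALL_KEY and the endpoint snapshots are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

SP_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"   # assumed, see docstring
FIREWALL_KEY = r"HKLM\SOFTWARE\Example\FirewallOverride"         # constructed placeholder


@dataclass(frozen=True)
class RegistryRule:
    key: str
    value_name: str
    expected: Optional[str] = None   # required value; None accepts any present value
    prohibited: bool = False         # True: the entry must NOT be present


def normalize(snapshot):
    """Lower-case key paths and value names: registry lookups are case-insensitive."""
    return {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in snapshot.items()}


def evaluate(snapshot, rules):
    """Return (compliant, violations) for one endpoint registry snapshot."""
    reg = normalize(snapshot)
    violations = []
    for r in rules:
        actual = reg.get(r.key.lower(), {}).get(r.value_name.lower())
        if r.prohibited:
            if actual is not None:
                violations.append(f"prohibited entry present: {r.key}\\{r.value_name}")
        elif actual is None or (r.expected is not None and actual != r.expected):
            violations.append(f"required entry missing or wrong: {r.key}\\{r.value_name}")
    return not violations, violations


def decide(snapshot, rules, action="Block non-compliant endpoints"):
    """Map the compliance result onto the policy action: 'allow', 'block' or 'monitor'."""
    compliant, _ = evaluate(snapshot, rules)
    if compliant:
        return "allow"
    # Monitor records the violation but lets the endpoint through.
    return "block" if action == "Block non-compliant endpoints" else "monitor"


SCENARIO_2_RULES = [
    RegistryRule(SP_KEY, "CSDVersion", expected="Service Pack 2"),
    RegistryRule(FIREWALL_KEY, "Disabled", prohibited=True),
]

# Constructed endpoint snapshots: key path -> {value name: data}
XP_SP2 = {SP_KEY: {"CSDVersion": "Service Pack 2", "ProductName": "Microsoft Windows XP"}}
XP_SP1 = {SP_KEY: {"CSDVersion": "Service Pack 1", "ProductName": "Microsoft Windows XP"}}
XP_SP2_FW_OFF = {SP_KEY: {"CSDVersion": "Service Pack 2"}, FIREWALL_KEY: {"Disabled": "1"}}

if __name__ == "__main__":
    for name, snap in (("XP SP2", XP_SP2), ("XP SP1", XP_SP1), ("XP SP2, firewall off", XP_SP2_FW_OFF)):
        print(name, "->", decide(snap, SCENARIO_2_RULES), evaluate(snap, SCENARIO_2_RULES)[1])
```

Used with the Monitor action first, as the enforcement considerations recommend, decide() reports non-compliant endpoints without blocking them; switching the action to Block non-compliant endpoints once the violation list is understood changes the outcome for those endpoints to "block".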

Sample Deployment Scenarios

Install Network VirusWall Enforcer 2500 on a network that contains Ethernet devices such as switches, routers, and hubs. Deploy the device between a switch that leads to the public network and an edge switch that protects a segment of the Local Area Network (LAN). You can also install the device between an edge switch and a hub. This section includes 3 sample deployment scenarios and 1 sample policy configuration based on the first deployment scenario.

Deployment Scenario I: Standard Network

In this sample deployment scenario Network VirusWall Enforcer 2500:
• Protects the public server farm: the Network Virus Policy feature scans all traffic and Policy Enforcement applies to remote endpoints. Apply a remedy to endpoints that violate the policy.
• Protects an internal server farm: the Network Virus Policy feature scans all traffic.
• Is located between the switch and WAN module: the Network Virus Policy feature scans all traffic and pairs of devices enable failover.
• Is located between the distribution switch and access switch: the Network Virus Policy feature scans all traffic and Policy Enforcement applies to all hosts.
• Protects a small branch office: the Network Virus Policy feature scans all traffic and Policy Enforcement applies to all hosts.
Note: In a three-level environment, it is best not to place Network VirusWall Enforcer 2500 between the core switch and distribution layer.
FIGURE 1-19. Standard Network Mode Scenario

Deployment Scenario II: Global Site

In this sample deployment scenario, Network VirusWall Enforcer 2500:
• Protects the data center: the Network Virus Policy feature scans all traffic and Policy Enforcement applies to remote hosts. Apply a remedy to endpoints that violate the policy.
• Is located between the core switch and WAN module: the Network Virus Policy feature scans all traffic and pairs of devices enable failover.
• Is located between the core switch and access switches: the Network Virus Policy feature scans all traffic and pairs of devices enable failover. Apply a remedy to endpoints that violate the policy.
FIGURE 1-20. Global Site Scenario

Deployment Scenario III: Very Large Enterprise or Internet Service Provider

In this sample deployment scenario, the network is very large and the WAN protocol may be used. You can place Network VirusWall Enforcer in either of the following:
• Between the border routers and core routers: the Network Virus Scan feature scans all traffic. Enable asymmetric routing support (BGP) and enable high availability features.
• Between routers and switches: the Network Virus Scan feature scans all traffic and policy enforcement applies to endpoints. Enable asymmetric routing support (BGP) and enable high availability features.
FIGURE 1-21. Very large enterprise or Internet Service Provider Scenario

Sample Policy Configuration

This section provides three sample policy configurations for Deployment Scenario I: Standard Network on page 1-50. To protect each area of the network, create different policies based on area and type of access. For this example, we want to do the following:
• Configure policies to protect the public server farm
• Configure policies to scan packets going between the distribution switch and access switch
Server Farm Policies
This section includes a few sample policies that apply to the public server farm. Policies in the public server farm should address remote (VPN) endpoints and scan for network viruses.
The first policy, Table 1-8, specifically handles all traffic originating from payment processing since the public server farm can be used for billing purposes.
Endpoint Settings
  Policy name: Priority Connection to Farm
  Policy comment: The priority of this should always be before "Server Farm" due to the first match rule in policies.
  Agent type: Agentless
  Agent deployment method: ActiveX
  Compliant endpoint reassessment: 1 day
  Non-compliant endpoint reassessment: 15 minutes
Authentication and Network Zones Settings
  Authentication: Default settings (check boxes are clear)
  Endpoint Network Zones: Payment Processing
  Packet Destination Network Zones: Any Network Zone
  TCP Protocol Ports
    Specific ports: 80,443,25,110,143,21
  UDP Protocol Ports
    Specific ports: 69,137,138,138,445
  Daily Schedule: Everyday
  Hourly Schedule: All Day
Network Virus Policy Settings
  Network Virus Scan
    Action: Drop packet
    Remedy: None
  Log policy violations
TABLE 1-8. Priority 1: Sample Public Server Farm Policy Scenario
The second policy, Table 1-9, is necessary to handle all other traffic.
Endpoint Settings
  Policy name: Server farm
  Policy comment: The priority of this should always be after "Priority Connection to Farm" due to the first match rule in policies.
  Agent type: Agentless
  Agent deployment method: ActiveX
  Compliant endpoint reassessment: 1 day
  Non-compliant endpoint reassessment: 15 minutes
Authentication and Network Zones Settings
  Authentication: Default settings (check boxes are clear)
  Endpoint Network Zones: Any Network Zone
  Packet Destination Network Zones: Any Network Zone
  TCP Protocol Ports
    Specific ports: 80,443,25,110,143,21
  UDP Protocol Ports
    Specific ports: 69,137,138,138,445
  Daily Schedule: Everyday
  Hourly Schedule: All Day
Network Virus Policy Settings
  Network Virus Scan
    Action: Quarantine endpoint
    Remedy: Start Damage Cleanup
  Log policy violations
TABLE 1-9. Priority 2: Sample Public Server Farm Policy Scenario
The last policy, Table 1-10, handles all cases not covered by the other policies.
Endpoint Settings
  Policy name: Catch All
  Policy comment: The priority of this should always be last to address all other cases.
  Agent type: Agentless
  Agent deployment method: ActiveX
  Compliant endpoint reassessment: 1 day
  Non-compliant endpoint reassessment: 15 minutes
Authentication and Network Zones Settings
  Authentication: Default settings (check boxes are clear)
  Endpoint Network Zones: Any Network Zone
  Packet Destination Network Zones: Any Network Zone
  TCP Protocol Ports
    All ports
  UDP Protocol Ports
    All ports
  Daily Schedule: Everyday
  Hourly Schedule: All Day
Network Virus Policy Settings
  Network Virus Scan
    Action: Quarantine endpoint
    Remedy: Start Damage Cleanup
  Log policy violations and notify endpoints about policy violations
TABLE 1-10. Priority 3: Sample Public Server Farm Policy Scenario
WARNING! Because of the first match rule, keep the first policy at a higher priority than the second policy, and always keep the third policy last. Once a host matches a trigger for a policy, the device does not apply any other policies to that host.
Distribution Switch and Access Switch Policies
This section includes a few sample policies that apply to the distribution switch and access switch. Policies on this device should address endpoint hosts and scan for network viruses. You can configure these policies with the assumption that another Network VirusWall Enforcer 2500 device is between the core switch and WAN module.
The first policy, Table 1-11, specifically handles all traffic from Guest hosts. Deploy Real-time Scan as a remedy to ensure that their computers do not introduce security threats into the network.
Endpoint Settings
  Policy name: Guest
  Policy comment: This policy should be above authenticated users if using agentless detection.
  Agent type: Agentless
  Agent deployment method: ActiveX
  Endpoint operating system: Disable endpoint detection for non-Windows operating systems
  Compliant endpoint reassessment: 1 day
  Non-compliant endpoint reassessment: 15 minutes
Authentication and Network Zones Settings
  Authentication: Apply policy to authenticated users
  Endpoint Network Zones: Any Network Zone
  Packet Destination Network Zones: Any Network Zone
  TCP Protocol Ports
    All ports
  UDP Protocol Ports
    All ports
  Daily Schedule: Everyday
  Hourly Schedule: All Day
TABLE 1-11. Priority 1: Sample Distribution Switch and Access Switch Policy Scenario
Enforcement Policy Settings
  Antivirus Program Scan
    Action: Block non-compliant endpoints
    Remedy: Deploy Real-time Scan
    Details: 56 Antivirus Products
  System Threat Scan
    Action: Block non-compliant endpoints
  Vulnerability Scan
    Action: Block non-compliant endpoints
    Remedy: Redirect to URL
    Details: Highly critical vulnerabilities, Critical vulnerabilities, and Important vulnerabilities
  Log policy violations and notify endpoints about policy violations
Network Virus Policy Settings
  Network Virus Scan
    Action: Quarantine endpoint
    Remedy: Start Damage Cleanup
  Log policy violations and notify endpoints about policy violations
Network Application Settings
  File Transfer Detection
    Action: Reject packet
    Details: Windows file transfer, HTTP file transfer
  Log policy violations and notify endpoints about policy violations
TABLE 1-11. Priority 1: Sample Distribution Switch and Access Switch Policy Scenario (continued)
The second policy, Table 1-12, specifically handles all traffic from Authenticated hosts. These are hosts that regularly access the network.
Endpoint Settings
  Policy name: Authenticated users
  Policy comment: This policy should be below guest and above policies that do not use the authentication feature.
  Agent type: Persistent Agent
  Agent deployment method: Remote login, ActiveX
  Compliant endpoint reassessment: 1 day
  Non-compliant endpoint reassessment: 15 minutes
Authentication and Network Zones Settings
  Authentication: Apply policy to authenticated users
  Endpoint Network Zones: Any Network Zone
  Packet Destination Network Zones: Any Network Zone
  TCP Protocol Ports
    Specific ports: 80,443,25,110,143,21
  UDP Protocol Ports
    Specific ports: 80,443,25,110,143,21
  Daily Schedule: Everyday
  Hourly Schedule: All Day
TABLE 1-12. Priority 2: Sample Distribution Switch and Access Switch Policy Scenario
Enforcement Policy Settings
  Antivirus Program Scan
    Action: Block non-compliant endpoints
    Remedy: Redirect to URL
    Details: 56 Antivirus Products
  Antivirus Version Scan
    Action, if detected: Monitor
    Details: 2 versions old
  System Threat Scan
    Action: Block non-compliant endpoints
  Vulnerability Scan
    Action: Block non-compliant endpoints
    Remedy: Redirect to URL
    Details: Highly critical vulnerabilities, Critical vulnerabilities, and Important vulnerabilities
  Registry Key Scan
    Action: Block non-compliant endpoints
    Remedy: None
    Details: Windows Firewall, Prohibited
  Log policy violations and notify endpoints about policy violations
Network Virus Policy Settings
  Network Virus Scan
    Action: Quarantine endpoint
    Remedy: Start Damage Cleanup
  Log policy violations and notify endpoints about policy violations
Network Application Settings
  File Transfer Detection
    Action: Reject packet
    Details: Windows file transfer, FTP file transfer
  Log policy violations and notify endpoints about policy violations
TABLE 1-12. Priority 2: Sample Distribution Switch and Access Switch Policy Scenario (continued)
The last policy, Table 1-13, handles all cases not covered by the other policies.
Endpoint Settings
  Policy name: Catch All
  Policy comment: The priority of this should always be last to address all other cases.
  Agent type: Agentless
  Agent deployment method: ActiveX
  Compliant endpoint reassessment: 1 day
  Non-compliant endpoint reassessment: 15 minutes
Authentication and Network Zones Settings
  Authentication: Default settings (check boxes are clear)
  Endpoint Network Zones: Any Network Zone
  Packet Destination Network Zones: Any Network Zone
  TCP Protocol Ports
    All Ports
  UDP Protocol Ports
    All Ports
  Daily Schedule: Everyday
  Hourly Schedule: All Day
Enforcement Policy Settings
  Antivirus Program Scan
    Action: Block non-compliant endpoints
    Remedy: Redirect to URL
    Details: 56 Antivirus Products
  System Threat Scan
    Action: Block non-compliant endpoints
  Vulnerability Scan
    Action: Block non-compliant endpoints
    Remedy: Redirect to URL
    Details: Highly critical vulnerabilities, Critical vulnerabilities, and Important vulnerabilities
  Registry Key Scan
    Action: Block non-compliant endpoints
    Remedy: None
    Details: Windows Firewall, Prohibited
  Log policy violations and notify endpoints about policy violations
TABLE 1-13. Priority 3: Sample Distribution Switch and Access Switch Policy Scenario
Network Virus Policy Settings
  Network Virus Scan
    Action: Quarantine endpoint
    Remedy: Start Damage Cleanup
  Log policy violations and notify endpoints about policy violations
Network Application Settings
  File Transfer Detection
    Action: Reject packet
    Details: Windows file transfer, FTP file transfer
  Log policy violations and notify endpoints about policy violations
TABLE 1-13. Priority 3: Sample Distribution Switch and Access Switch Policy Scenario (continued)
It is important to keep the authentication policies at a higher priority than policies that do not use the authentication feature. Once a host matches a trigger for a policy, the device does not apply any other policies to that host. This means that if two otherwise identical policies are in the list, and the higher priority policy does not use the authentication feature whereas the lower priority policy does, no hosts will ever match the second policy.
Chapter 2

Configuring Policy Enforcement and Device Settings

This chapter describes the management tools that you can use to take advantage of Network VirusWall Enforcer 2500 virus-scanning capabilities, which include scan options, enforcement policies, settings, and device tasks.
Network VirusWall Enforcer 2500 provides three management tools that let you easily configure its settings. See Table 1-1 to understand the configuration options allowable from the available management tools.
The topics discussed in this chapter include:
Getting Started with Network VirusWall Enforcer 2500 on page 2-2
Configuring Policy Enforcement Settings on page 2-2
Configuring Device and System Settings on page 2-18
Using Tools on page 2-28
Trend Micro™ Network VirusWall™ Enforcer 2500 Administrator’s Guide

Getting Started with Network VirusWall Enforcer 2500

Trend Micro recommends performing the following tasks after preconfiguring a Network VirusWall Enforcer 2500 device and testing a successful deployment:
Update components (see page 3-1)
Modify the Preconfiguration console accounts
Modify the Administrative Accounts from the Web console
Tip: Refer to the Getting Started Guide for details on how to preconfigure and test a successful Network VirusWall Enforcer 2500 deployment.

Configuring Policy Enforcement Settings

This section includes the following topics:
Configuring Policy Enforcement Settings on page 2-3
Configuring Network Zones on page 2-12
Configuring the URL List on page 2-13
Specifying Global Endpoint Exceptions on page 2-14
Configuring Endpoint Notifications on page 2-14
Configuring OfficeScan Settings on page 2-15
HTTP Detection Settings on page 2-16
Remote Login Accounts on page 2-16
Exporting and Importing Policy Data on page 2-17

Configuring Policy Enforcement Settings

Create policies to assess the status of endpoint:
antivirus product installations
system folders
vulnerabilities
registry keys
application protocols
instant messaging
file transfers
Configure settings to pass, block, or redirect different types of endpoint traffic. Perform the following steps to create and configure a policy:
Step 1: Create a New Policy.
Step 2: Configure Authentication Settings.
Step 3: Configure the Enforcement Policy.
Step 4: Configure the Network Virus Policy.
Step 5: Configure the Network Application Policy.
Step 6: Configure Policy URL Exceptions.
Note: See Policy Enforcement Considerations on page 1-34 for important information about policy rules and priorities before you create a policy.
Step 1: Create a New Policy
1. From the main menu, click Policy Enforcement. The drop down menu displays.
2. Click Policies from the drop down menu. The Policies screen displays.
3. Click Add from the Policies screen. The Add Policy screen displays.
4. Type a policy name in the Policy name text box.
5. Type a comment to describe this policy in the Comment text box. (This is optional.)
6. Specify the Policy Enforcement Agent setting by selecting one of the following:
a. Agentless—a one-time install/terminate.
b. Persistent agent—an agent that remains on the endpoint computer.
7. Specify the Endpoint installation method by selecting one of the following:
a. Remote login, ActiveX—installs the Policy Enforcement Agent (PEAgent) to the endpoint computer without confirmation from the endpoint. (Configure Remote Login Accounts if you select this option.) The device installs the PEAgent using ActiveX if Remote Login does not complete successfully.
Note: If you have configured your network with an account and password that has domain administrator privileges, you can use this account and password for remote deployment to endpoints belonging to that domain.
b. ActiveX—Policy Enforcement Agent (PEAgent) installation requires confirmation from the endpoint.
8. Select Disable endpoint detection for non-Windows operating systems to not assess endpoints with non-Windows operating systems.
9. Select Disable endpoint detection for unidentifiable operating systems to not assess endpoints when the device is unable to identify the operating system.
Note: If you select this option, Network VirusWall Enforcer 2500 will not scan endpoints that have enabled the firewall feature on their computers. For example, if endpoints with Windows XP Service Pack 2 have enabled the firewall feature, the device allows traffic from those endpoints to pass through and does not protect those endpoints.
10. Specify the Reassess compliant endpoints after time interval.
11. Specify the Reassess non-compliant endpoints after time interval.
12. Click Next.
Step 2: Specify Authentication and Network Zones
1. Specify the Authentication Settings to apply this policy towards authenticated users or guest users. You do not have to enable this feature. However, if you do enable this feature, you must create another policy with the same Trigger (Authentication and Network Zone) settings to ensure that endpoints that do not pass authentication will match a policy. (See Sample Policy Creation on page 1-37 for an example.)
a. Select the Enable user authentication checkbox.
b. Select either Apply policy to authenticated users or Apply policy to guest users.
Note: Configure LDAP settings if you select Enable user authentication. See Configuring LDAP Settings on page 2-25 for more information. If you create one policy for authenticated users, create a policy that applies to users that are not authenticated.
2. Specify the Endpoint Network Zone to apply this policy to traffic from a specified network segment.
3. Specify the Packet Destination Network Zones to apply this policy to traffic going to a specified network segment.
4. Specify the TCP/UDP Protocol Ports to apply this policy to. To apply this policy to specific ports, select Specific ports and type port numbers or port ranges in the text box.
5. Specify a Schedule for this policy. Use this feature to restrict policies to be effective on certain days or hours. For example, if you select a schedule of 8:00 A.M. to 7:00 A.M., the policy is disabled from 7:00 A.M. to 8:00 A.M.
6. Click Save.
Step 3: Specify Enforcement Policy
Specify the services by selecting the check box next to the scan to perform:
1. Antivirus Program Scan—Use this feature to scan for antivirus software
installation on endpoints.
a. Select the Antivirus Program Scan check box.
b. Select the check box next to products to detect. To assess Trend Micro products only, select the Assess Trend products only using networking protocols checkbox. (Remote detection is used if you select this option or if you select only Trend Micro products from the list.)
c. Specify the Endpoint Action by selecting one of the following:
i. Monitor—allow traffic to continue to destination
ii. Block non-compliant endpoints—you can select a Remedy from None, Deploy Real-time Scan to scan the endpoint computer, or Redirect to URL to a URL where the endpoint may rectify the violation. If you select Redirect to URL, you have the option of limiting the number of pages the endpoint can navigate from the specified URL by selecting Allow off-page navigation and Link depth.
2. Antivirus Version Scan—Use this feature to require endpoints to keep the
antivirus pattern versions updated.
a. Select the Antivirus Version Scan check box.
b. Specify the acceptable pattern version by selecting one of the following:
i. Require the latest virus pattern file—require the endpoint to keep the virus pattern updated.
ii. Allow virus pattern files that are—you can specify up to four versions old.
c. Specify the Endpoint Action by selecting one of the following:
i. Monitor—allow traffic to continue to destination
ii. Block non-compliant endpoints—you can select a Remedy from None or Redirect to URL to a URL where the endpoint may rectify the violation. If you select Redirect to URL, you have the option of limiting the number of pages the endpoint can navigate from the specified URL by selecting Allow off-page navigation and Link depth.
3. System Threat Scan—Use this feature to scan for system threats. This feature does not scan for file-based viruses; instead, it scans for security threats in memory.
Note: If you select persistent agent and System Threat Scan service in a policy, the device may not scan the endpoint more than once. However, if you select the agentless option, the device scans the endpoint at each reassessment time interval.
a. Select the System Threat Scan check box.
b. Specify the Endpoint Action by selecting one of the following:
i. Monitor—allow traffic to continue to destination
ii. Block non-compliant endpoints—you can select a Remedy from None or Redirect to URL to a URL where the endpoint may rectify the violation. If you select Redirect to URL, you have the option of limiting the number of pages the endpoint can navigate from the specified URL by selecting Allow off-page navigation and Link depth.
4. Vulnerability Scan—Use this feature to scan for known vulnerabilities. You need to manually select new vulnerabilities in the vulnerability list when the vulnerability list updates.
a. Select the Vulnerability Scan check box.
b. Select the type of vulnerabilities to scan. Click on the vulnerability risk rating to select individual vulnerabilities.
c. Specify the Endpoint Action by selecting one of the following:
i. Monitor—allow traffic to continue to destination
ii. Block non-compliant endpoints—you can select a Remedy from None or Redirect to URL to a URL where the endpoint may rectify the violation. If you select Redirect to URL, you have the option of limiting the number of pages the endpoint can navigate from the specified URL by selecting Allow off-page navigation and Link depth.
5. Registry Key Scan—Use this feature to scan for required and prohibited software by using registry key information.
a. Select the Registry Key Scan checkbox.
b. Click Add. The Check Registry For screen displays.
c. Type the Display Name.
d. Specify if this is a Required registry key or a Prohibited registry key.
Note: Required registry keys are those that you want endpoints to have on their computers. Prohibited registry keys are those that you do not want endpoints to have on their computers.
e. Type the Registry Key.
f. Select Value name to check the value.
g. Select Value and select from String or DWord.
h. Click OK. The window closes and the registry key displays in the list.
i. Specify the Endpoint Action by selecting one of the following:
i. Monitor—allow traffic to continue to destination
ii. Block non-compliant endpoints—you can select a Remedy from None or Redirect to URL to a URL where the endpoint may rectify the violation. If you select Redirect to URL, you have the option of limiting the number of pages the endpoint can navigate from the specified URL by selecting Allow off-page navigation and Link depth.
6. Select Log policy violations to record log entries in the Endpoint History log.
7. Select Notify endpoints about policy violations to send messages to endpoints
that violate the policy.
8. Click Next.
Step 4: Specify Network Virus Policy
1. Select the Enable Network Virus scan check box to detect network viruses in packets that pass through the device.
a. Specify the Action, when detected by selecting one of the following:
i. Monitor endpoints—allows traffic to continue to destination
ii. Drop packets—drops the packet
iii. Quarantine endpoint—drops the packet and blocks the endpoint from accessing the network.
b. Specify the Remedy, when detected by selecting one of the following:
i. None
ii. Start Damage Cleanup
2. Select Log policy violations to record log entries in the Endpoint History log.
3. Click Next.
Step 5: Specify Network Application Policy
Specify the service by selecting the check box next to the scan to perform:
1. Application protocol detection—Use this feature to scan specific TCP or UDP ports or port ranges.
a. Select the Application Protocol Detection check box.
b. In the TCP port text box, type the TCP ports or port ranges to scan.
c. In the UDP port text box, type the UDP ports or port ranges to scan.
d. Select the ICMP checkbox to assess ICMP.
Note: To use ICMP, ensure you select All ports in the TCP and UDP Protocol Ports Settings.
e. Specify an Endpoint Action by selecting one of the following:
i. Monitor endpoints—allow traffic to continue to destination.
ii. Reject packets—rejects the packet.
iii. Drop packets—drops the packet.
2. Instant messaging detection—Use this feature to assess instant messenger software activity.
a. Select the Instant messaging detection check box.
b. Select the instant messaging software to detect by selecting from the following:
i. MSN—you can select to scan File transfer activity or All activity.
ii. Yahoo—you can select to scan File transfer activity or All activity.
iii. ICQ/AIM—you can select to scan File transfer activity or All activity.
iv. IRC—the device can only scan all activity.
c. Specify an Endpoint Action by selecting one of the following:
i. Monitor endpoints—allow traffic to continue to destination.
ii. Reject packets—rejects the packet.
iii. Drop packets—drops the packet.
3. File transfer detection—Use this feature to assess file transfer activity. Do not combine a Files to assess entry of *.* with HTTP file transfer; this combination may prevent access to the Internet.
a. Select the File Transfer Detection check box.
b. Select from Windows file transfer, HTTP file transfer, FTP file transfer to assess.
c. Type the files to quarantine next to Files to assess and the files to allow next to Exception.
d. Specify an Endpoint Action by selecting one of the following:
i. Monitor endpoints—allow traffic to continue to destination.
ii. Reject packets—rejects the packet.
4. Select Allow Control Manager to modify Network Application Policy settings when an outbreak occurs if you use a Control Manager server to manage your products. The policy temporarily changes to the Control Manager specified policy and reverts to the original policy on this page after an outbreak.
5. Select Log policy violations to record log entries in the Endpoint History log.
6. Click Next.
Step 6: Policy URL Exceptions
Specify URL exceptions to allow endpoints to access URLs that help remedy policy violations.
You may use wildcards when you specify URLs. Network VirusWall Enforcer 2500 supports * wildcards to allow you to match multiple URLs with a single entry. To allow access to deeper links, include a wildcard at the end of the URL. For example, http://www.trendmicro.com/*.
Using * in an expression
To represent one or more unknown characters, follow these guidelines:
*lock—matches: block, clock, glock, plock, and flock (but not lock)
Trend*Micro—matches: Trend Micro, Trend-Micro, Trend_Micro (but not TrendMicro)
block*—matches: blocking, blocked, blocker, blocks, blockhead, block-point (but not block)
To specify policy URL Exceptions:
1. Select URLs from the list or create new URLs.
2. To create new URLs:
a. Click Add. The ADD URL List displays.
b. Type the Name, optional Comment, and URL.
c. Click Add to. The URL displays in the table.
d. Click Save. The window closes.
3. Select the new URL from the list and add it to Selected URL Lists.
4. Click Next.
5. View the details of this policy from the Review policy screen and click Save.
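How the Step 3 services combine into one endpoint decision, shown as an added Python example rather than the device's own code: each selected service yields compliant or not, the Monitor action only records a violation, and the Block action blocks the endpoint and collects the remedy offered for that service (the Antivirus Version check allows a pattern up to the configured number of versions old, and a Registry Key rule is met when a Required key is present or a Prohibited key is absent). The class and field names, the vulnerability identifiers, the registry key paths and the sample postures are all constructed for illustration.

```python
"""Added example, not Trend Micro's code: combining enforcement-policy services."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Service:
    """One service row: whether it is selected, and its Endpoint Action and Remedy."""
    enabled: bool = False
    action: str = "monitor"   # "monitor" = allow traffic; "block" = block non-compliant endpoints
    remedy: str = "none"      # "none", "realtime_scan" or "redirect_url"

@dataclass
class RegistryRule:
    display_name: str
    key: str
    required: bool                    # True = Required key, False = Prohibited key
    value_name: Optional[str] = None  # also check a value under the key
    value: Optional[str] = None       # expected String/DWord content, when given

@dataclass
class EnforcementPolicy:
    av_scan: Service = field(default_factory=Service)
    av_products: Set[str] = field(default_factory=set)    # products selected for detection
    av_version: Service = field(default_factory=Service)
    max_versions_old: int = 0                              # 0 = require the latest pattern (up to 4)
    system_threat: Service = field(default_factory=Service)
    vuln_scan: Service = field(default_factory=Service)
    vulns_selected: Set[str] = field(default_factory=set)  # vulnerability ids selected for scanning
    registry_scan: Service = field(default_factory=Service)
    registry_rules: List[RegistryRule] = field(default_factory=list)

@dataclass
class Posture:
    """What the agent reports about one endpoint (constructed sample data)."""
    av_products: Set[str]
    pattern_version: int
    threat_in_memory: bool
    vulns_present: Set[str]
    registry: Dict[str, Dict[str, str]]   # key path -> {value name: value}

@dataclass
class Decision:
    blocked: bool
    violations: List[str]
    remedies: List[str]

def registry_rule_met(rule: RegistryRule, registry: Dict[str, Dict[str, str]]) -> bool:
    """Required keys must be present (with the value, if one is given); Prohibited keys must be absent."""
    values = registry.get(rule.key)
    present = values is not None
    if present and rule.value_name is not None:
        present = (rule.value_name in values and
                   (rule.value is None or values[rule.value_name] == rule.value))
    return present if rule.required else not present

def evaluate(policy: EnforcementPolicy, posture: Posture, latest_pattern: int) -> Decision:
    """Run every selected service; Monitor records the violation, Block also blocks
    the endpoint and collects the remedy offered for that service."""
    checks = [
        (policy.av_scan, "antivirus program", bool(policy.av_products & posture.av_products)),
        (policy.av_version, "antivirus version",
         latest_pattern - posture.pattern_version <= policy.max_versions_old),
        (policy.system_threat, "system threat", not posture.threat_in_memory),
        (policy.vuln_scan, "vulnerability", not (policy.vulns_selected & posture.vulns_present)),
    ] + [(policy.registry_scan, "registry key: " + r.display_name,
          registry_rule_met(r, posture.registry)) for r in policy.registry_rules]
    decision = Decision(blocked=False, violations=[], remedies=[])
    for service, name, compliant in checks:
        if not service.enabled or compliant:
            continue
        decision.violations.append(name)
        if service.action == "block":
            decision.blocked = True
            if service.remedy != "none" and service.remedy not in decision.remedies:
                decision.remedies.append(service.remedy)
    return decision

# Constructed policy in the spirit of Table 1-13: block with a remedy URL for the
# antivirus and vulnerability checks, block without a remedy for the others.
SAMPLE_POLICY = EnforcementPolicy(
    av_scan=Service(True, "block", "redirect_url"), av_products={"ProductA", "ProductB"},
    av_version=Service(True, "block", "redirect_url"), max_versions_old=4,
    system_threat=Service(True, "block"),
    vuln_scan=Service(True, "block", "redirect_url"), vulns_selected={"VULN-CRIT-1", "VULN-HIGH-2"},
    registry_scan=Service(True, "block"),
    registry_rules=[RegistryRule("Corporate agent", r"HKLM\SOFTWARE\Example\Agent", True, "Installed", "1"),
                    RegistryRule("Prohibited tool", r"HKLM\SOFTWARE\Example\ProhibitedTool", False)],
)
COMPLIANT = Posture({"ProductA"}, 120, False, set(), {r"HKLM\SOFTWARE\Example\Agent": {"Installed": "1"}})
STALE = Posture({"ProductA"}, 114, False, {"VULN-HIGH-2"},
                {r"HKLM\SOFTWARE\Example\Agent": {"Installed": "1"},
                 r"HKLM\SOFTWARE\Example\ProhibitedTool": {}})
```

Calling evaluate(SAMPLE_POLICY, STALE, latest_pattern=120) blocks the endpoint for three reasons (a pattern six versions old, a selected vulnerability, a prohibited key) with a single Redirect to URL remedy; with a service switched to monitor the violation is still recorded in the result but nothing is blocked, which is the logging-only behaviour of the Monitor action.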

Configuring Network Zones

Using Network Zones to group IP and MAC addresses with Network VirusWall Enforcer 2500 ports allows you to apply policies to traffic to or from specific segments of your network.
Perform the following tasks to create a network zone:
Configure General settings
Configure Interfaces / VLAN settings
Configure Exceptions settings
Configuring General Settings
This is the first task in configuring a network zone to help manage network security. Network Zone Considerations:
If you do not specify any IP/MAC addresses, the network zone includes all IP/MAC addresses.
If you do not select any interfaces, the network zone includes all the interfaces.
If you do not specify any exceptions, the network zone does not include any exceptions.
To configure General network zone settings:
1. Click Policy Enforcement from the side menu. The drop down menu displays.
2. Click Network Zones from the drop down menu. The Network Zones screen displays.
3. Click Add. The Add Network Zones screen displays.
4. Type the Name of the network zone and optional Comment under General.
5. Select IP address or MAC address under IP/MAC Address.
6. Type IP or MAC addresses in the text box.
7. Click Add to. The information displays in the table.
8. Click Save.
Configuring Interfaces / VLAN settings
This is the second task in configuring a network zone to help manage network security.
To configure Interfaces / VLAN settings:
1. Click the Interfaces / VLAN tab. The Interfaces / VLAN screen displays.
2. Select the ports for the network zone under Customize Interface Settings. You cannot select unavailable ports.
Note: Selecting no ports is the same as selecting all ports.
3. Specify the VLAN Settings by selecting All tagged and untagged VLAN IDs, All tagged VLAN IDs, or Specific VLAN IDs.
If you select Specific VLAN IDs you may type multiple VLAN IDs in the text box.
4. Click Save.
Configuring Exception Settings
This is the last task in configuring a network zone to help manage network security.
To configure Exception settings:
1. Click the Exception tab. The Exception screen displays.
2. Select IP address or MAC address under Network Zone Exception.
3. Type IP or MAC addresses in the text box.
4. Click Add to. The information displays in the table.
5. Click Save.
View the details of the network zone you created from the Network Zones screen.
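The three tasks above define one membership rule, which this added Python example (not Trend Micro's code) spells out in the order the considerations list implies: exceptions are excluded first, an empty address list or interface set means all, and the VLAN mode is applied last. Accepting CIDR blocks alongside single IP addresses, the class and field names, and the sample zone values are assumptions made here.

```python
"""Added example, not Trend Micro's code: network zone membership."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

def _ip_listed(ip: str, entries: List[str]) -> bool:
    """True when ip is one of the entries; entries may be single addresses or,
    as an assumption made here, CIDR blocks such as 10.0.1.0/24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def _mac_listed(mac: str, entries: List[str]) -> bool:
    return mac.lower() in {e.lower() for e in entries}

@dataclass
class NetworkZone:
    name: str
    ip_addresses: List[str] = field(default_factory=list)   # General tab; [] = all addresses
    mac_addresses: List[str] = field(default_factory=list)
    interfaces: Set[int] = field(default_factory=set)       # Interfaces / VLAN tab; set() = all ports
    vlan_mode: str = "all"        # "all" = tagged and untagged, "tagged" = all tagged, "specific"
    vlan_ids: Set[int] = field(default_factory=set)         # used when vlan_mode == "specific"
    exception_ips: List[str] = field(default_factory=list)  # Exception tab
    exception_macs: List[str] = field(default_factory=list)

    def contains(self, ip: str, mac: str, port: int, vlan_id: Optional[int] = None) -> bool:
        """Decide whether traffic from (ip, mac) seen on device port `port` belongs to
        this zone; vlan_id None means the frame arrived untagged."""
        if _ip_listed(ip, self.exception_ips) or _mac_listed(mac, self.exception_macs):
            return False                                   # exceptions always win
        if (self.ip_addresses or self.mac_addresses) and not (
                _ip_listed(ip, self.ip_addresses) or _mac_listed(mac, self.mac_addresses)):
            return False                                   # an address list was given and ip/mac is not on it
        if self.interfaces and port not in self.interfaces:
            return False                                   # a port selection was given and this port is not in it
        if self.vlan_mode == "tagged":
            return vlan_id is not None
        if self.vlan_mode == "specific":
            return vlan_id is not None and vlan_id in self.vlan_ids
        return True

# Constructed sample zone: one access subnet on ports 3 and 4, VLAN 100 only,
# with a single host (for example a printer) carved out as an exception.
ACCESS_ZONE = NetworkZone(
    name="access-switch",
    ip_addresses=["10.0.1.0/24"],
    interfaces={3, 4},
    vlan_mode="specific", vlan_ids={100},
    exception_ips=["10.0.1.99"],
)
```

A zone created with no addresses, no ports and the default VLAN mode contains every endpoint, exactly as the considerations list states, so such a zone used as an Endpoint Network Zone behaves like Any Network Zone; the exception check running first is what makes an excepted host stay out even when it falls inside a listed address range.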

Configuring the URL List

Specify URL exceptions to allow endpoints to access URLs that help remedy policy violations. This list can be used when you create policies to specify exceptions.
The URL exceptions list supports the * wildcard. Typing http://www.*.com allows access to the root directory. Specify access to deeper links by typing http://www.*.com/*.
To add to the URL List:
1. Click Policy Enforcement from the side menu. The drop down menu displays.
2. Click URL List from the drop down menu. The URL List screen displays.
3. Click Add. The Add URL List screen displays.
4. Type the Name, optional Comment, and URL.
5. Click Add to. The URL displays in the table.
6. Click Save. The URL List screen displays.
View the details of the new URL exception you’ve just created from the URL List screen. Use the URL List screen to manage all URL exceptions.
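The * rule stated under Step 6 (Policy URL Exceptions) and again in this section, as an added Python example that is not Trend Micro's code: * stands for one or more characters and every other character is literal, so http://www.*.com admits the root page of a host while http://www.*.com/* is needed for deeper links. Whether * may span a / is not stated in the guide; this example lets it, and the sample exception entries are constructed.

```python
"""Added example, not Trend Micro's code: URL-list wildcard matching."""
import re
from typing import List, Pattern

def wildcard_to_regex(pattern: str) -> Pattern:
    """Translate a URL-list entry into an anchored regular expression.
    Every character except * is literal; each * becomes .+ (one or more
    characters, so *lock does not match lock). Assumption: * may span a /."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".+".join(pieces) + "$")

def wildcard_match(pattern: str, text: str) -> bool:
    return wildcard_to_regex(pattern).match(text) is not None

def url_permitted(url: str, url_list: List[str]) -> bool:
    """True when at least one exception entry matches the whole URL."""
    return any(wildcard_match(entry, url) for entry in url_list)

# Constructed exception list: root page of any www host, plus everything
# under one remedy host.
REMEDY_URLS = ["http://www.*.com", "http://www.trendmicro.com/*"]
```

Two consequences worth checking before saving a list: under the one-or-more rule a URL with a trailing slash and nothing after it (http://www.trendmicro.com/) matches neither form, so add the root form as well if endpoints are redirected there; and a * in the host position that can span / also matches a URL on a different host whose path happens to end in .com, so prefer entries that name the remedy host explicitly.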

Specifying Global Endpoint Exceptions

Specify Global Endpoint exceptions to ensure that certain computers or network segments are not scanned. Policy Enforcement assessments will not scan any Global Endpoint exceptions.
To add to the Global Endpoint Exceptions:
1. Click Policy Enforcement from the side menu. The drop down menu displays.
2. Click Global Endpoint Exceptions from the drop down menu. The Global Endpoint Exceptions screen displays.
3. Select IP address or MAC address under Global Endpoint Exception List.
4. Type IP or MAC addresses in the text box.
5. Click Add to. The information displays in the table.
6. Click Save.
WARNING! Endpoints belonging to the Global Endpoint Exception list are not protected by Network VirusWall Enforcer 2500.

Configuring Endpoint Notifications

Configure Endpoint Notifications to inform endpoints of policy violations. Specify notifications to send as Web Notifications or Windows Messenger Service Notifications.
To configure Endpoint Notifications:
1. Click Policy Enforcement from the side menu. The drop down menu displays.
2. Click Endpoint Notifications from the drop down menu. The Endpoint Notifications screen displays.
3. Click the notification to configure under Notification Type. The Message screen displays.
4. Type changes to the default message directly in the text box. Click Preview.
5. Click Save when the message displays correctly.
To configure Endpoint Notification Settings:
1. Click Policy Enforcement from the side menu. The drop down menu displays.
2. Click Endpoint Notifications from the drop down menu. The Endpoint Notifications screen displays.
3. Click the Settings tab.
4. Select to display the Trend default look and feel or Custom to specify the Page Title, Title Text color, and Banner color.
5. Select whether to enable or disable the detecting page. If you disable the detecting page, the endpoint may not be aware that the device is making an assessment.
Note: You may configure the appearance of Endpoint Notifications by selecting the
Settings tab from the Endpoint Notifications screen.

Configuring OfficeScan Settings

The device can assess whether endpoints have antivirus software installed. If you use OfficeScan to protect your network, specify the port to use to communicate with OfficeScan.
To specify the OfficeScan detection port:
1. Click Policy Enforcement from the main menu. The Policy Enforcement menu displays.
2. Click OfficeScan Settings from the Policy Enforcement menu. The OfficeScan Detection screen displays.
3. Type the port number next to Trend Micro OfficeScan port(s). Use a comma to separate ports.
4. Click Save.

HTTP Detection Settings

Specify the HTTP ports to allow the device to detect HTTP traffic.
To add a port for HTTP detection:
1. Click Policy Enforcement from the main menu. The Policy Enforcement menu displays.
2. Click HTTP Detection Settings from the Policy Enforcement menu. The HTTP Detection Settings screen displays.
3. Type the port number next to Port and type an optional comment.
4. Click Add to. The port is added to the current list on the right.
5. Click Save.

Remote Login Accounts

To use the remote login feature for deploying the PEAgent to endpoints, you must configure remote login accounts. Windows 95, 98, ME, and XP Home operating systems do not support remote login. For operating systems that do not support remote login, agent installation will use ActiveX instead.
To add a remote login account:
1. Click Policy Enforcement from the main menu. The Policy Enforcement menu displays.
2. Click Remote Login Accounts from the Policy Enforcement menu. The Remote Login Accounts screen displays.
3. Click Add. The Add Remote Login Account screen displays.
4. Select the Enable this account checkbox.
5. Type the User ID, Password, Confirm (the password), and optional Comment.
6. Click Save.
Note: You can specify a User ID with [0-9], [a-z], [A-Z], [ @ ], [ - ], [ . ], [ _ ], [ \ ], and [ / ]. You can specify a password with all alphanumeric characters and symbols, except [ " ], [ ‘ ], and [ \ ]. The following format must be used if you want to specify a domain account as the User ID: domain\testuser, or domain/testuser, or testuser@zone.
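The character rules and the three domain-account formats in the note above, as an added Python example that is not the device's own validation: the User ID is checked against the listed character set, the password against alphanumerics and symbols minus the three excluded characters, and a domain account is split into its domain and user parts. Treating whitespace as disallowed in passwords, and the function names, are assumptions made here.

```python
"""Added example, not Trend Micro's code: remote login account input checks."""
import re
import string
from typing import Optional, Tuple

# User ID: [0-9], [a-z], [A-Z], @, -, ., _, \ and /
USER_ID_RE = re.compile(r"^[0-9A-Za-z@\-._\\/]+$")
# Password: alphanumerics and symbols, except " ' and \ (whitespace excluded; an assumption here)
PASSWORD_ALLOWED = set(string.ascii_letters + string.digits + string.punctuation) - set("\"'\\")

def valid_user_id(user_id: str) -> bool:
    return bool(USER_ID_RE.match(user_id))

def valid_password(password: str) -> bool:
    return bool(password) and all(c in PASSWORD_ALLOWED for c in password)

def split_domain_account(user_id: str) -> Tuple[Optional[str], str]:
    """Return (domain, user) for domain\\user, domain/user or user@zone, and
    (None, user) for a local account. Raises ValueError when the User ID uses
    characters outside the allowed set or the domain or user part is empty."""
    if not valid_user_id(user_id):
        raise ValueError("User ID contains characters outside the allowed set")
    for sep in ("\\", "/"):
        if sep in user_id:
            domain, user = user_id.split(sep, 1)   # domain\user or domain/user
            break
    else:
        if "@" in user_id:
            user, domain = user_id.rsplit("@", 1)  # user@zone
        else:
            return None, user_id                    # local account
    if not domain or not user:
        raise ValueError("domain and user name must both be non-empty")
    return domain, user
```

Validating the account at entry time, before it is saved on the device, means a rejected User ID never reaches the remote deployment step, where a malformed domain prefix would simply make remote login fail and silently fall back to the ActiveX installation path described under Step 1.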

Exporting and Importing Policy Data

You can export policy data for backup purposes or for deploying policy data to another Network VirusWall Enforcer 2500 device. Import policies from another Network VirusWall Enforcer 2500 device to quickly replicate policy settings. When you import a policy file, the policy file overwrites all current policy settings.
To export Policies:
1. Click Policy Enforcement from the side menu. The drop down menu displays.
2. Click Export/Import Policy Data from the drop down menu. The Export/Import Policy Data screen displays.
3. Click Export under Export Policies. A File Download screen displays.
4. Select Save and specify the location to save the policy data to.
5. Click Save.
To import Policies:
1. Click Policy Enforcement from the side menu. The drop down menu displays.
2. Click Export/Import Policy Data from the drop down menu. The Export/Import Policy Data screen displays.
3. Click Browse under Import Policies. The Choose File screen displays.
4. Select the file to import and click Open. Network VirusWall Enforcer 2500 resets after the import completes.

Configuring Device and System Settings

This section includes the following topics:
Configuring Access Control on page 2-18
Using Backup Configuration on page 2-19
Performing Device Tasks on page 2-21
Replacing the HTTPS Certificate on page 2-24
Configuring IP Address Settings on page 2-24
Configuring LDAP Settings on page 2-25
Configuring Proxy Settings on page 2-26
Configuring SNMP Settings on page 2-26

Configuring Access Control

Configure Access Control settings to help keep undesired users from accessing Network VirusWall Enforcer 2500.
Restricting SSH Console Access
Enable or disable SSH console access from the Access Control screen on the Web console.
From the Preconfiguration console, you must connect to Network VirusWall Enforcer 2500 using a direct console connection to change SSH console access.
IP Addresses Restriction
Enable IP address access from the Access Control screen on the Web console. Specify IP addresses to allow to access the Web console.

Configuring Administrative Accounts

Configure Administrative Accounts to manage Network VirusWall Enforcer 2500. There are three kinds of accounts in Network VirusWall Enforcer:
Operator accounts—can view configuration information from the Web console, but cannot log on to the Preconfiguration console.
Power User accounts—can view configuration information from the Web and Preconfiguration consoles.
Administrator accounts—have complete access to the Web and Preconfiguration consoles.
To add an administrative account:
1. Click Administration from the main menu. The Administration menu displays.
2. Click Administrative Accounts from the Administration menu. The Administrative Accounts screen displays.
3. Click Add. The Add Administrative Account screen displays.
4. Type the User ID, Password, and Confirm (the password).
5. Select the Privileges.
6. Click Save.

Using Backup Configuration

You can export configuration data for backup purposes or for deploying configuration data to another Network VirusWall Enforcer 2500 device. Import a configuration file from another Network VirusWall Enforcer 2500 device to quickly replicate configuration settings. When you import a configuration file, the configuration file overwrites all current policy and network settings.
To back up the configuration file:
1. Click Administration from the side menu. The drop down menu displays.
2. Click Backup Configuration from the drop down menu. The Backup Configuration screen displays.
3. Click Backup under Backup Configuration File. A File Download screen displays.
4. Select Save and specify the location to save the configuration file to.
5. Click Save.
To restore the configuration file:
1. Click Administration from the side menu. The drop down menu displays.
2. Click Backup Configuration from the drop down menu. The Backup Configuration screen displays.
3. Click Browse under Restore Configuration File. The Choose File screen displays.
4. Select the file to import and click Open. Network VirusWall Enforcer 2500 resets after the import completes.
Importing and Exporting the Configuration File from the Preconfiguration console
Use the Preconfiguration console to import and export the Network VirusWall Enforcer 2500 configuration. This allows easy replication of existing Network VirusWall Enforcer 2500 settings from one Network VirusWall Enforcer 2500 to other devices of the same model and locale settings.
Note: Importing or exporting the configuration is not possible when using Minicom or SSH.
To import the configuration file:
1. Access the Network VirusWall Enforcer 2500 Preconfiguration console (see Getting Started Guide > Logging on to the Preconfiguration Console for instructions).
2. Type 8 in the main menu. The System Tasks submenu appears.
3. Type 3 to import the configuration file. A confirmation screen appears.
4. Type y to continue.
Note: Refer to the Getting Started Guide for detailed information on using the preconfiguration menu through the Preconfiguration console.
To export the configuration file:
1. Access the Network VirusWall Enforcer 2500 Preconfiguration console (see Getting Started Guide > Logging on to the Preconfiguration Console for instructions).
2. Type 8 in the main menu. The System Tasks submenu appears.
3. Type 4 to export the configuration file. A confirmation screen appears.
4. Type y to continue.
Note: Refer to the Getting Started Guide for detailed information on using the preconfiguration menu through the Preconfiguration console.

Performing Device Tasks

If an emergency arises whereby you want to isolate your network, you can lock Network VirusWall Enforcer 2500 to block all traffic that would normally pass through the device. Likewise, if you are experiencing problems with Network VirusWall Enforcer 2500, you can power on the UID LED or perform a reset.
Turning On the UID LED
Use the Device Tasks screen to turn on the UID LED. Turning on the UID LED allows you to identify a Network VirusWall Enforcer 2500 device to maintain or troubleshoot. This option is useful especially if you have multiple Network VirusWall Enforcer 2500 devices mounted on a rack wall.
Turn on the UID LED through the UID button on the front panel of the device. The UID LED becomes blue when the UID button is pressed. See UID LED and button on page 2-21.
FIGURE 2-1. UID LED and button (figure callouts: UID button, UID LED)
To turn on the UID LED through the UID button:
Press the UID button on the front panel of the device. The UID LED becomes blue.
Locking Network VirusWall Enforcer 2500
The Device Tasks screen allows you to lock Network VirusWall Enforcer 2500, which performs the same function as physically disconnecting the device from the network. Unlock Network VirusWall Enforcer 2500 later to bring the device back online.
To set the network traffic lock:
1. Click Administration.
2. Click Device Tasks.
3. Click Lock.
Take note of the following scenarios:
If the device is powered off, failopen is enabled, and network traffic lock is enabled, traffic passes through the failopen ports (ports 1 and 2, and possibly 6, 7, 8, and 9 if you have installed bypass cards)
If the device is powered on, failopen is enabled, and network traffic lock is enabled, traffic is not allowed to pass through the device
Resetting Network VirusWall Enforcer 2500
Reset Network VirusWall Enforcer 2500 if you experience any problems or if the Control Manager management console prompts you to perform a reset.
Reset Network VirusWall Enforcer 2500 through the:
Preconfiguration console (see page 2-23)
RESET button on the front panel of the device (see page 2-23)
Web console (see page 2-23)
Any of the following actions invokes a device reset:
Manually resetting the device by following one of the procedures listed on page 2-23
Importing the configuration file through the Preconfiguration console or the Web console.
Automatically or manually updating the Network VirusWall Enforcer 2500 program file (versions that require a reset) through the Web console.
If the device detects any of the above actions and failopen is in use, the device temporarily disconnects ports 1 and 2 for approximately thirty seconds (30s). See Table 1-4 for details.
Note: The thirty-second (30s) delay only occurs when resetting the device. Powering the device on or off does not cause this delay.
To reset the device through the preconfiguration menu:
1. Access the Network VirusWall Enforcer 2500 Preconfiguration console (see Getting Started Guide > Logging on to the Preconfiguration Console for instructions).
2. Select item 8 in the main menu. The System Tasks submenu appears.
3. Select item 6 to reset the device. A confirmation screen appears.
4. Select OK to continue.
Note: Refer to the Getting Started Guide for detailed information on using the preconfiguration menu through the Preconfiguration console.
To reset the device with the Reset button:
Press the Reset button on the front panel of the device. Network VirusWall Enforcer 2500 resets.
To reset the device through the Web console:
1. Click Administration.
2. Click Device Tasks.
3. Click Reset Now.
4. Confirm the reset when prompted.