Table Of Contents
McAfee ePolicy Orchestrator Devices
Configure ePolicy Orchestrator 4.0 to Generate Required Data
Configure ePolicy Orchestrator 3.5 and 3.6 to Generate Required Data
Add and Configure ePolicy Orchestrator Server in MARS
Add ePO Agents From File
McAfee ePolicy Orchestrator Devices
The McAfee ePolicy Orchestrator (ePO) is a central management application for many McAfee products. Antivirus (AV) devices provide detection and prevention against known viruses and anomalies, as do host-based IPS solutions. MARS can receive event data for the following devices managed by ePO:
• McAfee VirusScan 8.0(I)/8.5(I)
• McAfee HIPS 6.0 (via ePO 3.6.x)
• McAfee HIPS 7.0 (via ePO 4.0)
Configuring MARS to receive and process the data generated by a McAfee ePolicy Orchestrator server requires two procedures, with an optional third:
• Configure the ePO server to forward SNMP traps to MARS.
• Define the ePO server in the MARS web interface.
• (Optional) Export a list of ePO agents from the ePO server and import that list as agents of the ePO server you defined in MARS. This step is not required, because MARS dynamically discovers the managed agents as the ePO server forwards the events they generate.
Caution 
Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server.
This chapter contains the following topics:
• Configure ePolicy Orchestrator 4.0 to Generate Required Data
• Configure ePolicy Orchestrator 3.5 and 3.6 to Generate Required Data
• Add and Configure ePolicy Orchestrator Server in MARS
Configure ePolicy Orchestrator 4.0 to Generate Required Data
To prepare the ePolicy Orchestrator server to forward SNMP events to MARS, follow these steps:
Step 1
Select Start > Program Files > Network Associates > ePolicy Orchestrator 4.x Console.
Step 2
In the tree, select McAfee Security > ePolicy Orchestrator, and click the Log on to server link under Global Task List.
Step 3
In the Log On to Server dialog box, enter the user name and password required to access the ePolicy Orchestrator server, and click Log on.
Step 4
Click Automation, and then click the SNMP Servers subtab.
Step 5
Click New SNMP Server.
Step 6
Specify the following values, and click OK:
• Name—Enter the hostname of the Local Controller.
• Server address—Enter the IP address of the eth0 interface, the monitoring interface for the MARS Appliance.
The SNMP server is added to represent the MARS Appliance.
Step 7
Click the Notification Rules subtab.
The list of active notification rules appears.
Step 8
Edit each enabled rule in the list so that all notifications are sent to the SNMP server that represents the MARS Appliance. To edit a rule, follow these steps:
a.
Click the rule.
The Describe Rule wizard page appears.
b.
Click Next to proceed to the Set Filters page.
c.
Under Add or Edit Notification Rule, click the 3. Set Thresholds link.
Figure 30-1 Set Threshold Values
d.
Verify that the Aggregation and Throttling values are set as shown in Figure 30-1.
e.
Click Next to proceed to the Create Notifications page.
Figure 30-2 Notification Rule Builder: Notifications Step
f.
In the SNMP server list, select the SNMP server that represents the MARS Appliance.
g.
Verify that all the variables are selected as shown in Figure 30-2, and click Next.
h.
Click Save to add the SNMP trap to the list of notifications for the selected rule.
i.
Click Finish to save the changes to the selected rule.
j.
Repeat a. through i. for each rule.
Configure ePolicy Orchestrator 3.5 and 3.6 to Generate Required Data
To prepare the ePolicy Orchestrator server to forward SNMP events to MARS, follow these steps:
Step 1
Select Start > Program Files > Network Associates > ePolicy Orchestrator 3.x Console.
Step 2
In the tree, select McAfee Security > ePolicy Orchestrator, and click the Log on to server link under Global Task List.
Step 3
In the Log On to Server dialog box, enter the username and password required to access the ePolicy Orchestrator server, and click OK.
Step 4
In the tree, select McAfee Security > ePolicy Orchestrator > <Server_Name> > Notifications, click the Configuration tab, and then click the SNMP Servers link.
Step 5
Click Add.
Step 6
In the Name field, enter the hostname of the MARS Appliance.
Step 7
In the Server address field, enter the IP address of the eth0 interface, the monitoring interface for the MARS Appliance, and click OK.
The SNMP server is added to represent the MARS Appliance.
Step 8
Click the Rules tab.
You can also reach the Rules tab by selecting McAfee Security > ePolicy Orchestrator > <Server_Name> > Notifications and then clicking the Rules tab.
Step 9
Edit each rule in the list so that all notifications are sent to the SNMP server that represents the MARS Appliance. To edit a rule, follow these steps:
a.
Click the rule.
The Describe Rule wizard page appears.
b.
Click Next to proceed to the Set Filters page.
c.
Under Add or Edit Notification Rule, click the 3. Set Thresholds link.
Figure 30-3 Set Threshold Values
d.
Verify that the Aggregation and Throttling values are set as shown in Figure 30-3.
e.
Click Next to proceed to the Create Notifications page.
f.
Click Add SNMP Trap.
Figure 30-4 SNMP Trap Settings
g.
In the SNMP server list, select the SNMP server that represents the MARS Appliance.
h.
Verify that all the variables are selected as shown in Figure 30-4.
i.
Click Save to add the SNMP trap to the list of notifications for the selected rule.
j.
Click Finish to save the changes to the selected rule.
k.
Repeat a. through j. for each rule.
Add and Configure ePolicy Orchestrator Server in MARS
Before MARS can begin processing SNMP traps from ePolicy Orchestrator, you must define the ePolicy Orchestrator server as software running on a host. When ePolicy Orchestrator is defined as a reporting device, MARS can process any inspection rules that you have defined using ePolicy Orchestrator event types.
After you add the ePolicy Orchestrator server to MARS, the appliance can discover the agents that are managed by the ePolicy Orchestrator server as events are generated by those agents. You do not need to manually define the agents associated with this server.
To add an ePolicy Orchestrator server to MARS, follow these steps:
Step 1
Select Admin > System Setup > Security and Monitor Devices > Add.
Step 2
From the Device Type list, select Add SW Security apps on a new host.
Step 3
In the Device Name field, enter the hostname of the server.
Step 4
In the Reporting IP field, enter the IP address of the interface in the ePolicy Orchestrator server from which SNMP traps will originate.
Step 5
Under Enter interface information, enter the interface name, IP address, and netmask value of the interface in the ePolicy Orchestrator server from which the SNMP traps will originate.
This address is the same value as the Reporting IP address.
Step 6
Click Apply.
Step 7
Click Next to move to the Reporting Applications tab.
Step 8
In the Select Application field, select McAfee ePO 3.5, McAfee ePO 3.6.x, or McAfee ePO 4.0, and then click Add.
Step 9
Click Done to save the changes.
Step 10
Click Submit.
Step 11
To activate the device, click Activate.
Dynamic discovery of agents is supported. MARS discovers the agents by identifying the originating device in the SNMP traps; therefore, an agent is discovered once the ePO server forwards an SNMP trap that originated from that device.
You are not limited to dynamic discovery for populating agents. For details on manually importing agents into MARS, see Add ePO Agents From File.
Add ePO Agents From File
You can add the complete list of hosts on which ePO agents are installed by exporting the all hosts report from the ePolicy Orchestrator server and importing that file into MARS. The only advantage of adding agents from an export file is that the first notification received from an agent is not attributed to the ePO server itself.
Note
For 3.6.x and 4.0 releases, you can import reporting agents using a CSV file exported from ePO. In 4.0, you can export from the ePO user interface. In 3.6.x, you can export from the database. Refer to the documentation that came with your product for instructions on exporting a CSV file from ePO.
Caution 
Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server.
To add ePO agents from a file, follow these steps:
Step 1
Click Admin > Security and Monitoring Devices.
Step 2
From the list of devices, select the host running ePolicy Orchestrator server, and click Edit.
Step 3
Click the Reporting Applications tab, select McAfee ePO 3.6.x or McAfee ePO 4.0 in the Device Type list, and click Edit.
Step 4
Click Load From File.
Caution 
The file must be tab-delimited; you cannot use a CSV file. To generate a tab-delimited file of the ePO agents managed by the ePolicy Orchestrator server, see the documentation that came with your ePolicy Orchestrator product.
Step 5
In the IP Address field, enter the address of the FTP server where you stored the exported hosts file.
Step 6
In the User Name field, enter the name of the account used to authenticate to the FTP server.
Step 7
In the Password field, enter the password that corresponds to the account specified in Step 6.
Step 8
In the Path field, enter the path to the folder where the file is stored. If the file is stored in the root folder, you must specify a backslash (\) in this field. The format of this value is \<path_here>\.
Step 9
In the File Name field, enter the name of the tab-delimited file.
Step 10
Click Submit.
The following message is displayed, and the hosts are added as agents of the ePolicy Orchestrator server:
Step 11
Click Done.
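The Note above says ePO 4.0 exports the host list as CSV, while the Caution says MARS only loads a tab-delimited file, and the earlier Caution says the agent running on the MARS Appliance itself must never be defined as an agent. The following Python script is an added example, not part of the Cisco or McAfee documentation, that converts a CSV export into the tab-delimited form and drops rows that would violate those rules. The sample export, its column layout (host name in the first column, the agent's IPv4 address in some other column) and the MARS hostname and eth0 address are all constructed assumptions; the real export's columns depend on the ePO release.

```python
import csv
import io
import ipaddress

# Constructed sample of an ePO "all hosts" CSV export (not real ePO output).
# Column layout is an assumption for illustration: the first column is the
# host name and one of the other columns carries the agent's IPv4 address.
SAMPLE_EPO_CSV = """Host Name,IP Address,OS
ws-001,10.1.2.11,Windows XP
ws-002,10.1.2.12,Windows XP
mars-lc1,10.1.2.250,Linux
,10.1.2.13,Windows 2003
ws-004,not-an-ip,Windows 2003
"""

# Assumed hostname and eth0 address of the MARS Appliance. The agent running
# on the monitoring device server must not be defined in MARS.
MARS_HOSTNAME = "mars-lc1"
MARS_ETH0_IP = "10.1.2.250"


def is_ipv4(value):
    """True if the cell holds a syntactically valid IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def convert_epo_export(csv_text, mars_hostname, mars_ip):
    """Convert a CSV host export into the tab-delimited layout MARS loads.

    Returns (tsv_text, skipped): the tab-delimited text (header preserved)
    and a list of (row, reason) tuples for rows that were not written.
    """
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return "", []
    header, body = rows[0], rows[1:]

    out = io.StringIO()
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    writer.writerow(header)

    skipped = []
    for row in body:
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank line in the export, nothing to report
        hostname = cells[0]
        if not hostname:
            skipped.append((row, "missing host name"))
            continue
        if not any(is_ipv4(c) for c in cells):
            skipped.append((row, "no valid IPv4 address"))
            continue
        # Drop the agent on the MARS Appliance itself, matched by either its
        # hostname or its eth0 address, as the Caution in the procedure requires.
        if hostname.lower() == mars_hostname.lower() or mars_ip in cells:
            skipped.append((row, "agent on the MARS Appliance"))
            continue
        writer.writerow(cells)
    return out.getvalue(), skipped


if __name__ == "__main__":
    tsv, skipped = convert_epo_export(SAMPLE_EPO_CSV, MARS_HOSTNAME, MARS_ETH0_IP)
    print(tsv, end="")
    for row, reason in skipped:
        print("skipped %r: %s" % (row, reason))
```

Run the script against the real export instead of the constructed sample, review the skipped rows before uploading the result to the FTP server named in Step 5, and confirm the header line matches what your MARS release expects for Load From File.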