manualshive.com logo in svg

McAfee MAP-3300-SWG - Web Security Appliance 3300, Product Manual

The McAfee MAP-3300-SWG - Web Security Appliance 3300 is a cutting-edge product designed to enhance online security. To ensure its optimal use, a comprehensive Product Manual is available for download, free of charge, from our website. Get valuable insights and instructions on how to maximize your web security experience.

Share
Download
background image

Table 271   Email and Web Security Appliance v5.6 Connector Field Mappings  (continued)

McAfee-Specific Event Definition

ArcSight Event Data Field

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU':

'virus-names' If cs5 is 'AS': 'spam-rules-broken'

If cs5 is 'DL': 'dlpfile' If cs5 is 'FF': 'content-rules'

If cs5 is 'PX': 'content-rules'

cs1Label

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU': The

version of the Anti-Virus engine If cs5 is 'AS': The

spam score If cs5 is 'DL': The DLP categories that

triggered If cs5 is 'PX': The terms that caused the

content filter event

cs2

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU':

'av-engine-version' If cs5 is 'AS': 'spam-score' If

cs5 is 'DL': 'dlp-rules' If cs5 is 'PX':

'compliance-terms'

cs2Label

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AS': The threshold the

message exceeded

cs3

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AS': 'spam-threshold-score'

cs3Label

The attachments of the email (if available)

cs4

'email-attachments'

cs4Label

For a detection event, the scanner which

triggered the event: 'AP' - Anti-Phish 'AS' -

Anti-Spam 'AV' - Anti-Virus 'DL' - Data Loss

Prevention 'FF' - File Filtering 'MF' - Mail Filtering

'MS' - Mail Size 'PA' - Packer 'PU' - Potentially

Unwanted Program 'PX' - Compliancy 'SA' -

SiteAdvisor 'UF' - URL Filtering

cs5

'master-scan-type'

cs5Label

The subject of the email

cs6

'email-subject'

cs6Label

Indicates if the action taken is the main action

defined for the event. 1 indicates primary action

cn1

'is-primary-action'

cn1Label

The number of attachments in the email (if

available)

cn2

'num-email-attachments'

cn2Label

The number of recipients of the email

cn3

'num-email-recipients'

cn3Label

Extended Syslog attributes for Splunk 

Using the extended Syslog functions within the appliance, you can use external, third party software
— such as Splunk — to generate Syslog reports.

Table 272   Extended Syslog attributes for Splunk

Syslog entry

Notes

Example

Time and Appliance Name

Dec 30 10:58:10 Appliance1

app

Protocol

Smtp

Overview of System features

Logging, Alerting and SNMP

272

McAfee Email and Web Security Appliances 5.6.0 Product Guide

Summary of Contents for MAP-3300-SWG - Web Security Appliance 3300

Page 1: ...Product Guide McAfee Email and Web Security Appliances 5 6 0 ...

Page 2: ...registered and unregistered trademarks herein are the sole property of their respective owners LICENSE INFORMATION License Agreement NOTICE TO ALL USERS CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED PLEASE CONS...

Page 3: ...Email Reports overview 33 Interactive Reporting Total view 37 Interactive Reporting Time view 38 Interactive Reporting Itemized view 38 Interactive Reporting Detail view 39 Selection Favorites 40 Selection Filter 40 Web Reports overview 43 Interactive Reporting Total view 46 Interactive Reporting Time view 47 Interactive Reporting Itemized view 47 Interactive Reporting Detail view 48 Selection Fav...

Page 4: ...ion to policies 178 Web Scanning Policies 179 Dictionaries 197 Overview of System features 207 Appliance Management 207 General 207 DNS and Routing 212 Time and Date 214 Appliance Management Remote Access 215 UPS Settings 219 Database Maintenance 222 Appliance Management System Administration 225 Default Server Settings 232 Cluster Management 233 Backup and Restore Configuration 233 Configuration ...

Page 5: ... and Trace Route 312 System Load 312 Route Information 313 Disk Space 314 Troubleshooting Reports 314 Minimum Escalation Report 314 Capture Network Traffic 315 Save Quarantine 316 Log Files 316 Error Reporting Tool 318 Tests 318 System Tests 318 How appliances work with ePolicy Orchestrator 321 Configuring your appliance for ePolicy Orchestrator management 323 Managing your appliances from within ...

Page 6: ......

Page 7: ...d icons Book title or Emphasis Title of a book chapter or topic introduction of a new term emphasis Bold Text that is strongly emphasized User input or Path Commands and other text that the user types the path of a folder or program Code A code sample User interface Words in the user interface including options menus buttons and dialog boxes Hypertext blue A live link to a topic or to a website No...

Page 8: ...ither contact your local representative or visit http www mcafee com Optional components and related products The appliances have several components and related products Some components can be fully integrated into the appliances Other products provide a central point for monitoring and managing several McAfee products including the appliances The next table describes the optional components and r...

Page 9: ...ations of software and hardware are possible Appliance Combined Email and Web Email only Web only 3000 Yes No No 3100 Yes No No 3200 Yes No No 3300 Yes No No 3400 No Yes Yes M3 Content Security Blade Server Yes Yes Yes M7 Content Security Blade Server Yes Yes Yes Virtual appliances The McAfee Email and Web Security Appliance software is also available as a virtual appliance running within a VMware...

Page 10: ...ar E Support control buttons F View control G Content area A Navigation bar The navigation bar contains four areas user information section icons tab bar and support controls B User information bar C Section icons The number of section icons depends on the software version that you are using Click an icon to change the information in the content area and the tab bar The icons include the following...

Page 11: ...ictates what is displayed in the content area E Support control buttons The support control buttons are actions that apply to the content area Icon Description Refreshes or updates the content Returns you to the previously viewed page We recommend that you click this button rather than your browser s Back button Appears when you configure something to allow you to apply your changes Appears when y...

Page 12: ...e sure you have selected this checkbox Making changes to the appliance s configuration Use this task to make changes to the operation of the appliance Task 1 In the navigation bar click an icon The blue tabs below the icons change to show the available features 2 Click the tabs until you reach the page you need To locate any page examine the tabs or locate the subject in the Help index The locatio...

Page 13: ...list within the user interface Task 1 Click Add below the list A new row appears in the table If this is your first item a column of checkboxes appears on the left of the table You might also see a Move column on the right of the table 2 Type the details in the new row Press Tab to move between fields 3 For help with typing the correct information move your cursor over the table cell and wait for ...

Page 14: ... button at the top right of the window Viewing information in a long list If the list has many items you might not be able to see them all at the same time Task 1 To determine the position of an item in the list or the size of the list view the text at the bottom of the list such as Items 20 to 29 of 40 2 To move through the list or to move quickly to either end of the list click the arrows at the...

Page 15: ...h as from a previously prepared comma separated value csv Imported information normally overwrites the original information Table 1 Some formats for comma separated value csv files Type of information Format Example Domain D domain IP address D www example com 192 168 254 200 Network address N IP address IP subnet mask N 192 168 254 200 255 255 255 0 Email address E email address E network_user ex...

Page 16: ...s to communicate with your network and other devices Table 3 Ports used by Email and Web Security Appliances Use Protocol Port Number Software updates FTP 21 Anti virus HTTP FTP 80 21 McAfee Global Threat Intelligence file reputation DNS 53 Anti spam rules and streaming updates HTTP 80 Anti spam engine updates FTP 21 McAfee Global Threat Intelligence message reputation SSL 443 McAfee Global Threat...

Page 17: ...ances to be managed by ePolicy Orchestrator or when you set ePolicy Orchestrator to monitor and report on your appliances the following ports are used by default for communication between ePolicy Orchestrator and your appliances Table 6 ePolicy Orchestrator communication ports Port usage Port number Agent to server communication port 80 Agent to server communication secure port 443 when enabled Ag...

Page 18: ...listing and has an installer that supports automated script based installations Supported platforms Windows 2000 and Windows XP with Microsoft Outlook 2000 or later The latest MSST and documents can be downloaded from the following location http www mcafee com us enterprise downloads free_tools index html ePO Extensions Download the ePolicy Orchestrator extensions for Email and Web Security Applia...

Page 19: ...ity Appliance can transmit using SNMP HP OpenView NNM Smart Plug in Installer Download the HP OpenView installer file to enable you to configure your Email and Web Security Appliance to communicate with HP OpenView Preface Working with your McAfee Email and Web Security Appliances McAfee Email and Web Security Appliances 5 6 0 Product Guide 19 ...

Page 20: ......

Page 21: ...nother window Benefits of using the Dashboard The Dashboard provides a single location for you to view summaries of the activities of the appliance Depending on how you have your appliance configured you can view information about The email flowing through the appliance The web traffic being scanned The overall system health of the appliance Current detection rates The performance of your network ...

Page 22: ...recommended system configuration changes For Updates a green checkmark indicates that the components will update itself automatically To make a manual update click the blue link For other components a green checkmark indicates that the component is operating within acceptable limits For more information click the blue links To adjust the levels at which the warning and alert icons appear and to ch...

Page 23: ...r master appliance or management blade on a Content Security Blade Server Option Definition Email Web When clicked the meter displays Message per hour Email or Conversations per hour Web Message per hour Email Conversations per hour Web Displays the average throughput of the cluster based on measurements taken every few minutes If the cluster has twice as many scanning appliances its throughput al...

Page 24: ...files The version numbers are the same if the appliances are up to date During updating the values might be different To see more information move the cursor over the text and wait for a yellow box to appear Counter behavior All counters trigger once for every detection For example if a message contains two attachments that both contain viral content the Viruses counter increments by two The infor...

Page 25: ...s sent to two recipients and is queued for delivery for example because the onward MTA is down The number of items in the queue will be 1 because the appliance received one message The number of recipients will be 2 because the message has two recipients If you click on the Queued hyperlink you see two items because there is one message for each recipient If two messages are sent to one recipient ...

Page 26: ...severity are available yellow and red Choose from Virus detection rate Blocked connection rate Spam detection rate Blocked URL rate Other detection rate Dashboard Network Edit Use this page to set the protocols for which you want to display connection and throughput information Dashboard Email Queues Edit Use this page to select the levels at which you want to receive a warning based on the disk s...

Page 27: ...t warnings Dashboard Tasks Edit Use this page to specify the tasks that you want to be available directly from the Dashboard and change their position in the list If you change the reporting period that change is reflected across all status sections Graphs Edit Preferences Use this page to configure graphs to display on the Dashboard Dashboard Graphs Edit Option Definition Protocols By default all...

Page 28: ......

Page 29: ... the appliance itself Use features available from System Logging Alerting and SNMP or McAfee ePolicy Orchestrator to send data to generate reports externally Table 8 External reporting options External report generation option Definition System log System Logging Alerting and SNMP Supports the common event formats for Splunk and ArcSight SNMP System Logging Alerting and SNMP Supports the SNMP Aler...

Page 30: ...appliance Web reports Reports Create and view information about threats detected in the web activity on your appliance and the subsequent actions taken by the appliance System reports Reports Create and view information about threat detection updates and system events Scheduled Reports Use this page to see a list of the available reports about threats that the appliance has detected Reports Schedu...

Page 31: ...ive the most blocked or monitored messages Top detections lists top virus potentially unwanted programs and spam or phish detections and sender authentication failures Web Web security summary shows the and number of web queries that were completed or blocked because a threat was detected Web traffic summary provides information relating to the number of protected monitored or legitimate web query...

Page 32: ...ivery Schedule New report When clicked lets you create a new report which is an exact copy of an existing report A dialog box prompts you for further information Report name which appears under the Name column on this page Report title which appears at the top of the report When you click OK you return to the main page There you can select the new report click the icon under Edit and design your o...

Page 33: ...ministrator examplecompany com 6 Select Advanced options and set the Document format option to HTML 7 Click OK and apply the changes Task Send the email administrator a report that shows virus detections in email messages over the last week 1 Select Reports Scheduled Reports 2 From the list of report types select Favorite and click Edit 3 In Sender and recipient details type emailadministrator exa...

Page 34: ...ing and Selection There are four tabs beneath Email Interactive Reporting that each provide different views on a report s results See View types Total view Time view Itemized view Detail view There are two pages beneath Selection Favorites enables you to choose a report with pre defined filters and generate it immediately See Report types Filter enables you to further define the data in each Favor...

Page 35: ...l threat categories over the previous 24 hours Monitored Displays results in Time view by default Results show the number of messages for all threat categories over the previous 24 hours that triggered an event log but were delivered with no modification Modified Displays results in Time view by default Results show the number of modified messages for example cleaned or replaced with an alert mess...

Page 36: ...n Top Spam Senders report only Choose whether the report should contain results for spam senders phish senders or both Virus PuPs Top Viruses report only Type the name of the virus or potentially unwanted program to get detection results for that specific threat Show Advanced When clicked shows the options below To hide the options again click Hide Advanced Source Domain Filter traffic based on th...

Page 37: ... the appliance Task Show me the top viruses detected over the previous week Use this task to show the total number of viruses detected in the previous week and analyze the data using different report views 1 Click Reports Email Reports 2 From the Favorites list select the Top Viruses report and click Filter 3 Click Apply to run the report 4 Select Timeview to see the action that was taken on each ...

Page 38: ...hour portions of each day If you see no information click Apply on the Filter tab or change the period and click Apply You might not be able to view some older data because the appliance s log is regularly purged For information about the Filter or Favorites section on the right click its tab then click the Help button Table 14 Option definitions Option Definition Start Displays the start of the p...

Page 39: ...k each link values in the Filter tab are updated Click Apply to display the pie chart again Number of distinct criteria items within the selection Displays the number of email messages or web accesses where each criteria applies Interactive Reporting Detail view Use this page to see the details of every detected threat such as the exact time and IP address of each detection that the appliance has ...

Page 40: ...that you have already saved Reports Email Reports Selection Favorites Reports Web Reports Selection Favorites Reports System Reports Selection Favorites Table 17 Option definitions Option Definition Name Displays the name of each report that you have saved Run report When clicked opens the selected report and displays it to the left of the screen Edit Opens the Filter page from where you can chang...

Page 41: ...h as user example com When selected the advanced options Destination domain and Destination ID further specify the recipient s domain or IP address such as server1 example com and 192 168 254 200 Action Enables you to filter reports on specific actions such as Legitimate or Blocked Examples To view information about one sender or recipient type user example com The name is wrapped with chevron cha...

Page 42: ...68 254 200 Action Displays information about the action taken against the threats for example threats that were blocked or only monitored The menu does not offer the choice of legitimate web accesses because they are too numerous Category Displays information about specific categories of traffic for example Viruses or URL Filtering The menu does not offer the choice of legitimate web accesses beca...

Page 43: ... Benefits of creating web reports To keep your web infrastructure running at optimal levels you need access to up to date information about threats detected in the web traffic flowing through the appliance Generate web reports to get information such as The types of threats detected such as viruses or packers Web requests that had to have an action taken upon them URLs that were blocked or monitor...

Page 44: ...and save as a new favorite report to run again in the future then make it available in the Scheduled Reports feature To see the default settings in each report hold your mouse cursor to the left of a report name Table 21 Option definitions Option Definition Top URL List Displays results in Itemized view by default Results show top 15 blocked websites processed over the previous 24 hours Detail vie...

Page 45: ...numerous Show Advanced When clicked shows the options below To hide the options again click Hide Advanced Source domain Filter traffic based on the domain that the traffic is being sent from Source IP Filter traffic based on the IP address that the traffic is being sent from Destination domain Filter traffic based on the domain that the traffic is being sent to Destination IP Filter traffic based ...

Page 46: ...d apply the changes to the appliance Task Show me the top URLs visited over the last 24 hours Use this task to get information about each URL visited over the previous 24 hours and analyze the data using different report views 1 Click Reports Web Reports 2 From the Favorites list select the Top URL List report and click Filter 3 Click Apply to run the report 4 Select Time view to see the action th...

Page 47: ... hour portions of each day If you see no information click Apply on the Filter tab or change the period and click Apply You might not be able to view some older data because the appliance s log is regularly purged For information about the Filter or Favorites section on the right click its tab then click the Help button Table 24 Option definitions Option Definition Start Displays the start of the ...

Page 48: ...ck each link values in the Filter tab are updated Click Apply to display the pie chart again Number of distinct criteria items within the selection Displays the number of email messages or web accesses where each criteria applies Interactive Reporting Detail view Use this page to see the details of every detected threat such as the exact time and IP address of each detection that the appliance has...

Page 49: ... that you have already saved Reports Email Reports Selection Favorites Reports Web Reports Selection Favorites Reports System Reports Selection Favorites Table 27 Option definitions Option Definition Name Displays the name of each report that you have saved Run report When clicked opens the selected report and displays it to the left of the screen Edit Opens the Filter page from where you can chan...

Page 50: ...ch as user example com When selected the advanced options Destination domain and Destination ID further specify the recipient s domain or IP address such as server1 example com and 192 168 254 200 Action Enables you to filter reports on specific actions such as Legitimate or Blocked Examples To view information about one sender or recipient type user example com The name is wrapped with chevron ch...

Page 51: ...168 254 200 Action Displays information about the action taken against the threats for example threats that were blocked or only monitored The menu does not offer the choice of legitimate web accesses because they are too numerous Category Displays information about specific categories of traffic for example Viruses or URL Filtering The menu does not offer the choice of legitimate web accesses bec...

Page 52: ...rate system reports to get information about threat detection files update status user logon statistics and network and hardware status Additionally use the System Reports feature with the Scheduled Reports feature to create regular reports and send them immediately to other people or at regular intervals Introduction to the System Reports page System Reports contains several sub pages accessed fr...

Page 53: ... Definition Period and Ending Displays information for a period from one hour to one month based on the selected start date When clicked the Previous and Next buttons adjust the From date for example moving it to next week or the previous day Event type Displays reports about particular event types For example issues concerning the Network Event Select individual events based on the chosen Event t...

Page 54: ...ion definitions Option Definition Date and other headings Displays the details of each email message or web access To see all columns move the horizontal scroll bar To sort the data in any column click the column heading The most recently sorted column is indicated by a red arrow in the column heading Data Click the blue link to see further information about an email message in a table or as raw d...

Page 55: ...Make your selections then click Apply The new report might take a while to appear You can save these selections to produce a similar report at any time or clear the selections you made Table 35 Option definitions Email Reports filter options Option Definition Period and Ending Displays information for a period from one hour to one month based on the selected start date When clicked the Previous an...

Page 56: ...tially unwanted program to get detection results for that specific threat Show Advanced When clicked shows the options below To hide the options again click Hide Advanced Source Domain Filter traffic based on the domain that the messages are being sent from Source IP Filter traffic based on the IP address that the messages are being sent from Destination Domain Filter traffic based on the domain t...

Page 57: ... being sent to Destination IP Filter traffic based on the IP address that the traffic is being sent to Audit ID As traffic passes through the appliance it can have an Audit ID assigned Use this field to filter traffic with a specific Audit ID Action Enables you to filter reports on specific actions such as Legitimate or Blocked Policy Provides a selection of policies Category Displays information ...

Page 58: ......

Page 59: ... to Who sent the email message Who will receive the email message The content of the email message On receiving an email message the appliance processes it in the following order Email message processing order Kernel mode blocking Permit and Deny Lists on page 86 CONNECT Permit Sender Connection Permit and Deny Lists on page 86 Deny Sender Connection Permit and Deny Lists on page 86 Real time Blac...

Page 60: ...Sender Authentication Settings RBL Configuration on page 123 If behind an MTA SPF Sender Authentication Settings SPF Sender ID and DKIM on page 124 If behind an MTA McAfee Global Threat Intelligence message reputation Sender Authentication Settings Message reputation on page 123 Sender ID Sender Authentication Settings SPF Sender ID and DKIM on page 124 Domain Keys Identified Mail DKIM Sender Auth...

Page 61: ...n page 130 DLP Data Loss Prevention Settings on page 127 Anti virus Including McAfee Global Threat Intelligence file reputation PUPs Packers Anti Virus Settings Basic options on page 116 The anti virus scan always runs even if some of the other scans are not Anti Virus Settings McAfee Anti Spyware on page 117 Anti Virus Settings Packers on page 117 Anti Virus Settings Custom Malware Options on pag...

Page 62: ...vailable in ePolicy Orchestrator Email Message Search Message Search provides you with a convenient method to locate email messages on your appliance If the appliance has not received the message body the message cannot be found in Message Search For example if an email message is blocked by the Real time Blackhole Lists RBLs the appliance will not have received the message body In this situation ...

Page 63: ...s that have pending release requests Queued You can multi select to search for messages in more than one status Sender Recipient Subject You can search for emails containing particular sender recipient or subject text The appliance may modify the subject of some emails typically by adding a spam or phish prefix to the subject line However the subject displayed on the Message Search page is the ori...

Page 64: ...file reputation PuPs packers Mail Filtering external partial message For messages that were Quarantined by the appliance the following Category options are available Anti Spam Encrypted Content Anti Phish Compliance Mail Size DLP Corrupt Content Anti Virus Artemis PuPs packers Signed Content Mail Filtering external partial message File Filter You can multi select to search for messages in more tha...

Page 65: ...messages this allows you to search for the all messages original email or for messages that have been modified by the appliance It also allows you to search for messages that have their Release requested by your users Virtual host If you have enabled the use of virtual hosts on your appliance you can track or view email messages that are processed by an individual virtual host on the appliance To ...

Page 66: ...e release requests from within Message Search Real Time retry To retry the delivery of a queued item and to then show the results of the SMTP conversation with the target MTA click Real Time Retry You can only use Real Time Retry by selecting a single queued message View Message If the message is still available to the appliance for example if the email message has been queued or quarantined on th...

Page 67: ...essages that have been quarantined are displayed in the lower part of the page Subtask Refine the search to show which email messages are quarantined due to compliancy issues You can further refine your search for quarantined email messages to show only those that have been quarantined due to specific triggers In this example to find those email messages quarantined due to compliancy issues 1 Comp...

Page 68: ... inbound delivery You can further refine your search for queued email messages to show only those messages that have been queued for inbound or outbound delivery To view the queued messages awaiting inbound delivery 1 Complete the steps in Task Find out which email messages are queued 2 Select Inbound from the Disposition drop down list 3 Click Search Refresh All messages that have been queued for...

Page 69: ...t have been successfully delivered by the appliance are listed in the lower part of the page Task Find what happened to the email message from user domain with the subject abc sent yesterday The search options within the Message Search page can be used in combination to refine your searches for email messages The following example shows how to search for a message using multiple criteria 1 Click E...

Page 70: ... these messages Email Overview Use this page to see how well the appliance is handling email delivery and threats on incoming email This feature is not available in ePolicy Orchestrator Email Email Overview Table 42 Option definitions Incoming Email Summary Option Definition Update Now When clicked updates all the information on this table The information is not automatically updated Mail Host Dis...

Page 71: ...umber of items in the queue will be 1 because the appliance received one message The number of recipients will be 2 because the message has two recipients If you click on the Queued hyperlink you see two items because there is one message for each recipient If two messsages are sent to one recipient and are queued for delivery for example because the onward MTA is down The number of items in the q...

Page 72: ...s port numbers Message rate warning thresholds on page 73 Use this area to specify thresholds above which you will be alerted that your message rate has increased Timeouts on page 73 Use this area to specify the timeouts that apply to the SMTP conversations Basic SMTP settings Use this area to specify basic connection settings for the SMTP protocol such as port numbers Email Email Configuration Pr...

Page 73: ...tion Connection Settings SMTP Message rate warning thresholds You can configure your appliance to issue an alert or a warning if the message rate increases Table 45 Option definitions Option Definition Warn if the message rate exceeds Default value No limit Alert if the message rate exceeds Default value No limit Timeouts Use this area to specify the timeouts that apply to the SMTP conversations E...

Page 74: ...hunks of data The default value is 180 seconds Acknowledgment of the final dot The default value is 300 seconds Protocol Settings SMTP The Protocol Settings SMTP page links to areas to allow you to configure settings for the SMTP protocol on the appliance Email Email Configuration Protocol Configuration Protocol Settings SMTP Page area Summary Data command options on page 75 Use this area to speci...

Page 75: ...ely handle parts of the SMTP conversation slowly Default value is No lower limit Maximum number of trivial commands Prevents the appliance receiving too many trivial commands before a successful DATA command An attacker might repeatedly send commands like HELO EHLO NOOP VRFY and EXPN Default value is 100 Maximum number of AUTH attempts Prevents too many AUTH conversation attempts Transparent Bridg...

Page 76: ...econnection Default value is 600 seconds Generate non delivery reports for undeliverable email Default value is Yes Message processing Use this area to configure message processing options within the SMTP protocol Table 50 Option definitions Option Definition Welcome message Specifies the text that is seen by a host when connecting to the appliance in Explicit Proxy mode The default message is app...

Page 77: ...t made available deselect this feature Default value is No A HELO command implies a reset Forces the HELO command to automatically perform a reset RSET command The RSET command clears the buffers that store data such as the sender recipients and the email message Default value is Yes A HELO or EHLO command is required Forces the use of the HELO or EHLO command in any SMTP communication Most SMTP c...

Page 78: ... destination email server Default value is No Specify how often to send the keep alive NOOP commands during the DATA phase Default value of interval is 55 seconds Advanced options Use this section to specify further settings for transparency options You do not normally need to change these settings Table 53 Option definitions Option Definition Allow the appliance to generate additional scanning al...

Page 79: ...e character user The domain part is after the character example com Table 54 Option definitions Option Definition Maximum length of the local part Specifies how many characters can be used in the local part The RFC limit is 64 characters Maximum length of the domain part Specifies how many characters can be used in the domain part The RFC limit is 255 characters Allow non RFC characters in the dom...

Page 80: ... convert the original email address to a masqueraded email address Take care with the use of and in a regular expression If the email headers contain extra characters such as chevrons the regular expression will not replace the email address as expected Replacement Displays the address you want to put in place of the original email address Test When clicked opens a further window where you can tes...

Page 81: ...ulting output address Transport Layer Security SMTP Use this page to specify how devices use encrypted communications and to manage their digital certificates Email Email Configuration Protocol Configuration Transport Layer Security SMTP Import the trusted Certificates Authorities and certificates from the participating organizations before you begin this configuration RSA keys can be used both fo...

Page 82: ...s the details such as 192 168 200 254 24 192 168 200 254 255 255 255 0 server1 example net example net Use TLS Always rejects email from participating organizations if their communication does not try to start encryption Never configure connections to the source server to never use TLS encryption When available if available the connection uses TLS encryption Authenticate Self Specifies whether the...

Page 83: ...ord protected certificate type the passphrase to unlock the private key The appliance stores the decrypted certificate in a secure internal location The appliance verifies the certificate making it available to use after you click to apply your changes If a yellow exclamation point appears next to the certificate after you click the green checkmark to apply the change the certificate is not curren...

Page 84: ...If selected ciphers without authentication are supported McAfee does not recommend using unauthenticated TLS connections so this setting is disabled by default When unauthenticated ciphers are supported some destination servers might choose these ciphers in preference to authenticated ciphers Connection and Protocol Settings POP3 Use this area to specify settings for the POP3 protocol such as port...

Page 85: ...m Click these icons and the port headings to reveal icons for managing the port information Indicates the port number Indicates the traffic that will be intercepted Indicates a period when traffic is not scanned Indicates a dedicated port Enable reverse DNS lookups When selected enables the appliance to perform lookups Default value is Yes Take care if deselecting this setting If you deny reverse ...

Page 86: ...t values User delimiter Host delimiter You need only change the delimiter characters if your POP3 provider uses different characters Respond to CAPA requests Responds to a POP3 CAPA command which returns a list of capabilities supported by the POP3 server Default value is No For more information see RFC 2449 Receiving Email The Receiving Email tab within Email Configuration enables you to configur...

Page 87: ...connection to permitted within the 600 seconds the connection continues to be blocked until the 600 seconds have elapsed This is why a connection can temporarily appear in both the Blocked and Permitted connections list Port Displays the number of the port on which the message was received This is typically port 25 VLAN ID Displays the ID of the virtual LAN on which the message was received This i...

Page 88: ...lve host names to IP addresses from a domain name These lookups take place when the SMTP proxy is initialized The default value is Yes Reverse lookup sender IP address When selected causes the appliance to use DNS to do a reverse lookup of the sending IP address to match domains in the list Because this requires an extra lookup for each connection this can affect performance The default value is N...

Page 89: ...Receiving Email Anti Relay Settings Benefits of preventing the appliance from being used as an open relay By default the appliance is configured as an open relay so anyone can send messages through it You must specify the domains that can send and receive messages Anti relay settings are required to ensure that the appliance only handles email for authorized users and to prevent other people such ...

Page 90: ...ppliance for handling their email Table 69 Option definitions Option Definition Add Domain Click to specify the domains that can relay messages through the appliance to the recipient Choose from Local domain These are the domains or networks for which email is accepted for delivery For convenience you can import a list of your local domain names using the Import Lists and Export Lists options McAf...

Page 91: ...e the recipient sends an acceptance code SMTP 250 OK McAfee does not recommend this option because it suggests to the sender that the message was received as intended Import Lists Export Lists On an appliance from which you want to save a list of domains for anti relay specification click Export Lists to create a comma separated CSV file that contains details of all the domains that you specified ...

Page 92: ...w relaying of incoming messages to your domain add a wildcard domain To allow the relaying of outgoing messages from your domain add the IP address or network address of the Message Transfer Agent MTA 1 Go to Email Email Configuration Receiving Email Anti Relay Settings 2 Click Add Domain 3 Type the domain name using a wildcard such as example dom 4 In Category select Local domain and click OK 5 C...

Page 93: ... click Import Lists Formats for export lists To create a list of domains for an export list type the domains into a comma separated values file using the following formats To add a local domain type LD domain name To add a local network address type LN IP address CIDR To add a permitted domain type PD domain name To add a denied domain type DD domain name For example LD inbri bs dom LN 10 6 1 3 24...

Page 94: ...uch as zombie networks Greylisting temporarily rejects email from new senders to resist spam attacks Table 71 Option definitions Option Definition Protocol preset Specifies the policy and network group to which these settings apply Accept SMTP callback requests If selected overcomes delays caused by devices that use SMTP callbacks to prevent spam Initial retry delay Specifies how long to reject an...

Page 95: ... appliance sends an acceptance code SMTP 250 OK We do not recommend this option because it suggests to the sender that the message was received as intended Reject Sends a rejection code SMTP 550 Fail We recommend this option because the sender is normally informed that the message was not accepted Directory harvest prevention Use this section to prevent directory harvest attacks The appliance exam...

Page 96: ...mail message the MTA returns or bounces the message to the sender using a return address in the message Unfortunately spam email messages often have a forged or spoofed return address The bounced email often goes to an innocent organization This type of email is known as backscatter During a spam attack your organization might receive many such messages Benefits of using Bounce Address Tag Validat...

Page 97: ... Email Configuration Sending Email The page has these sections Delivering email Postmaster address DKIM signing Queued email delivery Delivering email Use this section to specify how the appliance tries to deliver email based on the domain part of the recipient s address In a To field the domain part of an address such as aaa example com is example com Using the recipient s domain the appliance us...

Page 98: ...e the appliance does an A record lookup to determine the IP address To specify multiple relays for a single domain separate each with a space If the first mail relay is accepting email all email is delivered to the first relay If that relay stops accepting email subsequent email is delivered to the next relay in the list Enable DNS lookup for domains not listed above If selected the appliance uses...

Page 99: ...ient can therefore be confident that the email was sent from the stated sender and was not altered during transit The appliance can verify signatures from incoming mail and attach signatures to outgoing mail For information about Domain Keys Identified Mail DKIM visit the Internet Engineering Task Force website http www ietf org and http www dkim org Use this section to create a Domain Keys Identi...

Page 100: ... to specify how the appliance delivers email intended for known domains The options outside this section apply to email for all other destinations Table 78 Option definitions Option Definition Maximum number of connections open at any one time Default value is 500 Time before an NDR is issued Specifies how long the appliance tries to deliver an email message before sending a non delivery report ND...

Page 101: ...pe example com 4 In MX record type mx mailserver com Task Deliver all failed deliveries to a specific server 1 Go to Email Email Configuration Sending Email 2 In Fallback relays for unreachable domains click Add Relay List 3 In Domain name type 4 Click Add Host and type internal3 mailserver com Email Policies Use this page to view and configure policies relating to your email traffic Introduction ...

Page 102: ...cluding Scanning limits Content handling Alert settings Notification and routing Threat Feedback POP3 policies The appliance provides the following features when scanning the POP3 protocol Email Email Policies Scanning Policies POP3 Anti Virus including McAfee Anti Spyware Packer detection Spam including Phish Compliance including Mail size filtering Scanner Options including Scanning limits Conte...

Page 103: ...le Packers can compress Trojan horse programs and make them harder to detect Spam Email Email Policies Scanning Policies Spam This column on the page contains the following links which lead to further pages where you can control the features of the appliance Link What you can do from this part of the interface Spam Use these pages to manage spam by specifying thresholds and blacklists Phish Use th...

Page 104: ...ormance issues Content handling Use these pages to specify how the appliance handles some types of email content Alert settings Use this page to control the format and appearance of the alert message that users receive when the appliance detects a threat Notification and Routing Use these pages to manage the sending of email that the appliance automatically generates and the redirection of email f...

Page 105: ...actions when a packer is detected Protects your network from PUPs A cautious user might want to be informed of PUPs and might want to remove them McAfee anti spyware software detects and with your permission removes potentially unwanted programs Some purchased or intentionally downloaded programs act as hosts for other potentially unwanted programs Removing these potentially unwanted programs may ...

Page 106: ... to file type Some operating systems such as Microsoft Windows use file name extensions to identify the type of file For example files with the extension exe are programs files with the extension txt are simple text files You can specify the types of files you want to scan according to their file name extension Scanning inside archive files By default the scanner does not scan inside file archives...

Page 107: ...100 file types by default including exe and com Scan all files This option ensures that every file is scanned Some operating systems such as Microsoft Windows use the extension names of files to identify their type For example files with the extension exe are programs However if an infected file is renamed with a harmless extension such as txt it can escape detection and the operating system can r...

Page 108: ...packers and PUPs differently use the Custom Malware Options tab Problems with alerts for mass mailers Normally the appliance handles all potentially unwanted programs in the same way However you can specify that certain types are handled differently Email Email Policies Scanning Policies Anti Virus Custom Malware options For example you can configure the appliance to inform the sender the recipien...

Page 109: ...our connection settings to apply to all devices However some parts of your network might need some differences because some devices operate differently For example Part of the network can handle larger or smaller files than normal A slow connection requires a different time out value Part of the network must use an alternative authentication service By creating a protocol preset you can cater for ...

Page 110: ... the order in which they are applied Policy Name Displays the name of each policy The appliance always has a default policy which applies to everything in the network You can change the default policy but you cannot delete it To see the users or devices that are affected by a policy move the cursor over the policy name and wait for a yellow box to appear To change any details of the policy click t...

Page 111: ...iguration Sender Authentication Settings SPF Sender ID and DKIM Sender Authentication Settings Cumulative Score and Other Options Compliance Displays brief details about the Compliance settings Each link within the Compliance area of each policy opens a separate page containing the features and options you need to configure your policy You can configure File Filtering Settings SMTP protocol only D...

Page 112: ...Settings Email Recipients Move Use the arrow icons to move your policies higher or lower in priority order Move the policy down Move the policy up The default policy always appears at the bottom of the list of policies You cannot change its position Delete After creating policies you can choose to delete any that you no longer require by clicking You cannot delete the default policy Add Policy Whe...

Page 113: ...ules and use the and buttons to correctly order the rules 5 Click OK The new rule is added to the top of the list of policies Task Change the scanning order of my policies The appliance uses the order of the policies to evaluate the email messages being scanned A message will first be evaluated against the rule with the Order value of 1 and if this does not trigger it is then evaluated against pol...

Page 114: ... Option definitions Option Definition Add User Group Add Network Group and Add URL Group When clicked allows you to create complex groups of users devices or URLs Policy name and Description optional Specifies the policy name which you see in the Scanning Policies page The description does not appear elsewhere You can write a long description to remind yourself of the purpose of this policy Inheri...

Page 115: ... the value Add network group Table 82 Option definitions Option Definition Group name Specifies the name for the network group Rule type Displays the type of network information Examples of when to use this option IP address define the IP address that the rule groups applies to Host name specify the host name for the rule groups Match Displays a linking word such as is or is not like Use this menu...

Page 116: ... Sensitivity level Enables McAfee Global Threat Intelligence file reputation on your appliance McAfee Global Threat Intelligence file reputation complements the DAT based signatures by providing the appliances access to millions of cloud based signatures This reduces the delay between McAfee detecting a new malware threat and its inclusion in DAT files providing broader coverage The sensitivity le...

Page 117: ...take Use the default alert When selected issues the default alert upon detection When deselected allows you to click the link then change the text of the alert And also Provides several further actions to take To select several items use Ctrl click or click and Shift click To learn about spyware visit McAfee Labs Threat Library http vil nai com vil default aspx Anti Virus Settings Packers Use this...

Page 118: ...ions Option Definition Mass mailers to Trojan horses When selected applies the specified action to this type of malware If the option is not selected the malware is handled as described by the basic options Specific detection name When selected allows you to add names of specific detections You can use and to represent multiple and single characters in the malware names If detected Provides variou...

Page 119: ...ct a spam report for initial testing only because it can affect your server s performance When you have collected the information deselect the option Verbose reporting When selected adds descriptions of the anti spam rules When the spam score is at least and menus When selected specify the main actions and any other actions to take against email that has a range of spam scores For example you can ...

Page 120: ...ed for later processing Add the header Specifies the type of email message to which to add the email header For example you can add the customized email header to spam messages only Default value is Never Use alternative header names when a mail is not spam If selected appends the text Checked to the normal spam header names when the email message did not contain spam This option can be useful to ...

Page 121: ... you will need to change this list Make changes only if you understand the implications Table 94 Option definitions Option Definition Rule Name Displays the rule name that is seen in the spam report Rule Score Displays the rule score which is typically 1 5 Enabled Specifies whether a rule is active To disable a rule deselect its checkbox Apply and Filter When Apply is clicked the table shows only ...

Page 122: ...he email message which explains why the email message was marked as phish Verbose reporting When selected provides a fuller report providing descriptions of the names of the rules that have triggered Table 97 Actions Option definitions Option Definition If a phishing attempt is detected Provides a main action to take against the phish message The options available are Deny connection Block Refuse ...

Page 123: ... the score to be added Accept and drop Block blocks the message from being delivered and returns the appropriate code to the sending MTA Reject Block blocks the message from being delivered and returns the appropriate code to the sending MTA Reject and close Block blocks the message from being delivered and returns the appropriate code to the sending MTA Reject close and deny Block blocks the mess...

Page 124: ...ther the sender of an email message is genuine These techniques reduce the workload for the appliance because they reject suspicious email without the need for scanning The appliance can take various actions according to whether the email passes or fails each check You can use each type of authentication separately or combine the techniques by using scoring or weighting Table 100 Option definition...

Page 125: ...ng of an email The default value of 5 seconds is often effective in deterring a denial of service attack Parse the email headers for sender address if behind an MTA and Number of hops to the MTA If the appliance is preceded by Mail Transfer Agents MTAs specify the number of hops from the appliance to the MTA The appliance can then parse the email headers to find the original sender and check again...

Page 126: ...s the text 2008 can detect the movement of these files By file format For example much of your organization s most valuable information such as designs and lists of customers is in databases or other special files so it is important to control the movement of these files The appliance examines files based on their true content Any file can be made to masquerade as another A person with malicious i...

Page 127: ...ose to restrict the flow of sensitive information sent in email messages by SMTP through the appliance using the Data Loss Prevention feature For example by blocking the transmission of a sensitive document such as a financial report that is to be sent outside of your organization Detection occurs whether the original document is sent as an email attachment or even as just a section of text taken ...

Page 128: ...he categories that you set in Registered Documents Create document exclusion This list is empty until you register documents Click to specify registered documents to exclude from this policy If a Data Loss Prevention action results in an alert When selected issues the default alert upon detection When deselected allows you to click the link then change the text of the alert Task Block a sensitive ...

Page 129: ...iance Mail Size Filtering The default policy values are normally suitable but you might need another policy to allow the occasional transfer of large email messages or to investigate possible attacks Changing these settings can affect scanning performance If you are not sure about the impact of making any changes ask your network expert Table 104 Option definitions Option Definition If the message...

Page 130: ...ify how to handle large numbers of attachments within email messages Email Email Policies Scanning Policies Compliance Mail Size Filtering The default policy values are normally suitable but you might need another policy to allow the occasional transfer of large numbers of attachments within email messages or to investigate possible attacks Changing these settings can affect scanning performance I...

Page 131: ...ned compliance rules See Rule Creation Wizard If a compliance action results in an alert When selected issues the default alert upon detection When deselected allows you to click the link then change the text of the alert Task Block email messages that violate the threatening language policy 1 Go to Email Email Policies Scanning Policies and select Compliance 2 On the Default Compliance Settings d...

Page 132: ...o Email Email Policies Scanning Policies and select Compliance 2 Expand the rule that you want to edit 3 Select Add dictionaries 4 Select the new dictionary that you want to include and click OK Task Configure a Discontent rule to monitor at a low threshold and block at a high threshold For score based dictionaries you might want to monitor triggers that reach a low threshold and only block the em...

Page 133: ...nt to 2 1 Go to Email Email Policies Scanning Policies and select Compliance 2 Expand the rule that you want to edit then click the Edit icon next to the dictionary whose score you want to change 3 In Maximum term count type the maximum number of times that you want a term to contribute to the score Rule Creation Wizard Use the wizard to create a new compliancy rule Email Email Policies Scanning P...

Page 134: ...anner Options Notification and routing And conditionally Specify whether you want the actions to take place when Any or All of the dictionaries in the rule trigger a match Rule Creation Wizard Use the wizard to create a new compliancy rule based on settings from an existing rule Email Email Policies Scanning Policies Introduction to the Rule Creation Wizard Select the rule on which you want to bas...

Page 135: ...tion definitions Option Definition If expanded file size exceeds Specifies the limit The default value is File size 500MB menu Provides a main action to take against the message And also Provides any further actions To select several items use Ctrl click or click and Shift click Use the default alert When selected issues the default alert upon detection When deselected allows you to click the link...

Page 136: ...to the subject line it precedes other prefixes such as those that indicate spam or phish detections If you add a disclaimer to a message its subject line is not affected Enable the use of disclaimers When selected adds extra text to each email message The appliance cannot add a disclaimer to an email message that contains unsupported character sets such as the Hebrew character set ISO 8859 8 I Dis...

Page 137: ...ximum which can help prevent denial of service attacks Default value is 10000 Treat corrupt message headers the same as corrupt content If selected the email message is handled according to the action that the policy applies to any corrupt content Treat NULL characters in message headers the same as corrupt content When selected acts on NULL characters Remove any Received From headers to obscure S...

Page 138: ...tent Handling Email Options The appliance handles common MIME types You need only specify any new or unusual MIME types here Table 116 Option definitions Option Definition Treat the following MIME types as text attachments Allows you to build a list of text MIME types Treat the following MIME types as binary attachments Allows you to build a list of binary MIME types About MIME formats Multipurpos...

Page 139: ...s the original character set in the email message Fixed If selected you can choose one alternative character set If deselected provides any number of choices To select several items use Ctrl click or click and Shift click Alternatives Specifies the alternative character encodings Content Handling Settings HTML Options Use this page to specify how the appliance handles certain elements and componen...

Page 140: ...ems use Ctrl click or click and Shift click Content Handling Settings Corrupt or Unreadable Content Encrypted content Use this page to specify how to handle encrypted content Email Email Policies Scanning Policies Scanner Options Content Handling Corrupt or Unreadable Content You can specify the action to take when the appliance scans an S MIME or PGP encrypted email message If you allow encrypted...

Page 141: ...ed with read protected documents will only trigger when compliance scanning is enabled and the contents of the document can not be extracted If a password protected archive file is detected Provides a main action to take Use the default alert When selected issues the default alert upon detection When deselected allows you to click the link then change the text of the alert And also Provides severa...

Page 142: ...nce scans an S MIME or PGP signed email message such as whether you allow the appliance to modify a signed email Table 123 Option definitions Option Definition If a signed message is detected Provides a main action to take And also Provides several further actions to take To select several items use Ctrl click or click and Shift click Signed email messages are quarantined only if a virus or banned...

Page 143: ...for alerts in HTML format Big 5 to UTF 8 provides character encoding for plain texts Default value is UTF 8 Alert filename Specifies the name of the file that contains the alert Default value is warning htm or warning txt Notification and Routing Settings Notification Emails Use this page to specify the email addresses for messages from the appliance to users and to administrators Email Email Poli...

Page 144: ...to specify that a copy must be kept of every email that is sent Email Email Policies Scanner Options Notification and routing Audit Copies Select this feature if your organization needs to record all email for auditing purposes Table 126 Option definitions Option Definition Sender address and Use the sender address of the original email To retain the name of the original sender select the checkbox...

Page 145: ...mail Policies Scanning Policies Scanner Options McAfee GTI feedback System Setup Wizard Benefits of using McAfee Global Threat Intelligence feedback McAfee analyzes data about product detections and alerts threat details and usage statistics from a broad set of customers in order to combat electronic attacks protect vulnerable systems from exploit and thwart cyber crime By enabling this feedback s...

Page 146: ...Enable GTI feedback for outbound email policies only 1 Go to Email Email Policies Scanning Policies Scanner Options 2 In the Scanner Options column for the relevant outbound policy and select McAfee GTI feedback 3 Select Enable threat feedback 4 Click OK and apply the changes Task Enable GTI feedback during a new installation GTI feedback can be enabled from within the Setup Wizard 1 Go to System ...

Page 147: ...eutral dictionaries Dictionary Displays the name of the dictionary and a symbol to indicate its type Red book Non score based Blue book Score based Green book User defined Open book Currently selected item Category Dictionaries are grouped into related categories For example Profanity and Sex are in the Acceptable Use category Used by Displays the number of policies that use the dictionary Edit Wh...

Page 148: ...al term lists can apply to different contexts For example one term list might look for terms within message bodies whilst another might look for terms within the subject line Term lists For dictionaries that are score based you can view the individual lists of terms in the selected dictionary Individual term lists can apply to different contexts For example one term list might look for terms withi...

Page 149: ...bcd or abcd When used together Starts with and Ends with match the term when it appears as a whole word Example If the term is bc the appliance responds to the words bc However the appliance ignores bcd or abc Edit When clicked opens a window that allows you to change the basic term properties or create a complex term Term details Edit the basic term properties including the actual text that you a...

Page 150: ...for example one term list may look for terms within message bodies whilst another may look for terms within the subject line Add AND condition For dictionaries that are not score based click to add new lists that are combined using the logical AND operator using the following settings Match type Specify whether the list contains regular expressions or simple strings Applies to Click the link to sp...

Page 151: ... details Specify the basic term properties including the actual text that you are looking for as well as case sensitive wildcard and starts with and ends with as defined above Contextual matching advanced Set triggers for terms based on proximity to other terms To set these details click Add Word or Phrase Display string Set the display name for the term in the list of dictionary terms Enable near...

Page 152: ...m matches 0 or more of the previous term matches 1 or more of the previous term For example aa matches lines that start with aa bb matches lines that end with bb cc matches ccd acc and accd ab c matches ac abc and abbc a d b matches a2b and a23456b but not ab a c matches abc but not ac or abbc a c matches ac abc and adefghb a bcd e matches abe ace and ade but not abcde It is lunch dinner time matc...

Page 153: ...he second regular expression click the edit icon and click Test 6 Type Here is the number 111 22 3333 and click OK The Matches area shows the text that matches the regular expression Click OK or Cancel twice Task Test the social security number regular expressions 1 Go to Email Email Polices Dictionaries 2 Select the Social Security Number dictionary 3 Select the first regular expression click the...

Page 154: ...st by Description If required add a description for the dictionary list Language Define the language for the content of the list Match type Select how the appliance matches terms within this dictionary New Condition Use this dialog box to enter new terms into a dictionary Email Email Policies Dictionaries Dictionary Add Condition Web Web Policies Dictionaries Dictionary Add Condition Table 134 Opt...

Page 155: ...ot delete either the document or any categories that the document belongs to To delete either the category or the document the document must first be removed from any associated policies Hover the cursor over the Used by column to see the policies that use either the category or the document Table 135 Option definitions DLP Registered Documents Option Definition Categories Groups of registered doc...

Page 156: ... documents database File Name Lists all the documents associated with the selected document category Status indicates that there is an error in the document See the tooltip to see the reason either an error in the database an error occurred while uploading the document an error occurred during document training indicates that there are modifications that have not yet been applied indicates that th...

Page 157: ...r over the icon to see why it is unavailable See the following table to find out what you can do to edit or remove the category or document Tooltip text reason Solution Cannot delete Document because it s excluded by policy Identify the policy by hovering over the value in the Excluded by column and remove the document from the policies listed in the tooltip Cannot edit delete Category because it ...

Page 158: ...nt in multiple categories 1 Go to Email Email Policies Registered Documents 2 In the Documents section select the document and click the Copy icon 3 Select the categories to which you want the document to be associated and click OK 4 Apply the changes Task Remove a document that is excluded by a policy 1 Go to Email Email Policies Registered Documents 2 In the document list locate the file that yo...

Page 159: ...er that is hosting your McAfee Quarantine Manager service Listening port the port used by your McAfee Quarantine Manager service Use HTTP to communicate with the MQM server MQM v6 and greater Enable user submitted blacklists and whitelists Update interval specify the time between updates between the appliance and your McAfee Quarantine Manager service The default value is 4 hours When you select U...

Page 160: ...ble when you have on box quarantine selected Enable digests Table 139 Option definitions Option Definition Enable digest messages Specifies whether to enable digest messages for the selected protocol preset and message Reminds you that digest messages are enabled for this protocol preset Protocol preset Allows you to make settings for any exception to the default setting For example you can specif...

Page 161: ...means internal information is visible Appliance IP address or domain name to use in digest messages Specifies an IP address or a domain name to appear as the sending information for the digest messages For example 192 168 254 200 example com Use the appliance s fully qualified domain name When selected uses the FQDN format as specified in the appliance s basic settings instead of an IP address For...

Page 162: ... where you can edit the main text of the digest Edit the body text When clicked opens a window where you can edit the first sentence of the digest You can edit the HTML content directly or at source Column headings used in the message body When Use the default value is deselected you can change the column headings that the user sees in the digest Select a response type Selects the type of message ...

Page 163: ...otocol specific configuration settings Contents HTTP Connection Settings HTTP Protocol Settings ICAP Connection Settings ICAP Authentication ICAP Protocol Settings FTP Connection Settings FTP Protocol Settings HTTP Connection Settings Use this page to specify connection settings for the HTTP protocol such as port numbers and timeouts Web Web Configuration HTTP Connection Settings Changing these se...

Page 164: ...ive because they contain only IP addresses such as 192 168 200 254 not names such as www example com User Authentication Use this section to enable user authentication for this policy By default authentication is disabled To set up authentication services select System Users Groups and Services Web User Authentication on the navigation bar Table 143 Option Definitions Option Definition Authenticat...

Page 165: ...n see your Microsoft documentation Timeouts Table 144 Option Definitions Option Definition Connection timeout Default value is 60 seconds Data timeout Default value is 60 seconds Protocol preset Allows you to make settings for any exception to the default setting For example you can require that some parts of the network use different timeout values HTTP Protocol Settings Use this page to specify ...

Page 166: ...status pages for these triggers If status pages were requested displays lists of conditions where a page will be displayed during downloads A browser such as Internet Explorer is assumed If your users have them specify Mozilla and other browsers Some types of files are often large for example gz exe zip pdf iso and bmp Some types of content such as text plain might not require download status page...

Page 167: ...r HTTP In this section you can choose Whether to use passive FTP which is a more secure form of data transfer than active FTP How to display information about files in FTP directories Short form displays only file names The other forms display more information including the file size and date Handoff host The appliance can be configured to use a handoff host for HTTP traffic A handoff host diverts...

Page 168: ...appliance to a server that requires NTLM authentication the authentication fails Forward non compliant POST requests A POST request is a request made by an HTTP client to send data to a server A non compliant POST request occurs when the client web browser appends non compliant characters such as line breaks to the POST request Such malformed requests might be part of an attack on a web server Def...

Page 169: ...certain port numbers which prevents hackers tunnelling different protocols over an HTTP connection Use this option for HTTP traffic that is not sent over the SSL The entry 1025 means port number 1025 or above Typical values are 21 70 and 80 Permitted SSL Ports Displays the HTTP port numbers that the appliance uses when forwarding traffic over SSL Secure Socket Layer For security reasons the applia...

Page 170: ...ticated User ICAP service name Default value is appliance OPTIONS time to live Indicates to the ICAP client how often the ICAP server configuration is likely to change You can recommend how long an ICAP client must wait before sending another OPTIONS request to the appliance Default value is 300 seconds Idle timeout Specifies how long the ICAP server waits for a request from the ICAP client Defaul...

Page 171: ...ers Authentication is done by another server for example a web caching appliance However if the appliance can extract the user s identity it can apply URL filtering and other policy settings based on that identity Table 157 Option definitions Option Definition Authenticated user header Specifies a header that the ICAP server adds after it has authenticated the user to show who made the request Def...

Page 172: ...ic ICAP settings Client alert messages Data trickling response modification only Permissions request modification only Service Settings Basic ICAP settings Table 158 Option definitions Option Definition Denied REQMOD headers Specifies request headers to remove For example the appliance can remove HTTP headers that contain Accept Encoding and Accept Ranges records Add Via headers to HTTP Adds Via h...

Page 173: ... cannot be used URLs include text that defines which resource is being requested After you add any schemes to this list by implication you permit the use of all other schemes that are not in the list Permitted Schemes Displays the request schemes that can be used URLs include text that defines which resource is being requested After you add any schemes to this list by implication you deny the use ...

Page 174: ...ng the Preview option ICAP header Transfer Preview Some ICAP clients will enable preview only if this header is set If most files sent for scanning are smaller than the preview size set this value to By default this field is empty and preview is disabled by the in the field above Ignore files of this type Displays the types of file that the ICAP client must not send to the appliance ICAP header Tr...

Page 175: ...icons and the port headings to reveal icons for managing the port information Enable reverse DNS lookups When selected enables the appliance to find the host name associated with an IP address Change reverse lookup settings only if you fully understand the consequences If you deny reverse DNS look ups some functions might fail Timeouts Table 164 Option definitions Option Definition Command timeout...

Page 176: ...iance is scanning large files The appliance repeatedly sends this command to that device Default command is SYST Denied commands Specifies FTP commands that the appliance does not accept Advanced setting Download status and data trickling Table 166 Option definitions Option Definition Permit downloading You can configure the appliance to start downloading data trickling the file to the client befo...

Page 177: ...iance handles FTP downloads Default values are Permit uploading Yes Scan the data Yes Block 8 bit data in ASCII mode No Send messages every Default value is 10 seconds Upload data trickling Specifies details of data trickling Default values are Delay before data trickling starts 15 seconds Trickle data every 10 seconds Amount of data to trickle each time 1024 bytes Maximum amount of data to trickl...

Page 178: ...s that can be applied to specific types of traffic or to groups of users FTP policies The appliance provides the following features when scanning the FTP protocol Web Web Policies Scanning Policies FTP Anti virus Scanner control The appliance can also handle the following types of content Alert settings ICAP policies The appliance provides the following features when scanning the ICAP protocol Web...

Page 179: ...policy can apply to all computers on the same subnet or all users in a department Benefits of using the Scanning Policies page The Scanning Policies page enables you to access all the forms you need to configure and manage your policies for the HTTP ICAP FTP and HTTPS protocols The user interface provides an overview of your policy settings giving you information about each policy such as the acti...

Page 180: ...nti Virus area of the relevant policy to open the Anti Virus Settings page From the Anti Virus Settings page you can access Anti Virus Settings Basic Options Anti Virus Settings McAfee Anti Spyware Anti Virus Settings Packers and Custom Malware options Web Reputation and Categorization Displays brief details about the URL Filtering settings Each link within the URL Filtering area of each policy op...

Page 181: ... cannot delete the default policy Add Policy When clicked enables you to create a new policy Task View policies for the HTTP ICAP or FTP protocols You use this page to create and manage your HTTP ICAP or FTP email scanning policies 1 Click Web Web Policies Scanning Policies 2 Select either HTTP ICAP or FTP from the Select a protocol drop down list The Web Web Policies Scanning Policies page refres...

Page 182: ...d so on until it is evaluated by the default scanning policy If you have created more than two scanning policies you can change the order that your appliance uses the policies to evaluate email traffic This is achieved by moving the relevant policies up or down the policy list The default policy always appears at the bottom of the list of policies You cannot change its position 1 Click Web Web Pol...

Page 183: ...a list of existing policies so that you can base your new policy on the settings of an existing policy Match logic Provides choices to use with the rules in the table Rule type Displays the type of user or device Examples of when to use this option Directory group if you have already imported groups from your LDAP servers You will be prompted to select a directory group User group for a complex co...

Page 184: ...s menu to include and exclude users and groups Value Define the value such as an IP address Move your mouse pointer over the option for help with the format of the value Add URL group Table 173 Option definitions Option Definition Group name Specifies the name for the URL group Rule type For the URL Group the rule type is Requested URL Match Displays a linking word such as is or is not like Use th...

Page 185: ...ions of cloud based signatures This reduces the delay between McAfee detecting a new malware threat and its inclusion in DAT files providing broader coverage The sensitivity levels enable you to balance the risk of missing potentially harmful content low settings with the risk of false positive detections high settings For gateway appliances the recommended sensitivity level is Medium Attempt to c...

Page 186: ... Ctrl click or click and Shift click To learn about spyware visit McAfee Labs Threat Library http vil nai com vil default aspx Anti Virus Settings Packers Use this page to specify the actions to take against packers Email Email Policies Scanning Policies Anti Virus Packers Web Web Policies Scanning Policies Anti Virus Packers Packers compress files which changes the binary signature of the executa...

Page 187: ...s further actions to take Do not perform custom malware check if the object has already been cleaned When selected prevents further processing HTTPS Web Categorization Settings Use this page to block SSL HTTPS access to specified websites The address of a secure website has the form https www example com Web Web Policies Scanning Policies HTTPS web categorization To determine which sites to block ...

Page 188: ... matches a prohibited category then access to the site is blocked If the appliance cannot see the URL provided by the browser because it is encrypted but it can see the IP address that the browser is trying to connect to the appliance takes this IP address and performs a DNS reverse look up to find the URL that the IP relates to With the return from the DNS lookup the appliance will perform the sa...

Page 189: ... users might receive from some websites If you have selected Timed setting you can also specify periods when the access to websites can vary For example Weekdays During daytime on Monday Friday 8 a m 5 p m allow access only to sites classified as SiteAdvisor Tested OK Weekday evenings During the evenings Monday Friday allow access to sites classified as SiteAdvisor Use caution Weekend On Saturday ...

Page 190: ...hen selected enables you to allow remote lookups to be made When selected the following parameters apply Default Query timeout value 200ms Default Maximum number of attempts 3 Default Cache time to live 15 minutes Default Cache retry before expiry 5 minutes If a remote lookup is requested after Default Cache time to live MINUS Cache retry before expiry time then a remote lookup will not be made Th...

Page 191: ...ator s Display Name Enter the name for administrators that is displayed to users Compliance Settings Use this page to create and manage compliancy rules Email Email Policies Scanning Policies Compliance Web Web Policies Scanning Policies Compliance Benefits of using Compliance Use Compliance scanning to assist with conformance to regulatory compliance and corporate operating compliance You can cho...

Page 192: ...k Create a simple custom rule to block email messages that contain social security numbers 1 Go to Email Email Policies Scanning Policies and select Compliance 2 On the Default Compliance Settings dialog box click Yes to enable the policy 3 Click Create new rule to open the Rule Creation Wizard 4 Type a name for the rule and click Next 5 In the Search field type social 6 Select the Social Security...

Page 193: ...me it Discontent High and assign it a threshold of 40 8 In If the compliance rule is triggered select Deny connection Block 9 Click Finish 10 Click OK and apply the changes Task Edit the threshold associated with an existing rule This task assumes that your rule includes a dictionary which triggers the action based on a threshold such as the Compensation and Benefits dictionary See Dictionaries to...

Page 194: ...plication to pass through the appliance because these MIME types are executable and are a security risk Table 186 Option definitions Option Definition Content Type Displays content types for streaming data Server Type Displays server types for streaming data Instant Messaging Use this page to specify how to handle instant messaging Web Web Policies Scanning Policies Compliance Instant messaging In...

Page 195: ...tion to take against the message And also Provides any further actions To select several items use Ctrl click or click and Shift click Use the default alert When selected issues the default alert upon detection When deselected allows you to click the link then change the text of the alert Maximum scan time Table 190 Option definitions Option Definition If the scan time exceeds Specifies the limit ...

Page 196: ...t Scanners and other applications can have difficulty reading corrupt content You can specify the action to take when the appliance detects corrupt content in Email messages Archives Documents Table 192 Option definitions Option Definition If is detected Provides a main action to take against corrupt content And also Provides several further actions to take To select several items use Ctrl click o...

Page 197: ...the default alert upon detection When deselected allows you to click the link then change the text of the alert And also Provides several further actions to take To select several items use Ctrl click or click and Shift click HTTP Scanning Use this page to scan request and response bodies cookies and headers to prevent exploits including buffer overflow attacks and malicious scripts Web Web Polici...

Page 198: ... neutral dictionaries Dictionary Displays the name of the dictionary and a symbol to indicate its type Red book Non score based Blue book Score based Green book User defined Open book Currently selected item Category Dictionaries are grouped into related categories For example Profanity and Sex are in the Acceptable Use category Used by Displays the number of policies that use the dictionary Edit ...

Page 199: ...dual term lists can apply to different contexts For example one term list might look for terms within message bodies whilst another might look for terms within the subject line Term lists For dictionaries that are score based you can view the individual lists of terms in the selected dictionary Individual term lists can apply to different contexts For example one term list might look for terms wit...

Page 200: ...s bcd or abcd When used together Starts with and Ends with match the term when it appears as a whole word Example If the term is bc the appliance responds to the words bc However the appliance ignores bcd or abc Edit When clicked opens a window that allows you to change the basic term properties or create a complex term Term details Edit the basic term properties including the actual text that you...

Page 201: ...t for example one term list may look for terms within message bodies whilst another may look for terms within the subject line Add AND condition For dictionaries that are not score based click to add new lists that are combined using the logical AND operator using the following settings Match type Specify whether the list contains regular expressions or simple strings Applies to Click the link to ...

Page 202: ...rm details Specify the basic term properties including the actual text that you are looking for as well as case sensitive wildcard and starts with and ends with as defined above Contextual matching advanced Set triggers for terms based on proximity to other terms To set these details click Add Word or Phrase Display string Set the display name for the term in the list of dictionary terms Enable ne...

Page 203: ...erm matches 0 or more of the previous term matches 1 or more of the previous term For example aa matches lines that start with aa bb matches lines that end with bb cc matches ccd acc and accd ab c matches ac abc and abbc a d b matches a2b and a23456b but not ab a c matches abc but not ac or abbc a c matches ac abc and adefghb a bcd e matches abe ace and ade but not abcde It is lunch dinner time ma...

Page 204: ... the second regular expression click the edit icon and click Test 6 Type Here is the number 111 22 3333 and click OK The Matches area shows the text that matches the regular expression Click OK or Cancel twice Task Test the social security number regular expressions 1 Go to Email Email Polices Dictionaries 2 Select the Social Security Number dictionary 3 Select the first regular expression click t...

Page 205: ...list by Description If required add a description for the dictionary list Language Define the language for the content of the list Match type Select how the appliance matches terms within this dictionary New Condition Use this dialog box to enter new terms into a dictionary Email Email Policies Dictionaries Dictionary Add Condition Web Web Policies Dictionaries Dictionary Add Condition Table 199 O...

Page 206: ......

Page 207: ...nce and links to further appliance management configuration pages that specify settings such as remote access and DNS and Routing System Appliance Management Use these pages to define settings for the appliance such as the domain name and default gateway General Use this page to specify basic settings for the appliance like those you defined in the Setup Wizard The appliance can handle IP addresse...

Page 208: ... Use the Network Interfaces Wizard to specify the IP address and adapter settings for NIC 1 and NIC 2 and change the chosen operating mode System Appliance Management General Network Interface Settings Change Network Settings Introduction to the Network Interfaces Wizard The options you see in the Network Interfaces Wizard depend on the operating mode On the first page of the wizard you can choose...

Page 209: ... the following options MTU size specifies the Maximum Transmission Unit MTU size The MTU is the maximum size expressed in bytes of a single unit of data for example an Ethernet Frame that can be sent over the connection The default value is 1500 bytes Autonegotiation state either On allows the appliance to negotiate the speed and duplex state for communicating with other network devices Off allows...

Page 210: ...Default value is 100MB Duplex state provides duplex states Default value is Full duplex Enable IPv6 auto configuration select this option to allow the appliance automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent from your IPv6 router This option is unavailable by default if your appliance is running in transparent router mode...

Page 211: ... network devices Off allows you to select the speed and duplex state Connection speed provides a range of speeds Default value is 100MB Duplex state provides duplex states Default value is Full duplex Enable IPv6 auto configuration select this option to allow the appliance automatically configure its IPv6 addresses and IPv6 default next hop router by receiving Router Advertisement messages sent fr...

Page 212: ...k activity timeout seconds becomes active when you select Monitor heartbeat and link activity in Mode Enable buzzer enabled by default DNS and Routing Use this page to configure the appliance s use of DNS and routing System Appliance Management DNS and Routing Benefits of specifying DNS servers and adding routes When you first log on to the appliance the DNS and Routing page displays the servers a...

Page 213: ... Internet When they get a reply the appliance receives it and caches the response so that other servers that query that DNS server can get an answer more quickly If you deselect this option the appliance first tries to resolve the requests or might query DNS servers outside your network Table 205 Option definitions Routing Option Definition Network Address Type the network address of the route Mas...

Page 214: ...e time zone of the appliance You might need to set this twice each year if your region observes daylight saving time Appliance Time UTC Specifies the date and UTC time for the appliance To select the date click the calendar icon You can determine the UTC time from websites such as http www worldtimeserver com Set Now When clicked applies the date and UTC time that you specified in this row Client ...

Page 215: ...a new NTP Server Task Using an NTP Server to set the appliance date and time 1 Click System Appliance Management Time and Date 2 Select Enable NTP and click New Server 3 Type the IP address of the server that you wish to add Useful websites http www ntp org http www worldtimeserver com current_time_in_UTC aspx for current UTC time Appliance Management Remote Access Use this page to provide the met...

Page 216: ... that can use Secure Shell SSH The entries here are added to the etc hosts allow file and therefore must follow its conventions We recommend that you allow access to known domains or users initially To add a network use the following notation formats IPv4 192 168 5 0 24 or 192 168 5 0 255 255 255 0 allows every host with a network address beginning 192 168 5 to access the secure shell IPv6 3ffe 50...

Page 217: ...nistrator This address appears if someone tries to access an invalid page on the appliance user interface in the form of the webmaster s email address Out of Band Management Normally the commands you issue to the appliance are part of the network traffic With out of band management your commands are directed to a third port on the appliance and become separate or out of band from the other network...

Page 218: ... configuration Enable in band management Specifies ports to prevent any attempts to access the appliance via ports over the main non management interface New Port Delete Selected Port RemoteAccessCard In 3300 and 3400 versions of the appliance there is a built in remote access card installed This section of the interface will not appear on other appliance models Choose to obtain an IP address dyna...

Page 219: ...lue to zero the appliance shuts down immediately Status Displays the status of the device Operating normally Needs attention Needs immediate attention Devices and Driver Displays the type model of the UPS device and driver Type Displays the type of connection between the appliance and the UPS USB Cable Serial Cable or Network New Device When clicked opens the Add UPS Device on page 221 wizard wher...

Page 220: ...d a serial UPS device 1 Connect the serial UPS to the appliance using the serial cable supplied with the UPS 2 Go to System Appliance Management UPS Settings 3 Click Enable UPS support and click New Device 4 Select Serial Device then click Next 5 Select appropriate values for Vendor Name UPS Device Model and Serial Port 6 Click Finish then apply the changes 7 Click Edit to change the settings for ...

Page 221: ...lick Finish and apply changes Add UPS Device Use this wizard to select the type of UPS device that you want to add and specify its details System Appliance Management UPS Settings New Device Introduction to the Add UPS Device wizard The options you see in the wizard depend on the type of device that you choose On the UPS Device Connection screen choose from USB device this option is unavailable un...

Page 222: ... page specific to the area of the user interface you are interested in Table 215 Option definitions Option Definition Retention Limits Use this area to set the limits on the maximum time or number of items retained within the database The limits differ depending on your model of hardware and the size of the appliance hard disk Event Options Events are defined as items contained in the reporting da...

Page 223: ...ounced messages can be stored in the database for use by the Message Search feature Default value is 3 days or 20000 items Event Options Use this area to define the events that are stored in the database System Appliance Management Database Maintenance Event Options Table 217 Option definitions Option Definition Insert events into the database Select to add information about reporting events into ...

Page 224: ...d name of the detection if available Configuration Change shows a unique event identifier the date and time the event was added the login name of the person who made the changes and the IP address of the computer used to make the change Table 218 Option definitions Option Definition Enable off box sql access Select to allow an off box SQL client to access the appliance Allow external database acce...

Page 225: ...be lost Maintain Database Click to manually start the database maintenance tasks ever X minutes The database checks for items in the reporting database or identified using the Message Search feature have reached the retention limit that you set Appliance Management System Administration The System Administration page provides the tools to safely turn off or reboot your appliance and provides the t...

Page 226: ... turn off its power Reboot Appliance When clicked restarts the appliance Revert to Default Configuration When clicked restores all the original out of the box settings to the appliance Task Shutting down the appliance Before shutting down the appliance ensure that you have the relevant permissions and network outage plans in place 1 Navigate to System Appliance Management System Administration Sys...

Page 227: ...d on a protected partition on the hard disk You can also manage your rescue images and create a bootable USB drive containing the rescue image from here System Appliance Management System Administration Manage Internal Rescue Image This version of the appliance includes the ability to store a rescue image On a protected partition on the appliances hard disk On a USB drive attached to one of the ex...

Page 228: ...Option definitions Option Definition Rescue image details Provides details of the rescue image currently stored within the rescue partition of your appliance Force Boot from Rescue Image Provides options to reboot your appliance from a rescue image Boot to menu If you select Boot to menu ensure that you are either local to the appliance or that you have access to the appliance using a DRAC card Pe...

Page 229: ...ings and if required your proxy settings and passwords 4 Click OK Your appliance saves these server and proxy settings Subtask Installing from the rescue image on the appliances hard disk When you have verified that you have the correct version of the rescue image stored on the protected partition of the appliances hard disk you can use this image to reimage your appliance 1 Click System Appliance...

Page 230: ...B drive overwriting any existing files and creates a bootable image Subtask Installing from the rescue image on the appliance USB drive You can use the bootable rescue image stored on an external USB drive or on an internal USB drive hardware dependant to reimage your appliance To use this 1 Click System Appliance Management System Administration Manage Internal Rescue Image 2 Ensure that the USB ...

Page 231: ...o a previous iso release of the software or to upgrade to a newer version You do this by importing the required image to the rescue partition on your appliance and then forcing your appliance to boot from the newly imported rescue image using the Perform a full installation overwriting existing data option To roll back you need to use the option 2 or 3 settings to upgrade you need to use option 2 ...

Page 232: ...is divided into the following sections Default HTTP proxy settings Default FTP proxy settings Default remote backup settings Specify the following information to set up the HTTP proxy and FTP proxy Proxy server Proxy port Proxy username Proxy password Remote backup server settings There are three options to choose from to back up to a remote server FTP SSH with password authentication SSH with pub...

Page 233: ...estore your configurations push configurations from one appliance to others and set up load balancing between your appliances Topic Description Backup and Restore Configuration Use this page to back up and restore the information about the appliance s configuration Configuration Push Use this page to copy the settings on one appliance to other appliances For example you can specify that all your a...

Page 234: ...ecify If no server is configured already the Configure Automatic Configuration Backups wizard starts Otherwise click the link next to Backup Scheduled to specify the server Include TLS certificates When selected includes information in the backup to the remote server about any digital certificates and private keys that are stored on the appliance These are included in a form that can be read that ...

Page 235: ...ther appliance The following configuration parameters are not pushed to the other appliances Network settings Hostname and domain name Default routes IP addresses Ethernet settings such as MTU and duplex Appliance operating mode explicit proxy transparent bridge transparent router Spanning tree protocol settings transparent bridge mode only DNS server addresses DHCP server settings applies to clus...

Page 236: ...master and failover then the scanning appliances will receive the most traffic to scan then the failover with the master receiving the least If you have more than three appliances in a cluster McAfee recommends that you do not enable scanning on the master appliance You cannot configure the master or the failover blades of the McAfee Content Security Blade Server to scan traffic McAfee recommends ...

Page 237: ...ppliances Cluster Failover If the master fails this appliance controls the scanning workload instead Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet assign each a different Cluster identifier to ensure the clusters do not conflict The allowable range is 0 255 Cluster configuration Master cluster and failover cluster appliances Table 2...

Page 238: ... to whichever appliance is currently acting as the master appliance Network Interface 1 or Network Interface 2 Network Interface 2 is not shown if you select explicit proxy as your operating mode Table 230 Option definitions Option Definition IP Address Specifies network addresses to enable the appliance to communicate with your network You can specify multiple IP addresses for the appliance s net...

Page 239: ... your appliance is running in transparent router mode or is part of a cluster configuration or running as part of a Blade Server installation Resilient Mode Use this page of the user interface to enable resiliency mode on your blade server This page only applies to the McAfee Content Security Blade Server Table 231 Option definitions Option Definition Enable Resilient Mode Within this area you can...

Page 240: ...or its own on box directory Table 233 Option definitions Option Definition Update information Displays the status of the information in the on box directory Information is available for query The time and date shows when the latest update occurred The on box directory has no data or is not up to date Update Now When clicked the appliance immediately copies directory information from the servers un...

Page 241: ...ance that is specified in the Kerberos authentication service settings If selected ensure your DNS is set up correctly for the hostname for both forward and reverse lookups otherwise significant delays can occur during authentication of users Configure HTTP user authentication When clicked opens another page To open the page at other times select Web Web Configuration HTTP Connection Settings from...

Page 242: ...hange details for the System Administrator Delete Delete the user You cannot delete the System Administrator To reset a password for another user a super administrator can click on the Edit icon in the user s row in the table By default other administrators cannot change the settings on this page You can create any number of users each with their own password where applicable The users capabilitie...

Page 243: ...ions Option Definition Display custom user notification When selected displays a message that the user will see when logging on To change the message click Edit to open the Custom Text window To restore the original message click Reset in the Custom Text window Add Login Service This topic describes the pages that enable you to configure authentication services such as Kerberos or RADIUS on your a...

Page 244: ... to specify the realm should appear after the delimiter character or Prefix to specify the realm should appear before the delimiter character An example of a Postfix realm is myusername realm and an example of a Prefix realm is realm myusername Realm delimiter If a realm name has been specified choose the character used to separate the user name from the realm name By default this is which gives y...

Page 245: ... login will be refused unless a role is defined by a local user of type External user or a RADIUS attribute Role Mappings Kerberos Table 244 Option definitions Option Definition Default Role Choose the role to assign to a user who does not match any of the criteria above None indicates that no role will be assigned meaning that login will be refused unless a role is defined by a local user of type...

Page 246: ...n using Active Directory 2003 This topic explains how to configure the appliance to use Kerberos authentication in a Microsoft Active Directory 2003 environment It explains how to configure the appliance to authenticate users when they access the Internet Before you begin This topic involves several pages of the interface We recommend that you print the topic before starting the task Alternatively...

Page 247: ...wnload and extract the ktpass exe 91 136 bytes file from the support cab file to a temporary folder For further details see the article http www microsoft com downloads details aspx familyid 96A35011 FD83 419D 939B 9A772EA2DF90 displaylang en b On the Windows desktop open a command prompt click Start Run type command and click OK c Create a keytab file scm keytab to be imported into the appliance ...

Page 248: ...yntax Example Test the forward zone for the appliance Names to IP addresses nslookup host_name nslookup scmgateway mcafee local Test the reverse zone for the appliance IP addresses to names nslookup IP_address nslookup 192 168 0 15 Test the forward zone for the Domain Controller KDC Names to IP addresses nslookup host_name nslookup kdc mcafee local Test the reverse zone for the Domain Controller K...

Page 249: ...vice type Kerberos Authentication Select Prevent Web Access when Authentication fails Click Next and type the following information KDC hostname kdc mcafee local Username normalization None e Click Next and click Apply All Changes Now Click Next and import the keytab file After the Kerberos keytab file is imported successfully a message is displayed Click Finish If this process fails delete all Ac...

Page 250: ...d and add the FQDN of the appliance to this zone Click OK then click Custom Level and select Automatic logon only in Intranet Zone and click OK The option is at the end of the scrolling list f Click the Advanced tab select Enable Integrated Windows Authentication requires restart then click OK The option is near the end of the scrolling list g Close and open the browser again Try to access a websi...

Page 251: ...laces the appliance on a reputation black list only a virtual host is affected not the whole appliance Virtual hosts behave differently depending on whether the virtual host is running in proxy mode which listens on the inbound addresses while virtual hosts running in transparent mode intercept traffic going to the IP addresses listed If you create outbound IP address pools on both the LAN1 and LA...

Page 252: ...rtual host available 1 Go to System Virtual Hosting Virtual Hosts 2 Ensure that Enable virtual hosting on this appliance is checked 3 Click Add The Add Virtual Host dialog box appears 4 Type a Virtual host name 5 Type a Description for this virtual host This step is optional but enables you to quickly identify further information about this virtual host 6 Type the Host name 7 Type the Domain name ...

Page 253: ...rch Reports Icon for virtual appliance Host name This value is used in the SMTP greeting banner If the host name is a Fully Qualified Domain Name FQDN the domain name does not appear in the SMTP greeting banner Domain name Displays the domain name of the virtual host The domain name has the form domain dom and must be unique across all virtual hosts If the host name is a Fully Qualified Domain Nam...

Page 254: ... 168 254 1 24 The IP addresses are created on the network driver so you cannot ping or see the IP address by running the ip addr show commands Network address The appliance auto fills this field based on the information you enter in Address range Network interface Select the interface on which you need to create the IP addresses Choose from LAN1 or LAN2 The IP addresses are created on the network ...

Page 255: ...u enter in Address range Network interface Choose from LAN1 or LAN2 If you have created outbound IP address pools on both LAN1 and LAN2 the IP addresses from the interface it connects out from is used Virtual Networks Use this page to specify virtual networks System Virtual Hosting Virtual Networks Table 251 Option definitions Option Definition Network address Specifies a virtual network address s...

Page 256: ... from Certification Authorities System Certificate Management Certificates CA Certificates Digital certificates are needed for the secure transfer of email Over 100 popular certificates from certificate authorities such as Thawte and Verisign are available Certificates typically have a lifetime of several months or years so they do not need to be managed often RSA keys can be used both for encrypt...

Page 257: ...tificate chains and certificates with password protected private keys The appliance only verifies the certificate and makes it available to use after you click the icon to apply your changes If a yellow exclamation point appears next to the certificate after you click the green checkmark to apply the change the certificate is not currently trusted Import the associated CA certificate before you us...

Page 258: ... the certificate s expiry date such as May 05 2010 12 15 00 Delete When clicked deletes the selected certificate View When clicked displays details of the selected certificate such as its version issuer and public key Export When clicked opens another window where you can choose to export the certificate or a complete certificate chain and specify the certificate format The file name extension is ...

Page 259: ... Import When clicked opens a window where you can specify the file To import a password protected certificate type the passphrase to unlock the private key The appliance stores the decrypted certificate in a secure internal location The appliance only verifies the certificate and makes it available to use after you click the icon to apply your changes Export When clicked opens a window where you c...

Page 260: ...ed opens a browser for selecting a file The appliance can fetch a local file or a file from a website The appliance only verifies the CRL and makes it available to use after you click to apply your changes CRL updates Use this page to specify how often the appliance fetches updates to its Certificate Revocation Lists System Certificate Management Certificate Revocation Lists CRLs CRL updates If th...

Page 261: ...itor Settings System Log Settings WebReporter Logging Configuration Email Alerting Use this page to decide who receives an email message when events such as a virus detection occur System Logging Alerting and SNMP Email Alerting Table 258 Option definitions Option Definition Anti virus events to Aggregated data events When selected sends email messages when this type of event occurs To change the ...

Page 262: ... Token name Description ACTIONNAME The action being taken AV ACTIVECONTENT The list of active content found in the item HTML ATTACHMENTCONTEXT A detailed description of the sub contexts that triggered only different from ATTACHMENTNAME when have multiple condition rules Compliance ATTACHMENTNAME Name of the item being scanned AVDATVERSION The DAT version used by the anti virus engine AV AVENGINENA...

Page 263: ... in SMTP SMTP SENDER Envelope Email Sender Available in SMTP SMTP SITEADVISOR The SiteAdvisor web reputation of the requested URL URL SIZE Size of data SOURCEHOST Source host name SOURCEIP Source IP address SUBJECT Email Subject Available in SMTP SMTP TOTALSCORE Total accumulated score for the stream Compliance URL_CATEGORY The filtered category that has matched the requested URL URL URL_REQUEST_D...

Page 264: ...IELDVIRTUALIP Virtual IP address Table 261 Alert tokens for Quarantine digest messages Token name Description Message body SPAM_LIST A list of email messages quarantined as spam since last digest FULL_SPAM_LIST A full list of email messages quarantined as spam CONTENT_LIST A list of email messages quarantined because of content violations since the last digest FULL_CONTENT_LIST A full list of emai...

Page 265: ...fied in the request RULE The matched rule that led to the response USER_AGENT User agent Table 263 Alert tokens for HTTP ICAP Download status messages Token name Description COMFORT_DOWNLOADED Number of bytes downloaded COMFORT_FILE File being downloaded COMFORT_PERCENTCOMPLETE Percentage of the file downloaded COMFORT_REFRESHINTERVAL Refresh time for the comfort page COMFORT_SCANNINGTIME Time spe...

Page 266: ...anned AV DLP ATTACHMENTNAME Name of the item being scanned compliance BLOCKED_URL The URL that was requested and blocked by the web categorization engine URL BLOCKED_URL_ICAP The URL that was requested and blocked by the web categorization engine URL for the ICAP REQMOD DLP_RULE The registered document categories that triggered DLP_FINGERPRINTSOURCE The registered document name DLP_REPORT Detailed...

Page 267: ...The number of compliance detections HTTP HTTPOTHERS The number of other detections HTTP ICAPNUMREQUESTS The number of ICAP requests received ICAPVIRUSDETECTED The number of viruses detected ICAP ICAPPUPSDETECTED The number of PUPs detected ICAP ICAPURL The number of URL web categorization detections ICAP ICAPSITEADVISOR The number of SiteAdvisor detections ICAP FTPNUMREQUESTS The number of FTP req...

Page 268: ...gs Table 266 Option definitions Option Definition Name to Community name Versions 1 and 2 of the SNMP protocol use the community name like a password The community name is required with each SNMP Get request to allow access to the appliance The default Community Name is public If you have several appliances change the default name of appliance Security Options v3 only Table 267 Option definitions ...

Page 269: ... collected and delivered to the on appliance logging system or sent to an off box solution Select the type of logging format that you want to use This option creates an output log file that is structured so that it can be easily read by third party applications and used to generate custom reports Due to the amount of data generated we recommend that this option is only enabled when using TCP syslo...

Page 270: ...appen Extended Syslog attributes for ArcSight Using the extended Syslog functions within the appliance you can use external third party software such as ArcSight to generate Syslog reports Table 270 Events for ArcSight Event ID Event Description 50005 Logging of the email status during processing 50006 Logging of the email status during processing 50022 Logging of the email status during McAfee Qu...

Page 271: ...le dhost Originating IP address of the host making the connection src Originating hostname of the host making the connection shost The sender of the email suser A list of recipient email addresses duser Whether inbound 0 or outbound 1 as defined by the administrator for the policy deviceDirection Name of active policy sourceServiceName Filename in which the detection occurred filePath A unique id ...

Page 272: ...e field cs5 If cs5 is AS spam threshold score cs3Label The attachments of the email if available cs4 email attachments cs4Label For a detection event the scanner which triggered the event AP Anti Phish AS Anti Spam AV Anti Virus DL Data Loss Prevention FF File Filtering MF Mail Filtering MS Mail Size PA Packer PU Potentially Unwanted Program PX Compliancy SA SiteAdvisor UF URL Filtering cs5 master...

Page 273: ...for the event 1 indicates primary action 0 1 scanner Which scanner detected the event AV Anti Virus action The action taken for the event ESERVICES REPLACE Replace with an alert WEBSHIELD REFUSEORIGINAL Refuse the email WEBSHIELD ACCEPTANDDROP Accept the email and then drop it ESERVICES ALLOWTHRU Allow the email through WEBSHIELD DENYCONNECTION Refuse the email and deny the connection for a period...

Page 274: ... event tz The timezone where the event is generated UTC tz_offset The timezone offset in use where the event is generated 0000 Table 273 Glossary event_id Name Scanner 50006 Email Status 180000 Anti virus engine detection AV Anti Virus 180002 Anti spam classification AS Anti Spam 180002 Anti spam classification AP Anti Phish 180003 File format detection FF Format Blocking 180004 MIME format detect...

Page 275: ...ng the reporting software For Web Reporter the URL typically has the form http server IP address 9111 logloader For secure communication use https and port 9112 Purge after transfer Select to purge events from the database on the appliance after they have been transferred to Web Reporter Purge Threshold Specifies the number of events the appliance collects before the data is transferred from appli...

Page 276: ...ent Level A symbol that indicates the severity of the event High Severity We recommend that this event is recorded in the log Medium Severity Low Severity High Volume A symbol that indicates how often this event occurs The event can generate a high volume of log records Description A description of the event such as Quarantine Component Management The component management area of the user interfac...

Page 277: ...tor server you can now configure your appliance to use ftp or http to download the v2 DAT files and scanning engine files These DAT files and scanning engine updates can be obtained by ePolicy Orchestrator and pulled from the ePolicy Orchestrator repository using the McAfee Agent You can also manually download the files and install them onto your appliance You cannot use the Update Status pages to...

Page 278: ...ds that you do not include that update when you export the update file Table 277 Automatic package updates Option definitions Option Definition Update scheduled When clicked the link opens a wizard where you can specify the type source and schedule for installing packages such as hot fixes and service packs Update now Installs packages immediately You can select options about how the package updat...

Page 279: ... the size of the update file as small as possible 1 Go to System Component Management Update Status 2 Click the link in the Scheduled column for the Web categorization database component 3 Click Next to have the update use the default update server settings 4 In Choose how to update the web categorization database select the Incremental option and click Next 5 In Time to schedule update for select...

Page 280: ...switch off FTP as an update method altogether Table 280 Option definitions Option Definition HowFTPupdatesiteshouldbeused Default value is Secondary Site If the appliance receives its updates from an ePO server the value is Not Used Server Default value is ftp nai com Port Default value is 21 Directory For anti virus updates the default value is virusdef 4 x Username Default value is anonymous Pas...

Page 281: ...ult value is 21 Directory For anti spam updates the default value is spamdefs 1 x Username Default value is anonymous Password Default value is anonymous Use the default proxy settings configure defaults The appliance uses information that you type here or the default settings from another page To access the page at any other time select System Appliance Management Default Server Settings on the n...

Page 282: ...s and Hotfixes and update them immediately to ensure that your appliance remains as up to date as possible McAfee recommends that you update the software packages manually on a new appliance using the Update From File option then go to the System Component Management Update Status scheduling options in Automatic package updates to create regular updates at a time when traffic is low such as during...

Page 283: ...er for any changes Apply When clicked installs or downloads the patches that you specified ePO Use this page to manually set up the appliance to be managed by ePolicy Orchestrator System Component Management ePO The information and settings in this page provide similar features as found in the ePO Managed Setup pages of the Setup Wizard Table 286 Option definitions Option Definition Export Configu...

Page 284: ...licy Orchestrator management and that your changes will be overwritten the next time that ePolicy Orchestrator updates the configuration Task Configuring the appliance to work with ePolicy Orchestrator Use this task to set up the appliance to be managed by ePolicy Orchestrator 1 From your Email and Web Security Appliance select Resources and then click ePO Extensions and ePO 4 5 Help to download t...

Page 285: ...ode on page 285 Transparent Router mode on page 286 Explicit Proxy mode on page 287 Transparent Bridge Mode Use this page to specify the type of installation Standard Setup installation has fewer steps and is intended for Transparent Bridge mode Custom Setup installation allows you to select the operating mode Restore from a File installation allows you to set up the appliance using the configurat...

Page 286: ...rlier version of the software some details are not available ePO Managed Setup installation allows you to configure only the settings that you need if you plan to have your appliance managed by McAfee ePolicy Orchestrator The appliance operates in one of the following modes Transparent Bridge Transparent Router or Explicit Proxy The mode affects how you integrate the appliance into your network an...

Page 287: ...affects how you integrate the appliance into your network and how the appliance handles traffic You will need to change the mode only if you restructure your network Transparent Bridge Mode on page 285 Transparent Router mode on page 286 Explicit Proxy mode In Explicit Proxy mode some network devices send traffic to the appliance The appliance then works as a proxy processing traffic on behalf of ...

Page 288: ...etect and with your permission remove potentially unwanted programs PUPs Some purchased or intentionally downloaded programs act as hosts for PUPs Removing these PUPs might prevent their hosts from working Be sure to review the license agreements for these host programs for further details McAfee Inc neither encourages nor condones breaking any license agreements that you may have entered into Ple...

Page 289: ... the mode Transparent Bridge Transparent Router or Explicit Proxy User ID The scmadmin user is the super administrator You cannot change or disable this account and the account cannot be deleted However you can add more login accounts after installation Current Password New Password The original default password is scmchangeme Specify the new password Change the password as soon as possible to kee...

Page 290: ...Finish the setup wizard has completed and the appliance is configured as a transparent bridge Use the IP address shown here to access the interface For example https 192 168 200 10 Note that the address begins with https not http When you first log onto the interface type the user name scmadmin and the password that you gave to this setup wizard Table 288 Option definitions Option Definition The v...

Page 291: ...ent Router or Transparent Bridge mode and the protocol is disabled traffic for the protocol passes through the appliance but is not scanned If the appliance is in Explicit Proxy mode and a protocol is disabled traffic directed to the appliance for that protocol is refused The protocol is blocked at the appliance In Explicit Proxy mode only SMTP POP3 HTTP ICAP and FTP traffic is handled by the appl...

Page 292: ... to configure the IP address and network speeds for the appliance You can use IPv4 and IPv6 addresses separately or in combination To prevent duplication of IP addresses on your network and to deter hackers give the appliance new IP addresses and disable the default IP addresses The IP addresses must be unique and suitable for your network Specify as many IP addresses as you need Table 290 Network...

Page 293: ...ions at that moment in time is assigned the next connection For a cluster of appliances If you have only a master and a failover appliance with both configured to scan traffic the master will send most connections to the failover appliance for scanning If you have scanning appliances and scanning enabled on the master and failover then the scanning appliances will receive the most traffic to scan ...

Page 294: ...tion Address to use for load balancing Specifies the appliance address Provides a list of all subnets assigned to the appliance Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet assign each a different Cluster identifier to ensure the clusters do not conflict The allowable range is 0 255 Enable scanning on this appliance Not applicable ...

Page 295: ...cifies how many hosts are on your network for example 255 255 255 0 Gateway Specifies the IP address of the router used as the next hop out of the network The address 0 0 0 0 IPv4 or IPv6 means that the router has no default gateway Metric Specifies the preference given to the route A low number indicates a high preference for that route New Route Add a new route to the table Use the arrows to mov...

Page 296: ...n turn to determine the correct time Password Use this page in the Custom Setup Wizard to specify a password for the appliance For a strong password include letters and numbers You can type up to 15 characters Table 297 Option definitions Option Definition User ID This is scmadmin You can add more users later Password Specifies the new password Change the password as soon as possible to keep your ...

Page 297: ...e 288 Basic Settings Standard setup on page 288 Network Settings on page 292 Cluster Management on page 293 DNS and Routing on page 212 Time Settings on page 295 Password on page 296 Summary Standard setup on page 290 Contents Import Configuration Values to Restore Traffic Custom setup Basic Settings Custom setup Cluster Management DNS and Routing Time Settings Password Summary Custom setup Import...

Page 298: ...option applies these ePO configuration settings Traffic Custom setup Use this page when selecting the Custom Setup Wizard to specify the type of traffic that the appliance will scan and the local relay domain Email traffic includes SMTP and POP3 You can also choose to enable protection against Potentially Unwanted Programs and to enable McAfee Global Threat intelligence You can also configure the ...

Page 299: ...nning workload instead Device name Specifies a name such as appliance1 Domain name Specifies a name such as domain1 com Default Gateway Specifies an IPv4 address such as 198 168 10 1 You can test later that the appliance can communicate with this server Next hop router Specifies an IPv6 address such as FD4A A1B2 C3D4 1 Cluster Management Use this page to specify cluster management balancing requir...

Page 300: ...ion definitions Option Definition Cluster identifier If you have more than one cluster or McAfee Content Security Blade Server on the same subnet assign each a different Cluster identifier to ensure the clusters do not conflict The allowable range is 0 255 Cluster Management Cluster Master Use this page to specify information for a master appliance Table 303 Option definitions Option Definition Ad...

Page 301: ...t reliable server If the first server cannot resolve the request the appliance contacts the second server If no servers in the list can resolve the request the appliance forwards the request to the DNS root name servers on the Internet If your firewall prevents DNS lookup typically on port 53 specify the IP address of a local device that provides name resolution New Server Delete Selected Servers ...

Page 302: ...ecause NTP messages are not sent often they do not noticeably affect the appliance s performance Table 307 Time Settings Option definitions Option Definition Time zone Specifies your local time zone You might need to set this twice each year if your region observes daylight saving time System time local Specifies the date and the local time To set the date click the calendar icon Set Appliance Tim...

Page 303: ...and the password that you gave to this setup wizard Table 309 Option definitions Option Definition The value is set according to best practice The value is probably not correct Although the value is valid it is not set according to best practice Check the value before continuing No value has been set The value has not been changed from the default Check the value before continuing ePO Managed Setu...

Page 304: ...r help extensions for the two ePO Extensions listed above This file installs the help extensions relating to the ePolicy Orchestrator extensions for Email and Web Security Appliances onto your ePolicy Orchestrator server Import ePO connection settings Click to browse to the ePolicy Orchestrator connection settings file to import the ePolicy Orchestrator connection information into the appliance Ta...

Page 305: ...addresses on your network and to deter hackers give the appliance new IP addresses and disable the default IP addresses The IP addresses must be unique and suitable for your network Specify as many IP addresses as you need Table 312 Network Settings Option definitions Option Definition Change Network Settings When clicked starts a wizard with the following options Operating mode Offers a choice of...

Page 306: ...se this page to specify information for a scanning appliance Table 313 Option definitions Option Definition Cluster identifier Specifies an identifier Range is 0 255 Cluster Management Cluster Master Use this page to specify information for a master appliance Table 314 Option definitions Option Definition Address to use for load balancing Specifies the appliance address Cluster identifier Specifie...

Page 307: ...n answer more quickly If you deselect this option the appliance first tries to resolve the requests or might query DNS servers outside your network Table 317 Option definitions Routing Option Definition Network Address Type the network address of the route Mask Specifies how many hosts are on your network for example 255 255 255 0 Gateway Specifies the IP address of the router used as the next hop...

Page 308: ...in turn to determine the correct time Password Use this page in the Custom Setup Wizard to specify a password for the appliance For a strong password include letters and numbers You can type up to 15 characters Table 319 Option definitions Option Definition User ID This is scmadmin You can add more users later Password Specifies the new password Change the password as soon as possible to keep your...

Page 309: ...orrect Although the value is valid it is not set according to best practice Check the value before continuing No value has been set The value has not been changed from the default Check the value before continuing Overview of System features Setup Wizard McAfee Email and Web Security Appliances 5 6 0 Product Guide 309 ...

Page 310: ......

Page 311: ...Resources link at the top of the window provides links to the following information Contacting support Submitting a sample The Virus Information Library Additional resources including links to a list of McAfee addresses and to the SNMP MIB definitions Contents Troubleshooting Tools Troubleshooting Reports Tests Troubleshooting Tools Use these topics to learn about the troubleshooting tools include...

Page 312: ...at from the Linux top command Table 322 Option definitions Option Definition Pause When clicked stops the information being updated Click Resume to return to normal updating Uptime Info Displays how long the system has been running Load Averages Displays the load averages which are the average number of processes that are ready to run during the last 1 5 and 15 minutes CPU Displays the percentage ...

Page 313: ...t for this route A destination of 0 0 0 0 means that the default route specified by the Setup Wizard is used Gateway or Next Hop Displays IP address of the router used as the next hop out of the network The address 0 0 0 0 means that route has no default gateway Genmask Displays network mask that determines whether an IP address is the address of a network or of a specific host Flags Displays info...

Page 314: ...s next to more names to see the size of the subdirectories Size to Percentage used Displays information about each main directory Percentages are rounded to the nearest whole number Troubleshooting Reports Use these topics to learn about the troubleshooting reports included within the appliance Troubleshoot Reports Contents Minimum Escalation Report Capture Network Traffic Save Quarantine Log File...

Page 315: ...apture Network Traffic Use this page to capture the TCP traffic coming in and out of the appliance for later analysis Troubleshoot Troubleshooting Reports Capture Network Traffic This tool will not work correctly if the appliance is running in transparent router mode or transparent bridge mode The output file is gzip compressed tcpdump capture file You can analyze the output with a tool such as Wi...

Page 316: ... which can take a few minutes to produce To view the lists of quarantined items on the appliance select Email Message Search on the navigation bar To view the queued email select Email Email Overview Table 327 Option definitions Option Definition Quarantine viruses to MQM deferred When selected specifies which items to include in the report If you select Quarantine viruses Quarantine queue or MQM ...

Page 317: ...en clicked allows you to download the logs The link is active only after the log files have been generated System Log Viewer Table 329 Option definitions Option Definition Log file to view From the drop down list select the log file that you want to view System log this shows the contents of the system log stored at var log messages Mail log with on box syslog enabled this shows the contents of ma...

Page 318: ...hat was being handled by the appliance at the time of the error This can greatly assist McAfee in diagnosing the problem Auto submit error events Allows the appliance to automatically submit information about error events to McAfee Event lifetime The number of days that the appliance will store events for if an error is detected Submit selected events to McAfee Use this to send error reports to Mc...

Page 319: ...e appliance address States whether each DNS server can find the appliance given its domain address and its fully qualified domain name Check for McAfee GTI file reputation connectivity Confirms that the servers can be accessed via a test sample Query the SiteAdvisor update server States whether the appliance can contact the SiteAdvisor server Query the McAfee GTI message reputation lookup server S...

Page 320: ...ts are available only if ePO Management is enabled See System Component Management ePO The tests do the following Check that the updater has started Check that the appliance is listening to the ePO server Check that the appliance can send data to the ePO server Check that the number of ePO events waiting to be sent to the ePO server does not exceed a predefined threshold Overview of Troubleshoot f...

Page 321: ...our appliance and the ePolicy Orchestrator server You can download the ePolicy Orchestrator extensions from the Resources link within the Email and Web Security Appliances user interface This zip file contains two ePolicy Orchestrator extensions the EWG 1 5 extension that provides the monitoring and reporting capabilities for Email and Web Security Appliances versions 5 5 and 5 6 as well as for Mc...

Page 322: ......

Page 323: ...aged by ePolicy Orchestrator you need to import the configuration details from your ePolicy Orchestrator software In addition you also need to install the Email and Web Security extension available from the Resources link within the Email and Web Security Appliances user interface onto your ePolicy Orchestrator software To assist you with setting up your Email and Web Security Appliances for ePoli...

Page 324: ......

Page 325: ...ur appliance making configuration changes from within the appliance user interface will make hte required changes but these changes are likely to be overwritten with the next configuration push from your ePolicy Orcestrator server Within ePolicy Orchestrator the configuration pages for your appliances can be found by browsing to Menu Gateway Protection and then selecting either Email and Web Gatew...

Page 326: ......

Page 327: ...services Kerberos 241 RADIUS 241 autonegotiation 207 B backup configuration 233 backup server 232 basic options anti virus settings 116 184 blocked messages retention limits 222 blocking instant messaging 194 bounced messages retention limits 222 Bubbleboy 108 C changes making to appliance operation 12 cloud anti virus protection 109 cluster configuration IPv6 auto configuration 215 statistics 21 ...

Page 328: ...ypographical conventions and icons 7 domain adding local domain 89 dynamic routing 212 E email how messages are processed 59 report filter options 40 49 55 reports 33 Email and Web Security Appliances working with 9 email detections external access to 224 email policies compliance 130 191 email queues 21 Email Scanning Policies menu 103 email status 21 ePO integration with 321 management by 321 mo...

Page 329: ...Kerberos configuring 243 Kerberos authentication services 241 Kerberos user authentication Microsoft Active Directory 2003 246 L least used 236 293 299 listening ports 16 lists changing information 14 making and viewing 13 ordering alphabetically 15 removing many items from 13 removing single items from 13 viewing long 14 load balancing configuring 236 log files save 316 view 316 lookups with anti...

Page 330: ... hosts 253 policy anti virus settings 104 POP3 content policies 102 POP3 policies 101 ports ePO 16 ePolicy Orchestrator 16 intercept 16 listening 16 transparent 16 problem solving 311 protocol presets with anti relay settings 89 protocol settings ftp 175 http 165 icap 172 proxy server adding 232 public key authentication 232 PUPs special actions 108 push configuration 235 Q quarantine options off ...

Page 331: ...84 shut down the appliance with UPS 219 SMTP content policies 102 smtp policies 101 spam rules and engine updates 276 special actions 108 Splunk extended syslog attributes 272 spyware 106 SSH 232 static routing 212 statistics Dashboard 21 streaming media 194 substitution variables 262 summary Dashboard 21 email 59 reports 29 system 207 troubleshoot 311 web 163 system report filter options 40 49 55...

Page 332: ... Universel Temps Coordinee 214 V variables alert 262 substitution 262 view log files 316 Virtual Host adding 253 virus scanning types of 106 viruses detecting new 107 VBS Bubbleboy MM 108 W97M Melissa MM 108 W warning messages Dashboard 21 web report filter options 40 49 55 reports 43 scanning policies 179 web categorization database update now 281 updates 276 web detections external access to 224...

Page 333: ......

Page 334: ......

Page 335: ......

Page 336: ...700 2647A00 00 ...

Reviews:

No comments

Related manuals for MAP-3300-SWG - Web Security Appliance 3300

3Com OfficeConnect 3C16771 User Manual preview
OfficeConnect 3C16771
Brand: 3Com Pages: 182
Keezel keezel Detailed Instructions preview
keezel
Brand: Keezel Pages: 27
H3C SecPath F1000-AI-X0 Installation Manual preview
SecPath F1000-AI-X0
Brand: H3C Pages: 73
Asus AAEON FWS-2272 User Manual preview
AAEON FWS-2272
Brand: Asus Pages: 93
Huawei E8000E-X16 Manual preview
E8000E-X16
Brand: Huawei Pages: 182
Fortinet FortiGate 300 Installation & Configuration Manual preview
FortiGate 300
Brand: Fortinet Pages: 282
ZyXEL Communications ZyWALL USG 100 Series Manual preview
ZyWALL USG 100 Series
Brand: ZyXEL Communications Pages: 1157
PaloAlto Networks PA-5000 Series Hardware Reference Manual preview
PA-5000 Series
Brand: PaloAlto Networks Pages: 34
Watchguard Firebox t10 Release Note preview
Firebox t10
Brand: Watchguard Pages: 24
Barracuda Networks Spam Firewall Outbound Quick Start Manual preview
Spam Firewall Outbound
Brand: Barracuda Networks Pages: 2
Draytek VIGOR2950 User Manual preview
VIGOR2950
Brand: Draytek Pages: 217

Brands by name

Popular brands

Load more brands