McAfee IPS - How to Install McAfee Network Security Manager and Network Security Platform


          The intent of this article is to walk you through the installation of the McAfee IPS sensor,
          Network Security Platform (NSP), and the McAfee Network Security Manager (NSM).
          Once both the manager and sensor have been installed, I'll demonstrate how to integrate
          the two, update policies, enable GTI, and enable Application Identification.







         This video walks you through the steps required to install and integrate a McAfee IPS

         sensor with the McAfee Security Manager.  You can also follow the step-by-step instructions below instead.




    Download and install NSM Software

        Go to the McAfee download site; at this point you will enter your grant number.





        Once on the download page, navigate to "McAfee Network Security Platform".



              download nsp.JPG


         Scroll down until you find the NSP Manager Software. After you click on the link you'll
         have to agree to McAfee's End User License Agreement before downloading the software.


              NSM software.JPG


         On the download page select the version of Network Security Manager that you'd like

         to install.  For the purposes of this document we used


              Tip: download the software directly onto the server you'd like NSM to be installed on. 


              NSM version.JPG

    Installing the Sensor

        The sensor I will be using is the M-1450


              Sensor faceplate.JPG

         Connect to the device via the console to configure an IP address, which is used later during
         the integration process with NSM.



    Baud Rate:        38400
    Number of bits:   8
    Stop Bits:        1
    Flow Control:     None



         Once you've connected to the sensor, the default username and password are admin/admin123.

         Type the commands:

             "set sensor ip" and

             "set sensor gateway"



         This gives the sensor an IP address that is accessible to the Network Security Manager you'll
         be installing.


         At this point, test access via SSH using the assigned IP address.

         The SSH default username and password are admin/admin123.



         If your connection is successful, WAIT; do not complete the sensor configuration yet.


              Note: We will complete the sensor management integration in a later step.


         If your connection failed, go back to the console connection and type the command "show"
         to verify the IP and gateway settings.


    Network Security Manager Installation


    Server Requirements


              server requirements.JPG


         After saving the NSM software to the desktop of the server you'd like to be your manager,
         double-click the NSM icon to begin the install process.


              nsm desktop icon.JPG


          The installation wizard opens after the "InstallAnywhere" dialogue box is finished.
         During the wizard you'll need to click through the steps listed in the screenshot above.
         "Install Type" depends on whether this is a Central Manager or a standard Manager.
         The rest of the questions refer to installation locations and resources. I've selected all the defaults;
         please choose what makes most sense for your installation and make notes if default folder locations
         are changed.


        *If you'd like to connect to an existing database the credentials are asked for during setup in

         the "Customize Installation" section.


         If no database has been preconfigured on this server then one will be installed during this time. 


        *Please make note of the user names and passwords used during the installation process.

         This process should take approximately 15 minutes. Once complete, you can access the manager
         via https://<computername> or https://<ipaddress_of_nsm_host>



    Configuration of the Network Security Manager

         If a browser doesn't launch on completion of installation open a browser and navigate to the manager

         at one of the above listed options.


         *Supported Browsers as of 6-2014

              IE 9.0, 10.0, and 11.0


              Safari 6.0 & 7.0

              *Note: Recent versions of Chrome will not support the Java required in NSM version 8.2 or older


         At this point one of two options will present itself: you'll find yourself either at a configuration wizard
         or on the NSM dashboard with no information.


    Configuration Option 1 - Wizard

              NSM install wizard.JPG


        You'll notice that the wizard walks through a 10-step process.  This process updates the manager
         to the latest signature set and allows you to set a schedule to check for and install new signatures.


        The video and following write-up DOES NOT follow option 1


    Configuration Option 2 - Blank Dashboard

              NSM blank dashboard.JPG



         The video follows option 2 for many reasons, the main one being that after following these
         steps the administrator is more familiar with the workflows for making changes in NSM.


    Integrating NSM with Sensor

         From the dashboard navigate to the "Devices" tab.  On the left-hand side of the page select the
         "Add Device Wizard" option.  Earlier in the sensor configuration we didn't complete the setup
         because we want to establish a trust between the sensor and the manager, and at the time of the
         sensor install the manager wasn't ready, so a trust couldn't have been established.

         On the "Add Device Wizard" page fill in the "Device Name", "Device Type", "Shared Secret"
         (this will be the same on the sensor), and "Confirm Shared Secret".


             Hit "Next" and navigate to your sensor through either a console or SSH connection.

              Sensor wizard on NSM.JPG


         Type "setup" on the command line.  You will now be guided through the steps necessary to
         connect the sensor to the manager.


              nsm sensor and terminal.JPG



        The "setup" command walks you through:


              Sensor Name (must match the name entered on the manager in order to establish a trust)

              IPv4 or IPv6

              Sensor IP address

              Sensor subnet mask

              Manager primary address

              Manager secondary address (if one has been configured)

              Sensor default gateway

              Management port configuration

              Shared Secret Key (This is the same shared secret key entered on the manager)


         Once you have entered (and confirmed) the shared secret key on the sensor, go back to the manager
         and select "Next".  At this point the NSM will try to establish a trust with the sensor; if there are no
         typos and the two devices can communicate over the network, a trust should be established within a couple
         of minutes.
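         The trust fails silently on the sorts of mistakes listed above: a sensor name that does not match the manager entry, a shared secret typed differently on the two sides, or an IP/gateway combination (from the earlier "set sensor ip" / "set sensor gateway" step) that leaves the sensor without a route to the manager. The following is an added example, not part of the original article and not McAfee's code: a small pre-flight check that catches those mismatches before the wizard is run. The ManagerEntry and SensorSetup records, their field names, and every sample value are constructed for illustration; the real "Add Device Wizard" and "setup" command are interactive and expose no such API.

```python
"""Pre-flight check for sensor/manager trust establishment.

Added example, not part of the original article and not McAfee software.
ManagerEntry / SensorSetup and every sample value are constructed to mirror
the fields the page lists for the "Add Device Wizard" and the sensor "setup"
command; the real tools are interactive and have no such API.
"""
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class ManagerEntry:
    """Values typed into the NSM "Add Device Wizard" (hypothetical record)."""
    device_name: str
    shared_secret: str
    manager_address: str      # the manager IP the sensor must point at


@dataclass
class SensorSetup:
    """Answers given to the sensor "setup" command (hypothetical record)."""
    sensor_name: str
    ip_address: str
    subnet_mask: str
    default_gateway: str
    manager_primary: str
    shared_secret: str


def preflight(manager: ManagerEntry, sensor: SensorSetup) -> list:
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []

    # 1. The name must match exactly; the page notes the trust fails otherwise.
    if sensor.sensor_name != manager.device_name:
        findings.append(
            f"name mismatch: sensor '{sensor.sensor_name}' vs manager '{manager.device_name}'")

    # 2. The shared secret must match on both sides. compare_digest keeps the
    #    comparison constant-time so the checker itself does not leak the secret.
    if not hmac.compare_digest(sensor.shared_secret.encode(),
                               manager.shared_secret.encode()):
        findings.append("shared secret differs between sensor and manager")

    # 3. The manager address the sensor was given must be the real manager.
    if sensor.manager_primary != manager.manager_address:
        findings.append(
            f"manager address mismatch: sensor has {sensor.manager_primary}, "
            f"manager is {manager.manager_address}")

    # 4. Addressing sanity: the dotted mask must be contiguous, the sensor IP
    #    must be a host address, and the gateway must sit inside that subnet,
    #    otherwise the sensor has no next hop towards an off-subnet manager.
    try:
        iface = ipaddress.ip_interface(f"{sensor.ip_address}/{sensor.subnet_mask}")
        gateway = ipaddress.ip_address(sensor.default_gateway)
    except ValueError as exc:
        findings.append(f"invalid address or mask: {exc}")
        return findings
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"sensor IP {iface.ip} is not a usable host address in {net}")
    if gateway not in net:
        findings.append(f"gateway {gateway} is not in the sensor subnet {net}")
    elif gateway == iface.ip:
        findings.append("gateway equals the sensor IP")
    return findings


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    manager = ManagerEntry("M1450-lab", "example-shared-secret", "10.10.1.10")
    sensor = SensorSetup("M1450-lab", "10.10.2.20", "255.255.255.0",
                         "10.10.2.1", "10.10.1.10", "example-shared-secret")
    for line in preflight(manager, sensor) or ["no findings"]:
        print(line)
```

         Run it on the manager host with the values you are about to type into the wizard; an empty result does not guarantee the trust will come up (the network path still has to work), but a non-empty one tells you exactly which of the fields above to re-enter before waiting the couple of minutes for the trust attempt.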


         By typing the "status" command on the terminal we can see when the trust has been established

         between the manager and the sensor...


        (Manager Communications)

              sensor trust established.JPG



        We can now also see that the device is listed in the manager



              device listed in manager.JPG


    Update Signature Set on Sensor from NSM

         Now that the Manager can manage the sensor we'll want to make sure that our sensor has the

         latest signature set that is available. 

         Navigate to the "Manage" tab and then, under "Updating" on the left, select "Download IPS Signature Sets".


              update signature set.JPG

         The signature version currently on the sensor is and we can see there is a more recent
         set available.  Select the radio button by the newest signature set and select "Download"
         in the lower right-hand corner.


              Note:  This action downloads the new signature set to the manager but does not push the

              signatures to the sensor.



    Enabling GTI for IP and File Reputation


     • IP Reputation (formerly TrustedSource) – Comprehensive, real-time, cloud-based IP reputation service.

     • Web reputation – URL and web domain reputation service to protect against both known and emerging
       web-based threats.

     • Web categorization – URL and web domain categorization service to take policy-based action on
       user web activity.

     • Message reputation – Message and sender reputation service to protect against message-based
       threats such as spam.

     • Network connection reputation – IP address, network port, and communications protocol reputation
       service that provides granular reputation intelligence to protect against network threats.

     • File Reputation (formerly Artemis) – Comprehensive, real-time, cloud-based file reputation
       service to protect against both known and emerging malware-based threats.


        Each of these technologies works together to provide information about threats and vulnerabilities, which gives GTI the ability
        to predictively adjust reputations across all threat areas and thereby avoid attacks.


    GTI IP Reputation Configuration

         Navigate to the "Manage" tab, then on the left-hand side expand "Integration" and select
         "Global Threat Intelligence".  When you first visit this page a window will open asking if
         you'd like to participate by sending detailed information about attacks your network may discover
         back to McAfee Labs.


         A list of what is being sent can be viewed at any time by hitting the “show me what I’m sending”

         link on the right hand side of the page. 



        To configure the information being reported via GTI, select "yes" or "no" for each of the sections
         under "Global Threat Intelligence".
         By selecting the "+" icon, more detail is available to see exactly what is being sent from each section.
         In my configuration I have selected to send Alert Data Details, Alert Data Summary, General Setup,
         and Feature Usage.  I have chosen not to send System Faults to GTI.


              GTI opt-in.JPG



         Also in this window is the option to exclude our organization's IP address information for a
         given list of endpoints.



              GTI exclude IP range.JPG



         Enter the IP address ranges you'd like to exclude, add them to the list, then click "Save"
         (typically this is your private address space).



              Exluded Range.png



         The next section of the page allows you to determine what level of alerts is sent to GTI.
         To reduce the information being sent from my network, I have selected "high" and "medium",
         opting not to send alerts that are either "low" or "informational".



              Alert Data Details Filter.jpg


        The next section gives the user the option to provide contact information to McAfee.  This information
         will be used to communicate end of life and other key product milestones.  Since I am in a lab environment,
         my data will be anomalous and of little value to the GTI community, so I have opted not to send contact information.


              GTI Technical Contact Information.jpg



         The last section on the Global Threat Intelligence integration page is a “test” portion.  This

         allows you to input any IP address and verify connectivity with GTI.



              GTI Test GTI Lookup.jpg



         Note:  This page defines the parameters by which GTI will communicate to and from your
         organization (which alert details and summaries may be sent, and some device details); it
         does not apply this information to a policy for blocking or alerting purposes.
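         Two of the settings on this page, the alert severity filter and the CIDR exclusion list, can be reasoned about offline. The following added example (not from the article and not McAfee's code) models them: alerts below the chosen severity are dropped, and any source or destination address inside an excluded range is redacted before the record would leave the organization, with a check for exclusion entries that are nested inside one another. The alert record layout, the "[excluded]" marker and the sample alerts are constructed for illustration; the page does not describe the Manager's actual data format or whether it drops the field or the whole alert.

```python
"""Model of two GTI participation settings: the alert severity filter and the
CIDR exclusion list.

Added example, not from the article or from McAfee. The alert record layout,
the "[excluded]" marker and SAMPLE_ALERTS are constructed; the page says
nothing about the Manager's real data format.
"""
import ipaddress

# Page order: informational < low < medium < high.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def parse_exclusions(ranges):
    """Parse the exclusion list into networks and warn about nested entries.

    strict=False accepts an entry typed with host bits set (10.1.2.3/8) and
    normalises it; a malformed entry still raises ValueError.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    warnings = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version != b.version:
                continue
            if a.subnet_of(b):
                warnings.append(f"{a} is inside {b}")
            elif b.subnet_of(a):
                warnings.append(f"{b} is inside {a}")
    return nets, warnings


def is_excluded(ip, nets):
    """True when the address falls in any excluded range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def filter_for_gti(alerts, min_severity, exclusions):
    """Return the alert records that would be shared.

    Alerts below min_severity are dropped entirely; for the rest, any source
    or destination inside an excluded range is replaced by "[excluded]" so the
    organisation's own addressing is not sent.
    """
    threshold = SEVERITY_RANK[min_severity]
    nets, _ = parse_exclusions(exclusions)
    shared = []
    for alert in alerts:
        if SEVERITY_RANK[alert["severity"]] < threshold:
            continue
        record = dict(alert)          # never mutate the caller's alert
        for key in ("src", "dst"):
            if is_excluded(record[key], nets):
                record[key] = "[excluded]"
        shared.append(record)
    return shared


# Constructed sample data: RFC 1918 space is the "typically your private
# address space" case from the page; the public addresses are documentation
# ranges (RFC 5737).
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SAMPLE_ALERTS = [
    {"id": 1, "severity": "high", "src": "198.51.100.7", "dst": "10.0.5.20"},
    {"id": 2, "severity": "low", "src": "203.0.113.4", "dst": "10.0.5.21"},
    {"id": 3, "severity": "medium", "src": "192.168.1.5", "dst": "203.0.113.9"},
    {"id": 4, "severity": "informational", "src": "172.20.0.9", "dst": "198.51.100.1"},
]

if __name__ == "__main__":
    for rec in filter_for_gti(SAMPLE_ALERTS, "medium", PRIVATE_RANGES):
        print(rec)
```

         With the page's own choices ("high" and "medium", private space excluded) only the first and third sample alerts survive, each with its internal endpoint redacted; the nested-range warning is worth running over your real exclusion list, since an entry hidden inside a larger one is easy to leave behind when the larger one is later removed.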


    GTI Implementation


         As mentioned earlier, there are two parts to GTI:
        IP Reputation and File Reputation.


    GTI IP Reputation Implementation

         There are two steps to implement IP Reputation: the first is globally at the domain level,
         then additional changes are made at the interface on the device level.  Changes can be made
         and implemented per interface only, but as a best practice we suggest setting up the majority
         of your IP Reputation settings globally and then making specific changes per interface.



    Implementation is a three-step process.


    Step 1  Implement settings at the Domain/Global level


              Navigate to Devices > Global > Default Device Settings > IPS Devices > IP Reputation


              GTI Implementation navigation.jpg

         At the global level there are 3 steps to implement IP Reputation:



    • Check the box at the top “Use IP Reputation to Augment SmartBlocking?” 


    • Choose which protocols you’d like to whitelist and which ones you’d like to have queried. 

              (Since I am in a lab environment and don’t have to worry about performance I have

              selected all protocols to be inspected)


    • Whitelisted Endpoints – Since I included the lab IP range on the GTI Participation page,
             I selected "Inherit CIDR Exclusion list from GTI".


    • Finally select “Save”.



              GTI Implementation steps.jpg



        Once this is saved let’s move to our inspection ports and apply IP Reputation inspection.


    Step 2  Device level implementation (Different in ver. 8.2 or later, see Step 2b)

        Navigate to Devices > Devices > IPS Interfaces > select appropriate interface > Protection Profile


         Once you are on the protection profile page there are five different areas defined by grey boxes.

         A quick look through this page and you’ll notice that I have the “Default Inline IPS” policy deployed,

         an ATD policy for my Advanced Malware Policy and no Firewall Policies or Connection Limiting Policies in place.


        To implement IP Reputation, select both the "Enable Inbound" and "Enable Outbound" boxes and select "Save".



              GTI Implementation IP Reputation.JPG


        After you select “save” a dialogue box will appear asking you to deploy your settings.


        Select "Ok"


        This will take you to step 3


    Step 2b Steps for Version 8.2 and later

         In version 8.2 or later of the NSM, GTI implementation is done at the policy level, specifically
         in the Advanced Malware policy.  Navigate to Policy --> Intrusion Prevention --> Advanced Malware.

         Create a new policy by cloning the default one: select "Default Malware Policy", then select
         "Clone" in the lower right-hand corner.
         The Advanced Malware Policies page will open.  Name your new policy and select the protocols you'd like to
         scan.  On the lower half of the page, titled "Scanning Options", you'll see all of the Network Security Platform's
         signature-less engines, including GTI.
         Select the file types you'd like to look up in GTI, select "Save" in the lower right-hand corner, and move to Step 3.



    Step 3 Deploy Pending Changes


        To push the GTI policy we just created out to the sensor, we need to deploy the changes.
         Navigate to the "Devices" tab; on the left there are two tabs, "Global" and "Devices".  Select "Devices",
         then in that menu select "Deploy Pending Changes".  On the Deploy Pending Changes page select "Update".


         GTI Deploy pending changes.JPG



        Note: When changes are waiting to be deployed there will be a notification in the upper right hand corner

              on the Network Security Manager.


        During the update a status window will appear to let you know of the update progress


              GTI updating window.jpg


    GTI File Reputation Implementation


    Step 1


    Navigate to Policy > Advanced Malware


              GTI FIle Reputation.jpg


         If this is your first time navigating to this page only the Default Malware Policy will be visible.  Select “Default Malware

         Policy” and then hit the “clone” button at the bottom of the page.  A new window will open.



              GTI File advanced malware policy.JPG


        Define your Advanced Malware Policy:


    •     Give your new policy a name (a description is optional)
    •     Select the box "visible to child domain" and the protocols you'd like to scan; I selected both SMTP and HTTP
    •     Select the supported file types in the GTI File Reputation column under "Malware Engines"
    •     Select the small box next to the save button, "Prompt for assignment after save"
    •     Save your new policy


    Step 2 


        Apply the Advanced Malware Policy to an interface for inspection


        After Clicking “Save” a “PolicyName / Assignments” window will open




              GTI FIle Reputation Assignments.jpg



    • On this page select the interfaces you'd like to apply the policy to and hit the right arrow in the middle of the
              page to move these interfaces to the "Selected Interfaces" window.

        *Notice there are two listings for each interface, one inbound and one outbound.


    • Once you've selected the appropriate interfaces click "Save"; a dialogue box will open reminding you to
         apply the configuration on the sensor.



    Step 3

         Clicking okay will take you to the “Deploy Pending Changes” page.  If it doesn’t it is located in Device >

         Devices (M1450 in our example) > Deploy Pending Changes


              GTI File Reputation deployment.jpg



         Select “Update” to deploy the changes to your selected ports.


         After the changes have been applied you should be able to browse to the Advanced Malware Policies and see that the GTI File
         Reputation policy has been assigned to two interfaces.


              GTI File Reputation deployment confirmation.jpg




         GTI is now enabled



    Enabling Application Identification


         What is Application Identification


         McAfee creates signatures for applications based on ongoing research. This involves creating signatures for
         applications for which there were no signatures earlier, and removing signatures for invalid and
         obsolete applications. These application signatures enable the Sensors to accurately detect the applications on your network.


         The application signatures are bundled as part of the regular signature set that the McAfee Update Server

         downloads to the Manager.  If the Manager is connected to the McAfee Update Server, the application database

         of your Network Security Platform remains up-to-date.

         NS-series and M-series Sensors can identify the applications being used in your network and act on them.

         You can choose to allow or block specific applications on your network.  For example, you can block just the connections

         to Facebook from your network while allowing all other HTTP and HTTPS traffic. Using advanced Quality of Service (QoS)

         policies,  you can also control the bandwidth allocated for applications on your network.


         In addition to controlling the applications on your network, you can also view the Internet applications that are accessed
         from your network.  Related details, such as the network bandwidth consumed by specific applications, are also available,
         and you can check whether these applications generated any attacks.






         Without Application Identification enabled, application data regarding the network won’t be reported to the dashboard. 


              Application Identification dashboard.JPG




         Application identification is done on the NS-series and M-series sensors.  To enable this feature, browse to Devices >
         select the "Devices" tab > Policy > Application Identification

               Application Identification enablement.JPG



         This setup is straightforward:


    1. select "Enable Application Identification"
    2. select the ports on which you'd like to enable application identification
    3. then "Save".



         Now we need to push the new configuration out to the selected sensor. 


         On the same page to the left, select “Deploy Pending Changes”. 


         Once that page loads, select "Update" to push the changes to the sensor.


              Application Identification deployment.JPG


          Within 5 minutes information is being reported to the dashboard


              Application Identification dashboard w apps.jpg



         At this point we have


         1.      Deployed a sensor

         2.      Built NSM and Configured and updated the signature set

         3.      Enabled GTI both IP Reputation and File Reputation

         4.      Enabled Application Identification


    There are many more features that can be deployed on the Network Security Manager that can help increase visibility from external attacks to endpoint events.  Look for videos and write-ups on the McAfee Community.