NGFW - How to add/connect Next Generation Firewall (NGFW) to Security Management Center (SMC)

Version 8

     

     

    Refer to the "How to acquire and install SMC" document to learn the SMC installation process. This document assumes that you have already installed SMC and are ready to connect the NGFW to SMC.


    Purpose of this document

     

    This document shows you how to add a McAfee Next Generation Firewall to Security Management Center (SMC). The steps that follow show how to configure the NGFW through the CLI. The CLI configuration is needed to establish initial contact between the NGFW and SMC. This document also shows how to install a basic policy so that the NGFW can go online.

     

    McAfee Next Generation Firewall Product Page - http://www.mcafee.com/us/products/next-generation-firewall.aspx

    McAfee Next Generation Firewall Free Trials - http://www.mcafee.com/us/downloads/network-security/next-generation-firewall.aspx

    Contact McAfee - http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales

     

     

    Installation Video

     

    This installation video (start from minute 7.30 to the end) shows a live demonstration of the steps described in this document.


     

           

     

     

    Add Next Generation Firewall to SMC

     

    1. To add a NGFW, right click on SMC | New | Firewall | Single Firewall.

     

     

    1 - Single Firewall.jpg

     

     

    2. Configure the Single Firewall.

     

        • Type a Name for the Firewall
        • Select the right LogServer from the dropdown menu
        • Add a valid DNS Server IP address
        • Enter the POS number that was provided with the NGFW purchase

       

      NOTE: The NGFW will bind to its license through this POS number (see the next steps on how to install the license). If you are evaluating McAfee NGFW, keep this field empty; in the later steps you can bind this NGFW to a full NGFW dynamic license (evaluation license) that is provided along with the SMC license.

       

       

      2 - Single FIrewall properties.jpg

       

       

      3. Click on Interfaces tab to add interfaces to the NGFW.

       

        • Select Interface ID: 0 from the drop-down. Click OK. Interface 0 is normally used to communicate with the Management Server
        • Repeat the step to add Interface ID: 1

       

       

             3 - interface.jpg

       

       

      4. Add IP address to the interfaces.

       

        • Right click on Interface 0 | New | IPv4 Address

       

       

              4 - ip address.jpg

       

       

      5. Enter the desired IP address for Interface 0.

       

        • Repeat the steps to enter IP addresses for other interfaces in your network 
        • Click OK to finish this step

       

       

      5 - enter ip.jpg

       

       

      6. You will get a confirmation once you have added the interfaces. Click Yes if you would like to open the Routing View.

       

       

      6 - routing view.jpg

       

       

      7. How to install licenses?

       

        • Right click on Configuration | Administration | Expand Licenses | Click on All Licenses

       

       

      NOTE: The SMC demo license comes with two full dynamic licenses for NGFW. One NGFW will bind to one dynamic license. These dynamic licenses will expire with the SMC demo license.

       

      You can evaluate/test McAfee Clustering technology with 2 NGFW nodes, since you have two full licenses.

       

       

      7 - how to install license.jpg

       

       

      8. If you already have a NGFW license, go ahead and install the license here. If you are evaluating NGFW, jump to Step 12.

       

        • Right click All Licenses | Tools | Install Licenses

       

       

      8 - install lciense.jpg

       

       

      9. Browse to the license and select the licenses.

       

       

      9 - browse to.jpg

       

       

      10. Click OK to this warning. Your license will activate once you install a Policy in the later steps.

       

       

      10 - warning.jpg

       

       

      11. The license will bind automatically to the NGFW node that we added earlier. Refer to Note in Step 2.

       

       

      11 - auto bind.jpg

       

       

      12. If you are evaluating NGFW, you can use either of these two dynamic licenses to bind with the NGFW.

       

        • Right click on one license | Bind | Select the NGFW Node | Click Select

       

       

      12 - evaluating.jpg

       

       

      13. The dynamic license will bind to the NGFW node.

       

       

      13 - dynamic.jpg

       

       

      14. Before we proceed to CLI, you have to save the initial configuration and we will import it to the NGFW. There are three ways to do it:

       

        • Plug and Play through Installation Cloud
        • Plug and Play through USB Drive – Save as to the USB drive and import the configuration as shown in the next step
        • Manually – the next steps will show manual configuration through CLI

       

       

      14 - save initial config.jpg

       

       

      15. If you are importing the initial configuration through USB drive, click on Import and select USB drive.

       

      16. This document shows how to import the configuration manually, so click Next.

       

       

      15 - welcome.jpg

       

       

      17. Enter the hostname and root password for this NGFW node. You will use this password when you login via CLI next time. Username: root, Password: xxxx

       

      18. Tab down to Enable SSH daemon, hit Spacebar on your keyboard to bring the * mark to enable. Click Next.

       

       

      16 - step 1.jpg

       

       

      19. Since interface eth0 is connecting to the management server in this network, bring the * mark to eth0 as shown in the picture.

       

       

      17 - step 2.jpg

       

       

      20. Enter the fields shown on the screen to make initial contact with the Management Server.

       

        • Enter the IP address of the interface that will communicate with the Management Center
        • Enter the Gateway IP address if yours is a Layer 3 environment
        • Ensure that the * mark is at Contact field
        • Enter the Management Server IP address
        • Enter the one-time password that you wrote down in Step 14

       

       

      18 - step 3.jpg

       

       

      21. Select Yes for fingerprint verification.

       

       

      19 - fingerprint.jpg

       

       

      22. You should see "contact succeeded" if the connection was successful.

       

       

      NOTE: If contact fails and you want to verify the configuration, type “sg-reconfigure” on the command line. If you want to reset the NGFW to factory settings, type “sg-clear-all”.

       

      This video shows how to reset the NGFW to factory settings: https://www.youtube.com/watch?v=uzlrxovqOM0&feature=youtu.be


       

      20 - contact succeeded.jpg
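
When contact fails, the values entered in Step 20 are the first thing to re-check, and the fingerprint prompt in Step 21 is only useful if the value is actually compared. The following is an added example, not part of the original document or of any McAfee tooling: the function names are hypothetical, the prefix length of the engine interface and a fingerprint recorded from the SMC side are assumed to be known to the administrator, and all addresses and fingerprints are constructed sample values.

```python
import hmac
import ipaddress


def check_contact_plan(engine_cidr, mgmt_server, gateway=None):
    """Return a list of problems with the step 20 values; empty means consistent."""
    problems = []
    iface = ipaddress.ip_interface(engine_cidr)  # engine IP with prefix length (assumed known)
    net = iface.network
    mgmt = ipaddress.ip_address(mgmt_server)

    # Network and broadcast addresses are not usable host addresses
    # (point-to-point /31 and /32 prefixes have no such reserved addresses).
    if net.prefixlen < net.max_prefixlen - 1 and iface.ip in (
        net.network_address, net.broadcast_address
    ):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if mgmt == iface.ip:
        problems.append("Management Server IP is the same as the engine IP")

    if gateway is None:
        # Without a gateway the Management Server must be on the same subnet.
        if mgmt not in net:
            problems.append(f"{mgmt} is outside {net}: a gateway is required")
    else:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append(f"gateway {gw} is not on the engine subnet {net}")
        elif gw == iface.ip:
            problems.append("gateway is the same as the engine IP")
    return problems


def fingerprints_match(shown_on_engine, recorded_from_smc):
    """Compare two hex fingerprints, ignoring case and ':' / '-' / space separators."""
    def norm(fp):
        return fp.strip().lower().translate(str.maketrans("", "", ":- "))
    a, b = norm(shown_on_engine), norm(recorded_from_smc)
    # An empty value never matches; compare_digest avoids early-exit comparison.
    return bool(a) and hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, made-up fingerprint).
    print(check_contact_plan("192.0.2.10/24", "198.51.100.5"))
    print(check_contact_plan("192.0.2.10/24", "198.51.100.5", gateway="192.0.2.1"))
    print(fingerprints_match("AB:CD:12:34", "ab cd 12 34"))
```
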

       

       

      23. Install a policy on this NGFW to bring the NGFW node online.

       

        • Right click the node | Configuration | Install Policy

       

      NOTE: If you already have a policy, select the policy and refer to Step 29 on how to install the policy. Steps 24-28 show you how to configure and install a basic policy.

       

       

      21 - install policy(23).jpg

       

       

      24. Configure a basic firewall policy.

       

        • Go to Configuration | Security Engine | Expand Policies | Click Firewall Policies

       

       

      22 - basic policy (24).jpg

       

       

      25. Right click Firewall Template | New | Firewall Policy

       

       

      23 - add policy.jpg

       

       

      26. Give a name to your Policy, ensure that the Firewall Template is selected and click OK.

       

       

      24 - name policy.jpg

       

       

      27. Once the policy is open, right click and select Add Rule to add a single rule to this policy.

       

       

      25 - add rule.jpg

       

       

      28. Add any rule and click on the icon shown in the picture to save and install the policy to the NGFW node.

       

       

      26 - installation.jpg

       

       

      29. Upload the policy to the correct NGFW.

       

        • Select the NGFW node that you want to install this policy on and Add it to the Target
        • Ensure that the correct Policy is selected
        • Check the Validate Policy field. This will check for any duplicate rules, invalid settings and other general checks
        • Click OK

       

       

      27 - validate.jpg

       

       

      30. You should see 100% completion if the policy was successfully uploaded.

       

       

      28 - successful.jpg

       

       

      31. Go back to the Status Tab and your NGFW node should be online.

       

       

      29 - go online.jpg