Refer to the "How to acquire and install SMC" document to learn the SMC installation process. This document assumes that you have already installed SMC and are ready to connect the NGFW to SMC.
Purpose of this document
This document shows you how to add a McAfee Next Generation Firewall (NGFW) to the Security Management Center (SMC). The later steps show how to configure the NGFW through the CLI. The CLI configuration is needed to establish initial contact between the NGFW and SMC. This document also shows how to install a basic policy so that the NGFW goes online.
McAfee Next Generation Firewall Product Page - http://www.mcafee.com/us/products/next-generation-firewall.aspx
McAfee Next Generation Firewall Free Trials - http://www.mcafee.com/us/downloads/network-security/next-generation-firewall.aspx
Contact McAfee - http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales
This installation video (start from minute 7.30 to the end) shows a live demonstration of the steps described in this document.
Add Next Generation Firewall to SMC
1. To add an NGFW, right click on SMC | New | Firewall | Single Firewall.
2. Configure the Single Firewall.
- Type a Name for the Firewall
- Select the right LogServer from the dropdown menu
- Add a valid DNS Server IP address
- Enter the POS number that was provided with the NGFW purchase
NOTE: The NGFW will bind to its license through this POS number (see the later steps on how to install the license). If you are evaluating McAfee NGFW, keep this field empty; in the later steps you can bind this NGFW to a full NGFW dynamic license (evaluation license) that is provided along with the SMC license.
3. Click on Interfaces tab to add interfaces to the NGFW.
- Select Interface ID: 0 from the dropdown menu. Click OK. Interface 0 is normally used to communicate with the Management Server.
- Repeat the step to add Interface ID: 1
4. Add IP address to the interfaces.
- Right click on Interface 0 | New | IPv4 Address
5. Enter the desired IP address for Interface 0.
- Repeat the steps to enter IP addresses for other interfaces in your network
- Click OK to finish this step
6. You will get a confirmation once you have added the interfaces. Click Yes if you would like to open the Routing View.
7. How to install licenses?
- Right click on Configuration | Administration | Expand Licenses | Click on All Licenses
NOTE: The SMC demo license comes with two full dynamic licenses for NGFW. One NGFW will bind to one dynamic license. These dynamic licenses will expire with the SMC demo license.
Since you have two full licenses, you can evaluate/test McAfee Clustering technology with 2 NGFW nodes.
8. If you already have an NGFW license, go ahead and install the license here. If you are evaluating NGFW, jump to Step 12.
- Right click All Licenses | Tools | Install Licenses
9. Browse to the license and select the licenses.
10. Click OK to this warning. Your license will activate once you install a Policy in the later steps.
11. The license will bind automatically to the NGFW node that we added earlier. Refer to Note in Step 2.
12. If you are evaluating NGFW, you can use either of these two dynamic licenses to bind with the NGFW.
- Right click on one license | Bind | Select the NGFW Node | Click Select
13. The dynamic license will bind to the NGFW node.
14. Before proceeding to the CLI, you have to save the initial configuration so that it can be imported to the NGFW. There are three ways to do it:
- Plug and Play through Installation Cloud
- Plug and Play through USB Drive – Save as to the USB drive and import the configuration as shown in the next step
- Manually – the next steps will show manual configuration through CLI
15. If you are importing the initial configuration through USB drive, click on Import and select USB drive.
16. This document shows how to import the configuration manually, so click Next.
17. Enter the hostname and root password for this NGFW node. You will use this password the next time you log in via the CLI. Username: root, Password: xxxx
18. Tab down to Enable SSH daemon, hit Spacebar on your keyboard to bring the * mark to enable. Click Next.
19. Since interface eth0 is connecting to the management server in this network, bring the * mark to eth0 as shown in the picture.
20. Enter the fields shown on the screen to make initial contact with the Management Server.
- Enter the IP address of the interface that will communicate with the Management Center
- Enter the Gateway IP address if yours is a Layer 3 environment
- Ensure that the * mark is at Contact field
- Enter the Management Server IP address
- Enter the one-time password that you wrote down in Step 14
21. Select Yes for fingerprint verification.
22. You should see "contact succeeded" if the connection was successful.
NOTE: In case contact fails and you want to verify the configuration, type “sg-reconfigure” on the command line. If you want to reset the NGFW to factory settings, type “sg-clear-all”.
This video shows how to reset the NGFW to factory settings: https://www.youtube.com/watch?v=uzlrxovqOM0&feature=youtu.be
23. Install a policy on this NGFW to bring the NGFW node online.
- Right click the node | Configuration | Install Policy
NOTE: If you already have a policy, select the policy and refer to Step 29 on how to install the policy. Steps 24-28 show you how to configure and install a basic policy.
24. Configure a basic firewall policy.
- Go to Configuration | Security Engine | Expand Policies | Click Firewall Policies
25. Right click Firewall Template | New | Firewall Policy
26. Give a name to your Policy, ensure that the Firewall Template is selected and click OK.
27. Once the policy is open, right click and select Add Rule to add a single rule to this policy.
28. Add any rule and click on the icon shown in the picture to save and install the policy to the NGFW node.
29. Upload the policy to the correct NGFW.
- Select the NGFW node that you want to install this policy on and Add it to the Target
- Ensure that the correct Policy is selected
- Check the Validate Policy field. This checks for duplicate rules and invalid settings and performs other general checks
- Click OK
30. You should see 100% completion if the policy was successfully uploaded.
31. Go back to the Status Tab and your NGFW node should be online.