NGFW - How to configure McAfee Next Generation Firewall (NGFW) to integrate with McAfee Logon Collector (MLC)

Version 2



    The purpose of this document is to assist you in integrating McAfee Logon Collector with McAfee Next Generation Firewall. It guides you step by step through the integration.


    Integration Value

    McAfee Next Generation Firewall with McAfee Logon Collector improves user identification for user-based access control. It is an alternative to the Stonesoft User Agent. Logon Collector monitors logon events to associate users with IP addresses. Integration with Logon Collector adds the following new features:


          • High Availability using a primary and secondary Logon Collector server
          • Support for multiple Active Directory (AD) domains
          • Support for user and user group names that contain non-ASCII characters
          • Monitoring of logon events from Microsoft Exchange Servers in addition to monitoring events from the domain controller (DC)


    In version 5.8, both the MLC User Agent and the Stonesoft User Agent are supported. Only one type of User Agent can be used for each engine or cluster.


    Configuration Steps

    Complete the McAfee Logon Collector (MLC) installation and log in to MLC. Refer to the McAfee Logon Collector Administrator's Guide for complete instructions on how to install McAfee Logon Collector.

    1. Once you are logged in to MLC, click the Monitored Domains tab | Add new domain. This example shows the domain MLCAD.local.



    2. The new domain should appear on the Status page. All components should be green.




    3. If you see an “authentication service is unknown” error, follow these steps:


          • Go to C:/ProgramFiles(x86)/Mcafee/McafeeLogonCollector/LoginCollector/wmiconfig
          • In the McAfee Logon Monitor Configuration window, change “Authentication Type” from Kerberos to NTLM (this could be the other way around, depending on your environment)
          • Restart the MLC Logon Monitor service. All components should go green




    4. Add the Active Directory server in the Security Management Center. Navigate to Configuration | User Authentication | Servers | right-click Server | Active Directory Server. Add your Active Directory details.


       (Optional) On the Domain Controller tab you can add your domain controller. Depending on your environment, you can also configure authentication methods, NAT, etc. Make those changes accordingly.




    5. Add the Active Directory domain to the Security Management Center


          • Go to Configuration | User Authentication | Users | right-click Users | New LDAP Domain Server
          • Enter the name for the new LDAP domain. In this example, the name is MLCAD Users, so SMC logs will show the user as mshaw@MLCAD Users. See step 14 in this document for the SMC logs

                                  Tip: If possible, use the domain name MLCAD.local as the name. This way the SMC logs will show the user as mshaw@MLCAD.local instead of mshaw@MLCAD Users

          • Select Default LDAP Domain if the default Active Directory authentication will be used for all user authentication
          • Select a server and click Add to bind the Active Directory server to the LDAP domain
          • Go to the Default Authentication tab and define your default authentication. You can always come back here if the default authentication is not yet decided


    6. Export the certificate from MLC and copy it to the SMC server

          • Log in to McAfee Logon Collector
          • Go to Menu | Server Settings | click Identity Replication Certificate | scroll down to Base 64
          • Copy and paste this certificate into a Notepad file. Use a .txt extension, not .crt
                - Make sure to add the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines to the certificate as shown in the screenshot
                - If these lines are not added, you will see a fingerprint error when you upload the certificate in SMC
          • Copy this certificate file to the SMC server
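    The following Python helper is added here as an example and is not part of this article or of McAfee's software. It takes the Base64 text copied from the Identity Replication Certificate page, adds the BEGIN/END lines SMC needs (so the fingerprint error from the previous bullet does not occur), rejects input that does not decode to an ASN.1 SEQUENCE as a DER certificate must, and returns a SHA-256 fingerprint you can keep with your change record. The sample input is a constructed stand-in, not a real MLC certificate.

```python
import base64
import binascii
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _strip_armor(text: str) -> str:
    """Remove any existing BEGIN/END lines and all whitespace, leaving only Base64."""
    body = text.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    return "".join(body.split())


def armor_certificate(base64_text: str) -> str:
    """Wrap the Base64 blob copied from MLC in PEM armor with 64-character lines.

    Accepts both bare Base64 and already-armored text (the result is the same),
    and raises ValueError when the data is not Base64 or not DER-shaped."""
    body = _strip_armor(base64_text)
    if not body:
        raise ValueError("no certificate data found")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid Base64: {exc}") from exc
    # A DER-encoded X.509 certificate always starts with an ASN.1 SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER, ""])


def sha256_fingerprint(pem_text: str) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of the DER bytes inside the PEM."""
    der = base64.b64decode(_strip_armor(pem_text), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: a minimal ASN.1 SEQUENCE (SEQUENCE { INTEGER 1 }) standing in
# for a real DER certificate so the script runs offline without McAfee components.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_BASE64 = base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    pem = armor_certificate(SAMPLE_BASE64)
    print(pem)
    print("SHA-256:", sha256_fingerprint(pem))
```

    Save the printed PEM text to the .txt file you copy to the SMC server; the check only covers the outer DER framing, it does not validate the certificate's contents or signature.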



    7. Create a Logon Collector in SMC


          • Go to Configuration | Security Engine | expand Other Elements | expand Engine Properties | right-click User Agent | New Logon Collector
          • Go to the Certificate tab. See the next step for how to import the certificate




    8. On the Certificate tab shown in the previous step, click Import and select the certificate file that was copied from the MLC server earlier. Click Open, then click OK in the MLC Logon Collector pop-up window.

          • This is the Notepad file that you created earlier


    9. Select the Next Generation Firewall that will use the McAfee Logon Collector

          • Right-click the NGFW | Edit Firewall | Add-Ons | User Agent | in the User Agent drop-down, select McAfee Logon Collector and click Save



    10. Export the SMC certificate for communication with Logon Collector

          • Go to Configuration | Administration | expand Other Elements | click Internal Certificate Authorities | right-click StoneGate CA | go to the Certificate tab and click Export
          • Copy this exported certificate to the MLC server


    11. Import the SMC certificate into MLC

          • Click Menu | Trusted CA | New Authority | Import Certificate
          • Click Browse and select the certificate that you copied earlier from SMC
          • The MLC and NGFW integration is now complete


    12. Log in to one of your clients with a valid Active Directory user. You will see the user-to-IP address mapping in the Logon report.


    13. Users will only appear in the SMC logs if logging is enabled in the policy rules.

          • Double-click Logging | select the Override Recording check box | select Enforced for Log User Information



    14. Security Management Center will now show users in the logs.