NGFW - How to configure McAfee Next Generation Firewall (NGFW) to integrate with McAfee Logon Collector (MLC)

Version 2


    Purpose

     

    The purpose of this document is to assist you in integrating McAfee Logon Collector (MLC) with McAfee Next Generation Firewall (NGFW). It guides you through the integration step by step.

     

    Integration Value


    Using McAfee Logon Collector with McAfee Next Generation Firewall improves user identification for user-based access control. It is an alternative to the Stonesoft User Agent. Logon Collector monitors logon events to associate users with IP addresses. Integrating with Logon Collector adds the following features:

     

          • High Availability using a primary and secondary Logon Collector server
          • Support for multiple Active Directory (AD) domains
          • Support for user and user group names that contain non-ASCII characters
          • Monitoring of logon events from Microsoft Exchange Servers in addition to monitoring events from the domain controller (DC)

     

    In version 5.8, both the MLC User Agent and the Stonesoft User Agent are supported. Only one type of User Agent can be used for each single engine or cluster.

     

    Configuration Steps


    Complete the McAfee Logon Collector (MLC) installation and log in to MLC. Refer to the McAfee Logon Collector Administrator's Guide for complete instructions on installing McAfee Logon Collector.


    1. Once you are logged in to MLC, click the Monitored Domains tab | Add new domain. This example uses the domain MLCAD.local.


    Picture1.jpg

     

    2. The new domain should appear on the Status page. All components should be green.

     

    Picture2.jpg

     

    3. If you see an "authentication service is unknown" error, follow these steps:

     

          • Go to C:\Program Files (x86)\McAfee\McAfee Logon Collector\LoginCollector\wmiconfig
          • In the McAfee Logon Monitor Configuration window, change "Authentication Type" from Kerberos to NTLM (or from NTLM to Kerberos, depending on your environment). Kerberos is the stronger of the two; fall back to NTLM only if Kerberos cannot be made to work in your environment
          • Restart the McAfee Logon Monitor service. All components should turn green

     

    Picture3.jpg

     

    4. Add the Active Directory server in the Security Management Center (SMC). Navigate to Configuration | User Authentication | Servers | right-click Servers | Active Directory Server, and enter your Active Directory details.

     

       (Optional) On the Domain Controller tab you can add your domain controllers. Depending on your environment, configure authentication methods, NAT, and so on here.

     

    Picture4.jpg

     

    5. Add the Active Directory domain to the Security Management Center

     

          • Go to Configuration | User Authentication | Users | right-click Users | New LDAP Domain
          • Enter a name for the new LDAP domain. In this example the name is MLCAD Users, so the SMC logs show the user as mshaw@MLCAD Users. See step 14 in this document for the SMC logs.

                                  Tip: If possible, use the domain name MLCAD.local as the name. The SMC logs will then show the user as mshaw@MLCAD.local instead of mshaw@MLCAD Users.

          • Select Default LDAP Domain if this Active Directory domain will be used to authenticate all users
          • Select the server and click Add to bind the Active Directory server to the LDAP domain
          • Go to the Default Authentication tab and define the default authentication. You can return here later if the default authentication has not yet been decided


    Picture5.jpg


    6. Export the certificate from MLC and copy it to the SMC server


          • Log in to McAfee Logon Collector
          • Go to Menu | Server Settings | click Identity Replication Certificate | scroll down to Base 64
          • Copy and paste this certificate into a Notepad file. Use the .txt extension, not .crt.
          • Make sure to add the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines around the Base 64 text, as shown in the screenshot. If these lines are missing, SMC reports a fingerprint error when you upload the certificate.
          • Copy this certificate file to the SMC server


    Picture6.jpg

     

    7. Create a Logon Collector element in SMC

     

          • Go to Configuration | Security Engine | expand Other Elements | expand Engine Properties | right-click User Agent | New Logon Collector
          • Go to the Certificate tab. The next step describes how to import the certificate

     

    Picture7.jpg

     

    8. On the Certificate tab shown in the previous step, click Import and select the certificate file that was copied from the MLC server earlier (the Notepad file from step 6). Click Open, then click OK in the Logon Collector pop-up window.


    Picture8.jpg


    9. Select the Next Generation Firewall that will use the McAfee Logon Collector


          • Right-click the NGFW | Edit Firewall | Add-Ons | User Agent | in the User Agent drop-down, select the McAfee Logon Collector and click Save

     

    Picture9.jpg


    10. Export the SMC certificate for communication with Logon Collector


          • Go to Configuration | Administration | expand Other Elements | click Internal Certificate Authorities | right-click StoneGate CA | go to the Certificate tab and click Export
          • Copy the exported certificate to the MLC server


    Picture10.jpg


    11. Import the SMC certificate into MLC


          • Click Menu | Trusted CA | New Authority | Import Certificate
          • Click Browse and select the certificate that you copied from SMC earlier
          • The MLC and NGFW integration is now complete

    Picture11.jpg
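    Both certificate hand-offs above (the MLC Identity Replication Certificate in step 6 and the StoneGate CA export in step 10) are manual copy-and-paste jobs, and the fingerprint error mentioned in step 6 is what you get when the Base 64 text is missing its PEM header and footer. The following Python script is an added example, not part of this document or of the McAfee products: it wraps a bare Base 64 blob into a PEM file, checks a PEM file for the usual copy-paste defects (missing BEGIN/END lines, non-Base 64 characters, a truncated DER blob), and prints the fingerprint so you can compare it out of band with what the other side displays before trusting the certificate. The five-byte DER sample, the file name pemcheck.py and the choice of SHA-1 as the default hash are constructed assumptions for illustration; run it against the real exported file.

```python
import base64
import binascii
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_total_length(der: bytes) -> int:
    """Total length (tag + length field + content) that the outer DER SEQUENCE claims."""
    first = der[1]
    if first < 0x80:                       # short form: a single length byte
        return 2 + first
    n = first & 0x7F                       # long form: the next n bytes hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_problem(text: str):
    """Return None if text is a well-formed PEM certificate block, else a reason string."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        return "missing BEGIN CERTIFICATE line"
    if lines[-1] != END:
        return "missing END CERTIFICATE line"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        return f"body is not valid Base64: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return "body does not decode to a DER SEQUENCE"
    if der_total_length(der) != len(der):
        return "DER length mismatch: blob is truncated or has extra bytes"
    return None


def wrap_pem(b64_text: str) -> str:
    """Wrap the bare Base 64 text copied from the MLC UI into a PEM block SMC will accept."""
    body = "".join(b64_text.split())       # drop line breaks and spaces from the copy-paste
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "\n".join([BEGIN, *chunks, END]) + "\n"
    problem = pem_problem(pem)
    if problem:
        raise ValueError(problem)
    return pem


def hex_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase digest of the DER bytes (SHA-1 is assumed as the UI default)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint(pem_text: str, algo: str = "sha1") -> str:
    """Fingerprint of the certificate held in a PEM block; refuses malformed input."""
    problem = pem_problem(pem_text)
    if problem:
        raise ValueError(problem)
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    return hex_fingerprint(base64.b64decode("".join(lines[1:-1])), algo)


# Constructed sample: a five-byte DER SEQUENCE (not a real certificate) so the
# script runs offline. "MAMCAQE=" is the Base 64 text a UI would show for it.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")

if __name__ == "__main__":
    # Usage: python pemcheck.py <file>   (a bare Base 64 blob or a PEM file)
    # With no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_B64
    pem = text if text.lstrip().startswith(BEGIN) else wrap_pem(text)
    print(pem, end="")
    print("SHA-1 fingerprint:  ", fingerprint(pem))
    print("SHA-256 fingerprint:", fingerprint(pem, "sha256"))
```

    Save the script's output as the .txt file for step 8, and compare the printed fingerprint with the value shown by the side that issued the certificate before you import it on the other side; a mismatch means you are about to trust the wrong certificate, not just a formatting slip.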


    12. Log in to one of your clients with a valid Active Directory user. The user-to-IP address mapping appears in the Logon report.

    Picture12.jpg



    13. Users appear in the SMC logs only if user logging is enabled in the policy rules


          • Double-click the Logging cell of the rule | select the Override Recording check box | set Log User Information to Enforced

     

    Picture14.JPG



    14. The Security Management Center now shows users in the logs


    Picture13.jpg