Adding (keying) additional McAfee ESM 10x Appliances

NOTE: This step may be skipped if the platform is limited to an All-in-One combo platform such as the ESM/REC/ELM, since that appliance has the combined functionality of the ESM, Event Receiver and Log Manager. If an AIO appliance is being installed AND additional appliances are to be evaluated (ACE, DEM, ADM, dedicated ELM), then this step must be performed.

The McAfee SIEM solution is comprised of several platforms, each performing a specialized function. The combined value of all of the discrete components makes the McAfee SIEM solution stand apart from any competitive solution.

The process of connecting additional appliances to the McAfee SIEM platform is known as ‘keying’ since the provisioning activity creates/exchanges a unique SSH key for each attached device. This ensures a secure, encrypted path of communication between the ESM and all subordinate SIEM appliances.

NOTE: The following steps must be completed for each subordinate appliance added to the SIEM environment.

  1. From the Pancake menu, select Configuration.
  2. From the Configuration panel, click the Add Device button from the Actions Toolbar in the upper left corner of the user interface.
    NOTE: The Actions Toolbar is context-sensitive and will change based on the object selected in the system tree. Be certain to have either the Physical Display or the Local ESM selected for this step.
  3. From the Add Device Wizard window, select the subordinate device to be added (e.g., McAfee Event Receiver).
  4. Click Next >.
  5. Provide a unique name for the device being added. This will be the name used in the System Tree.
  6. Click Next >.
  7. Provide the IP address and communication port assigned to the appliance.
    NOTE: The default communication port assigned to all McAfee SIEM appliances is 22. This can be modified to a TCP port of the customer’s choosing, though all communication between the ESM and a subordinate SIEM appliance will still utilize the SSH/SCP application protocol. Make certain any firewall or network device placed between the two devices has the appropriate rules and/or ACL filters required to permit communication on this port.
  8. Provide a customer-assigned password for the device. The root user account on the subordinate appliance will be assigned this password.
    NOTE: It is helpful for administrative purposes to assign the same password to the NGCP account as well as all subordinate device keys.
  9. Click Next >.
  10. When the device has been successfully keyed, a confirmation window will open offering to Export Key or view the device Properties.
  11. Click Finish.
  12. Repeat this process for all subordinate devices to be added as part of the POC.

Troubleshooting failed connection

If, during the keying process, an error dialog is displayed claiming the SSH connection failed or a similar error message, follow these steps to troubleshoot.

  1. Confirm that network link connectivity exists between the new device (MGMT NIC 1) and a working switch port.
  2. Confirm that the network switch port connecting the ESM and the switch port connecting the new device are either on the same VLAN or, if separated by a Layer 3 device, that the appropriate routing is configured to support communication between the two devices.
  3. If the ESM and the device being added are separated by a firewall or IPS, make certain there are no traffic rules that would prevent communication over the designated port (default: 22).
  4. If the POC deployment is taking place in an ESX-based virtualized environment, it may be necessary to simply repeat the keying process a second time. In many cases, the first attempt creates the ARP entry in the vSwitch, and only on the second attempt is traffic passed between the ESM and the new SIEM device, permitting the proper key exchange.
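
The checks in steps 1 to 4 can be narrowed down with a small probe of the keying port. The following is an added example, not part of the original article or any McAfee tooling; it assumes Python 3 is available on a host in the same management network as the ESM, and the function name probe_ssh and the address 192.0.2.10 are placeholders.

```python
import errno
import socket

def probe_ssh(host, port=22, timeout=3.0, attempts=2):
    """Classify reachability of a device's keying port.

    Returns (status, detail). status is one of 'ssh', 'not_ssh',
    'refused', 'timeout', 'unreachable', 'error'.
    """
    result = ("error", "no attempt made")
    for _ in range(attempts):  # a second try mirrors troubleshooting step 4
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                try:
                    data = s.recv(255)
                except socket.timeout:
                    data = b""  # connected, but the peer sent nothing
            lines = [ln.strip() for ln in data.split(b"\n")]
            # An SSH server announces itself with a line starting "SSH-".
            ident = next((ln for ln in lines if ln.startswith(b"SSH-")), None)
            if ident is not None:
                return ("ssh", ident.decode("ascii", "replace"))
            result = ("not_ssh", lines[0].decode("ascii", "replace"))
        except ConnectionRefusedError:
            # Step 3 / port mismatch: host answered, port closed or rejected.
            result = ("refused", "port closed or connection rejected")
        except socket.timeout:
            # Steps 2-3: packets silently dropped (filter or missing route).
            result = ("timeout", "no reply; check firewall/IPS rules and routing")
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                # Steps 1-2: link, VLAN or Layer 3 routing problem.
                result = ("unreachable", "no path to host; check link, VLAN, routing")
            else:
                result = ("error", str(exc))
    return result

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder.
    print(probe_ssh("192.0.2.10", 22))
```

A result of 'ssh' means the network path and port are fine and the keying failure lies elsewhere; 'not_ssh' usually means the configured port belongs to a different service.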

Version history: Revision 1 of 1. Last update: 11-07-2017 12:48 PM