
McAfee IPS - How to Install McAfee Network Security Manager and Network Security Platform



     The intent of this article is to walk you through the installation of the McAfee IPS sensor, Network Security Platform (NSP), and the McAfee Network Security Manager (NSM). Once both the manager and sensor have been installed, I'll demonstrate how to integrate the two, update policies, and enable GTI and Application Identification.




     This video walks you through the steps required to install and integrate a McAfee IPS sensor with the McAfee Security Manager. You can also follow the step-by-step instructions below instead.




Download and install NSM Software

    Go to at this point you will enter your grant number



     Once on the download page, navigate to "McAfee Network Security Platform".

download nsp.JPG

     Scroll down until you find the NSP Manager Software. After you click on the link, you'll have to agree to McAfee's End User License Agreement prior to downloading the software.

NSM software.JPG

     On the download page select the version of Network Security Manager that you'd like to install.  For the purposes of this document we used

          Tip: download the software directly onto the server you'd like NSM to be installed on. 

          NSM version.JPG

Installing the Sensor

    The sensor I will be using is the M-1450

          Sensor faceplate.JPG

     Connect to the device via console to configure an IP address used later during the integration process with NSM


     Name              Setting
     Baud Rate         38400
     Number of bits    8
     Parity            None
     Stop Bits         1
     Flow Control      None


     Once you've connected to the sensor, log in. The default username and password is admin/admin123.

     Type the commands:

         "set sensor ip" and

         "set sensor gateway"

     This will give the sensor an IP address accessible to the Network Security Manager you'll be installing. 

     At this point test access via SSH using the assigned IP address. 

     SSH default username and password is admin/admin123


     If your connection is successful, WAIT to complete the sensor configuration.

          Note: We will complete sensor management integration in a later step.

     If your connection failed, go back to the console connection and type the command "show" to verify the IP and Gateway settings.

Network Security Manager Installation

Server Requirements

          server requirements.JPG

     After saving the NSM software to the desktop of the server you'd like to be your manager, double-click the NSM icon to begin the install process...

          nsm desktop icon.JPG

      The Installation wizard opens after the "installAnywhere" dialogue box is finished. During the wizard, you'll need to click through the steps listed in the screenshot above. "Install Type" is based on whether this is a central manager or a standard manager.

The rest of the questions refer to installation locations and resources. I've selected all the defaults. Please choose what makes the most sense for your installation and make notes if default folder locations are changed.

    *If you'd like to connect to an existing database the credentials are asked for during setup in the "Customize Installation" section.

     If no database has been preconfigured on this server then one will be installed during this time. 

    *Please make note of your user names and passwords used during the installation process.

     This process should take approximately 15 minutes. Once complete you can access the manager via https://<computername> or https://<ipaddress_of_nsm_host>

Configuration of the Network Security Manager


     If a browser doesn't launch on completion of the installation, open a browser and navigate to the manager at one of the above-listed addresses.

     *Supported Browsers as of 6-2014

          IE 9.0, 10.0, and 11.0


          Safari 6.0 & 7.0

          *Note: Recent versions of Chrome will not support the Java required in NSM version 8.2 or older       

     At this point 1 of 2 options will present itself: you'll find yourself either at a configuration wizard or on the NSM dashboard with no information.

Configuration Option 1 - Wizard

          NSM install wizard.JPG

    You'll notice that the wizard walks through a 10 step process.  This process updates the manager to the latest signature set and allows you to set a schedule to check for and install new signatures.

    The video and following write-up DOES NOT follow option 1

Configuration Option 2 - Blank Dashboard

          NSM blank dashboard.JPG

     The video follows option 2 for many reasons, the main one being that after following these steps the administrator is more familiar with the workflows for making changes in NSM.

Integrating NSM with Sensor

     From the dashboard navigate to the "Devices" tab.  On the left-hand side of the page select the "Add Device Wizard" option.  Earlier, in the sensor configuration, we didn't complete the setup because we want to establish a trust between the sensor and the manager.

     At the time of the sensor install, the manager wasn't ready and a trust couldn't have been established.  On the "Add Device Wizard" page fill in the "Device Name", "Device Type", "Shared Secret" (this will be the same on the sensor), and "Confirm Shared Secret".

         Hit "next" and navigate to your sensor through either a console or SSH connection.

          Sensor wizard on NSM.JPG

     Type "setup" in the command line.  You will now be guided through the steps necessary to connect the sensor to the manager...

          nsm sensor and terminal.JPG


    The "setup" command walks you through:

          Sensor Name (must match the manager's "sensor name" in order to establish a trust)

          IPV4 or IPV6

          Sensor IP address

          Sensor subnet mask

          Manager primary address

          Manager secondary address (if one has been configured)

          Sensor default gateway

          Management port configuration

          Shared Secret Key (This is the same shared secret key entered on the manager)


     Once you have entered (and confirmed) the shared secret key on the sensor, go back to the manager and select "next".  At this point, the NSM will try to establish a trust with the sensor. If there are no typos and the two devices can communicate over the network, a trust should be established within a couple of minutes.
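     The trust can only form if the addresses typed into "set sensor ip", "set sensor gateway" and "setup" are consistent with each other. The following is an added example, not part of the original article or of any McAfee tooling: a pre-flight check of those values before they are typed on the console. The function name `preflight`, the problem labels and all sample addresses are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress


def preflight(sensor_ip, netmask, gateway, manager_ip):
    """Check the addresses destined for the sensor's 'setup' prompts.

    Returns (problems, manager_path). manager_path is "on-link",
    "via-gateway", or None when the manager cannot be reached as configured.
    """
    problems = []
    iface = ipaddress.ip_interface(f"{sensor_ip}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    mgr = ipaddress.ip_address(manager_ip)

    # Network and broadcast addresses cannot be assigned to a host.
    reserved = set()
    if net.version == 4 and net.prefixlen < 31:
        reserved = {net.network_address, net.broadcast_address}

    if iface.ip in reserved:
        problems.append("sensor-ip-is-network-or-broadcast")
    if mgr == iface.ip:
        problems.append("manager-equals-sensor")

    # The default gateway must be a usable neighbour inside the sensor subnet.
    gateway_ok = True
    if gw not in net:
        problems.append("gateway-outside-sensor-subnet")
        gateway_ok = False
    elif gw in reserved or gw == iface.ip:
        problems.append("gateway-not-a-usable-neighbour")
        gateway_ok = False

    # A manager on the same subnet needs no gateway; otherwise it needs a valid one.
    if mgr in net:
        path = "on-link"
    elif gateway_ok:
        path = "via-gateway"
    else:
        path = None
        problems.append("manager-unreachable-without-valid-gateway")
    return problems, path


# Constructed sample values: (sensor IP, mask, gateway, manager IP)
SAMPLES = [
    ("10.20.30.40", "255.255.255.0", "10.20.30.1", "10.20.99.10"),     # consistent
    ("10.20.30.40", "255.255.255.0", "10.20.31.1", "10.20.99.10"),     # gateway typo
    ("10.20.30.40", "255.255.255.128", "10.20.30.254", "10.20.30.10"), # wrong mask
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preflight(*sample))
```

     If the check reports a problem, compare the values against the output of "show" on the sensor console before retrying the trust.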


     By typing the "status" command on the terminal we can see when the trust has been established between the manager and the sensor...(Manager Communications)

          sensor trust established.JPG


    We can now also see that the device is listed in the manager

          device listed in manager.JPG

Update Signature Set on Sensor from NSM


     Now that the Manager can manage the sensor we'll want to make sure that our sensor has the latest signature set that is available. 

     Navigate to the "Manage" tab and then, under "Updating" on the left, select "Download IPS Signature Sets".

          update signature set.JPG


     The signature version currently on the sensor is and we can see there is a more recent set available.  Select the radio button by the newest signature set and select "Download" in the lower right-hand corner.


          Note:  This action downloads the new signature set to the manager but does not push the signatures to the sensor.

Enabling GTI for IP and File Reputation


          IP Reputation (formerly Trusted Source) – Comprehensive, real-time, cloud-based IP Reputation service to provide

          Web reputation – URL and web domain categorization service to take policy-based threats

          Web categorization – URL and web domain categorization service to take policy-based action on user web activity as well as protect customers against both known and emerging web-based threats.

          Message reputation – Message and sender reputation service to protect against message-based threats such as spam

          Network connection reputation – IP address, network port, and communications protocol reputation service to determine granular reputation intelligence protect against network threat.

          File Reputation (formerly Artemis) – Comprehensive, real-time, cloud-based file reputation service to protect against both known and emerging malware-based threats

    Each of these technologies works together to provide information about the threats and vulnerabilities, which gives GTI the ability to predictively adjust reputations across all threat areas and thereby avoid attacks.

GTI IP Reputation Configuration

     Navigate to the "Manage" tab, then on the left-hand side expand "Integration" and select "Global Threat Intelligence".  When you first visit this page a window will open asking if you’d like to participate by sending detailed information about the attacks your network may discover back to McAfee Labs.

     A list of what is being sent can be viewed at any time by hitting the “show me what I’m sending” link on the right-hand side of the page. 


    To configure the information being reported via GTI select “yes” or “no”  to each of the sections under “Global Threat Intelligence”

     By selecting the “+” icon more detail is available to see exactly what is being sent from each section.

     In my configuration, I have selected to send Alert Data Details, Alert Data Summary, General Setup, and Feature Usage.  I have chosen not to send System Faults to GTI.

 GTI opt-in.JPG



     Also in this window is the option to exclude our organization's IP address information for a given list of endpoints.

          GTI exclude IP range.JPG


     Enter the IP address range you’d like to exclude, add it to the list, then click ‘save’ (typically this is your private address space).

           Exluded Range.png
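     Any internal range left off the exclusion list keeps its address information eligible for reporting, and a mistyped CIDR silently excludes the wrong block. The following is an added example, not part of the original article or of NSM: it compares the exclusion list you intend to enter against your own inventory of internal networks. The function names, the inventory and the exclusion entries (which contain two deliberate mistakes) are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress


def uncovered(internal_nets, exclusions):
    """Return the parts of internal_nets that no exclusion CIDR covers."""
    excl = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(e) for e in exclusions))
    gaps = []
    for raw in internal_nets:
        remaining = [ipaddress.ip_network(raw)]
        for e in excl:
            nxt = []
            for r in remaining:
                if r.subnet_of(e):
                    continue                      # fully excluded
                if e.subnet_of(r):
                    nxt.extend(r.address_exclude(e))  # carve the excluded part out
                else:
                    nxt.append(r)                 # CIDR blocks nest or are disjoint
            remaining = nxt
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))


def stray_exclusions(internal_nets, exclusions):
    """Return exclusion entries that lie outside every internal network (likely typos)."""
    inventory = [ipaddress.ip_network(n) for n in internal_nets]
    stray = []
    for raw in exclusions:
        e = ipaddress.ip_network(raw)  # raises ValueError if host bits are set
        if not any(e.subnet_of(n) for n in inventory):
            stray.append(e)
    return stray


# Constructed inventory: the RFC 1918 private address space.
INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Constructed exclusion list with a too-narrow prefix and a transposed octet.
EXCLUSIONS = ["10.0.0.0/8", "172.16.0.0/16", "192.186.0.0/16"]

if __name__ == "__main__":
    for net in uncovered(INTERNAL, EXCLUSIONS):
        print("not excluded:", net)
    for net in stray_exclusions(INTERNAL, EXCLUSIONS):
        print("excluded but not internal:", net)
```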


     The next section of the page allows you to determine what level of alerts are sent to GTI. To reduce the information being sent from my network, I have selected “high” and “medium”, opting not to send alerts that are either “low” or “informational”.

           Alert Data Details Filter.jpg


    The next section gives the user the option to provide contact information to McAfee.  This information will be used to communicate end of life and other key product milestones.  Since I am in a lab environment my data will be anomalous and of little value to the GTI community, I have opted not to send contact information.

          GTI Technical Contact Information.jpg


     The last section on the Global Threat Intelligence integration page is a “test” portion.  This allows you to input any IP address and verify connectivity with GTI.

          GTI Test GTI Lookup.jpg


     Note: This page defines the parameters by which GTI will communicate to and from your organization, which alert details and summaries may be sent, and some device details. It does not implement this information into a policy for blocking or alerting purposes.

GTI Implementation

     As mentioned earlier, there are two parts to GTI: IP Reputation and File Reputation.

GTI IP Reputation Implementation

     There are two steps to implement IP Reputation: the first is globally at the domain level, then additional changes are made at the interface on the device level. Changes can be made and implemented per interface only, but as a best practice we suggest setting up the majority of your IP Reputation settings globally and then making specific changes per interface.

Implementation is a three-step process.

Step 1  Implement settings at the Domain/Global level


          Navigate to Devices > Global > Default Device Settings > IPS Devices > IP Reputation


          GTI Implementation navigation.jpg

     At the global level there are 3 steps to implement IP Reputation:

  • Check the box at the top “Use IP Reputation to Augment SmartBlocking?” 
  • Choose which protocols you’d like to whitelist and which ones you’d like to have queried. 

          (Since I am in a lab environment and don’t have to worry about performance, I have selected all protocols to be inspected.)

  • Whitelisted Endpoints – Since I included the lab IP range on the GTI Participation page, I selected “Inherit CIDR Exclusion list from GTI”

  • Finally select “Save”.

          GTI Implementation steps.jpg

    Once this is saved let’s move to our inspection ports and apply IP Reputation inspection.

Step 2  Device level implementation (Different in ver. 8.2 or later, see Step 2b)

    Navigate to Devices > Devices > IPS Interfaces > select appropriate interface > Protection Profile

     Once you are on the protection profile page, there are five different areas defined by grey boxes.

     A quick look through this page and you’ll notice that I have the “Default Inline IPS” policy deployed, an ATD policy for my Advanced Malware Policy, and no Firewall Policies or Connection Limiting Policies in place.

    To implement IP reputation, select both the “Enable Inbound” and “Enable Outbound” boxes and select “save”.

          GTI Implementation IP Reputation.JPG

    After you select “save” a dialogue box will appear asking you to deploy your settings.

    Select "Ok"

    This will take you to step 3

Step 2b Steps for Version 8.2 and later

     In version 8.2 or later of the NSM, GTI implementation is done at the policy level, specifically in the advanced malware policy.  Navigate to Policy --> Intrusion Prevention --> Advanced Malware.

     Use the default malware policy as a clone to create a new policy by selecting the "Default Malware Policy", then select "clone" in the lower right-hand corner.

     The Advanced Malware Policies page will open.  Name your new policy and select the protocols you'd like to scan.  On the lower half of the page, titled "Scanning Options", you'll see all of the Network Security Platform's signature-less engines, including GTI.

     Select the file types you'd like to look up in GTI, select save in the lower right-hand corner, and move to step 3.

Step 3 Deploy Pending Changes

    To push the GTI policy we just created out to the sensor, we need to deploy the changes.

     Navigate to the "Devices" tab. On the left there are two tabs, "Global" and "Devices"; select "Devices", then in that menu select "Deploy Pending Changes".  On the Deploy Pending Changes page select "Update".

     GTI Deploy pending changes.JPG


    Note: When changes are waiting to be deployed there will be a notification in the upper right hand corner on the Network Security Manager.


    During the update a status window will appear to let you know of the update progress

          GTI updating window.jpg


GTI File Reputation Implementation

Step 1

Navigate to Policy > Advanced Malware

          GTI FIle Reputation.jpg


     If this is your first time navigating to this page only the Default Malware Policy will be visible.  Select “Default Malware Policy” and then hit the “clone” button at the bottom of the page.  A new window will open.

          GTI File advanced malware policy.JPG

    Define your Advanced Malware Policy

  •     Give your new policy a name (a description is optional)
  •     Select the boxes “visible to child domain” and the protocols you’d like to scan (I selected both SMTP and HTTP)
  •     Select the supported file types in the GTI File Reputation column under ”Malware Engines”
  •     Select the small box next to the save button “Prompt for assignment after save”
  •     Save your new policy

Step 2 

    Apply the Advanced Malware Policy to an interface for inspection

    After clicking “Save”, a “PolicyName / Assignments” window will open

         GTI FIle Reputation Assignments.jpg


  • On this page select the interfaces you’d like to apply the policy to and hit the right arrow in the middle of the page to move these interfaces to the “Selected Interfaces” window.

    *Notice there are two listings for each interface, one inbound and one outbound.

  • Once you’ve selected the appropriate interfaces, click “Save”. A dialogue box will open reminding you to apply the configuration on the sensor.

Step 3

     Clicking okay will take you to the “Deploy Pending Changes” page.  If it doesn’t, the page is located in Device > Devices (M1450 in our example) > Deploy Pending Changes

          GTI File Reputation deployment.jpg

     Select “Update” to deploy the changes to your selected ports.

     After the changes have been applied, you should be able to browse to the Advanced Malware Policies and see that the GTI File Reputation policy has been assigned to two interfaces.

          GTI File Reputation deployment confirmation.jpg


     GTI is now enabled

Enabling Application Identification

     What is Application Identification

     McAfee creates signatures for applications based on ongoing research. This involves creating signatures for applications for which there were no signatures earlier. This also involves removing signatures for invalid and obsolete applications. These application signatures enable the Sensors to accurately detect the applications on your network. The application signatures are bundled as part of the regular signature set that the McAfee Update Server downloads to the Manager.  If the Manager is connected to the McAfee Update Server, the application database of your Network Security Platform remains up-to-date.

     NS-series and M-series Sensors can identify the applications being used in your network and act on them.


     You can choose to allow or block specific applications on your network.  For example, you can block just the connections to Facebook from your network while allowing all other HTTP and HTTPS traffic. Using advanced Quality of Service (QoS) policies, you can also control the bandwidth allocated for applications on your network.


     In addition to controlling the applications on your network, you can also view the Internet applications that are accessed from your network.  Related details, such as the network bandwidth consumed by specific applications, are now available. You can also check if these applications generated any attacks.


     Without Application Identification enabled, application data regarding the network won’t be reported to the dashboard. 


          Application Identification dashboard.JPG



     Application identification is done on the NS-series and M-series sensors.  To enable this feature, browse to Devices > select ‘Devices’ tab > Policy > Application Identification

           Application Identification enablement.JPG


     This setup is straightforward:


  1. Select “Enable Application Identification”
  2. Select the ports on which you’d like to enable application identification
  3. Then “Save”.


     Now we need to push the new configuration out to the selected sensor. 


     On the same page to the left, select “Deploy Pending Changes”. 


     Once that page loads, select “update” to push the changes to the sensor.


          Application Identification deployment.JPG


      Within 5 minutes information is being reported to the dashboard


          Application Identification dashboard w apps.jpg


     At this point we have

     1.      Deployed a sensor

     2.      Built NSM and Configured and updated the signature set

     3.      Enabled GTI both IP Reputation and File Reputation

     4.      Enabled Application Identification

There are many more features that can be deployed on the Network Security Manager that can help increase visibility from external attacks to endpoint events.  Look for videos and write-ups on the McAfee Community.

Version history
Revision #:
3 of 3
Last update:
‎03-15-2018 11:51 AM