4 Replies Latest reply on Jun 6, 2012 9:20 AM by mtuma

    MFE features questions

      Hi,

         I would like to know if McAfee Firewall Enterprise can comply with the following:

       

      1.) Read conversations from Yahoo Messengers.

      2.) If it scans emails that Outlook users download. What would it do if it detects malware in the email or if the email is spam?

      3.) User level audit like if it can see the MAC address of the user.

      4.) If the hard disk of the hardware is in solid state condition.

      5.) How can I whitelist users from firewall restrictions if we don't have domain controllers and are in a DHCP environment?

      6.) Can it block users by their MAC address?

        • 1. Re: MFE features questions

          Hi


          I don't have all the responses but :

           

          1.) Read conversations from Yahoo Messengers.

          NO

           

          2.) If it scans emails that Outlook users download. What would it do if it detects malware in the email or if the email is spam?

          not sure, but if a virus is detected, the object is removed (http or smtp)

           

          3.) User level audit like if it can see the MAC address of the user.

          NO

           

          4.) If the hard disk of the hardware is in solid state condition.

          Not with S1004 and S2008

           

          5.) How can I whitelist users from firewall restrictions if we don't have domain controllers and are in a DHCP environment?

           

           

          6.) Can it block users by their MAC address?

          NO

          • 2. Re: MFE features questions
            sliedl

            The firewall does virus scanning for email or HTTP.  You either discard the email or return to sender if you find a virus/Spyware/MIMEtype you don't want to pass through.  You can discard or repair virus-infected files for HTTP.  This is all in the Admin Guide and the GUI.

             

            It doesn't do anti-spam specifically (like Bayesian filtering let's say) but there is TrustedSource/GTI and that can block a lot of spam by IP.

             

            3.) User level audit like if it can see the MAC address of the user.

            5.) How can I whitelist users from firewall restrictions if we don't have domain controllers and are in a DHCP environment?

            6.) Can it block users by their MAC address?

             

             

            You seem to have some user whose MAC address you know but they get a different IP from DHCP every time but you want to make sure they can get through the firewall.  The only way to do that is to set this MAC on your DHCP server so it always gets the same IP from the DHCP server.  I have never seen a DHCP server that could NOT do this.  If I'm correct in what you're trying to do the only way to do it is on the DHCP server.  The firewall can 'see' to the IP level (for policy enforcement) and it cannot see down to layer 2 where the MAC addr. is (for policy enforcement that is).

            • 3. Re: MFE features questions

              Hi,

                    Thank you for the answers. May I also ask:

               

              1.) What is the default size of log files McAfee can store?

              2.) How large can the logs McAfee stores be?

              3.) How long does McAfee store the logs?

              4.) What format are the rolled-out logs in and where can I find them?

              5.) When does it roll out the logs (size, date, etc.)?

              6.) How can I open the rolled-out logs?

               

               

              Thanks.

              • 4. Re: MFE features questions

                The firewall by default rolls the audit every morning at 2 am. By default, it keeps 20 audit files. If the logs happen to get up to 250 megs, the firewall will automatically roll at that point. The firewall will keep the logs until the 21st gets "rolled off" and removed. The rolled logs are in /var/log and called audit.raw.timestamp.timestamp.gz. They can only be opened with showaudit or acat on the firewall itself.

                 

                Note: to configure the rolling of the audits, you can modify the rollaudit.conf file in /var/log. Here is the line for the audit.raw:

                 

                roll(/var/log/audit.raw root wheel  644  20 250m *   BZdkT cmd[] )

                 

                Note the 20 (number of files kept) and 250m (how large the file is before it is automatically rolled).

                 

                Hope this helps,

                 

                Matt
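
Added example (not part of the thread and not McAfee's own tooling): a small Python check that reads the roll() line quoted in the last reply and estimates how many days of audit history survive before the oldest file is rolled off. Only the "20" and "250m" fields are explained in the post; the other field positions, the binary interpretation of "m", and the files-per-day estimate are assumptions.

```python
import re

# Line copied from the reply above. The post explains only the keep count
# (20) and the size threshold (250m); treating field 1 as the path is an
# assumption based on its appearance.
ROLL_LINE = "roll(/var/log/audit.raw root wheel  644  20 250m *   BZdkT cmd[] )"

# Assumption: size suffixes are binary multiples (250m = 250 * 1024 * 1024).
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_roll(line):
    """Extract path, keep count and size threshold from a roll() entry."""
    m = re.match(r"\s*roll\((.*)\)\s*$", line)
    if not m:
        raise ValueError("not a roll() entry: %r" % line)
    fields = m.group(1).split()
    if len(fields) < 6:
        raise ValueError("too few fields in roll() entry")
    keep, size = fields[4], fields[5].lower()
    sm = re.fullmatch(r"(\d+)([kmg]?)", size)
    if not keep.isdigit() or not sm:
        raise ValueError("unexpected keep/size fields: %r %r" % (keep, size))
    return {
        "path": fields[0],
        "keep": int(keep),
        "max_bytes": int(sm.group(1)) * _UNITS[sm.group(2)],
    }


def retention_days(entry, daily_audit_bytes):
    """Estimate full days of rolled audit kept on the firewall.

    Assumes one scheduled roll per day (the 2 am default described above)
    plus one extra roll each time the live file reaches the size threshold.
    """
    files_per_day = 1 + daily_audit_bytes // entry["max_bytes"]
    return entry["keep"] // files_per_day


if __name__ == "__main__":
    entry = parse_roll(ROLL_LINE)
    for label, volume in (("100 MiB/day", 100 * 1024 ** 2), ("1 GiB/day", 1024 ** 3)):
        print(label, "->", retention_days(entry, volume), "days of audit retained")
```

On a busy firewall the size-triggered rolls shorten retention well below 20 days, which matters if audit data has to be available for an investigation and is not exported elsewhere.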