Installation Guide McAfee Enterprise Security Manager 10.0.0


COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Installation overview
  McAfee Enterprise Security Manager components
  Configuration scenarios
  McAfee ESM installation overview

2 Installing McAfee ESM devices
  ESM console hardware and software requirements
  Identifying a location for installation
  Hardware setup
    Inspect packaging and device
    Mount hardware in a rack

3 Mounting ESM software on a VM
  Mounting ESM VM image overview
  ESM VM system requirements
  Download the ESM VM image
  VMware ESXi VM ESM software mounting
    VMware ESXi VM requirements
    Mount the VMware ESXi virtual machine
  Linux KVM ESM installation
    Linux KVM requirements
    Deploy Linux KVM ESM software
  Configure the VM ESM software
    Configure the virtual machine
    Key the VM device

4 Installing ESM on AWS
  Using ESM with AWS
  Create the AWS
  Create an ESM image and install it on AWS
  Configure ESM AWS connections

5 Setting up McAfee ESM network connections
  Configure the ESM network interface
  Configure the ERC, ELM, ELS, or ACE network interface
  Configure the DEM or ADM network interface

6 Initial ESM logon and configuration
  Log on to the McAfee ESM console
  Connecting devices
    Add devices to the ESM console
  Confirm in ESM that all devices appear
  Key a device

7 Upgrading McAfee ESM software
  What you have and what you need
  Preparing to upgrade
    Back up ESM settings and system data
    Check ERC high availability status
  Special upgrade scenarios
  Download the upgrade files
  Upgrade the software on a device
  Upgrade the system
  Upgrade ESM, ESMREC, or ENMELM
  Upgrade HA Receivers
  Available VA vendors

A Alternative installation scenarios
  Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS
  Install DAS
  Common Criteria evaluated configuration
  Regulatory notices

B Enabling FIPS mode
  Select FIPS mode

Index


Preface

This guide provides the information you need to work with your McAfee product.

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

Italic: Title of a book, chapter, or topic; a new term; emphasis

Bold: Text that is emphasized

Monospace: Commands and other text that the user types; a code sample; a displayed message

Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue: A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Installation overview

This document provides an overview of McAfee® Enterprise Security Manager (McAfee ESM) components and describes how to install and cable the hardware components. It also describes how to mount the software on a virtual machine (VM) or upgrade the software on existing components, and how to initially configure the components on your network.

Contents

• McAfee Enterprise Security Manager components

• Configuration scenarios

• McAfee ESM installation overview

McAfee Enterprise Security Manager components

McAfee ESM and its components are installed in your network and configured to identify vulnerabilities and threats.

If a threat occurs, the ESM can:

• Notify you using the user interface, email, SNMP, or a text message.

• Save the history of the threat for analysis.

• Automatically act on the threat based on configured policy.

The McAfee ESM components include:

• McAfee® Enterprise Security Manager (McAfee ESM) — Available as a hardware component or Virtual Machine (VM) software installation, the McAfee ESM displays threat data, reputation feeds, and vulnerability status and a view of the systems, data, risks, and activities inside your enterprise.

• McAfee Event Receiver (ERC) — Available as a hardware component or VM software installation, it collects up to tens of thousands of events per second, parses that data, and sends it to the ESM devices.

• McAfee Enterprise Log Manager (ELM) — Available as a hardware component or VM software installation, it collects, compresses, signs, and stores all events to provide a proven audit trail of activity.

• McAfee Enterprise Log Search (ELS) — A hardware component that collects, indexes, and stores all events to provide a proven audit trail of activity. The ELS searches the events faster using its indexes.

• McAfee Receiver/ELM (ELMERC) — Available as a hardware component or VM software installation that includes both ELM and ERC.

• McAfee Advanced Correlation Editor (ACE) — Available as a hardware component or VM software installation that simplifies event correlation and startup to identify and score threat events in historical or real time, using both rule- and risk-based logic.


• McAfee Application Data Monitor (ADM) — A hardware component that monitors more than 500 known applications through the whole layer stack and captures full session detail of all violations.

• McAfee Database Event Monitor (DEM) — A hardware component that automates the collection, management, analysis, visualization, and reporting of database access for most database platforms.

• McAfee Direct Attached Storage (DAS) — A hardware component connected to the ESM, ELM, or ELS to expand storage space.

In redundant solutions, one DAS device is required in each system. For example, two redundant ESMs and two redundant ELMs require four DAS devices.

• ESM Console — A computer with a browser used to configure and manage the ESM by security administrators.

You might use just one combination ESM, or many of these components, depending on your environment.

For detailed configuration information, see the McAfee Enterprise Security Manager Product Guide.

Configuration scenarios

You can configure McAfee ESM with just one combination ESM, or you can add components to identify threats in a large enterprise network.

Adding components to your network environment allows you to increase performance, add functionality, and increase event storage capability. For example, adding the following components or more advanced models of an existing component can scale your network protection.

VM installed ESM combination devices have limits to the number of components that you can add.

• ACE — Increases the events-per-second (EPS) capability, logs, network flows, and contextual information sent to the ESM

• ADM — Listens to layer 7 traffic on the network to monitor applications that would normally be missed using logging only, and it tracks the application transaction details you can store.

• DEM — Increases the database transactions you can store, how you access those transactions, and discovers unknown databases on the network for added security.

• ERC — Additional ERCs increase the EPS throughput from your network segments and the connected data sources.

The EPS throughput for an ERC depends on the model.

• ELM — The ELM increases the raw logs you can compress and store. The ELM is the only device that stores the logs in compliant "Raw Format."

• ELS — The ELS, compared to the ELM, speeds searching event data using its index tags. But, it has a much lower compression ratio than the ELM and is not meant to meet compliance requirements.

• ESM — Adding a redundant ESM allows you to quickly switch to the standby ESM if the active ESM ever fails or needs maintenance.

Simple ESM scenario

This figure shows that one ESM device allows you to gain visibility to your network events.


Complex ESM scenario

This figure shows how a large enterprise network uses multiple ESM components to gain visibility into your network events. As the network grows and your events increase, you can add ESM components.


McAfee ESM installation overview

This flowchart provides an overview of the steps required to install the ESM solution.


2 Installing McAfee ESM devices

Installing your McAfee devices requires mounting them in the rack, cabling the devices, and powering them on. These installation instructions apply to all current models of McAfee ESM devices.

Contents

• ESM console hardware and software requirements

• Identifying a location for installation

• Hardware setup

ESM console hardware and software requirements

The system you use for the McAfee ESM console must meet these minimum hardware and software requirements.

• Processor — P4 class (not Celeron) or higher (Mobile/Xeon/Core2, Core i3/5/7) or AMD AM2 class or higher (Turion64/Athlon64/Opteron64, A4/6/8)

• RAM — 1.5 GB

• Windows operating system — Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 7, Windows 8, Windows 8.1, and Windows 10

• Browser — Internet Explorer 11 or later, Mozilla Firefox 42 or later, Google Chrome 48 or later

• Flash Player — Version 11.2.x.x or later

ESM features use pop-up windows when uploading or downloading files. Disable the pop-up blocker for the IP address or host name of your ESM.

Identifying a location for installation

You must analyze your existing network and identify the network and physical location for your devices. Proper location impacts the effective use of your devices.

When selecting a location for your devices:


• Install your ESM device in a network location where it can manage devices and be accessible by any systems needing to reach it. If direct communication is restricted between devices managed by the ESM and systems running ESM, configure your network to route network traffic between them.

• Install the ESM device in a secure location that is only accessible by network security personnel.

• Your Receiver must be accessible to the devices it monitors. If direct communication isn't possible, you must configure your network to allow proper routing of network traffic between them.

Hardware setup

These are the steps needed to physically install, connect, and power on your ESM devices.

Tasks

• Inspect packaging and device

Before installing your equipment, make sure that there is no sign of damage or tampering.

Inspect packaging and device

Before installing your equipment, make sure that there is no sign of damage or tampering.

Task

1 When you receive your device, inspect the packaging and the device for signs of damage or tampering, including the tamper-evident packing tape that is securing the shipping container.

If there is any sign of damage, mishandling, or tampering, contact McAfee Support immediately for instructions, and do not install the product.

2 Verify that the package contains all items listed on the packing slip.

3 When performing a FIPS installation, find the tamper-evident seal in the shipping container's accessories package. Apply the seal so it completely blocks the USB ports, preventing their use without leaving evidence of tampering.

Figure 2-1 USB tamper seal

Contact Technical Support immediately if not fully satisfied with the inspection.

Mount hardware in a rack

Mount your ESM devices in a rack to protect them and their cabling from damage or from being disconnected.


Tasks

• Install AXXVRAIL rail set

An AXXVRAIL rail set is shipped with each device so you can install it in a rack.

• Remove the chassis

You can remove the chassis from the rails to replace or move the device.

• Connect to network and start the devices

After installing the devices, make the network connections and power on the devices.

Install AXXVRAIL rail set

An AXXVRAIL rail set is shipped with each device so you can install it in a rack.

The default rail set we ship is designed to work in most racking systems. If that rail system does not work, you might need to buy a rail system designed for your server cabinet.


Task

1 Install rails in the rack.

a Pull the release button (F) to remove the inner member (D) from the slides.

Components

A - front bracket

B - outer member

C - rear bracket

D - inner member

E - safety locking pin

F - release button


b Align the brackets to a vertical position on the rack, then insert the fasteners.

c Move the ball retainer to the front of the slides.


2 Install the chassis.

a Align the inner member key holes to standoffs on the chassis.

b Move the inner member in the direction shown in the following picture.

c Install the chassis to the fixed slides by pulling the release button in the inner member to release the lock and allow the chassis to close.


Remove the chassis

You can remove the chassis from the rails to replace or move the device.

Task

1 Fully extend the slides until the slides are in a locked position.

2 Pull the release button to release the lock and disconnect the inner member from the slides.

3 Press the safety locking pin to release the inner member from the chassis.

Connect to network and start the devices

After installing the devices, make the network connections and power on the devices.

Tasks

• Connector and equipment types

You can connect your ESM devices to the network using standard Ethernet copper cables.

• Connect power and start devices

Connecting the power and startup process is similar for all ESM hardware components.

Connector and equipment types

You can connect your ESM devices to the network using standard Ethernet copper cables.

Connect your ESM, Receiver, ADM, and DEM devices to the network using copper connectors. The CAT5 copper cables have RJ-45 connectors. Use CAT5 or higher for your copper connections. For gigabit connections, use CAT5e.

The ADM and DEM require a network Switch Port Analyzer (SPAN) or Test Access Point (TAP) connection to listen to the network traffic. This means that the connected switch must mirror the traffic from other switch ports usually on the connected switch.


You can connect Data Circuit-Terminating Equipment (DCE) and Data Terminal Equipment (DTE) to your ESM devices.

• Firewalls and routers are DTE and switches are DCE.

• ESM devices are DTE.

Network cables

The ESM devices all use copper cable connections. They use either straight-through or crossover copper RJ-45 male cables.

• To connect an ESM device RJ-45 port to DCE, use a straight-through cable.

• To connect to a DTE, use a crossover cable.

To distinguish between a straight-through and crossover cable, hold the two ends of the cable as shown:

• On a straight-through cable, the colored wires are the same sequence at both ends.

• On a crossover cable, the first (far left) colored wire at one end is the same color as the third wire at the other end of the cable.

Network ports

Identify the ports on the McAfee devices and connect those cables.

The devices contain management ports so they can be managed from McAfee ESM.

The following images identify the management and collection ports.

1U ERC and ADM connections


IPMI Port

Eth0 Connection varies by device:

• ERC — MGMT 1

• ADM — MGMT 2

Eth1 Connection varies by device:

• ERC — MGMT 2

• ADM — MGMT 1

Eth5 Connection varies by device:

• ERC — Can be used as additional MGMT port

• ADM — Collection (sniffer) ports

Eth4 Connection varies by device:

• ERC — Can be used as additional MGMT port

• ADM — Collection (sniffer) ports

Eth3 Connection varies by device:

• ERC — Can be used as additional MGMT port

• ADM — Collection (sniffer) ports

Eth2 Connection varies by device:

• ERC — Can be used as additional MGMT port

• ADM — Collection (sniffer) ports

Monitor connection

1U ERC HA connections


For HA:

• Primary — IPMI Port to secondary Eth5 port, 1 of 4-port NIC

• Secondary — IPMI Port to primary Eth5 port, 1 of 4-port NIC

Eth0 MGMT 1 configured with unique IP addresses

Eth1 MGMT 2 (Data port) configured with a shared IP address

Eth5 For HA:

• Primary — Port 1 of 4-port NIC to secondary IPMI port

• Secondary — Port 1 of 4-port NIC to primary IPMI port

Eth4 Heartbeat connection between HA devices

Eth3 Not used

Eth2 Not used

Monitor connection

2U ERC connections

Eth7 HA reserved for IPMI connection

Eth6 HA reserved for Heartbeat

Eth5 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 6"

Eth4 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 5"

Eth0 MGMT 1 Shown on graphical user interface as "Interface 1"


Eth1 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 2"

Eth2 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 3"

Eth3 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 4"

Monitor connection

IPMI Port

2U ERC HA connections

Eth7 For HA:

• Primary — Port 1 of 4-port NIC to secondary IPMI port

• Secondary — Port 1 of 4-port NIC to primary IPMI port

Eth6 Heartbeat connection

Eth5 Can be used as additional MGMT port


Eth4 Can be used as additional MGMT port

Eth0 MGMT 1 configured with unique IP addresses

Eth1 MGMT 2 (Data port) configured with shared IP address

Eth2 Can be used as additional MGMT port

Eth3 Can be used as additional MGMT port

For HA:

• Primary — Port 1 of 4-port NIC secondary IPMI port

• Secondary — IPMI port to primary port 1 of 4-port NIC

2U ADM connections

Eth7 SPAN or TAP port

Eth6 SPAN or TAP port

Eth5 SPAN or TAP port

Eth4 SPAN or TAP port

Eth0 MGMT 1 Shown on graphical user interface as "Interface 1"

Eth1 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 2"

Eth2 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 3"

Eth3 Can be used as additional MGMT port. Shown on graphical user interface as "Interface 4"


Monitor connection

IPMI Port

2U DEM connections

Eth4 through Eth7 SPAN or TAP ports

Eth0 MGMT 1

Eth1 MGMT 2

Eth2 and Eth3 Collection (sniffer) ports

Monitor connection

IPMI Port

2U ETM, ELMERC, ELM, ELS, ACE, and ENMELC connections


Eth0 MGMT 1

Eth1 MGMT 2

Monitor connection

IPMI Port

DAS data cable connections

Typical DAS SAS input connections

Typical DAS SAS output connections

See also: Identifying a location for installation

Connect power and start devices

Connecting the power and startup process is similar for all ESM hardware components.

Task

1 Connect the power supply cable to the power source. Install and ground the equipment properly to comply with national, state, and local codes.

Connect all ESM devices to separate uninterruptible power supplies (UPS). Connecting redundant power cords and power modules operating at normal conditions balances the load share through its parallel design, resulting in a reliable power system.

2 Turn on the device.


3 Mounting ESM software on a VM

You can mount the McAfee ESM software on an ESXi VM or on Linux Kernel-based Virtual Machine (KVM) servers.

Contents

• Mounting ESM VM image overview

• ESM VM system requirements

• Download the ESM VM image

• VMware ESXi VM ESM software mounting

• Linux KVM ESM installation

• Configure the VM ESM software

Mounting ESM VM image overview

Mounting the ESM software on a VM is similar for a VMware ESXi VM and a Linux KVM.

This flowchart shows the major tasks used to install and configure the different VM software.


ESM VM system requirements

The virtual machine (VM) you use for the McAfee ESM VM must be configured with these minimum requirements.

• Processor — 8-core 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher

• RAM — Depends on the model (4 GB or more)


• Disk space — Depends on the model (250 GB or more)

• ESXi 5.0 or later

• Thick versus thin provisioning — You must decide the hard disk requirements for your server. The minimum requirement is 250 GB unless the VM purchased has more. See the specifications for your VM product.

Thick vs thin disk provisioning — When you configure your VM disk space, use thick provisioning, if you have the actual disk space available on your ESXi server. Using thin provisioning saves disk space but there is a slight performance impact and you must be careful to never fill that disk space to capacity.

Download the ESM VM image

Downloading the ESM software VM image is similar for the ESXi VM and a Linux KVM.

Before you begin

You must have your McAfee Grant Number to download the ESM software VM image from the download site.

Task

1 Use your browser and this URL to access the McAfee download site:

Product Downloads, Free Security Trials & Tools

2 Click Downloads, type your McAfee Grant Number and the Captcha code, then click Submit.

3 On the My Products page, scroll down the list and click one of the McAfee Enterprise Security Mgr VM** downloads.

The number in the download file name indicates the number of cores the ESM image allocates to the VM. For example, file "VM32" allocates 32 cores to the VM.

4 Click the Current Version tab and select the McAfee Enterprise Security Mgr VM image.

5 Select one of these downloads:

• KVM Image — To download the tarball image file for a Linux Kernel VM

• OVF Deployment File — To download the .ova file for the VMware vSphere ESXi client.

6 Save the image file to a location on your local system.

Now you can install or deploy the VM image file to create your ESM VM.


VMware ESXi VM ESM software mounting

After you have downloaded the ESM software, perform these tasks to mount the software on a VMware ESXi VM.

VMware ESXi VM requirements

The VMware ESXi VM must meet these minimum requirements.

• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or later

The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

• RAM — 4 GB minimum (depends on the model)

• Disk — 250 GB minimum (depends on the model)

Sharing CPU or RAM with other VMs impacts the ESXi VM performance.

• ESXi — 5.0 or later

You can select the hard disk requirement needs for your server. But, the VM requirement depends on the model of the device (at least 250 GB). If you don't have a minimum of 250 GB available, you receive an error when deploying the VM.

This disk space is for the operating system and does not include the space needed for the database or logs.

The VM uses many features that require CPU and RAM. If the ESXi environment shares the CPU or RAM requirements with other VMs, the performance of the VM is impacted.

McAfee recommends setting the provisioning option to Thick.

Mount the VMware ESXi virtual machine

Once you mount and key a VMware ESXi VM, it mimics normal ESM operation.

Task

1 Access the root of the CD drive (for CD installation) or download the ESX .ova files from the download site.

2 In vSphere Client, click the server IP address in the device tree.

3 Click File and select Deploy OVF Template.

4 Designate the name, the folder to mount the VM, the disk provisioning setting, and the VM Networking option.

5 Deploy the files to the ESXi server, select the VM, and set the Edit Virtual Machine setting.

6 Select the correct networking settings for your VMware ESXi network switches/adapters, then click Play to start the VM.


7 Using the VM menu, set MGT1 IP address, netmask, gateway, and DNS addresses, then press Esc to activate the menu.

8 Configure the network interface on the VM, save the changes before exiting the Menu window, then key the device. See McAfee Enterprise Security Manager Product Guide for details about keying the devices.

Linux KVM ESM installation

After you have downloaded the ESM software, perform these tasks to install the software on a Linux KVM.

Linux KVM requirements

The Linux KVM where you install the ESM software must meet these minimum requirements.

Minimum requirements

• Processor — 4 cores or higher, depending on model, 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher (for processors)

The number of CPU cores the image supports is indicated in the image filename. For example, image "McAfee Enterprise Security Mgr VM4" supports 4 cores. You cannot add or subtract processors from the VM or change the VM ID number.

• RAM — Depends on the model (4 GB or more)

• Disk space — Depends on the model (250 GB or more)

Sharing CPU or RAM with other VMs impacts KVM performance.

• 2 Virtio Ethernet interfaces for ESM

• Receiver Class devices / 3 for IPS class devices

These interfaces use sequential MAC addresses.

• 1 Virtio/Virtio-SCSI Disk Controller, which controls the Virtio virtual hard drive

Deploy Linux KVM ESM software

To run McAfee ESM in a Linux KVM environment, you must import the hard drive image from the tarball (.tgz file).

Task

1 Obtain the current tarball (.tgz) file from the McAfee Enterprise Security Manager download page.

The tarball contains sample config files.

2 Move the tarball file to the directory where you want the virtual hard drive to reside.


3 Extract the tarball by running this command:

tar -xf McAfee_ETM_VM4_250.tgz

To deploy multiple VMs of the same type in the same location, change the name of the virtual hard drive. For example, rename ERC-VM4-disk-1.raw and ERC-VM4-disk-2.raw to my_first_erc.raw and my_second_erc.raw.

4 Create a VM on your KVM hypervisor using:

(libvirt, qemu-kvm, proxmox, virt-manager, ovirt)

5 Point the VM image to the existing virtual hard drive (Virtio disk .raw file) where you extracted the tarball.
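The KVM requirements and deployment steps above, worked through as an added example that is not part of the guide: the script reads the vCPU count from the image name, stages the extracted disk under a per-guest name, and prints a virt-install command with Virtio NICs on sequential MAC addresses. Using virt-install as the front end, the bridge br0, the base MAC, the image directory and the 4096 MiB memory figure are assumptions.

```shell
#!/bin/sh
# Added example, not McAfee code. Assumed: virt-install front end, bridge br0,
# base MAC 52:54:00:e5:0a:10, 4096 MiB RAM (the guide's 4 GB minimum).

# The image name carries the core count after "VM" (VM4 -> 4, VM32 -> 32).
cores_from_image() (
    n=$(printf '%s\n' "$1" | sed -n 's/.*VM\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] || { echo "no VM<cores> tag in '$1'" >&2; exit 1; }
    printf '%s\n' "$n"
)

# Print the MAC address that lies $2 above base MAC $1.
mac_plus() (
    hex=$(printf '%s' "$1" | tr -d ':')
    case $hex in ''|*[!0-9A-Fa-f]*) echo "bad MAC '$1'" >&2; exit 1 ;; esac
    [ "${#hex}" -eq 12 ] || { echo "bad MAC '$1'" >&2; exit 1; }
    printf '%012x\n' "$(( (0x$hex + $2) & 0xFFFFFFFFFFFF ))" |
        sed 's/../&:/g; s/:$//'
)

# Rename the extracted disk per guest. Refusing to overwrite keeps a second
# extraction of the same tarball from replacing a disk that is already in use.
stage_disk() (
    [ -f "$1" ] || { echo "missing disk '$1'" >&2; exit 1; }
    [ ! -e "$2" ] || { echo "'$2' already exists" >&2; exit 1; }
    mv -- "$1" "$2"
)

# Print the virt-install command for one guest.
#   $1 guest name   $2 staged raw disk   $3 image name from the download
#   $4 NIC count (2 for ESM/Receiver class, 3 for IPS class)
#   $5 base MAC     $6 host bridge
plan_guest() (
    # The vCPU count must equal the image's core count; it cannot be changed.
    cores=$(cores_from_image "$3") || exit 1
    case $4 in 2|3) ;; *) echo "NIC count must be 2 or 3" >&2; exit 1 ;; esac
    cmd="virt-install --name $1 --import --vcpus $cores --memory 4096"
    cmd="$cmd --os-variant generic --noautoconsole"
    cmd="$cmd --disk path=$2,format=raw,bus=virtio"
    i=0
    while [ "$i" -lt "$4" ]; do
        mac=$(mac_plus "$5" "$i") || exit 1
        cmd="$cmd --network bridge=$6,model=virtio,mac=$mac"
        i=$((i + 1))
    done
    printf '%s\n' "$cmd"
)

# Constructed demo: plan the first of two Receiver guests.
plan_guest my_first_erc /var/lib/libvirt/images/my_first_erc.raw \
    ERC-VM4-disk-1.raw 2 52:54:00:e5:0a:10 br0
```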

Configure the VM ESM software

Once you have mounted the ESM software on the VM, you must configure the VM network interface connection, connect to the ESM using the ESM console, then key the device to establish a connection.

Tasks

• Configure the virtual machine
Once you have mounted the ESM software on the VM, configure the network interface.

• Key the VM device
You must key the device to establish a link between the device and the ESM.

Configure the virtual machine

Once you have mounted the ESM software on the VM, configure the network interface.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 To start the configuration, press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 To set the ESM VM IP address:

a Scroll down to Mgt1 and press Enter.

b Scroll down to IP Address and press Enter.

c Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.


4 To set the IP netmask address:

a Scroll down to Netmask and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

5 To set the network gateway IP address:

a Scroll down to Gateway IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

6 To set the DNS IP address:

a Scroll down to DNS1 IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

7 To configure whether to use DHCP:

a Scroll down to DHCP and press Enter.

b Toggle the setting between Y(es) and N(o), then press Enter to select the correct setting.

8 To quit and save your changes:

a Scroll down to Done and press Enter to return to MGT IP Conf.

b Scroll down to Save Changes and press Enter.

9 Optional steps to configure FIPS, to change the communication port, press the down arrow twice, then press Enter.

a Scroll down to Comm Port and press Enter.

b Change the port number, then press Enter.

Make note of the new port number; you'll need it when you key the device.

10 See Log on to the McAfee ESM console to begin configuring the ESM VM settings.

11 See Key the VM device to add the SSH key to the ESM VM.

To complete the configuration, log on to the ESM console using the configured IP address and your browser.

Key the VM device

You must key the device to establish a link between the device and the ESM.

Before you begin

Physically connect the device to your network. See Installing McAfee ESM devices for details.

Task

1 On the system navigation tree, click the system or a group, then click the Add Device icon in the actions pane.

2 Enter the information requested on each page of the Add Device Wizard.


4 Installing ESM on AWS

Installing McAfee ESM on an Amazon Web Services (AWS) virtual server eliminates the chance of hardware failure.

Contents

• Using ESM with AWS
• Create the AWS
• Create an ESM image and install it on AWS
• Configure ESM AWS connections

Using ESM with AWS

An Amazon Web Services (AWS) virtual server provides the same features and performance as a locally configured McAfee ESM VM.

The basic steps to create an AWS server in your network with McAfee ESM include:

1 Get an AWS account from http://aws.amazon.com/.

2 Log on to the AWS Management Console and configure your AWS instance.

3 Install the ESM, ERC, ELM, ELS, or ACE software.

4 Configure the ESM device.

Create the AWS

Before you can install ESM on an AWS server, you must create the server with the proper settings and create a connection to your enterprise network.

Before you begin

You must have an Amazon Web Services account.

This example, and the selected values, describe creating a simple ESM server. The values you select might be different.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the AWS console to display the AWS Console page.

2 Set the AWS data center region to the location closest to most of your networks.

3 Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to open Step 1: Choose an Amazon Machine Image (AMI), and select the server instance Amazon Linux AMI.

This type has the AWS/EC2 tools pre-installed. If you choose other Linux types, you have to install the AWS/EC2 tools.

4 Open Step 2: Choose an Instance Type, select m3.large, then click Next: Configure Instance Details.

When choosing the Instance Type for a McAfee device, make sure to select the correct CPU count.

5 Click Next: Configure Instance Details to select the network to use while running your instance.

Make sure you are able to connect to your instance using:

• Public address

• Private address

You can create your own Virtual Private Cloud in AWS. For more information, see VPC in Services from the drop-down list.

6 Click Next: Add Storage to open Step 4: Add Storage page. Leave the defaults selected for the Amazon "build" instance.

The default for McAfee devices is 250 GB. You can add more volumes if you need them.

7 Click Next: Tag Instance to open Step 5: Tag Instance page. Type a name so you can find the instance under the "Value" column.

8 Click Next: Configure Security Group to open Step 6: Configure Security Group page, then select one:

• Create a new security group — A new security group limits who can log on to the instance.

Add your external-facing IP address range.

• Select existing security group.

9 Click Review and Launch to open Step 7: Review Launch Instance, then click Launch.

Disregard this warning that appears: Your instance configuration is not eligible for the free usage tier.

10 Select an existing key pair or create a new key pair, which you need to log on to your new instance.

11 Click Launch Instance and View Instances to confirm the status of the AWS server.

It might take 20–30 minutes before your instance is ready to access. When the Status Checks column next to your new instance displays 2/2 checks, you are ready to start the installation process.

12 Make a note of the public IP address, shown in this example as cc.dd.ee.ff.

This IP address is needed to transfer the installer to the instance and to log on to it.

You have created your AWS server. Continue with the AWS image creation and installation process.


Create an ESM image and install it on AWS

Installing ESM on an AWS server is different from installing the software on a physical server. These steps describe the process.

Before you begin

You must have created the AWS server and connected to the server.

You must know the configured IP address of the AWS server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Use scp or pscp (PuTTY Secure Copy Client) to convert the .pem file to .ppk.

For example, using Secure Copy Client, use this command to convert the key file and transfer it tothe new AWS instance:

scp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

Using PuTTY Secure Copy Client, use this command to convert the file:

pscp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

These are the variables in the previous examples:

• siem_install.sh — Conversion file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

For Windows, use WinSCP to copy the file to your instance by converting the .pem file to .ppk for PuTTY or WinSCP. For more information, see this Amazon help page https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html.

To download and install the PuTTY SSH and telnet client, see http://www.putty.org/.

2 Log on to the new AWS instance using SSH or PuTTY with this command:

ssh -i mykeypair.pem ec2-user@cc.dd.ee.ff

These are the variables in the example:

• mykeypair.pem — Convert SSH file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

3 Type this command to change to root, then press Enter:

sudo su


4 Run aws configure as root and provide the Access Key ID and Secret Access Key that you were given, using these commands:

[root@<IP address> <ec2-user name>]# aws configure

AWS Access Key ID [None]: <Access Key ID>

AWS Secret Access Key [None]: <Secret Access Key>

Default region name [None]: (Leave blank, and press Enter)

Default output format [None] (Leave blank, and press Enter)

For more information about these keys, see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html.

5 Confirm that the installation script is executable. If needed, use chmod. For example:

chmod u+x siem_install.sh

6 Create an AMI image and an instance with this command:

./siem_install.sh

If you see an error that says the keys were not defined, you can add the keys on the command line. For example:

[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ETM_VM8.sh

The AWS access key or the AWS Secret key were not defined

[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ERU_VM8.sh -O <Access Key ID> -W <Secret Access Key>

To access Help for the output options:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh -h

install_McAfee_ETM_VM8.sh - install SIEM to Amazon EC2

install_McAfee_ETM_VM8.sh [options]

options:

-h, --help show brief help

-O AWS key

-W AWS Secret Key

Creating the AMI image takes about 20 minutes and is non-interactive. This is an example of the output:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh
Decompressing files
Running installer
Creating volume
Attaching volume
formatting volume
1+0 records in
1+0 records out
4194304 bytes (4.2 MB) copied, 0.0467013 s, 89.8 MB/s
mke2fs 1.42.9 (28-Dec-2013)
mke2fs 1.42.9 (28-Dec-2013)
mounting main partition
copying main files
mounting boot partition
copying boot files
Updating fstab
Updating grub
unmounting boot partition
unmounting main partition
detaching volume
Creating snapshot (this will take a while)
Creating AMI
Created AMI "ami-bb8afc81". To run, launch an instance of this AMI
Deleting (temporary) volume
Client.InvalidVolume.NotFound: The volume 'vol-9eb2ae81' does not exist.
Done


7 Once the image is created, exit from the root shell, exit the instance, go to the EC2 Dashboard, and terminate the running instance.

Terminating the instance destroys the instance.

8 Log on to AWS, click the AMIs sidebar and find the AMI that you created.

This AMI now has the name from the installation script. In this example, McAfee_ETM_VM8.

9 Right-click the AMI name and click Launch.

10 Go through the launch options, then click Launch. For McAfee type devices, the key pair step is not needed. Select Proceed without a key pair and click the acknowledgment.

11 Once the AMI is launched and goes through the "status checks", open a browser and navigate to the assigned IP address. For this example, type http://172-31-6-172/ in the browser.

All McAfee devices in AWS are enabled using DHCP and the IP address is assigned to them automatically.

The IP address that you navigate to depends on how you set up networking in the AWS. You can have a private IP address or public IP address. For long-term use, we recommend using a private IP address.

The first time you log on to the ESM, this warning indicates that you are in the cloud and need to confirm the features you are licensed to use.

In this example, the hash has been obfuscated.

12 Click Email Hash to populate your default email client with the created hash.


13 Add your grant number to the email and send it.

A Hash Accepted dialog box indicates that your hash was successfully sent.

A Support Representative looks at your grant number and verifies the features you are licensed to have. They then send you a hash string back to overwrite the previously displayed hash string. When you click Send, you can log on for the first time.

14 When you log on to the AWS again, overwrite the existing hash with the hash sent by McAfee, then click Send.

Now you can log on to the AWS ESM successfully and configure, key, and start using your AWS device.
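Checks for steps 1 through 6 of the task above, as an added example that is not part of the guide or of the McAfee installer. It confirms that the key pair file is private (ssh and scp refuse a private key that group or others can read), that the installer is executable, and that both keys are already stored by aws configure, so the -O/-W fallback, which places the secret key in the process list and in root's shell history, is not needed. The script name preflight.sh is hypothetical, and it is an assumption that the installer picks up the stored keys, as step 4 implies.

```shell
#!/bin/sh
# Added example, not McAfee code. Hypothetical name: preflight.sh
#   on the workstation:  preflight.sh key mykeypair.pem
#   on the instance:     preflight.sh instance siem_install.sh

# Succeeds only if $1 is a regular file with no group or other access bits.
private_to_owner() (
    [ -f "$1" ] || exit 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group and other permission triplets
    [ "$perms" = "------" ]
)

# Steps 1 and 2: the key pair file given to scp and ssh with -i.
check_keypair() (
    private_to_owner "$1" ||
        { echo "$1: missing or too open, run: chmod 400 $1" >&2; exit 1; }
)

# Step 5: the installer needs the owner execute bit.
check_installer() (
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c4)" = x ] ||
        { echo "$1: not executable, run: chmod u+x $1" >&2; exit 1; }
)

# Step 4: aws configure stores both keys in ~/.aws/credentials. If they are
# present and the file is private, the keys never have to appear in argv.
check_credentials() (
    f=${1:-$HOME/.aws/credentials}
    private_to_owner "$f" ||
        { echo "$f: missing or readable by group/other" >&2; exit 1; }
    for key in aws_access_key_id aws_secret_access_key; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$f" ||
            { echo "$f: $key is not set, rerun aws configure" >&2; exit 1; }
    done
)

case ${1:-} in
    key)      check_keypair "$2" ;;
    instance) check_installer "$2" && check_credentials ;;
esac
```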

Configure ESM AWS connections

After you have configured the hash for the AWS ESM, you must connect and add the devices.

Before you begin

You must have created the AWS and installed ESM on the AWS.

Task

For details about product features, usage, and best practices, click ? or Help.

1 After you have completed the hash verification with McAfee, you can use your configured IP address to initially log on to the ESM. See Log on to the McAfee ESM console for details.

2 Connect both physical and virtual devices to the ESM.

3 Confirm that all of the ESM devices appear in ESM before configuring the devices.

4 Key the devices to complete the device configuration.


5 Setting up McAfee ESM network connections

Once the ESM device is installed and turned on, you must configure the network interface connection for each device before it can connect to the McAfee ESM.

Contents

• Configure the ESM network interface
• Configure the ERC, ELM, ELS, or ACE network interface
• Configure the DEM or ADM network interface

Configure the ESM network interface

Configure the network interface on an ESM.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 Press Alt + F1 to go to the menu at the top left corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 Select Mgt 1 and press Enter, then select IP Address and press Enter.

4 Set the value and press Enter.

5 Scroll down to Netmask and set the value.

6 Scroll down to Done and press Enter.

7 Scroll down to Gateway and press Enter.

8 Set the gateway address, scroll down to Done, and press Enter.

9 Scroll down to DNS 1, press Enter, and set the value.


10 Scroll down to Done and press Enter.

11 Scroll down to Save Changes and press Enter.

12 Log on to the McAfee ESM console to begin configuring the systems and device settings.

Configure the ERC, ELM, ELS, or ACE network interface

Configure the network interface on an ERC, ELM, ELS, or ACE device.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 Press Alt + F1 to go to the menu at the top left-hand corner of the screen, press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 Select Mgt 1 and press Enter, then select IP Address and press Enter.

To configure an IPv6 address, scroll down to IPv6 Config.

4 Set the value and press Enter.

5 Scroll down to Netmask and set the value.

6 Scroll down to Done and press Enter.

7 Scroll down to Gateway and press Enter.

8 Set the gateway address, scroll down to Done, and press Enter.

9 Scroll down to DNS 1, press Enter, and set the value.

10 Scroll down to Done and press Enter.

11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.

Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.

12 Scroll down to Save Changes and press Enter.


Configure the DEM or ADM network interface

Configure the network interface on a DEM or ADM device.

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and this virtual liquid crystal display (LCD) page appears.

2 Press Alt + F1 to go to the menu at the top left corner of the screen, then press Esc twice.

3 Scroll down to MGT IP Conf and press Enter.

4 Select Mgt 1 and press Enter.

5 On the Active menu, select IP Address and press Enter.

To configure an IPv6 address, scroll down to IPv6 Config.

6 Set the value and press Enter.

7 Scroll down to Netmask and set the value.

8 Scroll down to Done and press Enter.

9 Scroll down to Gateway and press Enter.

10 Set the gateway address, scroll down to Done, and press Enter.

11 If in FIPS mode, scroll down to Port Number, change the value if needed, and press Enter.

Make note of the new port number. You need it when keying the device. Don't change the TCP communication port.

12 Scroll down to Save Changes and press Enter.
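The Mgt 1 values these tasks enter (IP address, netmask, gateway) can be checked before they are typed in; this is an added example, not part of the guide, and its addresses are constructed. It also shows why a zero-padded address such as the 172.016.001.140 this guide uses in a console URL is better typed without padding in a browser: URL parsers that follow the WHATWG URL standard read an octet with a leading zero as octal.

```shell
#!/bin/sh
# Added example, not McAfee code: sanity checks for Mgt 1 settings.

# Decimal reading: strip zero padding, accept exactly four octets 0-255.
canon_ipv4() (
    case $1 in ''|*[!0-9.]*|*.) exit 1 ;; esac
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || exit 1
    out=
    for o in "$@"; do
        [ -n "$o" ] && [ "${#o}" -le 3 ] || exit 1
        o=${o#"${o%%[!0]*}"}          # drop leading zeros as text
        [ -n "$o" ] || o=0
        [ "$o" -le 255 ] || exit 1
        out=${out:+$out.}$o
    done
    printf '%s\n' "$out"
)

# Reading applied by WHATWG-style URL parsers and by inet_aton: a leading
# zero marks an octal octet. Only the four-part, digits-only form is modelled.
url_host_reading() (
    case $1 in ''|*[!0-9.]*|*.) exit 1 ;; esac
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || exit 1
    out=
    for o in "$@"; do
        case $o in
            '')  exit 1 ;;
            0?*) case $o in *[89]*) exit 1 ;; esac
                 o=$(( $o )) ;;       # shell arithmetic reads 0NN as octal too
        esac
        [ "$o" -le 255 ] || exit 1
        out=${out:+$out.}$o
    done
    printf '%s\n' "$out"
)

# True when the address as written would not reach the intended host by URL.
misread_in_url() (
    [ "$(canon_ipv4 "$1")" != "$(url_host_reading "$1" || echo invalid)" ]
)

ip_to_int() (
    ip=$(canon_ipv4 "$1") || exit 1
    IFS=.; set -- $ip
    printf '%s\n' "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# Exit codes: 1 malformed, 2 bad netmask, 3 gateway off-subnet, 4 bad host.
check_mgmt() (
    ip=$(ip_to_int "$1") && mask=$(ip_to_int "$2") && gw=$(ip_to_int "$3") ||
        { echo "malformed address" >&2; exit 1; }
    inv=$(( ~mask & 0xFFFFFFFF ))
    [ "$(( inv & (inv + 1) ))" -eq 0 ] && [ "$mask" -ne 0 ] ||
        { echo "netmask $2 is not contiguous" >&2; exit 2; }
    [ "$(( ip & mask ))" -eq "$(( gw & mask ))" ] ||
        { echo "gateway $3 is outside the Mgt 1 subnet" >&2; exit 3; }
    host=$(( ip & inv ))
    [ "$host" -ne 0 ] && [ "$host" -ne "$inv" ] ||
        { echo "$1 is the network or broadcast address" >&2; exit 4; }
    printf 'ip=%s netmask=%s gateway=%s\n' \
        "$(canon_ipv4 "$1")" "$(canon_ipv4 "$2")" "$(canon_ipv4 "$3")"
)

# Constructed demo values, written zero-padded as on the device menu.
check_mgmt 172.016.001.140 255.255.255.000 172.016.001.001
misread_in_url 172.016.001.140 &&
    echo "type $(canon_ipv4 172.016.001.140) in the browser, not the padded form"
```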


6 Initial ESM logon and configuration

Once the ESM devices are connected to the network and their interface connections configured, you can log on to the ESM console and finish the initial configuration.

See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.

Contents

• Log on to the McAfee ESM console
• Connecting devices
• Confirm in ESM that all devices appear
• Key a device

Log on to the McAfee ESM console

Log on to the console to begin configuring the systems and device settings.

Before you begin

Verify whether you are required to operate the system in Federal Information Processing Standard (FIPS) mode.

Task

1 Open a web browser on a client computer and go to the IP address you set when you configured the ESM network interface. For example, if the ESM IP address is 172.016.001.140, type the following in your browser:

https://172.016.001.140/

2 Click Continue to site, if a self-signed certificate error appears for your browser.

3 Click Login, select the language for the console, then type the default user name and password.

• Default user name: NGCP

• Default password: security.4u

4 Click Login, read the End User License Agreement, then click Accept.

5 When prompted, change your user name and password, then click OK.

6 Select whether to enable FIPS mode and if you select Yes, click the additional confirmation.

If you must work in FIPS mode, enable it the first time you log on so that all future communication with McAfee devices is in FIPS mode. Do not enable FIPS mode if you are not required to. For more information about FIPS, see Appendix B.


7 For Rules Update Access, click OK and follow the instructions that appear to obtain your user name and password, which are needed for access to rule updates.

8 Perform initial ESM configuration:

a Select the language to be used for system logs.

b Select the time zone where this ESM is and the date format used with this account, then click Next.

9 Enter the server information for the ESM.

a Type the primary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

b (Optional) Type the secondary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

c Under General Settings, type the gateway, DNS servers, and any additional information needed to connect your ESM to your network.

d Click Next.

10 (Optional) If needed to connect through a proxy server, type its IP address, port number, credentials, and set the local network setting, then click Next.

11 (Optional) If needed, enter any static routes that the ESM needs to communicate with the network. When completed, click Next.

12 Add your network time protocol (NTP) servers to synchronize the ESM system time. Type these settings as needed:

• NTP Server IP address

• Authentication Key

• Key ID

To achieve best results in the ESM, it’s important to have a common time reference across the enterprise. By default, the ESM uses a set of Internet-based NTP servers. Enter your own enterprise NTP server, then click Next.

13 To automatically check the ESM server for rule updates:

• Type your customer ID and password to verify your identity.

• Configure your Auto check interval in hours and minutes.

• Click Check Now or Manual Update.

14 Click Finish.

15 In the Network settings change dialog box, click Yes to restart the ESM service.

The restart takes about 90 seconds to complete. Then you might be required to log back on to the ESM.


Connecting devices

To enable application and database monitoring, advanced rule- and risk-based correlation, and compliance reporting, connect both physical and virtual devices to McAfee ESM.

Add devices to the ESM console

After you set up and install the physical and virtual devices, add them to the ESM console.

Before you begin

Set up and install the devices.

These steps are only needed to add devices to an ESM in a complex ESM installation with multiple ESM devices. You don't need to perform this task with a simple ESM installation using a combination ESM.

Task

1 On the system navigation tree, click Local ESM or a group.

2 On the actions toolbar, click .

3 Select the type of device you are adding, then click Next.

4 In the Device Name field, enter a name that is unique in this group, then click Next.

5 Provide the information requested:

• For McAfee ePO devices — Select a Receiver, type the credentials required to log on to the web interface, then click Next. To use for communicating with the database, type the settings.

Select Require user authentication to limit access to those users who have the user name and password for the device.

• For all other devices — Type the target IP address or URL for the device.

6 Select whether to use Network Time Protocol (NTP) settings on the device, then click Next.

7 Enter a password for this device, then click Next.

The ESM tests device communication and reports on the status of the connection.

Confirm in ESM that all devices appear

In the ESM console, confirm that all of the ESM devices appear before you begin detailed configuration of the devices.

For detailed information about performing these confirmation steps, see McAfee Enterprise Security Manager Product Guide.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ESM console, and find the System navigation pane to view the devices on the system.

2 Click Menu | Configuration to view the physical display.

3 Confirm that you can click the Add devices icon to see the devices that you installed in the racks and configured with their network settings.

Once the devices are added, you must key the device to enable communication and complete the installation. See the McAfee Enterprise Security Manager Product Guide for detailed device configuration.

Key a device

You must key the device to establish a link between the device and the ESM.

Before you begin

Physically connect the device to your network.

Task

1 Log on to the ESM console using a browser. See Log on to the McAfee ESM console for details.

2 On the system navigation tree, click a device, then click the Properties icon.

3 Click Key Management | Key Device.

If the device has an established connection and can communicate with the ESM, the Key Device Wizard opens.

4 Type a new password for the device, then click Finish.


7 Upgrading McAfee ESM software

Upgrading the software on your ESM devices provides, for example, new and upgraded features, interface changes, or support for additional browsers and browser versions.

To prepare your systems for the upgrade, download the files for the components, then upgrade them in the order described.

Contents

• What you have and what you need
• Preparing to upgrade
• Special upgrade scenarios
• Download the upgrade files
• Upgrade the software on a device
• Upgrade the system
• Upgrade ESM, ESMREC, or ENMELM
• Upgrade HA Receivers
• Available VA vendors

What you have and what you need

List the current security software and hardware that you have on your network.

Complete the following network questionnaire before you begin upgrading your McAfee ESM devices and software.

McAfee Security Professional Services requires this same information to help you order and configure your existing network security.


Current network questionnaire

Questions / Enter information

Which McAfee ESM devices do you have? Enter the quantity:

• Enterprise Security Manager (ESM) — ________

• Event Receiver (ERC) — ________

• Receiver and ELM Combination (ELMERC) — ________

• Enterprise Log Manager (ELM) — ________

• Enterprise Log Search (ELS) — ________

• Advanced Correlation Engine (ACE) — ________

• Direct Attached Storage (DAS) — ________

• Application Data Monitor (ADM) — ________

• Database Event Monitor (DEM) — ________

• Storage Area Network (SAN) card — ________

Do you have an All-in-One McAfee ESM? Yes / No

Will you need an ACE to integrate with your ESM? Yes / No

Is your McAfee ESM solution installed on a virtual machine (VM), physical devices, or a combination of both? Virtual Machine (VM) / Physical device / Combination of VM and devices

What are the model numbers of your ESM components? Enter the model number:

• ESM — _____________________________

• ELM — _____________________________

• ERC — _____________________________

• ACE — _____________________________

Do you have a hierarchical architecture? Yes / No

In addition to port 22, can you open port 9092 between your ERCs and ESMs? Yes / No

In addition to port 22, can you open port 2181 between your ELSs and ESMs? Yes / No

Are you, or will you be, a Managed Security Service Provider (MSSP)? Yes / No


What is your current events per second (EPS) by device? Enter the count:

• ESM — ________ EPS count

• ERC — ________ EPS count

• ELM — ________ EPS count

• ERC — ________ EPS count

• ELS — ________ EPS count

What software version are you running on your ESM? Version — _______

You must be using McAfee ESM version 9.6 to upgrade to version 10.0.

What browsers are you using for your ESM console? Chrome version 48 or higher / Firefox version 42 or higher / Internet Explorer version 11 or higher

Preparing to upgrade

You must do several things before you can upgrade your ESM devices.

1 Make sure that the ESM database rebuild from a previous build (9.6.0 or later) is complete, and that you can schedule the outage window for this upgrade.

2 Complete a database backup of the ESM. Export or back up the following items to ensure ease of recovery if an upgrade renders a rule, event, or other content unusable:

Alarms: On the System Properties dialog box, click Alarms, highlight each alarm, then click Export and save the file.

Watchlists: On the System Properties dialog box, click Watchlists, highlight each watchlist, then click Export and save the file.

Custom rules: In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.

    1 In the Rule Types pane, click a rule type.

    2 In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.

    3 Highlight the rules, click File | Export | Rules, then save them in XML format.

Policies: In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.


3 Make sure that the soft RAID subsystem is running with two active drives. Issue the cat /proc/mdstat command in one of these ways:

• On the ESM console, click System Properties | ESM Management | Terminal, then click Write and type the command.

• SSH into the ESM.

• Connect a monitor and keyboard to the device.

If the output looks like the following example, the RAID is functioning properly and you can proceed with the upgrade.

    Personalities : [raid1]
    md_d127 : active raid1 sda[0](W) sdb[1](W)
    488386496 blocks [2/2][UU]
    Unused devices: <none>

The [UU] code identifies active drives. If it shows [_U] or [U_], a drive is not part of the RAID. You must contact Technical Support before upgrading.
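The [UU] check in step 3 can be scripted against saved cat /proc/mdstat output. The following Python is an added example, not part of the McAfee guide or product; the function names and the degraded sample are constructed for illustration, and the two-active-drive requirement is taken from step 3.

```python
import re
import sys

# Healthy output as shown in the guide (line layout reconstructed).
HEALTHY = """\
Personalities : [raid1]
md_d127 : active raid1 sda[0](W) sdb[1](W)
      488386496 blocks [2/2][UU]
Unused devices: <none>
"""

# Constructed sample: the same array after the second drive dropped out.
DEGRADED = """\
Personalities : [raid1]
md_d127 : active raid1 sda[0](W)
      488386496 blocks [2/1] [U_]
unused devices: <none>
"""

# "md_d127 : active" opens an array entry.
HEADER_RE = re.compile(r"\b(md\w*) : (\w+)")
# "[2/2][UU]" or "[2/2] [UU]": configured/active member counts, then slot map.
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s*\[([U_]+)\]")


def parse_mdstat(text):
    """Return one dict per md array found in /proc/mdstat text."""
    headers = list(HEADER_RE.finditer(text))
    arrays = []
    for i, head in enumerate(headers):
        # An array's status lies between its header and the next header.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        status = STATUS_RE.search(text, head.end(), end)
        arrays.append({
            "name": head.group(1),
            "state": head.group(2),
            "configured": int(status.group(1)) if status else None,
            "active": int(status.group(2)) if status else None,
            "slots": status.group(3) if status else None,
        })
    return arrays


def raid_ready_for_upgrade(text, required_active=2):
    """Return (ok, problems); ok is True only if every array is fully active."""
    arrays = parse_mdstat(text)
    problems = []
    if not arrays:
        problems.append("no md array found in the output")
    for arr in arrays:
        if arr["slots"] is None:
            problems.append(f"{arr['name']}: no [n/m][UU] status found "
                            f"(state={arr['state']})")
            continue
        if "_" in arr["slots"]:
            missing = [i for i, c in enumerate(arr["slots"]) if c == "_"]
            problems.append(f"{arr['name']}: [{arr['slots']}] shows slot(s) "
                            f"{missing} not part of the RAID")
        if arr["active"] < required_active:
            problems.append(f"{arr['name']}: {arr['active']} active drive(s), "
                            f"{required_active} required")
    return (not problems, problems)


if __name__ == "__main__":
    # Reads saved or piped cat /proc/mdstat output from standard input.
    ok, problems = raid_ready_for_upgrade(sys.stdin.read())
    print("RAID OK" if ok else "Contact Technical Support before upgrading:\n"
          + "\n".join(problems))
    sys.exit(0 if ok else 1)
```

The parser accepts the status with or without a space between [2/2] and [UU], and also works on output that has been flattened onto one line.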

Type of information / Details

Device types supported: The ESM, ESM/Event Receiver, or ESM/Log Manager (ENMELM) only communicates with 9.6.0 devices. To check the model of your device, issue the cat /proc/cpuinfo command. The output includes the CPU number on the model name line.

Device removal: Before upgrading the ESM, Event Receiver, or ENMELM, remove all device models specified and virtual IP addresses for the specified Nitro IPS models. Otherwise, a message appears on the Login page and the message log states that this problem occurred, and that the upgrade failed. ESM also fails to upgrade and notations are placed in the device message log.

To remove a virtual IPS, select the device in the system navigation tree and click the Properties icon. Select Device Configuration | Virtual Devices, then select the existing virtual devices and click Remove. Click Write to write the settings to the IPS.

You must roll out the policy from the 9.6.0 ESM, Event Receiver, or ENMELM to the IPS device, otherwise the IPS remains in bypass mode and no traffic is inspected.

Save receiver settings: Make sure all Receiver settings are saved before updating from versions 9.x to 9.6, then to 10. If you don't save the settings, a problem occurs that can cause issues on the receiver and other devices. Make sure all settings for every device are saved before updating to any version.

Rebuild time: Table rebuild time varies for ESM, Event Receiver, and ENMELM. To speed up the upgrade of the ESM database:

• Set collection duration of events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties | Events, Flows & Logs, then set Auto check interval.

• Turn off collection of events, flows, and logs until the rebuild finishes. Complete this step only if the number of events and flows sent to the ESM is low. On the ESM console, click System Properties | Events, Flows & Logs, then deselect Auto check interval.


Upgrade paths:

• You can upgrade to 10.0.0 directly from 9.6.0 or later.

• You must upgrade versions before 9.6.0 following this path: 8.2.x > 8.3.x > 8.4.2 > 8.5.6 > 9.0.2 > 9.2.1 > 9.4.2 or later > 9.6.0 or later > 10.0

Upgrade Receiver-HA devices: To upgrade Receiver-HA devices, you must first check the Receiver's high availability status.

Make sure all device settings are saved before updating to any version.

Back up ESM settings and system data

Back up and save the ESM configuration files before you start any software upgrades.

When you add an ESM device, Backup & Restore is enabled to back up every seven days. You can disable it or change the default settings. See KB article, Backup process for McAfee [ESM] devices for details.

We recommend you make a Full Backup of all devices before you start an upgrade. A full backup contains:

• Settings for the ESM, ERC, DEM, ADM, and ACE devices.

ELM full backups only include configuration settings. The database settings must be backed up separately or you lose all database connections to your local shares, remote shares, and SANs.

• Stop CPService and then DBServer and create a copy of the contents of: /usr/local/ess/data/, /etc/NitroGuard, and other folders on a remote share.

If anything goes wrong during the upgrade, you can:

• Reinstall the software to the existing version.

• Reinstall the backup files.

• Try upgrading to the next version again.

Backups are only compatible with the current version of the ESM device. You can't install a backup of a previous version on an upgraded ESM device.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select System Properties, then click ESM Management | Maintenance | Backup.

2 Define the settings for the backup.

3 Click OK to close the Backup & Restore page.

Table 7-1 Option definitions

Option / Definition

Backup Frequency: When new ESM devices are added to the system, the Backup & Restore function is enabled to perform a backup every seven days. You can change the frequency or disable backup.

Backup Data For: Select what you want to include in the backup.


Backup Location: Select where you want the backup saved:

• ESM — It is saved on the ESM and accessed on the File Maintenance page.

• Remote Location — It is saved in the location you define in the fields that become active. If you are saving a copy of the ESM and all system data manually, you must select this option.

When you back up to a CIFS share, use a slash (/) in the remote path field.

Backup Now: Manually back up ESM settings and events, flows, and logs (if selected). Click Close when the backup is completed successfully.

Full Backup Now: Manually save a copy of the device settings and the system data. This can't be saved to the ESM, so you must select Remote Location in the Backup Location field and enter the location information.

We highly recommend that you make a full backup before any major version update to avoid data loss.

Using the Common Internet File System (CIFS) share type with Samba server versions greater than 3.2 can result in data loss.

Check ERC high availability status

Determine the status of a high availability (HA) ERC pair before performing an upgrade.

Before you begin

You must have Administrator privileges to complete this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select the primary ERC-HA device, then click the Properties icon.

2 In the Status and Secondary Status fields, verify that the status is OK; HA Status: online.

3 Secure shell, or SSH, to each of the HA ERCs and run the ha_status command from the command line interface on both ERCs. The resulting information shows the status of this ERC and what this ERC thinks the status of the other ERC is. It looks similar to this:

    OK
    hostname=McAfee1
    mode=primary
    McAfee1=online
    McAfee2=online
    sharedIP=McAfee1
    stonith=McAfee2
    corosync=running
    hi_bit=no

4 Verify the following in the status:

• The first line of the response is OK.

• Host name is the same as the host name on the command line minus the ERC model number.


• Mode is primary if the value of sharedIP is this ERC's host name; otherwise the mode is secondary.

• The next two lines show the host names of the ERCs in the HA pair and list the running status of each ERC. The status for both is online.

• corosync= shows the running status of corosync, which should be running.

• hi_bit is no on one ERC and yes on the other ERC.

Make sure that only one of the HA ERCs is set with the hi_bit value. If both HA ERCs are set to the same value, call McAfee Support before upgrading to correct this misconfigured setting.

5 Secure shell, or SSH, to each of the HA ERCs and run the ifconfig command from both ERCs.

6 Verify the following in the data that is generated:

• The MAC addresses on eth0 and eth1 are unique on both ERCs.

• The primary ERC has the shared IP address on eth1 and the secondary ERC has no IP address on eth1.

If both HA ERCs are set to the same value, call Technical Support before upgrading to correct this misconfigured setting.

This spot check ensures the system is functional and that no duplication of IP addresses exists, which means that the devices can be upgraded.
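The ha_status checks listed in step 4 can be applied to the output captured from both ERCs. This Python is an added example, not McAfee code; it assumes the key=value layout shown in step 3, treats any key not shown in that sample as an ERC host name, and uses a constructed sample for the secondary ERC.

```python
# Output from the guide's example (primary side).
PRIMARY_OUT = """\
OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no
"""

# Constructed sample for the other ERC in the pair.
SECONDARY_OUT = """\
OK
hostname=McAfee2
mode=secondary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee1
corosync=running
hi_bit=yes
"""

REQUIRED = ("hostname", "mode", "sharedIP", "corosync", "hi_bit")
KNOWN = set(REQUIRED) | {"stonith"}


def parse_ha_status(text):
    """Split ha_status output into (first_line, fields, peer_states)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    first = lines[0] if lines else ""
    fields, peers = {}, {}
    # Accept one key=value per line or several on one line.
    for token in " ".join(lines[1:]).split():
        key, sep, value = token.partition("=")
        if not sep:
            continue
        # Assumption: keys outside KNOWN are ERC host names with their state.
        (fields if key in KNOWN else peers)[key] = value
    return first, fields, peers


def check_node(text):
    """Apply the per-ERC checks from step 4; return a list of problems."""
    first, fields, peers = parse_ha_status(text)
    problems = []
    if first != "OK":
        problems.append(f"first line is {first!r}, expected 'OK'")
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
        return problems
    host = fields["hostname"]
    expected = "primary" if fields["sharedIP"] == host else "secondary"
    if fields["mode"] != expected:
        problems.append(f"{host}: mode={fields['mode']} but sharedIP="
                        f"{fields['sharedIP']} implies {expected}")
    if len(peers) != 2:
        problems.append(f"{host}: expected 2 ERC status entries, "
                        f"found {len(peers)}")
    for name, state in peers.items():
        if state != "online":
            problems.append(f"{host}: reports {name}={state}, expected online")
    if fields["corosync"] != "running":
        problems.append(f"{host}: corosync={fields['corosync']}, "
                        "expected running")
    return problems


def check_pair(out_a, out_b):
    """Check both ERCs, then that hi_bit is no on one and yes on the other."""
    problems = check_node(out_a) + check_node(out_b)
    bits = [parse_ha_status(o)[1].get("hi_bit", "") for o in (out_a, out_b)]
    if sorted(bits) != ["no", "yes"]:
        problems.append("hi_bit must be no on one ERC and yes on the other, "
                        f"got {bits}")
    return problems


if __name__ == "__main__":
    issues = check_pair(PRIMARY_OUT, SECONDARY_OUT)
    print("HA pair ready for upgrade" if not issues else "\n".join(issues))
```

The host name comparison against the command prompt and the ifconfig checks in steps 5 and 6 are not covered here and still need to be verified by hand.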

Special upgrade scenarios

In special situations, you must take additional steps before or after upgrading.

Situation / Action

Installing a new McAfee ESM model: Register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive upgrades.

To get your permanent user name and password, email [email protected] the following information:

• McAfee grant number

• Account name

• Address

• Contact name

• Contact email address

Obtaining offline rule updates:

    1 Go to Product Downloads, Free Security Trials & Tools.

    2 In the upper right corner, click Download, enter your grant number, type the letters displayed, then click Submit. Go.

    3 Select the user type/role, then I can select the software to download.

    4 Read the license agreement, then click I Agree. The available update files appear by each ESM version.

    5 Download the rules for the version of your ESM.


Resolving device communication issues: If you upgraded a McAfee device before upgrading the ESM or the ESM is in the middle of upgrading, this message might appear: The device needs to be upgraded to 10.0.0 before the operation can be performed. Verify that the ESM has the correct version.

    1 On the ESM console, select the device in the system navigation tree, then click the Properties icon.

    2 Click Connection, then click Status.

    3 Retry the operation that resulted in the message.

Upgrading a redundant ESM: Upgrade the primary ESM first, then upgrade the redundant ESM.

    1 On the primary ESM, select the ESM on the navigation tree and click the Properties icon.

    2 Click Events, Flows & Logs and deselect Auto check interval.

    3 After upgrading the redundant ESM, re-enable the collection of events, flows, and logs on the primary ESM.

McAfee ePO with Policy Auditor: If the McAfee ePO device is already on the ESM, you must refresh it.

    1 If you are not on an all-in-one device, upgrade the Receiver where the McAfee ePO device is connected.

    2 On the ESM console, click ePO Properties | Device Management, then click Refresh.

    You can set up auto-retrieval on the Device Management tab.

    3 Click Receiver Properties, then click the Vulnerability Assessment tab.

    4 Click Write.

    5 Repeat step 2 to get VA data on the ESM.

    6 Log off the ESM console, then log back on.

Upgrading High Availability (HA) Receivers: Before you upgrade, set your preferred primary Receiver to No Preference, which allows you to use the Fail-Over option.

The upgrade process requires the user to upgrade the secondary Receiver, click Fail-Over, then upgrade the new secondary Receiver. In this way, a primary Receiver is collecting data throughout the process, ensuring minimal data loss. After you upgrade both Receivers, reapply your preferred primary Receiver.


Rebuilding the ELM management database: Indexing your ELM management database might require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete the indexing.

But this background task minimally impacts your performance and, when complete, provides improved querying on your historical data.

To check the status of the rebuild, go to ELM Properties | ELM Information. If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.

If you have Receivers logging to the ELM and they are near maximum capacity, contact Technical Support.

Upgrading a redundant ELM: Upgrade the standby ELM first, then upgrade the active ELM.

Never power off a device during a rebuild.

The upgrade process suspends the ELM redundancy. After upgrading both ELMs, you must restart the ELM redundancy.

    1 Upgrade the standby ELM.

    2 Upgrade the active ELM.

    3 On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy, then click Return to Service.

    4 Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.

    5 If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK, redundant ELM resync is 100% complete. You might need to click Refresh several times.

Download the upgrade files

When the system is ready to upgrade, download the upgrade files to your local system.

Task

1 Go to the McAfee Product Downloads website and enter your customer grant number in the Download My Products field. Then, click Search.

2 Select the device you want to upgrade.

3 Select the correct link (MFE <device name> v10.0.0), read the McAfee license agreement, then click I Agree.

4 Download these files to your local system:

Device type / File name

• McAfee Enterprise Security Manager (ESM or ETM): ESS_Update_10.0.0.signed.tgz

• McAfee Enterprise Security Manager and Log Manager (ENMELM or ESMREC): ESSREC_Update_10.0.0.signed.tgz

• McAfee Event Receiver (ERC or ELMERC): RECEIVER_Update_10.0.0.signed.tgz


• McAfee Database Event Monitor (DEM): DBM_Update_10.0.0.signed.tgz

• McAfee Advanced Correlation Engine (ACE): RECEIVER_Update_10.0.0.signed.tgz

• McAfee Application Data Monitor (ADM): APM_Update_10.0.0.signed.tgz

• McAfee Enterprise Log Manager (ELM): RECEIVER_Update_10.0.0.signed.tgz

  ELM devices must be version 9.6 or later before upgrading to 10.0.0.

• McAfee Enterprise Log Search (ELS): RECEIVER_Update_10.0.0.signed.tgz

These files are now ready to be used to upgrade your ESM and devices.

Upgrade the software on a device

If the software on your device is out of date, upload a new version of the software from a file on the ESM or your local computer.

Before you begin

If you have had your system for more than 30 days, you must obtain and install your permanent credentials to access the updates.

If you must comply with Common Criteria and FIPS regulations, do not upgrade the ESM in this way. Call Technical Support to obtain a FIPS certified update.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select a device, then click the Properties icon.

2 Click device Management | Update Device.

3 Select an update from the table or click Browse to locate the update software on your local system.

The device restarts with the updated software version.

Table 7-2 Option definitions

Option / Definition

File Name: Select one of the updates listed.

Browse: Browse to a file obtained from a McAfee security engineer or from the McAfee rules and updates server.

OK: If you are updating a device using the device management Update Device option, this starts the update process. If you are updating multiple devices using the Multi-Device Management option, this returns you to the Multi-Device Management page.


Upgrade the system

Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.

Before you begin

• Review Preparing to upgrade and Special upgrade situations.

• Make sure that your system is running version 9.6 or later.

• If you recently upgraded to 9.6, verify that the database rebuild is complete.

When upgrading, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.

Task

1 Depending on your FIPS mode, upgrade all devices in the following order.

For details about upgrading the ESM and devices, see Upgrade ESM, ESMREC, or ENMELM and Upgrade devices.

Mode / Order

Non-FIPS:

    1 Upgrade the ESM first, then the ESMREC or ENMELM.

    2 Wait for the database to build.

    3 Upgrade the ELM or ELMERC.

    4 Upgrade the Event Receiver, ACE, DEM, and ADM.

    This process is different if you are upgrading a redundant ESM.

FIPS:

    1 Upgrade the ELM or ELMERC.

    2 Upgrade the Event Receiver, ACE, DEM, and ADM.

    3 Upgrade the ESM, ESMREC, or ENMELM. You can begin when all device upgrades start.

    Failure to upgrade the devices before upgrading the ESM when in FIPS mode can affect ELM log collection.

2 Verify that you have communication with the devices.

3 Download the manual rules update to the ESM.

4 Apply the updated rules.

a On the system navigation tree, select the system, then click the Properties icon.

b On the System Information page, click Rules Update, then click Manual Update.

c Browse to the update file, click Upload, then click OK.


5 Follow this process to rewrite device settings for each device, so that all 10.0.0 settings are applied.

a On the ESM console, select the device in the system navigation tree, then click the Properties icon.

b Follow these steps for each device.

Device type / Process

Event Receiver or ESM/Event Receiver combo:

• For data sources: Click Data Sources | Write.

• For VA sources: Click Vulnerability Assessment | Write.

ACE:

• For risk correlation: Click Risk Correlation Management | Write.

• For historical correlation: Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.

• For rule correlation: Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.

DEM or ADM:

• For virtual devices (ADM): Click Virtual Devices | Write.

• For database servers: Click Database Servers | Write.

6 Roll out the policy to all upgraded devices.

7 To take the selected device out of bypass mode, click Device Configuration | Interfaces.

8 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).

Upgrade ESM, ESMREC, or ENMELM

When your system is ready, upgrade your ESM, ESMREC, or ENMELM.

Before you begin

• Complete the steps in the Instructions for upgrading section.

• Verify that all devices attached to the ESM are supported.

Task

1 On the ESM console, select the ESM device, then click the Properties icon.

2 Select ESM Management, then click Update ESM.

3 On the Select Software Update File page, browse to one of these files.

Device type / File

• Standalone McAfee Enterprise Security Manager (ESM): ESS_Update_10.0.0.signed.tgz

• McAfee Enterprise Security Manager with a built-in Receiver (ESMREC): ESSREC_Update_10.0.0.signed.tgz

• McAfee Enterprise Security Manager with a built-in Receiver and McAfee Enterprise Log Manager (ENMELM), also known as a Combination Box: ESSREC_Update_10.0.0.signed.tgz


4 Select the file, then click Upload.

You are informed that the ESM restarts and there is a loss of connection for all users.

5 Click Yes to continue, and when prompted to close the browser, click OK.

The upgrade begins, and can take several hours.

6 When the upgrade is complete, log back on to the console through a new browser session.

Upgrade HA Receivers

The Receiver-HA upgrade process upgrades both Receivers sequentially, starting with the secondary Receiver.

Before you begin

Before starting the upgrade process, complete the Check Receiver high availability status process to make sure that the Receiver-HA devices are ready to be upgraded. Failure to do so can result in problems with the device upgrade and downtime.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the system navigation tree, select the Receiver-HA device, then click the Properties icon.

2 Upgrade the secondary Receiver:

a Click Receiver Management, then select Secondary.

b Click Update Device, then select or browse to the file you want to use and click OK.

The Receiver restarts and the version of software is updated.

c On Receiver Properties, click High Availability | Return to Service.

d Select the secondary Receiver, then click OK.

3 Change the secondary Receiver to primary by clicking High Availability | Fail-Over.

4 Upgrade the new secondary Receiver by repeating step 2.

Available VA vendors

The ESM can integrate with these VA vendors.

VA vendor / Version

• Digital Defense Frontline: 5.1.1.4

• eEye REM (REM events server): 3.7.9.1721


eEye Retina 5.13.0, Audits: 2400

The eEye Retina VA source is like the Nessus data source. You can use scp, ftp, nfs, or cifs to grab the .rtd files. You must manually copy the .rtd files to an scp, ftp, or nfs share to pull them. The .rtd files are normally located in the Retina Scans directory.

McAfee Vulnerability Manager 6.8, 7.0

Critical Watch FusionVM 4-2011.6.1.48

LanGuard 10.2

Lumension Support PatchLink Security Management Console 6.4.5 and later

nCircle 6.8.1.6

Nessus Support Tenable Nessus versions 3.2.1.1 and 4.2 and file formats NBE, .nessus (XMLv2), and .nessus (XMLv1); also, OpenNessus 3.2.1 XML format

NGS

OpenVAS 3.0, 4.0

Qualys

Rapid7 Nexpose — Recommended VA partner vendor

Rapid7 Metasploit Pro — Recommended VA partner vendor 4.1.4-Update 1, file format XML

You can deduce the severity of a Metasploit exploit that starts with the name Nexpose by adding a Rapid7 VA source to the same Receiver. If it can't be deduced, the default severity is 100.

Saint

GFI Languard

NGS SQuirrel

iScan Online?

Tripwire/nCircle IPS360?


A Alternative installation scenarios

Use this information to configure specific adapters and other important information.

Contents

• Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS

• Install DAS

• Common Criteria evaluated configuration

• Regulatory notices

Install the qLogic 2460 or 2562 SAN adapters on the ELM or ELS

The qLogic QLE2460 is a single Fibre Channel PCIe x4 adapter, rated at a transfer rate of 4-GB. The QLE2562 is a single Fibre Channel PCIe x8 adapter, rated at 8 GB. They can connect directly to the SAN device or through a SAN switch.

Before you begin

• Make sure that the SAN device or SAN switch you are attaching to auto-negotiates.

• Make sure that the SAN administrator allocates and creates space on the SAN and assigns it to the channel where the qLogic adapter is attached. Use the World Wide Port Name (WWPN) for the adapter. The WWPN is on the adapter's card, anti-static bag, and box.

Task

1 Turn off the device where you are installing the SAN adapter.

2 Insert the adapter, then place the device back on the rack and connect the cables.

For a 3U device, insert the adapter in the slot closest to the protective memory cover.

The adapter BIOS boot message informs you that the adapter is installed and functioning. If you do not see this message or if the card does not have red, yellow, or green lights, the card is not recognized. If so, make sure that the card is seated correctly or insert it into a different PCI slot.

3 Start the device.

The operating environment detects it and loads the QLAXXX driver. The Mounting Storage Facilities message displays OK and continues.

4 Using the ESM console, key the device.

When the device is keyed, the Properties page includes the SAN Volumes option.


Install DAS

The direct attached storage (DAS) adapter is an add-on device to a 4xxx/5xxx/6xxx series ESM or ELM.

The DAS unit ships with a chassis and an LSI 9280-8e RAID card for:

• ETM-5205

• ETM-5510

• ETM-5600

• ETM-5750

• ETM-6000

• ETM-X3

• ETM-X4

• ETM-X5

• ETM-X6

• ESMREC-5205

• ESMREC-5510

• ENMELM-4600

• ENMELM-5205

• ENMELM-5510

• ENMELM-5600

• ENMELM-6000

• ELM-4600

• ELM-5205

• ELM-5510

• ELM-5600

• ELM-5750

• ELM-6000

• ELS-<TBD>

You can add a DAS (50 TB or 100 TB) to provide additional storage. These instructions are the same for ESM, ELM, or ELS chassis.

Task

1 Turn off the device following a normal shutdown procedure.

2 Pull the device from the rack and open the top case. You might need to remove a small screw at the front or rear of the top case.

3 Depending on your chassis, install the DAS card in one of these slots.

• For 1U or 3U, install LSI 9280-4e RAID card in slot 4

• For 2U, install LSI 9280-4e RAID card in slot 1

4 Depending on your chassis, install the DAS cables into these slots:

• For ESM, ELM, or ELS, insert cables into slots 1 and 2 of the card.

• For DAS, insert cables into slots 1 and 3 of the card.

5 Install the LSI 9280-8e RAID card in slot 4 of the ESM.

• For devices with an orange face, if the Areca or 3Ware RAID card is in slot 4, move it to slot 6. If the McAfee ESM device has an Areca or 3Ware RAID card and also has an SSD card installed, install the LSI 9280-8e RAID card in slot 5.

• For devices with a black face, install the card in an open slot.

6 Insert power cables, then turn on the device.

7 Enter BIOS utility and look for the LSI 9280-8e RAID card BIOS utility.

8 Exit the BIOS utility and verify the DAS disk space with the command: df -h


On System Properties of the ESM console, the Hardware field on the System Information tab reflects the increased size of the hard drive labeled /data_hd.
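A scripted version of the step 8 check, as an added example that is not part of the McAfee guide: it compares df snapshots taken before and after the DAS installation and reports how much /data_hd grew. It assumes /data_hd is the mount point that df reports for the data volume, and the df output embedded in the script is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the guide): measure how much /data_hd grew after a DAS install.
# Assumption: /data_hd is the mount point that df reports for the data volume.
# Capture real snapshots with:  df -Pk > before.txt   (and again after step 8)

# Constructed sample snapshots in POSIX `df -Pk` format (sizes in 1 KiB blocks).
BEFORE_DF='Filesystem     1024-blocks       Used   Available Capacity Mounted on
/dev/sda1         20971520    5242880    15728640      25% /
/dev/sdb1       3670016000  917504000  2752512000      25% /data_hd'

AFTER_DF='Filesystem     1024-blocks       Used   Available Capacity Mounted on
/dev/sda1         20971520    5242880    15728640      25% /
/dev/sdb1      57357107200  917504000 56439603200       2% /data_hd'

# size_gib DF_TEXT MOUNT
# Prints the size of MOUNT in whole GiB; exit status 1 if MOUNT is not listed.
size_gib() {
    printf '%s\n' "$1" | awk -v m="$2" '
        NR > 1 && $NF == m { print int($2 / 1048576); found = 1 }
        END { exit !found }'
}

# das_growth_gib BEFORE AFTER [MOUNT]
# Prints the growth of MOUNT in GiB. Status 2: mount missing from a snapshot
# (volume not mounted). Status 1: size did not increase (DAS not visible).
das_growth_gib() {
    mnt=${3:-/data_hd}
    before=$(size_gib "$1" "$mnt") || { echo "$mnt missing from first snapshot" >&2; return 2; }
    after=$(size_gib "$2" "$mnt") || { echo "$mnt missing from second snapshot" >&2; return 2; }
    echo $((after - before))
    [ "$after" -gt "$before" ]
}

# Demo on the constructed data: 54700 GiB - 3500 GiB
das_growth_gib "$BEFORE_DF" "$AFTER_DF"
```

A status of 1 or 2 after the installation is the cue to recheck the RAID card BIOS utility (step 7) and the cabling before putting the device back into service.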

Common Criteria evaluated configuration

The McAfee device needs to be installed, configured, and operated in a specific way to be in compliance with the Common Criteria evaluated configuration. Consider these requirements when you are setting up your system.

Type Requirements

Physical and virtual machine

The McAfee device must be:

• Protected from unauthorized physical modification.

• Located in controlled access facilities, which prevent unauthorized physical access.

Intended usage

The McAfee device must:

• Have access to all network traffic so that it can perform its functions.

• Be managed to allow for address changes in the network traffic that the Target of Evaluation (TOE) monitors.

• Be scaled to the network traffic that it monitors.

Personnel

• There must be one or more competent individuals assigned to manage the McAfee device and the security of the information it contains. Onsite assistance with installation and configuration and onsite training for the operation of the device is provided by McAfee engineers for each McAfee customer.

• The authorized administrators are not careless, willfully negligent, or hostile, and follow and abide by the instructions provided by the McAfee device documentation.

• Only authorized users can access the McAfee device.

• Those responsible for the McAfee device must ensure that all access credentials are protected by users in a manner that is consistent with IT security.

Other

• Do not apply software updates to the McAfee device because it results in a configuration other than the Common Criteria-evaluated configuration. Contact Technical Support to obtain a certified update.

• Enabling the Login Security feature with a RADIUS server results in secure communication. The IT environment provides for secure transmission of data between the TOE and external entities and external sources. A RADIUS server provides external authentication services.

• Using the Smart Dashboard functionality of the Check Point firewall console is not part of the TOE.

• Using Snort Barnyard is not part of the TOE.

• Using the MEF Client is not part of the TOE.

• Using the Remedy Ticket System is not part of the TOE.

Regulatory notices

This regulatory information applies to the different platforms you might use.


Table A-1 SuperMicro-based platforms

McAfee 1U

Electromagnetic emissions FCC Class B, EN 55022 Class B, EN 61000-3-2/-3-3, CISPR 22 Class B

Electromagnetic immunity EN 55024/CISPR 24, (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11) 55024

Safety EN 60950/IEC 60950-Compliant, UL Listed (USA), CUL Listed (Canada), TUV Certified (Germany), CE Marking (Europe)

McAfee 2U or 3U

Electromagnetic emissions FCC Class B, EN 55022 Class B, EN 61000-3-2/-3-3, CISPR 22 Class B

Electromagnetic immunity EN 55024/CISPR 24, (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11) 55024

Safety EN 60950/IEC 60950-Compliant, UL Listed (USA), CUL Listed (Canada), TUV Certified (Germany), CE Marking (Europe)

Table A-2 DAS-based platforms

DAS-50, DAS-100

Input voltage 100/240 VAC

Input frequency 50/60 Hz

Power supply 1400 W X3

Power consumption 472W@120VAC, 461W@240VAC

Amps (Max) 9.4A

Altitude (Max) –45 to 9,500 feet

Temperature (Max) 10º to 35º C (operating), –40º to 70º C (non-operating)

Altitude –45 to 9500 feet (operating) –45 to 25,000 feet (non-operating)

BTU BTU/HR 1609

Humidity Operating — 10% to 85% (non-condensing), non-operating — 10% to 90%

Table A-3 Intel-based platform 1U

Parameter Limits

Operating temperature +10° C to +35° C with the maximum rate of change not to exceed 10° C per hour

Non-operating temperature –40° C to +70°

Non-operating humidity 90%, non-condensing at 35° C

Acoustic noise Sound Power: 7.0 BA in an idle state at typical office ambient temperature (23 ± 2 degrees C)


Shock, operating Half sine, 2-g peak, 11 msec

Shock, unpackaged Trapezoidal, 25 g, velocity change 136 inches/sec (≧ 40 lbs to > 80 lbs)

Shock, packaged Non-palletized free fall in height 24 inches (≧40 lbs to > 80 lbs)

Shock, operating Half sine, 2-g peak, 11 mSec

Vibration, unpackaged 5 Hz to 500 Hz, 2.20 g RMS random

ESD ±12 kV for air discharge and 8 K for contact

System cooling requirement in BTU/Hr 1660 BTU/hour

Table A-4 Intel-based platform 2U

Parameter Limits

Temperature Operating

• ASHRAE Class A2 — Continuous operation. 10°C to 35°C (50°F to 95°F) with the maximum rate of change not to exceed 10°C per hour.

• ASHRAE Class A3 — Includes operation up to 40°C for up to 900 hrs per year

• ASHRAE Class A4 — Includes operation up to 45°C for up to 90 hrs per year

Shipping –40°C to 70°C (–40°F to 158°F)

Altitude (Operating) Support operation up to 3050 m with ASHRAE class deratings

Humidity (Shipping) 50% to 90%, non-condensing with a maximum wet bulb of 28°C (at temperatures from 25°C to 35°C)

Shock Operating Half sine, 2 g, 11 mSec

Unpackaged Trapezoidal, 25 g, velocity change is based on packaged weight

Packaged Product Weight: ≥ 40 to < 80

Non-palletized free fall height = 18 inches

Palletized (single product) free fall height = NA

Vibration 5 Hz to 500 Hz, 2.20 g RMS random

Packaged 5 Hz to 500 Hz, 1.09 g RMS random

AC-DC Voltage 90 Hz to 132 V and 180 V to 264 V

Frequency 47 Hz to 63 Hz

Source Interrupt No loss of data for power line drop-out of 12 mSec

Surge non-operating and operating Unidirectional


B Enabling FIPS mode

The Federal Information Processing Standard (FIPS) consists of publicly announced standards developed by the United States Federal government. If you are required to meet these standards, you must operate this system in FIPS mode.

FIPS mode must be selected the first time you log on to the system and can't be changed later.

Select FIPS mode

The first time you log on to the system you are prompted to select whether you want the system to operate in FIPS mode. Once this selection is made, it can't be changed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 The first time you log on to the ESM:

a In the Username field, type NGCP.

b In the Password field, type security.4u.

You are prompted to change your password.

2 Enter and confirm your new password.

3 On the Enable FIPS page, click Yes.

The Enable FIPS warning displays information requesting confirmation that you want this system to operate in FIPS mode permanently.

4 Click Yes to confirm your selection.
