Network Security Platform 8.2 XC Cluster Administration Guide

Revision C
McAfee Network Security Platform 8.2
COPYRIGHT
Copyright © 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation
  What's in this guide

1 Overview
  XC-240 load balancer
  M-8000XC Sensors

2 XC clustering mechanism
  Port configuration
    In-line mode
    Span mode
    Tap mode
  Sensor redundancy (N+1)
  XC-240 high availability
  Sensor failure detection
  CRC forwarding
  Jumbo packet forwarding
  Link fault detect
  XC cluster management
  McAfee® Network Threat Behavior Analysis support
  SNMP v3 support
  Manager Disaster Recovery (MDR)
  Modes of operation
    XC-240 high availability
    XC-240 standalone

3 Set up the XC-240 load balancer
  XC-240 key features
  XC-240 physical description
    Front panel
    Rear panel
  Install XC-240
    Usage restrictions
    Safety measures
    Unpack and inspect XC-240
    Position the XC-240
  Connect power to XC-240
    Install the power supply
    Remove the power supply
    Turn on the XC-240
    Turn off the XC-240
  Install the Small Form-factor Pluggable (SFP+) modules
    Install an SFP+ module
    Remove an SFP+ module
  Connect the XC-240 cables
    Connect the cable to the Console port
    Connect the cable to the management port
    Connect the cable to the monitoring port
    Connect the cable to the Sensor ports
    Connect cables for in-line fail-close mode
    Connect cables for in-line fail-open mode
    Connect cables for tap mode
    Connect cables for SPAN or hub mode
  Configure the XC-240 device
    Log on to the command line interface
    Change the logon password
    Assign a new IP address, netmask, and gateway IP address
    Define the mode of operation
    Enable SNMP

4 Set up the M-8000XC Sensors
  Cable the NTBA appliance

5 XC clustering in the McAfee® Network Security Manager
  Create XC clusters
    Add XC-240 load balancers
    Add M-8000XC Sensors
    Add XC Clusters
  Manage XC clusters
    Edit an XC Cluster
    Delete an XC Cluster
    View details of an XC cluster
    Configure XC-240 Monitoring and Sensor ports
    Configure M-8000XC Sensors
    Port clustering
    Reports
    Threat Analyzer
    Update XC cluster configuration
    Manage NTBA devices

6 XC-240 command line interface commands
  bypass
  capture
  config export, import
  date
  device
  help
  history
  ha set
  ha config_resync
  ha show
  image
  inet6_ping
  lbg
  logout
  pg set
  pg show
  ping
  port set
  port show
  snmp
  stats
  sysip
  syslog
  system
  time
  upgrade
  user
  util show
  quit or exit
  !

7 Limitations

8 Troubleshooting tips

9 Technical specifications

Index
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
Contents
About this guide
Find product documentation
What's in this guide
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who use the computer where the software is running and can access some or all of its features.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge
Center.
Task
1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.
2 In the Knowledge Base pane, click a content source:
  • Product Documentation to find user documentation
  • Technical Articles to find KnowledgeBase articles
3 Select Do not clear my filters.
4 Enter a product, select a version, then click Search to display a list of documents.
What's in this guide
This guide contains the information necessary to set up the XC cluster, including guidance on
cabling, configuring, and troubleshooting the XC cluster. See the Related Documents
section for a list of other product documentation that covers topics ranging from planning and
deployment to best practices for your environment.
1 Overview
An XC Cluster in McAfee® Network Security Platform, comprising an XC-240 Load Balancer and
M-8000XC Sensors, functions like a single virtual Sensor. The XC Cluster handles traffic at wire-speed
and efficiently inspects, detects, and prevents intrusions, misuse, denial of service (DoS) attacks, and
distributed denial of service (DDoS) attacks with a high degree of accuracy. It enables high traffic
loads to be processed by distributing the traffic flow to multiple Sensors to avoid congestion, providing
a maximum throughput of 80 Gbps.
XC Clusters also support High Availability deployment monitoring traffic with no loss of session state or
degradation of protection level. An XC Cluster can be configured in both the Intrusion Detection
System (IDS) and Intrusion Prevention System (IPS) modes.
XC Clusters are flexible enough to adapt to the security needs of any enterprise environment. When
deployed at key network access points, they provide real-time monitoring on high traffic loads to
detect malicious activity and respond to the malicious activity as configured by the administrator.
Once deployed, XC Clusters are configured and managed through the command line and the McAfee
Network Security Manager (Manager).
For more information on the M-8000XC Sensors, see the McAfee Network Security Platform M-8000XC
Sensor Product Guide.
Contents
XC-240 load balancer
M-8000XC Sensors
XC-240 load balancer
The McAfee Network Security Platform XC-240 Load Balancer device is a high performance traffic
access device for load balancing. It enables high traffic loads on 10 GB links to be processed by
distributing the traffic to multiple Sensors. It also increases visibility by providing remote monitoring
(RMON) statistics for the traffic flowing through each of its ports. The XC-240 is the ideal solution for
load balancing traffic at 10 Gbps.
The XC-240 device consists of 24 ports. 16 Monitoring ports are configured to receive traffic from the
network. These ports are labeled on the device as 8 port pairs: 1A and 1B, 2A and 2B, 3A and 3B, 4A
and 4B, 5A and 5B, 6A and 6B, 7A and 7B, 8A and 8B.
8 Sensor ports are to be connected to M-8000XC Sensors. These ports are labeled on the device in the
series S1, S2, S3, S4, S5, S6, S7, S8.
When deployed in the High Availability mode, port S8 is reserved for connecting the secondary XC-240.
Fiber SFP+ modules are installed in the ports.
The XC-240 consists of a Management port which is used for communication with the Manager server
and a Console port, which is used to set up and configure the XC-240 using the Command Line
Interface. The XC-240 provides dual power supplies.
The XC-240 can be configured to load balance traffic in the in-line fail-open, in-line fail-close, span or
tap modes by distributing traffic to multiple Sensors.
See also
Set up the XC-240 load balancer
Modes of operation
M-8000XC Sensors
The primary function of an M-8000XC Sensor is to analyze traffic on selected network segments and to
respond when an attack is detected. The Sensor examines the header and data portion of every
network packet, looking for patterns and behavior in the network traffic that indicate malicious
activity. The Sensor examines packets according to user-configured policies, or rule sets, which
determine what attacks to watch for, and how to respond with countermeasures if an attack is
detected.
If an attack is detected, a Sensor responds according to its configured policy. A Sensor can perform
many types of attack responses, including generating alerts and packet logs, resetting TCP
connections, scrubbing malicious packets, and even blocking attack packets entirely before they reach
the intended target.
The XC-240 is connected to any 10G monitoring port of the M-8000XC Sensor.
For more information on the M-8000XC Sensors, see the McAfee Network Security Platform M-8000XC
Sensor Product Guide.
For more information on the features and functions of the Sensors, see the McAfee Network Security
Platform customer documentation.
See also
Set up the M-8000XC Sensors
2 XC clustering mechanism
Figure 2-1 A typical XC Cluster configuration
The front panel of the XC-240 Load Balancer consists of 16 Network Monitoring ports. These ports are
connected to various network devices and act as access ports, receiving network traffic and directing it
to the appropriate Sensor ports. There are 8 Sensor ports, which can be connected to a maximum of
8 M-8000XC Sensors to which the traffic is load balanced. The Sensor ports act as
trunk ports and the traffic flow is distributed over the connected Sensors. These ports are not
configurable. The number of Sensors configured is determined by the aggregate throughput
requirement. Port S8 is reserved for the secondary XC-240 when deployed in the High Availability
mode.
By default, the XC-240 is configured in the in-line fail-close mode. Consider the following example of
traffic flow in the in-line fail-close mode:
If switch A (source) is connected to port 1A of the XC-240 then switch B (destination) is connected to
port 1B. The traffic is received on port 1A. The data packets are directed to a particular Sensor port
(assume S2 in this case). After the Sensor inspects the data packet, based on the configured policies,
it either drops the data packet or redirects it to port 1B of the XC-240 through the same Sensor port,
that is, S2. The data packet is directed to the destination, Switch B, through port 1B.
By default, the XC-240 allocates the ARP traffic to the first Sensor configured in the XC Cluster.
Data packets with the same source and destination IP addresses are allocated to the same Sensor.
Contents
Port configuration
Sensor redundancy (N+1)
XC-240 high availability
Sensor failure detection
CRC forwarding
Jumbo packet forwarding
Link fault detect
XC cluster management
McAfee® Network Threat Behavior Analysis support
SNMP v3 support
Manager Disaster Recovery (MDR)
Modes of operation
Port configuration
In an XC Cluster, traffic can be monitored in the in-line fail-open, in-line fail-close, span or tap modes.
Each monitoring port pair on the XC-240 can be configured to monitor traffic in any of these
modes.
By default, the XC-240 is deployed in the in-line fail-close mode.
The ports can be configured through the Manager.
For more information, see the McAfee Network Security Platform IPS Administration Guide.
See also
Set up the XC-240 load balancer
XC-240 command line interface commands
In-line mode
This mode deploys the XC-240 directly in the network traffic path, inspecting all traffic at wire-speed
as it passes through it. In-line mode enables you to run the XC-240 in a protection/prevention mode,
where packet inspection is performed in real time, and intrusive packets can be dealt with
immediately; you can actively drop malicious packets because the XC-240 is physically in the path of
all network traffic. This enables you to actually prevent an attack from reaching its target.
By default the XC-240 is configured in the in-line mode. The ports are configured in pairs (explained
above) and can be fail-close or fail-open.
In the in-line mode if one port is down, the peer port is also down. This ensures that if two external
switches are connected to each other through an XC-240 port pair then the operational state of one
switch is communicated to the other switch by the XC-240. For example, if switch A is connected to 1A
and switch B is connected to 1B, when switch B goes down switch A can sense that its peer switch has
gone down. This is true for in-line network ports which are administratively enabled.
Fail-open and fail-close
XC-240 ports deployed in in-line mode have the option of failing open or closed. When the 10 gigabit
optical monitoring ports on the XC-240 fail open, traffic continues to flow. Thus, even if the ports
fail, the XC-240 does not become a bottleneck; however, monitoring ceases, which may allow bad
traffic to impact systems in your network. When ports are configured to fail closed, the XC-240 does
not allow traffic to continue to flow, so the failed ports become a bottleneck, stopping all traffic at
the XC-240. The ports can be configured through the Manager.
Active fail-open operation for the monitoring port pairs requires the use of an optional external Bypass
Switch provided in the McAfee 10 gigabit Optical Active Fail-Open Bypass Kit (the Kit) for McAfee
Network Security XC-240 device with standard 10 gigabit Small Form Factor Pluggable Module (XFP)
monitoring ports. The Kit contains an Optical Bypass Switch and all the connecting components to
connect the switch to the monitoring ports of the Sensor.
During normal XC-240 in-line fail-open operation, the Active Fail-Open Kit sends a heartbeat signal to
the monitoring port pair. If the Active Fail-Open Kit does not receive heartbeat signals within its
programmed interval, the Active Fail-Open Kit removes the XC-240's monitoring port pair from the
data path, providing continuous data flow.
For setting up the fail-open kit and connecting it to the XC-240 device, see the McAfee Network
Security Platform 10 GB optical Active Fail Open Bypass Kit guide.
See also
Configure XC-240 Monitoring and Sensor ports
Span mode
This mode deploys the XC-240 in the IDS mode. The SPAN port on a network switch is designed
specifically for security monitoring so that the XC-240 receives a copy of every single packet that is
sent from one host to another through the switch.
For example, data copies received on port 3A of the XC-240 are directed to a Sensor port (let's
assume port S1). The SPAN mode is passive; the Sensor essentially sees malicious traffic as it passes.
You cannot prevent attacks from reaching their target. You can issue response packets through the
XC-240's response ports. The Monitoring port which receives the traffic acts as the response port.
The SPAN port forwards all incoming and outgoing traffic within the switch to a predetermined port.
Tap mode
This mode deploys the XC-240 in the IDS mode. It works through installation of an external fiber tap
or built-in internal taps. The monitoring ports are configured in pairs. For example, ports 1A and 1B
are connected to the external tap. The tap is connected to the network devices. An XC-240 deployed in
tap mode monitors the packet information. Like SPAN mode, Tap mode is passive; the Sensor
essentially sees malicious traffic as it passes. You cannot prevent attacks from reaching their target. In
the Tap mode you can issue response packets through the XC-240's response ports. The Monitoring
port which receives the traffic acts as the response port.
The XC-240 monitoring ports are configured in pairs. For example, if 1A is configured in in-line
fail-open/in-line fail-close/span/tap mode then 1B would also work in the same mode. However, port
pairs can be configured in different modes, for example if 1A and 1B are in span mode then 2A and 2B
can be configured in the tap mode.
Sensor redundancy (N+1)
Sensor redundancy is supported in an XC Cluster. To configure redundancy, one of the Sensor ports on
the XC-240 is configured as the spare port using the lbg command. The redundant standby Sensor is
connected to the spare port. If one Sensor fails, the XC-240 diverts traffic to the standby Sensor,
which continues to monitor the traffic. The spare port can be static or dynamic:
• Static: when the failed Sensor recovers, it starts monitoring traffic and the active spare port becomes the spare port once again.
• Dynamic: when the failed Sensor recovers, the active spare port continues to monitor traffic and the port of the recovered Sensor becomes the spare port.
Sensor redundancy ensures that the network is always available even if the hardware fails.
Redundancy reduces lapses in service to employees and customers that may lead to loss of
productivity and revenue. XC Clusters are built to meet the needs of redundant networks. When
running them in-line fail-open or in-line fail-close, the option is available to you to use one Sensor as
standby.
When traffic is diverted from the primary to the spare Sensor or vice versa, fault messages are
generated in the Status page of the Manager.
See also
Modes of operation
XC-240 high availability
XC Clusters support High Availability deployment, using a standby XC-240 device. The standby
secondary XC-240 is connected to the primary XC-240 through port S8. If one XC-240 fails, the
standby XC-240 continues to load balance and monitor the traffic with no loss of session state or
degradation of protection level.
See also
Modes of operation
Sensor failure detection
In an XC Cluster, the XC-240 detects Sensor failure on the following conditions:
Link failure on the Sensor port — XC-240 constantly monitors the links attached to the Sensors. If
any links go down, XC-240 detects it as Sensor failure and either loops back the traffic or reallocates it
to the standby Sensor, if available. When the failed Sensor comes back online, traffic allocation to it is
resumed. In case of any Sensor link failure the Manager is informed and the port information on which
the link fails is displayed.
The heartbeat mechanism — The XC-240 sends heartbeat messages to the Sensor and expects a
response. For each Sensor, the XC-240 transmits Heartbeat packets out of each port. When a number of
Heartbeat packets have gone missing, it is treated as Sensor failure. This may be due to
oversubscription or software failure. In case of any fault detected at the Sensor side, an event is generated
and displayed on the Manager. Heartbeat packets continue to be issued to the Sensor, and when a
response is received again, the Sensor is considered up and traffic is returned to it.
The XC-240 continues to monitor link failure and send heartbeats even after a failure, to detect when
the Sensor comes up.
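The spare-port and failure-detection behaviour described in the Sensor redundancy (N+1) and Sensor failure detection sections, as an added Python model that is not part of the guide or of the XC-240 software. The class and method names, the SHA-256 hash over the unordered IP pair, and the threshold of 3 missed heartbeats are assumptions; the guide states only that the same IP pair goes to the same Sensor and that "a number of" missed heartbeats counts as a failure.

```python
import hashlib
import ipaddress

# Assumption: the guide only says "a number of" missed heartbeats; 3 is illustrative.
MISSED_HEARTBEATS_FOR_FAILURE = 3
LOOPBACK = "LOOPBACK"  # model's marker for traffic looped back without inspection


class LoadBalancingGroup:
    """Model of XC-240 Sensor ports with one N+1 spare (hypothetical, not vendor code)."""

    def __init__(self, active_ports, spare_port, spare_mode="static"):
        if spare_mode not in ("static", "dynamic"):
            raise ValueError("spare_mode must be 'static' or 'dynamic'")
        self.slots = list(active_ports)  # slots[i] = port carrying flow bucket i
        self.spare = spare_port          # idle spare port, or None while it is in use
        self.spare_mode = spare_mode
        self.up = {p: True for p in [*active_ports, spare_port]}
        self.missed = {p: 0 for p in self.up}
        self.displaced = {}              # failed port -> (bucket, stand-in port)
        self.events = []                 # stands in for Manager fault messages

    def bucket_for(self, src_ip, dst_ip):
        # Same IP pair -> same Sensor (from the guide). Sorting the pair so both
        # directions match, and SHA-256 as the hash, are assumptions of this model.
        a, b = sorted(int(ipaddress.ip_address(ip)) for ip in (src_ip, dst_ip))
        digest = hashlib.sha256(f"{a}|{b}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % len(self.slots)

    def port_for_bucket(self, bucket):
        port = self.slots[bucket]
        return port if self.up[port] else LOOPBACK

    def port_for(self, src_ip, dst_ip):
        return self.port_for_bucket(self.bucket_for(src_ip, dst_ip))

    def heartbeat(self, port, answered):
        """Record one heartbeat result; heartbeats keep going after a failure."""
        if answered:
            self.missed[port] = 0
            if not self.up[port]:
                self._recover(port)
        else:
            self.missed[port] += 1
            if self.up[port] and self.missed[port] >= MISSED_HEARTBEATS_FOR_FAILURE:
                self._fail(port, "heartbeats missed")

    def link_state(self, port, is_up):
        """Link loss on a Sensor port is treated as Sensor failure immediately."""
        if is_up and not self.up[port]:
            self._recover(port)
        elif not is_up and self.up[port]:
            self._fail(port, "link down")

    def _fail(self, port, reason):
        self.up[port] = False
        self.events.append(f"fault: Sensor on {port} failed ({reason})")
        self._cover_failed_buckets()

    def _recover(self, port):
        self.up[port] = True
        self.missed[port] = 0
        self.events.append(f"event: Sensor on {port} is up")
        if port in self.displaced:
            bucket, stand_in = self.displaced.pop(port)
            if self.spare_mode == "static":
                # Recovered Sensor takes its traffic back; the spare is spare again.
                self.slots[bucket], self.spare = port, stand_in
                self.events.append(f"fault: traffic returned {stand_in} -> {port}")
            else:
                # Dynamic: stand-in keeps the traffic; recovered port is the new spare.
                self.spare = port
        self._cover_failed_buckets()

    def _cover_failed_buckets(self):
        # Move any bucket whose Sensor is down onto the spare, if it is idle and healthy.
        for bucket, port in enumerate(self.slots):
            if not self.up[port] and self.spare is not None and self.up[self.spare]:
                self.displaced[port] = (bucket, self.spare)
                self.events.append(f"fault: traffic diverted {port} -> {self.spare}")
                self.slots[bucket], self.spare = self.spare, None


if __name__ == "__main__":
    lbg = LoadBalancingGroup(["S1", "S2", "S3"], "S4", spare_mode="dynamic")
    flow = ("10.0.0.5", "192.0.2.10")  # constructed sample addresses
    owner = lbg.port_for(*flow)
    for _ in range(MISSED_HEARTBEATS_FOR_FAILURE):
        lbg.heartbeat(owner, answered=False)
    lbg.heartbeat(owner, answered=True)
    print(lbg.port_for(*flow), lbg.spare, *lbg.events, sep="\n")
```

In the model, a bucket whose Sensor is down while no healthy spare is idle resolves to `LOOPBACK`, the guide's "loops back the traffic" case, which is the window where traffic passes uninspected.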
See also
Modes of operation
CRC forwarding
The XC-240 forwards data packets with CRC errors to the Sensors. These packets are then handled as
per Sensor configurations. By default, this feature is turned on; when turned off, the data packets are
dropped by the XC-240.
Jumbo packet forwarding
The XC-240 forwards jumbo packets (packets longer than the Ethernet standard maximum length of
1,518 bytes) to the Sensors. These packets are then handled as per Sensor configurations. By default,
this feature is turned on; when turned off, the jumbo packets are dropped by the XC-240.
Packets with more than 15,680 bytes are passed to the monitoring ports truncated at 15,680 bytes.
Packets with fewer than 64 bytes, the minimum packet size supported under the 802.3 Ethernet
standards, have unpredictable handling; they may be passed, dropped, or passed with padding to no
more than 64 bytes.
Link fault detect
The in-line fail-close and in-line fail-open port pairs on an XC-240 are configured for the Link Fault
Detect (LFD) feature to ensure that faults on one side of a network link are reflected on the other side
as well. With this feature, system resilience features like automatic activation of alternate paths are
preserved.
XC cluster management
XC-240 and M-8000XC Sensors are configured and managed using a command line interface that will
be familiar to most network administrators. The command line interface can be accessed locally over
an RS232 serial link, or remotely using a secure SSH connection. Some of the XC-240 configurations
can also be managed using the Manager.
See also
XC-240 command line interface commands
XC clustering in the McAfee® Network Security Manager
McAfee® Network Threat Behavior Analysis support
The McAfee Network Threat Behavior Analysis Appliance (NTBA Appliance) provides a graphic
configurable real-time view of network traffic.
The NTBA appliance gathers NetFlow data from across users, applications, hosts, network devices, and
stores them in an embedded database.
You can see real-time data and a moving profile of applications, hosts, zones, and interface traffic.
All this information is coalesced into a summary view in the Threat Analyzer of the Manager that can
be drilled down for detailed information.
Threat related events like host scans, port scans, worm attacks, new service / application, new host,
suspicious connection, DoS, P2P, and spambots can be tracked based on user-defined policies.
Real-time monitoring of network reduces the time needed to solve network related problems and helps
in identifying threats.
Questions such as why the network is slow, or which application has the maximum download impact, are
easily answered in a network that is monitored by the NTBA appliance.
The NTBA appliance does effective malware monitoring by detecting unauthorized reconnaissance
scanning by any infected laptops in the system that can spread worm traffic.
The NTBA appliance detects unauthorized applications, rogue web servers, and peer-to-peer
applications.
Each NTBA appliance is physically connected to any 1 GB port of an M-8000XC Sensor to receive
NetFlows. The physically connected port of the M-8000XC is configured as a NetFlow source.
The XC-240 ports attached to traffic are configured as monitoring ports. NetFlow is generated for the
traffic traversing through these ports.
For more information on NTBA, see the McAfee Network Security Platform NTBA Administration Guide.
SNMP v3 support
SNMP v3 is used to manage the XC-240 device through the Manager. The SNMPv3 user credentials are
configured in the XC-240 using the snmp commands. The same credentials are configured in the
Manager as well. The XC-240 implements the MIB objects that can be queried from Manager.
SNMPv3 traps are used to deliver asynchronous faults and events from the XC-240 to the
Manager.
See also
Enable SNMP on page 36
Manager Disaster Recovery (MDR)
The MDR architecture incorporates Manager to Manager communication, where two Manager servers
are deployed as part of the Network Security Platform XC Cluster. One host is configured as the
Primary system; the other as the Secondary. Each uses the same major release Manager software
with mirrored databases. A Load Balancer connected to an MDR pair maintains communication with
both Managers at all times. The Primary Manager synchronizes data with the Secondary Manager
every 15 minutes. However, the Primary and Secondary Managers receive system events from a Load
Balancer independently, and also store the events independently.
Load Balancer to Manager communication
Load Balancers in the XC Cluster are MDR-aware. Each Load Balancer must be configured with the IPs
of both the Primary and the Secondary Managers. SNMP traps must be created with information for
both the Primary and the Secondary Managers. This is achieved by configuring the Secondary
Manager's IP along with the port information using the snmp trap command.
Once both Manager IPs are configured, the Load Balancer can be managed by the 'Active'
Manager. At the same time, the Load Balancer can send events to both Managers.
In case of HA, both the Load Balancers are configured individually with both Managers' IPs and
port information.
If you use MDR, when upgrading to a newer version, you must delete the existing traps and create
new ones with information on both the Primary and Secondary Managers.
Manager to Manager communication
Once each minute, the Primary and Secondary Managers exchange a "heartbeat" communication. This
communication includes a byte of data specific to the health of the Manager in question. The Manager
receiving the heartbeat concludes that its peer has failed under two scenarios:
• One of the Network Security Platform XC Cluster subsystems reports a failure.
• A heartbeat has not been received within the Downtime Before Switchover interval (configured using the
  Manage Pair Configuration action). For example, if the default interval is 5 minutes and the heartbeat is
  sent once a minute, the Secondary Manager takes control after five minutes of missed heartbeats.
If the Secondary Manager becomes unavailable, the Primary remains active and logs the failure. If the
Primary Manager becomes unavailable, the Secondary logs the event and becomes active.
If both Managers are online but are unable to communicate with each other, the Secondary Manager
queries each Load Balancer and becomes active only if more than half the Load Balancers cannot
communicate with the Primary Manager.
Data synchronization between the Primary and Secondary Manager occurs every 15 minutes.
For more information on using and configuring MDR, see the McAfee Network Security Platform
Manager Administration Guide.
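The failure-detection rules in this section, modeled as an added Python example (not McAfee code and not part of the original guide). The class and function names are hypothetical; reading the health byte as a pass/fail flag, treating a heartbeat timeout as the trigger for querying the Load Balancers, and the `>=` boundary at the interval are assumptions of this model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence

HEARTBEAT_INTERVAL_S = 60            # from the guide: one heartbeat per minute
DOWNTIME_BEFORE_SWITCHOVER_S = 300   # from the guide's example: 5 minutes


class Verdict(Enum):
    PEER_HEALTHY = "heartbeats arriving, health byte OK"
    PEER_REPORTED_FAILURE = "health byte reports a subsystem failure"
    PRIMARY_LOST = "heartbeat timeout, more than half the Load Balancers lost the Primary"
    PARTITION_ONLY = "heartbeat timeout, Primary still reaches enough Load Balancers"


@dataclass
class SecondaryView:
    """What the Secondary Manager knows about its peer (hypothetical structure)."""
    last_heartbeat_at: float
    last_health_ok: bool = True      # assumption: health byte reduced to pass/fail
    switchover_after_s: int = DOWNTIME_BEFORE_SWITCHOVER_S


def evaluate(view: SecondaryView, now: float,
             lb_reaches_primary: Sequence[bool]) -> Verdict:
    """Classify the peer; lb_reaches_primary has one answer per queried Load Balancer."""
    if not view.last_health_ok:
        return Verdict.PEER_REPORTED_FAILURE
    # Assumption: "not received within the interval" is modeled as elapsed >= interval.
    if now - view.last_heartbeat_at < view.switchover_after_s:
        return Verdict.PEER_HEALTHY
    total = len(lb_reaches_primary)
    lost = sum(1 for reachable in lb_reaches_primary if not reachable)
    # "More than half" is strict: 1 of 2 Load Balancers is a tie and does not promote.
    # Assumption: with no Load Balancer to ask, the timeout alone decides.
    if total == 0 or 2 * lost > total:
        return Verdict.PRIMARY_LOST
    return Verdict.PARTITION_ONLY


def should_become_active(verdict: Verdict) -> bool:
    """The Secondary takes over only when the peer is judged failed."""
    return verdict in (Verdict.PEER_REPORTED_FAILURE, Verdict.PRIMARY_LOST)


def first_switchover(heartbeat_times: Sequence[float],
                     lb_reaches_primary: Sequence[bool],
                     horizon_s: int,
                     switchover_after_s: int = DOWNTIME_BEFORE_SWITCHOVER_S
                     ) -> Optional[int]:
    """Step through time one heartbeat interval at a time.

    Returns the first second at which the Secondary would become active,
    or None if it stays on standby for the whole horizon.
    """
    for now in range(0, horizon_s + 1, HEARTBEAT_INTERVAL_S):
        seen = [t for t in heartbeat_times if t <= now]
        view = SecondaryView(last_heartbeat_at=max(seen, default=0.0),
                             switchover_after_s=switchover_after_s)
        if should_become_active(evaluate(view, now, lb_reaches_primary)):
            return now
    return None


if __name__ == "__main__":
    # Constructed timeline: heartbeats arrive at 0, 60 and 120 s, then stop.
    beats = [0, 60, 120]
    scenarios = {
        "Primary down (no LB reaches it)": [False, False],
        "HA pair, one LB lost the Primary": [True, False],
        "Three LBs, two lost the Primary": [False, False, True],
    }
    for label, lbs in scenarios.items():
        print(f"{label}: switchover at {first_switchover(beats, lbs, 900)}")
```

With an HA pair of Load Balancers, one device losing the Primary is exactly half rather than more than half, so in this model the Secondary stays on standby until both report the loss.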
Modes of operation
The XC Cluster supports various modes of operation. These modes can be configured manually on the
XC-240 device using the lbg command, and primarily determine the XC Cluster behavior. The Network
Security Platform and the M-8000XC Sensors are not affected by any change in these modes. The
number of Sensors connected to the XC-240 is determined by the throughput requirement.
By default, the XC Cluster is configured in the 60G N+1 mode. Port S8 is reserved for High Availability.
The spare port is configurable.
The following modes are supported:
• XC-240 High Availability
  This mode supports configuring a standby XC-240 through port S8. High Availability is implemented
  in the active/active mode and can support both 70G N and 60G N+1 modes.
  • 60G N+1 - Configuration with Sensor redundancy
    This is the default mode and supports configuring a standby Sensor. One of the Sensor ports is
    configured as a spare port. The standby Sensor is connected to the spare port. This enables you
    to utilize six 10 GB Sensor ports for active Sensors, providing a maximum throughput of 60 Gbps.
  • 70G N - Configuration without Sensor redundancy
    This mode does not support a standby Sensor and enables you to utilize seven 10 GB Sensor ports
    for active Sensors, providing a maximum throughput of 70 Gbps.
• XC-240 Standalone
  • 80G N - Configuration without Sensor redundancy
    This mode does not support a standby Sensor and enables you to utilize eight 10 GB Sensor ports
    for active Sensors, providing a maximum throughput of 80 Gbps.
  • 70G N+1 - Configuration with Sensor redundancy
    This mode supports configuring a standby Sensor. One of the Sensor ports is configured as a
    spare port. The standby Sensor is connected to the spare port. This enables you to utilize seven
    10 GB Sensor ports for active Sensors, providing a maximum throughput of 70 Gbps.
See also
lbg on page 63
ha set on page 60
XC-240 high availability
When you configure High Availability, you designate a primary and a secondary XC-240 load balancer.
The XC-240 High Availability is implemented in the active/active mode.
The secondary and primary XC-240 devices are connected using port S8. The M-8000XC Sensors
connect to identical Sensor ports on both primary and secondary XC-240. For example, port 1A of an
M-8000XC Sensor connects to port S1 on the primary XC-240; port 2A of the same M-8000XC
connects to port S1 of the secondary XC-240. The network devices connect to identical monitoring
ports on the primary and secondary XC-240 devices. Once the setup is complete, the primary and
secondary XC-240 devices are configured identically.
The devices are configured in the High Availability mode, using the ha set command. Set the High
Availability mode to activeactive (by default, it is standalone) on both the devices. Set the role as
secondary (by default, it is primary) on the secondary XC-240. When connected to the peer, the
XC-240 participates in active/active mode according to its role (primary or secondary).
You can synchronize the configuration between the primary and secondary XC-240 devices either
automatically or manually. When ha set autosync is enabled, the configuration is automatically
synchronized between the primary and secondary XC‑240 devices. The synchronization happens only
when there is a configuration change in either of the devices, and not continuously. Use the ha
config_resync command to resynchronize configuration between the primary and the secondary
XC-240 devices manually. Configuration from the peer device is pulled and applied to the local device
every time this command is executed by either the primary or secondary XC-240. During this
operation, conflicting commands are blocked. The ha config_resync command is also blocked. For more
information, see the section XC-240 Command Line Interface.
Use the ha show command to view the High Availability status. The XC Cluster configuration (number
of Sensor ports to be configured and the mode of operation) is also done manually on both the
devices using the lbg command. Both the primary and the secondary XC-240 devices are added to the
XC Cluster through the Manager.
In the High Availability mode, the M-8000XC Sensor receives traffic from the primary XC-240 on port
1A (considering the example given earlier in this section). When the primary XC-240 goes down, the
High Availability state changes to hunting and the mode changes to standalone (view using the ha
show command) and the Sensors receive the same traffic flow on port 2A from the secondary XC-240.
In case of a mismatch in the configuration (lbg command) between the primary and secondary
XC-240 devices, fault messages are generated in the Status page of the Manager.
You can create a port cluster when you deploy load balancers in high availability mode. Creating a
port cluster for XC Clusters is explained in the section Port clustering.
For general information about port clustering in IPS Sensors, refer to the Network Security Platform
IPS Administration Guide.
Figure 2-2 Primary and secondary XC-240 devices in the High Availability mode
Ensure that the primary and secondary XC-240 devices' software versions are the same. If not, the
connection between the peer devices will not be established.
If any one of the XC-240 devices detects a Sensor failure, it notifies its High Availability peer and both
the devices declare the Sensor down.
To change the High Availability role of the configured XC-240 device, for example, from primary to
secondary or vice versa, first change the High Availability mode from activeactive to
standalone. Once the role is changed, reset the mode to activeactive.
60G N+1 — Configuration with Sensor redundancy
Figure 2-3 60G N+1 - Configuration with Sensor redundancy
This is the default mode and allows you to connect a maximum of 6 active Sensors and 1 standby
Sensor for redundancy. One of the Sensor ports is configured as the spare port and is connected to
the standby Sensor. In case of failure of any one of the active Sensors, the XC-240 diverts the traffic
destined to the failed Sensor to the standby Sensor. Port S8 is reserved for connecting the standby
XC-240.
The Sensors connect to identical ports on both primary and secondary XC-240.
When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor. The redundant
Sensor is restored to the standby state.
Consider the following example:
Sensor ports S1-S6 are configured; S7 is configured as the static spare port. If the Sensor at port S2
fails, traffic for S2 is reallocated to S7. When S2 comes up again, traffic is reallocated to S2 and S7
goes back into the standby mode. If any one of the XC-240 devices detects a Sensor failure, it notifies
its peer and both the devices declare the Sensor down.
See also
lbg on page 63
ha set on page 60
70G N — Configuration without Sensor redundancy
Figure 2-4 70G N - Configuration without Sensor redundancy
This mode allows you to connect and configure a maximum of 7 active Sensors to the XC-240. Port S8
is reserved for connecting the standby XC-240.
The Sensors connect to identical ports on both primary and secondary XC-240.
The Network ports receive the traffic and distribute it to the connected Sensors. On failure of any
Sensor, when configured in the in-line fail-open or in-line fail-close mode, the traffic designated to the
failed Sensor is looped back.
When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor.
If any one of the XC-240 devices detects a Sensor failure, it notifies its peer and both the devices
declare the Sensor down.
Configure 70G N mode using the lbg command (example):
lbg set ports=s1-s7 group=1
See also
lbg on page 63
ha set on page 60
XC-240 standalone
To switch to the standalone mode, make the following configuration changes:
By default, the XC-240 is configured with High Availability support in the 60G N+1 mode; port S8 is
reserved as the High Availability port. If you do not wish to operate in the High Availability mode,
after installing the XC-240 Load Balancer image, use the lbg command to configure port S8 in the lbg
group.
Example: lbg set ports=s1-s8 group=1
While operating in the High Availability mode, if you want to configure the standalone mode, use the
ha set command to change the HA mode from activeactive to standalone. Port S8 can be
configured to connect to a Sensor, using the lbg command.
Ensure that you update the Manager based on your configurations.
80G N — Configuration without Sensor redundancy
Figure 2-5 80G N - Configuration without Sensor redundancy
This mode allows you to connect and configure a maximum of 8 Sensors to the XC-240.
The Network ports receive the traffic and distribute it to the connected Sensors. On failure of any
Sensor, when configured in the in-line fail-open or in-line fail-close mode, the traffic designated to the
failed Sensor is looped back.
When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor.
Configure 80G N mode using the lbg command (example):
lbg set ports=s1-s8 group=1
See also
lbg on page 63
ha set on page 60
70G N+1 — Configuration with Sensor redundancy
Figure 2-6 70G N+1 - Configuration with Sensor redundancy
This mode allows you to connect and configure a maximum of 7 active Sensors and 1 standby Sensor
for redundancy. One of the Sensor ports is configured as the spare port and is connected to the
standby Sensor. In case of failure of any one of the active Sensors, the XC-240 diverts the traffic
destined to the failed Sensor to the standby Sensor.
The Sensors connect to identical ports on both primary and secondary XC-240.
When the failed Sensor recovers, XC-240 resumes the flow of traffic to the Sensor. The redundant
Sensor is restored to the standby state.
Consider the following example:
Sensor ports S1-S7 are configured; S8 is configured as the static spare port. If the Sensor at port S2
fails, traffic for S2 is reallocated to S8. When S2 comes up again, traffic is reallocated to S2 and S8
goes back into the standby mode. If any one of the XC-240 devices detects a Sensor failure, it notifies
its peer and both the devices declare the Sensor down.
If one Sensor fails, the configuration behaves like a 70G N configuration.
Configure 70G N+1 mode using the lbg command (example):
lbg set ports=s1-s7 spares=s7 group=1
See also
lbg on page 63
ha set on page 60
3
Set up the XC-240 load balancer
This section describes the steps to set up the XC-240 device.
Contents
XC-240 key features
XC-240 physical description
Install XC-240
Connect power to XC-240
Install the Small Form-factor Pluggable (SFP+) modules
Connect the XC-240 cables
Configure the XC-240 device
XC-240 key features
The XC-240 includes the following features:
• 16 SFP+ 10 gigabit Monitoring ports (fiber)
• 8 SFP+ 10 gigabit Sensor ports (fiber)
• 1 10/100/1000 Base-T Management port
• Dual power supply
• Front-mounted connectors for quick and easy installation
• LED indicators show link and activity status
• Configurable to load balance up to 7 M-8000XC Sensors
XC-240 physical description
The XC-240 enables high traffic loads on 10 gigabit links to be processed by distributing the traffic to
multiple M-8000XC Sensors. It supports 16 10 gigabit Ethernet monitoring ports and 8 10 gigabit
Ethernet Sensor ports.
Front panel
The front panel of the XC-240 is equipped with the following components:
Figure 3-1 XC-240 Front panel
Item  Description
1     SFP+ 10 gigabit Ethernet Monitoring ports (16)
2     SFP+ 10 gigabit Sensor ports (8)
3     RS-232 Console port (1)
4     10/100/1000 Management port (1)
• One RJ-45 10/100/1000 Management port, which is used for communication with the
  Manager server.
• One RS-232 Console port, which is used to set up and configure the XC-240 using the Command
  Line Interface.
• Sixteen small form-factor pluggable (SFP+) 10 gigabit Monitoring ports, which enable you
  to monitor Network traffic. The traffic is monitored in in-line fail-open, in-line fail-close, tap or span
  mode. The Monitoring interfaces of the XC-240 work in stealth mode, meaning they have no IP
  address and are not visible on the monitored segment.
• Eight small form-factor pluggable (SFP+) 10 gigabit Sensor ports, which are used to
  connect to the M-8000XC Sensors to be load balanced by the XC-240.
Link and Activity LEDs
Each port has a Link LED and an Activity LED located above the port. The Link LED illuminates when
the port has established a good link. The Activity LED blinks when traffic is passing through the port.
Rear panel
The rear panel of the XC-240 is equipped with the following components:
Figure 3-2 XC-240 Rear panel
Item  Description
1     Power supply 1
2     Power supply 2
XC-240 is powered by two redundant power supplies. Either supply alone can power the device and
the power supplies are hot-swappable, so you do not experience any monitoring downtime if you
need to replace a power supply.
Install XC-240
Install the XC-240 device by following the details given in this section.
Tasks
• Usage restrictions
• Safety measures
• Unpack and inspect XC-240
• Position the XC-240
Usage restrictions
The following restrictions apply to the use and operation of an XC-240.
• You may not remove the outer shell of the XC-240. Doing so will invalidate your warranty.
• The XC-240 appliance is not a general purpose workstation.
• McAfee prohibits the use of the XC-240 appliance for anything other than the Load Balancing
  operation.
• McAfee prohibits the modification or installation of any hardware or software in the XC-240
  appliance that is not part of the normal operation of Load Balancing.
Safety measures
Please read the following warnings before you install the XC-240 appliance.
Failure to observe these safety warnings could result in serious physical injury.
• Read the installation instructions before you connect the system to its power source.
• To remove all power from the XC-240, unplug all power cords, including the redundant power cord.
• Only trained and qualified personnel should be allowed to install, replace, or service this
  equipment.
• Before working on equipment that is connected to power lines, remove jewelry (including rings,
  necklaces, and watches). Metal objects will heat up when connected to power and ground and can
  cause serious burns or weld the metal object to the terminals.
• This equipment is intended to be grounded. Ensure that the host is connected to earth ground
  during normal use.
• Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place.
  Blank faceplates and cover panels prevent exposure to hazardous voltages and currents inside the
  chassis, contain electromagnetic interference (EMI) that might disrupt other equipment, and direct
  the flow of cooling air through the chassis.
• To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to
  telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain
  TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting
  cables.
• This equipment has been tested and found to comply with the limits for a Class A digital device,
  pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection
  against harmful interference when the equipment is operated in a commercial environment. This
  equipment generates, uses, and can radiate radio frequency energy and, if not installed and used
  in accordance with the instruction manual, may cause harmful interference to radio
  communications.
  Operation of this equipment in a residential area is likely to cause harmful interference in which
  case the user will be required to correct the interference at his own expense.
Unpack and inspect XC-240
Carefully unpack the XC-240 device, power supplies, and all cables that are provided. XC-240 is
delivered with the following:
• (1) XC-240 device
• (2) Power cords
• (2) Cables, 3 Meter, RJ45, CAT 5e 4-Pair
• (1) DB9-to-RJ45 adapter for use with the command line interface
• (2) Set of rack mounting rails
• (2) Set of rack mounting ears
• (2) Printed Slide Rail Assembly Procedure
• (2) Printed Quick Start Guide
• (1) Release Notes
To unpack the XC-240, perform the following steps:
Task
1. Open the crate.
2. Verify you have received all parts. These parts are listed on the packing list and in Contents of the
   XC-240 box.
3. Place the XC-240 box as close to the installation site as possible.
4. Position the box with the text upright.
5. Open the top flaps of the box.
6. Remove the accessory box within the XC-240 box.
7. Pull out the packing material surrounding the XC-240.
8. Remove the XC-240 from the anti-static bag.
9. Save the box and packing materials for later use in case you need to move or ship the XC-240.
Position the XC-240
XC-240 is designed for mounting in a 19-inch rack, occupying one rack unit of height.
Place the XC-240 in a physically secure location, close to the switches or routers it will be monitoring.
Connect power to XC-240
A basic configuration of the XC-240 includes two hot-swappable power supplies. The XC-240 is an AC
model. Each module has one handle for insertion or extraction from the unit as well as a release
latch.
Figure 3-3 Power supply unit
Tasks
• Install the power supply
• Remove the power supply
• Turn on the XC-240
• Turn off the XC-240
Install the power supply
To install a power supply in the XC-240:
Task
1. Unpack the power supply from its shipping carton.
2. Remove the faceplate panel covering the power supply slot.
   The faceplate panel must remain in place unless a power supply is in the power supply slot.
3. Do not operate the XC-240 without the faceplate panel in place.
4. Place the power supply in the slot with the cable outlet facing front and on the left side of the
   faceplate.
5. Slide in the power supply until it makes contact with the backplane, then push firmly to mate the
   connectors solidly with the backplane.
Figure 3-4 Power supply installation
For true redundant operation with the optional redundant power supply, McAfee recommends that
you plug each supply into a different power circuit. For optimal protection, use uninterruptible
power sources.
Remove the power supply
To remove a power supply from the XC-240 (optional; the power supplies are hot-swappable):
Task
1. Unplug the power cable from its power source and remove the power cable from the power supply.
2. Put on an antistatic wrist or ankle strap. Attach the strap to a bare metal surface of the chassis.
3. Push the release latch inward toward the handle.
4. Squeeze the handle of the power supply and pull it out.
5. Use faceplate panels to protect unused slots from dust and reduce electromagnetic radiation.
6. Replace the mounting bracket.
To avoid data interruption, do not turn off both power supplies when working in the in-line fail-open
or in-line fail-close mode, or the XC-240 shuts down and all data traffic stops. Turn off only the
power supply you are replacing.
To remove all power from the XC-240, unplug all power cords.
Turn on the XC-240
Do not attempt to turn on the XC-240 device until you have installed it, made all necessary network
connections, and connected the power cable to the power supply.
Task
1. Connect one of the supplied power cables to the XC-240 power supply.
2. Install a power supply clip over it to keep the AC power cord from accidentally being unplugged
   from the power connector.
3. Plug the other end of the cable into a power source.
4. Push the power switch to activate power.
   The switch illuminates to indicate that power is active.
5. Repeat Steps 1 to 4 to connect the other power supply on the rear panel.
Turn off the XC-240
McAfee recommends that you use the logout, exit, or quit command line interface command to halt
the XC-240 before turning it off. Push the module's power switch to deactivate power.
Install the Small Form-factor Pluggable (SFP+) modules
The XC-240 uses fiber-optic connectors for its ports. The connector type is a Small Form-factor
Pluggable (SFP+) fiber optic connector.
The SFP+ module is a protocol-independent, compact, optical receiver, which allows for greater port
density than the standard GBIC. This module operates at varying speeds of up to 10 gigabits per
second on SONET/SDH, Fibre Channel, gigabit Ethernet and other applications. The SFP+ module
operates in multimode. Additionally, this module transmits on an 850-nanometer wavelength.
Figure 3-5 SFP+ module
SFP+ transceiver modules are bundled along with the XC-240 appliance. Install them as desired in the
SFP+ slots in the appliance. For each module, remove the temporary plug from the SFP+ slot and
insert the module until it clicks into place.
Unused ports do not need to be populated with transceiver modules.
These installation instructions provide information for installing an SFP+ module that uses a bail clasp
for securing the module in place in the XC-240.
For ease of installation, insert the module in the XC-240 while it is powered down.
To prevent eye damage, do not stare into open laser apertures.
Tasks
• Install an SFP+ module
• Remove an SFP+ module
Install an SFP+ module
To install a module with a bail clasp, follow these steps:
Task
1. Remove the module from its protective packaging.
2. Locate the label on the module and ensure that the alignment groove is down.
   For SFP+ modules, turn the module so that its label is on top.
3. Grip the sides of the module with your thumb and forefinger and insert the module into the module
   socket.
   Modules are keyed to prevent incorrect insertion.
Figure 3-6 Install an SFP+ module
Remove an SFP+ module
If you are removing a module, follow these steps:
Task
1. Disconnect the network fiber-optic cable from the module.
2. Release the module from the slot by pulling the bail clasp out of its locked position.
3. Slide the module out of the slot.
4. Insert the module plug into the module optical bore for protection.
Connect the XC-240 cables
Follow the steps outlined in this chapter to connect the cables to the various ports on your XC-240
device.
Tasks
• Connect the cable to the Console port
• Connect the cable to the management port
• Connect the cable to the monitoring port
• Connect the cable to the Sensor ports
• Connect cables for in-line fail-close mode
• Connect cables for in-line fail-open mode
• Connect cables for tap mode
• Connect cables for SPAN or hub mode
Connect the cable to the Console port
The Console port is used for setting up and configuring the XC-240.
Task
1. Plug the RS232 RJ45 cable supplied in the XC-240 box into the Console port.
2. Connect the other end of the Console port cable directly to a COM port of the PC or terminal server
   you will be using to configure the XC-240 (for example, a PC running correctly configured Windows
   Hyperterminal software). An RJ45-to-DB9 adapter is provided. You must connect directly to the
   console for initial configuration.
Connect the cable to the management port
The Management port is used for communication with the Manager server.
Task
1. Plug a Category 5e Ethernet cable into the Management port of the XC-240.
2. Plug the other end of the cable into a network device (switch, router, hub, etc.) which in turn
   connects to the Manager server.
Connect the cable to the monitoring port
Connect to the network devices you will be monitoring using the XC-240 monitoring ports. You can
deploy XC-240 in the operating modes shown in the following table. Cabling instructions for the
XC-240 monitoring ports are shown on the pages indicated.
Connect the cable to the Sensor ports
The Sensor ports are used to connect to the M-8000XC Sensors to be load balanced by the XC-240.
Task
1. Plug the fiber cable appropriate for use with the SFP+ module into the Sensor port of the XC-240.
2. Connect the other end of the fiber cable used in Step 1 to a 10 G monitoring port, for example,
   port 1A of the M-8000XC Sensor.
Connect cables for in-line fail-close mode
To connect an XC-240 device in an in-line fail-close mode, perform the following steps:
Task
1. Plug the cable appropriate for use with your gigabit Ethernet into one of the ports labeled xA (for
   example, 1A).
2. Plug another cable into the peer of the port used in Step 1. This port will be labeled xB (for
   example, 1B).
3. Connect the other end of each cable to the network devices that you want to monitor. (For
   example, if you plan to monitor traffic between a switch and a router, connect the cable connected
   to 1A to the switch and the one connected to 1B to the router.)
Connect cables for in-line fail-open mode
To connect an XC-240 device in an in-line fail-open mode using the 10 gigabit Optical Active Fail-Open
Bypass Kit (kit), perform the following steps:
Task
1. Plug an inside network cable connector into the Network port labeled A on the Bypass Switch.
2. Plug the other end of this cable into the corresponding network device.
3. Plug an outside network cable into the Network port labeled B on the Bypass Switch.
4. Plug the other end of this cable into the corresponding network device.
5. Plug an LC fiber cable (inside) into a network port of XC-240.
6. Plug the other end of the cable into the monitoring port labeled 1 on the Optical Bypass Switch.
7. Plug an LC fiber cable (outside) into the corresponding peer port.
   (For example, if you used 1A in step 5, plug the cable into port 1B).
8. Plug the other end of the cable into the monitoring port labeled 2 on the Optical Bypass Switch.
With this cable configuration, XC-240 monitoring port 1A views traffic as originating inside the
network, and port 1B views traffic as originating outside the network. Note that this configuration
(1A = outside, 1B = inside) must match the port configuration specified for this XC-240 in the
Manager, and that the ports must be enabled.
Connect cables for tap mode
The XC-240 device's gigabit Ethernet ports must be used with a third-party external 10 GB tap.
External tap mode requires a port pair (for example, 1A and 1B).
To connect the XC-240 to the devices you want to monitor in external tap mode:
Task
1. Plug the cable appropriate for use with your gigabit Ethernet port into one of the ports labeled xA
   (for example, 1A).
2. Plug another cable into the peer of the port used in Step 1. This port will be labeled xB (for
   example, 1B).
3. Connect the other end of each cable to the tap.
4. Connect the network devices that you want to monitor to the tap.
Connect cables for SPAN or hub mode
When you monitor in SPAN or hub mode, you do not need to use a port pair. You can use single ports.
To connect an XC-240 to a SPAN port or hub, plug an LC fiber-optic or RJ45 cable into one of the
modules and connect the other end of the cable to the SPAN port or the hub.
Configure the XC-240 device
Log on to the XC-240 using the terminal connected to the Console port. This section describes the
basic configuration needed to get the XC-240 device up and running. When the device is
configured through the command line interface, it also needs to be configured in the Manager.
Log on to the command line interface
Each XC-240 maintains a list of accounts for users authorized to access that particular device. To log on
to the command line interface, perform the following steps:
Task
1 Type the user name at the logon prompt. The default user name is admin.
2 Type the password. The default password is admin123.
For security, the password is not displayed as you type it. The Help command is automatically
executed and the command line interface prompt is displayed.
Change the logon password
McAfee strongly recommends that you change the logon password from the default to provide security
against unauthorized access.
To change the logon password, type user mod name=admin pw=<new password> priv=2, where
<new password> is the new password.
The password is changed.
Assign a new IP address, netmask, and gateway IP address
To assign a new IP address, netmask, and gateway IP address to XC-240, perform the following steps:
Task
1 Type sysip show. The current IP address, netmask, and gateway IP address are displayed.
2 To configure an IPv4 address, type sysip set ipaddr=<IP address> mask=<netmask>
gw=<gateway>, where <IP address> is the IPv4 address for XC-240, <netmask> is the netmask, and
<gateway> is the IP address of the gateway. The IP address, netmask, and gateway IP address are
made pending. To configure an IPv6 address, type sysip inet6_set ipaddr=<IP
address> prefixlen=<prefix length>, where <IP address> is the IPv6 address for XC-240.
3 Type sysip show. Verify that the displayed values are the desired ones.
4 Type sysip commit to activate the new IP address.
Define the mode of operation
The lbg command indicates the number of Sensors configured and the mode of operation.
By default, the XC Cluster is configured with High Availability support in the 60G N+1 mode. Port S8 is
reserved for the peer XC-240 device.
Task
1 View the number of Sensor ports to be load balanced and the status of these ports. At the prompt,
type: lbg show.
The ports are down if they are displayed in parentheses, for example, (s1),(s2),(s3),(s4),(s5),(s6)
spares: (s7). The ports are up if they are not displayed in parentheses, for example, s1,s2,s3,s4,s5,s6
spares: s7.
2 Configure the mode of operation for the XC-240. At the prompt, type lbg set ports.
While using the lbg command, ensure that the Sensor ports being configured match with the
Sensors connected to the XC-240.
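The port-list notation quoted in step 1 can be checked by script and compared with the Sensor ports that are actually cabled. The following is an added example, not McAfee code: it parses only the port-list strings quoted above (the full lbg show output is not reproduced in this guide), and the function names, the cabling set, and the sample lines are constructed for illustration.

```python
import re

# One port token as quoted in this guide: "s3" (up) or "(s3)" (down).
_TOKEN = re.compile(r"(\()?(s\d+)(\))?$", re.IGNORECASE)


def parse_port_list(text):
    """Map each port in a comma-separated list to 'up' or 'down'."""
    states = {}
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            continue
        match = _TOKEN.match(token)
        # Reject unknown tokens and unbalanced parentheses such as "(s3".
        if not match or bool(match.group(1)) != bool(match.group(3)):
            raise ValueError("unrecognized port token: %r" % token)
        states[match.group(2).lower()] = "down" if match.group(1) else "up"
    return states


def parse_lbg_ports(line):
    """Split 'active-ports spares: spare-ports' into two state maps."""
    active, sep, spares = line.partition("spares:")
    return {
        "active": parse_port_list(active),
        "spares": parse_port_list(spares) if sep else {},
    }


def assess(line, connected_ports):
    """Compare the reported ports with the Sensor ports that are cabled.

    connected_ports: port names (for example {"s1", "s2"}) taken from your
    own cabling record; this input is an assumption of the example.
    """
    parsed = parse_lbg_ports(line)
    configured = set(parsed["active"]) | set(parsed["spares"])
    connected = {p.lower() for p in connected_ports}
    return {
        "down_active": sorted(
            p for p, s in parsed["active"].items() if s == "down"),
        "spares_up": sorted(
            p for p, s in parsed["spares"].items() if s == "up"),
        # Listed by the load balancer but no Sensor is cabled to the port.
        "configured_not_connected": sorted(configured - connected),
        # A Sensor is cabled but the port is missing from the list.
        "connected_not_configured": sorted(connected - configured),
    }


# Constructed sample lines in the notation shown in step 1.
ALL_DOWN = "(s1),(s2),(s3),(s4),(s5),(s6) spares: (s7)"
ONE_DOWN = "s1,s2,(s3),s4,s5,s6 spares: s7"

if __name__ == "__main__":
    cabled = {"s1", "s2", "s3", "s4", "s5", "s6", "s7"}
    for sample in (ALL_DOWN, ONE_DOWN):
        print(sample, "->", assess(sample, cabled))
```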
Enable SNMP
The SNMP agent is disabled by default. To enable and configure the SNMP agent:
Task
1 At the prompt, type snmp set admin=<enable>.
2 To add the Manager IP to the XC-240, at the prompt type snmp trap_add name=<SNMP user
configured on the NSM while adding the XC-240> authProto=<authentication protocol>
authPass=<authentication password> privProto=<privacy protocol> privPass=<privacy
password> access=<rw> ip=<IP of the Manager> port=<4169> admin=<enable>
Example: snmp trap_add name=nsmuser type=v3 ip=172.25.70.140 port=4169 authProto=SHA
authPass=admin123 privProto=AES privPass=test123 admin=enable access=rw.
3 To save and load the configurations, execute the snmp commit command.
4 To view the current SNMP server configurations, at the prompt type, snmp show.
5 To view the SNMP user configurations, at the prompt type snmp user_show.
4
Set up the M-8000XC Sensors
The M-8000XC Sensors are connected to the XC-240 Load Balancer device. Traffic is load balanced to
the connected Sensors. These Sensors cannot be used as standalone Sensors. They can be used as part
of the XC Cluster only.
1 Plug the cable appropriate for use with your SFP+ module into a 10G monitoring port, for example,
port 1A.
2 Connect the other end of the cable to a Sensor port on the XC-240 Load Balancer.
The existing M-8000XC devices need to be upgraded to M-8000XC. Contact the McAfee Technical
Support Personnel.
Figure 4-1 M-8000XC connected to XC-240
An M-8000XC Sensor includes the following features:
• 12 10–GbE XFP
• Dual power supply
• Hot-swappable SFP/XFP modules
• 1 10/100/1000 Base-T Management port
• 16 SFP ports (10/100/1000 copper or 1 GbE fiber)
• 6 Fan units that are field-replaceable
For detailed setup information of the M-8000XC Sensors, refer to the McAfee Network Security
Platform M-8000XC Sensor Product Guide and McAfee Network Security Platform M-8000XC Quick
Start Guide.
Cable the NTBA appliance
Task
1 Plug the cable appropriate for use with the SFP+ module into one of the 1 GB ports of the M-8000XC
Sensor.
2 Connect the other end of the cable used in Step 1 to a monitoring port of the NTBA appliance.
For detailed information on setting up the NTBA appliance, see the McAfee Network Security
Platform NTBA Appliance T-500 Quick Start Guide.
5
XC clustering in the McAfee® Network Security Manager
This section discusses the configuration instructions for managing XC Clusters using the Manager Resource
Tree.
Contents
Create XC clusters
Manage XC clusters
Create XC clusters
The Manager provides the ability to add an XC Cluster that includes 1 XC-240 Load Balancer device
and a maximum of 8 M-8000XC Sensors. These are the member devices of an XC Cluster.
The first 3 digits of the Sensor software version must be identical on all M-8000XC Sensors added to
the XC Cluster.
After the XC Cluster is created, the majority of the Sensor features can be configured at the XC Cluster
level. For more information, see the McAfee Network Security Platform Installation Guide.
Tasks
• Add XC-240 load balancers
• Add M-8000XC Sensors
• Add XC Clusters
Add XC-240 load balancers
When an XC-240 Load Balancer device is added to the Manager, the device configurations are read
and displayed by the Manager. Subsequently, whenever specific configuration changes are done on the
physical device, faults are sent to the Manager. These faults are displayed in the Status page. Based
on these fault details, appropriate configuration changes need to be done in the Manager. You need to
ensure that configurations on the XC-240 device and Manager are identical. This is a manual
procedure.
To add an XC-240 to Manager, do the following:
Task
1 Select Devices | <Admin Domain> | Global | Add and Remove Devices.
2 Click New.
The Add New Device page is displayed.
Figure 5-1 Add a new XC-240 Load Balancer
3 Type the Device Name.
The Name must begin with a letter. The length of the Name is not configurable.
4 Select the Device Type as Load Balancer.
5 Enter the XC-240 IP address.
6 Enter the following SNMP v3 user credentials to interact with the XC-240 device:
• SNMPv3 User
• Authentication Password
• Privacy Password
The characters that can be used while creating passwords are as follows:
• 3-64 alpha-numeric characters: upper and lower case (a,b,c,...z and A, B, C,...Z) and 10 digits:
0 1 2 3 4 5 6 7 8 9.
• 32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /
The SNMP v3 credentials should be the same as those configured in the command line.
7 Add the Contact Information and Location.
Two XC-240 devices cannot be added with the same name.
Add M-8000XC Sensors
A maximum of 8 M-8000XC Sensors can be added to the XC Cluster.
To add a Sensor to Manager, do the following:
Task
1 Select Devices | Admin Domain | Global | Add and Remove Devices.
2 Click New.
The Add New Device page is displayed.
Figure 5-2 Add a new M-8000XC Sensor
3 Type the Device Name.
The name must begin with a letter. The length of the name is not configurable.
4 Select the Device Type as IPS Sensor.
5 Enter the Shared Secret (repeat at Confirm Shared Secret).
The shared secret must be a minimum of 8 characters in length: the length of the shared secret is
not configurable. The shared secret cannot start with an exclamation mark nor have any spaces.
The characters that can be used while creating a shared secret are as follows:
• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)
• 10 digits: 0 1 2 3 4 5 6 7 8 9
• 32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /
The exact, case-sensitive Device Name and Shared Secret must also be entered on the device command
line interface during physical installation and initialization. If not, the device will not be able to
register itself with the Manager.
6 Select the Updating Mode as Online or Offline. Online is the default mode.
Devices with Online update mode will have the signature set/software directly pushed to the devices.
For devices to which you want the signature set/software pushed manually, select the update mode
as Offline.
7 Type the Contact Information and Location.
8 Click Save to begin the Manager-device handshake process.
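The naming and credential rules in the two procedures above (SNMPv3 passwords for the XC-240, Device Name and Shared Secret for the Sensor) can be checked before the values are typed into the Manager and the device command line. This is an added example, not McAfee code: the function names and dictionary keys are hypothetical, it assumes the 3-64 range is the total length of an SNMPv3 password, and it additionally flags the password values printed in this guide (admin123, test123).

```python
import string

# Character classes as listed on the page: letters, 10 digits, 32 symbols.
LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
SYMBOLS = set("~`!@#$%^&*()_+-=[]{}\\|;:\"',.<>?/")
ALLOWED = LETTERS | DIGITS | SYMBOLS

# Password values printed in this guide; anyone who has read it knows them.
DOCUMENTED_VALUES = {"admin123", "test123"}


def _outside_allowed(value):
    """Non-space characters that are not in the documented character set."""
    return sorted({c for c in value if c not in ALLOWED and not c.isspace()})


def check_device_name(name):
    if name and name[0] in LETTERS:
        return []
    return ["device name must begin with a letter"]


def check_shared_secret(secret):
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    if secret.startswith("!"):
        problems.append("starts with an exclamation mark")
    if any(c.isspace() for c in secret):
        problems.append("contains a space")
    if _outside_allowed(secret):
        problems.append("characters outside the allowed set")
    if secret in DOCUMENTED_VALUES:
        problems.append("value is printed in the product guide")
    return problems


def check_snmpv3_password(password):
    problems = []
    # Assumption of this example: 3-64 is the total password length.
    if not 3 <= len(password) <= 64:
        problems.append("length is not between 3 and 64 characters")
    if any(c not in ALLOWED for c in password):
        problems.append("characters outside the allowed set")
    if password in DOCUMENTED_VALUES:
        problems.append("value is printed in the product guide")
    return problems


def check_entry(entry):
    """Validate one planned device entry (a dict; keys are hypothetical)."""
    report = {"name": check_device_name(entry.get("name", ""))}
    if "shared_secret" in entry:
        report["shared_secret"] = check_shared_secret(entry["shared_secret"])
    for key in ("auth_password", "priv_password"):
        if key in entry:
            report[key] = check_snmpv3_password(entry[key])
    # Keep only the fields that have at least one problem.
    return {field: issues for field, issues in report.items() if issues}


# Constructed sample entries, not taken from any real deployment.
SAMPLE_SENSOR = {"name": "xc-sensor-01", "shared_secret": "!short 1"}
SAMPLE_LOAD_BALANCER = {"name": "240-lb", "auth_password": "admin123",
                        "priv_password": "Priv#Cluster-2015"}

if __name__ == "__main__":
    for sample in (SAMPLE_SENSOR, SAMPLE_LOAD_BALANCER):
        print(sample["name"], "->", check_entry(sample) or "ok")
```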
Add XC Clusters
To add an XC Cluster, you need to include an existing XC-240 and existing M-8000XC Sensors.
To add an XC Cluster to Manager, do the following:
Task
1 Select Devices | <Admin Domain> | Global | XC Clusters.
2 Click New.
The Add New XC Cluster page is displayed.
3 Enter the Cluster Name.
4 Select the Load Balancer Logic. For the High Availability mode, select Double Load Balancer Solution;
otherwise, select Single Load Balancer Solution.
5 Select the XC-240 Primary Load Balancer and Secondary Load Balancer (only if you selected the Double Load
Balancer Solution in step 4) to be included in the XC Cluster.
6 Select the Template Device (software version).
The template device is the device whose existing configuration should be used as a starting point
for the new XC Cluster's initial configuration. The template device's configuration will be copied to
all other member devices, replacing their existing configuration.
7 Select the Additional Member Devices.
Additional member devices can be dynamically added and removed from an XC Cluster.
8 Click Save.
Sensors and XC-240 devices added in one XC Cluster cannot be added in another XC Cluster.
Manage XC clusters
The XC Cluster can be managed through a series of tasks.
Tasks
• Edit an XC Cluster
• Delete an XC Cluster
• View details of an XC cluster
• Configure XC-240 Monitoring and Sensor ports
• Configure M-8000XC Sensors
• Port clustering
• Reports
• Threat Analyzer
• Update XC cluster configuration
• Manage NTBA devices
Edit an XC Cluster
To edit an XC Cluster, do the following:
Task
1 Select Devices | <Admin Domain> | Global | XC Clusters. The list of XC Clusters is displayed. Select the one
to be edited.
Figure 5-3 Edit an XC Cluster
2 Click Edit.
You can only edit the field Additional Member XCs. When edited, click Save.
The Load Balancer Logic cannot be modified. You need to create a new XC Cluster, if there is a change of
mode from High Availability to standalone or vice versa.
To edit the member devices of the XC Cluster, that is XC-240 and M-8000XCs, do the following:
a Select Devices | <Admin Domain> | Global | Add and Remove Devices.
b Select the device.
c Click Edit.
d Make the required changes.
e Click Save to save the changes; click Cancel to abort.
You can edit all the parameters except Device Type.
Figure 5-4 Edit an XC-240 Load Balancer
Figure 5-5 Edit an M-8000XC Sensor
Delete an XC Cluster
To delete the XC Cluster, do the following:
Task
1 Select Devices | <Admin Domain> | Global | Add and Remove Devices.
The list of XC Clusters is displayed. Select the one to be deleted.
2 Click Delete.
The XC Cluster can be deleted if there are no member devices in it. To delete member devices, do
the following:
a Select Devices | <Admin Domain> | Global | Add and Remove Devices.
b Select the device.
c Click Delete.
Do not delete the device from the Manager if you plan to generate reports with data specific to
the device.
If the device is in the middle of active communication with the database, deleting the device may
not be successful (the device still appears in the Resource Tree). If you experience this problem,
check your device to make sure communication to the Manager is quiet, then re-attempt the
delete action.
While removing and adding the Sensor into an XC cluster, refresh the Manager page.
View details of an XC cluster
To view details of the XC Cluster, select Devices | <Admin Domain> | Devices | <Device Name> | Summary. The
Summary page is displayed.
Figure 5-6 XC Cluster summary
Figure 5-7 XC-240 summary
Figure 5-8 M-8000XC summary
Configure XC-240 Monitoring and Sensor ports
The Physical Ports action enables you to view/edit the parameters of the monitoring and Sensor ports on
the XC-240. Monitoring port configuration allows you to change deployment modes, or indicate
whether you are using McAfee certified modules, enable/disable ports, and choose the path for device
responses. The port settings are pushed to the XC-240 device using Deploy Pending Changes.
Figure 5-9 Configure XC-240 ports
Tasks
• Configure monitoring ports
• Change a monitoring port from single port to a port pair mode
• Change a monitoring interface from external tap to in-line (and vice versa)
• Configure Sensor ports
Configure monitoring ports
Configuration of monitoring ports enables you to set the operating mode of your ports, change port
speeds, and/or choose the corresponding response port for device action.
To view or configure settings for the 10 Gbps monitoring ports, do the following:
Task
1 Select Devices | <Admin Domain> | Devices | <Device_Name> | Physical Ports.
2 Double-click a numbered 10 Gbps port (which includes 1A through 8B) from 10 Gbps Monitoring Ports. A
side panel window displays current port settings.
Figure 5-10 Configure monitoring ports
3 Select the State as either Enable (on) or Disable (off). Accordingly the Link status in the main window
displays Up (on) or Down (off).
If your Link displays as Down and your State is Enabled, there may be a problem. Check the Link for
more information.
4 Select a Mode from the following:
Your device cabling must match the selected mode for correct system functionality. Improper
deployment may result in system faults, including missed attacks and system failure.
• In-line Fail-Open Active
• In-line Fail-Closed
In-line Fail-open and In-line Fail-closed are determined by the port cabling method. Fail-open
operation for GE ports requires use of the optional Bypass Switch provided in the gigabit Optical
Fail-Open Bypass Kit (sold separately). You should not select the In-line Fail-Open option if the
optional external Bypass Switch is not present.
• Tap
Ports can be configured in the Tap mode. This requires an external tap to be connected to the
monitoring ports.
• SPAN or Hub
If a port is functioning as part of a port pair, the peer port is listed. For example, if port 1A is
configured for Tap mode, port 1B is listed as the Peer Port. All ports are wirematched internally
with a single peer, for example 1A-1B make up a port pair. However, 1A-2B cannot be a port
pair.
5 Select the area of your network where the current port is connected: Inside Network (internal) or
Outside Network (external). This step applies to Tap or In-line modes only.
6 Click Save to save changes.
A confirmation page is displayed.
7 Download the changes to your device by updating the configuration of your device.
Change a monitoring port from single port to a port pair mode
You must disable both ports required for port pair operation when changing the operating mode from
SPAN or Hub Mode to a port pair (Tap or In-line) mode. Device monitoring ports are configured by
default to operate in SPAN or Hub mode.
Changing from one port pair mode to another port pair mode does not require disabling of ports.
To change your monitoring from single port to port pair, do the following:
Task
1 Select Devices | <Admin Domain> | Devices | <Device_Name> | Physical Ports.
2 Select a port from the virtual device, for example, 1A.
A window on the right displays current port settings.
3 Click Save.
4 Select the peer port, for example, 1B.
5 Select Tap (Port Pair) or an In-line (Port Pair) mode as the Mode. The peer port, 1A, is noted in the dialog.
6 In the State field, click Enable.
7 Configure your port settings.
8 Click Save.
9 Select port 1A to verify the State reads Enabled and the Mode matches your new setting.
10 Click Save.
11 Download the changes to your device by updating the configuration of the device.
Change a monitoring interface from external tap to in-line (and vice versa)
If you decide to change your monitoring configuration from External Tap mode to In-line mode, or you
want to change from In-line Mode back to External Tap mode, perform the following steps:
Task
1 Disconnect the segments from the external tap and connect the segments appropriately to your
device port pair.
If going from an In-line mode to External Tap mode, disconnect the segments from the device and
connect the segments appropriately to the external tap and device ports.
2 Select Devices | <Admin Domain> | Devices | <Device_Name> | Physical Ports using Manager’s Configuration
page.
3 Select a port from the virtual device, for example, 1A. A window on the right displays current port
settings.
4 Select an In-line (Port Pair) mode as the Mode.
Select Tap as the Mode if going from In-line to External Tap mode.
5 Configure port settings.
6 Click Save to close the window.
7 Download the changes to your device by updating the configuration of the device.
Configure Sensor ports
To configure your Sensor ports, perform the following steps:
Task
1 Select Devices | <Admin Domain> | Devices | <Device_Name> | Physical Ports.
2 Double-click a numbered 10 Gbps port (which includes S1 through S8) from 10 Gbps Monitoring Ports. A
side panel window displays current Sensor port settings.
Figure 5-11 Configure Sensor Ports
3 Select the State as either Enable (On) or Disable (Off). For example, you need to Disable the port if
you connect a new wire, then Enable it after re-connection. Depending on the State selected, the Link
status in the main window displays Up (on) or Down (off).
Link: Up (On) or Down (Off). If your port is enabled and State displays as Down, there is a problem.
4 Select the mode as Sensor Uplink.
The Response Mode is not applicable.
5 Click Save to save your port changes.
Configure M-8000XC Sensors
To configure the M-8000XC Sensors to monitor traffic, see the McAfee Network Security Platform
Installation Guide and the McAfee Network Security Platform IPS Administration Guide. The
configuration update of a Sensor can be done only when used in an XC Cluster.
Port clustering
The interfaces of XC Cluster can be grouped into a Port Cluster.
The Port Cluster (Interface Groups) action enables multiple device ports to be grouped together for
the effective monitoring of asymmetric environments. You cluster ports when you want the traffic
across multiple interfaces to be analyzed as if it were a single interface. Asymmetric networks are
common in load balancing. When configured, an interface group appears in the configuration page’s
Resource Tree as a single interface node (icon) under the Sensor where the ports are located. All of
the ports that make up the interface are configured as one logical entity, keeping the configuration
consistent.
To configure a port cluster, select Devices | <Admin Domain> | Devices | <XC Cluster> | Setup | Advanced |
Port Clusters and then click New.
Figure 5-12 Add a port cluster
The Template Member Port is the one whose configuration is retained and applied to the Port group; the
existing configuration of all the member ports is discarded.
Tasks
• Port Clustering in High Availability mode
Port Clustering in High Availability mode
When you deploy XC Cluster load balancers in high availability, monitoring ports for both load
balancers are consolidated in the Manager and displayed as one set. Any configuration applies to both
XC Cluster load balancers.
Figure 5-13 Port cluster for a high availability deployment
For example, consider load balancers 1 and 2 deployed in high availability. Each of these load
balancers has an individual set of monitoring ports, 1A thru 8B. In the Manager however, you will only
see one set of ports, 1A thru 8B. You can select one of the port pairs (say 1A-1B) and create a port
cluster for any of the ports depending on your network topology and requirement. In our illustration,
we will only add 2A-2B and 3A-3B.
Reports
You can generate a range of reports for both the alert information reported to your Manager, as well as
information pertaining to your XC Cluster configuration settings.
Next Generation reports give you the alerting information pertaining to the XC Cluster and Traditional
reports give you detailed configuration information on the XC Cluster.
For more information see the document McAfee Network Security Platform Manager Administration
Guide.
Threat Analyzer
The performance statistics of the XC Cluster and the alert data are available in the Threat Analyzer.
Update XC cluster configuration
Updating the configuration sends configuration changes, attack/signature updates, policy changes, and
SSL key updates to the XC Cluster. Configuration updates refer to changes to device and interface/
sub-interface configurations, such as port configuration, non-standard ports, interface traffic types,
and configuration changes to the Sensor Appliance.
Signature updates have new and/or modified signatures that can apply to the attacks enforced in a
chosen policy. Policy changes update the device in case of a newly applied policy, or changes made to
the current enforced policy.
When configured in the High Availability mode the configurations of the primary XC-240 are also pushed
to the secondary XC-240.
To update the configuration of a specific device, do the following:
Task
1 Click Devices | <Admin Domain> | Devices | <Device Name> | Troubleshooting | Deploy Pending Changes.
Figure 5-14 Configuration update
2 View the update information. If changes have been made, the Configuration and Signature Set column is
checked by default.
3 Check the SSL Key Update column in case SSL Key Update is required.
4 Check the Callback Detectors if callback detector updates have to be pushed to the Sensor.
5 You will be able to check the GAM Updates only in the case of NS series Sensors or NTBA appliances.
6 Click Update. A pop-up window displays configuration download status.
The configuration update and faults information is displayed in the Manager Status page.
Automatic signature set download and push to XC cluster is supported. However, the first signature
set push after the cluster is formed/updated is to be done manually.
Manage NTBA devices
The NTBA devices are managed through a series of tasks using the Manager.
Tasks
• Add NTBA devices
• Configure NTBA devices
Add NTBA devices
To add an NTBA device to Manager, do the following:
Task
1 Select Devices | <Admin Domain> | Global | Add and Remove Devices.
2 Click New.
The Add New Device page is displayed.
Figure 5-15 Add a new NTBA appliance
3 Type the Device Name.
The name must begin with a letter. The length of the name is not configurable.
4 Select the Device Type as NTBA Appliance.
5 Enter the Shared Secret (repeat at Confirm Shared Secret).
The shared secret must be a minimum of 8 characters in length: the length of the shared secret is
not configurable. The shared secret cannot start with an exclamation mark nor have any spaces.
The characters that can be used while creating a shared secret are as follows:
• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)
• 10 digits: 0 1 2 3 4 5 6 7 8 9
• 32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /
The exact, case-sensitive Device Name and Shared Secret must also be entered on the device command
line interface during physical installation and initialization. If not, the device will not be able to
register itself with the Manager.
6 Select an Updating Mode as Online or Offline. Online is the default mode.
Devices with Online update mode will have the signature set/software directly pushed to the devices.
For devices to which you want the signature set/software pushed manually, select the update mode
as Offline.
7 Type the Contact Information and Location.
8 Click Save to begin the Manager-device handshake process.
Configure NTBA devices
The NTBA device is added and configured in the Manager. For more information on configuring NTBA,
see the McAfee Network Security Platform NTBA Administration Guide.
Each NTBA device connected to an XC Cluster should have similar configuration with respect to
monitoring ports, zone creation, communication rules, and so on. This is required because the traffic
entering through the XC-240 ports can reach any M-8000XC Sensor.
In the Threat Analyzer console of the Manager, NTBA monitors display data received by each NTBA
device in the dashboards. By configuring one of the NTBA T-500 appliances as an aggregator, real time
monitors can display the aggregated data for the XC Cluster traffic. You can right-click and get more
details. Right-click queries are sent to individual NTBA Sensors.
Note that custom monitors do not aggregate the data. Next gen reports collect data from multiple
Sensors and provide data in a single report. You need to select multiple Sensors while generating the
reports. The reports append the results received from multiple Sensors.
Since load balancing is done based on source and destination IP addresses, traffic belonging to the
same connection reaches the same M-8000XC Sensor and thus related flows reach the attached NTBA
device.
6
XC-240 command line interface commands
This section describes the XC-240 commands. For the M-8000XC Sensor commands, see McAfee
Network Security Platform CLI Guide.
See also
Configure the XC-240 device
Contents
bypass
capture
config export, import
date
device
help
history
ha set
ha config_resync
ha show
image
inet6_ping
lbg
logout
pg set
pg show
ping
port set
port show
snmp
stats
sysip
syslog
system
time
upgrade
user
util show
quit or exit
!
bypass
Used to bypass the ARP and the MPLS traffic. By default the ARP and MPLS traffic is not set to be
bypassed.
To bypass ARP and MPLS traffic use bypass set. To bypass other traffic use bypass set other.
To view the bypass status use bypass show.
Syntax
bypass set arp=<y|n> mpls=<y|n> other=<y|n>
Parameter Description
<y|n> To bypass ARP and MPLS or other traffic enter y.
capture
To capture log and configuration files and transfer them to an ftp server, use the capture command.
The capture command is designed to capture information that can help McAfee support engineers
debug problems. It creates a tarball of important system log files and configuration files and uploads
them to a remote FTP server. The filename is generated automatically with the format
capture_MM‑DD‑YY_HHMMSS.tgz. The remote directory relative to the FTP home can optionally be specified.
Syntax
capture all srvip=<ipaddr> user=<username> pw=<password> dir=<remote_directory>
ftp_mode=<FTP transfer mode> config=<configuration files> core=<core dump files>
erase_core=<y|yes> db=<database files> logs=<log files> mibs=<MIB files>
Parameter Description
srvip=<srvip> The IPv4 address of the ftp log server
user=<username> The username of the ftp log server account
pw=<password> The password for the ftp log server account
dir=<remote_directory> The name of the directory on the ftp upgrade server
The directory must already exist
ftp_mode The FTP transfer mode, whether active or passive; default is passive
config Uploads the CLI scripts and the configuration files
core Uploads the core dump files
erase_core To erase the core dump files
db Upload the database files
logs Upload the system log files and the boot records
mibs Upload the SNMP MIB files
all Upload all available content; supersedes all other options
config export, import
To export/import a saved XC-240 configuration to/from a remote server using FTP, use the config
export and config import commands.
Syntax
config export = <url=ftp://hostname[:port] [/[path]] [file]> | <srvip> | <user> | <pw>
| <ftp_mode>
config import = <url=ftp://hostname[:port] [/[path]] [file]> | <srvip> | <file> |
<user> | <pw> | <ftp_mode>
Parameter Description
url The URL of the FTP server; port, path, and filename. Filename is optional. The ftp://
prefix is required.
srvip The IP address of the FTP server
file The name of the XC-240 configuration file to be imported
user The username of the FTP server account
pw The password of the FTP server account
ftp_mode The FTP transfer mode, whether active or passive
The source/destination FTP server can be specified by URL or by simple IP address. If the complete
URL is specified, the filename is optional.
date
To view the XC-240 system calendar date, use the date show command. To set the XC-240 system
calendar date, use the date command.
XC-240 maintains the system clock (date and time) even when no power is supplied to the unit, so
you only need to set the date and time once (and to adjust for Daylight Saving Time and leap years).
XC-240 uses the system clock only to timestamp log messages.
Syntax
date <mm/dd/yyyy>
date show
Parameter       Description
<mm/dd/yyyy>    Enter in mm/dd/yyyy format; the system clock is set to this date.
device
To view the device details, such as model name, model number, serial number and so forth, use the
device show command.
Syntax
device show
Parameters
None
Sample output
XC-240> device show
--------------------------------------
Device Information
--------------------------------------
Model Name: XB
Model Number: 2400X
Serial Number: 191056
HW Build Date: 081810
SW Version: bal_020800_101311
SW Build Date: Thu Oct 13 17:56:47 PDT 2011
System Uptime: 07d 22h 05m 47s
Last reboot: type:coldStart reason:premature_reboot_nm_rc
Mgmt MAC Address: C8:87:3B:00:10:A4
Mgmt Port Status: Link:up 100Mb/s full auto:on
To set the parameters of the ethernet management port, use the command device set mgmtport. To
view the detailed information on the ethernet management port, use the command device show
mgmtport.
To set the speed or duplex, auto-negotiation needs to be turned off.
Syntax
device set mgmtport speed=<10|100|1000> duplex=<half|full> autoneg=<on|off>
device show mgmtport
Parameter              Description
speed=<10|100|1000>    The speed on the ethernet management port. The speed value can be either 10, 100 or 1000.
duplex=<half|full>     The duplex setting on the ethernet management port. The value can be half for half duplex or full for full duplex.
autoneg=<on|off>       Enables auto-negotiation of speed and the duplex settings. The value can be on to enable auto-negotiation or off to disable auto-negotiation.
Sample output of device show mgmtport
XC-240> device show mgmtport
Settings for eth0:
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Auto-negotiation: on
Link detected: yes
Rx Total: 2579802
Rx CRC Errors: 0
Rx Other Errors: 20
Tx Total: 6761
Tx CRC Errors: 0
Tx Other Errors: 0
To monitor the hardware status (power supply units and fans), use device show hwStatus.
Syntax
device show hwStatus
Sample output of device show hwStatus
XC-240>device show hwStatus
--------------------------------------
HW Status
--------------------------------------
Item                 Value       Status Last Failure (since restart)
-------------------- ----------- ------ ---------------------------
Fan 1                14136 RPM   OK
Fan 2                13466 RPM   OK
Fan 3                13917 RPM   OK
Fan 4                14173 RPM   OK
Pwr 1 12V Main       12.31 vDC   OK
Pwr 2 12V Main       12.25 vDC   OK
SNMP traps are sent each time fan or power failure/recovery is detected.
help
To view the complete list of command line interface commands or to get more information about any
command, use the help command.
In addition to the help command, the command line interface provides other ways to get help:
• If you type a command without a required sub-command, help for the command is displayed.
• Press the ? key after entering the command or the command and sub-command to display a list of
supported sub-commands and arguments. (A space is required between the command and ?).
• The tab key or the space bar can be used to automatically complete words in the command line
interface. This function works for commands as well as arguments. For example, typing the letter i
followed by the tab key results in image being entered in the command line. Likewise, pi followed
by the tab key results in ping being entered in the command line. However, p followed by the tab
key does not auto-complete, because it is ambiguous between the ping and port commands.
Syntax
help [<command>]
Parameter    Description
<command>    The command line interface command for which additional information should be displayed.
history
XC-240 keeps a history of the last 100 commands you entered. To view the command history buffer,
use the history command. To execute a command that is stored in the command buffer, use the !
command. You can also bring commands from the history buffer to the current command line for
execution or editing by using the up‑arrow and down‑arrow keys. To clear the command history buffer,
use the history clear command.
Syntax
history
history clear
Parameters
None
ha set
To configure the XC-240 devices in the High Availability mode, use the ha set command.
Syntax
ha set mode=<standalone|activeActive> role=<primary|secondary> ha_port=<S1..S8>
autosync=<enable|disable>
Parameter                         Description
mode=<standalone|activeActive>    The mode of deployment, whether it is a standalone device or configured in an active/active High Availability mode. Default is standalone.
role=<primary|secondary>          The role of the XC-240 device in the High Availability mode, whether it is to be designated as the primary or the secondary device. Default is primary.
ha_port=<S1..S8>                  The port S8 on which the High Availability link is set up, that is, the port at which the XC-240 connects to another XC-240 device. Port S8 is to be configured as the High Availability port.
autosync=<enable|disable>         Synchronizes the configuration between the primary and secondary XC-240 Load Balancers automatically. The synchronization happens only when there is a configuration change in either of the Load Balancers, and not continuously.
ha config_resync
To resynchronize configuration between the primary and secondary XC-240 devices.
Syntax
ha config_resync
Parameters
None
This command can be executed on either the primary or the secondary XC-240 device. Configuration
from the peer device is pulled and applied to the local device every time this command is executed.
If the ha config_resync command is issued on both the primary and secondary XC-240s at the same
time, one or both of them are rejected based on the timing of the execution and the state of each
device. Consider the following points when the ha config_resync is executed on both the devices:
• If the requests are sufficiently delayed by one another, then the later of the two requests is
rejected.
• If the requests occur nearly simultaneously, then each side detects the collision. In that case, both
devices abort the command.
All configurations except port settings are synchronized by this command.
ha show
To display the status of the High Availability mode, use the ha show command.
Syntax
ha show
Parameters
None
Sample output
XC-240>ha show
-------------------------------------
High-Availability Running
-------------------------------------
HA Role: primary
HA Mode: standalone
HA Port: s8
-------------------------------------
High-Availability Status
-------------------------------------
HA State: standalone
HA Peer Link Admin: enable
HA Peer Link Speed: 10000
HA Peer Link State: up
-------------------------------------
HA Config Sync Status
-------------------------------------
HA Cfg Sync State: Idle-connected to peer
HA Configuration State: UNLOCKED
Last Resync Cmd Time: 02/28/13-14:55:05
Last Resync Cmd Result: Completed successfully
Last Resync Req Time: 2023-11-06_10:14:31
Last Resync Req Result: Completed successfully
Last Commit Time: 2023-11-06_10:14:07
Last Commit ID: 236
Last Sync Time: 2023-11-06_10:14:07
Last Sync ID: 236
Last Sync Source: self
image
To display information about the two stored system software images, including the software version
number, use the image show command. To change the image that will be used to boot from, use the
image command.
Syntax
image <1|2>
image show
Parameter    Description
<1|2>        Identifies which image should be used for future reboots.
inet6_ping
This command allows you to ping the system IPv6 address.
Syntax
inet6_ping ipaddr=<IP address> interface=<interface name>
Parameter                                Description
ipaddr=<IP address>                      The IPv6 address
interface=<interface name> (optional)    The name of the interface
lbg
The lbg command indicates the number of Sensor ports to be configured and the mode of operation.
By default, the 60G N+1 mode is configured; 6 Sensor ports are configured to load balance traffic, S7
is the spare port and S8 is the High Availability port.
Configure the mode of operation for the XC-240 using the command lbg set ports.
To view the number of Sensor ports to be load balanced and the status of these ports use the
command lbg show.
Syntax
lbg show
The ports are down if they are displayed in braces, for example, (s1),(s2),(s3),(s4),(s5),(s6)
spares: (s7).
The ports are up if they are not displayed in braces, for example, s1,s2,s3,s4,s5,s6 spares: s7.
lbg set ports=<port list> spares=<spare port> group=# dyn=<enable|disable> arp=<port
list> mpls=<port list>
Examples
Without High Availability and without Sensor redundancy (80G N):
lbg set ports=s1,s2,s3,s4,s5,s6,s7,s8 group=1 OR lbg set ports=s1-s8 group=1
Without High Availability and with Sensor redundancy (70G N+1):
lbg set ports=s1,s2,s3,s4,s5,s6,s7 spares=s8 group=1 OR lbg set ports=s1-s7 spares=s8 group=1
With High Availability and without Sensor redundancy (70G N):
lbg set ports=s1,s2,s3,s4,s5,s6,s7 group=1 OR lbg set ports=s1-s7 group=1
With High Availability and with Sensor redundancy (60G N+1):
lbg set ports=s1,s2,s3,s4,s5,s6 spares=s7 group=1 OR lbg set ports=s1-s6 spares=s7 group=1
Parameter               Description
<port list>             The Sensor ports to be configured for load balancing.
<spares=spare port>     The Sensor port configured as the spare port. The standby Sensor is connected to this port.
arp=<port list>         The Sensor ports to be configured to receive the ARP traffic.
mpls=<port list>        The Sensor ports to be configured to receive the MPLS traffic.
dyn=<enable|disable>    To enable dynamic spare port.
group=1                 The XC-240 port group.
Sample output of lbg show
XC-240> lbg show
group ports
----- -----
1     s5,s6 loopback
ARP   s5
MPLS  all
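The four lbg set examples above follow one pattern, and a wrong port list either leaves a Sensor idle or collides with the High Availability link on S8. The following Python check is an added example, not part of the McAfee guide or the XC-240 software: it expands a port list, derives the mode label, and reports conflicts before the command is typed. The function names are hypothetical, and the 10G-per-port label is inferred from the guide's examples.

```python
import re

HA_PORT = "s8"   # the guide reserves Sensor port S8 for the High Availability link
KNOWN_PARAMS = {"ports", "spares", "group", "dyn", "arp", "mpls"}


def expand_ports(spec):
    """Expand 's1,s2,s5-s7' into ['s1', 's2', 's5', 's6', 's7']."""
    ports = []
    for part in spec.lower().split(","):
        match = re.fullmatch(r"s([1-8])(?:-s([1-8]))?", part.strip())
        if not match:
            raise ValueError("not a Sensor port or range: %r" % part)
        first = int(match.group(1))
        last = int(match.group(2) or first)
        if last < first:
            raise ValueError("descending range: %r" % part)
        ports.extend("s%d" % n for n in range(first, last + 1))
    return ports


def check_lbg_set(command, ha_enabled):
    """Return (mode label, [problems]) for one 'lbg set' command line."""
    params = dict(tok.split("=", 1) for tok in command.split() if "=" in tok)
    problems = ["unknown parameter %s=" % key
                for key in sorted(set(params) - KNOWN_PARAMS)]
    if "ports" not in params:
        return None, problems + ["ports= is missing"]
    ports = expand_ports(params["ports"])
    spares = expand_ports(params["spares"]) if "spares" in params else []

    if len(set(ports)) != len(ports):
        problems.append("a port is listed more than once in ports=")
    overlap = sorted(set(ports) & set(spares))
    if overlap:
        problems.append("spare port also load balanced: %s" % ",".join(overlap))
    if ha_enabled and HA_PORT in ports + spares:
        problems.append("S8 is needed as the High Availability port")

    # Assumption inferred from the guide's four examples: each load-balanced
    # Sensor port counts as 10G, and a configured spare makes the mode N+1.
    label = "%dG N%s" % (10 * len(set(ports)), "+1" if spares else "")
    return label, problems
```
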
logout
When you are done using the command line interface, log out of the system by using the exit,
logout, or quit command. All three commands exit to the shell where you launched your SSH client.
Syntax
logout
Parameters
None
pg set
This command allows you to set the layer2 mode and the operating mode for XC-240 ports.
Syntax
pg set layer2=enable group=<port group>
Enables layer2 mode for specific ports.
pg set layer2=disable group=<port group>
Disables layer2 mode for specific ports.
In the layer2 mode, traffic is monitored only on the inline network ports. Traffic received on span and
tap network ports is dropped.
pg set group=<port group> mode=<operating mode>
Sets the operating mode (inline fail-open/inline fail-close/span/tap) for specific ports.
Do not modify the operating mode through the CLI.
Parameter           Description
<port group>        Indicates the port pair to be put into the layer2 mode. The port group can have values from 1-8. If more than one port pair is to be specified, they can be separated using commas (,). The XC-240 ports are divided into the following eight groups.
                    • Ports 1A & 1B ---- 1
                    • Ports 2A & 2B ---- 2
                    • Ports 3A & 3B ---- 3
                    • Ports 4A & 4B ---- 4
                    • Ports 5A & 5B ---- 5
                    • Ports 6A & 6B ---- 6
                    • Ports 7A & 7B ---- 7
                    • Ports 8A & 8B ---- 8
<operating_mode>    Indicates the operating mode. The values of inlineFailOpen, inlineFailClose, span or tap can be given.
pg show
This command displays the status of the XC-240 ports.
Syntax
pg show ports=<1A-S8>|<all>|<none>
You can view the status of all ports or specific ports (1A-S8). Specific ports can be separated using
commas (,) or given in a range (1A-5B).
Sample output
LB_79>pg show ports=1a
Port 1a
Operating Mode: inlineFailClose
Layer2 Status: disabled
Speed: 1000 Full
Operating status: down
Administrative state: enabled
Packets Rx: 0
Packets Tx: 0
Packets Rx CRC Err: 0
Packets Tx CRC Err: 0
Packets Other Err: 0
Packets Rx Jumbo 0
Packets Tx Jumbo 0
Packets Looped Back: 0
ping
To find out if a device is accessible at a certain IP address, use the ping command.
Syntax
ping <address>
Parameter    Description
<address>    The IP address to be pinged.
port set
To configure ports, use the port set command.
Syntax
port set admin=<enable|disable> ports=<port list>|<none>|<all> speed=<1000|10000>
tag=<2 to 4094 | none> tpid=<8100 or 9100>
Parameter                         Description
ports=<port list>|<none>|<all>    Indicates the port to be configured. If more than one port is specified they can be separated using commas (,). To configure all ports use all.
admin=<enable|disable>            To enable or disable the administrative status of the port
speed=<1000|10000>                The speed on the port. The values can be either 1000 or 10000.
McAfee recommends not to change the values of the tag and tpid parameters.
port show
To view the current port status and settings, use the port show command.
Syntax
port show
Sample output
XC-240>port show
       | Status          | Setting       | LFD
port   | link speed      | admin speed   | Peer
-------+-----------------+---------------+----------
1a     | LFD dis unk     | en 1000       | 1b
1b     | LFD dis unk     | en 1000       | 1a
2a     | LFD dis unk     | dis 10000     | 2b
2b     | LFD dis unk     | dis 10000     | 2a
3a     | LFD dis unk     | en 10000      | 3b
3b     | LFD dis unk     | en 10000      | 3a
snmp
The SNMP commands allow you to configure SNMP support for XC-240.
To configure SNMP agent settings use snmp set. To view pending and running SNMP agent settings
use snmp show. To activate SNMP agent settings use snmp commit.
Syntax
snmp set admin=<enable|disable> agent=<12|123|3> port=<SNMP port> read_community=<SNMP
v2C Read Community string> write_community=<SNMP v2C Write Community String>
snmp show
snmp commit
SNMP user commands
To add new SNMP v3 users
snmp user_add name=<name of the user> authProto=<authentication protocol>
authPass=<authentication password> privProto=<privacy protocol> privPass=<privacy
password> access=<user access>
To configure existing SNMP v3 users
snmp user_set name=<name of the user> access=<user access>
To delete existing SNMP v3 users
snmp user_del name=<name of the user>
To list pending and running SNMP v3 users
snmp user_show
Parameter    Description
name         The name of the SNMP v3 user
authProto    Authentication protocol (MD5, SHA, none)
authPass     Authentication password (6-64 alphanumeric or underscore "_" characters)
privProto    Privacy protocol (DES, AES, none)
privPass     Privacy password (6-64 alphanumeric or underscore "_" characters)
access       User access (rw, ro, none)
SNMP trap commands
To add new SNMP trap receivers
snmp trap_add name=<SNMP user configured on the NSM while adding the XC-240>
type=<type of trap receiver> authProto=<authentication protocol>
authPass=<authentication password> privProto=<privacy protocol> privPass=<privacy
password> community=<SNMP Community String> engID=<Engine ID of trap receiver>
access=<user access> ip=<IP of the Manager> port=<4169> ip_secondary=<secondary IP>
port_secondary=<4169> admin=<administrative status of the trap receiver>
To configure existing SNMP trap receivers
snmp trap_set name=<name of the trap receiver> admin=<enable|disable> access=<user
access> port=<4169> ip=<IP address> ip_secondary=<secondary IP address>
port_secondary=<4169>
To view details of existing SNMP trap receivers
snmp trap_show
To delete existing SNMP trap receivers
snmp trap_del <name>
To send an SNMP trap
snmp trap_send type=<coldStart | warmStart | hello>
Parameter         Description
name              The SNMP user configured on the Manager while adding the XC-240
type              The type of the trap receiver; v1|v2|v12|v2i|v3|v3i
ip                The IP address of the Manager
authProto         Authentication protocol (MD5, SHA, none)
authPass          Authentication password (6-64 alphanumeric characters and "_")
privPass          Privacy password (6-64 alphanumeric characters and "_")
community         The SNMP community string
port              SNMP port 4169.
ip_secondary      The IP address of the secondary manager (when MDR is used).
port_secondary    The SNMP port of the secondary manager (when MDR is used).
admin             Administrative state of the trap receiver (enable | disable)
access            User access (rw, ro, none)
engID             Engine ID of the trap receiver (5-30 octets)
type              Used to test whether the configured trap receiver is able to send traps.
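The snmp commands above, like capture, config export/import and upgrade, take their secrets as name=value arguments, and the CLI keeps the last 100 commands in its history buffer. The following Python audit is an added example, not part of the McAfee guide or the XC-240 software: it reads a CLI session listing and reports weak SNMP choices, FTP passwords, and secrets typed after the last history clear. The function names and sample lines are constructed, and it assumes the history buffer stores arguments as typed.

```python
import re

# Parameters in the guide's syntax lines whose values are secrets.
SECRET_KEYS = {"pw", "authPass", "privPass", "community",
               "read_community", "write_community"}
# Commands in the guide that take user=/pw= for an FTP transfer.
FTP_COMMANDS = ("capture", "config export", "config import", "upgrade")
# Documented password rule: 6-64 alphanumeric or underscore characters.
PASS_RULE = re.compile(r"[A-Za-z0-9_]{6,64}")
PROMPT = re.compile(r"^[\w-]+>\s*")   # "XC-240> " or "LB_79>"


def parse_command(line):
    """Return (command words, {param: value}) for one CLI line."""
    words, params = [], {}
    for token in PROMPT.sub("", line.strip()).split():
        key, sep, value = token.partition("=")
        if sep and key:
            params[key] = value
        else:
            words.append(token)
    return " ".join(words), params


def check_snmp(command, params):
    """Findings about the SNMP protection chosen on one command."""
    findings = []
    if command == "snmp trap_add" and params.get("type") not in ("v3", "v3i"):
        findings.append("trap receiver type=%s relies on a community string, "
                        "not SNMPv3 authentication and privacy" % params.get("type"))
    if command in ("snmp user_add", "snmp trap_add"):
        for key, weak, strong in (("authProto", "MD5", "SHA"),
                                  ("privProto", "DES", "AES")):
            value = params.get(key, "").upper()
            if value == "NONE":
                findings.append("%s=none switches that protection off" % key)
            elif value == weak:
                findings.append("%s=%s; %s is the stronger documented option"
                                % (key, weak, strong))
        for key in ("authPass", "privPass"):
            if key in params and not PASS_RULE.fullmatch(params[key]):
                findings.append("%s breaks the documented 6-64 character rule" % key)
    if command == "snmp set":
        for key in ("read_community", "write_community"):
            if params.get(key, "").lower() in ("public", "private"):
                findings.append("%s is a widely known default string" % key)
    return findings


def audit(lines):
    """Return sorted [(line number, message)] for a CLI session listing."""
    findings, in_history = [], []
    for number, line in enumerate(lines, start=1):
        command, params = parse_command(line)
        if command == "history clear":
            in_history = []            # secrets typed before this point are gone
            continue
        findings += [(number, msg) for msg in check_snmp(command, params)]
        if command.startswith(FTP_COMMANDS) and "pw" in params:
            findings.append((number, "pw= travels to the FTP server unencrypted"))
        secrets = sorted(SECRET_KEYS.intersection(params))
        if secrets:
            in_history.append((number, "still in the command history buffer: "
                               + ", ".join(secrets)))
    return sorted(findings + in_history)


# Constructed session; every address, name and password is a placeholder.
SAMPLE_SESSION = [
    "XC-240> capture all srvip=192.0.2.10 user=logs pw=Example_pw1 dir=xc240",
    "XC-240> history clear",
    "XC-240> snmp user_add name=nsm_ro authProto=MD5 authPass=abc12 "
    "privProto=DES privPass=Example_priv1 access=ro",
    "XC-240> snmp trap_add name=nsm type=v2 community=public ip=192.0.2.20 port=4169",
    "XC-240> snmp user_add name=nsm_rw authProto=SHA authPass=Example_auth1 "
    "privProto=AES privPass=Example_priv2 access=rw",
    "XC-240>ha show",
]

if __name__ == "__main__":
    for number, message in audit(SAMPLE_SESSION):
        print("line %d: %s" % (number, message))
```
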
stats
To clear port statistics, use the stats clear command. To view port statistics, use the stats show
command.
In a multi-unit system, use the argument to specify which unit should be acted upon by the command.
Syntax
stats clear ports=<all|portlist>
stats show ports=<all|portlist> [all=<y|yes>] [brief=<y|yes>] [bytes=<y|yes>]
[dropped=<y|yes>] [errs=<y|yes>] [other=<y|yes>] [priority=<y|yes>] [protocol=<y|yes>]
[size=<y|yes>] [parse_trigs=y] [global_parse_trigs=y]
Parameter               Description
ports=<all|portlist>    Identifies the ports to which the command applies; all applies the command to all ports.
all                     Displays all statistics
brief                   Displays brief statistics (default)
bytes                   Displays byte counters
dropped                 Displays dropped packet counters
errs                    Displays error counters
other                   Displays uncategorized statistics
priority                Displays priority counters
protocol                Displays protocol counters
size                    Displays packet size counters
parse_trigs             Displays port counters for parse error frames trapped to the CPU
global_parse_trigs      Displays system wide counters for parse error frames trapped to the CPU
sysip
To set the system IPv4 address, use the sysip set command. To set the system IPv6 address, use
the sysip inet6_set command. The set commands must be followed (not necessarily immediately; you
can enter other commands in between) by the sysip commit command to make the change
active. To delete the currently assigned system IPv6 address, use the sysip inet6_del command. To
discard the changes before they are made active, use the sysip discard command. To view the
current and pending system IP addresses, use the sysip show command.
If you are operating over an SSH or Web connection, note that when you change XC-240's IP address,
your connection will be broken and you will have to establish a new connection at the new IP address.
Syntax
sysip commit
sysip discard
sysip set ipaddr=<IPv4 address> mask=<netmask> gw=<gateway>
sysip inet6_set ipaddr=<IPv6 address> prefixlen=<prefix length>
sysip inet6_del ipaddr
sysip show
Parameter                    Description
ipaddr=<address>             The new IPv4/IPv6 address
mask=<netmask>               The new netmask
gw=<gateway>                 The new gateway IP address
prefixlen=<prefix length>    The prefix length; 0-128.
Sample output of sysip show
XC-240> sysip show
Active System IP Address
-----------------------
IP addr: 172.16.233.120
IP mask: 255.255.255.0
Gateway: 172.16.233.1
IPv6 addr: 2000::79/64 (Scope:Global)
MAC addr: C8:87:3B:00:10:A4
syslog
To clear the system log file, use the syslog clear command. To display the system log using
pagination control commands, use the syslog page command (equivalent to the Linux less
command). To dump the entire system log to the console screen, use the syslog show command. To
monitor the end of the system log file, in other words, to watch messages as they arrive in the file,
use the syslog tail command (equivalent to the Linux tail -f command). The system log captures
information primarily intended to help McAfee service engineers debug problems.
When you execute the syslog tail command, messages are displayed on the console screen as they
are added to the log file. Use CTRL-c to stop the command and issue new command line interface
commands.
When you execute the syslog page command, use these keys to manipulate the file:
Key                                       Action
<space>, <page-down>, <up-arrow>, d, f    move forward
<pgup>, <down-arrow>, b, u, y             move backward
g                                         go to beginning
<n> g                                     go to line <n>
G                                         go to end
/<pattern>                                search forward
?<pattern>                                search backward
n                                         repeat last search (forward)
N                                         repeat last search (backward)
q                                         quit
h                                         print detailed help
Syntax
syslog clear
syslog page
syslog show
syslog tail
Parameters
None
system
To restart XC-240, use the system restart command; this has the same effect as cycling power to
the unit. To shut down the system in preparation for powering it off, use the system shutdown
command. Power can be turned on and off without using the system shutdown command, but using
the system shutdown command when possible is a best practice on all systems.
Syntax
system restart
system shutdown
system unconfig action=<restart | shutdown>
The system unconfig command can be executed without the action parameter. When this is done, you
are prompted to confirm a system reboot.
time
To view the XC-240 system time-of-day clock, use the time show command. To set the XC-240 system
time-of-day clock, use the time command.
XC-240 maintains the system clock (date and time) even when no power is supplied to the unit, so
you should only need to set the date and time once (and to adjust for Daylight Saving Time and leap
years). The system clock is used only for timestamping log messages.
Syntax
time <hh:mm:ss>
time show
Parameter     Description
<hh:mm:ss>    Enter in hh:mm:ss format; the system clock is set to this time
upgrade
To upgrade XC-240's software, use the upgrade command. You can copy the system image to a local
server and upgrade locally for faster performance.
If you need the correct parameters for a software upgrade, contact the McAfee Technical Support
Personnel.
Syntax
upgrade srvip=<srvip> user=<username> pw=<password> file=<filename> [uncongif=y]
[ftp_mode=active|passive]
Parameter                    Description
srvip=<srvip>                The IPv4 address of the ftp upgrade server
user=<username>              The username of the ftp upgrade server account
pw=<password>                The password for the ftp upgrade server account
file=<filename>              The name of the XC-240 software image file on the ftp upgrade server
[uncongif=y]                 [Optional] Erases system configuration after upgrade. This is required when upgrade operation is done on an image with no backward compatibility.
[ftp_mode=active|passive]    The FTP transfer mode; whether active or passive.
user
To add a new user account to the system, use the user add command. To delete a user account from
the system, use the user del command. To change a user account password or privilege level, use
the user mod command. To view a list of user accounts on the system, use the user show command.
Syntax
user add name=<username> pw=<password> priv=<privilege>
user del name=<username>
user mod name=<username> pw=<password> priv=<privilege> console_login=<1_level|
2_level>
user show
Parameter                          Description
name=<username>                    The username of the affected account
pw=<password>                      The password for the affected account
priv=<level>                       The privilege level for the affected account. The following privilege levels are supported:
                                   • 1 - admin. Full privileges
                                   • 2 - user. All privileges except the user, port set, remote, and security commands (and can change own user password)
console_login=<1_level|2_level>    The console login levels (root account only)
util show
To display the port bandwidth utilization statistics, use the util show command.
The display includes:
• The current transmit and receive bandwidth utilization, averaged over 1 second
• A character bar graph displaying the utilization with one = character for each 5%
• The peak utilization since the last stats clear operation
• The date and time the recorded peak utilization occurred
Syntax
util show ports=<all | portlist>
Parameter                 Description
ports=<all | portlist>    The ports to which the command applies
quit or exit
When you are done using the command line interface, log out of the system by using the exit,
logout, or quit command. All three commands exit to the shell where you launched your SSH client.
Syntax
quit
Parameters
None
!
XC-240 keeps a history of the last 100 commands you entered. To view the command history buffer,
use the history command. To execute a command that is stored in the command buffer, use the !
command. You can also bring commands from the history buffer to the current command line for
execution or editing by using the up arrow and down arrow keys.
Syntax
!<number>
Parameter    Description
<number>     The number of the command in the history buffer that will be executed; lower numbers are older commands
7
Limitations
This section describes the limitations on the XC Cluster.
The following functionalities are not supported on M-8000XC Sensors:
• Rate limiting
• Syn-Cookies
• VLAN bridging
• Importing and exporting configurations
• Packet Capturing
The following functionalities are not supported on XC-240 Load Balancer:
• The XC-240 device does not follow the shared-secret based trust establishment. Instead the user
has to configure the SNMPv3 credentials in the XC-240 and manually configure the same in the
Manager.
• The XC-240 device software upgrade is not possible through the Manager.
• The Passive Fail-open kit is not supported.
• IPv6 support for SNMP and management port is not available.
The Manager does not support configuring the mode of operation: the load balancing group and High
Availability parameters.
SCP file Transfer, Granular access control to CLI, Advanced Botnet Detection, Passive Device Profiling
and the Application IDs work independently at per Sensor level.
8
Troubleshooting tips
Some troubleshooting tips for the XC-240 device are given in the following table.
Problem: LED is off.
Possible cause: The XC-240 is powered off.
Solution: Restore XC-240 power.

Problem: LED is off.
Possible cause: The XC-240 port cable is disconnected.
Solution: Check the XC-240 cable connections.

Problem: XC-240 is operational, but is not monitoring traffic.
Possible cause: Network device cables have been disconnected.
Solution: Check the cables and ensure they are properly connected to the network devices.

Problem: Network or link problems.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the network devices.

Problem: Runts or giants errors on switch and routers.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the network devices.
9
Technical specifications
The technical specifications for the device XC-240 are described in the following table:
XC-240 specifics             Description
Environmental                Operating Temperature: 0° to 35° C
                             Storage Temperature: -40° to 70° C
                             Relative Humidity (non-condensing): Operational: 10% to 90%, Non-operational: 5% to 95%
Mechanical                   Dimensions (WxHxD): 1U rack mountable 16.75" x 1.75" x 17.5"
                             Mounting: Surface or 19" rack mount (1U)
                             Weight: 13.6 lbs
Connectors                   Ports: (24) SFP+ (16 Monitoring ports, 8 Sensor ports)
                             Management Port: (1) RJ45 10/100/100 Copper Network
                             Configuration (command line interface) Port: (1) RJ45 RS232
                             Power: (2) AC universal, redundant, hot-swappable modules
Electrical Specifications    AC Input: 100-240VAC, 4.5A, 47-63Hz (Japan: 100-125VAC, ~300 VA, 50-60Hz)
                             Power Consumption: 200W typical
Indicators                   (All ports) Link LEDs
                             (All ports) Activity LEDs
                             (2) Power LEDs
Certifications               Safety: UL 1950, CSA-C22.2 No. 950, EN-60950, IEC 950, EN 60825, IEC 60825, 21CFR1040 CB license and report covering all national country deviations.
                             EMI: FCC Part 15, Class A (CFR 47) (USA) ICES-003 Class A (Canada), EN55022 Class A (Europe), CISPR22 Class A (Int'l)
                             Protocol: Fully IEEE 802.3 compliant