Mcafee Network Threat Behavior Analysis 9.1.x Product Guide 11-28-2021

McAfee Network Threat Behavior Analysis 9.1.x Product Guide
Network Threat Behavior Analysis Basics

Overview
The McAfee NTBA Appliance is a feature-rich, non-intrusive solution for monitoring network traffic by analyzing flow information
passing through the network in real time. The NTBA Appliance complements the IPS capabilities in a scenario where Network Security
Platform IPS Sensors and NTBA Appliances are installed and managed through the McAfee® Network Security Manager
(Manager).
Real-time monitoring of the network reduces the time needed to solve network-related problems and helps in identifying threats.
Questions such as why the network is slow, or which application has the largest download impact, are easily answered in a
network that is monitored by the NTBA Appliance.
The NTBA Appliance gathers flow information from across users, applications, endpoints, network devices, and stores them in an
embedded database. You can see real-time data and a moving profile of applications, endpoints, zones, and interface traffic. The
NTBA Appliance provides a graphic configurable real-time view of the network traffic.
Threat-related events such as endpoint scans, port scans, worm attacks, new service / application, new endpoint, suspicious
connection, DoS, P2P, and spambots can be tracked based on user-defined policies. All this information is coalesced in the Attack
Log of the Manager that can be drilled down for detailed information.
The NTBA Appliance does effective malware monitoring by detecting unauthorized reconnaissance scanning of any infected
laptops in the system that can spread worm traffic. It also detects unauthorized applications, rogue web servers, and peer-to-
peer applications.

NTBA Appliance features


This section provides a high-level view of the features supported by NTBA.
• Detection of volume and threshold traffic anomalies in normal traffic within the network, and in incoming traffic after
establishing a threshold profile. If traffic is attack traffic and the burst size exceeds the threshold, an alert is raised.
• Detection of behavioral anomaly and checks for generic behavioral violations.
• Detection of communication between endpoints.
• Detection of worms, and SMTP callback activity based on behavior analysis. The NTBA Appliance maintains profiles of
cardinality for endpoints, establishes the baseline for each parameter during a given period, and updates the average of
parameters regularly. Worm outbreak detection is done by comparing the sample parameters with the baseline parameters.
• Detection of SMTP mail domain for mail sent from internal endpoints and comparison of the same against configured mail
domains.
• Detection of services, ports, protocols, and IP addresses.
• Detection of port scan/endpoint sweep attacks through inspection of flow packets. A mix of the source endpoints address and
destination port is used to key the scan entry. A scan entry times out after 5 seconds by default (configurable). Detection
happens when the scan weight crosses a configured threshold.
• Monitoring and reporting unusual network behavior by analyzing the flow traffic from flow-enabled switches/routers of
vendors such as Cisco.
• Processing of enhanced flow packets from IPS with Layer7 (L7) data without requiring SPAN traffic feed. IPS sends L7 data to
the NTBA Appliance. The types of L7 data handled by the NTBA Appliance are FTP (Action, Banner, File Name, and User Name),
HTTP (CLSID, Host Header, Request URI, Request User-Agent Header, and Server Type), NetBios (Action, and Filename), and
SMTP (Attachment, Banner, From, and To). These are used in rules and are stored in the embedded database for forensic
analysis.
• Perform context-aware network forensics that analyzes an endpoint and its network activities. The Manager integrates with
NTBA to capture network activity information for a time period and summarizes them for an administrator to take action.



• Perform deduplication. You can enable or disable deduplication through the Manager. When it is enabled, the NTBA Appliance
checks each new flow, determines whether it is a duplicate of an already existing conversation, and processes the flow according
to that setting.
• Allow security investigation and forensic analysis seamlessly for IPS events.
• Check for compliance to the organization's network access policies.
• Provide an automated means through alerts and notifications of enforcing policies relating to anomalies, worms, and callback
activity. This provides real-time protection in areas not covered by signature-based detection.
• Perform forensic analysis based on past flow data.
• Identify endpoints running non-standard applications and laptop users that generate the most IDS events.
• Answer many specific queries through various monitors in the Manager. For example, top N endpoints, top N services, top N
files, top N URLs, top N endpoints, and endpoint threat factor.
• Apply communication rules to flows through policies. Communication rules for a policy can be applied to inbound, outbound,
or bidirectional flows. They can match specific combination of application, service, CIDR block, file, and URL.
• Maintain destination, services, and application information for every internal endpoint.
• Maintain Endpoint Threat Factor with the following threat ranges:
◦ Less than six (low/medium threat)
◦ Greater or equal to six (high threat)
◦ Greater or equal to nine (critical threat)
• Keep track of the endpoint name changes by refreshing endpoint names at a specific time every day. If the endpoint name is
changed, the NTBA Appliance automatically updates the endpoint name to the new endpoint name.
• Collect application finger printing information from the IPS Sensor and provide useful application visibility data for the flow
traffic.
• Store data in an embedded database. The NTBA Appliance has an internal MariaDB, which is used to save flow processed data.
The database has different tables for capturing various types of flow processed data such as conversation traffic, service traffic,
traffic per endpoint, per exporter, per service, per application, and per zone.
• Provide real-time information through default, drill down, and custom monitors in the Manager.
Note: The NTBA Appliance supports Cisco NetFlow routers.
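The port scan/endpoint sweep bullet above describes a scan entry keyed on the source address plus destination port, a 5-second default timeout, and detection when the scan weight crosses a configured threshold. The following Python is an added example written for this page, not the NTBA Appliance's own code; it assumes the scan weight is the number of distinct destination hosts seen under one key within the timeout window, and the flow records it runs over are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample flow records (not from the product guide): one host touching
# port 445 on many destinations within a few seconds, plus ordinary web traffic.
SAMPLE_FLOWS = [
    # (timestamp_seconds, src_ip, dst_ip, dst_port)
    (100.0, "10.0.0.5", "10.0.1.1", 445),
    (100.5, "10.0.0.5", "10.0.1.2", 445),
    (101.0, "10.0.0.5", "10.0.1.3", 445),
    (101.5, "10.0.0.5", "10.0.1.4", 445),
    (102.0, "10.0.0.5", "10.0.1.5", 445),
    (100.2, "10.0.0.9", "10.0.2.10", 443),  # normal traffic, same peer twice
    (103.0, "10.0.0.9", "10.0.2.10", 443),
    (120.0, "10.0.0.5", "10.0.1.6", 445),   # after the entry expired: fresh entry
]


@dataclass
class ScanEntry:
    first_seen: float
    last_seen: float
    targets: set = field(default_factory=set)  # distinct destination hosts


class SweepDetector:
    """Endpoint-sweep detector keyed on (source address, destination port).

    timeout   - seconds of inactivity after which a scan entry is dropped
                (the guide's default is 5 seconds, configurable).
    threshold - scan weight at which an alert is raised (configurable).
    The weight used here, distinct destination hosts per key, is an assumption.
    """

    def __init__(self, timeout=5.0, threshold=4):
        self.timeout = timeout
        self.threshold = threshold
        self.entries = {}
        self.alerts = []

    def _expire(self, now):
        stale = [k for k, e in self.entries.items() if now - e.last_seen > self.timeout]
        for k in stale:
            del self.entries[k]

    def observe(self, ts, src_ip, dst_ip, dst_port):
        """Fold one flow into the scan table; return the key's current weight."""
        self._expire(ts)
        key = (src_ip, dst_port)
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = ScanEntry(ts, ts)
        entry.last_seen = ts
        entry.targets.add(dst_ip)
        weight = len(entry.targets)
        # Weight grows by at most one per flow, so this fires exactly once per entry.
        if weight == self.threshold:
            self.alerts.append({"src": src_ip, "dst_port": dst_port,
                                "weight": weight, "ts": ts})
        return weight


def run(flows, timeout=5.0, threshold=4):
    """Process flows in time order and return the alerts raised."""
    det = SweepDetector(timeout, threshold)
    for ts, src, dst, port in sorted(flows):
        det.observe(ts, src, dst, port)
    return det.alerts
```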

Terminologies
Familiarity with NTBA and flow terminology is important for working with NTBA.

Flow
Flow is defined as a set of IP packets passing an observation point in the network during a certain time interval. All packets
belonging to a particular flow have a set of common properties. Each property is defined as the result of applying a function to
the following values:
• One or more packet header fields (for example, destination IP address), transport header fields (for example, destination port
number), or application header fields (for example, Real Time Protocol (RTP) header fields)
• One or more characteristics of the packet itself (for example, number of Multi-Protocol Label Switching (MPLS) labels)
• One or more of fields derived from packet treatment (for example, next hop IP address and the output interface)
Note: Throughout this document, flow is used to refer to NetFlow, J-Flow, and IPFIX.

J-Flow
J-Flow is a Juniper Networks proprietary flow monitoring implementation. Juniper devices generate summarized flow records for
sampled packets. J-Flow records are compliant with the NetFlow format.
Currently, NTBA supports J-Flow v5 and v9.

NetFlow
NetFlow is a flow type developed by Cisco and has two components: flow generator and flow collector. Currently, NTBA supports
NetFlow v5 and v9.
NetFlows from Palo Alto are also supported.
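As an added example (not NTBA or McAfee code) of the flow records the terms above describe, the following Python parses a NetFlow v5 datagram of the kind an exporter sends to a collector's NetFlow port (UDP 9996 by default, per the port table later in this guide), validating the header before decoding the fixed 48-byte records. The sample datagram is constructed in code rather than captured.

```python
import socket
import struct

# NetFlow v5 layout: 24-byte header followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_netflow_v5(datagram):
    """Decode one v5 export datagram into (header dict, list of record dicts).
    Raises ValueError on anything a collector should refuse rather than guess at."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"invalid record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} does not match {count} records")
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # Top two bits carry the sampling mode, the low 14 bits the interval.
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12],
            "proto": f[13], "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return header, records


def build_sample_datagram():
    """Constructed two-record v5 datagram (not captured from a real exporter)."""
    flows = [
        # src, dst, packets, octets, first_ms, last_ms, sport, dport, tcp_flags, proto
        ("10.0.0.5", "10.0.1.1", 3, 180, 1000, 1500, 51000, 445, 0x02, 6),
        ("10.0.0.9", "10.0.2.10", 20, 14000, 2000, 4000, 52000, 443, 0x18, 6),
    ]
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton("0.0.0.0"),
                       1, 2, pk, oc, fi, la, sp, dp, 0, fl, pr, 0, 0, 0, 0, 0, 0)
        for s, d, pk, oc, fi, la, sp, dp, fl, pr in flows)
    # version 5, record count, uptime, unix secs/nsecs, sequence, engine type/id, sampling
    header = V5_HEADER.pack(5, len(flows), 5000, 1700000000, 0, 42, 0, 0, 0)
    return header + body
```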



IPFIX
Internet Protocol Flow Information Export (IPFIX) is a standard for the exchange of IP traffic flow information. It defines the
format of the flow information that exporters such as routers send to collectors such as NTBA. Currently, NTBA supports IPFIX
v10 flows from Cisco routers only.

Flow exporter
Flow exporters are network devices such as routers and Sensors configured to export flow to the flow collector.

Flow collector
Flow collector is a device that receives the data pushed from one or more flow exporters.
The collector stores the information coming from the flow exporters and provides the administrator with reporting and analysis
through a graphical user interface.
As the flow collector creates its archive of traffic details, a graphical user interface uses this data to provide the network
administrator with details such as, top talkers on a link, who they are communicating with, what protocol/application they are
using, and how long the connections last.
This information can then be used for capacity planning, usage control, security, and incident resolution.
The NTBA Appliance acts as a flow collector and provides reporting as well as analysis through the Manager.

Aggregator
An aggregator is an NTBA Appliance that aggregates flow data from other NTBA Appliances in a multi-NTBA Appliance setup.

Central Collector
It is possible to install more than one NTBA Appliance in a network when the geographical spread and flow volume of the
network call for it. In a multiple NTBA Appliance scenario, one of the NTBA Appliances can be designated as the central
collector. In such a scenario, the central collector acts as the aggregator.
The designated central collector consolidates flow information from all other NTBA Appliances to provide a network-wide view.

Endpoint Threat Factor


The NTBA Appliance maintains a threat factor per endpoint in the network by correlating endpoint behavior with alerts raised on
the endpoint. This risk factor is called the Endpoint Threat Factor.
The NTBA Appliance calculates traffic profiles for every endpoint on the network by calculating and summarizing endpoint
behavior into behavior indexes.
Behavior indexes are calculated by comparing endpoint behavior over a period against its average behavior over a longer period.
The behavior index is maintained in the database along with the metrics and other data for every endpoint as its traffic profile.
When an alert is raised for the endpoint, the alert level is combined with the current behavior index to generate a threat factor
for the endpoint.
The Endpoint Threat Factor is an index that ranges from zero to 10, including fractional values.
The Endpoint Threat Factor is aged automatically if an endpoint no longer raises alerts (for example, after it was quarantined
following a high/critical alert and its behavior was subsequently brought back to normal). In such a situation, the NTBA Appliance
brings the behavioral index of the endpoint to zero as soon as the endpoint behavior approaches its average behavior.
If an endpoint shows no anomalous behavior for long periods, its Endpoint Threat Factor remains at or decreases to zero,
which is the normal Endpoint Threat Factor value for a benign endpoint.
The Endpoint Threat Factor has the following threat ranges:
• Less than six (low/medium threat)
• Greater or equal to six (high threat)
• Greater or equal to nine (critical threat)
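The Endpoint Threat Factor description above gives the inputs (a behavior index from recent versus longer-term averages, the alert level, aging toward zero, and the three ranges) but not the formula. The Python below is an added illustration, not NTBA's implementation: the alert weights, the deviation-based index, the tolerance and the decay rule are assumptions chosen to show how the factor rises on an alert and ages back to zero; only the range boundaries are taken from the guide.

```python
# Range boundaries as stated in the guide: <6 low/medium, >=6 high, >=9 critical.
def classify(etf):
    if etf >= 9.0:
        return "critical"
    if etf >= 6.0:
        return "high"
    return "low/medium"


# ASSUMED contribution of each alert level to the factor (the guide gives no formula).
ALERT_WEIGHT = {"low": 3.0, "medium": 5.0, "high": 7.0, "critical": 9.0}


def behavior_index(recent, baseline):
    """Largest positive relative deviation of the recent period's metrics from the
    longer-period averages. 0.0 means the endpoint is at or below its average."""
    worst = 0.0
    for metric, avg in baseline.items():
        if avg > 0:
            worst = max(worst, (recent.get(metric, 0.0) - avg) / avg)
    return worst


class EndpointProfile:
    """Traffic profile for one endpoint: its baseline, current behavior index,
    and current Endpoint Threat Factor on the 0..10 scale."""

    def __init__(self, baseline, tolerance=0.2, decay=0.7):
        self.baseline = dict(baseline)  # longer-period averages per metric
        self.tolerance = tolerance      # ASSUMED: deviation treated as "near average"
        self.decay = decay              # ASSUMED: aging multiplier per quiet period
        self.index = 0.0
        self.etf = 0.0

    def update(self, recent, alert_level=None):
        """Fold one observation period into the profile; return the new factor."""
        self.index = behavior_index(recent, self.baseline)
        if alert_level is not None:
            # ASSUMED combination: alert weight scaled by the deviation, capped at 10.
            self.etf = min(10.0, ALERT_WEIGHT[alert_level] * (1.0 + self.index))
        elif self.index <= self.tolerance:
            # No alert and behavior back near its average: index to zero, factor ages.
            self.index = 0.0
            self.etf = self.etf * self.decay
            if self.etf < 0.05:
                self.etf = 0.0
        # No alert but still deviating: the factor is held where it is.
        return round(self.etf, 2)


def run_scenario():
    """Constructed scenario: a host fans out to many peers and raises a high alert,
    then settles back to its baseline over several quiet periods."""
    baseline = {"distinct_peers": 20.0, "bytes_out": 1_000_000.0}
    profile = EndpointProfile(baseline)
    periods = [
        ({"distinct_peers": 60.0, "bytes_out": 1_200_000.0}, "high"),
        ({"distinct_peers": 40.0, "bytes_out": 1_000_000.0}, None),  # still deviating
        ({"distinct_peers": 22.0, "bytes_out": 1_000_000.0}, None),  # near average
        ({"distinct_peers": 21.0, "bytes_out": 990_000.0}, None),
    ]
    history = []
    for recent, alert in periods:
        etf = profile.update(recent, alert)
        history.append((etf, classify(etf)))
    return history
```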

De-duplication
De-duplication is the process of eliminating redundant flow data.
De-duplication can be enabled or disabled for the NTBA Appliance in the Manager.
Checking for duplicate flows is done only if de-duplication is enabled. Redundant flows are dropped if de-duplication is enabled.



Communication rules
Communication rules are traffic match and alert trigger threshold rules. Communication rules are applied to network traffic flows
in relation to an NTBA policy.

NTBA zones
A zone is a way of segregating traffic either logically, based on IP addresses (CIDR zones), or physically, based on exporter
interfaces (interface zones). Zones represent groups of endpoints whose traffic should be analyzed collectively for anomalous
behavior.
You can group the network into various logical and physical zones. You can create zones according to specific network
monitoring requirements.
For example, you can create a zone based on a particular LAN, a server zone, or a functional zone like HR or Finance for a group
of endpoints with similar functions.
You can monitor traffic and security threats for individual zones. You can create different policies for each zone and monitor
them exclusively.

Suspicious activity indicators


These predefined indicators are used to collect the network forensic data. The indicators are triggered only when an endpoint,
flow, or executable makes a network connection in the network forensic analysis time window.

NTBA components
The NTBA Appliance captures flows from network devices such as routers and Sensors and analyzes them. The processed data is
then forwarded to the Manager for monitoring.
The NTBA Appliance also enforces policies that can be configured through the Manager.

NTBA NetFlow flow diagram

The NTBA Appliance has a single quad-core processor (low-end appliance) or dual quad-core processors (high-end appliance).
The disks are set up with a hardware RAID controller: RAID 0 for the Linux system and RAID 10 (mirrored disks) for the
database.



NTBA Appliance benefits
Common management
The NTBA Appliance has benefits for both operations and security requirements.
The NTBA Appliance provides traffic trends that are useful as an operational tool for administering a network. Based on
customizable summary information that the NTBA Appliance provides through the Attack Log of the Manager, operational
decisions can be taken for effective monitoring of traffic flow.
You can secure your network by configuring policies based on anomaly and worm attacks.
You can set customized alert and notification response to attacks through the Default NTBA Attack Settings.
Granular refinements to your security requirements are possible through policies that are applied to zones, which is a concept of
grouping that can isolate network traffic either logically (IP Address based) or physically (interface based).
You can group the network into various logical zones (CIDR based), and physical zones (Exporter Interface based) and respond to
security threats for an individual zone.
McAfee offers common management of its NTBA Appliance and Sensor through the Manager.
In this environment, you can add, configure, and apply policies to NTBA Appliances and to IPS Sensors from the Policy page of the
Manager. You can do security investigation and forensic analysis seamlessly for IPS events.
The NTBA Appliance can be added in the same manner as an IPS Sensor under Devices in the resource tree of the Manager.
The NTBA Appliance can be configured in a similar manner as an IPS Sensor.

Multiple NTBA Appliance environments


Deploying multiple NTBA Appliances is an option in a network where the geographical spread and flow volume of the network
call for it.
In a multiple NTBA Appliance environment, one NTBA Appliance can be designated as the Central Collector.
The Central Collector consolidates information from all other NTBA Appliances and provides a network-wide view.
The NTBA Appliance designated as the Central Collector acts as a data aggregator; the rest of the NTBA Appliances in the network
are components (peers) of the NTBA Appliance cluster.

Aggregator - schematic view

The NTBA Appliance High Availability


Primary and backup Central Collectors can be configured through the Manager.



High Availability (availability of a backup NTBA Appliance in case of failure of the primary NTBA Appliance) is ensured by the Central
Collector.
The Manager appoints the primary as the aggregator and informs the components and the aggregator of each other's IP
addresses.
If the primary goes down, the Manager appoints the backup NTBA Appliance as the aggregator. The IP address of the new
aggregator is communicated to the components.
The components establish a handshake with the aggregator by a simple ACK protocol.
If the aggregator does not receive the handshake from a component within a timeout, an alert is raised prompting remedial
action.

High-level visibility
The NTBA Appliance provides high-level visibility into the behavior of your network.
The NTBA Appliance provides a visibility umbrella over network infrastructure, firewalls, IPS, applications, and databases.
The NTBA Appliance uses a combination of deterministic (based on past occurrences) and non-deterministic mechanisms to
analyze flow information generated by the network infrastructure or packet capture devices.
The NTBA Appliance provides network-wide visibility to understand how systems are used, who uses them (endpoint IP address),
how they connect and depend on each other, as well as the ports and protocols they connect over.
The NTBA Appliance provides protection from threats that other security systems cannot identify, such as insider attacks,
unauthorized servers or services, and zero-day attacks.
The NTBA Appliance makes the network transparent to the administrator. This eases regulatory compliance because network
behavior that did or did not occur becomes unambiguous.

Misuse detection
The NTBA Appliance catches hard-to-detect insider misuse, detects potentially harmful behavior, and helps an organization
contain it before it spreads. As a decision-support system, NTBA helps organizations address the impact of various attacks and
behaviors on their network.

Security and operations requirement


The NTBA Appliance provides visibility into network activity to satisfy security and operations requirements. In a network where
firewalls, intrusion prevention, and security information management systems have been successfully deployed, NTBA provides
the last line of defense that can identify network events and behavior not detectable using the other deployed techniques.

Passive discovery
NTBA passively discovers network assets and the nature of network communications, and uses this information to monitor
network traffic.

Real-time picture
The NTBA Appliance also identifies policy and regulatory violations in real time.
The NTBA Appliance tracks all network connectivity and assembles a real-time picture of how data flows. This can be used to
plan security, to debug problems, and to keep applications up and running from an end-user perspective.

Easy exporter configuration


Network devices such as routers and IPS Sensors can be configured to export flows to the NTBA Appliance. You can define a
router or IPS Sensor flow exporter, and specify ports and flow direction to forward records to NTBA for processing.
Note: McAfee M-series and NS-series Sensors can function as flow exporters and send flow information (including Layer 7 data)
to NTBA Appliances. However, M-series or NS-series Sensors cannot be configured to export to a third-party Netflow collector.

Low cost, high value


Since the NTBA Appliance uses flow information that all standard network devices already produce, it is a simple low-cost,
high-value offering for network security and analysis.



NTBA Appliance types
The NTBA Appliance is available as a physical or virtual appliance.
• Physical NTBA Appliance — The NTBA Appliance is shipped as a physical appliance, such as the T-600 or T-1200, that is
pre-imaged with the NTBA software. You can use an ISO image to install NTBA on physical appliances.
• Virtual NTBA Appliance — The Virtual McAfee Network Threat Behavior Analysis Appliance (hereinafter referred to as the Virtual
NTBA Appliance) runs on the VMware ESX operating system, allowing you to provide flexible security for your virtual
environment. You can use an ISO or OVA image to deploy NTBA on virtual appliances.

Considerations for NTBA Appliance installation


This chapter details the considerations for NTBA Appliance installation.

Ports used by the NTBA Appliance


The following table lists the ports used by the NTBA Appliance.

Port Information for configuring firewall rules

| Client | Server | Protocol | Port | User configurable? | Description | Communication |
|---|---|---|---|---|---|---|
| Any | NTBA | TCP | 22 (ssh) | No | Command Line access | SSH |
| Manager | NTBA | TCP | 443 (https) | No | Command channel | SSL (128-bit RC4, MD5), with client authentication |
| NetFlow Exporter | NTBA | UDP | 9996 | Yes | NetFlow channel | UDP |
| System running EIA | NTBA | UDP | 9008 | Yes | EIA service | DTLS |
| System running EIA | NTBA | TCP | 9008 | Yes | EIA service | TCP |
| Sensor | NTBA | TCP | 8505 | No | IPS Channel | SSL (AES-128, SHA1, NULL) |
| NTBA | Manager | TCP | 8504 | No | File Transfer channel | TCP, Encryption (AES-128) |
| NTBA | Manager | TCP | 8502 | No | Alert channel | SSL (128-bit RC4, MD5), with client authentication |
| NTBA | Manager | TCP | 8501 | No | Control channel | SSL (128-bit RC4, MD5), with client authentication |
| NTBA | ePO Server | TCP | 8444 | Yes | For certificate signing | SSL |
| NTBA | NTBA | TCP | 8443 | No | Aggregation channel | SSL |
| NTBA | NetFlow Exporter | TCP | 22 (ssh) | No | Router ACL channel | SSH |
| NTBA | tunnel.web.trustedsource.org | TCP | 443 (https) | No | GTI channel | SSL |
| NTBA | tunnel.web.trustedsource.org | TCP | 80 | No | GTI Database download | HTTP |
| NTBA | DNS Server | UDP | 53 (dns) | No | DNS query | UDP |
| NTBA | NetFlow collector | UDP | - | Yes | NetFlow forwarding | UDP |
| NTBA | TFTP Server | UDP | 69 (tftp) | No | Not for customer | Not for customer |
| NTBA | Any endpoint | UDP | 137 (netbios-ns) | No | NetBIOS lookup | NetBIOS-NS |
| NTBA | list.smartfilter.com | TCP | 80 | No | GTI database download | HTTP |
| NTBA | BackupServer | TCP/UDP | NFS | Yes | Backup channel | NFS |
| NTBA | BackupServer | TCP | 445 | Yes | Backup channel | CIFS |
| NTBA | tau.mcafee.com | TCP | 443 | No | Anti-malware downloads | SSL |
| NTBA | Exporter | UDP | 161 | Yes | Query SNMP (v2c) | UDP |
| NTBA | Exporter | UDP | 161 | Yes | Query SNMP (v3) | UDP (MD5, SHA1, AES, DES) |

Resource limit matrix

| SKU | Recommended RAM | Recommended CPU | Maximum Exporters | Maximum Hosts | Flow processing rate (flows per second) | Maximum Zones |
|---|---|---|---|---|---|---|
| T-600 | NA | NA | 256 | 200000 | 60000 | 1000 |
| T-1200 | NA | NA | 256 | 400000 | 100000 | 1000 |
| T-VM | 16 | 4 | Sensor/Routers: 128 | 100000 | 25000 | 1000 |
| T-100VM | 8 | 4 | Sensor/Routers: 256 | 100000 | 10000 | 1000 |
| T-200VM | 16 | 4 | Sensor/Routers: 256 | 200000 | 25000 | 1000 |

Note: Whenever the user configuration of resources does not meet the recommended values as mentioned in the resource limit
matrix, an error event is raised.

High performance Virtual NTBA Appliance configurations

Resource limit matrix

| SKU | RAM | CPU | Maximum Exporters | Maximum Hosts | Flow processing rate (flows per second) | Maximum zones |
|---|---|---|---|---|---|---|
| T-200VM | 16 (Default) | 4 (Default) | Sensor/Routers: 256 | 200000 | 60000 | 1000 |
| T-200VM | 32 | 8 | Sensor/Routers: 256 | 200000 | 70000 | 1000 |
| T-200VM | 46 | 16 | Sensor/Routers: 256 | 200000 | 80000 | 1000 |
| T-200VM | 96 | 32 | Sensor/Routers: 256 | 200000 | 95000 | 1000 |

Note: High performance Virtual NTBA Appliance configurations are applicable only from Virtual NTBA sensor software version
9.1.3.54.

Selecting the right Virtual NTBA Appliance


The number of flows for a given throughput can vary based on the traffic in your network. The following table illustrates the
approximate number of flows generated based on the traffic flowing through the exporter.

Correlation between number of flows and throughput from exporter

| Average throughput from exporter | Number of flows per second in NTBA Appliance |
|---|---|
| 1 Gbps | ~5,000 |
| 3 Gbps | ~15,000 |
| > 6 Gbps | ~30,000 |

To determine how many flows are received by IPS Sensors configured as exporters:
• View the consolidated Sensor TCP/UDP flow utilization status under Devices → <Admin Domain Name> → Devices → <Device Name> →
Troubleshooting → Traffic Throughput.
-OR-
• Use the show flows CLI command on the IPS Sensor to get the same information.
For better performance of the Virtual NTBA Appliance, make sure that more CPUs are allocated to the Virtual NTBA Appliance.

Selecting installation and upgrade files


Before you download files, it is important to understand whether you wish to do a fresh installation, re-image an appliance, or
upgrade existing NTBA software.
The extracted download files are a combination of .iso, .ova, .jar, and .opt files.

Installation and upgrade files

1. .jar files — If you wish to upgrade virtual appliances or existing NTBA software on physical appliances, download these files.
For virtual appliances, you can upgrade a T-VM to T-100VM or T-200VM, and a T-100VM to T-200VM. For physical appliances, you
can only upgrade the existing NTBA software and not the appliances as such. For example, you can upgrade 7.5.3.34 to 7.5.3.37
but not T-600 to T-1200.
2. .ova files — If you wish to install NTBA on virtual appliances, download these files for T-VM, T-100VM, and T-200VM. We
recommend deploying OVA images on virtual appliances.
3. .opt files — If you wish to upgrade virtual machines or existing NTBA software on physical appliances, you can use a TFTP
server to download and load images. The .opt and .unsigned files enable you to upgrade VMs and upgrade NTBA software on
appliances. This is an alternative to the .jar files.
4. .iso files — If you wish to install NTBA on physical or virtual appliances, download these files. You need to extract the
winzip files and install the specific versions.



Setting up a Physical NTBA Appliance

Setting up the NTBA Appliance: T-600 and T-1200

Verify the shipment


Check for these contents that are shipped with the McAfee Network Threat Behavior Analysis Appliance (NTBA Appliance).
• NTBA Appliance
• Accessory kit containing:
◦ NTBA Appliance Quick Start Guide
◦ Lockable front bezel with key
◦ Power cords (2)
◦ Console cable (1)
◦ Tool-less slide rail (2)
◦ Chassis cable management arm
If any of the contents from the preceding list are missing or damaged, contact McAfee support at http://mysupport.mcafee.com.

Download documentation
Download the product documentation for the NTBA Appliance.

1. Go to the McAfee Documentation Portal at https://docs.mcafee.com.
2. Scroll to the Products A-Z section on the landing page.
3. Click Network Security Platform.
4. Under the Product filter in the left pane, select the version to display a list of documents.
5. Download these documents:
◦ McAfee Network Security Platform 9.1.x Manager-NTBA Release Notes
◦ McAfee Network Threat Behavior Analysis 9.1 Product Guide

Install the mounting rails


Position the mounting rails correctly and install them at the same level.

Task
1. At the front of the rack, position one of the mounting rails so that its mounting bracket aligns with the required rack holes. Clip
the rail into the rack.



Slide rail installation

2. At the back of the rack, pull the back mounting-bracket (extending the mounting rail) so that it aligns with the required rack
holes.
3. Clip the rail to the rack and secure it.
4. Repeat these steps to secure the second mounting rail to the rack.
5. Make sure that the mounting rails are at the same level on each side of the rack.
Note: Make sure that you follow the safety warnings. When identifying where you want the NTBA Appliance to go in the rack,
remember that you should always load the rack from the bottom up. If you are installing multiple NTBA Appliances, start with
the lowest available position first.

Install the NTBA Appliance in the mounting rails


1. With help from another person, lift the NTBA Appliance so that the side rails at the back of the NTBA Appliance are aligned
with the mounting rails in the rack, then push the NTBA Appliance into the mounting rails until it stops.
Caution: Lifting the NTBA Appliance and attaching it to the rack is a two-person job.
2. Use a screwdriver to fix a screw through the front and back rack holes to secure the system to the rack.
3. Attach the provided cable management arm if required.
4. Attach the lockable bezel to protect the front panel if required.

Front panel features and indicators T-1200


The front panel features and indicators of NTBA Appliance T-1200 are as follows:

Front panel T-1200



Item Description

0-11 Hard Drive Bays (12)

12 Front Control Panel

Front Control Panel options

1 Power button with integrated indicator light

2 Hard Drive Activity indicator light

3 System ID button integrated with indicator light

4 System Cold Reset button

5 System NIC 4 Activity indicator light

6 System NIC 3 Activity indicator light

7 Non-maskable interrupt (NMI) button

8 System Status indicator light

9 System NIC 2 Activity indicator light

10 System NIC 1 Activity indicator light (Management port)

Back panel features and indicators T-1200


The T-1200 NTBA Appliance has three collection ports and one management port. For cabling, use ports 1 to 10 in the back
panel.
The collection ports connect to the network infrastructure that generates the NetFlow data from the routers and McAfee®
Network Security Sensors (Sensors). The three collection ports can be used to distribute the NetFlow data from different routers
and Sensors. The management port connects to a network device that in turn connects to the Manager. The NTBA Appliance is
managed through the Manager.

Back panel T-1200

Item Description

1 Power supply 1

2 Power supply 2

3 Management port (1)

4-6 Collection ports (3)

7 Video connector

8 Console port

9 USB ports (3)

10 Remote Management Module (RMM4 NIC) port

11 Add-in card slots

Front panel features and indicators T-600


The front panel features and indicators of NTBA Appliance T-600 are as follows:

Front panel T-600

Item Description

0-3 Hard drive bays (4)

4 Front Control Panel

5 USB ports (2)

6 Video connector

Front Control Panel options

1 System ID button integrated with indicator light

2 Non-maskable interrupt (NMI) button

3 System NIC 1 Activity indicator light (Management port)

4 System NIC 3 Activity indicator light

5 System Status indicator light

6 Power button with integrated indicator light

7 Hard Drive Activity indicator light

8 System Cold Reset button

9 System NIC 4 Activity indicator light

10 System NIC 2 Activity indicator light

Back panel features and indicators T-600


The T-600 NTBA Appliance has three collection ports and one management port. For cabling, use ports 1 to 10 in the back panel.

Back panel T-600

Item   Description
1      Power supply 1
2      Power supply 2
3      Management port (1)
4-6    Collection ports (3)
7      Video connector
8      Console port
9      USB ports (3)
10     Remote Management Module (RMM4 NIC) port
11     Add-in card slots

Hardware specifications
These are the hardware specifications for T-1200 and T-600.

Hardware specifications

Appliance model                                           T-1200                 T-600
Form factor                                               2U                     1U
Width                                                     17.244 in (438 mm)     17.244 in (438 mm)
Depth                                                     27.87 in (707.8 mm)    27.93 in (709.37 mm)
Height                                                    3.45 in (87.6 mm)      1.7 in (43.2 mm)
Maximum weight                                            21.6 kg (47.65 lbs)    14.96 kg (33 lbs)
Redundant power supply                                    750W                   750W
Estimated inlet power utilization (worst case scenario)   666W                   402W
Quiescent power utilization (@ 120V)                      230W                   140W
Flows per second (fps)                                    100000                 60000

Environmental requirements
These are the system level operating and non-operating environmental limits.

NTBA Appliance environmental requirements

Parameter                               Limits
Environment
Operating temperature                   +10°C to +35°C, with the maximum rate of change not to exceed 10°C per hour
Non-operating temperature               -40°C to +70°C
Non-operating humidity                  50% to 90%, non-condensing at 35°C
Acoustic noise                          Sound power: 7.0 BA in an idle state at typical office ambient temperature (23 +/- 2°C)
Shock, operating                        Half sine, 2 g peak, 11 milliseconds
Shock, unpackaged                       Trapezoidal, 25 g, velocity change 136 inches/second (≥40 lbs to <80 lbs)
Shock, packaged                         Non-palletized free fall in height 18 inches (≥40 lbs to <80 lbs)
Vibration, unpackaged                   5 Hz to 500 Hz, 2.20 g RMS random
Vibration, packaged                     5 Hz to 500 Hz, 1.09 g RMS random
ESD, air discharge                      12 kV
ESD, contact discharge                  8 kV
System cooling requirement in BTU/Hr    T-1200: 2280 BTU/Hr; T-600: 1370 BTU/Hr


Connect the console ports
Task
1. Plug a console cable (RJ45 to DB9 serial) to the console port at the back panel of the NTBA Appliance.
2. Connect the other end of the cable directly to the serial port of the PC or Terminal Server you will be using to configure the
NTBA Appliance (for example, a PC running correctly configured Windows HyperTerminal software).
You must connect directly to the console for initial configuration. You can't configure the NTBA Appliance remotely.
The required settings for HyperTerminal are:

Name Setting

Baud rate 115200

Number of Bits 8

Parity None

Stop Bits 1

Control Flow None

Note: The procedure for cabling the console port of NTBA Appliance T-1200 and T-600 is similar.

Connect the power cables


Connect one end of the power cable to the NTBA Appliance. Plug the other end of the power cable into a grounded electrical
outlet or a separate power source such as an uninterrupted power supply (UPS) or a power distribution unit (PDU).
Note: When you connect power to the appliance, the appliance will immediately turn on and boot up.

Install the Manager software


Task
1. Prepare the system according to the requirements outlined in the McAfee® Network Security Platform Installation Guide and
McAfee Network Security Platform Release Notes.
2. Close all open applications.
3. Insert the Manager CD into the appropriate drive of the Windows server that you want to use as your Manager server. Follow
the instructions in the Installation Wizard as it guides you through the entire process.
Note: You must have administrator rights on the target Windows server to install the Manager software.
Note: A MariaDB database is included with the Manager and is installed (embedded) automatically on your target Windows
server during this process.

Add the NTBA Appliance to the Manager


Adding an NTBA Appliance to the Manager enables the Manager to accept communication from a physically installed and
network-connected Appliance. After communication has been established, the Manager allows editing of the Appliance
configuration. The alert data is available in the Attack Log and Report queries.



Important: You can add a device by selecting Devices → <Admin Domain Name> → Global → Add and Remove Devices but it is
recommended to use the Add Device Wizard to add all devices (except Virtual HIP Sensors) and to establish the trust between the
Manager and the device.

Task
1. The Add Device Wizard window is displayed after the Manager Initialization Wizard is completed.
Important: McAfee recommends adding an Appliance to the Manager first.
Select Devices → <Admin Domain Name> → Global → Add Device Wizard.
The Preparation page is displayed.

Add Device Wizard

2. Click Next.
The Add New Device page is displayed.
3. Enter the device name.
The name must begin with a letter and can contain alphanumeric characters, hyphens, underscores and periods. The length
of the name is not configurable.
4. Select the Device Type as NTBA Appliance.
5. Enter the Shared Secret (repeat at Confirm Shared Secret).
The device name and shared secret are case-sensitive. The Device Name and Shared Secret must also be entered on the device
command line interface (CLI) during physical installation and initialization. If not, the Appliance will not be able to register itself
with the Manager.
The shared secret must be a minimum of 8 characters in length; the length of the shared secret is not configurable. The shared secret
cannot start with an exclamation mark or contain any spaces. The characters that can be used while creating a shared secret are
as follows:
◦ 26 alpha: upper and lower case (a, b, c, ... z and A, B, C, ... Z)
◦ 10 digits: 0 1 2 3 4 5 6 7 8 9
◦ 32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /
6. For an NTBA Appliance, the Updating mode is set to Online.
7. [Optional] Enter the Contact Information and Location.
8. Click Next.
The Trust Establishment page is displayed.
9. Follow the instructions on the page to complete the command line interface (CLI) setup and click Check Trust.
Using the command line interface (CLI), enter the necessary information for the Appliance identification and communication
as described in the McAfee Network Security Platform Installation Guide.
Attention: If you set up the NTBA Appliance first, after the Manager addition, you need to return to the Appliance to reset the
shared secret key and begin Appliance-to-Manager communication.
10. Click Next.
Note: The Next button is enabled once the trust between the Appliance and the Manager is established.
The Port Settings page is displayed. By default, the collection ports are disabled.
11. Enable the ports and modify settings. Click Save and then Next.



The General Settings page is displayed.
12. Configure NTBA Appliance settings for collection ports. Click Next.
The DNS Settings page is displayed.
13. By default global settings are inherited. If you wish, modify the DNS server details. Click Next.
The Exporters page is displayed.
14. Add a router exporter that will forward records to the NTBA Appliance for processing and click Next. To add an IPS exporter, go to IPS
devices.
The Inside Zones page is displayed.
15. Add a new inside zone or edit the default inside zones. Click Next.
The Outside Zones page is displayed.
16. Add a new outside zone or edit the default outside zone. Click Next.
The Update Configuration page is displayed.
17. On the Active Device Profiling page, select the Active Device Profiling checkbox and click Next.
18. Click Update to deploy configuration on the device. This might take some time.
The Update Status bar displays 100% complete.
19. Click Finish.
On the Devices tab, under the Device drop-down list, the NTBA Appliance is added. From Global → Add and Remove Devices option,
you can also view the added Appliance.

Add and Remove Devices

Set up NTBA Appliance


Task
1. Plug a console cable (RJ45 to DB9 serial) to the console port at the back panel of the NTBA Appliance.
2. Connect the other end of the cable directly to the serial port of the PC or Terminal Server you are using to configure the NTBA
Appliance. (For example, a PC running correctly configured Windows HyperTerminal software.)
The required settings for HyperTerminal are:

Name Setting

Baud rate 115200

Number of Bits 8

Parity None

Stop Bits 1

Control Flow None

3. Run the HyperTerminal.


4. At the logon prompt, log on to the NTBA Appliance using the default user name admin and password admin123.



5. At the Press Y to start the setup now or N to do it later prompt, enter Y. Set and confirm a setup password. Wait a few
moments while the NTBA Appliance is configured.
6. At the Please enter the sensor name prompt, enter the name of the NTBA Appliance.
Note: The values between <> characters are to be entered by the user, excluding the <> characters.
Example: ntba_appliance_1
The NTBA Appliance name is a case-sensitive alphanumeric character string of up to 25 characters. The string must begin with a
letter and can include hyphens, underscores, and periods, but not spaces. The NTBA Appliance name typed here must be
identical to the one entered against Device Name in the Add New Device page of the Manager.
7. At the Please enter the sensor IP(A.B.C.D) prompt, type the management port IP address of the NTBA Appliance.
Specify a 32-bit address written as four eight-bit numbers separated by periods, as in <A.B.C.D>, where each of A, B, C, and D is an
eight-bit number between 0 and 255.
Example: 10.213.173.237
Note: Setting the IP address for the first time during the initial configuration of the NTBA Appliance does not require an NTBA
Appliance reboot. Subsequent changes to the IP address, however, require a reboot for the change to take effect.
8. At the Please enter the sensor subnet mask(A.B.C.D) prompt, type the management port subnet mask of the Appliance.
<A.B.C.D> represents the subnet mask.
Example: 255.255.255.0
9. At the Please enter the manager primary IPv4 address(A.B.C.D) prompt, type the IPv4 address of the Manager server.
Example: 192.34.3.2
10. (Optional) At the Press Y to configure manager secondary IP address prompt, type Y if you wish to set a Manager
secondary IP address. By default, this is set to N.
11. At the Please enter the sensor default gateway(A.B.C.D) prompt, type the IP address. Use the same convention as for
the Sensor IP address.
Tip: The gateway must be reachable; you should be able to ping it from the NTBA Appliance.
Example: 192.34.2.8
12. Make sure you have set a shared secret key on the Manager for this Sensor.
13. At the Please enter shared secret key prompt, type the shared secret key value. This value is used to establish a trust
relationship between the NTBA Appliance and the Manager.
14. Type the same shared secret key value that you typed in the Add New Device page of the Manager.
The NTBA Appliance prompts you to verify the value. Make sure that the configuration settings to this point have successfully
established the NTBA Appliance on the network.
15. Type the value again and press ENTER.
You can change the NTBA Appliance password by using the passwd command.
A password must be between 8 and 25 characters, is case-sensitive, and can consist of any alphanumeric character or symbol.
Note: McAfee strongly recommends that you choose a password with a combination of characters that is easy for you to
remember but difficult for someone else to guess.
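An added pre-flight check (example code, not part of the guide or of the NTBA product) that encodes the Device Name and Shared Secret rules from the Add Device Wizard step and the dotted-quad form required by the CLI prompts above, so a Manager/CLI mismatch is caught before the Appliance fails to register. It assumes the guide's 32-symbol list is the full ASCII punctuation set (26+26+10+32 = 94 printable characters), and the sample values are the guide's own examples.

```python
"""Pre-flight checks for NTBA Appliance registration values (added example)."""
import string

NAME_MAX_LEN = 25      # CLI sensor-name prompt: "up to 25 characters"
SECRET_MIN_LEN = 8     # Add New Device page: "minimum of 8 characters"

# 26 letters in both cases, 10 digits and 32 symbols, as listed in the guide.
# Assumption: the 32 symbols are exactly the ASCII punctuation characters.
SECRET_SYMBOLS = set("~`!@#$%^&*()_+-=[]{}\\|;:\"',.<>?/")
assert len(SECRET_SYMBOLS) == 32
SECRET_ALLOWED = set(string.ascii_letters) | set(string.digits) | SECRET_SYMBOLS

# Device name: letter first, then letters, digits, hyphens, underscores, periods.
NAME_ALLOWED = set(string.ascii_letters) | set(string.digits) | set("-_.")


def check_device_name(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not name:
        return ["device name is empty"]
    if len(name) > NAME_MAX_LEN:
        problems.append("device name longer than %d characters" % NAME_MAX_LEN)
    if name[0] not in string.ascii_letters:
        problems.append("device name must begin with a letter")
    bad = sorted(set(name) - NAME_ALLOWED)
    if bad:
        problems.append("device name contains disallowed characters: %r" % "".join(bad))
    return problems


def check_shared_secret(secret):
    """Return a list of rule violations; an empty list means the secret is acceptable."""
    problems = []
    if len(secret) < SECRET_MIN_LEN:
        problems.append("shared secret shorter than %d characters" % SECRET_MIN_LEN)
    if secret.startswith("!"):
        problems.append("shared secret must not start with '!'")
    if " " in secret:
        problems.append("shared secret must not contain spaces")
    # Spaces are reported above; anything else outside the allowed set is listed here.
    bad = sorted(set(secret) - SECRET_ALLOWED - {" "})
    if bad:
        problems.append("shared secret contains disallowed characters: %r" % "".join(bad))
    return problems


def check_ipv4(value):
    """True when value is four decimal numbers 0-255 separated by periods (A.B.C.D)."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    for part in parts:
        if not (part.isascii() and part.isdigit()) or not 0 <= int(part) <= 255:
            return False
    return True


def check_registration(manager_name, manager_secret, cli_name, cli_secret):
    """Compare the Manager's Add New Device values with the values typed at the CLI.

    Both are case-sensitive and must match exactly, otherwise the Appliance
    cannot register itself with the Manager.
    """
    problems = check_device_name(manager_name) + check_shared_secret(manager_secret)
    if manager_name != cli_name:
        problems.append("device name differs between Manager and CLI (case-sensitive)")
    if manager_secret != cli_secret:
        problems.append("shared secret differs between Manager and CLI (case-sensitive)")
    return problems


if __name__ == "__main__":
    # Constructed values; the name and addresses are the guide's own examples.
    name, secret = "ntba_appliance_1", "Abc12345$"
    print("name:", check_device_name(name) or "ok")
    print("secret:", check_shared_secret(secret) or "ok")
    for label, addr in [("sensor IP", "10.213.173.237"), ("subnet mask", "255.255.255.0"),
                        ("manager IP", "192.34.3.2"), ("gateway", "192.34.2.8")]:
        print("%s %s: %s" % (label, addr, "ok" if check_ipv4(addr) else "not A.B.C.D"))
    # A CLI entry with different case will not register.
    print("pair:", check_registration(name, secret, "NTBA_appliance_1", secret) or "ok")
```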

Verify successful NTBA Appliance configuration


You can check whether the NTBA Appliance is configured and available by executing the following actions:

Verification process
• At the NTBA Appliance console, type status.
The status information of the NTBA Appliance is displayed. This includes information on whether the NTBA Appliance is
initialized and its health status.



'status' command result

• At the NTBA Appliance console, type show.


The system information is displayed. This includes information on system uptime and the status of the Management port link.

'show' command result

Note: To exit the session, type exit.


• To view or configure the settings of the collection ports for the NTBA Appliance, you access the configuration page in Devices →
<Admin Domain Name> → Devices → <Device Name> → Setup → Physical Ports.



NTBA Physical Ports page

Download the latest NTBA Appliance software


Task
1. Select Manager → <Admin Domain Name> → Updating → Download Device Software.
The Download Device Software page is displayed.

Download Device Software page

2. Select the latest software listed under Software Available for Download and click Download.
The Download Status window is displayed.



Download Status window

3. Click Close Window once the download is complete.


The downloaded software is listed under Software on the Manager in the Download Device Software page and also in the Deploy Device
Software page (Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Maintenance → Deploy Device Software).

Upgrade NTBA Appliance software


You need to upgrade to the latest available version from the Manager.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Maintenance → Deploy Device Software.
The Deploy Device Software page is displayed.

Software Upgrade page

2. Select the latest software listed under Software Ready for Installation and click Upgrade.
The Download Status page is displayed.
3. Click Close Window once the download is complete.



Setting up a Virtual NTBA Appliance

Setting up Virtual NTBA Appliance on an ESX server


This chapter describes the steps to configure your Virtual NTBA Appliance.

NTBA as a Virtual Appliance


A virtual machine is a software implementation of a computer in which an operating system or a program can be installed and
run. While the virtual machine emulates a physical computing environment, requests for CPU, memory, hard disk, hardware
resources, and network are managed by a virtualization layer.
Virtual machines are created within a virtualization layer, such as a hypervisor or a virtualization platform, that runs on top of a
client or a server operating system. This operating system is known as the host operating system. The virtualization layer can be
used to create many individual, isolated virtual machine environments.
McAfee Network Threat Behavior Analysis Virtual Appliance (hereinafter referred to as the Virtual NTBA Appliance) runs on the
VMware ESX operating system, allowing you to provide flexible security for your virtual environment.
If you are an existing user of Network Security Manager, you can download and install a single instance of the Virtual NTBA
Appliance either by using the open virtualization format (OVF) image or the ISO image by extracting CD/DVD image files.
Open Virtualization Format (OVF) is an open standard across various virtualization platforms, for packaging and distributing the
software to be run on virtual machines. An OVF virtual machine consists of a folder containing virtual machine files and a file
describing them. An Open Virtualization Appliance (OVA) file is a single compressed file that contains the contents of an OVF
folder.
The NTBA OVA image comes with pre‑installed NTBA Appliance software, including the recommended configurations and
therefore, is easier to deploy.
Important: McAfee recommends that you deploy the Virtual NTBA Appliance using the OVA image going forward.
You can also install the Virtual NTBA Appliance using the ISO image by extracting the CD/DVD image files. You will have to
configure the hard disks, CPUs, memory, and serial port separately as explained in the Section, Create a virtual instance using ISO
image.

Virtual NTBA Appliance models


McAfee supports these Virtual NTBA Appliances.
• T-VM — Available free with every new purchase of Network Security Manager
• T-100VM and T-200VM — Two stock-keeping units (SKU) for paid virtual NTBA Appliance
You can upgrade your T-VM to NTBA T‑100 or T‑200 Virtual Appliance software. However, once you have upgraded, you cannot
downgrade. For example, if you have upgraded your Virtual NTBA Appliance software to Virtual NTBA T‑200 Appliance, you
cannot downgrade to Virtual NTBA T‑100 Appliance or any version of Virtual NTBA Appliance.
For more information, refer to the McAfee Network Security Platform Installation Guide.

Verify materials
Make sure that you have all the necessary documents and hardware to set up your Virtual NTBA Appliance.



• Grant letter — When you purchase or request an evaluation for Network Security Platform, an email is sent to the point of contact
for your company on record at McAfee. The email contains the:
◦ Serial number
◦ Grant number
• Hardware — The following resources must be dedicated for the Virtual NTBA Appliance.

VMware ESX server requirements for Virtual NTBA Appliance


Component                Details
Virtualization software  ◦ ESXi 6.5 Update 3
                         ◦ ESXi 6.7 Update 3
                         Note: Hyperthreading should be available.
Network ports            5 (one network management port and four network collection ports)*
Storage                  500 GB (create two partitions: 250 GB and 250 GB)

Note: Do not install VMware tools for a Virtual NTBA Appliance.


*If you want to use only two collection ports, then create two switches and add two collection ports to Switch 1 and the other
two to Switch 2.
Note: The management port and the collection ports can be mapped to the same network.

Selecting an OVA or ISO image


You can use an ISO image to install NTBA on physical and virtual appliances. OVA images can be deployed only on virtual
appliances.

ISO Vs. OVA for installing NTBA

                 ISO image                                                              OVA image
Appliances       Physical and virtual appliances                                        Virtual appliances
Models           All models                                                             T-VM, T-100VM, and T-200VM
Packaging        Needs the user to manually configure settings such as creating         Single and complete package
                 virtual machines
Setup time       More                                                                   Less
Configuration    User needs to create and configure VM options such as CPU, memory,     Pre-installed NTBA Appliance software that includes
                 network interfaces, and hard disk                                      the recommended configuration
Errors           Manual intervention might lead to more errors                          Less
Readiness        Create and configure VMs, install NTBA, and reboot the appliance       Deploy an OVA image

Tip: McAfee strongly recommends deploying OVA images on virtual machines, as this is simpler and faster than ISO image
deployment.



High performance Virtual NTBA Appliance
From software version 9.1.3.54, the high performance Virtual NTBA Appliance now gives you the option to configure the number
of virtual sockets, number of cores per socket, and the memory for higher throughput.
For deploying the Virtual NTBA Appliance as a fresh installation, execute either of the following tasks:
• Create a virtual instance using OVA image or
• Create a virtual instance using ISO image
Note: When deploying a virtual instance using an OVA image, the hard disk storage capacity is set to a maximum of 350 GB. For a
storage capacity of beyond 350 GB, you must use an ISO image.
For more information on upgrading the Virtual NTBA Appliance, see McAfee Network Security Platform Installation Guide.

Download the software


You need to download the Virtual NTBA Appliance software to your computer before installing it.

Task
1. Go to the McAfee product downloads page at http://www.mcafee.com/us/downloads/downloads.aspx.
2. Enter your grant ID to view the latest downloads available.
3. Download the Virtual NTBA Appliance software (.iso file or .ova file) depending on the Virtual NTBA Appliance you want to
install and save it on your local drive.

OVA file names for Virtual NTBA Appliance

Virtual NTBA Appliance File name

T-VM ntbasensorImage.T-VM_opt.ova

T-100VM ntbasensorImage.T-100VM_opt.ova

T-200VM ntbasensorImage.T-200VM_opt.ova

4. Copy the Virtual NTBA Appliance software (.iso file or .ova file) to the ESX server datastore (either at datastore1 or datastore2
under /vmfs/volumes) using SSH from the server hosting the iso/ova release image. This is used for booting and installing the
Virtual NTBA Appliance.
Go to /vmfs/volumes/datastore1 and issue:
◦ For ISO: scp <user name>@<ip>:/<path>/imagename.iso.
Example: scp [email protected]:/home/ntbasensorImage_opt.iso.
◦ For OVA: scp <user name>@<ip>:/<path>/imagename.ova.
Example for T-VM: scp [email protected]:/home/ntbasensorImage.T-VM_opt.ova.

Download the documentation


Go to McAfee Documentation Portal to find the product documentation for this product.
Or

Task
1. Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.
3. Download the McAfee Network Security Platform NTBA Administration Guide and Release Notes.



Configure network port mappings on the ESX server
Task
1. In the VMware vSphere Client, connect to the ESX server.
2. In the left pane, select the ESX server that you want to configure.
3. Click the Configuration tab.
4. In the Hardware list, click Networking.
5. In the top right, click the Add networking link.
The Add Network Wizard appears.
6. Specify the connection type as Virtual Machine, then click Next.
7. Use any two unused physical ports or virtual ports and map them to the labels NTBA Management and Collection Port. Select the
interface to be used as the management port for Network Access, then click Next.
8. In the Connection Settings field, type the network label as NTBA Management. This will be the management port.

Virtual Machines-Connection Settings page

9. Click Next.
10. Preview the summary and click Finish.
11. Repeat steps 3 through 10 to add collection ports. Type the network label as Collection Port (see port vmnic5 in the
following figure)
The Network Configuration page is displayed.



Network Configuration page

Create a virtual instance using OVA image


You can create a virtual instance for the Virtual NTBA Appliance using either the OVA image or the ISO image. McAfee
recommends that you deploy the Virtual NTBA Appliance using the OVA image.

Task
1. In the VMware vSphere Client, select File → Deploy OVF Template.
The Deploy OVF Template window is displayed.

The Deploy OVF Template option

2. Browse to the location where the OVA images are placed, and select a file depending on the virtual Appliance you want to
install. In this example, OVA image for T-VM is selected.



Select the OVA image source location

3. Click Next.
The OVF Template Details are displayed.

Verify the OVA image details

4. Click Next. In the Name and Location page, specify the name and location for the deployed template. By default, the OVA file is
displayed.



The Name and Location page with the default OVA image name

5. Type the name for the virtual machine. The name can contain up to 80 characters. In this example, the virtual machine is
named My-NTBA. Click Next.
6. In the Resource Pool page, select where you want to deploy this template. In this example, the pool is named My Resource Pool.
Click Next.

Select a resource pool

7. In the Disk Format page, select the disk format as thick or thin provisioning depending on the amount of the physical disk
storage left. McAfee recommends the default option, which is thick provisioning. Click Next.
Note: When deploying a virtual instance using an OVA image, the hard disk storage capacity is set to a maximum of 350 GB.
For a storage capacity of beyond 350 GB, you must use an ISO image.
8. On the Network Mapping page, map NTBA Collection source network to a collection port configured earlier while setting the network
port mapping on the ESX server. Similarly, map NTBA Management source network. Click Next.



Networking Mapping page

9. On the Ready to Complete page, check the options you have selected. Click Finish to deploy the settings.

Check the options selected

10. Verify that you have created one management port, four collection ports, and two hard disks as shown.



View Virtual Machine properties for the deployed settings

Note: Select the Power on after deployment checkbox if you want the virtual machine to be powered on once the deployment is
complete.
11. [Optional] With Virtual NTBA Appliance software version 9.1.3.54, you can configure the number of virtual sockets, number of
cores per socket, and the memory to match your desired flow processing rate. Select CPUs from the list of hardware devices.
Then, select Number of virtual socket and Number of cores per socket so that the total cores configured match the recommended CPUs.
See Resource limit matrix for more information.
12. [Optional] Select Memory from the list of hardware devices. Depending on the virtual Appliance you want to install, specify the
memory size.
Note: By default, the Virtual NTBA Appliance software version 9.1.3.54 is installed with a configuration of 16 GB Memory and 4
CPUs.
Important: Virtual NTBA Appliance must be shut down before attempting any configuration changes. After updating the
configuration settings, power on the NTBA Appliance for the updated settings to take effect.
13. Once the deployment is successful, click Close.
14. Type Y to proceed with the setup and configure NTBA IP address, device name, device IP address, device default gateway, Manager IP address,
TFTP server IP address.
Note: At this time, do not give the set sensor sharedsecretkey CLI command.
15. This completes the creation of the virtual instance using the NTBA OVA image. Skip the next section, Create a virtual instance using
ISO image, and proceed to the section Configuring Virtual NTBA Appliance using Manager.
You can optionally add a serial port for troubleshooting purposes:
a. Turn off the Virtual NTBA Appliance.
b. [Optional] Right-click the new virtual machine and select Edit Settings to view the properties.
c. [Optional] Once the installation is complete, add a serial port.

Create a virtual instance using ISO image


Use this section only if you wish to create a virtual instance using the NTBA ISO image. McAfee recommends that you deploy the
Virtual NTBA Appliance using the OVA image.

Task
1. In the VMware vSphere Client, go to the Getting Started tab, and click the Create a new virtual machine link.



Create new virtual machine instance on NTBA

2. By default, Typical is selected. Click Next.


3. Type a name for the virtual machine.
4. Click Next.
5. Select a destination storage for the virtual machine files.
6. Click Next.
7. Select the guest operating system as Linux. Select the version as Other 2.6.x Linux (64 Bit) from the drop-down list.
8. Click Next.
9. From the drop-down list, select four NICs and map them to the Collection Port label. These will act as the virtual collection
ports for the NTBA Appliance.
Important: Depending on the virtual machine version, more than four virtual collection ports can be added after the virtual
machine is created, using its Edit Settings dialog.

Network Connections window

10. Click Next.


11. Specify the virtual disk size and the provisioning policy. You can choose the default size for now as this will be removed later.
12. Select the Edit the virtual machine settings before completion checkbox.
13. Click Continue.
14. Remove the default virtual disk created from the list of devices by selecting the device and clicking Remove. You can add new
hard disks as explained in the following section.



Add a new hard disk
Task
1. In the VMware vSphere Client, go to the Virtual Machine Properties window, and click Add.
The Add Hardware wizard appears.
2. Select the device type as Hard Disk.

Add Hardware window

3. Click Next.
4. Select the Create a new virtual disk option.
5. Click Next.
6. Specify the disk size as 250 GB. This is to store the Virtual NTBA Appliance software.
7. Select the Specify a datastore or datastore cluster option.
8. Click Next.
9. Select any SCSI virtual device node.
10. Click Next.
11. Click Finish.
12. Repeat these steps to add another hard disk of 250 GB or above. This will be used to store the NTBA database.

Configure the CPUs


Task
1. In the VMware vSphere Client, go to the Virtual Machine Properties window, and select CPUs from the list of hardware devices.
2. Select Number of virtual socket and Number of cores per socket so that the total cores configured match the recommended CPUs.

Configure memory
Task
1. In the VMware vSphere Client, go to the Virtual Machine Properties window, and select Memory from the list of hardware devices.



2. Depending on the virtual Appliance you want to install, specify the memory size.

Add an NTBA Management Ethernet adapter


Task
1. In the VMware vSphere Client, go to the Virtual Machine Properties window, and click Add.
The Add Hardware wizard appears.
2. Select the device type as Ethernet Adapter.
3. Click Next.
4. Select Adapter Type as E1000 and map it to the NTBA Management label.
5. Click Next.
6. Click Finish.

Add a serial port


Task
1. In the VMware vSphere Client, go to the Virtual Machine Properties window, and click Add.
The Add Hardware wizard appears.
2. Select the device type as Serial Port and click Next.
3. On the right-hand panel, select connection as Use output file. Browse to the location where the output file is saved.
After you have added all the hardware devices, you must see the final screen as shown.

Configured Virtual NTBA Appliance

Add the Virtual NTBA Appliance software


Important: You must have completed the steps in the Section, Download the Software to proceed.



Task
1. In the Virtual Machine Properties window, select CD/DVD drive from the list of hardware devices.
2. In the right pane, under Device Type, select the Datastore ISO File option.
3. Browse to the location where the NTBA Virtual Appliance software is stored.
4. Click OK.
5. Under Device Status, select the Connect at power on checkbox.
6. Click OK.

[Optional] Remove unwanted hardware devices


You can remove unwanted hardware devices such as floppy drive, LSI SCSI adapter, and so on.

Task
1. In the VMware vSphere Client, go to the Virtual Machine Properties window, select Floppy drive from the list of hardware devices.
2. Click Remove.
3. Click OK.

Results
Repeat the steps to remove other unwanted hardware devices from the list.

[Optional] Configure the security profile


The security profile is configured on the ESX server for copying the Virtual NTBA Appliance Software from your local drive to
install the Virtual NTBA Appliance.

Task
1. In the VMware vSphere Client, go to the Configuration tab on the VMWare ESX wizard.
2. From the Software list, select Security Profile.
3. In the Firewall section, click Properties.
4. In the Firewall Properties window, select the SSH Server checkbox under Secure Shell.
5. Click Options.
6. In Startup Policy, select the Start and stop with host option.
7. Click Start.
8. Click OK.
9. In the Firewall Properties window, select the SSH Client checkbox.
10. Click OK.

Install the Virtual NTBA Appliance


Task
1. In the VMware vSphere Client, select the Virtual NTBA Appliance that you want to configure.
2. Right-click the Virtual NTBA Appliance, then select Power → Power On.
3. Click the Console tab. After startup is complete, the NTBA Virtual Appliance Quick Start Program console appears.

Virtual NTBA Appliance Quick Start Program window

4. Type NTBA login as admin and Password as admin123 to log on to the Virtual NTBA Appliance.
5. Run the installntba command to start the Virtual NTBA Appliance installation.
Attention: You will be prompted to reboot the Virtual NTBA Appliance, but do not reboot. Reboot must happen only at Step 9.
A detailed error message will be displayed if the command fails.
6. Once the installation is complete, select the Virtual NTBA Appliance under the ESX server. Right-click the Virtual NTBA
Appliance and select Edit Setting.
The Virtual Machine Properties window appears.
7. Select CD/DVD drive and deselect the Connect at power on checkbox under Device Status.
A Virtual Machine Message window appears.

Virtual Machine Message window

8. Click Yes.
9. From the NTBA console, type the reboot command.
The Virtual NTBA Appliance installation is complete when you see the NTBA login prompt.
Note: This might take several minutes to complete.
10. Type Y to proceed with the setup and configure NTBA IP address, device name, device IP address, device default gateway, Manager IP address,
TFTP server IP address.
Note: At this time, do not give the set sensor sharedsecretkey CLI command.

Add the Virtual NTBA Appliance to the Manager
Define and configure the vNTBA in the Manager.

Task
1. Log on to the Network Security Manager.
2. Add the Virtual NTBA Appliance to the Manager using the Add Device Wizard.
3. If you have not already configured the NTBA interfaces (to which the flow records are addressed) in the Add Device Wizard, specify
the IP address and network mask for the NTBA Virtual Appliance collection port by selecting Devices → <Admin Domain Name> →
Devices → <NTBA Appliance> → Setup → Collection Settings.
4. Verify that the collection ports are up by selecting Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Physical
Ports. Check that the ESX server's physical port that is mapped to the collection port is up. If the connection is down, you will
see a red cross mark as shown in the figure.

Verifying if physical port connection is up

5. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Exporters → Exporters and click Edit.
Note: Configure the Sensor for L7 data export by selecting Devices → <Admin Domain Name> → Devices → <IPS/vIPS Sensor> → Setup →
Advanced → L7 Data Collection.
6. Under IPS Monitoring Port to be Used to Export Traffic:
a. Select the designated port for exporting flows.
b. Provide the port IP address to be used in the IPS monitoring port.
c. Provide the network mask.
d. Provide the default gateway. If the IPS exporting port and the NTBA collection port are directly connected, then provide the
default gateway as Flow Collection IP Address.

Configuration for NetFlow exporting

When the IPS interfaces are deployed inline, NTBA automatically inherits the direction from the IPS. For example, if the IPS
interface is set to inbound, the direction in NTBA is set to internal. For SPAN interfaces, the direction must be configured manually;
the Save operation is allowed only after this change is made.
Note: You can mark interfaces as either external or internal only for IPS interfaces that are non-inline.
7. Select the monitoring ports of IPS, which you wish to monitor, and click Save.
The saved settings are displayed.
8. If you want the traffic to go through the collection port, you must configure a static route. Select Devices → <Admin Domain
Name> → Devices → <NTBA Appliance> → Setup → Routing.
9. [Optional] To add a router or IPS Sensor as an exporter, select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> →
Exporters → Exporters and click New.
The Add Exporter page is displayed.
10. To create zones:
◦ If your deployment uses a CIDR network, then create CIDRs and associate them to internal or external zones.
The Virtual NTBA Appliance appears in the Manager as shown.

Newly added NTBA Virtual Appliance in Manager

11. Perform a configuration update by selecting Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Deploy Pending Changes.
12. Check the NetFlow processing: On the command line, enter show nfcstats. Check the output to verify if the packets are being
processed correctly by the Virtual NTBA Appliance.

Output of show nfcstats CLI command

13. To make sure that NTBA monitors display information received from McAfee® Global Threat Intelligence™, complete the
following steps:
a. Enable Global Threat Intelligence integration by selecting Manager → <Admin Domain Name> → Integration → GTI.
b. Configure DNS settings by selecting Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Name Resolution.
c. Verify whether Global Threat Intelligence is enabled by default by selecting Devices → <Admin Domain Name> → Global → NTBA
Device Settings → Zone Settings → GTI IP Reputation.
d. Perform a configuration update by selecting Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Deploy Pending
Changes.
14. Verify/monitor your network traffic by selecting Devices → <Admin Domain Name> → Devices → <Device Name> → Troubleshooting → Traffic
Throughput.

Attention: If all the endpoints are internal and if all the URLs are internal, then no data is displayed in the Top External Endpoints
By Reputation and the Top URLS By Reputation monitors as McAfee GTI lookup fails for internal endpoints and internal URLs.
Important: The ETF monitors take at least five minutes to populate and display data.

Delete an existing Virtual NTBA Appliance


You can delete an existing Virtual NTBA Appliance.

Task
1. Connect to the ESX server using the VMware vSphere Client.
2. Click the Virtual Machines tab.
3. If the Virtual NTBA Appliance that you want to delete is running, turn it off.
a. Select the Virtual NTBA Appliance.
b. From the menu bar, select Inventory → Virtual Machine → Power → Power Off.
c. Click Yes to confirm.
4. Delete the Virtual NTBA Appliance.
a. Select the Virtual NTBA Appliance.
b. From the menu bar, select Inventory → Virtual Machine → Delete from Disk.
A confirmation window appears.
5. Click Yes.

Results
The Virtual NTBA Appliance is deleted.

Configuring the NTBA Appliance on the Manager

Configuring NTBA Appliance settings


This chapter details the steps involved in configuring the NTBA Appliance settings.

Define the collection settings


You need to define essential NTBA Appliance collection settings, such as the flow record listening port and duplicate flow record
settings.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Collection Settings.
The Collection Settings page is displayed.

Collection Settings page

2. Select the Inherit Settings checkbox if you want to use global settings.
Global settings are set at Devices → <Admin Domain Name> → Global → NTBA Device Settings → Device Settings → Setup → Collection Settings.
All other settings are disabled if this checkbox is selected. Deselect this checkbox to set NTBA Appliance device specific
settings.
3. Select the Discard Duplicate Flow Records checkbox to discard duplicate flow records.
Note: If Discard Duplicate Flow Records is enabled, the NTBA Appliance can detect if one or more exporters are sending flow records
belonging to the same traffic. This prevents duplication.
4. Click Save.
Note: To isolate and protect your management traffic, McAfee strongly recommends using a separate, dedicated
management subnet to interconnect the NTBA Appliance and the Manager. If the management and collection ports of the
NTBA Appliance are in the same subnet, flow information might be sent to the management port instead of the collection
port.
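The duplicate-flow check described above, modelled as an added example that is not NTBA's own code. The FlowRecord structure, the 5-tuple key and the 60-second start-time window are this example's assumptions, and the sample records are constructed. It keeps continuation records from the same exporter and discards a second exporter's copy of the same traffic, which is the effect the Discard Duplicate Flow Records option is meant to produce when an IPS Sensor and a router both see the same session.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    exporter: str   # name of the exporter (IPS Sensor or router) that sent the record
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    start: float    # flow start time in seconds (constructed sample values below)
    octets: int


class FlowDeduplicator:
    """Discards flow records that describe traffic already reported by a different exporter.

    Two records are treated as the same traffic when they share the 5-tuple and their
    start times fall within `window` seconds of each other. Records from the same
    exporter are never discarded, so a long-lived flow that one exporter reports in
    several records is kept intact. The window and the 5-tuple key are this example's
    own choices, not NTBA's documented algorithm.
    """

    def __init__(self, window=60.0, enabled=True):
        self.window = window
        self.enabled = enabled   # mirrors the Discard Duplicate Flow Records checkbox
        self._seen = {}          # 5-tuple -> (exporter, start) of the last accepted record

    @staticmethod
    def key(r):
        return (r.src, r.dst, r.sport, r.dport, r.proto)

    def accept(self, r):
        """Return True if the record should be kept, False if it is a duplicate."""
        if not self.enabled:
            return True
        k = self.key(r)
        prev = self._seen.get(k)
        if prev is not None:
            prev_exporter, prev_start = prev
            if prev_exporter != r.exporter and abs(r.start - prev_start) <= self.window:
                return False   # another exporter already reported this traffic
        self._seen[k] = (r.exporter, r.start)
        return True


def dedupe(records, window=60.0, enabled=True):
    """Filter a batch of records, preserving order."""
    d = FlowDeduplicator(window, enabled)
    return [r for r in records if d.accept(r)]


# Constructed sample: an IPS Sensor and a router both export the same HTTPS session.
SAMPLE_RECORDS = [
    FlowRecord("sensor1", "10.1.1.5", "203.0.113.10", 51000, 443, "tcp", 100.0, 4200),
    FlowRecord("router1", "10.1.1.5", "203.0.113.10", 51000, 443, "tcp", 100.4, 4200),  # duplicate
    FlowRecord("sensor1", "10.1.1.5", "203.0.113.10", 51000, 443, "tcp", 160.0, 9000),  # continuation
    FlowRecord("router1", "10.1.1.5", "203.0.113.10", 51000, 443, "tcp", 160.2, 9000),  # duplicate
    FlowRecord("router1", "10.1.1.5", "203.0.113.10", 51000, 443, "tcp", 400.0, 800),   # new flow, same tuple
    FlowRecord("sensor1", "10.1.1.6", "203.0.113.10", 51001, 443, "tcp", 101.0, 300),
]

if __name__ == "__main__":
    for r in dedupe(SAMPLE_RECORDS):
        print(r.exporter, r.src, r.dst, r.start)
```

With the option disabled (enabled=False) all six constructed records pass through, which is the situation the note describes: both exporters' copies are counted, inflating traffic and endpoint statistics.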

Configure the collection ports


In the Collection Ports tab within the Physical Ports page, you can view or edit the parameters of the collection ports for a specific NTBA
Appliance.

Collection port configuration allows you to change NTBA Appliance deployment modes, select port speeds, or indicate enabled or
disabled ports.
To configure the collection ports, select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Physical Ports. The
Collection Ports tab in the Physical Ports page is displayed. The Collection Ports tab displays the list of ports available for the NTBA
Appliance.

Collection Ports tab - T-1200

Collection Port details

Column          Description
Port            Specifies the collection port.
Link            Specifies the status of the collection port. The available statuses are:
                • Up
                • Down
                • Disabled
Connector Type  Displays the connector type.
                • T-600 and T-1200 Appliances display only the connector type RJ-45.
                • Virtual Adapter
Speed           Specifies the speed and duplex of the port. The available options for speed are:
                • Auto-negotiate
                • 1 Gbps(full)
                • 100 Mbps(full)
                • 100 Mbps(half)
                • 10 Mbps(full)
                • 10 Mbps(half)
Operation       • Mode —
                • Fail-Open Kit —
                • Placement —
Response Port
IP Address      Specifies the IP address and network mask assigned to the collection port. These details are displayed for each port.

To view or configure settings for the NTBA Appliance, do the following:

Task
1. In the Collection Ports tab, double-click on the row of a collection port.
The Collection Port Details window is displayed.

Collection Port Details window

2. Configure the following:
◦ Select Enabled or Disabled from the State drop-down list.
3. In IP Settings, type the IP Address and Network Mask for the collection port.
The Physical Ports page displays the configured collection ports.
4. Click Save to save the configuration changes. A window is displayed to confirm the changes. Click OK to confirm the changes.

Enable or disable a collection port


This section explains how to enable and disable a collection port from the Collection Ports tab.
To view or configure the settings of the collection ports for a McAfee Network Security Platform NTBA Appliance, open the
configuration page at Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Physical Ports. A list of ports available for
the device you selected is displayed in the Collection Ports tab.
To disable a collection port:

1. Click the row of the collection port that you want to disable.
Note: To disable multiple collection ports, press the Shift key and click the multiple collection ports that you want to disable.
2. Click Disable. The collection ports are disabled.

To enable a collection port:

1. Click the row of the collection port that you want to enable.
Note: To enable multiple collection ports, press the Shift key and click the multiple collection ports that you want to enable.
2. Click Enable. The collection ports are enabled.

Port color key


This section describes a port's status color under the Link column in the Monitoring Ports tab.

Port color key

Color    Description
Green    Port is enabled and operating correctly.
Red      Port is enabled, but not operating due to some failure. Check system faults.
Gray     Port has been disabled by the user.
Orange   Device or NTBA Appliance is disconnected. The port data is retrieved from the database.
Beige    Port has been modified.

Viewing management port settings


You can view the details of the management port settings by performing the following steps:

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Physical Ports.
2. Click the Management Port tab. The following information is displayed.

Option                Definition
Virtual IPS Sensor
IPv4 Address          Displays the IPv4 IP address.
IPv4 Network Mask     Displays the network mask for IPv4.
IPv4 Default Gateway  Displays the default gateway for IPv4.
IPv6 Address          Displays the IPv6 IP address.
IPv6 Network Mask     Displays the network mask for IPv6.
IPv6 Default Gateway  Displays the default gateway for IPv6.
Virtual adapter       Specifies the virtual adapter.
Hypervisor Server
Name                  Displays the name of the hypervisor server.
IPv4 Address          Displays the IPv4 IP address of the hypervisor server.
IPv6 Address          Displays the IPv6 IP address of the hypervisor server.

Note: You will not be able to modify any settings in this page. The settings can be modified only from the device CLI.

Add a router as an exporter


Network devices such as routers and IPS Sensors can be added and listed under Exporters under the NTBA_Appliance_name node
in the Devices page of the Manager. When added, these devices can be configured to export flow information to the NTBA
Appliance.
Attention: Without SNMP access, you cannot add a router as an exporter.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Exporters → Exporters.
The Exporters page is displayed.
2. Click New. From the Exporter Type, select Router. By default, IPS Sensor is selected.

Add Exporter page : Router options

3. Set the following choices:


◦ In the Exporter Name field, enter a name for the router.
◦ In the Exporter IP Address field, enter the router's IP address.
◦ In the Description field, enter the description for the router.
◦ Deselect the Inherit Settings checkbox if you want to set SNMP parameters specific to the router.
◦ If Inherit Settings is not selected, enter the UDP port in the UDP Port field.
◦ From the SNMP Version drop-down list, select SNMP Version (2c or 3).
◦ In the Read Only Community String field, enter a read only community string.
◦ In the SNMP Polling Interval (minutes) field, set the interval.
◦ In the User Name field, enter the user name.
◦ In the Password field, enter the password.
◦ In the Write Password field, re-enter the password for the router.

4. Click Test Connection to test the SNMP connection to the router.
Note: If SNMP is not configured, NTBA cannot discover interfaces and does not accept any flows from a router unless the
unknown-interfaces-flows CLI command is set to accept. You also need to configure proper CIDR ranges in the inside and outside
zones. If they are not configured, all endpoints are treated as inside by NTBA.
5. [Optional] If you want the NTBA Appliance to use SSH to add access rules (similar to ACLs in the Manager) to exporters when
configured to quarantine in response to alerts, specify a user name and click Test Connection. Once the NTBA Appliance has
the router information, this option tests the SSH connection to the router.
6. Click Add Exporter and Retrieve Interfaces. The list of interfaces on this exporter is displayed.
Note: Make sure the router is reachable from NTBA; the available interfaces for an exporter are fetched only if it is.
7. Select the router interfaces to forward flows to NTBA. Select External or Internal to mark interfaces outside or inside zones.
8. Click Save.
The newly added router is listed on the Exporters page.

Modify router interfaces


After adding a router, you can modify the settings of the router interfaces from which flow data is collected. The list of
interfaces is displayed only if you have configured the SNMP settings.

Task
1. From the Exporters list, select the exporter you have added and click Edit.
The Properties page is displayed.

2. From Traffic to be Forwarded to NTBA, select Forward to NTBA for sending traffic from a router interface. Select the direction as External
for outbound traffic and Internal for inbound traffic.
3. Click Save.
The selected interfaces are displayed on the Properties page.

Configure L7 data collection


The Sensor captures Layer 7 (L7) data using the FTP, HTTP, Netbios-ss, SMTP, and TELNET protocols and sends it to the NTBA Appliance.
You can customize the Layer 7 data that the Sensor captures and sends to NTBA Appliance.

Task
1. Select Devices → <Admin Domain Name> → Devices → <IPS/vIPS Sensor> → Setup → Advanced → L7 Data Collection.
The L7 Data Collection page is displayed.

L7 Data Collection page

2. Select Customize against the protocol that you want to customize and select the required Enabled? checkboxes.
3. Click Save.

Configure Network Security Sensor as an exporter


Before you begin
You need to configure the Sensor for L7 data export at the L7 Data Collection page before performing this procedure (Devices →
<Admin Domain Name> → Devices → <IPS/vIPS Sensor> → Setup → Advanced → L7 Data Collection).
Sensor or Virtual IPS Sensor (Virtual Sensor) can be configured to export flow information to a particular NTBA Appliance, or to
forward file details for advanced malware analysis to the Gateway Anti-Malware (GAM) engine, or both. Since the Sensor does
deep packet inspection, its flow records will include Layer 7 data.

Task
1. Select Devices → <Admin Domain Name> → Devices → <IPS Sensor> → Setup → NTBA Integration.

NTBA Integration page

2. Set the following configuration choices:
◦ From the NTBA Integration drop-down list, select whether to export flows, forward files to the GAM engine, or both. By default, this is set to
Disabled prior to integration. You can select one of these options:
◦ Enabled for Flow Exporting and Advanced Malware Analysis
◦ Enabled for Flow Exporting only
◦ Enabled for Advanced Malware Analysis only
Tip: If NTBA was integrated with a Sensor, and you upgrade from 7.5 or 8.0 to 8.1 and above, the NTBA Integration option must
show Enabled for Flow Exporting and Advanced Malware Analysis as selected. If Sensor is on 7.1, and you upgrade NTBA from 7.1 to 8.1,
it displays Enabled for Flow Exporting only.
Note: For NS Series Sensors with software version 8.2 and above, the NTBA Integration has options Enabled and Disabled. These
Sensors have a Gateway Anti-Malware engine that scans files using this engine.
◦ From the Target NTBA Appliance drop-down list, select the NTBA Appliance to which you want to send the flow or advanced
malware information or both.
◦ Select the NTBA Appliance collection and listening port.
◦ Under IPS Monitoring Port to be Used to Export Traffic, select the Sensor port for exporting the flow by selecting it from the Designated
Port for Exporting Flows drop-down list.
◦ In the Port IP Address field, enter the port IP Address.
◦ In the Network Mask field, enter the network mask.
◦ In the Default Gateway field, enter the default gateway.
◦ In the VLAN ID field, enter the VLAN ID. Click View Connectivity to confirm if exporting connectivity is established between the
Sensor and NTBA Appliance.
◦ Under Traffic to be Forwarded to NTBA:
◦ Select the protocol to forward flows to NTBA. By default, TCP is selected.
Note: After you upgrade the Sensor to 8.2, ICMP flows are disabled by default and UDP and TCP flows are enabled. If the
Sensor version is pre-8.2, the Manager displays a message that protocols will not be saved. Once the Sensor is upgraded to
8.2, the changes are updated on the Sensor.
◦ Specify the Sensor monitoring ports for which ingress traffic should generate flow records by selecting the Forward to NTBA
checkbox against the listed ports.
3. Click Save.
Note: If the port specified as the Designated Port for Exporting Flows is used exclusively for exporting flows (not for IPS
monitoring), you must configure it as a SPAN port.
4. The newly added interface is displayed on the Exporters page.

Edit exporter configuration


You can edit the existing exporter configuration.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Exporters.
Note: You can also edit the exporter by clicking Properties under the exporter you want to edit.
2. Select the exporter, and click Edit.
The Properties page is displayed.
Note: If the exporter is a Sensor, then you can only edit the description of the Sensor.
3. Make edits and click Save.

[Optional] Configure static route


You can configure static routes on an NTBA Appliance for diagnostic purposes and to check for connectivity between NTBA and
IPS Sensor ports. A static route is also required if you want to route outbound traffic from a collection port.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Routing → New.
The Add a Static Route page is displayed.

Add a Static Route page

2. Select an appliance port from the drop-down list. Check the port status.
Tip: When you select a port, Port Status displays whether the port is Up, Down, or Disabled. For disabled ports, static routes can't be
defined.
Tip: Go to Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Physical Ports to assign an IP address to an
appliance port. If the port is assigned an IP address 0.0.0.0, the static route might not be able to reach the port.

Physical Ports page

3. Type the destination address and mask length.
4. Type the gateway address that exists in the same network as the appliance port.
5. Click Save. The Static Routes page displays the route details like appliance port, port status, destination, and gateway addresses.

Static Routes page

Tip: You can select and delete multiple static routes from the list.
6. Select the route and click Edit or Delete to make changes.
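The conditions in the tips above (a disabled port, a port with address 0.0.0.0, a gateway outside the port's network) as a pre-check you could run before saving a route. This is an added example, not NTBA or Manager code; validate_static_route and its inputs are this example's own, and the check that the destination and mask length form a well-formed network is an addition beyond the tips.

```python
from ipaddress import ip_address, ip_interface, ip_network

# A collection port with no address assigned shows 0.0.0.0 on the Physical Ports page.
UNASSIGNED = ip_address("0.0.0.0")


def validate_static_route(port_status, port_ip, port_mask, destination, mask_length, gateway):
    """Return a list of problems with a proposed static route; an empty list means it passes.

    port_status is the Port Status value shown when a port is selected (Up, Down or
    Disabled). port_ip/port_mask are the address and network mask assigned to the
    appliance port. destination/mask_length and gateway are the route being defined.
    """
    problems = []

    # Static routes cannot be defined for disabled ports.
    if port_status == "Disabled":
        problems.append("static routes cannot be defined for a disabled port")

    # A port left at 0.0.0.0 may not be reachable by the route; assign an address first.
    port_addr = ip_address(port_ip)
    if port_addr == UNASSIGNED:
        problems.append("appliance port has IP address 0.0.0.0; assign an address on the Physical Ports page first")
    else:
        # The gateway must exist in the same network as the appliance port.
        port_net = ip_interface(f"{port_ip}/{port_mask}").network
        if ip_address(gateway) not in port_net:
            problems.append(f"gateway {gateway} is not in the appliance port network {port_net}")

    # Example's own addition: the destination must be a network address for the mask length.
    try:
        ip_network(f"{destination}/{mask_length}", strict=True)
    except ValueError:
        problems.append(f"{destination}/{mask_length} is not a valid destination network")

    return problems


if __name__ == "__main__":
    # Constructed values: a collection port on 192.168.10.0/24 routing to 10.20.0.0/16.
    print(validate_static_route("Up", "192.168.10.5", "255.255.255.0", "10.20.0.0", 16, "192.168.10.1"))
    print(validate_static_route("Up", "0.0.0.0", "255.255.255.0", "10.20.0.0", 16, "192.168.10.1"))
    print(validate_static_route("Up", "192.168.10.5", "255.255.255.0", "10.20.0.0", 16, "192.168.20.1"))
```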

Mark exporter interfaces as internal or external


When you configure an IPS device as exporter, you can configure the ports as internal or external zone.
For example, if port 1A is configured as Inbound, then you can configure that interface as external zone; if port 1A is configured
as Outbound, then you can configure it as internal zone.

Task
1. Select Devices → <Admin Domain Name> → Devices → <IPS Sensor> → Setup → NTBA Integration.

NTBA Integration page

Note: On this page, SPAN ports are depicted with IPS Placement as N/A. Select from the NTBA Direction drop-down list to mark
these ports as internal or external for span traffic.
2. From the NTBA Direction drop-down list, select External to mark the interface as external or Internal to mark the interface as internal
only for SPAN ports.
Tip: To set NTBA direction for in-line ports, navigate to Devices → <Admin Domain Name> → Devices → <IPS Sensor> → Setup → Physical
Ports, and define placement inside or outside the network.
Note: For a router exporter, you can select the NTBA Direction as Internal or External from Devices → <Admin Domain Name> → Devices →
<NTBA Appliance> → Exporters → <Exporter> → Properties page.
3. Click Save.
Note: The current zone assignment for the interface is shown in brackets against Name. On changing the direction (to internal
or external), the interface is automatically moved to the corresponding default zone.
Important: If you want to add an exporter to another NTBA Appliance, you must first delete the existing exporter. To do so,
go to Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Exporters → Exporters. Select an exporter and click Delete.

Define zones
A zone is a concept of segregating network traffic either logically based on IP Addresses (CIDR zones) or physically based on
exporter interfaces (Interface zones).
Zones represent groups of endpoints whose traffic should be analyzed collectively for anomalous behavior. You can group the
network into various logical and physical zones. You can create zones according to specific network monitoring requirements.
For example, you can create a zone based on a particular LAN, a server zone, or a functional zone like HR or Finance for a group
of endpoints with similar functions. You can create different policies for each zone and monitor them exclusively.
Zone creation - rationale
Zone creation involves creating zone elements within the inside and outside zone configuration options in the Manager.
The reason for providing the option to mark zone elements as inside or outside is to provide greater flexibility in applying
policies, and for better capacity planning. (NTBA Appliance T-600 and T-1200 have capacities to monitor 200,000 endpoints and
400,000 endpoints, respectively. Information in excess of these capacities is dropped.)
All zone elements within the inside zone are monitored through the NTBA monitors in the Manager. You can apply different
policies for each zone to monitor threats.
Zone element types

Zone element type can be either CIDR or exporter interface.
Note: The CIDR type settings always override the exporter interface type settings. The NTBA Appliance checks for the CIDR first
to identify if the specific IP address in question belongs to a zone. If it does not belong to the CIDR, only then does it look for the
exporter interface information.
Logic for configuring zone elements
For configuring CIDR zone elements, you need to apply the following logic:
You should include any CIDR address range within the network segment covered by NTBA Appliance as an inside zone element.
You can group them based on groups of endpoints belonging to a network segment with similar functions such as different
departments.
For configuring Interface zone elements, you need to apply the following logic:
Exporter interfaces that export NetFlow to the NTBA Appliance are to be included in the interface zone elements.
Edge interfaces (interfaces connected to traffic coming from outside the network) are to be included while configuring external
interface zone elements.
There are many situations where you would not want to monitor information on network segments covered by CIDR or exporter
interfaces within your internal network. In such cases, you should exclude these CIDR ranges and exporter interfaces from inside
zone elements and set them as outside zone elements.
Configuring SPAN ports and CIDR zones
• If SPAN port is configured as internal, then there will not be any McAfee GTI lookups for endpoint/URL.
• If SPAN port is configured as external (considering there are no CIDRs corresponding to the traffic from this SPAN port in the
inside zone), all the conversations from this port will be dropped.
Therefore, the best practice is to configure SPAN/TAP ports as external. Keep the default CIDRs in the inside zone. If required, add
more CIDRs in the inside zone as per the traffic requirement. This will keep the dashboards populated.
Zone context
A zone is defined in the context of a single NTBA Appliance. In a deployment with multiple NTBA Appliances, zones are therefore defined separately for each appliance.
Note: In NTBA, hosts are not associated to IPS Interface zones since netflow packets from the same host may reach the NTBA
Appliance through different IPS interfaces. They are associated either to a matching CIDR zone or to the Default Inside/Outside
zone. Therefore, the IPS Interface zones are not associated with certain L7 data parameters of the host, such as URLs and files.
This L7 data is displayed under the Default Inside/Outside zone.
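The zone-resolution order described above, as an added example that is not NTBA's own code. It applies the documented precedence (CIDR element first, exporter interface second, default zone last), seeds the default inside zone with the RFC 1918 ranges as the next section notes, and models marking an interface Internal or External as moving it into the corresponding default zone. The Zone and ZoneTable types, the longest-prefix choice among overlapping CIDRs, the fallback to the default outside zone, and the keep_conversation rule (a conversation is analysed only when an endpoint resolves to an inside zone, following the SPAN-port discussion) are this example's assumptions, and the sample configuration is constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The guide notes that the RFC 1918 ranges are added to the default inside zone
# when an NTBA Appliance is added to the Manager.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class Zone:
    name: str
    inside: bool                                   # True: inside zone, False: outside zone
    cidrs: list = field(default_factory=list)      # CIDR zone elements (ip_network objects)
    interfaces: set = field(default_factory=set)   # interface zone elements: (exporter, interface)


class ZoneTable:
    """Zone configuration of one NTBA Appliance (zones are defined per appliance)."""

    def __init__(self, zones):
        self.default_inside = Zone("Default Inside Zone", True,
                                   [ip_network(c) for c in RFC1918])
        self.default_outside = Zone("Default Outside Zone", False)
        self.zones = list(zones) + [self.default_inside, self.default_outside]

    def mark_interface(self, exporter, interface, direction):
        """Marking an interface Internal or External moves it to the matching default zone."""
        for z in (self.default_inside, self.default_outside):
            z.interfaces.discard((exporter, interface))
        target = self.default_inside if direction == "internal" else self.default_outside
        target.interfaces.add((exporter, interface))

    def resolve(self, ip, exporter=None, interface=None):
        """Return the zone an endpoint belongs to, using the precedence the guide describes."""
        addr = ip_address(ip)
        # 1. CIDR elements are checked first. When several CIDRs contain the address,
        #    the most specific prefix wins (this example's assumption).
        best = None
        for z in self.zones:
            for net in z.cidrs:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (z, net)
        if best is not None:
            return best[0]
        # 2. Only if no CIDR matches is the exporter interface consulted.
        if exporter is not None:
            for z in self.zones:
                if (exporter, interface) in z.interfaces:
                    return z
        # 3. Anything else lands in the default outside zone (this example's assumption).
        return self.default_outside

    def keep_conversation(self, src, dst, exporter, interface):
        """A conversation is analysed only if at least one endpoint resolves to an inside zone;
        traffic seen on an External SPAN port with no matching inside CIDR is dropped."""
        return any(self.resolve(ip, exporter, interface).inside for ip in (src, dst))


def build_demo_table():
    """Constructed sample configuration: two custom zones plus two marked Sensor ports."""
    hr = Zone("HR", True, [ip_network("10.1.0.0/16")])             # inside CIDR zone
    edge = Zone("Edge", False, interfaces={("router1", "Gi0/1")})   # outside interface zone
    table = ZoneTable([hr, edge])
    table.mark_interface("sensor1", "1A", "external")   # SPAN port marked External
    table.mark_interface("sensor1", "2A", "internal")   # SPAN port marked Internal
    return table


if __name__ == "__main__":
    t = build_demo_table()
    print(t.resolve("10.1.5.5", "router1", "Gi0/1").name)        # HR: CIDR overrides interface
    print(t.resolve("10.9.9.9").name)                            # Default Inside Zone (RFC 1918)
    print(t.resolve("8.8.8.8", "router1", "Gi0/1").name)         # Edge: interface element
    print(t.keep_conversation("8.8.8.8", "1.1.1.1", "sensor1", "1A"))   # False: dropped
```

The last call shows the SPAN-port case from the bullets above: with port 1A marked External and no inside CIDR covering either endpoint, the conversation is dropped, whereas the same traffic on the Internal-marked port 2A resolves to the default inside zone and is kept. Keeping the default RFC 1918 CIDRs in the inside zone is what keeps the dashboards populated.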

Define inside zones


Inside zones represent groups of internal endpoints whose traffic should be analyzed for anomalous behavior. Zones can be
based on CIDR blocks and exporter interfaces. You can select the default inside zone or define a new inside zone.
Note: When an NTBA Appliance is added to the Manager, all the RFC 1918 IP addresses are added under the default inside zone.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Zones → Inside Zones → Summary.
The Summary page for inside zones is displayed.

Summary page

2. Click New. Enter a name and description for the inside zone.
3. From Zone Elements, select Type as CIDR.
4. In CIDR, enter the CIDR address.
5. Click Add to create an inside CIDR zone. The zone element is displayed.

6. From Zone Elements, select Type as Interface. The Exporter and Interfaces options are displayed.
7. From Exporters, select one of the network devices configured as exporters.
8. From Interfaces, select the interfaces. (Hold down the CTRL key for multiple selections.)
9. Select the interface listed in the Interfaces field. (Hold down the CTRL key for multiple selections.)
10. Click Add and then Save to create an inside interface zone.

Apply NTBA policies to inside zones


The NTBA policies are applied to the NTBA Appliance zones. The procedure for applying NTBA policies to the default inside zone
for an NTBA Appliance is described below. The procedure for applying policies to other inside zones is similar.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Zones → Inside Zones → Default Inside Zone → Protection Profile.
The Protection Profile page is displayed.
2. From the NTBA Policy drop-down list, select the policy that you want to apply.
3. Click Save.

Define outside zones


Outside zones represent groups of internal endpoints whose traffic should be analyzed for anomalous behavior. Zones can be
based on CIDR blocks and exporter interfaces. You can select the default outside zone or define a new outside zone.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Zones → Outside Zones → Summary.
The Summary page for outside zones is displayed.

Summary page for outside zones

2. Click New. Enter a name and description for the outside zone.
3. From Zone Elements, select Type as CIDR.
4. In CIDR, enter the CIDR address.
5. Click Add to create an outside CIDR zone. The zone element is displayed.
6. From Zone Elements, select Type as Interface. The Exporter and Interfaces options are displayed.
7. From Exporters, select one of the network devices configured as exporters.
8. From Interfaces, select the interfaces. (Hold down the CTRL key for multiple selections.)
9. Click Add and then Save to create an outside interface zone.

Apply NTBA policies to outside zones


The NTBA policies are applied to the NTBA Appliance zones. The procedure for applying NTBA policies to the default outside zone for an NTBA Appliance is described below. The procedure for applying policies to other outside zones is similar.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Zones → Outside Zones → Default Outside Zone → Protection Profile.

The Apply Policy page is displayed.
2. From the NTBA Policy drop-down list, select the policy that you want to apply.
3. Click Save.

Update configuration of a Sensor or an NTBA Appliance


Configuration updates refer to changes to device and interface/subinterface configurations, such as port configuration, non-
standard ports, interface traffic types, and configuration changes to the Sensor or NTBA Appliance.
Signature updates have new and modified signatures that can apply to the attacks enforced in a chosen policy. Policy changes
update the device in case of a newly applied policy or changes made to the current enforced policy.
You can schedule configurations to be pushed to the NTBA Appliances and Sensors from Manager → <Admin Domain Name> → Updating
→ Automatic Updating → Signature Sets. The Automatic Signature Set Deployment options allow you to set the time when these configurations
can be deployed on Sensors and NTBA. Configurations are automatically deployed based on schedule.
All configurations in the Policy page that apply to your Sensors or NTBA Appliance can also be manually pushed from Devices →
<Admin Domain Name> → Global → Deploy Pending Changes (all Sensors and NTBA Appliance in a domain) or Devices → <Admin Domain Name>
→ Devices → <NTBA Appliance> → Deploy Pending Changes (to a single Sensor or NTBA Appliance) action.
Scheduled deployment

1. Select Manager → <Admin Domain Name> → Updating → Automatic Updating → Signature Sets. The Signature Sets page is displayed.

Signature Sets page

2. From the Automatic Signature Set Deployment options, set the schedule for deploying signature updates:
◦ For Deploy in Real Time, select Yes to push signature set updates to all Sensors and NTBA Appliances immediately after they are
downloaded to the Manager. The default is No.
◦ For Deploy at Scheduled Interval, select Yes to schedule automatic deployment of signature sets.
◦ In Schedule, set the frequency with which you want the Manager to check for a newly downloaded signature set. The choices
are:
◦ Frequently — Several times a day during a specified period, at the interval indicated in the Recur every option
◦ Daily — Once a day
◦ Weekly — Once a week
◦ Select the Start Time, End Time, and Recur every options to specify intervals. The fields available depend on the Schedule
frequency.
3. Click Save.

On-demand deployment

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Deploy Pending Changes.
The Deploy Pending Changes page is displayed.

Deploy Pending Changes page

2. View the update information. If changes have been made, the Configuration & Signature Set column is checked by default.
3. Click Update.
A pop-up window displays configuration download status.

Deploy pending changes to a device


When you make any configuration changes, or policy changes on the Manager, or a new/updated signature set is available from
McAfee, you must apply these updates to the devices (such as Sensors and NTBA Appliances) in your deployment for the
changes to take effect.
Note the following:
• Configuration changes such as port configuration, non-standard ports, and interface traffic types are updated regardless of the
changes made to the Sensor or interface/subinterface.
• NTBA configuration updates refer to the changes made in the various tabs of the Devices node.
• Policy changes are updated on the Sensor or NTBA Appliance in case of a newly applied policy, or changes made to the currently
enforced policy.
• Signature updates contain new and/or modified signatures that can be applied to the latest attacks.
• When policy and rule updates are applied to the devices, the current traffic analysis is not impacted until the last phase of
the configuration update (that is, when the Manager status update is at 95%).
You can deploy the configuration changes to all the devices in the admin domain from the Global tab. The navigation path for this
is Devices → <Admin Domain Name> → Global → Deploy Pending Changes.
Alternatively, you can deploy the configuration changes at a device level by selecting Devices → <Admin Domain Name> → Devices →
<Device Name> → Deploy Pending Changes. In this case, the Deploy Pending Changes option is available in the menu only if the device is
active.

Task
1. Select Devices → <Admin Domain Name> → Global → Deploy Pending Changes.
The Deploy Pending Changes page is displayed.

Global-level deploy pending changes

To deploy the changes to a specific device, go to Devices → <Admin Domain Name> → Devices → <Device Name> → Deploy Pending Changes.

Device-level deploy pending changes

2. Click Update.
The Manager processes these updates in three stages — Queued, Deploying, Completed — and displays the current stage in the
Status Column.

Configuration update

Status Description

Queued: The Queued status indicates that the Manager is preparing to deploy updates to the devices. If more than one device is
being updated, devices are updated one at a time until all downloads are complete. If you want to cancel the updates for certain
devices, click the X. Consider the following:
◦ The deployment of the configuration changes or signature file updates can be cancelled for bulk updates only.
◦ Updates cannot be cancelled when deployed for individual devices.
◦ After you click Deploy, wait for five seconds before you start cancelling the updates for devices.
◦ Once cancelled, the checkbox is deselected, suggesting that the update was cancelled. There is no status change to indicate the
cancellation of an update.

Deploying: In this state, the configuration changes are applied to the devices. There is no option to abort the update process for
devices in which the deployment of updates is already in progress. When the deployment is cancelled for any device, the item
remains selected for future updates unless it is explicitly deselected.

Completed: Shows that all the configuration changes have been applied to the devices.

3. Click Offline Update Files to view and export the deployment changes file to offline Sensors. The changes can then be deployed to
the Sensors manually using the CLI command window.
4. Click Refresh to refresh the page and the status of the deployment.
5. Click Clear Status to clear the status column in the UI.
Note: Clearing the status does not cancel the deployment. The update process will be running in the background.

Configure a Central Collector


In an environment with multiple NTBA Appliances, the designated Central Collector consolidates flow information from all other
NTBA Appliances to provide a network-wide view.
You can configure the central collector only at the root level. You can either configure an aggregator or leave it as individual
devices. Only one NTBA Appliance can be nominated as the central collector among multiple NTBA Appliances.

Task
1. Select Manager → <Admin Domain Name> → Setup → Network Threat Behavior Analysis → Central Collector.
The Central Collector page is displayed.
2. From the drop-down list, select a central collector.
3. Click Save.

Managing NTBA ignore rules
Ignore rules are rules that filter attacks and attack responses in IPv4 traffic based on source IP address, destination IP address, or
both. You can also define port-based ignore rules, which filter based on the source or destination port (TCP/UDP ports) in
addition to the source IP or destination IP addresses.
NTBA ignore rules provide a way to ignore traffic that would normally trigger a response from NTBA Appliances. When traffic
matches a rule, no alert is generated and no response action is taken.
In the Manager, you can define the NTBA ignore rules from Policy → Network Threat Behavior Analysis → NTBA Ignore Rules and assign
them to NTBA Appliances and zones. Ignore rules defined at the domain level get associated with all NTBA Appliances belonging
to that domain. Similarly, ignore rules defined at the NTBA Appliance level are associated with all zones belonging to that NTBA
Appliance.
You can add, edit, clone, assign, export, and import ignore rules. You can edit an ignore rule only in the admin domain where the
ignore rule was created.
You can define the following types of ignore rules in the Manager:
• IPv4 — IPv4 ignore rules without any source/destination port settings
• TCP/UDP Port — Ignore rules with only source/destination port settings
• IPv4 with TCP/UDP Port — IPv4 ignore rules with source/destination port settings
The ignore rules TCP/UDP Port and IPv4 with TCP/UDP Port are based on the source or destination TCP/UDP port settings.
While defining an ignore rule, you can choose any one of the following criteria for the Attacker or Target IP address settings:
• Any IP Address
• Any internal IP Address
• Any external IP Address
• A range of IP Addresses
• A single IP Address
• A list of IP Addresses
For the port-based ignore rules (TCP/UDP Port, IPv4 with TCP/UDP Port), any one of the following options can be chosen in the
Attacker and Target settings:
• Any
• TCP
• UDP
• TCP or UDP
• Range of ports
Select Policy → Network Threat Behavior Analysis → NTBA Ignore Rules to view the Ignore Rules page.
If you have a heterogeneous deployment with 8.3 Manager and pre-8.3 NTBA or IPS Sensor, make a note of the following:

Heterogeneous deployment version matrix

Manager   IPS Sensor   NTBA   Ignore Rules   Exception Objects
9.1       8.3          8.3    Yes            No
9.1       8.1          8.3    Yes            No
9.1       8.3          8.1    Yes            Yes
9.1       8.1          8.1    No             No

Note: Once you upgrade NTBA or Sensor to 8.2, the exception objects are migrated and new ignore rules are created.

Interpreting the NTBA ignore rules
Use the ignore rule editor to manage ignore rules. You can define an ignore rule from Policy → Network Threat Behavior Analysis → NTBA
Ignore Rules.

Option Definitions

Field Description

Search: Type your search criteria in the field to find the ignore rules with matching elements.

State: Specifies whether the state of the ignore rule is Enabled or Disabled. Disabled rules are not sent to the NTBA Appliance.

Name: Displays the name of the NTBA ignore rule.

Attack Name: Displays the name of the attack.

Scope: Specifies the device or zone to which the ignore rule applies.

Attacker:
• Endpoint — Specifies the endpoint that initiated the attack.
• Port — Specifies the attacker port as TCP, UDP, TCP or UDP, or Any.

Target:
• Endpoint — Specifies the endpoint that was attacked.
• Port — Specifies the target port as TCP, UDP, TCP or UDP, or Any.

Last Updated:
• Time — Specifies the time when the ignore rule was last updated.
• By — Displays the user who modified the rule.

Comment: Displays any additional comment specified for the rule.

Add icon: Adds new ignore rules from the Rule Details panel.

Edit icon: Modifies the details of an existing ignore rule.

Copy icon: Copies (clones) an existing ignore rule.

Delete icon: Deletes the selected ignore rule.

Save as CSV: Exports the ignore rules in CSV format.
Note: If you attempt to export policies using Internet Explorer 10 in combination with Windows Server 2008/2012, the Manager
generates the “Export of custom policy error”. To avoid this, go to Control Panel → Add or Remove Programs → Add/Remove Windows
Components; in the Windows Components Wizard window that opens, select Internet Explorer Enhanced Security Configuration and
disable it. For more information on the fault, see the McAfee Network Security Platform Product Guide.

Add ignore rules
You can add ignore rules at the Policy → Network Threat Behavior Analysis node.

Task
1. Select Policy → Network Threat Behavior Analysis → NTBA Ignore Rules.
The NTBA Ignore Rules page is displayed.
2. Click Add.
The Rule Details panel is displayed.

Rule Details

3. From Rule Details, configure the following:
a. Select the state as Enabled.
b. Enter the Name for the ignore rule. Optionally, enter a comment.
c. The Owner Domain displays the selected admin domain under which the ignore rule is added.
d. The Editable here field displays Yes if the ignore rule is owned by the current domain, and No otherwise.
4. From Attack, select the attack to match the criteria. Enter an attack name in Search attack name and click Add.
5. From Resource, select the NTBA device or interface to match the criteria and click Add.
6. From Attacker, configure the following:
a. From the Endpoint drop-down list, select the rule object and click Add.
b. Click + to add a new rule object. The supported network objects are:
◦ IPv4 Address Range
◦ IPv4 Endpoint
◦ IPv4 Network
◦ Network Group for Exception Object
c. From the Port drop-down list, select the type of port. You can select Any, TCP, UDP, or TCP or UDP.
d. Enter port values 1–65535 in the provided fields. You can also specify multiple ports by entering the values separated by
commas, for example, 25, 80-81.
7. From Target, select one or more rule objects.
a. From the Endpoint drop-down list, select the rule object and click Add.
b. Click + to add a new rule object. The supported network objects are the same as the Attacker options.
c. From the Port drop-down list, select the port type and enter the port values. These are the same as the Attacker port options
and value ranges.
8. Click Save to save the ignore rule.
After defining an ignore rule, push the signature files for the new rule to take effect.
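The following added example (not the Manager's or the appliance's own code) models how the rule just defined is matched against an alert: the attack name, the Attacker and Target endpoint criteria listed under "Managing NTBA ignore rules", and the Attacker and Target port criteria with values such as "25, 80-81". The address space treated as internal, the rule, and the alerts are constructed assumptions.

```python
"""NTBA ignore-rule matching, modelled from the rule fields in this guide.

Added example, not the Manager's or appliance's own code. Attacker and
Target each carry an endpoint criterion (any, internal, external, single,
range, list) and a port criterion (Any, TCP, UDP, TCP or UDP, with values
such as "25, 80-81"). Which address space is internal is an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed assumption: address space the appliance treats as internal.
INTERNAL_NETWORKS = [IPv4Network("10.0.0.0/8"), IPv4Network("192.168.0.0/16")]


def parse_ports(spec: str) -> set:
    """Expand "25, 80-81" into {25, 80, 81}; values must lie in 1-65535."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port value out of range: {item!r}")
        ports.update(range(low, high + 1))
    return ports


@dataclass
class EndpointCriteria:
    """One side (Attacker or Target) of an ignore rule."""
    kind: str = "any"  # any | internal | external | single | range | list
    addresses: list = field(default_factory=list)  # members, or [low, high] for range
    proto: str = "Any"  # Any | TCP | UDP | TCP or UDP
    ports: set = field(default_factory=set)  # empty set means any port

    def matches_address(self, ip: IPv4Address) -> bool:
        internal = any(ip in net for net in INTERNAL_NETWORKS)
        if self.kind == "any":
            return True
        if self.kind == "internal":
            return internal
        if self.kind == "external":
            return not internal
        if self.kind in ("single", "list"):
            return ip in self.addresses
        if self.kind == "range":
            low, high = self.addresses
            return low <= ip <= high
        raise ValueError(f"unknown endpoint kind {self.kind!r}")

    def matches_port(self, proto: str, port: int) -> bool:
        if self.proto != "Any":
            allowed = {"TCP", "UDP"} if self.proto == "TCP or UDP" else {self.proto}
            if proto not in allowed:
                return False
        return not self.ports or port in self.ports


@dataclass
class IgnoreRule:
    name: str
    attack_names: set
    attacker: EndpointCriteria
    target: EndpointCriteria
    enabled: bool = True  # disabled rules are not sent to the NTBA Appliance

    def matches(self, alert: dict) -> bool:
        """True when the alert is ignored: no alert raised, no response action."""
        if not self.enabled or alert["attack"] not in self.attack_names:
            return False
        return (self.attacker.matches_address(alert["src_ip"])
                and self.attacker.matches_port(alert["proto"], alert["src_port"])
                and self.target.matches_address(alert["dst_ip"])
                and self.target.matches_port(alert["proto"], alert["dst_port"]))


def suppressed_by(rules, alerts):
    """For each alert, the name of the first rule that ignores it, or None."""
    return [next((r.name for r in rules if r.matches(a)), None) for a in alerts]


# Constructed sample: an authorised internal scanner at 10.1.1.5 whose port
# scans of internal web servers on TCP 80-81 and 443 should not raise alerts.
SCANNER_RULE = IgnoreRule(
    name="internal-scanner",
    attack_names={"Port Scan"},
    attacker=EndpointCriteria(kind="single", addresses=[IPv4Address("10.1.1.5")]),
    target=EndpointCriteria(kind="internal", proto="TCP", ports=parse_ports("80-81, 443")),
)


def _alert(dst, dst_port, proto="TCP"):
    return {"attack": "Port Scan", "src_ip": IPv4Address("10.1.1.5"), "src_port": 40000,
            "dst_ip": IPv4Address(dst), "dst_port": dst_port, "proto": proto}


SAMPLE_ALERTS = [
    _alert("10.2.0.9", 443),        # ignored: internal target, covered port
    _alert("10.2.0.9", 22),         # kept: port 22 is not in the rule
    _alert("203.0.113.7", 80),      # kept: external target
    _alert("10.2.0.9", 80, "UDP"),  # kept: rule covers TCP only
]
```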

Clone ignore rules
You can clone ignore rules at the Network Threat Behavior Analysis node.

Task
1. Select Policy → Network Threat Behavior Analysis → NTBA Ignore Rules.
2. Select the ignore rule you want to clone and click Copy.
You can use Search to quickly find an ignore rule.
3. Make any changes and click Save.

Delete ignore rules


You can delete ignore rules from the Network Threat Behavior Analysis node.

Task
1. Select Policy → Network Threat Behavior Analysis → NTBA Ignore Rules.
The NTBA Ignore Rules page is displayed.
2. Select the ignore rule you want to delete and click Delete.
3. Confirm to delete the object.
Note: Only objects that are not assigned to any attack can be deleted.

Export the ignore rules


You can export the ignore rules in CSV format from the Network Threat Behavior Analysis node.

Task
1. Select Policy → Network Threat Behavior Analysis → NTBA Ignore Rules.
The NTBA Ignore Rules page is displayed.
2. Click Save as CSV to export the rules to a CSV file, which can be opened in Excel.
You can also export the ignore rules from Policy → <Admin Domain Name> → Network Threat Behavior Analysis → Policy Export → NTBA Ignore
Rules.
Note: If you attempt to export policies using Internet Explorer 10 in combination with Windows Server 2008/2012, the
Manager generates the “Export of custom policy error”. To avoid this, go to Control Panel → Add or Remove Programs → Add/Remove
Windows Components; in the Windows Components Wizard window that opens, select Internet Explorer Enhanced Security Configuration and
disable it. For more information on the fault, see the McAfee Network Security Platform Product Guide.

Import ignore rules


You can import an .xml file into the Manager to create an ignore rule.

Task
1. Select Policy → <Admin Domain Name> → Network Threat Behavior Analysis → Policy Import → NTBA Ignore Rules.
The Import page is displayed.
2. Select Append to the existing set of rules checkbox if you want to add the imported ignore rules to the existing set.
3. Click Browse to select a file.

4. Click Import.

Create and assign ignore rules


You can create and assign ignore rules to specific NTBA alerts from the Attack Log page.
You can select a particular alert and configure an ignore rule. If necessary, you can create a new ignore rule and apply it to the
selected alert. You apply an ignore rule to the resource for which the attack is raised and the direction of the attack.
Note the following while creating rules:
• If you are using pre-8.2 devices, use the Exception Objects feature to create the rules. For more information on exception
objects, see the section Exception object configuration in the McAfee Network Security Platform 8.1 Manager Administration Guide.
To create Ignore Rules for the alerts generated, complete the following steps:

Task
1. Select Analysis → <Admin Domain Name> → Attack Log.
2. Select the alert for which you want to create the Ignore Rule, and click Other Actions.
3. Select Create Exception and click the Add Ignore Rule option.
The Add Ignore Rule panel appears.
4. Specify your options in the corresponding fields.

Field Description

Name: Type the name for the Ignore Rule.

Comment: Type additional comments if required.

Secondary Action: The secondary/additional action to be performed on the alert other than ignoring it.
◦ None — No action taken other than ignoring the alert.
◦ Acknowledge all existing alerts that match — Acknowledges all the alerts that match the criteria. You can later view these alerts as
acknowledged alerts in the Attack Log.
◦ Delete all existing alerts that match — Deletes all the alerts that match the ignore rule criteria. These alerts are also removed from
the database.

Modified: Displays the user, date, and time of the last modification of the Ignore Rule. The field is blank when you create the rule
for the first time.

Owner Domain: The name of the admin domain under which the Ignore Rules are added.

Editable here: The status Yes indicates that the Ignore Rule is owned by the current admin domain. The status No indicates that the
Ignore Rule is not owned by the current admin domain.

Attack: Select the attack to match the criteria.
1. Type the first few letters of the attack name in the Search attack name field and select the attack from the list.
2. Click the Add button to add the attack name to the list.
3. Select the Direction from the drop-down list. The options are Inbound, Outbound, and Any.
Click the remove icon to remove the attack from the list.

Scope: Select one or more devices or interfaces to match the criteria.
1. Select the device or interface from the Resource drop-down list.
2. Click the Add button to add the device or interface to the list.
Click the remove icon to remove the item from the list.

Attacker:
1. Select the rule object from the Endpoint drop-down list.
2. Click the Add button to add the rule object to the list.
Click + to add a new rule object. The supported network objects are:
◦ IPv4 Address Range
◦ IPv4 Endpoint
◦ IPv4 Network
◦ IPv6 Address Range
◦ IPv6 Endpoint
◦ IPv6 Network
◦ Network Group for Ignore Rule
Click the edit icon to edit or view a rule object. Click the remove icon to remove the rule object from the list.
3. Select the type of port from the Port drop-down list. The available options are:
◦ Any
◦ TCP
◦ UDP
◦ TCP or UDP
4. Type the port values for TCP and UDP protocols in the field provided. The supported port values are 1 to 65535. To specify
multiple ports used in the same protocol, provide the values separated by commas. Example: 15,25.

Target: Select one or more rule objects.
1. Select the rule object from the Endpoint drop-down list.
2. Click the Add button to add the rule object to the list.
Click + to add a new rule object. The supported network objects are:
◦ IPv4 Address Range
◦ IPv4 Endpoint
◦ IPv4 Network
◦ IPv6 Address Range
◦ IPv6 Endpoint
◦ IPv6 Network
◦ Network Group for Ignore Rule
Click the edit icon to edit or view a rule object. Click the remove icon to remove the rule object from the list.
3. Select the type of port from the Port drop-down list. The available options are:
◦ Any
◦ TCP
◦ UDP
◦ TCP or UDP
4. Type the port values for TCP and UDP protocols in the field provided. The supported port values are 1 to 65535. To specify
multiple ports used in the same protocol, provide the values separated by commas. Example: 15,25.

5. Click Save to save the Ignore Rule.


For more information on Ignore Rules, see the Manage Ignore Rules section in the McAfee Network Security Platform IPS
Administration Guide.

Alert notification options


The Manager can send alert information to third-party repositories such as SNMP servers and syslog servers. Further, you can
configure your Sensor to forward syslog notifications directly to a syslog server, thereby ensuring that the Sensor forwards alerts
to a server other than that assigned to the Manager.
In addition to SNMP and syslog notifications, the Manager can also be configured to notify you through email, pager, or script of
detected attacks.
For the alert notifications for the Sensor and the NTBA Appliance select Manager → <Admin Domain Name> → Setup → Notification → (IPS/
NTBA) Events.
Alert notifications are forwarded to syslog servers based on this configuration, in which the notification destination is only one
of the settings. The Manager and Sensor send notifications depending on the attack, the attack severity, or both.

View alert notification details


You can view the summary of configured alert notification settings from the Manager node.
Select Manager → <Admin Domain Name> → Setup → Notification → NTBA Events → Summary.
The Summary page is displayed.

Summary page

Forward alerts to an SNMP server


You can configure the SNMP server to which alert information for Sensor or NTBA Appliance is to be sent.
You can configure more than one SNMP server, and you can configure the SNMP servers for each admin domain separately. The
SNMP server configured for a root admin domain can be different from the SNMP server configured for its child domains. When
the Children and the Current checkbox is selected while configuring an SNMP server for the root admin domain, the child domain
forwards notifications to both the parent and child domain SNMP servers. When the Children checkbox is not selected in the root
admin domain, the child domain uses only the SNMP server configured for that domain to forward notifications. The SNMP Servers
list in the SNMP tab displays the SNMP servers you have configured.

Task
1. Select Manager → <Admin Domain Name> → Setup → Notification → IPS Events/NTBA Events → SNMP.
The SNMP tab is displayed where Enable SNMP Notification option and the configured SNMP Servers list is displayed.
2. Select Yes against Enable SNMP Notification and click Save.
3. Click New.
The SNMP page is displayed.

4. Specify your options in the appropriate fields.

Field Description

Admin Domains: Specify whether this applies to the child domains as well.

IP Address: IP address of the target SNMP server. This can be an IPv4 or IPv6 address.

Target Port: SNMP listening port of the target server.

SNMP Version: The version of SNMP running on your target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

Community String: Enter an SNMP community string to protect your Network Security Platform data. SNMP community strings
authenticate access to Management Information Base (MIB) objects and function as embedded passwords.

Send Notification If:
• By attack (Sensor), that is, the attack definition has this notification option explicitly enabled (IPS) — Forwards attacks that match
customized policy notification settings, which you must set when editing attack responses within the Policy Editor.
• By Alert Filter (Sensor), that is, the following notification filter is matched (NTBA) — Sends notification for all alerts, or based on
the severity of alerts:
◦ Severity Informational and above — Includes all alerts.
◦ Severity Low and above — Includes low, medium, and high severity alerts.
◦ Severity Medium and above — Includes medium and high severity alerts.
◦ Severity High — Includes only high severity alerts.

The following fields appear only when SNMP Version 3 is selected.

User Name: User name for authentication.

Authoritative Engine ID (Hex Values): The authoritative (security) engine ID used for SNMP version 3 REQUEST messages by the
primary Manager. The hex value of the Authoritative Engine ID must be an even number of hex digits, written as pairs (for
example, a 4-pair value such as 00-1B-3F-2C).
Note: A MAC address can also be used as the Authoritative Engine ID.

Authoritative Peer Engine ID (Hex Values): The authoritative (security) engine ID used for SNMP version 3 REQUEST messages by the
secondary Manager.
Note: The Authoritative Peer Engine ID field is available while configuring SNMP version 3 only after successful creation of an
MDR pair.
Note: The Authoritative (security) engine ID for any Manager is unique. At any point of time, the Authoritative Engine ID of a
Manager is static irrespective of the Manager status in an MDR pair. That is, when MDR switchover occurs, the authoritative
engine ID of the Manager does not change with the status of the Manager. Hence, the alerts generated from the Primary and
Secondary Managers carry their respective authoritative engine IDs.
Note: After successful deletion of an MDR pair, the Authoritative Engine IDs are retained by the respective Managers.

Authentication Level: Specifies the authentication level and has the following categories:
◦ No Authorization, No Privileges — Uses User name match for authentication.
◦ Authorization, No Privileges — Provides authentication based on the MD5 or SHA algorithms.
◦ Authorization and Privileges — Provides authentication based on the MD5 or SHA algorithms. It also provides encryption, in
addition to authentication, based on the DES or AES standards.

Customize Community

The following fields appear only when Authorization, No Privileges is selected as Authentication Level:

Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.

Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.

The following fields appear only when Authorization and Privileges is selected as Authentication Level:

Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages.

Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages.

Encryption Type: The privacy protocol (AES or DES) used for encrypting SNMP version 3 messages.

Privacy Password: The privacy pass phrase used for encrypting SNMP version 3 messages.

5. Click Save.
The SNMP server is added to the SNMP Servers page.
Note: Do not use a broadcast IP address (that is, 255.255.255.255) as the target SNMP server for forwarding alerts.

Modify or delete SNMP server settings


You can modify or delete the SNMP server settings at the Manager node.

Task
1. Select Manager → <Admin Domain Name> → Setup → Notification → IPS/NTBA Events → SNMP.
The SNMP tab with the Enable SNMP Notification option and the SNMP Servers list is displayed.
2. Select the configured SNMP server instance from the SNMP Servers list.
3. Configure the following:
a. To edit the settings, click Edit, modify the fields as required, and click Apply.
b. To delete the settings, click Delete and click OK to confirm deletion.

Forward alerts to a syslog server


You can forward Sensor and NTBA Appliance alerts to a syslog server. Syslog forwarding enables you to view the forwarded alerts
from a third-party syslog application.

Task
1. Select Manager → <Admin Domain Name> → Setup → Notification → NTBA Events → Syslog.
The Syslog page is displayed.
2. Configure the following fields:

Syslog page

Syslog - configuration options

Field Description

Enable Syslog Notification: Yes is enabled; No is disabled.

Server Name or IP Address: Enter the name or IP address (IPv4 or IPv6) of the syslog server where the alerts are sent. You can
configure multiple syslog servers separated by a semicolon.
Note: You can configure a maximum of eight syslog servers.

UDP Port: Port on the target syslog server that is authorized to receive syslog messages.

Facility: Standard syslog prioritization value. The choices are as follows:
◦ Security/authorization (code 4)
◦ Security/authorization (code 10)
◦ Log audit (note 1)
◦ Log alert (note 1)
◦ Clock daemon (note 2)
◦ Local user 0 (local0)
◦ Local user 1 (local1)
◦ Local user 2 (local2)
◦ Local user 3 (local3)
◦ Local user 4 (local4)
◦ Local user 5 (local5)
◦ Local user 6 (local6)
◦ Local user 7 (local7)

Severity Mapping: You can map each severity (Informational, Low, Medium, or High) to one of these standard syslog severities:
◦ Emergency — System is unusable
◦ Alert — Action must be taken immediately
◦ Critical — Critical conditions
◦ Error — Error conditions
◦ Warning — Warning conditions
◦ Notice — Normal but significant condition
◦ Informational — Informational messages
◦ Debug — Debug-level messages

Send Notification If:
• The attack definition has this notification option explicitly enabled — Send notification for attacks that match customized policy
notification settings, which you must set when editing attack responses within the policy editor.
• The following notification filter is matched — Send notification based on the following filters:
◦ Allow All — Notifies for all discovered attacks.
◦ Block All — Blocks notification.
◦ Severity Informational and above — Includes all alerts.
◦ Severity Low and above — Includes low, medium, and high severity alerts.
◦ Severity Medium and above — Includes medium and high severity alerts.
◦ Severity High — Includes only high severity alerts.

3. Click Save.
Note: You must click Save before you can customize the format of the message sent to your syslog server. The customization
option is available only if notification is enabled against Enable Syslog Notification.
4. Select your Message Preference to customize the format of the message to be sent to your syslog server.

Message Preference - options

Field Description

System Default: The default message is a quick summary of an alert with two fields for easy recognition: Attack Name and Attack
Severity. The default message reads:
Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$).

Customized: Create a custom message.

Create a custom message


◦ Select Customized and click Edit to view the Custom message page.
◦ Type a message and click the parameters for the appropriate alert identification format. You can type custom text in the
Message field, and you can click the Content-Specific Variables to move them to the Message field.
◦ Click Save to return to the Syslog page.
◦ Click Save.
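As an added example (not the Manager's code), the following models what the Syslog page settings above produce for one alert: the Send Notification If filter, the chosen Facility, the Severity Mapping, and the message template with its $IV_...$ variables. The sample configuration and alerts are constructed; the numeric facility and severity codes are the standard syslog values.

```python
"""Syslog forwarding of an NTBA alert, modelled on the Syslog page settings.

Added example, not the Manager's code. It applies the Send Notification If
filter (Allow All, Block All, or a severity threshold), the chosen Facility,
the Severity Mapping from NTBA severities to syslog severities, and the
message template with $IV_...$ variables (the system default is
"Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)."). The numeric facility
and severity codes are the standard syslog values.
"""
import re

# Standard syslog facility codes for the Facility choices listed above.
FACILITY_CODES = {
    "Security/authorization (code 4)": 4,
    "Security/authorization (code 10)": 10,
    **{f"Local user {n} (local{n})": 16 + n for n in range(8)},
}

# Standard syslog severity numbers for the Severity Mapping choices.
SYSLOG_SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}

# NTBA alert severities, lowest first, for "Severity X and above" filters.
NTBA_SEVERITIES = ["Informational", "Low", "Medium", "High"]

DEFAULT_TEMPLATE = "Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)."


def filter_allows(filter_setting: str, alert_severity: str) -> bool:
    """Evaluate one 'Send Notification If' filter option against an alert."""
    if filter_setting == "Allow All":
        return True
    if filter_setting == "Block All":
        return False
    m = re.fullmatch(r"Severity (\w+)(?: and above)?", filter_setting)
    if not m or m.group(1) not in NTBA_SEVERITIES:
        raise ValueError(f"unknown filter setting {filter_setting!r}")
    return NTBA_SEVERITIES.index(alert_severity) >= NTBA_SEVERITIES.index(m.group(1))


def render_message(template: str, alert: dict) -> str:
    """Replace $IV_...$ variables with alert fields; unknown ones stay as typed."""
    return re.sub(r"\$(IV_[A-Z_]+)\$",
                  lambda m: str(alert.get(m.group(1), m.group(0))), template)


def build_syslog_line(config: dict, alert: dict):
    """Return the '<PRI>message' line to forward, or None if not forwarded."""
    severity_name = alert["IV_ATTACK_SEVERITY"]
    if not config["enabled"] or not filter_allows(config["filter"], severity_name):
        return None
    facility = FACILITY_CODES[config["facility"]]
    severity = SYSLOG_SEVERITY[config["severity_mapping"][severity_name]]
    pri = facility * 8 + severity  # standard syslog PRI encoding
    return f"<{pri}>{render_message(config['template'], alert)}"


# Constructed sample configuration: local4, Medium and above, default message.
SAMPLE_CONFIG = {
    "enabled": True,
    "facility": "Local user 4 (local4)",
    "filter": "Severity Medium and above",
    "severity_mapping": {"Informational": "Informational", "Low": "Notice",
                         "Medium": "Warning", "High": "Critical"},
    "template": DEFAULT_TEMPLATE,
}

# Constructed sample alerts.
HIGH_ALERT = {"IV_ATTACK_NAME": "Port Scan", "IV_ATTACK_SEVERITY": "High"}
LOW_ALERT = {"IV_ATTACK_NAME": "New Endpoint", "IV_ATTACK_SEVERITY": "Low"}
```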

Configure email or pager alert notifications


Before you begin
You must identify a mail server for email notifications in the E-mail page (Manager → <Admin Domain Name> → Setup → Notification → IPS/
NTBA Events → E-mail).
Users can be alerted by email or pager when an alert is generated that matches a chosen severity or customized attack setting.
The procedure for configuring email alerts is described here. The procedure for configuring pager alerts is similar.

Task
1. Select Manager → <Admin Domain Name> → Setup → Notification → IPS/NTBA Events → E-mail.
The E-Mail and Recipient List information is displayed under the E-mail tab.

2. Specify your options in the corresponding fields.

Field                       Description

Enable E-mail Notification  Select Yes to enable alert notification through email.

Send Notification If        The attack definition has this notification option explicitly enabled — Send
                            notification for attacks that match customized policy notification settings,
                            which you must set when editing attack responses within the policy editor.
                            The following notification filter is matched — Send notification based on the
                            following filters:
                            ◦ Severity Informational and above — Includes all alerts.
                            ◦ Severity Low and above — Includes low, medium, and high severity alerts.
                            ◦ Severity Medium and above — Includes medium and high severity alerts.
                            ◦ Severity High — Includes only high severity alerts.
                            The table below explains the functional interdependency of the two options.

Suppression Time            Type a Suppression Time for the notification. The suppression time is the
                            duration (minutes and seconds) to wait after an alert notification has been
                            sent before sending another alert notification. The default and minimum value
                            is 10 minutes and 0 seconds. Suppression time is useful to avoid sending
                            excessive notifications when there is heavy attack traffic.

Message Body                The message body is a preset response sent with the notification, carrying
                            information pertaining to the alert.
                            System Default — The system default message provides the notified admin with
                            the most basic attack details so that an immediate response can be made.
                            Details include the attack name, time detected, attack type, severity, the
                            Sensor interface where detected, and the source and/or destination IP
                            addresses.
                            Note: You cannot edit the System Default message.
                            Customized — Select Customized against Message Body and click Edit to view the
                            Custom Message page. You can type custom text in the Subject field or Body
                            section, as well as click one or more of the provided variable links at
                            Subject Line Variables or Content-Specific Variables.

Notification option explicitly enabled   Notification filter is matched   Functionality

✔                                                                         Emails are sent only for the attacks where the
                                                                          notification option is enabled.

                                         ✔                                Emails are sent only when the defined severity
                                                                          level is matched, since the notification option
                                                                          choice is disabled.

✔                                        ✔                                If the attack matches at least one of the
                                                                          criteria, an email is sent.

3. Click Save to return to the email or pager notification settings page.


4. Click New in the Recipient List section of the E-mail page.
The Add a Recipient page is displayed.
5. Enter the Recipient email address in the SMTP Address field and click Save.
The email address is listed under the Recipient List in the E-mail tab.
◦ You can configure pager settings using a similar procedure in the Pager page. Select Manager → <Admin Domain Name> → Setup →
Notification → IPS/NTBA Events → Pager to view the Pager page.
◦ Email and pager notifications are configured per admin domain.
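
The interdependency table and the Suppression Time field together decide when an email actually goes out. The following Python model, added here as an illustration and not part of the product, encodes that decision: the two Send Notification If criteria are combined with OR, and the suppression timer runs from the last email sent. The Alert and EmailNotificationConfig classes, the notify_flag field name and the sample alert stream are this example's own constructions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# NTBA alert severities, lowest first; the "Severity X and above" filters are
# thresholds on this ordering.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]


@dataclass
class Alert:
    attack_name: str
    severity: str
    # The per-attack notification option set under attack responses in the
    # policy editor (the field name is this example's own).
    notify_flag: bool
    detected_at: datetime


@dataclass
class EmailNotificationConfig:
    enabled: bool = True
    # "The attack definition has this notification option explicitly enabled"
    send_if_explicit: bool = False
    # "The following notification filter is matched": the lowest severity that
    # notifies, or None when that filter is not selected.
    min_severity: Optional[str] = None
    # Product default and minimum: 10 minutes 0 seconds.
    suppression_time: timedelta = timedelta(minutes=10)


class EmailNotifier:
    """Decides, alert by alert, whether an email notification goes out."""

    def __init__(self, config: EmailNotificationConfig):
        self.config = config
        self.last_sent: Optional[datetime] = None

    def matches_criteria(self, alert: Alert) -> bool:
        """The interdependency table: either selected criterion is sufficient."""
        cfg = self.config
        if cfg.send_if_explicit and alert.notify_flag:
            return True
        if cfg.min_severity is not None:
            if SEVERITY_ORDER.index(alert.severity) >= SEVERITY_ORDER.index(cfg.min_severity):
                return True
        return False

    def should_send(self, alert: Alert) -> bool:
        """Criteria first, then the suppression timer measured from the last email sent."""
        if not self.config.enabled or not self.matches_criteria(alert):
            return False
        if self.last_sent is not None and alert.detected_at - self.last_sent < self.config.suppression_time:
            # Matching alert, but an email went out less than suppression_time ago.
            return False
        self.last_sent = alert.detected_at
        return True


def decide_for_stream(config: EmailNotificationConfig, alerts: List[Alert]) -> List[Tuple[str, bool]]:
    """Run a stream of alerts through one notifier; return (attack name, emailed?) pairs."""
    notifier = EmailNotifier(config)
    return [(a.attack_name, notifier.should_send(a)) for a in alerts]


# Constructed sample stream (not real NTBA output), in detection order.
_T0 = datetime(2021, 11, 28, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert("Suspicious Connection", "Low", True, _T0),                          # explicit option set
    Alert("P2P: BitTorrent", "High", False, _T0 + timedelta(minutes=1)),       # severity matches, inside suppression time
    Alert("New Service Detected", "Low", False, _T0 + timedelta(minutes=2)),   # matches neither criterion
    Alert("Port Scan", "High", False, _T0 + timedelta(minutes=11)),            # severity matches, timer expired
]

if __name__ == "__main__":
    cfg = EmailNotificationConfig(send_if_explicit=True, min_severity="Medium")
    for name, sent in decide_for_stream(cfg, SAMPLE_ALERTS):
        print(f"{name:25} {'email sent' if sent else 'no email'}")
```

With both criteria selected and a 10 minute suppression time, the sample stream produces two emails: the explicitly flagged Low alert at 09:00 and the High alert at 09:11. The High alert at 09:01 matches the severity filter but falls inside the suppression window, which is exactly the "excessive notifications during heavy attack traffic" case the field exists for; a practitioner should remember that suppressed alerts are still in the Attack Log, only the email is withheld.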

Enable alert notification by script


Users can be alerted through an executed script when an alert is generated that matches a chosen severity or customized attack
setting.

Task
1. Select Manager → <Admin Domain Name> → Setup → Notification → IPS/NTBA Events → Script.
The Script page is displayed.
2. Specify the options in the corresponding fields.



Field                    Description

Enable Script Execution  Select Yes to enable alert notification through an executed script.

Send Notification If     The attack definition has this notification option explicitly enabled — Send
                         notification for attacks that match customized policy notification settings,
                         which you must set when editing attack responses within the policy editor.
                         The following notification filter is matched:
                         ◦ Severity Informational and above — Includes all alerts
                         ◦ Severity Low and above — Includes low, medium, and high severity alerts
                         ◦ Severity Medium and above — Includes medium and high severity alerts
                         ◦ Severity High — Includes only high severity alerts

Suppression Time         Enter a Suppression Time for the notification. The suppression time is the
                         amount of time (minutes and seconds) to wait after an alert has been generated
                         before sending the notification. This prevents a notification being sent for an
                         alert that has been acknowledged or deleted through the Attack Log page within
                         the suppression time. The default and minimum value is 10 minutes and 0 seconds.

3. Click Edit.
The Script Contents page is displayed.



◦ Enter a description in the Description field.
◦ Enter the required text in the Script Contents field. Click the links provided against Content-Specific Variables to insert variables into the
Script Contents field.
4. Click Save to return to the Script page.
5. Click Save to save your settings.
◦ The local system user needs permission to create the script output file in the Manager installation directory.
◦ The script runs with the Manager's local privileges, and the inserted variables carry values taken from the alert; restrict who can edit the script and quote every substituted variable rather than passing it unquoted to a shell.
◦ Notifications are configured per admin domain.

Configure alert suppression


Alert suppression minimizes the number of duplicate alerts the NTBA Appliance sends to the Manager.
Within the configured suppression interval, once the configured number of individual alerts has been reached, all subsequent
alerts containing the same attack, source, and destination details are suppressed.
At the conclusion of the suppression interval, a summary alert is sent, which includes the total number of suppressed alerts for
each of the maintained source-destination IP pairs. An additional total is shown for all other IP pairs.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Advanced → Alert Suppression.
The Alert Suppression page is displayed.

Alert Suppression page

2. Select the Enabled checkbox to enable alert suppression.


3. Configure the following under Threshold Settings:
◦ The alert suppression window is [X] seconds — This value is the time span in which you accumulate instances of the same attack. It
acts as a timer: when the timer expires, the current instance is cleared to make room for a new suppression instance.
The value entered in this field is the suppression interval.
◦ Generate standard alerts for the first [X] attack(s) seen during the alert suppression window — This value is the number of alerts
that must be detected before a unique suppression instance is classified as an exploit throttle attack and reported as a
summary alert.
The value entered in this field is the configured number of individual alerts.
Sending the first few instances as individual alerts lets you view details and packet log information for them.
Within the configured suppression interval, once the configured number of individual alerts has been reached, all
subsequent alerts containing the same attack, source, and destination details are suppressed.
If there are x+1 attacks, the first x are sent as individual alerts and those exceeding this count are throttled into one
summary alert that summarizes the persistent attack.
◦ Generate unique suppression summary alerts for up to [X] attack, attacker and target combinations — This value determines the number of
unique source-destination IP pairs for which summary alerts are maintained at a given time.
For example, if you enter 10, then 10 unique summary alert instances can be tracked at a given time.
Once 10 is reached, all other cases are kept in a single "wildcard" instance.
Note: Source and destination IP do not appear in the wildcard exploit throttle summary since multiple addresses may be involved.
This limit exists because of memory constraints.
Note: A throttle entry is removed after the time limit (the alert suppression window) has expired.
4. Click Save.
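
To see how the three Threshold Settings interact, the following Python simulation, added here and not part of the product, tracks (attack, source, destination) combinations within one suppression window, emits the first X instances as individual alerts, counts the rest, folds combinations beyond the tracked limit into a wildcard count, and produces one summary alert when the window expires. The AlertSuppressor class, the event tuples and the assumption that the wildcard instance is throttled like a tracked one are this example's own.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (attack, source IP, destination IP)


class AlertSuppressor:
    """Models the three Threshold Settings on the Alert Suppression page."""

    def __init__(self, window_seconds: int, standard_alerts: int, max_tracked: int):
        self.window_seconds = window_seconds    # "The alert suppression window is [X] seconds"
        self.standard_alerts = standard_alerts  # "Generate standard alerts for the first [X] attack(s)"
        self.max_tracked = max_tracked          # "...summary alerts for up to [X] ... combinations"
        self.window_start = None
        self.tracked: Dict[Key, int] = {}       # per-combination count in the current window
        self.wildcard = 0                       # everything beyond max_tracked shares one count

    def process(self, ts: int, attack: str, src: str, dst: str) -> List[tuple]:
        """Feed one detected attack; return the alerts that leave the appliance."""
        out = []
        if self.window_start is None:
            self.window_start = ts
        elif ts - self.window_start >= self.window_seconds:
            # Timer expired: summarize and clear, then start a new window.
            out.extend(self._close_window())
            self.window_start = ts
        key = (attack, src, dst)
        if key in self.tracked or len(self.tracked) < self.max_tracked:
            self.tracked[key] = self.tracked.get(key, 0) + 1
            seen = self.tracked[key]
        else:
            # Assumption: the wildcard instance is throttled like any tracked one.
            self.wildcard += 1
            seen = self.wildcard
        if seen <= self.standard_alerts:
            out.append(("alert", attack, src, dst))   # individual alert with full details
        return out

    def _close_window(self) -> List[tuple]:
        # Summary: suppressed count per tracked pair, plus one total for all other pairs.
        per_pair = {k: n - self.standard_alerts for k, n in self.tracked.items() if n > self.standard_alerts}
        other = max(self.wildcard - self.standard_alerts, 0)
        self.tracked, self.wildcard = {}, 0
        if per_pair or other:
            return [("summary", per_pair, other)]
        return []

    def close(self) -> List[tuple]:
        """Flush at the end of the stream (end of the last window)."""
        self.window_start = None
        return self._close_window()


def simulate(events, window_seconds: int, standard_alerts: int, max_tracked: int) -> List[tuple]:
    sup = AlertSuppressor(window_seconds, standard_alerts, max_tracked)
    out = []
    for ts, attack, src, dst in events:
        out.extend(sup.process(ts, attack, src, dst))
    out.extend(sup.close())
    return out


# Constructed event stream (not appliance output): (seconds, attack, source, destination).
SAMPLE_EVENTS = [
    (0,  "Port Scan", "10.0.0.5", "10.0.0.9"),
    (5,  "Port Scan", "10.0.0.5", "10.0.0.9"),
    (10, "Port Scan", "10.0.0.5", "10.0.0.9"),               # third instance: suppressed
    (12, "Port Scan", "10.0.0.5", "10.0.0.9"),               # fourth instance: suppressed
    (15, "Endpoint Scan", "10.0.0.6", "10.0.0.9"),           # second tracked combination
    (20, "P2P: BitTorrent", "10.0.0.7", "10.0.0.9"),         # third combination: wildcard
    (25, "Suspicious Connection", "10.0.0.8", "10.0.0.9"),   # wildcard
    (30, "P2P: BitTorrent", "10.0.0.7", "10.0.0.9"),         # wildcard, third: suppressed
    (65, "Port Scan", "10.0.0.5", "10.0.0.9"),               # window expired: summary, new window
]

if __name__ == "__main__":
    for event in simulate(SAMPLE_EVENTS, window_seconds=60, standard_alerts=2, max_tracked=2):
        print(event)
```

With a 60 second window, 2 standard alerts and 2 tracked combinations, nine detections become six individual alerts and one summary that reports two suppressed Port Scan instances for 10.0.0.5 to 10.0.0.9 plus one suppressed instance in the wildcard bucket. The point for tuning: a small "for up to [X] combinations" value is what makes the wildcard bucket swallow attacker and target detail, so size it for the number of distinct sources you expect during a scan, not for the typical quiet hour.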

Send notifications for quarantined attacks


You can define whether and how administrators are notified when endpoints are quarantined. This can be done only at the root
level and is inherited by the child domains.

Task
1. Select Manager → Setup → Notification → NTBA Quarantine Events.
The Syslog page is displayed.

Syslog page

2. Configure the following fields.

Field                       Description

Enable Syslog Notification  Yes is enabled; No is disabled.

Server Name or IP Address   Enter the host name or IP address of the syslog server to which alerts are sent.
                            The IP address can be either IPv4 or IPv6.

UDP Port                    Port on the target syslog server that is authorized to receive syslog messages.
                            Syslog over UDP is neither authenticated nor encrypted, so send it across a
                            trusted management network or to a local collector that relays over TLS.

Facility                    Standard syslog facility value; it is combined with the mapped severity to form
                            the priority of each message. The choices are as follows:
                            ◦ Security/authorization (code 4)
                            ◦ Security/authorization (code 10)
                            ◦ Log audit (note 1)
                            ◦ Log alert (note 1)
                            ◦ Clock daemon (note 2)
                            ◦ Local user 0 (local0)
                            ◦ Local user 1 (local1)
                            ◦ Local user 2 (local2)
                            ◦ Local user 3 (local3)
                            ◦ Local user 4 (local4)
                            ◦ Local user 5 (local5)
                            ◦ Local user 6 (local6)
                            ◦ Local user 7 (local7)

Severity Mapping            You can map each NTBA severity (Informational, Low, Medium, or High) to one of
                            the standard syslog severities listed below:
                            ◦ Emergency - System is unusable
                            ◦ Alert - Action must be taken immediately
                            ◦ Critical - Critical conditions
                            ◦ Error - Error conditions
                            ◦ Warning - Warning conditions
                            ◦ Notice - Normal but significant condition
                            ◦ Informational - Informational messages
                            ◦ Debug - Debug-level messages

3. Click Save.
Note: You must click Save before you can customize the message format to be sent to your syslog server. The Customization
option is available only if notification is enabled against Enable Syslog Notification.
4. Select a Message Preference to customize the format of the message to be sent to your syslog server.

Field            Description

System default   The default message is a summary of an alert with two fields for easy recognition: Attack Name
                 and Attack Severity. A default message reads: Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$).

Customized       Create a custom message.

Create a custom message


You can create a custom message by selecting the parameters for the desired alert identification format.

Task
1. Select Manager → Setup → Notification → NTBA Quarantine Events.
2. In Message Preference, select the Customized option and click Edit.
The Customize Message page is displayed.
3. Type custom text in the Message field and click the Content-Specific Variables you want to include; each click moves the
variable into the Message field, giving the alert identification format you want.

Custom Message page



4. Click Save to return to the Syslog page.
5. Click Save.
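
The Facility and Severity Mapping choices above, together with the message format, become a syslog priority and payload. The following Python code, an added example rather than product code, builds the RFC 5424 line the collector would receive: PRI is the facility code times 8 plus the mapped severity, and $NAME$ tokens are substituted from the alert. $IV_ATTACK_NAME$ and $IV_ATTACK_SEVERITY$ are the variables named on the page; IV_ALERT_TIME, IV_SOURCE_IP, IV_DEST_IP, the facility labels used as dictionary keys, the severity mapping values and the sample alert are assumptions of this example.

```python
import re
import socket
from typing import Dict

# Syslog facility codes (RFC 5424, section 6.2.1) for the choices the Syslog page offers.
FACILITY_CODES = {
    "Security/authorization (code 4)": 4,
    "Security/authorization (code 10)": 10,
    "Log audit": 13,
    "Log alert": 14,
    "Clock daemon": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

# Syslog severities in the order listed under Severity Mapping.
SYSLOG_SEVERITIES = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}

# One possible Severity Mapping (an assumed configuration, not a product default).
SEVERITY_MAPPING = {"Informational": "Informational", "Low": "Notice", "Medium": "Warning", "High": "Alert"}

# The System default message shown on the page.
DEFAULT_TEMPLATE = "Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)"


def priority(facility_code: int, syslog_severity: str) -> int:
    """PRI = facility * 8 + severity, the number inside the <...> header."""
    return facility_code * 8 + SYSLOG_SEVERITIES[syslog_severity]


def render_template(template: str, variables: Dict[str, str]) -> str:
    """Substitute $NAME$ tokens; unknown tokens are left intact so a typo stays visible in the log."""
    return re.sub(r"\$([A-Z0-9_]+)\$", lambda m: str(variables.get(m.group(1), m.group(0))), template)


def build_syslog_line(alert: Dict[str, str], template: str = DEFAULT_TEMPLATE, facility: str = "local0",
                      mapping: Dict[str, str] = SEVERITY_MAPPING, hostname: str = "ntba-manager",
                      appname: str = "NTBA") -> str:
    """Assemble an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = priority(FACILITY_CODES[facility], mapping[alert["IV_ATTACK_SEVERITY"]])
    return f"<{pri}>1 {alert['IV_ALERT_TIME']} {hostname} {appname} - - - {render_template(template, alert)}"


def send_udp(line: str, host: str, port: int = 514) -> int:
    """Send one line to the syslog server over UDP (unauthenticated, unencrypted, fire and forget)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


# Constructed alert: IV_ATTACK_NAME and IV_ATTACK_SEVERITY are the variables the page names;
# IV_ALERT_TIME, IV_SOURCE_IP and IV_DEST_IP are assumed names for this example.
SAMPLE_ALERT = {
    "IV_ATTACK_NAME": "Suspicious Connection",
    "IV_ATTACK_SEVERITY": "High",
    "IV_ALERT_TIME": "2021-11-28T09:00:00Z",
    "IV_SOURCE_IP": "10.0.0.5",
    "IV_DEST_IP": "203.0.113.7",
}

if __name__ == "__main__":
    print(build_syslog_line(SAMPLE_ALERT))
    print(build_syslog_line(SAMPLE_ALERT,
                            template="Quarantine $IV_SOURCE_IP$ -> $IV_DEST_IP$: $IV_ATTACK_NAME$",
                            facility="Security/authorization (code 10)"))
```

For the sample alert with facility local0 and High mapped to Alert, the line begins with <129>, so a collector rule that keys on facility 16 severity 1 picks it up; the same alert sent under Security/authorization (code 10) becomes <81>. When you write a customized message, keep the attack name and severity in it, because a collector that receives only free text has nothing reliable to parse, and leave unknown tokens unexpanded (as this renderer does) so a misspelled variable shows up in the log rather than silently producing an empty field.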

Add flow exclusion


You can exclude processing of all flow data, or of Layer 7 (L7) data only, for specific networks by adding their IP addresses to the
exclusion list. Excluded data is not displayed, stored, or analyzed for threats, so every exclusion is a blind spot for the appliance's
detections; keep the list short and review it periodically.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Flow Exclusions.
Note: You can also add exclusions at the root node. This is explained in the following section.
The Flow Exclusions page is displayed.
2. Click New.
Note: By default, the Inherit CIDR Exclusion List checkbox is selected. The New button is enabled on deselecting this checkbox.
3. Provide the IP address and the gateway port of the endpoint you want to exclude.

Add exclusions page

4. From the drop-down list, select Exclude all flow data or Exclude only L7 flow data.
5. Click Add and click Save.
6. Click Edit or Delete to make updates to the existing exclusion.

Inherit exclusions to child domains


You can set exclusions at the root level so that they are inherited by the child domains.

Task
1. Select Devices → <Admin Domain Name> → Global → NTBA Device Settings → Device Settings → Setup → Flow Exclusions.
The Flow Exclusions page is displayed.



Flow Exclusions page

2. If you want the child nodes to inherit the exclusion list, select the Inherit CIDR Exclusion list from GTI Participation Page checkbox.
3. Click Save.

Deploy configuration changes on device


For the exclusions to be implemented, you must deploy configuration changes on your device.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Deploy Pending Changes.
The Deploy Pending Changes page is displayed.

Deploy Pending Changes page

2. Select the Configuration & Signature Set checkbox for the device and click Update.
A pop-up window displays that the download is in progress.
3. When the download completes, click Close Window.

Configure services
Services map ports to protocols for reporting and policy configuration display purposes. You can view the default services and
define custom ones through the Services page.

Task
1. Select Manager → <Admin Domain Name> → Setup → Network Threat Behavior Analysis → Services.
The Services page is displayed, with the default services already listed.



Services page

2. Click New.
The New Service page is displayed.

New Service page

3. Configure the following:


◦ Select the Enabled? checkbox if you want to enable the service once you create it. (Do not select this checkbox if you wish to
enable it later using the Edit option).
◦ Enter a name for the service.
◦ Select the protocol from the Protocol drop-down list.
◦ Enter the port values against Ports and click Add to add it to the list of ports. (You can select a listed port and click Remove to
remove it from the list).
4. Click Save.
The newly configured service is listed on the Services page.
Note: You can select a custom service and click Edit to edit the settings.

Configure exporter access


You can control how the NTBA Appliance accesses the exporters that export NetFlow information to it by configuring the SNMP and
SSH parameters on the Exporter Access page.



The NTBA Appliance uses SNMP to poll exporters and gather device-specific information, such as quantity and type of interfaces
according to set parameters.
NTBA Appliances use SSH to add ACLs to exporters when configured to quarantine in response to alerts.

Task
1. Select Devices → <Admin Domain Name> → Global → NTBA Device Settings → Device Settings → Setup → Exporter Access.
The Exporter Access page is displayed.

Exporter Access page

2. Configure the following:


◦ Enter the UDP port number against UDP Port.
◦ Select the SNMP version (2c or 3) from the drop-down list against SNMP Version.
The following fields appear only when SNMP Version 3 is selected.

Choices for SNMP Version 3

Field                     Description

Security Level            Specifies the authentication level. The categories are:
                          ◦ Authentication and Privacy (AuthPriv) — Provides authentication based on the MD5 or
                            SHA algorithms, plus encryption based on the DES or AES standards.
                          ◦ Authentication Only (AuthNoPriv) — Provides authentication based on the MD5 or SHA
                            algorithms, without encryption.
                          ◦ No Authentication and No Privacy (NoAuthNoPriv) — Uses a user name match only;
                            messages are neither authenticated nor encrypted.

The following fields are enabled or disabled according to the selection in Security Level.

User Name                 User name for authentication.

Authentication Protocol   The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3
                          messages.
                          Note: Applicable when Authentication and Privacy (AuthPriv) or Authentication Only
                          (AuthNoPriv) is selected as Security Level.

Authentication Key        Authentication key used for authenticating SNMP version 3 messages.
                          Note: Applicable when Authentication and Privacy (AuthPriv) or Authentication Only
                          (AuthNoPriv) is selected as Security Level.

Encryption Protocol       The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages.
                          Note: Applicable when Authentication and Privacy (AuthPriv) is selected as Security
                          Level.

Encryption Key            Encryption key used for the selected privacy protocol.
                          Note: Applicable when Authentication and Privacy (AuthPriv) is selected as Security
                          Level.

Where the exporters support it, choose AuthPriv with SHA and AES: MD5 and DES are the legacy SNMPv3 options, and NoAuthNoPriv
gives no protection against spoofed or intercepted polls.
◦ Type a string against Read Only Community String (applicable when SNMP Version 2c is selected). SNMP version 2c sends the
community string in clear text with every request, so treat it as a secret exposed on the wire and keep it limited to read-only access.
◦ Enter the SNMP Polling Interval in minutes.
3. Enter the User Name, Password, and the Write Password for the SSH Parameters. Because these credentials let the appliance add
ACLs to exporters, use a dedicated account with only the privileges that change requires and rotate it as you would any other
privileged credential.
4. Click Save.

How communication rules work


Communication rules provide a mechanism to match network traffic through flow fields and generate alerts when there is a
match.
Communication rules are applied to network traffic flows in relation to an NTBA policy. For instance, for a given NTBA policy you
can set a communication rule that matches the BitTorrent application and the Remote Desktop protocol. When a flow meets the
rule's criteria, an alert is raised.
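
The following Python evaluator, added here and not product code, shows how a communication rule's criteria (zones, GTI risk selectors, applications, effective time) are tested against a flow and which Appliance Action results; it includes the BitTorrent and Remote Desktop rule from the paragraph above plus a second rule keyed on source risk. The Flow and CommunicationRule structures, the treatment of "Unverified+" as unverified or worse, the daily time window standing in for a time rule object, and all sample data are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# McAfee GTI endpoint classes ranked lowest to highest risk.
RISK_RANK = {"Minimal Risk": 0, "Unverified": 1, "Medium Risk": 2, "High Risk": 3}

# Risk selectors from the Source/Destination Risk drop-down, as a minimum rank.
# Assumption: "Unverified+" means unverified or worse, by analogy with "Medium+".
RISK_SELECTORS = {
    "Any": 0,
    "Unverified+ Risk Endpoints": 1,
    "Medium+ Risk Endpoints": 2,
    "High Risk Endpoints": 3,
}


@dataclass
class Flow:
    src_ip: str
    src_zone: str
    src_risk: str
    dst_ip: str
    dst_zone: str
    dst_risk: str
    application: str
    seen_at: datetime


@dataclass
class CommunicationRule:
    name: str
    enabled: bool = True
    source_zones: Set[str] = field(default_factory=set)   # empty set = any zone
    source_risk: str = "Any"
    dest_zones: Set[str] = field(default_factory=set)
    dest_risk: str = "Any"
    applications: Set[str] = field(default_factory=set)   # empty set = any application
    # Effective time modelled as a daily window (assumption; the product uses time rule objects).
    effective_from: Optional[time] = None
    effective_to: Optional[time] = None
    quarantine: str = "Disabled"    # Appliance Actions: Quarantine Source/Destination/both/Disabled
    alert_severity: int = 5         # Alert Severity 0..9

    def matches(self, flow: Flow) -> bool:
        if not self.enabled:
            return False   # disabled rules are not even sent to the appliance
        if self.source_zones and flow.src_zone not in self.source_zones:
            return False
        if self.dest_zones and flow.dst_zone not in self.dest_zones:
            return False
        if RISK_RANK[flow.src_risk] < RISK_SELECTORS[self.source_risk]:
            return False
        if RISK_RANK[flow.dst_risk] < RISK_SELECTORS[self.dest_risk]:
            return False
        if self.applications and flow.application not in self.applications:
            return False
        if self.effective_from is not None and self.effective_to is not None:
            if not (self.effective_from <= flow.seen_at.time() <= self.effective_to):
                return False
        return True


def evaluate(rules: List[CommunicationRule], flows: List[Flow]) -> List[Tuple[str, str, str, int]]:
    """Return (rule name, application, quarantine action, severity) for every rule/flow match."""
    hits = []
    for flow in flows:
        for rule in rules:
            if rule.matches(flow):
                hits.append((rule.name, flow.application, rule.quarantine, rule.alert_severity))
    return hits


# Constructed rules and flows (not product data).
SAMPLE_RULES = [
    CommunicationRule("P2P and RDP from inside", source_zones={"Inside"},
                      applications={"BitTorrent", "Remote Desktop Protocol"},
                      effective_from=time(8, 0), effective_to=time(18, 0),
                      quarantine="Quarantine Source", alert_severity=7),
    CommunicationRule("Inbound from high-risk hosts", dest_zones={"Inside"},
                      source_risk="High Risk Endpoints",
                      quarantine="Quarantine Source", alert_severity=8),
]

SAMPLE_FLOWS = [
    Flow("10.0.0.5", "Inside", "Minimal Risk", "203.0.113.7", "Outside", "High Risk",
         "BitTorrent", datetime(2021, 11, 28, 14, 0)),
    Flow("198.51.100.9", "Outside", "High Risk", "10.0.0.20", "Inside", "Minimal Risk",
         "Remote Desktop Protocol", datetime(2021, 11, 28, 14, 5)),
    Flow("10.0.0.5", "Inside", "Minimal Risk", "203.0.113.7", "Outside", "High Risk",
         "BitTorrent", datetime(2021, 11, 28, 3, 0)),      # outside the effective time
    Flow("10.0.0.6", "Inside", "Minimal Risk", "203.0.113.50", "Outside", "Minimal Risk",
         "HTTPS", datetime(2021, 11, 28, 14, 10)),
]


def evaluate_sample() -> List[Tuple[str, str, str, int]]:
    return evaluate(SAMPLE_RULES, SAMPLE_FLOWS)
```

Only two of the four sample flows match: the daytime BitTorrent flow from the inside zone and the inbound Remote Desktop flow from a High Risk source. An empty criterion matches everything, which is why a rule with no zone, risk or application set and a quarantine action would quarantine every endpoint the appliance sees; the Scope and State fields are the brakes on that.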

View communication rules


The Communication Rules page displays the pre-defined Communication rules.

Task
1. In the Manager, click Policy and then select the required Domain.
2. Select Network Threat Behavior Analysis → Communication Rules.
The Communication Rules page is displayed.

The options on this page are as follows.

Option definitions

Field             Description

Search            Type search criteria in the field to find the communication rules with matching elements.

State             Specifies whether the communication rule is Enabled or Disabled. Disabled rules are not sent to NTBA.

Name              Displays the name of the NTBA communication rule.

Scope             Specifies the device to which the communication rule is applicable.

Source            Zone — Specifies the source zone for the communication rule.
                  Risk/Address — Specifies the severity of the risk and the IP address or country name of the risk source.

Destination       Zone — Specifies the destination zone for the communication rule.
                  Risk/Address — Specifies the severity of the risk and the IP address or country name of the risk destination.

Application       Specifies the name of the applications or the services for which the communication rule is applicable.
                  Note: Services are created in the Services page in Manager → <Admin Domain Name> → Setup → Network Threat
                  Behavior Analysis → Services.

URLs              Specifies the Risk/URLs for which the communication rule is applicable.

Files             Specifies the files for which the communication rule is applicable.

Effective time    Specifies the time from which the communication rule is applicable.

Response Actions  Appliance — Specifies the Sensor's response actions: whether to quarantine, and the severity of the alert.
                  Manager — Specifies the Manager response actions. Example: Send syslog message.

Last Updated      Time — Specifies the time when the rule was last updated.
                  By — Specifies the name of the user who last updated the rule.

Comment           Any comments regarding the rule.

Add (icon)        Adds a new communication rule from the Rule Details panel.

Edit (icon)       Modifies an existing communication rule's details.

Clone (icon)      Copies or clones an existing communication rule.

Delete (icon)     Deletes the selected communication rule.

Save as CSV       Saves the communication rules in CSV format.
                  Note: Only those communication rules that are displayed in the Communication Rules page are saved.

The Communication Rules page does not necessarily display every rule object that has been created. For example, the Risk/Address
field may display only three rule objects when four were created in the communication rule; all four can be seen in the Rule Details
panel. When you save the communication rules, only the three rule objects displayed on the page are saved.
You can use the following options to customize your view in the right panel.

Name      Description

Hide      Hide a section in the right panel.

Expand    Expand a section in the right panel.

View inherited communication rules


When a child domain is created, it automatically inherits the communication rules of its parent. To override communication rule
inheritance from parent, create a rule that is specific to that child domain.

Task
1. Click Policy and then select the specific child domain.
2. Select Network Threat Behavior Analysis → Communication Rules.
The Communication Rules page of the child domain is displayed.

3. From the drop-down list, select any of the following options:


◦ Show Inherited Rules — Displays the communication rules inherited from the parent domain and the communication rules
created in the child domain.
◦ Hide Inherited Rules — Hides the display of communication rules inherited from the parent domain.
Note: In the child domain, the communication rules that are inherited from the parent domain cannot be modified.



Filter and sort communication rules
The Communication Rules page has useful filtering options for locating communication rules. To choose which columns are displayed,
click a column header and then select or clear the check box for each column to be shown or hidden in the Communication Rules page.
Two filtering options are available:
• List based filter
• String based filter
List based filter
A list based filter is available for those columns where the communication rules displayed are selected from specific criteria listed
in the column.

To view the communication rules based on a selected criterion:

1. Click the down arrow in the column header.
2. In the menu, place the mouse pointer over the Columns option.
3. Select the check boxes of the column names that you wish to display.

String based filter


A string based filter is available for those columns where the communication rules displayed are those matching the criteria typed in
the Search text field.

To view the display of communication rules based on a search option:



Type the first few characters in the Search text field. The communication rules matching the typed characters are displayed on the
page.
Sort communication rules
You can sort the display of communication rules in ascending or descending order.
To sort the display of communication rules:

1. Click the down arrow in the column header.
2. Select Sort Ascending or Sort Descending as required.
The column on which the communication rules list is sorted is indicated in the column header by an up arrow icon for ascending
order and a down arrow icon for descending order.

Add communication rules


Follow the steps below to create communication rules.

Task
1. Select Policy → Network Threat Behavior Analysis → Communication Rules.
The Communication Rules page is displayed.

2. Click the add icon.
The Rule Details panel is displayed.

3. Specify your options in the corresponding fields.

Field                      Description

State                      Specifies whether the communication rule is Enabled or Disabled. Disabled rules are not sent to NTBA.

Name                       Type the name of the NTBA communication rule.

Comment                    Type any additional comments.

Modified                   Name of the user who last modified the rule.

Owner Domain               The name of the admin domain under which the communication rule is added.

Editable here              Yes indicates that the communication rule is owned by the current admin domain.
                           No indicates that the communication rule is not owned by the current admin domain.

Scope                      Select one or more devices to match the criteria.

Source Zone                Configure communication rules for an inside or outside source domain zone.
                           1. Select an inside or outside source domain zone from the drop-down list.
                           2. Click the add icon to add the source domain zone to the list.
                           Click the remove icon to remove the source zone from the list.

Source Risk/Address        Select the risk type from the Risk drop-down list. The available options are:
                           ◦ Any — Endpoints with any risk severity.
                           ◦ High Risk Endpoints — Endpoints with high risk severity.
                           ◦ Medium+ Risk Endpoints — Endpoints with medium or high risk severity.
                           ◦ Unverified+ Risk Endpoints — Endpoints with unverified risk severity.
                           You can match on either the risk level or the IP address. From the Address drop-down list, select
                           a rule object.
                           Click the add icon to add a rule object.
                           Click the edit icon to edit or view a rule object.
                           Click the remove icon to remove a rule object from the list.

Destination Zone           Configure communication rules for an inside or outside destination domain zone.
                           1. Select an inside or outside destination domain zone from the drop-down list.
                           2. Click the add icon to add the destination zone to the list.
                           Click the remove icon to remove the destination zone from the list.

Destination Risk/Address   Select the risk type from the Risk drop-down list. The available options are:
                           ◦ Any — Endpoints with any risk severity.
                           ◦ High Risk Endpoints — Endpoints with high risk severity.
                           ◦ Medium+ Risk Endpoints — Endpoints with medium or high risk severity.
                           ◦ Unverified+ Risk Endpoints — Endpoints with unverified risk severity.
                           From the Address drop-down list, select a rule object.
                           Click the add icon to add a rule object.
                           Click the edit icon to edit or view a rule object.
                           Click the remove icon to remove a rule object from the list.

Application                Configure the application object for the communication rule.
                           1. From the Available drop-down list, select the application.
                           2. Click the add icon to add an application or service object.
                           Click the new icon to add a new application object.
                           Select a rule object and click the edit icon to edit or view an application object.
                           Note: Services cannot be edited in this page.
                           Click the remove icon to remove an application object.

Effective Time             Configure the effective time for the communication rule.
                           1. From the Available drop-down list, select a rule object.
                           2. Click the add icon to add the existing rule object.
                           Click the new icon to add a new rule object.
                           Click the edit icon to edit or view a time object.
                           Click the remove icon to remove a time object.

URLs                       Select the risk level of URLs that are applicable for the communication rule. The available
                           options are:
                           ◦ Any
                           ◦ High Risk URLs
                           ◦ Medium+ Risk URLs
                           ◦ Unverified+ Risk URLs
                           To add a new URL, type the URL in the URL text field and click Add.
                           Note: Do not prefix the domain name with the protocol (http://). Type only the domain name,
                           for example www.google.com.
                           Click the remove icon to remove a URL from the list.

Files                      Type the file name that is applicable for the communication rule and click the add icon.
                           Click the remove icon to remove a file from the list.

Appliance Actions          Select a quarantine action and the severity level of the alert.
                           In the Quarantine drop-down list, select one of the following options:
                           ◦ Quarantine Destination
                           ◦ Quarantine Source
                           ◦ Quarantine Source and Destination
                           ◦ Disabled
                           Because a quarantine action results in ACLs being pushed to the exporters (see Configure
                           exporter access), test a new rule with Quarantine set to Disabled and review the alerts it
                           raises before enabling quarantine.
                           The Alert field displays the status Send alert to Manager and is not editable.
                           Select the Alert Severity. The available options are:
                           ◦ Info - 0
                           ◦ Low - 1
                           ◦ Low - 2
                           ◦ Low - 3
                           ◦ Medium - 4
                           ◦ Medium - 5
                           ◦ Medium - 6
                           ◦ High - 7
                           ◦ High - 8
                           ◦ High - 9

Manager Actions

Syslog                     Select one of the following Syslog options:
                           ◦ Send Syslog Message
                           ◦ Disabled

SNMP                       Select one of the following SNMP options:
                           ◦ Send SNMP trap
                           ◦ Disabled

E-Mail                     Select one of the following email options:
                           ◦ Send E-Mail Message
                           ◦ Disabled

Pager                      Select whether to send an alert to a configured pager:
                           ◦ Send Page
                           ◦ Disabled

Script                     Select one of the following script options:
                           ◦ Run script
                           ◦ Disabled

Auto-acknowledge alert     Select one of the following auto-acknowledge options:
                           ◦ Auto-Acknowledge Alert
                           ◦ Disabled
4. Click Save to save the communication rule.

Clone communication rules


You can clone communication rules at the Network Threat Behavior Analysis node.



Task
1. Select Policy → Network Threat Behavior Analysis → Communication Rules.

2. Select the communication rule you want to clone and click the clone icon.


You can use Search to quickly find a communication rule.
3. Make changes, if any and click Save.

Delete communication rules


Task
1. Select Policy → Network Threat Behavior Analysis → Communication Rules.
The Communication Rules page is displayed.

2. Select the communication rule you want to delete and click the delete icon.


3. Confirm to delete the communication rule.

Configure name resolution


The NTBA Appliance collects flow information from network routers and Sensors. You can set the DNS Settings values used to
resolve names in the collected flow information.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Name Resolution.
The Name Resolution page is displayed.

Name Resolution page

Note: By default, the Inherit Settings? checkbox is selected. Deselect the checkbox to enable the fields in the Name Resolution
section.
2. Configure the following:
◦ Select the Enable Name Resolution? checkbox to enable it (Do not select this checkbox if you want to disable this feature).
◦ Specify the IP addresses for Primary DNS Server and Secondary DNS Server.
◦ Specify the Refresh Interval in hours.
3. Click Test Connection to check the DNS connection with primary DNS server.
4. Click Save.

How Global Threat Intelligence integrates with NTBA


McAfee® Global Threat Intelligence™ (formerly McAfee® TrustedSource™ ) is a global threat correlation engine and intelligence
base of global messaging and communication behavior; including reputation, volume, trends, email, web traffic, and malware.



McAfee GTI can be integrated with NTBA. Having evolved to become a worldwide communications security resource, Global
Threat Intelligence (McAfee GTI) and global internet communications behavior intelligence is incorporated into products across
McAfee appliances and service suite, as well as into appliances and services of other companies and organizations. The
additional knowledge provided by McAfee GTI data enables appliances and services to more accurately filter communications
and protect electronic communications and transactions between people, companies, and countries.
McAfee GTI receives and analyzes billions of queries per month from McAfee's network of sensors deployed to protect consumer
and enterprise network traffic in 120 countries, collecting and correlating threat data for URLs, IP addresses, domains, and
content.
McAfee GTI assigns a reputation score and further classifies network identities and content with a risk level based on an in-depth
highly sophisticated analysis derived by processing thousands of behavior attributes to profile each network traffic sender,
website, domain, and content.
McAfee GTI is the first and only reputation system to combine traffic data, routing, IP/domain registration data, and network
characteristics with the unparalleled breadth of the global customer base of McAfee.
For each IP address on the internet, McAfee GTI calculates a reputation value based on sending or hosting behavior and various
environmental data.
McAfee GTI automatically collects, aggregates, and correlates this data from customers as well as partners to assess the state of
internet threat landscape.
McAfee GTI reputation is expressed in four classes:

McAfee GTI classes

◦ Minimal Risk — Indicates this is a legitimate source or destination of content/traffic. McAfee GTI also defines the reputation of
private addresses that are not seen on the public internet to be minimal risk.
◦ Unverified — Indicates that this appears to be a legitimate source or destination of content/traffic, but also displays certain
properties suggesting that further inspection is necessary.
◦ Medium Risk — Indicates that this source/destination shows behavior believed to be suspicious and content/traffic to or from it
requires special scrutiny.
◦ High Risk — Indicates that this source/destination does or will send/host potentially malicious content/traffic and is believed to
present a serious risk.
In the context of NTBA, McAfee GTI provides reputation and country of origin information. Endpoint communication rules can
use that information as matching criteria. For example, you can generate an alert in the Attack Log if the source of a connection
is from a specific country or is known to be malicious.

Configure IP Reputation at the global level


Before you begin
You must have enabled sending alert data details on the Manager → <Admin Domain Name> → Integration → GTI page to configure
settings on this page.
If you configure IP reputation at the global node, it is reflected in the child nodes.

Task
1. Select Devices → <Admin Domain Name> → Global → NTBA Device Settings → Zone Settings → IP Reputation.
The IP Reputation page is displayed.



2. Select the NTBA checkbox under State to enable Global Threat Intelligence IP Reputation.
3. Set the list of services to be excluded from or included in the McAfee GTI lookups by moving them under Excluded Services or
Included Services with the left and right arrows under the Service-Based Lookups field.
4. Select Inherit CIDR Exclusion list from GTI Participation page to add the exclusion list directly from Manager → <Admin Domain Name> →
Integration → GTI.
5. Click Add to add the CIDR block to the Excluded Endpoints list.
6. Click Delete to remove a CIDR block from the Excluded Endpoints list.
7. Click Save.
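The exclusion and matching logic behind the settings above, as an added example in Python that is not part of this guide or of the NTBA product: the reputation feed, the service names and the flow records are constructed stand-ins, and the private-address check uses the RFC 1918 ranges because the page only states that private addresses are treated as Minimal Risk.

```python
import ipaddress
from dataclasses import dataclass

# Reputation classes exactly as named on this page.
MINIMAL_RISK = "Minimal Risk"
UNVERIFIED = "Unverified"
MEDIUM_RISK = "Medium Risk"
HIGH_RISK = "High Risk"

# Constructed stand-in for a GTI lookup: address -> (class, country code).
# Addresses come from documentation ranges; the country codes are placeholders.
SAMPLE_FEED = {
    "203.0.113.10": (HIGH_RISK, "XX"),
    "198.51.100.7": (MEDIUM_RISK, "YY"),
    "192.0.2.25": (UNVERIFIED, "ZZ"),
}

# RFC 1918 space, used here as the meaning of "private addresses" (an assumption of this example).
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    service: str  # service names such as "HTTP" are an assumption of this example


@dataclass
class ReputationSettings:
    """Mirrors the IP Reputation page: State, Service-Based Lookups, Excluded Endpoints."""
    enabled: bool = True
    included_services: frozenset = frozenset({"HTTP", "HTTPS", "SMTP", "DNS"})
    excluded_endpoints: tuple = ()  # CIDR strings, like the Excluded Endpoints list


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)


def lookup_reputation(ip, feed=SAMPLE_FEED):
    """Return (class, country). Private addresses never reach the feed: the page
    defines addresses not seen on the public internet as Minimal Risk."""
    if is_private(ip):
        return (MINIMAL_RISK, None)
    return feed.get(ip, (MINIMAL_RISK, None))


def should_lookup(ip, service, settings):
    """A lookup happens only if reputation is enabled, the service is in the
    Included Services list and the address is not in an excluded CIDR block."""
    if not settings.enabled or service not in settings.included_services:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(block) for block in settings.excluded_endpoints)


def evaluate_flow(flow, settings, alert_classes=frozenset({HIGH_RISK}), alert_countries=frozenset()):
    """Endpoint communication rule: alert when the source is in a watched reputation
    class or originates from a watched country. Returns the alert reason or None."""
    if not should_lookup(flow.src_ip, flow.service, settings):
        return None
    rep_class, country = lookup_reputation(flow.src_ip)
    if rep_class in alert_classes:
        return f"source {flow.src_ip} has reputation {rep_class}"
    if country in alert_countries:
        return f"source {flow.src_ip} originates from country {country}"
    return None


if __name__ == "__main__":
    print(evaluate_flow(Flow("203.0.113.10", "10.0.0.5", "HTTP"), ReputationSettings()))
```

Note that the exclusion checks run before any lookup, which is the point of the Excluded Services and Excluded Endpoints lists: traffic for those services or from those blocks never generates a GTI query, so it can never raise a reputation-based alert either.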

Configure IP Reputation at the zone level


You can also configure IP reputation at the zone level.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Zones → Outside Zones → Default Outside Zone → IP Reputation.
The IP Reputation page is displayed.

IP Reputation page

2. By default, the Inherit Settings? checkbox is selected. Keep it selected to inherit the settings from the Global node. Deselect this
checkbox to configure Global Threat Intelligence IP Reputation settings at the zone name level.

3. Select the NTBA checkbox under State to enable Global Threat Intelligence IP Reputation.
4. Set the list of services to be excluded from or included in the McAfee GTI lookups by moving them under Excluded Services or
Included Services with the left and right arrows under the Service-Based Lookups field.
5. Click Add to add the CIDR block to the Excluded Endpoints list.
6. Click Delete to remove a CIDR block from the Excluded Endpoints list.
7. Click Save.
Before configuring the McAfee GTI integration with NTBA, it must be enabled at Manager → <Admin Domain Name> → Integration →
GTI.
In exchange for detailed alert information, full integration with the McAfee GTI is enabled. Full integration permits you to
report, filter, and sort endpoints involved in attacks based on their network reputation and/or country of origin.
In exchange for alert summary information, partial integration with the McAfee GTI is enabled. Partial integration permits you
to right-click an alert and view the network reputation and country of origin for its source or destination endpoint.
To optimize the use of the McAfee GTI, only send alert data (and retrieve the McAfee GTI information) for attacks for which you
are most interested in viewing endpoint reputation and country information.
With the exception of the optional contact information, all data is sent anonymously.
Note: Firewall port 443 (port for the McAfee GTI queries) and port 80 (port for the McAfee GTI database download) should be
open for the McAfee GTI information to be displayed in the NTBA monitors.
Note: The NTBA Appliance performs endpoint lookups through NetBIOS or DNS, so this type of network traffic originating from
NTBA is normal.
Note: For more information on configuring the McAfee GTI integration in the Manager, see McAfee Network Security Platform
Integration Guide.

Configure miscellaneous settings


You can specify corporate e-mail domain, which is used to identify compromised internal endpoints acting as spambots.

Task
1. Select Manager → <Admin Domain Name> → Setup → Network Threat Behavior Analysis → Miscellaneous.
The Miscellaneous configuration page is displayed.

Miscellaneous page

2. Type the corporate email domain(s) against E-mail Domain.

This information is used to identify compromised internal endpoints acting as spambots. The NTBA examines whether the
domain name of each email address it receives is one of the domain names specified against E-mail Domain; if it is not, the
source IP is treated as a candidate for callback activity.
3. Do the following:
◦ Enter the value of N used for the Top N lists in the Miscellaneous page under Manager Presentation against The Value of N in Top N
Lists.
◦ Set the time limit (days) within which endpoints/protocols seen for the first time are considered new, under Manager Presentation
against Consider Endpoints/Protocols "New" if Seen for First Time Within.
◦ Set the number of previous days used as the reference period for that check, under Manager Presentation against Consider
Endpoints/Protocols "New" if Seen for First Time With Reference Days As.
4. Click Save.
Note: The value entered in Consider Endpoints/Protocols "New" if Seen for First Time With Reference Days As is the number of previous
reference days. For example, if this value is set to 90 and the value for Consider Endpoints/Protocols "New" if Seen for First Time Within is set
to 7, all the endpoints/protocols seen for the first time during the past 7 days, judged over the last 90 days, are presented under
Manager Presentation.
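A worked example of the two Miscellaneous settings, added here and not part of the product: the corporate domains and the endpoint sightings are constructed, and the reading of the two day counts (the first sighting inside the reference period must fall within the shorter window) follows the note above as this example's interpretation, not a statement of how the product implements it.

```python
from datetime import date, timedelta

# Constructed corporate domains, standing in for the E-mail Domain field.
CORPORATE_DOMAINS = frozenset({"example.com", "mail.example.com"})


def is_callback_candidate(sender_address, corporate_domains=CORPORATE_DOMAINS):
    """True when the sender domain of mail leaving an internal endpoint is not
    one of the corporate domains, i.e. the source IP is a spambot candidate."""
    if "@" not in sender_address:
        return True  # malformed sender: treat as suspicious rather than silently accept
    domain = sender_address.rsplit("@", 1)[1].strip().lower()
    return domain not in corporate_domains


def new_endpoints(observations, today, within_days=7, reference_days=90):
    """observations: iterable of (endpoint, date seen). An endpoint is "new" when
    its first sighting inside the reference period falls within the last
    `within_days` days. Sightings older than the reference period are ignored,
    so an endpoint unseen for longer than that is reported as new again."""
    reference_start = today - timedelta(days=reference_days)
    window_start = today - timedelta(days=within_days)
    first_seen = {}
    for endpoint, seen in observations:
        if seen < reference_start or seen > today:
            continue
        if endpoint not in first_seen or seen < first_seen[endpoint]:
            first_seen[endpoint] = seen
    return sorted(ep for ep, seen in first_seen.items() if seen >= window_start)


# Constructed sightings; "today" is fixed so the example is reproducible.
TODAY = date(2021, 11, 28)
SAMPLE_OBSERVATIONS = [
    ("10.0.0.5", date(2021, 11, 25)),   # first seen 3 days ago: new
    ("10.0.0.6", date(2021, 10, 29)),   # first seen 30 days ago ...
    ("10.0.0.6", date(2021, 11, 26)),   # ... seen again recently: not new
    ("10.0.0.7", date(2021, 8, 1)),     # outside the 90-day reference period ...
    ("10.0.0.7", date(2021, 11, 27)),   # ... so this sighting counts as the first: new
    ("10.0.0.8", date(2021, 11, 20)),   # 8 days ago: just outside the 7-day window
]
```

Widening the reference period changes the answer for 10.0.0.7: with 365 reference days its August sighting counts, so it is no longer new. That is the interaction between the two fields the note describes.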

Active device profiling


NTBA Appliances can actively scan your internal devices to identify the device type and operating system.
By default, the NTBA Appliance scans all endpoints that fall in the inside zones. Before scanning, the NTBA Appliance fetches the
list of IP addresses to scan from the Manager. The Manager then sends the passive scan information to the NTBA Appliance to
optimize the active scans.
The NTBA Appliance sends active endpoint scan details to the Manager. The Manager will consolidate data from all sources and
provide a comprehensive view of the endpoints on the network. It also uses the data for alert relevancy.
The NTBA Appliance supports CIDR/zone-based exclusions for scanning. It also supports port exclusions, which are passed as
input to the scan engine.

Scan categories
Active device profiling is performed based on these scan needs:
• Scheduled scan — You can schedule to scan a set of endpoints or all endpoints in the inside zones. The IP addresses can be
sent from the Manager too. Example: Daily, Weekly.
• Internal scan — If no scheduled scans are defined, NTBA triggers a scan on its own endpoints as per its own schedule.
You can also exclude a list of IP addresses, CIDR zones, or ports that you do not wish to scan.

Active device profiling workflow


After you define the inside zones, a scan can be performed based on this workflow.

How a scan is performed

Configure active device profiling


Perform these steps to enable active device profiling to scan the network devices.

Before you begin


Prior to enabling active device profiling, define internal zones and ports you want to scan.

Task
1. If you are installing the Manager using the Add Device Wizard, the option to enable active device profiling appears on the last
screen.
-OR-
Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Active Device Profiling.
The Active Device Profiling page is displayed.
2. Select the Enable Active Device Profiling? checkbox.
Note: The Enable Active Device Profiling? checkbox will be enabled per the NTBA Appliance. By default, it is disabled. On enabling
the checkbox, the previous configuration, if any, is displayed. This allows you to temporarily disable the option without losing
the original settings.
By enabling this checkbox, the scanning feature is enabled. This will start the scanning service. Various scan configurations can
also be enabled. The status of the device profiler service can be verified by using the service status DeviceProfiler CLI
command.

Active Device Profiling page for NTBA Appliance

3. Use this section to exclude the following from being profiled and to bypass specific TCP/UDP ports normally used by the
scanner during the profiling process:
◦ Available Zones: By default, only inside zones are profiled. Use the arrow key to move it to the excluded list.
◦ CIDR Blocks: Type and click (+) to add a CIDR block to the excluded list.
◦ TCP/UDP Ports: Type and click (+) to add a TCP/UDP port block to the excluded list. By default, NTBA scans the ports 1, 7, 9, 13,
21-23, 25-26, 37, 53, 79-81, 88, 106, 110-113, 119, 135, 139, 143-145, 179, 199, 389, 427, 443-445, 465, 513-515, 543, 544, 548,
554, 587, 631, 646, 873, 990, 993, 995, 1025-1029, 1110, 1433, 1720, 1723, 1755, 1900, 2000, 2001, 2049, 2121, 2717, 3000,
3128, 3306, 3389, 3986, 4899, 5000, 5009, 5051, 5060, 5101, 5190, 5357, 5432, 5631, 5666, 5800, 5900, 6000, 6001, 6646,
7070, 8000, 8008, 8009, 8080, 8081, 8443, 8888, 9100, 9999, 10000, 32768, 49152-49157, and 62078.
Caution: Be extremely cautious while configuring the internal and external zones. A configuration error might lead to external
endpoints being unintentionally scanned and could be considered an attack by an external organization.
4. In the Advanced section, you can set:
a. Profiling Frequency: To scan when needed or scheduled.
◦ Profile as needed: This option is for internal scan. The NTBA Appliance will decide when to scan.
◦ Profile as scheduled: This option lets you schedule the scan as you need it. Make sure you set the time based on GMT time
zone.
Note: To minimize scanning traffic, configure the schedule during off-peak hours.
b. Profile Expiration (days): Signifies the rescan time. For example, if the expiration date is set as 2 days, then the asset, if it has
been scanned before, will be scanned again only after the expiration date. After expiration, a device is profiled anew. By
default, the expiration is set as 2 days.
5. Click Save.
Note: Scanning/scan results might be filtered if devices such as IPS Sensor or Firewall are configured between the NTBA
Appliance and the endpoint to be scanned.
For more information on active device profiling, see Active device profiling.
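An added example, not the product's own code, of how the exclusions and the Profile Expiration setting above narrow the scan scope: it parses the default port list quoted in step 3, carves excluded CIDR blocks out of the inside zones, flags inside-zone blocks outside RFC 1918 space as a sanity check prompted by the Caution, and applies the rescan rule. The zone names and sample dates are constructed, and the RFC 1918 check is an assumption of this example rather than a product rule.

```python
import ipaddress
from datetime import datetime, timedelta

# Default scan ports quoted in step 3 above, in the page's own notation.
DEFAULT_PORT_SPEC = (
    "1, 7, 9, 13, 21-23, 25-26, 37, 53, 79-81, 88, 106, 110-113, 119, 135, 139, 143-145, 179, "
    "199, 389, 427, 443-445, 465, 513-515, 543, 544, 548, 554, 587, 631, 646, 873, 990, 993, 995, "
    "1025-1029, 1110, 1433, 1720, 1723, 1755, 1900, 2000, 2001, 2049, 2121, 2717, 3000, 3128, "
    "3306, 3389, 3986, 4899, 5000, 5009, 5051, 5060, 5101, 5190, 5357, 5432, 5631, 5666, 5800, "
    "5900, 6000, 6001, 6646, 7070, 8000, 8008, 8009, 8080, 8081, 8443, 8888, 9100, 9999, 10000, "
    "32768, 49152-49157, 62078"
)

# RFC 1918 ranges, used as a sanity check on inside-zone definitions (assumption of this example).
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fixed "now" so the expiration example is reproducible (constructed).
SAMPLE_NOW = datetime(2021, 11, 28, 12, 0)


def parse_port_spec(spec):
    """Parse "1, 7, 21-23" style text into a set of ports, rejecting invalid entries."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def effective_ports(excluded_spec="", default_spec=DEFAULT_PORT_SPEC):
    """Ports the profiler would probe: the default list minus the excluded entries."""
    return parse_port_spec(default_spec) - parse_port_spec(excluded_spec)


def profiling_scope(inside_zones, excluded_zones=(), excluded_cidrs=()):
    """inside_zones: {zone name: [CIDR, ...]}. Returns the networks left to profile
    after dropping excluded zones and carving excluded CIDR blocks out of the rest."""
    remaining = []
    for zone, blocks in inside_zones.items():
        if zone in excluded_zones:
            continue
        remaining.extend(ipaddress.ip_network(b) for b in blocks)
    for exclusion in (ipaddress.ip_network(c) for c in excluded_cidrs):
        carved = []
        for net in remaining:
            if net.subnet_of(exclusion):
                continue                                        # whole block excluded
            if exclusion.subnet_of(net):
                carved.extend(net.address_exclude(exclusion))   # punch a hole in the block
            else:
                carved.append(net)                              # no overlap
        remaining = carved
    return [str(n) for n in sorted(remaining)]


def non_private_zone_blocks(inside_zones):
    """Inside-zone blocks outside RFC 1918 space. Worth a second look before enabling
    profiling: a mis-drawn inside zone is how external endpoints end up scanned."""
    flagged = []
    for blocks in inside_zones.values():
        for b in blocks:
            net = ipaddress.ip_network(b)
            if not any(net.subnet_of(p) for p in PRIVATE_NETWORKS):
                flagged.append(b)
    return flagged


def needs_profiling(last_profiled, now, expiration_days=2):
    """Profile Expiration: a device already profiled is scanned again only after
    `expiration_days` have elapsed; a never-profiled device is due immediately."""
    if last_profiled is None:
        return True
    return now - last_profiled >= timedelta(days=expiration_days)
```

Running non_private_zone_blocks over the zone definitions before saving is the cheap check that catches the misconfiguration the Caution warns about; an empty result does not prove the zones are right, but a non-empty one deserves an explanation.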

Advanced malware policies


Modern advanced malware-based attacks pose acute security threats to enterprises. McAfee Network Security Platform provides
several features to detect and prevent the advanced threats prior to infection. You can also detect post infection by monitoring
the bot command and control server activity. McAfee Network Security Platform provides visibility across multiple network
vectors (endpoint, IP, user, and so on) and the ability to correlate this information over a period of time. Once a threat is
identified, understanding the root cause and exposure are critical to avoid similar threats in the future.
McAfee Network Security Platform provides a highly effective solution in identifying vulnerability and signature-based threat
vectors and preventing damage to customer networks. However, the threat landscape is evolving and malware is getting more
evasive and the activity is also spread over a bigger time frame.
For more information, refer to the McAfee Network Security Platform Product Guide.

How the McAfee Gateway Anti-Malware engine works


The McAfee Gateway Anti-Malware engine (or McAfee anti-malware engine) is a multi-platform engine that detects and blocks
malware threats—everything from viruses and worms to adware, spyware, and riskware. To further protect end users against
emerging malware threats, zero-day threats, and targeted attacks, the McAfee anti-malware engine focuses on generic and
heuristic detection of malware.
The NTBA Appliance and NS-series Sensors have the McAfee Gateway Anti-Malware engine running on them. The Gateway Anti-
Malware engine consists of an anti-malware DAT and engine, and an anti-virus DAT and engine. The IPS Sensor sends the file with
potential malware to the NTBA Appliance, which scans this using this engine and sends the results (confidence level) back to the
IPS Sensor. The Sensor sends the alert to the Manager and the configured response action takes place.
Important: If your deployment consists of a suitable NS-series Sensor (that is a Sensor running Sensor software version 8.2 or
above) and an NTBA appliance, then files are scanned by Gateway Anti-Malware present on the Sensor. However, if your
deployment consists of an NS-series Sensor with Sensor software version 8.1 or lesser, or another Sensor model, then you will
require NTBA for files to be scanned by Gateway Anti-Malware. In case of a suitable NS-series Sensor, suspicious files are
scanned by the Gateway Anti-Malware engine resident on the Sensor.

Download or update Gateway Anti-Malware


The primary function of the Advanced Malware Protection feature is to provide a prioritized list of endpoints that need
remediation based on a risk score determined on a set of threat vectors and events correlated over time.

Before you begin


• Make sure you are using either an NS-series Sensor running Sensor software version 8.2 or above or NTBA to use this engine.
• For automatic updating, configure a DNS server for a device.
• NTBA uses OpenSSL version 1.0.2h. Hence, your environment must accept SSL connections using TLSv1 protocol or higher.
• If you make any changes in the proxy server settings, make sure to save your changes and then restart the Gateway Anti-
Malware service by using the following command:
service restart AntiMalwareService
See Specify a proxy server for Internet connectivity.
Gateway Anti-Malware comprises two components:
• Gateway Anti-Malware DAT and engine
• Gateway Anti-Virus DAT and engine
Note: The IPS Sensor sends files to the NTBA Appliance over the NTBA management port. Therefore, for the Advanced Malware
Protection feature to work, make sure that the NTBA collection port and the IPS Sensor management port are not on the same
subnet.
You can set up automatic updates for both these components on NTBA using these steps. Set up automatic updates by enabling
GAM Updating. This option is available at both the root level and at the device level node of the NTBA Appliance.
Note: Make sure you are connected to the Internet while downloading and updating anti-malware software and signatures.
Updating anti-malware software and signatures from offline servers is not supported.

Task
1. You can enable the gateway anti-malware engine updates at the root-level node by selecting Devices → <Admin Domain Name> →
Global → Common Device Settings → GAM Updating OR at the device-level node by selecting Devices → <Admin Domain Name> → Devices →
<NTBA Appliance> → Setup → GAM Updating.
Note: By default, the Inherit Settings? and Enable Automatic Updating? checkboxes are enabled. This allows you to inherit any settings
done at the root-level node to be applied to the child nodes as well.
Remember: Automatic updating requires name resolution. If you have not configured a DNS server for a device, you might
get a warning prompt to do so.
The GAM Updating page is displayed.

GAM Updating page

2. From the Update Interval drop-down list, select the update interval in the range of 2-24 hours. The default interval is 2
hours. This determines when the next signature set is automatically downloaded.
Tip: The lower panel displays the active version and the latest available version of each component. If the active version is the
latest, the icon is green. If a newer version is available, the icon is red.
Tip: NTBA Appliances continue to receive automatic updates only if Name Resolution is configured in the Manager, which is a
prerequisite.
3. Click Save.

Results
You have now set up updates for all devices that run Gateway Anti-Malware in the domain or device.

Specify a proxy server for Internet connectivity


If you employ a proxy server for Internet connectivity, you can configure the Manager or your devices to connect to that server
for proxy service. This is necessary if you want to download updates directly to Manager from the Update Server or if you want to
download host reputation and country of origin information during integration with TrustedSource.
The Manager supports application-level HTTP/HTTPS proxies, such as Squid, iPlanet, Microsoft Proxy Server, and Microsoft ISA.
Note: To use Microsoft ISA, you must configure this proxy server with basic authentication. Network Security Platform does not
support Microsoft ISA during NTLM (Microsoft LAN Manager) authentication.
Note: SOCKS, a network-level proxy, is not currently supported by Network Security Platform.
To specify your proxy server, do the following:

Task
1. Select Devices → <Admin Domain Name> → Devices → Device: NTBA → Setup → Proxy Server. The Proxy Server page is displayed.

Proxy Server Settings

2. Type the Proxy Server Name or IP Address. This can be either an IPv4 or an IPv6 address.
3. Type the Proxy Port of your proxy server.
4. Type User Name and Password.
5. Provide the appropriate URL. You may test to ensure that the connection works by entering a Test URL and clicking Test
Connection.
6. Click Save to save your settings.
7. For your changes to be effective, make sure to restart the Gateway Anti-Malware service by using the below command:
service restart AntiMalwareService
8. To view the status of your Gateway Anti-Malware service, use the below command:
service status AntiMalwareService
When the Manager or the device makes a successful connection, it displays a message indicating that the proxy server settings
are valid.

Configuring policies
The NTBA Appliance policies are rule-based monitoring and control tools.
The NTBA policies consist of anomaly policies that contain attack definitions for anomalies in TCP, UDP, and ICMP traffic and also
contain attack definitions for worms and callback activities.
The NTBA policies are assigned per zone and can be assigned to specific NTBA Appliances.

View NTBA policies


The NTBA Policies page displays the pre-defined NTBA Policies and the user-defined NTBA Policies available for the selected admin
domain.

Task
Select Policy → Network Threat Behavior Analysis → NTBA Policies. The NTBA Policies page is displayed. The NTBA Policies page lists the Default
NTBA Policy by default.

NTBA Policies page

The options on this page are as follows:

Option Definition

Name Displays the name of the NTBA policy.

Description Displays the description of the NTBA policy.

Ownership and Visibility Owner Domain: Indicates the admin domain to which an NTBA
policy belongs.
Editable here: Indicates whether you can edit or delete an NTBA
policy from the current admin domain. You can edit but not
delete the pre-defined NTBA policy. You can edit or delete a
user-defined NTBA policy only from the admin domain from
which it was created. Yes indicates that the NTBA policy
belongs to the current admin domain. If it is No, you cannot
edit the NTBA policy because it is defined at a parent admin
domain.

Last Updated Time Displays the time when the NTBA policy was last updated.
By Displays the user who modified the NTBA policy.

New Click New to create an NTBA policy. The Properties and Attack
Definitions tabs are explained in the sections that follow.

Copy Select an NTBA policy and click Copy to copy it. This is helpful
especially if you want to use a non-editable NTBA policy with
slight changes.

Edit Select any of the listed NTBA policy and click Edit to edit or
view the details.

Delete Select an NTBA policy and click Delete to delete.


Note: The Delete option is disabled if you have selected a
Default NTBA policy.
You also cannot delete a policy if it is already assigned to a
zone. In such a scenario, you should unassign the zone that is
assigned for the policy and then delete the policy.

Properties tab
The Properties tab is to manage the basic properties such as name, description, and visibility to owner and child domains.

Properties tab

Attack Definitions tab


The Attack Definitions tab contains a list of attack definitions and provides filtering options to locate the attack definitions
you want.
To set the display of attack definitions click on the column header and then select or type in the Filters options. There are two
options to filter the displayed attack definitions: List based filter and String based filter.
List based filter is available for those columns where the display of attack definitions is based on selecting a specific criteria listed
in the column header.
String based filter is available for those columns where the display of attack definitions is based on the criteria typed in the text
field of the Filters option in the column header. By typing the first few characters in the text field, the policy assignments matching
the typed characters are displayed on the page.
Note: When the attack definitions are displayed by using the Filters option, the header of column by which the policy assignments
are filtered is highlighted in orange color. By clicking the Clear All Filters button, the filter is removed and all the attack definitions
are displayed on the page.

Attack Definitions tab

Click a column header and select the option to sort based on ascending or descending order. The options are Sort Ascending and
Sort Descending. The column based on which the list is sorted is indicated in the column header by an up arrow icon for ascending
order and a down arrow icon for descending order.

Viewing options

For a consolidated view of a group of the attack definitions, click on the column header of the field (Example : Attack Type) by which
it should be grouped and click Group by this field.
Note: To remove the display of attack definitions by groups, deselect the Show in groups checkbox option from the column header.
The Show in Groups option is enabled only if the Group by this field option is selected.
You can search for an attack based on the criteria typed in the text field of the Search option. By typing the first few characters in
the Search text field, the attacks matching the typed characters are displayed on the page. By clicking the Clear All Filters button, the
filter is removed and all the attacks are displayed on the page.

Add an NTBA policy


Adding an NTBA policy takes you through the process of refining the parameters for managing your network.

Task
1. Select Policy → Network Threat Behavior Analysis → NTBA Policies.
The NTBA Policies page is displayed.

NTBA Policies page

2. Click New.
The New Policy window opens with the Properties tab selected.
3. Update the following fields.

Properties option definitions

Option Definition

Name Enter a unique name to easily identify the policy. The name
should contain only letters, numerals, spaces, commas,
hyphens and underscores.
Note: The name field should not be left blank, and no special character should be entered while typing the name.

Description Describe the policy for other users to identify its purpose.

Owner Displays the admin domain to which the policy belongs.

Visibility When selected, makes the policy available to the
corresponding child admin domains. However, the policy
cannot be edited or deleted from the child admin domains.
From the drop-down list, select the option for the visibility
level of the rule object.

Editable here The status Yes indicates that the policy is owned by the
current admin domain.

Prompt for assignment after save If you clear this option you can save the policy now and
assign it to a zone later. If you select this option, the
Assignments window opens automatically when you save the
policy and you can assign the policy to the required zone.

Cancel Reverts to the last saved configuration.

4. Click Next.
The Attack Definitions tab is displayed.

Attack Definitions

The following fields are displayed:

Attack Definitions fields

Option Definition

State Displays the state of the communication rule as Enabled or
Disabled.

Name Specifies the name of the attack.

Direction Displays the direction of attack as Inbound, Outbound or Any.

Severity Displays the severity level as either High, Medium or Low.

Attack Type Displays the category of attack. The attack categories are:
◦ Behavior
◦ Anomaly
◦ Threshold
◦ Reconnaissance
◦ Worm Attack
◦ Call Back Attack

Appliance Actions Displays the appliance response actions.

Manager Actions Specifies the Manager's action for the attack.

Prompt for assignment after save If you clear this option you can save the policy now and
assign it to the zone later. If you select this option, the
Assignments window opens automatically when you save the
policy and you can assign the policy to the required zone.

Save Saves the attack definition configuration.

Cancel Reverts to the last saved configuration.

5. In the Attack Definitions tab, double-click on the row of the attack that you want to configure and update the settings. The attack
details are displayed on the right panel displaying the settings under the Settings tab. More details on configuring attack
details are given in the following section.
6. Click Save to save the NTBA policy.

Configure attack details


You can configure and update the attack settings either by inheriting the settings from the master NTBA policy or set them
explicitly in the attack details panel.
The attack details panel has two tabs: Settings and Description.
On the Settings tab, you can set the configurable fields for NTBA Appliance and Manager actions. The Description tab is a read-only
tab where you can view the attack and signature details.

Task
1. On the Attack Definitions tab, double-click on the row of the attack that you want to configure and update the settings. The attack
details are displayed on the right panel displaying the settings under the Settings tab.

Settings tab

2. Configure the settings for the attack definitions.

The following fields are displayed for attacks of categories such as Reconnaissance, Behavior and Anomaly:

Settings tab fields

Option Definition

State Select any of the following options:
◦ Inherit
◦ Enabled
◦ Disabled

Severity Select the severity level of the attack:


◦ Inherit
◦ Info - 0
◦ Low - 1
◦ Low - 2
◦ Low - 3
◦ Medium - 4
◦ Medium - 5
◦ Medium - 6
◦ High - 7
◦ High - 8
◦ High - 9

Threshold This field is displayed only when configuring attacks of type
Threshold, Reconnaissance, and Anomaly. Select one of the
following options:
◦ Inherit
◦ Set explicitly
Note: If you select the option Set explicitly, specify the
threshold value in the number field.

Interval This field is displayed only when configuring attacks of type
Threshold, Reconnaissance, Anomaly, and Worm.
Select the interval duration:
◦ Inherit thresholds: Select the checkbox to inherit thresholds.
◦ Set explicitly
Note: If you select the option Set explicitly, specify the
interval duration in seconds in the number field.

Appliance actions

Quarantine Select any of the following quarantine options:


◦ Inherit
◦ Quarantine attacker
◦ Disabled
Quarantine applies only to IPS sensors, but not routers. The
NTBA detects traffic based on the NTBA policy and adds the
attacker host IP to the quarantine list of that particular IPS
sensor. However, the attacker host IP is not quarantined by
other IPS sensors in the network that are connected to the
NTBA, unless similar traffic is received.

Alert Suppression Timer This field is displayed only when configuring the appliance response
for attacks of type Reconnaissance. Select one of the
following options:
◦ Inherit
◦ Set explicitly
Note: If you select the option Set explicitly, specify the
seconds in the number field.

Manager actions

Syslog Select any of the following syslog options:


◦ Inherit
◦ Send syslog message
◦ Disabled

SNMP Select any of the following SNMP options:


◦ Inherit
◦ Send SNMP trap
◦ Disabled

Email Select any of the following email options:


◦ Inherit
◦ Send e-mail message
◦ Disabled

Pager Select any of the following pager options:


◦ Inherit
◦ Send page
◦ Disabled

Script Select any of the following script options:


◦ Inherit
◦ Run script
◦ Disabled

Auto-acknowledge Select any of the following auto-acknowledgment options:


◦ Inherit
◦ Auto-acknowledge alert
◦ Disabled

Update Click here to update the settings.

Fields in the Capture Packets and Manager actions sections are displayed only when alerting (Alert field option) is enabled or
inherited.
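The Inherit / Set explicitly semantics of the Settings tab, together with the threshold, interval and Alert Suppression Timer fields, as an added Python example that is not the product's detection engine or policy code: the flow records, the default values and the per-attacker sliding window are constructed for illustration, and the example resolves a child policy against the master NTBA policy mentioned under Configure attack details.

```python
from dataclasses import dataclass, fields

INHERIT = "Inherit"  # the option offered for every field on the Settings tab


@dataclass
class AttackSettings:
    """Effective values for one attack definition (a subset of the Settings tab fields)."""
    state: str = "Enabled"
    severity: int = 5                   # Medium - 5
    threshold: int = 10                 # events per interval (constructed default)
    interval: int = 60                  # seconds
    alert_suppression_timer: int = 0    # seconds; 0 means every detection alerts
    quarantine: str = "Disabled"        # or "Quarantine attacker"


def resolve(overrides, master):
    """Build the effective settings: a field set explicitly in `overrides` wins,
    a field left at Inherit (or absent) takes the master NTBA policy's value."""
    effective = {}
    for f in fields(AttackSettings):
        value = overrides.get(f.name, INHERIT)
        effective[f.name] = getattr(master, f.name) if value == INHERIT else value
    return AttackSettings(**effective)


def evaluate(events, settings):
    """events: (timestamp_seconds, attacker_ip) sorted by time. Raises an alert
    when one attacker accounts for `threshold` events inside the last `interval`
    seconds; further alerts for that attacker are held back until the
    suppression timer has run out. Returns (time, attacker, severity, quarantine)."""
    if settings.state != "Enabled":
        return []
    alerts, recent, last_alert = [], {}, {}
    for ts, ip in events:
        window = recent.setdefault(ip, [])
        window.append(ts)
        while window and window[0] <= ts - settings.interval:
            window.pop(0)                       # drop events that fell out of the interval
        if len(window) < settings.threshold:
            continue
        previous = last_alert.get(ip)
        if previous is not None and ts - previous < settings.alert_suppression_timer:
            continue                            # inside the Alert Suppression Timer
        last_alert[ip] = ts
        alerts.append((ts, ip, settings.severity, settings.quarantine == "Quarantine attacker"))
    return alerts


# Constructed flow records: one scanner-like source connecting once per second,
# plus a quiet internal host. Addresses are from documentation ranges.
SAMPLE_EVENTS = sorted(
    [(t, "203.0.113.5") for t in range(12)] + [(2, "10.0.0.9"), (5, "10.0.0.9"), (8, "10.0.0.9")]
)

# Constructed master policy; a zone-level policy inherits from it unless a field is set explicitly.
MASTER_POLICY = AttackSettings(threshold=10, interval=60, alert_suppression_timer=30,
                               quarantine="Quarantine attacker")
```

With the suppression timer inherited as 30 seconds, the twelve connections produce one alert (at the tenth event); setting the timer explicitly to 0 turns the same traffic into three alerts, one per event past the threshold, which is the noise the timer exists to remove.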

View attack description


The Description tab provides additional information about an attack. It also displays signature descriptions and reference
information.
Do the following steps to view the description of an attack.

Task
1. On the Attack Definitions tab, double-click on the row of the attack that you want to view the attack description.
2. Click the Description tab in the right panel.

Description tab

Results
The tab displays the description of the attack. The following details are also displayed:
• BTP
• RfSB

• Protection Category
• Target
• HTTP Response Attack
• Protocols
• Attack Category
• Attack Subcategory
The Reference section displays the following details:
• NSP ID
• CVE ID - click the hyper-link to view details
• Microsoft ID
• Bugtraq ID
• CERT ID
• ArachNIDS ID
• Link for Additional Information, if any.
In the Comments section, you have an option to add comments in the text field Comment for this Admin Domain and click Save Comment to
save the comment.

Comments section

To display the comments from the parent admin domain, select the checkbox Show Comments from Parent Admin Domains.
To make the comment visible in the child admin domains, select the checkbox Make Comment Available to Child Admin Domains.

Assign NTBA policy


Before you begin
Make sure the NTBA policies that you want to assign are available.
You can assign different policies to zones from the NTBA Policies page.

Task
1. Click the Policy tab.
2. From the Domain drop-down list, select the domain you want to work in.
3. Select Network Threat Behavior Analysis → NTBA Policies. The NTBA Policies page is displayed.

4. In the Assignments column, click the Assignments value for the policy that you want to assign.
The Assignments page is displayed.

5. Assign the NTBA policy to the required zones.

Option definitions

Option Definition

Search To filter the list of available zones, enter a string that is part
of the Available Zones.

Available Zones Lists the zones of the appliance in the admin domain. The
zones to which you have already assigned this NTBA policy
are displayed under Selected Zones.

Select a zone and click to move it to Selected Zones.

Current Policy The NTBA policy that is currently assigned to a zone.

Selected Zones Lists the zones to which you have assigned the selected
NTBA policy.

Reset Reverts to last saved configuration.

Save Saves the changes to the Manager database.

Cancel Closes the Assignments window without saving the changes.

Configure the policy fields


The Default NTBA policy contains the following attack types:
• Reconnaissance attack
• Reconnaissance attack (Bot)
• Behavior attack
• Anomaly attack (Host)
• Anomaly attack (Zone)
• Threshold attack (Host)
• Threshold attack (Zone)
The configuration choices vary from attack type to attack type. The choices are summarized below:
• Reconnaissance attack
You can inherit these settings or set them explicitly. You can choose to quarantine NTBA attack packets of this attack type when
detected, customize severity, threshold value, threshold interval, alert suppression timer, and Manager actions.

Edit Reconnaissance Attack details

• Reconnaissance attack (Bot attack)


You can inherit these settings or set them explicitly. You can choose to quarantine NTBA attack packets of this attack type when
detected, customize severity, and Manager actions.

Edit Reconnaissance Attack details (Bot)

• Behavior attack
You can inherit these settings or set them explicitly. You can choose to quarantine NTBA attack packets of this attack type when
detected, customize severity, and Manager actions.



Edit Behavior Attack details

• Host Anomaly attack


You can inherit these settings or set them explicitly. You can choose to quarantine NTBA attack packets of this attack type when
detected, customize sensitivity (Low, Medium or High), endpoint anomalies for any IP address or a specific IP address, threshold
suppression rate, threshold interval and Manager actions.

Edit Anomaly Attack details

• Zone anomaly attack


You can inherit these settings or set them explicitly. You can customize severity, threshold suppression rate, threshold interval,
response sensitivity level, and Manager response actions.
Note: Setting the response sensitivity to Low tells the detection algorithm to be tolerant of traffic spikes before raising alerts.
The system becomes more sensitive to traffic surges if the response sensitivity is set to High.



Edit Zone Anomaly Attack details

• Host Threshold attack


You can inherit these settings or set them explicitly. You can choose to quarantine NTBA attack packets of this attack type when
detected, customize severity, threshold host service group (threshold rate and interval for a named group of selected
application that can be applied to any IP address or to a specific IP Address), and Manager actions.
Note: By default, the threshold settings are inherited.

Edit Threshold Attack details

• Zone threshold attack


You can inherit these settings or set them explicitly. You can customize severity, threshold host service group (threshold rate
and interval for a named group of selected application, and Manager actions.
Note: By default, the threshold settings are inherited.



Edit Zone Threshold Attack details

Configure the default NTBA attack settings


The Master NTBA Attack Repository in the NTBA Policies page provides an attack editor that works in concert with the NTBA Appliance
policy editors.
The Master NTBA Attack Repository enables you to edit an attack definition's response once and have that modification apply across all
policies that contain that attack definition, rather than having to find all policies that use a particular attack, and then modify the
response on each of those policies one at a time.
Changes made to an attack in the Master NTBA Attack Repository apply to that attack in all policies unless customized within a specific
policy. You can customize severity, alerts, and notification actions for each attack in Master NTBA Policy.

Task
1. Select Policy → Network Threat Behavior Analysis → NTBA Policies.
The NTBA Policies page is displayed.
2. Double-click on Master NTBA Attack Repository row. The Attack Definitions tab is displayed.
3. In the Attack Definitions tab, double-click on the row of the attack that you want to configure and update the settings. The attack
details are displayed on the right panel displaying the settings under the Settings tab.



Settings tab

4. Configure the settings for the attack definitions


The following fields are displayed for attacks of categories such as reconnaissance, behavior, threshold and anomaly:

Settings tab fields

Option Definition

State Select any following options:


◦ Inherit
◦ Enabled
◦ Disabled

Severity Select the severity level of the attack:


◦ Inherit
◦ Info - 0
◦ Low - 1
◦ Low - 2
◦ Low - 3
◦ Medium - 4
◦ Medium - 5
◦ Medium - 6
◦ High - 7
◦ High - 8
◦ High - 9

Threshold This field is displayed only when configuring attacks of type
Threshold, Reconnaissance, or Anomaly. Select how the
threshold is set:
◦ Inherit
◦ Set explicitly
Note: If you select the option Set explicitly, specify the
threshold value in the number field.
For Host anomaly, zone threshold and host threshold
attacks you can also configure endpoints of any IP address
or a specific IP address, threshold suppression rate, and
threshold interval.

Interval This field is displayed only when configuring attacks of type
Threshold, Reconnaissance, Anomaly, or Worm. Select how the
interval duration is set:
◦ Inherit thresholds: Select the checkbox to inherit thresholds.
◦ Set explicitly
Note: If you select the option Set explicitly, specify the
interval duration in seconds in the number field.

Appliance actions

Quarantine Select any of the following quarantine options:


◦ Inherit
◦ Quarantine attacker
◦ Disabled

Alert Suppression Timer This field is displayed only when configuring the appliance
response for attacks of type Reconnaissance. Select how
the timer is set:
◦ Inherit
◦ Set explicitly
Note: If you select the option Set explicitly, specify the
timer value in seconds in the number field.

Manager actions

Syslog Select any of the following syslog options:


◦ Inherit
◦ Send syslog message
◦ Disabled

SNMP Select any of the following SNMP options:


◦ Inherit
◦ Send SNMP trap
◦ Disabled

Email Select any of the following email options:


◦ Inherit
◦ Send e-mail message
◦ Disabled

Pager Select any of the following pager options:


◦ Inherit
◦ Send page
◦ Disabled

Script Select any of the following script options:


◦ Inherit
◦ Run script

◦ Disabled

Auto-acknowledge Select any of the following auto-acknowledgment options:


◦ Inherit
◦ Auto-acknowledge alert
◦ Disabled

Update Click here to update the settings.

Fields in the Capture Packets and Manager actions sections are displayed only when alerting (Alert field option) is enabled or
inherited.
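The threshold value, threshold interval and Alert Suppression Timer fields above are easier to reason about when you see them interact. The following Python sketch is an added example, not code from this guide or from the NTBA software: it models a threshold-style attack for one host as a sliding window, raising an alert when more than threshold events arrive within interval seconds and suppressing further alerts for that host for suppression seconds. The class and field names, the reading of "threshold rate" as a count per interval, and the sample event stream are all this example's own assumptions.

```python
from collections import defaultdict, deque

class ThresholdSetting:
    """Explicit settings for one threshold-style attack (names are this example's own, not NTBA's)."""
    def __init__(self, name, severity, threshold, interval, suppression):
        self.name = name                # attack name
        self.severity = severity        # 0-9, as in the Severity drop-down
        self.threshold = threshold      # events tolerated per interval before an alert is raised
        self.interval = interval        # threshold interval, seconds
        self.suppression = suppression  # Alert Suppression Timer, seconds

class ThresholdDetector:
    """Sliding-window rate check per host with an alert suppression timer."""
    def __init__(self, setting):
        self.setting = setting
        self._recent = defaultdict(deque)   # host -> event timestamps inside the current interval
        self._last_alert = {}               # host -> timestamp of the last alert raised for it

    def observe(self, host, ts):
        """Record one matching event for host at time ts; return an alert dict or None."""
        s = self.setting
        window = self._recent[host]
        window.append(ts)
        while ts - window[0] > s.interval:      # drop events older than the interval
            window.popleft()
        if len(window) <= s.threshold:          # rate not exceeded
            return None
        last = self._last_alert.get(host)
        if last is not None and ts - last < s.suppression:
            return None                         # within the suppression timer: no repeat alert
        self._last_alert[host] = ts
        return {"attack": s.name, "severity": s.severity, "host": host, "time": ts, "count": len(window)}

# Constructed sample: timestamps (seconds) of new-port connection attempts per source host.
SAMPLE_EVENTS = (
    [(t, "1.1.1.9") for t in range(0, 8)]       # burst of 8 events in 8 seconds
    + [(3, "1.1.1.5")]                          # a single event from another host
    + [(t, "1.1.1.9") for t in range(70, 76)]   # second burst after the suppression timer expired
)

def run_sample():
    """Apply a threshold of 5 events per 10 s with a 60 s suppression timer to the sample."""
    setting = ThresholdSetting("Host Threshold: new ports", severity=5, threshold=5, interval=10, suppression=60)
    detector = ThresholdDetector(setting)
    alerts = []
    for ts, host in sorted(SAMPLE_EVENTS):
        alert = detector.observe(host, ts)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

With these settings the first burst produces one alert at the sixth event and the seventh and eighth events are silenced by the suppression timer; the second burst, 60 seconds later, is reported again. Lowering the suppression timer or raising the threshold changes only the number of alerts, not what the appliance sees.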

Bulk Edit of Attacks


The bulk edit attack feature enables you to select and edit multiple attack definitions at once. On the Attack Definitions tab, double-
click on an attack, so that the Settings tab is displayed in the right panel. To select multiple attacks that you wish to edit in bulk
press the Shift key (for continuous selection) or press the Ctrl key (for discontinuous selection), then select the attacks.
The attack details are displayed on the right panel displaying the settings under the Settings tab. This operation is useful for
configuring the same responses for multiple attacks at once, thus reducing overall configuration time.

Note: The panel also displays the name Multiple Attacks Selected. It ensures that you have selected multiple attacks to be edited at
the same time.
Configure the settings for the selected attacks and click Save to save the changes.

Configure callback detection


The Callback Activity Detection feature detects callbacks by correlating multiple attacks across flows. Attacks are correlated
by observing an endpoint for a given period of time. At the end of a successful correlation, this detection provides detailed
information retrieved from the different attack phases. Network Security Platform forwards the attack information to the NTBA
Appliance so that it can perform similar correlation.
Use any one of the following paths to configure callback activity detection:
• Device → <Admin Domain Name> → Global → NTBA Device Settings → Zone Settings → Advanced Callback Detection

Callback Activity Detection at Global level



• Device → <Admin Domain Name> → Devices → <NTBA Appliance> → Zones → Inside Zones/ Outside Zones → Default Inside Zone/ Outside Zone →
Advanced Callback Detection

Callback Activity Detection at Zone level

For further details, refer to the McAfee Network Security Platform Product Guide.

Set default NTBA and worm policies


You can set default NTBA and worm policies at the Manager tab.

Task
1. Select Manager → <Admin Domain Name> → Setup → Admin Domains.
The Admin Domains page is displayed.
2. Click New.
The Add a Child Admin Domain page is displayed.

Add a Child Admin Domain page

3. Enter the child domain configuration details:


◦ Domain Name
◦ Contact Person
◦ E-mail Address
◦ Title
◦ Contact Phone Number
◦ Company Phone Number
◦ Organization
◦ Address
◦ City
◦ State
◦ Country
4. Click Save.



The settings are saved.
5. Click Allocate to allocate an interface.
The Available Interfaces page is displayed.

Available Interfaces page

6. Click Close.
7. Click Finish.
The Admin Domains page now lists the newly created child admin domain.
Note: The default NTBA and worm policies selected while configuring the new child admin domain are listed under Policy →
<Admin Domain Name>/<Child Admin Domain Name> → Network Threat Behavior Analysis → NTBA Policies and Policy → <Admin Domain Name>/<Child
Admin Domain Name> → Network Threat Behavior Analysis → Worm Policies.

Export NTBA and Worm policies


NTBA policy export enables you to save one or more custom (created/cloned) NTBA and Worm policies from your Manager to
your client.
This is effective for archiving as well as transferring a policy from a test Manager environment to your live environment.
For example, you log in to your test Manager from a client and create a new policy. After creation, you export the policy to your
client. You then log into your live Manager from the client and import the policy for active use.

Task
1. Select Policy → Network Threat Behavior Analysis → Policy Export → NTBA Policies.
The Export NTBA and Worm Policies page is displayed.

Export NTBA and Worm Policies page

2. Select the policy or policies you want to export.


3. Click Export.
4. Browse to the location on your client where you want to save the exported file.
5. Verify successful export by checking the destination for the exported file. The policy file is saved as an XML file and it contains
all the policies you selected for export. Thus, if you select two policies for export, both policies are saved in the same file.
Caution: Although this feature outputs an XML file, this file is not intended for reading or editing. Any manipulation of this file
besides regular copying from/to different media will result in possible import failure.



Import NTBA and Worm policies
The Import NTBA and Worm Policies action enables you to add an NTBA policy and a worm policy to the Manager from an outside
location. You can import from the Manager, through CD-ROM, by browsing connected network servers, or from your remote
client.

Task
1. Select Policy → Network Threat Behavior Analysis → Policy Import → NTBA Policies.
The Import NTBA and Worm Policies page is displayed.
2. Click Browse to search your system for an exported policy file.
Note: Select the Skip duplicate file definitions checkbox if you want definitions in the file that duplicate ones already present in the Manager to be skipped.
3. Click Save to download the file to the Manager.
Note: Visibility rules apply to imported policies. For any custom (created or cloned) policy you import, if you deselect the Visible
to Child Admin Domains checkbox in the Add an NTBA Policy page during creation, the imported policy will only be visible in the parent
admin domain.

Apply NTBA and worm policies


NTBA policies and worm policies are created at the Policy node and are applied to specific NTBA Appliances at the appliance level.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → Protection Profile .
The Protection Profile page is displayed.

Protection Profile page

2. Select the NTBA policy to be applied from the NTBA Policy drop-down list.
3. Select the worm policy to be applied from the Worm Policy drop-down list.
4. Click Save.

Using context-aware data for network forensics


As a security administrator, you may sometimes want to analyze the root cause of a specific security event a few hours or days
after an event has occurred. You may also want any supporting contextual data for an endpoint during that time interval.
NTBA performs context-aware network forensics to capture connections and layer 7 activity before and after a security event.
This helps forensic analysis to be performed on the contextual data, against a set of predefined suspicious activity indicators.
NTBA collects forensic data for a target or attacker that is internal or external to the network. NTBA collects context-aware data
as profile and forensic data. Profile data includes details like executables and services launched by an endpoint. Forensic data
captures contextual data for a configurable number of minutes before and after a security event such as a policy violation or an
attack. By default, forensic data is collected for 10 minutes before and after an event.
The network forensics data collected by NTBA provides details like connections made to a target and attacker, port information,
network application, executables, URLs, and files. Metadata information like malware confidence, executable classification,
reputation, and location are also shown if available. If a connection is suspicious, a Suspicious Activity indicator briefs the type of
suspicious activity performed in the network.



How NTBA collects and stores context-aware data
When a security event like an attack occurs, NTBA performs the following high-level steps to collect context-aware data:

1. Consolidates conversations with attack information like 5-tuple, URLs, files, and programs involved in the connection for a
target or attacker.
2. Collects the accessed URLs, files, executables, and connections for the configured time interval based on suspicious activity
indicators. By default, these details are collected 10 minutes before and after an event occurred (the Collect Data Before the
Attack For and Collect Data After the Attack For settings).
3. Checks if the endpoint is an attacker or target.
4. Collects data based on conditions that match the suspicious activity indicators.

Once the context-aware data is collected, NTBA stores this in the database for the configured period. By default, forensic data is
stored for 30 days. You can configure the collection settings from Devices → Devices → <NTBA device> → Setup → Collection Settings.
The Manager enables you to configure the forensics collection settings, and retrieves the context-aware data from NTBA when
you want to perform forensic analysis on a specific endpoint or attack.
The forensic data is stored on the virtual disk of the NTBA Appliance. By default, netflow data uses 60% and forensic data uses 40%
of the disk space. Enabling export of Layer 7 data does not export the entire payload: only fields related to HTTP, NetBIOS, FTP, SMTP,
file hash, and attack ID are exported. For HTTP, specific fields such as URI and host are exported. Netflow monitoring is not
real time, because the statistics for a flow are sent every minute. If you upgrade from a pre-8.2 version to version 9.1, these
default settings are applied during migration. You can modify these limits using the command set dbdisksize.

NTBA database architecture

The RAID 10 layer is the first layer, followed by the ext3 file system; the MariaDB layer on top is the container for the netflow,
forensic, and configuration databases.
You can modify the forensic database pruning settings from the Devices → Devices → <NTBA Device> → Maintenance → Database Pruning
page. For more details, see Prune the database.
When you analyze an endpoint on the Network Forensics page, the Manager queries all the NTBAs and displays data from the
NTBA that is mapped to the endpoint. On the Analysis → Network Forensics page, the displayed network forensic data is only from a
single NTBA.
Note: If an IP address is mapped to more than one NTBA, the Network Forensics page has a Data Source drop-down list for choosing
the NTBA whose network forensics data for the endpoint is displayed. Use the drop-down list to query the other NTBAs for forensic
information.
Note: By default, if you directly navigate to the Network Forensics page to analyze an endpoint, the current date and time and
analysis window of ± 60 minutes is displayed. If you perform forensics from other Manager UI paths for an endpoint, by default,
the time of event occurrence and analysis window of ± 10 minutes is displayed.

Suspicious activity indicators


NTBA uses a set of predefined indicators to collect the forensic data. The indicators are triggered only when an attacker or target
endpoint, flow, or executable makes a network connection in the configured analysis time window.



For example, on the Network Forensics page, you select an IP 1.1.1.6 that is involved in a policy violation. You select an analysis time
of ±30 minutes to analyze the collected flows before and after the policy violation happened, and click Analyze. The suspicious
flows and activity indicators are displayed based on connections made in the network in this defined time window of one hour.
NTBA collects forensic data based on the following rules:

Suspicious activity indicators

Suspicious activity indicator Description

Destination matches attacker in another attack A target endpoint was involved in another attack or traffic
from/to this endpoint.

Source matches attacker in another attack An attacker endpoint was involved in another attack or traffic
from/to this endpoint.

Suspicious endpoint risk Endpoint made a connection to another endpoint with GTI
risk level of Medium Risk or High Risk.

Unverified endpoint risk Endpoint made a connection to another endpoint with GTI
risk level of Unverified.

Executable used in another attack Executable, for example, chrome.exe was involved in another
attack or traffic from/to this endpoint.

Suspicious executable malware confidence Endpoint accessed an executable that has malware
confidence level above Medium.

Blocked executable Endpoint accessed a blocked executable.

New executable Endpoint accessed a new executable that has not been
previously seen in the last x* days.
*x refers to the number of days defined on the Devices → NTBA
Device Settings → Device Settings → Setup → Collection Settings page.

URL used in another attack Endpoint accessed a URL that was involved in another attack
or traffic from/to this endpoint.

Suspicious URL risk Endpoint accessed a URL with GTI risk level of Medium Risk or
High Risk.

Unverified URL risk Endpoint accessed a URL with GTI risk level of Unverified Risk.

File used in another attack Endpoint accessed a file that is involved in another attack or
traffic from/to this endpoint.

Suspicious file malware confidence Endpoint accessed a file with suspicious malware confidence
of Medium or High.

Unverified file malware confidence Endpoint accessed a file with suspicious malware confidence
of Unknown.

Attack detected Specific suspicious flow generated an attack in the network.

New service detected A new service was installed on an endpoint that has not been
previously seen in the last x* days.
*x refers to the number of days defined on the Devices → NTBA
Device Settings → Device Settings → Setup → Collection Settings page.



On the Analysis → Network Forensics page, these are displayed in the Suspicious Activity column. You can also use these indicators as
filters from the Any Activity drop-down list to view specific suspicious activity-based flows in the network.
Note: If McAfee EIA is disabled, executable-related indicators like executable used in another attack are not available. Similarly, if
McAfee GTI is disabled, reputation-based indicators are not functional.
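The indicator table above reads as a rule set, and the example below applies it to flows the way the Network Forensics page does: only flows involving the analyzed endpoint inside the ± analysis window are examined, and each one is tagged with every indicator that fires. This is an added example, not code from this guide or from NTBA. The Flow and Context structures, the reference data (attacker lists, GTI risk levels, malware confidence, executable first-seen dates) and the sample flows are all constructed for the example; the New service detected indicator is omitted because it concerns services installed on an endpoint rather than individual flows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SUSPICIOUS_RISK = {"Medium Risk", "High Risk"}   # GTI risk levels treated as suspicious
SUSPICIOUS_CONFIDENCE = {"Medium", "High"}       # malware confidence levels treated as suspicious

@dataclass
class Flow:  # one conversation involving the analyzed endpoint (constructed model, not an NTBA record)
    time: datetime
    src: str
    dst: str
    exe: Optional[str] = None        # executable behind the connection, if known
    url: Optional[str] = None
    file_hash: Optional[str] = None
    attack: Optional[str] = None     # attack name if this flow raised an alert

@dataclass
class Context:  # reference data the indicators are checked against (constructed for this example)
    attackers: set          # endpoints seen as the attacker in another attack
    attack_exes: set
    attack_urls: set
    attack_files: set
    endpoint_risk: dict     # IP -> GTI risk level
    url_risk: dict          # URL -> GTI risk level
    exe_confidence: dict    # executable -> malware confidence
    file_confidence: dict   # file hash -> malware confidence
    blocked_exes: set
    exe_first_seen: dict    # executable -> datetime first observed
    new_days: int = 30      # "Executable is 'New' if Not Seen in Previous" setting

def indicators(flow, endpoint, ctx):
    """Return the suspicious activity indicators from the table that apply to one flow."""
    peer = flow.dst if flow.src == endpoint else flow.src
    hits = []
    for role, ip in (("Destination", flow.dst), ("Source", flow.src)):
        if ip in ctx.attackers:
            hits.append(f"{role} matches attacker in another attack")
    risk = ctx.endpoint_risk.get(peer)
    if risk in SUSPICIOUS_RISK:
        hits.append("Suspicious endpoint risk")
    elif risk == "Unverified":
        hits.append("Unverified endpoint risk")
    if flow.exe:
        if flow.exe in ctx.attack_exes:
            hits.append("Executable used in another attack")
        if ctx.exe_confidence.get(flow.exe) in SUSPICIOUS_CONFIDENCE:
            hits.append("Suspicious executable malware confidence")
        if flow.exe in ctx.blocked_exes:
            hits.append("Blocked executable")
        first = ctx.exe_first_seen.get(flow.exe)
        if first is None or flow.time - first < timedelta(days=ctx.new_days):
            hits.append("New executable")
    if flow.url:
        if flow.url in ctx.attack_urls:
            hits.append("URL used in another attack")
        risk = ctx.url_risk.get(flow.url)
        if risk in SUSPICIOUS_RISK:
            hits.append("Suspicious URL risk")
        elif risk == "Unverified":
            hits.append("Unverified URL risk")
    if flow.file_hash:
        if flow.file_hash in ctx.attack_files:
            hits.append("File used in another attack")
        conf = ctx.file_confidence.get(flow.file_hash)
        if conf in SUSPICIOUS_CONFIDENCE:
            hits.append("Suspicious file malware confidence")
        elif conf == "Unknown":
            hits.append("Unverified file malware confidence")
    if flow.attack:
        hits.append("Attack detected")
    return hits

def analyze(flows, endpoint, event_time, window_minutes, ctx):
    """Flows involving endpoint within event_time +/- window_minutes that hit at least one indicator."""
    delta = timedelta(minutes=window_minutes)
    result = []
    for flow in sorted(flows, key=lambda f: f.time):
        if endpoint in (flow.src, flow.dst) and abs(flow.time - event_time) <= delta:
            found = indicators(flow, endpoint, ctx)
            if found:
                result.append((flow, found))
    return result

def run_sample():
    """Constructed data: endpoint 1.1.1.6 in a policy violation at 10:00, analysed with a +/-30 minute window."""
    def t(h, m): return datetime(2021, 11, 28, h, m)
    ctx = Context(attackers={"198.51.100.4"}, attack_exes={"chrome.exe"}, attack_urls=set(), attack_files=set(),
                  endpoint_risk={"203.0.113.7": "High Risk"}, url_risk={}, exe_confidence={},
                  file_confidence={"d41d8cd9": "Unknown"}, blocked_exes=set(),
                  exe_first_seen={"chrome.exe": datetime(2021, 1, 1), "updater.exe": datetime(2021, 11, 20)})
    flows = [
        Flow(t(9, 45), "1.1.1.6", "10.0.0.9", exe="chrome.exe", url="http://intranet.example/login"),
        Flow(t(9, 50), "1.1.1.6", "10.0.0.5", file_hash="d41d8cd9"),
        Flow(t(10, 5), "1.1.1.6", "203.0.113.7", exe="updater.exe"),
        Flow(t(10, 10), "1.1.1.6", "10.0.0.20"),                    # benign: no indicator fires
        Flow(t(10, 20), "198.51.100.4", "1.1.1.6", attack="Port Scan"),
        Flow(t(11, 30), "1.1.1.6", "10.0.0.9", exe="chrome.exe"),   # outside the analysis window
    ]
    return analyze(flows, "1.1.1.6", t(10, 0), 30, ctx)
```

Run as a script, run_sample() returns four tagged flows in time order (09:45, 09:50, 10:05, 10:20); the benign 10:10 flow and the 11:30 flow outside the one-hour window are dropped, which is the same filtering you see when you widen or narrow the analysis window on the Network Forensics page. The same structure is what you would feed a Save as CSV export into if you wanted to re-check indicators offline.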

Enable Network Forensics


When network forensics is enabled, the Manager takes advantage of the NTBA Appliance to provide network activity for a given
endpoint over a given time span. You can collect network forensic data for a time period for analysis.

Task
1. At the Global level, select Devices → Global → NTBA Device Settings → Device Settings → Setup → Collection Settings.
Tip: At a device level, you can navigate to Devices → Devices → <NTBA Appliance> → Setup → Collection Settings. If you want to inherit
the global level collection settings, select Use Global Settings.
2. Enter the listening port and select Discard Duplicate Flow Records if you do not want duplicate flow records to be stored. By
default, the UDP listening port is 9996.
3. In the Network Forensics area, specify the following:

Item Description

Collect Network Forensics Data Select this checkbox to collect network forensics data. By
default, this checkbox is selected.

Applicable Attacks Select Any, IPS Attacks Only or NTBA Attacks Only. By default, this is
set to Any.

Collect Data Before the Attack For Select the time for which you wish to collect data before a
security event. By default, this is set to 10 minutes. The time
range is 1-60 minutes.

Collect Data After the Attack For Select the time for which you wish to collect data after a
security event. By default, this is set to 10 minutes. The time
range is 1-60 minutes.

Executable is 'New' if Not Seen in Previous Collect executable details if the executable is new in the
network. By default, this is set to 30 days. The day range is
3-90 days.

Service is 'New' if Not Seen in Previous Collect service details if the service is new in the network. By
default, this is set to 30 days. The day range is 3-90 days.



Forensic data collection

4. Click Save.
Tip: If no forensic data is displayed, execute the show forensic-db details command to check if the network forensics
feature is enabled or not. By default, this feature is enabled. You can use the set dbdisksize and show l7dcapstats
commands to set the percentage of disk size for the forensic data and view layer 7 captured data details.

Perform Network Forensics


You can perform network forensics from these UI paths in the Manager:
• From Analysis → Network Forensics, enter an IP address and select the time window to perform forensics.
• From Analysis → Threat Explorer, select an attack, attacker, or target. Drill down to an endpoint and view forensics data before and
after an event occurred.
• From Analysis → Attack Log, select an alert, click the Other Actions button, and select Perform Network Forensics.
• From Analysis → High-Risk Endpoints, select a high-risk endpoint. From the Endpoint Risk tab, go to Exploits, Infections, or Callbacks. Under
Actions, click Take Action and select Attacker Forensics or Target Forensics.
• From the Analysis → Callback Activity, select a callback activity and related IP address whose activities you want to track. From the
related events for the selected IP address, click Endpoint Information → Network Forensics to view behavior of an endpoint.
Read the following sections to perform network forensics from each of these Manager UI paths.

Perform network forensics on an endpoint from the Analysis tab


You can enter an IP address and track its network behavior for a specified time period.
Go to Analysis → Network Forensics to analyze the recent behavior of the specific endpoint in the network, including conversations
and events in the specified time period.
Filter your view by choosing the date and time of your choice. Use the ± option to view data before and after an attack. This
lets you analyze context-aware data and see the network behavior of an endpoint.



Date and time options

The following table shows the information displayed on the Network Forensics page.

Item Description
Filter Criteria Panel

Enter IP address Enter the IP address of the endpoint whose network activities
you wish to analyze.

Date Select the date when the event occurred.

Event occurrence time Select the time at which the event occurred. The event can be
an attack, alert, or policy violation.

Analysis window Select the time period in which you wish to track an
endpoint's activities in the network. This includes activities
performed by an endpoint before and after a security event.

Analyze Retrieves suspicious flows, activities, and indicators for an


event in the specified time period.

Task
1. In the Enter IP address field, enter an IP address for which you wish to view the suspicious flows and activity. Example: 1.1.1.9.
2. Select the date and time. Use the ± time to view endpoint behavior before and after an attack.
3. Click Analyze.
4. In the top panel, view Summary for endpoint details and connections made to and from an endpoint.

Summary Panel



Item Description
Summary Panel

Endpoint Summary ◦ Analysis Window — The period of analysis.


◦ Data Source — The NTBA device that is mapped to an
endpoint IP address.
Note: If one or more NTBAs have an endpoint IP address
within the same time range, you can view these NTBA
devices from this drop-down list.
◦ Zone — The zone to which this endpoint belongs.
◦ Country — The country of the endpoint.
◦ ETF — The ETF value assigned by NTBA to an endpoint.

Connections from endpoint Specifies the client connections from an endpoint that
include the TCP and UDP services and ports.
◦ Connections — The number of connections made from an
endpoint.
◦ Applications — The applications accessed from an endpoint.
◦ Endpoint Executables — The executables accessed.
◦ TCP Services — The TCP services used by an endpoint.
◦ UDP Services — The UDP services accessed by an endpoint.

Connections to endpoint ◦ Connections — The number of connections made to an


endpoint.
◦ Applications — The applications used on an endpoint.
◦ TCP Services — The TCP services used on an endpoint.
◦ UDP Services — The UDP services accessed on an endpoint.

5. In the lower panel, view Suspicious Flows for details like suspicious activity, applications, attack name, and files and URLs
accessed.
◦ From the flows, select the indicator to view specific activity-based flows. Example: blocked executable.
◦ View suspicious flows that have blocked executables involved in the attack.

Suspicious activity indicator filter

Item Description
Suspicious Flows Panel

Suspicious activity indicators View indicators that map to an event like an alert or attack.
◦ Destination matches attacker in another attack

◦ Source matches attacker in another attack
◦ Suspicious endpoint risk
◦ Unverified endpoint risk
◦ Executable used in another attack
◦ Suspicious executable malware confidence
◦ Blocked executable
◦ New executable
◦ URL used in another attack
◦ Suspicious URL risk
◦ Unverified URL risk
◦ File used in another attack
◦ Suspicious file malware confidence
◦ Unverified file malware confidence
◦ Attack detected
◦ New service detected

IP Address Specify an IP address and use Search to view flows for this
address.

Time Displays the date and time when the suspicious flow for an
event occurred.
Tip: You can sort the flows view based on time.

Suspicious Activity Displays the indicator that specifies the suspicious activity
performed like an URL accessed that was involved in
another attack, blocked executable accessed and others.

Source Specifies the source from which the flow was initiated for an
endpoint. Details include endpoint and ports used.

Destination Specifies the destination details like endpoint involved and


port.

Applications Displays the applications accessed from the endpoint.

Attack Attacks for a specific endpoint that includes attack name


and result.

File/URL Accessed Specifies file or URL access details for a specific endpoint.

6. Click Save as CSV to export suspicious flows for analysis.

Perform network forensics on an attacker or target from Threat Explorer

You can drill down a security event like an attack from the Analysis → Threat Explorer page. You can select an attack and view attack-
context data on the Network Forensics page and then decide the next steps.

Task
1. Go to Analysis → Threat Explorer.



2. From the Top Attackers or Top Targets list, click an IP address whose activities you wish to view and analyze, for example, 2.1.1.6.
The Threat Explorer details page is displayed with the IP address filter applied.
3. From the Endpoint Information tab, view details for this IP address like involved attacks, targets/attackers, applications, executables,
and malware.
4. To analyze this endpoint's behavior further, click Network Forensics. View any suspicious flows or activity where this endpoint is
involved.

Attacker IP details

5. In the top panel, view Summary for attacker or target details and connections made.
6. In the lower panel, view Suspicious Flows for details like suspicious activity, applications, attack name, and files and URLs
accessed.
7. Click Save as CSV to export suspicious flows for analysis.

Results
Based on the suspicious flows and activity performed by an IP address, you can either block traffic initiated from this endpoint or
take any other action.

Run network forensics on an alert from Attack Log


When you see an alert in Attack Log, you can perform forensics for an IP address and based on analysis respond accordingly.
From Attack Log, you can drill-down and analyze suspicious flows for an alert that occurred at a specific time.

Task
1. Go to Analysis → <Admin Domain Name> → Attack Log.
2. Select an alert that you wish to drill-down and investigate. Click Other Actions.
For example, an event displays the NTBA communication alert category and is initiated from a source IP 176.104.168.2. You
now want to see if this IP address has been involved in suspicious activities in the network.



Attack Log page

3. Select Perform Network Forensics and click the IP address for which you want to check.

Source IP forensics action

4. On the Network Forensics page, view Summary for source or destination IP details.
Note: The IP address and time are automatically set to the time of occurrence as displayed in the Attack Log page. You can
select the time for which you wish to see activities performed by this IP address before and after an alert was raised.
5. View Suspicious Flows for details like suspicious activity, applications, attack name, and files and URLs accessed. You can view
events that happened before and after an attack occurred.



Source IP Forensics: Suspicious Flows

6. Click Back to return to the Attack Log page. Decide if the IP address traffic needs to be blocked or take any other corrective
measures.

View network forensics from High-Risk Endpoints


You can select a high-risk endpoint and perform network forensics.

Task
1. Go to Analysis → High-Risk Endpoints.
2. Select a high-risk endpoint that you wish to investigate.
3. View details in the lower panel for this endpoint like exploits, infections, and callbacks involved.
4. From the Endpoint Information tab, select Network Forensics.



High-Risk Endpoints

5. On the Network Forensics page, view Suspicious Flows for source attacker or target endpoint.
6. Click Save as CSV to export suspicious flows for analysis.

View network forensics from Callback Activity


For a callback activity, you can investigate further using forensics.

Task
1. Go to Analysis → <Admin Domain Name> → Callback Activity.
2. Select a callback activity that you wish to investigate.
3. View details in the lower panel for this activity like zombies and events.
4. Select a zombie IP address that you want to investigate and view event details.

Callback Activity

5. Click the Network Forensics to conduct the forensics analysis on the source and destination IP address.
6. On the Network Forensics page, view Suspicious Flows for target or attacker endpoints.
7. Click Save as CSV to export suspicious flows for analysis.

Response actions
With context-aware data in hand, administrators can view events and activity that happened before and after an attack. This
helps them analyze attacker or endpoint behavior in the network and take corrective measures or a configured response action.

Sample scenario: View and analyze behavior of a high-risk endpoint
You can analyze a high-risk endpoint's activities from the Network Forensics page. This helps you decide whether an endpoint is
involved in any malicious activity and take corrective measures.
On the Manager Dashboard page, the Top High-Risk Endpoints monitor shows that the IP address 10.213.173.220 is flagged as a Very
High risk endpoint.

Top High-Risk Endpoints monitor

Note: Alternatively, you can go to Analysis → High-Risk Endpoints to view high-risk endpoints whose activities you want to track.
To analyze, click the endpoint bar that navigates to the High-Risk Endpoints page.

High-Risk Endpoints page

View details in the lower panel for this endpoint, such as the exploits, infections, and callbacks involved. You can view more details
on the Endpoint Information and Endpoint Security Events tabs. If you wish to see activities from this endpoint in a specific time window,
go to the Endpoint Risk → Exploits tab, select an attack, right-click Take Action, and perform attacker or target endpoint forensics. The
Network Forensics page is displayed.
Note: Similarly, you can go to the Infections and Callbacks tabs and perform target or attacker forensics for events that involve this endpoint.

10.213.173.220 forensics summary

Alternatively, you can go to Endpoint Information → Network Forensics and analyze behavior of an endpoint in the network.

Endpoint suspicious flows

Check and analyze suspicious flows and activity by this endpoint and decide if the endpoint is safe for your network.

Integrating with other McAfee products

Integrating with McAfee Endpoint Intelligence Agent


This chapter explains how NTBA Appliance is integrated with McAfee® Endpoint Intelligence Agent (McAfee EIA).

Overview
Most enterprises today face a challenge in understanding the executables running on their network. With malware increasing at a
rampant pace, it has become imperative to understand which executables are sending traffic on the network. Malware can
exploit the inability of the network and the endpoint to coordinate information and policies. Some malware names itself after
standard executables and makes standard application connections on the network. Such malware cannot be easily detected by
looking at the endpoint processes alone or by monitoring the network traffic flows in isolation.
Combining information at the endpoints with information in the network can provide security administrators deeper visibility
into your enterprise. McAfee Network Security Platform, along with Endpoint Intelligence Agent, provides security administrators
insight into what executables are running at endpoints that are linked to the network traffic. You can also view malware status
and details for non-executables like doc and pdf files. The administrator can then quickly investigate any unusual executable
behavior, classify executables and files running on the network as malicious or safe, and take response actions.
McAfee® Endpoint Intelligence Agent (McAfee EIA) is an endpoint solution that provides executable and file information to the
NTBA Appliance. It delivers real-time and dynamically analyzed detection results.
When McAfee EIA is installed on an endpoint, it monitors the system for the execution of all executables, irrespective of whether
they make outgoing connections. This lets you monitor even data files such as Word and PDF documents. When a connection
attempt is made by an executable, McAfee EIA sends the executable information to the NTBA over an encrypted channel. If
dynamic analysis detects malicious data files, EIA sends the artifacts to NTBA over a separate channel. It also sends the dynamic
analysis information as metadata. This gives the NTBA Appliance enough time to process the executable and artifact information
and make it available at policy-decision points before the connection request packet is received.
With this solution, you can view all executables and files used on the endpoint. It also provides the number of endpoints using
each executable. All executables and files are classified as known good (allowed), known bad (blocked), or unclassified. For the
unclassified executables, the solution provides further malware confidence.
The executable information contains:
• 5-tuple information such as source IP address, destination IP address, source port, destination port, and protocol
• Executable name, full path, and hash of the executable that generated the connection
• User and operating system information associated with the executable
• Details such as MD5 hash value, product version, malware confidence, malware name, certificate signer, malware indicators,
and classification details.
The file information includes a detailed trace report or artifacts in JSON format. You can view details such as file version and
certificates. When network traffic is generated, based on the reputation of the executable file, you can allow or block them.

Architecture
McAfee EIA resides on the endpoint where it collects details about the executables that initiate traffic. When integration with
McAfee EIA is enabled, McAfee EIA sends the executable information to the NTBA Appliance, which uses it to enhance its analysis,
such as determining which endpoints are infected or are at risk of infection.

The communication between the McAfee EIA and the NTBA Appliance is through the Datagram Transport Layer Security (DTLS)
protocol with the McAfee EIA as the client and the NTBA Appliance as the server. The artifacts for a file are sent to NTBA using the
Transport Layer Security (TLS) channel.
McAfee EIA and NTBA can integrate and communicate in either static or dynamic mode. If the DTLS channel does not exist when
the packet is sent, then in:
• Static mode - Based on the pre-configured NTBA and EIA details, a DTLS channel is created. EIA sends the metadata to
mapped NTBA.
• Dynamic mode - If an NTBA is not pre-configured for McAfee EIA, EIA automatically discovers the NTBA device and sends
executable information. When endpoint traffic is going through a Sensor that sends flows to NTBA, and if NTBA does not have
executable information for that endpoint, NTBA sends a discovery probe to that endpoint. McAfee EIA discovers the NTBA and
starts to communicate with NTBA. This reduces the administrator's burden to figure out how Sensors, NTBA and endpoints are
deployed in the network.
Both the client and the server must have the certificates signed by the common Certification Authority (CA). The common CA can
be McAfee® ePolicy Orchestrator (McAfee ePO) server.

Architecture diagram

• ePO Server: The ePO server installs and configures the McAfee® Agent and McAfee EIA settings on the managed hosts. The
server is used to exchange the certificates that will be used to authenticate and secure McAfee EIA communication with the
NTBA Appliance.
• McAfee EIA: These are endpoints that have McAfee EIA installed on them. They provide the executable information about
all executables to the NTBA Appliance. If dynamic analysis finds data files such as doc and pdf to be malicious, EIA provides file
information such as the malware name and artifacts to NTBA.
• NTBA Appliance: The McAfee EIA connects to the NTBA Appliance and sends the executable information to the NTBA
Appliance. The IPS Sensor/router, if configured, sends NetFlows to the NTBA Appliance. The NTBA Appliance also responds to
the Manager queries for monitors/dashboards data and also for endpoint intelligence information for existing NTBA and IPS
alerts.
• IPS Sensors/Routers: The NetFlow data that come from the IPS Sensor is correlated with the executable information coming
from the McAfee EIA. For the NTBA Appliance to receive NetFlows, you must configure the IPS Sensor/router as an exporter
(optional).
• McAfee Global Threat Intelligence: McAfee EIA gets the GTI information via the NTBA Appliance and computes the malware
confidence for an executable along with its own malware indicators.
• Manager: The Manager maintains the allowed and blocked hashes that can be leveraged by all devices configured on the
Manager for reporting and blocking purposes. The Manager pushes all the imported hashes to all the available NTBA
Appliances and the IPS Sensors.

Benefits
The benefits of McAfee EIA are as follows:
• Provides visibility into the executables used in the enterprise network
• Provides file information for non-executables like doc and pdf files on an endpoint
• Provides characteristics of the executable such as the version, the endpoints where it was executed, the number of connections
made, the applications invoked, and the events associated with it
• Provides reputation (malware confidence) for each executable and data file using its own malware indicators and dynamic
analysis engine
• Provides trust information for good and unknown executables
• Enables detection of unknown executables in the network that the administrator can classify as allowed or blocked, thereby
creating an intelligent baseline for the network
• Provides the administrator the flexibility to enable auto-classification of known good executables as allowed and known bad
executables as blocked
• Integrates with the IPS Sensor's Allow and Block Lists functionality to prevent further spread of malware in the network
• Provides correlation between the Application Identification feature provided by the IPS Sensor with the executable information for
every flow
• Correlates McAfee EIA executable information with analysis from other network detections such as ATD and NTBA.

How integration with McAfee EIA works


This section provides the high-level steps to integrate NTBA Appliance with McAfee EIA.

Task
1. Set up McAfee Agent with ePolicy Orchestrator: Deploy the McAfee Agent extension and McAfee Agent package to the ePolicy
Orchestrator server. Skip this step if you have already deployed McAfee Agent version 4.8 or higher.
2. Set up McAfee EIA with ePolicy Orchestrator: Deploy the Endpoint Intelligence Management extension and McAfee EIA
package to the ePolicy Orchestrator server. Assign policy to managed systems for McAfee EIA to communicate with the NTBA
Appliance.
3. Enable EIA integration on the Manager: Establish connections between the NTBA appliance and the managed host systems
with the McAfee EIA by enabling EIA integration at the Global level or the Device level on the Manager. The Auto-Classification Settings
are available only at the Global level.
Note: The maximum number of endpoint connections supported on the NTBA Appliance is 12000.
4. Work with allow and block lists: You can either enable the auto-classification settings or manually change the executable
classification. The manually classified values of the executable hashes are added to the allowed/blocked hashes that the
administrator maintains.
5. Configure NTBA policies for McAfee EIA alerts: There are seven attack definitions for the NTBA policies. Based on which of
the alerts you want to see, you can configure policies to raise only those EIA alerts.
6. View executables running on endpoints: You can view all the executables running on your internal endpoints that have
made network calls on the Endpoint Executables page. The top n endpoint executables are displayed in the Top Endpoint Executables
monitor on the Home Dashboard page.
7. Analyze executable behavior: Even with auto-classification settings enabled, there might be instances where the executable
classification is not justified with its behavior. In such cases, you might want to investigate these executables and accordingly
change the executable classification as allowed or blocked so they appear with the modified value the next time. The changes
are updated to the allowed and blocked hashes maintained by the Manager. You can also generate reports to see more details
on the top 10 endpoint executables and endpoint executable connections.
Note: Quarantine of endpoints is not supported.

Setting up McAfee EIA integration
McAfee EIA can be installed on ePO-managed endpoints. This section explains how you can deploy McAfee Agent and McAfee EIA
and configure the agents to send the executable information to the NTBA Appliance in the ePolicy Orchestrator console. It also
explains how to enable McAfee EIA integration on the Manager.

Verify system requirements


Make sure your NTBA, McAfee ePO, and managed systems meet the requirements.
• McAfee ePO server must be at version 5.10.0
• McAfee Agent must be at version 5.6 or later
• McAfee® Endpoint Intelligence Manager (McAfee EIM) extension must be at version 3.2.2
• McAfee EIA must be at version 3.2.x
• McAfee Network Security Manager (Manager) must be at version 10.1.7.35 or later or 9.1.7.83 or later
• McAfee Network Threat Behavior Analysis Appliance (NTBA Appliance) must be at version 9.1.3.12 or later
Note: McAfee recommends you upgrade McAfee EIA to version 3.2.2.
McAfee EIA 3.2.2 runs on these Microsoft operating systems:
• Windows 10 20H1 (64-bit)
• Windows 10 RS5 (64-bit)
• Windows 10 RS4 (64-bit)
• Windows 10 R2 (64-bit)
• Windows Server 2019 Standard
• Windows Server 2016 Standard
• Windows Server 2012 R2 (64-bit) Standard
• Windows Server 2012 (64-bit) Standard

Setting up McAfee Agent with ePolicy Orchestrator server


Install McAfee Agent extension, upload McAfee Agent package, and deploy McAfee Agent on managed systems.

Download McAfee Agent and the extension package


Before you begin
Locate your grant number.

Task
1. In a web browser, go to www.mcafee.com/us/downloads.
2. Enter your grant number, then go to the appropriate product and version.
3. Download the McAfee Agent extension, MA-WIN x.y.z Build <abcd> Package <#y> (ENU-LICENSED-RELEASE), and the agent packages to
the system containing the McAfee ePO server.
For more information, see the specific version of McAfee Agent Product Guide.

Install McAfee Agent extension
Task
1. From the ePolicy Orchestrator console, click .
2. Select Software → Extensions.

Navigating to software extensions on ePO console

3. At the top of the Extensions pane on the left side of the Extensions page, click Install Extension.

Installing McAfee Agent extension

4. Browse to the MA-WIN x.y.z Build <abcd> Package <#y> (ENU-LICENSED-RELEASE) file you downloaded from the McAfee downloads
page.
5. Click Open to select the file, then click OK to proceed with the selection.
6. Click OK to install the extension.

Upload McAfee Agent package
Upload the McAfee Agent package to the ePolicy Orchestrator server. This package contains the files necessary to install McAfee
Agent on managed systems.

Task
1. From the ePolicy Orchestrator console, click .
2. Select Software → Master Repository.

Master Repository in ePO console

3. Click Check In Package.


The Check In Package page is displayed.
4. From the Package type list, select Product or Update (.ZIP), then browse and select the McAfee Agent package file.

Uploading McAfee Agent package

5. Click Next.
6. Click Save.
The package is added to the Master Repository.

Deploy McAfee Agent


Deploy McAfee Agent to managed systems.

Task
1. From the ePolicy Orchestrator console, click .
2. Select Menu → Client Tasks → Client Task Catalog.

Client Task Dialog in ePO console

3. Click New Task.


4. From the Task Types list, select Product Deployment.
5. Click OK.
The Client Task Catalog: New Task McAfee Agent: Product Deployment page appears.

Selecting McAfee Agent to deploy

6. In the Task Name field, enter a name for the task.


7. From the Products and components menu, select McAfee Agent <x.y>.
8. Click Save.
9. Run the task.

a. Click the System Tree icon. The Systems tab appears.

Selecting systems to deploy McAfee Agent

b. Select the systems to deploy McAfee Agent.


c. Select Actions → Agent → Run Client Task now.
d. In the Task Type column, select Product Deployment, and in the Task Name column, select the task you created.
e. Click Run Task Now.
For more information, see the specific version of McAfee Agent Product Guide.

Setting up McAfee EIA with ePolicy Orchestrator server


Install the Endpoint Intelligence Management extension, upload the Endpoint Intelligence Agent package, and deploy McAfee EIA
on managed systems.

Download McAfee EIA and the extension package


Download McAfee EIA package and the Endpoint Intelligence Management extension to the ePolicy Orchestrator server.

Before you begin


Locate your grant number.

Task
1. In a web browser, go to www.mcafee.com/us/downloads.
2. Enter your grant number, then go to the appropriate product and version.
3. Download the Endpoint Intelligence Management extension file, eim_epo_extension_<version>.zip.
4. Download the Endpoint Intelligence Agent file, eia_epo_deploy_<version>.zip.

Install the Endpoint Intelligence Management extension


Install the Endpoint Intelligence Management extension from your download location to your ePolicy Orchestrator server.

Task
1. From the ePolicy Orchestrator console, select Menu → Software → Extensions.

Navigating to software extensions on ePO console

2. At the bottom of the Extensions pane on the left side of the Extensions page, click Install Extension.

Installing Endpoint Intelligence Management extension

3. Browse to the eim_epo_extension_<version>.zip file you downloaded from the McAfee downloads page.
4. Click Open to select the file, then click OK to proceed with the selection.
5. Click OK to install the extension.

Upload McAfee EIA package


Upload McAfee EIA package to the ePolicy Orchestrator server. This package contains the files necessary to install McAfee EIA on
managed systems.

Task
1. From the ePolicy Orchestrator console, select Menu → Software → Master Repository.

Master Repository in ePO console

2. Click Check In Package.


The Check In Package page is displayed.
3. From the Package Type list, select Product or Update (.ZIP), then browse and select ePO_Deploy.zip.

Uploading package

4. Click Next.
5. Click Save.
The package is added to the Master Repository.

Deploy McAfee EIA


Deploy McAfee EIA to managed systems.

Task
1. From the ePolicy Orchestrator console, click
2. Select Client Task → Client Task Catalog.
3. Click New Task.
4. From the Task Types list, select Product Deployment.

5. Click OK.
The Client Task Catalog: New Task Endpoint Intelligence Agent: Product Deployment page appears.

Selecting Endpoint Intelligence Agent to deploy

6. In the Task Name field, enter a name for the task.


7. From the Products and components menu, select Endpoint Intelligence Agent <version>.
8. Click Save.
9. Run the task.
a. Click the System Tree icon. The Systems tab appears.

Selecting systems to deploy McAfee Agent

b. Select the systems to deploy McAfee EIA.


c. Select Actions → Agent → Run Client Task now.
d. In the Task Type column, select Product Deployment, and in the Task Name column, select the task you created.
e. Click Run Task Now.
For more information, see the Endpoint Intelligence Agent Product Guide.

Create and assign policy to managed systems


For McAfee EIA to communicate with the NTBA Appliance, policy must be applied to managed systems.

Task
1. From the ePolicy Orchestrator console, select Policy Catalog:
a. Select Product as Endpoint Intelligence Agent <version>.
b. Select Category as EIA Settings.

Policy Catalog ePolicy Orchestrator page

2. Click the My Default policy to edit it.


a. Select the Device Type as NTBA from the drop-down list.

General Settings tab

b. Enter the source IP address.


c. Enter the subnet mask.
d. Enter the device IP address. The device IP address you specify here must be the same as the NTBA Management IP address
running on your Manager.
e. Enter the port number. Select the NTBA listening port for McAfee EIA connections and make sure that this port is not
blocked by firewall rules. The default port used on NTBA is 9008.
f. Click Add Route and click Save.
3. In the System Tree tab, click Actions → Wake Up Agent for the new configurations to take effect. By default, the policy is applied to all
groups/subgroups.

Wake Up Agents option on ePolicy Orchestrator console

For more information, see the Endpoint Intelligence Agent Product Guide.

Enabling McAfee EIA integration on the Manager


Note: You must have deployed McAfee Agent and McAfee EIA and configured the agents to send their results to NTBA in the
ePolicy Orchestrator console as explained in the preceding sections.
You can enable McAfee EIA integration with the NTBA Appliance at the Global level and at the Device level.
When you enable McAfee EIA integration at the Global level, the settings are inherited by its child domain nodes as the Inherit
Settings checkbox is enabled by default.
When you enable McAfee EIA integration at the Device level, you can apply the configuration settings only to that particular NTBA
Appliance.

Enable McAfee EIA integration globally


By default, the Inherit Settings checkbox is enabled, so settings made at the Global level are inherited by all NTBA Appliances in this
domain (and child admin domains). The Auto-Classification Settings options are available only at the Global level and are inherited by all
devices.

Task
1. Select Devices → <Admin Domain Name> → Global → NTBA Device Settings → Device Settings → Setup → EIA Integration.
The EIA Integration page is displayed.
Note: The settings done at the parent admin domain level are inherited by default by its child domains.
2. Select the Enable EIA Integration checkbox to enable the feature.

Enable EIA Integration page globally

Field descriptions

Agent Connection Settings
The NTBA Listening Port is the port on which the NTBA Appliance listens for incoming connections from endpoints running McAfee
EIA. It is pre-populated with the value used by default by the agents. You can edit this field by specifying a port number between
0 and 65535.
At a device level, click View Agent Connectivity to verify EIA connectivity with the configured NTBA device.

ePO Settings
This section defines the parameters used to connect with the ePO server and exchange the certificates used to authenticate and
secure agent communication with the NTBA Appliance.
◦ ePO Server IP Address: Displays the IP address of the ePO server.
◦ ePO Server Port: This field is pre-populated with the value used by default by the ePO server. You can edit this field by
specifying a port number between 0 and 65535.
◦ ePO User Name: Type the user name to log on to the ePO console.
Note: The ePO user must have the Allow Download of Certificates permission, found in the Endpoint Intelligence category of user
permissions, enabled.
◦ ePO Password: Type the password to log on to the ePO console.
◦ Open ePO Console: Click to configure the ePO settings from here.

Auto-Classification Settings
This section provides options to automatically allow and block executables whose posture McAfee is confident of. It provides the
following options:
◦ Automatically Allow Executables Signed by a Trusted Certificate Authority: If the executable is signed by a trusted CA or has a signer
name, then it is allowed. This is enabled by default.
◦ Automatically Allow Executables Found on the GTI Allow List: If the GTI file reputation is clean, then it is allowed. This is enabled by
default.
◦ Automatically Block Executables Found on the GTI Block List: If the GTI file reputation is malicious, then it is blocked. This is disabled
by default.
◦ Automatically Block Executables that Dynamic Analysis Indicates to be Malware: If dynamic analysis reports a file as malicious, then it
is blocked. This is disabled by default.
Note: McAfee recommends that you keep all auto-classification settings enabled unless you want to investigate every executable
manually.

Update ePO Certificate
Click this button if there have been changes to the certificate on the ePO side, to automatically update all NTBA Appliances in the
admin domain node (and devices in the child admin node that inherit them).

To check if McAfee EIA service is running on the NTBA Appliance, run the show endpointintelligence summary CLI command.
Note: ePO user must have the option 'Allow Download of Certificates' enabled in the Endpoint Intelligence category of user
permissions.

Enable McAfee EIA integration per device


You can enable McAfee EIA integration for a particular device or domain at the Device level.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Setup → EIA Integration.
The EIA Integration page is displayed.

Enabling McAfee EIA integration at Device level

Note: If the Inherit Settings checkbox is selected (default), then the settings from the Global level for the selected admin domain
will be inherited by the device.
2. Deselect the Inherit Settings checkbox and select the Enable EIA Integration checkbox to configure settings for a particular device.
3. Follow the procedure as explained in Enable McAfee EIA integration globally to configure McAfee EIA at the device level.

Understanding executable classification


The Manager provides options to auto-classify or manually classify the executables. Executables that appear as unclassified can
be allowed or blocked. The Manager pushes the updates in the allowed and blocked hashes to the NTBA Appliance every five
minutes.
The executables are classified as:
• Allowed: Executables that are considered safe.
• Blocked: Executables that are not considered safe or not allowed per corporate policy.
• Unclassified: Executables that are yet to be classified.
You can classify executables from any of the following:
• Endpoint Baseline Generator: When the Endpoint Baseline Generator tool is run on a computer, it scans the computer,
calculates the heuristics for all the executable hashes on the system, and generates an XML file. This XML file contains
information such as file name, file size, hash type (MD5), and file hash.
McAfee recommends that you run the tool on a system that can be treated as a baseline computer profile for your
organization. You can then use the import option in the Manager to append your list to the existing allow and block list in the
Manager.
• Auto-Classification: You can configure Auto-Classification Settings at the Global level of the EIA Integration page to classify executables
based on the following:
◦ If the executable is signed and trusted, then it is allowed.
◦ If GTI file reputation is malicious, then it is blocked.
◦ If GTI file reputation is clean, then it is allowed.
◦ If dynamic analysis reports an executable or data file as malicious, then it is blocked.
◦ Auto-classified blocked and allowed executables are added to the Allowed and Blocked Hashes tabs in File Hashes page.
Note: Make sure that GTI is reachable. This can be done by configuring the local DNS Server (or proxy) by selecting Devices →
<Admin Domain Name> → Global → Default Device Settings → Common → Name Resolution. Enter the IP Address (IPv4 or IPv6) here.

• Manual Classification: You can also manually classify the executables from the Manager. Based on their overall malware
confidence and their network behavior, you can classify them as allowed or blocked.
Note: Manual classification has the highest priority and takes precedence over auto-classification.
The following aspects are used to classify executables:

Executable classification

Manually allowed | Manually blocked | Digitally trusted | Dynamic analysis | Auto-GTI allowed | Auto-GTI blocked | Gets classified as
Yes              | -                | Yes or No         | Any              | Yes or No        | Yes or No        | Allowed
-                | Yes              | Yes or No         | Any              | Yes or No        | Yes or No        | Blocked
Not classified   | Not classified   | Yes               | Any              | Yes or No        | Yes or No        | Allowed
Not classified   | Not classified   | No                | Malicious        | Yes or No        | Yes or No        | Blocked
Not classified   | Not classified   | No                | Not malicious    | Yes              | No               | Allowed
Not classified   | Not classified   | No                | Not malicious    | No               | Yes              | Blocked

Scenario: A new executable is seen in your network

Manually allowed | Manually blocked | Digitally trusted | Dynamic analysis | Auto-GTI allowed | Auto-GTI blocked | Gets classified as
-                | -                | Yes               | Any              | Unknown          | Unknown          | Allowed
-                | -                | No                | Malicious        | Unknown          | Unknown          | Blocked
-                | -                | No                | Not malicious    | Unknown          | Unknown          | Unclassified

Note: A new executable is not known to McAfee GTI and an administrator cannot classify it until its behavior is analyzed. For the
second occurrence, GTI discovers and computes reputation for an unclassified executable, and accordingly the NTBA
classification may vary.
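The classification table above, expressed as a function so the precedence (manual first, then digital trust, then dynamic analysis, then GTI) can be checked against each row. This is an added example, not McAfee's code; the field names, the settings object that models the four Auto-Classification options, and the Unclassified fallback for combinations the table does not list are assumptions.

```python
"""Added example (not McAfee's code): the NTBA executable-classification
decision table as a function, with the four Auto-Classification options
modelled as switches. Field names and the Unclassified fallback for
combinations the table does not list are assumptions."""
from dataclasses import dataclass
from typing import Optional

ALLOWED, BLOCKED, UNCLASSIFIED = "Allowed", "Blocked", "Unclassified"


@dataclass(frozen=True)
class AutoClassification:
    """The four options on the EIA Integration page, all enabled (the
    table assumes every rule is active)."""
    allow_trusted_ca: bool = True
    allow_gti_allow_list: bool = True
    block_gti_block_list: bool = True
    block_dynamic_malware: bool = True


# Product defaults from the guide: both Block options are off until enabled.
PRODUCT_DEFAULTS = AutoClassification(block_gti_block_list=False,
                                      block_dynamic_malware=False)


@dataclass(frozen=True)
class ExecutableFacts:
    """What NTBA knows about one executable hash (constructed field set)."""
    manually_allowed: bool = False
    manually_blocked: bool = False
    digitally_trusted: bool = False           # signed by a trusted CA / signer present
    dynamic_analysis_malicious: bool = False  # dynamic analysis verdict
    gti_allowed: Optional[bool] = None        # None: hash not yet known to GTI
    gti_blocked: Optional[bool] = None


def classify(facts: ExecutableFacts,
             settings: AutoClassification = AutoClassification()) -> str:
    # Rows 1-2: manual classification has the highest priority.
    if facts.manually_allowed:
        return ALLOWED
    if facts.manually_blocked:
        return BLOCKED
    # Row 3 and scenario row 1: a digitally trusted executable is allowed
    # regardless of the dynamic-analysis verdict or GTI reputation.
    if settings.allow_trusted_ca and facts.digitally_trusted:
        return ALLOWED
    # Row 4 and scenario row 2: untrusted, and dynamic analysis says malicious.
    if settings.block_dynamic_malware and facts.dynamic_analysis_malicious:
        return BLOCKED
    # Scenario row 3: GTI has not computed a reputation for this hash yet.
    if facts.gti_allowed is None and facts.gti_blocked is None:
        return UNCLASSIFIED
    # Rows 5-6: fall back to the GTI allow/block lists.
    if settings.allow_gti_allow_list and facts.gti_allowed and not facts.gti_blocked:
        return ALLOWED
    if settings.block_gti_block_list and facts.gti_blocked and not facts.gti_allowed:
        return BLOCKED
    # Assumption: anything the table does not cover stays unclassified.
    return UNCLASSIFIED
```

With PRODUCT_DEFAULTS, a hash that GTI reports as malicious stays Unclassified, which is why the guide recommends enabling all four options unless every executable is to be reviewed by hand.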

Working with allowed and blocked hashes


The Manager maintains a single list of allowed (good) and blocked (bad) hashes. Each list contains file hashes and executable
names that can be leveraged by all devices configured on the Manager for reporting purposes.

Import of allowed and blocked hashes


You can use this page to import hashes into the allow and block list.
Supported file formats include XML and CSV. The XML format is used to import a list of hashes that have been exported from
endpoints running McAfee EIA using the Endpoint Baseline Generator utility. The Manager exports the lists in CSV format, so CSV
can be used to import previous exports. It also provides a straightforward way to create a list manually.
CSV file format
The file to be imported should be in the following CSV format:
<File name>,<File size>,<Hash type>,<File hash>,<Description>
For example:
Application.exe, 1024, MD5, 30a4edd18db6dd6aaa20e3da93c5f425, My description
where:
• Application.exe is the file name. File name must be a string value and at least 1 character long.
• 1024 is the file size. File size must be an integer value and at least 1 character long. It is not currently used.
• MD5 is the hash type. Hash type can only be MD5.
• 30a4edd18db6dd6aaa20e3da93c5f425 is the file hash. File hash must be a valid MD5 hash value.

• My description is the description. Description must be a string value and at least 1 character long.
If you are importing multiple files, each file has to be on a new line.
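A validator for this CSV format, to run over a hand-built or exported list before importing it into the Manager. This is an added example, not McAfee's code: the sample lines, the error wording and the duplicate-hash check are constructed, and the 99,000-entry cap is the Manager limit stated in this section.

```python
"""Added example (not McAfee's code): validate a hash-list CSV in the
<File name>,<File size>,<Hash type>,<File hash>,<Description> format the
Manager imports. Sample lines and error wording are constructed."""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Tuple

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
MAX_ENTRIES = 99_000  # Manager limit, allowed and blocked hashes combined


@dataclass(frozen=True)
class HashEntry:
    file_name: str
    file_size: int
    hash_type: str
    file_hash: str  # normalised to lowercase for comparison
    description: str


def parse_hash_csv(text: str) -> Tuple[List[HashEntry], List[str]]:
    """Return (valid entries, error messages). One record per line; fields
    may carry surrounding whitespace, as in the guide's own example."""
    entries: List[HashEntry] = []
    errors: List[str] = []
    seen = set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not row or all(not f.strip() for f in row):
            continue  # blank line
        if len(row) != 5:
            errors.append(f"line {lineno}: expected 5 fields, got {len(row)}")
            continue
        name, size, htype, fhash, desc = (f.strip() for f in row)
        if not name:
            errors.append(f"line {lineno}: file name is empty")
            continue
        if not size.isdigit():  # size must be an integer (not used by the Manager)
            errors.append(f"line {lineno}: file size {size!r} is not an integer")
            continue
        if htype.upper() != "MD5":  # MD5 is the only supported hash type
            errors.append(f"line {lineno}: hash type {htype!r} is not MD5")
            continue
        if not MD5_RE.match(fhash):
            errors.append(f"line {lineno}: {fhash!r} is not a valid MD5 hash")
            continue
        if not desc:
            errors.append(f"line {lineno}: description is empty")
            continue
        key = fhash.lower()
        if key in seen:  # constructed check: the same hash listed twice
            errors.append(f"line {lineno}: duplicate hash {key}")
            continue
        seen.add(key)
        entries.append(HashEntry(name, int(size), "MD5", key, desc))
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the Manager limit of {MAX_ENTRIES}")
    return entries, errors


# Constructed sample: the guide's example record followed by defective lines.
SAMPLE = """Application.exe, 1024, MD5, 30a4edd18db6dd6aaa20e3da93c5f425, My description
tool.exe, 2048, SHA1, da39a3ee5e6b4b0d3255bfef95601890afd80709, wrong hash type
update.exe, abc, MD5, 30a4edd18db6dd6aaa20e3da93c5f425, bad size
, 512, MD5, 00000000000000000000000000000000, missing name
setup.exe, 4096, MD5, 30A4EDD18DB6DD6AAA20E3DA93C5F425, duplicate of line 1
"""

if __name__ == "__main__":
    ok, bad = parse_hash_csv(SAMPLE)
    print(f"{len(ok)} valid entries, {len(bad)} rejected")
    for msg in bad:
        print(" -", msg)
```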
Once hashes are imported, the list of all available hashes is displayed. The Manager pushes all the imported hashes to all the
available NTBA Appliances and IPS Sensors. Auto-allowed and auto-blocked executable hashes are also added to the Manager
global list. The Comment column on the Policy → <Admin Domain Node> → Intrusion Prevention → Exceptions → File Hash Exceptions page
provides the details of how each such hash was classified.
Note: The Manager supports up to 99,000 hash entries (allowed and blocked combined).
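As an added example (not McAfee code) of checking a hand-built list against the format above before importing it: it validates each row's fields, normalizes the hash to lowercase, and enforces the 99,000-entry limit. The duplicate-hash check is the example's own; the page does not say how the Manager treats duplicates.

```python
"""Validate a hash list before importing it into the Manager.

Added example, not McAfee code. It checks each CSV row against the
format the guide describes:
    <File name>,<File size>,<Hash type>,<File hash>,<Description>
and against the Manager's limit of 99,000 entries (allowed + blocked).
"""
import csv
import io
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
MAX_ENTRIES = 99_000  # Manager limit, allowed and blocked combined


def validate_row(row, line_no):
    """Return the list of problems found in one CSV row (empty list = valid)."""
    if len(row) != 5:
        return [f"line {line_no}: expected 5 fields, got {len(row)}"]
    name, size, hash_type, file_hash, description = (f.strip() for f in row)
    problems = []
    if not name:
        problems.append(f"line {line_no}: file name must be at least 1 character")
    if not size.isdigit():
        problems.append(f"line {line_no}: file size must be an integer")
    if hash_type.upper() != "MD5":
        problems.append(f"line {line_no}: hash type must be MD5, got {hash_type!r}")
    if not MD5_RE.match(file_hash):
        problems.append(f"line {line_no}: {file_hash!r} is not a valid MD5 hash")
    if not description:
        problems.append(f"line {line_no}: description must be at least 1 character")
    return problems


def validate_hash_list(text, existing_entries=0):
    """Validate a whole CSV document.

    Returns (entries, problems): entries holds a dict per valid row with the
    hash lowercased; problems lists every violation found. existing_entries
    is the number of hashes already in the Manager list, used for the cap check.
    """
    entries, problems, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not f.strip() for f in row):
            continue  # blank line
        row_problems = validate_row(row, line_no)
        if row_problems:
            problems.extend(row_problems)
            continue
        name, size, _, file_hash, description = (f.strip() for f in row)
        digest = file_hash.lower()
        # Duplicate check is this example's own assumption, not documented behaviour.
        if digest in seen:
            problems.append(f"line {line_no}: duplicate hash {digest}")
            continue
        seen.add(digest)
        entries.append({"name": name, "size": int(size), "hash_type": "MD5",
                        "hash": digest, "description": description})
    if existing_entries + len(entries) > MAX_ENTRIES:
        problems.append(f"import would exceed the Manager limit of {MAX_ENTRIES} entries")
    return entries, problems


# Constructed sample input: one valid row (the guide's example), one with a
# truncated hash, and one using an unsupported hash type.
SAMPLE_CSV = """\
Application.exe, 1024, MD5, 30a4edd18db6dd6aaa20e3da93c5f425, My description
broken.exe, 2048, MD5, 30a4edd18db6dd6aaa20e3da93c5f4, Hash too short
tool.exe, 4096, SHA1, da39a3ee5e6b4b0d3255bfef95601890afd80709, Unsupported hash type
"""

if __name__ == "__main__":
    good, errors = validate_hash_list(SAMPLE_CSV)
    print(f"{len(good)} valid entries, {len(errors)} problems")
    for err in errors:
        print(" -", err)
```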

Task
1. Select Policy → <Admin Domain Node> → Intrusion Prevention → Exceptions → File Hash Exceptions.
The Allowed and Blocked Hashes tabs are displayed.
Note: You can also go to the File Hash Exceptions page by clicking the Manage allow and block lists link from the Malware Files page or the
Endpoint Executables page.
2. Depending on the type of hashes you want to import, select the Allowed Hashes or the Blocked Hashes tab.
Tip: Check the Comment column for auto-allowed and auto-blocked executables before deciding whether to import the hashes.
3. Click Import.
The Import page is displayed.

Importing hashes into the allow list

4. Browse to the location of the file and click Import. The list is populated.
Note: By default, the list is sorted in ascending order of the file name. To sort it according to your choice, click any
column name and select an option from the drop-down list.
5. To append to the existing list, leave the Append option selected (it is selected by default).
Note: For information about how to use the Replace option, see Remove or replace hashes from allow list or the block list.
6. Use the Search option to locate an entry by file hash, file name, or classifier.
7. Optionally, add a description in the Comment field explaining why a file hash was allowed or blocked.
Note: The Comment field allows up to 250 characters.

Export of allowed and blocked hashes

To export the hashes, go to the appropriate tab and click Export Allowed or Export Block List. The exported CSV file
contains either allowed or blocked hashes, depending on the tab from which it is exported. You can use the exported file as the
import source for another Manager.
Note: Currently, only export to CSV files is supported.

Task
1. Select Policy → <Admin Domain Node> → Intrusion Prevention → Exceptions → File Hash Exceptions.
The Allowed and Blocked Hashes tabs are displayed.
Note: You can also go to the File Hash Exceptions page by clicking the Manage allow and block lists link from the Malware Files page or the
Endpoint Executables page.
2. Depending on the type of hashes you want to export, select the Allowed Hashes or the Blocked Hashes tab.
3. Click Export Allowed or Export Block List.
The File Download page is displayed.

Exporting hashes

4. Click Open or Save.


The exported CSV file contains the file name, file size, hash function (MD5), file hash, and description.
Note: If you attempt to export policies using Internet Explorer 10 in combination with Windows Server 2012, the Manager
generates the "Export of custom policy error". To avoid this, go to Control Panel → Add or Remove Programs → Add/Remove Windows
Components; in the Windows Components Wizard window that opens, select Internet Explorer Enhanced Security Configuration and disable it. For
more information on the fault, see the Network Security Platform Product Guide.

Move hashes from or to allow list or block list


After you have imported the list, you can move some or all of the hashes from one list to another.
Note: If a hash is part of both allow list and block list, the one in the allow list takes precedence.

Task
1. Select the entry that you want to move. To select multiple entries, hold the SHIFT key while selecting.
2. From the Take Action drop-down list, select Move selected hashes to allow list or Move all hashes to allow list.

Moving a selected hash to the allow list

The selected entry is moved to the list that you have chosen. A message that the action was successful is
displayed at the top of the page.

Remove or replace hashes from allow list or the block list

You can remove some or all of the hashes from the allow list or the block list and mark them as unclassified. The hashes are
removed from the Manager database but remain in the NTBA database as unclassified.

Task
1. Select the entry that you want to remove. To select multiple entries, hold the SHIFT key while selecting.
2. From the Take Action drop-down list, select Remove selected hashes (reset as Unclassified) or Remove all hashes (reset as Unclassified).
The selected entry is no longer displayed on this page.
3. You can use the Replace option to put back a removed entry or to overwrite the old entries with new ones. A confirmation
message is displayed.
4. Click OK to continue.
The old list is replaced with the new list.

Configuring NTBA policies for McAfee EIA alerts

Seven attack definitions are added to the NTBA policies in Policy → Network Threat Behavior Analysis → NTBA Policies:

NTBA policy: EXECUTABLE: Unclassified executable detected by Endpoint Intelligence Agent engine
Description: This alert is raised when the executable is not classified by the administrator or is not auto-classified.
Enabled by default: No
Alert frequency: Raised once per executable from the NTBA Appliance

NTBA policy: EXECUTABLE: Allowed executable detected by Endpoint Intelligence Agent engine
Description: This alert is raised when the executable is marked as allowed by the administrator. This alert is also raised when the executable is found to be digitally allowed or GTI allowed.
Enabled by default: No

NTBA policy: EXECUTABLE: Blocked executable detected by Endpoint Intelligence Agent engine
Description: This alert is raised when the executable is marked as blocked by the administrator or when the executable is auto-classified based on the GTI Block List.
Enabled by default: Yes
Alert frequency: Raised per executable per endpoint

NTBA policy: MALWARE: Very High-confidence malware executable detected by Endpoint Intelligence Agent engine
Description: This alert is raised when the malware confidence of the executable detected by McAfee EIA is very high and the executable is not allowed.
Enabled by default: Yes

NTBA policy: MALWARE: High-confidence malware executable detected by Endpoint Intelligence Agent engine
Description: This alert is raised when the malware confidence of the executable detected by McAfee EIA is high and the executable is not allowed.
Enabled by default: Yes

NTBA policy: MALWARE: Medium-confidence malware executable detected by Endpoint Intelligence Agent engine
Description: This alert is raised when the malware confidence of the executable detected by McAfee EIA is medium and the executable is not allowed.
Enabled by default: No

NTBA policy: MALWARE: Very High-confidence malware file detected by Endpoint Intelligence Agent engine
Description: This alert is raised when the malware confidence of the file detected by McAfee EIA is very high and the file is not allowed.
Enabled by default: No
Alert frequency: Raised per non-executable file (such as a doc or pdf file) per endpoint

Depending on which of the attack definitions are enabled in the NTBA policies, alerts are generated for the matching traffic.
The malware attacks can be viewed in the Top Malware Files monitor on the Manager Dashboard page and in the Top Attack Executables
table in the Threat Explorer.
Alert throttling
Run the set endpointintelligence alertinterval CLI command to configure the interval after which an alert for the same executable is
raised again. By default, it is 7 days. It can be configured between 0 and 30 days. Configure it as zero to disable alert throttling.
Whenever a given executable's properties change (malware confidence or classification), the alert generation interval is reset for
that executable.
Note: Filter functionality is not supported for Endpoint Intelligence Agent alerts.

Viewing executables running on endpoints
The Endpoint Executables page on the Analysis tab provides a snapshot of all the executables running on your internal endpoints that
have made network calls. It also provides network visibility into how many endpoints are running each executable, how many
connections were made, and the events triggered by the executable during the selected timeframe.
Note: All NTBA Appliances that have McAfee EIA services running on them are displayed in the Devices drop-down list. You can
filter data based on the NTBA Appliance selection.
The executables listed here are processes and files. They can be allowed, blocked, or unclassified. You can use this page to
investigate which factors led to the classification of an executable and to manually change the classification.
By default, the list is sorted by endpoints, so executables with the most endpoint connections are displayed first.
Note: The maximum number of executables displayed on the Endpoint Executables page is 4096. Historical data and inactive executable
data are kept for 30 days.
The page is divided into the Executable panel and the Details panel. Click a row in the Executable panel to view additional information
about the executable hash in the Details panel.

Endpoint Executables page with default settings

Items called out in the figure:
1: Filters and Search options
2: Executable panel
3: Details panel

Following are the filters and search options available:

Field: Malware Confidence
Description:
• Any Malware Confidence: Displays all executables irrespective of their malware confidence
• High+ Malware Confidence: Displays executables with high and very high malware confidence
• Medium+ Malware Confidence: Displays executables with medium, high, and very high malware confidence
• Very High Malware Confidence: Displays executables with very high malware confidence
Default value: High+ Malware Confidence

Field: Classification
Description:
• Any Classification: Displays all executables, whether blocked, allowed, or unclassified
• Blocked: Displays only blocked executables
• Unclassified: Displays executables that are neither blocked nor allowed
• Allowed: Displays only allowed executables
Default value: Any Classification

Field: Devices
Description: Displays the list of NTBA Appliances that have McAfee EIA services running on them
Default value: Displays device names in alphabetical order.

Field: Time interval
Description: Last 5 minutes, Last 1 hour, Last 6 hours, Last 12 hours, Last 24 hours, Last 48 hours, Last 7 days, Last 14 days, or Custom Time Period
Default value: Last 12 hours

Field: Search
Description: Allows you to search for an executable by its file hash or binary name
Default value: Blank

Attack Log
Double-click any executable hash to navigate to the Attack Log page, where you can view and analyze the alerts related to the
selected hash.

Selected hash alerts in Attack Log

The date and time filter used in the Endpoint Executables page is persisted when navigating to the Attack Log. To close the Attack Log, click
Back or the X icon.
Manage Allow and Block lists
Manage Allow and Block lists is a link to the File Hash Exceptions page.

For the selected NTBA Appliance, the Executable panel consists of:

Option: Executable
Definition:
• Actions: Click Take Actions to classify an executable as allowed, blocked, marked as, or unclassified
• Hash: Displays the file hash of the executable
• Name: Displays the binary name of the executable
• Version: Displays the product version

Option: Malware Confidence
Definition: Displays the malware confidence level returned by the configured McAfee EIA. The malware confidence values are very high, high, medium, low, very low, and unknown.

Option: Classification
Definition: Displays the executable classification, whether blocked, allowed, or unclassified.

Option: First Seen
Definition: Displays when the executable was first reported by McAfee EIA to the NTBA Appliance for the selected timeframe.

Option: Last Seen
Definition: Displays when the executable was last reported by McAfee EIA to the NTBA Appliance.

Option: Counts
Definition: By default, the order is sorted by the endpoints, so executables with the most endpoint connections are displayed first.
• Endpoints: Displays the number of endpoints running the executable for the selected timeframe
• Attacks: Displays the number of attacks triggered by the executable for the selected timeframe
• Connections: Displays the number of connections made by the executable for the selected timeframe

Option: Comment
Definition: Reason for changing the executable classification

Click any row to see additional information of the executable hash in the Details panel. The Details panel consists of:
EIA Details
This tab displays the executable or file information. This includes:
• Properties — Displays the malware confidence for the executable along with malware indicators that helped determine the
reputation.

Executable or file details

Field descriptions of EIA Details tab

Field: Hash
Description: Displays the file hash.

Field: Binary Name
Description: Displays the binary name and the type, whether process or library.

Field: Product Name
Description: Displays the product name for the executable or file.

Field: Version
Description: Displays the product version number.

Malware Summary

Field: Malware Confidence
Description: Displays the malware confidence level returned by the configured McAfee EIA. The malware confidence values are very high, high, medium, low, very low, and unknown.

Field: Malware Name
Description: Displays the malware name, for example, gtalk.exe.

Field: File Certificate
Description: Displays the certificate signer and status for the file certificate, for example, Microsoft Corporation.

Field: GTI Reputation
Description: Displays the file reputation received from GTI. Valid values are Very Low, Low, Medium, High, Very High, and Unknown.

Field: Local Classification
Description: Displays the executable classification, whether Blocked, Allowed, or Unclassified.

Field: Classified
Description: Displays the method of classification (Auto if the executable has been auto-classified by the NTBA Appliance or Manual if it has been manually classified) and the timestamp, only for classified executables.

Field: File Execution Summary
Description: Displays a summary of the tasks performed when a program was executed. Examples: connects to the internet, changes proxy settings, adds host file entries.

Field: File Execution Details
Description: Displays execution details as they happened.
◦ Save as CSV: Exports the list of executables in CSV format.
◦ Executable: Displays the executable name, for example, gtalk.exe.
◦ Action: Displays the action performed by the program, for example, create_dir.
◦ Target Object: Specifies the path where this action was performed, for example, \Device\Harddisk\Users\Ellie\Local
◦ Search: Displays details based on search criteria.

• File Execution Results — Shows some of the methods and engines that were used to compute the executable reputation.
Endpoints
This tab displays the list of endpoints running the executable during the selected timeframe.

Endpoints information

Field descriptions of Endpoints tab

Field: IP Address
Description: Displays the IP address of the endpoint.

Field: Hostname
Description: Displays the name of the managed host.

Field: OS
Description: Displays the version of the operating system running on the endpoint. For example: Windows 7.

Field: User
Description: Displays the user name that invoked the executable or the DLL. The user name can include system users and local users.

Field: Counts
Description:
• Attacks: Displays the number of attacks triggered by the executable during the selected timeframe
• Connections: Displays the number of connections made by the executable during the selected timeframe

The Search field allows you to search by IP address, host name, operating system, or user columns.
Double-click the IP address to view alerts related to the IP address in the Attack Log. The alerts are filtered based on the IP
address selected. To close Attack Log, click Back or the X icon.

Alerts based on the IP address selected

Applications
This tab displays the list of applications that have been invoked by the executable during the selected timeframe.

Applications invoked by the executable

Field descriptions of Applications tab

Field: Application
Description: Displays the name of the application.

Field: Risk
Description: Displays whether the application is high, medium, or low risk. McAfee Labs categorizes an application based on its vulnerability and the probability for it to deliver malware.

Field: Category
Description: Displays the category that the application falls under. For example, HTTP falls under the Infrastructure Services category.

Field: Counts
Description:
• Attacks: Displays the number of attacks triggered by the executable during the selected timeframe
• Connections: Displays the number of connections made by the executable during the selected timeframe

The Search field allows you to search by application name, risk, or category.
Double-click the application to view alerts related to the application in the Attack Log. The alerts are filtered based on the
application selected. To close the Attack Log, click Back or the X icon.

Alerts based on the application selected

Sample scenario: Analyze an unclassified executable with high malware confidence
Consider an executable, DAP.exe, that is shown on the Top Endpoint Executables monitor with malware confidence High and
classification Unclassified. This section provides a workflow that you can follow in the Manager user interface to investigate
the executable properties, the malware indicators used to compute the malware confidence, the type of alerts it triggered, and
the confidence assigned by other malware engines to this file, and then to allow or block it.

Task
1. Click Dashboard on the Home page to view the Top Endpoint Executables monitor.
a. Select Attacks to view executables that have generated most attacks.
-OR-
Select Endpoints (default) to view executables that have made most connections. The Device drop-down list is shown when you
select Endpoints. This list shows all NTBA Appliances configured that have McAfee EIA services running on them sorted in
alphabetical order.
b. Click DAP.exe in the Top Endpoint Executables monitor to go to the Endpoint Executables page.
Note: Hover the mouse on the bar graph to see the executable name, number of attacks/endpoints, executable hash
name, classification type, and malware confidence level.
The executable, DAP.exe, shows high malware confidence but the classification type is shown as Unclassified.
2. The Endpoint Executables page provides network visibility on how many endpoints are running the executables, how many
connections were made, and the events that it triggered. It also displays the malware indicators used to compute the malware
confidence of the executable.
a. Click the Hash link, IP Address link, Application link, Attack link, Attacker IP Address link, or Target IP Address link in the
Details panel to go to the Threat Explorer page.
Note: In some cases, alert count is shown even for allowed executables such as Mozilla Firefox. If bad or malicious sites were
accessed and files downloaded using Mozilla Firefox, there could be executables generating alerts that result in increase of the
attack count.
3. Click View Attacks in the Threat Explorer page to go to the Malware Files page, where you can view the malware confidence alerts,
how each individual malware engine computed its confidence, and how the overall malware confidence of the executable was
computed. This page also allows an in-depth analysis of the malware detected in your network.
Note: You can also go to the Malware Files page from the Endpoint Executables page.
Note: For alerts triggered by McAfee EIA, the bottom panel displays the Direction and Protocol as unknown, Attacker Country and
Target Country as blank, and Result as inconclusive.
4. Select Analysis → Network Forensics to further analyze the endpoint behavior on your network.
a. Enter the IP address of the endpoint for the selected date and time and click Analyze.
The Network Forensics page is displayed with summary, conversation, and event information.
Note: All the executables invoked on the endpoint are displayed in the Client connections panel.
b. Scroll to the Top 10 Conversations panel to see the connections made using this IP address.

c. Scroll to the Last 50 Events to view more details about the attacks. The Endpoint Executables column displays hash, name,
classification, and malware confidence. Click the hash link to go to the Threat Explorer page.
5. Click View attacks in the Attack Log to view and analyze alerts.
a. You can view and group by alerts based on the following:
◦ Name: Displays binary name of the executable
◦ Hash: Displays the file hash of the executable
◦ Malware Confidence: Displays the malware confidence level returned by the configured McAfee EIA. The malware confidence
values are very high, high, medium, low, very low, and unknown.
Note: All the executables invoked on the endpoint are displayed in the Client connections panel.
Note: The above-mentioned fields are not displayed for suppressed alerts.
The alert count and attack count are displayed for the attribute selected in the list.
b. Double-click an alert to open the Alert details panel.
For all alerts triggered by McAfee EIA, an additional panel called Endpoint Intelligence panel is displayed. This displays the hash,
name, classification, and malware confidence of the executable.
c. Click Real-time EIA Details to view executable information for existing IPS and NTBA alerts that have 5-tuple information. Alerts
such as Exploits, Callback Activity, Behavioral, Malware and Policy violation have the 5-tuple information. It also gives
information of the library invoked by the executable, the malware indicators used to compute the score, and classifier
information.
As an administrator, you might want to investigate the alerts further.
Note: The malware confidence and classification values shown in the Real-time EIA Details window might differ from what
is shown in the Alert Details window. This is because the Alert Details window shows the malware confidence and classification of
the executable at the time the alert was first generated, while Real-time EIA Details shows the current details of the executable.
6. Based on the analysis, you can classify the executable as allowed or blocked by clicking the Take Action link on the Malware Files
page.
These updates are made to the allowed and blocked hashes maintained in the Manager.
The Manager sends the changes in the allowed and blocked hashes to the NTBA Appliance every five minutes. Whenever the
file's hash matches with the ones in the allowed and blocked hashes, the allowed hashes are exempted from malware
analysis.

Viewing endpoint intelligence reports


From Analysis → Event Reporting → Next Generation Reports, run and view the Default-Top 10 Endpoint Executables and Default-Endpoint Executable
Details for details based on EIA alerts.

NTBA-EIA deployment scenarios

Scenario: NTBA-EIA integration with IPS Sensor
Solution: The NTBA Appliance, the IPS Sensor, and McAfee EIA should be configured so that the endpoints whose traffic passes through the IPS Sensor are the same endpoints that are configured to send executable information to the NTBA Appliance.

Scenario: NTBA-EIA integration without netflows coming to NTBA
Solution: The solution will work. Applications associated with the executables will not be shown. Events will not have executable information. The Network Forensics page will be blank.

Scenario: NTBA-EIA integration in a setup with IPS Sensor and multiple NTBA Appliances
Solution: The Endpoint Executables page displays information per NTBA Appliance. The block lists and allow lists maintained by the Manager are pushed to all NTBA Appliances with EIA integration enabled. McAfee recommends that you distribute EIA agents across the NTBA Appliances according to the maximum number of endpoints supported by the connected NTBA models.
Note: When more than one NTBA is configured to get executable information from endpoints and an NTBA is not connected to an IPS Sensor, Endpoint Executables → Applications displays no applications for it, and Sensor-generated alerts do not display executable information.

Scenario: NTBA-EIA integration in a setup with endpoints distributed across geo-locations
Solution: The NTBA Appliance must be deployed close to the specific geo-location to be monitored in order to reduce data exchange across WAN links. Use the number of endpoints at a particular geo-location as a factor in deciding where the NTBA Appliance is to be deployed. For more information, refer to the NTBA-EIA sizing recommendations.

Scenario: NTBA-EIA integration in a setup with multiple ePO servers
Solution: If multiple ePO servers manage different parts of the network and all endpoints need to communicate with an NTBA Appliance on the network, use a third-party CA in ePO to provide the CA certificates. This way, all endpoints receive certificates from the same CA.

Best practices
The auto-classification settings for allow list executables (based on GTI reputation or signed by a trusted authority) are enabled
by default. Auto-classification for block list executables based on GTI reputation and dynamic analysis are disabled by default.
McAfee recommends that you keep all auto-classification settings as enabled unless you want to investigate every executable
manually.
For all executables, the malware confidence displayed on the Manager is a best effort based on malware indicators associated
with each executable.
If time permits:
• Once the solution is deployed, learn the executables used in the network to create a baseline computer profile, investigate, and
classify as allowed all the approved executables for your enterprise.
• Every time new patches are deployed, use the endpoint baseline generator to create an updated hash list and import into the
Manager.
• Investigate each executable that displays malware confidence as low or very low. For example, use the malware indicators,
alerts generated, and network forensics.
• Integrate with McAfee Advanced Threat Defense to leverage its sandboxing capabilities.
• Enable the Gateway Anti-Malware Engine running on NTBA as an additional engine for inspection of malware.
• Look at the number of endpoints using an executable, and the type of applications and events associated with the executable.
• If the number of endpoints is high, then it is unlikely that it is a bot.
• Analyze the results from all of these, and then make the final decision to allow list or block list an executable.
If you have time constraints, investigate executables that have malware confidence displayed as medium and above.

NTBA-EIA sizing recommendations

Maximum endpoints per SKU:
• T-600: 12,000
• T-1200: 12,000
• T-VM: 8,000
• T-100VM: 8,000
• T-200VM: 10,000

Below are the observations from tests conducted at McAfee:


• On a typical working day, the average number of executable information records sent by one endpoint in an enterprise is
around 2500 per hour.
• The average size of each record is around 300 bytes.
Depending on the number of active endpoints, you can compute the bandwidth requirements for data sent by Endpoint
Intelligence Agent on endpoints to NTBA.
Assume you have total 50,000 endpoints in your enterprise network:
• Number of NTBA Appliance recommended = 5 T-600 Appliances
• Assume 70% of endpoints are active => 7000 endpoints will be talking to each NTBA
• Network bandwidth requirement for each NTBA = [7000*2500*300/3600] *8 bits per second = 12 Mbps
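The calculation above, carried through for any endpoint count and SKU as an added example (not McAfee code), using the per-SKU limits from the sizing table and the two measured averages quoted in the guide. The even spread of active endpoints across appliances is the assumption the guide's own example makes.

```python
"""NTBA-EIA sizing calculator.

Added example, not McAfee code. It generalizes the guide's worked example
(50,000 endpoints, T-600, 70% active) to any endpoint count and SKU.
"""
import math

# Maximum endpoints per NTBA model, from the sizing table in the guide.
MAX_ENDPOINTS = {
    "T-600": 12_000,
    "T-1200": 12_000,
    "T-VM": 8_000,
    "T-100VM": 8_000,
    "T-200VM": 10_000,
}
# Measured averages from the guide: records per endpoint per hour, bytes per record.
RECORDS_PER_ENDPOINT_PER_HOUR = 2500
BYTES_PER_RECORD = 300


def appliances_needed(total_endpoints, sku):
    """Smallest number of appliances of this SKU whose combined limit covers all endpoints."""
    return math.ceil(total_endpoints / MAX_ENDPOINTS[sku])


def bandwidth_mbps(active_endpoints,
                   records_per_hour=RECORDS_PER_ENDPOINT_PER_HOUR,
                   bytes_per_record=BYTES_PER_RECORD):
    """EIA-to-NTBA traffic into one appliance, in Mbit/s.

    Same formula as the guide: [endpoints * records/h * bytes / 3600] * 8.
    """
    bytes_per_second = active_endpoints * records_per_hour * bytes_per_record / 3600
    return bytes_per_second * 8 / 1_000_000


def size_deployment(total_endpoints, sku="T-600", active_fraction=0.70):
    """Return appliance count, active endpoints per appliance and per-appliance bandwidth."""
    count = appliances_needed(total_endpoints, sku)
    # Assumption carried over from the guide's example: active endpoints are
    # spread evenly across the appliances.
    active_per_appliance = total_endpoints * active_fraction / count
    return {
        "sku": sku,
        "appliances": count,
        "active_endpoints_per_appliance": active_per_appliance,
        "mbps_per_appliance": bandwidth_mbps(active_per_appliance),
    }


if __name__ == "__main__":
    plan = size_deployment(50_000)  # the guide's 50,000-endpoint example
    print(f"{plan['appliances']} x {plan['sku']}, "
          f"{plan['active_endpoints_per_appliance']:.0f} active endpoints each, "
          f"{plan['mbps_per_appliance']:.2f} Mbps each")
```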

Troubleshooting
This section addresses some of the issues that might be encountered while working with McAfee EIA.

Connectivity issues
This section covers the scenarios and solutions for connectivity issues.

To check if the connection between the ePO server and the NTBA Appliance is established
Run the show endpointintelligence summary command and check the ePO connection status and the ePO certificate status, as shown in
the following output:
[Endpoint Configuration and Status]
Endpoint Intelligence Service : Not Running
ePO Server IP : 0.0.0.0
Last ePO connection attempt : 2013-10-01 09:12:20
Last ePO connection status : Failed (ePO server not reachable)
ePO certificate : Not available

Alert throttling : Disabled
GTI file reputation server : Reachable
[Endpoint connections]
Total active endpoint connections : 22
Total packets received : 16884
Total packets sent : 778
Last packet received time : 2013-10-01 07:49:05
Last packet sent time : 2013-10-01 08:06:23
Last endpoint connected : 172.16.232.109
If there is a failure in downloading the ePO certificate, the reason is displayed for troubleshooting purpose.

If there is an issue with the SSL handshake

Run the show endpointintelligence details CLI command.
In the Packet processing stats section, check the session failure counters, as shown:
[Packet processing stats]
Total packets received : 17065
Total packets sent : 790
Total metadata flows : 16201
Total GTI file reputation requests : 6
Total GTI file reputation responses : 0
Total Sysinfo packets received : 789
Total keepalives received : 790
Total keepalives sent : 790
Total malformed packets : 0
Total unsupported packets : 0
Total packet send failures due to session not available : 0
Total connections : 46
Total active connections : 22
Total connection timeouts : 1
Total sessions : 23
Total session failures : 1
Total session failures due to certificate mismatch : 1
Total session failures due to timeouts : 1
Total session failures due to certificate mismatch indicates that McAfee EIA is not able to talk to NTBA and that endpoints are
using a different ePO certificate from what is available in NTBA. To resolve this, push the latest ePO certificate to NTBA using the
Manager interface.
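An added example (not McAfee code) that reads the output of show endpointintelligence details as reproduced above and turns the session-failure counters into the remedy the guide gives. The counter names are taken from the output shown on this page; the sample output is constructed.

```python
"""Parse the [Packet processing stats] block and flag SSL session failures.

Added example, not McAfee code. Only the counter names that appear in the
guide's sample output are used; any other numeric counters are parsed too.
"""
import re

# Constructed sample, shaped like the command output quoted in the guide.
# The [Endpoint connections] block is included to show that only the
# requested section is parsed.
SAMPLE_OUTPUT = """\
[Endpoint connections]
Total active endpoint connections : 22
Last endpoint connected : 172.16.232.109
[Packet processing stats]
Total packets received : 17065
Total packets sent : 790
Total metadata flows : 16201
Total connections : 46
Total active connections : 22
Total connection timeouts : 1
Total sessions : 23
Total session failures : 1
Total session failures due to certificate mismatch : 1
Total session failures due to timeouts : 1
"""

# "<counter name> : <integer>"; non-numeric lines (IP addresses, dates) are skipped.
LINE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>-?\d+)\s*$")


def parse_stats(text, section="[Packet processing stats]"):
    """Return {counter name: int} for the numeric counters under one [section] header."""
    stats, in_section = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == section
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def diagnose(stats):
    """Map the session-failure counters to the troubleshooting advice in the guide."""
    findings = []
    failures = stats.get("Total session failures", 0)
    mismatch = stats.get("Total session failures due to certificate mismatch", 0)
    timeouts = stats.get("Total session failures due to timeouts", 0)
    if mismatch > 0:
        findings.append(
            f"{mismatch} session failure(s) due to certificate mismatch: endpoints are using "
            "a different ePO certificate from the one on the NTBA; push the latest ePO "
            "certificate to the NTBA from the Manager interface")
    if timeouts > 0:
        # The guide attributes no specific remedy to this counter; report it only.
        findings.append(f"{timeouts} session failure(s) due to timeouts")
    if failures > 0 and mismatch == 0 and timeouts == 0:
        findings.append(f"{failures} session failure(s) with no attributed cause")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_stats(SAMPLE_OUTPUT)):
        print("-", finding)
```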

Critical faults
Critical faults are the highest severity faults and generally indicate a serious issue. See the Action column for potential
troubleshooting tips.

Critical faults

Fault: Endpoint Intelligence Service is down. The possible causes and the corresponding actions are:

Description/Cause: Endpoint Intelligence Service has not started as the ePO is not reachable.
Action: Make sure that the ePO server is up and running and is reachable from NTBA.

Description/Cause: Endpoint Intelligence Service has not started as the ePO extension does not support the auto-signing service.
Action: Make sure that the ePO server supports the ePO Auto Signing functionality (Change on Name confirmation).

Description/Cause: Endpoint Intelligence Service has not started because of an authentication error connecting to the ePO server.
Action: Provide valid ePO server credentials.

Description/Cause: Endpoint Intelligence Service has not started because of an internal error from the ePO server.
Action: The ePO server responded with an error; look at the ePO logs.

Description/Cause: Endpoint Intelligence Service has not started because of unexpected errors.
Action: Look at the ePO server and NTBA logs for the error, then try again.

Description/Cause: Endpoint Intelligence Service has not started because of a corrupt certificate.
Action: The certificate is invalid; retry saving it again.

Description/Cause: Endpoint Intelligence Service has not started because the configured port for Endpoint Intelligence Service is already in use.
Action: This port is already in use; configure an unused port.

If no data is seen in the Executables panel of the Endpoint Executables page
• Make sure the McAfee EIA service is running on the NTBA Appliance.
• Make sure that endpoint connections are being made to the NTBA Appliance.
• Check the ntba.log file by running the TOP_PROCESS query:
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - NBA Command ID -> 0
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - NBA Command Name -> TOP_PROCESS
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - Response returned from NBA Server
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - {message=OK, isXML=true, respcode=200, msgcode=0, data=<results> <proc p_id="172475594623937" p_hash="62880e4a7bd8d63aed832734836b4093" p_nm="HTMLayout" b_name="HTMLayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn="2013-08-26 23:00:00" l_sn="2013-08-26 23:00:00" host_cnt="1" con_cnt="2" /></results>, Id=4697, isPartial=false, code=200}
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - Response -> {message=OK, isXML=true, respcode=200, msgcode=0, data=<results> <proc p_id="172475594623937" p_hash="62880e4a7bd8d63aed832734836b4093" p_nm="HTMLayout" b_name="HTMLayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn="2013-08-26 23:00:00" l_sn="2013-08-26 23:00:00" host_cnt="1" con_cnt="2" /></results>, Id=4697, isPartial=false, code=200}
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - Response message text -> <results> <proc p_id="172475594623937" p_hash="62880e4a7bd8d63aed832734836b4093" p_nm="HTMLayout" b_name="HTMLayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn="2013-08-26 23:00:00" l_sn="2013-08-26 23:00:00" host_cnt="1" con_cnt="2" /></results>
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command -

This query returns the list of Top Executables from the NTBA Appliance.
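As an added example (not code from the guide or from McAfee), the following Python script parses ntba.log lines of the shape shown above and pulls the <proc> records out of the TOP_PROCESS response, so the executables reported by endpoints can be listed or checked from the log without reading the raw XML by hand. The sample log text is the excerpt shown above; the assumed log-line layout is timestamp, level, logger, " - ", message, and the set of attributes converted to integers is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Sample ntba.log lines, taken from the excerpt shown in the guide above
# (the dict-style "Response" line is kept to show that the parser skips it).
SAMPLE_LOG = """\
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - NBA Command ID -> 0
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - NBA Command Name -> TOP_PROCESS
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - Response returned from NBA Server
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - Response -> {message=OK, isXML=true, respcode=200, msgcode=0, data=<results> <proc p_id="172475594623937" p_hash="62880e4a7bd8d63aed832734836b4093" p_nm="HTMLayout" b_name="HTMLayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn="2013-08-26 23:00:00" l_sn="2013-08-26 23:00:00" host_cnt="1" con_cnt="2" /></results>, Id=4697, isPartial=false, code=200}
2013-08-27 10:51:10,019 INFO iv.core.nba.control.command - Response message text -> <results> <proc p_id="172475594623937" p_hash="62880e4a7bd8d63aed832734836b4093" p_nm="HTMLayout" b_name="HTMLayout.dll" s_name="" p_ver="3, 3, 2, 4" p_conf="5" p_cls="0" f_size="0" f_sn="2013-08-26 23:00:00" l_sn="2013-08-26 23:00:00" host_cnt="1" con_cnt="2" /></results>
"""

# Assumed line layout: timestamp, level, logger, " - ", free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - ?(?P<msg>.*)$"
)

RESPONSE_PREFIX = "Response message text -> "
# Attributes treated as integers (assumption based on the values in the excerpt).
INT_FIELDS = ("p_conf", "p_cls", "f_size", "host_cnt", "con_cnt")


def parse_log(text):
    """Yield (timestamp, level, logger, message) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            yield m.group("ts"), m.group("level"), m.group("logger"), m.group("msg")


def top_process_results(text, command="TOP_PROCESS"):
    """Return the <proc> records from the response to the named NBA command.

    The XML payload is read from the "Response message text" line that follows
    the "NBA Command Name -> <command>" line; count fields become ints.
    An empty list means no complete response for that command was logged.
    """
    seen_command = False
    for _ts, _level, _logger, msg in parse_log(text):
        if msg == f"NBA Command Name -> {command}":
            seen_command = True
        elif seen_command and msg.startswith(RESPONSE_PREFIX):
            root = ET.fromstring(msg[len(RESPONSE_PREFIX):])
            records = []
            for proc in root.iter("proc"):
                rec = dict(proc.attrib)
                for key in INT_FIELDS:
                    if key in rec:
                        rec[key] = int(rec[key])
                records.append(rec)
            return records
    return []


def executables_seen(text):
    """Hash-to-binary-name mapping of the executables reported by endpoints;
    a non-empty result means the Executables panel has data to display."""
    return {r["p_hash"]: r["b_name"] for r in top_process_results(text)}


if __name__ == "__main__":
    for rec in top_process_results(SAMPLE_LOG):
        print(rec["b_name"], rec["p_hash"], "hosts:", rec["host_cnt"], "conns:", rec["con_cnt"])
```

Run it against a copy of ntba.log: an empty result for TOP_PROCESS points at the first two checks in the list above (EIA service not running, or no endpoint connections), while records with host_cnt of zero indicate the server answered but no endpoint has reported the executable.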



Data not seen on Manager
This section covers scenarios when there is data mismatch or unavailability in the Manager.

Integrating with McAfee Global Threat Intelligence


The Global Threat Intelligence data is powered by the McAfee Global Threat Intelligence correlation engine, which receives and analyzes billions of queries per month from McAfee's network of Sensors deployed to protect consumer and enterprise network traffic across 120 countries globally, collecting and correlating threat data for URLs, IP addresses, domains, and content.
McAfee GTI assigns a reputation score and further classifies network identities and content with a risk level, based on an in-depth analysis derived by processing thousands of behavior attributes to profile each network traffic sender, website, domain, or content.
McAfee GTI is the first and only reputation system to combine traffic data, routing, IP/domain registration data, and network characteristics with the unparalleled breadth of McAfee's global customer base.
You can view the McAfee GTI portal data for a selected endpoint from the right-click options in the Traffic Volume (Bytes) - Top Source
Endpoints, Endpoint Threat Factor, and Endpoints - New (Last 1 day) NTBA monitors.
McAfee GTI integration needs to be configured in the Manager (Devices → <Admin Domain Name> → Global → NTBA Device Settings → Zone
Settings → IP Reputation) for viewing McAfee GTI information in NTBA monitors.
Before configuring McAfee GTI integration with NTBA, participation in Global Threat Intelligence needs to be enabled at Manager →
Integration → GTI.

McAfee GTI Details page

Note: Firewall port 443 (used for McAfee GTI queries) and port 80 (used for the McAfee GTI database download) should be open for McAfee GTI information to be displayed in the NTBA monitors.
The NTBA Appliance performs endpoint look-ups through NetBIOS or DNS, so NetBIOS and DNS traffic originating from the NTBA Appliance is normal.
For more information on configuring McAfee GTI integration in the Manager, see the McAfee Network Security Platform Integration Guide.



Integrating with McAfee Logon Collector
The Manager can display a variety of information about the endpoints inside and outside a network.
The Manager integrates with McAfee Logon Collector (MLC) to display user names of the endpoints in your IPS and NTBA
deployments. The Logon Collector provides an out-of-band method to obtain user names from the Active Directories.
For more information, refer to the McAfee Network Security Platform Integration Guide.



NTBA Monitors and Reports

Monitoring networks
Monitoring of networks is a complex process. The process involves monitoring of network components consisting of network
devices and the traffic that flows through such devices.
Monitoring of network devices is essential as it has a direct impact on decisions regarding optimal use of network resources, and
tailored allocation of available bandwidth.
The ability to monitor network traffic in real time provides the inputs needed to take critical decisions that address the economic
and security concerns of an enterprise. This is more so when the network is spread across different geographical locations with
distributed applications.
McAfee® Network Threat Behavior Analysis (NTBA) Appliance effectively addresses these concerns and provides several options
of network monitoring that can be tailored by an enterprise to suit its requirements.

How NTBA Appliance helps network monitoring


The McAfee NTBA Appliance provides a graphic configurable real-time view of the network traffic.
The NTBA Appliance gathers flow and application data from across users, applications, endpoints, devices, and stores them in an
embedded database.
You can see real-time data and a moving profile of the typical behavior of users, applications, endpoints, and devices. All this
information is coalesced into the Attack Log that can be drilled down for more detailed information.
Typical activities such as endpoint scans, port scans, worm detection, new service / application, new endpoint, suspicious connection, DoS, P2P, and spambots can be tracked based on user-defined policies.
Real-time monitoring of the network reduces the time needed to solve network-related problems and helps in identifying threats.
Questions such as why the network is slow, or which application has the maximum download impact, are easily answered in a network that is monitored by the NTBA Appliance.
The NTBA Appliance performs effective malware monitoring by detecting unauthorized reconnaissance scanning by infected laptops in the network that can spread worm traffic. The NTBA Appliance also detects unauthorized applications, rogue web servers, and peer-to-peer applications.
If McAfee GTI integration is enabled in the Manager, relevant NTBA monitor options provide access to McAfee GTI portal data.
This data is powered by McAfee GTI global threat correlation engine that receives and analyzes billions of queries per month
from a network of McAfee Sensors deployed to protect consumer and enterprise network traffic across 120 countries globally,
collecting and correlating threat data for URLs, IP addresses, domains, and content.

Endpoint Threat Factor


The NTBA Appliance maintains a threat factor per endpoint in the network by correlating endpoint behavior with alerts raised on
the endpoint. This threat factor is called the Endpoint Threat Factor.
The NTBA Appliance calculates traffic profiles for every endpoint on the network by calculating and summarizing endpoint
behavior into behavior indexes.
Behavior indexes are calculated by comparing an endpoint's behavior over a period with its average behavior over a larger period.
The behavior index is maintained in the database along with the metrics and other data for every endpoint as its "traffic profile."
When an alert is raised for the endpoint, the alert level is combined with the current behavior index to generate a threat factor
for the endpoint.
The Endpoint Threat Factor is an index, which ranges from zero to 10, including fractional values.
The Endpoint Threat Factor is aged automatically if an endpoint no longer raises alerts (for example, after it was quarantined following a critical alert and its behavior subsequently returned to normal). In such a situation, the NTBA Appliance brings the behavior index of the endpoint to zero as soon as the endpoint behavior approaches its average behavior. If an endpoint shows no anomalous behavior for long periods, its behavior risk factor remains at, or decreases to, zero, which is the normal Endpoint Threat Factor value for a benign endpoint. The Endpoint Threat Factor has the following color-coded threat ranges:
• Less than Six (Low/Medium Threat) — YELLOW
• Greater or equal to Six (High Threat) — ORANGE
• Greater or equal to Nine (Critical Threat) — RED
• Equal to Zero — GREEN
The Endpoint Threat Factor values for the endpoints in the network are displayed in the Endpoint Threat Factor monitor.

NTBA Monitors
The Dashboard page displays the following NTBA security monitors:
• Top Applications (NTBA)
• Top Destinations
• Top Files
• Top Sources
• Top URLs
• Top Endpoint Executables

Top Applications (NTBA)


The Top Applications (NTBA) monitor enables you to view the top applications seen in the network based on bytes or connections.

Top Applications (NTBA)

If multiple NTBA devices are configured, select the NTBA device for which you want to view the data from the first drop-down list.
The following options are available in the monitor's second drop-down list to view the top applications based on zones.
• All Zones - top applications based on all zones.
• Default Inside Zone - top applications based on inside zones.
• Default Outside Zone - top applications based on outside zones.
The following options are available in the monitor's third drop-down list to view the top applications based on risk levels.
• Any Risk - top applications with any risk level.
• High Risk - top applications with high risk level.
• Medium+Risk - top applications with medium and above risk level.
• Unverified Risk - top applications with risks that are not verified.
The fourth drop-down list lets you view the top applications based on Bytes or Connections.
Click a bar in the monitor to go to the Threat Explorer page, where more details on the application are displayed.



Top Destinations
The Top Destinations monitor enables you to view the top destination IP addresses identified in the network based on bytes or
connections.

Top Destinations

If multiple NTBA devices are configured, select the NTBA device for which you want to view the data from the first drop-down list.
The following options are available in the monitor's second drop-down list to view the destination IP addresses based on zones.
• All Zones - top destination IP addresses based on all zones.
• Default Inside Zone - top destination IP addresses based on inside zones.
• Default Outside Zone - top destination IP addresses based on outside zones.
The third drop-down list lets you view the destination IP addresses based on Bytes or Connections.
Click a bar in the monitor to go to the Threat Explorer page, where more details on the destination IP address are displayed.

Top Files
The Top Files monitor enables you to view the files that are most used in the network based on bytes or connections.

Top Files

If multiple NTBA devices are configured, select the NTBA device for which you want to view the data from the first drop-down list.
The following options are available in the monitor's second drop-down list to view the files that are most used in the network
based on zones.
• All Zones - top files based on all zones.
• Default Inside Zone - top files based on inside zones.
• Default Outside Zone - top files based on outside zones.



The following options are available in the monitor's third drop-down list to view the files that are most used in the network based
on malware confidence level.
• Any Malware Confidence - files with any malware confidence level.
• Very High Malware Confidence - files with very high malware confidence level.
• High+Malware Confidence - files with malware confidence level as high and above.
• Medium+Malware Confidence - files with malware confidence level as medium and above.
• Low+Malware Confidence- files with malware confidence level as low and above.
• Very Low+Malware Confidence- files with malware confidence level as very low and above.
Click a bar in the monitor to go to the Threat Explorer page, where more details on the file are displayed.

Top Sources
The Top Sources monitor enables you to view the top source IP addresses identified in the network based on bytes or
connections.

Top Sources

If multiple NTBA devices are configured, select the NTBA device for which you want to view the data from the first drop-down list.
The following options are available in the monitor's second drop-down list to view the source IP addresses based on zones.
• All Zones - top source IP addresses based on all zones.
• Default Inside Zone - top source IP addresses based on inside zones.
• Default Outside Zone - top source IP addresses based on outside zones.
The third drop-down list lets you view the source IP addresses based on Bytes or Connections.
Click a bar in the monitor to go to the Threat Explorer page, where more details on the source IP address are displayed.

Top URLs
The Top URLs monitor enables you to view the most accessed URLs in the network based on bytes or connections.



Top URLs

If multiple NTBA devices are configured, select the NTBA device for which you want to view the data from the first drop-down list.
The following options are available in the monitor's second drop-down list to view the top URLs based on zones.
• All Zones - top URLs based on all zones.
• Default Inside Zone - top URLs based on inside zones.
• Default Outside Zone - top URLs based on outside zones.
The following options are available in the monitor's third drop-down list to view the top URLs based on risk levels.
• Any Risk - URLs with any risk level.
• High Risk - URLs with high risk level.
• Medium+Risk - URLs with medium and above risk level.
• Unverified Risk - URLs with risks that are not verified.
Click a bar in the monitor to go to the Threat Explorer page, where more details on the URL are displayed.

Top Endpoint Executables


The Endpoint Executables monitor enables you to view the top endpoint executables based on attacks and endpoints.
If multiple NTBA devices are configured, select the NTBA device for which you want to view the data from the first drop-down list.
The following options are available in the monitor's second drop-down list to filter the top endpoint executables by malware confidence level.
• Any Malware Confidence - endpoint executables with any malware confidence level.
• Very High Malware Confidence - endpoint executables with very high malware confidence level.
• High+Malware Confidence - endpoint executables with malware confidence level as high and above.
• Medium+Malware Confidence - endpoint executables with malware confidence level as medium and above.
• Low+Malware Confidence- endpoint executables with malware confidence level as low and above.
• Very Low+Malware Confidence- endpoint executables with malware confidence level as very low and above.
The following additional options are available in the monitor's third drop-down list to filter the top endpoint executables by classification.
• Any classification - endpoint executables with any classification.
• Blocked - endpoint executables that are blocked.
• Unclassified - endpoint executables that are unclassified.
• Allowed - endpoint executables that are allowed.
Click a bar in the monitor to go to the Threat Explorer page, where more details on the endpoint executables are displayed.



Monitoring traffic in NTBA Appliance
You can monitor traffic per NTBA Appliance to check if traffic is going through the device, zone, or its exporter's interface.

Task
1. Select Devices → Devices → <NTBA Appliance> → Troubleshooting → Traffic Throughput.
The Traffic Throughput page is displayed. By default Device is selected.

Traffic throughput for NTBA Appliances

2. Select Device to generate a bar graph showing the total bytes observed in each direction for the last hour.
3. Select Zones to display the throughput for each zone in each direction with the time when the last packet was seen on that
zone.
You can use the Search field to search by a particular zone of the device.
4. Select Exporters to display the combination of exporter and interface, its line speed, and the utilization percentage in each
direction.
You can use the Search field to search by a particular zone of the device.

NTBA Denial-of-Service alerts


The NTBA DoS alerts in the Attack Log are grouped under the Volume DoS category. The attacks listed against Volume DoS alerts are of two kinds: volume anomaly attacks and threshold anomaly attacks.

Volume DoS alerts for volume anomaly attacks


The volume anomaly attacks listed as alerts in the Attack Log are detected with reference to DoS profiles. They are anomalies in the volume of traffic relative to the Endpoint DoS Profiles and Zone DoS Profiles.
If the rate sample for any short-term observation in a bin of a DoS profile significantly exceeds the corresponding long-term rate sample, for a duration that the NTBA Appliance determines to be significant, an alert is raised in the Attack Log.



Volume DoS anomaly attack alert listed in the Attack Log

You can double-click an attack listed in the Attack Log to view the page in the <Attack Name> panel on the right hand side.
The alert details for a Volume DoS anomaly alert reflect the sample rate distribution at the time the alert was raised.
In the following illustration, the packet rate observed at the time that the alert was raised was 12.43 packets/sec.

NTBA volume DoS anomaly alert details

Volume DoS alerts for threshold anomaly attacks


Threshold anomaly attack alerts are listed under Volume DoS alerts if the threshold set for an attack in the NTBA Policy Editor is exceeded for longer than the set threshold interval.
Threshold anomaly attack alerts are listed against the Volume DoS category in the Attack Log.



Volume DoS threshold alert listed in the Attack Log

Note: The Quarantine option is also supported for threshold-based anomaly attacks on endpoints.
The Alert Details for a Volume DoS threshold alert list the details of the alert.
In the following illustration, the Alert Details page shows both the set threshold value and the observed value.

Volume DoS threshold attack alert details

Note: Policies that contain set values for anomaly attacks and threshold attacks need to be applied to an NTBA Appliance and
NTBA zones for alerts to be raised in the Attack Log.
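As an added illustration (not code from the guide or from the NTBA product), the following Python model applies the two Volume DoS alert kinds described above to a constructed per-bin packet-rate series: a volume anomaly compares each short-term bin against the corresponding bin of the long-term profile, and a threshold anomaly compares against the fixed threshold from the policy. The ratio that counts as "significant", the number of consecutive bins that counts as a significant duration, the threshold interval expressed in bins, and the sample rates are all assumptions; the guide does not state the NTBA Appliance's actual significance test.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class DosAlert:
    kind: str         # "volume_anomaly" or "threshold_anomaly"
    bin_index: int    # index of the bin in which the alert fires
    observed: float   # short-term rate sample in that bin
    reference: float  # long-term rate sample (volume) or configured threshold


def volume_anomaly_alerts(short_term: Sequence[float], long_term: Sequence[float],
                          ratio: float = 3.0, min_bins: int = 3) -> List[DosAlert]:
    """Volume anomaly: a bin's short-term rate exceeds the corresponding long-term
    rate significantly, for a significant duration. Modelled here (assumption) as
    observed > ratio * baseline for min_bins consecutive bins."""
    if len(short_term) != len(long_term):
        raise ValueError("short-term and long-term profiles must have the same number of bins")
    alerts, streak = [], 0
    for i, (observed, baseline) in enumerate(zip(short_term, long_term)):
        if observed > ratio * baseline:
            streak += 1
            if streak == min_bins:   # fire once per sustained excursion
                alerts.append(DosAlert("volume_anomaly", i, float(observed), float(baseline)))
        else:
            streak = 0               # a brief spike does not accumulate
    return alerts


def threshold_anomaly_alerts(rates: Sequence[float], threshold: float,
                             interval_bins: int = 2) -> List[DosAlert]:
    """Threshold anomaly: the fixed threshold from the policy is exceeded for the
    whole threshold interval, modelled as interval_bins consecutive bins (assumption)."""
    alerts, streak = [], 0
    for i, observed in enumerate(rates):
        if observed > threshold:
            streak += 1
            if streak == interval_bins:
                alerts.append(DosAlert("threshold_anomaly", i, float(observed), float(threshold)))
        else:
            streak = 0
    return alerts


# Constructed sample: packets/sec per one-minute bin for one endpoint.
# The long-term profile is flat at 10 pkt/s; the short-term series has one brief
# spike in bin 5 (must not alert) and a sustained flood from bin 12 onwards.
SAMPLE_LONG_TERM = [10.0] * 18
SAMPLE_SHORT_TERM = [9, 10, 11, 10, 9, 35, 11, 10, 9, 10, 11, 10] + [50] * 6


def run_sample():
    """Evaluate both alert kinds over the constructed sample."""
    volume = volume_anomaly_alerts(SAMPLE_SHORT_TERM, SAMPLE_LONG_TERM)
    threshold = threshold_anomaly_alerts(SAMPLE_SHORT_TERM, threshold=40)
    return volume, threshold


if __name__ == "__main__":
    volume, threshold = run_sample()
    for alert in volume + threshold:
        print(f"{alert.kind}: bin {alert.bin_index}, observed {alert.observed} pkt/s, "
              f"reference {alert.reference} pkt/s")
```

The two detectors differ in what they compare against: the volume detector needs a learned profile and so only fires once the endpoint or zone has a baseline, while the threshold detector fires against a value an administrator chose, which is why the guide notes that the policy carrying those values must be applied to the appliance and its zones before either alert can appear.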

Viewing NTBA reports


The Reports page of the Manager enables generation of Traditional and Next Generation reports on the data generated by the NTBA
Appliances.

Configuration reports
The Configuration reports display information specific to an admin domain or NTBA Appliance with reference to the time at which
the report is generated. The output choices are HTML, PDF, Save as CSV and Save as HTML.



Generate Device Summary report
The Device Summary report contains information regarding all the IPS, Virtual IPS, NTBA, and Virtual NTBA devices configured. It
provides a summary of information per device irrespective of the number of similar Sensor models configured. The device count
provides a summarized count of all the devices configured.
To generate a Device Summary report, do the following:

Task
1. Click the Manager tab.
2. Select <Admin Domain Name> → Reporting → Configuration Reports → Device Summary.
3. Select the Output Format.
4. Click Submit.
The field descriptions in this report are as follows:
Summary
◦ Device model — Provides the Sensor models configured
◦ Count — Displays a summarized count of the similar Sensor models
Sensor Name (IPS, Virtual IPS, NTBA, Virtual NTBA)

Field Name: Description (Applies to: Sensor model)

Name: Displays the name of the Sensor. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Model: Displays the Sensor model number. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Serial Number: Displays the serial number specified on the physical Sensor. (Applies to: IPS, NTBA, Virtual NTBA)
Software Version: Displays the current software version configured on the Sensor. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Contact Information: Displays the contact information provided by the user at the time of configuration of the Sensor. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Location: Displays the geographical location provided by the user at the time of configuration of the Sensor. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Updating Mode: Displays the mode of configuration update for the Sensor. It can be updated online or offline. (Applies to: IPS, Virtual IPS)
Signature Version: Displays the current signature version configured on the Sensor. (Applies to: IPS, Virtual IPS)
Hardware Version: Displays the current hardware version running on the Sensor. (Applies to: IPS)
Gateway Anti-Malware DAT Version: Displays the current version of the Gateway Anti-Malware DAT file. (Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA)
Gateway Anti-Malware Engine Version: Displays the current version of the Gateway Anti-Malware Engine. (Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA)
Anti-Virus DAT Version: Displays the current version of the Anti-Virus DAT file. (Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA)
Anti-Malware Engine Version: Displays the current version of the Anti-Malware Engine. (Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA)
IP Address Connected to the Manager: Displays the IP address used by the Sensor to connect with the Manager. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Subnet Mask: Displays the subnet mask IP address. (Applies to: IPS, Virtual IPS)
Default Gateway: Displays the IP address of the default gateway. (Applies to: IPS, Virtual IPS)
Up Time: Displays the time period from when the Sensor started running. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Last Reboot: Displays the date and time of the previous reboot. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
Last Signature Set Update: Displays the date and time of the previous signature set update. (Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA)
FIPS Mode: Displays if FIPS mode is enabled or disabled. (Applies to: IPS, Virtual IPS)

View NTBA Appliance reports


The NTBA Appliance report displays information on the selected NTBA Appliance. Information includes device name, serial
number, port configuration, flow information, general settings, IP settings to the interfaces, exporters settings, SNMP settings, list
of NTBA interfaces, list of inside zones, list of outside zones, and zone elements.
Follow this procedure to view the NTBA Appliance report:

Task
1. Select Manager → <Admin Domain Name> → Reporting → Configuration Reports.
The Configuration Reports page is displayed.
2. Click the NTBA Appliance link.
The NTBA Appliance report page with the configuration options is displayed.

NTBA Appliance report page

3. Configure the following:
◦ Select the device for which you want to generate the report from the Device field.
◦ Select the required checkboxes against Device Information, Port Configuration, NTBA Configuration, and Zone.
◦ Select the required Output Format from the Output Format drop-down list.
◦ Click Submit.
For the selected admin domain, the NTBA Appliance report displays the following device configuration details:
a. NTBA Appliance Information for <Device Name>



i. Device Name
ii. Serial Number
iii. Contact Information
iv. Location
v. Model
vi. Software Version
vii. IP Address
viii. Up Time
ix. Last Reboot
x. Last Signature Set Update
b. Current NTBA Port Configuration for device <Device Name>
c. Port Settings
i. Port #
ii. Port Type
iii. Configuration
iv. Speed
v. Duplex
vi. Administrative Status
vii. Operational Status
d. Flow Information
i. Flow Protocol Supported
e. Proxy Server Settings
i. Use Parent Settings?
ii. Use Proxy Server?
iii. Proxy Server Name or IP Address
iv. Port Number
v. User Name
vi. Test URL
f. NTBA General Settings
i. Use Global Settings?
ii. NTBA listening port for flow records
iii. Enable De-duplication?
g. IP Settings to the NTBA interfaces
i. IP Address
ii. Network Mask
iii. Gateway IP
h. Exporters
i. Name
ii. IP Address
iii. Type
iv. Enabled
v. Description
vi. Flow Type and Version
i. SNMP Settings for exporter <Device Name>
i. Use Global Settings?
ii. UDP Port
iii. SNMP Version
iv. Read-Only Community String
v. SNMP Polling Interval Time
j. List of NTBA-ready Interface
i. Enabled
ii. Name
iii. Type
iv. External?



v. Description
k. SNMP Settings for exporter
i. Use Global settings?
ii. UDP Port
iii. SNMP Version
iv. Read-Only Community String
v. SNMP Polling Interval Time
l. List of NTBA-ready Interface
i. Enabled
ii. Name
iii. Type
iv. External?
v. Description
m. Summary of list of inside zones
i. Name
ii. Description
n. Summary of list of outside zones
i. Name
ii. Description
o. Zone elements of inside Zones
i. Zone
ii. Element
iii. Type
p. Zone elements of outside Zones
i. Zone
ii. Element
iii. Type

View NTBA Configuration Summary reports


The NTBA Configuration Summary report displays information on NTBA Appliance configuration. The settings include spambot
detection, Manager Presentation, services, collector details, and exporter settings.

Task
1. Select Manager → <Admin Domain Name> → Reporting → Configuration Reports.
The Configuration Reports page is displayed.
2. Click NTBA Configuration Summary link.
The NTBA Configuration Summary report page with the configuration options is displayed.

NTBA Configuration Summary report page

3. Configure the following:
◦ Select the Admin Domain for which you want to generate the report from the drop-down list.
Note: The admin domain selected in the left pane has no impact on the reports generated. The Admin Domain drop-down list
is explicitly to filter the reports that are generated.
◦ Select the Output Format from the drop-down list.
◦ Click Submit.
For the selected Admin Domain, the NTBA Configuration Summary report is displayed with the following configuration details:



a. Spambot Detection
i. Email Domain
b. Manager Presentation
i. The Value of N in Top N lists
ii. Consider Endpoints/Protocols "New" if Seen for First Time Within (days)
iii. Consider Endpoints/Protocols "New" if Seen for First Time With Reference Days As (days)
iv. Consider Endpoints/Protocols "Active" if Seen for First Time Within (days)
c. Service
i. Name
ii. Enable
iii. Service Details
d. Collector Details
i. Listen for flow information on UDP Port
ii. Enable De-duplication
iii. Primary Name Server
iv. Secondary Name Server
v. Refresh Interval (hours)
e. Exporter Settings
i. UDP Port
ii. SNMP Version
iii. Read Only Community String
iv. SNMP Polling Interval Time

Next generation reports


The Next Generation reports display network-wide information with data options for generating queries for a day, between two
dates, or during the past month(s), week(s), day(s) or hour(s).

Run a Next Generation Default report


The Next Generation reports display network-wide information with data options for generating queries for a day, between two
dates, or during the past months, weeks, days, or hours.

Next Generation Saved Reports



Default - Top URLs Accessed report
This report shows the most accessed URLs by hosts in the network during the selected period.

Access Count: Displays the number of times the URLs were accessed.
URL: Displays all the URLs accessed.
URL Category: Displays the URL categories, for example, Business, Games, Search Engine.
URL Reputation: Displays the reputation score (risk factor) of the URLs.
Country: Displays the country the URLs originate from.

Default - Top URLs by Reputation report


This report shows the list of URLs sorted by reputation during the selected period.

URL Reputation: Displays the reputation score (risk factor) of the URLs.
URL: Displays all the URLs accessed.
URL Category: Displays the category of the URLs, for example, Business, Games, Search Engine.
Country: Displays the country the URLs originate from.
Access Count: Displays the number of times the URLs were accessed.

Default - Top URL Categories report


This report shows the most accessed URL categories during the selected period.

URL Count: Displays the number of times the URLs were accessed.
URL Category: For each category, the following data is displayed:
• URL - Displays all the URLs accessed.
• URL Reputation - Displays the reputation score (risk factor) of the URLs.
• Country - Displays the country the URLs originate from.



Default - Top 10 Endpoint Executables
This report displays the list of Top 10 endpoint executables based on the filters used. This report shows the Summary data such
as the total number of endpoints using the executable, the number of connections created via the executable, and the number
of events raised by the executable.
To run this report, select Analysis → Event Reporting → Next Generation Reports → Default - Top 10 Endpoint Executables.
The available filters are admin domain, application, classification, device, executable name, malware confidence, and time
interval.

Field descriptions of Top 10 Endpoint Executables report

Executable: Displays the file hash, name, and version of the executable
Malware Confidence: Displays the malware confidence of the executable. Malware confidence values are very high, high, medium, low, very low, and unknown
Classification: Displays the executable classification, whether blocklisted, allowlisted, or unclassified
First Seen: Displays when the executable was first reported by the endpoint to the NTBA Appliance
Last Seen: Displays when the executable was last reported by the endpoint to the NTBA Appliance
Counts: Displays the number of endpoints running the executables, the events triggered by the executable, and the number of connections made by the endpoint
Comment: Displays the comments you have entered

Default - Endpoint Executable Details


This report displays a detailed view of the executables selected as part of the filter criteria. To run this report, select Analysis →
Event Reporting → Next Generation Reports → Default - Endpoint Executable Details.
The available filters are admin domain, device, and executable name.
Note: You must select an executable name to generate this report.

Field descriptions of Endpoint Executables Details report

Endpoint Executable Details: Displays the file hash, name, version, malware confidence, and classification of the executable, the time when the executable was first seen and last seen as reported by the endpoint to the NTBA Appliance, the number of endpoints running the executable, the events triggered by the executable, the number of connections made by the endpoint, and comments.
Properties for Executable: Displays the binary type, classifier, and classified details
Malware Indicators for Executable: Displays the methods that were used to compute the executable reputation
Libraries Invoked by Executable: Displays all the libraries (DLLs) invoked by the executable
Endpoints that have run Executable: Displays information on the endpoints that have run the executable

Default - Top Files Accessed report


This report shows the most accessed files in the network during the selected period.

Field Description

Access Count Displays the number of times the files were accessed.

File Name Displays the name of the files accessed.

File Path Displays the path of the files accessed.

Default - Top Most Recently-Active Endpoints report


This report shows the endpoints most recently active on the network.

Field Description

Last Seen Displays when the endpoints were last seen on the network.

Endpoint IP Displays the IP address of the endpoints.

Hostname Displays the hostname of the endpoints.

Zone Displays the zone names.

ETF Displays the threat factor value of the endpoints. See also,
Endpoint Threat Factor.

Default - Top Endpoint Summary report


This report shows the summary detail for endpoints in the network during the selected period.

Field Description

Last Activity Time Displays the last activity time of the endpoints.

Endpoint IP Displays the IP address of the endpoints.

Hostname Displays name of the endpoints.


Zone Displays zone name of the endpoints.

Applications Displays the list of application names, for example, HTTP, Gmail, eDonkey.

Active Connections Displays the number of active connections to the endpoints.

ETF Displays the threat factor value of the endpoints. See also,
Endpoint Threat Factor.

Default - Top Endpoints by Bandwidth Usage report


This report shows endpoints sending/receiving the most bytes in the network during the selected period.

Field Description

Total Bytes Displays the traffic volume in bytes.

Endpoint IP Displays the IP address of the endpoints.

Hostname Displays name of the endpoints.

Zone Displays zone name of the endpoints.

ETF Displays the threat factor value of the endpoints. See also,
Endpoint Threat Factor.

In Bytes Displays the inbound traffic volume in bytes.

Out Bytes Displays the outbound traffic volume in bytes.

Default - Top Endpoints by GTI Reputation report


This report shows the endpoints with the highest GTI reputation in the network during the selected period.

Field Description

Reputation Displays the reputation of the endpoints.

Endpoint IP Displays IP address of the endpoints.

Hostname Displays the name of the endpoints.

Country Displays the country of the endpoints.

Zone Displays the zone name of the endpoints.



Default - Top Endpoints by Threat Factor report
This report shows the endpoints sorted by Threat Factor during the selected period.

Field Description

ETF Displays the threat factor value of the endpoints. See also,
Endpoint Threat Factor.

Endpoint IP Displays the IP address of the endpoints.

Hostname Displays the name of the endpoints.

Zone Displays the zone name of endpoints.

In Bytes Displays the inbound traffic in bytes.

Out Bytes Displays the outbound traffic in bytes.

Total Bytes Displays the traffic volume in bytes.

Default - Top New Applications Seen report


This report shows the applications that are new on the network during the selected period.

Field Description

First Seen Displays the first seen time of the applications.

App Name Displays the application names, for example, HTTP, Gmail,
eDonkey.

Last Seen Displays the last seen time of the applications.

Default - Top New Services Seen report


This report shows services that are new on the network during the selected period.

Field Description

First Seen Displays the first seen time of the services.

Service Name Displays the service names, for example, ftp (tcp), dns (udp).

Last Seen Displays the last seen time of the services.

Default - Top New Endpoints Seen report


This report shows the endpoints that are new on the network during the selected period.



Field Description

First Seen Displays the first seen time of the endpoints.

Endpoint IP Displays the IP address of the endpoints.

Hostname Displays the name of the endpoints.

Zone Displays the zone name of the endpoints.

ETF Displays the threat factor value of the endpoints. See also,
Endpoint Threat Factor.

Default - Top Services by Bandwidth Usage report


This report shows the services consuming the most bandwidth (bytes) in the network during the selected period.

Field Description

Total Bytes Displays the traffic volume in bytes.

Service Name Displays the service names, for example, ftp (tcp), dns (udp).

In Bytes Displays the inbound traffic volume in bytes.

Out Bytes Displays the outbound traffic volume in bytes.

In Packets Displays the inbound packets on the network.

Out Packets Displays the outbound packets on the network.

Total Packets Displays the total packets on the network.

Default - Top Applications by Bandwidth Usage report


This report shows applications consuming the most bandwidth (bytes) in the network during the selected period.

Field Description

Total Bytes Displays the traffic volume in bytes.

App Name Displays the application being accessed.

In Bytes Displays the inbound traffic volume in bytes.

Out Bytes Displays the outbound traffic volume in bytes.

In Packets Displays the inbound packets in the network.

Out Packets Displays the outbound packets in the network.

Total Packets Displays the total packets in the network.



Default - Top Most Recent Connections report
This report shows a summary of the most recent connections in the network during the selected period.

Field Description

Time Displays the time of connections.

Src IP Displays the IP address of the source hosts.

Dst IP Displays the IP address of the destination hosts.

Src Port Displays the source port of the hosts.

Dst Port Displays the destination port of the hosts.

App Displays the application, service, or protocol name of the connection.

Total Bytes Displays the traffic volume in bytes.

Total Packets Displays the total packets of the connection.

URLs Displays the URLs seen in the connection.

File Names Displays the file names seen in the connection.

Default - Top 10 Exporter Interfaces report


This report lists the Exporter interfaces with the highest traffic during the selected period.

Field Description

Total Bytes (packets) Displays the total traffic volume in bytes (or packets).

Interface Name Displays the name of the interface.

In Bytes (packets) Displays the inbound traffic in bytes (or packets).

Out Bytes (packets) Displays the outbound traffic in bytes (or packets).

Avg Bytes (packets) Displays the average traffic in bytes (or packets).

Max Bytes (packets) Displays the maximum traffic in bytes (or packets).

Default - Top Conversations report


This report lists the conversations with the highest traffic volume during the selected period.



Field Description

Total Bytes Displays the traffic volume in bytes.

Src IP Displays the IP address of the source hosts.

Dest IP Displays the IP address of the destination hosts.

Service Displays the service names, for example, ftp (tcp), dns (udp).

In Bytes Displays the inbound traffic in bytes.

Out Bytes Displays the outbound traffic in bytes.

Create a Next Generation duplicate report


You can create duplicate reports of the Default Next Generation reports. You can then edit the parameters to suit your
requirements.

Task
1. On the Manager home page, click Analysis.
2. Select Event Reporting → Next Generation Reports.
3. From the Saved Reports list, select a Next Generation default report and click Duplicate.
The Duplicate Next Generation Report page is displayed.

Duplicate Next Generation Report page

4. Enter the name and description (mandatory fields), then click OK.
The duplicate report is displayed in the Saved Reports section.
5. Click Edit to change the parameters.
The Data Source page is displayed.

Data Source page

6. Select a row in the left pane to view the Data Fields options.
7. Click Save.
8. On the Save Query page, enter a name and description for the query.
9. Click Next.
The Select Recipients page is displayed.
10. Click New to add a recipient.
11. Click Finish to complete the process.

Run Next Generation User Defined report


You can create a new report with a choice of data source, presentation, and filter.

Task
1. On the Manager home page, click Analysis.
2. Select Event Reporting → Next Generation Reports.
3. Click New.
4. Select a data source for the report. Data sources represent the database tables from which the report information is retrieved.
5. Click New.
6. Select how the report is displayed: table, bar chart, or pie chart.
The Display Options page is displayed.

Display Options page

7. Select the columns that you want to include in the report by selecting rows in the left pane.
8. Select a row in the left pane to view the data filter options.
You can refine the filters for the fields of the data source selected in step 4 from the Data Filter options. Use the + and - options to add or
delete conditions.



When you finish the selections, you can save your report query by clicking Save. You can also run the report directly without
saving by clicking the Run Once option.
9. On the Save Query page, enter a name and description for the query.
10. Click Finish to save the query.
The report is saved and displayed in the Saved Reports section of the Next Generation page.
11. Select the report, then click Run Once.
12. In Run Query, enter the data options and the report format.
13. Click Run to run the report query. The generated report is displayed in the selected report format.
If there are no alerts, only the table is displayed.
After the User Defined Report is saved, you cannot change its data source.
Note: The New option is not supported for NTBA Generated Reports. You can either run it or duplicate and modify some of the
conditions in the query.

Run Next Generation default report


Task
1. Select Analysis → Event Reporting → Next Generation Reports.
The Next Generation Saved Reports page is displayed. The available reports are listed in the left pane.
2. Select the report that you want to run among those listed in the Saved Reports pane.
For example, select Default - Attack Destination Reputation Summary report in the left pane. The details of the report are listed in the
right pane.

Next Generation Saved reports

3. Click Run.
The Run Report page is displayed.



Run Report page

4. Select the Date options: query for a single day, between two dates, or for a specified period (a number of months, weeks, days, or hours).
5. Select the Report Format: HTML, PDF Portrait, PDF Landscape, Save as CSV, or Save as HTML.
6. Click Run.
For the HTML and PDF options, the report is displayed in the Manager. For Save as CSV and Save as HTML, use the File Download option
to save the report.
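The Save as CSV option is the hand-off point from the Manager to your own tooling. What follows is an added example, not McAfee code, that reads a CSV export of the Default - Top Endpoints by Threat Factor report and ranks the endpoints worth a closer look: it flags a high ETF and, separately, an upload-heavy traffic shape that the report's In Bytes and Out Bytes columns make visible. It assumes the export's header row uses the field names listed for that report in this guide (ETF, Endpoint IP, Hostname, Zone, In Bytes, Out Bytes, Total Bytes); if the real export differs, adjust REQUIRED. The sample rows are constructed.

```python
"""Added example (not McAfee code): triage a CSV export of the
'Default - Top Endpoints by Threat Factor' report.

Assumption: the CSV header uses the report's field names exactly as listed
in this guide. The real export layout may differ; adjust REQUIRED if so.
"""
import csv
import io
import ipaddress

# Constructed sample export, not real NTBA output.
SAMPLE_CSV = """\
ETF,Endpoint IP,Hostname,Zone,In Bytes,Out Bytes,Total Bytes
9,10.1.20.15,ws-finance-07,Corporate,1048576,52428800,53477376
7,10.1.30.8,srv-files-01,Datacenter,734003200,45088768,779091968
3,10.1.20.44,ws-hr-12,Corporate,20971520,1572864,22544384
1,10.1.20.3,ws-eng-02,Corporate,5242880,4194304,9437184
"""

REQUIRED = ("ETF", "Endpoint IP", "Hostname", "Zone",
            "In Bytes", "Out Bytes", "Total Bytes")


def parse_report(text):
    """Parse the export into dicts with typed fields. A header that lacks the
    expected columns is rejected so that a layout change fails loudly
    instead of silently producing empty results."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"unexpected export layout, missing columns: {missing}")
    rows = []
    for r in reader:
        rows.append({
            "etf": int(r["ETF"]),
            "ip": ipaddress.ip_address(r["Endpoint IP"]),
            "hostname": r["Hostname"],
            "zone": r["Zone"],
            "in_bytes": int(r["In Bytes"]),
            "out_bytes": int(r["Out Bytes"]),
            "total_bytes": int(r["Total Bytes"]),
        })
    return rows


def triage(rows, etf_threshold=5, out_ratio=10.0, min_out_bytes=10 * 1024 * 1024):
    """Return endpoints worth a closer look, highest ETF first.

    An endpoint is flagged when its ETF meets the threshold, or when it sends
    far more than it receives (more than out_ratio times its inbound bytes,
    above a floor of min_out_bytes), which is an upload-heavy shape a
    workstation does not normally have.
    """
    flagged = []
    for r in rows:
        reasons = []
        if r["etf"] >= etf_threshold:
            reasons.append(f"ETF {r['etf']} >= {etf_threshold}")
        if (r["out_bytes"] >= min_out_bytes
                and r["out_bytes"] > out_ratio * max(r["in_bytes"], 1)):
            reasons.append("outbound volume far exceeds inbound")
        if reasons:
            flagged.append((r["etf"], str(r["ip"]), r["hostname"], reasons))
    flagged.sort(key=lambda f: (-f[0], f[1]))
    return flagged


if __name__ == "__main__":
    for etf, ip, host, reasons in triage(parse_report(SAMPLE_CSV)):
        print(f"ETF={etf:<2} {ip:<15} {host:<16} {'; '.join(reasons)}")
```

The thresholds are starting points; tune etf_threshold to your ETF scale and out_ratio to what a normal endpoint in the zone looks like, and keep the header check, since a silently mis-parsed column is how a triage script stops flagging anything.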

Create Next Generation duplicate reports


The Manager allows you to create duplicate reports of the Default Next Generation reports. The parameters of the duplicated
report can then be edited to suit your requirements.
To create a duplicate report, do the following:

Task
1. Select a Next Generation default report and click Duplicate.
2. Enter the Name and Description (mandatory fields) and click OK.
The duplicate report is displayed under the Next Generation Saved Reports section.
3. Click Edit to change the parameters.
4. Select a row in the left pane to view the Data Fields options.
Note: The admin domain selected in the left navigation pane does not affect the generated report. Only the admin domain data
filter in the query restricts what the report contains.
5. Click Save As to save the changes.
6. In the Save Report page, enter a Name and Description for the query.
You can also select the following options in the Save Report page:
◦ Automate Report Generation
◦ Report Frequency
◦ Events to Display
◦ Report Format
7. Click Next. The Select Recipients page is displayed.
8. Click New to add a recipient through the Add Recipient dialog.
9. Click Finish to complete the process. The Next Generation main page is displayed.



Managing the NTBA Appliance

Maintenance
You can maintain your NTBA appliance by keeping the software and signatures up-to-date, archiving data and maintaining the
database, and preparing for disaster recovery.

Updating software and signatures


You can manually download and import the latest software and signatures for the Sensor and the NTBA Appliance. You can also
schedule automatic downloads and imports.
Important: Make sure you are connected to the Internet while downloading and updating antimalware software and signatures.
Updating antimalware software and signatures from offline servers is not supported.
Note: You can perform only one download or upload at a time from any McAfee® Network Security Platform component,
including the update server.
The Updating menu contains:
• Download Signature Sets — Download the latest attack and signature information from the update server to the Manager.
• Download Callback Detectors — Download the latest callback detectors from the update server to the Manager.
• Download Device Software — Download the latest Sensor or NTBA Appliance software image file from the update server to the
Manager.
• Manual Import — Manually import downloaded Sensor or NTBA Appliance software image and signature files to the Manager.
• Messages from McAfee — View and acknowledge messages from McAfee.
• Automatic Updating — Configure the frequency by which the Manager checks the update server for updates, and the frequency by
which Sensors and NTBA Appliances receive signature updates from the Manager.

Download software updates


You can download the available Sensor software and NTBA Appliance updates on demand from the update server. If more than
one version is available, select the most recent version.
Automation enables the Manager to check the update server for software updates on a periodic basis.

Task
1. Select Manager → <Admin Domain Name> → Updating → Download Device Software.
The Download Device Software page is displayed showing the software available for download.
There are two tables on this page.
◦ Software Available for Download — Current software versions available on the update server.
◦ Software on the Manager — The software versions that have been downloaded to the Manager.
2. Select the required software update from the Software Available for Download column of the Model: <Sensor Name> table.
Note: Click a version listed in the Software Available for Download column to view details of the software update.
3. Click Download to download the software updates.
Note: For Sensors, you can either update all Sensors under the Sensors node or update a single Sensor.

What to do next
Use the Deploy Device Software option to deploy these software updates. For more information, see the McAfee Network Security
Platform Installation Guide.



Download signature set updates
The Download Signature Sets option enables you to download available attack signature updates on demand from the update server
to the Manager server. You can then push the signature download onto your Sensors or NTBA Appliance.
Tip: Because incremental emergency signature sets can be downloaded with regular signature sets, you do not need to use the
custom attack definitions feature to import late-breaking attacks.
The Download Signature Sets option not only allows you to import regular signature sets, but also incremental emergency signature
sets that include attack signatures not yet available in regular signature sets.
Incremental emergency signature sets are meant to address late-breaking attacks that might need to be addressed immediately.
Emergency signature sets are non-cumulative and can only add new signatures, so they do not contain a full set of signatures.
To ensure that you have a complete set of signatures, Network Security Platform checks to see if a required regular signature set
is missing and downloads it prior to downloading the related emergency signature set.
Note: You must use the Download Signature Sets or Automatic Updating option in order for Network Security Platform to download a
required regular signature set automatically, before downloading an emergency signature set. You will receive an error if you try
to import an emergency signature set through the Manual Import option.
When a signature file or version is downloaded, the version is listed in the Download Signature Sets configuration table as the Active
Manager Signature Set.
Setting a schedule enables the Manager to check the update server for signature updates on a periodic basis, download the
available updates, and push these updates to your Sensors or NTBA Appliances without your intervention.

Task
1. Select Manager → <Admin Domain Name> → Updating → Download Signature Sets.
The Download Signature Sets page is displayed.
2. View the Active Manager Signature Set: Version n.
This is the version that is currently available for your Sensors or NTBA Appliances to download. This signature set is kept in a
queue for download to your Sensors or NTBA Appliances. You can only have one version in the queue for download.
3. Select the signature update you want from Signature Sets Available for Download.
You can click a version number to view update details.
Note: If you have downloaded the latest version, a default message reads, No new signature sets available. The Manager has the most
recent signature set.
Note: Click view all to display all the signature updates available on the update server.
4. Click Download.
A status window opens to verify signature download progress. The Download button only appears when there is a new version
to download.
Note: For more information on signature sets, see Signature Set.
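The ordering rule above is easy to get wrong when automating around the Manager, so here is an added example, not McAfee code, that models it: an emergency set is non-cumulative, so its base regular set must already be on the Manager or be fetched first, and the Manual Import path, which performs no such check, rejects emergency sets outright. The SignatureSet class, its requires field and the version labels are assumptions for illustration, not the Manager's own data model.

```python
"""Added example, not McAfee code: a model of the ordering rule for regular
and incremental emergency signature sets described above.

Assumptions (illustration only, not the Manager's internal data model):
a set is identified by a version label; regular sets are cumulative; an
emergency set is non-cumulative and records in `requires` the regular set
it builds on. The version labels below are made up.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class SignatureSet:
    version: str
    emergency: bool = False
    requires: Optional[str] = None  # base regular set; emergency sets only


def plan_download(target: str, available: Sequence[SignatureSet],
                  on_manager: FrozenSet[str]) -> List[str]:
    """Return the versions to download, in order, so that `target` can be
    deployed: a missing base regular set is fetched before the emergency
    set that depends on it, and nothing already on the Manager is re-fetched."""
    catalogue = {s.version: s for s in available}
    if target not in catalogue:
        raise LookupError(f"{target} is not on the update server")
    wanted = catalogue[target]
    order: List[str] = []
    if wanted.emergency:
        if wanted.requires is None:
            raise ValueError(f"emergency set {target} names no base regular set")
        base = catalogue.get(wanted.requires)
        if base is None or base.emergency:
            raise LookupError(f"base regular set {wanted.requires} for {target} is unavailable")
        if base.version not in on_manager:
            order.append(base.version)
    if wanted.version not in on_manager:
        order.append(wanted.version)
    return order


def manual_import(s: SignatureSet, on_manager: FrozenSet[str]) -> FrozenSet[str]:
    """Mirror the Manual Import restriction: that path does no dependency
    check, so an emergency set is rejected rather than imported without its base."""
    if s.emergency:
        raise ValueError("emergency signature sets cannot be imported manually; "
                         "use Download Signature Sets or Automatic Updating")
    return on_manager | {s.version}


# Constructed catalogue for a dry run.
CATALOGUE = [
    SignatureSet("regular-1"),
    SignatureSet("regular-2"),
    SignatureSet("emergency-2a", emergency=True, requires="regular-2"),
]

if __name__ == "__main__":
    print(plan_download("emergency-2a", CATALOGUE, frozenset({"regular-1"})))
```

The point of keeping the base-set check in one place is that an emergency set deployed without its base leaves a device with only the late-breaking additions and none of the regular coverage; the Manager's own download path avoids that, and the manual path simply refuses the file.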

How to automate updates


McAfee is constantly researching security issues and developing new signatures to provide the best protection available. New
signatures are being constantly developed and existing ones modified to respond to the most current attacks. Software updates
continually improve Sensor and NTBA Appliance performance. These enhancements are made available on a regular basis
through the update server.
Update availability is not confined to a set day and time; rather, updates are provided when they are developed, enabling you to
have the latest improvements as soon as they are ready. The Automation feature enables you to configure the frequency by which
the Manager or McAfee® Network Security Central Manager (Central Manager) checks the update server for updates. At your
automated time, the Manager polls the update server; if an update is available that is newer than the current signature set for

the Sensor and NTBA Appliance software versions on your Manager, that update is downloaded to the Manager. You can check
what has been downloaded at the Software and Signature Sets option.
Note: The Automation feature is available in the Central Manager in the Manager → Updating → Automatic Updating.
After downloading a signature set update, you can configure your Manager to push the update to all your Sensors or NTBA
Appliances either immediately or by automation. Since signature sets can be updated to Sensors and NTBA Appliances in real
time without shutdown, this scheduling feature enables you to propagate the latest signature set across your Sensors and NTBA
Appliances quickly.
The Automatic Updating → Signature Sets page combines two actions for scheduling updates:
• Automatic IPS Signature Set Downloading — Downloads signature sets from the update server. Configure a schedule by which the Manager
polls the update server for available signature set updates.
• Automatic IPS Signature Set Deployment — Deploys new signature sets to NTBA Appliances and Sensors. Enable real-time or
scheduled deployment of the most recently downloaded signature set to your devices.
Note: You must configure each action separately.

Automate signature set downloads from the update server


The server update automation process involves scheduling the Manager to poll the update server for signature downloads on a
periodic basis.
After your polling schedule is set, you can use the Signatures action to check what signature updates have been downloaded to
your Manager and thus available for download to your Sensors and NTBA Appliances.

Task
1. Select Manager → Updating → Automatic Updating → Signature Sets.
The Signature Sets page is displayed.

Signature Sets page

2. For Enable Automatic Downloading, select Yes. By default, No is selected.
3. Select the Schedule by which you want the Manager to poll the update server. The choices are:
◦ Frequently — Several times a day during a specified period, at the interval indicated in the Recur every option
◦ Daily — Once a day
◦ Weekly — Once a week
4. Select the Start Time, End Time, and Recur every options to specify intervals. The fields available depend on the Schedule frequency.
5. Click Save. When enabled, the Manager downloads signature sets from the update server according to the schedule.

Automatically deploy new signature sets to your devices


You can automate signature set deployment for all your Sensors and NTBA Appliances. This means you can have all your Sensors
and NTBA Appliances updated:

1. As soon as signature updates are downloaded to the Manager from the update server (real time).
2. By a set schedule.
3. By both a real-time setting and a scheduled time, so that the scheduled check confirms that the latest update actually reached
your Sensors and NTBA Appliances.

Note: Setting both the real-time and schedule options lets the system catch updates that real-time deployment might have missed.
Note: If you are going to use automated deployment, McAfee recommends a scheduled time rather than real time, because
performance can be slower while a signature file is being downloaded. Schedule a time when your network sees less traffic.

Task
1. Select Manager → Updating → Automatic Updating → Signature Sets.
The Signature Sets page is displayed.

Signature Sets page

2. Configure the following:
◦ For Deploy in Real Time, select Yes. This option pushes a signature set update to all Sensors and NTBA Appliances immediately
after it is downloaded to the Manager. No is the default.
◦ Select the Schedule by which you want the Manager to check for a newly downloaded signature set. The choices are:
◦ Frequently — Several times a day during a specified period, at the interval indicated in the Recur every option
◦ Daily — Once a day
◦ Weekly — Once a week
◦ Select the Start Time, End Time, and Recur every options to specify intervals. The fields available depend on the Schedule frequency.
3. Click Save.

Manually import a software image or signature set


The Manual Import option enables manual loading of the latest Sensor and NTBA Appliance software and signature files to the
Manager or Central Manager from another workstation.
This method is useful when the Manager server is in a lab or other secured environment that you do not want to expose to the
Internet, so that the Manager never connects directly to the update server.
McAfee provides an alternate FTP server that contains the latest updates. Download the update you need from the FTP location to
a client machine, then pull the file from the client to the Manager server using the Import action. Because the file does not
arrive from the update server directly, confirm its origin before importing it.

Task
1. Select Manager → Updating → Manual Import.
The Manual Import page is displayed.
2. Click Browse to locate the Sensor or NTBA Appliance software or signature set file or enter the absolute path of the file.
3. Click Import.



Note: You need to restart the Sensor after manual import. For more information on rebooting the Sensor, see McAfee Network
Security Platform Product Guide.

Update software for a Sensor or NTBA Appliance


The Upgrade action enables an on-demand deployment of the latest or an earlier software version to a Sensor or NTBA Appliance
from your Manager. All software versions that are applicable to the device and available on the Manager are listed, and you can
choose the version that you want to push to the device. These are the versions that you downloaded from the update
server onto your Manager.
Note: You can only update online devices. Make sure it is discovered, initialized, and connected to the Manager.
Note: You can switch between different minor versions of the device software. Consider the scenario where you downloaded
6.0.1.1, 6.0.1.2, and 6.0.1.3 versions for M6050 Sensors from the update server onto the Manager. Also, assume that currently
the M6050 Sensor that you want to update is on 6.0.1.2. You can now update this Sensor to either 6.0.1.1 or 6.0.1.3.
Subsequently, you can also revert to 6.0.1.2. However, you cannot switch between major versions of the software through the
Manager. For example, you cannot switch between 6.0 and 5.1 versions of device software using the Manager.
Note: After you update the software of a device, you must restart it.

Task
1. Click Devices → <Admin Domain Name> → Devices → <Device Name> → Maintenance → Deploy Device Software.
The Deploy Device Software page is displayed.
In case of Sensors in fail-over pair, select a Sensor under the fail-over pair name node, and then select Upgrade.
Note: <Device Name> refers to name of the Sensor or NTBA Appliance.
2. Select the required version from the Software Ready for Installation section.
Note: The Software Ready for Installation section lists the applicable versions of software that you downloaded from the update
server (Manager → Updating → Download Device Software).
3. Click Upgrade.
When a device is being updated, it continues to function using the software that was present earlier.
4. After the update is complete, restart the Sensor or NTBA Appliance.
If the device that you updated is a Sensor in a fail-over pair (not applicable to NTBA Appliance), then update the other Sensor
in the pair also to the same version. Note that both the Sensors of a fail-over pair need to be of the same software version.

Possible actions from the Devices node


This section describes all the options under the Devices node.

View details of a selected device


The Devices → <Admin Domain Name> → Devices → <Device Name> → Summary action presents a read-only view of the configured
information for an installed device (Sensor or NTBA Appliance). The information displayed is configured during the installation
and initialization of the selected device through the device or NTBA Appliance command line interface.
If the device is a virtual security system, see View summary details for virtual security systems.
For the selected device, verify that the Name, IP address, subnet mask, and default gateway IP address are the same as what you
set through the command line interface.
When the Sensor is configured with dual stack (IPv4 and IPv6 addresses) and the NTBA Appliance is configured with IPv4
addresses, the following fields in the Summary page display only the IP address on which trust was established between the device
and the Manager:
• IP Address Connected to Manager
• Subnet Mask
• Default Gateway
For example, if you configure both IPv4 and IPv6 addresses in the Sensor, but establish trust with the Manager on IPv4, then the
Summary page displays only the IPv4 address for IP Address Connected to Manager, Subnet Mask, and Default Gateway.
Follow this procedure to view the summary of the device configurations:
Select Devices → <Admin Domain Name> → Devices → <Device Name> → Summary (Devices → <Admin Domain Name> → Devices → < Failover Pair
Node> → Summary in case of failover pair Sensors).
The Summary page is displayed.
Note: The Name could refer to either a Sensor or an NTBA Appliance.

Click Edit to edit the displayed information.

Reboot a device from the Manager


You can reboot the device from the Manager. Certain devices support full reboot and hitless reboot. Full reboot restarts the
entire system, whereas a hitless reboot restarts select processes but not the entire system.
Note: Full reboot can take up to 10 minutes, whereas hitless reboot can be completed in about 3-4 minutes. Full reboot is not
applicable for the following Sensor models:
• M-1250
• M-2850
• M-2950

Task
1. Select Devices → <Admin Domain Name> → Devices → <Device_Name> → Maintenance → Reboot.
The Reboot page appears.
2. For a full reboot, leave the Full Reboot checkbox selected and click Reboot Now. For a hitless reboot, clear the Full Reboot
checkbox, then click Reboot Now.
3. Click OK to confirm the reboot.



Shut down a Sensor or NTBA Appliance
The Shut Down action turns off a Sensor or an NTBA Appliance with no restart.

Task
1. Select Devices → <Admin Domain Name> → Devices → <Device Name> → Maintenance → Shut Down.
The Shut Down page is displayed.
2. Click Shut Down Now.
Note: The <Device Name> could be a Sensor or an NTBA Appliance.

Upload diagnostics trace


The Diagnostics Trace action uploads a device diagnostics log from a Sensor or NTBA Appliance to your Manager server. The
diagnostics file includes debug, log, and other information that can be used to determine device or NTBA Appliance malfunctions
or other performance issues. Once uploaded to your Manager, this file can be sent through email to McAfee Technical Support
for analysis and troubleshooting advice.

Task
1. Select Devices → <Admin Domain Name> → Devices → <Device Name> → Troubleshooting → Diagnostics Trace.
Note: The <Device Name> could refer to a Sensor or an NTBA Appliance.
The Diagnostics Trace page is displayed.

Diagnostics Trace page

2. Select the Upload? checkbox if it is not already selected.


3. Click Upload.
The status appears in the Upload diagnostics Status pop-up window.
4. Click Close Window when the message "DOWNLOAD COMPLETE" appears. The trace file is saved on your Manager server at
<Install Dir>\temp\tftpin\<Device Name>\trace\. Once downloaded, the file also appears in the Uploaded Diagnostics Trace Files
dialog box under this action.
5. [Optional] Export a diagnostics file to a client machine by selecting the file from the Uploaded Diagnostics Trace Files list and
clicking Export, then save the file on your client machine. This is useful if you are logged in remotely, need to perform a
diagnostics trace, and send the file to technical support. The trace contains device logs and debug data, so handle it as sensitive
when you send it outside your organization.



Import an NTBA Appliance configuration file
Before you begin
The NTBA Appliance from which configuration is exported and the one to which configuration is imported must be identical. They
should be of the same model, and same software version.
Both Managers must have the same admin domain hierarchy, or at a minimum, the same admin domain hierarchy starting from
the domain wherein the NTBA Appliance resides.
For example, if you exported an NTBA Appliance belonging to /My Company/Domain A, and below Domain A, there is:
• /My Company/Domain A/Domain B
• /My Company/Domain A/Domain B/Domain C
The importing NTBA Appliance must reside in a domain that has the following sub-domains:
• Domain B
• Domain B/Domain C
Caution: McAfee recommends that the NTBA Appliance receiving the import has the same signature set as the exporting NTBA
Appliance. It is recommended that both the Managers have the same set of policies if policies have also been exported/
imported.
The Import Configuration option enables you to overwrite the current configuration with a saved (exported) NTBA Appliance
configuration file.
Importing a saved configuration is useful in a test-to-production environment where you configure your settings on a test
(non-production) Manager system, then import them to an NTBA Appliance in your live environment.
Importing is also useful in the event an NTBA Appliance fails and you replace the failed NTBA Appliance with a new NTBA
Appliance, which requires the same configuration as the previous NTBA Appliance.

Task
1. Select Devices → <Admin Domain Name> → Devices → <Device Name> → Maintenance → Import Configuration.
Note: The <Device Name> could refer to either a Sensor or an NTBA Appliance.
The Import Configuration page is displayed.
2. Click Choose File to locate your saved configuration file.
3. Click Save.
4. Upon completion of import, reboot the NTBA Appliance.
5. Run an NTBA Appliance report to verify settings.

Export the Sensor configuration


The Export Configuration feature enables you to save the configuration of a Sensor (including NTBA Appliance configuration settings
of the Sensor) into a single file for later application to the same Sensor or another Sensor of the same model.
The Export Configuration feature helps to avoid duplication of work when it comes to configuring Sensors. For example, if you are
deploying multiple Sensors of the same model with similar configuration, you can configure one Sensor and export its
configuration to the rest. This feature is also useful if you plan on restoring the configuration back on the same Sensor or its
replacement.
You can include the following when you export a Sensor configuration. The choices vary depending on the Sensor model:
• Include firewall policy information — Includes firewall policy information.
• Include monitoring port information — Includes monitoring port information.
• Include exceptions — This option exports the alert-filter-to-attack mappings configured for the Sensor, its interfaces, and sub-
interfaces. Note that selecting this option exports only the exceptions association but not the actual exceptions.
• Include NTBA configuration — This option exports NTBA configuration set for M-series and NS-series Sensors.

Task
1. Select Devices → <Admin Domain Name> → Devices → <IPS Sensor> → Maintenance → Export Configuration.
The Export Configuration page is displayed.

Configuration Export page

2. Select the configurations that you want to include in the export.


3. Click Export and save the file to a location of your choice.

Export the NTBA Appliance configuration


You can export the NTBA Appliance configuration to any location on the system.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Maintenance → Export Configuration.
The Export Configuration page is displayed.
2. Click Export and save the file.
Caution: Although this feature outputs an XML file, this file is NOT intended for reading or editing. Any manipulation of this
file besides regular copying from/to different media might result in failure during import.

Database tuning and pruning


Each NTBA Appliance stores its flow information in an embedded database.
Database tuning and pruning are essential to ensure optimal performance of the NTBA Appliance. Tuning is optional and can be
enabled on a weekly basis.
Database pruning is based on capacity planning settings.
Database tuning is a memory-intensive process on large databases, and the system might consume a lot of memory while tuning
runs. For this reason, database tuning and pruning are scheduled at different intervals so that the NTBA Appliance does not run
out of memory.
Neither database tuning nor pruning results in any downtime for the user.
Note: The procedure for database tuning and pruning from the Devices node is similar.

Tune the database


Each NTBA Appliance has an embedded database. You can tune the database of an individual NTBA Appliance or apply global
settings configured at the Devices node.

Task
1. Select Devices → <Admin Domain Name> → Devices → <NTBA Appliance> → Maintenance → Database Tuning.
The Database Tuning Scheduler page is displayed.

Database Tuning page

Note: If you have applied global settings, then the Use Global Settings? checkbox will be selected. Deselect the checkbox to tune
the database at the NTBA Appliance level.
2. Do the following:
◦ Select the Inherit Settings? checkbox to enable database tuning.
◦ Select the day of the week from the drop-down list against Run Every.
3. Select the start time from the hour and minutes drop-down list against Start Time.
4. Click Save.

Prune the database


You can prune the NTBA Appliance database by setting the disk space capacity planning threshold. Setting disk space thresholds
ensures that older flow records are deleted, to make space for new records. You can also set the maximum time period for which
you want to store data in the NTBA database.
Note: The NTBA Appliance database cannot be pruned on appliances running an NTBA software version earlier than 9.1.
Capacity planning sessions are set for the following storage types:
• 1-Hour Summary Data
• 6-Hour Summary Data
• 12-Hour Summary Data
• 1-Day Summary Data
• 2-Day Summary Data
• 7-Day Summary Data
• 14-Day Summary Data
Note: Age-based pruning of the NetFlow database is based on the data types listed above. For context data, pruning is configured
through the Network Forensics Data setting.
These storage types hold the data summarized and presented in the following NTBA monitors:
• Applications - Active (Last 7 Days)
• Applications - New (Last 7 Days)
• Applications Traffic (Bytes)
• Bandwidth Utilization (%) - Interfaces
• Endpoints - Active (Last 7 Days)
• Endpoints - New (Last 7 Days)
• Endpoints - Threat Factor
• Protocol Distribution (Bytes)
• Services - Active (Last 7 Days)
• Services New (Last 7 Days)
• Services Traffic (Bytes)
• Throughput Enterprise Traffic (Bytes)

• Top External Endpoints By Reputation
• Top Files
• Top URLs
• Top URLs By Category
• Top URLs By Reputation
• Traffic Volume (Bytes) - Zones
• Traffic Volume (Bytes) - Top Source Endpoints
The capacity-level pruning configuration is shared by the NetFlow and forensics databases. When one of these databases reaches a
configured critical level, only that database is pruned as part of the critical or emergency level handling.
These are the maximum age for each storage type:

Storage type             Default value   Valid range   Unit of measure
1-Hour Summary Data      6               1-24          Hours
6-Hour Summary Data      12              1-48          Hours
12-Hour Summary Data     24              1-96          Hours
1-Day Summary Data       2               1-8           Days
2-Day Summary Data       7               1-28          Days
7-Day Summary Data       14              1-56          Days
14-Day Summary Data      28              1-365         Days
Network Forensics Data   100             1-500         Days

The default threshold settings are adequate to ensure proper pruning of the database and to ensure optimum memory usage.
The default threshold settings are therefore recommended. You can change the default settings based on the volume of traffic in
your network.

Task
1. Select Devices → Device → <NTBA Device> → Maintenance → Database Pruning. The Database Pruning page is displayed.

Database Pruning page

2. In the Total Disk Space section, the used and available disk space for flows is displayed. Click Show Disk Usage to view the latest
details.
3. Deselect the Inherit Settings? checkbox to prune the database for the NTBA device.

Tip: If you have applied global settings, then this checkbox is selected by default. You can configure and apply global settings
from Devices → Global → NTBA Device Settings → Device Settings → Setup → Maintenance → Database Pruning.
4. Configure the values in the following fields:

Field: Specify the disk space capacity level at which each fault type is generated
Description: From the drop-down list, configure the disk space capacity for the following faults:
◦ Informational Fault — By default, these faults are generated when the disk capacity reaches 60%.
◦ Warning Fault — By default, these faults are generated when the disk capacity reaches 70%.
◦ Critical Fault — By default, these faults are generated when the disk capacity reaches 80%.
For each fault, you can set the disk capacity anywhere in the range 50-100% in increments of 5 (55%, 60%, 65%, and so on). If you
do not want to generate any of these alerts, select Disabled from the drop-down list.

Field: Specify the maximum age for each storage type
Description: Type the maximum time the data can be stored for the following storage types:
◦ 1-Hour Summary Data: The maximum number of hours to store 1-Hour summary data.
◦ 6-Hour Summary Data: The maximum number of hours to store 6-Hour summary data.
◦ 12-Hour Summary Data: The maximum number of hours to store 12-Hour summary data.
◦ 1-Day Summary Data: The maximum number of days to store 1-day summary data.
◦ 2-Day Summary Data: The maximum number of days to store 2-day summary data.
◦ 7-Day Summary Data: The maximum number of days to store 7-day summary data.
◦ 14-Day Summary Data: The maximum number of days to store 14-day summary data.
◦ Network Forensics Data: The maximum number of days to store network forensics data.
System events are raised when the database capacity reaches the set values.
5. Click Save.
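The storage-type table and the fault-level rule above can be checked mechanically before you click Save, which is useful when pruning settings are tracked outside the Manager (for example in a change ticket). The following Python script is an added example, not McAfee code or part of the NTBA product: it encodes the guide's valid range for each storage type and the fault-level rule (Disabled, or 50-100% in increments of 5), validates a proposed settings dictionary, and reports which capacity faults a given disk usage percentage would raise. The settings dictionary layout (max_age and fault_levels keys) is this example's own assumption, not a Manager export format.

```python
# Added example (not McAfee code): validate NTBA database pruning settings
# against the ranges in the guide, and report which capacity faults a given
# disk usage would raise. The settings dictionary layout is this example's own.

# Storage type -> (default, minimum, maximum, unit), as listed in the guide.
STORAGE_LIMITS = {
    "1-Hour Summary Data": (6, 1, 24, "Hours"),
    "6-Hour Summary Data": (12, 1, 48, "Hours"),
    "12-Hour Summary Data": (24, 1, 96, "Hours"),
    "1-Day Summary Data": (2, 1, 8, "Days"),
    "2-Day Summary Data": (7, 1, 28, "Days"),
    "7-Day Summary Data": (14, 1, 56, "Days"),
    "14-Day Summary Data": (28, 1, 365, "Days"),
    "Network Forensics Data": (100, 1, 500, "Days"),
}

# Default disk capacity (%) at which each fault type is generated.
FAULT_DEFAULTS = {"Informational": 60, "Warning": 70, "Critical": 80}


def default_settings():
    """Settings as the Database Pruning page ships them."""
    return {
        "max_age": {name: limits[0] for name, limits in STORAGE_LIMITS.items()},
        "fault_levels": dict(FAULT_DEFAULTS),
    }


def validate_settings(settings):
    """Return a list of problems; an empty list means the settings are acceptable."""
    errors = []
    max_age = settings.get("max_age", {})
    for name, (_default, low, high, unit) in STORAGE_LIMITS.items():
        value = max_age.get(name)
        if not isinstance(value, int):
            errors.append(f"{name}: missing or not an integer")
        elif not low <= value <= high:
            errors.append(f"{name}: {value} is outside {low}-{high} {unit}")

    fault_levels = settings.get("fault_levels", {})
    for fault in FAULT_DEFAULTS:
        level = fault_levels.get(fault)
        if level == "Disabled":
            continue  # the guide allows turning a fault type off
        if not isinstance(level, int) or not 50 <= level <= 100 or level % 5 != 0:
            errors.append(f"{fault} Fault: {level!r} must be Disabled or 50-100% in steps of 5")
    return errors


def faults_reached(used_percent, fault_levels):
    """Fault types whose configured capacity level the current disk usage has reached."""
    return [
        fault for fault, level in fault_levels.items()
        if level != "Disabled" and used_percent >= level
    ]


if __name__ == "__main__":
    proposed = default_settings()
    proposed["max_age"]["Network Forensics Data"] = 600   # above the 1-500 day range
    proposed["fault_levels"]["Warning"] = 63              # not a multiple of 5
    for problem in validate_settings(proposed):
        print("rejected:", problem)
    print("faults at 75% usage:", faults_reached(75, FAULT_DEFAULTS))
```

Running the script rejects the two deliberately wrong values and lists Informational and Warning as the faults a 75% full disk would raise with default levels; a settings dictionary that passes validate_settings with no errors is one the page itself would accept.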

Data archive options


The Archiving option presents actions that enable you to save alerts and packet logs from the database on demand or by a set
schedule.
You can also restore archived alerts and packet logs on the client or another Manager. The procedure for archiving data relating
to Sensor and NTBA Appliance is similar.
The archiving action for the Sensor and the NTBA Appliance is done from the Manager → <Admin Domain Name> → Maintenance → Data
Archiving option of the Manager tab tree.

Archive alerts and packet logs
The Archive Now action enables you to archive alerts and packet logs on demand into an archival file for future restoration. This
process reads alerts and packet logs for the given time range from the database and writes them into a zip file.
Note: Archive your alerts and packet logs regularly. We recommend that you archive your alert data monthly, and that you
discard alert and packet log information from your database every 90 days to manage your database size. A single archive file
can be restored (imported into the Manager) only if it is smaller than 4 GB. You can still extract an archive zip file larger than
4 GB, but such a file cannot be restored.
Archived files smaller than 4 GB are saved locally to the Manager and can be exported to your client.

Task
1. Select Manager → <Admin Domain Name> → Maintenance → Data Archiving → IPS → Archive Now (Manager → Maintenance → Alerts → Archiving →
NTBA → Archive Now for the NTBA Appliance).
The Archive Now page is displayed.

Archive Now page

2. Choose one of the following time spans in Time Range:


◦ A single day (yyyy/mm/dd) — Select alerts and packet logs for a single day in the format yyyy/mm/dd. Default is the Manager system
date.
◦ Within a specific period (yyyy/mm/dd hh:mm:ss) — Select alerts and packet logs between the begin and end dates in the format
yyyy/mm/dd hh:mm:ss. Default Begin Date is the oldest alert detected time and default End Date is the Manager system time.
◦ In the past — Selects alerts from a point in the past relative to the current time. This time in the past can be months, weeks,
days (default), or hours. Select a time (yyyy/mm/dd hh:mm:ss) when the span of reporting time ends (default is the Manager
system time).
3. Click Archive.
When the archival process is complete, the file is saved to <Network Security Manager install directory>\alertarchival.
The files also appear in the Existing Archives page.

Existing Archives page

You can click an archived file listed in the Existing Archives page to view the details in the Archived File Info page.
4. Optionally, select an archived file in the Existing Archives page and click Export to download that file from the Manager to your
client.
Note: You can import an exported file into another Manager, such as a test Manager.

Schedule automatic archival
The Automated Archival action enables you to set a schedule by which alerts and packet logs are automatically archived.
The scheduled archival process archives alerts and packet logs daily, weekly, or monthly depending on the frequency you select.
If you choose Weekly and select a day of the week from the drop-down list, the archival begins from the previous week for the
selected day. For example, if you choose Weekly and choose Sunday as the day of the week, logs from the previous Sunday through
Saturday are archived.
If you choose Monthly, the archive frequency is the 1st of every month and the logs for the month are archived.
If you choose Daily, the logs from 00:00:00 through 23:59:59 of the previous day are archived. For example, if you set the
Scheduler to Daily on 3-Sep, the logs from 00:00:00 through 23:59:59 on 2-Sep are archived.
Note: When scheduling archival, set a time when no other scheduled functions (backups, database tuning) are running. The time
should be a minimum of an hour after/before other scheduled actions.

Task
1. Select Manager → <Admin Domain Name> → Maintenance → Data Archiving → IPS → Automated Archival.
The Automated Archival page is displayed.

Automated Archival page

2. Select Yes against Enable Automatic Downloading to turn on the scheduling process.
3. Select values for any of the following against Frequency:
◦ Daily
◦ Weekly — (select the day of the week)
◦ Monthly
◦ Start Time — Hours: Minutes (24 hour clock)
4. Click Save. Every time the process runs, finished archival is saved to: <Network Security Manager install directory>
\alertarchival.
5. Optional:
◦ Click Refresh to reset the settings to those last applied. This is helpful when you started to make changes but forgot what the
last settings were.
◦ Click View Scheduler Detail to see the present settings for all scheduled processes. (Including backups, database maintenance,
and file maintenance actions.)
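The Daily, Weekly, and Monthly rules described above determine which day range each scheduled run covers, and the Note asks for at least an hour between archival and other scheduled jobs. The following Python script is an added example, not McAfee code or part of the Manager: it computes the archived window for a given run date and checks the one-hour spacing against other scheduled start times. It assumes that a Monthly run on the 1st archives the previous calendar month (the guide says only "the logs for the month"), and it accepts ISO date and time strings for convenience.

```python
from datetime import date, datetime, time, timedelta

# Added example (not McAfee code): compute the time window one scheduled
# archival run covers, following the Daily/Weekly/Monthly rules in the guide.
# Assumption: a Monthly run on the 1st archives the previous calendar month.

END_OF_DAY = time(23, 59, 59)


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def _as_time(t):
    return time.fromisoformat(t) if isinstance(t, str) else t


def archive_window(frequency, run_date, weekday=None):
    """Return (start, end) datetimes archived by a run on run_date.

    frequency: "Daily", "Weekly" or "Monthly" (the Frequency options on the page)
    run_date:  the date the scheduler fires (date or "YYYY-MM-DD")
    weekday:   for Weekly, the selected day of the week (0=Monday .. 6=Sunday)
    """
    run_date = _as_date(run_date)

    if frequency == "Daily":
        # 00:00:00 through 23:59:59 of the previous day (a 3-Sep run archives 2-Sep).
        day = run_date - timedelta(days=1)
        return datetime.combine(day, time.min), datetime.combine(day, END_OF_DAY)

    if frequency == "Weekly":
        if weekday is None or run_date.weekday() != weekday:
            raise ValueError("weekly archival fires only on the selected weekday")
        # Previous occurrence of the selected day through the day before this run
        # (Sunday run: previous Sunday through Saturday).
        first = run_date - timedelta(days=7)
        last = run_date - timedelta(days=1)
        return datetime.combine(first, time.min), datetime.combine(last, END_OF_DAY)

    if frequency == "Monthly":
        if run_date.day != 1:
            raise ValueError("monthly archival fires on the 1st of the month")
        last = run_date - timedelta(days=1)   # last day of the previous month
        first = last.replace(day=1)           # first day of the previous month
        return datetime.combine(first, time.min), datetime.combine(last, END_OF_DAY)

    raise ValueError(f"unknown frequency: {frequency!r}")


def schedule_gap_ok(start, other_starts, min_gap_minutes=60):
    """True when start is at least min_gap_minutes away from every other start time.

    The guide asks for at least an hour between archival and other scheduled
    jobs (backups, database tuning). Times are time-of-day, so the gap is
    measured around the clock (23:30 and 00:15 are 45 minutes apart).
    """
    def minutes(t):
        t = _as_time(t)
        return t.hour * 60 + t.minute

    for other in other_starts:
        diff = abs(minutes(start) - minutes(other))
        if min(diff, 24 * 60 - diff) < min_gap_minutes:
            return False
    return True


if __name__ == "__main__":
    print(archive_window("Daily", "2014-09-03"))
    print(archive_window("Weekly", "2021-11-28", weekday=6))   # a Sunday
    print(archive_window("Monthly", "2021-12-01"))
    print(schedule_gap_ok("02:00", ["02:30", "04:00"]))        # False: 30 min from a backup
```

Calling archive_window with a date that does not match the selected frequency raises ValueError rather than guessing a window, which mirrors the page: a Weekly schedule only fires on its selected day and a Monthly one only on the 1st.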

Export an archive
The Export Archives action enables you to export an archive from the Manager to your client, or to a location reachable by your
client. You can take the exported archival and import (that is, restore) it into another Manager, such as a test Manager.

Task
1. Select Manager → <Admin Domain Name> → Maintenance → Data Archiving → IPS → Export Archives.
The Export Archives page is displayed.

Export Archives page

2. Select an archive to export from the list.


3. Click Export.
The File Download window of your client machine is displayed.
4. Click Save to save the file to a location in your client machine.

Delete archives from the Manager


You can delete archives from the Manager.

Task
1. Select Manager → <Admin Domain Name> → Maintenance → Data Archiving → IPS → Restore Archives.
2. Scroll down the page to the list of Existing Archives.

Existing Archives page

3. Select an archival and click Delete.


4. Click OK to confirm deletion.

Restore an archive
The Restore action enables you to restore an archived alerts and packet logs file to the Manager. When restoring an archive to a
target Manager, the archive must be copied to a directory on the target Manager or to a network directory that the Manager can
access. The Restore feature also enables you to filter the alerts in the archive.

Task
1. Select Manager → <Admin Domain Name> → Maintenance → Data Archiving → IPS → Restore Archives.
The Restore page with Restore Archives option and Existing Archives list is displayed.

Restore page

2. Do one of the following:


a. Click Browse to locate the archival or enter the absolute path of the archived file and click Restore.
b. Select an archival listed under Existing Archives and click Restore.
The Restore Filter page is displayed.

Restore Filter page

3. Filter alerts by the following parameters:


◦ Severity — Select one or more severities to keep.
◦ Result Status — Select one or more results to keep.
◦ Start Date — Keep only the alerts and packet logs starting from the designated time.
◦ End Date — Keep only the alerts and packet logs up to the designated time.
4. Click Restore.
Note: Click Restore All to restore all alerts without any filtering.
Note: The Manager permits only 300,000 alerts to be restored at a time when filtering is applied. If your archive contains more
than 300,000 alerts, you must perform the restoration multiple times. For example, if your archive still contains 750,000 alerts
after the filter parameters have been applied, you must restore three times: 1) 300,000 2) 300,000 3) 150,000.
5. To see the alerts restored in attack log, run solr import.
Note: To run solr import, refer to Network Security Platform Installation Guide.

Manager Disaster Recovery (MDR) support for NTBA Appliance


The Manager Disaster Recovery (MDR) refers to a setup where you can have a secondary Manager available in case the primary
Manager fails.
In the initial setup, the primary Manager is in the active state and the secondary Manager is in the standby state.
Whenever the standby Manager detects that the active Manager is down, it takes over the Manager functions seamlessly after
the Downtime Before Switchover configured on the Manager Pair page of the primary Manager (Manager → Setup → MDR).
The active Manager manages devices configured in the Manager, including NTBA Appliances. The standby Manager is connected
to the devices but can manage them only when it moves to the active state.

MDR setup and NTBA Appliance


MDR support for the NTBA Appliance works in IPv4 and dual-stack environments. The communication between the NTBA Appliance
and the Manager takes place over IPv4.

The NTBA Appliance is installed on the active Manager, which communicates the NTBA Appliance installation information to the
standby Manager. Once configuration data is synchronized between the active and standby Managers, both Managers hold the
NTBA Appliance information.
Signature sets can be pushed to the NTBA Appliance from the active Manager.
NTBA policy configuration export (Policy → Network Threat Behavior Analysis → Policy Export → NTBA Policies) and import (Policy → Network
Threat Behavior Analysis → Policy Import → NTBA Policies) are allowed only from the active Manager.
Alerts and faults are sent to both Managers; however, alert action responses are issued only by the active Manager.
The right-click monitors in the NTBA default monitors can be viewed from both the active and standby Managers.
The next generation and traditional reports can be viewed from both the active and standby Managers; however, the scheduled
reports can be viewed only from the active Manager.
Note: When the NTBA Appliance is uninstalled from the Manager in an MDR setup, the Manager IP address is reset to the
primary Manager IP address.

NTBA CLI commands

You can use the NTBA command line interface commands to configure the NTBA Appliance. Some of the commands are
common to both NTBA Appliance and the Sensor.

clear antimalware cache


Clears the antimalware cache.
Syntax:
clear antimalware cache
Sample Output:
ntbaSensor@vNTBA> clear antimalware cache
It will take 5 to 10 seconds to clear the cache

commands
Displays all CLI commands supported for the current user role.
This command has no parameters.
Syntax:
commands
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.

deinstall
Clears the Manager-Sensor trust data (the certificate and the shared key value). Every time you delete a Sensor from the
Manager, you must issue this command on the Sensor to clear the established trust relationship before reconfiguring the
Sensor.
This command has no parameters.
Syntax:
deinstall
On executing the command, the following messages are displayed:
Initiating to deinstall and will remove trust with the configured Manager.
Closed communication channels with Network Security Manager.
Stopping all services.
Removing anomaly profiles.
Resetting the Endpoint Intelligence Agent related configurations.
Executable classifications are removed.

Endpoint Intelligence Agent certificate files are removed.
Allowlist and blocklist sync information is reset to default.
ePolicy Orchestrator credentials are removed.
The Service manager is informed to load the configurations.
Restarting services. This will take few minutes.
The Manager trust is removed. Wait for the services to start. After the services are up, establish trust with
the Manager.
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
Errors while running deinstall
The following errors might occur while you run this command:
• Error: Database migration is in progress. You can run deinstall only after migration.
• Error: The system can't verify if the IPS Sensor is installed. Reboot the appliance or VM and rerun deinstall.
• NTBA is deinstalled and so you can establish trust with the Manager.
• Error: An exception occurred. Reboot the appliance or VM and rerun deinstall.
• Error: The system can't communicate with the Service manager to load configurations. Reboot the appliance or
VM and rerun deinstall.
• Error: The system can't communicate with the Service manager to restart services. Run service restart all.
• Error: An exception occurred while restarting the services. Run service restart all.

deletemgrsecintf
Clears the IP address of a Manager's secondary NIC.
This command has no parameters.
Syntax:
deletemgrsecintf
On executing the command, the following messages are displayed:
Please enter Y to confirm: y
Managers secondary intf IPaddr doesn't exist.
Deleting managers secondary interface had some Warnings/Errors.
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.

deletesignatures
Deletes signatures on the Sensor and reboots the Sensor. When you execute this command, the signatures are deleted and then
the Sensor is restarted automatically. Before executing the command, you are prompted whether both the tasks should be
performed.
This command has no parameters.
Syntax:
deletesignatures
On executing the command, the following messages are displayed:
Delete the signatures and reboot the sensor ?
Please enter Y to confirm: y
deleting the signatures and rebooting the sensor
signatures deleted

Broadcast message from root (Fri Mar 28 05:15:54 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.

download antimalware updates


Downloads the antimalware updates. Make sure the appliance is connected to the Internet so that it can download the
antimalware software and updates.
Syntax:
download antimalware updates
Sample Output:
On executing the command, the following messages are displayed:
• If already running:
ntbaSensor@vNTBA> download antimalware updates
Downloading the antimalware updates.
Antimalware update is in progress.
• If not running:
ntbaSensor@vNTBA> download antimalware updates
Downloading the antimalware updates.
Initiated to download the antimalware update download. Run show antimalware status to see the results.

Errors while running download antimalware updates


The following errors might occur while you run this command:
Error: Detached from shared memory
Error: An exception occurred while downloading the antimalware updates. In the Manager, check the system events
for root cause.

exit
Exits the CLI.
This command has no parameters.
Syntax:
exit
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.

factorydefaults
Wipes all settings, certificates, and signatures from the Sensor, clearing it to blank settings. This command does not appear
when you type ? or commands, nor does the auto-complete function apply to it. You must type the command in full to execute it.
This command has no parameters.
Note: You are warned that the operation will clear the Sensor and you must confirm the action. The warning occurs since the
Sensor returns to its clean, pre-configured state, thus losing all current configuration settings.

Syntax:
factorydefaults
On executing the command the following messages are displayed for an NTBA Appliance:
Are you sure you want to reset NTBA to factory defaults?
WARNING: All existing configuration and data will be lost.
Please enter Y to confirm: y
Step 1 of 3: Removing trust with Network Security Manager
Network Security Manager trust is removed.
Step 2 of 3: Resetting the NTBA database to factory defaults. This will take few minutes.
Stopping all services.
Formatting NTBA database partitions. This will take several minutes depending on the disk size.
Creating fresh databases.
Resetting NTBA configurations.
The NTBA configuration and signature files are reset to default.
Step 3 of 3: Rebooting the NTBA appliance. After the reboot, log in to complete the NTBA setup.
Broadcast message from root (Thu Feb 27 11:57:26 2014):
The system is going down for reboot NOW!
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.
Errors while running factorydefaults
The following errors might occur while you run this command:
• An error occurred while stopping the database events. Restart the appliance or VM and rerun factorydefaults.
• An error occurred while trying to disable database events. Restart the appliance or VM and rerun
factorydefaults.
• An error occurred while stopping the database processes. Restart the appliance or VM and rerun
factorydefaults.
• An error occurred while disabling the database processes. Restart the appliance or VM and rerun
factorydefaults.
• The NTBA database service is still up. Sending a termination signal.
• The NTBA database service is still up. Sending a kill signal.
• The NTBA database service can't be stopped. Restart the appliance or VM and rerun factorydefaults.
• Formatting the NTBA database partitions. This will take several minutes depending on the disk size.
• Dropping NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Formatting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Creating fresh databases
• Mounting NTBA database partitions failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA database engine failed. Restart the appliance or VM and rerun factorydefaults.
• Installing the NTBA databases failed. Restart the appliance or VM and rerun factorydefaults.
• Resetting NTBA configurations
• Verifying software image on the appliance or VM failed. Load the correct NTBA software image and rerun
factorydefaults.
• Extracting the tar file failed. Load the correct NTBA software image and rerun factorydefaults.
• Checking consistency of software image on the appliance or VM failed. Load the correct NTBA software image and
rerun factorydefaults.
• Retrieving package from the software image failed. Load the correct NTBA software image and rerun
factorydefaults.
• NTBA configuration and signature files are reset to default.

flowforward collector
Adds or removes a flow forwarding destination entry for a particular IP address and port.
Syntax:
flowforward collector <add | delete> ip <A.B.C.D> port <1-65535>
Run the show flowforwardinfo command to check if the change has taken effect.
Sample Output:
ntbaSensor@vNTBA> flowforward collector add ip 1.1.1.8 port 2565
[flow forward Info]
Flow forward IP : 1.1.1.8
Flow forward Port : 2565
Flow forwarding mode : BLIND
Note: You can add a maximum of 5 flow forward collectors.

help
Provides a description of the interactive help system.
This command has no parameters.
Syntax:
help
Sample Output:
intruShell@john> help or ntbaSensor@vNTBA> help
If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available
options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g. 'set ?') and describes each
possible argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match
the input (e.g. 'set em?'.)
Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.

host-vlan
Enables or disables host-vlan.
Syntax:
host-vlan <enable | disable>

Parameter   Description
enable      Enables host VLAN.
disable     Disables host VLAN.

Applicable to:
M-series and NS-series Sensors, and NTBA Appliances.

installdb
This command is used to reinstall the NTBA NetFlow database and the configuration database. This command backs up your
current database configuration and restores it once the database is recreated.
• If the database is up while you run this command, the trust connection between the Manager and NTBA remains intact.
• If the database is down while you run this command, the trust connection is removed and you need to re-establish the trust
between the Manager and NTBA.
Syntax:
installdb
On executing the command, the following messages are displayed:
Scenario 1: Database is up
Are you sure you want to reinstall the NTBA database ?
WARNING: All existing data will be lost.
Please enter Y to confirm: y
Starting installdb...
Step 1/7: Stopping all services
Step 2/7: Stopping all database processes
Step 3/7: Backing up configurations
Step 4/7: Formatting NTBA database partition. This will take several minutes depending on the disk size.
Step 5/7: Creating fresh databases
Step 6/7: Restoring configurations
Step 7/7: Starting services. This will take few minutes.
NTBA database reinstallation successfully completed.
Scenario 2: Database is down
Are you sure you want to reinstall the NTBA Database ?
WARNING: All existing data will be lost.
Please enter Y to confirm: y
Starting installdb...
Step 1/7: Stopping all services
Step 2/7: Stopping all database processes
Step 3/7: Backing up configurations
Database is down. Configuration was not backed up.
Network Security Manager trust is removed.
Step 4/7: Formatting NTBA database partition. This will take several minutes depending on the disk size.
Step 5/7: Creating fresh databases
Step 6/7: Restoring configurations
Step 7/7: Starting services. This will take few minutes.
IMPORTANT: Re-establish trust with Network Security Manager after the services are up. Go to the Manager console
and update configuration for the NTBA appliance so that the system can function.
NTBA database reinstallation successfully completed.
ntbaSensor@NTBA_VM>
At the prompt, run the set sensor sharedsecretkey command to establish trust between the Manager and the NTBA Appliance and
to receive the latest configuration from the Manager.
After installdb is executed successfully, a system reboot and configuration push from Manager is not required. If you wish to
reset configuration to defaults, run the resetconfig command.

216 McAfee Network Threat Behavior Analysis 9.1.x Product Guide


installntba
Installs the NTBA Appliance. You can run this command only after inserting the installation CD, DVD, or USB drive.
Syntax:
installntba
On executing the command, the following messages are displayed:
Initiating to format system hard disk and install NTBA!
WARNING: This will delete all existing data.
Please enter Y to confirm:
If you enter Y, you will see:
Creating Linux disk partitions for installation . . .
Formatting Linux disk partitions . . .
Installing boot loader...
Loading the NTBA image . . .
Creating NTBA database disk partitions . . .
Creating labels . . .
Formatting NTBA database disk partitions . . .
NTBA is successfully installed.
Remove the CD or USB key and reboot the system.
Errors while running installntba
The following errors might occur while you run this command:
Installation failed: Hard disk for database is not found. Add a hard disk and rerun installntba.
Installation failed: Hard disk for NTBA is not found. Add a hard disk and rerun installntba.
Installation failed: An error occurred while creating Linux disk partitions for NTBA. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while formatting Linux disk partitions for NTBA. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while installing the boot loader. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while loading the NTBA installation image. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while creating disk partitions and labels for the NTBA database. Check /temp/install_errors.log and rerun installntba.
Installation failed: An error occurred while formatting the disk partitions for the NTBA database. Check /temp/install_errors.log and rerun installntba.
If the installation fails, check the install_errors.log file, fix the reported error, and then rerun installntba to install NTBA.

loadimage
This command is used to install or upgrade the NTBA software on a physical or virtual NTBA Appliance.
Syntax:
loadimage <image path>
Sample Output:

ntbaSensor@vNTBA> loadimage NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned
Downloading NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned from TFTP Server
Image NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned downloaded successfully
Verifying the NTBA software image:
NTBA configuration is backed up.
NTBA configuration policy is not found. So NTBA configuration can't be backed up.
NTBA software image is found.
Verifying the NTBA software image security:
NTBA software image security check passed
NTBA software package check passed
Database will be upgraded from 8.0 to 8.1.
Loading NTBA software image
The NTBA software image is loaded. Reboot the NTBA appliance.
Errors while running loadimage
The following errors might occur while you run this command:
Before loading the image, set the TFTP server IP address. Execute set tftpserver ip.
An error occurred while downloading NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned from 10.213.173.1
An error occurred while downloading NTBA/8.0.5.9/ntbasensorImage.T-200VM.opt.unsigned from 10.213.173.1. Check the connectivity.
Verifying NTBA software image:
Error: Unzipping the NTBA combined image [image + signature file] failed.
Load the correct NTBA software image and retry loading the image.
Error: NTBA combined image [image + signature file] missing files.
Load the correct NTBA software image and rerun loadimage.
Verifying NTBA software image security:
Error: NTBA software image security check failed.
Load the correct NTBA software image and rerun loadimage.
Error: Make sure to load signed image as NTBA accepts only signed image.
Error: NTBA software package security check failed.
Load the correct NTBA software image and rerun factorydefault.
Error: The NTBA software image loaded is not compatible.
Physical appliance image must be loaded into physical appliance and VM image must be loaded into virtual NTBA.
Error: Downgrading virtual machine software is not permitted.
Load supported VM software image.
Error: Trying to load and found incompatible appliance software image.
Load compatible appliance software image.
Verify the appliance model and the loaded NTBA software image.
Error: Virtual machine is configured with $totalMem GB, which is lesser than the required minimum memory of $minMem GB.
The configured number of ethernet ports is $totalNetworkPorts, which is not as per the supported configuration of $numPort.
Error: Configured hard disk size for NTBA database is $totalDbDiskSizeInGB GB, which is lesser than the required minimum database disk space of $dbDiskSizeInGB GB.
Error: Configured hard disk size for NBA disk is $totalNtbaDiskSizeInGB GB , which is lesser than the required minimum disk space of $ntbaDiskSizeInGB GB.
Warning: Attempting to downgrade the NTBA appliance database version from $cur_ver to $db_schema. This requires reinstalling the NTBA database.

Error: Current NTBA version not supported for migration. Consider upgrade to supported version $min_ver.
Attempting database migration $cur_ver to $db_schema.
Loading NTBA software image:
Error: An exception occurred while extracting the NTBA software image. Load the correct NTBA software image and rerun loadimage.
Error: An exception occurred while extracting the boot package. Load the correct NTBA software image and rerun loadimage.
Error: The system can't find the NTBA software image.
Load the correct NTBA software image and rerun loadimage.

nslookup
Displays the nslookup query result for the given host name.
Syntax:
nslookup WORD
Where WORD stands for the host name for which the nslookup query result must be displayed.
Sample Output:
ntbaSensor@vNTBA> nslookup google.com
Server: 10.213.154.101
Address 1: 10.213.154.101
Name: google.com
Address 1: 74.125.227.166 dfw06s32-in-f6.1e100.net
Address 2: 74.125.227.168 dfw06s32-in-f8.1e100.net
Address 3: 74.125.227.160 dfw06s32-in-f0.1e100.net
Address 4: 74.125.227.174 dfw06s32-in-f14.1e100.net
Address 5: 74.125.227.165 dfw06s32-in-f5.1e100.net
Address 6: 74.125.227.161 dfw06s32-in-f1.1e100.net
Address 7: 74.125.227.167 dfw06s32-in-f7.1e100.net
Address 8: 74.125.227.162 dfw06s32-in-f2.1e100.net
Address 9: 74.125.227.169 dfw06s32-in-f9.1e100.net
Address 10: 74.125.227.164 dfw06s32-in-f4.1e100.net
Address 11: 74.125.227.163 dfw06s32-in-f3.1e100.net
Address 12: 2607:f8b0:4000:804::1003 dfw06s32-in-x03.1e100.net

passwd
Changes the logon password for the Sensor. It prompts for the old password and then prompts for a new password. A password
must contain at least eight characters and can consist of any alphanumeric character or symbol.
This command has no parameters.
Syntax:
passwd
Sample Output:
ntbaSensor@vNTBA> passwd
Please enter old password:xxxxxxxx
Please enter new password:

Please Re-enter new password:
Password successfully changed
Applicable to:
M-series and NS-series, and NTBA Appliances.

ping
Pings a network host. You can specify either an IPv4 or an IPv6 address. This command pings the Sensor and returns a response with the following values:

Value | Description
icmp_seq | number of times pinged to the Sensor
ttl | number of hops between the source and destination
time taken | the average time taken by the Sensor to respond to the ping
packets transmitted | number of packets transmitted during the ping
packets received | number of packets received during the ping
packet loss | number of packets lost during the execution of the command
rtt min/avg/max | minimum, average, and maximum round-trip time in a ping cycle

Syntax:
ping <A.B.C.D | A:B:C:D:E:F:G:H> -c <1-100>

Parameter | Description
<A.B.C.D> | denotes a 32-bit IPv4 address written as four eight-bit numbers separated by periods. Each number (A, B, C, or D) is an eight-bit value between 0 and 255.
<A:B:C:D:E:F:G:H> | denotes a 128-bit IPv6 address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a value between 0000 and FFFF.
-c <1-100> | denotes the number of ping requests to send. This parameter is optional and is used when the target must be pinged multiple times.

Sample Output:
• For Sensor, the output is as shown:
intruShell@NSP4050> ping 172.16.100.100
PING 172.16.100.100 with 32[60] bytes of data
40 bytes from host 172.16.100.100: icmp_seq=1 ttl=64 time taken 0.30 msec
--- 172.16.100.100 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0.30ms
rtt min/avg/max = 0.30/0.30/0.30 msec
• For an NTBA Appliance the output is as shown:

ntbaSensor@vNTBA> ping 172.16.100.100
host 172.16.100.100 is alive
• For Sensor, when it is pinged multiple times the output is as shown:
intruShell@NSP4050> ping 172.16.100.100 -c 3
PING 172.16.100.100 with 32[60] bytes of data
40 bytes from host 172.16.100.100: icmp_seq=1 ttl=64 time taken 0.41 msec
40 bytes from host 172.16.100.100: icmp_seq=2 ttl=64 time taken 0.20 msec
40 bytes from host 172.16.100.100: icmp_seq=3 ttl=64 time taken 0.19 msec
--- 172.16.100.100 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 0.80ms
rtt min/avg/max = 0.19/0.26/0.41 msec

Example:
The following command pings a 128-bit IPv6 address written as eight groups of four hexadecimal digits.
ping 2001:0db8:8a2e:0000:0000:0000:0000:0111
Applicable to:
M-series and NS-series, and NTBA Appliances.

quit
Exits the command line interface.
This command has no parameters.
Syntax:
quit
Applicable to:
M-series and NS-series, and NTBA Appliances.

reboot
Reboots the device. You must confirm that you want to reboot the device. If hitless reboot is currently available for the device, you are prompted to enter 'h' for a hitless reboot or 'y' for a full reboot. Use the status command to check whether the hitless reboot option is currently available for the device.
Note: In a full reboot, all processes of the device are restarted, so the device's function is interrupted until it comes up again. In a hitless reboot, only the required processes are restarted. For more information on hitless reboot, see the McAfee Network Security Platform Product Guide.
Syntax:
reboot
On executing the command the following messages are displayed:
• For Sensor, the output is as shown:
intruShell@john> reboot
Please enter Y to confirm: y
rebooting the Sensor...
Broadcast message from root (Fri Mar 29 05:45:14 2014):
The system is going down for reboot NOW!
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> reboot
Please enter Y to confirm: y
rebooting the NTBA Appliance ...

Broadcast message from root (Fri Mar 28 06:30:14 2014):
The system is going down for reboot NOW!

Applicable to:
M-series and NS-series, and NTBA Appliances.

resetconfig
Resets the NTBA configuration to the factory default values, clearing all user-defined configuration.
Syntax:
resetconfig
This command resets the configurations related to host fingerprinting, database pruning, anti-malware settings, proxy settings, and de-duplication. It also removes the anomaly profiles and signature file configurations. The command breaks the Manager trust and, after it completes successfully, prompts you to re-establish trust with the Manager. The command does not remove the exporter and interface details from the configuration.
On executing the command, the following messages are displayed:
Are you sure you want to reset the NTBA appliance configuration?
WARNING: All existing configuration will be lost and reset to defaults.
Please enter Y to confirm: y
If you enter Y, you will see:
Step 1 of 4: Checking if database migration is in progress
Database migration is not in progress. Continue with resetconfig.
Step 2 of 4: Removing trust with Network Security Manager
Step 3 of 4: Resetting NTBA configurations
Stopping all services
The configuration for the NTBA database is reset to default.
The configuration for NTBA services is reset to default.
Anomaly profile data is removed.
Signature files are removed.
Anti-Malware cache and DAT files are removed.
Miscellaneous configuration files are removed.
Executable classifications are removed.
Endpoint Intelligence Agent certificate files are removed.
Allowlist and blocklist sync information is reset to default.
ePolicy Orchestrator credentials are removed.
Step 4 of 4: Restarting all services
Configuration for NTBA appliance is reset to defaults.
IMPORTANT: Re-establish trust with Network Security Manager after the services are up. Go to the Manager console
and update configuration for the NTBA appliance so that the system can function.
Errors while running resetconfig
The following errors might occur while you reset the NTBA configuration:
Step 1 of 4: Checking if database migration is in progress
Database migration is not in progress. Continue with resetconfig.
Step 2 of 4: Removing trust with Network Security Manager
Network Security Manager trust is not removed. After resetconfig, run deinstall and re-establish the trust.
Step 3 of 4: Resetting NTBA configurations

Stopping all services
An error occurred while stopping the database events. Restart the appliance or VM and rerun resetconfig.
An error occurred while disabling database events. Restart the appliance or VM and rerun resetconfig.
An error occurred while generating disable-database processes script. Restart the appliance or VM and rerun resetconfig.
An error occurred while disabling database processes. Restart the appliance or VM and rerun resetconfig.
The NTBA database is down and so configuration can't be reset to default. Restart all services and once they are up, run resetconfig.
An error occurred while accessing the configuration database. Restart the appliance or VM and rerun resetconfig.
An error occurred while backing up the current configuration. Restart the appliance or VM and rerun resetconfig.
An error occurred while restoring internal configuration. Run deinstall and re-establish trust with Network Security Manager.
An error occurred while removing the configuration backup. This error can be ignored. So resetconfig will continue.
The configuration for the NTBA database is reset to default.
Verifying the software image failed on the appliance or VM. Load the correct NTBA software image and rerun resetconfig.
Extracting from a tar file failed. Load the correct NTBA software image and rerun resetconfig.
Checking consistency of software image failed on the appliance or VM. Load the correct NTBA software image and rerun resetconfig.
Retrieving the package from the software image failed. Load the correct NTBA software image and rerun resetconfig.
The configuration for NTBA services is reset to default.
Anomaly profile data is removed.
Signature files are removed.
Anti-Malware cache and DAT files are removed.
Miscellaneous configuration files are removed.
An error occurred while clearing the classification for executables.
Executable classifications are removed.
Endpoint Intelligence Agent certificate files are removed.
Allowlist and blocklist sync information is reset to default.
ePolicy Orchestrator credentials are removed.
Step 4 of 4: Restarting all services
An error occurred while sending a signal to the Service manager to use the latest configuration. Run service restart all.
An error occurred while sending a signal to the Service manager to restart services. Run service restart all.
An error occurred while restarting services. Run service restart all.
Configuration for the NTBA appliance is reset to default.

resetpasswd
Resets the logon password for the NTBA Appliance to the default value. You can run this command only after inserting the NTBA CD.
Syntax:
resetpasswd
On executing the command, the following messages are displayed:
Are you sure you want to reset admin password to default?
Please enter Y to confirm.

If you enter Y, you will see:
Resetting admin password to default . . .
Reset admin password to default completed,
please reboot the NTBA Appliance and remove the NTBA CD.

scan
Scans the IP address and provides information about host name, operating system, services running, device type, and MAC
address.
Syntax:
scan ip <ip_address>
Sample Output:
ntbaSensor@vNTBA> scan ip 192.168.1.5
Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-28 06:57 UTC
Nmap scan report for 10.213.171.222
Host is up (0.000025s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.0 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open ssl/https?
9876/tcp open sd?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port443-TCP:V=6.25%T=SSL%I=7%D=3/28%Time=53351D6F%P=x86_64-unknown-linu
SF:x-gnu%r(GetRequest,6F,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nConten
SF:t-Length:\x2033\r\nContent-Type:\x20text/plain\r\n\r\nDownload\x20hook\
SF:x20is\x20not\x20implemented\.")%r(FourOhFourRequest,6F,"HTTP/1\.0\x2050
SF:1\x20Not\x20Implemented\r\nContent-Length:\x2033\r\nContent-Type:\x20te
SF:xt/plain\r\n\r\nDownload\x20hook\x20is\x20not\x20implemented\.");
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.25%E=4%D=3/28%OT=22%CT=1%CU=35842%PV=Y%DS=0%DC=L%G=Y%TM=53351DF
OS:7%P=x86_64-unknown-linux-gnu)SEQ(SP=CF%GCD=1%ISR=D0%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M400CST11NWA%O2=M400CST11NWA%O3=M400CNNT11NWA%O4=M400CST11NWA%O5=
OS:M400CST11NWA%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6
OS:=8000)ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400C
OS:ST11NWA%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.18 seconds

service list
Lists all the available services.
Syntax:
service list
Sample Output:
ntbaSensor@vNTBA> service list
[Services List]
NetflowProcessor
AntiMalwareService
DeviceProfiler
EpIntelligenceServer

service restart
Restarts all services or the specified service. To get the list of all services, run the service list command.
This command takes all or <service_name> as its parameter.
Syntax:
service restart all
service restart <service_name>
Sample Output:
ntbaSensor@vNTBA> service restart all
Service command execution in progress. Please check status using "service status <service-name>" or status
command after some time.

service start
Starts all services or the specified service. To get the list of all services, run the service list command.
This command takes all or <service_name> as its parameter.
Syntax:
service start all
service start <service_name>
For example, if the service user display name is NetflowProcessor, the command is service start NetflowProcessor.
Sample Output:
ntbaSensor@NTBA_210> service start NetflowProcessor
Service command execution in progress. Please check status using "service status <service-name>" or status
command after some time.

service status
Shows the status of all services or the specific service. To get the list of all services, run the service list command.
This command takes all or <service_name> as its parameter.

Syntax:
To get the status of all services, run:
service status
service status all
To get the status of a specific service, run:
service status <service_name>
For example, if the service user display name is NetflowProcessor, the command is service status NetflowProcessor.
Sample Output:
• For a particular service:
ntbaSensor@vNTBA> service status NetflowProcessor
[Services Status]
NetflowProcessor : Running
• For all services:
ntbaSensor@vNTBA> service status all
[Services Status]
NetflowProcessor : Running
AntiMalwareService : Running
DeviceProfiler : Disabled
EpIntelligenceServer : Running

The service statuses are displayed as:
• Running — The service is running properly.
• Not Running — The service is not running because of some issue, for example, a service crash.
• Stopped — This status appears for a service after a user runs the service stop command for it.
• Disabled — This status depends on the Manager configuration set by the administrator. It appears only for the DeviceProfiler service, based on the Manager configuration.
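As an added example (not code from the product guide), the following Python script parses the output of service status all and applies the status meanings listed above: Running is healthy, Disabled is acceptable only for DeviceProfiler, and Not Running or Stopped services are reported together with the service restart or service start command to run. The sample output, the expected service list (taken from service list) and the recommended actions are this script's own assumptions.

```python
import re

# Constructed sample, modelled on the guide's "service status all" listing
# (not captured from a real appliance).
SAMPLE_STATUS_OUTPUT = """ntbaSensor@vNTBA> service status all
[Services Status]
NetflowProcessor : Running
AntiMalwareService : Not Running
DeviceProfiler : Disabled
EpIntelligenceServer : Stopped
"""

# The four services that "service list" shows on the appliance.
EXPECTED_SERVICES = ("NetflowProcessor", "AntiMalwareService",
                     "DeviceProfiler", "EpIntelligenceServer")

# The only service the guide says can legitimately report Disabled
# (it is switched off through the Manager configuration).
MAY_BE_DISABLED = {"DeviceProfiler"}

# One status line: "<ServiceName> : <Status>", where Status is one of the
# four values the guide defines.
STATUS_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_]+)\s*:\s*"
    r"(?P<status>Running|Not Running|Stopped|Disabled)\s*$"
)


def parse_service_status(output):
    """Return {service_name: status} from the [Services Status] block.

    Everything before the block header (the echoed prompt and command) is
    ignored, so a pasted CLI session can be fed in as-is.
    """
    statuses = {}
    in_block = False
    for line in output.splitlines():
        if line.strip() == "[Services Status]":
            in_block = True
            continue
        if not in_block:
            continue
        match = STATUS_LINE.match(line)
        if match:
            statuses[match.group("name")] = match.group("status")
    return statuses


def find_unhealthy(statuses, expected=EXPECTED_SERVICES):
    """Return {service_name: recommended action} for every service needing attention.

    Running is healthy. Disabled is acceptable only for DeviceProfiler.
    Not Running means the service died on its own; Stopped means an operator
    ran "service stop". A service missing from the output is also reported.
    """
    findings = {}
    for name in expected:
        if name not in statuses:
            findings[name] = "missing from status output; run service status all again"
    for name, status in statuses.items():
        if status == "Running":
            continue
        if status == "Disabled":
            if name in MAY_BE_DISABLED:
                continue  # administratively disabled via the Manager; informational only
            findings[name] = "Disabled is unexpected for this service; check the Manager configuration"
        elif status == "Not Running":
            findings[name] = f"not running (possible crash); run service restart {name}"
        elif status == "Stopped":
            findings[name] = f"stopped by an operator; run service start {name} if unintended"
    return findings


def health_report(output):
    """Parse the output and return (healthy, findings) for a monitoring check."""
    findings = find_unhealthy(parse_service_status(output))
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, issues = health_report(SAMPLE_STATUS_OUTPUT)
    print("healthy" if ok else "needs attention")
    for service, action in issues.items():
        print(f"  {service}: {action}")
```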

service stop
Stops all services or the specified service. To get the list of all services, run the service list command.
This command has all and <service_name> as parameters
Syntax:
service stop all
service stop <service_name>
For example, if the service user display name is NetflowProcessor, the command is service stop NetflowProcessor.
Sample Output:
ntbaSensor@NTBA_210> service stop NetflowProcessor
Service command execution in progress. Please check status using "service status <service-name>" or status
command after some time.

set antimalware cache
Allows you to enable or disable the antimalware cache.
Syntax:
set antimalware cache <enable/disable>

set console timeout
Specifies the number of minutes of inactivity before the console or SSH session times out.
Syntax:
set console timeout <0-1440>

Parameter | Description
<0-1440> | An integer number of minutes between 0 and 1440 (24 hours). If the value is set to 0, the session never times out.
Example:
set console timeout 60
Default Value:
15 (15 minutes)
Applicable to:
M-series and NS-series Sensors and NTBA Appliances.

set dbdisksize
Specifies the percentage of disk size that can be allocated for the netflow and forensic databases. The allowed range is 20-80%.
Syntax:
set dbdisksize netflow <20-80>
set dbdisksize forensic <20-80>
Sample Output:
ntbaSensor@vNTBA> set dbdisksize netflow 60
Setting database disk size...
Database disk size is set. Restarting netflow service...
ntbaSensor@vNTBA> set dbdisksize forensic 40
Setting database disk size...
Database disk size is set. Restarting forensic service...

set flow-fw
Forwards a copy of the NetFlow information from the NTBA Appliance to a third party device.
Syntax:
set flow-fw ip <A.B.C.D> port <1-65535>

Parameter | Description
<A.B.C.D> | A 32-bit IPv4 address written as four eight-bit numbers separated by periods. Each of A, B, C, and D is an eight-bit number between 0 and 255.
<1-65535> | Port number on the receiving device, in the range 1 to 65535

Note: This command applies only to NTBA Appliances. It forwards NetFlow information that the NTBA Appliance receives from third-party network devices such as Cisco routers. NetFlow information received by the NTBA Appliance from Network Security Sensors is proprietary and is not forwarded when this command is executed.

set endpointintelligence demo
Enables or disables endpoint intelligence in demo mode.
Syntax:
set endpointintelligence demo <enable/disable>
Sample Output:
• Enable endpoint intelligence demo mode:
ntbaSensor@vNTBA> set endpointintelligence demo enable
Setting endpoint intelligence in demo mode.
Demo handler is created.
Configuration file for certificates is created.
NTBA private key is created and copied.
Endpoint key is created and self signed.
ePolicy Orchestrator certificate is copied.
Endpoint certificate files are created.
Uploading endpoint certificates to tftp server 10.213.173.1 ...
Uploading eiahostcert.p12 ...
Transfer Successful
Uploading CA certificates to tftp server 10.213.173.1 ...
Uploading ntbacacert.pem ...
Transfer Successful
Endpoint intelligence is set in demo mode.
• Disable endpoint intelligence demo mode:
ntbaSensor@vNTBA> set endpointintelligence demo disable
Setting endpoint intelligence in demo mode.
Demo file is removed.
ePolicy Orchestrator demo certificates are removed.
Demo certificates are removed.
Private key is removed.
Endpoint certificate is removed.
Demo mode is disabled for endpoint intelligence.

Errors while running set endpointintelligence demo
The following errors might occur while you run this command:
Error: The system failed to remove the demo handler.
Error: The system failed to clean up the ePolicy Orchestrator demo certificates.
Error: The system failed to clean up the endpoint intelligence demo certificates.
Error: The system failed to clean up the private key.
Error: The system failed to clean up the endpoint certificate.
Error: The TFTP server IP address is not set. Run set tftp server ip to set the IP address.
Error: The system failed to create the demo handler.
Error: The system failed to create the configuration file required to create the certificates.
Error: The system failed to create the NTBA private key.
Error: The system failed to copy the NTBA private key.

Error: The system failed to create the endpoint key.
Error: The system failed to self sign the endpoint private key.
Error: The system failed to copy the ePolicy Orchestrator certificate.
Error: The system failed to create the endpoint certificate files.
The certificate files upload process failed or timed out.
Make sure that you have a file $SRCFILENAME with correct permissions.
If the full path name doesn't work, try path name relative to /tftpboot.
Timeouts may occur when the network is congested.
Error: The system failed to upload the endpoint certificate file.
The certificate files upload process failed or timed out.
Make sure that you have a file $SRCFILENAME with correct permissions.
If the full path name doesn't work, try path name relative to /tftpboot.
Timeouts may occur when the network is congested.
Error: The system failed to upload the endpoint certificate file.
Error: The system failed to upload the CA certificate file.

set endpointintelligence alertinterval
Configures the interval, in days, after which a throttled alert is raised again. By default, it is 7 days.
Syntax:
set endpointintelligence alertinterval <0-30>
Note: Configure it as zero if you want to disable alert throttling.
Sample Output:
Setting the endpoint intelligence alert interval
Alert throttle interval is set to 1.
If you wish to disable alert throttling, set the interval to 0.
• If EIS is enabled and you disable alert throttling:
ntbaSensor@vNTBA> set endpointintelligence alertinterval 0
Alert throttle interval was set to 0. Continue with the cleanup.
Stopping endpoint intelligence services
Resetting the alert throttle for all executables
Removing alert throttling files
Restarting endpoint intelligence services. This will take few minutes.
• If EIS is disabled and you disable alert throttling:
ntbaSensor@vNTBA> set endpointintelligence alertinterval 0
Setting endpoint intelligence alert interval.
Alert throttle interval set to 0.

Errors while running set endpointintelligence alertinterval
The following errors might occur while you run this command:
Error: The system can't find alert statistics. From the Manager console, go to Setup | Enable Integration,
enable EIA integration and configure the settings.
Error: An exception occurred while resetting the alert throttle for executables. Try to set the alert interval.
Error: The system can't communicate with the Service manager. Restart the endpoint intelligence services.
Error: An exception occurred while restarting endpoint intelligence services. Run the endpoint intelligence
services.
Error: An exception occurred while setting the alert throttle interval. Set the alert throttle interval again.

set htf delta-period
Specifies the duration (in minutes) of the htf delta period.
Syntax:
set htf delta-period WORD

Parameter | Description
WORD | the number of minutes, between 0 and 1440

Example:
set htf delta-period 180
Tip: Run the show htf CLI command to check if the change has taken effect.

set htf max-deltas
Specifies the maximum count for the htf delta period.
Syntax:
set htf max-deltas <1-100>

Parameter | Description
<1-100> | an integer between 1 and 100

Example:
set htf max-deltas 100

set manager alertport
Specifies the port on which the Manager listens for Sensor alerts. You can assign any unassigned port for this communication. If the Sensor and the Manager are separated by a firewall, make sure that the specified port is open on the firewall. If your Sensor is already installed, deinstall the Sensor before changing this parameter.
Syntax:
set manager alertport <0-10000>

Parameter | Description
<0-10000> | the port number, an integer between 0 and 10000

On executing the command, the following messages are displayed:
• When Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When Sensor is deinstalled:
Missing manager alert port, default 8502 used

Default Value:

Default port number is 8502.
Applicable to:
M-series and NS-series, and NTBA Appliances.

set manager installsensorport
Specifies the port that the Manager uses to exchange configuration information with the Sensor when using 2048-bit encryption. You can assign any unassigned port for this communication.
Syntax:
set manager installsensorport <0-10000>

Parameter | Description
<0-10000> | the port number, an integer between 0 and 10000

On executing the command, the following messages are displayed:
• When Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When Sensor is deinstalled:
Missing manager Install Sensor Port, default 8501 used

Default Value:
Default port number is 8501.
Applicable to:
M-series and NS-series, and NTBA Appliances.

set manager ip
Specifies the IPv4 or IPv6 address of the Manager server's primary interface.
Syntax:
set manager ip <A.B.C.D | A:B:C:D:E:F:G:H>

Parameter | Description
<A.B.C.D> | a 32-bit IPv4 address written as four eight-bit numbers separated by periods. Each of A, B, C, and D is an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H> | a 128-bit IPv6 address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a value between 0000 and FFFF.

Example:
set manager ip 192.34.2.8
Or
set manager ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
Note: If one or more consecutive four-digit groups are 0000, those zeros may be omitted and replaced with two colons (::).
Applicable to:

M-series and NS-series, and NTBA Appliances.

set manager secondary ip
Specifies an IPv4 or IPv6 address for the Manager server's secondary interface.
Syntax:
set manager secondary ip <A.B.C.D | A:B:C:D:E:F:G:H>

Parameter | Description
<A.B.C.D> | a 32-bit IPv4 address written as four eight-bit numbers separated by periods. Each of A, B, C, and D is an eight-bit number between 0 and 255.
<A:B:C:D:E:F:G:H> | a 128-bit IPv6 address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a value between 0000 and FFFF.

Example:
set manager secondary ip 192.34.2.8
Or
set manager secondary ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
Note: If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons (::)
Applicable to:
M-series and NS-series, and NTBA Appliances.

set mgmtport auto


Configures the Management port to auto-negotiate the connection between the Sensor and the network device.
This command has no parameters.
Syntax:
set mgmtport auto
Default Value:
By default, the Management port is set to auto (auto-negotiate).
Applicable to:
M-series and NS-series, and NTBA Appliances.

set mgmtport speed and duplex


Configures the management port to match the speed of the network device connecting to the Sensor and to run in full- or half-
duplex mode.
Syntax:
set mgmtport <speed <10 | 100> duplex <full | half>>

Parameter          Description
<10|100>           Sets the speed on the Ethernet management port, either 10 or 100 Mbps. To set the speed to 1000 Mbps, use the set mgmtport auto command.
<half|full>        Sets the duplex mode on the Ethernet management port: half for half duplex, full for full duplex.

Note: The NS9500 and NS7500 Sensor models do not support this command. The speed of the management port in these
Sensors is set to auto by default.
Default Value:
By default, the management port is set to auto (auto-negotiate).
Applicable to:
NS-series Sensors except NS9500 and NS7500

set sensor gateway


Specifies the IPv4 address of the gateway for the Manager server.
Syntax:
set sensor gateway <A.B.C.D>

Parameter          Description
<A.B.C.D>          A 32-bit address written as four eight-bit numbers separated by periods. Each of A, B, C, and D is an eight-bit number between 0-255.

Sample Output:
• For Sensor, the output is as shown:
intruShell@john> set sensor gateway 10.213.174.201
sensor gateway = 10.213.174.201
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> set sensor gateway 192.34.2.8
sensor gateway = 192.34.2.8

Example:
set sensor gateway 192.34.2.8
Applicable to:
M-series and NS-series, and NTBA Appliances.

set sensor ip
Specifies the Sensor's IPv4 address and subnet mask. Changing the Sensor IP requires a Sensor reboot for the changes to take
effect. See the reboot command for instructions on how to reboot the Sensor.
Syntax:
set sensor ip <A.B.C.D E.F.G.H>

Parameter              Description
<A.B.C.D E.F.G.H>      An IPv4 address followed by a netmask. The netmask strips the host ID from the IP address, leaving only the network ID. Each netmask consists of binary ones (decimal 255) to mask the network ID and binary zeros (decimal 0) to retain the host ID of the IP address (for example, the default netmask setting for a Class C address is 255.255.255.0).

Sample Output:
• For Sensor, the output is as shown:
intruShell@john> set sensor ip 10.213.168.169 255.255.255.0
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = 10.213.168.169, sensor subnet mask = 255.255.255.0
• For an NTBA Appliance, the output is as shown:
ntbaSensor@NTBA_210> set sensor ip 10.213.171.210 255.255.255.0
Sensor IP is already set, new IP will take effect after a reboot
sensor ipv4 = 10.213.171.210, sensor subnet mask = 255.255.255.0

Example:
set sensor ip 192.34.2.8 255.255.0.0
Applicable to:
M-series and NS-series, and NTBA Appliances.

set sensor name


Sets the name of the Sensor. This name is used to identify the Sensor to the Manager and to identify the Sensor to the admin in
the Manager interface. The name you use here in the CLI to identify the Sensor must match the name you use in the Manager
interface or the Manager and Sensor will be unable to communicate.
Syntax:
set sensor name <WORD>

Parameter          Description
<WORD>             A case-sensitive character string of up to 25 characters. The string can include hyphens, underscores, and periods, and must begin with a letter.

Sample Output:
On executing the command, one of the following messages is displayed:
• When Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When Sensor is deinstalled:
◦ intruShell@john> set sensor name admin
sensor name = admin
◦ ntbaSensor@NTBA_210>set sensor name vNTBA
sensor name = vNTBA

Example:
set sensor name SanJose_Sensor1

Applicable to:
M-series and NS-series, and NTBA Appliances.

set sensor sharedsecretkey


Specifies the shared secret key value that the Manager and Sensor will use to establish a trust relationship.
Type the command as shown in the Syntax below. The Sensor prompts you for a secret key value. The value you enter is not
shown. You will be prompted to type the value a second time to verify that the two entries match.
Note: The sharedsecretkey value you use here in the CLI to identify the Sensor must match the one you use in the Manager
interface, or the Manager and Sensor will be unable to communicate. If you want to change the value, you must change it
in the CLI as well as in the Manager interface.
Syntax:
set sensor sharedsecretkey
At the Sensor's prompt for a secret key value, enter a case-sensitive character string between 8 and 25 characters of any ASCII
text.
Sample Output:
On executing the command, one of the following messages is displayed:
• When the Sensor is installed:
sensor is already installed, please do a deinstall before changing this parameter
• When Sensor is deinstalled:
◦ intruShell@john> set sensor shared secretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI
◦ ntbaSensor@vNTBA> set sensor sharedsecretkey
Please enter shared secret key:
Please Re-enter shared secret key:
This will take a couple of seconds, please check status on CLI

Applicable to:
M-series and NS-series, and NTBA Appliances.
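The set sensor ip, set sensor name, set sensor sharedsecretkey and set manager ip commands above each state a value format, and the appliance only reports a bad value after you have typed it. The following is an added example, not code from the McAfee guide or the product, that checks those formats beforehand: it applies a netmask exactly as the set sensor ip table describes (ones keep the network ID, zeros drop the host ID), compresses and expands IPv6 addresses as the "::" note permits, and enforces the stated sensor name and shared secret rules. Two assumptions are labelled in the code: digits are allowed in a Sensor name (the guide's own example SanJose_Sensor1 contains one), and the shared secret is restricted to printable ASCII.

```python
"""Pre-flight validation of values typed into the Sensor/NTBA CLI.

Added example (not from the McAfee guide). It checks the value formats the
guide states for set sensor ip, set sensor name, set sensor sharedsecretkey,
set manager ip and the port commands before they are entered on the appliance.
"""
import ipaddress
import re

# The guide states: case-sensitive, up to 25 characters, may include hyphens,
# underscores and periods, must begin with a letter. Assumption: digits are
# also allowed, as in the guide's own example SanJose_Sensor1.
SENSOR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,24}$")


def check_sensor_name(name: str) -> bool:
    """True when the name satisfies the set sensor name rules."""
    return SENSOR_NAME_RE.match(name) is not None


def check_shared_secret(secret: str) -> bool:
    """8 to 25 characters of ASCII text; assumption: printable ASCII only."""
    return 8 <= len(secret) <= 25 and all(32 <= ord(c) <= 126 for c in secret)


def check_port(port: int) -> bool:
    """Port range accepted by set manager installsensorport / alertsensorport."""
    return 0 <= port <= 10000


def network_id(ip: str, netmask: str) -> str:
    """Apply the netmask as the guide describes: binary ones keep the network ID,
    binary zeros drop the host ID. A non-contiguous mask such as 255.0.255.0
    raises ValueError, so a mistyped mask is caught here."""
    net = ipaddress.IPv4Network((ip, netmask), strict=False)
    return str(net.network_address)


def compress_ip(addr: str) -> str:
    """Canonical form of an IPv4 or IPv6 address; for IPv6 the longest run of
    0000 groups collapses to '::' exactly as the guide's note permits."""
    return str(ipaddress.ip_address(addr))


def expand_ipv6(addr: str) -> str:
    """The reverse: write every group of an IPv6 address as four hex digits."""
    return ipaddress.IPv6Address(addr).exploded


def check_setup_answers(answers: dict) -> list:
    """Validate one set of answers to the setup prompts; returns the problems found."""
    problems = []
    if not check_sensor_name(answers.get("sensor_name", "")):
        problems.append("sensor_name")
    try:
        network_id(answers["sensor_ip"], answers["subnet_mask"])
    except (KeyError, ValueError):
        problems.append("sensor_ip/subnet_mask")
    for key in ("manager_ip", "gateway"):
        try:
            ipaddress.ip_address(answers[key])
        except (KeyError, ValueError):
            problems.append(key)
    if not check_shared_secret(answers.get("shared_secret", "")):
        problems.append("shared_secret")
    return problems


if __name__ == "__main__":
    # Constructed values in the same shape as the guide's setup sample output.
    print(check_setup_answers({
        "sensor_name": "NTBA_210", "sensor_ip": "10.213.171.210",
        "subnet_mask": "255.255.255.0", "manager_ip": "10.213.171.215",
        "gateway": "10.213.171.252", "shared_secret": "example-secret-1"}))
```

Run check_setup_answers on the values you intend to type at the setup prompts; an empty list means every value is in the format the guide specifies, and the names in the list tell you which prompt would be rejected or, worse, accepted with a wrong network ID.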

set store-url-type
This command configures whether the NTBA Appliance stores only the domain name or the full path of a captured URL.
Example: For domain-name: http://abc.com; for full-url: http://abc.com/image.html.
Syntax:
set store-url-type <domain-name | full-url>

Parameter          Description
domain-name        Capture only the domain name information from the URL.
full-url           Capture the full path information from the URL.

Note: When the NTBA Appliance is configured to store full URL (set store-url-type full-url), the performance might drop by 25-30
percent.
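The two store-url-type modes are easier to reason about when you can see what each one keeps. This added example (not code from the McAfee guide or the product) reproduces the guide's own illustration, http://abc.com versus http://abc.com/image.html, and extends it to the cases a practitioner hits in real traffic: an explicit port, an IPv6 literal, a URL carrying userinfo and a fragment. It assumes that userinfo and fragments are never stored in either mode and that only an explicitly given port is echoed; stored_bytes is a rough way to see the storage side of the 25-30 percent cost the note mentions.

```python
"""What set store-url-type keeps from a URL: domain-name versus full-url.

Added example, not code from the McAfee guide; it mirrors the guide's own
example (http://abc.com versus http://abc.com/image.html) and shows what each
mode drops. Assumptions: userinfo and fragments are never stored in either
mode, and only an explicitly given port is echoed.
"""
from urllib.parse import urlsplit

MODES = ("domain-name", "full-url")   # the two keywords the CLI accepts


def capture_url(url: str, mode: str) -> str:
    """Return the string the appliance would store for `url` in `mode`."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute HTTP(S) URL: {url!r}")
    host = parts.hostname                       # lower-cased, userinfo removed
    if ":" in host:                             # IPv6 literal: restore brackets
        host = f"[{host}]"
    if parts.port is not None:                  # explicit port only
        host = f"{host}:{parts.port}"
    domain_only = f"{parts.scheme}://{host}"
    if mode == "domain-name":
        return domain_only
    full = domain_only + (parts.path or "/")
    if parts.query:
        full += "?" + parts.query
    return full                                 # fragment is never sent on the wire


def stored_bytes(urls, mode: str) -> int:
    """Total bytes kept for these URLs in the given mode, a rough proxy for the
    extra storage that full-url costs over domain-name."""
    return sum(len(capture_url(u, mode).encode()) for u in urls)


if __name__ == "__main__":
    # Constructed sample URLs, not traffic from the guide.
    sample = ["http://abc.com/image.html",
              "https://user:pw@abc.com:8443/a/b?x=1#frag",
              "http://[2001:db8::1]/p"]
    for mode in MODES:
        print(mode, [capture_url(u, mode) for u in sample], stored_bytes(sample, mode))
```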

set tftpserver ip
Specifies the IPv4 or IPv6 address of your TFTP server.
Syntax:
set tftpserver ip <A.B.C.D | A:B:C:D:E:F:G:H>

Parameter              Description
<A.B.C.D>              A 32-bit address written as four eight-bit numbers separated by periods. Each of A, B, C, and D is an eight-bit number between 0-255.
<A:B:C:D:E:F:G:H>      A 128-bit address written as eight groups of four hexadecimal digits, separated by colons. Each group (A, B, C, D, and so on) is a hexadecimal number between 0000-FFFF.

Sample Output:
• For Sensor, the output is as shown:
intruShell@john> set tftpserver ip 192.34.5.12
TFTP Server IP = 192.34.5.12
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> set tftpserver ip 192.34.2.54
TFTP Server IP = 192.34.2.54

Example:
set tftpserver ip 192.34.2.54
Or
set tftpserver ip 2001:0db8:8a2e:0000:0000:0000:0000:0111
Note: If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons (::).
Applicable to:
M-series and NS-series, and NTBA Appliances.

setup
This command is used to set up Sensor parameters. You must run this command when you first set up your Sensor or
after resetting the Sensor using the factory defaults command.
This command has no parameters.
Syntax:
setup
When you enter this command, you are prompted to enter the following:
• Current password
• New password
• Sensor name
• IP Type (IPV4=1 or IPV6=2 or BOTH=3)
Note: The IP Type command is applicable only for IPS. It is not applicable for NTBA.
• Sensor IP(IPv4 or IPv6 address or BOTH)
• Sensor subnet mask (IP address)
• Manager primary IP (IPv4 or IPv6 address or BOTH)
• Manager secondary IP (IPv4 or IPv6 address or BOTH)
• Sensor default gateway (IPv4 or IPv6 address or BOTH)
• Management port configuration choice (a/m)
• Shared secret key
Note: If you press Enter, your current settings are taken as default.
Sample Output:
ntbaSensor@NTBA_210> setup
**Press ESC key or CTRL-C at any prompt to abort the setup**
Please enter the current password before starting setup:
Please enter the new password [current password]:
Please confirm the new password:
Password successfully changed
Please enter the sensor name [NTBA_210]:
Please enter the sensor IP(A.B.C.D) [10.213.171.210]:
Please enter the sensor subnet mask(A.B.C.D) [255.255.255.0]:
Please enter the manager primary IPv4 address(A.B.C.D) [10.213.171.215]:
**You can set the Manager secondary IP in case the manager has two interfaces**
Press Y to configure manager secondary IP address [N]: n
Please enter the sensor default gateway(A.B.C.D) [10.213.171.252]:
Please enter management port configuration choice(a/m) [Auto]: a
Sensor configuration is almost complete. The final step is to establish a secure management channel (trust)
between the sensor and its Manager.
This is accomplished by a secret key that is shared by the Manager and this sensor.
Please ensure that a shared secret key has already been defined on the Manager for this sensor...
Press Y to set shared secret key now or N to exit [Y]: y
Please enter shared secret key:
Please re-enter the shared secret key:
This will take a couple of seconds, please check status on CLI

show
Shows all the current configuration settings on the Sensor, such as model, installed software version, IP address, and Manager details.
This command has no parameters.
Syntax:
show
Information displayed by the show command includes:
[Sensor Info]
• Date
• System Uptime
• System Type
• Software Version
• MGMT Ethernet Port
• System serial number (displays the primary, secondary and master/system serial numbers separately in case of NS9300)
[Sensor Network Config]
• IP Address
• Netmask
• Default Gateway
• Default TFTP server
[Manager Config]
• Manager IP addr
• Install TCP Port
• Alert TCP Port
[Peer Manager Config]
• Manager IP addr
• Install TCP Port
• Alert TCP Port
Sample Output:
• For Sensor, the output is as shown:
intruShell@john> show
[Sensor Info]
System Name : M6050
Date : 2/6/2015 - 9:23:18 UTC
System Uptime : 6 days 23 hrs 10 min 13 secs
System Type : M-6050
Serial Number : J021834009
Software Version : 8.2.2.98
Hardware Version : 1.30
MGMT Ethernet port : auto negotiated
MGMT port Link Status : link up
[Sensor Network Config]
IP Address : 10.213.174.202
Netmask : 255.255.255.0
Default Gateway : 10.213.174.201
SSH Remote Logins : enabled
[Manager Config]
Manager IP addr : 10.213.169.178 (primary intf)
Install TCP Port : 8506
Alert TCP Port : 8507
Logging TCP Port : 8508
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> show
[Sensor Info]
System Name : vNTBA
Date : Fri Mar 28 08:55:26 2014
System Uptime : 02 hrs 24 min 54 secs
System Type : T-200VM
Serial Number : T0020140324185515
Software Version : 8.1.3.6
MGMT Ethernet port : speed = 10 mbps, full duplex, link up
[Sensor Network Config]
IP Address : 1.1.1.1
Netmask : 255.255.255.0
Default Gateway : 1.1.1.5
Default TFTP server : 1.2.3.4
[Manager Config]
Manager IP addr : 1.1.1.2 (primary intf)
Install TCP Port : 8501
Alert TCP Port : 8502
• For NS9300 Sensor, the output is as shown:
intruShell@KAM9300> show
[Sensor Info]
System Name : KAM9300
Date : 1/28/2015 - 8:34:53 UTC
System Uptime : 6 days 22 hrs 03 min 43 secs
System Type : IPS-NS9300
System Serial Number : J073350027
NS9300 P Serial Number : J071328008
NS9300 S Serial Number : J064227B70
Software Version : 8.1.5.71
Hardware Version : 1.10
MGMT Ethernet port : auto negotiated
MGMT port Link Status : link up
[Sensor Network Config]
IP Address : 1.1.1.1
Netmask : 255.255.255.0
Default Gateway : 1.1.1.5
Default SCPserver : 1.2.3.4
SSH Remote Logins : enabled
[Manager Config]
Manager IP addr : 1.1.1.2 (primary intf)
Install TCP Port : 8506
Alert TCP Port : 8507
Logging TCP Port : 8508

Applicable to:
M-series and NS-series, and NTBA Appliances.

show aggstats
Displays aggregator statistics.
Syntax:
show aggstats
Sample Output:
ntbaSensor@vNTBA> show aggstats
[Aggregation module stats]
aggregator - mode : 1
aggregator - running flag : 1
aggregator - stop flag : 0
aggregator - thread stage : 11
aggregator - number of peers : 2
aggregator - peer component nodes :
1.0.0.0
10.213.173.174
aggregator - thread start timestamp : Mon Sep 30 14:54:58 2013
aggregator - latest packet processing timestamp : Tue Oct 1 10:27:32 2013
aggregation self - running flag : 1
aggregation self - stop flag : 0
aggregation self - thread stage : 15
aggregation self - thread start timestamp : Mon Sep 30 14:54:58 2013
aggregation self - latest run timestamp : Tue Oct 1 10:27:19 2013
aggregation committer - running flag : 1
aggregation committer - stop flag : 0
aggregation committer - thread stage : 2
aggregation committer - thread start timestamp : Mon Sep 30 14:54:58 2013
aggregation committer - latest run timestamp : Tue Oct 1 10:27:34 2013
component - mode : 0
component - running flag : 0
component - stop flag : 0
component - thread stage : 51
component - aggregator ip : 0.0.0.0
component - thread start timestamp : Not applicable
component - latest packet processing timestamp : Not applicable
Num of Sensor_Traffic monitor data processed : 2786
Num of Top_HTF monitor data processed : 3245
Num of Top_Src_Host monitor data processed : 3246
Num of Top_Dst_Host monitor data processed : 0
Num of Top_Hosts monitor data processed : 0
Num of Top_Ext_Hosts monitor data processed : 3246
Num of Zones monitor data processed : 3246
Num of Top_Services monitor data processed : 3246
Num of Top_Applications monitor data processed : 3173
Num of New_Hosts monitor data processed : 3251
Num of New_Services monitor data processed : 3251
Num of New_Apps monitor data processed : 3251
Num of Top_Files monitor data processed : 0
Num of Top_URLs monitor data processed : 2093
Num of Interface_Summary monitor data processed : 3251

show anomaly
Displays statistics of host-level and zone-level anomaly profiles created.
Syntax:
show anomaly
Sample Output:
ntbaSensor@vNTBA> show anomaly
[anomaly info]
[zone anomaly status:]
[0] Zone id: 112, mode: DETECTION
[1] Zone id: 113, mode: DETECTION
[2] Zone id: 109, mode: DETECTION
[Host anomaly status:]
Number of Host Profiles maintained: 869
Number of hosts in DETECTION mode: 486

show antimalware scandetails


Displays the antimalware scanning details for IPS Sensors.
Syntax:
show antimalware scandetails
Sample Output:
ntbaSensor@vNTBA> show antimalware scandetails
[Antimalware Scanning details for IPS Sensors]
--------- IPS Sensor [1] ------------------------------ ---------------
IPS Sensor IP : 172.16.230.36
TotalPktsReceived : 652
TotalPktsSent : 652
LastPktRecvdTime : Thu Sep 12 13:22:52 2013
LastPktSentTime : Thu Sep 12 13:22:52 2013
Successful scan counts : 0
Session Handle Null counts : 0
Internal Error Counts : 0
Unknown command received from IPS : 0
File String NULL : 0
File Data NULL : 0
Unknown File : 0
Out of Order Packets : 0
Scan Failed : 0
Md5 Mismatch : 0
Max Load on Workers : 0
Memory allocation Failure : 0
File Transfer Timeout : 0
New File Count : 0
Shared Memory Allocation Failed Count : 0
Scan Response Sent : 0
Scan Request Received : 0
Scan Requests Timedout : 0
LastKeepAliveRecvdTime : Thu Sep 12 13:22:52 2013
LastKeepAliveSentTime : Thu Sep 12 13:22:52 2013
KeepAliveReceivedCount : 651
KeepAliveSentCount : 651
Md5 of Last File Downloaded From IPS : 86aa4dd53cfeefb17a722485b98b20af

show antimalware encryption status


Displays encryption status on the antimalware channel.
Syntax:
show antimalware encryption status
Sample Output:
ntbaSensor@vNTBA> show antimalware encryption status
Strong encryption on the antimalware channel.
Applicable to:
NTBA Appliances

show antimalware status


Displays the anti-malware engine status (initialized or uninitialized), the anti-malware engine dat version, the anti-malware dat
version, the anti-malware last update time, the anti-malware last update status, the anti-malware last update status details, the
total scan requests received, the successful scans, and the failure count. It also displays the number of entries of a scanned file in
the cache, for example, how many times the same file was sent to the NTBA Appliance (hit count), the last access time, and the
last update time.
Syntax:
show antimalware status
Sample Output:
ntbaSensor@vNTBA> show antimalware status
[AntiMalware Engine Status]
Current Engine Status : Anti-Malware Engine Initialized
Gateway Antimalware Engine Version : 7001.1403.1968
Gateway Antimalware Dat Version : 3185
Antivirus Dat Version : 7195
Antivirus Engine Version : 5600
[AntiMalware Update Status]
Last Update Time : Thu Sep 12 12:11:49 2014
Last Update Status : Download Updates Success
Last Update Status Details : Success
[AntiMalware Scan Summary]
Total Scan Requests : 10
Total Successful scans : 9
Total Scan Failures : 1
[AntiMalware Cache Stats]
Number of Entries in Cache : 0
Hit Count : 0
Last Access Time :
Last Update Time :
Cache Look up : Enabled
The Current Engine Status might display any of the following statuses depending on the action performed:

Action                                                            Status Description
Engine is initialized whenever the IPS service comes up           Anti-Malware Engine Initializing
Engine fails to initialize                                        NTBA failed to initialize Anti-Malware Engine because Anti-Malware signatures are not available. Please try "download antimalware updates" command.
Engine is successfully initialized                                Anti-Malware Engine Initialized
NTBA fails to initialize the downloaded anti-malware signatures   NTBA failed to initialize the downloaded Anti-Malware signatures

The following table lists the different statuses that can be displayed by Last Update Status and the corresponding Last Update
Status Details depending on the action:

Last Update Status                          Last Update Status Details
Download Updates Failed                     • Update Request Not Valid
                                            • Protocol Version Not Supported
                                            • No Node Groups Found
                                            • Request Blocked by Export Compliance
                                            • Internal Server Error
Download Updates In Progress                • Sending Update Request
                                            • Parsing Response
                                            • Downloading Dat and Engine Files
                                            • Validating Downloaded Engine
Download Updates Failed                     • Sending Update Request Failed
                                            • Get Url List Failed
                                            • Failed to Download Dat and engine Files
                                            • Could not get Version
                                            • Internal Error
                                            • Validating Downloaded Engine Failed
Download Updates Success                    Nothing To Update
Download Updates Completed                  Success
Update Dats In Progress                     Applying Dats and Engine
Update Dats Completed                       Success
Update Dats Failed                          Internal Error
Failed to set Configuration Variables       Failed to set Dat/Engine Version
Setting Configuration Variables             Setting Dat/Engine Version
Copying Downloaded Files to Slot            Copying Downloaded Files to Slot
Copying Downloaded Files to Slot Failed     Copying Downloaded Files to Slot Failed
Removing Old Dats from the slot             Removing Old Dats the slot
Removing Old Dats from the slot Failed      Removing Old Dats from the slot Failed
Getting current slot                        Getting current slot
Getting current slot Failed                 Getting current slot Failed
Setting Last Update Time                    Setting Last Update Time
Setting Update Version                      Setting Update Version
Setting Update Version Failed               Setting Update Version Failed

show cachestats
Displays cache statistics information for NetFlow processor.
Syntax:
show cachestats
Sample Output:
ntbaSensor@vNTBA> show cachestats
[Cache Stats Info for NetflowProcessor]
Cache Name : nf_conversation_cache
Node Size : 920
Max Nodes : 2000000
Current Allocs : 2074
Total Allocs : 403094
Total Frees : 401020
Failed Allocs : 0
Max Allocs : 2854
Cache Name : netflow_data_cache
Node Size : 1856
Max Nodes : 600000
Current Allocs : 17302
Total Allocs : 1966740
Total Frees : 1949438
Failed Allocs : 0
Max Allocs : 17303
Cache Name : netflow_src_cache
Node Size : 80
Max Nodes : 5000000
Current Allocs : 2972
Total Allocs : 555853
Total Frees : 552881
Failed Allocs : 0
Max Allocs : 3901
Cache Name : netflow_pkt_cache
Node Size : 1552
Max Nodes : 524288
Current Allocs : 0
Total Allocs : 1060375
Total Frees : 1060375
Failed Allocs : 0
Max Allocs : 240
Cache Name : db_update_cache
Node Size : 8884936
Max Nodes : 65
Current Allocs : 1
Total Allocs : 14135
Total Frees : 14134
Failed Allocs : 0
Max Allocs : 6
Cache Name : traffic_summary_cache
Node Size : 160
Max Nodes : 1700000
Current Allocs : 1948
Total Allocs : 163662
Total Frees : 161714
Failed Allocs : 0
Max Allocs : 16415
[Cache Stats Info for EIS]
Cache Name : nia_sock_cache
Node Size : 112
Max Nodes : 50000
Current Allocs : 31
Total Allocs : 10572
Total Frees : 10541
Failed Allocs : 0
Max Allocs : 35
Cache Name : nia_pkt_cache
Node Size : 3016
Max Nodes : 500000
Current Allocs : 30834
Total Allocs : 74565540
Total Frees : 74534706
Failed Allocs : 0
Max Allocs : 30835
Cache Name : nia_metadata_cache
Node Size : 5720
Max Nodes : 500000
Current Allocs : 3262
Total Allocs : 270668
Total Frees : 267406
Failed Allocs : 0
Max Allocs : 3263
Cache Name : wb_entry
Node Size : 20
Max Nodes : 100000
Current Allocs : 0
Total Allocs : 0
Total Frees : 0
Failed Allocs : 0
Max Allocs : 0
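The show cachestats output is long and identical in shape for every cache, which makes it a good candidate for automated review rather than eyeballing. The following is an added example, not code from the McAfee guide or the product: it parses the counter blocks into records and flags the conditions an operator cares about (allocation failures, a cache near its Max Nodes ceiling, and counters where Total Allocs minus Total Frees no longer equals Current Allocs, which is what a leak looks like in these statistics). SAMPLE_OUTPUT is an abbreviated copy of the guide's sample above plus one constructed cache, demo_exhausted_cache, that exercises the failure paths; the 80 percent warning threshold is an assumption.

```python
"""Parse `show cachestats` output and flag caches worth a look.

Added example, not code from the McAfee guide. SAMPLE_OUTPUT is an abbreviated
copy of the guide's sample plus one constructed cache (demo_exhausted_cache)
that exercises the failure paths. The warning threshold is an assumption.
"""
import re

SAMPLE_OUTPUT = """\
[Cache Stats Info for NetflowProcessor]
Cache Name : nf_conversation_cache
Node Size : 920
Max Nodes : 2000000
Current Allocs : 2074
Total Allocs : 403094
Total Frees : 401020
Failed Allocs : 0
Max Allocs : 2854
[Cache Stats Info for EIS]
Cache Name : nia_pkt_cache
Node Size : 3016
Max Nodes : 500000
Current Allocs : 30834
Total Allocs : 74565540
Total Frees : 74534706
Failed Allocs : 0
Max Allocs : 30835
Cache Name : demo_exhausted_cache
Node Size : 64
Max Nodes : 1000
Current Allocs : 950
Total Allocs : 5000
Total Frees : 4050
Failed Allocs : 12
Max Allocs : 1000
"""

SECTION_RE = re.compile(r"^\[Cache Stats Info for (.+)\]$")


def parse_cachestats(text: str) -> list:
    """Return one dict per cache: module, name and the integer counters."""
    caches, module, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            module = m.group(1)          # e.g. NetflowProcessor or EIS
            continue
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            continue                     # not a "Key : value" line
        if key == "Cache Name":
            current = {"module": module, "name": value}
            caches.append(current)
        elif current is not None:
            current[key] = int(value)
    return caches


def max_bytes(cache: dict) -> int:
    """Upper bound on memory the cache can occupy when every node is in use."""
    return cache["Node Size"] * cache["Max Nodes"]


def peak_utilization(cache: dict) -> float:
    """Highest fill level seen since the counters were reset, in percent."""
    return 100.0 * cache["Max Allocs"] / cache["Max Nodes"]


def assess(caches: list, warn_pct: float = 80.0) -> list:
    """Return (cache name, finding) pairs for conditions an operator should check."""
    findings = []
    for c in caches:
        if c["Failed Allocs"] > 0:
            findings.append((c["name"], "alloc-failure"))
        if 100.0 * c["Current Allocs"] / c["Max Nodes"] >= warn_pct:
            findings.append((c["name"], "near-capacity"))
        # Every node ever allocated is either freed or still held; anything
        # else means the counters disagree, which is what a leak looks like.
        if c["Total Allocs"] - c["Total Frees"] != c["Current Allocs"]:
            findings.append((c["name"], "alloc-free-mismatch"))
    return findings


if __name__ == "__main__":
    for cache in parse_cachestats(SAMPLE_OUTPUT):
        print(cache["name"], max_bytes(cache), round(peak_utilization(cache), 2))
    print(assess(parse_cachestats(SAMPLE_OUTPUT)))
```

On the guide's own sample every cache passes all three checks, so the findings come only from the constructed cache; feeding the real output of show cachestats to parse_cachestats gives the same report for a live appliance.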

show dbstats
Displays statistics of the database such as its status, disk size, total records and so on.
Syntax:
show dbstats
Sample Output:
ntbaSensor@vNTBA> show dbstats
[Database information]
Database status : Up
Database uptime : 7 days 19 hrs 37 min 25 secs
Total records inserted into database : 0
Average records per second : 0
Average data log files per second : 0
Database growth rate: 2%
Netflow database disk ratio: 30%
Forensic database disk ratio: 70%
Netflow database disk size : 75594.02M
Forensic database disk size : 176386.05M
Netflow database size: 147.3G
Forensic database size: 6.9M

show disk-usage
Displays disk usage per partition for all disk drives. This is equivalent to the df -h command in Linux.
Syntax:
show disk-usage
Sample Output:

show endpointintelligence details
Displays the number of executables processed after reboot, network connection summary, blocklist and allowlist update details,
EIA alert details, and packet processing statistics.
Syntax:
show endpointintelligence details
Sample Output:
ntbaSensor@vNTBA> show endpointintelligence details
[Endpoint Intelligence demo]
Endpoint Intelligence demo mode : Disabled
[Endpoint executables since reboot]
Total executables : 52
Total high and very high malware confidence executables : Programs: 0
Total medium malware confidence executables : Programs: 0
Total auto-classified allowed executables : 40
Total auto-classified blocked executables : 0
Total unclassified executables : 15
[Network connections summary]
Total connections by all endpoints : 16201
Total connections by blocked executables : 17
Total connections by unclassified executables : 127
Total connections by allowed executables : 14751
Total connections by high & very high malware confidence executables: 10
Total connections by medium malware confidence executables : 0
Total connections by low & very low malware confidence executables : 15166
Total connections by unknown malware confidence executables : 135
Total connections by cert allowed executables : 16
Total connections by GTI allowed executables : 3319
Total connections by GTI blocked executables : 0
Total connections by Raptor blocked executables : 5
[Allow and Block List]
Last Allowlist and Blocklist update time :
Total user blocked executables : 10
Total user allowed executables : 0
GTI allowed executable events to NSM : 0
GTI blocked executable events to NSM : 0
Cert allowed executable events to NSM : 0
[Endpoint Intelligence alerts]
Alert throttling interval (in days) : 0
Total alerts : 33
Very High confidence malicious data file alerts : 0
Very High confidence malware alerts : 16
High confidence malware alerts : 0
Medium confidence malware alerts : 0
Blocked executable alerts : 17
Unclassified executable alerts : 0
Allowed executable alerts : 0
Throttled Alerts : 0
Alerts dropped due to high-load : 0
[Packet processing stats]
Total packets received : 178
Total packets sent : 2
Total metadata flows : 177
Total Sysinfo packets received : 1
Total keepalives received : 2
Total keepalives sent : 2
Total malformed packets : 0
Total unsupported packets : 0
Total packet send failures due to session not available : 0
Total connections : 1
Total active connections : 1
Total connection timeouts : 0
Total sessions : 1
Total session failures : 0
Total session failures due to timeouts : 0

show endpointintelligence summary


Displays summarized data for active endpoint connections, connectivity status of ePO, and certificate status.
Syntax:
show endpointintelligence summary
Sample Output:
ntbaSensor@vNTBA> show endpointintelligence summary
[Endpoint Configuration and Status]
Endpoint Intelligence Service : Running
ePO Server IP : 172.16.233.6
Last ePO connection attempt : 2013-09-24 14:17:59
Last ePO connection status : Success
ePO certificate : Downloaded at 2013-09-24 14:17:59
Alert throttling : Enabled
GTI file reputation server : Not reachable
[Endpoint connections]
Total active endpoint connections : 22
Total packets received : 16884

Field                             Values
Endpoint Intelligence Service     Running, Not Running, Stopped, or Disabled
Last ePO connection status        Success or Failed
Alert throttling                  Enabled or Disabled
GTI file reputation server        Reachable or Not reachable
ePO certificate                   If the ePO certificate is available, Downloaded along with the time it was downloaded; if it is not available, Failed along with the reason for failure within parentheses

show exporters
This command displays exporter details such as IP address, type, and interface count.
Syntax:
show exporters
Sample Output:
ntbaSensor@NTBA_210> show exporters
[Exporter details]
-------------------
Exporter name : M-2850-254
Exporter type : IPS sensor
Exporter IP : 10.1.1.10
Packets received : 210706
Last packet received time: 2014-11-04 12:48:41
Flow data records : 421412
Template records : 4458
Interface count : 2

show fingerprinting stats
Shows statistics related to active device profiling. The statistics are collected or reset once the Device Profiler service is started or
stopped.
Syntax:
show fingerprinting stats
The fingerprinting statistics include:
• Fingerprinting Service Enabled: Indicates whether the user has enabled or disabled the service. Values are "Yes" or "No".
• Service Start Time: Indicates when the service should be started.
• Schedule Type: Indicates whether the schedule is configured by the user or by NTBA.
• Next Scan Schedule: Shows the next available schedule time for scan.
• Total Results Sent to Manager: This counter signifies the number of device profile results sent to the Manager through alert
channel.
• Total Current Running Scan Count: This counter signifies the number of scans currently in progress.
• Total number of Hosts Scanned: This counter signifies the number of hosts scanned and results stored in the database.
• Total Scan Failures: This counter signifies the number of scan failures.
• Total Passive Info Host Count Received From Manager: This counter signifies the number of hosts the Manager sent as the
preferred list of IP addresses to be scanned.
• Total Number of Hosts Excluded From Scan: This counter signifies the total number of hosts excluded from scanning.
• Total Internal Host: This counter signifies the total number of hosts to be considered for scanning.
• Total Active FP Host: This counter signifies the total number of hosts for which the active scan results are available in the
database.
• Total Host with no FP: This counter signifies the total number of hosts for which the active scan results are not available in the
database.
[Last Scan Run Details]
• Last Scan Time: Indicates the last scan time.
• Total Number of Hosts Scanned: This counter signifies the total number of hosts scanned.
• Total Number of Hosts UP: This counter signifies the total number of hosts that are up.
• Total Number of Hosts DOWN: This counter signifies the total number of hosts that are down.
• Total Results sent to Manager: This counter signifies the total number of results sent to the Manager.
Sample Output:
ntbaSensor@vNTBA> show fingerprinting stats
[Host FingerPrinting Stats]
[ Note: All Stats Will be Reset Once Host FingerPrinting Service Restarts ]
FingerPrinting Service Enabled : NO
Service Start Time : 2014-03-28 06:57 UTC
Schedule Type : 0
Next Scan Schedule : 0
Total Alerts Sent to NSM : 20
Total Current Running Scan Count : 3000
Total Number of Hosts Scanned : 400000
Total Scan Failures : 10
Total Passive Info Host Count Received From NSM : 0
[ Last Scan Run Details ]
Last Scan Time : 2014-03-28 10:57 UTC
Total Number of Hosts Scanned : 2000
Total Number of Hosts UP : 164
Total Number of Hosts DOWN : 20
Total Results Sent to NSM : 140

show forensic-db details


Displays basic forensic data collection information like data and profile collection time, and context details.
Syntax:
show forensic-db details
Sample Output:
[Forensic database details]
Forensic status : Enabled
Context data collection interval : Before attack: 20 mins | After attack: 20 mins
Alert source : Network Security Sensor & NTBA
Last context data collection time : 2014-07-31 03:41:00
Last service profile collection time : 2014-07-31 04:01:00
Last executable profile collection time : 2014-07-31 04:01:00
IPS alert rate per second : 0 for the last 10 minutes
NTBA alert rate per second : 0 for the last 10 minutes
Average context records per alert : 9.00 for the last 10 minutes
Attack context stored in database for : Last 2 days

show flowforwardinfo
Displays flow forwarding configurations.
Syntax:
show flowforwardinfo
Sample Output:
ntbaSensor@vNTBA> show flowforwardinfo
[flow forward Info]
Flow forward IP : 1.1.1.8
Flow forward Port : 2565
Flow forwarding mode : BLIND

show host-vlan
Shows the status of host-vlan whether it is enabled or disabled.
This command has no parameters.
Syntax:
show host-vlan
Sample Output:
ntbaSensor@vNTBA> show host_vlan
[HOST VLAN settings]
HOST VLAN : enabled
Applicable to:
M-series and NS-series, and NTBA Appliances.

show htf
Displays the HTF configuration: the delta period, learning period, maximum number of deltas, and the HTF filter IP list.
Syntax:
show htf
Sample Output:
ntbaSensor@vNTBA> show htf
[HTF settings]
HTF delta period : 180 minutes
HTF Filter IP List :

show intfport
Shows the status of the specified Sensor port. Specifying a non-existent port results in an error. Type the port letter in upper case: for example, 1a is rejected as an invalid port, whereas 1A is accepted.
Syntax:
show intfport <port>

Parameter Description

<port> The port whose status is displayed.

• Valid port numbers for M-series: 1A | 1B | 2A | 2B | 3A | 3B | 4A | 4B | 5A | 5B | 6A | 6B | 7A | 7B | 8A | 8B | WORD | all
• Valid port numbers for NS-series: G0/1 | G0/2 | G1/1 | G1/2 | G1/3 | G1/4 | G1/5 | G1/6 | G1/7 | G1/8 | G1/9 | G1/10 | G1/11 | G1/12 | G2/1 | G2/2 | G2/3 | G2/4 | G2/5 | G2/6 | G2/7 | G2/8 | G2/9 | G2/10 | G2/11 | G2/12 | G3/1 | G3/2 | G3/3 | G3/4 | G3/5 | G3/6 | G3/7 | G3/8 | WORD | all

Information displayed by the show intfport command includes:


• Whether the port's administrative status is enabled or disabled
• The Sensor's operational status
• The Sensor's operating mode
• Whether full duplex mode is enabled
• The port's configured traffic direction (inside or outside)
• The speed of the 10/100 ports, if applicable
• The speed of the Gigabit ports, if applicable
• The peer port's supported link mode
• The peer port's negotiated duplex and speed
• The auto-negotiating configuration
• Total packets received
• Total packets sent
• Total CRC errors received
• Total CRC errors sent
• Whether or not flow control is on (this applies only to Sensor gigabit ports)
Sample Output:



• For Sensors, the output is as shown
intruShell@john> show intfport 2A
Displaying port 2A
Administrative Status : ENABLED
Operational Status : UP
Operating Mode : INLINE_FAIL_CLOSED
Duplex : FULL
Port Connected to : OUTSIDE
Port Speed : 1 GBPS-AUTONEG
Peer port
supported link modes :
10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Actual negotiated Duplex: FULL
Actual negotiated Speed : 1 GBPS
Additional Porttype Info:
Total Packets Received : 403
Total Packets Sent : 24130
Total CRC Errors Rcvd : 0
Total Other Errors Rcvd : 0
Total CRC Errors Sent : 0
Total Other Errors Sent : 0
Flow Control Status : OFF
• For NTBA, the output is as shown
ntbaSensor@NTBA_210> show intfport 1
Administrative status : Enabled
Link status : Up
Port speed : Auto, 1000 Mbps
Duplex : Auto, Full
Total packets received : 27416335
Total packets sent : 291
Total CRC errors received : 0
Total other errors received : 0
Total CRC errors sent : 0
Total other errors sent : 0
IP Address : 17.68.26.27
MAC Address : 00:1B:21:44:77:48
Mapped to ethernet port : eth2

Applicable to: M-series, NS-series, Virtual IPS Sensors, and NTBA Appliances. The command does not apply to Virtual Security
System instances; use the show ingress-egress stat command instead.

show l7dcapstats
Displays statistics for Layer 7 captured data.
Syntax:
show l7dcapstats
Sample Output:



ntbaSensor@Demo-NTBA> show l7dcapstats
[Layer7 Data Capture Statistics]
-------------------------------
Total Dcap HTTP URI Count : 66709
Total Dcap HTTP Domain Name Count : 65588
Total Dcap AttackId Count : 19
Total Dcap AppId Count : 158018
Total Forensics Attack Id Count : 7113
Total Forensics Victim Direction Count : 7113
Total File Type : 31416
Total File Hash : 31416

show mem-usage
This command displays the system memory usage details of the device.
This command has no parameters.
Syntax:
show mem-usage
For each resource pool (TCP and UDP flows, fragmented IP flows, ICMP flows, SSL flows, fragment reassembly buffers, packet buffers, attack and shell marker nodes, and L7 Dcap flows), the output gives the average percentage in use across all Processing Engines (Avg.) and the highest percentage in use on any single Processing Engine (Max.).
The L7Dcap counter descriptions are as follows:
• Avg. Used L7 Dcap flows across all PEs — Average percentage of L7Dcap flows used from the value configured in the
Manager across all the Processing Engines in the Sensor
• Max. Used L7 Dcap flows on a single PE — Percentage of L7Dcap flows used from the maximum value that a single
Processing Engine manages
Sample Output:
• For Sensors, the output is as shown
Avg. Used TCP and UDP Flows across all PEs : 0%
Max. Used TCP and UDP Flows on a single PE : 0%
Avg. Used Fragmented IP Flows across all PEs : 0%
Max. Used Fragmented IP Flows on a single PE : 0%
Avg. Used ICMP Flows across all PEs : 0%
Max. Used ICMP Flows on a single PE : 0%
Avg. Used SSL Flows across all PEs : 0%
Max. Used SSL Flows on a single PE : 0%
Avg. Used Fragment Reassembly Buffers across all PEs : 0%
Max. Used Fragment Reassembly Buffers on a single PE : 0%
Avg. Used Packet Buffers across all PEs : 0%
Max. Used Packet Buffers on a single PE : 0%
Avg. Used Attack Marker Nodes across all PEs : 0%
Max. Used Attack Marker Nodes on a single PE : 0%
Avg. Used Shell Marker Nodes across all PEs : 0%
Max. Used Shell Marker Nodes on a single PE : 0%
Avg. Used L7 Dcap flows across all PEs : 0%
Max. Used L7 Dcap flows on a single PE : 0%

Applicable to:
NS-series Sensors



show mgmtport
Shows all the current configuration settings for the Sensor Management port.
This command has no parameters.
Syntax:
show mgmtport
Information displayed by the show mgmtport command includes:
• The Management port's configured speed setting (1000Mbps, 100Mbps, 10Mbps, or auto-negotiate)
• The speed the two devices settled on (typically the highest setting both support)
• The duplex mode settled on
• The link status
• The capabilities of the Management port (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD,
10base-T-HD)
• What the Management port is advertising its capabilities as (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD,
10base-T-FD, 10base-T-HD)
• The characteristics of its link partner (possible values are: 1000baseTx-FD, 100baseTx-FD, 100baseTx-HD, 10base-T-FD, 10base-
T-HD)
Sample Output:
• For Sensor, the output is as shown
intruShell@john> show mgmtport
MGMT Ethernet port : auto negotiated
Settings for MGMT port :
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Auto-negotiation: on
Wake-on: d
Link detected: yes
eth0 Link encap:Ethernet HWaddr 00:06:92:2B:69:40
inet addr:10.213.174.202 Bcast:10.213.174.255 Mask:255.255.255.0
inet6 addr: fe80::206:92ff:fe2b:6940/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3072499 errors:0 dropped:0 overruns:0 frame:0
TX packets:333882 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:255473849 (243.6 Mb) TX bytes:38758684 (36.9 Mb)
Interrupt:24
• For NTBA, the output is as shown
ntbaSensor@NTBA_210> show mgmtport
Link status : Up
Port speed : Auto, 1000 Mbps
Duplex : Auto, Full



Total packets received : 15176
Total packets sent : 14356
Total CRC errors received : 0
Total other errors received : 0
Total CRC errors sent : 0
Total other errors sent : 0
IP Address : 10.213.171.210
MAC Address : 00:24:E8:46:46:D6
Mapped to ethernet port : eth4

Applicable to:
M-series and NS-series, and NTBA Appliances.

show netstat
This command displays the management port netstat output.
This command has no parameters.
Syntax:
show netstat
Sample Output:
• For Sensor, the output is as shown

show netstat command output for Sensors

• For an NTBA Appliance, the output is as shown



show netstat command output for NTBA

Applicable to:
M-series and NS-series, and NTBA Appliances.

show nfcstats
Displays the NetFlow collector statistics. Use the output to verify that NetFlow packets are being received and processed by NTBA: the Packet Parsing and Preprocessing Errors section shows why records were discarded (unconfigured exporter, unsupported NetFlow version, non-matching template, and so on).
Syntax:
show nfcstats
Sample Output:
ntbaSensor@vNTBA> show nfcstats
[Netflow-Collector Statistics]
-------------------------------
Total packets received : 1047496
Total flow data records received : 2291170
Total v10 flow data records : 20000
Total v9 flow data records : 2091170
Total v5 flow data records : 0
IPS flow data records : 2091170
Total Templates : 2467
V10 Templates : 2000
IPS templates : 467
Total TCP conversations : 240259
Total UDP conversations : 86656
Total ICMP conversations : 74702
Total L7 URL count : 20842
Total L7 FILE count : 12
Internal Hosts : 823
[Netflow Processing Stats]



Duplicate flow data records : 0
Flows excluded by User Config : 0
L7 data excluded by User Config : 0
Flows getting processed : 2824
Flows processed in last minute : 3107
Coalesced Conversations count : 318593
Template Cache : 1
Throttled flow data records : 0
Write index : 0
Remove index : 0
Nba read index : 0
Recon read index : 0
Htf read index : 0
Anomaly read index : 0
[Packet Parsing and Preprocessing Errors]
Erroneous flow data records : 0
Pkts from unconfigured exporter : 0
Pkts with invalid netflow version : 0
Pkts with IP version other than 4 : 0
Unidirectional flow in ips pkt : 760371
Needs dedup count : 0
Update nxthop failed : 0
Functional buf insert failed : 0
Invalid L7 data length : 0
Invalid templates : 0
Flows ignored after max host limit : 0
Flows ignored for not-enough memory : 0
Flows ignored for external traffic : 187
Flows ignored for non-match template: 1444
Misc preprocessing error : 0
[Netflow-Collector Incoming Load Stats]
Last netflow seen time : Mon Sep 30 04:41:42 2013
Incoming flows per sec for last 10 minutes : 7
Incoming flows for last 10 minutes :
Flows for last 0 - 1 minute : 4432
Flows for last 1 - 2 minute : 0
Flows for last 2 - 3 minute : 0
Flows for last 3 - 4 minute : 0
Flows for last 4 - 5 minute : 0
Flows for last 5 - 6 minute : 0
Flows for last 6 - 7 minute : 0
Flows for last 7 - 8 minute : 0
Flows for last 8 - 9 minute : 0
Flows for last 9 -10 minute : 0
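The following Python script is an added example, not part of this guide or of the NTBA software. It shows how a collector front end derives counters like the ones above from raw export packets: it parses NetFlow v5 headers and records according to the public v5 layout, reads the record count from the v9 header (template and data FlowSet decoding is omitted), rejects packets from exporters that are not on an allow-list, rejects unsupported NetFlow versions and truncated packets, and coalesces both directions of a session into one conversation. The exporter address 10.0.0.5, the flow records, and the counter names are constructed for this example.

```python
"""NetFlow v5/v9 collector front end that keeps nfcstats-style counters.

Added example, not NTBA code. Header and record layouts follow the public
NetFlow v5/v9 formats; the exporter allow-list, sample flows and counter
names are this example's own. v9 records are counted from the header only.
"""
import ipaddress
import struct
import time

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
V9_HEADER = struct.Struct("!HHIIII")                 # 20 bytes
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


class FlowCollector:
    def __init__(self, allowed_exporters):
        # Only packets from configured exporters are parsed, mirroring the
        # "Pkts from unconfigured exporter" counter of show nfcstats.
        self.allowed = {ipaddress.ip_address(a) for a in allowed_exporters}
        self.conversations = set()
        self.stats = dict.fromkeys((
            "packets_received", "records_received", "v5_records", "v9_records",
            "tcp_conversations", "udp_conversations", "icmp_conversations",
            "pkts_from_unconfigured_exporter", "pkts_invalid_version",
            "erroneous_packets"), 0)

    def ingest(self, exporter_ip, payload):
        s = self.stats
        s["packets_received"] += 1
        if ipaddress.ip_address(exporter_ip) not in self.allowed:
            s["pkts_from_unconfigured_exporter"] += 1
            return
        if len(payload) < 2:
            s["erroneous_packets"] += 1
            return
        version = struct.unpack("!H", payload[:2])[0]
        if version == 5:
            self._ingest_v5(payload)
        elif version == 9:
            self._ingest_v9(payload)
        else:
            s["pkts_invalid_version"] += 1

    def _ingest_v5(self, payload):
        s = self.stats
        if len(payload) < V5_HEADER.size:
            s["erroneous_packets"] += 1
            return
        _, count, *_ = V5_HEADER.unpack_from(payload)
        if len(payload) != V5_HEADER.size + count * V5_RECORD.size:
            s["erroneous_packets"] += 1   # header count and body length disagree
            return
        for i in range(count):
            rec = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
            src, dst, sport, dport, proto = rec[0], rec[1], rec[9], rec[10], rec[13]
            s["records_received"] += 1
            s["v5_records"] += 1
            # A conversation is direction-independent: both halves of a TCP
            # session share one key, so the reverse record adds no conversation.
            key = (proto, frozenset({(src, sport), (dst, dport)}))
            name = PROTO_NAMES.get(proto)
            if name and key not in self.conversations:
                self.conversations.add(key)
                s[f"{name}_conversations"] += 1

    def _ingest_v9(self, payload):
        if len(payload) < V9_HEADER.size:
            self.stats["erroneous_packets"] += 1
            return
        _, count, *_ = V9_HEADER.unpack_from(payload)
        self.stats["records_received"] += count
        self.stats["v9_records"] += count


def build_v5_packet(flows, engine_id=1):
    """Construct a v5 export packet; flows = (src, dst, sport, dport, proto, pkts, bytes)."""
    body = b"".join(V5_RECORD.pack(
        int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), 0,
        1, 2, pkts, octets, 0, 1000, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    header = V5_HEADER.pack(5, len(flows), 1000, int(time.time()), 0, 0, 0, engine_id, 0)
    return header + body


def run_demo():
    """Feed constructed packets through the collector and return its counters."""
    c = FlowCollector(allowed_exporters=["10.0.0.5"])   # hypothetical IPS exporter
    v5 = build_v5_packet([
        ("10.1.1.10", "93.184.216.34", 51000, 443, 6, 10, 1500),
        ("93.184.216.34", "10.1.1.10", 443, 51000, 6, 12, 9000),  # reverse half
        ("10.1.1.11", "10.1.1.53", 40000, 53, 17, 1, 80),
        ("10.1.1.12", "10.1.1.1", 0, 0x0800, 1, 1, 64),            # ICMP echo request
    ])
    c.ingest("10.0.0.5", v5)
    c.ingest("10.0.0.5", V9_HEADER.pack(9, 3, 1000, int(time.time()), 1, 7))
    c.ingest("10.0.0.5", struct.pack("!H", 1) + b"\x00" * 14)   # NetFlow v1: rejected
    c.ingest("192.0.2.99", v5)                                   # exporter not configured
    c.ingest("10.0.0.5", v5[:-10])                               # truncated export
    return c.stats


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:34s}: {v}")
```

The allow-list is the first check, before any parsing, so a spoofed or stray exporter cannot influence the flow database or the conversation counters; the same ordering is visible in the Packet Parsing and Preprocessing Errors counters above.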



show pktrecvstats
Displays the statistics of the packets received by NTBA.
Syntax:
show pktrecvstats
Sample Output:
ntbaSensor@vNTBA> show pktrecvstats
[Pktrecv Info]
Start Time : Sat Sep 21 14:25:43 2013
Last Packet Recv Time : Never
Packets observed : 0
Packets Read : 0
Pktrecv socket mode : 0
Number of Restarts : 0
Netflow Listen Port : 9996
Thread status : PROCESSING_PKT

show route
Shows the routes configured on the NTBA Appliance through the Manager interface, followed by the kernel IP routing table.
Syntax:
show route
Sample Output:
ntbaSensor@vNTBA> show route
network 10.10.210.0 netmask 255.255.255.0 gateway 192.168.0.251 port 1
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.213.173.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
10.10.210.0 0.0.0.0 255.255.255.0 U 0 0 0 4
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 mgmt
22.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 2
0.0.0.0 10.213.173.252 0.0.0.0 UG 0 0 0 mgmt
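The following Python script is an added example, not part of this guide or of the NTBA software. It parses the kernel routing table from the sample output above and applies the same longest-prefix match the kernel uses, so that you can confirm which port and gateway the appliance will use to reach a given exporter or the Manager before checking cables and firewalls. The ROUTE_OUTPUT text is copied from the sample above; the parse_routes and next_hop function names are this example's own.

```python
"""Longest-prefix match over the 'Kernel IP routing table' printed by show route.

Added example, not NTBA code. ROUTE_OUTPUT is the sample output from the
guide; the parsing and lookup logic is this example's own.
"""
import ipaddress

ROUTE_OUTPUT = """\
network 10.10.210.0 netmask 255.255.255.0 gateway 192.168.0.251 port 1
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.213.173.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
10.10.210.0 0.0.0.0 255.255.255.0 U 0 0 0 4
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 mgmt
22.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 2
0.0.0.0 10.213.173.252 0.0.0.0 UG 0 0 0 mgmt
"""


def parse_routes(text):
    """Return the kernel routes as dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = fields[:8]
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue   # header line or the Manager-configured route summary
        routes.append({
            "net": net,
            # The G flag marks an indirect route; otherwise the gateway column is 0.0.0.0.
            "gateway": ipaddress.ip_address(gw) if "G" in flags else None,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def next_hop(routes, dst):
    """Return (iface, gateway) for dst: longest prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r["net"]:
            rank = (r["net"].prefixlen, -r["metric"])
            if best is None or rank > best[0]:
                best = (rank, r)
    if best is None:
        return None
    r = best[1]
    return r["iface"], (str(r["gateway"]) if r["gateway"] is not None else None)


if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    for target in ("10.10.210.7", "10.213.173.9", "8.8.8.8"):
        print(target, "->", next_hop(routes, target))
```

With this table, an exporter in 10.10.210.0/24 is reached directly on port 4, a host in 10.213.173.0/24 directly on the management port, and everything else through the default gateway 10.213.173.252 on the management port; if the exporter you expect on a collection port resolves to mgmt, the collection port subnet or mask is misconfigured.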

show store-url-type
Displays how URLs are stored. The setting is either ONLY-DOMAIN (only the domain name is kept) or FULL-URL (the complete URL is kept).
Syntax:
show store-url-type
Sample Output:
ntbaSensor@vNTBA> show store-url-type
[store url type]
Url Store Type : ONLY-DOMAIN



show tsstats
Displays statistics for McAfee GTI (Trusted Source) reputation lookups of IP addresses and URLs.
Syntax:
show tsstats
Sample Output:
ntbaSensor@vNTBA> show tsstats
[Trusted-Source Stats]
Trusted Source Activate Failed : 0
Trusted Source NetConfigInternal Failed : 0
Trusted Source NetConfigSetting Failed : 0
Trusted Source NetLookup Failed : 0
Trusted Source DB Download Failed : 0
Trusted Source DB Load Failed : 0
Trusted Source Create Attribute Failed count : 0
Trusted Source Create Url Failed count : 0
Trusted Source Ip Cache Insert Failed count : 2559
Trusted Source Parse Url Failed count : 0
Trusted Source Create Category Failed count : 0
Trusted Source Remove Category Failed count : 0
Trusted Source Category to Array Failed count : 0
Trusted Source Category to String Failed count : 0
Trusted Source Rate Ip Failed count : 23046
Trusted Source Rate Url Failed count : 6
Trusted Source NTBA DB Ip Updates Failed count : 0
Trusted Source NTBA DB Url Failed count : 2939
Trusted Source Conversation Drop count : 5188
Trusted Source Urls Drop count : 12157
Trusted Source Conversation Send Drop count : 0
Trusted Source Urls Send Drop count : 0
Trusted Source Number of Ip's Updated : 56848
Trusted Source Number of Ips Loaded from File : 0
Trusted Source Number of Entries in Cache : 2025
Trusted Source Lookup drops due to configuration : 732359
Trusted Source Total Conv Request Count : 30894
Trusted Source Successful Connection Lookup count : 0
Trusted Source Total Url Request Count : 19313
Trusted Source Successful Url Lookup count : 7144
Trusted Source Conversation Cachehit Count : 121992
Trusted Source Conversation Cache Busy Count : 28
Trusted Source Rate cache Lookup Time : 0
Time Of Day In Seconds : 1380516471



shutdown
Halts the Sensor so you can turn it off. You can turn off the Sensor manually after a minute. The Sensor does not turn off
automatically. You must confirm that you want to shut down the Sensor.
This command has no parameters.
Syntax:
shutdown
Applicable to:
M-series and NS-series, and NTBA Appliances.

status
Shows Sensor system status, such as System Health, Manager communication, signature set details, total number of alerts
detected, and total number of alerts sent to the Manager.
This command has no parameters.
Syntax:
status
Sample Output:
For Sensor, the output is as shown:
intruShell@john> status
[Sensor]
System Initialized : yes
System Health Status : good
Layer 2 Status : normal (IDS/IPS)
Installation Status : complete
IPv6 Status : Parse and Detect Attacks
Reboot Status : Not Required
Guest Portal Status : up
Hitless Reboot : Not-Available
Last Reboot reason : reboot issued from CLI
[Signature Status]
Present : yes
Version : 8.6.0.6
Power up signature : good
Geo Location database : Present
DAT file : Present
Version : 318.0
[Manager Communications]
Trust Established : yes (RSA 1024-bit or 2048-bit)
Alert Channel : up
Log Channel : up
Authentication Channel : up
Last Error : None
Alerts Sent : 961
Logs Sent : 974



[Alerts Detected]
Signature : 4246 Alerts Suppressed : 3483
Scan : 0 Denial of Service : 2
Malware : 0
[McAfee NTBA Communication]
Status : up
IP : 10.213.174.132
Port : 8505
[McAfee MATD Communication]
Status : up
IP : 10.213.174.134
Port : 8506
The NTBA Appliance prints the same status sections.
Note: On an NS-9300 Sensor, if the Sensor reboots because of a software version mismatch, the status command reports recovered from sw version mismatch as the Last Reboot reason.
Note: If trust cannot be established between the Sensor and the Manager because the shared secret keys do not match, Last Error shows Alert Channel - Install Keys Mismatch. In that case, check the shared secret key on the Manager and set the same key on the Sensor with the set sensor sharedsecretkey command.
Applicable to:
M-series and NS-series, and NTBA Appliances.
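The following Python script is an added example, not part of this guide or of the NTBA software. It parses the status output into sections and key/value pairs and then applies the health conditions described above (system initialized and healthy, no reboot required, trust established, all three Manager channels up, Last Error equal to None, NTBA and MATD communication up), reporting the shared-secret remediation from the note when Last Error contains Install Keys Mismatch. SAMPLE_STATUS is the Sensor output above trimmed to the sections used; the parse_status and check_status function names are this example's own. Only the first key : value pair on a line is read, so a line such as Signature : 4246 Alerts Suppressed : 3483 yields a single key.

```python
"""Health check over the text printed by the status command.

Added example, not NTBA code. SAMPLE_STATUS is the Sensor output from the
guide, trimmed; the rules in check_status() encode the healthy conditions
the guide describes plus the Install Keys Mismatch note.
"""
import re

SAMPLE_STATUS = """\
[Sensor]
System Initialized : yes
System Health Status : good
Reboot Status : Not Required
[Manager Communications]
Trust Established : yes (RSA 1024-bit or 2048-bit)
Alert Channel : up
Log Channel : up
Authentication Channel : up
Last Error : None
Alerts Sent : 961
Logs Sent : 974
[McAfee NTBA Communication]
Status : up
IP : 10.213.174.132
Port : 8505
"""

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
PAIR_RE = re.compile(r"^([^:]+?)\s*:\s*(.*?)\s*$")


def parse_status(text):
    """Return {section: {key: value}}. Lines before the first section are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = PAIR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def check_status(text):
    """Return a list of findings; an empty list means the device looks healthy."""
    st = parse_status(text)
    sensor = st.get("Sensor", {})
    mgr = st.get("Manager Communications", {})
    findings = []
    if sensor.get("System Initialized") != "yes":
        findings.append("system not initialized")
    if sensor.get("System Health Status") != "good":
        findings.append(f"health status is {sensor.get('System Health Status', 'unknown')}")
    if sensor.get("Reboot Status", "Not Required") != "Not Required":
        findings.append("reboot required")
    # "yes (RSA ...)" carries the key size after the flag, so match the prefix.
    if not mgr.get("Trust Established", "").startswith("yes"):
        findings.append("trust with Manager not established")
    for ch in ("Alert Channel", "Log Channel", "Authentication Channel"):
        if mgr.get(ch) != "up":
            findings.append(f"{ch} is {mgr.get(ch, 'missing')}")
    err = mgr.get("Last Error", "None")
    if err != "None":
        hint = ""
        if "Install Keys Mismatch" in err:
            hint = " (shared secret mismatch: re-enter it with set sensor sharedsecretkey)"
        findings.append(f"last error: {err}{hint}")
    for section in ("McAfee NTBA Communication", "McAfee MATD Communication"):
        if section in st and st[section].get("Status") != "up":
            findings.append(f"{section} is {st[section].get('Status', 'missing')}")
    return findings


if __name__ == "__main__":
    print(check_status(SAMPLE_STATUS) or ["healthy"])
```

Run against a stored copy of the status output, the check gives a repeatable answer to the first question of the trust and channel troubleshooting procedures: whether the device itself reports a problem, and if so which one.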

tcpdump sec
Runs a tcpdump capture for the specified number of seconds (1 to 30). Standard tcpdump arguments, such as an interface or a capture filter, can follow the duration.
Syntax:
tcpdump sec <1-30> WORD WORD …
Sample Output:
ntbaSensor@vNTBA> tcpdump sec 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
Examples:
tcpdump sec 5
tcpdump sec 5 -i eth4 dst host A.B.C.D
Applicable to:
NTBA Appliances only.

traceupload
Uploads an encoded diagnostic trace file to the configured TFTP server, from which you can send it to McAfee Technical Support for diagnosing a problem with the Sensor. A trace upload facility is also available in the Manager interface.
Syntax:
traceupload WORD
where WORD stands for the file name to which the trace must be written.
Note the following:



• Before running this command, configure the TFTP server on the NTBA Appliance with the set tftpserver ip command.
• When loading a trace file from the configured TFTP server, the path name of the file must be relative to /tftpboot.
• Before uploading, ensure that the file exists on the TFTP server with write permission for everyone. TFTP provides no authentication or encryption, so run the TFTP server on a restricted management network and remove the world-writable file once it has been sent to Support.
Note: As part of traceupload, additional information is collected using logstat, so collecting logs from the Sensor takes extra time, around 10-30 minutes depending on the Sensor model.
On executing the command the following messages are displayed:
Please enter Y to confirm: y
Uploading trace file to TFTP server
Trace file uploaded successfully to TFTP server.
Sample Output:
For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> traceupload ntbaTraceFile
Make sure the file ntbaTraceFile exists on the server with 'WRITE' permission for everyone. If it doesn't exist,
then create an empty ntbaTraceFile file with 'WORLD WRITE' permissions.
Please enter Y to confirm: y
Uploading trace file to TFTP server
Trace file uploaded successfully to TFTP server.
Applicable to:
M-series and NS-series, and NTBA Appliances.

unknown-interfaces-flows
Controls whether the NTBA Appliance accepts flows that arrive from an interface it has not discovered. This applies only to undiscovered interfaces of known (configured) exporters.
Syntax:
unknown-interfaces-flows <accept> | <reject> | <status>

Parameter Description

<accept> NTBA accepts flows from an unknown interface.

<reject> NTBA rejects flows from an unknown interface.

<status> Displays whether flows from unknown interfaces are accepted or rejected.

Note: If SNMP is not configured, NTBA cannot discover interfaces and does not accept any flows from a router unless this command is set to accept. You also need to configure proper CIDR ranges in the inside and outside zones; if they are not configured, NTBA treats all endpoints as inside.
Sample Output:
• For Sensor, the output is as shown:
intruShell@john> unknown-interfaces-flows accept
Accepted
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> unknown-interfaces-flows accept
ntbaSensor@vNTBA> unknown-interfaces-flows status
interface status: Reject

Applicable to:
Only NTBA Appliances



watchdog
Controls the watchdog process, which reboots the device whenever it detects an unrecoverable failure.
Syntax:
watchdog <on | off | status>

Parameter Description

<on> Enables the watchdog.

<off> Disables the watchdog. Use it when a Sensor reboots continuously because of repeated system failures.

<status> Displays the status of the watchdog process ('on' or 'off').

Sample Output:
• For Sensor, the output is as shown:
intruShell@john> watchdog status
watchdog = off
• For an NTBA Appliance, the output is as shown:
ntbaSensor@vNTBA> watchdog status
watchdog = on

Applicable to:
M-series and NS-series, and NTBA Appliances.



Troubleshooting
This chapter addresses some of the issues that might be encountered while handling and setting up the NTBA Appliance.
Caution: Repairs to the NTBA Appliance may be done only by certified technicians under the guidance of McAfee support personnel. The information given here is for customer awareness only. Damage caused by unauthorized servicing is not covered by any liability.

The NTBA Appliance does not start


If the power-on indicator light on the front panel does not appear after the NTBA Appliance has had reasonable time to boot,
ensure that all external cables are securely attached to the external connectors on your system.

The NTBA Appliance is not receiving power


Check the following:
• The NTBA Appliance is connected properly to a working power outlet, using the supplied power cord. If the power outlet has a
switch, make sure it is on.
• The NTBA Appliance is correctly switched on.
• The power cord is plugged in to the back of the NTBA Appliance.
Note: If the NTBA Appliance is still not receiving power, check the power outlet by plugging other equipment into it. If the
power outlet is working, there could be a problem with the NTBA Appliance or its power cord. Contact your supplier or McAfee
technical support.

The NTBA Appliance is not booting up


If the appliance does not boot automatically to the logon prompt after you power it on, follow these steps.

1. Connect the System restore USB flash drive to the NTBA appliance and power on the appliance.
2. After the McAfee logo is displayed, press F6 and under boot options, select the USB drive.
3. At the logon prompt, log on to the NTBA Appliance using the default user name admin and password admin123.
Note: You can type help or ? to access instructions on using the built-in command syntax help.
4. At the prompt, type installntba. This will take some time.
5. At the prompt, type reboot to bring up the NTBA appliance. Remove the USB flash drive.
6. At the logon prompt, log on to the NTBA Appliance using the default user name admin and password admin123. Change the default password before returning the appliance to the network.



The NTBA Appliance is not communicating with the network on the management port
Check the following:
• The NTBA Appliance is turned on and its software is running, indicated by the lights on the front display panel.
• The NTBA Appliance has a valid management port IP address, can ping the gateway, or can be pinged from another system.
• The network cables that you are using are undamaged and connected properly to the NTBA Appliance management port and
your existing network equipment. Ensure that the cables you use are of the correct specification.
• You have used the correct management port when connecting the NTBA Appliance to your existing network equipment.
• Perform the configuration process afresh.
Note: If the NTBA Appliance is still not receiving network traffic, check the network cables and the network ports on your
existing network equipment. If the cables and ports are working, there could be a problem with the NTBA Appliance. Contact
your supplier or McAfee technical support.

The NTBA Appliance is not communicating or receiving traffic on the collection port
Task
1. Check the following:
◦ The NTBA Appliance is turned on and its software is running, indicated by the lights on the front display panel.
◦ The NTBA Appliance has valid collection port IP addresses.
◦ The network cables that you are using are undamaged and connected properly to the NTBA Appliance collection ports and
your existing network equipment. Ensure that the cables you use are of the correct specification.
◦ You have used the correct collection ports when connecting the NTBA Appliance to your existing network equipment.
◦ Perform the configuration process afresh.
2. Execute the following command in the NTBA Appliance command line interface:
◦ Whether the NTBA Appliance is initialized
◦ The NTBA Appliance's health status
◦ Boot Flag On/Off
◦ Status of signatures (if present) and version number
◦ The NTBA Appliance signature version
◦ Whether trust is established between NTBA Appliance and Manager
◦ The Alert Channel status
◦ Alert / SysEvent Sent
◦ Alert / SysEvent Dropped
◦ Alert Detected
◦ SysEvent Detected
In case any errors are found, contact McAfee technical support.
3. Check whether port LEDs are lighting up according to the NIC codes:



NIC indicator codes

Item Description
1 Link indicator
2 Activity indicator

Indicator Description
Link and activity indicators are off: The NIC is not connected to the network.
Link indicator is green: The NIC is connected to a valid network link at 1000 Mbps.
Link indicator is amber: The NIC is connected to a valid network link at 10/100 Mbps.
Activity indicator is green and blinking: Network data is being sent or received.

Check the connections and connectors, and try again.

Troubleshooting a hardware failure


If you suspect a hardware failure, contact McAfee Technical Support. McAfee recommends you troubleshoot all hardware issues
with a technical support technician.
You might be asked to use the recovery disk included with the NTBA Appliance.

If trust is not getting established


Task
1. Check that the Manager IP address is correct.
2. Check that the default gateway is correct. Ping the Manager IP address to confirm that the Manager is reachable.
3. Check that the device type was selected as NTBA from the drop-down list when the Sensor was added.
4. Check whether a firewall is blocking ports 8443 and 8444 between the NTBA Appliance and the Manager.
5. Check that the shared secret key is correct; re-enter the key.
6. Check that the NTBA Appliance name is correct. It is case-sensitive.



Signature update failure/if channel is not coming up
Task
1. Check that the Manager and NTBA Appliance versions are a supported combination.
2. If the channel is not coming up for a T-VM, check whether one has already been added.
Note: Only one T-VM can be added.
3. Check that the NTBA Appliance is in good health.
4. Check whether installdb was run on NTBA while the database was down. If trust is not re-established after installdb, the signature file push can fail.
5. Check that the exporter configuration is complete on the Manager.
6. Check connectivity between the Manager and NTBA: ping the Manager IP address from the NTBA CLI. Also check whether the error message MAX CIDR COUNT IN A ZONE REACHED appears. In the 7.1.3.6 NTBA release, a known bug causes the signature file update to fail when a zone contains more than 18 CIDR elements.

NetFlow is not being received at the interface level of NTBA


Task
1. Run the ntbastat command on the IPS Sensor and see if IPS is sending NetFlow and template data as shown:
intruShell@K-1450-1> ntbastat
Core id range is not selected, Displaying ALL
Total netflows created : 12118943
Templates created : 0
TCP netflows created : 6678683
UDP netflows created : 5248569
ICMP netflows created : 191691
Total netflows sent : 12118963
Templates sent : 1291
Netflows sent via ring buffer : 0
Total active netflows : 0
Total free netflow buffers : 741
Multiple netflows count : 4245871
Total netflow allocation failures : 433421 219
Netflow creation failures due to exporting port disable : 193386
Netflow data record allocation failures : 433225 487
Total Dcap L7 fields counts : 2060721
Total Dcap Attack Id count : 611594
Total Dcap HTTP URL count : 380521
Total Dcap HTTP UserAgent count : 370342
Total Dcap HTTP Host count : 312479
Total Dcap FTP Banner count : 112
Total Dcap FTP UserName count : 71
Total Dcap SMTP Attachment count: 3
Total Dcap SMTP From count : 462
Total Dcap SMTP To count : 238
Total Dcap SMTP Banner count : 2334
Total Dcap FTP Return count : 134



Total Dcap HTTP Request count : 380563
Total Dcap HTTP Return count : 1868
2. Check that the NTBA Appliance is in good health. The appliance is healthy only when the signature file has been applied successfully and all processes are running; packets are processed only then. Verify the signature file push: select Deploy Pending Changes, select the Configuration & Signature Set checkbox for NTBA and IPS, and click Update.
3. Check whether a firewall is blocking UDP port 9996 (the NetFlow listen port shown by show pktrecvstats) on the path to the NTBA Appliance.
4. Check that the collection port IP address of the NTBA Appliance is configured on the correct physical port.
5. Check that the subnet mask of the collection port is correct.
6. Check that NetFlow between the IPS Sensor and the NTBA Appliance is not blocked by a firewall.
7. Check on the IPS Sensor that the flow source IP address is configured for the port that exports NetFlow to NTBA.
8. Check on the IPS Sensor that the gateway of the flow source port is configured correctly; it must be the next-hop IP address.
9. Check on the IPS Sensor that the ports are selected for monitoring.
10. Check that the IPS monitoring port and the NTBA collection port are up.
11. Check that the configuration and signature file update has been applied to both the NTBA Appliance and the IPS Sensor. To verify this, select Deploy Pending Changes, select the Configuration & Signature Set checkbox for NTBA and IPS, and click Update.
12. On the IPS Sensor, enable ping on the monitoring port that exports NetFlow with the set mon-port-ping-status enable command in the IPS CLI. Then, from the NTBA CLI, ping the IPS exporting port to check connectivity. Disable the option again once testing is done.
Note: This option exists only so that the IPS exporting port can be pinged from the NTBA CLI. Even when it is enabled, you cannot ping from the IPS CLI to the NTBA interface to which that exporting port is connected.
13. From the NTBA CLI, run tcpdump sec 5 and check whether NetFlow packets are received at the interface level.
14. Check that the IPS Sensor is in good health.
15. Use CLI commands such as show intf 5A (where 5A is the exporting port) to check whether flows are reaching a particular interface.
16. If these steps do not resolve the problem, see the IPS Sensor troubleshooting section to check whether the problem is on the IPS side.

If no URLs and files data are seen


Task
1. Check that the exporter is an IPS Sensor. Routers do not send L7 data.
2. Check that L7 data collection for NetBIOS, FTP, Telnet and SMTP is enabled on the IPS Sensor.
3. Check with the show nfcstats command whether L7 data is arriving in the NetFlow (Total L7 URL count and Total L7 FILE count).
4. Check with the ntbastat command on the IPS Sensor whether the IPS is sending L7 data (the Total Dcap counts).
5. Check that the IPS Sensor is in good health.

If no Application data is being received


Task
1. Check that the exporter is an IPS Sensor. Routers do not send L7 data.
2. Check that Application Identification is enabled on the IPS Sensor and that the signature file is being pushed to the IPS Sensor.
3. Check that application identification is happening on the IPS Sensor by viewing the Top Applications dashboard in the Manager.
4. Check that the IPS Sensor is in good health.



If no data is seen in the Top External Host By Reputation, Top URLs By Reputation, and Top URLs By Category monitors
Task
1. Check that DNS is enabled and configured on the device.
2. Check that DNS names are resolved, using the nslookup command.
3. From the NTBA CLI, check that trustedsource.org can be reached; run nslookup as shown:
ntbaSensor@My-NTBA> nslookup trustedsource.org
Server: 192.168.215.101
Address 1: 192.168.215.101
Name: trustedsource.org
Address 1: 216.203.40.70
4. Check that ports 443 and 80 from NTBA are not blocked by a firewall.
5. If a proxy is enabled, check that traffic from the proxy on ports 443 and 80 is not blocked by a firewall.
6. If a proxy is enabled, DNS must also be configured on the proxy so that the URL database can be downloaded.
7. Check the output of show store-url-type as shown:
ntbaSensor@My-NTBA> show store-url-type
[store url type]
Url Store Type : ONLY-DOMAIN
8. Check with the show tsstats command whether connection lookups and URL lookups are reported as successful:
ntbaSensor@My-NTBA> sho tsstats
[Trusted-Source Stats]
Trusted Source Activate Failed : 0
Trusted Source NetConfigInternal Failed : 0
Trusted Source NetConfigSetting Failed : 0
Trusted Source NetLookup Failed : 0
Trusted Source DB Download Failed : 0
Trusted Source DB Load Failed : 0
Trusted Source Create Attribute Failed count : 0
Trusted Source Create Url Failed count : 0
Trusted Source Ip Cache Insert Failed count : 38742
Trusted Source Parse Url Failed count : 0
Trusted Source Create Category Failed count : 0
Trusted Source Remove Category Failed count : 0
Trusted Source Category to Array Failed count : 0
Trusted Source Category to String Failed count : 0
Trusted Source Rate Ip Failed count : 1311
Trusted Source Rate Url Failed count : 0
Trusted Source NTBA DB Ip Updates Failed count : 0
Trusted Source NTBA DB Url Failed count : 31839
Trusted Source Conversation Drop count : 797
Trusted Source Urls Drop count : 7123
Trusted Source Conversation Send Drop count : 540
Trusted Source Urls Send Drop count : 501
Trusted Source Number of Ip's Updated : 998238
Trusted Source Number of Ips Loaded from File : 0

Trusted Source Number of Entries in Cache : 281
Trusted Source Lookup drops due to configuration : 69186302
Trusted Source Total Conv Request Count : 1007279
Trusted Source Successful Connection Lookup count : 967180
Trusted Source Total Url Request Count : 375261
Trusted Source Successful Url Lookup count : 368136
Trusted Source Conversation Cachehit Count : 85778527
Trusted Source Conversation Cache Busy Count : 182289
Trusted Source Rate cache Lookup Time : 0
Time Of Day In Seconds : 1364550961
9. Check that there are external hosts. If all hosts fall under the inside zone, no lookups happen. Configure zones appropriately, using CIDR or interface.
10. Check whether McAfee GTI lookups are failing. A failed lookup value is not shown in the Attack Log alert details.
11. Check the system events (sysevent) for any error message regarding McAfee GTI.

If no Communication alerts are seen


Task
1. Check that the Time of Day is configured correctly.
2. Check that the time zone matches the configured Time of Day value.
3. Check that the communication rule is configured for the chosen Time of Day value and that the present time falls within it when checking for the alert.

If no Behavioral alerts are seen


Behavioral alerts are informational by default. Check whether auto acknowledgment is enabled. If so, disable auto acknowledgment to see these alerts.

If no Callback Activity alerts are seen


Check that in the IPS Sensor, the forward to NTBA option is enabled at the interface level.

Antimalware system faults


Antimalware system faults might occur while you download the antimalware updates. Make sure you are connected to the
Internet while downloading and updating antimalware software and DAT updates. You can check the system events for the root
cause.

Incorrect proxy credentials

The Fault Type displays Gateway Anti-Malware signature download failure; the reasons can be:
• Incorrect proxy credentials — To resolve this issue, configure correct credentials.
• Update server is not reachable — To resolve this issue, check the network connection.

If no Anti-malware alerts are seen


Task
1. Check that in the IPS Sensor, the interface through which the traffic is sent is selected for anti-malware detection at the policy level.
2. Check that the IPS policy that is applied has anti-malware enabled for the anti-virus engine for all file types.

Advanced Malware Policies page

3. Check using the show netstat command that the NTBA Appliance is listening on port 8505.
[root@NTBA /nba]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 172.16.233.156:56837 8.18.25.6:https ESTABLISHED
tcp 0 0 172.16.233.156:ssh 172.16.233.191:ltp ESTABLISHED
tcp 0 0 172.16.233.156:8505 172.16.233.66:56329 ESTABLISHED

tcp 0 0 172.16.233.156:45709 8.18.25.6:https ESTABLISHED
tcp 0 0 172.16.233.156:36095 172.16.233.242:8502 ESTABLISHED
tcp 0 0 localhost:https localhost:60564 TIME_WAIT
tcp 0 0 172.16.233.156:33292 8.18.25.6:https ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
4. Check whether the proxy server is enabled. Anti-malware download support through the proxy server is available in release 7.5.3.14 and later.
5. Check whether the IPS Sensor is sending anti-malware files to the Gateway Anti-Malware engine of the NTBA Appliance.
6. Check using the show antimalware status command that the anti-malware service is running and is not disabled.
NTBASensor@Ladak> st
[Sensor]
System Health Status : good
Watchdog Flag : off
[Services Status]
NetflowProcessor : Running
AntiMalwareService : Running
DeviceProfiler : Running
7. Check that once an exporter is added to the NTBA Appliance, the SSL channel between the IPS Sensor and the NTBA Appliance is open and running, using the show ipsclient command as shown.
NTBASensor@Ladak> show antimalware status
[AntiMalware Engine Status]
Current Engine Status : Engine Initialized
Gateway Antimalware Engine Version : 2012.2
Gateway Antimalware Dat Version : 7001.1202.1796
Antivirus Dat Version : 7020
Antivirus Engine Version : 5400
[AntiMalware Update Status]
Last Update time : Fri Mar 29 09:55:34 2013
Last Update Status : Download Updates Success
Last Update Status Details : Nothing To Update
[AntiMalware Scan Summary]
Total Scan Requests : 0
Total Successful Scans : 0
Total Scan Failures : 0
Total Malicious Files Detected : 0
Total Clean Files Scanned : 0
[AntiMalware Cache Stats]
Number of Entries in Cache : 3
Hit Count : 47834
Last Access Time : Fri Mar 29 10:45:59 2013
Last Update Time : Wed Mar 20 13:29:12 2013
Cache Look up : Enabled
8. Check using the show antimalware status command that the DAT files are applied and updated.
9. Check using the show ipsclient command that the file is arriving at the NTBA Appliance from the IPS Sensor, that it is being scanned by the scan engine, and that the result is sent back to the IPS Sensor.
NTBASensor@Ladak> show antimalware scandetails
[Antimalware Scanning details for IPS Sensors]
--------- IPS Sensor [1] ---------------------------------------------

IPS Sensor IP : 172.16.233.66
TotalPktsReceived : 120298
TotalPktsSent : 104154
LastPktRecvdTime : Fri Mar 29 10:46:15 2013
LastPktSentTime : Fri Mar 29 10:46:15 2013
Successful scan counts : 0
Session Handle Null counts : 0
Internal Error Counts : 0
UnknownCmd received from IPS : 0
File String NULL : 0
File Data NULL : 0
Incomplete File Transfer : 0
Unknown File : 0
File Offset errors : 0
Scan Failed : 0
Md5 Mismatch : 0
Max Load on Workers : 0
NTBA Busy : 0
Memory allocation Failure : 0
File Transfer Timeout : 0
New File Count : 40604
Shared Memory Allocation Failed Count: 0
File Size Exceeded : 0
Scan Response Sent : 39889
Scan Request Received : 39889
Md5 of Last File Downloaded From IPS: 5c331f2e854935a78a439650ade2743f
10. If the anti-malware DAT updates failed, check the DNS configuration.
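A scripted version of the checks in step 8 of the reputation-monitor task above and in steps 7 and 9 of this task, added here as an example and not taken from the product guide: it parses the "Key : Value" lines that the NTBA CLI prints for show tsstats and show antimalware scandetails and reports the conditions those steps tell you to look for. The sample outputs are constructed from the figures quoted above, and the 0.9 minimum lookup success ratio is an assumed threshold, not one the guide documents.

```python
# Added example, not from the product guide: parse the "Key : Value" lines the
# NTBA CLI prints and apply the checks described above to show tsstats (step 8,
# GTI lookups) and show antimalware scandetails (steps 7 and 9, scan pipeline).
import re
# Constructed samples built from the figures quoted in the guide.
TSSTATS_SAMPLE = """[Trusted-Source Stats]
Trusted Source DB Download Failed : 0
Trusted Source Total Conv Request Count : 1007279
Trusted Source Successful Connection Lookup count : 967180
Trusted Source Total Url Request Count : 375261
Trusted Source Successful Url Lookup count : 368136"""
SCANDETAILS_SAMPLE = """IPS Sensor IP : 172.16.233.66
Scan Failed : 0
File Transfer Timeout : 0
Scan Response Sent : 39889
Scan Request Received : 39889"""

LINE_RE = re.compile(r"^\s*([^:\[]+?)\s*:\s*(.*?)\s*$")  # key : value; skips [sections]

def parse_stats(text):
    """Map every 'Key : Value' line of a CLI dump to {key: value} (strings)."""
    return {m.group(1): m.group(2)
            for m in map(LINE_RE.match, text.splitlines()) if m}

def counter(stats, key):
    return int(stats.get(key, 0))  # a counter missing from the dump counts as 0

def lookup_ratio(stats, ok_key, total_key):
    """Successful/total lookups rounded to 3 places; 0.0 when none were attempted."""
    total = counter(stats, total_key)
    return round(counter(stats, ok_key) / total, 3) if total else 0.0

def gti_lookup_findings(stats, min_ratio=0.9):
    """Step 8: DB download/load failures, and lookup success below min_ratio (assumed)."""
    findings = [k for k in ("Trusted Source DB Download Failed",
                            "Trusted Source DB Load Failed") if counter(stats, k)]
    ratios = {"connection": lookup_ratio(stats, "Trusted Source Successful Connection Lookup count",
                                         "Trusted Source Total Conv Request Count"),
              "URL": lookup_ratio(stats, "Trusted Source Successful Url Lookup count",
                                  "Trusted Source Total Url Request Count")}
    findings += [f"{n} lookup success ratio {r}" for n, r in ratios.items() if r < min_ratio]
    return findings

def scan_findings(stats):
    """Steps 7 and 9: requests arrive from the IPS Sensor, are answered and do not fail."""
    req, sent = counter(stats, "Scan Request Received"), counter(stats, "Scan Response Sent")
    findings = [] if req else ["no scan requests received from IPS Sensor"]
    if req != sent:
        findings.append(f"{req - sent} scan requests without a response")
    return findings + [k for k in ("Scan Failed", "File Transfer Timeout", "Md5 Mismatch")
                       if counter(stats, k)]
```

The same parser applies to the ntbastat output shown in the IPS Sensor troubleshooting section, since it uses the same "Key : Value" layout.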

Database issues
Run the show dbstats CLI command to show the current migration step.
If the migration takes more than an hour, do not restart the appliance. Depending on your environment and settings, migration might take a shorter or longer period to complete.
To check whether migration is complete, check system activity by running the status CLI command.
Note: Restarting the appliance is not required after migration.

IPS Sensor troubleshooting


In the IPS Sensor CLI, run the ntbastat command and check that NetFlow records are being created and that templates and NetFlow records (tcp/udp/icmp) are being sent to the NTBA Appliance.
intruShell@K-1450-1> ntbastat
Core id range is not selected, Displaying ALL
Total netflows created : 1031210
Templates created : 0

TCP netflows created : 577662
UDP netflows created : 436780
ICMP netflows created : 16768
Total netflows sent : 1031207
Templates sent : 109
Netflows sent via ring buffer : 0
Total active netflows : 3
Total free netflow buffers : 739
Multiple netflows count : 352687
Total netflow allocation failures : 35293292
Netflow data record allocation failures : 35293245
Total Dcap L7 fields counts : 132683
Total Dcap Attack Id count : 51066
Total Dcap AppId count : 81617

Upload diagnostics trace


The Diagnostics Trace action uploads a device diagnostics log from a Sensor or NTBA Appliance to your Manager server. The
diagnostics file includes debug, log, and other information that can be used to determine device or NTBA Appliance malfunctions
or other performance issues. Once uploaded to your Manager, this file can be sent through email to McAfee Technical Support
for analysis and troubleshooting advice.

Task
1. Select Devices → <Admin Domain Name> → Devices → <Device Name> → Troubleshooting → Diagnostics Trace.
Note: The <Device Name> could refer to a Sensor or an NTBA Appliance.
The Diagnostics Trace page is displayed.

Diagnostics Trace page

2. Select the Upload? checkbox if it is not already selected.


3. Click Upload.
The status appears in the Upload diagnostics Status pop-up window.

4. Click Close Window when the message "DOWNLOAD COMPLETE" appears. The trace file is saved to your Manager server at <Install Dir>\temp\tftpin\<Device Name>\trace\. Once downloaded, the file also appears in the Uploaded Diagnostics Trace Files dialog box under this action.
5. [Optional] Export a diagnostics file to a client machine by selecting the file from the Uploaded Diagnostics Files list and clicking Export. Save this file to your client machine. Saving the file is particularly useful if you are logged in remotely, need to perform a diagnostics trace, and want to send the file to technical support.

Perform an NTBA Appliance system recovery procedure


You can recover the NTBA Appliance using a DVD or USB recovery key.

Before you begin


Caution: Contact McAfee support before executing this procedure.

Recover using a USB recovery key

Task
1. Insert the NTBA USB recovery key in one of the available USB ports.
2. Restart the system.
3. Press F6 to boot from the USB key.
4. Log on as admin in the NTBA Appliance console (password - admin123).
5. Execute installntba. If you want to reinstall NTBA without reinstalling the database, execute installntbaskipdb.
6. Execute reboot.
7. Remove the NTBA USB recovery key from the port.

Recover using a DVD drive

Task
1. Insert the NTBA recovery disk in the DVD drive.
2. Restart the system.
3. Log on as admin in the NTBA Appliance console (password - admin123).
4. Run installntba.
If you want to re-install NTBA without re-installing the database, run installntbaskipdb.
5. Run reboot.
6. Remove the NTBA recovery disk from the DVD drive.

Reset the NTBA Appliance admin password to default


Before you begin
Caution: Contact McAfee technical support before executing this procedure.
The default NTBA Appliance command line interface logon id is admin and the default password is admin123. To change the default password, execute the passwd command. If you forget the changed password, you can reset the password to the default using the following procedure:

Task
1. Insert the NTBA recovery disk in the DVD drive.
Note: The default recovery disk shipped with the NTBA Appliance is version 7.1.x. It can be used to reset the admin password on 7.1 and higher versions of the NTBA Appliance software.
2. Restart the system.
3. Log on as admin in the NTBA Appliance console (password - admin123).
4. Run resetpasswd.
5. Run reboot.

6. Remove the NTBA recovery disk from the DVD drive.

Checklist for known issues


The following table lists the checklist for known issues of the Virtual NTBA Appliance:

Checklist for Known Issues

Issue                              Checklist
NTBA monitors are blank            • Check for initialization status
                                   • Check for NTBA and IPS connectivity by checking interface stats
                                   • Check exporter configuration
                                   • Check traffic on IPS ports
IPS and NTBA connectivity issues   • Check physical connectivity
                                   • Check gateway configuration
                                   • Check port status
                                   • Check management and monitor port subnets (they must be on different subnets)
Status is uninitialized            • Check if incompatible software versions are used between the Manager and the Sensor
                                   • Check if upgrade path is supported

NTBA diagnostic CLI commands


The following table lists the NTBA diagnostic CLI commands:

NTBA diagnostic CLI commands

Command                   Description
show nfcstats             Displays the number of NetFlow packets received/processed and their exporter, protocol, and L7 details.
show pktrecvstats         Displays packet statistics.
show tsstats              Displays McAfee GTI reputation lookup related statistics.
show intfport (1|2|3|4)   Displays the statistics of the monitoring interface ports.
show anomaly              Displays the zonewise anomaly detection mode (learning/detection) and the total hosts in detection mode regarding the host profiles maintained.
show route                Displays the routing table information.

COPYRIGHT
Copyright © 2021 Musarubra US LLC.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
