TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Preface 5
About this guide 5
Audience 5
Conventions 5
Find product documentation 6
1 Product overview 7
Security management of your cloud assets made easy 7
Key features 7
Components and what they do 8
5 Remediation 43
Remediate firewall rules 43
Edit the security group rules 43
Detach the security group from an instance 44
Index 61
This guide provides the information you need to work with your McAfee product.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
Cloud Workload Discovery enables you to discover, import, manage, and secure your Amazon Web
Services and Microsoft Azure virtual infrastructure using McAfee® ePolicy Orchestrator® (McAfee ePO™).
Contents
Security management of your cloud assets made easy
Key features
Components and what they do
• It synchronizes periodically with the cloud and imports the virtual infrastructure details into McAfee ePO.
• You can choose to deploy the McAfee Agent to discovered instances during discovery or afterwards. Other McAfee products can then be installed on these instances.
• It has a dashboard for viewing and monitoring the security compliance of your cloud assets.
• You can flag systems at risk and take corrective actions.
• You can view the traffic flowing to and from your AWS instances, and get traffic insights for AWS.
Key features
These features are important for your organization's security, protection, and performance.
• Security status of suspicious external connections and blocked internal connections for your AWS
instances.
Microsoft Azure — Cloud computing platform and infrastructure for building, deploying, and managing applications and services through a global network of Microsoft-managed datacenters.
Virtual Machines (VMs) — An isolated guest operating system installation running on a host operating system; supports both virtual desktops and virtual servers.
Security Groups — A virtual firewall for your AWS instances that controls inbound and outbound traffic.
Network Security Groups — A list of rules in a Microsoft Azure virtual network that allow or deny network traffic to your instances.
Azure Virtual Network — A logically isolated section of the Azure cloud dedicated to your subscription.
AWS Virtual Private Cloud — A logically isolated section of the Amazon Web Services cloud in which you launch your AWS resources in a virtual network.
Template — Snapshots or images from which you can spin up instances in the AWS and Microsoft Azure clouds.
Amazon Machine Image — Provides the information required to launch an instance.
McAfee ePO — Management software that allows you to register a cloud account, so that you can import your VMs and view them.
McAfee Agent — The client-side component providing secure communication between McAfee ePO and managed products.
For installation instructions, see the installation guide for McAfee Public Cloud Server Security Suite.
You must register your cloud accounts with McAfee ePO so that the McAfee ePO server can connect to the cloud provider. McAfee ePO then discovers, imports, and displays the cloud asset information.
After registering the cloud accounts, you can view:
• Virtual networks, templates, and firewall (security group) information for your virtual machines in Cloud Workload Discovery.
• Imported VMs and virtualization properties on the McAfee ePO System Tree.
Contents
Configuring an AWS cloud account
Configuring Microsoft Azure cloud accounts
Registered cloud account details
Task
1 Log on to your Amazon Web Services management console.
2 Select IAM to load the Identity and Access Management (IAM) dashboard.
4 Type a name for the user and select Generate an access key for each user.
5 Click Create.
6 Click Download Credentials and save the CSV file. It contains both the Access Key ID and the Secret Access Key. The secret access key is shown only at creation and cannot be retrieved from the console later, so store the file where only the administrators who register the account in McAfee ePO can read it.
Task
1 Log on to your Amazon Web Services management console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFlowLogs",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteFlowLogs",
        "ec2:DeleteSecurityGroup",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AttachVolume",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:List*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Every statement in this policy applies to all resources ("Resource": "*"), and the ec2 and logs statements include actions that change state: creating and deleting security groups, flow logs, and volumes, and modifying instance and network interface attributes. Treat the access key of this user as a privileged credential. Restrict who can read the downloaded CSV file, rotate the key if it is ever exposed, and do not reuse the user for anything other than Cloud Workload Discovery.
Task
1 Log on to your Amazon Web Services management console.
3 Select the policy that you made and then click Attach Policy.
Create an IAM role with flow logs for your AWS account
You must create an IAM role with flow log policies to access the IP traffic flow in your virtual networks.
Then you can view the IP traffic flows of your Virtual networks in Cloud Workload Discovery.
Task
1 Log on to your Amazon Web Services management console.
2 Select IAM to load the Identity and Access Management (IAM) dashboard.
3 Enter McafeeFlowLogger as the role name, then choose Next.
The role name must be exactly McafeeFlowLogger; it is case sensitive.
4 On the Select Role Type page next to Amazon EC2, click Select.
6 On the Review page, make a note of the ARN for your role. When you are ready, choose Create Role.
8 Under Permissions, expand the Inline Policies section, and then select Click here.
10 Copy this policy and paste it in the Policy Document window. Enter a name for your policy in Policy
Name, and then click Apply Policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
11 Select Edit Trust Relationship. Delete any existing policy document. Copy and paste this policy, and click
Update Trust Policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
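The three policy documents above (the policy for the access-key user, the inline policy of the McafeeFlowLogger role, and that role's trust policy) are the whole of what Cloud Workload Discovery is granted in the AWS account, so they are worth checking before they are pasted into the console. The following script is an added example, not McAfee's code: it embeds the three documents from this guide (with the missing closing quote on "ec2:DetachVolume" restored) and answers the questions a reviewer asks of them: which actions the user can actually call, which state-changing actions are allowed on every resource, and who may assume the flow-log role. The set of "write" verbs and the idea that a trust policy should name exactly one service principal are this example's own assumptions, not McAfee requirements.

```python
"""Least-privilege audit of the IAM policy documents in this guide (added example)."""
import fnmatch

# Policy attached to the access-key user, copied from the guide (DetachVolume quote fixed).
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Resource": ["*"], "Action": [
        "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DescribeLogGroups",
        "logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents",
        "logs:CreateLogStream", "logs:PutLogEvents"]},
    {"Sid": "", "Effect": "Allow", "Resource": ["*"], "Action": [
        "ec2:Describe*", "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateFlowLogs",
        "ec2:CreateSecurityGroup", "ec2:DeleteFlowLogs", "ec2:DeleteSecurityGroup",
        "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
        "ec2:AttachVolume", "ec2:CreateTags", "ec2:CreateVolume",
        "ec2:DeleteVolume", "ec2:DetachVolume"]},
    {"Sid": "", "Effect": "Allow", "Resource": ["*"], "Action": ["iam:GetUser"]},
    {"Sid": "", "Effect": "Allow", "Resource": ["*"], "Action": [
        "kms:DescribeKey", "kms:Encrypt", "kms:List*"]},
]}

# Inline policy of the McafeeFlowLogger role, copied from the guide.
FLOW_LOG_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
        "logs:DescribeLogGroups", "logs:DescribeLogStreams"]}]}

# Trust policy of the McafeeFlowLogger role, copied from the guide.
FLOW_LOG_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "vpc-flow-logs.amazonaws.com"}}]}

# Assumption of this example: an action whose name starts with one of these verbs changes state.
WRITE_VERBS = ("Create", "Delete", "Put", "Modify", "Authorize", "Revoke",
               "Attach", "Detach", "Encrypt")


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]


def allows(policy, action):
    """True if the policy grants `action` on at least one resource.

    Action patterns are matched the way IAM matches them: case-insensitively,
    with '*' and '?' wildcards. A matching explicit Deny overrides any Allow.
    """
    allowed = denied = False
    for stmt in _as_list(policy["Statement"]):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt.get("Effect") == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def wildcard_write_actions(policy):
    """State-changing actions the policy allows on every resource ("*")."""
    hits = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.split(":", 1)[-1]          # strip the service prefix
            if name == "*" or name.startswith(WRITE_VERBS):
                hits.append(action)
    return hits


def trusted_principals(trust_policy):
    """Principals allowed to call sts:AssumeRole under the trust policy."""
    principals = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:assumerole", p.lower())
                   for p in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                          # anyone: always a finding
            principals.add("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            principals.update(_as_list(principal.get(kind, [])))
    return principals


if __name__ == "__main__":
    for probe in ("ec2:DescribeInstances", "ec2:RunInstances", "iam:CreateUser", "kms:Decrypt"):
        print(f"user may call {probe}: {allows(USER_POLICY, probe)}")
    print("write actions on '*' for the user:", wildcard_write_actions(USER_POLICY))
    print("write actions on '*' for the role:", wildcard_write_actions(FLOW_LOG_ROLE_POLICY))
    print("who can assume McafeeFlowLogger:", trusted_principals(FLOW_LOG_TRUST_POLICY))
```

The probes show the useful negative results: the user cannot launch instances or create IAM users, and the role can only write to CloudWatch Logs and can only be assumed by the VPC Flow Logs service. The 20 state-changing actions on "*" in the user policy are the part to review with the account owner; the guide does not say which of them each feature needs, so scoping them is a decision for your environment.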
• AWS users must have an access key ID and a secret access key set up for them in the
AWS console.
• To view IP traffic flows in your virtual network, the account you are registering with
McAfee ePO should have an IAM role with flow log policies.
• You must have installed the Cloud Workload Discovery extension on McAfee ePO.
• Make sure that your McAfee ePO system date and time is synchronized with internet
date and time.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account to open the Add
Cloud Account page.
3 From the Choose Connector drop-down list on the Description page, select Amazon Web Service, then click
OK.
• Name — Type a name for the AWS account in McAfee ePO. Account names can include characters
a-z, A–Z, 0–9, and [_.-], without space.
• Secret Access Key — Type the secret access key to log on to AWS.
Each user can be configured to have an access key ID and secret access key in the AWS console.
• Tags — List of McAfee ePO tags that are applied on VMs discovered for this AWS account. Tag
name can include characters a-z, A–Z, 0–9, and [_.-], with space. For details about Tag usage,
see the product documentation for your version of McAfee ePO.
• Sync interval (In Minutes) — Specify the interval for McAfee ePO to AWS synchronization (the default
value is 5 minutes. The maximum value is 60 minutes). If you specify the sync interval as 5
minutes, the next sync is scheduled 5 minutes after the completion of the current sync.
5 Select the Enable GovCloud option if the AWS account belongs to the AWS GovCloud (US) region; otherwise, leave it deselected.
6 Select Enable Traffic Discovery to discover and view traffic flow logs for instances in your AWS accounts.
7 Click Validate Parameters to validate the account details and verify the connection to the AWS cloud.
8 (Optional) To deploy McAfee Agent to the registered VMs, select Auto deploy McAfee Agent on VMs, then type the credentials used to deploy the McAfee Agent package.
Make sure that the McAfee ePO server and the VMs in the AWS cloud can communicate with each
other.
This action registers the AWS cloud and imports all discovered VMs, which are unmanaged, into the
System Tree. The instances are imported with the structure and hierarchy of the AWS cloud. The
VMs that are already added and managed by McAfee ePO are retained with the existing policy
settings.
• Select Menu | Systems | System Tree in McAfee ePO. You can find your AWS account under the group AWS. The virtual machines from AWS are logically grouped in the hierarchy AWS | Cloud account name | Region | Availability zone | Instances.
• For Microsoft Azure classic account: You can view your cloud account details in System Tree.
• By running the PowerShell scripts described in KB87316. These scripts automate the steps to create the application and obtain the tenant ID, client ID, and client key; the values are written to the file MicrosoftAzurecloudaccountdetails.txt.
Task
1 Log on to the Microsoft Azure portal and select Active Directory from the left pane.
2 Select the directory that you want to use for creating the application.
4 On the What do you want to do? page, select Add an application my organization is developing.
5 Type a name for your application and select WEB APPLICATION AND/OR WEB API and click Next.
6 Type the properties for your application. For SIGN-ON URL, give the URI to a website that describes
your application. The existence of the website is not validated. For APP ID URI, provide the URI that
identifies your application. The uniqueness or existence of the endpoint is not validated.
• Select the application that you created and click the Configure tab to see your Client ID.
• Click the VIEW ENDPOINTS button on the bottom pane to open the App Endpoints page. Your Tenant ID is the identifier that appears in each of the endpoint URLs listed on this page.
Task
1 Log on to the Microsoft Azure portal.
2 Select the application that you created and click the Configure tab.
3 Scroll down to the Keys section and select how long you would like your password to be valid. Select
the duration and click Save to create the key.
Copy the key displayed in the application. You won't be able to retrieve it after you leave this page.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select the application that you created, then click the Configure tab.
4 From the list in the Name field, select Windows Service Management API, then click Complete.
5 In the Permissions to other applications section, for Windows Azure Service Management, set the Delegated Permissions to Access Azure Service Management as organization.
• Configure Client key for your application and set the delegated permissions.
Task
For details about product features, usage, and best practices, click ? or Help.
4 Click Add users, search for your application, click Select, then click OK.
• Get Client ID and Tenant ID from the Microsoft Azure console after creating the
application.
• Assign the newly created application to a role and to your Microsoft Azure cloud account
subscription.
• You must have installed the Cloud Workload Discovery extension on McAfee ePO.
• Make sure that your McAfee ePO system date and time is synchronized with internet
date and time.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.
3 From the Choose Connector drop-down list, select Microsoft Azure, then click OK.
• Name — A name for the Azure account in McAfee ePO. Account names can include characters a–
z, A–Z, 0–9, and [_.-], without space.
The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud
provider.
• Subscription ID — Type your subscription ID. This is the ID that you get for your Microsoft Azure
subscription.
• Tenant ID — Type the unique ID of the organization in Microsoft Azure Active Directory.
• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag
name can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage,
see the product documentation for your version of McAfee ePO.
• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud (the
default value is 5 minutes. The maximum value is 60 minutes). If you specify the sync interval
as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.
5 Click Validate Parameters to validate the account details and verify the connection to the cloud.
6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task, then type the credentials used to deploy the McAfee Agent package.
This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are
unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of
the Azure cloud.
The VMs that are already added and managed by McAfee ePO are retained with the existing policy
settings.
• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account
under the group Azure. The VMs from each Microsoft Azure account are logically grouped under
different geographical zones in McAfee ePO.
• You must have installed the Cloud Workload Discovery extension on McAfee ePO.
• You must have your JKS or PFX certificate and Keystore Password for your Microsoft
Azure classic account. See Microsoft Azure documentation for more details.
• Make sure that your McAfee ePO system date and time is synchronized with internet
date and time.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.
3 From the Choose Connector drop-down list, select Microsoft Azure Classic, then click OK.
4 On the Microsoft Azure Classic Account Details page, type these details:
• Name — A name for the Azure account in McAfee ePO. Account names can include characters a–
z, A–Z, 0–9, and [_.-], without space.
The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud
provider.
• Keystore (JKS/PFX) containing private key of management certificate — Upload your JKS or PFX keystore. It holds the private key of the management certificate for your subscription, so protect the file and its password accordingly.
• Keystore Password — Type the password you specified for the JKS or PFX file.
For details about creating a .pfx file, see the Microsoft Azure documentation.
• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag
name can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage,
see the product documentation for your version of McAfee ePO.
• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud (the
default value is 5 minutes. The maximum value is 60 minutes). If you specify the sync interval
as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.
5 Click Validate Parameters to validate the account details and verify the connection to the cloud.
6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task, then type the credentials used to deploy the McAfee Agent package.
This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are
unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the
Azure cloud.
The VMs that are already added and managed by McAfee ePO are retained with the existing policy
settings.
8 View the imported VMs: select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account under the group Azure. The VMs from each Azure account are logically grouped under different geographical zones in McAfee ePO.
Property — Description
Name — Name of your cloud account.
Type — Name of the cloud account vendor.
Last Successful Sync — Displays the date and time of the last successful synchronization between McAfee ePO and your cloud account.
Last Sync Status — Displays the last synchronization status: Sync Scheduled, Success, In Progress, or Failure. Hover your mouse over this property to see the start and end times of the account synchronization. If the synchronization is in progress, only the start time is shown.
Total VMs — Displays the number of VMs discovered for this account.
Running VMs — Displays the number of VMs that are up and running in this account.
Managed VMs — Displays the number of VMs that are managed by McAfee ePO.
Auto Deploy MA — Specifies whether the administrator has enabled the Auto deploy McAfee Agent task for the registered cloud account.
Tags — Displays the tags of the VMs.
Actions — You can edit, delete, and synchronize the cloud account from McAfee ePO. When you delete an account, you have these options:
• Delete System Tree group corresponding to this account — Deletes all virtual machines and groups from this account.
• Delete Tags — Deletes the McAfee ePO tags for this account.
If you select neither option, this action deletes only the account details.
To distinguish VMs imported by the Cloud Workload Discovery from other systems in the System Tree,
check for the tags of the system. The VMs imported are tagged with dc_vm_auto.
Property — Description
System Name — Displays the name of the VM.
Managed State — Specifies whether the system is managed by McAfee Agent.
Tags — Displays the tags applied to this VM.
IP Address — Displays the IP address of the VM.
User Name — Displays the user name of the user logged on to the system.
Last Communication — Displays the time of the last synchronization.
You can view more details of your AWS account by selecting and adding the required column using the
Choose Columns option under System Tree | Actions. By default, these columns don't appear under System
Tree.
Property — Description
Vendor Name — Displays the name of the cloud vendor.
Account Name — Displays the name of the cloud account.
Unique ID — Displays the unique ID of the instance.
Power Status — Displays whether the instance is turned on or off.
Instance ID — Displays the unique value assigned to the instance by AWS.
Instance Name — Displays the instance name as shown in the AWS console.
Image ID — Displays the ID of the Amazon Machine Image from which the instance was created.
Private DNS name — Displays the private DNS name from AWS.
Public DNS name — Displays the public DNS name from AWS.
State Transition Reason — Displays the reason, as reported by AWS, for the instance's most recent state change.
Key Name — Displays the name of the key pair specified when the instance was launched.
Instance Type — Displays the hardware configuration selected for the instance at launch.
Launch Time — Displays the time the instance was launched in AWS.
Availability Zone — Displays the Availability Zone (within a region) in which the instance was created in AWS.
Platform — Specifies whether the platform is Microsoft Windows or Linux.
Private IP Address — Displays the private IP address from AWS.
Public IP Address — Displays the public IP address from AWS, which McAfee ePO uses to reach the instance.
VPC ID — Displays the Amazon Virtual Private Cloud ID.
MAC Address — Displays the MAC address of the instance's network interface in the Amazon Virtual Private Cloud.
Architecture — Displays the processor architecture, for example x86_64 or i386.
Virtualization Type — Displays the virtualization type of the VM: HVM or paravirtual.
Tags — Displays the tags of the VMs.
Security Groups — Displays the security groups to which the instance is attached in AWS.
Network Interfaces — Displays details about all network interfaces associated with the EC2 instance.
You can view the virtualization properties of the selected virtual machine by navigating to Menu |
Systems | System Tree and double-clicking the target virtual machine.
To distinguish VMs imported by the Cloud Workload Discovery from other systems in the System Tree,
check for the tags of the system. The VMs imported are tagged with dc_vm_auto.
VMs from your Microsoft Azure Classic accounts and Microsoft Azure accounts are displayed here.
Property — Description
System Name — Displays the name of the VM.
Managed State — Specifies whether the system is managed by McAfee Agent.
Tags — Displays the tags applied to this VM.
IP Address — Displays the IP address of the VM.
User Name — Displays the user name of the user logged on to the system.
Last Communication — Displays the time of the last synchronization.
You can view more details of the cloud accounts by selecting and adding the required columns using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.
From Choose Columns, select Vendor to see the name of the vendor for your cloud account.
Property — Description
Vendor Name — Displays the name of the cloud account vendor.
Account Name — Displays the name of the account in McAfee ePO.
Power Status — Displays whether the system is in the running or stopped state.
Created Time — Displays the time when the instance was created.
Image ID — Displays the unique image value provided to the instance by the cloud account.
Instance ID, Unique ID — Displays the unique value provided to the instance by the cloud account.
Instance Size — Displays the hardware configuration selected for the instance at launch.
IP Address — Displays the IP address from the cloud account.
Last Modified Time — Displays the time when the instance was last modified in the cloud account.
Location — Displays the location of the instance.
Platform — Specifies whether the platform is Microsoft Windows or Linux.
Public DNS — Displays the public DNS name from the cloud account.
Virtual IP Address — Displays the virtual IP address of the instance.
Network Security Group — Displays the network security group associated with this instance.
Instance Endpoints — Displays the instance endpoints.
You can view the virtualization properties of the selected VM by navigating to Menu | Systems | System
Tree. Double-click the target VM and click the Virtualization tab.
Integrate and manage firewall and anti-malware policies using McAfee ePO software.
McAfee ePO provides centralized policy management and enforcement of your McAfee security
products and the systems where they are installed. It also provides comprehensive reporting and
product deployment capabilities through a single point of control.
Contents
Cloud Workload Discovery policies on McAfee ePO
Where to find policies
Create a new firewall policy
Create a new anti-malware policy
Assign custom policies to systems in your network
Category — Description
Assessment Rules - Firewall — This policy defines the firewall settings for the systems. You can set inbound rules for the systems. It also defines how the systems are flagged if they violate the specified rules.
Assessment Rules - Anti-Malware — This policy defines how the systems are flagged if McAfee anti-malware products are not installed.
Each policy category includes McAfee Default and My Default policies. Initially, the settings for both
policies are the same. You can use policies as is, edit My Default policies, or create policies.
Policy — Description
McAfee Default — Defines the out-of-the-box policy that takes effect if no other policy is applied. You can duplicate this policy, but you can't delete or change it.
• Create policies.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Discovery.
4 Select New Policy, type a name for the policy, then click OK.
You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't
editable.
6 Specify which inbound firewall rules can come from which IP addresses and their severities.
Option — Definition
If inbound firewall rule to port — Select the inbound port from the list.
Is from — Enter the source IP address.
Then flag as — Select Critical or Warning.
7 Click Save.
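A firewall assessment rule has the three fields above: an inbound port, a source, and a flag. The script below is an added example, not McAfee's code and not the format in which McAfee ePO stores the policy; it shows what evaluating such rules against a security group involves, using a constructed security group in the shape the EC2 DescribeSecurityGroups API returns. The matching semantics are this example's own assumption: a security group rule violates an assessment rule when it admits traffic to the assessed port (a port range or an all-traffic rule counts) from a source range that is the assessed source or wider. The assessment rules, group ID and rules are constructed.

```python
"""Evaluate a security group's inbound rules against port/source/flag assessment rules (added example)."""
import ipaddress

SEVERITY = {"Critical": 2, "Warning": 1}

# Constructed assessment rules: inbound port, source, flag (the three policy fields).
ASSESSMENT_RULES = [
    {"port": 22,   "from": "0.0.0.0/0",  "flag": "Critical"},
    {"port": 22,   "from": "::/0",       "flag": "Critical"},
    {"port": 3389, "from": "0.0.0.0/0",  "flag": "Critical"},
    {"port": 1433, "from": "10.0.0.0/8", "flag": "Warning"},
]

# Constructed security group; only the IpPermissions fields used here are present.
SECURITY_GROUP = {"GroupId": "sg-0123456789abcdef0", "GroupName": "app-tier", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    # A wide port range hides an RDP exposure that a port-equality check would miss.
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # All traffic, but only from one internal subnet: not a violation of the rules above.
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.1.0/24"}]},
    # SSH open to the whole IPv6 internet; an IPv4-only check would miss it.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}


def opens_port(perm, port):
    """True if the permission entry admits traffic to `port`."""
    proto = perm["IpProtocol"]
    if proto == "-1":                      # EC2 value for all protocols and all ports
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False                       # ICMP and others carry no port
    return perm["FromPort"] <= port <= perm["ToPort"]


def sources(perm):
    """IPv4 and IPv6 source networks of a permission entry (security-group references are ignored)."""
    nets = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
    nets += [ipaddress.ip_network(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    return nets


def assess(group, rules):
    """One finding per (permission entry, assessment rule) violation, in group order."""
    findings = []
    for perm in group["IpPermissions"]:
        for rule in rules:
            if not opens_port(perm, rule["port"]):
                continue
            assessed = ipaddress.ip_network(rule["from"])
            for src in sources(perm):
                # supernet_of() is True when src equals the assessed range or contains it.
                if src.version == assessed.version and src.supernet_of(assessed):
                    findings.append({"group": group["GroupId"], "port": rule["port"],
                                     "protocol": perm["IpProtocol"], "source": str(src),
                                     "flag": rule["flag"]})
    return findings


def worst_flag(findings):
    """Overall flag for the group, the way the dashboard colours an asset by its worst violation."""
    if not findings:
        return None
    return max((f["flag"] for f in findings), key=SEVERITY.get)


if __name__ == "__main__":
    results = assess(SECURITY_GROUP, ASSESSMENT_RULES)
    for f in results:
        print(f"{f['flag']:8} {f['group']}: port {f['port']} open to {f['source']} ({f['protocol']})")
    print("overall:", worst_flag(results))
```

Running it reports the open SSH rule (IPv4 and IPv6), the 3000-4000 range that covers RDP, and the SQL Server port open to all of 10.0.0.0/8 as a Warning, and leaves the HTTP rule and the all-traffic rule from a single /24 alone. If you prefer to flag any overlap with the assessed source rather than only ranges that contain it, replace supernet_of() with overlaps(); the trade-off is more findings for rules that are already narrow.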
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Discovery.
You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't
editable.
6 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Systems | System Tree, then select your group of systems from the hierarchy.
3 From the Assigned Policies, you can see policies assigned to these systems. Click Edit Assignment.
4 Select Break inheritance and assign the policy and settings below for Inherit from.
5 Select your custom policy from the Assigned Policy list, then specify the values for other fields.
6 Click Save.
After configuring and registering the cloud accounts with McAfee ePO, you can view your cloud account
information from Menu | Systems | Cloud Workload Discovery.
This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure
assets and their hierarchy.
The left Issues pane highlights any immediate issues or violations on your firewall settings or your IP
traffic settings.
The user interface is intuitive: you can expand and collapse the menus and select filters to view what you want.
Contents
Problems or issues with your firewall settings or traffic
Viewing account properties
Instance properties
Security group information for your instance
McAfee anti-malware details on your instance
Traffic details for your instance
Apply McAfee ePO tags to VMs in your network
• Traffic issues
• Suspicious external connections
• Templates
• Select the Virtual network and you can see the workloads under that Virtual Network.
• If you select the VM, you can see the system properties for that VM.
• If you have any VMs which are not grouped under any VPC, they are placed under Ungrouped VMs for
AWS instances.
By default, only the virtual networks in your account that have at least one running instance are listed. To view all instances in your account, running or stopped, select the Show All filter.
By default the hierarchy shown is Accounts | Virtual Networks | Workload. To see the templates in your virtual networks, select the Group by Templates filter.
• Yellow - Warning
Templates and workloads that violate the security policies are classified as Critical or Warning and color-coded accordingly. The classification depends on how you defined your policies in the McAfee ePO Policy Catalog. If any one instance or template in a virtual network violates the security policies, the virtual network is classified as Critical and color-coded red.
Instance properties
View the properties of your virtual systems from your cloud account.
Property — Definition
Location — Displays the region of the instance as shown in your cloud account.
Instance ID — Displays the instance ID as shown in your cloud account.
Instance Name — Displays the instance name as shown in your cloud account.
Instance Type — Displays the hardware configuration selected for the instance at launch.
Platform — Displays whether the platform is Microsoft Windows or Linux.
Private DNS Name — Displays the private DNS name from the cloud account.
Private IP Address — Displays the private IP address from the cloud account.
Public DNS Name — Displays the public DNS name from the cloud account.
Public IP Address — Displays the public IP address from the cloud account.
McAfee ePO Managed — Displays whether this instance is managed by McAfee ePO.
Virtual Network ID — Displays the ID of the virtual network of this instance.
Power Status — Displays whether this instance is running or stopped.
McAfee ePO Tags — Displays the McAfee ePO tags for this instance.
See also
Apply McAfee ePO tags to VMs in your network on page 41
Some VMs in Microsoft Azure accounts might not be associated with any security groups.
To view the rules in each security group, click Edit or double click the security group.
Cloud Workload Discovery checks for the presence of McAfee anti-malware software such as McAfee VirusScan Enterprise or McAfee VirusScan Enterprise for Linux.
If the product is installed on the instance, you can view these McAfee VirusScan Enterprise properties:
• McAfee Access Protection
• Buffer Overflow Detection
• On-Access ScriptScan
You can see if any of these properties are either enabled or disabled. For details see the product guide
for McAfee VirusScan Enterprise or McAfee VirusScan Enterprise for Linux.
To install a McAfee anti-malware product (McAfee VirusScan Enterprise or McAfee VirusScan Enterprise for Linux) on your instances, you can use McAfee ePO tags: tag the system with the McAfee ePO tags associated with the product deployment tasks for these products. For information about product deployment tasks and tags, see the product guide for your version of McAfee ePO.
See also
Apply McAfee ePO tags to VMs in your network on page 41
The traffic displayed here covers the last seven days, or the period since you installed the extension if
that is shorter. The traffic records are retained in McAfee ePO for 7 days.
On the AWS Management Console, we enable the VPC flow log service and create a flow log named
log_Mcafee_regionname for each region. You can view this flow log under the Flow Logs section of your
VPC on the AWS Management Console.
Property Definition
Traffic Displays the number of blocked, inbound, and outbound connections to this instance.
Status Displays if this traffic is blocked or allowed.
Direction Displays if the traffic is Inbound (N-S), Outbound (N-S), Inbound (E-W), Outbound (E-W),
Bi-Directional (E-W), Bi-Directional (N-S).
From/To Displays the source IP address or the destination IP address for the traffic to this instance.
Port Displays the port number.
Protocol Displays the protocol name.
If an instance receives traffic from multiple IP addresses with the same port, protocol, status, and
direction, the From/To field lists all of those IP addresses. You can view the individual IP addresses by
generating a report from Queries and Reports.
You can unblock your internal connections and block your external connections by remediating your
security groups. Click Firewall (Security Groups) to open the security groups associated with this instance.
See also
Create custom queries on page 48
Remediate firewall rules on page 43
Task
Use this option to apply tags to your VM. You can manage your tags from Menu | Systems | Tag Catalog.
For details about managing tags, see the product documentation for your version of McAfee ePO. For
details about product features, usage, and best practices, click ? or Help.
5 Specify a name for your tag and click the green check mark.
• Issues: Select Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings,
select a system and select Security | Security Groups | View details.
• Accounts | Virtual Networks, then select a VM. You can view and correct the firewall rules from Security |
Security Groups | View details.
• For AWS instances, select Accounts | Virtual Networks | Workloads, then select a VM. You can view and
correct the firewall rules from Traffic | View details | Firewall (Security Groups).
Tasks
• Edit the security group rules on page 43
Change the rules in your security group policy and secure your critical instances.
• Detach the security group from an instance on page 44
To secure your critical systems, remove the association of the security group to your AWS
instance.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select the critical system and its security group policy from:
• Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings
• Menu | Systems section | Cloud Workload Discovery | Accounts | Virtual Networks | Workloads then select a VM.
Select Security | Firewall (Security Groups)
3 Click View details to see security groups, select one and click Edit to edit the security group policy. The
non-compliant rules are highlighted by a red dot.
4 Edit the security group rules by changing Type, Protocol, Port range, or Source. For Microsoft Azure
instances, you cannot edit rules that have Access as Deny.
5 While editing Source, you can choose Anywhere to allow connections from all traffic or Custom IP to
provide an IP address or range that you want to allow. For AWS instances you can also provide the
security group for which you want to allow traffic.
• A security group that is associated with this workload can also be associated with many NICs.
• You cannot detach a security group if it is the only security group associated with a NIC.
• You can detach a security group only from your AWS instances.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select the critical system and its security group policy from:
• Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings
• Menu | Systems section | Cloud Workload Discovery | Accounts | Virtual Networks | Workloads then select a VM.
Select Security | Firewall (Security Groups)
3 Click View details to see security groups associated with this instance.
4 Select one of them and click Detach to detach the security group policy from this instance.
You can see the detach failure or success details in Menu | User Management | Audit Log.
With Cloud Workload Discovery, you can quickly generate a summary view of all registered Data
Centers.
The predefined queries and dashboards provide out‑of‑the‑box functionality, because they are added to
your McAfee ePO server when the software is installed. You can configure these queries to display
results in charts or tables, which you can use as dashboard monitors. Query results can be exported to
several formats, which you can download or send as an attachment to an email message.
You can view the list of predefined queries for the Data Centers from Queries and reports | McAfee Groups |
Data Center.
You can view the list of predefined queries for the public cloud accounts from Queries and reports | McAfee
Groups | Public Cloud.
Contents
Predefined queries
Create custom queries
Dashboards and monitors
Predefined queries
You can use predefined queries as is, edit them, or create queries from events and properties stored in
the McAfee ePO database.
To create custom queries, your assigned permission set must include the ability to create and edit
private queries.
Query Definition
Anti-Malware Status Specifies whether the system is in one of these states:
• Application Control Enabled — These VMs have McAfee® Application Control installed
and enabled.
• Only Anti-Virus Enabled — These VMs have a McAfee anti-malware product installed
and enabled.
• Unprotected — These VMs don't have any McAfee anti-malware product enabled.
Host Firewall Status Specifies whether the system is in one of these states:
• Firewall Enabled — These VMs have McAfee® Host Intrusion Prevention (McAfee
Agent-based) installed.
• Not in use — These VMs don't have McAfee Host Intrusion Prevention (McAfee
Agent-based) installed.
OS Distribution The OS Type shows the template value selected while creating the VMs. However, it
might not be the actual operating system installed on the VM.
Boot Attestation Status of Hypervisors Displays the boot attestation status of VMs. For details, see the
product documentation for McAfee® Boot Attestation Service.
Usage Metering Report Displays the usage of cloud accounts in number of hours per month.
• CPU cores->Usage Month — Specifies whether the CPU cores used are single, dual, or quad
core plus, and the usage month.
• Sum of: Hours used — Specifies the sum of usage hours.
Endpoint Scan Report Displays the details of the last scan of the endpoints.
Best Practice: To get accurate data in this report, first run the Data Center: Compute
Endpoint Reports server task from Menu | Automation | Server Tasks.
Instance Assessment Status Displays the number of instances that are classified as critical and the
number of instances that are classified as warning.
Data Protection per Cloud VM Displays the number of VMs that are encrypted and not encrypted.
Task
For details about product features, usage, and best practices, click ? or Help.
3 From the Groups pane, select Data Center to display the queries for the selected group. Reports are
grouped under McAfee Groups.
5 In the query results page, click any item in the results to drill down further.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Reporting | Queries & Reports, then click Actions | New to open the Query Builder wizard.
3 To view Usage Metering records, select Public Cloud on the Feature Group list and, on the Result Type page,
select Usage Metering records, then click Next.
If you have upgraded from 3.6.1 to this version, you can also see Usage Metering Report - Legacy to view
the old usage metering reports.
4 To view IP traffic reports for your AWS instances, select Data Center on the Feature Group list and on the
Result Type page, select Amazon Network Traffic Logs, then click Next.
5 Select the type of chart or table to display the primary results of the query, then click Next to open
the Columns page.
If you select Boolean Pie Chart, you must configure the criteria to include in the query.
6 Select the columns to include in the query, then click Next to open the Filter page.
If you had selected Table on the Chart page, the columns you select here are the columns of that
table. Otherwise, these are the columns that make up the query details table.
content pane with operators that can specify criteria to narrow the data that is returned for that
property.
• If the query does not return the expected results, click Edit Query to go back to the Query Builder
and edit the details of this query.
• If this is a query you want to use again, click Save and continue to the next step.
8 On the Save Query page, type a name for the query, add any notes, and select one of these options:
• New Group — Type the new group name and select whether the group is private or public.
• Existing Group — Select the group from the list of Shared Groups.
9 Click Save.
• The Public Cloud dashboard displays the collection of monitors for default public cloud account
queries.
• OS Distribution — Displays the operating system type. It shows the template value selected while
creating the VMs. However, it might not be the actual operating system installed on the VM.
• Security Incidents (last 14 days) — Specifies events reported for these components on the VMs in the last
14 days.
• Application Control
• Antivirus
• Firewall
• Memory Protection
• Only Anti-Virus Enabled — These VMs have a McAfee anti-virus product installed and enabled.
• Unprotected — These VMs don't have any McAfee anti-malware product enabled.
• Not in use — These VMs don't have McAfee Host Intrusion Prevention installed.
• File Integrity Monitoring Status — Displays the number of VMs with File Integrity Monitoring (FIM)
installed and enabled.
• Enabled — File Integrity Monitoring is enabled on these VMs.
For more details about FIM, see the product documentation for McAfee Change Control.
• Instance Assessment status — Displays the number of instances that are classified as critical and the
number of instances that are classified as warning.
• Data protection per Cloud VM — Displays the number of VMs that are encrypted versus the number of
VMs that are not encrypted.
• Encrypted — These VMs are encrypted.
• Usage Metering Report — Displays the usage of running AWS and Microsoft Azure cloud instances, in
number of hours per month.
You can see how many hours are used by your single core, dual core, and your quad core instances
for every month.
• Application Reputation — Categorizes the applications based on McAfee GTI file reputation.
• Good
• Bad
• Unclassified
This dashboard retrieves data from the McAfee Application Control extension.
For details about file reputation, see the product documentation for McAfee Application Control.
• Boot Attestation Status for Hypervisors — Displays the Boot Attestation status of vCenter hypervisors. For
details, see the product documentation for Boot Attestation Service.
• Endpoint Scan Report — Displays the last scan details of the endpoints. This report is run every eight
hours.
• Endpoint — Displays the name of the endpoint.
• Last Scan — Displays the last on-demand scan time for an endpoint with different anti-virus
software.
Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports
server task from Menu | Automation | Server Tasks.
• Endpoint Security Report — Displays the protection status of the endpoints. This report is run every
eight hours.
• Endpoint — Displays the name of the endpoint.
• VM Classification — Specifies if the VM is a part of public (Cloud Machine) or private (Virtual Machine)
cloud.
• Vendor — Displays the name of the cloud service provider of the endpoint.
• AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software that
is installed on the endpoint.
• Firewall — Displays the name of the McAfee software with the firewall protection active on the
endpoint.
• Access Protection — Displays the name of the McAfee software that provides access protection.
• Memory Protection — Displays the name of the McAfee software that provides memory protection.
• Last Communication — Displays the time details of the last server-client communication.
Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports
server task from Menu | Automation | Server Tasks.
Installation
Can I install McAfee Agent on AWS instances using the McAfee ePO Agent Deployment URL
feature and Amazon User Data?
Yes. For details, see KB85233.
Can I use scripts for Puppet, Chef, or Amazon OpsWorks to install and configure security
solutions offered by Intel Security?
Yes.
• For Puppet sample scripts, see KB82585.
Configuration
How do I troubleshoot AWS instance connectivity issues?
See AWS documentation.
How many cloud accounts can I register under one McAfee ePO server?
There is no limit to the number of cloud accounts that can be registered under one McAfee ePO
server.
How do I get a subscription ID and JKS or PFX certificate for a Microsoft Azure classic
account?
See Microsoft Azure documentation.
How do I get the subscription ID, tenant ID, and client ID?
You can get your client ID, tenant ID, and subscription ID after creating an application. You also need
to configure your client key. You can create the application by following the steps listed in Create an
application in the Microsoft Azure console. You can also run PowerShell scripts that automate
this process. For details, see KB87316.
A firewall policy rule that has port set to any and IP address set to 0.0.0.0/0 matches which
criteria?
This firewall policy rule matches the following:
In AWS,
Port IP
All Anywhere (0.0.0.0/0)
0-65535 Anywhere (0.0.0.0/0)
In Azure,
Port IP
* *
0-65535 *
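As an added example (not product code) illustrating both the matching rule in this answer and the Edit and Detach tasks for security groups earlier in the guide: a Python check that flags "any port from anywhere" rules in AWS and Azure, builds the tightened Custom IP replacement rule, and refuses a detach that would leave a NIC with no security group. The AWS entries follow the IpPermissions structure returned by EC2 DescribeSecurityGroups; the Azure dicts are a simplified stand-in for the NSG rule fields the guide mentions (Access, port range, source); all sample data is constructed.

```python
"""Flag open security group rules, propose the tightened rule, and check
whether a security group can be detached.

Added example, not Cloud Workload Discovery code. Assumptions: AWS rules in
the IpPermissions shape from EC2 DescribeSecurityGroups; Azure rules as
simplified dicts (access, destination_port_range, source_address_prefix).
'Unsafe' follows the FAQ: any port (All / 0-65535 / *) with any source
(0.0.0.0/0 / *).
"""
import ipaddress

ANY_SOURCES = {"0.0.0.0/0", "::/0", "*", "Internet"}


def aws_rule_is_open(perm):
    """True if an AWS IpPermissions entry allows any port from anywhere.
    IpProtocol '-1' means all protocols and all ports (no FromPort/ToPort)."""
    proto = perm.get("IpProtocol")
    any_port = proto == "-1" or (perm.get("FromPort", 0) == 0 and perm.get("ToPort") == 65535)
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
              [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any_port and any(s in ANY_SOURCES for s in sources)


def azure_rule_is_open(rule):
    """True if an Azure NSG rule with Access=Allow covers any port from any source.
    Deny rules are never flagged (the guide says they cannot be edited here)."""
    if rule.get("access") != "Allow":
        return False
    port = str(rule.get("destination_port_range"))
    src = str(rule.get("source_address_prefix"))
    return port in ("*", "0-65535") and src in ANY_SOURCES


def tighten_rule(allowed_cidr, port, proto="tcp"):
    """Build the replacement for an open rule: one port, one Custom IP range
    (step 5 of the Edit task). Raises ValueError for a malformed CIDR."""
    ipaddress.ip_network(allowed_cidr)
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": allowed_cidr}], "Ipv6Ranges": []}


def can_detach(nic_to_groups, sg_id):
    """Detach is refused if sg_id is the only group on any NIC carrying it:
    a group may be attached to many NICs, and each NIC must keep at least one."""
    for nic, groups in nic_to_groups.items():
        if sg_id in groups and len(groups) == 1:
            return False, f"{sg_id} is the only security group on {nic}"
    return True, "ok"


# Constructed sample rules, not from a real account.
AWS_RULES = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
]
AZURE_RULES = [
    {"name": "AllowAll", "access": "Allow", "destination_port_range": "*", "source_address_prefix": "*"},
    {"name": "DenyAll", "access": "Deny", "destination_port_range": "*", "source_address_prefix": "*"},
    {"name": "AllowRdp", "access": "Allow", "destination_port_range": "3389", "source_address_prefix": "*"},
]


def open_aws_rules(rules=AWS_RULES):
    """Indexes of AWS rules that match the FAQ's any-port/anywhere criteria."""
    return [i for i, r in enumerate(rules) if aws_rule_is_open(r)]


def open_azure_rules(rules=AZURE_RULES):
    """Names of Azure rules that match the FAQ's any-port/anywhere criteria."""
    return [r["name"] for r in rules if azure_rule_is_open(r)]


if __name__ == "__main__":
    print("unsafe AWS rule indexes:", open_aws_rules())
    print("unsafe Azure rules:", open_azure_rules())
    print(tighten_rule("203.0.113.0/24", 22))
    print(can_detach({"eni-1": ["sg-a", "sg-b"], "eni-2": ["sg-a"]}, "sg-a"))
```

Note that a single exposed port (443 or 3389 from anywhere) is deliberately not flagged by this criterion; it matches only the "all ports from anywhere" case the FAQ describes, so a practitioner would still review narrower Internet-facing rules by hand.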
Functionality
When AWS instances are switched off, will they be reported "powered off" in McAfee ePO?
Yes. If the computers are managed, they are not deleted, even on termination. Unmanaged
systems, when terminated, are no longer seen in the McAfee ePO System Tree.
How long until a new instance gets discovered by the Cloud Workload Discovery?
The new instance is discovered at the next synchronization. The synchronization schedule depends on
the Sync Interval that you specified: with a sync interval of 5 minutes, the next sync is scheduled
5 minutes after the current sync completes. You can also start a manual sync, which begins
immediately.
What happens when an instance is terminated in EC2?
After the instance is terminated (and a synchronization occurs), the instance is no longer
displayed in the McAfee ePO System Tree. However, any events from this instance are still
present.
What are the reasons for my cloud account synchronization to fail?
• Check your cloud account details. Your access key and secret key pair might have been
disabled.
• Check that your McAfee ePO system date and time are synchronized with Internet time.
• Check whether you are registering the same AWS account again in McAfee ePO.
• If your instance has multiple NICs and you try to detach a security group that is the only
security group associated with another NIC, the detach also fails.
I can see some names and some IDs under Virtual Networks and Workloads.
By default, you see the names of your virtual networks and workloads. If they don't have a name,
their IDs are shown instead.
Which vendor cloud accounts are supported in the Cloud Workload Discovery dashboard?
Currently we support AWS and Microsoft Azure cloud accounts. Microsoft Azure classic accounts
are not shown here.
I can't see IP traffic for some workloads on Cloud Workload Discovery dashboard.
• IP traffic records are available only for AWS workloads.
• If you can't view traffic for your AWS workloads, make sure that you have selected Enable
Traffic Discovery for your AWS account.
• When creating IAM role for flow logs for your AWS account, make sure that the name of your
role is McafeeFlowLogger.
My traffic discovery is disabled, but I can still see traffic details for AWS instances.
The data retention period for AWS traffic data is 7 days, so you might still see some traffic details
until the retention period expires.
How long is the AWS traffic data stored in McAfee ePO?
Data retention period for AWS traffic data is 7 days.
Sometimes the Cloud Workload Discovery screen remains in a collapsed state.
Refresh the browser page (F5).