Summary of Contents for Trend Micro viruswall enforcer 1500i
Network Virus Wall Enforcer 1500i (R210 Series) Network Security for Enterprise and Medium Business Administrator’s Guide Network Security...
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com...
You should read through it prior to installing or using the product. Detailed information about how to use specific features within the product is available in the online help file and the Knowledge Base on the Trend Micro website. Trend Micro is always seeking to improve its documentation. Your feedback is always welcome at the following site: http://docs.trendmicro.com...
Contents
Chapter 2: Setting Up the Device
• Management Options (2-2)
• Preconfiguration Console (2-2)
• Accessing the Preconfiguration Console Remotely (2-2)
• Web Console (2-3)
• Comparing the Consoles (2-5)
• Logging on to the Web Console (2-6)
• Connecting to the Network (2-6)
• Management IP Address ...
Chapter 4: Policy Creation and Deployment
• Policy Enforcement Features (4-2)
• Actions and Remediation Methods (4-4)
• Policy Matching Overview (4-5)
• First-Match Rule (4-5)
• Policy Enforcement Best Practices (4-6)
• Overview of Policy Sections (4-8)
• Creating a Policy (4-9)
• Step 1: Specify Endpoint Settings ...
Trend Micro™ Network VirusWall™ Enforcer 1500i (R210 Series) Administrator’s Guide
Chapter 5: Maintaining the Device
• Configuring Administrative Accounts (5-2)
• Backing Up Device Settings (5-2)
• Performing Device Tasks (5-5)
• Locking the Device (5-5)
• Resetting the Device (5-6)
• Shutting Down the Device ...
Chapter 6: Viewing Status, Logs, and Summaries
• Viewing Summary Information (6-2)
• Viewing Real-Time Status Information (6-3)
• Viewing the Pattern Release History (6-3)
• Viewing Supported Products (6-4)
• Using Logs (6-4)
• Overview of Log Types (6-4)
• Viewing and Exporting the Event Log ...
• Control Manager User Access (A-8)
• Network VirusWall Enforcer User Access (A-10)
• Managed Product MCP Agent Heartbeat (A-11)
• Using the Schedule Bar (A-12)
• Determining the Right Heartbeat Setting (A-13)
• Managing Network VirusWall Enforcer from Control Manager (A-14)
• Understanding Product Directory ...
• Querying Log Data (A-50)
• Understanding Data Views (A-51)
• Working with Reports (A-52)
• Understanding Control Manager Report Templates (A-52)
• Understanding Control Manager 5.0 Templates (A-53)
• Understanding Control Manager 3.0 Templates (A-54)
• Adding One-time Reports (A-54)...
Preface
Welcome to the Administrator’s Guide for Trend Micro™ Network VirusWall™ Enforcer 1500i. This book is intended for novice and experienced users of Network VirusWall Enforcer who want to quickly configure, deploy, and monitor the device. This preface discusses the following topics:
•...
About this Administrator’s Guide
This document contains detailed information about how to configure and manage Network VirusWall Enforcer. It assumes that you have read and performed the tasks described in the Installation and Deployment Guide, particularly preconfiguring the device to enable access to the web console.
Chapter: Content Summary
• Getting Support on page 8-1: How to contact technical support
• Introducing Trend Micro Control Manager™ on page A-1: Overview of Control Manager, including how to use it to manage Network VirusWall Enforcer
• Glossary: Definitions of relevant terms...
Readme Text: Provides late-breaking news and software build information (USB flash drive; Trend Micro Download Center)
Documentation and Software Updates
For the latest documentation and software updates, visit the Trend Micro Download Center at: http://downloadcenter.trendmicro.com/...
Device and Software Version
This Administrator’s Guide is released for administrators that are using the following device and software version.
Table P-3. Target device and software
• Device: Network VirusWall Enforcer 1500i
• Hardware series: R210 Series
• Software version...
Document Conventions
Network VirusWall Enforcer documentation uses the following conventions.
Table P-4. Conventions used in the documentation
Convention: Description
• ALL CAPITALS: Acronyms, abbreviations, and names of certain commands and keys on the keyboard...
Chapter 1: Understanding Network VirusWall Enforcer
This chapter introduces Trend Micro™ Network VirusWall™ Enforcer 1500i and provides an overview of its capabilities and design. This chapter discusses the following topics:
• Network VirusWall Enforcer Overview on page 1-2
• What’s New on page 1-3
•...
Network VirusWall Enforcer Overview
Trend Micro™ Network VirusWall™ Enforcer 1500i is an outbreak prevention appliance that allows organizations to enforce security policies at the network layer. Network VirusWall Enforcer scans network traffic to help ensure that it is free of fast-spreading network viruses.
• Registry checks
Other Enhancements
This version also includes the following features and enhancements:
• Synchronization of global endpoint exception lists using Trend Micro Control Manager (TMCM).
• Central management of administrative accounts using the Microsoft Active Directory (AD) server.
Carried Over from Previous Versions
Software Version 3.1
Software version 3.1 adds the following enhancements.
Expanded IPv6 Support
Version 3.1 expands IPv6 support, enabling the following policy enforcement capabilities in IPv6 networks:
•...
Software Version 3.0 Patch 3
Patch 3 for software version 3.0 includes the following enhancements:
• Export filtered endpoint history data—filter endpoint history data before exporting the data to a CSV file.
• Easy shutdown—power off the device through the web or the Preconfiguration console.
• ARP spoofing prevention—ARP spoofing attacks can leave networks and data severely compromised by giving attackers access to network packets. Attackers can manipulate redirected packets to extract data or compromise intended recipients.
Threat Mitigation with TDA
Network VirusWall Enforcer works with Trend Micro Threat Discovery Appliance (TDA). TDA can identify endpoints with active threats by gathering and correlating network activity. To mitigate threats identified by TDA and prevent them from spreading, Network VirusWall Enforcer can actively monitor or quarantine endpoints.
Technologies
Network VirusWall Enforcer is equipped with state-of-the-art antivirus technology. Designed to act as a shield for a segment of your network, it can scan and drop infected network packets before they reach your endpoints. It can also prevent vulnerable or infected endpoints from accessing the rest of the network.
• Cleaning up of infected systems
Platforms Supported by the Agent
The agent version released with Network VirusWall Enforcer has been tested on the following platforms:
• Microsoft™ Windows™ 2000 (including Professional, Server, and Advanced Server editions) with Service Pack 4
Note: Windows 2000 does not support IPv6 addressing.
• Single-use agent—installs an agent for assessment and stops the agent service after the assessment is completed. Unless the agent is outdated, Network VirusWall Enforcer will reuse the same agent to perform an assessment on the same endpoint.
Vulnerabilities
Trend Micro assesses the risks posed by software vulnerabilities by considering the number and the significance of the threats that use them, their potential and actual impact, and the difficulty or ease by which they can be exploited. Vulnerabilities are considered low, moderate, important, critical, or highly critical as described below.
File-Based Malware
Most malware programs can be classified as file-based—they exist as files in physical drives. Such malware programs include what are commonly known as viruses, Trojans, and worms.
•...
Prohibited Network Use
Unregulated user activities on the network can severely compromise security. Depending on the needs of your network, Network VirusWall Enforcer allows you to regulate the following network use:
• Port activity—by regulating port activity, you can control the use of certain applications or protocols.
Enforcement Coverage
The following features let you control when a policy applies to an endpoint or a connection:
• User authentication—during policy creation, you can define whether the policy applies to all users, authenticated users only, or guest users only. Network VirusWall Enforcer assesses an endpoint against the policy only when the specified type of user is logged on to the endpoint.
• Popup notifications—these notifications use either the Windows Messenger service to display messages on a standard Windows message box or the agent to display a balloon message from the agent system tray icon.
Note: If you have selected to hide the agent system tray icon, any balloon messages from the icon will not display.
The Real-time Status screen displays the following information:
• Performance Status—displays CPU usage, memory usage, and concurrent connections
• Interface Configuration Status—displays a graphical view of the current port settings that correspond to the physical port layout...
• Endpoint History—whenever Network VirusWall Enforcer matches a policy to an endpoint, it creates an endpoint history entry. If you register the device to Control Manager, you can configure the time interval for sending endpoint history entries to the Control Manager server.
• Unsupported OS—endpoints that cannot be assessed because they are running on unsupported platforms
Assessment Intervals
Noncompliant endpoints, by default, are assessed more frequently to help increase compliance across the network. The following table shows the different reassessment schedules and the factors that may trigger them.
For instructions on how to configure SNMP settings, see Configuring SNMP Settings on page 5-8.
MIB Security
Managed devices can protect their MIBs by granting only specific network management stations access. One way of doing this is through authentication. Managed devices can require that all NMSs belong to a community, the name of which acts as a password that the managed devices use to authenticate management stations attempting to gain access.
Table 1-3. Supported SNMP agent specifications (Continued)
• Trusted Network Management Stations (NMS): Allows up to 255 specific network management station IP addresses to access the agent
Table 1-4 enumerates the supported SNMP trap specifications.
• Authentication failure—three consecutive attempts to log on to the Preconfiguration console during the same local or remote SSH session were unsuccessful
• Shutdown—SNMP agent disabled
Note: This trap is also sent if Network VirusWall Enforcer shuts down while the SNMP agent is enabled.
Tagged and Non-tagged Frames
When a local switch on the network receives a packet, it can use the destination port, destination MAC address, or protocol to determine which VLAN the packet belongs to.
Chapter 2: Setting Up the Device
After installing Network VirusWall Enforcer and performing all preconfiguration tasks described in the Installation and Deployment Guide, there are a number of tasks you need to perform to ensure that everything is properly set up. This chapter describes how to ensure that Network VirusWall Enforcer is connected to the network and that it is activated and fully updated.
Management Options
Network VirusWall Enforcer provides a Preconfiguration console and a web console for configuring or managing the device.
Preconfiguration Console
The Preconfiguration console lets you configure the device before deploying it to your network.
Consider the following when accessing the console remotely:
• SSH console access must be enabled from the web console. See Configuring Access Control on page 2-12.
• Connect to the device management IP address using SSH.
•...
Figure 2-2. Network VirusWall Enforcer web console
After preconfiguration, the web console lets you perform the following administrative tasks:
• Analyze your network’s protection against viruses
• View the Pattern Release History
•...
Comparing the Consoles
The following table lists the differences between the consoles:
Table 2-1. Comparison of the Network VirusWall Enforcer consoles
Columns: Preconfiguration Console, Web Console
• Configure port functions
• Configure interface speed and duplex mode
• Configure IP address settings
• Manage policies
• Configure proxy settings and updates...
Table 2-1. Comparison of the Network VirusWall Enforcer consoles (Continued)
Columns: Preconfiguration Console, Web Console
• Restart and shut down device
• View device information (CPU and memory usage)
• View interface configuration
Logging on to the Web Console...
Management IP Address
The management IP address lets you access the web console and manage the device. For instructions, see Configuring IP Address Settings on page 2-10.
Note: If you have a dual-stack environment, ensure that you specify both IPv4 and IPv6 address settings.
Figure 2-3. Bridge IP addresses and protected segments (diagram showing routers, Network VirusWall Enforcer, Switch 1, Switch 2, the web console, the Management Segment, and Protected Segments 1 and 2)...
Static Routes
A static route defines a specific router IP address that Network VirusWall Enforcer should use to reach endpoints in a particular segment. A static route is required for each router between Network VirusWall Enforcer and a protected segment or segments. You can define up to 50 static routes.
To configure IP address settings:
Click IP Address Settings in the Administration menu. Select to allow Network VirusWall Enforcer to obtain IP address settings from a DHCP server or configure the settings manually. Click the Bridge IP Address tab to add or delete bridge IP addresses. Bridge IP addresses allow the device to access endpoints in another segment.
Type the new password and retype it for confirmation. Note: Trend Micro strongly recommends changing all default passwords as soon as you are able to access the web console. A strong password is at least 8 characters long and a combination of upper and lower case letters, numbers, punctuation marks, and other special characters.
Click Save.
Note: When you enable IP address access restriction, you will be logged off from the web console and will need to log on again. If you did not add your current IP address to the access control list, you will be prevented from accessing the web console and from logging on.
• Automatically—configure Network VirusWall Enforcer to automatically connect to the update source, download, and then apply the latest components. Use the Scheduled Update option on the web console to set this type of update.
To set the update source:
Click Update Source from the Updates menu. Select Trend Micro ActiveUpdate Server or select Other update source and type the URL of the update source.
Note: The update source must be a valid URL that begins with http or https. When using a URL with a literal IPv6 address, enclose the IPv6 address in square brackets.
Table 2-2. Updatable components (Continued)
Component: Description
• Pattern Release History: Contains information about the latest patterns for supported antivirus products. Network VirusWall Enforcer uses this information to check whether endpoints are running the latest patterns.
Note: You can specify a different update schedule for updating the Pattern Release History.
Micro recommends updating pattern files at least once a day. Click Save.
Installing Hot Fixes, Patches, and Service Pack
Trend Micro may provide the following releases to fix bugs or enhance the device:
• Hot fix—a small release designed to address a few very specific issues
•...
To apply a hot fix, a patch or a service pack:
Click Patch in the Updates menu. Specify the Installation file. Click Browse to navigate to the file. Click Install.
To view installed hot fixes:
Click Patch in the Updates menu. Refer to the information displayed under Patching History.
Chapter 3: Preparing for Policy Enforcement
After setting up the device, prepare Network VirusWall Enforcer for policy creation and deployment. This chapter discusses the following topics:
• Configuring HTTP Detection Settings on page 3-2.
• Configuring LDAP Authentication Settings on page 3-2.
•...
Configuring HTTP Detection Settings
Provide the ports used in your network for HTTP communication. The specified ports allow Network VirusWall Enforcer to block or monitor HTTP traffic. Network VirusWall Enforcer checks ports 80, 443, and 8080 by default.
To configure LDAP server settings:
Click LDAP Settings in the Administration menu. The LDAP Settings screen displays. Select Use Microsoft Active Directory or Use OpenLDAP.
Note: Network VirusWall Enforcer supports single sign-on (SSO) to the Internet if you select Use Microsoft Active Directory.
About Single Sign-On (SSO)
Depending on your security policy settings, you can configure Network VirusWall Enforcer to allow single sign-on to the Internet for users using their Active Directory account. This means that once a user signs on to their computer with their Active Directory credentials, they no longer need to sign on through Network VirusWall Enforcer to connect to the Internet.
Click Add to to add the specified URL to the list. Add more URLs to the list as necessary. Click Save.
Defining Network Zones
Network zones are predefined IP and MAC address groupings that allow you to manage policy coverage.
Note: When specifying multiple VLAN IDs, separate each ID with a comma. You can specify up to 32 VLAN IDs.
Click the Exception tab to specify exceptions to this network zone. Exceptions are MAC or IP addresses that are not covered by the network zone, even when you have added them implicitly as part of an address range in the General tab.
Specifying OfficeScan Detection Ports
If your organization has Trend Micro™ OfficeScan™ deployed, specify the port or ports used by OfficeScan clients to listen for server commands. These ports can be used by Network VirusWall Enforcer to detect the OfficeScan client on endpoints.
Configuring Notifications
Network VirusWall Enforcer can send notifications using the following media to inform either endpoint users or administrators about policy violations or related events.
Table 3-1. Notification media
Media...
Web Notifications
When a quarantined or blocked endpoint attempts to access a web page or other remote resources using a web browser, Network VirusWall Enforcer can display one of the following notifications on the web browser.
3-2.
Table 3-2. Types of web notifications
Notification: Purpose
• User Login Unsuccessful: Informs the endpoint user that the attempt to log on to the domain has failed.
• Threat Mitigation: Indicates that the endpoint is being blocked because of suspicious network activity detected by Threat Discovery Appliance.
Table 3-3. Types of popup notifications
Notification: Purpose
• Network Virus Scan: Indicates that malware code has been found in network traffic from the endpoint.
• Threat Mitigation: Indicates that suspicious network activity by an application on the endpoint has been detected by Threat Discovery Appliance.
Enabling or Disabling Notifications
The following table summarizes the default notification enable/disable settings and how you can change these settings.
Table 3-4. Enable/Disable Settings of Notifications
Columns: Notification, Default, Modifying the...
Formatting Tags for Web Notifications
The following table lists the supported HTML formatting tags for web notifications.
Table 3-5. Supported formatting tags for web notifications
• <blockquote>: Defines a long quotation
• <p>: Defines a paragraph
• <br>: Inserts a single line break
• <pre>...
Table 3-5. Supported formatting tags for web notifications
• <i>: Renders text in italics
• <b>: Renders text in bold
• <font>: Changes the font face, size, and color of the text
Variable Tags for Web Notifications
Use the following variable tags to customize the content of web notifications.
Table 3-6. Supported variable tags for web notifications
• <%=VA_PATCH_REQUIRE%>: Missing software patch
• <%=DCS_NOT_CLEAN_VIRUS%>: Uncleanable active malware
• <%=AUTH_RESULT_MSG%>: Authentication result
Variable Tags for Popup Notifications
You can customize the content of popup notifications using the following variable tag: <%=SERVER_HOSTNAME%>...
Table 3-7. Supported variable tags for email notifications
Variable: Description
• <%=TRAFFIC_DIRECTION%>: Whether traffic is incoming or outgoing relative to the endpoint
• <%=RISK_TYPE%>: Threat type
• <%=RISK_PROTOCOL%>: Port where the malicious packet was found
• <%=RULE_ID%>...
Customizing Notification Content
Customizing Web and Popup Notification Content
Both web and popup notifications are targeted at endpoint users. Customize these notifications if you want to provide information that is important to endpoint users in your organization.
Tip: For the list of formatting and variable tags that you can use with notifications, see Notification Tags...
Customizing Email Notification Content
Email notifications are targeted at administrators. Customize these notifications if you want to provide information that can be important particularly to administrators in your organization. Notification Tags...
• Custom—select this option to specify the Page title, Title text color, and Banner color.
• Display the assessment screen—select this option to display the assessment page whenever the endpoint attempts to open a web page while it is being assessed.
To configure web notification settings:
Click Policy Enforcement >...
Configuring email notification settings lets you define:
• Recipient addresses—the notification recipients
• Sender address—the email address to use for sending notifications
• Character encoding—the encoding method that best matches the language of your email notifications.
To understand the threat posed by ARP spoofing, see ARP Spoofing Prevention on page 1-7.
Monitoring for ARP Spoofing Malware
To detect and terminate ARP spoofing malware on endpoints, Network VirusWall Enforcer monitors applications for outgoing ARP traffic. If an application is found to be sending more than 100 ARP packets per second, Network VirusWall Enforcer considers the application ARP spoofing malware and can terminate the application.
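The rate rule described above can be checked against captured data with a sliding one-second window. The following is an added example, not code from the guide or the product; the event format (timestamp, application name), the application names, and the sample data are constructed for illustration.

```python
"""Flag applications whose outgoing ARP rate exceeds 100 packets per second.

Added example: models the threshold stated in the guide with a sliding
one-second window over per-application ARP packet timestamps.
"""
from collections import defaultdict, deque

ARP_RATE_THRESHOLD = 100   # "more than 100 ARP packets per second" (from the guide)
WINDOW_SECONDS = 1.0


def flag_arp_flooders(events, threshold=ARP_RATE_THRESHOLD, window=WINDOW_SECONDS):
    """Return {application: timestamp at which the threshold was first exceeded}.

    events: iterable of (timestamp_seconds, application) tuples sorted by time.
    An application is flagged when more than `threshold` of its ARP packets
    fall inside any window shorter than `window` seconds.
    """
    recent = defaultdict(deque)   # application -> timestamps still in the window
    flagged = {}
    for ts, app in events:
        q = recent[app]
        q.append(ts)
        # Drop timestamps that are a full window (or more) older than this packet.
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold and app not in flagged:
            flagged[app] = ts
    return flagged


def constructed_events():
    """Constructed sample data: three hypothetical applications."""
    events = []
    # 150 ARP packets spread over one second: exceeds the threshold.
    for i in range(150):
        events.append((10.0 + i / 150, "updater.exe"))
    # One ARP request every two seconds: normal resolver behaviour.
    for i in range(20):
        events.append((float(i * 2), "browser.exe"))
    # Exactly 100 packets within a second: at the threshold, not above it.
    for i in range(100):
        events.append((30.0 + i / 100, "scanner.exe"))
    events.sort()
    return events


if __name__ == "__main__":
    for app, ts in flag_arp_flooders(constructed_events()).items():
        print(f"{app}: exceeded {ARP_RATE_THRESHOLD} ARP packets/s at t={ts:.3f}s")
```

The boundary case matters when tuning alerts: an application sending exactly 100 packets in a second is not flagged, because the stated rule is "more than 100".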
Specify the IP and MAC addresses of your critical nodes to help ensure that traffic to these nodes is not affected by ARP spoofing. To do this: Type a valid IP address.
Chapter 4: Policy Creation and Deployment
This chapter describes how to define policies for enforcement by Trend Micro™ Network VirusWall™ Enforcer 1500i. It also discusses different deployment scenarios and how you can create policies to match these scenarios. This chapter discusses the following topics:
•...
Actions and Remediation Methods
The following table describes the actions and remediation methods that Network VirusWall Enforcer can perform in response to policy violations.
Table 4-2. Supported actions and remediation methods...
Table 4-2. Supported actions and remediation methods
Method | Target | Description
• Reject | Application- or protocol-specific packets | Prevents packets from passing and sends a reset packet (RST) to the source
• Drop | Application- or protocol-specific packets | Prevents packets from passing
• Clean up | Endpoint...
Table 4-3, placing broader policies lower in the list prevents situations where specific and more stringent policies are never matched. Table 4-4, placing broader policies higher in the priority list prevents other policies from being enforced.
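The ordering effect described above can be checked before deployment. The following is an added example, not code from the guide or the product: a simplified first-match evaluator plus a check that reports policies that can never be reached. The Policy fields (user type and a single network zone) and the policy lists are constructed for illustration.

```python
"""First-match policy evaluation with a shadowing check (added example)."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: the policy does not restrict this attribute


@dataclass(frozen=True)
class Policy:
    name: str
    user_type: Optional[str] = ANY   # "authenticated", "guest", or ANY
    zone: Optional[str] = ANY        # network zone name, or ANY

    def matches(self, user_type: str, zone: str) -> bool:
        """True if an endpoint with these attributes falls under this policy."""
        return (self.user_type in (ANY, user_type)
                and self.zone in (ANY, zone))

    def covers(self, other: "Policy") -> bool:
        """True if every endpoint matched by `other` is also matched by self."""
        return (self.user_type in (ANY, other.user_type)
                and self.zone in (ANY, other.zone))


def first_match(policies, user_type, zone):
    """Return the first policy in priority order that matches, or None."""
    for policy in policies:
        if policy.matches(user_type, zone):
            return policy
    return None


def shadowed(policies):
    """Return (shadowed policy, shadowing policy) name pairs.

    A policy is shadowed when an earlier, broader policy matches everything
    it would match, so under first-match evaluation it is never enforced.
    """
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.covers(later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed policy set: two specific policies and one catch-all.
AUTH = Policy("Authenticated users", "authenticated", "Internal endpoints")
GUEST = Policy("Guest users", "guest", ANY)
CATCH_ALL = Policy("Catch-all", ANY, ANY)

SPECIFIC_FIRST = [AUTH, GUEST, CATCH_ALL]   # broader policy lower in the list
BROAD_FIRST = [CATCH_ALL, AUTH, GUEST]      # broader policy higher in the list

if __name__ == "__main__":
    for label, order in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        hit = first_match(order, "guest", "Internal endpoints")
        print(f"{label}: guest endpoint matches {hit.name!r}; shadowed={shadowed(order)}")
```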
• If you select user authentication, you must configure LDAP settings.
• If you select the ActiveX deployment option and select to assess only Trend Micro products using networking protocols, the Threat Management Agent (TMAgent) will not install on endpoints.
• Selecting to monitor action for all new policies helps locate problem areas without disrupting endpoints. This is a good way to begin deploying new policies on your network.
•...
Table 4-5. Policy sections
Section: Description
• Network Application Policy: Regulation of port activity, instant messaging, and file transfers
• Threat Mitigation Rules: Enforcement of detections from Threat Discovery Appliance, which monitors for suspicious network activity
• URL Exceptions: URLs that are always accessible to all endpoints, including noncompliant endpoints
Creating a Policy...
Tip: For detailed information about a wizard screen, click the Help button while on that screen. For important information about policy rules and priorities before you create a policy, see Policy Enforcement Best Practices on page 4-6.
Step 2: Specify Authentication and Network Zones
Specify optional authentication settings by selecting Enable user authentication. This option lets you select whether to apply the policy to authenticated users or to guest users.
Note: Configure LDAP settings if you select Enable user authentication. See Configuring LDAP Authentication Settings on page 3-2 for more information.
To detect antivirus products using only protocol activity, select Only use networking protocols to assess Trend Micro products. Selecting this option will allow you to detect certain Trend Micro products without an agent. Specify the Endpoint Action by selecting one of the following: •...
• Block endpoints—you can select a remedy from None or Redirect to URL, which redirects endpoint users to a page where they may rectify policy violations. If you select Redirect to URL, you have the option of limiting the number of pages endpoint users can navigate to by selecting Allow off-page navigation and Link depth.
• Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
• Block endpoints—you can select a remedy from None or Redirect to URL, which redirects endpoint users to a page where they may rectify policy violations.
Select Notify endpoints about policy violations to display popup messages on endpoints that violate this section of the policy. Click Next.
Step 4: Specify Network Virus Policy
Select Enable Network Virus Scan to detect network viruses in packets that pass through the device.
d. Select ICMP to regulate ICMP activity.
Note: To use ICMP, ensure you select All ports in the TCP/UDP Protocol Ports settings in Step 2: Specify Authentication and Network Zones on page 4-11.
File transfer detection—use this feature to regulate file transfer activity.
WARNING! Avoid overly broad wildcard entries such as *.* or *.htm for the files to assess. These entries can completely block access to the Internet.
Select File transfer detection. b....
• Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
• Quarantine endpoints—blocks the endpoint from accessing the network until it is released through the console.
Select Send policy violation data to syslog to record events to logs.
Scenario 1: Different Policies for Different Users
In this scenario, we define three policies: a policy for authenticated users, a policy for guest users, and a catch-all policy to be triggered if neither of the two policies is triggered.
Page 103
Add a policy and specify the name "Authenticated users". Ensure that the persistent agent deployment option is selected.
Figure 4-2. Adding the policy...
Page 104
Specify the network zone and authentication settings. Select Enable user authentication and then select Apply policy to authenticated users. This ensures that the policy applies to endpoints whose current users have authenticated either locally or to the domain. Choose to specify a network zone and add the Internal endpoints network zone to the list of selected network zones.
Page 105
To ensure logging and to notify end users when this particular criterion is violated, select Send policy violation data to syslog and Notify endpoints about policy violations.
Figure 4-4. Specifying enforcement policy...
Page 106
Complete the policy. Click Next until you reach the policy review screen. Review the policy before enabling and saving it.
Figure 4-5. Reviewing the policy and enabling it
Note: Network Virus Scan is enabled by default on all policies.
Policy for Guest Users
This policy ensures that all guest users have a certain registry key.
Create the "Guest users" policy. Add a policy and specify the name "Guest users". Ensure that the persistent agent deployment option is selected.
Page 108
Click Show details to show more options. Choose to specify a network zone for the packet destinations and add the Internal endpoints network zone to the list of selected network zones. Note that you do not specify an endpoint network zone. 4-7.
Page 109
Specify the enforcement policy. Select Registry Scan. Expand the section and click Add to specify the registry keys to check. You can check for registry keys that indicate whether required applications or product upgrades are installed.
Page 110
Click Next until you reach the policy review screen. Review the policy before enabling and saving it.
Figure 4-10. Reviewing the policy and enabling it
Note: Network Virus Scan is enabled by default on all policies.
Catch-All Policy
When you create this policy, note the following:
• Do not select Enable user authentication in Step 2 of the policy creation wizard.
• Ensure that settings are configured to apply to Any or All.
Scenario 2: Ensuring Platform Compliance
In this scenario, create a policy that ensures that endpoints are running Windows XP and have Service Pack 2 installed.
To create this policy:
Create a policy that deploys a persistent agent on endpoints. 4-12.
Page 113
Specify the network zone and authentication settings. Ensure that Enable user authentication is not selected. Choose to specify a network zone and select the Internal endpoints network zone as the source and destination zone.
Page 114
Select Registry Scan. Expand the section and click Add to specify the registry keys to check.
Figure 4-14. Selecting registry scan
Add the registry value for Service Pack 2 as a required registry key.
Figure 4-15. Adding the Windows XP SP2 Registry key
To ensure logging and to notify end users when this particular criterion is violated, select Send policy violation data to syslog and Notify endpoints about policy...
Figure 4-16. Reviewing the policy and enabling it
Enable the policy and save it.
Sample Deployment Scenarios
Network VirusWall Enforcer deployment needs to be tailored to the topology of your network.
Page 116
• Protects the public server farm by scanning all traffic for network viruses and enforcing a policy for remote endpoints. Network VirusWall Enforcer also applies a remedy to endpoints that violate the policy.
• Protects an internal server farm by scanning all traffic for network viruses.
•...
Deployment Scenario II: Global Site
In this sample deployment scenario, Network VirusWall Enforcer:
• Protects the data center by scanning all traffic for network viruses and enforcing a policy for remote endpoints. Network VirusWall Enforcer also applies a remedy to endpoints that violate policy.
Sample Policy Configuration
This section provides three sample policy configurations for Deployment Scenario I: Standard Network on page 4-32. To protect each area of the network, create different policies based on area and type of access. For this example:
•...
Page 119
Table 4-6. Priority 1 policy for public server farm scenario (Continued)
Settings: Network Virus Policy Settings
Details:
• Network Virus Scan
  Action: Drop packet
  Remedy: None
• Send policy violation data to syslog...
Page 120
The last policy, Table 4-8, handles all cases not covered by the other policies.
Table 4-8. Priority 3 policy for public server farm scenario
Settings: Endpoint Settings
Details:
• Policy name: Catch All
• Policy comment: Set with the lowest priority.
•...
Page 121
The first policy, Table 4-9, specifically handles all traffic from guest endpoints. It redirects users to the page where they can obtain installers for the recommended antivirus product.
Table 4-9. Priority 1 policy for the distribution and access switch scenario...
Page 122
Table 4-9. Priority 1 policy for the distribution and access switch scenario (Continued)
Settings: Network Virus Policy Settings
Details:
• Network Virus Scan
  Action: Quarantine endpoint
  Remedy: Clean up
• Send policy violation data to syslog and notify endpoints about policy violations
•...
Page 123
Table 4-10. Priority 2 policy for the distribution and access switch scenario (Continued)
Settings: Enforcement Policy Settings
Details:
• Antivirus Product Scan
  Action: Block endpoints
  Remedy: Redirect to URL
  Details: 56 Antivirus Products
•...
Page 124
The last policy, Table 4-11, handles all cases not covered by the other policies.
Table 4-11. Priority 3 policy for the distribution and access switch scenario
Settings: Endpoint Settings
Details:
• Policy name: Catch-all
• Policy comment: Since this policy is designed to check endpoints that do not violate any other policies, this policy should have the lowest priority.
Table 4-11. Priority 3 policy for the distribution and access switch scenario (Continued)
Settings: Network Virus Policy Settings
Details:
• Network Virus Scan
  Action: Quarantine endpoint
  Remedy: Clean up
•...
Page 126
To import policies:
Click Policy Enforcement > Export/Import Policy Data.
Click Browse under Import Policies. The Choose File screen displays.
Select a file to import and then click Open.
Click Import Policy.
Note: Network VirusWall Enforcer may reset after importing policies.
Page 128
Chapter 5 Maintaining the Device This chapter describes maintenance options for Network VirusWall Enforcer. It discusses the following topics: • Configuring Administrative Accounts on page 5-2 • Backing Up Device Settings on page 5-2 • Performing Device Tasks on page 5-5 •...
Configuring Administrative Accounts
Configure administrative accounts to manage Network VirusWall Enforcer. You can create new accounts or use default accounts or AD groups to manage Network VirusWall Enforcer. There are two kinds of accounts in Network VirusWall Enforcer:
•...
Page 130
Note: For instructions on how to export or import policy data only, see Exporting and Importing Policy Data on page 4-42.
To back up the configuration file:
Click Administration from the side menu. A drop-down menu displays.
Click Configuration Backup from the drop-down menu....
Page 131
To import the configuration file:
Prepare a copy of the configuration file on a USB flash drive.
Attach the flash drive to Network VirusWall Enforcer.
Access the Network VirusWall Enforcer Preconfiguration console (see the Installation and Deployment Guide for instructions).
Type to import the configuration file. A confirmation screen appears. Type to continue. Note: Refer to the Installation and Deployment Guide for detailed information on using the Preconfiguration console. To export the configuration file: Attach a USB flash drive for saving the configuration file to Network VirusWall Enforcer.
To set the network traffic lock:
Click Administration.
Click Device Tasks.
Click Lock.
Note: The network traffic lock does not take effect if the device has been powered off. If the device has been powered off, failopen allows traffic to pass even when network traffic has been locked.
Select item to reset the device. A confirmation screen appears. Select to continue. To reset the device using the power button: Press the power button on the front panel of the device. After the device fully powers off, press the power button again to restart the device. To reset the device through the web console: Click Administration.
Replacing the HTTPS Certificate
To secure access to the console using your own HTTPS certificate, replace the certificate.
To replace the HTTPS Certificate:
Click Administration > HTTPS Certificate.
Click Replace HTTPS Certificate.
Click Add to. The community name displays in the table. Type the IP address to add under Trusted Network Management IP Address(es). 10. Click Add to. The IP address displays in the table. 11. Click Save. To export the MIB file: Click Administration.
Restoring Default Settings
If you experience any issues during configuration, you can initialize Network VirusWall Enforcer through the Preconfiguration console. This restores settings to the factory defaults.
WARNING! You will lose all preconfiguration settings when you perform an initialization.
System Recovery
You can perform pattern and engine rollbacks using the Preconfiguration console. You also have the option to reinstall the Network VirusWall Enforcer from an image file.
Pattern and Engine Rollback
Perform pattern and engine rollbacks by accessing the Preconfiguration console locally or remotely using SSH.
Page 139
Reinstalling with Program Rescue
Note: To perform this procedure, you need the Trivial File Transfer Protocol (TFTP) tool in the provided USB flash drive.
Ensure that the device is connected to a network.
Page 140
Chapter 6 Viewing Status, Logs, and Summaries This chapter explains how to access antivirus information to evaluate your organization’s virus protection policies and identify endpoints that are at a high risk of infection. Network VirusWall Enforcer logs a wide variety of information about events that occur on your network, such as endpoint infections and policy violations, virus outbreaks, and component updates.
Viewing Summary Information
When you open the web console, the Summary screen appears. This screen provides information about the general status of device components and policy enforcement through the following fields:
•...
• AV Product Detection Status—provides statistics on the number of endpoints with antivirus products. Click Export to save the information to a file.
• Protected Endpoints—number of endpoints with installed antivirus software.
• Undetectable Endpoints—includes endpoints that do not have antivirus software installed, endpoints that are running an operating system other than Windows, and endpoints that have a firewall that prevents assessment.
Viewing Supported Products
The Supported Antivirus Products screen lists all the antivirus products that Network VirusWall Enforcer can recognize for the purposes of policy enforcement. Network VirusWall Enforcer can identify and block endpoints that do not have any of the supported antivirus products installed.
Table 6-1. Log types (Continued)
Network virus log: Whenever Network VirusWall Enforcer detects a network virus, it creates a network virus log entry. If you register the device to Control Manager, it automatically sends network virus log entries to the Control Manager server.
The event log displays the following information.
Table 6-2. Event log fields
Field: Description
Date/Time: Date and time the event occurred
Severity: How critical the event information is under Severity...
Table 6-3. Network virus log fields (Continued)
Field: Description
Network Virus Name: Name of the network virus
Scan Action: Action performed (this is the action specified in the policy)
Engine Version: Version of the Network Virus Engine used to detect this virus
Pattern Version: Version of the Network Virus Pattern used...
Table 6-4. ARP spoofing log fields (Continued)
Field: Description
Endpoint MAC Address: MAC address of the endpoint
Process ID: Process ID of the detected malware
File Name: File name of the detected malware
To view the ARP spoofing log:
Click Logs >...
To view and export the threat mitigation log:
Click Logs > Threat Mitigation Log to open the Threat Mitigation Log screen. By default all entries in the log are listed.
To export the threat mitigation log, click Export All to CSV.
Note: The exported CSV contains all log entries that are listed in the table.
To view and export the endpoint history:
Click Logs > Endpoint History to open the Endpoint History screen. By default all entries in the log are listed.
To export the endpoint history, click Export All to CSV.
Table 6-7. Endpoint details (Continued)
Field/Section: Description
Passed Policies: This section includes information about policies with which the endpoint is compliant
Policy Violations: This section includes information about policies that the endpoint has violated
Related Threat Mitigation Logs: This tab contains information on Threat Discovery...
Use the System Log Viewer to view system debug log entries and save them to a text file. System logs contain information useful for troubleshooting. If you experience problems with Network VirusWall Enforcer and contact Trend Micro support, you may be asked to use the System Log Viewer.
Chapter 7 Troubleshooting and FAQs This chapter addresses troubleshooting issues that may arise and answers frequently asked questions. This chapter discusses the following topics: • Troubleshooting on page 7-2 • Frequently Asked Questions (FAQs) on page 7-10...
Table 7-2. Troubleshooting configuration issues
Issues with Trend Micro Control Manager
Issue: Network VirusWall Enforcer is unable to...
Corrective action: Check all network connections and ensure you have correctly performed preconfiguration (refer to the Installation and Deployment Guide for more information).
Page 155
Table 7-2. Troubleshooting configuration issues (Continued)
Issue: The Network...
Corrective action: When Network VirusWall Enforcer is turned off, or is disconnected from the network, the Control Manager agent for Network VirusWall...
Page 156
Table 7-2. Troubleshooting configuration issues (Continued)
Issue: Network VirusWall Enforcer is not quarantining endpoints whose...
Corrective action: Check the Policy Enforcement Service configuration from Policy Enforcement > Policies. Click on the policy that includes settings that quarantine endpoints with infected packets. Network VirusWall Enforcer can quarantine a maximum of 4096...
Page 157
Table 7-2. Troubleshooting configuration issues (Continued)
Issue: Network VirusWall Enforcer Policy Enforcement does...
Corrective action: An HTTP proxy server located between Network VirusWall Enforcer and endpoints on the network may prevent Network VirusWall Enforcer from correctly identifying endpoint status.
Page 158
Table 7-2. Troubleshooting configuration issues (Continued)
Issue: Endpoints are unable to access the update source for component updates.
Corrective action: If there is a proxy server on your network, ensure that your proxy settings are correct. If you want quarantined or blocked endpoints to access the update source, add the IP address of the update source to the URL Exception List.
Page 159
Table 7-2. Troubleshooting configuration issues (Continued)
Issue: Users cannot see popup messages on endpoints with Windows XP SP2
Corrective action: There are two possible causes:
1. By default in Windows XP SP2 the Messenger service is disabled.
Table 7-2. Troubleshooting configuration issues (Continued)
Issue: Unable to perform scheduled update correctly.
Corrective action: Ensure that the scheduled update configurations for updating the Pattern Release History and other pattern/engines are not set to update at the same time.
Issue: Unable to see blocking page when...
Corrective action: Do one of the following:
Frequently Asked Questions (FAQs)
This section answers the following common questions about Network VirusWall Enforcer.
Hardware and Deployment
Does Network VirusWall Enforcer support Gigabit Ethernet?
Yes, all Network VirusWall Enforcer ports support Gigabit Ethernet.
What features and functionality are not supported on IPv6 networks?
The following features are not supported on IPv6 networks:
• Threat mitigation with Threat Discovery Appliance
• Policies that require user authentication using Kerberos
• Program rescue
•...
Page 163
How does Network VirusWall Enforcer handle FTP transfers when I configure specific ports to assess?
When you assess and block specific ports, the FTP connection and download may not be successful. Initial communication goes through port 21 to the FTP server. However, since the download goes through port 20, the connection may match two different policies and never complete.
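The first-match behaviour behind both Scenario 1 (authenticated, guest, and catch-all policies) and the FTP answer above can be checked offline with a small model. The following Python is an added example, not Trend Micro code or device output. The Policy class, its users and ports fields, and the three sample policy sets are assumptions constructed for illustration; the device evaluates more criteria than this model does.

```python
"""Simplified model of ordered, first-match policy evaluation.

Added example, not Trend Micro code. Policies here match only on a user
class and a port; both fields and all sample data are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

FTP_CONTROL_PORT = 21  # initial communication with the FTP server
FTP_DATA_PORT = 20     # port the FAQ names for the download


@dataclass(frozen=True)
class Policy:
    priority: int                            # 1 is evaluated first
    name: str
    users: Optional[str] = None              # None models "Any"
    ports: Optional[FrozenSet[int]] = None   # None models "All ports"

    def matches(self, user: str, port: int) -> bool:
        user_ok = self.users is None or self.users == user
        port_ok = self.ports is None or port in self.ports
        return user_ok and port_ok

    @property
    def is_catch_all(self) -> bool:
        return self.users is None and self.ports is None


def by_priority(policies: List[Policy]) -> List[Policy]:
    return sorted(policies, key=lambda p: p.priority)


def first_match(policies: List[Policy], user: str, port: int) -> Optional[Policy]:
    """Return the first policy, in priority order, that matches."""
    for policy in by_priority(policies):
        if policy.matches(user, port):
            return policy
    return None


def shadowed_by_catch_all(policies: List[Policy]) -> List[str]:
    """Names of policies that can never trigger because a catch-all precedes them."""
    shadowed, seen_catch_all = [], False
    for policy in by_priority(policies):
        if seen_catch_all:
            shadowed.append(policy.name)
        elif policy.is_catch_all:
            seen_catch_all = True
    return shadowed


def ftp_channel_policies(policies: List[Policy], user: str) -> Tuple[Optional[str], Optional[str]]:
    """Policy names that the FTP control port and the FTP data port land on."""
    control = first_match(policies, user, FTP_CONTROL_PORT)
    data = first_match(policies, user, FTP_DATA_PORT)
    return (control.name if control else None, data.name if data else None)


def ftp_is_split(policies: List[Policy], user: str) -> bool:
    """True when one FTP session would be handled by two different policies."""
    control, data = ftp_channel_policies(policies, user)
    return control != data


# Constructed sample: the authenticated-user policy assesses specific ports only.
SPECIFIC_PORTS_SET = [
    Policy(1, "Authenticated users", users="authenticated", ports=frozenset({21, 80})),
    Policy(2, "Guest users", users="guest"),
    Policy(3, "Catch-all"),
]

# Constructed sample: same policies, but the first one applies to all ports.
ALL_PORTS_SET = [
    Policy(1, "Authenticated users", users="authenticated"),
    Policy(2, "Guest users", users="guest"),
    Policy(3, "Catch-all"),
]

# Constructed sample: catch-all given the highest priority by mistake.
MISORDERED_SET = [
    Policy(1, "Catch-all"),
    Policy(2, "Authenticated users", users="authenticated"),
    Policy(3, "Guest users", users="guest"),
]

if __name__ == "__main__":
    for label, policy_set in (("specific ports", SPECIFIC_PORTS_SET),
                              ("all ports", ALL_PORTS_SET)):
        control, data = ftp_channel_policies(policy_set, "authenticated")
        print(f"{label}: control -> {control}, data -> {data}, "
              f"split={ftp_is_split(policy_set, 'authenticated')}")
    print("shadowed when misordered:", shadowed_by_catch_all(MISORDERED_SET))
```
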
Page 164
Why does the dynamic IP address remain changed after I change the subnet?
The device should dynamically get an IP address on the new subnet when the lease to its current IP address expires. To immediately get a new IP address, restart the device or set a static IP address and then change settings back to "dynamic IP address".
Agent
Can an agent that has been removed be reinstalled?
If the endpoint matches a policy, then the agent will be reinstalled. Otherwise, the endpoint will not have an agent installed.
Endpoints
Does Network VirusWall Enforcer support endpoints running Windows 95, 98, and ME?
These platforms are not supported for policy enforcement using the persistent and single-use agent deployment options. Network VirusWall Enforcer, however, can still perform some agent-free enforcement actions on these endpoints, including network virus scanning.
Why doesn’t simple authentication for an OpenLDAP work?
Ensure that the DNS server can map the OpenLDAP server IP address and host name. For a DN, please type the full path in the Base Distinguished Name field. (For example, ou = sales, dc = trend, dc = com.)
Can Network VirusWall Enforcer block files shared through Windows Live (MSN) Messenger shared folder?
Yes, Network VirusWall Enforcer supports blocking of files in the Windows Live Messenger shared folder.
Will Network VirusWall Enforcer block activities through SOCKS 4 and SOCKS 5 proxy servers?
This version of the device does not block instant messenger activities through SOCKS 4 and SOCKS 5 proxy servers.
Why is HTTPS traffic not redirecting to the blocking page?
This version of the device does not support decryption of encrypted HTTPS traffic.
Why is an HTTPS page being blocked?
This can occur when the HTTPS page request triggers an assessment.
Can I import and export the Network VirusWall Enforcer configuration information?
Yes, the System Tasks option on the Preconfiguration console allows you to import and export the Network VirusWall Enforcer configuration information.
Note: Export configuration files only for backup purposes. This feature is not intended for copying the configuration of one Network VirusWall Enforcer device to another.
Page 171
How many concurrent HTTP, HTTPS, and SSH sessions on the management consoles are allowed?
The device supports up to 10 concurrent HTTP and 10 concurrent HTTPS sessions. It can support more than 10 concurrent SSH sessions.
I have just installed Network VirusWall Enforcer, why can’t I access the web console?
You may need to add the Network VirusWall Enforcer IP address to the trusted sites list on Internet Explorer.
Why does the web console stop displaying after I modify the management IP address?
The web console IP address also changes when you modify the management IP address.
You can use any Control Manager account in place of the root account user ID. However, Trend Micro recommends using the root account because if you delete the user ID specified during registration, you will have difficulty managing the device.
Why am I not receiving Control Manager notifications for network virus detections?
Ensure that you have registered the device to Control Manager and have configured network virus alerts on Control Manager. If you still do not receive notifications, there are several possible reasons:
•...
Page 175
Why is the authentication page displayed repeatedly?
If Internet Explorer is configured to use a proxy server and the matching policy performs user authentication, the authentication page may display repeatedly.
Page 176
This chapter discusses the following topics: • Before Contacting Technical Support on page 8-2 • Contacting Technical Support on page 8-2 • Sending Infected Files to Trend Micro on page 8-3 • Introducing TrendLabs on page 8-3 • Other Useful Resources on page 8-4...
Guide, and Online Help provide comprehensive information about Network VirusWall Enforcer. Search these documents for helpful information. • Knowledge Base—a key part of our technical support website, the Trend Micro Knowledge Base contains the latest information about Trend Micro products. To search the Knowledge Base, visit: http://esupport.trendmicro.com...
Trend Micro TrendLabs is a global network of antivirus research and product support centers that provide continuous 24 x 7 coverage to Trend Micro customers around the world. Staffed by a team of hundreds of engineers and skilled support personnel, the...
Other Useful Resources
Trend Micro offers a host of services from its website: http://www.trendmicro.com
Internet-based tools and services include:
• HouseCall™ — Trend Micro online virus scanner
• Virus risk assessment—the Trend Micro online virus protection assessment...
Page 180
Introducing Trend Micro Control Manager™ Trend Micro Control Manager™ is a central management console that manages Trend Micro products and services, third-party antivirus, and content security products at the gateway, mail server, file server, and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for antivirus and content security products and services throughout the network.
- Control Manager 3.0 SP6 Standard or Enterprise Edition Control Manager 5.0 Standard servers cannot be child servers. How to Use Control Manager Trend Micro designed Control Manager to manage antivirus and content security products and services deployed across an organization’s local and wide area networks. A-1.
Page 182
Table A-1. Control Manager features (Continued)
Feature: Description
Proactive outbreak prevention: With Outbreak Prevention Services (OPS), take proactive steps to secure your network against an emerging virus/malware outbreak.
Secure communication infrastructure: Control Manager uses a communications infrastructure built on the Secure Socket Layer (SSL) protocol....
Page 183
Table A-1. Control Manager features (Continued)
Feature: Description
Centralized update control: Update virus patterns, anti-spam rules, scan engines, and other antivirus or content security components to help ensure that all managed products are up-to-date.
Control Manager Architecture
Trend Micro Control Manager provides a means to control Trend Micro products and services from a central location. This application simplifies the administration of a corporate virus/malware and content security policy. Refer to...
Page 185
Table A-2. Control Manager components (Continued)
Component: Description
Control Manager server: A report server, present only in the Advanced Edition, that generates antivirus and content security product reports. A Control Manager report is an online collection of figures about virus/malware and content security events that occur on the Control Manager network.
Table A-2. Control Manager components (Continued)
Component: Description
Control Manager 2.x Agents: Receives commands from the Control Manager server and sends status information and logs to the Control Manager server. The Control Manager agent is an application installed on a managed product server that allows Control Manager to manage the product.
To register Network VirusWall Enforcer to Control Manager:
Log on to the Preconfiguration console.
On the Main Menu of the Preconfiguration console, select Register to Trend Micro Control Manager and press Enter.
Page 188
Control Manager 5.0 user access control provides greater flexibility than previous versions of Control Manager. Control Manager administrators can now restrict user access to the following:
• Control Manager menu items and screens
• Managed products and all information relating to the managed products
•...
Table A-3. Control Manager user access options (Continued)
Section: Description
User Groups: The Group Accounts screen contains Control Manager groups and provides options for creating groups. Control Manager uses groups as an easy method to send notifications to a number of users without having to select the users individually.
Managed Product MCP Agent Heartbeat
To monitor the status of Network VirusWall Enforcer devices, MCP agents poll Control Manager based on a schedule. Polling occurs to indicate the status of the Network VirusWall Enforcer device and to check for commands to the Network VirusWall Enforcer device from Control Manager.
Aside from simply sending the heartbeat to indicate the product status, additional data can upload to Control Manager along with the heartbeat. The data usually contains Network VirusWall Enforcer device activity information to display on the console.
Specify the time that the Network VirusWall Enforcer device communicates with Control Manager.
Click Save.
Determining the Right Heartbeat Setting
When choosing a heartbeat setting, balance between the need to display the latest managed product status information and the need to manage system resources. Trend...
Product Directory. The Control Manager management console represents managed products as icons. These icons represent Network VirusWall Enforcer devices, other Trend Micro antivirus and content security products, as well as third party products.
Page 194
Indirectly administer the managed products either individually or by groups through the Product Directory. The following table lists the menu items and buttons on the Product Directory screen:
Table A-5. Control Manager product directory items...
Table A-5. Control Manager product directory items (Continued)
Items: Description
Status: Click this button, after selecting a managed product/directory, to obtain status summaries about the managed product or managed products found in the directory.
Page 196
Plan the structure carefully, because the structure also affects the following:
Table A-6. Planning the product structure
Consideration: Impact
User access: When creating user accounts, Control Manager prompts for the segment of the Product Directory that the user can access.
A sample Product Directory appears below:
Managed products identify the registered antivirus or content security product, as well as provide the connection status. Refer to the Control Manager Under-...
Deploy Components Using the Product Directory
Manual deployments allow you to update the virus patterns, spam rules, and scan engines of your Network VirusWall Enforcer devices and other managed products on demand. Download new components before deploying updates to specific or groups of Network VirusWall Enforcer devices or managed products.
To access through Product Directory:
Click Products on the main menu.
Select the desired folder or Network VirusWall Enforcer device.
Note: By default, the Status Summary displays a week's worth of information ending with the day of your query.
Issue Tasks to Network VirusWall Enforcer Devices and Managed Products Use the options under the Tasks menu item to start actions on a group or specific Network VirusWall Enforcer device or managed product. You can perform the following tasks on Network VirusWall Enforcer devices: •...
Page 201
Select the data to query by specifying a data view for the log. Click Next. The Step 3: Query Criteria screen appears. Specify the data to appear in the log and the order in which the data appears: Click Change column display.
Tip: If you do not specify any filtering criteria, the Ad Hoc query returns all results for the applicable columns. Trend Micro recommends specifying filtering criteria to simplify data analysis after the information for the query returns. To save the query: Saving queries allows you to reuse them or to share them with others.
Trend Micro Control Manager Note: These are the services that run in the background on the Windows operating system, not the Trend Micro services that require Activation Codes (for example, Outbreak Prevention Services, Damage Cleanup Services). To restart Control Manager services: Click Start >...
To search for a folder or managed product: Access Product Directory. Type the entity display name of the managed product in the Find Entity field. Click Search. To perform an advanced search: Access Product Directory.
Page 205
• Deployment Plans • Ad Hoc Query • Control Manager reports Group managed products according to geographical, administrative, or product specific reasons. In combination with different access rights used to access managed products or...
Page 206
To use and apply changes in the Directory Management screen: • Select a managed product/directory and click Rename to rename a managed product/directory • Click + or the folder to display the managed products belonging to a folder •...
Page 207
Renaming Folders or Managed Products Rename directories and managed products from the Directory Manager. To rename a folder or managed product: Access the Directory Management screen. Select the managed product/directory to rename. The item highlights in the Product Directory.
Downloading and Deploying New Components Trend Micro recommends updating the antivirus and content security components to remain protected against the latest virus and malware threats. By default, Control Manager enables virus pattern, damage cleanup template, and Vulnerability Assessment pattern download even if there is no managed product registered on the Control Manager server.
• Engines: Engines refer to virus/malware scan engines, damage cleanup engine, VirusWall engines, the spyware/grayware engine and so on. These components perform the actual scanning and cleaning functions. • Product program: Product specific components (for example, Service Pack...
Page 210
This is the Trend Micro recommended method of configuring manual downloads. Manually downloading components requires multiple steps: Tip: Ignore steps 1 and 2 if you have already configured your deployment plan and configured your proxy settings.
Page 211
Click OK. Click Save to apply the new deployment plan. Step 2: Configure your proxy settings, if you use a proxy server Mouseover Administration. A drop-down menu appears. Mouseover Settings. A sub-menu appears.
Page 212
Step 4: Configure the download settings Select the update source: • Internet: Trend Micro update server: Download components from the official Trend Micro ActiveUpdate server. • Other update source: Type the URL of the update source in the accompanying field.
Page 213
• Based on deployment plan: Components download to Control Manager, but deploy to managed products based on the schedule you select • When new updates found: Components download to Control Manager when...
Page 214
Select components that you want to download. b. Select the update source: • Internet: Trend Micro update server to download components from the official Trend Micro ActiveUpdate server. • Other update source: Type the URL of the update source in the accompanying field.
Configuring Scheduled Download Exceptions Download exceptions allow administrators to prevent Control Manager from downloading Trend Micro update components for entire day(s) or for a certain time every day.
This feature is particularly useful for administrators who prefer not to allow Control Manager to download components on a non-work day or during non-work hours. Note: Daily scheduled exceptions apply to the selected days, while hourly scheduled exceptions apply to every day of the week.
Use the Scheduled Download screen to obtain the following information for components currently in your Control Manager system: • Frequency: Shows how often the component updates • Enabled: Indicates if the schedule for the component is enabled or disabled •...
Page 218
On the Add New Schedule screen, choose a deployment time schedule by selecting one of the following options: • Delay - after Control Manager downloads the update components, Control Manager delays the deployment according to the interval you specify. Use the menus to indicate the duration, in terms of hours and minutes.
Page 219
From the Components area select the components to download. Click the + icon to expand the component list for each component group. b. Select the components to download. To select all components for a group, select: •...
Page 220
Select Retry frequency and specify the number of retries and duration between retries for downloading components. Tip: Click Save before clicking Edit or Deployment Plan on this screen. If you do not click Save, your settings will be lost.
Step 7: Enable the schedule and save settings Click the status button in the Enable column. Click Save. Configuring Scheduled Download Schedule and Frequency Specify how often Control Manager obtains component updates at the Schedule and Frequency group.
Page 222
Under Download settings: Under Source, select one of the following update sources: • Internet: Trend Micro update server — (default setting) Control Manager downloads latest components from the Trend Micro ActiveUpdate server. • Other Internet source — specify the URL of the latest component source, for example, your company's Intranet server After selecting Other update source, you can specify multiple update sources.
If you are using a proxy server on the network (that is, the Control Manager server does not have direct Internet access), click Edit to configure the proxy settings from the Connection Settings screen.
Trend Micro ScanMail for Microsoft Exchange. The Control Manager installation creates two deployment plans: •...
Page 225
Select or create plans from the Manual and Scheduled download pages. Customize these plans, or create new ones, as required by your network. For example, create Deployment Plans according to the nature of the outbreak: •...
On the Add New Schedule screen, choose a deployment time schedule by selecting one of the following options: • Delay: After Control Manager downloads the update components, Control Manager delays the deployment according to the interval you specify. Use the menus to indicate the duration, in terms of hours and minutes.
Configuring Update/Deployment Settings Using HTTPS to download components from the Trend Micro ActiveUpdate server (http://cm5-p.activeupdate.trendmicro.com) or other Internet source provides a more secure method for retrieving components. Downloading components from a shared folder in a network requires setting the local Windows and Remote UNC authentications.
Click Save. Access Manual Download or Scheduled Download. On the working area under Download settings > From group, select File path and then specify the shared network folder. Click Save. Setting "Log on as batch job" Policy The local Windows authentication refers to the active directory user account in the Control Manager server.
Understanding Managed Product Logs Managed product logs provide you with information about the performance of your managed products. You can obtain information for specific or groups of products administered by the parent or child server. With Control Manager’s data query on logs and filtering capabilities, administrators can now focus on the information they need.
Understanding Data Views A Data View is a table consisting of clusters of related data cells. Data Views provide the foundation on which users perform Ad Hoc Queries to the Control Manager database. Control Manager separates Data Views into two major categories: Product Information and Security Threat Information.
Working with Reports Control Manager reports consist of two parts: report templates and report profiles. Where a report template determines the look and feel of the report, the report profile specifies the origin of the report data, the schedule/time period, and the recipients of the report.
Understanding Control Manager 5.0 Templates Control Manager 5.0 report templates use database views as the information foundation for reports. For more information on data views, see Understanding Data Views on page A-51. The look and feel of generated reports falls to the report elements. Report elements consist of the following: A-9.
Specify the data to appear in the report and the order in which the data appears. Complete report template creation. Understanding Control Manager 3.0 Templates Trend Micro Control Manager 3.0/3.5 added 65 pre-generated report templates divided into six categories: Desktop, File Server, Gateway, Mail Server, Executive Summary, and Network Products.
Page 234
Glossary
ActiveUpdate server: The Trend Micro server hosting the Network VirusWall Enforcer components. The ActiveUpdate™ server can be set as the update source.
Automatic switch-back: A mode that allows the management device to automatically switch-back to the default primary device once it becomes online.
Page 235
Control Manager: Trend Micro management product for different enterprise security applications.
Directory Manager: A feature of Control Manager that lets you customize the Product Directory structure to suit your administration needs.
Page 236
Malware: Malicious code or files containing malicious code; includes Trojans, worms, network viruses, and other threats.
Managed product: Refers to any software program or hardware device managed by Control Manager.
Management console: Short for Control Manager management console. A web-based console published via IIS from the Control Manager server, which administrators use to administer managed products and devices registered to Con-...
Page 237
Network Address Translation: Also known as NAT. The term refers to an Internet standard that enables a local area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.
Page 238
Network virus: The type of threat that Network VirusWall Enforcer devices can detect, eliminate, and contain. A virus spreading over a network is not, strictly speaking, a network virus. Only some of the known malware programs, such as worms, are actually network viruses.
Page 239
OSI model: Short for Open System Interconnection model. This model defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding to the bottom layer, over the channel to the next station and back up the hierarchy.
Page 240
Preconfiguration: The process of preparing the product for management through the web console through a much simpler console. Preconfiguration typically includes setting port functions and the management IP address.
Preconfiguration console: The console used to preconfigure a Network VirusWall Enforcer device.
Page 241
Spanning Port: Spanning Port indicates the ability to copy traffic from all the ports to a single port but also typically disallows bi-directional traffic on the port. In the case of Cisco, SPAN stands for Switch Port Analyzer.
Page 242
VLAN: Short for virtual LAN. A network consisting of clients that are not necessarily on the same segment of a local area network (LAN) but behave as if they are.
VPN: Short for virtual private network. A network that makes use of public wires to connect nodes.