McAfee SG310 Administration Manual page 213

Firewall menu options
Access control
Enabling security policy enforcement
This access control module allows part of a site's security policy to be actively enforced. Hosts that do not adhere to their defined policy are automatically denied access through the firewall. A number of security groups can be defined, where each group contains a number of host IP addresses or IP address ranges. For further information, see Creating a security policy group. Each group is additionally given lists of the services its hosts are permitted and denied to offer. Each host in each group is periodically and actively scanned for the services it is not allowed to offer, and if a connection to one of these services is successful, the host is blacklisted until the offending service is no longer offered. Scans are never performed against permitted services.

A number of predefined allow and deny service lists are provided; however, these should be considered a guideline only, as they are not a replacement for a well-designed security policy.

To enable and configure security policy enforcement

1 From the Firewall menu, click Access Control > Policy tab. The Policy Enforcement page appears (Figure 215).

Figure 215 Policy Enforcement page

2 To enable policy enforcement, select the Enable Policy Enforcement checkbox. Turning policy enforcement on without specifying anything to scan causes a slight decrease in performance of the appliance.

3 [Optional] Select the Block Unscanned Hosts checkbox. This checkbox specifies the behavior taken when a host that is scheduled to be scanned, but has not yet actually been scanned, attempts to access the Internet. By default, the host is allowed access. When this box is checked, the host is denied access instead.

4 Enter the maximum number of different hosts to scan together in the Simultaneous Probes field. This specifies the maximum number of simultaneous scanning processes allowed to exist at any single point in time. Specifying a larger number reduces the time a security scan takes, but increases the load of doing so both on the network and on the appliance. Specifying too large a number could result in the appliance exhausting its memory and the scan failing completely.
• Default: 4
• Integer value equal to or greater than 1

5 Enter the minimum number of seconds between scans of a single host in the Minimum Inter Probe Delay field. The delay specifies the minimum interval between starting successive security scans. If a scan takes longer than the specified number of seconds to complete, the setting is ignored and scanning is continuous. However, if a scan takes less time to perform than this setting, the following scan is delayed until this number of seconds has elapsed since the start of the current scan. This setting also determines the maximum time for changes to take effect.
• Integer value equal to or greater than 1
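The scanning and access rules described above (probe only denied services, blacklist while an offending service answers, Block Unscanned Hosts, Minimum Inter Probe Delay), modelled as an added example that is not part of the McAfee manual or the appliance's software; the group, ports and timings are constructed and the function names are hypothetical.

```python
"""Constructed model of UTM policy enforcement; not the appliance's own code."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class SecurityGroup:
    hosts: Set[str]
    permitted: Set[int]   # TCP ports the group's hosts may offer
    denied: Set[int]      # TCP ports the group's hosts must not offer


@dataclass
class HostState:
    scanned: bool = False
    blacklisted: bool = False
    last_scan_start: Optional[float] = None


def ports_to_probe(group: SecurityGroup) -> Set[int]:
    """Scans are never performed against permitted services, so permitted wins."""
    return group.denied - group.permitted


def apply_scan(state: HostState, group: SecurityGroup,
               open_ports: Set[int], now: float) -> HostState:
    """Record a completed scan: blacklisted while any denied service still answers."""
    state.scanned = True
    state.last_scan_start = now
    state.blacklisted = bool(ports_to_probe(group) & open_ports)
    return state


def allow_outbound(state: HostState, block_unscanned: bool) -> bool:
    """Access decision for a host that belongs to a scanned group."""
    if state.blacklisted:
        return False
    if not state.scanned:
        return not block_unscanned   # default: allow until first scan completes
    return True


def next_scan_start(prev_start: float, scan_duration: float, min_delay: float) -> float:
    """A scan that outlasts the delay makes scanning continuous; otherwise wait it out."""
    return prev_start + max(scan_duration, min_delay)
```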
McAfee UTM Firewall 4.0.4 Administration Guide
This manual is also suitable for: SG560, SG560U, SG565, SG580