The Category Filters are selected in the toolbar of the Management Client. You can create a custom Category Filter containing any combination of Categories. For example, you could apply a Category for a particular geographic location and a Category for critical servers to view only elements related to the critical servers at one location. The Category Filter is applied in all views.
Examples of Categories
The examples in this section illustrate some common uses for Categories and the general steps for configuring each scenario.
Creating Separate Categories for a Firewall and an IPS Configuration
Company A is a large enterprise planning a new system. The system will include several Firewall and IPS engines. Each Firewall and IPS engine has its own policy. At any one time, the company’s administrators need to manage only the Firewall engines and their policies, or only the IPS engines and their policies. To restrict which engines and policies are displayed, the following steps are taken:
1. The headquarters administrator creates two Categories: one for the elements that belong to the Firewall configuration and another for the elements that belong to the IPS configuration.
2. The headquarters administrator creates the elements that represent the Firewalls, Firewall policies, IPS engines, and IPS policies and selects the appropriate Category for each element while defining its properties.
3. The administrators select the appropriate Category as the Category Filter so that only the elements in the Firewall or IPS configuration are displayed.
Combining Categories
Company B has sites in New York, Toronto, and Mexico City. The company’s administrators have defined separate Categories for the elements that belong to each site as the administrators usually work with the elements of only one site at a time. Today, however, Administrator A needs to apply the same configuration changes to the New York and Toronto sites. Administrator A does not want to create a new Category for this temporary need. To be able to filter the elements belonging to both the New York and Toronto sites, Administrator A does the following:
1. Creates a custom Category Filter that contains the New York and Toronto Categories so that the elements at both the New York and Toronto sites are displayed, and elements in the Mexico City Category are filtered out.
2. Makes the configuration changes to the elements in the New York and Toronto sites.
3. Selects the Category Filter Not Used filter to display all elements again.
LOGS, ALERTS, AND REPORTS
In this section:
Filters (page 77)
Log Management (page 85)
Alert Escalation (page 93)
Reports (page 103)
Incident Cases (page 113)
CHAPTER 10
FILTERS
Filters combine log fields and values with operations to allow you to sort data. Filters can be used, for example, to select which logs are displayed in the Logs view or which logs will be archived or exported.
The following sections are included:
Overview of Filters (page 78)
Configuration of Filters (page 78)
Examples of Filters (page 83)
Overview of Filters
Network traffic can generate a large amount of log data. You can use Filters to select data for many operations such as viewing log entries in the Logs view or generating statistical reports.
Filters allow you to efficiently manage the large amounts of data that the system generates.
Filters select entries by comparing values defined in the Filter to each data entry included in the filtering operation. The operation can use the filter to either include or exclude matching data.
You can use filters for selecting data in the following tasks:
• Browsing logs, alerts, audit data, blacklists, and currently open connections on a Firewall.
• Browsing authenticated users, routes, and VPN tunnels.
• Pruning log data.
• Archiving, exporting, and deleting log data and alerts.
• Creating reports.
• Selecting which logs administrators with restricted accounts or Web Portal User accounts are allowed to view.
• Defining how logs are highlighted in the Logs view.
• Forwarding log data from a Log Server to an external host.
• Forwarding audit data from a Management Server to an external host.
• Creating Correlation Situations to analyze engine and Log Server events.
Configuration of Filters
You can create filters in various views in the Management Client. Permanent Filter elements can be used anywhere in the Management Client. In addition to permanent Filters, you can also define local filters that are specific to the element or view in which the local filters were created.
Filters are constructed from the following parts:
• The fields that you want to match in the data (for example, there are separate fields for source IP address and port in logs). You can filter data according to any field.
• The values in those fields that you want to match (for example, the exact port number or IP address you are interested in).
• Operations define the way in which the fields and values are matched to data entries (especially if there are several fields included as the filtering criteria).
Illustration 10.1 Matching Events with a filter
Illustration 10.1 shows a Filter with several fields and operations. This Filter matches if the
A data entry of a connection to host 192.168.11.10 on port 80 matches the first AND operation in the example filter. The same connection does not match the second AND operation in the Filter. Since the two AND operations are combined with OR, the Filter as a whole is considered a match and the data is selected for the task that is being carried out.
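The following is an added example, not code from the SMC product or this guide. It models the three parts of a Filter described above (fields, values, and the AND/OR operations that combine them) as a small evaluator, and runs it against constructed log entries so the matching logic of the example above can be traced step by step: the first AND operation matches the connection to 192.168.11.10 on port 80, the second AND does not, and the surrounding OR makes the Filter as a whole match. The `apply_filter` function also shows the include/exclude choice mentioned in the overview. The field names (`dst_ip`, `dst_port`, `src_ip`, `action`), the second AND branch (port 443), and the sample entries are all assumptions made for this example.

```python
"""Toy evaluator for SMC-style log Filters (added example, not SMC code).

A Filter is built from fields, values and operations. Leaf comparisons
match one log field against a value; AND/OR operations combine them.
The filter tree and the sample log entries below are constructed for
illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Union

LogEntry = Dict[str, object]


@dataclass(frozen=True)
class Match:
    """Leaf condition: compare one log field with a value.

    op is one of '==', '!=', or 'in' (IP address contained in a network).
    """
    field: str
    op: str
    value: object

    def matches(self, entry: LogEntry) -> bool:
        actual = entry.get(self.field)
        if actual is None:  # field absent from this entry: no match
            return False
        if self.op == "==":
            return actual == self.value
        if self.op == "!=":
            return actual != self.value
        if self.op == "in":
            return ip_address(actual) in ip_network(self.value)
        raise ValueError(f"unknown operation {self.op!r}")


@dataclass(frozen=True)
class And:
    """AND operation: every part must match."""
    parts: List["Node"]

    def matches(self, entry: LogEntry) -> bool:
        return all(p.matches(entry) for p in self.parts)


@dataclass(frozen=True)
class Or:
    """OR operation: at least one part must match."""
    parts: List["Node"]

    def matches(self, entry: LogEntry) -> bool:
        return any(p.matches(entry) for p in self.parts)


Node = Union[Match, And, Or]


def apply_filter(flt: Node, entries: List[LogEntry], exclude: bool = False) -> List[LogEntry]:
    """Select entries for a task: keep matches by default, or drop them with exclude=True."""
    return [e for e in entries if flt.matches(e) != exclude]


# Constructed Filter with the shape described in the text: two AND
# operations combined with OR. Field names and the 443 branch are assumptions.
WEB_TO_SERVER = Or([
    And([Match("dst_ip", "==", "192.168.11.10"), Match("dst_port", "==", 80)]),
    And([Match("dst_ip", "==", "192.168.11.10"), Match("dst_port", "==", 443)]),
])

# Constructed sample log entries (not real product output).
SAMPLE_LOGS: List[LogEntry] = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.168.11.10", "dst_port": 80, "action": "Allow"},
    {"src_ip": "10.0.0.6", "dst_ip": "192.168.11.10", "dst_port": 22, "action": "Allow"},
    {"src_ip": "10.0.0.7", "dst_ip": "192.168.11.20", "dst_port": 443, "action": "Discard"},
]

if __name__ == "__main__":
    entry = SAMPLE_LOGS[0]  # the connection to 192.168.11.10 on port 80
    print("first AND matches: ", WEB_TO_SERVER.parts[0].matches(entry))   # True
    print("second AND matches:", WEB_TO_SERVER.parts[1].matches(entry))   # False
    print("whole Filter matches:", WEB_TO_SERVER.matches(entry))          # True
    print("included:", [e["src_ip"] for e in apply_filter(WEB_TO_SERVER, SAMPLE_LOGS)])
    print("excluded:", [e["src_ip"] for e in apply_filter(WEB_TO_SERVER, SAMPLE_LOGS, exclude=True)])
```

The evaluator treats a missing field as a non-match rather than an error, which is the behaviour you want when a Filter built for connection logs is applied to a mixed set of entries (audit data, alerts) that do not carry every field.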
Default Elements
There are many predefined Filter elements in the system that you can use for various tasks. You cannot modify the predefined Filters. You can, however, duplicate predefined Filters to create copies that you can modify. Filter elements may be imported and updated when you activate new dynamic update packages, so the selection and names of predefined Filters may change. The default Filter elements have the type System or Correlation (for Filters used in Correlation Situations).
Configuration Workflow
The following sections provide an overview of the configuration tasks. Detailed step-by-step instructions can be found in the Management Client Online Help and the McAfee SMC Administrator’s Guide.