McAfee® Network Protection: Industry-leading network security solutions

Reports Guide
revision 5.0







McAfee®
Network Protection
Industry-leading network security solutions





McAfee® Network Security Platform
Network Security Manager
version 5.1






COPYRIGHT
Copyright ® 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),


ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION
THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA),
NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN,
VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or
its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks
herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( * Cryptographic software written by Eric A. Young and software written by
Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses
which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for
any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such
software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software
program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by
Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by
Douglas W. Sauder. * Software developed by the Apache Software Foundation ( A copy of the license agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. *
Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin,
Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by
Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by

Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted
by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham
Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python
Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone
Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab
( * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of
California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <> for use in the mod_ssl project (http:// www.modssl.org/). * Software
copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001,
2002. See /> for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. *
Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software
copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See
for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (), (C) 2001, 2002. * Software copyrighted by
Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi (), (C) 1999, 2000. *
Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen
Cleary (
), (C) 2000. * Software copyrighted by Housemarque Oy <>, (C) 2001. * Software copyrighted by Paul Moore, (C)
1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter
Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. *
Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by
Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software
copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C)
2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software
contributed to Berkeley by Chris Torek.




Issued NOVEMBER 2010 / Reports Guide
700-1814-00/ 5.0 - English


Contents
Preface iv
Introducing McAfee Network Security Platform iv
About this Guide iv
Audience v
Conventions used in this guide v
Related Documentation vi
Contacting Technical Support vi
Chapter 1 Report Generation 1
Reports Main page 1
Localization of Reports 2
Next Generation Reports 5
Next Generation Saved Reports 5
Traditional-Configuration Reports 14
Saving Configuration Reports 16
ACL Assignments Report 16
ACL Definitions Report 18
Admin Domain and Users Report 18
Alert Filters Report 20
Faults Report 21
Integration Summary Report 22
Intrusion Policy Report 26
IPS Configuration Summary Report 27
IPS Policy Assignment Report 32
IPS Policy Details Report 33
IPS Sensor Report 34
Manager Report 35
NAC Configuration Summary Report 38
NAC Sensor Report 39

Performance Monitoring - Admin Domain Configuration Report 41
Performance Monitoring - Sensor Configuration Report 42
Reconnaissance Policy Report 43
Rule Set Report 44
Traffic Management Report 45
User Activity Report 48
Version Summary Report 50
Traditional-IPS Events Reports 51
Big Movers Report 52
Executive Summary Report 53
Reconnaissance Attacks Report 56
Top N Attacks Report 58
Trend Analysis Report 61
User Defined Report 65
Templates Reports 69
Scheduling of Reports 71
Scheduling a Report 72
Edit scheduled report settings 75
Edit the recipient list for scheduled reports 77
Sent Reports 77
General Settings 79
Add a Report Recipient 80
Index 81

Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also provides information such
as the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most
comprehensive, accurate, and scalable Network Access Control (NAC) and network
Intrusion Prevention System (IPS) for mission-critical enterprise, carrier, and service
provider networks, while providing unmatched protection against spyware and known,
zero-day, and encrypted attacks.
McAfee Network Security Platform combines real-time detection and prevention to provide
the most comprehensive and effective network IPS in the market.

About this Guide
This guide describes how to use the Network Security Platform report generation feature to
produce different kinds of reports, whether configuration reports or IPS reports.
The Configuration Reports are based on specific types of information, such as the
configuration of the McAfee® Network Security Manager [formerly McAfee® IntruShield®
Security Manager], policies, alerts, and summaries of current McAfee Network Security
Manager (Manager) and McAfee® Network Security Sensor [formerly McAfee® IntruShield®
Sensor] software versions. These reports provide an updated result of the different
configurations set on the Manager and McAfee Network Security Sensors (Sensors).
The IPS reports provide details of alerts generated by Sensors as well as Host Intrusion
Prevention Sensors. They are summaries generated with data such as attack name,
attack type, time of alert, and IP address.
Scheduled reports let you automate report generation, so that reports recur at specific
time spans.
The reports can be generated on a daily, monthly, and weekly basis. Several pre-formatted
reports are provided for simple information gathering.
This guide is organized into:
• Configuration Reports (on page 14): provides information on the settings
configured using the Configuration page and scheduling of reports.
• IPS Reports (on page 51): details the network alerts generated by your Network
Security Platform sensors as well as those sent via Host Intrusion Prevention
integration. Provides information on how to schedule reports and automatically
generate them.


McAfee® Network Security Platform 5.1

Preface

Audience
This guide is intended for use by network technicians responsible for maintaining the
Manager and analyzing and disseminating the resulting data. It is assumed that you are
familiar with IPS-related tasks, the relationship between tasks, and the commands
necessary to perform particular tasks.

Conventions used in this guide
This document uses the following typographical conventions:
Convention | Example
Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font. | The Service field on the Properties tab specifies the name of the requested service.
Menu or action group selections are indicated using a right angle bracket. | Select My Company > Admin Domain > Summary.
Procedures are presented as a series of numbered steps. | 1. On the Configuration tab, click Backup.
Names of keys on the keyboard are denoted using UPPER CASE. | Press ENTER.
Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font. | Type: setup and then press ENTER.
Variable information that you must type based on your specific situation or environment is shown in italics. | Type: sensor-IP-address and then press ENTER.
Parameters that you must supply are shown enclosed in angle brackets. | set Sensor ip <A.B.C.D>
Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data, is denoted using this notation. | Caution:
Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation. | Warning:
Notes that provide related, but non-critical, information are denoted using this notation. | Note:
Related Documentation
The following documents and on-line help are companions to this guide. Refer to Quick Tour
for more information on these guides.
• Quick Tour
• Manager Installation Guide
• 4.1 to 5.1 Upgrade Guide
• Getting Started Guide
• IPS Deployment Guide
• Manager Configuration Basics Guide
• Administrative Domain Configuration Guide
• Manager Server Configuration Guide
• Sensor CLI Guide
• Sensor Configuration Guide
• IPS Configuration Guide
• NAC Configuration Guide
• Integration Guide
• System Status Monitoring Guide
• User-Defined Signatures Guide
• Central Manager Administrator's Guide
• Best Practices Guide
• Troubleshooting Guide
• I-1200 Sensor Product Guide
• I-1400 Sensor Product Guide
• I-2700 Sensor Product Guide
• I-3000 Sensor Product Guide
• I-4000 Sensor Product Guide
• I-4010 Sensor Product Guide
• Gigabit Optical Fail-Open Bypass Kit Guide
• Gigabit Copper Fail-Open Bypass Kit Guide
• Special Topics Guide—In-line Sensor Deployment
• Special Topics Guide—Sensor High Availability
• Special Topics Guide—Virtualization
• Special Topics Guide—Denial-of-Service

Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support .

Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found at McAfee Contact Information
/>act/index.html page.
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.








CHAPTER 1
Report Generation
McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager]
provides report generation options for two types of reports: next generation reports
and traditional (configuration and IPS events) reports. Clicking Reports from the McAfee
Network Security Manager (Manager) Home page opens the Reports Main page.

Figure 1: Accessing Reports from the homepage
Item Description
1 Click to access the Reports main page.
Access to the Reports Main page is based on user roles. By definition, report generation is
available for Super User, Security Expert, and Operator roles. Access is also restricted by
admin domain; for example, a user with access to a child domain only cannot view data or
templates that require root or higher-level domain access.

Reports Main page
Clicking Reports from the Manager Home page opens the Reports Main page.
The following options are available on the Reports Main page:
• Next Generation (on page 5): generate customized reports. You can choose the type
of data to base the report on, the fields that you would like to display, whether to
display data in a table, bar chart, or pie chart, etc.
• Traditional Reports: generate reports based on pre-defined conditions. You can
generate traditional reports under two categories: Configuration and IPS.
  • The Traditional-Configuration (on page 14) reports are based on specific types of
  information, such as the configuration of Manager, policies, alerts, and summaries of
  current Manager and Sensor software versions. These reports provide an updated
  result of the different configurations set on Manager and Sensors.
  • The Traditional-IPS Events (on page 51) reports provide details of alerts
  generated by Network Security Sensors as well as Host Intrusion Prevention
  Sensors. They are summaries generated with data such as attack name,
  attack type, time of alert, and IP address.
• Scheduled (on page 71): schedule reports to run automatically and be mailed to
recipients on a daily or weekly basis.
• Sent Reports (on page 77): view a list of reports generated and mailed to recipients.
• General Settings (on page 79): edit the report header and footer, the schedule for
running the report, the recipient list for sending the generated reports, etc.

Figure 2: Reports main page
The report generation time is the time displayed when a report generation is initiated. This
is displayed according to the time zone.
Note: Click Back to navigate to the Reports Main page from a generated report page.
You can view reports in Japanese, Korean, Chinese Simplified, and Chinese Traditional.
For more information, see Localization of Reports (on page 2).
Localization of Reports
Manager supports report generation in the following languages:
• English
• Japanese
• Chinese Simplified
• Chinese Traditional
• Korean
You can configure, schedule, and view the generated reports in all the 5 languages
mentioned.
You can select the language in the Language field in the Reports Main page. The Reports
Main page is displayed in English the first time you access it. Subsequently, it is displayed
in the language that you last chose.

Figure 3: Language field in the Reports Main page
Note 1: If you are accessing Manager from a client machine, you need to install
East Asian characters; otherwise such characters in the reports appear as square boxes
or question marks. To install the East Asian characters, go to Settings -> Control
Panel -> Regional and Language options -> Languages, select "Install files for
East Asian languages", install "Asian Language Characters", and then restart the
machine.
Note 2: To view the PDF version of the localized reports, you need the required
fonts in your Acrobat Reader. The first time you attempt to view the PDF version,
Acrobat Reader attempts to update with the required fonts.
You can specify the language for the recipients of scheduled reports, and the scheduled
reports are generated in those languages. For example, if you have scheduled the
Executive Summary Report with 5 recipients (one recipient for each language including
English), then this report is generated in all the 5 languages at the specified time and the
appropriate version is emailed to the recipients. That is, the Japanese recipient receives
the Japanese version of the report.
The data retrieved from the database is displayed in the language in which it is stored in
the database, and this data is independent of the language that you choose in the Reports
Main page. For example, if a saved report was generated in English, you cannot view it
in Japanese by choosing Japanese in the Reports Main page. To do this, you need to add
another recipient for this report with the language set to Japanese.

Figure 4: Language field in the Add Recipient page
In the following pages, you can enter text in the language that you had chosen:
• Add Report Template (Description)
• Edit Report Template (Description)
• Add Recipient (First Name and Last Name)
• Edit Recipient (First Name and Last Name)

The following table provides the extent of localization in the Reports module:
Category | Extent of Localization
User-configurable data retrieved from the database | Not localized
Data that is not user-configurable | Fully localized
Informational messages | Fully localized
Error messages | Fully localized
Help and Documentation | Available in English only
Text in charts and graphs | Partially localized
Dates | Fully localized
Calendar | Fully localized
Numeric, monetary, and metric | Partially localized
Data input through keyboard | Partially localized
Next Generation Reports
The Next Generation report option allows you to generate customized reports. You can
make selections such as the type of data to base the report on, the format in which you
want the data to be presented such as table, bar chart, or a pie chart, etc. From a list of
fields that are applicable for a report, you can select the fields that you wish to display; you
can also specify the conditions that must be met to include the information for those fields
in the report.
You can then save the query that you have just built for later use. You can also generate
the report immediately or schedule it to run automatically by setting options like the period
to be considered for displaying data, report output format etc.
Next Generation reports can be generated from the Reports menu in the Manager.
When you select the Reports menu in the Manager Home page, the Next Generation page
displays the Saved Reports on the left pane by default.

Figure 5: Next Generation Page
Next Generation Saved Reports
The Saved Reports pane lists three types of saved reports:
• McAfee Default Report: These are reports that are listed by default, which can only be
duplicated and run but cannot be edited or deleted.
• Derived from “{report name of McAfee Default Report}”: These are reports that are duplicates
of a McAfee Default Report. They have the options Duplicate, Edit, Run and Delete, but
editing these reports allows the user to edit only the data filter.
• User Defined Report: These are reports that are created when you click New from the
main screen of Next Generation Report.


Next Generation Default Reports
The Next Generation Default reports available under Saved Reports are:
• Default - Attack URL Info: A list of URL information of the attacks.
• Default - IPS Quarantine History: A list of hosts in quarantine because they have attempted
an intrusion.
• Default - High Sensor Throughput Utilization: Status of Sensor throughput utilization
threshold.
• Default - High Sensor TCP / UDP Flow Utilization: Status of TCP/UDP flow utilization.
• Default - Top 10 Attacks: The top 10 attacks by attack count.
They are generated from the query structure illustrated below:
Select Col1, Col2 | Presentation
from table | Data Source
where (Condition Expression) | Data Filter
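The Select / from / where structure above, together with the role and admin-domain restrictions described for the Reports Main page, can be modelled as a small query builder. This is an added example, not McAfee's code or schema: the table and column names, the domain tree, and the rule that a user sees their own domain and the domains below it are assumptions made for illustration.

```python
import sqlite3

REPORT_ROLES = {"Super User", "Security Expert", "Operator"}  # roles named in the guide
# Hypothetical table and column names for the "Alert information" data source.
DATA_SOURCES = {
    "Alert information": ("alerts", ("attack_name", "attack_type", "alert_time",
                                     "src_ip", "admin_domain", "sensor", "interface")),
}
OPERATORS = {"=", "!=", "LIKE"}
# Constructed admin-domain tree, child -> parent; None marks the root domain.
DOMAIN_PARENT = {"My Company": None, "Branch A": "My Company", "Branch B": "My Company"}


def visible_domains(user_domain):
    """Assumed scoping rule: a user sees their own domain and every domain below it."""
    if user_domain not in DOMAIN_PARENT:
        raise ValueError(f"unknown admin domain: {user_domain!r}")
    visible = {user_domain}
    grew = True
    while grew:
        grew = False
        for child, parent in DOMAIN_PARENT.items():
            if parent in visible and child not in visible:
                visible.add(child)
                grew = True
    return visible


def build_query(role, user_domain, data_source, columns, conditions=()):
    """Return (sql, params): identifiers are allow-listed, values are bound parameters."""
    if role not in REPORT_ROLES:
        raise PermissionError(f"role {role!r} may not generate reports")
    if data_source not in DATA_SOURCES:
        raise ValueError(f"unknown data source: {data_source!r}")
    table, allowed = DATA_SOURCES[data_source]
    if not columns:
        raise ValueError("select at least one column")
    for name in list(columns) + [cond[0] for cond in conditions]:
        if name not in allowed:
            raise ValueError(f"column not available for this data source: {name!r}")
    clauses, params = [], []
    for column, op, value in conditions:  # Data Filter chosen by the user
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator: {op!r}")
        clauses.append(f"{column} {op} ?")
        params.append(value)
    scope = sorted(visible_domains(user_domain))  # mandatory filter the user cannot remove
    clauses.append(f"admin_domain IN ({', '.join('?' * len(scope))})")
    params.extend(scope)
    # Presentation = column list, Data Source = table, Data Filter = WHERE clause.
    sql = f"SELECT {', '.join(columns)} FROM {table} WHERE {' AND '.join(clauses)}"
    return sql, params


def run_report(conn, role, user_domain, data_source, columns, conditions=()):
    """Build the report query and return the matching rows as a list of tuples."""
    sql, params = build_query(role, user_domain, data_source, columns, conditions)
    return conn.execute(sql, params).fetchall()


def sample_db():
    """In-memory database holding constructed alert rows (not real alert data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (attack_name, attack_type, alert_time, "
                 "src_ip, admin_domain, sensor, interface)")
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?, ?, ?)", [
        ("Constructed exploit alert", "Exploit", "2010-11-01 09:00",
         "192.0.2.10", "Branch A", "sensor-a", "1A"),
        ("Constructed port scan", "Reconnaissance", "2010-11-01 09:05",
         "192.0.2.11", "Branch A", "sensor-a", "1B"),
        ("Constructed exploit alert", "Exploit", "2010-11-01 09:10",
         "198.51.100.7", "Branch B", "sensor-b", "2A"),
        ("Constructed DoS alert", "DoS", "2010-11-01 09:15",
         "203.0.113.5", "My Company", "sensor-hq", "3A"),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    exploit_filter = [("attack_type", "=", "Exploit")]
    print(build_query("Operator", "Branch A", "Alert information",
                      ["attack_name", "src_ip"], exploit_filter))
    print(run_report(db, "Operator", "Branch A", "Alert information",
                     ["attack_name", "src_ip"], exploit_filter))
```

Column and table names are checked against an allow-list because identifiers cannot be bound as parameters, while filter values and the admin-domain scope are always passed as bound parameters.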

Creating a Duplicate Report
To generate a duplicate report:
1 Select a report to be duplicated from the Saved Reports.
2 Click Duplicate.

Figure 6: Reports main page
3 Type the name of the duplicate report in the Name field.
4 Click OK.

Figure 7: Duplicate report displayed under Saved Reports
Now, the name of the duplicate report gets included under Saved Reports.
5 Click Edit to define the parameters to be used for generating the report.
For example, if you are creating a duplicate Default - Attack URL Info report, you can
choose to filter data based on the following parameters:
• Admin Domain
• Sensor
• Interface
6 Click Save.
Generating Next Generation User Defined Report
You can create a new report with a choice of data source, presentation and filter.
1 To create a new report, select New. This option can be seen in the bottom left corner of
the Next Generation page.

Figure 8: New Reports - Data source selection

You need to select the data sources for the report. Data sources represent the database
tables from where information is retrieved to generate the report. There are three selection
options for data sources: Alert information, Host Event and Sensor Performance.
1 Click Next to set the display options for the report. The report can be displayed as a
Table, Bar Chart or Pie Chart.

Figure 9: Display options for new Report
2 Select the columns of choice that you want to include in the report output by selecting
rows in the left panel.

Figure 10: New Report - Data source page
3 Select a row in the left panel to view the Data Filter options.

Figure 11: New Report - Data filter setting
You can enhance the filter options for the fields selected in step 4 from the Data Filter
options. Use the + and - options to add or delete conditions.
When you finish the selections, you can save your report query using Save. You can
also run the report directly without saving by clicking the Run Once option.

Figure 12: Saving a Flexible Report
4 In the Save Query page, you need to enter a Name and Description for the Query.
You can also select the following options in the Save Query:
• Automate Report Generation
• Report Frequency
• Events to Display
• Report Format
5 Select Finish to save the query.
6 The report is saved and displayed in the Saved Reports section of the Next Generation
page.
7 Select the report, and then click Run Once to view the Run Query.

Figure 13: Run options for the new Report
8 In the Run Query, enter the Data Options and the Report Format.
Click Run to run the report query. The generated report is displayed in the selected report
format.

Figure 14: New Report - Bar chart selection output
When the Bar Chart display option is selected, the output contains both the bar chart and
table. If you select the Pie Chart option, the Pie Chart and the table are displayed. If there
are no alerts, only the table is displayed.
Data Display Order:
Table Type | Bar Chart | Pie Chart | Table Only
Alert table | Data is displayed in descending order | Data is displayed in descending order | Data is displayed in ascending order
Host Event table | Data is displayed in ascending order | Data is displayed in ascending order | Data is displayed in ascending order
Once the User Defined Report is saved, you cannot change its data source.


Generating a period specific report on Sensor performance
Follow this procedure to generate a period specific Next Generation report on Sensor
performance.

1 Select the Reports icon from the Manager Home page.
2 Click Next Generation.
3 Click New at the bottom of the left pane.
4 Select the Hourly radio button under Sensor Performance in the data source page.
Daily, Weekly and Monthly period specific reports can be generated by selecting the
Daily, Weekly or Monthly radio buttons.

Figure 15: Hourly Data Source Selection
5 Click Next.
6 Click Table under display options (the only option for this report) and click Next.

Figure 16: Sensor Performance Report - Table Display Option
7 Click the desired fields in the Available Fields pane to move them to the Selected Fields
pane. (You can click the left/right arrow buttons on each column to change the
position of the column. You can click the X button on each column to remove the
column.) Click Next.


Figure 17: Data Source - Selected Fields for Report
8 Click the properties listed on the left pane and move them to the right pane to reduce
the quantity of information shown in the report. Click Run Once to run the report, click
Save to save the report.

Figure 18: Data Source with Property Selection
9 Select one of the Data Options (either query for the day or between two dates or for a
selected period in the past). Select the report format (HTML, PDF, Save as CSV or
Save as HTML) and click Run.

Figure 19: Next Generation Report - Run Query Choices
10 The hourly report is generated.

Figure 20: New User Defined Report

Traditional-Configuration Reports
Traditional-Configuration Reports are based on pre-defined conditions and detail your system
configuration settings.
You can generate these reports to view your current software and signature versions, the
configuration and status of a McAfee® Network Security Sensor [formerly McAfee®
IntruShield® Sensor], policy settings, and so forth. The report generation time is the time
displayed when a report has been executed. This is displayed according to the time zone.
Several pre-formatted reports are provided for simple information gathering.

Figure 21: Configuration Reports
Item Description
1 Configuration Reports
The available configuration reports are:
• ACL Assignments Report (on page 16): provides a detailed view of the ACL rules and
ACL groups that are created and applied to Sensor, interface and sub-interface levels.
• ACL Definitions Report (on page 18): provides a detailed view of the ACL rules
configured for one or more McAfee Network Security Sensors (Sensors).
• Admin Domain and Users Report (on page 18): information on the admin domains
and users controlled through your Manager.
• Alert Filters Report (on page 20): information on all of the alert filters available for
policy application.
• Faults Report (on page 21): information on Manager and Sensor fault logs.
• Integration Summary Report (on page 22): provides a summary of configurations
done in the Manager to integrate with other McAfee products such as ePO and
Vulnerability Manager.
• Intrusion Policy (on page 26): provides a detailed view of the policies—Exploit,
Reconnaissance, and DoS—applied to one or more admin domains.
• IPS Configuration Summary Report (on page 27): provides a detailed view of the IPS
configuration settings made by the user.
• IPS Policy Assignment Report (on page 32): provides a detailed view of the IPS
policies available for application.
• IPS Policy Details Report (on page 33): provides a detailed view of the IPS policies
available for application.
• IPS Sensor Report (on page 32): information on the policies applied to one or more
Sensors.
• Manager Report (on page 35): configuration information related to the notification mail
server, proxy server, and MDR.
• NAC Configuration Summary Report (on page 38): gives the details of the NAC
configuration at the admin domain level.
• NAC Sensor Report (on page 39): gives the details of the NAC configuration in the
Sensor monitoring ports.
• Performance Monitoring - Admin Domain Configuration Report (on page 41): displays
information on admin domain wise configuration made in the Manager.
• Performance Monitoring - Sensor Configuration Report (on page 42): displays
information on Sensor configuration settings made in the Manager.
• Reconnaissance Policy Report (on page 43): information on all the Reconnaissance
policies available for application.
• Rule Set Report (on page 44): information on all of the rule sets available for
application.
• Traffic Management Report (on page 45): details the traffic management configuration
information for each port on one or more Sensors.
• User Activity Report (on page 48): information on the actions performed by Network
Security Platform users.
• Version Summary Report (on page 50): information on the versions of software and
signatures in use.
Note: For more information on IPS Reports, see the IPS Reports (on page 51) section.
Saving Configuration Reports
To save a Configuration Report, select the Output Format: HTML, PDF, Save as CSV or Save as
HTML. You can then click Save and specify a location where to save the file.

If you select PDF, a PDF file format displays on the Report page. You need Adobe Acrobat
7.0 or later to view reports in PDF. The recommended viewing size for the PDF version of
a report is “Actual Size” or 100%. If you want to save the PDF of a report, McAfee
recommends customizing the file name for later recognition. If you want to keep the
generated file name, check the length of the name. If you had de-selected Day/Time
Detected from the Fields of Interest section of a report generation template, the default file
name would be “ViewReport.pdf.”
If you select Save as CSV, a dialog box displays prompting you for the file name and location.
You can specify an appropriate file name and location and click Save to save the report in
CSV format. You can open or view it using Microsoft Excel.
ACL Assignments Report
The ACL Assignments Report provides a detailed view of the ACL rules and IP spoofing
enablement status configured for one or more Sensors.
To generate an ACL Assignments Report, do the following:
1 Select the Reports icon from the Manager Home page.
2 Click Traditional > Configuration > ACL Assignments.

Figure 22: Sensor ACL Configuration Report Options
3 Select one or more Sensors.
Tip: Sensor ACL Reports can be very long when multiple Sensors are selected.
McAfee recommends selecting a single Sensor for ease of readability.
4 Select one or more of the following based on what information you want to see in the
report:
• Anti-spoofing: Lists all anti-spoofing rules for the selected Sensor.
• Sensor Level Rules: Lists the ACL rules, both inbound and outbound, configured at
the Sensor level.
• Port Level Rules: Lists the ACL rules, both inbound and outbound, configured at the
port or interface level.
• Local Level Rules: Lists the ACL rules, both inbound and outbound, configured at
the local or sub-interface level.
5 Select the Output Format.
6 Click Submit. The generated information is separated by direction of traffic (inbound
versus outbound) in which ACL rules have been configured.

Figure 23: Sensor ACL Configuration Report
