McAfee Network Security Manager v1.1.0

About the connector

McAfee Network Security Manager is an advanced solution for up to six McAfee Network Security Platform sensors, McAfee Network Access Control appliances, or McAfee Network Threat Behavior Analysis appliances deployed in small and medium-size networks and enterprise branch offices.

This document provides information about the McAfee Network Security Manager connector, which facilitates automated interactions with McAfee Network Security Manager using FortiSOAR™ playbooks. Add the McAfee Network Security Manager connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving details for a specific domain from McAfee Network Security Manager and creating a new domain in McAfee Network Security Manager.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 6.4.4-3164

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the McAfee Network Security Manager connector in version 1.1.0:

  • Added the following operations and playbooks:
    • Update Block IP Duration
    • Get Blocked IP List
    • Get Blocked IP Details
  • Added copyright information to the connector.
  • Updated the 'UnBlock IP' and 'Block IP' operations as follows:
    • Replaced the incorrect API with the correct one.
    • Added a mandatory parameter named 'Sensor ID'.
    • Removed invalid values 'TWELVE_HOURS' and 'SIXTEEN_HOURS' for the "Duration" parameter in the 'Block IP' operation.
  • Updated the field type of the 'Sensor ID' parameter from text to integer for the 'Get Sensor Details' operation.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-mcafee-network-security-manager

Prerequisites to configuring the connector

  • You must have the URL of the McAfee Network Security Manager server to which you will connect and perform automated operations, and the credentials (username-password pair) used to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the McAfee Network Security Manager server.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the McAfee Network Security Manager connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

| Parameter | Description |
| --- | --- |
| Server URL | URL of the McAfee Network Security Manager server to which you will connect and perform automated operations. |
| Username | Username to access the McAfee Network Security Manager server to which you will connect and perform automated operations. |
| Password | Password to access the McAfee Network Security Manager server to which you will connect and perform automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

| Function | Description | Annotation | Category |
| --- | --- | --- | --- |
| Create Domain | Creates a new domain in McAfee Network Security Manager based on the domain name, contact person, email address, and default IPS and Recon policies you have specified. | add_domain | Investigation |
| Update Domain | Updates details for an existing domain in McAfee Network Security Manager based on the domain name, contact person, and other input parameters you have specified. | update_domain | Investigation |
| Get Domain Details | Retrieves details for an existing domain from McAfee Network Security Manager based on the domain ID you have specified. | get_domain_details | Investigation |
| Delete Domain | Deletes an existing domain from McAfee Network Security Manager based on the domain ID you have specified. | delete_domain | Investigation |
| Get All Domains | Retrieves a list of all domains present in McAfee Network Security Manager. | get_domains | Investigation |
| Get Domain Sensors | Retrieves a list of all sensors in a specified domain from McAfee Network Security Manager based on the domain ID you have specified. | get_domain_sensors | Investigation |
| Get Sensor Details | Retrieves details for a specified sensor from McAfee Network Security Manager based on the sensor ID you have specified. | get_sensor_details | Investigation |
| Get Domain Firewall Policies | Retrieves firewall policies for a specified domain from McAfee Network Security Manager based on the domain ID you have specified. | list_policies | Investigation |
| Get Policy Details | Retrieves details of a specified firewall policy from McAfee Network Security Manager based on the policy ID you have specified. | get_policy_details | Investigation |
| Delete Policy | Deletes a specific firewall policy from McAfee Network Security Manager based on the policy ID you have specified. | delete_policy | Investigation |
| Block IP | Blocks a specific IP address on McAfee Network Security Manager based on the sensor ID, IP address, and other input parameters you have specified. | block_ip | Investigation |
| UnBlock IP | Unblocks a specific IP address on McAfee Network Security Manager based on the sensor ID and IP address you have specified. | unblock_ip | Investigation |
| Update Block IP Duration | Updates the block duration for a specific IP address in McAfee Network Security Manager based on the sensor ID, IP address, duration, and other input parameters you have specified. | update_block_ip_duration | Investigation |
| Get Blocked IP List | Retrieves a list of the blocked IP addresses on a specific sensor in McAfee Network Security Manager based on the sensor ID you have specified. | get_blocked_ip_list | Investigation |
| Get Blocked IP Details | Retrieves details of the blocked IP addresses on a specific sensor in McAfee Network Security Manager based on the sensor ID you have specified. | get_blocked_ip_details | Investigation |

operation: Create Domain

Input parameters

| Parameter | Description |
| --- | --- |
| Domain Name | Name of the domain that you want to create in McAfee Network Security Manager. |
| Contact Person | Name of the contact person associated with the domain that you want to create in McAfee Network Security Manager. |
| Email Address | Email address associated with the domain that you want to create in McAfee Network Security Manager. |
| Default IPS Policy | Default IPS policy to be applied to the domain that you want to create in McAfee Network Security Manager. |
| Default Recon Policy | Default Recon policy to be applied to the domain that you want to create in McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"createdResourceId": ""
}

operation: Update Domain

Input parameters

| Parameter | Description |
| --- | --- |
| Domain ID | Unique identifier of the domain that you want to update in McAfee Network Security Manager. |
| Domain Name | Name of the domain that you want to update in McAfee Network Security Manager. |
| Contact Person | Name of the contact person associated with the domain that you want to update in McAfee Network Security Manager. |
| Email Address | Email address associated with the domain that you want to update in McAfee Network Security Manager. |
| Default IPS Policy | Default IPS policy to be applied to the domain that you want to update in McAfee Network Security Manager. |
| Default Recon Policy | Default Recon policy to be applied to the domain that you want to update in McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Get Domain Details

Input parameters

| Parameter | Description |
| --- | --- |
| Domain ID | ID of the domain whose details you want to retrieve from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"parentDomainId": "",
"domainName": "",
"contactPerson": "",
"emailAddress": "",
"title": "",
"contactPhoneNumber": "",
"companyPhoneNumber": "",
"organization": "",
"address": {
"address1": "",
"address2": ""
},
"city": "",
"state": "",
"country": "",
"allowChildAdminDomain": "",
"allowDevices": "",
"defaultIPSPolicy": "",
"defaultReconPolicy": ""
}

operation: Delete Domain

Input parameters

| Parameter | Description |
| --- | --- |
| Domain ID | ID of the domain that you want to delete from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Get All Domains

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"DomainDescriptor": {
"childdomains": [
{
"childdomains": "",
"id": "",
"name": ""
}
],
"id": "",
"name": ""
}
}

operation: Get Domain Sensors

Input parameters

| Parameter | Description |
| --- | --- |
| Domain ID | ID of the domain whose sensor information you want to retrieve from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"SensorDescriptor": [
{
"DomainID": "",
"name": "",
"model": "",
"ReconPolicyID": "",
"IPSPolicyID": "",
"SigsetVersion": "",
"SoftwareVersion": "",
"LastSignatureUpdateTs": "",
"sensorId": "",
"LastModTs": "",
"Description": "",
"sensorIPAddress": "",
"nsmVersion": "",
"isFailOver": "",
"MemberSensors": [
{
"sensorId": "",
"name": "",
"sensorIPAddress": "",
"SigsetVersion": ""
}
]
}
]
}

operation: Get Sensor Details

Input parameters

| Parameter | Description |
| --- | --- |
| Sensor ID | ID of the sensor whose details you want to retrieve from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"SensorInfo": {
"SensorDescriptor": {
"DomainID": "",
"name": "",
"ReconPolicyID": "",
"IPSPolicyID": "",
"SoftwareVersion": "",
"SigsetVersion": "",
"LastSignatureUpdateTs": "",
"sensorId": "",
"model": "",
"LastModTs": "",
"Description": ""
},
"Interfaces": {
"InterfaceInfo": [
{
"DomainId": "",
"Description": "",
"IPSPolicyId": "",
"Interfacetype": {
"Dedicated": {}
},
"vidsId": "",
"LastModTs": "",
"name": ""
}
]
},
"Ports": {
"PortInfo": [
{
"portId": "",
"ResponseMode": {
"sendResponseFrom": ""
},
"operatingMode": {
"peerPort": "",
"connectedTo": "",
"mode": ""
},
"portSettings": {
"portName": "",
"portType": "",
"configuration": {
"duplex": "",
"speed": ""
},
"administrativeStatus": "",
"operationalStatus": ""
}
}
]
}
}
}

operation: Get Domain Firewall Policies

Input parameters

| Parameter | Description |
| --- | --- |
| Domain ID | ID of the domain whose firewall policies you want to retrieve from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"FirewallPoliciesForDomainResponseList": [
{
"policyId": "",
"policyName": "",
"domainId": "",
"visibleToChild": "",
"description": "",
"isEditable": "",
"policyType": "",
"policyVersion": "",
"lastModUser": ""
}
]
}

operation: Get Policy Details

Input parameters

| Parameter | Description |
| --- | --- |
| Policy ID | ID of the policy whose details you want to retrieve from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"FirewallPolicyId": "",
"Name": "",
"DomainId": "",
"VisibleToChild": "",
"Description": "",
"LastModifiedTime": "",
"IsEditable": "",
"PolicyType": "",
"PolicyVersion": "",
"LastModifiedUser": "",
"MemberDetails": {
"MemberRuleList": [
{
"Description": "",
"Enabled": "",
"Response": "",
"IsLogging": "",
"Direction": "",
"SourceAddressObjectList": [
{
"RuleObjectId": "",
"Name": "",
"RuleObjectType": ""
}
],
"DestinationAddressObjectList": [
{
"RuleObjectId": "",
"Name": "",
"RuleObjectType": ""
}
],
"SourceUserObjectList": [
{
"RuleObjectId": "",
"Name": "",
"RuleObjectType": ""
}
],
"ServiceObjectList": [],
"ApplicationObjectList": [
{
"RuleObjectId": "",
"Name": "",
"RuleObjectType": "",
"ApplicationType": ""
}
],
"TimeObjectList": [
{
"RuleObjectId": "",
"Name": "",
"RuleObjectType": ""
}
]
}
]
}
}

operation: Delete Policy

Input parameters

| Parameter | Description |
| --- | --- |
| Policy ID | ID of the policy that you want to delete from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Block IP

Input parameters

| Parameter | Description |
| --- | --- |
| Sensor ID | ID of the sensor whose associated IP address you want to block in McAfee Network Security Manager. |
| IP Address | IP address to be quarantined in McAfee Network Security Manager. |
| Duration Time | Select the duration for which you want to block the specified IP address in McAfee Network Security Manager. |
| Remediate | Select this option to enable or activate remediation for the specified IP address along with quarantining the IP address. By default, this option is disabled, i.e., remediation is not activated. |

Output

The output contains the following populated JSON schema:
{
"status": ""
}

operation: UnBlock IP

Input parameters

| Parameter | Description |
| --- | --- |
| Sensor ID | ID of the sensor whose associated IP address you want to unblock in McAfee Network Security Manager. |
| IP Address | IP address to be unblocked in McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Update Block IP Duration

Input parameters

| Parameter | Description |
| --- | --- |
| Sensor ID | ID of the sensor whose associated IP address's block duration you want to extend in McAfee Network Security Manager. |
| IP Address | Quarantined IP address whose block duration you want to update in McAfee Network Security Manager. |
| Duration Time | Duration for which the quarantine of the IP address needs to be extended. You can extend the quarantine by "FIVE_MINUTES" / "FIFTEEN_MINUTES" / "THIRTY_MINUTES" / "FORTYFIVE_MINUTES" / "SIXTY_MINUTES" / "UNTIL_EXPLICITLY_RELEASED". |
| Override | Select this option to enable overriding previous data if it is present for the specified IP address. By default, this option is disabled, i.e., previous data for the specified IP address is not overridden. |

Output

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Get Blocked IP List

Input parameters

| Parameter | Description |
| --- | --- |
| Sensor ID | ID of the sensor whose blocked IP address list you want to retrieve from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:


{
"QuarantineHostDescriptor": [
{
"IPAddress": "",
"Duration": ""
}
]
}
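
A pre-flight check for the 'Update Block IP Duration' operation, given here as an added Python example (it is not part of the connector or of this documentation): it validates the inputs against the duration values listed for that operation and confirms that the address appears in a 'Get Blocked IP List' response. The function names, the sample response values, and the treatment of Sensor ID as an integer are assumptions.

```python
import ipaddress

# Duration values this page lists for 'Update Block IP Duration'.
ALLOWED_DURATIONS = frozenset({
    "FIVE_MINUTES", "FIFTEEN_MINUTES", "THIRTY_MINUTES",
    "FORTYFIVE_MINUTES", "SIXTY_MINUTES", "UNTIL_EXPLICITLY_RELEASED",
})
# Values the 1.1.0 release notes say were removed as invalid for 'Block IP'.
REMOVED_DURATIONS = frozenset({"TWELVE_HOURS", "SIXTEEN_HOURS"})

# Constructed sample shaped like the 'Get Blocked IP List' output schema.
# Addresses are documentation ranges; the Duration strings are made up.
SAMPLE_BLOCKED_LIST = {
    "QuarantineHostDescriptor": [
        {"IPAddress": "192.0.2.10", "Duration": "constructed-value"},
        {"IPAddress": " 192.0.2.44 ", "Duration": "constructed-value"},
        {"IPAddress": "", "Duration": ""},           # empty row
        {"IPAddress": "not-an-ip", "Duration": ""},  # malformed row
    ]
}


def blocked_ips(response):
    """Return the set of parsed addresses found in a blocked-IP list response."""
    found = set()
    if not isinstance(response, dict):
        return found
    for entry in response.get("QuarantineHostDescriptor") or []:
        raw = str((entry or {}).get("IPAddress") or "").strip()
        try:
            found.add(ipaddress.ip_address(raw))
        except ValueError:
            continue  # skip empty or malformed rows instead of failing the run
    return found


def check_update_request(sensor_id, ip, duration, blocked_list_response):
    """Return a list of problems; an empty list means the request looks sane."""
    errors = []

    # Assumption: Sensor ID is passed as an integer (bool is rejected explicitly
    # because it is a subclass of int in Python).
    if isinstance(sensor_id, bool) or not isinstance(sensor_id, int):
        errors.append("sensor_id must be an integer")

    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        addr = None
        errors.append(f"{ip!r} is not a valid IP address")

    if duration in REMOVED_DURATIONS:
        errors.append(
            f"duration {duration!r} is one of the values removed from "
            "'Block IP' in connector 1.1.0"
        )
    elif duration not in ALLOWED_DURATIONS:
        errors.append(f"duration {duration!r} is not a listed value")

    # Extending a quarantine only makes sense for an address that is blocked now.
    if addr is not None and addr not in blocked_ips(blocked_list_response):
        errors.append(f"{addr} is not currently quarantined on this sensor")

    return errors


if __name__ == "__main__":
    for args in [
        (1001, "192.0.2.10", "THIRTY_MINUTES"),
        (1001, "192.0.2.10", "TWELVE_HOURS"),
        ("1001", "198.51.100.7", "ONE_DAY"),
    ]:
        print(args, "->", check_update_request(*args, SAMPLE_BLOCKED_LIST) or "ok")
```
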

operation: Get Blocked IP Details

Input parameters

| Parameter | Description |
| --- | --- |
| Sensor ID | ID of the sensor whose blocked IP address details you want to retrieve from McAfee Network Security Manager. |

Output

The output contains the following populated JSON schema:
{
"QuarantineHostDetail": [
{
"ipAddress": "",
"hostname": "",
"OS": "",
"user": "",
"quarantineDetails": {
"device": "",
"quarantineZone": ""
},
"addedToQuarantine": {
"by": "",
"time": ""
},
"remediate": "",
"pendingRelease": ""
}
]
}

Included playbooks

The Sample - McAfee Network Security Manager - 1.1.0 playbook collection comes bundled with the McAfee Network Security Manager connector. The playbooks in this collection contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the McAfee Network Security Manager connector.

  • Block IP
  • Create Domain
  • Delete Domain
  • Delete Policy
  • Get All Domains
  • Get Blocked IP Details
  • Get Blocked IP List
  • Get Domain Details
  • Get Domain Firewall Policies
  • Get Domain Sensors
  • Get Policy Details
  • Get Sensor Details
  • UnBlock IP
  • Update Block IP Duration
  • Update Domain

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
