Skip to main content
McAfee MVISION Cloud

About Firewall and Proxy Integrations

Integrating your firewall and proxies with MVISION Cloud Connector allows you to leverage MVISION Cloud Service Groups within egress/ingress policies. This means you can use existing functionality to inoculate against undiscovered high-risk services that anyone in your organization may be using.

Depending on the capabilities of your edge devices, you may configure settings so that changes made to your MVISION Cloud Service Groups are reflected on your edge devices using the Automatic update process. Otherwise, updates will need to be made manually.

Admins can enable an approval workflow where changes are queued for review before they are sent to your edge device. Then they can enable notifications that send an Email Summary to the configured email IDs, to keep them informed of changes made to edge devices.

These firewall/proxy integrations are managed in Settings > Integrations > Firewall/Proxy. Then click, Edit Integration. For details, see Integrating an Edge Device

Native support exists for the following devices:

  • Blue Coat
  • Fortigate
  • McAfee Web Gateway
  • Palo Alto Networks Panorama
  • Zscaler

pan_url_select_devices.png

NOTE: On the Firewall/Proxy Integration page, whenever a service is added or removed within a service group, the #URLs and Changes Since Last Sync columns may take a few minutes to update, or may only be updated when you refresh the page. However, the # Services column is updated in real time.

How are Service Group Changes Synced

When you configure your firewall or proxy devices, you'll select a way for Service Group changes to be synced to edge devices:

  • Automatic. Automatic updates are synced to edge devices automatically.
  • Manual. Manual updates require downloading a file, editing if necessary, then uploading it to an edge device.

IMPORTANT: Automatic updates require MVISION Cloud Connector v3.3 or later.

KNOWN ISSUE: Do not use white space when you create the service group name. You can use "_" or  "-" instead of a space. If there is white space in the service group name, and if the service group is used in Panorama integration, there can be problems accessing the published URL list. 

Available Integration Modes are defined as:

  • Published URL List. This is how Automatic updates are processed. On the Firewall/Proxy Integration page, click Published URL List to display the URL(s) you will use to synchronize the edge device server. (This URL query string includes your Cloud Connector's symbolic server name and your edge device ID. If you have multiple Cloud Connector installed and pointing to this tenant, they will all be listed here.)
  • Config File. For Manual updates, you'll have to manually download config files before uploading them to each device. This filename is displayed on the Firewall/Proxy Integration page. Click Download
  • API Integration. Panorama devices use an API Integration or Published URL. 

IMPORTANT: If you have Panorama 7.1 or later, use the Publish URL method instead of configuring Cloud Connector.

For details, see Integrating an Edge Device

Approvals

If your integrated edge devices support Automatic syncing, you can enable an approval workflow to be notified of automatic updates and other activity. This way, no automatic updates are synced to edge devices without the approval of a Policy Manager. Each change must be downloaded, then uploaded to the edge device for changes in Service Groups to be applied.

Administrators may approve updates when changes to URLs in a Service Group occur, such as:

  • If new services match a service group's inclusion criteria.
  • If existing services no longer match a service group's inclusion criteria.
  • When an admin manually adds or removes services.
  • If the URL for a service changes.

NOTE: If all your edge devices are set to use the Manual update process, the approval workflow is not applicable, and is disabled.

For details, see Integrating an Edge Device

Email Summary

Notifications for changes to Service Groups can send an Email Summary containing all URL changes by Service Group synced to each edge device. You can specify who the recipients should be of the notifications should be. The recipients must be MVISION Cloud users who have the Administrator role. Notifications can be set to trigger on a Daily/Weekly/or Monthly basis. (Selecting a frequency of None basically turns off the Email Summary.) These emails summarize all URL changes (by Service Group, for each device) that occurred during the past Day/Week/Month.

For details, see Integrating an Edge Device

MVISION Cloud Connector Integration

Before your edge device is integrated with the MVISION Cloud dashboard, MVISION Cloud Connector should be installed and configured. Then perform make sure to perform any further integration steps required for your edge device:

  • Was this article helpful?