Technical Articles ID: KB90063
Last Modified: 5/19/2020
Environment
McAfee Cloud Workload Security (CWS) 5.x
CWS components:
McAfee CWS for Amazon Web Services (AWS)
McAfee CWS for Microsoft Azure
McAfee CWS for vSphere
NOTE: Cloud Workload Security was formerly known as Cloud Workload Discovery (CWD).
Summary
This article is a consolidated list of common questions and answers related to Cloud Workload Security. It is intended for users who are new to the product, but can be of use to all users.
Recent updates to this article:
Date           | Update
---------------|------------------------------------------------
May 19, 2020   | Minor formatting changes; no content changes.
April 24, 2018 | New FAQ added, which covers GuardDuty.
April 17, 2018 | Implemented expand and collapse design.
Contents:
What is Cloud Workload Security?
CWS helps you to discover, import, manage, and protect the virtual infrastructure from the cloud to ePolicy Orchestrator (ePO).
What is McAfee Data Protection for Cloud?
Data Protection for Cloud allows you to encrypt the cloud volumes of AWS that ePO discovers, registers, and manages.
How many CWS products are available?
Three products are currently available:
Cloud Workload Security for AWS
Cloud Workload Security for Azure
Cloud Workload Security for vSphere
What is included in the CWS extension?
Data Center Assessment
Data Center Metering
Data Center Visualization
AWS Connector
Azure Connector
McAfee Data Center Connectors (MDCC)
Data Protection for Cloud
vSphere Connector
CWS_License
NOTE: CWS_License is only included in the CWS advanced bundle.
What cloud computing solutions are compatible with CWS?
Each Cloud Connector can discover and manage your VMs from different solutions:
Amazon Web Services - A collection of web services that make up the cloud computing solution offered by Amazon.
Microsoft Azure - A cloud computing platform and infrastructure for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers.
VMware vSphere - The VMware cloud computing virtualization operating system.
What is new in CWS 5.0?
These new features are important for an organization's security, protection, and performance:
Card-based user interface for improved usability.
Activate McAfee Adaptive Threat Protection.
Activate Network Intrusion Prevention.
Install license extension to enable advanced security features.
View traffic details for Microsoft Azure instances.
View traffic flow logs.
Perform DAT assessment.
System card filters.
Summary card.
Deploy NSP probe.
Change Assessment Policy at account level and workload level.
Set AWS and Azure permissions.
Shut down workload.
What is AMI?
AMI stands for Amazon Machine Image. It is a template available on the AWS marketplace that starts a virtual instance with a preconfigured installation of ePO and several McAfee products. For details, see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
Which products are included in the PCSCWS AMI?
At every release, the PCS AMI release notes are updated to retain a comprehensive list of the products included.
Why is the 'dc_vm_auto' tag applied on the VMs discovered by a connector?
This tag is used by the MDCC extension to identify VMs discovered from CWS. This tag is essential for Dashboards to work.
Which McAfee product suites include CWS?
CWS is included as part of several McAfee product suites:
McAfee Server Security Suite Essentials
McAfee Server Security Suite Advanced
McAfee Public Cloud Server Security
McAfee Security Suite for VDI
CWS Basic - Provides the new card-based User Interface with basic security, based on Endpoint Security (ENS) and Agentless Firewall.
CWS Essentials - Includes Endpoint Security Threat Protection (ENSTP), Threat Intelligence Exchange (TIE), Dynamic Application Containment (DAC), and Real Protect, with basic security for behavioral malware detection, network visualization, and network anomaly detection.
CWS Advanced - Includes Application Control, File Integrity Monitoring, and Change Control, for zero-day malware protection. These items are based on hardening and compliance, in addition to features included in essentials.
What are the differences between the three available CWS packages?
Cloud Workload Security is packaged in public, hybrid, and private variants to support different cloud vendor accounts.
The Cloud Workload Security packages contain different extensions to support a specific cloud type; see the table below for details.
Packages

Cloud Workload Security for Private Cloud | Cloud Workload Security for Public Cloud | Cloud Workload Security for Hybrid Cloud
------------------------------------------|-----------------------------------------|-----------------------------------------
DC_Assessment                             | DC_Assessment                           | DC_Assessment
DC_Visualization                          | DC_Visualization                        | DC_Visualization
MDCC                                      | MDCC                                    | MDCC
DC_Metering                               | DC_Metering                             | DC_Metering
DC_VCenter                                | -                                       | DC_VCenter
-                                         | DC_Azure-RM                             | DC_Azure-RM
-                                         | DPC                                     | DPC
-                                         | DC_AWS                                  | DC_AWS
What is the Assurance Information Module (AIM)?
This module was a telemetry extension used for Cloud Workload Discovery and Data Center Connector. It is not used in CWS. For information about environments where it was used, see KB87516.
Can I upgrade from a previous extension version?
Yes. The product supports upgrades from CWD version to 4.5.1, and then an upgrade to CWS 5.0.0.
IMPORTANT:
You can't upgrade Cloud Workload Discovery 4.0.0 to CWS 5.0.0 directly.
The development team recommends upgrading your existing ePolicy Orchestrator (ePO), to versions ePO 5.3.3, or ePO 5.9 (EPO590HF1208662).
What happens to my old policy settings and assignments when I upgrade from Cloud Workload Discovery 4.5.1 to Cloud Workload Security 5.0?
The previous policy settings and assignments are removed. The administrator must redefine the settings, and assign them to respective workloads in the ePO System Tree.
How can I get started with CWS?
Check in the CWS extension to ePO, then start the CWS user interface and follow the wizard to register the cloud account to establish the connection.
Can I install McAfee Agent using the ePO Agent Deployment URL feature?
Yes. For details, see KB85233.
Can I use Puppet and Chef scripts to install and configure security solutions offered by McAfee via CWS?
Yes. For details, see the CWS Product Guide. To access product documentation, see the Related Information section below.
Are Azure Classic assets supported by CWS?
No. Azure Classic assets are not supported. For all new Azure infrastructure assets created through the Azure Resource Manager, the tag is named Azure connector.
Is it possible to remove the vSphere cloud connector extension from ePO if devices have already been discovered via the connector?
Yes. But before removing the vSphere connector extension, remove the vSphere accounts from the Registered cloud accounts page. When you remove the cloud account, you can delete or keep the System Tree groups and systems.
Is Google Platform supported with CWS?
No. CWS currently does not support Google Platform. To have support for this platform, submit a new product idea so McAfee can explore its feasibility. To submit a new product idea, see the Related Information section in this article below.
Does Cloud Workload Security support McAfee products installed on the instances?
Yes. For details, see KB90062.
Can ePO manage systems in the cloud?
Yes. An administrator can deploy the McAfee Agent and then other McAfee products to the virtual machines.
The administrator can also view and query their virtualization properties, protection status, and security compliance in the ePO Console with dashboards and queries.
What are the supported ePO versions for CWS?
McAfee advises you to review the CWS Product Guide. In addition, see the up-to-date information maintained in the CWS supported environment article. For details, see KB90062.
To access product documentation, see the Related Information section below.
Is AWS China supported?
No. CWS doesn't currently support AWS China.
Does CWS support GuardDuty?
Yes. From CWS 5.0.1, GuardDuty alerts can be viewed and corrective actions taken from CWS.
How many cloud accounts can I register under one ePO server?
There is no limit to the number of cloud accounts that can be registered under one ePO server.
How do I configure ePO to automatically secure discovered instances?
McAfee Agent deployment can happen automatically if the option is selected during registration of the cloud account. Securing the discovered instances can be done via the CWS UI.
What network configurations does the AWS connector support?
For details, see the Best Practices section in the CWS Product Guide. To access product documentation, see the Related Information section below.
Can I use AWS Connector with a proxy server?
Yes. The proxy setup must allow DNS resolution for the CWS.
What is Subscription ID, Tenant ID, Client ID, and Secret Key for an Azure account?
See the section 'Configuring Microsoft Azure Cloud Account', in the CWS Product Guide. To access product documentation, see the Related Information section below.
How do I get the subscription ID, tenant ID, and client ID, for Microsoft Azure cloud?
To register a Microsoft Azure account in ePolicy Orchestrator via CWS, obtain your client ID, tenant ID, and subscription ID.
Or
To automate this process, run a PowerShell script. For details, see KB87316.
Can I set different levels of user permissions for AWS and Microsoft Azure cloud accounts?
Yes. It is possible to set three levels of user permissions for your AWS and Microsoft Azure cloud accounts. The following three levels can be applied based on the selected privilege:
Does CWS require the Common User Interface Core extension update?
Yes. It is located in ePO in the extensions section under Shared components. If not present, use the ePO Software Manager and search for Common to locate the Common UI 1.7.x extension. Select it, and install it.
What is Data Center Metering?
Data Center Metering is an extension to help track the CPU hours used by instances in the AWS and Azure cloud.
What does the CWS Assessment Rules-General policy do?
It specifies the policy settings for workload assessment status for the following categories:
Strong security groups
Volume encryption
Threat Prevention
Application Control
Change Control
Network intrusion prevention
What is Data Center Assessment?
Data Center Assessment is an extension that allows administrators to assess security alerts. These alerts are based on categories, and use tags, to prioritize alerts from the ePO console.
Why is Data Center Assessment extension needed for CWS?
The Data Center Assessment extension provides the following:
Firewall
Antimalware status for workload
Security groups
Security group rules.
How does CWS pull AWS tagging?
CWS always picks the value of the tag with KeyName as 'Name', which is the standard naming convention on AWS.
Does Cloud Workload Security for AWS support Assume Role?
No.
If the AWS instance contains multiple AWS tags, how does CWS determine the tag?
CWS only picks the value of the tag 'Name'; all other tags, except 'Name' are ignored.
Is AWS Desktop-as-a-service (workspaces) identified and reported in ePO by CWS?
CWS currently identifies only AWS EC2. AWS workspaces is a separate environment.
How do I configure ePO-based AWS tagging?
The AWS tagging can be configured in the CWS user Interface, which includes a Tags field.
If the AWS instances do not have a tag 'Name' specified, how does CWS tag them?
If the tag 'Name' is not available, CWS picks up another tag for the VM randomly.
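The tag rules above mean an instance without a 'Name' tag is labelled from an arbitrary tag. The following added example (not McAfee code) audits an inventory for that condition before it is synchronized. It assumes input in the shape of `aws ec2 describe-instances` JSON output; the sample data and the function name `audit_name_tags` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` JSON output.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Name", "Value": "web-01"},
                                      {"Key": "env", "Value": "prod"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "env", "Value": "prod"},
                                      {"Key": "owner", "Value": "ops"}]},
    {"InstanceId": "i-0ccc"}
  ]},
  {"Instances": [
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "name", "Value": "db-01"}]},
    {"InstanceId": "i-0eee", "Tags": [{"Key": "Name", "Value": "web-01"}]}
  ]}
]}
""")


def audit_name_tags(describe_output):
    """Classify instances by whether the 'Name' tag rule above can apply.

    named    -> has a tag whose key is exactly 'Name'; its value is used.
    fallback -> has tags but no 'Name'; per the FAQ, another tag is picked
                randomly, so every existing key is a candidate.
    untagged -> no tags at all (a case the FAQ does not describe).
    """
    report = {"named": {}, "fallback": {}, "untagged": []}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            # The 'Tags' key is absent when an instance carries no tags.
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if "Name" in tags:
                report["named"][iid] = tags["Name"]
            elif tags:
                report["fallback"][iid] = {
                    "candidate_keys": sorted(tags),
                    # AWS tag keys are case-sensitive, so 'name' is a
                    # different key from 'Name' and is worth flagging.
                    "case_variant": [k for k in tags if k.lower() == "name"],
                }
            else:
                report["untagged"].append(iid)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_name_tags(SAMPLE), indent=2))
```

Instances reported under `fallback` or `untagged` are the ones to fix with an explicit 'Name' tag so that their label is predictable.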
What is Data Center Visualization?
Data Center Visualization allows an administrator to view, create, and change discovered assets. This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure assets and their hierarchy.
Can systems in the cloud be managed in ePO?
Yes. An administrator can deploy the McAfee Agent and then other McAfee products to the virtual machines. The administrator can also view and query their virtualization properties, protection status, and security compliance via several dashboards and queries.
Can I sync cloned or duplicated virtual machines?
Yes. You must make sure that the system name is unique for each clone. For details, see KB82030.
When AWS instances are switched off, are they reported as 'powered off' in ePO?
Yes. If the computers are managed, they are not deleted, even when shut down. For unmanaged systems, they are no longer seen in the ePO System Tree when they are shut down.
How does CWS handle a situation where the instances already have MA installed?
If the discovered VMs are already managed through MA, they retain the existing policy and their group in ePO. Otherwise, on discovery, the instances are discovered and displayed as Unmanaged in the ePO System Tree.
How does the CWS handle instances that already have McAfee managed products installed?
The instance displays as Managed after discovery, and ePO manages the installed products.
How long until CWS discovers a new instance?
CWS discovers a new instance after the synchronization occurs. By default, the synchronization occurs every five minutes, but you can change this interval as needed.
What happens when an instance is terminated in EC2?
After the instance is terminated and a synchronization occurs, the instance is no longer displayed in the CWS user interface. But, any events from this instance are still present.
What ports are included when I select port as Any when configuring inbound firewall rule?
Ports (0–65535) are included.
Can I view traffic details for Microsoft Azure instances?
Yes. View traffic details for your Microsoft Azure instances in the CWS console.
What is the MDCC extension?
MDCC is the base management extension for all CWS
CWS relies on the MDCC extension for the following management tasks:
Creating hierarchy in the ePO System Tree and CWS UI.
Saving VMs and group data in the ePO database.
Maintaining account data, such as identity endpoint, user name, password, and tag.
Reporting and dashboards.
What is the new CWS_License extension?
The CWS_License extension enables the traffic discovery, assessment, visualization, and Network Security Manager account registration, in CWS.
Why can't I enable the traffic discovery, assessment, visualization, and Network Security Manager account registration in CWS?
You must install the license extension to enable those features.
The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.