Troubleshooting Guide
Page 1
Troubleshooting Guide Revision 6.0 McAfee® Network Security Platform version 6.0 McAfee® Network Protection Industry-leading network security solutions
Page 3
Contents Preface ...v Introducing McAfee Network Security Platform v About this Guide...v Audience ...v Conventions used in this book ...vi Related Documentation...vii Contacting Technical Support ...viii Information ... User Policies ...11 Setting a Desktop Firewall 11 Configuring Audit Events...12 Chapter 4 Troubleshooting Network Security Platform 14 Facilitating troubleshooting...14 Starting your troubleshooting ...15 Difficulties connecting Sensor and Manager 15 Network connectivity ...15 Inconsistency in Sensor and Manager configuration 15 Software or signature set incompatibility 15...
Page 5
.... Introducing McAfee Network Security Platform McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for maintaining the Network Security Platform and analyzing and disseminating the resulting data. McAfee® Network Threat Behavior Analysis Appliance provides the capability of in the McAfee® Network Security Manager [formerly McAfee®...
Page 6
... the Properties tab specifies the name of keys on the keyboard Press ENTER. Text such as loss of numbered steps. Names of the requested service. McAfee® Network Security Platform 6.0 Preface Conventions used in this book This document uses the following typographical conventions: Convention Example Terms that you must read before beginning a procedure or...
Page 7
McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on-line help are companions to Quick Tour for more information on these guides. Quick Tour ...
Page 8
... phone contact numbers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. Note: McAfee requires that you have available for troubleshooting. Registered customers can be provided with Technical Support. McAfee® Network Security Platform 6.0 Preface Special Topics Guide-Sensor High Availability Special Topics Guide-Virtualization Special...
Page 9
... in Providing a Sensor diagnostics trace. Sensor operating mode (i.e., In-line, SPAN or TAP). McAfee® Network Security Platform 6.0 Preface Did you make any changes in your network topology ix this information is extremely helpful for troubleshooting asymmetric traffic issues) a Sensor trace file,.../setup/configuration that may ask you to us for analysis As of traffic through the Sensor in some cases, a network diagram (particularly for troubleshooting link issues the volume of this writing, the tool is available at which you see the...
Page 10
... If applicable, configure name resolution for the Manager. Ensure that the required number of Network Security Platform dongles, which McAfee® Network Security Manager software will be installed, should not be connected to be dedicated, hardened for the Sensor. Ensure...for 10/100 or 10/100/1000 monitoring ports if they are approved hardware from McAfee or a supported vendor. Pre-installation recommendations These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations are a compilation of sub-interfaces or ...
Page 11
...in which includes a personal firewall on the Manager server, the Manager will lose connectivity with all Sensors and the McAfee® Network Security Update Server because SSL is time sensitive.) If Manager Disaster Recovery (MDR) is configured, ensure that ...(source port on the Manager) and 8500 (destination port on the client PCs. McAfee® Network Security Platform 6.0 Before You Install Identify hosts that is, the localhost. Install a desktop firewall McAfee strongly recommends that you configure a packet-filtering firewall to block connections to these ...
Page 12
McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP TCP TCP Description Direction of communication ...+ Integration Sensor-->TACACS+ server 162 UDP SNMP Forwarding Manager-->SNMP server 389 TCP LDAP Integration Manager-->LDAP server (without SSL) 443 TCP Secure communication Manager 1-->Manager 2 for MDR 443 TCP Secure communication Manager 2-->Manager 1 for the Install port, Alert port, and Log port, ensure that those ports are also open on the...
Page 13
...subdirectories will be in an exclusion list. The Manager takes advantage of the JavaMail API to avoid port conflicts. McAfee® Network Security Platform 6.0 Before You Install Port # 1812 Protocol UDP Description RADIUS Integration Direction of communication Manager-->RADIUS server ...to block all outbound connections over SMTP using a homemade mail client. Otherwise, Network Security Platform packet captures may prevent the application from legitimate mail clients, such as McAfee VirusScan on the Manager after the installation of the Manager software, the MySQL ...
Page 14
...itself. Perform monthly or semi-monthly database purging and tuning. Warning: Do NOT attempt to remove them. The default Network Security Platform settings err on startup. When scheduling certain Manager actions (backups, file maintenance, archivals, database tuning), set a time...safely remove alerts after /before other scheduled actions. The more often you tune the MySQL database after each purge operation. McAfee® Network Security Platform 6.0 Before You Install 1 Launch the VirusScan Console. 2 Right-click the task called Access Protection and choose Properties ...
Page 15
...at a high level: Install a desktop firewall on page 2). The ports used in combination with the McAfee® Network Security Platform Release Notes and the rest of this section. Introduction Manager implementation varies between environments. The Manager server's positioning in... influence specific remote access and firewall configuration requirements. Harden the MySQL installation Ensure the cmd window used within the McAfee Network Security Platform. Use another cmd window, where necessary, to validate hardening changes you to database tables in the "mysql" database...
Page 16
... user. You should see only two databases (MYSQL and LF) if you are using the default Network Security Platform installation of the mysql.db table. 4. mysql> select host,db,user from was created and row count db_backup; mysql> show databases; Validate that of MySQL... anonymous users To remove remote anonymous users, you will now need to get into the mysql shell as select * from the mysql.exe CLI. McAfee® Network Security Platform 6.0 Hardening the Manager Server for a username and password to qualify username and password on the mysql> show databases;
Page 17
Validate that user_backup; of the following: Remove admin (Network Security Platform user) remote access mysql> delete from user where host!='localhost' and user='admin'; (The admin user cannot login remotely; mysql> select... remote access This section provides two options for Windows 2003 Start MySQL. Remove anonymous/blank accounts. mysql>flush privileges; McAfee® Network Security Platform 6.0 Hardening the Manager Server for removing remote access. Remove individual users' remote access Remove ALL remote access (Recommended) Remove ...
Page 18
...RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] 9 No other than authorized administrators. Use Microsoft Knowledge Base article # 324067 to db_1; McAfee® Network Security Platform 6.0 Hardening the Manager Server for the Manager server and perform a fresh install of the Manager software, including the installation of a ... syntax in the Apache Server's httpd.conf file (available in the field called "value" = -1 Other best practices for securing Manager Use a clean, dedicated machine for Windows 2003 Rolling back your changes If you need to roll back your...
Page 20
... Display legal notice at least 8 ASCII characters. Enable locking of screensaver. Setting a Desktop Firewall It is absolutely required. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Manager-Sensor communication. Setting User Policies Ensure to login. Disable Posix Clear virtual memory page file during shutdown ...
Page 21
Port Description Communication 8443 ePO Manager to ePO server communication port Configuring Audit Events Set the following ports are allowed through firewall. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008 Port 80 443 3306 8500 8501 8502 8503 8504 8555 Description HTTP port Communication Client to Manager HTTPS ...
Page 23
... controller, to put the Sensor into L2 bypass mode if the Sensor experiences a specified number of internal errors. (It does not need for McAfee® Network Security Platform. Caution 1: Note that the Sensor will send traffic through the Sensor without passing to the detection engine. Connect a fail-open functionality... within a specified timeframe. This enables you have a Layer2 Passthru feature. the problem could instead be examined elsewhere. CHAPTER 4 Troubleshooting Network Security Platform This section lists some troubleshooting tips for the external kit.
Page 24
... command prompt. Note: The Sensor name is case-sensitive. Check the network addresses for the shared secret key value. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Starting your Sensor? [For a list of approved hardware, see McAfee KnowledgeBase article KB56364 (Go to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase)] Difficulties connecting Sensor and Manager If...