Troubleshooting Guide
Page 2
... Cisco, Inc and Information Network Center of Beijing University of their respective owners. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. For any Free Software licenses require that McAfee provide rights to use, ...the GNU General Public License (GPL) or other registered and unregistered trademarks herein are registered trademarks or trademarks of California, (C) 1990, 1993, with security is distinctive of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001....
Page 3
Contents Preface ...v Introducing McAfee Network Security Platform v About this Guide...v Audience ...v Conventions used in this book ...vi Related Documentation...vii Contacting Technical Support ...viii Information requested for Troubleshooting viii Chapter 1 Before You Install 1 Pre-installation recommendations 1 Planning for installation ...1 Functional requirements...2 Using anti-virus software with the Manager 4 User interface responsiveness 5 Chapter 2 Hardening the Manager Server for Windows...
Page 4
...22 Pinging a Sensor...22 Ensuring that the Sensor is receiving traffic 22 Checking Sensor failover status 23 Cabling failover through a network device 23 Checking whether a signature or software update was successful 24 Checking status of a download or upload 24 Conditions requiring ... ...80 Chapter 9 Automatically restarting a failed Manager with Manager Watchdog ...81 Introduction...81 How the Manager Watchdog Works 81 Installing Manager Watchdog...82 Starting Manager Watchdog...82 Using Manager Watchdog with Manager in an MDR configuration 82 Tracking Manager Watchdog activities ...
Page 5
... the following topics: Pre-installation recommendations Hardening McAfee Network Security Manager (Manager) Server Troubleshooting techniques How to perform particular tasks. step manner; About this guide and how to the product, discusses the information in a step-by analyzing NetFlow information flowing through a single Manager. right from installing Network Security Platform to be taken care of...
Page 7
... for more information on -line help are companions to this guide. McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on these guides. Quick Tour Installation Guide Upgrade Guide Getting Started Guide IPS.../M-6050/M-4050/M-3050 Slide Rail Assembly Procedure M-2750 Slide Rail Assembly Procedure M-series DC Power Supply Installation Procedure Administrative Domain Configuration Guide Manager Server Configuration Guide CLI Guide Device Configuration ...
Page 10
... subnet. Pre-installation recommendations These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations are required for the Fast Ethernet ports. If applicable, identify the ports to the production network. Get the required license file and grant number. Accumulate the required number of the most seasoned McAfee Network Security Platform System Engineers at McAfee. Ensure that...
Page 11
... If you are not initiated by Sensors. Ensure the correct version of JRE is installed on the client PCs. Install a desktop firewall McAfee strongly recommends that you follow the instructions in which includes a personal firewall on the Manager, the following... Recovery (MDR) is configured, ensure that the time difference between the Primary and Secondary Managers is , the localhost. McAfee® Network Security Platform 6.0 Before You Install Identify hosts that you configure a packet-filtering firewall to block connections to ports 8551, 3306, 8007, 8009...
Page 12
... UDP Syslog forwarding (ACL Manager-->Syslog server logging) 636 TCP LDAP Integration (with Manager-->LDAP server SSL) 3 McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP TCP TCP Description...Forwarding Manager-->SNMP server 389 TCP LDAP Integration Manager-->LDAP server (without SSL) 443 TCP Secure communication Manager 1-->Manager 2 for MDR 443 TCP Secure communication Manager 2-->Manager 1 for the Install port, Alert port, and Log port, ensure that those ports are also open on ...
Page 13
...SMTP connections from legitimate mail clients, such as McAfee VirusScan on the Manager after the installation of the Manager software, the MySQL scanning exceptions will be created automatically, but the Network Security Platform exceptions will already be sure the MySQL directory and...client. If you do not explicitly create the exclusion within VirusScan, you plan to send SMTP notifications. McAfee® Network Security Platform 6.0 Before You Install Port # 1812 Protocol UDP Description RADIUS Integration Direction of communication Manager-->RADIUS server Close all ...
Page 14
... but essential steps, to save the changes. The greater the quantity of Processes to Exclude. 6 Click OK to ensure that Network Security Platform responsiveness is imperative that is unique and is a minimum of an hour after 30 days. This will reduce the total quantity ...will be slow if you tune the MySQL database after each that you connect to the Manager using an O/S defrag utility. McAfee® Network Security Platform 6.0 Before You Install 1 Launch the VirusScan Console. 2 Right-click the task called Access Protection and choose Properties from the right-click menu. ...
Page 15
... firewall on page 2). All remaining unnecessary ports should be closed. Harden the MySQL installation Ensure the cmd window used within the McAfee Network Security Platform. McAfee's recommendations, at the end of these required for Manager--McAfee® Network Security Sensor (Sensor) and Manager client-server communication. The ports used by Network Security Platform are used for hardening your McAfee® Network Security Manager (Manager) server.
Page 16
McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2003 Remove test database Remove the 'test" database from db; 3. Start My SQL. mysql> create table db_backup as follows. 7 Manager server. 5. Remove the test db, Keep only the MYSQL and Network Security Platform (for user. matches that of MySQL. mysql> drop database test; 6. ... created and row count db_backup; mysql> use mysql; 2. Remove remote anonymous users To remove remote anonymous users, you are using the default Network Security Platform installation of the mysql.db table. 4.
Page 18
...addition to denying traffic over port 9001 and 9002 (as described in Install a desktop firewall. (on page 2) Make sure the PC is in an isolated, physically secure environment Disallow access to the directory clumsily and all its...to user; mysql> flush privileges; mysql> rename table db_backup to db_1; McAfee® Network Security Platform 6.0 Hardening the Manager Server for the Manager server and perform a fresh install of the Manager software, including the installation of the iv.policymgmt.RuleEngine.BSH_Diagnostics_Port record in the "/Apache/conf" directory...
Page 19
... Manager perform the following : Minimize the number of Windows roles and features that are installed. Uninstall applications that the server is located in the network influences specific remote access and firewall configuration requirements. Note: Exclude "Network Security Manager" and "MySQL" directories from environment to remove all partitions. The Manager's physical and logical...
Page 21
McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008 Port 80 443 3306 8500 8501 8502 8503 8504 8555 Description HTTP port Communication Client to Manager HTTPS Client to Manager MySQL database Open only while using external SQL database Command channel(UDP) Manager to Sensor Install port(TCP) Sensor to Manager Alert channel...
Page 25
... , use the set mgmtport command. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Firewall between the devices If there is fixed to 1000 and also set to auto-negotiate). 16 For example, if the device connecting to the Sensor is established, or use the same settings as described below in the section Install a desktop firewall. (on page...
Page 39
...connection from the Sensor to the Manager has been re-established, the queued alerts are forwarded up before you install the Manager software and never change could ultimately cause serious database errors. The following table lists the number of ...information, see the KnowledgeBase article KB55587 (Go to an analyst. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Check to ensure the Management port on the Sensor is configured with the Manager. Network Security Platform classifies events and prioritizes to ensure the buffer is filled with ...
Page 45
Although you use against your network: Relevance analysis involves the analysis of the vulnerability relevance of events through policy customization or installing attack filters. Another example of noise would -be interested in the form of Web server you can ...the traffic originated. If this type of real-time alerts, using a traffic dump relay, make sure that some network bandwidth. Users can also be if someone attempted an IIS-based attack against your Apache Web server. McAfee® Network Security Platform 6.0 Determining False Positives Correct identification;
Page 71
... records are already Installed Warning Manager shutdown Warning was reached, and configured number of records the Manager will begin written. Warning McAfee NAC channels are now being is required. Sensor command line interface. peer Manager. McAfee® Network Security Platform 6.0 System Fault ...Please see log messages if download has failed, and check for offline Sensor to you updated the updated the McAfee NAC installation parameters. So communicate over IPv6 to been initiated form the complete the download. overwriting the oldest records with...
Page 77
... in progress Policy is applied on resources Informational Description/Cause Manager is archiving the alerts, and this is in control of Sensors. 68 software version installed. McAfee® Network Security Platform 6.0 System Fault Messages Fault Alert archival in progress Severity Informational Deleted Central Manager Policy is applied on resources. Manager version Informational mismatch. The Secondary...