Troubleshooting Guide
Page 2
... color red in connection with code derived from software contributed to the user under the GPL, which , among other countries. Issued APRIL 2011 / Troubleshooting Guide 700-2380-00/ 6.0 - and/or its contributors. * Software developed by David Abrahams, (C) 2001, 2002. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND. No part of this software can...
Page 3
...McAfee Network Security Platform v About this Guide...v Audience ...v Conventions used in this book ...vi Related Documentation...vii Contacting Technical Support ...viii Information requested for Troubleshooting viii Chapter 1 Before You Install 1 Pre-installation recommendations 1 Planning for installation ...1 Functional requirements...2 Using anti-virus software with the Manager 4 User interface responsiveness 5 Chapter 2 Hardening the Manager Server for Windows 2003 6 Introduction...6 Install a desktop firewall ...6 Harden the MySQL installation...6 Remove test database ...7 Remove...
Page 5
...; Network Security Sensor [formerly McAfee® IntruShield® Sensor] software in a step-by- It is assumed that you are installed and managed through a single Manager. known, zero-day, and encrypted attacks. This guide provides detailed sections on the key issues to use by analyzing NetFlow information flowing through the network in real time, thus complementing the NAC and IPS capabilities in a scenario in this document...
Page 8
... use to troubleshoot your deployment. General information your system when opening a ticket with the best possible support. Note: McAfee requires that you have any physical changes made to the environment recently viii McAfee® Network Security Platform 6.0 Preface Special Topics Guide-Sensor High Availability Special Topics Guide-Virtualization Special Topics Guide-Denial-of-Service NTBA Appliance Administrator's Guide NTBA Monitoring Guide...
Page 10
... connected to the Manager server. See Server requirements. Ensure the proper static IP address has been assigned to a firewall, router, or end node. Pre-installation recommendations These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations are required for the Fast Ethernet ports. If applicable, identify the ports to be required for programs like instant messaging or other nonsecure Internet functions. Make sure your hardware...
Page 11
... the McAfee® Network Security Update Server because SSL is time sensitive.) If Manager Disaster Recovery (MDR) is configured, ensure that should automatically block any packets sent. If a firewall will lose connectivity with the Sensors will be lost.) If you are those from a previous version, we recommend that you need assistance in which includes a personal firewall on the Manager, the following ports must be allowed are upgrading...
Page 12
... log channel) Sensor-->Manager Proprietary (file transfer channel) Sensor-->Manager SSL/TCP/IP client-->Manager (Threat Analyzer) HTTPS client-->Manager Web-based user client-->Manager interface (Webstart/JNLP, Console Applets) SSH Remote console access Note: If you choose to the MySQL database. If you have Email Notification or SNMP Forwarding configured on the Manager, and there is firewall residing between the Manager and your SMTP or SNMP server, ensure the following ports are available as well. McAfee® Network Security Platform...
Page 13
... a worm over TCP port 25. all open programs, including email, the Administrative Tools > Services window, and instant messaging before installation to its sub-directories are excluded from legitimate mail clients, such as McAfee VirusScan on the Manager, be created automatically, but the Network Security Platform exceptions will already be in the Manager Operational Status to each time the Manager attempts to connect to avoid port conflicts. If...
Page 15
... specific remote access and firewall configuration requirements. The Manager server's positioning in Install a desktop firewall (on the server and open the proper ports Harden the MySQL installation Harden the Manager host Install a desktop firewall It is necessary to enable you to rollback the changes in combination with the McAfee® Network Security Platform Release Notes and the rest of Manager. This information should be used for making changes to validate hardening changes you operate a desktop firewall...
Page 17
...' ALL user access is disabled including Manager users from user where user=""; For example: mysql uadmin -pXXX lf 8 Use second cmd window to validate. Validate that the backup table was mysql> select count(*) from user where host!='localhost' and user='root'; mysql> use mysql; Use another cmd window to user_backup before changing it. List all users and hosts. Remove anonymous/blank accounts. McAfee® Network Security Platform 6.0 Hardening the Manager Server for removing remote access. Remove individual users' remote access Remove ALL remote access...
Page 20
... screensaver. Note: Enable these services only if it is recommended that was earlier used to set local security policy Display legal notice at during shutdown Disable autorun Disable LMHOSTS lookup while setting the advanced TCP/IP settings. Setting a Desktop Firewall It is absolutely required. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Manager-Sensor communication. Setting User Policies Ensure to login. Disable Posix Clear virtual memory page file during interactive...
Page 21
... firewall between Manager and SNMP Server, ensure that the following ports are allowed through firewall. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008

Port    Description                   Communication
80      HTTP port                     Client to Manager
443     HTTPS                         Client to Manager
3306    MySQL database                Open only while using external SQL database
8500    Command channel (UDP)         Manager to Sensor
8501    Install port (TCP)            Sensor to Manager
8502    Alert channel (TCP)           Sensor to Manager
8503    Packet log channel (TCP)      Sensor to Manager
8504    File transfer channel...
8555
Page 23
... troubleshooting When an in -line mode. 14 Check to see whether your Sensor is attached to the Sensor, disabling the Sensor ports forces traffic to the detection engine. Connect a fail-open functionality. For FE monitoring ports, there is to set a threshold on either side of the Sensor and requires the renegotiation of internal errors. (It does not need for McAfee® Network Security Platform. disabling the ports will need to reboot...
Page 24
... the KnowledgeBase)] Difficulties connecting Sensor and Manager If you experience problems getting the McAfee® Network Security Manager (Manager) and Sensor to ensure everything is identical to that accompany each product release. 15 Network connectivity Ensure that the Sensor and Manager server have power and are appropriately connected to the network. Verify the link LEDs on the network. Inconsistency in Sensor and Manager configuration Check to ensure that the...
Page 25
...; Check that the network device is on-line. Check the cable connecting the Sensor to the network device. Ensure that the other device's port configuration's speed is fixed to 1000 and also set mgmtport command as those of the two devices must configure the Management port to use the same settings as described below in the section Install a desktop firewall. (on the other device to auto-negotiate by opening the appropriate ports. Note: Check the link LEDs...
Page 28
.... Contact Cisco's TAC for Catalyst 4000, 6000 Series Router(config)# interface fastethernet slot/port Router(config-if)# speed 100 Router(config-if)# duplex full When troubleshooting Network Security Platform performance issues with Cisco 3750-12S switch Use the following ports when connecting a Cisco 3750-12s switch to 100 Mbps, half-duplex. Connections using ports 1, 2, 5, 6, 9, or 10 may be running into this issue, manually configure the switchport to your Sensor: 3, 4, 7, 8, 11, or...
Page 32
... a network device, such as a switch or router, between the heartbeat ports, the heartbeat connection will fail. 23 To keep overhead low and throughput high, the Sensors do not include layer 2 or 3 headers on the number of packets dropped by McAfee Network Security Platform. If you determine if your flow rates can view rate limiting statistics for each Sensor's CLI and type show failover-status. Checking your...
Page 33
... a signature update or software upgrade, you can issue the reboot CLI command. It also lists the number of times you have two options for rebooting the Sensor. The downloadstatus command displays the status of failure), and the time the command was successful To see CLI Guide. Changing the Sensor's management port IP address (IPv4 or IPv6) requires a manual reboot of an upload or download, use the status command: 1 On the Sensor, type status at the command prompt before the change takes...
Page 34
... IPv6 traffic for IPv4 and IPv6 traffic, IPS Configuration Guide. Upgrading Sensor software requires a manual reboot of attacks in recovering the Sensor. For more information on Operational Status Viewer, see Configuring IP Settings for attacks option from the IP Settings tab (IPS Settings/Sensor_Name > Advanced Scanning > IP Settings). Rebooting a Sensor via the Manager The Reboot Sensor action restarts a Sensor. You perform this chapter. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Certain internal software errors may...
Page 52
... first appears 7 days prior to expire; This fault clears when communication is current. Ethernet ports or devices connected to which it is connected. The link between the Sensor and the device to which it ; It can indicate a problem with the setup or configuration of the 10/100 Action Check the speed and duplex settings on the Sensor and the troubleshoot connectivity device to those ports. Reboot the Manager server. 43