Troubleshooting Guide
Page 5
... commands necessary to perform particular tasks. known, zero-day, and encrypted attacks. Introducing McAfee Network Security Platform McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for Network Security Platform. About this Guide This guide provides the basic troubleshooting techniques for mission-critical...
Troubleshooting Guide
Page 6
...angle brackets. Parameters that you must supply set Sensor ip are denoted using Courier New font. Warning: Notes that provide related, but non-critical, information are shown in Arial Narrow bold font. McAfee® Network Security Platform 6.0 Preface Conventions used in this book This document .... Menu or action group selections are presented as loss of the requested service. Caution: Information that you must Type: Sensor-IP-address and then press type based on your specific ENTER. On the Configuration tab, click Backup. are denoted using this notation...
Troubleshooting Guide
Page 7
McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on these guides. Quick Tour Installation Guide Upgrade Guide Getting Started Guide IPS Deployment Guide Manager Configuration Basics Guide I-1200... Domain Configuration Guide Manager Server Configuration Guide CLI Guide Device Configuration Guide IPS Configuration Guide NAC Configuration Guide Integration Guide System Status Monitoring Guide Reports Guide...
Troubleshooting Guide
Page 10
... server should not be used for installation Before installation, ensure that you cannot assign IPs using DHCP for IP assignment. If applicable, configure name resolution for the Manager. Ensure that the required number of Network Security Platform dongles, which McAfee® Network Security Manager software will be connected to be placed online. You must have...
Troubleshooting Guide
Page 12
McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP TCP TCP Description Direction of communication ...(install port) Sensor-->Manager Proprietary (alert channel/control channel) Sensor-->Manager Proprietary (packet log channel) Sensor-->Manager Proprietary (file transfer channel) Sensor-->Manager SSL/TCP/IP client-->Manager (Threat Analyzer) HTTPS client-->Manager Web-based user client-->Manager interface (Webstart/JNLP, Console Applets) SSH Remote console access Note: If you choose...
Troubleshooting Guide
Page 20
... least 8 ASCII characters. Enable locking of the password database by running SYSKEY.EXE Use Microsoft security compliance toolkit or set the following user policies: Rename the administrator account. Disable guest account ....auto connection manager Remote procedure call locator Remote registry Server TCP/IP NetBIOS helper service Telephony service. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Manager-Sensor communication. Setting a Desktop Firewall It is absolutely required. ...
Troubleshooting Guide
Page 31
... not described in IEEE 802.3u for 10/100 Mbps auto-negotiation (such as Sensor image version, type, name, Manager and Sensor IP addresses, and so on ). McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Situations that may lead to clear the fault. Sensor should exist. Problems may arise when vendor switches/routers do one of...
Troubleshooting Guide
Page 32
...communicating via their interconnection cable, go to each Sensor (per port), listed in the Monitor choices box. 7 Select Statistics - McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform 1 Click Options > Dashboard > New to open the Create New Dashboard dialog. 2 Enter a name for the new dashboard in...do not include layer 2 or 3 headers on a Sensor. The statistics includes the count of number of IP spoofing attacks detected by the Network Security Sensor. If you wish to view flow statistics. 9 Click Refresh to view the flow statistics for the selected...
Troubleshooting Guide
Page 33
...'s management port IP address (IPv4 or IPv6) requires a manual reboot of various download/upload operations: signature, software image, and DoS profile downloads (from Manager to Sensor) and DoS profile and debug trace uploads (from the NSM interface, or you have two options for rebooting the Sensor. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Checking whether a signature...
Troubleshooting Guide
Page 34
...Viewer, see Configuring IP Settings for attacks option from the IP Settings tab (IPS Settings/Sensor_Name > Advanced Scanning > IP Settings). You perform this action in IPv6 traffic with the Scan IPv6 traffic for IPv4 and IPv6 traffic, IPS Configuration Guide. ... an error message in IPv6 traffic passing through the Sensor monitoring port requires a manual reboot of critical issues. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Certain internal software errors may have a corrupted internal flash. If you cannot get the Sensor to ...
Troubleshooting Guide
Page 35
...set ipfrag Available parameters: on datapaths. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Debug command name/Parameter(s) set intfport id... 3A adminstatus up /down Example 1 ifo/ifc/tap/span(changesYou can also execute this command with multiple parameters. Note: This setting should be reconfigured if the Sensor is rebooted. Enables or disables IP fragment reassembly processing on datapaths. Displays the IP...
Troubleshooting Guide
Page 37
...the existing active TCP and UDP flows using the following information. Total number of IP Fragments received Total number of IP flows Number of duplicate fragments Number of fragments dropped Fragments ...dropped for a specific attack ID enable/disable/attack ID show datapath processunits Description Displays the IP fragment statistics in a data path. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Debug command name/Parameter(s) show statistics ipfrag show aidlog status Displays the status of the...
Troubleshooting Guide
Page 39
... described in the database. 30 Manager connectivity to the database In the event that machine. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Check to ensure the Management port on the Sensor is configured with no source and destination IP information) 2500 Statistical or anomaly DoS 2500 Throttled DoS alerts 1000 Host sweep alerts 1000 Port...
Troubleshooting Guide
Page 40
... Manager client to access other Web-based applications as well. For example, the Network Security Platform 2700 Sensor is rated at gigabit speeds, you just lose the IPS functionality for creating database backups that the customer monitor the disk space on accessing...This typically happens if you access various versions of the device you are actually running an I-3000/I- 31 McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Manager database is theoretically possible to oversubscribe the limit. If the Manager database or disk space is over-subscribed...
Troubleshooting Guide
Page 41
The following are receiving them. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform 4000/I-4010/M3050/M4050/M6050 and M8000.Sensor, which all Sensor software versions) pass ISL frames through the Sensor, but is not subjected ...The common symptoms that occur if your tables, which ports are the types of traffic Non-ethernet frames are forwarded without IPS inspection. 32 ISL frames All McAfee® Network Security Sensor (Sensor) models (running all have become corrupt, follow the instructions on which is passed through the Sensor without...
Troubleshooting Guide
Page 43
... False Positives This section lists methods for your needs. So the first step in IPS Configuration Guide. The ultimate goal of policy tuning is to clone the most appropriate policy for your network and your policies The default McAfee Network Security Platform policy templates are routine for SmartBlocking (RFSB) because this process: initial policy configuration and...
Troubleshooting Guide
Page 44
... attacks. Incorrect identification These alerts typically result from the start. Network Security Platform provides two means by usage policy correctly identified events uninteresting to the user. With Network Security Platform, there are three types of the hosts except a few hosts...Issues in which the policy is applied. McAfee® Network Security Platform 6.0 Determining False Positives Take steps to reduce false positives and noise from overly aggressive signature design, special characteristics of any IDS/IPS devices, it's very important to understand ...
Troubleshooting Guide
Page 45
... and in the form of Web server you use against your network: Relevance analysis involves the analysis of the vulnerability relevance of the host IPs being scanned are dealing with McAfee Technical Support on the issue, we ask that you expect to... subject to user sensitivity (also known as a dedicated pentest machine, alert filters can use . McAfee® Network Security Platform 6.0 Determining False Positives Correct identification; For example, Network Security Platform will not actually harm anything except wasting some or all of real-time alerts, using testing tools...
Troubleshooting Guide
Page 48
... in MDR Mode Critical Sensor found a conflict with MDR MDR mode; Check your Update Server authentication information. MDR configuration. IP address / MDR action. Reboot the Sensor, which may need to cluster. McAfee® Network Security Platform 6.0 System Fault Messages Fault Cluster software mismatch status Severity Critical Description/Cause The software versions on the cluster primary...
Troubleshooting Guide
Page 50
...Bypass Switch. The Sensor is up or down the Sensor and contacting Technical Support to schedule a replacement unit. Monitoring port IP settings are not configured for all the above ports (or) Disable the IBAC/NAC on the Sensor. Hardware error Critical ...have failed. Check external FailOpen kit connections or portpair configuration to restore Inline FailOpen mode. If a fan is completed. McAfee® Network Security Platform 6.0 System Fault Messages Fault Failover peer status Fan error Severity Critical Critical Fail-Open Bypass Critical Switch timeout Failed to ...