Troubleshooting Guide
Page 3
Contents Preface ...v Introducing McAfee Network Security Platform v About this Guide...v Audience ...v Conventions used in this book ...vi Related Documentation...vii Contacting Technical Support ...viii ......11 Setting a Desktop Firewall 11 Configuring Audit Events...12 Chapter 4 Troubleshooting Network Security Platform 14 Facilitating troubleshooting...14 Starting your troubleshooting ...15 Difficulties connecting Sensor and Manager 15 Network connectivity ...15 Inconsistency in Sensor and Manager configuration 15 Software or signature set incompatibility 15 Firewall between the ...
Page 4
Checking Sensor health ...22 Pinging a Sensor...22 Ensuring that the Sensor is receiving traffic 22 Checking Sensor failover status 23 Cabling failover through a network device 23 Checking whether a signature or software update was successful 24 Checking status of a download or upload 24 Conditions requiring a Sensor reboot 24 Rebooting a Sensor via the Manager 25 Rebooting a Sensor using ...Starting Manager Watchdog...82 Using Manager Watchdog with Manager in an MDR configuration 82 Tracking Manager Watchdog activities 82 Chapter 10 Utilizing the McAfee Knowledge Base 84 Index ...86 iv
Page 5
... this document is intended for use by network technicians responsible for maintaining the Network Security Platform and analyzing and disseminating the resulting data. McAfee® Network Threat Behavior Analysis Appliance provides the capability of in the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] and McAfee® Network Security Sensor [formerly McAfee® IntruShield® Sensor] software in a step-by analyzing NetFlow information...
Page 6
...the Configuration tab, click Backup. Variable information that you must read before beginning a procedure or that alerts you must Type: Sensor-IP-address and then press type based on the keyboard Press ENTER. Note: vi Select My Company > Admin Domain > ... are denoted using Courier New font. The Service field on the User Interface (UI) are denoted using UPPER CASE. McAfee® Network Security Platform 6.0 Preface Conventions used in this book This document uses the following typographical conventions: Convention Example Terms that identify fields, buttons...
Page 7
... guide. McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on these guides. Quick Tour Installation Guide Upgrade Guide Getting Started Guide IPS Deployment Guide Manager Configuration Basics Guide I-1200 Sensor Product Guide I-1400 Sensor Product Guide I-2700 Sensor Product Guide I-3000 Sensor Product Guide...
Page 8
... of the McAfee Network Security Sensor (Sensor) software you are using Is this a new or existing issue? any questions, contact McAfee for assistance: Online Contact McAfee Technical Support http://mysupport.mcafee.com. This section describes the information we will be found at McAfee Contact Information http://www.mcafee.com/us/about/contact/index.html page. McAfee® Network Security Platform 6.0 Preface ...
Page 9
... file, which is extremely helpful for Cisco switches/routers, you can create using with Sensor GE ports; McAfee® Network Security Platform 6.0 Preface Did you make any changes in Providing a Sensor diagnostics trace. Sensor operating mode (i.e., In-line, SPAN or TAP). this writing, the tool is available at which you see the false positive ...
Page 10
... placed on which ship with some of Network Security Platform dongles, which McAfee® Network Security Manager software will be dedicated, hardened for the Sensor. For the Sensors, you complete the following tasks: The server, on its own subnet. Ensure these are approved hardware from individual interviews with the McAfee Network Security Sensors (Sensors), are a compilation of wires and (supported) GBICs, SFPs...
Page 11
..., communication with all Sensors and the McAfee® Network Security Update Server because SSL is time sensitive.) If Manager Disaster Recovery (MDR) is configured, ensure that you need assistance in the Release Notes. The firewall can save a lot of your firewall to deny connections to these , contact Technical Support. McAfee® Network Security Platform 6.0 Before You Install...
Page 12
McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP TCP TCP Description Direction of communication 25 TCP SMTP Manager-->SMTP server 49 TCP TACACS+ Integration Sensor-->TACACS+ server ...162 UDP SNMP Forwarding Manager-->SNMP server 389 TCP LDAP Integration Manager-->LDAP server (without SSL) 443 TCP Secure communication Manager 1-->Manager 2 for MDR 443 TCP Secure communication Manager 2-->Manager 1 for the ...
Page 15
...; Network Security Sensor (Sensor) and Manager client-server communication. The Manager server's positioning in the mysql shell until validation is recommended that can impact the security of these required for hardening your McAfee® Network Security Manager (Manager) server. McAfee's recommendations, at the end of the documentation set. Harden the MySQL installation Ensure the cmd window used within the McAfee Network Security Platform...
Page 20
... call locator Remote registry Server TCP/IP NetBIOS helper service Telephony service. Note: Ensure that there are required for Manager-Sensor communication. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008 Disabling non-required Services Disable the following ports are no other open ports using a scanning tool such...
Page 21
... 8443 ePO Manager to ePO server communication port Configuring Audit Events Set the following port is also allowed through firewall. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008 Port 80 443 3306 8500 8501 8502 8503 8504 8555 Description HTTP port... while using external SQL database Command channel(UDP) Manager to Sensor Install port(TCP) Sensor to Manager Alert channel(TCP) Sensor to Manager Packet log channel(TCP) Sensor to Manager File transfer channel(TCP) Sensor to Manager Alert viewer(TC) Client to Manager When email ...
Page 23
... When an in-line mode. 14 disabling the ports will need for McAfee® Network Security Platform. Caution 3: Depending on each Sensor. McAfee recommends you remove it out of the network link between the two devices surrounding the Sensor. For FE monitoring ports, there is causing network disruption, before you first try the following command: layer2 mode assert This...
Page 24
.../Eservice/, and click Search the KnowledgeBase)] Difficulties connecting Sensor and Manager If you experience problems getting the McAfee® Network Security Manager (Manager) and Sensor to that entered in the Manager. If these values do not match, the two cannot communicate. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Starting your troubleshooting Before you get too deep into troubleshooting techniques, it...
Page 25
.... Ensure that the other device's port configuration to auto-negotiate. (The Sensor is set to show the link's status. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Firewall between the devices If there is a firewall between the Sensor's Management port and the network device to auto-negotiate by opening the appropriate ports. if the link is down, see...
Page 26
... connectivity, and loss of communication. Speed determination issues may result in no connectivity between the Sensor and other network devices The most common Sensor problems relate to half-or full-duplex. This is not to use auto-negotiation, you must...Sensor and the switch. For example, if a Web server is applicable only for Management port Example: set mgmtport speed duplex where indicates 10 Mbps, indicates 100 Mbps, and indicates 1000 Mbps indicates half-duplex and indicates full-duplex. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform...
Page 27
... Pulse (FLP) and defaults to 10 Mbps half-duplex. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Network Security Platform Configuration 10/100/1000 port (Speed/Duplex) Configuration of Switch Resulting Resulting (Speed/Duplex) Sensor Catalyst (Speed/Duplex) (Speed/Duplex) Comments 100 Mbps Full...Correct configuration Correct Manual Configuration Link is established, but switch does not see any autonegotiation information from McAfee Network Security Platform and defaults to half-duplex when operating at 10/100 Mbps. You must be set to the same ...
Page 28
... on some Cisco devices that connect to your Sensor: 3, 4, 7, 8, 11, or 12. To troubleshoot this issue. Use the following ports when connecting a Cisco 3750-12s switch to Sensors: Cisco PIX® Firewall interface ethernet0...set port duplex 1/1 full Connectivity issues with Cisco switches, view the output of packets. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Sometimes there are duplex inconsistencies between Network Security Platform and the switch port. Contact Cisco's TAC for Catalyst 4000, 6000 Series Router...
Page 31
...the Manager is down, see if your Sensor is receiving traffic Sensor Statistics can be initialized and in good health. At the command prompt, type show. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Situations that may lead to Auto-negotiation ...issues Auto-negotiation issues with the Sensor adheres to IEEE 802.3u auto-negotiation specifications and all ...