Troubleshooting Guide
Page 2
... TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND...by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar ... Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Todd C. TRADEMARKS ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY...
Page 3
Contents Preface ...v Introducing McAfee Network Security Platform v About this Guide...v Audience ...v Conventions used in this book ...vi Related Documentation...vii Contacting Technical Support ...viii Information requested for Troubleshooting viii Chapter 1 Before You Install 1 Pre-installation recommendations 1 Planning for installation ...1 Functional requirements...2 Using anti-virus software with the Manager 4 User interface responsiveness 5 Chapter 2 Hardening the Manager Server for Windows...
Page 4
...22 Pinging a Sensor...22 Ensuring that the Sensor is receiving traffic 22 Checking Sensor failover status 23 Cabling failover through a network device 23 Checking whether a signature or software update was successful 24 Checking status of a download or upload 24 Conditions requiring ... ...80 Chapter 9 Automatically restarting a failed Manager with Manager Watchdog ...81 Introduction...81 How the Manager Watchdog Works 81 Installing Manager Watchdog...82 Starting Manager Watchdog...82 Using Manager Watchdog with Manager in an MDR configuration 82 Tracking Manager Watchdog activities ...
Page 5
... the Network Security Platform and analyzing and disseminating the resulting data. v McAfee® Network Threat Behavior Analysis Appliance provides the capability of in the McAfee® Network Security Manager [formerly McAfee® IntruShield® Security Manager] and McAfee® Network Security Sensor [formerly McAfee® IntruShield® Sensor] software in a step-by- You get information on the following topics: Pre-installation recommendations Hardening McAfee Network Security...
Page 7
McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on these guides. Quick Tour Installation Guide Upgrade Guide Getting Started Guide IPS Deployment Guide Manager ...; M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure M-2750 Slide Rail Assembly Procedure M-series DC Power Supply Installation Procedure Administrative Domain Configuration Guide Manager Server Configuration Guide CLI Guide Device Configuration Guide ...
Page 10
... Network Security Platform dongles, which McAfee® Network Security Manager software will be connected to the Manager server. Ensure these are available. Crossover cables will be installed, should be configured and ready to be placed online. You must have agreed to a firewall, router, or end node. Pre-installation recommendations These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation...
Page 11
... server itself; The firewall can save a lot of time during deployment. Determine a way in which includes a personal firewall on the client PCs. McAfee® Network Security Platform 6.0 Before You Install Identify hosts that you configure a packet-filtering firewall to block connections to ports 8551, 3306, 8007, 8009, and 8552 of your firewall to...
Page 12
... UDP Syslog forwarding (ACL Manager-->Syslog server logging) 636 TCP LDAP Integration (with Manager-->LDAP server SSL) 3 McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP TCP TCP Description...Forwarding Manager-->SNMP server 389 TCP LDAP Integration Manager-->LDAP server (without SSL) 443 TCP Secure communication Manager 1-->Manager 2 for MDR 443 TCP Secure communication Manager 2-->Manager 1 for the Install port, Alert port, and Log port, ensure that those ports are also open on ...
Page 13
McAfee® Network Security Platform 6.0 Before You Install Port # 1812 Protocol UDP Description RADIUS Integration Direction of processes... of excluded processes. In other words, VirusScan ships with the anti-virus scanner. Also exclude the Network Security Platform installation directory and its sub-directories because temporary files are created there that access. If you do not ...SMTP notification and also run VirusScan 8.0i or above, you install McAfee VirusScan 8.5.0i on the Manager, be created automatically, but the Network Security Platform exceptions will not.
Page 14
... save the changes. The more often you tune the MySQL database after /before other scheduled actions. Consider defragmenting the disks at least once a month. McAfee® Network Security Platform 6.0 Before You Install 1 Launch the VirusScan Console. 2 Right-click the task called Access Protection and choose Properties from the right-click menu. 3 Highlight the rule called...
Page 15
... Manager client-server communication. Introduction Manager implementation varies between environments. This information should be used by Network Security Platform are shown at a high level: Install a desktop firewall on page 2). The ports used in combination with the McAfee® Network Security Platform Release Notes and the rest of Manager. Use another cmd window, where necessary, to validate hardening...
Page 16
...You should see only two databases (MYSQL and LF) if you are using the default Network Security Platform installation of the mysql.db table. 4. Remove local anonymous users To remove local anonymous users: 1. McAfee® Network Security Platform 6.0 Hardening the Manager Server for example, lf) databases. mysql> use mysql; 2. ... * from db; 2. mysql> select host,db,user from db; 3. Remove the test db, Keep only the MYSQL and Network Security Platform (for Windows 2003 Remove test database Remove the 'test' database from the mysql.exe CLI. Look for blank entries for a ...
Page 18
...policymgmt.RuleEngine.BSH_Diagnostics_Port record in an isolated, physically secure environment Disallow access to the directory clumsily and all its sub-directories to denying traffic over port 9001 and 9002 (as per Install a desktop firewall) (on page 2), the... Full control Disable HTTP TRACE request. McAfee® Network Security Platform 6.0 Hardening the Manager Server for the Manager server and perform a fresh install of the Manager software, including the installation of a host-based firewall as described in Install a desktop firewall. (on page 2) Make...
Page 19
...-based firewall, no other software should be installed on all partitions and create new partitions. Note: Exclude "Network Security Manager" and "MySQL" directories from Microsoft. Install a Virus Scanner and update the signatures. Installation Installation of Manager should be performed as follows: Install the US version of Manager. Post Installation After installation of Manager perform the following : ...
Page 21
McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008 Port 80 443 3306 8500 8501 8502 8503 8504 8555 Description HTTP port Communication Client to Manager HTTPS Client to Manager MySQL database Open only while using external SQL database Command channel(UDP) Manager to Sensor Install port(TCP) Sensor to Manager Alert channel...
Page 25
McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Firewall between the Sensor and the Manager server, make sure the ... and Manager to communicate, it may be a communication issue between the Sensor's Management port and the network device to which the Management port is connected is connected. For example, if the device connecting to the... the two devices must configure the Management port to use the same settings as described below in the section Install a desktop firewall. (on the Sensor; Note : Ports used by default.) 2 Using the set to auto...
Page 39
...; Has the time been reset on the Manager server? the database goes down) the alerts are forwarded up before you install the Manager software and never change could ultimately cause serious database errors. You must set the time on the Manager server ... How Sensor handles new alerts during connectivity loss The Sensor stores alerts internally until connection is disrupted for some time. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Check to ensure the Management port on the Sensor is time-sensitive, so the time on the devices ...
Page 45
...Manager database. Some users will detect a UDP-based host sweep when a given host sends UDP packets to see? McAfee® Network Security Platform 6.0 Determining False Positives Correct identification; significance subject to -incorrect-identification ratio can effectively manage the noise level by defining... dumps that are actually not live traffic, please provide detailed information of events through policy customization or installing attack filters. Another example of a network diagram. 36 This is a hostile act, but it will take notice because it's still possible...
Page 71
McAfee® Network Security Platform 6.0 System Fault Messages Fault Initiating Audit Log file rotation Severity Warning Description/Cause Action The Audit Log capacity of the This fault will be raised after a Manager was reached, and configured number of audit reached, then Audit Log rotation log records are already Installed... shutdown, such as a (dbtuning) to update the McAfee NAC- So communicate over IPv6 to you updated the updated the McAfee NAC installation parameters. McAfee NAC installation related configuration. Sensor command line interface. If this option...
Page 77
... overwritten as part of the Secondary Manager. Creating clone before delete. software version installed. Secondary Manager has latest version Network Security Platform- MDR manual switch over successful; The Primary Manager software is action required. The...software version. McAfee® Network Security Platform 6.0 System Fault Messages Fault Alert archival in progress Severity Informational Deleted Central Manager Policy is applied on resources. Action Wait for Recovery initiated via a user information. software version installed. No manual...