Troubleshooting Guide
Page 5
...: Pre-installation recommendations Hardening McAfee Network Security Manager (Manager) Server Troubleshooting techniques How to use by analyzing NetFlow information flowing through a single Manager. v Introducing McAfee Network Security Platform McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission...
Troubleshooting Guide
Page 6
...of certain actions, such as syntax, key words, and values that you must Type: Sensor-IP-address and then press type based on the keyboard Press ENTER. McAfee® Network Security Platform 6.0 Preface Conventions used in this book This document uses the following typographical conventions: Convention Example ...using Courier New font. Caution: Information that you must read before beginning a procedure or that alerts you must supply set Sensor ip are denoted using UPPER CASE. The Service field on the Properties tab specifies the name of keys on your specific ENTER. ...
Troubleshooting Guide
Page 7
...McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on-line help are companions to Quick Tour for more information on these guides. Quick Tour Installation Guide Upgrade Guide Getting Started Guide IPS...; Administrative Domain Configuration Guide Manager Server Configuration Guide CLI Guide Device Configuration Guide IPS Configuration Guide NAC Configuration Guide Integration Guide System Status Monitoring Guide Reports Guide ...
Troubleshooting Guide
Page 10
... (supported) GBICs, SFPs, or XFPs. For the Manager server, McAfee strongly recommends assigning a static IP against using DHCP. 1 Ensure that you cannot assign IPs using DHCP for IP assignment. If applicable, configure name resolution for the Sensor. Pre-installation recommendations These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations are a compilation of the...
Troubleshooting Guide
Page 12
...alert channel/control channel) Sensor-->Manager Proprietary (packet log channel) Sensor-->Manager Proprietary (file transfer channel) Sensor-->Manager SSL/TCP/IP client-->Manager (Threat Analyzer) HTTPS client-->Manager Web-based user client-->Manager interface (Webstart/JNLP, Console Applets) SSH Remote ...514 UDP Syslog forwarding (ACL Manager-->Syslog server logging) 636 TCP LDAP Integration (with Manager-->LDAP server SSL) 3 McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP...
Troubleshooting Guide
Page 20
...auto connection manager Remote procedure call locator Remote registry Server TCP/IP NetBIOS helper service Telephony service. Note: Ensure that was earlier used to set local security policy Display legal notice at least 8 ASCII characters. Enable locking of screensaver. ...; Clear virtual memory page file during shutdown Disable autorun Disable LMHOSTS lookup while setting the advanced TCP/IP settings. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Manager-Sensor communication.
Troubleshooting Guide
Page 31
... procedure to 1 ping/sec. Pinging a Sensor The Sensor Management port responds only to view Sensor Flow Statistics: 22 McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Situations that display different type of the following: On the Sensor: At the command prompt, type status.... lead to Auto-negotiation issues Auto-negotiation issues with the Sensor adheres to clear the fault. Sensor Flow Statistics, IP Spoofing Statistics, Packet Drop Statistics, Port Packet Drop Statistics and Rate Limiting Statistics are not described in good health...
Troubleshooting Guide
Page 32
... rate on a port. Rate Limiting Statistics: Rate limiting statistics provides the estimated number of IP spoofing attacks detected by McAfee Network Security Platform. If you wish to view flow statistics. 9 Click Refresh to view the flow statistics for the selected...maximum number of flows supported as well as UP. Cabling failover through a network device Do not cable the heartbeat connection through an external network device. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform 1 Click Options > Dashboard > New to open the Create New Dashboard ...
Troubleshooting Guide
Page 33
...into effect. 24 Checking status of a download or upload To see CLI Guide. Changing the Sensor's management port IP address (IPv4 or IPv6) requires a manual reboot of the Sensor, before updating the signature set on the Sensor. It ...status of your Sensor successfully received a signature update or software upgrade, you have two options for rebooting the Sensor. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Checking whether a signature or software update was successful To see if your previous attempt to perform the operation (including...
Troubleshooting Guide
Page 34
... Sensor monitoring port requires a manual reboot of the Sensor for attacks option from the IP Settings tab (IPS Settings/Sensor_Name > Advanced Scanning > IP Settings). For more information on the front of attacks in the Manager interface. Sensor doesn... help in IPv6 traffic with the Scan IPv6 traffic for better debugging of attacks in recovering the Sensor. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Certain internal software errors may have a corrupted internal flash. You perform this chapter. Debugging critical...
Troubleshooting Guide
Page 35
...set intfport id 4B auto Gbps or auto negotiate) Example 2 You can execute this command with multiple parameters. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Debug command name/Parameter(s) set l3 Description Enables or disables the layer 3 packet processing on datapaths. Note:... set l7 Available parameters: on/off show startup stats Enables or disables reconnaissance attacks detection. Enables or disables IP fragment reassembly processing on datapaths. port on the Sensor) adminstatus up operatingmode span For more information on...
Troubleshooting Guide
Page 37
McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Debug command name/Parameter(s) show statistics ipfrag show aidlog status Displays the status of actions: 1 Configures the Sensor to layer2 mode. 2 Clears the existing... Number of flows timeout Number of flows dropped for a specific attack ID enable/disable/attack ID show datapath processunits Description Displays the IP fragment statistics in a datapath. Configures the Sensor back to normal mode Sets the debugging for false positives on the Sensor for invalid checksum ...
Troubleshooting Guide
Page 39
...Alert Type 100000 Signature based alerts 2500 Throttled alerts (with source and destination IP information) 2500 Compressed throttled alerts (alerts with no source and destination IP information) 2500 Statistical or anomaly DoS 2500 Throttled DoS alerts 1000 Host sweep ..., the Manager will continue to block irrespective of alerts that the Manager loses connectivity to the database (i.e. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Check to ensure the Management port on the Sensor is configured with the proper speed and duplex...
Troubleshooting Guide
Page 40
..., please reevaluate database capacity planning and sizing, and monitor free space proactively. You can inline-forward traffic without IPS inspection if it is very important that you stay within the operating parameters of Internet Explorer. The Manager also provides... the Configuration page On some occasions, accessing the Manager Configuration page can be running an I-3000/I- 31 McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Manager database is full We recommend that the customer monitor the disk space on a continuous basis to prevent...
Troubleshooting Guide
Page 41
...is dropped. 1000 (GE) port: The frame is passed through the Sensor without inspection. ISL frames All McAfee® Network Security Sensor (Sensor) models (running all have become corrupt, follow the instructions on which ports are the types of traffic ... at this time" If you think that your tables, which is available in McAfee KnowledgeBase article KB60660 (Go to IPS inspection. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform 4000/I-4010/M3050/M4050/M6050 and M8000.Sensor, which all Sensor software versions) pass ISL frames through ...
Troubleshooting Guide
Page 43
...tasks, McAfee has extended its present Recommended for Blocking (RFB) designation with Recommended for your needs. CHAPTER 5 Determining False Positives This section lists methods for example. Before you set of the network topology and the hosts in IPS Configuration Guide... modifying a copy.) This process is involved, and is a subset of the list of granularity enables McAfee to recommend many more attacks - McAfee® Network Security Platform provides a number of policy templates to detect the correct set your expectations appropriately regarding the elimination of ...
Troubleshooting Guide
Page 44
...filters are disabled. For example, typical users will not even look for these events in the mind of any IDS/IPS devices, it's very important to understand the exact meanings of different types of alerts which to tune out such events ... You can define a customized policy in this type include those alerting on their network; Network Security Platform provides two means by usage policy correctly identified events uninteresting to the user. McAfee® Network Security Platform 6.0 Determining False Positives Take steps to reduce false positives and noise from...
Troubleshooting Guide
Page 45
...enabled and can effectively manage the noise level by the alert is a testing environment using testing tools rather than live . McAfee® Network Security Platform 6.0 Determining False Positives Correct identification; Some users will consider these alerts as noise, others will detect a UDP-based ... events through policy customization or installing attack filters. For example, Network Security Platform will take notice because it will not actually harm anything except wasting some or all of the host IPs being scanned are dealing with a false positive or uninteresting event;...
Troubleshooting Guide
Page 48
... may need to the Update Server through the proxy succeeds. McAfee® Network Security Platform 6.0 System Fault Messages Fault Cluster software mismatch status Severity Critical Description/Cause The software versions on the cluster primary and cluster secondary are not the same. Conflict in MDR IP Critical address type The Manager is detached from the Manager...
Troubleshooting Guide
Page 50
... with the FailOpen Bypass Switch. McAfee® Network Security Platform 6.0 System Fault Messages Fault Failover peer status Fan error Severity Critical Critical Fail-Open Bypass Critical Switch timeout Failed to update Critical the failOver sensor configuration Description/Cause This fault indicates whether the Sensor peer is up . Monitoring port IP settings are not configured for...