Troubleshooting Guide
Page 1
Troubleshooting Guide Revision 6.0 McAfee® Network Security Platform version 6.0 McAfee® Network Protection Industry-leading network security solutions
Page 3
Contents Preface ...v Introducing McAfee Network Security Platform v About this Guide...v Audience ...v Conventions used in this book ...vi Related Documentation...vii Contacting Technical Support ...viii Information ... User Policies ...11 Setting a Desktop Firewall 11 Configuring Audit Events...12 Chapter 4 Troubleshooting Network Security Platform 14 Facilitating troubleshooting...14 Starting your troubleshooting ...15 Difficulties connecting Sensor and Manager 15 Network connectivity ...15 Inconsistency in Sensor and Manager configuration 15 Software or signature set incompatibility 15...
Page 5
... how this document is assumed that you are installed and managed through a single Manager. right from installing Network Security Platform to troubleshooting the system. Introducing McAfee Network Security Platform McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for Network Security Platform. It is organized.
Page 6
McAfee® Network Security Platform 6.0 Preface Conventions used in this book This document uses the following typographical conventions: Convention Example Terms that provide related, but non-critical, information are denoted ...
Page 7
McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on-line help are companions to Quick Tour for more information on these guides. Quick Tour ...
Page 8
...html page. This section describes the information we ask that you are using the version number of the McAfee Network Security Sensor (Sensor) software you provide your GRANT ID and the serial number of your GRANT ID. General information ...In addition, customers can obtain up-to the environment recently viii Information requested for customers with Gold or Platinum service contracts. McAfee® Network Security Platform 6.0 Preface Special Topics Guide-Sensor High Availability Special Topics Guide-Virtualization Special Topics Guide-...
Page 9
... is available at the following link: http://serviceweb/McAfee/backline/escalations/MER_TOOL/IPSInfoCollector.zip Sensor issues the Sensor deployment configuration information on the affected systems your network topology ix this information is extremely helpful for troubleshooting... example, ems.log, emsout, output.bin, config back, and the Sensor trace file, if you have introduced the issue? McAfee® Network Security Platform 6.0 Preface Did you make any changes in Providing a Sensor diagnostics trace. Sensor operating mode (i.e., In-...
Page 10
... the Manager server. CHAPTER 1 Before You Install This chapter lists pre-installation recommendations. Pre-installation recommendations These McAfee® Network Security Platform [formerly McAfee® IntruShield®] pre-installation recommendations are a compilation of the most seasoned McAfee Network Security Platform System Engineers at McAfee. Ensure these are available. Crossover cables will be installed, should be required for programs like...
Page 11
...less than 60 seconds. (If the spread between the two exceeds more than two minutes, communication with all Sensors and the McAfee® Network Security Update Server because SSL is time sensitive.) If Manager Disaster Recovery (MDR) is configured, ensure that you configure...you are the functional requirements to port 8551, 8552, 3306, 8007 and 8009 the firewall should be a host-based or a network-based. McAfee® Network Security Platform 6.0 Before You Install Identify hosts that you need assistance in the respective version's release notes or, if applicable, ...
Page 12
...and there is firewall residing between the Manager and your SMTP or SNMP server, ensure the following ports are available as well. McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP TCP TCP... server 162 UDP SNMP Forwarding Manager-->SNMP server 389 TCP LDAP Integration Manager-->LDAP server (without SSL) 443 TCP Secure communication Manager 1-->Manager 2 for MDR 443 TCP Secure communication Manager 2-->Manager 1 for the Install port, Alert port, and Log port, ensure that those ports are ...
Page 13
... you enable SMTP notification and also run VirusScan 8.0i or above, you install McAfee VirusScan 8.5.0i on the Manager, be created automatically, but the Network Security Platform exceptions will exclude the entire MySQL installation directory from binding to install anti-virus ... such as Outlook and Eudora, by including the processes used by default) to create outbound TCP port 25 connections; McAfee® Network Security Platform 6.0 Before You Install Port # 1812 Protocol UDP Description RADIUS Integration Direction of communication Manager-->RADIUS server Close...
Page 14
...the database until the user explicitly decides to defragment the MySQL directory using a browser on your overall product satisfaction. McAfee® Network Security Platform 6.0 Before You Install 1 Launch the VirusScan Console. 2 Right-click the task called Access Protection and choose Properties ...time for each purge operation. User interface responsiveness The responsiveness of the MySQL directory. Performance may be . The default Network Security Platform settings err on a routine basis, with the exception of the user interface, the Threat Analyzer in your defragmenter, the...
Page 15
... the Manager host Install a desktop firewall It is recommended that can impact the security of this section. This information should be used within the McAfee Network Security Platform. McAfee's recommendations, at the end of Manager. Harden the MySQL installation Ensure the cmd...database tables in the "mysql" database stays opened in combination with the McAfee® Network Security Platform Release Notes and the rest of these required for hardening your McAfee® Network Security Manager (Manager) server. Introduction Manager implementation varies between environments. Some ...
Page 16
...on the mysql> show databases; Start My SQL. Validate that of MySQL. Look for blank entries for example, lf) databases. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2003 Remove test database Remove the 'test" database from db; 2. mysql> use mysql; ... select * from the mysql.exe CLI. Remove remote anonymous users To remove remote anonymous users, you are using the default Network Security Platform installation of the mysql.db table. 4. Remove local anonymous users To remove local anonymous users: 1. Validate that "localhost" ...
Page 17
mysql> use mysql; of the following: Remove admin (Network Security Platform user) remote access mysql> delete from user where user=""; Remove anonymous/blank accounts. Validate that user_backup; user; Use another cmd window to ...Manager user can log in to the MySQL CLI on the Manager server by qualifying username, password and db. Use second cmd window to validate; McAfee® Network Security Platform 6.0 Hardening the Manager Server for removing remote access. Remove individual users' remote access Remove ALL remote access (Recommended) Remove ...
Page 18
... shell that runs on the server, with the following mod_rewrite syntax in the Apache Server's httpd.conf file (available in the "/Apache/conf" directory). McAfee® Network Security Platform 6.0 Hardening the Manager Server for the Manager server and perform a fresh install of the Manager software, including the installation of the iv.policymgmt.RuleEngine.BSH_Diagnostics_Port...
Page 19
... Minimize the number of Manager. Note: Exclude "Network Security Manager" and "MySQL" directories from Microsoft. Install a Virus Scanner and update the signatures. Also keep a check on Manager impacts the security of Windows roles and features that are installed. ...partitions. The Manager's physical and logical position in a physically secure environment. Connect the server on a protected or isolated network. If the hard disk is located in the network influences specific remote access and firewall configuration requirements. Pre-installation Use...
Page 20
.... Note: Ensure that a desktop firewall operates on the Manager server. Setting User Policies Ensure to set local security policy Display legal notice at least 8 ASCII characters. Enable locking of the password database by running SYSKEY...following system policies: Implement the System key and strong encryption of screensaver. Setting a Desktop Firewall It is absolutely required. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Manager-Sensor communication. The following services. DHCP Client FTP Print...
Page 21
... to SMTP server 162 SNMP forwarding Manager to SNMP server If you have ePO integration configured on Manager and there is also allowed through firewall. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008 Port 80 443 3306 8500 8501 8502 8503 8504 8555 Description HTTP port Communication Client to Manager...
Page 23
to place the Sensor back in in -line device experiences problems, most people's instinct is no need for McAfee® Network Security Platform. McAfee recommends you have a Layer2 Passthru feature. if they are, then you first try the following command: layer2 mode ...Note that pushes the Sensor into L2 mode). A very brief link disruption might occur while the links are still affected; CHAPTER 4 Troubleshooting Network Security Platform This section lists some troubleshooting tips for the external kit. Check to put the Sensor into L2 bypass mode if the Sensor experiences a...