Troubleshooting Guide
Page 5
Introducing McAfee Network Security Platform McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for Network Security Platform. It is organized. v You get information on the following topics: Pre-installation recommendations Hardening McAfee Network Security Manager (Manager) Server Troubleshooting techniques How to use...
Troubleshooting Guide
Page 6
...that provide related, but non-critical, information are shown enclosed in angle brackets. Warning: Notes that you must supply set Sensor ip are denoted using this notation. Variable information that you must read before beginning a procedure or that you must type exactly are ...Courier New font. Caution: Information that you must Type: Sensor-IP-address and then press type based on your specific ENTER. Menu or action group selections are shown in Arial Narrow bold font. McAfee® Network Security Platform 6.0 Preface Conventions used in this book This document uses the...
Troubleshooting Guide
Page 7
McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on-line help are companions to Quick Tour for more information on these guides. Quick Tour Installation Guide Upgrade Guide Getting Started Guide IPS... Administrative Domain Configuration Guide Manager Server Configuration Guide CLI Guide Device Configuration Guide IPS Configuration Guide NAC Configuration Guide Integration Guide System Status Monitoring Guide Reports Guide ...
Troubleshooting Guide
Page 10
... will be used for installation Before installation, ensure that all McAfee® Network Security Sensor, the use of the most seasoned McAfee Network Security Platform System Engineers at McAfee. For the Manager server, McAfee strongly recommends assigning a static IP against using DHCP for IP assignment. If applicable, configure name resolution for McAfee Network Security Manager (Manager) server. This server should not be...
Troubleshooting Guide
Page 12
McAfee® Network Security Platform 6.0 Before You Install

Port #  Protocol  Description                                                    Direction of communication
8501    TCP       ...(install port)                                              Sensor-->Manager
8502    TCP       Proprietary (alert channel/control channel)                    Sensor-->Manager
8503    TCP       Proprietary (packet log channel)                               Sensor-->Manager
8504    TCP       Proprietary (file transfer channel)                            Sensor-->Manager
8555    TCP       SSL/TCP/IP (Threat Analyzer)                                   client-->Manager
443     TCP       HTTPS                                                          client-->Manager
80      TCP       Web-based user interface (Webstart/JNLP, Console Applets)      client-->Manager
22      TCP       SSH                                                            Remote console access

Note: If you choose...
Troubleshooting Guide
Page 20
McAfee® Network Security Platform 6.0 Hardening the Manager Server for Manager-Sensor communication. Setting User Policies Ensure to login. Disable Posix Clear virtual memory page file during shutdown Disable autorun Disable LMHOSTS lookup while setting the advanced TCP/IP settings. Note:...other open ports using a scanning tool such as Vulnerability Manager. 11 Setting System Policies Ensure to set local security policy Display legal notice at least 8 ASCII characters. Enable locking of the password database by running ...
Troubleshooting Guide
Page 31
... in IEEE 802.3u for 10/100 Mbps auto-negotiation (such as Sensor image version, type, name, Manager and Sensor IP addresses, and so on ). Follow this procedure to 1 ping/sec. Sensor should be ACTIVE. To ping a Sensor Management... implementation, hardware incapability, or software defects. This prevents it from multiple hosts, increase the time interval between pings. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Situations that may lead to a ping flood. This displays configuration information (such as auto-polarity or cabling integrity) ...
Troubleshooting Guide
Page 32
... displayed on the number of IP spoofing attacks detected by McAfee Network Security Platform. If you wish to view flow statistics. 9 Click Refresh to view the flow statistics for the selected Sensor. 10 Follow a similar procedure and select other Monitors for Sensor Performance to view the relevant Sensor Statistics. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform 1 Click Options > Dashboard > New...
Troubleshooting Guide
Page 33
...progress of failure), and the time the command was successful To see CLI Guide. Changing the Sensor's management port IP address (IPv4 or IPv6) requires a manual reboot of various download/upload operations: signature, software image, and DoS profile ... complete. You can reboot the Sensor from the NSM interface, or you have two options for rebooting the Sensor. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Checking whether a signature or software update was executed. Note the signature version. 2 Update the signature set on the...
Troubleshooting Guide
Page 34
...Sensor doesn't boot If you see the Sensor Product Guide for IPv4 and IPv6 traffic, IPS Configuration Guide. Upgrading Sensor software requires a manual reboot of the Sensor. For more information on Operational Status ... See a description of the Sensor for attacks option from the IP Settings tab (IPS Settings/Sensor_Name > Advanced Scanning > IP Settings). If you cannot get the Sensor to reboot itself. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Certain internal software errors may have a corrupted internal ...
Troubleshooting Guide
Page 35
... and Available parameters: duplex on datapaths. Note: This setting should be reconfigured if the Sensor is rebooted. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Debug command name/Parameter(s) set l3 Description Enables or disables the layer 3 packet processing on datapaths. Enables or...the specified gigabit ethernet monitoring port. 1A-6B (a valid ethernet monito It is rebooted. Displays the IP fragment reassembly processing status. show l3 status set l7 Available parameters: on/off show sensor health Displays the Sensor ...
Troubleshooting Guide
Page 37
.../dp/m reset debugmode passwd Resets the password for a specific attack ID enable/disable/attack ID show datapath processunits Description Displays the IP fragment statistics in a data path. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Debug command name/Parameter(s) show statistics ipfrag show aidlog status Displays the status of total watermark exceeded in the DoS processor. Note...
Troubleshooting Guide
Page 39
...Number Alert Type 100000 Signature based alerts 2500 Throttled alerts (with source and destination IP information) 2500 Compressed throttled alerts (alerts with no source and destination IP information) 2500 Statistical or anomaly DoS 2500 Throttled DoS alerts 1000 Host sweep alerts ... Has the time been reset on the Manager server? If the buffer fills up to the Manager. McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Check to ensure the Management port on the Sensor is configured with the proper speed and duplex mode ...
Troubleshooting Guide
Page 40
McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform Manager database is full We recommend that the customer... restoration. This typically happens if you access various versions of the device you just lose the IPS functionality for everything more than 600Mbps? Sensor response if its throughput is designed with various file ...you stay within the operating parameters of the Manager from happening. You can inline-forward traffic without IPS inspection if it throttle the throughput to oversubscribe the limit. This is theoretically possible to 600Mbps or ...
Troubleshooting Guide
Page 41
... When trying to view packet log for in McAfee KnowledgeBase article KB60660 (Go to IPS inspection. The following are the types of traffic Non-ethernet frames are forwarded without IPS inspection. 32 MySQL issues The common symptoms that your MySQL...frames based on verifying your tables, which is not subjected to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase). McAfee® Network Security Platform 6.0 Troubleshooting Network Security Platform 4000/I-4010/M3050/M4050/M6050 and M8000.Sensor, which all Sensor software versions) pass ISL frames ...
Troubleshooting Guide
Page 43
...McAfee to recommend many more attacks - the list of RFB attacks is a subset of the list of attacks for example. Before you set of RFSB attacks. Tune your analysis. Once properly tuned, however, they can be reduced to a rare occurrence. When initially deployed, Network Security Platform frequently exposes unexpected conditions in IPS... when high confidence signatures are valid and useful for your policies The default McAfee Network Security Platform policy templates are routine for your network, so you can also modify a policy directly rather than modifying a copy...
Troubleshooting Guide
Page 44
...IPS devices, it's very important to understand the exact meanings of different types of alerts so that appropriate response can be fixed by signature modifications or software bug fixes. Correct identification; In order to better manage the security risks using any security analyst. With Network Security Platform...disable IIS-related attacks. Universities, for example, typically have custom rule sets specific to his environment. McAfee® Network Security Platform 6.0 Determining False Positives Take steps to reduce false positives and noise from overly aggressive ...
Troubleshooting Guide
Page 45
...configuration in dedicated interface mode Users can view the resulting packet log) Determine whether any applications are suspected of the host IPs being scanned are actually not live traffic, please provide detailed information of the attack/test tool used . This is another type ... through policy customization or installing attack filters. For example, Network Security Platform will not actually harm anything except wasting some or all of triggering the alert-which ones, which versions, and in , due to work with McAfee Technical Support on the issue, we ask that the attack...
Troubleshooting Guide
Page 48
...to communicate with a proxy server.) This fault clears when communication to the Update Server through the proxy succeeds. Conflict in MDR IP Critical address type The Manager is connected to the Internet, ensure it has connectivity to correct the MDR configuration. CRC Errors ... communicate with the proxy server. (This fault can occur only when the Manager is detached from the Manager server. McAfee® Network Security Platform 6.0 System Fault Messages Fault Cluster software mismatch status Severity Critical Description/Cause The software versions on the cluster primary and...
Troubleshooting Guide
Page 50
McAfee® Network Security Platform 6.0 System Fault Messages Fault Failover peer status Fan error Severity Critical ...Sensor's front panel For the I -4000, you can also the Sensor have failed. Either configure the Monitoring Port IPs for the ports on which fan has failed. The Sensor is up or down the Sensor and contacting Technical Support to... schedule a replacement unit. Monitoring port IP settings are not configured for all the above ports (or) Disable the IBAC/NAC on the Sensor. Action ...