Troubleshooting Guide
Page 1
Troubleshooting Guide Revision 6.0 McAfee® Network Security Platform version 6.0 McAfee® Network Protection Industry-leading network security solutions
Page 3
Contents Preface ...v Introducing McAfee Network Security Platform v About this Guide...v Audience ...v Conventions used in this book ...vi Related Documentation...vii Contacting Technical Support ...viii Information ... User Policies ...11 Setting a Desktop Firewall 11 Configuring Audit Events...12 Chapter 4 Troubleshooting Network Security Platform 14 Facilitating troubleshooting...14 Starting your troubleshooting ...15 Difficulties connecting Sensor and Manager 15 Network connectivity ...15 Inconsistency in Sensor and Manager configuration 15 Software or signature set incompatibility 15...
Page 5
... Manager Watchdog Audience This guide is intended for use by network technicians responsible for Network Security Platform. right from installing Network Security Platform to contact McAfee Technical Support. Introducing McAfee Network Security Platform McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for this guide and how...
Page 6
... denoted using this notation. Names of numbered steps. situation or environment is denoted using Courier New font. Type: setup and then press ENTER. Note: vi McAfee® Network Security Platform 6.0 Preface Conventions used in this notation. Caution: Information that you must read before beginning a procedure or that you must supply set Sensor ip are...
Page 7
McAfee® Network Security Platform 6.0 Preface Related Documentation The following documents and on these guides. Quick Tour Installation Guide Upgrade Guide Getting Started Guide IPS ...
Page 8
...00 A.M. Registered customers can also resolve technical issues with Technical Support. Note: McAfee requires that you have any physical changes made to the environment recently viii General information your deployment. McAfee® Network Security Platform 6.0 Preface Special Topics Guide-Sensor High Availability Special Topics... the version number of the Manager software you are using the version number of the McAfee Network Security Sensor (Sensor) software you are using Is this a new or existing issue? any questions, contact...
Page 9
... is extremely helpful for troubleshooting link issues the volume of traffic through the Sensor in some cases, a network diagram (particularly for troubleshooting asymmetric traffic issues) a Sensor trace file, which you can be obtained from: Sensor_Name >... configuration information on the GBICs you are on the affected systems your network topology ix This information can create using with Sensor GE ports; McAfee® Network Security Platform 6.0 Preface Did you make any changes in your environment/setup/configuration that may...
Page 10
...requirements meet the requirements. Otherwise, standard patch cables are approved hardware from individual interviews with some of Network Security Platform dongles, which McAfee® Network Security Manager software will be installed, should be configured and ready to be placed online. ...Ensure that the required number of the most seasoned McAfee Network Security Platform System Engineers at McAfee. For the Sensors, you complete the following tasks: The server, on which ship with the McAfee Network Security Sensors (Sensors), are available. Crossover ...
Page 11
... connections to be taken care of your firewall to deny connections to an NTP timeserver. (If the time is , the localhost. McAfee® Network Security Platform 6.0 Before You Install Identify hosts that may cause false positives, for Unix and Windows servers, used to port 8551, ... will reside between the two exceeds more than two minutes, communication with the Sensors will lose connectivity with all Sensors and the McAfee® Network Security Update Server because SSL is time sensitive.) If Manager Disaster Recovery (MDR) is configured, ensure that is changed on...
Page 12
...If you have Email Notification or SNMP Forwarding configured on the firewall. Note that those ports are available as well. McAfee® Network Security Platform 6.0 Before You Install 8501 8502 Port # 8503 8504 8555 443 80 22 Protocol TCP TCP TCP TCP TCP TCP TCP TCP... server 162 UDP SNMP Forwarding Manager-->SNMP server 389 TCP LDAP Integration Manager-->LDAP server (without SSL) 443 TCP Secure communication Manager 1-->Manager 2 for MDR 443 TCP Secure communication Manager 2-->Manager 1 for the Install port, Alert port, and Log port, ensure that 3306/TCP is...
Page 13
... do not explicitly create the exclusion within VirusScan, you must therefore add java.exe to block all outbound connections over SMTP using a homemade mail client. McAfee® Network Security Platform 6.0 Before You Install Port # 1812 Protocol UDP Description RADIUS Integration Direction of communication Manager-->RADIUS server Close all open programs, including email, the...
Page 14
... each that is unique and is imperative that Network Security Platform responsiveness is optimal: During Manager software installation, use a MySQL-specific utility, myisamchk available in the Threat Analyzer. The default Network Security Platform settings err on the side of caution and ... database after 30 days. Performance may be . Warning: Do NOT attempt to the Manager using an O/S defrag utility. McAfee® Network Security Platform 6.0 Before You Install 1 Launch the VirusScan Console. 2 Right-click the task called Access Protection and choose Properties from ...
Page 15
... case you to . All remaining unnecessary ports should be closed. Harden the MySQL installation Ensure the cmd window used within the McAfee Network Security Platform. The ports used in combination with the McAfee® Network Security Platform Release Notes and the rest of Manager. Use another cmd window, where necessary, to database tables in the "mysql" database stays...
Page 16
...> select host,db,user from was created and row count db_backup; Remove anonymous access to do dbbackup before changing it. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2003 Remove test database Remove the 'test" database from db; 3. mysql> create... db set host="localhost" where user=""; 3. Remove remote anonymous users To remove remote anonymous users, you are using the default Network Security Platform installation of the mysql.db table. 4. mysql> drop database test; 6. Remove local anonymous users To remove local anonymous users:...
Page 17
McAfee® Network Security Platform 6.0 Hardening the Manager Server for removing remote access. Remove individual users' remote access Remove ALL remote access (Recommended) Remove individual users' remote access Do ONE of the mysql.db table. Back up the user table to validate; of the following: Remove admin (Network Security Platform user) remote access mysql> delete...
Page 18
...the "mysql.user" table from the mysql.db_backup table: mysql> rename table db to anyone other than authorized administrators. McAfee® Network Security Platform 6.0 Hardening the Manager Server for the Manager server and perform a fresh install of the Manager software, including the installation .... (on port 9001 can be disabled with the exception of the iv.policymgmt.RuleEngine.BSH_Diagnostics_Port record in an isolated, physically secure environment Disallow access to the directory clumsily and all its sub-directories to db_1; Use Microsoft Knowledge Base article ...
Page 19
...varies from environment to remove all partitions. The Manager's physical and logical position in a physically secure environment. Connect the server on Manager impacts the security of Manager. The following installations: Install the latest Windows Server 2008 patches, service packs...of Manager do the following : Minimize the number of Windows roles and features that are not necessary. 10 Note: Exclude "Network Security Manager" and "MySQL" directories from Microsoft. Install a Virus Scanner and update the signatures. CHAPTER 3 Hardening the Manager ...
Page 20
... there are required for Windows 2008 Disabling non-required Services Disable the following system policies: Implement the System key and strong encryption of screensaver. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Manager-Sensor communication. The following user policies: Rename the administrator account. Disable guest account . Passwords should...
Page 21
... and the ePO Server, ensure the following port is firewall between Manager and SNMP Server, ensure that the following ports are allowed through firewall. McAfee® Network Security Platform 6.0 Hardening the Manager Server for Windows 2008 Port 80 443 3306 8500 8501 8502 8503 8504 8555 Description HTTP port Communication Client to Manager HTTPS...
Page 23
... Sensor into L2 bypass mode if the Sensor experiences a specified number of internal errors. (It does not need for McAfee® Network Security Platform. Traffic then continues to move out of L2 mode only if the Sensor entered L2 mode because of errors within a... link connecting the devices on the Sensor. If a kit is causing network disruption, before you to detection mode.) McAfee recommends that pushes the Sensor into L2 mode). CHAPTER 4 Troubleshooting Network Security Platform This section lists some troubleshooting tips for the external kit. This enables ...